Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-05-27 15:16, Christian Heimes wrote:
> Hello,
>
> here is my first patch for FreeIPA. The patch integrates python-kdcproxy for MS-KKDCP support (aka Kerberos over HTTPS).
>
> https://www.freeipa.org/page/V4/KDC_Proxy
> Ticket: https://fedorahosted.org/freeipa/ticket/4801

freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch doesn't apply anymore. The new patch is based on the current master.

Christian

From ee1bb0384eecfa6d6fe7770c44d54474b0d55951 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Thu, 21 May 2015 12:42:27 +0200
Subject: [PATCH] Provide Kerberos over HTTP (MS-KKDCP)

Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.2.1. All kdcproxy dependencies are already satisfied.
- The service can be globally toggled with the boolean attribute ipaKDCproxyEnabled in cn=ipaConfig,cn=etc. The switch is supported by ipa config-mod --enable-kdcproxy.
- The installers and update create a new Apache config file ipa-kdc-proxy.conf that mounts a WSGI app at /KdcProxy. The app is run inside its own WSGI daemon group.
- The WSGI app at /KdcProxy is a WSGI wrapper that checks the state of the switch. When ipaKDCproxyEnabled is FALSE, a HTTP 404 error is returned. For performance reasons the flag is only checked at start of the WSGI app. Apache must be reloaded or restarted to read the switch state again.
- The WSGI app uses the Apache principal to acquire a Kerberos ticket to perform GSSAPI bindings for the LDAP query of ipaKDCproxyEnabled.
- The WSGI wrapper script sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers is read from /etc/krb5.conf

Changes since patch 1:

- Further simplify krb ticket code. Simo has pointed out that KRB5_CLIENT_KTNAME and MEMORY ccache are sufficient for the GSSAPI.
http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation - switch is now in ipaConfigString=kdcProxyEnabled of cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc - add service principal KDCPROXY - add own keytab /etc/ipa/kdcproxy/kdcproxy.keytab - add permission 'System: Read IPA Masters KDC Proxy' - add privilege 'IPA Masters KDC Proxy Readers' - add ipa-ldap-updater scripts to enable/disable KDC Proxy - Create a separate user and group account The KDC Proxy WSGI app now uses a separate user account to run the daemon process. The keytab is only readable by that user, too. https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 --- ACI.txt| 4 +- API.txt| 3 +- freeipa.spec.in| 25 +++ install/conf/Makefile.am | 1 + install/conf/ipa-kdc-proxy.conf| 14 ++ install/conf/ipa.conf | 6 +- install/share/60ipaconfig.ldif | 4 +- install/share/Makefile.am | 2 + install/share/kdcproxy-disable.ldif| 3 + install/share/kdcproxy-enable.ldif | 6 + install/share/kdcproxy.conf| 4 + install/share/kdcproxyshim.py | 161 + install/ui/src/freeipa/serverconfig.js | 4 + install/updates/40-delegation.update | 7 + install/updates/50-ipaconfig.update| 4 + ipalib/plugins/config.py | 8 +- ipaplatform/base/paths.py | 4 +- ipaserver/install/ipa_backup.py| 1 + ipaserver/install/kdcproxyinstance.py | 201 + .../install/plugins/update_managed_permissions.py | 11 ++ ipaserver/install/server/install.py| 8 +- ipaserver/install/server/replicainstall.py | 9 +- ipaserver/install/server/upgrade.py| 8 + 23 files changed, 488 insertions(+), 10 deletions(-) create mode 100644 install/conf/ipa-kdc-proxy.conf create mode 100644 install/share/kdcproxy-disable.ldif create mode 100644 install/share/kdcproxy-enable.ldif create mode 100644 install/share/kdcproxy.conf create mode 100644 install/share/kdcproxyshim.py create mode 100644 ipaserver/install/kdcproxyinstance.py diff --git a/ACI.txt b/ACI.txt index 59173ac1b593f15e079c7b1fce43ec9b0084ec91..974a0b7da60bc8cecbe5b7712033e2c1a07d65fb 100644 
--- a/ACI.txt +++ b/ACI.txt @@ -31,7 +31,7 @@ aci: (targetattr = cn || description || ipacertprofilestoreissued)(targetfilte dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || description || entryusn || ipacertprofilestoreissued || modifytimestamp || objectclass
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-22 16:22, Nathaniel McCallum wrote:
> On Mon, 2015-06-22 at 10:10 -0400, Simo Sorce wrote:
>> On Mon, 2015-06-22 at 10:01 -0400, Nathaniel McCallum wrote:
>>> I'd still prefer a user mapping to managing a keytab. This patch is just way too complex for what it does.
>>
>> User mapping ?
>
> EXTERNAL bind

Nathaniel, Simo and I had a discussion on #ipa. Eventually our combined brains came up with a simpler solution that is good enough for now. The new proposal needs neither a keytab nor a new permission. It even removes the necessity for a shim module.

The WSGI config file for Apache is moved to a different location (e.g. /etc/ipa/ipa-kdc-proxy.conf). I have to check SELinux rules to find a proper location. An additional ExecStartPre script is hooked into httpd.service instead. The script reads the status of the flag from LDAP. If kdcproxy is enabled, it symlinks the WSGI config file to /etc/httpd/conf.d/ipa-kdc-proxy.conf. Otherwise it removes the symlink. When the file is not a symlink or doesn't point to /etc/ipa/ipa-kdc-proxy.conf, then the script only prints a warning. The file is neither replaced nor removed.

Because systemd scripts run as root, the ExecStartPre script can use EXTERNAL bind over ldapi to access 389 DS. The root user is mapped to the Directory Manager user, which is allowed to read all entries in the cn=masters,cn=ipa,cn=etc subtree. That way the script needs neither a keytab nor an additional permission.

With the ExecStartPre we don't lose any functionality. When the config file is not symlinked, Apache responds with a 404 (just like before). Apache must be reloaded before a new setting becomes effective (just like before).

Christian

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-23 16:55, Nathaniel McCallum wrote:
> ----- Original Message -----
>> Ah, got it! What's the simplest way to download and test the new package on my VM?
>
> Download the package from koji.
>
> http://koji.fedoraproject.org/koji/packageinfo?packageID=19292

Ah, that's much simpler than my approach. I used rhpkg, spectool, wget and rpmbuild to build my own package.

Christian
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-23 11:37, Christian Heimes wrote:
> Hi,
>
> I've created a new patch that implements the KDC switch as an ExecStartPre hook in httpd.service.

My patch has a bug. Apache's SetEnv doesn't set an operating system env var. The information is only available as a WSGI env var. I'm going to set it in httpd.service.

Christian
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
This is hopefully the final patch. I've tested a fresh installation and upgrade from 4.2 alpha 1.

Christian

From f503bb15304edea863ba1bad91657b1f880f0e4b Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 23 Jun 2015 17:01:00 +0200
Subject: [PATCH] Provide Kerberos over HTTP (MS-KKDCP)

Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.2.1. All kdcproxy dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX. It's enabled when ipaConfigString=kdcProxyEnabled is present.
- The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui.
- An ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers is read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet.

Changes since the last patch:

- WSGI shim module was removed in favor of the symlink approach.
- Since the ExecStartPre script runs as root user, EXTERNAL GSSAPI bind can be used. This eliminates the need for a keytab, service principal and additional permission.
- Require python-kdcproxy 0.3 - Set env var in httpd.service instead of SetEnv https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 --- freeipa.spec.in | 26 + init/systemd/httpd.service | 2 + install/conf/Makefile.am | 1 + install/conf/ipa-kdc-proxy.conf.template | 30 ++ install/conf/ipa.conf| 6 +- install/share/Makefile.am| 3 + install/share/kdcproxy-disable.ldif | 3 + install/share/kdcproxy-enable.ldif | 6 ++ install/share/kdcproxy.conf | 4 + install/tools/Makefile.am| 5 + install/tools/ipa-httpd-kdcproxy | 180 +++ ipaplatform/base/paths.py| 4 +- ipaserver/install/httpinstance.py| 65 ++- ipaserver/install/ipa_backup.py | 1 + 14 files changed, 331 insertions(+), 5 deletions(-) create mode 100644 install/conf/ipa-kdc-proxy.conf.template create mode 100644 install/share/kdcproxy-disable.ldif create mode 100644 install/share/kdcproxy-enable.ldif create mode 100644 install/share/kdcproxy.conf create mode 100755 install/tools/ipa-httpd-kdcproxy diff --git a/freeipa.spec.in b/freeipa.spec.in index 809ac1e5bb877c85e29c082ecfb9ad91aa97b4f5..80331e60006829c77c7994d600318fc331a6b711 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -22,6 +22,10 @@ %define _hardened_build 1 +%define kdcproxy_user kdcproxy +%define kdcproxy_group kdcproxy +%define kdcproxy_home %{_sharedstatedir}/kdcproxy + Name: freeipa Version:__VERSION__ Release:__RELEASE__%{?dist} @@ -95,6 +99,7 @@ BuildRequires: p11-kit-devel BuildRequires: pki-base = 10.2.4-1 BuildRequires: python-pytest-multihost = 0.5 BuildRequires: python-pytest-sourceorder +BuildRequires: python-kdcproxy = 0.3 %description IPA is an integrated solution to provide centrally managed Identity (machine, @@ -130,6 +135,7 @@ Requires: memcached Requires: python-memcached Requires: dbus-python Requires: systemd-units = 38 +Requires(pre): shadow-utils Requires(pre): systemd-units Requires(post): systemd-units Requires: selinux-policy = %{selinux_policy_version} 
@@ -140,6 +146,7 @@ Requires: pki-kra = 10.2.4-1 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns = 1.11.1 +Requires: python-kdcproxy = 0.3 Requires: zip Requires: policycoreutils = 2.1.12-5 Requires: tar @@ -429,6 +436,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \ # So we can own our Apache configuration mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf mkdir -p %{buildroot}%{_usr}/share/ipa/html/ @@ -458,6 +466,10 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e # Web UI plugin dir mkdir -p
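Review bot: the `+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf` line in the `@@ -429,6 +436,7 @@` hunk packages that path as an empty regular file, yet the ExecStartPre script this patch describes only warns about, and neither replaces nor removes, anything at that path that is not a symlink to /etc/ipa/kdcproxy/ipa-kdc-proxy.conf. Unless the %files section (not in this excerpt) lists the path as %ghost, or the installer removes the empty file before the first httpd start, the script could never create the symlink on a fresh install. Please confirm how the path is owned; a `%ghost` entry lets the RPM own it without shipping a file that blocks the symlink, and it keeps the ipa.conf/ipa-pki-proxy.conf ownership pattern used on the neighbouring lines.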
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-23 14:58, Nathaniel McCallum wrote:
> I agree. One other small nitpick is that the python-kdcproxy dependency is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL and Fedora. The only remaining step here is to push python-kdcproxy in the same update as the next FreeIPA build.

I don't see python-kdcproxy 0.3 on my F22 test VM. It's still python-kdcproxy-0.2.1-1.fc22.noarch. dnf update doesn't pull any updates either.

Christian
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-23 14:56, Simo Sorce wrote:
> Why are you using #!/usr/bin/env python2.7 ? We do not use this idiom, as it breaks in some cases, at most in some sources that are v2 only we use #!/usr/bin/python2, please change it.

Force of habit. I'm used to using /usr/bin/env in my own packages. Otherwise the code isn't compatible with virtual envs. For FreeIPA it makes more sense to stick to python2. I'm going to change it.

> I am not sure you should really have a completely separate KDCProxyInstance, if I read it right that will cause httpd to be restarted twice. If you put KDCProxy enablement as one step of the httpdinstance then you will have much less code and httpd can be restarted only once. KDCProxy in general is not a separate service so instantiating it as a full service seems wrong to me. IMO it should be just one of the many steps of the http instance.

Correct, the KDCProxyInstance restarts the HTTPD service a second time. The instance used to do much more work. In the last patch it created a service principal with keytab and assigned a permission to the service principal. With the new design, the code has been simplified so much that it actually makes sense to move it into HTTPInstance. It's going to take me just a couple of minutes to remove the instance.

Christian
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-23 15:14, Nathaniel McCallum wrote:
> On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote:
>> On 2015-06-23 14:58, Nathaniel McCallum wrote:
>>> I agree. One other small nitpick is that the python-kdcproxy dependency is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL and Fedora. The only remaining step here is to push python-kdcproxy in the same update as the next FreeIPA build.
>>
>> I don't see python-kdcproxy 0.3 on my F22 test VM. It's still python-kdcproxy-0.2.1-1.fc22.noarch. dnf update doesn't pull any updates either.
>
> ... because it hasn't been pushed. Updates are a two-step process. First you build the new package, then you push it. It is currently built, just not pushed. We will push FreeIPA and kdcproxy together.

Ah, got it! What's the simplest way to download and test the new package on my VM?

Christian
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-23 17:35, Nathaniel McCallum wrote:
> typo: is_kdcprox_configured
>
> You need to update the commit message (don't do changes since last patch).
>
> Also, I'm pretty sure this is the case, but the code in ipaserver/install/httpinstance.py only executes during initial installation, right?

head -> desk! Of course you are right. The old code ran the update code. I fixed it.

Rob also suggested that I use .uldif as prefix. My LDIFs aren't strictly LDIFs because they use dynamic templates.

From 93cc97a9ffdf0d76c377b731d418999d95fe299a Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 23 Jun 2015 17:01:00 +0200
Subject: [PATCH] Provide Kerberos over HTTP (MS-KKDCP)

Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX. It's enabled when ipaConfigString=kdcProxyEnabled is present.
- The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui.
- An ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers is read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet.
https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 --- freeipa.spec.in | 25 + init/systemd/httpd.service | 2 + install/conf/Makefile.am | 1 + install/conf/ipa-kdc-proxy.conf.template | 30 ++ install/conf/ipa.conf| 6 +- install/share/Makefile.am| 3 + install/share/kdcproxy-disable.uldif | 3 + install/share/kdcproxy-enable.uldif | 6 ++ install/share/kdcproxy.conf | 4 + install/tools/Makefile.am| 5 + install/tools/ipa-httpd-kdcproxy | 180 +++ ipaplatform/base/paths.py| 4 +- ipaserver/install/httpinstance.py| 65 ++- ipaserver/install/ipa_backup.py | 1 + ipaserver/install/server/upgrade.py | 5 + 15 files changed, 335 insertions(+), 5 deletions(-) create mode 100644 install/conf/ipa-kdc-proxy.conf.template create mode 100644 install/share/kdcproxy-disable.uldif create mode 100644 install/share/kdcproxy-enable.uldif create mode 100644 install/share/kdcproxy.conf create mode 100755 install/tools/ipa-httpd-kdcproxy diff --git a/freeipa.spec.in b/freeipa.spec.in index 809ac1e5bb877c85e29c082ecfb9ad91aa97b4f5..caacf4bda0611c31880933e8e05db6518886eb65 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -22,6 +22,10 @@ %define _hardened_build 1 +%define kdcproxy_user kdcproxy +%define kdcproxy_group kdcproxy +%define kdcproxy_home %{_sharedstatedir}/kdcproxy + Name: freeipa Version:__VERSION__ Release:__RELEASE__%{?dist} @@ -95,6 +99,7 @@ BuildRequires: p11-kit-devel BuildRequires: pki-base = 10.2.4-1 BuildRequires: python-pytest-multihost = 0.5 BuildRequires: python-pytest-sourceorder +BuildRequires: python-kdcproxy = 0.3 %description IPA is an integrated solution to provide centrally managed Identity (machine, @@ -130,6 +135,7 @@ Requires: memcached Requires: python-memcached Requires: dbus-python Requires: systemd-units = 38 +Requires(pre): shadow-utils Requires(pre): systemd-units Requires(post): systemd-units Requires: selinux-policy = %{selinux_policy_version} 
@@ -140,6 +146,7 @@ Requires: pki-kra = 10.2.4-1 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns = 1.11.1 +Requires: python-kdcproxy = 0.3 Requires: zip Requires: policycoreutils = 2.1.12-5 Requires: tar @@ -429,6 +436,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \ # So we can own our Apache configuration mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf mkdir -p %{buildroot}%{_usr}/share/ipa/html/ @@ -458,6 +466,10 @@ install daemons
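Review bot: the `+Requires(pre): shadow-utils` line in the `@@ -130,6 +135,7 @@` hunk, together with the new `kdcproxy_user`, `kdcproxy_group` and `kdcproxy_home` macros from the `@@ -22,6 +22,10 @@` hunk, implies a %pre scriptlet that creates the account and a %files entry for %{kdcproxy_home}, neither of which is in this excerpt. Since the /KdcProxy WSGI daemon group runs under this uid and gid (per the commit message), please make sure the scriptlet creates a system account (`useradd -r`, nologin shell, home %{kdcproxy_home}) in an idempotent way that survives package upgrades, and that %{kdcproxy_home} is packaged owned by that user with restrictive permissions rather than left root-owned or created ad hoc at runtime.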
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-23 19:55, Nathaniel McCallum wrote:
> The behavior I'm worried about here is this:
>
> 1. Admin installs or updates FreeIPA (w/ kdcproxy)
> 2. Admin disables kdcproxy
> 3. Admin updates to the next version
>
> After step #3, is kdcproxy enabled or disabled? I don't have a clear answer to this (or at least I'm not seeing it). Other than this, I'm happy. So if we can answer this, it is an ack from me.

That is covered by the check is_kdcproxy_configured(). It checks for the presence of a file. That file is created during installation or at the first update.

Let's see if the check works. At first I'm disabling kdcproxy:

# ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif
Parsing update file '/usr/share/ipa/kdcproxy-disable.uldif'
Updating existing entry: cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
Done
Update complete
The ipa-ldap-updater command was successful
# systemctl restart httpd.service
# curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /KdcProxy was not found on this server.</p>
</body></html>
# stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
stat: cannot stat ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’: No such file or directory

Next I'm running the updater and checking the feature again:

# ipa-server-upgrade
...
# systemctl restart httpd.service
# curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /KdcProxy was not found on this server.</p>
</body></html>
# stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
stat: cannot stat ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’: No such file or directory

KDC proxy is still disabled. Let's enable it and check again.
# ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif
Parsing update file '/usr/share/ipa/kdcproxy-enable.uldif'
Updating existing entry: cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
Done
Update complete
The ipa-ldap-updater command was successful
# systemctl restart httpd.service
# curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
Method not allowed (GET)
# stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
  File: ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’ -> ‘/etc/ipa/kdcproxy/ipa-kdc-proxy.conf’
  Size: 36        Blocks: 0          IO Block: 4096   symbolic link
Device: fd01h/64769d    Inode: 398238      Links: 1
...
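The symlink toggle that the 2015-06-22 design message describes and that the transcript above exercises (a 404 while the conf.d symlink is absent, "Method not allowed (GET)" once it points at /etc/ipa/kdcproxy/ipa-kdc-proxy.conf), written out as an added example; it is not the project's own ipa-httpd-kdcproxy tool. It reads ipaConfigString=kdcProxyEnabled from the cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc entry over ldapi with SASL EXTERNAL, then creates or removes the symlink and refuses to touch a path it does not own. The paths, DN layout and attribute value come from the thread; the ldapi URI argument, the function names, the return codes and the dry_run() scratch scenario are assumptions made for this example.

```python
"""Keep /etc/httpd/conf.d/ipa-kdc-proxy.conf in sync with the LDAP on/off flag.

Added example modelled on the ExecStartPre design in this thread; it is not
the FreeIPA project's own ipa-httpd-kdcproxy tool.  Paths, DN layout and the
ipaConfigString value come from the thread; the ldapi URI argument, function
names, return codes and the dry_run() scenario are assumptions for this example.
"""
import logging
import os
import tempfile

LINK = "/etc/httpd/conf.d/ipa-kdc-proxy.conf"      # symlink managed here (thread)
TARGET = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf"    # template-generated config (thread)
FLAG = "kdcProxyEnabled"                            # ipaConfigString value (thread)

log = logging.getLogger("ipa-httpd-kdcproxy")


def flag_present(config_strings):
    """True when one ipaConfigString value equals kdcProxyEnabled.

    python-ldap hands back bytes; str is accepted too so the check can be
    exercised without a directory server.
    """
    for value in config_strings:
        if isinstance(value, bytes):
            value = value.decode("utf-8")
        if value == FLAG:
            return True
    return False


def is_enabled_in_ldap(fqdn, suffix, ldapi_uri):
    """Read the flag from cn=KDC,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix>.

    ExecStartPre runs as root, so SASL EXTERNAL over the ldapi socket maps the
    caller to Directory Manager (as the thread explains): no keytab and no extra
    permission are needed.  Needs python-ldap; ldapi_uri is an assumed parameter.
    """
    import ldap        # imported lazily so the symlink logic runs offline
    import ldap.sasl

    conn = ldap.initialize(ldapi_uri)
    conn.sasl_interactive_bind_s("", ldap.sasl.external())
    dn = "cn=KDC,cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (fqdn, suffix)
    result = conn.search_s(dn, ldap.SCOPE_BASE, "(objectClass=*)", ["ipaConfigString"])
    if not result:
        return False
    return flag_present(result[0][1].get("ipaConfigString", []))


def sync_symlink(enabled, link=LINK, target=TARGET):
    """Create or remove the symlink, never touching a path this script does not own.

    Returns "created", "removed", "unchanged" or "skipped-foreign" (assumed names).
    A regular file, or a symlink pointing somewhere else, is left in place with a
    warning so an administrator's own file is never clobbered.
    """
    if os.path.lexists(link):                      # lexists: a dangling symlink still counts
        if not (os.path.islink(link) and os.readlink(link) == target):
            log.warning("%s exists but is not a symlink to %s; leaving it alone", link, target)
            return "skipped-foreign"
        if enabled:
            return "unchanged"
        os.unlink(link)                            # only ever removes our own symlink
        return "removed"
    if enabled:
        os.symlink(target, link)
        return "created"
    return "unchanged"


def dry_run(workdir=None):
    """Exercise every transition in a scratch directory (constructed scenario).

    Returns the sync_symlink() results in order, followed by a check that the
    foreign regular file survived untouched.
    """
    workdir = workdir or tempfile.mkdtemp(prefix="kdcproxy-dryrun-")
    target = os.path.join(workdir, "ipa-kdc-proxy.conf")
    link = os.path.join(workdir, "conf.d", "ipa-kdc-proxy.conf")
    os.makedirs(os.path.dirname(link), exist_ok=True)
    open(target, "w").close()
    steps = [
        sync_symlink(True, link, target),    # enable on a clean system
        sync_symlink(True, link, target),    # enable again: idempotent
        sync_symlink(False, link, target),   # disable: symlink removed
        sync_symlink(False, link, target),   # disable again: nothing to do
    ]
    open(link, "w").close()                  # admin drops a hand-written file here
    steps.append(sync_symlink(True, link, target))
    steps.append(os.path.isfile(link) and not os.path.islink(link))
    return steps


if __name__ == "__main__":
    import socket
    import sys
    # Assumed invocation from httpd.service: ipa-httpd-kdcproxy <suffix> <ldapi-uri>
    logging.basicConfig(level=logging.INFO)
    enabled = is_enabled_in_ldap(socket.getfqdn(), sys.argv[1], sys.argv[2])
    log.info("kdcproxy %s: %s", "enabled" if enabled else "disabled", sync_symlink(enabled))
```

The branch that matters for a hook running as root is the "skipped-foreign" one: the script only ever unlinks a symlink that already points at the expected target, so an administrator's hand-placed ipa-kdc-proxy.conf is never deleted or silently replaced, and the warning in the journal explains why flipping the LDAP flag had no effect. dry_run() walks through all four transitions in a temporary directory without a directory server.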
Re: [Freeipa-devel] python-kdcproxy 0.3
On 2015-06-25 06:04, Martin Kosek wrote:
> We need to make sure it is at least in
> https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/builds/
> https://copr.fedoraproject.org/coprs/mkosek/freeipa-master/builds/
>
> I started the COPR builds based on the F22 SRPMs.

Thanks Martin!

You can easily build a F21 RPM with a small modification. You can either disable the %check block and remove the tox call from the spec file. Or you could include my patch. The code is fine. It is really just a small incompatibility in the test code.

Apropos tests, let's talk about CI for python-kdcproxy when you are back in Brno.

Christian
[Freeipa-devel] python-kdcproxy 0.3
Hi,

today my patch for Kerberos over HTTP landed in FreeIPA. It introduces a new dependency on python-kdcproxy 0.3. The package is not yet available from the official repositories. You can download it from Koji:

http://koji.fedoraproject.org/koji/packageinfo?packageID=19292

F21 builds are currently broken. The tox.ini uses a feature that is not supported by tox < 1.8. Fedora 21 has tox 1.7.1. I've submitted an upstream fix:

https://github.com/npmccallum/kdcproxy/pull/19

I'm sorry for any inconveniences!

Christian
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
Hi,

I've created a new patch that implements the KDC switch as an ExecStartPre hook in httpd.service.

Testing:

If you are doing an upgrade of an existing installation, then you have to run ipa-server-update first. The update creates the config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf from a template. /usr/libexec/ipa/ipa-httpd-kdcproxy creates / removes the symlink /etc/httpd/conf.d/ipa-kdc-proxy.conf. The feature is enabled by default.

Disable KDC Proxy on the current host:

# ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.ldif
# systemctl restart httpd.service

Enable KDC Proxy on the current host:

# ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.ldif
# systemctl restart httpd.service

Regards,
Christian

From b860590e6859fc0edcd9543b1a0dc6e58d93afa6 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 23 Jun 2015 11:09:46 +0200
Subject: [PATCH] Provide Kerberos over HTTP (MS-KKDCP)

Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.2.1. All kdcproxy dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX. It's enabled when ipaConfigString=kdcProxyEnabled is present.
- The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui.
- An ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The Apache config sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers is read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet.

Changes since the last patch:

- WSGI shim module was removed in favor of the symlink approach.
- Since the ExecStartPre script runs as root user, EXTERNAL GSSAPI bind can be used. This eliminates the need for a keytab, service principal and additional permission.
https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 --- freeipa.spec.in| 26 + init/systemd/httpd.service | 1 + install/conf/Makefile.am | 1 + install/conf/ipa-kdc-proxy.conf.template | 31 + install/conf/ipa.conf | 6 +- install/share/Makefile.am | 3 + install/share/kdcproxy-disable.ldif| 3 + install/share/kdcproxy-enable.ldif | 6 + install/share/kdcproxy.conf| 4 + install/tools/Makefile.am | 5 + install/tools/ipa-httpd-kdcproxy | 180 + ipaplatform/base/paths.py | 4 +- ipaserver/install/ipa_backup.py| 1 + ipaserver/install/kdcproxyinstance.py | 163 ++ ipaserver/install/server/install.py| 8 +- ipaserver/install/server/replicainstall.py | 8 +- ipaserver/install/server/upgrade.py| 8 ++ 17 files changed, 452 insertions(+), 6 deletions(-) create mode 100644 install/conf/ipa-kdc-proxy.conf.template create mode 100644 install/share/kdcproxy-disable.ldif create mode 100644 install/share/kdcproxy-enable.ldif create mode 100644 install/share/kdcproxy.conf create mode 100755 install/tools/ipa-httpd-kdcproxy create mode 100644 ipaserver/install/kdcproxyinstance.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 809ac1e5bb877c85e29c082ecfb9ad91aa97b4f5..6b14650600016d9fa6f5baf01379c37af9b38eef 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -22,6 +22,10 @@ %define _hardened_build 1 +%define kdcproxy_user kdcproxy +%define kdcproxy_group kdcproxy +%define kdcproxy_home %{_sharedstatedir}/kdcproxy + Name: freeipa Version:__VERSION__ Release:__RELEASE__%{?dist} @@ -95,6 +99,7 @@ BuildRequires: p11-kit-devel BuildRequires: pki-base = 10.2.4-1 BuildRequires: python-pytest-multihost = 0.5 BuildRequires: python-pytest-sourceorder +BuildRequires: python-kdcproxy = 0.2.1 %description IPA is an integrated solution to provide centrally managed Identity (machine, 
@@ -130,6 +135,7 @@ Requires: memcached Requires: python-memcached Requires: dbus-python Requires: systemd-units = 38 +Requires(pre): shadow-utils Requires(pre): systemd-units Requires(post): systemd-units Requires: selinux-policy = %{selinux_policy_version} @@ -140,6 +146,7 @@ Requires: pki-kra = 10.2.4-1 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns = 1.11.1 +Requires: python-kdcproxy
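Review bot: `+BuildRequires: python-kdcproxy = 0.2.1` in the `@@ -95,6 +99,7 @@` hunk and the `+Requires: python-kdcproxy` line at the end of the `@@ -140,6 +146,7 @@` hunk still pin 0.2.1, while the review in this thread asks for 0.3 because of the fixes that went into that release. Bump the BuildRequires and the Requires together so the build-time and runtime constraints cannot drift apart, and coordinate the push of python-kdcproxy with the FreeIPA build, since a Requires on a version that is built but not yet pushed makes the package uninstallable from the official repositories.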
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-17 18:09, Nathaniel McCallum wrote:
> * There is a new permission: Read IPA Masters KDC Proxy. Is this necessary? Can't the config be world-readable and admin writable? There is no extra security in hiding this attribute. This also completely removes the need for a keytab since anonymous binding can be used. This also, I believe, removes the need for a service.

I brought up your suggestion in today's IPA devel meeting. Simo explained that anonymous binding might not be available. Some customers disable it on their systems. I'd have to find yet another way to authenticate, e.g. using the user account. That would only work locally, though.

Let's go ahead with my current approach. It's implemented and I have tested upgrade and fresh installation a couple of times, too.

Christian
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-22 16:01, Nathaniel McCallum wrote:
> I'd still prefer a user mapping to managing a keytab. This patch is just way too complex for what it does.

I don't get what you mean with 'user mapping'. Are you referring to EXTERNAL bind over ldapi?
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-12 23:58, Adam Young wrote:
> So...I've been spoiled a bit by Gerrit. Here is what I just did to get them to apply:
>
> cd freeipa
> git clean -xdf .
> #use the -3 to do 3 way merge
> git am -3 ~/Documents/freeipa/patches/cheimes/freeipa-cheimes-0001-3-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
>
> git status shows conflicts in
>
> both modified: install/share/Makefile.am
> both modified: ipaplatform/base/paths.py
>
> Which were due to this change and another making changes to the same section of the file, but they were accept-both type conflicts.
>
> Updated patch is attached. Christian, please confirm it is OK.

Hi Adam,

awesome! The three-way-merge option is a great trick. I didn't know it before. Your patch looks like the patch that I was about to upload now. :)

Christian
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
On 2015-06-17 18:09, Nathaniel McCallum wrote:
> On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
>> On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
>>> It doesn't apply again.
>>>
>>> On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
>>>> On 2015-05-27 15:16, Christian Heimes wrote:
>>>>> Hello,
>>>>>
>>>>> here is my first patch for FreeIPA. The patch integrates python-kdcproxy for MS-KKDCP support (aka Kerberos over HTTPS).
>>>>>
>>>>> https://www.freeipa.org/page/V4/KDC_Proxy
>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4801
>>>>
>>>> freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch doesn't apply anymore. The new patch is based on the current master.
>>>>
>>>> Christian

Thanks Nathaniel,

quick review before I have to leave again. A couple of Red Hatters from Brno just arrived at the hotel. I'll grab a beer with them.

> I'm reviewing Adam's version of Christian's patch.
>
> * FreeIPA should require python-kdcproxy >= 0.3 considering there are lots of fixes related to this project.

We need to package it first, when I'm back from NHO. I've started to study the packaging docs in the engineering section. Maybe you or somebody else can walk me through the process next week?

> * KDC Proxy path is not configurable. This probably needs to be noted in documentation somewhere when mentioning the default path.

LGTM

> * Has OID 2.16.840.1.113730.3.8.3.28 been officially claimed?

How? I thought 2.16.840.1.113730.3.8.3 is in our own OID space and we don't have to register it with IANA. Or are you referring to another registry?

> * There is a new permission: Read IPA Masters KDC Proxy. Is this necessary? Can't the config be world-readable and admin writable? There is no extra security in hiding this attribute. This also completely removes the need for a keytab since anonymous binding can be used. This also, I believe, removes the need for a service. That would make the code simpler and shorter too.

I'm +0 on the proposal.

> * The creation of the kdcproxy user is trailed by exit 0. Why?

https://fedoraproject.org/wiki/Packaging:UsersAndGroups recommends exit 0.

> * replicainstall.py has trailing whitespace

I'll address it with my next patch.

Christian
Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)
On 2015-05-27 11:59, Martin Kosek wrote:
> On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
>> On Wed, 27 May 2015, Martin Kosek wrote:
>>> On 05/26/2015 05:40 PM, Jan Cholasta wrote:
>>>> On 22.5.2015 12:24, Christian Heimes wrote:
>>>>> ...
>>>>> Finally I haven't figured out the best way to configure the instance. An admin should be able to enable / disable KDC proxy. Should I write a script or an ipa plugin for the job?
>>>>
>>>> A script, ipa-kdcproxy-install, if you want to be consistent with what's already there.
>>>
>>> I thought we wanted to install it by default and only switch it on/off via configuration in LDAP. In that case, no ipa-*-install should be needed.
>>
>> As with any other feature which requires configuration of other components, if it wasn't installed before, you need to make sure you are able to configure it over an upgraded instance. Not providing ipa-kdcproxy-install would mean you are not supporting an upgrade case.
>
> I do not disagree with the approach for optional components. But as I wrote above, this was supposed to be configured everywhere by default - both on new and upgraded installations. AFAIK, it is mostly just one config for Apache and wsgi script.

Yes, it is really just one boolean switch (service enabled/disabled). The state of the switch is read when Apache is started or reloaded. In the default state KDC Proxy is enabled. When the service is disabled, the WSGI script replies with 404 instead. All remaining settings like kdc, kadmin and kpasswd server(s) are read from /etc/krb5.conf.

I had both the per-replica and the global switch implemented. After a discussion with Nathaniel and Martin, it's now a global switch only. Nathaniel argued that a global switch is easier to implement as well as sufficient for now. The state of the switch is controlled with ipa config-mod:

    ipa config-mod --enable-kdcproxy=TRUE
    ipa config-mod --enable-kdcproxy=FALSE

The schema changes for the new attribute are handled by ipa-server-upgrade. The Apache config file is created by ipa-server-install, ipa-replica-install and ipa-server-upgrade.

Christian
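The switch semantics described in this reply (one boolean read at Apache start/reload, 404 while disabled, otherwise hand the request to kdcproxy) as an added example; this is not FreeIPA's kdcproxyshim.py and not python-kdcproxy code. The LDAP lookup is stood in by a plain callable, the upstream kdcproxy application by a stub, and the LDAP entries are constructed; the case-insensitive comparison of ipaConfigString values is an assumption.

```python
# Added example (not FreeIPA's kdcproxyshim.py): a WSGI wrapper that evaluates a
# master's on/off switch once, when the process starts, and answers 404 while it
# is off. The LDAP lookup is stood in by a callable; entries are constructed.
import io
from typing import Callable, Iterable, List

# ipaConfigString value that marks KDC proxy as enabled on this master
# (the name the thread settled on; the earlier draft used enabledService).
KDCPROXY_FLAG = "kdcProxyEnabled"


def kdcproxy_enabled(config_strings: Iterable[str]) -> bool:
    """Switch state from the ipaConfigString values of cn=KDC,cn=$FQDN,cn=masters,...
    Compared case-insensitively (assumption: the attribute uses caseIgnoreMatch)."""
    return any(v.strip().lower() == KDCPROXY_FLAG.lower() for v in config_strings)


def build_application(read_switch: Callable[[], List[str]], upstream):
    """Read the switch exactly once, when mod_wsgi loads the script.

    That is the trade-off described in the thread: no LDAP round trip per
    request, but a change of the flag needs an Apache reload or restart."""
    enabled = kdcproxy_enabled(read_switch())

    def application(environ, start_response):
        if not enabled:
            body = b"KDC proxy is disabled on this master\n"
            start_response("404 Not Found",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return upstream(environ, start_response)   # hand off to kdcproxy

    return application


def stub_kdcproxy(environ, start_response):
    """Stand-in for kdcproxy's WSGI application: reports what it would handle."""
    body = ("kdcproxy would handle %s %s"
            % (environ["REQUEST_METHOD"], environ["PATH_INFO"])).encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def invoke(app, method="POST", path="/KdcProxy"):
    """Minimal WSGI driver so the example runs without Apache/mod_wsgi."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "wsgi.input": io.BytesIO()}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


def demo():
    """Enabled vs. disabled master, plus the reload caveat.
    Returns the four statuses (enabled, disabled, stale after flip, after reload)."""
    # Constructed LDAP entries for two masters (attribute -> values).
    enabled_master = {"cn": ["KDC"], "ipaConfigString": ["enabledService", KDCPROXY_FLAG]}
    disabled_master = {"cn": ["KDC"], "ipaConfigString": ["enabledService"]}

    on = build_application(lambda: enabled_master["ipaConfigString"], stub_kdcproxy)
    off = build_application(lambda: disabled_master["ipaConfigString"], stub_kdcproxy)
    on_status, _ = invoke(on)
    off_status, _ = invoke(off)

    # Flip the flag after startup: the running app keeps its old answer until
    # the script is loaded again (Apache reload), exactly as the thread warns.
    enabled_master["ipaConfigString"].remove(KDCPROXY_FLAG)
    stale_status, _ = invoke(on)
    reloaded = build_application(lambda: enabled_master["ipaConfigString"], stub_kdcproxy)
    reloaded_status, _ = invoke(reloaded)
    return on_status, off_status, stale_status, reloaded_status


if __name__ == "__main__":
    print(demo())
```

The third value returned by demo() is the operational caveat from the thread made visible: after the flag is cleared in LDAP the already-built application still answers 200 until it is rebuilt, so a disable must be followed by an httpd reload on every master.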
Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
Changes since patch 1:

- Further simplify krb ticket code
  Simo has pointed out that KRB5_CLIENT_KTNAME and MEMORY ccache are sufficient for the GSSAPI.
  http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
- switch is now in ipaConfigString=kdcProxyEnabled of cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc
- add service principal KDCPROXY
- add own keytab /etc/ipa/kdcproxy/kdcproxy.keytab
- add permission 'System: Read IPA Masters KDC Proxy'
- add privilege 'IPA Masters KDC Proxy Readers'
- add ipa-ldap-updater scripts to enable/disable KDC Proxy
- Create a separate user and group account
  The KDC Proxy WSGI app now uses a separate user account to run the daemon process. The keytab is only readable by that user, too.

From 32b64b8b385853c04158596d010bb8977e2e03a8 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Thu, 21 May 2015 12:42:27 +0200
Subject: [PATCH] Provide Kerberos over HTTP (MS-KKDCP)

Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.2.1. All kdcproxy dependencies are already satisfied.
- The service can be globally toggled with the boolean attribute ipaKDCproxyEnabled in cn=ipaConfig,cn=etc. The switch is supported by ipa config-mod --enable-kdcproxy.
- The installers and update create a new Apache config file ipa-kdc-proxy.conf that mounts a WSGI app at /KdcProxy. The app is run inside its own WSGI daemon group.
- The WSGI app at /KdcProxy is a WSGI wrapper that checks the state of the switch. When ipaKDCproxyEnabled is FALSE, an HTTP 404 error is returned. For performance reasons the flag is only checked at start of the WSGI app. Apache must be reloaded or restarted to read the switch state again.
- The WSGI app uses the Apache principal to acquire a Kerberos ticket to perform GSSAPI bindings for the LDAP query of ipaKDCproxyEnabled.
- The WSGI wrapper script sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The location of the KDC and KPASSWD servers is read from /etc/krb5.conf.

Changes since patch 1:

- Further simplify krb ticket code
  Simo has pointed out that KRB5_CLIENT_KTNAME and MEMORY ccache are sufficient for the GSSAPI.
  http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
- switch is now in ipaConfigString=kdcProxyEnabled of cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc
- add service principal KDCPROXY
- add own keytab /etc/ipa/kdcproxy/kdcproxy.keytab
- add permission 'System: Read IPA Masters KDC Proxy'
- add privilege 'IPA Masters KDC Proxy Readers'
- add ipa-ldap-updater scripts to enable/disable KDC Proxy
- Create a separate user and group account
  The KDC Proxy WSGI app now uses a separate user account to run the daemon process. The keytab is only readable by that user, too.

https://www.freeipa.org/page/V4/KDC_Proxy
https://fedorahosted.org/freeipa/ticket/4801
---
 ACI.txt                                           |   4 +-
 API.txt                                           |   3 +-
 freeipa.spec.in                                   |  25 +++
 install/conf/Makefile.am                          |   1 +
 install/conf/ipa-kdc-proxy.conf                   |  14 ++
 install/conf/ipa.conf                             |   6 +-
 install/share/60ipaconfig.ldif                    |   4 +-
 install/share/Makefile.am                         |   2 +
 install/share/kdcproxy-disable.ldif               |   3 +
 install/share/kdcproxy-enable.ldif                |   6 +
 install/share/kdcproxy.conf                       |   4 +
 install/share/kdcproxyshim.py                     | 161 +
 install/ui/src/freeipa/serverconfig.js            |   4 +
 install/updates/40-delegation.update              |   7 +
 install/updates/50-ipaconfig.update               |   4 +
 ipalib/plugins/config.py                          |   8 +-
 ipaplatform/base/paths.py                         |   4 +-
 ipaserver/install/ipa_backup.py                   |   1 +
 ipaserver/install/kdcproxyinstance.py             | 201 +
 .../install/plugins/update_managed_permissions.py |  11 ++
 ipaserver/install/server/install.py               |   8 +-
 ipaserver/install/server/replicainstall.py        |   9 +-
 ipaserver/install/server/upgrade.py               |   8 +
 23 files changed, 488 insertions(+), 10 deletions(-)
 create mode 100644 install/conf/ipa-kdc-proxy.conf
 create mode 100644 install/share/kdcproxy-disable.ldif
 create mode 100644 install/share/kdcproxy-enable.ldif
 create mode 100644 install/share/kdcproxy.conf
 create mode 100644 install/share/kdcproxyshim.py
 create mode 100644 ipaserver/install/kdcproxyinstance.py

diff --git a/ACI.txt b/ACI.txt
index 3c4ebde5b3ac2eb0b8e9465c5f2bd74f5bdbfb01..3d586876a525ec3d3b20cdab0d8e09542dd418a3
Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)
On 2015-05-27 15:51, Nathaniel McCallum wrote:
> As I understand the problem, there is an assumption that an optional component has a distinct service to start and stop. That is not the case here. This is just new config for apache.

More details:

The KDC Proxy uses the same Apache instance as FreeIPA's Web GUI and Tomcat. There is no extra service involved. The switch just decides if https://ipa.example.org/KdcProxy acts as a MS-KKDCP end point or returns a 404 error. My patch 0001 Provide Kerberos over HTTP (MS-KKDCP) has more details.

Christian
Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)
On 2015-05-27 14:47, Petr Vobornik wrote:
> Install/uninstall is not the same thing as enable/disable.
>
> Installation is a set of steps which first configures and then (optionally) enables the component. E.g.:
> 1. modify configuration file(s), ldap entries
> 2. run something which starts the component. E.g. `systemctl start xxx`, an ldap change which is being observed (like topology plugin).
>
> The only rationale for an external tool is to do stuff which can't be done through the API. E.g. restart of httpd.service or a need of Directory Manager. But in that case the tool should be:
>
>     ipa-kdcproxy-manage enable|disable

Right, the restart of httpd.service isn't handled by ipa config-mod. A tool like ipa-kdcproxy-manage could handle the restart on a local machine. As far as I know it won't be able to restart httpd on all replicas, too. My current implementation needs a restart of all Apache servers on all machines that run a kdc proxy instance.

Christian
[Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
Hello,

here is my first patch for FreeIPA. The patch integrates python-kdcproxy for MS-KKDCP support (aka Kerberos over HTTPS).

https://www.freeipa.org/page/V4/KDC_Proxy
Ticket: https://fedorahosted.org/freeipa/ticket/4801

Christian

From 49ad74834ef9036d0678dceb4020784fef389446 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Thu, 21 May 2015 12:42:27 +0200
Subject: [PATCH] Provide Kerberos over HTTP (MS-KKDCP)

Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.2.1. All kdcproxy dependencies are already satisfied.
- The service can be globally toggled with the boolean attribute ipaKDCproxyEnabled in cn=ipaConfig,cn=etc. The switch is supported by ipa config-mod --enable-kdcproxy.
- The installers and update create a new Apache config file ipa-kdc-proxy.conf that mounts a WSGI app at /KdcProxy. The app is run inside its own WSGI daemon group.
- The WSGI app at /KdcProxy is a WSGI wrapper that checks the state of the switch. When ipaKDCproxyEnabled is FALSE, an HTTP 404 error is returned. For performance reasons the flag is only checked at start of the WSGI app. Apache must be reloaded or restarted to read the switch state again.
- The WSGI app uses the Apache principal to acquire a Kerberos ticket to perform GSSAPI bindings for the LDAP query of ipaKDCproxyEnabled.
- The WSGI wrapper script sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The location of the KDC and KPASSWD servers is read from /etc/krb5.conf.

https://www.freeipa.org/page/V4/KDC_Proxy
https://fedorahosted.org/freeipa/ticket/4801
---
 ACI.txt                                |   2 +-
 API.txt                                |   3 +-
 freeipa.spec.in                        |  11 ++
 install/conf/Makefile.am               |   1 +
 install/conf/ipa-kdc-proxy.conf        |  14 +++
 install/conf/ipa.conf                  |   6 +-
 install/share/60ipaconfig.ldif         |   4 +-
 install/share/Makefile.am              |   2 +
 install/share/kdcproxy.conf            |   4 +
 install/share/kdcproxyshim.py          | 189 +
 install/tools/ipa-replica-install      |   6 ++
 install/tools/ipa-server-install       |   7 ++
 install/ui/src/freeipa/serverconfig.js |   4 +
 install/updates/50-ipaconfig.update    |   4 +
 ipalib/plugins/config.py               |   8 +-
 ipaplatform/base/paths.py              |   1 +
 ipaserver/install/ipa_backup.py        |   1 +
 ipaserver/install/kdcproxyinstance.py  | 105 ++
 ipaserver/install/server.py            |   8 ++
 19 files changed, 373 insertions(+), 7 deletions(-)
 create mode 100644 install/conf/ipa-kdc-proxy.conf
 create mode 100644 install/share/kdcproxy.conf
 create mode 100644 install/share/kdcproxyshim.py
 create mode 100644 ipaserver/install/kdcproxyinstance.py

diff --git a/ACI.txt b/ACI.txt
index 3c4ebde5b3ac2eb0b8e9465c5f2bd74f5bdbfb01..8576f56c3c89311dec92bcd7fe2932e42be3d510 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -23,7 +23,7 @@ aci: (targetattr = automountmapname || description)(targetfilter = (objectcla dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = (objectclass=automountmap))(version 3.0;acl permission:System: Remove Automount Maps;allow (delete) groupdn = ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=ipaconfig,cn=etc,dc=ipa,dc=example -aci: (targetattr = cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass)(targetfilter = (objectclass=ipaguiconfig))(version 3.0;acl permission:System: Read Global Configuration;allow (compare,read,search) userdn = ldap:///all;;) +aci: (targetattr = cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakdcproxyenabled || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass)(targetfilter = (objectclass=ipaguiconfig))(version 3.0;acl permission:System: Read Global
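Review bot: the +aci line in this ACI.txt hunk adds ipakdcproxyenabled to the targetattr list of 'System: Read Global Configuration', whose bind rule (visible in the -aci line) is userdn = ldap:///all with (compare,read,search), so the new switch becomes readable to every authenticated bind, not only to the Apache principal that the commit message says will look it up over a GSSAPI bind; if that exposure is intended, state it in the commit message, and note that ldap:///all does not match anonymous binds, so an unauthenticated lookup of the flag would still be refused under this ACI. The hunk as archived breaks off after 'System: Read Global', so the tail of the new aci value, including its own bind rule, cannot be checked here.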
Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)
On 2015-05-27 15:41, Petr Vobornik wrote:
> It would be great to have a privileged daemon which could observe replicated configuration and perform such tasks on all servers so we would eliminate manual tasks (and errors and misconceptions which are caused by forgotten manual tasks) as much as possible.

We don't need a separate daemon, we already have an HTTP interface. A reload interface can be implemented with an additional route, e.g. GET /KdcProxy/refresh. It needs a bit of extra work in kdcproxy, kdcproxyshim.py and an ACL for the route.

Christian
Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)
On 2015-05-28 10:02, Jan Cholasta wrote:
>> The python-kdcproxy package is a new dependency for the freeipa-server package. It will always get installed with the server.
>
> Why? None of the IPA core functionality depends on it, so it should be optional. Also the overall trend in IPA is to have everything in subpackages.

We discussed the idea on the internal IPA and Samba team list (KDC proxy for FreeIPA 4.2 on 2015-05-15). My initial design suggested a separate freeipa-server-kdcproxy package. Nathaniel, Nathan and Dmitri were in favor of a new dependency instead of a new subpackage.

Christian
Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)
On 2015-05-28 07:32, Jan Cholasta wrote:
> On 27.5.2015 16:01, Christian Heimes wrote:
>> On 2015-05-27 15:51, Nathaniel McCallum wrote:
>>> As I understand the problem, there is an assumption that an optional component has a distinct service to start and stop. That is not the case here. This is just new config for apache.
>>
>> More details:
>>
>> The KDC Proxy uses the same Apache instance as FreeIPA's Web GUI and Tomcat. There is no extra service involved. The switch just decides if https://ipa.example.org/KdcProxy acts as a MS-KKDCP end point or returns a 404 error.
>
> FYI Tomcat does not use the same Apache instance, the Apache instance is configured to proxy requests to Tomcat.
>
> If the IPA KDC proxy package is not installed on a replica, then going to /KdcProxy will return 404, right? Why is an additional switch necessary then?

The python-kdcproxy package is a new dependency for the freeipa-server package. It will always get installed with the server.
Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)
On 2015-05-28 13:30, Jan Cholasta wrote:
> On 28.5.2015 12:53, Christian Heimes wrote:
>> On 2015-05-28 12:46, Martin Kosek wrote:
>>> I am fine with this too. So if there is not another major disagreement, let us start with enabling KDCPROXY by default during upgrade/install, the new ACI and the per-replica standard configuration. API CLI/UI can come later (4.2.x or 4.3).
>>
>> LGTM, too.
>>
>> How should the new ACI work? I see two possible ways:
>>
>> 1) Allow compare/search for ipaConfigString=enabledService for everybody:
>>
>>     (targetfilter=(ipaConfigString=enabledService))(targetattr=ipaConfigString)(version 3.0; acl Compare enabledService access to masters; allow(search, compare) userdn = ldap:///all;;)
>>
>> 2) Create a new permission, assign it to all HTTP principals and allow read, compare and search for all ipaConfigString attributes.
>>
>> For the second way I need somebody to walk me through the permission and role system of FreeIPA.
>>
>> Christian
>
> So, will it be a separate component with its own freeipa-server-kdcproxy subpackage and installer or will it be a sub-component of KDC (as Martin suggested) and part of the core freeipa-server package?

For now I'm in favor of a sub-component as part of the freeipa-server package.

Christian
[Freeipa-devel] KDC proxy implementation specs
Hello,

thank you for your input. The former thread has 58 messages in total. Since last Friday we have come to an agreement on most points. I'd like to sum up our decisions and focus on some minor details.

decisions
---------

python-kdcproxy will be installed as a dependency of freeipa-server. There won't be a separate freeipa-server-kdcproxy package. That may or may not change in the future. The decision is out of scope for 4.2.0. [1]

KDC proxy support will be enabled by default. The config files and LDAP settings will be created by ipa-server-install, ipa-server-upgrade and ipa-replica-install. The enabled/disabled switch will be stored per-replica in the cn=masters,cn=ipa,cn=etc tree.

An API and CLI tool for management is postponed. [2] For now we settle for some doc examples that use the ipa-ldap-updater as suggested by Alex. [3]

open for discussion
-------------------

Jan has suggested ipaConfigString=kdcProxyEnabled in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc instead of ipaConfigString=enabledService in cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc. It makes sense to me. After all MS-KKDCP is just another transport for the KDC. [4]

Martin Basti suggested a different keytab and principal for kdcproxy. [5] The keytab is only required for GSSAPI bind to look up the state of the enabled/disabled switch. The current patch uses the same keytab as the webgui. A new principal separates kdcproxy more cleanly and allows for fine-grained ACIs. It is also more future proof. In the future we may want to move kdcproxy from an Apache WSGI app to a separate service. A dedicated Twisted or asyncio daemon could handle more load. A separate keytab is easy to implement, too. I looked at the code in HTTPInstance.__create_http_keytab().

For the ACI I plan to add a new permission 'System: Read IPA Config String' and make the principal a direct memberOf of it. We don't have service roles yet. cn=roles,cn=accounts look like end user roles to me. The new ACI in cn=masters,cn=ipa,cn=etc will grant read, search and compare permission:

    (targetfilter = (objectClass=nsContainer))(targetattr = cn || objectClass || ipaConfigString)(version 3.0; acl Read IPA Config String; allow (read, search, compare) groupdn = ldap:///cn=System: Read IPA Config String,cn=permissions,cn=pbac,dc=ipa,dc=example;)

I should be able to modify and test my patch in a matter of a couple of hours.

Christian

[1] http://www.redhat.com/archives/freeipa-devel/2015-May/msg00535.html
[2] http://www.redhat.com/archives/freeipa-devel/2015-May/msg00555.html
[3] http://www.redhat.com/archives/freeipa-devel/2015-May/msg00533.html
[4] http://www.redhat.com/archives/freeipa-devel/2015-May/msg00543.html
[5] http://www.redhat.com/archives/freeipa-devel/2015-May/msg00539.html
Re: [Freeipa-devel] KDC proxy implementation specs
On 2015-05-28 16:53, Simo Sorce wrote:
> We can't have 2 different keytabs with the same principal name. If we need privilege separation we'll have to work on integrating GSS-Proxy and give the keytab only to GSS-Proxy leaving it off the hands of both the framework, the proxy, and apache itself.

I had a different principal like KDCPROXY/fqdn@realm in mind.

> Although to be honest I do not see why the proxy needs access to the keytab at all, can we simply run it as a wsgi application under a different user and prevent it from accessing the apache keytab at all ?

Yes, mod_wsgi is able to run a WSGI app as a different user:
https://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIDaemonProcess

A different user needs another location for the ccache and perhaps additional SELinux rules.

> What do we need the keytab for ? Is it just in order to authenticate and read if the service is enabled ? Can we make that information available anonymously ?

Yes, the information is not available for anon bind. It doesn't feel right to disclose the settings to the public.

Christian
Re: [Freeipa-devel] KDC proxy implementation specs
On 2015-05-28 16:48, Nathaniel McCallum wrote:
> An apache module would also provide similar benefits. I'm not sure I necessarily want to stick with python here if we're optimizing for performance. Another option would be to add it to the KDC itself and proxy through Apache like we do for Tomcat. MIT might like that option.

For that kind of network code Python is really fast enough. An event driven framework like asyncio or Twisted can handle lots of connections simultaneously. We aren't speaking about several GBit/sec where zero-copy is required.

I'm more worried about Apache than Python. Apache is tuned for the needs of the webui, e.g. prefork MPM. Let's see how it works out in a production system.

Christian
Re: [Freeipa-devel] KDC proxy implementation specs
On 2015-05-28 17:10, Simo Sorce wrote:
> On Thu, 2015-05-28 at 17:00 +0200, Christian Heimes wrote:
>> On 2015-05-28 16:53, Simo Sorce wrote:
>>> We can't have 2 different keytabs with the same principal name. If we need privilege separation we'll have to work on integrating GSS-Proxy and give the keytab only to GSS-Proxy leaving it off the hands of both the framework, the proxy, and apache itself.
>>
>> I had a different principal like KDCPROXY/fqdn@realm in mind.
>>
>>> Although to be honest I do not see why the proxy needs access to the keytab at all, can we simply run it as a wsgi application under a different user and prevent it from accessing the apache keytab at all ?
>>
>> Yes, mod_wsgi is able to run a WSGI app as a different user:
>> https://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIDaemonProcess
>>
>> A different user needs another location for the ccache and perhaps additional SELinux rules.
>
> If you are using the keytab only to acquire credentials to access ldap you could use a memory ccache and not have to deal with locations:
>
>     KRB5CCNAME=MEMORY:kdcproxy_random_number

Oh nice, I wasn't aware of the MEMORY scheme. Is that supported on older versions of RHEL, too?

>>> What do we need the keytab for ? Is it just in order to authenticate and read if the service is enabled ? Can we make that information available anonymously ?
>>
>> Yes, the information is not available for anon bind. It doesn't feel right to disclose the settings to the public.
>
> Another option is to use ldapi and external auth, I forgot if we allow automatic binding for no-root users though.

No, been there, tried it, failed. It works as root but not as Apache user or my test user.

Christian
Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)
On 2015-05-28 13:29, Martin Basti wrote:
> On 28/05/15 12:53, Christian Heimes wrote:
>> On 2015-05-28 12:46, Martin Kosek wrote:
>>> I am fine with this too. So if there is not another major disagreement, let us start with enabling KDCPROXY by default during upgrade/install, the new ACI and the per-replica standard configuration. API CLI/UI can come later (4.2.x or 4.3).
>>
>> LGTM, too.
>>
>> How should the new ACI work? I see two possible ways:
>>
>> 1) Allow compare/search for ipaConfigString=enabledService for everybody:
>>
>>     (targetfilter=(ipaConfigString=enabledService))(targetattr=ipaConfigString)(version 3.0; acl Compare enabledService access to masters; allow(search, compare) userdn = ldap:///all;;)
>>
>> 2) Create a new permission, assign it to all HTTP principals and allow read, compare and search for all ipaConfigString attributes.
>>
>> For the second way I need somebody to walk me through the permission and role system of FreeIPA.
>
> 3) Or we can create a new keytab for KDC proxy, and add permission only for this service

The new keytab must be readable by the Apache process. Therefore a new keytab doesn't give us extra security. It separates the kdcproxy service from the IPA webgui. Is that your goal?

Christian
Re: [Freeipa-devel] Fix removal of ipa-kdc-proxy.conf symlink
On 2015-06-29 17:28, Petr Vobornik wrote:
> On 06/29/2015 03:22 PM, Fraser Tweedale wrote:
>> On Mon, Jun 29, 2015 at 10:54:50AM +0200, Christian Heimes wrote:
>>> Hello,
>>>
>>> the attached patch fixes the first bug that was reported by Fraser today.
>>>
>>> installutils.remove_file() uses os.path.exists() to check if the file still exists, which in turn uses stat(2). I have modified the function to use os.path.lexists() instead. It doesn't follow symlinks. Because httpinstance first removes the target file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf before it tries to remove the symlink /etc/httpd/conf.d/ipa-kdc-proxy.conf, installutils.remove_file() ignores the dangling symlink.
>>>
>>> Christian
>>
>> ACK
>
> Pushed to master: 2842a83568301c85d340801daae42078333ce63d
>
> Christian, could you please provide [PATCH] in the subject for new threads with a patch? It is an established practice on freeipa-devel and it helps with mail filtering.

I'm sorry that I forgot to include [PATCH] and my patch number. It's Monday...

Christian
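The symlink bug from this thread reproduced as an added example; this is not FreeIPA's installutils code, the two remove_file variants are written here to contrast the exists()/lexists() behaviour, and the paths are constructed inside a temporary directory rather than /etc.

```python
# Added example, not the FreeIPA installutils code: shows why a dangling
# symlink slips past os.path.exists() and how os.path.lexists() catches it.
# Paths are constructed in a temporary directory.
import os
import tempfile


def remove_file_with_exists(path: str) -> bool:
    """The pattern the bug report describes: exists() follows the link and
    stat()s the missing target, so a dangling symlink is never removed."""
    if os.path.exists(path):
        os.remove(path)
        return True
    return False


def remove_file_with_lexists(path: str) -> bool:
    """Fixed variant: lexists() uses lstat(), which sees the link itself."""
    if os.path.lexists(path):
        os.remove(path)
        return True
    return False


def demo():
    """Reproduce the httpinstance order: remove the target first, then the symlink.

    Returns (removed_by_exists_variant, link_left_behind,
             removed_by_lexists_variant, link_gone)."""
    with tempfile.TemporaryDirectory() as tmp:
        # stand-ins for /etc/ipa/kdcproxy/ipa-kdc-proxy.conf and
        # /etc/httpd/conf.d/ipa-kdc-proxy.conf
        target = os.path.join(tmp, "ipa-kdc-proxy.conf")
        link = os.path.join(tmp, "conf.d", "ipa-kdc-proxy.conf")
        os.mkdir(os.path.dirname(link))
        with open(target, "w") as fh:
            fh.write("# constructed sample config\n")
        os.symlink(target, link)

        os.remove(target)                      # step 1: target gone, link now dangles
        removed_buggy = remove_file_with_exists(link)   # False: exists() says "no file"
        left_behind = os.path.lexists(link)             # True: the link is still there
        removed_fixed = remove_file_with_lexists(link)  # True: lstat() sees the link
        gone = not os.path.lexists(link)
        return removed_buggy, left_behind, removed_fixed, gone


if __name__ == "__main__":
    print(demo())
```

The second value is the symptom reported on the list: after the target is removed, the exists() variant returns False, leaves the dangling symlink in the Apache conf.d directory and reports nothing, while the lexists() variant removes it.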
[Freeipa-devel] Kerberos over HTTPS (KDC proxy)
Hello, since May 1st I'm a new Red Hat employee and developer with the FreeIPA team. Some of you may already recognize my name from my contributions to CPython core, Python security and TLS/SSL improvements, or a couple of PEPs. I'm very glad that I can now work on Open Source as a full time job. I haven't had any dealings with FreeIPA before and just rudimentary experience with LDAP and Kerberos as a developer. Over the past two weeks I have been digging through FreeIPA sources, read docs and played with its services. I'm slowly starting to grasp the building blocks.

I was put in charge of MS-KKDCP integration into FreeIPA 4.2 [1]. The task is small and isolated enough for a new contributor. KKDCP stands for Kerberos KDC proxy protocol. It was developed by Microsoft to tunnel KDC requests over HTTPS. It's useful for firewalled environments where 88/TCP+UDP are blocked and only 80/TCP + 443/TCP are available. With KKDCP the client side wraps each Kerberos request in an additional ASN.1 sequence and sends it as a POST request to a proxy. The proxy unpacks the request, forwards it to a KDC and returns its reply to the client. MIT krb5 supports [2] KKDCP since 1.13, Fedora has backports for 1.12. Nathaniel McCallum has written [3] a proxy server as a WSGI app. I'm working on improvements and integration of the WSGI app into FreeIPA. Yesterday several bug fixes already landed in kdcproxy.

The integration into FreeIPA is the tricky part for me. I'm not familiar enough with FreeIPA yet to understand possible implications, so I need your guidance. I already got some feedback from several people (Dmitri, Nathan, Nathaniel, Martin, Martin2, Petr, Alexander...). Here is what I have so far:

1) The FreeIPA webui already depends on Apache and mod_wsgi. KDC proxy will run from the same Apache HTTPD instance but it will use a different mod_wsgi daemon configuration. A second WSGI daemon is easily configured and allows us to tune the daemon for KDC proxy's needs. FreeIPA is mounted at /ipa, KDC Proxy will be available at /KdcProxy or /kdc.

2) For now we are not going to introduce a separate package freeipa-server-kdcproxy. freeipa-server will depend on python-kdcproxy and install all configuration files. Therefore the entry point /KdcProxy is always configured.

3) An administrator must be able to enable/disable the new feature. The state of the switch will be read when Apache is started or reloaded. The feature must be configurable for each replica, too. A WSGI wrapper will read the setting from ipaConfigString=enabledService in cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc. When the feature is disabled, it will reply with a 404 Not Found error.

4) In order to read the state of the switch, the WSGI script needs to be able to connect to LDAP. I can use Apache's / FreeIPA webui's keytab to get a ticket for GSSAPI bind. However Apache has no permission to read ipaConfigStrings in the masters subtree. A new role/permission and ACI is required here.

5) python-kdcproxy can read its configuration from multiple places. For performance reasons we don't want DNS lookups. Therefore our proxy instance will only use libkrb5.so to read a list of KDCs, kpasswd and admin servers from /etc/krb5.conf.

Open questions / issues
---
For 3) and 4) the Apache HTTP principal must be able to read or at least compare the state of the switch. The ACIs in the masters tree forbid any access to ipaConfigString entries except for principals with 'System: Read IPA Masters' permission. Martin Basti and Petr Spacek have suggested that I introduce a new permission for the task. I haven't figured out how to configure and assign a new permission. Right now my experimental code uses this ACI:

(targetfilter="(ipaConfigString=enabledService)")(targetattr="ipaConfigString")(version 3.0; acl "Compare enabledService access to masters"; allow(search, compare) userdn = "ldap:///all";;)

I found ipaserver.install.service.Service and SimpleServiceInstance in the FreeIPA sources. As far as I understand the use of the classes, they are used in the installers to configure service instances. However the kdcproxy service instance is going to be special. It has no 1:1 relation to a system service. Instead it shares a system service (Apache HTTPD) with the HttpInstance for FreeIPA's webui. AFAIK no other service instance has such a relation. Finally I haven't figured out the best way to configure the instance. An admin should be able to enable / disable KDC proxy. Should I write a script or an ipa plugin for the job? You can find my patch in my Github repos [4]. The installer code is mostly untested, though. Please advise :) Christian

[1] https://www.freeipa.org/page/V4/KDC_Proxy
[2] http://web.mit.edu/kerberos/krb5-current/doc/admin/https.html
[3] https://github.com/npmccallum/kdcproxy
[4] https://github.com/tiran/freeipa/compare/master...kdcproxy2

signature.asc Description: OpenPGP digital signature -- Manage your subscription for the
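The wire format described in the message above (each Kerberos PDU wrapped in an extra ASN.1 SEQUENCE and POSTed to the proxy), as an added example that is not python-kdcproxy's or FreeIPA's code. It encodes and decodes the KDC-PROXY-MESSAGE structure from MS-KKDCP with a small DER codec and performs the check a proxy should make before forwarding anything to a KDC: the 4-byte length prefix inside kerb-message must match the payload it carries. Assumptions of this example: the context tags [0]..[2] are EXPLICIT (as in kdcproxy's ASN.1 module), the size cap is arbitrary, and the sample PDU is a constructed placeholder, not a real AS-REQ.

```python
"""KDC-PROXY-MESSAGE (MS-KKDCP) encoder/decoder with a minimal DER codec.

KDC-PROXY-MESSAGE ::= SEQUENCE {
    kerb-message    [0] OCTET STRING,      -- 4-byte big-endian length + Kerberos PDU
    target-domain   [1] KerberosString OPTIONAL,
    dclocator-hint  [2] INTEGER OPTIONAL
}
Assumption of this example: the context tags are EXPLICIT, as in kdcproxy's ASN.1 module.
"""
import struct

SEQUENCE, OCTET_STRING, INTEGER, GENERAL_STRING = 0x30, 0x04, 0x02, 0x1B
MAX_MESSAGE = 64 * 1024  # refuse absurd bodies before parsing (the limit is an assumption)


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def _explicit(index, inner):
    """Context-specific, constructed tag [index] wrapping an already encoded value."""
    return _tlv(0xA0 | index, inner)


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return _tlv(INTEGER, body)


def encode_kdc_proxy_message(kerb_pdu, target_domain=None, dclocator_hint=None):
    """Client side: wrap a raw Kerberos PDU into the POST body sent to /KdcProxy."""
    framed = struct.pack("!I", len(kerb_pdu)) + kerb_pdu
    parts = [_explicit(0, _tlv(OCTET_STRING, framed))]
    if target_domain is not None:
        parts.append(_explicit(1, _tlv(GENERAL_STRING, target_domain.encode("ascii"))))
    if dclocator_hint is not None:
        parts.append(_explicit(2, _der_int(dclocator_hint)))
    return _tlv(SEQUENCE, b"".join(parts))


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos); rejects indefinite and non-minimal lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not DER")
    else:
        nbytes = first & 0x7F
        if nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
        if length < 0x80 or (nbytes > 1 and length < 1 << (8 * (nbytes - 1))):
            raise ValueError("non-minimal length encoding")
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def decode_kdc_proxy_message(data):
    """Proxy side: unwrap the POST body; returns (kerb_pdu, target_domain, hint)."""
    if len(data) > MAX_MESSAGE:
        raise ValueError("message too large")
    tag, seq, end = _read_tlv(data, 0)
    if tag != SEQUENCE or end != len(data):
        raise ValueError("expected exactly one SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag & 0xE0 != 0xA0:
            raise ValueError("unexpected tag 0x%02x" % tag)
        index = tag & 0x1F
        inner_tag, inner, inner_end = _read_tlv(body, 0)
        if inner_end != len(body) or index in fields:
            raise ValueError("malformed field [%d]" % index)
        fields[index] = (inner_tag, inner)
    if fields.get(0, (None,))[0] != OCTET_STRING:
        raise ValueError("kerb-message missing")
    framed = fields[0][1]
    if len(framed) < 4:
        raise ValueError("kerb-message too short")
    (length,) = struct.unpack("!I", framed[:4])
    if length != len(framed) - 4:   # the check a proxy must do before forwarding
        raise ValueError("length prefix %d != %d payload bytes" % (length, len(framed) - 4))
    domain = hint = None
    if 1 in fields:
        if fields[1][0] != GENERAL_STRING:
            raise ValueError("target-domain must be a KerberosString")
        domain = fields[1][1].decode("ascii")
    if 2 in fields:
        if fields[2][0] != INTEGER:
            raise ValueError("dclocator-hint must be INTEGER")
        hint = int.from_bytes(fields[2][1], "big", signed=True)
    return framed[4:], domain, hint


# Constructed sample: tag 0x6A is AS-REQ [APPLICATION 10]; the body is a placeholder.
SAMPLE_PDU = b"\x6a\x03\x02\x01\x05"

if __name__ == "__main__":
    body = encode_kdc_proxy_message(SAMPLE_PDU, "EXAMPLE.TEST")
    print(body.hex())
    print(decode_kdc_proxy_message(body))
```

The decoder is deliberately strict (single top-level SEQUENCE, minimal lengths, no duplicate fields) because the proxy is the component exposed on 443/TCP to unauthenticated clients; everything that fails validation is dropped before any bytes reach the KDC on port 88.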
Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)
On 2015-05-22 13:02, Martin Kosek wrote: The original proposal was to do it globally in cn=config. But if it is about to be stored in the cn=masters, per-replica, this looks like the right way. My first proposal used cn=ipaConfig,cn=etc because it was the first place I found. It took me a bit to find and understand the other subtrees in cn=etc. Other developers have pointed me to the cn=masters subtree. What API did you plan using, for enabling/disabling service? If we go the general IPA service way, should we extend the planned service-* API that Petr Vobornik announced in http://www.redhat.com/archives/freeipa-devel/2015-May/msg00309.html and have a command like serverservice-mod ipa.server kdcproxy --enabled=0? I don't have concrete plans for an enabling/disabling API yet. It's one of the questions I have raised at the end of my mail. I'm going to study Petr Vobornik's mail now. In order to disable or enable KDC proxy, the switch in LDAP must be switched and Apache must be reloaded or restarted. The WSGI wrapper does NOT poll the state of the switch. 4) In order to read the state of the switch, the WSGI script needs to be able to connect to LDAP. I can use Apache's / FreeIPA webui's keytab to get a ticket for GSSAPI bind. However Apache has no permission to read ipaConfigStrings in the masters subtree. A new role/permission and ACI is required here. There is already a permission 'System: Read IPA Masters' and privilege IPA Masters Readers defined, in ipaserver/install/plugins/update_managed_permissions.py. Can this be used? The permission sounds too broad to me. There is probably a reason why all ipaConfigStrings entries are read-protected. I really just need search (and maybe compare) for ipaConfigString=enabledService.
Thanks for your feedback, Christian
Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)
On 2015-05-22 14:02, Petr Vobornik wrote: Actually the service part of IPA servers is not covered in the proposal. The proposal just says that it can be added later. There will be a question if it should even be called services. Maybe capabilities would be a better term given that KDC Proxy is not a standalone service. It's an implementation detail. KDC Proxy shares the Apache HTTP with webui because it is the simplest way. We don't have to create another certificate and an additional principal. However in the future that may change. For high traffic sites a separation of webui and KDC proxy may make sense. The KKDCP WSGI app has different tuning requirements than webui. Christian
Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)
On 2015-05-26 15:57, Nathaniel McCallum wrote: /KdcProxy The URI uses the virtual directory /KdcProxy unless otherwise configured. https://msdn.microsoft.com/en-us/library/hh553891.aspx Also, the proxy should be available over both HTTP and HTTPS. Easy-peasy! I'm using /KdcProxy already and the default configuration allows HTTP and HTTPS requests. I prefer enabled by default unless there is some performance or security consideration. Mere proxying isn't a security consideration since we already expose the KDC by default. My latest patch enables the proxy by default. This is, indeed, a security problem. Do we have a strong use case for per-replica control? If not, let's just do a single global control since we can easily make this globally readable. Martin and Petr both suggested per-replica configuration of the new feature. Petr has argued it is a future-proof design. It will make containerization of FreeIPA simpler as no schema change is required later. Christian
Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)
On 2015-05-26 16:24, Martin Kosek wrote: On 05/26/2015 04:17 PM, Christian Heimes wrote: On 2015-05-26 15:57, Nathaniel McCallum wrote: /KdcProxy The URI uses the virtual directory /KdcProxy unless otherwise configured. https://msdn.microsoft.com/en-us/library/hh553891.aspx Also, the proxy should be available over both HTTP and HTTPS. Easy-peasy! I'm using /KdcProxy already and the default configuration allows HTTP and HTTPS requests. Just make sure it works with the IPA might https rewrite rule:

# Redirect to the secure port if not displaying an error or retrieving
# configuration.
RewriteCond %{SERVER_PORT} !^443$$
RewriteCond %{REQUEST_URI} !^/ipa/(errors|config|crl)
RewriteCond %{REQUEST_URI} !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$$
RewriteRule ^/ipa/(.*) https://$FQDN/ipa/$$1 [L,R=301,NC]

The KDC proxy WSGI app is mounted at /KdcProxy. The IPA rewrite rule only affects /ipa* paths. I discussed this briefly with Nathaniel, if this is sufficiently easy/doable, I am fine with it. If not, then adding the global control may be the way for FreeIPA 4.2 GA and implement the per-replica control later. I guess the per-replica configuration is a bit more work. As far as I know FreeIPA has no command line tool to enable/disable services in the cn=masters,cn=ipa,cn=etc subtree. For starters Petr Vobornik has suggested an API command to list IPA servers. His proposal doesn't include an API to modify services of a server, though. Christian
Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)
On 2015-05-26 16:50, Nathaniel McCallum wrote: Right. So as I see it, we have three options: 1. Merge kdcproxy soon with a global switch. A. Build per-replica switches later. B. Never build per-replica switches. 2. Merge kdcproxy later with per-replica switches. I don't think having both types of switches is bad UX. In fact, I think it is better UX than per-replica switches alone. Since per-replica switches are a superset of the global switch functionality, let's do 1A and do per-replica switches later (if needed and feasible) You know what? That was basically my second implementation. :) I had a global switch in cn=ipaConfig,cn=etc and a per-replica switch in cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc. The code is still in another branch on my laptop. Since I have both variants mostly implemented, I'd like to suggest yet another option: 2. Merge kdcproxy with global and per-replica switch, but for now offer only a CLI command for the global switch. That's easy to implement. I only need an ACI for cn=masters,cn=ipa,cn=etc in order to allow compare and search for ipaConfigString=enabledService. Christian
Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)
On 2015-05-26 17:11, Nathaniel McCallum wrote: I don't want to add code that: 1. is half-baked 2. we aren't committed to supporting. I'd rather land per-replica switches as a separate commit with everything polished and supportable. Well then ... I'm going to remove the code for per-replica config and go back to the global switch. Since I'm now familiar with the code, it's easy for me to add it back, in case we need it again. :) Christian
[Freeipa-devel] error handling in httpd.service and ipa-httpd-kdcproxy
Hello, I'd like to ask for your opinion regarding the pre-exec hook 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error cases like LDAP connection timeout more gracefully. At the moment any error causes the script to return a non-zero exit code. This breaks the service and apparently also offline RPM upgrades. How should I handle error cases? I can change httpd.service to simply ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an invalid state. I could modify the script to catch connection errors and to disable kdcproxy in case of an error. The options are:

1) httpd.service ignores exit code of ipa-httpd-kdcproxy
2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a connection error
3) 1 + 2

What do you think? Christian
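One way to implement option 2 (and, together with the systemd setting mentioned below, option 3) from the question above, as an added example that is not FreeIPA's ipa-httpd-kdcproxy: the hook treats any failure to learn the switch as "disabled for this start", removes the Apache snippet, and still returns normally so httpd comes up without /KdcProxy rather than not at all. `read_switch` stands in for the GSSAPI-bound LDAP lookup, the config path, snippet text and outcome names are this example's assumptions, and the scratch directory used by `demo()` is constructed.

```python
"""Fail-closed pre-start hook for the kdcproxy switch (added example, not FreeIPA code).

Runs before httpd starts: reads the enable flag and writes or removes the Apache
snippet. If the flag cannot be read (LDAP down, timeout, missing keytab) the proxy
is disabled for this start and the hook still succeeds, so httpd comes up without
/KdcProxy instead of not at all.
"""
import logging
import os
import tempfile

log = logging.getLogger("ipa-httpd-kdcproxy")

ENABLED, DISABLED, UNKNOWN = "enabled", "disabled", "unknown"   # outcome names are assumed


def sync_kdcproxy_config(read_switch, conf_path, conf_text):
    """read_switch() returns the flag or raises; afterwards conf_path exists iff ENABLED."""
    try:
        outcome = ENABLED if read_switch() else DISABLED
    except Exception as exc:          # any lookup failure: fail closed, but do not fail the unit
        log.error("cannot read kdcproxy switch (%s); leaving proxy disabled", exc)
        outcome = UNKNOWN

    if outcome == ENABLED:
        # write to a temp file in the same directory and rename, so httpd never
        # sees a half-written snippet
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(conf_path), prefix=".kdcproxy-")
        try:
            with os.fdopen(fd, "w") as f:
                f.write(conf_text)
            os.chmod(tmp, 0o644)
            os.replace(tmp, conf_path)
        except BaseException:
            os.unlink(tmp)
            raise
    else:
        try:
            os.unlink(conf_path)
        except FileNotFoundError:
            pass
    return outcome


def demo():
    """Exercise the three cases in a scratch directory; returns (outcome, file present)."""
    d = tempfile.mkdtemp()
    conf = os.path.join(d, "ipa-kdc-proxy.conf")
    snippet = "WSGIScriptAlias /KdcProxy /path/to/kdcproxy.wsgi\n"   # constructed

    def timeout():
        raise ConnectionError("LDAP connection timed out")

    results = []
    for reader in (lambda: True, timeout, lambda: False):
        outcome = sync_kdcproxy_config(reader, conf, snippet)
        results.append((outcome, os.path.exists(conf)))
    if os.path.exists(conf):
        os.unlink(conf)
    os.rmdir(d)
    return results


if __name__ == "__main__":
    print(demo())
```

Returning a distinct UNKNOWN outcome (rather than folding it into DISABLED) is what keeps the log honest: an administrator who enabled the proxy and finds it missing can tell from the hook's message that the switch was never read, not that it was off. For option 1, systemd ignores a non-zero exit status of a pre-start command when its path is prefixed with "-" (ExecStartPre=-/path/to/ipa-httpd-kdcproxy); combining that with the fail-closed behaviour above is option 3.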
[Freeipa-devel] [PATCH] otptoken: use ipapython.nsslib instead of Python's ssl module
Hello, the patch removes the dependency on Python's ssl module and python-backports-ssl_match_hostname. https://fedorahosted.org/freeipa/ticket/5068 Open question - Is paths.IPA_NSSDB_DIR the correct NSSDB? Christian From 976427e5c448093131a99bdf77fc9d23c2d87883 Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Tue, 7 Jul 2015 15:10:28 +0200 Subject: [PATCH] otptoken: use ipapython.nsslib instead of Python's ssl module The otptoken plugin is the only module in FreeIPA that uses Python's ssl module instead of NSS. The patch replaces ssl with NSSConnection. It uses the default NSS database to lookup trust anchors. NSSConnection uses NSS for hostname matching. The package python-backports-ssl_match_hostname is no longer required. https://fedorahosted.org/freeipa/ticket/5068 --- freeipa.spec.in| 2 -- ipalib/plugins/otptoken.py | 36 2 files changed, 8 insertions(+), 30 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 52af50dd0cac1902759d6d58061d73c7f80b3a0e..c419164410e33f0bc26762bed295f8c704f205fc 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -92,7 +92,6 @@ BuildRequires: systemd BuildRequires: libunistring-devel BuildRequires: python-lesscpy BuildRequires: python-yubico = 1.2.3 -BuildRequires: python-backports-ssl_match_hostname BuildRequires: softhsm-devel = 2.0.0rc1-1 BuildRequires: openssl-devel BuildRequires: p11-kit-devel @@ -252,7 +251,6 @@ Requires: libsss_autofs Requires: autofs Requires: libnfsidmap Requires: nfs-utils -Requires: python-backports-ssl_match_hostname Requires(post): policycoreutils Conflicts: %{alt_name}-client diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index 294c1c54afdfa6a13d37766d6851affa44ece60c..07df0ee3ee29032aaee35f1afc4d0b882d67ea75 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py 
@@ -24,8 +24,9 @@ from ipalib.plugable import Registry from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound, ValidationError from ipalib.request import context from ipalib.frontend import Local +from ipaplatform.paths import paths +from ipapython.nsslib import NSSConnection -from backports.ssl_match_hostname import match_hostname import base64 import uuid import urllib @@ -34,7 +35,6 @@ import httplib import urlparse import qrcode import os -import ssl __doc__ = _( OTP Tokens @@ -471,28 +471,6 @@ class otptoken_remove_managedby(LDAPRemoveMember): member_attributes = ['managedby'] -class HTTPSConnection(httplib.HTTPConnection): -Generates an SSL HTTP connection that performs hostname validation. - -ssl_kwargs = ssl.wrap_socket.func_code.co_varnames[1:ssl.wrap_socket.func_code.co_argcount] #pylint: disable=E1101 -default_port = httplib.HTTPS_PORT - -def __init__(self, host, **kwargs): -# Strip out arguments we want to pass to ssl.wrap_socket() -self.__kwargs = {k: v for k, v in kwargs.items() if k in self.ssl_kwargs} -for k in self.__kwargs: -del kwargs[k] - -# Can't use super() because the parent is an old-style class. -httplib.HTTPConnection.__init__(self, host, **kwargs) - -def connect(self): -# Create the raw socket and wrap it in ssl. -httplib.HTTPConnection.connect(self) -self.sock = ssl.wrap_socket(self.sock, **self.__kwargs) - -# Verify the remote hostname. -match_hostname(self.sock.getpeercert(), self.host.split(':', 1)[0]) class HTTPSHandler(urllib2.HTTPSHandler): Opens SSL HTTPS connections that perform hostname validation. @@ -506,7 +484,9 @@ class HTTPSHandler(urllib2.HTTPSHandler): def __inner(self, host, **kwargs): tmp = self.__kwargs.copy() tmp.update(kwargs) -return HTTPSConnection(host, **tmp) +# NSSConnection doesn't support timeout argument +tmp.pop('timeout', None) +return NSSConnection(host, **tmp) def https_open(self, req): return self.do_open(self.__inner, req) 
@@ -548,9 +528,9 @@ class otptoken_sync(Local): # Sync the token. # pylint: disable=E1101 -handler = HTTPSHandler(ca_certs=os.path.join(self.api.env.confdir, 'ca.crt'), - cert_reqs=ssl.CERT_REQUIRED, - ssl_version=ssl.PROTOCOL_TLSv1) +handler = HTTPSHandler(dbdir=paths.IPA_NSSDB_DIR, + tls_version_min=api.env.tls_version_min, + tls_version_max=api.env.tls_version_max) rsp = urllib2.build_opener(handler).open(sync_uri, query) if rsp.getcode() == 200: status['result'][self.header] = rsp.info().get(self.header, 'unknown') -- 2.4.3 signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
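Review bot: in the @@ -24,8 +24,9 @@ / @@ -34,7 +35,6 @@ import hunks, `-import ssl` goes away but `import os` stays in the context, while the only `os.path.join(...)` use visible in this patch is removed in the last hunk; check whether `os` is still used elsewhere in otptoken.py and, if not, drop the import in the same patch so pylint stays clean.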
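Review bot: in the @@ -506,7 +484,9 @@ hunk, `tmp.pop('timeout', None)` silently discards any timeout the opener passes down, so `otptoken_sync` can now block indefinitely on a stalled server; either state that limitation in the commit message (the comment `# NSSConnection doesn't support timeout argument` does not tell the reader that the request now has none) or apply the timeout to the socket once `NSSConnection` has connected.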
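Review bot: in the @@ -548,9 +528,9 @@ hunk the replacement call reads `api.env.tls_version_min` / `api.env.tls_version_max` while the line it replaces used `self.api.env.confdir`; use `self.api.env` so the command does not depend on a module-level `api` that this patch does not import. The same hunk also changes what is trusted: the old handler pinned verification to `confdir/ca.crt` with `cert_reqs=ssl.CERT_REQUIRED`, i.e. the IPA CA only, whereas `dbdir=paths.IPA_NSSDB_DIR` accepts any issuer trusted in that NSS database. The commit message should say that this widening is intended, confirm that NSSConnection still requires a verified peer certificate, and answer the open question about which NSSDB is the right one.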
Re: [Freeipa-devel] [PATCH 019] Asymmetric vault: validate public key in client
On 2015-08-13 12:10, Petr Vobornik wrote: On 07/23/2015 08:38 PM, Christian Heimes wrote: The ipa vault commands now load the public keys in order to verify them. The validation also prevents a user from accidentally sending her private keys to the server. The patch fixes #5142 and #5142. $ ./ipa vault-add AsymmetricVault --desc Asymmetric vault --type asymmetric --public-key-file mykey.pem ipa: ERROR: invalid 'ipavaultpublickey': Invalid or unsupported vault public key: Could not unserialize key data. https://fedorahosted.org/freeipa/ticket/5142 https://fedorahosted.org/freeipa/ticket/5143 ACK as fix for 5142. I don't think that it fixes 5143. The traceback is fixed therefore 5143 doesn't occur but if there was another traceback raised by `self.api.Command.vault_archive(*args, **opts)` then the vault added in `response = self.api.Command.vault_add_internal(*args, **options)` would still be created. Yes, that is correct. There aren't any arguments that can lead to an exception. The arguments are either already validated by vault_add() or don't raise an error. Of course there are plenty of opportunities for errors. The connection to the IPA or LDAP server could fail, NSS DB could be missing and so on. How should we handle an error in vault_archive? Is there another way than to delete the new vault all along?

try:
    self.api.Command.vault_archive(*args, **opts)
except Exception:
    log_error()
    self.api.Command.vault_del(*args, **opts)
    report_error()

Christian
Re: [Freeipa-devel] [PATCH 019] Asymmetric vault: validate public key in client
On 2015-08-13 14:05, Petr Vobornik wrote: On 08/13/2015 12:38 PM, Christian Heimes wrote: On 2015-08-13 12:10, Petr Vobornik wrote: On 07/23/2015 08:38 PM, Christian Heimes wrote: The ipa vault commands now load the public keys in order to verify them. The validation also prevents a user from accidentally sending her private keys to the server. The patch fixes #5142 and #5142. $ ./ipa vault-add AsymmetricVault --desc Asymmetric vault --type asymmetric --public-key-file mykey.pem ipa: ERROR: invalid 'ipavaultpublickey': Invalid or unsupported vault public key: Could not unserialize key data. https://fedorahosted.org/freeipa/ticket/5142 https://fedorahosted.org/freeipa/ticket/5143 ACK as fix for 5142. I don't think that it fixes 5143. The traceback is fixed therefore 5143 doesn't occur but if there was other traceback raised by `self.api.Command.vault_archive(*args, **opts)` then the vault added in `response = self.api.Command.vault_add_internal(*args, **options)` would be still created. Yes, that is correct. There aren't any arguments that can lead to an exception. The arguments are either already validated by vault_add() or don't raise an error. Of course there are plenty of opportunities errors. The connection to the IPA or LDAP server could fail, NSS DB could be missing and so on. How should we handle an error in vault_archive? Is there another way then to delete the new vault all along? try: self.api.Command.vault_archive(*args, **opts) except Exception: log_error() self.api.Command.vault_del(*args, **opts) report_error() Christian Imho this is the way. But it may fail because of the same root cause as vault_archive. That said I don't see #5142 as a priority and would defer it. I'd still like to see my patch for #5142 in RHEL, too. It prevents accidental exposure of private keys, too. In the test case the test uploads his private keys to the server. FreeIPA should not leak a user's private key. My patch prevents that, too. 
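A client-side check of the kind #5142 describes, as an added example that is not the vault plugin's own code: it parses the PEM file before anything is sent to the server, refuses any block whose label says PRIVATE, and accepts only a single PUBLIC KEY block whose body is base64 of a DER SEQUENCE (the outer shape of a SubjectPublicKeyInfo). The PEM samples are constructed (the base64 is a placeholder SEQUENCE, not a key), and `VaultKeyError` is this example's name for the error a caller would turn into a ValidationError.

```python
"""Client-side validation of a vault public-key file (added example, not FreeIPA code).

Accepts exactly one PEM "PUBLIC KEY" block whose body decodes to a DER SEQUENCE
(the outer shape of a SubjectPublicKeyInfo) and refuses private-key blocks, so
pointing --public-key-file at the wrong file cannot upload the private key.
"""
import base64
import binascii
import re

_PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


class VaultKeyError(ValueError):
    """Reason for rejection; a caller would map it to a ValidationError."""


def _outer_sequence_covers_buffer(der):
    """True if der is a single DER SEQUENCE whose length field spans the whole buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        return 2 + first == len(der)
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)


def validate_vault_public_key(pem):
    """Return the DER bytes of the public key, or raise VaultKeyError."""
    blocks = _PEM_BLOCK.findall(pem)
    if not blocks:
        raise VaultKeyError("no PEM block found")
    labels = [label.decode("ascii") for label, _ in blocks]
    for label in labels:
        if "PRIVATE" in label:       # RSA PRIVATE KEY, EC PRIVATE KEY, PRIVATE KEY, ...
            raise VaultKeyError("file contains a %s block; refusing to send it to the server" % label)
    if labels != ["PUBLIC KEY"]:
        raise VaultKeyError("expected exactly one PUBLIC KEY block, found %s" % labels)
    body = re.sub(rb"\s+", b"", blocks[0][1])
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise VaultKeyError("PEM body is not valid base64: %s" % exc)
    if not _outer_sequence_covers_buffer(der):
        raise VaultKeyError("PEM body is not a DER SubjectPublicKeyInfo")
    return der


def describe(pem):
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        validate_vault_public_key(pem)
        return "ok"
    except VaultKeyError as exc:
        return str(exc)


# Constructed samples: the base64 is a placeholder SEQUENCE (30 03 02 01 01), not a key.
SAMPLE_PUBLIC_PEM = b"-----BEGIN PUBLIC KEY-----\nMAMCAQE=\n-----END PUBLIC KEY-----\n"
SAMPLE_PRIVATE_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nMAMCAQE=\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for sample in (SAMPLE_PUBLIC_PEM, SAMPLE_PRIVATE_PEM, SAMPLE_PUBLIC_PEM + SAMPLE_PRIVATE_PEM):
        print(describe(sample))
```

The private-key check runs before the "exactly one block" check on purpose: a file that holds both halves of a key pair must be reported as "contains a private key", not merely as "too many blocks", because the former is the mistake the user needs to notice. A real implementation would additionally load the DER with the cryptography library to make sure it is a usable key, as the patch under discussion does.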
Re: [Freeipa-devel] [PATCH 023] Add flag to list all service and user vaults
On 2015-08-19 14:12, Jan Cholasta wrote: The new flags should be handled in vault_find's pre_callback instead of vault's get_dn, as they are exclusive to vault_find and worse yet, conflict with vault_{add,remove}_{owner,member}'s flags, leading to unwanted behavior: $ ipa vault-add-member --service testsvc/example.com testvault --services testsvc/example.com ipa: ERROR: Service(s), shared, and user(s) options cannot be specified simultaneously Here is an updated patch. The new flags are now handled by the pre_callback method. I have regenerated API.txt, too. Christian From a6eb87a73c1462a4de516f19b219b51e415852e5 Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Wed, 19 Aug 2015 13:32:01 +0200 Subject: [PATCH] Add flag to list all service and user vaults The vault-find plugin has two additional arguments to list all service vaults or user vaults. Since the name of a vault is only unique for a particular user or service, the commands also print the vault user or vault service. The virtual attributes were added in rev 01dd951ddc0181b559eb3dd5ff0336c81e245628. Example: $ ipa vault-find --users 2 vaults matched Vault name: myvault Type: standard Vault user: admin Vault name: UserVault Type: standard Vault user: admin Number of entries returned 2 $ ipa vault-find --services 2 vaults matched Vault name: myvault Type: standard Vault service: HTTP/ipatest.freeipa.local@FREEIPA.LOCAL Vault name: myvault Type: standard Vault service: ldap/ipatest.freeipa.local@FREEIPA.LOCAL Number of entries returned 2 https://fedorahosted.org/freeipa/ticket/5150 --- API.txt | 4 +++- ipalib/plugins/vault.py | 48 +--- 2 files changed, 36 insertions(+), 16 deletions(-) diff --git a/API.txt b/API.txt index 4d8d9dc3d3c38d4740bda3574396ecd85877b805..dd6bcc3c39895e6af213fcece85505fa0bd6d2f2 100644 --- a/API.txt +++ b/API.txt 
@@ -5508,7 +5508,7 @@ output: Output('result', type 'dict', None) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: ListOfPrimaryKeys('value', None, None) command: vault_find -args: 1,13,4 +args: 1,15,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('cn', attribute=True, autofill=False, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=False) @@ -5518,10 +5518,12 @@ option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') +option: Flag('services?', autofill=True, default=False) option: Flag('shared?', autofill=True, default=False) option: Int('sizelimit?', autofill=False, minvalue=0) option: Int('timelimit?', autofill=False, minvalue=0) option: Str('username?', cli_name='user') +option: Flag('users?', autofill=True, default=False) option: Str('version?', exclude='webui') output: Output('count', type 'int', None) output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 712e2d5ddfa723eb84b80a261289a7cf1c75674f..83dc085b5aadb4e2878e29d17449f0808cc7a9c2 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -343,21 +343,11 @@ class vault(LDAPObject): Generates vault DN from parameters. - service = options.get('service') shared = options.get('shared') user = options.get('username') -count = 0 -if service: -count += 1 - -if shared: -count += 1 - -if user: -count += 1 - +count = (bool(service) + bool(shared) + bool(user)) if count 1: raise errors.MutuallyExclusiveError( reason=_('Service, shared, and user options ' + 
@@ -387,8 +377,10 @@ class vault(LDAPObject): parent_dn = DN(('cn', service), ('cn', 'services'), container_dn) elif shared: parent_dn = DN(('cn', 'shared'), container_dn) -else: +elif user: parent_dn = DN(('cn', user), ('cn', 'users'), container_dn) +else: +raise RuntimeError return DN(rdns, parent_dn) @@ -814,7 +806,16 @@ class vault_del(LDAPDelete): class vault_find(LDAPSearch): __doc__ = _('Search for vaults.') -takes_options = LDAPSearch.takes_options + vault_options +takes_options = LDAPSearch.takes_options + vault_options + ( +Flag( +'services?', +doc
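Review bot: in the @@ -387,8 +377,10 @@ hunk the new `else: raise RuntimeError` raises without a message, so a caller that supplies none of service/shared/user gets a bare internal error with no hint about what went wrong; give it a message (for example `raise RuntimeError('no vault container selected')`) or, if that branch cannot be reached because the options are always filled in earlier, say so in a comment, since the replaced `else:` branch silently fell through to the user container.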
Re: [Freeipa-devel] [PATCHES] 0696-0710 More modernization
On 2015-08-21 12:55, Petr Viktorin wrote: On 08/14/2015 07:44 PM, Petr Viktorin wrote: Hello, These patches bring IPA another step towards compatibility with Python 3. Most of these were made by fixers from the python-modernize tool, but I reviewed and edited the results. Here are the patches rebased to current master.

0696.2-Remove-use-of-sys.exc_value
ACK

0697.2-Don-t-use-a-tuple-in-function-arguments
I prefer operator.itemgetter() over the hard-to-read lambda expression key=lambda k_v: (k_v[1], k_v[0]).

>>> import operator
>>> example = dict(a=3, ba=2, b=2, c=1)
>>> sorted(example.items(), key=operator.itemgetter(1, 0))
[('c', 1), ('b', 2), ('ba', 2), ('a', 3)]

0698.2-Add-python-six-to-dependencies
ACK

0699.2-Remove-the-unused-pygettext-script
ACK

0700.2-Use-six.string_types-instead-of-basestring
LGTM, but I need to have a closer look at some places. I noticed a couple of asserts that should be if ... raise ValueError instead. python -O disables asserts.

0701.2-Use-Python3-compatible-dict-method-names
NACK. Why are you replacing iteritems() with items() instead of using six.iteritems()? Please use sorted(reference) instead of sorted(reference.keys()), set(tree) instead of set(tree.keys()) and list(somedict) instead of list(somedict.keys()), too. The keys() call is unnecessary and frowned upon.

0702.2-Replace-filter-calls-with-list-comprehensions
In Python 2 list comprehensions leak the internal loop variable. It might be better to write a generator expression with list() instead of a [] list comprehension.

0703.2-Use-six.moves.input-instead-of-raw_input
ACK. The code is fine, but pylint won't like it. For Dogtag I had to disable pylint warnings W0622 and F0401.

0704.2-Use-six.integer_types-instead-of-long-int
ACK. Hint: for type checks you can also use the numbers module.

0705.2-Replace-uses-of-map
See comment for 0702.

0706.2-Use-next-function-on-iterators
ACK

0707.2-Use-the-print-function
LGTM. There are too many changes to review. Let's hope the automatic conversion tool did its job correctly.

0708.2-Use-new-style-raise-syntax
ACK

0709.2-Use-six.reraise
ACK

0710.2-Modernize-use-of-range
NACK. Please use six.moves.range. It defaults to xrange() in Python 2. I also see a couple of additional opportunities for enumerate():

for i in range(len(kw['attrs'])):
    kw['attrs'][i] = unicode(kw['attrs'][i])

for i, s in enumerate(kw['attrs']):
    kw['attrs'][i] = unicode(s)

0711.2-Convert-zip-result-to-list
ACK. The code isn't beautiful but it's just a test.
Re: [Freeipa-devel] ipa-kdc-proxy.conf broken symlink after uninstalling ipa
On 2015-06-29 07:31, Fraser Tweedale wrote: Hi Christian, With the kdcproxy change landed, if IPA has been installed and then uninstalled, and then freeipa-server package erased or downgraded, the /etc/httpd/conf.d/ipa-kdc-proxy.conf symlink remains, and is broken, resulting in an inability to start Apache. Hi Fraser, I must confess that I didn't check Apache after uninstalling FreeIPA on my test box. I posted a trivial patch that addresses the issue. Thanks for testing! Christian
[Freeipa-devel] Fix removal of ipa-kdc-proxy.conf symlink
Hello, the attached patch fixes the first bug, that was reported by Fraser today. installutils.remove_file() uses os.path.exists() to check if the file still exists, which in turn uses stat(2). I have modified the function to use os.path.lexists() instead. It doesn't follow symlinks. Because httpinstance first removes the target file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf before it tries to remove the symlink /etc/httpd/conf.d/ipa-kdc-proxy.conf, the installutils.remove_file() ignores the dangling symlink. Christian From 322ee58bd07aa3df270c185fd319578042b5854e Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Mon, 29 Jun 2015 10:45:15 +0200 Subject: [PATCH] Fix removal of ipa-kdc-proxy.conf symlink installutils.remove_file() ignored broken symlinks. Now it uses os.path.lexists() to detect and also remove dangling symlinks. --- ipaserver/install/httpinstance.py | 2 +- ipaserver/install/installutils.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 107c20d7f116b0dc02f2066188c664b7014e316d..f5f2a86fca3a1ff3e9123d08052a7e57b50a94fe 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -481,8 +481,8 @@ class HTTPInstance(service.Service): installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF) installutils.remove_file(paths.HTTPD_IPA_CONF) installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF) -installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF) installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK) +installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF) # Restore SELinux boolean states boolean_states = {name: self.restore_state(name) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 42df2b7119c0e74a2b85b1a6f835f9d2c707b6f4..f6d037230a0d4332434ba1e88717a93e6b41b2f2 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -657,7 +657,7 @@ def remove_file(filename): Remove a file and log any exceptions raised. try: -if os.path.exists(filename): +if os.path.lexists(filename): os.unlink(filename) except Exception, e: root_logger.error('Error removing %s: %s' % (filename, str(e))) -- 2.4.3 signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
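Review bot: the swap of the two `installutils.remove_file(...)` calls in the httpinstance.py hunk is not explained by the commit message; once `remove_file()` uses `lexists()` the order no longer matters, so either drop the reorder or state in the message that the symlink is deliberately removed before its target, so that nobody later treats the order as load-bearing.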
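Review bot: in the @@ -657,7 +657,7 @@ hunk the `os.path.lexists(filename)` test still leaves a window in which the file can disappear before `os.unlink`, and that case is then logged as an error by the `except` below; attempt the unlink unconditionally and ignore `OSError` with `errno.ENOENT` instead of checking first. While touching this function, `except Exception, e:` in the context lines is the Python-2-only syntax that the modernization series on this list is removing; switch it to `except Exception as e:`.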
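The exists()/lexists() difference described in the message above, as an added example that is not FreeIPA's installutils: `remove_file()` uses `lexists()` so a dangling symlink is still removed, and swallows ENOENT so a file that vanishes between the check and the unlink is not logged as an error. `dangling_symlink_demo()` reproduces the situation from the report (target removed before the link) in a temporary directory; the paths and file content are constructed.

```python
"""Removing a possibly-dangling symlink (added example, not FreeIPA's installutils).

os.path.exists() follows symlinks, so a link whose target is gone reports False
and would be skipped; os.path.lexists() reports on the link itself. The helper
below uses lexists and also tolerates the path vanishing between check and unlink.
"""
import errno
import logging
import os
import tempfile

log = logging.getLogger(__name__)


def remove_file(filename):
    """Remove a regular file or symlink (dangling or not); True if something was removed."""
    if not os.path.lexists(filename):
        return False
    try:
        os.unlink(filename)
    except OSError as exc:
        if exc.errno == errno.ENOENT:   # raced with another remover; nothing left to do
            return False
        log.error("Error removing %s: %s", filename, exc)
        return False
    return True


def dangling_symlink_demo():
    """Create target + link, delete the target first (the pre-fix order from the
    httpinstance hunk), and report what each check sees and whether cleanup works."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "ipa-kdc-proxy.conf")          # constructed path
    link = os.path.join(d, "ipa-kdc-proxy.conf.symlink")    # constructed path
    with open(target, "w") as f:
        f.write("# constructed sample config\n")
    os.symlink(target, link)
    os.unlink(target)                                        # now `link` dangles
    seen = (os.path.exists(link), os.path.lexists(link))     # exists() lies, lexists() doesn't
    removed = remove_file(link)
    left_behind = os.path.lexists(link)
    os.rmdir(d)
    return seen, removed, left_behind


if __name__ == "__main__":
    print(dangling_symlink_demo())
```

A dangling symlink under /etc/httpd/conf.d is exactly the kind of leftover that stops Apache from starting, which is why the cleanup path must not trust `exists()`.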
[Freeipa-devel] [PATCH 020] Change internal rsa_(public|private)_key variable names
In two places the vault plugin refers to rsa public or rsa private key although the code can handle just any kind of asymmetric algorithms, e.g. ECDSA. The patch just renames the occurences to avoid more confusion in the future. From 1b09967de50aa3c73a9fcab1ff11aa6d1800bae5 Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Tue, 28 Jul 2015 16:12:40 +0200 Subject: [PATCH] Change internal rsa_(public|private)_key variable names In two places the vault plugin refers to rsa public or rsa private key although the code can handle just any kind of asymmetric algorithms, e.g. ECDSA. The patch just renames the occurences to avoid more confusion in the future. --- ipalib/plugins/vault.py | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 81197f9328c7ed890fa336f464bfcda475ac6189..a2b78f4dec143524d81a1a006733c22db0f90847 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -469,11 +469,11 @@ class vault(LDAPObject): return fernet.encrypt(data) elif public_key: -rsa_public_key = load_pem_public_key( +public_key_obj = load_pem_public_key( data=public_key, backend=default_backend() ) -return rsa_public_key.encrypt( +return public_key_obj.encrypt( data, padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA1()), @@ -496,12 +496,12 @@ class vault(LDAPObject): elif private_key: try: -rsa_private_key = load_pem_private_key( +private_key_obj = load_pem_private_key( data=private_key, password=None, backend=default_backend() ) -return rsa_private_key.decrypt( +return private_key_obj.decrypt( data, padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA1()), -- 2.4.3 signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
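Review bot: the rename in both hunks promises more than the surrounding code delivers: `public_key_obj.encrypt(data, padding.OAEP(...))` and `private_key_obj.decrypt(data, padding.OAEP(...))` are RSA-only operations in the cryptography library (an EC key object has no `encrypt`/`decrypt` method), so an ECDSA key that `load_pem_public_key` accepts will still fail a few lines later with an attribute error rather than a clean validation error. Either keep the `rsa_` names and reject non-RSA keys with an explicit message, or do not claim in the commit message that "the code can handle just any kind of asymmetric algorithms".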
[Freeipa-devel] [PATCH 021] Validate vault's file parameters
The patch fixes the issue described in #5155 as well as a couple of more potential issues. The vault plugin didn't catch IOError on multiple occasions. A user can pass file names for password, public and private key files to the vault plugin. The plugin attempts to read from these files. If any file can't be read, an internal error was raised. The patch wraps all reads and turns any IOError and UnicodeError into a ValidationError. https://fedorahosted.org/freeipa/ticket/5155

From 71b3fcd6862bae2bfc6ea3e6fd38014ed77d4bac Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Thu, 30 Jul 2015 15:48:40 +0200 Subject: [PATCH] Validate vault's file parameters A user can pass file names for password, public and private key files to the vault plugin. The plugin attempts to read from these files. If any file can't be read, an internal error was raised. The patch wraps all reads and turns any IOError and UnicodeError into a ValidationError. https://fedorahosted.org/freeipa/ticket/5155 --- ipalib/plugins/vault.py | 59 +++-- 1 file changed, 47 insertions(+), 12 deletions(-) diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 81197f9328c7ed890fa336f464bfcda475ac6189..423df6b7c0e39c46b20561133be8cd54560bf8b9 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -19,6 +19,7 @@ import base64 import getpass +import io import json import os import sys
@@ -210,6 +211,33 @@ EXAMPLES: ipa vault-remove-member name --users usernames ) + +def validated_read(argname, filename, mode='r', encoding=None): +Read file and catch errors + +IOError and UnicodeError (for text files) are turned into a +ValidationError + +try: +with io.open(filename, mode=mode, encoding=encoding) as f: +data = f.read() +except IOError as exc: +raise errors.ValidationError( +name=argname, +error=_(Cannot read file '%(filename)s': %(exc)s) % { +'filename': filename, 'exc': exc[1] +} +) +except UnicodeError as exc: +raise errors.ValidationError( +name=argname, +error=_(Cannot decode file '%(filename)s': %(exc)s) % { +'filename': filename, 'exc': exc +} +) +return data + + register = Registry() @@ -591,8 +619,10 @@ class vault_add(PKQuery, Local): pass elif password_file: -with open(password_file, 'rb') as f: -password = f.read().rstrip('\n').decode('utf-8') +password = validated_read('password-file', + password_file, + encoding='utf-8') +password = password.rstrip('\n') else: password = self.obj.get_new_password() @@ -611,8 +641,9 @@ class vault_add(PKQuery, Local): pass elif public_key_file: -with open(public_key_file, 'rb') as f: -public_key = f.read() +public_key = validated_read('public-key-file', +public_key_file, +mode='rb') # store vault public key options['ipavaultpublickey'] = public_key @@ -904,8 +935,7 @@ class vault_archive(PKQuery, Local): reason=_('Input data specified multiple times')) elif input_file: -with open(input_file, 'rb') as f: -data = f.read() +data = validated_read('in', input_file, mode='rb') elif not data: data = '' @@ -937,8 +967,10 @@ class vault_archive(PKQuery, Local): pass elif password_file: -with open(password_file) as f: -password = f.read().rstrip('\n').decode('utf-8') +password = validated_read('password-file', + password_file, + encoding='utf-8') +password = password.rstrip('\n') else: password = self.obj.get_existing_password() 
@@ -1254,8 +1286,10 @@ class vault_retrieve(PKQuery, Local): pass elif password_file: -with open(password_file) as f: -password = f.read().rstrip('\n').decode('utf-8') +password = validated_read('password-file', + password_file, + encoding='utf-8') +password = password.rstrip('\n') else: password = self.obj.get_existing_password() @@ -1277,8 +1311,9 @@ class vault_retrieve(PKQuery, Local): pass elif private_key_file
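Review bot: in the `validated_read()` hunk, `exc[1]` relies on Python 2 exceptions being indexable (removed in Python 3) and raises IndexError when an IOError carries a single argument, which would replace the intended ValidationError with a new internal error. Use `exc.strerror` (or `str(exc)`) in the format dict instead.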
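Review bot: the three password_file hunks (vault_add, vault_archive, vault_retrieve) switch from a binary read plus `.decode('utf-8')` to a text-mode `io.open()` with universal newlines, so a `\r\n` line ending is now normalised to `\n` and removed by `rstrip('\n')`, where the old code kept a trailing `\r` in the password. That is the better behaviour, but it changes the password derived from an existing CRLF password file, so a vault created with the old code may no longer open with the same file; worth a sentence in the commit message.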
[Freeipa-devel] CLI parameter: TextFile, BinaryFile and mutually exclusive group
Hello,

While I was working on the ticket https://fedorahosted.org/freeipa/ticket/5155, I noticed a couple of additional places that may raise an IOError. Instead of a File() parameter, the vault plugin uses a Str() parameter in combination with open() to read files.

For passwords I can mostly replace the Str() parameter with File(). There is only one minor issue. The File() class has no encoding flag. ipalib.cli.cli.load_files() uses the encoding of sys.stdin to determine the encoding. In some cases the encoding of sys.stdin can be ASCII. For that reason I'd like to add an encoding parameter to File().

For public and private key files I can't use File(). File() is a subclass of Str(), which requires unicode text. The vault code treats public and private key data as bytes. I assume it wants to support DER encoded key data, too. I'd like to introduce a new BinaryFile() parameter, which subclasses Bytes(). It might make sense to alias File as TextFile and deprecate the File name.

Finally the vault plugin has several mutually exclusive parameters, e.g. password and password-file. The plugin has seven distinct checks for mutual exclusion. IMHO this should be better handled by the parameter parsing code. Python's argparse module has a similar feature: https://docs.python.org/2/library/argparse.html#mutual-exclusion

I'd like to handle the case with a mutually_exclusive flag such as:

    Str(
        'password?',
        cli_name='password',
        doc=_('Vault password'),
        mutually_exclusive='password',
    ),
    File(
        'password_file?',
        cli_name='password_file',
        doc=_('File containing the vault password'),
        mutually_exclusive='password',
    ),

If more than one parameter with the same mutually_exclusive group name is given, then a MutuallyExclusiveError is raised.

Christian
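As an added example (not FreeIPA code), here is one way to implement the two pieces sketched above in Python 3: a file-parameter reader with an explicit encoding that maps OSError (IOError) and UnicodeError to a ValidationError naming the option, and a declarative mutually_exclusive group check. ValidationError and MutuallyExclusiveError are hypothetical stand-ins for ipalib.errors classes; the sample files are constructed in a temporary directory.

```python
import os
import tempfile


class ValidationError(Exception):
    """Hypothetical stand-in for ipalib.errors.ValidationError."""

    def __init__(self, name, error):
        super().__init__("invalid '%s': %s" % (name, error))
        self.name = name
        self.error = error


class MutuallyExclusiveError(Exception):
    """Hypothetical: two parameters of one exclusive group were both given."""


def read_param_file(argname, filename, binary=False, encoding='utf-8'):
    """Read the file named by a CLI parameter.

    Text parameters (passwords) are decoded with an explicit encoding rather
    than the locale or sys.stdin encoding, which may be ASCII; binary
    parameters (PEM/DER keys) are returned as bytes.  Any OSError (IOError in
    Python 2) or UnicodeError is mapped to a ValidationError that names the
    offending option instead of surfacing as an internal error.
    """
    if binary:
        mode, enc = 'rb', None
    else:
        mode, enc = 'r', encoding
    try:
        with open(filename, mode, encoding=enc) as f:
            return f.read()
    except OSError as exc:
        raise ValidationError(
            argname, "Cannot read file '%s': %s" % (filename, exc.strerror))
    except UnicodeError as exc:
        raise ValidationError(
            argname, "Cannot decode file '%s': %s" % (filename, exc))


def check_mutually_exclusive(options, groups):
    """Reject options that share a mutually_exclusive group.

    `groups` maps parameter name -> group name, the information that a
    mutually_exclusive='password' flag on each Param would carry; an option
    whose value is None counts as not given.  One check replaces the
    per-command pairwise tests.
    """
    given = {}
    for name, group in sorted(groups.items()):
        if options.get(name) is None:
            continue
        if group in given:
            raise MutuallyExclusiveError(
                "'%s' and '%s' are mutually exclusive" % (given[group], name))
        given[group] = name


def demo():
    """Exercise both helpers on constructed files; returns the outcomes."""
    results = {}
    groups = {'password': 'password', 'password_file': 'password',
              'public_key': 'public_key', 'public_key_file': 'public_key'}
    with tempfile.TemporaryDirectory() as tmp:
        pw_path = os.path.join(tmp, 'password.txt')
        with open(pw_path, 'wb') as f:
            f.write('pässwörd\n'.encode('utf-8'))    # non-ASCII on purpose
        key_path = os.path.join(tmp, 'key.der')
        with open(key_path, 'wb') as f:
            f.write(b'\x30\x82\x01\x22\xff\xfe')     # constructed DER-ish bytes

        results['password'] = read_param_file(
            'password-file', pw_path).rstrip('\n')
        results['key_is_bytes'] = isinstance(
            read_param_file('public-key-file', key_path, binary=True), bytes)
        try:                                          # bytes fed as text
            read_param_file('password-file', key_path)
        except ValidationError as exc:
            results['decode_error'] = exc.error.startswith('Cannot decode')
        try:                                          # missing file
            read_param_file('password-file', os.path.join(tmp, 'missing'))
        except ValidationError as exc:
            results['read_error'] = exc.error.startswith('Cannot read')

        check_mutually_exclusive({'password_file': pw_path}, groups)
        try:
            check_mutually_exclusive(
                {'password': 'secret', 'password_file': pw_path}, groups)
            results['exclusive'] = False
        except MutuallyExclusiveError:
            results['exclusive'] = True
    return results
```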
Re: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
On 2015-07-30 15:06, Michael Šimáček wrote: I didn't use ctypes, because it was advised against on this list: https://www.redhat.com/archives/freeipa-devel/2012-February/msg00268.html For the tests it's probably fine, but so is using klist. It would actually help a lot with getting the default realm name, but I'm afraid that the second point about problems with ctypes and SELinux in httpd still holds.

Thanks for the pointer to Alexander's posting. I wasn't aware of any issues with ctypes and SELinux. I usually prefer Cython, C or cffi over ctypes myself. For simple tasks ctypes works well enough, though. python-kdcproxy uses ctypes bindings for libkrb5 to parse /etc/krb5.conf. It runs in mod_wsgi, too. I haven't seen or heard about issues with SELinux. Maybe the bug has been resolved? I'll keep an eye open.

Christian
Re: [Freeipa-devel] CLI parameter: TextFile, BinaryFile and mutually exclusive group
On 2015-07-30 14:37, Jan Cholasta wrote: Hi, On 30.7.2015 at 14:07, Christian Heimes wrote: Hello,

While I was working on the ticket https://fedorahosted.org/freeipa/ticket/5155, I noticed a couple of additional places that may raise an IOError. Instead of a File() parameter, the vault plugin uses a Str() parameter in combination with open() to read files.

For passwords I can mostly replace the Str() parameter with File(). There is only one minor issue. The File() class has no encoding flag. ipalib.cli.cli.load_files() uses the encoding of sys.stdin to determine the encoding. In some cases the encoding of sys.stdin can be ASCII. For that reason I'd like to add an encoding parameter to File().

For public and private key files I can't use File(). File() is a subclass of Str(), which requires unicode text. The vault code treats public and private key data as bytes. I assume it wants to support DER encoded key data, too. I'd like to introduce a new BinaryFile() parameter, which subclasses Bytes(). It might make sense to alias File as TextFile and deprecate the File name.

Finally the vault plugin has several mutually exclusive parameters, e.g. password and password-file. The plugin has seven distinct checks for mutual exclusion. IMHO this should be better handled by the parameter parsing code. Python's argparse module has a similar feature: https://docs.python.org/2/library/argparse.html#mutual-exclusion

I'd like to handle the case with a mutually_exclusive flag such as:

    Str(
        'password?',
        cli_name='password',
        doc=_('Vault password'),
        mutually_exclusive='password',
    ),
    File(
        'password_file?',
        cli_name='password_file',
        doc=_('File containing the vault password'),
        mutually_exclusive='password',
    ),

If more than one parameter with the same mutually_exclusive group name is given, then a MutuallyExclusiveError is raised.
NACK, instead of having duplicate definitions for a single logical parameter and dealing with their inherent mutual exclusiveness on the framework level, this should be handled exclusively by the CLI by generating multiple command line options for different dispositions of the logical parameter. If anything, File should be completely removed, not further extended, as it is inherently broken and never worked properly. I have an almost working patch which implements this, but I don't think it's 4.2.1 material, so I would suggest doing a simple fix for #5155 for now.

I wasn't aware that you have a mostly working patch. In that case I'll come up with a simple fix. I can take care of a redesign when your patch has landed in the future. Thanks for the feedback!

Christian
Re: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
On 2015-07-29 10:09, Michael Šimáček wrote: GSSAPI doesn't provide any method (that I'm aware of) to get default ccache name. In most cases this is not needed as we can simply not pass any name and it will use the default. The ldap plugin had to be adjusted for this - the connect method now takes new use_gssapi argument, which can turn on gssapi support without the need to supply explicit ccache name. The only place where the ccache name is really needed is the test server, where I use system klist command to obtain it.

You can use ctypes or cffi for the task, too. It's much faster and more convenient. Here is a quick example of how to use ctypes for the function calls. kdcproxy uses similar code to parse /etc/krb5.conf.

    import ctypes
    LIBKRB5 = ctypes.CDLL('libkrb5.so.3')
    ctx = ctypes.c_void_p()
    ccache = ctypes.c_void_p()
    LIBKRB5.krb5_init_context(ctypes.byref(ctx))          # -> 0
    LIBKRB5.krb5_cc_default(ctx, ctypes.byref(ccache))    # -> 0
    LIBKRB5.krb5_cc_get_type.restype = ctypes.c_char_p
    LIBKRB5.krb5_cc_get_name.restype = ctypes.c_char_p
    LIBKRB5.krb5_cc_get_type(ctx, ccache)                 # -> 'KEYRING'
    LIBKRB5.krb5_cc_get_name(ctx, ccache)                 # -> 'persistent:1000:1000'
    LIBKRB5.krb5_cc_close(ctx, ccache)
    LIBKRB5.krb5_free_context(ctx)

If you like the approach I can write a more safe implementation with proper error checking.

Christian
[Freeipa-devel] [PATCH 022] make-lint Python 3 porting mode
Python 3 porting mode for make-lint http://docs.pylint.org/features.html#general-options

From eb0565a16934a85df5075a6389dc49239e08f699 Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Mon, 3 Aug 2015 11:18:03 +0200 Subject: [PATCH] make-lint Python 3 porting mode pylint can check code for Python 3 portability. The new option --py3k enables the Python 3 porting mode of pylint in make-lint. --- make-lint | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/make-lint b/make-lint index 0447985303f485a014fecf7d17d0b1c7eb6137bd..04d7f3644bef7fccba1ce37b9d92e2e1405ffd08 100755 --- a/make-lint +++ b/make-lint @@ -220,6 +220,8 @@ def main(): dest='fail', default=True, action='store_false') optparser.add_option('--enable-noerror', help='enable warnings and other non-error messages', dest='errors_only', default=True, action='store_false') +optparser.add_option('--py3k', help='Python 3 porting mode', +dest='py3k', default=False, action='store_true') options, args = optparser.parse_args() cwd = os.getcwd() @@ -246,7 +248,10 @@ def main(): '{path}:{line}: [{msg_id}({symbol}), {obj}] {msg})') linter.set_option('reports', False) linter.set_option('persistent', False) -linter.set_option('disable', 'python3') +if options.py3k: +linter.python3_porting_mode() +else: +linter.set_option('disable', 'python3') linter.check(files) -- 2.4.3
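Review bot: the `--py3k` help text 'Python 3 porting mode' does not tell the user that the mode is exclusive: in the second hunk, `linter.python3_porting_mode()` replaces the regular checkers rather than adding to them (as the follow-up reply on this thread notes), so a run with --py3k is not a superset of a normal make-lint run. Say so in the help string, or have make-lint run two linter passes when the flag is set.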
Re: [Freeipa-devel] [PATCHES] 0691-0695 Modernization
On 2015-07-31 23:14, Simo Sorce wrote: On Fri, 2015-07-31 at 19:14 +0200, Petr Viktorin wrote: Hello, Here is a batch of mostly mechanical changes: removing deprecated features to prepare for Python 3.

Do we have accompanying lint (or similar) tests that will prevent new patches from reintroducing py3 incompatible syntax?

pylint has a Python 3 porting mode. That should help, see patch 022.

Christian
Re: [Freeipa-devel] [PATCH 022] make-lint Python 3 porting mode
On 2015-08-03 11:30, Jan Cholasta wrote: Hi, On 3.8.2015 at 11:22, Christian Heimes wrote: Python 3 porting mode for make-lint http://docs.pylint.org/features.html#general-options

I would rather wait until all the modernization patches are pulled in and then make the porting mode enabled by default. If it's optional, no one will use it.

In porting mode the normal checkers aren't executed. In order to enable the porting mode by default, make-lint has to run two passes: one linter instance with and one linter instance without the porting mode.
Re: [Freeipa-devel] [PATCHES] 0691-0695 Modernization
On 2015-07-31 19:14, Petr Viktorin wrote: Hello, Here is a batch of mostly mechanical changes: removing deprecated features to prepare for Python 3.

Out of curiosity, what tool did you use for patch 695-absolute-imports? Python-modernize adds from __future__ import absolute_imports and changes imports to explicit relative imports.

In patch 693 you have removed test cases for CIDict.has_key(), but CIDict still provides the function. You should either keep the tests around or remove has_key() from CIDict.

The rest looks good to me, but I haven't studied every change thoroughly. It's just too much.

Christian
Re: [Freeipa-devel] [PATCH 017] certprofile-import: do not require profileId in profile data
On 2015-07-24 12:41, Martin Basti wrote: On 24/07/15 05:15, Fraser Tweedale wrote: diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index 5550ed942521dbab2e783fba1570520268f9b378..fe8934690fe09499f0bacb6610d9815a2b4367a4 100644 --- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py @@ -233,8 +233,8 @@ class certprofile_import(LDAPCreate): match = self.PROFILE_ID_PATTERN.search(options['file']) if match is None: -raise errors.ValidationError(name='file', -error=_(Profile ID is not present in profile data)) +# no profileId found, use CLI value as profileId. +options['file'] = u'profileId=%s\n%s' % (keys[0], options['file']) NACK This assignment has no external effect; `post_callback' is called with original `options['file']' and dogtag profile import can fail due to missing profileId. The solution is to do the same thing in post_callback; updated patch attached. Thanks, Fraser

I don't like to have the same code twice in pre and post callback. Can you use contextmanager to store the right value in pre callback and then use it in post callback? (can find it in dns plugin, search for context)

Sounds good to me!

Christian

PS: Context is a fancy name for a TLS dict. ;)

From 1c7a67f331fb7d07f1e306e292e97b1df810958c Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Thu, 23 Jul 2015 17:48:56 +0200 Subject: [PATCH] certprofile-import: do not require profileId in profile data certprofile-import no longer requires profileId in profile data. Instead the profile ID from the command line is taken and added to the profile data internally. If profileId is set in the profile, then it still has to match the CLI option. https://fedorahosted.org/freeipa/ticket/5090 --- ipalib/plugins/certprofile.py | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index ae75d43d7412d0df7c09a33c16c833995d9a3fe4..658fbca3b4eb851eb5a22190c443044f6ceb8491 100644
--- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py @@ -11,6 +11,7 @@ from ipalib.plugins.virtual import VirtualCommand from ipalib.plugins.baseldap import ( LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPUpdate, LDAPRetrieve) +from ipalib.request import context from ipalib import ngettext from ipalib.text import _ from ipapython.version import API_VERSION @@ -230,11 +231,12 @@ class certprofile_import(LDAPCreate): def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options): ca_enabled_check() +context.profile = options['file'] match = self.PROFILE_ID_PATTERN.search(options['file']) if match is None: -raise errors.ValidationError(name='file', -error=_(Profile ID is not present in profile data)) +# no profileId found, use CLI value as profileId. +context.profile = u'profileId=%s\n%s' % (keys[0], context.profile) elif keys[0] != match.group(1): raise errors.ValidationError(name='file', error=_(Profile ID '%(cli_value)s' does not match profile data '%(file_value)s') @@ -250,7 +252,7 @@ class certprofile_import(LDAPCreate): try: with self.api.Backend.ra_certprofile as profile_api: -profile_api.create_profile(options['file']) +profile_api.create_profile(context.profile) profile_api.enable_profile(keys[0]) except: # something went wrong ; delete entry -- 2.4.3
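Review bot: in the pre_callback hunk, `context.profile` is a very generic attribute name on the shared per-request `ipalib.request.context`; another plugin storing `profile` there during the same request would collide silently, so a plugin-specific name such as `context.certprofile_data` is safer. Setting it unconditionally before the `PROFILE_ID_PATTERN` match is right, since post_callback then always finds the attribute whether or not the profileId line had to be added.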
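Review bot: in the post_callback hunk, `profile_api.create_profile(context.profile)` now sits inside the existing bare `except:` (visible as the hunk's trailing context), which would also swallow an AttributeError if the context attribute were ever missing, hiding a programming error behind the "delete entry" cleanup. Narrow that `except:` to the Dogtag/backend errors it is meant to handle, and delete the attribute from the context once `create_profile()` has consumed it.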
Re: [Freeipa-devel] [PATCHES] 0691-0695 Modernization
On 2015-08-12 18:10, Tomas Babej wrote: On 08/10/2015 05:39 PM, Petr Viktorin wrote: On 08/03/2015 11:07 AM, Christian Heimes wrote: On 2015-07-31 19:14, Petr Viktorin wrote: Hello, Here is a batch of mostly mechanical changes: removing deprecated features to prepare for Python 3.

Out of curiosity, what tool did you use for patch 695-absolute-imports? Python-modernize adds from __future__ import absolute_imports and changes imports to explicit relative imports.

I used modernize to find all the occurrences, and fixed imports by hand. Most of IPA uses absolute imports, as recommended by PEP 8.

In patch 693 you have removed test cases for CIDict.has_key(), but CIDict still provides the function. You should either keep the tests around or remove has_key() from CIDict.

I haven't removed them: test_haskey is only skipped under Python 3. I assumed that's enough to verify that `has_key` works well (i.e. the same as `in`), so in the other tests I do use `in` instead. I'm attaching updated patches, under Python 3 they remove CIDict.has_key a bit more formally. They're also rebased.

The rest looks good to me, but I haven't studied every change thoroughly. It's just too much.

Anything I can do to help? Let's not sit on this for too long, it will be a pain to rebase.

I went through the gargantuan patches manually and did not discover any issues. Additionally, the patchset introduces no new unit-test failures. So I am inclined to ACK it, unless Christian has any objections.

I've skimmed over the patches and didn't find any issues either. pylint --py3k is going to complain about missing from __future__ import absolute_import lines. We can add them later, though.

Christian
Re: [Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy
On 2015-07-22 20:23, Nathaniel McCallum wrote: Related: CVE-2015-5159 https://bugzilla.redhat.com/show_bug.cgi?id=1245200

The patch prevents a flood attack but I consider it more of a workaround than a solution. I'll update kdcproxy tomorrow.

Christian
Re: [Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy
On 2015-07-22 20:38, Nathaniel McCallum wrote: On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote: On 2015-07-22 20:23, Nathaniel McCallum wrote: Related: CVE-2015-5159 https://bugzilla.redhat.com/show_bug.cgi?id=1245200

The patch prevents a flood attack but I consider it more of a workaround than a solution. I'll update kdcproxy tomorrow.

The problem is that while we can provide a sane default, special applications might require different sizes (either smaller or larger). I think this fix is acceptable since it keeps the solution entirely within the configuration domain.

The python-kdcproxy package may be used by other parties with different web servers. I'd also like to see a countermeasure in kdcproxy. Other installations should not fall victim to the same issue. How about we set the default maximum size to a rather large value (like 5 or 10 MB) and make it configurable in kdcproxy.conf? 5 MB is very, very large for a Kerberos request but still prevents DoS and the OOM killer.

Christian
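A request-size guard of the kind discussed above, as an added example that is neither the FreeIPA patch nor kdcproxy's own code: a WSGI middleware with a configurable limit (5 MiB default, the upper bound floated in the thread) that refuses an oversized body from Content-Length before reading any of it, and bounds the read when Content-Length is absent or untruthful. The proxy stand-in and the requests are constructed; Python 3.

```python
import io
import sys

# 5 MiB: the "rather large" default floated above; kdcproxy.conf or the
# WSGI deployment would make it configurable.
DEFAULT_MAX_REQUEST_SIZE = 5 * 1024 * 1024


class RequestTooLarge(Exception):
    """Raised by BoundedInput when a body exceeds the configured limit."""


class BoundedInput(object):
    """Wraps wsgi.input so the application can never read past the limit,
    which matters when Content-Length is absent or lies."""

    def __init__(self, stream, max_size):
        self.stream = stream
        self.remaining = max_size + 1   # the extra byte detects overrun

    def read(self, size=-1):
        if size is None or size < 0 or size > self.remaining:
            size = self.remaining
        data = self.stream.read(size)
        self.remaining -= len(data)
        if self.remaining <= 0:
            raise RequestTooLarge()
        return data


class MaxRequestSize(object):
    """WSGI middleware: refuse request bodies larger than max_size bytes.
    Assumes the wrapped app reads the body before returning its iterable."""

    def __init__(self, app, max_size=DEFAULT_MAX_REQUEST_SIZE):
        self.app = app
        self.max_size = max_size

    def __call__(self, environ, start_response):
        length = (environ.get('CONTENT_LENGTH') or '').strip()
        if length:
            if not length.isdigit():
                return self._reject(start_response, '400 Bad Request')
            if int(length) > self.max_size:
                # Refused before a single body byte is read.
                return self._reject(start_response,
                                    '413 Request Entity Too Large')
        environ['wsgi.input'] = BoundedInput(environ['wsgi.input'],
                                             self.max_size)
        try:
            return self.app(environ, start_response)
        except RequestTooLarge:
            # exc_info lets us replace a response the app may have started.
            return self._reject(start_response,
                                '413 Request Entity Too Large',
                                sys.exc_info())

    @staticmethod
    def _reject(start_response, status, exc_info=None):
        body = (status + '\n').encode('ascii')
        start_response(status, [('Content-Type', 'text/plain'),
                                ('Content-Length', str(len(body)))],
                       exc_info)
        return [body]


def echo_size_app(environ, start_response):
    """Constructed stand-in for the proxy app: reads the whole body."""
    body = environ['wsgi.input'].read()
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [('%d bytes' % len(body)).encode('ascii')]


def call(app, body, content_length=None):
    """Drive a WSGI app with a constructed POST; returns (status, body)."""
    environ = {'REQUEST_METHOD': 'POST', 'wsgi.input': io.BytesIO(body)}
    if content_length is not None:
        environ['CONTENT_LENGTH'] = content_length
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen['status'] = status

    out = b''.join(app(environ, start_response))
    return seen['status'], out


if __name__ == '__main__':
    guarded = MaxRequestSize(echo_size_app, max_size=1024)
    print(call(guarded, b'x' * 1024, '1024'))
    print(call(guarded, b'x' * 1025))
```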
Re: [Freeipa-devel] [PATCH 017] certprofile-import: do not require profileId in profile data
On 2015-07-24 05:15, Fraser Tweedale wrote: diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index 5550ed942521dbab2e783fba1570520268f9b378..fe8934690fe09499f0bacb6610d9815a2b4367a4 100644 --- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py @@ -233,8 +233,8 @@ class certprofile_import(LDAPCreate): match = self.PROFILE_ID_PATTERN.search(options['file']) if match is None: -raise errors.ValidationError(name='file', -error=_(Profile ID is not present in profile data)) +# no profileId found, use CLI value as profileId. +options['file'] = u'profileId=%s\n%s' % (keys[0], options['file']) NACK This assignment has no external effect; `post_callback' is called with original `options['file']' and dogtag profile import can fail due to missing profileId. The solution is to do the same thing in post_callback; updated patch attached.

Oh, I should have noticed that myself. The options parameter is passed in as **kwargs. The keyword arguments dict is always a flat copy. Thanks!

Christian
[Freeipa-devel] variable name 'rsa_public_key' in vault
Hello,

while I was working on https://fedorahosted.org/freeipa/ticket/5142 and patch 019, I noticed the variable names rsa_public_key and rsa_private_key in vault.py. load_pem_public_key() can load and return other key formats (DSA, ECDSA), too. Does vault mean to support the other algorithms?

In case vault should support any kind of asymmetric cipher, I'd like to change the variable names. It's confusing. Otherwise we should add a check for RSA and prevent DSA and ECDSA keys.

Christian
[Freeipa-devel] [PATCH 0015] mod_auth_gssapi: Remove ntlmssp support and restrict mechanism to krb5
By default mod_auth_gssapi allows all locally available mechanisms. If the gssntlmssp package is installed, it also offers ntlmssp. This has the annoying side effect that some browsers will pop up a username/password request dialog if no Krb5 credentials are available. The patch restricts the mechanism to krb5 and removes ntlmssp and iakerb support from Apache's ipa.conf. The new feature was added to mod_auth_gssapi 1.3.0. https://fedorahosted.org/freeipa/ticket/5114

From 758fd87a9e8a72412a9e3111e1564a4d875fec07 Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Fri, 17 Jul 2015 12:40:29 +0200 Subject: [PATCH] mod_auth_gssapi: Remove ntlmssp support and restrict mechanism to krb5 By default mod_auth_gssapi allows all locally available mechanisms. If the gssntlmssp package is installed, it also offers ntlmssp. This has the annoying side effect that some browsers will pop up a username/password request dialog if no Krb5 credentials are available. The patch restricts the mechanism to krb5 and removes ntlmssp and iakerb support from Apache's ipa.conf. The new feature was added to mod_auth_gssapi 1.3.0. https://fedorahosted.org/freeipa/ticket/5114 --- freeipa.spec.in | 2 +- install/conf/ipa.conf | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fef20e1f7e6fde9b90851a2686e515a6a779f954..5771ae5792c1c83dedff9bc3d1acb78b4b119e8d 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -127,7 +127,7 @@ Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd = 2.4.6-6 Requires: mod_wsgi -Requires: mod_auth_gssapi = 1.1.0-2 +Requires: mod_auth_gssapi = 1.3.0-2 Requires: mod_nss = 1.0.8-26 Requires: python-ldap = 2.4.15 Requires: python-krbV diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index e2b602c8573078f517badac00a8c8c5bd593db28..44d87b192e1076398c5008b0a5788afb3bc7c117 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf
@@ -66,6 +66,7 @@ WSGIScriptReloading Off GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches GssapiUseS4U2Proxy on + GssapiAllowedMech krb5 Require valid-user ErrorDocument 401 /ipa/errors/unauthorized.html WSGIProcessGroup ipa -- 2.4.3
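Review bot: the `Requires: mod_auth_gssapi` bump in the spec hunk is what makes the ipa.conf hunk safe: httpd refuses to start on an unknown directive, so `GssapiAllowedMech` must never reach a host with a module older than 1.3.0. The comparison operator shows as `=` on this archive page for every Requires line, so check that the committed patch keeps the versioned `>=` comparison rather than pinning an exact release.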
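Review bot: `GssapiAllowedMech krb5` is an allow-list, so besides removing the NTLMSSP password dialog described in the commit message it also keeps any mechanism that a later package adds to the system GSSAPI configuration from being offered on the IPA web endpoint; that hardening effect is worth stating in the commit message, as it is the reason to prefer the allow-list over just uninstalling gssntlmssp.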
[Freeipa-devel] [PATCH 017] certprofile-import: do not require profileId in profile data
certprofile-import no longer requires profileId in profile data. Instead the profile ID from the command line is taken and added to the profile data internally. If profileId is set in the profile, then it still has to match the CLI option. https://fedorahosted.org/freeipa/ticket/5090

From 44212c91336f2dfbfdc1b6cefea3f928ba9074e9 Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Thu, 23 Jul 2015 17:48:56 +0200 Subject: [PATCH] certprofile-import: do not require profileId in profile data certprofile-import no longer requires profileId in profile data. Instead the profile ID from the command line is taken and added to the profile data internally. If profileId is set in the profile, then it still has to match the CLI option. https://fedorahosted.org/freeipa/ticket/5090 --- ipalib/plugins/certprofile.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index 5550ed942521dbab2e783fba1570520268f9b378..fe8934690fe09499f0bacb6610d9815a2b4367a4 100644 --- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py @@ -233,8 +233,8 @@ class certprofile_import(LDAPCreate): match = self.PROFILE_ID_PATTERN.search(options['file']) if match is None: -raise errors.ValidationError(name='file', -error=_(Profile ID is not present in profile data)) +# no profileId found, use CLI value as profileId. +options['file'] = u'profileId=%s\n%s' % (keys[0], options['file']) elif keys[0] != match.group(1): raise errors.ValidationError(name='file', error=_(Profile ID '%(cli_value)s' does not match profile data '%(file_value)s') -- 2.4.3
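Review bot: the assignment `options['file'] = u'profileId=%s\n%s' % (keys[0], options['file'])` only rebinds a key in this method's own `**options` dict, which is a fresh copy made at call time; the caller and post_callback still see the profile data without the profileId line, so the Dogtag import can fail exactly as before. The amended data has to be stored somewhere post_callback can reach (the per-request context, as the follow-up version of this patch on this page does).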
[Freeipa-devel] [PATCH 018] certprofile-import: improve profile format documentation
The certprofile-import plugin expects a raw Dogtag config file. The XML format is not supported. --help gives a hint about the correct file format. https://fedorahosted.org/freeipa/ticket/5089

From 1344425af2886797ec9cef40a325e56a8d1752eb Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Thu, 23 Jul 2015 18:22:19 +0200 Subject: [PATCH] certprofile-import: improve profile format documentation The certprofile-import plugin expects a raw Dogtag config file. The XML format is not supported. --help gives a hint about the correct file format. https://fedorahosted.org/freeipa/ticket/5089 --- ipalib/plugins/certprofile.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index 5550ed942521dbab2e783fba1570520268f9b378..ae75d43d7412d0df7c09a33c16c833995d9a3fe4 100644 --- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py @@ -220,7 +220,7 @@ class certprofile_import(LDAPCreate): msg_summary = _('Imported profile %(value)s') takes_options = ( File('file', -label=_('Filename'), +label=_('Filename of a raw profile. The XML format is not supported.'), cli_name='file', flags=('virtual_attribute',), ), -- 2.4.3
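Review bot: `label` is the short display name of a parameter (it is reused wherever the option is named, not only in --help), so the full sentence 'Filename of a raw profile. The XML format is not supported.' will read oddly in those places. Keep `label=_('Filename')` and put the format hint into a `doc=_('...')` argument on the same File() parameter, which is the field ipalib renders as the option's help text.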
[Freeipa-devel] [PATCH 019] Asymmetric vault: validate public key in client
The ipa vault commands now load the public keys in order to verify them. The validation also prevents a user from accidentally sending her private keys to the server. The patch fixes #5142 and #5142.

    $ ./ipa vault-add AsymmetricVault --desc Asymmetric vault --type asymmetric --public-key-file mykey.pem
    ipa: ERROR: invalid 'ipavaultpublickey': Invalid or unsupported vault public key: Could not unserialize key data.

https://fedorahosted.org/freeipa/ticket/5142 https://fedorahosted.org/freeipa/ticket/5143

From fd380c4539fdd18a7d10786230c15a259b097af6 Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Thu, 23 Jul 2015 20:30:21 +0200 Subject: [PATCH] Asymmetric vault: validate public key in client The ipa vault commands now load and validate the public key for asymmetric encryption, before sending it to the server. This prevents invalid vaults and prohibits accidental exposure of private key material. https://fedorahosted.org/freeipa/ticket/5142 https://fedorahosted.org/freeipa/ticket/5143 --- ipalib/plugins/vault.py | 13 + 1 file changed, 13 insertions(+) diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 81197f9328c7ed890fa336f464bfcda475ac6189..5d493ae183da48412a38e7074b88ec0ab4402311 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py
@@ -622,6 +622,19 @@ class vault_add(PKQuery, Local): name='ipavaultpublickey', error=_('Missing vault public key')) +# validate public key and prevent users from accidentally +# sending a private key to the server. +try: +load_pem_public_key( +data=public_key, +backend=default_backend() +) +except ValueError as e: +raise errors.ValidationError( +name='ipavaultpublickey', +error=_('Invalid or unsupported vault public key: %s') % e, +) + # create vault response = self.api.Command.vault_add_internal(*args, **options) -- 2.4.3 signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
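Review bot: the new `try` block around `load_pem_public_key` catches only `ValueError`, but that function also raises `cryptography.exceptions.UnsupportedAlgorithm` for a well-formed PEM whose key type the backend does not support, and that case would escape as an uncaught exception instead of the "Invalid or unsupported vault public key" ValidationError the error string promises. Catching `except (ValueError, UnsupportedAlgorithm) as e:` covers both. The placement right after the "Missing vault public key" check is fine, since a private-key PEM fails to load as a public key and is therefore rejected before anything leaves the client.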
Re: [Freeipa-devel] [PATCH 0014] [py3] Replace M2Crypto RC4 with python-cryptography ARC4
On 2015-07-23 11:06, Alexander Bokovoy wrote:
On Thu, 23 Jul 2015, Christian Heimes wrote:
This patch removes the dependency on M2Crypto in favor of cryptography. Cryptography is more strict about the key size and doesn't support non-standard key sizes:

>>> from M2Crypto import RC4
>>> from ipaserver.dcerpc import arcfour_encrypt
>>> RC4.RC4(b'key').update(b'data')
'o\r@\x8c'
>>> arcfour_encrypt(b'key', b'data')
Traceback (most recent call last):
...
ValueError: Invalid key size (24) for RC4.

Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported:

>>> arcfour_encrypt(b'key12', b'data')
'\xcd\xf80d'
>>> RC4.RC4(b'key12').update(b'data')
'\xcd\xf80d'

Note that we are using NTLMv2 or Kerberos user session keys which are 128 bit long in this context. And please rework the spec file change as Honza noted.

Thanks for the feedback regarding the key size, 128bit works. Is RC4 really the only supported algorithm for session keys? RC4 is insecure, especially the first few bytes have a high bias. It may not be much of an issue for short-lived session keys, though.

Christian
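The two points made in this exchange, the key-size policy that makes cryptography's ARC4 reject b'key' while accepting b'key12', and the early-keystream bias Christian raises, as an added example that is neither FreeIPA nor python-cryptography code: a textbook RC4 with the same key-size check, plus a measurement of how often the second keystream byte is zero across many 128-bit keys. The function names, the constructed keys and the SHA-256 key-derivation scheme are assumptions of this example, not anything from the thread.

```python
# Added example, not FreeIPA or python-cryptography code: textbook RC4 with
# the key-size policy python-cryptography's ARC4 enforces, plus a measurement
# of the early-keystream bias mentioned in the thread. Function names and the
# key-derivation scheme are assumptions of this example.
import hashlib

# Key sizes (bits) accepted by python-cryptography's ARC4, per the ValueError
# quoted in the thread.
STANDARD_RC4_KEY_BITS = (40, 56, 64, 80, 128, 192, 256)


def rc4_keystream(key, length):
    """Generate `length` keystream bytes with plain RC4 (KSA + PRGA).

    No key-size policy here; this is what the published test vectors exercise."""
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_xor(key, data):
    """Unchecked RC4: XOR data with the keystream (encrypt == decrypt)."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def arcfour_encrypt(key, data):
    """Same contract as the thread's helper, with cryptography's strictness:
    a 24-bit key such as b'key' is rejected, b'key12' (40 bits) is accepted."""
    bits = len(key) * 8
    if bits not in STANDARD_RC4_KEY_BITS:
        raise ValueError("Invalid key size (%d) for RC4." % bits)
    return rc4_xor(key, data)


def keystream_zero_fraction(num_keys, position, key_len=16):
    """Fraction of keys whose keystream byte at `position` equals 0.

    Keys are 128-bit (the session-key size the thread mentions) and derived
    from a counter with SHA-256 so runs are repeatable (constructed keys).
    An ideal stream cipher gives about 1/256 (0.0039) at every position;
    RC4's second byte (position 1) is 0 with probability about 2/256,
    the Mantin-Shamir bias, which is why the first bytes should be dropped."""
    zeros = 0
    for n in range(num_keys):
        key = hashlib.sha256(b"constructed-key-%d" % n).digest()[:key_len]
        if rc4_keystream(key, position + 1)[position] == 0:
            zeros += 1
    return zeros / num_keys


if __name__ == "__main__":
    key128 = bytes(range(16))                 # constructed 128-bit key
    ct = arcfour_encrypt(key128, b"data")
    print("ciphertext:", ct.hex(), "roundtrip:", arcfour_encrypt(key128, ct))
    try:
        arcfour_encrypt(b"key", b"data")
    except ValueError as e:
        print("rejected:", e)
    for pos in (1, 255):
        print("P(Z[%d] == 0) over 10000 keys: %.4f (ideal 0.0039)"
              % (pos, keystream_zero_fraction(10000, pos)))
```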
Re: [Freeipa-devel] [PATCH 0014] [py3] Replace M2Crypto RC4 with python-cryptography ARC4
On 2015-07-23 10:54, Jan Cholasta wrote:
Hi,

On 23.7.2015 at 10:43 Christian Heimes wrote:
This patch removes the dependency on M2Crypto in favor of cryptography. Cryptography is more strict about the key size and doesn't support non-standard key sizes:

>>> from M2Crypto import RC4
>>> from ipaserver.dcerpc import arcfour_encrypt
>>> RC4.RC4(b'key').update(b'data')
'o\r@\x8c'
>>> arcfour_encrypt(b'key', b'data')
Traceback (most recent call last):
...
ValueError: Invalid key size (24) for RC4.

Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported:

>>> arcfour_encrypt(b'key12', b'data')
'\xcd\xf80d'
>>> RC4.RC4(b'key12').update(b'data')
'\xcd\xf80d'

http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4
https://fedorahosted.org/freeipa/ticket/5148

NACK on the spec file change. There is a BuildRequires and Requires on m2crypto, replace them with BuildRequires and Requires on python-cryptography.

Argh, m2crypto ... I was looking for M2Crypto (case sensitive). Here is an updated patch. An additional Requires: python-cryptography is not required. server-trust-ad depends on ipa-server which depends on the ipa-python package. The ipa-python package already has Requires: python-cryptography.

Christian

From d0a6ab9f9c0723af7ca027fd3522a063428b7f34 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 21 Jul 2015 15:18:40 +0200
Subject: [PATCH] [py3] Replace M2Crypto RC4 with python-cryptography ARC4

This patch removes the dependency on M2Crypto in favor of cryptography. Cryptography is more strict about the key size and doesn't support non-standard key sizes:

>>> from M2Crypto import RC4
>>> from ipaserver.dcerpc import arcfour_encrypt
>>> RC4.RC4(b'key').update(b'data')
'o\r@\x8c'
>>> arcfour_encrypt(b'key', b'data')
Traceback (most recent call last):
...
ValueError: Invalid key size (24) for RC4.

Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported:

>>> arcfour_encrypt(b'key12', b'data')
'\xcd\xf80d'
>>> RC4.RC4(b'key12').update(b'data')
'\xcd\xf80d'

http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4
https://fedorahosted.org/freeipa/ticket/5148
---
 freeipa.spec.in | 2 --
 ipaserver/dcerpc.py | 15 ++-
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in index fef20e1f7e6fde9b90851a2686e515a6a779f954..bf04582de949e6fe8ae34ea5a96f32598247aa7e 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -84,7 +84,6 @@ BuildRequires: python-lxml BuildRequires: python-pyasn1 = 0.0.9a BuildRequires: python-qrcode-core = 5.0.0 BuildRequires: python-dns = 1.11.1 -BuildRequires: m2crypto BuildRequires: check BuildRequires: libsss_idmap-devel BuildRequires: libsss_nss_idmap-devel = 1.12.2 @@ -219,7 +218,6 @@ Integrated DNS server is BIND 9. OpenDNSSEC provides key management. Summary: Virtual package to install packages required for Active Directory trusts Group: System Environment/Base Requires: %{name}-server = %version-%release -Requires: m2crypto Requires: samba-python Requires: samba = %{samba_version} Requires: samba-winbind diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 4de5afb540e880e8948749c2cfa9a019eb807c47..578b3ee209ee988bca4d75bd5b898f339625236c 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -42,7 +42,8 @@ from samba.ndr import ndr_pack, ndr_print from samba import net import samba import random -from M2Crypto import RC4 +from cryptography.hazmat.primitives.ciphers import Cipher, algorithms +from cryptography.hazmat.backends import default_backend try: from ldap.controls import RequestControl as LDAPControl #pylint: disable=F0401 except ImportError: @@ -120,6 +121,14 @@ def assess_dcerpc_exception(num=None,message=None): message %(message)s (both may be None)''') % dict(num=num, message=message) return errors.RemoteRetrieveError(reason=reason) + +def arcfour_encrypt(key, data): +algorithm = algorithms.ARC4(key) +cipher = Cipher(algorithm, mode=None, backend=default_backend()) +encryptor = cipher.encryptor() +return encryptor.update(data) + + class ExtendedDNControl(LDAPControl): # This class attempts to implement LDAP control that would work # with both python-ldap 2.4.x and 2.3.x, thus there is mix of properties @@ -910,10 +919,6 @@ class TrustDomainInstance(object): self.info['is_pdc'] = (result.role == lsa.LSA_ROLE_PRIMARY) def generate_auth(self, trustdom_secret): -def arcfour_encrypt(key, data): -c = RC4.RC4(key) -return c.update(data) - password_blob = string_to_array(trustdom_secret.encode('utf-16-le')) clear_value = drsblobs.AuthInfoClear() -- 2.4.3
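Review bot: in the dcerpc.py hunk, the module-level `arcfour_encrypt` returns `encryptor.update(data)` and never calls `encryptor.finalize()`; for ARC4 with `mode=None` finalize produces no further bytes, so the output is unchanged, but calling it closes the cipher context the way the cryptography API documents, e.g. `return encryptor.update(data) + encryptor.finalize()`. The function also moves from a closure inside `generate_auth` to a public module function, which is what makes the interactive check in the commit message possible; worth a one-line docstring noting it is only intended for the trust secret blob. The two spec hunks drop both m2crypto dependencies as requested, and, as the reply above explains, no new Requires is needed because ipa-python already requires python-cryptography.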
[Freeipa-devel] [PATCH 0014] [py3] Replace M2Crypto RC4 with python-cryptography ARC4
This patch removes the dependency on M2Crypto in favor of cryptography. Cryptography is more strict about the key size and doesn't support non-standard key sizes:

>>> from M2Crypto import RC4
>>> from ipaserver.dcerpc import arcfour_encrypt
>>> RC4.RC4(b'key').update(b'data')
'o\r@\x8c'
>>> arcfour_encrypt(b'key', b'data')
Traceback (most recent call last):
...
ValueError: Invalid key size (24) for RC4.

Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported:

>>> arcfour_encrypt(b'key12', b'data')
'\xcd\xf80d'
>>> RC4.RC4(b'key12').update(b'data')
'\xcd\xf80d'

http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4
https://fedorahosted.org/freeipa/ticket/5148

From da4aa9baa932e335ad0bd0f3cfe2551667c7ca76 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 21 Jul 2015 15:18:40 +0200
Subject: [PATCH] [py3] Replace M2Crypto RC4 with python-cryptography ARC4

This patch removes the dependency on M2Crypto in favor of cryptography. Cryptography is more strict about the key size and doesn't support non-standard key sizes:

>>> from M2Crypto import RC4
>>> from ipaserver.dcerpc import arcfour_encrypt
>>> RC4.RC4(b'key').update(b'data')
'o\r@\x8c'
>>> arcfour_encrypt(b'key', b'data')
Traceback (most recent call last):
...
ValueError: Invalid key size (24) for RC4.

Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported:

>>> arcfour_encrypt(b'key12', b'data')
'\xcd\xf80d'
>>> RC4.RC4(b'key12').update(b'data')
'\xcd\xf80d'

http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4
https://fedorahosted.org/freeipa/ticket/5148
---
 freeipa.spec.in | 1 +
 ipaserver/dcerpc.py | 15 ++-
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in index fef20e1f7e6fde9b90851a2686e515a6a779f954..afae22430515a9f15eced9e16e0a6e192400e6e2 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -150,6 +150,7 @@ Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns = 1.11.1 Requires: python-kdcproxy = 0.3 +Requires: python-cryptography Requires: zip Requires: policycoreutils = 2.1.12-5 Requires: tar diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 4de5afb540e880e8948749c2cfa9a019eb807c47..578b3ee209ee988bca4d75bd5b898f339625236c 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -42,7 +42,8 @@ from samba.ndr import ndr_pack, ndr_print from samba import net import samba import random -from M2Crypto import RC4 +from cryptography.hazmat.primitives.ciphers import Cipher, algorithms +from cryptography.hazmat.backends import default_backend try: from ldap.controls import RequestControl as LDAPControl #pylint: disable=F0401 except ImportError: @@ -120,6 +121,14 @@ def assess_dcerpc_exception(num=None,message=None): message %(message)s (both may be None)''') % dict(num=num, message=message) return errors.RemoteRetrieveError(reason=reason) + +def arcfour_encrypt(key, data): +algorithm = algorithms.ARC4(key) +cipher = Cipher(algorithm, mode=None, backend=default_backend()) +encryptor = cipher.encryptor() +return encryptor.update(data) + + class ExtendedDNControl(LDAPControl): # This class attempts to implement LDAP control that would work # with both python-ldap 2.4.x and 2.3.x, thus there is mix of properties @@ -910,10 +919,6 @@ class TrustDomainInstance(object): self.info['is_pdc'] = (result.role == lsa.LSA_ROLE_PRIMARY) def generate_auth(self, trustdom_secret): -def arcfour_encrypt(key, data): -c = RC4.RC4(key) -return c.update(data) - password_blob = string_to_array(trustdom_secret.encode('utf-16-le')) clear_value = drsblobs.AuthInfoClear() -- 2.4.3
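Review bot: the spec hunk only adds `Requires: python-cryptography` to the server package; per the diffstat (freeipa.spec.in: 1 insertion, no deletions) the existing m2crypto BuildRequires and Requires stay in place even though the dcerpc.py hunk removes the last `from M2Crypto import RC4`. Those should be dropped in the same commit so the package does not keep pulling in a library it no longer imports, and the added Requires is then redundant with the python-cryptography dependency ipa-python already carries. The dcerpc.py hunks are the same as in the reworked version: `arcfour_encrypt` should finish with `encryptor.finalize()` for API hygiene even though ARC4 emits nothing there.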
[Freeipa-devel] [PATCH 016] Require Dogtag PKI = 10.2.6
Dogtag 10.2.6 comes with two fixes for cloning from 9.x to 10.x instances:

https://fedorahosted.org/pki/ticket/1495
https://fedorahosted.org/pki/ticket/1488

https://fedorahosted.org/freeipa/ticket/5140
https://fedorahosted.org/freeipa/ticket/5129

From a8e806816b207f242e2fc7b3fe02a961ade68d84 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Thu, 23 Jul 2015 12:20:49 +0200
Subject: [PATCH] Require Dogtag PKI = 10.2.6

Dogtag 10.2.6 comes with two fixes for cloning from 9.x to 10.x instances:

https://fedorahosted.org/pki/ticket/1495
https://fedorahosted.org/pki/ticket/1488

https://fedorahosted.org/freeipa/ticket/5140
https://fedorahosted.org/freeipa/ticket/5129
---
 freeipa.spec.in | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in index 928425fdc65a092f67a28d97101c32b7392bf1c8..f365d105211a9f8db772c14ef5a56cdbf11d031f 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -99,7 +99,7 @@ BuildRequires: python-backports-ssl_match_hostname BuildRequires: softhsm-devel = 2.0.0rc1-1 BuildRequires: openssl-devel BuildRequires: p11-kit-devel -BuildRequires: pki-base = 10.2.5 +BuildRequires: pki-base = 10.2.6 BuildRequires: python-pytest-multihost = 0.5 BuildRequires: python-pytest-sourceorder BuildRequires: python-kdcproxy = 0.3 @@ -144,8 +144,8 @@ Requires(post): systemd-units Requires: selinux-policy = %{selinux_policy_version} Requires(post): selinux-policy-base Requires: slapi-nis = 0.54.2-1 -Requires: pki-ca = 10.2.5 -Requires: pki-kra = 10.2.5 +Requires: pki-ca = 10.2.6 +Requires: pki-kra = 10.2.6 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns = 1.11.1 -- 2.4.3
[Freeipa-devel] [PATCH 007] Remove tuple unpacking from except clause
The patch replaces implicit tuple unpacking from except clauses with explicit unpacking of the exception objects' args attribute. Example:

>>> e = RuntimeError('num', 'messages')
>>> num, message = e
>>> num, message
('num', 'messages')
>>> e.args
('num', 'messages')
>>> num, message = e.args
>>> num, message
('num', 'messages')

Christian

From 6b57eb232641370f7d91febdc663bfcc62a795e7 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Mon, 13 Jul 2015 14:02:29 +0200
Subject: [PATCH] Remove tuple unpacking from except clause

Python 3 doesn't support tuple unpacking in except clauses. All implicit tuple unpackings have been replaced with explicit unpacking of e.args.

Signed-off-by: Christian Heimes chei...@redhat.com
---
 contrib/RHEL4/ipachangeconf.py | 4 ++--
 ipa-client/ipaclient/ipachangeconf.py | 4 ++--
 ipalib/plugins/hbactest.py | 7 ---
 ipaserver/dcerpc.py | 18 --
 4 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/contrib/RHEL4/ipachangeconf.py b/contrib/RHEL4/ipachangeconf.py index 1a361513558f20d65ac8cbb0044e7b8d352e6bad..87b306f5dff336f80b1d02909433253f148108a6 100644 --- a/contrib/RHEL4/ipachangeconf.py +++ b/contrib/RHEL4/ipachangeconf.py @@ -29,13 +29,13 @@ def openLocked(filename, perms): fd = os.open(filename, os.O_RDWR | os.O_CREAT, perms) fcntl.lockf(fd, fcntl.LOCK_EX) -except OSError, (errno, strerr): +except OSError as e: if fd != -1: try: os.close(fd) except OSError: pass -raise IOError(errno, strerr) +raise IOError(e.errno, e.strerror) return os.fdopen(fd, r+) diff --git a/ipa-client/ipaclient/ipachangeconf.py b/ipa-client/ipaclient/ipachangeconf.py index 15d41274f7a99550b0a49314fb949402e65ee1d1..edf34f5ae738eb22b8935c222392dc9b6f08638d 100644 --- a/ipa-client/ipaclient/ipachangeconf.py +++ b/ipa-client/ipaclient/ipachangeconf.py @@ -31,13 +31,13 @@ def openLocked(filename, perms): fd = os.open(filename, os.O_RDWR | os.O_CREAT, perms) fcntl.lockf(fd, fcntl.LOCK_EX) -except OSError, (errno, strerr): +except OSError as e: if fd != -1: try: os.close(fd) except OSError: pass -raise IOError(errno, strerr) +raise IOError(e.errno, e.strerror) return os.fdopen(fd, r+) diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py index 068190310bf14d068620bc4a86d1c48ae1437251..c8dedd367e78cbe900b716369f8ef78575a21298 100644 --- a/ipalib/plugins/hbactest.py +++ b/ipalib/plugins/hbactest.py @@ -462,13 +462,14 @@ class hbactest(Command): matched_rules.append(ipa_rule.name) if res == pyhbac.HBAC_EVAL_DENY: notmatched_rules.append(ipa_rule.name) -except pyhbac.HbacError as (code, rule_name): +except pyhbac.HbacError as e: +code, rule_name = e.args if code == pyhbac.HBAC_EVAL_ERROR: error_rules.append(rule_name) self.log.info('Native IPA HBAC rule %s parsing error: %s' % \ (rule_name, pyhbac.hbac_result_string(code))) -except (TypeError, IOError) as (info): -self.log.error('Native IPA HBAC module error: %s' % (info)) +except (TypeError, IOError) as info: +self.log.error('Native IPA HBAC module error: %s' % info) access_granted = len(matched_rules) 0 else: diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index a1da0a641064f59a79639d97489ff73181787a4a..4de5afb540e880e8948749c2cfa9a019eb807c47 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -772,7 +772,8 @@ class TrustDomainInstance(object): try: result = lsa.lsarpc(binding, self.parm, self.creds) return result - except RuntimeError, (num, message): + except RuntimeError as e: + num, message = e.args raise assess_dcerpc_exception(num=num, message=message) def init_lsa_pipe(self, remote_host): @@ -889,7 +890,8 @@ class TrustDomainInstance(object): try: self._policy_handle = self._pipe.OpenPolicy2(u, objectAttribute, security.SEC_FLAG_MAXIMUM_ALLOWED) result = self._pipe.QueryInfoPolicy2(self._policy_handle, lsa.LSA_POLICY_INFO_DNS) -except RuntimeError, (num, message): +except RuntimeError as e: +num, message = e.args raise assess_dcerpc_exception(num=num, message=message) self.info['name'] = unicode(result.name.string) @@ -901,7 +903,8 @@ class TrustDomainInstance(object): try: result = self._pipe.QueryInfoPolicy2(self._policy_handle, lsa.LSA_POLICY_INFO_ROLE) -except RuntimeError, (num
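Review bot: in the dcerpc.py hunks, `num, message = e.args` raises a ValueError inside the except handler whenever the samba RuntimeError carries anything other than exactly two args, and that ValueError would replace the RemoteRetrieveError the caller expects. The old `except RuntimeError, (num, message):` form failed the same way, so this is not a regression, but since `assess_dcerpc_exception` documents that both arguments "may be None", a guard such as `num, message = e.args if len(e.args) == 2 else (None, str(e))` would turn a malformed error into a readable RemoteRetrieveError instead. The same applies to `code, rule_name = e.args` in the hbactest.py hunk. The two ipachangeconf.py hunks are equivalent to the old code: `OSError` exposes `errno` and `strerror` as attributes, so `IOError(e.errno, e.strerror)` carries the same values the tuple form did.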
Re: [Freeipa-devel] [PATCH 007] Remove tuple unpacking from except clause
On 2015-07-13 15:21, Tomas Babej wrote:
On 07/13/2015 02:59 PM, Rob Crittenden wrote:
Christian Heimes wrote:
The patch replaces implicit tuple unpacking from except clauses with explicit unpacking of the exception objects' args attribute. Example:

>>> e = RuntimeError('num', 'messages')
>>> num, message = e
>>> num, message
('num', 'messages')
>>> e.args
('num', 'messages')
>>> num, message = e.args
>>> num, message
('num', 'messages')

Not related to this patch directly but I think it would be a good idea to create a Python 3 tracking ticket to make it easy to find python 3-specific changes. Then create tickets to fix particular issues and link those with the tracking ticket.

rob

ACK

Otherwise, I agree with Rob. Can you create an umbrella ticket? I will pushmark the commit there.

Sure, I'll create a meta ticket for Python 3 and a sub ticket for each task.

Christian
Re: [Freeipa-devel] [PATCH 007-010] Remove tuple unpacking from except clause
On 2015-07-13 16:29, Alexander Bokovoy wrote:
I will pushmark the commit there.
Please do not push this specific version of the patch yet. Christian will do the changes with four separate commits as discussed on the IRC, to avoid future problems with maintenance and backports.

Alex, please have a look at the patches. I have split the patch into four files, one for every file. Is that right?

Christian

From 995001a2960da3482300791baa4a8cbf5b325fc7 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 14 Jul 2015 10:49:39 +0200
Subject: [PATCH 07/10] Remove tuple unpacking from except clause contrib/RHEL4/ipachangeconf.py

Python 3 doesn't support tuple unpacking in except clauses. All implicit tuple unpackings have been replaced with explicit unpacking of e.args.

https://fedorahosted.org/freeipa/ticket/5120
---
 contrib/RHEL4/ipachangeconf.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/contrib/RHEL4/ipachangeconf.py b/contrib/RHEL4/ipachangeconf.py index 1a361513558f20d65ac8cbb0044e7b8d352e6bad..87b306f5dff336f80b1d02909433253f148108a6 100644 --- a/contrib/RHEL4/ipachangeconf.py +++ b/contrib/RHEL4/ipachangeconf.py @@ -29,13 +29,13 @@ def openLocked(filename, perms): fd = os.open(filename, os.O_RDWR | os.O_CREAT, perms) fcntl.lockf(fd, fcntl.LOCK_EX) -except OSError, (errno, strerr): +except OSError as e: if fd != -1: try: os.close(fd) except OSError: pass -raise IOError(errno, strerr) +raise IOError(e.errno, e.strerror) return os.fdopen(fd, r+) -- 2.4.3

From 8898e4762b908a10fee3bc4d33071b827c7e8175 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 14 Jul 2015 10:50:04 +0200
Subject: [PATCH 08/10] Remove tuple unpacking from except clause ipa-client/ipaclient/ipachangeconf.py

Python 3 doesn't support tuple unpacking in except clauses. All implicit tuple unpackings have been replaced with explicit unpacking of e.args.

https://fedorahosted.org/freeipa/ticket/5120
---
 ipa-client/ipaclient/ipachangeconf.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipa-client/ipaclient/ipachangeconf.py b/ipa-client/ipaclient/ipachangeconf.py index 15d41274f7a99550b0a49314fb949402e65ee1d1..edf34f5ae738eb22b8935c222392dc9b6f08638d 100644 --- a/ipa-client/ipaclient/ipachangeconf.py +++ b/ipa-client/ipaclient/ipachangeconf.py @@ -31,13 +31,13 @@ def openLocked(filename, perms): fd = os.open(filename, os.O_RDWR | os.O_CREAT, perms) fcntl.lockf(fd, fcntl.LOCK_EX) -except OSError, (errno, strerr): +except OSError as e: if fd != -1: try: os.close(fd) except OSError: pass -raise IOError(errno, strerr) +raise IOError(e.errno, e.strerror) return os.fdopen(fd, r+) -- 2.4.3

From 1d5f4d9bb77b1dc983244f45e560a98c90697f19 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 14 Jul 2015 10:50:18 +0200
Subject: [PATCH 09/10] Remove tuple unpacking from except clause ipalib/plugins/hbactest.py

Python 3 doesn't support tuple unpacking in except clauses. All implicit tuple unpackings have been replaced with explicit unpacking of e.args.

https://fedorahosted.org/freeipa/ticket/5120
---
 ipalib/plugins/hbactest.py | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py index 068190310bf14d068620bc4a86d1c48ae1437251..c8dedd367e78cbe900b716369f8ef78575a21298 100644 --- a/ipalib/plugins/hbactest.py +++ b/ipalib/plugins/hbactest.py @@ -462,13 +462,14 @@ class hbactest(Command): matched_rules.append(ipa_rule.name) if res == pyhbac.HBAC_EVAL_DENY: notmatched_rules.append(ipa_rule.name) -except pyhbac.HbacError as (code, rule_name): +except pyhbac.HbacError as e: +code, rule_name = e.args if code == pyhbac.HBAC_EVAL_ERROR: error_rules.append(rule_name) self.log.info('Native IPA HBAC rule %s parsing error: %s' % \ (rule_name, pyhbac.hbac_result_string(code))) -except (TypeError, IOError) as (info): -self.log.error('Native IPA HBAC module error: %s' % (info)) +except (TypeError, IOError) as info: +self.log.error('Native IPA HBAC module error: %s' % info) access_granted = len(matched_rules) 0 else: -- 2.4.3

From 6b5b5f4d868c0a181f9465a45efc31030a89b027 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 14 Jul 2015 10:50:34 +0200
Subject: [PATCH 10/10] Remove tuple unpacking from except clause ipaserver/dcerpc.py

Python 3 doesn't
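Review bot: in the hbactest.py hunk of patch 09/10, `code, rule_name = e.args` raises ValueError from inside the except handler if `pyhbac.HbacError` is ever constructed with a different number of arguments, and that ValueError would bypass the `error_rules` bookkeeping and the log line that follow. The previous `except pyhbac.HbacError as (code, rule_name):` had the same shape, so behaviour is preserved, but a length check before unpacking would log the malformed error instead of aborting the command. Splitting the change into one commit per file, as patches 07 to 10 do, is the right call for the backport concern raised above; the hunks are otherwise identical to the combined patch 007.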
[Freeipa-devel] [PATCH 011] [py3] Replace file() with open()
The patch replaces file() with open() and a proper with statement. The patch is related to https://fedorahosted.org/freeipa/ticket/5127

Christian

From db8e96818344b5d9c59789b1a77abc0f958873a0 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 14 Jul 2015 13:18:55 +0200
Subject: [PATCH] [py3] Replace file() with open()

The open() function is the recommended way to open a file. In Python 3 the file type is gone, but open() still works the same.

The patch is related to https://fedorahosted.org/freeipa/ticket/5127
---
 ipapython/sysrestore.py | 10 --
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py index 580df9a4fd6d0fae35602dad1f81d498fa8f0173..4389dc1af7498a6d620fe4eb677fa821cd593aa7 100644 --- a/ipapython/sysrestore.py +++ b/ipapython/sysrestore.py @@ -93,9 +93,8 @@ class FileStore: for (key, value) in self.files.items(): p.set('files', key, str(value)) -f = file(self._index, w) -p.write(f) -f.close() +with open(self._index, w) f: +p.write(f) def backup_file(self, path): Create a copy of the file at @path - so long as a copy @@ -354,9 +353,8 @@ class StateFile: for (key, value) in self.modules[module].items(): p.set(module, key, str(value)) -f = file(self._path, w) -p.write(f) -f.close() +with open(self._path, w) as f: +p.write(f) def backup_state(self, module, key, value): Backup an item of system state from @module, identified -- 2.4.3
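Review bot: the first hunk (FileStore) has `with open(self._index, w) f:`, which is missing the `as` keyword and is a SyntaxError, so this version of the patch cannot be imported at all; the second hunk (StateFile) spells it correctly as `with open(self._path, w) as f:`. Apart from that typo the change is an improvement: the old `f = file(...); p.write(f); f.close()` leaked the descriptor when `p.write` raised, and the context manager closes it on every path.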
Re: [Freeipa-devel] [PATCH 011] [py3] Replace file() with open()
On 2015-07-14 13:24, Christian Heimes wrote:
The patch replaces file() with open() and a proper with statement. The patch is related to https://fedorahosted.org/freeipa/ticket/5127

Christian

The first patch has a typo. Note to self: save file first, then commit

Christian

From da3d6910f3997d5d411cd20bcad4b75efb333b65 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 14 Jul 2015 13:18:55 +0200
Subject: [PATCH] [py3] Replace file() with open()

The open() function is the recommended way to open a file. In Python 3 the file type is gone, but open() still works the same.

The patch is related to https://fedorahosted.org/freeipa/ticket/5127
---
 ipapython/sysrestore.py | 10 --
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py index 580df9a4fd6d0fae35602dad1f81d498fa8f0173..c058ff7c04d4604ba96c2a4ece68d476b5b6491f 100644 --- a/ipapython/sysrestore.py +++ b/ipapython/sysrestore.py @@ -93,9 +93,8 @@ class FileStore: for (key, value) in self.files.items(): p.set('files', key, str(value)) -f = file(self._index, w) -p.write(f) -f.close() +with open(self._index, w) as f: +p.write(f) def backup_file(self, path): Create a copy of the file at @path - so long as a copy @@ -354,9 +353,8 @@ class StateFile: for (key, value) in self.modules[module].items(): p.set(module, key, str(value)) -f = file(self._path, w) -p.write(f) -f.close() +with open(self._path, w) as f: +p.write(f) def backup_state(self, module, key, value): Backup an item of system state from @module, identified -- 2.4.3
[Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation
Hi,

the patch fixes the SELinux denial for kdcproxy's home directory. I have successfully tested a migration from FreeIPA 4.1. The user, group and home directory are successfully created with the correct permissions.

https://fedorahosted.org/freeipa/ticket/5135

Christian

From a67beee26511750e73b0132f08683bcab8a26c76 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Wed, 15 Jul 2015 21:49:16 +0200
Subject: [PATCH] Create pkiuser user and group during installation

The group 'pkiuser' and user 'pkiuser' are now created during the installation of the pki-server package.

https://fedorahosted.org/pki/ticket/1468
---
 specs/pki-core.spec | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/specs/pki-core.spec b/specs/pki-core.spec index 148c90734a0103b21b3d3984586d42bc3da3cede..6ac51d85efcf49a4e69cd4fe70709a9e1fc9bb84 100644 --- a/specs/pki-core.spec +++ b/specs/pki-core.spec @@ -30,6 +30,13 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1)))} # REMINDER: Remove this '%%define' once 'tpsclient' is rewritten as a Java app %define _unpackaged_files_terminate_build 0 +# pkiuser and group. The uid and gid are preallocated +# see /usr/share/doc/setup/uidgid +%define pki_username pkiuser +%define pki_uid 17 +%define pki_groupname pkiuser +%define pki_gid 17 +%define pki_homedir /usr/share/pki Name: pki-core Version: 10.2.6 @@ -395,6 +402,7 @@ Requires: velocity Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units +Requires(pre):shadow-utils %if 0%{?rhel} Requires:tomcatjss = 7.1.0-6 @@ -727,6 +735,17 @@ if (test(/etc/sysconfig/pki/ca) or end %endif +%pre -n pki-server +getent group %{pki_groupname} /dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname} +if ! getent passwd %{pki_username} /dev/null ; then +if ! getent passwd %{pki_uid} /dev/null ; then + useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c Certificate System %{pki_username} +else + useradd -r -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c Certificate System %{pki_username} +fi +fi +exit 0 + %post -n pki-base if [ $1 -eq 1 ] -- 2.4.3
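Review bot: the attached patch modifies specs/pki-core.spec to create the pkiuser account for pki-server and does not touch the kdcproxy user, its home directory or freeipa.spec.in, so it does not match the subject line or the body of this mail (the follow-up in the thread confirms the wrong attachment was sent). On the %pre hunk itself, the shape is the standard Fedora user-creation scriptlet: `getent` guards against re-creating the group and user, the `-u %{pki_uid}` branch is only taken when uid 17 is free and otherwise falls back to a dynamic system uid, and the trailing `exit 0` keeps a pre-existing account from failing the install. The `Requires(pre): shadow-utils` line is the matching dependency for `groupadd`/`useradd` and belongs with it.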
Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation
On 2015-07-16 12:51, Christian Heimes wrote:
Hi,

the patch fixes the SELinux denial for kdcproxy's home directory. I have successfully tested a migration from FreeIPA 4.1. The user, group and home directory are successfully created with the correct permissions.

https://fedorahosted.org/freeipa/ticket/5135

I accidentally pushed the spec file fix for PKI. Here is the correct patch for FreeIPA.

From 15060e7ae718b50c2fca21cad54a5d4835bbaeed Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Thu, 16 Jul 2015 12:45:23 +0200
Subject: [PATCH] Fix selinux denial during kdcproxy user creation

The home directory of the kdcproxy user is now properly owned by the package and no longer created by useradd.

https://fedorahosted.org/freeipa/ticket/5135
---
 freeipa.spec.in | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in index bfc021618797109396892205fabff057be4bee32..fabfaee619d4cf0203b2f87d7fe804c2e72026f3 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -469,6 +469,7 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins # KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file) +mkdir -p %{buildroot}%{kdcproxy_home} mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/ install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf @@ -568,7 +569,7 @@ fi # create kdcproxy user getent group %{kdcproxy_group} /dev/null || groupadd -r %{kdcproxy_group} getent passwd %{kdcproxy_user} /dev/null || \ -/usr/sbin/useradd -r -m -c IPA KDC Proxy User -s /sbin/nologin \ +/usr/sbin/useradd -r -c IPA KDC Proxy User -s /sbin/nologin \ -g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user} exit 0 @@ -711,6 +712,7 @@ fi %{_libexecdir}/ipa/ipa-ods-exporter %{_libexecdir}/ipa/ipa-httpd-kdcproxy %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy +%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home} %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter -- 2.4.3
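Review bot: dropping `-m` from the `useradd` in %pre and packaging `%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home}` in %files is the right shape for this fix: rpm lays the directory down itself and labels it from the file-context policy, instead of useradd creating it with the default home-directory context that the SELinux denial in the ticket points at. Two things worth stating in the commit message: the `%attr` owner only resolves because %pre (which creates the user) runs before the payload is unpacked, and on upgrade from a version where `useradd -m` had already created the directory rpm resets owner and mode to the packaged values without touching the contents. In the %install hunk, the new `mkdir -p %{buildroot}%{kdcproxy_home}` sits under the "# KDC proxy config" comment, which now describes only the line after it; a separate comment for the home directory would keep the section readable.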
Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation
On 2015-07-16 13:46, Tomas Babej wrote:
On 07/16/2015 01:35 PM, Christian Heimes wrote:
On 2015-07-16 12:51, Christian Heimes wrote:
Hi,

the patch fixes the SELinux denial for kdcproxy's home directory. I have successfully tested a migration from FreeIPA 4.1. The user, group and home directory are successfully created with the correct permissions.

https://fedorahosted.org/freeipa/ticket/5135

I accidentally pushed the spec file fix for PKI. Here is the correct patch for FreeIPA.

ACK!

Thanks for fixing this issue, actually it was haunting me for some time as I was unable to pinpoint the issue.

Pushed to:
master: 0700d340c7c88c295a62dd5d1a7d6866650d9de3
ipa-4-2: 9c3368a3eb091acab10b65ff3fc33d41d0d4c556

You are welcome! Alexander deserves most of the credit for the patch. He analyzed the issue and explained it to me. The patch was a matter of minutes to write.

Christian
Re: [Freeipa-devel] [PATCH 005] otptoken: use ipapython.nsslib instead of Python's ssl module
On 2015-07-07 18:40, Christian Heimes wrote: Hello, the patch removes the dependency on Python's ssl module and python-backports-ssl_match_hostname. https://fedorahosted.org/freeipa/ticket/5068 Open question - Is paths.IPA_NSSDB_DIR the correct NSSDB? My patch hasn't been processed since last week. Can somebody have a look, please? Christian
Re: [Freeipa-devel] [PATCH 464] spec file: Move /etc/ipa/kdcproxy to the server subpackage
On 2015-07-14 13:56, Jan Cholasta wrote: Hi, the attached patch fixes client-only builds. LGTM. I didn't know about the difference between server and client-only builds. Thanks for the fix!
[Freeipa-devel] [PATCH 013] Fix minor typos
This patch from Yuri Chornoivan fixes some typos. All fixes look ok to me. https://fedorahosted.org/freeipa/ticket/5109 https://bugzilla.redhat.com/show_bug.cgi?id=1239132 From 9554caac8965671840e2361cbb62884333c12e3c Mon Sep 17 00:00:00 2001 From: Yuri Chornoivan yurc...@ukr.net Date: Fri, 3 Jul 2015 19:14:42 +0300 Subject: [PATCH] Fix minor typos ame - name overriden - overridden ablity - ability enties - entries the the - the https://fedorahosted.org/freeipa/ticket/5109 Reviewed-By: Christian Heimes chei...@redhat.com --- daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c| 2 +- install/ui/src/freeipa/_base/Singleton_registry.js | 2 +- ipalib/__init__.py | 2 +- ipalib/plugins/idviews.py | 4 ++-- ipalib/plugins/servicedelegation.py| 2 +- ipalib/plugins/stageuser.py| 2 +- ipalib/plugins/trust.py| 2 +- ipalib/plugins/vault.py| 2 +- ipaserver/advise/base.py | 2 +- ipatests/test_xmlrpc/ldaptracker.py| 2 +- 10 files changed, 11 insertions(+), 11 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c b/daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c index c70385dd608147dc08736cb915b506f715108527..bffaa0120387b72ff4a201c4201c741b871e55f3 100644 --- a/daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c +++ b/daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c @@ -129,7 +129,7 @@ ipadns_entry_iszone( Slapi_Entry *entry ) { * The server calls this plug-in function before executing LDAP ADD operation. * * ipadns_add function adds default value to idnsSOAserial attribute - * in idnsZone objects if the the attribute is not present. + * in idnsZone objects if the attribute is not present. * * Default value is added only to objects coming from other servers * via replication. diff --git a/install/ui/src/freeipa/_base/Singleton_registry.js b/install/ui/src/freeipa/_base/Singleton_registry.js index 18b0c420a702ed16abeece3e1fb7f5d48894ec1e..eca7898f5992b919326b61b73b93234e22539363 100644 --- a/install/ui/src/freeipa/_base/Singleton_registry.js 
+++ b/install/ui/src/freeipa/_base/Singleton_registry.js @@ -54,7 +54,7 @@ define(['dojo/_base/declare', * * When an object is passed in, the function returns it. * - * @param {string|Object} type Type's name. Or the the object itself. + * @param {string|Object} type Type's name. Or the object itself. * @return {Object|null} */ get: function(type) { diff --git a/ipalib/__init__.py b/ipalib/__init__.py index 44aacd0916454e03c6611f106088b98ea0169979..5ba2c9760891c5d45f7bf9841a54c59fc99da01e 100644 --- a/ipalib/__init__.py +++ b/ipalib/__init__.py @@ -711,7 +711,7 @@ assume these variables will all exist by the time the module containing their plugin (or plugins) is imported. `Env._bootstrap()`, which is called by `API.bootstrap()`, will create several -run-time variables that connot be overriden in configuration files or through +run-time variables that connot be overridden in configuration files or through command-line options. Here is an overview of this run-time information: = = === diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py index 67f52f886f0e19288a829616603c7aef6768f8db..4a14162249959088ab389b99df3867f872a34030 100644 --- a/ipalib/plugins/idviews.py +++ b/ipalib/plugins/idviews.py @@ -339,7 +339,7 @@ class baseidview_apply(LDAPQuery): class idview_apply(baseidview_apply): __doc__ = _('Applies ID View to specified hosts or current members of ' 'specified hostgroups. If any other ID View is applied to ' -'the host, it is overriden.') +'the host, it is overridden.') member_count_out = (_('ID View applied to %i host.'), _('ID View applied to %i hosts.')) @@ -462,7 +462,7 @@ def resolve_object_to_anchor(ldap, obj_type, obj, fallback_to_ldap): raise errors.ValidationError( name=_('IPA object'), error=_('system IPA objects (e.g system groups, user ' -'private groups) cannot be overriden') +'private groups) cannot be overridden') ) # The domain prefix, this will need to be reworked once we 
diff --git a/ipalib/plugins/servicedelegation.py b/ipalib/plugins/servicedelegation.py index 34312e39a844eb798d55c659ab850da57ab126f7..37de916389c46d99f17b66c1cac16e391265491d 100644 --- a/ipalib/plugins/servicedelegation.py +++ b/ipalib/plugins/servicedelegation.py @@ -65,7 +65,7 @@ the bound user's behalf. It is strongly discouraged to modify the delegations that ship with IPA, ipa-http-delegation and its targets ipa-cifs-delegation-targets and -ipa-ldap-delegation-targets. Incorrect changes
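Review bot: the ipalib/__init__.py hunk (@@ -711,7 +711,7 @@) fixes "overriden" but leaves "connot" on the very line it touches (`run-time variables that connot be overridden in configuration files or through`); since the line is being rewritten anyway, fix both typos in one go. The ipa_dns.c, Singleton_registry.js and idviews.py hunks are plain comment and message text and look correct.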
Re: [Freeipa-devel] [PATCH] 0193 fix Coverity issue in extdom plugin
On 2015-07-20 15:23, Alexander Bokovoy wrote: Hi, this patch fixes Coverity CID 13130. The bug turned out to be impossible to cause a crash in 389-ds externally because all conditions that could cause req not to be properly allocated could not be influenced via an extended operation (req could be NULL only if calloc() in parse_request_data() failed). The finding is still correct as calloc() indeed could fail. ACK Coverity is really good at finding this kind of bug. Over the last years I've fixed several similar issues in Python. Christian
Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
On 2015-07-21 14:02, Michael Simacek wrote: Hi, This is a first part of my effort to port FreeIPA from Python3-incompatible Kerberos libraries to python-gssapi. This patch should replace python-kerberos with python-gssapi (both use C GSSAPI behind the scenes).

def _handle_exception(self, e, service=None): -(major, minor) = ipautil.get_gsserror(e) -if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: +# kerberos library coerced error codes to signed, gssapi uses unsigned +minor = e.min_code - (1 32) +if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:

The unsigned to signed conversion is not correct. Although it doesn't make a difference here, please use the technically correct way:

minor = e.min_code
if minor >= (1 << 31):
    minor -= 1 << 32

or if you prefer hex:

if minor >= 0x80000000:
    minor -= 0x100000000

Christian
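The point Christian raises is worth seeing with numbers. The following is an added example, not code from FreeIPA, python-gssapi or the patch: it reinterprets a GSSAPI minor status (an unsigned 32-bit value) as the signed 32-bit code krb5 uses, next to the patch's unconditional subtraction, so the divergence on small positive minor codes (0, or an errno passed through by the mechanism) is visible. The numeric value of KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN is krb5's error table base plus 7; the function names are this example's own.

```python
"""Unsigned GSSAPI minor status -> signed krb5 error code, done right.

Added example for the python-gssapi port discussion; not FreeIPA code.
"""
import struct

# krb5 error code for KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (ERROR_TABLE_BASE_krb5 + 7),
# the value the patch compares against.
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = -1765328377


def minor_as_patched(min_code):
    """The conversion from the patch: unconditionally subtract 2**32."""
    return min_code - (1 << 32)


def minor_to_signed(min_code):
    """Reinterpret the unsigned 32-bit minor status as a signed 32-bit value.

    Only values with the top bit set wrap around; 0 and small positive
    codes (for example an errno reported through the krb5 mechanism)
    must come back unchanged.
    """
    if not 0 <= min_code < (1 << 32):
        raise ValueError("minor code out of uint32 range: %r" % (min_code,))
    if min_code >= (1 << 31):
        min_code -= 1 << 32
    return min_code


def minor_to_signed_struct(min_code):
    """The same reinterpretation via pack/unpack, useful as a cross-check."""
    return struct.unpack("=i", struct.pack("=I", min_code))[0]


def signed_to_minor(code):
    """Inverse mapping: how a signed krb5 code shows up as a GSSAPI minor status."""
    return code & 0xFFFFFFFF


def is_principal_unknown(min_code):
    """The check the patched _handle_exception() wants to make."""
    return minor_to_signed(min_code) == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN


def compare(min_code):
    """(patched, correct) for one minor status, to make the divergence visible."""
    return minor_as_patched(min_code), minor_to_signed(min_code)


if __name__ == "__main__":
    for mc in (signed_to_minor(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN), 0, 2, 0xFFFFFFFF):
        print("%10d -> patched %12d, correct %12d" % ((mc,) + compare(mc)))
```

For the principal-unknown code both conversions agree, which is why the patch "works"; for a minor status of 2 the patched version yields -4294967294 while the correct one returns 2.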
Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN
On 2015-10-09 15:11, Jan Cholasta wrote: > On 9.10.2015 15:00, Christian Heimes wrote: >> On 2015-10-09 13:21, Jan Orel wrote: >>> Hello, >>> >>> this patch removes (IMHO) redundant check in cert_show, which fails when >>> host tries to re-submit certificate of different host/service which he >>> can manage. >>> >>> I also reported the bug here: >>> https://bugzilla.redhat.com/show_bug.cgi?id=1269089 >>> >>> I tried to run the tests as well and it doesn't seem to break anything. >>> Any feedback appreciated. >> >> Jan Cholasta, you implemented the check in 2011. What purpose does it >> have? > > I did not, it was added in commit 2e8bae59 by Rob. Sorry, I didn't check the context, just the output of $ git annotate ipalib/plugins/cert.py | grep common_name
Re: [Freeipa-devel] error handling in httpd.service and ipa-httpd-kdcproxy
On 2015-07-07 15:41, Simo Sorce wrote: On Tue, 2015-07-07 at 08:48 -0400, Nathaniel McCallum wrote: On Jul 6, 2015, at 11:35 AM, Christian Heimes chei...@redhat.com wrote: Hello, I'd like to ask for your opinion regarding the pre-exec hook 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error cases like LDAP connection timeout more gracefully. At the moment any error causes the script to return a non-zero exit code. This breaks the service and apparently also offline RPM upgrades. How should I handle error cases? I can change httpd.service to simply ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an invalid state. I could modify the script to catch connection errors and to disable kdcproxy in case of an error. The options are: 1) httpd.service ignores exit code of ipa-httpd-kdcproxy 2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a connection error 3) 1 + 2 What do you think?

If ipa-httpd-kdcproxy cannot contact LDAP, kdcproxy MUST NOT be enabled. So #2. However, ipa-httpd-kdcproxy should leave error codes to real catastrophic failures and http.service should be aware of these. So not #1. Nathaniel

IMO it is ok for httpd to fail to start if the kdc-proxy cannot contact LDAP, because other stuff will fail too if that's the case anyway. In fact I had to change my replica promotion patches to account for this as it was failing here, for various reasons, on one restart during the install. :-)

Without LDAP none of the IPA services in Apache are usable. From that perspective it doesn't make much of a difference. However Alexander is worried about a different thing. When LDAP isn't running or GSSAPI fails, then the service can't be restarted and offline RPM update fails. We can either fix the offline update problem in the spec file (ignore systemctl failures) or in the ipa-httpd-kdcproxy script. Since my script is new and changes behavior, I'm reluctant to say that I'm to blame. :) Christian
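The policy the thread settles on (option #2: if LDAP cannot be reached the proxy must not be enabled, but httpd must still start; only real failures exit non-zero) is small enough to show end to end. The following is an added example written for this discussion, not FreeIPA's ipa-httpd-kdcproxy script: the LDAP lookup of the enable flag is injected as a callable, the paths point into a scratch directory, and the Unreachable class stands in for ipalib's errors.NetworkError, so it runs offline. It also covers the cases a pre-start hook must refuse to touch, a regular file or a foreign symlink sitting at the conf.d path.

```python
"""ExecStartPre hook policy for an LDAP-controlled httpd config symlink.

Added example for the ipa-httpd-kdcproxy error-handling thread; not FreeIPA code.
"""
import os
import shutil
import socket
import tempfile

EXIT_OK, EXIT_FATAL = 0, 1


class Unreachable(Exception):
    """Stand-in for ipalib's errors.NetworkError (an assumption of this example)."""


class ConfigFileError(Exception):
    """Something that is not our symlink occupies the conf.d path."""


def validate_symlink(conflink, conf):
    """True if conflink is our symlink to conf, False if it is absent.

    Anything else (a regular file, a symlink elsewhere) is an error: the
    hook must never clobber a file an admin put into conf.d by hand.
    """
    if not os.path.lexists(conflink):
        return False
    if not os.path.islink(conflink):
        raise ConfigFileError("'%s' exists but is not a symlink" % conflink)
    dest = os.readlink(conflink)
    if dest != conf:
        raise ConfigFileError("'%s' points to '%s', expected '%s'"
                              % (conflink, dest, conf))
    return True


def set_enabled(enabled, conflink, conf):
    """Create or remove the symlink; return True if the state changed."""
    present = validate_symlink(conflink, conf)
    if enabled and not present:
        os.symlink(conf, conflink)
        return True
    if not enabled and present:
        os.unlink(conflink)
        return True
    return False


def sync_config(lookup_enabled, conflink, conf, log=print):
    """Body of the hook; returns the exit status systemd will see.

    lookup_enabled() is the LDAP query for the enable flag (injected here).
    """
    try:
        enabled = bool(lookup_enabled())
    except (Unreachable, socket.timeout) as e:
        # Directory server down or slow: fail closed (proxy off), but exit 0
        # so httpd, and an offline RPM update that restarts it, still work.
        log("warning: cannot read KDC proxy flag (%s); disabling proxy" % e)
        enabled = False
    except Exception as e:
        # Anything else is a bug or a broken install: make systemd notice.
        log("fatal: %s" % e)
        return EXIT_FATAL
    try:
        if set_enabled(enabled, conflink, conf):
            log("KDC proxy %s" % ("enabled" if enabled else "disabled"))
    except ConfigFileError as e:
        # A foreign file is in the way: report it, leave it alone, start httpd.
        log("warning: not touching %s: %s" % (conflink, e))
    return EXIT_OK


def run_scenarios():
    """Drive the hook through its cases in a scratch directory (constructed input)."""
    tmp = tempfile.mkdtemp()
    conf = os.path.join(tmp, "ipa-kdc-proxy.conf")
    conflink = os.path.join(tmp, "conf.d", "ipa-kdc-proxy.conf")
    os.mkdir(os.path.dirname(conflink))
    open(conf, "w").close()
    messages, out = [], {}

    def failing(exc):
        def lookup():
            raise exc
        return lookup

    def run(lookup):
        return sync_config(lookup, conflink, conf, messages.append)

    out["flag_true"] = (run(lambda: True), os.path.islink(conflink))
    out["ldap_down"] = (run(failing(Unreachable("connection refused"))),
                        os.path.lexists(conflink))
    out["flag_true_again"] = (run(lambda: True), os.path.islink(conflink))
    out["bind_timeout"] = (run(failing(socket.timeout("timed out"))),
                           os.path.lexists(conflink))
    open(conflink, "w").close()                              # foreign regular file
    out["foreign_file"] = (run(lambda: True), os.path.islink(conflink))
    os.unlink(conflink)
    os.symlink(os.path.join(tmp, "other.conf"), conflink)   # symlink elsewhere
    out["wrong_target"] = (run(lambda: False),
                           os.path.basename(os.readlink(conflink)))
    os.unlink(conflink)
    out["bug"] = run(failing(RuntimeError("bug")))
    shutil.rmtree(tmp)
    out["messages"] = messages
    return out
```

Each entry of run_scenarios() is (exit status, resulting symlink state): an unreachable or timed-out directory server removes the symlink and still exits 0, a foreign file or wrong-target symlink is left untouched with a warning, and only an unexpected exception returns 1.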
[Freeipa-devel] [PATCH] 004 Improve error handling in ipa-httpd-kdcproxy
Hi, the patch addresses the error handling of ipa-httpd-kdcproxy as discussed in the other thread. Christian From 85dc0cc3f597accdee6f6de9d7b4d41b2173a8d9 Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Tue, 7 Jul 2015 16:05:48 +0200 Subject: [PATCH] Improve error handling in ipa-httpd-kdcproxy The pre start script 'ipa-httpd-kdcproxy' for httpd.service now handles connection and authentication errors more gracefully. If the script is not able to conenct to LDAP, it only prints a warning and exits with status code 0. All other errors are still reported as fatal error and result in a non-zero exit code. This fixes a problem with offline RPM updates. A restart of Apache no longer fails when LDAP is not running. --- install/tools/ipa-httpd-kdcproxy | 75 +--- 1 file changed, 55 insertions(+), 20 deletions(-) diff --git a/install/tools/ipa-httpd-kdcproxy b/install/tools/ipa-httpd-kdcproxy index c71f9cccfe0c05e1484aac7cfcd6801050ed51ab..60b22f2cc321d416871c74f3b4d580594c186a85 100755 --- a/install/tools/ipa-httpd-kdcproxy +++ b/install/tools/ipa-httpd-kdcproxy @@ -37,8 +37,26 @@ DEBUG = False TIME_LIMIT = 2 -class CheckError(Exception): -An unrecoverable error has occured +class Error(Exception): +Base error class + + +class ConfigFileError(Error): +Something is wrong with the config file + + +class CheckError(Error): +An unrecoverable error has occured + +The exit code is 0. + + + +class FatalError(Error): +A fatal error has occured + +Fatal errors cause the command to exit with a non-null exit code. + class KDCProxyConfig(object): 
@@ -64,14 +82,16 @@ class KDCProxyConfig(object): self.con.ldapi = True self.con.do_bind(timeout=self.time_limit) except errors.NetworkError as e: -msg = 'Failed to get setting from dirsrv: %s' % e -self.log.exception(msg) +msg = 'Unable to connect to dirsrv: %s' % e +raise CheckError(msg) +except errors.AuthorizationError as e: +msg = 'Authorization error: %s' % e raise CheckError(msg) except Exception as e: msg = ('Unknown error while retrieving setting from %s: %s' % (self.ldap_uri, e)) self.log.exception(msg) -raise CheckError(msg) +raise FatalError(msg) def _find_entry(self, dn, attrs, filter, scope=IPAdmin.SCOPE_BASE): Find an LDAP entry, handles NotFound and Limit @@ -87,7 +107,7 @@ class KDCProxyConfig(object): msg = ('Unknown error while retrieving setting from %s: %s' % (self.ldap_uri, e)) self.log.exception(msg) -raise CheckError(msg) +raise FatalError(msg) return entries[0] def is_host_enabled(self): @@ -105,19 +125,21 @@ class KDCProxyConfig(object): if not os.path.exists(self.conflink): return False if not os.path.islink(self.conflink): -raise CheckError('%s' already exists, but it is not a symlink % - self.conflink) +raise ConfigFileError( +'%s' already exists, but it is not a symlink +% self.conflink) dest = os.readlink(self.conflink) if dest != self.conf: -raise CheckError('%s' points to '%s', expected '%s' - % (self.conflink, dest, self.conf)) +raise ConfigFileError( +'%s' points to '%s', expected '%s' +% (self.conflink, dest, self.conf)) return True def create_symlink(self): Create symlink to enable KDC proxy support try: valid = self.validate_symlink() -except CheckError as e: +except ConfigFileError as e: self.log.warn(Cannot enable KDC proxy: %s % e) return False 
@@ -165,16 +187,29 @@ class KDCProxyConfig(object): def main(debug=DEBUG, time_limit=TIME_LIMIT): # initialize API without file logging if not api.isdone('bootstrap'): -api.bootstrap(context='kdcproxyshim', log=None, debug=debug) +api.bootstrap(context='ipa-httpd-kdcproxy', log=None, debug=debug) standard_logging_setup(verbose=True, debug=debug) -with KDCProxyConfig(time_limit) as cfg: -if cfg.is_host_enabled(): -if cfg.create_symlink(): -api.log.info('KDC proxy enabled') -else: -if cfg.remove_symlink(): -api.log.info('KDC proxy disabled') +try: +cfg = KDCProxyConfig(time_limit) +with cfg: +if cfg.is_host_enabled(): +if cfg.create_symlink(): +api.log.info('KDC proxy enabled') +return 0 +else: +if cfg.remove_symlink(): +api.log.info('KDC proxy disabled
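Review bot: the class docstrings in the first hunk now contradict each other: CheckError reads "An unrecoverable error has occured" directly above "The exit code is 0", while FatalError promises a "non-null exit code". Describe CheckError as a recoverable condition under which the command exits 0 without changing the KDC proxy state, say "non-zero" for FatalError, and fix "occured" (the commit message also has "conenct"). In the @@ -64,14 +82,16 hunk, NetworkError and AuthorizationError are now mapped to CheckError, but do_bind(timeout=self.time_limit) can also fail with socket.timeout, which is not an ipalib error and would still fall through to the generic `except Exception` and become a FatalError, so catch it next to NetworkError. Finally, the tail of main() is cut off here, so it is not visible what happens after a CheckError; the other thread concluded that when LDAP cannot be contacted the proxy must not be enabled, which means the symlink should be removed in that path rather than left in whatever state the previous run produced.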
[Freeipa-devel] [PATCH 0006] Start dirsrv for kdcproxy upgrade
Hi, this patch ensures that DS is running before HTTPInstance attempts to connect to LDAP. https://fedorahosted.org/freeipa/ticket/5113 While I was testing the patch I ran into trouble with DS. The upgrade script couldn't connect to 389/TCP, although ns-slapd was running. After some digging I found this log line: Jul 10 18:13:24 vm-120.abc.idm.lab.eng.brq.redhat.com ns-slapd[6278]: [10/Jul/2015:18:13:24 +0200] - Information: Non-Secure Port Disabled which eventually led me to /etc/dirsrv/slapd-IPA-EXAMPLE/dse.ldif. The port was disabled with nsslapd-port: 0. After I stopped DS, changed the port back to 389 and started DS again, ipa-server-upgrade worked again. Christian From 90c77671a3f8969adb06d7c6092369e90acfd59b Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Fri, 10 Jul 2015 18:18:29 +0200 Subject: [PATCH] Start dirsrv for kdcproxy upgrade The kdcproxy upgrade step in ipa-server-upgrade needs a running dirsrv instance. Under some circumstances the dirsrv isn't running. The patch rearranges some upgrade steps and starts DS before enable_kdcproxy(). https://fedorahosted.org/freeipa/ticket/5113 --- ipaserver/install/server/upgrade.py | 35 +++ 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 84a5b06accb10663eaa4d995f66796366040e9c8..f295655dc2aa592e0215f15017c9b65af49eef80 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py
@@ -1396,22 +1396,6 @@ def upgrade_configuration(): http.change_mod_nss_port_from_http() http.configure_certmonger_renewal_guard() -if not http.is_kdcproxy_configured(): -root_logger.info('[Enabling KDC Proxy]') -if http.admin_conn is None: -http.ldapi = True -http.fqdn = fqdn -http.realm = api.env.realm -http.suffix = ipautil.realm_to_suffix(api.env.realm) -http.ldap_connect() -http.create_kdcproxy_conf() -http.enable_kdcproxy() - -http.stop() -update_mod_nss_protocol(http) -fix_trust_flags() -http.start() - ds = dsinstance.DsInstance() ds.configure_dirsrv_ccache() @@ -1433,6 +1417,25 @@ def upgrade_configuration(): ds.suffix = ipautil.realm_to_suffix(api.env.realm) ds_enable_sidgen_extdom_plugins(ds) +# Now 389-ds is available, run the remaining http tasks +if not http.is_kdcproxy_configured(): +root_logger.info('[Enabling KDC Proxy]') +if http.admin_conn is None: + # 389-ds needs to be running +ds.start() +http.ldapi = True +http.fqdn = fqdn +http.realm = api.env.realm +http.suffix = ipautil.realm_to_suffix(api.env.realm) +http.ldap_connect() +http.create_kdcproxy_conf() +http.enable_kdcproxy() + +http.stop() +update_mod_nss_protocol(http) +fix_trust_flags() +http.start() + uninstall_selfsign(ds, http) simple_service_list = ( -- 2.4.3 signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
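Review bot: in the second hunk ds.start() is called only in the `http.admin_conn is None` branch, and `http.ldapi = True` is set right after it, so this connection goes over the LDAPI socket and never touches 389/TCP; the nsslapd-port: 0 problem described in the mail is therefore a separate issue from the one this patch fixes and deserves its own ticket rather than being left in this thread. It is also worth stating in the code comment why a running DS is needed here at all (the GSSAPI/LDAPI bind in http.ldap_connect()), since the moved block now sits after ds_enable_sidgen_extdom_plugins(ds) and a later reader will otherwise wonder why the start was not simply left where ds is first configured.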
[Freeipa-devel] [PATCH 0024] Handle timeout error in ipa-httpd-kdcproxy
The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly. A timeout does no longer result into an Apache startup error. https://fedorahosted.org/freeipa/ticket/5292 From 7ae756234534f0c6e750b5820733c6c5cb0682c6 Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Thu, 10 Sep 2015 11:54:32 +0200 Subject: [PATCH] Handle timeout error in ipa-httpd-kdcproxy The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly. A timeout does no longer result into an Apache startup error. https://fedorahosted.org/freeipa/ticket/5292 --- install/tools/ipa-httpd-kdcproxy | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/install/tools/ipa-httpd-kdcproxy b/install/tools/ipa-httpd-kdcproxy index 60b22f2cc321d416871c74f3b4d580594c186a85..5e9863f8bd82e1628030b0b767a6697ab2a1d7bd 100755 --- a/install/tools/ipa-httpd-kdcproxy +++ b/install/tools/ipa-httpd-kdcproxy @@ -24,6 +24,7 @@ This script creates or removes the symlink from /etc/ipa/ipa-kdc-proxy.conf to /etc/httpd/conf.d/. It's called from ExecStartPre hook in httpd.service. """ import os +import socket import sys from ipalib import api, errors @@ -81,7 +82,7 @@ class KDCProxyConfig(object): # EXTERNAL bind as root user self.con.ldapi = True self.con.do_bind(timeout=self.time_limit) -except errors.NetworkError as e: +except (errors.NetworkError, socket.timeout) as e: msg = 'Unable to connect to dirsrv: %s' % e raise CheckError(msg) except errors.AuthorizationError as e: -- 2.4.3 signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
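Review bot: catching socket.timeout alongside errors.NetworkError in this hunk is correct, since a bind that times out is not an ipalib NetworkError and previously fell through to the generic handler and a FatalError. Because this path now exits 0 with only "Unable to connect to dirsrv", a directory server that is merely slow (TIME_LIMIT is 2 seconds) silently leaves the KDC proxy in whatever state the previous run produced; log a timeout distinctly from a refused connection so the condition is visible in the journal, and, as suggested in the reply, short-circuit with installutils.is_ipa_configured() before api.bootstrap() so an unconfigured host never attempts the bind at all.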
Re: [Freeipa-devel] [PATCH 0024] Handle timeout error in ipa-httpd-kdcproxy
On 2015-09-10 14:58, Rob Crittenden wrote: > Christian Heimes wrote: >> The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly. >> A timeout no longer results in an Apache startup error. >> >> https://fedorahosted.org/freeipa/ticket/5292 > > Since this is related to IPA not being configured yet would it make > sense to call ipaserver.install.installutils.is_ipa_configured() and > exit early and gracefully, doing no work, if it isn't? IMHO it should > happen before the api is initialized. That sounds like a very good idea! I didn't know about that API function. Christian
Re: [Freeipa-devel] The Community Auth.NEXT Working Group Inagural Meeting
On 2015-09-30 08:05, Alexander Bokovoy wrote: > On Tue, 29 Sep 2015, Brian Stinson wrote: >> Hi FreeIPA! >> >> We are starting a working group of member projects looking to solve >> problems >> related to Community Authentication. The FreeIPA Community Portal >> feature added >> this summer is one of the important bits we are evaluating. >> >> We are hoping to collaborate on centos-de...@centos.org, and have IRC >> meetings >> in #centos-devel on Freenode every now and then to check in. We >> currently have >> interest from CentOS, Fedora, and a few other projects, and would love to >> invite anyone interested to participate. >> >> Patrick Uiterwijk will be starting a thread soon scheduling our next IRC >> meeting in 2 weeks time. > Thanks, Brian. > > There is also community-auth-next...@lists.fedoraproject.org for the same > purpose around Fedora Project needs. Reading your first meeting notes, > it is unclear why we couldn't use this list and would instead need to > subscribe to centos-devel@ (which I assume has more than this topic to > discuss). Hi Brian, thanks for your mail and for keeping us in the loop. I agree with Alexander's suggestion to use Patrick's new mailing list community-auth-next-wg. The centos-devel mailing list and #centos-devel channel are too busy to follow. For me and the other FreeIPA devs a dedicated mailing list has a better signal to noise ratio. I'm already subscribed to more mailing lists than I'm able to read on a daily basis... About the working-group representative for FreeIPA, I'm probably the best candidate. I'm familiar with the community portal. For the next months I'm busy with another project, but I can spare one to two hours a week to give feedback. I'd also like to get started on the design process early. Some necessary features and changes belong in the FreeIPA core, e.g. password change or unique email addresses. I'd like to address the modifications in FreeIPA 4.4.
Christian
Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install
On 2015-09-23 12:40, Jan Cholasta wrote: > On 23.9.2015 11:44, Christian Heimes wrote: >> On 2015-09-23 10:54, Jan Cholasta wrote: >>>> Correction, the HTTP server works, but it spits lots of errors in >>>> error_log about /var/lib/kdcproxy not existing. >>>> >>>> Is the KDCProxy supposed to be installed/enabled on upgrade ? >>>> If not, why not ? >>>> Even if it is not enabled, shouldn't the user be created just in case ? >>> >>> Fixed, patch attached. >> >> I haven't tested the patch yet. It looks like the kdcproxy user doesn't >> own its home directory. Please chown /var/lib/kdcproxy. > > I can't chown it because the user may not exist at RPM install time. It > doesn't matter anyway, since nothing is ever stored in the directory and > KDC proxy works just fine. The same thing is done for the DS user and > nobody complained so far, so I assumed it should be OK for KDC proxy as > well. I think we have a slight misunderstanding here. :) Of course you can't set the owner at RPM install time. I wasn't talking about chown-ing the directory in RPM, but chown-ing the directory after or inside the tasks.create_system_user() call. Sorry for the confusion! AFAIK neither mod_wsgi nor python-kdcproxy needs a writeable home directory. It's not guaranteed for eternity, though. Christian
Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install
On 2015-09-23 10:54, Jan Cholasta wrote: >> Correction, the HTTP server works, but it spits lots of errors in >> error_log about /var/lib/kdcproxy not existing. >> >> Is the KDCProxy supposed to be installed/enabled on upgrade ? >> If not, why not ? >> Even if it is not enabled, shouldn't the user be created just in case ? > > Fixed, patch attached. I haven't tested the patch yet. It looks like the kdcproxy user doesn't own its home directory. Please chown /var/lib/kdcproxy. Christian
[Freeipa-devel] [PATCH 0026] Workarounds for SELinux execmem violations in cryptography
The patch fixes SELinux violations in Fedora 23. Background: Recent versions of cryptography cause SELinux violations which lead to a segfault, see https://bugzilla.redhat.com/show_bug.cgi?id=1277224 . The segfault only occurs in the context of Apache HTTPD (FreeIPA web ui) when cryptography.hazmat.backends.default_backend() is initialized. I'm working on a fix for cryptography but it will take a while. First I have to wait for a new upstream release of python-cffi. Armin Ronacher plans to release cffi 1.4 in two weeks. ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's pki.client no longer tries to use PyOpenSSL instead of Python's ssl module. Some dependencies like Dogtag's pki.client library and custodia use python-requests to make HTTPS connections. python-requests prefers PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top of python-cryptography, which triggers an execmem SELinux violation in the context of Apache HTTPD (httpd_execmem). When requests is imported, it always tries to import pyopenssl glue code from urllib3's contrib directory. The import of PyOpenSSL is enough to trigger the SELinux denial. A hack in wsgi.py prevents the import by raising an ImportError. From 5ac052f085c74f058703c5da29d59849c11e571f Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com> Date: Thu, 3 Dec 2015 14:26:19 +0100 Subject: [PATCH 26/26] Workarounds for SELinux execmem violations in cryptography ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's pki.client no longer tries to use PyOpenSSL instead of Python's ssl module. Some dependencies like Dogtag's pki.client library and custodia use python-requsts to make HTTPS connection. python-requests prefers PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top of python-cryptography which trigger a execmem SELinux violation in the context of Apache HTTPD (httpd_execmem). When requests is imported, it always tries to import pyopenssl glue code from urllib3's contrib directory. The import of PyOpenSSL is enough to trigger the SELinux denial. A hack in wsgi.py prevents the import by raising an ImportError. --- freeipa.spec.in | 2 ++ install/share/wsgi.py | 14 ++ ipaserver/dcerpc.py | 32 +++- 3 files changed, 39 insertions(+), 9 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index a60d9b63f363773b6ca1b0969fa56b369a94092f..4fe8a911f0ae08882287bfea262064f5a2386ec1 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -66,6 +66,7 @@ BuildRequires: python-ldap BuildRequires: python-setuptools BuildRequires: python-nss BuildRequires: python-cryptography +BuildRequires: m2crypto BuildRequires: python-netaddr BuildRequires: python-gssapi >= 1.1.2 BuildRequires: python-rhsm @@ -322,6 +323,7 @@ Requires: keyutils Requires: pyOpenSSL Requires: python-nss >= 0.16 Requires: python-cryptography +Requires: m2crypto Requires: python-lxml Requires: python-netaddr Requires: python-libipa_hbac diff --git a/install/share/wsgi.py b/install/share/wsgi.py index ee9311e4eab8b95b5143170469cac7dc0b8b8e5e..ba42c343228da21f8e2ae9ea717450bada93359d 100644 --- a/install/share/wsgi.py +++ b/install/share/wsgi.py 
@@ -23,6 +23,20 @@ """ WSGI appliction for IPA server. """ +import sys + +# Some dependencies like Dogtag's pki.client library and custodia use +# python-requsts to make HTTPS connection. python-requests prefers +# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top +# of python-cryptography which trigger a execmem SELinux violation +# in the context of Apache HTTPD (httpd_execmem). +# When requests is imported, it always tries to import pyopenssl glue +# code from urllib3's contrib directory. The import of PyOpenSSL is +# enough to trigger the SELinux denial. +# This hack prevents the import by raising an ImportError. + +sys.modules['request.packages.urllib3.contrib.pyopenssl'] = None + from ipalib import api from ipalib.config import Env from ipalib.constants import DEFAULT_CONFIG diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 2e412861ebc265a9b07c8634068151181a3e9b9e..15d8e192e397868a0bf623d8a23c4a2489126bcb 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -42,8 +42,6 @@ from samba.ndr import ndr_pack, ndr_print from samba import net import samba import random -from cryptography.hazmat.primitives.ciphers import Cipher, algorithms -from cryptography.hazmat.backends import default_backend try: from ldap.controls import RequestControl as LDAPControl #pylint: disable=F0401 except ImportError: @@ -65,6 +63,29 @@ if six.PY3: unicode = str long = int +# Some versions of python-cryptography depend on python-cffi callbacks which +# are built on top of libffi's closure API. The closures require writeable +# and executable anonymous memory mappings, which violate SELinux execmem +# rules such as 'httpd_execmem'. Prefer M2Cr
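Review bot: the wsgi.py hunk registers `sys.modules['request.packages.urllib3.contrib.pyopenssl'] = None`, but the package is named `requests`; with this key the blocker never matches, urllib3's contrib module imports normally, and the execmem denial the comment describes still fires. Use `requests.packages.urllib3.contrib.pyopenssl`, and verify under httpd that `import requests` no longer produces an AVC before merging. The wsgi.py comment also carries the same "python-requsts", "is build on top" and "which trigger a execmem" typos as the commit message; fix them while touching the lines. In the spec hunk, adding m2crypto to BuildRequires and Requires while `Requires: pyOpenSSL` stays is fine only as long as nothing in the httpd context imports PyOpenSSL, which is exactly what the wsgi.py change has to guarantee.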
Re: [Freeipa-devel] [PATCH 0026] Workarounds for SELinux execmem violations in cryptography
On 2015-12-07 16:17, Alexander Bokovoy wrote:
> On Mon, 07 Dec 2015, Christian Heimes wrote:
>> The patch fixes SELinux violations in Fedora 23.
>>
>> Background: Recent versions of cryptography cause SELinux violations
>> which will lead to a segfault, see
>> https://bugzilla.redhat.com/show_bug.cgi?id=1277224 . The segfault only
>> occurs in the context of Apache HTTPD (FreeIPA web UI) when
>> cryptography.hazmat.backends.default_backend() is initialized. I'm
>> working on a fix for cryptography but it will take a while. First I have
>> to wait for a new upstream release of python-cffi. Armin Ronacher plans
>> to release cffi 1.4 in two weeks.
>>
>> ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
>> pki.client no longer tries to use PyOpenSSL instead of Python's ssl
>> module.
>>
>> Some dependencies like Dogtag's pki.client library and custodia use
>> python-requests to make HTTPS connections. python-requests prefers
>> PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
>> of python-cryptography, which triggers an execmem SELinux violation
>> in the context of Apache HTTPD (httpd_execmem).
>> When requests is imported, it always tries to import the PyOpenSSL glue
>> code from urllib3's contrib directory. The import of PyOpenSSL is
>> enough to trigger the SELinux denial.
>> A hack in wsgi.py prevents the import by raising an ImportError.
> ACK. Thanks for these patches.
>
> Note to Debian/Ubuntu maintainers: AppArmor 'support' in python-cffi
> already detects AppArmor by looking into /proc and disabling the use of
> writeable and executable memory. On those platforms I suspect recent
> enough python-cryptography would work without problem by downgrading its
> own feature set. The code in these patches should be harmless, though.

Cryptography's core depends on dynamic callbacks. There is no "downgrade
feature-set" feature.

I guess libffi uses the broken and potentially dangerous workaround
with two shared mmap()s with a file backend
(http://www.akkadia.org/drepper/selinux-mem.html). The approach requires
a writeable, executable temp file and breaks isolation between a parent
process and all its forked child processes.

Christian

signature.asc Description: OpenPGP digital signature
--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
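An added illustration (not FreeIPA code, and not part of the message above) of the mechanism the wsgi.py hack relies on: a None entry in sys.modules makes any later import of that exact name raise ImportError, which code that wraps optional backends in try/except ImportError then treats as "backend unavailable". It also shows the failure mode a reviewer should check for: if the sentinel key is spelled differently from the real module name, nothing is blocked and the side effect the sentinel was meant to prevent still happens. The stdlib module colorsys stands in for the PyOpenSSL glue module; blocked_module, optional_import and check_block are this example's own names.

```python
# Added example (not FreeIPA code): how the None sentinel in sys.modules
# blocks an import, and why the key must match the real module name.
import importlib
import sys
from contextlib import contextmanager


@contextmanager
def blocked_module(name):
    """Temporarily make `import <name>` raise ImportError.

    Python treats a None entry in sys.modules as "this module is known
    not to exist": any later import of that exact name raises
    ImportError (ModuleNotFoundError on Python 3), which is what the
    wsgi.py hack relies on.  The previous entry is restored on exit so
    the rest of the process is unaffected.
    """
    had_entry = name in sys.modules
    saved = sys.modules.get(name)
    sys.modules[name] = None
    try:
        yield
    finally:
        if had_entry:
            sys.modules[name] = saved
        else:
            del sys.modules[name]


def optional_import(name):
    """Mimic the pattern optional-backend code uses: try the import and
    fall back quietly when it is unavailable.
    Returns True if the module was imported, False on ImportError."""
    try:
        importlib.import_module(name)
    except ImportError:
        return False
    return True


def check_block(sentinel_name, real_name):
    """Return (blocked_while_sentinel_set, importable_afterwards).

    Blocking `sentinel_name` only stops `real_name` when the two names
    are identical; a typo in the sentinel (e.g. 'request.' for
    'requests.') leaves the real import working.
    """
    with blocked_module(sentinel_name):
        blocked = not optional_import(real_name)
    return blocked, optional_import(real_name)


if __name__ == "__main__":
    # colorsys is a small stdlib module used here only as a constructed
    # stand-in for the PyOpenSSL glue module.
    print(check_block("colorsys", "colorsys"))   # exact name: blocked
    print(check_block("colorsy", "colorsys"))    # misspelled: not blocked
```

The sentinel has to be installed before the first `import requests` in the process, and because the None entry shadows even an already-loaded module, the check is cheap to add to a test: assert that importing the glue module name raises ImportError after the WSGI script has run.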
Re: [Freeipa-devel] [PATCH 0026] Workarounds for SELinux execmem violations in cryptography
On 2015-12-07 19:59, Petr Vobornik wrote:
> On 7.12.2015 16:26, Christian Heimes wrote:
>> On 2015-12-07 16:17, Alexander Bokovoy wrote:
>>> On Mon, 07 Dec 2015, Christian Heimes wrote:
>>>> The patch fixes SELinux violations in Fedora 23.
>>>>
>>>> Background: Recent versions of cryptography cause SELinux violations
>>>> which will lead to a segfault, see
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1277224 . The segfault only
>>>> occurs in the context of Apache HTTPD (FreeIPA web UI) when
>>>> cryptography.hazmat.backends.default_backend() is initialized. I'm
>>>> working on a fix for cryptography but it will take a while. First I
>>>> have to wait for a new upstream release of python-cffi. Armin Ronacher
>>>> plans to release cffi 1.4 in two weeks.
>>>>
>>>> ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
>>>> pki.client no longer tries to use PyOpenSSL instead of Python's ssl
>>>> module.
>>>>
>>>> Some dependencies like Dogtag's pki.client library and custodia use
>>>> python-requests to make HTTPS connections. python-requests prefers
>>>> PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
>>>> of python-cryptography, which triggers an execmem SELinux violation
>>>> in the context of Apache HTTPD (httpd_execmem).
>>>> When requests is imported, it always tries to import the PyOpenSSL glue
>>>> code from urllib3's contrib directory. The import of PyOpenSSL is
>>>> enough to trigger the SELinux denial.
>>>> A hack in wsgi.py prevents the import by raising an ImportError.
>>> ACK. Thanks for these patches.
>>>
>>> Note to Debian/Ubuntu maintainers: AppArmor 'support' in python-cffi
>>> already detects AppArmor by looking into /proc and disabling the use of
>>> writeable and executable memory. On those platforms I suspect recent
>>> enough python-cryptography would work without problem by downgrading its
>>> own feature set. The code in these patches should be harmless, though.
>>
>> Cryptography's core depends on dynamic callbacks. There is no "downgrade
>> feature-set" feature.
>>
>> I guess libffi uses the broken and potentially dangerous workaround
>> with two shared mmap()s with a file backend
>> (http://www.akkadia.org/drepper/selinux-mem.html). The approach requires
>> a writeable, executable temp file and breaks isolation between a parent
>> process and all its forked child processes.
>>
>> Christian
>
> The patch needs to be rebased to the 4-2 branch to be usable on Fedora 23 -
> FreeIPA 4.2.3.

For FreeIPA 4.2 only the patch in wsgi.py is needed. The older version
doesn't use cryptography for RC4. I've attached a patch.

Christian

From ef68483bb3c9e328e3d65e0c02327cdb5ac9859a Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 8 Dec 2015 11:18:22 +0100
Subject: [PATCH 26/26] Workarounds for SELinux execmem violations in cryptography

Some dependencies like Dogtag's pki.client library and custodia use
python-requests to make HTTPS connections. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
of python-cryptography, which triggers an execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import the PyOpenSSL glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
A hack in wsgi.py prevents the import by raising an ImportError.
---
 install/share/wsgi.py | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/install/share/wsgi.py b/install/share/wsgi.py
index 9f7d3f487dbe07f60b748cfd48d533495de99f2c..ffeb3bb6caea62c82d19e4e772b47efa43cc715f 100644
--- a/install/share/wsgi.py
+++ b/install/share/wsgi.py
@@ -23,6 +23,20 @@ """ WSGI appliction for IPA server. """ +import sys + +# Some dependencies like Dogtag's pki.client library and custodia use +# python-requsts to make HTTPS connection. python-requests prefers +# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top +# of python-cryptography which trigger a execmem SELinux violation +# in the context of Apache HTTPD (httpd_execmem). +# When requests is imported, it always tries to import pyopenssl glue +# code from urllib3's contrib directory. The import of PyOpenSSL is +# enough to trigger the SELinux denial. +# This hack prevents the import by raising an ImportError. + +sys.modules['request.packages.urllib3.contrib.pyopenssl'] = None + from ipalib import api from ipalib.config import Env from ipalib.constants import DEFAULT_CONFIG -- 2.5.0
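Review bot: The sys.modules key in the only functional line of this hunk, `sys.modules['request.packages.urllib3.contrib.pyopenssl'] = None`, is missing the trailing "s" in `requests`: the module that requests tries to import at import time is `requests.packages.urllib3.contrib.pyopenssl` (a relative import of `.packages.urllib3.contrib.pyopenssl` from the requests package), so the None sentinel as written never matches, the import still succeeds, and the httpd_execmem denial the hunk is meant to prevent still happens. Change the key to `requests.packages.urllib3.contrib.pyopenssl`, verify on Fedora 23 which name the system python-requests actually imports (it is known to unbundle urllib3), and add a test that asserts importing that name raises ImportError after wsgi.py has run, since nothing else in the patch would catch this. The comment block also repeats "python-requsts" and "is build on top" from the commit message; fix the spelling before pushing.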
Re: [Freeipa-devel] [PATCH 25] Improve error logging for Dogtag subsystem installation
On 2015-12-03 11:04, Jan Cholasta wrote:
> On 2.12.2015 13:44, Petr Spacek wrote:
>> On 2.12.2015 13:23, Jan Cholasta wrote:
>>> On 2.12.2015 12:54, Petr Spacek wrote:
>>>> On 2.12.2015 12:51, Christian Heimes wrote:
>>>>> On 2015-12-02 08:37, Petr Spacek wrote:
>>>>>> On 1.12.2015 18:42, Christian Heimes wrote:
>>>>>>> From 33be1f56a64e53d261a1058c4606a7e48c0aac52 Mon Sep 17 00:00:00 2001
>>>>>>> From: Christian Heimes <chei...@redhat.com>
>>>>>>> Date: Tue, 1 Dec 2015 15:49:53 +0100
>>>>>>> Subject: [PATCH 25] Improve error logging for Dogtag subsystem
>>>>>>> installation
>>>>>>>
>>>>>>> In the case of a failed installation or uninstallation of a Dogtag
>>>>>>> subsystem, the error output of pkispawn / pkidestroy is now shown to
>>>>>>> the user. It makes it more obvious what went wrong and makes it easier
>>>>>>> to debug a problem.
>>>>>>>
>>>>>>> The error handler also attempts to get the full name of the installation
>>>>>>> / uninstallation log file from stdout. pkispawn and pkidestroy print the
>>>>>>> absolute name as 'Log file: /path/to/file.log'. The user no longer has
>>>>>>> to guess the right log file.
>>>>>>>
>>>>>>> Example:
>>>>>>> [1/8]: configuring KRA instance
>>>>>>> Failed to configure KRA instance: Command ''/usr/sbin/pkispawn' '-s'
>>>>>>> 'KRA' '-f' '/tmp/tmp1UpbwF'' returned non-zero exit status 1
>>>>>>> pkispawn: ERROR... PKI subsystem 'KRA' for instance
>>>>>>> 'pki-tomcat' already exists!
>>>>>>> See the installation logs and the following files/directories for more
>>>>>>> information:
>>>>>>> /var/log/pki/pki-tomcat
>>>>>>> /var/log/pki/pki-kra-spawn.20151201151735.log
>>>>>>> [error] RuntimeError: KRA configuration failed.
>>>>>>>
>>>>>>> The patch also changes a couple of modules that were using
>>>>>>> the CalledProcessError exception object from subprocess instead of
>>>>>>> ipautil.
>>>>>>
>>>>>> I'm wondering if ipautil.run() can log stdout and stderr on log level
>>>>>> ERROR when the return code is non-zero (and log on level DEBUG as usual
>>>>>> when the return code is zero).
>>>>>>
>>>>>> IMHO it would be nicer, universal, and does not require any changes in
>>>>>> places calling ipautil.run().
>>>>>
>>>>> I think it's a bit confusing to print out stdout and stderr, because
>>>>> both streams are captured separately. The output is missing its
>>>>> chronological order. subprocess can capture stdout and stderr in the
>>>>> same stream, but then we can't distinguish between output and error
>>>>> output...
>>>>
>>>> I do not think it is a problem if these two are clearly marked as such:
>>>> standard output: %s (if non-empty)
>>>> standard error output: %s (if non-empty)
>>>
>>> We do not want to log with level ERROR by default when rc != 0, because
>>> some commands generate a *lot* of output.
>>
>> I do not agree, but whatever. Somebody needs to review Christian's
>> original patch.
>
> We had a short discussion about this with Petr offline and we agreed
> that a reasonable compromise would be to log the last few lines of
> stderr with ERROR level when a command fails.
>
> This would mean adding a custom __str__() to CalledProcessError, so that
> the stderr tail is logged when the CalledProcessError is not handled,
> and also logging it from ipautil.run() if raiseonerr == False.

Yes, that sounds like a reasonable idea.

In the default case (raiseonerr == True) ipautil.run() returns a custom
CalledProcessError exception that prints the command and the last two or
three non-empty lines from stderr. Callers can either log the exception
directly or format the output as they see fit.

With raiseonerr == False and exit code != 0 the same information is
logged with log level ERROR. I can just create the exception object and
log its string representation without raising the exception.

Christian
[Freeipa-devel] [PATCH 25] Improve error logging for Dogtag subsystem installation
In the case of a failed installation or uninstallation of a Dogtag
subsystem, the error output of pkispawn / pkidestroy is now shown to
the user. It makes it more obvious what went wrong and makes it easier
to debug a problem.

The error handler also attempts to get the full name of the installation
/ uninstallation log file from stdout. pkispawn and pkidestroy print the
absolute name as 'Log file: /path/to/file.log'. The user no longer has
to guess the right log file.

Example:
[1/8]: configuring KRA instance
Failed to configure KRA instance: Command ''/usr/sbin/pkispawn' '-s'
'KRA' '-f' '/tmp/tmp1UpbwF'' returned non-zero exit status 1
pkispawn: ERROR... PKI subsystem 'KRA' for instance
'pki-tomcat' already exists!
See the installation logs and the following files/directories for more
information:
/var/log/pki/pki-tomcat
/var/log/pki/pki-kra-spawn.20151201151735.log
[error] RuntimeError: KRA configuration failed.

The patch also changes a couple of modules that were using
the CalledProcessError exception object from subprocess instead of
ipautil.

.freeipa-cheimes-0025-Improve-error-logging-for-Dogtag-subsystem-installat.patch.swp Description: Binary data
Re: [Freeipa-devel] [PATCH 25] Improve error logging for Dogtag subsystem installation
Now the correct patch file instead of a vim swap file...

From 33be1f56a64e53d261a1058c4606a7e48c0aac52 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 1 Dec 2015 15:49:53 +0100
Subject: [PATCH 25] Improve error logging for Dogtag subsystem installation

In the case of a failed installation or uninstallation of a Dogtag
subsystem, the error output of pkispawn / pkidestroy is now shown to
the user. It makes it more obvious what went wrong and makes it easier
to debug a problem.

The error handler also attempts to get the full name of the installation
/ uninstallation log file from stdout. pkispawn and pkidestroy print the
absolute name as 'Log file: /path/to/file.log'. The user no longer has
to guess the right log file.

Example:
[1/8]: configuring KRA instance
Failed to configure KRA instance: Command ''/usr/sbin/pkispawn' '-s'
'KRA' '-f' '/tmp/tmp1UpbwF'' returned non-zero exit status 1
pkispawn: ERROR... PKI subsystem 'KRA' for instance
'pki-tomcat' already exists!
See the installation logs and the following files/directories for more
information:
/var/log/pki/pki-tomcat
/var/log/pki/pki-kra-spawn.20151201151735.log
[error] RuntimeError: KRA configuration failed.

The patch also changes a couple of modules that were using
the CalledProcessError exception object from subprocess instead of
ipautil.
---
 ipaplatform/redhat/tasks.py| 3 +--
 ipapython/dnssec/bindmgr.py| 1 -
 ipapython/dnssec/odsmgr.py | 1 -
 ipapython/ipautil.py | 24 +---
 ipaserver/install/dns.py | 4 +---
 ipaserver/install/dogtaginstance.py| 28 ++--
 ipaserver/install/opendnssecinstance.py| 3 +--
 ipaserver/install/server/replicainstall.py | 3 +--
 8 files changed, 31 insertions(+), 36 deletions(-)

diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 94d2cb4e906965a20bcfdd55f38854005091c26f..1c502a2c859b23851d3b6101fca31e6cbb75b1eb 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -31,7 +31,6 @@ import socket import sys import base64 -from subprocess import CalledProcessError from nss.error import NSPRError from pyasn1.error import PyAsn1Error from six.moves import urllib @@ -173,7 +172,7 @@ class RedHatTaskNamespace(BaseTaskNamespace): def reload_systemwide_ca_store(self): try: ipautil.run([paths.UPDATE_CA_TRUST]) -except CalledProcessError as e: +except ipautil.CalledProcessError as e: root_logger.error( "Could not update systemwide CA trust database: %s", e) return False diff --git a/ipapython/dnssec/bindmgr.py b/ipapython/dnssec/bindmgr.py index 1822dacf2535e7c37062e4d639e01289edcf5074..5b1d34135e8e5bd5c135b3d204c8de76531ecd07 100644 --- a/ipapython/dnssec/bindmgr.py +++ b/ipapython/dnssec/bindmgr.py @@ -9,7 +9,6 @@ import os import logging import shutil import stat -import subprocess from ipalib import api import ipalib.constants diff --git a/ipapython/dnssec/odsmgr.py b/ipapython/dnssec/odsmgr.py index efbe16cc6ebf050d9cf347ed97b2b2e4b37c8a6e..a36ed7224a5abeb8c1ee91cc7eb60c048c05d2ed 100644 --- a/ipapython/dnssec/odsmgr.py +++ b/ipapython/dnssec/odsmgr.py @@ -6,7 +6,6 @@ import logging from lxml import etree import dns.name -import subprocess from ipapython import ipa_log_manager, ipautil diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 4551ea5c4025223dcff5cdc8998fedeccd14c3c2..ac85cb7b90ebde6f895dc09cae485a95c1c4a28d 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py 
@@ -63,20 +63,14 @@ KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for requested realm KRB5KDC_ERR_SVC_UNAVAILABLE = 2529638941 # A service is not available that is # required to process the request -try: -from subprocess import CalledProcessError -except ImportError: -# Python 2.4 doesn't implement CalledProcessError -class CalledProcessError(Exception): -"""This exception is raised when a process run by check_call() returns -a non-zero exit status. The exit status will be stored in the -returncode attribute.""" -def __init__(self, returncode, cmd, output=None): -self.returncode = returncode -self.cmd = cmd -self.output = output -def __str__(self): -return "Command '%s' returned non-zero exit status %d" % (self.cmd, self.returncode) + +class CalledProcessError(subprocess.CalledProcessError): +"""Custom CalledProcessError with error output +""" +def __init__(self, returncode, cmd, output=None, erroutput=None): +super(CalledProcessError, self).__init__(returncode, cmd, output) +self.erroutput = erroutput + def get_
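Review bot: In the ipautil.py hunk, `class CalledProcessError(subprocess.CalledProcessError)` adds an `erroutput` attribute but keeps the base class `__str__`, so a caller that does `root_logger.error("Could not update systemwide CA trust database: %s", e)` (as the tasks.py hunk in this same patch does) still logs only the command and exit status, and the captured stderr it now carries is never shown. Override `__str__` to append the last few non-empty lines of `self.erroutput`, as agreed in the thread, and document the attribute in the docstring, which currently says only "Custom CalledProcessError with error output". Two smaller points: the hunk drops `from subprocess import CalledProcessError` and refers to `subprocess.CalledProcessError` by module instead, so ipautil.py must have a plain `import subprocess` in scope, which this hunk does not add; and Python 3.5's subprocess.CalledProcessError already accepts a `stderr` keyword and attribute for exactly this data, so naming the new attribute `stderr` (or passing it through to the base constructor where the running Python supports it) avoids two names for the same thing.

Review bot: The bindmgr.py hunk deletes `import subprocess` without adding a replacement, and the diffstat line `ipapython/dnssec/bindmgr.py| 1 -` confirms the file has one deletion and no insertions, so the module must already reference `ipautil.CalledProcessError` (or never used the subprocess name at all); please confirm with pyflakes that no `subprocess.` reference remains, because a leftover one would fail only at runtime, in the exception path. The same applies to the odsmgr.py hunk, whose diffstat is likewise a single deletion.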
Re: [Freeipa-devel] [PATCH 25] Improve error logging for Dogtag subsystem installation
On 2015-12-02 08:37, Petr Spacek wrote:
> On 1.12.2015 18:42, Christian Heimes wrote:
>> From 33be1f56a64e53d261a1058c4606a7e48c0aac52 Mon Sep 17 00:00:00 2001
>> From: Christian Heimes <chei...@redhat.com>
>> Date: Tue, 1 Dec 2015 15:49:53 +0100
>> Subject: [PATCH 25] Improve error logging for Dogtag subsystem installation
>>
>> In the case of a failed installation or uninstallation of a Dogtag
>> subsystem, the error output of pkispawn / pkidestroy is now shown to
>> the user. It makes it more obvious what went wrong and makes it easier
>> to debug a problem.
>>
>> The error handler also attempts to get the full name of the installation
>> / uninstallation log file from stdout. pkispawn and pkidestroy print the
>> absolute name as 'Log file: /path/to/file.log'. The user no longer has
>> to guess the right log file.
>>
>> Example:
>> [1/8]: configuring KRA instance
>> Failed to configure KRA instance: Command ''/usr/sbin/pkispawn' '-s'
>> 'KRA' '-f' '/tmp/tmp1UpbwF'' returned non-zero exit status 1
>> pkispawn: ERROR... PKI subsystem 'KRA' for instance
>> 'pki-tomcat' already exists!
>> See the installation logs and the following files/directories for more
>> information:
>> /var/log/pki/pki-tomcat
>> /var/log/pki/pki-kra-spawn.20151201151735.log
>> [error] RuntimeError: KRA configuration failed.
>>
>> The patch also changes a couple of modules that were using
>> the CalledProcessError exception object from subprocess instead of
>> ipautil.
>
> I'm wondering if ipautil.run() can log stdout and stderr on log level ERROR
> when the return code is non-zero (and log on level DEBUG as usual when the
> return code is zero).
>
> IMHO it would be nicer, universal, and does not require any changes in places
> calling ipautil.run().

I think it's a bit confusing to print out stdout and stderr, because
both streams are captured separately. The output is missing its
chronological order. subprocess can capture stdout and stderr in the
same stream, but then we can't distinguish between output and error
output...

In case of Dogtag, stderr contains the relevant error message. In order
to understand the events that lead to the particular error, a user has
to read the log file anyway -- unless you run pkispawn with '-vv' for
extra verbosity. But then you get pages over pages of debug output on
*stderr*. It's not helpful either.

Christian