[Freeipa-devel] [freeipa PR#880][comment] Changing how commands handles error when it can't connect to IPA server

2017-06-19 Thread felipevolpone via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/880
Title: #880: Changing how commands handles error when it can't connect to IPA server

felipevolpone commented:
"""
The ticket describes some commands that are not showing the right message. IMO
we could split it into one ticket per command.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/880#issuecomment-309497175
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#880][opened] Changing how commands handles error when it can't connect to IPA server

2017-06-19 Thread felipevolpone via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/880
Author: felipevolpone
 Title: #880: Changing how commands handles error when it can't connect to IPA server
Action: opened

PR body:
"""
The commands that connect with the IPA server can raise a `NetworkError` with the
message: "ipa: ERROR: can't connect to 'http://localhost:/ipa/json': [Errno
111] Connection refused". Instead of that, this changes the error message in
order to be more user-friendly.

I've used `GenericError` because it inherits from `PublicError` and does not
have a default message. So, I do not have to change the `run` method in
`ipalib/cli.py` to handle a different exception/case.

Ticket: https://pagure.io/freeipa/issue/6261
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/880/head:pr880
git checkout pr880
From 1f9081e1e28176f8de82b866b0fab52282e7a2c4 Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Mon, 19 Jun 2017 13:28:45 -0300
Subject: [PATCH] Changing how commands handles error when it can't connect to
 IPA server

The commands that connect with the IPA server can raise a NetworkError with the
message: "ipa: ERROR: can't connect to 'http://localhost:/ipa/json':
[Errno 111] Connection refused", which is not user-friendly. Instead of
that, this changes the error message in order to be more user-friendly.

https://pagure.io/freeipa/issue/6261
---
 ipalib/__init__.py | 19 ---
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/ipalib/__init__.py b/ipalib/__init__.py
index 16f90c3bb2..692848a4a3 100644
--- a/ipalib/__init__.py
+++ b/ipalib/__init__.py
@@ -923,7 +923,7 @@ def _enable_warnings(error=False):
 from ipalib.parameters import DefaultFrom, Bool, Flag, Int, Decimal, Bytes, Str, IA5Str, Password, DNParam
 from ipalib.parameters import (BytesEnum, StrEnum, IntEnum, AccessTime, File,
 DateTime, DNSNameParam)
-from ipalib.errors import SkipPluginModule
+from ipalib.errors import SkipPluginModule, GenericError, NetworkError
 from ipalib.text import _, ngettext, GettextFactory, NGettextFactory
 
 Registry = plugable.Registry
@@ -942,12 +942,17 @@ def packages(self):
 ipaserver.plugins,
 )
 else:
-import ipaclient.remote_plugins
-import ipaclient.plugins
-result = (
-ipaclient.remote_plugins.get_package(self),
-ipaclient.plugins,
-)
+try:
+import ipaclient.remote_plugins
+import ipaclient.plugins
+result = (
+ipaclient.remote_plugins.get_package(self),
+ipaclient.plugins,
+)
+except NetworkError:
+#  instead of raising the default error connection message,
+#  raising a more user-friendly one
+raise GenericError('Cannot find IPA server to contact')
 
 if self.env.context in ('installer', 'updates'):
 # pylint: disable=import-error,ipa-forbidden-import
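Review bot: the `except NetworkError:` at the end of this hunk discards the original exception, including the URL and errno that `NetworkError` carried, so an administrator can no longer tell a refused connection from a name-resolution or TLS failure once only `Cannot find IPA server to contact` is shown; keep the detail by logging the caught error at debug level before raising, or chain it (`raise GenericError(...) from e` on Python 3, `six.raise_from` where Python 2 is still supported). Two smaller points: the new message is a bare string although `_` from `ipalib.text` is imported a few lines above in the first hunk, so it should be `GenericError(_('Cannot find IPA server to contact'))` for translation, and the `try` wraps the two `import` statements as well as `get_package(self)`; if only the `get_package` call can reach the server, narrowing the `try` to that statement avoids masking an unrelated `NetworkError` raised during import.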


[Freeipa-devel] [freeipa PR#439][synchronized] Testing both py2/py3 in travis

2017-06-19 Thread MartinBasti via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/439
Author: MartinBasti
 Title: #439: Testing both py2/py3 in travis
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/439/head:pr439
git checkout pr439
From f5afc91e05487e3b786feeb94f894c6d53f79169 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 14:56:39 +0100
Subject: [PATCH 1/3] Build: allow to build only py2 rpms for fedora

This is more or less for testing purposes of py2/py3 compatibility
---
 BUILD.txt   | 5 +
 Makefile.am | 4 ++--
 freeipa.spec.in | 4 
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/BUILD.txt b/BUILD.txt
index 7901d0748c..1729daebf5 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -36,6 +36,11 @@ It may be possible to do a simple make install but this has not been
 well-tested. Additional work is done in pre/post install scripts in the ipa
 spec file.
 
+To build only python2 packages on fedora following steps are required:
+$ autoreconf -i
+$ ./configure
+$ make rpms RPMBUILD_OPTS="--define 'with_python3 0'"
+
 Developing plugins
 --
 
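Review bot: the new BUILD.txt paragraph needs a small wording pass ("To build only Python 2 packages on Fedora, the following steps are required:"), and since `RPMBUILD_OPTS` is a general pass-through to `rpmbuild` rather than a Python-2 switch, one sentence saying that any extra rpmbuild options can be given this way, with `--define 'with_python3 0'` as the example, would document the variable properly.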
diff --git a/Makefile.am b/Makefile.am
index cbe4f2df49..972e260012 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -122,7 +122,7 @@ rpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _rpms-body
 
 _rpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec  $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/RPMS/*/*$$(cat $(top_builddir)/.version)*.rpm $(top_builddir)/dist/rpms/
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
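Review bot: the `_rpms-body` recipe has two spaces before `$(RPMBUILD_OPTS)` while the `_srpms-body` hunk below uses one; align them. The quoting works as intended: make passes `--define 'with_python3 0'` to the shell unchanged, so rpmbuild sees a single `--define` argument, but an `RPMBUILD_OPTS ?=` line near the top of Makefile.am would make the variable discoverable. While touching these recipes, the pre-existing context line `rm -f rm -f $(top_builddir)/.version` repeats `rm -f`; because GNU rm permutes options, this is parsed as `rm -f rm .version` and would delete a file literally named `rm` in the build directory if one existed, so it is worth reducing to a single `rm -f`.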
@@ -131,7 +131,7 @@ srpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _srpms-body
 
 _srpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
 
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 72f79c9f35..6c57cbe9e4 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -17,11 +17,15 @@
 %global with_ipatests_option --without-ipatests
 %endif
 
+%if 0%{?with_python3:1}
+# with_python3 already defined
+%else
 %if 0%{?rhel}
 %global with_python3 0
 %else
 %global with_python3 1
 %endif
+%endif
 
 # lint is not executed during rpmbuild
 # %%global with_lint 1
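Review bot: `%if 0%{?with_python3:1}` is a correct definedness test (it expands to `01` when the macro is defined with any value, including `0` from `--define 'with_python3 0'`, and to `0` otherwise), but the comment `# with_python3 already defined` should say where that definition is expected to come from, i.e. the rpmbuild command line via `RPMBUILD_OPTS`, since that is the whole purpose of the knob; rpm's conventional `%{!?with_python3: ...}` idiom is the alternative, though the nested `%if 0%{?rhel}` default makes the explicit `%if`/`%else` easier to read here.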

From ff8b98d1401a5f7fb9463e3ff1a53b77f2330d5b Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 17:23:54 +0100
Subject: [PATCH 2/3] Travis: build only py2 packages for py2 testing

We will be testing both py2 and py3 packages; the first step is to use only py2
builds for testing py2 packages
---
 .travis.yml |  2 ++
 .travis_run_task.sh | 10 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index c275cdca5d..62578d3e41 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -17,8 +17,10 @@ env:
 matrix:
 - TASK_TO_RUN="lint"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_cmdline
 test_install
 test_ipaclient
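Review bot: `PYTHON=/usr/bin/python2` is added to the two `run-tests` matrix entries but not to `lint`; since the companion `.travis_run_task.sh` change removes the `PYTHON="/usr/bin/python${TRAVIS_PYTHON_VERSION}"` default, the lint job now passes an empty `PYTHON=` into the container. Either add `PYTHON` to the lint entry too or keep a fallback in the script.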
diff --git a/.travis_run_task.sh b/.travis_run_task.sh
index 7d050b0b6f..540c883d83 100755
--- a/.travis_run_task.sh
+++ b/.travis_run_task.sh
@@ -4,10 +4,17 @@
 #
 # NOTE: this script is intended to run in Travis CI only
 
-PYTHON="/usr/bin/python${TRAVIS_PYTHON_VERSION}"
 test_set=""
 developer_mode_opt="--developer-mode"
 
+if [[ $PYTHON == "/usr/bin/python2" ]]
+then
+env_opt="--define 'with_python3 0'"
+else
+env_opt=""
+fi
+
+
 function truncate_log_to_test_failures() {
 # chop off everything in the CI_RESULTS_LOG preceding pytest error output
 # if there are pytest errors in the log
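Review bot: deleting the `PYTHON="/usr/bin/python${TRAVIS_PYTHON_VERSION}"` line means any matrix entry that does not set `PYTHON` (the `lint` task in `.travis.yml`) runs with an empty `$PYTHON`, which is then forwarded as `--container-environment "PYTHON="`; a guarded default such as `PYTHON="${PYTHON:-/usr/bin/python${TRAVIS_PYTHON_VERSION}}"` preserves the old behaviour while still letting the matrix override it. The `[[ $PYTHON == "/usr/bin/python2" ]]` comparison is an exact string match on the full path, so `/usr/bin/python2.7` or a relative interpreter name silently selects the py3 build; matching on `$(basename "$PYTHON")` or a `*python2*` pattern is more robust. One of the two blank lines after `fi` can go.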
@@ -43,6 +50,7 @@ ipa-docker-test-runner -l $CI_RESULTS_LOG \
 -c $TEST_RUNNER_CONFIG \
 $developer_mode_opt \
 --container-environment "PYTHON=$PYTHON" \
+--container-environment "RPMBUILD_OPTS=$env_opt" \
 --container-image $TEST_RUNNER_IMAGE \
 --git-repo $TRAVIS_BUILD_DIR \
 $TASK_TO_RUN $test_set

From 2a3df10e7298374ae50cad2fef73be48574043df Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 18:29:08 +0100
Subject: [PATCH 3/3] Travis: enable temporal Py3 testing

This test config is temporary until all plugins are migrated to py3.
After that this temporary config file will be removed and only the
previous one will be used again
---
 .test_runner_config_py3_temp.yaml | 60 ++
 .travis.yml   | 90 ++-
 2 files 

[Freeipa-devel] [freeipa PR#872][comment] Add IPA-specific bind unit file

2017-06-19 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/872
Title: #872: Add IPA-specific bind unit file

MartinBasti commented:
"""
I checked BZ, this may not be worth fixing as those failures are only during
upgrade and at the end named is working. For sure this huge change cannot go to
ipa-4-4 or ipa-4-5
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/872#issuecomment-309485173


[Freeipa-devel] [freeipa PR#879][opened] FIPS mode and NT hashes

2017-06-19 Thread sumit-bose via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/879
Author: sumit-bose
 Title: #879: FIPS mode and NT hashes
Action: opened

PR body:
"""
In FIPS mode NT hashes (aka MD4) are not allowed. If FIPS mode is detected we
disable NT hashes in the password plugin even if they are allowed by the IPA
configuration.

Since ipa-sam is running as part of smbd it is safe to use the E_md4hash()
from Samba. This way ipa-sam does not depend on other crypto libraries
which might depend on other rules like e.g. FIPS mode.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/879/head:pr879
git checkout pr879
From 21e740d2ca6ebdfcf5d30b8468846e0e1c546de8 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 16 Jun 2017 16:26:41 +0200
Subject: [PATCH 1/2] ipa-sam: replace encode_nt_key() with E_md4hash()

Since ipa-sam is running as part of smbd it is safe to use the
E_md4hash() from Samba. This way ipa-sam does not depend on other crypto
libraries which might depend on other rules like e.g. FIPS mode.
---
 daemons/ipa-sam/ipa_sam.c | 27 ++-
 1 file changed, 2 insertions(+), 25 deletions(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 6a29e8e10b..59d92f37c9 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -110,6 +110,7 @@ char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so *
 char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
 bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */
 void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */
+bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth-samba4.so */
 
 #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs"
 #define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain"
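Review bot: the hand-written prototype for `E_md4hash()` follows the pattern this file already uses for Samba internals, but the `/* available in libcliauth-samba4.so */` comment only holds if that library is actually on the link line; the patch touches no build file, so confirm that the ipa-sam module already links against it (the replaced `encode_nt_key()` may have been satisfied by a different library), otherwise the missing symbol surfaces only when smbd loads the module, not at build time. Note also that `-samba4`-suffixed libraries are Samba-private with no ABI guarantee, so the declared signature should be re-checked against each supported Samba version.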
@@ -2836,11 +2837,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 	struct dom_sid *g_sid;
 	char *name;
 	char *trustpw = NULL;
-	char *trustpw_utf8 = NULL;
-	char *tmp_str = NULL;
-	int ret;
 	uint8_t nt_key[16];
-	size_t converted_size;
 	bool res;
 	char *sid_str;
 	enum idmap_error_code err;
@@ -2899,19 +2896,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 		return false;
 	}
 
-	if (!push_utf8_talloc(user, _utf8, trustpw, _size)) {
-		res = false;
-		goto done;
-	}
-
-	tmp_str = talloc_strdup_upper(user, trustpw);
-	if (tmp_str == NULL) {
-		res = false;
-		goto done;
-	}
-
-	ret = encode_nt_key(trustpw_utf8, nt_key);
-	if (ret != 0) {
+	if (!E_md4hash(trustpw, nt_key)) {
 		res = false;
 		goto done;
 	}
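Review bot: replacing the `push_utf8_talloc()` + `encode_nt_key()` pair with `E_md4hash(trustpw, nt_key)` is a sound simplification: `E_md4hash()` takes the password in Samba's unix charset and performs the UTF-16LE conversion itself before the MD4, and the removed `talloc_strdup_upper()` result (`tmp_str`) was computed but never passed to anything, so dropping it changes no behaviour. Two things worth stating in the commit message: `E_md4hash()` returns `false` when the charset conversion fails, which the existing `res = false; goto done;` path now covers, and the change assumes `trustpw` as stored in LDAP is in the charset Samba's `unix charset` setting names (UTF-8 by default), since the explicit UTF-8 push is gone.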
@@ -2927,14 +2912,6 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 		memset(trustpw, 0, strlen(trustpw));
 		talloc_free(trustpw);
 	}
-	if (trustpw_utf8 != NULL) {
-		memset(trustpw_utf8, 0, strlen(trustpw_utf8));
-		talloc_free(trustpw_utf8);
-	}
-	if (tmp_str != NULL) {
-		memset(tmp_str, 0, strlen(tmp_str));
-		talloc_free(tmp_str);
-	}
 
 	return res;
 }
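Review bot: dropping the cleanup for `trustpw_utf8` and `tmp_str` is right now that the variables are gone, and `trustpw` is still zeroed before `talloc_free()`; `nt_key[16]`, which now holds the MD4 of the trust password, is not cleared in any visible hunk before `return res;`, so a `memset(nt_key, 0, sizeof(nt_key));` at `done:` would match the care already taken with the plaintext.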

From fef8e13d0c6c453d2849c2edc3743bf6fc614e1d Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 16 Jun 2017 17:49:44 +0200
Subject: [PATCH 2/2] ipa_pwd_extop: do not generate NT hashes in FIPS mode

In FIPS mode NT hashes (aka MD4) are not allowed. If FIPS mode is
detected we disable NT hashes even if they are allowed by the IPA
configuration.
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 53 ++--
 1 file changed, 40 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 761f7a8e3e..5efadac5b1 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -46,6 +46,8 @@
 /* Type of connection for this operation;*/
 #define LDAP_EXTOP_PASSMOD_CONN_SECURE
 
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
+
 /* Uncomment the following #undef FOR TESTING:
  * allows non-SSL connections to use the password change extended op */
 /* #undef LDAP_EXTOP_PASSMOD_CONN_SECURE */
@@ -62,6 +64,27 @@ static const char *ipapwd_def_encsalts[] = {
 NULL
 };
 
+static bool fips_enabled(void)
+{
+int fd;
+ssize_t len;
+char buf[8];
+
+fd = open(PROC_SYS_FIPS, O_RDONLY);
+if (fd != -1) {
+len = read(fd, buf, sizeof(buf));
+close(fd);
+/* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
+ * similar to the is_fips_enabled() check in
+ * ipaplatform/redhat/tasks.py */
+if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
+return true;
+}
+}
+
+return false;
+}
+
 static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 {
 krb5_error_code krberr;
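Review bot: `fips_enabled()` fails in two different directions: when `open()` fails it returns `false` (NT hashes stay enabled), but when `read()` returns -1 or any length other than 2, the `!(len == 2 && buf[0] == '0' && buf[1] == '\n')` test returns `true` (NT hashes disabled), so a transient read error silently flips behaviour the opposite way from a missing file. Pick one fail-safe direction, handle `len == -1` explicitly, and log the decision through the plugin's logging so an administrator can see why NT hashes were turned off. Also, `open`, `read`, `close`, `O_RDONLY` and `bool` require `<fcntl.h>`, `<unistd.h>` and `<stdbool.h>`; this hunk adds no includes, so confirm `common.c` already has them. Minor: the comment should read "Assume FIPS is enabled".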
@@ -232,23 +255,27 @@ static struct ipapwd_krbcfg 

[Freeipa-devel] [freeipa PR#877][comment] LDAP ObjectClasses are case-insensitive

2017-06-19 Thread abbra via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/877
Title: #877: LDAP ObjectClasses are case-insensitive

abbra commented:
"""
Please use `LDAPObject.has_objectclass()` method instead:

```python
if not api.Object[obj_type].has_objectclass(entry['objectclass'],
                                            required_objectclass):
    raise ...
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/877#issuecomment-309426854


[Freeipa-devel] [freeipa PR#876][synchronized] python-netifaces: update to reflect upstream changes

2017-06-19 Thread MartinBasti via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/876
Author: MartinBasti
 Title: #876: python-netifaces: update to reflect upstream changes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/876/head:pr876
git checkout pr876
From 42b125584a50672e5536c6e66830f1cff685b127 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 16 Jun 2017 13:42:53 +0200
Subject: [PATCH] python-netifaces: update to reflect upstream changes

python-netifaces now provides the IPv6 netmask in the format mask/prefix. It
breaks FreeIPA as it is an unexpected format for python-netaddr. We must
split the netmask and provide only the prefix to netaddr.

https://pagure.io/freeipa/issue/7021
---
 ipapython/ipautil.py | 17 ++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index a277ed8747..f214ccbbc2 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -195,6 +195,7 @@ def get_matching_interface(self):
 """Find matching local interface for address
 :return: Interface name or None if no interface has this address
 """
+root_logger.debug("Searching for an interface of IP address: %s", self)
 if self.version == 4:
 family = netifaces.AF_INET
 elif self.version == 6:
@@ -212,10 +213,20 @@ def get_matching_interface(self):
 # errors in IPNetwork
 ifaddr = ifdata['addr'].split(u'%', 1)[0]
 
-ifnet = netaddr.IPNetwork('{addr}/{netmask}'.format(
+# newer versions of netifaces provide IPv6 netmask in format
+# ':::::/64'. We have to split and use prefix
+# or the netmask with older versions
+ifmask = ifdata['netmask'].split(u'/')[-1]
+
+ifaddrmask = '{addr}/{netmask}'.format(
 addr=ifaddr,
-netmask=ifdata['netmask']
-))
+netmask=ifmask
+)
+root_logger.debug(
+"Testing local IP address: %s (interface: %s)",
+ifaddrmask, interface)
+
+ifnet = netaddr.IPNetwork(ifaddrmask)
 if ifnet == self._net or (
 self._net is None and ifnet.ip == self):
 self._net = ifnet
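Review bot: `ifdata['netmask'].split(u'/')[-1]` handles both formats correctly: a plain mask contains no `/`, so `[-1]` returns it unchanged, and the new `mask/prefix` form yields the prefix, which `netaddr.IPNetwork` accepts just as it accepts a full mask after the slash, so IPv4 addresses are unaffected. Two points: the explanatory comment should spell out a complete example of the new form so a reader can see the shape being split, and the new `root_logger.debug("Testing local IP address: ...")` fires once per address on every interface, which is fine at debug level but the message should then include the raw `ifdata['netmask']` as well, since that is the value whose format this change is about and the thing one would want in a log when it changes again.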


[Freeipa-devel] [freeipa PR#878][+WIP] [experimental] Make certificate an object

2017-06-19 Thread stlaz via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/878
Title: #878: [experimental] Make certificate an object

Label: +WIP