[Freeipa-devel] [freeipa PR#880][comment] Changing how commands handles error when it can't connect to IPA server
URL: https://github.com/freeipa/freeipa/pull/880
Title: #880: Changing how commands handles error when it can't connect to IPA server

felipevolpone commented:
"""
The ticket describes some commands that are not showing the right message. IMO we could split it into one ticket per command.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/880#issuecomment-309497175

___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#880][opened] Changing how commands handles error when it can't connect to IPA server
URL: https://github.com/freeipa/freeipa/pull/880 Author: felipevolpone Title: #880: Changing how commands handles error when it can't connect to IPA server Action: opened PR body: """ The commands that connects with IPA server can raise a `NetworkError` with the message: "ipa: ERROR: can't connect to `http://localhost:/ipa/json': [Errno 111] Connection refused`. Instead of that, this changes the message error in order to be more user-friendly. I've used the `GenericError` because it inherits from `PublicError`and do not have a default message. So, I do not have to change the `run` method in `ipalib/cli.py` to handle a different exception/case. Ticket: https://pagure.io/freeipa/issue/6261 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/880/head:pr880 git checkout pr880 From 1f9081e1e28176f8de82b866b0fab52282e7a2c4 Mon Sep 17 00:00:00 2001 From: Felipe VolponeDate: Mon, 19 Jun 2017 13:28:45 -0300 Subject: [PATCH] Changing how commands handles error when it can't connect to IPA server The commands that connects with IPA server can raise a NetworkError with the message: "ipa: ERROR: can't connect to 'http://localhost:/ipa/json': [Errno 111] Connection refused", which is not user friendly. Instead of that, this changes the message error in order to be more user-friendly. https://pagure.io/freeipa/issue/6261 --- ipalib/__init__.py | 19 --- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/ipalib/__init__.py b/ipalib/__init__.py index 16f90c3bb2..692848a4a3 100644 --- a/ipalib/__init__.py +++ b/ipalib/__init__.py 
@@ -923,7 +923,7 @@ def _enable_warnings(error=False): from ipalib.parameters import DefaultFrom, Bool, Flag, Int, Decimal, Bytes, Str, IA5Str, Password, DNParam from ipalib.parameters import (BytesEnum, StrEnum, IntEnum, AccessTime, File, DateTime, DNSNameParam) -from ipalib.errors import SkipPluginModule +from ipalib.errors import SkipPluginModule, GenericError, NetworkError from ipalib.text import _, ngettext, GettextFactory, NGettextFactory Registry = plugable.Registry @@ -942,12 +942,17 @@ def packages(self): ipaserver.plugins, ) else: -import ipaclient.remote_plugins -import ipaclient.plugins -result = ( -ipaclient.remote_plugins.get_package(self), -ipaclient.plugins, -) +try: +import ipaclient.remote_plugins +import ipaclient.plugins +result = ( +ipaclient.remote_plugins.get_package(self), +ipaclient.plugins, +) +except NetworkError: +# instead of raising the default error connection message, +# raising a more user-friendly one +raise GenericError('Cannot find IPA server to contact') if self.env.context in ('installer', 'updates'): # pylint: disable=import-error,ipa-forbidden-import ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
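Review bot: in the second ipalib/__init__.py hunk, the `except NetworkError:` branch drops the caught exception, so the URL and errno the old message carried (`can't connect to 'http://localhost:/ipa/json': [Errno 111] Connection refused`) are no longer available even at debug level; keep them by chaining the original error (for example with six.raise_from, since the tree still builds for py2 as PR#439 shows) or by logging it before re-raising. The new text `'Cannot find IPA server to contact'` is also not wrapped in `_()` like the other user-visible strings imported from ipalib.text, and it misdescribes a refused connection: the configured server was found, it just did not answer, so wording along the lines of "Cannot contact the IPA server" is more accurate. The try block additionally wraps the two `import` statements although only `ipaclient.remote_plugins.get_package(self)` can raise NetworkError; narrowing it to that call makes the intent clearer.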
[Freeipa-devel] [freeipa PR#439][synchronized] Testing both py2/py3 in travis
URL: https://github.com/freeipa/freeipa/pull/439 Author: MartinBasti Title: #439: Testing both py2/py3 in travis Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/439/head:pr439 git checkout pr439 From f5afc91e05487e3b786feeb94f894c6d53f79169 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Tue, 7 Feb 2017 14:56:39 +0100 Subject: [PATCH 1/3] Build: allow to build only py2 rpms for fedora This is more or less for testing purposes of py2/py3 compatibility --- BUILD.txt | 5 + Makefile.am | 4 ++-- freeipa.spec.in | 4 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/BUILD.txt b/BUILD.txt index 7901d0748c..1729daebf5 100644 --- a/BUILD.txt +++ b/BUILD.txt @@ -36,6 +36,11 @@ It may be possible to do a simple make install but this has not been well-tested. Additional work is done in pre/post install scripts in the ipa spec file. +To build only python2 packages on fedora following steps are required: +$ autoreconf -i +$ ./configure +$ make rpms RPMBUILD_OPTS="--define 'with_python3 0'" + Developing plugins -- diff --git a/Makefile.am b/Makefile.am index cbe4f2df49..972e260012 100644 --- a/Makefile.am +++ b/Makefile.am @@ -122,7 +122,7 @@ rpms: $(VERSION_UPDATE_TARGET) $(MAKE) _rpms-body _rpms-body: _rpms-prep - rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec + rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec $(RPMBUILD_OPTS) cp $(RPMBUILD)/RPMS/*/*$$(cat $(top_builddir)/.version)*.rpm $(top_builddir)/dist/rpms/ cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/ rm -f rm -f $(top_builddir)/.version 
@@ -131,7 +131,7 @@ srpms: $(VERSION_UPDATE_TARGET) $(MAKE) _srpms-body _srpms-body: _rpms-prep - rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec + rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec $(RPMBUILD_OPTS) cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/ rm -f rm -f $(top_builddir)/.version diff --git a/freeipa.spec.in b/freeipa.spec.in index 72f79c9f35..6c57cbe9e4 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -17,11 +17,15 @@ %global with_ipatests_option --without-ipatests %endif +%if 0%{?with_python3:1} +# with_python3 already defined +%else %if 0%{?rhel} %global with_python3 0 %else %global with_python3 1 %endif +%endif # lint is not executed during rpmbuild # %%global with_lint 1 From ff8b98d1401a5f7fb9463e3ff1a53b77f2330d5b Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 7 Feb 2017 17:23:54 +0100 Subject: [PATCH 2/3] Travis: build only py2 packages for py2 testing We will testing both py2 and py3 packages, first step is use only py2 builds for testing py2 packages --- .travis.yml | 2 ++ .travis_run_task.sh | 10 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index c275cdca5d..62578d3e41 100644 --- a/.travis.yml +++ b/.travis.yml @@ -17,8 +17,10 @@ env: matrix: - TASK_TO_RUN="lint" - TASK_TO_RUN="run-tests" + PYTHON=/usr/bin/python2 TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py" - TASK_TO_RUN="run-tests" + PYTHON=/usr/bin/python2 TESTS_TO_RUN="test_cmdline test_install test_ipaclient diff --git a/.travis_run_task.sh b/.travis_run_task.sh index 7d050b0b6f..540c883d83 100755 --- a/.travis_run_task.sh +++ b/.travis_run_task.sh 
@@ -4,10 +4,17 @@ # # NOTE: this script is intended to run in Travis CI only -PYTHON="/usr/bin/python${TRAVIS_PYTHON_VERSION}" test_set="" developer_mode_opt="--developer-mode" +if [[ $PYTHON == "/usr/bin/python2" ]] +then +env_opt="--define 'with_python3 0'" +else +env_opt="" +fi + + function truncate_log_to_test_failures() { # chop off everything in the CI_RESULTS_LOG preceding pytest error output # if there are pytest errors in the log @@ -43,6 +50,7 @@ ipa-docker-test-runner -l $CI_RESULTS_LOG \ -c $TEST_RUNNER_CONFIG \ $developer_mode_opt \ --container-environment "PYTHON=$PYTHON" \ +--container-environment "RPMBUILD_OPTS=$env_opt" \ --container-image $TEST_RUNNER_IMAGE \ --git-repo $TRAVIS_BUILD_DIR \ $TASK_TO_RUN $test_set From 2a3df10e7298374ae50cad2fef73be48574043df Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 7 Feb 2017 18:29:08 +0100 Subject: [PATCH 3/3] Travis: enable temporal Py3 testing This testconfig is temporal until all plugins are migrated into py3. After that this temporal config file will be removed and used only the previous one again --- .test_runner_config_py3_temp.yaml | 60 ++ .travis.yml | 90 ++- 2 files
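Review bot: in the first .travis_run_task.sh hunk, removing the `PYTHON="/usr/bin/python${TRAVIS_PYTHON_VERSION}"` default makes the script depend entirely on PYTHON coming from the Travis matrix, but the .travis.yml hunk only adds `PYTHON=/usr/bin/python2` to the two run-tests entries; the `TASK_TO_RUN="lint"` entry sets nothing, so that job passes an empty `PYTHON=` into the container through the existing `--container-environment "PYTHON=$PYTHON"` line and lands in the `else` branch with `env_opt=""`. Either keep a fallback (`PYTHON="${PYTHON:-/usr/bin/python${TRAVIS_PYTHON_VERSION}}"`) or give the lint entry a PYTHON too. The `[[ $PYTHON == "/usr/bin/python2" ]]` test also matches only that exact path; a `case "$PYTHON" in *python2*)` would tolerate a versioned interpreter path.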
[Freeipa-devel] [freeipa PR#872][comment] Add IPA-specific bind unit file
URL: https://github.com/freeipa/freeipa/pull/872
Title: #872: Add IPA-specific bind unit file

MartinBasti commented:
"""
I checked BZ; this may not be worth fixing, as those failures are just during upgrade, but at the end named is working. For sure this huge change cannot go to ipa-4-4 or ipa-4-5.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/872#issuecomment-309485173
[Freeipa-devel] [freeipa PR#879][opened] FIPS mode and NT hashes
URL: https://github.com/freeipa/freeipa/pull/879 Author: sumit-bose Title: #879: FIPS mode and NT hashes Action: opened PR body: """ In FIPS mode NT hashes (aka md4) are not allowed. If FIPS more is detected we disable NT hashes in the password plugin even is they are allowed by IPA configuration. Since ipa-sam is running as part of smbd is it safe to use the E_md4hash() from Samba. This way ipa-sam does not depend on other crypto libraries which might depend on other rules like e.g. FIPS mode. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/879/head:pr879 git checkout pr879 From 21e740d2ca6ebdfcf5d30b8468846e0e1c546de8 Mon Sep 17 00:00:00 2001 From: Sumit BoseDate: Fri, 16 Jun 2017 16:26:41 +0200 Subject: [PATCH 1/2] ipa-sam: replace encode_nt_key() with E_md4hash() Since ipa-sam is running as part of smbd is it safe to use the E_md4hash() from Samba. This way ipa-sam does not depend on other crypto libraries which might depend on other rules like e.g. FIPS mode. --- daemons/ipa-sam/ipa_sam.c | 27 ++- 1 file changed, 2 insertions(+), 25 deletions(-) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 6a29e8e10b..59d92f37c9 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -110,6 +110,7 @@ char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so * char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */ bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */ +bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth-samba4.so */ #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs" #define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain" 
@@ -2836,11 +2837,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, struct dom_sid *g_sid; char *name; char *trustpw = NULL; - char *trustpw_utf8 = NULL; - char *tmp_str = NULL; - int ret; uint8_t nt_key[16]; - size_t converted_size; bool res; char *sid_str; enum idmap_error_code err; @@ -2899,19 +2896,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, return false; } - if (!push_utf8_talloc(user, _utf8, trustpw, _size)) { - res = false; - goto done; - } - - tmp_str = talloc_strdup_upper(user, trustpw); - if (tmp_str == NULL) { - res = false; - goto done; - } - - ret = encode_nt_key(trustpw_utf8, nt_key); - if (ret != 0) { + if (!E_md4hash(trustpw, nt_key)) { res = false; goto done; } @@ -2927,14 +2912,6 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, memset(trustpw, 0, strlen(trustpw)); talloc_free(trustpw); } - if (trustpw_utf8 != NULL) { - memset(trustpw_utf8, 0, strlen(trustpw_utf8)); - talloc_free(trustpw_utf8); - } - if (tmp_str != NULL) { - memset(tmp_str, 0, strlen(tmp_str)); - talloc_free(tmp_str); - } return res; } From fef8e13d0c6c453d2849c2edc3743bf6fc614e1d Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 16 Jun 2017 17:49:44 +0200 Subject: [PATCH 2/2] ipa_pwd_extop: do not generate NT hashes in FIPS mode In FIPS mode NT hashes (aka md4) are not allowed. If FIPS more is detected we disable NT hashes even is the are allowed by IPA configuration. --- daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 53 ++-- 1 file changed, 40 insertions(+), 13 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c index 761f7a8e3e..5efadac5b1 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c 
@@ -46,6 +46,8 @@ /* Type of connection for this operation;*/ #define LDAP_EXTOP_PASSMOD_CONN_SECURE +#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled" + /* Uncomment the following #undef FOR TESTING: * allows non-SSL connections to use the password change extended op */ /* #undef LDAP_EXTOP_PASSMOD_CONN_SECURE */ @@ -62,6 +64,27 @@ static const char *ipapwd_def_encsalts[] = { NULL }; +static bool fips_enabled(void) +{ +int fd; +ssize_t len; +char buf[8]; + +fd = open(PROC_SYS_FIPS, O_RDONLY); +if (fd != -1) { +len = read(fd, buf, sizeof(buf)); +close(fd); +/* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value + * similar to the is_fips_enabled() check in + * ipaplatform/redhat/tasks.py */ +if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) { +return true; +} +} + +return false; +} + static struct ipapwd_krbcfg *ipapwd_getConfig(void) { krb5_error_code krberr; @@ -232,23 +255,27 @@ static struct ipapwd_krbcfg
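Review bot: in the ipa_sam.c hunk, `E_md4hash()` is declared by hand with the remark "available in libcliauth-samba4.so"; unlike the libsmbconf/libpdb symbols declared above it, that is one of Samba's private libraries without an ABI guarantee, so the commit message should say so and the build should verify at link time that the symbol resolves instead of relying on smbd having it loaded. Dropping the `push_utf8_talloc()` conversion is correct only if `trustpw` is already in Samba's unix charset, which is what E_md4hash expects before it converts to UTF-16LE for MD4; a one-line comment at the call site would make that assumption explicit. Removing `tmp_str` is safe, since the old code built the uppercased copy but never used it.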
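Review bot: in the second common.c hunk, `fips_enabled()` treats every result other than reading exactly `"0\n"` as FIPS enabled, so a failed `read()` (len == -1) or a file without a trailing newline switches the plugin into FIPS behaviour, whereas a missing /proc/sys/crypto/fips_enabled (open fails) is treated as FIPS disabled; the two failure paths should agree and the decision should be logged. Checking `len > 0 && buf[0] != '0'` follows the kernel's documented 0/1 values more robustly than the exact two-byte compare, and because the kernel sets fips_enabled at boot the value can be read once and cached rather than opening the file on every password operation. The comment typo "Assume FIPS in enabled" should read "is enabled", and the commit message's "FIPS more" / "even is the are" need fixing as well.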
[Freeipa-devel] [freeipa PR#877][comment] LDAP ObjectClasses are case-insensitive
URL: https://github.com/freeipa/freeipa/pull/877
Title: #877: LDAP ObjectClasses are case-insensitive

abbra commented:
"""
Please use `LDAPObject.has_objectclass()` method instead:

```python
if not api.Object[obj_type].has_objectclass(entry['objectclass'],
                                            required_objectclass):
    raise ...
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/877#issuecomment-309426854
[Freeipa-devel] [freeipa PR#876][synchronized] python-netifaces: update to reflect upstream changes
URL: https://github.com/freeipa/freeipa/pull/876 Author: MartinBasti Title: #876: python-netifaces: update to reflect upstream changes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/876/head:pr876 git checkout pr876 From 42b125584a50672e5536c6e66830f1cff685b127 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Fri, 16 Jun 2017 13:42:53 +0200 Subject: [PATCH] python-netifaces: update to reflect upstream changes python-netifaces now provides IPv6 netmask in format mask/prefix. It breaks freeipa as it is unexpected format for python-netaddr. We must split netmask and provide only prefix for netaddr. https://pagure.io/freeipa/issue/7021 --- ipapython/ipautil.py | 17 ++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index a277ed8747..f214ccbbc2 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -195,6 +195,7 @@ def get_matching_interface(self): """Find matching local interface for address :return: Interface name or None if no interface has this address """ +root_logger.debug("Searching for an interface of IP address: %s", self) if self.version == 4: family = netifaces.AF_INET elif self.version == 6: 
@@ -212,10 +213,20 @@ def get_matching_interface(self): # errors in IPNetwork ifaddr = ifdata['addr'].split(u'%', 1)[0] -ifnet = netaddr.IPNetwork('{addr}/{netmask}'.format( +# newer versions of netifaces provide IPv6 netmask in format +# ':::::/64'. We have to split and use prefix +# or the netmask with older versions +ifmask = ifdata['netmask'].split(u'/')[-1] + +ifaddrmask = '{addr}/{netmask}'.format( addr=ifaddr, -netmask=ifdata['netmask'] -)) +netmask=ifmask +) +root_logger.debug( +"Testing local IP address: %s (interface: %s)", +ifaddrmask, interface) + +ifnet = netaddr.IPNetwork(ifaddrmask) if ifnet == self._net or ( self._net is None and ifnet.ip == self): self._net = ifnet ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
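Review bot: in the second ipautil.py hunk, `ifdata['netmask'].split(u'/')[-1]` accepts both the old full-mask form and the new `mask/prefix` form, but the diffstat shows only ipapython/ipautil.py changing, so neither format is covered by a test; please add a unit test for get_matching_interface() with a stubbed netifaces returning each netmask form, since a format change in that library is exactly what broke this path. The two new root_logger.debug calls are fine at debug level, but the second one runs once per interface address, so keep the message short as it is and avoid promoting it to info.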
[Freeipa-devel] [freeipa PR#878][+WIP] [experimental] Make certificate an object
URL: https://github.com/freeipa/freeipa/pull/878
Title: #878: [experimental] Make certificate an object
Label: +WIP