[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys
simo5 commented:
"""
Can you please attach more of the logs before the failure?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298734189
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#752][opened] upgrade: add missing DN suffix when enabling KDC proxy
URL: https://github.com/freeipa/freeipa/pull/752 Author: tomaskrizek Title: #752: upgrade: add missing DN suffix when enabling KDC proxy Action: opened PR body: """ This issue prevented from upgrading from IPA 4.1. I also discovered a missing python dependency when I was running the ipa-server-upgrade manually. For packagers: the Python version that has the required symbols in CentOS is 2.7.5-24 https://pagure.io/freeipa/issue/6920 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/752/head:pr752 git checkout pr752 From cb3052b148ebab0898bc7597d1c3bdb354733d86 Mon Sep 17 00:00:00 2001 From: Tomas KrizekDate: Tue, 2 May 2017 18:32:34 +0200 Subject: [PATCH 1/3] python2-ipalib: add missing python dependency Commit dfd560a190cb2ab13f34ed9e21c5fb5c6e793f18 started to use ssl symbols like ssl.OP_NO_SSLv2 that were introduced in Python 2.7.9. Related https://pagure.io/freeipa/issue/6920 --- freeipa.spec.in | 1 + 1 file changed, 1 insertion(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index ee9a36b..56c3f27 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -643,6 +643,7 @@ Requires: python-gssapi >= 1.2.0 Requires: gnupg Requires: keyutils Requires: pyOpenSSL +Requires: python >= 2.7.9 Requires: python-cryptography >= 1.6 Requires: python-netaddr >= %{python_netaddr_version} Requires: python-libipa_hbac From 213e25135f92d8d088e48e9cf4c5c29bd558c52d Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Tue, 2 May 2017 18:42:13 +0200 Subject: [PATCH 2/3] installer service: fix typo in service entry The typo would result in incorrect resolution of existing keys and their existence wasn't properly logged as intended. Related https://pagure.io/freeipa/issue/6920 --- ipaserver/install/service.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 6b5e69c..1aa49ed 100644 --- a/ipaserver/install/service.py 
+++ b/ipaserver/install/service.py @@ -181,7 +181,7 @@ def set_service_entry_config(name, fqdn, config_values, except errors.NotFound: pass else: -existing_values = entry.get('ipaConnfigString', []) +existing_values = entry.get('ipaConfigString', []) for value in config_values: if case_insensitive_attr_has_value(existing_values, value): root_logger.debug( From 74ef58e75cae5beb2dd8786c01e4a04f2fe8f5f6 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Tue, 2 May 2017 19:26:04 +0200 Subject: [PATCH 3/3] upgrade: add missing suffix to http instance During an upgrade, http.suffix is used to identify ldap entry when configuring kdc proxy. When the suffix is missing, the script crashed when enabling KDC proxy, because it used invalid DN. Fixes https://pagure.io/freeipa/issue/6920 --- ipaserver/install/server/upgrade.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 0f27428..dddec41 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1630,6 +1630,7 @@ def upgrade_configuration(): http = httpinstance.HTTPInstance(fstore) http.fqdn = fqdn http.realm = api.env.realm +http.suffix = ipautil.realm_to_suffix(api.env.realm) http.configure_selinux_for_httpd() http.change_mod_nss_port_from_http() -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
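Review bot: the `+Requires: python >= 2.7.9` line in the freeipa.spec.in hunk (PATCH 1/3) contradicts the PR body, which says the Python build carrying the required ssl symbols on CentOS is 2.7.5-24; on such a distribution the package would become uninstallable even though ssl.OP_NO_SSLv2 and friends are present. Express the requirement in terms the target builds actually satisfy (a distribution-conditional version bound), and put the reason for the bound, the ssl symbols named in the commit message, in a spec comment next to it so the next packager does not loosen it blindly.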
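Review bot: the `ipaConnfigString` to `ipaConfigString` correction in set_service_entry_config (PATCH 2/3) should come with a regression test, because with the misspelled attribute `entry.get(...)` silently returned `[]` every time, so the case_insensitive_attr_has_value() duplicate check could never match and the root_logger.debug message it guards never fired. A test that calls set_service_entry_config twice with the same config_values against a fake entry and asserts each value is present exactly once would have caught this and guards against the same typo reappearing.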
[Freeipa-devel] [freeipa PR#753][opened] Check CA status: add HTTP timeout
URL: https://github.com/freeipa/freeipa/pull/753 Author: MartinBasti Title: #753: Check CA status: add HTTP timeout Action: opened PR body: """ https://pagure.io/freeipa/issue/6766 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/753/head:pr753 git checkout pr753 From 1c0d760de5b882c819d96ef0ce791fe7557208b4 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Tue, 2 May 2017 19:24:16 +0200 Subject: [PATCH 1/2] http_request: add timeout option httplib.HTTPConnection supports timeout option so _httplib_request can be updated to allow passing connection keyword arguments to connection_factory. We need connection timeout for cases when reply from server is not received on time to ask again and not to wait for infinity. https://pagure.io/freeipa/issue/6766 --- ipapython/dogtag.py | 20 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 48232a9..21d58a9 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -163,9 +163,10 @@ def connection_factory(host, port): method=method, headers=headers) -def http_request(host, port, url, **kw): +def http_request(host, port, url, timeout=None, **kw): """ :param url: The path (not complete URL!) to post to. +:param timeout: Timeout in seconds for waiting for reply. :param kw: Keyword arguments to encode into POST body. :return: (http_status, http_headers, http_body) as (integer, dict, str) 
@@ -173,21 +174,32 @@ def http_request(host, port, url, **kw): Perform an HTTP request. """ body = urlencode(kw) +if timeout is None: +conn_opt = {} +else: +conn_opt = {"timeout": timeout} + return _httplib_request( -'http', host, port, url, httplib.HTTPConnection, body) +'http', host, port, url, httplib.HTTPConnection, body, +connection_options=conn_opt) def _httplib_request( protocol, host, port, path, connection_factory, request_body, -method='POST', headers=None): +method='POST', headers=None, connection_options=None): """ :param request_body: Request body :param connection_factory: Connection class to use. Will be called with the host and port arguments. :param method: HTTP request method (default: 'POST') +:param connection_options: a dictionary that will be passed to +connection_factory as keyword arguments. Perform a HTTP(s) request. """ +if connection_options is None: +connection_options = {} + uri = u'%s://%s%s' % (protocol, ipautil.format_netloc(host, port), path) root_logger.debug('request %s %s', method, uri) root_logger.debug('request body %r', request_body) @@ -200,7 +212,7 @@ def _httplib_request( headers['content-type'] = 'application/x-www-form-urlencoded' try: -conn = connection_factory(host, port) +conn = connection_factory(host, port, **connection_options) conn.request(method, uri, body=request_body, headers=headers) res = conn.getresponse() From 278e6a1bc39ba1f73bcb238acf4b5030645802ba Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 2 May 2017 19:52:13 +0200 Subject: [PATCH 2/2] ca_status: add HTTP timeout 30 seconds CA sometimes "forgot to answer" so we have to add timeout for http connection and ask again rather than wait for infinity. https://pagure.io/freeipa/issue/6766 --- ipalib/constants.py | 3 +++ ipapython/dogtag.py | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ipalib/constants.py b/ipalib/constants.py index e604bb4..e719fa0 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py 
@@ -171,6 +171,9 @@ ('ca_install_port', None), ('ca_agent_install_port', None), ('ca_ee_install_port', None), +# How long http connection should wait before trying again [seconds]. +# Do not mistake with "startup_timeout" +('ca_status_http_timeout', 30), # Topology plugin ('recommended_max_agmts', 4), # Recommended maximum number of replication diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 21d58a9..0c542d8 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -123,7 +123,9 @@ def ca_status(ca_host=None): if ca_host is None: ca_host = api.env.ca_host status, _headers, body = http_request( -ca_host, 8080, '/ca/admin/ca/getStatus') +ca_host, 8080, '/ca/admin/ca/getStatus', +# timeout: CA sometimes forgot to answer, we have to try again +timeout=api.env.ca_status_http_timeout) if status == 503: # Service temporarily unavailable return status -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
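Review bot: in the http_request hunk (PATCH 1/2) the docstring line "Timeout in seconds for waiting for reply" overstates what `timeout` does: httplib.HTTPConnection hands it to the socket, so it is a per-operation limit applied separately to connect() and to each recv(), not a bound on the whole request, and expiry surfaces as socket.timeout raised from inside _httplib_request. Say that in the docstring so callers size it correctly. Also note that a keyword named `timeout` was previously swallowed by `**kw` and urlencoded into the POST body; any caller passing such a field now silently gets a connection timeout instead, so a grep for existing http_request(..., timeout=...) call sites is worth doing before merge.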
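Review bot: in the ca_status hunk (PATCH 2/2) the new `timeout=api.env.ca_status_http_timeout` makes http_request raise socket.timeout after 30 seconds, but nothing in the hunk catches it, and the inline comment "we have to try again" describes behaviour that must live in the caller. Confirm that every caller of ca_status(), the CA startup wait loop in particular, treats socket.timeout the same way as the 503 return path and retries rather than letting the exception abort the installer; either a comment pointing at that handler or a wrapper in ca_status that converts the exception into a retryable status would make the intent explicit. The constants.py comment "Do not mistake with startup_timeout" is helpful; it would be stronger if it also said that ca_status_http_timeout must stay below startup_timeout for the retry loop to get more than one attempt.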
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys
stlaz commented:
"""
I was expecting some action about my previous comment:
> Fails with
> 2017-04-12T14:16:14Z DEBUG The ipa-replica-install command failed,
> exception: ValueError: Incorrect number of results (0) searching for public
> key for
> host/vm-225.abc.idm.lab.eng.brq.redhat@dom-096.abc.idm.lab.eng.brq.redhat.com
> on first replica, every try.
I did not see any change in code to fix this but I can try again.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298534740
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 3c994f38a5dad38b89c57ecce0558059d4d39e65 Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 30 ++ ipaserver/install/server/upgrade.py | 24 4 files changed, 68 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ee9a36b..24fc838 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -314,6 +314,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 7898c53..72488cc 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +from augeas import Augeas from ipalib.install import certmonger from ipaserver.install import service @@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lns') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost') + +ocsp_comment = aug.get( +'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) +ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) + +if ocsp_dir is None and ocsp_comment is not None: +# Directive is missing, comment is present +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), +'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +elif ocsp_dir is None: +# Directive is missing and comment is missing +aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP") + +aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -351,6 +378,7 @@ def __setup_ssl(self): create=True)
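Review bot: in enable_mod_nss_ocsp the selector `#comment[.=~regexp("NSSOCSP .*")]` can match more than one node when nss.conf carries several commented-out NSSOCSP lines (an admin may well have left both an "NSSOCSP on" and an "NSSOCSP off" behind comments), and python-augeas raises ValueError from aug.get() on a path with more than one match; the same selector is then reused in aug.set(), which would rewrite every match at once. Use aug.match() to enumerate the candidates, convert only the first one, and likewise verify that `directive[.="NSSOCSP"]` is unique before setting its arg. Separately, the helper flips an explicit `NSSOCSP off` to on without saying so; that is acceptable for an installer, but a debug-level log line recording the previous state would make the change visible in the install log.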
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys
pvoborni commented:
"""
What is this PR waiting for?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298530908
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys
simo5 commented:
"""
Turned out my master had some more relaxed permissions I added when developing the feature. I now have added a new function to just check for the host keys without asking for data that cannot be read with the identity we have available. This has been tested and seems to work correctly. Please check @stlaz
"""
See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298767350
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys
simo5 commented:
"""
Never mind, I finally reproduced
"""
See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298750030
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys
simo5 commented:
"""
@stlaz just FYI, I am asking this info because I cannot reproduce locally with a single replica.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298748943
[Freeipa-devel] [freeipa PR#751][comment] ipa-client-install: remove extra space in pkinit_anchors definition
URL: https://github.com/freeipa/freeipa/pull/751
Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition
abbra commented:
"""
LGTM. For the record, this is broken since cf1c4e84e74ea15fe5cf7219872cf131bd53281e which is in 4.5.0 release. So we need to backport this to 4.5 branch.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/751#issuecomment-298587034
[Freeipa-devel] [freeipa PR#751][+ack] ipa-client-install: remove extra space in pkinit_anchors definition
URL: https://github.com/freeipa/freeipa/pull/751
Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition
Label: +ack
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 91565422833deab89b378bb40df2bf19e9cb2209 Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 30 ++ ipaserver/install/server/upgrade.py | 25 + 4 files changed, 69 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ee9a36b..24fc838 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -314,6 +314,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 7898c53..ab688a8 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +from augeas import Augeas from ipalib.install import certmonger from ipaserver.install import service @@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lns') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF) + +ocsp_comment = aug.get( +'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) +ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) + +if ocsp_dir is None and ocsp_comment is not None: +# Directive is missing, comment is present +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), +'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +elif ocsp_dir is None: +# Directive is missing and comment is missing +aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP") + +aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -351,6 +378,7 @@ def __setup_ssl(self): create=True)
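Review bot: the restart_httpd hunk applies the "P,," trust flags to the server certificate on every certmonger-triggered restart, and the comment "Add trust flag which set certificate trusted for SSL connections" should state the trade-off rather than just the mechanism: a P flag tells NSS to accept that certificate as a trusted peer without chain building or revocation checking, which is exactly what breaks the OCSP chicken-and-egg at startup described in the commit message, but it also means httpd will no longer notice at startup that its own certificate has been revoked (clients still validate it, so the exposure is limited, and that reasoning belongs in the comment). Two smaller points: `trust_root_cert` is a misleading name for putting a peer flag on a leaf certificate, and `installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")` can return None when the directive is absent, in which case the script should log and skip instead of calling db.trust_root_cert(None, "P,,").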
Re: [Freeipa-devel] "blocker" tag for pull request
On 04/28/2017 02:41 PM, Martin Bašti wrote:
On 28.04.2017 14:17, Tomas Krizek wrote:
On 04/28/2017 10:15 AM, Petr Vobornik wrote:

Hi all,

I created "blocker" tag for FreeIPA Git Hub PRs. It should be used to mark PRs which solve test blocker or other functional blockers - e.g. blocks creation of demo. I.e. should be used rather rarely. I don't like the tag name, but I couldn't find better.

I think we could use the name "high-priority". It could have other uses besides marking a blocker, e.g. requesting prompt execution of tests in PR CI.

Sounds good, or maybe "prioritized"; IMHO the "blocker" word is overused.

Note: blocker priority in pagure doesn't imply blocker tag in PR. But testblocker tag in pagure does. Actually I'm thinking about changing Pagure priority names to: "highest, high, medium, low, patchwelcome"

+1, but I'd prefer "critical" instead of "highest"

+1 for critical

pyldap uses "help wanted" instead of "patchwelcome", it sounds better to me. I'd use it as a separate tag instead of priority. Even high prioritized issues can be made by contributors in early phase of development if they are easy enough.

Martin^2
--
Martin Bašti
Software Engineer
Red Hat Czech

+1 for critical; +1 for "help wanted", reasons:
- "patchwelcome" sounds strange, and strange is an understatement here (also, are you afraid of 2 word tags?)
- "help wanted" is much more humble; "patches welcome" is a common cry when you just don't care enough to fix it yourself, and I don't believe that's the message we want to be sending outside
[Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: 6.9 -> 7.4 migration fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 From 169dea79ade3283c25821fef3c4a6062ec6aef6d Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Thu, 27 Apr 2017 12:51:30 +0200 Subject: [PATCH 1/2] Refresh Dogtag RestClient.ca_host property Refresh the ca_host property of the Dogtag's RestClient class when it's requested as a context manager. This solves the problem which would occur on DL0 when installing CA against an old master which does not have port 8443 accessible. The setup tries to update the cert profiles via this port but fail. This operation should be performed against the local instance anyway. https://pagure.io/freeipa/issue/6878 --- ipaserver/plugins/dogtag.py | 30 ++ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 3997531..bddaab5 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1202,7 +1202,6 @@ def select_any_master(ldap2, service='CA'): import random from ipaserver.plugins import rabase from ipalib.constants import TYPE_ERROR -from ipalib.util import cachedproperty from ipalib import _ from ipaplatform.paths import paths 
@@ -1250,34 +1249,41 @@ def __init__(self, api): self.client_keyfile = paths.RA_AGENT_KEY super(RestClient, self).__init__(api) +self._ca_host = None # session cookie self.override_port = None self.cookie = None -@cachedproperty +@property def ca_host(self): """ -:return: host - as str +:returns: FQDN of a host hopefully providing a CA service -Select our CA host. +Select our CA host, cache it for the first time. """ +if self._ca_host is not None: +return self._ca_host + ldap2 = self.api.Backend.ldap2 if host_has_service(api.env.ca_host, ldap2, "CA"): -return api.env.ca_host -if api.env.host != api.env.ca_host: +object.__setattr__(self, '_ca_host', api.env.ca_host) +elif api.env.host != api.env.ca_host: if host_has_service(api.env.host, ldap2, "CA"): -return api.env.host -host = select_any_master(ldap2) -if host: -return host +object.__setattr__(self, '_ca_host', api.env.host) else: -return api.env.ca_host +object.__setattr__(self, '_ca_host', select_any_master(ldap2)) +if self._ca_host is None: +object.__setattr__(self, '_ca_host', api.env.ca_host) +return self._ca_host def __enter__(self): """Log into the REST API""" if self.cookie is not None: return + +# Refresh the ca_host property +object.__setattr__(self, '_ca_host', None) + status, resp_headers, _resp_body = dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, url='/ca/rest/account/login', From 225fc310606916445fcc152ec21f627e67f95494 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Fri, 28 Apr 2017 09:31:45 +0200 Subject: [PATCH 2/2] Remove the cachedproperty class The cachedproperty class was used in one special use-case where it only caused issues. Let's get rid of it. https://pagure.io/freeipa/issue/6878 --- ipalib/util.py | 34 -- 1 file changed, 34 deletions(-) diff --git a/ipalib/util.py b/ipalib/util.py index e9d4105..8973a19 100644 --- a/ipalib/util.py +++ b/ipalib/util.py 
@@ -34,7 +34,6 @@ import encodings import sys import ssl -from weakref import WeakKeyDictionary import netaddr from dns import resolver, rdatatype @@ -492,39 +491,6 @@ def remove_sshpubkey_from_output_list_post(context, entries): delattr(context, 'ipasshpubkey_added') -class cachedproperty(object): -""" -A property-like attribute that caches the return value of a method call. - -When the attribute is first read, the method is called and its return -value is saved and returned. On subsequent reads, the saved value is -returned. - -Typical usage: -class C(object): -@cachedproperty -def attr(self): -return 'value' -""" -__slots__ = ('getter', 'store') - -def __init__(self, getter): -self.getter = getter -self.store = WeakKeyDictionary() - -def __get__(self, obj, cls): -if obj is None: -return None -if obj not in self.store: -self.store[obj] = self.getter(obj) -return self.store[obj] - -def __set__(self, obj, value): -raise
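Review bot: in the ca_host hunk (PATCH 1/2) the cached value is only invalidated in __enter__, and only on the path where self.cookie is None, so any code that reads `client.ca_host` outside a `with` block, or re-enters an already-logged-in client, keeps whatever host was resolved first even if that host has since stopped serving the CA. The docstring "cache it for the first time" should spell out that lifecycle (reset on each fresh login, otherwise stale), and the use of `object.__setattr__(self, '_ca_host', ...)` instead of plain assignment needs a one-line comment saying why, because a reader cannot tell from this hunk whether the class forbids setting attributes after initialisation.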
[Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: 6.9 -> 7.4 migration fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 From 8cfc0770191003f9100e3405230e83a2e7059abf Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Thu, 27 Apr 2017 12:51:30 +0200 Subject: [PATCH 1/2] Refresh Dogtag RestClient.ca_host property Refresh the ca_host property of the Dogtag's RestClient class when it's requested as a context manager. This solves the problem which would occur on DL0 when installing CA against an old master which does not have port 8443 accessible. The setup tries to update the cert profiles via this port but fail. This operation should be performed against the local instance anyway. https://pagure.io/freeipa/issue/6878 --- ipaserver/plugins/dogtag.py | 30 ++ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 3997531..3fb93fd 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1202,7 +1202,6 @@ def select_any_master(ldap2, service='CA'): import random from ipaserver.plugins import rabase from ipalib.constants import TYPE_ERROR -from ipalib.util import cachedproperty from ipalib import _ from ipaplatform.paths import paths 
@@ -1250,34 +1249,41 @@ def __init__(self, api): self.client_keyfile = paths.RA_AGENT_KEY super(RestClient, self).__init__(api) +self._ca_host = None # session cookie self.override_port = None self.cookie = None -@cachedproperty +@property def ca_host(self): """ -:return: host - as str +:returns: FQDN of a host hopefully providing a CA service -Select our CA host. +Select our CA host, cache it for the first time. """ +if self._ca_host is not None: +return self._ca_host + ldap2 = self.api.Backend.ldap2 if host_has_service(api.env.ca_host, ldap2, "CA"): -return api.env.ca_host -if api.env.host != api.env.ca_host: +self._ca_host = api.env.ca_host +elif api.env.host != api.env.ca_host: if host_has_service(api.env.host, ldap2, "CA"): -return api.env.host -host = select_any_master(ldap2) -if host: -return host +self._ca_host = api.env.host else: -return api.env.ca_host +self._ca_host = select_any_master(ldap2) +if self._ca_host is None: +self._ca_host = api.env.ca_host +return self._ca_host def __enter__(self): """Log into the REST API""" if self.cookie is not None: return + +# Refresh the ca_host property +object.__setattr__(self, '_ca_host', None) + status, resp_headers, _resp_body = dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, url='/ca/rest/account/login', From 1ccd4c16d8f2043cea5bd271ada4492db9fceca2 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Fri, 28 Apr 2017 09:31:45 +0200 Subject: [PATCH 2/2] Remove the cachedproperty class The cachedproperty class was used in one special use-case where it only caused issues. Let's get rid of it. https://pagure.io/freeipa/issue/6878 --- ipalib/util.py | 34 -- 1 file changed, 34 deletions(-) diff --git a/ipalib/util.py b/ipalib/util.py index e9d4105..8973a19 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -34,7 +34,6 @@ import encodings import sys import ssl -from weakref import WeakKeyDictionary import netaddr from dns import resolver, rdatatype 
@@ -492,39 +491,6 @@ def remove_sshpubkey_from_output_list_post(context, entries): delattr(context, 'ipasshpubkey_added') -class cachedproperty(object): -""" -A property-like attribute that caches the return value of a method call. - -When the attribute is first read, the method is called and its return -value is saved and returned. On subsequent reads, the saved value is -returned. - -Typical usage: -class C(object): -@cachedproperty -def attr(self): -return 'value' -""" -__slots__ = ('getter', 'store') - -def __init__(self, getter): -self.getter = getter -self.store = WeakKeyDictionary() - -def __get__(self, obj, cls): -if obj is None: -return None -if obj not in self.store: -self.store[obj] = self.getter(obj) -return self.store[obj] - -def __set__(self, obj, value): -raise AttributeError("can't set attribute") - -def __delete__(self, obj): -raise
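Review bot: the revised ca_host property (PATCH 1/2) assigns `self._ca_host = ...` directly in three places while __enter__ still resets it with `object.__setattr__(self, '_ca_host', None)`; the two styles cannot both be necessary. If plain assignment works on this object, as the property now assumes, change __enter__ to `self._ca_host = None` for consistency; if the class locks attributes after __init__ so that only object.__setattr__ works, the property's assignments will raise and the hunk needs object.__setattr__ throughout. Either way, a unit test that instantiates RestClient, reads ca_host twice with host_has_service mocked, then enters the context manager and reads it again would pin down the intended caching behaviour.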
[Freeipa-devel] [freeipa PR#751][opened] ipa-client-install: remove extra space in pkinit_anchors definition
URL: https://github.com/freeipa/freeipa/pull/751 Author: flo-renaud Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition Action: opened PR body: """ ipa-client-install modifies /etc/krb5.conf and defines the following line: pkinit_anchors = FILE: /etc/ipa/ca.crt The extra space between FILE: and /etc/ipa/ca.crt break pkinit. https://pagure.io/freeipa/issue/6916 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/751/head:pr751 git checkout pr751 From 2348deb90b86b19a826fac683569c94e1ca3561b Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Tue, 2 May 2017 10:22:22 +0200 Subject: [PATCH] ipa-client-install: remove extra space in pkinit_anchors definition ipa-client-install modifies /etc/krb5.conf and defines the following line: pkinit_anchors = FILE: /etc/ipa/ca.crt The extra space between FILE: and /etc/ipa/ca.crt break pkinit. https://pagure.io/freeipa/issue/6916 --- ipaclient/install/client.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 549c9b8..abca692 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -710,7 +710,7 @@ def configure_krb5_conf( kropts.append(krbconf.setOption('default_domain', cli_domain)) kropts.append( -krbconf.setOption('pkinit_anchors', 'FILE: %s' % paths.IPA_CA_CRT)) +krbconf.setOption('pkinit_anchors', 'FILE:%s' % paths.IPA_CA_CRT)) ropts = [{ 'name': cli_realm, 'type': 'subsection', -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
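Review bot: the `configure_krb5_conf` hunk only fixes the value written by new client installs (`'FILE:%s'`); clients whose /etc/krb5.conf already contains `pkinit_anchors = FILE: /etc/ipa/ca.crt` keep the broken value, since nothing here rewrites an existing configuration. If that is intended, say so in the commit message; otherwise an upgrade step for already-installed clients is needed. A unit test asserting the rendered option has no space after `FILE:` would keep the typo from returning.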
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 740da4c68e307187de86beb2113df87157a9e950 Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 30 ++ ipaserver/install/server/upgrade.py | 24 4 files changed, 68 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ee9a36b..24fc838 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -314,6 +314,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 7898c53..72488cc 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +from augeas import Augeas from ipalib.install import certmonger from ipaserver.install import service @@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lns') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost') + +ocsp_comment = aug.get( +'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) +ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) + +if ocsp_dir is None and ocsp_comment is not None: +# Directive is missing, comment is present +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), +'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +elif ocsp_dir is None: +# Directive is missing and comment is missing +aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP") + +aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -351,6 +378,7 @@ def __setup_ssl(self): create=True)
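Review bot: in the freeipa.spec.in hunk, `Requires: python-augeas` is added to the server package next to `sssd-dbus`, but the module that imports `augeas` is `ipaserver/install/httpinstance.py`, which ships in the python2-ipaserver / python3-ipaserver packages; the requirement (and `python3-augeas` for the Python 3 package) belongs there, otherwise the Python 3 server package imports a module its own package does not pull in.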
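Review bot: in the `enable_mod_nss_ocsp` hunk, `os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost')` drops the leading slash by slicing, which silently produces a wrong Augeas path should the constant ever not start with `/`; `'/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF)` states the intent directly. Every `aug.get` / `aug.set` here also assumes the `NSSOCSP` comment or directive matches at most one node; python-augeas raises `ValueError` when a path expression matches several nodes, so if nss.conf carries the directive in more than one place (or both a commented and an active copy) the installer step dies with an Augeas error instead of a readable message. Checking `aug.match(...)` first and reporting a clear error would make the step robust.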
[Freeipa-devel] [freeipa PR#750][closed] Fixed typo in ipa-client-install help output
URL: https://github.com/freeipa/freeipa/pull/750 Author: tscherf Title: #750: Fixed typo in ipa-client-install help output Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/750/head:pr750 git checkout pr750
[Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf flo-renaud commented: """ Hi @pvomacka I tested your last update with a new install and with an upgraded instance, and both are functionally OK. Revoked certs do not allow access to the IPA Web UI. """ See the full comment at https://github.com/freeipa/freeipa/pull/729#issuecomment-298620370
[Freeipa-devel] [freeipa PR#751][+pushed] ipa-client-install: remove extra space in pkinit_anchors definition
URL: https://github.com/freeipa/freeipa/pull/751 Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition Label: +pushed
[Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd
URL: https://github.com/freeipa/freeipa/pull/723 Title: #723: Store GSSAPI session key in /var/run/httpd MartinBasti commented: """ The issue will be fixed on the SELinux side """ See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-298627474
[Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: 6.9 -> 7.4 migration fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 From 802b2ad635f3e62290c95bb0636c85d90199d84b Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Thu, 27 Apr 2017 12:51:30 +0200 Subject: [PATCH 1/2] Refresh Dogtag RestClient.ca_host property Refresh the ca_host property of the Dogtag's RestClient class when it's requested as a context manager. This solves the problem which would occur on DL0 when installing CA which needs to perform a set of steps against itself accessing 8443 port. This port should however only be available locally so trying to connect to remote master would fail. We need to make sure the right CA host is accessed. https://pagure.io/freeipa/issue/6878 --- ipaserver/install/cainstance.py | 5 ++--- ipaserver/plugins/dogtag.py | 30 ++ 2 files changed, 20 insertions(+), 15 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 84d60bf..d72feb8 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -425,6 +425,8 @@ def configure_instance(self, host_name, dm_password, admin_password, self.step("Configure HTTP to proxy connections", self.http_proxy) self.step("restarting certificate server", self.restart_instance) +self.step("updating IPA configuration", update_ipa_conf) +self.step("enabling CA instance", self.__enable_instance) if not promote: self.step("migrating certificate profiles to LDAP", migrate_profiles_to_ldap) 
@@ -432,9 +434,6 @@ def configure_instance(self, host_name, dm_password, admin_password, import_included_profiles) self.step("adding default CA ACL", ensure_default_caacl) self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry) -self.step("updating IPA configuration", update_ipa_conf) - -self.step("enabling CA instance", self.__enable_instance) self.step("configuring certmonger renewal for lightweight CAs", self.__add_lightweight_ca_tracking_requests) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 3997531..bddaab5 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1202,7 +1202,6 @@ def select_any_master(ldap2, service='CA'): import random from ipaserver.plugins import rabase from ipalib.constants import TYPE_ERROR -from ipalib.util import cachedproperty from ipalib import _ from ipaplatform.paths import paths 
@@ -1250,34 +1249,41 @@ def __init__(self, api): self.client_keyfile = paths.RA_AGENT_KEY super(RestClient, self).__init__(api) +self._ca_host = None # session cookie self.override_port = None self.cookie = None -@cachedproperty +@property def ca_host(self): """ -:return: host - as str +:returns: FQDN of a host hopefully providing a CA service -Select our CA host. +Select our CA host, cache it for the first time. """ +if self._ca_host is not None: +return self._ca_host + ldap2 = self.api.Backend.ldap2 if host_has_service(api.env.ca_host, ldap2, "CA"): -return api.env.ca_host -if api.env.host != api.env.ca_host: +object.__setattr__(self, '_ca_host', api.env.ca_host) +elif api.env.host != api.env.ca_host: if host_has_service(api.env.host, ldap2, "CA"): -return api.env.host -host = select_any_master(ldap2) -if host: -return host +object.__setattr__(self, '_ca_host', api.env.host) else: -return api.env.ca_host +object.__setattr__(self, '_ca_host', select_any_master(ldap2)) +if self._ca_host is None: +object.__setattr__(self, '_ca_host', api.env.ca_host) +return self._ca_host def __enter__(self): """Log into the REST API""" if self.cookie is not None: return + +# Refresh the ca_host property +object.__setattr__(self, '_ca_host', None) + status, resp_headers, _resp_body = dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, url='/ca/rest/account/login', From f57ed03e97836876f21d18e68fd0f13f394dc471 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Fri, 28 Apr 2017 09:31:45 +0200 Subject: [PATCH 2/2] Remove the cachedproperty class The
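Review bot: the cainstance.py hunks move the `updating IPA configuration` and `enabling CA instance` steps ahead of `migrating certificate profiles to LDAP`, but the commit message only describes refreshing `ca_host`. Since `ca_host` decides via `host_has_service` whether the local host is a CA, the enable step has to run before the profile migration opens its REST session on port 8443; state that ordering dependency in the commit message and in a comment next to the steps, otherwise a later reorder reintroduces the connection refused failure reported on this PR.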
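Review bot: the dogtag.py hunk calls `object.__setattr__(self, '_ca_host', ...)` in three branches of the getter plus `__enter__`, bypassing the class's attribute protection, while `__init__` assigns `self._ca_host = None` normally. Factor the bypass into one small helper with a comment explaining why plain assignment is not possible outside `__init__`, so the reason survives the next refactor. The docstring `:returns: FQDN of a host hopefully providing a CA service` should also spell out the fallback order (env.ca_host, local host, any master, env.ca_host again) instead of "hopefully".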
[Freeipa-devel] [freeipa PR#750][comment] Fixed typo in ipa-client-install help output
URL: https://github.com/freeipa/freeipa/pull/750 Title: #750: Fixed typo in ipa-client-install help output MartinBasti commented: """ master: * e3f849d541e8d054b0932d8ec1bd4c836e53c6f0 Fixed typo in ipa-client-install output """ See the full comment at https://github.com/freeipa/freeipa/pull/750#issuecomment-298612165
[Freeipa-devel] [freeipa PR#750][+pushed] Fixed typo in ipa-client-install help output
URL: https://github.com/freeipa/freeipa/pull/750 Title: #750: Fixed typo in ipa-client-install help output Label: +pushed
[Freeipa-devel] [freeipa PR#751][comment] ipa-client-install: remove extra space in pkinit_anchors definition
URL: https://github.com/freeipa/freeipa/pull/751 Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition MartinBasti commented: """ master: * 26dbab1fd4384b8f3999b153c2d94220cf541ad2 ipa-client-install: remove extra space in pkinit_anchors definition ipa-4-5: * a3c4e70650dbcd5dd3f00a7b2fecc051afeebec0 ipa-client-install: remove extra space in pkinit_anchors definition """ See the full comment at https://github.com/freeipa/freeipa/pull/751#issuecomment-298613205
[Freeipa-devel] [freeipa PR#751][closed] ipa-client-install: remove extra space in pkinit_anchors definition
URL: https://github.com/freeipa/freeipa/pull/751 Author: flo-renaud Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/751/head:pr751 git checkout pr751
[Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Title: #741: 6.9 -> 7.4 migration fixes MartinBasti commented: """ It failed for me ``` [20/28]: Configure HTTP to proxy connections [21/28]: restarting certificate server [22/28]: migrating certificate profiles to LDAP [error] NetworkError: cannot connect to 'https://vm-058-166.abc.idm.lab.eng.brq.redhat.com:8443/ca/rest/account/login': [Errno 111] Connection refused Your system may be partly configured. ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/741#issuecomment-298609873
[Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Title: #741: 6.9 -> 7.4 migration fixes stlaz commented: """ This was supposed to be fixed by the patch and worked for me; it seems that I may need to investigate it further. """ See the full comment at https://github.com/freeipa/freeipa/pull/741#issuecomment-298610326
[Freeipa-devel] [freeipa PR#734][+ack] kerberos session: use CA cert with full cert chain for obtaining cookie
URL: https://github.com/freeipa/freeipa/pull/734 Title: #734: kerberos session: use CA cert with full cert chain for obtaining cookie Label: +ack
[Freeipa-devel] [freeipa PR#734][comment] kerberos session: use CA cert with full cert chain for obtaining cookie
URL: https://github.com/freeipa/freeipa/pull/734 Title: #734: kerberos session: use CA cert with full cert chain for obtaining cookie MartinBasti commented: """ master: * c19196a0d3fc0a38c4c83cb8a7fde56e6bc310af kerberos session: use CA cert with full cert chain for obtaining cookie ipa-4-5: * 82679c11f1fc0701d753433d1f2d14c3ee0279af kerberos session: use CA cert with full cert chain for obtaining cookie """ See the full comment at https://github.com/freeipa/freeipa/pull/734#issuecomment-298612483
[Freeipa-devel] [freeipa PR#734][closed] kerberos session: use CA cert with full cert chain for obtaining cookie
URL: https://github.com/freeipa/freeipa/pull/734 Author: pvoborni Title: #734: kerberos session: use CA cert with full cert chain for obtaining cookie Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/734/head:pr734 git checkout pr734
[Freeipa-devel] [freeipa PR#734][+pushed] kerberos session: use CA cert with full cert chain for obtaining cookie
URL: https://github.com/freeipa/freeipa/pull/734 Title: #734: kerberos session: use CA cert with full cert chain for obtaining cookie Label: +pushed
[Freeipa-devel] [freeipa PR#723][closed] Store GSSAPI session key in /var/run/httpd
URL: https://github.com/freeipa/freeipa/pull/723 Author: MartinBasti Title: #723: Store GSSAPI session key in /var/run/httpd Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/723/head:pr723 git checkout pr723
[Freeipa-devel] [freeipa PR#723][+rejected] Store GSSAPI session key in /var/run/httpd
URL: https://github.com/freeipa/freeipa/pull/723 Title: #723: Store GSSAPI session key in /var/run/httpd Label: +rejected
[Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Title: #741: 6.9 -> 7.4 migration fixes stlaz commented: """ Turns out I forgot to reorder the CA installation steps a bit. """ See the full comment at https://github.com/freeipa/freeipa/pull/741#issuecomment-298631763
[Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/679/head:pr679 git checkout pr679 From 0e70f02180e2ada8862fbd8d42a42f07a8cabbb9 Mon Sep 17 00:00:00 2001 From: Simo SorceDate: Fri, 31 Mar 2017 11:22:45 -0400 Subject: [PATCH] Make sure remote hosts have our keys In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6838 Signed-off-by: Simo Sorce --- ipaserver/install/custodiainstance.py | 28 +++- ipaserver/secrets/kem.py | 12 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index 6a61392..390576b 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -1,6 +1,6 @@ # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license. -from ipaserver.secrets.kem import IPAKEMKeys +from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap from ipaserver.secrets.client import CustodiaClient from ipaplatform.paths import paths from ipaplatform.constants import constants @@ -18,6 +18,7 @@ import os import stat import tempfile +import time import pwd 
@@ -122,6 +123,27 @@ def import_dm_password(self, master_host_name): cli = self.__CustodiaClient(server=master_host_name) cli.fetch_key('dm/DMHash') +def __wait_keys(self, host, timeout=300): +ldap_uri = 'ldap://%s' % host +deadline = int(time.time()) + timeout +root_logger.info("Waiting up to {} seconds to see our keys " + "appear on host: {}".format(timeout, host)) + +konn = KEMLdap(ldap_uri) +saved_e = None +while True: +try: +return konn.check_host_keys(self.fqdn) +except Exception as e: +# log only once for the same error +if not isinstance(e, type(saved_e)): +root_logger.debug( +"Transient error getting keys: '{err}'".format(err=e)) +saved_e = e +if int(time.time()) > deadline: +raise RuntimeError("Timed out trying to obtain keys.") +time.sleep(1) + def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): # Fecth all needed certs one by one, then combine them in a single # p12 file @@ -129,6 +151,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): prefix = data['prefix'] certlist = data['list'] +# Before we attempt to fetch keys from this host, make sure our public +# keys have been replicated there. +self.__wait_keys(ca_host) + cli = self.__CustodiaClient(server=ca_host) # Temporary nssdb diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py index 28fb4d3..c1991c6 100644 --- a/ipaserver/secrets/kem.py +++ b/ipaserver/secrets/kem.py @@ -24,6 +24,7 @@ IPA_REL_BASE_DN = 'cn=custodia,cn=ipa,cn=etc' IPA_KEYS_QUERY = '(&(ipaKeyUsage={usage:s})(memberPrincipal={princ:s}))' +IPA_CHECK_QUERY = '(cn=enc/{host:s})' RFC5280_USAGE_MAP = {KEY_USAGE_SIG: 'digitalSignature', KEY_USAGE_ENC: 'dataEncipherment'} 
@@ -78,6 +79,17 @@ def get_key(self, usage, principal): jwk['use'] = KEY_USAGE_MAP[usage] return json_encode(jwk) +def check_host_keys(self, host): +conn = self.connect() +scope = ldap.SCOPE_SUBTREE + +ldap_filter = self.build_filter(IPA_CHECK_QUERY, {'host': host}) +r = conn.search_s(self.keysbase, scope, ldap_filter) +if len(r) != 1: +raise ValueError("Incorrect number of results (%d) searching for" + "public key for %s" % (len(r), host)) +return True + def _format_public_key(self, key): if isinstance(key, str): jwkey = json_decode(key) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
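Review bot: in the `__wait_keys` hunk, the timeout error `RuntimeError("Timed out trying to obtain keys.")` misdescribes what failed: the loop waits for this host's own encryption key to show up on `host`, it does not obtain keys. Name the host and the timeout in the message (for example `"Timed out after {} s waiting for our keys to appear on {}"`) so replication lag is diagnosable from the log. The bare `except Exception` also retries non-transient failures (bad URI, bind errors) for the full 300 seconds; decide which exceptions from `check_host_keys` are genuinely transient (the `ValueError` for a missing entry clearly is) and let the others propagate. `ldap_uri = 'ldap://%s' % host` hard-codes plain LDAP; acceptable for reading a public key, but worth a comment.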
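Review bot: in the `check_host_keys` hunk, the implicit string concatenation `"... searching for" "public key for %s"` lacks a space and yields `searching forpublic key`; add the trailing space. More importantly the check only counts entries matching `(cn=enc/<host>)`: it proves that an entry for this host exists on the target, not that it holds the key this installation just created, so a stale entry left by an earlier installation under the same hostname satisfies it before the new key has replicated. Comparing the fetched key with the local public key, which is what the commit message ("positively fetch our encryption public key") promises, would close that gap.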
[Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf MartinBasti commented: """ augeas should be a dependency of the python2-ipaserver and python3-ipaserver (python3-augeas) packages ``` * Module ipaserver.install.httpinstance ipaserver/install/httpinstance.py:32: [E0401(import-error), ] Unable to import 'augeas') ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/729#issuecomment-298665396
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ Still fails. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298681896
[Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf MartinBasti commented: """ And you also need python[3]-augeas as a Pylint BuildDependency to pass pylint :), sorry I forgot about it. """ See the full comment at https://github.com/freeipa/freeipa/pull/729#issuecomment-298690276
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 9e8e55bb205211637539bf149eb1fa0ed13ff872 Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 2 ++ install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 30 ++ ipaserver/install/server/upgrade.py | 25 + 4 files changed, 70 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ee9a36b..0b5500e 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -359,6 +359,7 @@ Requires: python-dns >= 1.15 Requires: python-kdcproxy >= 0.3 Requires: rpm-libs Requires: pki-base-python2 +Requires: python-augeas %description -n python2-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, @@ -388,6 +389,7 @@ Requires: python3-pyasn1 Requires: python3-dbus Requires: python3-dns >= 1.15 Requires: python3-kdcproxy >= 0.3 +Requires: python3-augeas Requires: rpm-libs Requires: pki-base-python3 diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 7898c53..ab688a8 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +from augeas import Augeas from ipalib.install import certmonger from ipaserver.install import service @@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lns') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF) + +ocsp_comment = aug.get( +'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) +ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) + +if ocsp_dir is None and ocsp_comment is not None: +# Directive is missing, comment is present +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), +'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +elif ocsp_dir is None: +# Directive is missing and comment is missing +aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP") + +aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers =
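Review bot: the freeipa.spec.in hunk adds `python-augeas` / `python3-augeas` as runtime `Requires` only; the pylint run at build time imports `augeas` through `ipaserver/install/httpinstance.py` as well, so a matching `BuildRequires` is needed. The two insertions also land at different positions in otherwise parallel lists (after `pki-base-python2` in one block, between `python3-kdcproxy` and `rpm-libs` in the other); keep them aligned.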
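Review bot: in the `restart_httpd` hunk, `api.bootstrap(...)`, `api.finalize()`, the `CertDB` construction and `db.trust_root_cert(nickname, "P,,")` all run at the top of `_main()` before the `try:` that follows the syslog call, so a failure there (nickname missing from nss.conf, unreadable NSS DB) escapes the script's own error handling. Move that block inside the `try`, and put a comment on the `"P,,"` line stating what only the commit message explains: the trusted-peer flag is what lets httpd start without first reaching the OCSP responder it serves itself, at the cost of never checking the status of its own certificate.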
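Review bot: `enable_mod_nss_ocsp` has three distinct paths (a commented `NSSOCSP` converted to a directive, no `NSSOCSP` at all appended via `directive[last()+1]`, directive already present and only its `arg` rewritten), and the patch adds no test for any of them; parameterizing the config path and running the Augeas edit against a temporary copy of nss.conf for each case would catch regressions in the lens path. Note also that a comment reading exactly `NSSOCSP` with no argument does not match `regexp("NSSOCSP .*")`, so it stays in place and a second, active directive is appended below it.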
[Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf pvomacka commented: """ Hello @flo-renaud, thank you for testing this. Hello @MartinBasti, thank you for the review. I just fixed that. """ See the full comment at https://github.com/freeipa/freeipa/pull/729#issuecomment-298668970
[Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively.
URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 From 6210297824b61c20e3ca70dff3c48ffd47aee29e Mon Sep 17 00:00:00 2001 From: felipe barretoDate: Wed, 26 Apr 2017 11:08:35 -0300 Subject: [PATCH 1/2] Fixing the cert-request comparing whole email address case-sensitively. Now, the cert-request command compares the domain part of the email case-insensitively. https://pagure.io/freeipa/issue/5919 --- ipaserver/plugins/cert.py| 20 +++- ipatests/test_xmlrpc/test_cert_plugin.py | 25 + 2 files changed, 44 insertions(+), 1 deletion(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 9f90107..a0b2b83 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -705,7 +705,8 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): # fail if any email addr from DN does not appear in ldap entry email_addrs = csr_obj.subject.get_attributes_for_oid( cryptography.x509.oid.NameOID.EMAIL_ADDRESS) -if len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0: +if not _emails_are_valid(email_addrs, + principal_obj.get('mail', [])): raise errors.ValidationError( name='csr', error=_( 
@@ -860,6 +861,23 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): ) +def _emails_are_valid(cert_emails, principal_emails): +""" +Checks if any email addr from DN does not appear in ldap entry, +comparing the domain part case-insensitively. +""" + +def lower_domain(email): +return email.split('@')[0] + '@' + email.split('@')[1].lower() + +principal_emails_lower = [lower_domain(email) for email in principal_emails] + +email_addrs = [attr.value for attr in cert_emails] +cert_emails_lower = [lower_domain(email) for email in email_addrs] + +return not any(set(cert_emails_lower) - set(principal_emails_lower)) + + def principal_to_principal_type(principal): if principal.is_user: return USER diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py index 0b8277b..cd8ee7b 100644 --- a/ipatests/test_xmlrpc/test_cert_plugin.py +++ b/ipatests/test_xmlrpc/test_cert_plugin.py @@ -253,6 +253,31 @@ def test_00010_cleanup(self): res = api.Command['service_find'](self.service_princ) assert res['count'] == 0 +def test_00011_email_are_valid(self): +from ipaserver.plugins.cert import _emails_are_valid +from collections import namedtuple +NameAttribute = namedtuple('NameAttribute', 'value') + +cert = [NameAttribute(u'a...@email.com')] +result = _emails_are_valid(cert, [u'a...@email.com']) +assert True == result, result + +cert = [NameAttribute(u'a...@email.com')] +result = _emails_are_valid(cert, [u'a...@email.com', u'anot...@email.com']) +assert True == result, result + +cert = [NameAttribute(u'a...@email.com'), NameAttribute('anot...@email.com')] +result = _emails_are_valid(cert, [u'a...@email.com']) +assert False == result, result + +result = _emails_are_valid([], [u'a...@email.com']) +assert True == result, result + +cert = [NameAttribute(u'a...@email.com')] +result = _emails_are_valid(cert, []) +assert False == result, result + + @pytest.mark.tier1 class test_cert_find(XMLRPC_test): 
From 943a287a71384e10d2f13e8402907f0d3d10a085 Mon Sep 17 00:00:00 2001 From: felipe barreto Date: Tue, 2 May 2017 12:29:46 -0300 Subject: [PATCH 2/2] Checking the emails in SAN extension --- ipaserver/plugins/cert.py| 31 --- ipatests/test_xmlrpc/test_cert_plugin.py | 28 +--- 2 files changed, 37 insertions(+), 22 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index a0b2b83..88cf6d4 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -705,7 +705,11 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): # fail if any email addr from DN does not appear in ldap entry email_addrs = csr_obj.subject.get_attributes_for_oid( cryptography.x509.oid.NameOID.EMAIL_ADDRESS) -if not _emails_are_valid(email_addrs, + +san_email_addrs = csr_obj.extensions.get_extension_for_oid( +cryptography.x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME) + +if
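Review bot: in the cert.py hunk at @@ -705 of [PATCH 1/2], `principal_obj.get('mail', [])` is still called unconditionally (as it was on the removed line), while the RFC822Name branch quoted later in this thread guards with `if principal_obj and ...`; either confirm `principal_obj` cannot be None on this path or add the same guard here, since an AttributeError would surface as an internal error rather than a ValidationError for the requester.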
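Review bot: in the `_emails_are_valid` hunk at @@ -860 of [PATCH 1/2], `lower_domain` does `email.split('@')[1]` with no guard, so a Subject emailAddress without an '@' (requester-controlled CSR input) raises IndexError instead of a ValidationError, and a value with two '@' keeps only the middle segment; use `local, sep, domain = email.rpartition('@')` and reject the address when `sep` is empty. The docstring also states the inverse of the return value ("Checks if any email addr from DN does not appear in ldap entry" for a function that returns True when they all appear); `return set(cert_emails_lower) <= set(principal_emails_lower)` expresses the intent more directly than `not any(set(...) - set(...))`.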
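Review bot: in the test_cert_plugin.py hunk at @@ -253 of [PATCH 1/2], none of the five cases exercises what the commit message adds: every address on both sides is lower-case `@email.com`, so `test_00011_email_are_valid` would pass against the old case-sensitive comparison as well. Add a case with a differing-case domain (expected True) and one with a differing-case local part (expected False, since only the domain is lowered). Style: `assert result is True` / `assert result is False` rather than `True == result`, and the one bare `'anot...@email.com'` literal should be a `u''` string like its neighbours for py2.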
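Review bot: in the cert.py hunk at @@ -705 of [PATCH 2/2], `csr_obj.extensions.get_extension_for_oid(...)` raises `cryptography.x509.ExtensionNotFound` when the CSR carries no SAN extension, which is the common case for a Subject-only CSR; wrap it in try/except and fall back to an empty list. The name `san_email_addrs` is also misleading as assigned: the call returns the `Extension` object, and the rfc822Name values come from `.value.get_values_for_type(cryptography.x509.RFC822Name)`. The hunk is cut off after `+if` in the archive, so the comparison that follows cannot be reviewed here.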
[Freeipa-devel] [freeipa PR#741][+ack] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Title: #741: 6.9 -> 7.4 migration fixes Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#671][comment] Slim down dependencies
URL: https://github.com/freeipa/freeipa/pull/671 Title: #671: Slim down dependencies MartinBasti commented: """
Due to missing jinja, tox tests failed
```
ERROR: py27: commands failed
ERROR: py35: commands failed
ERROR: py36: commands failed
ERROR: pylint2: commands failed
ERROR: pylint3: commands failed
```
Tests
```
ImportError while importing test module '/tmp/freeipa/.tox/py36/lib/python3.6/site-packages/ipatests/test_ipaclient/test_csrgen.py'.
Hint: make sure your test modules/packages have valid Python names.
Traceback:
test_ipaclient/test_csrgen.py:8: in
    from ipaclient import csrgen
../ipaclient/csrgen.py:23: in
    import jinja2
E   ModuleNotFoundError: No module named 'jinja2'
```
pylint
```
* Module ipaclient.csrgen
lib/python3.5/site-packages/ipaclient/csrgen.py:23: [E0401(import-error), ] Unable to import 'jinja2')
lib/python3.5/site-packages/ipaclient/csrgen.py:24: [E0401(import-error), ] Unable to import 'jinja2.ext')
lib/python3.5/site-packages/ipaclient/csrgen.py:25: [E0401(import-error), ] Unable to import 'jinja2.sandbox')
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/671#issuecomment-298675008 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively.
URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 From 6210297824b61c20e3ca70dff3c48ffd47aee29e Mon Sep 17 00:00:00 2001 From: felipe barretoDate: Wed, 26 Apr 2017 11:08:35 -0300 Subject: [PATCH 1/3] Fixing the cert-request comparing whole email address case-sensitively. Now, the cert-request command compares the domain part of the email case-insensitively. https://pagure.io/freeipa/issue/5919 --- ipaserver/plugins/cert.py| 20 +++- ipatests/test_xmlrpc/test_cert_plugin.py | 25 + 2 files changed, 44 insertions(+), 1 deletion(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 9f90107..a0b2b83 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -705,7 +705,8 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): # fail if any email addr from DN does not appear in ldap entry email_addrs = csr_obj.subject.get_attributes_for_oid( cryptography.x509.oid.NameOID.EMAIL_ADDRESS) -if len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0: +if not _emails_are_valid(email_addrs, + principal_obj.get('mail', [])): raise errors.ValidationError( name='csr', error=_( 
@@ -860,6 +861,23 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): ) +def _emails_are_valid(cert_emails, principal_emails): +""" +Checks if any email addr from DN does not appear in ldap entry, +comparing the domain part case-insensitively. +""" + +def lower_domain(email): +return email.split('@')[0] + '@' + email.split('@')[1].lower() + +principal_emails_lower = [lower_domain(email) for email in principal_emails] + +email_addrs = [attr.value for attr in cert_emails] +cert_emails_lower = [lower_domain(email) for email in email_addrs] + +return not any(set(cert_emails_lower) - set(principal_emails_lower)) + + def principal_to_principal_type(principal): if principal.is_user: return USER diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py index 0b8277b..cd8ee7b 100644 --- a/ipatests/test_xmlrpc/test_cert_plugin.py +++ b/ipatests/test_xmlrpc/test_cert_plugin.py @@ -253,6 +253,31 @@ def test_00010_cleanup(self): res = api.Command['service_find'](self.service_princ) assert res['count'] == 0 +def test_00011_email_are_valid(self): +from ipaserver.plugins.cert import _emails_are_valid +from collections import namedtuple +NameAttribute = namedtuple('NameAttribute', 'value') + +cert = [NameAttribute(u'a...@email.com')] +result = _emails_are_valid(cert, [u'a...@email.com']) +assert True == result, result + +cert = [NameAttribute(u'a...@email.com')] +result = _emails_are_valid(cert, [u'a...@email.com', u'anot...@email.com']) +assert True == result, result + +cert = [NameAttribute(u'a...@email.com'), NameAttribute('anot...@email.com')] +result = _emails_are_valid(cert, [u'a...@email.com']) +assert False == result, result + +result = _emails_are_valid([], [u'a...@email.com']) +assert True == result, result + +cert = [NameAttribute(u'a...@email.com')] +result = _emails_are_valid(cert, []) +assert False == result, result + + @pytest.mark.tier1 class test_cert_find(XMLRPC_test): 
From 943a287a71384e10d2f13e8402907f0d3d10a085 Mon Sep 17 00:00:00 2001 From: felipe barreto Date: Tue, 2 May 2017 12:29:46 -0300 Subject: [PATCH 2/3] Checking the emails in SAN extension --- ipaserver/plugins/cert.py| 31 --- ipatests/test_xmlrpc/test_cert_plugin.py | 28 +--- 2 files changed, 37 insertions(+), 22 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index a0b2b83..88cf6d4 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -705,7 +705,11 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): # fail if any email addr from DN does not appear in ldap entry email_addrs = csr_obj.subject.get_attributes_for_oid( cryptography.x509.oid.NameOID.EMAIL_ADDRESS) -if not _emails_are_valid(email_addrs, + +san_email_addrs = csr_obj.extensions.get_extension_for_oid( +cryptography.x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME) + +if
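Review bot: in the cert.py hunk at @@ -705 of [PATCH 1/3], `principal_obj.get('mail', [])` is still called unconditionally (as it was on the removed line), while the RFC822Name branch quoted later in this thread guards with `if principal_obj and ...`; either confirm `principal_obj` cannot be None on this path or add the same guard here, since an AttributeError would surface as an internal error rather than a ValidationError for the requester.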
[Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Title: #741: 6.9 -> 7.4 migration fixes MartinBasti commented: """
master:
* 0d406fcb784924bfe685729f3156efb8c902b947 Refresh Dogtag RestClient.ca_host property
* 92313c9e9d37733feb79d1b1c825178f48d6c69c Remove the cachedproperty class

ipa-4-5:
* 32981a0f9d0ff699e3d16da8f5a37c112871ba3a Refresh Dogtag RestClient.ca_host property
* 9de343987e6d76d2edeba372c73c1060657aef59 Remove the cachedproperty class
""" See the full comment at https://github.com/freeipa/freeipa/pull/741#issuecomment-298671871 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#741][closed] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: 6.9 -> 7.4 migration fixes Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#741][+pushed] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Title: #741: 6.9 -> 7.4 migration fixes Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#736][comment] Fixing the cert-request command comparing whole email address case-sensitively.
URL: https://github.com/freeipa/freeipa/pull/736 Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. felipevolpone commented: """
@frasertweedale I did the check in the SAN extension. However, I'm not sure if these are valid situations:

Case 1)
The principal email is a...@email.com
The email in the certificate is b...@email.com
The emails in the SAN extension are: a...@email.com, c...@email.com

or this:

Case 2)
The principal email is a...@email.com
The emails in the certificate are b...@email.com, a...@email.com
The email in the SAN extension is: c...@email.com

If case 1 is valid, the check in line 799 (below) is not right, because it expects that all emails in the SAN extension are in the principal.
```python
elif isinstance(gn, cryptography.x509.general_name.RFC822Name):
    if principal_type == USER:
        if principal_obj and gn.value not in principal_obj.get(
                'mail', []):
            raise errors.ValidationError(
                name='csr',
                error=_(
                    "RFC822Name does not match "
                    "any of user's email addresses")
            )
    else:
        raise errors.ValidationError(
            name='csr',
            error=_(
                "subject alt name type %s is forbidden "
                "for non-user principals") % "RFC822Name"
        )
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/736#issuecomment-298673966 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
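An added example, not FreeIPA's code and not part of this PR, of the ownership check the thread is discussing: every e-mail address the CSR claims, whether as a Subject emailAddress or as a SAN rfc822Name, must match one of the requesting principal's mail values, with the domain compared case-insensitively and the local part case-sensitively. Treating the two lists the same way (so that both case 1 and case 2 above are rejected) is my assumption about the policy, not something the thread settles. All function names (`split_email`, `normalize_email`, `principal_address_set`, `emails_not_owned`, `csr_emails_are_valid`) and the sample addresses are constructed for the example; the inputs are the plain strings a caller would already have pulled out of the CSR and the principal's `mail` attribute, so it runs without cryptography or an LDAP server.

```python
# Added example, not FreeIPA code: the ownership check discussed in this thread,
# applied to the union of the CSR's Subject emailAddress values and its SAN
# rfc822Name values. Domain part case-insensitive, local part case-sensitive,
# malformed requester-supplied values rejected instead of raising IndexError.
from typing import Iterable, List, Set, Tuple


class InvalidEmail(ValueError):
    """A value that is not exactly local@domain with both parts non-empty."""


def split_email(value: str) -> Tuple[str, str]:
    """Split local@domain. Rejects zero or several '@' and empty parts, so a
    CSR attribute such as 'alice' or 'a@b@c' is refused rather than
    half-parsed (split('@')[1] would crash on the first and silently drop
    '@c' on the second)."""
    local, sep, domain = value.partition("@")
    if not sep or not local or not domain or "@" in domain:
        raise InvalidEmail(value)
    return local, domain


def normalize_email(value: str) -> str:
    """Canonical form used for comparison: local part untouched (RFC 5321
    allows it to be case-sensitive), domain lower-cased (DNS labels are
    case-insensitive)."""
    local, domain = split_email(value.strip())
    return local + "@" + domain.lower()


def principal_address_set(principal_emails: Iterable[str]) -> Set[str]:
    """Normalised mail attribute values of the requesting principal. A
    malformed LDAP value can never match, so it is skipped rather than
    turning every cert-request for that user into an error."""
    owned = set()
    for value in principal_emails:
        try:
            owned.add(normalize_email(value))
        except InvalidEmail:
            continue
    return owned


def emails_not_owned(cert_emails: Iterable[str],
                     principal_emails: Iterable[str]) -> List[str]:
    """CSR addresses that match none of the principal's addresses. An empty
    list means every requested address is owned. Raises InvalidEmail for a
    malformed CSR address; the caller maps that to a validation error."""
    owned = principal_address_set(principal_emails)
    requested = {normalize_email(e) for e in cert_emails}
    return sorted(requested - owned)


def csr_emails_are_valid(subject_emails: Iterable[str], san_emails: Iterable[str],
                         principal_emails: Iterable[str]) -> bool:
    """Policy assumed here (one answer to the two cases asked about above):
    an address in the Subject DN and an address in the SAN extension are
    both claims that the certificate speaks for that mailbox, so both lists
    must be subsets of the principal's mail attribute. Cases 1 and 2 from
    the comment are therefore both rejected."""
    try:
        return not emails_not_owned(list(subject_emails) + list(san_emails),
                                    principal_emails)
    except InvalidEmail:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, standing in for the values a caller would pull
    # out of a CSR with cryptography (Subject EMAIL_ADDRESS attributes and the
    # SAN extension's RFC822Name values) and the principal's 'mail' attribute.
    principal = ["alice@example.com"]
    print(csr_emails_are_valid(["alice@EXAMPLE.COM"], [], principal))
    print(csr_emails_are_valid(["bob@example.com"],
                               ["alice@example.com", "carol@example.com"],
                               principal))
```

`emails_not_owned` is kept separate from the boolean wrapper so that the ValidationError message can name the offending address rather than just saying the CSR was rejected; the malformed-value handling is deliberately asymmetric, failing closed for requester input and skipping bad directory data.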
[Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf MartinBasti commented: """ And you also need to add it in `ipaserver/setup.py` as dependency for our PyPI packages """ See the full comment at https://github.com/freeipa/freeipa/pull/729#issuecomment-298691022 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code