[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-05-02 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
Can you please attach more of the logs before the failure ?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-298734189
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#752][opened] upgrade: add missing DN suffix when enabling KDC proxy

2017-05-02 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/752
Author: tomaskrizek
 Title: #752: upgrade: add missing DN suffix when enabling KDC proxy
Action: opened

PR body:
"""
This issue prevented upgrading from IPA 4.1.

I also discovered a missing Python dependency when I was running the 
ipa-server-upgrade manually. For packagers: the Python version that has the 
required symbols in CentOS is 2.7.5-24.

https://pagure.io/freeipa/issue/6920
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/752/head:pr752
git checkout pr752
From cb3052b148ebab0898bc7597d1c3bdb354733d86 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 2 May 2017 18:32:34 +0200
Subject: [PATCH 1/3] python2-ipalib: add missing python dependency

Commit dfd560a190cb2ab13f34ed9e21c5fb5c6e793f18 started to use
ssl symbols like ssl.OP_NO_SSLv2 that were introduced in Python 2.7.9.

Related https://pagure.io/freeipa/issue/6920
---
 freeipa.spec.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ee9a36b..56c3f27 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -643,6 +643,7 @@ Requires: python-gssapi >= 1.2.0
 Requires: gnupg
 Requires: keyutils
 Requires: pyOpenSSL
+Requires: python >= 2.7.9
 Requires: python-cryptography >= 1.6
 Requires: python-netaddr >= %{python_netaddr_version}
 Requires: python-libipa_hbac
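Review bot: the added `Requires: python >= 2.7.9` contradicts the PR description, which says the CentOS Python carrying the needed ssl symbols (ssl.OP_NO_SSLv2) is 2.7.5-24; a hard floor of 2.7.9 would make the package uninstallable on that CentOS build even though the code works there. Consider a distribution-conditional requirement (the backported release on CentOS, 2.7.9 elsewhere) and a spec comment explaining why the floor exists, so packagers do not have to rediscover this.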

From 213e25135f92d8d088e48e9cf4c5c29bd558c52d Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 2 May 2017 18:42:13 +0200
Subject: [PATCH 2/3] installer service: fix typo in service entry

The typo would result in incorrect resolution of existing keys and
their existence wasn't properly logged as intended.

Related https://pagure.io/freeipa/issue/6920
---
 ipaserver/install/service.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 6b5e69c..1aa49ed 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -181,7 +181,7 @@ def set_service_entry_config(name, fqdn, config_values,
 except errors.NotFound:
 pass
 else:
-existing_values = entry.get('ipaConnfigString', [])
+existing_values = entry.get('ipaConfigString', [])
 for value in config_values:
 if case_insensitive_attr_has_value(existing_values, value):
 root_logger.debug(
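Review bot: the fix at `existing_values = entry.get('ipaConfigString', [])` is right, but note why it went unnoticed: the misspelled attribute name returned the `[]` default instead of raising, so `case_insensitive_attr_has_value` never matched and the debug message below never fired. A unit test that calls set_service_entry_config on an entry that already carries the ipaConfigString values and asserts that the no-op branch is taken would keep this from regressing.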

From 74ef58e75cae5beb2dd8786c01e4a04f2fe8f5f6 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 2 May 2017 19:26:04 +0200
Subject: [PATCH 3/3] upgrade: add missing suffix to http instance

During an upgrade, http.suffix is used to identify the LDAP entry when
configuring the KDC proxy. When the suffix is missing, the script crashed
when enabling the KDC proxy, because it used an invalid DN.

Fixes https://pagure.io/freeipa/issue/6920
---
 ipaserver/install/server/upgrade.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0f27428..dddec41 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1630,6 +1630,7 @@ def upgrade_configuration():
 http = httpinstance.HTTPInstance(fstore)
 http.fqdn = fqdn
 http.realm = api.env.realm
+http.suffix = ipautil.realm_to_suffix(api.env.realm)
 http.configure_selinux_for_httpd()
 http.change_mod_nss_port_from_http()
 
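Review bot: `http.suffix = ipautil.realm_to_suffix(api.env.realm)` fixes this call site, but fqdn, realm and now suffix are all filled in by hand on the freshly constructed HTTPInstance, and the crash shows how easy it is to leave one out; consider having HTTPInstance derive suffix from realm itself, or asserting that suffix is set before the KDC proxy step runs, so other callers cannot build the same invalid DN.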

[Freeipa-devel] [freeipa PR#753][opened] Check CA status: add HTTP timeout

2017-05-02 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/753
Author: MartinBasti
 Title: #753: Check CA status: add HTTP timeout
Action: opened

PR body:
"""
https://pagure.io/freeipa/issue/6766
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/753/head:pr753
git checkout pr753
From 1c0d760de5b882c819d96ef0ce791fe7557208b4 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 2 May 2017 19:24:16 +0200
Subject: [PATCH 1/2] http_request: add timeout option

httplib.HTTPConnection supports a timeout option, so _httplib_request can
be updated to allow passing connection keyword arguments to
connection_factory.

We need a connection timeout for cases when the reply from the server is not
received in time, so that we can ask again rather than wait forever.

https://pagure.io/freeipa/issue/6766
---
 ipapython/dogtag.py | 20 
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 48232a9..21d58a9 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -163,9 +163,10 @@ def connection_factory(host, port):
 method=method, headers=headers)
 
 
-def http_request(host, port, url, **kw):
+def http_request(host, port, url, timeout=None, **kw):
 """
 :param url: The path (not complete URL!) to post to.
+:param timeout: Timeout in seconds for waiting for reply.
 :param kw: Keyword arguments to encode into POST body.
 :return:   (http_status, http_headers, http_body)
 as (integer, dict, str)
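Review bot: making `timeout` a named parameter of http_request means a POST field literally called `timeout` can no longer be passed through `**kw`; that is acceptable, but the new `:param timeout:` docstring should say what the value actually is: the socket timeout httplib.HTTPConnection applies to the connect and to each blocking read, not an upper bound on the whole request, so callers do not assume a 30 s ceiling on total elapsed time.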
@@ -173,21 +174,32 @@ def http_request(host, port, url, **kw):
 Perform an HTTP request.
 """
 body = urlencode(kw)
+if timeout is None:
+conn_opt = {}
+else:
+conn_opt = {"timeout": timeout}
+
 return _httplib_request(
-'http', host, port, url, httplib.HTTPConnection, body)
+'http', host, port, url, httplib.HTTPConnection, body,
+connection_options=conn_opt)
 
 
 def _httplib_request(
 protocol, host, port, path, connection_factory, request_body,
-method='POST', headers=None):
+method='POST', headers=None, connection_options=None):
 """
 :param request_body: Request body
 :param connection_factory: Connection class to use. Will be called
 with the host and port arguments.
 :param method: HTTP request method (default: 'POST')
+:param connection_options: a dictionary that will be passed to
+connection_factory as keyword arguments.
 
 Perform a HTTP(s) request.
 """
+if connection_options is None:
+connection_options = {}
+
 uri = u'%s://%s%s' % (protocol, ipautil.format_netloc(host, port), path)
 root_logger.debug('request %s %s', method, uri)
 root_logger.debug('request body %r', request_body)
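Review bot: the `if timeout is None: conn_opt = {}` branch is needed rather than cosmetic, because httplib.HTTPConnection(timeout=None) disables the socket timeout entirely whereas omitting the argument keeps the global default; a one-line comment saying so would stop a later cleanup from collapsing it into `{'timeout': timeout}`. The `connection_options=None` default with the `if connection_options is None` guard in _httplib_request follows the same pattern and is correct.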
@@ -200,7 +212,7 @@ def _httplib_request(
 headers['content-type'] = 'application/x-www-form-urlencoded'
 
 try:
-conn = connection_factory(host, port)
+conn = connection_factory(host, port, **connection_options)
 conn.request(method, uri, body=request_body, headers=headers)
 res = conn.getresponse()
 
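Review bot: `connection_factory(host, port, **connection_options)` forwards the options to whatever factory the caller supplies, so the docstring for connection_factory ("Will be called with the host and port arguments") should now state that the class must accept those keyword arguments as well. Also worth confirming that the except clause following this try (not in the hunk) handles socket.timeout, which is what an expired timeout raises here; otherwise the caller never gets the chance to "ask again" that the commit message intends.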

From 278e6a1bc39ba1f73bcb238acf4b5030645802ba Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 2 May 2017 19:52:13 +0200
Subject: [PATCH 2/2] ca_status: add HTTP timeout 30 seconds

The CA sometimes "forgot to answer", so we have to add a timeout for the HTTP
connection and ask again rather than wait forever.

https://pagure.io/freeipa/issue/6766
---
 ipalib/constants.py | 3 +++
 ipapython/dogtag.py | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index e604bb4..e719fa0 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -171,6 +171,9 @@
 ('ca_install_port', None),
 ('ca_agent_install_port', None),
 ('ca_ee_install_port', None),
+# How long http connection should wait before trying again [seconds].
+# Do not mistake with "startup_timeout"
+('ca_status_http_timeout', 30),
 
 # Topology plugin
 ('recommended_max_agmts', 4),  # Recommended maximum number of replication
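Review bot: the comment "How long http connection should wait before trying again" describes behaviour this constant does not provide on its own: the value is only the per-connection socket timeout, and retrying is up to the caller. Suggest wording it as the HTTP timeout in seconds for a single ca_status request, keeping the useful "Do not mistake with startup_timeout" remark.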
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 21d58a9..0c542d8 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -123,7 +123,9 @@ def ca_status(ca_host=None):
 if ca_host is None:
 ca_host = api.env.ca_host
 status, _headers, body = http_request(
-ca_host, 8080, '/ca/admin/ca/getStatus')
+ca_host, 8080, '/ca/admin/ca/getStatus',
+# timeout: CA sometimes forgot to answer, we have to try again
+timeout=api.env.ca_status_http_timeout)
 if status == 503:
 # Service temporarily unavailable
 return status
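Review bot: with the timeout in place an unresponsive CA makes http_request raise socket.timeout instead of blocking, but ca_status itself only handles HTTP status codes (the `if status == 503` branch); either catch the timeout here and return a status the polling loop treats as "not ready yet", or check that the loop calling ca_status already catches it, otherwise the install aborts with a traceback instead of asking again. The inline comment should also read "forgets to answer".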

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-05-02 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

stlaz commented:
"""
I was expecting some action about my previous comment:

> Fails with
>  2017-04-12T14:16:14Z DEBUG The ipa-replica-install command failed, 
> exception: ValueError: Incorrect number of results (0) searching forpublic 
> key for 
> host/vm-225.abc.idm.lab.eng.brq.redhat@dom-096.abc.idm.lab.eng.brq.redhat.com
> on first replica, every try.

I did not see any change in code to fix this but I can try again.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-298534740

[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf

2017-05-02 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729
From 3c994f38a5dad38b89c57ecce0558059d4d39e65 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf

Turn on the NSSOCSP directive during install/replica install/upgrade.
This checks, using OCSP, whether the certificate used for login has
been revoked or not.

Marks the server cert in the httpd NSS DB as a trusted peer ('P,,')
to avoid a chicken-and-egg problem when the OCSP responder needs to be
contacted while httpd is starting.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in   |  1 +
 install/restart_scripts/restart_httpd | 14 +-
 ipaserver/install/httpinstance.py | 30 ++
 ipaserver/install/server/upgrade.py   | 24 
 4 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ee9a36b..24fc838 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -314,6 +314,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
+Requires: python-augeas
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
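Review bot: `Requires: python-augeas` is added to the server package, but the module that imports augeas is ipaserver/install/httpinstance.py, which the diffstat shows living in the Python ipaserver tree; the requirement belongs with whichever subpackage ships that module (with a python3 counterpart if that subpackage is also built for python3), otherwise importing httpinstance can fail wherever only the Python package is installed.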
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..b661b82 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,23 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+api.finalize()
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+# Add trust flag which set certificate trusted for SSL connections.
+db.trust_root_cert(nickname, "P,,")
+
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
 try:
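Review bot: the new api.bootstrap()/CertDB/trust_root_cert block sits before the `try:` that wraps the rest of _main, so any failure there (IPA not configured, NSSNickname directive absent from nss.conf, NSS DB error) raises out of the restart script uncaught and httpd is never restarted; move it inside the try so the existing error handling and syslog reporting cover it, and decide explicitly whether failing to set the trust flag should block the restart. The comment should also read "Add trust flag which sets the certificate as trusted for SSL connections."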
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7898c53..72488cc 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+from augeas import Augeas
 
 from ipalib.install import certmonger
 from ipaserver.install import service
@@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
   self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self.request_service_keytab)
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+def enable_mod_nss_ocsp(self):
+aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
+
+aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')
+aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
+aug.load()
+
+path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost')
+
+ocsp_comment = aug.get(
+'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path))
+ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path))
+
+if ocsp_dir is None and ocsp_comment is not None:
+# Directive is missing, comment is present
+aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path),
+'NSSOCSP')
+aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
+elif ocsp_dir is None:
+# Directive is missing and comment is missing
+aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP")
+
+aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
+aug.save()
+
 def set_mod_nss_cipher_suite(self):
 ciphers = ','.join(NSS_CIPHER_SUITE)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
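Review bot: `os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost')` depends on `os` being imported in this module (the import hunk only adds Augeas) and on the path being absolute; `'/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF)` is simpler and needs neither. Separately, both lookups match `NSSOCSP` case-sensitively while Apache treats directive names case-insensitively, so a config containing `nssocsp off` is not found and a second directive is appended; and a failing `aug.save()` raises IOError from python-augeas, which will surface as a bare traceback in this install step unless it is caught and reported with the file name.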
@@ -351,6 +378,7 @@ def __setup_ssl(self):
   create=True)
 

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-05-02 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

pvoborni commented:
"""
What is this PR waiting for?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-298530908

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-05-02 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
Turned out my master had some more relaxed permissions I added when developing 
the feature.
I now have added a new function to just check for the host keys without asking 
for data that cannot be read with the identity we have available.
This has been tested and seems to work correctly.
Please check @stlaz 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-298767350

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-05-02 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
Never mind, I finally reproduced.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-298750030

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-05-02 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
@stlaz just FYI, I am asking this info because I cannot reproduce locally with a 
single replica.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-298748943

[Freeipa-devel] [freeipa PR#751][comment] ipa-client-install: remove extra space in pkinit_anchors definition

2017-05-02 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/751
Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition

abbra commented:
"""
LGTM.

For the record, this is broken since cf1c4e84e74ea15fe5cf7219872cf131bd53281e, 
which is in the 4.5.0 release. So we need to backport this to the 4.5 branch.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/751#issuecomment-298587034

[Freeipa-devel] [freeipa PR#751][+ack] ipa-client-install: remove extra space in pkinit_anchors definition

2017-05-02 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/751
Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition

Label: +ack

[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf

2017-05-02 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729
From 91565422833deab89b378bb40df2bf19e9cb2209 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf

Turn on the NSSOCSP directive during install/replica install/upgrade.
This checks, using OCSP, whether the certificate used for login has
been revoked or not.

Marks the server cert in the httpd NSS DB as a trusted peer ('P,,')
to avoid a chicken-and-egg problem when the OCSP responder needs to be
contacted while httpd is starting.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in   |  1 +
 install/restart_scripts/restart_httpd | 14 +-
 ipaserver/install/httpinstance.py | 30 ++
 ipaserver/install/server/upgrade.py   | 25 +
 4 files changed, 69 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ee9a36b..24fc838 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -314,6 +314,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
+Requires: python-augeas
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..b661b82 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,23 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+api.finalize()
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+# Add trust flag which set certificate trusted for SSL connections.
+db.trust_root_cert(nickname, "P,,")
+
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
 try:
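Review bot: `db.trust_root_cert(nickname, "P,,")` is applied to the httpd server certificate, not to a root, so the helper name is misleading at this call site and the effect deserves a comment: the "P" flag tells NSS to trust this one certificate as a peer without building and validating its chain, which is how, per the commit message, it sidesteps the OCSP lookup during httpd startup. It is also worth stating that the flag is re-applied on every certmonger-triggered restart, which is the desired behaviour after a renewal replaces the cert.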
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7898c53..ab688a8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+from augeas import Augeas
 
 from ipalib.install import certmonger
 from ipaserver.install import service
@@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
   self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self.request_service_keytab)
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+def enable_mod_nss_ocsp(self):
+aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
+
+aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')
+aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
+aug.load()
+
+path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF)
+
+ocsp_comment = aug.get(
+'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path))
+ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path))
+
+if ocsp_dir is None and ocsp_comment is not None:
+# Directive is missing, comment is present
+aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path),
+'NSSOCSP')
+aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
+elif ocsp_dir is None:
+# Directive is missing and comment is missing
+aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP")
+
+aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
+aug.save()
+
 def set_mod_nss_cipher_suite(self):
 ciphers = ','.join(NSS_CIPHER_SUITE)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
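Review bot: the path expression `#comment[.=~regexp("NSSOCSP .*")]` can match more than one node (a commented-out directive plus a descriptive comment that mentions "NSSOCSP on", for example), and aug.set() on a multi-match path raises from python-augeas, so the install step would fail on such a file; select `[1]` explicitly or count the matches with aug.match() before rewriting. The `'/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF)` path is an improvement over the earlier os.path.join form.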
@@ -351,6 +378,7 @@ def __setup_ssl(self):
   create=True)
 

Re: [Freeipa-devel] "blocker" tag for pull request

2017-05-02 Thread Standa Laznicka

On 04/28/2017 02:41 PM, Martin Bašti wrote:
On 28.04.2017 14:17, Tomas Krizek wrote:

On 04/28/2017 10:15 AM, Petr Vobornik wrote:

Hi all,

I created "blocker" tag for FreeIPA Git Hub PRs.

It should be used to mark PRs which solve a test blocker or other
functional blockers - e.g. blocks creation of demo. I.e. it should be
used rather rarely.

I don't like the tag name, but I couldn't find a better one.

I think we could use the name "high-priority". It could have other uses
besides marking a blocker, e.g. requesting prompt execution of tests in
PR CI.

Sounds good, or maybe "prioritized"; IMHO the word "blocker" is overused.


Note: blocker priority in pagure doesn't imply blocker tag in PR. But
testblocker tag in pagure does. Actually I'm thinking about changing
Pagure priority names to: "highest, high, medium, low, patchwelcome"


+1, but I'd prefer "critical" instead of "highest"
+1 for critical

pyldap uses "help wanted" instead of "patchwelcome"; it sounds better to 
me. I'd use it as a separate tag instead of a priority. Even highly 
prioritized issues can be done by contributors in an early phase of 
development if they are easy enough.


Martin^2
--
Martin Bašti
Software Engineer
Red Hat Czech
+1 for critical;

+1 for "help wanted", reasons:

- "patchwelcome" sounds strange, and strange is an understatement here 
(also, are you afraid of 2 word tags?)


- "help wanted" is much more humble, "patches welcome" is a common cry 
when you just don't care enough to fix it yourself, and I don't believe 
that's the message we want to be sending outside



[Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes

2017-05-02 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/741
Author: stlaz
 Title: #741: 6.9 -> 7.4 migration fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/741/head:pr741
git checkout pr741
From 169dea79ade3283c25821fef3c4a6062ec6aef6d Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 27 Apr 2017 12:51:30 +0200
Subject: [PATCH 1/2] Refresh Dogtag RestClient.ca_host property

Refresh the ca_host property of Dogtag's RestClient class when
it's requested as a context manager.

This solves a problem which would occur on DL0 when installing a
CA against an old master which does not have port 8443 accessible.
The setup tries to update the cert profiles via this port but
fails. This operation should be performed against the local instance
anyway.

https://pagure.io/freeipa/issue/6878
---
 ipaserver/plugins/dogtag.py | 30 ++
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 3997531..bddaab5 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1202,7 +1202,6 @@ def select_any_master(ldap2, service='CA'):
 import random
 from ipaserver.plugins import rabase
 from ipalib.constants import TYPE_ERROR
-from ipalib.util import cachedproperty
 from ipalib import _
 from ipaplatform.paths import paths
 
@@ -1250,34 +1249,41 @@ def __init__(self, api):
 self.client_keyfile = paths.RA_AGENT_KEY
 super(RestClient, self).__init__(api)
 
+self._ca_host = None
 # session cookie
 self.override_port = None
 self.cookie = None
 
-@cachedproperty
+@property
 def ca_host(self):
 """
-:return:   host
-   as str
+:returns: FQDN of a host hopefully providing a CA service
 
-Select our CA host.
+Select our CA host, cache it for the first time.
 """
+if self._ca_host is not None:
+return self._ca_host
+
 ldap2 = self.api.Backend.ldap2
 if host_has_service(api.env.ca_host, ldap2, "CA"):
-return api.env.ca_host
-if api.env.host != api.env.ca_host:
+object.__setattr__(self, '_ca_host', api.env.ca_host)
+elif api.env.host != api.env.ca_host:
 if host_has_service(api.env.host, ldap2, "CA"):
-return api.env.host
-host = select_any_master(ldap2)
-if host:
-return host
+object.__setattr__(self, '_ca_host', api.env.host)
 else:
-return api.env.ca_host
+object.__setattr__(self, '_ca_host', select_any_master(ldap2))
+if self._ca_host is None:
+object.__setattr__(self, '_ca_host', api.env.ca_host)
+return self._ca_host
 
 def __enter__(self):
 """Log into the REST API"""
 if self.cookie is not None:
 return
+
+# Refresh the ca_host property
+object.__setattr__(self, '_ca_host', None)
+
 status, resp_headers, _resp_body = dogtag.https_request(
 self.ca_host, self.override_port or self.env.ca_agent_port,
 url='/ca/rest/account/login',
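Review bot: the property writes the cache with `object.__setattr__(self, '_ca_host', ...)` while `__init__` uses plain `self._ca_host = None`; if plain assignment works after construction the object.__setattr__ calls are unnecessary, and if it does not (a plugin class that locks attribute assignment) the `__init__` line should use the same mechanism, with a comment saying why the bypass is needed. Resetting `_ca_host` to None in `__enter__` also means every `with RestClient` block repeats the host_has_service LDAP lookups, which is the intent per the commit message, but worth stating in the `# Refresh the ca_host property` comment so it is not "re-optimised" back into a sticky cache.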

From 225fc310606916445fcc152ec21f627e67f95494 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 28 Apr 2017 09:31:45 +0200
Subject: [PATCH 2/2] Remove the cachedproperty class

The cachedproperty class was used in one special use-case where it only
caused issues. Let's get rid of it.

https://pagure.io/freeipa/issue/6878
---
 ipalib/util.py | 34 --
 1 file changed, 34 deletions(-)

diff --git a/ipalib/util.py b/ipalib/util.py
index e9d4105..8973a19 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -34,7 +34,6 @@
 import encodings
 import sys
 import ssl
-from weakref import WeakKeyDictionary
 
 import netaddr
 from dns import resolver, rdatatype
@@ -492,39 +491,6 @@ def remove_sshpubkey_from_output_list_post(context, entries):
 delattr(context, 'ipasshpubkey_added')
 
 
-class cachedproperty(object):
-"""
-A property-like attribute that caches the return value of a method call.
-
-When the attribute is first read, the method is called and its return
-value is saved and returned. On subsequent reads, the saved value is
-returned.
-
-Typical usage:
-class C(object):
-@cachedproperty
-def attr(self):
-return 'value'
-"""
-__slots__ = ('getter', 'store')
-
-def __init__(self, getter):
-self.getter = getter
-self.store = WeakKeyDictionary()
-
-def __get__(self, obj, cls):
-if obj is None:
-return None
-if obj not in self.store:
-self.store[obj] = self.getter(obj)
-return self.store[obj]
-
-def __set__(self, obj, value):
-raise 
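Review bot: removing cachedproperty looks safe given that patch 1 drops its only import in ipaserver/plugins/dogtag.py, but the hunk is cut off on this page after `-raise `, so the full deletion (34 lines per the diffstat, including `__set__` and `__delete__`) cannot be checked here; a grep of the tree for `cachedproperty` before merging would confirm no other user remains.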

[Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes

2017-05-02 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/741
Author: stlaz
 Title: #741: 6.9 -> 7.4 migration fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/741/head:pr741
git checkout pr741
From 8cfc0770191003f9100e3405230e83a2e7059abf Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 27 Apr 2017 12:51:30 +0200
Subject: [PATCH 1/2] Refresh Dogtag RestClient.ca_host property

Refresh the ca_host property of Dogtag's RestClient class when
it's requested as a context manager.

This solves a problem which would occur on DL0 when installing a
CA against an old master which does not have port 8443 accessible.
The setup tries to update the cert profiles via this port but
fails. This operation should be performed against the local instance
anyway.

https://pagure.io/freeipa/issue/6878
---
 ipaserver/plugins/dogtag.py | 30 ++
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 3997531..3fb93fd 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1202,7 +1202,6 @@ def select_any_master(ldap2, service='CA'):
 import random
 from ipaserver.plugins import rabase
 from ipalib.constants import TYPE_ERROR
-from ipalib.util import cachedproperty
 from ipalib import _
 from ipaplatform.paths import paths
 
@@ -1250,34 +1249,41 @@ def __init__(self, api):
 self.client_keyfile = paths.RA_AGENT_KEY
 super(RestClient, self).__init__(api)
 
+self._ca_host = None
 # session cookie
 self.override_port = None
 self.cookie = None
 
-@cachedproperty
+@property
 def ca_host(self):
 """
-:return:   host
-   as str
+:returns: FQDN of a host hopefully providing a CA service
 
-Select our CA host.
+Select our CA host, cache it for the first time.
 """
+if self._ca_host is not None:
+return self._ca_host
+
 ldap2 = self.api.Backend.ldap2
 if host_has_service(api.env.ca_host, ldap2, "CA"):
-return api.env.ca_host
-if api.env.host != api.env.ca_host:
+self._ca_host = api.env.ca_host
+elif api.env.host != api.env.ca_host:
 if host_has_service(api.env.host, ldap2, "CA"):
-return api.env.host
-host = select_any_master(ldap2)
-if host:
-return host
+self._ca_host = api.env.host
 else:
-return api.env.ca_host
+self._ca_host = select_any_master(ldap2)
+if self._ca_host is None:
+self._ca_host = api.env.ca_host
+return self._ca_host
 
 def __enter__(self):
 """Log into the REST API"""
 if self.cookie is not None:
 return
+
+# Refresh the ca_host property
+object.__setattr__(self, '_ca_host', None)
+
 status, resp_headers, _resp_body = dogtag.https_request(
 self.ca_host, self.override_port or self.env.ca_agent_port,
 url='/ca/rest/account/login',
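Review bot: after this revision the property assigns `self._ca_host = ...` directly, but `__enter__` still resets it with `object.__setattr__(self, '_ca_host', None)`; one of the two is redundant. If direct assignment is allowed on this class, use it in `__enter__` too; if the class blocks attribute assignment, the property's plain assignments would raise on first use. Pick one mechanism and say in a comment why it is the right one.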

From 1ccd4c16d8f2043cea5bd271ada4492db9fceca2 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 28 Apr 2017 09:31:45 +0200
Subject: [PATCH 2/2] Remove the cachedproperty class

The cachedproperty class was used in one special use-case where it only
caused issues. Let's get rid of it.

https://pagure.io/freeipa/issue/6878
---
 ipalib/util.py | 34 --
 1 file changed, 34 deletions(-)

diff --git a/ipalib/util.py b/ipalib/util.py
index e9d4105..8973a19 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -34,7 +34,6 @@
 import encodings
 import sys
 import ssl
-from weakref import WeakKeyDictionary
 
 import netaddr
 from dns import resolver, rdatatype
@@ -492,39 +491,6 @@ def remove_sshpubkey_from_output_list_post(context, entries):
 delattr(context, 'ipasshpubkey_added')
 
 
-class cachedproperty(object):
-"""
-A property-like attribute that caches the return value of a method call.
-
-When the attribute is first read, the method is called and its return
-value is saved and returned. On subsequent reads, the saved value is
-returned.
-
-Typical usage:
-class C(object):
-@cachedproperty
-def attr(self):
-return 'value'
-"""
-__slots__ = ('getter', 'store')
-
-def __init__(self, getter):
-self.getter = getter
-self.store = WeakKeyDictionary()
-
-def __get__(self, obj, cls):
-if obj is None:
-return None
-if obj not in self.store:
-self.store[obj] = self.getter(obj)
-return self.store[obj]
-
-def __set__(self, obj, value):
-raise AttributeError("can't set attribute")
-
-def __delete__(self, obj):
-raise 
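Review bot: `cachedproperty` lives in `ipalib.util`, which out-of-tree plugins can import, so deleting it is an API break for anyone who used it; the commit message only establishes that the one in-tree user is gone. If the break is acceptable, say so in the message; otherwise keep the class for one release with a deprecation warning.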

[Freeipa-devel] [freeipa PR#751][opened] ipa-client-install: remove extra space in pkinit_anchors definition

2017-05-02 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/751
Author: flo-renaud
 Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition
Action: opened

PR body:
"""
ipa-client-install modifies /etc/krb5.conf and defines the following line:
pkinit_anchors = FILE: /etc/ipa/ca.crt

The extra space between FILE: and /etc/ipa/ca.crt breaks pkinit.

https://pagure.io/freeipa/issue/6916
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/751/head:pr751
git checkout pr751
From 2348deb90b86b19a826fac683569c94e1ca3561b Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 2 May 2017 10:22:22 +0200
Subject: [PATCH] ipa-client-install: remove extra space in pkinit_anchors
 definition

ipa-client-install modifies /etc/krb5.conf and defines the following line:
pkinit_anchors = FILE: /etc/ipa/ca.crt

The extra space between FILE: and /etc/ipa/ca.crt breaks pkinit.

https://pagure.io/freeipa/issue/6916
---
 ipaclient/install/client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 549c9b8..abca692 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -710,7 +710,7 @@ def configure_krb5_conf(
 kropts.append(krbconf.setOption('default_domain', cli_domain))
 
 kropts.append(
-krbconf.setOption('pkinit_anchors', 'FILE: %s' % paths.IPA_CA_CRT))
+krbconf.setOption('pkinit_anchors', 'FILE:%s' % paths.IPA_CA_CRT))
 ropts = [{
 'name': cli_realm,
 'type': 'subsection',
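Review bot: the change to `'FILE:%s'` is correct, but it only affects new enrolments; clients configured by an earlier `ipa-client-install` still carry `pkinit_anchors = FILE: /etc/ipa/ca.crt` in `/etc/krb5.conf`, so PKINIT stays broken on them until the file is edited. Consider pairing this with a repair step for already-enrolled clients, or at least documenting the one-line manual fix in the linked issue.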
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf

2017-05-02 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729
From 740da4c68e307187de86beb2113df87157a9e950 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf

Turn on NSSOCSP directive during install/replica install/upgrade.
That checks whether the certificate which is used for login is
revoked or not using OCSP.

Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid a chicken-and-egg problem when it is needed to contact
the OCSP responder when httpd is starting.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in   |  1 +
 install/restart_scripts/restart_httpd | 14 +-
 ipaserver/install/httpinstance.py | 30 ++
 ipaserver/install/server/upgrade.py   | 24 
 4 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ee9a36b..24fc838 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -314,6 +314,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
+Requires: python-augeas
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
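Review bot: `Requires: python-augeas` is added to the server package, but the module that does `from augeas import Augeas` (`ipaserver/install/httpinstance.py`, later in this patch) ships in the `python2-ipaserver` and `python3-ipaserver` subpackages, so the dependency belongs there (`python-augeas` and `python3-augeas` respectively). The pylint `Unable to import 'augeas'` error reported further down this thread is the same gap on the build-dependency side.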
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..b661b82 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,23 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+api.finalize()
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+# Add trust flag which set certificate trusted for SSL connections.
+db.trust_root_cert(nickname, "P,,")
+
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
 try:
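Review bot: `nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")` is passed straight to `db.trust_root_cert(nickname, "P,,")` with no check for `None`, so a missing or commented-out `NSSNickname` becomes an obscure failure inside the NSS call instead of a clear `syslog` message like the rest of the script produces; guard it. The script should also carry a one-line comment on what `P,,` does (the commit message explains it, the code does not): httpd will trust its own certificate as a peer regardless of OCSP status, which is deliberate so that httpd can start before the OCSP responder it hosts is reachable. Finally, `trust_root_cert` is a misleading helper name at this call site, since the object being flagged is the server certificate, not a root.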
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7898c53..72488cc 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+from augeas import Augeas
 
 from ipalib.install import certmonger
 from ipaserver.install import service
@@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
   self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self.request_service_keytab)
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+def enable_mod_nss_ocsp(self):
+aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
+
+aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')
+aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
+aug.load()
+
+path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost')
+
+ocsp_comment = aug.get(
+'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path))
+ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path))
+
+if ocsp_dir is None and ocsp_comment is not None:
+# Directive is missing, comment is present
+aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path),
+'NSSOCSP')
+aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
+elif ocsp_dir is None:
+# Directive is missing and comment is missing
+aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP")
+
+aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
+aug.save()
+
 def set_mod_nss_cipher_suite(self):
 ciphers = ','.join(NSS_CIPHER_SUITE)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
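Review bot: `path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost')` strips the leading slash by slicing, which silently yields a wrong Augeas path if `HTTPD_NSS_CONF` is ever not absolute; `'/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF)` states the intent directly. The same node is selected with two spellings, `directive[.="NSSOCSP"]` and `directive[. = "NSSOCSP"]`; pick one. `aug.save()` raises `IOError` when the lens cannot write the tree back, and the installer step would then fail without naming the file; wrap it so the error mentions `HTTPD_NSS_CONF`.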
@@ -351,6 +378,7 @@ def __setup_ssl(self):
   create=True)
 

[Freeipa-devel] [freeipa PR#750][closed] Fixed typo in ipa-client-install help output

2017-05-02 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/750
Author: tscherf
 Title: #750: Fixed typo in ipa-client-install help output
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/750/head:pr750
git checkout pr750

[Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf

2017-05-02 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/729
Title: #729: Turn on NSSOCSP check in mod_nss conf

flo-renaud commented:
"""
Hi @pvomacka 
I tested your last update with a new install and with an upgraded instance, and both are functionally OK. Revoked certs do not allow access to the IPA Web UI.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/729#issuecomment-298620370

[Freeipa-devel] [freeipa PR#751][+pushed] ipa-client-install: remove extra space in pkinit_anchors definition

2017-05-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/751
Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition

Label: +pushed

[Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd

2017-05-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

MartinBasti commented:
"""
The issue will be fixed on the SELinux side
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/723#issuecomment-298627474

[Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes

2017-05-02 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/741
Author: stlaz
 Title: #741: 6.9 -> 7.4 migration fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/741/head:pr741
git checkout pr741
From 802b2ad635f3e62290c95bb0636c85d90199d84b Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 27 Apr 2017 12:51:30 +0200
Subject: [PATCH 1/2] Refresh Dogtag RestClient.ca_host property

Refresh the ca_host property of the Dogtag's RestClient class when
it's requested as a context manager.

This solves the problem which would occur on DL0 when installing a
CA which needs to perform a set of steps against itself, accessing
port 8443. This port should however only be available locally, so
trying to connect to a remote master would fail. We need to make
sure the right CA host is accessed.

https://pagure.io/freeipa/issue/6878
---
 ipaserver/install/cainstance.py |  5 ++---
 ipaserver/plugins/dogtag.py | 30 ++
 2 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 84d60bf..d72feb8 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -425,6 +425,8 @@ def configure_instance(self, host_name, dm_password, admin_password,
 self.step("Configure HTTP to proxy connections",
   self.http_proxy)
 self.step("restarting certificate server", self.restart_instance)
+self.step("updating IPA configuration", update_ipa_conf)
+self.step("enabling CA instance", self.__enable_instance)
 if not promote:
 self.step("migrating certificate profiles to LDAP",
   migrate_profiles_to_ldap)
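Review bot: moving `updating IPA configuration` and `enabling CA instance` ahead of the profile migration is what makes the local config's `ca_host` point at this host before `migrate_profiles_to_ldap` runs (the `Connection refused` on port 8443 reported in this thread), so the order is right. The side effect is that the CA entry is now marked enabled before the profiles, the default CA ACL and the `ipa` authority entry exist, so a failure in those later steps leaves an enabled but incomplete CA that other masters may select. A short comment above the two moved steps stating the ordering dependency would keep someone from moving them back.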
@@ -432,9 +434,6 @@ def configure_instance(self, host_name, dm_password, admin_password,
   import_included_profiles)
 self.step("adding default CA ACL", ensure_default_caacl)
 self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry)
-self.step("updating IPA configuration", update_ipa_conf)
-
-self.step("enabling CA instance", self.__enable_instance)
 
 self.step("configuring certmonger renewal for lightweight CAs",
   self.__add_lightweight_ca_tracking_requests)
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 3997531..bddaab5 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1202,7 +1202,6 @@ def select_any_master(ldap2, service='CA'):
 import random
 from ipaserver.plugins import rabase
 from ipalib.constants import TYPE_ERROR
-from ipalib.util import cachedproperty
 from ipalib import _
 from ipaplatform.paths import paths
 
@@ -1250,34 +1249,41 @@ def __init__(self, api):
 self.client_keyfile = paths.RA_AGENT_KEY
 super(RestClient, self).__init__(api)
 
+self._ca_host = None
 # session cookie
 self.override_port = None
 self.cookie = None
 
-@cachedproperty
+@property
 def ca_host(self):
 """
-:return:   host
-   as str
+:returns: FQDN of a host hopefully providing a CA service
 
-Select our CA host.
+Select our CA host, cache it for the first time.
 """
+if self._ca_host is not None:
+return self._ca_host
+
 ldap2 = self.api.Backend.ldap2
 if host_has_service(api.env.ca_host, ldap2, "CA"):
-return api.env.ca_host
-if api.env.host != api.env.ca_host:
+object.__setattr__(self, '_ca_host', api.env.ca_host)
+elif api.env.host != api.env.ca_host:
 if host_has_service(api.env.host, ldap2, "CA"):
-return api.env.host
-host = select_any_master(ldap2)
-if host:
-return host
+object.__setattr__(self, '_ca_host', api.env.host)
 else:
-return api.env.ca_host
+object.__setattr__(self, '_ca_host', select_any_master(ldap2))
+if self._ca_host is None:
+object.__setattr__(self, '_ca_host', api.env.ca_host)
+return self._ca_host
 
 def __enter__(self):
 """Log into the REST API"""
 if self.cookie is not None:
 return
+
+# Refresh the ca_host property
+object.__setattr__(self, '_ca_host', None)
+
 status, resp_headers, _resp_body = dogtag.https_request(
 self.ca_host, self.override_port or self.env.ca_agent_port,
 url='/ca/rest/account/login',
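Review bot: every write to `_ca_host` now goes through `object.__setattr__`, which bypasses whatever `__setattr__` the plugin base class installs; that is presumably to get around an attribute lock, but nothing in the code says so, and `_ca_host` is still created in `__init__` with a plain assignment, so the property deserves a comment explaining why it cannot assign normally. The final fallback `if self._ca_host is None: ... api.env.ca_host` is reached only when `select_any_master` found no CA master, at which point `api.env.ca_host` has already been checked and found not to offer the service and the following `https_request` is expected to fail; a debug-level log of which host was chosen and why would make the resulting `NetworkError` far easier to diagnose.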

From f57ed03e97836876f21d18e68fd0f13f394dc471 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 28 Apr 2017 09:31:45 +0200
Subject: [PATCH 2/2] Remove the cachedproperty class

The 

[Freeipa-devel] [freeipa PR#750][comment] Fixed typo in ipa-client-install help output

2017-05-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/750
Title: #750: Fixed typo in ipa-client-install help output

MartinBasti commented:
"""
master:

* e3f849d541e8d054b0932d8ec1bd4c836e53c6f0 Fixed typo in ipa-client-install output


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/750#issuecomment-298612165

[Freeipa-devel] [freeipa PR#750][+pushed] Fixed typo in ipa-client-install help output

2017-05-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/750
Title: #750: Fixed typo in ipa-client-install help output

Label: +pushed

[Freeipa-devel] [freeipa PR#751][comment] ipa-client-install: remove extra space in pkinit_anchors definition

2017-05-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/751
Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition

MartinBasti commented:
"""
master:

* 26dbab1fd4384b8f3999b153c2d94220cf541ad2 ipa-client-install: remove extra space in pkinit_anchors definition


ipa-4-5:

* a3c4e70650dbcd5dd3f00a7b2fecc051afeebec0 ipa-client-install: remove extra space in pkinit_anchors definition


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/751#issuecomment-298613205

[Freeipa-devel] [freeipa PR#751][closed] ipa-client-install: remove extra space in pkinit_anchors definition

2017-05-02 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/751
Author: flo-renaud
 Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/751/head:pr751
git checkout pr751

[Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes

2017-05-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/741
Title: #741: 6.9 -> 7.4 migration fixes

MartinBasti commented:
"""
It failed for me
```
  [20/28]: Configure HTTP to proxy connections
  [21/28]: restarting certificate server
  [22/28]: migrating certificate profiles to LDAP
  [error] NetworkError: cannot connect to 
'https://vm-058-166.abc.idm.lab.eng.brq.redhat.com:8443/ca/rest/account/login': 
[Errno 111] Connection refused
Your system may be partly configured.
```

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/741#issuecomment-298609873

[Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes

2017-05-02 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/741
Title: #741: 6.9 -> 7.4 migration fixes

stlaz commented:
"""
This was supposed to be fixed by the patch and worked for me; it seems that I may need to investigate it further.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/741#issuecomment-298610326

[Freeipa-devel] [freeipa PR#734][+ack] kerberos session: use CA cert with full cert chain for obtaining cookie

2017-05-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/734
Title: #734: kerberos session: use CA cert with full cert chain for obtaining cookie

Label: +ack

[Freeipa-devel] [freeipa PR#734][comment] kerberos session: use CA cert with full cert chain for obtaining cookie

2017-05-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/734
Title: #734: kerberos session: use CA cert with full cert chain for obtaining cookie

MartinBasti commented:
"""
master:

* c19196a0d3fc0a38c4c83cb8a7fde56e6bc310af kerberos session: use CA cert with full cert chain for obtaining cookie


ipa-4-5:

* 82679c11f1fc0701d753433d1f2d14c3ee0279af kerberos session: use CA cert with full cert chain for obtaining cookie


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/734#issuecomment-298612483

[Freeipa-devel] [freeipa PR#734][closed] kerberos session: use CA cert with full cert chain for obtaining cookie

2017-05-02 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/734
Author: pvoborni
 Title: #734: kerberos session: use CA cert with full cert chain for obtaining cookie
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/734/head:pr734
git checkout pr734

[Freeipa-devel] [freeipa PR#734][+pushed] kerberos session: use CA cert with full cert chain for obtaining cookie

2017-05-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/734
Title: #734: kerberos session: use CA cert with full cert chain for obtaining cookie

Label: +pushed

[Freeipa-devel] [freeipa PR#723][closed] Store GSSAPI session key in /var/run/httpd

2017-05-02 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/723
Author: MartinBasti
 Title: #723: Store GSSAPI session key in /var/run/httpd
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/723/head:pr723
git checkout pr723

[Freeipa-devel] [freeipa PR#723][+rejected] Store GSSAPI session key in /var/run/httpd

2017-05-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

Label: +rejected

[Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes

2017-05-02 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/741
Title: #741: 6.9 -> 7.4 migration fixes

stlaz commented:
"""
Turns out I forgot to reorder the CA installation steps a bit.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/741#issuecomment-298631763

[Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys

2017-05-02 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
 Title: #679: Make sure remote hosts have our keys
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/679/head:pr679
git checkout pr679
From 0e70f02180e2ada8862fbd8d42a42f07a8cabbb9 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Fri, 31 Mar 2017 11:22:45 -0400
Subject: [PATCH] Make sure remote hosts have our keys

In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6838

Signed-off-by: Simo Sorce 
---
 ipaserver/install/custodiainstance.py | 28 +++-
 ipaserver/secrets/kem.py  | 12 
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 6a61392..390576b 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -1,6 +1,6 @@
 # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license.
 
-from ipaserver.secrets.kem import IPAKEMKeys
+from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap
 from ipaserver.secrets.client import CustodiaClient
 from ipaplatform.paths import paths
 from ipaplatform.constants import constants
@@ -18,6 +18,7 @@
 import os
 import stat
 import tempfile
+import time
 import pwd
 
 
@@ -122,6 +123,27 @@ def import_dm_password(self, master_host_name):
 cli = self.__CustodiaClient(server=master_host_name)
 cli.fetch_key('dm/DMHash')
 
+def __wait_keys(self, host, timeout=300):
+ldap_uri = 'ldap://%s' % host
+deadline = int(time.time()) + timeout
+root_logger.info("Waiting up to {} seconds to see our keys "
+ "appear on host: {}".format(timeout, host))
+
+konn = KEMLdap(ldap_uri)
+saved_e = None
+while True:
+try:
+return konn.check_host_keys(self.fqdn)
+except Exception as e:
+# log only once for the same error
+if not isinstance(e, type(saved_e)):
+root_logger.debug(
+"Transient error getting keys: '{err}'".format(err=e))
+saved_e = e
+if int(time.time()) > deadline:
+raise RuntimeError("Timed out trying to obtain keys.")
+time.sleep(1)
+
 def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 # Fecth all needed certs one by one, then combine them in a single
 # p12 file
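Review bot: `except Exception` in `__wait_keys` retries on every error for up to `timeout` seconds, including ones that waiting cannot fix: the `ValueError` that `check_host_keys` raises when more than one entry matches, a malformed `ldap_uri`, or an authentication failure. Those should abort at once; only connection errors and a missing entry are transient here. The `isinstance(e, type(saved_e))` de-duplication also hides a change from one error to another instance of the same or a derived class, so a connection error followed by a different `ldap.LDAPError` subclass is never logged; comparing `type(e) is type(saved_e)` or the error text is less surprising. The 300-second default and the plain `ldap://` URI are hard-coded, and the `RuntimeError` at timeout does not name the host or the last error seen, which is exactly what a replication-lag investigation needs.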
@@ -129,6 +151,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 prefix = data['prefix']
 certlist = data['list']
 
+# Before we attempt to fetch keys from this host, make sure our public
+# keys have been replicated there.
+self.__wait_keys(ca_host)
+
 cli = self.__CustodiaClient(server=ca_host)
 
 # Temporary nssdb
diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py
index 28fb4d3..c1991c6 100644
--- a/ipaserver/secrets/kem.py
+++ b/ipaserver/secrets/kem.py
@@ -24,6 +24,7 @@
 
 IPA_REL_BASE_DN = 'cn=custodia,cn=ipa,cn=etc'
 IPA_KEYS_QUERY = '(&(ipaKeyUsage={usage:s})(memberPrincipal={princ:s}))'
+IPA_CHECK_QUERY = '(cn=enc/{host:s})'
 RFC5280_USAGE_MAP = {KEY_USAGE_SIG: 'digitalSignature',
  KEY_USAGE_ENC: 'dataEncipherment'}
 
@@ -78,6 +79,17 @@ def get_key(self, usage, principal):
 jwk['use'] = KEY_USAGE_MAP[usage]
 return json_encode(jwk)
 
+def check_host_keys(self, host):
+conn = self.connect()
+scope = ldap.SCOPE_SUBTREE
+
+ldap_filter = self.build_filter(IPA_CHECK_QUERY, {'host': host})
+r = conn.search_s(self.keysbase, scope, ldap_filter)
+if len(r) != 1:
+raise ValueError("Incorrect number of results (%d) searching for"
+ "public key for %s" % (len(r), host))
+return True
+
 def _format_public_key(self, key):
 if isinstance(key, str):
 jwkey = json_decode(key)
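Review bot: the error message is missing a space between the two string literals, `"... searching for"` followed by `"public key for %s"`, so it renders as `searching forpublic key`. More importantly, `check_host_keys` only confirms that an entry named `cn=enc/<host>` exists, whereas the commit message says the installer waits to "positively fetch our encryption public key": if the host is being re-installed and a stale entry from the previous install is still replicated, the check passes before the new key arrives and the later fetch still races. Comparing the replicated key material against the local public key closes that gap. The connection returned by `self.connect()` is also never unbound.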

[Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf

2017-05-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/729
Title: #729: Turn on NSSOCSP check in mod_nss conf

MartinBasti commented:
"""
augeas should be a dependency of the python2-ipaserver and python3-ipaserver (python3-augeas) packages
```
* Module ipaserver.install.httpinstance
ipaserver/install/httpinstance.py:32: [E0401(import-error), ] Unable to import 
'augeas')
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/729#issuecomment-298665396

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-05-02 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

stlaz commented:
"""
Still fails.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-298681896

[Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf

2017-05-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/729
Title: #729: Turn on NSSOCSP check in mod_nss conf

MartinBasti commented:
"""
And you also need python[3]-augeas as Pylint BuildDependency to pass pylint :), 
sorry I forgot about it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/729#issuecomment-298690276

[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf

2017-05-02 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729
From 9e8e55bb205211637539bf149eb1fa0ed13ff872 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf

Turn on NSSOCSP directive during install/replica install/upgrade.
That checks whether the certificate which is used for login is
revoked or not using OCSP.

Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid a chicken-and-egg problem when it is needed to contact
the OCSP responder when httpd is starting.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in   |  2 ++
 install/restart_scripts/restart_httpd | 14 +-
 ipaserver/install/httpinstance.py | 30 ++
 ipaserver/install/server/upgrade.py   | 25 +
 4 files changed, 70 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ee9a36b..0b5500e 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -359,6 +359,7 @@ Requires: python-dns >= 1.15
 Requires: python-kdcproxy >= 0.3
 Requires: rpm-libs
 Requires: pki-base-python2
+Requires: python-augeas
 
 %description -n python2-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -388,6 +389,7 @@ Requires: python3-pyasn1
 Requires: python3-dbus
 Requires: python3-dns >= 1.15
 Requires: python3-kdcproxy >= 0.3
+Requires: python3-augeas
 Requires: rpm-libs
 Requires: pki-base-python3
 
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..b661b82 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,23 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+api.finalize()
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+# Add trust flag which set certificate trusted for SSL connections.
+db.trust_root_cert(nickname, "P,,")
+
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
 try:
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7898c53..ab688a8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+from augeas import Augeas
 
 from ipalib.install import certmonger
 from ipaserver.install import service
@@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
   self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self.request_service_keytab)
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+def enable_mod_nss_ocsp(self):
+aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
+
+aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')
+aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
+aug.load()
+
+path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF)
+
+ocsp_comment = aug.get(
+'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path))
+ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path))
+
+if ocsp_dir is None and ocsp_comment is not None:
+# Directive is missing, comment is present
+aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path),
+'NSSOCSP')
+aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
+elif ocsp_dir is None:
+# Directive is missing and comment is missing
+aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP")
+
+aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
+aug.save()
+
 def set_mod_nss_cipher_suite(self):
 ciphers = 
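Review bot: the comment lookup `#comment[.=~regexp("NSSOCSP .*")]` is used with `aug.get()` and `aug.set()`, both of which raise when the path matches more than one node, and since Augeas regexps match the whole string the pattern requires a space after `NSSOCSP`, so a bare `#NSSOCSP` comment is not found and the `elif` branch appends a second directive instead of converting the comment. Consider `aug.match()` on the path and handling zero, one and many matches explicitly. `aug.save()` reports failures as an exception with the details left under `/augeas//error`; wrapping the save to log that node (and closing the handle with `aug.close()` afterwards) would make upgrade failures diagnosable. Minor: the final `aug.set('{}/directive[. = "NSSOCSP"]/arg'...)` spells the predicate differently from `directive[.="NSSOCSP"]` above; pick one form.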

[Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf

2017-05-02 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/729
Title: #729: Turn on NSSOCSP check in mod_nss conf

pvomacka commented:
"""
Hello @flo-renaud, thank you for testing this. 
Hello @MartinBasti, thank you for review. I just fixed that.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/729#issuecomment-298668970

[Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively.

2017-05-02 Thread felipevolpone
   URL: https://github.com/freeipa/freeipa/pull/736
Author: felipevolpone
 Title: #736: Fixing the cert-request command comparing whole email address 
case-sensitively.
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/736/head:pr736
git checkout pr736
From 6210297824b61c20e3ca70dff3c48ffd47aee29e Mon Sep 17 00:00:00 2001
From: felipe barreto 
Date: Wed, 26 Apr 2017 11:08:35 -0300
Subject: [PATCH 1/2] Fixing the cert-request comparing whole email address
 case-sensitively.

Now, the cert-request command compares the domain part of the
email case-insensitively.

https://pagure.io/freeipa/issue/5919
---
 ipaserver/plugins/cert.py| 20 +++-
 ipatests/test_xmlrpc/test_cert_plugin.py | 25 +
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 9f90107..a0b2b83 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -705,7 +705,8 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 # fail if any email addr from DN does not appear in ldap entry
 email_addrs = csr_obj.subject.get_attributes_for_oid(
 cryptography.x509.oid.NameOID.EMAIL_ADDRESS)
-if len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0:
+if not _emails_are_valid(email_addrs,
+ principal_obj.get('mail', [])):
 raise errors.ValidationError(
 name='csr',
 error=_(
@@ -860,6 +861,23 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 )
 
 
+def _emails_are_valid(cert_emails, principal_emails):
+"""
+Checks if any email addr from DN does not appear in ldap entry,
+comparing the domain part case-insensitively.
+"""
+
+def lower_domain(email):
+return email.split('@')[0] + '@' + email.split('@')[1].lower()
+
+principal_emails_lower = [lower_domain(email) for email in principal_emails]
+
+email_addrs = [attr.value for attr in cert_emails]
+cert_emails_lower = [lower_domain(email) for email in email_addrs]
+
+return not any(set(cert_emails_lower) - set(principal_emails_lower))
+
+
 def principal_to_principal_type(principal):
 if principal.is_user:
 return USER
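Review bot: `lower_domain` indexes `email.split('@')[1]`, so any value without an `@` (a malformed Subject emailAddress in a CSR, or an unexpected LDAP `mail` value) raises IndexError out of cert-request instead of producing a ValidationError; use `local, sep, domain = email.rpartition('@')` and treat `sep == ''` as a mismatch. The docstring states the opposite of the return value: it says the function "checks if any email addr from DN does not appear in ldap entry", but it returns True when every address appears. Also `not any(set(...) - set(...))` only works because non-empty strings are truthy; `not (set(cert_emails_lower) - set(principal_emails_lower))` or `set(cert_emails_lower).issubset(principal_emails_lower)` says what is meant.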
diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
index 0b8277b..cd8ee7b 100644
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
@@ -253,6 +253,31 @@ def test_00010_cleanup(self):
 res = api.Command['service_find'](self.service_princ)
 assert res['count'] == 0
 
+def test_00011_email_are_valid(self):
+from ipaserver.plugins.cert import _emails_are_valid
+from collections import namedtuple
+NameAttribute = namedtuple('NameAttribute', 'value')
+
+cert = [NameAttribute(u'a...@email.com')]
+result = _emails_are_valid(cert, [u'a...@email.com'])
+assert True == result, result
+
+cert = [NameAttribute(u'a...@email.com')]
+result = _emails_are_valid(cert, [u'a...@email.com', u'anot...@email.com'])
+assert True == result, result
+
+cert = [NameAttribute(u'a...@email.com'), NameAttribute('anot...@email.com')]
+result = _emails_are_valid(cert, [u'a...@email.com'])
+assert False == result, result
+
+result = _emails_are_valid([], [u'a...@email.com'])
+assert True == result, result
+
+cert = [NameAttribute(u'a...@email.com')]
+result = _emails_are_valid(cert, [])
+assert False == result, result
+
+
 
 @pytest.mark.tier1
 class test_cert_find(XMLRPC_test):
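Review bot: none of the visible cases appears to exercise the behaviour the commit message introduces, a CSR address whose domain differs only in case from the LDAP `mail` value (for example `EMAIL.COM` against `email.com`); add one positive case for that and one negative case where only the local part differs in case, which must still be rejected. Style: `assert True == result, result` reads better as `assert result is True, result`, and the two added trailing blank lines leave three blank lines before `@pytest.mark.tier1` where PEP 8 expects two.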

From 943a287a71384e10d2f13e8402907f0d3d10a085 Mon Sep 17 00:00:00 2001
From: felipe barreto 
Date: Tue, 2 May 2017 12:29:46 -0300
Subject: [PATCH 2/2] Checking the emails in SAN extension

---
 ipaserver/plugins/cert.py| 31 ---
 ipatests/test_xmlrpc/test_cert_plugin.py | 28 +---
 2 files changed, 37 insertions(+), 22 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index a0b2b83..88cf6d4 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -705,7 +705,11 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 # fail if any email addr from DN does not appear in ldap entry
 email_addrs = csr_obj.subject.get_attributes_for_oid(
 cryptography.x509.oid.NameOID.EMAIL_ADDRESS)
-if not _emails_are_valid(email_addrs,
+
+san_email_addrs = csr_obj.extensions.get_extension_for_oid(
+cryptography.x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
+
+if 
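Review bot: `csr_obj.extensions.get_extension_for_oid(...SUBJECT_ALTERNATIVE_NAME)` raises `cryptography.x509.ExtensionNotFound` when the CSR carries no SAN extension, which is the common case for a plain user CSR, so this call needs a try/except that falls back to an empty list. On success it returns an `Extension` object, not addresses; the RFC822 names are `ext.value.get_values_for_type(cryptography.x509.RFC822Name)` and those are plain strings, unlike the `NameAttribute` objects taken from the subject, so `_emails_are_valid` as written (which reads `attr.value`) would have to accept both shapes or be fed already-extracted strings.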

[Freeipa-devel] [freeipa PR#741][+ack] 6.9 -> 7.4 migration fixes

2017-05-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/741
Title: #741: 6.9 -> 7.4 migration fixes

Label: +ack

[Freeipa-devel] [freeipa PR#671][comment] Slim down dependencies

2017-05-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/671
Title: #671: Slim down dependencies

MartinBasti commented:
"""
Due to missing jinja, tox tests failed

```
ERROR:   py27: commands failed
ERROR:   py35: commands failed
ERROR:   py36: commands failed
ERROR:   pylint2: commands failed
ERROR:   pylint3: commands failed
```

Tests
```
ImportError while importing test module 
'/tmp/freeipa/.tox/py36/lib/python3.6/site-packages/ipatests/test_ipaclient/test_csrgen.py'.
Hint: make sure your test modules/packages have valid Python names.
Traceback:
test_ipaclient/test_csrgen.py:8: in 
from ipaclient import csrgen
../ipaclient/csrgen.py:23: in 
import jinja2
E   ModuleNotFoundError: No module named 'jinja2'

```

pylint
```
* Module ipaclient.csrgen
lib/python3.5/site-packages/ipaclient/csrgen.py:23: [E0401(import-error), ] 
Unable to import 'jinja2')
lib/python3.5/site-packages/ipaclient/csrgen.py:24: [E0401(import-error), ] 
Unable to import 'jinja2.ext')
lib/python3.5/site-packages/ipaclient/csrgen.py:25: [E0401(import-error), ] 
Unable to import 'jinja2.sandbox')
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/671#issuecomment-298675008

[Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively.

2017-05-02 Thread felipevolpone
   URL: https://github.com/freeipa/freeipa/pull/736
Author: felipevolpone
 Title: #736: Fixing the cert-request command comparing whole email address 
case-sensitively.
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/736/head:pr736
git checkout pr736
From 6210297824b61c20e3ca70dff3c48ffd47aee29e Mon Sep 17 00:00:00 2001
From: felipe barreto 
Date: Wed, 26 Apr 2017 11:08:35 -0300
Subject: [PATCH 1/3] Fixing the cert-request comparing whole email address
 case-sensitively.

Now, the cert-request command compares the domain part of the
email case-insensitively.

https://pagure.io/freeipa/issue/5919
---
 ipaserver/plugins/cert.py| 20 +++-
 ipatests/test_xmlrpc/test_cert_plugin.py | 25 +
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 9f90107..a0b2b83 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -705,7 +705,8 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 # fail if any email addr from DN does not appear in ldap entry
 email_addrs = csr_obj.subject.get_attributes_for_oid(
 cryptography.x509.oid.NameOID.EMAIL_ADDRESS)
-if len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0:
+if not _emails_are_valid(email_addrs,
+ principal_obj.get('mail', [])):
 raise errors.ValidationError(
 name='csr',
 error=_(
@@ -860,6 +861,23 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 )
 
 
+def _emails_are_valid(cert_emails, principal_emails):
+"""
+Checks if any email addr from DN does not appear in ldap entry,
+comparing the domain part case-insensitively.
+"""
+
+def lower_domain(email):
+return email.split('@')[0] + '@' + email.split('@')[1].lower()
+
+principal_emails_lower = [lower_domain(email) for email in principal_emails]
+
+email_addrs = [attr.value for attr in cert_emails]
+cert_emails_lower = [lower_domain(email) for email in email_addrs]
+
+return not any(set(cert_emails_lower) - set(principal_emails_lower))
+
+
 def principal_to_principal_type(principal):
 if principal.is_user:
 return USER
diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
index 0b8277b..cd8ee7b 100644
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
@@ -253,6 +253,31 @@ def test_00010_cleanup(self):
 res = api.Command['service_find'](self.service_princ)
 assert res['count'] == 0
 
+def test_00011_email_are_valid(self):
+from ipaserver.plugins.cert import _emails_are_valid
+from collections import namedtuple
+NameAttribute = namedtuple('NameAttribute', 'value')
+
+cert = [NameAttribute(u'a...@email.com')]
+result = _emails_are_valid(cert, [u'a...@email.com'])
+assert True == result, result
+
+cert = [NameAttribute(u'a...@email.com')]
+result = _emails_are_valid(cert, [u'a...@email.com', u'anot...@email.com'])
+assert True == result, result
+
+cert = [NameAttribute(u'a...@email.com'), NameAttribute('anot...@email.com')]
+result = _emails_are_valid(cert, [u'a...@email.com'])
+assert False == result, result
+
+result = _emails_are_valid([], [u'a...@email.com'])
+assert True == result, result
+
+cert = [NameAttribute(u'a...@email.com')]
+result = _emails_are_valid(cert, [])
+assert False == result, result
+
+
 
 @pytest.mark.tier1
 class test_cert_find(XMLRPC_test):

From 943a287a71384e10d2f13e8402907f0d3d10a085 Mon Sep 17 00:00:00 2001
From: felipe barreto 
Date: Tue, 2 May 2017 12:29:46 -0300
Subject: [PATCH 2/3] Checking the emails in SAN extension

---
 ipaserver/plugins/cert.py| 31 ---
 ipatests/test_xmlrpc/test_cert_plugin.py | 28 +---
 2 files changed, 37 insertions(+), 22 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index a0b2b83..88cf6d4 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -705,7 +705,11 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 # fail if any email addr from DN does not appear in ldap entry
 email_addrs = csr_obj.subject.get_attributes_for_oid(
 cryptography.x509.oid.NameOID.EMAIL_ADDRESS)
-if not _emails_are_valid(email_addrs,
+
+san_email_addrs = csr_obj.extensions.get_extension_for_oid(
+cryptography.x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
+
+if 

[Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes

2017-05-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/741
Title: #741: 6.9 -> 7.4 migration fixes

MartinBasti commented:
"""
master:

* 0d406fcb784924bfe685729f3156efb8c902b947 Refresh Dogtag RestClient.ca_host 
property
* 92313c9e9d37733feb79d1b1c825178f48d6c69c Remove the cachedproperty class


ipa-4-5:

* 32981a0f9d0ff699e3d16da8f5a37c112871ba3a Refresh Dogtag RestClient.ca_host 
property
* 9de343987e6d76d2edeba372c73c1060657aef59 Remove the cachedproperty class


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/741#issuecomment-298671871

[Freeipa-devel] [freeipa PR#741][closed] 6.9 -> 7.4 migration fixes

2017-05-02 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/741
Author: stlaz
 Title: #741: 6.9 -> 7.4 migration fixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/741/head:pr741
git checkout pr741

[Freeipa-devel] [freeipa PR#741][+pushed] 6.9 -> 7.4 migration fixes

2017-05-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/741
Title: #741: 6.9 -> 7.4 migration fixes

Label: +pushed

[Freeipa-devel] [freeipa PR#736][comment] Fixing the cert-request command comparing whole email address case-sensitively.

2017-05-02 Thread felipevolpone
  URL: https://github.com/freeipa/freeipa/pull/736
Title: #736: Fixing the cert-request command comparing whole email address 
case-sensitively.

felipevolpone commented:
"""
@frasertweedale I did the check in the SAN extension. 

However, I'm not sure if these are valid situations:
Case 1)
The principal email is a...@email.com
The email in the certificate is b...@email.com
The emails in the SAN extensions are: a...@email.com, c...@email.com

or this:

Case 2)
The principal email is a...@email.com
The emails in the certificate are b...@email.com, a...@email.com
The email in the SAN extensions is: c...@email.com

If case 1 is valid, the check in line 799 (below) is not right, because it 
expects all emails in the SAN extension to be in the principal.
```python
elif isinstance(gn, cryptography.x509.general_name.RFC822Name):
    if principal_type == USER:
        if principal_obj and gn.value not in principal_obj.get(
                'mail', []):
            raise errors.ValidationError(
                name='csr',
                error=_(
                    "RFC822Name does not match "
                    "any of user's email addresses")
            )
    else:
        raise errors.ValidationError(
            name='csr',
            error=_(
                "subject alt name type %s is forbidden "
                "for non-user principals") % "RFC822Name"
        )
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/736#issuecomment-298673966
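The two cases raised in the comment above, worked through as an added example that is not FreeIPA's code and not the outcome of the PR discussion. It takes the strict reading implied by the quoted line-799 check (every address a CSR asks for, whether in the Subject emailAddress or in a SAN rfc822Name, must be one the principal owns), compares the domain part case-insensitively and the local part exactly as the commit message describes, and reports malformed entries instead of raising. The function names (`split_email`, `offending_emails`, `check_csr_emails`) and all addresses are constructed for this example.

```python
# Added example, not FreeIPA's code.  Validates the e-mail addresses a CSR
# requests against the addresses an LDAP principal owns.  Domain part is
# compared case-insensitively, local part exactly.  All addresses are
# constructed sample values.


def split_email(addr):
    """Return (local_part, lowercased_domain), or None if addr is malformed."""
    local, sep, domain = addr.rpartition('@')
    if not sep or not local or not domain:
        return None
    return (local, domain.lower())


def offending_emails(cert_emails, principal_emails):
    """Addresses from cert_emails the principal does not own, in input order.

    Malformed entries (no '@') are reported as offending rather than raising,
    so a bad CSR becomes a validation failure instead of an unhandled error.
    """
    owned = {split_email(a) for a in principal_emails} - {None}
    bad = []
    for addr in cert_emails:
        key = split_email(addr)
        if key is None or key not in owned:
            bad.append(addr)
    return bad


def emails_are_valid(cert_emails, principal_emails):
    """True iff every address in cert_emails belongs to the principal."""
    return not offending_emails(cert_emails, principal_emails)


def check_csr_emails(principal_emails, subject_emails, san_emails):
    """Check both the Subject emailAddress values and the SAN rfc822Name values.

    Returns (ok, offending) where offending lists each unowned address once,
    subject addresses first, so the caller can build a precise error message.
    """
    offending = []
    for addr in (offending_emails(subject_emails, principal_emails)
                 + offending_emails(san_emails, principal_emails)):
        if addr not in offending:
            offending.append(addr)
    return (not offending, offending)


if __name__ == '__main__':
    principal = ['alice@example.test']
    # Case 1 from the thread: subject address not owned, SAN mixes owned and not.
    print(check_csr_emails(principal, ['bob@example.test'],
                           ['alice@example.test', 'carol@example.test']))
    # Case 2: subject has an owned and an unowned address, SAN unowned.
    print(check_csr_emails(principal,
                           ['bob@example.test', 'alice@example.test'],
                           ['carol@example.test']))
    # Only the domain differs in case: accepted.  Local part differs: rejected.
    print(check_csr_emails(principal, ['alice@EXAMPLE.TEST'], []))
    print(check_csr_emails(principal, ['Alice@example.test'], []))
    # Malformed value in the CSR is reported, not raised.
    print(check_csr_emails(principal, ['nobody'], []))
```

Under this strict reading both of the thread's cases are rejected, each because of `bob@...` and `carol@...`; whether either case should instead be allowed is the policy question the comment asks, and the example does not decide it.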

[Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf

2017-05-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/729
Title: #729: Turn on NSSOCSP check in mod_nss conf

MartinBasti commented:
"""
And you also need to add it in `ipaserver/setup.py` as dependency for our PyPI 
packages
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/729#issuecomment-298691022