Re: [Freeipa-devel] [PATCHES] 98-101 Preserve case of LDAP attribute names
On 19.2.2013 17:30, Rob Crittenden wrote: I think dropping raw=True in patch 99.3 is going to break a check later where we look at the managedby attribute. Without raw this will be managedby_host. Fixed, thanks for the catch. I have also made 2 changes to patch 100 (made sure the entry returned by ldap2.get_ipa_config is using the correct IPASimpleLDAPObject and changed LDAPEntry.clone to be less fragile). Updated (and rebased) patches attached. Honza -- Jan Cholasta From 78d3da5cc8837ae2f3be9783df6d19af2683f8fe Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Thu, 31 Jan 2013 11:19:13 +0100 Subject: [PATCH 1/4] Use the dn attribute of LDAPEntry to set/get DNs of entries. Convert all code that uses the 'dn' key of LDAPEntry for this to use the dn attribute instead. --- install/tools/ipa-compliance | 10 +++ install/tools/ipa-replica-install | 2 +- ipalib/plugins/automember.py | 9 -- ipalib/plugins/baseldap.py| 58 +++ ipalib/plugins/krbtpolicy.py | 6 ++-- ipalib/plugins/permission.py | 6 ++-- ipalib/plugins/sudorule.py| 8 -- ipalib/plugins/trust.py | 2 +- ipalib/plugins/user.py| 9 ++ ipaserver/ipaldap.py | 4 +-- ipaserver/plugins/ldap2.py| 2 -- 11 files changed, 73 insertions(+), 43 deletions(-) diff --git a/install/tools/ipa-compliance b/install/tools/ipa-compliance index c82e415..9b34350 100644 --- a/install/tools/ipa-compliance +++ b/install/tools/ipa-compliance @@ -116,7 +116,7 @@ def check_compliance(tmpdir, debug=False): hostcount = 0 # Get the hosts first try: -(entries, truncated) = conn.find_entries('(krblastpwdchange=*)', ['dn'], +(entries, truncated) = conn.find_entries('(krblastpwdchange=*)', [], DN(api.env.container_host, api.env.basedn), conn.SCOPE_ONELEVEL, size_limit = -1) @@ -136,10 +136,10 @@ def check_compliance(tmpdir, debug=False): available = 0 try: (entries, truncated) = conn.find_entries('(objectclass=ipaentitlement)', -['dn', 'userCertificate'], -DN(api.env.container_entitlements, api.env.basedn), -conn.SCOPE_ONELEVEL, -size_limit = -1) +['userCertificate'], +DN(api.env.container_entitlements, api.env.basedn), +conn.SCOPE_ONELEVEL, +size_limit = -1) for entry in entries: (dn, attrs) = entry diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 13c3260..846122d 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -572,7 +572,7 @@ def main(): config.dirman_password) found = False try: -entry = conn.find_entries(u'fqdn=%s' % host, ['dn', 'fqdn'], DN(api.env.container_host, api.env.basedn)) +entry = conn.find_entries(u'fqdn=%s' % host, ['fqdn'], DN(api.env.container_host, api.env.basedn)) print The host %s already exists on the master server.\nYou should remove it before proceeding: % host print %% ipa host-del %s % host found = True diff --git a/ipalib/plugins/automember.py b/ipalib/plugins/automember.py index af39f6a..520f8a0 100644 --- a/ipalib/plugins/automember.py +++ b/ipalib/plugins/automember.py @@ -316,10 +316,12 @@ class automember_add_condition(LDAPUpdate): except errors.NotFound: failed['failed'][attr].append(regex) +entry_attrs = entry_to_dict(entry_attrs, **options) + # Set failed and completed to they can be harvested in the execute super setattr(context, 'failed', failed) setattr(context, 'completed', completed) -setattr(context, 'entry_attrs', dict(entry_attrs)) +setattr(context, 'entry_attrs', entry_attrs) # Make sure to returned the failed results if there is nothing to remove if completed == 0: @@ -406,10 +408,13 @@ class automember_remove_condition(LDAPUpdate): else: failed['failed'][attr].append(regex) entry_attrs[attr] = old_entry + +entry_attrs = entry_to_dict(entry_attrs, **options) + # Set failed and completed to they can be harvested in the execute super setattr(context, 'failed', failed) setattr(context, 'completed', completed) -setattr(context, 'entry_attrs', dict(entry_attrs)) +setattr(context, 'entry_attrs', entry_attrs) # Make sure to returned the failed results if there is nothing to remove if completed == 0: diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 44751e1..74e2384 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -229,6 +229,12 @@ def entry_from_entry(entry, newentry): for e in
Re: [Freeipa-devel] [PATCH 0035] Use default.conf as flag of IPA client being installed
On 02/20/2013 10:31 AM, Tomas Babej wrote: Hi, When installing / uninstalling IPA client, the checks that determine whether IPA client is installed now take the existence of /etc/ipa/default.conf into consideration. The client will not uninstall unless either something is backed up or /etc/ipa/default.conf file does exist. The client will not install if something is backed up or default.conf file does exist (unless it's installation on master). https://fedorahosted.org/freeipa/ticket/3331 Tomas Can we create a function testing if ipa client is installed to avoid duplication of the decision logic? Something like is_ipa_configured present in ipaserver/install/installutils.py. Keep in mind that we cannot use ipaserver package as it may not be present on client. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 240-252 AMD modules and Web UI build
On 01/18/2013 03:16 PM, Petr Vobornik wrote: On 01/18/2013 03:11 AM, Endi Sukma Dewata wrote: On 1/17/2013 8:01 PM, Petr Vobornik wrote: On 01/17/2013 04:24 AM, Endi Sukma Dewata wrote: Nice work! They seem to be working fine so it's ACKed. I found a little error - there is a jsl problem in dojo.profile:86 - comma at the end of a list. Updated patch 243 attached. ACK. Pushed to master. Pushed to ipa-3-1 -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 228-237 Confirmation of dialogs by keyboard, better password dialogs
On 01/07/2013 12:53 PM, Petr Vobornik wrote: On 11/27/2012 04:50 PM, Endi Sukma Dewata wrote: On 11/20/2012 6:54 AM, Petr Vobornik wrote: New design page: http://www.freeipa.org/page/V3/WebUI_keyboard_confirmation Link to design page was added to tickets #3200 and #2910. In the ticket list of previous mail is a mistake. This effort is related to tickets #3200, #2910 and #2884. Probably commit messages should be amended. ACK. Pushed to master. Pushed to ipa-3-1 -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] Web UI: ipa-3-1 and master are equal
I pushed Web UI patches which were in master but not in ipa-3-1 branch to ipa-3-1 branch. 2808a5ac01483275a75c0c0cbf9836a7e21a2041 Fix BuildRequires: rhino replaced with java-1.7.0-openjdk 95a191e98177d56bee32d5844f34241d5b987663 Change tests to use AMD loader aec35465fed1771e45f9755c80781bf478087fa9 Updated makefiles to build FreeIPA Web UI layer 591041d54d22703153ff2d7793d2a45a634152ff Change Web UI sources to simple AMD modules e472a3419e60cda05978994db3915962a241a86f AMD config file 193d0ac9d23b0a8873846e2797e001fe83e1d2f3 Update JavaScript Lint configuration file 5ae3f90500cac3bbe26210635a1fbd304def474c Move of core Web UI files to AMD directory 27d9348139ef7b603bc515cf5bbbac78f1e416a2 Move of Web UI non AMD dep. libs to libs subdirectory 16f9038b3e105d9ac6099be25404c3e6cf31d89c Web UI Sync development utility 146f3a73b00cbbafc734578c767b932030bc1aec Web UI development environment directory structure and configuration 2ae4e649a72838cbbfa68818c183d20fcf11151c Minimal Dojo layer 4a4cbdecc2c1fec377fe6839a1897d2c6dd3 Config files for builder of FreeIPA UI layer e8db24fdb989e6cb68f7a6eb8cdbca1b77c35721 Dojo Builder d7b25b0bd34568d28f74a3dfc27f520bc7f094b9 Use Uglify.js for JS optimization 69cbbd10a11736754e5137e394b3f87291cb0fd2 Enable mod_deflate 06a6ef87d81a0300c716dac47a998dcbc38fbcc2 Focus first input element after 'Add and Add another' 8e3b09310e615036570ab29fb7c2d1f3009aa2b2 Standardize login password reset, user reset password and host set OTP dialogs d68dd2138d546673c1dae90e6dfc977ed0b82cd4 Confirm association dialogs by enter b1632ffa52b2a2f30f3d83aaabc958e4a9928c0e Focus last dialog when some is closed 69185978eb8b9b206fda13af49e9885cc4a150b7 Confirm error dialog by enter 40a5d90cfe2077d847841ce46a859ca9ade97a61 Confirm adder dialog by enter c3de70c77bae2b184b52b6029c4146b8312be784 Confirm mixin c66c8202919f10a65fddf3b97355a87c39b8ba2b Make confirm_dialog a base class for message_dialog 92aa635be56fe6e991e902ece369a7bbf57a018d Make confirm_dialog a base class for deleter dialog 9806eae286764e35a218d9e3f832a6c85a7ca929 Make confirm_dialog a base class of revoke and restore certificate dialogs b238fc13ef98afb0bae4c479be1fc2c7fa94468d Avoid internal error when user is not Trust admin -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0035] Use default.conf as flag of IPA client being installed
On 02/21/2013 01:29 PM, Tomas Babej wrote: On 02/21/2013 12:47 PM, Martin Kosek wrote: On 02/20/2013 10:31 AM, Tomas Babej wrote: Hi, When installing / uninstalling IPA client, the checks that determine whether IPA client is installed now take the existence of /etc/ipa/default.conf into consideration. The client will not uninstall unless either something is backed up or /etc/ipa/default.conf file does exist. The client will not install if something is backed up or default.conf file does exist (unless it's installation on master). https://fedorahosted.org/freeipa/ticket/3331 Tomas Can we create a function testing if ipa client is installed to avoid duplication of the decision logic? Something like is_ipa_configured present in ipaserver/install/installutils.py. Keep in mind that we cannot use ipaserver package as it may not be present on client. Martin Moved to is_ipa_client_installed function to ipautils.py Updated patch attached. Tomas You just created a nice import loop: # make rpms ... if [ != yes ]; then \ ./makeapi --validate; \ fi Traceback (most recent call last): File ./makeapi, line 457, in module sys.exit(main()) File ./makeapi, line 428, in main api.finalize() File /root/freeipa-master/ipalib/plugable.py, line 674, in finalize self.__do_if_not_done('load_plugins') File /root/freeipa-master/ipalib/plugable.py, line 454, in __do_if_not_done getattr(self, name)() File /root/freeipa-master/ipalib/plugable.py, line 613, in load_plugins self.import_plugins('ipalib') File /root/freeipa-master/ipalib/plugable.py, line 655, in import_plugins __import__(fullname) File /root/freeipa-master/ipalib/plugins/cert.py, line 30, in module from ipalib import pkcs10 File /root/freeipa-master/ipalib/pkcs10.py, line 24, in module from ipapython import ipautil File /root/freeipa-master/ipapython/ipautil.py, line 52, in module from ipapython import sysrestore File /root/freeipa-master/ipapython/sysrestore.py, line 34, in module from ipapython import ipautil ImportError: cannot import name ipautil make: *** [version-update] Error 1 Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0182 Fix permission validation and normalization in aci.py
This patch fixes an internal error in the permission plugin that would become more noticeable when CSV is dropped. https://fedorahosted.org/freeipa/ticket/3420 -- Petr³ From c9928467ea776d444208d329cd03bff3eac3b597 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Thu, 14 Feb 2013 07:23:06 -0500 Subject: [PATCH] Fix permission validation and normalization in aci.py The code split the permission string on commas, essentially doing poor man's CSV parsing. So if a permission contained a comma-separated list of valid permissions, validation would pass but we'd get errors later. https://fedorahosted.org/freeipa/ticket/3420 --- ipalib/plugins/aci.py | 23 ++- 1 files changed, 10 insertions(+), 13 deletions(-) diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index 7c4e8a549797a9893d6343d0c7126e0754dbf561..2860ac8b1d33664139ec5b64583c9078c8c1b0ad 100644 --- a/ipalib/plugins/aci.py +++ b/ipalib/plugins/aci.py @@ -392,21 +392,18 @@ def _find_aci_by_name(acis, aciprefix, aciname): return a raise errors.NotFound(reason=_('ACI with name %s not found') % aciname) -def validate_permissions(ugettext, permissions): -valid_permissions = [] -permissions = permissions.split(',') -for p in permissions: -p = p.strip().lower() -if not p in _valid_permissions_values: - return '%s is not a valid permission' % p -def _normalize_permissions(permissions): +def validate_permissions(ugettext, perm): +perm = perm.strip().lower() +if perm not in _valid_permissions_values: +return '%s is not a valid permission' % perm + + +def _normalize_permissions(perm): valid_permissions = [] -permissions = permissions.split(',') -for p in permissions: -p = p.strip().lower() -if p not in valid_permissions: -valid_permissions.append(p) +perm = perm.strip().lower() +if perm not in valid_permissions: +valid_permissions.append(perm) return ','.join(valid_permissions) _prefix_option = StrEnum('aciprefix', -- 1.7.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0104-0106 Provide means of displaying warning and informational messages on clients
On 02/21/2013 12:50 PM, Petr Viktorin wrote: On 02/20/2013 05:17 PM, Martin Kosek wrote: On 02/19/2013 12:15 PM, Petr Viktorin wrote: On 02/13/2013 11:18 AM, Petr Viktorin wrote: On 01/29/2013 05:06 PM, Petr Viktorin wrote: On 01/04/2013 07:20 PM, Petr Viktorin wrote: On 12/14/2012 09:04 AM, Jan Cholasta wrote: On 13.12.2012 18:09, Petr Viktorin wrote: On 12/13/2012 04:43 PM, Martin Kosek wrote: On 12/13/2012 10:59 AM, Petr Viktorin wrote: It's time to give this to another set of eyes :) Design document: http://freeipa.org/page/V3/Messages Ticket: https://fedorahosted.org/freeipa/ticket/2732 More info is in commit messages. Because of https://fedorahosted.org/freeipa/ticket/3294, I needed to change the design document: when the client doesn't send the API version, it is assumed it's at a version before capabilities were introduced (i.e. 2.47). The client still gets a warning if the version is missing. Except for those commands where IPA didn't send a version -- ping, cert-show, etc. -- the warning wouldn't pass validation on old clients. (I'm assuming that our client is so far the only one that validates so strictly.) I did a basic test of this patch and also quickly read through the patches and besides nitpicks (like unused inspect module in tests/test_ipalib/test_messages.py in patch 0105) I did not find any obvious errors in the Python code. Noted, will fix in future versions of the patch. However, this patch breaks WebUI badly, I did not even get to a log in screen. Cooperation with Petr Vobornik will be needed. In my case, I got blank screen and Javascript error: TypeError: IPA.messages.dialogs is undefined https://vm-037.idm.lab.bos.redhat.com/ipa/ui/ipa.js Line 1460 I assume this is related to the Internal Error that was returned in the JSON call { error: null, id: null, principal: ad...@idm.lab.bos.redhat.com, result: { count: 5, results: [ { error: an internal error has occurred, error_code: 903, error_name: InternalError }, { ... This can be reproduced with: # curl -v -H Content-Type:application/json -H referer:https://`hostname`/ipa; -H Accept:applicaton/json --negotiate -u : --cacert /etc/ipa/ca.crt -d '{method:i18n_messages,params:[[],{}],id:0}' -X POST https://`hostname`/ipa/json Good catch! The i18n_messages plugin already defines a messages output. When I renamed this from warnings to messages I forgot to check for clashes. Since i18n_messages is an internal command only used by the Web UI, we can rename its output to texts without breaking compatibility. I'm attaching a preliminary fix (for both backend and UI), but hopefully it won't be necessary, see below. I am also not sure I like the requirement of a specific version option to be always passed. I would prefer that missing version option would mean I use the most recent version of API instead - it would make the custom JSONRPC/XMLRPC calls easier to use. But since the version option was not being sent for some commands, we may not have a choice anyway if we do not want to break old clients in case we add some capabilities to these commands. I see three other options, all worse: - Do not use capabilities for the affected commands, meaning no new functionality can be added to them (and by extension, no new functionality common to all commands can be added). - Treat a missing version as the current version - Break backwards compatibility And one possibly better (thanks to Petr¹ and Martin for opening my eyes off-list!): - Deprecate XML-RPC. All XML-RPC requests would be pinned to current version (2.47). Capabilities/messages would only apply to JSON-RPC. This would also allow us to solve the above name-clashing problem elegantly. Here is a reminder of what a JSON response looks like: { error: null, id: 0, principal: ad...@idm.lab.bos.redhat.com, result: { summary: IPA server version 3.1.0GIT2e4bd02. API version 2.47 }, version: 3.1.0GIT2e4bd02 } A XML-RPC response only contains the result part of that. So with JSON, we can put the messages in the top level, which is much better design. Custom info in the top level seems to be a violation of the JSON-RPC spec. I'd rather not do more of those, so I'm withdrawing this idea. XML-RPC sucks in other ways too. We already have a workaround for its inability to attach extra info to errors (commit 88262a75ffe7a25640333dcc4da2100830cae821, Add instructions support to PublicError). I've opened a RFC here: https://fedorahosted.org/freeipa/ticket/3299. +1, XML-RPC sucks. This should have been done a long time ago. Honza Here are new patches. XML-RPC requests with missing version are assumed to be old (the version before capabilities are introduced, 2.47). This
Re: [Freeipa-devel] [PATCH] 256-258 Web UI: removed build dependency errors
On 02/19/2013 04:12 AM, Endi Sukma Dewata wrote: ACK. Pushed to master, ipa-3-1 -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 372 Use fixed test domain in realmdomains test
Fixes test unit broken on some systems. Pushed as a one-liner. Martin From c0c07f1f6afc6ddc497545474ec2144f69382a30 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 21 Feb 2013 13:40:20 +0100 Subject: [PATCH] Use fixed test domain in realmdomains test Random domain name may bring undererministic behavior. It also breaks the test on some systems as string.lowercase is locale dependent and can return non-ASCII letters and thus later break the unicode encoding and raise UnicodeDecodeError. Use a fixed domain in test TLD instead. This domain is guaranteed to be not existent. --- tests/test_xmlrpc/test_realmdomains_plugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_xmlrpc/test_realmdomains_plugin.py b/tests/test_xmlrpc/test_realmdomains_plugin.py index 11231638251abd793596f054787c500bdce80b9e..539643b0dab7b8fd25a177d3d17f45f4ab63b748 100644 --- a/tests/test_xmlrpc/test_realmdomains_plugin.py +++ b/tests/test_xmlrpc/test_realmdomains_plugin.py @@ -32,7 +32,7 @@ dn = DN(('cn', cn), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) our_domain = api.env.domain new_domain_1 = u'example1.com' new_domain_2 = u'example2.com' -bad_domain = u'this-domain-does-not-exist-%s.com' % ''.join(random.choice(string.lowercase) for x in range(10)) +bad_domain = u'doesnotexist.test' class test_realmdomains(Declarative): -- 1.8.1.2 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 0024-0025] Improvements to idrange.py
On 02/20/2013 03:19 PM, Tomas Babej wrote: On Wed 20 Feb 2013 02:24:03 PM CET, Alexander Bokovoy wrote: On Wed, 20 Feb 2013, Tomas Babej wrote: On 12/21/2012 12:15 PM, Tomas Babej wrote: Hi, Sending updated and rebased versions of patches 0024 and 0025. Tomas Sending rebased version, these got quite rotten. Thanks for updating them. @@ -504,25 +515,37 @@ class idrange_mod(LDAPUpdate): 'not be found. Please specify the SID directly ' 'using dom-sid option.')) -try: -(old_dn, old_attrs) = ldap.get_entry(dn, -['ipabaseid', -'ipaidrangesize', -'ipabaserid', -'ipasecondarybaserid']) -except errors.NotFound: -self.obj.handle_not_found(*keys) +if in_updated_attrs('ipanttrusteddomainsid'): +if in_updated_attrs('ipasecondarybaserid'): +raise errors.ValidationError(name='ID Range setup', +error=_('Options dom_sid and secondary_rid_base cannot ' +'be used together')) Since we agreed to refer to options by their CLI name (--dom-sid and --secondary-rid-base) in the other patch, it makes sense to use it here too. -if is_set('ipanttrusteddomainsid'): -# Validate SID as the one of trusted domains - self.obj.validate_trusted_domain_sid(entry_attrs['ipanttrusteddomainsid']) +if not in_updated_attrs('ipabaserid'): +raise errors.ValidationError(name='ID Range setup', +error=_('Options dom_sid and rid_base must ' +'be used together')) Same here. +# secondary base rid must be set if and only if base rid is set +if in_updated_attrs('ipasecondarybaserid') !=\ +in_updated_attrs('ipabaserid'): +raise errors.ValidationError(name='ID Range setup', +error=_('Options secondary_rid_base and rid_base must ' +'be used together')) Same here. +dict( +desc='Try to modify ID range %r so it has only primary rid range set' % (testrange8), +command=('idrange_mod', [testrange8], + dict(ipabaserid=testrange8_base_rid)), +expected=errors.ValidationError( +name='ID Range setup', error='Options secondary_rid_base and rid_base must be used together'), +), And synchronize error message here too. Thanks! Sending the updated patch 0024. Tomas In patch 0024 your intention is OK, but the checking functions are not: is_set = lambda x: (x in entry_attrs) and (x is not None) +in_updated_attrs = lambda x: any((x in attrs and x is not None) + for attrs in (entry_attrs, old_attrs)) They return True even when the attribute is None because they check if *x* is None and not if *attrs[x]* is None. Example: # ipa idrange-add --base-id=120 --range-size=20 --rid-base=1000 --secondary-rid-base=100 local_range Added ID range local_range Range name: local_range First Posix ID of the range: 120 Number of IDs in the range: 20 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 100 Range type: local domain range This command should be NOOP, but is not: # ipa idrange-mod local_range --dom-sid= ipa: ERROR: invalid 'ID Range setup': Options dom-sid and secondary-rid-base cannot be used together Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] patch for trac 2575
Thanks Brian. I still see few issues though: 1) The patch adds a whitespace error: $ git apply ~/freeipa-bcook-0001-Add-DNS-Setup-Prompt-to-Install.patch /home/mkosek/freeipa-bcook-0001-Add-DNS-Setup-Prompt-to-Install.patch:41: trailing whitespace. warning: 1 line adds whitespace errors 2) It does unrelated and unnecessary changes to the main function: --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -560,10 +560,16 @@ def set_subject_in_config(realm_name, dm_password, suffix, subject_base): conn.disconnect() def main(): + + + +:return: + global ds global pw_name global uninstalling global installation_cleanup + ds = None safe_options, options = parse_options() 3) In the question, I would replace bind with BIND as this is how the project should be spelled. I see that few lines above we also refer to BIND with bind (it may have caused the confusion), I think this can be fixed too. Martin On 02/15/2013 03:07 AM, Brian Cook wrote: Thanks Martin and Dmitri. I have attached a patch that I -think- is formatted correctly... I removed the new variable and added check for --unattended. Thanks, Brian --- *From: *Martin Kosek mko...@redhat.com *To: *d...@redhat.com *Cc: *freeipa-devel@redhat.com *Sent: *Wednesday, February 13, 2013 11:16:51 PM *Subject: *Re: [Freeipa-devel] patch for trac 2575 On 02/14/2013 03:49 AM, Dmitri Pal wrote: On 02/13/2013 05:20 PM, Brian Cook wrote: Please disregard the first patch as it still asked the user if they want to install DNS even if --setup-dns was passed, this one is fixed. Brian Brian, Thanks for the patch. Can you please format it following these guidelines: https://fedorahosted.org/freeipa/wiki/PatchFormat Thanks Dmitri Hello Brian, Thanks for the patch! Also few technical notes: 1) There is no need to invent the new variable, you can ask and set options.setup_dns to True. We already to this in other parts incode 2) This patch would --unattended mode when no --setup-dns is passed Martin diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 1559107..96ef802 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -564,6 +564,7 @@ def main(): global pw_name global uninstalling global installation_cleanup + ds = None safe_options, options = parse_options() @@ -740,8 +741,18 @@ def main(): admin_password = reverse_zone = None -# check bind packages are installed +# Setup a variable to use instead of options.setup_dns to enable interactive DNS selection +setup_dns=False if options.setup_dns: +setup_dns=True +else: +# Ask user if they want to install DNS +if ipautil.user_input(Do you want to configure integrated DNS (bind)?, False): +setup_dns=True + + +# check bind packages are installed +if setup_dns: if not bindinstance.check_inst(options.unattended): sys.exit(Aborting installation) @@ -827,7 +838,7 @@ def main(): else: admin_password = options.admin_password -if options.setup_dns: +if setup_dns: if options.no_forwarders: dns_forwarders = () elif options.forwarders: @@ -858,7 +869,7 @@ def main(): print Realm name:%s % realm_name print -if options.setup_dns: +if setup_dns: print BIND DNS server will be configured to serve IPA domain with: print Forwarders:%s % (No forwarders if not dns_forwarders \ else , .join([str(ip) for ip in dns_forwarders])) @@ -1102,7 +1113,7 @@ def main(): persistent_search=options.persistent_search, serial_autoincrement=options.serial_autoincrement, ca_configured=not options.selfsign) -if options.setup_dns: +if setup_dns: api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password) bind.create_instance() @@ -1147,11 +1158,11 @@ def main(): print \t\t * 80, 443: HTTP/HTTPS print \t\t * 389, 636: LDAP/LDAPS print \t\t * 88, 464: kerberos -if options.setup_dns: +if setup_dns: print \t\t * 53: bind print \t\tUDP Ports: print \t\t * 88, 464: kerberos -if options.setup_dns: +if setup_dns: print \t\t * 53: bind if options.conf_ntp: print \t\t * 123: ntp Message: 8 Date: Wed, 13 Feb 2013 13:39:32 -0800 From: Brian Cook bc...@redhat.com To: freeipa-devel@redhat.com freeipa-devel@redhat.com Subject: [Freeipa-devel] patch for trac 2575 Message-ID: 9dd1d1bb-6b86-4ea1-b61b-b208e6bc7...@redhat.com Content-Type: text/plain; charset=windows-1252 This is a patch
Re: [Freeipa-devel] [PATCH 0035] Use default.conf as flag of IPA client being installed
On 02/21/2013 01:50 PM, Martin Kosek wrote: On 02/21/2013 01:29 PM, Tomas Babej wrote: On 02/21/2013 12:47 PM, Martin Kosek wrote: On 02/20/2013 10:31 AM, Tomas Babej wrote: Hi, When installing / uninstalling IPA client, the checks that determine whether IPA client is installed now take the existence of /etc/ipa/default.conf into consideration. The client will not uninstall unless either something is backed up or /etc/ipa/default.conf file does exist. The client will not install if something is backed up or default.conf file does exist (unless it's installation on master). https://fedorahosted.org/freeipa/ticket/3331 Tomas Can we create a function testing if ipa client is installed to avoid duplication of the decision logic? Something like is_ipa_configured present in ipaserver/install/installutils.py. Keep in mind that we cannot use ipaserver package as it may not be present on client. Martin Moved to is_ipa_client_installed function to ipautils.py Updated patch attached. Tomas You just created a nice import loop: ... I made the function part of ipa-client-install script then. We probably will not need to check whether client is installed anywhere else. Tomas From 9351410b0dc3958a7dcd67ef404568f839f22bfe Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Tue, 19 Feb 2013 17:59:50 +0100 Subject: [PATCH] Use default.conf as flag of IPA client being installed When installing / uninstalling IPA client, the checks that determine whether IPA client is installed now take the existence of /etc/ipa/default.conf into consideration. The client will not uninstall unless either something is backed up or /etc/ipa/default.conf file does exist. The client will not install if something is backed up or default.conf file does exist (unless it's installation on master). https://fedorahosted.org/freeipa/ticket/3331 --- ipa-client/ipa-install/ipa-client-install | 21 ++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 2d32e28ece72c1058152787058c83ae5b06df64c..308c3f8d0ec39e1e7f048d37a34738bf6a4853e2 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -36,7 +36,9 @@ try: from ipaclient.ipadiscovery import CACERT import ipaclient.ipachangeconf import ipaclient.ntpconf -from ipapython.ipautil import run, user_input, CalledProcessError, file_exists, realm_to_suffix, convert_ldap_error +from ipapython.ipautil import run, user_input, CalledProcessError,\ + file_exists, realm_to_suffix,\ + convert_ldap_error import ipapython.services as ipaservices from ipapython import ipautil from ipapython import sysrestore @@ -281,9 +283,22 @@ def delete_ipa_domain(): root_logger.warning(IPA domain could not be deleted. No access to the /etc/sssd/sssd.conf file.) +def is_ipa_client_installed(on_master=False): + +Consider IPA client not installed if nothing is backed up +and default.conf file does not exist. If on_master is set to True, +the existence of default.conf file is not taken into consideration, +since it has been already created by ipa-server-install. + + +installed = fstore.has_files() or \ + (not on_master and os.path.exists('/etc/ipa/default.conf')) + +return installed + def uninstall(options, env): -if not fstore.has_files(): +if not is_ipa_client_installed(): root_logger.error(IPA client is not configured on this system.) return CLIENT_NOT_CONFIGURED @@ -2326,7 +2341,7 @@ def main(): if options.uninstall: return uninstall(options, env) -if fstore.has_files(): +if is_ipa_client_installed(on_master=options.on_master): root_logger.error(IPA client is already configured on this system.) root_logger.info( If you want to reinstall the IPA client, uninstall it first + -- 1.7.11.7 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0115] Add support for DNAME substitution
On 21.2.2013 16:21, Petr Spacek wrote: Hello, Add support for DNAME substitution. https://fedorahosted.org/bind-dyndb-ldap/ticket/63 And now the patch :-) -- Petr^2 Spacek From dc1215e8a82d3993f69436b4de9ff91ea16f4369 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 21 Feb 2013 13:34:52 +0100 Subject: [PATCH] Add support for DNAME substitution. https://fedorahosted.org/bind-dyndb-ldap/ticket/63 Signed-off-by: Petr Spacek pspa...@redhat.com --- src/ldap_driver.c | 22 +++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/src/ldap_driver.c b/src/ldap_driver.c index cde09ee8aa3c9332f3766a031030a95b0cff3229..9cae66b3950323221d3319649fc7b86ef25a5d68 100644 --- a/src/ldap_driver.c +++ b/src/ldap_driver.c @@ -457,7 +457,6 @@ cleanup: return result; } -/* XXX add support for DNAME redirection */ static isc_result_t find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, dns_rdatatype_t type, unsigned int options, isc_stdtime_t now, @@ -469,6 +468,7 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, ldapdb_node_t *node = NULL; dns_rdatalist_t *rdlist = NULL; isc_boolean_t is_cname = ISC_FALSE; + isc_boolean_t is_dname = ISC_FALSE; isc_boolean_t is_delegation = ISC_FALSE; ldapdb_rdatalist_t rdatalist; unsigned int labels, qlabels; @@ -515,7 +515,20 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, continue; } - /* TODO: We should check for DNAME records right here */ + /* RFC 6672 section 2.3.: + Unlike a CNAME RR, a DNAME RR redirects DNS names + subordinate to its owner name; the owner name of a DNAME + is not redirected itself. */ + if (qlabels dns_name_countlabels(traversename)) { + rdlist = NULL; + result = ldapdb_rdatalist_findrdatatype(rdatalist, +dns_rdatatype_dname, +rdlist); + if (result == ISC_R_SUCCESS) { +is_dname = ISC_TRUE; +goto skipfind; + } + } /* * Check if there is at least one NS RR. If yes and this is not NS @@ -527,6 +540,7 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, if (dns_name_countlabels(db-origin) dns_name_countlabels(traversename) (options DNS_DBFIND_GLUEOK) == 0) { + rdlist = NULL; result = ldapdb_rdatalist_findrdatatype(rdatalist, dns_rdatatype_ns, rdlist); @@ -582,7 +596,7 @@ found: skipfind: CHECK(dns_name_copy(traversename, foundname, NULL)); - if (rdataset != NULL type != dns_rdatatype_any) { + if (rdataset != NULL (type != dns_rdatatype_any || is_dname)) { /* dns_rdatalist_tordataset returns success only */ CHECK(clone_rdatalist_to_rdataset(ldapdb-common.mctx, rdlist, rdataset)); @@ -600,6 +614,8 @@ skipfind: return DNS_R_DELEGATION; else if (is_cname) return DNS_R_CNAME; + else if (is_dname) + return DNS_R_DNAME; else return ISC_R_SUCCESS; -- 1.7.11.7 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0115] Add support for DNAME substitution
Hello, Add support for DNAME substitution. https://fedorahosted.org/bind-dyndb-ldap/ticket/63 -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0104-0106 Provide means of displaying warning and informational messages on clients
On 02/21/2013 03:09 PM, Petr Viktorin wrote: On 02/21/2013 02:06 PM, Martin Kosek wrote: On 02/21/2013 12:50 PM, Petr Viktorin wrote: On 02/20/2013 05:17 PM, Martin Kosek wrote: On 02/19/2013 12:15 PM, Petr Viktorin wrote: On 02/13/2013 11:18 AM, Petr Viktorin wrote: On 01/29/2013 05:06 PM, Petr Viktorin wrote: On 01/04/2013 07:20 PM, Petr Viktorin wrote: On 12/14/2012 09:04 AM, Jan Cholasta wrote: On 13.12.2012 18:09, Petr Viktorin wrote: On 12/13/2012 04:43 PM, Martin Kosek wrote: On 12/13/2012 10:59 AM, Petr Viktorin wrote: It's time to give this to another set of eyes :) Design document: http://freeipa.org/page/V3/Messages Ticket: https://fedorahosted.org/freeipa/ticket/2732 More info is in commit messages. Because of https://fedorahosted.org/freeipa/ticket/3294, I needed to change the design document: when the client doesn't send the API version, it is assumed it's at a version before capabilities were introduced (i.e. 2.47). The client still gets a warning if the version is missing. Except for those commands where IPA didn't send a version -- ping, cert-show, etc. -- the warning wouldn't pass validation on old clients. (I'm assuming that our client is so far the only one that validates so strictly.) I did a basic test of this patch and also quickly read through the patches and besides nitpicks (like unused inspect module in tests/test_ipalib/test_messages.py in patch 0105) I did not find any obvious errors in the Python code. Noted, will fix in future versions of the patch. However, this patch breaks WebUI badly, I did not even get to a log in screen. Cooperation with Petr Vobornik will be needed. In my case, I got blank screen and Javascript error: TypeError: IPA.messages.dialogs is undefined https://vm-037.idm.lab.bos.redhat.com/ipa/ui/ipa.js Line 1460 I assume this is related to the Internal Error that was returned in the JSON call { error: null, id: null, principal: ad...@idm.lab.bos.redhat.com, result: { count: 5, results: [ { error: an internal error has occurred, error_code: 903, error_name: InternalError }, { ... This can be reproduced with: # curl -v -H Content-Type:application/json -H referer:https://`hostname`/ipa; -H Accept:applicaton/json --negotiate -u : --cacert /etc/ipa/ca.crt -d '{method:i18n_messages,params:[[],{}],id:0}' -X POST https://`hostname`/ipa/json Good catch! The i18n_messages plugin already defines a messages output. When I renamed this from warnings to messages I forgot to check for clashes. Since i18n_messages is an internal command only used by the Web UI, we can rename its output to texts without breaking compatibility. I'm attaching a preliminary fix (for both backend and UI), but hopefully it won't be necessary, see below. I am also not sure I like the requirement of a specific version option to be always passed. I would prefer that missing version option would mean I use the most recent version of API instead - it would make the custom JSONRPC/XMLRPC calls easier to use. But since the version option was not being sent for some commands, we may not have a choice anyway if we do not want to break old clients in case we add some capabilities to these commands. I see three other options, all worse: - Do not use capabilities for the affected commands, meaning no new functionality can be added to them (and by extension, no new functionality common to all commands can be added). - Treat a missing version as the current version - Break backwards compatibility And one possibly better (thanks to Petr¹ and Martin for opening my eyes off-list!): - Deprecate XML-RPC. All XML-RPC requests would be pinned to current version (2.47). Capabilities/messages would only apply to JSON-RPC. This would also allow us to solve the above name-clashing problem elegantly. Here is a reminder of what a JSON response looks like: { error: null, id: 0, principal: ad...@idm.lab.bos.redhat.com, result: { summary: IPA server version 3.1.0GIT2e4bd02. API version 2.47 }, version: 3.1.0GIT2e4bd02 } A XML-RPC response only contains the result part of that. So with JSON, we can put the messages in the top level, which is much better design. Custom info in the top level seems to be a violation of the JSON-RPC spec. I'd rather not do more of those, so I'm withdrawing this idea. XML-RPC sucks in other ways too. We already have a workaround for its inability to attach extra info to errors (commit 88262a75ffe7a25640333dcc4da2100830cae821, Add instructions support to PublicError). I've opened a RFC here: https://fedorahosted.org/freeipa/ticket/3299. +1, XML-RPC sucks. This should have been done a long time ago. Honza Here are new patches.
[Freeipa-devel] [PATCHES] 0183-0185 Drop CSV support
These patches remove CSV parsing from the client. Ticket: https://fedorahosted.org/freeipa/ticket/3352 Design: http://freeipa.org/page/V3/Drop_CSV The design page also talks about adding a warning for the user when they seem to use CSV, but this will need the JSON transport so it's not included in these patches. The csv flag is left on parameters so when that warning is added, we know for which params to show it. -- Petr³ From ff0945e5246b06f3ea9a3be2c3b38ab098e42fae Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Thu, 14 Feb 2013 11:34:16 -0500 Subject: [PATCH] Remove csv_separator and csv_skipspace Param arguments These were never set to anything but the defaults. Part of work for https://fedorahosted.org/freeipa/ticket/3352 --- ipalib/parameters.py | 14 +++--- make-lint|2 +- tests/test_ipalib/test_parameters.py | 31 --- 3 files changed, 4 insertions(+), 43 deletions(-) diff --git a/ipalib/parameters.py b/ipalib/parameters.py index 2e26923ddc1bd14fbb04b0a4f28d79368f37552a..9fed0fd5dc29b5a86cc681e07ba4e1dfc1311a86 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -356,10 +356,6 @@ class Param(ReadOnly): - sortorder: used to sort a list of parameters for Command. See `Command.finalize()` for further information - csv: this multivalue attribute is given in CSV format - - csv_separator: character that separates values in CSV (comma by -default) - - csv_skipspace: if true, leading whitespace will be ignored in -individual CSV values # This is a dummy type so that most of the functionality of Param can be @@ -393,8 +389,6 @@ class Param(ReadOnly): ('alwaysask', bool, False), ('sortorder', int, 2), # see finalize() ('csv', bool, False), -('csv_separator', str, ','), -('csv_skipspace', bool, True), ('option_group', unicode, None), # The 'default' kwarg gets appended in Param.__init__(): @@ -690,9 +684,8 @@ class Param(ReadOnly): def __unicode_csv_reader(self, unicode_csv_data, dialect=csv.excel, **kwargs): # csv.py doesn't do Unicode; encode temporarily as UTF-8: csv_reader = csv.reader(self.__utf_8_encoder(unicode_csv_data), -dialect=dialect, -delimiter=self.csv_separator, quotechar='', -skipinitialspace=self.csv_skipspace, +dialect=dialect, delimiter=',', quotechar='', +skipinitialspace=True, **kwargs) try: for row in csv_reader: @@ -967,8 +960,7 @@ class Param(ReadOnly): json_exclude_attrs = ( 'alwaysask', 'autofill', 'cli_name', 'cli_short_name', 'csv', -'csv_separator', 'csv_skipspace', 'sortorder', 'falsehoods', 'truths', -'version', +'sortorder', 'falsehoods', 'truths', 'version', ) def __json__(self): diff --git a/make-lint b/make-lint index 1b274b17376765c87e13e27e4c682be6445a36c8..7c5ec924508a9bf410a41d6a039bda616511d981 100755 --- a/make-lint +++ b/make-lint @@ -67,7 +67,7 @@ class IPATypeChecker(TypeChecker): 'default', 'doc', 'required', 'multivalue', 'primary_key', 'normalizer', 'default_from', 'autofill', 'query', 'attribute', 'include', 'exclude', 'flags', 'hint', 'alwaysask', 'sortorder', -'csv', 'csv_separator', 'csv_skipspace', 'option_group'], +'csv', 'option_group'], 'ipalib.parameters.Bool': ['truths', 'falsehoods'], 'ipalib.parameters.Data': ['minlength', 'maxlength', 'length', 'pattern', 'pattern_errmsg'], diff --git a/tests/test_ipalib/test_parameters.py b/tests/test_ipalib/test_parameters.py index 12270a94f391e4ce410d8b08e70a6e0948f18c3f..47c5de1fccec1915d4c3d61db3bcd4ecec3505d2 100644 --- a/tests/test_ipalib/test_parameters.py +++ b/tests/test_ipalib/test_parameters.py @@ -203,8 +203,6 @@ class test_Param(ClassChecker): assert o.flags == frozenset() assert o.sortorder == 2 assert o.csv is False -assert o.csv_separator == ',' -assert o.csv_skipspace is True # Test that doc defaults from label: o = self.cls('my_param', doc=_('Hello world')) @@ -635,35 +633,6 @@ class test_Param(ClassChecker): assert e.name == 'my_list' assert e.error == u'Improperly formatted CSV value (newline inside string)' -def test_split_csv_separator(self): - -Test the `ipalib.parameters.Param.split_csv` method with csv and a separator. - -o = self.cls('my_list+', csv=True, csv_separator='|') - -n = o.split_csv('a') -assert type(n) is tuple -assert len(n) is 1 - -n = o.split_csv('a|b') -assert type(n) is tuple -