Re: [Freeipa-devel] [PATCH] 694 webui: new navigation structure
On Wed, Jul 02, 2014 at 04:14:13PM +0200, Petr Vobornik wrote: https://fedorahosted.org/freeipa/ticket/4418 according to latest proposal:http://www.redhat.com/archives/freeipa-devel/2014-June/msg00839.html -- Petr Vobornik Haven't run the webui tests but lines up with the proposal and looks very nice! ACK if webui tests pass. From 97cc94163e8ae57058b07741c7d70e44697c113f Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Wed, 2 Jul 2014 15:09:22 +0200 Subject: [PATCH] webui: new navigation structure https://fedorahosted.org/freeipa/ticket/4418 --- install/ui/src/freeipa/certificate.js | 2 +- install/ui/src/freeipa/dns.js | 2 +- install/ui/src/freeipa/navigation/menu_spec.js | 195 +++-- install/ui/test/data/ipa_init.json | 2 + ipalib/plugins/internal.py | 2 + ipatests/test_webui/test_navigation.py | 62 +--- ipatests/test_webui/ui_driver.py | 2 +- 7 files changed, 160 insertions(+), 107 deletions(-) diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js index 01dfee2b64c14f487b66b91d449f63b6415dea69..6a11d959398517db6f720a36ff2a323e1d0c74a7 100755 --- a/install/ui/src/freeipa/certificate.js +++ b/install/ui/src/freeipa/certificate.js @@ -1293,7 +1293,7 @@ IPA.cert.cert_update_policy = function(spec) { exp.remove_menu_item = function() { if (!IPA.cert.is_enabled()) { -menu.remove_item('identity/cert'); +menu.remove_item('authentication/cert'); } }; diff --git a/install/ui/src/freeipa/dns.js b/install/ui/src/freeipa/dns.js index c7143ca91fef9bbc372654080fe899be1ae8367f..a566ccf61adcf4f688ac803bf5e3658b4f3a0253 100644 --- a/install/ui/src/freeipa/dns.js +++ b/install/ui/src/freeipa/dns.js @@ -2543,7 +2543,7 @@ IPA.network_validator = function(spec) { exp.remove_menu_item = function() { if (!IPA.dns_enabled) { -menu.remove_item('identity/dns'); +menu.remove_item('network_services/dns'); } }; 
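Review bot: In the certificate.js hunk the new path 'authentication/cert' is a bare string that has to match a node in menu_spec.js, but the menu_spec.js hunk sent with this patch does not show an 'authentication' subtree, so the match cannot be checked from the diff; if menu.remove_item() ignores an unknown path, a mismatch would silently leave the Certificates item in the menu on a CA-less install. Suggest a test in test_navigation.py that asserts the item is absent when IPA.cert.is_enabled() returns false, or defining the path once next to the menu spec and referencing it from here instead of repeating the literal.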
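Review bot: In the dns.js hunk 'network_services/dns' likewise has to match the menu_spec.js tree, and no 'network_services' node appears in the part of the spec included in this patch. A DNS-less installation is exactly the case that would expose a wrong path here, so please cover remove_item for IPA.dns_enabled === false in the web UI tests rather than relying on a manual check.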
diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js index 01738cbe60b10bc0f1671093fc1616980780bac1..9182d11bf56c73e1fce724d438fe2211105b75ad 100644 --- a/install/ui/src/freeipa/navigation/menu_spec.js +++ b/install/ui/src/freeipa/navigation/menu_spec.js @@ -43,101 +43,134 @@ var nav = {}; { entity: 'netgroup' }, { entity: 'service' }, { +name: 'automember', +label: '@i18n:tabs.automember', +children: [ +{ +name: 'amgroup', +entity: 'automember', +facet: 'searchgroup', +label: '@i18n:objects.automember.usergrouprules', +children: [ +{ +entity: 'automember', +facet: 'usergrouprule', +hidden: true +} +] +}, +{ +name: 'amhostgroup', +entity: 'automember', +facet: 'searchhostgroup', +label: '@i18n:objects.automember.hostgrouprules', +children: [ +{ +entity: 'automember', +facet: 'hostgrouprule', +hidden: true +} +] +} +] +} +] +}, +{ +name: 'policy', +label: '@i18n:tabs.policy', +children: [ +{ +name: 'hbac', +label: '@i18n:tabs.hbac', +children: [ +{ entity: 'hbacrule' }, +{ entity: 'hbacsvc' }, +{ entity: 'hbacsvcgroup' }, +{ entity: 'hbactest' } +] +}, +{ +name: 'sudo', +label: '@i18n:tabs.sudo', +children: [ +{ entity: 'sudorule' }, +{ entity: 'sudocmd' }, +{ entity: 'sudocmdgroup' } +] +}, +{ entity: 'selinuxusermap' }, +{ entity: 'pwpolicy' }, +{ entity: 'krbtpolicy' } +] +
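Review bot: The menu_spec.js hunk is cut off after the sudo group, so the rest of the 'policy' subtree and the 'authentication' and 'network_services' nodes that certificate.js and dns.js now remove items from are not reviewable here; please resend the full file. Within the visible part, the two hidden automember children ({ entity: 'automember', facet: 'usergrouprule', hidden: true } and its hostgrouprule twin) carry no explicit name while sharing the same entity, so whatever name the navigation derives for them must not collide; giving them explicit names, as their 'amgroup' and 'amhostgroup' parents have, would make that guarantee visible in the spec.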
Re: [Freeipa-devel] [PATCHES 0080-0081] DNSSEC: Add experimental support for DNSSEC
On 2.7.2014 18:44, Petr Viktorin wrote: On 07/02/2014 06:25 PM, Petr Spacek wrote: On 27.6.2014 17:11, Martin Basti wrote: Ticket: https://fedorahosted.org/freeipa/ticket/4408 Patches attached. Both patches work for me. I have tested clean installation and upgrade from 3.3.5. Code looks okay, pushed to master: 3b310d6b4f8063149d1abe823b64bc9796a97ab2 Is this all for the ticket? Can we close it? Not yet, we need to push mbasti's patch 0083. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0091] Fix upgrade to forward zones
Patch attached -- Martin^2 Basti From 5b238e8376567242176a9363d7f90e7bc191c9f5 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 2 Jul 2014 19:04:39 +0200 Subject: [PATCH] Fix upgrade to forward zones --- ipaserver/install/plugins/dns.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py index c45457eae605687c7861472f860f336467ecbb12..d2a9500c5bb58a81950bc2077fa611fcfd0c973a 100644 --- a/ipaserver/install/plugins/dns.py +++ b/ipaserver/install/plugins/dns.py @@ -228,7 +228,7 @@ class update_master_to_dnsforwardzones(PostUpdate): if 'managedBy' in zone: entry = ldap.get_entry(DN(zone['managedBy'][0])) -writer.unparse(str(entry.dn), dict(entry)) +writer.unparse(str(entry.dn), dict(entry.raw)) # raw values are required to store into ldif records = api.Command['dnsrecord_find']( -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
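Review bot: Passing entry.raw to writer.unparse() is the right fix for the LDIF writer, but in the visible context ldap.get_entry(DN(zone['managedBy'][0])) is not guarded: a zone whose managedBy points at a permission that no longer exists (permission names for zones changed between releases, see patch 0092 in this digest) would raise NotFound and abort the whole update_master_to_dnsforwardzones step before the zone is converted. Suggest catching errors.NotFound around that lookup, logging the dangling reference, and continuing with the next zone rather than leaving the upgrade half done.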
[Freeipa-devel] [PATCH 0092] Fix incompatible permission in *zone-del
Patch attached -- Martin^2 Basti From a1a671cedda22c616b373bcb8df04e439f820bcb Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Thu, 3 Jul 2014 09:00:08 +0200 Subject: [PATCH] Fix incompatible permission name *zone-del Fixes ticket: https://fedorahosted.org/freeipa/ticket/4383 --- ipalib/plugins/dns.py | 33 +++-- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index e8e4e33a17c935f81c66cb029af6bfdfd0a5a8e1..c3a09e9d9d36f3bedc06407bf05d6ad47290a9b8 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -1801,6 +1801,21 @@ class DNSZoneBase(LDAPObject): return None +def _remove_permission(self, zone): +permission_name = self.permission_name(zone) +try: +api.Command['permission_del'](permission_name, force=True) +except errors.NotFound, e: +# compatibility, older IPA versions which allows to create zone +# without absolute zone name +permission_name_rel = self.permission_name( +zone.relativize(DNSName.root) +) +try: +api.Command['permission_del'](permission_name_rel, force=True) +except errors.NotFound: +raise e # re-raise original exception + class DNSZoneBase_add(LDAPCreate): @@ -1838,8 +1853,7 @@ class DNSZoneBase_del(LDAPDelete): def post_callback(self, ldap, dn, *keys, **options): try: -api.Command['permission_del'](self.obj.permission_name(keys[-1]), -force=True) +self.obj._remove_permission(keys[-1]) except errors.NotFound: pass 
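Review bot: _remove_permission() stops after the first permission_del that succeeds, so a zone that has both an absolute-name permission and a legacy relative-name one (if such a combination can exist after an upgrade) keeps the legacy permission as an orphan after *zone-del; consider attempting both names and raising only when neither existed. Minor: `except errors.NotFound, e:` is the Python 2-only spelling; `except errors.NotFound as e:` is accepted by both interpreters.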
@@ -2017,18 +2031,9 @@ class DNSZoneBase_remove_permission(LDAPQuery): permission_name = self.obj.permission_name(keys[-1]) try: -api.Command['permission_del'](permission_name, force=True) -except errors.NotFound, e: -# compatibility, older IPA versions which allows to create zone -# without absolute zone name -permission_name_rel = self.obj.permission_name( -keys[-1].relativize(DNSName.root) -) -try: -api.Command['permission_del'](permission_name_rel, force=True) -except errors.NotFound: -raise e # re-raise original exception - +self.obj._remove_permission(keys[-1]) +except errors.NotFound: +pass return dict( result=True, -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
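Review bot: In DNSZoneBase_remove_permission the local permission_name = self.obj.permission_name(keys[-1]) is still computed but, in the visible lines, no longer used once the call goes through self.obj._remove_permission(keys[-1]); drop it. More importantly, this hunk replaces `raise e # re-raise original exception` with `except errors.NotFound: pass`, so dnszone-remove-permission now returns result=True for a zone that has no managed permission at all, where it previously failed. If that is intended, the behaviour change belongs in the commit message; otherwise keep the raise in this command and swallow NotFound only in the *zone-del post_callback.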
Re: [Freeipa-devel] [PATCH 0083] Add DNSSEC experimental support warning message
On 2.7.2014 15:34, Martin Basti wrote: On Wed, 2014-07-02 at 15:21 +0200, Petr Spacek wrote: On 2.7.2014 14:57, Martin Basti wrote: On Tue, 2014-07-01 at 12:23 +0200, Petr Spacek wrote: On 1.7.2014 12:20, Martin Kosek wrote: On 07/01/2014 10:55 AM, Petr Spacek wrote: On 1.7.2014 10:49, Petr Viktorin wrote: On 07/01/2014 10:43 AM, Petr Spacek wrote: On 30.6.2014 17:10, Martin Basti wrote: On Mon, 2014-06-30 at 16:57 +0200, Petr Spacek wrote: On 30.6.2014 14:33, Martin Basti wrote: On Mon, 2014-06-30 at 12:49 +0200, Martin Basti wrote: Patch attached. It works for me. Please change the string a little bit, I have realized that we should ensure that file permissions are correct: chown named: * chmod u= * (the chmod part is new) Thanks! Updated patch attached I'm really sorry, I had to change the message once again :-) None of us noticed that the chmod command was completely incorrect. I'm attaching a fixed patch as an apology. It works for me when applied to master (50c30c8401c21d43414404bd5caa157196449e4c). Functional self-ACK :-) IMHO it can be pushed if Python-review is okay. Once again, please define new message classes in messages.py instead of just using PublicMessage with a custom string. Also, these messages will work for console output, but I'm not sure pre-wrapped text would look good in web UI. I'm not sold on the idea of giving instructions in warning messages. Would a link to some documentation be better? Well, the idea was to provide copypaste instructions directly in the console, not speaking about problems with URLs downstream. If you insist on a URL ... here it is: http://www.freeipa.org/page/Releases/4.0.0#Experimental_DNSSEC_Support Please use something more stable, like http://www.freeipa.org/page/DNSSEC which we would use as a gathering place for information about FreeIPA and DNSSEC. IMHO this particular warning should point to version-specific information.
I'm not opposed to the /page/DNSSEC idea in general but this warning should point to very specific steps which will be valid only for a very specific version of FreeIPA. Updated patch attached I have bad news for you: Patch freeipa-mbasti-0083-4-DNSSEC-experimental-support-warning-message.patch cannot be applied on top of: current master (01b95805ab1428e10c79abf70c9bc9e2baf9de21) freeipa-mbasti-0080-Allow-to-add-non-string-values-to-named-conf.patch freeipa-mbasti-0081-DNSSEC-Add-experimental-support-for-DNSSEC.patch freeipa-mbasti-0082-Add-warning-about-semantic-change-for-zones.patch You need 0082-2 Functional tests are okay, it can be pushed if Python gurus are okay with the code. Ticket https://fedorahosted.org/freeipa/ticket/4408 can be closed. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0088] Use documentation addresses in dns help
On 2.7.2014 14:07, Petr Viktorin wrote: On 07/02/2014 01:43 PM, Martin Basti wrote: On Wed, 2014-07-02 at 13:09 +0200, Petr Viktorin wrote: On 07/02/2014 01:02 PM, Martin Basti wrote: Patch attached. (Forward zones help preparation) /me sighs This will invalidate all translations of the DNS plugin help. Is it really necessary for 4.0? Ask petr2, but I have a ticket where I need to add some description about forward zones to the help. If it's really absolutely unavoidable to change the strings at the last minute, please do it as fast as possible so translators can get a bit of time to retranslate. Whenever you touch a long docstring, please split up the text according to http://www.freeipa.org/page/Coding_Best_Practices#Split_long_translatable_strings (preferably in a separate patch). ACK from functional perspective. It can be pushed if there is no problem with Python side of things. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0089] Add help about forward zones
On 2.7.2014 16:04, Martin Basti wrote: On Wed, 2014-07-02 at 15:46 +0200, Petr Spacek wrote: I have only a few nitpicks I didn't notice in the first round: The original proposal also contained this header: SUPPORTED ZONE TYPES * Master zone (dnszone-*) contains authoritative data. * Forward zone (dnsforwardzone-*) forwards queries to configured forwarders (a set of DNS servers). I can't see it in the patch. It is there Delete zone example.com with all resource records: ipa dnszone-del example.com Is there a section with examples for master zones? Please move it there if the answer is yes, otherwise it can stay here. Moved Updated patch attached ACK from functional perspective. It can be pushed if there is no problem with Python side of things. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0090] Split dns.py docstring
On 2.7.2014 16:17, Martin Basti wrote: Required patches mbasti-0088, mbasti-0089-2 Patch attached ACK from functional perspective. As far as I know it didn't break anything. It can be pushed if there is no problem with Python side of things. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0082] Forward zones: add warning about forwarders semantic change in dnszone-add/mod
On 1.7.2014 17:23, Martin Basti wrote: On Tue, 2014-07-01 at 12:17 +0200, Petr Viktorin wrote: On 07/01/2014 12:10 PM, Martin Basti wrote: On Mon, 2014-06-30 at 13:57 +0200, Petr Viktorin wrote: On 06/30/2014 12:48 PM, Martin Basti wrote: Ticket: https://fedorahosted.org/freeipa/ticket/3210#comment:16 Patch attached. When you add a new message, you should also define a new class for it in messages.py with a new errno, not just reuse PublicMessage with a custom string. Could it be WarningMessage? Or should I be more specific ForwardersWarningMessage, DNSSECWarningMessage ? Be specific. I'd go for DNSSECWarning; message is already in the module name. Is there any rule how to choose errno? Just use the next unused one. Updated patch attached ACK from functional perspective. It can be pushed if there is no problem with Python side of things. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0082] Forward zones: add warning about forwarders semantic change in dnszone-add/mod
On 07/03/2014 10:29 AM, Petr Spacek wrote: On 1.7.2014 17:23, Martin Basti wrote: On Tue, 2014-07-01 at 12:17 +0200, Petr Viktorin wrote: On 07/01/2014 12:10 PM, Martin Basti wrote: On Mon, 2014-06-30 at 13:57 +0200, Petr Viktorin wrote: On 06/30/2014 12:48 PM, Martin Basti wrote: Ticket: https://fedorahosted.org/freeipa/ticket/3210#comment:16 Patch attached. When you add a new message, you should also define a new class for it in messages.py with a new errno, not just reuse PublicMessage with a custom string. Could it be WarningMessage? Or should I be more specific ForwardersWarningMessage, DNSSECWarningMessage ? Be specific. I'd go for DNSSECWarning; message is already in the module name. Is there any rule how to choose errno? Just use the next unused one. Updated patch attached ACK from functional perspective. It can be pushed if there is no problem with Python side of things. Pushed to master: 33cf958b98dc2d80d17b3de1c145d403df4a3ba3 -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0083] Add DNSSEC experimental support warning message
On 07/03/2014 10:07 AM, Petr Spacek wrote: On 2.7.2014 15:34, Martin Basti wrote: On Wed, 2014-07-02 at 15:21 +0200, Petr Spacek wrote: On 2.7.2014 14:57, Martin Basti wrote: On Tue, 2014-07-01 at 12:23 +0200, Petr Spacek wrote: On 1.7.2014 12:20, Martin Kosek wrote: On 07/01/2014 10:55 AM, Petr Spacek wrote: On 1.7.2014 10:49, Petr Viktorin wrote: On 07/01/2014 10:43 AM, Petr Spacek wrote: On 30.6.2014 17:10, Martin Basti wrote: On Mon, 2014-06-30 at 16:57 +0200, Petr Spacek wrote: On 30.6.2014 14:33, Martin Basti wrote: On Mon, 2014-06-30 at 12:49 +0200, Martin Basti wrote: Patch attached. It works for me. Please change the string a little bit, I have realized that we should ensure that file permissions are correct: chown named: * chmod u= * (the chmod part is new) Thanks! Updated patch attached I'm really sorry, I had to change the message once again :-) None of us noticed that the chmod command was completely incorrect. I'm attaching a fixed patch as an apology. It works for me when applied to master (50c30c8401c21d43414404bd5caa157196449e4c). Functional self-ACK :-) IMHO it can be pushed if Python-review is okay. Once again, please define new message classes in messages.py instead of just using PublicMessage with a custom string. Also, these messages will work for console output, but I'm not sure pre-wrapped text would look good in web UI. I'm not sold on the idea of giving instructions in warning messages. Would a link to some documentation be better? Well, the idea was to provide copypaste instructions directly in the console, not speaking about problems with URLs downstream. If you insist on a URL ... here it is: http://www.freeipa.org/page/Releases/4.0.0#Experimental_DNSSEC_Support Please use something more stable, like http://www.freeipa.org/page/DNSSEC which we would use as a gathering place for information about FreeIPA and DNSSEC. IMHO this particular warning should point to version-specific information.
I'm not opposed to the /page/DNSSEC idea in general but this warning should point to very specific steps which will be valid only for a very specific version of FreeIPA. Updated patch attached I have bad news for you: Patch freeipa-mbasti-0083-4-DNSSEC-experimental-support-warning-message.patch cannot be applied on top of: current master (01b95805ab1428e10c79abf70c9bc9e2baf9de21) freeipa-mbasti-0080-Allow-to-add-non-string-values-to-named-conf.patch freeipa-mbasti-0081-DNSSEC-Add-experimental-support-for-DNSSEC.patch freeipa-mbasti-0082-Add-warning-about-semantic-change-for-zones.patch You need 0082-2 Functional tests are okay, it can be pushed if Python gurus are okay with the code. Ticket https://fedorahosted.org/freeipa/ticket/4408 can be closed. Pushed to master: 70224597a846cbe4cc7fe5f3b3cf3cec1e65ebd2 -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0088] Use documentation addresses in dns help
On 07/03/2014 10:11 AM, Petr Spacek wrote: On 2.7.2014 14:07, Petr Viktorin wrote: On 07/02/2014 01:43 PM, Martin Basti wrote: On Wed, 2014-07-02 at 13:09 +0200, Petr Viktorin wrote: On 07/02/2014 01:02 PM, Martin Basti wrote: Patch attached. (Forward zones help preparation) /me sighs This will invalidate all translations of the DNS plugin help. Is it really necessary for 4.0? Ask petr2, but I have a ticket where I need to add some description about forward zones to the help. If it's really absolutely unavoidable to change the strings at the last minute, please do it as fast as possible so translators can get a bit of time to retranslate. Whenever you touch a long docstring, please split up the text according to http://www.freeipa.org/page/Coding_Best_Practices#Split_long_translatable_strings (preferably in a separate patch). ACK from functional perspective. It can be pushed if there is no problem with Python side of things. Pushed to master: d18eea457845705aa08e068c1ca19c407a7ede88 -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0089] Add help about forward zones
On 07/03/2014 10:22 AM, Petr Spacek wrote: On 2.7.2014 16:04, Martin Basti wrote: On Wed, 2014-07-02 at 15:46 +0200, Petr Spacek wrote: I have only a few nitpicks I didn't notice in the first round: The original proposal also contained this header: SUPPORTED ZONE TYPES * Master zone (dnszone-*) contains authoritative data. * Forward zone (dnsforwardzone-*) forwards queries to configured forwarders (a set of DNS servers). I can't see it in the patch. It is there Delete zone example.com with all resource records: ipa dnszone-del example.com Is there a section with examples for master zones? Please move it there if the answer is yes, otherwise it can stay here. Moved Updated patch attached ACK from functional perspective. It can be pushed if there is no problem with Python side of things. Pushed to master: d22d9715756b2fcc5b11a8ee088f7eaa577f9625 -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0090] Split dns.py docstring
On 07/03/2014 10:23 AM, Petr Spacek wrote: On 2.7.2014 16:17, Martin Basti wrote: Required patches mbasti-0088, mbasti-0089-2 Patch attached ACK from functional perspective. As far as I know it didn't break anything. It can be pushed if there is no problem with Python side of things. Thanks! Pushed to master: 1c5fa1c28dd36e1f63dfe341eeb857660eef503a I've also updated the source translations on Transifex. Next time you send a set of related patches, think about using one e-mail thread for all of them. It's not easy to track which patches depend on each other when each one is in a different thread. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0091] Fix upgrade to forward zones
On 3.7.2014 09:13, Martin Basti wrote: Patch attached ACK from functional perspective. It can be pushed if there is no problem with Python side of things. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0092] Fix incompatible permission in *zone-del
On 3.7.2014 09:17, Martin Basti wrote: Patch attached ACK from functional perspective. It almost works :-) Old permissions are deleted correctly but new permissions are not added to privileges. IMHO the permission adding should be fixed in separate patch. This patch can be pushed if there is no problem with Python side of things. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0092] Fix incompatible permission in *zone-del
On 07/03/2014 01:49 PM, Petr Spacek wrote: On 3.7.2014 09:17, Martin Basti wrote: Patch attached ACK from functional perspective. It almost works :-) Old permissions are deleted correctly but new permissions are not added to privileges. IMHO the permission adding should be fixed in separate patch. This patch can be pushed if there is no problem with Python side of things. Pushed to master: 21c829ffa52aa3a7af67eb267007aa92622f7eba -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0091] Fix upgrade to forward zones
On 07/03/2014 01:47 PM, Petr Spacek wrote: On 3.7.2014 09:13, Martin Basti wrote: Patch attached ACK from functional perspective. It can be pushed if there is no problem with Python side of things. Pushed to master: eea101544125895b3d4f66b61cf8e3870bffed66 -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 693 webui-build: use /usr/share/java/js.jar instead of rhino.jar
On 07/01/2014 06:27 PM, Timo Aaltonen wrote: On 01.07.2014 19:20, Petr Vobornik wrote: /usr/share/java/rhino.jar is Fedora's symlink to /usr/share/java/js.jar Debian doesn't have it. Direct usage of upstream /usr/share/java/js.jar should work on both systems. yup, tested on Debian and checked the fedora rhino rpm that it has both. thanks! Works for me as well. Pushed to master: 76ec9384fb112ee528c5198af0261182f1ad049e Thanks! Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0087] Fix: missing tlsarecord in 40-dns.update
On 2.7.2014 10:32, Petr Spacek wrote: On 2.7.2014 10:23, Martin Basti wrote: On Wed, 2014-07-02 at 09:40 +0200, Petr Spacek wrote: On 1.7.2014 17:28, Martin Basti wrote: Patch attached I'm not able to apply it on top of current master (21e1e4ac3bd62c20c6331ea3dc09793e3a869c22). Sorry I lost myself in ACIs, it depends on the patch mbasti-0084-2 and 0085-2 Okay, I will test it when you send new versions of 0084 and 0085. NACK. It doesn't work for me for some reason, tlsarecord was not added to aci for some reason. The same problem applies to DLVRecord and nSEC3PARAMRecord. DS record seems to be okay. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 694 webui: new navigation structure
On 3.7.2014 08:13, Fraser Tweedale wrote: On Wed, Jul 02, 2014 at 04:14:13PM +0200, Petr Vobornik wrote: https://fedorahosted.org/freeipa/ticket/4418 according to latest proposal:http://www.redhat.com/archives/freeipa-devel/2014-June/msg00839.html -- Petr Vobornik Haven't run the webui tests but lines up with the proposal and looks very nice! ACK if webui tests pass. I've run the complete test suite and discovered that I forgot to modify 2 other tests. Also there was an existing fail in test_navigation in DNS-less installation. All fixed, updated patch attached. From 97cc94163e8ae57058b07741c7d70e44697c113f Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Wed, 2 Jul 2014 15:09:22 +0200 Subject: [PATCH] webui: new navigation structure https://fedorahosted.org/freeipa/ticket/4418 --- install/ui/src/freeipa/certificate.js | 2 +- install/ui/src/freeipa/dns.js | 2 +- install/ui/src/freeipa/navigation/menu_spec.js | 195 +++-- install/ui/test/data/ipa_init.json | 2 + ipalib/plugins/internal.py | 2 + ipatests/test_webui/test_navigation.py | 62 +--- ipatests/test_webui/ui_driver.py | 2 +- 7 files changed, 160 insertions(+), 107 deletions(-) diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js index 01dfee2b64c14f487b66b91d449f63b6415dea69..6a11d959398517db6f720a36ff2a323e1d0c74a7 100755 --- a/install/ui/src/freeipa/certificate.js +++ b/install/ui/src/freeipa/certificate.js @@ -1293,7 +1293,7 @@ IPA.cert.cert_update_policy = function(spec) { exp.remove_menu_item = function() { if (!IPA.cert.is_enabled()) { -menu.remove_item('identity/cert'); +menu.remove_item('authentication/cert'); } }; diff --git a/install/ui/src/freeipa/dns.js b/install/ui/src/freeipa/dns.js index c7143ca91fef9bbc372654080fe899be1ae8367f..a566ccf61adcf4f688ac803bf5e3658b4f3a0253 100644 --- a/install/ui/src/freeipa/dns.js +++ b/install/ui/src/freeipa/dns.js 
@@ -2543,7 +2543,7 @@ IPA.network_validator = function(spec) { exp.remove_menu_item = function() { if (!IPA.dns_enabled) { -menu.remove_item('identity/dns'); +menu.remove_item('network_services/dns'); } }; diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js index 01738cbe60b10bc0f1671093fc1616980780bac1..9182d11bf56c73e1fce724d438fe2211105b75ad 100644 --- a/install/ui/src/freeipa/navigation/menu_spec.js +++ b/install/ui/src/freeipa/navigation/menu_spec.js @@ -43,101 +43,134 @@ var nav = {}; { entity: 'netgroup' }, { entity: 'service' }, { +name: 'automember', +label: '@i18n:tabs.automember', +children: [ +{ +name: 'amgroup', +entity: 'automember', +facet: 'searchgroup', +label: '@i18n:objects.automember.usergrouprules', +children: [ +{ +entity: 'automember', +facet: 'usergrouprule', +hidden: true +} +] +}, +{ +name: 'amhostgroup', +entity: 'automember', +facet: 'searchhostgroup', +label: '@i18n:objects.automember.hostgrouprules', +children: [ +{ +entity: 'automember', +facet: 'hostgrouprule', +hidden: true +} +] +} +] +} +] +}, +{ +name: 'policy', +label: '@i18n:tabs.policy', +children: [ +{ +name: 'hbac', +label: '@i18n:tabs.hbac', +children: [ +{ entity: 'hbacrule' }, +{ entity: 'hbacsvc' }, +{ entity: 'hbacsvcgroup' }, +{ entity: 'hbactest' } +] +}, +{ +name: 'sudo', +label: '@i18n:tabs.sudo', +children: [ +{ entity: 'sudorule' }, +{ entity: 'sudocmd' }, +{ entity: 'sudocmdgroup' } +] +}, +
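Review bot: The attachment on this reply carries the same commit id (97cc94163e8ae57058b07741c7d70e44697c113f), the same author date and the same diffstat (7 files changed, 160 insertions, 107 deletions; ipatests/test_webui/test_navigation.py | 62) as the first version of patch 694 posted earlier in this digest, so the fixes to the two other web UI tests and to the DNS-less test_navigation failure described in the mail are not visible in what was sent; please check that the updated patch, and not the original, was attached.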
Re: [Freeipa-devel] [PATCH] 0153 ipa-ldap-updater does not work with hardened LDAP configuration
On 2.7.2014 15:52, Alexander Bokovoy wrote: When nsslapd-minssf is greater than 0, running as root ipa-ldap-updater [-l] will fail even if we force use of autobind for root over LDAPI. The reason for this is that the schema updater doesn't get the ldapi flag passed and attempts to connect to the LDAP port instead, and for hardened configurations using simple bind over LDAP is not enough. Additionally, report properly previously unhandled LDAP exceptions. https://fedorahosted.org/freeipa/ticket/3468 Note that the ticket is in 'Future releases' but we have this bug in 3.3 and in my view it is serious enough to fix it. ACK from functional perspective. I have tested clean installation and upgrade from 3.3.5 (Fedora 20) and both work. Also ipa-ldap-updates works with minssf = 56. It can be pushed if there is no problem with Python side of things. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
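The failure discussed in this thread, as an added example that is not FreeIPA or 389-ds code: a small model of how a directory server with nsslapd-minssf set decides whether a bind is even considered, and why an updater running as root has to keep going through the LDAPI socket. The SSF crediting rules (plain TCP = 0, LDAPI = nsslapd-localssf with default 71, TLS = the negotiated cipher strength) and the result code 13 with "Minimum SSF not met." are my reading of 389-ds behaviour and are assumptions here, the socket path is a placeholder, and autobind() is the only function that talks to a real server (it needs python-ldap and is not exercised offline).

```python
"""Added example, not FreeIPA/389-ds code: minimum-SSF accounting behind the
ipa-ldap-updater failure.  Assumptions: the SSF rules below are my reading of
389-ds (nsslapd-minssf / nsslapd-localssf); the socket path is a placeholder.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote

LOCALSSF_DEFAULT = 71           # assumed 389-ds default for nsslapd-localssf
CONFIDENTIALITY_REQUIRED = 13   # LDAP result sent with "Minimum SSF not met."


@dataclass(frozen=True)
class Transport:
    scheme: str               # "ldap", "ldaps" or "ldapi"
    starttls: bool = False
    tls_key_bits: int = 0     # symmetric key strength negotiated by TLS


def effective_ssf(t: Transport, localssf: int = LOCALSSF_DEFAULT) -> int:
    """Security strength factor the server credits to the connection before
    any bind.  A plain ldap:// socket carries nothing, so a simple bind on it
    is SSF 0 no matter how strong the password is."""
    if t.scheme == "ldapi":
        return localssf
    if t.scheme == "ldaps" or t.starttls:
        return t.tls_key_bits
    return 0


def bind_result(t: Transport, minssf: int,
                localssf: int = LOCALSSF_DEFAULT) -> Optional[int]:
    """None when the bind proceeds to credential checking, otherwise the LDAP
    result code the server answers with before looking at the credentials."""
    if minssf > 0 and effective_ssf(t, localssf) < minssf:
        return CONFIDENTIALITY_REQUIRED
    return None


def ldapi_uri(socket_path: str) -> str:
    """ldapi:// URIs carry the socket path percent-encoded, '/' included."""
    return "ldapi://" + quote(socket_path, safe="")


def updater_uri(as_root: bool, minssf: int, host: str,
                socket_path: str = "/var/run/slapd-EXAMPLE-TEST.socket") -> str:
    """Which connection an updater should open.  Root takes LDAPI so that
    autobind works regardless of minssf (this is the flag the schema updater
    was not being given); anyone else needs TLS once minssf > 0."""
    if as_root:
        return ldapi_uri(socket_path)
    if minssf > 0:
        return "ldaps://%s" % host
    return "ldap://%s" % host


def autobind(uri: str) -> str:
    """Bind as the Unix peer over LDAPI with SASL EXTERNAL, the mechanism
    389-ds autobind keys on, and return the bound identity.  Needs python-ldap
    and a running server; not run by the offline checks."""
    import ldap  # python-ldap
    conn = ldap.initialize(uri)
    conn.sasl_external_bind_s()
    return conn.whoami_s()


if __name__ == "__main__":
    for t in (Transport("ldap"),
              Transport("ldap", starttls=True, tls_key_bits=128),
              Transport("ldapi")):
        print(t, "minssf=56 ->", bind_result(t, 56))
```

With minssf = 56, the value from the ACK above, only the LDAPI and TLS transports get past the SSF gate; a root process that silently falls back to ldap://localhost is refused before its (otherwise valid) Directory Manager credentials are even examined, which is the symptom the patch fixes.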
[Freeipa-devel] [PATCH] 695 webui: display messages contained in API responses
API responses can contain warnings in messages array. This patch also adds support for displaying multiple notifications at the same time in order to show the message and a status of finished operation. Notes: - was implemented because of https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=33cf958b98dc2d80d17b3de1c145d403df4a3ba3 -- test by modifying Master DNS Zone which has a Zone forwarder set. - I'd like to move the notification code to a separate module in the future and then extend it according to PatternFly pattern which is currently under development (should contain history, ...). -- Petr Vobornik From da9375212307e5a746e253a3d163e1eb8f3dbd75 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Thu, 3 Jul 2014 10:31:54 +0200 Subject: [PATCH] webui: display messages contained in API responses API responses can contain warnings in messages array. This patch also adds support for displaying multiple notifications at the same time in order to show the message and a status of finished operation. --- install/ui/src/freeipa/ipa.js| 80 ++-- install/ui/src/freeipa/rpc.js| 21 ++- install/ui/src/freeipa/util.js | 36 +- install/ui/src/freeipa/widget.js | 10 - 4 files changed, 91 insertions(+), 56 deletions(-) diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js index be202ecdc9882638fc072c1a11452c8e1bcfccc6..0fb35632e9147c901f1a961c978d6ed8ff84aa2e 100644 --- a/install/ui/src/freeipa/ipa.js +++ b/install/ui/src/freeipa/ipa.js @@ -36,9 +36,10 @@ define([ './reg', './rpc', './text', +'./util', 'exports' ], function(Deferred, keys, topic, $, JSON, i18n, auth, datetime, -metadata_provider, builder, reg, rpc, text, exports) { +metadata_provider, builder, reg, rpc, text, util, exports) { /** * @class 
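Review bot: The define() list in ipa.js gains './util' in this hunk, and util.js (and widget.js) are modified by the same patch; if util.js requires ipa.js, directly or through widget.js, the AMD loader resolves the cycle by handing one side an empty module object and util.beautify_message would be undefined at call time. Please confirm util.js has no dependency back on ipa.js, or load it lazily with require() inside the functions that use it.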
@@ -830,32 +831,6 @@ IPA.error_dialog = function(spec) { /** @property {string[]} visible_buttons=['retry', 'cancel'] Visible button names */ that.visible_buttons = spec.visible_buttons || ['retry', 'cancel']; -/** - * Beautify error message - * - * Multi-lined text may contain TAB character as first char of the line - * to hint at marking the whole line differently. - * @param {jQuery} container Container to add the beautified message. - * @param {string} message - */ -that.beautify_message = function(container, message) { -var lines = message.split(/\n/g); -var line_span; -for(var i=0; ilines.length; i++) { - -if (lines[i].charAt(0) == '\t') { -line_span = $('p /', { -'class': 'error-message-hinted', -text: lines[i].substr(1) -}).appendTo(container); -} else { -line_span = $('p /', { -text: lines[i] -}).appendTo(container); -} -} -}; - /** @inheritDoc */ that.create_content = function() { if (that.error_thrown.url) { @@ -865,7 +840,7 @@ IPA.error_dialog = function(spec) { } var error_message = $('div /', {}); -that.beautify_message(error_message, that.error_thrown.message); +error_message.append(util.beautify_message(that.error_thrown.message)); error_message.appendTo(that.container); if(that.errors that.errors.length 0) { @@ -896,7 +871,7 @@ IPA.error_dialog = function(spec) { var error = that.errors[i]; if(error.message) { var error_div = $('li /', {}); -that.beautify_message(error_div, error.message); +error_div.append(util.beautify_message(error.message)); error_div.appendTo(errors_container); } } 
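Review bot: The removed error_dialog.beautify_message built each line with $('p /', { text: ... }), so message text coming from the server was always inserted as text, never as markup. The replacement util.beautify_message is not part of this diff; please make sure it keeps the text-only construction (and the TAB-prefixed hint convention) because these strings echo server-side values such as zone and entry names, and the same helper now also renders API warning messages, so switching to html()/innerHTML in the moved copy would open a stored-XSS path through the web UI.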
@@ -1161,36 +1136,38 @@ IPA.notify = function(message, type, timeout) { if (!message) return; // don't show undefined, null and such -message = text.get(message); - -function destroy_timeout() { -if (IPA.notify_success.timeout) window.clearTimeout(IPA.notify_success.timeout); +if (typeof message === 'string') { +message = text.get(message); } -var notification_area = $('.notification-area'); +var notification_area = $('#notification .notification-area'); if (notification_area.length === 0) { notification_area = $('div/', { -'class': 'notification-area', -click: function() { -destroy_timeout(); -notification_area.fadeOut(100); -} +'class': 'notification-area' }); - notification_area.appendTo('#notification'); } -notification_area.empty(); - var alert = IPA.alert_helper.create_alert('msg', message, type); -var el = IPA.alert_helper.render_alert(alert); +var el =
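Review bot: in the two `IPA.error_dialog` hunks (`@@ -830` and `@@ -865`/`@@ -896`) the inline `that.beautify_message` is replaced by `util.beautify_message(...)`, but the install/ui/src/freeipa/util.js hunk that defines the new helper is not in this mail. The removed implementation built every line with jQuery's `text:` option; the moved version must keep doing that rather than switching to `html:`, because the same helper will now render the server-supplied `messages` array and any markup in a warning has to be shown literally, not interpreted. Note also that extraction has dropped the `<` in `for(var i=0; ilines.length; i++)` and the element markers in `$('p /', ...)`, so compare the moved code against git, not against this mail.

Review bot: the `IPA.notify` hunk removes `notification_area.empty()`, the `click` handler that called `destroy_timeout()` and faded the area out, and `destroy_timeout` itself, while the new `if (typeof message === 'string')` guard lets non-string values reach `IPA.alert_helper.create_alert` unchanged. The hunk is cut off at `var el =`, so it is not visible here how an individual alert is dismissed or how many alerts can accumulate; please confirm that the rest of the patch bounds the notification area and gives each alert its own timeout or close control, since one response (for example the DNS zone modify named in the notes) may now carry several warnings at once.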
Re: [Freeipa-devel] [PATCH 0140] [PATCH 140/140] ipalib: Use DateTime parameter class for OTP token
On 2.6.2014 18:35, Petr Vobornik wrote: On 14.1.2014 15:20, Petr Viktorin wrote: On 01/14/2014 09:33 AM, Jan Cholasta wrote: On 9.1.2014 16:32, Tomas Babej wrote: Hi, For ipatokennotbefore and ipatokennotafter attributes use DateTime parameter class instead of Str, since these are represented as LDAP Generalized Time in LDAP. Tomas ACK. This apparently depends on tbabej-0137, so let's not push it yet. I've rebased the patch and wanted to push it but I found out, that in patch 138 - expose krbPrincipalExpiration we removed the (UTC) from labels [1]. We should do the same here. [1] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00442.html Since Tomas is on vacation, I've rebased it again and addressed ^^. If we want this change, it should be pushed before GA since it changes API. Web UI part is pvoborni-548-1 -- Petr Vobornik From ba3b94c3dc43ac29e608e1b45991040e37751f6b Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Thu, 9 Jan 2014 11:29:39 +0100 Subject: [PATCH] ipalib: Use DateTime parameter class for OTP token timestamp attributes For ipatokennotbefore and ipatokennotafter attributes use DateTime parameter class instead of Str, since these are represented as LDAP Generalized Time in LDAP. --- API.txt| 16 VERSION| 4 ++-- ipalib/plugins/otptoken.py | 6 +++--- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/API.txt b/API.txt index c0f551706e4f5be4ff2e3f2ec00f9ad4dcf1ed03..0181f7d6cb7dd2fb6ba36ed48ad49a16088f6c2f 100644 --- a/API.txt +++ b/API.txt 
@@ -2303,8 +2303,8 @@ option: Str('description', attribute=True, cli_name='desc', multivalue=False, re option: Bool('ipatokendisabled', attribute=True, cli_name='disabled', multivalue=False, required=False) option: Int('ipatokenhotpcounter', attribute=True, autofill=True, cli_name='counter', default=0, minvalue=0, multivalue=False, required=False) option: Str('ipatokenmodel', attribute=True, autofill=True, cli_name='model', multivalue=False, required=False) -option: Str('ipatokennotafter', attribute=True, cli_name='not_after', multivalue=False, required=False) -option: Str('ipatokennotbefore', attribute=True, cli_name='not_before', multivalue=False, required=False) +option: DateTime('ipatokennotafter', attribute=True, cli_name='not_after', multivalue=False, required=False) +option: DateTime('ipatokennotbefore', attribute=True, cli_name='not_before', multivalue=False, required=False) option: StrEnum('ipatokenotpalgorithm', attribute=True, autofill=True, cli_name='algo', default=u'sha1', multivalue=False, required=False, values=(u'sha1', u'sha256', u'sha384', u'sha512')) option: IntEnum('ipatokenotpdigits', attribute=True, autofill=True, cli_name='digits', default=6, multivalue=False, required=False, values=(6, 8)) option: OTPTokenKey('ipatokenotpkey', attribute=True, autofill=True, cli_name='key', multivalue=False, required=False) @@ -2338,8 +2338,8 @@ args: 1,8,1 arg: Str('ipatokenuniqueid?', cli_name='id', primary_key=True) option: Str('description?', cli_name='desc') option: Bool('ipatokendisabled?', cli_name='disabled') -option: Str('ipatokennotafter?', cli_name='not_after') -option: Str('ipatokennotbefore?', cli_name='not_before') +option: DateTime('ipatokennotafter?', cli_name='not_after') +option: DateTime('ipatokennotbefore?', cli_name='not_before') option: IntEnum('ipatokenotpdigits?', autofill=True, cli_name='digits', default=6, values=(6, 8)) option: Str('ipatokenowner?', cli_name='owner') option: IntEnum('slot?', cli_name='slot', values=(1, 2)) 
@@ -2361,8 +2361,8 @@ option: Str('description', attribute=True, autofill=False, cli_name='desc', mult option: Bool('ipatokendisabled', attribute=True, autofill=False, cli_name='disabled', multivalue=False, query=True, required=False) option: Int('ipatokenhotpcounter', attribute=True, autofill=False, cli_name='counter', default=0, minvalue=0, multivalue=False, query=True, required=False) option: Str('ipatokenmodel', attribute=True, autofill=False, cli_name='model', multivalue=False, query=True, required=False) -option: Str('ipatokennotafter', attribute=True, autofill=False, cli_name='not_after', multivalue=False, query=True, required=False) -option: Str('ipatokennotbefore', attribute=True, autofill=False, cli_name='not_before', multivalue=False, query=True, required=False) +option: DateTime('ipatokennotafter', attribute=True, autofill=False, cli_name='not_after', multivalue=False, query=True, required=False) +option: DateTime('ipatokennotbefore', attribute=True, autofill=False, cli_name='not_before', multivalue=False, query=True, required=False) option: StrEnum('ipatokenotpalgorithm', attribute=True, autofill=False, cli_name='algo', default=u'sha1', multivalue=False, query=True, required=False, values=(u'sha1', u'sha256', u'sha384', u'sha512')) option: IntEnum('ipatokenotpdigits', attribute=True, autofill=False, cli_name='digits', default=6, multivalue=False,
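Review bot: switching `ipatokennotbefore` and `ipatokennotafter` from `Str` to `DateTime` in otptoken-add, the second (otptoken-find, `query=True`) command and the third, truncated command changes both the input the server accepts and the parameter type reported to clients, so this is a wire-level API change as the thread says. The diffstat lists VERSION and ipalib/plugins/otptoken.py, but neither hunk is in this mail; confirm that the API version is bumped there and that the "(UTC)" suffix Petr Vobornik mentions was dropped from the parameter labels in otptoken.py, since the API.txt hunks do not show labels.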
Re: [Freeipa-devel] [PATCH] 0153 ipa-ldap-updater does not work with hardened LDAP configuration
On Thu, 2014-07-03 at 15:21 +0200, Petr Spacek wrote: On 2.7.2014 15:52, Alexander Bokovoy wrote: When nsslapd-minssf is greater than 0, running as root ipa-ldap-updater [-l] will fail even if we force use of autobind for root over LDAPI. The reason for this is that schema updater doesn't get ldapi flag passed and attempts to connect to LDAP port instead and for hardened configurations using simple bind over LDAP is not enough. Additionally, report properly previously unhandled LDAP exceptions. https://fedorahosted.org/freeipa/ticket/3468 Note that the ticket is in 'Future releases' but we have this bug in 3.3 and in my view it is serious enough to fix it. ACK from functional perspective. I have tested clean installation and upgrade from 3.3.5 (Fedora 20) and both works. Also ipa-ldap-updates works with minssf = 56. It can be pushed if there is no problem with Python side of things. I would love to see this in 4.0 GA too. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0614 test_ipagetkeytab: Fix expected error message
On Wed, 2014-07-02 at 18:32 +0200, Petr Viktorin wrote: It looks like ipa-getkeytab error message for a non-existent service changed. Simo, is this expected? I was asked to change some messages and I guess this got changed with all the other new ones. It wasn't strictly intentional but it wasn't done by mistake either. Is the new message final, or should we just check for the PrincipalName not found. substring? I do not expect other changes for the near future. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0140] [PATCH 140/140] ipalib: Use DateTime parameter class for OTP token
On 3.7.2014 17:03, Petr Vobornik wrote: On 2.6.2014 18:35, Petr Vobornik wrote: On 14.1.2014 15:20, Petr Viktorin wrote: On 01/14/2014 09:33 AM, Jan Cholasta wrote: On 9.1.2014 16:32, Tomas Babej wrote: Hi, For ipatokennotbefore and ipatokennotafter attributes use DateTime parameter class instead of Str, since these are represented as LDAP Generalized Time in LDAP. Tomas ACK. This apparently depends on tbabej-0137, so let's not push it yet. I've rebased the patch and wanted to push it but I found out, that in patch 138 - expose krbPrincipalExpiration we removed the (UTC) from labels [1]. We should do the same here. [1] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00442.html Since Tomas is on vacation, I've rebased it again and addressed ^^. If we want this change, it should be pushed before GA since it changes API. Web UI part is pvoborni-548-1 Thanks, ACK again. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0093] Restore priviledges after forward zone upgrade
Patch attached -- Martin^2 Basti From f7e6c6d17562d4d5bcdbddaefbaf279fd1b901db Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Thu, 3 Jul 2014 15:50:27 +0200 Subject: [PATCH] Restore privileges after forward zones update Ticket: https://fedorahosted.org/freeipa/ticket/3210 --- ipaserver/install/plugins/dns.py | 43 +++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py index d2a9500c5bb58a81950bc2077fa611fcfd0c973a..07c0325d7a7c6062c1827d08f211d317bdc63db4 100644 --- a/ipaserver/install/plugins/dns.py +++ b/ipaserver/install/plugins/dns.py @@ -210,6 +210,10 @@ class update_master_to_dnsforwardzones(PostUpdate): # add time to filename self.backup_path = time.strftime(self.backup_path) +# DNs of privileges which contain dns managed permissions +privileges_to_ldif = set() # store priviledges only once +zone_to_privileges = {} # zone: [privileges cn] + self.log.info('Zones with specified forwarders with policy different' ' than none will be transformed to forward zones.') self.log.info('Original zones will be saved in LDIF format in ' @@ -228,8 +232,14 @@ class update_master_to_dnsforwardzones(PostUpdate): if 'managedBy' in zone: entry = ldap.get_entry(DN(zone['managedBy'][0])) +for privilege_member_dn in entry.get('member', []): +privileges_to_ldif.add(privilege_member_dn) writer.unparse(str(entry.dn), dict(entry.raw)) +# privileges where permission is used +if entry.get('member'): +zone_to_privileges[zone['idnsname'][0]] = entry['member'] + # raw values are required to store into ldif records = api.Command['dnsrecord_find']( zone['idnsname'][0], 
@@ -249,6 +259,17 @@ class update_master_to_dnsforwardzones(PostUpdate): zone['idnsname'][0]) self.log.error(traceback.format_exc()) return (False, False, []) + +for privilege_dn in privileges_to_ldif: +try: +entry = ldap.get_entry(privilege_dn) +writer.unparse(str(entry.dn), dict(entry.raw)) +except Exception, e: +self.log.error('Unable to backup privilege %s' % + privilege_dn) +self.log.error(traceback.format_exc()) +return (False, False, []) + f.close() except Exception: self.log.error('Unable to create backup file') @@ -285,7 +306,8 @@ class update_master_to_dnsforwardzones(PostUpdate): # create permission if original zone has one if 'managedBy' in zone: try: -api.Command['dnsforwardzone_add_permission'](zone['idnsname'][0]) +perm_name = api.Command['dnsforwardzone_add_permission']( +zone['idnsname'][0])['value'] except Exception, e: self.log.error('Transform to forwardzone terminated: ' 'Adding managed by permission to forward zone' @@ -296,9 +318,28 @@ class update_master_to_dnsforwardzones(PostUpdate): zone['idnsname'][0]) continue +else: +if zone['idnsname'][0] in zone_to_privileges: +privileges = [ +dn[0].value for dn in zone_to_privileges[zone['idnsname'][0]] +] +try: +api.Command['permission_add_member'](perm_name, +privilege=privileges) +except Exception, e: +self.log.error('Unable to restore privileges for ' + 'permission %s, for zone %s' +% (perm_name, zone['idnsname'])) +self.log.error(traceback.format_exc()) +self.log.info('Zone %s was transformed to forward zone' + ' without restored privileges', + zone['idnsname'][0]) +
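Review bot: hunk `@@ -210,6 +210,10`: the comment `# store priviledges only once` misspells "privileges" (the mail subject has the same typo, the commit subject does not); fix the comment so grep for "privileges" finds it.

Review bot: hunk `@@ -228,8 +232,14`: `entry.get('member', [])` is iterated to fill `privileges_to_ldif` and then `entry.get('member')` is read again to fill `zone_to_privileges`; a single `members = entry.get('member', [])`, `privileges_to_ldif.update(members)` and `if members:` expresses the same thing without the duplicate lookup.

Review bot: hunk `@@ -249,6 +259,17`: any exception while backing up a privilege returns `(False, False, [])` and aborts the whole transformation, so one dangling `member` value on a permission (a privilege deleted earlier but still referenced) would block the upgrade of every zone; consider catching `errors.NotFound` separately, logging a warning and skipping that DN, and `e` in `except Exception, e:` is unused.

Review bot: hunks `@@ -285,7 +306,8` and `@@ -296,9 +318,28`: the `else:` branch correctly runs only after `perm_name` was assigned, but the error message uses `zone['idnsname']` (the whole list) where every other log call in this function uses `zone['idnsname'][0]`, so the message will contain a list repr; also `dn[0].value` relies on `entry['member']` holding DN objects rather than strings, which is true for `ldap.get_entry()` results but deserves a one-line comment where `zone_to_privileges` is filled.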
[Freeipa-devel] [PATCH 0093] Non IDNA zone name should be normalized to lowercase
Regression caused by removing validation in DNSName for regular domain names. In original code before IDNA, zones were normalized. Patch attached -- Martin^2 Basti From ff9df6b6f7a28a0e598e20cd3308252ce836f7bb Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Thu, 3 Jul 2014 18:14:40 +0200 Subject: [PATCH] Non IDNA zonename should be normalized to lowercase Before IDNA support zone was normalized. --- ipalib/plugins/dns.py | 10 ++ 1 file changed, 10 insertions(+) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index c3a09e9d9d36f3bedc06407bf05d6ad47290a9b8..4c3497f6c74defbde3aa810f9d42b9c19ad870fc 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -1708,6 +1708,15 @@ def _records_idn_postprocess(record, **options): rrs.append(dnsvalue) record[attr] = rrs +def _normalize_zone(zone): +if isinstance(zone, unicode): +# normalize only non-IDNA zones +try: +return unicode(zone.encode('ascii')).lower() +except UnicodeError: +pass +return zone + class DNSZoneBase(LDAPObject): @@ -1727,6 +1736,7 @@ class DNSZoneBase(LDAPObject): label=_('Zone name'), doc=_('Zone name (FQDN)'), default_from=lambda name_from_ip: _reverse_zone_name(name_from_ip), +normalizer=_normalize_zone, primary_key=True, ), Str('name_from_ip?', _validate_ipnet, -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
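Review bot: `_normalize_zone` lowercases a name only when `zone.encode('ascii')` succeeds, so a non-ASCII U-label is returned unchanged while the equivalent `xn--` A-label would be lowercased; that is consistent because IDNA toASCII output is already lowercase, but the helper has no docstring and the comment `# normalize only non-IDNA zones` does not say why (the DNSName validator takes care of the IDNA case), so add a line explaining it. Also, `isinstance(zone, unicode)` means a `str` value passes through unnormalized; ipalib delivers unicode on this path, so that is fine today, but `basestring` would make the helper safe to reuse elsewhere.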
Re: [Freeipa-devel] [PATCH 0094] Non IDNA zone name should be normalized to lowercase
On Thu, 2014-07-03 at 19:03 +0200, Martin Basti wrote: Regression caused by removing validation in DNSName for regular domain names. In original code before IDNA, zones were normalized. Patch attached ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Subject changed to patch 0094 sorry, I attach patch again. -- Martin^2 Basti From ff9df6b6f7a28a0e598e20cd3308252ce836f7bb Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Thu, 3 Jul 2014 18:14:40 +0200 Subject: [PATCH] Non IDNA zonename should be normalized to lowercase Before IDNA support zone was normalized. --- ipalib/plugins/dns.py | 10 ++ 1 file changed, 10 insertions(+) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index c3a09e9d9d36f3bedc06407bf05d6ad47290a9b8..4c3497f6c74defbde3aa810f9d42b9c19ad870fc 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -1708,6 +1708,15 @@ def _records_idn_postprocess(record, **options): rrs.append(dnsvalue) record[attr] = rrs +def _normalize_zone(zone): +if isinstance(zone, unicode): +# normalize only non-IDNA zones +try: +return unicode(zone.encode('ascii')).lower() +except UnicodeError: +pass +return zone + class DNSZoneBase(LDAPObject): @@ -1727,6 +1736,7 @@ class DNSZoneBase(LDAPObject): label=_('Zone name'), doc=_('Zone name (FQDN)'), default_from=lambda name_from_ip: _reverse_zone_name(name_from_ip), +normalizer=_normalize_zone, primary_key=True, ), Str('name_from_ip?', _validate_ipnet, -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0087] Fix: missing records in 40-dns.update
On Thu, 2014-07-03 at 14:59 +0200, Petr Spacek wrote: On 2.7.2014 10:32, Petr Spacek wrote: On 2.7.2014 10:23, Martin Basti wrote: On Wed, 2014-07-02 at 09:40 +0200, Petr Spacek wrote: On 1.7.2014 17:28, Martin Basti wrote: Patch attached I'm not able to apply it on top of current master (21e1e4ac3bd62c20c6331ea3dc09793e3a869c22). Sorry I lost myself in ACIs, it depends on the patch mbasti-0084-2 and 0085-2 Okay, I will test it when you send new versions of 0084 and 0085. NACK. It doesn't work for me for some reason, tlsarecord was not added to aci for some reason. The same problem applies to DLVRecord and nSEC3PARAMRecord. DS record seems to be okay. Updated patch attached -- Martin^2 Basti From fb6d0c97625912d1558c6e590f483c3a3570ce68 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Tue, 1 Jul 2014 17:25:43 +0200 Subject: [PATCH] Fix: Missing ACI for records in 40-dns.update --- install/updates/40-dns.update | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update index 796a293692f790666bafaca865d010b7f6899e6f..290f1e402bdbaef232a4e43df1d1ece78aec625b 100644 --- a/install/updates/40-dns.update +++ b/install/updates/40-dns.update 
@@ -4,13 +4,13 @@ dn: cn=dns, $SUFFIX addifexist: objectClass: idnsConfigObject addifexist: aci:'(target = ldap:///idnsname=*,cn=dns,$SUFFIX;)(version 3.0;acl Add DNS entries in a zone;allow (add) userattr = parent[1].managedby#GROUPDN;)' addifexist: aci:'(target = ldap:///idnsname=*,cn=dns,$SUFFIX;)(version 3.0;acl Remove DNS entries from a zone;allow (delete) userattr = parent[1].managedby#GROUPDN;)' -addifexist: aci:'(targetattr = idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders)(target = ldap:///idnsname=*,cn=dns,$SUFFIX;)(version 3.0;acl Update DNS entries in a zone;allow (write) userattr = parent[0,1].managedby#GROUPDN;)' +addifexist: aci:'(targetattr = idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders dlvrecord || idnssecinlinesigning || nsec3paramrecord || 
tlsarecord)(target = ldap:///idnsname=*,cn=dns,$SUFFIX;)(version 3.0;acl Update DNS entries in a zone;allow (write) userattr = parent[0,1].managedby#GROUPDN;)' # replace DNS tree deny rule with managedBy enhanced allow rule dn: cn=dns, $SUFFIX replace:aci:'(targetattr = *)(version 3.0; acl No access to DNS tree without a permission; deny (read,search,compare) (groupdn != ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;) and (groupdn != ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX);)::(targetattr = *)(version 3.0; acl Read DNS entries from a zone; allow (read,search,compare) userattr = parent[0,1].managedby#GROUPDN;)' replace:aci:'(targetattr = *)(version 3.0; acl Allow read access; allow (read,search,compare) groupdn = ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX or userattr = parent[0,1].managedby#GROUPDN;)::(targetattr = *)(version 3.0; acl Read DNS entries from a zone; allow (read,search,compare) userattr = parent[0,1].managedby#GROUPDN;)' -replace:aci:'(targetattr = idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders)(target =
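Review bot: in the new `addifexist: aci:` line the attribute list reads `... || idnsforwardpolicy || idnsforwarders dlvrecord || idnssecinlinesigning || ...`, so the `||` between `idnsforwarders` and `dlvrecord` is missing and the two names become a single token; 389-ds rejects that with "targetattr idnsforwarders dlvrecord does not exist in schema", which is exactly the ipa-ldap-updater failure Petr Spacek reports later in this thread. Add the separator there, and check the `+replace:aci:` line as well, since it is cut off in this mail and presumably carries the same list. Separately, `replace:` only takes effect when its old half matches the stored ACI exactly, so keep that half byte-identical to the ACI a 3.3.5 install writes.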
Re: [Freeipa-devel] [PATCH 0087] Fix: missing records in 40-dns.update
On 3.7.2014 19:34, Martin Basti wrote: On Thu, 2014-07-03 at 14:59 +0200, Petr Spacek wrote: On 2.7.2014 10:32, Petr Spacek wrote: On 2.7.2014 10:23, Martin Basti wrote: On Wed, 2014-07-02 at 09:40 +0200, Petr Spacek wrote: On 1.7.2014 17:28, Martin Basti wrote: Patch attached I'm not able to apply it on top of current master (21e1e4ac3bd62c20c6331ea3dc09793e3a869c22). Sorry I lost myself in ACIs, it depends on the patch mbasti-0084-2 and 0085-2 Okay, I will test it when you send new versions of 0084 and 0085. NACK. It doesn't work for me for some reason, tlsarecord was not added to aci for some reason. The same problem applies to DLVRecord and nSEC3PARAMRecord. DS record seems to be okay. Updated patch attached Sorry, NACK! ;-) Upgrade from 3.3.5 died with error in ipa-ldap-updater: Parsing update file '/usr/share/ipa/updates/40-dns.update' Updating existing entry: cn=IPA DNS,cn=plugins,cn=config Done Updating existing entry: cn=dns,dc=ipa,dc=example Unexpected error - see /var/log/ipaupgrade.log for details: InvalidSyntax: targetattr idnsforwarders dlvrecord does not exist in schema. Please add attributeTypes idnsforwarders dlvrecord to schema if necessary. 
ACL Syntax Error(-5):(targetattr = \22idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord\22)(target = \22ldap:///idnsname=\2a,cn=dns,dc=ipa,dc=example\22)(version 3.0;acl \22Update DNS entries in a zone\22;allow (write) userattr = \22parent[0,1].managedby#GROUPDN\22;): Invalid syntax.

/var/log/ipaupgrade.log says this:

2014-07-03T18:52:48Z DEBUG Final value after applying updates
2014-07-03T18:52:48Z DEBUG dn: cn=dns,dc=ipa,dc=example
2014-07-03T18:52:48Z DEBUG objectClass:
2014-07-03T18:52:48Z DEBUG nsContainer
2014-07-03T18:52:48Z DEBUG top
2014-07-03T18:52:48Z DEBUG idnsConfigObject
2014-07-03T18:52:48Z DEBUG idnsConfigObject
2014-07-03T18:52:48Z DEBUG aci:
2014-07-03T18:52:48Z DEBUG (target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl Add DNS entries in a zone;allow (add) userattr = parent[1].managedby#GROUPDN;)
2014-07-03T18:52:48Z DEBUG (target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl Remove DNS entries from a zone;allow (delete) userattr = parent[1].managedby#GROUPDN;)
2014-07-03T18:52:48Z DEBUG (targetattr = idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders)(target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl Update DNS entries in a zone;allow (write) userattr = parent[0,1].managedby#GROUPDN;)
2014-07-03T18:52:48Z DEBUG (targetattr = *)(version 3.0; acl Allow read access; allow (read,search,compare) groupdn = ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example or userattr = parent[0,1].managedby#GROUPDN;)
2014-07-03T18:52:48Z DEBUG (target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl Add DNS entries in a zone;allow (add) userattr = parent[1].managedby#GROUPDN;)
2014-07-03T18:52:48Z DEBUG (target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl Remove DNS entries from a zone;allow (delete) userattr = parent[1].managedby#GROUPDN;)
2014-07-03T18:52:48Z DEBUG (targetattr = idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname ||
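The upgrade failure reported in this thread (a `targetattr` list in 40-dns.update where one `||` is missing, so two attribute names are fused into a token the server cannot find in its schema) is cheap to catch before the update file ever reaches ipa-ldap-updater. The checker below is an added example written for this page, not FreeIPA code: it pulls the `targetattr` clause out of a 389-ds ACI, splits it on `||`, and flags any token that is not a single attribute type name. The ACI strings and the update-file fragment it runs on are constructed for the example and only mirror the shape of the ones in the patch; the regular expressions are deliberately loose (quotes optional) so that quote-stripped copies like the ones pasted in mail are accepted too.

```python
"""Sanity check for the targetattr list of 389-ds ACIs in an ipa-ldap-updater
update file.

Added example for this thread, not FreeIPA code. It catches an attribute list
where a '||' separator is missing, so two names are fused into one token such
as "idnsforwarders dlvrecord", which the server rejects with
"does not exist in schema".
"""
import re

# (targetattr = "a || b || c") -- quotes are optional so that quote-stripped
# copies of an ACI (as pasted in mail) are accepted as well.
_TARGETATTR_RE = re.compile(r'\(targetattr\s*=\s*"?([^")]*)"?\)', re.IGNORECASE)
# One LDAP attribute type name: letters, digits, hyphens, optional ;options.
_ATTR_NAME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9;-]*$')


def parse_targetattr(aci):
    """Return the tokens of the ACI's targetattr clause, or None if it has none."""
    match = _TARGETATTR_RE.search(aci)
    if match is None:
        return None
    body = match.group(1).strip()
    if body == '*':
        return ['*']
    return [token.strip() for token in body.split('||')]


def find_bad_tokens(aci):
    """Return every targetattr token that is not a single attribute type name.

    A token containing whitespace ("idnsforwarders dlvrecord") means a missing
    '||'; an empty token means a doubled '||' or a trailing separator.
    """
    tokens = parse_targetattr(aci)
    if not tokens or tokens == ['*']:
        return []
    return [token for token in tokens if not _ATTR_NAME_RE.match(token)]


def check_update_lines(lines):
    """Scan update-file lines and map 1-based line numbers to their bad tokens.

    Handles "addifexist: aci:'...'" / "add: aci:'...'" as well as
    "replace:aci:'old::new'", checking both halves of a replace.
    """
    problems = {}
    for number, line in enumerate(lines, 1):
        if 'aci:' not in line:
            continue
        value = line.split('aci:', 1)[1].strip().strip("'")
        for part in value.split('::'):
            bad = find_bad_tokens(part)
            if bad:
                problems.setdefault(number, []).extend(bad)
    return problems


# Constructed sample: a shortened ACI with the same missing separator as the
# patch under review, and the corrected form next to it.
BROKEN_ACI = ('(targetattr = "idnsname || cn || idnsforwardpolicy || '
              'idnsforwarders dlvrecord || idnssecinlinesigning || '
              'nsec3paramrecord || tlsarecord")'
              '(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")'
              '(version 3.0;acl "Update DNS entries in a zone";'
              'allow (write) userattr = "parent[0,1].managedby#GROUPDN";)')
FIXED_ACI = BROKEN_ACI.replace('idnsforwarders dlvrecord',
                               'idnsforwarders || dlvrecord')

# Constructed update-file fragment in the style of 40-dns.update.
SAMPLE_UPDATE = [
    'dn: cn=dns, $SUFFIX',
    "addifexist: aci:'%s'" % BROKEN_ACI,
    "replace:aci:'%s::%s'" % (FIXED_ACI, FIXED_ACI),
]

if __name__ == '__main__':
    for number, bad in sorted(check_update_lines(SAMPLE_UPDATE).items()):
        print('line %d: malformed targetattr token(s): %r' % (number, bad))
```

Run against the sample it reports only line 2, the `addifexist` line carrying the fused `idnsforwarders dlvrecord` token; the corrected `replace` line passes. The check is purely syntactic: it does not know the schema, so a correctly separated but nonexistent attribute still has to be caught by the server.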
Re: [Freeipa-devel] [PATCH 0093] Restore priviledges after forward zone upgrade
On 3.7.2014 19:00, Martin Basti wrote: Patch attached Congratulations! I wasn't able to find any bug in this ;-) ACK from functional perspective. It can be pushed if there is no problem with Python side of things. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0094] Non IDNA zone name should be normalized to lowercase
On 3.7.2014 19:04, Martin Basti wrote: On Thu, 2014-07-03 at 19:03 +0200, Martin Basti wrote: Regresion caused by removing validation in DNSName for regular domain names In original code before IDNA, zones were normalized Patch attached Subject changed to patch 0094 sorry, I attach patch again. ACK from functional perspective. Command ipa dnszone TEST adds DNS zone test.. It can be pushed if there is no problem on Python side of things. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
Jan Cholasta wrote: On 2.7.2014 19:37, Jan Cholasta wrote: On 2.7.2014 19:08, Rob Crittenden wrote: Trimming to respond to your questions. Not sure if this is related: # pki cert-find PKIException: Internal Server Error I'm pretty sure the cert-find error is related to the fact that I had a test build of dogtag installed, so that can be ignored. It does not work for me as well, with the current F20 dogtag packages, but like I said, it worked some time ago. Still haven't figured this out, unfortunately. Added patches 304 and 305 to fix /etc/ipa/ca.crt not having all the CA certificates on master. Updated rebased patches attached. The correct order to apply is 295-294, 303-305, 295-299. 251 I'm a little confused about the profile names. I see you changed the renewal profile from ipaCACertRenewal to caCACert which I guess makes sense. I don't see a ipaCACertRenewal profile. There is still a reference to a ipaRetrieval profile, what is that? ACK to the changes in 291 299 I guess you added the check for existing certs to avoid conflicts? I guess it means that a user is hosed if they chose the same name for their CA that we use? I think you're missing a sys.exit(1) here. 303 Looks good. The man page is still a little thin 304 Not to be too pedantic but if removing the old CACERT fails (SELinux, immutable file) then the install will blow up and this is the very end. I think the removal should happen earlier, before anything else happens. That way at least you don't wait 10 minutes to find out the install failed. 
305 ACK I didn't have a ton of time to test but a basic install fails with: 2014-07-03T21:44:49Z DEBUG stderr= 2014-07-03T21:44:49Z DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 640, in run_script return_value = main_function() File /usr/sbin/ipa-server-install, line 1046, in main dm_password, subject_base=options.subject) File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 489, in configure_instance self.start_creation(runtime=210) File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 382, in start_creation method() File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 1041, in __import_ca_chain (rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25]) File /usr/lib/python2.7/site-packages/ipaserver/install/certs.py, line 79, in get_cert_nickname nsscert = x509.load_certificate(cert) File /usr/lib/python2.7/site-packages/ipalib/x509.py, line 119, in load_certificate return nss.Certificate(buffer(data)) 2014-07-03T21:44:49Z DEBUG The ipa-server-install command failed, exception: NSPRError: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel