Re: [Freeipa-devel] [PATCH 0107-0108] Fix DNS wildcard validation

2014-08-21 Thread Petr Spacek

On 20.8.2014 17:37, Martin Basti wrote:

+# dissallowed wildcard (RFC 4592)
+no_wildcard_rtypes = ['CNAME', 'DNAME', 'DS', 'NS']

NACK

http://tools.ietf.org/html/rfc4592#section-4.3 doesn't forbid CNAME with 
wildcard owner name. This subsection is just a note for implementers 
about proper wildcard handling.


Sorry :-)

--
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] - Add DRM to IPA

2014-08-21 Thread Petr Viktorin

On 08/20/2014 09:35 PM, Rob Crittenden wrote:
[...]

I'm kinda with Petr, I don't know that an uninstall option is needed.

On a single master install I successfully did a kra install, uninstall,
re-install, so maybe the issue that Petr saw was related to cloning.


Yes, on a single master it works great.


--
Petr³



Re: [Freeipa-devel] [PATCH] 733-735 webui: Better description for User authentication types

2014-08-21 Thread Petr Vobornik

On 13.8.2014 16:17, Endi Sukma Dewata wrote:

On 8/5/2014 6:38 AM, Petr Vobornik wrote:

[PATCH] 733 webui: rename tooltip to title

- use title for input's elements 'title' attribute
- tooltip for Bootstrap's tooltip component

https://fedorahosted.org/freeipa/ticket/4471


ACK.


[PATCH] 734 webui: tooltip support

Allow setting the 'tooltip' attribute in the spec. It displays an info icon
with Bootstrap's tooltip near the field's label.

https://fedorahosted.org/freeipa/ticket/4471


ACK.


[PATCH] 735 webui: better authentication types description

Tooltips were added to User authentication types and Default user
objectclasses to describe their relationship and the meaning of
not setting a value.

https://fedorahosted.org/freeipa/ticket/4471


Just one thing, in the patch comment you probably meant Default user
authentication types. ACK.



Yes, comment amended.

Pushed to:

master:
* def8696819e923bc7126af54bcd9f1452de30dcd webui: rename tooltip to title
* 19bef5bd01b2490e11ffaead12066c2ad0e0e885 webui: tooltip support
* 27128bd8f50cebb8fc3b8a86b642ca0e272d2024 webui: better authentication 
types description

ipa-4-1:
* 9554b5109c191df23872d4ca7f2fa29787df70f4 webui: rename tooltip to title
* c1290a768c6105045e7acae2cd13a9228a7d5f41 webui: tooltip support
* af83c37ef1311dca744f3775c5301d09e2ce61c6 webui: better authentication 
types description


--
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0107-0108] Fix DNS wildcard validation

2014-08-21 Thread Martin Basti

On 21/08/14 08:43, Petr Spacek wrote:

On 20.8.2014 17:37, Martin Basti wrote:

+# dissallowed wildcard (RFC 4592)
+no_wildcard_rtypes = ['CNAME', 'DNAME', 'DS', 'NS']

NACK

http://tools.ietf.org/html/rfc4592#section-4.3 doesn't forbid CNAME 
with wildcard owner name. This subsection is just a note for 
implementers about proper wildcard handling.


Sorry :-)


Thank you!

Updated patches attached.

--
Martin Basti

From cdda1ebffe16e3c331be7576b26fecdeeaf7b5f7 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 20 Aug 2014 15:14:12 +0200
Subject: [PATCH 1/2] FIX DNS wildcard records (RFC4592)

Make validation more strict

* DS, NS, CNAME, DNAME owners should not be a wildcard domain name
* zone name should not be a wildcard domain name

Ticket: https://fedorahosted.org/freeipa/ticket/4488
---
 ipalib/plugins/dns.py | 22 ++
 1 file changed, 22 insertions(+)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index fdcccb0b74a2b044a1ad917d22d2fe9696d7584c..2a4972cbb6dab142346246a9ea166a001d603a38 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -489,6 +489,14 @@ def _hostname_validator(ugettext, value):
 
 return None
 
+def _no_wildcard_validator(ugettext, value):
+Disallow usage of wildcards as RFC 4592 recommends
+
+assert isinstance(value, DNSName)
+if value.is_wild():
+return _('should not be a wildcard domain name (RFC 4592)')
+return None
+
 def is_forward_record(zone, str_address):
 addr = netaddr.IPAddress(str_address)
 if addr.version == 4:
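Review bot: the error text returned by `_no_wildcard_validator` cites RFC 4592 without a section, and the docstring says the RFC "recommends" rejecting wildcards. RFC 4592 section 4 only discourages particular RRsets at a wildcard owner (the thread above already established that a CNAME at a wildcard is fine), so the message and the docstring should name the subsection that applies to the parameter this validator is attached to; otherwise the next reader will again conclude that wildcards are forbidden outright.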
@@ -1731,6 +1739,7 @@ class DNSZoneBase(LDAPObject):
 
 takes_params = (
 DNSNameParam('idnsname',
+_no_wildcard_validator,  # RFC 4592 section 4
 only_absolute=True,
 cli_name='name',
 label=_('Zone name'),
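Review bot: attaching `_no_wildcard_validator` to `DNSZoneBase.idnsname` makes it apply to both master and forward zones, which is right, but the inline comment `# RFC 4592 section 4` should say which subsection covers a zone apex at a wildcard name. The only related test visible in the accompanying test patch is the cleanup entry `zone_fw_wildcard`; a positive test that `dnszone_add` and `dnsforwardzone_add` both reject such a name would pin the behaviour.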
@@ -2619,6 +2628,19 @@ class dnsrecord(LDAPObject):
 error=unicode(_('out-of-zone data: record name must '
 'be a subdomain of the zone or a '
 'relative name')))
+# dissallowed wildcard (RFC 4592 section 4)
+no_wildcard_rtypes = ['DNAME', 'DS', 'NS']
+if (keys[-1].is_wild() and
+any(entry_attrs.get('%srecord' % r.lower())
+for r in no_wildcard_rtypes)
+):
+raise errors.ValidationError(
+name='idnsname',
+error=(_('owner of %(types)s records '
+'should not be a wildcard domain name (RFC 4592)') %
+{'types': ', '.join(no_wildcard_rtypes)}
+)
+)
 
 def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
 assert isinstance(dn, DN)
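Review bot: this check only inspects the attributes handed to the add pre-callback, so adding an NS, DS or DNAME record to an already existing wildcard owner through `dnsrecord-mod` is not caught here; please confirm the mod path runs the same validation or add it there. Two smaller points: the message always lists all of `DNAME, DS, NS` regardless of which type triggered it (build the list from the matching entries instead, so the user sees the offending type), and the comment has a typo, `dissallowed`.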
-- 
1.8.3.1

From a92a3806da7314c2667724283ee6c05c9b923ced Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 20 Aug 2014 17:26:34 +0200
Subject: [PATCH 2/2] Tests: DNS wildcard records

Ticket: https://fedorahosted.org/freeipa/ticket/4488
---
 ipatests/test_xmlrpc/test_dns_plugin.py | 47 -
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index 50b4d2ec7bf4d55f7d138f45993184f1bf7790bd..f20b61755e2b22f1219dc9e85140b8a0863a5295 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -263,6 +263,7 @@ zone_findtest_forward = u'forward.find.test.'
 zone_findtest_forward_dnsname = DNSName(zone_findtest_forward)
 zone_findtest_forward_dn = DN(('idnsname', zone_findtest_forward), api.env.container_dns, api.env.basedn)
 
+zone_fw_wildcard = u'*.wildcardforwardzone.test.'
 
 class test_dns(Declarative):
 
@@ -289,7 +290,8 @@ class test_dns(Declarative):
  revzone3_classless1, revzone3_classless2,
  idnzone1, revidnzone1, zone_findtest_master],
 {'continue': True}),
-('dnsforwardzone_del', [fwzone1, zone_findtest_forward],
+('dnsforwardzone_del', [fwzone1, zone_findtest_forward,
+zone_fw_wildcard],
 {'continue': True}),
 ('dnsconfig_mod', [], {'idnsforwarders' : None,
'idnsforwardpolicy' : None,
@@ -2736,6 +2738,39 @@ class test_dns(Declarative):
 
 
 dict(
+desc='Try to add NS record to wildcard owner %r in zone %r' % (wildcard_rec1, zone1),
+command=('dnsrecord_add', [zone1, wildcard_rec1], {'nsrecord': zone2_ns, 'force': True}),
+expected=errors.ValidationError(
+name='idnsname',
+error=(u'owner of DNAME, DS, NS records '
+'should not be a wildcard domain name (RFC 4592)')
+)
+),
+
+
+dict(
+desc='Try to add DNAME record to wildcard owner %r in zone %r' % (wildcard_rec1, 
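Review bot: the expected error in the NS test hard-codes the string `owner of DNAME, DS, NS records`, so the test silently depends on the order of `no_wildcard_rtypes` in dns.py; either join the same list in the test or make the message independent of the order. The patch text is cut off after the start of the DNAME test, so the DS case and the zone-name case (`_no_wildcard_validator`) could not be reviewed here.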

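Petr's point in this thread, that RFC 4592 describes how wildcards are matched rather than forbidding a CNAME at a wildcard owner, is easier to see with the matching rule written out. The block below is an added example, not FreeIPA code and not part of Martin's patch: it implements RFC 4592's closest-encloser rule for deciding whether a wildcard synthesizes an answer, next to the owner-type restriction the patch adds (NS, DS, DNAME, plus SOA for a zone name), with CNAME deliberately allowed. The sample zone, its names and the function names are constructed for the example.

```python
"""Wildcard owner-name rules in the spirit of RFC 4592 (added example, not FreeIPA code)."""
from typing import Dict, Iterable, List, Optional, Set

# owner name -> {rtype: [rdata, ...]}; names are absolute, e.g. "*.example."
Zone = Dict[str, Dict[str, List[str]]]

# RRsets that RFC 4592 section 4 leaves undefined or discourages at a wildcard
# owner. CNAME is deliberately absent: a wildcard CNAME is legal and is
# synthesized like any other wildcard RRset.
NO_WILDCARD_RTYPES = frozenset({"SOA", "NS", "DNAME", "DS"})


def _labels(name: str) -> List[str]:
    """Split an absolute, case-insensitive name into labels ("a.b." -> ["a", "b"])."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def _join(labels: List[str]) -> str:
    return ".".join(labels) + "."


def is_wild(name: str) -> bool:
    """RFC 4592 section 2.1.1: a wildcard domain name has "*" as its first label."""
    labels = _labels(name)
    return bool(labels) and labels[0] == "*"


def validate_wildcard_owner(owner: str, rtypes: Iterable[str]) -> Optional[str]:
    """Return an error string if any of `rtypes` must not live at a wildcard owner."""
    if not is_wild(owner):
        return None
    bad = sorted({t.upper() for t in rtypes} & NO_WILDCARD_RTYPES)
    if not bad:
        return None
    return ("owner of %s records should not be a wildcard domain name "
            "(RFC 4592 section 4)" % ", ".join(bad))


def validate_zone_name(name: str) -> Optional[str]:
    """A zone apex carries the SOA, so a wildcard zone name is rejected outright."""
    if is_wild(name):
        return "zone name should not be a wildcard domain name (RFC 4592 section 4)"
    return None


def _in_zone(labels: List[str], apex: List[str]) -> bool:
    return len(labels) >= len(apex) and labels[len(labels) - len(apex):] == apex


def existing_names(zone: Zone, apex: str) -> Set[str]:
    """Every owner plus its ancestors down to the apex (empty non-terminals exist too)."""
    apex_labels = _labels(apex)
    names = {_join(apex_labels)}
    for owner in zone:
        labels = _labels(owner)
        while labels and _in_zone(labels, apex_labels):
            names.add(_join(labels))
            labels = labels[1:]
    return names


def find_wildcard(zone: Zone, apex: str, qname: str) -> Optional[str]:
    """Return the wildcard owner that would synthesize an answer for qname, or None.

    RFC 4592 section 3.3.1: a wildcard matches only when qname does not exist
    and "*.<closest encloser>" exists, the closest encloser being the longest
    existing ancestor of qname. An existing intermediate name therefore blocks
    a wildcard higher up (x.sub.example. is not matched by *.example. when
    sub.example. exists).
    """
    apex_labels = _labels(apex)
    labels = _labels(qname)
    if not _in_zone(labels, apex_labels):
        return None                      # not in this zone at all
    existing = existing_names(zone, apex)
    if _join(labels) in existing:
        return None                      # exact name exists: answer or NODATA, never synthesis
    ancestor = labels[1:]
    while _join(ancestor) not in existing:   # terminates: the apex is always in `existing`
        ancestor = ancestor[1:]
    candidate = _join(["*"] + ancestor)
    owners = {_join(_labels(o)) for o in zone}
    return candidate if candidate in owners else None


# Constructed sample zone (not real data): a wildcard, a sibling leaf that
# blocks it, and an empty non-terminal "b.example." created by "a.b.example.".
SAMPLE_ZONE: Zone = {
    "example.": {"SOA": ["ns1.example. hostmaster.example. 1 3600 900 604800 300"],
                 "NS": ["ns1.example."]},
    "ns1.example.": {"A": ["192.0.2.1"]},
    "*.example.": {"A": ["192.0.2.53"]},
    "sub.example.": {"A": ["192.0.2.2"]},
    "a.b.example.": {"TXT": ["\"empty non-terminal test\""]},
}
```

`find_wildcard` is the resolver-side view that the RFC's section 4.3 note is about: the wildcard CNAME at `*.example.` would be synthesized for `foo.example.` but not for `x.sub.example.`, and the validators are the server-side rule the patch enforces.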
Re: [Freeipa-devel] [PATCH 0030][DOC] Chapter 1 and 2 updates to documentation

2014-08-21 Thread Petr Viktorin

On 08/11/2014 03:28 PM, Gabe Alford wrote:

Thanks, Petr.

What is the project's preference here as far as (if they were correct)
having documentation flow from RHEL to the Fedora docs? It seems to me
that really the upstream should be Freeipa Docs that flows into RHEL
docs (with mods for RH needs)?


Hello,
The preference is that the upstream FreeIPA docs flow into RHEL, yes.



--
Petr³



[Freeipa-devel] [PATCH] 0154-0158 improve trust operations

2014-08-21 Thread Alexander Bokovoy

Hi!

Attached patchset improves trust operations:

1. Ensures we only allow establishing trust to the forest root domain
2. Ensures that we select primary domain controllers
3. Ensures the trust is created first and only later set to transitive state
  and the forest topology updated
4. Relaxes filtering of domains obtained from the AD side to allow some
  possible topology combinations which were not accounted for
  previously
5. Falls back to any PDC rather than the closest one if the closest one is
  not available due to site mismanagement.

Affected tickets:
 https://fedorahosted.org/freeipa/ticket/4463
 https://fedorahosted.org/freeipa/ticket/4479
 https://fedorahosted.org/freeipa/ticket/4458

The patches should apply cleanly to master and ipa-3-3 (and 4-0/4-1
branches).

They were tested with Windows Server 2008R2 and Windows Server 2012
environments.

--
/ Alexander Bokovoy
From 18b27e8363799070cce57ab393787c99fa7ebc77 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Tue, 19 Aug 2014 16:19:45 +0300
Subject: [PATCH 1/5] ipaserver/dcerpc.py: if search of a closest GC failed, 
 try to find any GC

https://fedorahosted.org/freeipa/ticket/4458
---
 ipaserver/dcerpc.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index f1c7508..b11476a 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -588,7 +588,11 @@ class DomainValidator(object):
 try:
 result = netrc.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | 
nbt.NBT_SERVER_GC | nbt.NBT_SERVER_CLOSEST)
 except RuntimeError, e:
-finddc_error = e
+try:
+# If search of closest GC failed, attempt to find any one
+result = netrc.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP 
| nbt.NBT_SERVER_GC)
+except RuntimeError, e:
+finddc_error = e
 
 if not self._domains:
 self._domains = self.get_trusted_domains()
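Review bot: the exception from the first `finddc` call (the one with `NBT_SERVER_CLOSEST`) is discarded when the fallback runs, which hides exactly the site misconfiguration that ticket 4458 is about; log it at debug level before retrying. A short comment on why CLOSEST is dropped in the retry would also stop someone from "simplifying" this back to a single call later.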
-- 
1.9.3

From 96e5022a65798f4f4961ea904ce639ffe4477dc1 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Tue, 19 Aug 2014 16:21:21 +0300
Subject: [PATCH 2/5] ipaserver/dcerpc.py: make PDC discovery more robust

Certain operations against AD domain controller can only be done if its
FSMO role is primary domain controller. We need to use writable DC and
PDC when creating trust and updating name suffix routing information.

https://fedorahosted.org/freeipa/ticket/4479
---
 ipaserver/dcerpc.py | 21 -
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index b11476a..78bfc5d 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -706,16 +706,19 @@ class TrustDomainInstance(object):
 binding_template=lambda x,y,z: u'%s:%s[%s]' % (x, y, z)
 return [binding_template(t, remote_host, o) for t in transports for o 
in options]
 
-def retrieve_anonymously(self, remote_host, discover_srv=False):
+def retrieve_anonymously(self, remote_host, discover_srv=False, 
search_pdc=False):
 
 When retrieving DC information anonymously, we can't get SID of the 
domain
 
 netrc = net.Net(creds=self.creds, lp=self.parm)
+flags = nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | 
nbt.NBT_SERVER_WRITABLE
+if search_pdc:
+flags = flags | nbt.NBT_SERVER_PDC
 try:
 if discover_srv:
-result = netrc.finddc(domain=remote_host, 
flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
+result = netrc.finddc(domain=remote_host, flags=flags)
 else:
-result = netrc.finddc(address=remote_host, 
flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
+result = netrc.finddc(address=remote_host, flags=flags)
 except RuntimeError, e:
 raise assess_dcerpc_exception(message=str(e))
 
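Review bot: `nbt.NBT_SERVER_WRITABLE` is now requested unconditionally, so callers that leave `search_pdc=False` also get a behaviour change (a read-only DC no longer satisfies `retrieve_anonymously`); the commit message only talks about PDC discovery, so either state this there or put WRITABLE under the `search_pdc` condition if it was not intended.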
@@ -726,6 +729,7 @@ class TrustDomainInstance(object):
 self.info['dns_forest'] = unicode(result.forest)
 self.info['guid'] = unicode(result.domain_uuid)
 self.info['dc'] = unicode(result.pdc_dns_name)
+self.info['is_pdc'] = (result.server_type  nbt.NBT_SERVER_PDC) != 0
 
 # Netlogon response doesn't contain SID of the domain.
 # We need to do rootDSE search with LDAP_SERVER_EXTENDED_DN_OID 
control to reveal the SID
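Review bot: the posted line `self.info['is_pdc'] = (result.server_type  nbt.NBT_SERVER_PDC) != 0` shows no operator between the two operands; the intent is clearly a bitwise AND, so please confirm the committed patch reads `result.server_type & nbt.NBT_SERVER_PDC` (mail archives routinely eat `&`).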
@@ -774,6 +778,13 @@ class TrustDomainInstance(object):
 self.info['sid'] = unicode(result.sid)
 self.info['dc'] = remote_host
 
+try:
+result = self._pipe.QueryInfoPolicy2(self._policy_handle, 
lsa.LSA_POLICY_INFO_ROLE)
+except RuntimeError, (num, message):
+raise assess_dcerpc_exception(num=num, message=message)
+
+self.info['is_pdc'] = (result.role == lsa.LSA_ROLE_PRIMARY)
+
 def generate_auth(self, trustdom_secret):
 def arcfour_encrypt(key, data):
 c = RC4.RC4(key)
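Review bot: `is_pdc` is now filled from two different sources, the Netlogon `server_type` flags in the anonymous path and `LSA_POLICY_INFO_ROLE` here, and a failure of `QueryInfoPolicy2` aborts the whole retrieval even though `sid` and `dc` were already populated. That is acceptable if every caller that needs a PDC would refuse to proceed anyway, but a comment saying so next to the `raise` would help, and a reader should not have to diff two methods to learn that the same key comes from two places.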
@@ -1069,9 +1080,9 @@ class 

Re: [Freeipa-devel] [PATCH] 736-740 webui: various minor fixes

2014-08-21 Thread Petr Vobornik

On 13.8.2014 17:20, Endi Sukma Dewata wrote:

On 8/5/2014 6:43 AM, Petr Vobornik wrote:

[PATCH] 736 webui: convert widget.less indentation to spaces


ACK.


[PATCH] 737 webui: improve rule table css

- category radio line has line-height large enough to contain
  undo button - content doesn't move several pixels on change
- remove vertical padding from btns in table headers to maintain
  about the same height
- remove invisible border from link buttons to have the same height
  for disabled and enabled button


ACK.


[PATCH] 738 webui: sshkey widget - usability fixes

- save one click by opening edit dialog right after adding new row
- add margin between fingerprint and show/edit button
- fix honoring of writable/read-only flags upon row creation


ACK. Possible improvements:

1. How about removing the row if the user cancels the addition or enters
blank value? That way the rows will always have values, so we don't need
the New: key set/not set labels anymore.


Good idea.



2. Can the UI parse the new key and display it the same way as other
keys that are already saved? That will make it more seamless.


Would be nice, but is it worth the effort? We would have to reimplement 
ipapython.ssh into JavaScript + pull in crypto.js or other lib for sha1 
and sha256 functions since Web Cryptography API is still only a draft [1].



[1] https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html



3. If we do #2, the Show/Set key button probably can be changed to
Edit or Modify.


[PATCH] 739 webui: disable batch action buttons by default

Action buttons associated with batch actions were enabled by default
but were disabled right after facet creation and data load, which
caused a visual flicker.

UX is enhanced by making them disabled by default.


ACK.


[PATCH] 740 webui: fix group type padding


ACK.



Pushed to:

ipa-4-1:
* 500db900e578bc87bb95fef53ac8abff9ca47e4b webui: convert widget.less 
indentation to spaces

* 189f6fdfd539486cf49e114cf5d0ebf9fb6bee6e webui: improve rule table css
* a8a799822c4f1f3b17ac2b86ef8cf84a4a781d9e webui: sshkey widget - 
usability fixes
* dd45278e5aeb4fbb4b7f567ee6e6dda079afb728 webui: disable batch action 
buttons by default

* 2752f8e286074c210d3229ae94871afbfdc99f7f webui: fix group type padding
master:
* 8f73bf3713da42bfe6503ef2afbe4a6de3bf44d0 webui: convert widget.less 
indentation to spaces

* 356059e07ddb492aa9d6b63ee806ae804afbec40 webui: improve rule table css
* d138b44480dfef3220e0a39bef9c064a314ee6bf webui: sshkey widget - 
usability fixes
* 9446c4c8b4bc397c6c2d1d94725f7aae4b123b5f webui: disable batch action 
buttons by default

* 981b399c4e6938b4ab096dee9411cb025e221703 webui: fix group type padding

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 736-740 webui: various minor fixes

2014-08-21 Thread Simo Sorce
On Thu, 2014-08-21 at 14:11 +0200, Petr Vobornik wrote:
 
 Would be nice, but is it worth the effort? We would have to
 reimplement ipapython.ssh into JavaScript + pull in crypto.js or other
 lib for sha1 and sha256 functions since Web Cryptography API is still
 only a draft [1].

I do not do this lightly, but you have my veto to do any crypto in
javascript unless you convince me first it makes sense.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 0635 Support delegating RBAC roles to service principals

2014-08-21 Thread Martin Kosek
On 08/20/2014 06:09 PM, Petr Viktorin wrote:
 On 08/20/2014 10:59 AM, Martin Kosek wrote:
 On 08/19/2014 07:49 PM, Petr Viktorin wrote:
 On 08/19/2014 01:41 PM, Martin Kosek wrote:
 On 08/19/2014 01:28 PM, Petr Viktorin wrote:
 Services can now be added to roles.

 https://fedorahosted.org/freeipa/ticket/3164


 I added a new integration test for checking that a service can actually
 use the
 right granted by a role. I don't think there's a good way to do this kind 
 of
 thing in our Declarative test suite.

 1) I think you also need to update service object's attribute_members so 
 that
 it can properly show role membership.

 Right, added (with tests).

 Thanks! (especially for the tests)

 I am thinking about one usability improvement. All over the code, we allow
 specifying services without the REALM, as the realm is pretty clear and we do not
 need it from the user:

 # ipa service-add test/`hostname`
 --
 Added service test/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
 --
Principal: test/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
Managed by: ipa.mkosek-fedora20.test

 However, the new --services option does not allow that:

 ]# ipa role-add-member foo --services test/`hostname`
Role name: foo
Description: foo
Failed members:
  member user:
  member group:
  member host:
  member host group:
  member service: test/ipa.mkosek-fedora20.test: no such entry
 -
 Number of members added 0
 -

 Could we just add the realm if it does not exist in the service-add-member
 precallback?
 
 Looks like we want to add it any time we look up a service, right?
 This additional patch should do that.

Right. This approach works for me, ACK on both.

Pushed to:
master: a8ba6b3b8cdaf39152bce394ad419d28037f687e
ipa-4-1: e49768864f5fd735f9f30241b22c595908b762af

Martin



Re: [Freeipa-devel] [PATCH] ipa trust-add command should be interactive

2014-08-21 Thread Gabe Alford
Hello,

Just wondering if this needs to be re-ack'd.

Thanks,

Gabe


On Thu, Jul 31, 2014 at 7:57 AM, Gabe Alford redhatri...@gmail.com wrote:

 Okay. Sounds good. Update patch attached.


 On Thu, Jul 31, 2014 at 7:18 AM, Martin Kosek mko...@redhat.com wrote:

 Ah, right. But I still think that's a too-early optimization. We can add
 this
 callback when this necessity arises. Until then, I would rather prefer to
 keep
 the code clean.

 Martin

 On 07/31/2014 03:17 PM, Gabe Alford wrote:
  Right. The reason I added it in there is that I could see that in the
  future trust_type could be more than just 'ad' (maybe 'ipa', 'krb',
 etc?)
  which at that point I'm not sure a default makes sense. So, I thought
 to go
  ahead and add the check for future use cases so that it doesn't have to
 be
  remembered later. However, maybe that was just a bad idea as right now
 it
  is a pointless check?
 
  Gabe
 
 
  On Thu, Jul 31, 2014 at 3:18 AM, Alexander Bokovoy aboko...@redhat.com
 
  wrote:
 
  On Thu, 31 Jul 2014, Martin Kosek wrote:
 
  Sorry for going late in the game, just a quick question - why do we
 want
  to add
  this part:
 
  +if trust_type is None:
  +kw['trust_type'] = self.prompt_param(self.params[
  'trust_type'])
 
  ? I do not see a reason for adding a special interactive prompt
 callback
  for
  that - trust_type has a default value ad. CCing Alexander to double
  check.
 
  I also don't understand why you need to ask interactively for the
  trust_type as it defaults to non-empty value and this value is the only
  one we currently support.
 
 
  --
  / Alexander Bokovoy
 
 



From 3fc52b8fec42a294f0e95f0bd8bcc2f1e0958ed3 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Thu, 31 Jul 2014 07:26:00 -0600
Subject: [PATCH] ipa trust-add command should be interactive

- Make ipa trust-add command interactive for realm_admin and realm_passwd
- Fix 'Active directory' typo to 'Active Directory'

https://fedorahosted.org/freeipa/ticket/3034
---
 ipalib/plugins/trust.py |   26 +-
 1 files changed, 25 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 
fe1a76719b0e35136fb46d917bd998cdfd631695..736cb6f573f9a18eca882db136133205c583b67d
 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -435,7 +435,7 @@ sides.
 ),
 Password('realm_passwd?',
 cli_name='password',
-label=_(Active directory domain administrator's password),
+label=_(Active Directory domain administrator's password),
 confirm=False,
 ),
 Str('realm_server?',
@@ -511,6 +511,30 @@ sides.
 
 return result
 
+def interactive_prompt_callback(self, kw):
+
+Also ensure that realm_admin is prompted for if --admin or
+--trust-secret is not specified when 'ipa trust-add' is run on the
+system.
+
+Also ensure that realm_passwd is prompted for if --password or
+--trust-secret is not specified when 'ipa trust-add' is run on the
+system.
+
+
+trust_secret = kw.get('trust_secret')
+realm_admin = kw.get('realm_admin')
+realm_passwd = kw.get('realm_passwd')
+
+if trust_secret is None:
+if realm_admin is None:
+kw['realm_admin'] = self.prompt_param(
+   self.params['realm_admin'])
+
+if realm_passwd is None:
+kw['realm_passwd'] = self.Backend.textui.prompt_password(
+   self.params['realm_passwd'].label, confirm=False)
+
 def validate_options(self, *keys, **options):
 if not _bindings_installed:
 raise errors.NotFound(
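Review bot: the docstring says "Also ensure" twice with nothing it is adding to; fold it into one sentence ("Prompt for realm_admin and realm_passwd when --trust-secret is not given and they were not supplied on the command line"). The logic itself matches that description: both prompts are skipped whenever `trust_secret` is set, and the password is read with `prompt_password(..., confirm=False)`, consistent with `confirm=False` on the `realm_passwd` param.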
-- 
1.7.1


Re: [Freeipa-devel] [PATCH] - Add DRM to IPA

2014-08-21 Thread Ade Lee
As agreed on #irc, disabling uninstallation for now.
Please apply this new patch on top of the big one.

Ade

On Thu, 2014-08-21 at 01:15 -0400, Ade Lee wrote:
 On Wed, 2014-08-20 at 15:35 -0400, Rob Crittenden wrote:
  Ade Lee wrote:
   On Thu, 2014-08-14 at 14:29 +0200, Petr Viktorin wrote:
   On 08/14/2014 10:53 AM, Martin Kosek wrote:
   On 08/13/2014 09:54 PM, Ade Lee wrote:
   In Dogtag, we have decided to revert the name of the DRM to the old 
   name KRA.
   DRM was really only used in docs/marketing, whereas KRA is all over 
   the code.
   Soon, the code and the marketing/docs will match.
  
   The following patch changes all references to the DRM to KRA.
   so for example, you need to run ipa-kra-install etc.
  
   Please apply this on top of the previous patch.  I'll go ahead and 
   squash them
   before commit.
  
   Thanks,
   Ade
  
   Ah, thanks for unifying that one. I changed DRM component in FreeIPA 
   Trac to
   KRA and assigned respective tickets to that. Let us use the KRA term 
   for the
   Vault then.
  
   Martin
  
  
   ipa_drm_install.py: No newline at end of file
   ipa_drm_install.DRMInstaller.FAIL_MESSAGE: the command is 
   ipa-drm-install (with hyphens)
  
   fixed
  
   The error I got previously was when running ipa-kra-install on a replica 
   that didn't have CA yet. It would be nice to provide a better message 
   for this case.
  
   agreed.  the problem here was that the check to see whether a ca was
   already installed locally was not working as expected.
   
   I have since added a new check - which should fail if a CA is not
   installed locally.
   
  
   On a replica with KRA, I get:
$ sudo ipa-kra-install --uninstall
Usage: ipa-kra-install [options] [replica_file]
  
ipa-kra-install: error: Cannot uninstall.  There is no KRA 
   installed on this system.
  
   
   Not sure what happened there.  With the latest code, that does not
   appear to happen for me.  Let me know if it recurs.
   
   I tested the kra plugin with this Python script:
  
from ipalib import api
api.bootstrap(context='server', kra_host='localhost')
api.finalize()
api.Backend.kra.store_secret('test', 'tkey')
  
   which gives me:
  
Traceback (most recent call last):
  File stdin, line 1, in module
  File ipaserver/plugins/dogtag.py, line 2012, in store_secret
self._setup()
  File ipaserver/plugins/dogtag.py, line 1965, in _setup
connection = PKIConnection('https', self.kra_host, 
   self.kra_port, 'kra')
  File /usr/lib/python2.7/site-packages/pki/client.py, line 36, 
   in __init__
self.hostname + ':' + self.port + '/' + \
TypeError: coercing to Unicode: need string or buffer, int found
  
  
   Apparently, PKIConnection requires the port to be a string, but we pass 
   an int. I'd consider this an issue in pki.
  
   Agreed.  I will open a ticket to fix it in pki.  For now though, I have
   cast to str().
   
  
   The kra_host='localhost' option to api.bootstrap is necessary because 
   kra_host is not added to default.conf on install. How is this planned to 
   work when the plugin is done?
  
   I followed what was done for ca_host, but did not set the required
   default in constants.py. That's fixed, so this should work now.
   
   After discussion with Endi, I also removed some functions in dogtag.py
   (the plugin) which basically just wrapped calls to the keyclient.  There
   is no need to do this wrapping and it is much more flexible for IPA code
   to call the keyclient directly.  Accordingly, I have added a method to
   get the keyclient.  Your test code would look like this now:
   
 from ipalib import api
 from pki.key import KeyClient
 api.bootstrap(context='server')
 api.finalize()
 keyclient = api.Backend.kra.get_keyclient()
 keyclient.archive_key('test', KeyClient.PASS_PHRASE_TYPE,'tkey')
   
   I added a couple of directives in the proxy file to allow it to progress
   further and it now fails in trying to do the archive_key due to
   authentication issues.
   
 Did some more investigation on this.  It turns out that the problem is
 in the PEM file that is generated (/etc/httpd/alias/agent.pem)
 
 There are in fact two problems.  One is that the agent.pem that is
 available there is for the IPA RA agent, who is not an agent on the KRA.
 Also, it appears that the PEM file itself may have some weirdness in its
 format.
 
 The PEM file is generated by the code _generate_pem_file() in dogtag.py.
 That code will need to be re-examined and fixed.  I would like to leave
 that task to Endi - as he needs to decide how/which agent will be used
 to communicate with the KRA.
 
 If you use a valid agent PEM, then the above test code works.
 
 Here is what I did:
 $ openssl pkcs12 -in /root/ca_agent.p12 -out /etc/httpd/alias/agent.pem -nodes
 
 And then I ran the following without issues:
 
 from ipalib import api
 from 

Re: [Freeipa-devel] [PATCH] - Add DRM to IPA

2014-08-21 Thread Petr Viktorin

On 08/21/2014 03:48 PM, Ade Lee wrote:

As agreed on #irc, disabling uninstallation for now.
Please apply this new patch on top of the big one.



I'm fine with pushing a patch with incomplete functionality, after all I 
did this all the time with permissions.


The incomplete parts (apart from the plugin which is entirely out of 
scope) are:

- The agent PEM issue (will be sorted out as the plugin is implemented)
- Missing man page (will be written before the plugin is implemented)
- Uninstall (will be fixed on Dogtag side, re-tested and enabled)

I'll open tickets for these before pushing.

ACK from me if Rob agrees. On IRC, Rob said he'd rather delay pushing 
until the man page is written, but delegated the decision to Martin.
So, Martin, can we push now and trust Ade's promise that he'll write the 
docs?



--
Petr³



[Freeipa-devel] [PATCH] 742 webui: adjust behavior of bounce url

2014-08-21 Thread Petr Vobornik
based  on: 
http://www.redhat.com/archives/freeipa-devel/2014-August/msg00073.html


- bounce url param was renamed from 'redirect' to 'url'
- support for 'delay' param added

Behavior:

- Continue to next page link is shown if 'url' is present
- page is no longer automatically redirected if 'url' is present
- automatic redirect is controlled by 'delay' param - it specifies
  number of seconds until redirection
- info message 'You will be redirected in Xs' is shown to notify
  the user that something will happen. It's useful even if delay
  is 0 or negative because redirection might be slow.
- counter is decremented every second
- delay is ignored if parsed as NaN

https://fedorahosted.org/freeipa/ticket/4440
--
Petr Vobornik
From 10317eee01d427245be07c1666bf425fbbb596ec Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Thu, 21 Aug 2014 17:43:39 +0200
Subject: [PATCH] webui: adjust behavior of bounce url

- bounce url param was renamed from 'redirect' to 'url'
- support for 'delay' param added

Behavior:

- Continue to next page link is shown if 'url' is present
- page is no longer automatically redirected if 'url' is present
- automatic redirect is controlled by 'delay' param - it specifies
  number of seconds until redirection
- info message 'You will be redirected in Xs' is shown to notify
  the user that something will happen. It's useful even if delay
  is 0 or negative because redirection might be slow.
- counter is decremented every second
- delay is ignored if parsed as NaN

https://fedorahosted.org/freeipa/ticket/4440
---
 install/ui/reset_password.html |  3 +++
 install/ui/reset_password.js   | 45 --
 2 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/install/ui/reset_password.html b/install/ui/reset_password.html
index 598fe8f1e9cc440699ccfdd257dd6f569fc4..ec09bbfafc1670df4bdb082c4f337be1ea81213f 100644
--- a/install/ui/reset_password.html
+++ b/install/ui/reset_password.html
@@ -50,6 +50,9 @@
 div class=alert alert-warning style=display:none;
 span class=fa fa-warning/spanp/p
 /div
+div class=alert alert-info style=display:none;
+span class=fa fa-info-circle/spanp/p
+/div
 /div
 /div
 /div
diff --git a/install/ui/reset_password.js b/install/ui/reset_password.js
index 1afc76eba061a7015d1e817e840177fd60e35160..2e0db7db8049aa3edc9bccbfe87b7224d3a68878 100644
--- a/install/ui/reset_password.js
+++ b/install/ui/reset_password.js
@@ -134,6 +134,16 @@ RP.show_error = function(message) {
 $('.alert-success').css('display', 'none');
 };
 
+RP.show_info = function(message) {
+
+$('.alert-info  p').text(message || '');
+if (!message) {
+$('.alert-info').css('display', 'none');
+} else {
+$('.alert-info').css('display', '');
+}
+};
+
 RP.show_success = function(message) {
 
 $('.alert-success  p').text(message);
@@ -158,10 +168,41 @@ RP.parse_uri = function() {
 RP.redirect = function() {
 
 var opts = RP.parse_uri();
-var url = opts['redirect'];
+var url = opts['url'];
+var delay = parseInt(opts['delay'], 10);
+
+var msg_cont = $('.alert-success  p');
+$('.redirect', msg_cont).remove();
+
+// button for manual redirection
 if (url) {
-window.location = url;
+var redir_cont = $('span/', { 'class': 'redirect' }).
+append(' ').
+append($('a/', {
+href: url,
+text: 'Continue to next page'
+})).
+appendTo(msg_cont);
+} else {
+return;
 }
+
+if (delay = 0 || delay  0) { // NaN check
+RP.redir_url = url;
+RP.redir_delay = delay;
+RP.redir_count_down();
+}
+};
+
+RP.redir_count_down = function() {
+
+RP.show_info(You will be redirected in  + Math.max(RP.redir_delay, 0) + s);
+if (RP.redir_delay = 0) {
+window.location = RP.redir_url;
+return;
+}
+window.setTimeout(RP.redir_count_down, 1000);
+RP.redir_delay--;
 };
 
 
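Review bot: `url` comes straight from the query string and is used both as the `href` of the Continue link and as `window.location`, with no check on scheme or origin, so a crafted reset link with `?url=javascript:...` (the anchor) or `?url=https://attacker...` (the redirect) turns the password reset page into a script vector and an open redirect; restrict it to same-origin paths (reject anything with a scheme or starting with `//`) before using it, and note that the old `redirect` parameter had the same problem. Two further points: the NaN test `if (delay = 0 || delay  0)` as posted has lost its comparison operators (presumably `>=` and `<`), and `RP.redir_count_down` schedules a new timeout every second without keeping the handle, so calling `RP.redirect` twice starts two countdowns.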
-- 
1.9.3

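The behaviour list above (link only if 'url' is present, automatic redirect only if 'delay' parses as a number) leaves open what counts as an acceptable 'url'. The block below is an added example, not FreeIPA code and not part of this patch, written in Python like the rest of the examples on this page so it can be run as a test: it mirrors `parseInt(x, 10)` for the delay and applies the checks a bounce URL needs before a page may put it in an `href` or `window.location`, rejecting other origins, `javascript:`/`data:` schemes, protocol-relative `//host` references, embedded credentials, backslashes and control characters. The origin `https://ipa.example.test` and all inputs are assumed values for the example.

```python
"""Validate a user-supplied bounce URL and delay before redirecting (added example)."""
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

_DELAY_RE = re.compile(r"\s*([+-]?\d+)")          # JS parseInt(x, 10): leading integer
_UNSAFE_CHARS = re.compile(r"[\x00-\x20\x7f\\]")  # control chars, whitespace, backslash


def parse_delay(raw: Optional[str]) -> Optional[int]:
    """Mirror `parseInt(opts['delay'], 10)`: leading integer, or None where JS gives NaN."""
    if raw is None:
        return None
    m = _DELAY_RE.match(raw)
    return int(m.group(1)) if m else None


def safe_bounce_target(raw: Optional[str], allowed_origin: str) -> Optional[str]:
    """Return an absolute URL on allowed_origin, or None if raw must not be used.

    Accepts only a same-origin absolute http(s) URL or a path that starts with a
    single "/". Everything else (javascript:, data:, protocol-relative "//host",
    other hosts or ports, embedded credentials, backslashes, control characters)
    is refused, so the value is safe both as an href and as a location.
    """
    if not raw or _UNSAFE_CHARS.search(raw):
        return None
    origin = urlsplit(allowed_origin)
    parts = urlsplit(raw)
    if parts.scheme == "" and parts.netloc == "":
        # relative reference: require an absolute path. A leading "//" never gets
        # here because urlsplit would have parsed the host into netloc.
        if not parts.path.startswith("/"):
            return None
        return urlunsplit((origin.scheme, origin.netloc, parts.path,
                           parts.query, parts.fragment))
    if parts.scheme.lower() not in ("http", "https"):
        return None           # javascript:, data:, vbscript:, ...
    if parts.username is not None or parts.password is not None:
        return None           # https://trusted@attacker/ style confusion
    if (parts.scheme.lower(), parts.netloc.lower()) != \
            (origin.scheme.lower(), origin.netloc.lower()):
        return None           # different host or port: open redirect
    return urlunsplit((origin.scheme, origin.netloc, parts.path or "/",
                       parts.query, parts.fragment))


def redirect_plan(params: dict, allowed_origin: str) -> Tuple[Optional[str], Optional[int]]:
    """Decide what the page may do: (link target or None, auto-redirect delay or None).

    No valid target means neither a Continue link nor an automatic redirect;
    a valid target with an unparsable delay means link only, matching the
    "delay is ignored if parsed as NaN" rule.
    """
    target = safe_bounce_target(params.get("url"), allowed_origin)
    if target is None:
        return None, None
    return target, parse_delay(params.get("delay"))
```

A hostname comparison that ignores the port would let `https://ipa.example.test:8443/` through to a different service on the same host, which is why the whole `netloc` is compared; the trade-off is that a URL that spells out the default port is rejected, which is harmless for a bounce parameter the application generates itself.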

[Freeipa-devel] [PATCHES 0111-0113] Fix NS record coexistence validation

2014-08-21 Thread Martin Basti

During work on DNSSEC we found an incorrect validation of NS records.
Patch 0113 fixes an error in tests caused by bind-dyndb-ldap bug 
https://fedorahosted.org/bind-dyndb-ldap/ticket/123

Patches attached.

--
Martin Basti

From 625b69151f3ff7d8fb18e62b2cc9542fc03b7c17 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Thu, 21 Aug 2014 18:08:10 +0200
Subject: [PATCH 1/3] DNS fix NS record coexistence validator

NS can coexist only with A, , DS, NS records
---
 ipalib/plugins/dns.py | 21 -
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index c7a6ae1baac595eb7344bafaf6b893820b691871..24b303d8405aa3b4a6e0474e75d0e46e6949860d 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -2919,11 +2919,6 @@ class dnsrecord(LDAPObject):
 error=_('only one DNAME record is allowed per name '
 '(RFC 6672, section 2.4)'))
 # DNAME must not coexist with CNAME, but this is already checked earlier
-if rrattrs.get('nsrecord') and not keys[1].is_empty():
-raise errors.ValidationError(name='dnamerecord',
-  error=_('DNAME record is not allowed to coexist with an '
-  'NS record except when located in a zone root '
-  'record (RFC 6672, section 2.3)'))
 
 # DS record validation
 dsrecords = rrattrs.get('dsrecord')
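Review bot: dropping the DNAME/NS check here is safe only because the NS validator added later in this file rejects DNAME at non-apex names, which it does since DNAME is not in its allowed list. The user-visible effect is that adding an NS beside an existing DNAME now fails with an error named `nsrecord` citing RFC 2181 section 6.1 instead of `dnamerecord` citing RFC 6672; consider mentioning the DNAME rule (RFC 6672, section 2.3 as cited by the removed message) in the new NS message so the reason is still discoverable.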
@@ -2935,6 +2930,22 @@ class dnsrecord(LDAPObject):
 error=_('DS record requires to coexist with an '
  'NS record (RFC 4529, section 4.6)'))
 
+# NS record validation
+# NS record can coexist only with A, , DS, and other NS records (except zone apex)
+# RFC 2181 section 6.1,
+allowed_records = ['', 'A', 'DS', 'NS']
+if nsrecords and not self.is_pkey_zone_record(*keys):
+for r_type in _record_types:
+if (r_type not in allowed_records
+and rrattrs.get('%srecord' % r_type.lower())
+):
+raise errors.ValidationError(
+name='nsrecord',
+error=_('NS record is not allowed to coexist with an '
+'%(type)s record except when located in a '
+'zone root record (RFC 2181, section 6.1)') %
+{'type': r_type})
+
 
 def _entry2rrsets(self, entry_attrs, dns_name, dns_domain):
 '''Convert entry_attrs to a dictionary {rdtype: rrset}.
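Review bot: `nsrecords` is tested on the `if nsrecords and not self.is_pkey_zone_record(*keys):` line but is not bound anywhere in this hunk; the removed code read `rrattrs.get('nsrecord')` directly, so make sure it is assigned earlier in this method (the way `dsrecords = rrattrs.get('dsrecord')` is on the context line above) or the new check raises NameError rather than ValidationError. Two smaller points: `'NS record is not allowed to coexist with an %(type)s record'` produces "an DNAME", "an A", "an MX", so drop the article or pick a/an per type; and the loop stops at the first conflicting entry of `_record_types`, so a name carrying several offending types reveals them one add attempt at a time, where collecting them into one message would be friendlier.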
-- 
1.8.3.1

From 161daf7b0561119300db048112b9b8021c5dcf6c Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Thu, 21 Aug 2014 18:09:22 +0200
Subject: [PATCH 2/3] Test: DNS NS validation

---
 ipatests/test_xmlrpc/test_dns_plugin.py | 33 +
 1 file changed, 17 insertions(+), 16 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index 97e567d29237ad647a71f804e20c52ac0700421a..d2d5b3c0ce8c6d7ab714af15d3c95aa846f72313 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -123,6 +123,10 @@ name1_dn = DN(('idnsname',name1), zone1_dn)
 name1_renamed = u'testdnsres-renamed'
 name1_renamed_dnsname = DNSName(name1_renamed)
 
+name_ns = u'testdnsres-ns'
+name_ns_dnsname = DNSName(name_ns)
+name_ns_dn = DN(('idnsname',name_ns), zone1_dn)
+
 revname1 = u'80'
 revname1_dnsname = DNSName(revname1)
 revname1_ip = revzone1_ipprefix + revname1
@@ -1168,9 +1172,10 @@ class test_dns(Declarative):
 desc='Try to add NS record to %r using dnsrecord_add' % (dname),
 command=('dnsrecord_add', [zone1, dname],
 {'nsrecord': u'%s.%s.' % (name1, zone1)}),
-expected=errors.ValidationError(name='dnamerecord',
-error=u'DNAME record is not allowed to coexist with an NS '
-  u'record except when located in a zone root record (RFC 6672, section 2.3)'),
+expected=errors.ValidationError(name='nsrecord',
+error=u'NS record is not allowed to coexist with an DNAME '
+  u'record except when located in a zone root record '
+  '(RFC 2181, section 6.1'),
 ),
 
 dict(
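Review bot: the expected message on the `'(RFC 2181, section 6.1'` line is missing the closing parenthesis and the `u` prefix the neighbouring fragments carry, while the plugin's message in patch 1/3 ends with `section 6.1)`; as written the string comparison fails. The expectation also bakes in the "an DNAME" wording, so if the article in the plugin message is fixed this line has to follow.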
@@ -1245,32 +1250,29 @@ class test_dns(Declarative):
 
 
 dict(
-desc='Try to add unresolvable absolute NS record to %r using dnsrecord_add' % (name1),
-command=('dnsrecord_add', [zone1, name1], {'nsrecord': absnxname}),
+desc='Try to add unresolvable absolute NS record to %r using dnsrecord_add' % (name_ns),
+command=('dnsrecord_add', [zone1, name_ns], {'nsrecord': absnxname}),
 expected=errors.NotFound(reason=uNameserver '%s' does not have a corresponding 
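
The coexistence rules the patches above enforce, as a stand-alone Python model (an added example, not FreeIPA's ipalib/plugins/dns.py): it goes beyond the patch by also covering the CNAME rule and DS at the apex, and `validate_name`, its `{rtype: [rdata, ...]}` input and the `is_apex` flag are this example's own conventions, as are the sample names in the demo.

```python
"""Record-coexistence checks for one DNS owner name.

Added example, not FreeIPA's ipalib/plugins/dns.py.  It models the rules
the patches in this thread enforce (NS below the apex may share a name
only with A, AAAA, DS and NS; DS needs NS; one DNAME per name) plus the
CNAME and apex-DS rules, so they can be exercised without an LDAP backend.
validate_name(), the {rtype: [rdata, ...]} input and the is_apex flag are
this example's own conventions.
"""

# Below the apex an NS set is a delegation; the only data that belongs at
# that name is the delegation itself, its DS set and glue addresses
# (RFC 2181, section 6.1; RFC 4035, section 2.4).
NS_COMPATIBLE = frozenset({"NS", "DS", "A", "AAAA"})

# Signed zones put these beside any owner name, so they never count as
# "other data" in the checks below.
DNSSEC_META = frozenset({"RRSIG", "NSEC", "NSEC3"})


def validate_name(rrsets, is_apex):
    """Return the list of violations for the rrsets at one owner name.

    rrsets maps a type name (any case) to its rdata strings; an empty list
    means the type is absent.  is_apex is True for the zone's own name.
    """
    norm = {rtype.upper(): list(rdata) for rtype, rdata in rrsets.items()}
    present = {rtype for rtype, rdata in norm.items() if rdata} - DNSSEC_META
    errors = []

    # RFC 2181, section 10.1: a CNAME owner carries no other data.
    if "CNAME" in present:
        others = sorted(present - {"CNAME"})
        if others:
            errors.append("CNAME cannot coexist with %s (RFC 2181, section 10.1)"
                          % ", ".join(others))

    # At most one DNAME per name (RFC 6672, as cited in the thread).
    if len(norm.get("DNAME", [])) > 1:
        errors.append("only one DNAME record is allowed per name")

    # DS describes a delegation: it needs the NS set and never sits at the apex.
    if "DS" in present:
        if is_apex:
            errors.append("DS must not appear at the zone apex (RFC 4035, section 2.4)")
        elif "NS" not in present:
            errors.append("DS requires an NS record at the same name")

    # The rule patch 1/3 adds: below the apex, NS tolerates only glue and DS.
    if "NS" in present and not is_apex:
        for rtype in sorted(present - NS_COMPATIBLE):
            errors.append("NS cannot coexist with %s except at the zone apex "
                          "(RFC 2181, section 6.1)" % rtype)
    return errors


if __name__ == "__main__":
    # Constructed sample names, not taken from any real zone.
    cases = [
        ("delegation with glue", {"NS": ["ns1.sub.example."], "A": ["192.0.2.1"]}, False),
        ("delegation with MX", {"NS": ["ns1.sub.example."], "MX": ["10 mail.example."]}, False),
        ("apex with NS and MX", {"NS": ["ns1.example."], "MX": ["10 mail.example."]}, True),
        ("orphan DS", {"DS": ["12345 8 2 0123ABCD"]}, False),
        ("DNAME beside NS", {"DNAME": ["other.example."], "NS": ["ns1.sub.example."]}, False),
    ]
    for label, rrsets, is_apex in cases:
        print("%-20s %s" % (label, validate_name(rrsets, is_apex) or "ok"))
```

The apex flag matters: the same NS+MX combination is legal at the zone's own name and rejected one label below it, which is exactly the distinction the removed DNAME-only check could not express for other types.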

Re: [Freeipa-devel] [PATCH] - Add DRM to IPA

2014-08-21 Thread Martin Kosek

On 08/21/2014 05:27 PM, Petr Viktorin wrote:
> On 08/21/2014 03:48 PM, Ade Lee wrote:
>> As agreed on #irc, disabling uninstallation for now.
>> Please apply this new patch on top of the big one.
>
> I'm fine with pushing a patch with incomplete functionality, after all I did
> this all the time with permissions.
>
> The incomplete parts (apart from the plugin which is entirely out of scope) are:
> - The agent PEM issue (will be sorted out as the plugin is implemented)
> - Missing man page (will be written before the plugin is implemented)
> - Uninstall (will be fixed on Dogtag side, re-tested and enabled)
>
> I'll open tickets for these before pushing.
>
> ACK from me if Rob agrees. On IRC, Rob said he'd rather delay pushing until the
> man page is written, but delegated the decision to Martin.
> So, Martin, can we push now and trust Ade's promise that he'll write the docs?

Yes, if you open ticket(s) for all missing parts and put them in the same
milestone. I would rather have the patches in than waiting for man page and
then have a conflict and postpone the patch set.

I trust Ade to provide the man page later, I am sure he does not want to meet
with my whip otherwise :-)

Martin



Re: [Freeipa-devel] [PATCH] - Add DRM to IPA

2014-08-21 Thread Ade Lee
On Thu, 2014-08-21 at 21:52 +0200, Martin Kosek wrote:
> On 08/21/2014 05:27 PM, Petr Viktorin wrote:
>> On 08/21/2014 03:48 PM, Ade Lee wrote:
>>> As agreed on #irc, disabling uninstallation for now.
>>> Please apply this new patch on top of the big one.
>>
>> I'm fine with pushing a patch with incomplete functionality, after all I did
>> this all the time with permissions.
>>
>> The incomplete parts (apart from the plugin which is entirely out of scope)
>> are:
>> - The agent PEM issue (will be sorted out as the plugin is implemented)
>> - Missing man page (will be written before the plugin is implemented)
>> - Uninstall (will be fixed on Dogtag side, re-tested and enabled)
>>
>> I'll open tickets for these before pushing.
>>
>> ACK from me if Rob agrees. On IRC, Rob said he'd rather delay pushing until
>> the man page is written, but delegated the decision to Martin.
>> So, Martin, can we push now and trust Ade's promise that he'll write the
>> docs?
>
> Yes, if you open ticket(s) for all missing parts and put them in the same
> milestone. I would rather have the patches in than waiting for man page and
> then have a conflict and postpone the patch set.
>
> I trust Ade to provide the man page later, I am sure he does not want to meet
> with my whip otherwise :-)
>

Perfect, thanks!  I don't have commit rights, so please commit the
patches for me.

Ade
> Martin

