[Freeipa-devel] [PATCH 0281] Validate adding a privilege to a permission
https://fedorahosted.org/freeipa/ticket/5075 Patch attached. -- Martin Basti From c8b9a1126a3c59183b39774333294cc413a26043 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Thu, 9 Jul 2015 16:48:36 +0200
Subject: [PATCH] Validate adding privilege to a permission

Adding priviledge to a permission via webUI allowed to avoid check and to add permission with improper type.

https://fedorahosted.org/freeipa/ticket/5075
---
ipalib/plugins/permission.py | 7 +++
ipalib/plugins/privilege.py | 27 ++-
ipalib/util.py | 27 +++
3 files changed, 36 insertions(+), 25 deletions(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index f2e896935cc777801ec3a70262372f296b1ea2b8..75532b35039428621bd180f916bb704b7cd9166e 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -29,6 +29,7 @@ from ipalib.capabilities import client_has_capability
from ipalib.aci import ACI
from ipapython.dn import DN
from ipalib.request import context
+from ipalib.util import validate_permission_to_privilege
__doc__ = _(
Permissions
@@ -1377,6 +1378,12 @@ class permission_add_member(baseldap.LDAPAddMember):
Add members to a permission.
NO_CLI = True
+def pre_callback(self, ldap, dn, member_dns, failed, *keys, **options):
+# We can only add permissions with bind rule type set to
+# permission (or old-style permissions)
+validate_permission_to_privilege(self, ldap, keys[-1])
+return dn
+
@register()
class permission_remove_member(baseldap.LDAPRemoveMember):
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index 867544359f76fdcb44cd3015f7466a46ba492bec..ce5df4f848be3ba88adf329f246948c3e439af64 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@@ -20,6 +20,7 @@ from ipalib.plugins.baseldap import *
from ipalib import api, _, ngettext, errors
from ipalib.plugable import Registry
+from ipalib.util import validate_permission_to_privilege
__doc__ = _(
Privileges
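Review bot: The new permission_add_member.pre_callback runs the bind-rule-type check unconditionally, whereas the privilege-side counterpart in privilege_add_permission only validates when a permission is actually supplied; as written, `permission-add-member` on a permission whose bindtype is not "permission", called with no privileges to add, now raises a ValidationError where before it was a no-op. Guarding the call, e.g. `if options.get('privilege'):` before `validate_permission_to_privilege(self, ldap, keys[-1])`, keeps the two sides consistent — this assumes `privilege` is the member option name for this command, which the hunk does not show. A one-line docstring on the new method stating that it rejects privilege membership for non-"permission" bindtypes would also help, since the inline comment only paraphrases the privilege side. The enclosing class permission_add_member begins before the hunk.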
@@ -185,31 +186,7 @@ class privilege_add_permission(LDAPAddReverseMember):
if options.get('permission'):
# We can only add permissions with bind rule type set to
# permission (or old-style permissions)
-ldapfilter = ldap.combine_filters(rules='', filters=[
-'(objectClass=ipaPermissionV2)',
-'(!(ipaPermBindRuleType=permission))',
-ldap.make_filter_from_attr('cn', options['permission'],
- rules='|'),
-])
-try:
-entries, truncated = ldap.find_entries(
-filter=ldapfilter,
-attrs_list=['cn', 'ipapermbindruletype'],
-base_dn=DN(self.api.env.container_permission,
- self.api.env.basedn),
-size_limit=1)
-except errors.NotFound:
-pass
-else:
-entry = entries[0]
-message = _('cannot add permission %(perm)s with bindtype '
-'%(bindtype)s to a privilege')
-raise errors.ValidationError(
-name='permission',
-error=message % {
-'perm': entry.single_value['cn'],
-'bindtype': entry.single_value.get(
-'ipapermbindruletype', 'permission')})
+validate_permission_to_privilege(self, ldap, options['permission'])
return dn
diff --git a/ipalib/util.py b/ipalib/util.py
index 649a4875fde0b44844749946cce53d81f7f6eea4..626b463d532b3f7da5e5fef46ddb673af31ced35 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -809,3 +809,30 @@ def get_topology_connection_errors(graph):
if not_visited:
connect_errors.append((m, list(visited), list(not_visited)))
return connect_errors
+
+
+def validate_permission_to_privilege(obj, ldap, permission):
+ldapfilter = ldap.combine_filters(rules='', filters=[
+'(objectClass=ipaPermissionV2)',
+'(!(ipaPermBindRuleType=permission))',
+ldap.make_filter_from_attr('cn', permission, rules='|'),
+])
+try:
+entries, truncated = ldap.find_entries(
+filter=ldapfilter,
+attrs_list=['cn', 'ipapermbindruletype'],
+base_dn=DN(obj.api.env.container_permission,
+ obj.api.env.basedn),
+size_limit=1)
+except errors.NotFound:
+pass
+else:
+entry = entries[0]
+message = _('cannot add permission %(perm)s with bindtype '
+'%(bindtype)s to a privilege')
+raise errors.ValidationError(
+
[Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id
https://fedorahosted.org/freeipa/ticket/5074 Patch attached. -- Martin Basti From f6fb2885ad8a84e874ce940868072675c7180443 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Thu, 9 Jul 2015 17:17:21 +0200
Subject: [PATCH] Prevent to rename certprofile profile id

https://fedorahosted.org/freeipa/ticket/5074
---
ipalib/plugins/certprofile.py | 3 +++
1 file changed, 3 insertions(+)

diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
index 6f9a41875b2a276b521219156e630817a9c41fdc..5550ed942521dbab2e783fba1570520268f9b378 100644
--- a/ipalib/plugins/certprofile.py
+++ b/ipalib/plugins/certprofile.py
@@ -291,6 +291,9 @@ class certprofile_mod(LDAPUpdate):
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
ca_enabled_check()
+# Once a profile id is set it cannot be changed
+if 'cn' in entry_attrs:
+raise errors.ACIError(info=_('cn is immutable'))
if 'file' in options:
with self.api.Backend.ra_certprofile as profile_api:
profile_api.disable_profile(keys[0])
--
2.4.3
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
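Review bot: `errors.ACIError` signals an access-control denial, but the added guard rejects a profile-id rename for every caller regardless of privilege, so clients and the Web UI would report an "insufficient access" style failure for what is really a contract violation; `raise errors.ValidationError(name='cn', error=_('cn is immutable'))` classifies it correctly and keeps the error text. The guard also presumes that LDAPUpdate has already copied the `rename` option into `entry_attrs` under the `cn` key when pre_callback runs — that is not visible here and is worth confirming, since otherwise the check never fires. pre_callback continues past the end of the hunk.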
Re: [Freeipa-devel] [PATCH 0281] Validate adding a privilege to a permission
Hi, Dne 9.7.2015 v 16:55 Martin Basti napsal(a): https://fedorahosted.org/freeipa/ticket/5075 Patch attached. the check is very plugin-specific, so I don't think it should be in ipalib.util. You can keep it in privilege and import it from there in permission just fine. Honza -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id
Hi, Dne 9.7.2015 v 17:21 Martin Basti napsal(a): https://fedorahosted.org/freeipa/ticket/5074 Patch attached. NACK, you should remove the --rename option from certprofile-mod. You can do it by removing rdn_is_primary_key = True from certprofile. Honza -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [RFC] Community Portal - Where to go next?
On 07/03/2015 06:28 AM, David Kupka wrote: On 02/07/15 22:07, Drew Erny wrote: Hi, all, The core functionality of the community portal is more-or-less complete. In a local development environment, you can go to a web page, put in information, and have that information reflected in the FreeIPA server. There's definitely some polishing needed (for example, there is no styling to the web pages), but the core functionality is all there. What I need now is for someone to go through the source code, which can be found at github.com/dperny/freeipa-communityportal, and let me know if everything seems sound and sane. I also, perhaps more importantly, need some help on where to go with this next. The core functionality is all there, but how I'm going to deploy this to a live environment is still a bit hazy where I should start to make that happen. There are many ways to deploy a cherrypy web application, and I'm not sure which path is best. Or, if deployment isn't important yet at this stage in the prototype, what should I focus my efforts on now? Thanks, Drew Erny Hi Drew, when all the core functionality is done and ready then polish it, pack it, ship it :-) IIUC, the community portal is a part of WebUI so I would package it together, iow in freeipa-server. Or create another package depending on freeipa-server. IIRC we discussed it and agreed that it will be a separate application. I think that it would be nice to deploy it on OpenShift v3. -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 898-900 webui: user and multiple certs improvements
On 09/07/15 00:35, Petr Vobornik wrote: == [PATCH] 898 webui: cert-request improvements == Certificate request action and dialog now supports 'profile_id', 'add' and 'principal' options. 'add' and 'principal' are displayed only if certificate is added from certificate search facet. Certificate search facet allows to add a certificate. User details facet allows to add a certificate. part of https://fedorahosted.org/freeipa/ticket/5046 == [PATCH] 899 webui: show multiple cert == New certificate widget which replaced certificate status widget. It can display multiple certs. Drawback is that it cannot display if the certificate was revoked. Web UI does not have the information. part of: https://fedorahosted.org/freeipa/ticket/5045 == [PATCH] 900 webui: remove cert manipulation actions from host and service == Remove * cert_view * cert_get * cert_revoke * cert_restore These actions require serial number which is not provided to Web UI if multiple certificates are present. As an alternative to patch 900 we could also provide the original interface if there is only one cert and hide the actions if there are multiple certs. note: {user|host|service}-{add|remove}_cert command support is still missing. ACK -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] Notice: release-4-2-0 was tagged, ipa-4-2 branch created eom
-- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH] 901 Bump 4.3 development version to 4.2.90
-- Petr Vobornik From 3696c70bd0aacf7a2f5b0b00f52445d798379034 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Thu, 9 Jul 2015 12:29:33 +0200
Subject: [PATCH] Bump 4.3 development version to 4.2.90

---
VERSION | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index b2f7a9a3e73b5f38741f7266054e3429803d7036..679ab95ea859a1d5b3fcc29bc2c2e30df100092b 100644
--- a/VERSION
+++ b/VERSION
@@ -21,7 +21,7 @@ IPA_VERSION_MAJOR=4
IPA_VERSION_MINOR=2
-IPA_VERSION_RELEASE=0
+IPA_VERSION_RELEASE=90
# For 'alpha' releases the version will be
#
--
2.4.3
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 901 Bump 4.3 development version to 4.2.90
On 07/09/2015 12:36 PM, Petr Vobornik wrote: ACK, pushed to master: 0569910fead3b33a0806b216823738cf17283108 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 898-900 webui: user and multiple certs improvements
On 07/09/2015 10:54 AM, Martin Basti wrote: On 09/07/15 00:35, Petr Vobornik wrote: == [PATCH] 898 webui: cert-request improvements == Certificate request action and dialog now supports 'profile_id', 'add' and 'principal' options. 'add' and 'principal' are disaplayed only if certificate is added from certificate search facet. Certificate search facet allows to add a certificate. User details facet allows to add a certificate. part of https://fedorahosted.org/freeipa/ticket/5046 == [PATCH] 899 webui: show multiple cert == New certificate widget which replaced certificate status widget. It can display multiple certs. Drawback is that it cannot display if the certificate was revoked. Web UI does not have the information. part of: https://fedorahosted.org/freeipa/ticket/5045 == [PATCH] 900 webui: remove cert manipulation actions from host and service == Remove * cert_view * cert_get * cert_revoke * cert_restore These actions require serial number which is not provided to Web UI if multiple certificates are present. As an alternative to patch 900 we could also provide the original interface if there is only one cert and hide the actions if there are multiple certs. note: {user|host|service}-{add|remove}_cert command support is still missing. ACK pushed to master: * 7c481b1e90dbb6821b71707c4012b3857adb84e2 webui: cert-request improvements * cf8b56cc75af43a26f1bd7fadb29a2ab0dd64633 webui: show multiple cert * 0b943f3ce9cb70fa8b68aa44ec525d50604b84a2 webui: remove cert manipulation actions from host and service -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message
The attached patch solves the https://fedorahosted.org/freeipa/ticket/3959 ticket. Veronika Kabatova
From 70abe5901c15e71735a0e4e26ea90334b233135b Mon Sep 17 00:00:00 2001
From: Veronika Kabatova vkaba...@redhat.com
Date: Thu, 9 Jul 2015 13:22:24 +0200
Subject: [PATCH] Enhance the DNSNotARecordError message

Enhance the DNSNotARecordError message as proposed in ticket #3959. User is now suggested to use --force option.

https://fedorahosted.org/freeipa/ticket/3959
---
ipalib/errors.py | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ipalib/errors.py b/ipalib/errors.py
index 63ec22269467b769d276c443f6b3dbed38cd766e..d874e68829e1a5491dec402d5976c3adfa556e84 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1142,12 +1142,14 @@ class DNSNotARecordError(ExecutionError):
raise DNSNotARecordError()
Traceback (most recent call last):
...
-DNSNotARecordError: Host does not have corresponding DNS A/ record
+DNSNotARecordError: Host does not have corresponding DNS A/ record,
+use --force to continue anyway
errno = 4019
-format = _('Host does not have corresponding DNS A/ record')
+format = _('Host does not have corresponding DNS A/ record, use'
+ ' --force to continue anyway')
class ManagedGroupError(ExecutionError):
--
2.4.3
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
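Review bot: The updated doctest expects the exception message split across two lines, but the new `format` string contains no newline, so the exception renders as one line and the example will not match unless the doctest runner enables NORMALIZE_WHITESPACE — keep the expected output on a single line (a long doctest line is fine) or append `# doctest: +NORMALIZE_WHITESPACE` to the `raise` example. Separately, `--force` is CLI option syntax, while this error is raised by the server API and surfaced by other clients such as the Web UI, where no such flag exists; a client-neutral phrasing like `use the force option to continue anyway` would read correctly everywhere, at the cost of being slightly less precise for CLI users. The DNSNotARecordError class begins before the hunk.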
[Freeipa-devel] [PATCHES 0279-0280] Backport index fixes into IPA 4.1
Backport following commits into IPA 4-1: 57fba7a56f88c517b3ebb03842f1cc18bc129ebb 16f47ed4520d4f89db39d1dc58be7a8efb1d8612 Patches attached. -- Martin Basti From 3af07555cd8913ca7b503f14dc820800c1f9dd8d Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Thu, 9 Jul 2015 13:21:16 +0200
Subject: [PATCH] Fix indicies ntUserDomainId, ntUniqueId

ntUserDomainId and ntUniqueId contained eq,pres index value, which is not valid.
---
install/share/indices.ldif| 6 --
install/updates/20-indices.update | 14 ++
2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/install/share/indices.ldif b/install/share/indices.ldif
index ad678e0b2123d961c957d3071ba48ff70bf27e7a..4a891b567e5485c0ab5705ae7fd82b39d9fcb4e2 100644
--- a/install/share/indices.ldif
+++ b/install/share/indices.ldif
@@ -89,12 +89,14 @@ nsMatchingRule: integerOrderingMatch
dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsIndexType
-nsIndexType: eq,pres
+nsIndexType: eq
+nsIndexType: pres
dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsIndexType
-nsIndexType: eq,pres
+nsIndexType: eq
+nsIndexType: pres
dn: cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index a8a432d9c28a7fb4ca74582e36d4c39fd98df2cf..b4a572b4ce41db6fa865468c8fb36046395d585e 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -150,3 +150,17 @@ default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq,pres,sub
+
+dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ntUniqueId
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+only:nsIndexType: eq
+only:nsIndexType: pres
+
+dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ntUserDomainId
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+only:nsIndexType: eq
+only:nsIndexType: pres
--
2.4.3

From 9c7d208154af217210cc84573e8407286c09b43f Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Tue, 5 May 2015 19:47:07 +0200
Subject: [PATCH] Server Upgrade: fix memberUid index

https://fedorahosted.org/freeipa/ticket/5007
---
install/updates/20-indices.update | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index b4a572b4ce41db6fa865468c8fb36046395d585e..cb93f361cd554d36d8ec3c02a152deaa9b5422e3 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -10,7 +10,8 @@ default:cn: memberuid
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
-default:nsIndexType: eq,pres
+only:nsIndexType: eq
+only:nsIndexType: pres
dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: memberHost
--
2.4.3
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
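Review bot: The two new index entries for ntUniqueId and ntUserDomainId omit `default:nsSystemIndex: false`, which every neighbouring nsIndex entry in this file carries (see the context lines of this hunk and the memberuid entry in the second patch). If nsSystemIndex is mandatory for the nsIndex objectclass, an upgrade that has to create these entries from scratch would be rejected by the directory server; adding `default:nsSystemIndex: false` to both entries keeps them consistent either way. Note also that `only:nsIndexType` replaces whatever index types an existing entry has, which is the intent here (the stored `eq,pres` value is invalid) but will also discard any extra type an administrator added by hand; a short comment above the entries saying so would save the next reader a trip to the updater documentation.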
Re: [Freeipa-devel] [PATCH] 897 fix error message when certificate CN is invalid
On 09/07/15 00:28, Petr Vobornik wrote: The error message was probably copied from mail address check below. ACK. -- David Kupka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 897 fix error message when certificate CN is invalid
On 07/09/2015 11:21 AM, David Kupka wrote: On 09/07/15 00:28, Petr Vobornik wrote: The error message was probably copied from mail address check below. ACK. Pushed to master: f0e88e9b13c0c950cb02f377ac13c8e5b9188a34 -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] How to support Designate?
On 08/07/15 20:45, Rich Megginson wrote: On 07/08/2015 11:56 AM, Rich Megginson wrote: On 07/08/2015 10:11 AM, Petr Spacek wrote: On 8.7.2015 17:10, Rich Megginson wrote: On 07/08/2015 04:31 AM, Petr Spacek wrote: On 1.7.2015 17:12, Rich Megginson wrote: On 07/01/2015 09:10 AM, Petr Spacek wrote: On 1.7.2015 16:43, Rich Megginson wrote: How much work would it be to support IPA as an AXFR/IXFR client or server with Designate? Right now, their miniDNS component only supports being a master and sending updates via AXFR, but they have IXFR support planned. I need to read more about it. Could you please point me to some comprehensive docs about Designate? Thanks! http://docs.openstack.org/developer/designate/architecture.html Designate in setups with mini-DNS acts as DNS master server, i.e. the only source of DNS data/truth. Currently FreeIPA can act only as master, too, which is not possible. By master do you mean unable to accept AXFR/IXFR from another server? Sort of. DNS is conceptually built around concept of single authoritative database hosted on Primary Master server. The database is then transferred using AXFR to Slave servers, which are read-only (and can forward update requests to the Primary Master). See http://tools.ietf.org/html/rfc2136#section-1 The Primary Master server is the place where changes are made. There is by definition only one primary master server per zone, so FreeIPA and Designare cannot be Primary Masters at the same time. We need to decide who is going to have control over the data. I can see several alternatives: A) Add support for slave zones to FreeIPA. It should be relatively easy and I guess doable in Fedora 23 time frame if it gets appropriate priority. For plain/insecure DNS zones it will allow us to use FreeIPA in place of any other DNS server but the added value will be negligible because FreeIPA acting as a slave cannot change the data. 
The real added value could be the ability of FreeIPA to DNSSEC-sign zones and do the DNSSEC key management. I believe that we should be able to re-use machinery we implemented for master zones in FreeIPA so DNSSEC signing for slave zones should be almost 'for free'. When implemented, FreeIPA could become the easiest way how to secure DNS in Designate with DNSSEC technology even in cases where all the data are managed by Designate API. This sounds interesting. This seems like it would fit in with the typical OpenStack use case - create a new host, assign it a hostname in a sub-zone. To be sure we understood each other: In the scenarios where FreeIPA acts as Slave server, the change is done in Designate and then a new version of the DNS zone is transferred to FreeIPA. After that FreeIPA can DNSSEC-sign the zone and serve the signed version to the clients. B) We can avoid implementing slave zones by using 'agent': http://docs.openstack.org/developer/designate/glossary.html If I'm not mistaken, this is what you implemented last year. I implemented support in Designate for a FreeIPA backend which used the JSON HTTPS API to send updates from Designate to FreeIPA. Designate has deprecated support for backends. The agent approach is basically putting a mini-DNS-like daemon on each system which can accept AXFR from Designate. This agent would then use the backend code I developed to send the data to FreeIPA. Wow, that is a lot of complexity. I suspect that something like this is already implemented in dnssyncd written by Martin Basti: https://github.com/bastiak/dnssyncd How does this work? Does it receive zone transfer (AXFR? IXFR?) from a DNS master, then update LDAP with those records? It receives AXFR/IXFR, Notify from DNS master, and updates data by Dynamic DNS. You can write own plugin for it to support any DNS server/backend. But it is proof of concept, it is not rock stable. Martin Anyway, I do not see any value in doing so in this particular scenario. 
Designate would be the authoritative source of data (Primary Master) so from functional point of view it would be the same (or worse) than variant (A), just with more code and more error prone. C) We can say that combining FreeIPA DNS and Designate does not make sense and drop what you did last year. It was already dropped when the backend approach was deprecated. In current architecture it really does not add any value *unless* we add DNSSEC to the mix. D) Integrate IPA installers with Designate API. This is somehow complementary to variants A (and C) and would allow us to automatically add DNS records required by FreeIPA to Designate during FreeIPA installation and replica management. I wrote a script (ipaextractor.py) that will extract DNS data from FreeIPA and store it in Designate. That would be a good place to start. Generally FreeIPA should integrate with other DNS server implementations in a way similar to this: https://fedorahosted.org/freeipa/ticket/4424