[Freeipa-devel] [freeipa PR#173][+pushed] Ensure correct IPA CA nickname in DS and HTTP NSSDBs

2016-11-10 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/173
Title: #173: Ensure correct IPA CA nickname in DS and HTTP NSSDBs

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#173][comment] Ensure correct IPA CA nickname in DS and HTTP NSSDBs

2016-11-10 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/173
Title: #173: Ensure correct IPA CA nickname in DS and HTTP NSSDBs

jcholast commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/cdd41e06e6ef97efafd36ee9e4c8d3be9e4099e7
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/173#issuecomment-259887677

[Freeipa-devel] [freeipa PR#173][closed] Ensure correct IPA CA nickname in DS and HTTP NSSDBs

2016-11-10 Thread jcholast
   URL: https://github.com/freeipa/freeipa/pull/173
Author: frasertweedale
 Title: #173: Ensure correct IPA CA nickname in DS and HTTP NSSDBs
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/173/head:pr173
git checkout pr173

[Freeipa-devel] [freeipa PR#229][comment] Remove the renewal lock file upon uninstall

2016-11-10 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/229
Title: #229: Remove the renewal lock file upon uninstall

frasertweedale commented:
"""
Works as expected.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/229#issuecomment-259883307

[Freeipa-devel] [freeipa PR#173][synchronized] Ensure correct IPA CA nickname in DS and HTTP NSSDBs

2016-11-10 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/173
Author: frasertweedale
 Title: #173: Ensure correct IPA CA nickname in DS and HTTP NSSDBs
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/173/head:pr173
git checkout pr173
From a6ce7e03adecb86c8f5ecd9170ae6f6e4dbb6466 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Thu, 20 Oct 2016 14:42:17 +1000
Subject: [PATCH] Ensure correct IPA CA nickname in DS and HTTP NSSDBs

During replica installation, if the IPA deployment has a custom
subject_base, the routines that create the DS and HTTP NSSDBs
erroneously compare the subject of CA certs to the *default* subject
base. This causes the IPA CA cert to be added to the NSSDBs with a
nickname derived from the subject name, instead of "{REALM} IPA CA".

At a later stage of installation, the `upload_cacrt` plugin reads
certs from the HTTP NSSDB in order to update the cn=certificates
LDAP certstore.  The NSSDB nickname of the cert is used as the CN
for the entry. Because the IPA CA cert was not installed in the
HTTP NSSDB with the "{REALM} IPA CA" nickname, this causes a spurious
entry for the IPA CA to be added to the certstore.

To avoid this scenario, use the deployment's actual subject base
when deciding if a cert is the IPA CA cert.

Fixes: https://fedorahosted.org/freeipa/ticket/6415
---
 ipaserver/install/dsinstance.py| 2 +-
 ipaserver/install/server/replicainstall.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index a58f8eb..f4cb247 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -1265,7 +1265,7 @@ def __get_ds_keytab(self):
 os.chown(paths.DS_KEYTAB, pent.pw_uid, pent.pw_gid)
 
 def __get_ds_cert(self):
-subject = DN(('O', self.realm))
+subject = self.subject_base or DN(('O', self.realm))
 nssdb_dir = config_dirname(self.serverid)
 db = certs.CertDB(self.realm, nssdir=nssdb_dir, subject_base=subject)
 db.request_service_cert(self.nickname, self.principal, self.fqdn)
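Review bot: the `self.subject_base or DN(('O', self.realm))` fallback silently reverts to the default subject base whenever `self.subject_base` is unset or empty, which is exactly the comparison the commit message identifies as wrong for custom deployments; if the instance is always expected to carry `subject_base` when installing a replica, raise on a missing value instead of falling back, so a mis-wired caller fails at install time rather than reproducing the spurious certstore entry.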
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index aeae6b3..7e04374 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -93,7 +93,7 @@ def install_http_certs(config, fstore, remote_api):
 
 # Obtain certificate for the HTTP service
 nssdir = certs.NSS_DIR
-subject = DN(('O', config.realm_name))
+subject = config.subject_base or DN(('O', config.realm_name))
 db = certs.CertDB(config.realm_name, nssdir=nssdir, subject_base=subject)
 db.request_service_cert('Server-Cert', principal, config.host_name, True)
 
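Review bot: the same `config.subject_base or DN(('O', config.realm_name))` expression is now duplicated between `install_http_certs` here and `__get_ds_cert` in dsinstance.py; pulling it into one helper would keep the DS and HTTP NSSDBs from drifting if the default changes again, and gives a single place to document that the fallback applies only to deployments with no custom subject base.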
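
Added illustration, not FreeIPA's own code, of the nickname decision the patch above corrects: a CA cert gets the fixed `{REALM} IPA CA` nickname only if its subject is `CN=Certificate Authority` directly under the configured subject base, and `upload_cacrt` later turns each nickname into a certstore CN. DNs are simplified to tuples of RDNs; the function names, the custom subject base `OU=Custom,O=EXAMPLE.COM` and the second trusted CA are constructed assumptions.

```python
# Added illustration (not FreeIPA's own code) of the NSSDB nickname decision
# that the subject_base fix above corrects. DNs are simplified to tuples of
# (attribute, value) RDNs, most specific first; names and values are assumed.

CA_CN = ('CN', 'Certificate Authority')


def dn(*rdns):
    """Build a simplified DN as a tuple of (attribute, value) pairs."""
    return tuple((attr.upper(), value) for attr, value in rdns)


def dn_to_str(subject):
    """Render a simplified DN the way it would appear as an NSS nickname."""
    return ','.join('%s=%s' % (attr, value) for attr, value in subject)


def ca_nickname(realm, cert_subject, subject_base):
    """Choose the nickname under which a CA cert is stored in an NSSDB.

    Only the cert whose subject is CN=Certificate Authority directly under
    subject_base is treated as the IPA CA and gets the fixed nickname; any
    other CA cert is stored under a nickname derived from its subject.
    """
    if cert_subject == (CA_CN,) + tuple(subject_base):
        return '%s IPA CA' % realm
    return dn_to_str(cert_subject)


def certstore_cns(realm, ca_subjects, subject_base):
    """Model the CN values upload_cacrt would write to cn=certificates after
    reading the HTTP NSSDB back: one entry per distinct nickname."""
    return sorted({ca_nickname(realm, s, subject_base) for s in ca_subjects})


REALM = 'EXAMPLE.COM'
# A deployment installed with a custom subject base (constructed sample).
CUSTOM_BASE = dn(('OU', 'Custom'), ('O', 'EXAMPLE.COM'))
# The default the old code compared against: DN(('O', realm)).
DEFAULT_BASE = dn(('O', REALM))
# Subject of this deployment's IPA CA cert.
IPA_CA_SUBJECT = (CA_CN,) + CUSTOM_BASE
# An unrelated third-party CA that is also trusted (constructed sample).
EXTERNAL_CA_SUBJECT = dn(('CN', 'Example Root CA'), ('O', 'Example Corp'))
TRUSTED = [IPA_CA_SUBJECT, EXTERNAL_CA_SUBJECT]


def before_fix():
    """Old behaviour: compare against the default base regardless of config.
    The IPA CA ends up under a subject-derived nickname, so the certstore
    gets a spurious entry instead of '{REALM} IPA CA'."""
    return certstore_cns(REALM, TRUSTED, DEFAULT_BASE)


def after_fix():
    """Fixed behaviour: compare against the deployment's actual subject base."""
    return certstore_cns(REALM, TRUSTED, CUSTOM_BASE)


if __name__ == '__main__':
    print('before:', before_fix())
    print('after: ', after_fix())
```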

[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates

2016-11-10 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/219
Title: #219: Refactor installer code requesting certificates

flo-renaud commented:
"""
I updated the patch for renewal lock with a new fix. The timeout needs to be 
increased, but the lock may also happen because the renewal scripts are run by 
certmonger during the cert request and should not (for instance for http cert 
the renewal script restarts httpd while the service is not completely 
configured).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/219#issuecomment-259803269

[Freeipa-devel] [freeipa PR#229][synchronized] Remove the renewal lock file upon uninstall

2016-11-10 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/229
Author: flo-renaud
 Title: #229: Remove the renewal lock file upon uninstall
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/229/head:pr229
git checkout pr229
From 88d1855844cf54763bcc9b5528f6f3ed12b8fcce Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 10 Nov 2016 13:14:34 +0100
Subject: [PATCH] Fix renewal lock issues on installation

- Make sure that the file /var/run/ipa/renewal.lock is deleted upon
uninstallation, in order to avoid subsequent installation issues.

- Increase the timeout when waiting for certmonger to issue certs

- Configure certmonger presave and postsave commands after obtaining
the certificates (otherwise certmonger may, for instance, call restart_httpd
while the httpd configuration is not complete).

Part of the refactoring effort, certificates sub-effort.

https://fedorahosted.org/freeipa/ticket/6433
---
 ipapython/certmonger.py | 31 +--
 ipaserver/install/server/install.py |  6 ++
 2 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 6f0948a..f644d95 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -307,17 +307,30 @@ def request_and_wait_for_cert(
 The method also waits for the certificate to be available.
 """
 reqId = request_cert(nssdb, nickname, subject, principal,
- passwd_fname, dns, ca, profile,
- pre_command, post_command)
-state = wait_for_request(reqId, timeout=60)
+ passwd_fname, dns, ca, profile)
+state = wait_for_request(reqId, timeout=180)
 ca_error = get_request_value(reqId, 'ca-error')
 if state != 'MONITORING' or ca_error:
 raise RuntimeError("Certificate issuance failed")
+
+# Add presave and postsave commands
+# This is not done earlier to avoid running the cmds
+# during the initial request
+certmonger_cmd_template = paths.CERTMONGER_COMMAND_TEMPLATE
+if pre_command:
+if not os.path.isabs(pre_command):
+pre_command = certmonger_cmd_template % (pre_command)
+add_request_value(reqId, 'cert-presave-command', pre_command)
+if post_command:
+if not os.path.isabs(post_command):
+post_command = certmonger_cmd_template % (post_command)
+add_request_value(reqId, 'cert-postsave-command', post_command)
+
 return reqId
 
 def request_cert(
 nssdb, nickname, subject, principal, passwd_fname=None,
-dns=None, ca='IPA', profile=None, pre_command=None, post_command=None):
+dns=None, ca='IPA', profile=None):
 """
 Execute certmonger to request a server certificate.
 
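Review bot: the new `timeout=180` is a second magic number replacing the old `60`; expose it as a parameter or module constant so it can be tuned for slow CAs and is documented next to the `RuntimeError("Certificate issuance failed")` it guards. The presave/postsave commands are now attached only after `wait_for_request` returns `MONITORING`, so an installer interrupted between the two steps leaves a tracked request with no renewal commands and nothing reports it; a log line at that point would help. Minor: `certmonger_cmd_template % (pre_command)` is a plain string, not a tuple, so the parentheses are redundant.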
@@ -342,16 +355,6 @@ def request_cert(
 if profile:
 request_parameters['ca-profile'] = profile
 
-certmonger_cmd_template = paths.CERTMONGER_COMMAND_TEMPLATE
-if pre_command:
-if not os.path.isabs(pre_command):
-pre_command = certmonger_cmd_template % (pre_command)
-request_parameters['cert-presave-command'] = pre_command
-if post_command:
-if not os.path.isabs(post_command):
-post_command = certmonger_cmd_template % (post_command)
-request_parameters['cert-postsave-command'] = post_command
-
 result = cm.obj_if.add_request(request_parameters)
 try:
 if result[0]:
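Review bot: dropping `pre_command` and `post_command` from the `request_cert` signature means any remaining caller that still passes them positionally after `profile` now fails with a `TypeError` at runtime; check the other callers and update the parameter list in the `request_cert` docstring, which this hunk does not touch.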
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index ff99e78..acdd72b 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -1130,6 +1130,12 @@ def uninstall(installer):
   ' # getcert stop-tracking -i \n'
   'for each id in: %s' % ', '.join(ids))
 
+# Remove the cert renewal lock file
+try:
+os.remove(paths.IPA_RENEWAL_LOCK)
+except Exception:
+pass
+
 print("Removing IPA client configuration")
 try:
 result = run([paths.IPA_CLIENT_INSTALL, "--on-master",
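Review bot: `except Exception: pass` around `os.remove(paths.IPA_RENEWAL_LOCK)` hides every failure, including a permission error that leaves the lock in place, which is the exact condition the commit message says breaks the next installation; catch `OSError`, ignore only `errno.ENOENT`, and log anything else, matching the `getcert stop-tracking` warning printed just above.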

Re: [Freeipa-devel] [PATCH] webui: 0084, 0101: refactoring rpc module

2016-11-10 Thread Petr Vobornik
On 08/09/2016 01:29 PM, Pavel Vomacka wrote:
> Hello,
> 
> please review attached patches.
> 
> The rpc module is now separated from display layer
> and changing activity text while loading metadata.
> 
> https://fedorahosted.org/freeipa/ticket/6144
> 
> 
> 

patch 84:

Looks good, works fine, it just needed a rebase (I could provide that).

Idea, but that doesn't have to be implemented, or sometime in the future;
right now it is not useful: what about providing the rpc object in the
event, and having a unique id for each rpc call so that we could track all
rpc calls which are executed.


patch 101:

1. It's an event name but the property name looks like it contains a text:
   that.change_text = 'change-activity-text';

Should it rather be: that.change_text_event?

Or even, why does it compare the previous text? Does it matter? Wouldn't it be
better to have a 'set-activity' event, and then the handler would call
some new set_text method:

that.set_text = function(new_activity) {
    that.dots = 0;
    that.text = new_activity;
    that.make_step();
};

-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH] webui: Fix coverity bugs

2016-11-10 Thread Petr Vobornik

Commenting only on top, it's too long.

ACK for everything. I've rebased patch 90.

pushed to master

master:
* a2525ff64518038eaa64b0d855154a984030f7f3 Coverity - null pointer exception
* d4ad0ca04c0ae445c784787a675ac84d2cbfd766 Coverity - null pointer exception
* fa3982c7c82add3d201aec860cb981a595f10be9 Coverity - not initialized variable
* de8cb7585b652fd1a61e3020e37192cb1db74f46 Coverity - identical code for different branches
* 4b63ce26ebbef8ef1538aecb3cff8032df3357a7 Coverity - Accessing attribute of null
* ed74e14ab4a17c83cf6782e4b6fd41a2ce79594d Coverity - removed dead code
* 7be585dbb206ed12b25d09bfb2f5452ee9c125ae Coverity - true branch can't be executed
* d94a2aa185defba38f2bbe2c5ee28f9b9defc0f2 Coverity - true branch can't be executed
* cad9f9b682d9bcc33fdfb1112e4cfb1a2c66a498 Coverity - null pointer dereference
* 4af31c70c57fc223920b71fedfb40d1de27622b2 Coverity - iterating over variable which could be null
* cd74f78ed74f8898c492024d0901cef9778df067 Coverity - opens dialog which might not be created
* aa8a904c4a3953e799278de192d1613d21cde42a Coverity - accessing attribute of variable which can point to null
* 2644c955489ee5b22ecc0227c5cd8ed1e90ee648 Coverity - null pointer dereference


On 08/05/2016 02:33 PM, Pavel Vomacka wrote:
> 
> 
> On 08/01/2016 05:53 PM, Petr Vobornik wrote:
>> On 07/29/2016 03:25 PM, Alexander Bokovoy wrote:
>>> On Fri, 29 Jul 2016, Pavel Vomacka wrote:
 Hello,

 please review attached patches which fix errors from Coverity.

 -- 
 Pavel^3 Vomacka

  From 0391289b3f6844897e2a9f3ae549bd4c33233ffc Mon Sep 17 00:00:00 2001
 From: Pavel Vomacka 
 Date: Mon, 25 Jul 2016 10:36:47 +0200
 Subject: [PATCH 01/13] Coverity - null pointer exception

 Variable 'option' can be null and there will be an error reading a
 property of null.
 ---
 install/ui/src/freeipa/widget.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/install/ui/src/freeipa/widget.js
 b/install/ui/src/freeipa/widget.js
 index
 9151ebac9438e9e674f81bfb1ccfe7a63872b1ae..cfdf5d4750951e4549c16a2b9b9c355f61e90c39

 100644
 --- a/install/ui/src/freeipa/widget.js
 +++ b/install/ui/src/freeipa/widget.js
 @@ -2249,7 +2249,7 @@ IPA.option_widget_base = function(spec, that) {
  var child_values = [];
  var option = that.get_option(value);

 -if (option.widget) {
 +if (option && option.widget) {
  child_values = option.widget.save();
  values.push.apply(values, child_values);
  }
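Review bot: `if (option && option.widget)` removes the null dereference, but `that.get_option(value)` returning nothing for a value being saved looks like a data inconsistency rather than a normal case; consider logging it, because the value is otherwise silently dropped from `values` with no trace.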
 -- 
 2.5.5

>>> ACK
>> ACK
>>
  From 6df8e608232e25daa9aefe4fccbdeca4dbaf1998 Mon Sep 17 00:00:00 2001
 From: Pavel Vomacka 
 Date: Mon, 25 Jul 2016 10:43:00 +0200
 Subject: [PATCH 02/13] Coverity - null pointer exception

 Variable 'row' could be null in some cases, and setting css on a variable
 which points to null causes an error. Therefore there is a new check.
 ---
 install/ui/src/freeipa/widget.js | 2 ++
 1 file changed, 2 insertions(+)

 diff --git a/install/ui/src/freeipa/widget.js
 b/install/ui/src/freeipa/widget.js
 index
 cfdf5d4750951e4549c16a2b9b9c355f61e90c39..5844436abf090f12d5a9d65efe7a1aaee14097e2

 100644
 --- a/install/ui/src/freeipa/widget.js
 +++ b/install/ui/src/freeipa/widget.js
 @@ -5766,6 +5766,8 @@ exp.fluid_layout = IPA.fluid_layout =
 function(spec) {
  that.on_visible_change = function(event) {

  var row = that._get_row(event);
 +if (!row) return;
 +
  if (event.visible) {
  row.css('display', '');
  } else {
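Review bot: the early `if (!row) return;` in `on_visible_change` quietly ignores visibility events for rows `_get_row` cannot find; that is safe, but a one-line comment stating when `_get_row` legitimately returns nothing would let the next reader tell this apart from a lookup bug.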
 -- 
 2.5.5

>>> ACK
>>
>> ACK
>>
>>>
  From 6f2ddc9e1c5323a640bdf744d2da00bfee7ab766 Mon Sep 17 00:00:00 2001
 From: Pavel Vomacka 
 Date: Mon, 25 Jul 2016 13:48:16 +0200
 Subject: [PATCH 03/13] Coverity - not initialized variable

 The variable hasn't been initialized, now it is set to null by default.
 ---
 install/ui/src/freeipa/widget.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/install/ui/src/freeipa/widget.js
 b/install/ui/src/freeipa/widget.js
 index
 5844436abf090f12d5a9d65efe7a1aaee14097e2..43804c5ea524ca741017d02f6e12ccf60d50b5df

 100644
 --- a/install/ui/src/freeipa/widget.js
 +++ b/install/ui/src/freeipa/widget.js
 @@ -1047,7 +1047,7 @@ IPA.multivalued_widget = function(spec) {

  that.child_spec = spec.child_spec;
  that.size = spec.size || 30;
 -that.undo_control;
 +that.undo_control = null;
  that.initialized = true;
  that.updating = false;

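Review bot: the old `that.undo_control;` line was a bare expression statement with no effect, so `that.undo_control` was already `undefined`; assigning `null` is cosmetic unless some consumer tests `=== undefined` rather than a falsy value, so check the readers of `undo_control` before relying on the new value.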
 -- 
 2.5.5

>>> ACK
>> ACK
>>
>>>
  From b9ddd32ec45aadae5a79e372c3e1b70990071e60 Mon Sep 17 00:00:00 2001
 From: Pave

[Freeipa-devel] [freeipa PR#215][comment] Add script to setup krb5 NFS exports

2016-11-10 Thread jumitche
  URL: https://github.com/freeipa/freeipa/pull/215
Title: #215: Add script to setup krb5 NFS exports

jumitche commented:
"""
The idea was to produce a script to simplify the setup of kerberos encrypted 
NFS exports, to make something that was as simple to use as ipa-*-install is, 
including the configuration of the automount parameters that would be needed to 
utilise ipa-client-automount.

The script calls the IPA external programs instead of using the library 
functions to make it easier to substitute AD versions if required.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/215#issuecomment-259747784

[Freeipa-devel] [freeipa PR#214][closed] ipaldap: remove do_bind from LDAPClient

2016-11-10 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/214
Author: tomaskrizek
 Title: #214: ipaldap: remove do_bind from LDAPClient
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/214/head:pr214
git checkout pr214

[Freeipa-devel] [freeipa PR#214][+pushed] ipaldap: remove do_bind from LDAPClient

2016-11-10 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/214
Title: #214: ipaldap: remove do_bind from LDAPClient

Label: +pushed

[Freeipa-devel] [freeipa PR#214][comment] ipaldap: remove do_bind from LDAPClient

2016-11-10 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/214
Title: #214: ipaldap: remove do_bind from LDAPClient

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a68c95d11612108375877ff45bdb53ce6fc8fbe4
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/214#issuecomment-259740460

[Freeipa-devel] [freeipa PR#214][+ack] ipaldap: remove do_bind from LDAPClient

2016-11-10 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/214
Title: #214: ipaldap: remove do_bind from LDAPClient

Label: +ack

[Freeipa-devel] [freeipa PR#224][comment] Integration tests for certs in idoverrides

2016-11-10 Thread mirielka
  URL: https://github.com/freeipa/freeipa/pull/224
Title: #224: Integration tests for certs in idoverrides

mirielka commented:
"""
Functionally OK.
Please extend the commit message for the first commit and add links to tickets if 
applicable. Also ticket https://fedorahosted.org/freeipa/ticket/6146 is in a 
closed milestone, please request an update to an open milestone.
I did not do code review yet, will provide next week.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/224#issuecomment-259736844

[Freeipa-devel] [freeipa PR#215][comment] Add script to setup krb5 NFS exports

2016-11-10 Thread rcritten
  URL: https://github.com/freeipa/freeipa/pull/215
Title: #215: Add script to setup krb5 NFS exports

rcritten commented:
"""
Quite a lot of this code can be eliminated if you use ipalib instead of 
manually reading configuration files, forking out to ipa, doing a kinit, etc., or 
do you expect/anticipate that this can be executed on non-IPA-enrolled clients?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/215#issuecomment-259736364

[Freeipa-devel] [freeipa PR#215][synchronized] Add script to setup krb5 NFS exports

2016-11-10 Thread jumitche
   URL: https://github.com/freeipa/freeipa/pull/215
Author: jumitche
 Title: #215: Add script to setup krb5 NFS exports
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/215/head:pr215
git checkout pr215
From 99c8c50dd7f1cf106b9480c1805339eb2382f18c Mon Sep 17 00:00:00 2001
From: Justin Mitchell 
Date: Tue, 8 Nov 2016 11:15:57 +
Subject: [PATCH 1/2] Add script to setup krb5 NFS exports

---
 client/Makefile.am  |   1 +
 client/ipa-client-nfsexport | 814 
 freeipa.spec.in |   1 +
 3 files changed, 816 insertions(+)
 create mode 100755 client/ipa-client-nfsexport

diff --git a/client/Makefile.am b/client/Makefile.am
index 30adafd..8996fd5 100644
--- a/client/Makefile.am
+++ b/client/Makefile.am
@@ -45,6 +45,7 @@ sbin_PROGRAMS =			\
 sbin_SCRIPTS =			\
 	ipa-client-install	\
 	ipa-client-automount	\
+	ipa-client-nfsexport	\
 	ipa-certupdate		\
 	$(NULL)
 
diff --git a/client/ipa-client-nfsexport b/client/ipa-client-nfsexport
new file mode 100755
index 000..ef47942
--- /dev/null
+++ b/client/ipa-client-nfsexport
@@ -0,0 +1,814 @@
+#!/usr/bin/python -E
+#
+# Configure an IPA/AD client system to serve Kerberos NFS4
+#
+# Author: Justin Mitchell 
+#
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+#
+#
+## Clients must also do:
+# ipa service-add nfs/client.mydomain
+# ipa-getkeytab -s ipa.mydomain -p nfs/client.mydomain -k /etc/krb5.keytab
+# systemctl start nfs-client.target
+# optionally: ipa-client-automount
+
+from __future__ import print_function
+
+try:
+import sys
+import os
+import time
+import tempfile
+import dns
+import socket
+import netaddr
+import logging
+import subprocess
+import tempfile
+import ConfigParser
+import re
+
+from dns import resolver, rdatatype
+from dns.exception import DNSException
+from argparse import ArgumentParser
+from subprocess import CalledProcessError, check_output, check_call
+
+except ImportError as e:
+print("""\
+There was a problem importing one of the required Python modules. The
+error was:
+
+%s
+""" % e, file=sys.stderr)
+sys.exit(1)
+
+
+class Paths:
+"""Collection of pathnames and executables to use"""
+IPA_CLI = "/usr/bin/ipa"
+IPA_GETKEYTAB = "/usr/sbin/ipa-getkeytab"
+KLIST = "/usr/bin/klist"
+KINIT = "/usr/bin/kinit"
+IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
+RESOLV_CONF = "/etc/resolv.conf"
+EXPORTS = "/var/lib/nfs/etab"
+KEYTAB = "/etc/krb5.keytab"
+EXPORTSFILE = "/etc/exports.d/krb5.exports"
+EXPORTFS = "/usr/sbin/exportfs"
+SYSTEMCTL = "/usr/bin/systemctl"
+IPACONFIG = "/etc/ipa/default.conf"
+KRB5CONFIG = "/etc/krb5.conf"
+DNF = "/usr/bin/dnf"
+
+
+def parse_options():
+parser = ArgumentParser()
+
+parser.add_argument("--domain", dest="domain", help="domain name")
+parser.add_argument("--server", dest="server", help="IPA server", action="append")
+parser.add_argument("--export", dest="exports", help="NFS mount exports", action="append")
+parser.add_argument("--realm", dest="realm", help="realm name")
+parser.add_argument("--hostname", dest="hostname", help="The hostname of this machine (FQDN)")
+parser.add_argument("--username", dest="username", help="Kerberos Username")
+parser.add_argument("--force", action="store_true", 
+help="Perform actions even if unneccessary")
+parser.add_argument("-v", "--verbose", help="Increase Verbosity", action="count")
+parser.add_argument("--automount", dest="automount", default=None, action="store_true", 
+help="Configure mounts for automount use")
+parser.add_argument("--noautomount", dest="automount", default=None, action="store_false", 
+help="Do not configure mounts for automount use")
+
+options = parser.parse_args()
+
+if options.verbose > 0:
+logging.getLogger().setLevel(logging.DEBUG)
+
+return options
+
+
+def have_keytab( hostname, service='host', realm=None ):
+"""Test if we have been configured for any realm by the existance
+of a host key in the default keytab"""
+
+principal = '%s/%s' % (service, hostname)
+if realm:
+principal = '%s/%s@%s' % (service, hostname, r
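Review bot: `tempfile` is imported twice inside the `try` block, and `ConfigParser` is the Python 2 module name (`configparser` on 3), which together with the `#!/usr/bin/python -E` shebang pins this script to Python 2. `parser.add_argument("-v", "--verbose", ..., action="count")` has no `default=0`, so `options.verbose > 0` compares `None` with an int whenever `-v` is not given (a `TypeError` on Python 3); add `default=0`. `Paths.IPA_DEFAULT_CONF` and `Paths.IPACONFIG` both name `/etc/ipa/default.conf`, so one of them should go, and the `--force` help text misspells "unnecessary".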

[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-10 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

tiran commented:
"""
The argument is moot. Even now you can't tell which config file ```ipa ping``` 
is going to load. There are tons of ways to modify behavior, e.g. mount binds, 
LD_PRELOAD, a ```sitecustomize.py``` or a ```.pth``` file in the user's 
site-packages which monkey-patches ```ipaplatform.paths.paths```...

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/182#issuecomment-259721448

[Freeipa-devel] [freeipa PR#226][comment] Build refactoring phase 5

2016-11-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/226
Title: #226: Build refactoring phase 5

tomaskrizek commented:
"""
I don't understand Makefiles, but I tested building the git snapshots and srpms 
and it works. Just a few notes:

- `make clean` removes only the most recently created tarball
- there is not much of a time difference when building with 
`IPA_VERSION_IS_GIT_SNAPSHOT` - it takes about 1m50s instead of 1m35s when it's 
turned off. Is this expected?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/226#issuecomment-259708799

[Freeipa-devel] [freeipa PR#226][comment] Build refactoring phase 5

2016-11-10 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/226
Title: #226: Build refactoring phase 5

pspacek commented:
"""
Rebased on top of current master.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/226#issuecomment-259695270

[Freeipa-devel] [freeipa PR#226][synchronized] Build refactoring phase 5

2016-11-10 Thread pspacek
   URL: https://github.com/freeipa/freeipa/pull/226
Author: pspacek
 Title: #226: Build refactoring phase 5
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/226/head:pr226
git checkout pr226
From 74b3f612e34cea48c66cfb536a7ff9da18442f30 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 9 Nov 2016 15:42:30 +0100
Subject: [PATCH 1/7] Build: remove unused and redundant code from configure.ac
 and po/Makefile.in

https://fedorahosted.org/freeipa/ticket/6418
---
 configure.ac   | 4 
 po/Makefile.in | 1 -
 2 files changed, 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index 6e82c62..5646cb0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -17,9 +17,6 @@ AC_HEADER_STDC
 
 AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
 
-AC_SUBST(VERSION)
-AC_SUBST([INSTALL_DATA], ['$(INSTALL) -m 644 -p'])
-
 dnl ---
 dnl - Check for NSPR/NSS
 dnl ---
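Review bot: `AC_SUBST(VERSION)` is already done by `AC_INIT`, so that removal is a no-op, but dropping `AC_SUBST([INSTALL_DATA], ['$(INSTALL) -m 644 -p'])` changes what `@INSTALL_DATA@` expands to: if `AC_PROG_INSTALL` is used elsewhere in configure.ac the variable falls back to its default `${INSTALL} -m 644`, so the visible behavioural change is the loss of `-p` (preserve timestamps) on installed data files; if it is not, any hand-written `Makefile.in` still using `@INSTALL_DATA@` keeps the literal, unexpanded token. Worth a sentence in the commit message either way.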
@@ -359,7 +356,6 @@ AC_ARG_WITH([vendor-suffix],
 [VENDOR_SUFFIX=${withval}],
 	[VENDOR_SUFFIX=""])
 
-dnl TODO: IPA_VENDOR_RELEASE
 AC_SUBST([API_VERSION], [IPA_API_VERSION])
 AC_SUBST([DATA_VERSION], [IPA_DATA_VERSION])
 AC_SUBST([NUM_VERSION], [IPA_NUM_VERSION])
diff --git a/po/Makefile.in b/po/Makefile.in
index b42d8fc..0ab449c 100644
--- a/po/Makefile.in
+++ b/po/Makefile.in
@@ -5,7 +5,6 @@ datadir = ${datarootdir}
 localedir = ${datarootdir}/locale
 
 INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL@ -m 644
 AWK = @AWK@
 SED = @SED@
 MKDIR_P = @MKDIR_P@
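Review bot: with `INSTALL_DATA = @INSTALL@ -m 644` gone, any install rule in po/Makefile.in that still references `$(INSTALL_DATA)` expands to an empty string and silently installs nothing; either keep a definition here as `INSTALL_DATA = @INSTALL_DATA@` (picking up whatever configure substitutes) or confirm no rule in this file uses it.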

From 14fc15929512ee5e3554c1b397e8845d59de839e Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 9 Nov 2016 16:15:19 +0100
Subject: [PATCH 2/7] Build: IPA_VERSION_IS_GIT_SNAPSHOT checks if source
 directory is Git repo

https://fedorahosted.org/freeipa/ticket/6418
---
 configure.ac | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/configure.ac b/configure.ac
index 5646cb0..1b672fb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -350,6 +350,17 @@ AC_MSG_RESULT([${IPAPLATFORM}])
 dnl ---
 dnl Version information from VERSION.m4 and command line
 dnl ---
+dnl Are we in source tree?
+AM_CONDITIONAL([IS_GIT_SNAPSHOT], [test "IPA_VERSION_IS_GIT_SNAPSHOT" == "yes"])
+AM_COND_IF([IS_GIT_SNAPSHOT], [
+	AC_MSG_CHECKING([if source directory is a Git reposistory])
+	if test ! -d "${srcdir}/.git"; then
+		AC_MSG_ERROR([Git reposistory is required by VERSION.m4 IPA_VERSION_IS_GIT_SNAPSHOT but not found])
+	else
+		AC_MSG_RESULT([yes])
+	fi
+])
+
 AC_ARG_WITH([vendor-suffix],
 AS_HELP_STRING([--with-vendor-suffix=STRING],
 			   [Vendor string used by package system, e.g. "-1.fc24"]),
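Review bot: `test "IPA_VERSION_IS_GIT_SNAPSHOT" == "yes"` uses `==`, which POSIX `test` does not define (only `=`); configure runs under `/bin/sh`, which is dash on Debian-family hosts, where this yields `unexpected operator` and the conditional is never true, so use `=`. The two messages also misspell "repository" (`reposistory`).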

From 65dda782d50191b85979668294b79d409f77bbb0 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 9 Nov 2016 16:21:51 +0100
Subject: [PATCH 3/7] Build: use POSIX 1003.1-1988 (ustar) file format for tar
 archives

Default format used by Autotools limits length of paths to
99 characters. This is not enough for tarballs with Git snapshots.

https://fedorahosted.org/freeipa/ticket/6418
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 1b672fb..53d5dab 100644
--- a/configure.ac
+++ b/configure.ac
@@ -6,7 +6,7 @@ AC_INIT([freeipa],
 
 AC_CONFIG_HEADERS([config.h])
 
-AM_INIT_AUTOMAKE([foreign])
+AM_INIT_AUTOMAKE([foreign 1.9 tar-ustar])
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
 
 AC_PROG_CC_C99
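Review bot: `tar-ustar` raises the limit from 99 to 256 characters but ustar still splits a path at a `/` into a 155-byte prefix and a 100-byte name, so any single component longer than 100 bytes still fails; if Git snapshot tarballs can contain such names, `tar-pax` has no limit at the cost of requiring a PAX-aware tar on the build host. The `1.9` minimum automake version is needed for `tar-ustar` and deserves a short comment.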

From 424f3505a55e28d0045f3ef35b64caad84da81e4 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 9 Nov 2016 16:16:45 +0100
Subject: [PATCH 4/7] Build: IPA_VERSION_IS_GIT_SNAPSHOT re-generates version
 number on RPM build

This is a huge hack. rpms target will touch VERSION.m4 file. This change
is then detected by automake Makefiles which subsequently re-execute configure
and make.

We have to work around the fact that variables in new make targets
(executed after the new configure) are different from the original ones.

Also, we have to 'bake in' the precise snapshot version from Git into
VERSION.m4 inside the RPM tarball so the RPM does not depend on git
anymore.

All this magic slows the build down.
If you want quick builds, do not enable IPA_VERSION_IS_GIT_SNAPSHOT.

https://fedorahosted.org/freeipa/ticket/6418
---
 .gitignore   |  2 ++
 Makefile.am  | 46 ++
 VERSION.m4   | 22 +-
 configure.ac |  1 +
 4 files changed, 58 insertions(+), 13 deletions(-)

diff --git a/.gitignore b/.gitignore
index e1a42d6..de61aff 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,6 +28,8 @@ build/
 compile
 test-driver
 freeipa-*.tar.gz
+.tarball_name
+.version
 
 # Python compilation
 *.pyc
diff --git a/Makefile.am b/Makefile.am

[Freeipa-devel] [freeipa PR#213][edited] Build system refactoring phase 3

2016-11-10 Thread pspacek
   URL: https://github.com/freeipa/freeipa/pull/213
Author: pspacek
 Title: #213: Build system refactoring phase 3
Action: edited

 Changed field: body
Original value:
"""
This monster patch-set refactors most of the build system and moves most of the 
logic from the SPEC file to the build system.

It is not yet complete, missing parts are:
- [ ] Python 3 support
- [ ] Client-only build is not supported
- [ ] IPA_VERSION_IS_GIT_SNAPSHOT does not work

These will be sorted out later on but the review of the patch set can begin.
"""


[Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3

2016-11-10 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

tiran commented:
"""
memo for me:

- [ ] /freeipa*.tar.gz is not removed
- [ ] ```MOSTLYCLEANFILES``` only cleans ipasetup.py[co] but keeps __pycache__ 
and other pyc/pyo. add ```clean-local: rm -rf *.pyc *.pyc __pycache__```
- [x]  ```Makefile.python.am``` clean-local has ```-delete``` and ```-exec```. 
AFAIK only one action is supported.
- [ ] neither clean nor distclean removes  ```/dist``` and ```/rpmbuild```
- [x] autoconf and automake files are not removed (Makefile.in, /config.sub ...)
- [x] add ```ipasetup.py``` to ```dist_noinst_SCRIPTS``` ?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/213#issuecomment-259371190

[Freeipa-devel] [freeipa PR#226][comment] Build refactoring phase 5

2016-11-10 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/226
Title: #226: Build refactoring phase 5

pspacek commented:
"""
I've added missing files to .gitignore.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/226#issuecomment-259694249

[Freeipa-devel] [freeipa PR#226][synchronized] Build refactoring phase 5

2016-11-10 Thread pspacek
   URL: https://github.com/freeipa/freeipa/pull/226
Author: pspacek
 Title: #226: Build refactoring phase 5
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/226/head:pr226
git checkout pr226
From 212d059cc208a1bba32255867c6d7b8deaad8b6c Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 9 Nov 2016 13:34:04 +0100
Subject: [PATCH 1/8] Build: fix make clean to remove build artifacts from
 top-level directory

make lint and make dist were generating files which were not removed by
make clean.

https://fedorahosted.org/freeipa/ticket/6418
---
 Makefile.am | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index ffa5de2..031aef4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,6 +1,11 @@
 SUBDIRS = asn1 util client contrib daemons init install ipaclient ipalib ipaplatform ipapython ipaserver ipatests po
 
-MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo
+MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
+		   ignore_import_errors.pyc ignore_import_errors.pyo \
+		   ipasetup.pyc ipasetup.pyo \
+		   lite-server.pyc lite-server.pyo \
+		   pylint_plugins.pyc pylint_plugins.pyo \
+		   $(TARBALL)
 
 # user-facing scripts
 dist_bin_SCRIPTS = ipa
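
Review bot: `ipasetup.pyc ipasetup.pyo` is listed twice in `MOSTLYCLEANFILES`, once on the first line of the assignment and again on the third continuation line; drop one of them. Referencing `$(TARBALL)` before its definition further down the file is fine because `MOSTLYCLEANFILES` is a recursively expanded (`=`) variable, but a one-line comment saying so would spare the next reader a double take.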
@@ -25,6 +30,11 @@ EXTRA_DIST = .mailmap \
 	 pylintrc \
 	 pytest.ini
 
+clean-local:
+	rm -rf "$(RPMBUILD)"
+	rm -rf "$(top_builddir)/dist"
+	rm -rf "$(top_srcdir)/__pycache__"
+
 # convenience targets for RPM build
 RPMBUILD ?= $(abs_builddir)/rpmbuild
 TARBALL = $(PACKAGE)-$(VERSION).tar.gz
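
Review bot: `rm -rf "$(top_srcdir)/__pycache__"` only removes the top-level cache directory, while the memo in PR#213 on this page that motivates this target also asks for stray `*.pyc`/`*.pyo` files in the subdirectories; `find "$(top_srcdir)" -name __pycache__ -type d -prune -exec rm -rf {} +` followed by `find "$(top_srcdir)" -name '*.py[co]' -delete` would cover the whole tree. Consider also whether `clean` should touch `$(top_srcdir)` at all in a VPATH build, or whether these should be scoped to `$(top_builddir)`.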

From cb2084eba47bc7608375c2060716a2a8fbf06c29 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 9 Nov 2016 15:42:30 +0100
Subject: [PATCH 2/8] Build: remove unused and redundant code from configure.ac
 and po/Makefile.in

https://fedorahosted.org/freeipa/ticket/6418
---
 configure.ac   | 4 
 po/Makefile.in | 1 -
 2 files changed, 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index 6e82c62..5646cb0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -17,9 +17,6 @@ AC_HEADER_STDC
 
 AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
 
-AC_SUBST(VERSION)
-AC_SUBST([INSTALL_DATA], ['$(INSTALL) -m 644 -p'])
-
 dnl ---
 dnl - Check for NSPR/NSS
 dnl ---
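
Review bot: removing `AC_SUBST([INSTALL_DATA], ['$(INSTALL) -m 644 -p'])` is not purely redundant: `AC_PROG_INSTALL` defines `INSTALL_DATA` as `${INSTALL} -m 644` without `-p`, so installed data files will no longer keep their source timestamps. If that is acceptable, say so in the commit message; otherwise keep the override. Dropping `AC_SUBST(VERSION)` is safe, since `AM_INIT_AUTOMAKE` already substitutes it.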
@@ -359,7 +356,6 @@ AC_ARG_WITH([vendor-suffix],
 [VENDOR_SUFFIX=${withval}],
 	[VENDOR_SUFFIX=""])
 
-dnl TODO: IPA_VENDOR_RELEASE
 AC_SUBST([API_VERSION], [IPA_API_VERSION])
 AC_SUBST([DATA_VERSION], [IPA_DATA_VERSION])
 AC_SUBST([NUM_VERSION], [IPA_NUM_VERSION])
diff --git a/po/Makefile.in b/po/Makefile.in
index b42d8fc..0ab449c 100644
--- a/po/Makefile.in
+++ b/po/Makefile.in
@@ -5,7 +5,6 @@ datadir = ${datarootdir}
 localedir = ${datarootdir}/locale
 
 INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL@ -m 644
 AWK = @AWK@
 SED = @SED@
 MKDIR_P = @MKDIR_P@
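
Review bot: `po/Makefile.in` is a hand-maintained template rather than automake output, so once this line goes nothing else in the file defines `INSTALL_DATA`; the hunk does not show the install rules, so confirm no `$(INSTALL_DATA)` reference remains there, otherwise those rules would expand to an empty command at `make install` time.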

From 3347f58b656b86a5a22150fd8198d831867d5bbc Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 9 Nov 2016 16:15:19 +0100
Subject: [PATCH 3/8] Build: IPA_VERSION_IS_GIT_SNAPSHOT checks if source
 directory is Git repo

https://fedorahosted.org/freeipa/ticket/6418
---
 configure.ac | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/configure.ac b/configure.ac
index 5646cb0..1b672fb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -350,6 +350,17 @@ AC_MSG_RESULT([${IPAPLATFORM}])
 dnl ---
 dnl Version information from VERSION.m4 and command line
 dnl ---
+dnl Are we in source tree?
+AM_CONDITIONAL([IS_GIT_SNAPSHOT], [test "IPA_VERSION_IS_GIT_SNAPSHOT" == "yes"])
+AM_COND_IF([IS_GIT_SNAPSHOT], [
+	AC_MSG_CHECKING([if source directory is a Git reposistory])
+	if test ! -d "${srcdir}/.git"; then
+		AC_MSG_ERROR([Git reposistory is required by VERSION.m4 IPA_VERSION_IS_GIT_SNAPSHOT but not found])
+	else
+		AC_MSG_RESULT([yes])
+	fi
+])
+
 AC_ARG_WITH([vendor-suffix],
 AS_HELP_STRING([--with-vendor-suffix=STRING],
 			   [Vendor string used by package system, e.g. "-1.fc24"]),
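
Review bot: `test "IPA_VERSION_IS_GIT_SNAPSHOT" == "yes"` uses `==`, which is a bash extension; `configure` runs under `/bin/sh` and POSIX `test` only defines `=`, so on a dash-based system the comparison errors out and `IS_GIT_SNAPSHOT` silently ends up false. Use `= "yes"`. Second, `test ! -d "${srcdir}/.git"` rejects checkouts where `.git` is a file rather than a directory (git worktrees and submodules); `test ! -e` covers both. Third, "reposistory" in both the `AC_MSG_CHECKING` and the `AC_MSG_ERROR` strings should read "repository".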

From e21452024c91dacfa5ea9aa6e1e9a5b56710cc0b Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 9 Nov 2016 16:21:51 +0100
Subject: [PATCH 4/8] Build: use POSIX 1003.1-1988 (ustar) file format for tar
 archives

The default format used by Autotools limits the length of paths to
99 characters. This is not enough for tarballs with Git snapshots.

https://fedorahosted.org/freeipa/ticket/6418
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 1b672fb..53d5dab 100644
--- a/configure.ac
+++ b/configure.ac
@@ -6,7 +6,7 @@ AC_INIT([freeipa],
 
 AC_CONFIG_HEADERS([config.h])
 
-AM_INIT_AUTOMAKE([foreign])
+AM_INIT_AUTOMAKE([foreign 1.9 tar-ustar])
 m4_ifdef([AM_SILEN

[Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir

2016-11-10 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/143
Title: #143: Issue6386 nss dir

tiran commented:
"""
No, #182 does not break ```ipa-client-install``` in a bad way. The command 
simply refuses to work in the presence of ```IPA_CONFDIR```. 
```api.bootstrap()``` does not support ```IPA_CONFDIR``` for some contexts in 
order to prevent this kind of issue. I just pushed another change to #182 that 
raises an exception when ```IPA_CONFDIR``` is set in a reserved context 
(server, installer, updater etc.).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/143#issuecomment-259693470

[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates

2016-11-10 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/219
Title: #219: Refactor installer code requesting certificates

jcholast commented:
"""
Turns out the request does not time out in certmonger, but the 60-second wait 
in `request_and_wait_for_cert()` is too short.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/219#issuecomment-259692618

[Freeipa-devel] [freeipa PR#182][synchronized] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-10 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/182
Author: tiran
 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/182/head:pr182
git checkout pr182
From 43e044878708e7619bd289a264edac755c180e50 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 24 Oct 2016 10:35:41 +0200
Subject: [PATCH] Use env var IPA_CONFDIR to get confdir

The environment variable IPA_CONFDIR overrides the default confdir path.
The value of the environment variable must be an absolute path to an existing
directory. The new variable makes it much simpler to use the 'ipa'
command and ipalib with a local configuration directory.

Some contexts like server, installer and upgrades do not support the env
var.

Signed-off-by: Christian Heimes 
---
 client/man/ipa.1|  4 
 install/tools/ipa-httpd-kdcproxy|  2 +-
 install/tools/ipa-replica-conncheck |  2 +-
 ipalib/config.py| 18 +-
 4 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/client/man/ipa.1 b/client/man/ipa.1
index 9194ca0..b843e7b 100644
--- a/client/man/ipa.1
+++ b/client/man/ipa.1
@@ -186,6 +186,10 @@ The ipa client will determine which server to connect to in this order:
 
 .TP
 If a kerberos error is raised by any of the requests then it will stop processing and display the error message.
+.SH "ENVIRONMENT VARIABLES"
+.TP
+\fBIPA_CONFDIR\fR
+Override path to confdir (default: \fB/etc/ipa\fR).
 .SH "FILES"
 .TP
 \fB/etc/ipa/default.conf\fR
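
Review bot: the new `IPA_CONFDIR` entry should document the constraints that the `ipalib/config.py` hunk below enforces: the value must be an absolute path to an existing directory, and it is rejected outright in the server, installer, update and backup/restore contexts. An administrator reading only the man page would otherwise expect the variable to apply to every tool.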
diff --git a/install/tools/ipa-httpd-kdcproxy b/install/tools/ipa-httpd-kdcproxy
index 20674c2..20daacd 100755
--- a/install/tools/ipa-httpd-kdcproxy
+++ b/install/tools/ipa-httpd-kdcproxy
@@ -184,7 +184,7 @@ class KDCProxyConfig(object):
 def main(debug=DEBUG, time_limit=TIME_LIMIT):
 # initialize API without file logging
 if not api.isdone('bootstrap'):
-api.bootstrap(context='ipa-httpd-kdcproxy', log=None, debug=debug)
+api.bootstrap(context='server', log=None, debug=debug)
 standard_logging_setup(verbose=True, debug=debug)
 
 try:
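
Review bot: changing the context from `'ipa-httpd-kdcproxy'` to `'server'` does more than opt this script out of `IPA_CONFDIR`: `Env` derives `in_server` from `context == 'server'`, and that flag decides which plugin packages are registered during `api.finalize()`. Please confirm the kdcproxy script still behaves the same (and does not load the full server plugin set it never needed); if the only goal is to block the variable, a dedicated entry in `_reserved_contexts` for the existing context name is the smaller change.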
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 4045e41..fbe2dd5 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -478,7 +478,7 @@ def main():
 else:
 nss_dir = None
 
-api.bootstrap(context='client', xmlrpc_uri=xmlrpc_uri,
+api.bootstrap(context='installer', xmlrpc_uri=xmlrpc_uri,
   nss_dir=nss_db.secdir)
 api.finalize()
 try:
diff --git a/ipalib/config.py b/ipalib/config.py
index cf9e925..46da186 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -43,6 +43,7 @@
 from ipalib.base import check_name
 from ipalib.constants import CONFIG_SECTION
 from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
+from ipapython.admintool import ScriptError
 
 if six.PY3:
 unicode = str
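
Review bot: importing `ScriptError` from `ipapython.admintool` into `ipalib/config.py` makes the core library depend on the admin-tool module for a single exception class, and `ipalib` is also used by plain library consumers (the discussion in this thread names OpenStack and Ansible) that never go through an admintool. Consider raising a standard exception (`ValueError` or `EnvironmentError`) or an `ipalib.errors` type from `Env._bootstrap` and letting the tool layer translate it into `ScriptError`.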
@@ -200,6 +201,10 @@ class provides high-level methods for bootstraping a fresh `Env` instance
 
 __locked = False
 
+# Reserved contexts do not support IPA_CONFDIR env var
+_reserved_contexts = {'backup', 'cli_installer', 'installer', 'ipactl',
+  'renew', 'restore', 'server', 'updates'}
+
 def __init__(self, **initialize):
 object.__setattr__(self, '_Env__d', {})
 object.__setattr__(self, '_Env__done', set())
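
Review bot: `_reserved_contexts` is a deny-list, so any context not enumerated here, including ones added later by new tools, honours `IPA_CONFDIR` by default. Since the PR title scopes the feature to the `'cli'` context, an allow-list (for example `_confdir_env_contexts = {'cli'}`) is the safer default and would not need a new entry every time a tool introduces a context name.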
@@ -461,7 +466,18 @@ def _bootstrap(self, **overrides):
 
 # Set confdir:
 if 'confdir' not in self:
-if self.in_tree:
+ipa_confdir = os.environ.get('IPA_CONFDIR')
+if ipa_confdir is not None:
+if self.context in self._reserved_contexts:
+raise ScriptError(
+'IPA_CONFDIR env var is not allowed for context '
+'"{}".'.format(self.context))
+if not path.isabs(ipa_confdir) or not path.isdir(ipa_confdir):
+raise ScriptError(
+'IPA_CONFDIR env var must be an absolute path to an '
+'existing directory.')
+self.confdir = ipa_confdir
+elif self.in_tree:
 self.confdir = self.dot_ipa
 else:
 self.confdir = path.join('/', 'etc', 'ipa')
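
Review bot: the new branch calls `os.environ.get` while the surrounding code only uses `path.` from `from os import path`; the hunk context does not show the module imports, so confirm `os` itself is imported at the top of `ipalib/config.py`. The precedence is right: the variable is consulted only when `confdir` was not already set, so `ipa -e confdir=...` and `api.bootstrap(confdir=...)` still win, which answers part of the objection raised in this thread and deserves a sentence in the commit message.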

[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-10 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

tiran commented:
"""
For a long time FreeIPA ignored Python packaging guidelines. It supported 
neither pip and wheels nor virtual envs or local configuration. There is 
pressing demand from multiple projects like OpenStack and Ansible to support 
proper Python packages. Ask @rcritten, @admiyo 

@mbasti-rh the proposal is **not** just about command line scripts. It's for 
Python applications that use ipalib, too. You are free to come up with another 
solution that works for all use cases.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/182#issuecomment-259689791

[Freeipa-devel] [freeipa PR#229][comment] Remove the renewal lock file upon uninstall

2016-11-10 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/229
Title: #229: Remove the renewal lock file upon uninstall

flo-renaud commented:
"""
You are right, I updated the PR to put the code at the end of server 
uninstallation.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/229#issuecomment-259689730

[Freeipa-devel] [freeipa PR#229][synchronized] Remove the renewal lock file upon uninstall

2016-11-10 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/229
Author: flo-renaud
 Title: #229: Remove the renewal lock file upon uninstall
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/229/head:pr229
git checkout pr229
From bd23f2d344f3404c4d42769e17382a912e3bad63 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 10 Nov 2016 13:14:34 +0100
Subject: [PATCH] Remove the renewal lock file upon uninstall

Make sure that the file /var/run/ipa/renewal.lock is deleted upon
uninstallation, in order to avoid subsequent installation issues.

Part of the refactoring effort, certificates sub-effort.

https://fedorahosted.org/freeipa/ticket/6433
---
 ipaserver/install/server/install.py | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index ff99e78..acdd72b 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -1130,6 +1130,12 @@ def uninstall(installer):
   ' # getcert stop-tracking -i \n'
   'for each id in: %s' % ', '.join(ids))
 
+# Remove the cert renewal lock file
+try:
+os.remove(paths.IPA_RENEWAL_LOCK)
+except Exception:
+pass
+
 print("Removing IPA client configuration")
 try:
 result = run([paths.IPA_CLIENT_INSTALL, "--on-master",
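
Review bot: `except Exception: pass` hides every failure of `os.remove(paths.IPA_RENEWAL_LOCK)`, including a permission error that would leave the lock behind and cause exactly the re-install problem the commit message describes. Catch `OSError`, ignore only `errno.ENOENT`, and log anything else, along the lines of:
    except OSError as e:
        if e.errno != errno.ENOENT:
            print("Failed to remove %s: %s" % (paths.IPA_RENEWAL_LOCK, e))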

[Freeipa-devel] [freeipa PR#230][opened] cert-request: accept CSRs with extraneous data

2016-11-10 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/230
Author: frasertweedale
 Title: #230: cert-request: accept CSRs with extraneous data
Action: opened

PR body:
"""
The cert-request command used to accept CSRs that had extra data
surrounding the PEM data, e.g. commentary about the contents of the
CSR.  Recent commits that switch to using python-cryptography for
cert and CSR handling broke this.  Our acceptance tests use such
CSRs, hence the tests are now failing.

To avoid the issue, freshly encode the python-cryptography
CertificateSigningRequest object as PEM.  This avoids re-using the
user-supplied data, in case it has extraneous data.

Fixes: https://fedorahosted.org/freeipa/ticket/6472
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/230/head:pr230
git checkout pr230
From 8f1164724d872c8b28513bbc5985ae3a77c3405d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Thu, 10 Nov 2016 23:22:52 +1000
Subject: [PATCH] cert-request: accept CSRs with extraneous data

The cert-request command used to accept CSRs that had extra data
surrounding the PEM data, e.g. commentary about the contents of the
CSR.  Recent commits that switch to using python-cryptography for
cert and CSR handling broke this.  Our acceptance tests use such
CSRs, hence the tests are now failing.

To avoid the issue, freshly encode the python-cryptography
CertificateSigningRequest object as PEM.  This avoids re-using the
user-supplied data, in case it has extraneous data.

Fixes: https://fedorahosted.org/freeipa/ticket/6472
---
 ipalib/pkcs10.py  | 2 +-
 ipaserver/plugins/cert.py | 7 +--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py
index a993519..39ec95c 100644
--- a/ipalib/pkcs10.py
+++ b/ipalib/pkcs10.py
@@ -26,7 +26,7 @@
 
 def strip_header(csr):
 """
-Remove the header and footer from a CSR.
+Remove the header and footer (and surrounding material) from a CSR.
 """
 headerlen = 40
 s = csr.find("-BEGIN NEW CERTIFICATE REQUEST-")
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 4362d82..3571ef1 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -26,7 +26,7 @@
 import os
 
 import cryptography.x509
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes, serialization
 import six
 
 from ipalib import Command, Str, Int, Flag
@@ -750,8 +750,11 @@ def execute(self, csr, all=False, raw=False, **kw):
 
 # Request the certificate
 try:
+# re-serialise to PEM, in case the user-supplied data has
+# extraneous material that will cause Dogtag to freak out
+csr_pem = csr_obj.public_bytes(serialization.Encoding.PEM)
 result = self.Backend.ra.request_certificate(
-csr, profile_id, ca_id, request_type=request_type)
+csr_pem, profile_id, ca_id, request_type=request_type)
 except errors.HTTPRequestError as e:
 if e.status == 409:  # pylint: disable=no-member
 raise errors.CertificateOperationError(
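
Review bot: `csr_obj.public_bytes(serialization.Encoding.PEM)` returns `bytes`, whereas the `csr` value it replaces was the user-supplied text; check that `self.Backend.ra.request_certificate()` accepts bytes on Python 3 and decode to `str` here if it does not. The canonicalisation itself is the right fix: forwarding only what python-cryptography re-serialised, rather than the raw input, also strips anything else a client could place around the armour before it reaches Dogtag.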

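The fix above re-serialises the parsed request instead of forwarding the user's text. As an added illustration of the same idea, not code from this PR or from FreeIPA, the following stdlib-only Python extracts the PEM block from input that carries commentary around the armour and re-emits it in canonical form. Unlike the PR's `public_bytes(serialization.Encoding.PEM)` round trip it validates only the base64 framing, not the PKCS#10 structure. The sample input is constructed and its payload is a placeholder byte string, not a real CSR.

```python
import base64
import binascii
import re

# Accept both the RFC 7468 label and the legacy "NEW CERTIFICATE REQUEST"
# label that ipalib/pkcs10.py's strip_header() looks for.
_PEM_CSR_RE = re.compile(
    r"-----BEGIN (?P<label>(?:NEW )?CERTIFICATE REQUEST)-----"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


def extract_csr_der(text):
    """Return the DER bytes of the first PEM CSR block found in `text`.

    Everything outside the BEGIN/END armour (commentary, prompts, stray
    whitespace) is ignored.  Raises ValueError if there is no block or the
    body is not valid base64.  Only the framing is checked here; the PR's
    python-cryptography round trip additionally parses the DER.
    """
    match = _PEM_CSR_RE.search(text)
    if match is None:
        raise ValueError("no PEM CERTIFICATE REQUEST block found")
    body = re.sub(r"\s+", "", match.group("body"))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("PEM body is not valid base64: %s" % exc)
    if not der:
        raise ValueError("PEM body is empty")
    return der


def canonical_csr_pem(text):
    """Re-encode the CSR as clean PEM: RFC 7468 label, 64-column base64,
    and nothing before or after the armour."""
    b64 = base64.b64encode(extract_csr_der(text)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE REQUEST-----\n"
            + "\n".join(lines) + "\n"
            + "-----END CERTIFICATE REQUEST-----\n")


# Constructed sample: the "DER" is a placeholder byte string, not a real
# PKCS#10 structure, wrapped in the kind of commentary `openssl req -text`
# prints around the armour, plus a trailing note after the END line.
SAMPLE_DER = bytes(range(256))
SAMPLE_INPUT = (
    "Certificate Request:\n"
    "    Subject: CN=host.example.test\n"
    "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii") + "\n"
    + "-----END NEW CERTIFICATE REQUEST-----\n"
    "$ submitted via ipa cert-request, see notes above\n"
)

if __name__ == "__main__":
    print(canonical_csr_pem(SAMPLE_INPUT))
```

Feeding `canonical_csr_pem()` output to a CA means the CA never sees the commentary, the legacy label or the original line wrapping; any of those can trip a stricter parser, which is the failure the PR describes.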
[Freeipa-devel] [freeipa PR#231][opened] Do not log DM password in ca/kra installation logs

2016-11-10 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/231
Author: stlaz
 Title: #231: Do not log DM password in ca/kra installation logs
Action: opened

PR body:
"""
We can merge this after the refactoring merges, so as not to mess up the rebases.

https://fedorahosted.org/freeipa/ticket/6461
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/231/head:pr231
git checkout pr231
From d40d3e9bc5c0cccbd172ae4480316c13f3bf82f7 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 10 Nov 2016 14:24:26 +0100
Subject: [PATCH] Do not log DM password in ca/kra installation logs

https://fedorahosted.org/freeipa/ticket/6461
---
 ipaserver/install/cainstance.py  | 3 ++-
 ipaserver/install/krainstance.py | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1c31281..ed5ac9e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -576,7 +576,8 @@ def __spawn_instance(self):
 
 self.backup_state('installed', True)
 try:
-DogtagInstance.spawn_instance(self, cfg_file)
+DogtagInstance.spawn_instance(self, cfg_file,
+  nolog_list=[self.dm_password])
 finally:
 os.remove(cfg_file)
 
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 77f23c1..e749c73 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -257,7 +257,8 @@ def __spawn_instance(self):
 config.write(f)
 
 try:
-DogtagInstance.spawn_instance(self, cfg_file)
+DogtagInstance.spawn_instance(self, cfg_file,
+  nolog_list=[self.dm_password])
 finally:
 os.remove(p12_tmpfile_name)
 os.remove(cfg_file)

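The `nolog_list` passed in the hunks above tells the spawn wrapper which strings to scrub from what it logs. The following Python is an added example of that redaction pattern, not FreeIPA's own `ipautil.run`/`nolog` implementation; the command name `example-spawn` and its `--password=` option are hypothetical stand-ins, and the password and output text are constructed. It shows two points a practitioner wants right: skip empty secrets, and redact each argument before shell-quoting it, since quoting can rewrite characters inside the secret.

```python
import logging
import shlex

REDACTED = "XXXXXXXX"


def redact(text, nolog):
    """Replace every occurrence of each secret in `nolog` with REDACTED.

    Empty and None entries are skipped (str.replace("", ...) would mangle the
    whole text), and longer secrets are replaced first so that a secret which
    is a substring of another cannot leave a partial leak behind.
    """
    for secret in sorted({s for s in nolog if s}, key=len, reverse=True):
        text = text.replace(secret, REDACTED)
    return text


def loggable_command(argv, nolog=()):
    """Return a shell-quoted rendering of argv with secrets removed.

    Each argument is redacted *before* quoting: shlex.quote rewrites a single
    quote inside a secret as '"'"', so a substring replacement done on the
    already-quoted string would no longer match the secret.
    """
    return " ".join(shlex.quote(redact(arg, nolog)) for arg in argv)


def quote_then_redact(argv, nolog=()):
    """The order that leaks: quote first, then substring-replace."""
    return redact(" ".join(shlex.quote(arg) for arg in argv), nolog)


def log_subprocess(argv, returncode, output, nolog=(), logger=None):
    """Log a finished command the way an installer would, minus the secrets.

    Returns the (command line, output) strings that were actually logged so
    they can be checked.
    """
    logger = logger or logging.getLogger(__name__)
    cmd = loggable_command(argv, nolog)
    out = redact(output, nolog)
    logger.info("Command %s exited with %d", cmd, returncode)
    logger.debug("output: %s", out)
    return cmd, out


# Constructed sample.  The password deliberately contains a single quote to
# exercise the quoting path; the tool and its option are hypothetical.
DM_PASSWORD = "S3cr3t'pw"
SAMPLE_ARGV = ["example-spawn", "-s", "CA", "-f", "/tmp/example.cfg",
               "--password=" + DM_PASSWORD]
SAMPLE_OUTPUT = ("Binding to LDAP as cn=Directory Manager with password "
                 + DM_PASSWORD + " ... ok\n")

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    log_subprocess(SAMPLE_ARGV, 0, SAMPLE_OUTPUT, nolog=[DM_PASSWORD, None])
```

`quote_then_redact()` is kept only to show the failure: with the sample password it still contains `S3cr3t`, because `shlex.quote` split the secret around the embedded quote before the replacement ran.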
[Freeipa-devel] [freeipa PR#187][comment] Register entry points of Custodia plugins

2016-11-10 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/187
Title: #187: Register entry points of Custodia plugins

tiran commented:
"""
@simo5 wrote the code. He should know why he did not follow PEP8 naming 
conventions for the class.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/187#issuecomment-259687787

[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-10 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

mbasti-rh commented:
"""
For the long history of IPA we haven't had a need for our own environment 
variables. I agree with Honza: why should we have another way to pass the 
config dir to IPA commands?

Also, handling of env variables in IPA is inconsistent, so this should be fixed 
as well; see #204, where in some places environment variables are not passed to 
subprocesses at all.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/182#issuecomment-259687668

[Freeipa-devel] [freeipa PR#219][closed] Refactor installer code requesting certificates

2016-11-10 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/219
Author: flo-renaud
 Title: #219: Refactor installer code requesting certificates
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/219/head:pr219
git checkout pr219

[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates

2016-11-10 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/219
Title: #219: Refactor installer code requesting certificates

dkupka commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/7462adec13c5b25b6868d2863dc38062c97d0ff7
https://fedorahosted.org/freeipa/changeset/808b1436b4158cb6f926ac2b5bd0979df6ea7e9f
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/219#issuecomment-259687145

[Freeipa-devel] [freeipa PR#219][+pushed] Refactor installer code requesting certificates

2016-11-10 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/219
Title: #219: Refactor installer code requesting certificates

Label: +pushed

[Freeipa-devel] [freeipa PR#182][synchronized] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-10 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/182
Author: tiran
 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/182/head:pr182
git checkout pr182
From 8ffcd720d01bc7394a3de7ce7d8c7d6e00fb35e8 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 24 Oct 2016 10:35:41 +0200
Subject: [PATCH] Use env var IPA_CONFDIR to get confdir

The environment variable IPA_CONFDIR overrides the default confdir path.
The value of the environment variable must be an absolute path to an existing
directory. The new variable makes it much simpler to use the 'ipa'
command and ipalib with a local configuration directory.

Some contexts like server, installer and upgrades do not support the env
var.

Signed-off-by: Christian Heimes 
---
 client/man/ipa.1|  4 
 install/tools/ipa-httpd-kdcproxy|  2 +-
 install/tools/ipa-replica-conncheck |  2 +-
 ipalib/config.py| 18 +-
 4 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/client/man/ipa.1 b/client/man/ipa.1
index 9194ca0..b843e7b 100644
--- a/client/man/ipa.1
+++ b/client/man/ipa.1
@@ -186,6 +186,10 @@ The ipa client will determine which server to connect to in this order:
 
 .TP
 If a kerberos error is raised by any of the requests then it will stop processing and display the error message.
+.SH "ENVIRONMENT VARIABLES"
+.TP
+\fBIPA_CONFDIR\fR
+Override path to confdir (default: \fB/etc/ipa\fR).
 .SH "FILES"
 .TP
 \fB/etc/ipa/default.conf\fR
diff --git a/install/tools/ipa-httpd-kdcproxy b/install/tools/ipa-httpd-kdcproxy
index 20674c2..20daacd 100755
--- a/install/tools/ipa-httpd-kdcproxy
+++ b/install/tools/ipa-httpd-kdcproxy
@@ -184,7 +184,7 @@ class KDCProxyConfig(object):
 def main(debug=DEBUG, time_limit=TIME_LIMIT):
 # initialize API without file logging
 if not api.isdone('bootstrap'):
-api.bootstrap(context='ipa-httpd-kdcproxy', log=None, debug=debug)
+api.bootstrap(context='server', log=None, debug=debug)
 standard_logging_setup(verbose=True, debug=debug)
 
 try:
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 4045e41..fbe2dd5 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -478,7 +478,7 @@ def main():
 else:
 nss_dir = None
 
-api.bootstrap(context='client', xmlrpc_uri=xmlrpc_uri,
+api.bootstrap(context='installer', xmlrpc_uri=xmlrpc_uri,
   nss_dir=nss_db.secdir)
 api.finalize()
 try:
diff --git a/ipalib/config.py b/ipalib/config.py
index cf9e925..7b32056 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -43,6 +43,7 @@
 from ipalib.base import check_name
 from ipalib.constants import CONFIG_SECTION
 from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
+from ipapython.admintool import ScriptError
 
 if six.PY3:
 unicode = str
@@ -200,6 +201,10 @@ class provides high-level methods for bootstraping a fresh `Env` instance
 
 __locked = False
 
+# reserved contexts do not support IPA_CONFDIR env var
+_reserved_contexts = {'backup', 'installer', 'ipactl', 'renew',
+  'restore', 'server', 'updates'}
+
 def __init__(self, **initialize):
 object.__setattr__(self, '_Env__d', {})
 object.__setattr__(self, '_Env__done', set())
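
Review bot: this version of `_reserved_contexts` omits `'cli_installer'`, which the other push of this PR on this page includes; a missing entry here means a tool bootstrapping in that context silently honours `IPA_CONFDIR`, which is the failure mode PR#143's discussion of `ipa-client-install` warns about (a hard-coded `/etc/ipa` half next to an API half using the override). That is the maintenance hazard of a deny-list: an allow-list of `{'cli'}` would not need the entry at all.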
@@ -461,7 +466,18 @@ def _bootstrap(self, **overrides):
 
 # Set confdir:
 if 'confdir' not in self:
-if self.in_tree:
+ipa_confdir = os.environ.get('IPA_CONFDIR')
+if ipa_confdir is not None:
+if self.context in self._reserved_contexts:
+raise ScriptError(
+'IPA_CONFDIR env var is not allowed for context '
+'"{}".'.format(self.context))
+if not path.isabs(ipa_confdir) or not path.isdir(ipa_confdir):
+raise ScriptError(
+'IPA_CONFDIR env var must be an absolute path to an '
+'existing directory.')
+self.confdir = ipa_confdir
+elif self.in_tree:
 self.confdir = self.dot_ipa
 else:
 self.confdir = path.join('/', 'etc', 'ipa')

[Freeipa-devel] [freeipa PR#219][+ack] Refactor installer code requesting certificates

2016-11-10 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/219
Title: #219: Refactor installer code requesting certificates

Label: +ack

[Freeipa-devel] [freeipa PR#229][comment] Remove the renewal lock file upon uninstall

2016-11-10 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/229
Title: #229: Remove the renewal lock file upon uninstall

jcholast commented:
"""
The file is owned by the server, not the client, so it should be deleted in 
`ipa-server-install --uninstall`, not in `ipa-client-install --uninstall`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/229#issuecomment-259683231

[Freeipa-devel] [freeipa PR#172][+rejected] fix pki-tomcat error after uninstall

2016-11-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/172
Title: #172: fix pki-tomcat error after uninstall

Label: +rejected

[Freeipa-devel] [freeipa PR#168][+rejected] Update cli.py

2016-11-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/168
Title: #168: Update cli.py

Label: +rejected

[Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir

2016-11-10 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/143
Title: #143: Issue6386 nss dir

jcholast commented:
"""
For example, if your `IPA_CONFDIR` PR was merged, setting the variable could 
break `ipa-client-install`, because the hard coded half of it assumes that the 
configuration directory is always `/etc/ipa`, but the API half would use 
something else.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/143#issuecomment-259681181

[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-10 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

jcholast commented:
"""
Sorry, but I just don't see an explanation in the comment you linked, just that 
you think it's easier to set an environment variable rather than an argument. 
Yes, it is easier, but it also makes the configuration implicit - say this PR 
was merged, now look at this:
```
$ ipa ping
```
Can you tell me which configuration directory this command will use? The fact 
is you can't, as opposed to:
```
$ ipa -e confdir=/path/to/confdir
```
where it is clear just by looking at the command. This is the part I have a 
problem with.

The links you posted only show that environment variables are used to override 
configuration in a few pieces of software, not that it is a standard like you 
say. I could as easily compile a list of software which _doesn't_ do it.

All of the examples are doable by setting `confdir` explicitly in `ipa -e` or 
`api.bootstrap()` as well. I would like to see something more concrete.

I will read your proposal once you send it to freeipa-devel for review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/182#issuecomment-259679930

[Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides

2016-11-10 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

apophys commented:
"""
Please address the inline comments.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/225#issuecomment-259679240

[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates

2016-11-10 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/219
Title: #219: Refactor installer code requesting certificates

flo-renaud commented:
"""
Thanks Fraser!
The patch for renewal lock file deletion is available at
https://github.com/freeipa/freeipa/pull/229
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/219#issuecomment-259678689

[Freeipa-devel] [freeipa PR#229][opened] Remove the renewal lock file upon uninstall

2016-11-10 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/229
Author: flo-renaud
 Title: #229: Remove the renewal lock file upon uninstall
Action: opened

PR body:
"""
Make sure that the file /var/run/ipa/renewal.lock is deleted upon
uninstallation, in order to avoid subsequent installation issues.

Part of the refactoring effort, certificates sub-effort.

https://fedorahosted.org/freeipa/ticket/6433
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/229/head:pr229
git checkout pr229
From fafddd88dfd3ffd908293c7bdba57f81d4a52db1 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 10 Nov 2016 13:14:34 +0100
Subject: [PATCH] Remove the renewal lock file upon uninstall

Make sure that the file /var/run/ipa/renewal.lock is deleted upon
uninstallation, in order to avoid subsequent installation issues.

Part of the refactoring effort, certificates sub-effort.

https://fedorahosted.org/freeipa/ticket/6433
---
 client/ipa-client-install | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index c228ea3..f0546bc 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -821,6 +821,9 @@ def uninstall(options, env):
 # Remove the CA cert
 remove_file(CACERT)
 
+# Remove the cert renewal lock file
+remove_file(paths.IPA_RENEWAL_LOCK)
+
 root_logger.info("Client uninstall complete.")
 
 # The next block of code prompts for reboot, therefore all uninstall
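Review bot: the new `remove_file(paths.IPA_RENEWAL_LOCK)` call sits in the client's `uninstall()` in client/ipa-client-install, but the comment on this PR above says the renewal lock file is owned by the server and should be removed by `ipa-server-install --uninstall`, not by the client uninstall; on a client-only host the file never exists, so this hunk is a no-op there while the server uninstall path still leaves the lock behind. Move the call to the server uninstaller, and confirm that `remove_file` tolerates a missing file and that `paths` is already imported in this script, since the hunk adds no import.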

[Freeipa-devel] [freeipa PR#205][closed] Support DAL version 5 and version 6

2016-11-10 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/205
Author: simo5
 Title: #205: Support DAL version 5 and version 6
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/205/head:pr205
git checkout pr205

[Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6

2016-11-10 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/205
Title: #205: Support DAL version 5 and version 6

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/2775042787be4ea236c0b99dd75337414e24b89d
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/205#issuecomment-259677514

[Freeipa-devel] [freeipa PR#205][+pushed] Support DAL version 5 and version 6

2016-11-10 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/205
Title: #205: Support DAL version 5 and version 6

Label: +pushed

[Freeipa-devel] [freeipa PR#168][closed] Update cli.py

2016-11-10 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/168
Author: Garont
 Title: #168: Update cli.py
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/168/head:pr168
git checkout pr168

[Freeipa-devel] [freeipa PR#168][comment] Update cli.py

2016-11-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/168
Title: #168: Update cli.py

tomaskrizek commented:
"""
I was not able to find the issue and reproduce the error. Both unicode and 
ascii strings seem to be printed correctly.

Closing for missing issue/reproducer.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/168#issuecomment-259676938

[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates

2016-11-10 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/219
Title: #219: Refactor installer code requesting certificates

frasertweedale commented:
"""
Well I couldn't wait 'til tomorrow so I checked just then.  I could not 
reproduce the issue :)


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/219#issuecomment-259675725

[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates

2016-11-10 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/219
Title: #219: Refactor installer code requesting certificates

frasertweedale commented:
"""
@jcholast sure, especially if it is related to renewal locks or some other 
tangential matter.

( @flo-renaud I have not yet confirmed the cause; will get to it tomorrow )
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/219#issuecomment-259673472

[Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir

2016-11-10 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/143
Title: #143: Issue6386 nss dir

tiran commented:
"""
I don't understand your comment.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/143#issuecomment-259672798

[Freeipa-devel] [freeipa PR#227][synchronized] cert-request: match names against principal aliases

2016-11-10 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/227
Author: frasertweedale
 Title: #227: cert-request: match names against principal aliases
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/227/head:pr227
git checkout pr227
From 8fb85f2fa0982f8557893fe3159d6780082b2d5f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Wed, 26 Oct 2016 09:48:19 +1000
Subject: [PATCH] cert-request: match names against principal aliases

Currently we do not check Kerberos principal aliases when validating
a CSR.  Enhance cert-request to accept the following scenarios:

- for hosts and services: CN and SAN dnsNames match a principal
  alias (realm and service name must be same as nominated principal)

- for all principal types: UPN or KRB5PrincipalName othername match
  any principal alias.

Fixes: https://fedorahosted.org/freeipa/ticket/6295
---
 ipaserver/plugins/cert.py  | 125 -
 .../test_xmlrpc/test_caacl_profile_enforcement.py  |  86 --
 2 files changed, 171 insertions(+), 40 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 4362d82..d3be89a 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -649,11 +649,13 @@ def execute(self, csr, all=False, raw=False, **kw):
 cn = cns[-1].value  # "most specific" is end of list
 
 if principal_type in (SERVICE, HOST):
-if cn.lower() != principal.hostname.lower():
-raise errors.ACIError(
-info=_("hostname in subject of request '%(cn)s' "
-"does not match principal hostname '%(hostname)s'")
-% dict(cn=cn, hostname=principal.hostname))
+if not _dns_name_matches_principal(cn, principal, principal_obj):
+raise errors.ValidationError(
+name='csr',
+error=_(
+"hostname in subject of request '%(cn)s' does not "
+"match name or aliases of principal '%(principal)s'"
+) % dict(cn=cn, principal=principal))
 elif principal_type == USER:
 # check user name
 if cn != principal.username:
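Review bot: the error raised on a CN mismatch changes from `errors.ACIError` to `errors.ValidationError(name='csr', ...)`; that is a visible API change (a different error class and error code for clients and tests that matched on ACIError) and should be called out in the commit message and covered by the test updates. The check now also depends on `_dns_name_matches_principal(cn, principal, principal_obj)`, whose definition is not in this hunk; make sure it compares hostnames case-insensitively, as the removed `cn.lower() != principal.hostname.lower()` did, and that it enforces the "realm and service name must be the same as the nominated principal" constraint on aliases that the commit message states.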
@@ -686,26 +688,32 @@ def execute(self, csr, all=False, raw=False, **kw):
 generalnames = x509.process_othernames(ext_san.value)
 for gn in generalnames:
 if isinstance(gn, cryptography.x509.general_name.DNSName):
+if principal.is_user:
+raise errors.ValidationError(
+name='csr',
+error=_(
+"subject alt name type %s is forbidden "
+"for user principals") % "DNSName"
+)
+
 name = gn.value
-alt_principal = None
+
+if _dns_name_matches_principal(name, principal, principal_obj):
+continue  # nothing more to check for this alt name
+
+# no match yet; check for an alternative principal with
+# same realm and service type as subject principal.
+components = list(principal.components)
+components[-1] = name
+alt_principal = kerberos.Principal(components, principal.realm)
 alt_principal_obj = None
 try:
 if principal_type == HOST:
-alt_principal = kerberos.Principal(
-(u'host', name), principal.realm)
-alt_principal_obj = api.Command['host_show'](name, all=True)
+alt_principal_obj = api.Command['host_show'](
+name, all=True)
 elif principal_type == SERVICE:
-alt_principal = kerberos.Principal(
-(principal.service_name, name), principal.realm)
 alt_principal_obj = api.Command['service_show'](
 alt_principal, all=True)
-elif principal_type == USER:
-raise errors.ValidationError(
-name='csr',
-error=_(
-"subject alt name type %s is forbidden "
-"for user principals") % "DNSName"
-)
 except errors.NotFound:
 # We don't want to issue any certificates referencing
 # machines we don't know about. Nothing is stored in this
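Review bot: the early `continue` after `_dns_name_matches_principal(name, principal, principal_obj)` skips the rest of the loop body for a dNSName that matches the subject principal or one of its aliases, so whatever follows the `except errors.NotFound` block (the lookup and use of `alt_principal_obj`) no longer runs for those names; confirm that is intended and that no authorization check on `alt_principal_obj` was meant to apply to them. Building the alternative principal with `components[-1] = name` assumes the hostname is always the last component; for HOST the lookup still uses `name` rather than `alt_principal`, which matches the removed code but deserves a comment. The user-principal check moved from `principal_type == USER` to `principal.is_user`; keep the two notions consistent or use one of them throughout.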
@@ -713,18 +721,23 @@ def execute(self, csr, all=False, raw=False, **kw):
 raise errors.NotFound(reason=_('The service principal for '
 'subject alt name %s in certificate request does not '
 'exis

[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-10 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

tiran commented:
"""
Let me google that for you:

* https://specifications.freedesktop.org/basedir-spec/latest/ar01s03.html
* https://web.mit.edu/kerberos/krb5-1.14/doc/admin/env_variables.html
* https://docs.python.org/2/using/cmdline.html#environment-variables
* https://pip.pypa.io/en/stable/user_guide/#environment-variables

https://en.wikipedia.org/wiki/Environment_variable defines env vars as
>  Environment variables are a set of dynamic named values that can affect the 
> way running processes will behave on a computer.

Examples
* local installation in a virtual environment
* unified experience for non-root configuration
* user shell session with custom KRB5 and IPA settings
* Ansible playbook modules
* application in a root-less container that cannot write to /etc (OpenShift)
* unit and integration tests with custom config file location

You can find more detailed examples in my integration document.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/182#issuecomment-259671810

[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file

2016-11-10 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
 Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177
From 759b7a6dd15f9f9f08220175614ae9f8030de54c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 16 Aug 2016 13:16:58 +1000
Subject: [PATCH 1/2] Add function for extracting PEM certs from PKCS #7

Add a single function for extracting X.509 certs in PEM format from
a PKCS #7 object.  Refactor sites that execute ``openssl pkcs7`` to
use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178
---
 ipalib/x509.py  | 22 -
 ipapython/certdb.py |  9 ++-
 ipaserver/install/cainstance.py | 52 +++--
 3 files changed, 42 insertions(+), 41 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c3867..75eedff 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -49,6 +49,7 @@
 from ipalib import util
 from ipalib import errors
 from ipapython.dn import DN
+from ipapython import ipautil
 
 if six.PY3:
 unicode = str
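Review bot: the hunk adds `from ipapython import ipautil` for the new helper, but that helper also references `paths.OPENSSL` and this hunk adds no import for `paths`; confirm that `from ipaplatform.paths import paths` is already present in ipalib/x509.py.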
@@ -56,7 +57,9 @@
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL)
+PEM_REGEX = re.compile(
+r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-',
+re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
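Review bot: the new `PEM_REGEX`, `r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-'`, matches only one dash on either side of each marker word, so `findall` returns strings that begin with `-BEGIN CERTIFICATE-----` and end with `-----END CERTIFICATE-`, i.e. four dashes are missing at each end; those are not valid PEM and a strict parser will reject them when the result is written out or handed to another tool. Use the full markers, `r'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----'`. Note also that the old lookbehind/lookahead form returned only the base64 body between the markers; any other caller of `PEM_REGEX` in this module that relied on that now receives the markers as well, so check them.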
@@ -145,6 +148,23 @@ def load_certificate_list_from_file(filename):
 return load_certificate_list(f.read())
 
 
+def pkcs7_to_pems(data, datatype=PEM):
+"""
+Extract certificates from a PKCS #7 object.
+
+Return a ``list`` of X.509 PEM strings.
+
+May throw ``ipautil.CalledProcessError`` on invalid data.
+
+"""
+cmd = [
+paths.OPENSSL, "pkcs7", "-print_certs",
+"-inform", "PEM" if datatype == PEM else "DER",
+]
+result = ipautil.run(cmd, stdin=data, capture_output=True)
+return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
 cert = load_certificate(certificate, datatype)
 return cert.issuer == cert.subject
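Review bot: `datatype` is treated as DER for any value other than `PEM` (`"PEM" if datatype == PEM else "DER"`), so a wrong constant silently selects DER; raise `ValueError` for anything other than `PEM` or `DER`. The docstring should also state that a PKCS #7 object containing no certificates yields an empty list rather than an error, because callers such as `certdb.import_files` need to handle that case explicitly.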
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index c2fe599..a3c8e95 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -272,13 +272,8 @@ def import_files(self, files, db_password_filename, import_keys=False,
 continue
 
 if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'):
-args = [
-paths.OPENSSL, 'pkcs7',
-'-print_certs',
-]
 try:
-result = ipautil.run(
-args, stdin=body, capture_output=True)
+certs = x509.pkcs7_to_pems(body)
 except ipautil.CalledProcessError as e:
 if label == 'CERTIFICATE':
 root_logger.warning(
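Review bot: `x509.pkcs7_to_pems(body)` is called here but this hunk adds no import of `x509` into ipapython/certdb.py; confirm `from ipalib import x509` is present. Note that this makes ipapython depend on ipalib, while ipalib/x509.py in this same patch imports `ipapython.ipautil` and `ipapython.dn`; check that the two modules do not form a circular import at load time.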
@@ -290,7 +285,7 @@ def import_files(self, files, db_password_filename, import_keys=False,
 filename, line, e)
 continue
 else:
-extracted_certs += result.output + '\n'
+extracted_certs += '\n'.join(certs) + '\n'
 loaded = True
 continue
 
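Review bot: `loaded = True` is set even when `certs` is an empty list, so a PKCS #7 blob (or a 'CERTIFICATE' block) from which openssl extracted nothing is treated as successfully loaded and only a bare newline is appended to `extracted_certs`; treat an empty result like the `CalledProcessError` branch does (warn and `continue` without setting `loaded`).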
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 7b26e74..6adeb8d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -847,44 +847,30 @@ def __import_ca_chain(self):
 # makes openssl throw up.
 data = base64.b64decode(chain)
 
-result = ipautil.run(
-[paths.OPENSSL,
- "pkcs7",
- "-inform",
- "DER",
- "-print_certs",
- ], stdin=data, capture_output=True)
-certlist = result.output
+certlist = x509.pkcs7_to_pems(data, x509.DER)
 
 # Ok, now we have all the certificates in certs, walk through it
 # and pull out each certificate and add it to our database
 
-st = 1
-en = 0
-subid = 0
 ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
-while st > 0:
-st = certlist.find('-BEGIN', en)
-en = certlist.find('-END', en+1)
-if st > 0:
-try:
-(chain_fd, chain_name) = tempfile.mkstemp()
-os.write(chain_fd, certlist[st:en+25])
-os.close(chain_fd)
-(_rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
-if subject_dn == ca_dn:
-  

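The helper described in the commit message splits what `openssl pkcs7 -print_certs` prints into PEM blocks with a regular expression. As an added example (not FreeIPA's code), the function below does that on a constructed sample of such output, with placeholder base64 bodies, and shows why the marker text must be matched with all five dashes: a pattern matching only `-BEGIN CERTIFICATE-` returns blocks that are missing four dashes at each end, which `is_complete_pem` rejects. Running openssl itself is left out so the example runs offline.

```python
"""Split `openssl pkcs7 -print_certs` output into PEM certificate blocks.

Added example, not FreeIPA's own code.  SAMPLE_PRINT_CERTS_OUTPUT is
constructed: the certificate bodies are placeholder base64, not real certs.
"""
import re

# Full markers: every string returned is a complete PEM block.
PEM_CERT_RE = re.compile(
    r'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----',
    re.DOTALL)

# The same idea with only one dash on either side of the marker word; kept
# here to demonstrate what such a pattern actually captures.
PEM_CERT_RE_SHORT = re.compile(
    r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-', re.DOTALL)

# Constructed sample: openssl prints subject=/issuer= lines before each
# certificate and a blank line after it.
SAMPLE_PRINT_CERTS_OUTPUT = """\
subject=/O=EXAMPLE.TEST/CN=Certificate Authority
issuer=/O=EXAMPLE.TEST/CN=Certificate Authority
-----BEGIN CERTIFICATE-----
MIIBsampleRootCertificateBodyPlaceholder0001
AAAAsampleRootCertificateBodyPlaceholder0002
-----END CERTIFICATE-----

subject=/O=EXAMPLE.TEST/CN=Lightweight CA
issuer=/O=EXAMPLE.TEST/CN=Certificate Authority
-----BEGIN CERTIFICATE-----
MIIBsampleSubCertificateBodyPlaceholder00001
-----END CERTIFICATE-----

"""


def pems_from_print_certs_output(text, pattern=PEM_CERT_RE):
    """Return the list of PEM certificate blocks found in ``text``.

    The subject=/issuer= header lines openssl emits are dropped because
    they fall outside every match.
    """
    return pattern.findall(text)


def is_complete_pem(block):
    """True if ``block`` starts and ends with the full PEM marker lines."""
    lines = block.strip().splitlines()
    return (len(lines) >= 3
            and lines[0] == '-----BEGIN CERTIFICATE-----'
            and lines[-1] == '-----END CERTIFICATE-----')


def pem_body(block):
    """Return the base64 body of a PEM block joined onto one line."""
    lines = block.strip().splitlines()
    return ''.join(line.strip() for line in lines[1:-1])


if __name__ == '__main__':
    full = pems_from_print_certs_output(SAMPLE_PRINT_CERTS_OUTPUT)
    short = pems_from_print_certs_output(SAMPLE_PRINT_CERTS_OUTPUT,
                                         PEM_CERT_RE_SHORT)
    print(len(full), 'certificates found')
    print('full markers give complete PEM:',
          all(is_complete_pem(b) for b in full))
    print('short markers give complete PEM:',
          all(is_complete_pem(b) for b in short))
    print('first short match starts with:', repr(short[0][:24]))
```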
[Freeipa-devel] [freeipa PR#228][opened] cert-request: allow directoryName in SAN extension

2016-11-10 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/228
Author: frasertweedale
 Title: #228: cert-request: allow directoryName in SAN extension
Action: opened

PR body:
"""
Allow directoryName in SAN extension if the value matches the
subject principal's DN in the IPA directory.

Fixes: https://fedorahosted.org/freeipa/ticket/6112

---

A bit of commentary about this feature: it was just a drive-by case
of "hey I could implement this in a way that I think makes sense".
No one actually asked for it (yet).

Also, there is not agreement that using directoryName to carry the
DN of the subject is valid.  On my part, I think it is obviously
valid, but see the original review thread for discussion:
https://www.redhat.com/archives/freeipa-devel/2016-August/msg00714.html

I had to rebase this commit and resolve conflicts, so now it is a PR
and it can age in oak on GitHub instead of the mailing list :)
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/228/head:pr228
git checkout pr228
From c8fbd658f3341fc54af2b26e5ee844e5bcfc3784 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Thu, 14 Jul 2016 21:36:33 +1000
Subject: [PATCH] cert-request: allow directoryName in SAN extension

Allow directoryName in SAN extension if the value matches the
subject principal's DN in the IPA directory.

Fixes: https://fedorahosted.org/freeipa/ticket/6112
---
 ipaserver/plugins/cert.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 4362d82..024d541 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -427,6 +427,7 @@ def _add_san_attribute(self, obj, full, gn):
 }
 default_attrs = {
 'san_rfc822name', 'san_dnsname', 'san_other_upn', 'san_other_kpn',
+'san_directoryname',
 }
 
 if type(gn) not in name_type_map:
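Review bot: 'san_directoryname' is added to `default_attrs`, but the hunk leaves `name_type_map` (closed by the `}` just above) untouched, and the `if type(gn) not in name_type_map:` guard at the end of the hunk will skip DirectoryName unless `cryptography.x509.general_name.DirectoryName` is already mapped there to 'san_directoryname'. Confirm the mapping exists, or add it in this hunk so the attribute is actually populated.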
@@ -743,6 +744,12 @@ def execute(self, csr, all=False, raw=False, **kw):
 "subject alt name type %s is forbidden "
 "for non-user principals") % "RFC822Name"
 )
+elif isinstance(gn, cryptography.x509.general_name.DirectoryName):
+if DN(gn.value) != principal_obj['dn']:
+raise errors.ValidationError(
+name='csr',
+error=_("Directory Name does not match principal's DN")
+)
 else:
 raise errors.ACIError(
 info=_("Subject alt name type %s is forbidden")
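Review bot: `DN(gn.value)` requires `DN()` to accept the type that `gn.value` carries here; for cryptography's DirectoryName that is an `x509.Name` object rather than a string, so confirm `ipapython.dn.DN` can be constructed from it (or convert it to a string DN first), otherwise every CSR carrying a directoryName fails with a type error instead of the intended ValidationError. Also confirm `principal_obj['dn']` is present in the objects returned by the `*_show` commands used to fetch the principal, and consider including the offending DN in the error text, as the neighbouring messages include the rejected name type.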

[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates

2016-11-10 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/219
Title: #219: Refactor installer code requesting certificates

jcholast commented:
"""
Can we fix this in a separate PR to unblock the merge of this one?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/219#issuecomment-259671468

[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-10 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

jcholast commented:
"""
Care to point me to some actual standard which recommends this? Using explicit 
configuration via library initialization arguments is no NIH, everyone else 
does it as well and it is a solution we already have in place.

Still zero examples to support your claim that environment variable is a must.

EDIT: There is no link to your proposal here nor is there a thread on 
freeipa-devel. I would be glad to read it but please follow our process for new 
feature designs.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/182#issuecomment-259670126

[Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir

2016-11-10 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/143
Title: #143: Issue6386 nss dir

jcholast commented:
"""
Sure, just please keep this in mind for your other changes.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/143#issuecomment-259670294

[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-10 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

jcholast commented:
"""
Care to point me to some actual standard which recommends this? Using explicit 
configuration via library initialization arguments is no NIH, everyone else 
does it as well and it is a solution we already have in place.

Still zero examples to support your claim that environment variable is a must.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/182#issuecomment-259670126

[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-10 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

tiran commented:
"""
"Everyone else does it" is a very good argument. Standards and common practices 
provide a good user and developer experience. I detest _Not Invented Here_ 
solutions.

By the way did you read my integration improvement proposal? I haven't released 
it yet because it's not finished.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/182#issuecomment-259668716

[Freeipa-devel] [freeipa PR#173][+ack] Ensure correct IPA CA nickname in DS and HTTP NSSDBs

2016-11-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/173
Title: #173: Ensure correct IPA CA nickname in DS and HTTP NSSDBs

Label: +ack

[Freeipa-devel] [freeipa PR#173][comment] Ensure correct IPA CA nickname in DS and HTTP NSSDBs

2016-11-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/173
Title: #173: Ensure correct IPA CA nickname in DS and HTTP NSSDBs

tomaskrizek commented:
"""
Works as expected.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/173#issuecomment-259669927

[Freeipa-devel] [freeipa PR#220][comment] Build: fix make clean to remove build artifacts from top-level directory

2016-11-10 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/220
Title: #220: Build: fix make clean to remove build artifacts from top-level directory

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d20f6a5ef2467e780026f1040f5a11a7a77594ca
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/220#issuecomment-259669055

[Freeipa-devel] [freeipa PR#220][closed] Build: fix make clean to remove build artifacts from top-level directory

2016-11-10 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/220
Author: pspacek
 Title: #220: Build: fix make clean to remove build artifacts from top-level directory
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/220/head:pr220
git checkout pr220

[Freeipa-devel] [freeipa PR#220][+pushed] Build: fix make clean to remove build artifacts from top-level directory

2016-11-10 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/220
Title: #220: Build: fix make clean to remove build artifacts from top-level directory

Label: +pushed

[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-10 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

tiran commented:
"""
"Everyone else does it" is a very good argument. Standards and common practices 
provide a good user and developer experience. I detest _Not Invented Here_ 
solutions.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/182#issuecomment-259668716

[Freeipa-devel] [freeipa PR#227][opened] cert-request: match names against principal aliases

2016-11-10 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/227
Author: frasertweedale
 Title: #227: cert-request: match names against principal aliases
Action: opened

PR body:
"""
Currently we do not check Kerberos principal aliases when validating
a CSR.  Enhance cert-request to accept the following scenarios:

- for hosts and services: CN and SAN dnsNames match a principal
  alias (realm and service name must be same as nominated principal)

- for all principal types: UPN or KRB5PrincipalName othername match
  any principal alias.

Fixes: https://fedorahosted.org/freeipa/ticket/6295
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/227/head:pr227
git checkout pr227
From 91bfbeb6bfeb8568689f330d6640fcda0a949ed1 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Wed, 26 Oct 2016 09:48:19 +1000
Subject: [PATCH] cert-request: match names against principal aliases

Currently we do not check Kerberos principal aliases when validating
a CSR.  Enhance cert-request to accept the following scenarios:

- for hosts and services: CN and SAN dnsNames match a principal
  alias (realm and service name must be same as nominated principal)

- for all principal types: UPN or KRB5PrincipalName othername match
  any principal alias.

Fixes: https://fedorahosted.org/freeipa/ticket/6295
---
 ipaserver/plugins/cert.py  | 124 -
 .../test_xmlrpc/test_caacl_profile_enforcement.py  |  86 --
 2 files changed, 170 insertions(+), 40 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 4362d82..95536ca 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -649,11 +649,12 @@ def execute(self, csr, all=False, raw=False, **kw):
 cn = cns[-1].value  # "most specific" is end of list
 
 if principal_type in (SERVICE, HOST):
-if cn.lower() != principal.hostname.lower():
-raise errors.ACIError(
-info=_("hostname in subject of request '%(cn)s' "
-"does not match principal hostname '%(hostname)s'")
-% dict(cn=cn, hostname=principal.hostname))
+if not _dns_name_matches_principal(cn, principal, principal_obj):
+raise errors.ValidationError(
+name='csr',
+error=_("hostname in subject of request '%(cn)s' does not "
+"match name or aliases of principal '%(principal)s'")
+% dict(cn=cn, principal=principal))
 elif principal_type == USER:
 # check user name
 if cn != principal.username:
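Review bot: the exception raised on a CN mismatch changes from errors.ACIError to errors.ValidationError in this hunk, and the new message names the principal instead of the expected hostname; any client or test that matched on ACIError (or on the old "does not match principal hostname" text) needs updating, and the commit message should call out the error-type change as user-visible. The helper `_dns_name_matches_principal(cn, principal, principal_obj)` is introduced here but its definition is not in the visible hunks; a docstring stating that it compares the CN against the principal's own hostname and against aliases with the same realm and service type (the rule from the PR body) would let a reader verify the new check without opening the helper.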
@@ -686,26 +687,32 @@ def execute(self, csr, all=False, raw=False, **kw):
 generalnames = x509.process_othernames(ext_san.value)
 for gn in generalnames:
 if isinstance(gn, cryptography.x509.general_name.DNSName):
+if principal.is_user:
+raise errors.ValidationError(
+name='csr',
+error=_(
+"subject alt name type %s is forbidden "
+"for user principals") % "DNSName"
+)
+
 name = gn.value
-alt_principal = None
+
+if _dns_name_matches_principal(name, principal, principal_obj):
+continue  # nothing more to check for this alt name
+
+# no match yet; check for an alternative principal with
+# same realm and service type as subject principal.
+components = list(principal.components)
+components[-1] = name
+alt_principal = kerberos.Principal(components, principal.realm)
 alt_principal_obj = None
 try:
 if principal_type == HOST:
-alt_principal = kerberos.Principal(
-(u'host', name), principal.realm)
-alt_principal_obj = api.Command['host_show'](name, all=True)
+alt_principal_obj = api.Command['host_show'](
+name, all=True)
 elif principal_type == SERVICE:
-alt_principal = kerberos.Principal(
-(principal.service_name, name), principal.realm)
 alt_principal_obj = api.Command['service_show'](
 alt_principal, all=True)
-elif principal_type == USER:
-raise errors.ValidationError(
-name='csr',
-error=_(
-"subject alt name type %s is forbidden "
-"for user principals") % "DNSName"
-)
 except errors.NotFound:
 #
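Review bot: the fallback principal is built from the raw SAN value via `components[-1] = name` without the `.lower()` normalisation the CN path in the previous hunk used to apply, so a dNSName such as `WWW.example.test` yields a different `alt_principal` for `service_show` than `www.example.test`; either lower-case `name` before constructing the principal or document that dNSNames are expected in canonical lower-case form. Moving the DNSName-for-users rejection ahead of the `try` is an improvement, since the `except errors.NotFound` branch can no longer swallow it; with USER handled up front the `if HOST / elif SERVICE` chain has no final branch, so a short comment noting that only HOST and SERVICE can reach this point would help.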

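The CN and SAN matching rules from the PR#227 description, as an added worked example written for this digest; it is not FreeIPA's code and does not reproduce the patch's `_dns_name_matches_principal` helper. The `Principal` class and the `dns_name_matches_principal`, `krb_name_matches_principal` and `validate_csr_names` functions are hypothetical names, the alias list is a constructed stand-in for the principal entry's krbPrincipalName values, and the directory lookup of an alternative principal that the real cert-request performs for unmatched SAN dNSNames is left out. It generalises the page's two rules slightly by checking every CSR name kind in one pass and returning all mismatches rather than stopping at the first.

```python
# Added example for this digest, not FreeIPA code: a stand-alone model of the
# cert-request alias-matching rules from PR#227. Principal,
# dns_name_matches_principal, krb_name_matches_principal and
# validate_csr_names are hypothetical names; the alias list stands in for the
# krbPrincipalName values of the LDAP entry.
from typing import List, NamedTuple, Tuple


class Principal(NamedTuple):
    """Minimal Kerberos principal: name components plus realm.

    ('host', 'web.example.test') @ EXAMPLE.TEST is a host principal,
    ('alice',) @ EXAMPLE.TEST is a user principal.
    """
    components: Tuple[str, ...]
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        name, realm = text.rsplit("@", 1)  # raises ValueError without a realm
        return cls(tuple(name.split("/")), realm)

    @property
    def is_user(self) -> bool:
        return len(self.components) == 1

    @property
    def service_name(self) -> str:
        return "" if self.is_user else self.components[0]

    @property
    def hostname(self) -> str:
        return "" if self.is_user else self.components[-1]


def dns_name_matches_principal(name: str, principal: Principal,
                               aliases: List[Principal]) -> bool:
    """Host/service rule: a CN or SAN dNSName must equal (case-insensitively)
    the hostname of the principal itself or of an alias that has the same
    realm and the same service name."""
    if principal.is_user:
        return False
    wanted = name.lower()
    for candidate in [principal, *aliases]:
        if candidate.is_user:
            continue
        if (candidate.realm == principal.realm
                and candidate.service_name == principal.service_name
                and candidate.hostname.lower() == wanted):
            return True
    return False


def krb_name_matches_principal(name: str, principal: Principal,
                               aliases: List[Principal]) -> bool:
    """UPN / KRB5PrincipalName rule (all principal types): the othername must
    be exactly the principal or one of its aliases, realm included."""
    try:
        parsed = Principal.parse(name)
    except ValueError:
        return False
    return parsed == principal or parsed in aliases


def validate_csr_names(cn: str, dns_names: List[str], krb_names: List[str],
                       principal: Principal, aliases: List[Principal]) -> List[str]:
    """Check every name in a CSR; an empty list means the CSR is acceptable."""
    errors = []
    if principal.is_user:
        if cn != principal.components[0]:
            errors.append("subject CN %r does not match user %r"
                          % (cn, principal.components[0]))
        if dns_names:  # same rule as the patch: no dNSName for users
            errors.append("subject alt name type DNSName is forbidden "
                          "for user principals")
    else:
        if not dns_name_matches_principal(cn, principal, aliases):
            errors.append("hostname in subject of request %r does not match "
                          "name or aliases of principal" % cn)
        for name in dns_names:
            if not dns_name_matches_principal(name, principal, aliases):
                errors.append("subject alt name %r does not match name or "
                              "aliases of principal" % name)
    for name in krb_names:
        if not krb_name_matches_principal(name, principal, aliases):
            errors.append("principal name %r in subject alt name does not "
                          "match the principal or its aliases" % name)
    return errors


if __name__ == "__main__":
    # Constructed sample data: a host principal with one alias in the same
    # realm and service, plus one accepted and one rejected CSR.
    principal = Principal.parse("host/web.example.test@EXAMPLE.TEST")
    aliases = [Principal.parse("host/www.example.test@EXAMPLE.TEST")]
    print(validate_csr_names("www.example.test", ["WEB.example.test"], [],
                             principal, aliases))   # []
    print(validate_csr_names("mail.example.test", [], [], principal, aliases))
```

Run it directly to see the constructed host principal accept a CSR whose CN is its alias and reject one naming an unrelated host; the realm and service-name conditions are what stop an `HTTP/` alias from vouching for a `host/` CSR, while the principal-name rule accepts any alias regardless of service.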
[Freeipa-devel] [freeipa PR#226][opened] Build refactoring phase 5

2016-11-10 Thread pspacek
   URL: https://github.com/freeipa/freeipa/pull/226
Author: pspacek
 Title: #226: Build refactoring phase 5
Action: opened

PR body:
"""
This PR fixes the IPA_VERSION_IS_GIT_SNAPSHOT option and vendor version passing 
from SPEC to configure. It also contains minor cleanup and an srpm target which is 
used by Coverity.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/226/head:pr226
git checkout pr226
From e701748b2eaf5f15803229d450a082a48f22560e Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 9 Nov 2016 13:34:04 +0100
Subject: [PATCH 1/8] Build: fix make clean to remove build artifacts from
 top-level directory

make lint and make dist were generating files which were not removed by
make clean.

https://fedorahosted.org/freeipa/ticket/6418
---
 Makefile.am | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index ffa5de2..031aef4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,6 +1,11 @@
 SUBDIRS = asn1 util client contrib daemons init install ipaclient ipalib ipaplatform ipapython ipaserver ipatests po
 
-MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo
+MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
+		   ignore_import_errors.pyc ignore_import_errors.pyo \
+		   ipasetup.pyc ipasetup.pyo \
+		   lite-server.pyc lite-server.pyo \
+		   pylint_plugins.pyc pylint_plugins.pyo \
+		   $(TARBALL)
 
 # user-facing scripts
 dist_bin_SCRIPTS = ipa
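Review bot: `ipasetup.pyc ipasetup.pyo` is listed twice in MOSTLYCLEANFILES (on the first line and again two lines later); drop the duplicate. Adding `$(TARBALL)` here works only because TARBALL is assigned further down in the same Makefile and make expands the recursively defined MOSTLYCLEANFILES at use time, which deserves a short comment so nobody "fixes" the ordering later.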
@@ -25,6 +30,11 @@ EXTRA_DIST = .mailmap \
 	 pylintrc \
 	 pytest.ini
 
+clean-local:
+	rm -rf "$(RPMBUILD)"
+	rm -rf "$(top_builddir)/dist"
+	rm -rf "$(top_srcdir)/__pycache__"
+
 # convenience targets for RPM build
 RPMBUILD ?= $(abs_builddir)/rpmbuild
 TARBALL = $(PACKAGE)-$(VERSION).tar.gz
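Review bot: `clean-local` runs `rm -rf "$(RPMBUILD)"`, and RPMBUILD is set with `?=` so an environment or command-line value wins; a developer who exports RPMBUILD=$HOME/rpmbuild to share it with rpmbuild(8) would have that whole directory deleted by `make clean`. Consider removing only the in-tree default (`$(abs_builddir)/rpmbuild`) or restricting the `rm -rf` to the subdirectories this build creates under `$(RPMBUILD)`.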

From 814cae9b122c96304e16cf67f90a42f0659e2174 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 9 Nov 2016 15:42:30 +0100
Subject: [PATCH 2/8] Build: remove unused and redundant code from configure.ac
 and po/Makefile.in

https://fedorahosted.org/freeipa/ticket/6418
---
 configure.ac   | 4 
 po/Makefile.in | 1 -
 2 files changed, 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index 6e82c62..5646cb0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -17,9 +17,6 @@ AC_HEADER_STDC
 
 AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
 
-AC_SUBST(VERSION)
-AC_SUBST([INSTALL_DATA], ['$(INSTALL) -m 644 -p'])
-
 dnl ---
 dnl - Check for NSPR/NSS
 dnl ---
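Review bot: dropping `AC_SUBST(VERSION)` is safe because AC_INIT already substitutes VERSION, so the commit message could say "redundant" rather than "unused" for that line; `AC_SUBST([INSTALL_DATA], ...)` was consumed by the hand-written po/Makefile.in that this same patch edits, so state in the message that no other Makefile.in or .in template in the tree still references @INSTALL_DATA@ (automake-generated Makefiles define INSTALL_DATA themselves).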
@@ -359,7 +356,6 @@ AC_ARG_WITH([vendor-suffix],
 [VENDOR_SUFFIX=${withval}],
 	[VENDOR_SUFFIX=""])
 
-dnl TODO: IPA_VENDOR_RELEASE
 AC_SUBST([API_VERSION], [IPA_API_VERSION])
 AC_SUBST([DATA_VERSION], [IPA_DATA_VERSION])
 AC_SUBST([NUM_VERSION], [IPA_NUM_VERSION])
diff --git a/po/Makefile.in b/po/Makefile.in
index b42d8fc..0ab449c 100644
--- a/po/Makefile.in
+++ b/po/Makefile.in
@@ -5,7 +5,6 @@ datadir = ${datarootdir}
 localedir = ${datarootdir}/locale
 
 INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL@ -m 644
 AWK = @AWK@
 SED = @SED@
 MKDIR_P = @MKDIR_P@
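Review bot: this hunk removes the INSTALL_DATA definition, but the visible context does not show whether any install rule further down in po/Makefile.in still uses `$(INSTALL_DATA)`; if one does, it would now expand to an empty string and the install step would fail in a confusing way. Confirm with a grep and mention the result in the commit message.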

From a5673d0ff2307b0cc289f47698bf4452d9a625f0 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 9 Nov 2016 16:15:19 +0100
Subject: [PATCH 3/8] Build: IPA_VERSION_IS_GIT_SNAPSHOT checks if source
 directory is Git repo

https://fedorahosted.org/freeipa/ticket/6418
---
 configure.ac | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/configure.ac b/configure.ac
index 5646cb0..1b672fb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -350,6 +350,17 @@ AC_MSG_RESULT([${IPAPLATFORM}])
 dnl ---
 dnl Version information from VERSION.m4 and command line
 dnl ---
+dnl Are we in source tree?
+AM_CONDITIONAL([IS_GIT_SNAPSHOT], [test "IPA_VERSION_IS_GIT_SNAPSHOT" == "yes"])
+AM_COND_IF([IS_GIT_SNAPSHOT], [
+	AC_MSG_CHECKING([if source directory is a Git reposistory])
+	if test ! -d "${srcdir}/.git"; then
+		AC_MSG_ERROR([Git reposistory is required by VERSION.m4 IPA_VERSION_IS_GIT_SNAPSHOT but not found])
+	else
+		AC_MSG_RESULT([yes])
+	fi
+])
+
 AC_ARG_WITH([vendor-suffix],
 AS_HELP_STRING([--with-vendor-suffix=STRING],
 			   [Vendor string used by package system, e.g. "-1.fc24"]),
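Review bot: `test "IPA_VERSION_IS_GIT_SNAPSHOT" == "yes"` uses `==`, which is a bash extension; configure runs under a POSIX sh where `test` only guarantees `=`, so use a single `=`. The messages also spell "reposistory" twice (AC_MSG_CHECKING and AC_MSG_ERROR); it should be "repository". Note that IPA_VERSION_IS_GIT_SNAPSHOT is an m4 macro from VERSION.m4 expanded at autoconf time, so it is likely to be expanded inside the AC_MSG_ERROR text as well, turning "VERSION.m4 IPA_VERSION_IS_GIT_SNAPSHOT" into "VERSION.m4 yes"; either m4-quote that word or rephrase the message, and add a comment pointing at VERSION.m4 so the next reader knows where the value comes from.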

From 398e1e222e89e4a82b2a52ced9548fa14fe580e7 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 9 Nov 2016 16:21:51 +0100
Subject: [PATCH 4/8] Build: use POSIX 1003.1-1988 (ustar) file format for tar
 archives

Default format used by Autotools limits length of paths to
99 characters. This is not enough for tarballs with Git snapshots.

https://fedorahosted.org/freeipa/ticket/6418
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 1b672fb..53d5dab 100644
--- a/confi

[Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir

2016-11-10 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/143
Title: #143: Issue6386 nss dir

tiran commented:
"""
The other locations are used for FreeIPA installation and therefore out of 
scope for this change.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/143#issuecomment-259667729

[Freeipa-devel] [freeipa PR#196][comment] ipatests: unresolvable nested netgroups

2016-11-10 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/196
Title: #196: ipatests: unresolvable nested netgroups

apophys commented:
"""
Ping for review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/196#issuecomment-259666959

[Freeipa-devel] [freeipa PR#180][comment] Make api.env.nss_dir relative to api.env.confdir

2016-11-10 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/180
Title: #180: Make api.env.nss_dir relative to api.env.confdir

jcholast commented:
"""
See my comment on #143.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/180#issuecomment-259663799

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-11-10 Thread Martin Basti

On 10.11.2016 10:06, Oleg Fayans wrote:

On 11/10/2016 09:43 AM, Martin Basti wrote:

ACK

On the other hand, make it a conditional one. The link in the comment
does not work. Please fix that.

--
Milan Kubik

--
Milan Kubik

After offline discussion and some clarification, the comment is
right. ACK

--
Milan Kubik

Because patches are scattered over this thread, am I right that those
versions should be pushed?

freeipa-ofayans-0047.7-Automated-clean-ruv-subcommand-tests.patch
freeipa-ofayans-0048.4-Automated-ipa-replica-manage-del-tests.patch

Precisely!

Martin^2

Pushed to:
master: dc58f8f2a17adc642ae6f32fe9c9eb05d993c9d0
ipa-4-4: ddfa173488aa903b3e028f7e6328dbb4dcc21695



[Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir

2016-11-10 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/143
Title: #143: Issue6386 nss dir

jcholast commented:
"""
OK, but you should at least make sure that where the code depends on hard-coded 
paths, the API is bootstrapped with a hard coded `confdir` as well, otherwise 
things might break.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/143#issuecomment-259663631

[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-10 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

jcholast commented:
"""
"Everyone else does it" is not really a good argument to anything. Just saying.

Also you still haven't provided a single example of where explicitly setting 
confdir can't be used and thus the environment variable must be used, and just 
keep repeating how required it is, so sorry I'm a little bit sceptical.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/182#issuecomment-259662631

[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-10 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

tiran commented:
"""
No, env vars are **the** standard way to change the behavior of a program for a 
local session. They are used all over the place: MIT KRB5 as KRB5_CONFIG, 
Python has PYTHONHOME and more, OpenSSL has SSL_CERT_FILE/DIR, Freedesktop has 
XDG_DATA_HOME, XDG_CONFIG_HOME...

I could bring up the same argument against your proposal to use a shell alias. 
Shell aliases are even worse because they work only in shells and not for 
```execve()``` calls. Env vars are common to change the environment of a 
program (hence the name) while shell aliases are a hack.

It is not only a good idea, it's required to make integration of FreeIPA's 
client libraries in 3rd party applications feasible.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/182#issuecomment-259654400

[Freeipa-devel] [freeipa PR#220][+ack] Build: fix make clean to remove build artifacts from top-level directory

2016-11-10 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/220
Title: #220: Build: fix make clean to remove build artifacts from top-level 
directory

Label: +ack

Re: [Freeipa-devel] [test][patch-0057] test for ticket N 6146 (installing rules with service principals)

2016-11-10 Thread Oleg Fayans

The patch was added to existing PR:
https://github.com/freeipa/freeipa/pull/224


On 11/08/2016 05:24 PM, Oleg Fayans wrote:

And this one.

On 11/03/2016 09:42 AM, Oleg Fayans wrote:

One more ping for review

On 10/27/2016 02:21 PM, Oleg Fayans wrote:

ping for review

On 10/25/2016 11:29 AM, Oleg Fayans wrote:

The patch was rebased to be able to apply on top of latest version of
certs in idoverrides patch. As before, it requires patches NN 0049 and
0059 to apply

On 08/10/2016 01:46 PM, Oleg Fayans wrote:

Hi Martin,

I am sorry, yes it depends on my patches 0049 and 0050.


On 08/10/2016 12:27 PM, Martin Basti wrote:

On 10.08.2016 10:38, Oleg Fayans wrote:

Hello,

I cannot apply this patch
error: ipatests/test_integration/test_certs_in_idoverrides.py: does not exist in index
It probably depends on another patch (which one?)

Please, use human readable subjects in email, I do not remember from
top of my head what #6146 is.

Martin^2

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



[Freeipa-devel] [freeipa PR#224][synchronized] Integration tests for certs in idoverrides

2016-11-10 Thread ofayans
   URL: https://github.com/freeipa/freeipa/pull/224
Author: ofayans
 Title: #224: Integration tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/224/head:pr224
git checkout pr224
From c0faf1d8263c11d110a63b912c82a74e2f04a4d8 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Tue, 6 Sep 2016 12:39:45 +0200
Subject: [PATCH 1/3] Added interface to certutil

---
 ipatests/test_integration/tasks.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index df5e408..dcf9ab8 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1207,6 +1207,13 @@ def run_server_del(host, server_to_delete, force=False,
 return host.run_command(args, raiseonerr=False)
 
 
+def run_certutil(host, args, reqdir, stdin=None, raiseonerr=True):
+new_args = [paths.CERTUTIL, "-d", reqdir]
+new_args = " ".join(new_args + args)
+return host.run_command(new_args, raiseonerr=raiseonerr,
+stdin_text=stdin)
+
+
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text
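Review bot: `run_certutil` flattens `[paths.CERTUTIL, "-d", reqdir] + args` into one string with `" ".join(...)`, so the command is parsed by a shell on the host and any argument containing spaces, quotes or shell metacharacters (for example the `-s "cn=...,dc=ad,dc=test"` subject a caller passes) is re-split or interpreted. `run_server_del` just above passes its argument list straight to `host.run_command`; do the same here (`host.run_command(new_args + args, raiseonerr=raiseonerr, stdin_text=stdin)`) and keep `args` a list, which also removes the need for callers to quote.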

From 8967612df5461669862f2609bdf69ecf7d1a0901 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Thu, 10 Nov 2016 10:32:41 +0100
Subject: [PATCH 2/3] Test: integration tests for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 ipatests/test_integration/test_idviews.py | 156 ++
 1 file changed, 156 insertions(+)
 create mode 100644 ipatests/test_integration/test_idviews.py

diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py
new file mode 100644
index 000..c35997c
--- /dev/null
+++ b/ipatests/test_integration/test_idviews.py
@@ -0,0 +1,156 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.env_config import get_global_config
+from ipaplatform.paths import paths
+config = get_global_config()
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+topology = "line"
+num_ad_domains = 1
+adview = 'Default Trust View'
+cert_re = re.compile('Certificate: (?P.*?)\\s+.*')
+adcert1 = 'MyCert1'
+adcert2 = 'MyCert2'
+adcert1_file = adcert1 + '.crt'
+adcert2_file = adcert2 + '.crt'
+
+@classmethod
+def uninstall(cls, mh):
+super(TestCertsInIDOverrides, cls).uninstall(mh)
+cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False)
+
+@classmethod
+def install(cls, mh):
+super(TestCertsInIDOverrides, cls).install(mh)
+cls.ad = config.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+
+master = cls.master
+# A setup for test_dbus_user_lookup
+master.run_command(['dnf', 'install', '-y', 'sssd-dbus'],
+   raiseonerr=False)
+# The tasks.modify_sssd_conf way did not work because
+# sssd_domain.set_option knows nothing about 'services' parameter of
+# the sssd config file. Therefore I am using sed approach
+master.run_command(
+"sed -i '/^services/ s/$/, ifp/' %s" % paths.SSSD_CONF)
+master.run_command(
+"sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF, raiseonerr=False)
+master.run_command(['systemctl', 'restart', 'sssd.service'])
+# End of setup for test_dbus_user_lookup
+
+# AD-related stuff
+tasks.install_adtrust(master)
+tasks.sync_time(master, cls.ad)
+tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
+  extra_args=['--range-type',
+  'ipa-ad-trust'])
+
+cls.reqdir = os.path.join(master.config.test_dir, "certs")
+cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
+cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
+cls.pwname = os.path.join(cls.reqdir, "pwd")
+
+# Create a NSS database folder
+master.run_command(['mkdir', cls.reqdir], raiseonerr=False)
+# Create an empty password file
+master.run_command(["touch", cls.pwname], raiseonerr=False)
+
+# Initialize NSS database
+tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir)
+# Now generate self-signed certs for a windows user
+stdin_text = string.digits+string.letters[2:] + '\n'
+tasks.run_certutil(master, ['-S', '-s',
+"cn=%s,dc=ad,dc=test" % cls.adcert1, '-n',
+   
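Review bot: `string.letters` is Python 2 only (Python 3 has `string.ascii_letters`), so this test module will fail to run on a Python 3 test runner. The SSSD tweaks are also fragile: `sed -i 's/= 7/= 0xFFF0/'` rewrites every `= 7` in sssd.conf rather than just the debug level, and `sed -i '/^services/ s/$/, ifp/'` appends `ifp` even when it is already present; matching on the exact option names and running those commands with raiseonerr=True would make the setup deterministic and make a failed edit visible. Separately, `cert_re` as shown reads `(?P.*?)`, which has no group name and is rejected by re.compile; if the name was lost in transit ignore this, otherwise give the group its name.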

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-11-10 Thread Oleg Fayans

All the patches from this thread were converted into github pull requests:
[1]: https://github.com/freeipa/freeipa/pull/224
[2]: https://github.com/freeipa/freeipa/pull/225

On 11/09/2016 04:43 PM, Milan Kubík wrote:

On 10/25/2016 10:24 AM, Oleg Fayans wrote:

Integration part of the tests is ready. 2 tests:

1. Adds a cert to idoverride of a windows user
2. sssd part - looks up user by his certificate using dbus-sssd

The second and third dbus calls are executed as a string instead of as an array
of strings because it just does not work otherwise. Some quote
escaping gets screwed probably, but the system returns "Error
org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the
command is executed using the standard array-based approach

The run looks like this:

bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'
 test session starts

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 2 items

test_integration/test_idviews.py ..

 2 passed in 948.44 seconds
=


On 10/21/2016 10:54 AM, Oleg Fayans wrote:

Added one more test, resolved the pep8 issues

On 10/19/2016 12:32 PM, Oleg Fayans wrote:

Hi Martin,

As you suggested, I've extended the
test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for
certs
in idoverrides.
The integration part still needs some polishing in the part related to
user lookup by cert

On 10/14/2016 03:57 PM, Martin Babinsky wrote:

On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one
containing test for basic idoverrides functionality without
AD-integration, and the second one - with AD-integration and an sssd
check, correct?
I guess, the
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch
might be a good candidate for the first one, I only have to change the
filename to test_idviews.py, right?



Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add
cert/remove cert operations?

Even better, you can extend
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
same set of tests on idoverrideuser objects.

Or am I missing something?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what Sumit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current
tests I posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users, so using
some other view and then assign certificate for a ID override in that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate. This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate.

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are 

[Freeipa-devel] [freeipa PR#225][opened] tests: Added basic tests for certs in idoverrides

2016-11-10 Thread ofayans
   URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
 Title: #225: tests: Added basic tests for certs in idoverrides
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6412
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225
From 5ee3edd752f347e873e51c01ef853fb1c5e3ffd9 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Fri, 21 Oct 2016 10:53:19 +0200
Subject: [PATCH] tests: Added basic tests for certs in idoverrides

https://fedorahosted.org/freeipa/ticket/6412
---
 ipatests/test_xmlrpc/test_add_remove_cert_cmd.py | 91 
 1 file changed, 91 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
index edc97f0..cc19032 100644
--- a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
+++ b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
@@ -352,3 +352,94 @@ def delete_entity(cls):
 api.Command.host_del(TestCertManipCmdHost.entity_pkey)
 except errors.NotFound:
 pass
+
+
+@pytest.mark.tier1
+class TestCertManipIdOverride(XMLRPC_test):
+idview = u'testview'
+testuser = u'testuser'
+entity_subject = testuser
+entity_principal = testuser
+
+cert_add_cmd = api.Command.idoverrideuser_add_cert
+cert_del_cmd = api.Command.idoverrideuser_remove_cert
+
+def del_cert_from_idoverride(self, username, view_name, cert):
+result = self.cert_del_cmd(view_name,
+   username,
+   "--certificate=%s" % cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def add_cert_to_idoverride(self, username, view_name, cert):
+result = self.cert_add_cmd(view_name,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+@classmethod
+def teardown_class(cls):
+api.Command.user_del(cls.testuser)
+api.Command.idview_del(cls.idview)
+super(TestCertManipIdOverride, cls).teardown_class()
+
+@classmethod
+def setup_class(cls):
+# Create an idview
+api.Command.idview_add(cls.idview)
+# Create a user
+api.Command.user_add(cls.testuser, givenname=u'Bob', sn=u'Dylan')
+# Add the user to the idview
+api.Command.idoverrideuser_add(cls.idview, cls.testuser)
+# Create certificates
+cls.certs = [
+get_testcert(DN(('CN', cls.entity_subject)), cls.entity_principal)
+for _i in range(2)
+]
+cls.cert1 = cls.certs[0]
+cls.cert2 = cls.certs[1]
+
+super(TestCertManipIdOverride, cls).setup_class()
+
+def test_00_add_cert_to_idoverride(self):
+assert_deepequal(
+dict(usercertificate=(base64.b64decode(self.cert1),),
+ summary="Added certificates to"
+ " idoverrideuser \"%s\"" % self.testuser,
+ value=self.testuser,
+ ),
+self.add_cert_to_idoverride(self.testuser,
+self.idview,
+self.cert1)
+)
+
+def test_01_add_second_cert_to_idoverride(self):
+assert_deepequal(
+dict(
+usercertificate=(base64.b64decode(self.cert1),
+ base64.b64decode(self.cert2)),
+summary="Added certificates to"
+" idoverrideuser \"%s\"" % self.testuser,
+value=self.testuser,
+),
+self.add_cert_to_idoverride(self.testuser, self.idview, self.cert2)
+)
+
+def test_02_add_the_same_cert_to_idoverride(self):
+raises(errors.ExecutionError,
+   self.add_cert_to_idoverride,
+   self.testuser, self.idview, self.cert1)
+
+def test_04_user_show_displays_cert(self):
+result = api.Command.idoverrideuser_show(self.idview, self.testuser)
+assert_deepequal((base64.b64decode(self.cert1),
+  base64.b64decode(self.cert2)),
+ result['result']['usercertificate']
+ )
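Review bot: `del_cert_from_idoverride` passes the CLI-style string `"--certificate=%s" % cert` as a third positional argument to `api.Command.idoverrideuser_remove_cert`, whereas `add_cert_to_idoverride` correctly uses the `usercertificate=cert` keyword; the API layer does not parse `--option=value` strings, so the helper should take `usercertificate=cert` too. None of the visible tests call it (there is no remove test, and the numbering jumps from test_02 to test_04), so add a `test_03_remove_cert_from_idoverride` that exercises the helper and checks the remaining certificate; it would also have caught the argument mismatch.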

[Freeipa-devel] [freeipa PR#224][opened] Integration tests for certs in idoverrides

2016-11-10 Thread ofayans
   URL: https://github.com/freeipa/freeipa/pull/224
Author: ofayans
 Title: #224: Integration tests for certs in idoverrides
Action: opened

PR body:
"""
Original mailing list thread:

https://www.redhat.com/archives/freeipa-devel/2016-September/msg00134.html
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/224/head:pr224
git checkout pr224
From c0faf1d8263c11d110a63b912c82a74e2f04a4d8 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Tue, 6 Sep 2016 12:39:45 +0200
Subject: [PATCH 1/2] Added interface to certutil

---
 ipatests/test_integration/tasks.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index df5e408..dcf9ab8 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1207,6 +1207,13 @@ def run_server_del(host, server_to_delete, force=False,
 return host.run_command(args, raiseonerr=False)
 
 
+def run_certutil(host, args, reqdir, stdin=None, raiseonerr=True):
+new_args = [paths.CERTUTIL, "-d", reqdir]
+new_args = " ".join(new_args + args)
+return host.run_command(new_args, raiseonerr=raiseonerr,
+stdin_text=stdin)
+
+
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text

From 8967612df5461669862f2609bdf69ecf7d1a0901 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Thu, 10 Nov 2016 10:32:41 +0100
Subject: [PATCH 2/2] Test: integration tests for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 ipatests/test_integration/test_idviews.py | 156 ++
 1 file changed, 156 insertions(+)
 create mode 100644 ipatests/test_integration/test_idviews.py

diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py
new file mode 100644
index 000..c35997c
--- /dev/null
+++ b/ipatests/test_integration/test_idviews.py
@@ -0,0 +1,156 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.env_config import get_global_config
+from ipaplatform.paths import paths
+config = get_global_config()
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+topology = "line"
+num_ad_domains = 1
+adview = 'Default Trust View'
+cert_re = re.compile('Certificate: (?P.*?)\\s+.*')
+adcert1 = 'MyCert1'
+adcert2 = 'MyCert2'
+adcert1_file = adcert1 + '.crt'
+adcert2_file = adcert2 + '.crt'
+
+@classmethod
+def uninstall(cls, mh):
+super(TestCertsInIDOverrides, cls).uninstall(mh)
+cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False)
+
+@classmethod
+def install(cls, mh):
+super(TestCertsInIDOverrides, cls).install(mh)
+cls.ad = config.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+
+master = cls.master
+# A setup for test_dbus_user_lookup
+master.run_command(['dnf', 'install', '-y', 'sssd-dbus'],
+   raiseonerr=False)
+# The tasks.modify_sssd_conf way did not work because
+# sssd_domain.set_option knows nothing about 'services' parameter of
+# the sssd config file. Therefore I am using sed approach
+master.run_command(
+"sed -i '/^services/ s/$/, ifp/' %s" % paths.SSSD_CONF)
+master.run_command(
+"sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF, raiseonerr=False)
+master.run_command(['systemctl', 'restart', 'sssd.service'])
+# End of setup for test_dbus_user_lookup
+
+# AD-related stuff
+tasks.install_adtrust(master)
+tasks.sync_time(master, cls.ad)
+tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
+  extra_args=['--range-type',
+  'ipa-ad-trust'])
+
+cls.reqdir = os.path.join(master.config.test_dir, "certs")
+cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
+cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
+cls.pwname = os.path.join(cls.reqdir, "pwd")
+
+# Create a NSS database folder
+master.run_command(['mkdir', cls.reqdir], raiseonerr=False)
+# Create an empty password file
+master.run_command(["touch", cls.pwname], raiseonerr=False)
+
+# Initialize NSS database
+tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir)
+# Now generate self-signed certs for a windows user
+stdin_text = string.digits+string.letters[2:] + '\n'
+tasks.run_cert

[Freeipa-devel] [freeipa PR#217][closed] change certificate processing code to use python-cryptography

2016-11-10 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/217
Author: frasertweedale
 Title: #217: change certificate processing code to use python-cryptography
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/217/head:pr217
git checkout pr217

[Freeipa-devel] [freeipa PR#217][comment] change certificate processing code to use python-cryptography

2016-11-10 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/217
Title: #217: change certificate processing code to use python-cryptography

dkupka commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/9522970bfa28900abc90e959de483f59c79a3e5f
https://fedorahosted.org/freeipa/changeset/66637f766dd0ddc50888013962be2294fd8d0e9a
https://fedorahosted.org/freeipa/changeset/85487281cdc09720f6a0385ebb7157742d762a0c
https://fedorahosted.org/freeipa/changeset/44c2d685f01eb4c03e4659125e41d73b8be47c19
https://fedorahosted.org/freeipa/changeset/c57dc890b2bf447ab575f2e91249179bce3f05d5
https://fedorahosted.org/freeipa/changeset/db116f73fe5fc199bb2e28103cf5e3e2a24eab4c
https://fedorahosted.org/freeipa/changeset/b0430b67dc90fddf1e35fde9a0cf2977a07d7cbd
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/217#issuecomment-259640577

[Freeipa-devel] [freeipa PR#217][+pushed] change certificate processing code to use python-cryptography

2016-11-10 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/217
Title: #217: change certificate processing code to use python-cryptography

Label: +pushed

[Freeipa-devel] [freeipa PR#217][+ack] change certificate processing code to use python-cryptography

2016-11-10 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/217
Title: #217: change certificate processing code to use python-cryptography

Label: +ack

[Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer

2016-11-10 Thread Akasurde
  URL: https://github.com/freeipa/freeipa/pull/209
Title: #209: Enumerate available options in IPA installer

Akasurde commented:
"""
ping
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/209#issuecomment-259639629

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-11-10 Thread Oleg Fayans



On 11/10/2016 09:43 AM, Martin Basti wrote:

ACK

On the other hand, make it a conditional one. The link in the comment
does not work. Please fix that.

--
Milan Kubik

--
Milan Kubik

After offline discussion and some clarification, the comment is right. ACK

--
Milan Kubik

Because patches are scattered over this thread, am I right that those
versions should be pushed?

freeipa-ofayans-0047.7-Automated-clean-ruv-subcommand-tests.patch
freeipa-ofayans-0048.4-Automated-ipa-replica-manage-del-tests.patch

Precisely!

Martin^2

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-10 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

jcholast commented:
"""
@tiran, setting `confdir` explicitly is not a hack, but the proper way to set 
the config directory path and there is nothing that makes the environment 
variable better as an API for integrators. I would argue that it's actually 
worse, because it is implicit and optimized towards the less common usage 
(everyone who wants to use the default path has to unset the variable now to 
make sure that's what they actually get), and while some software does indeed 
allow changing configuration using environment variables, there is other 
software (such as GNU grep) which is actually deprecating this way of changing 
configuration.

If the majority of people think it is a good idea, I won't push back, but NACK on 
respecting the variable only in certain contexts.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/182#issuecomment-259635859

[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-10 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

jcholast commented:
"""
@tiran, setting `confdir` explicitly is not a hack, but the proper way to set 
the config directory path and there is nothing that makes the environment 
variable better as an API for integrators. I would argue that it's actually 
worse, because it is implicit and optimized towards the less common usage 
(everyone who wants to use the default path has to unset the variable now to 
make sure that's what they actually get), and while some software does indeed 
allow changing configuration using environment variables, there is other 
software (such as GNU grep) which is actually deprecating this way of changing 
configuration.

If the majority of people think it is a good idea, I won't push back, but NACK on 
respecting the variable only in specific contexts.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/182#issuecomment-259635859

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-11-10 Thread Martin Basti




ACK

On the other hand, make it a conditional one. The link in the comment 
does not work. Please fix that.

--
Milan Kubik

--
Milan Kubik

After offline discussion and some clarification, the comment is right. ACK

--
Milan Kubik

Because patches are scattered over this thread, am I right that those 
versions should be pushed?

freeipa-ofayans-0047.7-Automated-clean-ruv-subcommand-tests.patch
freeipa-ofayans-0048.4-Automated-ipa-replica-manage-del-tests.patch

Martin^2

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-11-10 Thread Milan Kubík

On 11/09/2016 04:37 PM, Milan Kubík wrote:

On 11/09/2016 04:34 PM, Milan Kubík wrote:

On 11/03/2016 04:56 PM, Oleg Fayans wrote:

Hi Martin,

The commit message was updated with the correct ticket link
Thanks for review!

On 11/03/2016 04:22 PM, Martin Basti wrote:

almost ACK, but the ticket in commit message is closed as invalid. So
I'm quite puzzled now what to do.


On 03.11.2016 13:28, Oleg Fayans wrote:

ping for review

On 10/19/2016 04:54 PM, Oleg Fayans wrote:

Hi Martin,

Thanks for the review. Fixed both issues.

$ ipa-run-tests test_integration/test_topology.py -k TestCASpecificRUVs

WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'
===== test session starts =====
platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 5 items

test_integration/test_topology.py ..

===== 2 passed in 2444.84 seconds =====


On 10/17/2016 07:05 PM, Martin Basti wrote:

1)

you don't need to disable/enable dirsrv, just stop/start. Please 
remove

disable/enable parts


2)

traceback:

self = 

    def test_delete_ruvs(self):
        """
        http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand
        """
        replica = self.replicas[0]
        master = self.master
        res1 = master.run_command(['ipa-replica-manage', 'list-ruv', '-p',
                                   master.config.dirman_password])

        assert(res1.stdout_text.count(replica.hostname) == 2 and
               "Certificate Server Replica Update Vectors" in res1), (
            "CA-specific RUVs are not displayed")
E   TypeError: argument of type 'SSHCommand' is not iterable

test_integration/test_topology.py:215: TypeError

entering PDB
/usr/lib/python2.7/site-packages/ipatests/test_integration/test_topology.py(215)test_delete_ruvs()
-> assert(res1.stdout_text.count(replica.hostname) == 2 and



On 14.10.2016 11:36, Oleg Fayans wrote:

Right you are! I am sorry.

On 10/13/2016 06:10 PM, Martin Basti wrote:

I think that you forgot to squash commits. Patch 47 doesn't apply


On 13.10.2016 14:01, Oleg Fayans wrote:

Hi Martin,

Thanks for the review.
With disabling directory server it works as well, thanks for the
hint.
Also I moved the cleanup logic to the test itself for the 
sake of

simplicity. Patch-0048 was not changed

On 10/12/2016 02:35 PM, Martin Basti wrote:

1)

Can you just turn off dirsrv on replica instead of doing 
iptables

magic?


2) NACK

No more eval() ever in code, use 'getattr', 'get' or 
whatever in

the
object that can be used.

+evalhost = eval("args[0].%s" % host)

Martin^2

On 12.10.2016 14:03, Oleg Fayans wrote:

Hi Martin,

After extensive discussion with Ludwig, I finally got the 
clue on

how
does this feature work. When we uninstall the replica, the 
master

cleans the replication agreements with this replica and
automatically
cleans all replica's RUVs.
If we clean replica's RUVs on master without uninstalling the
replica,
the replica's RUVs get recreated on master (replication
works!). So,
the only way to test the clean-ruv subcommand is to turn 
off the

replica, or block the traffic on it so it gets inaccessible to
updates
from master.
The testcases were updated, see [1] and [2]

The updated versions of the patches are attached

[1]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs

[2]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand

On 08/05/2016 06:36 PM, Martin Basti wrote:



On 03.08.2016 14:45, Oleg Fayans wrote:

Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:



On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:



On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get
reviewed
before
4.4 release? They cover a good part of the Managed 
Topology

4.4
feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more
testcases
from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_P
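
The one security-relevant review point in the thread above is Martin Basti's NACK on `evalhost = eval("args[0].%s" % host)`: a selector string that is spliced into Python source and executed can reach anything Python can express, not just the attribute the test meant. The following is an added example, not code from the patches under review or from FreeIPA's test suite. It shows the rejected pattern beside the replacement the review asks for (`getattr` driven by a fixed selector grammar). The `Hosts` class is a constructed stand-in for the multihost fixture, and the selector grammar (`name` or `name[index]`) is my assumption about the forms such a test needs, e.g. `master` and `replicas[0]`.

```python
import re

# Constructed stand-in for the multihost test fixture that the quoted test
# indexed with eval("args[0].%s" % host); the names here are hypothetical.
class Hosts(object):
    def __init__(self):
        self.master = "master.ipa.test"
        self.replicas = ["replica1.ipa.test", "replica2.ipa.test"]

# Selector grammar (assumed): an attribute name, optionally followed by a
# single non-negative list index, e.g. "master" or "replicas[0]".
_SELECTOR = re.compile(r"^(?P<attr>[A-Za-z_][A-Za-z0-9_]*)(?:\[(?P<idx>\d+)\])?$")

# Attributes a selector may name; anything else is rejected up front.
ALLOWED_ATTRS = frozenset(["master", "replicas"])


def resolve_host_eval(hosts, selector):
    """The pattern the review rejected: the selector is treated as Python
    source, so attribute walks and arbitrary expressions are all accepted."""
    return eval("hosts.%s" % selector)  # deliberately unsafe, for contrast


def resolve_host(hosts, selector):
    """Safe replacement: parse the selector against a fixed grammar, then use
    getattr() and list indexing only. No code is executed."""
    m = _SELECTOR.match(selector)
    if m is None or m.group("attr") not in ALLOWED_ATTRS:
        raise ValueError("invalid host selector: %r" % selector)
    value = getattr(hosts, m.group("attr"))
    idx = m.group("idx")
    if idx is not None:
        if not isinstance(value, list):
            raise ValueError("%r is not indexable" % m.group("attr"))
        try:
            value = value[int(idx)]
        except IndexError:
            raise ValueError("index out of range in %r" % selector)
    return value


def rejects(selector):
    """True if resolve_host() refuses the selector (used by the checks)."""
    try:
        resolve_host(Hosts(), selector)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    hosts = Hosts()
    for sel in ("master", "replicas[1]", "__class__.__name__", "replicas[0] or 1"):
        try:
            safe = resolve_host(hosts, sel)
        except ValueError as e:
            safe = "rejected (%s)" % e
        print("%-22s eval -> %-20r getattr -> %r"
              % (sel, resolve_host_eval(hosts, sel), safe))
```

Running the block shows the two functions agree on the well-formed selectors and diverge on everything else: `eval` happily walks `__class__.__name__` or evaluates `replicas[0] or 1`, while `resolve_host` refuses both with a `ValueError`, which is the behaviour a test helper taking a string from a parametrized test should have.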

[Freeipa-devel] [freeipa PR#182][-ack] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-10 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

Label: -ack

[Freeipa-devel] [freeipa PR#221][+pushed] gitignore: ignore tar ball

2016-11-10 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/221
Title: #221: gitignore: ignore tar ball

Label: +pushed

[Freeipa-devel] [freeipa PR#221][closed] gitignore: ignore tar ball

2016-11-10 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/221
Author: tomaskrizek
 Title: #221: gitignore: ignore tar ball
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/221/head:pr221
git checkout pr221