[Freeipa-devel] [freeipa PR#374][comment] pytest: set rules to find test files and functions

2017-01-06 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/374
Title: #374: pytest: set rules to find test files and functions

tiran commented:
"""
Reproducer:

* clone my tox branch https://github.com/tiran/freeipa/tree/tox
* run ```tox -e py27```

```
$ tox -e py27
py27 create: /home/heimes/redhat/freeipa/.tox/py27
py27 installdeps: ipaclient, ipatests
['/home/heimes/redhat/freeipa/.tox-install.sh', '/home/heimes/redhat/freeipa/.tox/py27/bin/python', '/home/heimes/redhat/freeipa/.tox/py27/lib/python2.7/site-packages', 'ipaclient', 'ipatests']
py27 installed: cffi==1.9.1,configparser==3.5.0,cryptography==1.7.1,custodia==0.2.0,decorator==4.0.10,dnspython==1.15.0,enum34==1.1.6,gssapi==1.2.0,idna==2.2,ipaclient==4.4.90.dev201701051932+gitadb0120,ipaddress==1.0.17,ipalib==4.4.90.dev201701051932+gitadb0120,ipapython==4.4.90.dev201701051932+gitadb0120,ipatests==4.4.90.dev201701051932+gitadb0120,jwcrypto==0.4.0,netaddr==0.7.18,netifaces==0.10.5,nose==1.3.7,polib==1.0.8,py==1.4.32,pyasn1==0.1.9,pyasn1-modules==0.0.8,pycparser==2.17,pyldap==2.4.25.1,pytest==3.0.5,pytest-multihost==1.1,python-nss==1.0.1,python-yubico==1.3.2,pyusb==1.0.0,qrcode==5.3,requests==2.12.4,six==1.10.0
py27 runtests: PYTHONHASHSEED='3237466879'
py27 runtests: commands[0] | ipa-run-tests test_ipapython test_ipalib test_pkcs10 --ignore=test_ipalib/test_rpc.py
=== test session starts ===
platform linux2 -- Python 2.7.12, pytest-3.0.5, py-1.4.32, pluggy-0.4.0
rootdir: /home/heimes/redhat, inifile: tox.ini
plugins: multihost-1.1
collected 0 items 

=== no tests ran in 0.12 seconds ===
ERROR: InvocationError: '/home/heimes/redhat/freeipa/.tox/py27/bin/ipa-run-tests test_ipapython test_ipalib test_pkcs10 --ignore=test_ipalib/test_rpc.py'
___ summary ___
ERROR:   py27: commands failed
```

* edit ```ipatests/conftest.py``` and enable ```python_files``` on line 47
* run ```tox -e py27``` again

```
=== test session starts ===

platform linux2 -- Python 2.7.12, pytest-3.0.5, py-1.4.32, pluggy-0.4.0
rootdir: /home/heimes/redhat, inifile: tox.ini
plugins: multihost-1.1
collected 406 items 

test_ipapython/test_cookie.py 
test_ipapython/test_dn.py ...
test_ipapython/test_ipautil.py 
..
test_ipapython/test_ipavalidate.py ..
test_ipapython/test_kerberos.py ..
test_ipapython/test_keyring.py ..
test_ipapython/test_ssh.py ...
test_ipalib/test_aci.py ...
test_ipalib/test_backend.py 
test_ipalib/test_base.py ...
test_ipalib/test_capabilities.py .
test_ipalib/test_cli.py ...
test_ipalib/test_config.py ...
test_ipalib/test_crud.py ...
test_ipalib/test_errors.py ...
test_ipalib/test_frontend.py 
test_ipalib/test_messages.py 
test_ipalib/test_output.py ...
test_ipalib/test_parameters.py 
.
test_ipalib/test_plugable.py 
test_ipalib/test_text.py .
test_ipalib/test_x509.py ...
test_pkcs10/test_pkcs10.py .

== pytest-warning summary ==
...
== 406 passed, 59 pytest-warnings in 2.04 seconds ==

___ summary ___
  py27: commands succeeded
  congratulations :)
```

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/374#issuecomment-270962079
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] Certificate Identity Mapping

2017-01-06 Thread Florence Blanc-Renaud

On 12/16/2016 09:34 AM, Florence Blanc-Renaud wrote:
> On 12/06/2016 04:39 PM, Florence Blanc-Renaud wrote:
> > Hi,
> > 
> > I have started a feature description for the Certificate Identity
> > Mapping at the following location:
> > http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
> > 
> > This is a first step, focusing on the interface we would like to
> > provide. It still contains open questions, some of which are linked to
> > the corresponding design on SSSD side:
> > https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates
> > https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities
> > 
> > Comments, concerns and suggestions are welcome. Thanks!
> > 
> > Flo.
> 
> Hi,
> 
> the design page for Certificate Identity Mapping [1] has been updated
> with a schema proposal and an example of configuration data.
> 
> Please share your comments, concerns, suggestions before January 7, so
> that we can finalize the API and start the implementation.
> Thanks,
> Flo.
> 
> [1] http://www.freeipa.org/page/V4/Certificate_Identity_Mapping


Hi,

thanks for all the comments provided so far. The design page [1] has 
been updated and I hope that it reflects the current state of discussions:

- removed configuration options that did not seem useful
- shortened the feature name to certmap-xx
- added the notion of priority in the cert map rules

As always, comments are welcome.
Flo


[1] http://www.freeipa.org/page/V4/Certificate_Identity_Mapping



[Freeipa-devel] [freeipa PR#334][closed] Py3: Fix ToASCII method

2017-01-06 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/334
Author: mbasti-rh
 Title: #334: Py3: Fix ToASCII method
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/334/head:pr334
git checkout pr334

[Freeipa-devel] [freeipa PR#334][+pushed] Py3: Fix ToASCII method

2017-01-06 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/334
Title: #334: Py3: Fix ToASCII method

Label: +pushed

[Freeipa-devel] [freeipa PR#334][comment] Py3: Fix ToASCII method

2017-01-06 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/334
Title: #334: Py3: Fix ToASCII method

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/35ba724de90b270773d91596de310291df745df0
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/334#issuecomment-270888978

[Freeipa-devel] [freeipa PR#334][+ack] Py3: Fix ToASCII method

2017-01-06 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/334
Title: #334: Py3: Fix ToASCII method

Label: +ack

[Freeipa-devel] [freeipa PR#334][comment] Py3: Fix ToASCII method

2017-01-06 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/334
Title: #334: Py3: Fix ToASCII method

mbasti-rh commented:
"""
bump for review
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/334#issuecomment-270888152

[Freeipa-devel] [freeipa PR#210][synchronized] Tests: Stage User Tracker implementation

2017-01-06 Thread gkaihorodova
   URL: https://github.com/freeipa/freeipa/pull/210
Author: gkaihorodova
 Title: #210: Tests: Stage User Tracker implementation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/210/head:pr210
git checkout pr210
From 298e1a136c6a430e8deaa558a946ba51874ffd95 Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Mon, 10 Oct 2016 14:00:51 +0200
Subject: [PATCH 1/3] Unaccessible variable self.attrs in Tracker

In tracker, 'self.attrs' variable is created and filled in track_create method.
Some objects are not created but still require access to this variable.
Created 'self.attrs' variable in init

https://fedorahosted.org/freeipa/ticket/6125
---
 ipatests/test_xmlrpc/tracker/base.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py
index a2b7406..aa88e6b 100644
--- a/ipatests/test_xmlrpc/tracker/base.py
+++ b/ipatests/test_xmlrpc/tracker/base.py
@@ -76,6 +76,7 @@ def __init__(self, default_version=None):
 self.api = api
 self.default_version = default_version or API_VERSION
 self._dn = None
+self.attrs = {}
 
 self.exists = False
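Review bot: `self.attrs = {}` in `__init__` fixes the AttributeError for trackers whose object is never created, but code that used to fail loudly when it read `attrs` before `track_create` will now silently see an empty dict; a short comment on the new line, and a sentence in the `track_create` docstring, saying that `attrs` stays empty until the object has been created would make that contract explicit.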
 

From 0e319e3a3fc927ee7bc465461b266b9a2b533c8b Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Wed, 2 Nov 2016 15:02:30 +0100
Subject: [PATCH 2/3] Tests: Stage User Tracker implementation

Fix provide possibility of creation stage user with minimal values,
with uid not specified and check for non-empty unicode string
for attributes requested in init method

https://fedorahosted.org/freeipa/ticket/6448
---
 ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 38 +++-
 1 file changed, 30 insertions(+), 8 deletions(-)

diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
index 82d7e06..81943c5 100644
--- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
@@ -61,23 +61,45 @@ class StageUserTracker(Tracker):
 find_keys = retrieve_keys - {u'has_keytab', u'has_password'}
 find_all_keys = retrieve_all_keys - {u'has_keytab', u'has_password'}
 
-def __init__(self, name, givenname, sn, **kwargs):
+def __init__(self, name=None, givenname=None, sn=None, **kwargs):
+""" Check for non-empty unicode string for the required attributes
+in the init method """
+
+if not (isinstance(givenname, six.string_types) and givenname):
+raise ValueError(
+"Invalid first name provided: {!r}".format(givenname)
+)
+if not (isinstance(sn, six.string_types) and sn):
+raise ValueError("Invalid second name provided: {!r}".format(sn))
+
 super(StageUserTracker, self).__init__(default_version=None)
-self.uid = name
-self.givenname = givenname
-self.sn = sn
+self.uid = unicode(name)
+self.givenname = unicode(givenname)
+self.sn = unicode(sn)
 self.dn = DN(
 ('uid', self.uid), api.env.container_stageuser, api.env.basedn)
 
 self.kwargs = kwargs
 
 def make_create_command(self, options=None):
-""" Make function that creates a staged user using stageuser-add """
+""" Make function that creates a staged user using stageuser-add
+with all set of attributes and with minimal values,
+where uid is not specified  """
+
 if options is not None:
 self.kwargs = options
-return self.make_command('stageuser_add', self.uid,
- givenname=self.givenname,
- sn=self.sn, **self.kwargs)
+if self.uid is not None:
+return self.make_command(
+'stageuser_add', self.uid,
+givenname=self.givenname,
+sn=self.sn, **self.kwargs
+)
+else:
+return self.make_command(
+'stageuser_add',
+givenname=self.givenname,
+sn=self.sn, **self.kwargs
+)
 
 def make_delete_command(self):
 """ Make function that deletes a staged user using stageuser-del """

From cab565d629f83e60bbec261ddeb379d5c1f8d2c6 Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Mon, 12 Dec 2016 14:11:52 +0100
Subject: [PATCH 3/3] Stage User: Test to create stage user with minimal values

Test to create stage user with minimal values, where uid is not specified

https://fedorahosted.org/freeipa/ticket/6448
---
 ipatests/test_xmlrpc/test_stageuser_plugin.py | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
index 4a859e8..e630171 100644
--- 

[Freeipa-devel] [freeipa PR#181][synchronized] Tests : User Tracker creation of user with minimal values

2017-01-06 Thread gkaihorodova
   URL: https://github.com/freeipa/freeipa/pull/181
Author: gkaihorodova
 Title: #181: Tests : User Tracker creation of user with minimal values
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/181/head:pr181
git checkout pr181
From 298e1a136c6a430e8deaa558a946ba51874ffd95 Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Mon, 10 Oct 2016 14:00:51 +0200
Subject: [PATCH 1/3] Unaccessible variable self.attrs in Tracker

In tracker, 'self.attrs' variable is created and filled in track_create method.
Some objects are not created but still require access to this variable.
Created 'self.attrs' variable in init

https://fedorahosted.org/freeipa/ticket/6125
---
 ipatests/test_xmlrpc/tracker/base.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py
index a2b7406..aa88e6b 100644
--- a/ipatests/test_xmlrpc/tracker/base.py
+++ b/ipatests/test_xmlrpc/tracker/base.py
@@ -76,6 +76,7 @@ def __init__(self, default_version=None):
 self.api = api
 self.default_version = default_version or API_VERSION
 self._dn = None
+self.attrs = {}
 
 self.exists = False
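Review bot: this is the same commit 298e1a136c6a430e8deaa558a946ba51874ffd95 that PR#210 carries as its first patch, so whichever of the two PRs lands second will need a rebase to drop the duplicate `self.attrs = {}` change rather than applying it twice.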
 

From 239ce30184b29af67a674cbc2cf0bec402212f05 Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Thu, 8 Dec 2016 15:06:36 +0100
Subject: [PATCH 2/3] User Tracker: creation of user with minimal values

Fix provide possibility to create user-add test with minimal values,
where uid is not specified, to provide better coverage. Also provide
check for non-empty unicode string for attributes required in init method

https://fedorahosted.org/freeipa/ticket/6126
---
 ipatests/test_xmlrpc/tracker/user_plugin.py | 42 +
 1 file changed, 31 insertions(+), 11 deletions(-)

diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py
index 4485fd9..29b3177 100644
--- a/ipatests/test_xmlrpc/tracker/user_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/user_plugin.py
@@ -62,22 +62,42 @@ class UserTracker(KerberosAliasMixin, Tracker):
 
 primary_keys = {u'uid', u'dn'}
 
-def __init__(self, name, givenname, sn, **kwargs):
+def __init__(self, name=None, givenname=None, sn=None, **kwargs):
+""" Check for non-empty unicode string for the required attributes
+in the init method """
+
+if not (isinstance(givenname, six.string_types) and givenname):
+raise ValueError(
+"Invalid first name provided: {!r}".format(givenname)
+)
+if not (isinstance(sn, six.string_types) and sn):
+raise ValueError("Invalid second name provided: {!r}".format(sn))
+
 super(UserTracker, self).__init__(default_version=None)
-self.uid = name
-self.givenname = givenname
-self.sn = sn
+self.uid = unicode(name)
+self.givenname = unicode(givenname)
+self.sn = unicode(sn)
 self.dn = DN(('uid', self.uid), api.env.container_user, api.env.basedn)
 
 self.kwargs = kwargs
 
-def make_create_command(self):
-""" Make function that crates a user using user-add """
-return self.make_command(
-'user_add', self.uid,
-givenname=self.givenname,
-sn=self.sn, **self.kwargs
-)
+def make_create_command(self, force=None):
+
+""" Make function that creates a user using user-add
+with all set of attributes and with minimal values,
+where uid is not specified """
+
+if self.uid is not None:
+return self.make_command(
+'user_add', self.uid,
+givenname=self.givenname,
+sn=self.sn, **self.kwargs
+)
+else:
+return self.make_command(
+'user_add', givenname=self.givenname,
+sn=self.sn, **self.kwargs
+)
 
 def make_delete_command(self, no_preserve=True, preserve=False):
 """ Make function that deletes a user using user-del """

From 7205d9feba68ba3dbe183b64f6d28833b258ddd2 Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Thu, 8 Dec 2016 15:08:41 +0100
Subject: [PATCH 3/3] User Tracker: Test to create user with minimal values

Test to create user with minimal values, where uid is not specified

https://fedorahosted.org/freeipa/ticket/6126
---
 ipatests/test_xmlrpc/test_user_plugin.py | 13 +
 1 file changed, 13 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index 7508578..b90363e 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -79,6 +79,13 @@
 
 
 @pytest.fixture(scope='class')
+def user_min(request):
+""" User tracker fixture for testing 

[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values

2017-01-06 Thread gkaihorodova
  URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

gkaihorodova commented:
"""
Yes, the intention was to have repr() of the given string, so I'll use '{!r}' 
instead of '{}', and apply that change to #210 also. Thank you.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/181#issuecomment-270871478

Re: [Freeipa-devel] Certificate Identity Mapping

2017-01-06 Thread Sumit Bose
On Fri, Jan 06, 2017 at 08:40:31AM +0100, Jan Cholasta wrote:
> On 5.1.2017 13:15, Sumit Bose wrote:
> > On Mon, Jan 02, 2017 at 08:06:04AM +0100, Jan Cholasta wrote:
> > > On 19.12.2016 12:13, Sumit Bose wrote:
> > > > On Mon, Dec 19, 2016 at 10:02:58AM +0100, Jan Cholasta wrote:
> > > > > I agree with *almost* everything Sumit said. See my inline comments 
> > > > > below.
> > > > > 
> > > > > On 16.12.2016 11:53, Sumit Bose wrote:
> > > > > > On Tue, Dec 06, 2016 at 04:39:10PM +0100, Florence Blanc-Renaud 
> > > > > > wrote:
> > > > > > > Hi,
> > > > > > > 
> > > > > > > I have started a feature description for the Certificate Identity 
> > > > > > > Mapping at
> > > > > > > the following location:
> > > > > > > http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
> > > > > > > 
> > > > > > > This is a first step, focusing on the interface we would like to 
> > > > > > > provide. It
> > > > > > > still contains open questions, some of which are linked to the 
> > > > > > > corresponding
> > > > > > > design on SSSD side:
> > > > > > > https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates
> > > > > > > https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities
> > > > > > > 
> > > > > > > Comments, concerns and suggestions are welcome. Thanks!
> > > > > > 
> > > > > > Hi Flo,
> > > > > > 
> > > > > > thank you very much for setting up the page.
> > > > > > 
> > > > > > My comments are mostly about the commands.
> > > > > > 
> > > > > > certmappingconfig-mod:
> > > > > > 
> > > > > > * --enable=Boolean: if this option is 'False' SSSD will basically 
> > > > > > show
> > > > > >   the current behavior and just look up the certificates directly. 
> > > > > > But I
> > > > > >   wonder if the option is needed at all because not adding any 
> > > > > > mapping
> > > > > >   rules would have the same effect.
> > > > > > 
> > > > > >   What is the scope here, only the IPA domain, or all trusted 
> > > > > > domains as
> > > > > >   well? If it is for trusted domains as well will the 
> > > > > > certmappingrule-*
> > > > > >   commands and user-{add/remove}-certmapping return an error?
> > > > > > 
> > > > > >   So, in general I see an overlap with the mapping rules and I 
> > > > > > think it
> > > > > >   would be clearer to drop this option and do the lookups according 
> > > > > > to
> > > > > >   the mapping rules.
> > > > > > 
> > > > > > * --prompt-username=Boolean: the description implies that this 
> > > > > > option is
> > > > > >   synonymous to 1:1 mapping, but it is not. On Linux authentication 
> > > > > > in
> > > > > >   most cases use a user name either by directly asking (e.g. 
> > > > > > /bin/login)
> > > > > >   or using the current user name (e.g. sudo). So, according to its 
> > > > > > name
> > > > > >   it would only control if gdm is allowed to ask for an (optional) 
> > > > > > user
> > > > > >   name.
> > > > > > 
> > > > > >   If the option is renamed to e.g. --force-1-to-1-mapping to really
> > > > > >   enforce a 1:1 mapping then it would make sense to derived to gdm
> > > > > >   behavior. I.e. if 1:1 mapping is enforce it makes no sense for 
> > > > > > gdm to
> > > > > >   ask for a user name and if it is not enforced then it makes sense 
> > > > > > to
> > > > > >   offer and optional user name input field.
> > > > > > 
> > > > > > * --enable-username-mismatch=Boolean: I think this option can be
> > > > > >   dropped. My test so far show that if a non-matching hint is given 
> > > > > > on a
> > > > > >   Windows client authentication fails.
> > > > > > 
> > > > > > * --alternate-attribute=STRING: I think this option isn't needed as
> > > > > >   well. For IPA server-side we should decide on an attribute name 
> > > > > > and
> > > > > >   add it to the schema for user objects. On the client side the
> > > > > >   attribute name can be taken from the mapping rule.A
> > > > > > 
> > > > > > 
> > > > > > certmappingrule.*:
> > > > > > 
> > > > > > * ISSUERDN: it looks like you want to use issuerName here. In
> > > > > >   certificateRecord it it used with LDAP ordering and I would prefer
> > > > > >   LDAP ordering at all points where we have a choice. Unfortunately 
> > > > > > in the
> > > > > >   issuer-subject mapping AD dictates X.500 ordering.
> > > > > 
> > > > > LDAP ordering should indeed be preferred, as it is used everywhere 
> > > > > else in
> > > > > IPA. We can convert to/from X.500 ordering where necessary, when 
> > > > > possible.
> > > > > 
> > > > > > 
> > > > > > * DOMAINDN: does this refer to the nsslapd-certmap-basedn attribute 
> > > > > > in
> > > > > >   the example? My intention in the SSSD design-page was to specify 
> > > > > > the
> > > > > >   domain (as in DNS domain/IPA domain/trusted domain) where the 
> > > > > > matching
> > > > > >   user should be searched. Different domains might certificates from
> > > > > >   different issuers and some domains might not even use 
> > > > > > certificates.

Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates

2017-01-06 Thread Sumit Bose
On Fri, Jan 06, 2017 at 08:50:14AM +0100, Jan Cholasta wrote:
> On 5.1.2017 10:39, Sumit Bose wrote:
> > On Mon, Jan 02, 2017 at 09:18:47AM +0100, Jan Cholasta wrote:
> > > On 18.10.2016 07:34, Jan Cholasta wrote:
> > > > On 17.10.2016 16:50, Rob Crittenden wrote:
> > > > > Jan Cholasta wrote:
> > > > > > Hi,
> > > > > > 
> > > > > > On 13.10.2016 18:52, Sumit Bose wrote:
> > > > > > > = Issuer specific matching =
> > > > > > > Although the MIT Kerberos rules allow to select the issuer of a
> > > > > > > certificate there are use cases where a more specific selection is
> > > > > > > needed. E.g. if there are some default matching rules for all 
> > > > > > > issuers
> > > > > > > and some other issuer specific rules where the default rules 
> > > > > > > should
> > > > > > > not apply. To make this possible with the above scheme the default
> > > > > > > rules must have an  clause which matches all but the 
> > > > > > > issuer
> > > > > > > with the specific rules. Writing regular-expressions to not match 
> > > > > > > a
> > > > > > > specific string or a list of strings is at least error-prone if 
> > > > > > > not
> > > > > > > impossible.
> > > > > > > 
> > > > > > > To make it easier to define issuer specific rules and default 
> > > > > > > rules at
> > > > > > > the same time and optional issuer string can be added to the rule 
> > > > > > > to
> > > > > > > indicate that for the given issuer only those rules should be
> > > > > > > considered. Given the use-case I think it is acceptable to require
> > > > > > > that the full issuer must be specified here in LDAP order (see 
> > > > > > > below)
> > > > > > > and case-sensitive matching is used.
> > > > > > 
> > > > > > This could also be solved by adding priority to rules - if two rules
> > > > > > match, the one with higher priority (the issuer specific rule) is
> > > > > > preferred over the one with lower priority (the default rule). IMO 
> > > > > > this
> > > > > > is better than an optional issuer string as it offers greater
> > > > > > flexibility.
> > > > > 
> > > > > The use cases I've seen haven't had to do with priority, though that
> > > > > would be a nice enhancement, but with only allowing certificates 
> > > > > issued
> > > > > by a specific CA to be allowed (this is pretty common in web servers).
> > > > > Being able to say "only do the matching on certificates issued by foo"
> > > > > is valuable.
> > > > 
> > > > Sure, I'm not suggesting that matching by issuer should be removed, only
> > > > that rule precedence should not be determined by the issuer field 
> > > > setting.
> > > > 
> > > 
> > > Bump. Sumit, what is your opinion on this?
> > 
> > I'm fine with an optional(?) priority as well. Since priorities are
> > already used in the pwpolicies this should be already known to the
> > experienced admin. I guess we just have stick with "A lower value
> > indicates a higher priority" to not confuse users. That's why I think
> > that the priority should be optional here and a missing value indicates
> > the lowest priority (default rules).
> 
> In pwpolicy and sudorule, the priority is required and has to be unique.
> Maybe we should do this for certificate mapping rules as well?

I think there is no requirement that only a single rule should match
hence I think the priority here must not be unique.

> 
> > 
> > Are you thinking of using the CoS scheme here as well would a priority
> > attribute be sufficient because we do not want to reference internal
> > objects in the mapping rules?
> 
> I'm not sure how CoS would be helpful here, I think a simple integer
> attribute would be perfectly sufficient.

I agree.

bye,
Sumit

> 
> > 
> > bye,
> > Sumit
> > 
> > > 
> > > --
> > > Jan Cholasta
> 
> 
> -- 
> Jan Cholasta

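
The priority semantics that Sumit and Jan settle on above (an optional integer priority, a lower value wins, a missing value means the lowest priority, and priorities need not be unique because several rules may legitimately match) are easy to get wrong in a sort. The following Python model is an added example written for this digest, not code from the FreeIPA design page or from SSSD: it shows one selection function with those rules applied to a constructed rule set. The field names, the exact issuer-match semantics (full issuer DN in LDAP order, compared case-sensitively, as Sumit proposes) and the sample DNs are assumptions.

```python
"""Certificate mapping rule selection with optional, non-unique priorities.

Added example; a model written for this digest, not FreeIPA or SSSD code.
Rule fields, DN strings and the behaviour of select_rules() are assumptions
that follow the thread: priority is optional, a lower value wins, a missing
value is the lowest priority (a default rule), and several rules may share
the same value.
"""
import re


class CertMapRule:
    def __init__(self, name, issuer=None, subject_regex=None, priority=None):
        self.name = name
        # Issuer DN in LDAP order, matched exactly and case-sensitively;
        # None means the rule applies to certificates from every issuer.
        self.issuer = issuer
        # Regular expression searched in the subject DN; None matches all.
        self.subject_regex = re.compile(subject_regex) if subject_regex else None
        # None means no priority was given, i.e. the lowest priority.
        self.priority = priority

    def matches(self, issuer_dn, subject_dn):
        if self.issuer is not None and self.issuer != issuer_dn:
            return False
        if self.subject_regex is not None and not self.subject_regex.search(subject_dn):
            return False
        return True


def select_rules(rules, issuer_dn, subject_dn):
    """Return every rule that matches the certificate, best first.

    Rules with a priority are ordered by ascending value (lower wins);
    rules without one come last.  The sort is stable, so rules sharing a
    priority keep their definition order instead of being rejected.
    """
    matching = [r for r in rules if r.matches(issuer_dn, subject_dn)]
    return sorted(matching, key=lambda r: (r.priority is None, r.priority or 0))


def best_rule_name(rules, issuer_dn, subject_dn):
    """Name of the rule that would be applied first, or None if none match."""
    selected = select_rules(rules, issuer_dn, subject_dn)
    return selected[0].name if selected else None


def example_rules():
    """Constructed sample rule set: one default rule without a priority and
    two issuer-specific rules for a smartcard CA that share priority 10."""
    smartcard_ca = "CN=Smartcard CA,O=EXAMPLE.TEST"
    return [
        CertMapRule("default", subject_regex=r"CN=[^,]+"),
        CertMapRule("smartcard-people", issuer=smartcard_ca,
                    subject_regex=r"^CN=[^,]+,OU=people,", priority=10),
        CertMapRule("smartcard-admins", issuer=smartcard_ca,
                    subject_regex=r",OU=admins,", priority=10),
    ]


if __name__ == "__main__":
    rules = example_rules()
    for issuer, subject in [
        ("CN=Smartcard CA,O=EXAMPLE.TEST", "CN=alice,OU=people,O=EXAMPLE.TEST"),
        ("CN=Smartcard CA,O=EXAMPLE.TEST", "CN=bob,OU=admins,O=EXAMPLE.TEST"),
        ("CN=Other CA,O=EXAMPLE.TEST", "CN=carol,OU=people,O=EXAMPLE.TEST"),
    ]:
        print(subject, "->", [r.name for r in select_rules(rules, issuer, subject)])
```

The stable sort is what lets the two smartcard rules share priority 10 without one of them being rejected, which is the "must not be unique" point above; a certificate from the other CA still falls through to the default rule, so no regular expression that "matches all issuers but one" is needed. Making priority mandatory and unique, as in pwpolicy, would instead mean only one rule could ever apply to a given certificate.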


[Freeipa-devel] [freeipa PR#375][comment] Fix used before assignment bug in host_port_open()

2017-01-06 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/375
Title: #375: Fix used before assignment bug in host_port_open()

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/deaad95247fa9624bef0108bf3813f358fb17ee5
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/375#issuecomment-270861373

[Freeipa-devel] [freeipa PR#375][+pushed] Fix used before assignment bug in host_port_open()

2017-01-06 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/375
Title: #375: Fix used before assignment bug in host_port_open()

Label: +pushed

[Freeipa-devel] [freeipa PR#375][closed] Fix used before assignment bug in host_port_open()

2017-01-06 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/375
Author: tiran
 Title: #375: Fix used before assignment bug in host_port_open()
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/375/head:pr375
git checkout pr375

[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

2017-01-06 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
 Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367
From b90e059d793f2b8f5af6246d046f5ecb9e69b71e Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 20 Dec 2016 10:05:36 +0100
Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module

NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires database password which makes the `ipa` command
totally unusable.

NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py|  3 ++
 ipalib/constants.py |  1 +
 ipalib/rpc.py   | 69 -
 ipalib/util.py  | 97 +
 4 files changed, 115 insertions(+), 55 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..8ecada6 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -493,6 +493,9 @@ def _bootstrap(self, **overrides):
 if 'nss_dir' not in self:
 self.nss_dir = self._join('confdir', 'nssdb')
 
+if 'ca_certfile' not in self:
+self.ca_certfile = self._join('confdir', 'ca.crt')
+
 # Set plugins_on_demand:
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
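Review bot: the `ca_certfile` default of `{confdir}/ca.crt` is only consulted when the first HTTPS connection is made (see the `make_connection` hunk below), so a missing or unreadable file surfaces as a late SSL error rather than at bootstrap; an `os.path.isfile(self.ca_certfile)` check here, or at least a debug log of the chosen path, would give a clearer failure when the client is run from an unconfigured directory.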
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 81643da..4f40545 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -226,6 +226,7 @@
 ('conf_default', object),  # File containing context independent config
 ('plugins_on_demand', object),  # Whether to finalize plugins on-demand (bool)
 ('nss_dir', object),  # Path to nssdb, default {confdir}/nssdb
+('ca_certfile', object),  # Path to CA cert file
 
 # Set in Env._finalize_core():
 ('in_server', object),  # Whether or not running in-server (bool)
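Review bot: the comment on the new `ca_certfile` entry says only "Path to CA cert file" while its neighbour `nss_dir` also states its default (`default {confdir}/nssdb`); write `default {confdir}/ca.crt` here as well so the table stays consistent with what `config.py` sets.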
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 921f5cb..66cd1c3 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -44,7 +44,7 @@
 import gssapi
 from dns import resolver, rdatatype
 from dns.exception import DNSException
-from nss.error import NSPRError
+from ssl import SSLError
 import six
 from six.moves import urllib
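Review bot: swapping `NSPRError` for `ssl.SSLError` changes exception ordering: `SSLError` is a subclass of `socket.error` (`OSError` on Python 3), so any `except socket.error` clause that precedes an `except SSLError` in this module will now swallow TLS failures before the SSL-specific handler runs; check every former `except NSPRError` site and make sure the `SSLError` handler comes first.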
 
@@ -60,8 +60,7 @@
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
-import ipapython.nsslib
-from ipapython.nsslib import NSSConnection
+from ipalib.util import IPAHTTPSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
  KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
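Review bot: `IPAHTTPSConnection` is imported from `ipalib.util`, a general helper module; the `NSSConnection` it replaces lived in `ipapython.nsslib`, and a transport class fits better in `ipapython` than in `ipalib.util`, which otherwise gains an `httplib`/`ssl` dependency for every importer. If it stays in `ipalib.util`, confirm that the import does not create a cycle between `ipalib.util` and `ipalib.rpc`.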
@@ -470,48 +469,21 @@ def get_host_info(self, host):
 
 return (host, extra_headers, x509)
 
+
 class SSLTransport(LanguageAwareTransport):
 """Handles an HTTPS transaction to an XML-RPC server."""
-
-def get_connection_dbdir(self):
-"""
-If there is a connections open it may have already initialized
-NSS database. Return the database location used by the connection.
-"""
-for value in context.__dict__.values():
-if not isinstance(value, Connection):
-continue
-if not isinstance(
-getattr(value.conn, '_ServerProxy__transport', None),
-SSLTransport):
-continue
-if hasattr(value.conn._ServerProxy__transport, 'dbdir'):
-return value.conn._ServerProxy__transport.dbdir
-return None
-
 def make_connection(self, host):
 host, self._extra_headers, _x509 = self.get_host_info(host)
 
 if self._connection and host == self._connection[0]:
 return self._connection[1]
 
-dbdir = context.nss_dir
-connection_dbdir = self.get_connection_dbdir()
+ca_certfile = context.ca_certfile
 
-if connection_dbdir:
-# If an existing connection is already using the same NSS
-# database there is no need to re-initialize.
-no_init = dbdir == connection_dbdir
-
-else:
-# If the NSS database is already being used there is no
-# need to re-initialize.
-no_init = dbdir == ipapython.nsslib.current_dbdir
-
-conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init,
- tls_version_min=api.env.tls_version_min,
- tls_version_max=api.env.tls_version_max)
-self.dbdir=dbdir
+conn = IPAHTTPSConnection(
+host, 443, 

[Freeipa-devel] [freeipa PR#367][edited] Remove nsslib from IPA

2017-01-06 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
 Title: #367: Remove nsslib from IPA
Action: edited

 Changed field: body
Original value:
"""
This batch of patches removes NSSConnection along with the whole 
ipapython.nsslib from IPA and replaces it with more standard 
httplib.HTTPSConnection.

NSSConnection was causing a lot of trouble in the past because it is 
apparently very fragile when it comes to nss library initialization. On top of 
that, when NSSConnection is used to set up an HTTPS connection in FIPS, it 
always requires a password to NSS database as NSS apparently tries to create a 
temporary private key and store it to the database even though client 
authentication is not required in the SSL connection.

TODO (will require changes in certmonger/dogtag.c):
- [x] remove NSSConnection from client modules
- [x] remove NSSConnection from server modules where it's used to connect to 
the certificate server
- [x] remove the nsslib library completely
- [ ] we may probably remove ipaCert from /etc/httpd/alias and stop tracking it 
with certmonger
- [ ] once ^- is done, track /var/lib/ipa/ra-agent.pem in certmonger instead

https://fedorahosted.org/freeipa/ticket/5695
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

2017-01-06 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
 Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367
From b90e059d793f2b8f5af6246d046f5ecb9e69b71e Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 20 Dec 2016 10:05:36 +0100
Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module

NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires database password which makes the `ipa` command
totally unusable.

NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py|  3 ++
 ipalib/constants.py |  1 +
 ipalib/rpc.py   | 69 -
 ipalib/util.py  | 97 +
 4 files changed, 115 insertions(+), 55 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..8ecada6 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -493,6 +493,9 @@ def _bootstrap(self, **overrides):
 if 'nss_dir' not in self:
 self.nss_dir = self._join('confdir', 'nssdb')
 
+if 'ca_certfile' not in self:
+self.ca_certfile = self._join('confdir', 'ca.crt')
+
 # Set plugins_on_demand:
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 81643da..4f40545 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -226,6 +226,7 @@
 ('conf_default', object),  # File containing context independent config
 ('plugins_on_demand', object),  # Whether to finalize plugins on-demand (bool)
 ('nss_dir', object),  # Path to nssdb, default {confdir}/nssdb
+('ca_certfile', object),  # Path to CA cert file
 
 # Set in Env._finalize_core():
 ('in_server', object),  # Whether or not running in-server (bool)
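Review bot: the new `ca_certfile` entry should document its default the way the `nss_dir` line right above it does (`# Path to nssdb, default {confdir}/nssdb`); config.py in this same patch sets it to `{confdir}/ca.crt`, so `# Path to CA cert file, default {confdir}/ca.crt` keeps the two in step.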
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 921f5cb..66cd1c3 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -44,7 +44,7 @@
 import gssapi
 from dns import resolver, rdatatype
 from dns.exception import DNSException
-from nss.error import NSPRError
+from ssl import SSLError
 import six
 from six.moves import urllib
 
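Review bot: replacing `from nss.error import NSPRError` with `from ssl import SSLError` only covers TLS-level failures; every `except NSPRError` elsewhere in rpc.py has to be changed to catch what `HTTPSConnection` actually raises, which is `SSLError` for handshake and certificate problems but plain `socket.error` (an `IOError` on Python 2) for connection refused, timeouts and name resolution failures, otherwise those paths regress from a clean error message into a traceback.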
@@ -60,8 +60,7 @@
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
-import ipapython.nsslib
-from ipapython.nsslib import NSSConnection
+from ipalib.util import IPAHTTPSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
  KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
@@ -470,48 +469,21 @@ def get_host_info(self, host):
 
 return (host, extra_headers, x509)
 
+
 class SSLTransport(LanguageAwareTransport):
 """Handles an HTTPS transaction to an XML-RPC server."""
-
-def get_connection_dbdir(self):
-"""
-If there is a connections open it may have already initialized
-NSS database. Return the database location used by the connection.
-"""
-for value in context.__dict__.values():
-if not isinstance(value, Connection):
-continue
-if not isinstance(
-getattr(value.conn, '_ServerProxy__transport', None),
-SSLTransport):
-continue
-if hasattr(value.conn._ServerProxy__transport, 'dbdir'):
-return value.conn._ServerProxy__transport.dbdir
-return None
-
 def make_connection(self, host):
 host, self._extra_headers, _x509 = self.get_host_info(host)
 
 if self._connection and host == self._connection[0]:
 return self._connection[1]
 
-dbdir = context.nss_dir
-connection_dbdir = self.get_connection_dbdir()
+ca_certfile = context.ca_certfile
 
-if connection_dbdir:
-# If an existing connection is already using the same NSS
-# database there is no need to re-initialize.
-no_init = dbdir == connection_dbdir
-
-else:
-# If the NSS database is already being used there is no
-# need to re-initialize.
-no_init = dbdir == ipapython.nsslib.current_dbdir
-
-conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init,
- tls_version_min=api.env.tls_version_min,
- tls_version_max=api.env.tls_version_max)
-self.dbdir=dbdir
+conn = IPAHTTPSConnection(
+host, 443, 
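Review bot: the removed `NSSConnection(...)` call forwarded `tls_version_min=api.env.tls_version_min` and `tls_version_max=api.env.tls_version_max`, and the replacement `IPAHTTPSConnection(host, 443, ...)` call is cut off here, so confirm it still passes both or the configured TLS floor silently stops applying to client connections. Two more things to check in the new path: `ca_certfile = context.ca_certfile` is read here but the visible hunks do not show where `context.ca_certfile` gets populated, so it must be set wherever `context.nss_dir` was; and because NSS validated the server's certificate chain and hostname, `IPAHTTPSConnection` must do the same against `ca_certfile` (certificate required plus hostname check) rather than accept any certificate.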

[Freeipa-devel] [freeipa PR#376][opened] client install: correctly report all failures

2017-01-06 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/376
Author: HonzaCholasta
 Title: #376: client install: correctly report all failures
Action: opened

PR body:
"""
In commit 5249eb817efbb5708d097173a8d5f1e322fb201e, the client install code
was converted to use exception handling instead of return codes. However,
some return statements were not converted to raise statements and as a
result, ipa-client-install will report success in some error conditions.

Convert the return statements to raise statements to fix the issue.

https://fedorahosted.org/freeipa/ticket/6392
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/376/head:pr376
git checkout pr376
From d64d4d1206df7618816e3a1f9e79b167d22f1f4d Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 3 Jan 2017 07:43:12 +0100
Subject: [PATCH] client install: correctly report all failures

In commit 5249eb817efbb5708d097173a8d5f1e322fb201e, the client install code
was converted to use exception handling instead of return codes. However,
some return statements were not converted to raise statements and as a
result, ipa-client-install will report success in some error conditions.

Convert the return statements to raise statements to fix the issue.

https://fedorahosted.org/freeipa/ticket/6392
---
 ipaclient/install/client.py | 25 +
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 60a5c18..dbe8fb0 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2715,13 +2715,13 @@ def _install(options):
 except errors.PublicError as e2:
 root_logger.warning(
 "Second connect with delegate=True also failed: %s", e2)
-root_logger.error(
-"Cannot connect to the IPA server RPC interface: %s", e2)
-return CLIENT_INSTALL_ERROR
+raise ScriptError(
+"Cannot connect to the IPA server RPC interface: %s" % e2,
+rval=CLIENT_INSTALL_ERROR)
 except errors.PublicError as e:
-root_logger.error(
-"Cannot connect to the server due to generic error: %s", e)
-return CLIENT_INSTALL_ERROR
+raise ScriptError(
+"Cannot connect to the server due to generic error: %s" % e,
+rval=CLIENT_INSTALL_ERROR)
 
 # Use the RPC directly so older servers are supported
 try:
@@ -2744,8 +2744,9 @@ def _install(options):
 try:
 create_ipa_nssdb()
 except ipautil.CalledProcessError as e:
-root_logger.error("Failed to create IPA NSS database: %s", e)
-return CLIENT_INSTALL_ERROR
+raise ScriptError(
+"Failed to create IPA NSS database: %s" % e,
+rval=CLIENT_INSTALL_ERROR)
 
 # Get CA certificates from the certificate store
 try:
@@ -2768,9 +2769,9 @@ def _install(options):
 try:
 ipa_db.add_cert(cert, nickname, trust_flags)
 except CalledProcessError as e:
-root_logger.error(
-"Failed to add %s to the IPA NSS database.", nickname)
-return CLIENT_INSTALL_ERROR
+raise ScriptError(
+"Failed to add %s to the IPA NSS database." % nickname,
+rval=CLIENT_INSTALL_ERROR)
 
 # Add the CA certificates to the platform-dependant systemwide CA store
 tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs)
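Review bot: `except CalledProcessError as e` binds `e`, but the new message `"Failed to add %s to the IPA NSS database." % nickname` still drops it, so the certutil failure reason never reaches the user; include it, e.g. `"Failed to add %s to the IPA NSS database: %s" % (nickname, e)`, as the other two conversions in this patch do with their exceptions.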
@@ -2874,7 +2875,7 @@ def _install(options):
 cli_domain, cli_server, dnsok,
 options, nosssd_files[configurer.__name__])
 if retcode:
-return CLIENT_INSTALL_ERROR
+raise ScriptError(rval=CLIENT_INSTALL_ERROR)
 if conf:
 root_logger.info(
 "%s configured using configuration file(s) %s",
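Review bot: `raise ScriptError(rval=CLIENT_INSTALL_ERROR)` carries no message, so unless the configurer already logged why `retcode` was non-zero the user gets a failure with no explanation; `ScriptError("%s configuration failed" % configurer.__name__, rval=CLIENT_INSTALL_ERROR)` would match the other conversions in this patch, which all name the failed step.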

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2017-01-06 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/8db5b277a079fdfe5efbd7d49311f14489cee0e8
https://fedorahosted.org/freeipa/changeset/fb7c111ac13510609e2cba14ecf88cd2ed291a4b
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-270855325

[Freeipa-devel] [freeipa PR#317][+pushed] Unify password generation across FreeIPA

2017-01-06 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

Label: +pushed

[Freeipa-devel] [freeipa PR#317][closed] Unify password generation across FreeIPA

2017-01-06 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/317
Author: stlaz
 Title: #317: Unify password generation across FreeIPA
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/317/head:pr317
git checkout pr317

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2017-01-06 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

stlaz commented:
"""
I don't see any merge conflicts and the rebase was automatic so I don't see 
why, but ok. Just note that ipatool may be confused with me committing 
@pspacek's commit as he was the author of the main code and I put it to work 
with the rest of IPA.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-270853592

[Freeipa-devel] [freeipa PR#317][synchronized] Unify password generation across FreeIPA

2017-01-06 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/317
Author: stlaz
 Title: #317: Unify password generation across FreeIPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/317/head:pr317
git checkout pr317
From 5398133a228d57e10d94268b73faad24ababe777 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 6 Dec 2016 09:05:42 +0100
Subject: [PATCH 1/2] Unify password generation across FreeIPA

Also had to recalculate entropy of the passwords as originally,
probability of generating each character was 1/256, however the
default probability of each character in the ipa_generate_password
is 1/95 (1/94 for first and last character).

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/certs.py | 8 ++--
 ipaserver/install/dogtaginstance.py| 3 +--
 ipaserver/install/dsinstance.py| 5 +
 ipaserver/install/httpinstance.py  | 5 ++---
 ipaserver/install/server/replicainstall.py | 3 +--
 ipaserver/secrets/store.py | 2 +-
 6 files changed, 8 insertions(+), 18 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 02b03d4..414a716 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -25,7 +25,6 @@
 import xml.dom.minidom
 import pwd
 import base64
-from hashlib import sha1
 import fcntl
 import time
 import datetime
@@ -159,9 +158,6 @@ def set_perms(self, fname, write=False, uid=None):
 perms |= stat.S_IWUSR
 os.chmod(fname, perms)
 
-def gen_password(self):
-return sha1(ipautil.ipa_generate_password()).hexdigest()
-
 def run_certutil(self, args, stdin=None, **kwargs):
 return self.nssdb.run_certutil(args, stdin, **kwargs)
 
@@ -177,7 +173,7 @@ def create_noise_file(self):
 if ipautil.file_exists(self.noise_fname):
 os.remove(self.noise_fname)
 f = open(self.noise_fname, "w")
-f.write(self.gen_password())
+f.write(ipautil.ipa_generate_password(pwd_len=25))
 self.set_perms(self.noise_fname)
 
 def create_passwd_file(self, passwd=None):
@@ -186,7 +182,7 @@ def create_passwd_file(self, passwd=None):
 if passwd is not None:
 f.write("%s\n" % passwd)
 else:
-f.write(self.gen_password())
+f.write(ipautil.ipa_generate_password(pwd_len=25))
 f.close()
 self.set_perms(self.passwd_fname)
 
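Review bot: `pwd_len=25` now appears twice in this file (the noise file in the hunk above and the password file here); hoist it into a named module constant so the two cannot drift apart. It is also worth a line in the commit message that dropping `gen_password()` changes the content of both files from a 40-character SHA-1 hex digest to the raw generated password, i.e. from `[0-9a-f]` to the full printable set, since anything that reads these files expecting hex will now see arbitrary characters.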
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index f4856c7..dc4b5b0 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -18,7 +18,6 @@
 #
 
 import base64
-import binascii
 import ldap
 import os
 import shutil
@@ -428,7 +427,7 @@ def __add_admin_to_group(self, group):
 
 def setup_admin(self):
 self.admin_user = "admin-%s" % self.fqdn
-self.admin_password = binascii.hexlify(os.urandom(16))
+self.admin_password = ipautil.ipa_generate_password(pwd_len=20)
 self.admin_dn = DN(('uid', self.admin_user),
('ou', 'people'), ('o', 'ipaca'))
 
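Review bot: `binascii.hexlify(os.urandom(16))` gave a 32-character hex string worth 128 bits; `ipa_generate_password(pwd_len=20)` is roughly 131 bits under the 1/95-per-character model from the commit message, so strength is preserved, but the character set widens from `[0-9a-f]` to all printable ASCII. Since `admin_password` is handed to Dogtag and used for LDAP, check that every consumer copes with quotes, backslashes, `%` and spaces (config-file substitution, shell arguments, and LDIF values that begin with a space, `:` or `<`, which RFC 2849 requires to be base64-encoded).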
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index a0fdc4a..89315b6 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -508,7 +508,7 @@ def __setup_sub_dict(self):
 idrange_size = None
 self.sub_dict = dict(FQDN=self.fqdn, SERVERID=self.serverid,
  PASSWORD=self.dm_password,
- RANDOM_PASSWORD=self.generate_random(),
+ RANDOM_PASSWORD=ipautil.ipa_generate_password(),
  SUFFIX=self.suffix,
  REALM=self.realm, USER=DS_USER,
  SERVER_ROOT=server_root, DOMAIN=self.domain,
@@ -775,9 +775,6 @@ def __host_nis_groups(self):
 def __add_enrollment_module(self):
 self._ldap_mod("enrollment-conf.ldif", self.sub_dict)
 
-def generate_random(self):
-return ipautil.ipa_generate_password()
-
 def __enable_ssl(self):
 dirname = config_dirname(self.serverid)
 dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index b7ce857..e8c706e 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -19,7 +19,6 @@
 
 from __future__ import print_function
 
-import binascii
 import os
 import os.path
 import pwd
@@ -314,9 +313,9 @@ def create_cert_db(self):
 ipautil.backup_file(nss_path)
 
 # Create the password file for this db
-hex_str = binascii.hexlify(os.urandom(10))
+password = ipautil.ipa_generate_password(pwd_len=15)
 f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
-os.write(f, hex_str)
+
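Review bot: `os.write(f, hex_str)` is removed and its replacement is cut off; `os.write` takes bytes, so on Python 3 the `str` returned by `ipa_generate_password` must be encoded (`password.encode('utf-8')`) before the write or this raises `TypeError`. Separately, the context line `f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)` passes no mode, so the NSS password file is created with the umask-derived default (typically 0644) before any later chmod; passing `0o600` as the third argument keeps the secret from ever being world-readable, even briefly.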

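The entropy recalculation the commit message describes, worked through as an added example (not FreeIPA's ipautil code): it assumes the 95-character middle set is printable ASCII 32..126 and the 94-character edge set drops the space, and models each replaced `hexlify(os.urandom(n))` call as 8*n bits.

```python
import math
import secrets

# Assumed character sets (not FreeIPA's actual ipautil tables): the commit
# message says 1/95 per middle character and 1/94 for the first and last.
MIDDLE_CHARS = "".join(chr(c) for c in range(32, 127))  # 95 printable ASCII
EDGE_CHARS = MIDDLE_CHARS.strip()                        # 94: space excluded

# Sites this patch changes, as (random bytes before, pwd_len after).
REPLACEMENTS = {
    "dogtaginstance.setup_admin": (16, 20),   # hexlify(urandom(16)) -> 20
    "httpinstance.create_cert_db": (10, 15),  # hexlify(urandom(10)) -> 15
}


def password_entropy_bits(pwd_len):
    """Entropy of a generated password under the 94/95/94 model."""
    if pwd_len < 2:
        raise ValueError("the first/last rule needs at least two characters")
    edge = 2 * math.log2(len(EDGE_CHARS))
    middle = (pwd_len - 2) * math.log2(len(MIDDLE_CHARS))
    return edge + middle


def urandom_hex_entropy_bits(nbytes):
    """hexlify(os.urandom(nbytes)) is 2*nbytes characters long but carries
    only 8 bits per random byte: each hex digit has 16 values, not 95."""
    return 8 * nbytes


def sha1_hex_entropy_bits(input_bits):
    """The removed gen_password() hashed the password with SHA-1, so its
    40 hex characters could never hold more than min(160, input) bits."""
    return min(160.0, input_bits)


def min_len_for_bits(target_bits):
    """Smallest pwd_len whose entropy is at least target_bits."""
    pwd_len = 2
    while password_entropy_bits(pwd_len) < target_bits:
        pwd_len += 1
    return pwd_len


def compare_replacements():
    """Old vs new entropy (bits) for every replacement site in the patch."""
    return {
        site: (urandom_hex_entropy_bits(nb), round(password_entropy_bits(pl), 1))
        for site, (nb, pl) in REPLACEMENTS.items()
    }


def generate_password(pwd_len=22):
    """Draw a password from the same distribution using a CSPRNG."""
    if pwd_len < 2:
        raise ValueError("need at least two characters")
    body = "".join(secrets.choice(MIDDLE_CHARS) for _ in range(pwd_len - 2))
    return secrets.choice(EDGE_CHARS) + body + secrets.choice(EDGE_CHARS)


if __name__ == "__main__":
    for site, (old, new) in compare_replacements().items():
        print("%-30s %6.1f -> %6.1f bits" % (site, old, new))
    print("pwd_len needed for 128 bits:", min_len_for_bits(128))
```
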
[Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication

2017-01-06 Thread Fraser Tweedale
Hi comrades,

I have written up the high-level details of the FreeIPA->Dogtag
GSS-API authentication design.  The goal is to improve security by
removing an egregious privilege separation violation: the RA Agent
cert.

There is a fair bit of work still to do on the Dogtag side but
things are shaping up there and it's time to work out the IPA
aspects.  The design is at:

  http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication

Right now, I need feedback about the Domain Level aspects: whether
it is the right approach, whether there are mechanisms to perform
update steps (specifically: LDAP updates and/or api calls) alongside
a DL bump, or if there aren't, how to deal with that (implement such
a mechanism, make admins do extra steps, ???).

Of course, any other general or specific feedback is welcome.

Thanks,
Fraser
