[Freeipa-devel] [freeipa PR#179][+pushed] Fix for handling CalledProcessError in authconfig

2017-01-17 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/179
Title: #179: Fix for handling CalledProcessError in authconfig

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#179][comment] Fix for handling CalledProcessError in authconfig

2017-01-17 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/179
Title: #179: Fix for handling CalledProcessError in authconfig

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6d52c0fe6acb09f3b8525840dfacc3f0885eac37
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/179#issuecomment-273407044

[Freeipa-devel] [freeipa PR#179][closed] Fix for handling CalledProcessError in authconfig

2017-01-17 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/179
Author: Akasurde
 Title: #179: Fix for handling CalledProcessError in authconfig
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/179/head:pr179
git checkout pr179

[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command

2017-01-17 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

HonzaCholasta commented:
"""
@mbasti-rh, no. Classes aren't named using unicode strings either.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/394#issuecomment-273395287

[Freeipa-devel] [freeipa PR#337][synchronized] Client-side CSR autogeneration (take 2)

2017-01-17 Thread LiptonB
   URL: https://github.com/freeipa/freeipa/pull/337
Author: LiptonB
 Title: #337: Client-side CSR autogeneration (take 2)
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/337/head:pr337
git checkout pr337
From 4ead459036761600c43c414cb91a21c591ad906a Mon Sep 17 00:00:00 2001
From: Ben Lipton 
Date: Tue, 5 Jul 2016 14:19:35 -0400
Subject: [PATCH 1/7] Add code to generate scripts that generate CSRs

Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899
---
 configure.ac   |   1 +
 freeipa.spec.in|   9 +
 install/share/Makefile.am  |   1 +
 install/share/csr/templates/ipa_macros.tmpl|  42 +++
 install/share/csrgen/Makefile.am   |  27 ++
 install/share/csrgen/templates/certutil_base.tmpl  |  14 +
 install/share/csrgen/templates/openssl_base.tmpl   |  35 +++
 install/share/csrgen/templates/openssl_macros.tmpl |  29 ++
 ipaclient/csrgen.py| 320 +
 ipaclient/plugins/csrgen.py| 116 
 ipalib/errors.py   |  28 ++
 ipaplatform/base/paths.py  |   1 +
 12 files changed, 623 insertions(+)
 create mode 100644 install/share/csr/templates/ipa_macros.tmpl
 create mode 100644 install/share/csrgen/Makefile.am
 create mode 100644 install/share/csrgen/templates/certutil_base.tmpl
 create mode 100644 install/share/csrgen/templates/openssl_base.tmpl
 create mode 100644 install/share/csrgen/templates/openssl_macros.tmpl
 create mode 100644 ipaclient/csrgen.py
 create mode 100644 ipaclient/plugins/csrgen.py

diff --git a/configure.ac b/configure.ac
index e8a4701..01fc81e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -530,6 +530,7 @@ AC_CONFIG_FILES([
 install/share/Makefile
 install/share/advise/Makefile
 install/share/advise/legacy/Makefile
+install/share/csrgen/Makefile
 install/share/profiles/Makefile
 install/share/schema.d/Makefile
 install/ui/Makefile
diff --git a/freeipa.spec.in b/freeipa.spec.in
index c4420a0..8396105 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -147,6 +147,7 @@ BuildRequires:  python-sssdconfig
 BuildRequires:  python-nose
 BuildRequires:  python-paste
 BuildRequires:  systemd-python
+BuildRequires:  python2-jinja2
 
 %if 0%{?with_python3}
 # FIXME: this depedency is missing - server will not work
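Review bot: `BuildRequires: python2-jinja2` is added unconditionally, but the `%if 0%{?with_python3}` block right below this hunk shows the spec also builds a Python 3 flavour; if ipaclient/csrgen.py is imported or tested under Python 3 during the build, the matching `python3-jinja2` BuildRequires (and the corresponding runtime Requires) needs to go inside that block, otherwise the py3 build will fail on import.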
@@ -602,6 +603,7 @@ Requires: python-dns >= 1.15
 Requires: python-enum34
 Requires: python-netifaces >= 0.10.4
 Requires: pyusb
+Requires: python2-jinja2
 
 Conflicts: %{alt_name}-python < %{version}
 
@@ -1208,6 +1210,13 @@ fi
 %{_usr}/share/ipa/advise/legacy/*.template
 %dir %{_usr}/share/ipa/profiles
 %{_usr}/share/ipa/profiles/*.cfg
+%dir %{_usr}/share/ipa/csrgen
+%dir %{_usr}/share/ipa/csrgen/templates
+%{_usr}/share/ipa/csrgen/templates/*.tmpl
+%dir %{_usr}/share/ipa/csrgen/profiles
+%{_usr}/share/ipa/csrgen/profiles/*.json
+%dir %{_usr}/share/ipa/csrgen/rules
+%{_usr}/share/ipa/csrgen/rules/*.json
 %dir %{_usr}/share/ipa/html
 %{_usr}/share/ipa/html/ffconfig.js
 %{_usr}/share/ipa/html/ffconfig_page.js
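Review bot: the new `%files` globs `csrgen/profiles/*.json` and `csrgen/rules/*.json` have no matching files in this commit's diffstat, which only creates templates and a Makefile.am under install/share/csrgen, so an rpmbuild of this commit on its own fails on the empty globs; either add the rule and profile files here or move these two `%files` entries to the patch in the series that adds them. Note also that the diffstat creates `install/share/csr/templates/ipa_macros.tmpl` (csr, not csrgen), which the `%{_usr}/share/ipa/csrgen/templates/*.tmpl` entry would not package.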
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 10de84d..715912d 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -2,6 +2,7 @@ NULL =
 
 SUBDIRS =  \
 	advise\
+	csrgen\
 	profiles			\
 	schema.d			\
 	$(NULL)
diff --git a/install/share/csr/templates/ipa_macros.tmpl b/install/share/csr/templates/ipa_macros.tmpl
new file mode 100644
index 000..e790d4e
--- /dev/null
+++ b/install/share/csr/templates/ipa_macros.tmpl
@@ -0,0 +1,42 @@
+{% set rendersyntax = {} %}
+
+{% set renderdata = {} %}
+
+{# Wrapper for syntax rules. We render the contents of the rule into a
+variable, so that if we find that none of the contained data rules rendered we
+can suppress the whole syntax rule. That is, a syntax rule is rendered either
+if no data rules are specified (unusual) or if at least one of the data rules
+rendered successfully. #}
+{% macro syntaxrule() -%}
+{% do rendersyntax.update(none=true, any=false) -%}
+{% set contents -%}
+{{ caller() -}}
+{% endset -%}
+{% if rendersyntax['none'] or rendersyntax['any'] -%}
+{{ contents -}}
+{% endif -%}
+{% endmacro %}
+
+{# Wrapper for data rules. A data rule is rendered only when all of the data
+fields it contains have data available. #}
+{% macro datarule() -%}
+{% do rendersyntax.update(none=false) -%}
+{% do renderdata.update(all=true) -%}
+{% set contents -%}
+{{ caller() -}}
+{% 
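Review bot: the macros use `{% do ... %}` statements (`{% do rendersyntax.update(none=true, any=false) -%}` and friends), which Jinja2 only parses when the `jinja2.ext.do` extension is enabled on the Environment; make sure ipaclient/csrgen.py builds its Environment with `extensions=['jinja2.ext.do']`, or every template that imports these macros fails with a TemplateSyntaxError. Separately, this file lands under install/share/csr/templates while the Makefile.am and spec hunks in the same commit use install/share/csrgen, so one of the two paths has to change.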

[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command

2017-01-17 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

mbasti-rh commented:
"""
Shouldn't namespaces be named using unicode strings?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/394#issuecomment-273275568

[Freeipa-devel] [freeipa PR#389][+ack] Fix build in mock

2017-01-17 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/389
Title: #389: Fix build in mock

Label: +ack

[Freeipa-devel] [freeipa PR#389][comment] Fix build in mock

2017-01-17 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/389
Title: #389: Fix build in mock

tomaskrizek commented:
"""
Thanks for the fix and explanation!
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/389#issuecomment-273206316

[Freeipa-devel] [freeipa PR#347][comment] Improvements in {get|set}_directive functions

2017-01-17 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/347
Title: #347: Improvements in {get|set}_directive functions

martbab commented:
"""
Thanks, I have fixed the docstrings. I have also made directive unquoting less 
silly.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/347#issuecomment-273194982

[Freeipa-devel] [freeipa PR#347][synchronized] Improvements in {get|set}_directive functions

2017-01-17 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/347
Author: martbab
 Title: #347: Improvements in {get|set}_directive functions
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/347/head:pr347
git checkout pr347
From 57a75bd8ea2ccfe7ef61759cfdf38201ae6d9579 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 16 Dec 2016 12:14:20 +0100
Subject: [PATCH 1/4] Fix the installutils.set_directive docstring

Add missing parameter descriptions and fix incorrect indentation

https://fedorahosted.org/freeipa/ticket/6354
---
 ipaserver/install/installutils.py | 13 -
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 0d8a574..7f96eb2 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -388,11 +388,14 @@ def set_directive(filename, directive, value, quotes=True, separator=' ',
 
 This has only been tested with nss.conf
 
-   :param directive: directive name
-   :param value: value of the directive
-   :param quotes: whether to quote `value` in `quote_char`. If true, then
-the `quote_char` are first escaped to avoid unparseable directives
-   :param quote_char: the character used for quoting `value`
+:param filename: input filename
+:param directive: directive name
+:param value: value of the directive
+:param quotes: whether to quote `value` in `quote_char`. If true, then
+the `quote_char` are first escaped to avoid unparseable directives.
+:param separator: character serving as separator between directive and
+value
+:param quote_char: the character used for quoting `value`
 """
 
 def format_directive(directive, value, separator, quotes, quote_char):
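Review bot: style only: the `:param quotes:` continuation "the `quote_char` are first escaped to avoid unparseable directives" reads awkwardly; "any `quote_char` occurrences in `value` are escaped first so the directive stays parseable" says the same thing more clearly. The docstring also still opens with "This has only been tested with nss.conf", which is worth revisiting now that the function is being generalised with a `separator` parameter.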

From 18af389f6a9dbb56ed6eeeb29ceed529b0d31619 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 16 Dec 2016 13:34:57 +0100
Subject: [PATCH 2/4] installutils: improve directive value parsing in
 `get_directive`

`get_directive` value parsing was improved in order to bring its logic
more in line with changes in `set_directive`: a specified quoting
character is now unquoted and stripped from the retrieved value. The
function will now also error out when a malformed directive is
encountered.

https://fedorahosted.org/freeipa/ticket/6460
---
 ipaserver/install/installutils.py | 19 +--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 7f96eb2..4f93372 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -436,16 +436,31 @@ def format_directive(directive, value, separator, quotes, quote_char):
 fd.close()
 os.chown(filename, st.st_uid, st.st_gid) # reset perms
 
+
 def get_directive(filename, directive, separator=' '):
 """
 A rather inefficient way to get a configuration directive.
+
+:param filename: input filename
+:param directive: directive name
+:param separator: separator between directive and value
+:param quote_char: the characters that are used in this particular config
+file to quote values. This character will be stripped and unescaped
+from the raw value.
+
+:returns: The (unquoted) value if the directive was found, None otherwise
 """
 fd = open(filename, "r")
 for line in fd:
 if line.lstrip().startswith(directive):
 line = line.strip()
-result = line.split(separator, 1)[1]
-result = result.strip('"')
+
+(directive, sep, value) = line.partition(separator)
+if not sep or not value:
+raise ValueError("Malformed directive: {}".format(line))
+
+result = value.strip().strip(quote_char)
+result = ipautil.unescape_seq(quote_char, result)[0]
 result = result.strip(' ')
 fd.close()
 return result
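Review bot: `quote_char` is referenced in the new body (`value.strip().strip(quote_char)` and `ipautil.unescape_seq(quote_char, result)`) and documented in the docstring, but the signature `def get_directive(filename, directive, separator=' ')` does not declare it, so any call that reaches a matching line raises NameError; add `quote_char='"'` to the signature to preserve the old default of stripping double quotes. Two smaller points: `line.lstrip().startswith(directive)` is a prefix match, so after `partition` the left-hand `directive` should be compared for equality with the requested name (otherwise `ServerName` also matches `ServerNameAlias`); and the new `raise ValueError(...)` path leaves `fd` open, which a `with open(filename, "r") as fd:` around the loop would fix for both the error and the not-found case.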

From 5451ea971cc60f57fb64f8a3c068ac9191fa37f8 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 10 Jan 2017 17:15:33 +0100
Subject: [PATCH 3/4] Delegate directive value quoting/unquoting to separate
 functions

Separate functions were added to installutils module to quote/unquote a
string in arbitrary characters.

`installutils.get/set_directive` functions will use them to enclose
the directive values in double quotes/strip the double quotes from
retrieved values to maintain the original behavior.

These functions can also be used for custom quoting/unquoting of
retrieved values when desired.

https://fedorahosted.org/freeipa/ticket/6460
---
 ipaserver/install/installutils.py | 70 ---
 1 file changed, 43 insertions(+), 27 deletions(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 

[Freeipa-devel] [freeipa PR#396][comment] Explicitly remove support of SSLv2

2017-01-17 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/396
Title: #396: Explicitly remove support of SSLv2

tiran commented:
"""
* What is the point of supporting SSL 3.0, TLS 1.0 and TLS 1.1 on the client 
side these days? How about we remove ancient and potentially dangerous TLS 
versions completely?
* Would it be possible to validate the values during API initialization?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/396#issuecomment-273189049

[Freeipa-devel] [freeipa PR#359][synchronized] dogtag: search past the first 100 certificates

2017-01-17 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/359
Author: HonzaCholasta
 Title: #359: dogtag: search past the first 100 certificates
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/359/head:pr359
git checkout pr359
From fc2a2834236c3cf55bfa41d1f48d4d7c4044b01f Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 21 Dec 2016 09:55:40 +0100
Subject: [PATCH 1/2] dogtag: search past the first 100 certificates

Dogtag requires a size limit to be specified when searching for
certificates. When no limit is specified in the dogtag plugin, a limit of
100 entries is assumed. As a result, an unlimited certificate search
returns data only for a maximum of 100 certificates.

Raise the "unlimited" limit to the maximum value Dogtag accepts.

https://fedorahosted.org/freeipa/ticket/6564
---
 ipaserver/plugins/dogtag.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 73c14ed..f5f9ebe 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1914,7 +1914,7 @@ def convert_time(value):
 
 url = 'http://%s/ca/rest/certs/search?size=%d' % (
 ipautil.format_netloc(self.ca_host, 8080),
-options.get('sizelimit', 100))
+options.get('sizelimit', 0x7fff))
 
 opener = urllib.request.build_opener()
 opener.addheaders = [('Accept-Encoding', 'gzip, deflate'),
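Review bot: `0x7fff` is a magic number; the commit message describes it as "the maximum value Dogtag accepts", so give it a named module-level constant with a comment citing where that limit is defined on the Dogtag side. That lets the next reader verify the bound instead of guessing why this particular hex literal was chosen, and gives the `sizelimit + 1` arithmetic in cert.py something to check against.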

From 66ade174732375f5fcf9f3786939285810cb7eba Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 17 Jan 2017 14:34:33 +0100
Subject: [PATCH 2/2] cert: fix search limit handling in cert-find

If search limits are not specified in cert-find, use the configured limits.
This applies to the certificate search in the CA as well.

Detect and report if size limit was exceeded in the certificate search in
the CA.

Do not apply limits to the internal ca-find call.

https://fedorahosted.org/freeipa/ticket/6564
---
 ipaserver/plugins/cert.py | 21 +
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index d8bfc1c..c5ed9bf 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1304,8 +1304,10 @@ def _ca_search(self, all, raw, pkey_only, sizelimit, exactly, **options):
 elif isinstance(value, DN):
 value = unicode(value)
 ra_options[name] = value
-if sizelimit:
-ra_options['sizelimit'] = sizelimit
+if sizelimit > 0:
+# Dogtag doesn't tell that the size limit was exceeded
+# search for one more entry so that we can tell ourselves
+ra_options['sizelimit'] = sizelimit + 1
 if exactly:
 ra_options['exactly'] = True
 
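Review bot: `if sizelimit > 0:` assumes an int, whereas the old `if sizelimit:` tolerated None; on Python 3 `None > 0` raises TypeError. The `execute` hunk in this patch only substitutes the configured limit when the caller passed None, so `_ca_search` can still receive None if `ldap2`'s configured size limit is itself unset; either normalise to 0 there or keep a `sizelimit is not None and sizelimit > 0` guard here. The comment would also read better as "Dogtag does not report that the size limit was exceeded, so request one extra entry and detect truncation ourselves".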
@@ -1319,11 +1321,16 @@ def _ca_search(self, all, raw, pkey_only, sizelimit, exactly, **options):
 raise
 return result, False, complete
 
-ca_objs = self.api.Command.ca_find()['result']
+ca_objs = self.api.Command.ca_find(timelimit=0, sizelimit=0)['result']
 ca_objs = {DN(ca['ipacasubjectdn'][0]): ca for ca in ca_objs}
 
 ra = self.api.Backend.ra
 for ra_obj in ra.find(ra_options):
+if sizelimit > 0 and len(result) >= sizelimit:
+self.add_message(messages.SearchResultTruncated(
+reason=errors.SizeLimitExceeded()))
+break
+
 issuer = DN(ra_obj['issuer'])
 serial_number = ra_obj['serial_number']
 
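Review bot: checking `len(result) >= sizelimit` before the current `ra_obj` is processed is consistent with requesting `sizelimit + 1` entries above, but the only return statement visible in this function, `return result, False, complete`, hard-codes the truncated flag to False; after the `break`, make sure the value returned to `execute` reflects the truncation, since `execute` reports `truncated=` to the caller and the `SearchResultTruncated` message alone does not set it.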
@@ -1453,6 +1460,12 @@ def execute(self, criteria=None, all=False, raw=False, pkey_only=False,
 if criteria is not None:
 return dict(result=[], count=0, truncated=False)
 
+# respect the configured search limits
+if timelimit is None:
+timelimit = self.api.Backend.ldap2.time_limit
+if sizelimit is None:
+sizelimit = self.api.Backend.ldap2.size_limit
+
 result = collections.OrderedDict()
 truncated = False
 complete = False
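Review bot: this hunk reads `self.api.Backend.ldap2.time_limit` and `ldap2.size_limit`, while the other synchronized copy of this PR in the digest (commit f7f2d04) reads `ldap2.timelimit` and `ldap2.sizelimit`; only one spelling exists on the backend, and the wrong one raises AttributeError solely on the default path (cert-find invoked without `--timelimit`/`--sizelimit`), which tests that always pass explicit limits will not exercise. Verify the attribute names against the ldap2 backend and add a test that calls `cert-find` with no limit options.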
@@ -1470,7 +1483,7 @@ def execute(self, criteria=None, all=False, raw=False, pkey_only=False,
 **options)
 
 if sub_complete:
-sizelimit = None
+sizelimit = 0
 
 for key in tuple(result):
 if key not in sub_result:

[Freeipa-devel] [freeipa PR#390][+ack] WebUI: Fix Coverity JS bugs

2017-01-17 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/390
Title: #390: WebUI: Fix Coverity JS bugs

Label: +ack

[Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates

2017-01-17 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/359
Title: #359: dogtag: search past the first 100 certificates

HonzaCholasta commented:
"""
I have identified some issues in search limit handling in `cert-find` and fixed 
them in an additional commit. See commit message for details.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/359#issuecomment-273166075

[Freeipa-devel] [freeipa PR#359][synchronized] dogtag: search past the first 100 certificates

2017-01-17 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/359
Author: HonzaCholasta
 Title: #359: dogtag: search past the first 100 certificates
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/359/head:pr359
git checkout pr359
From fc2a2834236c3cf55bfa41d1f48d4d7c4044b01f Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 21 Dec 2016 09:55:40 +0100
Subject: [PATCH 1/2] dogtag: search past the first 100 certificates

Dogtag requires a size limit to be specified when searching for
certificates. When no limit is specified in the dogtag plugin, a limit of
100 entries is assumed. As a result, an unlimited certificate search
returns data only for a maximum of 100 certificates.

Raise the "unlimited" limit to the maximum value Dogtag accepts.

https://fedorahosted.org/freeipa/ticket/6564
---
 ipaserver/plugins/dogtag.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 73c14ed..f5f9ebe 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1914,7 +1914,7 @@ def convert_time(value):
 
 url = 'http://%s/ca/rest/certs/search?size=%d' % (
 ipautil.format_netloc(self.ca_host, 8080),
-options.get('sizelimit', 100))
+options.get('sizelimit', 0x7fff))
 
 opener = urllib.request.build_opener()
 opener.addheaders = [('Accept-Encoding', 'gzip, deflate'),

From f7f2d04e550f997108f7a2177c50a8816d769b86 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 17 Jan 2017 14:34:33 +0100
Subject: [PATCH 2/2] cert: fix search limit handling in cert-find

If search limits are not specified in cert-find, use the configured limits.
This applies to the certificate search in the CA as well.

Detect and report if size limit was exceeded in the certificate search in
the CA.

Do not apply limits to the internal ca-find call.

https://fedorahosted.org/freeipa/ticket/6564
---
 ipaserver/plugins/cert.py | 21 +
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index d8bfc1c..f4ba630 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1304,8 +1304,10 @@ def _ca_search(self, all, raw, pkey_only, sizelimit, exactly, **options):
 elif isinstance(value, DN):
 value = unicode(value)
 ra_options[name] = value
-if sizelimit:
-ra_options['sizelimit'] = sizelimit
+if sizelimit > 0:
+# Dogtag doesn't tell that the size limit was exceeded
+# search for one more entry so that we can tell ourselves
+ra_options['sizelimit'] = sizelimit + 1
 if exactly:
 ra_options['exactly'] = True
 
@@ -1319,11 +1321,16 @@ def _ca_search(self, all, raw, pkey_only, sizelimit, exactly, **options):
 raise
 return result, False, complete
 
-ca_objs = self.api.Command.ca_find()['result']
+ca_objs = self.api.Command.ca_find(timelimit=0, sizelimit=0)['result']
 ca_objs = {DN(ca['ipacasubjectdn'][0]): ca for ca in ca_objs}
 
 ra = self.api.Backend.ra
 for ra_obj in ra.find(ra_options):
+if sizelimit > 0 and len(result) >= sizelimit:
+self.add_message(messages.SearchResultTruncated(
+reason=errors.SizeLimitExceeded()))
+break
+
 issuer = DN(ra_obj['issuer'])
 serial_number = ra_obj['serial_number']
 
@@ -1453,6 +1460,12 @@ def execute(self, criteria=None, all=False, raw=False, pkey_only=False,
 if criteria is not None:
 return dict(result=[], count=0, truncated=False)
 
+# respect the configured search limits
+if timelimit is None:
+timelimit = self.api.Backend.ldap2.timelimit
+if sizelimit is None:
+sizelimit = self.api.Backend.ldap2.sizelimit
+
 result = collections.OrderedDict()
 truncated = False
 complete = False
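Review bot: this version of the hunk uses `ldap2.timelimit` / `ldap2.sizelimit`, whereas the earlier copy of the same patch in this digest (commit 66ade17) uses `ldap2.time_limit` / `ldap2.size_limit`; the two cannot both be right. Whichever spelling the ldap2 backend actually exposes, the mismatch only surfaces when neither limit option is passed, so add a test for that default path rather than relying on the existing ones.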
@@ -1470,7 +1483,7 @@ def execute(self, criteria=None, all=False, raw=False, pkey_only=False,
 **options)
 
 if sub_complete:
-sizelimit = None
+sizelimit = 0
 
 for key in tuple(result):
 if key not in sub_result:

[Freeipa-devel] [freeipa PR#373][synchronized] ipaplatform: Add Debian platform module.

2017-01-17 Thread tjaalton
   URL: https://github.com/freeipa/freeipa/pull/373
Author: tjaalton
 Title: #373: ipaplatform: Add Debian platform module.
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/373/head:pr373
git checkout pr373
From 6b490e2c4165215f0d6b9b08676661c4c9d4abd6 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Thu, 5 Jan 2017 12:41:08 +0200
Subject: [PATCH] ipaplatform: Add Debian platform module.

v2:
- use redhat_services.redhat_system_units.copy
- don't use wildcard imports
- add some empty lines to make pep8 happy

v3:
- make parse_ipa_version static

v4:
- make more methods static

v5:
- fix pylint issues
- use syntax that doesn't break with python3

v6:
- remove IPA_GETKEYTAB from paths, it's the same across distros
---
 ipaplatform/base/tasks.py   |   3 +-
 ipaplatform/debian/__init__.py  |   7 ++
 ipaplatform/debian/constants.py |  25 ++
 ipaplatform/debian/paths.py |  96 +
 ipaplatform/debian/services.py  | 184 
 ipaplatform/debian/tasks.py |  50 +++
 ipaplatform/setup.py|   1 +
 7 files changed, 365 insertions(+), 1 deletion(-)
 create mode 100644 ipaplatform/debian/__init__.py
 create mode 100644 ipaplatform/debian/constants.py
 create mode 100644 ipaplatform/debian/paths.py
 create mode 100644 ipaplatform/debian/services.py
 create mode 100644 ipaplatform/debian/tasks.py

diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 702da6b..8cf6fde 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -227,7 +227,8 @@ def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, co
 else:
 log.debug('user %s exists', name)
 
-def parse_ipa_version(self, version):
+@staticmethod
+def parse_ipa_version(version):
 """
 :param version: textual version
 :return: object implementing proper __cmp__ method for version compare
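Review bot: turning `parse_ipa_version` into a `@staticmethod` on the base class is fine, but every platform module that overrides it must carry the same decorator (the v3 note says the Debian one does); an override left as an instance method would receive the version string as `self` when called through the class. A grep for other `def parse_ipa_version` definitions across ipaplatform is worth doing before merge.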
diff --git a/ipaplatform/debian/__init__.py b/ipaplatform/debian/__init__.py
new file mode 100644
index 000..6305270
--- /dev/null
+++ b/ipaplatform/debian/__init__.py
@@ -0,0 +1,7 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+"""
+This module contains Debian specific platform files.
+"""
diff --git a/ipaplatform/debian/constants.py b/ipaplatform/debian/constants.py
new file mode 100644
index 000..1edcb5a
--- /dev/null
+++ b/ipaplatform/debian/constants.py
@@ -0,0 +1,25 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+'''
+This Debian family platform module exports platform dependant constants.
+'''
+
+# Fallback to default path definitions
+from ipaplatform.base.constants import BaseConstantsNamespace
+
+
+class DebianConstantsNamespace(BaseConstantsNamespace):
+HTTPD_USER = "www-data"
+NAMED_USER = "bind"
+NAMED_GROUP = "bind"
+# ntpd init variable used for daemon options
+NTPD_OPTS_VAR = "NTPD_OPTS"
+# quote used for daemon options
+NTPD_OPTS_QUOTE = "\'"
+ODS_USER = "opendnssec"
+ODS_GROUP = "opendnssec"
+SECURE_NFS_VAR = "NEED_GSSD"
+
+constants = DebianConstantsNamespace()
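Review bot: `NTPD_OPTS_QUOTE = "\'"` escapes a single quote that needs no escaping inside a double-quoted string; `"'"` is clearer. The module docstring also uses `'''` while the other new files in this patch use `"""`, and "platform dependant" should be "platform dependent".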
diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
new file mode 100644
index 000..5cbe9b8
--- /dev/null
+++ b/ipaplatform/debian/paths.py
@@ -0,0 +1,96 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+"""
+This Debian base platform module exports default filesystem paths as common
+in Debian-based systems.
+"""
+
+# Fallback to default path definitions
+from ipaplatform.base.paths import BasePathNamespace
+import sysconfig
+
+MULTIARCH = sysconfig.get_config_var('MULTIARCH')
+
+class DebianPathNamespace(BasePathNamespace):
+BIN_HOSTNAMECTL = "/usr/bin/hostnamectl"
+AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
+ETC_HTTPD_DIR = "/etc/apache2"
+HTTPD_ALIAS_DIR = "/etc/apache2/nssdb"
+ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc"
+ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt"
+HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/"
+HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/apache2/conf-enabled/ipa-kdc-proxy.conf"
+HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf"
+HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
+HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
+HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
+IPA_KEYTAB = "/etc/apache2/ipa.keytab"
+HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
+NAMED_CONF = "/etc/bind/named.conf"
+NAMED_VAR_DIR = "/var/cache/bind"
+NAMED_KEYTAB = "/etc/bind/named.keytab"
+NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones"
+NAMED_ROOT_KEY = "/etc/bind/bind.keys"
+NAMED_BINDKEYS_FILE = "/etc/bind/bind.keys"
+NAMED_MANAGED_KEYS_DIR = 
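Review bot: `import sysconfig` (stdlib) should precede the `ipaplatform.base.paths` import, and `MULTIARCH` is computed at import time but not used anywhere in the visible part of the file; if it only feeds one or two paths further down, a comment saying so would help. On the Debian layout conf-enabled/ is meant to hold symlinks into conf-available/, yet `HTTPD_IPA_KDCPROXY_CONF_SYMLINK`, `HTTPD_IPA_PKI_PROXY_CONF` and `HTTPD_IPA_CONF` point straight into conf-enabled/ while `HTTPD_IPA_REWRITE_CONF` points at conf-available/; writing real files into conf-enabled/ works, but `a2disconf` cannot manage them, so the mixed convention deserves a comment. `HTTPD_CONF_D_DIR` also carries a trailing slash that none of the other directory constants do.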

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-01-17 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
@lslebodn I think you misunderstood me. The PR adds a new build flavor that 
ignores and skips any server-related steps of the build process. The fact 
that this PR ignores the server part is actually a **feature**. :)

The last version of the patch now skips ```ipaserver``` subdir completely, too.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-273148073

[Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server

2017-01-17 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/364
Author: tiran
 Title: #364: Client-only builds with --disable-server
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/364/head:pr364
git checkout pr364
From aa6d89dc87261eac4e7a8d04ae464434a72138bf Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 3 Jan 2017 14:32:05 +0100
Subject: [PATCH] Client-only builds with --disable-server

https://fedorahosted.org/freeipa/ticket/6517
---
 Makefile.am  |   6 +-
 configure.ac | 253 +--
 server.m4| 119 
 3 files changed, 212 insertions(+), 166 deletions(-)
 create mode 100644 server.m4

diff --git a/Makefile.am b/Makefile.am
index 9bfc899..24d31c8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,11 @@
 ACLOCAL_AMFLAGS = -I m4
 
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po
+SUBDIRS = asn1 util client contrib $(IPACLIENT_SUBDIRS) ipaplatform ipatests po
+
+if ENABLE_SERVER
+SUBDIRS += daemons init install ipaserver
+endif
 
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
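Review bot: with `SUBDIRS += daemons init install ipaserver` inside the conditional, the server directories are now recursed after `ipatests` and `po` instead of before `$(IPACLIENT_SUBDIRS)` as on the removed line; automake processes SUBDIRS in order, so confirm that nothing in ipatests or po depends on artifacts produced by install/ or daemons/. If the order matters, keep the conditional but splice the server directories back into their original position.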
diff --git a/configure.ac b/configure.ac
index e8a4701..e83b9f6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -24,6 +24,17 @@ LT_INIT
 
 AC_HEADER_STDC
 
+PKG_PROG_PKG_CONFIG
+
+AC_ARG_ENABLE([server],
+[  --disable-serverDisable server support],
+[case "${enableval}" in
+  yes) enable_server=true ;;
+  no)  enable_server=false ;;
+  *) AC_MSG_ERROR([bad value ${enableval} for --disable-server]) ;;
+esac],[enable_server=true])
+AM_CONDITIONAL([ENABLE_SERVER], [test x$enable_server = xtrue])
+
 AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
 
 dnl ---
@@ -33,37 +44,10 @@ PKG_CHECK_MODULES([NSPR], [nspr])
 PKG_CHECK_MODULES([NSS], [nss])
 
 dnl ---
-dnl - Check for DS slapi plugin
-dnl ---
-
-# Need to hack CPPFLAGS to be able to correctly detetct slapi-plugin.h
-SAVE_CPPFLAGS=$CPPFLAGS
-CPPFLAGS=$NSPR_CFLAGS
-AC_CHECK_HEADER(dirsrv/slapi-plugin.h)
-if test "x$ac_cv_header_dirsrv_slapi-plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
-fi
-AC_CHECK_HEADER(dirsrv/repl-session-plugin.h)
-if test "x$ac_cv_header_dirsrv_repl_session_plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
-fi
-CPPFLAGS=$SAVE_CPPFLAGS
-
-if test "x$ac_cv_header_dirsrv_slapi_plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required DS slapi plugin header not available (fedora-ds-base-devel)])
-fi
-
-dnl ---
 dnl - Check for KRB5
 dnl ---
 
 PKG_CHECK_MODULES([KRB5], [krb5])
-AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])])
-AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])])
-KRAD_LIBS="-lkrad"
-krb5rundir="${localstatedir}/run/krb5kdc"
-AC_SUBST(KRAD_LIBS)
-AC_SUBST(krb5rundir)
 
 dnl ---
 dnl - Check for OpenLDAP SDK
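Review bot: the removed 389-ds block carries a pre-existing defect that should not be moved verbatim into `server.m4`: the first test reads `$ac_cv_header_dirsrv_slapi-plugin_h`, which is not a valid shell variable name (the cache variable autoconf sets is `ac_cv_header_dirsrv_slapi_plugin_h`, the form the third check uses), so that `AC_MSG_ERROR` could never fire and the duplicated check can be dropped when the code lands in the new file. `server.m4` itself is not in this excerpt, so also confirm that `KRAD_LIBS` and `krb5rundir` are still `AC_SUBST`ed for server builds; any Makefile.am that references them would otherwise see empty values.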
@@ -101,69 +85,6 @@ if test "x$PYTHON" = "x" ; then
 fi
 
 dnl ---
-dnl Check for ndr_krb5pac and other samba libraries
-dnl ---
-
-PKG_PROG_PKG_CONFIG()
-PKG_CHECK_MODULES([TALLOC], [talloc])
-PKG_CHECK_MODULES([TEVENT], [tevent])
-PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac])
-PKG_CHECK_MODULES([NDRNBT], [ndr_nbt])
-PKG_CHECK_MODULES([NDR], [ndr])
-PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
-SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba"
-AC_SUBST(SAMBA40EXTRA_LIBPATH)
-
-bck_cflags="$CFLAGS"
-CFLAGS="$NDRPAC_CFLAGS"
-AC_CHECK_MEMBER(
-[struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid],
-[AC_DEFINE([HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP], [1],
-   [struct PAC_DOMAIN_GROUP_MEMBERSHIP is available.])],
-[AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])],
- [[#include 
-   #include ]])
-
-CFLAGS="$bck_cflags"
-
-LIBPDB_NAME=""
-AC_CHECK_LIB([samba-passdb],
- [make_pdb_method],
- [LIBPDB_NAME="samba-passdb"; HAVE_LIBPDB=1],
- [LIBPDB_NAME="pdb"],
- [$SAMBA40EXTRA_LIBPATH])
-
-if test "x$LIB_PDB_NAME" = "xpdb" ; then
-  AC_CHECK_LIB([$LIBPDB_NAME],
-   
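Review bot: the Samba block being removed has the same kind of latent bug: `if test "x$LIB_PDB_NAME" = "xpdb"` tests a variable that is never assigned, while the assignment just above sets `LIBPDB_NAME`, so the fallback `AC_CHECK_LIB` for plain `pdb` was unreachable. Fix the spelling when the block is moved into `server.m4`. The hunk is cut off in this archive, so the remainder of the move cannot be reviewed here.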

[Freeipa-devel] [freeipa PR#389][comment] Fix build in mock

2017-01-17 Thread lslebodn
  URL: https://github.com/freeipa/freeipa/pull/389
Title: #389: Fix build in mock

lslebodn commented:
"""
@tiran or @pvomacka, @tomaskrizek  It would be good if you could test/ack the 
latest version of the patch.
Because currently it is not possible to build FreeIPA with the upstream spec file 
in mock, which blocks reasonable testing with static analysers.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/389#issuecomment-273147279
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] Stageuser API

2017-01-17 Thread Alexander Bokovoy

On Tue, 17 Jan 2017, Christian Heimes wrote:

On 2017-01-17 12:56, David Kupka wrote:

Hi Christian,
uniqueness of uid is not checked in staging area on purpose, it may be
changed multiple times before the stageuser is transformed into user
(activated). The uid uniqueness is then checked during activation.

Third party application that use FreeIPA's LDAP should:
1) search for users (and usercertificate attribute) only in
cn=users,cn=accounts
2) respect the value of nsAccountLock that is set to true for all staged
users.

But it would be nice to have this scenario (stageuser.uid == user.uid)
implemented as a part of [1].


Can we safely assume that all parts of FreeIPA, Kerberos and all 3rd
party application *always* use the FreeIPA API or LDAP to validate a
user cert? Some applications may just validate the certificate and
OCSP/CRL for client cert authentication with e.g. mod_ssl.

Consider this scenario:

1) IT issues a smart card for a staging user. The smart card contains a
valid private/public key pair for FreeIPA.
2) HR sends the smart card to a new hire.
3) HR creates a standard user with same login as staging user
4) New hire uses the smart card to log into a system that only verifies
validity of cert (signature, dates, OCSP status) and uses subject to
identify user.

The certificate validity for a future users should have
validity.notBefore property set.  A login before that time should not be
possible with systems like (4) describes.


Even if we 'fix' the issue with non-unique UIDs in staging, it stays
dangerous to hand a valid certificate to a not-yet-valid user. At least
we should try to reduce risks with a couple of measures:

* Add a "valid from" field to stage users and set the cert's valid from
date accordingly. That renders the public key useless until the
estimated first day on the job.

According to RFC 3280, validity is the mandatory part of the X.509
certificate. Granted, certmonger does not allow you to set
validity.notBefore to some externally defined value, but this is
something we could implement. You can already achieve that with your own
certificate signing request. And in this case we deal with externally
provided user certificates, so we could have no ability to influence
what happens at all.


* Lock the smart card with a PIN and don't release the PIN until the
user has been moved from staging area to user area. This arrangement
makes the smart card inaccessible. We could use the KRA to store the PIN.

This is just a process, not a technical solution. Someone needs to
communicate the PIN separately from the smart card to a new hire anyway.


--
/ Alexander Bokovoy

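The mapping rules discussed in this thread (search only cn=users,cn=accounts, compare certificate bytes rather than the subject, honour nsAccountLock, and give a staged user's certificate a notBefore equal to the first working day), as an added Python model that is not FreeIPA code and not code from anyone in this thread; the in-memory directory, the DN layout of the staging container, the certificate byte strings and the dates are all constructed:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed suffix and containers; the DN layout is assumed, not taken from FreeIPA.
BASE_DN = "dc=example,dc=test"
USERS_CONTAINER = "cn=users,cn=accounts," + BASE_DN
STAGING_CONTAINER = "cn=staged users,cn=accounts,cn=provisioning," + BASE_DN


@dataclass
class Cert:
    """Stand-in for a parsed X.509 cert; 'der' is the opaque byte string a relying
    party compares against usercertificate (constructed, not real DER)."""
    subject_cn: str
    not_before: datetime
    not_after: datetime
    der: bytes


@dataclass
class Entry:
    dn: str
    uid: str
    usercertificate: List[bytes] = field(default_factory=list)
    nsaccountlock: bool = False


def _under(dn: str, container: str) -> bool:
    # DNs are case-insensitive; a suffix test is enough for this in-memory model.
    return dn.lower().endswith("," + container.lower())


def lookup_by_subject(directory: List[Entry], cert: Cert) -> List[Entry]:
    """The fragile mapping from Christian's scenario: trust the subject CN as the
    login name and search the whole tree, so a staged and an active 'jdoe' collide."""
    return [e for e in directory if e.uid.lower() == cert.subject_cn.lower()]


def lookup_by_cert(directory: List[Entry], cert: Cert, now: datetime) -> Optional[Entry]:
    """Mapping that follows David's advice plus the validity check: only
    cn=users,cn=accounts, exact certificate bytes, nsAccountLock honoured,
    validity window enforced. None means 'refuse the login'."""
    if not (cert.not_before <= now <= cert.not_after):
        return None
    matches = [e for e in directory
               if _under(e.dn, USERS_CONTAINER) and cert.der in e.usercertificate]
    if len(matches) != 1:              # unknown or ambiguous certificate: refuse
        return None
    return None if matches[0].nsaccountlock else matches[0]


def activate(directory: List[Entry], staged: Entry) -> Entry:
    """Model of stageuser activation: uid uniqueness is enforced only at this point."""
    if any(_under(e.dn, USERS_CONTAINER) and e.uid.lower() == staged.uid.lower()
           for e in directory):
        raise ValueError("uid %s already exists under %s" % (staged.uid, USERS_CONTAINER))
    directory.remove(staged)
    active = Entry("uid=%s,%s" % (staged.uid, USERS_CONTAINER), staged.uid,
                   list(staged.usercertificate), nsaccountlock=False)
    directory.append(active)
    return active


def build_scenario():
    """Constructed data: an active 'jdoe' exists when IT stages an unrelated new
    'jdoe' whose smart-card cert is valid only from the planned first day."""
    today = datetime(2017, 1, 17, tzinfo=timezone.utc)
    first_day = today + timedelta(days=14)
    existing_cert = Cert("jdoe", today - timedelta(days=365),
                         today + timedelta(days=365), b"constructed-der-existing-jdoe")
    staged_cert = Cert("jdoe", first_day, first_day + timedelta(days=730),
                       b"constructed-der-new-hire-jdoe")
    existing = Entry("uid=jdoe," + USERS_CONTAINER, "jdoe", [existing_cert.der])
    staged = Entry("uid=jdoe," + STAGING_CONTAINER, "jdoe", [staged_cert.der],
                   nsaccountlock=True)
    return [existing, staged], existing, staged, staged_cert, today, first_day


def run_scenario() -> dict:
    """Walk the scenario and return observations keyed by step."""
    directory, existing, staged, staged_cert, today, first_day = build_scenario()
    out = {}
    out["subject_matches"] = len(lookup_by_subject(directory, staged_cert))   # 2
    out["staged_before_activation"] = lookup_by_cert(directory, staged_cert, first_day)
    try:
        activate(directory, staged)
        out["activation_with_clash"] = "ok"
    except ValueError:
        out["activation_with_clash"] = "refused"
    directory.remove(existing)                 # the old jdoe leaves the company
    new_entry = activate(directory, staged)
    out["day_one"] = lookup_by_cert(directory, staged_cert, first_day) is new_entry
    out["too_early"] = lookup_by_cert(directory, staged_cert, today)
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(step, "->", result)
```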


[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-01-17 Thread lslebodn
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
I'm fine with ignoring the Python-related parts, but it should be documented. But you 
might ask other FreeIPA developers (maybe on freeipa-devel).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-273135814

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-01-17 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
@lslebodn I like the idea of moving the server-related header and lib detection 
to a separate m4 file.

In server-less mode, I plan to ignore the Python server part completely.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-273130643

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-01-17 Thread lslebodn
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
I think it would be simpler to read the code without too many `AM_COND_IF()`. 
IMHO it would be simpler to move the C-related part to a separate file (e.g. 
`server_daemons.m4`) and conditionally include the file with `m4_include`.

I checked it very briefly; I might have missed something. How do you want to handle 
the Python server part?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-273126212

Re: [Freeipa-devel] Stageuser API

2017-01-17 Thread Christian Heimes
On 2017-01-17 12:56, David Kupka wrote:
> Hi Christian,
> uniqueness of uid is not checked in staging area on purpose, it may be
> changed multiple times before the stageuser is transformed into user
> (activated). The uid uniqueness is then checked during activation.
> 
> Third party application that use FreeIPA's LDAP should:
> 1) search for users (and usercertificate attribute) only in
> cn=users,cn=accounts
> 2) respect the value of nsAccountLock that is set to true for all staged
> users.
> 
> But it would be nice to have this scenario (stageuser.uid == user.uid)
> implemented as a part of [1].

Can we safely assume that all parts of FreeIPA, Kerberos and all 3rd
party applications *always* use the FreeIPA API or LDAP to validate a
user cert? Some applications may just validate the certificate and
OCSP/CRL for client cert authentication with e.g. mod_ssl.

Consider this scenario:

1) IT issues a smart card for a staging user. The smart card contains a
valid private/public key pair for FreeIPA.
2) HR sends the smart card to a new hire.
3) HR creates a standard user with the same login as the staging user.
4) The new hire uses the smart card to log into a system that only verifies
the validity of the cert (signature, dates, OCSP status) and uses the subject to
identify the user.


Even if we 'fix' the issue with non-unique UIDs in staging, it stays
dangerous to hand a valid certificate to a not-yet-valid user. At least
we should try to reduce risks with a couple of measures:

* Add a "valid from" field to stage users and set the cert's valid from
date accordingly. That renders the public key useless until the
estimated first day on the job.

* Lock the smart card with a PIN and don't release the PIN until the
user has been moved from staging area to user area. This arrangement
makes the smart card inaccessible. We could use the KRA to store the PIN.

Christian






[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-01-17 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tomaskrizek commented:
"""
I'm not really experienced with autotools, so I do not want to ack this PR 
without someone else taking a look. I'm also not sure about the best practices 
in this area. Perhaps @lslebodn could share his opinion on this change?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-273124050

[Freeipa-devel] [freeipa PR#179][+ack] Fix for handling CalledProcessError in authconfig

2017-01-17 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/179
Title: #179: Fix for handling CalledProcessError in authconfig

Label: +ack

[Freeipa-devel] [freeipa PR#179][comment] Fix for handling CalledProcessError in authconfig

2017-01-17 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/179
Title: #179: Fix for handling CalledProcessError in authconfig

tomaskrizek commented:
"""
Since there have been no suggestions for a more descriptive error message -> ack.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/179#issuecomment-273122903

[Freeipa-devel] [freeipa PR#179][comment] Fix for handling CalledProcessError in authconfig

2017-01-17 Thread Akasurde
  URL: https://github.com/freeipa/freeipa/pull/179
Title: #179: Fix for handling CalledProcessError in authconfig

Akasurde commented:
"""
@tomaskrizek Done.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/179#issuecomment-273122447

[Freeipa-devel] [freeipa PR#179][synchronized] Fix for handling CalledProcessError in authconfig

2017-01-17 Thread Akasurde
   URL: https://github.com/freeipa/freeipa/pull/179
Author: Akasurde
 Title: #179: Fix for handling CalledProcessError in authconfig
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/179/head:pr179
git checkout pr179
From 76df5889ddc0559134bdc184340941d87699d021 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Mon, 24 Oct 2016 10:50:03 +0530
Subject: [PATCH] Fix for handling CalledProcessError in authconfig

The NIS configuration error should be hidden from the user
while running ipa-client-install

Fixes https://fedorahosted.org/freeipa/ticket/5244

Signed-off-by: Abhijeet Kasurde 
---
 ipaplatform/redhat/authconfig.py | 18 +++---
 ipaplatform/redhat/paths.py  |  1 +
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/ipaplatform/redhat/authconfig.py b/ipaplatform/redhat/authconfig.py
index 7b06d58..db92016 100644
--- a/ipaplatform/redhat/authconfig.py
+++ b/ipaplatform/redhat/authconfig.py
@@ -18,11 +18,14 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
 
+from ipaplatform.paths import paths
 from ipapython import ipautil
+from ipapython.admintool import ScriptError
 import os
 
 FILES_TO_NOT_BACKUP = ['passwd', 'group', 'shadow', 'gshadow']
 
+
 class RedHatAuthConfig(object):
 """
 AuthConfig class implements system-independent interface to configure
@@ -85,10 +88,16 @@ def execute(self, update=True):
 self.add_option("update")
 
 args = self.build_args()
-ipautil.run(["/usr/sbin/authconfig"] + args)
+try:
+ipautil.run([paths.AUTHCONFIG] + args)
+except ipautil.CalledProcessError:
+raise ScriptError("Failed to execute authconfig command")
 
 def backup(self, path):
-ipautil.run(["/usr/sbin/authconfig", "--savebackup", path])
+try:
+ipautil.run([paths.AUTHCONFIG, "--savebackup", path])
+except ipautil.CalledProcessError:
+raise ScriptError("Failed to execute authconfig command")
 
 # do not backup these files since we don't want to mess with
 # users/groups during restore. Authconfig doesn't seem to mind about
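Review bot: the `except ipautil.CalledProcessError:` handler in `execute()` drops the original exception, so the return code and output of authconfig (the NIS failure the commit message wants to hide from the user) are lost for debugging as well; bind it (`except ipautil.CalledProcessError as e:`) and record `e.returncode` and the captured output at debug level before raising `ScriptError`. The same four lines are repeated in `backup()` and again in `restore()` in the next hunk; a single `_run_authconfig(args)` helper would keep the message and the logging in one place.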
@@ -101,4 +110,7 @@ def backup(self, path):
 pass
 
 def restore(self, path):
-ipautil.run(["/usr/sbin/authconfig", "--restorebackup", path])
+try:
+ipautil.run([paths.AUTHCONFIG, "--restorebackup", path])
+except ipautil.CalledProcessError:
+raise ScriptError("Failed to execute authconfig command")
diff --git a/ipaplatform/redhat/paths.py b/ipaplatform/redhat/paths.py
index b27b065..aaf71e2 100644
--- a/ipaplatform/redhat/paths.py
+++ b/ipaplatform/redhat/paths.py
@@ -33,6 +33,7 @@ class RedHatPathNamespace(BasePathNamespace):
 if sys.maxsize > 2**32:
 LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64
 PAM_KRB5_SO = BasePathNamespace.PAM_KRB5_SO_64
+AUTHCONFIG = '/usr/sbin/authconfig'
 
 
 paths = RedHatPathNamespace()
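Review bot: `AUTHCONFIG` is added to `RedHatPathNamespace` only, directly after the `if sys.maxsize > 2**32:` block; indentation is lost in this archive, so verify it sits at class level rather than inside that `if`, otherwise 32-bit builds would lack the attribute and `paths.AUTHCONFIG` in authconfig.py would raise `AttributeError` instead of running the command.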

Re: [Freeipa-devel] Stageuser API

2017-01-17 Thread Alexander Bokovoy

On Tue, 17 Jan 2017, Martin Basti wrote:



On 17.01.2017 12:38, Christian Heimes wrote:

On 2017-01-16 15:52, David Kupka wrote:

Hello everyone!

I've noticed that our API for stageuser is missing some commands that
user has (stageuser-{add,remove}-{principal,cert}). I was wondering if
there is reason for it but after asking some fellows developers it seems
that there's none.

I understand the stageuser area as a place where user entry can be
created and amended during the hiring process in organization, example:

1. HR creates the entry with just basic informations (givenname,
surname, manager)
2. IT assigns basic account information (uid, gid)
3. based on to-be-employee manager's request IT adds additional group
membership (memberOf)
4. based on to-be-employee request IT adds login alias (krbPrincipalName)
5. Security Officer adds certificate from Smart Card assigned to the
to-be-employee
6. HR adds extra information to the account (address, marital status, ...)
7. Facilities update work place related information (seat number, phone
number, ...)
8. At the first day IT activates the user account.

Considering this work flow I think it might be useful to have the same
API for stageuser as for the user.

Does the example work flow make sense?
Should we provide the same set of commands for user and stageuser?

I see one potential issue in your proposal. A stage user does not
reserve its user name. The unique index on uid excludes the staging user
and deleted user branch. Therefore it is possible to create a user with
the same login name as a staging user.

We either have to ensure that this name clash does not cause any trouble
with certificates or we have to enforce uniqueness of uid across the
whole tree. For FreeIPA it's probably fine because we compare certs
bytes. Third party applications parse the cert subject instead and use
the subject to identify a user.

Christian





AFAIK the non-uniques of stageuser and user names causes more pain 
than gain, this is not the first case when we have an issue with that. 
Maybe we should reevaluate this behavior and enforce uid uniqueness 
with stageusers too.


Note: we explicitly updated uniqueness plugin to allow conflicting 
names but I don't remember the reason from top of my head.

There might be workflows where an existing normal user would be deleted
and a new but completely separate stageuser would be promoted to a
normal one, both having the same name over an overlapping period of time.
In this case the non-uniqueness requirement is needed.

This is a fairly common situation for English-speaking countries with
rather short common surnames and a typical username built out of a
first name + surname combination.



--
/ Alexander Bokovoy



[Freeipa-devel] [freeipa PR#347][comment] Improvements in {get|set}_directive functions

2017-01-17 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/347
Title: #347: Improvements in {get|set}_directive functions

tomaskrizek commented:
"""
I still managed to find an issue for certain edge cases. See inline comments 
for more info.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/347#issuecomment-273119920

Re: [Freeipa-devel] Stageuser API

2017-01-17 Thread David Kupka

On 17/01/17 12:38, Christian Heimes wrote:

On 2017-01-16 15:52, David Kupka wrote:

Hello everyone!

I've noticed that our API for stageuser is missing some commands that
user has (stageuser-{add,remove}-{principal,cert}). I was wondering if
there is reason for it but after asking some fellows developers it seems
that there's none.

I understand the stageuser area as a place where user entry can be
created and amended during the hiring process in organization, example:

1. HR creates the entry with just basic informations (givenname,
surname, manager)
2. IT assigns basic account information (uid, gid)
3. based on to-be-employee manager's request IT adds additional group
membership (memberOf)
4. based on to-be-employee request IT adds login alias (krbPrincipalName)
5. Security Officer adds certificate from Smart Card assigned to the
to-be-employee
6. HR adds extra information to the account (address, marital status, ...)
7. Facilities update work place related information (seat number, phone
number, ...)
8. At the first day IT activates the user account.

Considering this work flow I think it might be useful to have the same
API for stageuser as for the user.

Does the example work flow make sense?
Should we provide the same set of commands for user and stageuser?


I see one potential issue in your proposal. A stage user does not
reserve its user name. The unique index on uid excludes the staging user
and deleted user branch. Therefore it is possible to create a user with
the same login name as a staging user.

We either have to ensure that this name clash does not cause any trouble
with certificates or we have to enforce uniqueness of uid across the
whole tree. For FreeIPA it's probably fine because we compare certs
bytes. Third party applications parse the cert subject instead and use
the subject to identify a user.

Christian





Hi Christian,
uniqueness of uid is not checked in the staging area on purpose; it may be 
changed multiple times before the stageuser is transformed into a user 
(activated). The uid uniqueness is then checked during activation.

Third-party applications that use FreeIPA's LDAP should:
1) search for users (and the usercertificate attribute) only in 
cn=users,cn=accounts
2) respect the value of nsAccountLock, which is set to true for all staged 
users.

But it would be nice to have this scenario (stageuser.uid == user.uid) 
implemented as a part of [1].

[1] https://fedorahosted.org/freeipa/ticket/6615

--
David Kupka



Re: [Freeipa-devel] Stageuser API

2017-01-17 Thread Martin Basti



On 17.01.2017 12:38, Christian Heimes wrote:

On 2017-01-16 15:52, David Kupka wrote:

Hello everyone!

I've noticed that our API for stageuser is missing some commands that
user has (stageuser-{add,remove}-{principal,cert}). I was wondering if
there is reason for it but after asking some fellows developers it seems
that there's none.

I understand the stageuser area as a place where user entry can be
created and amended during the hiring process in organization, example:

1. HR creates the entry with just basic informations (givenname,
surname, manager)
2. IT assigns basic account information (uid, gid)
3. based on to-be-employee manager's request IT adds additional group
membership (memberOf)
4. based on to-be-employee request IT adds login alias (krbPrincipalName)
5. Security Officer adds certificate from Smart Card assigned to the
to-be-employee
6. HR adds extra information to the account (address, marital status, ...)
7. Facilities update work place related information (seat number, phone
number, ...)
8. At the first day IT activates the user account.

Considering this work flow I think it might be useful to have the same
API for stageuser as for the user.

Does the example work flow make sense?
Should we provide the same set of commands for user and stageuser?

I see one potential issue in your proposal. A stage user does not
reserve its user name. The unique index on uid excludes the staging user
and deleted user branch. Therefore it is possible to create a user with
the same login name as a staging user.

We either have to ensure that this name clash does not cause any trouble
with certificates or we have to enforce uniqueness of uid across the
whole tree. For FreeIPA it's probably fine because we compare certs
bytes. Third party applications parse the cert subject instead and use
the subject to identify a user.

Christian





AFAIK the non-uniqueness of stageuser and user names causes more pain than 
gain; this is not the first case where we have an issue with that. Maybe 
we should reevaluate this behavior and enforce uid uniqueness for 
stageusers too.

Note: we explicitly updated the uniqueness plugin to allow conflicting names, 
but I don't remember the reason off the top of my head.


Martin^2

[Freeipa-devel] [freeipa PR#382][comment] [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

2017-01-17 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/382
Title: #382: [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

mbasti-rh commented:
"""
We had a discussion with @HonzaCholasta, and the IPA framework expects that 
everything is UTF-8 only, so even if we parse UTF-32 properly, the framework 
will answer in UTF-8 encoding. Maybe we should rather validate whether the input is 
UTF-8 compatible earlier and send a proper public error.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/382#issuecomment-273118134

[Freeipa-devel] [freeipa PR#397][opened] Improve wheel building and provide ipaserver wheel for local testing

2017-01-17 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: opened

PR body:
"""
The PR improves wheel bundle building and allows ipaserver bundles for local 
testing with an instrumented build of Python. Debug builds and instrumented builds can 
have a different binary interface (ABI). For example, it is useful for dtrace or 
test installations in a virtual env. ipaplatform and ipaserver will not be 
uploaded to PyPI, though.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 75f66caa69e86f590cdab1672ffc60447244d869 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:49:54 +0100
Subject: [PATCH 1/4] Conditionally import pyhbac

The pyhbac module is part of SSSD. It's not available as a stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tied into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditional. It's only necessary for the caacl and
hbactest plugins.

This makes it much easier to install ipaserver with an instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes 
---
 ipaserver/plugins/caacl.py| 11 ++-
 ipaserver/plugins/hbactest.py | 19 ---
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index a7817c4..691f4e9 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -2,7 +2,6 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import pyhbac
 import six
 
 from ipalib import api, errors, output
@@ -17,6 +16,11 @@
 from ipalib import _, ngettext
 from ipapython.dn import DN
 
+try:
+import pyhbac
+except ImportError:
+pyhbac = None
+
 if six.PY3:
 unicode = str
 
@@ -152,6 +156,11 @@ def _acl_make_rule(principal_type, obj):
 
 
 def acl_evaluate(principal_type, principal, ca_id, profile_id):
+if pyhbac is None:
+raise errors.ValidationError(
+name=_('missing pyhbac'),
+error=_('pyhbac is not available on the server.')
+)
 req = _acl_make_request(principal_type, principal, ca_id, profile_id)
 acls = api.Command.caacl_find(no_members=False)['result']
 rules = [_acl_make_rule(principal_type, obj) for obj in acls]
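Review bot: `errors.ValidationError` tells the client that a value it supplied was invalid, but `pyhbac is None` is a server deployment problem, and the `name=_('missing pyhbac')` argument is meant to carry the offending parameter's name; raise a server-side error class (or at least word the message as "server is missing pyhbac") so operators get an accurate signal and clients are not told their request was malformed. The identical check is added to hbactest.py's `execute()` in this same patch, so a shared `_require_pyhbac()` helper beside the conditional import would keep the two messages identical.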
diff --git a/ipaserver/plugins/hbactest.py b/ipaserver/plugins/hbactest.py
index 626e894..e156568 100644
--- a/ipaserver/plugins/hbactest.py
+++ b/ipaserver/plugins/hbactest.py
@@ -29,9 +29,14 @@
 except ImportError:
 _dcerpc_bindings_installed = False
 
-import pyhbac
 import six
 
+try:
+import pyhbac
+except ImportError:
+pyhbac = None
+
+
 if six.PY3:
 unicode = str
 
@@ -210,7 +215,7 @@
 
 register = Registry()
 
-def convert_to_ipa_rule(rule):
+def _convert_to_ipa_rule(rule):
 # convert a dict with a rule to an pyhbac rule
 ipa_rule = pyhbac.HbacRule(rule['cn'][0])
 ipa_rule.enabled = rule['ipaenabledflag'][0]
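Review bot: renaming the module-level `convert_to_ipa_rule` to `_convert_to_ipa_rule` is unrelated to the conditional import and is not mentioned in the commit message; if anything outside this module imports the old name, the rename is an API break, so either note it in the message or move it into a separate commit.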
@@ -309,6 +314,14 @@ def canonicalize(self, host):
 return host
 
 def execute(self, *args, **options):
+if pyhbac is None:
+raise errors.ValidationError(
+name=_('missing pyhbac'),
+error=_(
+'pyhbac is not available on the server.'
+)
+)
+
 # First receive all needed information:
 # 1. HBAC rules (whether enabled or disabled)
 # 2. Required options are (user, target host, service)
@@ -356,7 +369,7 @@ def execute(self, *args, **options):
 # --disabled will import all disabled rules
 # --rules will implicitly add the rules from a rule list
 for rule in hbacset:
-ipa_rule = convert_to_ipa_rule(rule)
+ipa_rule = _convert_to_ipa_rule(rule)
 if ipa_rule.name in testrules:
 ipa_rule.enabled = True
 rules.append(ipa_rule)

From 7e4d4ac4ce581b74fc6aa7d7a17b7e581590ee28 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:57:33 +0100
Subject: [PATCH 2/4] Add extra_requires for additional dependencies

ipaserver did not have extra_requires to state additional dependencies.

Signed-off-by: Christian Heimes 
---
 ipaserver/setup.py | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 1f1b424..1468a24 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -61,12 +61,6 @@
 "python-memcached",
 "python-nss",
 "six",
-# not available on PyPI
-# "python-libipa_hbac",
-# "python-sss",
- 
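Review bot: the setuptools keyword is `extras_require`, not `extra_requires` as the commit subject and body call it; this hunk only shows the three commented-out dependencies being removed and is cut off before the added lines, so verify the added keyword is spelled `extras_require` and that `python-libipa_hbac` and `python-sss` end up listed under an extra rather than silently dropped.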

Re: [Freeipa-devel] Stageuser API

2017-01-17 Thread Christian Heimes
On 2017-01-16 15:52, David Kupka wrote:
> Hello everyone!
> 
> I've noticed that our API for stageuser is missing some commands that
> user has (stageuser-{add,remove}-{principal,cert}). I was wondering if
> there is reason for it but after asking some fellows developers it seems
> that there's none.
> 
> I understand the stageuser area as a place where user entry can be
> created and amended during the hiring process in organization, example:
> 
> 1. HR creates the entry with just basic informations (givenname,
> surname, manager)
> 2. IT assigns basic account information (uid, gid)
> 3. based on to-be-employee manager's request IT adds additional group
> membership (memberOf)
> 4. based on to-be-employee request IT adds login alias (krbPrincipalName)
> 5. Security Officer adds certificate from Smart Card assigned to the
> to-be-employee
> 6. HR adds extra information to the account (address, marital status, ...)
> 7. Facilities update work place related information (seat number, phone
> number, ...)
> 8. At the first day IT activates the user account.
> 
> Considering this work flow I think it might be useful to have the same
> API for stageuser as for the user.
> 
> Does the example work flow make sense?
> Should we provide the same set of commands for user and stageuser?

I see one potential issue in your proposal. A stage user does not
reserve its user name. The unique index on uid excludes the staging user
and deleted user branch. Therefore it is possible to create a user with
the same login name as a staging user.

We either have to ensure that this name clash does not cause any trouble
with certificates or we have to enforce uniqueness of uid across the
whole tree. For FreeIPA it's probably fine because we compare the cert
bytes. Third-party applications parse the cert subject instead and use
the subject to identify a user.

Christian




Re: [Freeipa-devel] Stageuser API

2017-01-17 Thread Alexander Bokovoy

On Tue, 17 Jan 2017, Florence Blanc-Renaud wrote:

> On 01/16/2017 03:52 PM, David Kupka wrote:
> 
> > Hello everyone!
> > 
> > I've noticed that our API for stageuser is missing some commands that
> > user has (stageuser-{add,remove}-{principal,cert}). I was wondering if
> > there is a reason for it but after asking some fellow developers it seems
> > that there's none.
> > 
> > I understand the stageuser area as a place where user entry can be
> > created and amended during the hiring process in organization, example:
> > 
> > 1. HR creates the entry with just basic information (givenname,
> > surname, manager)
> > 2. IT assigns basic account information (uid, gid)
> > 3. based on to-be-employee manager's request IT adds additional group
> > membership (memberOf)
> > 4. based on to-be-employee request IT adds login alias (krbPrincipalName)
> > 5. Security Officer adds certificate from Smart Card assigned to the
> > to-be-employee
> > 6. HR adds extra information to the account (address, marital status, ...)
> > 7. Facilities update workplace-related information (seat number, phone
> > number, ...)
> > 8. On the first day IT activates the user account.
> > 
> > Considering this work flow I think it might be useful to have the same
> > API for stageuser as for the user.
> > 
> > Does the example work flow make sense?
> > Should we provide the same set of commands for user and stageuser?
> > 
> > Thanks for your ideas and opinions!
> 
> Hi David,
> 
> I would be in favor of providing the same API for stageuser and user.
> 
> It is already possible to add a certificate or a principal alias to a
> stageuser with ipa stageuser-mod --cert or ipa stageuser-mod
> --principal, meaning that those operations are not forbidden.
> 
> I also checked that a stageuser
> - is not able to perform kinit with any of his principal aliases
> - is not able to authenticate to the LDAP server with a DN/pwd
> - is not able to authenticate to the LDAP server using his SSL cert
> - is not able to login with user/pwd on a client console
> so I do not see any security concern with your proposal.

Thank you, Flo. Let's then proceed with David's proposal.

For the record, we discussed this proposal on a weekly development call
and I raised the questions about authentication above. Florence
volunteered to experiment with it to see if SSL certificate
authentication would be possible. It is not, so we can unify the API
behind both user and stageuser.


--
/ Alexander Bokovoy



[Freeipa-devel] [freeipa PR#372][comment] Restore IPA 3.0 compatibility of copy-schema-to-ca.py

2017-01-17 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/372
Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py

mbasti-rh commented:
"""
@tiran +1, but first this has to be generally approved :) topic for the meeting 
maybe (today?)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/372#issuecomment-273111475

[Freeipa-devel] [freeipa PR#372][comment] Restore IPA 3.0 compatibility of copy-schema-to-ca.py

2017-01-17 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/372
Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py

tiran commented:
"""
Or we just grab a working and tested version from an old release.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/372#issuecomment-273110797

Re: [Freeipa-devel] Stageuser API

2017-01-17 Thread Florence Blanc-Renaud

On 01/16/2017 03:52 PM, David Kupka wrote:

> Hello everyone!
> 
> I've noticed that our API for stageuser is missing some commands that
> user has (stageuser-{add,remove}-{principal,cert}). I was wondering if
> there is a reason for it but after asking some fellow developers it seems
> that there's none.
> 
> I understand the stageuser area as a place where user entry can be
> created and amended during the hiring process in organization, example:
> 
> 1. HR creates the entry with just basic information (givenname,
> surname, manager)
> 2. IT assigns basic account information (uid, gid)
> 3. based on to-be-employee manager's request IT adds additional group
> membership (memberOf)
> 4. based on to-be-employee request IT adds login alias (krbPrincipalName)
> 5. Security Officer adds certificate from Smart Card assigned to the
> to-be-employee
> 6. HR adds extra information to the account (address, marital status, ...)
> 7. Facilities update workplace-related information (seat number, phone
> number, ...)
> 8. On the first day IT activates the user account.
> 
> Considering this work flow I think it might be useful to have the same
> API for stageuser as for the user.
> 
> Does the example work flow make sense?
> Should we provide the same set of commands for user and stageuser?
> 
> Thanks for your ideas and opinions!

Hi David,

I would be in favor of providing the same API for stageuser and user.

It is already possible to add a certificate or a principal alias to a 
stageuser with ipa stageuser-mod --cert or ipa stageuser-mod 
--principal, meaning that those operations are not forbidden.


I also checked that a stageuser
- is not able to perform kinit with any of his principal aliases
- is not able to authenticate to the LDAP server with a DN/pwd
- is not able to authenticate to the LDAP server using his SSL cert
- is not able to login with user/pwd on a client console
so I do not see any security concern with your proposal.

Flo.



[Freeipa-devel] [freeipa PR#372][comment] Restore IPA 3.0 compatibility of copy-schema-to-ca.py

2017-01-17 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/372
Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py

stlaz commented:
"""
+1, we need to fix the script first, though.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/372#issuecomment-273108618

[Freeipa-devel] [freeipa PR#372][comment] Restore IPA 3.0 compatibility of copy-schema-to-ca.py

2017-01-17 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/372
Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py

tiran commented:
"""
So with *separate script* you meant a separate downloadable version of the 
script. Got it! :)

It seems we have a consensus. @mbasti-rh I second your proposal to move it to 
freeipa.org (that's what I meant by wiki) and access.redhat.com.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/372#issuecomment-273071360

[Freeipa-devel] [freeipa PR#372][comment] Restore IPA 3.0 compatibility of copy-schema-to-ca.py

2017-01-17 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/372
Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py

mbasti-rh commented:
"""
I proposed 2 ideas:
- move it to ipa-3-3 branch (or)
- extract that script from the freeipa repo and allow downloading it from 
freeipa.org (and access.redhat.com)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/372#issuecomment-273067048

[Freeipa-devel] [freeipa PR#372][comment] Restore IPA 3.0 compatibility of copy-schema-to-ca.py

2017-01-17 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/372
Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py

martbab commented:
"""
IIRC @mbasti-rh proposed to maintain the script separately and serve it to 
users via external repo or something but the idea was rejected.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/372#issuecomment-273062322

[Freeipa-devel] [freeipa PR#266][synchronized] ipapython: simplify Env object initialization

2017-01-17 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/266
Author: HonzaCholasta
 Title: #266: ipapython: simplify Env object initialization
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/266/head:pr266
git checkout pr266
From bd4d58716c77b0ed9b13fe7fc78bc43b0bd5f178 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 22 Nov 2016 12:42:40 +0100
Subject: [PATCH 1/2] wsgi, oddjob: remove needless uses of Env

Do not use a custom Env instance to determine the debug level to use for the
IPA API object - the IPA API object can properly determine the
configured debug level on its own.

https://fedorahosted.org/freeipa/ticket/6408
---
 doc/guide/wsgi.py.txt | 13 ++---
 install/oddjob/com.redhat.idm.trust-fetch-domains |  8 +---
 install/share/wsgi.py | 13 +
 3 files changed, 4 insertions(+), 30 deletions(-)

diff --git a/doc/guide/wsgi.py.txt b/doc/guide/wsgi.py.txt
index 8566a25..8c2f7e5 100644
--- a/doc/guide/wsgi.py.txt
+++ b/doc/guide/wsgi.py.txt
@@ -1,16 +1,7 @@
+from ipaplatform.paths import paths
 from ipalib import api
-from ipalib.config import Env
-from ipalib.constants import DEFAULT_CONFIG
 
-# Determine what debug level is configured. We can only do this
-# by reading in the configuration file(s). The server always reads
-# default.conf and will also read in `context'.conf.
-env = Env()
-env._bootstrap(context='server', log=None)
-env._finalize_core(**dict(DEFAULT_CONFIG))
-
-# Initialize the API with the proper debug level
-api.bootstrap(context='server', debug=env.debug, log=None) (ref:wsgi-app-bootstrap)
+api.bootstrap(context='server', confdir=paths.ETC_IPA, log=None) (ref:wsgi-app-bootstrap)
 try:
 api.finalize() (ref:wsgi-app-finalize)
 except Exception as e:
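Review bot: the deleted comment block (from "# Determine what debug level is configured" down to "# Initialize the API with the proper debug level") was the guide's only explanation of where the debug level comes from, and doc/guide/wsgi.py.txt is documentation rather than code; consider replacing it with a single line such as `# api.bootstrap() reads default.conf and server.conf from confdir itself` so the `(ref:wsgi-app-bootstrap)` callout still has something to explain. As a side effect the guide now passes `confdir=paths.ETC_IPA` like install/share/wsgi.py already did, which removes a divergence between the two copies.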
diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
index e5c2e8c..a472dd6 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -5,8 +5,6 @@ from ipaserver.install.installutils import is_ipa_configured, ScriptError
 from ipapython import config, ipautil
 from ipalib import api
 from ipapython.dn import DN
-from ipalib.config import Env
-from ipalib.constants import DEFAULT_CONFIG
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 import sys
@@ -91,12 +89,8 @@ if len(args) != 1:
 
 trusted_domain = ipautil.fsdecode(args[0]).lower()
 
-env = Env()
-env._bootstrap(debug=options.debug, log=None)
-env._finalize_core(**dict(DEFAULT_CONFIG))
-
 # Initialize the API with the proper debug level
-api.bootstrap(in_server=True, debug=env.debug, log=None,
+api.bootstrap(in_server=True, debug=options.debug, log=None,
   context='server', confdir=paths.ETC_IPA)
 api.finalize()
 
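Review bot: the unchanged comment "# Initialize the API with the proper debug level" above the changed call now describes a plain pass-through of `options.debug`, so it should be reworded. More importantly, the old code fed `options.debug` into `env._bootstrap(debug=options.debug, ...)` and then handed `env.debug` to `api.bootstrap`; the new code passes `debug=options.debug` straight through, which is only equivalent if `api.bootstrap` applies the same precedence to an explicit `debug` override (command-line value wins over the config file, including when the option is left at its default). Please state in the commit message that this precedence is unchanged, or the effective debug level of this oddjob helper may silently differ from before.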
diff --git a/install/share/wsgi.py b/install/share/wsgi.py
index ca97d1e..a0aa3fc 100644
--- a/install/share/wsgi.py
+++ b/install/share/wsgi.py
@@ -25,19 +25,8 @@
 """
 from ipaplatform.paths import paths
 from ipalib import api
-from ipalib.config import Env
-from ipalib.constants import DEFAULT_CONFIG
 
-# Determine what debug level is configured. We can only do this
-# by reading in the configuration file(s). The server always reads
-# default.conf and will also read in `context'.conf.
-env = Env()
-env._bootstrap(context='server', log=None, confdir=paths.ETC_IPA)
-env._finalize_core(**dict(DEFAULT_CONFIG))
-
-# Initialize the API with the proper debug level
-api.bootstrap(context='server', confdir=paths.ETC_IPA,
-  debug=env.debug, log=None)
+api.bootstrap(context='server', confdir=paths.ETC_IPA, log=None)
 try:
 api.finalize()
 except Exception as e:
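Review bot: dropping `debug=env.debug` here means the debug level now comes solely from what `api.bootstrap` reads under `confdir=paths.ETC_IPA`, which matches the stated intent, but the commit message only asserts that the API object "can properly determine" it; add a pointer to where that happens (the ipalib code path or the linked ticket) so a reviewer can confirm the result equals the removed `Env()` / `_bootstrap` / `_finalize_core` sequence. After this hunk install/share/wsgi.py and doc/guide/wsgi.py.txt are identical at this point, so a one-line note in the guide that it mirrors the installed file would help keep them from drifting again.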

From 4008218a2704e2f511c0ea05894a627d62011663 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 16 Jan 2017 12:20:47 +0100
Subject: [PATCH 2/2] config: add public API to initialize Env

Add new API to initialize Env instances:

env = Env()
env.bootstrap(**overrides)
env.finalize()

This replaces the old private API:

env = Env()
env._bootstrap(**overrides)
env._finalize_core(**dict(DEFAULT_CONFIG))
env._finalize()

https://fedorahosted.org/freeipa/ticket/6408
---
 install/tools/ipa-pki-retrieve-key |   2 +-
 ipalib/__init__.py |   6 +-
 ipalib/config.py   | 120 +---
 ipalib/constants.py|  18 ++---
 ipalib/plugable.py |  11 +--
 ipaserver/install/server/replicainstall.py |   4 +-
 ipatests/test_ipalib/test_config.py| 123 ++---
 ipatests/test_ipalib/test_frontend.py  |   9 ++-
 ipatests/test_ipalib/test_plugable.py  |   6 +-
 9 files changed, 120 insertions(+), 179 deletions(-)

diff --git a/install/tools/ipa-pki-retrieve-key