[Freeipa-devel] Karma Requests for pki-core-10.3.5-11

2017-01-31 Thread Matthew Harmsen

The following updated candidate builds of pki-core 10.3.5 were generated:

 * Fedora 24
   o pki-core-10.3.5-11.fc24
 * Fedora 25
   o pki-core-10.3.5-11.fc25
 * Fedora 26
   o pki-core-10.3.5-11.fc26

These builds address the following PKI TRAC tickets:

 * PKI TRAC Ticket #1741 - ECDSA Certificates Generated by Certificate
   System fail NIST validation test with parameter field.
 * PKI TRAC Ticket #2450 - Unable to search certificate requests using
   the latest request ID
 * PKI TRAC Ticket #2534 - Automatic recovery of encryption cert - CA
   and TPS tokendb shows different certificate status
 * PKI TRAC Ticket #2564 - pki-tomcat for 10+ minutes before
   generating cert
 * PKI TRAC Ticket #2570 - Problem with default AJP hostname in IPv6
   environment.
 * PKI TRAC Ticket #2573 - CA Certificate Issuance Date displayed on
   CA website incorrect
 * PKI TRAC Ticket #2579 - NumberFormatException in
   LDAPProfileSubsystem

Please provide Karma for the following builds:

 * Fedora 24
   o https://bodhi.fedoraproject.org/updates/FEDORA-2017-a2898f25b1
     pki-core-10.3.5-11.fc24
 * Fedora 25
   o https://bodhi.fedoraproject.org/updates/FEDORA-2017-fe062eaff7
     pki-core-10.3.5-11.fc25


-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion

2017-01-31 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion

frasertweedale commented:
"""
@HonzaCholasta @MartinBasti PR updated.  I extracted the specific (== 0) and 
(>= 1) checks to the relevant call sites.  Also separated DL retrieval and "DL 
in range for IPA version" check into separate functions.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/416#issuecomment-276571652

[Freeipa-devel] [freeipa PR#415][comment] ca-del: require CA to already be disabled

2017-01-31 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/415
Title: #415: ca-del: require CA to already be disabled

frasertweedale commented:
"""
@apophys done; PR updated.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/415#issuecomment-276571411

[Freeipa-devel] [freeipa PR#415][synchronized] ca-del: require CA to already be disabled

2017-01-31 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/415
Author: frasertweedale
 Title: #415: ca-del: require CA to already be disabled
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/415/head:pr415
git checkout pr415
From ebfbdbf2524e98aee5d14886f9345fa1d3f88c3f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Mon, 23 Jan 2017 11:37:37 +1000
Subject: [PATCH] ca-del: require CA to already be disabled

Currently ca-del disables the target CA before deleting it.
Conceptually, this involves two separate permissions: modify and
delete.  A user with delete permission does not necessarily have
modify permission.

As we move toward enforcing IPA permissions in Dogtag, it is
necessary to decouple disablement from deletion, otherwise the
disable operation would fail if the user does not have modify
permission.  Although it introduces an additional step for
administrators, the process is consistent, required permissions are
clear, and errors are human-friendly.

Part of: https://fedorahosted.org/freeipa/ticket/5011
---
 ipaserver/plugins/ca.py   | 7 ++-
 ipatests/test_xmlrpc/test_ca_plugin.py| 4 
 ipatests/test_xmlrpc/tracker/ca_plugin.py | 6 +-
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 4f24278..0d3d7d0 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -286,7 +286,12 @@ def pre_callback(self, ldap, dn, *keys, **options):
 
 ca_id = self.api.Command.ca_show(keys[0])['result']['ipacaid'][0]
 with self.api.Backend.ra_lightweight_ca as ca_api:
-ca_api.disable_ca(ca_id)
+data = ca_api.read_ca(ca_id)
+if data['enabled']:
+raise errors.ProtectedEntryError(
+label=_("CA"),
+key=keys[0],
+reason=_("Must be disabled first"))
 ca_api.delete_ca(ca_id)
 
 return dn
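
Review bot: in `pre_callback`, the `data['enabled']` check and the following `ca_api.delete_ca(ca_id)` are separate calls, so the CA's state can change between them and the check is only advisory on the IPA side. If Dogtag itself refuses to delete an enabled CA, it would be more robust to attempt the delete and translate that failure into the same `ProtectedEntryError`; otherwise a short comment saying the check is best-effort would help. Also, `data['enabled']` raises `KeyError` if `read_ca` ever omits the field; `data.get('enabled', True)` would fail closed.
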
diff --git a/ipatests/test_xmlrpc/test_ca_plugin.py b/ipatests/test_xmlrpc/test_ca_plugin.py
index 1e0e52f..ee826aa 100644
--- a/ipatests/test_xmlrpc/test_ca_plugin.py
+++ b/ipatests/test_xmlrpc/test_ca_plugin.py
@@ -87,6 +87,10 @@ def test_retrieve(self, crud_subca):
 def test_retrieve_all(self, crud_subca):
 crud_subca.retrieve(all=True)
 
+def test_delete_while_not_disabled(self, crud_subca):
+with pytest.raises(errors.ProtectedEntryError):
+crud_subca.make_command('ca_del', crud_subca.name)()
+
 def test_delete(self, crud_subca):
 crud_subca.delete()
 
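
Review bot: `test_delete_while_not_disabled` relies on running before `test_delete`, while the tracked CA still exists and is enabled, and that ordering dependency is implicit. A one-line comment on the test, plus a `crud_subca.retrieve()` after the `pytest.raises` block to confirm the CA is still present after the rejected delete, would make the intent explicit.
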
diff --git a/ipatests/test_xmlrpc/tracker/ca_plugin.py b/ipatests/test_xmlrpc/tracker/ca_plugin.py
index e18b1c1..cb3fb70 100644
--- a/ipatests/test_xmlrpc/tracker/ca_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/ca_plugin.py
@@ -82,7 +82,11 @@ def track_create(self):
 
 def make_delete_command(self):
 """Make function that deletes the plugin entry object."""
-return self.make_command('ca_del', self.name)
+def disable_then_delete():
+self.make_command('ca_disable', self.name)()
+return self.make_command('ca_del', self.name)()
+
+return disable_then_delete
 
 def check_delete(self, result):
 assert_deepequal(dict(
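
Review bot: `make_delete_command` used to return the object built by `self.make_command('ca_del', self.name)` and now returns the plain closure `disable_then_delete`, so any caller that inspects the returned command instead of just calling it gets a different type. The docstring still reads "Make function that deletes the plugin entry object" and should say that the CA is disabled first; the result of the `ca_disable` call is also discarded, so a problem there surfaces only if it raises.
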

[Freeipa-devel] [freeipa PR#416][synchronized] replica install: relax domain level check for promotion

2017-01-31 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/416
Author: frasertweedale
 Title: #416: replica install: relax domain level check for promotion
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/416/head:pr416
git checkout pr416
From 5517b9e47ced44bc6913fb7e3ec5202ce96a0b37 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Fri, 6 Jan 2017 16:04:10 +1000
Subject: [PATCH] replica install: relax domain level check for promotion

promote_check currently requires DL == 1.  Relax the check to
require DL >= 1, so that things will work for future DL increases.

Also separate the concerns of retrieving the current domain level,
validating whether the domain level is supported by the IPA version,
and validating whether the current domain level supports the replica
installation method attempted (i.e. replica file versus promotion).

Part of: https://fedorahosted.org/freeipa/ticket/5011
---
 ipaserver/install/server/replicainstall.py | 56 --
 1 file changed, 30 insertions(+), 26 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 18222c8..a312079 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -556,38 +556,25 @@ def common_check(no_ntp):
 pass
 
 
-def check_domain_level(api, expected):
+def current_domain_level(api):
+"""Return the current domain level.
+
+"""
 # Detect the current domain level
 try:
-current = api.Command['domainlevel_get']()['result']
+return api.Command['domainlevel_get']()['result']
 except errors.NotFound:
 # If we're joining an older master, domain entry is not
 # available
-current = constants.DOMAIN_LEVEL_0
+return constants.DOMAIN_LEVEL_0
 
-if current == constants.DOMAIN_LEVEL_0:
-message = (
-"You must provide a file generated by ipa-replica-prepare to "
-"create a replica when the domain is at level 0."
-)
-else:
-message = (
-"You used wrong mechanism to install a replica in domain level "
-"{dl}:\n"
-"\tDomain level 0 requires a replica file as a positional "
-"arugment.\n"
-"\tFor domain level 1 replica instalation, a replica file must "
-"not be used but you can can join the domain by running "
-"ipa-client-install first and then try"
-"to run this installation again."
-.format(dl=expected)
-)
 
-if current != expected:
-raise RuntimeError(message)
+def check_domain_level_is_supported(current):
+"""Check that the given domain level is supported by this server version.
 
-# Detect if current level is out of supported range
-# for this IPA version
+:raises: ScriptError if DL is out of supported range for this IPA version.
+
+"""
 under_lower_bound = current < constants.MIN_DOMAIN_LEVEL
 above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
 
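
Review bot: the docstring of `current_domain_level` is a single line followed by an empty line and does not say that `errors.NotFound` is mapped to `constants.DOMAIN_LEVEL_0`; that fallback is the one non-obvious behaviour of the function and belongs in the docstring. The retained comment `# Detect the current domain level` now repeats the function name and can go.
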
@@ -768,7 +755,13 @@ def install_check(installer):
config.host_name)
 raise ScriptError(msg, rval=3)
 
-check_domain_level(remote_api, expected=constants.DOMAIN_LEVEL_0)
+domain_level = current_domain_level(remote_api)
+check_domain_level_is_supported(domain_level)
+if domain_level != constants.DOMAIN_LEVEL_0:
+raise RuntimeError(
+"You must provide a file generated by ipa-replica-prepare to "
+"create a replica when the domain is at level 0."
+)
 
 # Check pre-existing host entry
 try:
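
Review bot: in `install_check` the new `if domain_level != constants.DOMAIN_LEVEL_0:` branch raises "You must provide a file generated by ipa-replica-prepare to create a replica when the domain is at level 0", but this branch runs only when the domain is not at level 0. In the removed `check_domain_level` that text was selected for `current == constants.DOMAIN_LEVEL_0`; the message raised here should be the "wrong mechanism" one that tells the user to join with ipa-client-install and run the installer without a replica file.
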
@@ -1088,7 +1081,18 @@ def promote_check(installer):
  config.master_host_name, None)
 
 promotion_check_ipa_domain(conn, remote_api.env.basedn)
-check_domain_level(remote_api, expected=constants.DOMAIN_LEVEL_1)
+
+domain_level = current_domain_level(remote_api)
+check_domain_level_is_supported(domain_level)
+if domain_level < constants.DOMAIN_LEVEL_1:
+raise RuntimeError(
+"You used the wrong mechanism to install a replica in "
+"domain level {dl}:\n"
+"\tFor domain level >= 1 replica installation, first join the "
+"domain by running ipa-client-install, then run "
+"ipa-replica-install without a replica file."
+.format(dl=domain_level)
+)
 
 # Check authorization
 result = remote_api.Command['hostgroup_find'](
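
Review bot: in `promote_check` the `domain_level < constants.DOMAIN_LEVEL_1` branch is reached only at domain level 0, yet its message describes the procedure for domain level >= 1 and no longer mentions that level 0 requires a replica file. A user who hits this error needs the ipa-replica-prepare guidance instead. Formatting with `dl=domain_level` rather than the old `dl=expected` is correct and should be kept in whichever message reports the level.
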

[Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion

2017-01-31 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion

frasertweedale commented:
"""
So, what do we want the behaviour of `check_domain_level` to be?  I just want 
to make a small change so that replica install does not break if DL > 1.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/416#issuecomment-276529816

[Freeipa-devel] [freeipa PR#429][synchronized] [py3] ipactl restart: log httplib failures as debug

2017-01-31 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/429
Author: MartinBasti
 Title: #429: [py3] ipactl restart: log httplib failures as debug
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/429/head:pr429
git checkout pr429
From d8c7d3397536de66158828b29a7987fe6f1501b3 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 31 Jan 2017 22:51:31 +0100
Subject: [PATCH] py3: ipactl restart: log httplib failures as debug

With python3 there are several exceptions ConnectionRefusedError raised
before ipactl is able to connect to dogtag after restart. These
exceptions should be logged on debug level until timeout is reached.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/dogtag.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 01fc5cb..b171754 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -209,7 +209,7 @@ def _httplib_request(
 http_body = res.read()
 conn.close()
 except Exception as e:
-root_logger.exception("httplib request failed:")
+root_logger.debug("httplib request failed:", exc_info=True)
 raise NetworkError(uri=uri, error=str(e))
 
 root_logger.debug('response status %d',http_status)
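
Review bot: the `except Exception` block now logs every failure of `_httplib_request` at debug level, not only the `ConnectionRefusedError` retries the commit message describes, and nothing in this hunk raises the level again once the timeout is reached. Either narrow the downgrade to connection errors, or make sure the caller that gives up logs the final `NetworkError` at error level so a persistent failure is still visible in default logs.
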

[Freeipa-devel] [freeipa PR#425][+ack] ipa-kra-install must create directory if it does not exist

2017-01-31 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/425
Title: #425: ipa-kra-install must create directory if it does not exist

Label: +ack

[Freeipa-devel] [freeipa PR#427][synchronized] [Py3] WSGI part 2

2017-01-31 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/427
Author: MartinBasti
 Title: #427: [Py3] WSGI part 2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/427/head:pr427
git checkout pr427
From 7e99c15c21231e018132215ae6d3f6f0ddd3a40e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 24 Jan 2017 17:49:06 +0100
Subject: [PATCH 1/7] py3: base64 encoding/decoding returns always bytes don't
 mix it

Using a unicode(bytes) call causes an undesired side effect: a `b` character
is inserted into the result. This obviously causes issues with binary base64 data

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/plugins/baseldap.py | 2 +-
 ipaserver/plugins/ca.py   | 4 +---
 ipaserver/plugins/cert.py | 2 +-
 ipaserver/secrets/client.py   | 6 --
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index e7bf43c..24b6db7 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -1036,7 +1036,7 @@ def process_attr_options(self, entry_attrs, dn, keys, options):
 except ValueError:
 if isinstance(delval, bytes):
 # This is a Binary value, base64 encode it
-delval = unicode(base64.b64encode(delval))
+delval = base64.b64encode(delval).decode('ascii')
 raise errors.AttrValueNotFound(attr=attr, value=delval)
 
 # normalize all values
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 4f24278..3a052a1 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -4,8 +4,6 @@
 
 import base64
 
-import six
-
 from ipalib import api, errors, output, Bytes, DNParam, Flag, Str
 from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
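
Review bot: removing `import six` at the top of ca.py is safe only if the `six.text_type` call dropped in the next hunk was the last use of `six` in the module. Please confirm with a grep or a pyflakes run, since a remaining reference would fail with `NameError` only when that code path executes.
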
@@ -176,7 +174,7 @@ def set_certificate_attrs(entry, options, want_cert=True):
 with api.Backend.ra_lightweight_ca as ca_api:
 if want_cert or full:
 der = ca_api.read_ca_cert(ca_id)
-entry['certificate'] = six.text_type(base64.b64encode(der))
+entry['certificate'] = base64.b64encode(der).decode('ascii')
 
 if want_chain or full:
 pkcs7_der = ca_api.read_ca_chain(ca_id)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 5bf4cfb..6bf5c03 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1260,7 +1260,7 @@ def _get_cert_key(self, cert):
 return (DN(cert_obj.issuer), cert_obj.serial)
 
 def _get_cert_obj(self, cert, all, raw, pkey_only):
-obj = {'certificate': unicode(base64.b64encode(cert))}
+obj = {'certificate': base64.b64encode(cert).decode('ascii')}
 
 full = not pkey_only and all
 if not raw:
diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py
index a04b9a6..a945e01 100644
--- a/ipaserver/secrets/client.py
+++ b/ipaserver/secrets/client.py
@@ -70,7 +70,8 @@ def init_creds(self):
 name = gssapi.Name(self.client_service,
gssapi.NameType.hostbased_service)
 store = {'client_keytab': self.keytab,
- 'ccache': 'MEMORY:Custodia_%s' % b64encode(os.urandom(8))}
+ 'ccache': 'MEMORY:Custodia_%s' % b64encode(
+ os.urandom(8)).decode('ascii')}
 return gssapi.Credentials(name=name, store=store, usage='initiate')
 
 def _auth_header(self):
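
Review bot: in `init_creds`, the suffix of `'MEMORY:Custodia_%s'` is standard base64 of 8 random bytes, which is 12 characters including a `=` pad and possibly `+` or `/`. Since the value only needs to be a unique name, `binascii.hexlify(os.urandom(8)).decode('ascii')` would be easier to read in logs; if base64 is kept, assigning the decoded string to a local first would avoid breaking the line inside the `%` expression.
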
@@ -78,7 +79,8 @@ def _auth_header(self):
 self.creds = self.init_creds()
 ctx = gssapi.SecurityContext(name=self.service_name, creds=self.creds)
 authtok = ctx.step()
-return {'Authorization': 'Negotiate %s' % b64encode(authtok)}
+return {'Authorization': 'Negotiate %s' % b64encode(
+authtok).decode('ascii')}
 
 def fetch_key(self, keyname, store=True):
 

From 24316d1ca054f262f438dfe96b5025c57170d5d9 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 24 Jan 2017 18:31:50 +0100
Subject: [PATCH 2/7] py3: base64.b64encode requires bytes as param

Decimal must be changed to string first and then encoded to bytes

https://fedorahosted.org/freeipa/ticket/4985
---
 ipalib/rpc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index fb739f8..a3642a6 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -308,7 +308,7 @@ def json_encode_binary(val, version):
 encoded = encoded.decode('ascii')
 return {'__base64__': encoded}
 elif isinstance(val, Decimal):
-return {'__base64__': base64.b64encode(str(val))}
+return {'__base64__': base64.b64encode(str(val).encode('ascii'))}
 elif isinstance(val, DN):
 return str(val)
 elif isinstance(val, datetime.datetime):
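
Review bot: in the `Decimal` branch of `json_encode_binary`, `base64.b64encode(...)` still returns `bytes` under Python 3, so `'__base64__'` maps to a bytes object, whereas the branch just above calls `encoded.decode('ascii')` before returning. Append `.decode('ascii')` here as well so both branches return text; the standard `json` module does not serialize `bytes`.
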

From 3127a030d6678f920f2d79ca0db6c14ccbf15346 

[Freeipa-devel] [freeipa PR#429][opened] [py3] ipactl restart: log httplib failures as debug

2017-01-31 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/429
Author: MartinBasti
 Title: #429: [py3] ipactl restart: log httplib failures as debug
Action: opened

PR body:
"""
With python3 there are several exceptions ConnectionRefusedError raised
before ipactl is able to connect to dogtag after restart. These
exceptions should be logged on debug level until timeout is reached.

https://fedorahosted.org/freeipa/ticket/4985
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/429/head:pr429
git checkout pr429
From 6b3b2ea4058737003525c4571331284ee8d05cbb Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 31 Jan 2017 22:51:31 +0100
Subject: [PATCH] py3: ipactl restart: log httplib failures as debug

With python3 there are several exceptions ConnectionRefusedError raised
before ipactl is able to connect to dogtag after restart. These
exceptions should be logged on debug level until timeout is reached.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/dogtag.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 01fc5cb..c42b9d2 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -19,6 +19,7 @@
 
 import collections
 import xml.dom.minidom
+import traceback
 
 import nss.nss as nss
 import six
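
Review bot: `import traceback` is inserted after `import xml.dom.minidom`, out of alphabetical order within the standard-library group, and it is needed only by the `traceback.format_exc()` call in the next hunk. It can be dropped entirely if that call is replaced by the logger's own traceback support.
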
@@ -209,7 +210,8 @@ def _httplib_request(
 http_body = res.read()
 conn.close()
 except Exception as e:
-root_logger.exception("httplib request failed:")
+root_logger.debug("httplib request failed")
+root_logger.debug(traceback.format_exc())
 raise NetworkError(uri=uri, error=str(e))
 
 root_logger.debug('response status %d',http_status)
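
Review bot: the two consecutive `root_logger.debug(...)` calls in the `except` block emit the message and the traceback as separate log records, which other records can split apart and which are harder to correlate. A single `root_logger.debug("httplib request failed", exc_info=True)` keeps them in one record.
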

[Freeipa-devel] [freeipa PR#427][synchronized] [Py3] WSGI part 2

2017-01-31 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/427
Author: MartinBasti
 Title: #427: [Py3] WSGI part 2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/427/head:pr427
git checkout pr427
From 8cb5b0f48c8f273cdc227ac8d7f399670f4bad5a Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 24 Jan 2017 17:49:06 +0100
Subject: [PATCH 1/7] py3: base64 encoding/decoding returns always bytes don't
 mix it

Using a unicode(bytes) call causes an undesired side effect: a `b` character
is inserted into the result. This obviously causes issues with binary base64 data

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/plugins/baseldap.py | 4 ++--
 ipaserver/plugins/ca.py   | 4 +---
 ipaserver/plugins/cert.py | 2 +-
 ipaserver/secrets/client.py   | 6 --
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index e7bf43c..2f7889b 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -1036,8 +1036,8 @@ def process_attr_options(self, entry_attrs, dn, keys, options):
 except ValueError:
 if isinstance(delval, bytes):
 # This is a Binary value, base64 encode it
-delval = unicode(base64.b64encode(delval))
-raise errors.AttrValueNotFound(attr=attr, value=delval)
+delval = base64.b64encode(delval).decode('ascii')
+raise errors.AttrValueNotFound(attr=attr, value=delval)
 
 # normalize all values
 changedattrs = setattrs | addattrs | delattrs
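
Review bot: the `raise errors.AttrValueNotFound(attr=attr, value=delval)` line is removed and re-added with identical text, so only its indentation changed. Please confirm it remains outside the `if isinstance(delval, bytes):` block; if it moved inside, a missing non-binary value would no longer raise `AttrValueNotFound`.
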
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 4f24278..3a052a1 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -4,8 +4,6 @@
 
 import base64
 
-import six
-
 from ipalib import api, errors, output, Bytes, DNParam, Flag, Str
 from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
@@ -176,7 +174,7 @@ def set_certificate_attrs(entry, options, want_cert=True):
 with api.Backend.ra_lightweight_ca as ca_api:
 if want_cert or full:
 der = ca_api.read_ca_cert(ca_id)
-entry['certificate'] = six.text_type(base64.b64encode(der))
+entry['certificate'] = base64.b64encode(der).decode('ascii')
 
 if want_chain or full:
 pkcs7_der = ca_api.read_ca_chain(ca_id)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 5bf4cfb..6bf5c03 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1260,7 +1260,7 @@ def _get_cert_key(self, cert):
 return (DN(cert_obj.issuer), cert_obj.serial)
 
 def _get_cert_obj(self, cert, all, raw, pkey_only):
-obj = {'certificate': unicode(base64.b64encode(cert))}
+obj = {'certificate': base64.b64encode(cert).decode('ascii')}
 
 full = not pkey_only and all
 if not raw:
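
Review bot: `base64.b64encode(cert).decode('ascii')` in `_get_cert_obj` is the same expression this patch also writes in baseldap.py and ca.py. A small shared helper (the name `b64encode_text(data)` is only a suggestion) would keep the bytes-to-text rule in one place and make any remaining `unicode(base64.b64encode(...))` call sites easier to find.
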
diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py
index a04b9a6..a945e01 100644
--- a/ipaserver/secrets/client.py
+++ b/ipaserver/secrets/client.py
@@ -70,7 +70,8 @@ def init_creds(self):
 name = gssapi.Name(self.client_service,
gssapi.NameType.hostbased_service)
 store = {'client_keytab': self.keytab,
- 'ccache': 'MEMORY:Custodia_%s' % b64encode(os.urandom(8))}
+ 'ccache': 'MEMORY:Custodia_%s' % b64encode(
+ os.urandom(8)).decode('ascii')}
 return gssapi.Credentials(name=name, store=store, usage='initiate')
 
 def _auth_header(self):
@@ -78,7 +79,8 @@ def _auth_header(self):
 self.creds = self.init_creds()
 ctx = gssapi.SecurityContext(name=self.service_name, creds=self.creds)
 authtok = ctx.step()
-return {'Authorization': 'Negotiate %s' % b64encode(authtok)}
+return {'Authorization': 'Negotiate %s' % b64encode(
+authtok).decode('ascii')}
 
 def fetch_key(self, keyname, store=True):
 

From fcfeedf682f8993c0afe8bc85ec19cb275018882 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 24 Jan 2017 18:31:50 +0100
Subject: [PATCH 2/7] py3: base64.b64encode requires bytes as param

Decimal must be changed to string first and then encoded to bytes

https://fedorahosted.org/freeipa/ticket/4985
---
 ipalib/rpc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index fb739f8..a3642a6 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -308,7 +308,7 @@ def json_encode_binary(val, version):
 encoded = encoded.decode('ascii')
 return {'__base64__': encoded}
 elif isinstance(val, Decimal):
-return {'__base64__': base64.b64encode(str(val))}
+return {'__base64__': base64.b64encode(str(val).encode('ascii'))}
 

[Freeipa-devel] [freeipa PR#417][closed] private_ccache: yield ccache name

2017-01-31 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/417
Author: frasertweedale
 Title: #417: private_ccache: yield ccache name
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/417/head:pr417
git checkout pr417

[Freeipa-devel] [freeipa PR#417][comment] private_ccache: yield ccache name

2017-01-31 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/417
Title: #417: private_ccache: yield ccache name

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/caca181d3b73c045abd72e464a195c6b61c251c7
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/417#issuecomment-276437158

[Freeipa-devel] [freeipa PR#417][+pushed] private_ccache: yield ccache name

2017-01-31 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/417
Title: #417: private_ccache: yield ccache name

Label: +pushed

[Freeipa-devel] [freeipa PR#427][opened] [Py3] WSGI part 2

2017-01-31 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/427
Author: MartinBasti
 Title: #427: [Py3] WSGI part 2
Action: opened

PR body:
"""
with this PR:
* server can be installed with python3-mod_wsgi
* any xmlrpc test can be executed to find new py3 issues (still a lot of them 
there)
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/427/head:pr427
git checkout pr427
From 2f86d65d64bf3034d2fd91623f4b7c3bdfdc00be Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 24 Jan 2017 17:49:06 +0100
Subject: [PATCH 1/7] py3: base64 encoding/decoding returns always bytes don't
 mix it

Using a unicode(bytes) call causes an undesired side effect: a `b` character
is inserted into the result. This obviously causes issues with binary base64 data

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/plugins/baseldap.py | 4 ++--
 ipaserver/plugins/ca.py   | 2 +-
 ipaserver/plugins/cert.py | 2 +-
 ipaserver/secrets/client.py   | 6 --
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index e7bf43c..2f7889b 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -1036,8 +1036,8 @@ def process_attr_options(self, entry_attrs, dn, keys, options):
 except ValueError:
 if isinstance(delval, bytes):
 # This is a Binary value, base64 encode it
-delval = unicode(base64.b64encode(delval))
-raise errors.AttrValueNotFound(attr=attr, value=delval)
+delval = base64.b64encode(delval).decode('ascii')
+raise errors.AttrValueNotFound(attr=attr, value=delval)
 
 # normalize all values
 changedattrs = setattrs | addattrs | delattrs
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 4f24278..ac9f68e 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -176,7 +176,7 @@ def set_certificate_attrs(entry, options, want_cert=True):
 with api.Backend.ra_lightweight_ca as ca_api:
 if want_cert or full:
 der = ca_api.read_ca_cert(ca_id)
-entry['certificate'] = six.text_type(base64.b64encode(der))
+entry['certificate'] = base64.b64encode(der).decode('ascii')
 
 if want_chain or full:
 pkcs7_der = ca_api.read_ca_chain(ca_id)
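
Review bot: this revision drops the `six.text_type(...)` call in `set_certificate_attrs` but, going by the diffstat for ca.py (one line changed), leaves the module's imports untouched. If that call was the only use of `six` in ca.py, the import is now unused and should be removed in the same patch.
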
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 5bf4cfb..6bf5c03 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1260,7 +1260,7 @@ def _get_cert_key(self, cert):
 return (DN(cert_obj.issuer), cert_obj.serial)
 
 def _get_cert_obj(self, cert, all, raw, pkey_only):
-obj = {'certificate': unicode(base64.b64encode(cert))}
+obj = {'certificate': base64.b64encode(cert).decode('ascii')}
 
 full = not pkey_only and all
 if not raw:
diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py
index a04b9a6..a945e01 100644
--- a/ipaserver/secrets/client.py
+++ b/ipaserver/secrets/client.py
@@ -70,7 +70,8 @@ def init_creds(self):
 name = gssapi.Name(self.client_service,
gssapi.NameType.hostbased_service)
 store = {'client_keytab': self.keytab,
- 'ccache': 'MEMORY:Custodia_%s' % b64encode(os.urandom(8))}
+ 'ccache': 'MEMORY:Custodia_%s' % b64encode(
+ os.urandom(8)).decode('ascii')}
 return gssapi.Credentials(name=name, store=store, usage='initiate')
 
 def _auth_header(self):
@@ -78,7 +79,8 @@ def _auth_header(self):
 self.creds = self.init_creds()
 ctx = gssapi.SecurityContext(name=self.service_name, creds=self.creds)
 authtok = ctx.step()
-return {'Authorization': 'Negotiate %s' % b64encode(authtok)}
+return {'Authorization': 'Negotiate %s' % b64encode(
+authtok).decode('ascii')}
 
 def fetch_key(self, keyname, store=True):
 

From df975b68875628940ce50c5470d34f30cc716762 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 24 Jan 2017 18:31:50 +0100
Subject: [PATCH 2/7] py3: base64.b64encode requires bytes as param

Decimal must be changed to string first and then encoded to bytes

https://fedorahosted.org/freeipa/ticket/4985
---
 ipalib/rpc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index fb739f8..a3642a6 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -308,7 +308,7 @@ def json_encode_binary(val, version):
 encoded = encoded.decode('ascii')
 return {'__base64__': encoded}
 elif isinstance(val, Decimal):
-return {'__base64__': base64.b64encode(str(val))}
+return {'__base64__': base64.b64encode(str(val).encode('ascii'))}
 elif isinstance(val, DN):
 

[Freeipa-devel] [freeipa PR#393][comment] [Py3] allow to run wsgi - part1

2017-01-31 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/393
Title: #393: [Py3] allow to run wsgi - part1

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a9fec1de1aa2b3c0f4c4ec6eff25ff2e75c774b0
https://fedorahosted.org/freeipa/changeset/9739d0354a8ac5fd357f7d131b3f75aa05df058b
https://fedorahosted.org/freeipa/changeset/7e8eb533752bbf5e2f05ec6bfb0ffefa8e9dcddf
https://fedorahosted.org/freeipa/changeset/35e135c4e3a7f0bf21ed4c838b8f76b43701a047
https://fedorahosted.org/freeipa/changeset/cca9aa43e146f15e235eee1197209d0ca88eb39c
https://fedorahosted.org/freeipa/changeset/aa036e5f332ef0b1ebbff6b824e236b1eeaf076e
https://fedorahosted.org/freeipa/changeset/dd3d9f1ca61946ea5d7daa17ba1d8a883922d526
https://fedorahosted.org/freeipa/changeset/49333058c869dd4bd654a7974e6e144ffd3f0dc3
https://fedorahosted.org/freeipa/changeset/b37d18288d40b4ec0b5a8df676456e09ae5f26c1
https://fedorahosted.org/freeipa/changeset/deaf9ae2473833dacb64c4961db3ae9f7c570ebd
https://fedorahosted.org/freeipa/changeset/1023cfebff99af165212dee94290a05754297270
https://fedorahosted.org/freeipa/changeset/d5ab0637fe89cbcb61491fe08b7376aeaf7ccdb8
https://fedorahosted.org/freeipa/changeset/47e76e16ef2e5d714881f3cce204611a95b4e5c8
https://fedorahosted.org/freeipa/changeset/b8d6524d43dd0667184aebc79fb77a9b8a46939a
https://fedorahosted.org/freeipa/changeset/980c8a5f9e4ccbcd3c11def9cab33d0e61e945ae
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/393#issuecomment-276433723

[Freeipa-devel] [freeipa PR#393][+pushed] [Py3] allow to run wsgi - part1

2017-01-31 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/393
Title: #393: [Py3] allow to run wsgi - part1

Label: +pushed

[Freeipa-devel] [freeipa PR#393][closed] [Py3] allow to run wsgi - part1

2017-01-31 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/393
Author: MartinBasti
 Title: #393: [Py3] allow to run wsgi - part1
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/393/head:pr393
git checkout pr393

[Freeipa-devel] [freeipa PR#426][opened] DNSSEC: forwarders validation improvement

2017-01-31 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/426
Author: MartinBasti
 Title: #426: DNSSEC: forwarders validation improvement
Action: opened

PR body:
"""
Some DNS servers behave oddly and, instead of sending a result without RRSIG records,
don't reply at all when the DNSSEC flag is enabled (timeout). Instead of a
hard error, IPA should handle this as a DNSSEC error and continue with
installation/adding forwarders.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/426/head:pr426
git checkout pr426
From 204b1f3e0147e418be3d50a0b5f5fa57e186ceb2 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 31 Jan 2017 16:47:44 +0100
Subject: [PATCH] DNSSEC: forwarders validation improvement

Some DNS servers behave oddly and, instead of sending a result without RRSIG records,
don't reply at all when the DNSSEC flag is enabled (timeout). Instead of a
hard error, IPA should handle this as a DNSSEC error and continue with
installation/adding forwarders.
---
 ipalib/util.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ipalib/util.py b/ipalib/util.py
index 1c354b6..1509607 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -670,8 +670,7 @@ def validate_dnssec_global_forwarder(ip_addr, log=None, timeout=10):
   timeout=timeout)
 except DNSException as e:
 _log_response(log, e)
-raise UnresolvableRecordError(owner=owner, rtype=rtype, ip=ip_addr,
-  error=e)
+raise DNSSECSignatureMissingError(owner=owner, rtype=rtype, ip=ip_addr)
 
 try:
 ans.response.find_rrset(
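
Review bot: The `except DNSException` clause catches every resolver failure, not only the timeout described in the commit message, so with this change an unreachable or refusing forwarder is also reported as `DNSSECSignatureMissingError`. The new raise also drops `error=e`, which leaves the original exception visible only through `_log_response`. Consider handling the timeout case on its own and keeping `UnresolvableRecordError(..., error=e)` for the other `DNSException` subclasses.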

[Freeipa-devel] [freeipa PR#425][opened] ipa-kra-install must create directory if it does not exist

2017-01-31 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/425
Author: flo-renaud
 Title: #425: ipa-kra-install must create directory if it does not exist
Action: opened

PR body:
"""
ipa-kra-install creates an admin cert file in
/root/.dogtag/pki-tomcat/ca_admin.cert but does not check that the
parent directory exists. This situation can happen when uninstall + restore
has been run.

The fix creates the directory if not present.

https://fedorahosted.org/freeipa/ticket/6606
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/425/head:pr425
git checkout pr425

[Freeipa-devel] [freeipa PR#393][+ack] [Py3] allow to run wsgi - part1

2017-01-31 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/393
Title: #393: [Py3] allow to run wsgi - part1

Label: +ack

[Freeipa-devel] [freeipa PR#413][comment] Complete stageuser API

2017-01-31 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/413
Title: #413: Complete stageuser API

MartinBasti commented:
"""
LGTM except first commit that shouldn't be here and `ipalib.x509: Handle 
missing SAN gracefully` has no ticket in commit message
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/413#issuecomment-276376015

[Freeipa-devel] [freeipa PR#415][comment] ca-del: require CA to already be disabled

2017-01-31 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/415
Title: #415: ca-del: require CA to already be disabled

apophys commented:
"""
Could you please extend the tests with the invalid order of the commands on a 
ca entry?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/415#issuecomment-276363432

[Freeipa-devel] [bind-dyndb-ldap PR#8][+ack] Log when pointers are different

2017-01-31 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/8
Title: #8: Log when pointers are different

Label: +ack

[Freeipa-devel] [bind-dyndb-ldap PR#8][closed] Log when pointers are different

2017-01-31 Thread tomaskrizek
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/8
Author: pemensik
 Title: #8: Log when pointers are different
Action: closed

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/8/head:pr8
git checkout pr8

[Freeipa-devel] [bind-dyndb-ldap PR#8][comment] Log when pointers are different

2017-01-31 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/8
Title: #8: Log when pointers are different

tomaskrizek commented:
"""
Thanks, this should help with the future debugging efforts.

Fixed upstream: 
[ec2e125ed1b81c41448f699c8df54da66fbc5e8c](https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/commit/?id=ec2e125ed1b81c41448f699c8df54da66fbc5e8c)
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/8#issuecomment-276355366

[Freeipa-devel] [bind-dyndb-ldap PR#8][+pushed] Log when pointers are different

2017-01-31 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/8
Title: #8: Log when pointers are different

Label: +pushed

[Freeipa-devel] [freeipa PR#416][-ack] replica install: relax domain level check for promotion

2017-01-31 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion

Label: -ack

[Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion

2017-01-31 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion

MartinBasti commented:
"""
IMO the whole `check_domain_level` is somehow broken, AFAIK the main purpose of 
it is to print correct error message related to replica file option, depending 
on current and expected domain level.

@stlaz may know more details
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/416#issuecomment-276351845

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-31 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

martbab commented:
"""
I have disabled updates-testing in the CI because of a multitude of unrelated 
breakages (recent openldap-client vs. nss breakage comes to mind), but we may 
take the SRPMS from koji and stick them to copr.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-276348713

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-31 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
The correct packages are now in updates-testing in Fedora 25, pick from there.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-276340645

[Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion

2017-01-31 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion

HonzaCholasta commented:
"""
I see. The point is, `check_domain_level()` is supposed to check whether 
replica promotion is possible or not in the current domain level, so it's weird 
it has an expected domain level argument and even weirder to introduce 
additional minimum domain level argument, when all it should have is a single 
boolean argument saying whether you want to promote or not:
```python
def check_domain_level(api, want_promote):
    ...

    promote = current >= constants.DOMAIN_LEVEL_1
    if promote != want_promote:
        raise RuntimeError(message)

    ...
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/416#issuecomment-276334410

[Freeipa-devel] [freeipa PR#417][+ack] private_ccache: yield ccache name

2017-01-31 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/417
Title: #417: private_ccache: yield ccache name

Label: +ack

[Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion

2017-01-31 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion

MartinBasti commented:
"""
expected is for domain level 0, because there are different expectations about 
replica file, it must exactly match domain level 0, you cannot have higher DL.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/416#issuecomment-276319884

[Freeipa-devel] [freeipa PR#402][comment] [master] wait_for_entry improvements

2017-01-31 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/402
Title: #402: [master] wait_for_entry improvements

dkupka commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/38fd8b356d66553d21a3e64374fdc39427a05baf
https://fedorahosted.org/freeipa/changeset/f2ec44f2705fe87b71c6290ae8b35bc0a05f68d2
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/402#issuecomment-276318805

[Freeipa-devel] [freeipa PR#402][closed] [master] wait_for_entry improvements

2017-01-31 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/402
Author: MartinBasti
 Title: #402: [master] wait_for_entry improvements
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/402/head:pr402
git checkout pr402

[Freeipa-devel] [freeipa PR#402][+pushed] [master] wait_for_entry improvements

2017-01-31 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/402
Title: #402: [master] wait_for_entry improvements

Label: +pushed

[Freeipa-devel] [freeipa PR#423][synchronized] dns-update-system-records: add support for nsupdate output format

2017-01-31 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/423
Author: MartinBasti
 Title: #423: dns-update-system-records: add support for nsupdate output format
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/423/head:pr423
git checkout pr423
From 23c3ca4761ab6cfd9a2ecee631cc2f8e4a5c3dc9 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 27 Jan 2017 13:42:19 +0100
Subject: [PATCH 1/2] DNS: dns-update-system-record can create nsupdate file

Added option --out  creates a file with IPA DNS data in nsupdate
format.

https://fedorahosted.org/freeipa/ticket/6585
---
 ipaclient/plugins/dns.py | 71 
 1 file changed, 65 insertions(+), 6 deletions(-)

diff --git a/ipaclient/plugins/dns.py b/ipaclient/plugins/dns.py
index 42ccd3d..944546f 100644
--- a/ipaclient/plugins/dns.py
+++ b/ipaclient/plugins/dns.py
@@ -35,6 +35,7 @@
 from ipalib.parameters import Bool, Str
 from ipalib.plugable import Registry
 from ipalib import _, ngettext
+from ipalib import util
 from ipapython.dnsutil import DNSName
 
 if six.PY3:
@@ -417,6 +418,63 @@ def interactive_prompt_callback(self, kw):
 
 @register(override=True, no_fail=True)
 class dns_update_system_records(MethodOverride):
+record_groups = ('ipa_records', 'location_records')
+
+def get_options(self):
+for option in super(dns_update_system_records, self).get_options():
+yield option
+yield Str(
+'out?',
+include='cli',
+doc=_('file to store DNS records in nsupdate format')
+)
+
+def _standard_output(self, textui, result, labels):
+"""Print output in standard format common across the other plugins"""
+for key in self.record_groups:
+if result.get(key):
+textui.print_indented(u'{}:'.format(labels[key]), indent=1)
+for val in sorted(result[key]):
+textui.print_indented(val, indent=2)
+textui.print_line(u'')
+
+def _nsupdate_output_file(self, file, result, labels):
+"""Store data in nsupdate format in file"""
+def parse_rname_rtype(record):
+"""Get rname and rtype from textual representation of record"""
+l = record.split(' ', 5)
+return l[0], l[3]
+
+already_removed = set()
+for key in self.record_groups:
+if result.get(key):
+file.write("; {}\n".format(labels[key]))  # comment
+for val in sorted(result[key]):
+# delete old first
+r_name_type = parse_rname_rtype(val)
+if r_name_type not in already_removed:
+# remove it only once
+already_removed.add(r_name_type)
+file.write("update delete {rname} {rtype}\n".format(
+rname=r_name_type[0], rtype=r_name_type[1]
+))
+# add new
+file.write("update add {}\n".format(val))
+file.write("send\n\n")
+
+def forward(self, *keys, **options):
+# pop `out` before sending to server as it is only client side option
+out = options.pop('out', None)
+if out:
+util.check_writable_file(out)
+
+res = super(dns_update_system_records, self).forward(*keys, **options)
+
+if out:
+options['out'] = out
+
+return res
+
 def output_for_cli(self, textui, output, *args, **options):
 output_super = copy.deepcopy(output)
 super_res = output_super.get('result', {})
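
Review bot: In `forward()`, the `if out: options['out'] = out` block after the `super().forward()` call has no effect. `options` is the local `**options` dict of this call, so writing to it after the call changes nothing the caller sees, and `res` is returned unchanged. Either drop those two lines or add a comment stating where `output_for_cli()` gets `out` from.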
@@ -431,11 +489,12 @@ def output_for_cli(self, textui, output, *args, **options):
 }
 
 result = output.get('result', {})
-for key in ('ipa_records', 'location_records'):
-if result.get(key):
-textui.print_indented(u'{}:'.format(labels[key]), indent=1)
-for val in sorted(result[key]):
-textui.print_indented(val, indent=2)
-textui.print_line(u'')
+
+self._standard_output(textui, result, labels)
+
+out = options.get('out')  # output to file
+if out:
+with open(out, "w") as f:
+self._nsupdate_output_file(f, result, labels)
 
 return int(not output['value'])
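
Review bot: `open(out, "w")` in `output_for_cli()` truncates whatever already exists at `out` and follows an existing symlink, and it runs after the command has already completed, while the only check (`util.check_writable_file(out)`) happened earlier in `forward()`. Please state in the option `doc` that an existing file is overwritten, and wrap the `open()` so that a failure at this point gives a clear error message instead of a traceback.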

From 6da4085429f505d68923a48e38b3e09c10393b09 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 30 Jan 2017 21:18:46 +0100
Subject: [PATCH 2/2] Test: DNS nsupdate from dns-update-system-records

Get nsupdate data from dns-update-system-records, remove system records
and run nsupdate to verify that all system records were updated

https://fedorahosted.org/freeipa/ticket/6585
---
 ipatests/test_integration/test_dns_locations.py | 25 +
 1 file changed, 25 insertions(+)

diff 

[Freeipa-devel] [freeipa PR#421][comment] Update warning message for replica install

2017-01-31 Thread Akasurde
  URL: https://github.com/freeipa/freeipa/pull/421
Title: #421: Update warning message for replica install

Akasurde commented:
"""
@MartinBasti I am OK for changing the warning message. I will wait for others to 
comment.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/421#issuecomment-276314536

[Freeipa-devel] [freeipa PR#421][comment] Update warning message for replica install

2017-01-31 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/421
Title: #421: Update warning message for replica install

MartinBasti commented:
"""
Hello,

I'd not omit the fact, that insufficient privilege error can be caused by 
user credentials as well, I also wouldn't mention that hostgroup must exist 
explicitly.

I propose something like this, but I'm open to any suggestions and improvements
```
Insufficient privileges to promote the server.
Possible issues:
- a user has insufficient privileges
- this client has insufficient privileges to become replica (is the host member 
of "ipaservers" group)
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/421#issuecomment-276313860

[Freeipa-devel] [freeipa PR#337][+pushed] Client-side CSR autogeneration (take 2)

2017-01-31 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/337
Title: #337: Client-side CSR autogeneration (take 2)

Label: +pushed

[Freeipa-devel] [freeipa PR#337][closed] Client-side CSR autogeneration (take 2)

2017-01-31 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/337
Author: LiptonB
 Title: #337: Client-side CSR autogeneration (take 2)
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/337/head:pr337
git checkout pr337

[Freeipa-devel] [freeipa PR#337][comment] Client-side CSR autogeneration (take 2)

2017-01-31 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/337
Title: #337: Client-side CSR autogeneration (take 2)

HonzaCholasta commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/10ef5947860f5098182b1f95c08c1158e2da15f9
https://fedorahosted.org/freeipa/changeset/fc58eff6a3d7fe805e612b8b002304d8b9cd4ba9
https://fedorahosted.org/freeipa/changeset/f1a1c6eca1b294f24174d7b0e1f78de46d9d5b05
https://fedorahosted.org/freeipa/changeset/afd7c05d11432304bfdf183832a21d419f363689
https://fedorahosted.org/freeipa/changeset/a26cf0d7910dd4c0a4da08682b4be8d3d94ba520
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/337#issuecomment-276312283

[Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion

2017-01-31 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion

HonzaCholasta commented:
"""
Excuse me, but what is the point of checking for an exact domain level? 
Shouldn't `check_domain_level()` rather always check for a minimum domain level?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/416#issuecomment-276308946

[Freeipa-devel] [freeipa PR#402][+ack] [master] wait_for_entry improvements

2017-01-31 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/402
Title: #402: [master] wait_for_entry improvements

Label: +ack

[Freeipa-devel] [freeipa PR#423][synchronized] dns-update-system-records: add support for nsupdate output format

2017-01-31 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/423
Author: MartinBasti
 Title: #423: dns-update-system-records: add support for nsupdate output format
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/423/head:pr423
git checkout pr423
From 56b42b34e9896fdacc2beb767bb0e0633d347d3d Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 27 Jan 2017 13:42:19 +0100
Subject: [PATCH 1/2] DNS: dns-update-system-record can create nsupdate file

Added option --out  creates a file with IPA DNS data in nsupdate
format.

https://fedorahosted.org/freeipa/ticket/6585
---
 ipaclient/plugins/dns.py | 72 
 1 file changed, 66 insertions(+), 6 deletions(-)

diff --git a/ipaclient/plugins/dns.py b/ipaclient/plugins/dns.py
index 42ccd3d..2cb9d5a 100644
--- a/ipaclient/plugins/dns.py
+++ b/ipaclient/plugins/dns.py
@@ -26,6 +26,7 @@
 
 from ipaclient.frontend import MethodOverride
 from ipalib import errors
+from ipalib import Flag
 from ipalib.dns import (get_record_rrtype,
 has_cli_options,
 iterate_rrparams_by_parts,
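
Review bot: `from ipalib import Flag` is added here, but `Flag` is not used anywhere in this patch; the new option is declared with `Str('out?', ...)`. Please drop the import.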
@@ -35,6 +36,7 @@
 from ipalib.parameters import Bool, Str
 from ipalib.plugable import Registry
 from ipalib import _, ngettext
+from ipalib import util
 from ipapython.dnsutil import DNSName
 
 if six.PY3:
@@ -417,6 +419,63 @@ def interactive_prompt_callback(self, kw):
 
 @register(override=True, no_fail=True)
 class dns_update_system_records(MethodOverride):
+record_groups = ('ipa_records', 'location_records')
+
+def get_options(self):
+for option in super(dns_update_system_records, self).get_options():
+yield option
+yield Str(
+'out?',
+include='cli',
+doc=_('file to store DNS records in nsupdate format')
+)
+
+def _standard_output(self, textui, result, labels):
+"""Print output in standard format common across the other plugins"""
+for key in self.record_groups:
+if result.get(key):
+textui.print_indented(u'{}:'.format(labels[key]), indent=1)
+for val in sorted(result[key]):
+textui.print_indented(val, indent=2)
+textui.print_line(u'')
+
+def _nsupdate_output_file(self, file, result, labels):
+"""Store data in nsupdate format in file"""
+def parse_rname_rtype(record):
+"""Get rname and rtype from textual representation of record"""
+l = record.split(' ', 5)
+return l[0], l[3]
+
+already_removed = set()
+for key in self.record_groups:
+if result.get(key):
+file.write("; {}\n".format(labels[key]))  # comment
+for val in sorted(result[key]):
+# delete old first
+r_name_type = parse_rname_rtype(val)
+if r_name_type not in already_removed:
+# remove it only once
+already_removed.add(r_name_type)
+file.write("update delete {rname} {rtype}\n".format(
+rname=r_name_type[0], rtype=r_name_type[1]
+))
+# add new
+file.write("update add {}\n".format(val))
+file.write("send\n\n")
+
+def forward(self, *keys, **options):
+# pop `out` before sending to server as it is only client side option
+out = options.pop('out', None)
+if out:
+util.check_writable_file(out)
+
+res = super(dns_update_system_records, self).forward(*keys, **options)
+
+if out:
+options['out'] = out
+
+return res
+
 def output_for_cli(self, textui, output, *args, **options):
 output_super = copy.deepcopy(output)
 super_res = output_super.get('result', {})
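
Review bot: `parse_rname_rtype()` relies on `record.split(' ', 5)` and then reads `l[0]` and `l[3]`, which assumes the record text always has at least four fields separated by exactly one space. A doubled space or a tab shifts the fields, and a shorter record raises `IndexError`. Splitting with `record.split(None, 4)` and checking the length would be safer; a docstring naming the expected field order would help too, and `l` is an easy name to misread.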
@@ -431,11 +490,12 @@ def output_for_cli(self, textui, output, *args, **options):
 }
 
 result = output.get('result', {})
-for key in ('ipa_records', 'location_records'):
-if result.get(key):
-textui.print_indented(u'{}:'.format(labels[key]), indent=1)
-for val in sorted(result[key]):
-textui.print_indented(val, indent=2)
-textui.print_line(u'')
+
+self._standard_output(textui, result, labels)
+
+out = options.get('out')  # output to file
+if out:
+with open(out, "w") as f:
+self._nsupdate_output_file(f, result, labels)
 
 return int(not output['value'])

From a707cf99d9ac4c417b17f9145830eb01b26e885a Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 30 Jan 2017 21:18:46 +0100
Subject: [PATCH 2/2] Test: DNS nsupdate from dns-update-system-records

Get nsupdate data from dns-update-system-records, 

[Freeipa-devel] [freeipa PR#416][+ack] replica install: relax domain level check for promotion

2017-01-31 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion

Label: +ack

[Freeipa-devel] [freeipa PR#422][+ack] Fix reference before assignment

2017-01-31 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/422
Title: #422: Fix reference before assignment

Label: +ack

[Freeipa-devel] [freeipa PR#424][opened] Tests: fix wait_for_replication task

2017-01-31 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/424
Author: MartinBasti
 Title: #424: Tests: fix wait_for_replication task
Action: opened

PR body:
"""
DS changed the format of the replication status attribute. It now has the
prefix "Error (x)", where x is the error code.

Both formats were kept to allow tests to run on older and newer
versions of DS.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/424/head:pr424
git checkout pr424
From ade8a8fc9f98c91b53ab2944b6e2a6d79fbdddb3 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 31 Jan 2017 09:19:22 +0100
Subject: [PATCH] Tests: fix wait_for_replication task

DS changed the format of the replication status attribute. It now has the
prefix "Error (x)", where x is the error code.

Both formats were kept to allow tests to run on older and newer
versions of DS.
---
 ipatests/test_integration/tasks.py | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 5a9d526..f6fa451 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1067,8 +1067,15 @@ def wait_for_replication(ldap, timeout=30):
 filter='(objectclass=nsds5replicationagreement)',
 attrs_list=[status_attr, progress_attr])
 log.debug('Replication agreements: \n%s', _entries_to_ldif(entries))
-if any(not e.single_value[status_attr].startswith('0 ')
-   for e in entries):
+if any(
+not (
+# older DS format
+e.single_value[status_attr].startswith('0 ') or
+# newer DS format
+e.single_value[status_attr].startswith('Error (0) ')
+)
+for e in entries
+):
 log.error('Replication error')
 continue
 if any(e.single_value[progress_attr] == 'TRUE' for e in entries):
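
Review bot: The two `startswith()` calls on `e.single_value[status_attr]` can be a single call with a tuple, `startswith(('0 ', 'Error (0) '))`, which removes the nested `not (... or ...)` and the repeated attribute lookup. It would also help if the `log.error('Replication error')` line included the status value that failed the check, since the format has now changed once already.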
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
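
The two status formats this PR describes, parsed by error code rather than matched by prefix, as an added example that is not part of the FreeIPA patch. The function names and the sample status strings are constructed for illustration; only the `<code> <message>` and `Error (<code>) <message>` shapes come from the PR.

```python
import re

# Older DS: "<code> <message>"; newer DS: "Error (<code>) <message>".
_STATUS_RE = re.compile(
    r"^(?:Error \((?P<new>-?\d+)\)|(?P<old>-?\d+))(?:\s+(?P<msg>.*))?$",
    re.DOTALL,
)

# Constructed sample values, not captured from a real server.
SAMPLE_STATUSES = {
    "old_ok": "0 Replica acquired successfully: Incremental update succeeded",
    "new_ok": "Error (0) Replica acquired successfully: Incremental update succeeded",
    "new_fail": "Error (18) Replication error acquiring replica: transient error",
    "old_fail": "-1 Unable to acquire replica",
    "garbage": "0Replica acquired",
}


def parse_replication_status(value):
    """Return (code, message) for either status format.

    Raises ValueError when the value matches neither format, so a future
    format change fails loudly instead of looking like a replication error.
    """
    match = _STATUS_RE.match(value.strip())
    if match is None:
        raise ValueError("unrecognized replication status: %r" % (value,))
    # Exactly one of the two named groups is set; both are non-empty digit strings.
    code = match.group("new") or match.group("old")
    return int(code), match.group("msg") or ""


def failed_agreements(statuses):
    """Map agreement name -> reason for every agreement that is not at code 0."""
    failures = {}
    for name, value in statuses.items():
        try:
            code, message = parse_replication_status(value)
        except ValueError as exc:
            # Unknown format: report it separately from a real error code.
            failures[name] = str(exc)
            continue
        if code != 0:
            failures[name] = "code %d: %s" % (code, message)
    return failures


if __name__ == "__main__":
    for name, reason in sorted(failed_agreements(SAMPLE_STATUSES).items()):
        print(name, "->", reason)
```

Reporting an unparsable value separately from a non-zero code makes the next format change visible in the test log rather than as a silent timeout.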

[Freeipa-devel] [freeipa PR#423][opened] dns-update-system-records: add support for nsupdate output format

2017-01-31 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/423
Author: MartinBasti
 Title: #423: dns-update-system-records: add support for nsupdate output format
Action: opened

PR body:
"""
Option --out does the trick
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/423/head:pr423
git checkout pr423
From 472fb7d73295fd582a71a23dd819e81fb3f049d2 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 27 Jan 2017 13:42:19 +0100
Subject: [PATCH 1/2] DNS: dns-update-system-record can create nsupdate file

Added option --out  creates a file with IPA DNS data in nsupdate
format.

https://fedorahosted.org/freeipa/ticket/6585
---
 ipaclient/plugins/dns.py | 71 
 1 file changed, 65 insertions(+), 6 deletions(-)

diff --git a/ipaclient/plugins/dns.py b/ipaclient/plugins/dns.py
index 42ccd3d..0c612a3 100644
--- a/ipaclient/plugins/dns.py
+++ b/ipaclient/plugins/dns.py
@@ -26,6 +26,7 @@
 
 from ipaclient.frontend import MethodOverride
 from ipalib import errors
+from ipalib import Flag
 from ipalib.dns import (get_record_rrtype,
 has_cli_options,
 iterate_rrparams_by_parts,
@@ -35,6 +36,7 @@
 from ipalib.parameters import Bool, Str
 from ipalib.plugable import Registry
 from ipalib import _, ngettext
+from ipalib import util
 from ipapython.dnsutil import DNSName
 
 if six.PY3:
@@ -417,6 +419,62 @@ def interactive_prompt_callback(self, kw):
 
 @register(override=True, no_fail=True)
 class dns_update_system_records(MethodOverride):
+record_groups = ('ipa_records', 'location_records')
+def get_options(self):
+for option in super(dns_update_system_records, self).get_options():
+yield option
+yield Str(
+'out?',
+include='cli',
+doc=_('file to store DNS records in nsupdate format')
+)
+
+def _standard_output(self, textui, result, labels):
+"""Print output in standard format common across the other plugins"""
+for key in self.record_groups:
+if result.get(key):
+textui.print_indented(u'{}:'.format(labels[key]), indent=1)
+for val in sorted(result[key]):
+textui.print_indented(val, indent=2)
+textui.print_line(u'')
+
+def _nsupdate_output_file(self, file, result, labels):
+"""Store data in nsupdate format in file"""
+def parse_rname_rtype(record):
+"""Get rname and rtype from textual representation of record"""
+l = record.split(' ', 5)
+return l[0], l[3]
+
+already_removed = set()
+for key in self.record_groups:
+if result.get(key):
+file.write("; {}\n".format(labels[key]))  # comment
+for val in sorted(result[key]):
+# delete old first
+r_name_type = parse_rname_rtype(val)
+if r_name_type not in already_removed:
+# remove it only once
+already_removed.add(r_name_type)
+file.write("update delete {rname} {rtype}\n".format(
+rname=r_name_type[0], rtype=r_name_type[1]
+))
+# add new
+file.write("update add {}\n".format(val))
+file.write("send\n\n")
+
+def forward(self, *keys, **options):
+# pop `out` before sending to server as it is only client side option
+out = options.pop('out', None)
+if out:
+util.check_writable_file(out)
+
+res = super(dns_update_system_records, self).forward(*keys, **options)
+
+if out:
+options['out'] = out
+
+return res
+
 def output_for_cli(self, textui, output, *args, **options):
 output_super = copy.deepcopy(output)
 super_res = output_super.get('result', {})
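Review bot: parse_rname_rtype() in _nsupdate_output_file() takes l[0] and l[3] from record.split(' ', 5), so it relies on every record string being "name ttl class type rdata" separated by exactly one space. A record with fewer than four fields raises IndexError, and a doubled space shifts the fields so the wrong token ends up as the type in the "update delete" line. Split on any whitespace with record.split(None, 4), check that at least four fields came back before indexing, and rename the single-letter variable l. Separately, in forward() the trailing "if out: options['out'] = out" only modifies the local keyword dict after the server call has returned, so it has no effect and can be removed; output_for_cli() reads 'out' from its own options.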
@@ -431,11 +489,12 @@ def output_for_cli(self, textui, output, *args, **options):
 }
 
 result = output.get('result', {})
-for key in ('ipa_records', 'location_records'):
-if result.get(key):
-textui.print_indented(u'{}:'.format(labels[key]), indent=1)
-for val in sorted(result[key]):
-textui.print_indented(val, indent=2)
-textui.print_line(u'')
+
+self._standard_output(textui, result, labels)
+
+out = options.get('out')  # output to file
+if out:
+with open(out, "w") as f:
+self._nsupdate_output_file(f, result, labels)
 
 return int(not output['value'])
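Review bot: open(out, "w") in output_for_cli() has no error handling, and the only check on the path, util.check_writable_file(out), ran earlier in forward() before the server call. If the path stops being writable in between, the failure surfaces as an unhandled exception after the server call has already completed. Catch the I/O error here and report it as a normal CLI error. The file is also written whatever output['value'] is, and an existing file is truncated without notice; state in the option's doc string whether both are intended.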

From 4428fc65c01a4135f99892baefd52e8896b4ef49 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 30 Jan 2017 21:18:46 +0100
Subject: [PATCH 2/2] Test: DNS nsupdate from dns-update-system-records

Get nsupdate