[Freeipa-devel] [freeipa PR#396][synchronized] Explicitly remove support of SSLv2

2017-02-07 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/396
Author: stlaz
 Title: #396: Explicitly remove support of SSLv2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/396/head:pr396
git checkout pr396
From 2761cbf779c97fd590913c21e753e673236d3378 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 13 Jan 2017 12:31:29 +0100
Subject: [PATCH] Explicitly remove support of SSLv2

It was possible to set tls_version_min/max to 'ssl2', even though
newer versions of NSS will fail to set this as a valid TLS version.
This patch explicitly checks for deprecated TLS versions prior to
creating a TLS connection.

Also, we don't allow tls_version_min/max to be set to a random
string anymore.

https://fedorahosted.org/freeipa/ticket/6607
---
 ipalib/config.py| 22 ++--
 ipalib/constants.py | 10 +
 ipapython/nsslib.py | 59 +++--
 3 files changed, 87 insertions(+), 4 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..f717732 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -41,8 +41,11 @@
 
 from ipapython.dn import DN
 from ipalib.base import check_name
-from ipalib.constants import CONFIG_SECTION
-from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
+from ipalib.constants import (
+CONFIG_SECTION,
+OVERRIDE_ERROR, SET_ERROR, DEL_ERROR,
+TLS_VERSIONS
+)
 from ipalib import errors
 
 if six.PY3:
@@ -578,6 +581,21 @@ def _finalize_core(self, **defaults):
 
 self._merge(**defaults)
 
+# set the best known TLS version if min/max versions are not set
+if 'tls_version_min' not in self:
+self.tls_version_min = TLS_VERSIONS[-1]
+elif self.tls_version_min not in TLS_VERSIONS:
+raise errors.EnvironmentError(
+"Unknown TLS version '{ver}' set in tls_version_min."
+.format(ver=self.tls_version_min))
+
+if 'tls_version_max' not in self:
+self.tls_version_max = TLS_VERSIONS[-1]
+elif self.tls_version_max not in TLS_VERSIONS:
+raise errors.EnvironmentError(
+"Unknown TLS version '{ver}' set in tls_version_max."
+.format(ver=self.tls_version_max))
+
 def _finalize(self, **lastchance):
 """
 Finalize and lock environment.
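Review bot: the defaults at the top of the hunk can produce a span that the later check rejects: when an admin sets only tls_version_max (say 'tls1.1'), tls_version_min silently defaults to TLS_VERSIONS[-1], which is higher than the max, and the user later gets a "tls_version_min is higher than tls_version_max" failure for a value they never set. Default the minimum to TLS_VERSION_MINIMAL (or to the configured max) instead, and adjust the comment, since "best known TLS version" describes a sensible maximum, not a minimum. The two validation branches are also copy-pasted; a small loop over ('tls_version_min', 'tls_version_max') would keep the error message in one place.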
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 81643da..1e8f51a 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -276,3 +276,13 @@
 
 # regexp definitions
 PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
+
+# TLS related constants
+TLS_VERSIONS = [
+"ssl2",
+"ssl3",
+"tls1.0",
+"tls1.1",
+"tls1.2"
+]
+TLS_VERSION_MINIMAL = "tls1.0"
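Review bot: TLS_VERSIONS still lists "ssl2" and "ssl3" as known versions, so the config-time validation added in ipalib/config.py accepts exactly the value this patch sets out to remove; the actual enforcement only happens at connection time via TLS_VERSION_MINIMAL in nsslib. Either drop the SSL entries from the list, or add a comment on TLS_VERSION_MINIMAL saying that values below it are recognised only so that a configured "ssl2"/"ssl3" is reported and raised rather than rejected as unknown.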
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 08d05fc..ce3e5f6 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -23,6 +23,8 @@
 import getpass
 import socket
 from ipapython.ipa_log_manager import root_logger
+from ipapython.ipa_log_manager import log_mgr
+from ipalib.constants import TLS_VERSIONS, TLS_VERSION_MINIMAL
 
 from nss.error import NSPRError
 import nss.io as io
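Review bot: the new `from ipalib.constants import ...` makes ipapython depend on ipalib, which inverts the layering the rest of the patch follows (ipalib/config.py above imports from ipapython.dn, not the other way round); consider placing TLS_VERSIONS and TLS_VERSION_MINIMAL in a module under ipapython and re-exporting them from ipalib.constants. The two `from ipapython.ipa_log_manager import ...` lines can also be merged into one.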
@@ -129,6 +131,57 @@ def client_auth_data_callback(ca_names, chosen_nickname, password, certdb):
 socket.AF_UNSPEC: io.PR_AF_UNSPEC
 }
 
+
+def get_proper_tls_version_span(tls_version_min, tls_version_max):
+"""
+This function checks whether the given TLS versions are known in FreeIPA
+and that these versions fulfill the requirements for minimal TLS version
+(see `ipalib.constants: TLS_VERSIONS, TLS_VERSION_MINIMAL`).
+
+:param tls_version_min:
+the lower value in the TLS min-max span, raised to the lowest allowed
+value if too low
+:param tls_version_max:
+the higher value in the TLS min-max span, raised to tls_version_min
+if lower than TLS_VERSION_MINIMAL
+"""
+logger = log_mgr.get_logger(__name__)
+
+min_allowed_idx = TLS_VERSIONS.index(TLS_VERSION_MINIMAL)
+
+try:
+min_version_idx = TLS_VERSIONS.index(tls_version_min)
+except ValueError:
+raise RuntimeError("tls_version_min ('{val}') is not a known "
+   "TLS version.".format(val=tls_version_min))
+
+try:
+max_version_idx = TLS_VERSIONS.index(tls_version_max)
+except ValueError:
+raise RuntimeError("tls_version_max ('{val}') is not a known "
+   "TLS version.".format(val=tls_version_max))
+
+if min_version_idx > max_version_idx:
+raise RuntimeError("tls_version_min is higher than "
+   "tls_version_max.")
+
+if min_version_idx < min_allowed_idx:
+min_version_idx = min_allowed_idx
+logger.warning("tls_version_min set too low ('{old}'),"
+   "using '{new}' instead"
+   
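Review bot: the warning near the end of the hunk is split over two string literals without a separator, so it renders as "...too low ('ssl3'),using 'tls1.0' instead"; add the space after the comma. The min > max comparison also runs before the minimum is clamped, so with min = max = "ssl3" the check passes and the clamped minimum ends up above the maximum; the docstring promises that tls_version_max is raised too, so make sure that happens after the clamp (or compare after clamping). Finally, the function re-validates membership in TLS_VERSIONS with RuntimeError while ipalib/config.py in this same patch already rejects unknown values with errors.EnvironmentError; pick one exception type, or note in the docstring that this is a defensive check for callers that bypass the config.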

[Freeipa-devel] FreeIPA and wildcard certificates

2017-02-07 Thread Martin Kosek
Hi Fraser and the list,

I recently was in a conversation about integrating OpenShift with FreeIPA. One
of the gaps was around generating a wildcard certificate by FreeIPA that will
be used in the default OpenShift router for applications that do not deploy their own
certificates [1].

Is there any way that FreeIPA can generate it? I was thinking that uploading
some custom certificate profile in FreeIPA may let us get such certificate...
Or is the only way we can add it by adding a new RFE in FreeIPA, tracked in
[2]?

Thanks!

[1]
https://docs.openshift.com/container-platform/3.4/install_config/router/default_haproxy_router.html#using-wildcard-certificates
[2] https://fedorahosted.org/freeipa/ticket/3475

-- 
Martin Kosek 
Manager, Software Engineering - Identity Management Team
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [freeipa PR#427][closed] [Py3] WSGI part 2

2017-02-07 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/427
Author: MartinBasti
 Title: #427: [Py3] WSGI part 2
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/427/head:pr427
git checkout pr427

[Freeipa-devel] [freeipa PR#427][+pushed] [Py3] WSGI part 2

2017-02-07 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/427
Title: #427: [Py3] WSGI part 2

Label: +pushed

[Freeipa-devel] [freeipa PR#427][comment] [Py3] WSGI part 2

2017-02-07 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/427
Title: #427: [Py3] WSGI part 2

HonzaCholasta commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/caa560ca79e4038b161b27d11e3f144606dbbcdb
https://fedorahosted.org/freeipa/changeset/a93b2bea5ce88a934ba2ab39bdaa518fb55064c4
https://fedorahosted.org/freeipa/changeset/a3d3b0ad2537c9d11d9c6108c31e079f0dfcf31c
https://fedorahosted.org/freeipa/changeset/03d0a55e8a21a334ca4dc625527cae93633a7314
https://fedorahosted.org/freeipa/changeset/a584758cfb87567a9c640ae107903b0f6c9fec30
https://fedorahosted.org/freeipa/changeset/ab53d80883320060769b7bfada2a813b345b9e4a
https://fedorahosted.org/freeipa/changeset/4c84341b8bc14cd19a4e2c2df4c13b95ff7eeb05
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/427#issuecomment-278250082

[Freeipa-devel] [freeipa PR#427][+ack] [Py3] WSGI part 2

2017-02-07 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/427
Title: #427: [Py3] WSGI part 2

Label: +ack

Re: [Freeipa-devel] [DESIGN] IPA permission enforcement in Dogtag

2017-02-07 Thread Jan Cholasta

On 8.2.2017 08:06, Fraser Tweedale wrote:

On Wed, Feb 08, 2017 at 08:02:18AM +0100, Jan Cholasta wrote:

On 8.2.2017 07:29, Fraser Tweedale wrote:

On Mon, Feb 06, 2017 at 10:24:31AM +0100, Jan Cholasta wrote:

On 17.1.2017 08:57, David Kupka wrote:

On 13/01/17 08:07, Fraser Tweedale wrote:

Related to design:
http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication

Currently there are some operations that hit the CA that involve a
number of privileged operations against the CA, but for which there
is only one associated IPA permission.  Deleting a CA is a good
example (but it is one specific case of a more general issue).
Summary of current ca-del behaviour:

1. Disable LWCA in Dogtag (uses RA Agent cert)
2. Delete LWCA in Dogtag (uses RA Agent cert)
3. Delete CA entry from IPA (requires "System: Delete CA" permission)

So there are two things going on under the hood: a modify operation
(disable CA) and the delete.

When we implement proxy authentication to Dogtag, Dogtag will
enforce the IPA permissions on its operations.  Disable will map to
"System: Modify CA" and delete to "System: Delete CA".  So to delete
a CA a user will need *both* permissions.  Which could be
surprising.

There are a couple of reasonable approaches to this.

1. Decouple the disable and delete operations.  If CA is not
disabled, the user will be instructed to execute the ca-disable
command separately before they can disable the CA.  This introduces
an additional manual step for operators.

2. Just improve the error reporting.  In my WIP, for a user that has
'System: Delete CA' permission but not 'System: Modify CA', the
reported failure is a 403 Authorization Error from Dogtag.  We can
add guards to fail more gracefully.

I lean towards #2 because I guess the common case will be that users
either get all CA admin permissions, or none, and we don't want to
make more work (in the form of more commands to run) for users in
the common case.

I welcome alternative views and suggestions.

Thanks,
Fraser


Hi Fraser,
as a user with "System: Delete CA" permission calling "ca-del" command I
would be really surprised that I don't have enough privileges to
complete the action.

I would expect:
a) "Cannot delete active CA, disable it first" error.
b) Delete will be completed successfully. All internal and to my sight
hidden operations will be allowed just because I'm allowed to perform
the delete operation.

I think that b) might lead to strange exceptions in authorization
checking and therefore to security issues. So I would prefer decoupling
ca-disable and ca-del as you're describing in 1).


IMO having to disable the CA before deletion is an implementation detail and
should not be exposed to the user at all. Why do we have to disable the CA
from IPA in ca-del? I would expect Dogtag to disable it itself internally
when it's being deleted.


The CA requiring disablement before deletion is a property of how
Dogtag Lightweight CAs are implemented.  I don't intend to change this
(besides, it might need to be this way for Common Criteria; a
similar restriction exists for profiles).


OK.



We could make it so that in IPA context, delete permission implies
disable permission.  Currently (in Dogtag) permission to
enable/disable is the 'modify' permission.  So to do this without
implying that someone with 'delete' permission has 'modify'
permission, I'd need to add an explicit 'enable/disable ca'
permission.


+1



This is a good idea, but it is more work to add the required ACLs
(which will need to be done during IPA upgrade or installation).
I'll shelve https://github.com/freeipa/freeipa/pull/415 for now, but
keep the patch in my working branch and code it out later, if
there's time before release.  Otherwise we might need to keep it
until there's time for the proper fix, so that things don't break.


OK. I can give you a hand with the ACLs if you want.


Thanks.  The ACLs are part of Dogtag actually; so when we upgrade to
a version of Dogtag with the new permissions, new ACLs will need to
be added.  There will be two versions of the ACLs: one set for use
with RA Agent cert authn, and one set for use with externally
authenticated FreeIPA principals.

There are a handful of similar "new ACLs to chase Dogtag changes"
that will be part of the GSS-API work.  I have a good understanding
of what needs to happen.


I see. I thought you meant ACIs on the IPA side.

Are we not going to rely on our ACIs for access control in Dogtag + GSSAPI?



Cheers,
Fraser




--
Jan Cholasta



Re: [Freeipa-devel] [DESIGN] IPA permission enforcement in Dogtag

2017-02-07 Thread Fraser Tweedale
On Wed, Feb 08, 2017 at 08:02:18AM +0100, Jan Cholasta wrote:
> On 8.2.2017 07:29, Fraser Tweedale wrote:
> > On Mon, Feb 06, 2017 at 10:24:31AM +0100, Jan Cholasta wrote:
> > > On 17.1.2017 08:57, David Kupka wrote:
> > > > On 13/01/17 08:07, Fraser Tweedale wrote:
> > > > > Related to design:
> > > > > http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> > > > > 
> > > > > Currently there are some operations that hit the CA that involve a
> > > > > number of privileged operations against the CA, but for which there
> > > > > is only one associated IPA permission.  Deleting a CA is a good
> > > > > example (but it is one specific case of a more general issue).
> > > > > Summary of current ca-del behaviour:
> > > > > 
> > > > > 1. Disable LWCA in Dogtag (uses RA Agent cert)
> > > > > 2. Delete LWCA in Dogtag (uses RA Agent cert)
> > > > > 3. Delete CA entry from IPA (requires "System: Delete CA" permission)
> > > > > 
> > > > > So there are two things going on under the hood: a modify operation
> > > > > (disable CA) and the delete.
> > > > > 
> > > > > When we implement proxy authentication to Dogtag, Dogtag will
> > > > > enforce the IPA permissions on its operations.  Disable will map to
> > > > > "System: Modify CA" and delete to "System: Delete CA".  So to delete
> > > > > a CA a user will need *both* permissions.  Which could be
> > > > > surprising.
> > > > > 
> > > > > There are a couple of reasonable approaches to this.
> > > > > 
> > > > > 1. Decouple the disable and delete operations.  If CA is not
> > > > > disabled, the user will be instructed to execute the ca-disable
> > > > > command separately before they can disable the CA.  This introduces
> > > > > an additional manual step for operators.
> > > > > 
> > > > > 2. Just improve the error reporting.  In my WIP, for a user that has
> > > > > 'System: Delete CA' permission but not 'System: Modify CA', the
> > > > > reported failure is a 403 Authorization Error from Dogtag.  We can
> > > > > add guards to fail more gracefully.
> > > > > 
> > > > > I lean towards #2 because I guess the common case will be that users
> > > > > either get all CA admin permissions, or none, and we don't want to
> > > > > make more work (in the form of more commands to run) for users in
> > > > > the common case.
> > > > > 
> > > > > I welcome alternative views and suggestions.
> > > > > 
> > > > > Thanks,
> > > > > Fraser
> > > > > 
> > > > Hi Fraser,
> > > > as a user with "System: Delete CA" permission calling "ca-del" command I
> > > > would be really surprised that I don't have enough privileges to
> > > > complete the action.
> > > > 
> > > > I would expect:
> > > > a) "Cannot delete active CA, disable it first" error.
> > > > b) Delete will be completed successfully. All internal and to my sight
> > > > hidden operations will be allowed just because I'm allowed to perform
> > > > the delete operation.
> > > > 
> > > > I think that b) might lead to strange exceptions in authorization
> > > > checking and therefore to security issues. So I would prefer decoupling
> > > > ca-disable and ca-del as you're describing in 1).
> > > 
> > > IMO having to disable the CA before deletion is an implementation detail 
> > > and
> > > should not be exposed to the user at all. Why do we have to disable the CA
> > > from IPA in ca-del? I would expect Dogtag to disable it itself internally
> > > when it's being deleted.
> > > 
> > The CA requiring disablement before deletion is a property of how
> > Dogtag Lightweight CAs are implemented.  I don't intend to change this
> > (besides, it might need to be this way for Common Criteria; a
> > similar restriction exists for profiles).
> 
> OK.
> 
> > 
> > We could make it so that in IPA context, delete permission implies
> > disable permission.  Currently (in Dogtag) permission to
> > enable/disable is the 'modify' permission.  So to do this without
> > implying that someone with 'delete' permission has 'modify'
> > permission, I'd need to add an explicit 'enable/disable ca'
> > permission.
> 
> +1
> 
> > 
> > This is a good idea, but it is more work to add the required ACLs
> > (which will need to be done during IPA upgrade or installation).
> > I'll shelve https://github.com/freeipa/freeipa/pull/415 for now, but
> > keep the patch in my working branch and code it out later, if
> > there's time before release.  Otherwise we might need to keep it
> > until there's time for the proper fix, so that things don't break.
> 
> OK. I can give you a hand with the ACLs if you want.
> 
Thanks.  The ACLs are part of Dogtag actually; so when we upgrade to
a version of Dogtag with the new permissions, new ACLs will need to
be added.  There will be two versions of the ACLs: one set for use
with RA Agent cert authn, and one set for use with externally
authenticated FreeIPA principals.

There are a handful of similar "new ACLs to chase Dogtag changes"
that will be part of the GSS-API work.  I have a good understanding
of what needs to 

Re: [Freeipa-devel] [DESIGN] IPA permission enforcement in Dogtag

2017-02-07 Thread Jan Cholasta

On 8.2.2017 07:29, Fraser Tweedale wrote:

On Mon, Feb 06, 2017 at 10:24:31AM +0100, Jan Cholasta wrote:

On 17.1.2017 08:57, David Kupka wrote:

On 13/01/17 08:07, Fraser Tweedale wrote:

Related to design:
http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication

Currently there are some operations that hit the CA that involve a
number of privileged operations against the CA, but for which there
is only one associated IPA permission.  Deleting a CA is a good
example (but it is one specific case of a more general issue).
Summary of current ca-del behaviour:

1. Disable LWCA in Dogtag (uses RA Agent cert)
2. Delete LWCA in Dogtag (uses RA Agent cert)
3. Delete CA entry from IPA (requires "System: Delete CA" permission)

So there are two things going on under the hood: a modify operation
(disable CA) and the delete.

When we implement proxy authentication to Dogtag, Dogtag will
enforce the IPA permissions on its operations.  Disable will map to
"System: Modify CA" and delete to "System: Delete CA".  So to delete
a CA a user will need *both* permissions.  Which could be
surprising.

There are a couple of reasonable approaches to this.

1. Decouple the disable and delete operations.  If CA is not
disabled, the user will be instructed to execute the ca-disable
command separately before they can disable the CA.  This introduces
an additional manual step for operators.

2. Just improve the error reporting.  In my WIP, for a user that has
'System: Delete CA' permission but not 'System: Modify CA', the
reported failure is a 403 Authorization Error from Dogtag.  We can
add guards to fail more gracefully.

I lean towards #2 because I guess the common case will be that users
either get all CA admin permissions, or none, and we don't want to
make more work (in the form of more commands to run) for users in
the common case.

I welcome alternative views and suggestions.

Thanks,
Fraser


Hi Fraser,
as a user with "System: Delete CA" permission calling "ca-del" command I
would be really surprised that I don't have enough privileges to
complete the action.

I would expect:
a) "Cannot delete active CA, disable it first" error.
b) Delete will be completed successfully. All internal and to my sight
hidden operations will be allowed just because I'm allowed to perform
the delete operation.

I think that b) might lead to strange exceptions in authorization
checking and therefore to security issues. So I would prefer decoupling
ca-disable and ca-del as you're describing in 1).


IMO having to disable the CA before deletion is an implementation detail and
should not be exposed to the user at all. Why do we have to disable the CA
from IPA in ca-del? I would expect Dogtag to disable it itself internally
when it's being deleted.


The CA requiring disablement before deletion is a property of how
Dogtag Lightweight CAs are implemented.  I don't intend to change this
(besides, it might need to be this way for Common Criteria; a
similar restriction exists for profiles).


OK.



We could make it so that in IPA context, delete permission implies
disable permission.  Currently (in Dogtag) permission to
enable/disable is the 'modify' permission.  So to do this without
implying that someone with 'delete' permission has 'modify'
permission, I'd need to add an explicit 'enable/disable ca'
permission.


+1



This is a good idea, but it is more work to add the required ACLs
(which will need to be done during IPA upgrade or installation).
I'll shelve https://github.com/freeipa/freeipa/pull/415 for now, but
keep the patch in my working branch and code it out later, if
there's time before release.  Otherwise we might need to keep it
until there's time for the proper fix, so that things don't break.


OK. I can give you a hand with the ACLs if you want.



Thanks,
Fraser




--
Jan Cholasta



[Freeipa-devel] [freeipa PR#415][closed] ca-del: require CA to already be disabled

2017-02-07 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/415
Author: frasertweedale
 Title: #415: ca-del: require CA to already be disabled
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/415/head:pr415
git checkout pr415

[Freeipa-devel] [freeipa PR#415][comment] ca-del: require CA to already be disabled

2017-02-07 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/415
Title: #415: ca-del: require CA to already be disabled

frasertweedale commented:
"""
Shelving this PR for now.  It might get resurrected later.  Discussion:
https://www.redhat.com/archives/freeipa-devel/2017-February/msg00150.html
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/415#issuecomment-278241186

Re: [Freeipa-devel] [DESIGN] IPA permission enforcement in Dogtag

2017-02-07 Thread Fraser Tweedale
On Mon, Feb 06, 2017 at 10:24:31AM +0100, Jan Cholasta wrote:
> On 17.1.2017 08:57, David Kupka wrote:
> > On 13/01/17 08:07, Fraser Tweedale wrote:
> > > Related to design:
> > > http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> > > 
> > > Currently there are some operations that hit the CA that involve a
> > > number of privileged operations against the CA, but for which there
> > > is only one associated IPA permission.  Deleting a CA is a good
> > > example (but it is one specific case of a more general issue).
> > > Summary of current ca-del behaviour:
> > > 
> > > 1. Disable LWCA in Dogtag (uses RA Agent cert)
> > > 2. Delete LWCA in Dogtag (uses RA Agent cert)
> > > 3. Delete CA entry from IPA (requires "System: Delete CA" permission)
> > > 
> > > So there are two things going on under the hood: a modify operation
> > > (disable CA) and the delete.
> > > 
> > > When we implement proxy authentication to Dogtag, Dogtag will
> > > enforce the IPA permissions on its operations.  Disable will map to
> > > "System: Modify CA" and delete to "System: Delete CA".  So to delete
> > > a CA a user will need *both* permissions.  Which could be
> > > surprising.
> > > 
> > > There are a couple of reasonable approaches to this.
> > > 
> > > 1. Decouple the disable and delete operations.  If CA is not
> > > disabled, the user will be instructed to execute the ca-disable
> > > command separately before they can disable the CA.  This introduces
> > > an additional manual step for operators.
> > > 
> > > 2. Just improve the error reporting.  In my WIP, for a user that has
> > > 'System: Delete CA' permission but not 'System: Modify CA', the
> > > reported failure is a 403 Authorization Error from Dogtag.  We can
> > > add guards to fail more gracefully.
> > > 
> > > I lean towards #2 because I guess the common case will be that users
> > > either get all CA admin permissions, or none, and we don't want to
> > > make more work (in the form of more commands to run) for users in
> > > the common case.
> > > 
> > > I welcome alternative views and suggestions.
> > > 
> > > Thanks,
> > > Fraser
> > > 
> > Hi Fraser,
> > as a user with "System: Delete CA" permission calling "ca-del" command I
> > would be really surprised that I don't have enough privileges to
> > complete the action.
> > 
> > I would expect:
> > a) "Cannot delete active CA, disable it first" error.
> > b) Delete will be completed successfully. All internal and to my sight
> > hidden operations will be allowed just because I'm allowed to perform
> > the delete operation.
> > 
> > I think that b) might lead to strange exceptions in authorization
> > checking and therefore to security issues. So I would prefer decoupling
> > ca-disable and ca-del as you're describing in 1).
> 
> IMO having to disable the CA before deletion is an implementation detail and
> should not be exposed to the user at all. Why do we have to disable the CA
> from IPA in ca-del? I would expect Dogtag to disable it itself internally
> when it's being deleted.
> 
The CA requiring disablement before deletion is a property of how
Dogtag Lightweight CAs are implemented.  I don't intend to change this
(besides, it might need to be this way for Common Criteria; a
similar restriction exists for profiles).

We could make it so that in IPA context, delete permission implies
disable permission.  Currently (in Dogtag) permission to
enable/disable is the 'modify' permission.  So to do this without
implying that someone with 'delete' permission has 'modify'
permission, I'd need to add an explicit 'enable/disable ca'
permission.

This is a good idea, but it is more work to add the required ACLs
(which will need to be done during IPA upgrade or installation).
I'll shelve https://github.com/freeipa/freeipa/pull/415 for now, but
keep the patch in my working branch and code it out later, if
there's time before release.  Otherwise we might need to keep it
until there's time for the proper fix, so that things don't break.

Thanks,
Fraser

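As an added illustration of the trade-off discussed in the thread above (example code, not from the thread or from FreeIPA), this Python model runs ca-del as the three-step sequence Fraser summarises under the policies being compared: Dogtag enforcing one permission per step, an up-front guard in IPA, and a dedicated enable/disable permission that delete implies in the IPA context. The permission name "System: Enable/Disable CA", the class and function names, and the sample LWCA are assumptions made for the example.

```python
"""Toy model of the ca-del authorization question from the thread (added
example, not FreeIPA code): ca-del runs several Dogtag operations, and once
Dogtag enforces IPA permissions each of them needs its own permission."""
from dataclasses import dataclass, field

# Permission names quoted in the thread ...
MODIFY_CA = "System: Modify CA"
DELETE_CA = "System: Delete CA"
# ... and the dedicated enable/disable permission Fraser proposes (the
# name is an assumption made for this example).
TOGGLE_CA = "System: Enable/Disable CA"


class AuthzError(Exception):
    """Where Dogtag would answer 403, or where IPA refuses up front."""


@dataclass
class Dogtag:
    """Simulated Dogtag: every operation is checked against one permission.

    acl maps operation -> permission ('disable' -> modify today, or -> the
    dedicated permission); cas maps LWCA name -> enabled flag.
    """
    acl: dict
    cas: dict = field(default_factory=dict)

    def _authorize(self, op, perms):
        need = self.acl[op]
        if need not in perms:
            raise AuthzError("403 from Dogtag: '%s' needs '%s'" % (op, need))

    def disable(self, name, perms):
        self._authorize("disable", perms)
        self.cas[name] = False

    def delete(self, name, perms):
        self._authorize("delete", perms)
        if self.cas[name]:
            raise RuntimeError("Dogtag refuses to delete an enabled LWCA")
        del self.cas[name]


def effective_perms(granted, delete_implies_toggle):
    """IPA-side expansion: delete implies enable/disable but never modify,
    which is why a separate permission is needed instead of reusing modify."""
    perms = set(granted)
    if delete_implies_toggle and DELETE_CA in perms:
        perms.add(TOGGLE_CA)
    return perms


def ca_del(dogtag, name, perms, guard):
    """ca-del as summarised in the thread: disable, delete, drop IPA entry.

    With guard=True every permission the whole sequence needs is checked
    before the first Dogtag call, so a caller lacking one gets a clear
    error and Dogtag state is never changed half-way through."""
    required = {dogtag.acl["disable"], dogtag.acl["delete"], DELETE_CA}
    if guard:
        missing = sorted(required - perms)
        if missing:
            raise AuthzError("ca-del requires: " + ", ".join(missing))
    if dogtag.cas[name]:
        dogtag.disable(name, perms)        # step 1: modify (or toggle)
    dogtag.delete(name, perms)             # step 2: delete in Dogtag
    if DELETE_CA not in perms:             # step 3: IPA's own entry
        raise AuthzError("IPA: deleting the entry needs '%s'" % DELETE_CA)
    return "deleted"


def run_scenario(granted, guard=False, explicit_toggle=False):
    """Run ca-del for a principal holding `granted` under one policy.

    Returns (outcome message, LWCA enabled flag in Dogtag afterwards;
    None once the LWCA is gone)."""
    acl = {"disable": TOGGLE_CA if explicit_toggle else MODIFY_CA,
           "delete": DELETE_CA}
    dogtag = Dogtag(acl, cas={"sub": True})    # constructed sample LWCA
    perms = effective_perms(granted, explicit_toggle)
    try:
        outcome = ca_del(dogtag, "sub", perms, guard)
    except AuthzError as exc:
        outcome = str(exc)
    return outcome, dogtag.cas.get("sub")
```

The model also covers the mirror case the thread does not spell out: a caller holding only "System: Modify CA" gets as far as disabling the LWCA before the delete step is refused, leaving Dogtag changed half-way, which the up-front guard prevents.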


[Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org

2017-02-07 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/370
Title: #370: ci: send build log to paste.fedoraproject.org

frasertweedale commented:
"""
So... any blocker on merging this?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/370#issuecomment-278236511

[Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion

2017-02-07 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion

frasertweedale commented:
"""
Any other changes requested?  What's preventing ack on this?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/416#issuecomment-278236565

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-02-07 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

abbra commented:
"""
Updated the spec file and the commit message.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-278108158

[Freeipa-devel] [freeipa PR#410][synchronized] ipa-kdb: support KDB DAL version 6.1

2017-02-07 Thread abbra
   URL: https://github.com/freeipa/freeipa/pull/410
Author: abbra
 Title: #410: ipa-kdb: support KDB DAL version 6.1
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/410/head:pr410
git checkout pr410
From a08f150ae7f9e98a13f65d120f374d264ca4f0c3 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Tue, 24 Jan 2017 11:02:30 +0200
Subject: [PATCH] ipa-kdb: support KDB DAL version 6.1

DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As a result, the FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).

DAL version 6.1 added a special callback for freeing e_data structure.
See details at krb5/krb5#596

Restructure KDB driver code to provide this callback in case
we are built against DAL version that supports it. For DAL version
prior to 6.0 use this callback in the free_principal callback to
tidy the code.

Use explicit KDB version dependency in Fedora 26+ via BuildRequires.

With a new DAL version, the freeipa package will fail to build and
we'll have to add support for the new DAL version explicitly.

https://fedorahosted.org/freeipa/ticket/6619
---
 configure.ac | 21 ++
 daemons/ipa-kdb/ipa_kdb.c| 42 ++--
 daemons/ipa-kdb/ipa_kdb.h|  2 ++
 daemons/ipa-kdb/ipa_kdb_principals.c | 42 
 freeipa.spec.in  |  8 +++
 5 files changed, 95 insertions(+), 20 deletions(-)

diff --git a/configure.ac b/configure.ac
index 8fdc731..570f382 100644
--- a/configure.ac
+++ b/configure.ac
@@ -65,6 +65,27 @@ krb5rundir="${localstatedir}/run/krb5kdc"
 AC_SUBST(KRAD_LIBS)
 AC_SUBST(krb5rundir)
 
+AC_CHECK_HEADER(kdb.h, [], [AC_MSG_ERROR([kdb.h not found])])
+AC_CHECK_MEMBER(
+	[kdb_vftabl.free_principal],
+	[AC_DEFINE([HAVE_KDB_FREEPRINCIPAL], [1],
+		   [KDB driver API has free_principal callback])],
+	[AC_MSG_NOTICE([KDB driver API has no free_principal callback])],
+	[[#include ]])
+AC_CHECK_MEMBER(
+	[kdb_vftabl.free_principal_e_data],
+	[AC_DEFINE([HAVE_KDB_FREEPRINCIPAL_EDATA], [1],
+		   [KDB driver API has free_principal_e_data callback])],
+	[AC_MSG_NOTICE([KDB driver API has no free_principal_e_data callback])],
+	[[#include ]])
+
+if test "x$ac_cv_member_kdb_vftabl_free_principal" = "xno" \
+	-a "x$ac_cv_member_kdb_vftable_free_principal_e_data" = "xno" ; then
+AC_MSG_WARN([KDB driver API does not allow to free Kerberos principal data.])
+AC_MSG_WARN([KDB driver will leak memory on Kerberos principal use])
+AC_MSG_WARN([See https://github.com/krb5/krb5/pull/596 for details])
+fi
+
 dnl ---
 dnl - Check for OpenLDAP SDK
 dnl ---
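Review bot: the second variable in the `if test` two lines above the first `AC_MSG_WARN` is misspelled: it reads `ac_cv_member_kdb_vftable_free_principal_e_data` (note `vftable`), while `AC_CHECK_MEMBER([kdb_vftabl.free_principal_e_data], ...)` caches its result in `ac_cv_member_kdb_vftabl_free_principal_e_data`. The misspelled name is always empty, so `"x$..." = "xno"` is never true, the `-a` conjunction never holds and the three warnings about leaking principal data can never fire; rename it to match the first variable. Separately, `test ... -a ...` is among the constructs the autoconf portability notes advise against; `AS_IF([test "x$a" = xno && test "x$b" = xno], [...])` is the idiomatic form.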
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index e96353f..e74ab56 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -625,6 +625,9 @@ static void ipadb_free(krb5_context context, void *ptr)
 
 /* KDB Virtual Table */
 
+/* We explicitly want to keep different ABI tables below separate. */
+/* Do not merge them together. Older ABI does not need to be updated */
+
 #if KRB5_KDB_DAL_MAJOR_VERSION == 5
 kdb_vftabl kdb_function_table = {
 .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
@@ -657,8 +660,9 @@ kdb_vftabl kdb_function_table = {
 .audit_as_req = ipadb_audit_as_req,
 .check_allowed_to_delegate = ipadb_check_allowed_to_delegate
 };
+#endif
 
-#elif KRB5_KDB_DAL_MAJOR_VERSION == 6
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
 kdb_vftabl kdb_function_table = {
 .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
 .min_ver = 0,
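Review bot: turning the former `#elif KRB5_KDB_DAL_MAJOR_VERSION == 6` into independent `#if ... #endif` blocks leaves no branch for an unrecognised DAL major version: when neither the version 5 nor either version 6 condition matches, `kdb_function_table` is simply never defined and the problem only surfaces when krb5kdc fails to load the module. Consider ending the chain with `#else` / `#error "unsupported KDB DAL version"` so an unknown DAL version fails at compile time, which is also where the commit message says new DAL versions should be caught.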
@@ -686,8 +690,42 @@ kdb_vftabl kdb_function_table = {
 .audit_as_req = ipadb_audit_as_req,
 .check_allowed_to_delegate = ipadb_check_allowed_to_delegate
 };
+#endif
+
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
+kdb_vftabl kdb_function_table = {
+.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+.min_ver = 1,
+.init_library = ipadb_init_library,
+.fini_library = ipadb_fini_library,
+.init_module = ipadb_init_module,
+.fini_module = ipadb_fini_module,
+.create = ipadb_create,
+.get_age = ipadb_get_age,
+.get_principal = ipadb_get_principal,
+.put_principal = ipadb_put_principal,
+.delete_principal = ipadb_delete_principal,
+.iterate = ipadb_iterate,
+.create_policy = ipadb_create_pwd_policy,
+.get_policy = ipadb_get_pwd_policy,
+.put_policy = ipadb_put_pwd_policy,
+.iter_policy = ipadb_iterate_pwd_policy,
+.delete_policy = ipadb_delete_pwd_policy,
+.fetch_master_key = ipadb_fetch_master_key,
+.store_master_key_list = ipadb_store_master_key_list,
+

[Freeipa-devel] [freeipa PR#410][synchronized] ipa-kdb: support KDB DAL version 6.1

2017-02-07 Thread abbra
   URL: https://github.com/freeipa/freeipa/pull/410
Author: abbra
 Title: #410: ipa-kdb: support KDB DAL version 6.1
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/410/head:pr410
git checkout pr410
From 284a8d4917b41fbe38ce879919196459a4a3ddfe Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Tue, 24 Jan 2017 11:02:30 +0200
Subject: [PATCH 1/2] ipa-kdb: support KDB DAL version 6.1

DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As a result, the FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).

DAL version 6.1 added a special callback for freeing e_data structure.
See details at krb5/krb5#596

Restructure the KDB driver code to provide this callback in case
we are built against a DAL version that supports it. For DAL versions
prior to 6.0, use this callback in the free_principal callback to
tidy the code.

https://fedorahosted.org/freeipa/ticket/6619
---
 configure.ac | 21 ++
 daemons/ipa-kdb/ipa_kdb.c| 42 ++--
 daemons/ipa-kdb/ipa_kdb.h|  2 ++
 daemons/ipa-kdb/ipa_kdb_principals.c | 42 
 freeipa.spec.in  |  4 
 5 files changed, 91 insertions(+), 20 deletions(-)

diff --git a/configure.ac b/configure.ac
index 6cd3a89..e2f71d7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -65,6 +65,27 @@ krb5rundir="${localstatedir}/run/krb5kdc"
 AC_SUBST(KRAD_LIBS)
 AC_SUBST(krb5rundir)
 
+AC_CHECK_HEADER(kdb.h, [], [AC_MSG_ERROR([kdb.h not found])])
+AC_CHECK_MEMBER(
+	[kdb_vftabl.free_principal],
+	[AC_DEFINE([HAVE_KDB_FREEPRINCIPAL], [1],
+		   [KDB driver API has free_principal callback])],
+	[AC_MSG_NOTICE([KDB driver API has no free_principal callback])],
+	[[#include ]])
+AC_CHECK_MEMBER(
+	[kdb_vftabl.free_principal_e_data],
+	[AC_DEFINE([HAVE_KDB_FREEPRINCIPAL_EDATA], [1],
+		   [KDB driver API has free_principal_e_data callback])],
+	[AC_MSG_NOTICE([KDB driver API has no free_principal_e_data callback])],
+	[[#include ]])
+
+if test "x$ac_cv_member_kdb_vftabl_free_principal" = "xno" \
+	-a "x$ac_cv_member_kdb_vftable_free_principal_e_data" = "xno" ; then
+AC_MSG_WARN([KDB driver API does not allow to free Kerberos principal data.])
+AC_MSG_WARN([KDB driver will leak memory on Kerberos principal use])
+AC_MSG_WARN([See https://github.com/krb5/krb5/pull/596 for details])
+fi
+
 dnl ---
 dnl - Check for OpenLDAP SDK
 dnl ---
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index e96353f..e74ab56 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -625,6 +625,9 @@ static void ipadb_free(krb5_context context, void *ptr)
 
 /* KDB Virtual Table */
 
+/* We explicitly want to keep different ABI tables below separate. */
+/* Do not merge them together. Older ABI does not need to be updated */
+
 #if KRB5_KDB_DAL_MAJOR_VERSION == 5
 kdb_vftabl kdb_function_table = {
 .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
@@ -657,8 +660,9 @@ kdb_vftabl kdb_function_table = {
 .audit_as_req = ipadb_audit_as_req,
 .check_allowed_to_delegate = ipadb_check_allowed_to_delegate
 };
+#endif
 
-#elif KRB5_KDB_DAL_MAJOR_VERSION == 6
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
 kdb_vftabl kdb_function_table = {
 .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
 .min_ver = 0,
@@ -686,8 +690,42 @@ kdb_vftabl kdb_function_table = {
 .audit_as_req = ipadb_audit_as_req,
 .check_allowed_to_delegate = ipadb_check_allowed_to_delegate
 };
+#endif
+
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
+kdb_vftabl kdb_function_table = {
+.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+.min_ver = 1,
+.init_library = ipadb_init_library,
+.fini_library = ipadb_fini_library,
+.init_module = ipadb_init_module,
+.fini_module = ipadb_fini_module,
+.create = ipadb_create,
+.get_age = ipadb_get_age,
+.get_principal = ipadb_get_principal,
+.put_principal = ipadb_put_principal,
+.delete_principal = ipadb_delete_principal,
+.iterate = ipadb_iterate,
+.create_policy = ipadb_create_pwd_policy,
+.get_policy = ipadb_get_pwd_policy,
+.put_policy = ipadb_put_pwd_policy,
+.iter_policy = ipadb_iterate_pwd_policy,
+.delete_policy = ipadb_delete_pwd_policy,
+.fetch_master_key = ipadb_fetch_master_key,
+.store_master_key_list = ipadb_store_master_key_list,
+.change_pwd = ipadb_change_pwd,
+.sign_authdata = ipadb_sign_authdata,
+.check_transited_realms = ipadb_check_transited_realms,
+.check_policy_as = ipadb_check_policy_as,
+

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-02-07 Thread frozencemetery
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

frozencemetery commented:
"""
@simo5 @abbra I'll move it over, but it won't break anything to pull in 
krb5-devel *and* krb5-kdb-version as far as I can tell.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-278088391
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#434][comment] csrgen: Automate full cert request flow

2017-02-07 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/434
Title: #434: csrgen: Automate full cert request flow

MartinBasti commented:
"""
- pylint:
```
* Module ipaclient.plugins.cert
ipaclient/plugins/cert.py:102: [W1612(unicode-builtin), cert_request.forward] 
unicode built-in referenced)
ipaclient/plugins/cert.py:127: [W1612(unicode-builtin), cert_request.forward] 
unicode built-in referenced)
ipaclient/plugins/cert.py:99: [W0612(unused-variable), cert_request.forward] 
Unused variable 'requestdata')
```

for unicode you can use either `six.string_type()` or
```
if six.PY3:
    unicode = str
```

- pep8 errors
- failing test expects DN object instead of String
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/434#issuecomment-278085296

[Freeipa-devel] [freeipa PR#433][comment] csrgen: Allow some certificate fields to be specified by the user

2017-02-07 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/433
Title: #433: csrgen: Allow some certificate fields to be specified by the user

MartinBasti commented:
"""
```
* Module ipaclient.csrgen
ipaclient/csrgen.py:376: [E1101(no-member), CSRGenerator.get_user_prompts] 
Module 'ipalib.errors' has no 'CertificateMappingError' member)
ipaclient/csrgen.py:380: [E1101(no-member), CSRGenerator.get_user_prompts] 
Module 'ipalib.errors' has no 'CertificateMappingError' member)
ipaclient/csrgen.py:385: [E1101(no-member), CSRGenerator.get_user_prompts] 
Module 'ipalib.errors' has no 'CertificateMappingError' member)
ipaclient/csrgen.py:367: [W0612(unused-variable), 
CSRGenerator.get_user_prompts] Unused variable 'syntax_rules')
* Module ipatests.test_ipaclient.test_csrgen
ipatests/test_ipaclient/test_csrgen.py:322: [W0612(unused-variable), 
test_rule_handling.test_userdata_included] Unused variable 'script')
ipatests/test_ipaclient/test_csrgen.py:324: [W0612(unused-variable), 
test_rule_handling.test_userdata_included] Unused variable 'expected_script'm)
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/433#issuecomment-278083528

[Freeipa-devel] [freeipa PR#439][synchronized] [WIP] [Py3] testing both py2/py3 in travis

2017-02-07 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/439
Author: MartinBasti
 Title: #439: [WIP] [Py3] testing both py2/py3 in travis
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/439/head:pr439
git checkout pr439
From 182650cef909592963e9f30423d2f3a7c045bd07 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 14:56:39 +0100
Subject: [PATCH 1/3] Build: allow to build only py2 rpms for fedora

This is more or less for testing purposes of py2/py3 compatibility
---
 BUILD.txt   | 5 +
 Makefile.am | 4 ++--
 freeipa.spec.in | 4 
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/BUILD.txt b/BUILD.txt
index 620adc3..9b5ff1d 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -30,6 +30,11 @@ It may be possible to do a simple make install but this has not been
 well-tested. Additional work is done in pre/post install scripts in the ipa
 spec file.
 
+To build only python2 packages on fedora following steps are required:
+$ autoreconf -i
+$ ./configure
+$ make rpms RPMBUILD_OPTS="--define 'with_python3 0'"
+
 Developing plugins
 --
 
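Review bot: the new BUILD.txt sentence needs an article and a comma to read as documentation: "To build only Python 2 packages on Fedora, the following steps are required:". The three commands themselves are correct, and quoting `RPMBUILD_OPTS="--define 'with_python3 0'"` with the inner single quotes is exactly what rpmbuild needs to receive the macro name and value as one argument.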
diff --git a/Makefile.am b/Makefile.am
index 9bfc899..0ad50e4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -106,7 +106,7 @@ rpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _rpms-body
 
 _rpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec  $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/RPMS/*/*$$(cat $(top_builddir)/.version)*.rpm $(top_builddir)/dist/rpms/
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
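Review bot: `$(RPMBUILD_OPTS)` is appended on the `-ba` line with two spaces before it while the `-bs` line in the next hunk uses one; harmless to the shell but inconsistent. More importantly the variable is never given a default in Makefile.am (an empty `RPMBUILD_OPTS =` next to the other rpmbuild settings would do), so its only documentation is the BUILD.txt paragraph; a defaulted, commented variable makes the knob discoverable from the Makefile itself. Unrelated but visible in the context line `rm -f rm -f $(top_builddir)/.version`: the duplicated `rm -f` makes the recipe also attempt to delete a file literally named `rm`, which `-f` hides; worth fixing while these recipes are being touched.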
@@ -115,7 +115,7 @@ srpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _srpms-body
 
 _srpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
 
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 27a979c..7e77b32 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -2,11 +2,15 @@
 # subpackages
 %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
 
+%if 0%{?with_python3:1}
+# with_python3 already defined
+%else
 %if 0%{?rhel}
 %global with_python3 0
 %else
 %global with_python3 1
 %endif
+%endif
 
 # lint is not executed during rpmbuild
 # %%global with_lint 1

From aeef677b29279341d85994c9b969d0a0ba9c8743 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 17:23:54 +0100
Subject: [PATCH 2/3] Travis: build only py2 packages for py2 testing

We will be testing both py2 and py3 packages; the first step is to use only py2
builds for testing py2 packages.
---
 .travis.yml |  2 ++
 .travis_run_task.sh | 10 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 6301974..402c3ee 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,8 +15,10 @@ env:
 matrix:
 - TASK_TO_RUN="lint"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_cmdline
 test_install
 test_ipalib
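Review bot: `PYTHON=/usr/bin/python2` is added to the two `run-tests` matrix entries but not to `TASK_TO_RUN="lint"`, while the `.travis_run_task.sh` hunk in this same patch deletes the `PYTHON="/usr/bin/python${TRAVIS_PYTHON_VERSION}"` fallback. The lint job therefore runs with `PYTHON` unset and passes an empty `PYTHON=` into the container. Either add `PYTHON=` to the lint entry as well or keep a default assignment in the script (for example `PYTHON="${PYTHON:-/usr/bin/python${TRAVIS_PYTHON_VERSION}}"`).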
diff --git a/.travis_run_task.sh b/.travis_run_task.sh
index 7d050b0..43fcaae 100755
--- a/.travis_run_task.sh
+++ b/.travis_run_task.sh
@@ -4,10 +4,17 @@
 #
 # NOTE: this script is intended to run in Travis CI only
 
-PYTHON="/usr/bin/python${TRAVIS_PYTHON_VERSION}"
 test_set=""
 developer_mode_opt="--developer-mode"
 
+if [[ $PYTHON == "/usr/bin/python2" ]]
+then
+env_opt="RPMBUILD_OPTS=--define 'with_python3 0'"
+else
+env_opt="RPMBUILD_OPTS="
+fi
+
+
 function truncate_log_to_test_failures() {
 # chop off everything in the CI_RESULTS_LOG preceding pytest error output
 # if there are pytest errors in the log
@@ -43,6 +50,7 @@ ipa-docker-test-runner -l $CI_RESULTS_LOG \
 -c $TEST_RUNNER_CONFIG \
 $developer_mode_opt \
 --container-environment "PYTHON=$PYTHON" \
+--container-environment $env_opt \
 --container-image $TEST_RUNNER_IMAGE \
 --git-repo $TRAVIS_BUILD_DIR \
 $TASK_TO_RUN $test_set
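Review bot: `--container-environment $env_opt` is unquoted, and `env_opt` is set in the first hunk of this file to `RPMBUILD_OPTS=--define 'with_python3 0'`. Word splitting turns that single value into three arguments (`RPMBUILD_OPTS=--define`, `'with_python3`, `0'`), so the runner receives a truncated variable definition plus two stray positional arguments instead of one `NAME=value` pair. Quote it as `--container-environment "$env_opt"`, matching the `"PYTHON=$PYTHON"` line directly above; the embedded single quotes are then preserved intact for the shell that later expands `$(RPMBUILD_OPTS)` inside the rpmbuild recipe.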

From 7c03c5153ef913f29c538f8a674288d45acb6dfb Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 18:29:08 +0100
Subject: [PATCH 3/3] Travis: enable temporal Py3 testing

This test config is temporary until all plugins are migrated to py3.
After that this temporary config file will be removed and only the
previous one will be used again.
---
 .test_runner_config_py3_temp.yaml | 154 ++
 .travis.yml   |  18 -
 2 files changed, 171 insertions(+), 1 

[Freeipa-devel] [freeipa PR#423][comment] dns-update-system-records: add support for nsupdate output format

2017-02-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/423
Title: #423: dns-update-system-records: add support for nsupdate output format

tomaskrizek commented:
"""
I added some in-line comments/questions.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/423#issuecomment-278076554

[Freeipa-devel] [freeipa PR#439][synchronized] [WIP] [Py3] testing both py2/py3 in travis

2017-02-07 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/439
Author: MartinBasti
 Title: #439: [WIP] [Py3] testing both py2/py3 in travis
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/439/head:pr439
git checkout pr439
From 182650cef909592963e9f30423d2f3a7c045bd07 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 14:56:39 +0100
Subject: [PATCH 1/3] Build: allow to build only py2 rpms for fedora

This is more or less for testing purposes of py2/py3 compatibility
---
 BUILD.txt   | 5 +
 Makefile.am | 4 ++--
 freeipa.spec.in | 4 
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/BUILD.txt b/BUILD.txt
index 620adc3..9b5ff1d 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -30,6 +30,11 @@ It may be possible to do a simple make install but this has not been
 well-tested. Additional work is done in pre/post install scripts in the ipa
 spec file.
 
+To build only python2 packages on fedora following steps are required:
+$ autoreconf -i
+$ ./configure
+$ make rpms RPMBUILD_OPTS="--define 'with_python3 0'"
+
 Developing plugins
 --
 
diff --git a/Makefile.am b/Makefile.am
index 9bfc899..0ad50e4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -106,7 +106,7 @@ rpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _rpms-body
 
 _rpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec  $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/RPMS/*/*$$(cat $(top_builddir)/.version)*.rpm $(top_builddir)/dist/rpms/
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
@@ -115,7 +115,7 @@ srpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _srpms-body
 
 _srpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
 
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 27a979c..7e77b32 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -2,11 +2,15 @@
 # subpackages
 %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
 
+%if 0%{?with_python3:1}
+# with_python3 already defined
+%else
 %if 0%{?rhel}
 %global with_python3 0
 %else
 %global with_python3 1
 %endif
+%endif
 
 # lint is not executed during rpmbuild
 # %%global with_lint 1

From aeef677b29279341d85994c9b969d0a0ba9c8743 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 17:23:54 +0100
Subject: [PATCH 2/3] Travis: build only py2 packages for py2 testing

We will be testing both py2 and py3 packages; the first step is to use only py2
builds for testing py2 packages.
---
 .travis.yml |  2 ++
 .travis_run_task.sh | 10 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 6301974..402c3ee 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,8 +15,10 @@ env:
 matrix:
 - TASK_TO_RUN="lint"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_cmdline
 test_install
 test_ipalib
diff --git a/.travis_run_task.sh b/.travis_run_task.sh
index 7d050b0..43fcaae 100755
--- a/.travis_run_task.sh
+++ b/.travis_run_task.sh
@@ -4,10 +4,17 @@
 #
 # NOTE: this script is intended to run in Travis CI only
 
-PYTHON="/usr/bin/python${TRAVIS_PYTHON_VERSION}"
 test_set=""
 developer_mode_opt="--developer-mode"
 
+if [[ $PYTHON == "/usr/bin/python2" ]]
+then
+env_opt="RPMBUILD_OPTS=--define 'with_python3 0'"
+else
+env_opt="RPMBUILD_OPTS="
+fi
+
+
 function truncate_log_to_test_failures() {
 # chop off everything in the CI_RESULTS_LOG preceding pytest error output
 # if there are pytest errors in the log
@@ -43,6 +50,7 @@ ipa-docker-test-runner -l $CI_RESULTS_LOG \
 -c $TEST_RUNNER_CONFIG \
 $developer_mode_opt \
 --container-environment "PYTHON=$PYTHON" \
+--container-environment $env_opt \
 --container-image $TEST_RUNNER_IMAGE \
 --git-repo $TRAVIS_BUILD_DIR \
 $TASK_TO_RUN $test_set

From 3d24d7075b72e1ccc4953cb920888ef29b047ed1 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 18:29:08 +0100
Subject: [PATCH 3/3] Travis: enable temporal Py3 testing

This test config is temporary until all plugins are migrated to py3.
After that this temporary config file will be removed and only the
previous one will be used again.
---
 .test_runner_config_py3_temp.yaml | 154 ++
 .travis.yml   |  17 -
 2 files changed, 170 insertions(+), 1 

[Freeipa-devel] [freeipa PR#439][synchronized] [WIP] [Py3] testing both py2/py3 in travis

2017-02-07 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/439
Author: MartinBasti
 Title: #439: [WIP] [Py3] testing both py2/py3 in travis
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/439/head:pr439
git checkout pr439
From 182650cef909592963e9f30423d2f3a7c045bd07 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 14:56:39 +0100
Subject: [PATCH 1/2] Build: allow to build only py2 rpms for fedora

This is more or less for testing purposes of py2/py3 compatibility
---
 BUILD.txt   | 5 +
 Makefile.am | 4 ++--
 freeipa.spec.in | 4 
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/BUILD.txt b/BUILD.txt
index 620adc3..9b5ff1d 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -30,6 +30,11 @@ It may be possible to do a simple make install but this has not been
 well-tested. Additional work is done in pre/post install scripts in the ipa
 spec file.
 
+To build only python2 packages on fedora following steps are required:
+$ autoreconf -i
+$ ./configure
+$ make rpms RPMBUILD_OPTS="--define 'with_python3 0'"
+
 Developing plugins
 --
 
diff --git a/Makefile.am b/Makefile.am
index 9bfc899..0ad50e4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -106,7 +106,7 @@ rpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _rpms-body
 
 _rpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec  $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/RPMS/*/*$$(cat $(top_builddir)/.version)*.rpm $(top_builddir)/dist/rpms/
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
@@ -115,7 +115,7 @@ srpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _srpms-body
 
 _srpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
 
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 27a979c..7e77b32 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -2,11 +2,15 @@
 # subpackages
 %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
 
+%if 0%{?with_python3:1}
+# with_python3 already defined
+%else
 %if 0%{?rhel}
 %global with_python3 0
 %else
 %global with_python3 1
 %endif
+%endif
 
 # lint is not executed during rpmbuild
 # %%global with_lint 1

From aeef677b29279341d85994c9b969d0a0ba9c8743 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 17:23:54 +0100
Subject: [PATCH 2/2] Travis: build only py2 packages for py2 testing

We will be testing both py2 and py3 packages; the first step is to use only py2
builds for testing py2 packages.
---
 .travis.yml |  2 ++
 .travis_run_task.sh | 10 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 6301974..402c3ee 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,8 +15,10 @@ env:
 matrix:
 - TASK_TO_RUN="lint"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_cmdline
 test_install
 test_ipalib
diff --git a/.travis_run_task.sh b/.travis_run_task.sh
index 7d050b0..43fcaae 100755
--- a/.travis_run_task.sh
+++ b/.travis_run_task.sh
@@ -4,10 +4,17 @@
 #
 # NOTE: this script is intended to run in Travis CI only
 
-PYTHON="/usr/bin/python${TRAVIS_PYTHON_VERSION}"
 test_set=""
 developer_mode_opt="--developer-mode"
 
+if [[ $PYTHON == "/usr/bin/python2" ]]
+then
+env_opt="RPMBUILD_OPTS=--define 'with_python3 0'"
+else
+env_opt="RPMBUILD_OPTS="
+fi
+
+
 function truncate_log_to_test_failures() {
 # chop off everything in the CI_RESULTS_LOG preceding pytest error output
 # if there are pytest errors in the log
@@ -43,6 +50,7 @@ ipa-docker-test-runner -l $CI_RESULTS_LOG \
 -c $TEST_RUNNER_CONFIG \
 $developer_mode_opt \
 --container-environment "PYTHON=$PYTHON" \
+--container-environment $env_opt \
 --container-image $TEST_RUNNER_IMAGE \
 --git-repo $TRAVIS_BUILD_DIR \
 $TASK_TO_RUN $test_set

[Freeipa-devel] [freeipa PR#427][synchronized] [Py3] WSGI part 2

2017-02-07 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/427
Author: MartinBasti
 Title: #427: [Py3] WSGI part 2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/427/head:pr427
git checkout pr427
From 090bc4b7d6fa8b7ed79f04f46c85f98b271d2fe8 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 24 Jan 2017 17:49:06 +0100
Subject: [PATCH 1/7] py3: base64 encoding/decoding returns always bytes don't
 mix it

Using the unicode(bytes) call causes an undesired side effect: it inserts
a `b` character into the result. This obviously causes issues with binary base64 data.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/plugins/baseldap.py | 2 +-
 ipaserver/plugins/ca.py   | 4 +---
 ipaserver/plugins/cert.py | 2 +-
 ipaserver/secrets/client.py   | 6 --
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index e7bf43c..24b6db7 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -1036,7 +1036,7 @@ def process_attr_options(self, entry_attrs, dn, keys, options):
 except ValueError:
 if isinstance(delval, bytes):
 # This is a Binary value, base64 encode it
-delval = unicode(base64.b64encode(delval))
+delval = base64.b64encode(delval).decode('ascii')
 raise errors.AttrValueNotFound(attr=attr, value=delval)
 
 # normalize all values
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 4f24278..3a052a1 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -4,8 +4,6 @@
 
 import base64
 
-import six
-
 from ipalib import api, errors, output, Bytes, DNParam, Flag, Str
 from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
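Review bot: dropping `import six` here is only safe if the `six.text_type(...)` call replaced in the next hunk was the module's sole use of `six`; this hunk cannot show the rest of `ca.py`, so run the project's lint task over the file before merging, since any remaining `six.` reference would otherwise become a NameError the first time that code path is exercised at runtime.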
@@ -176,7 +174,7 @@ def set_certificate_attrs(entry, options, want_cert=True):
 with api.Backend.ra_lightweight_ca as ca_api:
 if want_cert or full:
 der = ca_api.read_ca_cert(ca_id)
-entry['certificate'] = six.text_type(base64.b64encode(der))
+entry['certificate'] = base64.b64encode(der).decode('ascii')
 
 if want_chain or full:
 pkcs7_der = ca_api.read_ca_chain(ca_id)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 5bf4cfb..6bf5c03 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1260,7 +1260,7 @@ def _get_cert_key(self, cert):
 return (DN(cert_obj.issuer), cert_obj.serial)
 
 def _get_cert_obj(self, cert, all, raw, pkey_only):
-obj = {'certificate': unicode(base64.b64encode(cert))}
+obj = {'certificate': base64.b64encode(cert).decode('ascii')}
 
 full = not pkey_only and all
 if not raw:
diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py
index a04b9a6..a945e01 100644
--- a/ipaserver/secrets/client.py
+++ b/ipaserver/secrets/client.py
@@ -70,7 +70,8 @@ def init_creds(self):
 name = gssapi.Name(self.client_service,
gssapi.NameType.hostbased_service)
 store = {'client_keytab': self.keytab,
- 'ccache': 'MEMORY:Custodia_%s' % b64encode(os.urandom(8))}
+ 'ccache': 'MEMORY:Custodia_%s' % b64encode(
+ os.urandom(8)).decode('ascii')}
 return gssapi.Credentials(name=name, store=store, usage='initiate')
 
 def _auth_header(self):
@@ -78,7 +79,8 @@ def _auth_header(self):
 self.creds = self.init_creds()
 ctx = gssapi.SecurityContext(name=self.service_name, creds=self.creds)
 authtok = ctx.step()
-return {'Authorization': 'Negotiate %s' % b64encode(authtok)}
+return {'Authorization': 'Negotiate %s' % b64encode(
+authtok).decode('ascii')}
 
 def fetch_key(self, keyname, store=True):
 

From cc25007e23504097f63173fa18324b9586aad675 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 25 Jan 2017 14:56:07 +0100
Subject: [PATCH 2/7] py3: remove_entry_from_group: attribute name must be
 string

Do not encode attribute names

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/plugins/ldap2.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 71c095d..e671ecb 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -442,7 +442,7 @@ def remove_entry_from_group(self, dn, group_dn, member_attr='member'):
 # update group entry
 try:
 with self.error_handler():
-modlist = [(a, self.encode(b), self.encode(c))
+modlist = [(a, b, self.encode(c))
for a, b, c in modlist]
 self.conn.modify_s(str(group_dn), modlist)
 except 

[Freeipa-devel] [freeipa PR#426][comment] DNSSEC: forwarders validation improvement

2017-02-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/426
Title: #426: DNSSEC: forwarders validation improvement

tomaskrizek commented:
"""
I think the same issue can also occur in 
`validate_dnssec_zone_forwarder_step2()`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/426#issuecomment-278056789

[Freeipa-devel] [freeipa PR#440][opened] [Py3] fix various issues in tests related to BytesWarning

2017-02-07 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/440
Author: MartinBasti
 Title: #440: [Py3] fix various issues in tests related to BytesWarning
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/440/head:pr440
git checkout pr440
From 2196847478d8cb9b7a6f69db3b20b26360ffe7f1 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 2 Feb 2017 15:48:19 +0100
Subject: [PATCH 1/3] py3: DN: fix BytesWarning

Use repr() instead of str() for bytes; it has the same effect, but it
is the proper way to print bytes.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/dn.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipapython/dn.py b/ipapython/dn.py
index 2f7655d..4e8c22b 100644
--- a/ipapython/dn.py
+++ b/ipapython/dn.py
@@ -452,7 +452,7 @@ def _adjust_indices(start, end, length):
 
 def _normalize_ava_input(val):
 if six.PY3 and isinstance(val, bytes):
-raise TypeError('expected str, got bytes: %s' % val)
+raise TypeError('expected str, got bytes: %r' % val)
 elif not isinstance(val, six.string_types):
 val = val_encode(six.text_type(val))
 elif six.PY2 and isinstance(val, unicode):

From 3f5564741e3eb1927ee34f5c9834d41c6282142d Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 2 Feb 2017 16:51:21 +0100
Subject: [PATCH 2/3] py3: get_memberofindirect: fix ByteWarnings

DN must be converted to bytes as other variables and lists contain bytes

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipaldap.py  | 6 --
 ipaserver/plugins/baseldap.py | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 497b947..4de8a21 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -379,8 +379,10 @@ def _set_raw(self, name, value):
 name, value.__class__.__name__, value))
 for (i, item) in enumerate(value):
 if not isinstance(item, bytes):
-raise TypeError("%s[%d] value must be str, got %s object %r" % (
-name, i, item.__class__.__name__, item))
+raise TypeError(
+"%s[%d] value must be bytes, got %s object %r" % (
+name, i, item.__class__.__name__, item)
+)
 
 name = self._add_attr_name(name)
 
diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index e7bf43c..94c8547 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -722,7 +722,7 @@ def get_memberofindirect(self, entry):
 direct = set()
 indirect = set(entry.raw.get('memberof', []))
 for group_entry in result:
-dn = str(group_entry.dn)
+dn = str(group_entry.dn).encode('utf-8')
 if dn in indirect:
 indirect.remove(dn)
 direct.add(dn)
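Review bot: `str(group_entry.dn).encode('utf-8')` only behaves as intended on Python 3. On Python 2 `str()` already yields a byte string and `.encode()` on a py2 `str` first performs an implicit ASCII decode, so a DN containing non-ASCII characters raises UnicodeDecodeError there. Either guard the `.encode()` with the same `six.PY3` check this series uses in the `_normalize_ava_input` hunk, or obtain the text form of the DN before encoding. Separately, the membership test against `indirect` (raw `memberof` values) is a byte-exact comparison, so it relies on the server returning DNs in the same normalized form that `str(DN)` produces; that is pre-existing behaviour, but a short comment would save the next reader the question.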

From 0479dfa6030943caceef011d990fc313f8b4b8b6 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 13:37:56 +0100
Subject: [PATCH 3/3] py3: test_ipaserver: fix BytesWarnings

https://fedorahosted.org/freeipa/ticket/6633
---
 ipatests/test_ipaserver/test_rpcserver.py | 12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_ipaserver/test_rpcserver.py b/ipatests/test_ipaserver/test_rpcserver.py
index 6cc2472..7ee94d3 100644
--- a/ipatests/test_ipaserver/test_rpcserver.py
+++ b/ipatests/test_ipaserver/test_rpcserver.py
@@ -62,7 +62,7 @@ def test_not_found():
 url = '/ipa/foo/stuff'
 assert_equal(
 f.not_found(None, s, url, None),
-[t % dict(url='/ipa/foo/stuff')]
+[(t % dict(url='/ipa/foo/stuff')).encode('utf-8')]
 )
 assert s.status == '404 Not Found'
 assert s.headers == [('Content-Type', 'text/html; charset=utf-8')]
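Review bot: the same `[(t % dict(...)).encode('utf-8')]` wrapping is repeated in all four hunks of this file; a small helper in the test module, e.g. `def _expected(template, **kw): return [(template % kw).encode('utf-8')]`, keeps each assertion on one line and states the intent (WSGI response bodies are bytes) in one place. It would also be worth asserting the type of the returned body explicitly, since the point of the change is that `not_found()`, `bad_request()` and `internal_error()` now return bytes rather than text.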
@@ -72,7 +72,9 @@ def test_not_found():
 url ='' + 'do_bad_stuff();'
 assert_equal(
 f.not_found(None, s, url, None),
-[t % dict(url='nbsp;scriptdo_bad_stuff();/script')]
+[(t % dict(
+url='nbsp;scriptdo_bad_stuff();/script')
+).encode('utf-8')]
 )
 assert s.status == '404 Not Found'
 assert s.headers == [('Content-Type', 'text/html; charset=utf-8')]
@@ -86,7 +88,7 @@ def test_bad_request():
 
 assert_equal(
 f.bad_request(None, s, 'illegal request'),
-[t % dict(message='illegal request')]
+[(t % dict(message='illegal request')).encode('utf-8')]
 )
 assert s.status == '400 Bad Request'
 assert s.headers == [('Content-Type', 'text/html; charset=utf-8')]
@@ -100,7 +102,7 @@ def test_internal_error():
 
 assert_equal(
 f.internal_error(None, s, 'request failed'),
-[t % dict(message='request failed')]
+[(t % dict(message='request failed')).encode('utf-8')]
 )
 assert s.status == '500 Internal 

[Freeipa-devel] [freeipa PR#439][edited] [Py3] tests: fix various bytes related issues in tests

2017-02-07 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/439
Author: MartinBasti
 Title: #439: [Py3] tests: fix various bytes related issues in tests
Action: edited

 Changed field: title
Original value:
"""
[Py3] tests: fix various bytes related issues in tests
"""


[Freeipa-devel] [freeipa PR#439][synchronized] [Py3] tests: fix various bytes related issues in tests

2017-02-07 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/439
Author: MartinBasti
 Title: #439: [Py3] tests: fix various bytes related issues in tests
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/439/head:pr439
git checkout pr439
From 182650cef909592963e9f30423d2f3a7c045bd07 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 14:56:39 +0100
Subject: [PATCH 1/2] Build: allow to build only py2 rpms for fedora

This is more or less for testing purposes of py2/py3 compatibility
---
 BUILD.txt   | 5 +
 Makefile.am | 4 ++--
 freeipa.spec.in | 4 
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/BUILD.txt b/BUILD.txt
index 620adc3..9b5ff1d 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -30,6 +30,11 @@ It may be possible to do a simple make install but this has not been
 well-tested. Additional work is done in pre/post install scripts in the ipa
 spec file.
 
+To build only python2 packages on fedora following steps are required:
+$ autoreconf -i
+$ ./configure
+$ make rpms RPMBUILD_OPTS="--define 'with_python3 0'"
+
 Developing plugins
 --
 
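Review bot: the added BUILD.txt paragraph reads awkwardly and does not say why the flag exists; suggest `To build only Python 2 packages on Fedora (where Python 3 packages are built by default), run:` followed by the three commands. Mentioning that `RPMBUILD_OPTS` is passed verbatim to `rpmbuild`, so other `--define` options can be supplied the same way, would also help readers of Makefile.am.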
diff --git a/Makefile.am b/Makefile.am
index 9bfc899..0ad50e4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -106,7 +106,7 @@ rpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _rpms-body
 
 _rpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec  $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/RPMS/*/*$$(cat $(top_builddir)/.version)*.rpm $(top_builddir)/dist/rpms/
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
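Review bot: the `_rpms-body` line has two spaces before `$(RPMBUILD_OPTS)` while the `_srpms-body` hunk below uses one; make them consistent. `RPMBUILD_OPTS` is not declared anywhere in Makefile.am, so it silently expands to nothing, which is the intended default, but a comment next to the `rpms` target documenting the knob would help. Unrelated but visible in the context: `rm -f rm -f $(top_builddir)/.version` passes a literal `rm` and `-f` as file names and deserves a separate cleanup.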
@@ -115,7 +115,7 @@ srpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _srpms-body
 
 _srpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
 
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 27a979c..7e77b32 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -2,11 +2,15 @@
 # subpackages
 %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
 
+%if 0%{?with_python3:1}
+# with_python3 already defined
+%else
 %if 0%{?rhel}
 %global with_python3 0
 %else
 %global with_python3 1
 %endif
+%endif
 
 # lint is not executed during rpmbuild
 # %%global with_lint 1

From 1a0142addfacd4cee29cc8da1f0a86c238d00599 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 17:23:54 +0100
Subject: [PATCH 2/2] Travis: build only py2 packages for py2 testing

We will be testing both py2 and py3 packages; the first step is to use only py2
builds for testing py2 packages
---
 .travis.yml |  2 ++
 .travis_run_task.sh | 10 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 6301974..402c3ee 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,8 +15,10 @@ env:
 matrix:
 - TASK_TO_RUN="lint"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_cmdline
 test_install
 test_ipalib
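Review bot: `PYTHON=/usr/bin/python2` is added only to the two `run-tests` entries; the `TASK_TO_RUN="lint"` entry gets no `PYTHON`, yet the companion `.travis_run_task.sh` hunk removes the `PYTHON="/usr/bin/python${TRAVIS_PYTHON_VERSION}"` default. For the lint job `$PYTHON` is therefore empty and `--container-environment "PYTHON=$PYTHON"` passes an empty value; either add `PYTHON` to the lint entry as well or keep a fallback in the script.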
diff --git a/.travis_run_task.sh b/.travis_run_task.sh
index 7d050b0..b51a712 100755
--- a/.travis_run_task.sh
+++ b/.travis_run_task.sh
@@ -4,10 +4,17 @@
 #
 # NOTE: this script is intended to run in Travis CI only
 
-PYTHON="/usr/bin/python${TRAVIS_PYTHON_VERSION}"
 test_set=""
 developer_mode_opt="--developer-mode"
 
+if [[ $PYTHON == "/usr/bin/python2" ]]
+then
+env_opt="RPMBUILD_OPTS=--define \'with_python3 0\'"
+else
+env_opt="RPMBUILD_OPTS="
+fi
+
+
 function truncate_log_to_test_failures() {
 # chop off everything in the CI_RESULTS_LOG preceding pytest error output
 # if there are pytest errors in the log
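Review bot: `env_opt="RPMBUILD_OPTS=--define \'with_python3 0\'"` does not produce what the BUILD.txt example runs. Inside double quotes bash keeps `\'` as a literal backslash followed by a quote, so the value becomes `RPMBUILD_OPTS=--define \'with_python3 0\'` with the backslashes included and rpmbuild sees a malformed `--define`. Write it without the backslashes, e.g. `env_opt="RPMBUILD_OPTS=--define 'with_python3 0'"`, and quote the expansion where it is used. The two blank lines added after `fi` can also be reduced to one.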
@@ -43,6 +50,7 @@ ipa-docker-test-runner -l $CI_RESULTS_LOG \
 -c $TEST_RUNNER_CONFIG \
 $developer_mode_opt \
 --container-environment "PYTHON=$PYTHON" \
+--container-environment $env_opt \
 --container-image $TEST_RUNNER_IMAGE \
 --git-repo $TRAVIS_BUILD_DIR \
 $TASK_TO_RUN $test_set
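Review bot: `--container-environment $env_opt` is expanded unquoted, so a value containing a space (`--define 'with_python3 0'`) undergoes word splitting and `ipa-docker-test-runner` receives `RPMBUILD_OPTS=--define` followed by stray arguments; the line directly above quotes `"PYTHON=$PYTHON"` for exactly this reason. Use `--container-environment "$env_opt"` and confirm the empty-value branch (`RPMBUILD_OPTS=`) is accepted by the runner.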

[Freeipa-devel] [freeipa PR#439][opened] [Py3] tests: fix various bytes related issues in tests

2017-02-07 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/439
Author: MartinBasti
 Title: #439: [Py3] tests: fix various bytes related issues in tests
Action: opened

PR body:
"""
This is more or less for testing purposes of py2/py3 compatibility
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/439/head:pr439
git checkout pr439
From 182650cef909592963e9f30423d2f3a7c045bd07 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 14:56:39 +0100
Subject: [PATCH] Build: allow to build only py2 rpms for fedora

This is more or less for testing purposes of py2/py3 compatibility
---
 BUILD.txt   | 5 +
 Makefile.am | 4 ++--
 freeipa.spec.in | 4 
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/BUILD.txt b/BUILD.txt
index 620adc3..9b5ff1d 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -30,6 +30,11 @@ It may be possible to do a simple make install but this has not been
 well-tested. Additional work is done in pre/post install scripts in the ipa
 spec file.
 
+To build only python2 packages on fedora following steps are required:
+$ autoreconf -i
+$ ./configure
+$ make rpms RPMBUILD_OPTS="--define 'with_python3 0'"
+
 Developing plugins
 --
 
diff --git a/Makefile.am b/Makefile.am
index 9bfc899..0ad50e4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -106,7 +106,7 @@ rpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _rpms-body
 
 _rpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec  $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/RPMS/*/*$$(cat $(top_builddir)/.version)*.rpm $(top_builddir)/dist/rpms/
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
@@ -115,7 +115,7 @@ srpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _srpms-body
 
 _srpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
 
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 27a979c..7e77b32 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -2,11 +2,15 @@
 # subpackages
 %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
 
+%if 0%{?with_python3:1}
+# with_python3 already defined
+%else
 %if 0%{?rhel}
 %global with_python3 0
 %else
 %global with_python3 1
 %endif
+%endif
 
 # lint is not executed during rpmbuild
 # %%global with_lint 1

[Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check

2017-02-07 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
 Title: #437: FIPS: replica install check
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/437/head:pr437
git checkout pr437
From bef382c8b3039c39aafdad7203932d92e7670162 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 13:08:11 +0100
Subject: [PATCH 1/3] Add fips_mode variable to env

The variable fips_mode, indicating whether the machine is running in
FIPS-enabled mode, was added to env.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..4002164 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -44,6 +44,7 @@
 from ipalib.constants import CONFIG_SECTION
 from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
 from ipalib import errors
+from ipaplatform.tasks import tasks
 
 if six.PY3:
 unicode = str
@@ -497,6 +498,10 @@ def _bootstrap(self, **overrides):
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
 
+# Set fips_mode:
+if 'fips_mode' not in self:
+self.fips_mode = tasks.is_fips_enabled()
+
 def _finalize_core(self, **defaults):
 """
 Complete initialization of standard IPA environment.
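Review bot: `from ipaplatform.tasks import tasks` pulls platform-specific code into `ipalib/config.py`, which is imported in every context (client CLI, server, tests); please check that `ipaplatform.tasks` is importable everywhere `ipalib` is and that it does not introduce an import cycle back into `ipalib`. Since the value is computed in `_bootstrap`, it can be overridden from the configuration file like any other env key; the replica check in patch 3/3 should therefore read `api.env.fips_mode` rather than call `tasks.is_fips_enabled()` a second time.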

From cd8a3982dadc32fe65fc8b2e4d98c3c574a84f33 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 17:17:49 +0100
Subject: [PATCH 2/3] check_remote_version: update exception and string

Refactor function to use ScriptError exception and proper
string formatting.
---
 ipaserver/install/server/replicainstall.py | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 18222c8..f9951b0 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -518,12 +518,15 @@ def check_remote_version(api):
 finally:
 client.disconnect()
 
+# Check version compatibility
 remote_version = parse_version(env['version'])
 api_version = parse_version(api.env.version)
 if remote_version > api_version:
-raise RuntimeError(
-"Cannot install replica of a server of higher version ({}) than"
-"the local version ({})".format(remote_version, api_version))
+raise ScriptError(
+"Cannot install replica of a server of higher version "
+"(%(remote_version)s) than the local version (%(api_version)s)"
+% dict(remote_version=remote_version, api_version=api_version))
+
 
 
 def common_check(no_ntp):
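Review bot: the extra `+` blank line before `def common_check` leaves three blank lines between two top-level functions; PEP 8 and the rest of this module use two. Worth mentioning in the commit message: the old `RuntimeError` text was missing a space between `than"` and `"the local`, which the `%(remote_version)s` rewrite fixes.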

From 8b07c3bbedf1b873fd96604ea462965b08457f26 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 17:31:56 +0100
Subject: [PATCH 3/3] FIPS: perform replica installation check

Check status of remote server's FIPS mode and proceed with
installation only if it matches the current replica's FIPS mode.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/server/replicainstall.py | 25 ++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index f9951b0..620c37c 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -508,13 +508,20 @@ def promote_openldap_conf(hostname, master):
 root_logger.info("Failed to update {}: {}".format(ldap_conf, e))
 
 
-def check_remote_version(api):
+def check_remote_compatibility(api):
+"""
+Perform a check to verify remote server's version and fips-mode
+
+:param api: remote api
+
+:raises: ``ScriptError`` if the checks fails
+"""
 client = rpc.jsonclient(api)
 client.finalize()
 
 client.connect()
 try:
-env = client.forward(u'env', u'version')['result']
+env = client.forward(u'env', u'version', u'fips_mode')['result']
 finally:
 client.disconnect()
 
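Review bot: the docstring has a grammar slip (`if the checks fails` should be `if the check fails`) and `:param api: remote api` is misleading: `api` is the local API object from which `rpc.jsonclient(api)` builds the connection to the remote server. Since the function is renamed from `check_remote_version` to `check_remote_compatibility`, every caller must be updated in the same commit; the tail of this patch is cut off in the listing, so that cannot be verified here.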
@@ -527,6 +534,18 @@ def check_remote_version(api):
 "(%(remote_version)s) than the local version (%(api_version)s)"
 % dict(remote_version=remote_version, api_version=api_version))
 
+# Check FIPS mode compatibility
+remote_fips_mode = env['fips_mode']
+fips_mode = tasks.is_fips_enabled()
+if fips_mode != remote_fips_mode:
+if fips_mode:
+raise ScriptError(
+"Cannot join FIPS-enabled replica into existing topology: "
+"FIPS is not enabled on the master server.")
+else:
+raise ScriptError(
+"Cannot join replica into existing FIPS-enabled topology: "
+"FIPS has to be enabled locally first.")
 
 
 def common_check(no_ntp):
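Review bot: `env['fips_mode']` raises KeyError when the remote server does not report the variable, i.e. any master that predates patch 1/3 of this series, so the installer would fail with a traceback instead of one of the two ScriptError messages. Decide explicitly how such a server is treated (most likely as non-FIPS, `env.get('fips_mode', False)`) and record that in a comment. Also, patch 1/3 added `api.env.fips_mode` for this purpose; calling `tasks.is_fips_enabled()` again here bypasses any override from the config file and needs a `tasks` import in this module that is not shown in the hunk.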
@@ 

[Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check

2017-02-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

tomaskrizek commented:
"""
Thanks for the feedback. Hopefully I addressed all the concerns above in the 
update.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/437#issuecomment-278035787

[Freeipa-devel] [freeipa PR#438][synchronized] ipaldap: preserve order of values in LDAPEntry._sync()

2017-02-07 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/438
Author: HonzaCholasta
 Title: #438: ipaldap: preserve order of values in LDAPEntry._sync()
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/438/head:pr438
git checkout pr438
From 822495ea1adfc944dab824565d7d0edea61acd41 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 7 Feb 2017 14:11:24 +0100
Subject: [PATCH] ipaldap: preserve order of values in LDAPEntry._sync()

In Python 2, the order was preserved by accident.

This change makes sure the order is preserved in both Python 2 and 3.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipaldap.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 497b947..108adbf 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -292,13 +292,13 @@ def _sync_attr(self, name):
 continue
 nice.remove(value)
 
-for value in nice_adds:
+for value in sorted(nice_adds, key=nice.index):
 value = self._conn.encode(value)
 if value in raw_dels:
 continue
 raw.append(value)
 
-for value in raw_adds:
+for value in sorted(raw_adds, key=raw.index):
 try:
 value = self._conn.decode(value, name)
 except ValueError as e:
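Review bot: `sorted(nice_adds, key=nice.index)` calls `list.index` once per added value, each a linear scan, so ordering costs O(n·m); fine for typical attribute sizes, but a one-line comment that this restores the insertion order of the original list would help. The same applies to `sorted(raw_adds, key=raw.index)`. Note that `raw.index` runs against the live `raw` list, which the preceding loop has already appended to; for values in `raw_adds` (present in `raw` but not in `raw_sync`) the position is still well-defined, which is worth stating since it is not obvious.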

[Freeipa-devel] [freeipa PR#396][comment] Explicitly remove support of SSLv2

2017-02-07 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/396
Title: #396: Explicitly remove support of SSLv2

HonzaCholasta commented:
"""
@stlaz, you don't have to replace `root_logger` in old code, but don't use it 
in new code.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/396#issuecomment-278028074

[Freeipa-devel] [freeipa PR#396][synchronized] Explicitly remove support of SSLv2

2017-02-07 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/396
Author: stlaz
 Title: #396: Explicitly remove support of SSLv2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/396/head:pr396
git checkout pr396
From c59b2aef542d4a394283703d24718399af0d5d30 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 13 Jan 2017 12:31:29 +0100
Subject: [PATCH] Explicitly remove support of SSLv2

It was possible to set tls_version_min/max to 'ssl2', even though
newer versions of NSS will fail to set this as a valid TLS version.
This patch explicitly checks for deprecated TLS versions prior to
creating a TLS connection.

Also, we don't allow tls_version_min/max to be set to a random
string anymore.

https://fedorahosted.org/freeipa/ticket/6607
---
 ipalib/config.py| 22 --
 ipalib/constants.py | 10 ++
 ipapython/nsslib.py | 46 --
 3 files changed, 74 insertions(+), 4 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..f717732 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -41,8 +41,11 @@
 
 from ipapython.dn import DN
 from ipalib.base import check_name
-from ipalib.constants import CONFIG_SECTION
-from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
+from ipalib.constants import (
+CONFIG_SECTION,
+OVERRIDE_ERROR, SET_ERROR, DEL_ERROR,
+TLS_VERSIONS
+)
 from ipalib import errors
 
 if six.PY3:
@@ -578,6 +581,21 @@ def _finalize_core(self, **defaults):
 
 self._merge(**defaults)
 
+# set the best known TLS version if min/max versions are not set
+if 'tls_version_min' not in self:
+self.tls_version_min = TLS_VERSIONS[-1]
+elif self.tls_version_min not in TLS_VERSIONS:
+raise errors.EnvironmentError(
+"Unknown TLS version '{ver}' set in tls_version_min."
+.format(ver=self.tls_version_min))
+
+if 'tls_version_max' not in self:
+self.tls_version_max = TLS_VERSIONS[-1]
+elif self.tls_version_max not in TLS_VERSIONS:
+raise errors.EnvironmentError(
+"Unknown TLS version '{ver}' set in tls_version_max."
+.format(ver=self.tls_version_max))
+
 def _finalize(self, **lastchance):
 """
 Finalize and lock environment.
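Review bot: defaulting both `tls_version_min` and `tls_version_max` to `TLS_VERSIONS[-1]` means an unconfigured client accepts only TLS 1.2; the comment says "best known", but if a range is intended the minimum should default to `TLS_VERSION_MINIMAL` from the constants hunk, and a change in default behaviour belongs in the commit message either way. Separately, validating against the whole `TLS_VERSIONS` list still lets `ssl2` and `ssl3` pass here; their removal is enforced only later in `nsslib`, with a warning. If the intent is to "explicitly remove" the deprecated versions, rejecting them here with the same `EnvironmentError` makes the misconfiguration visible to the administrator instead of silently bumping the value.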
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 81643da..1e8f51a 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -276,3 +276,13 @@
 
 # regexp definitions
 PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
+
+# TLS related constants
+TLS_VERSIONS = [
+"ssl2",
+"ssl3",
+"tls1.0",
+"tls1.1",
+"tls1.2"
+]
+TLS_VERSION_MINIMAL = "tls1.0"
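Review bot: `get_proper_tls_version_span()` relies on the order of `TLS_VERSIONS` (index comparisons), so the list must stay sorted from oldest to newest; add a comment stating that and consider a tuple, since the constant is never mutated. `TLS_VERSION_MINIMAL` should likewise be documented as the lowest version IPA still allows, which is how nsslib uses it.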
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 08d05fc..9f8fd3c 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -23,6 +23,7 @@
 import getpass
 import socket
 from ipapython.ipa_log_manager import root_logger
+from ipalib.constants import TLS_VERSIONS, TLS_VERSION_MINIMAL
 
 from nss.error import NSPRError
 import nss.io as io
@@ -129,6 +130,45 @@ def client_auth_data_callback(ca_names, chosen_nickname, password, certdb):
 socket.AF_UNSPEC: io.PR_AF_UNSPEC
 }
 
+
+def get_proper_tls_version_span(tls_version_min, tls_version_max):
+# every tls version from `tls_versions` prior to min_allowed_idx
+# is deprecated in IPA
+min_allowed_idx = TLS_VERSIONS.index(TLS_VERSION_MINIMAL)
+
+try:
+min_version_idx = TLS_VERSIONS.index(tls_version_min)
+except ValueError:
+raise RuntimeError("tls_version_min ('{val}') is not a known "
+   "TLS version.".format(val=tls_version_min))
+
+try:
+max_version_idx = TLS_VERSIONS.index(tls_version_max)
+except ValueError:
+raise RuntimeError("tls_version_max ('{val}') is not a known "
+   "TLS version.".format(val=tls_version_max))
+
+if min_version_idx > max_version_idx:
+raise RuntimeError("tls_version_min is higher than "
+   "tls_version_max.")
+
+if min_version_idx < min_allowed_idx:
+min_version_idx = min_allowed_idx
+root_logger.warning("tls_version_min set too low ('{old}'),"
+"using '{new}' instead"
+.format(old=tls_version_min,
+new=TLS_VERSIONS[min_version_idx]))
+
+if max_version_idx < min_allowed_idx:
+max_version_idx = min_version_idx
+root_logger.warning("tls_version_max set too low ('{old}'),"
+"using '{new}' instead"
+.format(old=tls_version_max,
+new=TLS_VERSIONS[max_version_idx]))
+
+return TLS_VERSIONS[min_version_idx:max_version_idx+1]
+
+
 class 
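Review bot: the leading comment refers to `tls_versions`, but the constant is `TLS_VERSIONS`; turn it into a docstring describing the inputs, the returned slice and the two RuntimeError cases. The warnings go through `root_logger`; per the review comment on this PR, new code should use a module-level logger instead. Finally, a configured `tls_version_min` below `TLS_VERSION_MINIMAL` is silently raised with only a warning while an unknown string is a hard error; given the PR title, consider making a deprecated version a hard error too, or at least state the chosen policy in the docstring, since a warning in a client log is easy to miss.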

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
I added 1.5.0 as a dep in freeipa.spec.in and rebased the PR
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-278008429

[Freeipa-devel] [freeipa PR#396][comment] Explicitly remove support of SSLv2

2017-02-07 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/396
Title: #396: Explicitly remove support of SSLv2

stlaz commented:
"""
Did not realize merging to Env from default constants was happening at the end 
of `_finalize_core()`, moved the checks in config.py accordingly.
Also, for some reason, github shows the `root_logger` issue as solved but it's not 
- should all `root_logger` appearances be replaced by a module-own logger?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/396#issuecomment-277996232

[Freeipa-devel] [freeipa PR#438][opened] ipaldap: preserve order of values in LDAPEntry._sync()

2017-02-07 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/438
Author: HonzaCholasta
 Title: #438: ipaldap: preserve order of values in LDAPEntry._sync()
Action: opened

PR body:
"""
In Python 2, the order was preserved by accident.

This change makes sure the order is preserved in both Python 2 and 3.

https://fedorahosted.org/freeipa/ticket/4985
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/438/head:pr438
git checkout pr438
From 8eab66daa2ba503bc9ae3ce0b5f650e330b1a371 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 7 Feb 2017 14:11:24 +0100
Subject: [PATCH] ipaldap: preserve order of values in LDAPEntry._sync()

In Python 2, the order was preserved by accident.

This change makes sure the order is preserved in both Python 2 and 3.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipaldap.py | 32 
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 497b947..24dc896 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -271,40 +271,48 @@ def _sync_attr(self, name):
 if nice == nice_sync and raw == raw_sync:
 return
 
-nice_adds = set(nice) - set(nice_sync)
-nice_dels = set(nice_sync) - set(nice)
-raw_adds = set(raw) - set(raw_sync)
-raw_dels = set(raw_sync) - set(raw)
+nice_set = set(nice)
+raw_set = set(raw)
+nice_sync_set = set(nice_sync)
+raw_sync_set = set(raw_sync)
 
-for value in nice_dels:
+for value in nice_sync:
+if value in nice_set:
+continue
 value = self._conn.encode(value)
-if value in raw_adds:
+if value in raw_set and value not in raw_sync_set:
 continue
 raw.remove(value)
 
-for value in raw_dels:
+for value in raw_sync:
+if value in raw_set:
+continue
 try:
 value = self._conn.decode(value, name)
 except ValueError as e:
 raise ValueError("{error} in LDAP entry '{dn}'".format(
 error=e, dn=self._dn))
-if value in nice_adds:
+if value in nice_set and value not in nice_sync_set:
 continue
 nice.remove(value)
 
-for value in nice_adds:
+for value in nice:
+if value in nice_sync_set:
+continue
 value = self._conn.encode(value)
-if value in raw_dels:
+if value in raw_sync_set and value not in raw_set:
 continue
 raw.append(value)
 
-for value in raw_adds:
+for value in raw:
+if value in raw_sync_set:
+continue
 try:
 value = self._conn.decode(value, name)
 except ValueError as e:
 raise ValueError("{error} in LDAP entry '{dn}'".format(
 error=e, dn=self._dn))
-if value in nice_dels:
+if value in nice_sync_set and value not in nice_set:
 continue
 nice.append(value)
 
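Review bot: the last loop iterates the live `raw` list, but the loop before it has just appended to `raw` the encoded form of every value added on the `nice` side. Those new entries are not in `raw_sync_set`, so they are decoded and, because the decoded value is in `nice_set`, appended to `nice` a second time, producing duplicates. The removed `raw_adds = set(raw) - set(raw_sync)` did not have this problem because the snapshot was taken before any append. Take an ordered snapshot next to `raw_set`, e.g. `raw_adds = [v for v in raw if v not in raw_sync_set]`, and iterate that instead (and the same for `nice` for symmetry).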

[Freeipa-devel] [freeipa PR#396][synchronized] Explicitly remove support of SSLv2

2017-02-07 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/396
Author: stlaz
 Title: #396: Explicitly remove support of SSLv2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/396/head:pr396
git checkout pr396
From db2b762293815c1263b3ce9390f564fe9e611735 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 13 Jan 2017 12:31:29 +0100
Subject: [PATCH] Explicitly remove support of SSLv2

It was possible to set tls_version_min/max to 'ssl2', even though
newer versions of NSS will fail to set this as a valid TLS version.
This patch explicitly checks for deprecated TLS versions prior to
creating a TLS connection.

Also, we don't allow tls_version_min/max to be set to a random
string anymore.

https://fedorahosted.org/freeipa/ticket/6607
---
 ipalib/config.py| 19 +--
 ipalib/constants.py | 10 ++
 ipapython/nsslib.py | 46 --
 3 files changed, 71 insertions(+), 4 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..79f7a82 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -41,8 +41,11 @@
 
 from ipapython.dn import DN
 from ipalib.base import check_name
-from ipalib.constants import CONFIG_SECTION
-from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
+from ipalib.constants import (
+CONFIG_SECTION,
+OVERRIDE_ERROR, SET_ERROR, DEL_ERROR,
+TLS_VERSIONS
+)
 from ipalib import errors
 
 if six.PY3:
@@ -497,6 +500,7 @@ def _bootstrap(self, **overrides):
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
 
+
 def _finalize_core(self, **defaults):
 """
 Complete initialization of standard IPA environment.
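Review bot: stray whitespace-only change: the added blank line leaves two blank lines between `_bootstrap` and `_finalize_core` inside the class body; drop it from the patch.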
@@ -578,6 +582,17 @@ def _finalize_core(self, **defaults):
 
 self._merge(**defaults)
 
+if self.tls_version_min not in TLS_VERSIONS:
+raise errors.EnvironmentError(
+"Unknown TLS version '{ver}' set in tls_version_min."
+.format(self.tls_version_min))
+
+if self.tls_version_max not in TLS_VERSIONS:
+raise errors.EnvironmentError(
+"Unknown TLS version '{ver}' set in tls_version_max."
+.format(self.tls_version_max))
+
+
 def _finalize(self, **lastchance):
 """
 Finalize and lock environment.
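Review bot: `"Unknown TLS version '{ver}' set in tls_version_min." .format(self.tls_version_min)` passes the value positionally while the template uses a named field, so the error path itself raises `KeyError: 'ver'`; use `.format(ver=self.tls_version_min)`, and the same in the `tls_version_max` branch. Also `self.tls_version_min` is read without first checking `'tls_version_min' in self`, unlike the `if 'plugins_on_demand' not in self` pattern in `_bootstrap`, so an environment that does not set the key fails before validation runs. Drop the two trailing blank lines before `def _finalize` as well.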
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 81643da..1e8f51a 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -276,3 +276,13 @@
 
 # regexp definitions
 PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
+
+# TLS related constants
+TLS_VERSIONS = [
+"ssl2",
+"ssl3",
+"tls1.0",
+"tls1.1",
+"tls1.2"
+]
+TLS_VERSION_MINIMAL = "tls1.0"
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 08d05fc..9f8fd3c 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -23,6 +23,7 @@
 import getpass
 import socket
 from ipapython.ipa_log_manager import root_logger
+from ipalib.constants import TLS_VERSIONS, TLS_VERSION_MINIMAL
 
 from nss.error import NSPRError
 import nss.io as io
@@ -129,6 +130,45 @@ def client_auth_data_callback(ca_names, chosen_nickname, password, certdb):
 socket.AF_UNSPEC: io.PR_AF_UNSPEC
 }
 
+
+def get_proper_tls_version_span(tls_version_min, tls_version_max):
+# every tls version from `tls_versions` prior to min_allowed_idx
+# is deprecated in IPA
+min_allowed_idx = TLS_VERSIONS.index(TLS_VERSION_MINIMAL)
+
+try:
+min_version_idx = TLS_VERSIONS.index(tls_version_min)
+except ValueError:
+raise RuntimeError("tls_version_min ('{val}') is not a known "
+   "TLS version.".format(val=tls_version_min))
+
+try:
+max_version_idx = TLS_VERSIONS.index(tls_version_max)
+except ValueError:
+raise RuntimeError("tls_version_max ('{val}') is not a known "
+   "TLS version.".format(val=tls_version_max))
+
+if min_version_idx > max_version_idx:
+raise RuntimeError("tls_version_min is higher than "
+   "tls_version_max.")
+
+if min_version_idx < min_allowed_idx:
+min_version_idx = min_allowed_idx
+root_logger.warning("tls_version_min set too low ('{old}'),"
+"using '{new}' instead"
+.format(old=tls_version_min,
+new=TLS_VERSIONS[min_version_idx]))
+
+if max_version_idx < min_allowed_idx:
+max_version_idx = min_version_idx
+root_logger.warning("tls_version_max set too low ('{old}'),"
+"using '{new}' instead"
+.format(old=tls_version_max,
+new=TLS_VERSIONS[max_version_idx]))
+
+return TLS_VERSIONS[min_version_idx:max_version_idx+1]
+
+
 class 

[Freeipa-devel] [freeipa PR#413][+pushed] Complete stageuser API

2017-02-07 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/413
Title: #413: Complete stageuser API

Label: +pushed

[Freeipa-devel] [freeipa PR#413][comment] Complete stageuser API

2017-02-07 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/413
Title: #413: Complete stageuser API

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/9c0e86530ec693606ca4f69e74a9dfe4118a21aa
https://fedorahosted.org/freeipa/changeset/7e2d185ba09382a815e9b0530aeae3d56f9378d1
https://fedorahosted.org/freeipa/changeset/308c790ee90f00e0bc2c40abf51c30e5250631e9
https://fedorahosted.org/freeipa/changeset/7b68cc5b08c5563535486d72f37b766209791dbf
https://fedorahosted.org/freeipa/changeset/c5c98af99db53b5f9453bf70e9fd4c11e219cf3e
https://fedorahosted.org/freeipa/changeset/9382efde4fbc027dcfb5dc5f22d25296f232e0a6
https://fedorahosted.org/freeipa/changeset/8e139d4b559a6f19d859e078e1940a69d8977fdb
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/413#issuecomment-277991933

[Freeipa-devel] [freeipa PR#413][closed] Complete stageuser API

2017-02-07 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/413
Author: dkupka
 Title: #413: Complete stageuser API
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/413/head:pr413
git checkout pr413

[Freeipa-devel] [freeipa PR#418][closed] replica install: do not log host OTP

2017-02-07 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/418
Author: HonzaCholasta
 Title: #418: replica install: do not log host OTP
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/418/head:pr418
git checkout pr418

[Freeipa-devel] [freeipa PR#418][+pushed] replica install: do not log host OTP

2017-02-07 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/418
Title: #418: replica install: do not log host OTP

Label: +pushed

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-07 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

martbab commented:
"""
I have figured out that the previous Travis failures were caused by a missing 
version in the mod_auth_gssapi Requires. If I downgrade the package to 
mod_auth_gssapi-1.4.1-1.fc25.x86_64, apache crashes on an unknown directive:

```
Feb 07 13:32:41 master1.ipa.test httpd[45040]: Invalid command 
'GssapiDelegCcachePerms', perhaps misspelled or defined by a module not 
included in the server configuration
Feb 07 13:32:41 master1.ipa.test systemd[1]: httpd.service: Main process 
exited, code=exited, status=1/FAILURE
Feb 07 13:32:41 master1.ipa.test systemd[1]: Failed to start The Apache HTTP 
Server.
Feb 07 13:32:41 master1.ipa.test systemd[1]: httpd.service: Unit entered failed 
state.
Feb 07 13:32:41 master1.ipa.test systemd[1]: httpd.service: Failed with result 
'exit-code'.
```

We will need to bump the requires to mod_auth_gssapi-1.5.0-1.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-277991477

[Freeipa-devel] [freeipa PR#336][+pushed] [py3] pki: add missing depedency pki-base[-python3]

2017-02-07 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

Label: +pushed

[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

2017-02-07 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/66fa0585aa3a7219aa3f5b548a0a84f052d62b8e
https://fedorahosted.org/freeipa/changeset/bd83fdf51621fe777c1f7823dcb13c4dfa26fa8e
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/336#issuecomment-277982495

[Freeipa-devel] [freeipa PR#336][closed] [py3] pki: add missing depedency pki-base[-python3]

2017-02-07 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/336
Author: MartinBasti
 Title: #336: [py3] pki: add missing depedency pki-base[-python3]
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/336/head:pr336
git checkout pr336

[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command

2017-02-07 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

MartinBasti commented:
"""
@Akasurde sorry for the delay, we still miss a test. Otherwise I'm fine with this 
approach (once the issue commented inline is fixed)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/394#issuecomment-277977077

[Freeipa-devel] [freeipa PR#418][+ack] replica install: do not log host OTP

2017-02-07 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/418
Title: #418: replica install: do not log host OTP

Label: +ack

[Freeipa-devel] [freeipa PR#396][synchronized] Explicitly remove support of SSLv2

2017-02-07 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/396
Author: stlaz
 Title: #396: Explicitly remove support of SSLv2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/396/head:pr396
git checkout pr396
From be99b8327a488440a9991b5d76d2046aae3d74a3 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 13 Jan 2017 12:31:29 +0100
Subject: [PATCH] Explicitly remove support of SSLv2

It was possible to set tls_version_min/max to 'ssl2', even though
newer versions of NSS will fail to set this as a valid TLS version.
This patch explicitly checks for deprecated TLS versions prior to
creating a TLS connection.

https://fedorahosted.org/freeipa/ticket/6607
---
 ipalib/config.py| 18 --
 ipalib/constants.py | 10 ++
 ipapython/nsslib.py | 47 +--
 3 files changed, 71 insertions(+), 4 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..22446ca 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -41,8 +41,11 @@
 
 from ipapython.dn import DN
 from ipalib.base import check_name
-from ipalib.constants import CONFIG_SECTION
-from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
+from ipalib.constants import (
+CONFIG_SECTION,
+OVERRIDE_ERROR, SET_ERROR, DEL_ERROR,
+TLS_VERSIONS
+)
 from ipalib import errors
 
 if six.PY3:
@@ -497,6 +500,17 @@ def _bootstrap(self, **overrides):
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
 
+if self.tls_version_min not in TLS_VERSIONS:
+raise errors.EnvironmentError(
+"Unknown TLS version '{ver}' set in tls_version_min."
+.format(self.tls_version_min))
+
+if self.tls_version_min not in TLS_VERSIONS:
+raise errors.EnvironmentError(
+"Unknown TLS version '{ver}' set in tls_version_min."
+.format(self.tls_version_min))
+
+
 def _finalize_core(self, **defaults):
 """
 Complete initialization of standard IPA environment.
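Review bot: the second check is a copy of the first: both test `self.tls_version_min` and report `tls_version_min`, so an invalid `tls_version_max` is never rejected; the second block should test and name `tls_version_max`. Also, `.format(self.tls_version_min)` passes a positional argument while the message uses the named placeholder `{ver}`, so the raise itself fails with KeyError instead of producing the intended EnvironmentError; use `.format(ver=self.tls_version_min)`. The checks also read `self.tls_version_min` unconditionally, so if the option is absent from the environment the attribute access fails before validation; guard with `'tls_version_min' not in self` and assign a default first. Finally, the two added blank `+` lines before `def _finalize_core` leave three blank lines inside the class where one is the convention.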
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 81643da..1e8f51a 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -276,3 +276,13 @@
 
 # regexp definitions
 PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
+
+# TLS related constants
+TLS_VERSIONS = [
+"ssl2",
+"ssl3",
+"tls1.0",
+"tls1.1",
+"tls1.2"
+]
+TLS_VERSION_MINIMAL = "tls1.0"
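Review bot: the list order is load-bearing: get_proper_tls_version_span slices TLS_VERSIONS by index and locates TLS_VERSION_MINIMAL by index, so a comment stating that entries must stay in ascending protocol order would stop a later reorder from silently widening the allowed span. Keeping "ssl2" and "ssl3" in the list is what lets a deprecated value pass the "known version" check in config.py and be clamped with a warning in nsslib.py rather than rejected as unknown; that is worth saying in the comment too, since the commit title promises removal of SSLv2 support.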
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 08d05fc..5e8bde0 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -23,6 +23,8 @@
 import getpass
 import socket
 from ipapython.ipa_log_manager import root_logger
+from ipalib.errors import InvocationError
+from ipalib.constants import TLS_VERSIONS, TLS_VERSION_MINIMAL
 
 from nss.error import NSPRError
 import nss.io as io
@@ -129,6 +131,45 @@ def client_auth_data_callback(ca_names, chosen_nickname, password, certdb):
 socket.AF_UNSPEC: io.PR_AF_UNSPEC
 }
 
+
+def get_proper_tls_version_span(tls_version_min, tls_version_max):
+# every tls version from `tls_versions` prior to min_allowed_idx
+# is deprecated in IPA
+min_allowed_idx = TLS_VERSIONS.index(TLS_VERSION_MINIMAL)
+
+try:
+min_version_idx = TLS_VERSIONS.index(tls_version_min)
+except ValueError:
+raise InvocationError("tls_version_min ('{val}') is not a known "
+  "TLS version.".format(val=tls_version_min))
+
+try:
+max_version_idx = TLS_VERSIONS.index(tls_version_max)
+except ValueError:
+raise InvocationError("tls_version_max ('{val}') is not a known "
+  "TLS version.".format(val=tls_version_max))
+
+if min_version_idx > max_version_idx:
+raise InvocationError("tls_version_min is higher than "
+  "tls_version_max.")
+
+if min_version_idx < min_allowed_idx:
+min_version_idx = min_allowed_idx
+root_logger.warning("tls_version_min set too low ('{old}'),"
+"using '{new}' instead"
+.format(old=tls_version_min,
+new=TLS_VERSIONS[min_version_idx]))
+
+if max_version_idx < min_allowed_idx:
+max_version_idx = min_version_idx
+root_logger.warning("tls_version_max set too low ('{old}'),"
+"using '{new}' instead"
+.format(old=tls_version_max,
+new=TLS_VERSIONS[max_version_idx]))
+
+return TLS_VERSIONS[min_version_idx:max_version_idx+1]
+
+
 class NSSAddressFamilyFallback(object):
 def __init__(self, family):
 self.sock_family = family
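Review bot: the clamping branches only log a warning and continue, so a deployment that configured `tls_version_max = "ssl3"` ends up negotiating TLS 1.0 without the operator having changed anything; given the commit message says deprecated versions are checked explicitly, consider raising for a max below TLS_VERSION_MINIMAL instead of silently substituting, and keep the warning for the min case only. Also, InvocationError is the generic base of the ipalib invocation error family; raising it directly yields the generic code and message, so a more specific subclass (or an ipapython-level exception) would be preferable. The "not a known TLS version" branches duplicate the validation added to config.py in the same patch, which is fine if nsslib can be called without the environment having been bootstrapped, but a comment saying so would help.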
@@ -217,8 +258,10 @@ def __init__(self, host, port=None, strict=None,
 
 ssl.set_domestic_policy()
 

[Freeipa-devel] [freeipa PR#336][+ack] [py3] pki: add missing depedency pki-base[-python3]

2017-02-07 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

Label: +ack

[Freeipa-devel] [freeipa PR#413][+ack] Complete stageuser API

2017-02-07 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/413
Title: #413: Complete stageuser API

Label: +ack

[Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check

2017-02-07 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

MartinBasti commented:
"""
@pvoborni more or less brainstorming, as I'm almost sure that people will want 
to migrate current deployments to FIPS mode
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/437#issuecomment-277966347

[Freeipa-devel] [freeipa PR#409][closed] ipatests: nested netgroups (intg)

2017-02-07 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/409
Author: celestian
 Title: #409: ipatests: nested netgroups (intg)
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/409/head:pr409
git checkout pr409

[Freeipa-devel] [freeipa PR#409][comment] ipatests: nested netgroups (intg)

2017-02-07 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/409
Title: #409: ipatests: nested netgroups (intg)

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/dc99d3c04e43b08d2364209a641b8b9111e5986c
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/409#issuecomment-277965285

[Freeipa-devel] [freeipa PR#409][+pushed] ipatests: nested netgroups (intg)

2017-02-07 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/409
Title: #409: ipatests: nested netgroups (intg)

Label: +pushed

[Freeipa-devel] [freeipa PR#435][+pushed] py3: fix replica install regression

2017-02-07 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/435
Title: #435: py3: fix replica install regression

Label: +pushed

[Freeipa-devel] [freeipa PR#435][comment] py3: fix replica install regression

2017-02-07 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/435
Title: #435: py3: fix replica install regression

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/91ab650ac42d34d4958e33da7ef0641842511a89
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/435#issuecomment-277961075

[Freeipa-devel] [freeipa PR#435][closed] py3: fix replica install regression

2017-02-07 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/435
Author: MartinBasti
 Title: #435: py3: fix replica install regression
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/435/head:pr435
git checkout pr435

[Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check

2017-02-07 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

pvoborni commented:
"""
@MartinBasti I'm not sure from your comment if you would like to provide a way 
to change a non-FIPS server into a FIPS server or are just brainstorming ways it 
can be worked around. In any case this path is not a goal and actually should 
be discouraged. http://www.freeipa.org/page/V4/FreeIPA-on-FIPS#Design
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/437#issuecomment-277950210

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-02-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

simo5 commented:
"""
@frozencemetery Should we provide krb5-kdb-version-devel from krb5-devel?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-277949768

[Freeipa-devel] [freeipa PR#435][+ack] py3: fix replica install regression

2017-02-07 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/435
Title: #435: py3: fix replica install regression

Label: +ack

[Freeipa-devel] [freeipa PR#435][comment] py3: fix replica install regression

2017-02-07 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/435
Title: #435: py3: fix replica install regression

stlaz commented:
"""
Works for me.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/435#issuecomment-277948678

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-02-07 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

abbra commented:
"""
@simo5 @frozencemetery unfortunately, the provide of "krb5-kdb-version = 6.1" 
is on krb5-libs, not on krb5-devel, so I cannot do a buildrequires dependency 
this way.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-277935827

[Freeipa-devel] [freeipa PR#421][synchronized] Update warning message for replica install

2017-02-07 Thread Akasurde
   URL: https://github.com/freeipa/freeipa/pull/421
Author: Akasurde
 Title: #421: Update warning message for replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/421/head:pr421
git checkout pr421
From 75d4cfd62b76ef62c165fc1f2c6c5670c88896a2 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Mon, 30 Jan 2017 19:22:12 +0530
Subject: [PATCH] Update warning message for replica install

The new warning message in replica install describes more about the
"insufficient privilege" error

Fixes https://fedorahosted.org/freeipa/ticket/6352

Signed-off-by: Abhijeet Kasurde 
---
 ipaserver/install/server/replicainstall.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 18222c8..710027e 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1235,7 +1235,11 @@ def promote_check(installer):
 
 except errors.ACIError:
 root_logger.debug(traceback.format_exc())
-raise ScriptError("\nInsufficient privileges to promote the server.")
+raise ScriptError("\nInsufficient privileges to promote the server."
+  "\nPossible issues:"
+  "\n- An user has insufficient privileges"
+  "\n- Thin Client has insufficient privileges "
+  "to become IPA Replica Server")
 except errors.LDAPError:
 root_logger.debug(traceback.format_exc())
 raise ScriptError("\nUnable to connect to LDAP server %s" %
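Review bot: the user-facing text has a grammar slip: `"\n- An user has insufficient privileges"` should read `"\n- A user has insufficient privileges"`. The two bullets also read as overlapping rather than distinct causes; naming which account or permission the check failed on (the one the promotion was attempted with) would make the message actionable for the administrator. The adjacent string literals concatenate correctly because each begins with `\n`, so no separator issue there.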