[Freeipa-devel] [freeipa PR#462][closed] [WIP] pylint: add custom check for forbidden imports
URL: https://github.com/freeipa/freeipa/pull/462
Author: MartinBasti
Title: #462: [WIP] pylint: add custom check for forbidden imports
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/462/head:pr462
git checkout pr462

--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#462][comment] [WIP] pylint: add custom check for forbidden imports
URL: https://github.com/freeipa/freeipa/pull/462
Title: #462: [WIP] pylint: add custom check for forbidden imports

MartinBasti commented:
"""
@HonzaCholasta has some WIP patches for this in his drawer which may be better than this, so closing this PR in favor of Honza's patches
"""

See the full comment at https://github.com/freeipa/freeipa/pull/462#issuecomment-279633108
[Freeipa-devel] [freeipa PR#462][comment] [WIP] pylint: add custom check for forbidden imports
URL: https://github.com/freeipa/freeipa/pull/462
Title: #462: [WIP] pylint: add custom check for forbidden imports

tiran commented:
"""
Can you turn module matching into a regular expression? We need a bit more advanced checks, e.g. ```ipalib``` should not import from ```ipaplatform``` except for modules in ```ipalib.install```.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/462#issuecomment-279628559
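The kind of rule requested in the comment above, as an added example (not code from the PR or from FreeIPA): regular-expression rules with an exemption for the importing module, applied to imports extracted with the standard ast module instead of a pylint checker. The rule table, the function names and the sample sources are constructed for illustration.

```python
import ast
import re

# Constructed rule table (an assumption, not FreeIPA's): each entry is
# (importing module, forbidden import, exempt importing module or None).
# "(\.|$)" anchors on a dotted boundary: "ipalib" and "ipalib.x" match,
# "ipalibfoo" does not.
RULES = [
    (re.compile(importer), re.compile(forbidden),
     re.compile(exempt) if exempt else None)
    for importer, forbidden, exempt in (
        (r"ipapython(\.|$)", r"ipalib(\.|$)", None),
        (r"ipalib(\.|$)", r"ipaplatform(\.|$)", r"ipalib\.install(\.|$)"),
    )
]


def absolute_name(current, level, module, is_package=False):
    """Resolve the module named in a 'from' import to an absolute name."""
    if level == 0:
        return module
    # A plain module is relative to its parent package, a package to itself.
    package = current.split(".") if is_package else current.split(".")[:-1]
    keep = len(package) - (level - 1)
    if keep <= 0:
        raise ValueError("relative import beyond top-level package")
    base = package[:keep]
    if module:
        base.append(module)
    return ".".join(base)


def find_forbidden_imports(source, current, is_package=False):
    """Return sorted (lineno, imported module) pairs that break a rule."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            imported = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            base = absolute_name(current, node.level, node.module, is_package)
            # "from . import x": the names themselves are the modules
            imported = ([base] if node.module
                        else [base + "." + a.name for a in node.names])
        else:
            continue
        for name in imported:
            for importer_re, forbidden_re, exempt_re in RULES:
                if not importer_re.match(current):
                    continue
                if exempt_re is not None and exempt_re.match(current):
                    continue
                if forbidden_re.match(name):
                    findings.append((node.lineno, name))
                    break
    return sorted(findings)


# Constructed sample sources, one statement per line.
IPAPYTHON_SRC = "\n".join((
    "import os",
    "import ipalib.errors",
    "from ipalibfoo import bar",
    "from . import dn",
    "from ipalib import api",
))
IPALIB_SRC = "\n".join((
    "from ipaplatform.paths import paths",
    "from . import errors",
))

if __name__ == "__main__":
    print(find_forbidden_imports(IPAPYTHON_SRC, "ipapython.ipautil"))
    print(find_forbidden_imports(IPALIB_SRC, "ipalib.util"))
    print(find_forbidden_imports(IPALIB_SRC, "ipalib.install.sysrestore"))
```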
[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder
URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

tiran commented:
"""
@pvoborni I have modified the PR and added a pretty_print option. JSON is now pretty printed for verbose level 2 and higher.

The old implementation converted all lists to tuples. With ```obj_hook```, only lists in JSON objects are converted at the moment. Nested lists are not fully converted, which causes a test failure. I wonder why we decided to convert lists to tuples in the first place? Can we drop the conversion and just use lists here?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/459#issuecomment-279627304
[Freeipa-devel] [freeipa PR#459][synchronized] [WIP] Faster JSON encoder/decoder
URL: https://github.com/freeipa/freeipa/pull/459 Author: tiran Title: #459: [WIP] Faster JSON encoder/decoder Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/459/head:pr459 git checkout pr459 From e685e106dbcfb54d1651c97d6a07a17c3417127f Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 13 Feb 2017 09:46:39 +0100 Subject: [PATCH 1/3] Faster JSON encoder/decoder Improve performance of FreeIPA's JSON serializer and deserializer. * Don't indent and sort keys. Both options trigger a slow path in Python's json package. Without indention and sorting, encoding mostly happens in optimized C code. * Replace O(n) type checks with O(1) type lookup and eliminate the use of isinstance(). * Check each client capability only once for every conversion. * Use decoder's obj_hook feature to traverse the object tree once and to eliminate calls to isinstance(). Closes: https://fedorahosted.org/freeipa/ticket/6655 Signed-off-by: Christian Heimes --- ipalib/rpc.py | 211 +++-- ipaserver/rpcserver.py | 7 +- 2 files changed, 134 insertions(+), 84 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 7d9f6ec..6cad397 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -51,7 +51,7 @@ from ipalib.backend import Connectible from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT from ipalib.errors import (public_errors, UnknownError, NetworkError, -KerberosError, XMLRPCMarshallError, JSONError, ConversionError) +KerberosError, XMLRPCMarshallError, JSONError) from ipalib import errors, capabilities from ipalib.request import context, Connection from ipapython.ipa_log_manager import root_logger 
@@ -274,67 +274,140 @@ def xml_dumps(params, version, methodname=None, methodresponse=False, ) -def json_encode_binary(val, version): -''' - JSON cannot encode binary values. We encode binary values in Python str - objects and text in Python unicode objects. In order to allow a binary - object to be passed through JSON we base64 encode it thus converting it to - text which JSON can transport. To assure we recognize the value is a base64 - encoded representation of the original binary value and not confuse it with - other text we convert the binary value to a dict in this form: - - {'__base64__' : base64_encoding_of_binary_value} - - This modification of the original input value cannot be done "in place" as - one might first assume (e.g. replacing any binary items in a container - (e.g. list, tuple, dict) with the base64 dict because the container might be - an immutable object (i.e. a tuple). Therefore this function returns a copy - of any container objects it encounters with tuples replaced by lists. This - is O.K. because the JSON encoding will map both lists and tuples to JSON - arrays. 
- ''' - -if isinstance(val, dict): -new_dict = {} -for k, v in val.items(): -new_dict[k] = json_encode_binary(v, version) -return new_dict -elif isinstance(val, (list, tuple)): -new_list = [json_encode_binary(v, version) for v in val] -return new_list -elif isinstance(val, bytes): -encoded = base64.b64encode(val) -if not six.PY2: -encoded = encoded.decode('ascii') -return {'__base64__': encoded} -elif isinstance(val, Decimal): -return unicode(val) -elif isinstance(val, DN): -return str(val) -elif isinstance(val, datetime.datetime): -if capabilities.client_has_capability(version, 'datetime_values'): +class _JSONConverter(dict): +__slots__ = ('version', '_cap_datetime', '_cap_dnsname') + +_identity = object() + +def __init__(self, version, _identity=_identity): +super(_JSONConverter, self).__init__() +self.version = version +self._cap_datetime = None +self._cap_dnsname = None +self.update({ +unicode: _identity, +bool: _identity, +type(None): _identity, +float: _identity, +Decimal: unicode, +DN: str, +Principal: unicode, +DNSName: self._enc_dnsname, +datetime.datetime: self._enc_datetime, +bytes: self._enc_bytes, +list: self._enc_list, +tuple: self._enc_list, +dict: self._enc_dict, +}) +# int, long +for t in six.integer_types: +self[t] = _identity + +def __missing__(self, typ): +# walk MRO to find best match +for c in typ.__mro__: +if c in self: +self[typ] = self[c] +return self[c] +# use issubclass to check for registered ABCs +for c in self: +if issubclass(typ, c): +self[typ] = self[c] +return self[c] +raise TypeError(typ) + +
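Review bot: The new _JSONConverter class in ipalib/rpc.py carries no docstring, while the json_encode_binary docstring removed in the same hunk documented the {'__base64__': ...} wrapping of binary values and why containers are copied; move that explanation onto the class or onto _enc_bytes so the wire format stays described next to the code. In __missing__, the issubclass fallback iterates the dict itself, so for a type that is a registered subclass of more than one key the chosen encoder depends on dict iteration order; an explicit ordered tuple of fallback types would make that lookup deterministic.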
[Freeipa-devel] [freeipa PR#462][synchronized] [WIP] pylint: add custom check for forbidden imports
URL: https://github.com/freeipa/freeipa/pull/462 Author: MartinBasti Title: #462: [WIP] pylint: add custom check for forbidden imports Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/462/head:pr462 git checkout pr462 From 9a553e75595bacc43a17fdf372d93254150dba5f Mon Sep 17 00:00:00 2001 From: Martin Date: Tue, 14 Feb 2017 01:14:25 +0100 Subject: [PATCH] pylint: add custom check for forbidden imports Some modules of FreeIPA should not be importe to some other FreeIPA modules, like ipalib into ipapython --- pylint_plugins.py | 68 +++ 1 file changed, 64 insertions(+), 4 deletions(-) diff --git a/pylint_plugins.py b/pylint_plugins.py index fc2ce9b..8405568 100644 --- a/pylint_plugins.py +++ b/pylint_plugins.py @@ -9,10 +9,9 @@ from astroid import MANAGER from astroid import scoped_nodes - - -def register(linter): -pass +from pylint.checkers import BaseChecker +from pylint.checkers.utils import check_messages +from pylint.interfaces import IAstroidChecker def _warning_already_exists(cls, member): 
@@ -249,9 +248,70 @@ def fake_class(name_or_class_obj, members=()): } +# prefix match is used for all values specified here --> all submodules are +# matched +# module names must be specified in absolute path +FORBIDDEN_IMPORTS = ( +# ( checked module, [# forbidden.import.1, # forbidden.import.2]) +('ipapython', ('ipalib',)), +) + + def fix_ipa_classes(cls): class_name_with_module = "{}.{}".format(cls.root().name, cls.name) if class_name_with_module in ipa_class_members: fake_class(cls, ipa_class_members[class_name_with_module]) + +class IPAImportChecker(BaseChecker): +"""Check for specified imports from FORBIDDEN_IMPORTS and return +warning when module is not allowed ot be imported +into the particular module""" + +__implements__ = IAstroidChecker + +name = 'ipa-imports' +msgs = { +'W': ( +'IPA: forbidden import "%s" ("%s" should not import "%s")', +'ipa-forbidden-import', +'Used when import of module is not ' +'allowed in the particular module.' +), +} +priority = -2 + +def _check_imports(self, node, import_abs_name): +# name of the module where import statement is +current = node.root().name +for importer, imports in FORBIDDEN_IMPORTS: +if current.startswith(importer): +# current node is listed in rules +for imprt in imports: +if import_abs_name.startswith(imprt): +self.add_message( +'ipa-forbidden-import', +args=(import_abs_name, importer, imprt), +node=node) +break +break + +@check_messages('ipa-forbidden-import') +def visit_import(self, node): +"""triggered when an import statement is seen""" +modnode = [name for name, _obj in node.names] +for m in modnode: +self._check_imports(node, m) + +@check_messages('ipa-forbidden-import') +def visit_importfrom(self, node): +"""triggered when a from statement is seen""" +basename = node.modname +self._check_imports(node, basename) + + +def register(linter): +linter.register_checker(IPAImportChecker(linter)) + + MANAGER.register_transform(scoped_nodes.Class, fix_ipa_classes) -- Manage your subscription for the 
Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
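Review bot: _check_imports compares with plain str.startswith, in both current.startswith(importer) and import_abs_name.startswith(imprt), so the rule ('ipapython', ('ipalib',)) also fires for any top-level name that merely begins with those letters, for example a module called ipalibfoo. Compare on a dotted boundary instead (name == prefix or name.startswith(prefix + '.')), which keeps the "all submodules are matched" behaviour described in the comment above FORBIDDEN_IMPORTS.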
[Freeipa-devel] [freeipa PR#462][opened] [WIP] pylint: add custom check for forbidden imports
URL: https://github.com/freeipa/freeipa/pull/462 Author: MartinBasti Title: #462: [WIP] pylint: add custom check for forbidden imports Action: opened PR body: """ Some modules of FreeIPA should not be imported to some other FreeIPA modules, like ipalib into ipapython This is WIP, it misses a lot of rules and I had hard time with naming variables, feedback more than welcome. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/462/head:pr462 git checkout pr462 From aaf13c5ed25ec619aab9c1566248812593fd6342 Mon Sep 17 00:00:00 2001 From: Martin Date: Tue, 14 Feb 2017 01:14:25 +0100 Subject: [PATCH] pylint: add custom check for forbidden imports Some modules of FreeIPA should not be importe to some other FreeIPA modules, like ipalib into ipapython --- pylint_plugins.py | 68 +++ 1 file changed, 64 insertions(+), 4 deletions(-) diff --git a/pylint_plugins.py b/pylint_plugins.py index fc2ce9b..078a802 100644 --- a/pylint_plugins.py +++ b/pylint_plugins.py @@ -9,10 +9,9 @@ from astroid import MANAGER from astroid import scoped_nodes - - -def register(linter): -pass +from pylint.checkers import BaseChecker +from pylint.checkers.utils import check_messages +from pylint.interfaces import IAstroidChecker def _warning_already_exists(cls, member): 
@@ -249,9 +248,70 @@ def fake_class(name_or_class_obj, members=()): } +# prefix match is used for all values specified here --> all submodules are +# matched +# module names must be specified in absolute path +FORBIDDEN_IMPORTS = ( +# ( checked module, [# forbidden.import.1, # forbidden.import.2]) +('ipapython', ('ipalib',)), +) + + def fix_ipa_classes(cls): class_name_with_module = "{}.{}".format(cls.root().name, cls.name) if class_name_with_module in ipa_class_members: fake_class(cls, ipa_class_members[class_name_with_module]) + +class IPAImportChecker(BaseChecker): +"""Check for specified imports from FORBIDDEN_IMPORTS and return +warning when module is not allowed ot be imported +into the particular module""" + +__implements__ = IAstroidChecker + +name = 'ipa-imports' +msgs = { +'W': ( +'IPA: forbidden import "%s" ("%s" should not import "%s")', +'ipa-forbidden-import', +'Used when import of module is not ' +'allowed in the particular module.' +), +} +priority = -2 + +def _check_imports(self, node, import_abs_name): +# name of the module where import statement is +current = node.root().name +for importer, imports in FORBIDDEN_IMPORTS: +if current.startswith(importer): +# current node is listed in rules +for imprt in imports: +if import_abs_name.startswith(imprt): +self.add_message( +'ipa-forbidden-import', +args=(import_abs_name, importer, imprt), +node=node) +break +break + +@check_messages('ipa-forbidden-import') +def visit_import(self, node): +"""triggered when an import statement is seen""" +modnode = [name for name, _ in node.names] +for m in modnode: +self._check_imports(node, m) + +@check_messages('ipa-forbidden-import') +def visit_importfrom(self, node): +"""triggered when a from statement is seen""" +basename = node.modname +self._check_imports(node, basename) + + +def register(linter): +linter.register_checker(IPAImportChecker(linter)) + + MANAGER.register_transform(scoped_nodes.Class, fix_ipa_classes) -- Manage your subscription for the Freeipa-devel 
mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
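Review bot: In visit_importfrom, node.modname is handed to _check_imports unchanged, but for a relative import (from . import x, from ..y import z) it is not an absolute name, while the comment above FORBIDDEN_IMPORTS requires absolute module names; resolve it against node.root().name using node.level before matching. Separately, the msgs key is the bare letter 'W'; pylint message ids are a category letter followed by four digits, so give the message a full id from a range reserved for this plugin.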
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
@HonzaCholasta push it before we break it again! :-)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279538680
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From 8e9eeb0619f8a11767a37bce112c3ea6b19f7091 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 VERSION.m4 | 4 +- install/share/73certmap.ldif | 16 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 8 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 152 - ipaserver/plugins/certmap.py | 336 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 +++ 15 files changed, 794 insertions(+), 12 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..2bde577 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all";;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all";;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all";;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example @@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetat
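Review bot: In the ACI.txt hunk, both "System: Read Certmap Configuration" and "System: Read Certmap Rules" grant compare,read,search to userdn = "ldap:///all", so every authenticated user can read ipacertmapmaprule and ipacertmapmatchrule. If that is intended (the neighbouring "System: Read CA ACLs" permission does the same), state it in the commit message; otherwise bind the read permissions to a groupdn as the add, delete and modify permissions do.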
[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder
URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

pvoborni commented:
"""
As mentioned at the meeting, if rpcserver prettyprints into output in debug mode then it is fine.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/459#issuecomment-279466497
[Freeipa-devel] [freeipa PR#461][opened] Bump required version of bind-dyndb-ldap to 11.0-2
URL: https://github.com/freeipa/freeipa/pull/461 Author: tomaskrizek Title: #461: Bump required version of bind-dyndb-ldap to 11.0-2 Action: opened PR body: """ Fedora release bind-dyndb-ldap 11.0-2 transforms existing named.conf old style API to the new style API. This package version is required to enable upgrade of existing IPA installations to new version. https://fedorahosted.org/freeipa/ticket/6565 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/461/head:pr461 git checkout pr461 From d6d8ef7ffde060120a617ed295cb6a0fac9e9481 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 13 Feb 2017 18:36:12 +0100 Subject: [PATCH] Bump required version of bind-dyndb-ldap to 11.0-2 Fedora release bind-dyndb-ldap 11.0-2 transforms existing named.conf old style API to the new style API. This package version is required to enable upgrade of existing IPA installations to new version. https://fedorahosted.org/freeipa/ticket/6565 --- freeipa.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 26481ff..3ccfeca 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -373,7 +373,7 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing Group: System Environment/Base BuildArch: noarch Requires: %{name}-server = %{version}-%{release} -Requires: bind-dyndb-ldap >= 11.0 +Requires: bind-dyndb-ldap >= 11.0-2 Requires: bind >= 9.11.0-6.P2 Requires: bind-utils >= 9.11.0-6.P2 Requires: bind-pkcs11 >= 9.11.0-6.P2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#445][comment] Remove is_fips_enabled checks in installers and ipactl
URL: https://github.com/freeipa/freeipa/pull/445
Title: #445: Remove is_fips_enabled checks in installers and ipactl

MartinBasti commented:
"""
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/08c71703a44d8aec308781351c3a9dd4a4ba94a7
"""

See the full comment at https://github.com/freeipa/freeipa/pull/445#issuecomment-279456586
[Freeipa-devel] [freeipa PR#445][closed] Remove is_fips_enabled checks in installers and ipactl
URL: https://github.com/freeipa/freeipa/pull/445
Author: stlaz
Title: #445: Remove is_fips_enabled checks in installers and ipactl
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/445/head:pr445
git checkout pr445
[Freeipa-devel] [freeipa PR#445][+pushed] Remove is_fips_enabled checks in installers and ipactl
URL: https://github.com/freeipa/freeipa/pull/445
Title: #445: Remove is_fips_enabled checks in installers and ipactl
Label: +pushed
[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands
URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

MartinBasti commented:
"""
LGTM, I'll test it later
"""

See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-279455811
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From 5a6a88db9a843a0636875fb3b1ee02e40291443a Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 VERSION.m4 | 4 +- install/share/73certmap.ldif | 16 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 8 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 152 - ipaserver/plugins/certmap.py | 336 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 +++ 15 files changed, 794 insertions(+), 12 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..2bde577 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all";;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all";;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all";;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example @@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetat
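Review bot: "System: Modify Certmap Rules" in the ACI.txt hunk lists objectclass in its writable targetattr next to ipacertmapmaprule and ipacertmapmatchrule. If nothing needs to change the object classes of a rule entry after it has been created, drop objectclass from the write permission and keep it only in "System: Read Certmap Rules".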
[Freeipa-devel] [freeipa PR#460][synchronized] [Py3] ipa-server-install, ipa-server-upgrade fixes
URL: https://github.com/freeipa/freeipa/pull/460 Author: MartinBasti Title: #460: [Py3] ipa-server-install, ipa-server-upgrade fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/460/head:pr460 git checkout pr460 From 28e19fd55154ad588dffe09a208fa03e394e1dca Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 10 Feb 2017 17:05:02 +0100 Subject: [PATCH 1/8] py3: use ConfigParser instead of SafeConfigParser DeprecationWarning: The SafeConfigParser class has been renamed to ConfigParser in Python 3.2. This alias will be removed in future versions. Use ConfigParser directly instead. https://fedorahosted.org/freeipa/ticket/4985 --- ipalib/install/sysrestore.py | 6 +- ipaserver/install/installutils.py| 7 ++- ipaserver/install/ipa_backup.py | 7 ++- ipaserver/install/ipa_replica_prepare.py | 7 ++- ipaserver/install/ipa_restore.py | 7 ++- ipaserver/install/server/upgrade.py | 6 +- 6 files changed, 34 insertions(+), 6 deletions(-) diff --git a/ipalib/install/sysrestore.py b/ipalib/install/sysrestore.py index b1bf4b9..5c21956 100644 --- a/ipalib/install/sysrestore.py +++ b/ipalib/install/sysrestore.py @@ -31,7 +31,11 @@ import six # pylint: disable=import-error -from six.moves.configparser import SafeConfigParser +if six.PY3: +# The SafeConfigParser class has been renamed to ConfigParser in Py3 +from configparser import ConfigParser as SafeConfigParser +else: +from ConfigParser import SafeConfigParser # pylint: enable=import-error from ipaplatform.tasks import tasks diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index ab2596c..a774200 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -41,7 +41,12 @@ import ldapurl import six # pylint: disable=import-error -from six.moves.configparser import SafeConfigParser, NoOptionError +if six.PY3: +# The SafeConfigParser class has been renamed to ConfigParser in Py3 +from configparser import ConfigParser as SafeConfigParser +else: +from ConfigParser import SafeConfigParser +from six.moves.configparser import NoOptionError # pylint: enable=import-error from ipalib.install import sysrestore diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index c11120b..1dd8044 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -23,8 +23,13 @@ import time import pwd +import six # pylint: disable=import-error -from six.moves.configparser import SafeConfigParser +if six.PY3: +# The SafeConfigParser class has been renamed to ConfigParser in Py3 +from configparser import ConfigParser as SafeConfigParser +else: +from ConfigParser import SafeConfigParser # pylint: enable=import-error from ipaplatform.paths import paths diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index e7070b6..8b24c39 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -30,8 +30,13 @@ # pylint: enable=deprecated-module import dns.resolver +import six # pylint: disable=import-error -from six.moves.configparser import SafeConfigParser +if six.PY3: +# The SafeConfigParser class has been renamed to ConfigParser in Py3 +from configparser import ConfigParser as SafeConfigParser +else: +from ConfigParser import SafeConfigParser # pylint: enable=import-error from ipaserver.install import certs, installutils, bindinstance, dsinstance diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 89cf9e6..42dd03e 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py 
@@ -25,8 +25,13 @@ import ldif import itertools +import six # pylint: disable=import-error -from six.moves.configparser import SafeConfigParser +if six.PY3: +# The SafeConfigParser class has been renamed to ConfigParser in Py3 +from configparser import ConfigParser as SafeConfigParser +else: +from ConfigParser import SafeConfigParser # pylint: enable=import-error from ipaclient.install.client import update_ipa_nssdb diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 0e034ef..5413b48 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -15,7 +15,11 @@ import six # pylint: disable=import-error -from six.moves.configparser import SafeConfigParser +if six.PY3: +# The SafeConfigParser class has been renamed to ConfigParser in Py3 +from configparser import ConfigParser as SafeConfigParser +else: +from ConfigParser import SafeConfigParser # pylint: enable=import-error from ipalib import api From a6b9b5aa2687160e113a37e369a20c1899032f5c Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 10 Feb 2017 17:13:15 +0100 Subjec
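Review bot: The five-line `if six.PY3:` / `else:` import block is pasted unchanged into all six files (sysrestore.py, installutils.py, ipa_backup.py, ipa_replica_prepare.py, ipa_restore.py, server/upgrade.py). Put it in one compatibility module and import the name from there, so the Python 2 branch can later be dropped in a single place. The alias `from configparser import ConfigParser as SafeConfigParser` also keeps the deprecated name at every call site, while the subject line says the code now uses ConfigParser; either rename the call sites or state in the commit message that only the import changes.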
[Freeipa-devel] [freeipa PR#460][opened] [Py3] ipa-server-install, ipa-server-upgrade fixes
URL: https://github.com/freeipa/freeipa/pull/460 Author: MartinBasti Title: #460: [Py3] ipa-server-install, ipa-server-upgrade fixes Action: opened PR body: """ ipa-server-install --setup-dns now work without BytesWarnings under python3, ipa-server-upgrade should work on IPA side but there are issues on pyldap side. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/460/head:pr460 git checkout pr460 From 28e19fd55154ad588dffe09a208fa03e394e1dca Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 10 Feb 2017 17:05:02 +0100 Subject: [PATCH 1/8] py3: use ConfigParser instead of SafeConfigParser DeprecationWarning: The SafeConfigParser class has been renamed to ConfigParser in Python 3.2. This alias will be removed in future versions. Use ConfigParser directly instead. https://fedorahosted.org/freeipa/ticket/4985 --- ipalib/install/sysrestore.py | 6 +- ipaserver/install/installutils.py| 7 ++- ipaserver/install/ipa_backup.py | 7 ++- ipaserver/install/ipa_replica_prepare.py | 7 ++- ipaserver/install/ipa_restore.py | 7 ++- ipaserver/install/server/upgrade.py | 6 +- 6 files changed, 34 insertions(+), 6 deletions(-) diff --git a/ipalib/install/sysrestore.py b/ipalib/install/sysrestore.py index b1bf4b9..5c21956 100644 --- a/ipalib/install/sysrestore.py +++ b/ipalib/install/sysrestore.py @@ -31,7 +31,11 @@ import six # pylint: disable=import-error -from six.moves.configparser import SafeConfigParser +if six.PY3: +# The SafeConfigParser class has been renamed to ConfigParser in Py3 +from configparser import ConfigParser as SafeConfigParser +else: +from ConfigParser import SafeConfigParser # pylint: enable=import-error from ipaplatform.tasks import tasks diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index ab2596c..a774200 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -41,7 +41,12 @@ import ldapurl import six # pylint: disable=import-error -from six.moves.configparser import SafeConfigParser, NoOptionError +if six.PY3: +# The SafeConfigParser class has been renamed to ConfigParser in Py3 +from configparser import ConfigParser as SafeConfigParser +else: +from ConfigParser import SafeConfigParser +from six.moves.configparser import NoOptionError # pylint: enable=import-error from ipalib.install import sysrestore diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index c11120b..1dd8044 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -23,8 +23,13 @@ import time import pwd +import six # pylint: disable=import-error -from six.moves.configparser import SafeConfigParser +if six.PY3: +# The SafeConfigParser class has been renamed to ConfigParser in Py3 +from configparser import ConfigParser as SafeConfigParser +else: +from ConfigParser import SafeConfigParser # pylint: enable=import-error from ipaplatform.paths import paths diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index e7070b6..8b24c39 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -30,8 +30,13 @@ # pylint: enable=deprecated-module import dns.resolver +import six # pylint: disable=import-error -from six.moves.configparser import SafeConfigParser +if six.PY3: +# The SafeConfigParser class has been renamed to ConfigParser in Py3 +from configparser import ConfigParser as SafeConfigParser +else: +from ConfigParser import SafeConfigParser # pylint: enable=import-error from ipaserver.install import certs, installutils, bindinstance, dsinstance diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 89cf9e6..42dd03e 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py 
@@ -25,8 +25,13 @@ import ldif import itertools +import six # pylint: disable=import-error -from six.moves.configparser import SafeConfigParser +if six.PY3: +# The SafeConfigParser class has been renamed to ConfigParser in Py3 +from configparser import ConfigParser as SafeConfigParser +else: +from ConfigParser import SafeConfigParser # pylint: enable=import-error from ipaclient.install.client import update_ipa_nssdb diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 0e034ef..5413b48 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -15,7 +15,11 @@ import six # pylint: disable=import-error -from six.moves.configparser import SafeConfigParser +if six.PY3: +# The SafeConfigParser class has been renamed to ConfigParser in Py3 +from configparser import ConfigParser as SafeConfigParser +else: +from ConfigParser import SafeConfigParser # pylint: enable=impo
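Review bot: In the ipaserver/install/installutils.py hunk, `NoOptionError` is still imported with `from six.moves.configparser import NoOptionError`, while `SafeConfigParser` on the lines just above it now bypasses six.moves, so the module has two import paths for the same standard-library module. Import `NoOptionError` inside the same `if six.PY3:` / `else:` branches, or add a comment saying why only the parser class needs the split.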
[Freeipa-devel] [bind-dyndb-ldap PR#9][comment] Remove duplicate const declaration specifier
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9 Title: #9: Remove duplicate const declaration specifier tomaskrizek commented: """ @pemensik Hi, could you please take a look at this PR and ACK? It's just a typo that was preventing a build on fedora rawhide due to some warnings. """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/9#issuecomment-279451102
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From 35263ec9625865eb2e786cbedf412d11d92c73f5 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 VERSION.m4 | 4 +- install/share/73certmap.ldif | 16 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 17 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 158 - ipaserver/plugins/certmap.py | 336 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 +++ 15 files changed, 809 insertions(+), 12 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..2bde577 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all";;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all";;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all";;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example @@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetat
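Review bot: Both new read ACIs in the first ACI.txt hunk ("System: Read Certmap Configuration" and "System: Read Certmap Rules") bind to `userdn = "ldap:///all"`, so every authenticated user can read `ipacertmapmaprule`, `ipacertmapmatchrule` and `ipacertmappriority`. That matches the neighbouring "System: Read CA ACLs" entry, but these attributes describe how a certificate is tied to an account, so the commit message should state that this exposure is intended, or the read permissions should be bound to a `groupdn` like the add, delete and modify permissions in the same hunk.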
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server lslebodn commented: """ On (13/02/17 05:05), Christian Heimes wrote: >I'm following the development principles of **minimum viable product**. This >PR solves a critical use case for me. With the PR I can build FreeIPA client >packages in a lean and clean build container. Without the >```--disable-server``` flag I'm forced to bloat my build env with lots of >additional dependencies and then throw away all the extra stuff. > My comments are about semantics of this option. `--disable-server` should disable all parts which depend on server. I know that your use case is a little bit different but I do not like misusing of `--disable-server` for different use-cases (from semantic POV) That's the reason why I proposed compromise/alternative solution for installing `ipatests` which needn't be tied together with `--disable-server`. >My changes don't solve https://fedorahosted.org/freeipa/ticket/6517 to its >full extent. The PR provides enough of >https://fedorahosted.org/freeipa/ticket/6517 to enable me to finish some time >critical as soon as possible. RPM packaging changes and ipatests improvements >for client-only builds can be implemented another time. I consider these >changes sugar coating (aka stretch goals). > One more time; it will be solved with my proposed change to `ipatests` + small tweak to spec file (due to python2/3 changes) That is exactly way how I tested it. A little bit hacky way but works for testing: https://paste.fedoraproject.org/556868/48699519 LS """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279405767
[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands
URL: https://github.com/freeipa/freeipa/pull/444 Title: #444: Allow nsaccountlock to be searched in user-find commands redhatrises commented: """ @MartinBasti I believe that this is ready for your review. """ See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-279404707
[Freeipa-devel] [bind-dyndb-ldap PR#9][opened] Remove duplicate const declaration specifier
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9 Author: tomaskrizek Title: #9: Remove duplicate const declaration specifier Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/9/head:pr9 git checkout pr9 From 7444264b2bbf2c8920a2fb76740995e73c07919f Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Thu, 9 Feb 2017 17:52:59 +0100 Subject: [PATCH] Remove duplicate const declaration specifier --- src/ldap_helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 5de9f69..1fa0ec9 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -2349,7 +2349,7 @@ free_rdatalist(isc_mem_t *mctx, dns_rdatalist_t *rdlist) * @retval others Unexpected errors. */ static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT -ldap_substitute_rr_template(isc_mem_t *mctx, const settings_set_t const * set, +ldap_substitute_rr_template(isc_mem_t *mctx, const settings_set_t * set, ld_string_t *orig_val, ld_string_t **output) { isc_result_t result; regex_t regex;
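Review bot: The replacement parameter in the ldap_helper.c hunk is written `const settings_set_t * set`, with a space on both sides of the `*`, while the other parameters of the same signature use `isc_mem_t *mctx` and `ld_string_t *orig_val`; write `const settings_set_t *set` to match. The commit message also has no body: name the compiler warning this fixes, so the reason for the change is recorded with it.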
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server tiran commented: """ I'm following the development principles of **minimum viable product**. This PR solves a critical use case for me. With the PR I can build FreeIPA client packages in a lean and clean build container. Without the ```--disable-server``` flag I'm forced to bloat my build env with lots of additional dependencies and then throw away all the extra stuff. My changes don't solve https://fedorahosted.org/freeipa/ticket/6517 to its full extent. The PR provides enough of https://fedorahosted.org/freeipa/ticket/6517 to enable me to finish some time critical as soon as possible. RPM packaging changes and ipatests improvements for client-only builds can be implemented another time. I consider these changes sugar coating (aka stretch goals). """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279387199
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server lslebodn commented: """ On (13/02/17 04:32), Christian Heimes wrote: >No, the test runner should either detect missing packages and skip tests >automatically, or should grow an option to load and execute client tests only. >It's a separate issue. > I have a different opinion. It is not a separate issue. For me, the name of configure option is crystal clear. It should not install anything related to daemon part; even though it is a test. Maybe we can add another option to install tests (--with-tests?? +default yes) It would work for your use-case and still allow old `CLIENT_ONLY` build (equivalent to 4.4) Or you can propose another compromise. LS """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279381495
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server tiran commented: """ No, the test runner should either detect missing packages and skip tests automatically, or should grow an option to load and execute client tests only. It's a separate issue. """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279376400
[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder
URL: https://github.com/freeipa/freeipa/pull/459 Title: #459: [WIP] Faster JSON encoder/decoder tiran commented: """ ```curl url | python -m json.tool``` """ See the full comment at https://github.com/freeipa/freeipa/pull/459#issuecomment-279375693
[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder
URL: https://github.com/freeipa/freeipa/pull/459 Title: #459: [WIP] Faster JSON encoder/decoder pvoborni commented: """ It's usually quicker to read raw response in browser than the folded "preview" because everything is visible and no clicking is required. Same for curl testing. But for curl I can imagine piping it to some tool. """ See the full comment at https://github.com/freeipa/freeipa/pull/459#issuecomment-279370915
[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder
URL: https://github.com/freeipa/freeipa/pull/459 Title: #459: [WIP] Faster JSON encoder/decoder abbra commented: """ Right, as long as ipa CLI is capable of printing formatted debug output, that's enough. """ See the full comment at https://github.com/freeipa/freeipa/pull/459#issuecomment-279369801
[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder
URL: https://github.com/freeipa/freeipa/pull/459 Title: #459: [WIP] Faster JSON encoder/decoder tiran commented: """ Why would you want to sort or indent the raw output? The extra verbose output of ```ipa``` just loads and dumps the output a second time. It's less efficient but who cares about minor efficiency issues of a debug feature? For browser testing, any web developer tool will give you nicely formatted JSON, too. """ See the full comment at https://github.com/freeipa/freeipa/pull/459#issuecomment-279368825
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server lslebodn commented: """ On (13/02/17 03:56), Christian Heimes wrote: >Two reasons > >1. ```make install``` >2. I need ipatests to be part of the build process in order to get a Python >package for tox later. > OK, thank you for explanation. Then we should install just tests from directory `ipatests` which does not require daemon for execution. LS """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279368656
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server tiran commented: """ Two reasons 1. ```make install``` 2. I need ipatests to be part of the build process in order to get a Python package for tox later. """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279367184
[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder
URL: https://github.com/freeipa/freeipa/pull/459 Title: #459: [WIP] Faster JSON encoder/decoder pvoborni commented: """ Is there a way (I did not read changes thoroughly) to enable sorting and indentation, e.g. for testing purposes? """ See the full comment at https://github.com/freeipa/freeipa/pull/459#issuecomment-279365267
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server lslebodn commented: """ On (13/02/17 03:08), Christian Heimes wrote: >Packaging is a different issue. The PR does not provide RPM packaging for >client-only build. It merely implements configuration and building without >server components. > I mentioned old version of `CLIENT_ONLY` build because I consider it as a referential implementation. And `ipa tests` were not installed in 4.4 for client only build. >For client-only builds I need ipatests to run part of the test suite to verify >client code. Test suites ```test_ipapython, test_ipalib, test_pkcs10``` >without ```test_ipalib.test_rpc``` work without ```ipaserver```. > I expected a little bit more details. Do you need to run `make install` and then run tests in installed directory? Or how do you want to "run part of the test suite". Because if you needn't run "make install" for your use-case then my proposed patch would work. BTW `ipatests` will still be part of tarball and/or git. You can run them even though they will not be installed with `make install` LS """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279362399
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server tiran commented: """ Packaging is a different issue. The PR does not provide RPM packaging for client-only build. It merely implements configuration and building without server components. For client-only builds I need ipatests to run part of the test suite to verify client code. Test suites ```test_ipapython, test_ipalib, test_pkcs10``` without ```test_ipalib.test_rpc``` work without ```ipaserver```. """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279357147
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server lslebodn commented: """ On (13/02/17 01:25), Christian Heimes wrote: >@lslebodn it works even better without your proposed changes. Parts >```ipatests``` work fine for ```--disable-server``` builds. I need the package >to run tests. > The old version (4.4) of `CLIENT_ONLY` build did not package ipatests. Could you describe a reason/use-case for installing `ipatests` without server? LS """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279349836
[Freeipa-devel] [freeipa PR#459][synchronized] [WIP] Faster JSON encoder/decoder
URL: https://github.com/freeipa/freeipa/pull/459 Author: tiran Title: #459: [WIP] Faster JSON encoder/decoder Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/459/head:pr459 git checkout pr459 From e685e106dbcfb54d1651c97d6a07a17c3417127f Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 13 Feb 2017 09:46:39 +0100 Subject: [PATCH 1/2] Faster JSON encoder/decoder Improve performance of FreeIPA's JSON serializer and deserializer. * Don't indent and sort keys. Both options trigger a slow path in Python's json package. Without indention and sorting, encoding mostly happens in optimized C code. * Replace O(n) type checks with O(1) type lookup and eliminate the use of isinstance(). * Check each client capability only once for every conversion. * Use decoder's obj_hook feature to traverse the object tree once and to eliminate calls to isinstance(). Closes: https://fedorahosted.org/freeipa/ticket/6655 Signed-off-by: Christian Heimes --- ipalib/rpc.py | 211 +++-- ipaserver/rpcserver.py | 7 +- 2 files changed, 134 insertions(+), 84 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 7d9f6ec..6cad397 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -51,7 +51,7 @@ from ipalib.backend import Connectible from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT from ipalib.errors import (public_errors, UnknownError, NetworkError, -KerberosError, XMLRPCMarshallError, JSONError, ConversionError) +KerberosError, XMLRPCMarshallError, JSONError) from ipalib import errors, capabilities from ipalib.request import context, Connection from ipapython.ipa_log_manager import root_logger 
@@ -274,67 +274,140 @@ def xml_dumps(params, version, methodname=None, methodresponse=False, ) -def json_encode_binary(val, version): -''' - JSON cannot encode binary values. We encode binary values in Python str - objects and text in Python unicode objects. In order to allow a binary - object to be passed through JSON we base64 encode it thus converting it to - text which JSON can transport. To assure we recognize the value is a base64 - encoded representation of the original binary value and not confuse it with - other text we convert the binary value to a dict in this form: - - {'__base64__' : base64_encoding_of_binary_value} - - This modification of the original input value cannot be done "in place" as - one might first assume (e.g. replacing any binary items in a container - (e.g. list, tuple, dict) with the base64 dict because the container might be - an immutable object (i.e. a tuple). Therefore this function returns a copy - of any container objects it encounters with tuples replaced by lists. This - is O.K. because the JSON encoding will map both lists and tuples to JSON - arrays. 
- ''' - -if isinstance(val, dict): -new_dict = {} -for k, v in val.items(): -new_dict[k] = json_encode_binary(v, version) -return new_dict -elif isinstance(val, (list, tuple)): -new_list = [json_encode_binary(v, version) for v in val] -return new_list -elif isinstance(val, bytes): -encoded = base64.b64encode(val) -if not six.PY2: -encoded = encoded.decode('ascii') -return {'__base64__': encoded} -elif isinstance(val, Decimal): -return unicode(val) -elif isinstance(val, DN): -return str(val) -elif isinstance(val, datetime.datetime): -if capabilities.client_has_capability(version, 'datetime_values'): +class _JSONConverter(dict): +__slots__ = ('version', '_cap_datetime', '_cap_dnsname') + +_identity = object() + +def __init__(self, version, _identity=_identity): +super(_JSONConverter, self).__init__() +self.version = version +self._cap_datetime = None +self._cap_dnsname = None +self.update({ +unicode: _identity, +bool: _identity, +type(None): _identity, +float: _identity, +Decimal: unicode, +DN: str, +Principal: unicode, +DNSName: self._enc_dnsname, +datetime.datetime: self._enc_datetime, +bytes: self._enc_bytes, +list: self._enc_list, +tuple: self._enc_list, +dict: self._enc_dict, +}) +# int, long +for t in six.integer_types: +self[t] = _identity + +def __missing__(self, typ): +# walk MRO to find best match +for c in typ.__mro__: +if c in self: +self[typ] = self[c] +return self[c] +# use issubclass to check for registered ABCs +for c in self: +if issubclass(typ, c): +self[typ] = self[c] +return self[c] +raise TypeError(typ) + +
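Review bot: In `_JSONConverter.__missing__`, the second loop (`for c in self:` with `if issubclass(typ, c):`) returns the first registered key that matches, and which key comes first depends on dictionary iteration order, which is arbitrary on Python 2. A type that is a virtual subclass of more than one registered key can therefore be given different converters depending on that order. Check the candidates in a fixed, explicit order, or document that at most one key may match. `raise TypeError(typ)` also hands the caller only the class object; a message saying that values of this type cannot be converted to JSON would be easier to debug.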
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server tiran commented: """ @lslebodn it works even better without your proposed changes. Parts ```ipatests``` work fine for ```--disable-server``` builds. I need the package to run tests. """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279333838
[Freeipa-devel] [freeipa PR#459][edited] [WIP] Faster JSON encoder/decoder
URL: https://github.com/freeipa/freeipa/pull/459 Author: tiran Title: #459: [WIP] Faster JSON encoder/decoder Action: edited Changed field: title Original value: """ Faster JSON encoder/decoder """
[Freeipa-devel] [freeipa PR#459][opened] Faster JSON encoder/decoder
URL: https://github.com/freeipa/freeipa/pull/459 Author: tiran Title: #459: Faster JSON encoder/decoder Action: opened PR body: """ Improve performance of FreeIPA's JSON serializer and deserializer. * Don't indent and sort keys. Both options trigger a slow path in Python's json package. Without indention and sorting, encoding mostly happens in optimized C code. * Replace O(n) type checks with O(1) type lookup and eliminate the use of isinstance(). * Check each client capability only once for every conversion. * Use decoder's obj_hook feature to traverse the object tree once and to eliminate calls to isinstance(). Closes: https://fedorahosted.org/freeipa/ticket/6655 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/459/head:pr459 git checkout pr459 From d00d547d0024fe5712a33ccabcd5c03564b10223 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 13 Feb 2017 09:46:39 +0100 Subject: [PATCH] Faster JSON encoder/decoder Improve performance of FreeIPA's JSON serializer and deserializer. * Don't indent and sort keys. Both options trigger a slow path in Python's json package. Without indention and sorting, encoding mostly happens in optimized C code. * Replace O(n) type checks with O(1) type lookup and eliminate the use of isinstance(). * Check each client capability only once for every conversion. * Use decoder's obj_hook feature to traverse the object tree once and to eliminate calls to isinstance(). Closes: https://fedorahosted.org/freeipa/ticket/6655 Signed-off-by: Christian Heimes --- ipalib/rpc.py | 209 +++-- ipaserver/rpcserver.py | 6 +- 2 files changed, 133 insertions(+), 82 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 7d9f6ec..25abc7f 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py 
@@ -274,67 +274,140 @@ def xml_dumps(params, version, methodname=None, methodresponse=False, ) -def json_encode_binary(val, version): -''' - JSON cannot encode binary values. We encode binary values in Python str - objects and text in Python unicode objects. In order to allow a binary - object to be passed through JSON we base64 encode it thus converting it to - text which JSON can transport. To assure we recognize the value is a base64 - encoded representation of the original binary value and not confuse it with - other text we convert the binary value to a dict in this form: - - {'__base64__' : base64_encoding_of_binary_value} - - This modification of the original input value cannot be done "in place" as - one might first assume (e.g. replacing any binary items in a container - (e.g. list, tuple, dict) with the base64 dict because the container might be - an immutable object (i.e. a tuple). Therefore this function returns a copy - of any container objects it encounters with tuples replaced by lists. This - is O.K. because the JSON encoding will map both lists and tuples to JSON - arrays. 
- ''' - -if isinstance(val, dict): -new_dict = {} -for k, v in val.items(): -new_dict[k] = json_encode_binary(v, version) -return new_dict -elif isinstance(val, (list, tuple)): -new_list = [json_encode_binary(v, version) for v in val] -return new_list -elif isinstance(val, bytes): -encoded = base64.b64encode(val) -if not six.PY2: -encoded = encoded.decode('ascii') -return {'__base64__': encoded} -elif isinstance(val, Decimal): -return unicode(val) -elif isinstance(val, DN): -return str(val) -elif isinstance(val, datetime.datetime): -if capabilities.client_has_capability(version, 'datetime_values'): +class _JSONConverter(dict): +__slots__ = ('version', '_cap_datetime', '_cap_dnsname') + +_identity = object() + +def __init__(self, version, _identity=_identity): +super(_JSONConverter, self).__init__() +self.version = version +self._cap_datetime = None +self._cap_dnsname = None +self.update({ +unicode: _identity, +bool: _identity, +type(None): _identity, +float: _identity, +Decimal: unicode, +DN: str, +Principal: unicode, +DNSName: self._enc_dnsname, +datetime.datetime: self._enc_datetime, +bytes: self._enc_bytes, +list: self._enc_list, +tuple: self._enc_list, +dict: self._enc_dict, +}) +# int, long +for t in six.integer_types: +self[t] = _identity + +def __missing__(self, typ): +# walk MRO to find best match +for c in typ.__mro__: +if c in self: +self[typ] = self[c] +return self[c] +# use issubclass to check for registered ABCs +for c in self:
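Review bot: The new `_JSONConverter` class has no docstring, while the removed `json_encode_binary` docstring explained the `{'__base64__': ...}` wrapping and why containers are copied with tuples turned into lists; move that text onto the class or onto `_enc_bytes` so the wire convention stays documented next to the code. In `__missing__`, the fallback loop `for c in self:` iterates the dict itself, so if it caches a match with `self[typ] = ...` the way the MRO loop does, it has to return right after the assignment, because inserting a key while iterating a dict raises RuntimeError. A short comment that `_identity` is a pass-through sentinel rather than a callable would also help readers of the dispatch table.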
[Freeipa-devel] [freeipa PR#445][+ack] Remove is_fips_enabled checks in installers and ipactl
URL: https://github.com/freeipa/freeipa/pull/445 Title: #445: Remove is_fips_enabled checks in installers and ipactl Label: +ack