[Freeipa-devel] [freeipa PR#396][comment] Explicitly remove support of SSLv2
URL: https://github.com/freeipa/freeipa/pull/396 Title: #396: Explicitly remove support of SSLv2 HonzaCholasta commented: """ LGTM. """ See the full comment at https://github.com/freeipa/freeipa/pull/396#issuecomment-279935166 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#450][comment] Add FIPS-token password of HTTPD NSS database
URL: https://github.com/freeipa/freeipa/pull/450 Title: #450: Add FIPS-token password of HTTPD NSS database HonzaCholasta commented: """ LGTM. I guess we don't have to bother with upgrade, given that you can turn on FIPS post-install, right? """ See the full comment at https://github.com/freeipa/freeipa/pull/450#issuecomment-279933986
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/c894ebefc5c4c4c7ea340d6ddc4cd3c081917e4a
https://fedorahosted.org/freeipa/changeset/38c66896de1769077cd5b057133606ec5eeaf62b
https://fedorahosted.org/freeipa/changeset/b109f5d850ce13585d4392ca48896dc069a746e5
https://fedorahosted.org/freeipa/changeset/b6741d81e187fc84177c12ef8ad900d3b5cda6a4
https://fedorahosted.org/freeipa/changeset/d2f5fc304f1938d23171ae330fa20b213ceed54e
https://fedorahosted.org/freeipa/changeset/d124e307f3b7d88bca53784f030ed6043b224432
https://fedorahosted.org/freeipa/changeset/f648c5631afa5e7954eee9a84fb1222d3bce3bf1
https://fedorahosted.org/freeipa/changeset/c2b1b2a36200b50babfda1eca37fb4b51fefa9c6
https://fedorahosted.org/freeipa/changeset/4fd89833ee5421b05c10329d627d0e0fc8496046
https://fedorahosted.org/freeipa/changeset/4bd2d6ad46c9151e11f9223dd5383555fdedb249
https://fedorahosted.org/freeipa/changeset/00a9d2f94dee17e28e39cdae0c32acc3d1fe51ed
https://fedorahosted.org/freeipa/changeset/41c1efc44a6b809445facd4772574595029553b1
https://fedorahosted.org/freeipa/changeset/09c92e2bc1ca9db5b73d5ab8483b42dbd6b9a0e9
https://fedorahosted.org/freeipa/changeset/e4d462ad53597fd5410aa4e94a57bb15b92a3f13
""" See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279925508
[Freeipa-devel] [freeipa PR#314][closed] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Author: simo5 Title: #314: RFC: privilege separation for ipa framework code Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/314/head:pr314 git checkout pr314
[Freeipa-devel] [freeipa PR#314][+pushed] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code Label: +pushed
[Freeipa-devel] [freeipa PR#314][+ack] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code Label: +ack
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ Thank you. """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279925390
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Done """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279859272
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Title: #398: Support for Certificate Identity Mapping flo-renaud commented: """ Hi @HonzaCholasta PR updated with `ipa user-add-certmapdata` using positional arg for CERTMAPDATA """ See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-279796224
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From f26952bee2b45fce6defbb742e563f5d8b561018 Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 +++ VERSION.m4 | 4 +- install/share/73certmap.ldif | 16 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 8 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 158 - ipaserver/plugins/certmap.py | 355 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 +++ 15 files changed, 818 insertions(+), 13 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..2bde577 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example @@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S dn: cn=users,cn=accounts,dc=ipa,dc=example
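Review bot: the new "System: Modify Certmap Rules" ACI grants write on objectclass together with the rule attributes, while the neighbouring "System: Modify CA ACL" permission in the same hunk limits writes to "cn || description || ipaenabledflag"; unless a certmap rule command actually needs to change an entry's objectclass, drop objectclass from that targetattr so the managed permission covers only the attributes the modify command edits. The second hunk (@@ -337,6 +349,8 @@ on cn=users,cn=accounts) is cut off in this message, so its two added lines cannot be reviewed here.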
[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command
URL: https://github.com/freeipa/freeipa/pull/394 Title: #394: Add fix for ipa plugins command MartinBasti commented: """ That test actually doesn't test the output of the command, IMO it should be xmlrpc_test. But it can be done later, shouldn't block this PR """ See the full comment at https://github.com/freeipa/freeipa/pull/394#issuecomment-279794064
[Freeipa-devel] [freeipa PR#454][comment] Move AD trust installation code to a separate module
URL: https://github.com/freeipa/freeipa/pull/454 Title: #454: Move AD trust installation code to a separate module MartinBasti commented: """ LGTM, I can test it tomorrow """ See the full comment at https://github.com/freeipa/freeipa/pull/454#issuecomment-279791253
[Freeipa-devel] [freeipa PR#465][opened] Tests: search for disabled users
URL: https://github.com/freeipa/freeipa/pull/465 Author: MartinBasti Title: #465: Tests: search for disabled users Action: opened PR body: """ Add tests for searching disabled/enabled users. XFAIL: newly created users has no 'nsaccountlock' attribute set and user-find doesn't return them as active users. This should be fixed. Partially tests: #444 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/465/head:pr465 git checkout pr465 From 54526f42356a65993341f68aaea36e287b364c6b Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Tue, 14 Feb 2017 19:06:23 +0100 Subject: [PATCH] Tests: search for disabled users Add tests for searching disabled/enabled users. XFAIL: newly created users has no 'nsaccountlock' attribute set and user-find doesn't return them as active users. This should be fixed. --- ipatests/test_xmlrpc/test_user_plugin.py | 41 1 file changed, 41 insertions(+) diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index d33c4d7..098163d 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py 
@@ -240,6 +240,47 @@ def test_find_with_pkey_only(self, user): result = command() user.check_find(result, pkey_only=True) +@pytest.mark.xfail( +reason="new users don't have set attribute nsaccountlock in LDAP, " + "thus this search doesn't return it in result") +def test_find_enabled_user(self, user): +"""Test user-find --disabled=False with enabled user""" +user.ensure_exists() +command = user.make_find_command( +uid=user.uid, pkey_only=True, nsaccountlock=False) +result = command() +user.check_find(result, pkey_only=True) + +def test_negative_find_enabled_user(self, user): +"""Test user-find --disabled=True with enabled user, shouldn't +return any result""" +user.ensure_exists() +command = user.make_find_command( +uid=user.uid, pkey_only=True, nsaccountlock=True) +result = command() +user.check_find_nomatch(result) + +def test_find_disabled_user(self, user): +"""Test user-find --disabled=True with disabled user""" +user.ensure_exists() +user.disable() +command = user.make_find_command( +uid=user.uid, pkey_only=True, nsaccountlock=True) +result = command() +user.check_find(result, pkey_only=True) +user.enable() + +def test_negative_find_disabled_user(self, user): +"""Test user-find --disabled=False with disabled user, shouldn't +return any results""" +user.ensure_exists() +user.disable() +command = user.make_find_command( +uid=user.uid, pkey_only=True, nsaccountlock=False) +result = command() +user.check_find_nomatch(result) +user.enable() + @pytest.mark.tier1 class TestActive(XMLRPC_test): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
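Review bot: test_find_disabled_user and test_negative_find_disabled_user call user.disable() and only restore the account with user.enable() on their last line, so if check_find or check_find_nomatch raises, the shared user fixture is left disabled and every later test in the class sees a locked account; wrap the find and the check in try/finally with user.enable() in the finally block, or add a fixture that restores the state. Separately, the xfail on test_find_enabled_user will keep reporting an expected failure forever once the missing-nsaccountlock behaviour is fixed; mark it @pytest.mark.xfail(strict=True, reason=...) so that the fix turns it into an XPASS failure that prompts removing the marker.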
[Freeipa-devel] [freeipa PR#215][closed] Add script to setup krb5 NFS exports
URL: https://github.com/freeipa/freeipa/pull/215 Author: jumitche Title: #215: Add script to setup krb5 NFS exports Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/215/head:pr215 git checkout pr215
[Freeipa-devel] [freeipa PR#215][+rejected] Add script to setup krb5 NFS exports
URL: https://github.com/freeipa/freeipa/pull/215 Title: #215: Add script to setup krb5 NFS exports Label: +rejected
[Freeipa-devel] [freeipa PR#215][comment] Add script to setup krb5 NFS exports
URL: https://github.com/freeipa/freeipa/pull/215 Title: #215: Add script to setup krb5 NFS exports pvoborni commented: """ Justin, pasting here re-phrased mail I wrote you on Dec 5. This is a tool which integrates an external host with FreeIPA. It is written in a way that it can exist completely outside of the FreeIPA git repository. Thinking more about it, it might actually be better to write an Ansible module which would configure a server as an NFS server and join it to the FreeIPA realm. We will be working on better Ansible integration in the very close future. Technical/maintenance side of the patch: tools merged in the FreeIPA repository are then maintained by the FreeIPA core team. The problem is that the tool is written in a way that it doesn't use any internal FreeIPA calls and thus reimplements IPA logic, which makes it hard to maintain. To make it easier to maintain it would be better to reuse IPA internal calls. But it doesn't make sense for you to spend time on rewriting it according to upstream rules, nor does it make sense for an upstream developer to modify your code according to it (this would be faster for both sides than the former review ping-pong). So it would be preferred to maintain it elsewhere. The proposal/general agreement on FreeIPA triage was:
- move this script into a separate git repo, e.g. on GitHub. That way fixing the script doesn't have to rely on the FreeIPA schedule. It might be your repo or maybe under the FreeIPA org if you prefer it.
- FreeIPA upstream will create a wiki page where we will list similar contributions (like https://github.com/peterpakos/ipa_check_consistency/ ) and add it there so it would be discoverable
- FreeIPA upstream will also make it discoverable from installed rpms - https://fedorahosted.org/freeipa/ticket/6536
- if the project receives high enough popularity - will be widely used - it may be considered for rewrite and inclusion into IPA core
What was not discussed but may be a good thing is to create integration travis tests in the separate repo which would test the script so it can be tested automatically. """ See the full comment at https://github.com/freeipa/freeipa/pull/215#issuecomment-279784708
[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands
URL: https://github.com/freeipa/freeipa/pull/444 Title: #444: Allow nsaccountlock to be searched in user-find commands MartinBasti commented: """ Or we can modify search filter on server to cover this case, but it won't be nice """ See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-279777252
[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands
URL: https://github.com/freeipa/freeipa/pull/444 Title: #444: Allow nsaccountlock to be searched in user-find commands MartinBasti commented: """ I found a "not-sure-if" bug, nsaccountlock is not always specified (admin has it and any user after user-enable, that's why I didn't catch it during testing of PR) in LDAP tree, so search `user-find --disabled=false` returns only admin and users that were explicitly enabled. IMHO this is unexpected behavior for users, however expected from IPA framework POV and LDAP POV. What could we do to improve UX? Maybe on client side we should allow `--disabled` only as flag to prevent users from searching for enabled users and getting corrupted results. """ See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-279776995
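The behaviour MartinBasti reports above (an enabled user that carries no nsaccountlock attribute is invisible to `user-find --disabled=false`) follows from LDAP equality semantics: `(nsaccountlock=FALSE)` matches only entries where the attribute is physically present with that value, whereas 389 DS treats an absent nsaccountlock as "not locked". The server-side filter change floated in the thread amounts to negating the positive case instead. The Python below is an added example, not FreeIPA project code: the sample entries and the small filter matcher are constructed for this illustration, and `naive_filter` / `robust_filter` are hypothetical names for the two filter shapes, not IPA APIs.

```python
"""
Added example (not FreeIPA code): why (nsaccountlock=FALSE) misses users
that have no nsaccountlock attribute, and a filter that does not.

The entries and the tiny filter matcher are constructed for this example;
the matcher covers only the filter subset needed here.
"""
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample directory (attribute names lower-cased): admin was
# explicitly enabled, bob is a fresh user-add with no nsaccountlock at all,
# carol was disabled.
SAMPLE_ENTRIES: List[Entry] = [
    {"uid": ["admin"], "nsaccountlock": ["FALSE"]},
    {"uid": ["bob"]},
    {"uid": ["carol"], "nsaccountlock": ["TRUE"]},
]


def naive_filter(disabled: bool) -> str:
    """Pass the boolean straight through to an equality filter."""
    return "(nsaccountlock=%s)" % ("TRUE" if disabled else "FALSE")


def robust_filter(disabled: bool) -> str:
    """Treat an absent nsaccountlock as 'enabled' by negating the TRUE case."""
    return "(nsaccountlock=TRUE)" if disabled else "(!(nsaccountlock=TRUE))"


def _parse(filt: str):
    """Parse (attr=value), (!(f)), (&(f)(f)...) and (|(f)(f)...) into a tree."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % filt)
    body = filt[1:-1]
    if body and body[0] in "&|!":
        children, depth, start = [], 0, 0
        for i, ch in enumerate(body[1:], 1):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    children.append(_parse(body[start:i + 1]))
        if depth != 0 or not children:
            raise ValueError("unbalanced or empty compound filter: %r" % filt)
        return (body[0], children)
    attr, sep, value = body.partition("=")
    if not sep:
        raise ValueError("unsupported filter item: %r" % filt)
    return ("=", attr.strip().lower(), value.strip())


def _matches(node, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry. An absent attribute never
    satisfies an equality item, exactly as in LDAP; values are compared
    case-insensitively (a simplification of the Boolean syntax)."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        return value.lower() in {v.lower() for v in entry.get(attr, [])}
    _, children = node
    if op == "!":
        return not _matches(children[0], entry)
    if op == "&":
        return all(_matches(c, entry) for c in children)
    return any(_matches(c, entry) for c in children)


def search(entries: List[Entry], filt: str) -> List[str]:
    """Return the uids of the entries matching the filter, in directory order."""
    tree = _parse(filt)
    return [e["uid"][0] for e in entries if _matches(tree, e)]


if __name__ == "__main__":
    for label, build in (("naive", naive_filter), ("robust", robust_filter)):
        for disabled in (False, True):
            filt = build(disabled)
            print("%-6s --disabled=%-5s %-26s -> %s"
                  % (label, disabled, filt, search(SAMPLE_ENTRIES, filt)))
```

Run as a script, the naive enabled-user search returns only admin, while the negated form returns admin and bob; both forms agree for disabled users, which is why the problem only shows up on the `--disabled=false` side.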
[Freeipa-devel] [freeipa PR#23][+postponed] Time-Based HBAC Policies
URL: https://github.com/freeipa/freeipa/pull/23 Title: #23: Time-Based HBAC Policies Label: +postponed
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From e8a02937c9d44ea209f939a3129b8f176d50cd4a Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 181 +++ VERSION.m4 | 4 +- install/share/73certmap.ldif | 16 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 8 +- ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 158 - ipaserver/plugins/certmap.py | 355 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 +++ 15 files changed, 818 insertions(+), 13 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..2bde577 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example @@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S dn: cn=users,cn=accounts,dc=ipa,dc=example
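Review bot: both read permissions added in this hunk, "System: Read Certmap Configuration" and "System: Read Certmap Rules", use userdn = "ldap:///all", so every authenticated principal can read ipacertmapmatchrule, ipacertmapmaprule, ipacertmappriority and ipacertmappromptusername. That mirrors the existing "System: Read CA ACLs" permission shown just above, so it is probably deliberate, but the commit message and the design page should say so explicitly, since these rules decide which certificate maps to which account and their visibility to all users is a decision worth recording rather than leaving implicit.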
[Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages
URL: https://github.com/freeipa/freeipa/pull/379 Title: #379: Packaging: Add placeholder and IPA commands packages pvoborni commented: """ If there is a reason it can be maintained in IPA, but what is the reason? """ See the full comment at https://github.com/freeipa/freeipa/pull/379#issuecomment-279768384
[Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages
URL: https://github.com/freeipa/freeipa/pull/379 Title: #379: Packaging: Add placeholder and IPA commands packages tiran commented: """ I don't mind maintaining my own copy of ipacommands with `ipa-getkeytab` until we agree on a permanent solution. """ See the full comment at https://github.com/freeipa/freeipa/pull/379#issuecomment-279767747
[Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing
URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing pvoborni commented: """ @tiran I have a very vague idea of how this is helpful. You have mentioned it during the post-devconf "API meeting". But I no longer remember it and the description of this PR is very general. In order to move all the pypi patches forward, we need to document (maybe design) the whole pypi workflow. This is not mentioned in http://www.freeipa.org/page/V4/Build_system_refactoring nor in http://www.freeipa.org/page/V4/Integration_Improvements I.e. how the FreeIPA project will work/supply packages to PYPI and what the requirements for these packages actually are. What is expected to work and what not (like everything related to pyhbac). Right now I have no idea what the missing blocker parts are and what are just nice-to-have things. Also I don't really like the part that the patches use a custom repo of python-nss. But I'm glad that you are working with @jdennis to improve it. @stlaz, with PR #367 what are the remaining usages of python-nss? Could we actually get rid of python-nss completely? """ See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-279767185
[Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages
URL: https://github.com/freeipa/freeipa/pull/379 Title: #379: Packaging: Add placeholder and IPA commands packages MartinBasti commented: """ We need a placeholder package for sure, this PR should be split into 2, but I'm still not endorsed to have ipa-getkeytab installable by pip """ See the full comment at https://github.com/freeipa/freeipa/pull/379#issuecomment-279760067
[Freeipa-devel] [freeipa PR#444][closed] Allow nsaccountlock to be searched in user-find commands
URL: https://github.com/freeipa/freeipa/pull/444 Author: redhatrises Title: #444: Allow nsaccountlock to be searched in user-find commands Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/444/head:pr444 git checkout pr444
[Freeipa-devel] [freeipa PR#455][closed] Backup /root/kracert.p12
URL: https://github.com/freeipa/freeipa/pull/455 Author: tiran Title: #455: Backup /root/kracert.p12 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/455/head:pr455 git checkout pr455
[Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages
URL: https://github.com/freeipa/freeipa/pull/379 Title: #379: Packaging: Add placeholder and IPA commands packages pvoborni commented: """ I thought that I understood why this PR is needed but in fact I don't. Ticket #6484 is closed. Why is it attached to it? How will the pypi packaging change if the ipacommands package is not there? Would it be used for anything? How should it be used? """ See the full comment at https://github.com/freeipa/freeipa/pull/379#issuecomment-279753967
[Freeipa-devel] [freeipa PR#455][+pushed] Backup /root/kracert.p12
URL: https://github.com/freeipa/freeipa/pull/455 Title: #455: Backup /root/kracert.p12 Label: +pushed
[Freeipa-devel] [freeipa PR#455][comment] Backup /root/kracert.p12
URL: https://github.com/freeipa/freeipa/pull/455 Title: #455: Backup /root/kracert.p12 MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/11ef2cacbf2ebb67f80a0cf4a3e7b39da700188b """ See the full comment at https://github.com/freeipa/freeipa/pull/455#issuecomment-279753418
[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands
URL: https://github.com/freeipa/freeipa/pull/444 Title: #444: Allow nsaccountlock to be searched in user-find commands MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a930ec824da0337109d646ab3acb495dc1b6ba63 """ See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-279752284
[Freeipa-devel] [freeipa PR#444][+pushed] Allow nsaccountlock to be searched in user-find commands
URL: https://github.com/freeipa/freeipa/pull/444 Title: #444: Allow nsaccountlock to be searched in user-find commands Label: +pushed
[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands
URL: https://github.com/freeipa/freeipa/pull/444 Title: #444: Allow nsaccountlock to be searched in user-find commands MartinBasti commented: """ @pvomacka IMO this may deserve webUI part too """ See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-279752074
[Freeipa-devel] [freeipa PR#444][+ack] Allow nsaccountlock to be searched in user-find commands
URL: https://github.com/freeipa/freeipa/pull/444 Title: #444: Allow nsaccountlock to be searched in user-find commands Label: +ack
[Freeipa-devel] [freeipa PR#464][+ack] Bump required python-cryptography version
URL: https://github.com/freeipa/freeipa/pull/464 Title: #464: Bump required python-cryptography version Label: +ack
[Freeipa-devel] [freeipa PR#464][comment] Bump required python-cryptography version
URL: https://github.com/freeipa/freeipa/pull/464 Title: #464: Bump required python-cryptography version HonzaCholasta commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/5b56952a547277fab4c68da02f213d40f931a4ca """ See the full comment at https://github.com/freeipa/freeipa/pull/464#issuecomment-279747218
[Freeipa-devel] [freeipa PR#464][closed] Bump required python-cryptography version
URL: https://github.com/freeipa/freeipa/pull/464 Author: stlaz Title: #464: Bump required python-cryptography version Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/464/head:pr464 git checkout pr464
[Freeipa-devel] [freeipa PR#464][+pushed] Bump required python-cryptography version
URL: https://github.com/freeipa/freeipa/pull/464 Title: #464: Bump required python-cryptography version Label: +pushed
[Freeipa-devel] [freeipa PR#446][synchronized] No NSS database passwords in ipa-client-install
URL: https://github.com/freeipa/freeipa/pull/446 Author: stlaz Title: #446: No NSS database passwords in ipa-client-install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/446/head:pr446 git checkout pr446 From 61a865d14049acb5c17fac8033f173c54cbdfa84 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 6 Dec 2016 09:14:54 +0100 Subject: [PATCH 1/3] Add password to certutil calls in NSSDatabase NSSDatabases should have the ability to run certutil with a password if location of the file containing it is known. https://fedorahosted.org/freeipa/ticket/5695 --- install/tools/ipa-replica-conncheck | 11 +++ ipaclient/install/client.py | 14 ++ ipapython/certdb.py | 19 +-- ipaserver/install/cainstance.py | 23 +++ ipaserver/install/certs.py | 2 +- ipaserver/install/installutils.py | 18 -- ipaserver/install/ipa_cacert_manage.py | 8 ipaserver/install/ipa_server_certinstall.py | 7 +++ ipaserver/install/kra.py| 7 --- ipaserver/install/server/upgrade.py | 5 + 10 files changed, 70 insertions(+), 44 deletions(-) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 04e23de..896fddc 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -542,12 +542,9 @@ def main(): with certdb.NSSDatabase(nss_dir) as nss_db: if options.ca_cert_file: -nss_dir = nss_db.secdir - -password = ipautil.ipa_generate_password() -password_file = ipautil.write_tmp_file(password) -nss_db.create_db(password_file.name) - +nss_db.create_passwd_file( +ipautil.ipa_generate_password()) +nss_db.create_db() ca_certs = x509.load_certificate_list_from_file( options.ca_cert_file) for ca_cert in ca_certs: @@ -555,8 +552,6 @@ def main(): serialization.Encoding.DER) nss_db.add_cert( data, str(DN(ca_cert.subject)), 'C,,') -else: -nss_dir = None api.bootstrap(context='client', confdir=paths.ETC_IPA, 
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 2b01b0d..79686b6 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -2284,18 +2284,16 @@ def install_check(options): def create_ipa_nssdb(): db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) -pwdfile = os.path.join(db.secdir, 'pwdfile.txt') -ipautil.backup_file(pwdfile) +ipautil.backup_file(db.password_file) ipautil.backup_file(os.path.join(db.secdir, 'cert8.db')) ipautil.backup_file(os.path.join(db.secdir, 'key3.db')) ipautil.backup_file(os.path.join(db.secdir, 'secmod.db')) -with open(pwdfile, 'w') as f: -f.write(ipautil.ipa_generate_password()) -os.chmod(pwdfile, 0o600) +db.create_passwd_file(ipautil.ipa_generate_password()) +os.chmod(db.password_file, 0o600) -db.create_db(pwdfile) +db.create_db() os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644) os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644) os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644) @@ -2667,8 +2665,8 @@ def _install(options): for cert in ca_certs ] try: -pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password()) -tmp_db.create_db(pwd_file.name) +tmp_db.create_passwd_file(ipautil.ipa_generate_password()) +tmp_db.create_db() for i, cert in enumerate(ca_certs): tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,') diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 9481326..597aa71 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -83,13 +83,17 @@ class NSSDatabase(object): # got too tied to IPA server details, killing reusability. # BaseCertDB is a class that knows nothing about IPA. # Generic NSS DB code should be moved here. -def __init__(self, nssdir=None): +def __init__(self, nssdir=None, password_file=None): if nssdir is None: self.secdir = tempfile.mkdtemp() self._is_temporary = True else: self.secdir = nssdir self._is_temporary = False +if password_file is None: +self.password_file = os.path.join(self.secdir, 'pwdfile.txt') +else: +
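Review bot: in the ipaclient/install/client.py hunk for create_ipa_nssdb, `db.create_passwd_file(ipautil.ipa_generate_password())` writes the secret before `os.chmod(db.password_file, 0o600)` runs, so the file's initial mode is whatever the process umask allows; the removed code had the same open-then-chmod order, but since the helper is new it is the right place to fix this: have create_passwd_file open the file itself with `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` (or equivalent) so the password never exists on disk with wider permissions, after which the caller's chmod becomes redundant. The same helper is now called from the ipa-replica-conncheck and _install hunks, so all three sites would be covered at once.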
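Review bot: the install/tools/ipa-replica-conncheck hunk drops both `nss_dir = nss_db.secdir` and the `else: nss_dir = None` branch, so after the `with` block `nss_dir` keeps the value it had on entry whether or not --ca-cert-file was given; the later use of that variable (after `api.bootstrap(context='client', confdir=paths.ETC_IPA,`, outside the visible context) should be checked to confirm it no longer expects None in the no-CA-file case, and the commit message should say why the rebinding became unnecessary.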
[Freeipa-devel] [freeipa PR#446][comment] No NSS database passwords in ipa-client-install
URL: https://github.com/freeipa/freeipa/pull/446 Title: #446: No NSS database passwords in ipa-client-install stlaz commented: """ NSSDatabase now defaults its `.password_file` to `.sec_dir + 'passwd.txt'`. It's necessary to create a pwdfile.txt in Dogtag cert store so that actions like CA renew function properly even with FIPS. """ See the full comment at https://github.com/freeipa/freeipa/pull/446#issuecomment-279738463
[Freeipa-devel] [freeipa PR#446][comment] No NSS database passwords in ipa-client-install
URL: https://github.com/freeipa/freeipa/pull/446 Title: #446: No NSS database passwords in ipa-client-install stlaz commented: """ NSSDatabase now defaults its `.password_file` to `.sec_dir + 'passwd.txt'`. It's necessary to create a pwdfile.txt in system-wide cert store so that actions like CA renew function properly even with FIPS. """ See the full comment at https://github.com/freeipa/freeipa/pull/446#issuecomment-279738463
[Freeipa-devel] [freeipa PR#423][+ack] dns-update-system-records: add support for nsupdate output format
URL: https://github.com/freeipa/freeipa/pull/423 Title: #423: dns-update-system-records: add support for nsupdate output format Label: +ack
[Freeipa-devel] [freeipa PR#423][comment] dns-update-system-records: add support for nsupdate output format
URL: https://github.com/freeipa/freeipa/pull/423 Title: #423: dns-update-system-records: add support for nsupdate output format tomaskrizek commented: """ Please update the ticket in trac/JIRA to mention the command does not support stdout. LGTM otherwise. """ See the full comment at https://github.com/freeipa/freeipa/pull/423#issuecomment-279735139
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ I would personally go with: * Change session handling: 5959 * Generate tmpfiles config at install time: 5959 * Drop use of kinit_as_http from trust code: 5959 * Use Anonymous user to obtain FAST armor ccache: 5959 * Configure HTTPD to work via Gss-Proxy: 4189, 5959 * Separate RA cert store from the HTTP cert store: 5959 * Simplify NSSDatabase password file handling: 5959 * Always use /etc/ipa/ca.crt as CA cert file: 5959 * Add a new user to run the framework code: 5959 * Rationalize creation of RA and HTTPD NSS databases: 5959 * Fix uninstall stopping ipa.service: 5959 * Allow rpc callers to pass ccache and service names: 6543 * Explicitly pass down ccache names for connections: 6543 * Insure removal of session on identity change: 6543 """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279729055
[Freeipa-devel] [freeipa PR#396][synchronized] Explicitly remove support of SSLv2
URL: https://github.com/freeipa/freeipa/pull/396 Author: stlaz Title: #396: Explicitly remove support of SSLv2 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/396/head:pr396 git checkout pr396 From 53aebe8ea2663dc6c57730e797f1e0b06a0b3b69 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Fri, 13 Jan 2017 12:31:29 +0100 Subject: [PATCH] Explicitly remove support of SSLv2 It was possible to set tls_version_min/max to 'ssl2', even though newer versions of NSS will fail to set this as a valid TLS version. This patch explicitly checks for deprecated TLS versions prior to creating a TLS connection. Also, we don't allow tls_version_min/max to be set to a random string anymore. https://fedorahosted.org/freeipa/ticket/6607 --- ipalib/config.py| 27 ++-- ipalib/constants.py | 10 + ipapython/nsslib.py | 60 +++-- 3 files changed, 93 insertions(+), 4 deletions(-) diff --git a/ipalib/config.py b/ipalib/config.py index 20591db..1a59879 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -41,8 +41,11 @@ from ipapython.dn import DN from ipalib.base import check_name -from ipalib.constants import CONFIG_SECTION -from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR +from ipalib.constants import ( +CONFIG_SECTION, +OVERRIDE_ERROR, SET_ERROR, DEL_ERROR, +TLS_VERSIONS +) from ipalib import errors if six.PY3: 
@@ -578,6 +581,26 @@ def _finalize_core(self, **defaults): self._merge(**defaults) +# set the best known TLS version if min/max versions are not set +if 'tls_version_min' not in self: +self.tls_version_min = TLS_VERSIONS[-1] +elif self.tls_version_min not in TLS_VERSIONS: +raise errors.EnvironmentError( +"Unknown TLS version '{ver}' set in tls_version_min." +.format(ver=self.tls_version_min)) + +if 'tls_version_max' not in self: +self.tls_version_max = TLS_VERSIONS[-1] +elif self.tls_version_max not in TLS_VERSIONS: +raise errors.EnvironmentError( +"Unknown TLS version '{ver}' set in tls_version_max." +.format(ver=self.tls_version_max)) + +if self.tls_version_max < self.tls_version_min: +raise errors.EnvironmentError( +"tls_version_min is set to a higher TLS version than " +"tls_version_max.") + def _finalize(self, **lastchance): """ Finalize and lock environment. diff --git a/ipalib/constants.py b/ipalib/constants.py index 81643da..1e8f51a 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -276,3 +276,13 @@ # regexp definitions PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$' + +# TLS related constants +TLS_VERSIONS = [ +"ssl2", +"ssl3", +"tls1.0", +"tls1.1", +"tls1.2" +] +TLS_VERSION_MINIMAL = "tls1.0" diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py index 08d05fc..8b02f4b 100644 --- a/ipapython/nsslib.py +++ b/ipapython/nsslib.py @@ -23,6 +23,8 @@ import getpass import socket from ipapython.ipa_log_manager import root_logger +from ipapython.ipa_log_manager import log_mgr +from ipalib.constants import TLS_VERSIONS, TLS_VERSION_MINIMAL from nss.error import NSPRError import nss.io as io @@ -38,6 +40,9 @@ # pylint: disable=import-error import http.client as httplib +# get a logger for this module +logger = log_mgr.get_logger(__name__) + # NSS database currently open current_dbdir = None 
@@ -129,6 +134,55 @@ def client_auth_data_callback(ca_names, chosen_nickname, password, certdb): socket.AF_UNSPEC: io.PR_AF_UNSPEC } + +def get_proper_tls_version_span(tls_version_min, tls_version_max): +""" +This function checks whether the given TLS versions are known in FreeIPA +and that these versions fulfill the requirements for minimal TLS version +(see `ipalib.constants: TLS_VERSIONS, TLS_VERSION_MINIMAL`). + +:param tls_version_min: +the lower value in the TLS min-max span, raised to the lowest allowed +value if too low +:param tls_version_max: +the higher value in the TLS min-max span, raised to tls_version_min +if lower than TLS_VERSION_MINIMAL +""" +min_allowed_idx = TLS_VERSIONS.index(TLS_VERSION_MINIMAL) + +try: +min_version_idx = TLS_VERSIONS.index(tls_version_min) +except ValueError: +raise ValueError("tls_version_min ('{val}') is not a known " + "TLS version.".format(val=tls_version_min)) + +try: +max_version_idx = TLS_VERSIONS.index(tls_version_max) +except ValueError: +raise ValueError("tls_version_max ('{val}') is not a known " + "TLS version.".format(val=tls_version_max)) + +if
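Review bot: in the ipalib/config.py `_finalize_core` hunk, `if self.tls_version_max < self.tls_version_min:` compares the two names as strings rather than by their position in TLS_VERSIONS; it happens to give the right answer for the five names currently in the list ("ssl2" < "ssl3" < "tls1.0" < "tls1.1" < "tls1.2"), but any future name that does not sort the same way lexically (a two-digit minor, for instance) would break the check silently. Compare `TLS_VERSIONS.index(self.tls_version_max) < TLS_VERSIONS.index(self.tls_version_min)` instead, which is the ordering that get_proper_tls_version_span in the nsslib.py hunk already uses.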
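Review bot: the config.py hunk validates tls_version_min/max only for membership in TLS_VERSIONS, which still contains "ssl2" and "ssl3", so a configuration with tls_version_min = ssl2 passes environment validation and the refusal this PR is about is enforced only later, in get_proper_tls_version_span, whose docstring says values below TLS_VERSION_MINIMAL are silently raised. Either reject anything below TLS_VERSION_MINIMAL in _finalize_core with the same EnvironmentError, or at least log a warning through the `logger` this patch introduces in nsslib.py, so an operator who configured a deprecated protocol learns that the setting was overridden rather than discovering it from the connection behaviour.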
[Freeipa-devel] [freeipa PR#446][synchronized] No NSS database passwords in ipa-client-install
URL: https://github.com/freeipa/freeipa/pull/446 Author: stlaz Title: #446: No NSS database passwords in ipa-client-install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/446/head:pr446 git checkout pr446 From bb28aabc081179154dc38cb8b3986d67cb6b9bf9 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 6 Dec 2016 09:14:54 +0100 Subject: [PATCH 1/3] Add password to certutil calls in NSSDatabase NSSDatabases should have the ability to run certutil with a password if location of the file containing it is known. https://fedorahosted.org/freeipa/ticket/5695 --- install/tools/ipa-replica-conncheck | 11 +++ ipaclient/install/client.py | 14 ++ ipapython/certdb.py | 19 +-- ipaserver/install/cainstance.py | 23 +++ ipaserver/install/certs.py | 2 +- ipaserver/install/installutils.py | 18 -- ipaserver/install/ipa_cacert_manage.py | 8 ipaserver/install/ipa_server_certinstall.py | 7 +++ ipaserver/install/kra.py| 7 --- ipaserver/install/server/upgrade.py | 5 + 10 files changed, 70 insertions(+), 44 deletions(-) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 04e23de..896fddc 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -542,12 +542,9 @@ def main(): with certdb.NSSDatabase(nss_dir) as nss_db: if options.ca_cert_file: -nss_dir = nss_db.secdir - -password = ipautil.ipa_generate_password() -password_file = ipautil.write_tmp_file(password) -nss_db.create_db(password_file.name) - +nss_db.create_passwd_file( +ipautil.ipa_generate_password()) +nss_db.create_db() ca_certs = x509.load_certificate_list_from_file( options.ca_cert_file) for ca_cert in ca_certs: @@ -555,8 +552,6 @@ def main(): serialization.Encoding.DER) nss_db.add_cert( data, str(DN(ca_cert.subject)), 'C,,') -else: -nss_dir = None api.bootstrap(context='client', confdir=paths.ETC_IPA, 
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index aa3449c..1b75f49 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -2289,18 +2289,16 @@ def install_check(options): def create_ipa_nssdb(): db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) -pwdfile = os.path.join(db.secdir, 'pwdfile.txt') -ipautil.backup_file(pwdfile) +ipautil.backup_file(db.password_file) ipautil.backup_file(os.path.join(db.secdir, 'cert8.db')) ipautil.backup_file(os.path.join(db.secdir, 'key3.db')) ipautil.backup_file(os.path.join(db.secdir, 'secmod.db')) -with open(pwdfile, 'w') as f: -f.write(ipautil.ipa_generate_password()) -os.chmod(pwdfile, 0o600) +db.create_passwd_file(ipautil.ipa_generate_password()) +os.chmod(db.password_file, 0o600) -db.create_db(pwdfile) +db.create_db() os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644) os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644) os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644) @@ -2672,8 +2670,8 @@ def _install(options): for cert in ca_certs ] try: -pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password()) -tmp_db.create_db(pwd_file.name) +tmp_db.create_passwd_file(ipautil.ipa_generate_password()) +tmp_db.create_db() for i, cert in enumerate(ca_certs): tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,') diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 9481326..9493118 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -83,13 +83,17 @@ class NSSDatabase(object): # got too tied to IPA server details, killing reusability. # BaseCertDB is a class that knows nothing about IPA. # Generic NSS DB code should be moved here. -def __init__(self, nssdir=None): +def __init__(self, nssdir=None, password_file=None): if nssdir is None: self.secdir = tempfile.mkdtemp() self._is_temporary = True else: self.secdir = nssdir self._is_temporary = False +if password_file is None: +self.password_file = os.path.join(self.secdir, 'passwd.txt') +else: +
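Review bot: in the ipapython/certdb.py hunk the default password file becomes `os.path.join(self.secdir, 'passwd.txt')`, while the ipaclient/install/client.py hunk in the same patch removes `pwdfile = os.path.join(db.secdir, 'pwdfile.txt')`, i.e. already-installed clients keep their NSS database password in pwdfile.txt under paths.IPA_NSSDB_DIR. With the new default, `ipautil.backup_file(db.password_file)` in create_ipa_nssdb backs up a passwd.txt that does not exist on such systems and the old pwdfile.txt is left behind, holding a password that no longer matches the freshly created database. Either keep 'pwdfile.txt' as the default for the system NSS database or add an explicit step that migrates or removes the old file; the stlaz comment above announces the rename but nothing in the patch handles the existing file.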
[Freeipa-devel] [freeipa PR#461][+pushed] Bump required version of bind-dyndb-ldap to 11.0-2
URL: https://github.com/freeipa/freeipa/pull/461 Title: #461: Bump required version of bind-dyndb-ldap to 11.0-2 Label: +pushed
[Freeipa-devel] [freeipa PR#461][closed] Bump required version of bind-dyndb-ldap to 11.0-2
URL: https://github.com/freeipa/freeipa/pull/461 Author: tomaskrizek Title: #461: Bump required version of bind-dyndb-ldap to 11.0-2 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/461/head:pr461 git checkout pr461
[Freeipa-devel] [freeipa PR#461][comment] Bump required version of bind-dyndb-ldap to 11.0-2
URL: https://github.com/freeipa/freeipa/pull/461 Title: #461: Bump required version of bind-dyndb-ldap to 11.0-2 MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/6cb7bca68486a5ae4be6f93c1acacb7b9890ba9a """ See the full comment at https://github.com/freeipa/freeipa/pull/461#issuecomment-279721909
[Freeipa-devel] [freeipa PR#461][+ack] Bump required version of bind-dyndb-ldap to 11.0-2
URL: https://github.com/freeipa/freeipa/pull/461 Title: #461: Bump required version of bind-dyndb-ldap to 11.0-2 Label: +ack
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ @simo5, is there an umbrella ticket? 5959 perhaps? """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279716045
[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test
URL: https://github.com/freeipa/freeipa/pull/399 Author: dkupka Title: #399: Certificate mapping test Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/399/head:pr399 git checkout pr399 From 8fa8a3e8d3c9532d2cb53b0cc3b75705fd9ad87b Mon Sep 17 00:00:00 2001 From: David Kupka Date: Wed, 1 Feb 2017 11:36:32 +0100 Subject: [PATCH 01/10] tests: tracker: Split Tracker into one-purpose Trackers There are multiple types of entries and objects accessible in API and not all of them have the same set methods. Splitting Tracker into multiple trackers should reflect this better. --- ipatests/test_xmlrpc/tracker/base.py | 285 +-- 1 file changed, 172 insertions(+), 113 deletions(-) diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py index aa88e6b..8b6e97e 100644 --- a/ipatests/test_xmlrpc/tracker/base.py +++ b/ipatests/test_xmlrpc/tracker/base.py 
@@ -15,61 +15,7 @@ from ipatests.util import Fuzzy -class Tracker(object): -"""Wraps and tracks modifications to a plugin LDAP entry object - -Stores a copy of state of a plugin entry object and allows checking that -the state in the database is the same as expected. -This allows creating independent tests: the individual tests check -that the relevant changes have been made. At the same time -the entry doesn't need to be recreated and cleaned up for each test. - -Two attributes are used for tracking: ``exists`` (true if the entry is -supposed to exist) and ``attrs`` (a dict of LDAP attributes that are -expected to be returned from IPA commands). - -For commonly used operations, there is a helper method, e.g. -``create``, ``update``, or ``find``, that does these steps: - -* ensure the entry exists (or does not exist, for "create") -* store the expected modifications -* get the IPA command to run, and run it -* check that the result matches the expected state - -Tests that require customization of these steps are expected to do them -manually, using lower-level methods. -Especially the first step (ensure the entry exists) is important for -achieving independent tests. - -The Tracker object also stores information about the entry, e.g. -``dn``, ``rdn`` and ``name`` which is derived from DN property. - -To use this class, the programer must subclass it and provide the -implementation of following methods: - - * make_*_command -- implementing the API call for particular plugin - and operation (add, delete, ...) - These methods should use the make_command method - * check_* commands -- an assertion for a plugin command (CRUD) - * track_create -- to make an internal representation of the - entry - -Apart from overriding these methods, the subclass must provide the -distinguished name of the entry in `self.dn` property. 
- -It is also required to override the class variables defining the sets -of ldap attributes/keys for these operations specific to the plugin -being implemented. Take the host plugin test for an example. - -The implementation of these methods is not strictly enforced. -A missing method will cause a NotImplementedError during runtime -as a result. -""" -retrieve_keys = None -retrieve_all_keys = None -create_keys = None -update_keys = None - +class BaseTracker(object): _override_me_msg = "This method needs to be overridden in a subclass" def __init__(self, default_version=None): @@ -78,8 +24,6 @@ def __init__(self, default_version=None): self._dn = None self.attrs = {} -self.exists = False - @property def dn(self): """A property containing the distinguished name of the entry.""" @@ -138,53 +82,33 @@ def make_command(self, name, *args, **options): return functools.partial(self.run_command, name, *args, **options) def make_fixture(self, request): -"""Make a pytest fixture for this tracker +"""Make fixture for the tracker -The fixture ensures the plugin entry does not exist before -and after the tests that use it. +Don't do anything here. """ -del_command = self.make_delete_command() -try: -del_command() -except errors.NotFound: -pass - -def cleanup(): -existed = self.exists -try: -del_command() -except errors.NotFound: -if existed: -raise -self.exists = False - -request.addfinalizer(cleanup) - return self -def ensure_exists(self): -"""If the entry does not exist (according to tracker state), create it -""" -if not self.exists: -
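Review bot: the ipatests/test_xmlrpc/tracker/base.py hunk replaces the documented Tracker with an undocumented BaseTracker: the whole class docstring (the `make_*_command`, `check_*` and `track_create` contract subclasses must implement, plus the `retrieve_keys`, `retrieve_all_keys`, `create_keys` and `update_keys` class attributes) is deleted rather than moved, so the base class that still carries `_override_me_msg` no longer says what has to be overridden. Please carry the contract description over to whichever class now owns each method. Separately, `make_fixture` now only returns self ("Don't do anything here."), and the pre-test delete, the `cleanup` finalizer and `self.exists` are all removed; if that logic moved to a subclass outside this hunk, say so in the commit message, otherwise tests built on a bare BaseTracker will leave entries behind between runs.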
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Title: #398: Support for Certificate Identity Mapping HonzaCholasta commented: """ @flo-renaud, never mind the `default_from` suggestion, I was wrong - if e.g. both `--certmapdata` and `--certificate` are specified, we want to use both, not throw away `--certificate`, which is exactly what would happen if `--certmapdata` had default derived from `--certificate`. One more issue, I think the `--certmapdata` option in `user-add-certmapdata` and friends should actually be a positional argument, as that would be more consistent with existing commands. The common pattern is that positional arguments are used to specify the literal value of the attribute (such as principal name in `user-add-principal`), but options need some preprocessing (such as conversion from UID to DN in `group-add-member`). Currently the only exception to this scheme is `user-add-cert` and friends, but that's only because the original intent was to add a certificate file positional argument, but it never happened. """ See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-279713429
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ For some commits I was sure what ticket to use, for some I was not, so I elected not to put a specific ticket in there. If you have a good idea of what ticket (of the External Authentication project) to apply to specific commits let me know and I can amend commit messages. """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279709846
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ @simo5, most of the commits do not have a ticket link, is this intentional? """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279708615
[Freeipa-devel] [freeipa PR#464][synchronized] Bump required python-cryptography version
URL: https://github.com/freeipa/freeipa/pull/464 Author: stlaz Title: #464: Bump required python-cryptography version Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/464/head:pr464 git checkout pr464 From 2de056524eaddf7c96e91db2f179163418009af8 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 14 Feb 2017 13:34:14 +0100 Subject: [PATCH] Bump required python-cryptography version Since we started using 'Certificate.serial_number' instead of '.serial' from python-cryptography, bump the required version to the one where the above mentioned transition happened. --- freeipa.spec.in | 16 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 26481ff..00dda8b 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -121,8 +121,8 @@ BuildRequires: python-cffi %if 0%{?with_lint} BuildRequires: samba-python BuildRequires: python-setuptools -# 1.3: oldest PyPI version that still compiles with recent OpenSSL -BuildRequires: python-cryptography >= 1.3.1 +# 1.4: the version where Certificate.serial changed to .serial_number +BuildRequires: python-cryptography >= 1.4 BuildRequires: python-gssapi >= 1.2.0 BuildRequires: pylint >= 1.0 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 @@ -158,8 +158,8 @@ BuildRequires: python2-jinja2 # FIXME: this depedency is missing - server will not work #BuildRequires: python3-samba BuildRequires: python3-setuptools -# 0.6: serialization.load_pem_private_key, load_pem_public_key -BuildRequires: python3-cryptography >= 1.3.1 +# 1.4: the version where Certificate.serial changed to .serial_number +BuildRequires: python3-cryptography >= 1.4 BuildRequires: python3-gssapi >= 1.2.0 BuildRequires: python3-pylint >= 1.0 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 
@@ -584,7 +584,7 @@ Requires: gnupg Requires: keyutils Requires: pyOpenSSL Requires: python-nss >= 0.16 -Requires: python-cryptography >= 1.3.1 +Requires: python-cryptography >= 1.4 Requires: python-netaddr Requires: python-libipa_hbac Requires: python-qrcode-core >= 5.0.0 @@ -634,7 +634,7 @@ Requires: gnupg Requires: keyutils Requires: python3-pyOpenSSL Requires: python3-nss >= 0.16 -Requires: python3-cryptography >= 1.3.1 +Requires: python3-cryptography >= 1.4 Requires: python3-netaddr Requires: python3-libipa_hbac Requires: python3-qrcode-core >= 5.0.0 @@ -709,7 +709,7 @@ Requires: python-pytest-multihost >= 0.5 Requires: python-pytest-sourceorder Requires: ldns-utils Requires: python-sssdconfig -Requires: python2-cryptography >= 1.3.1 +Requires: python2-cryptography >= 1.4 Provides: %{alt_name}-tests = %{version} Conflicts: %{alt_name}-tests @@ -743,7 +743,7 @@ Requires: python3-pytest-multihost >= 0.5 Requires: python3-pytest-sourceorder Requires: ldns-utils Requires: python3-sssdconfig -Requires: python3-cryptography >= 1.3.1 +Requires: python3-cryptography >= 1.4 %description -n python3-ipatests IPA is an integrated solution to provide centrally managed Identity (users,
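Review bot: the @@ -709 hunk bumps `python2-cryptography` while the @@ -121 and @@ -584 hunks bump `python-cryptography`; both bounds are `>= 1.4` in this revision, so nothing is inconsistent today, but the spec now spells the same Python 2 dependency two ways, and a follow-up that unifies the name would keep the next bump from updating one and missing the other.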
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
Ok, split the last stuff in 3 commits.

I removed the use of private ccache for a few reasons:
1. touches environment variables.
2. will unconditionally remove a ccache even when passed in, so it may end up removing the wrong thing
3. private_ccache is used in dcerpc code and I do not want to change semantics and risk breaking that code path
4. This fix is much smaller and removes one more yield, which is not a bad thing as it makes the code easier to read.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279700179
[Freeipa-devel] [freeipa PR#464][comment] Bump required python-cryptography version
URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version
HonzaCholasta commented:
"""
NACK, you didn't update the comments.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/464#issuecomment-279698054
[Freeipa-devel] [freeipa PR#464][opened] :arrow_up: Bump required python-cryptography version
URL: https://github.com/freeipa/freeipa/pull/464 Author: stlaz Title: #464: :arrow_up: Bump required python-cryptography version Action: opened PR body: """ Since we started using `Certificate.serial_number` instead of `.serial` from python-cryptography (https://github.com/freeipa/freeipa/commit/3d9bec2e879d60e6bb7b2602084d3314765a6283), bump the required version to the one where the above mentioned transition happened (https://github.com/pyca/cryptography/commit/e295f3ab615775c3549b7bc2e051af5cff801619). """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/464/head:pr464 git checkout pr464 From ce3e60c14174e8324259c614a4b69a9a76df1113 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 14 Feb 2017 13:34:14 +0100 Subject: [PATCH] Bump required python-cryptography version Since we started using 'Certificate.serial_number' instead of '.serial' from python-cryptography, bump the required version to the one where the above mentioned transition happened. --- freeipa.spec.in | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 26481ff..5cc76f1 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -122,7 +122,7 @@ BuildRequires: python-cffi BuildRequires: samba-python BuildRequires: python-setuptools # 1.3: oldest PyPI version that still compiles with recent OpenSSL -BuildRequires: python-cryptography >= 1.3.1 +BuildRequires: python-cryptography >= 1.4 BuildRequires: python-gssapi >= 1.2.0 BuildRequires: pylint >= 1.0 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 
@@ -159,7 +159,7 @@ BuildRequires: python2-jinja2 #BuildRequires: python3-samba BuildRequires: python3-setuptools # 0.6: serialization.load_pem_private_key, load_pem_public_key -BuildRequires: python3-cryptography >= 1.3.1 +BuildRequires: python3-cryptography >= 1.4 BuildRequires: python3-gssapi >= 1.2.0 BuildRequires: python3-pylint >= 1.0 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 @@ -584,7 +584,7 @@ Requires: gnupg Requires: keyutils Requires: pyOpenSSL Requires: python-nss >= 0.16 -Requires: python-cryptography >= 1.3.1 +Requires: python-cryptography >= 1.4 Requires: python-netaddr Requires: python-libipa_hbac Requires: python-qrcode-core >= 5.0.0 @@ -634,7 +634,7 @@ Requires: gnupg Requires: keyutils Requires: python3-pyOpenSSL Requires: python3-nss >= 0.16 -Requires: python3-cryptography >= 1.3.1 +Requires: python3-cryptography >= 1.4 Requires: python3-netaddr Requires: python3-libipa_hbac Requires: python3-qrcode-core >= 5.0.0 @@ -709,7 +709,7 @@ Requires: python-pytest-multihost >= 0.5 Requires: python-pytest-sourceorder Requires: ldns-utils Requires: python-sssdconfig -Requires: python2-cryptography >= 1.3.1 +Requires: python2-cryptography >= 1.4 Provides: %{alt_name}-tests = %{version} Conflicts: %{alt_name}-tests @@ -743,7 +743,7 @@ Requires: python3-pytest-multihost >= 0.5 Requires: python3-pytest-sourceorder Requires: ldns-utils Requires: python3-sssdconfig -Requires: python3-cryptography >= 1.3.1 +Requires: python3-cryptography >= 1.4 %description -n python3-ipatests IPA is an integrated solution to provide centrally managed Identity (users,
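Review bot: in the @@ -122 and @@ -159 hunks the bound moves to `>= 1.4` but the comments directly above, `# 1.3: oldest PyPI version that still compiles with recent OpenSSL` and `# 0.6: serialization.load_pem_private_key, load_pem_public_key`, are left untouched and now describe a minimum that no longer applies; reword them to name the `Certificate.serial_number` transition the PR body gives as the reason, so the next person bumping the version can see what the floor depends on.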
[Freeipa-devel] [freeipa PR#464][edited] :arrow_up: Bump required python-cryptography version
URL: https://github.com/freeipa/freeipa/pull/464
Author: stlaz
Title: #464: :arrow_up: Bump required python-cryptography version
Action: edited
Changed field: title
Original value:
"""
:arrow_up: Bump required python-cryptography version
"""
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented:
"""
@simo5, I don't agree, the changes in `ipalib/rpc.py` are a pre-requisite for the changes in `ipatests/util.py`, but that doesn't mean they should be in the same commit, as they affect every use of `RPCClient`, not just the one in the tests. Following your logic, the whole PR should be just a single commit, which would be equally wrong.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279695377
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server
lslebodn commented:
"""
On (14/02/17 02:29), Christian Heimes wrote:
>I'm following a different design and development philosophy. In my experience
>an iterative approach with small, incremental improvements is often better and
>faster than striving for 100% perfect PRs. Large and feature complete PRs take
>more time than evolutionary steps.
>

I have never written anything against this philosophy. All small changes can make sense from a semantic point of view. Misusing names/options for a different use-case just creates a big mess and confuses other people.

>Please review this PR under three viewpoints:
>
>* Does it contribute to resolving ticket
>https://fedorahosted.org/freeipa/ticket/6517 ?

A client only build and --disable-server are the same thing (at least from the "make install" POV). I have never required changes to the spec file.

>* Does it enable future changes to solve the ticket?

If you will not install ipatests (if there is a way to not install ipatest) then it will enable future changes to solve the ticket. Because solving ticket6517 would be just writing the right spec file. ATM it does not enable future changes to solve the ticket.

>* Does it break any code or feature that is currently present? [1]

Yes, it installs server related options even though they should not be installed.

Summary: You should realize that the name of the PR is "Client-only builds with --disable-server" and your use-case is not a pure client only build.

LS
"""
See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279693909
[Freeipa-devel] [freeipa PR#459][synchronized] [WIP] Faster JSON encoder/decoder
URL: https://github.com/freeipa/freeipa/pull/459 Author: tiran Title: #459: [WIP] Faster JSON encoder/decoder Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/459/head:pr459 git checkout pr459 From 0524479852c48de7b70db8a37c0fdc8673ea1557 Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Mon, 13 Feb 2017 09:46:39 +0100 Subject: [PATCH 1/5] Faster JSON encoder/decoder Improve performance of FreeIPA's JSON serializer and deserializer. * Don't indent and sort keys. Both options trigger a slow path in Python's json package. Without indention and sorting, encoding mostly happens in optimized C code. * Replace O(n) type checks with O(1) type lookup and eliminate the use of isinstance(). * Check each client capability only once for every conversion. * Use decoder's obj_hook feature to traverse the object tree once and to eliminate calls to isinstance(). Closes: https://fedorahosted.org/freeipa/ticket/6655 Signed-off-by: Christian Heimes --- ipalib/rpc.py | 211 +++-- ipaserver/rpcserver.py | 7 +- 2 files changed, 134 insertions(+), 84 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 7d9f6ec..6cad397 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -51,7 +51,7 @@ from ipalib.backend import Connectible from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT from ipalib.errors import (public_errors, UnknownError, NetworkError, -KerberosError, XMLRPCMarshallError, JSONError, ConversionError) +KerberosError, XMLRPCMarshallError, JSONError) from ipalib import errors, capabilities from ipalib.request import context, Connection from ipapython.ipa_log_manager import root_logger 
@@ -274,67 +274,140 @@ def xml_dumps(params, version, methodname=None, methodresponse=False, ) -def json_encode_binary(val, version): -''' - JSON cannot encode binary values. We encode binary values in Python str - objects and text in Python unicode objects. In order to allow a binary - object to be passed through JSON we base64 encode it thus converting it to - text which JSON can transport. To assure we recognize the value is a base64 - encoded representation of the original binary value and not confuse it with - other text we convert the binary value to a dict in this form: - - {'__base64__' : base64_encoding_of_binary_value} - - This modification of the original input value cannot be done "in place" as - one might first assume (e.g. replacing any binary items in a container - (e.g. list, tuple, dict) with the base64 dict because the container might be - an immutable object (i.e. a tuple). Therefore this function returns a copy - of any container objects it encounters with tuples replaced by lists. This - is O.K. because the JSON encoding will map both lists and tuples to JSON - arrays. 
- ''' - -if isinstance(val, dict): -new_dict = {} -for k, v in val.items(): -new_dict[k] = json_encode_binary(v, version) -return new_dict -elif isinstance(val, (list, tuple)): -new_list = [json_encode_binary(v, version) for v in val] -return new_list -elif isinstance(val, bytes): -encoded = base64.b64encode(val) -if not six.PY2: -encoded = encoded.decode('ascii') -return {'__base64__': encoded} -elif isinstance(val, Decimal): -return unicode(val) -elif isinstance(val, DN): -return str(val) -elif isinstance(val, datetime.datetime): -if capabilities.client_has_capability(version, 'datetime_values'): +class _JSONConverter(dict): +__slots__ = ('version', '_cap_datetime', '_cap_dnsname') + +_identity = object() + +def __init__(self, version, _identity=_identity): +super(_JSONConverter, self).__init__() +self.version = version +self._cap_datetime = None +self._cap_dnsname = None +self.update({ +unicode: _identity, +bool: _identity, +type(None): _identity, +float: _identity, +Decimal: unicode, +DN: str, +Principal: unicode, +DNSName: self._enc_dnsname, +datetime.datetime: self._enc_datetime, +bytes: self._enc_bytes, +list: self._enc_list, +tuple: self._enc_list, +dict: self._enc_dict, +}) +# int, long +for t in six.integer_types: +self[t] = _identity + +def __missing__(self, typ): +# walk MRO to find best match +for c in typ.__mro__: +if c in self: +self[typ] = self[c] +return self[c] +# use issubclass to check for registered ABCs +for c in self: +if issubclass(typ, c): +self[typ] = self[c] +return
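Review bot: the @@ -51 hunk drops `ConversionError` from the `ipalib.errors` import, but none of the hunks visible here removes a use of it (the @@ -274 hunk only replaces the encoder side, and the decoder is not shown), so please confirm the decoder path that raised it is gone in the rest of the series; otherwise removing the import turns a handled conversion failure into a `NameError` at the raise site.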
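Review bot: in the @@ -274 hunk, `_JSONConverter.__missing__` falls back to `for c in self: if issubclass(typ, c): self[typ] = self[c]`, assigning into the dict while iterating over it; it returns immediately so the size-changed check never fires, but a type that is a subclass of two registered entries gets whichever key the dict yields first, and that order is arbitrary under Python 2 dicts, so the fallback should iterate a fixed-order sequence rather than the dict itself. Also, the removed `json_encode_binary` docstring was the only place documenting the `{'__base64__': ...}` wire form for bytes; please carry that note over to the new class so the format stays documented.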
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
We actually record the principal, change the patch to destroy session_cookie in create_connection if the principal is different.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279692958
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
The changes in ipalib/rpc.py are connected to the changes in ipatest/util.py, it makes no sense to keep them separate as in each patch I add respectively to connect() and disconnect() arguments that are used in ipatest/util.py

As for resetting session_cookie when the principal changes, I am all for it, except we do not record the principal in the rpc context ...
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279691469
[Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker
URL: https://github.com/freeipa/freeipa/pull/463
Title: #463: pylint_plugins: add forbidden import checker
HonzaCholasta commented:
"""
The format could be nicer though - suggestions are welcome.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-279689307
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping
flo-renaud commented:
"""
Hi @HonzaCholasta,
PR updated with most of your comments, except the suggestion to use default_from. Please see my answer inline for this one.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-279689115
[Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker
URL: https://github.com/freeipa/freeipa/pull/463
Title: #463: pylint_plugins: add forbidden import checker
MartinBasti commented:
"""
Awesome then
"""
See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-279689037
[Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker
URL: https://github.com/freeipa/freeipa/pull/463
Title: #463: pylint_plugins: add forbidden import checker
HonzaCholasta commented:
"""
You can, using:
```
ipaclient/install/
```
"""
See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-279688754
[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder
URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder
MartinBasti commented:
"""
LGTM
"""
See the full comment at https://github.com/freeipa/freeipa/pull/459#issuecomment-279688053
[Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker
URL: https://github.com/freeipa/freeipa/pull/463
Title: #463: pylint_plugins: add forbidden import checker
MartinBasti commented:
"""
In this case:
```
ipaclient/:ipaclient.install:ipalib.install:ipaplatform:ipaserver,
ipaclient/install/:ipaserver,
```
`ipaclient/install` is allowed to import everything but `ipaserver`, but I cannot currently specify a rule that allows `ipaclient/install` to import everything (with `ipaserver`).

But as I said this is a corner case, it should be done when needed
"""
See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-279681262
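The rule format in this exchange (a path prefix followed by colon-separated forbidden modules, with HonzaCholasta's bare `ipaclient/install/` entry lifting the restriction), as an added illustration by the editor rather than FreeIPA's own pylint plugin; it assumes the semantics stated in the thread, longest matching prefix wins and a bare path forbids nothing, and the sample file names are constructed.

```python
"""Forbidden-import rules of the kind discussed in PR#463.

Editor's illustration, not FreeIPA's pylint_plugins.py. Assumed semantics,
taken from the thread rather than from the project's pylintrc:
  * each comma-separated entry is a file path prefix followed by a
    colon-separated list of forbidden modules;
  * the longest path prefix that matches the checked file wins;
  * a forbidden module also covers all of its submodules;
  * an entry with no module list (a bare path) forbids nothing, which is
    how "ipaclient/install/" alone re-allows everything for that tree.
"""

# MartinBasti's example configuration from the thread.
CONFIG = (
    "ipaclient/:ipaclient.install:ipalib.install:ipaplatform:ipaserver, "
    "ipaclient/install/:ipaserver,"
)


def parse_rules(config):
    """Turn 'path/:mod:mod, path2/' into {path_prefix: set(forbidden)}."""
    rules = {}
    for entry in config.split(","):
        entry = entry.strip()
        if not entry:
            continue                      # a trailing comma is allowed
        path, _, modules = entry.partition(":")
        rules[path] = {m for m in modules.split(":") if m}
    return rules


def applicable_rule(rules, filename):
    """Return the forbidden set of the longest prefix matching filename,
    or None when no entry applies at all."""
    best = None
    for path in rules:
        if filename.startswith(path) and (best is None or len(path) > len(best)):
            best = path
    return None if best is None else rules[best]


def is_forbidden(rules, filename, modname):
    """True if `import modname` inside filename violates the rule set.
    'ipaserver' forbids 'ipaserver', 'ipaserver.install', and so on."""
    forbidden = applicable_rule(rules, filename)
    if not forbidden:                     # no entry, or a bare path entry
        return False
    parts = modname.split(".")
    return any(".".join(parts[:n]) in forbidden for n in range(1, len(parts) + 1))


def violations(rules, imports):
    """Filter (filename, modname) pairs down to the forbidden ones."""
    return [(f, m) for f, m in imports if is_forbidden(rules, f, m)]


# Constructed sample imports, mirroring the files the PR touches.
SAMPLE_IMPORTS = [
    ("ipaclient/csrgen.py", "ipaplatform.paths"),                  # forbidden
    ("ipaclient/csrgen.py", "ipalib.text"),                        # allowed
    ("ipaclient/install/ipa_certupdate.py", "ipaserver.install.cainstance"),  # forbidden
    ("ipaclient/install/ipa_certupdate.py", "ipaplatform.paths"),  # allowed: longer prefix wins
    ("ipalib/rpc.py", "ipaserver.plugins"),                        # allowed: no rule for ipalib/
]

if __name__ == "__main__":
    rules = parse_rules(CONFIG)
    for f, m in violations(rules, SAMPLE_IMPORTS):
        print("%s: forbidden import %s" % (f, m))
    # The corner case: a bare path entry lifts every restriction for that tree.
    relaxed = parse_rules("ipaclient/:ipaserver, ipaclient/install/")
    print(is_forbidden(relaxed, "ipaclient/install/x.py", "ipaserver"))  # False
```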
[Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker
URL: https://github.com/freeipa/freeipa/pull/463
Title: #463: pylint_plugins: add forbidden import checker
HonzaCholasta commented:
"""
I don't know what you mean, could you give me an example?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-279678738
[Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker
URL: https://github.com/freeipa/freeipa/pull/463
Title: #463: pylint_plugins: add forbidden import checker
MartinBasti commented:
"""
Ok, this will not work if ipaclient/submodule allows importing any module, but it seems OK to me now, can be improved when needed
"""
See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-279678379
[Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker
URL: https://github.com/freeipa/freeipa/pull/463
Title: #463: pylint_plugins: add forbidden import checker
HonzaCholasta commented:
"""
@MartinBasti, this issue is already solved in the PR without using regular expressions. See `pylintrc` for example.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-279676848
[Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker
URL: https://github.com/freeipa/freeipa/pull/463
Title: #463: pylint_plugins: add forbidden import checker
MartinBasti commented:
"""
> Can you turn module matching into a regular expression? We need a bit more
> advanced checks, e.g. ipalib should not import from ipaplatform except for
> modules in ipalib.install.

How can the issue mentioned by @tiran be solved in this PR? Should regexp be used or allow rules added?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-279676228
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented:
"""
@simo5, I don't think this is the correct approach. Rather than deleting `context.session_cookie` in `RPCClient.destroy_connection()` when requested, it should be done automatically in `RPCClient.create_connection()` when the principal name in the ccache is different from the principal name of the cookie.

Also, IMHO it would be preferable to keep the changes in `ipatest/util.py` in a separate commit and not mix them with the generic changes not related only to tests in `ipalib/rpc.py`.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279675537
[Freeipa-devel] [freeipa PR#463][synchronized] pylint_plugins: add forbidden import checker
URL: https://github.com/freeipa/freeipa/pull/463 Author: HonzaCholasta Title: #463: pylint_plugins: add forbidden import checker Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/463/head:pr463 git checkout pr463 From 82af6b07e922f4cad625ab31b91f65cf804a9858 Mon Sep 17 00:00:00 2001 From: Jan CholastaDate: Tue, 14 Feb 2017 09:58:44 +0100 Subject: [PATCH] pylint_plugins: add forbidden import checker Add new pylint AST checker plugin which implements a check for imports forbidden in IPA. Which imports are forbidden is configurable in pylintrc. Provide default forbidden import configuration and disable the check for existing forbidden imports in our code base. --- Makefile.am | 4 +- ipaclient/csrgen.py | 2 +- ipaclient/install/ipa_certupdate.py | 4 +- ipaclient/remote_plugins/__init__.py | 4 +- ipalib/__init__.py | 8 +++- ipaplatform/base/services.py | 4 +- ipaplatform/debian/services.py | 2 + ipaplatform/redhat/services.py | 2 + ipaplatform/redhat/tasks.py | 2 + ipapython/certdb.py | 6 ++- ipapython/cookie.py | 2 + ipapython/dogtag.py | 2 + ipapython/ipaldap.py | 2 + pylint_plugins.py| 82 +++- pylintrc | 15 ++- 15 files changed, 129 insertions(+), 12 deletions(-) diff --git a/Makefile.am b/Makefile.am index 9bfc899..bb6e480 100644 --- a/Makefile.am +++ b/Makefile.am @@ -164,7 +164,9 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py -type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \ echo "Pylint is running, please wait ..."; \ PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \ - --rcfile=$(top_srcdir)/pylintrc $${FILES} + --rcfile=$(top_srcdir)/pylintrc \ + --load-plugins pylint_plugins \ + $${FILES} .PHONY: jslint jslint-ui jslint-ui-test jslint-html \ $(top_builddir)/install/ui/src/libs/loader.js diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py index 96100ae..828ab43 100644 --- a/ipaclient/csrgen.py +++ b/ipaclient/csrgen.py 
@@ -15,7 +15,7 @@ from ipalib import errors from ipalib.text import _ -from ipaplatform.paths import paths +from ipaplatform.paths import paths # pylint: disable=ipa-forbidden-import from ipapython.ipa_log_manager import log_mgr if six.PY3: diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py index 75c5d97..d6ffbde 100644 --- a/ipaclient/install/ipa_certupdate.py +++ b/ipaclient/install/ipa_certupdate.py @@ -100,9 +100,9 @@ def run(self): if server_fstore.has_files(): self.update_server(certs) try: -# pylint: disable=import-error +# pylint: disable=import-error,ipa-forbidden-import from ipaserver.install import cainstance -# pylint: enable=import-error +# pylint: enable=import-error,ipa-forbidden-import cainstance.add_lightweight_ca_tracking_requests( self.log, lwcas) except Exception: diff --git a/ipaclient/remote_plugins/__init__.py b/ipaclient/remote_plugins/__init__.py index da7004d..037dd6f 100644 --- a/ipaclient/remote_plugins/__init__.py +++ b/ipaclient/remote_plugins/__init__.py @@ -109,7 +109,9 @@ def is_valid(self): def get_package(api): if api.env.in_tree: -from ipaserver import plugins # pylint: disable=import-error +# pylint: disable=import-error,ipa-forbidden-import +from ipaserver import plugins +# pylint: enable=import-error,ipa-forbidden-import else: try: plugins = api._remote_plugins diff --git a/ipalib/__init__.py b/ipalib/__init__.py index 544fcf2..16f90c3 100644 --- a/ipalib/__init__.py +++ b/ipalib/__init__.py @@ -935,7 +935,9 @@ class API(plugable.API): @property def packages(self): if self.env.in_server: -import ipaserver.plugins # pylint: disable=import-error +# pylint: disable=import-error,ipa-forbidden-import +import ipaserver.plugins +# pylint: enable=import-error,ipa-forbidden-import result = ( ipaserver.plugins, ) 
@@ -948,7 +950,9 @@ def packages(self): ) if self.env.context in ('installer', 'updates'): -import ipaserver.install.plugins # pylint: disable=import-error +# pylint: disable=import-error,ipa-forbidden-import +import ipaserver.install.plugins +# pylint: enable=import-error,ipa-forbidden-import result += (ipaserver.install.plugins,) return result diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py index 9c9a5ae..ae7c777 100644 ---
[Freeipa-devel] [freeipa PR#462][+rejected] [WIP] pylint: add custom check for forbidden imports
URL: https://github.com/freeipa/freeipa/pull/462
Title: #462: [WIP] pylint: add custom check for forbidden imports
Label: +rejected
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server
tiran commented:
"""
I'm following a different design and development philosophy. In my experience an iterative approach with small, incremental improvements is often better and faster than striving for 100% perfect PRs. Large and feature complete PRs take more time than evolutionary steps.

Your objection regarding semantics is valid for the ticket, but not necessarily valid for this PR as this PR only addresses a part of the problem. I don't dispute that your proposed changes to the spec file are necessary. However I argue for a separate PR. I'm not an expert in RPM packaging and I'd rather let somebody else figure out the appropriate way to deal with client-only packaging. ipatests is yet another problem that should be solved in a third PR. Ticket https://fedorahosted.org/freeipa/ticket/6517 does not, in fact it should not be solved in one PR.

Please review this PR under three viewpoints:

* Does it contribute to resolving ticket https://fedorahosted.org/freeipa/ticket/6517 ?
* Does it enable future changes to solve the ticket?
* Does it break any code or feature that is currently present? [1]

[1] client-only packaging is currently not available
"""
See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279669097
[Freeipa-devel] [freeipa PR#463][opened] pylint_plugins: add forbidden import checker
URL: https://github.com/freeipa/freeipa/pull/463
Author: HonzaCholasta
Title: #463: pylint_plugins: add forbidden import checker
Action: opened
PR body:
"""
Add new pylint AST checker plugin which implements a check for imports forbidden in IPA. Which imports are forbidden is configurable in pylintrc.

Provide default forbidden import configuration and disable the check for existing forbidden imports in our code base.

Supersedes @MartinBasti's PR #462.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/463/head:pr463
git checkout pr463
[Freeipa-devel] [freeipa PR#410][+ack] ipa-kdb: support KDB DAL version 6.1
URL: https://github.com/freeipa/freeipa/pull/410 Title: #410: ipa-kdb: support KDB DAL version 6.1 Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [bind-dyndb-ldap PR#9][comment] Remove duplicate const declaration specifier
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9 Title: #9: Remove duplicate const declaration specifier tomaskrizek commented: """ @pemensik Thanks for review! """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/9#issuecomment-279650948 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [bind-dyndb-ldap PR#9][+pushed] Remove duplicate const declaration specifier
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9 Title: #9: Remove duplicate const declaration specifier Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [bind-dyndb-ldap PR#9][closed] Remove duplicate const declaration specifier
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9 Author: tomaskrizek Title: #9: Remove duplicate const declaration specifier Action: closed To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/9/head:pr9 git checkout pr9 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [bind-dyndb-ldap PR#9][comment] Remove duplicate const declaration specifier
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9 Title: #9: Remove duplicate const declaration specifier tomaskrizek commented: """ Fixed upstream. master - f76ca3b3a4c2c030071dd23c706d8cc06e1fa2a9 """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/9#issuecomment-279650750 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#446][reopened] No NSS database passwords in ipa-client-install
URL: https://github.com/freeipa/freeipa/pull/446 Author: stlaz Title: #446: No NSS database passwords in ipa-client-install Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/446/head:pr446 git checkout pr446 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [bind-dyndb-ldap PR#9][+ack] Remove duplicate const declaration specifier
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9 Title: #9: Remove duplicate const declaration specifier Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#446][closed] No NSS database passwords in ipa-client-install
URL: https://github.com/freeipa/freeipa/pull/446 Author: stlaz Title: #446: No NSS database passwords in ipa-client-install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/446/head:pr446 git checkout pr446 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#446][synchronized] No NSS database passwords in ipa-client-install
URL: https://github.com/freeipa/freeipa/pull/446 Author: stlaz Title: #446: No NSS database passwords in ipa-client-install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/446/head:pr446 git checkout pr446 From 29effa5d373340923382a508afc0e6b8545dd427 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 6 Dec 2016 09:14:54 +0100 Subject: [PATCH 1/3] Add password to certutil calls in NSSDatabase NSSDatabases should have the ability to run certutil with a password if location of the file containing it is known. https://fedorahosted.org/freeipa/ticket/5695 --- install/tools/ipa-replica-conncheck | 11 +++ ipaclient/install/client.py | 14 ++ ipapython/certdb.py | 19 +-- ipaserver/install/cainstance.py | 18 ++ ipaserver/install/certs.py | 2 +- ipaserver/install/installutils.py | 18 -- ipaserver/install/ipa_cacert_manage.py | 8 ipaserver/install/ipa_server_certinstall.py | 7 +++ ipaserver/install/kra.py| 7 --- 9 files changed, 60 insertions(+), 44 deletions(-) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 04e23de..896fddc 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -542,12 +542,9 @@ def main(): with certdb.NSSDatabase(nss_dir) as nss_db: if options.ca_cert_file: -nss_dir = nss_db.secdir - -password = ipautil.ipa_generate_password() -password_file = ipautil.write_tmp_file(password) -nss_db.create_db(password_file.name) - +nss_db.create_passwd_file( +ipautil.ipa_generate_password()) +nss_db.create_db() ca_certs = x509.load_certificate_list_from_file( options.ca_cert_file) for ca_cert in ca_certs: @@ -555,8 +552,6 @@ def main(): serialization.Encoding.DER) nss_db.add_cert( data, str(DN(ca_cert.subject)), 'C,,') -else: -nss_dir = None api.bootstrap(context='client', confdir=paths.ETC_IPA, diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index aa3449c..1b75f49 100644 
--- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -2289,18 +2289,16 @@ def install_check(options): def create_ipa_nssdb(): db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) -pwdfile = os.path.join(db.secdir, 'pwdfile.txt') -ipautil.backup_file(pwdfile) +ipautil.backup_file(db.password_file) ipautil.backup_file(os.path.join(db.secdir, 'cert8.db')) ipautil.backup_file(os.path.join(db.secdir, 'key3.db')) ipautil.backup_file(os.path.join(db.secdir, 'secmod.db')) -with open(pwdfile, 'w') as f: -f.write(ipautil.ipa_generate_password()) -os.chmod(pwdfile, 0o600) +db.create_passwd_file(ipautil.ipa_generate_password()) +os.chmod(db.password_file, 0o600) -db.create_db(pwdfile) +db.create_db() os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644) os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644) os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644) @@ -2672,8 +2670,8 @@ def _install(options): for cert in ca_certs ] try: -pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password()) -tmp_db.create_db(pwd_file.name) +tmp_db.create_passwd_file(ipautil.ipa_generate_password()) +tmp_db.create_db() for i, cert in enumerate(ca_certs): tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,') diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 9481326..9493118 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -83,13 +83,17 @@ class NSSDatabase(object): # got too tied to IPA server details, killing reusability. # BaseCertDB is a class that knows nothing about IPA. # Generic NSS DB code should be moved here. -def __init__(self, nssdir=None): +def __init__(self, nssdir=None, password_file=None): if nssdir is None: self.secdir = tempfile.mkdtemp() self._is_temporary = True else: self.secdir = nssdir self._is_temporary = False +if password_file is None: +self.password_file = os.path.join(self.secdir, 'passwd.txt') +else: +self.password_file = password_file def close(self):
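Review bot: the ipa-replica-conncheck hunk drops both assignments to `nss_dir` (`nss_dir = nss_db.secdir` in the `if options.ca_cert_file` branch and `nss_dir = None` in the removed `else`), so if `nss_dir` is still read after the `with` block (the following `api.bootstrap(context='client', ...)` call is the obvious candidate), it now keeps the value it had before the block instead of being reset to `None` when no CA file was given; please confirm no later reference depends on the old reset, and note that the password now lands in the database directory via `nss_db.create_passwd_file(...)` rather than in a self-deleting `write_tmp_file` file, so cleanup of the temporary database must remove it too.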
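Review bot: in `create_ipa_nssdb()` the password is written by `db.create_passwd_file(ipautil.ipa_generate_password())` and only afterwards restricted with `os.chmod(db.password_file, 0o600)`, so, exactly as with the removed `open(pwdfile, 'w')` code, the file briefly exists with umask-derived permissions; have `create_passwd_file` open the file with mode 0o600 itself (for example `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)`) so that callers do not need the follow-up `chmod` and the same guarantee also covers the temporary databases created in `_install()` and ipa-replica-conncheck.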
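Review bot: the new default `self.password_file = os.path.join(self.secdir, 'passwd.txt')` in `NSSDatabase.__init__` does not match the `pwdfile.txt` name that the removed `create_ipa_nssdb()` code used in the same directory, so on an already-enrolled client `ipautil.backup_file(db.password_file)` backs up a file that does not exist yet while the old `pwdfile.txt` is left behind untouched; either keep `pwdfile.txt` as the default or handle the rename explicitly, and document the new `password_file` constructor parameter (its default location and that it is created by `create_passwd_file`) in the class docstring.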
[Freeipa-devel] [freeipa PR#459][synchronized] [WIP] Faster JSON encoder/decoder
URL: https://github.com/freeipa/freeipa/pull/459 Author: tiran Title: #459: [WIP] Faster JSON encoder/decoder Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/459/head:pr459 git checkout pr459 From e685e106dbcfb54d1651c97d6a07a17c3417127f Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Mon, 13 Feb 2017 09:46:39 +0100 Subject: [PATCH 1/4] Faster JSON encoder/decoder Improve performance of FreeIPA's JSON serializer and deserializer. * Don't indent and sort keys. Both options trigger a slow path in Python's json package. Without indention and sorting, encoding mostly happens in optimized C code. * Replace O(n) type checks with O(1) type lookup and eliminate the use of isinstance(). * Check each client capability only once for every conversion. * Use decoder's obj_hook feature to traverse the object tree once and to eliminate calls to isinstance(). Closes: https://fedorahosted.org/freeipa/ticket/6655 Signed-off-by: Christian Heimes --- ipalib/rpc.py | 211 +++-- ipaserver/rpcserver.py | 7 +- 2 files changed, 134 insertions(+), 84 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 7d9f6ec..6cad397 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -51,7 +51,7 @@ from ipalib.backend import Connectible from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT from ipalib.errors import (public_errors, UnknownError, NetworkError, -KerberosError, XMLRPCMarshallError, JSONError, ConversionError) +KerberosError, XMLRPCMarshallError, JSONError) from ipalib import errors, capabilities from ipalib.request import context, Connection from ipapython.ipa_log_manager import root_logger 
@@ -274,67 +274,140 @@ def xml_dumps(params, version, methodname=None, methodresponse=False, ) -def json_encode_binary(val, version): -''' - JSON cannot encode binary values. We encode binary values in Python str - objects and text in Python unicode objects. In order to allow a binary - object to be passed through JSON we base64 encode it thus converting it to - text which JSON can transport. To assure we recognize the value is a base64 - encoded representation of the original binary value and not confuse it with - other text we convert the binary value to a dict in this form: - - {'__base64__' : base64_encoding_of_binary_value} - - This modification of the original input value cannot be done "in place" as - one might first assume (e.g. replacing any binary items in a container - (e.g. list, tuple, dict) with the base64 dict because the container might be - an immutable object (i.e. a tuple). Therefore this function returns a copy - of any container objects it encounters with tuples replaced by lists. This - is O.K. because the JSON encoding will map both lists and tuples to JSON - arrays. 
- ''' - -if isinstance(val, dict): -new_dict = {} -for k, v in val.items(): -new_dict[k] = json_encode_binary(v, version) -return new_dict -elif isinstance(val, (list, tuple)): -new_list = [json_encode_binary(v, version) for v in val] -return new_list -elif isinstance(val, bytes): -encoded = base64.b64encode(val) -if not six.PY2: -encoded = encoded.decode('ascii') -return {'__base64__': encoded} -elif isinstance(val, Decimal): -return unicode(val) -elif isinstance(val, DN): -return str(val) -elif isinstance(val, datetime.datetime): -if capabilities.client_has_capability(version, 'datetime_values'): +class _JSONConverter(dict): +__slots__ = ('version', '_cap_datetime', '_cap_dnsname') + +_identity = object() + +def __init__(self, version, _identity=_identity): +super(_JSONConverter, self).__init__() +self.version = version +self._cap_datetime = None +self._cap_dnsname = None +self.update({ +unicode: _identity, +bool: _identity, +type(None): _identity, +float: _identity, +Decimal: unicode, +DN: str, +Principal: unicode, +DNSName: self._enc_dnsname, +datetime.datetime: self._enc_datetime, +bytes: self._enc_bytes, +list: self._enc_list, +tuple: self._enc_list, +dict: self._enc_dict, +}) +# int, long +for t in six.integer_types: +self[t] = _identity + +def __missing__(self, typ): +# walk MRO to find best match +for c in typ.__mro__: +if c in self: +self[typ] = self[c] +return self[c] +# use issubclass to check for registered ABCs +for c in self: +if issubclass(typ, c): +self[typ] = self[c] +return
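Review bot: `ConversionError` is dropped from the `ipalib.errors` import in the first hunk; please confirm that no remaining code in `ipalib/rpc.py` outside the visible hunks still raises or catches it, since a leftover reference would only surface as a `NameError` on that code path at runtime rather than at import time.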
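Review bot: the `json_encode_binary` docstring that explained the `{'__base64__': base64_encoding_of_binary_value}` wire convention for binary values is deleted, but nothing equivalent is added to `_JSONConverter`; please carry that description over as the class docstring (or onto `_enc_bytes`), because the encoding is a protocol detail that clients and the decoder depend on, not an implementation detail. A short comment on `__missing__` would also help: it assigns `self[typ] = self[c]` inside `for c in self` and relies on the immediate `return` to avoid the dict-changed-during-iteration error, which is correct but easy to misread.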
[Freeipa-devel] [freeipa PR#403][comment] Add new ipa passwd-generate command
URL: https://github.com/freeipa/freeipa/pull/403 Title: #403: Add new ipa passwd-generate command abbra commented: """ Sorry for another delay too. We have discussed this proposal again and would like to have an ipa-advise implementation instead of IPA CLI command. There are multiple reasons for this: * If an IPA CLI implementation would be done, from your last comment it looks like you would be interested in supplying a generated password to another IPA command call, like 'ipa passwd'. However, to get access to password policy object, one has to have administrative privileges, while it is supposed that 'ipa passwd' command is executed under user privileges. Thus, 'ipa foobar --generate | ipa passwd' is not possible as that would require two different auth identities to run in the same session space. * Implementation that only uses user's identity will see no password policy settings at all. Thus it would not be able to follow any specific password policy. * Existing 'ipa user-add --random' and 'ipa host-add --random' which set user/host password to a random value apply to situations where the passwords are of one-time use and will get changed on the first use. * Any administratively set password for IPA users will cause its change on the first authentication attempt. This is not going to change. Thus, setting a generated password as administrator is not going to honor the password that was just set. As a result, a sequence of events "administrator calls IPA CLI to generate password and then sets this password to a user" is not going to work in practice to retain the generated password. * For system accounts we want to have an overall proper management. When it is implemented, we can add there an option to generate passwords. Given that system accounts aren't handled by the IPA framework right now, the source of a policy compliant password can be anything, as adding the account is done externally (via ldapadd/ldapmodify) with administrative privileges. 
Thus, we'd still prefer to use 'ipa-advise' plugin approach. A script that 'ipa-advise' would generate, can be run on any machine. If it couldn't be run on the target machine, it can always be run on an IPA client. An important part of this solution is that 'ipa-advise' plugins can be run with administrative privileges (ipa-advise is always run as root) and thus can read password policy settings for a specific user (or a specific password policy). """ See the full comment at https://github.com/freeipa/freeipa/pull/403#issuecomment-279634244 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code