[Freeipa-devel] [freeipa PR#503][opened] [WIP] Update testcase for cert plugin
URL: https://github.com/freeipa/freeipa/pull/503 Author: Akasurde Title: #503: [WIP] Update testcase for cert plugin Action: opened PR body: """ Fixes https://fedorahosted.org/freeipa/ticket/6275 Signed-off-by: Abhijeet Kasurde""" To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/503/head:pr503 git checkout pr503 From 76dcaceaed890e76a38915e4fd5345a04140794d Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Fri, 24 Feb 2017 13:21:49 +0530 Subject: [PATCH] [WIP] Update testcase for cert plugin Fixes https://fedorahosted.org/freeipa/ticket/6275 Signed-off-by: Abhijeet Kasurde --- ipatests/test_xmlrpc/test_cert_plugin.py | 56 +++- 1 file changed, 47 insertions(+), 9 deletions(-) diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py index 0b8277b..140bd02 100644 --- a/ipatests/test_xmlrpc/test_cert_plugin.py +++ b/ipatests/test_xmlrpc/test_cert_plugin.py @@ -50,6 +50,7 @@ _EXP_CRL_URI = ''.join(['http://ipa-ca.', _DOMAIN, '/ipa/crl/MasterCRL.bin']) _EXP_OCSP_URI = ''.join(['http://ipa-ca.', _DOMAIN, '/ca/ocsp']) + def is_db_configured(): """ Raise an exception if we are testing against lite-server and the @@ -88,6 +89,8 @@ def setup_class(cls): raise nose.SkipTest('cert_request not registered') if 'cert_show' not in api.Command: raise nose.SkipTest('cert_show not registered') +if 'cert_status' not in api.Command: +raise nose.SkipTest('cert_status not registered') is_db_configured() @@ -97,15 +100,14 @@ def run_certutil(self, args, stdin=None): return ipautil.run(new_args, stdin) def setup(self): -self.reqdir = tempfile.mkdtemp(prefix = "tmp-") +self.reqdir = tempfile.mkdtemp(prefix="tmp-") self.reqfile = self.reqdir + "/test.csr" self.pwname = self.reqdir + "/pwd" self.certfile = self.reqdir + "/cert.crt" # Create an empty password file -fp = open(self.pwname, "w") -fp.write("\n") -fp.close() +with open(self.pwname, "w") as fp: +fp.write("\n") # Create our temporary NSS database self.run_certutil(["-N", "-f", self.pwname]) @@ -122,9 +124,8 @@ def generateCSR(self, subject): "-f", self.pwname, "-a", ]) -fp = open(self.reqfile, "r") -data = fp.read() -fp.close() +with open(self.reqfile, "r") as fp: +data = fp.read() return data host_fqdn = u'ipatestcert.%s' % api.env.domain @@ -191,10 +192,10 @@ def test_0005_cert_uris(self): See https://fedorahosted.org/freeipa/ticket/5881 """ -result = api.Command.cert_show(sn, out=unicode(self.certfile)) +api.Command['cert_show'](sn, out=unicode(self.certfile)) with open(self.certfile, "r") as f: pem_cert = unicode(f.read()) -result = run(['openssl', 'x509', '-text'], +result = run([paths.OPENSSL, 'x509', '-text'], stdin=pem_cert, capture_output=True) assert _EXP_CRL_URI in result.output assert _EXP_OCSP_URI in result.output @@ -290,6 +291,7 @@ def test_0002_find_CA(self): """ res = api.Command['cert_find'](subject=u'Certificate Authority') assert 'count' in res and res['count'] == 1 +assert u'CN=Certificate Authority' in res['result'][0]['subject'] def test_0003_find_OCSP(self): """ @@ -298,6 +300,7 @@ def test_0003_find_OCSP(self): res = api.Command['cert_find'](subject=u'OCSP Subsystem') assert 'count' in res assert res['count'], "No OSCP certificate found" +assert u'CN=OCSP Subsystem' in res['result'][0]['subject'] def test_0004_find_this_host(self): """ @@ -305,6 +308,7 @@ def test_0004_find_this_host(self): """ res = api.Command['cert_find'](subject=api.env.host) assert 'count' in res and res['count'] > 1 +assert api.env.host in res['result'][0]['subject'] def test_0005_find_this_host_exact(self): """ @@ -312,6 +316,7 @@ def test_0005_find_this_host_exact(self): """ res = api.Command['cert_find'](subject=api.env.host, exactly=True) assert 'count' in res and res['count'] > 1 +assert api.env.host in res['result'][0]['subject'] def test_0006_find_this_short_host_exact(self): """ @@ -319,6 +324,7 @@ def test_0006_find_this_short_host_exact(self): """ res = api.Command['cert_find'](subject=self.short, exactly=True) assert 'count' in res and res['count'] == 0 +assert u'0 certificates matched' in res['summary'] # tests 0007 to 0016 removed @@ -423,6
Re: [Freeipa-devel] MD5 certificate fingerprints removal
On 02/24/2017 08:34 AM, Standa Laznicka wrote: > On 02/24/2017 08:29 AM, Jan Cholasta wrote: >> On 23.2.2017 19:06, Martin Basti wrote: >>> >>> >>> On 23.02.2017 15:09, Tomas Krizek wrote: On 02/22/2017 01:44 PM, Fraser Tweedale wrote: > On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote: >> On 02/22/2017 12:28 AM, Fraser Tweedale wrote: >>> On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote: On 02/21/2017 04:24 PM, Tomas Krizek wrote: > On 02/21/2017 03:23 PM, Rob Crittenden wrote: >> Standa Laznicka wrote: >>> Hello, >>> >>> Since we're trying to make FreeIPA work in FIPS we got to >>> the point >>> where we need to do something with MD5 fingerprints in the >>> cert plugin. >>> Eventually we came to a realization that it'd be best to get >>> rid of them >>> as a whole. These are counted by the framework and are not >>> stored >>> anywhere. Note that alongside with these fingerprints SHA1 >>> fingerprints >>> are also counted and those are there to stay. >>> >>> The question for this ML is, then - is it OK to remove these >>> or would >>> you rather have them replaced with SHA-256 alongside the >>> SHA-1? MD5 is a >>> grandpa and I think it should go. >> I based the values displayed on what certutil displayed at >> the time (7 >> years ago). I don't know that anyone uses these fingerprints. >> The >> OpenSSL equivalent doesn't include them by default. >> >> You may be able to deprecate fingerprints altogether. >> >> rob > I think it's useful to display the certificate's fingerprint. > I'm in > favor of removing md5 and adding sha256 instead. > Rob, thank you for sharing the information of where the cert fingerprints are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays SHA-256 and SHA1 fingerprints for certificates so I propose going that way too. >>> IMO we should remove MD5 and SHA-1, and add SHA-256. But we should >>> also make no API stability guarantee w.r.t. the fingerprint >>> attributes, i.e. to allow us to move to newer digests in future >>> (and >>> remove broken/no-longer-secure ones). We should advise that if a >>> customer has a hard requirement on a particular digest that they >>> should compute it themselves from the certificate. >>> >>> Cheers, >>> Fraser >> What is the motivation to remove SHA-1? Are there any attacks >> besides >> theoretical ones on SHA-1? >> >> Do other libraries already deprecate SHA-1? >> > Come to think of it, I was thinking about SHA-1 signatures (which > are completely forbidden in the public PKI nowadays). But for > fingerprints it is not so bad (for now). > > Thanks, > Fraser Actually, there's been a practical SHA1 attack just published [1]. Computational complexity was 9,223,372,036,854,775,808 SHA1 computations, which takes about 110 years on a single GPU. Therefore, I'm in favor to deprecate SHA1 as well and provide only SHA256. [1] - https://shattered.io/ >>> >>> I think we should wait with removal SHA1, don't remove it prematurely. >>> As MD5 is deprecated for very long time, SHA1 is not and we are not >>> using it for any cryptographic operation nor certificates. It is just >>> informational fingerprint. >> >> +1 >> > +1, I don't favour the > http://new2.fjcdn.com/gifs/Everybody_d72014_61779.gif approach. > People will most likely be using the software even years after its upstream release, so I think its best to address these issues sooner rather than later. SHA256 fingerprints should be added even if we decide to keep SHA1 for now. -- Tomas Krizek signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#502][opened] Make pylint and jsl optional
URL: https://github.com/freeipa/freeipa/pull/502 Author: tiran Title: #502: Make pylint and jsl optional Action: opened PR body: """ ./configure no longer fails when pylint or jsl are not available. The make targets for pylint and jsl are no longer defined without the tools. Rational: pylint and jsl are not required to build FreeIPA. Both are useful developer tools. It's more user friendly to make both components optionally with default config arguments. There is no reason to fail building on a build system without development tools. It's still possible to enforce dependency checks with --with-jslint and --enable-pylint. https://fedorahosted.org/freeipa/ticket/6604 Signed-off-by: Christian Heimes""" To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/502/head:pr502 git checkout pr502 From 21794f9008cbe5a3d239f8f7ecd7db441894e2f8 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 22 Feb 2017 19:19:35 +0100 Subject: [PATCH] Make pylint and jsl optional ./configure no longer fails when pylint or jsl are not available. The make targets for pylint and jsl are no longer defined without the tools. Rational: pylint and jsl are not required to build FreeIPA. Both are useful developer tools. It's more user friendly to make both components optionally with default config arguments. There is no reason to fail building on a build system without development tools. It's still possible to enforce dependency checks with --with-jslint and --enable-pylint. https://fedorahosted.org/freeipa/ticket/6604 Signed-off-by: Christian Heimes --- Makefile.am | 14 +++--- configure.ac | 32 2 files changed, 35 insertions(+), 11 deletions(-) diff --git a/Makefile.am b/Makefile.am index a35d18f..4e00053 100644 --- a/Makefile.am +++ b/Makefile.am @@ -146,6 +146,10 @@ JSLINT_TARGET = jslint endif WITH_JSLINT lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET) +.PHONY: $(top_builddir)/ipapython/version.py +$(top_builddir)/ipapython/version.py: + (cd $(top_builddir)/ipapython && make version.py) + .PHONY: acilint acilint: $(top_builddir)/ipapython/version.py cd $(srcdir); ./makeaci --validate @@ -162,10 +166,10 @@ polint: # folders rpmbuild, freeipa-* and dist. Skip (match, but don't print) .*, # *.in, *~. Finally print all python files, including scripts that do not # have python extension. -.PHONY: pylint $(top_builddir)/ipapython/version.py -$(top_builddir)/ipapython/version.py: - (cd $(top_builddir)/ipapython && make version.py) +.PHONY: pylint + +if WITH_PYLINT pylint: $(top_builddir)/ipapython/version.py ipasetup.py FILES=`find $(top_srcdir) \ -type d -exec test -e '{}/__init__.py' \; -print -prune -o \ @@ -180,9 +184,12 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py echo "Pylint is running, please wait ..."; \ PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \ --rcfile=$(top_srcdir)/pylintrc $${FILES} +endif # WITH_PYLINT .PHONY: jslint jslint-ui jslint-ui-test jslint-html \ $(top_builddir)/install/ui/src/libs/loader.js + +if WITH_JSLINT jslint: jslint-ui jslint-ui-test jslint-html $(top_builddir)/install/ui/src/libs/loader.js: @@ -205,6 +212,7 @@ jslint-ui-test: jslint-html: cd $(top_srcdir)/install/html; \ jsl -nologo -nosummary -nofilelisting -conf jsl.conf +endif # WITH_JSLINT .PHONY: bdist_wheel wheel_bundle WHEELDISTDIR = $(top_builddir)/dist/wheels diff --git a/configure.ac b/configure.ac index 9ee281a..3e98653 100644 --- a/configure.ac +++ b/configure.ac @@ -375,14 +375,20 @@ AC_ARG_ENABLE([pylint], AS_HELP_STRING([--disable-pylint], [skip Pylint in make lint target]), [PYLINT=$enableval], - [PYLINT=yes] + [PYLINT=check] ) if test x$PYLINT != xno; then AC_MSG_CHECKING([for Pylint]) -$PYTHON -m pylint --version > /dev/null +$PYTHON -m pylint --version >/dev/null 2>&1 if test "$?" != "0"; then -AC_MSG_ERROR([cannot find pylint for $PYTHON]) +if test x$PYLINT = xcheck; then +PYLINT=no +AC_MSG_NOTICE([cannot find optional pylint for $PYTHON]) +else +AC_MSG_ERROR([cannot find pylint for $PYTHON]) +fi else +PYLINT=yes AC_MSG_RESULT([yes]) fi fi @@ -394,13 +400,20 @@ AC_ARG_WITH([jslint], AS_HELP_STRING([--with-jslint=[FILE]], [path to JavaScript linter. Default is autodetection of utility "jsl" ]), -dnl --without-jslint will set JSLINT=no -[JSLINT=$with_jslint], -[AC_PATH_PROG([JSLINT], [jsl])] +[], +[with_jslint=check] ) -if test "x${JSLINT}" == "x"; then - AC_MSG_ERROR([cannot find JS lint]) +if test "x$with_jslint=" != xno; then +AC_PATH_PROG([JSLINT], [jsl]) +if test "x${JSLINT}" == "x"; then +if test "x$with_jslint"
Re: [Freeipa-devel] MD5 certificate fingerprints removal
On 02/24/2017 08:29 AM, Jan Cholasta wrote: On 23.2.2017 19:06, Martin Basti wrote: On 23.02.2017 15:09, Tomas Krizek wrote: On 02/22/2017 01:44 PM, Fraser Tweedale wrote: On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote: On 02/22/2017 12:28 AM, Fraser Tweedale wrote: On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote: On 02/21/2017 04:24 PM, Tomas Krizek wrote: On 02/21/2017 03:23 PM, Rob Crittenden wrote: Standa Laznicka wrote: Hello, Since we're trying to make FreeIPA work in FIPS we got to the point where we need to do something with MD5 fingerprints in the cert plugin. Eventually we came to a realization that it'd be best to get rid of them as a whole. These are counted by the framework and are not stored anywhere. Note that alongside with these fingerprints SHA1 fingerprints are also counted and those are there to stay. The question for this ML is, then - is it OK to remove these or would you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a grandpa and I think it should go. I based the values displayed on what certutil displayed at the time (7 years ago). I don't know that anyone uses these fingerprints. The OpenSSL equivalent doesn't include them by default. You may be able to deprecate fingerprints altogether. rob I think it's useful to display the certificate's fingerprint. I'm in favor of removing md5 and adding sha256 instead. Rob, thank you for sharing the information of where the cert fingerprints are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays SHA-256 and SHA1 fingerprints for certificates so I propose going that way too. IMO we should remove MD5 and SHA-1, and add SHA-256. But we should also make no API stability guarantee w.r.t. the fingerprint attributes, i.e. to allow us to move to newer digests in future (and remove broken/no-longer-secure ones). We should advise that if a customer has a hard requirement on a particular digest that they should compute it themselves from the certificate. Cheers, Fraser What is the motivation to remove SHA-1? Are there any attacks besides theoretical ones on SHA-1? Do other libraries already deprecate SHA-1? Come to think of it, I was thinking about SHA-1 signatures (which are completely forbidden in the public PKI nowadays). But for fingerprints it is not so bad (for now). Thanks, Fraser Actually, there's been a practical SHA1 attack just published [1]. Computational complexity was 9,223,372,036,854,775,808 SHA1 computations, which takes about 110 years on a single GPU. Therefore, I'm in favor to deprecate SHA1 as well and provide only SHA256. [1] - https://shattered.io/ I think we should wait with removal SHA1, don't remove it prematurely. As MD5 is deprecated for very long time, SHA1 is not and we are not using it for any cryptographic operation nor certificates. It is just informational fingerprint. +1 +1, I don't favour the http://new2.fjcdn.com/gifs/Everybody_d72014_61779.gif approach. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#501][opened] C compilation fixes and hardening
URL: https://github.com/freeipa/freeipa/pull/501 Author: tiran Title: #501: C compilation fixes and hardening Action: opened PR body: """ Fix "implicit declaration of function ‘strlen’" in ipa_pwd_ntlm.c, credits to Lukas. Add -Werror=implicit-function-declaration to CFLAGS to point developers to missing includes. It causes compilation to fail when a developer forgets to add a required include. The problem is no longer hidden in a massive wall of text from make. Silence a harmless error from 389-DS slapi.h until the bug is fixed in downstream, https://pagure.io/389-ds-base/issue/48979 Signed-off-by: Christian Heimes""" To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/501/head:pr501 git checkout pr501 From bbf04dbc1637327d91a83e743d2dc877edf98d5d Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 24 Feb 2017 08:20:15 +0100 Subject: [PATCH] C compilation fixes and hardening MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix "implicit declaration of function ‘strlen’" in ipa_pwd_ntlm.c, credits to Lukas. Add -Werror=implicit-function-declaration to CFLAGS to point developers to missing includes. It causes compilation to fail when a developer forgets to add a required include. The problem is no longer hidden in a massive wall of text from make. Silence a harmless error from 389-DS slapi.h until the bug is fixed in downstream, https://pagure.io/389-ds-base/issue/48979 Signed-off-by: Christian Heimes --- configure.ac| 4 util/ipa_pwd_ntlm.c | 1 + 2 files changed, 5 insertions(+) diff --git a/configure.ac b/configure.ac index 9ee281a..369f2ae 100644 --- a/configure.ac +++ b/configure.ac @@ -24,6 +24,10 @@ LT_INIT AC_HEADER_STDC +dnl 389-DS' slapi-plugin.h contains wrong prototype +dnl warn about missing includes +CFLAGS+=" -Wno-strict-prototypes -Werror=implicit-function-declaration" + PKG_PROG_PKG_CONFIG AC_ARG_ENABLE([server], diff --git a/util/ipa_pwd_ntlm.c b/util/ipa_pwd_ntlm.c index f709981..263816d 100644 --- a/util/ipa_pwd_ntlm.c +++ b/util/ipa_pwd_ntlm.c @@ -26,6 +26,7 @@ #include #include +#include #include #include -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] MD5 certificate fingerprints removal
On 23.2.2017 19:06, Martin Basti wrote: On 23.02.2017 15:09, Tomas Krizek wrote: On 02/22/2017 01:44 PM, Fraser Tweedale wrote: On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote: On 02/22/2017 12:28 AM, Fraser Tweedale wrote: On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote: On 02/21/2017 04:24 PM, Tomas Krizek wrote: On 02/21/2017 03:23 PM, Rob Crittenden wrote: Standa Laznicka wrote: Hello, Since we're trying to make FreeIPA work in FIPS we got to the point where we need to do something with MD5 fingerprints in the cert plugin. Eventually we came to a realization that it'd be best to get rid of them as a whole. These are counted by the framework and are not stored anywhere. Note that alongside with these fingerprints SHA1 fingerprints are also counted and those are there to stay. The question for this ML is, then - is it OK to remove these or would you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a grandpa and I think it should go. I based the values displayed on what certutil displayed at the time (7 years ago). I don't know that anyone uses these fingerprints. The OpenSSL equivalent doesn't include them by default. You may be able to deprecate fingerprints altogether. rob I think it's useful to display the certificate's fingerprint. I'm in favor of removing md5 and adding sha256 instead. Rob, thank you for sharing the information of where the cert fingerprints are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays SHA-256 and SHA1 fingerprints for certificates so I propose going that way too. IMO we should remove MD5 and SHA-1, and add SHA-256. But we should also make no API stability guarantee w.r.t. the fingerprint attributes, i.e. to allow us to move to newer digests in future (and remove broken/no-longer-secure ones). We should advise that if a customer has a hard requirement on a particular digest that they should compute it themselves from the certificate. Cheers, Fraser What is the motivation to remove SHA-1? Are there any attacks besides theoretical ones on SHA-1? Do other libraries already deprecate SHA-1? Come to think of it, I was thinking about SHA-1 signatures (which are completely forbidden in the public PKI nowadays). But for fingerprints it is not so bad (for now). Thanks, Fraser Actually, there's been a practical SHA1 attack just published [1]. Computational complexity was 9,223,372,036,854,775,808 SHA1 computations, which takes about 110 years on a single GPU. Therefore, I'm in favor to deprecate SHA1 as well and provide only SHA256. [1] - https://shattered.io/ I think we should wait with removal SHA1, don't remove it prematurely. As MD5 is deprecated for very long time, SHA1 is not and we are not using it for any cryptographic operation nor certificates. It is just informational fingerprint. +1 -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#500][opened] Replace sha1 fingerprints with sha256
URL: https://github.com/freeipa/freeipa/pull/500 Author: tomaskrizek Title: #500: Replace sha1 fingerprints with sha256 Action: opened PR body: """ - we probably want to keep SHA1 for DNS SSHFP (along with SHA256) - removing SHA1 from RSA-OAEP probably doesn't have any benefits http://security.stackexchange.com/questions/112029/should-sha-1-be-used-with-rsa-oaep - SHA1 for otp will be handled in a separate PR """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/500/head:pr500 git checkout pr500 From 3ea80f8a1e831da8580019f22159ce8f4c29da86 Mon Sep 17 00:00:00 2001 From: Tomas KrizekDate: Thu, 23 Feb 2017 17:03:01 +0100 Subject: [PATCH 1/2] Replace SHA1 cert fingerprints with SHA256 https://fedorahosted.org/freeipa/ticket/6701 --- install/ui/src/freeipa/certificate.js | 13 + install/ui/test/data/cert_request.json | 2 +- install/ui/test/data/cert_show.json| 2 +- install/ui/test/data/ipa_init.json | 1 - install/ui/test/data/service_show.json | 2 +- ipaserver/plugins/cert.py | 8 ipaserver/plugins/host.py | 4 ++-- ipaserver/plugins/internal.py | 1 - ipaserver/plugins/service.py | 8 ipatests/test_xmlrpc/test_host_plugin.py | 2 +- ipatests/test_xmlrpc/test_service_plugin.py| 14 +++--- ipatests/test_xmlrpc/tracker/host_plugin.py| 2 +- ipatests/test_xmlrpc/tracker/service_plugin.py | 2 +- 13 files changed, 28 insertions(+), 33 deletions(-) diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js index b86c6cf..e02a08e 100755 --- a/install/ui/src/freeipa/certificate.js +++ b/install/ui/src/freeipa/certificate.js @@ -361,7 +361,6 @@ IPA.cert.view_dialog = function(spec) { that.issuer = IPA.cert.parse_dn(spec.certificate.issuer); that.issued_on = spec.certificate.valid_not_before || ''; that.expires_on = spec.certificate.valid_not_after || ''; -that.sha1_fingerprint = spec.certificate.sha1_fingerprint || ''; that.sha256_fingerprint = spec.certificate.sha256_fingerprint || ''; that.create_button({ @@ -426,8 +425,6 @@ IPA.cert.view_dialog = function(spec) { table_layout = that.create_layout().appendTo(that.container); -new_row('@i18n:objects.cert.sha1_fingerprint', that.sha1_fingerprint) -.appendTo(table_layout); new_row('@i18n:objects.cert.sha256_fingerprint', that.sha256_fingerprint) .appendTo(table_layout); }; @@ -570,7 +567,7 @@ IPA.cert.loader = function(spec) { revocation_reason: result.revocation_reason, serial_number: result.serial_number, serial_number_hex: result.serial_number_hex, -sha1_fingerprint: result.sha1_fingerprint, +sha256_fingerprint: result.sha256_fingerprint, subject: result.subject, valid_not_after: result.valid_not_after, valid_not_before: result.valid_not_before @@ -1575,9 +1572,9 @@ exp.create_cert_metadata = function() { add_param('valid_not_after', text.get('@i18n:objects.cert.expires_on'), text.get('@i18n:objects.cert.expires_on')); -add_param('sha1_fingerprint', -text.get('@i18n:objects.cert.sha1_fingerprint'), -text.get('@i18n:objects.cert.sha1_fingerprint')); +add_param('sha256_fingerprint', +text.get('@i18n:objects.cert.sha256_fingerprint'), +text.get('@i18n:objects.cert.sha256_fingerprint')); add_param('certificate', text.get('@i18n:objects.cert.certificate'), text.get('@i18n:objects.cert.certificate')); @@ -1754,7 +1751,7 @@ return { }, 'valid_not_before', 'valid_not_after', -'sha1_fingerprint', +'sha256_fingerprint', { $type: 'revocation_reason', name: 'revocation_reason' diff --git a/install/ui/test/data/cert_request.json b/install/ui/test/data/cert_request.json index f8d8544..d0f09e5 100644 --- a/install/ui/test/data/cert_request.json +++ b/install/ui/test/data/cert_request.json @@ -7,7 +7,7 @@ "issuer": "CN=Certificate Authority,O=EXAMPLE.COM", "request_id": "1", "serial_number": "1", -"sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc", +"sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30", "subject": "CN=dev.example.com,O=EXAMPLE.COM", "valid_not_after": "Tue Oct 13 01:59:32 2015 UTC", "valid_not_before": "Wed Oct 13
[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA stlaz commented: """ Hopefully all issues were addressed + `radb` removed. If the Travis check passes then this is ready for review again. """ See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-282074914 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] MD5 certificate fingerprints removal
On 23.02.2017 15:09, Tomas Krizek wrote: On 02/22/2017 01:44 PM, Fraser Tweedale wrote: On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote: On 02/22/2017 12:28 AM, Fraser Tweedale wrote: On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote: On 02/21/2017 04:24 PM, Tomas Krizek wrote: On 02/21/2017 03:23 PM, Rob Crittenden wrote: Standa Laznicka wrote: Hello, Since we're trying to make FreeIPA work in FIPS we got to the point where we need to do something with MD5 fingerprints in the cert plugin. Eventually we came to a realization that it'd be best to get rid of them as a whole. These are counted by the framework and are not stored anywhere. Note that alongside with these fingerprints SHA1 fingerprints are also counted and those are there to stay. The question for this ML is, then - is it OK to remove these or would you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a grandpa and I think it should go. I based the values displayed on what certutil displayed at the time (7 years ago). I don't know that anyone uses these fingerprints. The OpenSSL equivalent doesn't include them by default. You may be able to deprecate fingerprints altogether. rob I think it's useful to display the certificate's fingerprint. I'm in favor of removing md5 and adding sha256 instead. Rob, thank you for sharing the information of where the cert fingerprints are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays SHA-256 and SHA1 fingerprints for certificates so I propose going that way too. IMO we should remove MD5 and SHA-1, and add SHA-256. But we should also make no API stability guarantee w.r.t. the fingerprint attributes, i.e. to allow us to move to newer digests in future (and remove broken/no-longer-secure ones). We should advise that if a customer has a hard requirement on a particular digest that they should compute it themselves from the certificate. Cheers, Fraser What is the motivation to remove SHA-1? Are there any attacks besides theoretical ones on SHA-1? Do other libraries already deprecate SHA-1? Come to think of it, I was thinking about SHA-1 signatures (which are completely forbidden in the public PKI nowadays). But for fingerprints it is not so bad (for now). Thanks, Fraser Actually, there's been a practical SHA1 attack just published [1]. Computational complexity was 9,223,372,036,854,775,808 SHA1 computations, which takes about 110 years on a single GPU. Therefore, I'm in favor to deprecate SHA1 as well and provide only SHA256. [1] - https://shattered.io/ I think we should wait with removal SHA1, don't remove it prematurely. As MD5 is deprecated for very long time, SHA1 is not and we are not using it for any cryptographic operation nor certificates. It is just informational fingerprint. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#483][comment] lite-server: validate LDAP connection and cache schema
URL: https://github.com/freeipa/freeipa/pull/483 Title: #483: lite-server: validate LDAP connection and cache schema MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/dcb618152572ca013a447336e13d24399b5f7960 """ See the full comment at https://github.com/freeipa/freeipa/pull/483#issuecomment-282069082 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#483][closed] lite-server: validate LDAP connection and cache schema
URL: https://github.com/freeipa/freeipa/pull/483 Author: tiran Title: #483: lite-server: validate LDAP connection and cache schema Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/483/head:pr483 git checkout pr483 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#483][+pushed] lite-server: validate LDAP connection and cache schema
URL: https://github.com/freeipa/freeipa/pull/483 Title: #483: lite-server: validate LDAP connection and cache schema Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#482][+pushed] Remove MD5 certificate fingerprints
URL: https://github.com/freeipa/freeipa/pull/482 Title: #482: Remove MD5 certificate fingerprints Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#412][comment] Define template version in certmap.conf
URL: https://github.com/freeipa/freeipa/pull/412 Title: #412: Define template version in certmap.conf MartinBasti commented: """ needs rebase """ See the full comment at https://github.com/freeipa/freeipa/pull/412#issuecomment-282069402 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#482][closed] Remove MD5 certificate fingerprints
URL: https://github.com/freeipa/freeipa/pull/482 Author: stlaz Title: #482: Remove MD5 certificate fingerprints Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/482/head:pr482 git checkout pr482 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#498][+pushed] compat: fix `Any` params in `batch` and `dnsrecord`
URL: https://github.com/freeipa/freeipa/pull/498 Title: #498: compat: fix `Any` params in `batch` and `dnsrecord` Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#499][closed] added help about default value for --external-ca-type option
URL: https://github.com/freeipa/freeipa/pull/499 Author: tscherf Title: #499: added help about default value for --external-ca-type option Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/499/head:pr499 git checkout pr499 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#499][comment] added help about default value for --external-ca-type option
URL: https://github.com/freeipa/freeipa/pull/499 Title: #499: added help about default value for --external-ca-type option MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/573a0f1ffe5035b75fb88ee7752029e34c6b37af """ See the full comment at https://github.com/freeipa/freeipa/pull/499#issuecomment-282068837 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#499][+pushed] added help about default value for --external-ca-type option
URL: https://github.com/freeipa/freeipa/pull/499 Title: #499: added help about default value for --external-ca-type option Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#498][closed] compat: fix `Any` params in `batch` and `dnsrecord`
URL: https://github.com/freeipa/freeipa/pull/498 Author: HonzaCholasta Title: #498: compat: fix `Any` params in `batch` and `dnsrecord` Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/498/head:pr498 git checkout pr498 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#498][comment] compat: fix `Any` params in `batch` and `dnsrecord`
URL: https://github.com/freeipa/freeipa/pull/498 Title: #498: compat: fix `Any` params in `batch` and `dnsrecord` MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/19060db1b8fa9d1d3e8f3ac3fcd1f387e9a39c94 """ See the full comment at https://github.com/freeipa/freeipa/pull/498#issuecomment-282068566 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#498][comment] compat: fix `Any` params in `batch` and `dnsrecord`
URL: https://github.com/freeipa/freeipa/pull/498 Title: #498: compat: fix `Any` params in `batch` and `dnsrecord` MartinBasti commented: """ Works for me """ See the full comment at https://github.com/freeipa/freeipa/pull/498#issuecomment-282068296 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#498][+ack] compat: fix `Any` params in `batch` and `dnsrecord`
URL: https://github.com/freeipa/freeipa/pull/498 Title: #498: compat: fix `Any` params in `batch` and `dnsrecord` Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Author: tiran Title: #472: Packaging: Add placeholder packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/472/head:pr472 git checkout pr472 From 41acd1dc09f5ed5c03620f51e8e7a502c548ee47 Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Thu, 16 Feb 2017 15:27:49 +0100 Subject: [PATCH 1/7] Packaging: Add placeholder packages The ipa and freeipa packages are placeholders to prevent PyPI squashing attacks and reserve the names for future use. `pip install ipa` installs ipaclient. Signed-off-by: Christian Heimes --- Makefile.am | 6 +++--- Makefile.python.am| 21 + configure.ac | 3 +++ packaging/Makefile.am | 10 ++ packaging/freeipa/Makefile.am | 3 +++ packaging/freeipa/README.txt | 2 ++ packaging/freeipa/setup.cfg | 6 ++ packaging/freeipa/setup.py| 23 +++ packaging/ipa/Makefile.am | 3 +++ packaging/ipa/README.txt | 2 ++ packaging/ipa/setup.cfg | 6 ++ packaging/ipa/setup.py| 23 +++ 12 files changed, 97 insertions(+), 11 deletions(-) create mode 100644 packaging/Makefile.am create mode 100644 packaging/freeipa/Makefile.am create mode 100644 packaging/freeipa/README.txt create mode 100644 packaging/freeipa/setup.cfg create mode 100755 packaging/freeipa/setup.py create mode 100644 packaging/ipa/Makefile.am create mode 100644 packaging/ipa/README.txt create mode 100644 packaging/ipa/setup.cfg create mode 100755 packaging/ipa/setup.py diff --git a/Makefile.am b/Makefile.am index a35d18f..9595c9d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -9,11 +9,9 @@ if WITH_IPATESTS endif IPACLIENT_SUBDIRS = ipaclient ipalib ipapython - -SUBDIRS = asn1 util client contrib po \ +SUBDIRS = asn1 util client contrib po pypi \ $(IPACLIENT_SUBDIRS) ipaplatform $(IPATESTS_SUBDIRS) $(SERVER_SUBDIRS) - MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ ipasetup.pyc ipasetup.pyo \ @@ -217,6 +215,8 @@ $(WHEELBUNDLEDIR): mkdir -p $(WHEELBUNDLEDIR) bdist_wheel: $(WHEELDISTDIR) + $(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1; + $(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1; for dir in $(IPACLIENT_SUBDIRS); do \ $(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \ done diff --git a/Makefile.python.am b/Makefile.python.am index 665893f..9c34fe3 100644 --- a/Makefile.python.am +++ b/Makefile.python.am @@ -1,5 +1,6 @@ pkgname = $(shell basename "$(abs_srcdir)") pkgpythondir = $(pythondir)/$(pkgname) +pkginstall = true if VERBOSE_MAKE VERBOSITY="--verbose" @@ -19,16 +20,20 @@ all-local: $(top_builddir)/ipasetup.py --build-base "$(abs_builddir)/build" install-exec-local: $(top_builddir)/ipasetup.py - $(PYTHON) $(srcdir)/setup.py \ - $(VERBOSITY) \ - install \ - --prefix "$(DESTDIR)$(prefix)" \ - --single-version-externally-managed \ - --record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \ - --optimize 1 + if [ "x$(pkginstall)" = "xtrue" ]; then \ + $(PYTHON) $(srcdir)/setup.py \ + $(VERBOSITY) \ + install \ + --prefix "$(DESTDIR)$(prefix)" \ + --single-version-externally-managed \ + --record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \ + --optimize 1; \ + fi uninstall-local: - cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf + if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \ + cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \ + fi rm -rf "$(DESTDIR)$(pkgpythondir)" clean-local: $(top_builddir)/ipasetup.py diff --git a/configure.ac b/configure.ac index 9ee281a..ebdd358 100644 --- a/configure.ac +++ b/configure.ac @@ -484,6 +484,9 @@ AC_CONFIG_FILES([ ipaserver/Makefile ipatests/Makefile ipatests/man/Makefile +packaging/Makefile +packaging/freeipa/Makefile +packaging/ipa/Makefile po/Makefile.in po/Makefile.hack util/Makefile diff --git a/packaging/Makefile.am b/packaging/Makefile.am new file mode 100644 index 000..5725ed9 --- /dev/null +++ b/packaging/Makefile.am @@ -0,0 +1,10 @@ +# This file will be processed with automake-1.7 to create Makefile.in +# +AUTOMAKE_OPTIONS = 1.7 subdir-objects + +NULL = + +SUBDIRS = \ + freeipa \ + ipa \ + $(NULL) diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am new file mode 100644 index 000..15d86ce --- /dev/null +++ b/packaging/freeipa/Makefile.am @@ -0,0 +1,3 @@ +include $(top_srcdir)/Makefile.python.am + +pkginstall = false diff --git a/packaging/freeipa/README.txt b/packaging/freeipa/README.txt new file mode 100644 index 000..b58448f --- /dev/null +++ b/packaging/freeipa/README.txt @@ -0,0 +1,2 @@ +This is a dummy
[Freeipa-devel] [freeipa PR#479][synchronized] Merge AD trust installer into composite ones
URL: https://github.com/freeipa/freeipa/pull/479 Author: martbab Title: #479: Merge AD trust installer into composite ones Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/479/head:pr479 git checkout pr479 From e24d7ffe6978328738cf37c69cd522a2324f0343 Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Thu, 16 Feb 2017 14:06:08 +0100 Subject: [PATCH 01/12] Refactor the code checking for missing SIDs Decompose the individual sub-tasks into separate functions. Also perform the lookup only when LDAP is connected. https://fedorahosted.org/freeipa/ticket/6630 --- ipaserver/install/adtrust.py | 107 ++- 1 file changed, 64 insertions(+), 43 deletions(-) diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py index 92fe031..69e9834 100644 --- a/ipaserver/install/adtrust.py +++ b/ipaserver/install/adtrust.py @@ -168,6 +168,69 @@ def check_for_installed_deps(): raise ScriptError("Aborting installation.") +def retrieve_entries_without_sid(api): +""" +Retrieve a list of entries without assigned SIDs. +:returns: a list of entries or an empty list if an error occurs +""" +# The filter corresponds to ipa_sidgen_task.c LDAP search filter +filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \ + '(|(objectclass=posixaccount)(objectclass=posixgroup)' \ + '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))' +base_dn = api.env.basedn +try: +root_logger.debug( +"Searching for objects with missing SID with " +"filter=%s, base_dn=%s", filter, base_dn) +entries, _truncated = api.Backend.ldap2.find_entries( +filter=filter, base_dn=base_dn, attrs_list=['']) +return entries +except errors.NotFound: +# All objects have SIDs assigned +pass +except (errors.DatabaseError, errors.NetworkError) as e: +print("Could not retrieve a list of objects that need a SID " + "identifier assigned:") +print(unicode(e)) + +return [] + + +def retrieve_and_ask_about_sids(api, options): +entries = [] +if api.Backend.ldap2.isconnected(): +entries = retrieve_entries_without_sid(api) +else: +root_logger.debug( +"LDAP backend not connected, can not retrieve entries " +"with missing SID") + +object_count = len(entries) +if object_count > 0: +print("") +print("WARNING: %d existing users or groups do not have " + "a SID identifier assigned." % len(entries)) +print("Installer can run a task to have ipa-sidgen " + "Directory Server plugin generate") +print("the SID identifier for all these users. Please note, " + "the in case of a high") +print("number of users and groups, the operation might " + "lead to high replication") +print("traffic and performance degradation. Refer to " + "ipa-adtrust-install(1) man page") +print("for details.") +print("") +if options.unattended: +print("Unattended mode was selected, installer will " + "NOT run ipa-sidgen task!") +else: +if ipautil.user_input( +"Do you want to run the ipa-sidgen task?", +default=False, +allow_empty=False): +options.add_sids = True + + def install_check(standalone, options, api): global netbios_name global reset_netbios_name @@ -225,49 +288,7 @@ def install_check(standalone, options, api): options.netbios_name, options.unattended, api) if not options.add_sids: -# The filter corresponds to ipa_sidgen_task.c LDAP search filter -filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \ - '(|(objectclass=posixaccount)(objectclass=posixgroup)' \ - '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))' -base_dn = api.env.basedn -try: -root_logger.debug( -"Searching for objects with missing SID with " -"filter=%s, base_dn=%s", filter, base_dn) -entries, _truncated = api.Backend.ldap2.find_entries( -filter=filter, base_dn=base_dn, attrs_list=['']) -except errors.NotFound: -# All objects have SIDs assigned -pass -except (errors.DatabaseError, errors.NetworkError) as e: -print("Could not retrieve a list of objects that need a SID " - "identifier assigned:") -print(unicode(e)) -else: -object_count = len(entries) -if object_count > 0: -print("") -print("WARNING: %d existing users or groups do not have "
[Freeipa-devel] [freeipa PR#139][synchronized] WebUI: Vault Management
URL: https://github.com/freeipa/freeipa/pull/139 Author: pvomacka Title: #139: WebUI: Vault Management Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/139/head:pr139 git checkout pr139 From 18dc79dccc5e667a6de9d12136fa04eda9952628 Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Wed, 5 Oct 2016 09:54:24 +0200 Subject: [PATCH 01/14] Additional option to add and del operations can be set By setting the property 'additional_add_del_field' to the name of one of the fields which are on current details page, we choose field which value will be added to *_add_* and *_del_* commands in this format: {field_name: field_value} --field_name: field_value Part of: https://fedorahosted.org/freeipa/ticket/5426 --- install/ui/src/freeipa/association.js | 22 ++ 1 file changed, 22 insertions(+) diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js index 7579bb0..d44f8c8 100644 --- a/install/ui/src/freeipa/association.js +++ b/install/ui/src/freeipa/association.js @@ -421,6 +421,14 @@ IPA.association_table_widget = function (spec) { var that = IPA.table_widget(spec); +/** + * The value should be name of the field, which will be added to *_add_*, + * *_del_* commands as option: {fieldname: fieldvalue}. + * + * @property {String} fieldname + */ +that.additional_add_del_field = spec.additional_add_del_field; + that.other_entity = IPA.get_entity(spec.other_entity); that.attribute_member = spec.attribute_member; @@ -677,9 +685,22 @@ IPA.association_table_widget = function (spec) { }); command.set_option(that.other_entity.name, values); +that.join_additional_option(command); + command.execute(); }; +that.join_additional_option = function(command) { +var add_opt = that.additional_add_del_field; +if (add_opt && typeof add_opt === 'string') { +var opt_field = that.entity.facet.get_field(add_opt); +var value; +if (opt_field) value = opt_field.get_value()[0]; + +command.set_option(add_opt, value); +} +}; + that.show_remove_dialog = function() { var selected_values = that.get_selected_values(); @@ -741,6 +762,7 @@ IPA.association_table_widget = function (spec) { }); command.set_option(that.other_entity.name, values); +that.join_additional_option(command); command.execute(); }; From 7cdeea860d1f2698773e8c1763829fed45f9b754 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Wed, 5 Oct 2016 10:09:20 +0200 Subject: [PATCH 02/14] Allow to set another other_entity name Association table's add, del commands needs as option list of cn of other_entity, which is added or deleted. There is a case (currently in vaults) that the name of option is different than the name of other_entity. In this situation we can set 'other_option_name' and put there the option name. This option name will be used instead of 'other_entity' name. Part of: https://fedorahosted.org/freeipa/ticket/5426 --- install/ui/src/freeipa/association.js | 24 +--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js index d44f8c8..63beeb8 100644 --- a/install/ui/src/freeipa/association.js +++ b/install/ui/src/freeipa/association.js @@ -429,6 +429,17 @@ IPA.association_table_widget = function (spec) { */ that.additional_add_del_field = spec.additional_add_del_field; +/** + * Can be used in situations when the *_add_member command needs entity + * as a parameter, but parameter has different name than entity. + * i.e. vault_add_member --services=[values] ... this needs values from service + * entity, but option is called services, that we can set by setting + * this option in spec to other_option_name: 'services' + * + * @property other_option_name {String} + */ +that.other_option_name = spec.other_option_name; + that.other_entity = IPA.get_entity(spec.other_entity); that.attribute_member = spec.attribute_member; @@ -683,9 +694,9 @@ IPA.association_table_widget = function (spec) { on_success: on_success, on_error: on_error }); -command.set_option(that.other_entity.name, values); that.join_additional_option(command); +that.handle_entity_option(command, values); command.execute(); }; @@ -701,6 +712,14 @@ IPA.association_table_widget = function (spec) { } }; +that.handle_entity_option = function(command, values) { +var option_name = that.other_option_name; +if (!option_name) { +option_name = that.other_entity.name; +} +
[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management
URL: https://github.com/freeipa/freeipa/pull/139 Title: #139: WebUI: Vault Management pvomacka commented: """ @tiran Yes, rebased. """ See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-282060928 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management
URL: https://github.com/freeipa/freeipa/pull/139 Title: #139: WebUI: Vault Management tiran commented: """ @MartinBasti you approved this PR a month ago but it has neither the ACK flag nor was it merged. @pvomacka Your work would be useful for my Custodia Vault work. Can you rebase this PR to master to verify it still works? """ See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-282053796 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#483][+ack] lite-server: validate LDAP connection and cache schema
URL: https://github.com/freeipa/freeipa/pull/483 Title: #483: lite-server: validate LDAP connection and cache schema Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#483][comment] lite-server: validate LDAP connection and cache schema
URL: https://github.com/freeipa/freeipa/pull/483 Title: #483: lite-server: validate LDAP connection and cache schema MartinBasti commented: """ Code looks good to me, as far as this is just code for developers I assume that @tiran tested it enough, so ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/483#issuecomment-282045305 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages
URL: https://github.com/freeipa/freeipa/pull/379 Title: #379: Packaging: Add placeholder and IPA commands packages tiran commented: """ I have postponed the ```ipacommands``` part. Placeholders are covered by #472. """ See the full comment at https://github.com/freeipa/freeipa/pull/379#issuecomment-282044669 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#379][+postponed] Packaging: Add placeholder and IPA commands packages
URL: https://github.com/freeipa/freeipa/pull/379 Title: #379: Packaging: Add placeholder and IPA commands packages Label: +postponed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Author: tiran Title: #472: Packaging: Add placeholder packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/472/head:pr472 git checkout pr472 From 41acd1dc09f5ed5c03620f51e8e7a502c548ee47 Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Thu, 16 Feb 2017 15:27:49 +0100 Subject: [PATCH 1/7] Packaging: Add placeholder packages The ipa and freeipa packages are placeholders to prevent PyPI squashing attacks and reserve the names for future use. `pip install ipa` installs ipaclient. Signed-off-by: Christian Heimes --- Makefile.am | 6 +++--- Makefile.python.am| 21 + configure.ac | 3 +++ packaging/Makefile.am | 10 ++ packaging/freeipa/Makefile.am | 3 +++ packaging/freeipa/README.txt | 2 ++ packaging/freeipa/setup.cfg | 6 ++ packaging/freeipa/setup.py| 23 +++ packaging/ipa/Makefile.am | 3 +++ packaging/ipa/README.txt | 2 ++ packaging/ipa/setup.cfg | 6 ++ packaging/ipa/setup.py| 23 +++ 12 files changed, 97 insertions(+), 11 deletions(-) create mode 100644 packaging/Makefile.am create mode 100644 packaging/freeipa/Makefile.am create mode 100644 packaging/freeipa/README.txt create mode 100644 packaging/freeipa/setup.cfg create mode 100755 packaging/freeipa/setup.py create mode 100644 packaging/ipa/Makefile.am create mode 100644 packaging/ipa/README.txt create mode 100644 packaging/ipa/setup.cfg create mode 100755 packaging/ipa/setup.py diff --git a/Makefile.am b/Makefile.am index a35d18f..9595c9d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -9,11 +9,9 @@ if WITH_IPATESTS endif IPACLIENT_SUBDIRS = ipaclient ipalib ipapython - -SUBDIRS = asn1 util client contrib po \ +SUBDIRS = asn1 util client contrib po pypi \ $(IPACLIENT_SUBDIRS) ipaplatform $(IPATESTS_SUBDIRS) $(SERVER_SUBDIRS) - MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ ipasetup.pyc ipasetup.pyo \ @@ -217,6 +215,8 @@ $(WHEELBUNDLEDIR): mkdir -p $(WHEELBUNDLEDIR) bdist_wheel: $(WHEELDISTDIR) + $(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1; + $(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1; for dir in $(IPACLIENT_SUBDIRS); do \ $(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \ done diff --git a/Makefile.python.am b/Makefile.python.am index 665893f..9c34fe3 100644 --- a/Makefile.python.am +++ b/Makefile.python.am @@ -1,5 +1,6 @@ pkgname = $(shell basename "$(abs_srcdir)") pkgpythondir = $(pythondir)/$(pkgname) +pkginstall = true if VERBOSE_MAKE VERBOSITY="--verbose" @@ -19,16 +20,20 @@ all-local: $(top_builddir)/ipasetup.py --build-base "$(abs_builddir)/build" install-exec-local: $(top_builddir)/ipasetup.py - $(PYTHON) $(srcdir)/setup.py \ - $(VERBOSITY) \ - install \ - --prefix "$(DESTDIR)$(prefix)" \ - --single-version-externally-managed \ - --record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \ - --optimize 1 + if [ "x$(pkginstall)" = "xtrue" ]; then \ + $(PYTHON) $(srcdir)/setup.py \ + $(VERBOSITY) \ + install \ + --prefix "$(DESTDIR)$(prefix)" \ + --single-version-externally-managed \ + --record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \ + --optimize 1; \ + fi uninstall-local: - cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf + if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \ + cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \ + fi rm -rf "$(DESTDIR)$(pkgpythondir)" clean-local: $(top_builddir)/ipasetup.py diff --git a/configure.ac b/configure.ac index 9ee281a..ebdd358 100644 --- a/configure.ac +++ b/configure.ac @@ -484,6 +484,9 @@ AC_CONFIG_FILES([ ipaserver/Makefile ipatests/Makefile ipatests/man/Makefile +packaging/Makefile +packaging/freeipa/Makefile +packaging/ipa/Makefile po/Makefile.in po/Makefile.hack util/Makefile diff --git a/packaging/Makefile.am b/packaging/Makefile.am new file mode 100644 index 000..5725ed9 --- /dev/null +++ b/packaging/Makefile.am @@ -0,0 +1,10 @@ +# This file will be processed with automake-1.7 to create Makefile.in +# +AUTOMAKE_OPTIONS = 1.7 subdir-objects + +NULL = + +SUBDIRS = \ + freeipa \ + ipa \ + $(NULL) diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am new file mode 100644 index 000..15d86ce --- /dev/null +++ b/packaging/freeipa/Makefile.am @@ -0,0 +1,3 @@ +include $(top_srcdir)/Makefile.python.am + +pkginstall = false diff --git a/packaging/freeipa/README.txt b/packaging/freeipa/README.txt new file mode 100644 index 000..b58448f --- /dev/null +++ b/packaging/freeipa/README.txt @@ -0,0 +1,2 @@ +This is a dummy
[Freeipa-devel] [freeipa PR#482][comment] Remove MD5 certificate fingerprints
URL: https://github.com/freeipa/freeipa/pull/482 Title: #482: Remove MD5 certificate fingerprints tomaskrizek commented: """ ACK, there is no disagreement on the freeipa-devel. I'm already working on replacing SHA1 with SHA256 given the [recent events](https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html). """ See the full comment at https://github.com/freeipa/freeipa/pull/482#issuecomment-282014171 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#482][+ack] Remove MD5 certificate fingerprints
URL: https://github.com/freeipa/freeipa/pull/482 Title: #482: Remove MD5 certificate fingerprints Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Author: tiran Title: #472: Packaging: Add placeholder packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/472/head:pr472 git checkout pr472 From 41acd1dc09f5ed5c03620f51e8e7a502c548ee47 Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Thu, 16 Feb 2017 15:27:49 +0100 Subject: [PATCH 1/5] Packaging: Add placeholder packages The ipa and freeipa packages are placeholders to prevent PyPI squashing attacks and reserve the names for future use. `pip install ipa` installs ipaclient. Signed-off-by: Christian Heimes --- Makefile.am | 6 +++--- Makefile.python.am| 21 + configure.ac | 3 +++ packaging/Makefile.am | 10 ++ packaging/freeipa/Makefile.am | 3 +++ packaging/freeipa/README.txt | 2 ++ packaging/freeipa/setup.cfg | 6 ++ packaging/freeipa/setup.py| 23 +++ packaging/ipa/Makefile.am | 3 +++ packaging/ipa/README.txt | 2 ++ packaging/ipa/setup.cfg | 6 ++ packaging/ipa/setup.py| 23 +++ 12 files changed, 97 insertions(+), 11 deletions(-) create mode 100644 packaging/Makefile.am create mode 100644 packaging/freeipa/Makefile.am create mode 100644 packaging/freeipa/README.txt create mode 100644 packaging/freeipa/setup.cfg create mode 100755 packaging/freeipa/setup.py create mode 100644 packaging/ipa/Makefile.am create mode 100644 packaging/ipa/README.txt create mode 100644 packaging/ipa/setup.cfg create mode 100755 packaging/ipa/setup.py diff --git a/Makefile.am b/Makefile.am index a35d18f..9595c9d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -9,11 +9,9 @@ if WITH_IPATESTS endif IPACLIENT_SUBDIRS = ipaclient ipalib ipapython - -SUBDIRS = asn1 util client contrib po \ +SUBDIRS = asn1 util client contrib po pypi \ $(IPACLIENT_SUBDIRS) ipaplatform $(IPATESTS_SUBDIRS) $(SERVER_SUBDIRS) - MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ ipasetup.pyc ipasetup.pyo \ @@ -217,6 +215,8 @@ $(WHEELBUNDLEDIR): mkdir -p $(WHEELBUNDLEDIR) bdist_wheel: $(WHEELDISTDIR) + $(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1; + $(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1; for dir in $(IPACLIENT_SUBDIRS); do \ $(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \ done diff --git a/Makefile.python.am b/Makefile.python.am index 665893f..9c34fe3 100644 --- a/Makefile.python.am +++ b/Makefile.python.am @@ -1,5 +1,6 @@ pkgname = $(shell basename "$(abs_srcdir)") pkgpythondir = $(pythondir)/$(pkgname) +pkginstall = true if VERBOSE_MAKE VERBOSITY="--verbose" @@ -19,16 +20,20 @@ all-local: $(top_builddir)/ipasetup.py --build-base "$(abs_builddir)/build" install-exec-local: $(top_builddir)/ipasetup.py - $(PYTHON) $(srcdir)/setup.py \ - $(VERBOSITY) \ - install \ - --prefix "$(DESTDIR)$(prefix)" \ - --single-version-externally-managed \ - --record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \ - --optimize 1 + if [ "x$(pkginstall)" = "xtrue" ]; then \ + $(PYTHON) $(srcdir)/setup.py \ + $(VERBOSITY) \ + install \ + --prefix "$(DESTDIR)$(prefix)" \ + --single-version-externally-managed \ + --record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \ + --optimize 1; \ + fi uninstall-local: - cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf + if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \ + cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \ + fi rm -rf "$(DESTDIR)$(pkgpythondir)" clean-local: $(top_builddir)/ipasetup.py diff --git a/configure.ac b/configure.ac index 9ee281a..ebdd358 100644 --- a/configure.ac +++ b/configure.ac @@ -484,6 +484,9 @@ AC_CONFIG_FILES([ ipaserver/Makefile ipatests/Makefile ipatests/man/Makefile +packaging/Makefile +packaging/freeipa/Makefile +packaging/ipa/Makefile po/Makefile.in po/Makefile.hack util/Makefile diff --git a/packaging/Makefile.am b/packaging/Makefile.am new file mode 100644 index 000..5725ed9 --- /dev/null +++ b/packaging/Makefile.am @@ -0,0 +1,10 @@ +# This file will be processed with automake-1.7 to create Makefile.in +# +AUTOMAKE_OPTIONS = 1.7 subdir-objects + +NULL = + +SUBDIRS = \ + freeipa \ + ipa \ + $(NULL) diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am new file mode 100644 index 000..15d86ce --- /dev/null +++ b/packaging/freeipa/Makefile.am @@ -0,0 +1,3 @@ +include $(top_srcdir)/Makefile.python.am + +pkginstall = false diff --git a/packaging/freeipa/README.txt b/packaging/freeipa/README.txt new file mode 100644 index 000..b58448f --- /dev/null +++ b/packaging/freeipa/README.txt @@ -0,0 +1,2 @@ +This is a dummy
Re: [Freeipa-devel] MD5 certificate fingerprints removal
On 02/22/2017 01:44 PM, Fraser Tweedale wrote: > On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote: >> On 02/22/2017 12:28 AM, Fraser Tweedale wrote: >>> On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote: On 02/21/2017 04:24 PM, Tomas Krizek wrote: > On 02/21/2017 03:23 PM, Rob Crittenden wrote: >> Standa Laznicka wrote: >>> Hello, >>> >>> Since we're trying to make FreeIPA work in FIPS we got to the point >>> where we need to do something with MD5 fingerprints in the cert plugin. >>> Eventually we came to a realization that it'd be best to get rid of them >>> as a whole. These are counted by the framework and are not stored >>> anywhere. Note that alongside with these fingerprints SHA1 fingerprints >>> are also counted and those are there to stay. >>> >>> The question for this ML is, then - is it OK to remove these or would >>> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a >>> grandpa and I think it should go. >> I based the values displayed on what certutil displayed at the time (7 >> years ago). I don't know that anyone uses these fingerprints. The >> OpenSSL equivalent doesn't include them by default. >> >> You may be able to deprecate fingerprints altogether. >> >> rob > I think it's useful to display the certificate's fingerprint. I'm in > favor of removing md5 and adding sha256 instead. > Rob, thank you for sharing the information of where the cert fingerprints are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays SHA-256 and SHA1 fingerprints for certificates so I propose going that way too. >>> IMO we should remove MD5 and SHA-1, and add SHA-256. But we should >>> also make no API stability guarantee w.r.t. the fingerprint >>> attributes, i.e. to allow us to move to newer digests in future (and >>> remove broken/no-longer-secure ones). We should advise that if a >>> customer has a hard requirement on a particular digest that they >>> should compute it themselves from the certificate. >>> >>> Cheers, >>> Fraser >> What is the motivation to remove SHA-1? Are there any attacks besides >> theoretical ones on SHA-1? >> >> Do other libraries already deprecate SHA-1? >> > Come to think of it, I was thinking about SHA-1 signatures (which > are completely forbidden in the public PKI nowadays). But for > fingerprints it is not so bad (for now). > > Thanks, > Fraser Actually, there's been a practical SHA1 attack just published [1]. Computational complexity was 9,223,372,036,854,775,808 SHA1 computations, which takes about 110 years on a single GPU. Therefore, I'm in favor to deprecate SHA1 as well and provide only SHA256. [1] - https://shattered.io/ -- Tomas Krizek signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#484][closed] FIPS: Remove pkispawn cruft
URL: https://github.com/freeipa/freeipa/pull/484 Author: stlaz Title: #484: FIPS: Remove pkispawn cruft Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/484/head:pr484 git checkout pr484 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft
URL: https://github.com/freeipa/freeipa/pull/484 Title: #484: FIPS: Remove pkispawn cruft pvoborni commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/728a6bd4229ba170b2e94f216127b19d5d94e2ba https://fedorahosted.org/freeipa/changeset/a39effed7603d66acd238e3142f4df8081ff7bc8 """ See the full comment at https://github.com/freeipa/freeipa/pull/484#issuecomment-281997170 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#484][+pushed] FIPS: Remove pkispawn cruft
URL: https://github.com/freeipa/freeipa/pull/484 Title: #484: FIPS: Remove pkispawn cruft Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#499][comment] added help about default value for --external-ca-type option
URL: https://github.com/freeipa/freeipa/pull/499 Title: #499: added help about default value for --external-ca-type option MartinBasti commented: """ Thanks! Next time please use `git push --force` to update current pull request instead creating a new one. """ See the full comment at https://github.com/freeipa/freeipa/pull/499#issuecomment-281995320 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#497][+rejected] added more meaningful help for --external-ca-type option
URL: https://github.com/freeipa/freeipa/pull/497 Title: #497: added more meaningful help for --external-ca-type option Label: +rejected -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#497][comment] added more meaningful help for --external-ca-type option
URL: https://github.com/freeipa/freeipa/pull/497 Title: #497: added more meaningful help for --external-ca-type option MartinBasti commented: """ Replaced by #499 """ See the full comment at https://github.com/freeipa/freeipa/pull/497#issuecomment-281995516 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#499][+ack] added help about default value for --external-ca-type option
URL: https://github.com/freeipa/freeipa/pull/499 Title: #499: added help about default value for --external-ca-type option Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#499][comment] added help about default value for --external-ca-type option
URL: https://github.com/freeipa/freeipa/pull/499 Title: #499: added help about default value for --external-ca-type option MartinBasti commented: """ Thanks! Next time please use 'git push --force' to update current pull request instead a creating a new one. """ See the full comment at https://github.com/freeipa/freeipa/pull/499#issuecomment-281995320 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages tiran commented: """ Commit 1f8326aa fixes an issue in ```Makefile.python.am```. I think the issue caused ```ipaplatform``` and ```pypi/ipaplatform``` to cross streams. """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281989060 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#412][+ack] Define template version in certmap.conf
URL: https://github.com/freeipa/freeipa/pull/412 Title: #412: Define template version in certmap.conf Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#412][comment] Define template version in certmap.conf
URL: https://github.com/freeipa/freeipa/pull/412 Title: #412: Define template version in certmap.conf tomaskrizek commented: """ Works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/412#issuecomment-28194 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Author: tiran Title: #472: Packaging: Add placeholder packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/472/head:pr472 git checkout pr472 From 4adaffb04e8fea15feb661611e2eaef71c9b6fd8 Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Thu, 16 Feb 2017 15:27:49 +0100 Subject: [PATCH 1/5] Packaging: Add placeholder packages The ipa and freeipa packages are placeholders to prevent PyPI squashing attacks and reserve the names for future use. `pip install ipa` installs ipaclient. Signed-off-by: Christian Heimes --- Makefile.am | 6 +++--- Makefile.python.am| 21 + configure.ac | 3 +++ packaging/Makefile.am | 10 ++ packaging/freeipa/Makefile.am | 3 +++ packaging/freeipa/README.txt | 2 ++ packaging/freeipa/setup.cfg | 6 ++ packaging/freeipa/setup.py| 23 +++ packaging/ipa/Makefile.am | 3 +++ packaging/ipa/README.txt | 2 ++ packaging/ipa/setup.cfg | 6 ++ packaging/ipa/setup.py| 23 +++ 12 files changed, 97 insertions(+), 11 deletions(-) create mode 100644 packaging/Makefile.am create mode 100644 packaging/freeipa/Makefile.am create mode 100644 packaging/freeipa/README.txt create mode 100644 packaging/freeipa/setup.cfg create mode 100755 packaging/freeipa/setup.py create mode 100644 packaging/ipa/Makefile.am create mode 100644 packaging/ipa/README.txt create mode 100644 packaging/ipa/setup.cfg create mode 100755 packaging/ipa/setup.py diff --git a/Makefile.am b/Makefile.am index a35d18f..9595c9d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -9,11 +9,9 @@ if WITH_IPATESTS endif IPACLIENT_SUBDIRS = ipaclient ipalib ipapython - -SUBDIRS = asn1 util client contrib po \ +SUBDIRS = asn1 util client contrib po pypi \ $(IPACLIENT_SUBDIRS) ipaplatform $(IPATESTS_SUBDIRS) $(SERVER_SUBDIRS) - MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ ipasetup.pyc ipasetup.pyo \ @@ -217,6 +215,8 @@ $(WHEELBUNDLEDIR): mkdir -p $(WHEELBUNDLEDIR) bdist_wheel: $(WHEELDISTDIR) + $(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1; + $(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1; for dir in $(IPACLIENT_SUBDIRS); do \ $(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \ done diff --git a/Makefile.python.am b/Makefile.python.am index 665893f..9c34fe3 100644 --- a/Makefile.python.am +++ b/Makefile.python.am @@ -1,5 +1,6 @@ pkgname = $(shell basename "$(abs_srcdir)") pkgpythondir = $(pythondir)/$(pkgname) +pkginstall = true if VERBOSE_MAKE VERBOSITY="--verbose" @@ -19,16 +20,20 @@ all-local: $(top_builddir)/ipasetup.py --build-base "$(abs_builddir)/build" install-exec-local: $(top_builddir)/ipasetup.py - $(PYTHON) $(srcdir)/setup.py \ - $(VERBOSITY) \ - install \ - --prefix "$(DESTDIR)$(prefix)" \ - --single-version-externally-managed \ - --record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \ - --optimize 1 + if [ "x$(pkginstall)" = "xtrue" ]; then \ + $(PYTHON) $(srcdir)/setup.py \ + $(VERBOSITY) \ + install \ + --prefix "$(DESTDIR)$(prefix)" \ + --single-version-externally-managed \ + --record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \ + --optimize 1; \ + fi uninstall-local: - cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf + if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \ + cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \ + fi rm -rf "$(DESTDIR)$(pkgpythondir)" clean-local: $(top_builddir)/ipasetup.py diff --git a/configure.ac b/configure.ac index 9ee281a..ebdd358 100644 --- a/configure.ac +++ b/configure.ac @@ -484,6 +484,9 @@ AC_CONFIG_FILES([ ipaserver/Makefile ipatests/Makefile ipatests/man/Makefile +packaging/Makefile +packaging/freeipa/Makefile +packaging/ipa/Makefile po/Makefile.in po/Makefile.hack util/Makefile diff --git a/packaging/Makefile.am b/packaging/Makefile.am new file mode 100644 index 000..5725ed9 --- /dev/null +++ b/packaging/Makefile.am @@ -0,0 +1,10 @@ +# This file will be processed with automake-1.7 to create Makefile.in +# +AUTOMAKE_OPTIONS = 1.7 subdir-objects + +NULL = + +SUBDIRS = \ + freeipa \ + ipa \ + $(NULL) diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am new file mode 100644 index 000..15d86ce --- /dev/null +++ b/packaging/freeipa/Makefile.am @@ -0,0 +1,3 @@ +include $(top_srcdir)/Makefile.python.am + +pkginstall = false diff --git a/packaging/freeipa/README.txt b/packaging/freeipa/README.txt new file mode 100644 index 000..b58448f --- /dev/null +++ b/packaging/freeipa/README.txt @@ -0,0 +1,2 @@ +This is a dummy
[Freeipa-devel] [freeipa PR#499][opened] added help about default value for --external-ca-type option
URL: https://github.com/freeipa/freeipa/pull/499 Author: tscherf Title: #499: added help about default value for --external-ca-type option Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/499/head:pr499 git checkout pr499 From 9932ec8f32e0d36af4a4b2a825bb4f1b7cecf540 Mon Sep 17 00:00:00 2001 From: Thorsten ScherfDate: Thu, 23 Feb 2017 14:09:39 +0100 Subject: [PATCH] added help about default value for --external-ca-type option --- install/tools/ipa-ca-install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 5e425f8..c05abb9 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -65,7 +65,7 @@ def parse_options(): parser.add_option("--external-ca-type", dest="external_ca_type", type="choice", choices=ext_cas, metavar="{{{0}}}".format(",".join(ext_cas)), - help="Type of the external CA") + help="Type of the external CA. Default: generic") parser.add_option("--external-cert-file", dest="external_cert_files", action="append", metavar="FILE", help="File containing the IPA CA certificate and the external CA certificate chain") -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#497][closed] added more meaningful help for --external-ca-type option
URL: https://github.com/freeipa/freeipa/pull/497 Author: tscherf Title: #497: added more meaningful help for --external-ca-type option Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/497/head:pr497 git checkout pr497 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#498][opened] compat: fix `Any` params in `batch` and `dnsrecord`
URL: https://github.com/freeipa/freeipa/pull/498 Author: HonzaCholasta Title: #498: compat: fix `Any` params in `batch` and `dnsrecord` Action: opened PR body: """ The `methods` argument of `batch` and `dnsrecords` attribute of `dnsrecord` were incorrectly defined as `Str` instead of `Any`. https://fedorahosted.org/freeipa/ticket/6647 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/498/head:pr498 git checkout pr498 From 3936af7513c1f39de254db05a9fbb8f3395dfaa6 Mon Sep 17 00:00:00 2001 From: Jan CholastaDate: Thu, 23 Feb 2017 13:04:19 + Subject: [PATCH] compat: fix `Any` params in `batch` and `dnsrecord` The `methods` argument of `batch` and `dnsrecords` attribute of `dnsrecord` were incorrectly defined as `Str` instead of `Any`. https://fedorahosted.org/freeipa/ticket/6647 --- ipaclient/remote_plugins/2_114/batch.py | 2 +- ipaclient/remote_plugins/2_114/dns.py | 2 +- ipaclient/remote_plugins/2_156/batch.py | 2 +- ipaclient/remote_plugins/2_156/dns.py | 2 +- ipaclient/remote_plugins/2_164/batch.py | 2 +- ipaclient/remote_plugins/2_164/dns.py | 2 +- ipaclient/remote_plugins/2_49/batch.py | 2 +- ipaclient/remote_plugins/2_49/dns.py| 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/ipaclient/remote_plugins/2_114/batch.py b/ipaclient/remote_plugins/2_114/batch.py index 4a613b6..2709e59 100644 --- a/ipaclient/remote_plugins/2_114/batch.py +++ b/ipaclient/remote_plugins/2_114/batch.py @@ -50,7 +50,7 @@ class batch(Command): NO_CLI = True takes_args = ( -parameters.Str( +parameters.Any( 'methods', required=False, multivalue=True, diff --git a/ipaclient/remote_plugins/2_114/dns.py b/ipaclient/remote_plugins/2_114/dns.py index 5d91dbc..acb8a65 100644 --- a/ipaclient/remote_plugins/2_114/dns.py +++ b/ipaclient/remote_plugins/2_114/dns.py @@ -326,7 +326,7 @@ class dnsrecord(Object): 'dnsclass', required=False, ), -parameters.Str( +parameters.Any( 'dnsrecords', required=False, label=_(u'Records'), diff --git a/ipaclient/remote_plugins/2_156/batch.py b/ipaclient/remote_plugins/2_156/batch.py index 4a613b6..2709e59 100644 --- a/ipaclient/remote_plugins/2_156/batch.py +++ b/ipaclient/remote_plugins/2_156/batch.py @@ -50,7 +50,7 @@ class batch(Command): NO_CLI = True takes_args = ( -parameters.Str( +parameters.Any( 'methods', required=False, multivalue=True, diff --git a/ipaclient/remote_plugins/2_156/dns.py b/ipaclient/remote_plugins/2_156/dns.py index 39a0b26..bbfaa9f 100644 --- a/ipaclient/remote_plugins/2_156/dns.py +++ b/ipaclient/remote_plugins/2_156/dns.py @@ -326,7 +326,7 @@ class dnsrecord(Object): 'dnsclass', required=False, ), -parameters.Str( +parameters.Any( 'dnsrecords', required=False, label=_(u'Records'), diff --git a/ipaclient/remote_plugins/2_164/batch.py b/ipaclient/remote_plugins/2_164/batch.py index 4a613b6..2709e59 100644 --- a/ipaclient/remote_plugins/2_164/batch.py +++ b/ipaclient/remote_plugins/2_164/batch.py @@ -50,7 +50,7 @@ class batch(Command): NO_CLI = True takes_args = ( -parameters.Str( +parameters.Any( 'methods', required=False, multivalue=True, diff --git a/ipaclient/remote_plugins/2_164/dns.py b/ipaclient/remote_plugins/2_164/dns.py index b07a94f..244be87 100644 --- a/ipaclient/remote_plugins/2_164/dns.py +++ b/ipaclient/remote_plugins/2_164/dns.py @@ -326,7 +326,7 @@ class dnsrecord(Object): 'dnsclass', required=False, ), -parameters.Str( +parameters.Any( 'dnsrecords', required=False, label=_(u'Records'), diff --git a/ipaclient/remote_plugins/2_49/batch.py b/ipaclient/remote_plugins/2_49/batch.py index a1f351d..67e5978 100644 --- a/ipaclient/remote_plugins/2_49/batch.py +++ b/ipaclient/remote_plugins/2_49/batch.py @@ -50,7 +50,7 @@ class batch(Command): NO_CLI = True takes_args = ( -parameters.Str( +parameters.Any( 'methods', required=False, multivalue=True, diff --git a/ipaclient/remote_plugins/2_49/dns.py b/ipaclient/remote_plugins/2_49/dns.py index 07cef75..4b543a2 100644 --- a/ipaclient/remote_plugins/2_49/dns.py +++ b/ipaclient/remote_plugins/2_49/dns.py @@ -256,7 +256,7 @@ class dnsrecord(Object): label=_(u'Class'), doc=_(u'DNS class'), ), -parameters.Str( +parameters.Any( 'dnsrecords', required=False, label=_(u'Records'), -- Manage your subscription for the Freeipa-devel mailing list:
[Freeipa-devel] [freeipa PR#497][comment] added more meaningful help for --external-ca-type option
URL: https://github.com/freeipa/freeipa/pull/497 Title: #497: added more meaningful help for --external-ca-type option MartinBasti commented: """ This is already fixed in master, however it missed what is the default value ``` --external-ca-type={generic,ms-cs} Type of the external CA ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/497#issuecomment-281983727 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#497][comment] added more meaningful help for --external-ca-type option
URL: https://github.com/freeipa/freeipa/pull/497 Title: #497: added more meaningful help for --external-ca-type option MartinBasti commented: """ This is already fixed in master, however it missed what is the default value ``` --external-ca-type={generic,ms-cs} Type of the external CA ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/497#issuecomment-281983727 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#497][opened] added more meaningful help for --external-ca-type option
URL: https://github.com/freeipa/freeipa/pull/497 Author: tscherf Title: #497: added more meaningful help for --external-ca-type option Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/497/head:pr497 git checkout pr497 From f0dccbc6c997e5410f355e96a48bd568658decec Mon Sep 17 00:00:00 2001 From: Thorsten ScherfDate: Thu, 23 Feb 2017 13:48:29 +0100 Subject: [PATCH] added more meaningful help for --external-ca-type option --- install/tools/ipa-ca-install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 5e425f8..7e29c9a 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -65,7 +65,7 @@ def parse_options(): parser.add_option("--external-ca-type", dest="external_ca_type", type="choice", choices=ext_cas, metavar="{{{0}}}".format(",".join(ext_cas)), - help="Type of the external CA") + help="Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic") parser.add_option("--external-cert-file", dest="external_cert_files", action="append", metavar="FILE", help="File containing the IPA CA certificate and the external CA certificate chain") -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#484][+ack] FIPS: Remove pkispawn cruft
URL: https://github.com/freeipa/freeipa/pull/484 Title: #484: FIPS: Remove pkispawn cruft Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft
URL: https://github.com/freeipa/freeipa/pull/484 Title: #484: FIPS: Remove pkispawn cruft tomaskrizek commented: """ Works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/484#issuecomment-281979229 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] make causes unsolicited changes to PO files
Hi, for a while make causes unsolicited modifications to all translation files. I have to reset all PO files a couple of times a day during development: git checkout -- po/*.po It's slowly wearing me off. I opened ticket https://fedorahosted.org/freeipa/ticket/6605 a while ago. It contains more details and a reproducer. Regards, Christian signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#476][synchronized] vault: cache the transport certificate on client
URL: https://github.com/freeipa/freeipa/pull/476 Author: HonzaCholasta Title: #476: vault: cache the transport certificate on client Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/476/head:pr476 git checkout pr476 From a8e1704ef4055b7d8083b99367b53dbdf95c475f Mon Sep 17 00:00:00 2001 From: Jan CholastaDate: Fri, 17 Feb 2017 11:25:17 +0100 Subject: [PATCH] vault: cache the transport certificate on client Cache the KRA transport certificate on disk (in ~/.cache/ipa) as well as in memory. https://fedorahosted.org/freeipa/ticket/6652 --- ipaclient/plugins/vault.py | 161 +++ ipaclient/remote_plugins/__init__.py | 3 +- ipaclient/remote_plugins/schema.py | 12 +-- ipalib/constants.py | 14 +++ 4 files changed, 143 insertions(+), 47 deletions(-) diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py index 9efb1f1..ebfb129 100644 --- a/ipaclient/plugins/vault.py +++ b/ipaclient/plugins/vault.py @@ -20,29 +20,41 @@ from __future__ import print_function import base64 +import errno import getpass import io import json import os import sys +import tempfile from cryptography.fernet import Fernet, InvalidToken from cryptography.hazmat.backends import default_backend -from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC from cryptography.hazmat.primitives.asymmetric import padding from cryptography.hazmat.primitives.serialization import load_pem_public_key,\ load_pem_private_key import nss.nss as nss +import six from ipaclient.frontend import MethodOverride +from ipalib import x509 +from ipalib.constants import USER_CACHE_PATH from ipalib.frontend import Local, Method, Object from ipalib.util import classproperty from ipalib import api, errors from ipalib import Bytes, Flag, Str from ipalib.plugable import Registry from ipalib import _ +from ipapython.dnsutil import DNSName +from ipapython.ipa_log_manager import log_mgr + +logger = log_mgr.get_logger(__name__) + +TRANSPORT_CERT_CACHE_PATH = ( +os.path.join(USER_CACHE_PATH, 'ipa', 'kra-transport-certs')) def validated_read(argname, filename, mode='r', encoding=None): @@ -568,6 +580,115 @@ def forward(self, *args, **options): return response +class _TransportCertInvalid(Exception): +def __init__(self, exc_info): +self.exc_info = exc_info + + +_transport_cert_cache = {} + + +class ModVaultData(Local): +def _do_internal(self, mechanism, session_key, transport_cert_der, + *args, **options): +nss_transport_cert = nss.Certificate(transport_cert_der) + +# wrap session key with transport certificate +# pylint: disable=no-member +public_key = nss_transport_cert.subject_public_key_info.public_key +# pylint: enable=no-member +wrapped_session_key = nss.pub_wrap_sym_key(mechanism, + public_key, + session_key) + +options['session_key'] = wrapped_session_key.data + +name = self.name + '_internal' +try: +return self.api.Command[name](*args, **options) +except errors.NotFound: +raise +except (errors.InternalError, +errors.ExecutionError, +errors.GenericError): +raise _TransportCertInvalid(sys.exc_info()) + +def internal(self, mechanism, session_key, *args, **options): +""" +Calls the internal counterpart of the command. +""" +domain = self.api.env.domain +dirname = TRANSPORT_CERT_CACHE_PATH +basename = DNSName(domain).ToASCII() + '.pem' +filename = os.path.join(dirname, basename) + +# get transport cert from cache +transport_cert_der = _transport_cert_cache.get(domain) +if transport_cert_der is None: +try: +try: +transport_cert = x509.load_certificate_from_file(filename) +except EnvironmentError as e: +if e.errno != errno.ENOENT: +raise +else: +transport_cert_der = transport_cert.public_bytes( +serialization.Encoding.DER) +except Exception: +logger.warning("Failed to load %s: %s", filename, + exc_info=True) + +# try call with the cached transport cert, uncache it if unsuccessful +if transport_cert_der is not None: +try: +return self._do_internal(mechanism, + session_key, + transport_cert_der, +
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages MartinBasti commented: """ The old pylint issue is back ``` * Module ipaserver.install.installutils ipaserver/install/installutils.py:1209: [E1101(no-member), store_version] Module 'ipaplatform' has no 'NAME' member) ipaserver/install/installutils.py:1221: [E1101(no-member), check_version] Module 'ipaplatform' has no 'NAME' member) ipaserver/install/installutils.py:1224: [E1101(no-member), check_version] Module 'ipaplatform' has no 'NAME' member) ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281970741 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Release: script for updating contributors
On 23.02.2017 12:31, Martin Kosek wrote: Hi all, Based on my recent Contributors.txt update and on Martin Basti's request in the pull request: https://github.com/freeipa/freeipa/pull/493#issuecomment-281938080 I added my (hacky) script for updating the file in the freeipa-tools repo and updated our Release page: http://www.freeipa.org/page/Release#Update_Contributors.txt HTH! +1, Thank you! -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] Release: script for updating contributors
Hi all, Based on my recent Contributors.txt update and on Martin Basti's request in the pull request: https://github.com/freeipa/freeipa/pull/493#issuecomment-281938080 I added my (hacky) script for updating the file in the freeipa-tools repo and updated our Release page: http://www.freeipa.org/page/Release#Update_Contributors.txt HTH! -- Martin KosekManager, Software Engineering - Identity Management Team Red Hat, Inc. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#492][synchronized] [WIP] config: remove meaningless defaults
URL: https://github.com/freeipa/freeipa/pull/492 Author: HonzaCholasta Title: #492: [WIP] config: remove meaningless defaults Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/492/head:pr492 git checkout pr492 From a5bfc0b734466ea5a8a9447fd1a916fa85462922 Mon Sep 17 00:00:00 2001 From: Jan CholastaDate: Thu, 23 Feb 2017 09:44:04 + Subject: [PATCH 1/6] user, migration: use LDAPClient for ad-hoc LDAP connections Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the user_status and migrate-ds plugins. --- ipaserver/plugins/migration.py | 15 +-- ipaserver/plugins/user.py | 11 --- 2 files changed, 9 insertions(+), 17 deletions(-) diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py index 72abd14..e8d102a 100644 --- a/ipaserver/plugins/migration.py +++ b/ipaserver/plugins/migration.py @@ -28,13 +28,9 @@ from ipalib.cli import to_cli from ipalib.plugable import Registry from .user import NO_UPG_MAGIC -if api.env.in_server and api.env.context in ['lite', 'server']: -try: -from ipaserver.plugins.ldap2 import ldap2 -except Exception as e: -raise e from ipalib import _ from ipapython.dn import DN +from ipapython.ipaldap import LDAPClient from ipapython.ipautil import write_tmp_file from ipapython.kerberos import Principal import datetime @@ -885,8 +881,6 @@ def execute(self, ldapuri, bindpw, **options): return dict(result={}, failed={}, enabled=False, compat=True) # connect to DS -ds_ldap = ldap2(self.api, ldap_uri=ldapuri) - cacert = None if options.get('cacertfile') is not None: # store CA cert into file @@ -894,12 +888,13 @@ def execute(self, ldapuri, bindpw, **options): cacert = tmp_ca_cert_f.name # start TLS connection -ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw, -cacert=cacert) +ds_ldap = LDAPClient(ldapuri, cacert=cacert) +ds_ldap.simple_bind(options['binddn'], bindpw) tmp_ca_cert_f.close() else: -ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw) +ds_ldap = LDAPClient(ldapuri, cacert=cacert) +ds_ldap.simple_bind(options['binddn'], bindpw) # check whether the compat plugin is enabled if not options.get('compat'): diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py index 88171cf..4c4b7d3 100644 --- a/ipaserver/plugins/user.py +++ b/ipaserver/plugins/user.py @@ -21,7 +21,6 @@ import time from time import gmtime, strftime import posixpath -import os import six @@ -62,12 +61,10 @@ from ipalib import output from ipaplatform.paths import paths from ipapython.dn import DN +from ipapython.ipaldap import LDAPClient from ipapython.ipautil import ipa_generate_password, TMP_PWD_ENTROPY_BITS from ipalib.capabilities import client_has_capability -if api.env.in_server: -from ipaserver.plugins.ldap2 import ldap2 - if six.PY3: unicode = str @@ -1115,9 +1112,9 @@ def execute(self, *keys, **options): if host == api.env.host: other_ldap = self.obj.backend else: -other_ldap = ldap2(self.api, ldap_uri='ldap://%s' % host) try: -other_ldap.connect(ccache=os.environ['KRB5CCNAME']) +other_ldap = LDAPClient(ldap_uri='ldap://%s' % host) +other_ldap.gssapi_bind() except Exception as e: self.error("user_status: Connecting to %s failed with %s" % (host, str(e))) newresult = {'dn': dn} @@ -1162,7 +1159,7 @@ def execute(self, *keys, **options): count += 1 if host != api.env.host: -other_ldap.disconnect() +other_ldap.close() return dict(result=entries, count=count, From f77a3d6f811c20e46b6a61e4e8a20b1e447b0ed5 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 23 Feb 2017 09:52:51 + Subject: [PATCH 2/6] {ca,kra}instance: drop redundant URI argument from ad-hoc ldap2 connections Use the default URI from api.env.ldap_uri, as it is the same as the URI provided using the argument. --- ipaserver/install/cainstance.py | 19 +-- ipaserver/install/krainstance.py | 4 +--- 2 files changed, 6 insertions(+), 17 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 3c86b91..b79b432 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -703,9 +703,7 @@ def __create_ca_agent(self): cert = x509.load_certificate(cert_data, x509.DER) # connect to CA database -server_id =
[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA stlaz commented: """ Some more fixes for Travis to check. """ See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-281950085 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages tiran commented: """ @MartinBasti I dropped the last commit. make check no longer checks wheel packages. I'm going to open a new ticket for @martbab and ask him to add to add a proper test for wheel building to his awesome container magic. """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281946900 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Author: tiran Title: #472: Packaging: Add placeholder packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/472/head:pr472 git checkout pr472 From 4adaffb04e8fea15feb661611e2eaef71c9b6fd8 Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Thu, 16 Feb 2017 15:27:49 +0100 Subject: [PATCH 1/4] Packaging: Add placeholder packages The ipa and freeipa packages are placeholders to prevent PyPI squashing attacks and reserve the names for future use. `pip install ipa` installs ipaclient. Signed-off-by: Christian Heimes --- Makefile.am | 6 +++--- Makefile.python.am| 21 + configure.ac | 3 +++ packaging/Makefile.am | 10 ++ packaging/freeipa/Makefile.am | 3 +++ packaging/freeipa/README.txt | 2 ++ packaging/freeipa/setup.cfg | 6 ++ packaging/freeipa/setup.py| 23 +++ packaging/ipa/Makefile.am | 3 +++ packaging/ipa/README.txt | 2 ++ packaging/ipa/setup.cfg | 6 ++ packaging/ipa/setup.py| 23 +++ 12 files changed, 97 insertions(+), 11 deletions(-) create mode 100644 packaging/Makefile.am create mode 100644 packaging/freeipa/Makefile.am create mode 100644 packaging/freeipa/README.txt create mode 100644 packaging/freeipa/setup.cfg create mode 100755 packaging/freeipa/setup.py create mode 100644 packaging/ipa/Makefile.am create mode 100644 packaging/ipa/README.txt create mode 100644 packaging/ipa/setup.cfg create mode 100755 packaging/ipa/setup.py diff --git a/Makefile.am b/Makefile.am index a35d18f..9595c9d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -9,11 +9,9 @@ if WITH_IPATESTS endif IPACLIENT_SUBDIRS = ipaclient ipalib ipapython - -SUBDIRS = asn1 util client contrib po \ +SUBDIRS = asn1 util client contrib po pypi \ $(IPACLIENT_SUBDIRS) ipaplatform $(IPATESTS_SUBDIRS) $(SERVER_SUBDIRS) - MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ ipasetup.pyc ipasetup.pyo \ @@ -217,6 +215,8 @@ $(WHEELBUNDLEDIR): mkdir -p $(WHEELBUNDLEDIR) bdist_wheel: $(WHEELDISTDIR) + $(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1; + $(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1; for dir in $(IPACLIENT_SUBDIRS); do \ $(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \ done diff --git a/Makefile.python.am b/Makefile.python.am index 665893f..9c34fe3 100644 --- a/Makefile.python.am +++ b/Makefile.python.am @@ -1,5 +1,6 @@ pkgname = $(shell basename "$(abs_srcdir)") pkgpythondir = $(pythondir)/$(pkgname) +pkginstall = true if VERBOSE_MAKE VERBOSITY="--verbose" @@ -19,16 +20,20 @@ all-local: $(top_builddir)/ipasetup.py --build-base "$(abs_builddir)/build" install-exec-local: $(top_builddir)/ipasetup.py - $(PYTHON) $(srcdir)/setup.py \ - $(VERBOSITY) \ - install \ - --prefix "$(DESTDIR)$(prefix)" \ - --single-version-externally-managed \ - --record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \ - --optimize 1 + if [ "x$(pkginstall)" = "xtrue" ]; then \ + $(PYTHON) $(srcdir)/setup.py \ + $(VERBOSITY) \ + install \ + --prefix "$(DESTDIR)$(prefix)" \ + --single-version-externally-managed \ + --record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \ + --optimize 1; \ + fi uninstall-local: - cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf + if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \ + cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \ + fi rm -rf "$(DESTDIR)$(pkgpythondir)" clean-local: $(top_builddir)/ipasetup.py diff --git a/configure.ac b/configure.ac index 9ee281a..ebdd358 100644 --- a/configure.ac +++ b/configure.ac @@ -484,6 +484,9 @@ AC_CONFIG_FILES([ ipaserver/Makefile ipatests/Makefile ipatests/man/Makefile +packaging/Makefile +packaging/freeipa/Makefile +packaging/ipa/Makefile po/Makefile.in po/Makefile.hack util/Makefile diff --git a/packaging/Makefile.am b/packaging/Makefile.am new file mode 100644 index 000..5725ed9 --- /dev/null +++ b/packaging/Makefile.am @@ -0,0 +1,10 @@ +# This file will be processed with automake-1.7 to create Makefile.in +# +AUTOMAKE_OPTIONS = 1.7 subdir-objects + +NULL = + +SUBDIRS = \ + freeipa \ + ipa \ + $(NULL) diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am new file mode 100644 index 000..15d86ce --- /dev/null +++ b/packaging/freeipa/Makefile.am @@ -0,0 +1,3 @@ +include $(top_srcdir)/Makefile.python.am + +pkginstall = false diff --git a/packaging/freeipa/README.txt b/packaging/freeipa/README.txt new file mode 100644 index 000..b58448f --- /dev/null +++ b/packaging/freeipa/README.txt @@ -0,0 +1,2 @@ +This is a dummy
[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing
URL: https://github.com/freeipa/freeipa/pull/397 Author: tiran Title: #397: Improve wheel building and provide ipaserver wheel for local testing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/397/head:pr397 git checkout pr397 From cff6590500682cde35148542cf7f078a31ca34a2 Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Tue, 17 Jan 2017 08:49:54 +0100 Subject: [PATCH 1/6] Conditionally import pyhbac The pyhbac module is part of SSSD. It's not available as stand-alone PyPI package. It would take a lot of effort to package it because the code is deeply tight into SSSD. Let's follow the example of other SSSD Python packages and make the import of pyhbac conditionally. It's only necessary for caacl and hbactest plugins. I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it does not check for presence of pyhbac package itself. The check is performed earlier in execute(). The prefix indicates that it is an internal function and developers have to think twice before using it in another place. This makes it much easier to install ipaserver with instrumented build of Python with a different ABI or in isolated virtual envs to profile and debug the server. Signed-off-by: Christian Heimes --- ipaserver/plugins/caacl.py| 11 ++- ipaserver/plugins/hbactest.py | 19 --- 2 files changed, 26 insertions(+), 4 deletions(-) diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py index a7817c4..691f4e9 100644 --- a/ipaserver/plugins/caacl.py +++ b/ipaserver/plugins/caacl.py @@ -2,7 +2,6 @@ # Copyright (C) 2015 FreeIPA Contributors see COPYING for license # -import pyhbac import six from ipalib import api, errors, output @@ -17,6 +16,11 @@ from ipalib import _, ngettext from ipapython.dn import DN +try: +import pyhbac +except ImportError: +pyhbac = None + if six.PY3: unicode = str @@ -152,6 +156,11 @@ def _acl_make_rule(principal_type, obj): def acl_evaluate(principal_type, principal, ca_id, profile_id): +if pyhbac is None: +raise errors.ValidationError( +name=_('missing pyhbac'), +error=_('pyhbac is not available on the server.') +) req = _acl_make_request(principal_type, principal, ca_id, profile_id) acls = api.Command.caacl_find(no_members=False)['result'] rules = [_acl_make_rule(principal_type, obj) for obj in acls] diff --git a/ipaserver/plugins/hbactest.py b/ipaserver/plugins/hbactest.py index 626e894..e156568 100644 --- a/ipaserver/plugins/hbactest.py +++ b/ipaserver/plugins/hbactest.py @@ -29,9 +29,14 @@ except ImportError: _dcerpc_bindings_installed = False -import pyhbac import six +try: +import pyhbac +except ImportError: +pyhbac = None + + if six.PY3: unicode = str @@ -210,7 +215,7 @@ register = Registry() -def convert_to_ipa_rule(rule): +def _convert_to_ipa_rule(rule): # convert a dict with a rule to an pyhbac rule ipa_rule = pyhbac.HbacRule(rule['cn'][0]) ipa_rule.enabled = rule['ipaenabledflag'][0] @@ -309,6 +314,14 @@ def canonicalize(self, host): return host def execute(self, *args, **options): +if pyhbac is None: +raise errors.ValidationError( +name=_('missing pyhbac'), +error=_( +'pyhbac is not available on the server.' +) +) + # First receive all needed information: # 1. HBAC rules (whether enabled or disabled) # 2. Required options are (user, target host, service) @@ -356,7 +369,7 @@ def execute(self, *args, **options): # --disabled will import all disabled rules # --rules will implicitly add the rules from a rule list for rule in hbacset: -ipa_rule = convert_to_ipa_rule(rule) +ipa_rule = _convert_to_ipa_rule(rule) if ipa_rule.name in testrules: ipa_rule.enabled = True rules.append(ipa_rule) From b094db2321ef425bb14fb031247a2af89f1d6b90 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 17 Jan 2017 08:57:33 +0100 Subject: [PATCH 2/6] Add extra_requires for additional dependencies ipaserver did not have extra_requires to state additional dependencies. Signed-off-by: Christian Heimes --- ipaserver/setup.py | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/ipaserver/setup.py b/ipaserver/setup.py index 95ba5eb..acdae5a 100755 --- a/ipaserver/setup.py +++ b/ipaserver/setup.py @@ -60,12 +60,6 @@ "pyldap", "python-nss", "six", -# not available on PyPI -# "python-libipa_hbac", -# "python-sss", -# "python-sss-murmur", -# "python-SSSDConfig", -
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages MartinBasti commented: """ @tiran I thought we agreed on having `with_wheels` in specfile and install dependencies only when you want to build wheel packages, what is not the case of RHEL. So what is the issue with python-wheel? My only concern it to not run wheel build in make check """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281943814 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] python-ipaserver & freeipa-server-trust-ad split
On 20.02.2017 20:24, Alexander Bokovoy wrote: > On la, 18 helmi 2017, Timo Aaltonen wrote: >> >> Hi, >> >> So Fedora puts all of dist-packages/ipaserver/* in python-ipaserver, >> but dcerpc.py imports python-samba which -ipaserver does not depend on. >> So I've kept dcerpc.py and adtrustinstance.py in freeipa-server-trust-ad >> on Debian, but now with 4.4.3 (because of fd8c17252fbc) it seems that >> ipa-server-install wants to import adtrustinstance and fails to run if >> it's not installed. >> >> Traceback (most recent call last): >> File "/usr/sbin/ipa-server-install", line 25, in >>from ipaserver.install.server import Server >> File >> "/usr/lib/python2.7/dist-packages/ipaserver/install/server/__init__.py", >> line 8, in >>from .upgrade import upgrade_check, upgrade >> File >> "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", >> line 49, in >>from ipaserver.install import adtrustinstance >> ImportError: cannot import name adtrustinstance >> >> >> So what to do here? I can't remember exactly what problems I hit when >> everything was in python-ipaserver while testing 4.3.0, but I think they >> were about the samba stuff.. and don't want to test again without asking >> first. Should the upgrader stuff be split? > I think we simply can move ipa_smb_conf_exists() to ipapython or ipalib. > It only needs to read a config file and check a signature. Signature > could be > moved to constants. Then ipa_smb_conf_exists() can be imported in both > upgrade tool and in adtrustinstance. > > Want to make a PR? Well, maybe I'll first try moving adtrustinstance/dcerpc stuff back to python-ipaserver and see if something breaks with the current version and then perhaps fix that instead. t -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Title: #398: Support for Certificate Identity Mapping sumit-bose commented: """ Ok, sorry for the noise, I tested on a fresh install again and now it is working as expected. I guess I shouldn't have tried to update from an older version of your patch to a newer one. """ See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-281939524 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#493][comment] Update Contributors.txt
URL: https://github.com/freeipa/freeipa/pull/493 Title: #493: Update Contributors.txt MartinBasti commented: """ If script for generating contributors file was published it may be documented in releasing page and it may be part of each release. """ See the full comment at https://github.com/freeipa/freeipa/pull/493#issuecomment-281938080 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#493][+pushed] Update Contributors.txt
URL: https://github.com/freeipa/freeipa/pull/493 Title: #493: Update Contributors.txt Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#493][comment] Update Contributors.txt
URL: https://github.com/freeipa/freeipa/pull/493 Title: #493: Update Contributors.txt MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/b367c3a622c8c8b96777e4ce50334d2a4477bbe7 """ See the full comment at https://github.com/freeipa/freeipa/pull/493#issuecomment-281937859 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#493][closed] Update Contributors.txt
URL: https://github.com/freeipa/freeipa/pull/493 Author: mkosek Title: #493: Update Contributors.txt Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/493/head:pr493 git checkout pr493 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#495][comment] Fix ipa-server-upgrade
URL: https://github.com/freeipa/freeipa/pull/495 Title: #495: Fix ipa-server-upgrade MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/32076df10231b381a80c9ef850c2c31d7a25feb8 """ See the full comment at https://github.com/freeipa/freeipa/pull/495#issuecomment-281937465 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#496][closed] Use newer Certificate.serial_number in krainstance.py
URL: https://github.com/freeipa/freeipa/pull/496 Author: stlaz Title: #496: Use newer Certificate.serial_number in krainstance.py Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/496/head:pr496 git checkout pr496 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#495][closed] Fix ipa-server-upgrade
URL: https://github.com/freeipa/freeipa/pull/495 Author: stlaz Title: #495: Fix ipa-server-upgrade Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/495/head:pr495 git checkout pr495 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#495][+pushed] Fix ipa-server-upgrade
URL: https://github.com/freeipa/freeipa/pull/495 Title: #495: Fix ipa-server-upgrade Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#496][comment] Use newer Certificate.serial_number in krainstance.py
URL: https://github.com/freeipa/freeipa/pull/496 Title: #496: Use newer Certificate.serial_number in krainstance.py MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/8c2cd66269d7be976ae7fc990343ed8e9b5282a3 """ See the full comment at https://github.com/freeipa/freeipa/pull/496#issuecomment-281937212 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#496][+pushed] Use newer Certificate.serial_number in krainstance.py
URL: https://github.com/freeipa/freeipa/pull/496 Title: #496: Use newer Certificate.serial_number in krainstance.py Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#439][+postponed] [WIP] [Py3] testing both py2/py3 in travis
URL: https://github.com/freeipa/freeipa/pull/439 Title: #439: [WIP] [Py3] testing both py2/py3 in travis Label: +postponed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#460][+postponed] [Py3] ipa-server-install, ipa-server-upgrade fixes
URL: https://github.com/freeipa/freeipa/pull/460 Title: #460: [Py3] ipa-server-install, ipa-server-upgrade fixes Label: +postponed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages lslebodn commented: """ NACK for downstream patch. The intentin of build system refactoring was make packaging in downstream simpler. """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281935052 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages lslebodn commented: """ NACK for downstream patch. The intentin of build system refactoring was make packaging in downstream simpler. """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281935052 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages pvoborni commented: """ Some distros like RHEL doesn't have python-wheel packaged. It can be disabled by downstream patch, but better would be to remove it or make it configurable. """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281934554 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#493][+ack] Update Contributors.txt
URL: https://github.com/freeipa/freeipa/pull/493 Title: #493: Update Contributors.txt Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#493][comment] Update Contributors.txt
URL: https://github.com/freeipa/freeipa/pull/493 Title: #493: Update Contributors.txt stlaz commented: """ I don't give two poops and a popsicle about the order of names in the Contributors.txt file. ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/493#issuecomment-281934226 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages lslebodn commented: """ FYI: At the moment, `make check` run just C-based unit test and all of them are optional. If required dependency is not found at configure time then test is not build/executed. The reason is that required dependencies are not in some downstream distributions and IIRC python-wheel is not there either. """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281933816 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing
URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing tiran commented: """ I didn't know about the ```SkipPluginModule``` feature. I agree with you, your solution is more elegant. """ See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-281932095 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#412][comment] Define template version in certmap.conf
URL: https://github.com/freeipa/freeipa/pull/412 Title: #412: Define template version in certmap.conf flo-renaud commented: """ Bump for review """ See the full comment at https://github.com/freeipa/freeipa/pull/412#issuecomment-281931336 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages tiran commented: """ That's not the point here. We are arguing about a new build dependency (python-wheel). """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281930993 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages lslebodn commented: """ I agree with @MartinBasti it is not a unit test. IMHO better approach is to test it in CI/travis/... """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281929628 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#496][+ack] Use newer Certificate.serial_number in krainstance.py
URL: https://github.com/freeipa/freeipa/pull/496 Title: #496: Use newer Certificate.serial_number in krainstance.py Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages tiran commented: """ I'm open to suggestions here, but I like to have automatic validation of packaging. """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281928143 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#496][comment] Use newer Certificate.serial_number in krainstance.py
URL: https://github.com/freeipa/freeipa/pull/496 Title: #496: Use newer Certificate.serial_number in krainstance.py flo-renaud commented: """ Hi @stlaz , the warning `/usr/lib/python2.7/site-packages/ipaserver/install/krainstance.py:316: DeprecationWarning: Certificate serial is deprecated, use serial_number instead. ` is not present anymore. ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/496#issuecomment-281928293 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages MartinBasti commented: """ Is really needed to have this is make check? It makes build dependencies of wheel mandratory not optional ``` error: invalid command 'bdist_wheel' make[5]: *** [bdist_wheel] Error 1 Makefile:591: recipe for target 'bdist_wheel' failed make[5]: Leaving directory '/freeipa/rpmbuild/BUILD/freeipa-4.4.90.dev201702221837+git07cd377/pypi/freeipa' Makefile:1192: recipe for target 'wheel_placeholder' failed make[4]: *** [wheel_placeholder] Error 1 make[4]: *** Waiting for unfinished jobs usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...] or: setup.py --help [cmd1 cmd2 ...] or: setup.py --help-commands or: setup.py cmd --help ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281926018 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages MartinBasti commented: """ Is really needed to have this is make check? It makes build dependencies of wheel mandratory not optional ``` error: invalid command 'bdist_wheel' make[5]: *** [bdist_wheel] Error 1 Makefile:591: recipe for target 'bdist_wheel' failed make[5]: Leaving directory '/freeipa/rpmbuild/BUILD/freeipa-4.4.90.dev201702221837+git07cd377/pypi/freeipa' Makefile:1192: recipe for target 'wheel_placeholder' failed make[4]: *** [wheel_placeholder] Error 1 make[4]: *** Waiting for unfinished jobs usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...] or: setup.py --help [cmd1 cmd2 ...] or: setup.py --help-commands or: setup.py cmd --help ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281926018 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code