[Freeipa-devel] [freeipa PR#33] Update translations (+ack)
mbasti-rh's pull request #33: "Update translations" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/33 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#33] Update translations (closed)
mbasti-rh's pull request #33: "Update translations" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/33 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/33/head:pr33 git checkout pr33
[Freeipa-devel] [freeipa PR#33] Update translations (+pushed)
mbasti-rh's pull request #33: "Update translations" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/33
[Freeipa-devel] [freeipa PR#33] Update translations (comment)
martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/cb1cee4db830e2eee4e72560958a3e4e4f5ca007 """ See the full comment at https://github.com/freeipa/freeipa/pull/33#issuecomment-243368823
[Freeipa-devel] [freeipa PR#40] do not use trusted forest name to construct domain admin principal (opened)
martbab's pull request #40: "do not use trusted forest name to construct domain admin principal" was opened PR body: """ When `trust-add` is supplied AD domain admin name without realm component, the code appends the uppercased AD forest root domain name to construct the full principal. This can cause authentication error, however, when external trust with non-root domain is requested. We should instead use the supplied DNS domain name (if valid) as a realm component. https://fedorahosted.org/freeipa/ticket/6277 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/40 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/40/head:pr40 git checkout pr40 From ebce3c0cdf8a4b1df35614187c782551c2c590eb Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 31 Aug 2016 13:59:14 +0200 Subject: [PATCH] do not use trusted forest name to construct domain admin principal When `trust-add` is supplied AD domain admin name without realm component, the code appends the uppercased AD forest root domain name to construct the full principal. This can cause authentication error, however, when external trust with non-root domain is requested. We should instead use the supplied DNS domain name (if valid) as a realm component. https://fedorahosted.org/freeipa/ticket/6277 --- ipaserver/plugins/trust.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 26f85c2..65dc1f4 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py 
@@ -319,7 +319,7 @@ def generate_creds(trustinstance, style, **options): else: sp = admin_name.split(sep) if len(sp) == 1: -sp.append(trustinstance.remote_domain.info['dns_forest'].upper()) +sp.append(trustinstance.remote_domain.info['dns_domain'].upper()) creds = u"{name}%{password}".format(name=sep.join(sp), password=password) return creds -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
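Review bot: In `generate_creds`, the replaced `sp.append(...)` line reads `trustinstance.remote_domain.info['dns_domain']` unconditionally, while the commit message says the supplied DNS domain name is used "(if valid)"; no validity check is visible in this hunk. Please either point to where `dns_domain` is validated before this call, or guard the lookup here so that a missing or empty value produces a clear error instead of a malformed principal. A test for `trust-add` with an unqualified admin name against a non-root domain would pin the behaviour down.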
[Freeipa-devel] [freeipa PR#46] Always fetch forest info from root DCs when establishing two-way trust (opened)
martbab's pull request #46: "Always fetch forest info from root DCs when establishing two-way trust" was opened PR body: """ Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls performed against non-root forest domain DCs were automatically routed to the root domain DCs to resolve trust topology information. This is no longer the case, so the `dcerpc.fetch_domains` function must explicitly contact root domain DCs even in the case when an external two-way trust to non-root domain is requested. https://fedorahosted.org/freeipa/ticket/6057 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/46 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/46/head:pr46 git checkout pr46 From 5a70f5dc53067f7a21a4fc60f95d7b11b2220611 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Thu, 1 Sep 2016 09:30:23 +0200 Subject: [PATCH] Always fetch forest info from root DCs when establishing two-way trust Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls performed against non-root forest domain DCs were automatically routed to the root domain DCs to resolve trust topology information. This is no longer the case, so the `dcerpc.fetch_domains` function must explicitly contact root domain DCs even in the case when an external two-way trust to non-root domain is requested. https://fedorahosted.org/freeipa/ticket/6057 --- ipaserver/plugins/trust.py | 29 + 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 65dc1f4..8f8f987 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py 
@@ -770,7 +770,7 @@ def execute(self, *keys, **options): # Bidirectional trust allows us to use cross-realm TGT, so we can # run the call under original user's credentials res = fetch_domains_from_trust(self.api, self.trustinstance, - result['result'], **options) + **options) domains = add_new_domains_from_trust(self.api, self.trustinstance, result['result'], res, **options) else: @@ -1631,8 +1631,21 @@ def execute(self, *keys, **options): return result -def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options): -trust_name = trust_entry['cn'][0] +def fetch_domains_from_trust(myapi, trustinstance, **options): +""" +Contact trust forest root DC and fetch trusted forest topology information. + +:param myapi: API instance +:param trustinstance: Initialized instance of `dcerpc.TrustDomainJoins` +class +:param options: options passed from API command's `execute()` method + +:returns: dict containing forest domain information and forest-wide UPN +suffixes (if any) +""" + +forest_root_name = trustinstance.remote_domain.info['dns_forest'] + # We want to use Kerberos if we have admin credentials even with SMB calls # as eventually use of NTLMSSP will be deprecated for trusted domain operations # If admin credentials are missing, 'creds' will be None and fetch_domains @@ -1640,10 +1653,10 @@ def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options): # as well. creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options) server = options.get('realm_server', None) -domains = ipaserver.dcerpc.fetch_domains(myapi, - trustinstance.local_flatname, - trust_name, creds=creds, - server=server) +domains = ipaserver.dcerpc.fetch_domains( +myapi, trustinstance.local_flatname, forest_root_name, creds=creds, +server=server) + return domains 
@@ -1749,7 +1762,7 @@ def execute(self, *keys, **options): 'on the IPA server first' ) ) -res = fetch_domains_from_trust(self.api, trustinstance, trust, **options) +res = fetch_domains_from_trust(self.api, trustinstance, **options) domains = add_new_domains_from_trust(self.api, trustinstance, trust, res, **options) if len(domains) > 0: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
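Review bot: In the rewritten `fetch_domains_from_trust`, `server = options.get('realm_server', None)` is still forwarded to `ipaserver.dcerpc.fetch_domains` alongside the new `forest_root_name`. If the caller supplied a `realm_server` that is a DC of the non-root domain, the call is still directed at that DC, which is the case the commit message says is no longer routed to the root domain. Consider ignoring `realm_server` here or resolving a root-domain DC when `dns_forest` differs from the trusted domain name. Dropping the `trust_entry` parameter also changes the function signature; both call sites shown in this file are updated, but any caller outside `trust.py` should be checked.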
[Freeipa-devel] [freeipa PR#46] Always fetch forest info from root DCs when establishing two-way trust (synchronize)
martbab's pull request #46: "Always fetch forest info from root DCs when establishing two-way trust" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/46 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/46/head:pr46 git checkout pr46 From 5a70f5dc53067f7a21a4fc60f95d7b11b2220611 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Thu, 1 Sep 2016 09:30:23 +0200 Subject: [PATCH 1/3] Always fetch forest info from root DCs when establishing two-way trust Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls performed against non-root forest domain DCs were automatically routed to the root domain DCs to resolve trust topology information. This is no longer the case, so the `dcerpc.fetch_domains` function must explicitly contact root domain DCs even in the case when an external two-way trust to non-root domain is requested. https://fedorahosted.org/freeipa/ticket/6057 --- ipaserver/plugins/trust.py | 29 + 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 65dc1f4..8f8f987 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -770,7 +770,7 @@ def execute(self, *keys, **options): # Bidirectional trust allows us to use cross-realm TGT, so we can # run the call under original user's credentials res = fetch_domains_from_trust(self.api, self.trustinstance, - result['result'], **options) + **options) domains = add_new_domains_from_trust(self.api, self.trustinstance, result['result'], res, **options) else: 
@@ -1631,8 +1631,21 @@ def execute(self, *keys, **options): return result -def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options): -trust_name = trust_entry['cn'][0] +def fetch_domains_from_trust(myapi, trustinstance, **options): +""" +Contact trust forest root DC and fetch trusted forest topology information. + +:param myapi: API instance +:param trustinstance: Initialized instance of `dcerpc.TrustDomainJoins` +class +:param options: options passed from API command's `execute()` method + +:returns: dict containing forest domain information and forest-wide UPN +suffixes (if any) +""" + +forest_root_name = trustinstance.remote_domain.info['dns_forest'] + # We want to use Kerberos if we have admin credentials even with SMB calls # as eventually use of NTLMSSP will be deprecated for trusted domain operations # If admin credentials are missing, 'creds' will be None and fetch_domains @@ -1640,10 +1653,10 @@ def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options): # as well. creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options) server = options.get('realm_server', None) -domains = ipaserver.dcerpc.fetch_domains(myapi, - trustinstance.local_flatname, - trust_name, creds=creds, - server=server) +domains = ipaserver.dcerpc.fetch_domains( +myapi, trustinstance.local_flatname, forest_root_name, creds=creds, +server=server) + return domains @@ -1749,7 +1762,7 @@ def execute(self, *keys, **options): 'on the IPA server first' ) ) -res = fetch_domains_from_trust(self.api, trustinstance, trust, **options) +res = fetch_domains_from_trust(self.api, trustinstance, **options) domains = add_new_domains_from_trust(self.api, trustinstance, trust, res, **options) if len(domains) > 0: From 11e3bca0af0ff8969b2eddb9e0b19fcf6a4a9fd0 Mon Sep 17 00:00:00 2001 
From: Martin Babinsky Date: Thu, 1 Sep 2016 18:09:05 +0200 Subject: [PATCH 2/3] factor out `populate_remote_domain` method into module-level function This allows for re-use of this method in cases where the caller can not or wishes not to instantiate local Samba domain to retrieve information about remote ones. https://fedorahosted.org/freeipa/ticket/6057 --- ipaserver/dcerpc.py | 94 ++--- 1 file changed, 53 insertions(+), 41 deletions(-) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 4d98485..71b8ba6 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -1534,6 +1534,52 @@ def communicate(td): return result +def retrieve_remote_domain(hostname, local_flatname, + realm, realm_server=None, + realm_admin=None, realm_passwd=None): +def get_instance(local_flatname): +
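Review bot: The subject of patch 2/3 says `populate_remote_domain` is factored out, but the function added to `ipaserver/dcerpc.py` in this hunk is named `retrieve_remote_domain`; align the commit message with the code so the change can be found by name later. The new module-level function takes `realm_admin` and `realm_passwd` and has no docstring in the visible lines; please document each parameter, in particular which ones are optional and which credentials are used when they are `None`.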
[Freeipa-devel] [freeipa PR#51] Fix failing negative tests for deprecated params (opened)
martbab's pull request #51: "Fix failing negative tests for deprecated params" was opened PR body: """ Fixes https://fedorahosted.org/freeipa/ticket/6190 There is one last failing test. To fix it properly we will have to rework `Parameter.__init__` method, see https://fedorahosted.org/freeipa/ticket/6292 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/51 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/51/head:pr51 git checkout pr51 From c6cec9e59dd62b5efdb45a8cf413177b517e9c22 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 19 Jul 2016 17:05:32 +0200 Subject: [PATCH] raise ValidationError when deprecated param is passed to command https://fedorahosted.org/freeipa/ticket/6190 --- ipalib/parameters.py | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/ipalib/parameters.py b/ipalib/parameters.py index 6917c8d..37f9650 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -854,6 +854,9 @@ def validate(self, value, supplied=None): if self.required or (supplied and 'nonempty' in self.flags): raise RequirementError(name=self.name) return +if self.deprecated: +raise ValidationError(name=self.get_param_name(), + error=_('this option is deprecated')) if self.multivalue: if type(value) is not tuple: raise TypeError( @@ -876,10 +879,6 @@ def _validate_scalar(self, value, index=None): if error is not None: raise ValidationError(name=self.get_param_name(), error=error) -def _rule_deprecated(self, _, value): -if self.deprecated: -return _('this option is deprecated') - def get_default(self, **kw): """ Return the static default or construct and return a dynamic default. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
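Review bot: In `validate()`, the new `if self.deprecated:` check sits after the `value is None` early `return`, so a deprecated option passed with an empty value is accepted without error; confirm that this is intended, and add a negative test for it if not. With the `_rule_deprecated` method removed, please also make sure nothing else still refers to that rule by name.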
[Freeipa-devel] [freeipa PR#46] Always fetch forest info from root DCs when establishing two-way trust (+pushed)
martbab's pull request #46: "Always fetch forest info from root DCs when establishing two-way trust" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/46
[Freeipa-devel] [freeipa PR#46] Always fetch forest info from root DCs when establishing two-way trust (comment)
martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/33f8685513e06f6a398036a78407d61c3ac2db86 https://fedorahosted.org/freeipa/changeset/c789b17b2e28ed9008fee076a0db72fe90f7e93f https://fedorahosted.org/freeipa/changeset/4ca671788cc54a00de6a55a2529df6126da14d88 ipa-4-4: https://fedorahosted.org/freeipa/changeset/58513d3b2a72b6c15bdf5676ed63d6eb74f36ed7 https://fedorahosted.org/freeipa/changeset/034b78e320e4868e4dee520690bb49fefc242cde https://fedorahosted.org/freeipa/changeset/a532edf97337a80b0777fb00cc1b9e57ef8cf487 """ See the full comment at https://github.com/freeipa/freeipa/pull/46#issuecomment-244675328
[Freeipa-devel] [freeipa PR#46] Always fetch forest info from root DCs when establishing two-way trust (closed)
martbab's pull request #46: "Always fetch forest info from root DCs when establishing two-way trust" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/46 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/46/head:pr46 git checkout pr46
[Freeipa-devel] [freeipa PR#51] Fix failing negative tests for deprecated params (+pushed)
martbab's pull request #51: "Fix failing negative tests for deprecated params" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/51
[Freeipa-devel] [freeipa PR#51] Fix failing negative tests for deprecated params (closed)
martbab's pull request #51: "Fix failing negative tests for deprecated params" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/51 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/51/head:pr51 git checkout pr51
[Freeipa-devel] [freeipa PR#51] Fix failing negative tests for deprecated params (comment)
martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/82e754e9c5e46317c7c060d9bc9c00ee259101a1 ipa-4-4: https://fedorahosted.org/freeipa/changeset/4d4ea09a82cf9234a0f3cec43fd1551acae5780c """ See the full comment at https://github.com/freeipa/freeipa/pull/51#issuecomment-244675738
[Freeipa-devel] [freeipa PR#48] [4.4] Set zanata project-version fo 4.4 branch (+ack)
mbasti-rh's pull request #48: "[4.4] Set zanata project-version fo 4.4 branch" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/48
[Freeipa-devel] [freeipa PR#48] [4.4] Set zanata project-version fo 4.4 branch (closed)
mbasti-rh's pull request #48: "[4.4] Set zanata project-version fo 4.4 branch" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/48 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/48/head:pr48 git checkout pr48
[Freeipa-devel] [freeipa PR#48] [4.4] Set zanata project-version fo 4.4 branch (comment)
martbab commented on a pull request """ Fixed upstream ipa-4-4: https://fedorahosted.org/freeipa/changeset/362162aba5ce83043cb3947e453234e933266f4b """ See the full comment at https://github.com/freeipa/freeipa/pull/48#issuecomment-244677238
[Freeipa-devel] [freeipa PR#48] [4.4] Set zanata project-version fo 4.4 branch (+pushed)
mbasti-rh's pull request #48: "[4.4] Set zanata project-version fo 4.4 branch" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/48
[Freeipa-devel] [freeipa PR#59] Fix BadSyntax exception in ldapupdate.py (opened)
martbab's pull request #59: "Fix BadSyntax exception in ldapupdate.py" was opened PR body: """ This complements commit 00d43095da211f542189c95c88fc2e2c32e75565 and fixes two failing testcases in `ipatests/test_install/test_updates.py` https://fedorahosted.org/freeipa/ticket/6294 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/59 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/59/head:pr59 git checkout pr59 From 3fabb5b64d4df9ef1a7a00312e5244b92af67eb0 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 6 Sep 2016 11:46:58 +0200 Subject: [PATCH] ldapupdate: Use proper inheritance in BadSyntax exception https://fedorahosted.org/freeipa/ticket/6294 --- ipaserver/install/ldapupdate.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py index 32fa4e2..1b39745 100644 --- a/ipaserver/install/ldapupdate.py +++ b/ipaserver/install/ldapupdate.py @@ -83,8 +83,8 @@ def connect(ldapi=False, realm=None, fqdn=None, dm_password=None, pw_name=None): class BadSyntax(installutils.ScriptError): def __init__(self, value): self.value = value -self.msg = "LDAPUpdate: syntax error: \n %s" % value -self.rval = 1 +super(BadSyntax, self).__init__( +msg="LDAPUpdate: syntax error: \n %s" % value, rval=1) def __str__(self): return repr(self.value) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
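Review bot: `BadSyntax.__str__` still returns `repr(self.value)`, so the `msg` now passed to `super(BadSyntax, self).__init__()` is not what `str(exc)` prints. If the "LDAPUpdate: syntax error" prefix is meant to reach the user, drop the `__str__` override or have it return the message; otherwise a short comment explaining why the two differ would help.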
[Freeipa-devel] [freeipa PR#61] Use Travis-CI for basic sanity checks (opened)
martbab's pull request #61: "Use Travis-CI for basic sanity checks" was opened PR body: """ This patch adds the config file for Travis CI. The config file instructs the CI to: * check pep8 errors in PR * pull in a freeipa builder container image from docker.io/martbab/freeipa-fedora-builder * build RPMs in pulled container These basic checks should eliminate basic errors that can break the build itself, it does not run any of our integration/unit tests. """ See the full pull-request at https://github.com/freeipa/freeipa/pull/61 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/61/head:pr61 git checkout pr61 From 807925dc8c276eefb3b57d96ad548575ce746a03 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 5 Sep 2016 10:19:40 +0200 Subject: [PATCH] Use Travis-CI for basic sanity checks This patch adds the config file for Travis CI. The config file instructs the CI to: * check pep8 errors in PR * pull in a freeipa builder container image from docker.io/martbab/freeipa-fedora-builder * build RPMs in pulled container These basic checks should eliminate basic errors that can break the build itself, it does not run any of our integration/unit tests. --- .travis.yml | 16 1 file changed, 16 insertions(+) create mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 000..0b9f2e3 --- /dev/null +++ b/.travis.yml @@ -0,0 +1,16 @@ +services: +- docker + +before_install: +- pip install pep8 + +script: +- > +if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]]; +then +git diff origin/master -U0 | pep8 --diff; +fi +- > +docker run -v $PWD:/freeipa -w /freeipa +martbab/freeipa-fedora-builder:master-latest +/bin/bash -c 'dnf builddep -y --spec freeipa.spec.in && make rpms' -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
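Review bot: The `docker run` step pulls `martbab/freeipa-fedora-builder:master-latest`, a mutable tag in a personal Docker Hub namespace, and then runs `dnf builddep` and `make rpms` inside it with the checkout mounted at `/freeipa`. Whoever can push to that tag controls what CI executes, so consider hosting the image under a project-owned namespace and pinning it by digest. `$PWD` in the `-v` argument should also be quoted.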
[Freeipa-devel] [freeipa PR#61] Use Travis-CI for basic sanity checks (synchronize)
martbab's pull request #61: "Use Travis-CI for basic sanity checks" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/61 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/61/head:pr61 git checkout pr61 From d9b1bf57d6a03bcbe762bbe9142a3b9eccb4c7b9 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 5 Sep 2016 10:19:40 +0200 Subject: [PATCH] Use Travis-CI for basic sanity checks This patch adds the config file for Travis CI. The config file instructs the CI to: * check pep8 errors in PR * build RPMs in pulled in Fedora builder container (docker.io/martbab/freeipa-fedora-builder) These basic checks should eliminate basic errors that can break the build itself (formatting errors, Syntax errors/undeclared variables, missing BuildRequires, broken API.txt, etc.). It does not run any of our integration/unit tests. --- .travis.yml | 16 1 file changed, 16 insertions(+) create mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 000..0b9f2e3 --- /dev/null +++ b/.travis.yml @@ -0,0 +1,16 @@ +services: +- docker + +before_install: +- pip install pep8 + +script: +- > +if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]]; +then +git diff origin/master -U0 | pep8 --diff; +fi +- > +docker run -v $PWD:/freeipa -w /freeipa +martbab/freeipa-fedora-builder:master-latest +/bin/bash -c 'dnf builddep -y --spec freeipa.spec.in && make rpms' -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
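Review bot: The pep8 step diffs against a hard-coded `origin/master` (`git diff origin/master -U0 | pep8 --diff`), so a pull request that targets another branch, such as ipa-4-4, is checked against the wrong base and will report unrelated lines. Use the target branch of the build instead of the literal name. `pip install pep8` is also unpinned, so a new pep8 release can change CI results without any change in the repository.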
[Freeipa-devel] [freeipa PR#61] Use Travis-CI for basic sanity checks (synchronize)
martbab's pull request #61: "Use Travis-CI for basic sanity checks" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/61 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/61/head:pr61 git checkout pr61 From 08e345b4b93fd982d54b1e47d8390e54ef7a87c9 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 5 Sep 2016 10:19:40 +0200 Subject: [PATCH] Use Travis-CI for basic sanity checks This patch adds the config file for Travis CI. The config file instructs the CI to: * check pep8 errors in PR * build RPMs in pulled in Fedora builder container (docker.io/martbab/freeipa-fedora-builder) These basic checks should eliminate basic errors that can break the build itself (formatting errors, Syntax errors/undeclared variables, missing BuildRequires, broken API.txt, etc.). It does not run any of our integration/unit tests. --- .travis.yml | 16 1 file changed, 16 insertions(+) create mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 000..f221e82 --- /dev/null +++ b/.travis.yml @@ -0,0 +1,16 @@ +services: +- docker + +before_install: +- pip install pep8 + +script: +- > +if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]]; +then +git diff origin/${TRAVIS_BRANCH} -U0 | pep8 --diff; +fi +- > +docker run -v $PWD:/freeipa -w /freeipa +martbab/freeipa-fedora-builder:${TRAVIS_BRANCH}-latest +/bin/bash -c 'dnf builddep -y --spec freeipa.spec.in && make rpms' -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
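Review bot: The image tag is now built from `${TRAVIS_BRANCH}` (`martbab/freeipa-fedora-builder:${TRAVIS_BRANCH}-latest`). For push builds Travis sets that variable to the branch being pushed, so any branch without a matching `<branch>-latest` image fails at `docker run`; either restrict builds to the branches that have images or fall back to a default tag. The expansions in both script entries are unquoted and should be quoted.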
[Freeipa-devel] [freeipa PR#63] fix for 6238 "Unable to view certificates issued by Sub CA in Web UI" separated from pr31 (+pushed)
pvoborni's pull request #63: "fix for 6238 "Unable to view certificates issued by Sub CA in Web UI" separated from pr31" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/63 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#63] fix for 6238 "Unable to view certificates issued by Sub CA in Web UI" separated from pr31 (comment)
martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/40f923f56b4777e3e18c9f76ba1a745ed69ef0a6 https://fedorahosted.org/freeipa/changeset/64ac981dddcecf1176585b6e7b729cf38b24bcea ipa-4-4: https://fedorahosted.org/freeipa/changeset/0b76ba8723d7ba6f7657d0f7c17f2fc2a7356752 https://fedorahosted.org/freeipa/changeset/29af03aa4283883612bdc8cbd299f5caa6adee2b """ See the full comment at https://github.com/freeipa/freeipa/pull/63#issuecomment-245196074 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#63] fix for 6238 "Unable to view certificates issued by Sub CA in Web UI" separated from pr31 (closed)
pvoborni's pull request #63: "fix for 6238 "Unable to view certificates issued by Sub CA in Web UI" separated from pr31" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/63 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/63/head:pr63 git checkout pr63 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#58] Ip addr validation (comment)
martbab commented on a pull request """ @mbasti-rh you forgot to copy-paste the code to promote_check function. @pvoborni ^^ and that's why we need to refactor installer code """ See the full comment at https://github.com/freeipa/freeipa/pull/58#issuecomment-245277233 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#67] advise: Use `name` instead of `__name__` to get plugin names (opened)
martbab's pull request #67: "advise: Use `name` instead of `__name__` to get plugin names" was opened PR body: """ This change will allow ipa-advise to correctly handle advise plugins with custom names. """ See the full pull-request at https://github.com/freeipa/freeipa/pull/67 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/67/head:pr67 git checkout pr67 From c4555af51ccdf9e867436ec5e0349538da512baf Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 18 Jul 2016 10:44:23 +0200 Subject: [PATCH] advise: Use `name` instead of `__name__` to get plugin names This change will allow ipa-advise to correctly handle advise plugins with custom names. --- ipaserver/advise/base.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py index a2dc9cc..f7e8ef5 100644 --- a/ipaserver/advise/base.py +++ b/ipaserver/advise/base.py @@ -168,11 +168,11 @@ def print_config_list(self): self.print_header('List of available advices') max_keyword_len = max( -(len(advice.__name__) for advice in advise_api.Advice)) +(len(advice.name) for advice in advise_api.Advice)) for advice in advise_api.Advice: description = getattr(advice, 'description', '') -keyword = advice.__name__.replace('_', '-') +keyword = advice.name.replace('_', '-') # Compute the number of spaces needed for the table to be aligned offset = max_keyword_len - len(keyword) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
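Review bot: Only `print_config_list` is switched to `advice.name`; both changed lines are in the listing code. If the code that resolves the advice keyword given on the command line still matches on `__name__`, a plugin with a custom name would be listed under a keyword that cannot be selected, so please confirm the lookup path uses `name` as well or include it in this patch. A short test with a plugin whose `name` differs from its class name would cover both paths.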
[Freeipa-devel] [freeipa PR#19] WebUI: Add 'Restore' option to action dropdown menu (+pushed)
pvomacka's pull request #19: "WebUI: Add 'Restore' option to action dropdown menu" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/19 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#19] WebUI: Add 'Restore' option to action dropdown menu (comment)
martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/c3374c6e16a10e8780401c58c04dcf8d95ea1a4d ipa-4-4: https://fedorahosted.org/freeipa/changeset/8ac026a22506188815f66a65f9592fee724a6720 """ See the full comment at https://github.com/freeipa/freeipa/pull/19#issuecomment-245519260 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#19] WebUI: Add 'Restore' option to action dropdown menu (closed)
pvomacka's pull request #19: "WebUI: Add 'Restore' option to action dropdown menu" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/19 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/19/head:pr19 git checkout pr19 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#67] advise: Use `name` instead of `__name__` to get plugin names (comment)
martbab commented on a pull request """ This change is intended only for master branch and I think a ticket would be a bit overkill. """ See the full comment at https://github.com/freeipa/freeipa/pull/67#issuecomment-245526674 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#68] netgroup: avoid extraneous LDAP search when retrieving primary key from DN (opened)
martbab's pull request #68: "netgroup: avoid extraneous LDAP search when retrieving primary key from DN" was opened PR body: """ Fixes https://fedorahosted.org/freeipa/ticket/5855 Please note that the parent method does not correctly handle cases when the attribute considered as primary key is contained in multiple RDNs: >>> LDAPObject.get_primary_key_from_dn( ... DN('ipauniqueid=yadda-yadda,cn=ng,cn=alt,dc=ipa,dc=test')) u'ng' That's why I had to completely override parent method. """ See the full pull-request at https://github.com/freeipa/freeipa/pull/68 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/68/head:pr68 git checkout pr68 From 37df489287887ad99ffa26a00a43b558535b2ea5 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Thu, 8 Sep 2016 16:30:33 +0200 Subject: [PATCH] netgroup: avoid extraneous LDAP search when retrieving primary key from DN DNs for netgroup entries can contain either 'cn' or 'ipauniqueid' attribute in their leaf RDN depending on their origin. Since 'cn' is the primary key, we can return it in `get_primary_key_from_dn` right away and avoid any extraneous LDAP search. https://fedorahosted.org/freeipa/ticket/5855 --- ipaserver/plugins/netgroup.py | 16 1 file changed, 16 insertions(+) diff --git a/ipaserver/plugins/netgroup.py b/ipaserver/plugins/netgroup.py index f76a0ba..3a24a38 100644 --- a/ipaserver/plugins/netgroup.py +++ b/ipaserver/plugins/netgroup.py 
@@ -237,6 +237,22 @@ class netgroup(LDAPObject): external_host_param, ) +def get_primary_key_from_dn(self, dn): +first_ava = dn.rdns[0][0] +if first_ava[0] == self.primary_key.name: +return unicode(first_ava[1]) + +try: +entry_attrs = self.backend.get_entry( +dn, [self.primary_key.name] +) +try: +return entry_attrs[self.primary_key.name][0] +except (KeyError, IndexError): +return '' +except errors.NotFound: +return unicode(dn) + @register() class netgroup_add(LDAPCreate): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
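Review bot: `first_ava = dn.rdns[0][0]` has no guard for an empty DN, so a DN with no RDNs raises IndexError before either return path is reached; add `if not dn.rdns: return u''` (or whatever the callers expect) ahead of it. The method also mixes `unicode(...)` return values with a bare `''` in the `except (KeyError, IndexError)` branch; use `u''` so every path returns the same type. Since the method overrides the parent implementation completely, a comment giving the reason from the PR description (the parent picks up `cn` from a non-leaf RDN) belongs in the code.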
[Freeipa-devel] [freeipa PR#67] advise: Use `name` instead of `__name__` to get plugin names (+pushed)
martbab's pull request #67: "advise: Use `name` instead of `__name__` to get plugin names" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/67 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#67] advise: Use `name` instead of `__name__` to get plugin names (closed)
martbab's pull request #67: "advise: Use `name` instead of `__name__` to get plugin names" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/67 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/67/head:pr67 git checkout pr67 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#60] Tests: extend DNS cmdline tests with lowercased record type (closed)
mbasti-rh's pull request #60: "Tests: extend DNS cmdline tests with lowercased record type" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/60 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/60/head:pr60 git checkout pr60 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#60] Tests: extend DNS cmdline tests with lowercased record type (+pushed)
mbasti-rh's pull request #60: "Tests: extend DNS cmdline tests with lowercased record type" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/60 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#60] Tests: extend DNS cmdline tests with lowercased record type (comment)
martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/866e59bdcee74ea9aea4e65f193339ae9cab5ce3 ipa-4-4: https://fedorahosted.org/freeipa/changeset/e302886204fbac3f155bf272debeaf3330c99952 """ See the full comment at https://github.com/freeipa/freeipa/pull/60#issuecomment-245636839 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#67] advise: Use `name` instead of `__name__` to get plugin names (comment)
martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/5b9516753cae324126fac7e17b6918c08e210d59 """ See the full comment at https://github.com/freeipa/freeipa/pull/67#issuecomment-245636195 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#68] netgroup: avoid extraneous LDAP search when retrieving primary key from DN (edited)
martbab's pull request #68: "netgroup: avoid extraneous LDAP search when retrieving primary key from DN" was edited See the full pull-request at https://github.com/freeipa/freeipa/pull/68 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/68/head:pr68 git checkout pr68 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#68] netgroup: avoid extraneous LDAP search when retrieving primary key from DN (edited)
martbab's pull request #68: "netgroup: avoid extraneous LDAP search when retrieving primary key from DN" was edited See the full pull-request at https://github.com/freeipa/freeipa/pull/68 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/68/head:pr68 git checkout pr68 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#66] [master, ipa-4-4] Tests: Add cleanup to integration trust tests (+ack)
mirielka's pull request #66: "[master, ipa-4-4] Tests: Add cleanup to integration trust tests" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/66 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#70] [master, ipa-4-4] Tests: Fix failing ldap.backend test (+ack)
mirielka's pull request #70: "[master, ipa-4-4] Tests: Fix failing ldap.backend test" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/70 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#43] Tests: Fix regex errors in integration trust tests (+ack)
mirielka's pull request #43: "Tests: Fix regex errors in integration trust tests" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/43 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#68] netgroup: avoid extraneous LDAP search when retrieving primary key from DN (synchronize)
martbab's pull request #68: "netgroup: avoid extraneous LDAP search when retrieving primary key from DN" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/68 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/68/head:pr68 git checkout pr68 From 78b3d051022bb67e0539c75fcc4b0dec88f2635e Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Thu, 8 Sep 2016 16:30:33 +0200 Subject: [PATCH] netgroup: avoid extraneous LDAP search when retrieving primary key from DN DNs for netgroup entries can contain either 'cn' or 'ipauniqueid' attribute in their leaf RDN depending on their origin. Since 'cn' is the primary key, we can return it in `get_primary_key_from_dn` right away and avoid any extraneous LDAP search. https://fedorahosted.org/freeipa/ticket/5855 --- ipaserver/plugins/netgroup.py | 20 1 file changed, 20 insertions(+) diff --git a/ipaserver/plugins/netgroup.py b/ipaserver/plugins/netgroup.py index f76a0ba..11fec0a 100644 --- a/ipaserver/plugins/netgroup.py +++ b/ipaserver/plugins/netgroup.py @@ -237,6 +237,26 @@ class netgroup(LDAPObject): external_host_param, ) +def get_primary_key_from_dn(self, dn): +assert isinstance(dn, DN) +if not dn.rdns: +return u'' + +first_ava = dn.rdns[0][0] +if first_ava[0] == self.primary_key.name: +return unicode(first_ava[1]) + +try: +entry_attrs = self.backend.get_entry( +dn, [self.primary_key.name] +) +try: +return entry_attrs[self.primary_key.name][0] +except (KeyError, IndexError): +return u'' +except errors.NotFound: +return unicode(dn) + @register() class netgroup_add(LDAPCreate): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
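Review bot: `assert isinstance(dn, DN)` is the only type check at the top of `get_primary_key_from_dn` and it is removed when Python runs with `-O`; if callers can pass anything other than a `DN`, raise `TypeError` explicitly, otherwise drop the assert. The fallbacks also return different kinds of value: `u''` for an empty DN or a missing attribute, but the whole DN string for `errors.NotFound`, and a caller cannot tell that string from a real `cn`. A docstring stating what each case returns, and why the parent method is overridden rather than called, would make that contract reviewable.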
[Freeipa-devel] [freeipa PR#71] Fix regression introduced in ipa-certupdate (+ack)
flo-renaud's pull request #71: "Fix regression introduced in ipa-certupdate" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/71 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#71] Fix regression introduced in ipa-certupdate (closed)
flo-renaud's pull request #71: "Fix regression introduced in ipa-certupdate" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/71 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/71/head:pr71 git checkout pr71 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#71] Fix regression introduced in ipa-certupdate (+pushed)
flo-renaud's pull request #71: "Fix regression introduced in ipa-certupdate" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/71 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#71] Fix regression introduced in ipa-certupdate (comment)
martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/cd75eb3b2557cbd97e93be3e1ceeef21b948a694 ipa-4-4: https://fedorahosted.org/freeipa/changeset/2eeab3acf43c8f33729b48779c12aea57e453075 """ See the full comment at https://github.com/freeipa/freeipa/pull/71#issuecomment-245927050 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#68] netgroup: avoid extraneous LDAP search when retrieving primary key from DN (comment)
martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/003b364c5a06a5adc89bac7371f46d534cfb4616 ipa-4-4: https://fedorahosted.org/freeipa/changeset/85b98059f91670bd489c35816b2ff901a7820c4f """ See the full comment at https://github.com/freeipa/freeipa/pull/68#issuecomment-245929493 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#68] netgroup: avoid extraneous LDAP search when retrieving primary key from DN (+pushed)
martbab's pull request #68: "netgroup: avoid extraneous LDAP search when retrieving primary key from DN" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/68 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#68] netgroup: avoid extraneous LDAP search when retrieving primary key from DN (closed)
martbab's pull request #68: "netgroup: avoid extraneous LDAP search when retrieving primary key from DN" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/68 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/68/head:pr68 git checkout pr68 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#43] Tests: Fix regex errors in integration trust tests (closed)
mirielka's pull request #43: "Tests: Fix regex errors in integration trust tests" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/43 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/43/head:pr43 git checkout pr43 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#43] Tests: Fix regex errors in integration trust tests (comment)
martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/fc5a99274c2ea0301a539fe9a8b2dc9b61786a8a ipa-4-4: https://fedorahosted.org/freeipa/changeset/86fa116ee8617a60c8111f3061408bcd70db06ff """ See the full comment at https://github.com/freeipa/freeipa/pull/43#issuecomment-245937241 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#43] Tests: Fix regex errors in integration trust tests (+pushed)
mirielka's pull request #43: "Tests: Fix regex errors in integration trust tests" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/43 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#66] [master, ipa-4-4] Tests: Add cleanup to integration trust tests (closed)
mirielka's pull request #66: "[master, ipa-4-4] Tests: Add cleanup to integration trust tests" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/66 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/66/head:pr66 git checkout pr66 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#66] [master, ipa-4-4] Tests: Add cleanup to integration trust tests (comment)
martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/b8240133866bb8fabd3962b44789a0315f2e7dd8 ipa-4-4: https://fedorahosted.org/freeipa/changeset/f27b064eeac0fece9cf79482c3971c971c7ef46d """ See the full comment at https://github.com/freeipa/freeipa/pull/66#issuecomment-246683023 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#66] [master, ipa-4-4] Tests: Add cleanup to integration trust tests (+pushed)
mirielka's pull request #66: "[master, ipa-4-4] Tests: Add cleanup to integration trust tests" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/66 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#70] [master, ipa-4-4] Tests: Fix failing ldap.backend test (+pushed)
mirielka's pull request #70: "[master, ipa-4-4] Tests: Fix failing ldap.backend test" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/70 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#70] [master, ipa-4-4] Tests: Fix failing ldap.backend test (closed)
mirielka's pull request #70: "[master, ipa-4-4] Tests: Fix failing ldap.backend test" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/70 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/70/head:pr70 git checkout pr70 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#70] [master, ipa-4-4] Tests: Fix failing ldap.backend test (comment)
martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/8c6f677a166d01a120e6b2a9361d7e5d3888c1c7 ipa-4-4: https://fedorahosted.org/freeipa/changeset/0670721ae34f50b93befd4d59737a8991f33c6f7 """ See the full comment at https://github.com/freeipa/freeipa/pull/70#issuecomment-246683564 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (opened)
martbab's pull request #79: "trust-fetch-domains: contact forest DCs when fetching trust domain info" was opened PR body: """ The code should always contact forest root DCs when requesting trust domain info. In the case of one-way or external trusts `com.redhat.idm.trust-fetch-domains` helper is leveraged, otherwise forest root domain is contacted directly through Samba using the credentials of HTTP principal. https://fedorahosted.org/freeipa/ticket/6328 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/79 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/79/head:pr79 git checkout pr79 From f284042564c1ca6f6d52690d5c734f1ee0d92e6d Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 13 Sep 2016 15:59:40 +0200 Subject: [PATCH] trust-fetch-domains: contact forest DCs when fetching trust domain info The code should always contact forest root DCs when requesting trust domain info. In the case of one-way or external trusts `com.redhat.idm.trust-fetch-domains` helper is leveraged, otherwise forest root domain is contacted directly through Samba using the credentials of HTTP principal. https://fedorahosted.org/freeipa/ticket/6328 --- ipaserver/plugins/trust.py | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 8f8f987..6e6f6c5 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py 
@@ -1739,15 +1739,20 @@ def execute(self, *keys, **options): ldap = self.api.Backend.ldap2 verify_samba_component_presence(ldap, self.api) -trust = self.api.Command.trust_show(keys[0], raw=True)['result'] +trust = self.api.Command.trust_show( +keys[0], all=True, raw=True)['result'] result = dict() result['result'] = [] result['count'] = 0 result['truncated'] = False -# For one-way trust fetch over DBus. we don't get the list in this case. -if int(trust['ipanttrustdirection'][0]) != TRUST_BIDIRECTIONAL: +trust_direction = int(trust['ipanttrustdirection'][0]) +is_nontransitive = int(trust.get('ipanttrustattributes', + [0])[0]) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE +# For one-way trust and external trust fetch over DBus. +# We don't get the list in this case. +if trust_direction != TRUST_BIDIRECTIONAL or is_nontransitive: fetch_trusted_domains_over_dbus(self.api, self.log, keys[0]) result['summary'] = unicode(_('List of trust domains successfully refreshed. Use trustdomain-find command to list them.')) return result @@ -1762,6 +1767,9 @@ def execute(self, *keys, **options): 'on the IPA server first' ) ) + +trustinstance.populate_remote_domain(keys[0]) + res = fetch_domains_from_trust(self.api, trustinstance, **options) domains = add_new_domains_from_trust(self.api, trustinstance, trust, res, **options) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
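Review bot: In the first hunk the comment says the DBus path is taken for "one-way trust and external trust", but the condition tests `LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE`; state in the comment that an external trust is recognised here by the non-transitive attribute so the two cannot drift apart. `is_nontransitive` holds the masked integer rather than a boolean, so wrap the expression in `bool(...)` or rename it. `trust_show` now passes `all=True`, presumably only to obtain `ipanttrustattributes`; a note saying so would stop a later cleanup from removing it, after which the `[0]` default would make every trust look transitive without any error.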
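Review bot: In the second hunk `trustinstance.populate_remote_domain(keys[0])` is added with no error handling in the visible lines, so a failure to reach the remote DCs surfaces as whatever that call raises rather than as a command error like the `'on the IPA server first'` one just above it. The commit message says the forest root DCs are always contacted, while the argument is the trust name `keys[0]`; if the code relies on one-way and non-transitive trusts having already returned through the DBus branch, so that `keys[0]` names a forest root here, say so in a comment.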
[Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (opened)
martbab's pull request #80: "ipa passwd: use correct normalizer for user principals" was opened PR body: """ Commit c2af032c0333f7e210c54369159d1d9f5e3fec74 introduced a regression in the handling of user principals supplied to the`ipa passwd` command. This patch restores the original behavior which lowercases the username portion of the principal. https://fedorahosted.org/freeipa/ticket/6329 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/80 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/80/head:pr80 git checkout pr80 From 8f17dcd7ada1ea296f589962c5ca24dd7f9089b8 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 13 Sep 2016 15:40:04 +0200 Subject: [PATCH] ipa passwd: use correct normalizer for user principals Commit c2af032c0333f7e210c54369159d1d9f5e3fec74 introduced a regression in the handling of user principals supplied to the`ipa passwd` command. This patch restores the original behavior which lowercases the username portion of the principal. https://fedorahosted.org/freeipa/ticket/6329 --- ipaserver/plugins/passwd.py | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ipaserver/plugins/passwd.py b/ipaserver/plugins/passwd.py index 1576c4c..ebc41d9 100644 --- a/ipaserver/plugins/passwd.py +++ b/ipaserver/plugins/passwd.py @@ -29,7 +29,8 @@ from ipalib.request import context from ipapython import kerberos from ipapython.dn import DN -from ipaserver.plugins.service import validate_realm, normalize_principal +from ipaserver.plugins.baseuser import normalize_user_principal +from ipaserver.plugins.service import validate_realm if six.PY3: unicode = str @@ -66,7 +67,7 @@ def get_current_password(principal): be ignored later. """ current_principal = krb_utils.get_principal() -if current_principal == unicode(normalize_principal(principal)): +if current_principal == unicode(normalize_user_principal(principal)): return None else: return MAGIC_VALUE 
@@ -84,7 +85,7 @@ class passwd(Command): primary_key=True, autofill=True, default_from=lambda: kerberos.Principal(krb_utils.get_principal()), -normalizer=lambda value: normalize_principal(value), +normalizer=lambda value: normalize_user_principal(value), ), Password('password', label=_('New Password'), -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
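Review bot: In `get_current_password`, the result of `current_principal == unicode(normalize_user_principal(principal))` selects between `None` and `MAGIC_VALUE`, and only the right-hand side is normalized; `krb_utils.get_principal()` is compared as returned. Since this patch exists because the normalizers differ in how they treat the case of the user name, compare like with like (normalize both sides, or compare `kerberos.Principal` objects) so that the branch taken does not depend on how the caller typed the name.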
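Review bot: In the `class passwd(Command)` hunk, `normalizer=lambda value: normalize_user_principal(value)` wraps the function in a lambda that adds nothing; `normalizer=normalize_user_principal` reads more clearly unless late binding is intended. The diffstat shows only `ipaserver/plugins/passwd.py` changing, so the regression described in the commit message has no test; a case that passes a mixed-case user name to `ipa passwd` would keep it from returning.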
[Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (closed)
martbab's pull request #79: "trust-fetch-domains: contact forest DCs when fetching trust domain info" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/79 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/79/head:pr79 git checkout pr79 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (+pushed)
martbab's pull request #79: "trust-fetch-domains: contact forest DCs when fetching trust domain info" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/79 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (comment)
martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/b0d40b80e8d9a4960296ce70d843ad987657696b ipa-4-4: https://fedorahosted.org/freeipa/changeset/6755cbbc3346910bcd4be1577351cc15ab7d3140 """ See the full comment at https://github.com/freeipa/freeipa/pull/79#issuecomment-246944496
[Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (closed)
martbab's pull request #80: "ipa passwd: use correct normalizer for user principals" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/80 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/80/head:pr80 git checkout pr80
[Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (+pushed)
martbab's pull request #80: "ipa passwd: use correct normalizer for user principals" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/80
[Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (comment)
martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/f3f9087ee8d1b1531730cf1e91fe404092e8c81d ipa-4-4: https://fedorahosted.org/freeipa/changeset/0fe08fdce78b8a26cae1ad238cfea20fe86b8332 """ See the full comment at https://github.com/freeipa/freeipa/pull/80#issuecomment-246979841
[Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (+pushed)
mbasti-rh's pull request #81: "Fix emptyzones dns upgrade" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/81
[Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (comment)
martbab commented on a pull request """ Fixed upstream ipa-4-3: https://fedorahosted.org/freeipa/changeset/2d011b97c8a56d9eabae2ca3d88c30314e0adb58 https://fedorahosted.org/freeipa/changeset/93756dc719723bbec93497ecd6e06e325e6eecbd ipa-4-4: https://fedorahosted.org/freeipa/changeset/afeb4bd8a6039173c24201803f1253fae2529a83 https://fedorahosted.org/freeipa/changeset/e39cc53d90175e3cae6805302f318a96bc0e1af1 master: https://fedorahosted.org/freeipa/changeset/22fd6f020940b5b2a1258f8e0e6058c95f7a1ba5 https://fedorahosted.org/freeipa/changeset/271a4f098230112ee0e3ea3ffb3a509977ee7330 """ See the full comment at https://github.com/freeipa/freeipa/pull/81#issuecomment-247004156
[Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (closed)
mbasti-rh's pull request #81: "Fix emptyzones dns upgrade" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/81 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/81/head:pr81 git checkout pr81
[Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (+ack)
mbasti-rh's pull request #81: "Fix emptyzones dns upgrade" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/81
[Freeipa-devel] [freeipa PR#98][opened] Make server uninstaller exit with non-zero exit status during failed validation
URL: https://github.com/freeipa/freeipa/pull/98 Author: martbab Title: #98: Make server uninstaller exit with non-zero exit status during failed validation Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/5725 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/98/head:pr98 git checkout pr98 From 96f61a20e5bf0d6c1a945bc6288700b7531ac315 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Sep 2016 15:12:30 +0200 Subject: [PATCH 1/2] use separate exception handlers for executors and validators installer framework has been modified to allow for different error handling during validation and execution phases. https://fedorahosted.org/freeipa/ticket/5725 --- ipapython/install/core.py | 22 ++ 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/ipapython/install/core.py b/ipapython/install/core.py index 9582852..881d3c6 100644 --- a/ipapython/install/core.py +++ b/ipapython/install/core.py @@ -322,7 +322,9 @@ def _validator(self): Coroutine which runs the validation part of the configurable. """ -return self.__runner(_VALIDATE_PENDING, _VALIDATE_RUNNING) +return self.__runner(_VALIDATE_PENDING, + _VALIDATE_RUNNING, + self._handle_validate_exception) def execute(self): """ @@ -337,7 +339,9 @@ def _executor(self): Coroutine which runs the execution part of the configurable. """ -return self.__runner(_EXECUTE_PENDING, _EXECUTE_RUNNING) +return self.__runner(_EXECUTE_PENDING, + _EXECUTE_RUNNING, + self._handle_execute_exception) def done(self): """ @@ -353,7 +357,7 @@ def run_until_executing(self, gen): except StopIteration: break -def __runner(self, pending_state, running_state): +def __runner(self, pending_state, running_state, exc_handler): self.__transition(pending_state, running_state) step = lambda: next(self.__gen) 
@@ -369,7 +373,7 @@ def __runner(self, pending_state, running_state): except BaseException: exc_info = sys.exc_info() try: -self._handle_exception(exc_info) +exc_handler(exc_info) except BaseException: raise else: @@ -393,6 +397,16 @@ def _handle_exception(self, exc_info): six.reraise(*exc_info) +def _handle_validate_exception(self, exc_info): +assert not hasattr(super(Configurable, self), + '_handle_validate_exception') +self._handle_exception(exc_info) + +def _handle_execute_exception(self, exc_info): +assert not hasattr(super(Configurable, self), + '_handle_execute_exception') +self._handle_exception(exc_info) + def __transition(self, from_state, to_state): if self.__state != from_state: raise InvalidStateError(self.__state) From 8c990e0407c9682a306e2c9d66c768aa6be87b0e Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Sep 2016 15:15:50 +0200 Subject: [PATCH 2/2] Make Continuous installer continuous only during execution phase `common.Continuous` class is a basis for uninstallers, which should execute all the steps regardless of occuring errors. However, we would like the installer to raise exceptions and return non-zero exit code during validation phase when some preconditions are not met. Add a separate exception handler which catches exceptions and logs them as errors during execution phase only. https://fedorahosted.org/freeipa/ticket/5725 --- ipapython/install/common.py | 4 ++-- ipapython/install/core.py | 5 + 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/ipapython/install/common.py b/ipapython/install/common.py index 799ce50..fc8e332 100644 --- a/ipapython/install/common.py +++ b/ipapython/install/common.py 
@@ -86,9 +86,9 @@ class Interactive(core.Configurable): class Continuous(core.Configurable): -def _handle_exception(self, exc_info): +def _handle_execute_exception(self, exc_info): try: -super(Continuous, self)._handle_exception(exc_info) +super(Continuous, self)._handle_execute_exception(exc_info) except BaseException as e: self.log.debug(traceback.format_exc()) if isinstance(e, Exception): diff --git a/ipapython/install/core.py b/ipapython/install/core.py index 881d3c6..8593690 100644 --- a/ipapython/install/core.py +++ b/ipapython/install/core.py @@ -375,11 +375,8 @@ def __runner(self, pending_state, running_state, exc_handler): try:
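Review bot: In the `core.py` hunk that adds `_handle_validate_exception` and `_handle_execute_exception`, the `assert not hasattr(super(Configurable, self), ...)` guards are undocumented and disappear when Python runs with `-O`. If they are meant to catch a conflicting method further up the MRO, say so in a comment or docstring; if the check must always hold, raise an explicit exception instead of asserting.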
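Review bot: In the `Continuous` hunk of `common.py`, renaming the override to `_handle_execute_exception` changes the class contract without documenting it: per the commit message, validation errors now propagate while execution errors are still caught and logged. Add a class docstring stating that only the execution phase is continuous, so that uninstaller authors do not assume failed validation is swallowed as before.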
[Freeipa-devel] [freeipa PR#82][comment] Fix regexp in user/group name
URL: https://github.com/freeipa/freeipa/pull/82 Title: #82: Fix regexp in user/group name martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/37200806118d39ef8afe84ad5887a294d54e2659 https://fedorahosted.org/freeipa/changeset/8f8e3d008f1de91337a83ea6d271662432209767 ipa-4-4: https://fedorahosted.org/freeipa/changeset/85ee93deb62ce8026122e5c40cdc8813f6a70e81 https://fedorahosted.org/freeipa/changeset/63914414bcc151ca954258215757ddd2bf4c3843 """ See the full comment at https://github.com/freeipa/freeipa/pull/82#issuecomment-248339321
[Freeipa-devel] [freeipa PR#82][+pushed] Fix regexp in user/group name
URL: https://github.com/freeipa/freeipa/pull/82 Title: #82: Fix regexp in user/group name Label: +pushed
[Freeipa-devel] [freeipa PR#82][closed] Fix regexp in user/group name
URL: https://github.com/freeipa/freeipa/pull/82 Author: mbasti-rh Title: #82: Fix regexp in user/group name Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/82/head:pr82 git checkout pr82
[Freeipa-devel] [freeipa PR#100][+rejected] Ipa 4 4
URL: https://github.com/freeipa/freeipa/pull/100 Title: #100: Ipa 4 4 Label: +rejected
[Freeipa-devel] [freeipa PR#100][closed] Ipa 4 4
URL: https://github.com/freeipa/freeipa/pull/100 Author: alibasim86 Title: #100: Ipa 4 4 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/100/head:pr100 git checkout pr100
[Freeipa-devel] [freeipa PR#100][comment] Ipa 4 4
URL: https://github.com/freeipa/freeipa/pull/100 Title: #100: Ipa 4 4 martbab commented: """ Pull Requests are intended for contributing code to FreeIPA upstream. If you need help with your deployment or have a question about FreeIPA please use our public mailing list (https://www.redhat.com/mailman/listinfo/freeipa-users) or ask at #freeipa irc channel on freenode. """ See the full comment at https://github.com/freeipa/freeipa/pull/100#issuecomment-248530322
[Freeipa-devel] [freeipa PR#96][+ack] Show error message for invalid IPs in client install
URL: https://github.com/freeipa/freeipa/pull/96 Title: #96: Show error message for invalid IPs in client install Label: +ack
[Freeipa-devel] [freeipa PR#96][closed] Show error message for invalid IPs in client install
URL: https://github.com/freeipa/freeipa/pull/96 Author: tomaskrizek Title: #96: Show error message for invalid IPs in client install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/96/head:pr96 git checkout pr96
[Freeipa-devel] [freeipa PR#96][comment] Show error message for invalid IPs in client install
URL: https://github.com/freeipa/freeipa/pull/96 Title: #96: Show error message for invalid IPs in client install martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ddf48f2fef344784b9e1918d2f2ee6feef9d4c04 """ See the full comment at https://github.com/freeipa/freeipa/pull/96#issuecomment-248545080
[Freeipa-devel] [freeipa PR#96][+pushed] Show error message for invalid IPs in client install
URL: https://github.com/freeipa/freeipa/pull/96 Title: #96: Show error message for invalid IPs in client install Label: +pushed
[Freeipa-devel] [freeipa PR#92][comment] Add log messages for IP checks during client install
URL: https://github.com/freeipa/freeipa/pull/92 Title: #92: Add log messages for IP checks during client install martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/d6f6a291da5926217ac3acbbb959fd23227c7bd2 """ See the full comment at https://github.com/freeipa/freeipa/pull/92#issuecomment-248547405
[Freeipa-devel] [freeipa PR#92][closed] Add log messages for IP checks during client install
URL: https://github.com/freeipa/freeipa/pull/92 Author: tomaskrizek Title: #92: Add log messages for IP checks during client install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/92/head:pr92 git checkout pr92
[Freeipa-devel] [freeipa PR#92][+pushed] Add log messages for IP checks during client install
URL: https://github.com/freeipa/freeipa/pull/92 Title: #92: Add log messages for IP checks during client install Label: +pushed
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install martbab commented: """ Regarding requesting certificate for krbtgt, we plan to fix cert-request in a more systematic manner to allow requesting certificate for any principal in IPA realm (see https://fedorahosted.org/freeipa/ticket/6295) so hopefully the cert-request fixes would not be needed eventually. As a side question is the separate profile needed due to some custom extensions required for PKINIT certificate? """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-248570361
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install martbab commented: """ I thought so, it would be nice to have this mentioned somewhere, e.g. in profile description so that the future selves will know why this is needed. """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-248576106
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install martbab commented: """ Thank you """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-248581191
[Freeipa-devel] [freeipa PR#103][+rejected] Backport XMLRPC test fixes to ipa-4-3 branch
URL: https://github.com/freeipa/freeipa/pull/103 Title: #103: Backport XMLRPC test fixes to ipa-4-3 branch Label: +rejected
[Freeipa-devel] [freeipa PR#103][closed] Backport XMLRPC test fixes to ipa-4-3 branch
URL: https://github.com/freeipa/freeipa/pull/103 Author: martbab Title: #103: Backport XMLRPC test fixes to ipa-4-3 branch Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/103/head:pr103 git checkout pr103
[Freeipa-devel] [freeipa PR#104][opened] Backport XMLRPC test fixes to ipa-4-3 branch
URL: https://github.com/freeipa/freeipa/pull/104 Author: martbab Title: #104: Backport XMLRPC test fixes to ipa-4-3 branch Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6316 https://fedorahosted.org/freeipa/ticket/6317 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/104/head:pr104 git checkout pr104 From 68f049a1d7830726f1f74267d33dda26ca33f837 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 19 Aug 2016 10:39:40 +0200 Subject: [PATCH 1/2] Raise DuplicatedEnrty error when user exists in delete_container We do not have right to write to users delete_container. In case that user already exists in that container and we tried to add entry, we receive ACIError. This must be checked and DuplicationEntry error must be raised before. https://fedorahosted.org/freeipa/ticket/6199 Reviewed-By: Jan Cholasta --- ipalib/plugins/user.py | 15 +-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 2b792af..a207809 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -356,6 +356,10 @@ class user(baseuser): ), ) +def get_delete_dn(self, *keys, **options): +active_dn = self.get_dn(*keys, **options) +return DN(active_dn[0], self.delete_container_dn, api.env.basedn) + def get_either_dn(self, *keys, **options): ''' Returns the DN of a user @@ -372,7 +376,7 @@ def get_either_dn(self, *keys, **options): dn = active_dn except errors.NotFound: # Check that this value is a Delete user -delete_dn = DN(active_dn[0], self.delete_container_dn, api.env.basedn) +delete_dn = self.get_delete_dn(*keys, **options) try: ldap.get_entry(delete_dn, ['dn']) 
@@ -416,7 +420,14 @@ class user_add(baseuser_add): ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): -dn = self.obj.get_either_dn(*keys, **options) +delete_dn = self.obj.get_delete_dn(*keys, **options) +try: +ldap.get_entry(delete_dn, ['']) +except errors.NotFound: +pass +else: +raise self.obj.handle_duplicate_entry(*keys) + if not options.get('noprivate', False): try: # The Managed Entries plugin will allow a user to be created From 51ba0797ba92e83208061bb3346ffd80dc71fd69 Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Fri, 12 Aug 2016 19:49:33 +0200 Subject: [PATCH 2/2] Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin Class test_forward_zones in ipatests/test_xmlrpc/test_dns_plugin was using DNS zone 'fwzone2.test.' and expected to get warning 'Forwarding policy conflicts with some automatic empty zones.' (aka 'DNSForwardPolicyConflictWithEmptyZone'). This does not make sense because 'test.' zone is not listed in IANA registry 'Locally-Served DNS Zones': http://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml To fix this I simply removed the warning from set of expected results. https://fedorahosted.org/freeipa/ticket/6213 Reviewed-By: Martin Basti Reviewed-By: Stanislav Laznicka --- ipatests/test_xmlrpc/test_dns_plugin.py | 10 +- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py index 7c2450f..810c7c3 100644 --- a/ipatests/test_xmlrpc/test_dns_plugin.py +++ b/ipatests/test_xmlrpc/test_dns_plugin.py 
@@ -3417,15 +3417,7 @@ def setup_class(cls): expected={ 'value': fwzone2_dnsname, 'summary': None, -u'messages': ( -{u'message': lambda x: x.startswith( -u"Forwarding policy conflicts with some " -"automatic empty zones."), - u'code': 13021, - u'type': u'warning', - u'name': u'DNSForwardPolicyConflictWithEmptyZone', -}, -{u'message': lambda x: x.startswith( +u'messages': ({u'message': lambda x: x.startswith( u"DNS server %s: query '%s SOA':" % (forwarder1, fwzone2)), u'code': 13006, -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
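Review bot: In the `user_add.pre_callback` hunk, the existence probe `ldap.get_entry(delete_dn, [''])` requests an empty attribute name, while `get_either_dn` in the same file probes the same container with `['dn']`; use one form for both so the two lookups behave identically. The probe and the later add are also separate LDAP operations, so an entry that appears in the delete container in between would still surface as the ACIError the commit message describes, and a comment saying the check is best-effort would help. The hunk also drops `dn = self.obj.get_either_dn(*keys, **options)`, so the rest of the callback now works with the `dn` argument as passed in, which deserves a mention in the commit message.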
[Freeipa-devel] [freeipa PR#104][synchronized] Backport XMLRPC test fixes to ipa-4-3 branch
URL: https://github.com/freeipa/freeipa/pull/104 Author: martbab Title: #104: Backport XMLRPC test fixes to ipa-4-3 branch Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/104/head:pr104 git checkout pr104 From 2a95cf2cce9a032d453eb84f319d7a82ab964c22 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 19 Aug 2016 10:39:40 +0200 Subject: [PATCH 1/2] Raise DuplicatedEnrty error when user exists in delete_container We do not have right to write to users delete_container. In case that user already exists in that container and we tried to add entry, we receive ACIError. This must be checked and DuplicationEntry error must be raised before. Original ticket: https://fedorahosted.org/freeipa/ticket/6199 Backported to ipa-4-3: https://fedorahosted.org/freeipa/ticket/6316 --- ipalib/plugins/user.py | 15 +-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 2b792af..a207809 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -356,6 +356,10 @@ class user(baseuser): ), ) +def get_delete_dn(self, *keys, **options): +active_dn = self.get_dn(*keys, **options) +return DN(active_dn[0], self.delete_container_dn, api.env.basedn) + def get_either_dn(self, *keys, **options): ''' Returns the DN of a user @@ -372,7 +376,7 @@ def get_either_dn(self, *keys, **options): dn = active_dn except errors.NotFound: # Check that this value is a Delete user -delete_dn = DN(active_dn[0], self.delete_container_dn, api.env.basedn) +delete_dn = self.get_delete_dn(*keys, **options) try: ldap.get_entry(delete_dn, ['dn']) 
@@ -416,7 +420,14 @@ class user_add(baseuser_add): ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): -dn = self.obj.get_either_dn(*keys, **options) +delete_dn = self.obj.get_delete_dn(*keys, **options) +try: +ldap.get_entry(delete_dn, ['']) +except errors.NotFound: +pass +else: +raise self.obj.handle_duplicate_entry(*keys) + if not options.get('noprivate', False): try: # The Managed Entries plugin will allow a user to be created From dde22fbd3b438f761740f31315d6a91cebd4e721 Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Fri, 12 Aug 2016 19:49:33 +0200 Subject: [PATCH 2/2] Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin Class test_forward_zones in ipatests/test_xmlrpc/test_dns_plugin was using DNS zone 'fwzone2.test.' and expected to get warning 'Forwarding policy conflicts with some automatic empty zones.' (aka 'DNSForwardPolicyConflictWithEmptyZone'). This does not make sense because 'test.' zone is not listed in IANA registry 'Locally-Served DNS Zones': http://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml To fix this I simply removed the warning from set of expected results. Original ticket: https://fedorahosted.org/freeipa/ticket/6213 Backported to ipa-4-3: https://fedorahosted.org/freeipa/ticket/6317 --- ipatests/test_xmlrpc/test_dns_plugin.py | 10 +- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py index 7c2450f..810c7c3 100644 --- a/ipatests/test_xmlrpc/test_dns_plugin.py +++ b/ipatests/test_xmlrpc/test_dns_plugin.py 
@@ -3417,15 +3417,7 @@ def setup_class(cls): expected={ 'value': fwzone2_dnsname, 'summary': None, -u'messages': ( -{u'message': lambda x: x.startswith( -u"Forwarding policy conflicts with some " -"automatic empty zones."), - u'code': 13021, - u'type': u'warning', - u'name': u'DNSForwardPolicyConflictWithEmptyZone', -}, -{u'message': lambda x: x.startswith( +u'messages': ({u'message': lambda x: x.startswith( u"DNS server %s: query '%s SOA':" % (forwarder1, fwzone2)), u'code': 13006, -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
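Review bot: In the `setup_class` hunk of `test_dns_plugin.py`, the expectation for `DNSForwardPolicyConflictWithEmptyZone` (code 13021) is deleted outright, so this class no longer exercises that warning at all. Unless another case already covers it, add a forward zone whose name is in the Locally-Served DNS Zones registry and expect the warning there, so the removal fixes the wrong expectation without losing coverage of the code path.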
[Freeipa-devel] [freeipa PR#105][+ack] Test: dont use global variable for iteration in test_cert_plugin
URL: https://github.com/freeipa/freeipa/pull/105 Title: #105: Test: dont use global variable for iteration in test_cert_plugin Label: +ack
[Freeipa-devel] [freeipa PR#105][+pushed] Test: dont use global variable for iteration in test_cert_plugin
URL: https://github.com/freeipa/freeipa/pull/105 Title: #105: Test: dont use global variable for iteration in test_cert_plugin Label: +pushed
[Freeipa-devel] [freeipa PR#105][closed] Test: dont use global variable for iteration in test_cert_plugin
URL: https://github.com/freeipa/freeipa/pull/105 Author: mbasti-rh Title: #105: Test: dont use global variable for iteration in test_cert_plugin Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/105/head:pr105 git checkout pr105
[Freeipa-devel] [freeipa PR#105][comment] Test: dont use global variable for iteration in test_cert_plugin
URL: https://github.com/freeipa/freeipa/pull/105 Title: #105: Test: dont use global variable for iteration in test_cert_plugin martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/929086e0992cc32a654b4dfa435f536ecb0c665b """ See the full comment at https://github.com/freeipa/freeipa/pull/105#issuecomment-248901967
[Freeipa-devel] [freeipa PR#112][opened] The first jab at fixing https://fedorahosted.org/freeipa/ticket/5809
URL: https://github.com/freeipa/freeipa/pull/112 Author: martbab Title: #112: The first jab at fixing https://fedorahosted.org/freeipa/ticket/5809 Action: opened PR body: """ There are two ways to fix the issue reported in the ticket: 1.) Make certificate handling code to generate nicknames that do not break existing implementation of `installutils.set_directive` 2.) Extend the quoting abilities of the function so that it is less fragile when encoding more funky values such as quoted RDNs This PR opts for option 2. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/112/head:pr112 git checkout pr112 From 6db1f860dd13d90b039e71a08804bdd1f7f5a8fd Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 23 Sep 2016 15:53:41 +0200 Subject: [PATCH 1/2] Move character escaping function to ipautil Functions `escape_seq` and `unescape_seq` have a generic use-case so it makes sense to move them from `kerberos` to ipautil module so that other modules can reuse them more readily. https://fedorahosted.org/freeipa/ticket/5809 --- ipapython/ipautil.py | 27 +++ ipapython/kerberos.py | 29 ++--- 2 files changed, 29 insertions(+), 27 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 62d029d..fac76d1 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py 
@@ -1484,3 +1484,30 @@ def is_fips_enabled(): # Consider that the host is not fips-enabled if the file does not exist pass return False + + +def unescape_seq(seq, *args): +""" +unescape (remove '\\') all occurences of sequence in input strings. + +:param seq: sequence to unescape +:param args: input string to process + +:returns: tuple of strings with unescaped sequences +""" +unescape_re = re.compile(r'\\{}'.format(seq)) + +return tuple(re.sub(unescape_re, seq, a) for a in args) + + +def escape_seq(seq, *args): +""" +escape (prepend '\\') all occurences of sequence in input strings + +:param seq: sequence to escape +:param args: input string to process + +:returns: tuple of strings with escaped sequences +""" + +return tuple(a.replace(seq, u'\\{}'.format(seq)) for a in args) diff --git a/ipapython/kerberos.py b/ipapython/kerberos.py index 298dbf1..a8ebc04 100644 --- a/ipapython/kerberos.py +++ b/ipapython/kerberos.py @@ -8,6 +8,8 @@ import re import six +from ipapython.ipautil import escape_seq, unescape_seq + if six.PY3: unicode = str @@ -58,33 +60,6 @@ def split_principal_name(principal_name): return tuple(COMPONENT_SPLIT_RE.split(principal_name)) -def unescape_seq(seq, *args): -""" -unescape (remove '\\') all occurences of sequence in input strings. - -:param seq: sequence to unescape -:param args: input string to process - -:returns: tuple of strings with unescaped sequences -""" -unescape_re = re.compile(r'\\{}'.format(seq)) - -return tuple(re.sub(unescape_re, seq, a) for a in args) - - -def escape_seq(seq, *args): -""" -escape (prepend '\\') all occurences of sequence in input strings - -:param seq: sequence to escape -:param args: input string to process - -:returns: tuple of strings with escaped sequences -""" - -return tuple(a.replace(seq, u'\\{}'.format(seq)) for a in args) - - @six.python_2_unicode_compatible class Principal(object): """ From 685e48ef2fca9e0bccacb789d8c15ce367f9b846 Mon Sep 17 00:00:00 2001 
From: Martin Babinsky Date: Fri, 23 Sep 2016 15:56:46 +0200 Subject: [PATCH 2/2] mod_nss: use more robust quoting of NSSNickname directive The code which handles configuration of mod_nss module must be more robust when handling NSS nicknames generated from subject names containing quoted RDN values. https://fedorahosted.org/freeipa/ticket/5809 --- ipaserver/install/httpinstance.py | 3 ++- ipaserver/install/installutils.py | 41 --- 2 files changed, 32 insertions(+), 12 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 00f8901..7914f4c 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -263,7 +263,8 @@ def __set_mod_nss_port(self): print("Updating port in %s failed." % paths.HTTPD_NSS_CONF) def __set_mod_nss_nickname(self, nickname): -installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname', nickname) +installutils.set_directive( +paths.HTTPD_NSS_CONF, 'NSSNickname', nickname, quote_char="'") def set_mod_nss_protocol(self): installutils.set_di
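Review bot: In the `unescape_seq` lines added to ipapython/ipautil.py, `seq` goes into the pattern unescaped (`re.compile(r'\\{}'.format(seq))`), so a sequence containing a regex metacharacter such as `.` or `*` matches more than the literal text, and the function is no longer the inverse of `escape_seq`. Since the stated reason for the move is reuse by other modules, build the pattern with `re.escape(seq)`, or drop the regex and use `a.replace(u'\\' + seq, seq)`. `escape_seq` also leaves backslashes already present in the input alone: a backslash directly before `seq` comes out as two backslashes followed by `seq`, which a consumer that reads `\\` as an escaped backslash will parse as an unescaped `seq`. Either escape the backslash first or state the limit in the docstring. The hunk adds no import, so confirm that `re` is already imported in ipautil.py, and the docstrings could have "occurences" corrected to "occurrences" while they are being moved.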
[Freeipa-devel] [freeipa PR#112][synchronized] The first jab at fixing https://fedorahosted.org/freeipa/ticket/5809
URL: https://github.com/freeipa/freeipa/pull/112 Author: martbab Title: #112: The first jab at fixing https://fedorahosted.org/freeipa/ticket/5809 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/112/head:pr112 git checkout pr112 From 6db1f860dd13d90b039e71a08804bdd1f7f5a8fd Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 23 Sep 2016 15:53:41 +0200 Subject: [PATCH 1/2] Move character escaping function to ipautil Functions `escape_seq` and `unescape_seq` have a generic use-case so it makes sense to move them from `kerberos` to ipautil module so that other modules can reuse them more readily. https://fedorahosted.org/freeipa/ticket/5809 --- ipapython/ipautil.py | 27 +++ ipapython/kerberos.py | 29 ++--- 2 files changed, 29 insertions(+), 27 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 62d029d..fac76d1 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -1484,3 +1484,30 @@ def is_fips_enabled(): # Consider that the host is not fips-enabled if the file does not exist pass return False + + +def unescape_seq(seq, *args): +""" +unescape (remove '\\') all occurences of sequence in input strings. + +:param seq: sequence to unescape +:param args: input string to process + +:returns: tuple of strings with unescaped sequences +""" +unescape_re = re.compile(r'\\{}'.format(seq)) + +return tuple(re.sub(unescape_re, seq, a) for a in args) + + +def escape_seq(seq, *args): +""" +escape (prepend '\\') all occurences of sequence in input strings + +:param seq: sequence to escape +:param args: input string to process + +:returns: tuple of strings with escaped sequences +""" + +return tuple(a.replace(seq, u'\\{}'.format(seq)) for a in args) diff --git a/ipapython/kerberos.py b/ipapython/kerberos.py index 298dbf1..a8ebc04 100644 --- a/ipapython/kerberos.py +++ b/ipapython/kerberos.py 
@@ -8,6 +8,8 @@ import re import six +from ipapython.ipautil import escape_seq, unescape_seq + if six.PY3: unicode = str @@ -58,33 +60,6 @@ def split_principal_name(principal_name): return tuple(COMPONENT_SPLIT_RE.split(principal_name)) -def unescape_seq(seq, *args): -""" -unescape (remove '\\') all occurences of sequence in input strings. - -:param seq: sequence to unescape -:param args: input string to process - -:returns: tuple of strings with unescaped sequences -""" -unescape_re = re.compile(r'\\{}'.format(seq)) - -return tuple(re.sub(unescape_re, seq, a) for a in args) - - -def escape_seq(seq, *args): -""" -escape (prepend '\\') all occurences of sequence in input strings - -:param seq: sequence to escape -:param args: input string to process - -:returns: tuple of strings with escaped sequences -""" - -return tuple(a.replace(seq, u'\\{}'.format(seq)) for a in args) - - @six.python_2_unicode_compatible class Principal(object): """ From 49a3535e0eff2a9ed2c3cbc36adff03c96730f69 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 23 Sep 2016 15:56:46 +0200 Subject: [PATCH 2/2] mod_nss: use more robust quoting of NSSNickname directive The code which handles configuration of mod_nss module must be more robust when handling NSS nicknames generated from subject names containing quoted RDN values. https://fedorahosted.org/freeipa/ticket/5809 --- ipaserver/install/httpinstance.py | 3 ++- ipaserver/install/installutils.py | 42 +-- 2 files changed, 33 insertions(+), 12 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 00f8901..7914f4c 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py 
@@ -263,7 +263,8 @@ def __set_mod_nss_port(self): print("Updating port in %s failed." % paths.HTTPD_NSS_CONF) def __set_mod_nss_nickname(self, nickname): -installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname', nickname) +installutils.set_directive( +paths.HTTPD_NSS_CONF, 'NSSNickname', nickname, quote_char="'") def set_mod_nss_protocol(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1,TLSv1.2', False) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index bf179a2..2e4fc58 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -376,13 +376,35 @@ def update_file(filename, orig, subst): print("File
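Review bot: In `__set_mod_nss_nickname`, passing `quote_char="'"` only moves the failure from nicknames containing a double quote to nicknames containing an apostrophe, unless `set_directive` also escapes the quote character inside the value. The nickname is generated from a certificate subject, so its content is not fixed by the installer, and the installutils.py hunk is cut off here, so the escaping cannot be checked from these lines. Confirm that the reworked `set_directive` escapes `quote_char` (and any backslash) in the value before wrapping it, and add a test with a nickname containing both `'` and `"`. The neighbouring call in `set_mod_nss_protocol` passes `False` positionally as its fourth argument while this call uses a keyword; once the function takes a second optional quoting parameter, keyword arguments at every call site would keep the two from being mixed up.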