[Freeipa-devel] [freeipa PR#789][+ack] [4.4] ipaclient: fix missing RPM ownership
URL: https://github.com/freeipa/freeipa/pull/789 Title: #789: [4.4] ipaclient: fix missing RPM ownership Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#787][comment] ipasetup: fix dependencies handling based on python version
URL: https://github.com/freeipa/freeipa/pull/787 Title: #787: ipasetup: fix dependencies handling based on python version pvomacka commented: """ Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/787#issuecomment-301713360
[Freeipa-devel] [freeipa PR#787][+ack] ipasetup: fix dependencies handling based on python version
URL: https://github.com/freeipa/freeipa/pull/787 Title: #787: ipasetup: fix dependencies handling based on python version Label: +ack
[Freeipa-devel] [freeipa PR#776][+ack] [4.5 backport] Added plugins directory to ipaclient subpackages
URL: https://github.com/freeipa/freeipa/pull/776 Title: #776: [4.5 backport] Added plugins directory to ipaclient subpackages Label: +ack
[Freeipa-devel] [freeipa PR#775][+ack] [4.4 backport] Added plugins directory to ipaclient subpackages
URL: https://github.com/freeipa/freeipa/pull/775 Title: #775: [4.4 backport] Added plugins directory to ipaclient subpackages Label: +ack
[Freeipa-devel] [freeipa PR#782][comment] [WIP] Improving GUI text in "Add DNS Zones" popup
URL: https://github.com/freeipa/freeipa/pull/782 Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup pvomacka commented: """ Yes, this pattern should be used. We already have a widget for this (without hiding not-selected area) and it is used i.e. in certmapdata adder dialog which could be opened from user's details page. Try to look for `multiple_choice_section`. """ See the full comment at https://github.com/freeipa/freeipa/pull/782#issuecomment-301450276
[Freeipa-devel] [freeipa PR#782][comment] [WIP] Improving GUI text in "Add DNS Zones" popup
URL: https://github.com/freeipa/freeipa/pull/782 Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup pvomacka commented: """ Sorry, I hadn't refreshed the page so I didn't see @pvoborni's comment before I sent mine. The suggestion which Petr wrote into Bugzilla should be discussed with @MartinBasti and if I recall correctly he did not recommend it from the point of view of DNS. """ See the full comment at https://github.com/freeipa/freeipa/pull/782#issuecomment-301117428
[Freeipa-devel] [freeipa PR#782][comment] [WIP] Improving GUI text in "Add DNS Zones" popup
URL: https://github.com/freeipa/freeipa/pull/782 Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup pvomacka commented: """

Hello @felipevolpone,

Thank you for your patch. For adding arbitrary text into a dialog or details page, IPA.html_widget is probably the most suitable (but it has a big disadvantage - described below in section A). You can put it into the section you created. It might look like this:

```
{
    name: 'dnszone_title',
    show_header: false,
    fields: [
        {
            field: false,
            $type: 'html',
            name: 'info',
            html: "Select the required zone type."
        }
    ],
    layout: {
        $factory: IPA.fluid_layout,
        widget_cls: "col-sm-12 controls",
        label_cls: "hide"
    }
},
```

The layout attribute of the section might not be needed, but I would say that here it is good to add it. It hides the label of the field and sets the width of the field to 100% of the dialog. (Simpler solutions below - B and C)

A) The html attribute contains the text which will be displayed. The text there should be taken from translatable strings. It can be done by using `text.get('i18n:path.to.the.string')` and writing the string into ipaserver/internal.py. The main challenge here might be to find a place where the string has to be loaded. It has to be done before building the whole dialog and its sections. You will probably need to override the `dialog_build_properites` attribute of the entity specification and there change the `$post_ops` operation, which is where the function that builds the adder dialog for the entity is (add the loading of the translatable string there).

B) (not tested) Another solution would be to set a text field instead of the html one, turn off the field in the same way as above and then set it non-writable and read_only. Then hide the label, and there `text.get()` should work directly in the field definition. (It should not be necessary to change the behavior of building the entity's adder dialog.)

C) Another solution would be to create a new widget, which will work in the same way as `IPA.html_widget` but will support translatable strings.

If you have any questions, feel free to ask. :)

""" See the full comment at https://github.com/freeipa/freeipa/pull/782#issuecomment-301113031
[Freeipa-devel] [freeipa PR#778][+ack] ipaclient: fix missing RPM ownership
URL: https://github.com/freeipa/freeipa/pull/778 Title: #778: ipaclient: fix missing RPM ownership Label: +ack
[Freeipa-devel] [freeipa PR#762][+ack] fix managed-entries printing IPA not installed
URL: https://github.com/freeipa/freeipa/pull/762 Title: #762: fix managed-entries printing IPA not installed Label: +ack
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From cbe2a8491beea81a80a2cb261496d1c41c9b2195 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 4 install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 30 ++ ipaserver/install/server/upgrade.py | 25 + ipaserver/setup.py| 1 + 5 files changed, 73 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ee9a36b..83788bf 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -199,6 +199,7 @@ BuildRequires: python-nose BuildRequires: python-paste BuildRequires: systemd-python BuildRequires: python2-jinja2 +BuildRequires: python-augeas %if 0%{?with_python3} # FIXME: this depedency is missing - server will not work @@ -236,6 +237,7 @@ BuildRequires: python3-nose BuildRequires: python3-paste BuildRequires: python3-systemd BuildRequires: python3-jinja2 +BuildRequires: python3-augeas %endif # with_python3 %endif # with_lint @@ -359,6 +361,7 @@ Requires: python-dns >= 1.15 Requires: python-kdcproxy >= 0.3 Requires: rpm-libs Requires: pki-base-python2 +Requires: python-augeas %description -n python2-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, 
@@ -388,6 +391,7 @@ Requires: python3-pyasn1 Requires: python3-dbus Requires: python3-dns >= 1.15 Requires: python3-kdcproxy >= 0.3 +Requires: python3-augeas Requires: rpm-libs Requires: pki-base-python3 diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd @@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 7898c53..ab688a8 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +from augeas import Augeas from ipalib.install import certmonger from ipaserver.install import service @@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lns') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF) + +ocsp_comment = aug.get( +'{}/#comment[.=~regexp("NSS
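Review bot: in the `restart_httpd` hunk, the new `api.bootstrap()`, `get_directive()` and `trust_root_cert()` calls sit at the top of `_main()`, ahead of the existing `syslog` notice and the `try:`, so an exception from any of them ends the script before the rest of `_main()` runs and nothing in the visible lines logs it. `nickname` is also passed to `trust_root_cert()` without checking that `get_directive()` actually found `NSSNickname`. Suggest moving the three calls under the existing error handling (or giving them their own `try` with a `syslog` error) and skipping the trust change with a logged message when `nickname` is empty.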
[Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf pvomacka commented: """ @MartinBasti thank you for comments, fixed. """ See the full comment at https://github.com/freeipa/freeipa/pull/729#issuecomment-298853135
[Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Title: #729: Turn on NSSOCSP check in mod_nss conf pvomacka commented: """ Hello @flo-renaud, thank you for testing this. Hello @MartinBasti, thank you for review. I just fixed that. """ See the full comment at https://github.com/freeipa/freeipa/pull/729#issuecomment-298668970
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 9e8e55bb205211637539bf149eb1fa0ed13ff872 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 2 ++ install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 30 ++ ipaserver/install/server/upgrade.py | 25 + 4 files changed, 70 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ee9a36b..0b5500e 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -359,6 +359,7 @@ Requires: python-dns >= 1.15 Requires: python-kdcproxy >= 0.3 Requires: rpm-libs Requires: pki-base-python2 +Requires: python-augeas %description -n python2-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, @@ -388,6 +389,7 @@ Requires: python3-pyasn1 Requires: python3-dbus Requires: python3-dns >= 1.15 Requires: python3-kdcproxy >= 0.3 +Requires: python3-augeas Requires: rpm-libs Requires: pki-base-python3 diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 7898c53..ab688a8 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +from augeas import Augeas from ipalib.install import certmonger from ipaserver.install import service @@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lns') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF) + +ocsp_comment = aug.get( +'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) +ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) + +if ocsp_dir is None and ocsp_comment is not None: +# Directive is missing, comment is present +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), +'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +elif ocsp_dir is None: +
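Review bot: in `enable_mod_nss_ocsp`, the `#comment[.=~regexp("NSSOCSP .*")]` match treats any comment that begins with `NSSOCSP ` as the commented-out directive, then overwrites its text with `NSSOCSP` and renames the node to `directive`. A prose comment that happens to start with the directive name would be converted too, and `aug.get()` is called on an expression that can match more than one node under `VirtualHost`. Suggest narrowing the regexp to the directive form (for example `NSSOCSP (on|off)`), and using `aug.match()` to pick a single node before the `set`/`rename` pair so the multi-match case is handled explicitly.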
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 91565422833deab89b378bb40df2bf19e9cb2209 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 30 ++ ipaserver/install/server/upgrade.py | 25 + 4 files changed, 69 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ee9a36b..24fc838 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -314,6 +314,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 7898c53..ab688a8 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +from augeas import Augeas from ipalib.install import certmonger from ipaserver.install import service @@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lns') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF) + +ocsp_comment = aug.get( +'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) +ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) + +if ocsp_dir is None and ocsp_comment is not None: +# Directive is missing, comment is present +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), +'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +elif ocsp_dir is None: +# Directive is missing and comment is missing +aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP") + +aug.set('{}/directive[. = "NSSOCSP"]/arg'.fo
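Review bot: the `freeipa.spec.in` hunk in this revision adds `Requires: python-augeas` next to `sssd-dbus` in the `%{alt_name}-server` package section, but the module that imports it is `ipaserver/install/httpinstance.py`, with `from augeas import Augeas` at module level. If the `ipaserver` Python package can be installed without the server package, that import fails as soon as `httpinstance` is loaded. Suggest declaring the dependency on the sub-package that ships `ipaserver`, and keeping a Python 3 counterpart if the Python 3 build is meant to work, as the earlier revision of this patch did with `python3-augeas`.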
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 740da4c68e307187de86beb2113df87157a9e950 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 30 ++ ipaserver/install/server/upgrade.py | 24 4 files changed, 68 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ee9a36b..24fc838 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -314,6 +314,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 7898c53..72488cc 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +from augeas import Augeas from ipalib.install import certmonger from ipaserver.install import service @@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lns') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost') + +ocsp_comment = aug.get( +'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) +ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) + +if ocsp_dir is None and ocsp_comment is not None: +# Directive is missing, comment is present +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), +'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +elif ocsp_dir is None: +# Directive is missing and comment is missing +aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP") + +aug.set('{}/d
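Review bot: in `enable_mod_nss_ocsp`, `os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost')` builds an Augeas tree path with a filesystem helper and silently depends on `HTTPD_NSS_CONF` being absolute; the `[1:]` slice drops a real character if it ever is not. The previous `'/files{}/VirtualHost'.format(...)` form said the same thing more directly; if the join is kept, please confirm `os` is imported in this module, since the patch adds only the `augeas` import. The resulting path also selects every `VirtualHost` node in the file, so a short comment stating that exactly one is expected (or an explicit index) would help.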
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 3c994f38a5dad38b89c57ecce0558059d4d39e65 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 30 ++ ipaserver/install/server/upgrade.py | 24 4 files changed, 68 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ee9a36b..24fc838 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -314,6 +314,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 7898c53..72488cc 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +from augeas import Augeas from ipalib.install import certmonger from ipaserver.install import service @@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lns') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost') + +ocsp_comment = aug.get( +'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) +ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) + +if ocsp_dir is None and ocsp_comment is not None: +# Directive is missing, comment is present +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), +'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +elif ocsp_dir is None: +# Directive is missing and comment is missing +aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP") + +aug.set('{}/d
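Review bot: in the `restart_httpd` hunk, the comment "Add trust flag which set certificate trusted for SSL connections" does not say why the server certificate found via `NSSNickname` is being marked `P,,`, and the call used is `trust_root_cert()`, which reads as if a CA certificate were being trusted. The reason is given only in the commit message (avoiding the need to contact the OCSP responder for httpd's own certificate while httpd is starting). Suggest moving that explanation into the code comment, and noting there that marking the certificate as a trusted peer is deliberate, so a later reader does not take the flag for a mistake or widen it.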
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 2da6692288d276e199f3d4d92a69fd59f31ff138 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 30 ++ ipaserver/install/server/upgrade.py | 24 4 files changed, 68 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbc67cb..9077734 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -306,6 +306,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index aeb5c5e..f291580 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +from augeas import Augeas from ipalib.constants import IPAAPI_USER from ipalib.install import certmonger @@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -263,6 +265,31 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lens') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost') + +ocsp_comment = aug.get( +'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) +ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) + +if ocsp_dir is None and ocsp_comment is not None: +# Directive is missing, comment is present +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), +'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +elif ocsp_dir is None: +# Directive is missing and comment is missing +aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP") + +aug.set('{}/d
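Review bot: in install/restart_scripts/restart_httpd, the value returned by installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") is passed straight to db.trust_root_cert(nickname, "P,,") with no check that the directive was found, and the whole new block sits ahead of the existing syslog call and try:, so an exception from api.bootstrap(), the lookup or the trust change is not covered by that handler. Validate nickname before using it and move the block inside the try (or give it its own handler that logs to syslog) so a trust-flag problem is reported and does not stop the script short.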
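Review bot: in enable_mod_nss_ocsp() in ipaserver/install/httpinstance.py, path ends in an unindexed 'VirtualHost' and the comment is selected with regexp("NSSOCSP .*"), while aug.get() and aug.set() each expect a single matching node; if more than one node matches (the same commented line in a second VirtualHost block, or another comment whose text begins with "NSSOCSP "), the expression is ambiguous. Check the result of aug.match() first and fail with a clear message, or pin the expression to one node.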
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 96447296da8dd4ee565d9b5dcf5991e160e87091 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH 1/2] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 19 +++ ipaserver/install/server/upgrade.py | 24 4 files changed, 57 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbc67cb..9077734 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -306,6 +306,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index aeb5c5e..90f918b 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +import augeas from ipalib.constants import IPAAPI_USER from ipalib.install import certmonger @@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -263,6 +265,20 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = augeas.Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lens') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost') + +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), 'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -369,6 +385,7 @@ def __setup_ssl(self): create=True) self.disable_system_trust() self.create_password_conf() + if self.pkcs12_info: if self.ca_is_configured: trust_flags = 'CT,C,C' @@ -393,6 +410
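Review bot: in ipaserver/install/httpinstance.py the import is now "import augeas", but enable_mod_nss_ocsp() still passes flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD, and nothing in the visible hunks binds the bare name Augeas, so the constructor call raises NameError before any configuration is touched. Write augeas.Augeas.NO_LOAD | augeas.Augeas.NO_MODL_AUTOLOAD, or import the class with "from augeas import Augeas" and call Augeas(...) directly.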
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From d2a319e8aed6cc0510fb2b4395a8e37f487fa95c Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 19 +++ ipaserver/install/server/upgrade.py | 24 4 files changed, 57 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbc67cb..9077734 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -306,6 +306,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index aeb5c5e..aefb9dc 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +import augeas from ipalib.constants import IPAAPI_USER from ipalib.install import certmonger @@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -263,6 +265,20 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = augeas.Augeas() +ocsp_path = os.path.join('/files', + paths.HTTPD_NSS_CONF[1:], + 'VirtualHost') +aug.set( +'{path}/#comment[. =~ regexp("NSSOCSP .*")]'.format(path=ocsp_path), +'NSSOCSP') +aug.rename('{path}/#comment[. = "NSSOCSP"]'.format(path=ocsp_path), + 'directive') +aug.set('{path}/directive[. = "NSSOCSP"]/arg'.format(path=ocsp_path), +'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -369,6 +385,7 @@ def __setup_ssl(self): create=True) self.disable_system_trust() self.create_password_conf() + if self.pkcs12_info: if self.ca_is_configured: trust_flags = 'CT,C,C' @@ -393,6 +410,8 @@ def __setup_ssl(self): self.
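Review bot: enable_mod_nss_ocsp() in ipaserver/install/httpinstance.py assumes nss.conf still carries the commented-out NSSOCSP line: the first aug.set() targets #comment[. =~ regexp("NSSOCSP .*")] unconditionally, and nothing covers the case where the directive is already active or the comment has been removed, which matters because the commit message says this is also turned on during upgrade. Read the directive first, convert the comment only when the directive is missing, and append a new directive when neither is present.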
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From dcd894bf135d37ed647a244f415b7a55cbe10412 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 13 - ipaserver/install/httpinstance.py | 18 ++ ipaserver/install/server/upgrade.py | 12 +++- 4 files changed, 42 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbc67cb..9077734 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -306,6 +306,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..f10544c 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,22 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index aeb5c5e..2844d19 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +import augeas from ipalib.constants import IPAAPI_USER from ipalib.install import certmonger @@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -263,6 +265,19 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = augeas.Augeas() +ocsp_path = os.path.join('/files', + paths.HTTPD_NSS_CONF[1:], + 'VirtualHost') +ocsp = aug.get(os.path.join(ocsp_path, 'directive[. = "NSSOCSP"]/arg')) + +if ocsp is None: +aug.set(os.path.join(ocsp_path, 'directive[last()+1]'), 'NSSOCSP') + +aug.set(os.path.join(ocsp_path, 'directive[. = "NSSOCSP"]/arg'), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -369,6 +384,7 @@ def __setup_ssl(self): create=True) self.disable_system_trust() self.create_password_conf() + if self.pkcs12_info: if self.ca_is_configured: trust_flags = 'CT,C,C' @@ -393,6 +409,8 @@ def __setup_ssl(self): self.__set_mod_nss_nickname(nickname) self.add_cert_to_service() +db.trust_root_cert(nickname, "P,,") + else: if not self.promote: ca_args = [ diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 927acb0..732f6b5 100644 --- a/ipaserve
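Review bot: in __setup_ssl(), db.trust_root_cert(nickname, "P,,") is added directly after self.add_cert_to_service() and just before the else:, so it appears to run only on the pkcs12_info path; if the certificate obtained in the else branch also needs the 'P,,' flag at install time, the call belongs after the if/else. The commit message for this revision describes only the NSSOCSP directive and says nothing about changing trust flags on the server certificate in httpinstance.py and restart_httpd; add the reason to the message and a short comment at both call sites.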
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 641a69736086a14743052c3c17200fe8a545d2a2 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 ++ ipaserver/install/httpinstance.py | 18 ++ ipaserver/install/server/upgrade.py | 14 -- 4 files changed, 45 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbc67cb..9077734 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -306,6 +306,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..1d7615c 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,25 @@ import syslog import traceback +from ipalib import api from ipaplatform import services +from ipaplatform.paths import paths from ipaserver.install import certs def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +server_certs = db.find_server_certs() +if len(server_certs) == 0: +raise RuntimeError("Could not find a suitable server cert.") + +nickname = server_certs[0][0] +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index aeb5c5e..111392b 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +import augeas from ipalib.constants import IPAAPI_USER from ipalib.install import certmonger @@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss NSSOCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -263,6 +265,19 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = augeas.Augeas() +ocsp_path = os.path.join('/files', + paths.HTTPD_NSS_CONF[1:], + 'VirtualHost') +ocsp = aug.get(os.path.join(ocsp_path, 'directive[. = "NSSOCSP"]/arg')) + +if ocsp is None: +aug.set(os.path.join(ocsp_path, 'directive[last()+1]'), 'NSSOCSP') + +aug.set(os.path.join(ocsp_path, 'directive[. = "NSSOCSP"]/arg'), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -369,6 +384,7 @@ def __setup_ssl(self): create=True) self.disable_system_trust() self.create_password_conf() + if self.pkcs12_info: if self.ca_is_configured: trust_flags = 'CT,C,C' @@ -393,6 +409,8 @@ def __setup_ssl(self): self.__set_mod_nss_nickname(nickname) self.add_cert_to_service() +db.trust_root_cert(nickname, "P,,") + else: if not self.promote: ca_args = [ diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrad
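Review bot: in install/restart_scripts/restart_httpd, nickname = server_certs[0][0] trusts whichever server certificate find_server_certs() lists first, which is not necessarily the one mod_nss serves if the database ever holds more than one; take the nickname from the NSSNickname directive in paths.HTTPD_NSS_CONF instead. The RuntimeError is raised ahead of the existing try:, so confirm that an empty result should stop the script at that point, and prefer "if not server_certs:" over len(server_certs) == 0.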
[Freeipa-devel] [freeipa PR#729][opened] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: opened PR body: """ Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. https://pagure.io/freeipa/issue/6370 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 5c1777f9ee12f49382b18926e788ea38aa8e2241 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 ++ ipaserver/install/httpinstance.py | 16 ipaserver/install/server/upgrade.py | 14 -- 4 files changed, 43 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbc67cb..9077734 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -306,6 +306,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..1d7615c 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,25 @@ import syslog import traceback +from ipalib import api from ipaplatform import services +from ipaplatform.paths import paths from ipaserver.install import certs def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +server_certs = db.find_server_certs() +if len(server_certs) == 0: +raise RuntimeError("Could not find a suitable server cert.") + +nickname = server_certs[0][0] +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index aeb5c5e..5ef1438 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +import augeas from ipalib.constants import IPAAPI_USER from ipalib.install import certmonger @@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss NSSOCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -263,6 +265,17 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = augeas.Augeas() +ocsp_path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost') +ocsp = aug.get(os.path.join(ocsp_path, 'directive[. = "NSSOCSP"]/arg')) + +if ocsp is None: +aug.set(os.path.join(ocsp_path, 'directive[last()+1]'), 'NSSOCSP') + +aug.set(os.path.join(ocsp_path, 'directive[. = "NSSOCSP"]/arg'), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -369,6 +382,7 @@ def __setup_ssl(self): create=True) self.disable_system_trust() self.create_password_conf() + if self.pkcs12_info: if self.ca_is_configured: trust_flags = 'CT,C,C' @@ -393,6 +407,8 @@ def __setup_ssl(self): self.__set_mod_nss_nickname(nickname) self.add_cert_to_service() +db.trust_root_cert(nickname, "P,,&
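Review bot: enable_mod_nss_ocsp() creates its handle with augeas.Augeas() and default arguments, never closes it, and lets any failure from aug.save() propagate without saying which file was being written. Restrict what is loaded to the Httpd lens and paths.HTTPD_NSS_CONF, wrap the edit in try/finally with aug.close(), and report save errors together with the file name. os.path.join() is also used here to assemble Augeas path expressions, which are not filesystem paths; plain string formatting states the intent more clearly.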
[Freeipa-devel] [freeipa PR#713][opened] WebUI: fix showing required asterisk '*'
URL: https://github.com/freeipa/freeipa/pull/713 Author: pvomacka Title: #713: WebUI: fix showing required asterisk '*' Action: opened PR body: """ There was a bug that when user switch between two facets where is required field and in one of them is writable and in second one is not writable, then the asterisk which marks required field is not shown. i.e. admin vs. user details page or global_passwd_policy vs. other_passwd_policy details page. That was caused by incorrect evaluation of required state of field. Evaluation works that way: evaluate old required state, then evaluate current required state and if states has changed then emit change event. The evaluation depends on writable and read_only state of field. Those two states are set before evaluation of required state, but their old values (for evaluating previous required stated) were not stored anywhere. This commit adds two attributes which stores old writable and read_only states. The required asterisk is then shown correctly. https://pagure.io/freeipa/issue/6849 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/713/head:pr713 git checkout pr713 From dabf168e700efbe86c7c3788f4f8962852f183e3 Mon Sep 17 00:00:00 2001 
From: Pavel Vomacka Date: Thu, 13 Apr 2017 17:15:16 +0200 Subject: [PATCH] WebUI: fix showing required asterisk '*' There was a bug that when user switch between two facets where is required field and in one of them is writable and in second one is not writable, then the asterisk which marks required field is not shown. i.e. admin vs. user details page or global_passwd_policy vs. other_passwd_policy details page. That was caused by incorrect evaluation of required state of field. Evaluation works that way: evaluate old required state, then evaluate current required state and if states has changed then emit change event. The evaluation depends on writable and read_only state of field. Those two states are set before evaluation of required state, but their old values (for evaluating previous required stated) were not stored anywhere. This commit adds two attributes which stores old writable and read_only states. The required asterisk is then shown correctly. https://pagure.io/freeipa/issue/6849 --- install/ui/src/freeipa/field.js | 38 +- 1 file changed, 29 insertions(+), 9 deletions(-) diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js index 76ce253..f9836e2 100644 --- a/install/ui/src/freeipa/field.js +++ b/install/ui/src/freeipa/field.js @@ -221,6 +221,13 @@ field.field = IPA.field = function(spec) { that.read_only = spec.read_only; /** + * Attribute for storing previous value of read_only attribute. + * It is set during changing read_only attribute. + * @property {boolean} + */ +that.old_read_only = spec.read_only; + +/** * Writable is set during load * @readonly * @property {boolean} @@ -228,6 +235,13 @@ field.field = IPA.field = function(spec) { that.writable = true; /** + * Attribute for storing previous value of writable attribute. + * It is set during changing writable attribute. + * @property {boolean} + */ +that.old_writable = true; + +/** * Enabled * @readonly * @property {boolean} 
@@ -352,9 +366,14 @@ field.field = IPA.field = function(spec) { * Evaluate if field has to have some value * @return {boolean} */ -that.is_required = function() { -if (that.read_only) return false; -if (!that.writable) return false; +that.is_required = function(old) { +if (old) { +if (that.old_read_only) return false; +if (!that.old_writable) return false; +} else { +if (that.read_only) return false; +if (!that.writable) return false; +} if (that.required !== undefined) return that.required; return that.metadata && that.metadata.required; @@ -369,9 +388,9 @@ field.field = IPA.field = function(spec) { * @param {boolean} required */ that.set_required = function(required) { -var old = that.is_required(); +var old = that.is_required(true); that.required = required; -var current = that.is_required(); +var current = that.is_required(false); if (current !== old) { that.emit('require-change', { source: that, required: current }); @@ -570,9 +589,9 @@ field.field = IPA.field = function(spec) { */ that.set_writable = function(writable) { -var old = !!that.writable; +that.old_writable = !!that.writable; that.writable = writable; -if (old !== writable) { +if (that.old_writable !== writable) { that.emit('writable-change', { source: that, writable: writ
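Review bot: set_required() now takes its baseline from that.is_required(true), which reads that.old_read_only and that.old_writable, although only that.required changes in that function; the old_* values are whatever the last writable or read_only change left behind, so the baseline can describe a state from before that change and the 'require-change' event can be emitted, or skipped, incorrectly. Use the stored values only where writable or read_only is being changed, and the current ones in set_required(). The JSDoc above is_required still documents no parameter; add @param {boolean} old.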
[Freeipa-devel] [freeipa PR#712][opened] WebUI: Coverity fixes
URL: https://github.com/freeipa/freeipa/pull/712 Author: pvomacka Title: #712: WebUI: Coverity fixes Action: opened PR body: """ Several fixes: - null pointer exception - add explicit object - removes identical branches of if statement """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/712/head:pr712 git checkout pr712 From bcd280b6bebed9853522029a04e141c84fc7c2e2 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 13 Apr 2017 11:04:47 +0200 Subject: [PATCH 1/3] WebUI: Coverity - add explicit window object to alert methods All calls of alert were without explicit object. This commit adds explicit object window. --- install/ui/src/freeipa/association.js | 10 +- install/ui/src/freeipa/dns.js | 2 +- install/ui/src/freeipa/search.js | 2 +- install/ui/src/freeipa/sudo.js| 4 ++-- install/ui/src/freeipa/widget.js | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js index 27a76a5..dcb78f1 100644 --- a/install/ui/src/freeipa/association.js +++ b/install/ui/src/freeipa/association.js @@ -116,7 +116,7 @@ IPA.serial_associator = function(spec) { batch.add_command(command); } -//alert(JSON.stringify(command.to_json())); +//window.alert(JSON.stringify(command.to_json())); batch.execute(); }; @@ -154,7 +154,7 @@ IPA.bulk_associator = function(spec) { command.set_option(that.other_entity.name, that.values); -//alert(JSON.stringify(command.to_json())); +//window.alert(JSON.stringify(command.to_json())); command.execute(); }; @@ -731,7 +731,7 @@ IPA.association_table_widget = function (spec) { if (!selected_values.length) { var message = text.get('@i18n:dialogs.remove_empty'); -alert(message); +window.alert(message); return; } 
@@ -1268,7 +1268,7 @@ exp.association_facet = IPA.association_facet = function (spec, no_init) { if (!values.length) { var message = text.get('@i18n:dialogs.remove_empty'); -alert(message); +window.alert(message); return; } @@ -1579,7 +1579,7 @@ exp.attribute_facet = IPA.attribute_facet = function(spec, no_init) { if (!selected_values.length) { var message = text.get('@i18n:dialogs.remove_empty'); -alert(message); +window.alert(message); return; } diff --git a/install/ui/src/freeipa/dns.js b/install/ui/src/freeipa/dns.js index 1ea3aaa..1be8513 100644 --- a/install/ui/src/freeipa/dns.js +++ b/install/ui/src/freeipa/dns.js @@ -1949,7 +1949,7 @@ IPA.dns.record_type_table_widget = function(spec) { if (!selected_values.length) { var message = text.get('@i18n:dialogs.remove_empty'); -alert(message); +window.alert(message); return; } diff --git a/install/ui/src/freeipa/search.js b/install/ui/src/freeipa/search.js index e2fbf44..fd7174d 100644 --- a/install/ui/src/freeipa/search.js +++ b/install/ui/src/freeipa/search.js @@ -213,7 +213,7 @@ IPA.search_facet = function(spec, no_init) { var title; if (!values.length) { title = text.get('@i18n:dialogs.remove_empty'); -alert(title); +window.alert(title); return null; } diff --git a/install/ui/src/freeipa/sudo.js b/install/ui/src/freeipa/sudo.js index 44c9a20..733e411 100644 --- a/install/ui/src/freeipa/sudo.js +++ b/install/ui/src/freeipa/sudo.js @@ -860,7 +860,7 @@ IPA.sudo.options_section = function(spec) { if (!values.length) { var message = text.get('@i18n:dialogs.remove_empty'); -alert(message); +window.alert(message); return; } @@ -952,4 +952,4 @@ exp.register = function() { phases.on('registration', exp.register); return exp; -}); \ No newline at end of file +}); diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js index b7a6504..495e294 100644 --- a/install/ui/src/freeipa/widget.js +++ b/install/ui/src/freeipa/widget.js 
@@ -4331,7 +4331,7 @@ IPA.attribute_table_widget = function(spec) { if (!selected_values.length) { var message = text.get('@i18n:dialogs.remove_empty'); -alert(message); +window.alert(message); return null; } From c3c0909e6f2f1d451dde04b9c79a6e058bec838e Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 13 Apr 2017 12:03:08 +0200 Subject: [PATCH 2/3] WebUI - Coverity: fixed null pointer exception The record variable could be null. This check makes sure that variable w
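Review bot: the first two hunks in install/ui/src/freeipa/association.js only edit commented-out debugging lines (//alert(JSON.stringify(command.to_json())); becomes //window.alert(...)), which changes nothing at run time; delete those dead lines rather than carrying them forward. The last sudo.js hunk also adds the missing newline at end of file, which the commit message for 1/3 does not mention; note it there or split it out.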
[Freeipa-devel] [freeipa PR#709][closed] Fix s4u2self with adtrust
URL: https://github.com/freeipa/freeipa/pull/709 Author: simo5 Title: #709: Fix s4u2self with adtrust Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/709/head:pr709 git checkout pr709
[Freeipa-devel] [freeipa PR#709][+pushed] Fix s4u2self with adtrust
URL: https://github.com/freeipa/freeipa/pull/709 Title: #709: Fix s4u2self with adtrust Label: +pushed
[Freeipa-devel] [freeipa PR#709][comment] Fix s4u2self with adtrust
URL: https://github.com/freeipa/freeipa/pull/709 Title: #709: Fix s4u2self with adtrust pvomacka commented: """ ipa-4-5: * b5114070ae55bcc7ec1abe57b4c303cee4822930 Fix s4u2self with adtrust master: * e88d5e815ea440bcef4acdc5f8fcb3a29e6eaec9 Fix s4u2self with adtrust """ See the full comment at https://github.com/freeipa/freeipa/pull/709#issuecomment-293500560
[Freeipa-devel] [freeipa PR#697][comment] Create system users for FreeIPA services during package installation
URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation pvomacka commented: """ ipa-4-5: * e8a429d9e170955919f2e53e66b580be95e908d9 Create system users for FreeIPA services during package installation master: * a726e98f034347227765d7303a033a0538f5d8a1 Create system users for FreeIPA services during package installation """ See the full comment at https://github.com/freeipa/freeipa/pull/697#issuecomment-293308834
[Freeipa-devel] [freeipa PR#697][-ack] Create system users for FreeIPA services during package installation
URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation Label: -ack
[Freeipa-devel] [freeipa PR#697][closed] Create system users for FreeIPA services during package installation
URL: https://github.com/freeipa/freeipa/pull/697 Author: dkupka Title: #697: Create system users for FreeIPA services during package installation Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/697/head:pr697 git checkout pr697
[Freeipa-devel] [freeipa PR#697][+pushed] Create system users for FreeIPA services during package installation
URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation Label: +pushed
[Freeipa-devel] [freeipa PR#697][+ack] Create system users for FreeIPA services during package installation
URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation Label: +ack
[Freeipa-devel] [freeipa PR#704][+pushed] WebUI: cert login: Configure name of parameter used to pass username
URL: https://github.com/freeipa/freeipa/pull/704 Title: #704: WebUI: cert login: Configure name of parameter used to pass username Label: +pushed
[Freeipa-devel] [freeipa PR#704][closed] WebUI: cert login: Configure name of parameter used to pass username
URL: https://github.com/freeipa/freeipa/pull/704 Author: dkupka Title: #704: WebUI: cert login: Configure name of parameter used to pass username Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/704/head:pr704 git checkout pr704
[Freeipa-devel] [freeipa PR#704][comment] WebUI: cert login: Configure name of parameter used to pass username
URL: https://github.com/freeipa/freeipa/pull/704 Title: #704: WebUI: cert login: Configure name of parameter used to pass username pvomacka commented: """ ipa-4-5: * a9721e529e7a02eeb40d29cb7820e69cd86d9337 WebUI: cert login: Configure name of parameter used to pass username master: * 157831a287c64106eed4da4ace5228d7e369ae2f WebUI: cert login: Configure name of parameter used to pass username """ See the full comment at https://github.com/freeipa/freeipa/pull/704#issuecomment-293263171
[Freeipa-devel] [freeipa PR#517][closed] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Author: tiran Title: #517: Use Custodia 0.3.1 features Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/517/head:pr517 git checkout pr517
[Freeipa-devel] [freeipa PR#517][comment] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features pvomacka commented: """ ipa-4-5: * 403263df7a3be61086c87c5577698cf32a912065 Use Custodia 0.3.1 features master: * f5bf5466eda0de2a211b4f2682e5c50b82577701 Use Custodia 0.3.1 features """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-289762284
[Freeipa-devel] [freeipa PR#517][+pushed] Use Custodia 0.3.1 features
URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: Use Custodia 0.3.1 features Label: +pushed
[Freeipa-devel] [freeipa PR#643][closed] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Author: dkupka Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/643/head:pr643 git checkout pr643
[Freeipa-devel] [freeipa PR#643][+pushed] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Label: +pushed
[Freeipa-devel] [freeipa PR#643][comment] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work pvomacka commented: """ ipa-4-5: * aa24ed88006925e6d7e44567b087364b0116db9c spec file: Bump requires to make Certificate Login in WebUI work master: * 27d13d90fe9b06618c88bc20b7d6540e6b4d367f spec file: Bump requires to make Certificate Login in WebUI work """ See the full comment at https://github.com/freeipa/freeipa/pull/643#issuecomment-289753377
[Freeipa-devel] [freeipa PR#643][+ack] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Label: +ack
[Freeipa-devel] [freeipa PR#660][+pushed] rpcserver.login_x509: Actually return reply from __call__ method
URL: https://github.com/freeipa/freeipa/pull/660 Title: #660: rpcserver.login_x509: Actually return reply from __call__ method Label: +pushed
[Freeipa-devel] [freeipa PR#660][comment] rpcserver.login_x509: Actually return reply from __call__ method
URL: https://github.com/freeipa/freeipa/pull/660 Title: #660: rpcserver.login_x509: Actually return reply from __call__ method pvomacka commented: """ ipa-4-5: * c80941e98bfd00c1c6e530aa4a592354adff8d90 rpcserver.login_x509: Actually return reply from __call__ method master: * 7e1fdd2c5881893fd9540689045a11f9e88beef9 rpcserver.login_x509: Actually return reply from __call__ method """ See the full comment at https://github.com/freeipa/freeipa/pull/660#issuecomment-289736121
[Freeipa-devel] [freeipa PR#660][closed] rpcserver.login_x509: Actually return reply from __call__ method
URL: https://github.com/freeipa/freeipa/pull/660 Author: dkupka Title: #660: rpcserver.login_x509: Actually return reply from __call__ method Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/660/head:pr660 git checkout pr660
[Freeipa-devel] [freeipa PR#643][comment] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work pvomacka commented: """ @dkupka I created a new ticket: https://pagure.io/freeipa/issue/6823 """ See the full comment at https://github.com/freeipa/freeipa/pull/643#issuecomment-289705221
[Freeipa-devel] [freeipa PR#660][+ack] rpcserver.login_x509: Actually return reply from __call__ method
URL: https://github.com/freeipa/freeipa/pull/660 Title: #660: rpcserver.login_x509: Actually return reply from __call__ method Label: +ack
[Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules
URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules pvomacka commented: """ ipa-4-5: * 28db6cd40100c6301121e3f82c074624fe53729c Reworked the renaming mechanism * 85f2a19f88eef94ff080a42246658f572b5275f4 Allow renaming of the HBAC rule objects * 7d3229bfb88f0fdc559245c8741563faba716106 Allow renaming of the sudorule objects master: * 8e4408e6784f929b4c3d861f0dd509335238e951 Reworked the renaming mechanism * 55424c8677ba7de464c820afd31260aa4a7678d0 Allow renaming of the HBAC rule objects * 8c1409155e9a9a978d3d763045a84d1eac585dfd Allow renaming of the sudorule objects """ See the full comment at https://github.com/freeipa/freeipa/pull/617#issuecomment-289518952
[Freeipa-devel] [freeipa PR#617][+pushed] Allow renaming of sudo and HBAC rules
URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules Label: +pushed
[Freeipa-devel] [freeipa PR#617][closed] Allow renaming of sudo and HBAC rules
URL: https://github.com/freeipa/freeipa/pull/617 Author: stlaz Title: #617: Allow renaming of sudo and HBAC rules Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/617/head:pr617 git checkout pr617
[Freeipa-devel] [freeipa PR#659][comment] WebUI: Allow to add certs to certmapping with CERT LINES around
URL: https://github.com/freeipa/freeipa/pull/659 Title: #659: WebUI: Allow to add certs to certmapping with CERT LINES around pvomacka commented: """ ipa-4-5: * eda23a9847197513555f6237b46c658365dfc12d WebUI: Allow to add certs to certmapping with CERT LINES around master: * 84b38b6793cbc45d36c39abf79893e22e90baac6 WebUI: Allow to add certs to certmapping with CERT LINES around """ See the full comment at https://github.com/freeipa/freeipa/pull/659#issuecomment-289513389
[Freeipa-devel] [freeipa PR#653][comment] Bump samba version for FIPS and priv. separation
URL: https://github.com/freeipa/freeipa/pull/653 Title: #653: Bump samba version for FIPS and priv. separation pvomacka commented: """ ipa-4-5: * 41ff57b81807f6747b098f1ed2c281031e22bbae Bump samba version for FIPS and priv. separation master: * b7ae3363fd5bb1bf3b3175395d5bd3d26c9b48f0 Bump samba version for FIPS and priv. separation """ See the full comment at https://github.com/freeipa/freeipa/pull/653#issuecomment-289514129
[Freeipa-devel] [freeipa PR#659][closed] WebUI: Allow to add certs to certmapping with CERT LINES around
URL: https://github.com/freeipa/freeipa/pull/659 Author: pvomacka Title: #659: WebUI: Allow to add certs to certmapping with CERT LINES around Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/659/head:pr659 git checkout pr659
[Freeipa-devel] [freeipa PR#659][+pushed] WebUI: Allow to add certs to certmapping with CERT LINES around
URL: https://github.com/freeipa/freeipa/pull/659 Title: #659: WebUI: Allow to add certs to certmapping with CERT LINES around Label: +pushed
[Freeipa-devel] [freeipa PR#653][closed] Bump samba version for FIPS and priv. separation
URL: https://github.com/freeipa/freeipa/pull/653 Author: stlaz Title: #653: Bump samba version for FIPS and priv. separation Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/653/head:pr653 git checkout pr653
[Freeipa-devel] [freeipa PR#653][+pushed] Bump samba version for FIPS and priv. separation
URL: https://github.com/freeipa/freeipa/pull/653 Title: #653: Bump samba version for FIPS and priv. separation Label: +pushed
[Freeipa-devel] [freeipa PR#643][comment] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work pvomacka commented: """ Please create a new ticket and use it. The ticket you used is in an already closed milestone. """ See the full comment at https://github.com/freeipa/freeipa/pull/643#issuecomment-289512585
[Freeipa-devel] [freeipa PR#643][-ack] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Label: -ack
[Freeipa-devel] [freeipa PR#660][comment] rpcserver.login_x509: Actually return reply from __call__ method
URL: https://github.com/freeipa/freeipa/pull/660 Title: #660: rpcserver.login_x509: Actually return reply from __call__ method pvomacka commented: """ Please change ticket to this one: https://pagure.io/freeipa/issue/6819 """ See the full comment at https://github.com/freeipa/freeipa/pull/660#issuecomment-289511868
[Freeipa-devel] [freeipa PR#643][+ack] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
URL: https://github.com/freeipa/freeipa/pull/643 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work Label: +ack
[Freeipa-devel] [freeipa PR#641][comment] Set "KDC:Disable Last Success" by default
URL: https://github.com/freeipa/freeipa/pull/641 Title: #641: Set "KDC:Disable Last Success" by default pvomacka commented: """ ipa-4-5: * fdcd5f486839d9279dcba74b74f7756ace5812fa Set "KDC:Disable Last Success" by default master: * eeaf428b1befc37489ed5ee14ae193b46cbd1db7 Set "KDC:Disable Last Success" by default """ See the full comment at https://github.com/freeipa/freeipa/pull/641#issuecomment-289506802
[Freeipa-devel] [freeipa PR#641][closed] Set "KDC:Disable Last Success" by default
URL: https://github.com/freeipa/freeipa/pull/641 Author: MartinBasti Title: #641: Set "KDC:Disable Last Success" by default Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/641/head:pr641 git checkout pr641
[Freeipa-devel] [freeipa PR#641][+pushed] Set "KDC:Disable Last Success" by default
URL: https://github.com/freeipa/freeipa/pull/641 Title: #641: Set "KDC:Disable Last Success" by default Label: +pushed
[Freeipa-devel] [freeipa PR#651][comment] WebUI: Fix showing vault in selfservice view
URL: https://github.com/freeipa/freeipa/pull/651 Title: #651: WebUI: Fix showing vault in selfservice view pvomacka commented: """ ipa-4-5: * 7b3cb1ccad28a1fd17803bdd7dd245bdfee9a046 WebUI: Fix showing vault in selfservice view master: * ab6d7ac50a93efa6a9e3566dbe07b34a23c41cce WebUI: Fix showing vault in selfservice view """ See the full comment at https://github.com/freeipa/freeipa/pull/651#issuecomment-289505248
[Freeipa-devel] [freeipa PR#651][closed] WebUI: Fix showing vault in selfservice view
URL: https://github.com/freeipa/freeipa/pull/651 Author: pvomacka Title: #651: WebUI: Fix showing vault in selfservice view Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/651/head:pr651 git checkout pr651
[Freeipa-devel] [freeipa PR#651][+pushed] WebUI: Fix showing vault in selfservice view
URL: https://github.com/freeipa/freeipa/pull/651 Title: #651: WebUI: Fix showing vault in selfservice view Label: +pushed
[Freeipa-devel] [freeipa PR#619][closed] pytest 3.x compatibility
URL: https://github.com/freeipa/freeipa/pull/619 Author: tiran Title: #619: pytest 3.x compatibility Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/619/head:pr619 git checkout pr619
[Freeipa-devel] [freeipa PR#470][closed] WebUI: Size limit warning on details pages fixed
URL: https://github.com/freeipa/freeipa/pull/470 Author: pvomacka Title: #470: WebUI: Size limit warning on details pages fixed Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/470/head:pr470 git checkout pr470
[Freeipa-devel] [freeipa PR#470][+pushed] WebUI: Size limit warning on details pages fixed
URL: https://github.com/freeipa/freeipa/pull/470 Title: #470: WebUI: Size limit warning on details pages fixed Label: +pushed
[Freeipa-devel] [freeipa PR#470][comment] WebUI: Size limit warning on details pages fixed
URL: https://github.com/freeipa/freeipa/pull/470 Title: #470: WebUI: Size limit warning on details pages fixed pvomacka commented: """ ipa-4-5: * 422c9058d9a6be69db4eab7db654b9184ae5eab6 WebUI: Add support for suppressing warnings * 697a5779b377a5d76c1cb212514b6feb46326f71 WebUI: suppress truncation warning in select widget master: * 7b3a10da7001d7ee394cd891d926def66d0f2546 WebUI: Add support for suppressing warnings * b9e6ad1967ba24c7ebe5181da1ebe32d30e7b28f WebUI: suppress truncation warning in select widget """ See the full comment at https://github.com/freeipa/freeipa/pull/470#issuecomment-289502331
[Freeipa-devel] [freeipa PR#619][comment] pytest 3.x compatibility
URL: https://github.com/freeipa/freeipa/pull/619 Title: #619: pytest 3.x compatibility pvomacka commented: """ master: * dd6b72e418eba01cc9eb9a7305291bf141b9eadf pytest 3.x compatibility """ See the full comment at https://github.com/freeipa/freeipa/pull/619#issuecomment-289500363
[Freeipa-devel] [freeipa PR#619][+pushed] pytest 3.x compatibility
URL: https://github.com/freeipa/freeipa/pull/619 Title: #619: pytest 3.x compatibility Label: +pushed
[Freeipa-devel] [freeipa PR#657][closed] configure: fix --disable-server with certauth plugin
URL: https://github.com/freeipa/freeipa/pull/657 Author: sumit-bose Title: #657: configure: fix --disable-server with certauth plugin Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/657/head:pr657 git checkout pr657
[Freeipa-devel] [freeipa PR#657][+pushed] configure: fix --disable-server with certauth plugin
URL: https://github.com/freeipa/freeipa/pull/657 Title: #657: configure: fix --disable-server with certauth plugin Label: +pushed
[Freeipa-devel] [freeipa PR#657][comment] configure: fix --disable-server with certauth plugin
URL: https://github.com/freeipa/freeipa/pull/657 Title: #657: configure: fix --disable-server with certauth plugin pvomacka commented: """ ipa-4-5: * 203d5416ce807f5cdcf9e2431feef84d49b3df61 configure: fix --disable-server with certauth plugin * 8fde0b88d7c9360e16820d6086eba3e3ca0eee1e ipa-kdb: do not depend on certauth_plugin.h master: * 054f1bd78b04a79f765f524f829b34c0ee252a1b configure: fix --disable-server with certauth plugin * 0ba0c0781367d8e2d4affca29e3cf5ab93c4c33a ipa-kdb: do not depend on certauth_plugin.h """ See the full comment at https://github.com/freeipa/freeipa/pull/657#issuecomment-289498536
[Freeipa-devel] [freeipa PR#659][opened] WebUI: Allow to add certs to certmapping with CERT LINES around
URL: https://github.com/freeipa/freeipa/pull/659 Author: pvomacka Title: #659: WebUI: Allow to add certs to certmapping with CERT LINES around Action: opened PR body: """ The certificate to the certmapping might be inserted as base64 encoded blob. This patch allows to also insert the certificate blob with surrounding "-BEGIN CERTIFICATE-" and "-END CERTIFICATE-" lines. This behavior is the same in widget for assigning certificates to users, so the change helps WebUI to be more consistent. https://pagure.io/freeipa/issue/6772 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/659/head:pr659 git checkout pr659 From ad8d00741589c2a6d9e036f7c8451579f2eec9b1 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Mon, 27 Mar 2017 14:14:32 +0200 Subject: [PATCH] WebUI: Allow to add certs to certmapping with CERT LINES around The certificate to the certmapping might be inserted as base64 encoded blob. This patch allows to also insert the certificate blob with surrounding "-BEGIN CERTIFICATE-" and "-END CERTIFICATE-" lines. This behavior is the same in widget for assigning certificates to users, so the change helps WebUI to be more consistent. https://pagure.io/freeipa/issue/6772 --- install/ui/src/freeipa/plugins/certmap.js | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/install/ui/src/freeipa/plugins/certmap.js b/install/ui/src/freeipa/plugins/certmap.js index ecbe095..c613601 100644 --- a/install/ui/src/freeipa/plugins/certmap.js +++ b/install/ui/src/freeipa/plugins/certmap.js @@ -8,6 +8,7 @@ define([ 'dojo/_base/declare', 'dojo/Evented', 'dojo/on', +'../certificate', '../navigation', '../field', '../ipa', 
@@ -19,8 +20,8 @@ define([ // plain imports '../search', '../entity'], -function(lang, declare, Evented, on, navigation, mod_field, IPA, - phases, reg, widget_mod, text, util) { +function(lang, declare, Evented, on, certificate, navigation, + mod_field, IPA, phases, reg, widget_mod, text, util) { /** * Certificate map module * @class @@ -312,6 +313,12 @@ certmap.certmap_multivalued_widget = function (spec) { var widget = widgets[0]; var inner_widgets = widget.widgets.get_widgets(); +var normalize_certs = function(certs) { +for (var k = 0, l = certs.length; k-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
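Review bot: `normalize_certs` in the certmap.js hunk at @@ -312,6 is added without a doc comment, while the module documents its members in JSDoc style (`/** * Certificate map module`); add one that states the accepted inputs (bare base64, or a blob wrapped in the BEGIN CERTIFICATE and END CERTIFICATE lines named in the commit message) and the form the values have after normalization. In the @@ -19,8 hunk the new `certificate` parameter sits between `on` and `navigation`, matching where '../certificate' was inserted in the define() list; those two lists must stay in the same order, so any later reordering has to touch both.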
[Freeipa-devel] [freeipa PR#651][opened] WebUI: Fix showing vault in selfservice view
URL: https://github.com/freeipa/freeipa/pull/651 Author: pvomacka Title: #651: WebUI: Fix showing vault in selfservice view Action: opened PR body: """ Vaults menu item was shown even when the KRA service was not installed. That was caused by different path to the menu item in admin's view and in selfservice view. The path is now set correctly for both situations. 'network_service/vault' for admin's view and 'vault' for selfservice view. https://pagure.io/freeipa/issue/6812 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/651/head:pr651 git checkout pr651 From aa9ecdb5411a6fd34d685807a58979f4953f36c0 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Fri, 24 Mar 2017 10:19:21 +0100 Subject: [PATCH] WebUI: Fix showing vault in selfservice view Vaults menu item was shown even when the KRA service was not installed. That was caused by different path to the menu item in admin's view and in selfservice view. The path is now set correctly for both situations. 'network_service/vault' for admin's view and 'vault' for selfservice view. https://pagure.io/freeipa/issue/6812 --- install/ui/src/freeipa/navigation/menu_spec.js | 1 + install/ui/src/freeipa/vault.js| 8 +--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js index 4f78e4b..2eba53a 100644 --- a/install/ui/src/freeipa/navigation/menu_spec.js +++ b/install/ui/src/freeipa/navigation/menu_spec.js @@ -326,6 +326,7 @@ nav.self_service = { { entity: 'user' }, { entity: 'otptoken' }, { +name: 'vault', entity: 'vault', facet: 'search', children: [ diff --git a/install/ui/src/freeipa/vault.js b/install/ui/src/freeipa/vault.js index b5cdc81..36a4838 100644 --- a/install/ui/src/freeipa/vault.js +++ b/install/ui/src/freeipa/vault.js 
@@ -809,9 +809,11 @@ vault.config_sidebar_policy = function(spec) { vault.remove_vault_menu_item = function() { -if (!IPA.vault_enabled) { -menu.remove_item('network_services/vault'); -} +if (IPA.vault_enabled) return; + +var menu_location = IPA.is_selfservice ? 'vault' : 'network_services/vault'; + +menu.remove_item(menu_location); }; vault.my_vault_spec = make_my_vault_spec(); -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
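Review bot: In the vault.js hunk the path passed to menu.remove_item is 'network_services/vault', but the commit message and PR body both say 'network_service/vault'; correct the message, since the path string is the whole fix and the message is what people will search for later. The early return `if (IPA.vault_enabled) return;` drops the braces that the removed block used, and keeping them would match the surrounding style. The `name: 'vault'` added in menu_spec.js and the 'vault' string in remove_vault_menu_item now have to stay in sync, so a one-line comment at either place naming the other would help.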
[Freeipa-devel] [freeipa PR#470][synchronized] WebUI: Size limit warning on details pages fixed
URL: https://github.com/freeipa/freeipa/pull/470 Author: pvomacka Title: #470: WebUI: Size limit warning on details pages fixed Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/470/head:pr470 git checkout pr470 From f1d8fc4bedc825612393dbac0d6c58e1cb7db735 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Fri, 17 Mar 2017 15:10:42 +0100 Subject: [PATCH 1/2] WebUI: Add support for suppressing warnings Each command can have specified an array of warning codes which will be suppressed and won't be shown. For specifying this it is necessary to set command property 'supressed_warnings: [codes_of_warning]' Part of: https://pagure.io/freeipa/issue/6618 --- install/ui/src/freeipa/rpc.js | 7 +++ 1 file changed, 7 insertions(+) diff --git a/install/ui/src/freeipa/rpc.js b/install/ui/src/freeipa/rpc.js index 7ae1b64..c910427 100644 --- a/install/ui/src/freeipa/rpc.js +++ b/install/ui/src/freeipa/rpc.js @@ -72,6 +72,12 @@ rpc.command = function(spec) { that.options = $.extend({}, spec.options || {}); /** + * @property {Array} suppress_warnings array of message codes which + * are suppressed + */ +that.suppress_warnings = spec.suppress_warnings || []; + +/** * Success handler * @property {Function} * @param {Object} data @@ -219,6 +225,7 @@ rpc.command = function(spec) { for (var i=0,l=msgs.length; i -1) continue; // escape and reformat message msg.message = util.beautify_message(msg.message); IPA.notify(msg.message, msg.type); From 4c29a605ba94792415c75c2c1c25c2e6485d6942 Mon Sep 17 00:00:00 2001 
From: Pavel Vomacka Date: Fri, 17 Mar 2017 15:10:49 +0100 Subject: [PATCH 2/2] WebUI: suppress truncation warning in select widget This widget is used on details pages and dialogs. When the size limit is set to lower number the warning about truncation was shown every time the details page was open. Now, with support for suppressing warning messages from server according to its code, we are able to disable warning with 13017 code (truncation warning) https://pagure.io/freeipa/issue/6618 --- install/ui/src/freeipa/widget.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js index 223b449..b7a6504 100644 --- a/install/ui/src/freeipa/widget.js +++ b/install/ui/src/freeipa/widget.js @@ -5012,7 +5012,8 @@ IPA.entity_select_widget = function(spec) { entity: that.other_entity.name, method: 'find', args: [filter], -options: that.filter_options +options: that.filter_options, +suppress_warnings: [13017] }); var no_members = metadata.get('@mc-opt:' + cmd.get_command() + ':no_members'); if (no_members) { -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
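Review bot: The commit message of patch 1/2 tells callers to set 'supressed_warnings', but the rpc.js hunk reads `spec.suppress_warnings`; a caller who follows the message gets the `|| []` default and nothing is suppressed, with no error to point at the misspelling. Fix the message to name `suppress_warnings`. In the widget.js hunk of patch 2/2, `suppress_warnings: [13017]` is a bare literal whose meaning (truncation warning) is stated only in the commit message; a named constant or a short comment at the call site would keep it readable.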
[Freeipa-devel] [freeipa PR#639][comment] WebUI: Login for AD Users
URL: https://github.com/freeipa/freeipa/pull/639 Title: #639: WebUI: Login for AD Users pvomacka commented: """ I implemented all comments which you proposed and I also changed menu of AD user selfservice - I removed User tab and renamed User ID override to Profile. """ See the full comment at https://github.com/freeipa/freeipa/pull/639#issuecomment-288744985
[Freeipa-devel] [freeipa PR#639][synchronized] WebUI: Login for AD Users
URL: https://github.com/freeipa/freeipa/pull/639 Author: pvomacka Title: #639: WebUI: Login for AD Users Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/639/head:pr639 git checkout pr639 From 36d039e75ebf07af0ad66d4f5b93fe6b4ea052dc Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Wed, 22 Mar 2017 16:39:21 +0100 Subject: [PATCH 1/3] WebUI: check principals in lowercase WebUI checks whether principal name of logged user and principal name in each command is equal. As KDC for our principals is case insensitive - it does make sense to switch this check also into case insensitive. So both principals are reformated to lower case and then compared. Part of: https://pagure.io/freeipa/issue/3242 --- install/ui/src/freeipa/rpc.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/install/ui/src/freeipa/rpc.js b/install/ui/src/freeipa/rpc.js index 7ae1b64..1880f8d 100644 --- a/install/ui/src/freeipa/rpc.js +++ b/install/ui/src/freeipa/rpc.js @@ -389,7 +389,8 @@ rpc.command = function(spec) { } else if (IPA.version && data.version && IPA.version !== data.version) { window.location.reload(); -} else if (IPA.principal && data.principal && IPA.principal !== data.principal) { +} else if (IPA.principal && data.principal && +IPA.principal.toLowerCase() !== data.principal.toLowerCase()) { window.location.reload(); } else if (data.error) { From cb5d8825ee05695265fd62f5cad6ee9de7072aab Mon Sep 17 00:00:00 2001 
From: Pavel Vomacka Date: Wed, 22 Mar 2017 16:48:36 +0100 Subject: [PATCH 2/3] WebUI: add method for disabling item in user dropdown menu AD user can do only several things. One of those which are not allowed is to reset password to itself. Therefore we need to be able to turn of a item in dropdown menu. In our case 'Password reset' item. Function which disable menu item and detach the listener on click from the item specified by its name was added. Part of: https://pagure.io/freeipa/issue/3242 --- install/ui/src/freeipa/Application_controller.js | 42 install/ui/src/freeipa/widgets/App.js| 4 +++ 2 files changed, 40 insertions(+), 6 deletions(-) diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js index 32add5f..d809c1f 100644 --- a/install/ui/src/freeipa/Application_controller.js +++ b/install/ui/src/freeipa/Application_controller.js @@ -69,6 +69,16 @@ define([ facet_changing: false, /** + * Listeners for user menu items + */ + on_profile_listener: null, + on_passwd_reset_listener: null, + on_logout_listener: null, + on_item_select_listener: null, + on_configuration_listerer: null, + on_about_listener: null, + +/** * Currently displayed facet * */ @@ -109,12 +119,7 @@ define([ } }; -on(this.app_widget.menu_widget, 'item-select', this.on_menu_click.bind(this)); -on(this.app_widget, 'profile-click', this.on_profile.bind(this)); -on(this.app_widget, 'logout-click', this.on_logout.bind(this)); -on(this.app_widget, 'password-reset-click', this.on_password_reset.bind(this)); -on(this.app_widget, 'configuration-click', this.on_configuration.bind(this)); -on(this.app_widget, 'about-click', this.on_about.bind(this)); +this.register_user_menu_listeners(); on(this.router, 'facet-show', this.on_facet_show.bind(this)); on(this.router, 'facet-change', this.on_facet_change.bind(this)); 
@@ -133,6 +138,31 @@ define([ IPA.opened_dialogs.start_handling(this); }, +register_user_menu_listeners: function() { +this.on_profile_listener = on(this.app_widget, 'profile-click', +this.on_profile.bind(this)); +this.on_passwd_reset_listener = on(this.app_widget, +'password-reset-click', this.on_password_reset.bind(this)); +this.on_logout_listener = on(this.app_widget, 'logout-click', +this.on_logout.bind(this)); +this.on_item_select_listener = on(this.app_widget.menu_widget, +'item-select', this.on_menu_click.bind(this)); +this.on_configuration_listerer = on(this.app_widget, +'configuration-click', this.on_configuration.bind(this)); +this.on_about_listener = on(this.app_widget, +'about-click', this.on_about.bind(this)); +}, + +/** +
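Review bot: In the rpc.js hunk of patch 1/3, this condition is what triggers `window.location.reload()` when a response carries a principal other than the logged-in one, and after the change two principals that differ only in case no longer trigger it. The commit message rests that on the KDC being case insensitive; state that assumption in a comment next to the condition, and consider normalising `IPA.principal` once where it is set instead of calling `toLowerCase()` on both sides for every response.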
[Freeipa-devel] [freeipa PR#639][synchronized] WebUI: Login for AD Users
URL: https://github.com/freeipa/freeipa/pull/639 Author: pvomacka Title: #639: WebUI: Login for AD Users Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/639/head:pr639 git checkout pr639 From 79a2dbfd1459ff4f1e95cbc547625222efa6beb1 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Wed, 22 Mar 2017 16:39:21 +0100 Subject: [PATCH 1/3] WebUI: check principals in lowercase WebUI checks whether principal name of logged user and principal name in each command is equal. As KDC for our principals is case insensitive - it does make sense to switch this check also into case insensitive. So both principals are reformated to lower case and then compared. Part of: https://pagure.io/freeipa/issue/3242 --- install/ui/src/freeipa/rpc.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/install/ui/src/freeipa/rpc.js b/install/ui/src/freeipa/rpc.js index 7ae1b64..1880f8d 100644 --- a/install/ui/src/freeipa/rpc.js +++ b/install/ui/src/freeipa/rpc.js @@ -389,7 +389,8 @@ rpc.command = function(spec) { } else if (IPA.version && data.version && IPA.version !== data.version) { window.location.reload(); -} else if (IPA.principal && data.principal && IPA.principal !== data.principal) { +} else if (IPA.principal && data.principal && +IPA.principal.toLowerCase() !== data.principal.toLowerCase()) { window.location.reload(); } else if (data.error) { From 23c693d8dae97e7b319c0608a5a9203ac4b0a185 Mon Sep 17 00:00:00 2001 
From: Pavel Vomacka Date: Wed, 22 Mar 2017 16:48:36 +0100 Subject: [PATCH 2/3] WebUI: add method for disabling item in user dropdown menu AD user can do only several things. One of those which are not allowed is to reset password to itself. Therefore we need to be able to turn of a item in dropdown menu. In our case 'Password reset' item. Function which disable menu item and detach the listener on click from the item specified by its name was added. Part of: https://pagure.io/freeipa/issue/3242 --- install/ui/src/freeipa/Application_controller.js | 42 install/ui/src/freeipa/widgets/App.js| 4 +++ 2 files changed, 40 insertions(+), 6 deletions(-) diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js index 32add5f..d809c1f 100644 --- a/install/ui/src/freeipa/Application_controller.js +++ b/install/ui/src/freeipa/Application_controller.js @@ -69,6 +69,16 @@ define([ facet_changing: false, /** + * Listeners for user menu items + */ + on_profile_listener: null, + on_passwd_reset_listener: null, + on_logout_listener: null, + on_item_select_listener: null, + on_configuration_listerer: null, + on_about_listener: null, + +/** * Currently displayed facet * */ @@ -109,12 +119,7 @@ define([ } }; -on(this.app_widget.menu_widget, 'item-select', this.on_menu_click.bind(this)); -on(this.app_widget, 'profile-click', this.on_profile.bind(this)); -on(this.app_widget, 'logout-click', this.on_logout.bind(this)); -on(this.app_widget, 'password-reset-click', this.on_password_reset.bind(this)); -on(this.app_widget, 'configuration-click', this.on_configuration.bind(this)); -on(this.app_widget, 'about-click', this.on_about.bind(this)); +this.register_user_menu_listeners(); on(this.router, 'facet-show', this.on_facet_show.bind(this)); on(this.router, 'facet-change', this.on_facet_change.bind(this)); 
@@ -133,6 +138,31 @@ define([ IPA.opened_dialogs.start_handling(this); }, +register_user_menu_listeners: function() { +this.on_profile_listener = on(this.app_widget, 'profile-click', +this.on_profile.bind(this)); +this.on_passwd_reset_listener = on(this.app_widget, +'password-reset-click', this.on_password_reset.bind(this)); +this.on_logout_listener = on(this.app_widget, 'logout-click', +this.on_logout.bind(this)); +this.on_item_select_listener = on(this.app_widget.menu_widget, +'item-select', this.on_menu_click.bind(this)); +this.on_configuration_listerer = on(this.app_widget, +'configuration-click', this.on_configuration.bind(this)); +this.on_about_listener = on(this.app_widget, +'about-click', this.on_about.bind(this)); +}, + +/** +
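Review bot: `on_configuration_listerer` in patch 2/3 is misspelled, both in the property list added at -69,6 and in register_user_menu_listeners. It works because the two spellings agree, but any later code written against `on_configuration_listener` would read undefined. Rename it to match the other five `*_listener` properties.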
[Freeipa-devel] [freeipa PR#639][opened] WebUI: Login for AD Users
URL: https://github.com/freeipa/freeipa/pull/639 Author: pvomacka Title: #639: WebUI: Login for AD Users Action: opened PR body: """ Allows login as AD user. AD Users has its own menu specification as there is visible only its profile and list of active IPA users. https://pagure.io/freeipa/issue/3242 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/639/head:pr639 git checkout pr639 From 79a2dbfd1459ff4f1e95cbc547625222efa6beb1 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Wed, 22 Mar 2017 16:39:21 +0100 Subject: [PATCH 1/3] WebUI: check principals in lowercase WebUI checks whether principal name of logged user and principal name in each command is equal. As KDC for our principals is case insensitive - it does make sense to switch this check also into case insensitive. So both principals are reformated to lower case and then compared. Part of: https://pagure.io/freeipa/issue/3242 --- install/ui/src/freeipa/rpc.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/install/ui/src/freeipa/rpc.js b/install/ui/src/freeipa/rpc.js index 7ae1b64..1880f8d 100644 --- a/install/ui/src/freeipa/rpc.js +++ b/install/ui/src/freeipa/rpc.js @@ -389,7 +389,8 @@ rpc.command = function(spec) { } else if (IPA.version && data.version && IPA.version !== data.version) { window.location.reload(); -} else if (IPA.principal && data.principal && IPA.principal !== data.principal) { +} else if (IPA.principal && data.principal && +IPA.principal.toLowerCase() !== data.principal.toLowerCase()) { window.location.reload(); } else if (data.error) { From 6660dd17632190c534e5aa0844d1fbf18f90964b Mon Sep 17 00:00:00 2001 
From: Pavel Vomacka Date: Wed, 22 Mar 2017 16:48:36 +0100 Subject: [PATCH 2/3] WebUI: add method for disabling item in user dropdown menu AD user can do only several things. One of those which are not allowed is to reset password to itself. Therefore we need to be able to turn of a item in dropdown menu. In our case 'Password reset' item. Function which disable menu item and detach the listener on click from the item specified by its name was added. Part of: https://pagure.io/freeipa/issue/3242 --- install/ui/src/freeipa/Application_controller.js | 40 install/ui/src/freeipa/widgets/App.js| 4 +++ 2 files changed, 38 insertions(+), 6 deletions(-) diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js index 32add5f..6c7da8b 100644 --- a/install/ui/src/freeipa/Application_controller.js +++ b/install/ui/src/freeipa/Application_controller.js @@ -69,6 +69,16 @@ define([ facet_changing: false, /** + * Listeners for user menu items + */ + on_profile_listener: null, + on_passwd_reset_listener: null, + on_logout_listener: null, + on_item_select_listener: null, + on_configuration_listerer: null, + on_about_listener: null, + +/** * Currently displayed facet * */ @@ -109,12 +119,7 @@ define([ } }; -on(this.app_widget.menu_widget, 'item-select', this.on_menu_click.bind(this)); -on(this.app_widget, 'profile-click', this.on_profile.bind(this)); -on(this.app_widget, 'logout-click', this.on_logout.bind(this)); -on(this.app_widget, 'password-reset-click', this.on_password_reset.bind(this)); -on(this.app_widget, 'configuration-click', this.on_configuration.bind(this)); -on(this.app_widget, 'about-click', this.on_about.bind(this)); +this.register_user_menu_listeners(); on(this.router, 'facet-show', this.on_facet_show.bind(this)); on(this.router, 'facet-change', this.on_facet_change.bind(this)); 
@@ -133,6 +138,29 @@ define([ IPA.opened_dialogs.start_handling(this); }, +register_user_menu_listeners: function() { +this.on_profile_listener = on(this.app_widget, 'profile-click', +this.on_profile.bind(this)); +this.on_passwd_reset_listener = on(this.app_widget, +'password-reset-click', this.on_password_reset.bind(this)); +this.on_logout_listener = on(this.app_widget, 'logout-click', +this.on_logout.bind(this)); +this.on_item_select_listener = on(this.app_widget.menu_widget, +'item-select', this.on_menu_click.bind(this)); +this.on_configuration_listerer = on(this.app_widget, +'configura
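Review bot: The comment added at -69,6 reads "Listeners for user menu items", but `on_item_select_listener` is registered on `this.app_widget.menu_widget` for 'item-select', while the other handles are registered on `this.app_widget` itself. Reword the comment or keep that handle apart from the others, so the grouping matches what register_user_menu_listeners actually attaches.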
[Freeipa-devel] [freeipa PR#637][comment] ldap2: use LDAP whoami operation to retrieve bind DN for current connection
URL: https://github.com/freeipa/freeipa/pull/637 Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current connection pvomacka commented: """ Hi @abbra, thank you for patch, works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/637#issuecomment-288375637
[Freeipa-devel] [freeipa PR#628][comment] WebUI: Remove offline version of WebUI
URL: https://github.com/freeipa/freeipa/pull/628 Title: #628: WebUI: Remove offline version of WebUI pvomacka commented: """ Self-NACK, build fails. """ See the full comment at https://github.com/freeipa/freeipa/pull/628#issuecomment-288046245
[Freeipa-devel] [freeipa PR#630][+pushed] ipapython.ipautil.nolog_replace: Do not replace empty value
URL: https://github.com/freeipa/freeipa/pull/630 Title: #630: ipapython.ipautil.nolog_replace: Do not replace empty value Label: +pushed
[Freeipa-devel] [freeipa PR#630][closed] ipapython.ipautil.nolog_replace: Do not replace empty value
URL: https://github.com/freeipa/freeipa/pull/630 Author: dkupka Title: #630: ipapython.ipautil.nolog_replace: Do not replace empty value Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/630/head:pr630 git checkout pr630
[Freeipa-devel] [freeipa PR#630][comment] ipapython.ipautil.nolog_replace: Do not replace empty value
URL: https://github.com/freeipa/freeipa/pull/630 Title: #630: ipapython.ipautil.nolog_replace: Do not replace empty value pvomacka commented: """ ipa-4-5: * 8f0c7df198f8dd6ae742b099b3258c2383007c30 ipapython.ipautil.nolog_replace: Do not replace empty value master: * 4297ad6db0d4f39d82fd155323163df92b2b7894 ipapython.ipautil.nolog_replace: Do not replace empty value ipa-4-4: * 40e1eb695d648a03f45e9c8d6687cb3d8a99fd6d ipapython.ipautil.nolog_replace: Do not replace empty value """ See the full comment at https://github.com/freeipa/freeipa/pull/630#issuecomment-288012307
[Freeipa-devel] [freeipa PR#630][+ack] ipapython.ipautil.nolog_replace: Do not replace empty value
URL: https://github.com/freeipa/freeipa/pull/630 Title: #630: ipapython.ipautil.nolog_replace: Do not replace empty value Label: +ack
[Freeipa-devel] [freeipa PR#470][synchronized] WebUI: Size limit warning on details pages fixed
URL: https://github.com/freeipa/freeipa/pull/470 Author: pvomacka Title: #470: WebUI: Size limit warning on details pages fixed Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/470/head:pr470 git checkout pr470 From a3c4870a3af2a589df29ce53fb44334bd42c51d8 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Fri, 17 Mar 2017 15:10:42 +0100 Subject: [PATCH 1/2] WebUI: Add support for suppressing warnings Each command can have specified an array of warning codes which will be suppressed and won't be shown. For specifying this it is necessary to set command property 'supressed_warnings: [codes_of_warning]' Part of: https://pagure.io/freeipa/issue/6618 --- install/ui/src/freeipa/rpc.js | 7 +++ 1 file changed, 7 insertions(+) diff --git a/install/ui/src/freeipa/rpc.js b/install/ui/src/freeipa/rpc.js index 7ae1b64..72e1f30 100644 --- a/install/ui/src/freeipa/rpc.js +++ b/install/ui/src/freeipa/rpc.js @@ -72,6 +72,12 @@ rpc.command = function(spec) { that.options = $.extend({}, spec.options || {}); /** + * @property {Array} suppress_warnings array of message codes which + * are suppressed + */ +that.suppress_warnings = spec.suppress_warnings || []; + +/** * Success handler * @property {Function} * @param {Object} data @@ -219,6 +225,7 @@ rpc.command = function(spec) { for (var i=0,l=msgs.length; i -1) break; // escape and reformat message msg.message = util.beautify_message(msg.message); IPA.notify(msg.message, msg.type); From b9e94b1d700b8c166b4fcdce559f0dbad5cd798d Mon Sep 17 00:00:00 2001 
From: Pavel Vomacka Date: Fri, 17 Mar 2017 15:10:49 +0100 Subject: [PATCH 2/2] WebUI: suppress truncation warning in select widget This widget is used on details pages and dialogs. When the size limit is set to lower number the warning about truncation was shown every time the details page was open. Now, with support for suppressing warning messages from server according to its code, we are able to disable warning with 13017 code (truncation warning) https://pagure.io/freeipa/issue/6618 --- install/ui/src/freeipa/widget.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js index 223b449..b7a6504 100644 --- a/install/ui/src/freeipa/widget.js +++ b/install/ui/src/freeipa/widget.js @@ -5012,7 +5012,8 @@ IPA.entity_select_widget = function(spec) { entity: that.other_entity.name, method: 'find', args: [filter], -options: that.filter_options +options: that.filter_options, +suppress_warnings: [13017] }); var no_members = metadata.get('@mc-opt:' + cmd.get_command() + ':no_members'); if (no_members) { -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
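Review bot: In the second rpc.js hunk of patch 1/2, the suppression check ends in `break`, which leaves the message loop at the first suppressed code, so every message after it in `msgs` is never passed to IPA.notify, whether or not its code is in `suppress_warnings`. Use `continue` so that only the matching message is skipped and the remaining warnings still reach the user.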
[Freeipa-devel] [freeipa PR#604][closed] [4.5] Set zanata version to ipa-4-5
URL: https://github.com/freeipa/freeipa/pull/604 Author: MartinBasti Title: #604: [4.5] Set zanata version to ipa-4-5 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/604/head:pr604 git checkout pr604
[Freeipa-devel] [freeipa PR#604][+pushed] [4.5] Set zanata version to ipa-4-5
URL: https://github.com/freeipa/freeipa/pull/604 Title: #604: [4.5] Set zanata version to ipa-4-5 Label: +pushed
[Freeipa-devel] [freeipa PR#604][comment] [4.5] Set zanata version to ipa-4-5
URL: https://github.com/freeipa/freeipa/pull/604 Title: #604: [4.5] Set zanata version to ipa-4-5 pvomacka commented: """ ipa-4-5: * a1f2754f18f93752f97d14168b74fb0f299d795d Set zanata version to ipa-4-5 """ See the full comment at https://github.com/freeipa/freeipa/pull/604#issuecomment-287004757
[Freeipa-devel] [freeipa PR#605][closed] Set development version to 4.5.90
URL: https://github.com/freeipa/freeipa/pull/605 Author: MartinBasti Title: #605: Set development version to 4.5.90 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/605/head:pr605 git checkout pr605
[Freeipa-devel] [freeipa PR#605][comment] Set development version to 4.5.90
URL: https://github.com/freeipa/freeipa/pull/605 Title: #605: Set development version to 4.5.90 pvomacka commented: """ master: * 9ac62bec44b642838cbb175d94efd90acb417ecc Set development version to 4.5.90 """ See the full comment at https://github.com/freeipa/freeipa/pull/605#issuecomment-287004023
[Freeipa-devel] [freeipa PR#605][+pushed] Set development version to 4.5.90
URL: https://github.com/freeipa/freeipa/pull/605 Title: #605: Set development version to 4.5.90 Label: +pushed
[Freeipa-devel] [freeipa PR#601][+ack] spec file: always provide python package aliases
URL: https://github.com/freeipa/freeipa/pull/601 Title: #601: spec file: always provide python package aliases Label: +ack
[Freeipa-devel] [freeipa PR#597][+ack] spec file: support build without ipatests
URL: https://github.com/freeipa/freeipa/pull/597 Title: #597: spec file: support build without ipatests Label: +ack
[Freeipa-devel] [freeipa PR#596][+ack] spec file: support client-only build
URL: https://github.com/freeipa/freeipa/pull/596 Title: #596: spec file: support client-only build Label: +ack