Re: [Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings

2014-07-02 Thread Petr Viktorin

On 07/01/2014 03:15 PM, Martin Basti wrote:

On Tue, 2014-07-01 at 14:24 +0200, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4413
Patches attached




Rebased patches attached




0084:
in dns.py, you'll also want to remove NSEC3PARAMRecord from 
_dns_records. Otherwise I still see it in API.txt for dnsrecord_add & 
friends.


0085:
_nsec3param_errmsg will not get picked up by xgettext, so it won't be 
translated. The argument to _() must be a literal string, not a variable.




--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings

2014-07-02 Thread Petr Vobornik

On 1.7.2014 15:15, Martin Basti wrote:

On Tue, 2014-07-01 at 14:24 +0200, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4413
Patches attached


Rebased patches attached



Besides #1, mostly minor stuff.

1. The regex r'^\d+ \d+ \d+ ([0-9a-fA-F]+|-)$' should be extended to 
validate an even number of hex chars, e.g.:

^\d+ \d+ \d+ ((([0-9a-fA-F]{2})+)|-)$

Should be then also reflected in _nsec3param_errmsg

This change will make Web UI more usable.

2. The abbreviation 'alg' in 'hash_alg' is not as common as, for example, 
'arg'. The full 'hash_algorithm' is clearer; there is enough space.


+doc=_('NSEC3PARAM record for zone in format: hash_alg flags 
iterations salt'),



3. I think we should rather catch TypeError

+try:
+binascii.a2b_hex(salt)
+except Exception, e:
+return _('salt value: %(err)s') % {'err': e}

4. Extra empty line

+pattern_errmsg=_nsec3param_errmsg,
+
+),


Unrelated:

5. IMO framework should be extended to support translations in 
`pattern_errmsg`


--
Petr Vobornik
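
The effect of review points 1 and 3 above, as an added example that is not part of the original message or of the FreeIPA patch: it runs both patterns from the review over the same inputs and shows where an odd-length salt is caught. The names `validate_nsec3param`, `salt_error` and `LIMITS` are hypothetical, the numeric limits are an assumption taken from the RFC 5155 field widths and go beyond what the thread discusses, and the code is written for Python 3 while the patch targets Python 2.

```python
import binascii
import re

# Pattern quoted in the review: any run of hex digits is accepted as salt.
ORIGINAL = re.compile(r'^\d+ \d+ \d+ ([0-9a-fA-F]+|-)$')
# Pattern proposed in the review: salt is whole bytes (hex pairs) or '-'.
PROPOSED = re.compile(r'^\d+ \d+ \d+ ((([0-9a-fA-F]{2})+)|-)$')

# Assumption: upper bounds taken from the RFC 5155 field widths
# (8-bit algorithm, 8-bit flags, 16-bit iterations); not from the patch.
LIMITS = (('hash_algorithm', 255), ('flags', 255), ('iterations', 65535))


def salt_error(salt):
    """Return the decoder's complaint for a hex salt, or None if it decodes."""
    if salt == '-':
        return None
    try:
        raw = binascii.a2b_hex(salt)
    # Python 2 raised TypeError here; Python 3 raises binascii.Error.
    except (TypeError, binascii.Error) as e:
        return 'salt value: %s' % e
    if len(raw) > 255:  # salt length is a single octet in RFC 5155
        return 'salt value: longer than 255 bytes'
    return None


def validate_nsec3param(value, pattern=PROPOSED):
    """Hypothetical validator: None when value is acceptable, else a message."""
    if not pattern.match(value):
        return 'expected: hash_algorithm flags iterations salt'
    fields = value.split(' ')
    for (name, limit), text in zip(LIMITS, fields):
        if int(text) > limit:
            return '%s must be at most %d' % (name, limit)
    return salt_error(fields[3])


# Constructed sample values, not taken from the thread.
SAMPLES = ['1 0 10 abcd', '1 0 10 abc', '1 0 10 -', '1 0 70000 ab']

if __name__ == '__main__':
    for sample in SAMPLES:
        print(repr(sample), '->',
              'old pattern:', validate_nsec3param(sample, ORIGINAL),
              '| new pattern:', validate_nsec3param(sample))
```

With the original pattern the odd-length salt only fails inside `a2b_hex`, so a client that checks the pattern alone (such as a web form) accepts a value the server then rejects; the proposed pattern rejects it up front.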



Re: [Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings

2014-07-02 Thread Martin Basti
On Wed, 2014-07-02 at 09:39 +0200, Petr Viktorin wrote:
 On 07/01/2014 03:15 PM, Martin Basti wrote:
  On Tue, 2014-07-01 at 14:24 +0200, Martin Basti wrote:
  Ticket: https://fedorahosted.org/freeipa/ticket/4413
  Patches attached
 
 
  Rebased patches attached
 
 
 
 0084:
 in dns.py, you'll also want to remove NSEC3PARAMRecord from 
 _dns_records. Otherwise I still see it in API.txt for dnsrecord_add & 
 friends.
If I remove it, it breaks dns.py. I haven't added NSEC3PARAMRecord into _dns_records 
in the original patch.

 0085:
 _nsec3param_errmsg will not get picked up by xgettext, so it won't be 
 translated. The argument to _() must be a literal string, not a variable.
 
 
 


-- 
Martin^2 Basti



Re: [Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings

2014-07-02 Thread Martin Basti
On Wed, 2014-07-02 at 13:17 +0200, Martin Basti wrote:
 On Wed, 2014-07-02 at 09:39 +0200, Petr Viktorin wrote:
  On 07/01/2014 03:15 PM, Martin Basti wrote:
   On Tue, 2014-07-01 at 14:24 +0200, Martin Basti wrote:
   Ticket: https://fedorahosted.org/freeipa/ticket/4413
   Patches attached
  
  
   Rebased patches attached
  
  
  
  0084:
  in dns.py, you'll also want to remove NSEC3PARAMRecord from 
  _dns_records. Otherwise I still see it in API.txt for dnsrecord_add & 
  friends.
 If I remove it, it breaks dns.py. I haven't added NSEC3PARAMRecord into 
 _dns_records in the original patch.
 
  0085:
  _nsec3param_errmsg will not get picked up by xgettext, so it won't be 
  translated. The argument to _() must be a literal string, not a variable.
  
  
  
 
 
Updated patch attached (API.txt updated)

-- 
Martin^2 Basti
From e5e567aae2e7fb8641fdfb8d59e361c533b6c0a5 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Mon, 30 Jun 2014 18:29:40 +0200
Subject: [PATCH 2/3] Add NSEC3PARAM to zone settings

Ticket: https://fedorahosted.org/freeipa/ticket/4413
---
 ACI.txt   |  4 ++--
 API.txt   |  9 +---
 VERSION   |  4 ++--
 install/share/60ipadns.ldif   |  2 +-
 install/ui/src/freeipa/dns.js |  3 ++-
 install/updates/40-dns.update |  2 +-
 ipalib/plugins/dns.py | 50 ---
 7 files changed, 61 insertions(+), 13 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index b8dfb56a2abea937823cdaed08322dea3dc0c0ef..8e73c5c8541154e73c201994de828aa43c3777b1 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -39,11 +39,11 @@ aci: (targetattr = idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || i
 dn: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Add DNS Entries;allow (add) groupdn = ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord)(target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read DNS Entries;allow (compare,read,search) groupdn = ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+aci: (targetattr = a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord)(target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read DNS Entries;allow (compare,read,search) groupdn = ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Remove DNS Entries;allow (delete) groupdn = ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord 
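
Review bot: The System: Read DNS Entries line gains nsec3paramrecord in targetattr, but the replacement for the removed System: Update DNS Entries line is cut off in this copy, so it cannot be confirmed here that the write permission lists the attribute as well. Please check that both targetattr lists carry nsec3paramrecord; if only the read ACI has it, the zone setting would be readable but could not be changed by holders of System: Update DNS Entries.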

Re: [Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings

2014-07-02 Thread Petr Vobornik

On 2.7.2014 14:27, Martin Basti wrote:

On Wed, 2014-07-02 at 13:17 +0200, Martin Basti wrote:

On Wed, 2014-07-02 at 09:39 +0200, Petr Viktorin wrote:

On 07/01/2014 03:15 PM, Martin Basti wrote:

On Tue, 2014-07-01 at 14:24 +0200, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4413
Patches attached




Rebased patches attached




0084:
in dns.py, you'll also want to remove NSEC3PARAMRecord from
_dns_records. Otherwise I still see it in API.txt for dnsrecord_add &
friends.

If I remove it, it breaks dns.py. I haven't added NSEC3PARAMRecord into _dns_records 
in the original patch.


0085:
_nsec3param_errmsg will not get picked up by xgettext, so it won't be
translated. The argument to _() must be a literal string, not a variable.







Updated patch attached (API.txt updated)



ACK

pushed to master:
* ff7b44e3b09b2e94fde66f918a6d1fb6db043d80 Remove NSEC3PARAM record
* 30551a8aa30dcd39b3ae4c2fe97a163620773730 Add NSEC3PARAM to zone settings
* 01b95805ab1428e10c79abf70c9bc9e2baf9de21 NSEC3PARAM tests

--
Petr Vobornik



Re: [Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings

2014-07-01 Thread Martin Basti
On Tue, 2014-07-01 at 14:24 +0200, Martin Basti wrote:
 Ticket: https://fedorahosted.org/freeipa/ticket/4413
 Patches attached

Rebased patches attached

-- 
Martin^2 Basti
From e9156fea72f0f6fcea64ac26696a7c6256f73ab6 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Mon, 30 Jun 2014 17:17:02 +0200
Subject: [PATCH 1/3] Remove NSEC3PARAM record

Ticket: https://fedorahosted.org/freeipa/ticket/4413
---
 ACI.txt |  4 +--
 API.txt | 12 ++-
 VERSION |  4 +--
 install/share/60ipadns.ldif |  2 +-
 install/ui/src/freeipa/dns.js   | 16 +
 install/updates/40-dns.update   |  2 +-
 ipalib/plugins/dns.py   | 48 ++---
 ipatests/test_xmlrpc/test_dns_plugin.py | 62 -
 8 files changed, 12 insertions(+), 138 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 8e73c5c8541154e73c201994de828aa43c3777b1..b8dfb56a2abea937823cdaed08322dea3dc0c0ef 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -39,11 +39,11 @@ aci: (targetattr = idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || i
 dn: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Add DNS Entries;allow (add) groupdn = ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord)(target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read DNS Entries;allow (compare,read,search) groupdn = ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+aci: (targetattr = a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord)(target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read DNS Entries;allow (compare,read,search) groupdn = ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Remove DNS Entries;allow (delete) groupdn = ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord)(target = ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl permission:System: Update DNS Entries;allow (write) groupdn = ldap:///cn=System: Update DNS
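
Review bot: Dropping nsec3paramrecord from the System: Read DNS Entries targetattr in this hunk leaves an intermediate commit where the read ACI no longer covers the attribute, only for patch 2/3 to put it straight back: the index lines are exact mirrors (8e73c5c..b8dfb56 here, b8dfb56..8e73c5c in 2/3). The removed System: Update DNS Entries line also contains nsec3paramrecord, though its replacement is cut off in this copy. Consider leaving ACI.txt untouched in 1/3, so that a tree checked out at this commit does not lose read access to nsec3paramrecord values that are already stored.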