[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-04-03 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 5420e9cfbe7803808b6e26d2dae64f2a6a50149a Mon Sep 17 00:00:00 2001
From: Ben Lipton 
Date: Tue, 21 Mar 2017 12:21:30 -0400
Subject: [PATCH 1/8] csrgen: Remove helper abstraction

All requests now use the OpenSSL formatter. However, we keep Formatter
a separate class so that it can be changed out for tests.

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta 
---
 ipaclient/csrgen.py| 71 ++--
 ipaclient/csrgen/rules/dataDNS.json| 13 +--
 ipaclient/csrgen/rules/dataEmail.json  | 13 +--
 ipaclient/csrgen/rules/dataHostCN.json | 13 +--
 ipaclient/csrgen/rules/dataSubjectBase.json| 13 +--
 ipaclient/csrgen/rules/dataUsernameCN.json | 13 +--
 ipaclient/csrgen/rules/syntaxSAN.json  | 19 ++---
 ipaclient/csrgen/rules/syntaxSubject.json  | 13 +--
 ipaclient/csrgen/templates/certutil_base.tmpl  | 11 ---
 ipaclient/plugins/csrgen.py|  2 +-
 .../data/test_csrgen/configs/caIPAserviceCert.conf | 34 
 .../data/test_csrgen/configs/userCert.conf | 34 
 .../data/test_csrgen/rules/basic.json  | 13 +--
 .../data/test_csrgen/rules/options.json| 18 +---
 .../scripts/caIPAserviceCert_certutil.sh   | 11 ---
 .../scripts/caIPAserviceCert_openssl.sh| 34 
 .../data/test_csrgen/scripts/userCert_certutil.sh  | 11 ---
 .../data/test_csrgen/scripts/userCert_openssl.sh   | 34 
 ipatests/test_ipaclient/test_csrgen.py | 98 +-
 19 files changed, 145 insertions(+), 323 deletions(-)
 delete mode 100644 ipaclient/csrgen/templates/certutil_base.tmpl
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_certutil.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_certutil.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh

diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py
index 8fb0b32..8ca0722 100644
--- a/ipaclient/csrgen.py
+++ b/ipaclient/csrgen.py
@@ -244,13 +244,6 @@ def _prepare_syntax_rule(
 return self.SyntaxRule(prepared_template, is_extension)
 
 
-class CertutilFormatter(Formatter):
-base_template_name = 'certutil_base.tmpl'
-
-def _get_template_params(self, syntax_rules):
-return {'options': syntax_rules}
-
-
 class FieldMapping(object):
 """Representation of the rules needed to construct a complete cert field.
 
@@ -279,13 +272,11 @@ def __init__(self, name, template, options):
 
 
 class RuleProvider(object):
-def rules_for_profile(self, profile_id, helper):
+def rules_for_profile(self, profile_id):
 """
 Return the rules needed to build a CSR using the given profile.
 
 :param profile_id: str, name of the CSR generation profile to use
-:param helper: str, name of tool (e.g. openssl, certutil) that will be
-used to create CSR
 
 :returns: list of FieldMapping, filled out with the appropriate rules
 """
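Review bot: The docstring of `rules_for_profile` drops the `helper` parameter but no longer says which tool the returned rules target. Since the commit message states that all requests now use the OpenSSL formatter, the summary line could say so, for example `Return the rules needed to build an OpenSSL CSR config using the given profile.` Removing a positional parameter also changes the method's interface: any caller still passing `helper`, or any out-of-tree RuleProvider subclass that overrides the old two-argument form, would fail with a TypeError, so the change deserves a mention in the docstring or release notes. The method body lies outside this hunk, and the same hunk is re-posted twice further down the page.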
@@ -321,40 +312,31 @@ def _open(self, subdir, filename):
 )
 )
 
-def _rule(self, rule_name, helper):
-if (rule_name, helper) not in self.rules:
+def _rule(self, rule_name):
+if rule_name not in self.rules:
 try:
 with self._open('rules', '%s.json' % rule_name) as f:
-ruleset = json.load(f)
+ruleconf = json.load(f)
 except IOError:
 raise errors.NotFound(
-reason=_('Ruleset %(ruleset)s does not exist.') %
-{'ruleset': rule_name})
+reason=_('No generation rule %(rulename)s found.') %
+{'rulename': rule_name})
 
-matching_rules = [r for r in ruleset['rules']
-  if r['helper'] == helper]
-if len(matching_rules) == 0:
+try:
+rule = ruleconf['rule']
+except KeyError:
 raise errors.EmptyResult(
-reason=_('No transformation in "%(ruleset)s" rule supports'
- ' helper "%(helper)s"') %
-{'ruleset': rule_name, 'helper': helper})
-elif 

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-04-03 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 5420e9cfbe7803808b6e26d2dae64f2a6a50149a Mon Sep 17 00:00:00 2001
From: Ben Lipton 
Date: Tue, 21 Mar 2017 12:21:30 -0400
Subject: [PATCH 1/8] csrgen: Remove helper abstraction

All requests now use the OpenSSL formatter. However, we keep Formatter
a separate class so that it can be changed out for tests.

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta 
---
 ipaclient/csrgen.py| 71 ++--
 ipaclient/csrgen/rules/dataDNS.json| 13 +--
 ipaclient/csrgen/rules/dataEmail.json  | 13 +--
 ipaclient/csrgen/rules/dataHostCN.json | 13 +--
 ipaclient/csrgen/rules/dataSubjectBase.json| 13 +--
 ipaclient/csrgen/rules/dataUsernameCN.json | 13 +--
 ipaclient/csrgen/rules/syntaxSAN.json  | 19 ++---
 ipaclient/csrgen/rules/syntaxSubject.json  | 13 +--
 ipaclient/csrgen/templates/certutil_base.tmpl  | 11 ---
 ipaclient/plugins/csrgen.py|  2 +-
 .../data/test_csrgen/configs/caIPAserviceCert.conf | 34 
 .../data/test_csrgen/configs/userCert.conf | 34 
 .../data/test_csrgen/rules/basic.json  | 13 +--
 .../data/test_csrgen/rules/options.json| 18 +---
 .../scripts/caIPAserviceCert_certutil.sh   | 11 ---
 .../scripts/caIPAserviceCert_openssl.sh| 34 
 .../data/test_csrgen/scripts/userCert_certutil.sh  | 11 ---
 .../data/test_csrgen/scripts/userCert_openssl.sh   | 34 
 ipatests/test_ipaclient/test_csrgen.py | 98 +-
 19 files changed, 145 insertions(+), 323 deletions(-)
 delete mode 100644 ipaclient/csrgen/templates/certutil_base.tmpl
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_certutil.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_certutil.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh

diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py
index 8fb0b32..8ca0722 100644
--- a/ipaclient/csrgen.py
+++ b/ipaclient/csrgen.py
@@ -244,13 +244,6 @@ def _prepare_syntax_rule(
 return self.SyntaxRule(prepared_template, is_extension)
 
 
-class CertutilFormatter(Formatter):
-base_template_name = 'certutil_base.tmpl'
-
-def _get_template_params(self, syntax_rules):
-return {'options': syntax_rules}
-
-
 class FieldMapping(object):
 """Representation of the rules needed to construct a complete cert field.
 
@@ -279,13 +272,11 @@ def __init__(self, name, template, options):
 
 
 class RuleProvider(object):
-def rules_for_profile(self, profile_id, helper):
+def rules_for_profile(self, profile_id):
 """
 Return the rules needed to build a CSR using the given profile.
 
 :param profile_id: str, name of the CSR generation profile to use
-:param helper: str, name of tool (e.g. openssl, certutil) that will be
-used to create CSR
 
 :returns: list of FieldMapping, filled out with the appropriate rules
 """
@@ -321,40 +312,31 @@ def _open(self, subdir, filename):
 )
 )
 
-def _rule(self, rule_name, helper):
-if (rule_name, helper) not in self.rules:
+def _rule(self, rule_name):
+if rule_name not in self.rules:
 try:
 with self._open('rules', '%s.json' % rule_name) as f:
-ruleset = json.load(f)
+ruleconf = json.load(f)
 except IOError:
 raise errors.NotFound(
-reason=_('Ruleset %(ruleset)s does not exist.') %
-{'ruleset': rule_name})
+reason=_('No generation rule %(rulename)s found.') %
+{'rulename': rule_name})
 
-matching_rules = [r for r in ruleset['rules']
-  if r['helper'] == helper]
-if len(matching_rules) == 0:
+try:
+rule = ruleconf['rule']
+except KeyError:
 raise errors.EmptyResult(
-reason=_('No transformation in "%(ruleset)s" rule supports'
- ' helper "%(helper)s"') %
-{'ruleset': rule_name, 'helper': helper})
-elif 

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-04-03 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 5420e9cfbe7803808b6e26d2dae64f2a6a50149a Mon Sep 17 00:00:00 2001
From: Ben Lipton 
Date: Tue, 21 Mar 2017 12:21:30 -0400
Subject: [PATCH 1/8] csrgen: Remove helper abstraction

All requests now use the OpenSSL formatter. However, we keep Formatter
a separate class so that it can be changed out for tests.

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta 
---
 ipaclient/csrgen.py| 71 ++--
 ipaclient/csrgen/rules/dataDNS.json| 13 +--
 ipaclient/csrgen/rules/dataEmail.json  | 13 +--
 ipaclient/csrgen/rules/dataHostCN.json | 13 +--
 ipaclient/csrgen/rules/dataSubjectBase.json| 13 +--
 ipaclient/csrgen/rules/dataUsernameCN.json | 13 +--
 ipaclient/csrgen/rules/syntaxSAN.json  | 19 ++---
 ipaclient/csrgen/rules/syntaxSubject.json  | 13 +--
 ipaclient/csrgen/templates/certutil_base.tmpl  | 11 ---
 ipaclient/plugins/csrgen.py|  2 +-
 .../data/test_csrgen/configs/caIPAserviceCert.conf | 34 
 .../data/test_csrgen/configs/userCert.conf | 34 
 .../data/test_csrgen/rules/basic.json  | 13 +--
 .../data/test_csrgen/rules/options.json| 18 +---
 .../scripts/caIPAserviceCert_certutil.sh   | 11 ---
 .../scripts/caIPAserviceCert_openssl.sh| 34 
 .../data/test_csrgen/scripts/userCert_certutil.sh  | 11 ---
 .../data/test_csrgen/scripts/userCert_openssl.sh   | 34 
 ipatests/test_ipaclient/test_csrgen.py | 98 +-
 19 files changed, 145 insertions(+), 323 deletions(-)
 delete mode 100644 ipaclient/csrgen/templates/certutil_base.tmpl
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_certutil.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_certutil.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh

diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py
index 8fb0b32..8ca0722 100644
--- a/ipaclient/csrgen.py
+++ b/ipaclient/csrgen.py
@@ -244,13 +244,6 @@ def _prepare_syntax_rule(
 return self.SyntaxRule(prepared_template, is_extension)
 
 
-class CertutilFormatter(Formatter):
-base_template_name = 'certutil_base.tmpl'
-
-def _get_template_params(self, syntax_rules):
-return {'options': syntax_rules}
-
-
 class FieldMapping(object):
 """Representation of the rules needed to construct a complete cert field.
 
@@ -279,13 +272,11 @@ def __init__(self, name, template, options):
 
 
 class RuleProvider(object):
-def rules_for_profile(self, profile_id, helper):
+def rules_for_profile(self, profile_id):
 """
 Return the rules needed to build a CSR using the given profile.
 
 :param profile_id: str, name of the CSR generation profile to use
-:param helper: str, name of tool (e.g. openssl, certutil) that will be
-used to create CSR
 
 :returns: list of FieldMapping, filled out with the appropriate rules
 """
@@ -321,40 +312,31 @@ def _open(self, subdir, filename):
 )
 )
 
-def _rule(self, rule_name, helper):
-if (rule_name, helper) not in self.rules:
+def _rule(self, rule_name):
+if rule_name not in self.rules:
 try:
 with self._open('rules', '%s.json' % rule_name) as f:
-ruleset = json.load(f)
+ruleconf = json.load(f)
 except IOError:
 raise errors.NotFound(
-reason=_('Ruleset %(ruleset)s does not exist.') %
-{'ruleset': rule_name})
+reason=_('No generation rule %(rulename)s found.') %
+{'rulename': rule_name})
 
-matching_rules = [r for r in ruleset['rules']
-  if r['helper'] == helper]
-if len(matching_rules) == 0:
+try:
+rule = ruleconf['rule']
+except KeyError:
 raise errors.EmptyResult(
-reason=_('No transformation in "%(ruleset)s" rule supports'
- ' helper "%(helper)s"') %
-{'ruleset': rule_name, 'helper': helper})
-elif 

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-04-03 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 6419040e0bcf726232f30c4020fbea9bb9e10376 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:49:54 +0100
Subject: [PATCH 1/3] Conditionally import pyhbac

The pyhbac module is part of SSSD. It's not available as a stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tied into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditional. It's only necessary for the caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes 
---
 ipaserver/plugins/caacl.py| 86 -
 ipaserver/plugins/cert.py | 90 ++-
 ipaserver/plugins/hbactest.py | 19 +++--
 3 files changed, 105 insertions(+), 90 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index ff1178a..43a397d 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -2,12 +2,10 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import pyhbac
 import six
 
 from ipalib import api, errors, output
 from ipalib import Bool, Str, StrEnum
-from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
 from .baseldap import (
 LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery,
@@ -80,90 +78,6 @@
 register = Registry()
 
 
-def _acl_make_request(principal_type, principal, ca_id, profile_id):
-"""Construct HBAC request for the given principal, CA and profile"""
-
-req = pyhbac.HbacRequest()
-req.targethost.name = ca_id
-req.service.name = profile_id
-if principal_type == 'user':
-req.user.name = principal.username
-elif principal_type == 'host':
-req.user.name = principal.hostname
-elif principal_type == 'service':
-req.user.name = unicode(principal)
-groups = []
-if principal_type == 'user':
-user_obj = api.Command.user_show(principal.username)['result']
-groups = user_obj.get('memberof_group', [])
-groups += user_obj.get('memberofindirect_group', [])
-elif principal_type == 'host':
-host_obj = api.Command.host_show(principal.hostname)['result']
-groups = host_obj.get('memberof_hostgroup', [])
-groups += host_obj.get('memberofindirect_hostgroup', [])
-req.user.groups = sorted(set(groups))
-return req
-
-
-def _acl_make_rule(principal_type, obj):
-"""Turn CA ACL object into HBAC rule.
-
-``principal_type``
-String in {'user', 'host', 'service'}
-"""
-rule = pyhbac.HbacRule(obj['cn'][0])
-rule.enabled = obj['ipaenabledflag'][0]
-rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-
-# add CA(s)
-if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all':
-rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-# For compatibility with pre-lightweight-CAs CA ACLs,
-# no CA members implies the host authority (only)
-rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN])
-
-# add profiles
-if ('ipacertprofilecategory' in obj
-and obj['ipacertprofilecategory'][0].lower() == 'all'):
-rule.services.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-attr = 'ipamembercertprofile_certprofile'
-rule.services.names = obj.get(attr, [])
-
-# add principals and principal's groups
-category_attr = '{}category'.format(principal_type)
-if category_attr in obj and obj[category_attr][0].lower() == 'all':
-rule.users.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-if principal_type == 'user':
-rule.users.names = obj.get('memberuser_user', [])
-rule.users.groups = obj.get('memberuser_group', [])
-elif principal_type == 'host':
-rule.users.names = obj.get('memberhost_host', [])
-rule.users.groups = obj.get('memberhost_hostgroup', [])
-elif principal_type == 'service':
-rule.users.names = [
-unicode(principal)
-for principal in obj.get('memberservice_service', [])
-]
-
-return rule

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-03-31 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 6419040e0bcf726232f30c4020fbea9bb9e10376 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:49:54 +0100
Subject: [PATCH 1/3] Conditionally import pyhbac

The pyhbac module is part of SSSD. It's not available as a stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tied into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditional. It's only necessary for the caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes 
---
 ipaserver/plugins/caacl.py| 86 -
 ipaserver/plugins/cert.py | 90 ++-
 ipaserver/plugins/hbactest.py | 19 +++--
 3 files changed, 105 insertions(+), 90 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index ff1178a..43a397d 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -2,12 +2,10 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import pyhbac
 import six
 
 from ipalib import api, errors, output
 from ipalib import Bool, Str, StrEnum
-from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
 from .baseldap import (
 LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery,
@@ -80,90 +78,6 @@
 register = Registry()
 
 
-def _acl_make_request(principal_type, principal, ca_id, profile_id):
-"""Construct HBAC request for the given principal, CA and profile"""
-
-req = pyhbac.HbacRequest()
-req.targethost.name = ca_id
-req.service.name = profile_id
-if principal_type == 'user':
-req.user.name = principal.username
-elif principal_type == 'host':
-req.user.name = principal.hostname
-elif principal_type == 'service':
-req.user.name = unicode(principal)
-groups = []
-if principal_type == 'user':
-user_obj = api.Command.user_show(principal.username)['result']
-groups = user_obj.get('memberof_group', [])
-groups += user_obj.get('memberofindirect_group', [])
-elif principal_type == 'host':
-host_obj = api.Command.host_show(principal.hostname)['result']
-groups = host_obj.get('memberof_hostgroup', [])
-groups += host_obj.get('memberofindirect_hostgroup', [])
-req.user.groups = sorted(set(groups))
-return req
-
-
-def _acl_make_rule(principal_type, obj):
-"""Turn CA ACL object into HBAC rule.
-
-``principal_type``
-String in {'user', 'host', 'service'}
-"""
-rule = pyhbac.HbacRule(obj['cn'][0])
-rule.enabled = obj['ipaenabledflag'][0]
-rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-
-# add CA(s)
-if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all':
-rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-# For compatibility with pre-lightweight-CAs CA ACLs,
-# no CA members implies the host authority (only)
-rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN])
-
-# add profiles
-if ('ipacertprofilecategory' in obj
-and obj['ipacertprofilecategory'][0].lower() == 'all'):
-rule.services.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-attr = 'ipamembercertprofile_certprofile'
-rule.services.names = obj.get(attr, [])
-
-# add principals and principal's groups
-category_attr = '{}category'.format(principal_type)
-if category_attr in obj and obj[category_attr][0].lower() == 'all':
-rule.users.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-if principal_type == 'user':
-rule.users.names = obj.get('memberuser_user', [])
-rule.users.groups = obj.get('memberuser_group', [])
-elif principal_type == 'host':
-rule.users.names = obj.get('memberhost_host', [])
-rule.users.groups = obj.get('memberhost_hostgroup', [])
-elif principal_type == 'service':
-rule.users.names = [
-unicode(principal)
-for principal in obj.get('memberservice_service', [])
-]
-
-return rule

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-03-31 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 6419040e0bcf726232f30c4020fbea9bb9e10376 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:49:54 +0100
Subject: [PATCH 1/3] Conditionally import pyhbac

The pyhbac module is part of SSSD. It's not available as a stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tied into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditional. It's only necessary for the caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes 
---
 ipaserver/plugins/caacl.py| 86 -
 ipaserver/plugins/cert.py | 90 ++-
 ipaserver/plugins/hbactest.py | 19 +++--
 3 files changed, 105 insertions(+), 90 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index ff1178a..43a397d 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -2,12 +2,10 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import pyhbac
 import six
 
 from ipalib import api, errors, output
 from ipalib import Bool, Str, StrEnum
-from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
 from .baseldap import (
 LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery,
@@ -80,90 +78,6 @@
 register = Registry()
 
 
-def _acl_make_request(principal_type, principal, ca_id, profile_id):
-"""Construct HBAC request for the given principal, CA and profile"""
-
-req = pyhbac.HbacRequest()
-req.targethost.name = ca_id
-req.service.name = profile_id
-if principal_type == 'user':
-req.user.name = principal.username
-elif principal_type == 'host':
-req.user.name = principal.hostname
-elif principal_type == 'service':
-req.user.name = unicode(principal)
-groups = []
-if principal_type == 'user':
-user_obj = api.Command.user_show(principal.username)['result']
-groups = user_obj.get('memberof_group', [])
-groups += user_obj.get('memberofindirect_group', [])
-elif principal_type == 'host':
-host_obj = api.Command.host_show(principal.hostname)['result']
-groups = host_obj.get('memberof_hostgroup', [])
-groups += host_obj.get('memberofindirect_hostgroup', [])
-req.user.groups = sorted(set(groups))
-return req
-
-
-def _acl_make_rule(principal_type, obj):
-"""Turn CA ACL object into HBAC rule.
-
-``principal_type``
-String in {'user', 'host', 'service'}
-"""
-rule = pyhbac.HbacRule(obj['cn'][0])
-rule.enabled = obj['ipaenabledflag'][0]
-rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-
-# add CA(s)
-if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all':
-rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-# For compatibility with pre-lightweight-CAs CA ACLs,
-# no CA members implies the host authority (only)
-rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN])
-
-# add profiles
-if ('ipacertprofilecategory' in obj
-and obj['ipacertprofilecategory'][0].lower() == 'all'):
-rule.services.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-attr = 'ipamembercertprofile_certprofile'
-rule.services.names = obj.get(attr, [])
-
-# add principals and principal's groups
-category_attr = '{}category'.format(principal_type)
-if category_attr in obj and obj[category_attr][0].lower() == 'all':
-rule.users.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-if principal_type == 'user':
-rule.users.names = obj.get('memberuser_user', [])
-rule.users.groups = obj.get('memberuser_group', [])
-elif principal_type == 'host':
-rule.users.names = obj.get('memberhost_host', [])
-rule.users.groups = obj.get('memberhost_hostgroup', [])
-elif principal_type == 'service':
-rule.users.names = [
-unicode(principal)
-for principal in obj.get('memberservice_service', [])
-]
-
-return rule

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-03-16 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 3388a271d88e40df67ee79a69f5e10404dc1449d Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:49:54 +0100
Subject: [PATCH 1/3] Conditionally import pyhbac

The pyhbac module is part of SSSD. It's not available as a stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tied into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditional. It's only necessary for the caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes 
---
 ipaserver/plugins/caacl.py| 86 -
 ipaserver/plugins/cert.py | 90 ++-
 ipaserver/plugins/hbactest.py | 19 +++--
 3 files changed, 105 insertions(+), 90 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index ff1178a..43a397d 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -2,12 +2,10 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import pyhbac
 import six
 
 from ipalib import api, errors, output
 from ipalib import Bool, Str, StrEnum
-from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
 from .baseldap import (
 LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery,
@@ -80,90 +78,6 @@
 register = Registry()
 
 
-def _acl_make_request(principal_type, principal, ca_id, profile_id):
-"""Construct HBAC request for the given principal, CA and profile"""
-
-req = pyhbac.HbacRequest()
-req.targethost.name = ca_id
-req.service.name = profile_id
-if principal_type == 'user':
-req.user.name = principal.username
-elif principal_type == 'host':
-req.user.name = principal.hostname
-elif principal_type == 'service':
-req.user.name = unicode(principal)
-groups = []
-if principal_type == 'user':
-user_obj = api.Command.user_show(principal.username)['result']
-groups = user_obj.get('memberof_group', [])
-groups += user_obj.get('memberofindirect_group', [])
-elif principal_type == 'host':
-host_obj = api.Command.host_show(principal.hostname)['result']
-groups = host_obj.get('memberof_hostgroup', [])
-groups += host_obj.get('memberofindirect_hostgroup', [])
-req.user.groups = sorted(set(groups))
-return req
-
-
-def _acl_make_rule(principal_type, obj):
-"""Turn CA ACL object into HBAC rule.
-
-``principal_type``
-String in {'user', 'host', 'service'}
-"""
-rule = pyhbac.HbacRule(obj['cn'][0])
-rule.enabled = obj['ipaenabledflag'][0]
-rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-
-# add CA(s)
-if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all':
-rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-# For compatibility with pre-lightweight-CAs CA ACLs,
-# no CA members implies the host authority (only)
-rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN])
-
-# add profiles
-if ('ipacertprofilecategory' in obj
-and obj['ipacertprofilecategory'][0].lower() == 'all'):
-rule.services.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-attr = 'ipamembercertprofile_certprofile'
-rule.services.names = obj.get(attr, [])
-
-# add principals and principal's groups
-category_attr = '{}category'.format(principal_type)
-if category_attr in obj and obj[category_attr][0].lower() == 'all':
-rule.users.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-if principal_type == 'user':
-rule.users.names = obj.get('memberuser_user', [])
-rule.users.groups = obj.get('memberuser_group', [])
-elif principal_type == 'host':
-rule.users.names = obj.get('memberhost_host', [])
-rule.users.groups = obj.get('memberhost_hostgroup', [])
-elif principal_type == 'service':
-rule.users.names = [
-unicode(principal)
-for principal in obj.get('memberservice_service', [])
-]
-
-return rule

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-03-14 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 87c7da85421aa145e7214547ee78edf297cb3b36 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:49:54 +0100
Subject: [PATCH 1/3] Conditionally import pyhbac

The pyhbac module is part of SSSD. It's not available as a stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tied into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditional. It's only necessary for the caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes 
---
 ipaserver/plugins/caacl.py| 86 -
 ipaserver/plugins/cert.py | 90 ++-
 ipaserver/plugins/hbactest.py | 19 +++--
 3 files changed, 105 insertions(+), 90 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index ff1178a..43a397d 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -2,12 +2,10 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import pyhbac
 import six
 
 from ipalib import api, errors, output
 from ipalib import Bool, Str, StrEnum
-from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
 from .baseldap import (
 LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery,
@@ -80,90 +78,6 @@
 register = Registry()
 
 
-def _acl_make_request(principal_type, principal, ca_id, profile_id):
-"""Construct HBAC request for the given principal, CA and profile"""
-
-req = pyhbac.HbacRequest()
-req.targethost.name = ca_id
-req.service.name = profile_id
-if principal_type == 'user':
-req.user.name = principal.username
-elif principal_type == 'host':
-req.user.name = principal.hostname
-elif principal_type == 'service':
-req.user.name = unicode(principal)
-groups = []
-if principal_type == 'user':
-user_obj = api.Command.user_show(principal.username)['result']
-groups = user_obj.get('memberof_group', [])
-groups += user_obj.get('memberofindirect_group', [])
-elif principal_type == 'host':
-host_obj = api.Command.host_show(principal.hostname)['result']
-groups = host_obj.get('memberof_hostgroup', [])
-groups += host_obj.get('memberofindirect_hostgroup', [])
-req.user.groups = sorted(set(groups))
-return req
-
-
-def _acl_make_rule(principal_type, obj):
-"""Turn CA ACL object into HBAC rule.
-
-``principal_type``
-String in {'user', 'host', 'service'}
-"""
-rule = pyhbac.HbacRule(obj['cn'][0])
-rule.enabled = obj['ipaenabledflag'][0]
-rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-
-# add CA(s)
-if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all':
-rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-# For compatibility with pre-lightweight-CAs CA ACLs,
-# no CA members implies the host authority (only)
-rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN])
-
-# add profiles
-if ('ipacertprofilecategory' in obj
-and obj['ipacertprofilecategory'][0].lower() == 'all'):
-rule.services.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-attr = 'ipamembercertprofile_certprofile'
-rule.services.names = obj.get(attr, [])
-
-# add principals and principal's groups
-category_attr = '{}category'.format(principal_type)
-if category_attr in obj and obj[category_attr][0].lower() == 'all':
-rule.users.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-if principal_type == 'user':
-rule.users.names = obj.get('memberuser_user', [])
-rule.users.groups = obj.get('memberuser_group', [])
-elif principal_type == 'host':
-rule.users.names = obj.get('memberhost_host', [])
-rule.users.groups = obj.get('memberhost_hostgroup', [])
-elif principal_type == 'service':
-rule.users.names = [
-unicode(principal)
-for principal in obj.get('memberservice_service', [])
-]
-
-return rule

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-03-01 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 1075a7a2db5fa9fd6016daf49d77f80c38bd9ce5 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:49:54 +0100
Subject: [PATCH 1/5] Conditionally import pyhbac

The pyhbac module is part of SSSD. It's not available as a stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tied into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditional. It's only necessary for the caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes 
---
 ipaserver/plugins/caacl.py| 11 ++-
 ipaserver/plugins/hbactest.py | 19 ---
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index a7817c4..691f4e9 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -2,7 +2,6 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import pyhbac
 import six
 
 from ipalib import api, errors, output
@@ -17,6 +16,11 @@
 from ipalib import _, ngettext
 from ipapython.dn import DN
 
+try:
+import pyhbac
+except ImportError:
+pyhbac = None
+
 if six.PY3:
 unicode = str
 
@@ -152,6 +156,11 @@ def _acl_make_rule(principal_type, obj):
 
 
 def acl_evaluate(principal_type, principal, ca_id, profile_id):
+if pyhbac is None:
+raise errors.ValidationError(
+name=_('missing pyhbac'),
+error=_('pyhbac is not available on the server.')
+)
 req = _acl_make_request(principal_type, principal, ca_id, profile_id)
 acls = api.Command.caacl_find(no_members=False)['result']
 rules = [_acl_make_rule(principal_type, obj) for obj in acls]
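Review bot: The guard added at the top of acl_evaluate() fails closed when pyhbac is missing, which is the safe outcome for a CA ACL check, but it reports a server deployment problem as errors.ValidationError, which ipalib presents, as far as I can tell, as an invalid-parameter message to the caller. An ipalib.errors class that denotes a server-side failure would describe the condition better, and the intent deserves a comment above the check, e.g. `# Fail closed: without pyhbac no CA ACL can be evaluated`. The `except ImportError` branch in the preceding hunk sets `pyhbac = None` without logging anything, so an administrator first learns of a missing or broken SSSD binding from this per-request error; logging the failed import once at module load would make that visible. The same guard is added to execute() in ipaserver/plugins/hbactest.py further down, and the other copies of this patch on the page carry the same hunks. acl_evaluate()'s body continues outside the hunk.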
diff --git a/ipaserver/plugins/hbactest.py b/ipaserver/plugins/hbactest.py
index 626e894..e156568 100644
--- a/ipaserver/plugins/hbactest.py
+++ b/ipaserver/plugins/hbactest.py
@@ -29,9 +29,14 @@
 except ImportError:
 _dcerpc_bindings_installed = False
 
-import pyhbac
 import six
 
+try:
+import pyhbac
+except ImportError:
+pyhbac = None
+
+
 if six.PY3:
 unicode = str
 
@@ -210,7 +215,7 @@
 
 register = Registry()
 
-def convert_to_ipa_rule(rule):
+def _convert_to_ipa_rule(rule):
 # convert a dict with a rule to an pyhbac rule
 ipa_rule = pyhbac.HbacRule(rule['cn'][0])
 ipa_rule.enabled = rule['ipaenabledflag'][0]
@@ -309,6 +314,14 @@ def canonicalize(self, host):
 return host
 
 def execute(self, *args, **options):
+if pyhbac is None:
+raise errors.ValidationError(
+name=_('missing pyhbac'),
+error=_(
+'pyhbac is not available on the server.'
+)
+)
+
 # First receive all needed information:
 # 1. HBAC rules (whether enabled or disabled)
 # 2. Required options are (user, target host, service)
@@ -356,7 +369,7 @@ def execute(self, *args, **options):
 # --disabled will import all disabled rules
 # --rules will implicitly add the rules from a rule list
 for rule in hbacset:
-ipa_rule = convert_to_ipa_rule(rule)
+ipa_rule = _convert_to_ipa_rule(rule)
 if ipa_rule.name in testrules:
 ipa_rule.enabled = True
 rules.append(ipa_rule)

From c2a5039f71e3e3ba434a13be32a0159446bdd38c Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:57:33 +0100
Subject: [PATCH 2/5] Add extra_requires for additional dependencies

ipaserver did not have extra_requires to state additional dependencies.

Signed-off-by: Christian Heimes 
---
 ipaserver/setup.py | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 95ba5eb..acdae5a 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -60,12 +60,6 @@
 "pyldap",
 "python-nss",
 "six",
-# not available on PyPI
-# "python-libipa_hbac",
-# "python-sss",
-# "python-sss-murmur",
-# "python-SSSDConfig",
- 

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-02-23 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From cff6590500682cde35148542cf7f078a31ca34a2 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:49:54 +0100
Subject: [PATCH 1/6] Conditionally import pyhbac

The pyhbac module is part of SSSD. It's not available as a stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tied into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditional. It's only necessary for the caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes 
---
 ipaserver/plugins/caacl.py| 11 ++-
 ipaserver/plugins/hbactest.py | 19 ---
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index a7817c4..691f4e9 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -2,7 +2,6 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import pyhbac
 import six
 
 from ipalib import api, errors, output
@@ -17,6 +16,11 @@
 from ipalib import _, ngettext
 from ipapython.dn import DN
 
+try:
+import pyhbac
+except ImportError:
+pyhbac = None
+
 if six.PY3:
 unicode = str
 
@@ -152,6 +156,11 @@ def _acl_make_rule(principal_type, obj):
 
 
 def acl_evaluate(principal_type, principal, ca_id, profile_id):
+if pyhbac is None:
+raise errors.ValidationError(
+name=_('missing pyhbac'),
+error=_('pyhbac is not available on the server.')
+)
 req = _acl_make_request(principal_type, principal, ca_id, profile_id)
 acls = api.Command.caacl_find(no_members=False)['result']
 rules = [_acl_make_rule(principal_type, obj) for obj in acls]
diff --git a/ipaserver/plugins/hbactest.py b/ipaserver/plugins/hbactest.py
index 626e894..e156568 100644
--- a/ipaserver/plugins/hbactest.py
+++ b/ipaserver/plugins/hbactest.py
@@ -29,9 +29,14 @@
 except ImportError:
 _dcerpc_bindings_installed = False
 
-import pyhbac
 import six
 
+try:
+import pyhbac
+except ImportError:
+pyhbac = None
+
+
 if six.PY3:
 unicode = str
 
@@ -210,7 +215,7 @@
 
 register = Registry()
 
-def convert_to_ipa_rule(rule):
+def _convert_to_ipa_rule(rule):
 # convert a dict with a rule to an pyhbac rule
 ipa_rule = pyhbac.HbacRule(rule['cn'][0])
 ipa_rule.enabled = rule['ipaenabledflag'][0]
@@ -309,6 +314,14 @@ def canonicalize(self, host):
 return host
 
 def execute(self, *args, **options):
+if pyhbac is None:
+raise errors.ValidationError(
+name=_('missing pyhbac'),
+error=_(
+'pyhbac is not available on the server.'
+)
+)
+
 # First receive all needed information:
 # 1. HBAC rules (whether enabled or disabled)
 # 2. Required options are (user, target host, service)
@@ -356,7 +369,7 @@ def execute(self, *args, **options):
 # --disabled will import all disabled rules
 # --rules will implicitly add the rules from a rule list
 for rule in hbacset:
-ipa_rule = convert_to_ipa_rule(rule)
+ipa_rule = _convert_to_ipa_rule(rule)
 if ipa_rule.name in testrules:
 ipa_rule.enabled = True
 rules.append(ipa_rule)

From b094db2321ef425bb14fb031247a2af89f1d6b90 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:57:33 +0100
Subject: [PATCH 2/6] Add extra_requires for additional dependencies

ipaserver did not have extra_requires to state additional dependencies.

Signed-off-by: Christian Heimes 
---
 ipaserver/setup.py | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 95ba5eb..acdae5a 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -60,12 +60,6 @@
 "pyldap",
 "python-nss",
 "six",
-# not available on PyPI
-# "python-libipa_hbac",
-# "python-sss",
-# "python-sss-murmur",
-# "python-SSSDConfig",
- 

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-02-21 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 96f614ea132f61c1d052d831568c8b5e2aa3fa34 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:49:54 +0100
Subject: [PATCH 1/5] Conditionally import pyhbac

The pyhbac module is part of SSSD. It's not available as a stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tied into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditional. It's only necessary for the caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes 
---
 ipaserver/plugins/caacl.py| 11 ++-
 ipaserver/plugins/hbactest.py | 19 ---
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index a7817c4..691f4e9 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -2,7 +2,6 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import pyhbac
 import six
 
 from ipalib import api, errors, output
@@ -17,6 +16,11 @@
 from ipalib import _, ngettext
 from ipapython.dn import DN
 
+try:
+import pyhbac
+except ImportError:
+pyhbac = None
+
 if six.PY3:
 unicode = str
 
@@ -152,6 +156,11 @@ def _acl_make_rule(principal_type, obj):
 
 
 def acl_evaluate(principal_type, principal, ca_id, profile_id):
+if pyhbac is None:
+raise errors.ValidationError(
+name=_('missing pyhbac'),
+error=_('pyhbac is not available on the server.')
+)
 req = _acl_make_request(principal_type, principal, ca_id, profile_id)
 acls = api.Command.caacl_find(no_members=False)['result']
 rules = [_acl_make_rule(principal_type, obj) for obj in acls]
diff --git a/ipaserver/plugins/hbactest.py b/ipaserver/plugins/hbactest.py
index 626e894..e156568 100644
--- a/ipaserver/plugins/hbactest.py
+++ b/ipaserver/plugins/hbactest.py
@@ -29,9 +29,14 @@
 except ImportError:
 _dcerpc_bindings_installed = False
 
-import pyhbac
 import six
 
+try:
+import pyhbac
+except ImportError:
+pyhbac = None
+
+
 if six.PY3:
 unicode = str
 
@@ -210,7 +215,7 @@
 
 register = Registry()
 
-def convert_to_ipa_rule(rule):
+def _convert_to_ipa_rule(rule):
 # convert a dict with a rule to an pyhbac rule
 ipa_rule = pyhbac.HbacRule(rule['cn'][0])
 ipa_rule.enabled = rule['ipaenabledflag'][0]
@@ -309,6 +314,14 @@ def canonicalize(self, host):
 return host
 
 def execute(self, *args, **options):
+if pyhbac is None:
+raise errors.ValidationError(
+name=_('missing pyhbac'),
+error=_(
+'pyhbac is not available on the server.'
+)
+)
+
 # First receive all needed information:
 # 1. HBAC rules (whether enabled or disabled)
 # 2. Required options are (user, target host, service)
@@ -356,7 +369,7 @@ def execute(self, *args, **options):
 # --disabled will import all disabled rules
 # --rules will implicitly add the rules from a rule list
 for rule in hbacset:
-ipa_rule = convert_to_ipa_rule(rule)
+ipa_rule = _convert_to_ipa_rule(rule)
 if ipa_rule.name in testrules:
 ipa_rule.enabled = True
 rules.append(ipa_rule)

From 6d73ae828d7a18b813338cc5a5770a53d0fd29b8 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:57:33 +0100
Subject: [PATCH 2/5] Add extra_requires for additional dependencies

ipaserver did not have extra_requires to state additional dependencies.

Signed-off-by: Christian Heimes 
---
 ipaserver/setup.py | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 95ba5eb..acdae5a 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -60,12 +60,6 @@
 "pyldap",
 "python-nss",
 "six",
-# not available on PyPI
-# "python-libipa_hbac",
-# "python-sss",
-# "python-sss-murmur",
-# "python-SSSDConfig",
- 

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-01-23 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 1f195bb418a1a0edbce3371e1fd315263ccb7f5f Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:49:54 +0100
Subject: [PATCH 1/4] Conditionally import pyhbac

The pyhbac module is part of SSSD. It's not available as a stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tied into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditional. It's only necessary for the caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes 
---
 ipaserver/plugins/caacl.py| 11 ++-
 ipaserver/plugins/hbactest.py | 19 ---
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index a7817c4..691f4e9 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -2,7 +2,6 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import pyhbac
 import six
 
 from ipalib import api, errors, output
@@ -17,6 +16,11 @@
 from ipalib import _, ngettext
 from ipapython.dn import DN
 
+try:
+import pyhbac
+except ImportError:
+pyhbac = None
+
 if six.PY3:
 unicode = str
 
@@ -152,6 +156,11 @@ def _acl_make_rule(principal_type, obj):
 
 
 def acl_evaluate(principal_type, principal, ca_id, profile_id):
+if pyhbac is None:
+raise errors.ValidationError(
+name=_('missing pyhbac'),
+error=_('pyhbac is not available on the server.')
+)
 req = _acl_make_request(principal_type, principal, ca_id, profile_id)
 acls = api.Command.caacl_find(no_members=False)['result']
 rules = [_acl_make_rule(principal_type, obj) for obj in acls]
diff --git a/ipaserver/plugins/hbactest.py b/ipaserver/plugins/hbactest.py
index 626e894..e156568 100644
--- a/ipaserver/plugins/hbactest.py
+++ b/ipaserver/plugins/hbactest.py
@@ -29,9 +29,14 @@
 except ImportError:
 _dcerpc_bindings_installed = False
 
-import pyhbac
 import six
 
+try:
+import pyhbac
+except ImportError:
+pyhbac = None
+
+
 if six.PY3:
 unicode = str
 
@@ -210,7 +215,7 @@
 
 register = Registry()
 
-def convert_to_ipa_rule(rule):
+def _convert_to_ipa_rule(rule):
 # convert a dict with a rule to an pyhbac rule
 ipa_rule = pyhbac.HbacRule(rule['cn'][0])
 ipa_rule.enabled = rule['ipaenabledflag'][0]
@@ -309,6 +314,14 @@ def canonicalize(self, host):
 return host
 
 def execute(self, *args, **options):
+if pyhbac is None:
+raise errors.ValidationError(
+name=_('missing pyhbac'),
+error=_(
+'pyhbac is not available on the server.'
+)
+)
+
 # First receive all needed information:
 # 1. HBAC rules (whether enabled or disabled)
 # 2. Required options are (user, target host, service)
@@ -356,7 +369,7 @@ def execute(self, *args, **options):
 # --disabled will import all disabled rules
 # --rules will implicitly add the rules from a rule list
 for rule in hbacset:
-ipa_rule = convert_to_ipa_rule(rule)
+ipa_rule = _convert_to_ipa_rule(rule)
 if ipa_rule.name in testrules:
 ipa_rule.enabled = True
 rules.append(ipa_rule)

From c69c30c2e62b065d061b509fe054f17097fbeec0 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:57:33 +0100
Subject: [PATCH 2/4] Add extra_requires for additional dependencies

ipaserver did not have extra_requires to state additional dependencies.

Signed-off-by: Christian Heimes 
---
 ipaserver/setup.py | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 1f1b424..1468a24 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -61,12 +61,6 @@
 "python-memcached",
 "python-nss",
 "six",
-# not available on PyPI
-# "python-libipa_hbac",
-# "python-sss",
-# "python-sss-murmur",
-# "python-SSSDConfig",