Re: [Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings
On 2.7.2014 14:27, Martin Basti wrote:
> On Wed, 2014-07-02 at 13:17 +0200, Martin Basti wrote:
> > On Wed, 2014-07-02 at 09:39 +0200, Petr Viktorin wrote:
> > > On 07/01/2014 03:15 PM, Martin Basti wrote:
> > > > On Tue, 2014-07-01 at 14:24 +0200, Martin Basti wrote:
> > > >> Ticket: https://fedorahosted.org/freeipa/ticket/4413
> > > >> Patches attached
> > > >
> > > > Rebased patches attached
> > >
> > > 0084:
> > > in dns.py, you'll also want to remove NSEC3PARAMRecord from
> > > _dns_records. Otherwise I still see it in API.txt for dnsrecord_add &
> > > friends.
> > If I remove it, it breaks dns.py. I haven't added NSEC3PARAMRecord into
> > _dns_records in the original patch.
> >
> > > 0085:
> > > _nsec3param_errmsg will not get picked up by xgettext, so it won't be
> > > translated. The argument to _() must be a literal string, not a variable.
>
> Updated patch attached (API.txt updated)

ACK

pushed to master:
* ff7b44e3b09b2e94fde66f918a6d1fb6db043d80 Remove NSEC3PARAM record
* 30551a8aa30dcd39b3ae4c2fe97a163620773730 Add NSEC3PARAM to zone settings
* 01b95805ab1428e10c79abf70c9bc9e2baf9de21 NSEC3PARAM tests

--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings
On Wed, 2014-07-02 at 13:17 +0200, Martin Basti wrote:
> On Wed, 2014-07-02 at 09:39 +0200, Petr Viktorin wrote:
> > On 07/01/2014 03:15 PM, Martin Basti wrote:
> > > On Tue, 2014-07-01 at 14:24 +0200, Martin Basti wrote:
> > >> Ticket: https://fedorahosted.org/freeipa/ticket/4413
> > >> Patches attached
> > >
> > > Rebased patches attached
> >
> > 0084:
> > in dns.py, you'll also want to remove NSEC3PARAMRecord from
> > _dns_records. Otherwise I still see it in API.txt for dnsrecord_add &
> > friends.
> If I remove it, it breaks dns.py. I haven't added NSEC3PARAMRecord into
> _dns_records in the original patch.
>
> > 0085:
> > _nsec3param_errmsg will not get picked up by xgettext, so it won't be
> > translated. The argument to _() must be a literal string, not a variable.

Updated patch attached (API.txt updated)

--
Martin^2 Basti

>From e5e567aae2e7fb8641fdfb8d59e361c533b6c0a5 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 30 Jun 2014 18:29:40 +0200 Subject: [PATCH 2/3] Add NSEC3PARAM to zone settings Ticket: https://fedorahosted.org/freeipa/ticket/4413 --- ACI.txt | 4 ++-- API.txt | 9 +--- VERSION | 4 ++-- install/share/60ipadns.ldif | 2 +- install/ui/src/freeipa/dns.js | 3 ++- install/updates/40-dns.update | 2 +- ipalib/plugins/dns.py | 50 --- 7 files changed, 61 insertions(+), 13 deletions(-) diff --git a/ACI.txt b/ACI.txt index b8dfb56a2abea937823cdaed08322dea3dc0c0ef..8e73c5c8541154e73c201994de828aa43c3777b1 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -39,11 +39,11 @@ aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || i dn: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example -aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || 
minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example -aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecor
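Review bot: In the ACI.txt hunk, the "System: Read DNS Entries" `+aci:` line puts nsec3paramrecord back into targetattr (between naptrrecord and nsecrecord), so the attribute is again covered by the record-level read permission even though the subject line moves it to zone settings. The matching "System: Update DNS Entries" line is cut off in this copy, so please confirm whether write access to the attribute is still meant to come from that record-level permission, and say so in the commit message, which currently carries only the subject and the ticket link.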
Re: [Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings
On Wed, 2014-07-02 at 09:39 +0200, Petr Viktorin wrote:
> On 07/01/2014 03:15 PM, Martin Basti wrote:
> > On Tue, 2014-07-01 at 14:24 +0200, Martin Basti wrote:
> >> Ticket: https://fedorahosted.org/freeipa/ticket/4413
> >> Patches attached
> >
> > Rebased patches attached
>
> 0084:
> in dns.py, you'll also want to remove NSEC3PARAMRecord from
> _dns_records. Otherwise I still see it in API.txt for dnsrecord_add &
> friends.

If I remove it, it breaks dns.py. I haven't added NSEC3PARAMRecord into _dns_records in the original patch.

> 0085:
> _nsec3param_errmsg will not get picked up by xgettext, so it won't be
> translated. The argument to _() must be a literal string, not a variable.

--
Martin^2 Basti
Re: [Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings
On 1.7.2014 15:15, Martin Basti wrote:
> On Tue, 2014-07-01 at 14:24 +0200, Martin Basti wrote:
>> Ticket: https://fedorahosted.org/freeipa/ticket/4413
>> Patches attached
>
> Rebased patches attached

Besides #1, mostly minor stuff.

1. The regex r'^\d+ \d+ \d+ ([0-9a-fA-F]+|-)$' should be extended to validate even number of hex chars, e.g.:

"^\d+ \d+ \d+ ((([0-9a-fA-F]{2})+)|-)$"

Should be then also reflected in _nsec3param_errmsg

This change will make Web UI more usable.

2. abbreviation 'alg' in 'hash_alg' is not so common as, for example, 'arg'. Full 'hash_algorithm' is more clear, there is enough space.

+doc=_('NSEC3PARAM record for zone in format: hash_alg flags iterations salt'),

3. I think we should rather catch TypeError

+try:
+binascii.a2b_hex(salt)
+except Exception, e:
+return _('salt value: %(err)s') % {'err': e}

4. Extra empty line

+pattern_errmsg=_nsec3param_errmsg,
+
+),

Unrelated:

5. IMO framework should be extended to support translations in `pattern_errmsg`

--
Petr Vobornik
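The salt checks from review points 1 and 3 above, worked through as an added example (not code from the patch or from FreeIPA): both regexes from the review are run over constructed values, and the salt is then decoded with a narrow exception handler. The numeric range limits go beyond the thread and come from the NSEC3PARAM wire format in RFC 5155; the function names and sample values are assumptions made for this illustration.

```python
import binascii
import re

# Pattern quoted from the original patch: any number of hex digits passes.
ORIGINAL_RE = re.compile(r'^\d+ \d+ \d+ ([0-9a-fA-F]+|-)$')
# Pattern proposed in the review: hex digits must come in pairs (whole octets).
PROPOSED_RE = re.compile(r'^\d+ \d+ \d+ ((([0-9a-fA-F]{2})+)|-)$')

# Assumption added here (RFC 5155 wire format): hash algorithm and flags are
# one octet each, iterations is 16 bits, salt length is one octet.
LIMITS = (('hash algorithm', 255), ('flags', 255), ('iterations', 65535))
MAX_SALT_OCTETS = 255


def validate_nsec3param(value):
    """Return None when value is acceptable, otherwise an error string."""
    if not PROPOSED_RE.match(value):
        return 'expected format: hash_algorithm flags iterations salt'
    fields = value.split(' ')
    for (name, maximum), text in zip(LIMITS, fields[:3]):
        if int(text) > maximum:
            return '%s: number out of range 0..%d' % (name, maximum)
    salt = fields[3]
    if salt != '-':  # "-" stands for an empty salt
        try:
            raw = binascii.a2b_hex(salt)
        except binascii.Error as e:  # Python 3; Python 2 raised TypeError
            return 'salt value: %s' % e
        if len(raw) > MAX_SALT_OCTETS:
            return 'salt value: longer than %d octets' % MAX_SALT_OCTETS
    return None


# Constructed sample values, not taken from the thread.
SAMPLES = ['1 0 10 ABCD', '1 0 10 -', '1 0 10 ABC', '1 0 10 xyz',
           '1 0 70000 AB', '256 0 1 AB', '1 0 10']


def compare_patterns(samples=SAMPLES):
    """Rows of (value, original regex ok, proposed regex ok, validator result)."""
    return [(s, bool(ORIGINAL_RE.match(s)), bool(PROPOSED_RE.match(s)),
             validate_nsec3param(s)) for s in samples]


if __name__ == '__main__':
    for row in compare_patterns():
        print(row)
```

The value `1 0 10 ABC` is the case point 1 is about: the original pattern accepts it, so the odd-length salt would only be caught later by `a2b_hex`, while the proposed pattern rejects it at the pattern stage.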
Re: [Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings
On 07/01/2014 03:15 PM, Martin Basti wrote:
> On Tue, 2014-07-01 at 14:24 +0200, Martin Basti wrote:
>> Ticket: https://fedorahosted.org/freeipa/ticket/4413
>> Patches attached
>
> Rebased patches attached

0084:
in dns.py, you'll also want to remove NSEC3PARAMRecord from _dns_records. Otherwise I still see it in API.txt for dnsrecord_add & friends.

0085:
_nsec3param_errmsg will not get picked up by xgettext, so it won't be translated. The argument to _() must be a literal string, not a variable.

--
Petr³
Re: [Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings
On Tue, 2014-07-01 at 14:24 +0200, Martin Basti wrote:
> Ticket: https://fedorahosted.org/freeipa/ticket/4413
> Patches attached

Rebased patches attached

--
Martin^2 Basti

>From e9156fea72f0f6fcea64ac26696a7c6256f73ab6 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 30 Jun 2014 17:17:02 +0200 Subject: [PATCH 1/3] Remove NSEC3PARAM record Ticket: https://fedorahosted.org/freeipa/ticket/4413 --- ACI.txt | 4 +-- API.txt | 12 ++- VERSION | 4 +-- install/share/60ipadns.ldif | 2 +- install/ui/src/freeipa/dns.js | 16 + install/updates/40-dns.update | 2 +- ipalib/plugins/dns.py | 48 ++--- ipatests/test_xmlrpc/test_dns_plugin.py | 62 - 8 files changed, 12 insertions(+), 138 deletions(-) diff --git a/ACI.txt b/ACI.txt index 8e73c5c8541154e73c201994de828aa43c3777b1..b8dfb56a2abea937823cdaed08322dea3dc0c0ef 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -39,11 +39,11 @@ aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || i dn: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example -aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || 
managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example -aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entrie
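Review bot: The commit message gives only the subject and the ticket link, yet the ACI.txt hunk takes nsec3paramrecord out of the "System: Read DNS Entries" targetattr, and 2/3 in this thread puts it straight back (the two ACI.txt index lines carry the same pair of blob ids, reversed). Please state in the message what happens to entries that already hold nsec3paramrecord while only 1/3 is applied, or keep the attribute in the permission here so that the series never withdraws read access to it in between.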
[Freeipa-devel] [PATCHES 0084-0086] NSEC3PARAM DNS record should be in DNS zone settings
Ticket: https://fedorahosted.org/freeipa/ticket/4413

Patches attached

--
Martin^2 Basti

>From f114f904695a60893bf1fd2801b50843e2d33b73 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 30 Jun 2014 17:17:02 +0200 Subject: [PATCH 1/3] Remove NSEC3PARAM record Ticket: https://fedorahosted.org/freeipa/ticket/4413 --- ACI.txt | 4 +-- API.txt | 12 ++- VERSION | 4 +-- install/share/60ipadns.ldif | 2 +- install/ui/src/freeipa/dns.js | 16 + install/updates/40-dns.update | 2 +- ipalib/plugins/dns.py | 48 ++--- ipatests/test_xmlrpc/test_dns_plugin.py | 62 - 8 files changed, 12 insertions(+), 138 deletions(-) diff --git a/ACI.txt b/ACI.txt index 8e73c5c8541154e73c201994de828aa43c3777b1..b8dfb56a2abea937823cdaed08322dea3dc0c0ef 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -39,11 +39,11 @@ aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || i dn: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example -aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || 
managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example -aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdat
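Review bot: A negative test is missing from this patch: the diffstat shows 62 changed lines in ipatests/test_xmlrpc/test_dns_plugin.py against only 12 insertions across all 8 files, so the NSEC3PARAM record tests are taken out and nothing here asserts that the record type is now refused. Adding one test in this patch that expects dnsrecord_add to reject an NSEC3PARAM value would pin the removal on its own, without relying on the tests that arrive later in the series.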