[Freeipa-devel] [freeipa PR#299][comment] Remove "Request Certificate with SubjectAltName" permission

2016-12-21 Thread martbab 
  URL: https://github.com/freeipa/freeipa/pull/299
Title: #299: Remove "Request Certificate with SubjectAltName" permission

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/bdbb1c34a2f5ef864cd3a943dcd047cde20de681
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/299#issuecomment-268560529
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#299][comment] Remove "Request Certificate with SubjectAltName" permission

2016-12-20 Thread frasertweedale 
  URL: https://github.com/freeipa/freeipa/pull/299
Title: #299: Remove "Request Certificate with SubjectAltName" permission

frasertweedale commented:
"""
@martbab I don't think this will break migrations from v3; it does not actively 
remove the permission from existing deployments, it just doesn't add it for new 
installations.  (Admittedly, it is the next thing to test but I have not done 
so yet).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/299#issuecomment-268450765
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#299][comment] Remove "Request Certificate with SubjectAltName" permission

2016-12-20 Thread frasertweedale 
  URL: https://github.com/freeipa/freeipa/pull/299
Title: #299: Remove "Request Certificate with SubjectAltName" permission

frasertweedale commented:
"""
On Tue, Dec 20, 2016 at 07:11:08AM -0800, Martin Babinsky wrote:
> Bumping this PR as it seems a bit forgotten.
> 
Cheers.  Not forgotten, just not my top priority right now.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/299#issuecomment-268377852
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#299][comment] Remove "Request Certificate with SubjectAltName" permission

2016-12-20 Thread martbab 
  URL: https://github.com/freeipa/freeipa/pull/299
Title: #299: Remove "Request Certificate with SubjectAltName" permission

martbab commented:
"""
Bumping this PR as it seems a bit forgotten.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/299#issuecomment-268267300
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#299][comment] Remove "Request Certificate with SubjectAltName" permission

2016-12-12 Thread martbab 
  URL: https://github.com/freeipa/freeipa/pull/299
Title: #299: Remove "Request Certificate with SubjectAltName" permission

martbab commented:
"""
I have put on my Travis moustache and found these two failing tests, you will 
have to fix them:

```
=== FAILURES ===
 test_permission_legacy.test_command[: permission_find: Check that some 
legacy permission is found in $SUFFIX]


self = 
index = 0
declarative_test_definition = {'command': ('permission_find', [], 
{'ipapermlocation': ipapython.dn.DN('dc=ipa,dc=test'), 'version': '2.216'}), 
'desc...6e430230>, 'truncated': False}, 'nice': ': permission_find: Check 
that some legacy permission is found in $SUFFIX'}
def test_command(self, index, declarative_test_definition):
"""Run an individual test

The arguments are provided by the pytest plugin.
"""
if callable(declarative_test_definition):
declarative_test_definition(self)

else:

>   self.check(**declarative_test_definition)

/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/xmlrpc_test.py:318:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/xmlrpc_test.py:330: in 
check
self.check_output(nice, cmd, args, options, expected, extra_check)
/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/xmlrpc_test.py:379: in 
check_output
assert_deepequal(expected, got, nice)
/usr/lib/python2.7/site-packages/ipatests/util.py:388: in assert_deepequal
assert_deepequal(e_sub, g_sub, doc, stack + (key,))
/usr/lib/python2.7/site-packages/ipatests/util.py:390: in assert_deepequal
if not expected(got):
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

results = [{'attrs': ('objectclass',), 'cn': ('Certificate Remove Hold',), 
'dn': 'cn=Certificate Remove Hold,cn=permissions,cn=p...eve Certificates from 
the CA,cn=permissions,cn=pbac,dc=ipa,dc=test', 'ipapermbindruletype': 
('permission',), ...}, ...]

def check_legacy_results(results):
"""Check that the expected number of legacy permissions are in 
$SUFFIX"""
legacy_permissions = [p for p in results
  if not p.get('ipapermissiontype')]

print(legacy_permissions)

>   assert len(legacy_permissions) == 9, len(legacy_permissions)
E   AssertionError: 8
E   assert 8 == 9

E+  where 8 = len([{'attrs': ('objectclass',), 'cn': ('Certificate 
Remove Hold',), 'dn': 'cn=Certificate Remove Hold,cn=permissions,cn=p...eve 
Certificates from the CA,cn=permissions,cn=pbac,dc=ipa,dc=test', 
'ipapermbindruletype': ('permission',), ...}, ...])

/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/test_permission_plugin.py:3128:
 AssertionError
```

I also wonder if there is a possibility for this removal to break replica 
install against older (IPA v3) masters.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/299#issuecomment-266423674
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code