URL: https://github.com/freeipa/freeipa/pull/774
Author: stlaz
 Title: #774: Deprecate pkinit-anonymous command
Action: opened

PR body:
"""
Since v4.5, FreeIPA expects at least some kind of
anonymous PKINIT to work. Deprecate the command which is
capable of turning this feature off.

https://pagure.io/freeipa/issue/6936
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/774/head:pr774
git checkout pr774
From 83d1b5170ebe9ad1c01c75d6738c3d0fd59c0ef1 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 10 May 2017 15:54:21 +0200
Subject: [PATCH] Deprecate pkinit-anonymous command

Since v4.5, FreeIPA expects at least some kind of
anonymous PKINIT to work. Deprecate the command which is
capable of turning this feature off.

https://pagure.io/freeipa/issue/6936
---
 ipaserver/plugins/pkinit.py | 74 ++++++++++-----------------------------------
 1 file changed, 16 insertions(+), 58 deletions(-)

diff --git a/ipaserver/plugins/pkinit.py b/ipaserver/plugins/pkinit.py
index b6b3f38..9d58c6e 100644
--- a/ipaserver/plugins/pkinit.py
+++ b/ipaserver/plugins/pkinit.py
@@ -17,36 +17,21 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-from ipalib import api, errors
 from ipalib import Str
 from ipalib import Object, Command
 from ipalib import _
+from ipalib import messages
 from ipalib.plugable import Registry
-from ipalib.constants import ANON_USER
-from ipapython.dn import DN
 
 __doc__ = _("""
 Kerberos pkinit options
 
-Enable or disable anonymous pkinit using the principal
-WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with
-pkinit support.
-
-EXAMPLES:
-
- Enable anonymous pkinit:
-  ipa pkinit-anonymous enable
-
- Disable anonymous pkinit:
-  ipa pkinit-anonymous disable
-
-For more information on anonymous pkinit see:
-
-http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit
+This module is deprecated since FreeIPA 4.5.1
 """)
 
 register = Registry()
 
+
 @register()
 class pkinit(Object):
     """
@@ -57,49 +42,22 @@ class pkinit(Object):
     label=_('PKINIT')
 
 
-def valid_arg(ugettext, action):
-    """
-    Accepts only Enable/Disable.
-    """
-    a = action.lower()
-    if a != 'enable' and a != 'disable':
-        raise errors.ValidationError(
-            name='action',
-            error=_('Unknown command %s') % action
-        )
-
 @register()
 class pkinit_anonymous(Command):
-    __doc__ = _('Enable or Disable Anonymous PKINIT.')
-
-    princ_name = '%s@%s' % (ANON_USER, api.env.realm)
-    default_dn = DN(('krbprincipalname', princ_name), ('cn', api.env.realm), ('cn', 'kerberos'), api.env.basedn)
+    __doc__ = _('Originally to enable or disable Anonymous PKINIT.\n'
+                'Deprecated since FreeIPA 4.5.1')
 
     takes_args = (
-        Str('action', valid_arg),
+        Str('action?'),
     )
 
-    def execute(self, action, **options):
-        ldap = self.api.Backend.ldap2
-        set_lock = False
-        lock = None
-
-        entry_attrs = ldap.get_entry(self.default_dn, ['nsaccountlock'])
-
-        if 'nsaccountlock' in entry_attrs:
-            lock = entry_attrs['nsaccountlock'][0].lower()
-
-        if action.lower() == 'enable':
-            if lock == 'true':
-                set_lock = True
-                lock = None
-        elif action.lower() == 'disable':
-            if lock != 'true':
-                set_lock = True
-                lock = 'TRUE'
-
-        if set_lock:
-            entry_attrs['nsaccountlock'] = lock
-            ldap.update_entry(entry_attrs)
-
-        return dict(result=True)
+    def execute(self, **options):
+        self.add_message(
+            messages.CommandDeprecatedWarning(
+                command='pkinit-anonymous',
+                additional_info=_('This command was deprecated in '
+                                  'FreeIPA 4.5.1 because Anonymous PKINIT is '
+                                  'required for the system to work.')
+            )
+        )
+        return {'result': None}
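Review bot: `execute(self, **options)` no longer accepts the `action` argument that `takes_args` still declares as `Str('action?')`. The removed signature `execute(self, action, **options)` suggests the framework passes declared arguments to `execute` positionally; if so, every call would raise a TypeError before the deprecation warning is attached. Accepting and ignoring the argument, `def execute(self, action=None, **options):`, works under either calling convention. Separately, `ipa pkinit-anonymous disable` now returns normally without touching `nsaccountlock`, so an administrator or script that relies on it to lock the anonymous principal gets only a warning while the principal stays usable. The `additional_info` text should say so explicitly, for example by appending `'No change was made to the anonymous principal.'`.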
-- 