Re: [Freeipa-devel] [PATCH 190] expose `--secret` option in radiusproxy-* commands

2016-09-07 Thread Jan Cholasta

On 7.9.2016 16:13, Martin Babinsky wrote:

On 09/07/2016 03:55 PM, Jan Cholasta wrote:

On 21.7.2016 10:50, Jan Cholasta wrote:

On 21.7.2016 10:13, Martin Babinsky wrote:

On 07/20/2016 12:10 PM, Martin Babinsky wrote:

On 07/19/2016 12:32 PM, Jan Cholasta wrote:

Hi,

On 18.7.2016 13:51, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/6078


I don't think we want the secret searchable. Add a 'no_search'
flag to
the param to fix that.

Honza



'no_search' flag breaks the API backwards compatibility, so I am
sending
another two patches which fix handling of deprecated options in the
framework and deprecate `--secret` in radiusproxy-find command.

I hope this solution is the best.




After discussion with Jan we realized that it is enough to hide the
'--secret' option from CLI, not deprecate it.

Re-sending patch 190 and updated 193.1.


Thanks, ACK.

Pushed to master: 66da08445370f7024a6a529a6659714c33b7525e


Patch 192 will be send in
separate thread since the actual issue it fixes is orthogonal to this
one and requires a separate ticket.


Right. ATM this only affects --srchostcat in hbacrule-find.


Bump so that patch 192 is not forgotten.



Patch 192 was pushed as a fix to
https://fedorahosted.org/freeipa/ticket/6190.


Okay.

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 190] expose `--secret` option in radiusproxy-* commands

2016-09-07 Thread Martin Babinsky

On 09/07/2016 03:55 PM, Jan Cholasta wrote:

On 21.7.2016 10:50, Jan Cholasta wrote:

On 21.7.2016 10:13, Martin Babinsky wrote:

On 07/20/2016 12:10 PM, Martin Babinsky wrote:

On 07/19/2016 12:32 PM, Jan Cholasta wrote:

Hi,

On 18.7.2016 13:51, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/6078


I don't think we want the secret searchable. Add a 'no_search' flag to
the param to fix that.

Honza



'no_search' flag breaks the API backwards compatibility, so I am
sending
another two patches which fix handling of deprecated options in the
framework and deprecate `--secret` in radiusproxy-find command.

I hope this solution is the best.




After discussion with Jan we realized that it is enough to hide the
'--secret' option from CLI, not deprecate it.

Re-sending patch 190 and updated 193.1.


Thanks, ACK.

Pushed to master: 66da08445370f7024a6a529a6659714c33b7525e


Patch 192 will be send in
separate thread since the actual issue it fixes is orthogonal to this
one and requires a separate ticket.


Right. ATM this only affects --srchostcat in hbacrule-find.


Bump so that patch 192 is not forgotten.



Patch 192 was pushed as a fix to 
https://fedorahosted.org/freeipa/ticket/6190.


--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 190] expose `--secret` option in radiusproxy-* commands

2016-09-07 Thread Jan Cholasta

On 21.7.2016 10:50, Jan Cholasta wrote:

On 21.7.2016 10:13, Martin Babinsky wrote:

On 07/20/2016 12:10 PM, Martin Babinsky wrote:

On 07/19/2016 12:32 PM, Jan Cholasta wrote:

Hi,

On 18.7.2016 13:51, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/6078


I don't think we want the secret searchable. Add a 'no_search' flag to
the param to fix that.

Honza



'no_search' flag breaks the API backwards compatibility, so I am sending
another two patches which fix handling of deprecated options in the
framework and deprecate `--secret` in radiusproxy-find command.

I hope this solution is the best.




After discussion with Jan we realized that it is enough to hide the
'--secret' option from CLI, not deprecate it.

Re-sending patch 190 and updated 193.1.


Thanks, ACK.

Pushed to master: 66da08445370f7024a6a529a6659714c33b7525e


Patch 192 will be send in
separate thread since the actual issue it fixes is orthogonal to this
one and requires a separate ticket.


Right. ATM this only affects --srchostcat in hbacrule-find.


Bump so that patch 192 is not forgotten.

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 190] expose `--secret` option in radiusproxy-* commands

2016-07-21 Thread Martin Babinsky

On 07/20/2016 12:10 PM, Martin Babinsky wrote:

On 07/19/2016 12:32 PM, Jan Cholasta wrote:

Hi,

On 18.7.2016 13:51, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/6078


I don't think we want the secret searchable. Add a 'no_search' flag to
the param to fix that.

Honza



'no_search' flag breaks the API backwards compatibility, so I am sending
another two patches which fix handling of deprecated options in the
framework and deprecate `--secret` in radiusproxy-find command.

I hope this solution is the best.



After discussion with Jan we realized that it is enough to hide the 
'--secret' option from CLI, not deprecate it.


Re-sending patch 190 and updated 193.1. Patch 192 will be send in 
separate thread since the actual issue it fixes is orthogonal to this 
one and requires a separate ticket.


--
Martin^3 Babinsky
From 645b7ece72e902c9b108d41a5e71d7e88a48720f Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 18 Jul 2016 10:45:48 +0200
Subject: [PATCH] expose `--secret` option in radiusproxy-* commands

Option `--secret` was hidden from radiusproxy CLI preventing setting a secret
on existing server or searching by secret. Since thin client implementation it
was also not recognized by the interactive prompt code in CLI frontend since
it never got there.

https://fedorahosted.org/freeipa/ticket/6078
---
 ipaserver/plugins/radiusproxy.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipaserver/plugins/radiusproxy.py b/ipaserver/plugins/radiusproxy.py
index 44d87b9ae1337278bb6237d471f64693b0eac3db..5657e002c1ce66335b7697b98f95a49207c61d87 100644
--- a/ipaserver/plugins/radiusproxy.py
+++ b/ipaserver/plugins/radiusproxy.py
@@ -126,7 +126,6 @@ class radiusproxy(LDAPObject):
 label=_('Secret'),
 doc=_('The secret used to encrypt data'),
 confirm=True,
-flags=['no_option'],
 ),
 Int('ipatokenradiustimeout?',
 cli_name='timeout',
-- 
2.7.4

From 5542508919a0615b4088329ba80eb92002d45f0f Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 21 Jul 2016 09:42:01 +0200
Subject: [PATCH] prevent search for RADIUS proxy servers by secret

radiusproxy-find should not allow search by proxy secret even for privileged
users so we should hide it from CLI.

https://fedorahosted.org/freeipa/ticket/6078
---
 ipaserver/plugins/radiusproxy.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipaserver/plugins/radiusproxy.py b/ipaserver/plugins/radiusproxy.py
index 5657e002c1ce66335b7697b98f95a49207c61d87..3391b8aed77205fb1a586d5472d8cfdbc9fd1cd5 100644
--- a/ipaserver/plugins/radiusproxy.py
+++ b/ipaserver/plugins/radiusproxy.py
@@ -169,6 +169,14 @@ class radiusproxy_find(LDAPSearch):
 '%(count)d RADIUS proxy server matched', '%(count)d RADIUS proxy servers matched', 0
 )
 
+def get_options(self):
+for option in super(radiusproxy_find, self).get_options():
+if option.name == 'ipatokenradiussecret':
+option = option.clone(flags={'no_option'})
+
+yield option
+
+
 @register()
 class radiusproxy_show(LDAPRetrieve):
 __doc__ = _('Display information about a RADIUS proxy server.')
-- 
2.7.4

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 190] expose `--secret` option in radiusproxy-* commands

2016-07-20 Thread Martin Babinsky

On 07/19/2016 12:32 PM, Jan Cholasta wrote:

Hi,

On 18.7.2016 13:51, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/6078


I don't think we want the secret searchable. Add a 'no_search' flag to
the param to fix that.

Honza



'no_search' flag breaks the API backwards compatibility, so I am sending 
another two patches which fix handling of deprecated options in the 
framework and deprecate `--secret` in radiusproxy-find command.


I hope this solution is the best.

--
Martin^3 Babinsky
From 645b7ece72e902c9b108d41a5e71d7e88a48720f Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 18 Jul 2016 10:45:48 +0200
Subject: [PATCH] expose `--secret` option in radiusproxy-* commands

Option `--secret` was hidden from radiusproxy CLI preventing setting a secret
on existing server or searching by secret. Since thin client implementation it
was also not recognized by the interactive prompt code in CLI frontend since
it never got there.

https://fedorahosted.org/freeipa/ticket/6078
---
 ipaserver/plugins/radiusproxy.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipaserver/plugins/radiusproxy.py b/ipaserver/plugins/radiusproxy.py
index 44d87b9ae1337278bb6237d471f64693b0eac3db..5657e002c1ce66335b7697b98f95a49207c61d87 100644
--- a/ipaserver/plugins/radiusproxy.py
+++ b/ipaserver/plugins/radiusproxy.py
@@ -126,7 +126,6 @@ class radiusproxy(LDAPObject):
 label=_('Secret'),
 doc=_('The secret used to encrypt data'),
 confirm=True,
-flags=['no_option'],
 ),
 Int('ipatokenradiustimeout?',
 cli_name='timeout',
-- 
2.7.4

From 4e3c8077f1d8bc8c4467ccbcd4d6c9d0f4631c46 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 19 Jul 2016 17:05:32 +0200
Subject: [PATCH] raise ValidationError when deprecated param is passed to
 command

https://fedorahosted.org/freeipa/ticket/6078
---
 ipalib/parameters.py | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 1581b7dcac5259e5c4a127e2a38e13335002b204..5c3d7705a004f77614a754e1ecdcf4f6ca386eaf 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -852,6 +852,9 @@ class Param(ReadOnly):
 if self.required or (supplied and 'nonempty' in self.flags):
 raise RequirementError(name=self.name)
 return
+if self.deprecated:
+raise ValidationError(name=self.get_param_name(),
+  error=_('this option is deprecated'))
 if self.multivalue:
 if type(value) is not tuple:
 raise TypeError(
@@ -874,10 +877,6 @@ class Param(ReadOnly):
 if error is not None:
 raise ValidationError(name=self.get_param_name(), error=error)
 
-def _rule_deprecated(self, _, value):
-if self.deprecated:
-return _('this option is deprecated')
-
 def get_default(self, **kw):
 """
 Return the static default or construct and return a dynamic default.
-- 
2.7.4

From 631281ec6e50090cf819eda1f131c8e0b0011d7f Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 19 Jul 2016 13:04:05 +0200
Subject: [PATCH] prevent search for RADIUS proxy servers by secret

radiusproxy-find should not allow search by proxy secret even for privileged
users. Deprecate this option so that it is not shown in command's help and is
not allowed to be specified as parameter.

https://fedorahosted.org/freeipa/ticket/6078
---
 API.txt  | 2 +-
 VERSION  | 4 ++--
 ipaserver/plugins/radiusproxy.py | 8 
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/API.txt b/API.txt
index cbe23f4bde3a29cf3f28a9e361f83e176ede08e0..e5a5cc2ae07d2c44df31934dda857d63f6b90f1e 100644
--- a/API.txt
+++ b/API.txt
@@ -3818,7 +3818,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('cn?', autofill=False, cli_name='name')
 option: Str('description?', autofill=False, cli_name='desc')
 option: Int('ipatokenradiusretries?', autofill=False, cli_name='retries')
-option: Password('ipatokenradiussecret?', autofill=False, cli_name='secret', confirm=True)
+option: Password('ipatokenradiussecret?', autofill=False, cli_name='secret', confirm=True, deprecated=True)
 option: Str('ipatokenradiusserver*', autofill=False, cli_name='server')
 option: Int('ipatokenradiustimeout?', autofill=False, cli_name='timeout')
 option: Str('ipatokenusermapattribute?', autofill=False, cli_name='userattr')
diff --git a/VERSION b/VERSION
index ca489965050f32d2d8987dfd251ec2b2a0ba1768..401b7d92839496f1b7bf97bf61475d53fd8e77df 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2

Re: [Freeipa-devel] [PATCH 190] expose `--secret` option in radiusproxy-* commands

2016-07-19 Thread Jan Cholasta

Hi,

On 18.7.2016 13:51, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/6078


I don't think we want the secret searchable. Add a 'no_search' flag to 
the param to fix that.


Honza

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code