On 07/19/2016 12:32 PM, Jan Cholasta wrote:
Hi,

On 18.7.2016 13:51, Martin Babinsky wrote:
https://fedorahosted.org/freeipa/ticket/6078

I don't think we want the secret searchable. Add a 'no_search' flag to
the param to fix that.

Honza


The 'no_search' flag breaks API backwards compatibility, so I am sending another two patches which fix the handling of deprecated options in the framework and deprecate `--secret` in the radiusproxy-find command.

I hope this is the best solution.

--
Martin^3 Babinsky
From 645b7ece72e902c9b108d41a5e71d7e88a48720f Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Mon, 18 Jul 2016 10:45:48 +0200
Subject: [PATCH] expose `--secret` option in radiusproxy-* commands

The `--secret` option was hidden from the radiusproxy CLI, preventing setting a secret
on an existing server or searching by secret. Since the thin client implementation it
was also not recognized by the interactive prompt code in the CLI frontend, as it
never got there.

https://fedorahosted.org/freeipa/ticket/6078
---
 ipaserver/plugins/radiusproxy.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipaserver/plugins/radiusproxy.py b/ipaserver/plugins/radiusproxy.py
index 44d87b9ae1337278bb6237d471f64693b0eac3db..5657e002c1ce66335b7697b98f95a49207c61d87 100644
--- a/ipaserver/plugins/radiusproxy.py
+++ b/ipaserver/plugins/radiusproxy.py
@@ -126,7 +126,6 @@ class radiusproxy(LDAPObject):
             label=_('Secret'),
             doc=_('The secret used to encrypt data'),
             confirm=True,
-            flags=['no_option'],
         ),
         Int('ipatokenradiustimeout?',
             cli_name='timeout',
-- 
2.7.4

From 4e3c8077f1d8bc8c4467ccbcd4d6c9d0f4631c46 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 19 Jul 2016 17:05:32 +0200
Subject: [PATCH] raise ValidationError when deprecated param is passed to
 command

https://fedorahosted.org/freeipa/ticket/6078
---
 ipalib/parameters.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 1581b7dcac5259e5c4a127e2a38e13335002b204..5c3d7705a004f77614a754e1ecdcf4f6ca386eaf 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -852,6 +852,9 @@ class Param(ReadOnly):
             if self.required or (supplied and 'nonempty' in self.flags):
                 raise RequirementError(name=self.name)
             return
+        if self.deprecated:
+            raise ValidationError(name=self.get_param_name(),
+                                  error=_('this option is deprecated'))
         if self.multivalue:
             if type(value) is not tuple:
                 raise TypeError(
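Review bot: The new deprecation check is placed after the `value is None` early return, so a parameter that is both `deprecated=True` and `required` raises RequirementError when omitted and ValidationError when supplied, leaving the caller no accepted input; the combination should either be rejected when the Param is constructed or documented as unsupported. I assume the reason for moving this out of `_rule_deprecated` (removed in the next hunk) is that rules are not run for every parameter, but that dispatch is outside this hunk; if so, a comment such as `# Checked here rather than as a _rule_ so it applies even to params whose rules are skipped` would record the intent. It is also worth stating in the Param docstring that `deprecated=True` now means any supplied value is rejected with ValidationError, not merely warned about. The enclosing method starts before this hunk.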
@@ -874,10 +877,6 @@ class Param(ReadOnly):
             if error is not None:
                 raise ValidationError(name=self.get_param_name(), error=error)
 
-    def _rule_deprecated(self, _, value):
-        if self.deprecated:
-            return _('this option is deprecated')
-
     def get_default(self, **kw):
         """
         Return the static default or construct and return a dynamic default.
-- 
2.7.4

From 631281ec6e50090cf819eda1f131c8e0b0011d7f Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 19 Jul 2016 13:04:05 +0200
Subject: [PATCH] prevent search for RADIUS proxy servers by secret

radiusproxy-find should not allow searching by proxy secret, even for privileged
users. Deprecate this option so that it is not shown in the command's help and
cannot be specified as a parameter.

https://fedorahosted.org/freeipa/ticket/6078
---
 API.txt                          | 2 +-
 VERSION                          | 4 ++--
 ipaserver/plugins/radiusproxy.py | 8 ++++++++
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/API.txt b/API.txt
index cbe23f4bde3a29cf3f28a9e361f83e176ede08e0..e5a5cc2ae07d2c44df31934dda857d63f6b90f1e 100644
--- a/API.txt
+++ b/API.txt
@@ -3818,7 +3818,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('cn?', autofill=False, cli_name='name')
 option: Str('description?', autofill=False, cli_name='desc')
 option: Int('ipatokenradiusretries?', autofill=False, cli_name='retries')
-option: Password('ipatokenradiussecret?', autofill=False, cli_name='secret', confirm=True)
+option: Password('ipatokenradiussecret?', autofill=False, cli_name='secret', confirm=True, deprecated=True)
 option: Str('ipatokenradiusserver*', autofill=False, cli_name='server')
 option: Int('ipatokenradiustimeout?', autofill=False, cli_name='timeout')
 option: Str('ipatokenusermapattribute?', autofill=False, cli_name='userattr')
diff --git a/VERSION b/VERSION
index ca489965050f32d2d8987dfd251ec2b2a0ba1768..401b7d92839496f1b7bf97bf61475d53fd8e77df 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=211
-# Last change: mbabinsk: allow 'value' output param in commands without primary key
+IPA_API_VERSION_MINOR=212
+# Last change: mbabinsk: prevent search for RADIUS proxy servers by secret
diff --git a/ipaserver/plugins/radiusproxy.py b/ipaserver/plugins/radiusproxy.py
index 5657e002c1ce66335b7697b98f95a49207c61d87..6946302c8d3f6d36a9686f9bf521f5bfae89681a 100644
--- a/ipaserver/plugins/radiusproxy.py
+++ b/ipaserver/plugins/radiusproxy.py
@@ -169,6 +169,14 @@ class radiusproxy_find(LDAPSearch):
         '%(count)d RADIUS proxy server matched', '%(count)d RADIUS proxy servers matched', 0
     )
 
+    def get_options(self):
+        for option in super(radiusproxy_find, self).get_options():
+            if option.name == 'ipatokenradiussecret':
+                option = option.clone(deprecated=True)
+
+            yield option
+
+
 @register()
 class radiusproxy_show(LDAPRetrieve):
     __doc__ = _('Display information about a RADIUS proxy server.')
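Review bot: The `get_options` override only prevents searching by secret because `Param.validate()` now raises ValidationError for `deprecated=True` parameters (the second patch in this series); on its own, `option.clone(deprecated=True)` changes help output while API.txt still advertises `ipatokenradiussecret` as a find option, so a client can still send it and the rejection happens server-side. That dependency should be written down so the override is not later removed or un-deprecated as dead code: `# Keep the option for API compatibility but mark it deprecated; Param.validate() rejects any value supplied for a deprecated param, so the secret cannot be used as a search key.` If the series is applied out of order, this commit alone would leave searching by secret possible, so the ordering is worth noting in the commit message as well.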
-- 
2.7.4
