[Freeipa-devel] Let's Encrypt scripts for multiple principals and Web/LDAP

2017-10-11 Thread Antonia Stevens via FreeIPA-devel
Hi,

Thought I should introduce myself and post a link to some recent work which
might be relevant for some of you.

My name is Antonia Stevens and I'm a DevOps Engineer and long-time FreeIPA
user.

We recently had a need to get proper certs for IPA servers in AWS, which
means they have multiple IPs/DNS names/principals. Since I could not find
anything, I hacked together a couple of bash scripts to make it a bit easier.

https://github.com/antevens/letsencrypt-freeipa

Thanks for all the great work and depending on my schedule I might try to
contribute a bit more going forward.

Antonia Stevens
@antevens
a...@antevens.com
https://github.com/antevens/
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#1146][opened] rpcserver.py code cleaning

2017-10-11 Thread slaykovsky via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1146
Author: slaykovsky
 Title: #1146: rpcserver.py code cleaning
Action: opened

PR body:
"""
Hi!

I was going through the `rpcserver` module code and just found out it's very hard
to read. So I've made some style changes and string-formatting-related changes.

From my point of view, it's now easier to read.

Any comments are welcome.

Thanks.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1146/head:pr1146
git checkout pr1146
From 470646a36de94d07042d377d4ccebca3fff88185 Mon Sep 17 00:00:00 2001
From: Aleksei Slaikovskii 
Date: Wed, 11 Oct 2017 15:40:30 +0200
Subject: [PATCH] rpcserver.py code cleaning

Fixes code formatting, changes old formatting for strings.
---
 ipaserver/rpcserver.py | 581 -
 1 file changed, 381 insertions(+), 200 deletions(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 5cbacf406d..ecc3d94fcf 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -1,7 +1,7 @@
 # Authors:
 #   Jason Gerard DeRose 
 #
-# Copyright (C) 2008-2016  Red Hat
+# Copyright (C) 2008-2017  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -45,17 +45,21 @@
 from ipalib.frontend import Local
 from ipalib.install.kinit import kinit_armor, kinit_password
 from ipalib.backend import Executioner
-from ipalib.errors import (PublicError, InternalError, JSONError,
-CCacheError, RefererError, InvalidSessionPassword, NotFound, ACIError,
-ExecutionError, PasswordExpired, KrbPrincipalExpired, UserLocked)
+from ipalib.errors import (
+PublicError, InternalError, JSONError,
+CCacheError, RefererError, InvalidSessionPassword,
+NotFound, ACIError, ExecutionError,
+PasswordExpired, KrbPrincipalExpired, UserLocked
+)
 from ipalib.request import context, destroy_context
-from ipalib.rpc import (xml_dumps, xml_loads,
-json_encode_binary, json_decode_binary)
+from ipalib.rpc import (
+xml_dumps, xml_loads,
+json_encode_binary, json_decode_binary
+)
 from ipapython.dn import DN
 from ipaserver.plugins.ldap2 import ldap2
 from ipalib.backend import Backend
-from ipalib.krb_utils import (
-get_credentials_if_valid)
+from ipalib.krb_utils import get_credentials_if_valid
 from ipapython import kerberos
 from ipapython import ipautil
 from ipaplatform.paths import paths
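Review bot: the reflowed `from ipalib.errors import (` and `from ipalib.rpc import (` lists leave the last name (`UserLocked`, `json_decode_binary`) without a trailing comma; adding one keeps any future addition to a one-line diff, which is the usual reason for putting one name per line in the first place. Collapsing the single-name `from ipalib.krb_utils import get_credentials_if_valid` onto one line is the right call.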
@@ -80,7 +84,7 @@
 
 Not Found
 
-The requested URL %(url)s was not found on this server.
+The requested URL {url} was not found on this server.
 
 
 """
@@ -92,7 +96,7 @@
 
 Bad Request
 
-%(message)s
+{message}
 
 
 """
@@ -104,7 +108,7 @@
 
 Internal Server Error
 
-%(message)s
+{message}
 
 
 """
@@ -116,7 +120,7 @@
 
 Invalid Authentication
 
-%(message)s
+{message}
 
 
 """
@@ -126,13 +130,14 @@
 200 Success
 
 
-%(title)s
+{title}
 
-%(message)s
+{message}
 
 
 """
 
+
 class HTTP_Status(plugable.Plugin):
 def not_found(self, environ, start_response, url, message):
 """
@@ -142,8 +147,10 @@ def not_found(self, environ, start_response, url, message):
 response_headers = [('Content-Type', 'text/html; charset=utf-8')]
 
 logger.info('%s: URL="%s", %s', status, url, message)
+
 start_response(status, response_headers)
-output = _not_found_template % dict(url=escape(url))
+
+output = _not_found_template.format(url=escape(url))
 return [output.encode('utf-8')]
 
 def bad_request(self, environ, start_response, message):
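Review bot: the blank line inserted between `start_response(status, response_headers)` and `output = _not_found_template.format(...)` (and again in the `bad_request`, `internal_error` and `unauthorized` hunks below) splits a two-line "send headers, then build body" sequence that reads better together; suggest dropping those blank lines so the diff stays limited to the `%` -> `.format` conversion the commit message describes.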
@@ -156,7 +163,8 @@ def bad_request(self, environ, start_response, message):
 logger.info('%s: %s', status, message)
 
 start_response(status, response_headers)
-output = _bad_request_template % dict(message=escape(message))
+
+output = _bad_request_template.format(message=escape(message))
 return [output.encode('utf-8')]
 
 def internal_error(self, environ, start_response, message):
@@ -169,7 +177,8 @@ def internal_error(self, environ, start_response, message):
 logger.error('%s: %s', status, message)
 
 start_response(status, response_headers)
-output = _internal_error_template % dict(message=escape(message))
+
+output = _internal_error_template.format(message=escape(message))
 return [output.encode('utf-8')]
 
 def unauthorized(self, environ, start_response, message, reason):
@@ -178,15 +187,18 @@ def unauthorized(self, environ, start_response, message, reason):
 """
 status = '401 Unauthorized'
 response_headers = [('Content-Type', 'text/html; charset=utf-8')]
+
 if reason:
 response_headers.append(('X-IPA-Rejection-Reason', reason))
 
 logger.info('%s: %s', status, message)
 
 start_response(status, response_headers)
-output = _unauthorized_template % 
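Review bot: this hunk is cut off in the archive at `-output = _unauthorized_template %`, so the 401 path cannot be reviewed here; please confirm it becomes `_unauthorized_template.format(message=escape(message))` like the other three handlers. Worth a second look on the same lines: `reason` is placed into the `X-IPA-Rejection-Reason` header without any escaping on the context lines above, so it should remain a fixed server-side token and never client-supplied text.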

[Freeipa-devel] [freeipa PR#1144][opened] Fix for https://pagure.io/freeipa/issue/6884 as agreed in BZ.

2017-10-11 Thread germanparente via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1144
Author: germanparente
 Title: #1144: Fix for https://pagure.io/freeipa/issue/6884 as agreed in BZ.
Action: opened

PR body:
"""
The definitive fix to deal with the DS CVE would be to remove the 
ipaPermTargetFilter: (objectclass=) from the "Remove 
" permissions during ipa-server-upgrade, for instance, and re-run the 
task to generate the ACLs (if this is not done automatically when modifying the 
permission entry).

This has also been discussed in BZ1441262.

https://bugzilla.redhat.com/show_bug.cgi?id=1441262
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1144/head:pr1144
git checkout pr1144
From 2f0e5306ea6063cef8c9f84b2ee875c0cc7b6b56 Mon Sep 17 00:00:00 2001
From: German Parente 
Date: Wed, 11 Oct 2017 10:51:15 +0200
Subject: [PATCH] Fix for https://pagure.io/freeipa/issue/6884 as agreed.

The definitive fix to deal with the DS CVE would be to remove the ipaPermTargetFilter: (objectclass=" permissions during ipa-server-upgrade, for instance, and re-run the task to generate the acl's (if this not done automatically when modifying the permission entry).
---
 ipaserver/plugins/group.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py
index 5e94272396..ce689329f2 100644
--- a/ipaserver/plugins/group.py
+++ b/ipaserver/plugins/group.py
@@ -367,7 +367,10 @@ def post_callback(self, ldap, dn, *keys, **options):
 assert isinstance(dn, DN)
 try:
 api.Command['pwpolicy_del'](keys[-1])
-except errors.NotFound:
+# we catch ACI error because of CVE fixed in DS
+# when an entry does not exist and we have no privilege reading it,
+# there's err=50 instead of err=32
+except (errors.NotFound,errors.ACIError):
 pass
 
 return True
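Review bot: `except (errors.NotFound,errors.ACIError):` swallows every ACI denial from `pwpolicy_del`, not only the "entry does not exist and the caller cannot read it" case the comment describes: if the group really has a password policy and the caller lacks the right to delete it, the calling command now reports success while the policy entry stays behind, where previously the `ACIError` propagated. Suggest at least logging the caught `ACIError` at debug level so the silent case is diagnosable, and, since the PR body says the definitive fix is dropping the `ipaPermTargetFilter` from the affected permissions at upgrade time, a tracking reference for that follow-up in the comment. Style: add a space after the comma in the tuple (`errors.NotFound, errors.ACIError`).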