Re: [Freeipa-devel] [PATCH] Fix printing of reverse zones in ipa-dns-install.

2014-10-15 Thread Martin Kosek
On 10/15/2014 04:04 PM, Martin Basti wrote:
> On 15/10/14 16:04, David Kupka wrote:
>> Submitting the patch again. I sent it from my gmail account accidentally.
>>
>> On 10/15/2014 03:58 PM, Martin Basti wrote:
>>> New contributor :-)
>>>
>>> ACK
>>> Thank you!
>>>
> ACKing my previous ACK

Pushed to:
master: 47731f45845a4cc27da65b98a6ba82388824f363
ipa-4-1: 7e5a71dd463c401f2e1c9cd36a35b5b57fb8b005

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 353 Added initial vault implementation.

2014-10-15 Thread Endi Sukma Dewata

This patch provides the initial vault implementation which allows
the admin to create a vault, archive a secret, and retrieve the
secret using a standard vault.

It currently has limitations including:
 - The vault only supports the standard vault type.
 - The vault can only be used by the admin user.
 - The transport certificate has to be installed manually.

These limitations, other vault features, schema and ACL changes will
be addressed in subsequent patches.

The NSSConnection class has to be modified not to shutdown existing
database because some of the vault clients (e.g. vault-archive and
vault-retrieve) also use a database to encrypt/decrypt the secret.

Ticket #3872

--
Endi S. Dewata
From 1ad4307323c9e76ed51e5cdbd736e8834864f6fc Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Tue, 16 Sep 2014 20:11:35 -0400
Subject: [PATCH] Added initial vault implementation.

This patch provides the initial vault implementation which allows
the admin to create a vault, archive a secret, and retrieve the
secret using a standard vault.

It currently has limitations including:
 - The vault only supports the standard vault type.
 - The vault can only be used by the admin user.
 - The transport certificate has to be installed manually.

These limitations, other vault features, schema and ACL changes will
be addressed in subsequent patches.

The NSSConnection class has to be modified not to shutdown existing
database because some of the vault clients (e.g. vault-archive and
vault-retrieve) also use a database to encrypt/decrypt the secret.

Ticket #3872
---
 API.txt| 160 
 VERSION|   4 +-
 install/share/60basev4.ldif|   3 +
 install/share/Makefile.am  |   1 +
 install/share/copy-schema-to-ca.py |   1 +
 install/updates/40-vault.update|  27 ++
 install/updates/Makefile.am|   1 +
 ipa-client/man/default.conf.5  |   1 +
 ipalib/constants.py|   1 +
 ipalib/plugins/user.py |   9 +
 ipalib/plugins/vault.py| 726 +
 ipapython/nsslib.py|  22 +-
 ipaserver/install/dsinstance.py|   1 +
 13 files changed, 943 insertions(+), 14 deletions(-)
 create mode 100644 install/share/60basev4.ldif
 create mode 100644 install/updates/40-vault.update
 create mode 100644 ipalib/plugins/vault.py

diff --git a/API.txt b/API.txt
index 1af78509732b13eec07208114cea00e56c1059b4..1eec3527e36bc250acddbf0e2fe7a6baa30abd74 100644
--- a/API.txt
+++ b/API.txt
@@ -4373,6 +4373,166 @@ option: Str('version?', exclude='webui')
 output: Output('result', , None)
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
+command: vault_add
+args: 1,8,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('description', attribute=True, cli_name='desc', multivalue=False, 
required=False)
+option: Str('in?', cli_name='in')
+option: Str('parent', attribute=False, cli_name='parent', multivalue=False, 
required=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Flag('rights', autofill=True, default=False)
+option: Bytes('secret', attribute=True, cli_name='secret', multivalue=False, 
required=False)
+option: Str('version?', exclude='webui')
+output: Entry('result', , Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (, ), None)
+output: PrimaryKey('value', None, None)
+command: vault_archive
+args: 1,10,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Bytes('encrypted_data?', cli_name='encrypted_data')
+option: Str('in?', cli_name='in')
+option: Bytes('nonce?', cli_name='nonce')
+option: Str('parent?', cli_name='parent')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Flag('rights', autofill=True, default=False)
+option: Bytes('secret?', cli_name='secret')
+option: Str('version?', exclude='webui')
+option: Bytes('wrapped_session_key?', cli_name='wrapped_session_key')
+output: Entry('result', , Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (, ), None)
+output: PrimaryKey('value', None, None)
+command: vault_del
+args: 1,3,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=True, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
+option: Flag('continue', autofill=True, cli
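Review bot: `vault_archive` accepts both a plaintext `secret?` and the encrypted triple `encrypted_data?`/`nonce?`/`wrapped_session_key?`, and `vault_add` takes a plaintext `Bytes('secret', ...)` as well, but nothing in API.txt says which combinations are valid or that the plaintext forms hand the secret to the server unencrypted. Document the exclusivity in the command docstrings (and consider rejecting a call that supplies both forms) so that the client-side encryption the commit message describes cannot be bypassed by accident.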

[Freeipa-devel] [PATCH] 352 Fixed KRA backend.

2014-10-15 Thread Endi Sukma Dewata

The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by the KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to a permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.

The KRA installer has been modified to use Dogtag's CLI to create the
KRA agent and set up the client authentication.

The proxy settings have been updated to include KRA's URLs.

The certs.install_pem_from_p12() has been updated to generate the
proper client certificate using the -clcerts option and also take
a password file.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since the file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.

Ticket #3872

--
Endi S. Dewata
From 018d849db0f08285aeeb26e3fc886c8c161b3f33 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Wed, 1 Oct 2014 14:59:46 -0400
Subject: [PATCH] Fixed KRA backend.

The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by the KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to a permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.

The KRA installer has been modified to use Dogtag's CLI to create the
KRA agent and set up the client authentication.

The proxy settings have been updated to include KRA's URLs.

The certs.install_pem_from_p12() has been updated to generate the
proper client certificate using the -clcerts option and also take
a password file.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since the file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.

Ticket #3872
---
 install/conf/ipa-pki-proxy.conf  |   2 +-
 ipaplatform/base/paths.py|   4 +-
 ipaserver/install/cainstance.py  |   4 +-
 ipaserver/install/certs.py   |  10 ++--
 ipaserver/install/ipa_backup.py  |   3 +-
 ipaserver/install/krainstance.py |  83 ---
 ipaserver/plugins/dogtag.py  | 120 +--
 7 files changed, 100 insertions(+), 126 deletions(-)

diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 2370b4d7a7467a7e47c0d223915e018c9a009e83..5d21156848f3b5ddf14c42d92a26a30a9f94af36 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -19,7 +19,7 @@ ProxyRequests Off
 
 
 # matches for agent port and eeca port
-
+
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient require
 ProxyPassMatch ajp://localhost:$DOGTAG_PORT
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 0ba6b46c562a3d3f97e3631fd9dc0f27536bc6bc..3652a3213d2d116b34d7c4239964c511f572ed6b 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -127,8 +127,8 @@ class BasePathNamespace(object):
 HOME_DIR = "/home"
 ROOT_IPA_CACHE = "/root/.ipa_cache"
 ROOT_PKI = "/root/.pki"
-DOGTAG_AGENT_P12 = "/root/ca-agent.p12"
-DOGTAG_AGENT_PEM = "/etc/httpd/alias/agent.pem"
+DOGTAG_ADMIN_P12 = "/root/ca-agent.p12"
+KRA_AGENT_PEM = "/etc/httpd/alias/kra-agent.pem"
 CACERT_P12 = "/root/cacert.p12"
 ROOT_IPA_CSR = "/root/ipa.csr"
 ROOT_TMP_CA_P12 = "/root/tmp-ca.p12"
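Review bot: `DOGTAG_ADMIN_P12` still points at `/root/ca-agent.p12`, so the constant now says admin while the file on disk still says agent. If the path is kept so that existing installs and backups keep working (ipa_backup.py is in the diffstat), say so in a comment next to the constant; otherwise rename the file together with the constant so the two do not drift apart.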
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 2c912206a37accfdf217c955755b82ed0d2056af..aa6de498726e779e62cd96ec13d9e52cd1262714 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -514,7 +514,7 @@ class CAInstance(DogtagInstance):
 config.set("CA", "pki_admin_nickname", "ipa-ca-agent")
 config.set("CA", "pki_admin_subject_dn",
 str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
-config.set("CA", "pki_client_admin_cert_p12", paths.DOGTAG_AGENT_P12)
+config.set("CA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12)
 
 # Directory server
 config.set("CA", "pki_ds_ldap_port", str(self.ds_port))
@@ -979,7 +979,7 @@ class CAInstance(DogtagInstance):
 try:
 ipautil.run([paths.PK12UTIL,
  "-n", "ipa-ca-agent",
- "-o", paths.DOGTAG_AGENT_P12,
+ "-o", paths.DOGTAG_ADMIN_P12,
 

Re: [Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

2014-10-15 Thread Petr Spacek

On 14.10.2014 20:33, Nathaniel McCallum wrote:

On Tue, 2014-10-14 at 10:38 +0200, Jan Cholasta wrote:

Dne 14.10.2014 v 10:23 Petr Viktorin napsal(a):

On 10/14/2014 08:51 AM, Jan Cholasta wrote:

Dne 14.10.2014 v 08:37 Martin Kosek napsal(a):

On 10/13/2014 07:23 PM, Nathaniel McCallum wrote:

On Mon, 2014-10-13 at 12:39 +0200, Martin Kosek wrote:

Also, few comments to your current patch set (though the patches themselves
will probably not land in 4.1):

Patch 0001:
- while it may work (after DS fixes), it adds PostRead for all our commands,
not just otptoken-add. I would rather have some attribute like
"read_dn_from_postread" on LDAPObject which defaults to False to make sure
there is no regression or performance hit with other LDAP calls.


As Honza says later in the mail, this should be an argument for
add_entry (or alternatively an additional add_entry_with_postread
method). Storing settings in data objects leads to trouble – when you
get such an object from somewhere, you never know what an operation on
it will do.


I would prefer add_entry argument rather than a new method, as that's
how find_entries does controls.




In the new code, we actually get a performance gain as the manual post
read is eliminated if the post read control is successful. Only one
issue can arise, which is when the post read control evaluates ACIs in a
different context than a normal manual read. This problem is well known
and is trivial to fix (s/USERDN/SELFDN/).


That's my point - with such a big change, we can hit many unforeseen
issues and we are close to deadline. I would rather like to use the
PostRead control only in otptoken_add command. CCing Petr and Honza to
chime in.


I agree it should be opt-in for now. Add a boolean argument to add_entry
as a switch.


+1

Also, I think the add_entry should not return anything; rather the
PostRead result should be merged into the added entry object. Honza,
what do you think?


It should, good point.



In the future it might be useful for add_entry to return a list of
controls, the `ctrls` in this patch.


If we're going to implement temporary workarounds like this in order to
merge this patch, I'd prefer to just wait until 4.2. Without activating
the post read control for all add operations, there is really no benefit
to this patch and added risk.


It would be really nice to have this opt-in feature in 4.1 - it would make
DNSSEC support easier for me.


I guess that answer is 'no' so I'm going to implement a workaround.


I propose that for 4.1, we use the attached patch to remove the field
from the UI. Once we have proper ACI/UUID-plugin integration in 389, we
can revisit these patches.


--
Petr^2 Spacek



[Freeipa-devel] [PATCH 0072] Remove token vendor, model and serial defaults

2014-10-15 Thread Nathaniel McCallum
These defaults are pretty useless and cause more confusion than
they are worth. The serial default never worked anyway. And now
that we are displaying the token type separately, there is no
reason to doubly record these data points.
From 8093c2c6d83ed0a1849c5261759df92129b36487 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum 
Date: Wed, 15 Oct 2014 12:26:47 -0400
Subject: [PATCH] Remove token vendor, model and serial defaults

These defaults are pretty useless and cause more confusion than
they are worth. The serial default never worked anyway. And now
that we are displaying the token type separately, there is no
reason to doubly record these data points.
---
 API.txt| 10 +-
 VERSION|  4 ++--
 ipalib/plugins/otptoken.py |  6 --
 3 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/API.txt b/API.txt
index 1af78509732b13eec07208114cea00e56c1059b4..549d2b69c3325cd86b415c5b56cbdbe9e6d950b5 100644
--- a/API.txt
+++ b/API.txt
@@ -2545,17 +2545,17 @@ option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False)
 option: Bool('ipatokendisabled', attribute=True, cli_name='disabled', multivalue=False, required=False)
 option: Int('ipatokenhotpcounter', attribute=True, autofill=True, cli_name='counter', default=0, minvalue=0, multivalue=False, required=False)
-option: Str('ipatokenmodel', attribute=True, autofill=True, cli_name='model', multivalue=False, required=False)
+option: Str('ipatokenmodel', attribute=True, cli_name='model', multivalue=False, required=False)
 option: DateTime('ipatokennotafter', attribute=True, cli_name='not_after', multivalue=False, required=False)
 option: DateTime('ipatokennotbefore', attribute=True, cli_name='not_before', multivalue=False, required=False)
 option: StrEnum('ipatokenotpalgorithm', attribute=True, autofill=True, cli_name='algo', default=u'sha1', multivalue=False, required=False, values=(u'sha1', u'sha256', u'sha384', u'sha512'))
 option: IntEnum('ipatokenotpdigits', attribute=True, autofill=True, cli_name='digits', default=6, multivalue=False, required=False, values=(6, 8))
 option: OTPTokenKey('ipatokenotpkey', attribute=True, autofill=True, cli_name='key', multivalue=False, required=False)
 option: Str('ipatokenowner', attribute=True, cli_name='owner', multivalue=False, required=False)
-option: Str('ipatokenserial', attribute=True, autofill=True, cli_name='serial', multivalue=False, required=False)
+option: Str('ipatokenserial', attribute=True, cli_name='serial', multivalue=False, required=False)
 option: Int('ipatokentotpclockoffset', attribute=True, autofill=True, cli_name='offset', default=0, multivalue=False, required=False)
 option: Int('ipatokentotptimestep', attribute=True, autofill=True, cli_name='interval', default=30, minvalue=5, multivalue=False, required=False)
-option: Str('ipatokenvendor', attribute=True, autofill=True, cli_name='vendor', default=u'FreeIPA', multivalue=False, required=False)
+option: Str('ipatokenvendor', attribute=True, cli_name='vendor', multivalue=False, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('qrcode?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
@@ -2613,7 +2613,7 @@ option: Str('ipatokenserial', attribute=True, autofill=False, cli_name='serial',
 option: Int('ipatokentotpclockoffset', attribute=True, autofill=False, cli_name='offset', default=0, multivalue=False, query=True, required=False)
 option: Int('ipatokentotptimestep', attribute=True, autofill=False, cli_name='interval', default=30, minvalue=5, multivalue=False, query=True, required=False)
 option: Str('ipatokenuniqueid', attribute=True, autofill=False, cli_name='id', multivalue=False, primary_key=True, query=True, required=False)
-option: Str('ipatokenvendor', attribute=True, autofill=False, cli_name='vendor', default=u'FreeIPA', multivalue=False, query=True, required=False)
+option: Str('ipatokenvendor', attribute=True, autofill=False, cli_name='vendor', multivalue=False, query=True, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
@@ -2638,7 +2638,7 @@ option: DateTime('ipatokennotafter', attribute=True, autofill=False, cli_name='n
 option: DateTime('ipatokennotbefore', attribute=True, autofill=False, cli_name='not_before', multivalue=False, required=False)
 option: Str('ipatokenowner', attribute=True, autofill=False, cli_name='owner', multivalue=False, required=False)
 option: Str('ipatokenserial', attribute=True, autofill=False, cli_name='serial', multivalue=False, required=False)
-option: Str('ipatokenvendor', attribute=True, autofill=False, cli_name='vendor', default=u'FreeIPA', mult

[Freeipa-devel] [PATCH 0071] Display token type when viewing token

2014-10-15 Thread Nathaniel McCallum
When viewing a token from the CLI or UI, the type of the token
should be displayed.

https://fedorahosted.org/freeipa/ticket/4563
From b428b30e2110472d000e2c0e06bc82a3948a8906 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum 
Date: Wed, 15 Oct 2014 12:24:56 -0400
Subject: [PATCH] Display token type when viewing token

When viewing a token from the CLI or UI, the type of the token
should be displayed.

https://fedorahosted.org/freeipa/ticket/4563
---
 install/ui/src/freeipa/otptoken.js |  1 +
 ipalib/plugins/otptoken.py | 13 -
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/otptoken.js b/install/ui/src/freeipa/otptoken.js
index d5afd25e66c58f4a3b5ce7241b3ddd0ca4f00850..526ca22dc2a8a5d4a109ab9397383d1fb4d41a2a 100644
--- a/install/ui/src/freeipa/otptoken.js
+++ b/install/ui/src/freeipa/otptoken.js
@@ -177,6 +177,7 @@ return {
 label: '@i18n:objects.otptoken.details',
 fields: [
 'ipatokenuniqueid',
+'type',
 {
 $type: 'textarea',
 name: 'description'
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 1bd85d4b952dc51ea800ed37c49b3c50aeb31492..6917cfbbb0a5597827841f22e618289771267795 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -108,6 +108,12 @@ def _check_interval(not_before, not_after):
 return not_before <= not_after
 return True
 
+def _set_token_type(entry_attrs):
+klasses = [x.lower() for x in entry_attrs.get('objectclass', [])]
+for ttype in TOKEN_TYPES.keys():
+cls = 'ipatoken' + ttype
+if cls.lower() in klasses:
+entry_attrs['type'] = ttype.upper()
 
 @register()
 class otptoken(LDAPObject):
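Review bot: `_set_token_type` does not stop at the first match, so an entry that somehow carries more than one `ipatoken<type>` object class ends up with whichever key `TOKEN_TYPES` yields last (dict order, so not deterministic), and an entry with none of them never gets `type` set, which leaves the new `type` field in the UI empty with no hint why. A `break` after the assignment plus an explicit fallback (or a logged warning) would make the result deterministic, and a one-line docstring would help now that the helper is called from four post_callbacks.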
@@ -120,7 +126,7 @@ class otptoken(LDAPObject):
 object_class = ['ipatoken']
 possible_objectclasses = ['ipatokentotp', 'ipatokenhotp']
 default_attributes = [
-'ipatokenuniqueid', 'description', 'ipatokenowner',
+'objectclass', 'ipatokenuniqueid', 'description', 'ipatokenowner',
 'ipatokendisabled', 'ipatokennotbefore', 'ipatokennotafter',
 'ipatokenvendor', 'ipatokenmodel', 'ipatokenserial', 'managedby'
 ]
@@ -265,6 +271,7 @@ class otptoken_add(LDAPCreate):
   error='is before the validity start')
 
 # Set the object class and defaults for specific token types
+options['type'] = options['type'].lower()
 entry_attrs['objectclass'] = otptoken.object_class + ['ipatoken' + options['type']]
 for ttype, tattrs in TOKEN_TYPES.items():
 if ttype != options['type']:
@@ -315,6 +322,7 @@ class otptoken_add(LDAPCreate):
 
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
 entry_attrs['uri'] = getattr(context, 'uri')
+_set_token_type(entry_attrs)
 _convert_owner(self.api.Object.user, entry_attrs, options)
 return super(otptoken_add, self).post_callback(ldap, dn, entry_attrs, *keys, **options)
 
@@ -369,6 +377,7 @@ class otptoken_mod(LDAPUpdate):
 return dn
 
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+_set_token_type(entry_attrs)
 _convert_owner(self.api.Object.user, entry_attrs, options)
 return super(otptoken_mod, self).post_callback(ldap, dn, entry_attrs, *keys, **options)
 
@@ -396,6 +405,7 @@ class otptoken_find(LDAPSearch):
 
 def post_callback(self, ldap, entries, truncated, *args, **options):
 for entry in entries:
+_set_token_type(entry)
 _convert_owner(self.api.Object.user, entry, options)
 return super(otptoken_find, self).post_callback(ldap, entries, truncated, *args, **options)
 
@@ -405,6 +415,7 @@ class otptoken_show(LDAPRetrieve):
 __doc__ = _('Display information about an OTP token.')
 
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+_set_token_type(entry_attrs)
 _convert_owner(self.api.Object.user, entry_attrs, options)
 return super(otptoken_show, self).post_callback(ldap, dn, entry_attrs, *keys, **options)
 
-- 
2.1.0


[Freeipa-devel] [PATCH 0070] Remove token ID from self-service UI

2014-10-15 Thread Nathaniel McCallum
Also, fix labels to properly use i18n strings for token types.
From 244834182add8e927171f6e9f1b4966c829b7aa4 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum 
Date: Tue, 14 Oct 2014 14:30:01 -0400
Subject: [PATCH] Remove token ID from self-service UI

Also, fix labels to properly use i18n strings for token types.
---
 install/ui/src/freeipa/otptoken.js | 8 ++--
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/install/ui/src/freeipa/otptoken.js b/install/ui/src/freeipa/otptoken.js
index d5afd25e66c58f4a3b5ce7241b3ddd0ca4f00850..2daeed9b6956921850b527e60b00ad124fb5f3d0 100644
--- a/install/ui/src/freeipa/otptoken.js
+++ b/install/ui/src/freeipa/otptoken.js
@@ -289,14 +289,10 @@ return {
 name: 'type',
 default_value: 'totp',
 options: [
-{ label: 'TOTP', value: 'totp' },
-{ label: 'HOTP', value: 'hotp' }
+{ label: '@i18n:objects.otptoken.type_totp', value: 'totp' },
+{ label: '@i18n:objects.otptoken.type_hotp', value: 'hotp' }
 ]
 },
-{
-name: 'ipatokenuniqueid',
-required: false
-},
 'description'
 ]
 }
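Review bot: the new labels reference `@i18n:objects.otptoken.type_totp` and `@i18n:objects.otptoken.type_hotp`, but the diffstat shows only otptoken.js changing, so those keys must already exist in the server-side message catalogue; if they do not, the dropdown will display the raw key names. Also note that dropping `ipatokenuniqueid` from the self-service adder only hides the field: as the [HELP] thread in this digest says, a regular user can still supply a custom token name through the CLI or API until the server-side ACI/UUID-plugin work lands, so the commit message should say this is a UI-only measure.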
-- 
2.1.0


[Freeipa-devel] [PATCH] 335 Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage

2014-10-15 Thread Jan Cholasta

Hi,

the attached patch fixes . 
It depends on my patches 333 and 334, which are also attached.


(The original patch was posted at 
.)


How to test:

  1. install server

  2. kinit as admin

  3. run "ipa-cacert-manage renew --external-ca", it will produce a CSR

  4. sign the CSR with some external CA to get new IPA CA certificate

  5. run "while true; do ldapdelete -H ldap://$HOSTNAME -Y GSSAPI 
'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,'; 
done" in background


  6. run "ipa-cacert-manage renew --external-cert-file=CA certificate> --external-cert-file=chain>"


  7. stop the loop from step 5

  8. run "getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert 
cert-pki-ca'", the request should be in MONITORING state, there should 
be no ca-error


Honza

--
Jan Cholasta
From 6ac462b18d0a31d8eb697e949bc909327f41d618 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 14 Oct 2014 10:30:07 +0200
Subject: [PATCH] Handle profile changes in dogtag-ipa-ca-renew-agent

To update the CA certificate in the Dogtag NSS database, the
"ipa-cacert-manage renew" and "ipa-certupdate" commands temporarily change
the profile of the CA certificate certmonger request, resubmit it and
change the profile back to the original one.

When something goes wrong while resubmitting the request, it needs to be
modified and resubmitted again manually. This might fail with invalid
cookie error, because changing the profile does not change the internal
state of the request.

Detect this in dogtag-ipa-ca-renew-agent and reset the internal state when
profile is changed.

https://fedorahosted.org/freeipa/ticket/4627
---
 .../certmonger/dogtag-ipa-ca-renew-agent-submit| 87 --
 1 file changed, 80 insertions(+), 7 deletions(-)

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 4f0b78a..ca4380c 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -31,6 +31,7 @@ import tempfile
 import shutil
 import base64
 import contextlib
+import json
 
 from ipapython import ipautil
 from ipapython.dn import DN
@@ -64,6 +65,78 @@ def ldap_connect():
 if conn is not None and conn.isconnected():
 conn.disconnect()
 
+def call_handler(_handler, *args, **kwargs):
+"""
+Request handler call wrapper
+
+Before calling the handler, get the original profile name and cookie from
+the provided cookie, if there is one. If the profile name does not match
+the requested profile name, drop the cookie and restart the request.
+
+After calling the handler, put the requested profile name and cookie
+returned by the handler in a new cookie and return it.
+"""
+operation = os.environ['CERTMONGER_OPERATION']
+if operation == 'POLL':
+cookie = os.environ.pop('CERTMONGER_CA_COOKIE', None)
+if cookie is not None:
+try:
+context = json.loads(cookie)
+if not isinstance(context, dict):
+raise TypeError
+except (TypeError, ValueError):
+return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
+else:
+return (UNCONFIGURED, "Cookie not provided")
+
+if 'profile' in context:
+profile = context.pop('profile')
+try:
+if profile is not None:
+if not isinstance(profile, unicode):
+raise TypeError
+profile = profile.encode('raw_unicode_escape')
+except (TypeError, UnicodeEncodeError):
+return (UNCONFIGURED,
+"Invalid 'profile' in cookie: %r" % profile)
+else:
+return (UNCONFIGURED, "No 'profile' in cookie")
+
+# If profile has changed between SUBMIT and POLL, restart request
+if os.environ.get('CERTMONGER_CA_PROFILE') != profile:
+os.environ['CERTMONGER_OPERATION'] = 'SUBMIT'
+context = {}
+
+if 'cookie' in context:
+cookie = context.pop('cookie')
+try:
+if not isinstance(cookie, unicode):
+raise TypeError
+cookie = cookie.encode('raw_unicode_escape')
+except (TypeError, UnicodeEncodeError):
+return (UNCONFIGURED,
+"Invalid 'cookie' in cookie: %r" % cookie)
+os.environ['CERTMONGER_CA_COOKIE'] = cookie
+else:
+context = {}
+
+result = _handler(*args, **kwargs)
+
+if result[0] in (WAIT, WAIT_WITH_DELAY):
+context['cookie'] = result[-1].decode('raw_unicode_escape')
+
+profile = os.environ.get('CERTMONGER_CA_PROFILE')
+if profile is not None:
+profile = profile.decode('raw_unicode_escape')
+ 
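The cookie and profile handling that the commit message "Handle profile changes in dogtag-ipa-ca-renew-agent" describes, as an added stand-alone model written for this page; it is not FreeIPA's code. Plain dicts stand in for `os.environ`, a constructed `fake_handler` stands in for the real Dogtag request handler, the names `renew_with_profile_change` and `fake_handler` are invented for the example, and the helper exit codes follow certmonger's CA-helper convention (0 issued, 1 wait, 2 rejected, 3 unreachable, 4 unconfigured, 5 wait with delay), which is assumed here rather than imported. It is Python 3, so the `unicode`/`encode('raw_unicode_escape')` dance of the original is not needed; it also always stores the profile in the outer cookie, even when `CERTMONGER_CA_PROFILE` is unset, so that the next POLL can compare it.

```python
import json

# certmonger CA-helper exit codes (assumed from certmonger's helper convention;
# the real helper defines these itself)
ISSUED, WAIT, REJECTED, UNREACHABLE, UNCONFIGURED, WAIT_WITH_DELAY = 0, 1, 2, 3, 4, 5
WAITING = (WAIT, WAIT_WITH_DELAY)


def call_handler(env, handler):
    """Wrap handler(env) so the profile active at SUBMIT time travels inside
    the certmonger cookie as JSON: {"profile": ..., "cookie": ...}.

    env is a dict standing in for os.environ.  On POLL the stored profile is
    compared with CERTMONGER_CA_PROFILE; if it differs, the inner cookie is
    dropped and the operation is turned back into SUBMIT so the request is
    restarted instead of failing later with an invalid-cookie error.
    handler(env) returns a tuple whose first item is the exit code and, for
    WAIT/WAIT_WITH_DELAY, whose last item is the handler's own cookie.
    """
    context = {}
    if env.get('CERTMONGER_OPERATION') == 'POLL':
        raw = env.pop('CERTMONGER_CA_COOKIE', None)
        if raw is None:
            return (UNCONFIGURED, "Cookie not provided")
        try:
            context = json.loads(raw)
            if not isinstance(context, dict):
                raise TypeError
        except (TypeError, ValueError):
            return (UNCONFIGURED, "Invalid cookie: %r" % raw)
        if 'profile' not in context:
            return (UNCONFIGURED, "No 'profile' in cookie")
        profile = context.pop('profile')
        if profile is not None and not isinstance(profile, str):
            return (UNCONFIGURED, "Invalid 'profile' in cookie: %r" % profile)
        if env.get('CERTMONGER_CA_PROFILE') != profile:
            # Profile changed between SUBMIT and POLL: forget the old request
            # and let the handler start a fresh one under the new profile.
            env['CERTMONGER_OPERATION'] = 'SUBMIT'
            context = {}
        inner = context.pop('cookie', None)
        if inner is not None:
            if not isinstance(inner, str):
                return (UNCONFIGURED, "Invalid 'cookie' in cookie: %r" % inner)
            env['CERTMONGER_CA_COOKIE'] = inner

    result = handler(env)

    waiting = result[0] in WAITING
    if waiting:
        context['cookie'] = result[-1]
    # Record the profile even when it is None so the next POLL can compare it.
    context['profile'] = env.get('CERTMONGER_CA_PROFILE')
    cookie = json.dumps(context)
    env['CERTMONGER_CA_COOKIE'] = cookie
    if waiting:
        result = result[:-1] + (cookie,)
    return result


def fake_handler(env):
    """Constructed stand-in for the real request handler: SUBMIT starts a
    request and returns WAIT with a tracking cookie; POLL issues the
    certificate only when it recognises a cookie it handed out itself."""
    if env.get('CERTMONGER_OPERATION') == 'SUBMIT':
        return (WAIT, 'req-' + str(env.get('CERTMONGER_CA_PROFILE')))
    if env.get('CERTMONGER_CA_COOKIE', '').startswith('req-'):
        return (ISSUED, '-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----')
    return (REJECTED, 'unknown cookie')


def renew_with_profile_change(old_profile, new_profile):
    """SUBMIT under old_profile, then POLL under new_profile with the cookie
    certmonger would hand back.  Returns (first exit code, operation the
    wrapper passed to the handler on the second call, second exit code)."""
    env = {'CERTMONGER_OPERATION': 'SUBMIT', 'CERTMONGER_CA_PROFILE': old_profile}
    first = call_handler(env, fake_handler)
    env = {'CERTMONGER_OPERATION': 'POLL', 'CERTMONGER_CA_PROFILE': new_profile,
           'CERTMONGER_CA_COOKIE': first[-1]}
    second = call_handler(env, fake_handler)
    return first[0], env['CERTMONGER_OPERATION'], second[0]


if __name__ == '__main__':
    print("same profile:   ", renew_with_profile_change('profileA', 'profileA'))
    print("profile changed:", renew_with_profile_change('profileA', 'profileB'))
```

With the same profile on both calls the second call reaches the handler as a normal POLL and the certificate is issued; with a changed profile the wrapper rewrites the operation to SUBMIT and the handler starts over, which is the behaviour the patch adds. A cookie that is not a JSON dict (for example one written by the pre-patch helper) still ends in UNCONFIGURED, which is the migration case worth thinking about when reviewing the real patch.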

Re: [Freeipa-devel] [PATCH] 353 Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install

2014-10-15 Thread Petr Vobornik

On 8.10.2014 13:35, Jan Cholasta wrote:

Hi,

the attached patch provides an additional fix for
.

Honza



Requires rebase because of `ca_type=options.external_ca_type)`. Works 
fine with older version.

--
Petr Vobornik



[Freeipa-devel] [PATCH] 334 Do not wait for new CA certificate to appear in LDAP in ipa-certupdate

2014-10-15 Thread Jan Cholasta

Hi,

the attached patch fixes . 
It depends on my patch 333, which is also attached.


(The original patch was posted at 
.)


How to test:

  1. install server

  2. run "ipa-certupdate"

  3. run "getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert 
cert-pki-ca'", the request should be in MONITORING state, there should 
be no ca-error


Honza

--
Jan Cholasta
From 6ac462b18d0a31d8eb697e949bc909327f41d618 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 14 Oct 2014 10:30:07 +0200
Subject: [PATCH] Handle profile changes in dogtag-ipa-ca-renew-agent

To update the CA certificate in the Dogtag NSS database, the
"ipa-cacert-manage renew" and "ipa-certupdate" commands temporarily change
the profile of the CA certificate certmonger request, resubmit it and
change the profile back to the original one.

When something goes wrong while resubmitting the request, it needs to be
modified and resubmitted again manually. This might fail with invalid
cookie error, because changing the profile does not change the internal
state of the request.

Detect this in dogtag-ipa-ca-renew-agent and reset the internal state when
profile is changed.

https://fedorahosted.org/freeipa/ticket/4627
---
 .../certmonger/dogtag-ipa-ca-renew-agent-submit| 87 --
 1 file changed, 80 insertions(+), 7 deletions(-)

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 4f0b78a..ca4380c 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -31,6 +31,7 @@ import tempfile
 import shutil
 import base64
 import contextlib
+import json
 
 from ipapython import ipautil
 from ipapython.dn import DN
@@ -64,6 +65,78 @@ def ldap_connect():
 if conn is not None and conn.isconnected():
 conn.disconnect()
 
+def call_handler(_handler, *args, **kwargs):
+"""
+Request handler call wrapper
+
+Before calling the handler, get the original profile name and cookie from
+the provided cookie, if there is one. If the profile name does not match
+the requested profile name, drop the cookie and restart the request.
+
+After calling the handler, put the requested profile name and cookie
+returned by the handler in a new cookie and return it.
+"""
+operation = os.environ['CERTMONGER_OPERATION']
+if operation == 'POLL':
+cookie = os.environ.pop('CERTMONGER_CA_COOKIE', None)
+if cookie is not None:
+try:
+context = json.loads(cookie)
+if not isinstance(context, dict):
+raise TypeError
+except (TypeError, ValueError):
+return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
+else:
+return (UNCONFIGURED, "Cookie not provided")
+
+if 'profile' in context:
+profile = context.pop('profile')
+try:
+if profile is not None:
+if not isinstance(profile, unicode):
+raise TypeError
+profile = profile.encode('raw_unicode_escape')
+except (TypeError, UnicodeEncodeError):
+return (UNCONFIGURED,
+"Invalid 'profile' in cookie: %r" % profile)
+else:
+return (UNCONFIGURED, "No 'profile' in cookie")
+
+# If profile has changed between SUBMIT and POLL, restart request
+if os.environ.get('CERTMONGER_CA_PROFILE') != profile:
+os.environ['CERTMONGER_OPERATION'] = 'SUBMIT'
+context = {}
+
+if 'cookie' in context:
+cookie = context.pop('cookie')
+try:
+if not isinstance(cookie, unicode):
+raise TypeError
+cookie = cookie.encode('raw_unicode_escape')
+except (TypeError, UnicodeEncodeError):
+return (UNCONFIGURED,
+"Invalid 'cookie' in cookie: %r" % cookie)
+os.environ['CERTMONGER_CA_COOKIE'] = cookie
+else:
+context = {}
+
+result = _handler(*args, **kwargs)
+
+if result[0] in (WAIT, WAIT_WITH_DELAY):
+context['cookie'] = result[-1].decode('raw_unicode_escape')
+
+profile = os.environ.get('CERTMONGER_CA_PROFILE')
+if profile is not None:
+profile = profile.decode('raw_unicode_escape')
+context['profile'] = profile
+
+cookie = json.dumps(context)
+os.environ['CERTMONGER_CA_COOKIE'] = cookie
+if result[0] in (WAIT, WAIT_WITH_DELAY):
+result = result[:-1] + (cookie,)
+
+return result
+
 def request_cert():
 """
 Request certificate from IPA CA.
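Review bot: cookies issued before this change are the handler's raw cookie string (the value that `result[-1]` now gets wrapped in JSON), so a request already in POLL state across an upgrade fails at `context = json.loads(cookie)` and is reported as UNCONFIGURED with "Invalid cookie" instead of completing; consider treating a cookie that is not a JSON object as a legacy cookie and passing it through with the current profile rather than failing the request. Also, in the changed-profile branch `os.environ['CERTMONGER_OPERATION'] = 'SUBMIT'` is set but the local `operation` is not updated; harmless today because it is not read again, but a one-line comment saying so would save the next reader a check.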
@@ -144,7 +217,7 @@ def store_cert():
 syslog.syslog(
 syslog.LOG_ERR,
 "Updating renewal cert

Re: [Freeipa-devel] [PATCH] 0004 permission-add gives confusing error when adding ACI to generated tree

2014-10-15 Thread Martin Kosek
On 10/15/2014 01:57 PM, thierry bordaz wrote:
> On 10/15/2014 01:26 PM, Martin Kosek wrote:
>> On 10/15/2014 01:08 PM, thierry bordaz wrote:
>>> https://fedorahosted.org/freeipa/ticket/4523
>> I see 2 issues with the patch:
>>
>> 1) Patch description should not contain "
>> Reviewed by:", this gets added later by a script (or human)
> ok
>>
>> 2) The exception handling clause should be as focused as possible, i.e. not
>> including whole command, but rather just the failing call, i.e.:
>>
>>  def post_callback(self, ldap, dn, entry, *keys, **options):
>>  try:
>>  self.obj.add_aci(entry)
>>  except Exception:
>>
>> You can use
>>
>>  try:
>>  ...
>>  except errors.NotFound:
>>  self.obj.handle_not_found(*keys)
>>
>> to raise the right error.
>>
>> Martin
> Currently the exception is handled on the failure of
> baseldap.LDAPCreate.execute(). Do you recommend to make the fix inside
> baseldap.LDAPCreate.execute rather than at the 'permission_add.execute' level?

No, not there. I thought that the exception happens in

def post_callback(self, ldap, dn, entry, *keys, **options):
try:
self.obj.add_aci(entry)
except Exception:
   ...

> Also using handle_not_found looks good, but it reports something like:
> 
>ipa permission-add user1 --right read --attrs cn --subtree
>'cn=compat,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
>ipa: ERROR: user1: permission not found
> 
> 
> If the entry 'user1' exists, it is not clear what was not found.
> Displaying the dn of the entry would help to know that we are updating an 
> entry
> into the 'compat' tree.

Ah, sorry, I think I misled you with this advice. You probably could use the
same except clause as already used:

except errors.NotFound:
raise errors.ValidationError(
name='ipapermlocation',
error=_('Entry %s does not exist') % location)

Martin



Re: [Freeipa-devel] [PATCH] 0023 Fix typo causing certmonger is provided with wrong path to, ipa-submit.

2014-10-15 Thread Jan Cholasta

Hi,

Dne 15.10.2014 v 12:55 David Kupka napsal(a):

I forgot to attach the patch for the ipa-4-0 branch. Attaching both now.

On 10/15/2014 11:08 AM, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4624


The code could be more robust, but given that it will be gone soon 
(hopefully), ACK.


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] Fix printing of reverse zones in ipa-dns-install.

2014-10-15 Thread Martin Basti

On 15/10/14 16:04, David Kupka wrote:

Submitting the patch again. I sent it from my gmail account accidentally.

On 10/15/2014 03:58 PM, Martin Basti wrote:

New contributor :-)

ACK
Thank you!






ACKing my previous ACK

--
Martin Basti


Re: [Freeipa-devel] [PATCH] Fix printing of reverse zones in ipa-dns-install.

2014-10-15 Thread David Kupka

Submitting the patch again. I sent it from my gmail account accidentally.

On 10/15/2014 03:58 PM, Martin Basti wrote:

New contributor :-)

ACK
Thank you!



--
David Kupka
From 4d094e99ff82f69ad08b0df408d847350e900c7b Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 15 Oct 2014 09:24:20 -0400
Subject: [PATCH] Fix printing of reverse zones in ipa-dns-install.

This was forgotten in patch for ticket
https://fedorahosted.org/freeipa/ticket/3575
---
 install/tools/ipa-dns-install | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index ae60f211ab65fb2fddba437d4352f7fbd5ab6f8b..bf9d9908092a2cf4cd2f0252149bce426a8f2bb4 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -154,8 +154,8 @@ def main():
 reverse_zones = bindinstance.check_reverse_zones(ip_addresses,
 options.reverse_zones, options, options.unattended, True)
 
-if reverse_zones is not None:
-print "Using reverse zone %s" % ', '.join(reverse_zones)
+if reverse_zones:
+print "Using reverse zone(s) %s" % ', '.join(reverse_zones)
 
 conf_ntp = ntpinstance.NTPInstance(fstore).is_enabled()
 
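Review bot: the commit message should say why `is not None` became a plain truthiness test: check_reverse_zones can return an empty list, and the old condition then printed "Using reverse zone " followed by nothing. Skipping the message in that case is the substantive fix here, beyond the "(s)" wording, and deserves a sentence in the description.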
-- 
1.9.3


Re: [Freeipa-devel] [PATCH] Fix printing of reverse zones in ipa-dns-install.

2014-10-15 Thread Martin Basti

New contributor :-)

ACK
Thank you!

--
Martin Basti



[Freeipa-devel] [PATCHES] 0661-0670 Switch the test suite to pytest

2014-10-15 Thread Petr Viktorin

This almost completes the switch to pytest. There are two missing things:
- the details of test results (--with-xunit) are not read correctly by 
Jenkins. I have a theory I'm investigating here.

- the beakerlib integration is still not ready


I'll not be available for the rest of the week so I'm sending this 
early, in case someone wants to take a look.


--
Petr³
From e48a4a4a38a107a463a1c0c14c35254abbace36b Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Thu, 9 Oct 2014 17:02:25 +0200
Subject: [PATCH] dogtag plugin: Don't use doctest syntax for non-doctest
 examples

---
 ipaserver/plugins/dogtag.py | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 0e141a45c290b84d65b15b8c2c638577a3a39363..4576c9113b1501f9ab32aef16f8be761e92a9806 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -163,16 +163,16 @@
 1. Reading a serial number from CMS requires conversion from hexadecimal
by converting it into a Python int or long object, use the int constructor:
 
-   >>> serial_number = int(serial_number, 16)
+serial_number = int(serial_number, 16)
 
 2. Big integers passed to XMLRPC must be decimal unicode strings
 
-   >>> unicode(serial_number)
+   unicode(serial_number)
 
 3. Big integers received from XMLRPC must be converted back to int or long
objects from the decimal string representation.
 
-   >>> serial_number = int(serial_number)
+   serial_number = int(serial_number)
 
 Xpath pattern matching on node names:
 -
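Review bot: the replacement lines are indented inconsistently: `serial_number = int(serial_number, 16)` in the first example lost its leading spaces, while `unicode(serial_number)` and the third example keep three. These render as part of the module docstring, so indent all three the same way.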
@@ -202,7 +202,7 @@
 solve the chapter problem above is by using a predicate which says if the node
 name begins with 'chapter' it's a match. Here is how you can do that.
 
->>> doc.xpath("//book/*[starts-with(name(), 'chapter')]/section[2]")
+doc.xpath("//book/*[starts-with(name(), 'chapter')]/section[2]")
 
 The built-in starts-with() returns true if its first argument starts with its
 second argument. Thus the example above says if the node name of the second
@@ -219,10 +219,10 @@
 EXSLT regular expression match() function on the node name. Here is how this is
 done:
 
->>> regexpNS = "http://exslt.org/regular-expressions";
->>> find = etree.XPath("//book/*[re:match(name(), '^chapter(_\d+)$')]/section[2]",
-...namespaces={'re':regexpNS}
->>> find(doc)
+regexpNS = "http://exslt.org/regular-expressions";
+find = etree.XPath("//book/*[re:match(name(), '^chapter(_\d+)$')]/section[2]",
+   namespaces={'re':regexpNS}
+find(doc)
 
 What is happening here is that etree.XPath() has returned us an evaluator
 function which we bind to the name 'find'. We've passed it a set of namespaces
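Review bot: the `etree.XPath(` call in this example is still not closed: the `namespaces={'re':regexpNS}` line has no closing parenthesis, a defect carried over from the removed `...` continuation line. Now that the block is plain example text rather than a doctest, add the `)` so the snippet can be pasted as-is, and consider a raw string for the `'^chapter(_\d+)$'` pattern while touching the line.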
-- 
2.1.0

From c115cf7fb1a9c9f4b0f3c02982c02f4a07a6f404 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Thu, 9 Oct 2014 17:03:02 +0200
Subject: [PATCH] Configure pytest to run doctests

---
 ipatests/pytest.ini |  2 --
 pytest.ini  | 13 +
 2 files changed, 13 insertions(+), 2 deletions(-)
 delete mode 100644 ipatests/pytest.ini
 create mode 100644 pytest.ini

diff --git a/ipatests/pytest.ini b/ipatests/pytest.ini
deleted file mode 100644
index d2355d9616a2aea000d14fa27c9b35d0ad5fb353..
--- a/ipatests/pytest.ini
+++ /dev/null
@@ -1,2 +0,0 @@
-[pytest]
-python_classes = test_ Test
diff --git a/pytest.ini b/pytest.ini
new file mode 100644
index ..fc5ab12cc45beca44a47cdfb9b2e8339c978bc02
--- /dev/null
+++ b/pytest.ini
@@ -0,0 +1,13 @@
+[pytest]
+python_classes = test_ Test
+addopts = --doctest-modules
+# Ignore files for doc tests.
+# TODO: ideally, these should all use __name__=='__main__' guards
+  --ignore=setup.py
+  --ignore=setup-client.py
+  --ignore=checks/check-ra.py
+  --ignore=daemons/ipa-otpd/test.py
+  --ignore=doc/examples/python-api.py
+  --ignore=install/share/copy-schema-to-ca.py
+  --ignore=install/share/wsgi.py
+  --ignore=ipapython/py_default_encoding/setup.py
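Review bot: `--doctest-modules` imports every collected module, so any script without a `__name__ == '__main__'` guard runs its top-level code during collection; the `--ignore=` list is a denylist that has to be kept in sync as scripts are added. The TODO already names the guards as the proper fix; until then a `collect_ignore` list in a conftest.py is easier to maintain than ini continuation lines. Also move the two `# ...` comments above `addopts`: interleaving them between continuation lines relies on the ini parser dropping comment lines inside a multi-line value.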
-- 
2.1.0

From 1ff7fcc4e8a075c3aad0774ec5ba77e433177c10 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Fri, 10 Oct 2014 09:39:00 +0200
Subject: [PATCH] Declarative tests: Move cleanup to setup_class/teardown_class

---
 ipatests/test_xmlrpc/xmlrpc_test.py | 29 +
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py
index 1f44f7794bdd390153317b08b396ac3dfc09e150..306d66f715b504c51bf3189aee7d406ceddb8c36 100644
--- a/ipatests/test_xmlrpc/xmlrpc_test.py
+++ b/ipatests/test_xmlrpc/xmlrpc_test.py
@@ -252,6 +252,18 @@ class Declarative(XMLRPC_test):
 cleanup_commands = tuple()
 tests = tuple()
 
+@classmethod
+def setup_class(cls):
+super(Declarati

[Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type

2014-10-15 Thread Petr Vobornik

ticket: https://fedorahosted.org/freeipa/ticket/4221

== [PATCH] 773 ranges: prohibit setting --rid-base with 
ipa-trust-ad-posix type ==


We should not allow setting --rid-base for ranges of ipa-trust-ad-posix 
since we do not perform any RID -> UID/GID mappings for these ranges 
(objects have UID/GID set in AD). Thus, setting RID base makes no sense.


Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, 
value '0' is allowed and used internally for 'ipa-trust-ad-posix' range 
type.


No schema change is done.

== [PATCH] 774 unittests: baserid for ipa-ad-trust-posix idranges ==

== [PATCH] 775 ldapupdater: set baserid to 0 for ipa-ad-trust-posix 
ranges ==


New updater plugin which sets baserid to 0 for ranges with type 
ipa-ad-trust-posix


https://fedorahosted.org/freeipa/ticket/4221

== [PATCH] 776 idrange: include raw range type in output ==

iparangetype output is a localized human-readable value which is not 
suitable for machine-based API consumers


Solved by new iparangetyperaw output attribute which contains 
iparangetype's raw value


Note: I don't like this approach. It would be better to return just the 
raw value and do the transformation in clients. But we do have a 
precedent: 
http://www.redhat.com/archives/freeipa-devel/2012-January/msg00190.html


== [PATCH] 777 webui: prohibit setting rid base with ipa-trust-ad-posix 
type ==


Base RID is no longer editable for ipa-trust-ad-posix range type

Adder dialog:
- Range type selector was moved up because it affects a field above it

Details page:
- Only fields relevant to range's type are visible

https://fedorahosted.org/freeipa/ticket/4221
--
Petr Vobornik
From 1bda87528855aaf4ad9b18a31479c8b2a353bd92 Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Wed, 3 Sep 2014 17:23:33 +0200
Subject: [PATCH] webui: prohibit setting rid base with ipa-trust-ad-posix type

Base RID is no longer editable for ipa-trust-ad-posix range type

Adder dialog:
- Range type selector was moved up because it affects a field above it

Details page:
- Only fields relevant to range's type are visible

https://fedorahosted.org/freeipa/ticket/4221
---
 install/ui/src/freeipa/idrange.js | 77 ++-
 1 file changed, 60 insertions(+), 17 deletions(-)

diff --git a/install/ui/src/freeipa/idrange.js b/install/ui/src/freeipa/idrange.js
index 12c0b288b766c059db6b844f445fb88b5821a1db..4e5dbfa00dcf80495d8a96f7fc961b9c6676691f 100644
--- a/install/ui/src/freeipa/idrange.js
+++ b/install/ui/src/freeipa/idrange.js
@@ -54,6 +54,11 @@ return {
 'cn',
 'iparangetype',
 {
+name: 'iparangetyperaw',
+read_only: true,
+visible: false
+},
+{
 name: 'ipabaseid',
 label: '@i18n:objects.idrange.ipabaseid',
 title: '@mo-param:idrange:ipabaseid:label'
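Review bot: the hidden, read-only `iparangetyperaw` field reads the output attribute introduced server-side in patch 776 of this series; applied against a server without it, the field stays undefined and the range-type policy has nothing to act on. Note the dependency on 776 in the commit message so the two are not pushed separately.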
@@ -80,6 +85,9 @@ return {
 }
 ]
 }
+],
+policies: [
+exp.idrange_policy
 ]
 }
 ],
@@ -89,21 +97,6 @@ return {
 name: 'cn'
 },
 {
-name: 'ipabaseid',
-label: '@i18n:objects.idrange.ipabaseid',
-title: '@mo-param:idrange:ipabaseid:label'
-},
-{
-name: 'ipaidrangesize',
-label: '@i18n:objects.idrange.ipaidrangesize',
-title: '@mo-param:idrange:ipaidrangesize:label'
-},
-{
-name: 'ipabaserid',
-label: '@i18n:objects.idrange.ipabaserid',
-title: '@mo-param:idrange:ipabaserid:label'
-},
-{
 name: 'iparangetype',
 $type: 'radio',
 label: '@i18n:objects.idrange.type',
@@ -125,6 +118,21 @@ return {
 ]
 },
 {
+name: 'ipabaseid',
+label: '@i18n:objects.idrange.ipabaseid',
+title: '@mo-param:idrange:ipabaseid:label'
+},
+{
+name: 'ipaidrangesize',
+label: '@i18n:objects.idrange.ipaidrangesize',
+title: '@mo-param:idrange:ipaidrangesize:label'
+},
+{
+name: 'ipabaserid',
+label: '@i18n:objects.idrange.ipabaserid',
+title: '@mo-param:idrange:ipabaserid:label'
+},
+{
 name: 'ipasecondarybaserid',
 label: '@i18n:objects.idrange.ipasecondarybaserid',
 title: '@mo-param:idrange:ipasecondarybaserid:label'
@@ -147,7 +155,9 @@ IPA.idrange_adder_policy = function(spec) {
 The logic for enabling/requiring ipabase

Re: [Freeipa-devel] [PATCH] 0004 permission-add gives confusing error when adding ACI to generated tree

2014-10-15 Thread thierry bordaz

On 10/15/2014 01:26 PM, Martin Kosek wrote:

On 10/15/2014 01:08 PM, thierry bordaz wrote:

https://fedorahosted.org/freeipa/ticket/4523

I see 2 issues with the patch:

1) Patch description should not contain "
Reviewed by:", this gets added later by a script (or human)

ok


2) The exception handling clause should be as focused as possible, i.e. not
including whole command, but rather just the failing call, i.e.:

 def post_callback(self, ldap, dn, entry, *keys, **options):
 try:
 self.obj.add_aci(entry)
 except Exception:

You can use

 try:
 ...
 except errors.NotFound:
 self.obj.handle_not_found(*keys)

to raise the right error.

Martin
Currently the exception is handled on the failure of 
baseldap.LDAPCreate.execute(). Do you recommend to make the fix inside 
baseldap.LDAPCreate.execute rather than at the 'permission_add.execute' 
level ?


Also using handle_not_found looks good, but it reports something like:

   ipa permission-add user1 --right read --attrs cn --subtree
   'cn=compat,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'
   ipa: ERROR: user1: permission not found


If the entry 'user1' exists, it is not clear what was not found.
Displaying the dn of the entry would help to know that we are updating 
an entry into the 'compat' tree.


thanks
thierry



Re: [Freeipa-devel] [PATCH] 0004 permission-add gives confusing error when adding ACI to generated tree

2014-10-15 Thread Martin Kosek
On 10/15/2014 01:08 PM, thierry bordaz wrote:
> https://fedorahosted.org/freeipa/ticket/4523

I see 2 issues with the patch:

1) Patch description should not contain "
Reviewed by:", this gets added later by a script (or human)

2) The exception handling clause should be as focused as possible, i.e. not
including whole command, but rather just the failing call, i.e.:

def post_callback(self, ldap, dn, entry, *keys, **options):
try:
self.obj.add_aci(entry)
except Exception:

You can use

try:
...
except errors.NotFound:
self.obj.handle_not_found(*keys)

to raise the right error.

Martin



[Freeipa-devel] [PATCH] 0004 permission-add gives confusing error when adding ACI to generated tree

2014-10-15 Thread thierry bordaz

https://fedorahosted.org/freeipa/ticket/4523


From 27275d46251452175c4cb66222ffeda089a15e2e Mon Sep 17 00:00:00 2001
From: "Thierry bordaz (tbordaz)" 
Date: Tue, 7 Oct 2014 18:41:44 +0200
Subject: [PATCH] permission-add gives confusing error when adding ACI to
 generated tree

Error reports that the modified entry does not exist

https://fedorahosted.org/freeipa/ticket/4523

Reviewed by:
---
 ipalib/plugins/permission.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 9028f02483bc113c19c75b94d70dd1b133272524..30d3266e4618a85e3974fc839c0d640542374d6d 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -943,7 +943,11 @@ class permission_add(baseldap.LDAPCreate):
 # the whole command, not just the callbacks
 def execute(self, *keys, **options):
 self.obj.preprocess_options(options, merge_targetfilter=True)
-return super(permission_add, self).execute(*keys, **options)
+try:
+res = super(permission_add, self).execute(*keys, **options)
+except errors.NotFound:
+raise errors.NotFound(reason=_('Entry %s does not exist') % self.obj.get_dn(*keys, **options))
+return res
 
 def get_args(self):
 for arg in super(permission_add, self).get_args():
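Review bot: the `except errors.NotFound` wraps the whole `super(...).execute(...)` call, so any NotFound raised anywhere in the command is re-reported as "Entry %s does not exist", and the entry named is `self.obj.get_dn(*keys, **options)`, the DN of the permission being created, not the subtree that was actually missing; for the case in the ticket (a nonexistent `--subtree` location) the message is therefore still misleading. Narrow the handler to the failing call (the ACI add in post_callback, as suggested in the thread) and report the location, e.g. `raise errors.ValidationError(name='ipapermlocation', error=_('Entry %s does not exist') % location)`. The new raise line also runs well past 79 columns.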
-- 
1.7.11.7


Re: [Freeipa-devel] [PATCH] 0023 Fix typo causing certmonger is provided with wrong path to, ipa-submit.

2014-10-15 Thread David Kupka

I forgot to attach the patch for the ipa-4-0 branch. Attaching both now.

On 10/15/2014 11:08 AM, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4624





--
David Kupka
From c2808f958c9ee99374aadf808ca01bf7047de509 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Tue, 14 Oct 2014 06:54:00 -0400
Subject: [PATCH] Fix typo causing certmonger is provided with wrong path to
 ipa-submit.

Using strip() instead of split() caused only the first character of the path to be specified.
Also using shlex for more robust parsing.

https://fedorahosted.org/freeipa/ticket/4624
---
 ipapython/certmonger.py | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index ca8b373924428343fe108c88dfa0904237dfccce..dc6cff966539a288273172b3f3633646c96dd5ab 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -26,6 +26,7 @@ import os
 import sys
 import time
 import dbus
+import shlex
 from ipapython import ipautil
 from ipapython import dogtag
 from ipapython.ipa_log_manager import *
@@ -371,7 +372,7 @@ def add_principal_to_cas(principal):
 ca = _find_IPA_ca()
 if ca:
 ext_helper = ca.prop_if.Get(DBUS_CM_CA_IF, 'external-helper')
-if ext_helper and ext_helper.find('-k') == -1:
+if ext_helper and '-k' not in shlex.split(ext_helper):
 ext_helper = '%s -k %s' % (ext_helper.strip(), principal)
 ca.prop_if.Set(DBUS_CM_CA_IF, 'external-helper', ext_helper)
 
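Review bot: `principal` is interpolated unquoted in `'%s -k %s' % (ext_helper.strip(), principal)`, while the check just above now parses the same property with `shlex.split`; a principal containing whitespace or shell metacharacters would not survive that round trip and the `'-k' not in` test could then miss it on the next call. Quote the value when building the string (e.g. with `pipes.quote`) so what is written is what shlex reads back.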
@@ -383,8 +384,8 @@ def remove_principal_from_cas():
 ca = _find_IPA_ca()
 if ca:
 ext_helper = ca.prop_if.Get(DBUS_CM_CA_IF, 'external-helper')
-if ext_helper and ext_helper.find('-k'):
-ext_helper = ext_helper.strip()[0]
+if ext_helper and '-k' in shlex.split(ext_helper):
+ext_helper = shlex.split(ext_helper)[0]
 ca.prop_if.Set(DBUS_CM_CA_IF, 'external-helper', ext_helper)
 
 
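Review bot: `shlex.split(ext_helper)[0]` keeps only the first token, so any argument other than `-k <principal>` that the `external-helper` value carried is dropped as well; if the intent is to undo add_principal_to_cas only, remove the `-k` token and its value and rejoin the remaining tokens. `shlex.split` is also evaluated twice on the same string in two adjacent lines; split once into a local.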
-- 
1.9.3

From ae9d6d00ef5ba2dc61053b5429a0a6a6ac21f086 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Tue, 14 Oct 2014 06:54:00 -0400
Subject: [PATCH] Fix typo causing certmonger is provided with wrong path to
 ipa-submit.

Using strip() instead of split() caused only the first character of the path to be specified.
Also using shlex for more robust parsing.

https://fedorahosted.org/freeipa/ticket/4624
---
 ipapython/certmonger.py | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 84f04a62e5e94716310efcd7847bc7f89460b73c..72ae8d5ef063bec495d996b44e6aba2b4e19839f 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -26,6 +26,7 @@ import os
 import sys
 import time
 import dbus
+import shlex
 from ipapython import ipautil
 from ipapython import dogtag
 from ipaplatform.paths import paths
@@ -357,7 +358,7 @@ def add_principal_to_cas(principal):
 ca = _find_IPA_ca()
 if ca:
 ext_helper = ca.prop_if.Get(DBUS_CM_CA_IF, 'external-helper')
-if ext_helper and ext_helper.find('-k') == -1:
+if ext_helper and '-k' not in shlex.split(ext_helper):
 ext_helper = '%s -k %s' % (ext_helper.strip(), principal)
 ca.prop_if.Set(DBUS_CM_CA_IF, 'external-helper', ext_helper)
 
@@ -369,8 +370,8 @@ def remove_principal_from_cas():
 ca = _find_IPA_ca()
 if ca:
 ext_helper = ca.prop_if.Get(DBUS_CM_CA_IF, 'external-helper')
-if ext_helper and ext_helper.find('-k'):
-ext_helper = ext_helper.strip()[0]
+if ext_helper and '-k' in shlex.split(ext_helper):
+ext_helper = shlex.split(ext_helper)[0]
 ca.prop_if.Set(DBUS_CM_CA_IF, 'external-helper', ext_helper)
 
 
-- 
1.9.3


[Freeipa-devel] [PATCH] 0023 Fix typo causing certmonger is provided with wrong path to, ipa-submit.

2014-10-15 Thread David Kupka

https://fedorahosted.org/freeipa/ticket/4624
--
David Kupka
From c2808f958c9ee99374aadf808ca01bf7047de509 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Tue, 14 Oct 2014 06:54:00 -0400
Subject: [PATCH] Fix typo causing certmonger is provided with wrong path to
 ipa-submit.

Using strip() instead of split() caused only the first character of the path to be specified.
Also using shlex for more robust parsing.

https://fedorahosted.org/freeipa/ticket/4624
---
 ipapython/certmonger.py | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index ca8b373924428343fe108c88dfa0904237dfccce..dc6cff966539a288273172b3f3633646c96dd5ab 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -26,6 +26,7 @@ import os
 import sys
 import time
 import dbus
+import shlex
 from ipapython import ipautil
 from ipapython import dogtag
 from ipapython.ipa_log_manager import *
@@ -371,7 +372,7 @@ def add_principal_to_cas(principal):
 ca = _find_IPA_ca()
 if ca:
 ext_helper = ca.prop_if.Get(DBUS_CM_CA_IF, 'external-helper')
-if ext_helper and ext_helper.find('-k') == -1:
+if ext_helper and '-k' not in shlex.split(ext_helper):
 ext_helper = '%s -k %s' % (ext_helper.strip(), principal)
 ca.prop_if.Set(DBUS_CM_CA_IF, 'external-helper', ext_helper)
 
@@ -383,8 +384,8 @@ def remove_principal_from_cas():
 ca = _find_IPA_ca()
 if ca:
 ext_helper = ca.prop_if.Get(DBUS_CM_CA_IF, 'external-helper')
-if ext_helper and ext_helper.find('-k'):
-ext_helper = ext_helper.strip()[0]
+if ext_helper and '-k' in shlex.split(ext_helper):
+ext_helper = shlex.split(ext_helper)[0]
 ca.prop_if.Set(DBUS_CM_CA_IF, 'external-helper', ext_helper)
 
 
-- 
1.9.3


Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-15 Thread Martin Kosek
On 10/14/2014 09:01 PM, Nathaniel McCallum wrote:
> On Thu, 2014-10-09 at 18:48 +0200, thierry bordaz wrote:
>> On 10/09/2014 05:51 PM, Nathaniel McCallum wrote:
>>
>>> On Thu, 2014-10-09 at 11:44 +0200, thierry bordaz wrote:
>>>> On 10/09/2014 12:15 AM, Nathaniel McCallum wrote:
>>>>
>>>>> On Wed, 2014-10-08 at 17:19 -0400, Simo Sorce wrote:
>>>>>> On Wed, 08 Oct 2014 15:53:39 -0400
>>>>>> Nathaniel McCallum  wrote:
>>>>>>
>>>>>>> As I understand my code, all servers will have csnD. Some servers will
>>>>>>> have valueB and others will have valueD, but valueB == valueD.
>>>>>>>
>>>>>>> We *never* discard a CSN. We only discard the counter/watermark mods
>>>>>>> in the replication operation.
>>>>>> What Thierry is saying is that the individual attributes in the entry
>>>>>> have associated the last CSN that modified them. Because you remove the
>>>>>> mods when ValueD == ValueB the counter attribute will not have the
>>>>>> associated CSN changed. But it doesn't really matter because the plugin
>>>>>> will always keep things consistent.
>>>>> Attached is a new version. It removes this optimization. If server X has
>>>>> valueB/csnB and receives valueD/csnD and valueB == valueD, the
>>>>> replication will be applied without any modification. However, if valueB > valueD
>>>>> and csnD > csnB, the counter mods will still be stripped.
>>>>> It also collapses the error check from betxnpre to bepre now that we
>>>>> have a fix for https://fedorahosted.org/389/ticket/47919 committed. The
>>>>> betxnpre functions are completely removed. Also, a dependency on 389
>>>>> 1.3.3.4 (not yet released) is added.
>>>>>
>>>>> Nathaniel
>>>> Hello Nathaniel,
>>>>
>>>> For me the code is fine. Ack.
>>> New attached patch.
>>>
>>>> I have two minor comments:
>>>>   * in preop_mod, when a direct update moves the counter
>>>> backward you send UNWILLING to perform with a message.
>>>> The message is allocated with slapi_ch_smprintf, you
>>>> may free it with slapi_ch_free_string (rather than
>>>> 'free').
>>> Fixed.
>>>
>>>>   * About this message, for example when you have these
>>>> MODS (I admit they make no sense):
>>>>
>>>> changetype: modify
>>>> ipatokenHOTPcounter: MOD_DELETE
>>>> -
>>>> ipatokenHOTPcounter: MOD_INCREMENT
>>>>
>>>> The returned message will be "Will not decrement
>>>> ipatokenHOTPcounter", because 'simulate' will return
>>>> 'COUNTER_UNSET+1'.
>>>> Is it the message you expected?
>>> I changed the logic in simulate(). Please review it.
>>>
>>> Nathaniel
>>>
>> Hello Nathaniel,
>>
>>
>> The patch is ok for me. Ack.
> 
> Since the ACK, the upstream 389 fix actually landed in 1.3.3.5. This
> patch changes nothing except the dependency version. I have tested it
> against the 1.3.3.5 build.
> 
> Nathaniel

Great! As soon as the new build lands in Fedora 21 (and we add it to our Copr),
the patch can be pushed.

Martin



Re: [Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in, ipa-upgradeconfig

2014-10-15 Thread Martin Kosek
On 10/14/2014 03:59 PM, Jan Cholasta wrote:
> Dne 14.10.2014 v 15:18 David Kupka napsal(a):
>> On 10/14/2014 02:28 PM, Jan Cholasta wrote:
>>> Dne 14.10.2014 v 14:19 David Kupka napsal(a):
>>>>
>>>>
>>>> On 10/14/2014 01:39 PM, Jan Cholasta wrote:
>>>>> Dne 14.10.2014 v 12:47 David Kupka napsal(a):
>>>>>>
>>>>>>
>>>>>> On 10/10/2014 03:24 PM, Jan Cholasta wrote:
>>>>>>> Dne 8.10.2014 v 12:36 David Kupka napsal(a):
>>>>>>>> On 10/08/2014 09:29 AM, Jan Cholasta wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Dne 8.10.2014 v 09:09 David Kupka napsal(a):
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4569
>>>>>>>>>
>>>>>>>>> In renew_ca_cert and cainstance.py, dogtag should already be
>>>>>>>>> stopped in
>>>>>>>>> the places you modified, so why the change?
>>>>>>>>
>>>>>>>> I didn't notice that it is already stopped, fixed.
>>>>>>>>>
>>>>>>>>> Also I don't think it's a good idea to backup CS.cfg when dogtag is
>>>>>>>>> still running (in cainstance.py). If the file is being modified by
>>>>>>>>> dogtag at the time it is backed up, the backup may be corrupted.
>>>>>>>>>
>>>>>>>> Fixed, thanks.
>>>>>>>
>>>>>>> CAInstance.backup_config should be called only when Dogtag is
>>>>>>> stopped as
>>>>>>> well, you don't need to change it.
>>>>>>>
>>>>>>
>>>>>> backup_config is callable from outside of cainstance.py so it's
>>>>>> safer to
>>>>>> check that dogtag is stopped and stop it if necessary. When dogtag is
>>>>>> already stopped it won't do anything.
>>>>>
>>>>> If dogtag is not stopped in backup_config, it's an error, so an
>>>>> exception should be raised.
>>>
>>> What I meant by this is that you should add this check to backup_config,
>>> because it's not there ATM. Sorry for confusing you.
>>>
>>
>> Ok, hope that I finally understood.
>>
> 
> ACK.
> 

Pushed to:
master: c44f4dcbea210e7802deda1909a3ec70aa6b6460
ipa-4-1: 080c8635de15e3954333e402e9a750d551ff8abd
ipa-4-0: 320ea12373f0172a9505c5e4f7c12b20c3439ac5

Martin
