[Freeipa-devel] [PATCH] 358 Do not check if port 8443 is available in step 2 of external CA install

2014-10-22 Thread Jan Cholasta

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4660.

Honza

--
Jan Cholasta
From 1a42a07cfa02753053298c75d3a76cb1cb3bf839 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 22 Oct 2014 11:18:35 +0200
Subject: [PATCH] Do not check if port 8443 is available in step 2 of external
 CA install

The port is never available in step 2 of external CA install, as Dogtag is
already running.

https://fedorahosted.org/freeipa/ticket/4660
---
 install/tools/ipa-ca-install | 3 ++-
 install/tools/ipa-server-install | 9 +
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index cb072e6..1bda22d 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -301,7 +301,8 @@ def install_master(safe_options, options):
 domain_name = api.env.domain
 host_name = api.env.host
 
-check_ca()
+if external != 2:
+check_ca()
 
 dirname = dsinstance.config_dirname(
 dsinstance.realm_to_serverid(realm_name))
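Review bot: `external` is used in the new `if external != 2:` guard but nothing in this hunk shows where it comes from; confirm it is in scope of `install_master()` (parameter or module global) and that it is exactly 2 in the second pass, since any other value still runs `check_ca()`. A one-line comment such as `# step 2 of external CA install: Dogtag is already running, port 8443 is in use` would make the skip self-explanatory for the next reader.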
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 0394314..67dd21f 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -869,10 +869,11 @@ def main():
 # Make sure the 389-ds ports are available
 check_dirsrv(options.unattended)
 
-if setup_ca:
-if not cainstance.check_port():
-print IPA requires port 8443 for PKI but it is currently in use.
-sys.exit(Aborting installation)
+if setup_ca:
+if not cainstance.check_port():
+print (IPA requires port 8443 for PKI but it is currently in 
+   use.)
+sys.exit(Aborting installation)
 
 if options.conf_ntp:
 try:
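Review bot: the removed and added blocks differ only in indentation and in wrapping the message across two lines; the `if setup_ca:` condition itself is unchanged as shown, so this hunk does not by itself skip the port check in step 2 of the external CA install. If the condition was extended, the archived diff has lost it; otherwise the commit message should say that the ipa-ca-install change is what implements the skip and this hunk is only a reformat.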
-- 
1.9.3

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 781 build: increase java stack size for all arches

2014-10-22 Thread Petr Vobornik
Gradually new arches which need a bigger stack size for web ui build 
appear. It's safer to increase the stack size for every architecture and 
avoid possible future issues.


Reason: build fail on armv7hl
--
Petr Vobornik
From 662c7d3b20195a035f20251d0a1e15c2eb382d11 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 22 Oct 2014 12:20:05 +0200
Subject: [PATCH] build: increase java stack size for all arches

Gradually new arches which need a bigger stack size for web ui build appear. It's safer to increase the stack size for every architecture and avoid possible future issues.

Reason: build fail on armv7hl
---
 freeipa.spec.in | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index be13e69255e7612f84aeca22105645b544cc50b5..f3e0b198ae48ddb5c02152c5db3bfdaaf5a7f678 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -320,10 +320,9 @@ This package contains tests that verify IPA functionality.
 %setup -n freeipa-%{version} -q
 
 %build
-%ifarch ppc %{power64} s390 s390x aarch64
 # UI compilation segfaulted on some arches when the stack was lower (#1040576)
 export JAVA_STACK_SIZE=8m
-%endif
+
 export CFLAGS=%{optflags} $CFLAGS
 export LDFLAGS=%{__global_ldflags} $LDFLAGS
 export SUPPORTED_PLATFORM=%{platform_module}
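Review bot: removing the `%ifarch` guard leaves the comment `# UI compilation segfaulted on some arches when the stack was lower (#1040576)` describing a per-arch workaround that is now unconditional; update it to say the 8m stack is applied on all architectures (citing the armv7hl failure) so a later reader does not reintroduce the guard. The added `+` line is now a stray blank line between `export JAVA_STACK_SIZE=8m` and `export CFLAGS`; drop it unless it is meant as a separator.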
-- 
1.9.3


Re: [Freeipa-devel] [PATCH] 781 build: increase java stack size for all arches

2014-10-22 Thread Martin Kosek
On 10/22/2014 12:27 PM, Petr Vobornik wrote:
 Gradually new arches which need a bigger stack size for web ui build appear.
 It's safer to increase the stack size for every architecture and avoid 
 possible
 future issues.
 
 Reason: build fail on armv7hl

ACK from me if it really fixes the problem on ARM and does not break other arch
builds.

I am now not sure why we did not make this setting default in the first place...

Martin



Re: [Freeipa-devel] isolated pkcs11 module

2014-10-22 Thread Petr Spacek

Hello,

On 15.10.2014 16:24, Nikos Mavrogiannopoulos wrote:

Hi,
  Concerning: https://bugs.freedesktop.org/show_bug.cgi?id=51949#c3
What are your requirements? We currently have working code (but not yet
merged) for an isolated security module via p11-kit. Our requirements
are to protect private keys by keeping them outside a process' boundary.

FreeIPA has the same requirement in this regard + couple more.


The main target is to run softhsm (v2) in an isolated mode. If we can

This was our plan too :-)


combine efforts would be nice.

Definitely!

The original intent was to design LDAP-backed PKCS#11 module which will be 
used for CA certificate distribution to clients.


E.g. SSSD would download the CA certificates managed by FreeIPA to client and 
expose them via PKCS#11 to p11-kit. We hope that this would allow almost 
seamless CA roll-over.

This is in scope of https://fedorahosted.org/freeipa/ticket/4322

Later we found out that DNSSEC support in FreeIPA needs to distribute and 
share private keys among all FreeIPA DNS servers. It seems that LDAP-backed 
PKCS#11 backend could be used for the same purpose.

The idea how it can be done in secure way is described on:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm#Keydistribution

We did not get to coding it yet but the very rough idea was to wrap local 
SoftHSM instance and use SSSD to do two-way synchronization between local HSM 
and LDAP-backend.


It certainly could be extended to handle user credentials too (SSH private 
keys or passwords in GNOME keyring?).


Jan Cholasta (CCed) can add more details, he is the main architect of this 
solution :-)


--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH] 358 Do not check if port 8443 is available in step 2 of external CA install

2014-10-22 Thread David Kupka

On 10/22/2014 11:28 AM, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4660.

Honza





Works for me, ACK.
--
David Kupka



Re: [Freeipa-devel] [PATCH] 781 build: increase java stack size for all arches

2014-10-22 Thread Petr Vobornik

On 22.10.2014 13:12, Martin Kosek wrote:

On 10/22/2014 12:27 PM, Petr Vobornik wrote:

Gradually new arches which need a bigger stack size for web ui build appear.
It's safer to increase the stack size for every architecture and avoid possible
future issues.

Reason: build fail on armv7hl


ACK from me if it really fixes the problem on ARM and does not break other arch
builds.


failed build: http://koji.fedoraproject.org/koji/taskinfo?taskID=7927120
successful scratch build: 
http://koji.fedoraproject.org/koji/taskinfo?taskID=7928725




I am now not sure why we did not make this setting default in the first place...


IIRC, one of the reasons was that at the beginning it was only for two 
arches. But the very first patch has something similar, but not 
configurable through an env. variable.


Pushed to:
ipa-4-0: 4ac55bf52ff0d6817a130bd7d9bc65415c359bec
ipa-4-1: 1300f82b9ce9c42b5314e018fa4989990af6218b
master: 09808c92c001ba8a6d5705e719d63430eeeb3ecb
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 358 Do not check if port 8443 is available in step 2 of external CA install

2014-10-22 Thread Jan Cholasta

Dne 22.10.2014 v 13:30 David Kupka napsal(a):

On 10/22/2014 11:28 AM, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4660.

Honza





Works for me, ACK.


Thanks.

See attachment for ipa-4-0 version of the patch.

--
Jan Cholasta
From dcb53769739e74de865ed54c5ee22f15eb287abc Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 22 Oct 2014 11:18:35 +0200
Subject: [PATCH] Do not check if port 8443 is available in step 2 of external
 CA install

The port is never available in step 2 of external CA install, as Dogtag is
already running.

https://fedorahosted.org/freeipa/ticket/4660
---
 install/tools/ipa-server-install | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index beb5cfe..3d34d4b 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -803,10 +803,11 @@ def main():
 # Make sure the 389-ds ports are available
 check_dirsrv(options.unattended)
 
-if setup_ca:
-if not cainstance.check_port():
-print IPA requires port 8443 for PKI but it is currently in use.
-sys.exit(Aborting installation)
+if setup_ca:
+if not cainstance.check_port():
+print (IPA requires port 8443 for PKI but it is currently in 
+   use.)
+sys.exit(Aborting installation)
 
 if options.conf_ntp:
 try:
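Review bot: as in the master version, the two blocks differ only in indentation and line wrapping; the `if setup_ca:` condition is unchanged, so the skip of `cainstance.check_port()` in step 2 is not visible in this hunk. Since this ipa-4-0 backport touches only ipa-server-install (there is no ipa-ca-install change in the diffstat), the commit message should state where the step-2 skip actually happens in this branch, or the archived diff has lost the condition change.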
-- 
1.9.3


Re: [Freeipa-devel] [PATCH] 358 Do not check if port 8443 is available in step 2 of external CA install

2014-10-22 Thread Petr Vobornik

On 22.10.2014 13:57, Jan Cholasta wrote:

Dne 22.10.2014 v 13:30 David Kupka napsal(a):

On 10/22/2014 11:28 AM, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4660.

Honza



Works for me, ACK.


Thanks.

See attachment for ipa-4-0 version of the patch.



Looks good.

Pushed to:
ipa-4-0: 3cb982bc010216c7613de67ea537ba0dbe8d8342
ipa-4-1: e22cf5bafc4c862a16bd8ac0b950c7547b048ae9
master: 50e66337340ae8f9c243658b58409de4e911d1c4
--
Petr Vobornik



[Freeipa-devel] [PATCH] 354 Modified NSSConnection not to shutdown existing database.

2014-10-22 Thread Endi Sukma Dewata

The NSSConnection class has been modified not to shutdown the
existing NSS database if the database is already opened to
establish an SSL connection, or is already opened by another
code that uses an NSS database without establishing an SSL
connection such as vault CLIs.

Ticket #4638

--
Endi S. Dewata
From d7b05ef151a59e6828b537ac2077d05b74b25903 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Tue, 16 Sep 2014 20:11:35 -0400
Subject: [PATCH] Modified NSSConnection not to shutdown existing database.

The NSSConnection class has been modified not to shutdown the
existing NSS database if the database is already opened to
establish an SSL connection, or is already opened by another
code that uses an NSS database without establishing an SSL
connection such as vault CLIs.

Ticket #4638
---
 ipalib/rpc.py   | 34 +++---
 ipapython/nsslib.py | 35 +++
 2 files changed, 42 insertions(+), 27 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 
5934f0c26e4b7c0a44adbab978c1f9b319d72e9f..001b7f1ca06edadfc7aad635d9d564e517008a63
 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -63,6 +63,7 @@ from ipaplatform.paths import paths
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
+import ipapython.nsslib
 from ipapython.nsslib import NSSHTTPS, NSSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, 
KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, 
KRB5_REALM_CANT_RESOLVE
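Review bot: `import ipapython.nsslib` next to the existing `from ipapython.nsslib import NSSHTTPS, NSSConnection` is needed because `current_dbdir` is a module global that is reassigned at runtime and must be read through the module (`ipapython.nsslib.current_dbdir`) rather than bound once by a `from` import; add a short comment saying so, otherwise someone will "clean up" the apparently duplicate import and silently get a stale `None`.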
@@ -450,14 +451,10 @@ class LanguageAwareTransport(MultiProtocolTransport):
 class SSLTransport(LanguageAwareTransport):
 Handles an HTTPS transaction to an XML-RPC server.
 
-def __nss_initialized(self, dbdir):
+def get_connection_dbdir(self):
 
-If there is another connections open it may have already
-initialized NSS. This is likely to lead to an NSS shutdown
-failure.  One way to mitigate this is to tell NSS to not
-initialize if it has already been done in another open connection.
-
-Returns True if another connection is using the same db.
+If there is a connections open it may have already initialized
+NSS database. Return the database location used by the connection.
 
 for value in context.__dict__.values():
 if not isinstance(value, Connection):
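Review bot: the new docstring should read "If there is a connection open it may have already initialized the NSS database. Return the database location used by that connection." Also note that the method is now public (`get_connection_dbdir` replaces the name-mangled `__nss_initialized`) and returns the dbdir of the first matching transport only, so document that a single open SSLTransport is considered even when several exist.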
@@ -466,25 +463,32 @@ class SSLTransport(LanguageAwareTransport):
 getattr(value.conn, '_ServerProxy__transport', None),
 SSLTransport):
 continue
-if hasattr(value.conn._ServerProxy__transport, 'dbdir') and \
-  value.conn._ServerProxy__transport.dbdir == dbdir:
-return True
-return False
+if hasattr(value.conn._ServerProxy__transport, 'dbdir'):
+return value.conn._ServerProxy__transport.dbdir
+return None
 
 def make_connection(self, host):
 host, self._extra_headers, x509 = self.get_host_info(host)
 # Python 2.7 changed the internal class used in xmlrpclib from
 # HTTP to HTTPConnection. We need to use the proper subclass
 
-# If we an existing connection exists using the same NSS database
-# there is no need to re-initialize. Pass thsi into the NSS
-# connection creator.
 if sys.version_info = (2, 7):
 if self._connection and host == self._connection[0]:
 return self._connection[1]
 
 dbdir = getattr(context, 'nss_dir', paths.IPA_NSSDB_DIR)
-no_init = self.__nss_initialized(dbdir)
+connection_dbdir = self.get_connection_dbdir()
+
+if connection_dbdir:
+# If an existing connection is already using the same NSS
+# database there is no need to re-initialize.
+no_init = dbdir == connection_dbdir
+
+else:
+# If the NSS database is already being used there is no
+# need to re-initialize.
+no_init = dbdir == ipapython.nsslib.current_dbdir
+
 if sys.version_info  (2, 7):
 conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)
 else:
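Review bot: `no_init = dbdir == connection_dbdir` silently yields `no_init = False` when another open connection uses a different database, and the NSS initialization that follows can then shut down that connection's database, which is the failure the commit message is trying to avoid; raise or at least log in the mismatch case instead of proceeding. Also, `if connection_dbdir:` means `ipapython.nsslib.current_dbdir` is never consulted while any transport is open, so a database opened by a non-SSL user (the vault CLI case named in the commit message) is not checked on that path; checking both values, or preferring `current_dbdir` when it is set, covers both cases.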
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 
93b0c56fcff4fc69841a6823aae8f694c1f76ff0..1452a2a5844a5fb017d4408aadf56f7fcfc7fa25
 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -31,6 +31,9 @@ import nss.ssl as ssl
 import nss.error as error
 from ipaplatform.paths import paths
 
+# NSS database currently open
+current_dbdir = None
+
 def auth_certificate_callback(sock, check_sig, is_server, certdb):
 cert_is_valid = False
 
@@ -184,19 +187,27 @@ class NSSConnection(httplib.HTTPConnection, 
NSSAddressFamilyFallback):
 httplib.HTTPConnection.__init__(self, host, port, strict)
 NSSAddressFamilyFallback.__init__(self, family)
 
-if 
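Review bot: this hunk is truncated in the archive after `-if`, so the change to `NSSConnection.__init__`, where the `no_init` decision and the update of `current_dbdir` would have to live, cannot be reviewed from this copy; please resend or link the full patch.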

Re: [Freeipa-devel] [PATCH] 352 Fixed KRA backend.

2014-10-22 Thread Endi Sukma Dewata

On 10/15/2014 10:59 PM, Endi Sukma Dewata wrote:

The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.

The KRA installer has been modified to use Dogtag's CLI to create
KRA agent and setup the client authentication.

The proxy settings have been updated to include KRA's URLs.

The certs.install_pem_from_p12() has been updated to generate the
proper client certificate using the -clcerts option and also take
a password file.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.

Ticket #3872


New patch attached. It's identical to the previous one except I changed 
the ticket number to #4503.


--
Endi S. Dewata
From a3e5c4f872fade7e88f954452a64c310ba4ae380 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Wed, 1 Oct 2014 14:59:46 -0400
Subject: [PATCH] Fixed KRA backend.

The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.

The KRA installer has been modified to use Dogtag's CLI to create
KRA agent and setup the client authentication.

The proxy settings have been updated to include KRA's URLs.

The certs.install_pem_from_p12() has been updated to generate the
proper client certificate using the -clcerts option and also take
a password file.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.

Ticket #4503
---
 install/conf/ipa-pki-proxy.conf  |   2 +-
 ipaplatform/base/paths.py|   4 +-
 ipaserver/install/cainstance.py  |   4 +-
 ipaserver/install/certs.py   |  10 ++--
 ipaserver/install/ipa_backup.py  |   3 +-
 ipaserver/install/krainstance.py |  83 ---
 ipaserver/plugins/dogtag.py  | 120 +--
 7 files changed, 100 insertions(+), 126 deletions(-)

diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 
2370b4d7a7467a7e47c0d223915e018c9a009e83..5d21156848f3b5ddf14c42d92a26a30a9f94af36
 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -19,7 +19,7 @@ ProxyRequests Off
 /LocationMatch
 
 # matches for agent port and eeca port
-LocationMatch 
^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/ca/rest/admin/kraconnector/remove
+LocationMatch 
^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/account|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/ca/rest/admin/kraconnector/remove
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient require
 ProxyPassMatch ajp://localhost:$DOGTAG_PORT
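Review bot: the new `^/kra/rest/account` alternative has no trailing anchor, so it also matches any longer path with that prefix (for example `/kra/rest/account/...`) and places it behind `NSSVerifyClient require`; that is the safe direction (more paths demand a client certificate), but confirm the KRA account endpoint is only ever reached with the agent certificate, since a client without one now gets a TLS client-auth failure rather than a normal response.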
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 
bbe6eed76ccb3c5f325fd368694ac6a2afbb72f0..01505594a7af926c860f867b817bd397c54efff5
 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -138,8 +138,8 @@ class BasePathNamespace(object):
 HOME_DIR = /home
 ROOT_IPA_CACHE = /root/.ipa_cache
 ROOT_PKI = /root/.pki
-DOGTAG_AGENT_P12 = /root/ca-agent.p12
-DOGTAG_AGENT_PEM = /etc/httpd/alias/agent.pem
+DOGTAG_ADMIN_P12 = /root/ca-agent.p12
+KRA_AGENT_PEM = /etc/httpd/alias/kra-agent.pem
 CACERT_P12 = /root/cacert.p12
 ROOT_IPA_CSR = /root/ipa.csr
 ROOT_TMP_CA_P12 = /root/tmp-ca.p12
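Review bot: `DOGTAG_AGENT_P12` is renamed to `DOGTAG_ADMIN_P12` but the file stays `/root/ca-agent.p12`, so the constant and the on-disk name now disagree; either rename the file as well or add a comment that this PKCS#12 holds the Dogtag admin credential despite its name. Since, per the commit message, it contains the admin private key and is usable against both CA and KRA, the comment should also note that it must remain readable by root only.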
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 
1ae39639ac9702651851e6c3964faa69788db31e..fe95201517a577b9f6dba7642afe09b4eef2328d
 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -514,7 +514,7 @@ class CAInstance(DogtagInstance):
  

Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type

2014-10-22 Thread Tomas Babej
Hi,

thank you for the patches, comments inline.


On 10/15/2014 02:20 PM, Petr Vobornik wrote:
 ticket: https://fedorahosted.org/freeipa/ticket/4221

 == [PATCH] 773 ranges: prohibit setting --rid-base with
 ipa-trust-ad-posix type ==

 We should not allow setting --rid-base for ranges of
 ipa-trust-ad-posix since we do not perform any RID - UID/GID mappings
 for these ranges (objects have UID/GID set in AD). Thus, setting RID
 base makes no sense.

 Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class,
 value '0' is allowed and used internally for 'ipa-trust-ad-posix'
 range type.

We probably don't want to display the first RID if it is 0 and the type
is ad-posix. This occurs in idrange-find:

[tbabej@vm-043 labtool]$ ipa idrange-find


2 ranges matched

  Range name: DOM043.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
  First Posix ID of the range: 51480
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range

  Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
  First Posix ID of the range: 1
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
  Range type: Active Directory trust range with POSIX attributes


Number of entries returned 2


And also idrange-show:

[tbabej@vm-043 labtool]$ ipa idrange-show 
TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
  Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
  First Posix ID of the range: 1
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
  Range type: Active Directory trust range with POSIX attributes



 No schema change is done.

 == [PATCH] 774 unittests: baserid for ipa-ad-trust-posix idranges ==

Looks good.


 == [PATCH] 775 ldapupdater: set baserid to 0 for ipa-ad-trust-posix
 ranges ==

Can you use the paged_search=True in find_entries instead of having an
infinite loop? It would make this code quite a bit cleaner.



 New updater plugin which sets baserid to 0 for ranges with type
 ipa-ad-trust-posix

 https://fedorahosted.org/freeipa/ticket/4221

 == [PATCH] 776 idrange: include raw range type in output ==

 iparangetype output is a localized human-readable value which is not
 suitable for machine-based API consumers

 Solved by new iparangetyperaw output attribute which contains
 iparangetype's raw value

 Note: I don't like this approach. It would be better to return just
 the raw value a do the transformation in clients. But we do have a
 precedent:
 http://www.redhat.com/archives/freeipa-devel/2012-January/msg00190.html

I am not happy about it either. I guess we could create a capability
for this, but it would probably be overkill.




 == [PATCH] 777 webui: prohibit setting rid base with
 ipa-trust-ad-posix type ==

 Base RID is no longer editable for ipa-trust-ad-posix range type

 Adder dialog:
 - Range type selector was moved up because it affects a field above it

 Details page:
 - Only fields relevant to range's type are visible


Looks fine.

On a related note, I added a new ticket
https://fedorahosted.org/freeipa/ticket/4661


-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 


[Freeipa-devel] [PATCH] 355 Added vault access control.

2014-10-22 Thread Endi Sukma Dewata

New LDAP ACIs have been added to allow users to create their own
private vault container, to allow owners to manage vaults and
containers, and to allow members to use the vaults. New CLIs have
been added to manage the owner and member list. For archive and
retrieve operations the access control has to be enforced by the
plugins because the operations only affects KRA. The LDAP schema
has been updated as well.

Ticket #3872

This patch depends on #353-2.

--
Endi S. Dewata
From ccbfa01f40e2ac4c978e5ef0f1fbe167f96793a2 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Fri, 17 Oct 2014 12:05:34 -0400
Subject: [PATCH] Added vault access control.

New LDAP ACIs have been added to allow users to create their own
private vault container, to allow owners to manage vaults and
containers, and to allow members to use the vaults. New CLIs have
been added to manage the owner and member list. For archive and
retrieve operations the access control has to be enforced by the
plugins because the operations only affects KRA. The LDAP schema
has been updated as well.

Ticket #3872
---
 API.txt | 134 +--
 VERSION |   4 +-
 install/share/60basev4.ldif |   4 +-
 install/updates/40-vault.update |   7 ++
 ipalib/plugins/vault.py | 233 +++-
 5 files changed, 366 insertions(+), 16 deletions(-)

diff --git a/API.txt b/API.txt
index 
cfa6558fcf678e5915a90407da517f9a591a41bf..a46592ec9e82e618154bf09393c83d4b854315c5
 100644
--- a/API.txt
+++ b/API.txt
@@ -4476,11 +4476,12 @@ output: Output('result', type 'bool', None)
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
 command: vault_add
-args: 1,8,3
+args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, 
required=False)
 option: Str('in?', cli_name='in')
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('parent', attribute=False, cli_name='parent', multivalue=False, 
required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Flag('rights', autofill=True, default=False)
@@ -4489,12 +4490,39 @@ option: Str('version?', exclude='webui')
 output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
+command: vault_add_member
+args: 1,7,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Str('parent?', cli_name='parent')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('version?', exclude='webui')
+output: Output('completed', type 'int', None)
+output: Output('failed', type 'dict', None)
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+command: vault_add_owner
+args: 1,7,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Str('parent?', cli_name='parent')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('version?', exclude='webui')
+output: Output('completed', type 'int', None)
+output: Output('failed', type 'dict', None)
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 command: vault_archive
-args: 1,10,3
+args: 1,11,3
 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: 
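Review bot: `vault_add_member` and `vault_add_owner` take `parent?` but not the `in?` option that `vault_add` and `vault_archive` accept, so a vault in a container addressed via `--in` would not be reachable by the membership commands; either add `in?` for consistency or explain why the membership commands do not need it. The hunk is cut off at `option:` in the archive, so the remaining `vault_archive` options cannot be checked here.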

Re: [Freeipa-devel] [PATCH] 353 Added initial vault implementation.

2014-10-22 Thread Endi Sukma Dewata

On 10/16/2014 4:12 PM, Endi Sukma Dewata wrote:

On 10/15/2014 10:59 PM, Endi Sukma Dewata wrote:

The NSSConnection class has to be modified not to shutdown existing
database because some of the vault clients (e.g. vault-archive and
vault-retrieve) also use a database to encrypt/decrypt the secret.


The problem is described in more detail in this ticket:
https://fedorahosted.org/freeipa/ticket/4638

The changes to the NSSConnection in the first patch caused the
installation to fail. Attached is a new patch that uses the solution
proposed by jdennis.


New patch attached. It's now using the correct OID's for the schema. It 
also has been rebased on top of #352-1 and #354.


--
Endi S. Dewata
From 2284f5684149e9fdfb7cde13865fe28e265ff5a3 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Tue, 21 Oct 2014 10:57:08 -0400
Subject: [PATCH] Added initial vault implementation.

This patch provides the initial vault implementation which allows
the admin to create a vault, archive a secret, and retrieve the
secret using a standard vault. It also included the initial LDAP
schema.

It currently has limitations including:
 - The vault only supports the standard vault type.
 - The vault can only be used by the admin user.
 - The transport certificate has to be installed manually.

These limitations, other vault features, schema and ACL changes will
be addressed in subsequent patches.

Ticket #3872
---
 API.txt| 160 
 VERSION|   4 +-
 install/share/60basev4.ldif|   3 +
 install/share/Makefile.am  |   1 +
 install/share/copy-schema-to-ca.py |   1 +
 install/updates/40-vault.update|  27 ++
 install/updates/Makefile.am|   1 +
 ipa-client/man/default.conf.5  |   1 +
 ipalib/constants.py|   1 +
 ipalib/plugins/user.py |   9 +
 ipalib/plugins/vault.py| 724 +
 ipaserver/install/dsinstance.py|   1 +
 12 files changed, 931 insertions(+), 2 deletions(-)
 create mode 100644 install/share/60basev4.ldif
 create mode 100644 install/updates/40-vault.update
 create mode 100644 ipalib/plugins/vault.py

diff --git a/API.txt b/API.txt
index 
491d7a76fd1d2d50208d314d1600839ce295..cfa6558fcf678e5915a90407da517f9a591a41bf
 100644
--- a/API.txt
+++ b/API.txt
@@ -4475,6 +4475,166 @@ option: Str('version?', exclude='webui')
 output: Output('result', type 'bool', None)
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
+command: vault_add
+args: 1,8,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('description', attribute=True, cli_name='desc', multivalue=False, 
required=False)
+option: Str('in?', cli_name='in')
+option: Str('parent', attribute=False, cli_name='parent', multivalue=False, 
required=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Flag('rights', autofill=True, default=False)
+option: Bytes('secret', attribute=True, cli_name='secret', multivalue=False, 
required=False)
+option: Str('version?', exclude='webui')
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (type 'unicode', type 'NoneType'), None)
+output: PrimaryKey('value', None, None)
+command: vault_archive
+args: 1,10,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Bytes('encrypted_data?', cli_name='encrypted_data')
+option: Str('in?', cli_name='in')
+option: Bytes('nonce?', cli_name='nonce')
+option: Str('parent?', cli_name='parent')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Flag('rights', autofill=True, default=False)
+option: Bytes('secret?', cli_name='secret')
+option: Str('version?', exclude='webui')
+option: Bytes('wrapped_session_key?', cli_name='wrapped_session_key')
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (type 'unicode', type 'NoneType'), None)
+output: PrimaryKey('value', None, None)
+command: vault_del
+args: 1,3,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=True, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
+option: Flag('continue', autofill=True, cli_name='continue', default=False)
+option: Str('parent?', 
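Review bot: in the vault_add entry, `Bytes('secret', attribute=True, cli_name='secret', ...)` flags the plaintext secret as an LDAP attribute, while vault_archive declares `secret?` next to `encrypted_data?`, `nonce?` and `wrapped_session_key?` with no attribute flag. If the plaintext is meant to stay on the client and only the wrapped form reach the server, `attribute=True` invites it being mapped straight onto the entry; please make vault_add consistent with vault_archive, or document why the plaintext is stored.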

[Freeipa-devel] [PATCH] 356 Added command to retrieve vault transport certificate.

2014-10-22 Thread Endi Sukma Dewata

A new command has been added to retrieve the vault transport
certificate and optionally save it into a file. The vault archive
and retrieve commands have been modified to retrieve the transport
certificate and store it locally for subsequent usage. This way
it's no longer necessary to manually import the transport
certificate into the client's NSS database.

Ticket #3872

This patch depends on #355.

--
Endi S. Dewata
From abeda85904f7247f1f0d679a71a7094bb2cefe0c Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Wed, 22 Oct 2014 10:02:25 -0400
Subject: [PATCH] Added command to retrieve vault transport certificate.

A new command has been added to retrieve the vault transport
certificate and optionally save it into a file. The vault archive
and retrieve commands have been modified to retrieve the transport
certificate and store it locally for subsequent usage. This way
it's no longer necessary to manually import the transport
certificate into the client's NSS database.

Ticket #3872
---
 API.txt |  5 +++
 VERSION |  4 +--
 ipalib/plugins/vault.py | 85 +++--
 3 files changed, 89 insertions(+), 5 deletions(-)

diff --git a/API.txt b/API.txt
index 
a46592ec9e82e618154bf09393c83d4b854315c5..95b86ce84f5bc9f1d879e561e07b0348d719c90e
 100644
--- a/API.txt
+++ b/API.txt
@@ -4629,6 +4629,11 @@ option: Str('version?', exclude='webui')
 output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
+command: vault_transport_cert
+args: 0,2,1
+option: Str('out?', cli_name='out')
+option: Str('version?', exclude='webui')
+output: Output('result', None, None)
 command: vaultcontainer_add
 args: 1,8,3
 arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, required=True)
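Review bot: `output: Output('result', None, None)` for vault_transport_cert leaves the result untyped, whereas the neighbouring commands declare `Entry('result', type 'dict', ...)`. The plugin returns a dict with a single 'certificate' key, so declaring the type here lets the framework validate the response shape before the client writes it to a file.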
diff --git a/VERSION b/VERSION
index 
c471ed80af6a2c26be7fc89281ae60fac6c68577..d0ada131b700e93faa8c4946b811db36d76341a9
 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=110
-# Last change: edewata - added vault access control
+IPA_API_VERSION_MINOR=111
+# Last change: edewata - added vault transport certificate
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 
95f96859235af1c477c8f5738a27571d64aabe3a..871c3e3a25c688a64ba0ecfde5ccbd50b47fbe01
 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -24,6 +24,8 @@ import shutil
 import string
 import tempfile
 
+import nss.nss as nss
+
 import pki
 import pki.account
 import pki.crypto
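Review bot: `import nss.nss as nss` is added, but nothing in the visible hunks references `nss`. If it is only needed by the truncated vault_archive change that replaces `crypto.get_cert(transport_cert_nickname)`, fine; otherwise drop the unused import.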
@@ -109,7 +111,7 @@ EXAMPLES:
 )
 
 register = Registry()
-transport_cert_nickname = KRA Transport Certificate
+transport_cert_filename = vault-transport.pem
 
 @register()
 class vaultcontainer(LDAPObject):
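Review bot: `transport_cert_filename = vault-transport.pem` (the quotes appear lost in extraction) is a bare relative name, so the cached transport certificate is written to, and later read back from, whatever directory the CLI happens to run in. That file decides which public key secrets are wrapped under, so it is the client's trust anchor: a stale or tampered copy in the working directory silently redirects wrapping. Suggest a fixed per-user location and verifying the cached certificate against the IPA CA chain before each use, rather than trusting whatever is on disk.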
@@ -628,6 +630,63 @@ class vault_show(LDAPRetrieve):
 
 
 @register()
+class vault_transport_cert(Command):
+__doc__ = _('Retrieve vault transport certificate.')
+
+
+# list of attributes we want exported to JSON
+json_friendly_attributes = (
+'takes_args',
+)
+
+takes_options = (
+Str('out?',
+cli_name='out',
+doc=_('Output file to store the transport certificate'),
+),
+)
+
+has_output_params = (
+Str('certificate',
+label=_('Certificate'),
+),
+)
+
+def __json__(self):
+json_dict = dict(
+(a, getattr(self, a)) for a in self.json_friendly_attributes
+)
+json_dict['takes_options'] = list(self.get_json_options())
+return json_dict
+
+def execute(self, *args, **options):
+
+kra_client = api.Backend.kra.get_client()
+transport_cert = kra_client.system_certs.get_transport_cert()
+return {
+'result': {
+'certificate': transport_cert.encoded
+}
+}
+
+def forward(self, *args, **options):
+
+file = options.get('out')
+
+# don't send these parameters to server
+if 'out' in options:
+del options['out']
+
+response = super(vault_transport_cert, self).forward(*args, **options)
+
+if file:
+with open(file, 'w') as f:
+f.write(response['result']['certificate'])
+
+return response
+
+
+@register()
 class vault_archive(LDAPRetrieve):
 __doc__ = _('Archive a secret into a vault.')
 
@@ -743,7 +802,17 @@ class vault_archive(LDAPRetrieve):
 
 nonce = crypto.generate_nonce_iv()
 session_key = crypto.generate_session_key()
-nss_transport_cert = crypto.get_cert(transport_cert_nickname)
+
+