Re: [Freeipa-devel] [PATCH 0070] install: Run all validators at once.

2015-12-07 Thread Jan Cholasta

On 8.12.2015 07:51, David Kupka wrote:

On 07/12/15 14:05, David Kupka wrote:

Running validators after all Knobs are set allows the use of other Knob
values during validation.


Updated patch attached.


Works for me, ACK.

Pushed to master: 2c5a662fd80f7152834dfebf45628d3a7b8a68bf

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0070] install: Run all validators at once.

2015-12-07 Thread David Kupka

On 07/12/15 14:05, David Kupka wrote:

Running validators after all Knobs are set allows the use of other Knob
values during validation.


Updated patch attached.

--
David Kupka
From 7f18ac0d8b78ea08ed797ceb9393c6b3121b734d Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Mon, 7 Dec 2015 13:35:49 +0100
Subject: [PATCH] install: Run all validators at once.

---
 ipapython/install/core.py | 31 +++
 1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/ipapython/install/core.py b/ipapython/install/core.py
index 8e3ba58021adba263eb038c5cb70603e4e8c9352..2f62b8568fea129255e42b404789fd29b70dca7c 100644
--- a/ipapython/install/core.py
+++ b/ipapython/install/core.py
@@ -118,16 +118,6 @@ class KnobBase(PropertyBase):
 def __init__(self, outer):
 self.outer = outer
 
-def __set__(self, obj, value):
-try:
-self.validate(value)
-except KnobValueError:
-raise
-except ValueError as e:
-raise KnobValueError(self.__outer_name__, str(e))
-
-super(KnobBase, self).__set__(obj, value)
-
 def validate(self, value):
 pass
 
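Review bot: with __set__ removed from KnobBase, assigning a knob through the descriptor no longer runs validate(), so a value set after Configurable.__init__ has finished, or set by any other code path calling setattr, is accepted unchecked; if validation is now meant to happen exactly once at construction, say so in the class docstring, otherwise keep a validating __set__ as well and move the KnobValueError wrapping into one helper used by both places.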
@@ -253,8 +243,25 @@ class Configurable(six.with_metaclass(abc.ABCMeta, object)):
 except KeyError:
 pass
 else:
-prop = prop_cls(self)
-prop.__set__(self, value)
+setattr(self, name, value)
+
+for owner_cls, name in cls.knobs():
+if name.startswith('_'):
+continue
+if not isinstance(self, owner_cls):
+continue
+value = getattr(self, name, None)
+if value is None:
+continue
+
+prop_cls = getattr(owner_cls, name)
+prop = prop_cls(self)
+try:
+prop.validate(value)
+except KnobValueError:
+raise
+except ValueError as e:
+raise KnobValueError(name, str(e))
 
 if kwargs:
 extra = sorted(kwargs)
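Review bot: the new validation loop skips every knob whose value is None ("if value is None: continue"), so a validator can never reject a missing value and a knob that is required only in combination with another one cannot be enforced here; consider passing None through to prop.validate() and letting the validator decide, or document that validators only see explicitly set values. Also, the loop runs before the "if kwargs:" check for unknown options, so a typo in an option name is reported only after all validators pass; checking for leftover kwargs first gives the user the more useful error.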
-- 
2.5.0

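The deferred-validation design this patch introduces, reduced to a stand-alone Python 3 example. This is added here and is not FreeIPA's ipapython.install.core (whose Knob/Configurable classes and knobs() signature are only partly visible in the hunks above): values are stored first, then every validator runs in a second pass, so a validator may read another knob of the same object regardless of the order in which the options were passed. The ReplicaOptions class, its domain/server knobs and the two validators are constructed for the example.

```python
class KnobValueError(ValueError):
    """Raised when a knob's validator rejects a value; carries the knob name."""

    def __init__(self, name, message):
        super().__init__("%s: %s" % (name, message))
        self.name = name
        self.message = message


class Knob:
    """A configuration option stored on the instance; validation is deferred.

    `validator` is a callable (obj, value) that raises ValueError on bad input.
    """

    def __init__(self, validator=None, default=None):
        self.validator = validator
        self.default = default
        self.name = None

    def __set_name__(self, owner, name):
        self.name = name

    def __get__(self, obj, objtype=None):
        if obj is None:
            return self
        return obj.__dict__.get(self.name, self.default)

    def __set__(self, obj, value):
        # Store only. Validation runs once every knob has its value, so a
        # validator may safely read other knobs of the same object.
        obj.__dict__[self.name] = value

    def validate(self, obj, value):
        if self.validator is not None:
            self.validator(obj, value)


class Configurable:
    """Collects Knob values from keyword arguments, then validates them all."""

    @classmethod
    def knobs(cls):
        seen = set()
        for klass in reversed(cls.__mro__):  # base-class knobs first
            for name, attr in vars(klass).items():
                if isinstance(attr, Knob) and name not in seen:
                    seen.add(name)
                    yield name, attr

    def __init__(self, **kwargs):
        # Pass 1: set every supplied knob without validating.
        for name, _knob in self.knobs():
            if name in kwargs:
                setattr(self, name, kwargs.pop(name))
        if kwargs:
            raise TypeError("unknown options: %s" % ", ".join(sorted(kwargs)))
        # Pass 2: validate. Like the patch, knobs left at None are skipped,
        # so a validator that needs another knob must check for None itself.
        for name, knob in self.knobs():
            value = getattr(self, name)
            if value is None:
                continue
            try:
                knob.validate(self, value)
            except KnobValueError:
                raise
            except ValueError as e:
                raise KnobValueError(name, str(e))


def _check_domain(obj, value):
    if "." not in value.strip("."):
        raise ValueError("'%s' is not a fully qualified domain name" % value)


def _check_server(obj, value):
    # Cross-knob check: only possible because `domain` is already set.
    if obj.domain is None:
        raise ValueError("--server requires --domain")
    domain = obj.domain.lower().strip(".")
    if not value.lower().rstrip(".").endswith("." + domain):
        raise ValueError("server '%s' is not in domain '%s'" % (value, obj.domain))


class ReplicaOptions(Configurable):
    """Constructed stand-in for an installer option set (hypothetical knob names)."""
    domain = Knob(validator=_check_domain)
    server = Knob(validator=_check_server)


def validation_error(**options):
    """Return the name of the knob whose validator rejected `options`, or None."""
    try:
        ReplicaOptions(**options)
    except KnobValueError as e:
        return e.name
    return None


if __name__ == "__main__":
    print(validation_error(server="r1.example.test", domain="example.test"))
    print(validation_error(domain="example.test", server="r1.other.test"))
    print(validation_error(server="r1.example.test"))
```

The second pass iterates knobs in class order, not keyword order, so `ReplicaOptions(server=..., domain=...)` validates the same way as `ReplicaOptions(domain=..., server=...)`; with per-assignment validation in `__set__`, the first spelling would have failed because `domain` was still unset when `server` was checked.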

Re: [Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

2015-12-07 Thread Jan Cholasta

On 7.12.2015 16:43, Martin Kosek wrote:

On 12/07/2015 02:17 PM, Tomas Babej wrote:



On 12/04/2015 08:22 PM, Rob Crittenden wrote:

Martin Kosek wrote:

On 12/04/2015 07:17 PM, Tomas Babej wrote:

Hi,

Avoids failing in the later stages during the ipa-client-install
command.

Tomas


Is this change needed? Wouldn't it be better to update
ipa-client-install or ipa-replica-install to not require the --domain
option? I would hope that --domain can be figured out during
installation and not passed to ipa-replica-install manually by the admin.

I just think that calling
# ipa-replica-install --server=master.example.com
is better than
# ipa-replica-install --server=master.example.com --domain example.com
if possible.


IIRC this is for service discovery when using a specific server and not
LDAP. This is the domain used to search for the kerberos realm, for
example.

That isn't to say this isn't discoverable but it would require another
function in discovery to query what the IPA domain is from the given
master but it gets tricky if anonymous search is disabled, for example.

rob



Needed or not, this is the behaviour that ipa-client-install has now.
Adding a domain detection method would be an RFE for ipa-client-install
(and imho not something we should be adding at this point).

This patch only focuses on making the ipa-replica-install work more
smoothly.


I am just thinking that client promotion (ipa-replica-install) and
ipa-client-install are a bit different use cases. ipa-client-install is
typically run with auto-discovery, so you do not use the --server option much,
while with ipa-replica-install you want to make sure you have the expected
topology and should use --server all the time without gambling on it.

But I do not think it has to be there since 4.3 GA, can you please file a
ticket for this gap?


I would rather do it now, because the change from optional to mandatory 
is backward incompatible. (We don't want to break users' scripts, right?)


--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

2015-12-07 Thread Petr Spacek
On 7.12.2015 14:41, David Kupka wrote:
> +def is_host_resolvable(fqdn):
> +if not isinstance(fqdn, DNSName):
> +fqdn = DNSName(fqdn)
> +for rdtype in (rdatatype.A, rdatatype.):
> +try:
> +resolver.query(fqdn.make_absolute(), rdtype)
> +except DNSException:
> +continue
> +else:
> +return True
> +
> +return False
>  
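Review bot: is_host_resolvable() treats every DNSException as "not resolvable", so a resolver timeout, SERVFAIL or unreachable nameserver during installation is indistinguishable from NXDOMAIN and the caller would go ahead and add the zone; catch dns.resolver.NXDOMAIN and dns.resolver.NoAnswer as the "not resolvable" case and let transport failures (dns.exception.Timeout, dns.resolver.NoNameservers) propagate or be reported, so a flaky resolver does not silently change what the installer does.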

NACK, you are re-introducing a duplicate function which was removed in
498471e4aed1367b72cd74d15811d0584a6ee268.

Please amend the patch ASAP to use the new verify_host_resolvable() function so I
can test it and get it into 4.3.

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

2015-12-07 Thread Martin Kosek
On 12/08/2015 07:57 AM, Jan Cholasta wrote:
> On 7.12.2015 16:43, Martin Kosek wrote:
>> On 12/07/2015 02:17 PM, Tomas Babej wrote:
>>>
>>>
>>> On 12/04/2015 08:22 PM, Rob Crittenden wrote:
 Martin Kosek wrote:
> On 12/04/2015 07:17 PM, Tomas Babej wrote:
>> Hi,
>>
>> Avoids failing in the later stages during the ipa-client-install
>> command.
>>
>> Tomas
>
> Is this change needed? Wouldn't it be better to update
> ipa-client-install or ipa-replica-install to not require the --domain
> option? I would hope that --domain can be figured out during
> installation and not passed to ipa-replica-install manually by the admin.
>
> I just think that calling
> # ipa-replica-install --server=master.example.com
> is better than
> # ipa-replica-install --server=master.example.com --domain example.com
> if possible.

 IIRC this is for service discovery when using a specific server and not
 LDAP. This is the domain used to search for the kerberos realm, for
 example.

 That isn't to say this isn't discoverable but it would require another
 function in discovery to query what the IPA domain is from the given
 master but it gets tricky if anonymous search is disabled, for example.

 rob

>>>
>>> Needed or not, this is the behaviour that ipa-client-install has now.
>>> Adding a domain detection method would be an RFE for ipa-client-install
>>> (and imho not something we should be adding at this point).
>>>
>>> This patch only focuses on making the ipa-replica-install work more
>>> smoothly.
>>
>> I am just thinking that client promotion (ipa-replica-install) and
>> ipa-client-install are a bit different use cases. ipa-client-install is
>> typically run with auto-discovery, so you do not use the --server option
>> much, while with ipa-replica-install you want to make sure you have the
>> expected topology and should use --server all the time without gambling
>> on it.
>>
>> But I do not think it has to be there since 4.3 GA, can you please file a
>> ticket for this gap?
> 
> I would rather do it now, because the change from optional to mandatory is
> backward incompatible. (We don't want to break users' scripts, right?)

I think it is the other way around - with the change I was suggesting
(autodetecting --domain option instead of always requesting it, as in Tomas'
patch which we can merge if my proposal is not doable for 4.3 GA).



Re: [Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

2015-12-07 Thread Jan Cholasta

On 7.12.2015 21:11, Martin Basti wrote:



On 07.12.2015 08:21, Jan Cholasta wrote:

On 2.12.2015 16:23, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Note that you still have to provide admin password in
ipa-replica-install, either using --admin-password or interactively,
because:

a) Admin password is required for replica promotion. This will be fixed
with .

Patches are on the list:
.



Pushed.




b) Admin password is required for connection check. This will be fixed
with .


Martin Basti pointed out that admin password should not be asked
interactively during OTP replica promotion. Fixed.

Updated and rebased patch attached.





1)
[root@vm-058-138 ~]# ipa-replica-install --server
vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain
abc.idm.lab.eng.brq.redhat.com --password=bubak  --setup-ca
Configuring client side components
Password for ad...@abc.idm.lab.eng.brq.redhat.com:

IMO the password should be asked for first, before any installation begins (IMO
this is for conncheck)


The same thing happens without my patch. Could you file a ticket?



2)
When the host is not in the ipaservers hostgroup. Also I would expect a different
error message
ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com
--domain abc.idm.lab.eng.brq.redhat.com --password=bubak  --setup-ca
--skip-conncheck


 step()
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 352, in 
 step = lambda: next(self.__gen)
   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 81, in run_generator_with_yield_from
 six.reraise(*exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 59, in run_generator_with_yield_from
 value = gen.send(prev_value)
   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
line 63, in _install
 for nothing in self._installer(self.parent):
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 1507, in main
 promote_check(self)
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 374, in decorated
 func(installer)
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 1002, in promote_check
 conn.connect(ccache=installer._ccache)
   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66,
in connect
 conn = self.create_connection(*args, **kw)
   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py",
line 199, in create_connection
 principal = krb_utils.get_principal(ccache_name=ccache)
   File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line
184, in get_principal
 raise errors.CCacheError(message=unicode(e))

2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed,
exception: CCacheError: Major (851968): Unspecified GSS failure. Minor
code may provide more information, Minor (2529639053): No Kerberos
credentials available
2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure.
Minor code may provide more information, Minor (2529639053): No Kerberos
credentials available


Fixed.




3)
This case is not handled very well:
a) install client with OTP password
b) install replica with the same OTP password (when host is not in
ipaservers group; if host is in ipaservers group it works)

ipa.ipapython.install.cli.install_tool(Replica): ERRORMajor
(851968): Unspecified GSS failure.  Minor code may provide more
information, Minor (2529639053): No Kerberos credentials available
ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
ipa-replica-install command failed. See /var/log/ipareplica-install.log
for more information


This is the same as 2).



4)
This is not user friendly
I used a wrong OTP password, can we somehow propagate the actual error
from client install to stderr?

ipa.ipapython.install.cli.install_tool(Replica): ERROR Configuration of
client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
'--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com' '--server'
'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password' 'buba''
returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
ipa-replica-install command failed. See /var/log/ipareplica-install.log
for more information


The same thing happens without my patch for any other error. Could you 
file a ticket?


Updated patch attached.

--
Jan Cholasta
From 6652e17c952405c5cfcd21ac5aed07e40a1d3284 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 2 Dec 2015 15:57:59 +0100
Subject: [PATCH] replica promotion: allow OTP bulk client enrollment

https://fedorahosted.org/freeipa/ticket/5498
---
 

Re: [Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

2015-12-07 Thread Jan Cholasta

On 8.12.2015 08:23, Martin Kosek wrote:

On 12/08/2015 07:57 AM, Jan Cholasta wrote:

On 7.12.2015 16:43, Martin Kosek wrote:

On 12/07/2015 02:17 PM, Tomas Babej wrote:



On 12/04/2015 08:22 PM, Rob Crittenden wrote:

Martin Kosek wrote:

On 12/04/2015 07:17 PM, Tomas Babej wrote:

Hi,

Avoids failing in the later stages during the ipa-client-install
command.

Tomas


Is this change needed? Wouldn't it be better to update
ipa-client-install or ipa-replica-install to not require the --domain
option? I would hope that --domain can be figured out during
installation and not passed to ipa-replica-install manually by the admin.

I just think that calling
# ipa-replica-install --server=master.example.com
is better than
# ipa-replica-install --server=master.example.com --domain example.com
if possible.


IIRC this is for service discovery when using a specific server and not
LDAP. This is the domain used to search for the kerberos realm, for
example.

That isn't to say this isn't discoverable but it would require another
function in discovery to query what the IPA domain is from the given
master but it gets tricky if anonymous search is disabled, for example.

rob



Needed or not, this is the behaviour that ipa-client-install has now.
Adding a domain detection method would be an RFE for ipa-client-install
(and imho not something we should be adding at this point).

This patch only focuses on making the ipa-replica-install work more
smoothly.


I am just thinking that client promotion (ipa-replica-install) and
ipa-client-install are a bit different use cases. ipa-client-install is
typically run with auto-discovery, so you do not use the --server option much,
while with ipa-replica-install you want to make sure you have the expected
topology and should use --server all the time without gambling on it.

But I do not think it has to be there since 4.3 GA, can you please file a
ticket for this gap?


I would rather do it now, because the change from optional to mandatory is
backward incompatible. (We don't want to break users' scripts, right?)


I think it is the other way around - with the change I was suggesting
(autodetecting --domain option instead of always requesting it, as in Tomas'
patch which we can merge if my proposal is not doable for 4.3 GA).



"with ipa-replica-install, you want to make sure you have the expected 
topology and should use --server all the time" sounds like you want to 
make --server mandatory for ipa-replica-install, which should be done 
either before 4.3 GA or never.


--
Jan Cholasta



Re: [Freeipa-devel] You cannot specify '--admin-password' option(s) with replica file

2015-12-07 Thread Tomas Babej


On 12/07/2015 10:36 AM, Oleg Fayans wrote:
> This is an error message that I received at the attempt to install
> replica with the following command:
> 
> ipa-replica-install --setup-ca -p  -w 
> /var/lib/ipa/replica-info-replica2.justfor.test.gpg
> 
> However, if I remove the '-w ', then I get the password
> prompt for admin password interactively. The domain level is 0. The
> packages are built last Friday from upstream code.
> 

This is a legitimate issue, can you file a ticket?

Thanks,
Tomas



Re: [Freeipa-devel] [PATCH 0393] replicainstall: Admin password should not conflict with

2015-12-07 Thread Tomas Babej


On 12/07/2015 02:33 PM, Tomas Babej wrote:
> Hi,
> 
> The --admin-password (-w) has its use both in domain level 0 and 1.
> 
> https://fedorahosted.org/freeipa/ticket/5517
> 
> 
> 

ACK.
Pushed to master: dcb6626e870bcededb62d801720721d5d6c9795f



Re: [Freeipa-devel] [PATCH 0372] CI: installation tests

2015-12-07 Thread Oleg Fayans
Hi,

On 12/07/2015 02:37 PM, Martin Basti wrote:
> 
> 
> On 07.12.2015 14:32, Martin Basti wrote:
>>
>>
>> On 07.12.2015 13:24, Oleg Fayans wrote:
>>> Hi Martin,
>>>
>>> I would prefer both install_kra and install_ca methods to have
>>> raiseonerr parameter set to True by default. We need a way to test
>>> negatives and analyze results.
>>> Mine looks like this:
>>>
>>> def install_kra(host, domain_level=None,
>>>                 first_instance=False, raiseonerr=True):
>>>     if not domain_level:
>>>         domain_level = host.config.domain_level
>>>     command = ["ipa-kra-install", "-U", "-p",
>>>                host.config.dirman_password]
>>>     if domain_level == DOMAIN_LEVEL_0 and not first_instance:
>>>         replica_file = get_replica_filename(host)
>>>         command.append(replica_file)
>>>     return host.run_command(command, raiseonerr=raiseonerr)
>>>
>>> The rest looks good to me, but I did not run the tests yet.
>> Sounds good, I will amend the patch later.
> 
> I changed my mind, shouldn't the domain_level value be taken from
> the function domainlevel(host)?

We should have a way to test negatives, like providing a replica file at
domain level=1 and not providing one at domain level=0. So these functions
should either accept the replica file as a parameter, or an arbitrary domain level.

> Martin^2
> 
>>
>>>
>>> On 12/06/2015 10:22 PM, Martin Basti wrote:
 My favorite today \o/ --> 67 <-- \o/ test cases, no more manual testing
 of installers \o/.

 Test suite contains: 6 combinations of how to install components on a replica
 X 4 combinations of server installation + 3 extra server tests

 To save time tests install 1 master and 3 replicas per test class
 (except extra server tests):
 Class name specifies what is installed on master.

 Remember, option "-k" is your friend
 $ ipa-run-tests -k ''
 otherwise you will need a lot of time until tests finish.

 To list all tests:
 $ ipa-run-tests test_integration/test_installation.py --collect-only


 Patch attached; it needs all the patches I sent today and also the
 attached workaround patch (Martin3 will provide a proper fix)

 I haven't had time/mood/resources to test this patch with domain level
 0, so testing this patch with domain level 0 is appreciated.


 Oleg, I added some methods to tasks.py which you may want to reuse.

 Martin^2

>>
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

2015-12-07 Thread Martin Kosek
On 12/07/2015 02:17 PM, Tomas Babej wrote:
> 
> 
> On 12/04/2015 08:22 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 12/04/2015 07:17 PM, Tomas Babej wrote:
 Hi,

 Avoids failing in the later stages during the ipa-client-install
 command.

 Tomas
>>>
>>> Is this change needed? Wouldn't it be better to update
>>> ipa-client-install or ipa-replica-install to not require the --domain
>>> option? I would hope that --domain can be figured out during
>>> installation and not passed to ipa-replica-install manually by the admin.
>>>
>>> I just think that calling
>>> # ipa-replica-install --server=master.example.com
>>> is better than
>>> # ipa-replica-install --server=master.example.com --domain example.com
>>> if possible.
>>
>> IIRC this is for service discovery when using a specific server and not
>> LDAP. This is the domain used to search for the kerberos realm, for
>> example.
>>
>> That isn't to say this isn't discoverable but it would require another
>> function in discovery to query what the IPA domain is from the given
>> master but it gets tricky if anonymous search is disabled, for example.
>>
>> rob
>>
> 
> Needed or not, this is the behaviour that ipa-client-install has now.
> Adding a domain detection method would be an RFE for ipa-client-install
> (and imho not something we should be adding at this point).
> 
> This patch only focuses on making the ipa-replica-install work more
> smoothly.

I am just thinking that client promotion (ipa-replica-install) and
ipa-client-install are a bit different use cases. ipa-client-install is
typically run with auto-discovery, so you do not use the --server option much,
while with ipa-replica-install you want to make sure you have the expected
topology and should use --server all the time without gambling on it.

But I do not think it has to be there since 4.3 GA, can you please file a
ticket for this gap?



Re: [Freeipa-devel] [PATCH 0370] CI: test various topologies with 3 replicas

2015-12-07 Thread Martin Basti



On 07.12.2015 15:55, Oleg Fayans wrote:

ACK

On 12/06/2015 10:01 PM, Martin Basti wrote:

Patch attached; to work properly it requires all the patches I sent today +
the attached workaround patch (Martin3 will provide a proper fix).

The last two tests are failing due to a bug in the test framework
(ipa-replica-manage should not be used with domain level 1)

Martin^2

Pushed to master: bee222372aef6d8dbc353458392efc6b0ad225ea



[Freeipa-devel] [PATCH 0026] Workarounds for SELinux execmem violations in cryptography

2015-12-07 Thread Christian Heimes
The patch fixes SELinux violations in Fedora 23.

Background: Recent versions of cryptography cause an SELinux violation
which leads to a segfault, see
https://bugzilla.redhat.com/show_bug.cgi?id=1277224 . The segfault only
occurs in the context of Apache HTTPD (FreeIPA web UI) when
cryptography.hazmat.backends.default_backend() is initialized. I'm
working on a fix for cryptography but it will take a while. First I have
to wait for a new upstream release of python-cffi. Armin Ronacher plans
to release cffi 1.4 in two weeks.


ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
pki.client no longer tries to use PyOpenSSL instead of Python's ssl
module.

Some dependencies like Dogtag's pki.client library and custodia use
python-requests to make HTTPS connections. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
of python-cryptography, which triggers an execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import the pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
A hack in wsgi.py prevents the import by raising an ImportError.
From 5ac052f085c74f058703c5da29d59849c11e571f Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 3 Dec 2015 14:26:19 +0100
Subject: [PATCH 26/26] Workarounds for SELinux execmem violations in
 cryptography

ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
pki.client no longer tries to use PyOpenSSL instead of Python's ssl
module.

Some dependencies like Dogtag's pki.client library and custodia use
python-requests to make HTTPS connections. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
of python-cryptography, which triggers an execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import the pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
A hack in wsgi.py prevents the import by raising an ImportError.
---
 freeipa.spec.in   |  2 ++
 install/share/wsgi.py | 14 ++
 ipaserver/dcerpc.py   | 32 +++-
 3 files changed, 39 insertions(+), 9 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index a60d9b63f363773b6ca1b0969fa56b369a94092f..4fe8a911f0ae08882287bfea262064f5a2386ec1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -66,6 +66,7 @@ BuildRequires:  python-ldap
 BuildRequires:  python-setuptools
 BuildRequires:  python-nss
 BuildRequires:  python-cryptography
+BuildRequires:  m2crypto
 BuildRequires:  python-netaddr
 BuildRequires:  python-gssapi >= 1.1.2
 BuildRequires:  python-rhsm
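Review bot: BuildRequires: m2crypto is added unconditionally, but the commit message limits the M2Crypto code path to Python 2.7; guard it with a Python-2 conditional (or state why the build needs it even for a Python 3 build) so the dependency does not leak into a py3-only build.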
@@ -322,6 +323,7 @@ Requires: keyutils
 Requires: pyOpenSSL
 Requires: python-nss >= 0.16
 Requires: python-cryptography
+Requires: m2crypto
 Requires: python-lxml
 Requires: python-netaddr
 Requires: python-libipa_hbac
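Review bot: Requires: m2crypto is unconditional while Requires: pyOpenSSL stays in place; since the whole point of the change is that importing PyOpenSSL under httpd trips httpd_execmem, say whether pyOpenSSL is still needed at runtime, and restrict the m2crypto requirement to Python 2 to match the commit message ("uses M2Crypto again on Python 2.7").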
diff --git a/install/share/wsgi.py b/install/share/wsgi.py
index ee9311e4eab8b95b5143170469cac7dc0b8b8e5e..ba42c343228da21f8e2ae9ea717450bada93359d 100644
--- a/install/share/wsgi.py
+++ b/install/share/wsgi.py
@@ -23,6 +23,20 @@
 """
 WSGI appliction for IPA server.
 """
+import sys
+
+# Some dependencies like Dogtag's pki.client library and custodia use
+# python-requsts to make HTTPS connection. python-requests prefers
+# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
+# of python-cryptography which trigger a execmem SELinux violation
+# in the context of Apache HTTPD (httpd_execmem).
+# When requests is imported, it always tries to import pyopenssl glue
+# code from urllib3's contrib directory. The import of PyOpenSSL is
+# enough to trigger the SELinux denial.
+# This hack prevents the import by raising an ImportError.
+
+sys.modules['request.packages.urllib3.contrib.pyopenssl'] = None
+
 from ipalib import api
 from ipalib.config import Env
 from ipalib.constants import DEFAULT_CONFIG
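Review bot: the sentinel key on the sys.modules line is misspelled: it names 'request.packages.urllib3.contrib.pyopenssl', but the package is 'requests', so the import of requests.packages.urllib3.contrib.pyopenssl is never blocked and the workaround has no effect; change it to sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None and add a check (a unit test, or an assertion at WSGI start-up) that importing that name really raises ImportError, since the exact path depends on how requests vendors urllib3. The new comment block also carries over the typos from the commit message ("python-requsts", "is build on top", "which trigger a execmem").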
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 2e412861ebc265a9b07c8634068151181a3e9b9e..15d8e192e397868a0bf623d8a23c4a2489126bcb 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -42,8 +42,6 @@ from samba.ndr import ndr_pack, ndr_print
 from samba import net
 import samba
 import random
-from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
-from cryptography.hazmat.backends import default_backend
 try:
 from ldap.controls import RequestControl as LDAPControl #pylint: disable=F0401
 except ImportError:
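Review bot: dropping the module-level Cipher, algorithms and default_backend imports is only safe if the following hunk re-imports them on the non-M2Crypto path (the commit message says the M2Crypto route is for Python 2.7 only); otherwise any remaining use of those names in dcerpc.py becomes a NameError at call time instead of an ImportError at load time, which is much harder to notice in testing.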
@@ -65,6 +63,29 @@ if six.PY3:
 unicode = str
 long = int
 
+# Some versions of python-cryptography depend on python-cffi callbacks which
+# are built on top of libffi's closure API. The closures require writeable
+# and executable anonymous memory mappings, which violate SELinux execmem
+# rules such as 'httpd_execmem'. Prefer M2Crypto on Python 2.
+try:
+from M2Crypto 
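The import-blocking trick the wsgi.py hunk relies on, as an added example that is not part of Christian's patch or of FreeIPA: registering None under a module's name in sys.modules makes the next import of that name raise ImportError, which is what keeps urllib3's PyOpenSSL glue out of the httpd process. Because the real glue module needs requests installed, the example uses the standard-library module colorsys as a stand-in (an assumption, chosen so the code runs offline), and it also shows why the sys.modules key has to match the real module name exactly.

```python
import importlib
import sys


def block_import(name):
    """Register a None sentinel so that any later import of `name` raises ImportError.

    The sentinel must be set before the module is first imported (the wsgi.py
    hunk places it ahead of the ipalib imports for that reason); a module that
    is already cached in sys.modules would otherwise stay usable.
    """
    sys.modules[name] = None


def unblock_import(name):
    """Remove the sentinel so the module can be imported normally again."""
    if name in sys.modules and sys.modules[name] is None:
        del sys.modules[name]


def is_importable(name):
    """True when importlib can load `name`; False when a sentinel or absence blocks it."""
    try:
        importlib.import_module(name)
    except ImportError:  # ModuleNotFoundError (raised for a None sentinel) is a subclass
        return False
    return True


def pick_tls_backend(glue_module, fallback="stdlib-ssl"):
    """Mimic the 'prefer the optional glue, fall back otherwise' pattern of requests/urllib3.

    Returns the glue module's name when it imports, else the fallback label.
    """
    return glue_module if is_importable(glue_module) else fallback


def demo(real_name="colorsys", misspelled_name="colorsy"):
    """Run the scenario the hunk is meant to handle and return the observations.

    `colorsys` is a stdlib stand-in (constructed for this example) for the
    PyOpenSSL glue module; `misspelled_name` mirrors a typo in the sentinel key.
    """
    results = {}
    unblock_import(real_name)
    results["before"] = pick_tls_backend(real_name)

    # Sentinel under the wrong name: the real module still loads, so the
    # workaround silently does nothing.
    block_import(misspelled_name)
    results["typo_blocked"] = pick_tls_backend(real_name)
    unblock_import(misspelled_name)

    # Sentinel under the correct name: the import fails and the caller
    # falls back to the stdlib ssl path.
    block_import(real_name)
    results["blocked"] = pick_tls_backend(real_name)
    unblock_import(real_name)

    results["after"] = pick_tls_backend(real_name)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-12s -> %s" % (key, value))
```

The same probe, pointed at the real key, is a cheap start-up self-check for a WSGI app that depends on this workaround: if `is_importable("requests.packages.urllib3.contrib.pyopenssl")` returns True after the sentinel was set, the key is wrong or the module was imported before the sentinel.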

Re: [Freeipa-devel] [PATCH] 0749 Package ipapython, ipalib, ipaplatform, ipatests for Python 3

2015-12-07 Thread Jan Cholasta

On 2.12.2015 13:38, Petr Viktorin wrote:

On 12/01/2015 02:37 PM, Jan Cholasta wrote:
[...]

/etc/ipa/default.conf is managed by freeipa-client and thus should be owned by 
it.

This is a common pattern in other packages (even other FreeIPA
sub-packages) and I don't see any reason not to follow it here as well.


OK. After your patch is applied this won't be a problem, though.


Turns out we forgot about translation files, so a -common subpackage is 
actually necessary.




[...]

- python-ipap11helper has compiled code: with this pulled out,
python3-ipalib can be noarch


This is not the goal here, but if you insist on doing it, do it for
Python 2 as well.


It is definitely the goal of this patch to make the py3 packages as good
as possible. That includes making them noarch.


It is completely unnecessary for the initial py3 support.

I would rather maintain internal consistency than make the py3 packages
"perfect".


On the other hand improving the py2 packages is not a goal of this
particular patch.


Which is exactly the reason I have provided patches for py2 packages
myself.


As far as I'm concerned, the patches look good, except for consistency
the package name should be "python2-ipalib".


Fixed.


Unless the process changed, you still need them reviewed by a core
FreeIPA developer.







- python3-ipatests is needed if we want to start testing the py3
packages in  CI


Right.



As for new provides, Fedora's Python packaging guidelines say:

"""
Using a fictional module named "example", the subpackage containing
the python2 version must provide python2-example. This is of course
always the case if the subpackage is named python2-example [...]
If the subpackage has some other name then then Provides:
python2-example
must be added explicitly (but see the %python_provide macro below).

The python3 subpackage must provide python3-example. However, as the
naming guidelines mandate that the python3 subpackage be named
python3-example, this will happen automatically.
"""

so I'm now adding Provides for the top-level modules.


The goal of this work is to add support for Python 3, not to comply with
Fedora packaging guidelines. FreeIPA on Fedora uses its own spec file
anyway.


The goal of this patch is to add new packages that support Python 3.
Yes, the Fedora spec is different, but it's heavily based on the
upstream one, and this is a good thing. I consider the Fedora guidelines
the standard in Python RPM packaging. If IPA uses different packaging
guidelines, can you point me to them?


FreeIPA never fully complied with Fedora packaging guidelines AFAIK and I
don't see any reason to start now, since nobody seemed to care so far.
Following them in just py3 sub-packages does not improve the state of
FreeIPA as a whole and only brings inconsistency into it, so there's no
benefit in doing it at all.


Again, if you insist on doing this, do it for Python 2 as well.


OK, when your patches are ACKed I'll send patches to both improve py2
packaging and add the new packages.



See above.

--
Jan Cholasta



Re: [Freeipa-devel] You cannot specify '--admin-password' option(s) with replica file

2015-12-07 Thread Oleg Fayans
Hi,

On 12/07/2015 02:22 PM, Tomas Babej wrote:
> 
> 
> On 12/07/2015 10:36 AM, Oleg Fayans wrote:
>> This is an error message that I received at the attempt to install
>> replica with the following command:
>>
>> ipa-replica-install --setup-ca -p  -w 
>> /var/lib/ipa/replica-info-replica2.justfor.test.gpg
>>
>> However, if I remove the '-w ', then I get the password
>> prompt for admin password interactively. The domain level is 0. The
>> packages are built last Friday from upstream code.
>>
> 
> This is a legitimate issue, can you file a ticket?
Already done this
https://fedorahosted.org/freeipa/ticket/5517

> 
> Thanks,
> Tomas
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0065]

2015-12-07 Thread Gabe Alford
Bump for review.

On Mon, Nov 30, 2015 at 7:31 PM, Gabe Alford  wrote:

> Hello,
>
> Patch fix for the following tickets:
>
> https://fedorahosted.org/freeipa/ticket/5022
> https://fedorahosted.org/freeipa/ticket/5320
>
> Thanks,
>
> Gabe
>
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0364, 0367] ipa-kra-install: allow first KRA to be installed on replica

2015-12-07 Thread Martin Basti



On 07.12.2015 14:32, Martin Babinsky wrote:

On 11/30/2015 07:24 PM, Simo Sorce wrote:

On Mon, 2015-11-30 at 19:22 +0100, Martin Basti wrote:


On 30.11.2015 19:20, Simo Sorce wrote:

On Mon, 2015-11-30 at 18:29 +0100, Martin Basti wrote:

On 30.11.2015 14:16, Martin Babinsky wrote:

On 11/27/2015 05:02 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5460

I tested just master, I will test ipa-4-2 later.
patch attached.



ACK for the master branch.

Thanks, additional patch improves error message when 
ipa-replica-install
--setup-ca --setup-kra is executed and KRA is not installed 
anywhere yet.


I'm working on patches for ipa-4-2 branch

Question, shouldn't we just go ahead and install the first KRA?

Simo.


At the meeting today Alexander said that we do not want this.
Also, Honza does not want to have KRA installed by default.


Ok, I wasn't sure, fine by me.

Simo.


The patch 367 for master has been forgotten somehow. ACK.


Nope. Both have been pushed.
git show bbbe411f357b7fbad533b5211a90bb0558b1abbe
git show bbbe411f357b7fbad533b5211a90bb0558b1abbe^

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0372] CI: installation tests

2015-12-07 Thread Oleg Fayans


On 12/07/2015 03:51 PM, Martin Basti wrote:
> 
> 
> On 07.12.2015 15:49, Oleg Fayans wrote:
>> Hi,
>>
>> On 12/07/2015 02:37 PM, Martin Basti wrote:
>>>
>>> On 07.12.2015 14:32, Martin Basti wrote:

 On 07.12.2015 13:24, Oleg Fayans wrote:
> Hi Martin,
>
> I would prefer both install_kra and install_ca methods to have
> raiseonerr parameter set to True by default. We need a way to test
> negatives and analyze results.
> Mine looks like this:
>
> def install_kra(host, domain_level=None,
>                 first_instance=False, raiseonerr=True):
>     if not domain_level:
>         domain_level = host.config.domain_level
>     command = ["ipa-kra-install", "-U", "-p",
>                host.config.dirman_password]
>     if domain_level == DOMAIN_LEVEL_0 and not first_instance:
>         replica_file = get_replica_filename(host)
>         command.append(replica_file)
>     return host.run_command(command, raiseonerr=raiseonerr)
>
> The rest looks good to me, but I did not run the tests yet.
 Sounds good, I will amend the patch later.
>>> I changed my mind, shouldn't the domain_level value be obtained from
>>> the function domainlevel(host)?
>> We should have a way to test negatives, like providing replica file at
>> domain level=1 and not providing at domain level=0. So these functions
>> should either accept replica file as a parameter, or arbitrary domain
>> level
> Agree, but I meant this
> 
>  if not domain_level:
> -domain_level = host.config.domain_level
> +domain_level = domainlevel(host)

Oh, yes, you are right, that's better.

> 
> 
>>
>>> Martin^2
>>>
> On 12/06/2015 10:22 PM, Martin Basti wrote:
>> My favorite today \o/ --> 67 <-- \o/ test cases, no more manual
>> testing
>> of installers \o/.
>>
>> Test suite contains: 6 combinations of how to install components on
>> replica
>> X 4 combinations of server installation + 3 extra server tests
>>
>> To save time tests install 1 master and 3 replicas per test class
>> (except extra server tests):
>> Class name  specifies what is installed on master.
>>
>> Remember, option "-k" is your friend
>> $ ipa-run-tests -k ''
>> otherwise you will need a lot of time until tests finish.
>>
>> To list all tests:
>> $ ipa-run-tests test_integration/test_installation.py --collect-only
>>
>>
>> Patch attached, it needs to have attached all patches I sent today
>> and
>> also attached workaround patch (Martin3 will provide proper fix)
>>
>> I haven't had time/mood/resources to test this patch with domain
>> level
>> 0, so testing this patch with domain level 0 is appreciated.
>>
>>
>> Oleg, I added some methods to tasks.py which you may want to reuse.
>>
>> Martin^2
>>
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [PATCH 0393] replicainstall: Admin password should not conflict with

2015-12-07 Thread Tomas Babej
Hi,

The --admin-password (-w) has its use both in domain level 0 and 1.

https://fedorahosted.org/freeipa/ticket/5517
From 9f5a6c6b257955ccad03840090d1b8fd2463bf6d Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Mon, 7 Dec 2015 14:32:11 +0100
Subject: [PATCH] replicainstall: Admin password should not conflict with
 replica file

The --admin-password (-w) has its use both in domain level 0 and 1.

https://fedorahosted.org/freeipa/ticket/5517
---
 ipaserver/install/server/replicainstall.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 4ab40256d15bbd534e910c0ca008bb79a15b268b..683d157c78e876dc690d20139f1b5e27ebe20c36 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1377,7 +1377,6 @@ class Replica(BaseServer):
 CLIKnob(self.domain_name, '--domain'),
 CLIKnob(self.host_name, '--hostname'),
 CLIKnob(self.server, '--server'),
-CLIKnob(self.admin_password, '--admin-password'),
 CLIKnob(self.principal, '--principal'),
 )
 
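Review bot: removing `CLIKnob(self.admin_password, '--admin-password')` from the tuple of options that conflict with a replica file leaves `CLIKnob(self.principal, '--principal')` in it, so the commit message should say whether `--principal` remains invalid with a replica file at domain level 0 while `-w` is now accepted, or whether it needs the same treatment. The reproducer from the list (ipa-replica-install --setup-ca -p ... -w ... replica-info-*.gpg at domain level 0) would make a useful regression test, since nothing in the patch exercises the changed check.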
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0372] CI: installation tests

2015-12-07 Thread Martin Basti



On 07.12.2015 14:32, Martin Basti wrote:



On 07.12.2015 13:24, Oleg Fayans wrote:

Hi Martin,

I would prefer both install_kra and install_ca methods to have
raiseonerr parameter set to True by default. We need a way to test
negatives and analyze results.
Mine looks like this:

def install_kra(host, domain_level=None,
                first_instance=False, raiseonerr=True):
    if not domain_level:
        domain_level = host.config.domain_level
    command = ["ipa-kra-install", "-U", "-p",
               host.config.dirman_password]
    if domain_level == DOMAIN_LEVEL_0 and not first_instance:
        replica_file = get_replica_filename(host)
        command.append(replica_file)
    return host.run_command(command, raiseonerr=raiseonerr)

The rest looks good to me, but I did not run the tests yet.

Sounds good, I will amend the patch later.


I changed my mind, shouldn't the domain_level value be obtained from
the function domainlevel(host)?

Martin^2





On 12/06/2015 10:22 PM, Martin Basti wrote:

My favorite today \o/ --> 67 <-- \o/ test cases, no more manual testing
of installers \o/.

Test suite contains: 6 combinations of how to install components on replica
X 4 combinations of server installation + 3 extra server tests

To save time tests install 1 master and 3 replicas per test class
(except extra server tests):
Class name  specifies what is installed on master.

Remember, option "-k" is your friend
$ ipa-run-tests -k ''
otherwise you will need a lot of time until tests finish.

To list all tests:
$ ipa-run-tests test_integration/test_installation.py --collect-only


Patch attached, it needs to have attached all patches I sent today and
also attached workaround patch (Martin3 will provide proper fix)

I haven't had time/mood/resources to test this patch with domain level
0, so testing this patch with domain level 0 is appreciated.


Oleg, I added some methods to tasks.py which you may want to reuse.

Martin^2





--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0370] CI: test various topologies with 3 replicas

2015-12-07 Thread Oleg Fayans
ACK

On 12/06/2015 10:01 PM, Martin Basti wrote:
> Patch attached, to work properly it requires all patches I sent today +
> workaround patch attached (Martin3 will provide proper fix).
> 
> The last two tests are failing due to a bug in the test framework
> (ipa-replica-manage should not be used with domain level 1)
> 
> Martin^2

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0026] Workarounds for SELinux execmem violations in cryptography

2015-12-07 Thread Christian Heimes
On 2015-12-07 16:17, Alexander Bokovoy wrote:
> On Mon, 07 Dec 2015, Christian Heimes wrote:
>> The patch fixes SELinux violations in Fedora 23.
>>
>> Background: Recent versions of cryptography cause an SELinux violation
>> which leads to a segfault, see
>> https://bugzilla.redhat.com/show_bug.cgi?id=1277224 . The segfault only
>> occurs in the context of Apache HTTPD (FreeIPA web ui) when
>> cryptography.hazmat.backends.default_backend() is initialized. I'm
>> working on a fix for cryptography but it will take a while. First I have
>> to wait for a new upstream release of python-cffi. Armin Ronacher plans
>> to release cffi 1.4 in two weeks.
>>
>>
>> ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
>> pki.client no longer tries to use PyOpenSSL instead of Python's ssl
>> module.
>>
>> Some dependencies like Dogtag's pki.client library and custodia use
>> python-requests to make HTTPS connections. python-requests prefers
>> PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
>> of python-cryptography, which triggers an execmem SELinux violation
>> in the context of Apache HTTPD (httpd_execmem).
>> When requests is imported, it always tries to import pyopenssl glue
>> code from urllib3's contrib directory. The import of PyOpenSSL is
>> enough to trigger the SELinux denial.
>> A hack in wsgi.py prevents the import by raising an ImportError.
> ACK. Thanks for these patches.
> 
> Note to Debian/Ubuntu maintainers: AppArmor 'support' in python-cffi
> already detects apparmor by looking into /proc and disabling the use of
> writeable and executable memory. On those platforms I suspect recent
> enough python-cryptography would work without problem by downgrading its
> own feature set. The code in these patches should be harmless, though.

Cryptography's core depends on dynamic callbacks. There is no "downgrade
feature-set" feature.

I guess libffi uses the broken and potentially dangerous workaround
with two shared mmap() mappings of a file backend.
(http://www.akkadia.org/drepper/selinux-mem.html). The approach requires
a writeable, executable temp file and breaks isolation between a parent
process and all its forked child processes.

Christian
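The wsgi.py hack Christian describes (refusing the PyOpenSSL import so urllib3's contrib glue is never loaded and requests stays on the stdlib ssl module) can be shown with a stand-alone meta path finder. This is an added example, not the FreeIPA patch; the contents of BLOCKED_TOP_LEVEL and the function names are chosen for the demo.

```python
"""Refuse selected imports so that PyOpenSSL glue is never loaded.

Added example, not the FreeIPA wsgi.py patch: a meta path finder makes
``import OpenSSL`` (and any OpenSSL.* submodule) fail with ImportError,
which is what makes urllib3's pyopenssl contrib module give up and leaves
requests on the stdlib ssl module. Names are chosen for the demo.
"""
import importlib
import importlib.abc
import sys
from typing import FrozenSet

# Top-level packages refused inside the hardened process (the httpd/mod_wsgi
# context from the thread). Constructed default for the demo.
BLOCKED_TOP_LEVEL: FrozenSet[str] = frozenset({"OpenSSL"})


class ImportBlocker(importlib.abc.MetaPathFinder):
    """Meta path finder that refuses a set of top-level packages."""

    def __init__(self, blocked: FrozenSet[str]) -> None:
        self.blocked = blocked

    def find_spec(self, fullname, path, target=None):
        top = fullname.partition(".")[0]
        if top in self.blocked:
            # Raising here aborts the import before any later finder (and
            # so any native extension module) gets a chance to load.
            raise ImportError("%s is blocked in this process "
                              "(SELinux execmem denial)" % fullname)
        return None  # not ours: let the regular finders handle it


def install_blocker(blocked: FrozenSet[str] = BLOCKED_TOP_LEVEL) -> ImportBlocker:
    """Put the blocker first on sys.meta_path and evict cached copies, so
    it also bites for packages that were imported before this call."""
    blocker = ImportBlocker(blocked)
    sys.meta_path.insert(0, blocker)
    for name in list(sys.modules):
        if name.partition(".")[0] in blocked:
            del sys.modules[name]
    return blocker


def is_import_blocked(name: str) -> bool:
    """True if ``import name`` now fails with ImportError."""
    try:
        importlib.import_module(name)
    except ImportError:
        return True
    return False


def select_tls_backend() -> str:
    """Preference order from the thread: PyOpenSSL first, stdlib ssl as the
    fallback once the import is refused."""
    try:
        import OpenSSL.SSL  # noqa: F401
        return "pyopenssl"
    except ImportError:
        import ssl  # noqa: F401
        return "ssl"
```

The blocker must be installed before requests (or anything that imports it) is loaded; evicting cached modules only helps for the top-level package itself, not for callers that already hold a reference.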




-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0364, 0367] ipa-kra-install: allow first KRA to be installed on replica

2015-12-07 Thread Martin Babinsky

On 12/02/2015 05:24 PM, Martin Basti wrote:



On 02.12.2015 14:52, Martin Babinsky wrote:

On 11/30/2015 06:29 PM, Martin Basti wrote:



On 30.11.2015 14:16, Martin Babinsky wrote:

On 11/27/2015 05:02 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5460

I tested just master, I will test ipa-4-2 later.
patch attached.




ACK for the master branch.


Thanks, additional patch improves error message when ipa-replica-install
--setup-ca --setup-kra is executed and KRA is not installed anywhere
yet.

I'm working on patches for ipa-4-2 branch

Martin


ACK for patch 367.


Pushed to master: bbbe411f357b7fbad533b5211a90bb0558b1abbe

IPA 4.2 patches attached.


ACK.

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin

2015-12-07 Thread Aleš Mareček
NACK.

$ ./make-lint 
* Module ipatests.test_xmlrpc.test_user_plugin
ipatests/test_xmlrpc/test_user_plugin.py:42: [E0611(no-name-in-module), ] No 
name 'ldaptracker' in module 'ipatests.test_xmlrpc')

$ grep ldaptracker ipatests/test_xmlrpc/test_user_plugin.py 
from ipatests.test_xmlrpc.ldaptracker import Tracker
$ ls ipatests/test_xmlrpc/ldaptracker*
ls: cannot access ipatests/test_xmlrpc/ldaptracker*: No such file or directory


- Original Message -
> From: "Filip Škola" 
> To: "Milan Kubík" 
> Cc: freeipa-devel@redhat.com
> Sent: Thursday, December 3, 2015 5:38:43 PM
> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
> 
> Hi,
> 
> sending corrected version.
> 
> F.
> 
> On Thu, 12 Nov 2015 14:03:19 +0100
> Milan Kubík  wrote:
> 
> > On 11/10/2015 12:13 PM, Filip Škola wrote:
> > > Hi,
> > >
> > > fixed.
> > >
> > > F.
> > >
> > > On Tue, 10 Nov 2015 10:52:45 +0100
> > > Milan Kubík  wrote:
> > >
> > >> On 11/09/2015 04:35 PM, Filip Škola wrote:
> > >>> Another patch was applied in the meantime.
> > >>>
> > >>> Attaching an updated version.
> > >>>
> > >>> F.
> > >>>
> > >>> On Mon, 9 Nov 2015 13:35:02 +0100
> > >>> Milan Kubík  wrote:
> > >>>
> >  On 11/06/2015 11:32 AM, Filip Škola wrote:
> >  Hi,
> >  the patch doesn't apply.
> > 
> > >> Please fix this.
> > >>
> > >>   ipatests/test_xmlrpc/test_user_plugin.py:1419:
> > >> [E0602(undefined-variable),
> > >> TestDeniedBindWithExpiredPrincipal.teardown_class] Undefined
> > >> variable 'user1')
> > >>
> > >> Also, use the version numbers for your changed patches.
> > >>
> > >
> > >
> > Thanks for the patch. Several issues:
> > 
> > 1. Use dict.items instead of dict.iteritems, for python3 compatibility
> > 
> > 2. What is the purpose of TestPrepare class? The 'purge' methods do
> > not call any ipa commands.
> > Tracker.make_fixture should be used to make the Tracked resources
> > clean themselves up when they're out of scope.
> > 
> > 3. Why reference the resources by hardcoded name if they have a
> > fixture representation?
> > 
> > 4. Rewrite {create,delete}_test_group to a fixture. You may want to
> > use different scope (or not).
> > 
> > 5. In `def atest_rename_to_invalid_login(self, user):` - use
> > pytest.skipif decorator and provide a reason if you must,
> > do not obfuscate method name in order not to run it.
> > 
> > 
> 
> 
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0372] CI: installation tests

2015-12-07 Thread Martin Basti



On 07.12.2015 15:49, Oleg Fayans wrote:

Hi,

On 12/07/2015 02:37 PM, Martin Basti wrote:


On 07.12.2015 14:32, Martin Basti wrote:


On 07.12.2015 13:24, Oleg Fayans wrote:

Hi Martin,

I would prefer both install_kra and install_ca methods to have
raiseonerr parameter set to True by default. We need a way to test
negatives and analyze results.
Mine looks like this:

def install_kra(host, domain_level=None,
                first_instance=False, raiseonerr=True):
    if not domain_level:
        domain_level = host.config.domain_level
    command = ["ipa-kra-install", "-U", "-p",
               host.config.dirman_password]
    if domain_level == DOMAIN_LEVEL_0 and not first_instance:
        replica_file = get_replica_filename(host)
        command.append(replica_file)
    return host.run_command(command, raiseonerr=raiseonerr)

The rest looks good to me, but I did not run the tests yet.

Sounds good, I will amend the patch later.

I changed my mind, shouldn't the domain_level value be obtained from
the function domainlevel(host)?

We should have a way to test negatives, like providing replica file at
domain level=1 and not providing at domain level=0. So these functions
should either accept replica file as a parameter, or arbitrary domain level

Agree, but I meant this

 if not domain_level:
-domain_level = host.config.domain_level
+domain_level = domainlevel(host)
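Review bot: the unchanged context line `if not domain_level:` is the bigger problem here, not where the default comes from: DOMAIN_LEVEL_0 is 0, so a caller that passes domain_level=DOMAIN_LEVEL_0 explicitly (the very negative case Oleg wants to test, a level-0 install without a replica file) is treated as "not given" and silently overwritten by domainlevel(host). Use `if domain_level is None:` so that only an omitted argument triggers the lookup.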





Martin^2


On 12/06/2015 10:22 PM, Martin Basti wrote:

My favorite today \o/ --> 67 <-- \o/ test cases, no more manual testing
of installers \o/.

Test suite contains: 6 combinations of how to install components on replica
X 4 combinations of server installation + 3 extra server tests

To save time tests install 1 master and 3 replicas per test class
(except extra server tests):
Class name  specifies what is installed on master.

Remember, option "-k" is your friend
$ ipa-run-tests -k ''
otherwise you will need a lot of time until tests finish.

To list all tests:
$ ipa-run-tests test_integration/test_installation.py --collect-only


Patch attached, it needs to have attached all patches I sent today and
also attached workaround patch (Martin3 will provide proper fix)

I haven't had time/mood/resources to test this patch with domain level
0, so testing this patch with domain level 0 is appreciated.


Oleg, I added some methods to tasks.py which you may want to reuse.

Martin^2



--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [PATCHES 516-517] spec file: put Python modules into standalone packages

2015-12-07 Thread Jan Cholasta

Hi,

the attached patches partially fix 
. This is done to allow 
the addition of Python 3 packages, see 
. 
See commit messages for more information.


In order to test:
1. make rpms
2. 


3. Test with both dnf and yum-deprecated.

Beware that when you run "yum-deprecated clean all", it does not remove the
cache for the on-disk repository created in step 2; you have to remove
the /var/cache/yum/$basearch/$releasever/$reponame directory manually.


Honza

--
Jan Cholasta
From df7b8fda81297f6cccdf999fe17cb2ac6b8b61b2 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 26 Nov 2015 10:52:07 +0100
Subject: [PATCH 1/2] spec file: remove config files from freeipa-python

/etc/ipa/dnssec is now owned by freeipa-server. The remaining files are now
owned by freeipa-client.

https://fedorahosted.org/freeipa/ticket/3197
---
 freeipa.spec.in | 24 +---
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index a60d9b6..f776def 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -503,6 +503,9 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
 # Web UI plugin dir
 mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
 
+# DNSSEC config
+mkdir -p %{buildroot}%{_sysconfdir}/ipa/dnssec
+
 # KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/
 install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
@@ -536,7 +539,6 @@ mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/
 /bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
 /bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
-mkdir -p %{buildroot}%{_sysconfdir}/ipa/dnssec
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/nssdb
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
 mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d
@@ -840,6 +842,7 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec
 %{_usr}/share/ipa/ipa.conf
 %{_usr}/share/ipa/ipa-rewrite.conf
 %{_usr}/share/ipa/ipa-pki-proxy.conf
@@ -928,6 +931,15 @@ fi
 %{_sbindir}/ipa-getkeytab
 %{_sbindir}/ipa-rmkeytab
 %{_sbindir}/ipa-join
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
+%ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
 %dir %{_usr}/share/ipa
 %dir %{_localstatedir}/lib/ipa-client
 %dir %{_localstatedir}/lib/ipa-client/sysrestore
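Review bot: `%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf` and the matching `ca.crt` line are moved into the freeipa-client %files with the apache group kept, but a client-only host has no httpd and therefore no guarantee that the `apache` group exists; rpm then falls back to root for that entry and warns at install time. Either use `%attr(0644,root,root)` here or explain in the commit message why the client package needs these files owned by the apache group.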
@@ -972,16 +984,6 @@ fi
 %{python_sitelib}/ipaplatform-*.egg-info
 %{python_sitearch}/python_default_encoding-*.egg-info
 %{python_sitearch}/_ipap11helper-*.egg-info
-%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
-%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
-%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
-%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
-%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec
-%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
-%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
-%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
-%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
-%ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
 
 %if ! %{ONLY_CLIENT}
 %files tests -f tests-python.list
-- 
2.4.3

From 2b77ee2654c18b71d607c5818fdbb721e52aeaca Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 7 Dec 2015 13:52:38 +0100
Subject: [PATCH 2/2] spec file: put Python modules into standalone packages

Make the following changes in packaging:

* freeipa-server - split off python2-ipaserver and freeipa-server-common,
* freeipa-server-dns - build as noarch,
* freeipa-client - split off python2-ipaclient and freeipa-client-common,
* freeipa-admintools - build as noarch,
* freeipa-python - split into python2-ipalib and freeipa-common, provide
  freeipa-python-compat for upgrades,
* freeipa-tests - rename to python2-ipatests and 

Re: [Freeipa-devel] [PATCH 0372] CI: installation tests

2015-12-07 Thread Martin Basti



On 07.12.2015 13:24, Oleg Fayans wrote:

Hi Martin,

I would prefer both install_kra and install_ca methods to have
raiseonerr parameter set to True by default. We need a way to test
negatives and analyze results.
Mine looks like this:

def install_kra(host, domain_level=None,
                first_instance=False, raiseonerr=True):
    if not domain_level:
        domain_level = host.config.domain_level
    command = ["ipa-kra-install", "-U", "-p",
               host.config.dirman_password]
    if domain_level == DOMAIN_LEVEL_0 and not first_instance:
        replica_file = get_replica_filename(host)
        command.append(replica_file)
    return host.run_command(command, raiseonerr=raiseonerr)

The rest looks good to me, but I did not run the tests yet.

Sounds good, I will amend the patch later.



On 12/06/2015 10:22 PM, Martin Basti wrote:

My favorite today \o/ --> 67 <-- \o/ test cases, no more manual testing
of installers \o/.

Test suite contains: 6 combinations of how to install components on replica
X 4 combinations of server installation + 3 extra server tests

To save time tests install 1 master and 3 replicas per test class
(except extra server tests):
Class name  specifies what is installed on master.

Remember, option "-k" is your friend
$ ipa-run-tests -k ''
otherwise you will need a lot of time until tests finish.

To list all tests:
$ ipa-run-tests test_integration/test_installation.py --collect-only


Patch attached, it needs to have attached all patches I sent today and
also attached workaround patch (Martin3 will provide proper fix)

I haven't had time/mood/resources to test this patch with domain level
0, so testing this patch with domain level 0 is appreciated.


Oleg, I added some methods to tasks.py which you may want to reuse.

Martin^2



--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0364, 0367] ipa-kra-install: allow first KRA to be installed on replica

2015-12-07 Thread Martin Babinsky

On 11/30/2015 07:24 PM, Simo Sorce wrote:

On Mon, 2015-11-30 at 19:22 +0100, Martin Basti wrote:


On 30.11.2015 19:20, Simo Sorce wrote:

On Mon, 2015-11-30 at 18:29 +0100, Martin Basti wrote:

On 30.11.2015 14:16, Martin Babinsky wrote:

On 11/27/2015 05:02 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5460

I tested just master, I will test ipa-4-2 later.
patch attached.



ACK for the master branch.


Thanks, additional patch improves error message when ipa-replica-install
--setup-ca --setup-kra is executed and KRA is not installed anywhere yet.

I'm working on patches for ipa-4-2 branch

Question, shouldn't we just go ahead and install the first KRA?

Simo.


At the meeting today Alexander said that we do not want this.
Also, Honza does not want to have KRA installed by default.


Ok, I wasn't sure, fine by me.

Simo.


The patch 367 for master has been forgotten somehow. ACK.

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

2015-12-07 Thread David Kupka

On 07/12/15 14:06, David Kupka wrote:

On 09/09/15 13:39, Petr Spacek wrote:

On 8.9.2015 16:30, David Kupka wrote:

On 28/08/15 13:36, Martin Basti wrote:



On 08/28/2015 10:03 AM, Petr Spacek wrote:

On 27.8.2015 14:22, David Kupka wrote:

@@ -2101,11 +2101,25 @@ class DNSZoneBase(LDAPObject):
   class DNSZoneBase_add(LDAPCreate):
+takes_options = LDAPCreate.takes_options + (
+Flag('force',
+ label=_('Force'),
+ doc=_('Force DNS zone creation.')
+),
+Flag('skip_overlap_check',
+ doc=_('Force DNS zone creation even if it will overlap
with '
+   'existing zone.')
+),
+)
+
   has_output_params = LDAPCreate.has_output_params +
dnszone_output_params
   def pre_callback(self, ldap, dn, entry_attrs, attrs_list,
*keys, **options):
   assert isinstance(dn, DN)
+if options['force']:
+options['skip_overlap_check'] = True
+
   try:
   entry = ldap.get_entry(dn)
   except errors.NotFound:
@@ -2120,6 +2134,12 @@ class DNSZoneBase_add(LDAPCreate):
   entry_attrs['idnszoneactive'] = 'TRUE'
+if not options['skip_overlap_check']:
+try:
+check_zone_overlap(keys[-1])
+except RuntimeError as e:
+raise errors.InvocationError(e.message)
+
   return dn
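Review bot: `raise errors.InvocationError(e.message)` depends on `BaseException.message`, which was deprecated in Python 2.6 and does not exist in Python 3, so once this code runs under py3 the except branch raises AttributeError instead of the intended InvocationError; use `str(e)`. Catching `RuntimeError` is also broader than needed: any unrelated RuntimeError escaping check_zone_overlap would be reported as "zone already exists", so a dedicated exception class for the overlap case would be cleaner.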
@@ -2673,9 +2693,9 @@ class dnszone_add(DNSZoneBase_add):
   __doc__ = _('Create new DNS zone (SOA record).')
   takes_options = DNSZoneBase_add.takes_options + (
-Flag('force',
- label=_('Force'),
- doc=_('Force DNS zone creation even if nameserver is
not resolvable.'),
+Flag('skip_nameserver_check',
+ doc=_('Force DNS zone creation even if nameserver is
not '
+   'resolvable.')
   ),
   # Deprecated
@@ -2699,6 +2719,9 @@ class dnszone_add(DNSZoneBase_add):
   def pre_callback(self, ldap, dn, entry_attrs, attrs_list,
*keys, **options):
   assert isinstance(dn, DN)
+if options['force']:
+options['skip_nameserver_check'] = True

Why is it in DNSZoneBase_add.pre_callback?

Shouldn't the equation force = (skip_nameserver_check +
skip_nameserver_check)
be handled in parameter parsing & validation? (Again, I do not know
the IPA
framework :-))


+
   dn = super(dnszone_add, self).pre_callback(
   ldap, dn, entry_attrs, attrs_list, *keys, **options)
@@ -2713,7 +2736,7 @@ class dnszone_add(DNSZoneBase_add):
   error=_("Nameserver for reverse zone cannot be
a relative DNS name"))
   # verify if user specified server is resolvable
-if not options['force']:
+if not options['skip_nameserver_check']:
   check_ns_rec_resolvable(keys[0],
entry_attrs['idnssoamname'])
   # show warning about --name-server option
   context.show_warning_nameserver_option = True
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index
d959bb369d946217acd080e78483cc9013dda4c7..18f477d4fb6620090b7073689c8df51b65a8307a


100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -924,6 +924,20 @@ def host_exists(host):
   else:
   return True
+def check_zone_overlap(zone):
+if resolver.zone_for_name(zone) == zone:
+try:
+ns = [ans.to_text() for ans in resolver.query(zone,
'NS')]
+except DNSException as e:
+root_logger.debug("Failed to resolve nameserver(s) for
domain"
+" {0}: {1}".format(zone, e))
+ns = []
+
+msg = u"DNS zone {0} already exists".format(zone)

Nitpick: I would say "already exists in DNS" to make it absolutely
clear. Just
'already exists' might be confusing because ipa dnszone-show will say
that the
zone does not exist ...


+if ns:
+msg += u" and is handled by server(s): {0}".format(',
'.join(ns))
+raise RuntimeError(msg)
+
   def get_ipa_basedn(conn):
   """
   Get base DN of IPA suffix in given LDAP server.
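Review bot: `resolver.zone_for_name(zone)` sits outside the try block, but in dnspython it raises `dns.resolver.NoRootSOA` (a DNSException) when no SOA can be found up to the root, for example on a host without working recursive DNS, so `dnszone-add` would then fail with an unhandled exception instead of either creating the zone or reporting the overlap; decide explicitly whether "cannot determine" means "no overlap" (log and return) or an error. The equality test also only works if `zone` is a `dns.name.Name` (IPA's DNSName qualifies): a plain str never compares equal to the returned Name, so the check would silently pass, and an isinstance check or a dns.name.from_text conversion at the top would make that explicit.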

0064
NACK

ipa-replica-install should have the --skip-overlap-check too, because
any replica can be the first DNS server.


Thanks for the catch, added.



0064+0058
Can the options --allow-zone-overlap and --skip-overlap-check be merged
into one name, to have just one name for the same thing?



Each option has slightly different behavior:
The '--skip-overlap-check' option in the API call prevents the check from
being performed, so no error or warning is raised. This is the way the
'--force' option originally worked.

The '--allow-zone-overlap' option in the installers does not skip the
check but changes the error to a warning instead and lets the installation
continue.

If you think that this can confuse users, we need to change the names or
even the logic.

Updated patches attached.


Hello,

thank you very much for updating the patch.

Unfortunately it is not yet ready, but we are getting there.


* 
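The distinction David draws in this thread between the API option (--skip-overlap-check skips the check outright) and the installer option (--allow-zone-overlap runs the check but downgrades the error to a warning), carried through in a stand-alone re-implementation of check_zone_overlap. This is an added example, not the FreeIPA patch: FakeResolver is a constructed in-memory stand-in for dns.resolver, and ZoneOverlapError, api_zone_add, installer_zone_add and overlap_error are hypothetical names.

```python
"""Zone-overlap pre-check with the two option semantics from the thread.

Added example, not the FreeIPA code: FakeResolver is a constructed stand-in
for dns.resolver; ZoneOverlapError, api_zone_add, installer_zone_add and
overlap_error are names chosen for this demo.
"""
import logging
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

log = logging.getLogger("zone_overlap_example")


class ZoneOverlapError(RuntimeError):
    """The zone to be created is already served by someone in DNS."""


@dataclass
class FakeResolver:
    """In-memory stand-in for dns.resolver (constructed data, no network).

    delegations maps an existing absolute lower-case zone to its NS names;
    a value of None models a zone whose NS lookup fails.
    """
    delegations: Dict[str, Optional[List[str]]] = field(default_factory=dict)

    def zone_for_name(self, name: str) -> str:
        # Walk up label by label to the closest delegated zone, the way
        # dns.resolver.zone_for_name walks SOA records; "." is the root.
        labels = name.rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:]) + "."
            if candidate in self.delegations:
                return candidate
        return "."

    def query(self, name: str, rdtype: str) -> List[str]:
        if rdtype != "NS" or self.delegations.get(name) is None:
            raise LookupError("no %s records for %s" % (rdtype, name))
        return list(self.delegations[name])


def normalize(zone: str) -> str:
    """Absolute, lower-case form, matching what the resolver returns."""
    return zone.rstrip(".").lower() + "."


def check_zone_overlap(zone: str, resolver: FakeResolver) -> None:
    """Raise ZoneOverlapError if zone already exists in DNS; a new sub-zone
    below an existing delegation is not an overlap."""
    zone = normalize(zone)
    if resolver.zone_for_name(zone) != zone:
        return
    try:
        ns = resolver.query(zone, "NS")
    except LookupError as e:  # DNSException in the real code
        log.debug("Failed to resolve nameserver(s) for %s: %s", zone, e)
        ns = []
    # "already exists in DNS" is the wording the review asked for, so the
    # message is not mistaken for the zone existing in IPA's LDAP tree.
    msg = "DNS zone %s already exists in DNS" % zone
    if ns:
        msg += " and is handled by server(s): %s" % ", ".join(ns)
    raise ZoneOverlapError(msg)


def api_zone_add(zone: str, resolver: FakeResolver,
                 skip_overlap_check: bool = False) -> str:
    """API semantics (--skip-overlap-check): the check is not run at all,
    so there is neither an error nor a warning."""
    if not skip_overlap_check:
        check_zone_overlap(zone, resolver)
    return "created %s" % normalize(zone)


def installer_zone_add(zone: str, resolver: FakeResolver,
                       allow_zone_overlap: bool = False
                       ) -> Tuple[str, List[str]]:
    """Installer semantics (--allow-zone-overlap): the check always runs;
    the option only turns the error into a warning and continues."""
    warnings: List[str] = []
    try:
        check_zone_overlap(zone, resolver)
    except ZoneOverlapError as e:
        if not allow_zone_overlap:
            raise
        warnings.append(str(e))
    return "created %s" % normalize(zone), warnings


def overlap_error(fn: Callable, *args, **kwargs) -> Optional[str]:
    """Return the ZoneOverlapError message fn raises, or None if it passes."""
    try:
        fn(*args, **kwargs)
    except ZoneOverlapError as e:
        return str(e)
    return None
```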

Re: [Freeipa-devel] [PATCH 0065]

2015-12-07 Thread Gabe Alford
Yup you are right. I meant to bump the other one.

> It is on my TODO list.
Awesome.

On Mon, Dec 7, 2015 at 7:20 AM, Martin Basti  wrote:

>
>
> On 07.12.2015 14:55, Gabe Alford wrote:
>
> Bump for review.
>
> On Mon, Nov 30, 2015 at 7:31 PM, Gabe Alford 
> wrote:
>
>> Hello,
>>
>> Patch fix for the following tickets:
>>
>> https://fedorahosted.org/freeipa/ticket/5022
>> https://fedorahosted.org/freeipa/ticket/5320
>>
>> Thanks,
>>
>> Gabe
>>
>
>
>
> Hello, IIRC you said that we should ignore this in thread
> [PATCH 0065] ipa-replica-install prints incorrect error message when
> replica is already installed
>
> It is on my TODO list.
>
> Martin^2
>
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] ca-less tests updated - POC

2015-12-07 Thread Oleg Fayans
Anyone to review it guys?

On 11/06/2015 02:04 PM, Oleg Fayans wrote:
> Hi Jan,
> 
> On 11/06/2015 09:01 AM, Jan Cholasta wrote:
>> Actually it might be better to keep them, but fix them to expect
>> ipa-server-certinstall to success.
> 
> Done. Updated patch attached.
> Also in the patch 0013 I removed a trailing whitespace which caused lint
> to complain
> 
> Now with domain level 0 the test output looks like this:
> 
> [11:40:51]ofayans@vm-076:~]$ ipa-run-tests test_integration/test_caless.py
> 
> test session starts
> =
> 
> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.6.4
> plugins: multihost, sourceorder
> collected 88 items
> 
> test_integration/test_caless.py
> ..xx..ss...xxssxx..ss...
> 
> = 76 passed, 6 skipped, 6 xfailed in 7871.10 seconds
> =
> 
>>
>> On 6.11.2015 08:47, Jan Cholasta wrote:
>>> Hi Oleg,
>>>
>>> I think you can just remove
>>> TestCertinstall.test_{http,ds}_intermediate_ca, the certificates are
>>> imported correctly in this case and I didn't see anything break.
>>>
>>> Honza
>>>
>>> On 5.11.2015 20:20, Oleg Fayans wrote:
 Patch 0014 updated and passes lint

 On 11/05/2015 03:41 PM, Oleg Fayans wrote:
> Wait a bit, the patch has problems with pylint: it does not build :)
> The updated version (without the setupmaster nonsense) is being tested
> now.
>
> On 11/05/2015 08:45 AM, Oleg Fayans wrote:
>> Hi Jan,
>>
>> Could you take a look at these, whenever you are free?
>>
>> On 10/30/2015 02:57 PM, Oleg Fayans wrote:
>>> Hi,
>>>
>>> The following patches contain updates to ca-less integration tests.
>>> It's still a proof of concept: 2 tests still fail seemingly due to
>>> the
>>> change in target system logic (marked as xfail with "ask jcholast
>>> comment")
>>>
>>> The test output looks like this:
>>>
>>> $ ipa-run-tests test_integration/test_caless.py --pdb
>>> 
>>> test session starts
>>> =
>>>
>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.6.4
>>> plugins: multihost, sourceorder
>>> collected 88 items
>>>
>>> test_integration/test_caless.py
>>> ..xx..sssss.ss.xx..ssxx.
>>>
>>> 
>>> 53 passed, 29 skipped, 6 xfailed in 5620.17 seconds
>>> =
>>>
>>> Numerous skips correspond to the tests related to
>>> ipa-replica-prepare
>>> (unsupported under domain level 1)
>>
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCH 0111] prevent crashes of server uninstall check caused by failed, 5 LDAP connections

2015-12-07 Thread Martin Babinsky

On 12/04/2015 08:49 PM, Rob Crittenden wrote:

Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/5409


Should it also warn about the potential loss of the DNSSEC master?

rob



Probably, but that warrants a separate ticket IMHO.

IIRC these checks are a part of the replica deletion code at domain level 1
in ipa-replica-manage, so it should be possible to transplant them onto the
server uninstaller.


--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0026] Workarounds for SELinux execmem violations in cryptography

2015-12-07 Thread Alexander Bokovoy

On Mon, 07 Dec 2015, Christian Heimes wrote:

The patch fixes SELinux violations in Fedora 23.

Background: Recent versions of cryptography cause an SELinux violation
which will lead to a segfault, see
https://bugzilla.redhat.com/show_bug.cgi?id=1277224 . The segfault only
occurs in the context of Apache HTTPD (FreeIPA web ui) when
cryptography.hazmat.backends.default_backend() is initialized. I'm
working on a fix for cryptography but it will take a while. First I have
to wait for a new upstream release of python-cffi. Armin Ronacher plans
to release cffi 1.4 in two weeks.


ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
pki.client no longer tries to use PyOpenSSL instead of Python's ssl
module.

Some dependencies like Dogtag's pki.client library and custodia use
python-requests to make HTTPS connections. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
of python-cryptography which triggers an execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
A hack in wsgi.py prevents the import by raising an ImportError.

ACK. Thanks for these patches.

Note to Debian/Ubuntu maintainers: AppArmor 'support' in python-cffi
already detects AppArmor by looking into /proc and disables the use of
writeable and executable memory. On those platforms I suspect a recent
enough python-cryptography would work without problem by downgrading its own
feature set. The code in these patches should be harmless, though.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin

2015-12-07 Thread Milan Kubík

On 12/03/2015 08:15 PM, Filip Škola wrote:

On Mon, 30 Nov 2015 17:18:30 +0100
Milan Kubík  wrote:


On 11/23/2015 04:42 PM, Filip Škola wrote:

Sending updated patch.

F.

On Mon, 23 Nov 2015 14:59:34 +0100
Filip Škola  wrote:


Found a couple of issues (broke some dependencies).

NACK

F.

On Fri, 20 Nov 2015 13:56:36 +0100
Filip Škola  wrote:


Another one.

F.



Hi, the tests look good. A few remarks, though.

1. Please, use the shortest copyright notice in new modules.

  #
  # Copyright (C) 2015  FreeIPA Contributors see COPYING for
license #

2. The tests `test_group_remove_group_from_protected_group` and
`test_group_full_set_of_objectclass_not_available_post_detach`
were not ported. Please, include them in the patch.

Also, for less hassle, please rebase your patches on top of
freeipa-mkubik-0025-3-Separated-Tracker-implementations-into-standalone-pa.patch
which changes the location of tracker implementations and prevents
circular imports.

Thanks.




Hi,

these cases are there, in corresponding classes. They are marked with
the original comments. (However I can move them to a separate class if
desirable.)

The copyright notice is changed. Also included a few changes in the
test with user without private group.

Filip

NACK

linter:
* Module tracker.group_plugin
ipatests/test_xmlrpc/tracker/group_plugin.py:257: 
[E0102(function-redefined), GroupTracker.check_remove_member] method 
already defined line 253)


Probably a leftover after the rebase made on top of my patch. Please fix 
it. You can check your changes with the make-lint script before sending them.


Thanks

--
Milan Kubik


Re: [Freeipa-devel] [PATCH 0369] Force creation of service during replica install

2015-12-07 Thread Martin Babinsky

On 12/06/2015 09:45 PM, Martin Basti wrote:

Replica install should not fail due to a missing A record, if there are
proper entries in hosts.

Patch attached.



ACK.

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0392] tests: Fix incorrect uninstall method invocation

2015-12-07 Thread Tomas Babej
On 12/07/2015 10:58 AM, Tomas Babej wrote:
> Hi,
> 
> this fixes: https://fedorahosted.org/freeipa/ticket/5516
> 
> Tomas
> 

Pushed under oneliner rule:
master: 5cb003f0b4b85dce47499f594c410b34b5c961e2
ipa-4-2: e5189ef6e23e4691f6c74541da5bc1a0b0f2e73f



[Freeipa-devel] [PATCH 0112] CI tests: ignore disconnected domain level 1 topology on IPA master teardown

2015-12-07 Thread Martin Babinsky
This patch should fix teardown methods in replication-related CI tests 
run at non-zero domain level.


--
Martin^3 Babinsky
From 52919ed0237c4bf6fe5580a9d99af79661a9bf53 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 4 Dec 2015 18:24:31 +0100
Subject: [PATCH] CI tests: ignore disconnected domain level 1 topology on IPA
 master teardown

---
 ipatests/test_integration/tasks.py | 19 +--
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index e75fe505f5ad9b5ffe680f7e37dec6873616ca05..071a2952e9927fab9347aa855aa8f124227d2de1 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -30,6 +30,7 @@ import dns
 from ldif import LDIFWriter
 from six import StringIO
 
+from env_config import get_global_config
 from ipapython import ipautil
 from ipaplatform.paths import paths
 from ipapython.dn import DN
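Review bot: the new `from env_config import get_global_config` is a bare module import while the file's existing imports use the package path (`from ipatests.test_integration.env_config import env_to_script`, a few lines below); the bare form only resolves when the test directory itself is on sys.path. Use `from ipatests.test_integration.env_config import env_to_script, get_global_config` and merge it into that existing line.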
@@ -38,12 +39,13 @@ from ipatests.test_integration import util
 from ipatests.test_integration.env_config import env_to_script
 from ipatests.test_integration.host import Host
 from ipalib.util import get_reverse_zone_default
-from ipalib.constants import DOMAIN_SUFFIX_NAME
+from ipalib.constants import  DOMAIN_LEVEL_0, DOMAIN_SUFFIX_NAME
 
 log = log_mgr.get_logger(__name__)
 
 IPATEST_NM_CONFIG = '20-ipatest-unmanaged-resolv.conf'
 
+CONFIGURED_DOMAIN_LEVEL = get_global_config().domain_level
 
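Review bot: `CONFIGURED_DOMAIN_LEVEL` is assigned here but never read anywhere in this patch (the `uninstall_master` hunk below calls `domainlevel(host)` instead), so the module-level `get_global_config()` call at import time only adds a way for the whole tasks module to fail to import; drop it. Two style points in the same hunk: the double space in `from ipalib.constants import  DOMAIN_LEVEL_0, DOMAIN_SUFFIX_NAME`, and only one blank line is left between the new constant and `def check_arguments_are`, which PEP 8 checks (E302) will flag.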
 def check_arguments_are(slice, instanceof):
 """
@@ -342,7 +344,7 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
 '--setup-dns',
 '--forwarder', replica.config.dns_forwarder
 ])
-if domainlevel(master) == 0:
+if domainlevel(master) == DOMAIN_LEVEL_0:
 apply_common_fixes(replica)
 # prepare the replica file on master and put it to replica, AKA "old way"
 replica_prepare(master, replica)
@@ -364,7 +366,7 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
 "-p", replica.config.dirman_password,
 "-U",
 ]
-if domainlevel(master) == 0:
+if domainlevel(master) == DOMAIN_LEVEL_0:
 args.append(replica_filename)
 replica.run_command(args)
 
@@ -614,11 +616,16 @@ def kinit_admin(host):
  stdin_text=host.config.admin_password)
 
 
-def uninstall_master(host):
+def uninstall_master(host, ignore_topology_disconnect=True):
 host.collect_log(paths.IPASERVER_UNINSTALL_LOG)
+uninstall_cmd = ['ipa-server-install', '--uninstall', '-U']
 
-host.run_command(['ipa-server-install', '--uninstall', '-U'],
- raiseonerr=False)
+host_domain_level = domainlevel(host)
+
+if ignore_topology_disconnect and host_domain_level != DOMAIN_LEVEL_0:
+uninstall_cmd.append('--ignore-topology-disconnect')
+
+host.run_command(uninstall_cmd, raiseonerr=False)
 host.run_command(['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'],
  raiseonerr=False)
 host.run_command(['rm', '-rf',
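Review bot: `domainlevel(host)` is now called unconditionally before the uninstall, but this function is used in test teardown, where the server may already be half-removed or unreachable; the old code deliberately ran the uninstall with `raiseonerr=False` so teardown never aborts, and an exception from `domainlevel(host)` would now abort it before `ipa-server-install --uninstall` runs at all. Guard the lookup, for example catch the failure and fall back to appending `--ignore-topology-disconnect` (the safer choice for a teardown), so the function stays non-fatal.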
-- 
2.5.0


[Freeipa-devel] [PATCH 0392] tests: Fix incorrect uninstall method invocation

2015-12-07 Thread Tomas Babej
Hi,

this fixes: https://fedorahosted.org/freeipa/ticket/5516

Tomas
From efd1304be61c792c23c8e8560db6508c63fdd5e6 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Sat, 5 Dec 2015 16:54:04 +0100
Subject: [PATCH] tests: Fix incorrect uninstall method invocation

https://fedorahosted.org/freeipa/ticket/5516
---
 ipatests/test_integration/test_caless.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 9cfba3ee29114badf5a703ccc1d47a1d3e0c41b7..4dda79bf9baac65aeab97ed1a4ac2786bf3102a2 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -118,7 +118,7 @@ class CALessBase(IntegrationTest):
 '-n', 'External CA cert'],
raiseonerr=False)
 
-super(CALessBase, cls).uninstall()
+super(CALessBase, cls).uninstall(mh)
 
 @classmethod
 def install_server(cls, host=None,
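Review bot: passing `mh` through in `super(CALessBase, cls).uninstall(mh)` matches the parent classmethod's signature, but the enclosing method's own parameter list is outside this hunk's context; please confirm the method is declared as `def uninstall(cls, mh)` in this file so `mh` is in scope, otherwise the change trades a TypeError for a NameError.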
-- 
2.5.0


Re: [Freeipa-devel] [PATCH 0392] tests: Fix incorrect uninstall method invocation

2015-12-07 Thread Oleg Fayans
Hi Tomaš,

Could you please review my patch regarding caless tests. It's been on the
list for ages. It contains this particular change together with a lot
more of them.

On 12/07/2015 10:59 AM, Tomas Babej wrote:
> On 12/07/2015 10:58 AM, Tomas Babej wrote:
>> Hi,
>>
>> this fixes: https://fedorahosted.org/freeipa/ticket/5516
>>
>> Tomas
>>
> 
> Pushed under oneliner rule:
> master: 5cb003f0b4b85dce47499f594c410b34b5c961e2
> ipa-4-2: e5189ef6e23e4691f6c74541da5bc1a0b0f2e73f
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



[Freeipa-devel] You cannot specify '--admin-password' option(s) with replica file

2015-12-07 Thread Oleg Fayans
This is the error message that I received when attempting to install a
replica with the following command:

ipa-replica-install --setup-ca -p  -w 
/var/lib/ipa/replica-info-replica2.justfor.test.gpg

However, if I remove the '-w ', then I get prompted for the admin
password interactively. The domain level is 0. The
packages were built last Friday from upstream code.

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCH 0112] CI tests: ignore disconnected domain level 1 topology on IPA master teardown

2015-12-07 Thread Oleg Fayans
Hi Martin,

CONFIGURED_DOMAIN_LEVEL is declared, but not used. The rest looks fine to me

On 12/07/2015 11:05 AM, Martin Babinsky wrote:
> This patch should fix teardown methods in replication-related CI tests
> run at non-zero domain level.
> 
> 
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCH 0004] Refactor test_attr

2015-12-07 Thread Filip Škola
Now the tier marker got lost somewhere on the way... which is
corrected in this patch.

/me apologizes for the noise

F.

On Mon, 7 Dec 2015 13:00:41 +0100
Filip Škola  wrote:

> Self-NACK, resubmitting with the last commit which includes
> UserTracker from the right location...
> 
> F.
> 
> On Fri, 4 Dec 2015 16:24:16 +0100
> Filip Škola  wrote:
> 
> > Hi,
> > 
> > sending a new version of test_attr.
> > 
> > F.

From 13af34b6f8fa4d419673578cfd55c9f87fd651fc Mon Sep 17 00:00:00 2001
From: Filip Skola 
Date: Fri, 27 Nov 2015 15:41:47 +0100
Subject: [PATCH] Refactor test_attr

---
 ipatests/test_xmlrpc/test_attr.py | 667 --
 1 file changed, 280 insertions(+), 387 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_attr.py b/ipatests/test_xmlrpc/test_attr.py
index 9248ce0448cfd08fcfe194d402c6819a283c2c07..83a51b56b82731d55c5fbdfa2b4f3a1097ebc340 100644
--- a/ipatests/test_xmlrpc/test_attr.py
+++ b/ipatests/test_xmlrpc/test_attr.py
@@ -1,5 +1,6 @@
 # Authors:
 #   Rob Crittenden 
+#   Filip Skola 
 #
 # Copyright (C) 2010  Red Hat
 # see file 'COPYING' for use and warranty information
@@ -22,397 +23,289 @@ Test --setattr and --addattr and other attribute-specific issues
 """
 
 from ipalib import errors
-from ipatests.test_xmlrpc.xmlrpc_test import Declarative
-from ipatests.test_xmlrpc.test_user_plugin import get_user_result
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, raises_exact
+from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker
 import pytest
 
-user1=u'tuser1'
+
+@pytest.fixture(scope='class')
+def user(request):
+tracker = UserTracker(name=u'user1', givenname=u'Test', sn=u'User1')
+return tracker.make_fixture(request)
+
+
+@pytest.mark.tier1
+class TestAttrOnUser(XMLRPC_test):
+def test_add_user_with_singlevalue_addattr(self):
+""" Try to add a user with single-value attribute
+set via option and --addattr """
+user = UserTracker(name=u'user', givenname=u'Test', sn=u'User1',
+   addattr=u'sn=User2')
+command = user.make_create_command()
+with raises_exact(errors.OnlyOneValueAllowed(attr='sn')):
+command()
+
+def test_create_user(self, user):
+""" Create a test user """
+user.ensure_exists()
+
+def test_change_givenname_add_mail_user(self, user):
+""" Change givenname, add mail to user """
+user.ensure_exists()
+user.update(
+dict(setattr=(u'givenname=Finkle', u'mail=t...@example.com')),
+dict(givenname=[u'Finkle'], mail=[u't...@example.com'], setattr='')
+)
+
+def test_add_another_mail_user(self, user):
+""" Add another mail to user """
+user.ensure_exists()
+update = u'te...@example.com'
+user.attrs['mail'].append(update)
+user.update(dict(addattr='mail='+update),
+dict(addattr=''))
+
+def test_add_two_phone_numbers_at_once_user(self, user):
+""" Add two phone numbers at once to user """
+user.ensure_exists()
+update1 = u'410-555-1212'
+update2 = u'301-555-1212'
+user.update(
+dict(setattr=u'telephoneNumber='+update1,
+ addattr=u'telephoneNumber='+update2),
+dict(addattr='', setattr='',
+ telephonenumber=[update1, update2]))
+
+def test_go_from_two_phone_numbers_to_one(self, user):
+""" Go from two phone numbers to one for user """
+update = u'301-555-1212'
+user.ensure_exists()
+user.update(dict(setattr=u'telephoneNumber='+update),
+dict(setattr='', telephonenumber=[update]))
+
+def test_add_two_more_phone_numbers(self, user):
+""" Add two more phone numbers to user """
+user.ensure_exists()
+update1 = u'703-555-1212'
+update2 = u'202-888-9833'
+user.attrs['telephonenumber'].extend([update1, update2])
+user.update(dict(addattr=(u'telephoneNumber='+update1,
+  u'telephoneNumber='+update2)),
+dict(addattr=''))
+
+def test_delete_one_phone_number(self, user):
+""" Delete one phone number for user """
+user.ensure_exists()
+update = u'301-555-1212'
+user.attrs['telephonenumber'].remove(update)
+user.update(dict(delattr=u'telephoneNumber='+update), dict(delattr=''))
+
+def test_delete_the_number_again(self, user):
+""" Try deleting the number again for user """
+user.ensure_exists()
+update = u'301-555-1212'
+command = user.make_update_command(
+dict(delattr=u'telephoneNumber='+update))
+with raises_exact(errors.AttrValueNotFound(
+attr=u'telephonenumber', value=update)):
+command()
+
+def 
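Review bot: the new tests keep the tracker's expected state in two different ways: `test_add_another_mail_user`, `test_add_two_more_phone_numbers` and `test_delete_one_phone_number` mutate `user.attrs[...]` directly before calling `user.update(...)`, while `test_add_two_phone_numbers_at_once_user` and `test_go_from_two_phone_numbers_to_one` pass the expected `telephonenumber` list in the second argument of `update()`; pick one style so a reader can tell at a glance where the expected state comes from. Also, because the `user` fixture is class scoped and the phone-number tests build on each other's state, the tests are order dependent; a comment on `TestAttrOnUser` should say so, since `ensure_exists()` alone does not restore the attribute values an earlier test left behind.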

Re: [Freeipa-devel] [PATCH 0372] CI: installation tests

2015-12-07 Thread Oleg Fayans
Hi Martin,

I would prefer both the install_kra and install_ca methods to have the
raiseonerr parameter set to True by default. We need a way to test
negatives and analyze results.
Mine looks like this:

def install_kra(host, domain_level=None,
                first_instance=False, raiseonerr=True):
    # DOMAIN_LEVEL_0 is 0, so test for None rather than falsiness;
    # otherwise an explicit domain_level=0 would be silently overridden.
    if domain_level is None:
        domain_level = host.config.domain_level
    command = ["ipa-kra-install", "-U", "-p",
               host.config.dirman_password]
    if domain_level == DOMAIN_LEVEL_0 and not first_instance:
        replica_file = get_replica_filename(host)
        command.append(replica_file)
    return host.run_command(command, raiseonerr=raiseonerr)

The rest looks good to me, but I did not run the tests yet.


On 12/06/2015 10:22 PM, Martin Basti wrote:
> My favorite today \o/ --> 67 <-- \o/ test cases, no more manual testing
> of installers \o/.
> 
> Test suite contains: 6 combinations of how to install components on replica
> X 4 combinations of server installation + 3 extra server tests
> 
> To save time tests install 1 master and 3 replicas per test class
> (except extra server tests):
> Class name specifies what is installed on master.
> 
> Remember, option "-k" is your friend
> $ ipa-run-tests -k ''
> otherwise you will need a lot of time until tests finish.
> 
> To list all tests:
> $ ipa-run-tests test_integration/test_installation.py --collect-only
> 
> 
> Patch attached, it needs to have attached all patches I sent today and
> also attached workaround patch (Martin3 will provide proper fix)
> 
> I haven't had time/mood/resources to test this patch with domain level
> 0, so testing this patch with domain level 0 is appreciated.
> 
> 
> Oleg, I added some methods to tasks.py which you may want to reuse.
> 
> Martin^2
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCH 0004] Refactor test_attr

2015-12-07 Thread Filip Škola
Self-NACK, resubmitting with the last commit which includes UserTracker
from the right location...

F.

On Fri, 4 Dec 2015 16:24:16 +0100
Filip Škola  wrote:

> Hi,
> 
> sending a new version of test_attr.
> 
> F.

From 786b0004f3793bb557b8c9b2b7e034784969da8e Mon Sep 17 00:00:00 2001
From: Filip Skola 
Date: Fri, 27 Nov 2015 15:41:47 +0100
Subject: [PATCH] Refactor test_attr

---
 ipatests/test_xmlrpc/test_attr.py | 671 --
 1 file changed, 281 insertions(+), 390 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_attr.py b/ipatests/test_xmlrpc/test_attr.py
index 9248ce0448cfd08fcfe194d402c6819a283c2c07..cb5c47910794852dcd7202ca73b0e9b9b5961573 100644
--- a/ipatests/test_xmlrpc/test_attr.py
+++ b/ipatests/test_xmlrpc/test_attr.py
@@ -1,5 +1,6 @@
 # Authors:
 #   Rob Crittenden 
+#   Filip Skola 
 #
 # Copyright (C) 2010  Red Hat
 # see file 'COPYING' for use and warranty information
@@ -22,397 +23,287 @@ Test --setattr and --addattr and other attribute-specific issues
 """
 
 from ipalib import errors
-from ipatests.test_xmlrpc.xmlrpc_test import Declarative
-from ipatests.test_xmlrpc.test_user_plugin import get_user_result
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, raises_exact
+from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker
 import pytest
 
-user1=u'tuser1'
-
-
-@pytest.mark.tier1
-class test_attr(Declarative):
-
-cleanup_commands = [
-('user_del', [user1], {}),
-]
-
-tests = [
-
-dict(
-desc='Try to add user %r with single-value attribute set via '
- 'option and --addattr' % user1,
-command=(
-'user_add', [user1], dict(givenname=u'Test', sn=u'User1',
-addattr=u'sn=User2')
-),
-expected=errors.OnlyOneValueAllowed(attr='sn'),
-),
-
-dict(
-desc='Create %r' % user1,
-command=(
-'user_add', [user1], dict(givenname=u'Test', sn=u'User1',
-setattr=None)
-),
-expected=dict(
-value=user1,
-summary=u'Added user "tuser1"',
-result=get_user_result(user1, u'Test', u'User1', 'add'),
-),
-),
-
-
-dict(
-desc='Change givenname, add mail %r' % user1,
-command=(
-'user_mod', [user1], dict(setattr=(u'givenname=Finkle', u'mail=t...@example.com'))
-),
-expected=dict(
-result=get_user_result(
-user1, u'Finkle', u'User1', 'mod',
-mail=[u't...@example.com'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-),
-),
-
-
-dict(
-desc='Add another mail %r' % user1,
-command=(
-'user_mod', [user1], dict(addattr=u'mail=te...@example.com')
-),
-expected=dict(
-result=get_user_result(
-user1, u'Finkle', u'User1', 'mod',
-mail=[u't...@example.com', u'te...@example.com'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-),
-),
-
-
-dict(
-desc='Add two phone numbers at once %r' % user1,
-command=(
-'user_mod', [user1], dict(setattr=u'telephoneNumber=410-555-1212', addattr=u'telephoneNumber=301-555-1212')
-),
-expected=dict(
-result=get_user_result(
-user1, u'Finkle', u'User1', 'mod',
-mail=[u't...@example.com', u'te...@example.com'],
-telephonenumber=[u'410-555-1212', u'301-555-1212'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-),
-),
-
-
-dict(
-desc='Go from two phone numbers to one %r' % user1,
-command=(
-'user_mod', [user1], dict(setattr=u'telephoneNumber=301-555-1212')
-),
-expected=dict(
-result=get_user_result(
-user1, u'Finkle', u'User1', 'mod',
-mail=[u't...@example.com', u'te...@example.com'],
-telephonenumber=[u'301-555-1212'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-),
-),
-
-
-dict(
-desc='Add two more phone numbers %r' % user1,
-command=(
-'user_mod', [user1], dict(addattr=(u'telephoneNumber=703-555-1212', u'telephoneNumber=202-888-9833'))
-),
-expected=dict(
-result=get_user_result(
-user1, u'Finkle', u'User1', 'mod',
-  

[Freeipa-devel] [PATCH] bz 1288863 Fix minor typos

2015-12-07 Thread Petr Vobornik
attached patch was attached to 
https://bugzilla.redhat.com/show_bug.cgi?id=1288863


ACK

Pushed to master: 2180d5db8a8e99007c39466c19759a4b1bf098fa
--
Petr Vobornik
From 782d40bd434a57b88a72c53debf090f155b05fb9 Mon Sep 17 00:00:00 2001
From: Yuri Chornoivan 
Date: Sun, 6 Dec 2015 19:33:08 +0200
Subject: [PATCH] Fix minor typos

---
 ipalib/plugins/idviews.py  | 2 +-
 ipalib/plugins/realmdomains.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index aeaf9d1..6f8bdc7 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -468,7 +468,7 @@ def verify_trusted_domain_object_type(validator, desired_type, name_or_sid):
 raise errors.ConversionError(
 name='identifier',
 error=_('You are trying to reference a magic private group '
-'which is not allowed to be overriden. '
+'which is not allowed to be overridden. '
 'Try overriding the GID attribute of the '
 'corresponding user instead.')
 )
diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index 46f3988..d304efc 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
@@ -193,7 +193,7 @@ class realmdomains_mod(LDAPUpdate):
 raise errors.ValidationError(
 name='domain',
 error=_(
-'The realm of the folllowing domains could '
+'The realm of the following domains could '
 'not be detected: %(domains)s. If these are '
 'domains that belong to the this realm, please '
 'create a _kerberos TXT record containing "%(realm)s" '
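Review bot: the context line right below the fix still reads `'domains that belong to the this realm, please '` (doubled "the"); since this patch is a typo sweep of user-facing messages, fix that one in the same hunk rather than leaving it for another round.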
-- 
2.3.10


Re: [Freeipa-devel] [PATCH 0112] CI tests: ignore disconnected domain level 1 topology on IPA master teardown

2015-12-07 Thread Martin Babinsky

On 12/07/2015 12:07 PM, Oleg Fayans wrote:

Hi Martin,

CONFIGURED_DOMAIN_LEVEL is declared, but not used. The rest looks fine to me

On 12/07/2015 11:05 AM, Martin Babinsky wrote:

This patch should fix teardown methods in replication-related CI tests
run at non-zero domain level.






Ah that was a leftover from previous implementation. Here's updated patch.

--
Martin^3 Babinsky
From b6cfb98e29789da2c6e3fefd2cd7f86155a17f11 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 4 Dec 2015 18:24:31 +0100
Subject: [PATCH] CI tests: ignore disconnected domain level 1 topology on IPA
 master teardown

---
 ipatests/test_integration/tasks.py | 17 +++--
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index e75fe505f5ad9b5ffe680f7e37dec6873616ca05..69a608b6df92bc563a9ec5a97fcb7832e376a3f3 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -38,7 +38,7 @@ from ipatests.test_integration import util
 from ipatests.test_integration.env_config import env_to_script
 from ipatests.test_integration.host import Host
 from ipalib.util import get_reverse_zone_default
-from ipalib.constants import DOMAIN_SUFFIX_NAME
+from ipalib.constants import  DOMAIN_LEVEL_0, DOMAIN_SUFFIX_NAME
 
 log = log_mgr.get_logger(__name__)
 
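Review bot: double space in `from ipalib.constants import  DOMAIN_LEVEL_0, DOMAIN_SUFFIX_NAME`; pylint/PEP 8 checks will flag it, so make it a single space before pushing.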
@@ -342,7 +342,7 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
 '--setup-dns',
 '--forwarder', replica.config.dns_forwarder
 ])
-if domainlevel(master) == 0:
+if domainlevel(master) == DOMAIN_LEVEL_0:
 apply_common_fixes(replica)
 # prepare the replica file on master and put it to replica, AKA "old way"
 replica_prepare(master, replica)
@@ -364,7 +364,7 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
 "-p", replica.config.dirman_password,
 "-U",
 ]
-if domainlevel(master) == 0:
+if domainlevel(master) == DOMAIN_LEVEL_0:
 args.append(replica_filename)
 replica.run_command(args)
 
@@ -614,11 +614,16 @@ def kinit_admin(host):
  stdin_text=host.config.admin_password)
 
 
-def uninstall_master(host):
+def uninstall_master(host, ignore_topology_disconnect=True):
 host.collect_log(paths.IPASERVER_UNINSTALL_LOG)
+uninstall_cmd = ['ipa-server-install', '--uninstall', '-U']
 
-host.run_command(['ipa-server-install', '--uninstall', '-U'],
- raiseonerr=False)
+host_domain_level = domainlevel(host)
+
+if ignore_topology_disconnect and host_domain_level != DOMAIN_LEVEL_0:
+uninstall_cmd.append('--ignore-topology-disconnect')
+
+host.run_command(uninstall_cmd, raiseonerr=False)
 host.run_command(['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'],
  raiseonerr=False)
 host.run_command(['rm', '-rf',
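Review bot: `ignore_topology_disconnect` defaults to `True`, so every existing caller of `uninstall_master` now passes `--ignore-topology-disconnect` on domain level 1 and the topology-disconnect safety check is bypassed for all teardowns, not only the replication tests this patch targets; if that is the intended contract for CI teardown, say so in a docstring on `uninstall_master`, otherwise default to `False` and opt in from the teardowns that need it. The unconditional `domainlevel(host)` call before the uninstall also has to stay non-fatal, given that the rest of the function deliberately runs with `raiseonerr=False`.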
-- 
2.5.0


Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2015-12-07 Thread Martin Kosek
On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> The attached patch fixes
> https://fedorahosted.org/freeipa/ticket/4970.
> 
> Note that the problem is addressed by adding the appropriate request
> extension to the CSR; the fix does not involve changing the default
> profile behaviour, which is complicated (see ticket for details).

Thanks for the patch! This is something we should really fix, I already get
warnings in my Python scripts when I hit sites protected by such an HTTPS cert:

/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no
`subjectAltName`, falling back to check for a `commonName` for now. This
feature is being removed by major browsers and deprecated by RFC 2818. (See
https://github.com/shazow/urllib3/issues/497 for details.)

Should we split ticket 4970, for the FreeIPA server part and then for cert
profile part? As it looks like the FreeIPA server will be fixed even in FreeIPA
4.3.x and the other part later.

How difficult do you see the general FreeIPA Certificate Profile part of this
request? Is it a too big task to handle in 4.4 time frame?



Re: [Freeipa-devel] [PATCH 0392] tests: Fix incorrect uninstall method invocation

2015-12-07 Thread Lukas Slebodnik
On (07/12/15 11:12), Oleg Fayans wrote:
>Hi Tomaš,
>
>Could you please review my patch regarding caless tests. It's been on the
>list for ages. It contains this particular change together with a lot
>more of them.
>
We are used to sending "bump" mails on sssd-devel.

It's better than sending mail to another thread.
Personally, I do not have a problem to send "bump" mail even every day :-)

LS


[Freeipa-devel] [PATCH 0070] install: Run all validators at once.

2015-12-07 Thread David Kupka
Running validators after all Knobs are set allows the use of other Knob 
values during validation.

--
David Kupka
From b9a8ae178e770a4b84fc8d05d04218531642d3eb Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Mon, 7 Dec 2015 13:35:49 +0100
Subject: [PATCH] install: Run all validators at once.

---
 ipapython/install/core.py | 33 +
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/ipapython/install/core.py b/ipapython/install/core.py
index 8e3ba58021adba263eb038c5cb70603e4e8c9352..62c1fb61797863da49402d3f86d14e3c6389d932 100644
--- a/ipapython/install/core.py
+++ b/ipapython/install/core.py
@@ -118,16 +118,6 @@ class KnobBase(PropertyBase):
 def __init__(self, outer):
 self.outer = outer
 
-def __set__(self, obj, value):
-try:
-self.validate(value)
-except KnobValueError:
-raise
-except ValueError as e:
-raise KnobValueError(self.__outer_name__, str(e))
-
-super(KnobBase, self).__set__(obj, value)
-
 def validate(self, value):
 pass
 
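Review bot: with KnobBase.__set__ gone, a knob assigned after Configurable.__init__ has finished (any later setattr on the object) is never validated, because validation now exists only in the constructor loop; either keep a __set__ that converts ValueError into KnobValueError for late assignments, or state in the KnobBase docstring that knobs are validated only at construction time.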
@@ -253,8 +243,27 @@ class Configurable(six.with_metaclass(abc.ABCMeta, object)):
 except KeyError:
 pass
 else:
-prop = prop_cls(self)
-prop.__set__(self, value)
+setattr(self, name, value)
+
+for owner_cls, name in cls.knobs():
+if name.startswith('_'):
+continue
+if not isinstance(self, owner_cls):
+continue
+if name not in self.__dict__:
+continue
+try:
+value = getattr(self, name)
+except AttributeError:
+continue
+prop_cls = getattr(owner_cls, name)
+prop = prop_cls(self)
+try:
+prop.validate(value)
+except KnobValueError:
+raise
+except ValueError as e:
+raise KnobValueError(name, str(e))
 
 if kwargs:
 extra = sorted(kwargs)
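Review bot: `if name not in self.__dict__: continue` skips every knob that was not passed in kwargs, so default values are never validated and a validator that reads another knob's default sees an unvalidated value; if defaults are trusted by design, say so in a comment. The loop also stops at the first failing knob (`raise KnobValueError(name, str(e))`), so despite the subject only one error is reported per run; collecting the failures and raising once would report them all. Minor: `except AttributeError: continue` silently hides a broken property getter.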
-- 
2.5.0

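The point of the patch above, that a validator may only read another knob once every knob has been assigned, in a small stand-alone form. This is an added example of the deferred-validation pattern, not the ipapython.install.core code; the knob names (domain_level, replica_file, setup_ca) and the rule tying the replica file to the domain level are assumptions made up for the illustration, and unlike the patch it collects every failure before raising.

```python
"""Set every knob first, then run all validators. Added example of the
deferred-validation pattern; not FreeIPA's ipapython.install.core."""


class KnobValueError(ValueError):
    """Carries every failed (knob_name, message) pair from one run."""

    def __init__(self, failures):
        self.failures = list(failures)
        super().__init__("; ".join(f"{n}: {m}" for n, m in self.failures))


class Knob:
    """Descriptor with a default and an optional validator.

    The validator receives the owning object so it may read other knobs;
    that is only safe once every knob has been assigned, which is why
    __set__ stores the value without validating it.
    """

    def __init__(self, default=None, validator=None):
        self.default = default
        self.validator = validator

    def __set_name__(self, owner, name):
        self.name = name

    def __get__(self, obj, objtype=None):
        if obj is None:
            return self
        return obj.__dict__.get(self.name, self.default)

    def __set__(self, obj, value):
        obj.__dict__[self.name] = value  # no validation here: order must not matter

    def validate(self, obj):
        if self.validator is not None:
            self.validator(obj, self.__get__(obj))


class Configurable:
    @classmethod
    def knobs(cls):
        # Base classes first, so a subclass may override an inherited knob.
        found = {}
        for klass in reversed(cls.__mro__):
            for name, attr in vars(klass).items():
                if isinstance(attr, Knob):
                    found[name] = attr
        return found

    def __init__(self, **kwargs):
        known = self.knobs()
        unknown = sorted(set(kwargs) - set(known))
        if unknown:
            raise TypeError("unknown knobs: " + ", ".join(unknown))
        for name, value in kwargs.items():
            setattr(self, name, value)
        # Everything is populated now: run every validator, defaults included,
        # and report all failures together instead of stopping at the first.
        failures = []
        for name, knob in known.items():
            try:
                knob.validate(self)
            except ValueError as e:
                failures.append((name, str(e)))
        if failures:
            raise KnobValueError(failures)


def _check_domain_level(obj, value):
    if value not in (0, 1):
        raise ValueError(f"unsupported domain level {value!r}")


def _check_replica_file(obj, value):
    # Cross-knob rule (assumed for this example): a replica file is needed at
    # domain level 0 and must not be given at domain level 1.
    if value is not None and not isinstance(value, str):
        raise ValueError("replica file must be a path")
    if obj.domain_level == 0 and value is None:
        raise ValueError("replica file is required at domain level 0")
    if obj.domain_level == 1 and value is not None:
        raise ValueError("replica file is not used at domain level 1")


class ReplicaInstall(Configurable):
    domain_level = Knob(default=1, validator=_check_domain_level)
    replica_file = Knob(default=None, validator=_check_replica_file)
    setup_ca = Knob(default=False)


def failing_knobs(**kwargs):
    """Names of the knobs that fail for these arguments ([] when all pass)."""
    try:
        ReplicaInstall(**kwargs)
    except KnobValueError as e:
        return [name for name, _ in e.failures]
    return []
```

Because __set__ never validates, `ReplicaInstall(replica_file=..., domain_level=0)` and `ReplicaInstall(domain_level=0, replica_file=...)` behave identically, which is exactly what breaks when validation runs at assignment time and the validator looks at a knob that has not been set yet.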

Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

2015-12-07 Thread David Kupka

On 09/09/15 13:39, Petr Spacek wrote:

On 8.9.2015 16:30, David Kupka wrote:

On 28/08/15 13:36, Martin Basti wrote:



On 08/28/2015 10:03 AM, Petr Spacek wrote:

On 27.8.2015 14:22, David Kupka wrote:

@@ -2101,11 +2101,25 @@ class DNSZoneBase(LDAPObject):
   class DNSZoneBase_add(LDAPCreate):
+takes_options = LDAPCreate.takes_options + (
+Flag('force',
+ label=_('Force'),
+ doc=_('Force DNS zone creation.')
+),
+Flag('skip_overlap_check',
+ doc=_('Force DNS zone creation even if it will overlap
with '
+   'existing zone.')
+),
+)
+
   has_output_params = LDAPCreate.has_output_params +
dnszone_output_params
   def pre_callback(self, ldap, dn, entry_attrs, attrs_list,
*keys, **options):
   assert isinstance(dn, DN)
+if options['force']:
+options['skip_overlap_check'] = True
+
   try:
   entry = ldap.get_entry(dn)
   except errors.NotFound:
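Review bot: `force` is kept but now only sets `skip_overlap_check` inside pre_callback, while its doc string still reads just 'Force DNS zone creation.'; since it stays for compatibility, the doc should say which checks it disables (in dnszone_add it also disables the nameserver check) and mark it deprecated. Also `skip_overlap_check` has no `label`, unlike `force` right above it.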
@@ -2120,6 +2134,12 @@ class DNSZoneBase_add(LDAPCreate):
   entry_attrs['idnszoneactive'] = 'TRUE'
+if not options['skip_overlap_check']:
+try:
+check_zone_overlap(keys[-1])
+except RuntimeError as e:
+raise errors.InvocationError(e.message)
+
   return dn
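Review bot: `errors.InvocationError(e.message)` relies on `BaseException.message`, which exists only on Python 2 and is gone on Python 3 (the tree already uses six for the port); use `str(e)` / `unicode(e)` instead so the overlap message survives the port.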
@@ -2673,9 +2693,9 @@ class dnszone_add(DNSZoneBase_add):
   __doc__ = _('Create new DNS zone (SOA record).')
   takes_options = DNSZoneBase_add.takes_options + (
-Flag('force',
- label=_('Force'),
- doc=_('Force DNS zone creation even if nameserver is
not resolvable.'),
+Flag('skip_nameserver_check',
+ doc=_('Force DNS zone creation even if nameserver is not '
+   'resolvable.')
   ),
   # Deprecated
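Review bot: the new `skip_nameserver_check` flag lacks a `label`, while the `force` flag it replaces had `label=_('Force')`; add one for consistency with the rest of the dnszone_add options.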
@@ -2699,6 +2719,9 @@ class dnszone_add(DNSZoneBase_add):
   def pre_callback(self, ldap, dn, entry_attrs, attrs_list,
*keys, **options):
   assert isinstance(dn, DN)
+if options['force']:
+options['skip_nameserver_check'] = True

Why is it in DNSZoneBase_add.pre_callback?

Shouldn't the equation force = (skip_nameserver_check +
skip_nameserver_check)
be handled in parameter parsing & validation? (Again, I do not know
the IPA
framework :-))


+
   dn = super(dnszone_add, self).pre_callback(
   ldap, dn, entry_attrs, attrs_list, *keys, **options)
@@ -2713,7 +2736,7 @@ class dnszone_add(DNSZoneBase_add):
   error=_("Nameserver for reverse zone cannot be
a relative DNS name"))
   # verify if user specified server is resolvable
-if not options['force']:
+if not options['skip_nameserver_check']:
   check_ns_rec_resolvable(keys[0],
entry_attrs['idnssoamname'])
   # show warning about --name-server option
   context.show_warning_nameserver_option = True
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index
d959bb369d946217acd080e78483cc9013dda4c7..18f477d4fb6620090b7073689c8df51b65a8307a

100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -924,6 +924,20 @@ def host_exists(host):
   else:
   return True
+def check_zone_overlap(zone):
+if resolver.zone_for_name(zone) == zone:
+try:
+ns = [ans.to_text() for ans in resolver.query(zone, 'NS')]
+except DNSException as e:
+root_logger.debug("Failed to resolve nameserver(s) for
domain"
+" {0}: {1}".format(zone, e))
+ns = []
+
+msg = u"DNS zone {0} already exists".format(zone)

Nitpick: I would say "already exists in DNS" to make it absolutely
clear. Just
'already exists' might be confusing because ipa dnszone-show will say
that the
zone does not exist ...


+if ns:
+msg += u" and is handled by server(s): {0}".format(',
'.join(ns))
+raise RuntimeError(msg)
+
   def get_ipa_basedn(conn):
   """
   Get base DN of IPA suffix in given LDAP server.
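Review bot: `resolver.zone_for_name(zone)` sits outside the try block, so a resolution failure (no root SOA reachable, timeout, NoNameservers) raises a dnspython DNSException that neither this function nor the caller's `except RuntimeError` handles, and `dnszone-add` ends with a traceback instead of a message; only the NS query is guarded. Wrap the zone_for_name call too and decide explicitly whether "could not check for overlap" is an error or a warning.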

0064
NACK

ipa-replica-install should have the --skip-overlap-check too, because
any replica can be the first DNS server.


Thanks for the catch, added.



0064+0058
Can be the options --allow-zone-overlap and --skip-overlap-check merged
into an one name, to have just one name for same thing?



Each option has a slightly different behavior:
The '--skip-overlap-check' option in the API call prevents the check from being
performed, and thus no error or warning is raised. This is the way the '--force'
option was originally working.

The '--allow-zone-overlap' option in the installers does not skip the check but
changes the error to a warning instead and lets the installation continue.

If you think that this can confuse users, we need to change the names or even
the logic.

Updated patches attached.


Hello,

thank you very much for updating the patch.

Unfortunately it is not yet ready, but we are getting there.


* Serious problems:

a) 
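The overlap check and the two ways of relaxing it that David distinguishes earlier in this thread (an API flag that skips the check entirely versus an installer flag that downgrades the result to a warning), as an added example that is not FreeIPA's check_zone_overlap. It runs offline against a constructed answer table standing in for dnspython's resolver, and it also shows the failure mode a real resolver has: a lookup that fails is reported separately from a zone that exists, instead of escaping as an unhandled exception. The outcome strings and the FakeResolver are assumptions of this example.

```python
"""Zone-overlap check with an injectable resolver and the two relaxations
discussed above. Added example with a constructed fake resolver; dnspython
is not used and this is not FreeIPA's implementation."""
import logging
from typing import Dict, List, Optional, Tuple

log = logging.getLogger(__name__)


class DNSLookupError(Exception):
    """Stands in for dns.exception.DNSException: the lookup itself failed."""


class ZoneOverlapError(RuntimeError):
    """The zone already exists in DNS, possibly served by someone else."""


def _canon(name: str) -> str:
    return name.lower().rstrip(".") + "."


class FakeResolver:
    """Constructed answer table: zone apex -> NS names (None: NS query fails).

    zone_for_name walks up to the closest listed apex; the root "." must be
    in the table for the walk to succeed, so a table without it behaves
    like a host with no working DNS at all.
    """

    def __init__(self, zones: Dict[str, Optional[List[str]]]):
        self.zones = {_canon(z): ns for z, ns in zones.items()}

    def zone_for_name(self, name: str) -> str:
        labels = _canon(name).rstrip(".").split(".")
        for i in range(len(labels) + 1):
            candidate = ".".join(labels[i:]) + "." if labels[i:] else "."
            if candidate in self.zones:
                return candidate
        raise DNSLookupError(f"no SOA reachable above {name}")

    def query_ns(self, zone: str) -> List[str]:
        ns = self.zones.get(_canon(zone))
        if not ns:
            raise DNSLookupError(f"NS query for {zone} failed")
        return list(ns)


def check_zone_overlap(zone: str, resolver: FakeResolver) -> None:
    """Raise ZoneOverlapError if `zone` is already an apex in DNS."""
    zone = _canon(zone)
    try:
        apex = resolver.zone_for_name(zone)
    except DNSLookupError as e:
        # A failed lookup is not evidence of an overlap; report it as its own
        # error so the caller can decide, rather than leaking a traceback.
        raise DNSLookupError(f"cannot check whether {zone} exists: {e}") from e
    if apex != zone:
        return
    try:
        ns = resolver.query_ns(zone)
    except DNSLookupError as e:
        log.debug("Failed to resolve nameserver(s) for domain %s: %s", zone, e)
        ns = []
    msg = f"DNS zone {zone} already exists in DNS"
    if ns:
        msg += " and is handled by server(s): " + ", ".join(ns)
    raise ZoneOverlapError(msg)


def add_zone(zone: str, resolver: FakeResolver, skip_overlap_check: bool = False,
             allow_zone_overlap: bool = False) -> Tuple[str, Optional[str]]:
    """Apply the policy and return (outcome, message).

    skip_overlap_check  (API --skip-overlap-check): do not consult DNS at all.
    allow_zone_overlap  (installer --allow-zone-overlap): check, but turn an
                        overlap into a warning and carry on.
    Neither flag: an overlap refuses the zone. A failed lookup is reported
    as "unchecked" whenever the check is attempted.
    """
    if skip_overlap_check:
        return "created", None
    try:
        check_zone_overlap(zone, resolver)
    except ZoneOverlapError as e:
        if allow_zone_overlap:
            log.warning("%s", e)
            return "created", str(e)
        return "refused", str(e)
    except DNSLookupError as e:
        return "unchecked", str(e)
    return "created", None


# Constructed public view of DNS for the demonstration.
PUBLIC_DNS = FakeResolver({".": ["a.root-servers.net."],
                           "example.com": ["ns1.example.com.", "ns2.example.com."],
                           "lab.example.com": None})

if __name__ == "__main__":
    for z in ("sub.example.com", "example.com", "lab.example.com"):
        print(z, add_zone(z, PUBLIC_DNS, allow_zone_overlap=True))
```

The "unchecked" outcome is the case the flags above do not cover: with neither flag set, a server whose forwarders are unreachable cannot tell "the zone exists elsewhere" from "I could not ask", and those deserve different messages to the administrator.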

Re: [Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

2015-12-07 Thread Tomas Babej


On 12/04/2015 08:22 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 12/04/2015 07:17 PM, Tomas Babej wrote:
>>> Hi,
>>>
>>> Avoids failing in the later stages during the ipa-client-install
>>> command.
>>>
>>> Tomas
>>
>> Is this change needed? Wouldn't it be better to update
>> ipa-client-install or ipa-replica-install to not require the --domain
>> option? I would hope that --domain can be figured out during
>> installation and not passed to ipa-replica-install manually by the admin.
>>
>> I just think that calling
>> # ipa-replica-install --server=master.example.com
>> is better than
>> # ipa-replica-install --server=master.example.com --domain example.com
>> if possible.
> 
> IIRC this is for service discovery when using a specific server and not
> LDAP. This is the domain used to search for the kerberos realm, for
> example.
> 
> That isn't to say this isn't discoverable but it would require another
> function in discovery to query what the IPA domain is from the given
> master but it gets tricky if anonymous search is disabled, for example.
> 
> rob
> 

Needed or not, this is the behaviour that ipa-client-install has now.
Adding a domain detection method would be a RFE for ipa-client-install
(and imho not something we should be adding at this point).

This patch only focuses on making the ipa-replica-install work more
smoothly.

Tomas



Re: [Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

2015-12-07 Thread Martin Basti



On 07.12.2015 08:21, Jan Cholasta wrote:

On 2.12.2015 16:23, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Note that you still have to provide admin password in
ipa-replica-install, either using --admin-password or interactively,
because:

a) Admin password is required for replica promotion. This will be fixed
with .

Patches are on the list:
. 



Pushed.




b) Admin password is required for connection check. This will be fixed
with .


Martin Basti pointed out that admin password should not be asked 
interactively during OTP replica promotion. Fixed.


Updated and rebased patch attached.





1)
[root@vm-058-138 ~]# ipa-replica-install --server 
vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain 
abc.idm.lab.eng.brq.redhat.com --password=bubak  --setup-ca

Configuring client side components
Password for ad...@abc.idm.lab.eng.brq.redhat.com:

IMO password should be asked first, before any installation begins (IMO 
this is for conncheck)


2)
When the host is not in the ipaservers hostgroup. Also I would expect a different 
error message
ipa-replica-install --server vm-058-137.abc.idm.lab.eng.brq.redhat.com 
--domain abc.idm.lab.eng.brq.redhat.com --password=bubak  --setup-ca 
--skip-conncheck



step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 352, in 

step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", 
line 81, in run_generator_with_yield_from

six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", 
line 59, in run_generator_with_yield_from

value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", 
line 63, in _install

for nothing in self._installer(self.parent):
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
line 1507, in main

promote_check(self)
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
line 374, in decorated

func(installer)
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
line 1002, in promote_check

conn.connect(ccache=installer._ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, 
in connect

conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", 
line 199, in create_connection

principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 
184, in get_principal

raise errors.CCacheError(message=unicode(e))

2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed, 
exception: CCacheError: Major (851968): Unspecified GSS failure. Minor 
code may provide more information, Minor (2529639053): No Kerberos 
credentials available
2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure. 
Minor code may provide more information, Minor (2529639053): No Kerberos 
credentials available



3)
This case is not handled very well:
a) install client with OTP password
b) install replica with the same OTP password (when the host is not in the 
ipaservers group; if the host is in the ipaservers group it works)


ipa.ipapython.install.cli.install_tool(Replica): ERROR    Major 
(851968): Unspecified GSS failure.  Minor code may provide more 
information, Minor (2529639053): No Kerberos credentials available
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The 
ipa-replica-install command failed. See /var/log/ipareplica-install.log 
for more information


4)
This is not user friendly
I used wrong OTP password, can we somehow propagate the actual error 
from client install to stderr?


ipa.ipapython.install.cli.install_tool(Replica): ERROR Configuration of 
client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' 
'--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com' '--server' 
'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password' 'buba'' 
returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The 
ipa-replica-install command failed. See /var/log/ipareplica-install.log 
for more information



[Freeipa-devel] [PATCH 564] Implement pwd policy iteration in the kdb driver

2015-12-07 Thread Simo Sorce
Subject says it all.
Tested via kadmin.local list_policies
Ticket: 3015

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From f3f6e6d1e80aa2cce042022c102d156998576545 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 7 Dec 2015 14:09:35 -0500
Subject: [PATCH] Implement pwd policy iterator

Signed-off-by: Simo Sorce 

Ticket: https://fedorahosted.org/freeipa/ticket/3015
---
 daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 165 
 1 file changed, 110 insertions(+), 55 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
index 076314a12840881a340763ab5693131aaccafec6..4718601463211bb1fa70efd45d981f0198832489 100644
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@@ -34,7 +34,7 @@ char *std_pwdpolicy_attrs[] = {
 "krbpwdmaxfailure",
 "krbpwdfailurecountinterval",
 "krbpwdlockoutduration",
-
+"cn",
 NULL
 };
 
@@ -133,62 +133,40 @@ krb5_error_code ipadb_create_pwd_policy(krb5_context kcontext,
 return KRB5_PLUGIN_OP_NOTSUPP;
 }
 
-krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
- osa_policy_ent_t *policy)
+void ipadb_free_pwd_policy(krb5_context kcontext, osa_policy_ent_t val)
+{
+if (val) {
+free(val->name);
+free(val->allowed_keysalts);
+free(val);
+}
+}
+
+krb5_error_code ipadb_parse_pwd_policy_entry(struct ipadb_context *ipactx,
+ LDAPMessage *lentry,
+ osa_policy_ent_t *policy)
 {
-struct ipadb_context *ipactx;
-char *esc_name = NULL;
-char *src_filter = NULL;
-krb5_error_code kerr;
-LDAPMessage *res = NULL;
-LDAPMessage *lentry;
 osa_policy_ent_t pentry = NULL;
+krb5_error_code kerr;
 uint32_t result;
 int ret;
 
-ipactx = ipadb_get_context(kcontext);
-if (!ipactx) {
-return KRB5_KDB_DBNOTINITED;
-}
-
-esc_name = ipadb_filter_escape(name, true);
-if (!esc_name) {
-return ENOMEM;
-}
-
-ret = asprintf(_filter, POLICY_SEARCH_FILTER, esc_name);
-if (ret == -1) {
-kerr = KRB5_KDB_INTERNAL_ERROR;
-goto done;
-}
-
-kerr = ipadb_simple_search(ipactx,
-   ipactx->realm_base, LDAP_SCOPE_SUBTREE,
-   src_filter, std_pwdpolicy_attrs, );
-if (kerr) {
-goto done;
-}
-
-lentry = ldap_first_entry(ipactx->lcontext, res);
-if (!lentry) {
-kerr = KRB5_KDB_INTERNAL_ERROR;
-goto done;
-}
-
 pentry = calloc(1, sizeof(osa_policy_ent_rec));
 if (!pentry) {
 kerr = ENOMEM;
 goto done;
 }
 pentry->version = 1;
-pentry->name = strdup(name);
-if (!pentry->name) {
-kerr = ENOMEM;
-goto done;
-}
 
 /* FIXME: what to do with missing attributes ? */
 
+ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+ "cn", >name);
+if (ret != 0) {
+kerr = KRB5_KDB_INTERNAL_ERROR;
+goto done;
+}
+
 ret = ipadb_ldap_attr_to_uint32(ipactx->lcontext, lentry,
 "krbMinPwdLife", );
 if (ret == 0) {
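Review bot: the policy name now comes from the entry's `cn` rather than the requested `name`, and LDAP matches `cn` case-insensitively while the KDC and kadmin compare policy names as exact strings, so a lookup for `Global_Policy` can return an entry named `global_policy` and a later comparison against the requested name fails where the old `strdup(name)` could not; either keep the requested name on the get path or document the canonicalisation. A multi-valued `cn` also returns whichever value the server lists first. Separately, as rendered in this archive the `&` characters have been dropped (`_filter`, `);`, `>name`), so the hunk cannot be applied from this page.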
@@ -245,15 +223,73 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
 }
 
 *policy = pentry;
+kerr = 0;
 
 done:
 if (kerr) {
-free(pentry);
+ipadb_free_pwd_policy(NULL, pentry);
 }
+
+return kerr;
+}
+
+static krb5_error_code search_pwd_policy_entry(struct ipadb_context *ipactx,
+   char *match_entry, bool exact,
+   LDAPMessage **res)
+{
+char *src_filter = NULL;
+char *esc_name = NULL;
+krb5_error_code kerr;
+int ret;
+
+esc_name = ipadb_filter_escape((match_entry ? match_entry : "*"), exact);
+if (!esc_name) {
+return ENOMEM;
+}
+
+ret = asprintf(_filter, POLICY_SEARCH_FILTER, esc_name);
+if (ret == -1) {
+kerr = KRB5_KDB_INTERNAL_ERROR;
+goto done;
+}
+
+kerr = ipadb_simple_search(ipactx,
+   ipactx->realm_base, LDAP_SCOPE_SUBTREE,
+   src_filter, std_pwdpolicy_attrs, res);
+
+done:
 free(esc_name);
 free(src_filter);
+
+return kerr;
+}
+
+krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
+ osa_policy_ent_t *policy)
+{
+struct ipadb_context *ipactx;
+krb5_error_code kerr;
+LDAPMessage *res = NULL;
+LDAPMessage *lentry;
+
+ipactx = ipadb_get_context(kcontext);
+if (!ipactx) {
+return KRB5_KDB_DBNOTINITED;
+}
+
+kerr = search_pwd_policy_entry(ipactx, name, true, );
+if (kerr) return kerr;
+
+lentry = ldap_first_entry(ipactx->lcontext, res);
+if 
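Review bot: in search_pwd_policy_entry the `exact` flag is applied to the substituted `"*"` as well, so a caller passing match_entry=NULL with exact=true gets `\2a` in the filter and matches only a policy literally named `*`; force exact=false when match_entry is NULL, or take the wildcard path before escaping. In ipadb_get_pwd_policy the `res` returned by search_pwd_policy_entry must be released with ldap_msgfree on every path after the ldap_first_entry check (the remainder is cut off here), including the lentry == NULL error path.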
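The escaping decision the search helper above turns on, exact match versus a caller-controlled wildcard, shown stand-alone as an added example in Python rather than the ipa-kdb C code. The filter template is an assumption modelled on the patch, and the helper names are made up for the illustration; the point it demonstrates is that a policy name containing filter metacharacters cannot add assertions of its own once escaped, while an explicit wildcard still can.

```python
"""LDAP filter escaping with an explicit exact/wildcard switch. Added
example in Python; the filter template is assumed, not taken from ipa-kdb."""
import re
from typing import List, Optional

# RFC 4515 escapes; NUL is included because it is a classic truncation trick.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def filter_escape(value: str, exact: bool = True) -> str:
    """Escape an assertion value for an LDAP search filter.

    exact=True escapes every special character, '*' included, so the value
    only matches literally. exact=False keeps '*' as a wildcard and still
    escapes everything else, so the caller decides where wildcards are.
    """
    return "".join(ch if (ch == "*" and not exact) else _ESCAPES.get(ch, ch)
                   for ch in value)


# Assumed template for this example (objectClass and attribute names are
# illustrative; the real filter lives in ipa_kdb_pwdpolicy.c).
POLICY_SEARCH_FILTER = "(&(objectClass=krbPwdPolicy)(cn=%s))"


def policy_filter(name: Optional[str], exact: bool) -> str:
    """Build the policy search filter for one name (exact) or a pattern.

    name=None means "all policies". That is inherently a wildcard search, so
    combining it with exact=True is rejected instead of silently producing a
    filter that only matches a policy literally called '*'.
    """
    if name is None:
        if exact:
            raise ValueError("listing all policies requires exact=False")
        name = "*"
    return POLICY_SEARCH_FILTER % filter_escape(name, exact)


_ASSERTION = re.compile(r"\(([^&|!()]+=[^()]*)\)")


def assertions(filt: str) -> List[str]:
    """The simple (attr=value) assertions in a filter; used to show that an
    escaped value cannot introduce assertions of its own."""
    return _ASSERTION.findall(filt)


if __name__ == "__main__":
    hostile = "*)(cn=*"           # constructed policy name with metacharacters
    print(policy_filter(hostile, exact=True))
    print(assertions(policy_filter(hostile, exact=True)))
    print(assertions(POLICY_SEARCH_FILTER % hostile))   # unescaped: 3 assertions
```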

Re: [Freeipa-devel] [PATCH 0372] CI: installation tests

2015-12-07 Thread Martin Basti



On 07.12.2015 15:51, Oleg Fayans wrote:


On 12/07/2015 03:51 PM, Martin Basti wrote:


On 07.12.2015 15:49, Oleg Fayans wrote:

Hi,

On 12/07/2015 02:37 PM, Martin Basti wrote:

On 07.12.2015 14:32, Martin Basti wrote:

On 07.12.2015 13:24, Oleg Fayans wrote:

Hi Martin,

I would prefer both install_kra and install_ca methods to have
raiseonerr parameter set to True by default. We need a way to test
negatives and analyze results.
Mine looks like this:

def install_kra(host, domain_level=None,
   first_instance=False, raiseonerr=True):
   if not domain_level:
  domain_level = host.config.domain_level
   command = ["ipa-kra-install", "-U", "-p",
host.config.dirman_password]
   if domain_level == DOMAIN_LEVEL_0 and not first_instance:
   replica_file = get_replica_filename(host)
   command.append(replica_file)
   return host.run_command(command, raiseonerr=raiseonerr)

The rest looks good to me, but I did not run the tests yet.

Sounds good, I will amend the patche later.

I changed my mind, shouldn't the domain_level value be taken from the
function domainlevel(host)?

We should have a way to test negatives, like providing replica file at
domain level=1 and not providing at domain level=0. So these functions
should either accept replica file as a parameter, or arbitrary domain
level

Agree, but I meant this

  if not domain_level:
-domain_level = host.config.domain_level
+domain_level = domainlevel(host)

Oh, yes, you are right, that's better.




Martin^2


On 12/06/2015 10:22 PM, Martin Basti wrote:

My favorite today \o/ --> 67 <-- \o/ test cases, no more manual
testing
of installers \o/.

Test suite contains: 6 combination how to install components on
replica
X 4 combinations of server installation + 3 extra server tests

To save time tests install 1 master and 3 replicas per test class
(except extra server tests):
Class name  specifies what is installed on master.

Remember, option "-k" is your friend
$ ipa-run-tests -k ''
otherwise you will need a lot of time until tests finish.

To list all tests:
$ ipa-run-tests test_integration/test_installation.py --collect-only


Patch attached, it needs to have attached all patches I sent today
and
also attached workaround patch (Martin3 will provide proper fix)

I haven't had time/mood/resources to test this patch with domain
level
0, so testing this patch with domain level 0 is appreciated.


Oleg, I added some methods to tasks.py which you may want to reuse.

Martin^2


Updated patch attached.

Still some tests are failing, not sure if it is test issue or bugs. I 
will test later.
From 77b7e638890b202689682691ba33874df34ceba0 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 4 Dec 2015 17:12:05 +0100
Subject: [PATCH] CI: installation tests

---
 ipatests/test_integration/tasks.py |  32 
 ipatests/test_integration/test_installation.py | 200 +
 2 files changed, 232 insertions(+)
 create mode 100644 ipatests/test_integration/test_installation.py

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index a0d599d52d4edb9471b6a0cedd155a8590d0889b..f1b71d274087f3c837a0542e7a3b0b98adab99f0 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -39,6 +39,7 @@ from ipatests.test_integration.env_config import env_to_script
 from ipatests.test_integration.host import Host
 from ipalib.util import get_reverse_zone_default
 from ipalib.constants import DOMAIN_SUFFIX_NAME
+from ipalib.constants import DOMAIN_LEVEL_0
 
 log = log_mgr.get_logger(__name__)
 
@@ -924,3 +925,34 @@ def resolve_record(nameserver, query, rtype="SOA", retry=True, timeout=100):
 if not retry:
 raise
 time.sleep(1)
+
+
+def install_kra(host, domain_level=None, first_instance=False, raiseonerr=True):
+if not domain_level:
+   domain_level = domainlevel(host)
+command = ["ipa-kra-install", "-U", "-p", host.config.dirman_password]
+if domain_level == DOMAIN_LEVEL_0 and not first_instance:
+replica_file = get_replica_filename(host)
+command.append(replica_file)
+return host.run_command(command, raiseonerr=raiseonerr)
+
+
+def install_ca(host, domain_level=None, first_instance=False, raiseonerr=True):
+if not domain_level:
+   domain_level = domainlevel(host)
+command = ["ipa-ca-install", "-U", "-p", host.config.dirman_password,
+   "-P", 'admin', "-w", host.config.admin_password]
+if domain_level == DOMAIN_LEVEL_0 and not first_instance:
+replica_file = get_replica_filename(host)
+command.append(replica_file)
+return host.run_command(command, raiseonerr=raiseonerr)
+
+
+def install_dns(host, raiseonerr=True):
+args = [
+"ipa-dns-install",
+"--forwarder", host.config.dns_forwarder,
+"-p", host.config.dirman_password,
+"-U",
+]
+return 
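Review bot: `if not domain_level:` in install_kra and install_ca treats DOMAIN_LEVEL_0 (which is 0) as "not given", so a caller passing domain_level=0 explicitly, which is exactly the negative test Oleg asked for, silently falls back to domainlevel(host); test with `if domain_level is None:`. Also the Directory Manager and admin passwords go on the command line (`-p`, `-w`), visible to every user on the test host in the process list for the duration of the install; acceptable in CI, but worth a comment so nobody copies the pattern into production tooling.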

Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2015-12-07 Thread Fraser Tweedale
On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> > The attached patch fixes
> > https://fedorahosted.org/freeipa/ticket/4970.
> > 
> > Note that the problem is addressed by adding the appropriate request
> > extension to the CSR; the fix does not involve changing the default
> > profile behaviour, which is complicated (see ticket for details).
> 
> Thanks for the patch! This is something we should really fix, I already get
> warnings in my Python scripts when I hit sites protected by such HTTPS cert:
> 
> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no
> `subjectAltName`, falling back to check for a `commonName` for now. This
> feature is being removed by major browsers and deprecated by RFC 2818. (See
> https://github.com/shazow/urllib3/issues/497 for details.)
> 
> Should we split ticket 4970, for the FreeIPA server part and then for cert
> profile part? As it looks like the FreeIPA server will be fixed even in 
> FreeIPA
> 4.3.x and the other part later.
> 
> How difficult do you see the general FreeIPA Certificate Profile part of this
> request? Is it a too big task to handle in 4.4 time frame?
>
I will split the ticket and would suggest 4.4 Backlog - it might be
doable but is a lower priority than e.g. Sub-CAs.

Cheers,
Fraser



Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2015-12-07 Thread Rob Crittenden
Fraser Tweedale wrote:
> On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
>> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
>>> The attached patch fixes
>>> https://fedorahosted.org/freeipa/ticket/4970.
>>>
>>> Note that the problem is addressed by adding the appropriate request
>>> extension to the CSR; the fix does not involve changing the default
>>> profile behaviour, which is complicated (see ticket for details).
>>
>> Thanks for the patch! This is something we should really fix, I already get
>> warnings in my Python scripts when I hit sites protected by such HTTPS cert:
>>
>> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
>> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no
>> `subjectAltName`, falling back to check for a `commonName` for now. This
>> feature is being removed by major browsers and deprecated by RFC 2818. (See
>> https://github.com/shazow/urllib3/issues/497 for details.)
>>
>> Should we split ticket 4970, for the FreeIPA server part and then for cert
>> profile part? As it looks like the FreeIPA server will be fixed even in 
>> FreeIPA
>> 4.3.x and the other part later.
>>
>> How difficult do you see the general FreeIPA Certificate Profile part of this
>> request? Is it a too big task to handle in 4.4 time frame?
>>
> I will split the ticket and would suggest 4.4 Backlog - it might be
> doable but is a lower priority than e.g. Sub-CAs.

If you are going to defer the profile part then you should probably
update the client to also include a SAN if --request-cert is provided.

rob



Re: [Freeipa-devel] [PATCH 0369] Force creation of service during replica install

2015-12-07 Thread Martin Basti



On 07.12.2015 18:27, Martin Babinsky wrote:

On 12/06/2015 09:45 PM, Martin Basti wrote:

Replica install should not fail due to a missing A record, if there are
proper entries in hosts.

Patch attached.



ACK.


Pushed to master: cac756b87d2eb521f038d0fb2ddb2a98569cf1af



Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2015-12-07 Thread Fraser Tweedale
On Tue, Dec 08, 2015 at 08:46:39AM +1000, Fraser Tweedale wrote:
> On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> > On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> > > The attached patch fixes
> > > https://fedorahosted.org/freeipa/ticket/4970.
> > > 
> > > Note that the problem is addressed by adding the appropriate request
> > > extension to the CSR; the fix does not involve changing the default
> > > profile behaviour, which is complicated (see ticket for details).
> > 
> > Thanks for the patch! This is something we should really fix, I already get
> > warnings in my Python scripts when I hit sites protected by such HTTPS cert:
> > 
> > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
> > SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has 
> > no
> > `subjectAltName`, falling back to check for a `commonName` for now. This
> > feature is being removed by major browsers and deprecated by RFC 2818. (See
> > https://github.com/shazow/urllib3/issues/497 for details.)
> > 
> > Should we split ticket 4970, for the FreeIPA server part and then for cert
> > profile part? As it looks like the FreeIPA server will be fixed even in 
> > FreeIPA
> > 4.3.x and the other part later.
> > 
> > How difficult do you see the general FreeIPA Certificate Profile part of 
> > this
> > request? Is it a too big task to handle in 4.4 time frame?
> >
> I will split the ticket and would suggest 4.4 Backlog - it might be
> doable but is a lower priority than e.g. Sub-CAs.
> 
PKI ticket: https://fedorahosted.org/pki/ticket/1710
IPA tracker: https://fedorahosted.org/freeipa/ticket/5523

> Cheers,
> Fraser
> 
