[Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (synchronize)
LiptonB's pull request #10: "Client-side CSR autogeneration" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/10 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/10/head:pr10 git checkout pr10 From eeeb57fa9ff1642dbd1e32fbfe435052de2541ee Mon Sep 17 00:00:00 2001 From: Ben LiptonDate: Tue, 5 Jul 2016 14:19:35 -0400 Subject: [PATCH 01/10] Add code to generate scripts that generate CSRs Adds a library that uses jinja2 to format a script that, when run, will build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses this library and builds the script for a given principal. The rules are read from json files in /usr/share/ipa/csr, but the rule provider is a separate class so that it can be replaced easily. https://fedorahosted.org/freeipa/ticket/4899 --- freeipa.spec.in | 8 + install/configure.ac| 1 + install/share/Makefile.am | 1 + install/share/csr/Makefile.am | 27 +++ install/share/csr/templates/certutil_base.tmpl | 14 ++ install/share/csr/templates/ipa_macros.tmpl | 42 install/share/csr/templates/openssl_base.tmpl | 35 +++ install/share/csr/templates/openssl_macros.tmpl | 29 +++ ipaclient/plugins/certmapping.py| 105 + ipalib/certmapping.py | 285 ipalib/errors.py| 9 + ipapython/templating.py | 31 +++ 12 files changed, 587 insertions(+) create mode 100644 install/share/csr/Makefile.am create mode 100644 install/share/csr/templates/certutil_base.tmpl create mode 100644 install/share/csr/templates/ipa_macros.tmpl create mode 100644 install/share/csr/templates/openssl_base.tmpl create mode 100644 install/share/csr/templates/openssl_macros.tmpl create mode 100644 ipaclient/plugins/certmapping.py create mode 100644 ipalib/certmapping.py create mode 100644 ipapython/templating.py diff --git a/freeipa.spec.in b/freeipa.spec.in index e3ad5b6..ab8e8e6 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -507,6 +507,7 @@ Requires: python-custodia Requires: python-dns >= 1.11.1 Requires: python-netifaces >= 0.10.4 Requires: pyusb +Requires: python-jinja2 Conflicts: %{alt_name}-python < %{version} @@ -1178,6 +1179,13 @@ fi %{_usr}/share/ipa/advise/legacy/*.template %dir %{_usr}/share/ipa/profiles %{_usr}/share/ipa/profiles/*.cfg +%dir %{_usr}/share/ipa/csr +%dir %{_usr}/share/ipa/csr/templates +%{_usr}/share/ipa/csr/templates/*.tmpl +%dir %{_usr}/share/ipa/csr/profiles +%{_usr}/share/ipa/csr/profiles/*.json +%dir %{_usr}/share/ipa/csr/rules +%{_usr}/share/ipa/csr/rules/*.json %dir %{_usr}/share/ipa/ffextension %{_usr}/share/ipa/ffextension/bootstrap.js %{_usr}/share/ipa/ffextension/install.rdf diff --git a/install/configure.ac b/install/configure.ac index 81f17b9..365f0e9 100644 --- a/install/configure.ac +++ b/install/configure.ac @@ -87,6 +87,7 @@ AC_CONFIG_FILES([ share/Makefile share/advise/Makefile share/advise/legacy/Makefile +share/csr/Makefile share/profiles/Makefile share/schema.d/Makefile ui/Makefile diff --git a/install/share/Makefile.am b/install/share/Makefile.am index d8845ee..0a15635 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -2,6 +2,7 @@ NULL = SUBDIRS = \ advise\ + csr\ profiles \ schema.d \ $(NULL) diff --git a/install/share/csr/Makefile.am b/install/share/csr/Makefile.am new file mode 100644 index 000..5a8ef5c --- /dev/null +++ b/install/share/csr/Makefile.am @@ -0,0 +1,27 @@ +NULL = + +profiledir = $(IPA_DATA_DIR)/csr/profiles +profile_DATA =\ + $(NULL) + +ruledir = $(IPA_DATA_DIR)/csr/rules +rule_DATA =\ + $(NULL) + +templatedir = $(IPA_DATA_DIR)/csr/templates +template_DATA = \ + templates/certutil_base.tmpl \ + templates/openssl_base.tmpl \ + templates/openssl_macros.tmpl \ + templates/ipa_macros.tmpl \ + $(NULL) + +EXTRA_DIST =\ + $(profile_DATA) \ + $(rule_DATA) \ + $(template_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~\ + Makefile.in diff --git a/install/share/csr/templates/certutil_base.tmpl b/install/share/csr/templates/certutil_base.tmpl new file mode 100644 index 000..6c6425f --- /dev/null +++ b/install/share/csr/templates/certutil_base.tmpl @@ -0,0 +1,14 @@ +{% raw -%} +{% import "ipa_macros.tmpl" as ipa -%} +{%- endraw %} +#!/bin/bash -e + +if [[ $# -lt 1 ]]; then +echo "Usage: $0 [ ]" +echo "Called as: $0 $@" +exit 1 +fi + +CSR="$1" +shift +certutil -R -a -z <(head -c 4096 /dev/urandom) -o "$CSR" {{ options|join(' ') }} "$@" diff --git a/install/share/csr/templates/ipa_macros.tmpl b/install/share/csr/templates/ipa_macros.tmpl new file mode 100644 index 000..e790d4e --- /dev/null +++
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On Wed, 14 Sep 2016, Martin Basti wrote: On 14.09.2016 17:53, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: On 14.09.2016 17:41, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: 1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side? You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for a ID override in that one. Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation. How can be this tested with SSSD? You need to log into the system with a certificate... Is this possible from test? We are logged remotely as root, is there any cmdline util which allows us to test certificate against AD user? https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationTestingWithAD The only thing that differentiates AD user from IPA is the fact that you'd need to trust a certificate authority that issued the certificate for this user. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote: > > > On 14.09.2016 17:53, Alexander Bokovoy wrote: > > On Wed, 14 Sep 2016, Martin Basti wrote: > > > > > > > > > On 14.09.2016 17:41, Alexander Bokovoy wrote: > > > > On Wed, 14 Sep 2016, Martin Basti wrote: > > > > > 1) > > > > > I still don't see the reason why AD trust is needed. Default > > > > > trust ID view is added just by ipa-adtrust-install, adding > > > > > trust is not needed for current implementation. You don't > > > > > need AD for this, IDviews is generic feature not just for > > > > > AD. Is that user configured on AD side? > > > > You cannot add non-AD user to 'default trust view', so you will not be > > > > able to set up certificates to ID override which does not exist. > > > > > > > > For non-'default trust view' you can add both IPA and AD users, > > > > so using > > > > some other view and then assign certificate for a ID override in that > > > > one. > > > > > > > > > > Ok then, but anyway I would like to see API/CLI tests for this > > > feature with proper output validation. > > > > > > > > > How can be this tested with SSSD? > > You need to log into the system with a certificate... > Is this possible from test? We are logged remotely as root, is there any > cmdline util which allows us to test certificate against AD user? You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should return the ssh key derived from the public key in the certificate. This should work for certificate stored in AD as well as for overrides. You can also you the DBus lookup by certificate as described in https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate . HTH bye, Sumit > > Martin^2 > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On 14.09.2016 17:41, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: 1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side? You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for a ID override in that one. Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation. How can be this tested with SSSD? -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On Wed, 14 Sep 2016, Martin Basti wrote: 1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side? You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for a ID override in that one. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On 06.09.2016 13:57, Oleg Fayans wrote: The test is updated to clean up after itself On 09/06/2016 12:57 PM, Oleg Fayans wrote: Hi Martin, Thanks for the review. The updated patches are attached. Please, see my comments below On 08/30/2016 01:58 PM, Martin Basti wrote: On 22.08.2016 13:18, Oleg Fayans wrote: ping for review On 08/02/2016 01:11 PM, Oleg Fayans wrote: Hi Martin, I did! Thank you! On 08/02/2016 12:31 PM, Martin Basti wrote: On 01.08.2016 22:46, Oleg Fayans wrote: The test was redesigned so that it actually tests against an AD user. cleanly applies, passes lint and passes https://paste.fedoraproject.org/399504/00843641/ Okay Did you forget to send patches? Martin^2 On 06/28/2016 01:40 PM, Oleg Fayans wrote: Patch-0050 rebased against latest upstream branch On 06/28/2016 10:45 AM, Oleg Fayans wrote: Passing test output: https://paste.fedoraproject.org/385774/71035231/ NACK for 0049.1 1) PEP8: you must use 2 empty lines between functions Fixed 2) +new_args = " ".join(new_args + args) you don't need this, run_command takes list as argument too new_args.extend(args) The list-based approach does not work with shell redirects which are heavily used in the certs_id_idoverrides test. Thus, this trick is really needed 3) To make it more usable you should add raiseonerr as kwarg to run_certutil (True as default) Done NACK for 0050.2 1) +tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>', +cls.adcert1_file], cls.reqdir) +tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>', +cls.adcert2_file], cls.reqdir) IMO thus should raise an error if failed, but previously you set raiseonerr=False (multiple times) Agreed. Done 2) +cls.ad = cls.ad_domains[0].ads[0] +cls.ad_domain = cls.ad.domain.name +cls.aduser = "testuser@%s" % cls.ad_domain +cls.adcert1 = 'MyCert1' +cls.adcert2 = 'MyCert2' +cls.adcert1_file = cls.adcert1 + '.crt' +cls.adcert2_file = cls.adcert2 + '.crt' New definitions of variables/constants should be directly in class not in install method, adding new class variables in classmethod is the same evil as adding instance variables outside __init__ Fair point. Fixed 3) I have question, why do you need AD for this test? AFAIK you can use ID overrides without AD Correct. You can, but the workflow would be slightly different. For example, you can not issue and sign cert requests for AD-users the way you would do it for local users. We want to have tests that can be taken by end-users as example how to use our software, that's why it is better to be as close to real-world use-cases as it is possible. Martin^3 1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side? 2) The test itself looks for me as just API/CLI test. IMO it can be in ipatests/test_xmlrpc/test_idviews_plugin.py or ipatests/test_xmlrpc/test_add_remove_cert_cmd.py 3) I don't see any integration with SSSD in that test, just pure IPA CLI test, shouldn't be this tested against SSSD here? Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#78] Fix Ip-addr validation (comment)
dkupka commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/1c96ff7a6c7e1733a6492f9b3c93265f5bc8ff5b https://fedorahosted.org/freeipa/changeset/cd2c10d7ca97ffc76682159ad58161eab413532d https://fedorahosted.org/freeipa/changeset/d13a4c2f395c08b514a51a19eaad3fa7d32e7538 ipa-4-4: https://fedorahosted.org/freeipa/changeset/dee950d88ec969b36c1271a3ef9fe4e4f5b48b01 https://fedorahosted.org/freeipa/changeset/b7fcbe9a59cbb748087f8f2b29511d2ead484e1c https://fedorahosted.org/freeipa/changeset/bb2c1790ea14381fa3e0f6ab11484300a2bcb746 """ See the full comment at https://github.com/freeipa/freeipa/pull/78#issuecomment-247013555 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#78] Fix Ip-addr validation (closed)
mbasti-rh's pull request #78: "Fix Ip-addr validation" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/78 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/78/head:pr78 git checkout pr78 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#78] Fix Ip-addr validation (+pushed)
mbasti-rh's pull request #78: "Fix Ip-addr validation" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/78 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#78] Fix Ip-addr validation (+ack)
mbasti-rh's pull request #78: "Fix Ip-addr validation" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/78 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (closed)
mbasti-rh's pull request #81: "Fix emptyzones dns upgrade" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/81 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/81/head:pr81 git checkout pr81 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (comment)
martbab commented on a pull request """ Fixed upstream ipa-4-3: https://fedorahosted.org/freeipa/changeset/2d011b97c8a56d9eabae2ca3d88c30314e0adb58 https://fedorahosted.org/freeipa/changeset/93756dc719723bbec93497ecd6e06e325e6eecbd ipa-4-4: https://fedorahosted.org/freeipa/changeset/afeb4bd8a6039173c24201803f1253fae2529a83 https://fedorahosted.org/freeipa/changeset/e39cc53d90175e3cae6805302f318a96bc0e1af1 master: https://fedorahosted.org/freeipa/changeset/22fd6f020940b5b2a1258f8e0e6058c95f7a1ba5 https://fedorahosted.org/freeipa/changeset/271a4f098230112ee0e3ea3ffb3a509977ee7330 """ See the full comment at https://github.com/freeipa/freeipa/pull/81#issuecomment-247004156 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (+pushed)
mbasti-rh's pull request #81: "Fix emptyzones dns upgrade" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/81 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (closed)
ofayans's pull request #52: "Removed incorrect check for returncode" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/52 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/52/head:pr52 git checkout pr52 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (+pushed)
martbab's pull request #80: "ipa passwd: use correct normalizer for user principals" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/80 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (comment)
martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/f3f9087ee8d1b1531730cf1e91fe404092e8c81d ipa-4-4: https://fedorahosted.org/freeipa/changeset/0fe08fdce78b8a26cae1ad238cfea20fe86b8332 """ See the full comment at https://github.com/freeipa/freeipa/pull/80#issuecomment-246979841 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (closed)
martbab's pull request #80: "ipa passwd: use correct normalizer for user principals" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/80 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/80/head:pr80 git checkout pr80 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#82] Fix regexp in user/group name (opened)
mbasti-rh's pull request #82: "Fix regexp in user/group name" was opened PR body: """ Regexp should not enforce lenght of string, we have different checks for that. Secondly regexp with length specified produces an incorrect error message. https://fedorahosted.org/freeipa/ticket/5822 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/82 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/82/head:pr82 git checkout pr82 From e387fb3bb71f59d8554a7ae046fc534eaf07d470 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Wed, 14 Sep 2016 12:55:01 +0200 Subject: [PATCH] Fix regexp in user/group name Regexp should not enforce lenght of string, we have different checks for that. Secondly regexp with length specified produces an incorrect error message. https://fedorahosted.org/freeipa/ticket/5822 --- ipaserver/plugins/baseuser.py | 2 +- ipaserver/plugins/group.py| 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py index 5e36a66..608e2d4 100644 --- a/ipaserver/plugins/baseuser.py +++ b/ipaserver/plugins/baseuser.py @@ -172,7 +172,7 @@ class baseuser(LDAPObject): takes_params = ( Str('uid', -pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', +pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', maxlength=255, cli_name='login', diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py index dcd4a91..5f0e9af 100644 --- a/ipaserver/plugins/group.py +++ b/ipaserver/plugins/group.py @@ -260,7 +260,7 @@ class group(LDAPObject): takes_params = ( Str('cn', -pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', +pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', maxlength=255, cli_name='group_name', -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (comment)
mbasti-rh commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/7cac8392036bf6d6bbd74f5a781986dec21149d6 ipa-4-3: https://fedorahosted.org/freeipa/changeset/6d04220dc3071782cf303b2e94e06da4ee26e512 ipa-4-4: https://fedorahosted.org/freeipa/changeset/32a6528dade8a6bcf1be2885b0ae714669a06d62 """ See the full comment at https://github.com/freeipa/freeipa/pull/27#issuecomment-246975562 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (+pushed)
mirielka's pull request #27: "[master, ipa-4-3] Tests: Fix integration sudo tests setup and checks" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/27 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (closed)
mirielka's pull request #27: "[master, ipa-4-3] Tests: Fix integration sudo tests setup and checks" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/27 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/27/head:pr27 git checkout pr27 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (+ack)
mirielka's pull request #27: "[master, ipa-4-3] Tests: Fix integration sudo tests setup and checks" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/27 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (comment)
lslebodn commented on a pull request """ Test passed on fedora 24 + freeipa-4_4. ACK """ See the full comment at https://github.com/freeipa/freeipa/pull/27#issuecomment-246969936 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
Ping for review. On 09/06/2016 01:57 PM, Oleg Fayans wrote: The test is updated to clean up after itself On 09/06/2016 12:57 PM, Oleg Fayans wrote: Hi Martin, Thanks for the review. The updated patches are attached. Please, see my comments below On 08/30/2016 01:58 PM, Martin Basti wrote: On 22.08.2016 13:18, Oleg Fayans wrote: ping for review On 08/02/2016 01:11 PM, Oleg Fayans wrote: Hi Martin, I did! Thank you! On 08/02/2016 12:31 PM, Martin Basti wrote: On 01.08.2016 22:46, Oleg Fayans wrote: The test was redesigned so that it actually tests against an AD user. cleanly applies, passes lint and passes https://paste.fedoraproject.org/399504/00843641/ Okay Did you forget to send patches? Martin^2 On 06/28/2016 01:40 PM, Oleg Fayans wrote: Patch-0050 rebased against latest upstream branch On 06/28/2016 10:45 AM, Oleg Fayans wrote: Passing test output: https://paste.fedoraproject.org/385774/71035231/ NACK for 0049.1 1) PEP8: you must use 2 empty lines between functions Fixed 2) +new_args = " ".join(new_args + args) you don't need this, run_command takes list as argument too new_args.extend(args) The list-based approach does not work with shell redirects which are heavily used in the certs_id_idoverrides test. Thus, this trick is really needed 3) To make it more usable you should add raiseonerr as kwarg to run_certutil (True as default) Done NACK for 0050.2 1) +tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>', +cls.adcert1_file], cls.reqdir) +tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>', +cls.adcert2_file], cls.reqdir) IMO thus should raise an error if failed, but previously you set raiseonerr=False (multiple times) Agreed. Done 2) +cls.ad = cls.ad_domains[0].ads[0] +cls.ad_domain = cls.ad.domain.name +cls.aduser = "testuser@%s" % cls.ad_domain +cls.adcert1 = 'MyCert1' +cls.adcert2 = 'MyCert2' +cls.adcert1_file = cls.adcert1 + '.crt' +cls.adcert2_file = cls.adcert2 + '.crt' New definitions of variables/constants should be directly in class not in install method, adding new class variables in classmethod is the same evil as adding instance variables outside __init__ Fair point. Fixed 3) I have question, why do you need AD for this test? AFAIK you can use ID overrides without AD Correct. You can, but the workflow would be slightly different. For example, you can not issue and sign cert requests for AD-users the way you would do it for local users. We want to have tests that can be taken by end-users as example how to use our software, that's why it is better to be as close to real-world use-cases as it is possible. Martin^3 -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [Test][patch-0058] Fixed topology tests failures in CI
Again ping for review, please it completely blocks the whole job. On 09/07/2016 03:27 PM, Oleg Fayans wrote: ping for review On 08/24/2016 01:58 PM, Oleg Fayans wrote: And here is how the run looks like: $ ipa-run-tests test_integration/test_topology.py WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py' WARNING: yacc table file version is out of date WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py' test session starts = platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini plugins: sourceorder-0.5, multihost-1.0 collected 3 items test_integration/test_topology.py ..x === 2 passed, 1 xfailed in 1558.66 seconds === On 08/12/2016 04:05 PM, Martin Basti wrote: On 12.08.2016 15:48, Oleg Fayans wrote: Hi Martin, On 08/11/2016 10:05 AM, Martin Basti wrote: On 10.08.2016 20:32, Oleg Fayans wrote: Hello, before we jump into fixing tests, my question is: Was this planned change and not reflected by test, or switched values are unwanted side effect and thus bug for us? That's a marvelous question! The test used to pass, which means that at some point the convention of naming the segments must have changed. Is it a bug? I do not think so: the feature still works as expected. Ludwig, do you know details about this change, why positions of server names are different than used to be in topology name? Ticket contains almost no info, except a traceback and it says nothing. Commit message says at least something. I'm not sure if this patch fixes that ticket, because traceback in test shows error message that "removal of segment will disconnect topology", but this patch only swap order of replica names in segment name. I would expect that you should get different error, something like segment does not exist. Which I do get in jenkins job N 37: "segment not found" In fact, the error in the issue is unrelated to the fix, you are right. To tell the truth, I just put a random error from one of the jenkins topology testruns into the issue. This is very good way how to report tickets: * nobody knows what happened * nobody can search in current tickets, what is wrong without proper description * developers cannot investigate issue, because there is even no name of exact test in ticket, no steps to reproduce, nothing * without proper tickets it is hard to backport patches correctly, if patch fixes different issue than is reported I'm closing ticket as invalid, please follow http://www.chiark.greenend.org.uk/~sgtatham/bugs.html and file a new proper ticket. This particular error message was caused by a previous replica installation failure, which resulted in existing only one segment instead of three: master <-> replica1 instead of: master <-> replica1, master <-> replica2 replica1 <-> replica2 In fact the patch supplied fixes 2 tests at once: The first test tries to remove the unexisting segment master <-> replica2 and fails, the second test expects the line topology master <-> replica1 <-> replica2. It removes the connection between replica1 and replica2, expects the operation to fail but it does not because the connection between master and replica2 exists the output from the testrun with the patch applied: -bash-4.3$ ipa-run-tests test_integration/test_topology.py --pdb WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py' WARNING: yacc table file version is out of date WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py' test session starts = platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini plugins: sourceorder-0.5, multihost-1.0 collected 3 items test_integration/test_topology.py ... 3 passed in 2156.82 seconds = I don't care about test output until there is no valid description of problem, fixing test may just cover real issue. Martin^2 Martin^2 -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA:
[Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (+pushed)
martbab's pull request #79: "trust-fetch-domains: contact forest DCs when fetching trust domain info" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/79 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (comment)
martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/b0d40b80e8d9a4960296ce70d843ad987657696b ipa-4-4: https://fedorahosted.org/freeipa/changeset/6755cbbc3346910bcd4be1577351cc15ab7d3140 """ See the full comment at https://github.com/freeipa/freeipa/pull/79#issuecomment-246944496 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (closed)
martbab's pull request #79: "trust-fetch-domains: contact forest DCs when fetching trust domain info" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/79 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/79/head:pr79 git checkout pr79 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (+ack)
martbab's pull request #79: "trust-fetch-domains: contact forest DCs when fetching trust domain info" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/79 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (comment)
abbra commented on a pull request """ LGTM. We discussed the placement of populate_remote_domain() but decided to keep it there. """ See the full comment at https://github.com/freeipa/freeipa/pull/79#issuecomment-246935619 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (+pushed)
ofayans's pull request #52: "Removed incorrect check for returncode" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/52 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment)
mbasti-rh commented on a pull request """ **Xfailed the tests due to a known bug with replica preparation** Fixed upstream master: https://fedorahosted.org/freeipa/changeset/1e484d010b653b8ac06425ca602ba5c9e950ed89 """ See the full comment at https://github.com/freeipa/freeipa/pull/52#issuecomment-246934600 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment)
mbasti-rh commented on a pull request """ **Changed addressing to the client hosts to be replicas** Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ac78d191ded6721cf1051413cdd6862c0362e66b ipa-4-4: https://fedorahosted.org/freeipa/changeset/de4a1fc0df5474f268c7ed08ffb802110631c13f ipa-4-3: https://fedorahosted.org/freeipa/changeset/8ed4a4ba6392deb7972ddc07593d649926065c72 """ See the full comment at https://github.com/freeipa/freeipa/pull/52#issuecomment-246934259 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment)
mbasti-rh commented on a pull request """ **Several fixes in replica_promotion tests** Fixed upstream master: https://fedorahosted.org/freeipa/changeset/39c15ecdcdcbc2a0b651b0f89080789dd806e998 ipa-4-4: https://fedorahosted.org/freeipa/changeset/cd6adafbf699da48ab877e77ac9c1cc1dd26bf61 """ See the full comment at https://github.com/freeipa/freeipa/pull/52#issuecomment-246933583 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment)
mbasti-rh commented on a pull request """ **Removed incorrect check for returncode** Fixed upstream master: https://fedorahosted.org/freeipa/changeset/22b0e8a9eb9eb3d47131c6784d70dd409d5b889b ipa-4-4: https://fedorahosted.org/freeipa/changeset/e265853d055caf7e3d17316eee6e25aa26bbf2a9 """ See the full comment at https://github.com/freeipa/freeipa/pull/52#issuecomment-246933097 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (+ack)
martbab's pull request #80: "ipa passwd: use correct normalizer for user principals" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/80 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (comment)
abbra commented on a pull request """ Looks good, thanks! """ See the full comment at https://github.com/freeipa/freeipa/pull/80#issuecomment-246931189 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (synchronize)
mbasti-rh's pull request #81: "Fix emptyzones dns upgrade" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/81 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/81/head:pr81 git checkout pr81 From b1aeee9e57fdaa39545a437d65f6520f1cfbff53 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Tue, 13 Sep 2016 18:37:43 +0200 Subject: [PATCH 1/2] Start named during configuration upgrade. Some upgrade steps require bind running, to be succesfull. Upgrader makes sure that bind starts. https://fedorahosted.org/freeipa/ticket/6205 --- ipaserver/install/server/upgrade.py | 12 1 file changed, 12 insertions(+) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index aec84dc..19ea8ca 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1706,6 +1706,15 @@ def upgrade_configuration(): cleanup_kdc(fstore) cleanup_adtrust(fstore) setup_firefox_extension(fstore) + +bind = bindinstance.BindInstance(fstore) +if bind.is_configured() and not bind.is_running(): +# some upgrade steps may require bind running +bind_started = True +bind.start() +else: +bind_started = False + add_ca_dns_records() # Any of the following functions returns True iff the named.conf file @@ -1737,6 +1746,9 @@ def upgrade_configuration(): except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", bind.service_name, e) +if bind_started: +bind.stop() + custodia = custodiainstance.CustodiaInstance(api.env.host, api.env.realm) custodia.upgrade_instance() From 7c81de901f66c279238b164e1dfbf829ea670533 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 13 Sep 2016 19:12:40 +0200 Subject: [PATCH 2/2] Catch DNS exceptions during emptyzones named.conf upgrade For some reasons named may not be runnig and this cause fail of this upgrade step. This step is not critical so only ERROR message with recommendation is shown. https://fedorahosted.org/freeipa/ticket/6205 --- ipaserver/install/server/upgrade.py | 17 ++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 19ea8ca..b47d8fa 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -11,6 +11,8 @@ import fileinput import sys +import dns.exception + import six from six.moves.configparser import SafeConfigParser @@ -840,9 +842,18 @@ def named_update_global_forwarder_policy(): 'forward_policy_conflict_with_empty_zones_handled', True ) -if not dnsutil.has_empty_zone_addresses(api.env.host): -# guess: local server does not have IP addresses from private ranges -# so hopefully automatic empty zones are not a problem +try: +if not dnsutil.has_empty_zone_addresses(api.env.host): +# guess: local server does not have IP addresses from private +# ranges so hopefully automatic empty zones are not a problem +return False +except dns.exception.DNSException as ex: +root_logger.error( +'Skipping update of global DNS forwarder in named.conf: ' +'Unable to determine if local server is using an ' +'IP address belonging to an automatic empty zone. ' +'Consider changing forwarding policy to "only". ' +'DNS exception: %s', ex) return False if bindinstance.named_conf_get_directive( -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (+ack)
ofayans's pull request #52: "Removed incorrect check for returncode" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/52 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#50] Add cert checks in ipa-server-certinstall (comment)
flo-renaud commented on a pull request """ Bump for review """ See the full comment at https://github.com/freeipa/freeipa/pull/50#issuecomment-246921696 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code