date:20161205

  URL: https://github.com/freeipa/freeipa/pull/279
Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf

pspacek commented:
"""
NACK
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/279#issuecomment-265084090
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#279][synchronized] installer: Stop adding distro-specific NTP servers into ntp.conf

2016-12-05 Thread dkupka

   URL: https://github.com/freeipa/freeipa/pull/279
Author: dkupka
 Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/279/head:pr279
git checkout pr279
From ea389fa57f485ea4778300b1515aa9997a249c4b Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Mon, 28 Nov 2016 15:56:30 +0100
Subject: [PATCH] installer: Stop adding distro-specific NTP servers into
 ntp.conf

Distribution packaged ntpd has servers preconfigured in ntp.conf so
there's no point in trying to add them again during FreeIPA server
installation.
Also fix the code to always put fudge line right after the local server
line as required by ntpd.

https://fedorahosted.org/freeipa/ticket/6486
---
 ipaserver/install/ntpinstance.py | 49 ++--
 1 file changed, 7 insertions(+), 42 deletions(-)

diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
index 716eb08..3d8db2d 100644
--- a/ipaserver/install/ntpinstance.py
+++ b/ipaserver/install/ntpinstance.py
@@ -20,7 +20,6 @@
 
 from ipaserver.install import service
 from ipaserver.install import sysupgrade
-from ipapython import ipautil
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger
@@ -60,26 +59,10 @@ def __write_config(self):
 self.fstore.backup_file(paths.NTP_CONF)
 self.fstore.backup_file(paths.SYSCONFIG_NTPD)
 
-# We use the OS variable to point it towards either the rhel
-# or fedora pools. Other distros should be added in the future
-# or we can get our own pool.
-os = ""
-if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
-os = "fedora"
-elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
-os = "rhel"
-
-srv_vals = []
-srv_vals.append("0.%s.pool.ntp.org" % os)
-srv_vals.append("1.%s.pool.ntp.org" % os)
-srv_vals.append("2.%s.pool.ntp.org" % os)
-srv_vals.append("3.%s.pool.ntp.org" % os)
-srv_vals.append("127.127.1.0")
+local_srv = "127.127.1.0"
 fudge = ["fudge", "127.127.1.0", "stratum", "10"]
 
 #read in memory, change it, then overwrite file
-file_changed = False
-fudge_present = False
 ntpconf = []
 fd = open(paths.NTP_CONF, "r")
 for line in fd:
@@ -88,37 +71,19 @@ def __write_config(self):
 ntpconf.append(line)
 continue
 
-if opt[0] == "server":
-match = False
-for srv in srv_vals:
-if opt[1] == srv:
-match = True
-break
-if match:
-srv_vals.remove(srv)
-else:
-file_changed = True
-line = ""
+if opt[0] == "server" and opt[1] == local_srv:
+line = ""
 elif opt[0] == "fudge":
-if opt[0:4] == fudge[0:4]:
-fudge_present = True
-else:
-file_changed = True
-line = ""
+line = ""
 
 ntpconf.append(line)
 
-if file_changed or len(srv_vals) != 0 or not fudge_present:
-fd = open(paths.NTP_CONF, "w")
+with open(paths.NTP_CONF, "w") as fd:
 for line in ntpconf:
 fd.write(line)
 fd.write("\n### Added by IPA Installer ###\n")
-if len(srv_vals) != 0:
-for srv in srv_vals:
-fd.write("server "+srv+" iburst\n")
-if not fudge_present:
-fd.write("fudge 127.127.1.0 stratum 10\n")
-fd.close()
+fd.write("server {} iburst\n".format(local_srv))
+fd.write("{}\n".format(' '.join(fudge)))
 
 #read in memory, find OPTIONS, check/change it, then overwrite file
 needopts = [ {'val':'-x', 'need':True},
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#292][synchronized] Increase the timeout waiting for certificate issuance in installer

2016-12-05 Thread flo-renaud

   URL: https://github.com/freeipa/freeipa/pull/292
Author: flo-renaud
 Title: #292: Increase the timeout waiting for certificate issuance in installer
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/292/head:pr292
git checkout pr292
From 70fc8c17bc7b1a8c2379c45b3f00e0655283e3e0 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Wed, 30 Nov 2016 16:34:16 +0100
Subject: [PATCH] Increase the timeout waiting for certificate issuance in
 installer

During the server installation, the installer requests certificates
through certmonger. The current timeout is 60s and is too low.
Increase this timeout to api.env.startup_timeout + 60 as done in
ipa_cacert_manage or ipa_certupdate.py
(the code checks the status each 5s up to the timeout value).

https://fedorahosted.org/freeipa/ticket/6433
---
 ipalib/install/certmonger.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
index 3ea900b..ac65d56 100644
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -30,6 +30,7 @@
 import shlex
 import subprocess
 import tempfile
+from ipalib import api
 from ipapython.ipa_log_manager import root_logger
 from ipaplatform.paths import paths
 from ipaplatform import services
@@ -309,7 +310,8 @@ def request_and_wait_for_cert(
 reqId = request_cert(nssdb, nickname, subject, principal,
  passwd_fname, dns, ca, profile,
  pre_command, post_command)
-state = wait_for_request(reqId, timeout=60)
+timeout = api.env.startup_timeout + 60
+state = wait_for_request(reqId, timeout)
 ca_error = get_request_value(reqId, 'ca-error')
 if state != 'MONITORING' or ca_error:
 raise RuntimeError("Certificate issuance failed ({})".format(state))
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#293][comment] Run out-of-tree tests in Travis CI

2016-12-05 Thread stlaz

  URL: https://github.com/freeipa/freeipa/pull/293
Title: #293: Run out-of-tree tests in Travis CI

stlaz commented:
"""
Since I recently run into issues with ipa-server-install and low entropy 
somewhere around creation of kdb proxy which drastically increased install 
time, would it make sense to install haveged atop of our rpms to possibly 
mitigate the problem?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/293#issuecomment-264906938
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] CSR autogeneration next steps

2016-12-05 Thread Ben Lipton


Hi Jan, thanks for the comments.


On 12/05/2016 04:25 AM, Jan Cholasta wrote:

Hi Ben,

On 3.11.2016 00:12, Ben Lipton wrote:

Hi everybody,

Soon I'm going to have to reduce the amount of time I spend on new
development work for the CSR autogeneration project, and I want to leave
the project in as organized a state as possible. So, I'm taking
inventory of the work I've done in order to make sure that what's ready
for review can get reviewed and the ideas that have been discussed get
prototyped or at least recorded so they won't be forgotten.


Thanks, I have some questions and comments, see below.



Code that's ready for review (I will continue to put in as much time as
needed to help get these ready for submission):

- Current PR: https://github.com/freeipa/freeipa/pull/10


How hard would it be to update the PR to use the "new" interface from 
the design thread? By this I mean that currently there is a command 
(cert_get_requestdata), which creates a CSR from profile id + 
principal + helper, but in the design we discussed a command which 
creates a CertificationRequestInfo from profile id + principal + 
public key.


Internally it could use the OpenSSL helper, no need to implement the 
full "new" design. With your build_requestinfo.c code below it looks 
like it should be pretty straightforward.


This is probably doable with the cffi, but I'm concerned about 
usability. A user can run the current command to get a (reusable) 
script, and run the script to get a CSR. It works with keys in both PEM 
files and NSS databases already. If we change to outputting a 
CertificationRequestInfo, in order to make this usable on the command 
line, we'll need:
- An additional tool to sign a CSR given a CertificationRequestInfo (for 
both types of key storage).
- A way to extract a SubjectPublicKeyInfo structure from a key within 
the ipa command (like [1] but we need it for both types of key storage)
Since as far as I know there's no standard encoding for files containing 
only a CertificationRequestInfo or a SubjectPublicKeyInfo, we'll be 
writing and distributing these ourselves. I think that's where most of 
the extra work will come in.


Would it be ok to stick with the current design in this PR? I'd feel 
much better if we could get the basic functionality into the repo and 
then iterate on it rather than changing the plan at this point. I can 
create a separate PR to change cert_get_requestdata to this new 
interface and at the same time add the necessary adapters (bullet points 
above) to make it user-friendly.


I would probably just implement the adapters within the 
cert_build/cert_request client code unless you think having standalone 
tools is valuable. I suppose certmonger is going to need these features 
too, but I don't know how well sharing code between them is going to work.




- Allow some fields to be specified by the user at creation time:
https://github.com/LiptonB/freeipa/commits/local-user-data


Good idea :-)



- Automation for the full process from getting CSR data to requesting
cert: https://github.com/LiptonB/freeipa/commits/local-cert-build


LGTM, although I would prefer if this was a client-side extension of 
cert-request rather than a completely new command.


I did try that at first, but I struggled to figure out the interface for 
the modified cert-request. (Not that the current solution is so great, 
what with the copying of options from cert_request and certreq.) If I 
remember correctly, I was uncertain how to implement parameters that are 
required/invalid based on other parameters: the current cert-request 
takes a signed CSR (required), a principal (required), and a profile ID; 
the new cert-request (what I implemented as cert-build) takes a 
principal (required), a profile ID (required), and a key location 
(required). I can't remember if that was the only problem, but I'll try 
again to merge the commands and get back to you.




Other prototypes and design ideas that aren't ready for submission yet:

- Utility written in C to build a CertificationRequestInfo from a
SubjectPublicKeyInfo and an openssl-style config file. The purpose of
this is to take a config that my code already knows how to generate, and
put it in a form that certmonger can use. This is nearly done and
available at:
https://github.com/LiptonB/freeipa-prototypes/blob/master/build_requestinfo.c 



Nice! As I said above, this could really make implementing the "new" 
csrgen interface simple.





- Ideally it should be possible to use this tool to reimplement the full
cert-request automation (local-cert-build branch) without a dependency
on the certutil/openssl tools. However, I don't think any of the python
crypto libraries have bindings for the functions that deal with
CertificationRequestInfo objects, so I don't think I can do this in the
short term.


You can use python-cffi to write your own minimal bindings. It's 
fairly straightforward, take a look at FreeIPA commit 500ee7e2 for an 
example of

[Freeipa-devel] [freeipa PR#308][+pushed] Add 'env_confdir' to constants

  URL: https://github.com/freeipa/freeipa/pull/308
Title: #308: Add 'env_confdir' to constants

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#308][closed] Add 'env_confdir' to constants

   URL: https://github.com/freeipa/freeipa/pull/308
Author: martbab
 Title: #308: Add 'env_confdir' to constants
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/308/head:pr308
git checkout pr308
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#293][synchronized] Run out-of-tree tests in Travis CI

   URL: https://github.com/freeipa/freeipa/pull/293
Author: martbab
 Title: #293: Run out-of-tree tests in Travis CI
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/293/head:pr293
git checkout pr293
From e2207f94b215091b0f9e42f7e035107596fb768a Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 30 Nov 2016 10:30:04 +0100
Subject: [PATCH 1/2] Configuration file for ipa-docker-test-runner

Prepare a configuration file for
https://github.com/martbab/ipa-docker-test-runner. The latest
freeipa-fedora-test-runner Docker image (F25 as of time of writing this
message) will be used to run tests. Some of them will be purposefuly excluded
from the test suite, namely:

* test_integration and test_webui: for obvious reasons, CI tests require
  complicated multi-host setup which is currently not achievable in Travis CI
* test_ipapython/test_keyring: Docker can not cope with storing and retrieving
  secrets from Kernel keyring, that is a known issue
* test_xmlrpc/test_dns_plugin.py:test_dns_soa: There are 2-3 non-deterministic
  failures in this suite in Travis CI, this suite was disabled until the root
  cause is discovered and fixed/workarounded
---
 .test_runner_config.yaml | 50 
 1 file changed, 50 insertions(+)
 create mode 100644 .test_runner_config.yaml

diff --git a/.test_runner_config.yaml b/.test_runner_config.yaml
new file mode 100644
index 000..f1205e8
--- /dev/null
+++ b/.test_runner_config.yaml
@@ -0,0 +1,50 @@
+container:
+  detach: true
+  hostname: master.ipa.test
+  working_dir: /freeipa
+host:
+  binds:
+  - /sys/fs/cgroup:/sys/fs/cgroup:ro
+  - /dev/urandom:/dev/random:ro
+  privileged: true
+  security_opt:
+  - label:disable
+  tmpfs:
+  - /tmp
+  - /run
+server:
+  domain: ipa.test
+  password: Secret123
+  realm: IPA.TEST
+steps:
+  build:
+  - make V=0 ${make_target}
+  builddep:
+  - rm -rf /var/cache/dnf/*
+  - "dnf makecache fast || :"
+  - dnf builddep -y ${builddep_opts} --spec freeipa.spec.in --best --allowerasing
+  cleanup:
+  - chown -R ${uid}:${gid} ${container_working_dir}
+  configure:
+  - ./autogen.sh
+  install_packages:
+  - dnf install -y ${container_working_dir}/dist/rpms/*.rpm --best --allowerasing
+  install_server:
+  - ipa-server-install -U --domain ${server_domain} --realm ${server_realm} -p ${server_password}
+-a ${server_password} --setup-dns --auto-forwarders
+  - ipa-kra-install -p ${server_password}
+  lint:
+  - make V=0 lint
+  prepare_tests:
+  - echo ${server_password} | kinit admin && ipa ping
+  - cp -r /etc/ipa/* ~/.ipa/
+  - echo ${server_password} > ~/.ipa/.dmpw
+  - echo 'wait_for_dns=5' >> ~/.ipa/default.conf
+  run_tests:
+  - ipa-run-tests ${tests_ignore} -k-test_dns_soa ${tests_verbose} ${path}
+tests:
+  ignore:
+  - test_integration
+  - test_webui
+  - test_ipapython/test_keyring.py
+  verbose: true

From e398793c0a9e5ea24a569e224abc36732a79496e Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 30 Nov 2016 10:37:46 +0100
Subject: [PATCH 2/2] Use ipa-docker-test-runner to run tests in Travis CI

https://github.com/martbab/ipa-docker-test-runner is now used to run the
following tasks in Travis CI:

* pull in a FreeIPA test runner Docker image
* configure/make lint/make rpms
* install rpms
* install FreeIPA server and KRA
* run out-of-tree tests

For performance reasons (last two steps are very time-consuming) the available
tests were split roughly in half and are run as two separate jobs to speed up
the process.

AD trust is not installed as part of tests since the enabled compat plugin
causes false negative errors.
---
 .travis.yml | 36 
 1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 44a2ee6..e870213 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,16 +1,44 @@
 services:
 - docker
 
+env:
+global:
+- TEST_RUNNER_IMAGE="martbab/freeipa-fedora-test-runner:master-latest"
+matrix:
+- TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py"
+- >
+TESTS_TO_RUN="test_cmdline
+test_install
+test_ipalib
+test_ipapython
+test_ipaserver
+test_pkcs10
+test_xmlrpc/test_[l-z]*.py"
 before_install:
 - pip install pep8
+- >
+  pip3 install
+  git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-0
 
 script:
 - >
 if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]];
 then
-git diff origin/${TRAVIS_BRANCH} -U0 | pep8 --diff;
+git diff origin/${TRAVIS_BRANCH} -U0 | pep8 --diff &> pep8_errors.log;
 fi
+- "pushd ipatests; test_set=`ls -d -1 $TESTS_TO_RUN 2> /dev/null`; popd"
+# use travis_wait so that long running tasks (tests) which produce no
+# output do not cause premature termination of the

[Freeipa-devel] [freeipa PR#308][comment] Add 'env_confdir' to constants

  URL: https://github.com/freeipa/freeipa/pull/308
Title: #308: Add 'env_confdir' to constants

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/1300381d45a23073261e62cb031cf4285a34f641
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/308#issuecomment-264884316
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#292][comment] Increase the timeout waiting for certificate issuance in installer

  URL: https://github.com/freeipa/freeipa/pull/292
Title: #292: Increase the timeout waiting for certificate issuance in installer

martbab commented:
"""
IMHO anything is better than hardcoded values so you have my blessing.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/292#issuecomment-264882789
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#292][comment] Increase the timeout waiting for certificate issuance in installer

2016-12-05 Thread flo-renaud

  URL: https://github.com/freeipa/freeipa/pull/292
Title: #292: Increase the timeout waiting for certificate issuance in installer

flo-renaud commented:
"""
@martbab @mbasti-rh: I checked the code and some parts already use 
api.env.startup_timeout for certmonger requests (in ipa_certupdate.py or 
ipa_cacert_manage.py for instance). Is it OK for you if I replace my hardcoded 
value with api.env.startup_timeout?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/292#issuecomment-264880484
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#279][synchronized] installer: Stop adding distro-specific NTP servers into ntp.conf

2016-12-05 Thread dkupka

   URL: https://github.com/freeipa/freeipa/pull/279
Author: dkupka
 Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/279/head:pr279
git checkout pr279
From 4ddca08b72fb27ed46a2ad0d057bf38cb8ac92c8 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Mon, 28 Nov 2016 15:56:30 +0100
Subject: [PATCH] installer: Stop adding distro-specific NTP servers into
 ntp.conf

Distribution packaged ntpd has servers preconfigured in ntp.conf so
there's no point in trying to add them again during FreeIPA server
installation.
Also fix the code to always put fudge line right after the local server
line as required by ntpd.

https://fedorahosted.org/freeipa/ticket/6486
---
 ipaserver/install/ntpinstance.py | 49 ++--
 1 file changed, 7 insertions(+), 42 deletions(-)

diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
index 716eb08..fe7c665 100644
--- a/ipaserver/install/ntpinstance.py
+++ b/ipaserver/install/ntpinstance.py
@@ -20,7 +20,6 @@
 
 from ipaserver.install import service
 from ipaserver.install import sysupgrade
-from ipapython import ipautil
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger
@@ -60,26 +59,10 @@ def __write_config(self):
 self.fstore.backup_file(paths.NTP_CONF)
 self.fstore.backup_file(paths.SYSCONFIG_NTPD)
 
-# We use the OS variable to point it towards either the rhel
-# or fedora pools. Other distros should be added in the future
-# or we can get our own pool.
-os = ""
-if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
-os = "fedora"
-elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
-os = "rhel"
-
-srv_vals = []
-srv_vals.append("0.%s.pool.ntp.org" % os)
-srv_vals.append("1.%s.pool.ntp.org" % os)
-srv_vals.append("2.%s.pool.ntp.org" % os)
-srv_vals.append("3.%s.pool.ntp.org" % os)
-srv_vals.append("127.127.1.0")
+local_srv = "127.127.1.0"
 fudge = ["fudge", "127.127.1.0", "stratum", "10"]
 
 #read in memory, change it, then overwrite file
-file_changed = False
-fudge_present = False
 ntpconf = []
 fd = open(paths.NTP_CONF, "r")
 for line in fd:
@@ -88,37 +71,19 @@ def __write_config(self):
 ntpconf.append(line)
 continue
 
-if opt[0] == "server":
-match = False
-for srv in srv_vals:
-if opt[1] == srv:
-match = True
-break
-if match:
-srv_vals.remove(srv)
-else:
-file_changed = True
-line = ""
+if opt[0] == "server" and opt[1] == local_srv:
+line = ""
 elif opt[0] == "fudge":
-if opt[0:4] == fudge[0:4]:
-fudge_present = True
-else:
-file_changed = True
-line = ""
+line = ""
 
 ntpconf.append(line)
 
-if file_changed or len(srv_vals) != 0 or not fudge_present:
-fd = open(paths.NTP_CONF, "w")
+with open(paths.NTP_CONF, "w") as fd:
 for line in ntpconf:
 fd.write(line)
 fd.write("\n### Added by IPA Installer ###\n")
-if len(srv_vals) != 0:
-for srv in srv_vals:
-fd.write("server "+srv+" iburst\n")
-if not fudge_present:
-fd.write("fudge 127.127.1.0 stratum 10\n")
-fd.close()
+fd.write("server {} iburst\n".format(local_srv_present))
+fd.write("{}\n".format(' '.join(fudge)))
 
 #read in memory, find OPTIONS, check/change it, then overwrite file
 needopts = [ {'val':'-x', 'need':True},
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#308][comment] Add 'env_confdir' to constants

  URL: https://github.com/freeipa/freeipa/pull/308
Title: #308: Add 'env_confdir' to constants

tiran commented:
"""
```env_confdir ``` was added in PR #302. This PR is required to make test 
passing.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/308#issuecomment-264862403
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#308][+ack] Add 'env_confdir' to constants

  URL: https://github.com/freeipa/freeipa/pull/308
Title: #308: Add 'env_confdir' to constants

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#309][+ack] ipa-replica-conncheck: fix race condition

  URL: https://github.com/freeipa/freeipa/pull/309
Title: #309: ipa-replica-conncheck: fix race condition

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#307][comment] Lowered the version of gettext

  URL: https://github.com/freeipa/freeipa/pull/307
Title: #307: Lowered the version of gettext

pspacek commented:
"""
If the file `Rules-quot` is generated by `autoreconf -i`, please remove it 
completely and add it into `.gitignore`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/307#issuecomment-264858929
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#227][+ack] cert-request: match names against principal aliases

  URL: https://github.com/freeipa/freeipa/pull/227
Title: #227: cert-request: match names against principal aliases

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases

2016-12-05 Thread apophys

  URL: https://github.com/freeipa/freeipa/pull/227
Title: #227: cert-request: match names against principal aliases

apophys commented:
"""
The tests look good to me.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/227#issuecomment-264854251
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#309][opened] ipa-replica-conncheck: fix race condition

2016-12-05 Thread tomaskrizek

   URL: https://github.com/freeipa/freeipa/pull/309
Author: tomaskrizek
 Title: #309: ipa-replica-conncheck: fix race condition
Action: opened

PR body:
"""
When the thread that opens ports would execute notify() before the
original thread could call wait(), the original thread would wait
indefinitely for a notify() call.

https://fedorahosted.org/freeipa/ticket/6487
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/309/head:pr309
git checkout pr309
From 48e074f90fa21ccb42d055e532bd437bdf1c12da Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 5 Dec 2016 14:01:01 +0100
Subject: [PATCH] ipa-replica-conncheck: fix race condition

When the thread that opens ports would execute notify() before the
original thread could call wait(), the original thread would wait
indefinitely for a notify() call.

https://fedorahosted.org/freeipa/ticket/6487
---
 install/tools/ipa-replica-conncheck | 17 +++--
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 121f068..cd1b138 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -297,16 +297,18 @@ class PortResponder(threading.Thread):
 self._close = False
 self._close_lock = threading.Lock()
 self.responder_data = 'FreeIPA'
-self.ports_open = threading.Condition()
+self.ports_opened = False
+self.ports_open_cond = threading.Condition()
 
 def run(self):
 root_logger.debug('Starting listening thread.')
 
 for port in self.ports:
 self._bind_to_port(port.port, port.port_type)
-with self.ports_open:
+with self.ports_open_cond:
+self.ports_opened = True
 root_logger.debug('Ports opened, notify original thread')
-self.ports_open.notify()
+self.ports_open_cond.notify()
 
 while not self._is_closing():
 ready_socks, _socks1, _socks2 = select.select(
@@ -462,9 +464,12 @@ def main():
 
 RESPONDER = PortResponder(required_ports)
 RESPONDER.start()
-with RESPONDER.ports_open:
-RESPONDER.ports_open.wait()
-root_logger.debug('Original thread resumed')
+
+with RESPONDER.ports_open_cond:
+if not RESPONDER.ports_opened:
+root_logger.debug('Original thread stopped')
+RESPONDER.ports_open_cond.wait()
+root_logger.debug('Original thread resumed')
 
 remote_check_opts = ['--replica %s' % options.hostname]
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates

2016-12-05 Thread Jan Cholasta

On 25.11.2016 15:55, Sumit Bose wrote:

On Fri, Nov 25, 2016 at 02:19:10PM +0100, Jan Cholasta wrote:

Bump, Sumit, have you seen my comments? I haven't heard back from you.

Yes, I've seen it and added a comment about it on the page
https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates#Matching-alternativeRFC4523syntax
To cut it short I would prefer to use a standard, but I think RFC4523
currently does nit meet out needs. But I would be happy if there are
ways to mitigate my concerns.

What I actually had in mind was not to use the full RFC 4523 syntax, but
rather re-use the concepts used in it - for example, instead of using
regular expressions to match subject names, we could use a scheme based
on name constraints, where the subject name is matched using base +
minimum distance + maximum distance, which could look like this, written
down using glob-like syntax:

directoryName=CN=a,O=b
(base = CN=a,O=b, minimum distance = 0, maximum distance = 0)

directoryName=*,O=b
(base = O=b, minimum distance = 1, maximum distance = 1)

directoryName=*,*,O=b
(base = O=b, minimum distance = 2, maximum distance = 2)

directoryName=**,*,O=b
(base = O=b, minimum distance = 1, maximum distance unspecified)

I'm working on updating and changing other sections as well and planned
to reply when I'm done with the other sections as well.

OK, thanks for the heads up.

bye,
Sumit

On 17.10.2016 09:50, Jan Cholasta wrote:

Hi,

On 13.10.2016 18:52, Sumit Bose wrote:

On Tue, Oct 11, 2016 at 01:37:09PM +0200, Sumit Bose wrote:

On Thu, Oct 06, 2016 at 12:49:30PM +0200, Sumit Bose wrote:

Hi,

I've started to write a SSSD design page about enhancing the current
mapping of certificates to users and how to select/match a suitable
certificate if multiple certificates are on a Smartcard.

My currently thoughts and idea and be found at
https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates

and for your convenience below as well.

Comments and suggestions are welcome. Please let me know about
concerns,
alternatives and missing use-cases/user-stories.

bye,
Sumit

Hi,

Rob, Fraser, Alexander, thank you for your comments. I think both the
issuer specific matching and the OID in the SUBJECT matching are good
ideas. I updated the design page accordingly. The changes can be shown
with
https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates?action=diff=9_version=6

The updated version can be found below as well. Of course more
comments and
suggestions are still very welcome.

I did another update. A "Compatibility with Active Director" section is
added which made me realize that there are use-cases for using the
issuer in the mapping as well and the sub-strings in LDAP search filters
might be useful as well.

The changes can be seen with
https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates?action=diff=10_version=9

Please let me know your comments and suggestions.

bye,
Sumit

= Matching and Mapping Certificates =

Related ticket(s):
*
http://www.freeipa.org/page/V4/User_Certificates#Certificate_Identity_Mapping

=== Problem statement ===
Mapping
Currently it is required that a certificate used for authentication is
either stored in the LDAP user entry or in a matching override. This
might not always be applicable and other ways are needed to relate a
user with a certificate.

Matching
Even if SSSD will support multiple certificates on a Smartcard in the
context of https://fedorahosted.org/sssd/ticket/3050 it might be
necessary to restrict (or relax) the current certificate selection in
certain environments.

=== Use cases ===
Mapping
In some environments it might not be possible or would cause unwanted
effort to add certificates to the LDAP entry of the users to allow
Smartcard based authentication. Reasons might be:
* Certificates/Smartcards are issued externally
* LDAP schema extension is not possible or not allowed

Matching
A user might have multiple certificate on a Smartcard which are
suitable for authentication. But on some host in the environment only
certificates from a specific CA (while all other CAs are trusted as
well) or with some special extension should be valid for login.

=== Overview of the solution ===
To match a certificate a language/syntax has to be defined which
allows to reference items from the certificate and compare the values
with the expected data. To map the certificates to a user the
language/syntax should allow to relate certificate items with LDAP
attributes so that the value(s) from the certificate item can be used
in a LDAP search filter.

Note that in some cases it might be possible to map a certificate to a
user without having to do an extra LDAP search, for example when the
certificate contains the principal name of the user. Does the design
allow this? Or is there no extra LDAP search?

=== Implementation details

[Freeipa-devel] [freeipa PR#303][comment] Add python-pyasn1-modules into dependencies

  URL: https://github.com/freeipa/freeipa/pull/303
Title: #303: Add python-pyasn1-modules into dependencies

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a8b7dbff8ac660a28faf7ef43c7a0952171423b8
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/303#issuecomment-264847546
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#303][+pushed] Add python-pyasn1-modules into dependencies

  URL: https://github.com/freeipa/freeipa/pull/303
Title: #303: Add python-pyasn1-modules into dependencies

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#303][+ack] Add python-pyasn1-modules into dependencies

  URL: https://github.com/freeipa/freeipa/pull/303
Title: #303: Add python-pyasn1-modules into dependencies

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#303][comment] Add python-pyasn1-modules into dependencies

2016-12-05 Thread pvomacka

  URL: https://github.com/freeipa/freeipa/pull/303
Title: #303: Add python-pyasn1-modules into dependencies

pvomacka commented:
"""
Added, I also added more information into commit message.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/303#issuecomment-264845609
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#303][synchronized] Add python-pyasn1-modules into dependencies

2016-12-05 Thread pvomacka

   URL: https://github.com/freeipa/freeipa/pull/303
Author: pvomacka
 Title: #303: Add python-pyasn1-modules into dependencies
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/303/head:pr303
git checkout pr303
From f20e47fd6d6e54f4d67e9b1dfd756cfea1f5915f Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Fri, 2 Dec 2016 17:09:48 +0100
Subject: [PATCH] Add python-pyasn1-modules into dependencies

Python-pyasn1-modules is needed because of this import:
 from pyasn1_modules import rfc2459
in ipalib/x509.py.

Python-pyasn1-modules is required only by python-ldap package, but it would be
good to not rely on another package and rather say explicitely that
this package is necessary.

https://fedorahosted.org/freeipa/ticket/6398
---
 freeipa.spec.in | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 15c3e68..cba40c2 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -102,6 +102,7 @@ BuildRequires:  python-ldap
 BuildRequires:  python-nss
 BuildRequires:  python-netaddr
 BuildRequires:  python-pyasn1
+BuildRequires:  python-pyasn1-modules
 BuildRequires:  python-dns
 BuildRequires:  python-six
 BuildRequires:  python-libsss_nss_idmap
@@ -515,6 +516,7 @@ Requires: python-netaddr
 Requires: python-libipa_hbac
 Requires: python-qrcode-core >= 5.0.0
 Requires: python-pyasn1
+Requires: python-pyasn1-modules
 Requires: python-dateutil
 Requires: python-yubico >= 1.2.3
 Requires: python-sss-murmur
@@ -564,6 +566,7 @@ Requires: python3-netaddr
 Requires: python3-libipa_hbac
 Requires: python3-qrcode-core >= 5.0.0
 Requires: python3-pyasn1
+Requires: python3-pyasn1-modules
 Requires: python3-dateutil
 Requires: python3-yubico >= 1.2.3
 Requires: python3-sss-murmur
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#308][opened] Add 'env_confdir' to constants

   URL: https://github.com/freeipa/freeipa/pull/308
Author: martbab
 Title: #308: Add 'env_confdir' to constants
Action: opened

PR body:
"""
Env confdir is always populated so it should be listed among variables
set during a call to `Env._bootstrap()`.

https://fedorahosted.org/freeipa/ticket/6389
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/308/head:pr308
git checkout pr308
From 26635cf3591e23fe437ec6f51d7e56a33227a6ad Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 5 Dec 2016 13:39:42 +0100
Subject: [PATCH] Add 'env_confdir' to constants

Env confdir is always populated so it should be listed among variables
set during a call to `Env._bootstrap()`.

https://fedorahosted.org/freeipa/ticket/6389
---
 ipalib/constants.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 80bbdbc..81643da 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -221,6 +221,7 @@
 ('dot_ipa', object),  # ~/.ipa directory
 ('context', object),  # Name of context, default is 'default'
 ('confdir', object),  # Directory containing config files
+('env_confdir', None),  # conf dir specified by IPA_CONFDIR env variable
 ('conf', object),  # File containing context specific config
 ('conf_default', object),  # File containing context independent config
 ('plugins_on_demand', object),  # Whether to finalize plugins on-demand (bool)
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#307][opened] Lowered the version of gettext

2016-12-05 Thread pvomacka

   URL: https://github.com/freeipa/freeipa/pull/307
Author: pvomacka
 Title: #307: Lowered the version of gettext
Action: opened

PR body:
"""
The lower version is needed while building on RHEL.
Also regenerated Rules-quot file.

https://fedorahosted.org/freeipa/ticket/6418
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/307/head:pr307
git checkout pr307
From 5afa4bc62419d3bc14ab2d70c4f3f6bb95125c78 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Fri, 25 Nov 2016 15:02:14 +0100
Subject: [PATCH] Lowered the version of gettext

The lower version is needed while building on RHEL.
Also regenerated Rules-quot file.

https://fedorahosted.org/freeipa/ticket/6418
---
 configure.ac  |  2 +-
 po/Rules-quot | 15 ++-
 2 files changed, 3 insertions(+), 14 deletions(-)

diff --git a/configure.ac b/configure.ac
index 66e6e9b..5674d27 100644
--- a/configure.ac
+++ b/configure.ac
@@ -299,7 +299,7 @@ AC_CONFIG_COMMANDS([po/POTFILES.in],
 			> po/POTFILES.in && dnl
 			cd "${find_start_pwd}"])
 AC_SUBST(GETTEXT_DOMAIN, [ipa])
-AM_GNU_GETTEXT_VERSION([0.19.8])
+AM_GNU_GETTEXT_VERSION([0.18.2])
 AM_GNU_GETTEXT([external])
 
 dnl integrate our custom hacks into gettextize infrastructure
diff --git a/po/Rules-quot b/po/Rules-quot
index baf6528..d2ac20d 100644
--- a/po/Rules-quot
+++ b/po/Rules-quot
@@ -1,4 +1,3 @@
-# This file, Rules-quot, can be copied and used freely without restrictions.
 # Special Makefile rules for English message catalogs with quotation marks.
 
 DISTFILES.common.extra1 = quot.sed boldquot.sed en@quot.header en@boldquot.header insert-header.sin Rules-quot
@@ -15,23 +14,13 @@ e...@boldquot.po-update: e...@boldquot.po-update-en
 
 .insert-header.po-update-en:
 	@lang=`echo $@ | sed -e 's/\.po-update-en$$//'`; \
-	if test "$(PACKAGE)" = "gettext-tools" && test "$(CROSS_COMPILING)" != "yes"; then PATH=`pwd`/../src:$$PATH; GETTEXTLIBDIR=`cd $(top_srcdir)/src && pwd`; export GETTEXTLIBDIR; fi; \
+	if test "$(PACKAGE)" = "gettext-tools"; then PATH=`pwd`/../src:$$PATH; GETTEXTLIBDIR=`cd $(top_srcdir)/src && pwd`; export GETTEXTLIBDIR; fi; \
 	tmpdir=`pwd`; \
 	echo "$$lang:"; \
 	ll=`echo $$lang | sed -e 's/@.*//'`; \
 	LC_ALL=C; export LC_ALL; \
 	cd $(srcdir); \
-	if $(MSGINIT) $(MSGINIT_OPTIONS) -i $(DOMAIN).pot --no-translator -l $$lang -o - 2>/dev/null \
-	   | $(SED) -f $$tmpdir/$$lang.insert-header | $(MSGCONV) -t UTF-8 | \
-	   { case `$(MSGFILTER) --version | sed 1q | sed -e 's,^[^0-9]*,,'` in \
-	 '' | 0.[0-9] | 0.[0-9].* | 0.1[0-8] | 0.1[0-8].*) \
-	   $(MSGFILTER) $(SED) -f `echo $$lang | sed -e 's/.*@//'`.sed \
-	   ;; \
-	 *) \
-	   $(MSGFILTER) `echo $$lang | sed -e 's/.*@//'` \
-	   ;; \
-	 esac } 2>/dev/null > $$tmpdir/$$lang.new.po \
-	 ; then \
+	if $(MSGINIT) -i $(DOMAIN).pot --no-translator -l $$lang -o - 2>/dev/null | sed -f $$tmpdir/$$lang.insert-header | $(MSGCONV) -t UTF-8 | $(MSGFILTER) sed -f `echo $$lang | sed -e 's/.*@//'`.sed 2>/dev/null > $$tmpdir/$$lang.new.po; then \
 	  if cmp $$lang.po $$tmpdir/$$lang.new.po >/dev/null 2>&1; then \
 	rm -f $$tmpdir/$$lang.new.po; \
 	  else \
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#227][synchronized] cert-request: match names against principal aliases

2016-12-05 Thread frasertweedale

   URL: https://github.com/freeipa/freeipa/pull/227
Author: frasertweedale
 Title: #227: cert-request: match names against principal aliases
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/227/head:pr227
git checkout pr227
From c347ff830e21dcc8167149d8fead61882c4ba704 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Wed, 26 Oct 2016 09:48:19 +1000
Subject: [PATCH] cert-request: match names against principal aliases

Currently we do not check Kerberos principal aliases when validating
a CSR.  Enhance cert-request to accept the following scenarios:

- for hosts and services: CN and SAN dnsNames match a principal
  alias (realm and service name must be same as nominated principal)

- for all principal types: UPN or KRB5PrincipalName othername match
  any principal alias.

Fixes: https://fedorahosted.org/freeipa/ticket/6295
---
 ipaserver/plugins/cert.py  | 113 -
 .../test_xmlrpc/test_caacl_profile_enforcement.py  |  85 +---
 2 files changed, 158 insertions(+), 40 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 3571ef1..e4efa7d 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -649,11 +649,13 @@ def execute(self, csr, all=False, raw=False, **kw):
 cn = cns[-1].value  # "most specific" is end of list
 
 if principal_type in (SERVICE, HOST):
-if cn.lower() != principal.hostname.lower():
-raise errors.ACIError(
-info=_("hostname in subject of request '%(cn)s' "
-"does not match principal hostname '%(hostname)s'")
-% dict(cn=cn, hostname=principal.hostname))
+if not _dns_name_matches_principal(cn, principal, principal_obj):
+raise errors.ValidationError(
+name='csr',
+error=_(
+"hostname in subject of request '%(cn)s' does not "
+"match name or aliases of principal '%(principal)s'"
+) % dict(cn=cn, principal=principal))
 elif principal_type == USER:
 # check user name
 if cn != principal.username:
@@ -686,26 +688,32 @@ def execute(self, csr, all=False, raw=False, **kw):
 generalnames = x509.process_othernames(ext_san.value)
 for gn in generalnames:
 if isinstance(gn, cryptography.x509.general_name.DNSName):
+if principal.is_user:
+raise errors.ValidationError(
+name='csr',
+error=_(
+"subject alt name type %s is forbidden "
+"for user principals") % "DNSName"
+)
+
 name = gn.value
-alt_principal = None
+
+if _dns_name_matches_principal(name, principal, principal_obj):
+continue  # nothing more to check for this alt name
+
+# no match yet; check for an alternative principal with
+# same realm and service type as subject principal.
+components = list(principal.components)
+components[-1] = name
+alt_principal = kerberos.Principal(components, principal.realm)
 alt_principal_obj = None
 try:
 if principal_type == HOST:
-alt_principal = kerberos.Principal(
-(u'host', name), principal.realm)
-alt_principal_obj = api.Command['host_show'](name, all=True)
+alt_principal_obj = api.Command['host_show'](
+name, all=True)
 elif principal_type == SERVICE:
-alt_principal = kerberos.Principal(
-(principal.service_name, name), principal.realm)
 alt_principal_obj = api.Command['service_show'](
 alt_principal, all=True)
-elif principal_type == USER:
-raise errors.ValidationError(
-name='csr',
-error=_(
-"subject alt name type %s is forbidden "
-"for user principals") % "DNSName"
-)
 except errors.NotFound:
 # We don't want to issue any certificates referencing
 # machines we don't know about. Nothing is stored in this
@@ -713,18 +721,23 @@ def execute(self, csr, all=False, raw=False, **kw):
 raise errors.NotFound(reason=_('The service principal for '
 'subject alt name %s in certificate request does not '

[Freeipa-devel] [freeipa PR#227][synchronized] cert-request: match names against principal aliases

2016-12-05 Thread frasertweedale

   URL: https://github.com/freeipa/freeipa/pull/227
Author: frasertweedale
 Title: #227: cert-request: match names against principal aliases
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/227/head:pr227
git checkout pr227
From b84e266b1fdb82fde2a2f6a518c7ce6dc8976e3b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Wed, 26 Oct 2016 09:48:19 +1000
Subject: [PATCH] cert-request: match names against principal aliases

Currently we do not check Kerberos principal aliases when validating
a CSR.  Enhance cert-request to accept the following scenarios:

- for hosts and services: CN and SAN dnsNames match a principal
  alias (realm and service name must be same as nominated principal)

- for all principal types: UPN or KRB5PrincipalName othername match
  any principal alias.

Fixes: https://fedorahosted.org/freeipa/ticket/6295
---
 ipaserver/plugins/cert.py  | 113 -
 .../test_xmlrpc/test_caacl_profile_enforcement.py  |  85 +---
 2 files changed, 158 insertions(+), 40 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 3571ef1..ca94b85 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -649,11 +649,13 @@ def execute(self, csr, all=False, raw=False, **kw):
 cn = cns[-1].value  # "most specific" is end of list
 
 if principal_type in (SERVICE, HOST):
-if cn.lower() != principal.hostname.lower():
-raise errors.ACIError(
-info=_("hostname in subject of request '%(cn)s' "
-"does not match principal hostname '%(hostname)s'")
-% dict(cn=cn, hostname=principal.hostname))
+if not _dns_name_matches_principal(cn, principal, principal_obj):
+raise errors.ValidationError(
+name='csr',
+error=_(
+"hostname in subject of request '%(cn)s' does not "
+"match name or aliases of principal '%(principal)s'"
+) % dict(cn=cn, principal=principal))
 elif principal_type == USER:
 # check user name
 if cn != principal.username:
@@ -686,26 +688,32 @@ def execute(self, csr, all=False, raw=False, **kw):
 generalnames = x509.process_othernames(ext_san.value)
 for gn in generalnames:
 if isinstance(gn, cryptography.x509.general_name.DNSName):
+if principal.is_user:
+raise errors.ValidationError(
+name='csr',
+error=_(
+"subject alt name type %s is forbidden "
+"for user principals") % "DNSName"
+)
+
 name = gn.value
-alt_principal = None
+
+if _dns_name_matches_principal(name, principal, principal_obj):
+continue  # nothing more to check for this alt name
+
+# no match yet; check for an alternative principal with
+# same realm and service type as subject principal.
+components = list(principal.components)
+components[-1] = name
+alt_principal = kerberos.Principal(components, principal.realm)
 alt_principal_obj = None
 try:
 if principal_type == HOST:
-alt_principal = kerberos.Principal(
-(u'host', name), principal.realm)
-alt_principal_obj = api.Command['host_show'](name, all=True)
+alt_principal_obj = api.Command['host_show'](
+name, all=True)
 elif principal_type == SERVICE:
-alt_principal = kerberos.Principal(
-(principal.service_name, name), principal.realm)
 alt_principal_obj = api.Command['service_show'](
 alt_principal, all=True)
-elif principal_type == USER:
-raise errors.ValidationError(
-name='csr',
-error=_(
-"subject alt name type %s is forbidden "
-"for user principals") % "DNSName"
-)
 except errors.NotFound:
 # We don't want to issue any certificates referencing
 # machines we don't know about. Nothing is stored in this
@@ -713,18 +721,23 @@ def execute(self, csr, all=False, raw=False, **kw):
 raise errors.NotFound(reason=_('The service principal for '
 'subject alt name %s in certificate request does not '

[Freeipa-devel] [freeipa PR#304][comment] Relax check for .git to support freeipa in submodules

  URL: https://github.com/freeipa/freeipa/pull/304
Title: #304: Relax check for .git to support freeipa in submodules

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/cac0c2d951e10d49372a038c73f796dc3beb62b9
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/304#issuecomment-264828226
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#304][+pushed] Relax check for .git to support freeipa in submodules

  URL: https://github.com/freeipa/freeipa/pull/304
Title: #304: Relax check for .git to support freeipa in submodules

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#304][closed] Relax check for .git to support freeipa in submodules

   URL: https://github.com/freeipa/freeipa/pull/304
Author: tiran
 Title: #304: Relax check for .git to support freeipa in submodules
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/304/head:pr304
git checkout pr304
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#306][comment] Ignore backup~ files like config.h.in~

  URL: https://github.com/freeipa/freeipa/pull/306
Title: #306: Ignore backup~ files like config.h.in~

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/86295a8c2ea5c0546b070053d490b3a8b8013012
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/306#issuecomment-264827081
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#306][closed] Ignore backup~ files like config.h.in~

   URL: https://github.com/freeipa/freeipa/pull/306
Author: tiran
 Title: #306: Ignore backup~ files like config.h.in~
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/306/head:pr306
git checkout pr306
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#306][+pushed] Ignore backup~ files like config.h.in~

  URL: https://github.com/freeipa/freeipa/pull/306
Title: #306: Ignore backup~ files like config.h.in~

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#306][+ack] Ignore backup~ files like config.h.in~

  URL: https://github.com/freeipa/freeipa/pull/306
Title: #306: Ignore backup~ files like config.h.in~

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#306][opened] Ignore backup~ files like config.h.in~

   URL: https://github.com/freeipa/freeipa/pull/306
Author: tiran
 Title: #306: Ignore backup~ files like config.h.in~
Action: opened

PR body:
"""
Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/306/head:pr306
git checkout pr306
From 27d97c72975f9f5514a27063558859b7ccad425a Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 5 Dec 2016 11:54:20 +0100
Subject: [PATCH] Ignore backup~ files like config.h.in~

Signed-off-by: Christian Heimes 
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index 86389ef..a9c71e4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,6 +27,7 @@ Makefile.in
 *.log
 *.o
 *.trs
+*~
 version.m4
 aclocal.m4
 autom4te.cache/
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#305][closed] Fetch correct exception in IPA_CONFDIR test

   URL: https://github.com/freeipa/freeipa/pull/305
Author: tiran
 Title: #305: Fetch correct exception in IPA_CONFDIR test
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/305/head:pr305
git checkout pr305
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#305][+pushed] Fetch correct exception in IPA_CONFDIR test

  URL: https://github.com/freeipa/freeipa/pull/305
Title: #305: Fetch correct exception in IPA_CONFDIR test

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#305][comment] Fetch correct exception in IPA_CONFDIR test

  URL: https://github.com/freeipa/freeipa/pull/305
Title: #305: Fetch correct exception in IPA_CONFDIR test

jcholast commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/34bd2b6332f3dabc0eb36f7021238df286a6
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/305#issuecomment-264823975
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#305][+ack] Fetch correct exception in IPA_CONFDIR test

  URL: https://github.com/freeipa/freeipa/pull/305
Title: #305: Fetch correct exception in IPA_CONFDIR test

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#304][+ack] Relax check for .git to support freeipa in submodules

  URL: https://github.com/freeipa/freeipa/pull/304
Title: #304: Relax check for .git to support freeipa in submodules

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#305][opened] Fetch correct exception in IPA_CONFDIR test