[Freeipa-devel] [freeipa PR#279][comment] installer: Stop adding distro-specific NTP servers into ntp.conf
URL: https://github.com/freeipa/freeipa/pull/279 Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf pspacek commented: """ NACK """ See the full comment at https://github.com/freeipa/freeipa/pull/279#issuecomment-265084090 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#279][synchronized] installer: Stop adding distro-specific NTP servers into ntp.conf
URL: https://github.com/freeipa/freeipa/pull/279 Author: dkupka Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/279/head:pr279 git checkout pr279 From ea389fa57f485ea4778300b1515aa9997a249c4b Mon Sep 17 00:00:00 2001 From: David KupkaDate: Mon, 28 Nov 2016 15:56:30 +0100 Subject: [PATCH] installer: Stop adding distro-specific NTP servers into ntp.conf Distribution packaged ntpd has servers preconfigured in ntp.conf so there's no point in trying to add them again during FreeIPA server installation. Also fix the code to always put fudge line right after the local server line as required by ntpd. https://fedorahosted.org/freeipa/ticket/6486 --- ipaserver/install/ntpinstance.py | 49 ++-- 1 file changed, 7 insertions(+), 42 deletions(-) diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py index 716eb08..3d8db2d 100644 --- a/ipaserver/install/ntpinstance.py +++ b/ipaserver/install/ntpinstance.py @@ -20,7 +20,6 @@ from ipaserver.install import service from ipaserver.install import sysupgrade -from ipapython import ipautil from ipaplatform.constants import constants from ipaplatform.paths import paths from ipapython.ipa_log_manager import root_logger 
@@ -60,26 +59,10 @@ def __write_config(self): self.fstore.backup_file(paths.NTP_CONF) self.fstore.backup_file(paths.SYSCONFIG_NTPD) -# We use the OS variable to point it towards either the rhel -# or fedora pools. Other distros should be added in the future -# or we can get our own pool. -os = "" -if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): -os = "fedora" -elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): -os = "rhel" - -srv_vals = [] -srv_vals.append("0.%s.pool.ntp.org" % os) -srv_vals.append("1.%s.pool.ntp.org" % os) -srv_vals.append("2.%s.pool.ntp.org" % os) -srv_vals.append("3.%s.pool.ntp.org" % os) -srv_vals.append("127.127.1.0") +local_srv = "127.127.1.0" fudge = ["fudge", "127.127.1.0", "stratum", "10"] #read in memory, change it, then overwrite file -file_changed = False -fudge_present = False ntpconf = [] fd = open(paths.NTP_CONF, "r") for line in fd: 
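Review bot: `local_srv = "127.127.1.0"` and `fudge = ["fudge", "127.127.1.0", "stratum", "10"]` repeat the same refclock address as two independent literals; write `fudge = ["fudge", local_srv, "stratum", "10"]` so the server line and the fudge line that the commit message says must follow it cannot drift apart when one of them is edited.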
@@ -88,37 +71,19 @@ def __write_config(self): ntpconf.append(line) continue -if opt[0] == "server": -match = False -for srv in srv_vals: -if opt[1] == srv: -match = True -break -if match: -srv_vals.remove(srv) -else: -file_changed = True -line = "" +if opt[0] == "server" and opt[1] == local_srv: +line = "" elif opt[0] == "fudge": -if opt[0:4] == fudge[0:4]: -fudge_present = True -else: -file_changed = True -line = "" +line = "" ntpconf.append(line) -if file_changed or len(srv_vals) != 0 or not fudge_present: -fd = open(paths.NTP_CONF, "w") +with open(paths.NTP_CONF, "w") as fd: for line in ntpconf: fd.write(line) fd.write("\n### Added by IPA Installer ###\n") -if len(srv_vals) != 0: -for srv in srv_vals: -fd.write("server "+srv+" iburst\n") -if not fudge_present: -fd.write("fudge 127.127.1.0 stratum 10\n") -fd.close() +fd.write("server {} iburst\n".format(local_srv)) +fd.write("{}\n".format(' '.join(fudge))) #read in memory, find OPTIONS, check/change it, then overwrite file needopts = [ {'val':'-x', 'need':True}, -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
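Review bot: `elif opt[0] == "fudge": line = ""` removes every fudge line in ntp.conf, including ones an administrator configured for a different reference clock, while the `server` branch in the same hunk was narrowed to `opt[1] == local_srv`; narrow the fudge branch the same way (`opt[0] == "fudge" and opt[1] == local_srv`) so the installer only removes the line it rewrites. Second, with `file_changed`, `fudge_present` and the surrounding `if` gone, the file is now rewritten and `\n### Added by IPA Installer ###\n` appended on every call, and nothing in the loop drops an existing marker comment, so each re-run of the installer or an upgrade leaves one more marker line behind; skip a line equal to the marker when reading the file back. Minor: `opt[1]` raises IndexError on a bare `server` line with no argument; guard with `len(opt) > 1`.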
[Freeipa-devel] [freeipa PR#292][synchronized] Increase the timeout waiting for certificate issuance in installer
URL: https://github.com/freeipa/freeipa/pull/292 Author: flo-renaud Title: #292: Increase the timeout waiting for certificate issuance in installer Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/292/head:pr292 git checkout pr292 From 70fc8c17bc7b1a8c2379c45b3f00e0655283e3e0 Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Wed, 30 Nov 2016 16:34:16 +0100 Subject: [PATCH] Increase the timeout waiting for certificate issuance in installer During the server installation, the installer requests certificates through certmonger. The current timeout is 60s and is too low. Increase this timeout to api.env.startup_timeout + 60 as done in ipa_cacert_manage or ipa_certupdate.py (the code checks the status each 5s up to the timeout value). https://fedorahosted.org/freeipa/ticket/6433 --- ipalib/install/certmonger.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py index 3ea900b..ac65d56 100644 --- a/ipalib/install/certmonger.py +++ b/ipalib/install/certmonger.py @@ -30,6 +30,7 @@ import shlex import subprocess import tempfile +from ipalib import api from ipapython.ipa_log_manager import root_logger from ipaplatform.paths import paths from ipaplatform import services @@ -309,7 +310,8 @@ def request_and_wait_for_cert( reqId = request_cert(nssdb, nickname, subject, principal, passwd_fname, dns, ca, profile, pre_command, post_command) -state = wait_for_request(reqId, timeout=60) +timeout = api.env.startup_timeout + 60 +state = wait_for_request(reqId, timeout) ca_error = get_request_value(reqId, 'ca-error') if state != 'MONITORING' or ca_error: raise RuntimeError("Certificate issuance failed ({})".format(state)) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
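Review bot: `api.env.startup_timeout` is read at call time inside `request_and_wait_for_cert`, so every caller of this function now needs `api` bootstrapped before this point; the new top-level `from ipalib import api` puts that requirement on ipalib/install/certmonger.py as a whole, while the commit message only cites ipa_cacert_manage and ipa_certupdate.py as precedent. Please confirm the remaining callers (server and client installers) have `api.env` initialised here, or fall back to a default when they do not. Minor: the timeout was passed as a keyword (`timeout=60`) and is now positional; `wait_for_request(reqId, timeout=timeout)` reads better.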
[Freeipa-devel] [freeipa PR#293][comment] Run out-of-tree tests in Travis CI
URL: https://github.com/freeipa/freeipa/pull/293 Title: #293: Run out-of-tree tests in Travis CI stlaz commented: """ Since I recently ran into issues with ipa-server-install and low entropy somewhere around creation of kdb proxy which drastically increased install time, would it make sense to install haveged atop of our rpms to possibly mitigate the problem? """ See the full comment at https://github.com/freeipa/freeipa/pull/293#issuecomment-264906938
Re: [Freeipa-devel] CSR autogeneration next steps
Hi Jan, thanks for the comments.

On 12/05/2016 04:25 AM, Jan Cholasta wrote:
> Hi Ben,
>
> On 3.11.2016 00:12, Ben Lipton wrote:
>> Hi everybody,
>>
>> Soon I'm going to have to reduce the amount of time I spend on new development work for the CSR autogeneration project, and I want to leave the project in as organized a state as possible. So, I'm taking inventory of the work I've done in order to make sure that what's ready for review can get reviewed and the ideas that have been discussed get prototyped or at least recorded so they won't be forgotten.
>
> Thanks, I have some questions and comments, see below.
>
>> Code that's ready for review (I will continue to put in as much time as needed to help get these ready for submission):
>>
>> - Current PR: https://github.com/freeipa/freeipa/pull/10
>
> How hard would it be to update the PR to use the "new" interface from the design thread? By this I mean that currently there is a command (cert_get_requestdata), which creates a CSR from profile id + principal + helper, but in the design we discussed a command which creates a CertificationRequestInfo from profile id + principal + public key. Internally it could use the OpenSSL helper, no need to implement the full "new" design. With your build_requestinfo.c code below it looks like it should be pretty straightforward.

This is probably doable with the cffi, but I'm concerned about usability. A user can run the current command to get a (reusable) script, and run the script to get a CSR. It works with keys in both PEM files and NSS databases already. If we change to outputting a CertificationRequestInfo, in order to make this usable on the command line, we'll need:

- An additional tool to sign a CSR given a CertificationRequestInfo (for both types of key storage).
- A way to extract a SubjectPublicKeyInfo structure from a key within the ipa command (like [1] but we need it for both types of key storage)

Since as far as I know there's no standard encoding for files containing only a CertificationRequestInfo or a SubjectPublicKeyInfo, we'll be writing and distributing these ourselves. I think that's where most of the extra work will come in.

Would it be ok to stick with the current design in this PR? I'd feel much better if we could get the basic functionality into the repo and then iterate on it rather than changing the plan at this point. I can create a separate PR to change cert_get_requestdata to this new interface and at the same time add the necessary adapters (bullet points above) to make it user-friendly. I would probably just implement the adapters within the cert_build/cert_request client code unless you think having standalone tools is valuable. I suppose certmonger is going to need these features too, but I don't know how well sharing code between them is going to work.

>> - Allow some fields to be specified by the user at creation time: https://github.com/LiptonB/freeipa/commits/local-user-data
>
> Good idea :-)
>
>> - Automation for the full process from getting CSR data to requesting cert: https://github.com/LiptonB/freeipa/commits/local-cert-build
>
> LGTM, although I would prefer if this was a client-side extension of cert-request rather than a completely new command.

I did try that at first, but I struggled to figure out the interface for the modified cert-request. (Not that the current solution is so great, what with the copying of options from cert_request and certreq.) If I remember correctly, I was uncertain how to implement parameters that are required/invalid based on other parameters: the current cert-request takes a signed CSR (required), a principal (required), and a profile ID; the new cert-request (what I implemented as cert-build) takes a principal (required), a profile ID (required), and a key location (required). I can't remember if that was the only problem, but I'll try again to merge the commands and get back to you.

>> Other prototypes and design ideas that aren't ready for submission yet:
>>
>> - Utility written in C to build a CertificationRequestInfo from a SubjectPublicKeyInfo and an openssl-style config file. The purpose of this is to take a config that my code already knows how to generate, and put it in a form that certmonger can use. This is nearly done and available at: https://github.com/LiptonB/freeipa-prototypes/blob/master/build_requestinfo.c
>
> Nice! As I said above, this could really make implementing the "new" csrgen interface simple.
>
>> - Ideally it should be possible to use this tool to reimplement the full cert-request automation (local-cert-build branch) without a dependency on the certutil/openssl tools. However, I don't think any of the python crypto libraries have bindings for the functions that deal with CertificationRequestInfo objects, so I don't think I can do this in the short term.
>
> You can use python-cffi to write your own minimal bindings. It's fairly straightforward, take a look at FreeIPA commit 500ee7e2 for an example of
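The pieces this thread is negotiating over (a CertificationRequestInfo handed to a signer, a SubjectPublicKeyInfo pulled out of it, and a signature wrapped back into a CertificationRequest) are plain DER values, which is why no file format exists for them beyond raw DER. The following added example, which is not FreeIPA's csrgen code nor Ben's build_requestinfo.c, builds and splits those structures with a minimal DER codec from the Python standard library, so the two adapters named above reduce to cutting out or wrapping a TLV. The subject, the key bits in the SPKI and the signature bytes are constructed placeholders: no key is involved and the resulting CSR is not cryptographically valid, the point is the structure.

```python
"""Build and split PKCS#10 structures with a minimal DER codec.

Added example, not FreeIPA code. A CertificationRequest (RFC 2986) is
SEQUENCE { certificationRequestInfo, signatureAlgorithm, signature }, and
the CRI is SEQUENCE { version, subject, subjectPKInfo, attributes [0] }.
Standard library only; key bits and signature below are made up.
"""

# Universal DER tags used here (PKCS#10 and X.501 Name).
INTEGER, BIT_STRING, NULL, OID, UTF8STRING = 0x02, 0x03, 0x05, 0x06, 0x0C
SEQUENCE, SET, CONTEXT_0 = 0x30, 0x31, 0xA0

SHA256_WITH_RSA = '1.2.840.113549.1.1.11'
RSA_ENCRYPTION = '1.2.840.113549.1.1.1'
CN, O = '2.5.4.3', '2.5.4.10'


def der_length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def oid(dotted):
    """Encode a dotted OID: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split('.')]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(OID, bytes(body))


def read_tlv(buf, pos=0):
    """Return (tag, content, end) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], 'big')
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Split a constructed value into (tag, content, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, end = read_tlv(content, pos)
        out.append((tag, body, content[pos:end]))
        pos = end
    return out


def name(rdns):
    """X.501 Name: SEQUENCE OF SET OF AttributeTypeAndValue, root RDN first."""
    return tlv(SEQUENCE, b''.join(
        tlv(SET, tlv(SEQUENCE, oid(attr) + tlv(UTF8STRING, value.encode('utf-8'))))
        for attr, value in rdns))


def spki(alg_oid, key_bits):
    """SubjectPublicKeyInfo: AlgorithmIdentifier + BIT STRING (0 unused bits)."""
    alg = tlv(SEQUENCE, oid(alg_oid) + tlv(NULL, b''))
    return tlv(SEQUENCE, alg + tlv(BIT_STRING, b'\x00' + key_bits))


def build_cri(subject_rdns, spki_der):
    """CertificationRequestInfo: version 0, subject, SPKI, empty attributes."""
    return tlv(SEQUENCE, tlv(INTEGER, b'\x00') + name(subject_rdns)
               + spki_der + tlv(CONTEXT_0, b''))


def build_csr(cri_der, sig_alg_oid, signature):
    """Wrap an already-signed CRI into a CertificationRequest."""
    alg = tlv(SEQUENCE, oid(sig_alg_oid) + tlv(NULL, b''))
    return tlv(SEQUENCE, cri_der + alg + tlv(BIT_STRING, b'\x00' + signature))


def split_csr(csr_der):
    """Return (raw CRI, raw signatureAlgorithm, signature bytes)."""
    tag, body, _ = read_tlv(csr_der)
    if tag != SEQUENCE:
        raise ValueError('not a CertificationRequest')
    cri, alg, sig = children(body)
    return cri[2], alg[2], sig[1][1:]        # drop the unused-bits octet


def spki_from_cri(cri_der):
    """Pull the raw SubjectPublicKeyInfo out of a CertificationRequestInfo."""
    _tag, body, _ = read_tlv(cri_der)
    return children(body)[2][2]              # version, subject, SPKI, attrs


# Constructed sample: made-up key bits and signature, structure only.
SAMPLE_SPKI = spki(RSA_ENCRYPTION, bytes(range(1, 33)))
SAMPLE_CRI = build_cri([(O, 'Example'), (CN, 'host.ipa.test')], SAMPLE_SPKI)
SAMPLE_CSR = build_csr(SAMPLE_CRI, SHA256_WITH_RSA, b'\xab' * 16)
```

In the workflow discussed above, `build_cri` is what a `cert_get_requestdata`-style command would emit, `spki_from_cri` is the "extract a SubjectPublicKeyInfo" adapter, and `build_csr` is the "sign a CSR given a CertificationRequestInfo" adapter once a real signer has produced the signature over the raw CRI bytes. The sample CSR is long enough (over 127 bytes) to exercise the long-form length path of `read_tlv`.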
[Freeipa-devel] [freeipa PR#308][+pushed] Add 'env_confdir' to constants
URL: https://github.com/freeipa/freeipa/pull/308 Title: #308: Add 'env_confdir' to constants Label: +pushed
[Freeipa-devel] [freeipa PR#308][closed] Add 'env_confdir' to constants
URL: https://github.com/freeipa/freeipa/pull/308 Author: martbab Title: #308: Add 'env_confdir' to constants Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/308/head:pr308 git checkout pr308
[Freeipa-devel] [freeipa PR#293][synchronized] Run out-of-tree tests in Travis CI
URL: https://github.com/freeipa/freeipa/pull/293 Author: martbab Title: #293: Run out-of-tree tests in Travis CI Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/293/head:pr293 git checkout pr293 From e2207f94b215091b0f9e42f7e035107596fb768a Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 30 Nov 2016 10:30:04 +0100 Subject: [PATCH 1/2] Configuration file for ipa-docker-test-runner Prepare a configuration file for https://github.com/martbab/ipa-docker-test-runner. The latest freeipa-fedora-test-runner Docker image (F25 as of time of writing this message) will be used to run tests. Some of them will be purposefully excluded from the test suite, namely: * test_integration and test_webui: for obvious reasons, CI tests require complicated multi-host setup which is currently not achievable in Travis CI * test_ipapython/test_keyring: Docker cannot cope with storing and retrieving secrets from Kernel keyring, that is a known issue * test_xmlrpc/test_dns_plugin.py:test_dns_soa: There are 2-3 non-deterministic failures in this suite in Travis CI, this suite was disabled until the root cause is discovered and fixed/worked around --- .test_runner_config.yaml | 50 1 file changed, 50 insertions(+) create mode 100644 .test_runner_config.yaml diff --git a/.test_runner_config.yaml b/.test_runner_config.yaml new file mode 100644 index 000..f1205e8 --- /dev/null +++ b/.test_runner_config.yaml 
@@ -0,0 +1,50 @@ +container: + detach: true + hostname: master.ipa.test + working_dir: /freeipa +host: + binds: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + - /dev/urandom:/dev/random:ro + privileged: true + security_opt: + - label:disable + tmpfs: + - /tmp + - /run +server: + domain: ipa.test + password: Secret123 + realm: IPA.TEST +steps: + build: + - make V=0 ${make_target} + builddep: + - rm -rf /var/cache/dnf/* + - "dnf makecache fast || :" + - dnf builddep -y ${builddep_opts} --spec freeipa.spec.in --best --allowerasing + cleanup: + - chown -R ${uid}:${gid} ${container_working_dir} + configure: + - ./autogen.sh + install_packages: + - dnf install -y ${container_working_dir}/dist/rpms/*.rpm --best --allowerasing + install_server: + - ipa-server-install -U --domain ${server_domain} --realm ${server_realm} -p ${server_password} +-a ${server_password} --setup-dns --auto-forwarders + - ipa-kra-install -p ${server_password} + lint: + - make V=0 lint + prepare_tests: + - echo ${server_password} | kinit admin && ipa ping + - cp -r /etc/ipa/* ~/.ipa/ + - echo ${server_password} > ~/.ipa/.dmpw + - echo 'wait_for_dns=5' >> ~/.ipa/default.conf + run_tests: + - ipa-run-tests ${tests_ignore} -k-test_dns_soa ${tests_verbose} ${path} +tests: + ignore: + - test_integration + - test_webui + - test_ipapython/test_keyring.py + verbose: true From e398793c0a9e5ea24a569e224abc36732a79496e Mon Sep 17 00:00:00 2001 
From: Martin Babinsky Date: Wed, 30 Nov 2016 10:37:46 +0100 Subject: [PATCH 2/2] Use ipa-docker-test-runner to run tests in Travis CI https://github.com/martbab/ipa-docker-test-runner is now used to run the following tasks in Travis CI: * pull in a FreeIPA test runner Docker image * configure/make lint/make rpms * install rpms * install FreeIPA server and KRA * run out-of-tree tests For performance reasons (last two steps are very time-consuming) the available tests were split roughly in half and are run as two separate jobs to speed up the process. AD trust is not installed as part of tests since the enabled compat plugin causes false negative errors. --- .travis.yml | 36 1 file changed, 32 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index 44a2ee6..e870213 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,16 +1,44 @@ services: - docker +env: +global: +- TEST_RUNNER_IMAGE="martbab/freeipa-fedora-test-runner:master-latest" +matrix: +- TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py" +- > +TESTS_TO_RUN="test_cmdline +test_install +test_ipalib +test_ipapython +test_ipaserver +test_pkcs10 +test_xmlrpc/test_[l-z]*.py" before_install: - pip install pep8 +- > + pip3 install + git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-0 script: - > if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]]; then -git diff origin/${TRAVIS_BRANCH} -U0 | pep8 --diff; +git diff origin/${TRAVIS_BRANCH} -U0 | pep8 --diff &> pep8_errors.log; fi +- "pushd ipatests; test_set=`ls -d -1 $TESTS_TO_RUN 2> /dev/null`; popd" +# use travis_wait so that long running tasks (tests) which produce no +# output do not cause premature termination of the
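Review bot: in .test_runner_config.yaml the container runs with `privileged: true`, `label:disable` and `/dev/urandom:/dev/random:ro`, and the server section hard-codes `password: Secret123` which `prepare_tests` then writes to `~/.ipa/.dmpw`; none of that is wrong for a throwaway CI container, but the file says nowhere that this is what it is for. Add a header comment stating the config is CI-only and that the urandom-over-random bind is there to avoid entropy starvation during ipa-server-install (the problem raised in the PR comments), so nobody copies it to a development host. `run_tests` also hard-codes `-k-test_dns_soa` while the other exclusions live under `tests: ignore:`; keeping all exclusions in one place makes them easier to audit.

Review bot: in .travis.yml, `git diff origin/${TRAVIS_BRANCH} -U0 | pep8 --diff &> pep8_errors.log;` sends all pep8 output to a file, so a style failure is no longer visible in the job log unless a later step prints the file, and the visible part of the hunk has no such step. `test_set=\`ls -d -1 $TESTS_TO_RUN 2> /dev/null\`` swallows errors too: a typo in `TESTS_TO_RUN` leaves `test_set` empty and the job silently runs nothing, so fail when it is empty. Finally, `pip3 install git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-0` pins a tag or branch name that can be moved; pinning the commit hash keeps the CI tool chain reproducible.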
[Freeipa-devel] [freeipa PR#308][comment] Add 'env_confdir' to constants
URL: https://github.com/freeipa/freeipa/pull/308 Title: #308: Add 'env_confdir' to constants martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/1300381d45a23073261e62cb031cf4285a34f641 """ See the full comment at https://github.com/freeipa/freeipa/pull/308#issuecomment-264884316
[Freeipa-devel] [freeipa PR#292][comment] Increase the timeout waiting for certificate issuance in installer
URL: https://github.com/freeipa/freeipa/pull/292 Title: #292: Increase the timeout waiting for certificate issuance in installer martbab commented: """ IMHO anything is better than hardcoded values so you have my blessing. """ See the full comment at https://github.com/freeipa/freeipa/pull/292#issuecomment-264882789
[Freeipa-devel] [freeipa PR#292][comment] Increase the timeout waiting for certificate issuance in installer
URL: https://github.com/freeipa/freeipa/pull/292 Title: #292: Increase the timeout waiting for certificate issuance in installer flo-renaud commented: """ @martbab @mbasti-rh: I checked the code and some parts already use api.env.startup_timeout for certmonger requests (in ipa_certupdate.py or ipa_cacert_manage.py for instance). Is it OK for you if I replace my hardcoded value with api.env.startup_timeout? """ See the full comment at https://github.com/freeipa/freeipa/pull/292#issuecomment-264880484
[Freeipa-devel] [freeipa PR#279][synchronized] installer: Stop adding distro-specific NTP servers into ntp.conf
URL: https://github.com/freeipa/freeipa/pull/279 Author: dkupka Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/279/head:pr279 git checkout pr279 From 4ddca08b72fb27ed46a2ad0d057bf38cb8ac92c8 Mon Sep 17 00:00:00 2001 From: David KupkaDate: Mon, 28 Nov 2016 15:56:30 +0100 Subject: [PATCH] installer: Stop adding distro-specific NTP servers into ntp.conf Distribution packaged ntpd has servers preconfigured in ntp.conf so there's no point in trying to add them again during FreeIPA server installation. Also fix the code to always put fudge line right after the local server line as required by ntpd. https://fedorahosted.org/freeipa/ticket/6486 --- ipaserver/install/ntpinstance.py | 49 ++-- 1 file changed, 7 insertions(+), 42 deletions(-) diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py index 716eb08..fe7c665 100644 --- a/ipaserver/install/ntpinstance.py +++ b/ipaserver/install/ntpinstance.py @@ -20,7 +20,6 @@ from ipaserver.install import service from ipaserver.install import sysupgrade -from ipapython import ipautil from ipaplatform.constants import constants from ipaplatform.paths import paths from ipapython.ipa_log_manager import root_logger 
@@ -60,26 +59,10 @@ def __write_config(self): self.fstore.backup_file(paths.NTP_CONF) self.fstore.backup_file(paths.SYSCONFIG_NTPD) -# We use the OS variable to point it towards either the rhel -# or fedora pools. Other distros should be added in the future -# or we can get our own pool. -os = "" -if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): -os = "fedora" -elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): -os = "rhel" - -srv_vals = [] -srv_vals.append("0.%s.pool.ntp.org" % os) -srv_vals.append("1.%s.pool.ntp.org" % os) -srv_vals.append("2.%s.pool.ntp.org" % os) -srv_vals.append("3.%s.pool.ntp.org" % os) -srv_vals.append("127.127.1.0") +local_srv = "127.127.1.0" fudge = ["fudge", "127.127.1.0", "stratum", "10"] #read in memory, change it, then overwrite file -file_changed = False -fudge_present = False ntpconf = [] fd = open(paths.NTP_CONF, "r") for line in fd: 
@@ -88,37 +71,19 @@ def __write_config(self): ntpconf.append(line) continue -if opt[0] == "server": -match = False -for srv in srv_vals: -if opt[1] == srv: -match = True -break -if match: -srv_vals.remove(srv) -else: -file_changed = True -line = "" +if opt[0] == "server" and opt[1] == local_srv: +line = "" elif opt[0] == "fudge": -if opt[0:4] == fudge[0:4]: -fudge_present = True -else: -file_changed = True -line = "" +line = "" ntpconf.append(line) -if file_changed or len(srv_vals) != 0 or not fudge_present: -fd = open(paths.NTP_CONF, "w") +with open(paths.NTP_CONF, "w") as fd: for line in ntpconf: fd.write(line) fd.write("\n### Added by IPA Installer ###\n") -if len(srv_vals) != 0: -for srv in srv_vals: -fd.write("server "+srv+" iburst\n") -if not fudge_present: -fd.write("fudge 127.127.1.0 stratum 10\n") -fd.close() +fd.write("server {} iburst\n".format(local_srv_present)) +fd.write("{}\n".format(' '.join(fudge))) #read in memory, find OPTIONS, check/change it, then overwrite file needopts = [ {'val':'-x', 'need':True}, -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
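Review bot: `fd.write("server {} iburst\n".format(local_srv_present))` references `local_srv_present`, which is defined nowhere in this patch (the earlier hunk introduces `local_srv`), so `__write_config` raises NameError as soon as it rewrites ntp.conf; this must be `local_srv`. A unit test that runs `__write_config` against a temporary ntp.conf would have caught it before review.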
[Freeipa-devel] [freeipa PR#308][comment] Add 'env_confdir' to constants
URL: https://github.com/freeipa/freeipa/pull/308 Title: #308: Add 'env_confdir' to constants tiran commented: """ `env_confdir` was added in PR #302. This PR is required to make the tests pass. """ See the full comment at https://github.com/freeipa/freeipa/pull/308#issuecomment-264862403
[Freeipa-devel] [freeipa PR#308][+ack] Add 'env_confdir' to constants
URL: https://github.com/freeipa/freeipa/pull/308 Title: #308: Add 'env_confdir' to constants Label: +ack
[Freeipa-devel] [freeipa PR#309][+ack] ipa-replica-conncheck: fix race condition
URL: https://github.com/freeipa/freeipa/pull/309 Title: #309: ipa-replica-conncheck: fix race condition Label: +ack
[Freeipa-devel] [freeipa PR#307][comment] Lowered the version of gettext
URL: https://github.com/freeipa/freeipa/pull/307 Title: #307: Lowered the version of gettext pspacek commented: """ If the file `Rules-quot` is generated by `autoreconf -i`, please remove it completely and add it into `.gitignore`. """ See the full comment at https://github.com/freeipa/freeipa/pull/307#issuecomment-264858929
[Freeipa-devel] [freeipa PR#227][+ack] cert-request: match names against principal aliases
URL: https://github.com/freeipa/freeipa/pull/227 Title: #227: cert-request: match names against principal aliases Label: +ack
[Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases
URL: https://github.com/freeipa/freeipa/pull/227 Title: #227: cert-request: match names against principal aliases apophys commented: """ The tests look good to me. """ See the full comment at https://github.com/freeipa/freeipa/pull/227#issuecomment-264854251
[Freeipa-devel] [freeipa PR#309][opened] ipa-replica-conncheck: fix race condition
URL: https://github.com/freeipa/freeipa/pull/309 Author: tomaskrizek Title: #309: ipa-replica-conncheck: fix race condition Action: opened PR body: """ When the thread that opens ports would execute notify() before the original thread could call wait(), the original thread would wait indefinitely for a notify() call. https://fedorahosted.org/freeipa/ticket/6487 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/309/head:pr309 git checkout pr309 From 48e074f90fa21ccb42d055e532bd437bdf1c12da Mon Sep 17 00:00:00 2001 From: Tomas KrizekDate: Mon, 5 Dec 2016 14:01:01 +0100 Subject: [PATCH] ipa-replica-conncheck: fix race condition When the thread that opens ports would execute notify() before the original thread could call wait(), the original thread would wait indefinitely for a notify() call. https://fedorahosted.org/freeipa/ticket/6487 --- install/tools/ipa-replica-conncheck | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 121f068..cd1b138 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -297,16 +297,18 @@ class PortResponder(threading.Thread): self._close = False self._close_lock = threading.Lock() self.responder_data = 'FreeIPA' -self.ports_open = threading.Condition() +self.ports_opened = False +self.ports_open_cond = threading.Condition() def run(self): root_logger.debug('Starting listening thread.') for port in self.ports: self._bind_to_port(port.port, port.port_type) -with self.ports_open: +with self.ports_open_cond: +self.ports_opened = True root_logger.debug('Ports opened, notify original thread') -self.ports_open.notify() +self.ports_open_cond.notify() while not self._is_closing(): ready_socks, _socks1, _socks2 = select.select( 
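Review bot: `self.ports_opened = True` is only reached after the `for port in self.ports: self._bind_to_port(port.port, port.port_type)` loop completes, so if `_bind_to_port` raises for any port the thread dies without ever entering `with self.ports_open_cond:` and the main thread's `wait()` blocks forever, which is the same symptom this patch sets out to fix. Wrap the bind loop so the condition is notified on failure as well (for example record the exception in a `bind_error` attribute and notify from a `finally:`), and let the waiting side check that attribute after it wakes up.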
@@ -462,9 +464,12 @@ def main(): RESPONDER = PortResponder(required_ports) RESPONDER.start() -with RESPONDER.ports_open: -RESPONDER.ports_open.wait() -root_logger.debug('Original thread resumed') + +with RESPONDER.ports_open_cond: +if not RESPONDER.ports_opened: +root_logger.debug('Original thread stopped') +RESPONDER.ports_open_cond.wait() +root_logger.debug('Original thread resumed') remote_check_opts = ['--replica %s' % options.hostname] -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
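Review bot: `if not RESPONDER.ports_opened: ... RESPONDER.ports_open_cond.wait()` should be a `while` loop: `Condition.wait()` can return without a matching `notify()`, and with an `if` the main thread then proceeds before the ports are bound, reintroducing the race in a different form. Use `while not RESPONDER.ports_opened: RESPONDER.ports_open_cond.wait()`, and consider `wait(timeout=...)` combined with a check that the responder thread is still alive, so a failed bind in the listener thread does not hang the conncheck.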
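The lost wakeup described in the PR body, reproduced deterministically in Python as an added example that is not FreeIPA's ipa-replica-conncheck code: a `Responder` thread stands in for the port-opening thread, a constructed `notified` event forces its `notify()` to run before the waiter reaches `wait()`, and `wait_for_ports()` shows the unconditional `wait()` timing out next to the predicate-plus-`while` form that survives both an early notify and a spurious wakeup. The class and function names, the port list and the timeout are this example's own assumptions.

```python
"""Lost-wakeup race between a port-opening thread and the thread waiting for it.

Added example, not FreeIPA code. Models the race from the
ipa-replica-conncheck fix: notify() before wait() is silently lost unless
the waiter checks a predicate under the lock and loops on it.
"""
import threading


class Responder(threading.Thread):
    """Opens its ports (simulated), then signals the waiting thread."""

    def __init__(self, ports, use_flag):
        super().__init__(daemon=True)
        self.ports = ports
        self.opened = []
        self.use_flag = use_flag           # True: fixed pattern, False: racy
        self.ports_opened = False          # the predicate the fix introduces
        self.cond = threading.Condition()
        # Constructed hook so the caller can force notify() to run first.
        self.notified = threading.Event()

    def run(self):
        for port in self.ports:
            self.opened.append(port)       # stands in for bind()/listen()
        with self.cond:
            if self.use_flag:
                self.ports_opened = True   # set under the same lock as wait()
            self.cond.notify()
        self.notified.set()


def wait_for_ports(use_flag, early_notify=True, timeout=0.5):
    """Start a responder and wait for its ports.

    Returns True if the waiter resumed because the ports are open and
    False if it timed out, which is how a lost wakeup shows up here.
    """
    responder = Responder(ports=[389, 636, 88], use_flag=use_flag)
    responder.start()
    if early_notify:
        # Force the bad interleaving: notify() has already happened by the
        # time the waiter takes the condition's lock.
        responder.notified.wait()
    with responder.cond:
        if not use_flag:
            # Racy pattern: unconditional wait; the notification is gone.
            return responder.cond.wait(timeout=timeout)
        # Fixed pattern: check the predicate under the lock and loop, so
        # neither an early notify nor a spurious wakeup can mislead us.
        while not responder.ports_opened:
            if not responder.cond.wait(timeout=timeout):
                return False
        return True
```

`Condition.wait(timeout)` returns False on timeout, so the racy variant reports a hang as a clean False instead of blocking the caller forever; in the real tool, where no timeout is passed, the same interleaving blocks indefinitely.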
Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates
On 25.11.2016 15:55, Sumit Bose wrote:

On Fri, Nov 25, 2016 at 02:19:10PM +0100, Jan Cholasta wrote:

Bump, Sumit, have you seen my comments? I haven't heard back from you.

Yes, I've seen it and added a comment about it on the page https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates#Matching-alternativeRFC4523syntax

To cut it short I would prefer to use a standard, but I think RFC4523 currently does not meet our needs. But I would be happy if there are ways to mitigate my concerns.

What I actually had in mind was not to use the full RFC 4523 syntax, but rather re-use the concepts used in it - for example, instead of using regular expressions to match subject names, we could use a scheme based on name constraints, where the subject name is matched using base + minimum distance + maximum distance, which could look like this, written down using glob-like syntax:

directoryName=CN=a,O=b (base = CN=a,O=b, minimum distance = 0, maximum distance = 0)
directoryName=*,O=b (base = O=b, minimum distance = 1, maximum distance = 1)
directoryName=*,*,O=b (base = O=b, minimum distance = 2, maximum distance = 2)
directoryName=**,*,O=b (base = O=b, minimum distance = 1, maximum distance unspecified)

I'm working on updating and changing other sections as well and planned to reply when I'm done with the other sections as well.

OK, thanks for the heads up.

bye, Sumit

On 17.10.2016 09:50, Jan Cholasta wrote:

Hi,

On 13.10.2016 18:52, Sumit Bose wrote:

On Tue, Oct 11, 2016 at 01:37:09PM +0200, Sumit Bose wrote:

On Thu, Oct 06, 2016 at 12:49:30PM +0200, Sumit Bose wrote:

Hi,

I've started to write an SSSD design page about enhancing the current mapping of certificates to users and how to select/match a suitable certificate if multiple certificates are on a Smartcard. My current thoughts and ideas can be found at https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates and for your convenience below as well. Comments and suggestions are welcome.

Please let me know about concerns, alternatives and missing use-cases/user-stories.

bye, Sumit

Hi, Rob, Fraser, Alexander, thank you for your comments. I think both the issuer specific matching and the OID in the SUBJECT matching are good ideas. I updated the design page accordingly. The changes can be shown with https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates?action=diff=9_version=6 The updated version can be found below as well. Of course more comments and suggestions are still very welcome.

I did another update. A "Compatibility with Active Directory" section is added which made me realize that there are use-cases for using the issuer in the mapping as well and the sub-strings in LDAP search filters might be useful as well. The changes can be seen with https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates?action=diff=10_version=9 Please let me know your comments and suggestions.

bye, Sumit

= Matching and Mapping Certificates =

Related ticket(s):
* http://www.freeipa.org/page/V4/User_Certificates#Certificate_Identity_Mapping

=== Problem statement ===

Mapping

Currently it is required that a certificate used for authentication is either stored in the LDAP user entry or in a matching override. This might not always be applicable and other ways are needed to relate a user with a certificate.

Matching

Even if SSSD will support multiple certificates on a Smartcard in the context of https://fedorahosted.org/sssd/ticket/3050 it might be necessary to restrict (or relax) the current certificate selection in certain environments.

=== Use cases ===

Mapping

In some environments it might not be possible or would cause unwanted effort to add certificates to the LDAP entry of the users to allow Smartcard based authentication. Reasons might be:
* Certificates/Smartcards are issued externally
* LDAP schema extension is not possible or not allowed

Matching

A user might have multiple certificates on a Smartcard which are suitable for authentication. But on some host in the environment only certificates from a specific CA (while all other CAs are trusted as well) or with some special extension should be valid for login.

=== Overview of the solution ===

To match a certificate a language/syntax has to be defined which allows to reference items from the certificate and compare the values with the expected data. To map the certificates to a user the language/syntax should allow to relate certificate items with LDAP attributes so that the value(s) from the certificate item can be used in an LDAP search filter.

Note that in some cases it might be possible to map a certificate to a user without having to do an extra LDAP search, for example when the certificate contains the principal name of the user. Does the design allow this? Or is there no extra LDAP search?

=== Implementation details
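The name-constraints style matching Jan proposes earlier in this message (a base DN plus a minimum and maximum distance, written in glob-like syntax where `*` stands for exactly one extra RDN and `**` for any number) can be prototyped in a few dozen lines. The following is an added example written for this page, not code from SSSD, FreeIPA or the design document. It assumes RFC 4514-style `attr=value` RDNs separated by unescaped commas, most specific first, and compares both attribute types and values case-insensitively, which is a simplification of LDAP's per-attribute matching rules; the sample subjects in the `__main__` block are constructed, not taken from real certificates.

```python
# Added example: matcher for "directoryName=" rules of the form
# base + minimum distance + maximum distance, parsed from glob syntax.
# Illustration only, not SSSD's or FreeIPA's implementation.
# Assumptions (not from the thread): RDNs are "attr=value" strings separated
# by unescaped commas, most specific first (RFC 4514 order), and attribute
# types and values are compared case-insensitively.
from typing import List, Optional

PREFIX = "directoryName="


def split_rdns(dn: str) -> List[str]:
    """Split a DN string into RDN strings, honouring backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    if any(not r for r in rdns):
        raise ValueError("empty RDN in %r" % dn)
    return rdns


def normalize_rdn(rdn: str) -> str:
    """Canonical comparison form: lower-cased 'attr=value' with spaces trimmed."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError("not an attr=value RDN: %r" % rdn)
    return "%s=%s" % (attr.strip().lower(), value.strip().lower())


class DirectoryNamePattern:
    """A rule: the subject must end with `base` and carry between
    min_distance and max_distance extra RDNs in front of it.

    In the glob syntax '*' is exactly one extra RDN (min += 1, max += 1) and
    '**' is any number of extra RDNs (max becomes unspecified, i.e. None).
    """

    def __init__(self, base: List[str], min_distance: int,
                 max_distance: Optional[int]):
        self.base = base
        self.min_distance = min_distance
        self.max_distance = max_distance  # None means "unspecified"

    @classmethod
    def parse(cls, pattern: str) -> "DirectoryNamePattern":
        if not pattern.startswith(PREFIX):
            raise ValueError("pattern must start with %r" % PREFIX)
        tokens = split_rdns(pattern[len(PREFIX):])
        min_d, max_d, unbounded, i = 0, 0, False, 0
        # Leading wildcards set the distance bounds; everything after is the base.
        while i < len(tokens) and tokens[i] in ("*", "**"):
            if tokens[i] == "*":
                min_d += 1
                max_d += 1
            else:
                unbounded = True
            i += 1
        base_tokens = tokens[i:]
        if not base_tokens:
            raise ValueError("pattern has no base DN")
        if any(t in ("*", "**") for t in base_tokens):
            raise ValueError("wildcards are only allowed in front of the base")
        return cls([normalize_rdn(t) for t in base_tokens], min_d,
                   None if unbounded else max_d)

    def matches(self, subject: str) -> bool:
        """True if the subject ends with base and its extra RDN count is in range."""
        rdns = [normalize_rdn(r) for r in split_rdns(subject)]
        n = len(self.base)
        if len(rdns) < n or rdns[-n:] != self.base:
            return False
        distance = len(rdns) - n
        if distance < self.min_distance:
            return False
        return self.max_distance is None or distance <= self.max_distance


def match_directory_name(pattern: str, subject: str) -> bool:
    """Convenience wrapper: does this certificate subject satisfy the rule?"""
    return DirectoryNamePattern.parse(pattern).matches(subject)


if __name__ == "__main__":
    # Constructed sample rules and subjects, not from any real certificate.
    for rule in ("directoryName=CN=a,O=b", "directoryName=*,O=b",
                 "directoryName=*,*,O=b", "directoryName=**,*,O=b"):
        for subj in ("CN=a,O=b", "O=b", "CN=x,OU=c,O=b",
                     "CN=a\\, inc,OU=c,OU=d,O=b"):
            print("%-26s %-30s %s" % (rule, subj,
                                      match_directory_name(rule, subj)))
```

The four rules from the message parse to exactly the (base, min, max) triples Jan lists, and the matcher rejects a subject that has the right base but too few or too many RDNs in front of it, which is the property that distinguishes this scheme from a plain suffix match.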
[Freeipa-devel] [freeipa PR#303][comment] Add python-pyasn1-modules into dependencies
URL: https://github.com/freeipa/freeipa/pull/303 Title: #303: Add python-pyasn1-modules into dependencies martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a8b7dbff8ac660a28faf7ef43c7a0952171423b8 """ See the full comment at https://github.com/freeipa/freeipa/pull/303#issuecomment-264847546 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#303][+pushed] Add python-pyasn1-modules into dependencies
URL: https://github.com/freeipa/freeipa/pull/303 Title: #303: Add python-pyasn1-modules into dependencies Label: +pushed
[Freeipa-devel] [freeipa PR#303][+ack] Add python-pyasn1-modules into dependencies
URL: https://github.com/freeipa/freeipa/pull/303 Title: #303: Add python-pyasn1-modules into dependencies Label: +ack
[Freeipa-devel] [freeipa PR#303][comment] Add python-pyasn1-modules into dependencies
URL: https://github.com/freeipa/freeipa/pull/303 Title: #303: Add python-pyasn1-modules into dependencies pvomacka commented: """ Added, I also added more information into commit message. """ See the full comment at https://github.com/freeipa/freeipa/pull/303#issuecomment-264845609
[Freeipa-devel] [freeipa PR#303][synchronized] Add python-pyasn1-modules into dependencies
URL: https://github.com/freeipa/freeipa/pull/303 Author: pvomacka Title: #303: Add python-pyasn1-modules into dependencies Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/303/head:pr303 git checkout pr303 From f20e47fd6d6e54f4d67e9b1dfd756cfea1f5915f Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Fri, 2 Dec 2016 17:09:48 +0100 Subject: [PATCH] Add python-pyasn1-modules into dependencies Python-pyasn1-modules is needed because of this import: from pyasn1_modules import rfc2459 in ipalib/x509.py. Python-pyasn1-modules is required only by python-ldap package, but it would be good to not rely on another package and rather say explicitely that this package is necessary. https://fedorahosted.org/freeipa/ticket/6398 --- freeipa.spec.in | 3 +++ 1 file changed, 3 insertions(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index 15c3e68..cba40c2 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -102,6 +102,7 @@ BuildRequires: python-ldap BuildRequires: python-nss BuildRequires: python-netaddr BuildRequires: python-pyasn1 +BuildRequires: python-pyasn1-modules BuildRequires: python-dns BuildRequires: python-six BuildRequires: python-libsss_nss_idmap @@ -515,6 +516,7 @@ Requires: python-netaddr Requires: python-libipa_hbac Requires: python-qrcode-core >= 5.0.0 Requires: python-pyasn1 +Requires: python-pyasn1-modules Requires: python-dateutil Requires: python-yubico >= 1.2.3 Requires: python-sss-murmur @@ -564,6 +566,7 @@ Requires: python3-netaddr Requires: python3-libipa_hbac Requires: python3-qrcode-core >= 5.0.0 Requires: python3-pyasn1 +Requires: python3-pyasn1-modules Requires: python3-dateutil Requires: python3-yubico >= 1.2.3 Requires: python3-sss-murmur -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
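Review bot: the first hunk adds `BuildRequires: python-pyasn1-modules` for Python 2 only, while the third hunk makes `python3-pyasn1-modules` a runtime requirement of the Python 3 package; if the Python 3 build also imports ipalib/x509.py (which the commit message says needs `rfc2459`), the matching Python 3 BuildRequires should be added too, otherwise that build keeps relying on the transitive pull-in through python-ldap that this commit sets out to remove.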
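Review bot: the two `Requires:` hunks add `python-pyasn1-modules` and `python3-pyasn1-modules` without a version floor, unlike the neighbouring `python-qrcode-core >= 5.0.0` and `python-yubico >= 1.2.3`; if the `rfc2459` import in ipalib/x509.py needs anything newer than the oldest packaged pyasn1-modules, state that minimum here, and if it does not, a sentence in the commit message saying so saves the next reader the check.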
[Freeipa-devel] [freeipa PR#308][opened] Add 'env_confdir' to constants
URL: https://github.com/freeipa/freeipa/pull/308 Author: martbab Title: #308: Add 'env_confdir' to constants Action: opened PR body: """ Env confdir is always populated so it should be listed among variables set during a call to `Env._bootstrap()`. https://fedorahosted.org/freeipa/ticket/6389 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/308/head:pr308 git checkout pr308 From 26635cf3591e23fe437ec6f51d7e56a33227a6ad Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Mon, 5 Dec 2016 13:39:42 +0100 Subject: [PATCH] Add 'env_confdir' to constants Env confdir is always populated so it should be listed among variables set during a call to `Env._bootstrap()`. https://fedorahosted.org/freeipa/ticket/6389 --- ipalib/constants.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipalib/constants.py b/ipalib/constants.py index 80bbdbc..81643da 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -221,6 +221,7 @@ ('dot_ipa', object), # ~/.ipa directory ('context', object), # Name of context, default is 'default' ('confdir', object), # Directory containing config files +('env_confdir', None), # conf dir specified by IPA_CONFDIR env variable ('conf', object), # File containing context specific config ('conf_default', object), # File containing context independent config ('plugins_on_demand', object), # Whether to finalize plugins on-demand (bool) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
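Review bot: the new `('env_confdir', None)` entry uses `None` as its second element while every neighbouring entry in the hunk uses `object`, and the PR body says the variable is "always populated"; if `None` is the deliberate default for the case where `IPA_CONFDIR` is not set in the environment, the trailing comment should say so (for example "None when IPA_CONFDIR is unset"), otherwise a reader of this list will take the odd one out for an inconsistency.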
[Freeipa-devel] [freeipa PR#307][opened] Lowered the version of gettext
URL: https://github.com/freeipa/freeipa/pull/307 Author: pvomacka Title: #307: Lowered the version of gettext Action: opened PR body: """ The lower version is needed while building on RHEL. Also regenerated Rules-quot file. https://fedorahosted.org/freeipa/ticket/6418 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/307/head:pr307 git checkout pr307 From 5afa4bc62419d3bc14ab2d70c4f3f6bb95125c78 Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Fri, 25 Nov 2016 15:02:14 +0100 Subject: [PATCH] Lowered the version of gettext The lower version is needed while building on RHEL. Also regenerated Rules-quot file. https://fedorahosted.org/freeipa/ticket/6418 --- configure.ac | 2 +- po/Rules-quot | 15 ++- 2 files changed, 3 insertions(+), 14 deletions(-) diff --git a/configure.ac b/configure.ac index 66e6e9b..5674d27 100644 --- a/configure.ac +++ b/configure.ac @@ -299,7 +299,7 @@ AC_CONFIG_COMMANDS([po/POTFILES.in], > po/POTFILES.in && dnl cd "${find_start_pwd}"]) AC_SUBST(GETTEXT_DOMAIN, [ipa]) -AM_GNU_GETTEXT_VERSION([0.19.8]) +AM_GNU_GETTEXT_VERSION([0.18.2]) AM_GNU_GETTEXT([external]) dnl integrate our custom hacks into gettextize infrastructure diff --git a/po/Rules-quot b/po/Rules-quot index baf6528..d2ac20d 100644 --- a/po/Rules-quot +++ b/po/Rules-quot @@ -1,4 +1,3 @@ -# This file, Rules-quot, can be copied and used freely without restrictions. # Special Makefile rules for English message catalogs with quotation marks. DISTFILES.common.extra1 = quot.sed boldquot.sed en@quot.header en@boldquot.header insert-header.sin Rules-quot 
@@ -15,23 +14,13 @@ e...@boldquot.po-update: e...@boldquot.po-update-en .insert-header.po-update-en: @lang=`echo $@ | sed -e 's/\.po-update-en$$//'`; \ - if test "$(PACKAGE)" = "gettext-tools" && test "$(CROSS_COMPILING)" != "yes"; then PATH=`pwd`/../src:$$PATH; GETTEXTLIBDIR=`cd $(top_srcdir)/src && pwd`; export GETTEXTLIBDIR; fi; \ + if test "$(PACKAGE)" = "gettext-tools"; then PATH=`pwd`/../src:$$PATH; GETTEXTLIBDIR=`cd $(top_srcdir)/src && pwd`; export GETTEXTLIBDIR; fi; \ tmpdir=`pwd`; \ echo "$$lang:"; \ ll=`echo $$lang | sed -e 's/@.*//'`; \ LC_ALL=C; export LC_ALL; \ cd $(srcdir); \ - if $(MSGINIT) $(MSGINIT_OPTIONS) -i $(DOMAIN).pot --no-translator -l $$lang -o - 2>/dev/null \ - | $(SED) -f $$tmpdir/$$lang.insert-header | $(MSGCONV) -t UTF-8 | \ - { case `$(MSGFILTER) --version | sed 1q | sed -e 's,^[^0-9]*,,'` in \ - '' | 0.[0-9] | 0.[0-9].* | 0.1[0-8] | 0.1[0-8].*) \ - $(MSGFILTER) $(SED) -f `echo $$lang | sed -e 's/.*@//'`.sed \ - ;; \ - *) \ - $(MSGFILTER) `echo $$lang | sed -e 's/.*@//'` \ - ;; \ - esac } 2>/dev/null > $$tmpdir/$$lang.new.po \ - ; then \ + if $(MSGINIT) -i $(DOMAIN).pot --no-translator -l $$lang -o - 2>/dev/null | sed -f $$tmpdir/$$lang.insert-header | $(MSGCONV) -t UTF-8 | $(MSGFILTER) sed -f `echo $$lang | sed -e 's/.*@//'`.sed 2>/dev/null > $$tmpdir/$$lang.new.po; then \ if cmp $$lang.po $$tmpdir/$$lang.new.po >/dev/null 2>&1; then \ rm -f $$tmpdir/$$lang.new.po; \ else \ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
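Review bot: `AM_GNU_GETTEXT_VERSION([0.18.2])` in the configure.ac hunk is a minimum, not a pin, so developers with a newer gettext may regenerate po/Rules-quot in a different form and the file will churn between commits; the commit message should name the gettext version that produced the regenerated Rules-quot so that such churn is recognisable for what it is.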
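Review bot: the Rules-quot hunks drop the "can be copied and used freely without restrictions" header line and collapse the `$(MSGFILTER) --version` case statement and the `CROSS_COMPILING` guard into the older single-pipeline form, which is what an older gettext template looks like, but they also replace `$(SED)` with a bare `sed` in the msginit pipeline, so a build host where `SED` is overridden will now use whichever `sed` is first in `PATH`. A sentence in the commit message that this is the 0.18.2 template verbatim rather than a hand edit would make that acceptable at a glance.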
[Freeipa-devel] [freeipa PR#227][synchronized] cert-request: match names against principal aliases
URL: https://github.com/freeipa/freeipa/pull/227 Author: frasertweedale Title: #227: cert-request: match names against principal aliases Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/227/head:pr227 git checkout pr227 From c347ff830e21dcc8167149d8fead61882c4ba704 Mon Sep 17 00:00:00 2001 From: Fraser TweedaleDate: Wed, 26 Oct 2016 09:48:19 +1000 Subject: [PATCH] cert-request: match names against principal aliases Currently we do not check Kerberos principal aliases when validating a CSR. Enhance cert-request to accept the following scenarios: - for hosts and services: CN and SAN dnsNames match a principal alias (realm and service name must be same as nominated principal) - for all principal types: UPN or KRB5PrincipalName othername match any principal alias. Fixes: https://fedorahosted.org/freeipa/ticket/6295 --- ipaserver/plugins/cert.py | 113 - .../test_xmlrpc/test_caacl_profile_enforcement.py | 85 +--- 2 files changed, 158 insertions(+), 40 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 3571ef1..e4efa7d 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -649,11 +649,13 @@ def execute(self, csr, all=False, raw=False, **kw): cn = cns[-1].value # "most specific" is end of list if principal_type in (SERVICE, HOST): -if cn.lower() != principal.hostname.lower(): -raise errors.ACIError( -info=_("hostname in subject of request '%(cn)s' " -"does not match principal hostname '%(hostname)s'") -% dict(cn=cn, hostname=principal.hostname)) +if not _dns_name_matches_principal(cn, principal, principal_obj): +raise errors.ValidationError( +name='csr', +error=_( +"hostname in subject of request '%(cn)s' does not " +"match name or aliases of principal '%(principal)s'" +) % dict(cn=cn, principal=principal)) elif principal_type == USER: # check user name if cn != principal.username: 
@@ -686,26 +688,32 @@ def execute(self, csr, all=False, raw=False, **kw): generalnames = x509.process_othernames(ext_san.value) for gn in generalnames: if isinstance(gn, cryptography.x509.general_name.DNSName): +if principal.is_user: +raise errors.ValidationError( +name='csr', +error=_( +"subject alt name type %s is forbidden " +"for user principals") % "DNSName" +) + name = gn.value -alt_principal = None + +if _dns_name_matches_principal(name, principal, principal_obj): +continue # nothing more to check for this alt name + +# no match yet; check for an alternative principal with +# same realm and service type as subject principal. +components = list(principal.components) +components[-1] = name +alt_principal = kerberos.Principal(components, principal.realm) alt_principal_obj = None try: if principal_type == HOST: -alt_principal = kerberos.Principal( -(u'host', name), principal.realm) -alt_principal_obj = api.Command['host_show'](name, all=True) +alt_principal_obj = api.Command['host_show']( +name, all=True) elif principal_type == SERVICE: -alt_principal = kerberos.Principal( -(principal.service_name, name), principal.realm) alt_principal_obj = api.Command['service_show']( alt_principal, all=True) -elif principal_type == USER: -raise errors.ValidationError( -name='csr', -error=_( -"subject alt name type %s is forbidden " -"for user principals") % "DNSName" -) except errors.NotFound: # We don't want to issue any certificates referencing # machines we don't know about. Nothing is stored in this @@ -713,18 +721,23 @@ def execute(self, csr, all=False, raw=False, **kw): raise errors.NotFound(reason=_('The service principal for ' 'subject alt name %s in certificate request does not '
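Review bot: the replaced lines compared `cn.lower()` with `principal.hostname.lower()`, but the new `_dns_name_matches_principal(cn, principal, principal_obj)` is defined outside the visible hunks, so this diff does not show whether the comparison stays case-insensitive; please confirm it does, because an uppercase CN that used to be accepted would otherwise now be rejected. Switching from `errors.ACIError` to `errors.ValidationError` also changes the error class clients see for a mismatched CN; the new class is the better fit (the request is invalid, not unauthorized), but it is an API-visible change that belongs in the commit message.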
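Review bot: moving the user-principal `DNSName` rejection to the top of the loop is right, but the new `continue` after `_dns_name_matches_principal(name, ...)` means a dNSName that matches the principal or one of its aliases is no longer looked up through `host_show`/`service_show` at all, so the "we don't want to issue any certificates referencing machines we don't know about" comment in the `except errors.NotFound` branch now only covers names that are not aliases; that is the intended relaxation per the commit message, but the test changes in this PR should include an alias that has no host entry of its own. Also, `components[-1] = name` assumes the hostname is the last component of the principal, which holds for `host/` and `service/host` principals; a short comment stating that assumption next to the "same realm and service type" comment would help.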
[Freeipa-devel] [freeipa PR#227][synchronized] cert-request: match names against principal aliases
URL: https://github.com/freeipa/freeipa/pull/227 Author: frasertweedale Title: #227: cert-request: match names against principal aliases Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/227/head:pr227 git checkout pr227 From b84e266b1fdb82fde2a2f6a518c7ce6dc8976e3b Mon Sep 17 00:00:00 2001 From: Fraser TweedaleDate: Wed, 26 Oct 2016 09:48:19 +1000 Subject: [PATCH] cert-request: match names against principal aliases Currently we do not check Kerberos principal aliases when validating a CSR. Enhance cert-request to accept the following scenarios: - for hosts and services: CN and SAN dnsNames match a principal alias (realm and service name must be same as nominated principal) - for all principal types: UPN or KRB5PrincipalName othername match any principal alias. Fixes: https://fedorahosted.org/freeipa/ticket/6295 --- ipaserver/plugins/cert.py | 113 - .../test_xmlrpc/test_caacl_profile_enforcement.py | 85 +--- 2 files changed, 158 insertions(+), 40 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 3571ef1..ca94b85 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -649,11 +649,13 @@ def execute(self, csr, all=False, raw=False, **kw): cn = cns[-1].value # "most specific" is end of list if principal_type in (SERVICE, HOST): -if cn.lower() != principal.hostname.lower(): -raise errors.ACIError( -info=_("hostname in subject of request '%(cn)s' " -"does not match principal hostname '%(hostname)s'") -% dict(cn=cn, hostname=principal.hostname)) +if not _dns_name_matches_principal(cn, principal, principal_obj): +raise errors.ValidationError( +name='csr', +error=_( +"hostname in subject of request '%(cn)s' does not " +"match name or aliases of principal '%(principal)s'" +) % dict(cn=cn, principal=principal)) elif principal_type == USER: # check user name if cn != principal.username: 
@@ -686,26 +688,32 @@ def execute(self, csr, all=False, raw=False, **kw): generalnames = x509.process_othernames(ext_san.value) for gn in generalnames: if isinstance(gn, cryptography.x509.general_name.DNSName): +if principal.is_user: +raise errors.ValidationError( +name='csr', +error=_( +"subject alt name type %s is forbidden " +"for user principals") % "DNSName" +) + name = gn.value -alt_principal = None + +if _dns_name_matches_principal(name, principal, principal_obj): +continue # nothing more to check for this alt name + +# no match yet; check for an alternative principal with +# same realm and service type as subject principal. +components = list(principal.components) +components[-1] = name +alt_principal = kerberos.Principal(components, principal.realm) alt_principal_obj = None try: if principal_type == HOST: -alt_principal = kerberos.Principal( -(u'host', name), principal.realm) -alt_principal_obj = api.Command['host_show'](name, all=True) +alt_principal_obj = api.Command['host_show']( +name, all=True) elif principal_type == SERVICE: -alt_principal = kerberos.Principal( -(principal.service_name, name), principal.realm) alt_principal_obj = api.Command['service_show']( alt_principal, all=True) -elif principal_type == USER: -raise errors.ValidationError( -name='csr', -error=_( -"subject alt name type %s is forbidden " -"for user principals") % "DNSName" -) except errors.NotFound: # We don't want to issue any certificates referencing # machines we don't know about. Nothing is stored in this @@ -713,18 +721,23 @@ def execute(self, csr, all=False, raw=False, **kw): raise errors.NotFound(reason=_('The service principal for ' 'subject alt name %s in certificate request does not '
[Freeipa-devel] [freeipa PR#304][comment] Relax check for .git to support freeipa in submodules
URL: https://github.com/freeipa/freeipa/pull/304 Title: #304: Relax check for .git to support freeipa in submodules martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/cac0c2d951e10d49372a038c73f796dc3beb62b9 """ See the full comment at https://github.com/freeipa/freeipa/pull/304#issuecomment-264828226
[Freeipa-devel] [freeipa PR#304][+pushed] Relax check for .git to support freeipa in submodules
URL: https://github.com/freeipa/freeipa/pull/304 Title: #304: Relax check for .git to support freeipa in submodules Label: +pushed
[Freeipa-devel] [freeipa PR#304][closed] Relax check for .git to support freeipa in submodules
URL: https://github.com/freeipa/freeipa/pull/304 Author: tiran Title: #304: Relax check for .git to support freeipa in submodules Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/304/head:pr304 git checkout pr304
[Freeipa-devel] [freeipa PR#306][comment] Ignore backup~ files like config.h.in~
URL: https://github.com/freeipa/freeipa/pull/306 Title: #306: Ignore backup~ files like config.h.in~ martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/86295a8c2ea5c0546b070053d490b3a8b8013012 """ See the full comment at https://github.com/freeipa/freeipa/pull/306#issuecomment-264827081
[Freeipa-devel] [freeipa PR#306][closed] Ignore backup~ files like config.h.in~
URL: https://github.com/freeipa/freeipa/pull/306 Author: tiran Title: #306: Ignore backup~ files like config.h.in~ Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/306/head:pr306 git checkout pr306
[Freeipa-devel] [freeipa PR#306][+pushed] Ignore backup~ files like config.h.in~
URL: https://github.com/freeipa/freeipa/pull/306 Title: #306: Ignore backup~ files like config.h.in~ Label: +pushed
[Freeipa-devel] [freeipa PR#306][+ack] Ignore backup~ files like config.h.in~
URL: https://github.com/freeipa/freeipa/pull/306 Title: #306: Ignore backup~ files like config.h.in~ Label: +ack
[Freeipa-devel] [freeipa PR#306][opened] Ignore backup~ files like config.h.in~
URL: https://github.com/freeipa/freeipa/pull/306 Author: tiran Title: #306: Ignore backup~ files like config.h.in~ Action: opened PR body: """ Signed-off-by: Christian Heimes""" To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/306/head:pr306 git checkout pr306 From 27d97c72975f9f5514a27063558859b7ccad425a Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 5 Dec 2016 11:54:20 +0100 Subject: [PATCH] Ignore backup~ files like config.h.in~ Signed-off-by: Christian Heimes --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 86389ef..a9c71e4 100644 --- a/.gitignore +++ b/.gitignore @@ -27,6 +27,7 @@ Makefile.in *.log *.o *.trs +*~ version.m4 aclocal.m4 autom4te.cache/ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
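Review bot: `*~` in this hunk ignores every file ending in `~` anywhere in the tree, not only the `config.h.in~` named in the title; that is the usual choice for editor and autotools backup files, but with a PR body that is only a Signed-off-by line, the commit message should say which build step leaves `config.h.in~` behind, so the rule is traceable when someone later wonders whether it is masking a real artifact.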
[Freeipa-devel] [freeipa PR#305][closed] Fetch correct exception in IPA_CONFDIR test
URL: https://github.com/freeipa/freeipa/pull/305 Author: tiran Title: #305: Fetch correct exception in IPA_CONFDIR test Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/305/head:pr305 git checkout pr305
[Freeipa-devel] [freeipa PR#305][+pushed] Fetch correct exception in IPA_CONFDIR test
URL: https://github.com/freeipa/freeipa/pull/305 Title: #305: Fetch correct exception in IPA_CONFDIR test Label: +pushed
[Freeipa-devel] [freeipa PR#305][comment] Fetch correct exception in IPA_CONFDIR test
URL: https://github.com/freeipa/freeipa/pull/305 Title: #305: Fetch correct exception in IPA_CONFDIR test jcholast commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/34bd2b6332f3dabc0eb36f7021238df286a6 """ See the full comment at https://github.com/freeipa/freeipa/pull/305#issuecomment-264823975
[Freeipa-devel] [freeipa PR#305][+ack] Fetch correct exception in IPA_CONFDIR test
URL: https://github.com/freeipa/freeipa/pull/305 Title: #305: Fetch correct exception in IPA_CONFDIR test Label: +ack
[Freeipa-devel] [freeipa PR#304][+ack] Relax check for .git to support freeipa in submodules
URL: https://github.com/freeipa/freeipa/pull/304 Title: #304: Relax check for .git to support freeipa in submodules Label: +ack
[Freeipa-devel] [freeipa PR#305][opened] Fetch correct exception in IPA_CONFDIR test
URL: https://github.com/freeipa/freeipa/pull/305 Author: tiran Title: #305: Fetch correct exception in IPA_CONFDIR test Action: opened PR body: """ fixes c2934aaa Signed-off-by: Christian Heimes""" To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/305/head:pr305 git checkout pr305 From 97908927b62718949059fd7778e38f76b90d94db Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 5 Dec 2016 10:42:33 +0100 Subject: [PATCH] Fetch correct exception in IPA_CONFDIR test fixes c2934aaa Signed-off-by: Christian Heimes --- ipatests/test_ipalib/test_plugable.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ipatests/test_ipalib/test_plugable.py b/ipatests/test_ipalib/test_plugable.py index ff22446..6954610 100644 --- a/ipatests/test_ipalib/test_plugable.py +++ b/ipatests/test_ipalib/test_plugable.py @@ -28,7 +28,6 @@ import textwrap from ipalib import plugable, errors, create_api -from ipapython.admintool import ScriptError from ipatests.util import raises, read_only from ipatests.util import ClassChecker, create_test_api, TempHome @@ -301,7 +300,7 @@ def test_ipaconf_env(self): os.environ['IPA_CONFDIR'] = home.join('invalid') api = create_api(mode='unit_test') -with pytest.raises(ScriptError): +with pytest.raises(errors.EnvironmentError): api.bootstrap() finally: if ipa_confdir: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
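Review bot: in the second hunk `pytest.raises(errors.EnvironmentError)` resolves to `ipalib.errors.EnvironmentError` through the existing `from ipalib import plugable, errors, create_api` import, not to Python's builtin `EnvironmentError`; the two share a name, so a one-line comment at the call site (or importing the IPA class under an unambiguous alias) would stop a reader from assuming the test expects an OS-level error. Dropping the now-unused `ScriptError` import in the first hunk is the right follow-up, provided nothing else in test_plugable.py still references it.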
Re: [Freeipa-devel] CSR autogeneration next steps
Hi Ben,

On 3.11.2016 00:12, Ben Lipton wrote:

Hi everybody,

Soon I'm going to have to reduce the amount of time I spend on new development work for the CSR autogeneration project, and I want to leave the project in as organized a state as possible. So, I'm taking inventory of the work I've done in order to make sure that what's ready for review can get reviewed and the ideas that have been discussed get prototyped or at least recorded so they won't be forgotten.

Thanks, I have some questions and comments, see below.

Code that's ready for review (I will continue to put in as much time as needed to help get these ready for submission):

- Current PR: https://github.com/freeipa/freeipa/pull/10

How hard would it be to update the PR to use the "new" interface from the design thread? By this I mean that currently there is a command (cert_get_requestdata), which creates a CSR from profile id + principal + helper, but in the design we discussed a command which creates a CertificationRequestInfo from profile id + principal + public key. Internally it could use the OpenSSL helper, no need to implement the full "new" design. With your build_requestinfo.c code below it looks like it should be pretty straightforward.

- Allow some fields to be specified by the user at creation time: https://github.com/LiptonB/freeipa/commits/local-user-data

Good idea :-)

- Automation for the full process from getting CSR data to requesting cert: https://github.com/LiptonB/freeipa/commits/local-cert-build

LGTM, although I would prefer if this was a client-side extension of cert-request rather than a completely new command.

Other prototypes and design ideas that aren't ready for submission yet:

- Utility written in C to build a CertificationRequestInfo from a SubjectPublicKeyInfo and an openssl-style config file. The purpose of this is to take a config that my code already knows how to generate, and put it in a form that certmonger can use. This is nearly done and available at: https://github.com/LiptonB/freeipa-prototypes/blob/master/build_requestinfo.c

Nice! As I said above, this could really make implementing the "new" csrgen interface simple.

- Ideally it should be possible to use this tool to reimplement the full cert-request automation (local-cert-build branch) without a dependency on the certutil/openssl tools. However, I don't think any of the python crypto libraries have bindings for the functions that deal with CertificationRequestInfo objects, so I don't think I can do this in the short term.

You can use python-cffi to write your own minimal bindings. It's fairly straightforward, take a look at FreeIPA commit 500ee7e2 for an example of how to port C code to Python with python-cffi.

- Certmonger "helper" program that takes in the CertificationRequestInfo that certmonger generates, calls out to IPA for profile-specific data, and returns an updated CertificationRequestInfo built from the data. Certmonger doesn't currently support this type of helper, but (if I understood correctly) this is the architecture Nalin believed would be simplest to fit in. This is not done yet, but I intend to complete it soon - it shouldn't require much code beyond what's in build_requestinfo.c.

To me this sounds like it should be a new operation of the current helper rather than a completely new helper. Anyway, the ultimate goal is to move the csrgen code to the server, which means everything the helper will have to do is call a command over RPC.

- Tool to convert an XER-encoded cert extension to DER, given the ASN.1 description of the extension. This would unblock Jan Cholasta's idea of using XSLT for templates rather than text-based formatting. I should be able to implement the conversion tool, but it may be a while before I have time to demo the full XSLT idea.

Was there any progress on this?

So: currently on my to do list are the certmonger helper and the XER->DER conversion tool.
Do you have any comments about these plans, and is there anything else I can do to wrap up the project neatly?

Thanks,
Ben

Honza

-- Jan Cholasta
[Freeipa-devel] [freeipa PR#276][+ack] replica-conncheck: improve error msg + logging
URL: https://github.com/freeipa/freeipa/pull/276 Title: #276: replica-conncheck: improve error msg + logging Label: +ack
[Freeipa-devel] [freeipa PR#276][comment] replica-conncheck: improve error msg + logging
URL: https://github.com/freeipa/freeipa/pull/276 Title: #276: replica-conncheck: improve error msg + logging stlaz commented: """ Seems to work fine, ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/276#issuecomment-264793827