[Freeipa-devel] [freeipa PR#337][comment] Client-side CSR autogeneration (take 2)
URL: https://github.com/freeipa/freeipa/pull/337 Title: #337: Client-side CSR autogeneration (take 2) tiran commented: """ @LiptonB yes, it's correct. """ See the full comment at https://github.com/freeipa/freeipa/pull/337#issuecomment-273705203 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#403][comment] Add new ipa passwd-generate command
URL: https://github.com/freeipa/freeipa/pull/403 Title: #403: Add new ipa passwd-generate command stlaz commented: """ Hello and thank you for the contribution! However, I do not see what's in this for us. I do not think FreeIPA is intended to be used as a password generator. There are other tools that do this just right, `pwgen` being just an example. """ See the full comment at https://github.com/freeipa/freeipa/pull/403#issuecomment-273697438
[Freeipa-devel] [freeipa PR#113][comment] ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri
URL: https://github.com/freeipa/freeipa/pull/113 Title: #113: ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri HonzaCholasta commented: """ @pvoborni, my plan is to amend / extend this patch. """ See the full comment at https://github.com/freeipa/freeipa/pull/113#issuecomment-273696077
[Freeipa-devel] [freeipa PR#403][opened] Add new ipa passwd-generate command
URL: https://github.com/freeipa/freeipa/pull/403 Author: redhatrises Title: #403: Add new ipa passwd-generate command Action: opened PR body: """ This PR adds a new command line option `ipa passwd-generate` that uses the refactored `ipa_password_generate()` function. This is useful for generating secure passwords for service and system accounts or passwords for applications that may not be able to handle all character types. This could also be useful in the future for generating a temporary password for any portal efforts. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/403/head:pr403 git checkout pr403 From 4b454ecbf89ad87e46a160412defff881d0b6f26 Mon Sep 17 00:00:00 2001 From: GabeDate: Wed, 18 Jan 2017 20:40:37 -0700 Subject: [PATCH] Add new ipa passwd-generate command Adds new `ipa passwd-generate` command which has the ability to create complex passwords using the refactored ipa_generate_password function which is useful for deriving secure passwords for system/service accounts rather than relying on system administrators to come up with their own form of password. --- API.txt | 11 +++ VERSION.m4 | 4 +-- ipaserver/plugins/passwd.py | 78 - 3 files changed, 90 insertions(+), 3 deletions(-) diff --git a/API.txt b/API.txt index 543cec5..ddf38b3 100644 --- a/API.txt +++ b/API.txt @@ -3461,6 +3461,16 @@ option: Str('version?') output: Output('result', type=[]) output: Output('summary', type=[, ]) output: Output('value', type=[]) +command: passwd_generate/1 +args: 0,7,1 +option: Int('digits?') +option: Int('entropy?') +option: Int('length?') +option: Int('lowercase?') +option: Int('special?') +option: Int('uppercase?') +option: Str('version?') +output: Output('summary', type=[, ]) command: permission_add/1 args: 1,21,3 arg: Str('cn', cli_name='name') 
@@ -6546,6 +6556,7 @@ default: param/1 default: param_find/1 default: param_show/1 default: passwd/1 +default: passwd_generate/1 default: permission/1 default: permission_add/1 default: permission_add_member/1 diff --git a/VERSION.m4 b/VERSION.m4 index 36929ee..c4fd931 100644 --- a/VERSION.m4 +++ b/VERSION.m4 @@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412) # # define(IPA_API_VERSION_MAJOR, 2) -define(IPA_API_VERSION_MINOR, 217) -# Last change: Add options to write lightweight CA cert or chain to file +define(IPA_API_VERSION_MINOR, 218) +# Last change: Add new command line option to generate a password diff --git a/ipaserver/plugins/passwd.py b/ipaserver/plugins/passwd.py index 8cac145..a501bcb 100644 --- a/ipaserver/plugins/passwd.py +++ b/ipaserver/plugins/passwd.py @@ -21,7 +21,7 @@ from ipalib import api, errors, krb_utils from ipalib import Command -from ipalib import Password +from ipalib import Password, Int from ipalib import _ from ipalib import output from ipalib.parameters import Principal @@ -29,6 +29,7 @@ from ipalib.request import context from ipapython import kerberos from ipapython.dn import DN +from ipapython.ipautil import ipa_generate_password from ipaserver.plugins.baseuser import normalize_user_principal from ipaserver.plugins.service import validate_realm 
@@ -147,3 +148,78 @@ def execute(self, principal, password, current_password, **options): result=True, value=principal, ) + + +@register() +class passwd_generate(Command): +__doc__ = _("Autogenerate a password.") + +takes_options = ( +Int('uppercase', +label=_('Uppercase'), +doc=_('Number of uppercase characters'), +required=False, +), +Int('lowercase', +label=_('Lowercase'), +doc=_('Number of lowercase characters'), +required=False, +), +Int('digits', +label=_('Digits'), +doc=_('Number of digits'), +required=False, +), +Int('special', +label=_('Special characters'), +doc=_('Number of special characters'), +required=False, +), +Int('length', +label=_('Length'), +doc=_('Password Length'), +required=False, +), +Int('entropy', +label=_('Entropy'), +doc=_('Number of entropy bits'), +required=False, +), +) + +has_output = ( +output.summary, +) + +def execute(self, *keys, **options): +pwd_length = options.get('length') +entropy = options.get('entropy') +ucase = options.get('uppercase') +lcase = options.get('lowercase') +numbers = options.get('digits') +schar =
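Review bot: the Int options added in the passwd_generate hunk (uppercase, lowercase, digits, special, length, entropy) carry no minvalue, so negative values reach ipa_generate_password unchecked; give them minvalue=0 (minvalue=1 for length and entropy) and reject the case where the per-class counts add up to more than length before calling the generator. Also, has_output = (output.summary,) returns the generated password only as human-readable summary text, which scripts and API clients cannot consume reliably; add an output.result entry carrying the password (or return it there instead). Since the plugin lives in ipaserver/plugins/passwd.py the password is generated on the server and sent back over the RPC channel; the one-line docstring "Autogenerate a password." should say that, and the option docs should state whether a count of 0 excludes a character class or merely imposes no minimum.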
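The discussion above is about a generator driven by per-class counts, a total length and an entropy target. The following is an added example written for this page, not FreeIPA's ipa_generate_password and not code from the PR: it shows how those options can be resolved into a consistent policy (class given as None is allowed but not required, 0 excludes the class, a positive value is a minimum), how an entropy target is turned into a minimum length over the chosen alphabet, and how inconsistent requests are rejected rather than silently adjusted. The special-character set and the option semantics are assumptions made here.

```python
"""Added example (not FreeIPA code): option-driven password generation with a
CSPRNG, a length/entropy resolver and a checker for the same options."""
import math
import secrets
import string

# Character classes used by this example. The special-character set is an
# assumption made here; it is not taken from FreeIPA.
CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}


def entropy_bits(length, alphabet_size):
    """Entropy, in bits, of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def resolve_policy(length=None, entropy=None, **minimums):
    """Turn CLI-style options into (alphabet, length, required counts).

    Semantics chosen for this example: a class given as None is allowed but not
    required, 0 excludes the class entirely (for consumers that cannot handle
    it), and a positive value is a minimum count.
    """
    required = {}
    allowed = []
    for name, chars in CLASSES.items():
        count = minimums.get(name)
        if count is None:
            allowed.append(chars)
            continue
        if count < 0:
            raise ValueError("%s must be >= 0, got %d" % (name, count))
        if count > 0:
            allowed.append(chars)
            required[name] = count
    if not allowed:
        raise ValueError("every character class was excluded")
    alphabet = "".join(allowed)

    if length is None and entropy is None:
        raise ValueError("give a length, an entropy target, or both")
    if length is not None and length <= 0:
        raise ValueError("length must be positive")
    if entropy is not None:
        if entropy <= 0:
            raise ValueError("entropy must be positive")
        # Shortest length that reaches the entropy target over this alphabet.
        needed = math.ceil(entropy / math.log2(len(alphabet)))
        length = max(length or 0, needed)
    if sum(required.values()) > length:
        raise ValueError("per-class minimums (%d) exceed length %d"
                         % (sum(required.values()), length))
    return alphabet, length, required


def generate_password(length=None, entropy=None, rng=None, **minimums):
    """Generate a password satisfying resolve_policy() using a CSPRNG."""
    rng = rng or secrets.SystemRandom()
    alphabet, length, required = resolve_policy(length, entropy, **minimums)
    # Draw the mandatory characters first, fill the rest from the whole
    # alphabet, then shuffle so class positions are not predictable.
    chars = [rng.choice(CLASSES[name])
             for name, n in required.items() for _ in range(n)]
    chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


def satisfies(password, **minimums):
    """Check a password against the same options (for tests and audits)."""
    everything = "".join(CLASSES.values())
    for name, chars in CLASSES.items():
        count = minimums.get(name)
        have = sum(c in chars for c in password)
        if count == 0 and have:
            return False
        if count and have < count:
            return False
    return all(c in everything for c in password)


if __name__ == "__main__":
    # 128 bits over the 62-character alphabet (no specials) needs 22 characters.
    pw = generate_password(entropy=128, special=0, digits=2, uppercase=2)
    print(pw, len(pw), satisfies(pw, special=0, digits=2, uppercase=2))
```

Note that the entropy figure is the entropy of a uniformly drawn string; forcing minimum counts per class slightly reduces the true entropy, which is why the resolver only ever lengthens the password to meet the target and never shortens it.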
[Freeipa-devel] [freeipa PR#337][comment] Client-side CSR autogeneration (take 2)
URL: https://github.com/freeipa/freeipa/pull/337 Title: #337: Client-side CSR autogeneration (take 2) LiptonB commented: """ @tiran Thanks to the team for resuming the review, too! Added the dependency, does that look right? """ See the full comment at https://github.com/freeipa/freeipa/pull/337#issuecomment-273658159
[Freeipa-devel] [freeipa PR#337][synchronized] Client-side CSR autogeneration (take 2)
URL: https://github.com/freeipa/freeipa/pull/337 Author: LiptonB Title: #337: Client-side CSR autogeneration (take 2) Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/337/head:pr337 git checkout pr337 From 4ead459036761600c43c414cb91a21c591ad906a Mon Sep 17 00:00:00 2001 From: Ben LiptonDate: Tue, 5 Jul 2016 14:19:35 -0400 Subject: [PATCH 1/8] Add code to generate scripts that generate CSRs Adds a library that uses jinja2 to format a script that, when run, will build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses this library and builds the script for a given principal. The rules are read from json files in /usr/share/ipa/csr, but the rule provider is a separate class so that it can be replaced easily. https://fedorahosted.org/freeipa/ticket/4899 --- configure.ac | 1 + freeipa.spec.in| 9 + install/share/Makefile.am | 1 + install/share/csr/templates/ipa_macros.tmpl| 42 +++ install/share/csrgen/Makefile.am | 27 ++ install/share/csrgen/templates/certutil_base.tmpl | 14 + install/share/csrgen/templates/openssl_base.tmpl | 35 +++ install/share/csrgen/templates/openssl_macros.tmpl | 29 ++ ipaclient/csrgen.py| 320 + ipaclient/plugins/csrgen.py| 116 ipalib/errors.py | 28 ++ ipaplatform/base/paths.py | 1 + 12 files changed, 623 insertions(+) create mode 100644 install/share/csr/templates/ipa_macros.tmpl create mode 100644 install/share/csrgen/Makefile.am create mode 100644 install/share/csrgen/templates/certutil_base.tmpl create mode 100644 install/share/csrgen/templates/openssl_base.tmpl create mode 100644 install/share/csrgen/templates/openssl_macros.tmpl create mode 100644 ipaclient/csrgen.py create mode 100644 ipaclient/plugins/csrgen.py diff --git a/configure.ac b/configure.ac index e8a4701..01fc81e 100644 --- a/configure.ac +++ b/configure.ac 
@@ -530,6 +530,7 @@ AC_CONFIG_FILES([ install/share/Makefile install/share/advise/Makefile install/share/advise/legacy/Makefile +install/share/csrgen/Makefile install/share/profiles/Makefile install/share/schema.d/Makefile install/ui/Makefile diff --git a/freeipa.spec.in b/freeipa.spec.in index c4420a0..8396105 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -147,6 +147,7 @@ BuildRequires: python-sssdconfig BuildRequires: python-nose BuildRequires: python-paste BuildRequires: systemd-python +BuildRequires: python2-jinja2 %if 0%{?with_python3} # FIXME: this depedency is missing - server will not work @@ -602,6 +603,7 @@ Requires: python-dns >= 1.15 Requires: python-enum34 Requires: python-netifaces >= 0.10.4 Requires: pyusb +Requires: python2-jinja2 Conflicts: %{alt_name}-python < %{version} @@ -1208,6 +1210,13 @@ fi %{_usr}/share/ipa/advise/legacy/*.template %dir %{_usr}/share/ipa/profiles %{_usr}/share/ipa/profiles/*.cfg +%dir %{_usr}/share/ipa/csrgen +%dir %{_usr}/share/ipa/csrgen/templates +%{_usr}/share/ipa/csrgen/templates/*.tmpl +%dir %{_usr}/share/ipa/csrgen/profiles +%{_usr}/share/ipa/csrgen/profiles/*.json +%dir %{_usr}/share/ipa/csrgen/rules +%{_usr}/share/ipa/csrgen/rules/*.json %dir %{_usr}/share/ipa/html %{_usr}/share/ipa/html/ffconfig.js %{_usr}/share/ipa/html/ffconfig_page.js diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 10de84d..715912d 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -2,6 +2,7 @@ NULL = SUBDIRS = \ advise\ + csrgen\ profiles \ schema.d \ $(NULL) diff --git a/install/share/csr/templates/ipa_macros.tmpl b/install/share/csr/templates/ipa_macros.tmpl new file mode 100644 index 000..e790d4e --- /dev/null +++ b/install/share/csr/templates/ipa_macros.tmpl 
@@ -0,0 +1,42 @@ +{% set rendersyntax = {} %} + +{% set renderdata = {} %} + +{# Wrapper for syntax rules. We render the contents of the rule into a +variable, so that if we find that none of the contained data rules rendered we +can suppress the whole syntax rule. That is, a syntax rule is rendered either +if no data rules are specified (unusual) or if at least one of the data rules +rendered successfully. #} +{% macro syntaxrule() -%} +{% do rendersyntax.update(none=true, any=false) -%} +{% set contents -%} +{{ caller() -}} +{% endset -%} +{% if rendersyntax['none'] or rendersyntax['any'] -%} +{{ contents -}} +{% endif -%} +{% endmacro %} + +{# Wrapper for data rules. A data rule is rendered only when all of the data +fields it contains have data available. #} +{% macro datarule() -%} +{% do rendersyntax.update(none=false) -%} +{% do renderdata.update(all=true) -%} +{% set contents -%} +{{ caller() -}} +{%
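Review bot: the new template install/share/csr/templates/ipa_macros.tmpl is created under share/csr, while the configure.ac entry, the install/share/Makefile.am SUBDIRS addition and every new %files line in freeipa.spec.in use share/ipa/csrgen, so ipa_macros.tmpl is neither built nor packaged; move it to install/share/csrgen/templates/ (the commit message likewise says the rules live in /usr/share/ipa/csr). The spec hunk adds python2-jinja2 to BuildRequires and to the python2 client Requires but nothing for the %{?with_python3} build whose block starts right after the new BuildRequires line. The %files hunk lists csrgen/profiles/*.json and csrgen/rules/*.json, yet this commit creates no .json files, so the package build breaks until later patches of the series land. In ipa_macros.tmpl the `{% do rendersyntax.update(...) %}` statements need the jinja2.ext.do extension enabled on the Environment in ipaclient/csrgen.py. Finally, these templates emit a shell script the user runs; the macros shown decide only whether a rule renders, so the data values that the data rules interpolate into the script need shell quoting (a quote filter applied at every interpolation point) before this can be merged.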
[Freeipa-devel] [freeipa PR#181][synchronized] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181 Author: gkaihorodova Title: #181: Tests : User Tracker creation of user with minimal values Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/181/head:pr181 git checkout pr181 From 101bbd93b832787ab0c7d252ac6e9018536ddc77 Mon Sep 17 00:00:00 2001 From: Ganna KaihorodovaDate: Thu, 8 Dec 2016 15:06:36 +0100 Subject: [PATCH 1/2] User Tracker: creation of user with minimal values Fix provide possibility to create user-add test with minimal values, where uid is not specified, to provide better coverage. Also provide check for non-empty unicode string for attributes required in init method https://fedorahosted.org/freeipa/ticket/6126 --- ipatests/test_xmlrpc/tracker/user_plugin.py | 42 + 1 file changed, 31 insertions(+), 11 deletions(-) diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py index 1b35a5c..d57db93 100644 --- a/ipatests/test_xmlrpc/tracker/user_plugin.py +++ b/ipatests/test_xmlrpc/tracker/user_plugin.py 
@@ -62,22 +62,42 @@ class UserTracker(KerberosAliasMixin, Tracker): primary_keys = {u'uid', u'dn'} -def __init__(self, name, givenname, sn, **kwargs): +def __init__(self, name=None, givenname=None, sn=None, **kwargs): +""" Check for non-empty unicode string for the required attributes +in the init method """ + +if not (isinstance(givenname, six.string_types) and givenname): +raise ValueError( +"Invalid first name provided: {!r}".format(givenname) +) +if not (isinstance(sn, six.string_types) and sn): +raise ValueError("Invalid second name provided: {!r}".format(sn)) + super(UserTracker, self).__init__(default_version=None) -self.uid = name -self.givenname = givenname -self.sn = sn +self.uid = unicode(name) +self.givenname = unicode(givenname) +self.sn = unicode(sn) self.dn = DN(('uid', self.uid), api.env.container_user, api.env.basedn) self.kwargs = kwargs -def make_create_command(self): -""" Make function that crates a user using user-add """ -return self.make_command( -'user_add', self.uid, -givenname=self.givenname, -sn=self.sn, **self.kwargs -) +def make_create_command(self, force=None): + +""" Make function that creates a user using user-add +with all set of attributes and with minimal values, +where uid is not specified """ + +if self.uid is not None: +return self.make_command( +'user_add', self.uid, +givenname=self.givenname, +sn=self.sn, **self.kwargs +) +else: +return self.make_command( +'user_add', givenname=self.givenname, +sn=self.sn, **self.kwargs +) def make_delete_command(self, no_preserve=True, preserve=False): """ Make function that deletes a user using user-del From 43ee2ff50b9bf0a86eafb2fb5226c30216c1edb4 Mon Sep 17 00:00:00 2001 
From: Ganna Kaihorodova Date: Thu, 8 Dec 2016 15:08:41 +0100 Subject: [PATCH 2/2] User Tracker: Test to create user with minimal values Test to create user with minimal values, where uid is not specified https://fedorahosted.org/freeipa/ticket/6126 --- ipatests/test_xmlrpc/test_user_plugin.py | 13 + 1 file changed, 13 insertions(+) diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index c09d793..d33c4d7 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py @@ -79,6 +79,13 @@ @pytest.fixture(scope='class') +def user_min(request): +""" User tracker fixture for testing user with uid no specified """ +tracker = UserTracker(givenname=u'Testmin', sn=u'Usermin') +return tracker.make_fixture(request) + + +@pytest.fixture(scope='class') def user(request): tracker = UserTracker(name=u'user1', givenname=u'Test', sn=u'User1') return tracker.make_fixture(request) @@ -405,6 +412,12 @@ def test_rename_to_invalid_login(self, user): @pytest.mark.tier1 class TestCreate(XMLRPC_test): +def test_create_user_with_min_values(self, user_min): +""" Create user with uid not specified """ +user_min.ensure_missing() +command = user_min.make_create_command() +command() + def test_create_with_krb_ticket_policy(self): """ Try to create user with krbmaxticketlife set """ testuser = UserTracker( -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
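Review bot: in the UserTracker.__init__ hunk, self.uid = unicode(name) turns name=None into u'None', so the `if self.uid is not None` branch in make_create_command is always taken and user_add is called with the literal login 'None'; the minimal-values path this patch sets out to test is never exercised, and self.dn is built from uid=None. Keep None unconverted (self.uid = unicode(name) if name is not None else None) and build self.dn once the uid is known. The new force=None parameter of make_create_command is unused; drop it or pass it through. The hunk uses six.string_types but adds no import, so check the module already imports six. In the test hunk, test_create_user_with_min_values calls the command but neither records the server-assigned uid on the tracker nor asserts on the returned entry, so the class-scoped fixture cannot delete the user it created; update the tracker from the result and check the uid it received.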
[Freeipa-devel] [freeipa PR#210][synchronized] Tests: Stage User Tracker implementation
URL: https://github.com/freeipa/freeipa/pull/210 Author: gkaihorodova Title: #210: Tests: Stage User Tracker implementation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/210/head:pr210 git checkout pr210 From dbdf3f26a5a4f2663a0ed0fd9be3267f45299db6 Mon Sep 17 00:00:00 2001 From: Ganna KaihorodovaDate: Wed, 2 Nov 2016 15:02:30 +0100 Subject: [PATCH 1/2] Tests: Stage User Tracker implementation Fix provide possibility of creation stage user with minimal values, with uid not specified and check for non-empty unicode string for attributes requested in init method https://fedorahosted.org/freeipa/ticket/6448 --- ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 38 +++- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py index 4f87163..27f56d3 100644 --- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py +++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py 
@@ -61,23 +61,45 @@ class StageUserTracker(Tracker): find_keys = retrieve_keys - {u'has_keytab', u'has_password'} find_all_keys = retrieve_all_keys - {u'has_keytab', u'has_password'} -def __init__(self, name, givenname, sn, **kwargs): +def __init__(self, name=None, givenname=None, sn=None, **kwargs): +""" Check for non-empty unicode string for the required attributes +in the init method """ + +if not (isinstance(givenname, six.string_types) and givenname): +raise ValueError( +"Invalid first name provided: {!r}".format(givenname) +) +if not (isinstance(sn, six.string_types) and sn): +raise ValueError("Invalid second name provided: {!r}".format(sn)) + super(StageUserTracker, self).__init__(default_version=None) -self.uid = name -self.givenname = givenname -self.sn = sn +self.uid = unicode(name) +self.givenname = unicode(givenname) +self.sn = unicode(sn) self.dn = DN( ('uid', self.uid), api.env.container_stageuser, api.env.basedn) self.kwargs = kwargs def make_create_command(self, options=None): -""" Make function that creates a staged user using stageuser-add """ +""" Make function that creates a staged user using stageuser-add +with all set of attributes and with minimal values, +where uid is not specified """ + if options is not None: self.kwargs = options -return self.make_command('stageuser_add', self.uid, - givenname=self.givenname, - sn=self.sn, **self.kwargs) +if self.uid is not None: +return self.make_command( +'stageuser_add', self.uid, +givenname=self.givenname, +sn=self.sn, **self.kwargs +) +else: +return self.make_command( +'stageuser_add', +givenname=self.givenname, +sn=self.sn, **self.kwargs +) def make_delete_command(self): """ Make function that deletes a staged user using stageuser-del """ From e3b0ab2aedd1027bad44f066c2491f3fcb35b46a Mon Sep 17 00:00:00 2001 
From: Ganna Kaihorodova Date: Mon, 12 Dec 2016 14:11:52 +0100 Subject: [PATCH 2/2] Stage User: Test to create stage user with minimal values Test to create stage user with minimal values, where uid is not specified https://fedorahosted.org/freeipa/ticket/6448 --- ipatests/test_xmlrpc/test_stageuser_plugin.py | 11 +++ 1 file changed, 11 insertions(+) diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py index e61bf7a..a2f0650 100644 --- a/ipatests/test_xmlrpc/test_stageuser_plugin.py +++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py @@ -85,6 +85,11 @@ def stageduser(request): return tracker.make_fixture(request) +@pytest.fixture(scope='class') +def stageduser_min(request): +tracker = StageUserTracker(givenname=u'stagedmin', sn=u'usermin') +return tracker.make_fixture(request) + @pytest.fixture(scope='class', params=options_ok, ids=options_ids) def stageduser2(request): tracker = StageUserTracker(u'suser2', u'staged', u'user', **request.param) @@ -191,6 +196,12 @@ def test_activate_nonexistent(self, stageduser): @pytest.mark.tier1 class TestStagedUser(XMLRPC_test): +def test_create_with_min_values(self, stageduser_min): +""" Create user with uid not specified """ +stageduser_min.ensure_missing() +command = stageduser_min.make_create_command() +command() + def test_create_duplicate(self, stageduser): stageduser.ensure_exists() command =
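Review bot: as in the UserTracker hunk of PR#181, self.uid = unicode(name) in StageUserTracker.__init__ converts name=None to u'None', so `if self.uid is not None` in make_create_command never reaches the stageuser_add call without a uid and self.dn is built from uid=None; keep None unconverted and set self.dn once the uid is known. make_create_command also overwrites self.kwargs whenever options is passed, which matters now that the same tracker instance backs a class-scoped fixture. In the test hunk, test_create_with_min_values does not capture the server-assigned uid or assert on the returned entry, so the stageduser_min fixture cannot clean up; update the tracker from the result.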
[Freeipa-devel] [freeipa PR#402][opened] [master] wait_for_entry improvements
URL: https://github.com/freeipa/freeipa/pull/402 Author: MartinBasti Title: #402: [master] wait_for_entry improvements Action: opened PR body: """ Backport useful commits from #401 to master """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/402/head:pr402 git checkout pr402 From 3344c7001d68560be2a88daa65396b9d7f8c357c Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Wed, 18 Jan 2017 12:55:13 +0100 Subject: [PATCH 1/2] wait_for_entry: use only DN as parameter Using the whole entry is not needed as parameter because only DN is used and it prevents easier usage of this function https://fedorahosted.org/freeipa/ticket/6588 --- ipaserver/install/dogtaginstance.py | 2 +- ipaserver/install/replication.py| 6 ++ 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 4c02d73..2ebff6b 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -459,7 +459,7 @@ def setup_admin(self): ldap_uri = ipaldap.get_ldap_uri(self.master_host) master_conn = ipaldap.LDAPClient(ldap_uri) master_conn.gssapi_bind() -replication.wait_for_entry(master_conn, entry) +replication.wait_for_entry(master_conn, entry.dn) del master_conn def __remove_admin_from_group(self, group): diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 9ce93fc..c4260dd 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -155,7 +155,7 @@ def wait_for_task(conn, dn): return exit_code -def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True): +def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True): """Wait for entry and/or attr to show up""" filter = "(objectclass=*)" 
@@ -165,8 +165,6 @@ def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True): attrlist.append(attr) timeout += int(time.time()) -dn = entry.dn - if not quiet: sys.stdout.write("Waiting for %s %s:%s " % (connection, dn, attr)) sys.stdout.flush() @@ -733,7 +731,7 @@ def setup_agreement(self, a_conn, b_hostname, port=389, # that we will have to set the memberof fixup task self.need_memberof_fixup = True -wait_for_entry(a_conn, entry) +wait_for_entry(a_conn, entry.dn) def needs_memberof_fixup(self): return self.need_memberof_fixup From de575f6df7bb0aaf0c0de665f259d51c81636b2f Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 18 Jan 2017 17:08:19 +0100 Subject: [PATCH 2/2] Use proper logging for error messages https://fedorahosted.org/freeipa/ticket/6588r --- ipaserver/install/replication.py | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index c4260dd..1f13783 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -176,7 +176,7 @@ def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True): except errors.NotFound: pass # no entry yet except Exception as e: # badness -print("\nError reading entry", dn, e) +root_logger.error("Error reading entry %s: %s", dn, e) break if not entry: if not quiet: 
@@ -185,11 +185,13 @@ def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True): time.sleep(1) if not entry and int(time.time()) > timeout: -print("\nwait_for_entry timeout for %s for %s" % (connection, dn)) +root_logger.error( +"wait_for_entry timeout for %s for %s", connection, dn) elif entry and not quiet: -print("\nThe waited for entry is:", entry) +root_logger.error("The waited for entry is: %s", entry) elif not entry: -print("\nError: could not read entry %s from %s" % (dn, connection)) +root_logger.error( +"Error: could not read entry %s from %s", dn, connection) class ReplicationManager(object): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
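Review bot: in the second patch, the `elif entry and not quiet` branch logs "The waited for entry is: %s" at error level although it is progress output on the success path; use root_logger.debug (or info) there and keep error for the timeout and read-failure branches. The hunk does not add an import of root_logger to replication.py, so confirm it is already imported. The timeout branch still only logs and returns None, so callers such as setup_agreement and DogtagInstance.setup_admin proceed as if the entry had replicated; consider raising (errors.NotFound or a dedicated exception) so installers fail loudly instead of continuing. The first patch also leaves the sys.stdout.write progress output in place next to the new logging, so the function now mixes both channels. The commit message link reads ticket/6588r (stray r).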
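The wait_for_entry change above polls for an entry and, on timeout, only logs. The following is an added example written for this page, not FreeIPA's wait_for_entry, showing the alternative a reviewer would ask for: a poller that returns the entry or raises, with the clock and sleep injectable so the timeout path can be tested without waiting. NotFound and FakeConn are constructed stand-ins for ipalib.errors.NotFound and an ipaldap connection's get_entry; the service DN is made up for the example.

```python
"""Added example (not FreeIPA code): a wait_for_entry-style poller that
returns the entry or raises, so callers cannot proceed on a missing entry."""
import time


class NotFound(Exception):
    """Stand-in for ipalib.errors.NotFound."""


class EntryTimeout(Exception):
    """Raised when the entry (or attribute) did not appear within the timeout."""


def wait_for_entry(conn, dn, timeout=60, attr=None, interval=1.0,
                   clock=time.monotonic, sleep=time.sleep):
    """Poll conn.get_entry(dn) until it exists (and has `attr`, if given).

    Returns the entry. Raises EntryTimeout after `timeout` seconds; any error
    other than NotFound propagates instead of being logged and swallowed.
    `clock` and `sleep` are injectable so tests need not wait for real time.
    """
    deadline = clock() + timeout
    attrs = [attr] if attr else ["*"]
    while True:
        try:
            entry = conn.get_entry(dn, attrs)
        except NotFound:
            entry = None
        if entry is not None and (attr is None or entry.get(attr)):
            return entry
        if clock() >= deadline:
            what = "%s:%s" % (dn, attr) if attr else dn
            raise EntryTimeout("entry %s did not appear within %ss on %s"
                               % (what, timeout, conn))
        sleep(interval)


class FakeConn:
    """Constructed stand-in for an LDAP connection: the entry appears on the
    `appear_after`-th lookup and gains memberof on the `attr_after`-th."""

    def __init__(self, appear_after, attr_after=None):
        self.calls = 0
        self.appear_after = appear_after
        self.attr_after = attr_after

    def get_entry(self, dn, attrs):
        self.calls += 1
        if self.calls < self.appear_after:
            raise NotFound(dn)
        entry = {"dn": dn, "objectclass": ["top"]}
        if self.attr_after is not None and self.calls >= self.attr_after:
            entry["memberof"] = ["cn=group"]
        return entry


class FakeClock:
    """Constructed clock that advances by the slept amount per sleep()."""

    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


# Made-up DN in the shape of an IPA service principal entry.
EXAMPLE_DN = ("krbprincipalname=HTTP/replica.example.test@EXAMPLE.TEST,"
              "cn=services,cn=accounts,dc=example,dc=test")


def demo(appear_after, timeout, attr=None, attr_after=None):
    """Run the poller against the fakes; return (status, entry, polls)."""
    conn = FakeConn(appear_after, attr_after)
    clk = FakeClock()
    try:
        entry = wait_for_entry(conn, EXAMPLE_DN, timeout=timeout, attr=attr,
                               clock=clk.time, sleep=clk.sleep)
        return "ok", entry, conn.calls
    except EntryTimeout:
        return "timeout", None, conn.calls


if __name__ == "__main__":
    print(demo(appear_after=3, timeout=10))
    print(demo(appear_after=100, timeout=5))
```

A caller such as a replica installer then either gets the entry or an exception at the point where the HTTP principal was expected, instead of continuing into the certificate request with nothing to bind as.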
[Freeipa-devel] [freeipa PR#401][synchronized] [4.4] Wait until http principal entry is replicated to replica
URL: https://github.com/freeipa/freeipa/pull/401 Author: MartinBasti Title: #401: [4.4] Wait until http principal entry is replicated to replica Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/401/head:pr401 git checkout pr401 From 045413aeec8862d9cdd0f3057671f28bb85735a1 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Wed, 18 Jan 2017 12:55:13 +0100 Subject: [PATCH 1/3] wait_for_entry: use only DN as parameter Using the whole entry is not needed as parameter because only DN is used and it prevents easier usage of this function https://fedorahosted.org/freeipa/ticket/6588 --- ipaserver/install/dogtaginstance.py | 2 +- ipaserver/install/replication.py| 6 ++ 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index b656282..2a2ab6f 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -470,7 +470,7 @@ def setup_admin(self): port=389, protocol='ldap') master_conn.do_sasl_gssapi_bind() -replication.wait_for_entry(master_conn, entry) +replication.wait_for_entry(master_conn, entry.dn) del master_conn def __remove_admin_from_group(self, group): diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index fe62626..d0e4a20 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -152,7 +152,7 @@ def wait_for_task(conn, dn): return exit_code -def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True): +def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True): """Wait for entry and/or attr to show up""" filter = "(objectclass=*)" 
@@ -162,8 +162,6 @@ def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True): attrlist.append(attr) timeout += int(time.time()) -dn = entry.dn - if not quiet: sys.stdout.write("Waiting for %s %s:%s " % (connection, dn, attr)) sys.stdout.flush() @@ -734,7 +732,7 @@ def setup_agreement(self, a_conn, b_hostname, port=389, # that we will have to set the memberof fixup task self.need_memberof_fixup = True -wait_for_entry(a_conn, entry) +wait_for_entry(a_conn, entry.dn) def needs_memberof_fixup(self): return self.need_memberof_fixup From 3838aa549710f6447a9e7d62013eb6c3d88df35c Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 18 Jan 2017 13:56:24 +0100 Subject: [PATCH 2/3] Wait until HTTPS principal entry is replicated to replica Without HTTP principal the steps later fails. https://fedorahosted.org/freeipa/ticket/6588 --- ipaserver/install/server/replicainstall.py | 10 +- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index aefe158..5b613ba 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -40,7 +40,7 @@ from ipaserver.install.installutils import ( create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured) from ipaserver.install.replication import ( -ReplicationManager, replica_conn_check) +ReplicationManager, replica_conn_check, wait_for_entry) import SSSDConfig from subprocess import CalledProcessError from binascii import hexlify @@ -90,6 +90,14 @@ def install_http_certs(config, fstore, remote_api): config.master_host_name, paths.IPA_KEYTAB, force_service_add=True) +dn = DN( +('krbprincipalname', principal), +api.env.container_service, api.env.basedn +) +conn = ipaldap.IPAdmin(realm=config.realm_name, ldapi=True) +conn.do_external_bind() +wait_for_entry(conn, dn) +conn.unbind() # Obtain certificate for the HTTP service nssdir = certs.NSS_DIR 
From 42050b4fae9326dc4b35e19428014ca82c355da8 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 18 Jan 2017 17:08:19 +0100 Subject: [PATCH 3/3] Use proper logging for error messages https://fedorahosted.org/freeipa/ticket/6588r --- ipaserver/install/replication.py | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index d0e4a20..5da96e7 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -173,7 +173,7 @@ def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True): except errors.NotFound: pass # no entry yet except Exception as e: # badness -print("\nError reading
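Review bot: in the replicainstall.py hunk, wait_for_entry(conn, dn) runs with the default timeout of 7200 seconds and quiet=True, so a replica install whose HTTP principal never replicates sits silently for two hours and then carries on, because wait_for_entry only logs the timeout and returns None (see the patch 3/3 hunk); pass a short explicit timeout and check the outcome (or make wait_for_entry raise) before proceeding to the certificate request. The hunk opens an IPAdmin connection and calls conn.unbind() only on the success path; wrap it in try/finally. It also relies on DN, api and ipaldap being available in replicainstall.py, which this diff does not show being imported, and constructs the DN from api.env.container_service and api.env.basedn where the rest of install_http_certs works from config and remote_api, so confirm api.env is initialised at this point of the replica install.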
[Freeipa-devel] [freeipa PR#113][comment] ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri
URL: https://github.com/freeipa/freeipa/pull/113 Title: #113: ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri pvoborni commented: """ @HonzaCholasta with @pspacek no longer caring about this PR, we should close it. But before we do it, what are your thoughts on what should be the right approach. Are you going to amend this patch or replace it with something different? """ See the full comment at https://github.com/freeipa/freeipa/pull/113#issuecomment-273537412
[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From 068cbf841121bab1df02cbe6200c1e675c48385f Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 184 +++ VERSION.m4 | 4 +- install/share/73certmap.ldif | 17 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 7 + ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 175 +- ipaserver/plugins/certmap.py | 357 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 24 +++ 15 files changed, 846 insertions(+), 11 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..a87fec1 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example @@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S dn:
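Review bot: in the ACI.txt hunk, the two new read permissions (`System: Read Certmap Configuration` and `System: Read Certmap Rules`) are granted to `userdn = "ldap:///all"`, so every authenticated user and every enrolled host can read `ipacertmapmaprule`, `ipacertmapmatchrule`, `ipacertmapissuer` and `associateddomain` of every rule. That matches `System: Read CA ACLs` in the surrounding context and SSSD on clients has to read the rules, so it is probably intended; since ACI.txt is generated from the plugin, please record that reasoning in the permission definition in ipaserver/plugins/certmap.py (listed in the diffstat but not shown here) so that a later change does not narrow it to a group by accident.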
[Freeipa-devel] [freeipa PR#401][synchronized] [4.4] Wait until http principal entry is replicated to replica
URL: https://github.com/freeipa/freeipa/pull/401 Author: MartinBasti Title: #401: [4.4] Wait until http principal entry is replicated to replica Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/401/head:pr401 git checkout pr401 From 045413aeec8862d9cdd0f3057671f28bb85735a1 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Wed, 18 Jan 2017 12:55:13 +0100 Subject: [PATCH 1/3] wait_for_entry: use only DN as parameter Using the whole entry is not needed as parameter because only DN is used and it prevents easier usage of this function https://fedorahosted.org/freeipa/ticket/6588 --- ipaserver/install/dogtaginstance.py | 2 +- ipaserver/install/replication.py| 6 ++ 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index b656282..2a2ab6f 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -470,7 +470,7 @@ def setup_admin(self): port=389, protocol='ldap') master_conn.do_sasl_gssapi_bind() -replication.wait_for_entry(master_conn, entry) +replication.wait_for_entry(master_conn, entry.dn) del master_conn def __remove_admin_from_group(self, group): diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index fe62626..d0e4a20 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -152,7 +152,7 @@ def wait_for_task(conn, dn): return exit_code -def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True): +def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True): """Wait for entry and/or attr to show up""" filter = "(objectclass=*)" 
@@ -162,8 +162,6 @@ def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True): attrlist.append(attr) timeout += int(time.time()) -dn = entry.dn - if not quiet: sys.stdout.write("Waiting for %s %s:%s " % (connection, dn, attr)) sys.stdout.flush() @@ -734,7 +732,7 @@ def setup_agreement(self, a_conn, b_hostname, port=389, # that we will have to set the memberof fixup task self.need_memberof_fixup = True -wait_for_entry(a_conn, entry) +wait_for_entry(a_conn, entry.dn) def needs_memberof_fixup(self): return self.need_memberof_fixup From c60a897a0feb1208aaf83ec5621bbb7c2bda2235 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 18 Jan 2017 13:56:24 +0100 Subject: [PATCH 2/3] Wait until HTTPS principal entry is replicated to replica Without HTTP principal the steps later fails. https://fedorahosted.org/freeipa/ticket/6588 --- ipaserver/install/server/replicainstall.py | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index aefe158..fa4a6d2 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -40,7 +40,7 @@ from ipaserver.install.installutils import ( create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured) from ipaserver.install.replication import ( -ReplicationManager, replica_conn_check) +ReplicationManager, replica_conn_check, wait_for_entry) import SSSDConfig from subprocess import CalledProcessError from binascii import hexlify @@ -90,6 +90,13 @@ def install_http_certs(config, fstore, remote_api): config.master_host_name, paths.IPA_KEYTAB, force_service_add=True) +dn = DN( +('krbprincipalname', principal), +api.env.container_service, api.env.basedn +) +api.Backend.ldap2.connect(autobind=True) +wait_for_entry(api.Backend.ldap2, dn) +api.Backend.ldap2.disconnect() # Obtain certificate for the HTTP service nssdir = certs.NSS_DIR 
From 60ec3905c46805a14e0e5fb192546c0fa1ead1a9 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 18 Jan 2017 17:08:19 +0100 Subject: [PATCH 3/3] Use proper logging for error messages https://fedorahosted.org/freeipa/ticket/6588r --- ipaserver/install/replication.py | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index d0e4a20..5da96e7 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -173,7 +173,7 @@ def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True): except errors.NotFound: pass # no entry yet except Exception as e: # badness -print("\nError reading entry", dn, e) +
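Review bot: the `wait_for_entry` hunk in ipaserver/install/replication.py (PATCH 1/3) renames the parameter `entry` to `dn` and drops `dn = entry.dn`, but the docstring `"""Wait for entry and/or attr to show up"""` is left as it was; please say there that the caller now passes a DN. The patch updates only `setup_admin` in dogtaginstance.py and `setup_agreement`, so grep for any other `wait_for_entry(` caller that still passes an entry object: such a caller would now fail only when the DN is used in the search, not at the call.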
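Review bot: in the `install_http_certs` hunk of ipaserver/install/server/replicainstall.py (PATCH 2/3), `api.Backend.ldap2.connect(autobind=True)`, `wait_for_entry(api.Backend.ldap2, dn)` and `api.Backend.ldap2.disconnect()` run without a try/finally, so if `wait_for_entry` raises or hits its default 7200 s timeout the `disconnect()` is skipped and the backend stays connected, and a later `connect()` on the same backend fails. Wrap the wait in `try: ... finally: api.Backend.ldap2.disconnect()`, and guard the `connect()` with `api.Backend.ldap2.isconnected()` in case the backend is already connected at this point of the replica installation.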
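Review bot: the `except Exception as e: # badness` branch in the `wait_for_entry` hunk (PATCH 3/3) catches every error, including a lost connection, reports it and lets the polling loop continue until the timeout; the hunk is cut off after the `+` so the logger call that replaces `print("\nError reading entry", dn, e)` is not visible here, but whatever it is, consider re-raising after logging (or narrowing the except to LDAP errors) so a replica install does not sit for up to two hours on a broken connection. Also, the ticket URL in this commit message ends in `6588r`; the trailing `r` looks like a typo.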
[Freeipa-devel] [freeipa PR#401][synchronized] [4.4] Wait until http principal entry is replicated to replica
URL: https://github.com/freeipa/freeipa/pull/401 Author: MartinBasti Title: #401: [4.4] Wait until http principal entry is replicated to replica Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/401/head:pr401 git checkout pr401 From 045413aeec8862d9cdd0f3057671f28bb85735a1 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Wed, 18 Jan 2017 12:55:13 +0100 Subject: [PATCH 1/2] wait_for_entry: use only DN as parameter Using the whole entry is not needed as parameter because only DN is used and it prevents easier usage of this function https://fedorahosted.org/freeipa/ticket/6588 --- ipaserver/install/dogtaginstance.py | 2 +- ipaserver/install/replication.py| 6 ++ 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index b656282..2a2ab6f 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -470,7 +470,7 @@ def setup_admin(self): port=389, protocol='ldap') master_conn.do_sasl_gssapi_bind() -replication.wait_for_entry(master_conn, entry) +replication.wait_for_entry(master_conn, entry.dn) del master_conn def __remove_admin_from_group(self, group): diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index fe62626..d0e4a20 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -152,7 +152,7 @@ def wait_for_task(conn, dn): return exit_code -def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True): +def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True): """Wait for entry and/or attr to show up""" filter = "(objectclass=*)" 
@@ -162,8 +162,6 @@ def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True): attrlist.append(attr) timeout += int(time.time()) -dn = entry.dn - if not quiet: sys.stdout.write("Waiting for %s %s:%s " % (connection, dn, attr)) sys.stdout.flush() @@ -734,7 +732,7 @@ def setup_agreement(self, a_conn, b_hostname, port=389, # that we will have to set the memberof fixup task self.need_memberof_fixup = True -wait_for_entry(a_conn, entry) +wait_for_entry(a_conn, entry.dn) def needs_memberof_fixup(self): return self.need_memberof_fixup From 01eddb7b33a7802d7949b0b5572bf2d1dda5e47b Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 18 Jan 2017 13:56:24 +0100 Subject: [PATCH 2/2] Wait until HTTPS principal entry is replicated to replica Without HTTP principal the steps later fails. https://fedorahosted.org/freeipa/ticket/6588 --- ipaserver/install/server/replicainstall.py | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index aefe158..9dbe4b0 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -40,7 +40,7 @@ from ipaserver.install.installutils import ( create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured) from ipaserver.install.replication import ( -ReplicationManager, replica_conn_check) +ReplicationManager, replica_conn_check, wait_for_entry) import SSSDConfig from subprocess import CalledProcessError from binascii import hexlify 
@@ -90,6 +90,13 @@ def install_http_certs(config, fstore, remote_api): config.master_host_name, paths.IPA_KEYTAB, force_service_add=True) +dn = DN( +('krbprincipalname', principal), +api.env.container_service, api.env.basedn +) +api.Backend.ldap2.connect(ldapi=True) +wait_for_entry(api.Backend.ldap2, dn) +api.Backend.ldap2.disconnect() # Obtain certificate for the HTTP service nssdir = certs.NSS_DIR -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
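Review bot: the `install_http_certs` hunk in this revision (PATCH 2/2) calls `api.Backend.ldap2.connect(ldapi=True)` where the previous revision of this PR used `autobind=True`; please make sure the keyword is one the 4.4 `ldap2` backend's `connect()` actually accepts, since the hunk alone cannot show that. The wait is still not protected by try/finally: if `wait_for_entry` raises or times out (default 7200 s), `api.Backend.ldap2.disconnect()` is skipped and the backend is left connected. Note also that the series is now 2 patches, so the `Use proper logging for error messages` commit from the earlier revision is no longer part of it.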
[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]
URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

tomaskrizek commented:
"""
@HonzaCholasta Perhaps it's more of a personal preference, but I'd rather see an existing version of a certain package. Since the spec file is processed automatically, I guess it doesn't make a difference. But it could confuse someone who reads the file and looks for a certain version of the mentioned package.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-273521294
[Freeipa-devel] [freeipa PR#386][comment] Tests: Add tree root domain role in legacy client tests
URL: https://github.com/freeipa/freeipa/pull/386
Title: #386: Tests: Add tree root domain role in legacy client tests

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/822a119100f8ab93aacdb14b982609f1dc69531d
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/52527d6323eec1a2ae4bf01dd64412a3822c516d
"""

See the full comment at https://github.com/freeipa/freeipa/pull/386#issuecomment-273510158
[Freeipa-devel] [freeipa PR#386][closed] Tests: Add tree root domain role in legacy client tests
URL: https://github.com/freeipa/freeipa/pull/386
Author: gkaihorodova
Title: #386: Tests: Add tree root domain role in legacy client tests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/386/head:pr386
git checkout pr386
[Freeipa-devel] [freeipa PR#386][+pushed] Tests: Add tree root domain role in legacy client tests
URL: https://github.com/freeipa/freeipa/pull/386
Title: #386: Tests: Add tree root domain role in legacy client tests
Label: +pushed
[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]
URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

HonzaCholasta commented:
"""
I see, didn't notice that. In this case, IMO either the current `pki-base >= 10.2.1` or an unversioned `pki-base-python2` is fine.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-273498651
[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]
URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

tiran commented:
"""
You would still depend on a potentially non-existing package. `pki-base-python2` was introduced in 10.3. `pki-base` will switch to Python 3 as soon as RHEL has Python 3 in its base distribution.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-273493381
[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]
URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

HonzaCholasta commented:
"""
@tiran, I'm sorry to have to point this out, but the decision whether this PR is accepted or not is not yours to make, you are not a member of the core team and this is in no way related to your integration work. As a maintainer of IPA packages in RHEL I obviously prefer it my way. What you prefer when you co-maintain PKI Python packages is your business and is not relevant here.

A compromise I would be willing to accept is that the `pki-base-python3` dependency will be unversioned, but `pki-base-python2` must stay `>= 10.2.1`.

@tomaskrizek, why do you think it's a bad practice? The condition merely limits the set of package versions that satisfy the dependency, but the set is still infinite and an infinite number of non-existent packages *always* fall in the set. Strictly speaking, `10.3.5-6` is not an existing package version either, you won't find a `pki-base-python2-10.3.5-6.rpm` anywhere.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-273488422
[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test
URL: https://github.com/freeipa/freeipa/pull/399 Author: dkupka Title: #399: Certificate mapping test Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/399/head:pr399 git checkout pr399 From fb73c25fa30d0d374010cfc2245fbe60726f7389 Mon Sep 17 00:00:00 2001 From: David KupkaDate: Fri, 13 Jan 2017 13:17:35 +0100 Subject: [PATCH 1/2] test_xmlrpc: tracker: Add enable and disable methods to tracker Prepare tracker for easier testing of *-{en,dis}able commands. --- ipatests/test_xmlrpc/tracker/base.py | 26 ++ 1 file changed, 26 insertions(+) diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py index aa88e6b..d8cd3a6 100644 --- a/ipatests/test_xmlrpc/tracker/base.py +++ b/ipatests/test_xmlrpc/tracker/base.py @@ -198,6 +198,14 @@ def make_update_command(self, updates): """Make function that modifies the entry using ${CMD}_mod""" raise NotImplementedError(self._override_me_msg) +def make_enable_command(self): +"""Make function that enables the entry using ${CMD}_enable""" +raise NotImplementedError(self._override_me_msg) + +def make_disable_command(self): +"""Make function that disables the entry using ${CMD}_disable""" +raise NotImplementedError(self._override_me_msg) + def create(self): """Helper function to create an entry and check the result""" self.track_create() 
@@ -285,3 +293,21 @@ def update(self, updates, expected_updates=None): def check_update(self, result, extra_keys=()): """Check the plugin's `mod` command result""" raise NotImplementedError(self._override_me_msg) + +def enable(self): +command = self.make_enable_command() +result = command() +self.check_enable(result) + +def check_enable(self, result): +"""Check the plugin's `enable` command result""" +raise NotImplementedError(self._override_me_msg) + +def disable(self): +command = self.make_disable_command() +result = command() +self.check_disable(result) + +def check_disable(self, result): +"""Check the plugin's `disable` command result""" +raise NotImplementedError(self._override_me_msg) From 0f5f8531edce915c02cabdcb215f0f2134b880a1 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Fri, 13 Jan 2017 13:22:45 +0100 Subject: [PATCH 2/2] test: certmap: Add basic tests for certmaprule commands. https://fedorahosted.org/freeipa/ticket/6542 --- ipatests/test_xmlrpc/objectclasses.py | 5 + ipatests/test_xmlrpc/test_certmap_plugin.py| 101 +++ ipatests/test_xmlrpc/tracker/certmap_plugin.py | 167 + 3 files changed, 273 insertions(+) create mode 100644 ipatests/test_xmlrpc/test_certmap_plugin.py create mode 100644 ipatests/test_xmlrpc/tracker/certmap_plugin.py diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py index 1ea020b..0a15a21 100644 --- a/ipatests/test_xmlrpc/objectclasses.py +++ b/ipatests/test_xmlrpc/objectclasses.py @@ -227,3 +227,8 @@ u'top', u'ipaca', ] + +certmaprule = [ +u'top', +u'ipacertmaprule', +] diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py new file mode 100644 index 000..4086333 --- /dev/null +++ b/ipatests/test_xmlrpc/test_certmap_plugin.py 
@@ -0,0 +1,101 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +import pytest +import itertools + +from ipapython.dn import DN +from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test +from ipatests.test_xmlrpc.tracker.certmap_plugin import CertmapruleTracker + +certmaprule_create_params = { +u'cn': u'test_rule', +u'description': u'Certificate mapping and matching rule for test ' +u'purposes', +u'ipacertmapissuer': DN('CN=CA,O=EXAMPLE.ORG'), +u'ipacertmapmaprule': u'arbitrary free-form mapping rule defined and ' + u'consumed by SSSD', +u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined ' +u'and consumed by SSSD', +u'associateddomain': u'example.org', +u'ipacertmappriority': u'1', +} + +certmaprule_update_params = { +u'description': u'Changed description', +u'ipacertmapissuer': DN('CN=Changed CA,O=OTHER.ORG'), +u'ipacertmapmaprule': u'changed arbitrary mapping rule', +u'ipacertmapmatchrule': u'changed arbitrary maching rule', +u'associateddomain': u'changed.example.org', +u'ipacertmappriority': u'5', +} + +certmaprule_optional_params = ( +'description', +'ipacertmapissuer', +'ipacertmapmaprule', +'ipacertmapmatchrule', +'ipaassociateddomain', +'ipacertmappriority', +) + +
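Review bot: in the ipatests/test_xmlrpc/tracker/base.py hunks (PATCH 1/2), the new `enable()` and `disable()` methods have no docstring while `check_enable`/`check_disable` and the sibling `create()`/`update()` do; add a one-line docstring in the same style ("Helper function to enable the entry and check the result") so the tracker API stays self-describing.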
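Review bot: in the new ipatests/test_xmlrpc/test_certmap_plugin.py (PATCH 2/2), `certmaprule_optional_params` lists `'ipaassociateddomain'`, but `certmaprule_create_params` and `certmaprule_update_params` both use the attribute name `u'associateddomain'`, which is also the name the certmap ACIs in PR #398 target. Any test that iterates over the optional params to omit or verify that attribute will silently act on a key that does not exist; change the tuple entry to `'associateddomain'`.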
[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]
URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

tomaskrizek commented:
"""
I agree with @tiran here. Even though `>= 10.2.1` will match the correct package, I don't think it's a good practice to use non-existent package numbers in `BuildRequires`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-273468841
[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]
URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

tiran commented:
"""
I can't see a valid argument in your response. As a co-maintainer of PKI's Python packages I'm strictly against claiming compatibility with a non-existing package version range.

The PR is fine as it stands and I'm going to ACK it tomorrow. If you still like to veto against my ACK, please start a motion on the developer list and ask the rest of the team for their opinion.

You also mentioned that CI might not pick up build requirements correctly. I agree that this is a problem and must be fixed ASAP. We must be able to rely on CI tests. Please open a separate ticket.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-273465183
[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]
URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

HonzaCholasta commented:
"""
That is of no concern to us. `pki-base-python3 >= 10.2.1` will get us the correct package in all cases and under no circumstances will it cause an attempt to install a non-existent package. Note that `pki-base-python2 >= 10.2.1` means that FreeIPA is also compatible with `pki-base-python2-10.2.1.0.1.2.3`, which clearly doesn't exist either, but that doesn't make the dependency wrong in any way whatsoever.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-273459096
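Both of HonzaCholasta's comments above about what `pki-base-python2 >= 10.2.1` matches come down to how rpm compares `epoch:version-release` strings. The following is an added illustration written for this thread, not code from FreeIPA, rpm or this PR: a pure-Python re-implementation of the segment rules of rpm's `rpmvercmp()` and of EVR matching for a versioned `Requires`/`BuildRequires`, run over a constructed list of candidate builds (they are not real pki-base releases). It shows that `>= 10.2.1` is a predicate over an open-ended set: `10.3.5-6` and the hypothetical `10.2.1.0.1.2.3` both satisfy it, a `~rc1` pre-release of 10.3.0 does too, and a requirement written without a release part never constrains the release.

```python
"""RPM-style dependency version comparison (added illustration).

Pure-Python re-implementation of the segment comparison rules of rpm's
rpmvercmp() and of epoch:version-release (EVR) matching for a versioned
requirement.  This is neither rpm's nor FreeIPA's code; CANDIDATES below
is constructed for the example and does not describe real package releases.
"""


def rpmvercmp(a, b):
    """Compare two version (or release) strings the way rpm does.

    Returns -1, 0 or 1.  Strings are split into runs of digits and runs of
    letters; separators such as '.' or '_' are skipped.  Numeric runs compare
    as integers (leading zeros dropped), alphabetic runs compare lexically,
    a numeric segment beats an alphabetic one, '~' sorts before anything
    (pre-releases) and '^' sorts after the bare base version.
    """
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Skip separator characters in both strings.
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":          # tilde: lower than anything
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: higher than the base version
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:                # one string is exhausted
            break
        # Take the next all-digit or all-letter run from each string.
        isnum = ca.isdigit()
        kind = str.isdigit if isnum else str.isalpha
        ia, jb = i, j
        while ia < la and kind(a[ia]):
            ia += 1
        while jb < lb and kind(b[jb]):
            jb += 1
        sa, sb = a[i:ia], b[j:jb]
        if not sb:                          # different segment types
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):          # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ia, jb
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1             # leftover segments win


def parse_evr(evr):
    """Split 'epoch:version-release' into (int epoch, version, release).

    Epoch defaults to 0; release is None when absent, which is how a spec
    file requirement such as '>= 10.2.1' is written.
    """
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, None
    return int(epoch), version, release


def evr_compare(provided, required):
    """Compare a package EVR with a requirement EVR like rpm does.

    Epoch decides first, then version; release is compared only when both
    sides carry one, so a 10.3.5-6 build satisfies '= 10.3.5'.
    """
    pe, pv, pr = parse_evr(provided)
    qe, qv, qr = parse_evr(required)
    if pe != qe:
        return 1 if pe > qe else -1
    rc = rpmvercmp(pv, qv)
    if rc != 0 or pr is None or qr is None:
        return rc
    return rpmvercmp(pr, qr)


_OPS = {
    ">=": lambda rc: rc >= 0,
    "<=": lambda rc: rc <= 0,
    ">": lambda rc: rc > 0,
    "<": lambda rc: rc < 0,
    "=": lambda rc: rc == 0,
}


def satisfies(provided_evr, op, required_evr):
    """True if a package at provided_evr satisfies '<op> required_evr'."""
    return _OPS[op](evr_compare(provided_evr, required_evr))


# Constructed candidate builds for the example (not real package releases).
CANDIDATES = ["10.1.9-2", "10.2.1-1", "10.2.1.0.1.2.3-1", "10.3.0~rc1-1", "10.3.5-6"]


def matching_builds(op, required_evr, candidates=CANDIDATES):
    """Return the candidate EVRs a dependency solver would accept."""
    return [evr for evr in candidates if satisfies(evr, op, required_evr)]


if __name__ == "__main__":
    for evr in CANDIDATES:
        print("%-18s >= 10.2.1 -> %s" % (evr, satisfies(evr, ">=", "10.2.1")))
```

A real solver uses rpm's own comparison (from Python, `rpm.labelCompare`), which is what the spec file is ultimately evaluated against; the re-implementation here only makes the set-membership argument concrete. Note the release rule: because `>= 10.2.1` carries no release, `10.2.1-1` is accepted by it just as `= 10.2.1` would accept it.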
[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command
URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

MartinBasti commented:
"""
I would like to have `py3 str` <=> `py2 unicode`, `py3 bytes` <=> `py2 str`, but the framework is far away from this ideal state. So I have no strong opinion, and once we will drop py2, so I'm not sure if we want to migrate everything in py2 to unicode if it works in other cases.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/394#issuecomment-273450333
[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command
URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

HonzaCholasta commented:
"""
We are OK with the patch because fixing the root cause is out of the scope of this PR.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/394#issuecomment-273448687
[Freeipa-devel] [freeipa PR#244][comment] Add templating to ipaplatform path [RFC]
URL: https://github.com/freeipa/freeipa/pull/244
Title: #244: Add templating to ipaplatform path [RFC]

tiran commented:
"""
My PoC is a bit too magic and complicated. PR #373 for Debian support comes along nicely without additional magic. I'm closing the PR. I'll keep the branch around in case we want to tackle the problem in the future.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/244#issuecomment-273437189
[Freeipa-devel] [freeipa PR#244][closed] Add templating to ipaplatform path [RFC]
URL: https://github.com/freeipa/freeipa/pull/244
Author: tiran
Title: #244: Add templating to ipaplatform path [RFC]
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/244/head:pr244
git checkout pr244
Re: [Freeipa-devel] Certificate Identity Mapping
On Wed, Jan 18, 2017 at 09:59:49AM +0100, David Kupka wrote:
> Hello everyone!
> I would like to bring your attention to just published PRs implementing
> FreeIPA part of Certificate Identity Mapping feature [0]:
>
> - certmap plugin [1] by Flo
> - WebUI for certmap plugin [3] by Pavel
> - tests for certmap plugin [2] by me
>
> Also please think about names of the commands, parameters, entries and
> attributes. We've figured them somehow but if you have any suggestion that
> would improve the understanding please share.

Hi,

thank you for the patches. Just a general comment about an open question in the design. Honza suggested to use a priority instead of an issuer name to make sure that only specific rules are used for a given issuer. The latest mail in the thread about it is https://www.redhat.com/archives/freeipa-devel/2017-January/msg00229.html. Do you have any opinions here? I think it won't change much in your patches but we should find an agreement before e.g. the OIDs are registered.

bye,
Sumit

>
> Please review them thoroughly, thanks!
>
> [0] https://www.freeipa.org/page/V4/Certificate_Identity_Mapping
> [1] https://github.com/freeipa/freeipa/pull/398
> [2] https://github.com/freeipa/freeipa/pull/399
> [3] https://github.com/freeipa/freeipa/pull/400
>
> --
> David Kupka
[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command
URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

HonzaCholasta commented:
"""
@tiran, namespace keys are always ASCII. But feel free to open a ticket to convert all remaining uses of `str` as text to `unicode`, changing it for one random bit in this unrelated PR isn't particularly helpful when you take the big picture into account.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/394#issuecomment-273429342
[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

MartinBasti commented:
"""
I put some inline comments, @flo-renaud if you don't know where to register OIDs feel free to ping me
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-273428118
[Freeipa-devel] [freeipa PR#379][synchronized] Packaging: Add placeholder and IPA commands packages
URL: https://github.com/freeipa/freeipa/pull/379 Author: tiran Title: #379: Packaging: Add placeholder and IPA commands packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/379/head:pr379 git checkout pr379 From 9cc925ee9beae054d114f0f98d278230ff16f9ca Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Mon, 9 Jan 2017 11:02:25 +0100 Subject: [PATCH] Packaging: Add placeholder and IPA commands packages The ipacommands package contains ipa-getkeytab and ipa-rmkeytab for installation in a virtual env. The programs are compiled with distutils / setuptools. The ipa and freeipa packages are placeholders to prevent PyPI squashing attacks and reserve the names for future use. `pip install ipa` installs ipaclient. https://fedorahosted.org/freeipa/ticket/6484 
Signed-off-by: Christian Heimes --- .gitignore| 7 ++ Makefile.am | 5 +- configure.ac | 4 + packaging/Makefile.am | 11 +++ packaging/freeipa/Makefile.am | 1 + packaging/freeipa/README.txt | 2 + packaging/freeipa/setup.cfg | 6 ++ packaging/freeipa/setup.py| 36 +++ packaging/ipa/Makefile.am | 1 + packaging/ipa/README.txt | 2 + packaging/ipa/setup.cfg | 6 ++ packaging/ipa/setup.py| 36 +++ packaging/ipacommands/MANIFEST.in | 25 + packaging/ipacommands/Makefile.am | 72 ++ packaging/ipacommands/setup.cfg | 5 + packaging/ipacommands/setup.py| 194 ++ 16 files changed, 412 insertions(+), 1 deletion(-) create mode 100644 packaging/Makefile.am create mode 100644 packaging/freeipa/Makefile.am create mode 100644 packaging/freeipa/README.txt create mode 100644 packaging/freeipa/setup.cfg create mode 100755 packaging/freeipa/setup.py create mode 100644 packaging/ipa/Makefile.am create mode 100644 packaging/ipa/README.txt create mode 100644 packaging/ipa/setup.cfg create mode 100755 packaging/ipa/setup.py create mode 100644 packaging/ipacommands/MANIFEST.in create mode 100644 packaging/ipacommands/Makefile.am create mode 100644 packaging/ipacommands/setup.cfg create mode 100644 packaging/ipacommands/setup.py diff --git a/.gitignore b/.gitignore index 04553fd..249f158 100644 --- a/.gitignore +++ b/.gitignore @@ -112,3 +112,10 @@ freeipa2-dev-doc /ipaplatform/paths.py /ipaplatform/services.py /ipaplatform/tasks.py + +/packaging/ipacommands/COPYING +/packaging/ipacommands/Contributors.txt +/packaging/ipacommands/asn1 +/packaging/ipacommands/client +/packaging/ipacommands/ipasetup.py +/packaging/ipacommands/util diff --git a/Makefile.am b/Makefile.am index 9bfc899..e25cea3 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -1,7 +1,7 @@ ACLOCAL_AMFLAGS = -I m4 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython -SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po +SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests packaging po MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ @@ -202,6 +202,9 @@ $(WHEELBUNDLEDIR): mkdir -p $(WHEELBUNDLEDIR) bdist_wheel: $(WHEELDISTDIR) + $(MAKE) $(AM_MAKEFLAGS) -C packaging/ipacommands sdist || exit 1; + $(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1; + $(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1; for dir in $(IPACLIENT_SUBDIRS); do \ $(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \ done diff --git a/configure.ac b/configure.ac index 6cd3a89..12bc880 100644 --- a/configure.ac +++ b/configure.ac @@ -556,6 +556,10 @@ AC_CONFIG_FILES([ ipaserver/Makefile ipatests/Makefile ipatests/man/Makefile +packaging/Makefile +packaging/freeipa/Makefile +packaging/ipa/Makefile +packaging/ipacommands/Makefile po/Makefile.in po/Makefile.hack util/Makefile diff --git a/packaging/Makefile.am b/packaging/Makefile.am new file mode 100644 index 000..e033673 --- /dev/null +++ b/packaging/Makefile.am @@ -0,0 +1,11 @@ +# This file will be processed with automake-1.7 to create Makefile.in +# +AUTOMAKE_OPTIONS = 1.7 subdir-objects + +NULL = + +SUBDIRS = \ + freeipa \ + ipa \ + ipacommands \ + $(NULL) diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am new file mode 100644 index 000..8be72b2 --- /dev/null +++ b/packaging/freeipa/Makefile.am @@ -0,0 +1 @@ +include $(top_srcdir)/Makefile.python.am diff --git a/packaging/freeipa/README.txt b/packaging/freeipa/README.txt new file mode 100644 index 000..b58448f --- /dev/null +++ b/packaging/freeipa/README.txt @@ -0,0 +1,2 @@ +This is a dummy package for FreeIPA's ipaclient. + 
diff --git a/packaging/freeipa/setup.cfg
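Review bot: in the Makefile.am `bdist_wheel` hunk, each of the three new recipe lines runs in its own shell, so the `|| exit 1` suffix is redundant there (make already aborts on a non-zero status); it is only needed inside the `for dir in $(IPACLIENT_SUBDIRS)` loop below, which is a single shell command. Either drop it from the three lines or, if the intent is to keep all steps in one shell, chain them with `&&` and backslash continuations. Building `packaging/ipacommands sdist` before the two wheels is evidently an ordering requirement; a comment on the rule should say so, since nothing expresses it as a make prerequisite.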
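Review bot: the .gitignore hunk ignores `/packaging/ipacommands/asn1`, `client`, `util`, `ipasetup.py`, `COPYING` and `Contributors.txt`, which implies that the ipacommands sdist copies those top-level trees into `packaging/ipacommands`. The `packaging/ipacommands/Makefile.am` that does the copying is in the diffstat but not shown here; please make sure its `clean` target removes the copies, and add a one-line comment above the new ignore entries saying they are build-time copies so they are not mistaken for untracked sources.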
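Review bot: in the new packaging/Makefile.am, `subdir-objects` in `AUTOMAKE_OPTIONS` only affects compiled objects and this directory builds none, so `AUTOMAKE_OPTIONS = 1.7` is enough; if it is kept for consistency with the other Makefile.am files, a comment saying so avoids the question in later reviews.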
[Freeipa-devel] [freeipa PR#393][comment] [Py3] allow to run wsgi - part1
URL: https://github.com/freeipa/freeipa/pull/393
Title: #393: [Py3] allow to run wsgi - part1

tiran commented:
"""
@MartinBasti cert tests are failing. I have restarted the failing job. Let's see if the error persists or was just caused by a Travis hiccup.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/393#issuecomment-273426124

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]
URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

tiran commented:
"""
`pki-base-python3 >= 10.2.1` would mean that FreeIPA is compatible with `pki-base-python2 == 10.2.1` which clearly does not exist.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-273425618
[Freeipa-devel] [freeipa PR#386][comment] Tests: Add tree root domain role in legacy client tests
URL: https://github.com/freeipa/freeipa/pull/386
Title: #386: Tests: Add tree root domain role in legacy client tests

martbab commented:
"""
Looks good, let's see if it fixes our CI
"""

See the full comment at https://github.com/freeipa/freeipa/pull/386#issuecomment-273425390
[Freeipa-devel] [freeipa PR#386][+ack] Tests: Add tree root domain role in legacy client tests
URL: https://github.com/freeipa/freeipa/pull/386
Title: #386: Tests: Add tree root domain role in legacy client tests
Label: +ack
[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command
URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

tiran commented:
"""
In Python 2 str is a Chimera with the head of a text object and the body of a bytes object. It's just text if all text you got is ASCII. For clean polyglot code it's highly recommended to avoid Python 2 str and use Python 2's unicode for all text. Most of FreeIPA's Python code has been adapted to unicode for text very well. This is one of the few places that slipped through. The benefits are consistent treatment of text as Python 2 unicode, which leads to a proper fix instead of a patch (in this case decoding with six.text_type).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/394#issuecomment-273424928
[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command
URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

HonzaCholasta commented:
"""
The namespace keys *are* text (`str`) in both Python 2 and 3. The issue here is that the RPC layer assumes that `str` is binary data, which the patch correctly fixes by converting the keys to `unicode` before they enter the RPC layer. There is no benefit in making the keys themselves `unicode`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/394#issuecomment-273422664
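An added example (not code from PR #394 or from FreeIPA) that shows the behaviour discussed in this thread with Python 3's standard `xmlrpc.client` marshaller: bytes values are shipped as binary and bytes dictionary keys are rejected outright, so plugin namespace keys have to be text before they reach the RPC layer. The helper names and the sample namespace are constructed for the demo.

```python
# Added example, not code from PR #394 or from FreeIPA: the stdlib XML-RPC
# marshaller treats bytes as binary data, so namespace keys that are bytes
# (the Python 2 `str` case) must be turned into text before they enter the
# RPC layer. Helper names and the sample namespace below are constructed.
import xmlrpc.client


def to_text(value, encoding="ascii"):
    """Decode bytes to text; text passes through (the six.text_type idea)."""
    if isinstance(value, bytes):
        return value.decode(encoding)
    return value


def normalise_keys(namespace):
    """Return a copy of the namespace whose keys are all text."""
    return {to_text(key): value for key, value in namespace.items()}


def marshal(struct):
    """Marshal one struct parameter exactly as an XML-RPC call would."""
    return xmlrpc.client.dumps((struct,), methodname="plugins")


def accepted_by_rpc_layer(struct):
    """True if the marshaller accepts the struct, False if it rejects a key."""
    try:
        marshal(struct)
    except TypeError:
        # xmlrpc.client raises "dictionary key must be string" for bytes keys
        return False
    return True


def sent_as_binary(value):
    """True if a value is shipped as <base64> (binary) rather than <string>."""
    return "<base64>" in marshal({"v": value})


# Constructed stand-in for a plugin namespace keyed by class names that
# arrived as bytes, the situation described for the `ipa plugins` command.
RAW_NAMESPACE = {
    b"user_add": ["ipaserver.plugins.user"],
    b"host_add": ["ipaserver.plugins.host"],
}

if __name__ == "__main__":
    print("bytes value is binary:", sent_as_binary(b"user_add"))
    print("bytes keys accepted:", accepted_by_rpc_layer(RAW_NAMESPACE))
    fixed = normalise_keys(RAW_NAMESPACE)
    print("text keys accepted:", accepted_by_rpc_layer(fixed))
```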
[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command
URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

tiran commented:
"""
Why should *Python 2 class names are str instances* prevent us from making the namespace keys text? In Python 2 ASCII str and ASCII unicode are equivalent dict keys (same hash, compare equally). In Python 3 the keys are going to be text anyway.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/394#issuecomment-273420986
[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]
URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

HonzaCholasta commented:
"""
@tiran, the dependency says `>= 10.2.1`, not `== 10.2.1`, so we are not depending on any non-existent packages.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-273420737
[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command
URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

Akasurde commented:
"""
@martbab Yes, I will write a test case for this scenario and attach here.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/394#issuecomment-273420038
[Freeipa-devel] [freeipa PR#387][comment] Update warning message for ipa server uninstall
URL: https://github.com/freeipa/freeipa/pull/387
Title: #387: Update warning message for ipa server uninstall

Akasurde commented:
"""
@martbab Thanks for review.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/387#issuecomment-273419794
[Freeipa-devel] [freeipa PR#179][comment] Fix for handling CalledProcessError in authconfig
URL: https://github.com/freeipa/freeipa/pull/179
Title: #179: Fix for handling CalledProcessError in authconfig

Akasurde commented:
"""
@tomaskrizek @martbab Thanks for review.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/179#issuecomment-273419730
[Freeipa-devel] Certificate Identity Mapping
Hello everyone!

I would like to bring your attention to the just published PRs implementing the FreeIPA part of the Certificate Identity Mapping feature [0]:

- certmap plugin [1] by Flo
- WebUI for certmap plugin [3] by Pavel
- tests for certmap plugin [2] by me

Also please think about the names of the commands, parameters, entries and attributes. We've figured them out somehow, but if you have any suggestion that would improve the understanding please share.

Please review them thoroughly, thanks!

[0] https://www.freeipa.org/page/V4/Certificate_Identity_Mapping
[1] https://github.com/freeipa/freeipa/pull/398
[2] https://github.com/freeipa/freeipa/pull/399
[3] https://github.com/freeipa/freeipa/pull/400

--
David Kupka
[Freeipa-devel] [freeipa PR#372][closed] Restore IPA 3.0 compatibility of copy-schema-to-ca.py
URL: https://github.com/freeipa/freeipa/pull/372
Author: tiran
Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/372/head:pr372
git checkout pr372
[Freeipa-devel] [freeipa PR#372][comment] Restore IPA 3.0 compatibility of copy-schema-to-ca.py
URL: https://github.com/freeipa/freeipa/pull/372
Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py

tiran commented:
"""
I have updated the ticket https://fedorahosted.org/freeipa/ticket/6540#comment:5 with the result of this discussion. I'm going to close the PR. Let's start a new one to remove it and update `ipaserver/install/cainstance.py` plus builds.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/372#issuecomment-273418019
[Freeipa-devel] [freeipa PR#400][edited] WebUI: Certificate Mapping
URL: https://github.com/freeipa/freeipa/pull/400
Author: pvomacka
Title: #400: WebUI: Certificate Mapping
Action: edited
Changed field: body

Original value:
"""
Add WebUI for certificate mapping
"""
[Freeipa-devel] [freeipa PR#400][opened] WebUI: Certificate Mapping
URL: https://github.com/freeipa/freeipa/pull/400 Author: pvomacka Title: #400: WebUI: Certificate Mapping Action: opened PR body: """ Add WebUI for certificate mapping """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/400/head:pr400 git checkout pr400 From 0044846ee2c657179ec586b61ccec56876b3d6e2 Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Mon, 16 Jan 2017 13:59:16 +0100 Subject: [PATCH 1/4] WebUI: Add possibility to set widget always writable If widget will have set attribute 'always_writable' to true, then 'no_update' flag will be ingored. Used in command user-{add,remove}-certmap which needs to be writable in WebUI and also needs to be omitted from user-mod command. Part of: https://fedorahosted.org/freeipa/ticket/6601 --- install/ui/src/freeipa/field.js | 11 ++- install/ui/src/freeipa/widget.js | 2 ++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js index d70a778..2d05ab1 100644 --- a/install/ui/src/freeipa/field.js +++ b/install/ui/src/freeipa/field.js @@ -484,7 +484,16 @@ field.field = IPA.field = function(spec) { writable = false; } -if (that.metadata.flags && array.indexOf(that.metadata.flags, 'no_update') > -1) { +// In case that widget has set always_writable attribute, then +// 'no_update' flag is ignored in WebUI. It is done because of +// commands like user-{add,remove}-certmap. They operate with user's +// attribute, which cannot be changed using user-mod, but only +// using command user-{add,remove}-certmap. Therefore it has set +// 'no_update' flag, but we need to show 'Add', 'Remove' buttons in +// WebUI. +if (that.metadata.flags && +array.indexOf(that.metadata.flags, 'no_update') > -1 && +that.widget && !that.widget.always_writable) { writable = false; } } diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js index 6ad8aad..e6dfef9 100644 
--- a/install/ui/src/freeipa/widget.js +++ b/install/ui/src/freeipa/widget.js @@ -1516,6 +1516,8 @@ IPA.custom_command_multivalued_widget = function(spec) { var that = IPA.multivalued_widget(spec); +that.always_writable = spec.always_writable || true; + that.item_name = spec.item_name || ''; that.adder_dialog_spec = spec.adder_dialog_spec; From 4adde09f3fbb7471d1ef2a0aacd4e92c8e66c280 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Mon, 16 Jan 2017 14:12:23 +0100 Subject: [PATCH 2/4] WebUI: Send option:false if checkbox is not checked A checkbox can have true (checked) as default value, then we need to send false in case that user uncheck the checkbox. Part of: https://fedorahosted.org/freeipa/ticket/6601 --- install/ui/src/freeipa/field.js | 12 1 file changed, 12 insertions(+) diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js index 2d05ab1..01411e4 100644 --- a/install/ui/src/freeipa/field.js +++ b/install/ui/src/freeipa/field.js @@ -1167,6 +1167,18 @@ field.checkbox_field = IPA.checkbox_field = function(spec) { return false; }; +/** Returns false when checkbox is not checked. + * Necessary for checkboxes which has true as default value. i.e. + * certmaprule_add + */ +that.get_value = function() { + +if(that.value.length === 0) { +that.value = [false]; +} +return that.value; +}; + return that; }; From caef2cbe531e83a9bade00a55eb75c76bb34ae63 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Mon, 16 Jan 2017 14:13:42 +0100 Subject: [PATCH 3/4] WebUI: Create non editable row widget for mutlivalued widget Old krb-principal widget is changed to general one. And used also for ipacertmapdata in user. This widget make every line non-editable. Part of: https://fedorahosted.org/freeipa/ticket/6601 --- install/ui/src/freeipa/host.js| 3 ++- install/ui/src/freeipa/service.js | 3 ++- install/ui/src/freeipa/user.js| 3 ++- install/ui/src/freeipa/widget.js | 26 -- 4 files changed, 22 insertions(+), 13 deletions(-) 
diff --git a/install/ui/src/freeipa/host.js b/install/ui/src/freeipa/host.js index 87cf264..023530a 100644 --- a/install/ui/src/freeipa/host.js +++ b/install/ui/src/freeipa/host.js @@ -93,7 +93,8 @@ return { name: 'krbprincipalname', item_name: 'principal', child_spec: { -$type: 'krb_principal' +$type: 'non_editable_row', +data_name: 'krb-principal' }
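Review bot: in the field.js hunk of patch 1/4, the new condition `that.metadata.flags && array.indexOf(that.metadata.flags, 'no_update') > -1 && that.widget && !that.widget.always_writable` skips the whole `no_update` check when `that.widget` is unset, so such a field stays writable although the flag says it must not be. The comment above it describes the opposite intent: honour the flag unless a widget explicitly opts out. Suggested form: `... > -1 && !(that.widget && that.widget.always_writable)`.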
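Review bot: in the widget.js hunk of patch 1/4, `that.always_writable = spec.always_writable || true;` evaluates to `true` not only when the spec omits the option but also when it sets `always_writable: false`, so the option can never be switched off for `custom_command_multivalued_widget`. Use `spec.always_writable !== undefined ? spec.always_writable : true`, or, if this widget is meant to be writable unconditionally, assign `true` and drop the spec lookup.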
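Review bot: in the checkbox_field hunk of patch 2/4, `get_value` assigns `that.value = [false]` inside a getter, so merely reading the value mutates the field's state. Returning `[false]` without storing it keeps the getter side-effect free; the doc comment should also read "checkboxes which have true as default value".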
[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]
URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

tiran commented:
"""
What's the hold-up here? Martin and I discussed the necessity to raise the version requirements. Python 3 packages for PKI simply do not exist until 10.3. I don't want to depend on a non-existing package. In case there are some issues with our CI and proper updates of build requirements, then the issue should be handled by a separate ticket.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-273416279
[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command
URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

martbab commented:
"""
@Akasurde are you OK with writing a simple regression test for this command as a part of this PR?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/394#issuecomment-273416076
[Freeipa-devel] [freeipa PR#399][opened] Certificate mapping test
URL: https://github.com/freeipa/freeipa/pull/399 Author: dkupka Title: #399: Certificate mapping test Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6542 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/399/head:pr399 git checkout pr399 From fb73c25fa30d0d374010cfc2245fbe60726f7389 Mon Sep 17 00:00:00 2001 From: David KupkaDate: Fri, 13 Jan 2017 13:17:35 +0100 Subject: [PATCH 1/2] test_xmlrpc: tracker: Add enable and disable methods to tracker Prepare tracker for easier testing of *-{en,dis}able commands. --- ipatests/test_xmlrpc/tracker/base.py | 26 ++ 1 file changed, 26 insertions(+) diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py index aa88e6b..d8cd3a6 100644 --- a/ipatests/test_xmlrpc/tracker/base.py +++ b/ipatests/test_xmlrpc/tracker/base.py @@ -198,6 +198,14 @@ def make_update_command(self, updates): """Make function that modifies the entry using ${CMD}_mod""" raise NotImplementedError(self._override_me_msg) +def make_enable_command(self): +"""Make function that enables the entry using ${CMD}_enable""" +raise NotImplementedError(self._override_me_msg) + +def make_disable_command(self): +"""Make function that disables the entry using ${CMD}_disable""" +raise NotImplementedError(self._override_me_msg) + def create(self): """Helper function to create an entry and check the result""" self.track_create() 
@@ -285,3 +293,21 @@ def update(self, updates, expected_updates=None): def check_update(self, result, extra_keys=()): """Check the plugin's `mod` command result""" raise NotImplementedError(self._override_me_msg) + +def enable(self): +command = self.make_enable_command() +result = command() +self.check_enable(result) + +def check_enable(self, result): +"""Check the plugin's `enable` command result""" +raise NotImplementedError(self._override_me_msg) + +def disable(self): +command = self.make_disable_command() +result = command() +self.check_disable(result) + +def check_disable(self, result): +"""Check the plugin's `disable` command result""" +raise NotImplementedError(self._override_me_msg) From b9773e1bf5703ee0bbb65287849d6c0062afd15d Mon Sep 17 00:00:00 2001 From: David Kupka Date: Fri, 13 Jan 2017 13:22:45 +0100 Subject: [PATCH 2/2] test: certmap: Add basic tests for certmaprule commands. https://fedorahosted.org/freeipa/ticket/6542 --- ipatests/test_xmlrpc/objectclasses.py | 5 + ipatests/test_xmlrpc/test_certmap_plugin.py| 101 +++ ipatests/test_xmlrpc/tracker/certmap_plugin.py | 168 + 3 files changed, 274 insertions(+) create mode 100644 ipatests/test_xmlrpc/test_certmap_plugin.py create mode 100644 ipatests/test_xmlrpc/tracker/certmap_plugin.py diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py index 1ea020b..0a15a21 100644 --- a/ipatests/test_xmlrpc/objectclasses.py +++ b/ipatests/test_xmlrpc/objectclasses.py @@ -227,3 +227,8 @@ u'top', u'ipaca', ] + +certmaprule = [ +u'top', +u'ipacertmaprule', +] diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py new file mode 100644 index 000..4086333 --- /dev/null +++ b/ipatests/test_xmlrpc/test_certmap_plugin.py 
@@ -0,0 +1,101 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +import pytest +import itertools + +from ipapython.dn import DN +from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test +from ipatests.test_xmlrpc.tracker.certmap_plugin import CertmapruleTracker + +certmaprule_create_params = { +u'cn': u'test_rule', +u'description': u'Certificate mapping and matching rule for test ' +u'purposes', +u'ipacertmapissuer': DN('CN=CA,O=EXAMPLE.ORG'), +u'ipacertmapmaprule': u'arbitrary free-form mapping rule defined and ' + u'consumed by SSSD', +u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined ' +u'and consumed by SSSD', +u'associateddomain': u'example.org', +u'ipacertmappriority': u'1', +} + +certmaprule_update_params = { +u'description': u'Changed description', +u'ipacertmapissuer': DN('CN=Changed CA,O=OTHER.ORG'), +u'ipacertmapmaprule': u'changed arbitrary mapping rule', +u'ipacertmapmatchrule': u'changed arbitrary maching rule', +u'associateddomain': u'changed.example.org', +u'ipacertmappriority': u'5', +} + +certmaprule_optional_params = ( +'description', +'ipacertmapissuer', +'ipacertmapmaprule', +'ipacertmapmatchrule', +
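Review bot: in the second base.py hunk, `enable()` and `disable()` run the command and call `check_enable`/`check_disable`, but unlike `create()`, which calls `self.track_create()` before checking, they do not record the new state in the tracker, so a later retrieve check will still expect the previous `ipaenabledflag`. Either add `track_enable`/`track_disable` hooks (names are a suggestion) that subclasses can use to update `self.attrs`, or state in the `check_enable`/`check_disable` docstrings that the override must perform that update. `enable()` and `disable()` also lack the docstrings their neighbouring methods have.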
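Review bot: in the test_certmap_plugin.py hunk, `certmaprule_create_params` passes `ipacertmappriority` as the text `u'1'` and the update params as `u'5'`; if the API declares the parameter as an integer, say in a short comment why text is used here (the tracker compares against the string form returned from LDAP, presumably), otherwise a reviewer will flag it as a type mismatch.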
[Freeipa-devel] [freeipa PR#387][comment] Update warning message for ipa server uninstall
URL: https://github.com/freeipa/freeipa/pull/387
Title: #387: Update warning message for ipa server uninstall

martbab commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/ae2d0a221772267ecda30896dc8897a3f4b4a97b
"""

See the full comment at https://github.com/freeipa/freeipa/pull/387#issuecomment-273415717
[Freeipa-devel] [freeipa PR#387][+pushed] Update warning message for ipa server uninstall
URL: https://github.com/freeipa/freeipa/pull/387
Title: #387: Update warning message for ipa server uninstall
Label: +pushed
[Freeipa-devel] [freeipa PR#387][closed] Update warning message for ipa server uninstall
URL: https://github.com/freeipa/freeipa/pull/387
Author: Akasurde
Title: #387: Update warning message for ipa server uninstall
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/387/head:pr387
git checkout pr387
[Freeipa-devel] [freeipa PR#387][+ack] Update warning message for ipa server uninstall
URL: https://github.com/freeipa/freeipa/pull/387
Title: #387: Update warning message for ipa server uninstall
Label: +ack
[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

MartinBasti commented:
"""
@gkaihorodova you haven't pushed the changes to github repo

```
git push --force
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/181#issuecomment-273414761
[Freeipa-devel] [freeipa PR#210][comment] Tests: Stage User Tracker implementation
URL: https://github.com/freeipa/freeipa/pull/210
Title: #210: Tests: Stage User Tracker implementation

martbab commented:
"""
@gkaihorodova the PR cannot be pushed in its current form because the first commit 298e1a136c6a430e8deaa558a946ba51874ffd95 is already pushed to master. So to rebase it correctly please do the following:

Pull the changes from the remote repo (or any other label you have for it) into your local master branch:

```shell
$ git checkout master; git pull
```

Then do the rebase against the refreshed master branch. The first commit should now disappear as git should detect that it is already there. If not, then abort the current rebase, re-start it in interactive mode (git rebase -i master) and remove the first commit manually (just remove the first line).

Then force-push the changes into your fork:

```shell
$ git push -f origin fix-for-6448
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/210#issuecomment-273414412
[Freeipa-devel] [freeipa PR#398][opened] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: opened PR body: """ See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 From 3ccb98ac3c4e38d0454e47df1c06ae61a19fb5ee Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt | 16 +- API.txt | 184 VERSION.m4| 4 +- install/share/73certmap.ldif | 17 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am | 1 + ipalib/constants.py | 2 + ipaserver/install/dsinstance.py | 1 + ipaserver/plugins/baseuser.py | 177 ++- ipaserver/plugins/certmap.py | 345 ++ ipaserver/plugins/stageuser.py| 14 +- ipaserver/plugins/user.py | 23 ++- 13 files changed, 801 insertions(+), 11 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..ec2eeca 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example @@ -337,6
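Review bot: in the ACI.txt hunk, `System: Read Certmap Configuration` is granted to `userdn = "ldap:///all"` while `System: Read Certmap Rules` is restricted to the `cn=System: Read Certmap Rules` permission group. The rules are the part that has to be fetched by whoever applies the mapping (the PR body points to the design page for that), so the patch should state which principals receive that permission, or the commit message should explain why the rules are read-restricted when the configuration object is world-readable.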
[Freeipa-devel] [freeipa PR#390][closed] WebUI: Fix Coverity JS bugs
URL: https://github.com/freeipa/freeipa/pull/390
Author: pvomacka
Title: #390: WebUI: Fix Coverity JS bugs
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/390/head:pr390
git checkout pr390
[Freeipa-devel] [freeipa PR#378][closed] Clean / ignore make check artefact
URL: https://github.com/freeipa/freeipa/pull/378
Author: tiran
Title: #378: Clean / ignore make check artefact
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/378/head:pr378
git checkout pr378
[Freeipa-devel] [freeipa PR#389][closed] Fix build in mock
URL: https://github.com/freeipa/freeipa/pull/389
Author: lslebodn
Title: #389: Fix build in mock
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/389/head:pr389
git checkout pr389
[Freeipa-devel] [freeipa PR#378][+pushed] Clean / ignore make check artefact
URL: https://github.com/freeipa/freeipa/pull/378
Title: #378: Clean / ignore make check artefact
Label: +pushed
[Freeipa-devel] [freeipa PR#337][comment] Client-side CSR autogeneration (take 2)
URL: https://github.com/freeipa/freeipa/pull/337
Title: #337: Client-side CSR autogeneration (take 2)

tiran commented:
"""
@LiptonB thanks a lot for resuming your work! Please add jinja2 to `ipaclient/setup.py`, too.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/337#issuecomment-273413601
[Freeipa-devel] [freeipa PR#390][comment] WebUI: Fix Coverity JS bugs
URL: https://github.com/freeipa/freeipa/pull/390
Title: #390: WebUI: Fix Coverity JS bugs

martbab commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/a69c4448c58b2438952fd806e2515eea7575b27b
https://fedorahosted.org/freeipa/changeset/9d2ef64fb9e1357dc4a3cde8d93c796daefd2f6e
"""

See the full comment at https://github.com/freeipa/freeipa/pull/390#issuecomment-273410950
[Freeipa-devel] [freeipa PR#389][comment] Fix build in mock
URL: https://github.com/freeipa/freeipa/pull/389
Title: #389: Fix build in mock

martbab commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/5c18feaa206bbaee692fc3640b7b79c8d9d6a638
https://fedorahosted.org/freeipa/changeset/3f91469f327d8d9f3b27e0b67c54a4f47ad845c1
https://fedorahosted.org/freeipa/changeset/b82d285a4a75e11cc9291ecca12d2fcc26f43ed1
"""

See the full comment at https://github.com/freeipa/freeipa/pull/389#issuecomment-27349
[Freeipa-devel] [freeipa PR#390][+pushed] WebUI: Fix Coverity JS bugs
URL: https://github.com/freeipa/freeipa/pull/390
Title: #390: WebUI: Fix Coverity JS bugs
Label: +pushed
[Freeipa-devel] [freeipa PR#378][comment] Clean / ignore make check artefact
URL: https://github.com/freeipa/freeipa/pull/378
Title: #378: Clean / ignore make check artefact

martbab commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/d8343a96dd206c9f25cf032a50f3b48fb8166db1
"""

See the full comment at https://github.com/freeipa/freeipa/pull/378#issuecomment-273411645
[Freeipa-devel] [freeipa PR#389][+pushed] Fix build in mock
URL: https://github.com/freeipa/freeipa/pull/389
Title: #389: Fix build in mock
Label: +pushed