[Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

martbab commented:
"""
@tomaskrizek since you added a new key to the Env object, you will have to fix `test_ipalib/test_config.py` to account for this change, see https://travis-ci.org/freeipa/freeipa/jobs/198916106#L443
"""

See the full comment at https://github.com/freeipa/freeipa/pull/437#issuecomment-277924079

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] python-pyasn1 updated in rawhide and updates-testing for F-25
I updated the Fedora pyasn1 package to the latest release, 0.2.1. I did some very basic testing against IPA 4.2 and it worked ok.

The build is already up in rawhide and is on the way to updates-testing in Bodhi. It would be great to get some karma on it. I have auto-push turned off so it won't go stable in a week automatically.

rob
[Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

MartinBasti commented:
"""
@tomaskrizek on current versions of RHEL and Fedora IPA doesn't start in FIPS, but upgrading first and then enabling FIPS might be the way
"""

See the full comment at https://github.com/freeipa/freeipa/pull/437#issuecomment-28586
[Freeipa-devel] [freeipa PR#427][synchronized] [Py3] WSGI part 2
URL: https://github.com/freeipa/freeipa/pull/427 Author: MartinBasti Title: #427: [Py3] WSGI part 2 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/427/head:pr427 git checkout pr427 From 162cbe92129170f45267e38e14ebdb31e09ab4cd Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 24 Jan 2017 17:49:06 +0100 Subject: [PATCH 1/8] py3: base64 encoding/decoding returns always bytes don't mix it Using unicode(bytes) call causes undesired side effect that is inserting `b` character to result. This obviously causes issues with binary base64 data https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/plugins/baseldap.py | 2 +- ipaserver/plugins/ca.py | 4 +--- ipaserver/plugins/cert.py | 2 +- ipaserver/secrets/client.py | 6 -- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py index e7bf43c..24b6db7 100644 --- a/ipaserver/plugins/baseldap.py +++ b/ipaserver/plugins/baseldap.py @@ -1036,7 +1036,7 @@ def process_attr_options(self, entry_attrs, dn, keys, options): except ValueError: if isinstance(delval, bytes): # This is a Binary value, base64 encode it -delval = unicode(base64.b64encode(delval)) +delval = base64.b64encode(delval).decode('ascii') raise errors.AttrValueNotFound(attr=attr, value=delval) # normalize all values diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index 4f24278..3a052a1 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -4,8 +4,6 @@ import base64 -import six - from ipalib import api, errors, output, Bytes, DNParam, Flag, Str from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry 
@@ -176,7 +174,7 @@ def set_certificate_attrs(entry, options, want_cert=True): with api.Backend.ra_lightweight_ca as ca_api: if want_cert or full: der = ca_api.read_ca_cert(ca_id) -entry['certificate'] = six.text_type(base64.b64encode(der)) +entry['certificate'] = base64.b64encode(der).decode('ascii') if want_chain or full: pkcs7_der = ca_api.read_ca_chain(ca_id) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 5bf4cfb..6bf5c03 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -1260,7 +1260,7 @@ def _get_cert_key(self, cert): return (DN(cert_obj.issuer), cert_obj.serial) def _get_cert_obj(self, cert, all, raw, pkey_only): -obj = {'certificate': unicode(base64.b64encode(cert))} +obj = {'certificate': base64.b64encode(cert).decode('ascii')} full = not pkey_only and all if not raw: diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py index a04b9a6..a945e01 100644 --- a/ipaserver/secrets/client.py +++ b/ipaserver/secrets/client.py @@ -70,7 +70,8 @@ def init_creds(self): name = gssapi.Name(self.client_service, gssapi.NameType.hostbased_service) store = {'client_keytab': self.keytab, - 'ccache': 'MEMORY:Custodia_%s' % b64encode(os.urandom(8))} + 'ccache': 'MEMORY:Custodia_%s' % b64encode( + os.urandom(8)).decode('ascii')} return gssapi.Credentials(name=name, store=store, usage='initiate') def _auth_header(self): @@ -78,7 +79,8 @@ def _auth_header(self): self.creds = self.init_creds() ctx = gssapi.SecurityContext(name=self.service_name, creds=self.creds) authtok = ctx.step() -return {'Authorization': 'Negotiate %s' % b64encode(authtok)} +return {'Authorization': 'Negotiate %s' % b64encode( +authtok).decode('ascii')} def fetch_key(self, keyname, store=True): From 29b280bf7e3c88de40647adc3b06bf84f4b827f1 Mon Sep 17 00:00:00 2001 
From: Martin Basti Date: Tue, 24 Jan 2017 18:31:50 +0100 Subject: [PATCH 2/8] py3: base64.b64encode requires bytes as param Decimal must be changed to string first and then encoded to bytes https://fedorahosted.org/freeipa/ticket/4985 --- ipalib/rpc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 356ec42..3dc7936 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -308,7 +308,7 @@ def json_encode_binary(val, version): encoded = encoded.decode('ascii') return {'__base64__': encoded} elif isinstance(val, Decimal): -return {'__base64__': base64.b64encode(str(val))} +return {'__base64__': base64.b64encode(str(val).encode('ascii'))} elif isinstance(val, DN): return str(val) elif isinstance(val, datetime.datetime): From 91876550e768b362fdab729ee21dfe8187937c83 Mon Sep 17 00:00:00 2001 From: Martin Ba
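Review bot: in the ipalib/rpc.py hunk the Decimal branch still hands bytes to the JSON encoder on Python 3: `base64.b64encode(str(val).encode('ascii'))` returns bytes, whereas the bytes branch directly above decodes its result (`encoded = encoded.decode('ascii')`) before building `{'__base64__': encoded}`. Suggest `base64.b64encode(str(val).encode('ascii')).decode('ascii')` so both branches return a text value and the py3 json module does not reject the Decimal case.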
[Freeipa-devel] [freeipa PR#435][synchronized] py3: cert.py: create principal object from string
URL: https://github.com/freeipa/freeipa/pull/435 Author: MartinBasti Title: #435: py3: cert.py: create principal object from string Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/435/head:pr435 git checkout pr435 From aa2169f023287e308f6541bec56720865f54b331 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 6 Feb 2017 12:14:38 +0100 Subject: [PATCH] py3: x509.py: return principal as unicode string X509 return principal as unicode string https://fedorahosted.org/freeipa/ticket/4985 https://fedorahosted.org/freeipa/ticket/6640 --- ipalib/x509.py | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ipalib/x509.py b/ipalib/x509.py index 87d46ae..60a947b 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -361,13 +361,13 @@ class _KRB5PrincipalName(univ.Sequence): def _decode_krb5principalname(data): principal = decoder.decode(data, asn1Spec=_KRB5PrincipalName())[0] -realm = (str(principal['realm']).replace('\\', '') -.replace('@', '\\@')) +realm = (unicode(principal['realm']).replace('\\', '') +.replace('@', '\\@')) name = principal['principalName']['name-string'] -name = '/'.join(str(n).replace('\\', '') - .replace('/', '\\/') - .replace('@', '\\@') for n in name) -name = '%s@%s' % (name, realm) +name = u'/'.join(unicode(n).replace('\\', '') + .replace('/', '\\/') + .replace('@', '\\@') for n in name) +name = u'%s@%s' % (name, realm) return name -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
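Review bot: the ipalib/x509.py hunk switches `_decode_krb5principalname` from `str()` to `unicode()` and `u''` literals, but the diff does not show `unicode` being bound on Python 3 in that module (the usual `if six.PY3: unicode = str` alias). Confirm the alias exists in ipalib/x509.py; otherwise the function raises NameError under py3, the very interpreter this series targets.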
[Freeipa-devel] [freeipa PR#435][edited] py3: fix replica install regression
URL: https://github.com/freeipa/freeipa/pull/435
Author: MartinBasti
Title: #435: py3: fix replica install regression
Action: edited

Changed field: title
Original value:
"""
py3: cert.py: create principal object from string
"""
[Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437 Author: tomaskrizek Title: #437: FIPS: replica install check Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/437/head:pr437 git checkout pr437 From bef382c8b3039c39aafdad7203932d92e7670162 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 6 Feb 2017 13:08:11 +0100 Subject: [PATCH 1/3] Add fips_mode variable to env Variable fips_mode indicating whether machine is running in FIPS-enabled mode was added to env. https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/config.py | 5 + 1 file changed, 5 insertions(+) diff --git a/ipalib/config.py b/ipalib/config.py index 20591db..4002164 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -44,6 +44,7 @@ from ipalib.constants import CONFIG_SECTION from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR from ipalib import errors +from ipaplatform.tasks import tasks if six.PY3: unicode = str @@ -497,6 +498,10 @@ def _bootstrap(self, **overrides): if 'plugins_on_demand' not in self: self.plugins_on_demand = (self.context == 'cli') +# Set fips_mode: +if 'fips_mode' not in self: +self.fips_mode = tasks.is_fips_enabled() + def _finalize_core(self, **defaults): """ Complete initialization of standard IPA environment. From cd8a3982dadc32fe65fc8b2e4d98c3c574a84f33 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 6 Feb 2017 17:17:49 +0100 Subject: [PATCH 2/3] check_remote_version: update exception and string Refactor function to use ScriptError exception and proper string formatting. --- ipaserver/install/server/replicainstall.py | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 18222c8..f9951b0 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py 
@@ -518,12 +518,15 @@ def check_remote_version(api): finally: client.disconnect() +# Check version compatibility remote_version = parse_version(env['version']) api_version = parse_version(api.env.version) if remote_version > api_version: -raise RuntimeError( -"Cannot install replica of a server of higher version ({}) than" -"the local version ({})".format(remote_version, api_version)) +raise ScriptError( +"Cannot install replica of a server of higher version " +"(%(remote_version)s) than the local version (%(api_version)s)" +% dict(remote_version=remote_version, api_version=api_version)) + def common_check(no_ntp): From 8b07c3bbedf1b873fd96604ea462965b08457f26 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 6 Feb 2017 17:31:56 +0100 Subject: [PATCH 3/3] FIPS: perform replica installation check Check status of remote server's FIPS mode and proceed with installation only if it matches the current replica's FIPS mode. https://fedorahosted.org/freeipa/ticket/5695 --- ipaserver/install/server/replicainstall.py | 25 ++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index f9951b0..620c37c 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -508,13 +508,20 @@ def promote_openldap_conf(hostname, master): root_logger.info("Failed to update {}: {}".format(ldap_conf, e)) -def check_remote_version(api): +def check_remote_compatibility(api): +""" +Perform a check to verify remote server's version and fips-mode + +:param api: remote api + +:raises: ``ScriptError`` if the checks fails +""" client = rpc.jsonclient(api) client.finalize() client.connect() try: -env = client.forward(u'env', u'version')['result'] +env = client.forward(u'env', u'version', u'fips_mode')['result'] finally: client.disconnect() 
@@ -527,6 +534,18 @@ def check_remote_version(api): "(%(remote_version)s) than the local version (%(api_version)s)" % dict(remote_version=remote_version, api_version=api_version)) +# Check FIPS mode compatibility +remote_fips_mode = env['fips_mode'] +fips_mode = tasks.is_fips_enabled() +if fips_mode != remote_fips_mode: +if fips_mode: +raise ScriptError( +"Cannot join FIPS-enabled replica into existing topology: " +"FIPS is not enabled on the master server.") +else: +raise ScriptError( +"Cannot join replica into existing FIPS-enabled topology: " +"FIPS has to be enabled locally first.") def common_check(no_ntp): @@ -1080,7 +1099,7 @@ def promote_check(installer): remote_a
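Review bot: the `if 'fips_mode' not in self:` guard in the ipalib/config.py `_bootstrap` hunk gives `fips_mode` the same override semantics as every other Env key, so a value set in a config file or passed as an override replaces the `tasks.is_fips_enabled()` result. Because patch 3/3 reads this key from the remote server's `env` command to decide whether the topology is FIPS-enabled, a misconfigured master can report a mode that does not match its kernel; either set the key unconditionally or document that it is informational. The new `from ipaplatform.tasks import tasks` also pulls platform code into the shared ipalib client library, and the new key needs test_ipalib/test_config.py updated, as the Travis failure linked earlier in this thread shows.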
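Review bot: in the `check_remote_compatibility` hunk, `remote_fips_mode = env['fips_mode']` raises a bare KeyError when the remote master predates patch 1/3, since the `env` command does not return keys its Env lacks; the version check a few lines above only rejects remotes of a higher version, so an older master reaches this line and the user sees a traceback instead of a ScriptError. Suggest `env.get('fips_mode', False)` or an explicit ScriptError naming the missing key. The local side also calls `tasks.is_fips_enabled()` directly even though patch 1/3 added `api.env.fips_mode` for exactly this value; using the Env key on both sides keeps the comparison symmetric.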
[Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

tomaskrizek commented:
"""
@MartinBasti Since this check is performed only during installation, the user could simply install non-FIPS replica and then turn FIPS on afterwards. There might be issues with this approach and thus it is neither recommended nor supported, as stated in the [documentation](https://www.freeipa.org/page/V4/FreeIPA-on-FIPS#Multiple_servers_in_topology).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/437#issuecomment-277745754
[Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

MartinBasti commented:
"""
I'm still afraid that users may want to create a FIPS replica from the non-FIPS master, even if it is not recommended due to security. How can this be achieved?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/437#issuecomment-277743511
[Freeipa-devel] [freeipa PR#409][+ack] ipatests: nested netgroups (intg)
URL: https://github.com/freeipa/freeipa/pull/409
Title: #409: ipatests: nested netgroups (intg)

Label: +ack
[Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437 Author: tomaskrizek Title: #437: FIPS: replica install check Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/437/head:pr437 git checkout pr437 From 0bd1d63ec30eff4583ff314edb6dfa38acf28f63 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 6 Feb 2017 13:08:11 +0100 Subject: [PATCH 1/3] Add fips_mode variabl to env Variable fips_mode indicating whether machine is running in FIPS-enabled mode was added to env. https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/config.py | 5 + 1 file changed, 5 insertions(+) diff --git a/ipalib/config.py b/ipalib/config.py index 20591db..4002164 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -44,6 +44,7 @@ from ipalib.constants import CONFIG_SECTION from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR from ipalib import errors +from ipaplatform.tasks import tasks if six.PY3: unicode = str @@ -497,6 +498,10 @@ def _bootstrap(self, **overrides): if 'plugins_on_demand' not in self: self.plugins_on_demand = (self.context == 'cli') +# Set fips_mode: +if 'fips_mode' not in self: +self.fips_mode = tasks.is_fips_enabled() + def _finalize_core(self, **defaults): """ Complete initialization of standard IPA environment. From 2da87d402bdecffbb3004c87312605453edcb01e Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 6 Feb 2017 17:17:49 +0100 Subject: [PATCH 2/3] check_remote_version: update exception and string Refactor function to use i18n string and ScriptError exception. --- ipaserver/install/server/replicainstall.py | 11 +++ 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 18222c8..06af62a 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py 
@@ -28,7 +28,7 @@ from ipaplatform import services from ipaplatform.tasks import tasks from ipaplatform.paths import paths -from ipalib import api, constants, create_api, errors, rpc, x509 +from ipalib import _, api, constants, create_api, errors, rpc, x509 from ipalib.config import Env from ipalib.util import ( network_ip_address_warning, @@ -518,12 +518,15 @@ def check_remote_version(api): finally: client.disconnect() +# Check version compatibility remote_version = parse_version(env['version']) api_version = parse_version(api.env.version) if remote_version > api_version: -raise RuntimeError( -"Cannot install replica of a server of higher version ({}) than" -"the local version ({})".format(remote_version, api_version)) +raise ScriptError( +_("Cannot install replica of a server of higher version " + "(%(remote_version)s) than the local version (%(api_version)s)") +% dict(remote_version=remote_version, api_version=api_version)) + def common_check(no_ntp): From 1dacf228b1bda1c4298203f8f80f3d4818eecb65 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 6 Feb 2017 17:31:56 +0100 Subject: [PATCH 3/3] FIPS: perform replica installation check Check status of remote server's FIPS mode and proceed with installation only if it matches the current replica's FIPS mode. https://fedorahosted.org/freeipa/ticket/5695 --- ipaserver/install/server/replicainstall.py | 25 ++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 06af62a..64ffb9a 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py 
@@ -508,13 +508,20 @@ def promote_openldap_conf(hostname, master): root_logger.info("Failed to update {}: {}".format(ldap_conf, e)) -def check_remote_version(api): +def check_remote_compatibility(api): +""" +Perform a check to verify remote server's version and fips-mode + +:param api: remote api + +:raises: ``ScriptError`` if the checks fails +""" client = rpc.jsonclient(api) client.finalize() client.connect() try: -env = client.forward(u'env', u'version')['result'] +env = client.forward(u'env', u'version', u'fips_mode')['result'] finally: client.disconnect() @@ -527,6 +534,18 @@ def check_remote_version(api): "(%(remote_version)s) than the local version (%(api_version)s)") % dict(remote_version=remote_version, api_version=api_version)) +# Check FIPS mode compatibility +remote_fips_mode = env['fips_mode'] +fips_mode = tasks.is_fips_enabled() +if fips_mode != remote_fips_mode: +if fips_mode: +raise ScriptError( +_("Cannot join FIPS-enabled replica into existing t
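Review bot: the patch 2/3 hunk in ipaserver/install/server/replicainstall.py replaces `RuntimeError` with `ScriptError` and adds `_` to the ipalib import, but the diff adds no import for `ScriptError`; the old code raised a builtin and needed none, so confirm `ScriptError` is already imported in this module, otherwise the failure path itself ends in NameError. In the patch 3/3 docstring, "if the checks fails" should read "if the check fails".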
[Freeipa-devel] [freeipa PR#422][+pushed] Fix reference before assignment
URL: https://github.com/freeipa/freeipa/pull/422
Title: #422: Fix reference before assignment

Label: +pushed
[Freeipa-devel] [freeipa PR#422][closed] Fix reference before assignment
URL: https://github.com/freeipa/freeipa/pull/422
Author: frasertweedale
Title: #422: Fix reference before assignment
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/422/head:pr422
git checkout pr422
[Freeipa-devel] [freeipa PR#422][comment] Fix reference before assignment
URL: https://github.com/freeipa/freeipa/pull/422
Title: #422: Fix reference before assignment

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/924794f62b9d3d0f46ca18e4f9338eaed865c03e
"""

See the full comment at https://github.com/freeipa/freeipa/pull/422#issuecomment-277734802
[Freeipa-devel] [freeipa PR#395][synchronized] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395 Author: flo-renaud Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1" Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/395/head:pr395 git checkout pr395 From 9e33ca9cbac1837cf779673e5479f3718ef8e759 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Thu, 12 Jan 2017 18:17:15 +0100 Subject: [PATCH] Do not configure PKI ajp redirection to use "::1" When ipa-server-install configures PKI, it provides a configuration file with the parameter pki_ajp_host set to ::1. This parameter is used to configure Tomcat redirection in /etc/pki/pki-tomcat/server.xml: ie all requests to port 8009 are redirected to port 8443 on address ::1. If the /etc/hosts config file does not define ::1 for localhost, then AJP redirection fails and replica install is not able to request a certificate for the replica. Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP redirection with "localhost", FreeIPA does not need any more to override this setting. The code now depends on pki 10.3.5-11 which provides the fix in the template and the upgrade. https://fedorahosted.org/freeipa/ticket/6575 --- freeipa.spec.in | 4 ++-- ipaserver/install/cainstance.py | 4 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ba2e294..29d652e 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -246,8 +246,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= %{slapi_nis_version} -Requires: pki-ca >= 10.3.5-6 -Requires: pki-kra >= 10.3.5-6 +Requires: pki-ca >= 10.3.5-11 +Requires: pki-kra >= 10.3.5-11 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: policycoreutils >= 2.1.12-5 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index a73a9c4..1cc74de 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -594,10 +594,6 @@ def __spawn_instance(self): config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name) config.set("CA", "pki_external_step_two", "True") -# PKI IPv6 Configuration -config.add_section("Tomcat") -config.set("Tomcat", "pki_ajp_host", "::1") - # Generate configuration file with open(cfg_file, "w") as f: config.write(f) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
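Review bot: removing `config.add_section("Tomcat")` in the `__spawn_instance` hunk is only safe if no other `config.set("Tomcat", ...)` call remains in the function, since ConfigParser raises NoSectionError on the first such call once the section is gone; please confirm before merging. The spec hunk raises the pin to `pki-ca`/`pki-kra >= 10.3.5-11`, which per the follow-up comment is only in Fedora updates-testing, and the commit message should spell out that already-installed servers now depend on PKI's own upgrade step to rewrite server.xml, because FreeIPA no longer sets `pki_ajp_host` at all.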
[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

flo-renaud commented:
"""
Hi,
PR updated with dependency on pki 10.3.5-11 (note that this package is currently available in fedora updates-testing only).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/395#issuecomment-277734364
[Freeipa-devel] [freeipa PR#432][comment] build: Add missing dependency on libxmlrpc{, _util}
URL: https://github.com/freeipa/freeipa/pull/432
Title: #432: build: Add missing dependency on libxmlrpc{,_util}

MartinBasti commented:
"""
Needs separate PR for ipa-4-4 branch
"""

See the full comment at https://github.com/freeipa/freeipa/pull/432#issuecomment-277732697
[Freeipa-devel] [freeipa PR#432][+pushed] build: Add missing dependency on libxmlrpc{, _util}
URL: https://github.com/freeipa/freeipa/pull/432
Title: #432: build: Add missing dependency on libxmlrpc{,_util}

Label: +pushed
[Freeipa-devel] [freeipa PR#432][closed] build: Add missing dependency on libxmlrpc{, _util}
URL: https://github.com/freeipa/freeipa/pull/432
Author: dkupka
Title: #432: build: Add missing dependency on libxmlrpc{,_util}
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/432/head:pr432
git checkout pr432
[Freeipa-devel] [freeipa PR#432][comment] build: Add missing dependency on libxmlrpc{, _util}
URL: https://github.com/freeipa/freeipa/pull/432
Title: #432: build: Add missing dependency on libxmlrpc{,_util}

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f4088b3a00b3cbd1a0133ac90cba85e501573f76
"""

See the full comment at https://github.com/freeipa/freeipa/pull/432#issuecomment-277732073
[Freeipa-devel] [freeipa PR#437][opened] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437 Author: tomaskrizek Title: #437: FIPS: replica install check Action: opened PR body: """ PR depends on the rest of the FIPS patches. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/437/head:pr437 git checkout pr437 From 0bd1d63ec30eff4583ff314edb6dfa38acf28f63 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 6 Feb 2017 13:08:11 +0100 Subject: [PATCH 1/2] Add fips_mode variabl to env Variable fips_mode indicating whether machine is running in FIPS-enabled mode was added to env. https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/config.py | 5 + 1 file changed, 5 insertions(+) diff --git a/ipalib/config.py b/ipalib/config.py index 20591db..4002164 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -44,6 +44,7 @@ from ipalib.constants import CONFIG_SECTION from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR from ipalib import errors +from ipaplatform.tasks import tasks if six.PY3: unicode = str @@ -497,6 +498,10 @@ def _bootstrap(self, **overrides): if 'plugins_on_demand' not in self: self.plugins_on_demand = (self.context == 'cli') +# Set fips_mode: +if 'fips_mode' not in self: +self.fips_mode = tasks.is_fips_enabled() + def _finalize_core(self, **defaults): """ Complete initialization of standard IPA environment. From b1eeace0fba4f36e20a4e2976cf3a4024aa57917 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 6 Feb 2017 16:15:49 +0100 Subject: [PATCH 2/2] FIPS: perform replica installation check Check status of remote server's FIPS mode and proceed with installation only if it matches the current replica's FIPS mode. https://fedorahosted.org/freeipa/ticket/5695 --- ipaserver/install/server/replicainstall.py | 30 +++--- 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 18222c8..67f9e34 100644 
--- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -28,7 +28,7 @@ from ipaplatform import services from ipaplatform.tasks import tasks from ipaplatform.paths import paths -from ipalib import api, constants, create_api, errors, rpc, x509 +from ipalib import _, api, constants, create_api, errors, rpc, x509 from ipalib.config import Env from ipalib.util import ( network_ip_address_warning, @@ -508,22 +508,38 @@ def promote_openldap_conf(hostname, master): root_logger.info("Failed to update {}: {}".format(ldap_conf, e)) -def check_remote_version(api): +def check_remote_compatibility(api): +"""Perform a check to verify remote server's version and fips-mode.""" client = rpc.jsonclient(api) client.finalize() client.connect() try: -env = client.forward(u'env', u'version')['result'] +env = client.forward(u'env', u'version', u'fips_mode')['result'] finally: client.disconnect() +# Check version compatibility remote_version = parse_version(env['version']) api_version = parse_version(api.env.version) if remote_version > api_version: -raise RuntimeError( -"Cannot install replica of a server of higher version ({}) than" -"the local version ({})".format(remote_version, api_version)) +raise ScriptError( +_("Cannot install replica of a server of higher version " + "(%(remote_version)s) than the local version (%(api_version)s)") +% dict(remote_version=remote_version, api_version=api_version)) + +# Check FIPS mode compatibility +remote_fips_mode = env['fips_mode'] +fips_mode = tasks.is_fips_enabled() +if fips_mode != remote_fips_mode: +if fips_mode: +raise ScriptError( +_("Cannot join FIPS-enabled replica into existing topology: " + "FIPS is not enabled on the master server.")) +else: +raise ScriptError( +_("Cannot join replica into existing FIPS-enabled topology: " + "FIPS has to be enabled locally first.")) def common_check(no_ntp): 
@@ -1077,7 +1093,7 @@ def promote_check(installer): remote_api.finalize() installer._remote_api = remote_api -check_remote_version(remote_api) +check_remote_compatibility(remote_api) conn = remote_api.Backend.ldap2 replman = None -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
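Review bot: the `check_remote_compatibility` hunk rejects the FIPS-replica-on-non-FIPS-master case with "FIPS is not enabled on the master server." and says nothing about what the user should do instead; the thread on this PR shows that this is exactly the case users will hit, and that the check runs only at install time, so a replica that enables FIPS afterwards is never re-checked. Suggest pointing both messages at the documented multi-server FIPS procedure and stating in the commit message that the check is install-time only. The `promote_check` hunk updates the one caller shown; grep for any other `check_remote_version` reference before merging, since the old name is removed.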
[Freeipa-devel] [freeipa PR#436][closed] x509: allow leading text in PEM files
URL: https://github.com/freeipa/freeipa/pull/436
Author: HonzaCholasta
Title: #436: x509: allow leading text in PEM files
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/436/head:pr436
git checkout pr436
[Freeipa-devel] [freeipa PR#436][comment] x509: allow leading text in PEM files
URL: https://github.com/freeipa/freeipa/pull/436
Title: #436: x509: allow leading text in PEM files

HonzaCholasta commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/89dfbab3ca076812590f371c21abcb51b350170b
"""

See the full comment at https://github.com/freeipa/freeipa/pull/436#issuecomment-277687144
[Freeipa-devel] [freeipa PR#436][+pushed] x509: allow leading text in PEM files
URL: https://github.com/freeipa/freeipa/pull/436 Title: #436: x509: allow leading text in PEM files Label: +pushed
[Freeipa-devel] [freeipa PR#409][synchronized] ipatests: nested netgroups (intg)
URL: https://github.com/freeipa/freeipa/pull/409 Author: celestian Title: #409: ipatests: nested netgroups (intg) Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/409/head:pr409 git checkout pr409 From 580daa224ea990753ff90d8f25d094259ca13ff2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Mon, 23 Jan 2017 18:46:42 +0100 Subject: [PATCH] ipatests: nested netgroups (intg) Adds a test case for issue in SSSD that manifested in an inability to resolve nested membership in netgroups The test case tests for direct and indirect membership. https://fedorahosted.org/freeipa/ticket/6439 --- Contributors.txt | 1 + ipatests/test_integration/test_netgroup.py | 169 + 2 files changed, 170 insertions(+) create mode 100644 ipatests/test_integration/test_netgroup.py diff --git a/Contributors.txt b/Contributors.txt index a003a3e..7a1913b 100644 --- a/Contributors.txt +++ b/Contributors.txt @@ -24,6 +24,7 @@ Developers: Brian Cook Rob Crittenden Frank Cusack + Petr Čech Nalin Dahyabhai Don Davis John Dennis diff --git a/ipatests/test_integration/test_netgroup.py b/ipatests/test_integration/test_netgroup.py new file mode 100644 index 000..45f2f3f --- /dev/null +++ b/ipatests/test_integration/test_netgroup.py 
@@ -0,0 +1,169 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +import pytest + +from ipatests.test_integration.base import IntegrationTest +from ipatests.test_integration.tasks import clear_sssd_cache + + +test_data = [] +for i in range(3): +data = { +'user': { +'login': 'testuser_{}'.format(i), +'first': 'Test_{}'.format(i), +'last': 'User_{}'.format(i), +}, +'netgroup': 'testgroup_{}'.format(i), +'nested_netgroup': 'testgroup_{}'.format(i-1) if i > 0 else None +} +test_data.append(data) +members = [d['user']['login'] for d in test_data] +test_data[-1]['netgroup_nested_members'] = members + + +@pytest.fixture() +def three_netgroups(request): +"""Prepare basic netgroups with users""" + +for d in test_data: +request.cls.master.run_command(['ipa', 'user-add', d['user']['login'], +'--first', d['user']['first'], +'--last', d['user']['last']], + raiseonerr=False) + +request.cls.master.run_command(['ipa', 'netgroup-add', d['netgroup']], + raiseonerr=False) + +user_opt = '--users={u[login]}'.format(u=d['user']) +request.cls.master.run_command(['ipa', 'netgroup-add-member', user_opt, +d['netgroup']], raiseonerr=False) + +def teardown_three_netgroups(): +"""Clean basic netgroups with users""" +for d in test_data: +request.cls.master.run_command(['ipa', 'user-del', +d['user']['login']], + raiseonerr=False) + +request.cls.master.run_command(['ipa', 'netgroup-del', +d['netgroup']], + raiseonerr=False) + +request.addfinalizer(teardown_three_netgroups) + + +class TestNetgroups(IntegrationTest): +""" +Test Netgroups +""" + +topology = 'line' + +def check_users_in_netgroups(self): +"""Check if users are in groups, no nested things""" +master = self.master +clear_sssd_cache(master) + +for d in test_data: +result = master.run_command(['getent', 'passwd', + d['user']['login']], raiseonerr=False) +assert result.returncode == 0 + +user = '{u[first]} {u[last]}'.format(u=d['user']) +assert user in result.stdout_text + +result = master.run_command(['getent', 
'netgroup', + d['netgroup']], raiseonerr=False) +assert result.returncode == 0 + +netgroup = '(-,{},{})'.format(d['user']['login'], + self.master.domain.name) +assert netgroup in result.stdout_text + +def check_nested_netgroup_hierarchy(self): +"""Check if nested netgroups hierarchy is complete""" +master = self.master +clear_sssd_cache(master) + +for d in test_data: +result = master.run_command(['getent', 'netgroup', d['netgroup']], +raiseonerr=False) +assert result.returncode == 0 + +for member in d['netgroup_nested_members']: +if not member: +continue + +netgroup = '(-,{},{})'.format(member, self.master.domain.na
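Review bot: `check_nested_netgroup_hierarchy` iterates `for member in d['netgroup_nested_members']` over every entry of `test_data`, but the key is only ever set on the last entry (`test_data[-1]['netgroup_nested_members'] = members`), so the loop raises KeyError on `testgroup_0` and `testgroup_1` before any assertion runs. Use `d.get('netgroup_nested_members', [])` or set the key on every entry (an empty list where nothing is nested). Also, the `three_netgroups` fixture passes `raiseonerr=False` to `user-add`, `netgroup-add` and `netgroup-add-member`, so a failed setup surfaces later as an unrelated `getent` assertion; keep the default (raise) for setup and use `raiseonerr=False` only in the finalizer, where a missing object is expected.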
[Freeipa-devel] [freeipa PR#436][+ack] x509: allow leading text in PEM files
URL: https://github.com/freeipa/freeipa/pull/436 Title: #436: x509: allow leading text in PEM files Label: +ack
[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1
URL: https://github.com/freeipa/freeipa/pull/410 Title: #410: ipa-kdb: support KDB DAL version 6.1 abbra commented: """ I split the tables into separate ones and also made independent #if/#endif blocks for them. Finally, I added a spec file guard to force using 1.15-5 or later version on Fedora 26 or later. """ See the full comment at https://github.com/freeipa/freeipa/pull/410#issuecomment-277669579
[Freeipa-devel] [freeipa PR#410][synchronized] ipa-kdb: support KDB DAL version 6.1
URL: https://github.com/freeipa/freeipa/pull/410 Author: abbra Title: #410: ipa-kdb: support KDB DAL version 6.1 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/410/head:pr410 git checkout pr410 From 0972231c6637715684fb8c61c3bd6e4277988dbc Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 24 Jan 2017 11:02:30 +0200 Subject: [PATCH] ipa-kdb: support KDB DAL version 6.1 DAL version 6.0 removed support for a callback to free principal. This broke KDB drivers which had complex e_data structure within the principal structure. As result, FreeIPA KDB driver was leaking memory with DAL version 6.0 (krb5 1.15). DAL version 6.1 added a special callback for freeing e_data structure. See details at krb5/krb5#596 Restructure KDB driver code to provide this callback in case we are built against DAL version that supports it. For DAL version prior to 6.0 use this callback in the free_principal callback to tidy the code. https://fedorahosted.org/freeipa/ticket/6619 --- configure.ac | 21 ++ daemons/ipa-kdb/ipa_kdb.c| 42 ++-- daemons/ipa-kdb/ipa_kdb.h| 2 ++ daemons/ipa-kdb/ipa_kdb_principals.c | 42 freeipa.spec.in | 4 5 files changed, 91 insertions(+), 20 deletions(-) diff --git a/configure.ac b/configure.ac index 6cd3a89..e2f71d7 100644 --- a/configure.ac +++ b/configure.ac 
@@ -65,6 +65,27 @@ krb5rundir="${localstatedir}/run/krb5kdc" AC_SUBST(KRAD_LIBS) AC_SUBST(krb5rundir) +AC_CHECK_HEADER(kdb.h, [], [AC_MSG_ERROR([kdb.h not found])]) +AC_CHECK_MEMBER( + [kdb_vftabl.free_principal], + [AC_DEFINE([HAVE_KDB_FREEPRINCIPAL], [1], + [KDB driver API has free_principal callback])], + [AC_MSG_NOTICE([KDB driver API has no free_principal callback])], + [[#include ]]) +AC_CHECK_MEMBER( + [kdb_vftabl.free_principal_e_data], + [AC_DEFINE([HAVE_KDB_FREEPRINCIPAL_EDATA], [1], + [KDB driver API has free_principal_e_data callback])], + [AC_MSG_NOTICE([KDB driver API has no free_principal_e_data callback])], + [[#include ]]) + +if test "x$ac_cv_member_kdb_vftabl_free_principal" = "xno" \ + -a "x$ac_cv_member_kdb_vftable_free_principal_e_data" = "xno" ; then +AC_MSG_WARN([KDB driver API does not allow to free Kerberos principal data.]) +AC_MSG_WARN([KDB driver will leak memory on Kerberos principal use]) +AC_MSG_WARN([See https://github.com/krb5/krb5/pull/596 for details]) +fi + dnl --- dnl - Check for OpenLDAP SDK dnl --- diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c index e96353f..e74ab56 100644 --- a/daemons/ipa-kdb/ipa_kdb.c +++ b/daemons/ipa-kdb/ipa_kdb.c @@ -625,6 +625,9 @@ static void ipadb_free(krb5_context context, void *ptr) /* KDB Virtual Table */ +/* We explicitly want to keep different ABI tables below separate. */ +/* Do not merge them together. Older ABI does not need to be updated */ + #if KRB5_KDB_DAL_MAJOR_VERSION == 5 kdb_vftabl kdb_function_table = { .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, @@ -657,8 +660,9 @@ kdb_vftabl kdb_function_table = { .audit_as_req = ipadb_audit_as_req, .check_allowed_to_delegate = ipadb_check_allowed_to_delegate }; +#endif -#elif KRB5_KDB_DAL_MAJOR_VERSION == 6 +#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA) kdb_vftabl kdb_function_table = { .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, .min_ver = 0, 
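Review bot: the `if test` in the configure.ac hunk reads `$ac_cv_member_kdb_vftable_free_principal_e_data` (struct spelled `vftable`), but the `AC_CHECK_MEMBER([kdb_vftabl.free_principal_e_data], ...)` just above sets `ac_cv_member_kdb_vftabl_free_principal_e_data` (no `e`, matching the first variable in the same test), so the second variable is always empty, the `-a` condition can never hold and the memory-leak warning never fires even when both callbacks are missing. Fix the spelling; it is also safer to compare against `xyes` (`!= xyes`) so that an unset cache variable counts as "missing" rather than silently passing.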
@@ -686,8 +690,42 @@ kdb_vftabl kdb_function_table = { .audit_as_req = ipadb_audit_as_req, .check_allowed_to_delegate = ipadb_check_allowed_to_delegate }; +#endif + +#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && defined(HAVE_KDB_FREEPRINCIPAL_EDATA) +kdb_vftabl kdb_function_table = { +.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, +.min_ver = 1, +.init_library = ipadb_init_library, +.fini_library = ipadb_fini_library, +.init_module = ipadb_init_module, +.fini_module = ipadb_fini_module, +.create = ipadb_create, +.get_age = ipadb_get_age, +.get_principal = ipadb_get_principal, +.put_principal = ipadb_put_principal, +.delete_principal = ipadb_delete_principal, +.iterate = ipadb_iterate, +.create_policy = ipadb_create_pwd_policy, +.get_policy = ipadb_get_pwd_policy, +.put_policy = ipadb_put_pwd_policy, +.iter_policy = ipadb_iterate_pwd_policy, +.delete_policy = ipadb_delete_pwd_policy, +.fetch_master_key = ipadb_fetch_master_key, +.store_master_key_list = ipadb_store_master_key_list, +.change_pwd = ipadb_change_pwd, +.sign_authdata = ipadb_sign_authdata, +.check_transited_realms = ipadb_check_transited_realms, +.check_policy_as = ipadb_check_policy_as, +.audit_as_req = ipadb_audit_as_req, +
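Review bot: with the restructuring there are now three independent `#if` blocks (`== 5`, `== 6 && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA)`, `== 6 && defined(HAVE_KDB_FREEPRINCIPAL_EDATA)`) and no `#else`, so a build against a DAL major version other than 5 or 6 compiles ipa_kdb.c without ever defining `kdb_function_table`, and the problem only shows up when krb5kdc tries to load the module. Close the chain with `#else` / `#error "unsupported KRB5_KDB_DAL_MAJOR_VERSION"` so the build fails immediately with a clear message; the comment "Do not merge them together" could then point at that guard as the only shared piece.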
[Freeipa-devel] [freeipa PR#436][comment] x509: allow leading text in PEM files
URL: https://github.com/freeipa/freeipa/pull/436 Title: #436: x509: allow leading text in PEM files tiran commented: """ Yes, please keep the test. It should pass with the current regular expression, too. """ See the full comment at https://github.com/freeipa/freeipa/pull/436#issuecomment-277665259
[Freeipa-devel] [freeipa PR#436][synchronized] x509: allow leading text in PEM files
URL: https://github.com/freeipa/freeipa/pull/436 Author: HonzaCholasta Title: #436: x509: allow leading text in PEM files Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/436/head:pr436 git checkout pr436 From 44717163aa56f7e920650831d83d69a1c3ee952c Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 6 Feb 2017 13:16:11 +0100 Subject: [PATCH] tests: add test for PEM certificate files with leading text --- ipatests/test_ipalib/test_x509.py | 11 +++ 1 file changed, 11 insertions(+) diff --git a/ipatests/test_ipalib/test_x509.py b/ipatests/test_ipalib/test_x509.py index 750e086..a3e6cda 100644 --- a/ipatests/test_ipalib/test_x509.py +++ b/ipatests/test_ipalib/test_x509.py @@ -69,6 +69,17 @@ def test_1_load_base64_cert(self): x509.load_certificate((newcert,)) x509.load_certificate([newcert]) +# Load a good cert with headers and leading text +newcert = ( +'leading text\n-BEGIN CERTIFICATE-' + +goodcert + +'-END CERTIFICATE-') +x509.load_certificate(newcert) + +# Should handle list/tuple +x509.load_certificate((newcert,)) +x509.load_certificate([newcert]) + # Load a good cert with bad headers newcert = '-BEGIN CERTIFICATE-' + goodcert with pytest.raises((TypeError, ValueError)): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
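Review bot: the new case puts the leading text on its own line (`'leading text\n-BEGIN CERTIFICATE-'`), which, as the reproduction in this thread shows, the anchored regexp already accepts under re.MULTILINE, so this test passes with both the old and the new pattern and does not pin down the reported regression. Add an input that actually discriminates between the two patterns (text on the same line as the BEGIN marker, or a BEGIN marker quoted inside a leading comment line) and make the test state which behaviour is intended for it, otherwise a later change to the regexp can flip the behaviour without any test noticing.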
[Freeipa-devel] [freeipa PR#436][comment] x509: allow leading text in PEM files
URL: https://github.com/freeipa/freeipa/pull/436 Title: #436: x509: allow leading text in PEM files HonzaCholasta commented: """ Oops, didn't realize that `^` matches beginning of each line in multiline mode. I think we can keep the test, though. """ See the full comment at https://github.com/freeipa/freeipa/pull/436#issuecomment-277663630
[Freeipa-devel] [freeipa PR#436][comment] x509: allow leading text in PEM files
URL: https://github.com/freeipa/freeipa/pull/436 Title: #436: x509: allow leading text in PEM files tiran commented: """ NACK The ^ is correct because the regular expression must search for a line that starts with `-----BEGIN CERTIFICATE-----`. I cannot reproduce the issue locally. The regexp matches a cert with leading text:

```
>>> import re
>>> regexp = u"^-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
>>> pem = u"leading line\n-----BEGIN CERTIFICATE-----\nabcd\n-----END CERTIFICATE-----\ntrailing text"
>>> re.search(regexp, pem, re.MULTILINE | re.DOTALL)
<_sre.SRE_Match object at 0x7f667778d0a8>
>>> re.search(regexp, pem, re.MULTILINE | re.DOTALL).group(1)
u'\nabcd\n'
```

""" See the full comment at https://github.com/freeipa/freeipa/pull/436#issuecomment-277661149
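The difference the thread is circling around (the `^` anchor versus no anchor, with `re.MULTILINE | re.DOTALL`) is easiest to see on a few concrete inputs. The following is an added example, not FreeIPA code: `strip_header` here is a stand-alone reimplementation with the same shape as the function discussed above, the five-dash markers are the standard PEM armour (the archive collapsed the dashes), and the PEM inputs and the placeholder body are constructed for the example.

```python
"""Added example (not FreeIPA code): how anchoring the PEM header regexp
changes what strip_header() accepts and what it captures."""
import re

# Five-dash PEM armour as in RFC 7468 (the list archive collapsed the dashes).
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Anchored form: the BEGIN marker must start a line. Under re.MULTILINE, "^"
# also matches right after every newline, so leading *lines* already pass.
ANCHORED = re.compile(
    r"^" + re.escape(BEGIN) + r"(.*?)" + re.escape(END),
    re.MULTILINE | re.DOTALL)
# Unanchored form: the BEGIN marker may sit anywhere, including mid-line.
UNANCHORED = re.compile(
    re.escape(BEGIN) + r"(.*?)" + re.escape(END),
    re.DOTALL)


def strip_header(pem, anchored=True):
    """Return the stripped text between the markers, or None on no match.

    Reimplementation for this example; it is not ipalib.x509.strip_header.
    """
    rx = ANCHORED if anchored else UNANCHORED
    match = rx.search(pem)
    return match.group(1).strip() if match else None


# Constructed inputs. BODY stands in for base64 DER; it is not a certificate.
BODY = "MIIBplaceholder"
CASES = {
    # bare block
    "plain": BEGIN + "\n" + BODY + "\n" + END,
    # leading text on its own line (the case from the thread)
    "leading_line": "subject=CN=example\n" + BEGIN + "\n" + BODY + "\n" + END,
    # trailing text after the END marker
    "trailing_line": BEGIN + "\n" + BODY + "\n" + END + "\nnotAfter=2018",
    # leading text on the same line as the BEGIN marker
    "same_line_prefix": "cert: " + BEGIN + "\n" + BODY + "\n" + END,
    # a BEGIN marker quoted inside a comment line before the real block
    "marker_in_comment": ("note: " + BEGIN + " starts the block\n"
                          + BEGIN + "\n" + BODY + "\n" + END),
}


def compare(name):
    """Return (anchored_result, unanchored_result) for one constructed case."""
    pem = CASES[name]
    return strip_header(pem, anchored=True), strip_header(pem, anchored=False)


if __name__ == "__main__":
    for name in CASES:
        anchored, unanchored = compare(name)
        print("%-18s anchored=%r unanchored=%r" % (name, anchored, unanchored))
```

Both patterns agree on the plain, leading-line and trailing-line inputs, which is why the test in the PR cannot tell them apart. They disagree on the last two cases: the anchored pattern rejects a marker preceded by text on the same line, and on the input with a marker quoted in a comment it returns the real body, whereas the unanchored pattern starts at the quoted marker and hands back the comment text plus a second BEGIN marker as the "certificate". That is the practical argument for keeping the anchor: a lenient match does not fail loudly, it silently feeds the wrong bytes to the base64/DER decoder.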
[Freeipa-devel] [freeipa PR#436][opened] x509: allow leading text in PEM files
URL: https://github.com/freeipa/freeipa/pull/436 Author: HonzaCholasta Title: #436: x509: allow leading text in PEM files Action: opened PR body: """ This fixes a regression introduced in commit b8d6524d43dd0667184aebc79fb77a9b8a46939a. https://fedorahosted.org/freeipa/ticket/4985 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/436/head:pr436 git checkout pr436 From 7d1e12f773f6b184149936114789ab0d28fe8f09 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 6 Feb 2017 12:45:31 +0100 Subject: [PATCH] x509: allow leading text in PEM files This fixes a regression introduced in commit b8d6524d43dd0667184aebc79fb77a9b8a46939a. https://fedorahosted.org/freeipa/ticket/4985 --- ipalib/x509.py| 2 +- ipatests/test_ipalib/test_x509.py | 11 +++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/ipalib/x509.py b/ipalib/x509.py index 87d46ae..33f2bdc 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -86,7 +86,7 @@ def strip_header(pem): Remove the header and footer from a certificate. """ regexp = ( -u"^-BEGIN CERTIFICATE-(.*?)-END CERTIFICATE-" +u"-BEGIN CERTIFICATE-(.*?)-END CERTIFICATE-" ) if isinstance(pem, bytes): regexp = regexp.encode('ascii') diff --git a/ipatests/test_ipalib/test_x509.py b/ipatests/test_ipalib/test_x509.py index 750e086..a3e6cda 100644 --- a/ipatests/test_ipalib/test_x509.py +++ b/ipatests/test_ipalib/test_x509.py 
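Review bot: dropping the `^` from the `strip_header` regexp is not what makes leading lines work: with re.MULTILINE the anchored pattern already matches a BEGIN marker at the start of any line (see the interactive reproduction in this thread), while the unanchored form additionally matches a marker that appears mid-line, for example quoted inside a comment preceding the real block, and then captures everything up to the first END marker as the certificate body. If the regression involves text on the same line as the marker, say so in the commit message and cover exactly that input in the test; otherwise keep the anchor.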
@@ -69,6 +69,17 @@ def test_1_load_base64_cert(self): x509.load_certificate((newcert,)) x509.load_certificate([newcert]) +# Load a good cert with headers and leading text +newcert = ( +'leading text\n-BEGIN CERTIFICATE-' + +goodcert + +'-END CERTIFICATE-') +x509.load_certificate(newcert) + +# Should handle list/tuple +x509.load_certificate((newcert,)) +x509.load_certificate([newcert]) + # Load a good cert with bad headers newcert = '-BEGIN CERTIFICATE-' + goodcert with pytest.raises((TypeError, ValueError)): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#435][opened] py3: cert.py: create principal object from string
URL: https://github.com/freeipa/freeipa/pull/435 Author: MartinBasti Title: #435: py3: cert.py: create principal object from string Action: opened PR body: """ Principal object must be created from string not from bytes https://fedorahosted.org/freeipa/ticket/4985 https://fedorahosted.org/freeipa/ticket/6640 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/435/head:pr435 git checkout pr435 From 75b8399e8075be666e074a7161f1c10079ff4c08 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 6 Feb 2017 12:14:38 +0100 Subject: [PATCH] py3: cert.py: create principal object from string Principal object must be created from string not from bytes https://fedorahosted.org/freeipa/ticket/4985 https://fedorahosted.org/freeipa/ticket/6640 --- ipaserver/plugins/cert.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 5bf4cfb..fb35c2d 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -772,7 +772,7 @@ def execute(self, csr, all=False, raw=False, **kw): principal_obj['krbprincipalname'] = [ kerberos.Principal((u'krbtgt', realm), realm)] if not _principal_name_matches_principal( -gn.name, principal_obj): +gn.name.decode('utf-8'), principal_obj): raise errors.ValidationError( name='csr', error=_( -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
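Review bot: `gn.name.decode('utf-8')` is applied unconditionally, so the fix is only correct while `gn.name` is guaranteed to be `bytes`; if the general-name parser yields text for some name types on Python 3 (or starts doing so after a library update), this raises AttributeError in the middle of CSR validation rather than a ValidationError. Guard it, e.g. `name = gn.name.decode('utf-8') if isinstance(gn.name, bytes) else gn.name`, and consider decoding once where the GeneralName is parsed instead of at this call site, so every consumer sees a text principal name.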
[Freeipa-devel] [freeipa PR#407][synchronized] New lite-server implementation
URL: https://github.com/freeipa/freeipa/pull/407 Author: tiran Title: #407: New lite-server implementation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/407/head:pr407 git checkout pr407 From 9bce64a82038442f6d66b7974331740ed61c2570 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Sat, 21 Jan 2017 19:34:12 +0100 Subject: [PATCH] New lite-server implementation The new development server depends on werkzeug instead of paste. The werkzeug WSGI server comes with some additional features, most noticeable multi-processing server. The IPA framework is not compatible with threaded servers. Werkzeug can serve static files easily and has a fast auto-reloader. The new lite-server implementation depends on PR 314 (privilege separation). For Python 3 support, it additionally depends on PR 393. Signed-off-by: Christian Heimes --- BUILD.txt | 2 +- Makefile.am| 7 +- contrib/Makefile.am| 3 +- contrib/lite-server.py | 212 + lite-server.py | 158 5 files changed, 220 insertions(+), 162 deletions(-) create mode 100755 contrib/lite-server.py delete mode 100755 lite-server.py diff --git a/BUILD.txt b/BUILD.txt index 620adc3..10b1943 100644 --- a/BUILD.txt +++ b/BUILD.txt @@ -41,7 +41,7 @@ install the rpms and then configure IPA using ipa-server-install. Get a TGT for the admin user with: kinit admin Next you'll need 2 sessions in the source tree. In the first session run -python lite-server.py. In the second session copy /etc/ipa/default.conf into +```make lite-server```. In the second session copy /etc/ipa/default.conf into ~/.ipa/default.conf and replace xmlrpc_uri with http://127.0.0.1:/ipa/xml. Finally run the ./ipa tool and it will make requests to the lite-server listening on 127.0.0.1:. diff --git a/Makefile.am b/Makefile.am index 9bfc899..9135cd5 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -6,7 +6,6 @@ SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipa MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ ipasetup.pyc ipasetup.pyo \ - lite-server.pyc lite-server.pyo \ pylint_plugins.pyc pylint_plugins.pyo # user-facing scripts @@ -14,7 +13,6 @@ dist_bin_SCRIPTS = ipa # files required for build but not installed dist_noinst_SCRIPTS = ignore_import_errors.py \ - lite-server.py \ makeapi \ makeaci \ make-doc \ @@ -119,6 +117,11 @@ _srpms-body: _rpms-prep cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/ rm -f rm -f $(top_builddir)/.version +.PHONY: lite-server +lite-server: $(top_builddir)/ipapython/version.py + +$(MAKE) -C $(top_builddir)/install/ui + PYTHONPATH=$(top_srcdir) $(PYTHON) -bb contrib/lite-server.py + .PHONY: lint if WITH_POLINT POLINT_TARGET = polint diff --git a/contrib/Makefile.am b/contrib/Makefile.am index 108a808..b28f2e7 100644 --- a/contrib/Makefile.am +++ b/contrib/Makefile.am @@ -1,4 +1,5 @@ SUBDIRS = completion EXTRA_DIST = \ - nssciphersuite + nssciphersuite \ + lite-server.py diff --git a/contrib/lite-server.py b/contrib/lite-server.py new file mode 100755 index 000..24e8097 --- /dev/null +++ b/contrib/lite-server.py 
@@ -0,0 +1,212 @@ +#!/usr/bin/env python +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# +"""In-tree development server + +The dev server requires a Kerberos TGT and a file based credential cache: + +$ mkdir -p ~/.ipa +$ export KRB5CCNAME=~/.ipa/ccache +$ kinit admin +$ make liteserver + +Optionally you can set KRB5_CONFIG to use a custom Kerberos configuration +instead of /etc/krb5.conf. + +By default the dev server supports HTTP only. To switch to HTTPS, you can put +a PEM file at ~/.ipa/lite.pem. The PEM file must contain a server certificate, +its unencrypted private key and intermediate chain certs (if applicable). + +Prerequisite + + +Additionally to build and runtime requirements of FreeIPA, the dev server +depends on the werkzeug framework and optionally watchdog for auto-reloading. +You may also have to enable a development COPR. + +$ sudo dnf install -y dnf-plugins-core +$ sudo dnf builddep --spec freeipa.spec.in +$ sudo dnf install -y python-werkzeug python2-watchdog \ +python3-werkzeug python3-watchdog +$ ./autogen.sh + +For more information see + + * http://www.freeipa.org/page/Build + * http://www.freeipa.org/page/Testing + +""" +import os +import optparse # pylint: disable=deprecated-module +import ssl +import warnings + +import ipalib +from ipalib import api +from ipalib.krb_utils import krb5_parse_ccache +from ipalib.krb_utils import krb5_unparse_ccache + +# pylint: disable=import-error +from werkzeug.exceptions import NotFound +from werkzeu
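Review bot: the module docstring tells the developer to run `$ make liteserver`, but the target added to Makefile.am in this patch, and the command now quoted in BUILD.txt, is `lite-server`; fix the docstring so the documented command actually exists.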
[Freeipa-devel] [freeipa PR#407][synchronized] New lite-server implementation
URL: https://github.com/freeipa/freeipa/pull/407 Author: tiran Title: #407: New lite-server implementation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/407/head:pr407 git checkout pr407 From afca7ec0e6d55bdd5541be315815afde2292d4ab Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Sat, 21 Jan 2017 19:34:12 +0100 Subject: [PATCH] New lite-server implementation The new development server depends on werkzeug instead of paste. The werkzeug WSGI server comes with some additional features, most noticeable multi-processing server. The IPA framework is not compatible with threaded servers. Werkzeug can serve static files easily and has a fast auto-reloader. The new lite-server implementation depends on PR 314 (privilege separation). For Python 3 support, it additionally depends on PR 393. Signed-off-by: Christian Heimes --- BUILD.txt | 2 +- Makefile.am| 7 +- contrib/lite-server.py | 212 + lite-server.py | 158 4 files changed, 218 insertions(+), 161 deletions(-) create mode 100755 contrib/lite-server.py delete mode 100755 lite-server.py diff --git a/BUILD.txt b/BUILD.txt index 620adc3..10b1943 100644 --- a/BUILD.txt +++ b/BUILD.txt @@ -41,7 +41,7 @@ install the rpms and then configure IPA using ipa-server-install. Get a TGT for the admin user with: kinit admin Next you'll need 2 sessions in the source tree. In the first session run -python lite-server.py. In the second session copy /etc/ipa/default.conf into +```make lite-server```. In the second session copy /etc/ipa/default.conf into ~/.ipa/default.conf and replace xmlrpc_uri with http://127.0.0.1:/ipa/xml. Finally run the ./ipa tool and it will make requests to the lite-server listening on 127.0.0.1:. diff --git a/Makefile.am b/Makefile.am index 9bfc899..9135cd5 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -6,7 +6,6 @@ SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipa MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ ipasetup.pyc ipasetup.pyo \ - lite-server.pyc lite-server.pyo \ pylint_plugins.pyc pylint_plugins.pyo # user-facing scripts @@ -14,7 +13,6 @@ dist_bin_SCRIPTS = ipa # files required for build but not installed dist_noinst_SCRIPTS = ignore_import_errors.py \ - lite-server.py \ makeapi \ makeaci \ make-doc \ @@ -119,6 +117,11 @@ _srpms-body: _rpms-prep cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/ rm -f rm -f $(top_builddir)/.version +.PHONY: lite-server +lite-server: $(top_builddir)/ipapython/version.py + +$(MAKE) -C $(top_builddir)/install/ui + PYTHONPATH=$(top_srcdir) $(PYTHON) -bb contrib/lite-server.py + .PHONY: lint if WITH_POLINT POLINT_TARGET = polint diff --git a/contrib/lite-server.py b/contrib/lite-server.py new file mode 100755 index 000..24e8097 --- /dev/null +++ b/contrib/lite-server.py 
@@ -0,0 +1,212 @@ +#!/usr/bin/env python +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# +"""In-tree development server + +The dev server requires a Kerberos TGT and a file based credential cache: + +$ mkdir -p ~/.ipa +$ export KRB5CCNAME=~/.ipa/ccache +$ kinit admin +$ make liteserver + +Optionally you can set KRB5_CONFIG to use a custom Kerberos configuration +instead of /etc/krb5.conf. + +By default the dev server supports HTTP only. To switch to HTTPS, you can put +a PEM file at ~/.ipa/lite.pem. The PEM file must contain a server certificate, +its unencrypted private key and intermediate chain certs (if applicable). + +Prerequisite + + +Additionally to build and runtime requirements of FreeIPA, the dev server +depends on the werkzeug framework and optionally watchdog for auto-reloading. +You may also have to enable a development COPR. + +$ sudo dnf install -y dnf-plugins-core +$ sudo dnf builddep --spec freeipa.spec.in +$ sudo dnf install -y python-werkzeug python2-watchdog \ +python3-werkzeug python3-watchdog +$ ./autogen.sh + +For more information see + + * http://www.freeipa.org/page/Build + * http://www.freeipa.org/page/Testing + +""" +import os +import optparse # pylint: disable=deprecated-module +import ssl +import warnings + +import ipalib +from ipalib import api +from ipalib.krb_utils import krb5_parse_ccache +from ipalib.krb_utils import krb5_unparse_ccache + +# pylint: disable=import-error +from werkzeug.exceptions import NotFound +from werkzeug.serving import run_simple +from werkzeug.utils import redirect, append_slash_redirect +from werkzeug.wsgi import DispatcherMiddleware, SharedDataMiddleware +# pylint: enable=import-error + + +BASEDIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) +IMPORTDIR = os
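Review bot: the docstring states that `~/.ipa/lite.pem` holds the server certificate together with its unencrypted private key, next to a real admin credential cache in `~/.ipa/ccache`, and nothing visible in the patch checks how that file is protected. The docstring should tell the developer to create it with mode 0600, and the HTTPS setup path could check the file mode and refuse a group- or world-readable key file, which is cheap and catches the common `cat > ~/.ipa/lite.pem` mistake.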
Re: [Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication
On Mon, Feb 06, 2017 at 10:37:34AM +0200, Alexander Bokovoy wrote: > On Mon, 06 Feb 2017, Jan Cholasta wrote: > > On 11.1.2017 02:09, Fraser Tweedale wrote: > > > On Tue, Jan 10, 2017 at 10:48:08AM +0100, Martin Babinsky wrote: > > > > Hi Fraser, > > > > > > > > I have some rather inane comments. I guess Jan Cholasta will do a more > > > > thorough review of your design. See below: > > > > > > > > On 01/06/2017 09:08 AM, Fraser Tweedale wrote: > > > > > Hi comrades, > > > > > > > > > > I have written up the high-level details of the FreeIPA->Dogtag > > > > > GSS-API authentication design. The goal is to improve security by > > > > > removing an egregious privilege separation violation: the RA Agent > > > > > cert. > > > > > > > > > > There is a fair bit of work still to do on the Dogtag side but > > > > > things are shaping up there and it's time to work out the IPA > > > > > aspects. The design is at: > > > > > > > > > > http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication > > > > > > > > First of all, you link an internal document from a publicly available > > > > design > > > > page. You should prepare a publicly visible version of the Dogtag-side > > > > design and link that. > > > > > > > Will do; thanks. > > > > > > > It would also be nice to have a high-level graphical representation of > > > > the > > > > proposed CSR processing workflow. I think you can re-use the one that > > > > is in > > > > the Dogtag part, omit the Dogtag internals and add IPA-specific parts. > > > > > > > I will definitely do this a bit later, once more details of IPA > > > design are established. > > > > > > > > > > > > > Right now, I need feedback about the Domain Level aspects: whether > > > > > it is the right approach, whether there are mechanisms to perform > > > > > update steps (specifically: LDAP updates and/or api calls) alongside > > > > > a DL bump, or if there aren't, how to deal with that (implement such > > > > > a mechanism, make admins do extra steps, ???).
> > > > > > > > > > > > > > Is the DL bump really necessary? Are you sure we really cannot just > > > > update > > > > the profile configuration and let older Dogtag installations handle it > > > > gracefully? IIRC we have done some profile inclusion work in 4.2 > > > > development > > > > and on and never really bothered about older Dogtag understanding them. > > > > > > > The problem is that the new profiles will refer to plugins (i.e. > > > classes) that do not exist in older versions of Dogtag. Profile > > > config is replicated, so if we upgrade profile config with old > > > versions of Dogtag in the topology, it breaks them. > > > > > > I considered a mechanism where multiple versions of a profile exist > > > in LDAP (i.e. multiple attribute values), and Dogtag picks the one > > > that's "right" for it. (An example of how to do this might be > > > attribute tagging where tag indicates minimum version of Dogtag > > > containing components used in that profile version, and Dogtag picks > > > the highest that it supports). The advantage of such a mechanism is > > > that we could use it for any future scenario where we introduce new > > > profile components that we want to use in IPA. The downside is that > > > it significantly complicates profile management (including for > > > administrators), and can result in the same profile having different > > > behaviour on different Dogtag instances, which could be confusing > > > and make it harder to diagnose issues. Given the tradeoffs, I think > > > a DL bump is preferable. > > > > I don't like the prospect of having to bump DL every time a new > > component is introduced. This time it might be OK, because the new DL is > > apparently required for the RA -> GSSAPI change, but IMHO in general a > > change in a certificate profile does not warrant a DL bump.
> > > > I agree that maintaining multiple versions of a profile is not the way > > to go, but I think there are other options: > > > > * Change `auth.instance_id` from `raCertAuth` to a new, IPA-specific > > `ipaAuth`. Configure `auths.instance.ipaAuth` in CS.cfg to behave > > exactly the same as `raCertAuth`. This will have to be done on all > > masters, including old ones, which can receive the change in a bug fix > > update (4.4.x). Then, on upgrade to new IPA with GSSAPI enabled Dogtag, > > change `auths.instance.ipaAuth` to use external script for > > authentication. Similar thing could be done for other profile > > components. > > > > * Do not care about old masters. Update the profile and let certificate > > requests on old masters fail. This should be fine, as the situation > > where there are different version masters should be only temporary until > > all masters are upgraded. If an appropriate error is returned from > > cert-request, automated requests via certmonger will be re-attempted and > > will succeed once all masters are upgraded. > I'd prefer an option number one. Using an IPA-specific auth instance > wo
Re: [Freeipa-devel] [DESIGN] IPA permission enforcement in Dogtag
On 17.1.2017 08:57, David Kupka wrote:
> On 13/01/17 08:07, Fraser Tweedale wrote:
>> Related to design:
>> http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
>>
>> Currently there are some operations that hit the CA that involve a
>> number of privileged operations against the CA, but for which there is
>> only one associated IPA permission. Deleting a CA is a good example
>> (but it is one specific case of a more general issue).
>>
>> Summary of current ca-del behaviour:
>>
>> 1. Disable LWCA in Dogtag (uses RA Agent cert)
>> 2. Delete LWCA in Dogtag (uses RA Agent cert)
>> 3. Delete CA entry from IPA (requires "System: Delete CA" permission)
>>
>> So there are two things going on under the hood: a modify operation
>> (disable CA) and the delete. When we implement proxy authentication to
>> Dogtag, Dogtag will enforce the IPA permissions on its operations.
>> Disable will map to "System: Modify CA" and delete to "System: Delete
>> CA". So to delete a CA a user will need *both* permissions. Which
>> could be surprising.
>>
>> There are a couple of reasonable approaches to this.
>>
>> 1. Decouple the disable and delete operations. If CA is not disabled,
>> the user will be instructed to execute the ca-disable command
>> separately before they can disable the CA. This introduces an
>> additional manual step for operators.
>>
>> 2. Just improve the error reporting. In my WIP, for a user that has
>> 'System: Delete CA' permission but not 'System: Modify CA', the
>> reported failure is a 403 Authorization Error from Dogtag. We can add
>> guards to fail more gracefully.
>>
>> I lean towards #2 because I guess the common case will be that users
>> either get all CA admin permissions, or none, and we don't want to make
>> more work (in the form of more commands to run) for users in the common
>> case.
>>
>> I welcome alternative views and suggestions.
>>
>> Thanks,
>> Fraser
>
> Hi Fraser,
> as a user with "System: Delete CA" permission calling the "ca-del"
> command I would be really surprised that I don't have enough privileges
> to complete the action.
>
> I would expect:
> a) "Cannot delete active CA, disable it first" error.
> b) Delete will be completed successfully. All internal and to my sight
> hidden operations will be allowed just because I'm allowed to perform
> the delete operation.
>
> I think that b) might lead to strange exceptions in authorization
> checking and therefore to security issues. So I would prefer decoupling
> ca-disable and ca-del as you're describing in 1).

IMO having to disable the CA before deletion is an implementation detail
and should not be exposed to the user at all. Why do we have to disable
the CA from IPA in ca-del? I would expect Dogtag to disable it itself
internally when it's being deleted.

--
Jan Cholasta
[Freeipa-devel] [freeipa PR#432][+ack] build: Add missing dependency on libxmlrpc{, _util}
URL: https://github.com/freeipa/freeipa/pull/432
Title: #432: build: Add missing dependency on libxmlrpc{,_util}
Label: +ack
[Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Author: tiran Title: #364: Client-only builds with --disable-server Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/364/head:pr364 git checkout pr364 From 69533417178c583c927d2e141c7359a5ca19362d Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 3 Jan 2017 14:32:05 +0100 Subject: [PATCH] Client-only builds with --disable-server https://fedorahosted.org/freeipa/ticket/6517 --- Makefile.am | 6 +- configure.ac | 253 +-- server.m4| 119 3 files changed, 212 insertions(+), 166 deletions(-) create mode 100644 server.m4 diff --git a/Makefile.am b/Makefile.am index 9bfc899..24d31c8 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,7 +1,11 @@ ACLOCAL_AMFLAGS = -I m4 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython -SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po +SUBDIRS = asn1 util client contrib $(IPACLIENT_SUBDIRS) ipaplatform ipatests po + +if ENABLE_SERVER +SUBDIRS += daemons init install ipaserver +endif MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ diff --git a/configure.ac b/configure.ac index ff5f7b6..56cae6a 100644 --- a/configure.ac +++ b/configure.ac @@ -24,6 +24,17 @@ LT_INIT AC_HEADER_STDC +PKG_PROG_PKG_CONFIG + +AC_ARG_ENABLE([server], +[ --disable-serverDisable server support], +[case "${enableval}" in + yes) enable_server=true ;; + no) enable_server=false ;; + *) AC_MSG_ERROR([bad value ${enableval} for --disable-server]) ;; +esac],[enable_server=true]) +AM_CONDITIONAL([ENABLE_SERVER], [test x$enable_server = xtrue]) + AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes]) dnl --- 
@@ -33,37 +44,10 @@ PKG_CHECK_MODULES([NSPR], [nspr]) PKG_CHECK_MODULES([NSS], [nss]) dnl --- -dnl - Check for DS slapi plugin -dnl --- - -# Need to hack CPPFLAGS to be able to correctly detetct slapi-plugin.h -SAVE_CPPFLAGS=$CPPFLAGS -CPPFLAGS=$NSPR_CFLAGS -AC_CHECK_HEADER(dirsrv/slapi-plugin.h) -if test "x$ac_cv_header_dirsrv_slapi-plugin_h" = "xno" ; then - AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)]) -fi -AC_CHECK_HEADER(dirsrv/repl-session-plugin.h) -if test "x$ac_cv_header_dirsrv_repl_session_plugin_h" = "xno" ; then - AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)]) -fi -CPPFLAGS=$SAVE_CPPFLAGS - -if test "x$ac_cv_header_dirsrv_slapi_plugin_h" = "xno" ; then - AC_MSG_ERROR([Required DS slapi plugin header not available (fedora-ds-base-devel)]) -fi - -dnl --- dnl - Check for KRB5 dnl --- PKG_CHECK_MODULES([KRB5], [krb5]) -AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])]) -AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])]) -KRAD_LIBS="-lkrad" -krb5rundir="${localstatedir}/run/krb5kdc" -AC_SUBST(KRAD_LIBS) -AC_SUBST(krb5rundir) dnl --- dnl - Check for OpenLDAP SDK 
@@ -101,69 +85,6 @@ if test "x$PYTHON" = "x" ; then fi dnl --- -dnl Check for ndr_krb5pac and other samba libraries -dnl --- - -PKG_PROG_PKG_CONFIG() -PKG_CHECK_MODULES([TALLOC], [talloc]) -PKG_CHECK_MODULES([TEVENT], [tevent]) -PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac]) -PKG_CHECK_MODULES([NDRNBT], [ndr_nbt]) -PKG_CHECK_MODULES([NDR], [ndr]) -PKG_CHECK_MODULES([SAMBAUTIL], [samba-util]) -SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba" -AC_SUBST(SAMBA40EXTRA_LIBPATH) - -bck_cflags="$CFLAGS" -CFLAGS="$NDRPAC_CFLAGS" -AC_CHECK_MEMBER( -[struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid], -[AC_DEFINE([HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP], [1], - [struct PAC_DOMAIN_GROUP_MEMBERSHIP is available.])], -[AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])], - [[#include - #include ]]) - -CFLAGS="$bck_cflags" - -LIBPDB_NAME="" -AC_CHECK_LIB([samba-passdb], - [make_pdb_method], - [LIBPDB_NAME="samba-passdb"; HAVE_LIBPDB=1], - [LIBPDB_NAME="pdb"], - [$SAMBA40EXTRA_LIBPATH]) - -if test "x$LIB_PDB_NAME" = "xpdb" ; then - AC_CHECK_LIB([$LIBPDB_NAME], - [make_pdb_method], - [H
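Review bot: in the first configure.ac hunk the help text of `AC_ARG_ENABLE([server], ...)` is hand-formatted (`[ --disable-server    Disable server support]`); use `AS_HELP_STRING([--disable-server], [Disable server support])` so the column layout of `./configure --help` is generated rather than typed, and have the `*)` branch report `--enable-server` too, since the same case statement rejects `--enable-server=foo` and the current message blames `--disable-server` for a value given to the other spelling.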
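Review bot: the second configure.ac hunk removes the 389-ds header checks, and the removed lines carry a defect that should not be copied into server.m4 as-is: the first test reads `$ac_cv_header_dirsrv_slapi-plugin_h`, with a hyphen, while autoconf names the cache variable for `dirsrv/slapi-plugin.h` `ac_cv_header_dirsrv_slapi_plugin_h`, so that branch could never fail and the check only worked through the later `ac_cv_header_dirsrv_slapi_plugin_h` test. The relocated version should keep a single, correctly spelled check. The same hunk also drops the `KRAD_LIBS` and `krb5rundir` substitutions; since server.m4 is created by this patch but its content is not in the hunks shown, please confirm both are still `AC_SUBST`ed under the server condition, otherwise the server subdirectories that consume them build with empty values.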
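Review bot: the third configure.ac hunk moves the samba checks, and the removed block has a variable-name mismatch worth fixing while relocating it: `LIBPDB_NAME` is assigned (`LIBPDB_NAME="samba-passdb"` / `LIBPDB_NAME="pdb"`), but the fallback is guarded by `if test "x$LIB_PDB_NAME" = "xpdb"`, so the second `AC_CHECK_LIB([$LIBPDB_NAME], [make_pdb_method], ...)` never runs and the `pdb` fallback is dead code. Spell it `$LIBPDB_NAME` in server.m4.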
Re: [Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication
On Mon, 06 Feb 2017, Jan Cholasta wrote:
> On 11.1.2017 02:09, Fraser Tweedale wrote:
>> On Tue, Jan 10, 2017 at 10:48:08AM +0100, Martin Babinsky wrote:
>>> Hi Fraser,
>>>
>>> I have some rather inane comments. I guess Jan Cholasta will do a
>>> more thorough review of your design. See below:
>>>
>>> On 01/06/2017 09:08 AM, Fraser Tweedale wrote:
>>>> Hi comrades,
>>>>
>>>> I have written up the high-level details of the FreeIPA->Dogtag
>>>> GSS-API authentication design. The goal is to improve security by
>>>> removing an egregious privilege separation violation: the RA Agent
>>>> cert. There is a fair bit of work still to do on the Dogtag side
>>>> but things are shaping up there and it's time to work out the IPA
>>>> aspects.
>>>>
>>>> The design is at:
>>>> http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
>>>>
>>> first of all, you link an internal document from a publicly available
>>> design page. you should prepare a publicly visible version of the
>>> Dogtag-side design and link that.
>>>
>> Will do; thanks.
>>
>>> It would also be nice to have a high-level graphical representation
>>> of the proposed CSR processing workflow. I think you can re-use the
>>> one that is in the Dogtag part, omit the Dogtag internals and add
>>> IPA-specific parts.
>>>
>> I will definitely do this a bit later, once more details of IPA
>> design are established. Right now, I need feedback about the Domain
>> Level aspects: whether it is the right approach, whether there are
>> mechanisms to perform update steps (specifically: LDAP updates
>> and/or api calls) alongside a DL bump, or if there aren't, how to
>> deal with that (implement such a mechanism, make admins do extra
>> steps, ???).
>>
>>> Is the DL bump really necessary? Are you sure we really can not just
>>> update the profile configuration and let older Dogtag installation
>>> handle it gracefully? IIRC we have done some profile inclusion work
>>> in 4.2 development and on and never really bothered about older
>>> Dogtag understanding them.
>>>
>> The problem is that the new profiles will refer to plugins (i.e.
>> classes) that do not exist in older versions of Dogtag. Profile
>> config is replicated, so if we upgrade profile config with old
>> versions of Dogtag in the topology, it breaks them.
>>
>> I considered a mechanism where multiple versions of a profile exist
>> in LDAP (i.e. multiple attribute values), and Dogtag picks the one
>> that's "right" for it. (An example of how to do this might be
>> attribute tagging where the tag indicates the minimum version of
>> Dogtag containing components used in that profile version, and Dogtag
>> picks the highest that it supports). The advantage of such a
>> mechanism is that we could use it for any future scenario where we
>> introduce new profile components that we want to use in IPA. The
>> downside is that it significantly complicates profile management
>> (including for administrators), and can result in the same profile
>> having different behaviour on different Dogtag instances, which could
>> be confusing and make it harder to diagnose issues. Given the
>> tradeoffs, I think a DL bump is preferable.
>
> I don't like the prospect of having to bump DL every time a new
> component is introduced. This time it might be OK, because the new DL
> is apparently required for the RA -> GSSAPI change, but IMHO in general
> a change in a certificate profile does not warrant a DL bump.
>
> I agree that maintaining multiple versions of a profile is not the way
> to go, but I think there are other options:
>
> * Change `auth.instance_id` from `raCertAuth` to a new, IPA-specific
> `ipaAuth`. Configure `auths.instance.ipaAuth` in CS.cfg to behave
> exactly the same as `raCertAuth`. This will have to be done on all
> masters, including old ones, which can receive the change in a bug fix
> update (4.4.x). Then, on upgrade to new IPA with GSSAPI enabled Dogtag,
> change `auths.instance.ipaAuth` to use an external script for
> authentication. A similar thing could be done for other profile
> components.
>
> * Do not care about old masters. Update the profile and let certificate
> requests on old masters fail. This should be fine, as the situation
> where there are different version masters should be only temporary
> until all masters are upgraded. If an appropriate error is returned
> from cert-request, automated requests via certmonger will be
> re-attempted and will succeed once all masters are upgraded.

I'd prefer option number one. Using an IPA-specific auth instance would
allow us to be more flexible in manipulating its properties in future
without worrying about breaking older setups.

--
/ Alexander Bokovoy
[Freeipa-devel] [freeipa PR#432][comment] build: Add missing dependency on libxmlrpc{, _util}
URL: https://github.com/freeipa/freeipa/pull/432
Title: #432: build: Add missing dependency on libxmlrpc{,_util}

tiran commented:
"""
ACK

ipa-join uses functions from ```libxmlrpc.so``` (e.g. ```xmlrpc_string_new```) and from ```libxmlrpc_util.so``` (e.g. ```xmlrpc_env_init```). In the past it was no problem because ```libxmlrpc_client.so``` depends on both libraries and pulled the functions in. Nowadays indirect linking triggers a DSO error. All libraries must be linked directly.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/432#issuecomment-277613117
Re: [Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication
On 11.1.2017 02:09, Fraser Tweedale wrote:
> On Tue, Jan 10, 2017 at 10:48:08AM +0100, Martin Babinsky wrote:
>> Hi Fraser,
>>
>> I have some rather inane comments. I guess Jan Cholasta will do a
>> more thorough review of your design. See below:
>>
>> On 01/06/2017 09:08 AM, Fraser Tweedale wrote:
>>> Hi comrades,
>>>
>>> I have written up the high-level details of the FreeIPA->Dogtag
>>> GSS-API authentication design. The goal is to improve security by
>>> removing an egregious privilege separation violation: the RA Agent
>>> cert. There is a fair bit of work still to do on the Dogtag side
>>> but things are shaping up there and it's time to work out the IPA
>>> aspects.
>>>
>>> The design is at:
>>> http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
>>>
>> first of all, you link an internal document from a publicly available
>> design page. you should prepare a publicly visible version of the
>> Dogtag-side design and link that.
>>
> Will do; thanks.
>
>> It would also be nice to have a high-level graphical representation
>> of the proposed CSR processing workflow. I think you can re-use the
>> one that is in the Dogtag part, omit the Dogtag internals and add
>> IPA-specific parts.
>>
> I will definitely do this a bit later, once more details of IPA
> design are established. Right now, I need feedback about the Domain
> Level aspects: whether it is the right approach, whether there are
> mechanisms to perform update steps (specifically: LDAP updates
> and/or api calls) alongside a DL bump, or if there aren't, how to
> deal with that (implement such a mechanism, make admins do extra
> steps, ???).
>
>> Is the DL bump really necessary? Are you sure we really can not just
>> update the profile configuration and let older Dogtag installation
>> handle it gracefully? IIRC we have done some profile inclusion work
>> in 4.2 development and on and never really bothered about older
>> Dogtag understanding them.
>>
> The problem is that the new profiles will refer to plugins (i.e.
> classes) that do not exist in older versions of Dogtag. Profile
> config is replicated, so if we upgrade profile config with old
> versions of Dogtag in the topology, it breaks them.
>
> I considered a mechanism where multiple versions of a profile exist
> in LDAP (i.e. multiple attribute values), and Dogtag picks the one
> that's "right" for it. (An example of how to do this might be
> attribute tagging where the tag indicates the minimum version of
> Dogtag containing components used in that profile version, and Dogtag
> picks the highest that it supports). The advantage of such a
> mechanism is that we could use it for any future scenario where we
> introduce new profile components that we want to use in IPA. The
> downside is that it significantly complicates profile management
> (including for administrators), and can result in the same profile
> having different behaviour on different Dogtag instances, which could
> be confusing and make it harder to diagnose issues. Given the
> tradeoffs, I think a DL bump is preferable.

I don't like the prospect of having to bump DL every time a new
component is introduced. This time it might be OK, because the new DL
is apparently required for the RA -> GSSAPI change, but IMHO in general
a change in a certificate profile does not warrant a DL bump.

I agree that maintaining multiple versions of a profile is not the way
to go, but I think there are other options:

* Change `auth.instance_id` from `raCertAuth` to a new, IPA-specific
`ipaAuth`. Configure `auths.instance.ipaAuth` in CS.cfg to behave
exactly the same as `raCertAuth`. This will have to be done on all
masters, including old ones, which can receive the change in a bug fix
update (4.4.x). Then, on upgrade to new IPA with GSSAPI enabled Dogtag,
change `auths.instance.ipaAuth` to use an external script for
authentication. A similar thing could be done for other profile
components.

* Do not care about old masters. Update the profile and let certificate
requests on old masters fail. This should be fine, as the situation
where there are different version masters should be only temporary
until all masters are upgraded. If an appropriate error is returned
from cert-request, automated requests via certmonger will be
re-attempted and will succeed once all masters are upgraded.

>> Anyway I guess we can call `certprofile-import' to load the
>> ExternalProcessConstraint-enabled profile upon setting domain level
>> to 2, we just have to know where on the FS it is located.
>>
>>> Of course, any other general or specific feedback is welcome.
>>>
>>> Thanks,
>>> Fraser
>>>
>> So if I understand correctly there will be no change in the CA ACL
>> management interface and only the code which evaluates them will be
>> factored out into the 'ipa-pki-validate-cert-request' command?
>>
>> Also, wouldn't it be simpler if the CA ACL evaluation was delegated to
>> a separate API command instead? ExternalProcessConstraint would then
>> only ask the IPA JSON api and process the response.
>>
> There are no changes to the CA ACL management interface as part of this
> design, but there are proposals to extend/rework it in future, e.g.
> #6424, #6425, #6426