[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server lslebodn commented: """ It works quite good with the following change ``` diff --git a/Makefile.am b/Makefile.am index 311f6121f..13e5a87b0 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,13 +1,13 @@ ACLOCAL_AMFLAGS = -I m4 if ENABLE_SERVER -SERVER_SUBDIRS = daemons init install ipaserver +SERVER_SUBDIRS = daemons init install ipaserver ipatests else SERVER_SUBDIRS = endif IPACLIENT_SUBDIRS = ipaclient ipalib ipapython SUBDIRS = asn1 util client contrib po \ - $(IPACLIENT_SUBDIRS) ipaplatform ipatests $(SERVER_SUBDIRS) + $(IPACLIENT_SUBDIRS) ipaplatform $(SERVER_SUBDIRS) MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279003293 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ So I am not sure what is going on here, after fiddling with the failing tests to print out what was going on, they suddenly started working (and a 3 other started failing). It is not clear to me what is going on, but it may be unclean environment too.. after running testes a few times for example I found out my user KRB5CCNAME environment variable had been changed (this is not ok it's a bug in the tests and will make things unreliable). Anyway after a full rebuild and reinstall I was not able to go back to a state where I could reproduce the issues in caacl tests. I rebased the patchset on latest master and pushed it, let's see what CI says. """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-278981716 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain
URL: https://github.com/freeipa/freeipa/pull/448 Title: #448: Tests: Basic coverage with tree root domain gkaihorodova commented: """ Yes, sure I'll work on these issues """ See the full comment at https://github.com/freeipa/freeipa/pull/448#issuecomment-278975336 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#458][comment] Enable Bytes and deprecation warnings
URL: https://github.com/freeipa/freeipa/pull/458 Title: #458: Enable Bytes and deprecation warnings MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a33b25dea988aa34844869a8adc57d5cd396d3aa https://fedorahosted.org/freeipa/changeset/3d9bec2e879d60e6bb7b2602084d3314765a6283 https://fedorahosted.org/freeipa/changeset/e6129a76e7093b8f9f7717e5f63ed06f9e9ef30a https://fedorahosted.org/freeipa/changeset/4965735382425356ece27e7827e2a91bc2ab2055 https://fedorahosted.org/freeipa/changeset/8d3bea8accb9814b3a973f4a606110fee78baf72 """ See the full comment at https://github.com/freeipa/freeipa/pull/458#issuecomment-278971542 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain
URL: https://github.com/freeipa/freeipa/pull/448 Title: #448: Tests: Basic coverage with tree root domain martbab commented: """ Well you still have some issues to fix, notably the failing Travis CI and the not-so nice multiline-string literal. """ See the full comment at https://github.com/freeipa/freeipa/pull/448#issuecomment-278973164 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#458][closed] Enable Bytes and deprecation warnings
URL: https://github.com/freeipa/freeipa/pull/458 Author: tiran Title: #458: Enable Bytes and deprecation warnings Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/458/head:pr458 git checkout pr458 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#458][+pushed] Enable Bytes and deprecation warnings
URL: https://github.com/freeipa/freeipa/pull/458 Title: #458: Enable Bytes and deprecation warnings Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#458][+ack] Enable Bytes and deprecation warnings
URL: https://github.com/freeipa/freeipa/pull/458 Title: #458: Enable Bytes and deprecation warnings Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain
URL: https://github.com/freeipa/freeipa/pull/448 Title: #448: Tests: Basic coverage with tree root domain gkaihorodova commented: """ Thank you for explanation and tips. I noticed it as well and I agree that it (and not only that) worth refactoring. Yes, my PR is more or less copy-paste, because I was following existing pattern in the code. Also I think PR can be pushed and at the same time feel free to open ticket/request or whatever is more suitable for refactoring task and signed it to me. Please, don t be grieve, it makes me sad """ See the full comment at https://github.com/freeipa/freeipa/pull/448#issuecomment-278961376 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#450][comment] Add FIPS-token password of HTTPD NSS database
URL: https://github.com/freeipa/freeipa/pull/450 Title: #450: Add FIPS-token password of HTTPD NSS database stlaz commented: """ That was my original approach to it but we had offline talk with @HonzaCholasta and got to the point that it might be better to do it this way. From my point of view it's more fool-proof for the people who would install FreeIPA in non-FIPS mode but then thought it'd be cool to turn FIPS on. Anyone reading this in the future - that is **NOT SUPPORTED**. There would probably be more different issues, let this not be one. """ See the full comment at https://github.com/freeipa/freeipa/pull/450#issuecomment-278958767 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server tiran commented: """ In the latest version, ```--disable-server``` does not affect ```make dist```. It only changes the components that are built by ```make``` and installed by ```make install```. ```--disable-server ``` is already documented at http://www.freeipa.org/page/V4/Build_system_refactoring#Configuration . After the PR has landed, I'll update the table. """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-278953837 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server lslebodn commented: """ On (10/02/17 06:11), Petr Vobornik wrote: >I still think that this use case needs to be documented in >http://www.freeipa.org/page/V4/Build_system_refactoring#How_to_Use . > >IMHO `make dist` can fail with --disable-server. Use case for `make dist` is >releasing and there is no point to do release without server bitw. But make >sure to document it and test that `make dist` works without it ;) . > Petr FYI: make dist should include all files into tarball even though configure was invoked with parameter --disable-server. LS """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-278952140 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#450][comment] Add FIPS-token password of HTTPD NSS database
URL: https://github.com/freeipa/freeipa/pull/450 Title: #450: Add FIPS-token password of HTTPD NSS database rcritten commented: """ I guess this is one approach to fix the problem. Would it be cleaner to pass in, or detect, FIPS mode, and only write out the token that will actually be used? """ See the full comment at https://github.com/freeipa/freeipa/pull/450#issuecomment-278951822 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server pvoborni commented: """ I still think that this use case needs to be documented in http://www.freeipa.org/page/V4/Build_system_refactoring#How_to_Use . IMHO `make dist` can fail with --disable-server. Use case for `make dist` is releasing and there is no point to do release without server bitw. But make sure to document it and test that `make dist` works without it ;) . """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-278950622 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#458][comment] Enable Bytes and deprecation warnings
URL: https://github.com/freeipa/freeipa/pull/458 Title: #458: Enable Bytes and deprecation warnings abbra commented: """ Thanks. LGTM. """ See the full comment at https://github.com/freeipa/freeipa/pull/458#issuecomment-278949308 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#458][edited] Enable Bytes and deprecation warnings
URL: https://github.com/freeipa/freeipa/pull/458 Author: tiran Title: #458: Enable Bytes and deprecation warnings Action: edited Changed field: title Original value: """ Bytes deprecation warnings """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#457][comment] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
URL: https://github.com/freeipa/freeipa/pull/457 Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab martbab commented: """ Sorry I just got confused for a bit. Fixed the docstring now refer only to 'samba keytab'. """ See the full comment at https://github.com/freeipa/freeipa/pull/457#issuecomment-278949030 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#457][synchronized] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
URL: https://github.com/freeipa/freeipa/pull/457
Author: martbab
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/457/head:pr457
git checkout pr457
From fc839dbff0c74aaf94f42a3583225e69b81f474c Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Fri, 3 Feb 2017 17:14:20 +0100
Subject: [PATCH 1/2] allow for more flexibility when requesting service keytab
The service installers can now override the methods for cleaning up
stale keytabs and changing file ownership of the newly acquired keytabs.
The default actions should be usable by most installers without specific
overriding.
https://fedorahosted.org/freeipa/ticket/6638
---
ipaserver/install/service.py | 30 ++
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index fbe3f23..3480e96 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -540,6 +540,20 @@ def _add_service_principal(self):
except errors.DuplicateEntry:
pass
+def _clean_previous_keytab(self):
+self.fstore.backup_file(self.keytab)
+try:
+os.unlink(self.keytab)
+except OSError:
+pass
+
+def _set_keytab_owner(self):
+if self.service_user is None:
+raise NotImplementedError("Service user name is not defined")
+
+pent = pwd.getpwnam(self.service_user)
+os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
+
def _run_getkeytab(self):
"""
backup and remove old service keytab (if present) and fetch a new one
@@ -550,12 +564,6 @@ def _run_getkeytab(self):
* self.dm_password is not none, then DM credentials are used to
fetch keytab
"""
-self.fstore.backup_file(self.keytab)
-try:
-os.unlink(self.keytab)
-except OSError:
-pass
-
ldap_uri = self.api.env.ldap_uri
args = [paths.IPA_GETKEYTAB,
'-k', self.keytab,
@@ -574,17 +582,15 @@ def _run_getkeytab(self):
ipautil.run(args, nolog=nolog)
def _request_service_keytab(self):
-if any(attr is None for attr in (self.principal, self.keytab,
- self.service_user)):
+if any(attr is None for attr in (self.principal, self.keytab)):
raise NotImplementedError(
"service must have defined principal "
-"name, keytab, and username")
+"name and keytab")
self._add_service_principal()
+self._clean_previous_keytab()
self._run_getkeytab()
-
-pent = pwd.getpwnam(self.service_user)
-os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
+self._set_keytab_owner()
class SimpleServiceInstance(Service):
From 5322384b23db1438f724d883fe7f36e2734190d4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Fri, 3 Feb 2017 17:16:59 +0100
Subject: [PATCH 2/2] use the methods of the parent class to retrieve CIFS
kerberos keys
adtrustinstance will now use parent's methods to retrieve keys for CIFS
principal. Since the keys are appended to the host keytab
(/etc/krb5.keytab) we need to make sure that only the stale CIFS keys
are purged from the file and that we do not re-set its ownership.
https://fedorahosted.org/freeipa/ticket/6638
---
ipaserver/install/adtrustinstance.py | 30 +++---
1 file changed, 11 insertions(+), 19 deletions(-)
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index c866cdd..8efc951 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -530,27 +530,18 @@ def __setup_group_membership(self):
api.Backend.ldap2, self.smb_dn, "member",
[self.cifs_agent, self.host_princ])
-def __setup_principal(self):
-try:
-api.Command.service_add(unicode(self.principal))
-except errors.DuplicateEntry:
-# CIFS principal already exists, it is not the first time
-# adtrustinstance is managed
-# That's fine, we we'll re-extract the key again.
-pass
-except Exception as e:
-self.print_msg("Cannot add CIFS service: %s" % e)
-
+def _clean_previous_keytab(self):
+"""
+Purge old CIFS keys from samba and clean up samba ccache
+"""
self.clean_samba_keytab()
installutils.remove_ccache(paths.KRB5CC_SAMBA)
-try:
-ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
- "--principal", self.principal,
- "-k", self.keytab])
-except ipautil.CalledProcessError:
-root_logger.critical("Failed
[Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
Title: #437: FIPS: replica install check
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/437/head:pr437
git checkout pr437
From 85cd763e945167db48a675fead0d1bcf29c57440 Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Mon, 6 Feb 2017 13:08:11 +0100
Subject: [PATCH 1/5] Add fips_mode variable to env
Variable fips_mode indicating whether machine is running in
FIPS-enabled mode was added to env.
https://fedorahosted.org/freeipa/ticket/5695
---
ipalib/config.py | 8
1 file changed, 8 insertions(+)
diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..c7caeef 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -44,6 +44,10 @@
from ipalib.constants import CONFIG_SECTION
from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
from ipalib import errors
+try:
+from ipaplatform.tasks import tasks
+except ImportError:
+tasks = None
if six.PY3:
unicode = str
@@ -440,6 +444,10 @@ def _bootstrap(self, **overrides):
self.bin = path.dirname(self.script)
self.home = os.environ.get('HOME', None)
+# Set fips_mode only if ipaplatform module was loaded
+if tasks is not None:
+self.fips_mode = tasks.is_fips_enabled()
+
# Merge in overrides:
self._merge(**overrides)
From 131f4108b101c700d6f98b401e63b03396bd4886 Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Wed, 8 Feb 2017 16:53:44 +0100
Subject: [PATCH 2/5] test_config: fix tests for env.fips_mode
Remove optional key fips_mode from Env object.
https://fedorahosted.org/freeipa/ticket/5695
---
ipatests/test_ipalib/test_config.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipatests/test_ipalib/test_config.py b/ipatests/test_ipalib/test_config.py
index 1df9a39..095f188 100644
--- a/ipatests/test_ipalib/test_config.py
+++ b/ipatests/test_ipalib/test_config.py
@@ -563,7 +563,7 @@ def test_finalize_core(self):
# Test using DEFAULT_CONFIG:
defaults = dict(constants.DEFAULT_CONFIG)
(o, home) = self.finalize_core(None, **defaults)
-assert list(o) == sorted(defaults)
+assert set(o).issuperset(set(defaults))
for (key, value) in defaults.items():
if value is object:
continue
From 5410a14a59cdd2e0340ee6936f2ca641b55392c1 Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Mon, 6 Feb 2017 17:17:49 +0100
Subject: [PATCH 3/5] check_remote_version: update exception and docstring
Refactor function to use ScriptError exception and provide docstring.
---
ipaserver/install/server/replicainstall.py | 9 -
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 7d7a499..ad43aa2 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -509,6 +509,13 @@ def promote_openldap_conf(hostname, master):
def check_remote_version(api):
+"""
+Perform a check to verify remote server's version
+
+:param api: remote API
+
+:raises: ``ScriptError`` if the checks fails
+"""
client = rpc.jsonclient(api)
client.finalize()
@@ -521,7 +528,7 @@ def check_remote_version(api):
remote_version = parse_version(env['version'])
api_version = parse_version(api.env.version)
if remote_version > api_version:
-raise RuntimeError(
+raise ScriptError(
"Cannot install replica of a server of higher version ({}) than"
"the local version ({})".format(remote_version, api_version))
From ecac6ac6cb879e2f5f392a6fa243e40faf5f1117 Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Tue, 7 Feb 2017 10:42:54 +0100
Subject: [PATCH 4/5] replicainstall: add context manager for rpc client
Abstract creating rpc client into a context manager to allow re-use.
---
ipaserver/install/server/replicainstall.py | 33 --
1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index ad43aa2..4a8b9d6 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -4,6 +4,7 @@
from __future__ import print_function
+import contextlib
import dns.exception as dnsexception
import dns.name as dnsname
import dns.resolver as dnsresolver
@@ -508,29 +509,37 @@ def promote_openldap_conf(hostname, master):
root_logger.info("Failed to update {}: {}".format(ldap_conf, e))
-def check_remote_version(api):
+@contextlib.contextmanager
+def rpc_client(api):
"""
-Perform a check to verify remote server's version
+Context manager for JSON RPC client.
-:param api: remote API
-
-:raises: ``ScriptError`` if the checks fails
+:p
[Freeipa-devel] [freeipa PR#458][synchronized] Bytes deprecation warnings
URL: https://github.com/freeipa/freeipa/pull/458
Author: tiran
Title: #458: Bytes deprecation warnings
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/458/head:pr458
git checkout pr458
From 5b17ca0069867b620e1ba5bfc58830a4e26b858d Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Fri, 10 Feb 2017 14:19:07 +0100
Subject: [PATCH 1/5] Enable additional warnings (BytesWarning,
DeprecationWarning)
Closes: https://fedorahosted.org/freeipa/ticket/6631
Signed-off-by: Christian Heimes
---
ipalib/__init__.py | 46 +++---
ipatests/ipa-run-tests | 1 +
2 files changed, 40 insertions(+), 7 deletions(-)
diff --git a/ipalib/__init__.py b/ipalib/__init__.py
index 4f09090..7949086 100644
--- a/ipalib/__init__.py
+++ b/ipalib/__init__.py
@@ -880,8 +880,46 @@ class my_command(Command):
http://freeipa.org/page/Contribute
'''
+version_info = (2, 0, 0, 'alpha', 0)
+if version_info[3] == 'final':
+__version__ = '%d.%d.%d' % version_info[:3]
+else:
+__version__ = '%d.%d.%d.%s.%d' % version_info
+
-import os
+def _enable_warnings(error=False):
+"""Enable additional warnings during development
+"""
+import ctypes
+import warnings
+
+# get reference to Py_BytesWarningFlag from Python CAPI
+byteswarnings = ctypes.c_int.in_dll( # pylint: disable=no-member
+ctypes.pythonapi, 'Py_BytesWarningFlag')
+
+if byteswarnings.value >= 2:
+# bytes warnings flag already set to error
+return
+
+# default warning mode for all modules: warn once per location
+warnings.simplefilter('default', BytesWarning)
+if error:
+byteswarnings.value = 2
+action = 'error'
+else:
+byteswarnings.value = 1
+action = 'default'
+
+module = '(ipa.*|__main__)'
+warnings.filterwarnings(action, category=BytesWarning, module=module)
+warnings.filterwarnings(action, category=DeprecationWarning,
+module=module)
+
+# call this as early as possible
+if version_info[3] != 'final':
+_enable_warnings(False)
+
+# noqa: E402
from ipalib import plugable
from ipalib.backend import Backend
from ipalib.frontend import Command, LocalOrRemote, Updater
@@ -893,12 +931,6 @@ class my_command(Command):
from ipalib.errors import SkipPluginModule
from ipalib.text import _, ngettext, GettextFactory, NGettextFactory
-version_info = (2, 0, 0, 'alpha', 0)
-if version_info[3] == 'final':
-__version__ = '%d.%d.%d' % version_info[:3]
-else:
-__version__ = '%d.%d.%d.%s.%d' % version_info
-
Registry = plugable.Registry
diff --git a/ipatests/ipa-run-tests b/ipatests/ipa-run-tests
index cafd993..6b2070b 100755
--- a/ipatests/ipa-run-tests
+++ b/ipatests/ipa-run-tests
@@ -32,6 +32,7 @@ import sys
import pytest
+import ipalib
import ipatests
# This is set to store --with-xunit report in an accessible place:
From 64704c317d55729e9a90be55c9fc0422fae0fe08 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Fri, 10 Feb 2017 14:20:22 +0100
Subject: [PATCH 2/5] cryptography has deprecated serial in favor of
serial_number
Signed-off-by: Christian Heimes
---
ipalib/install/certstore.py | 2 +-
ipaserver/install/cainstance.py | 4 ++--
ipaserver/plugins/cert.py| 4 ++--
ipaserver/plugins/service.py | 4 ++--
ipatests/test_ipalib/test_x509.py| 2 +-
ipatests/test_ipaserver/test_ldap.py | 8
6 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/ipalib/install/certstore.py b/ipalib/install/certstore.py
index 70ae942..310e08e 100644
--- a/ipalib/install/certstore.py
+++ b/ipalib/install/certstore.py
@@ -33,7 +33,7 @@ def _parse_cert(dercert):
cert = x509.load_certificate(dercert, x509.DER)
subject = DN(cert.subject)
issuer = DN(cert.issuer)
-serial_number = cert.serial
+serial_number = cert.serial_number
public_key_info = x509.get_der_public_key_info(dercert, x509.DER)
except (ValueError, PyAsn1Error) as e:
raise ValueError("failed to decode certificate: %s" % e)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index a73a9c4..d869641 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -702,7 +702,7 @@ def __create_ca_agent(self):
userstate=["1"],
userCertificate=[cert_data],
description=['2;%s;%s;%s' % (
-cert.serial,
+cert.serial_number,
DN(self.ca_subject),
DN(('CN', 'IPA RA'), self.subject_base))])
conn.add_entry(entry)
@@ -1437,7 +1437,7 @@ def make_filter(dercert):
def make_entry(dercert, entry):
cert = x509.load_certificate(dercert, datatype=x509.DER)
-entry['authoritySerial'] = cert.serial
+entry['authoritySerial'] = cert.serial_number
[Freeipa-devel] [freeipa PR#458][opened] Bytes deprecation warnings
URL: https://github.com/freeipa/freeipa/pull/458
Author: tiran
Title: #458: Bytes deprecation warnings
Action: opened
PR body:
"""
* Enable bytes and deprecation warnings
* Fix a couple of bytes and deprecation warnings
https://fedorahosted.org/freeipa/ticket/6631
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/458/head:pr458
git checkout pr458
From 5b17ca0069867b620e1ba5bfc58830a4e26b858d Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Fri, 10 Feb 2017 14:19:07 +0100
Subject: [PATCH 1/4] Enable additional warnings (BytesWarning,
DeprecationWarning)
Closes: https://fedorahosted.org/freeipa/ticket/6631
Signed-off-by: Christian Heimes
---
ipalib/__init__.py | 46 +++---
ipatests/ipa-run-tests | 1 +
2 files changed, 40 insertions(+), 7 deletions(-)
diff --git a/ipalib/__init__.py b/ipalib/__init__.py
index 4f09090..7949086 100644
--- a/ipalib/__init__.py
+++ b/ipalib/__init__.py
@@ -880,8 +880,46 @@ class my_command(Command):
http://freeipa.org/page/Contribute
'''
+version_info = (2, 0, 0, 'alpha', 0)
+if version_info[3] == 'final':
+__version__ = '%d.%d.%d' % version_info[:3]
+else:
+__version__ = '%d.%d.%d.%s.%d' % version_info
+
-import os
+def _enable_warnings(error=False):
+"""Enable additional warnings during development
+"""
+import ctypes
+import warnings
+
+# get reference to Py_BytesWarningFlag from Python CAPI
+byteswarnings = ctypes.c_int.in_dll( # pylint: disable=no-member
+ctypes.pythonapi, 'Py_BytesWarningFlag')
+
+if byteswarnings.value >= 2:
+# bytes warnings flag already set to error
+return
+
+# default warning mode for all modules: warn once per location
+warnings.simplefilter('default', BytesWarning)
+if error:
+byteswarnings.value = 2
+action = 'error'
+else:
+byteswarnings.value = 1
+action = 'default'
+
+module = '(ipa.*|__main__)'
+warnings.filterwarnings(action, category=BytesWarning, module=module)
+warnings.filterwarnings(action, category=DeprecationWarning,
+module=module)
+
+# call this as early as possible
+if version_info[3] != 'final':
+_enable_warnings(False)
+
+# noqa: E402
from ipalib import plugable
from ipalib.backend import Backend
from ipalib.frontend import Command, LocalOrRemote, Updater
@@ -893,12 +931,6 @@ class my_command(Command):
from ipalib.errors import SkipPluginModule
from ipalib.text import _, ngettext, GettextFactory, NGettextFactory
-version_info = (2, 0, 0, 'alpha', 0)
-if version_info[3] == 'final':
-__version__ = '%d.%d.%d' % version_info[:3]
-else:
-__version__ = '%d.%d.%d.%s.%d' % version_info
-
Registry = plugable.Registry
diff --git a/ipatests/ipa-run-tests b/ipatests/ipa-run-tests
index cafd993..6b2070b 100755
--- a/ipatests/ipa-run-tests
+++ b/ipatests/ipa-run-tests
@@ -32,6 +32,7 @@ import sys
import pytest
+import ipalib
import ipatests
# This is set to store --with-xunit report in an accessible place:
From 64704c317d55729e9a90be55c9fc0422fae0fe08 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Fri, 10 Feb 2017 14:20:22 +0100
Subject: [PATCH 2/4] cryptography has deprecated serial in favor of
serial_number
Signed-off-by: Christian Heimes
---
ipalib/install/certstore.py | 2 +-
ipaserver/install/cainstance.py | 4 ++--
ipaserver/plugins/cert.py| 4 ++--
ipaserver/plugins/service.py | 4 ++--
ipatests/test_ipalib/test_x509.py| 2 +-
ipatests/test_ipaserver/test_ldap.py | 8
6 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/ipalib/install/certstore.py b/ipalib/install/certstore.py
index 70ae942..310e08e 100644
--- a/ipalib/install/certstore.py
+++ b/ipalib/install/certstore.py
@@ -33,7 +33,7 @@ def _parse_cert(dercert):
cert = x509.load_certificate(dercert, x509.DER)
subject = DN(cert.subject)
issuer = DN(cert.issuer)
-serial_number = cert.serial
+serial_number = cert.serial_number
public_key_info = x509.get_der_public_key_info(dercert, x509.DER)
except (ValueError, PyAsn1Error) as e:
raise ValueError("failed to decode certificate: %s" % e)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index a73a9c4..d869641 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -702,7 +702,7 @@ def __create_ca_agent(self):
userstate=["1"],
userCertificate=[cert_data],
description=['2;%s;%s;%s' % (
-cert.serial,
+cert.serial_number,
DN(self.ca_subject),
DN(('CN', 'IPA RA'), self.subject_base))])
conn.add_entry(entry)
@@ -1437,7 +1437,7 @@ def make_filter(dercert):
def make_entry(dercert, entry):
cert = x509.load_cer
[Freeipa-devel] [freeipa PR#446][synchronized] No NSS database passwords in ipa-client-install
URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
Title: #446: No NSS database passwords in ipa-client-install
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446
From 5f074ff8bced43ef88dc892baa8946ee21ec085a Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Tue, 6 Dec 2016 09:14:54 +0100
Subject: [PATCH 1/3] Add password to certutil calls in NSSDatabase
NSSDatabases should have the ability to run certutil with
a password if location of the file containing it is known.
https://fedorahosted.org/freeipa/ticket/5695
---
install/tools/ipa-replica-conncheck | 11 +++
ipaclient/install/client.py | 23 ---
ipapython/certdb.py | 19 +--
ipaserver/install/certs.py | 2 +-
ipaserver/install/installutils.py | 18 --
ipaserver/install/ipa_cacert_manage.py | 8
ipaserver/install/ipa_server_certinstall.py | 7 +++
ipaserver/install/kra.py| 7 ---
8 files changed, 48 insertions(+), 47 deletions(-)
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 04e23de..896fddc 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -542,12 +542,9 @@ def main():
with certdb.NSSDatabase(nss_dir) as nss_db:
if options.ca_cert_file:
-nss_dir = nss_db.secdir
-
-password = ipautil.ipa_generate_password()
-password_file = ipautil.write_tmp_file(password)
-nss_db.create_db(password_file.name)
-
+nss_db.create_passwd_file(
+ipautil.ipa_generate_password())
+nss_db.create_db()
ca_certs = x509.load_certificate_list_from_file(
options.ca_cert_file)
for ca_cert in ca_certs:
@@ -555,8 +552,6 @@ def main():
serialization.Encoding.DER)
nss_db.add_cert(
data, str(DN(ca_cert.subject)), 'C,,')
-else:
-nss_dir = None
api.bootstrap(context='client',
confdir=paths.ETC_IPA,
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index aa3449c..abb5e1a 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2288,26 +2288,26 @@ def install_check(options):
def create_ipa_nssdb():
-db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-pwdfile = os.path.join(db.secdir, 'pwdfile.txt')
+db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR,
+os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt'))
-ipautil.backup_file(pwdfile)
+ipautil.backup_file(db.password_file)
ipautil.backup_file(os.path.join(db.secdir, 'cert8.db'))
ipautil.backup_file(os.path.join(db.secdir, 'key3.db'))
ipautil.backup_file(os.path.join(db.secdir, 'secmod.db'))
-with open(pwdfile, 'w') as f:
-f.write(ipautil.ipa_generate_password())
-os.chmod(pwdfile, 0o600)
+db.create_passwd_file(ipautil.ipa_generate_password())
+os.chmod(db.password_file, 0o600)
-db.create_db(pwdfile)
+db.create_db()
os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)
def update_ipa_nssdb():
-ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+ipa_db = certdb.NSSDatabase(
+paths.IPA_NSSDB_DIR, os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt'))
sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
@@ -2672,8 +2672,8 @@ def _install(options):
for cert in ca_certs
]
try:
-pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
-tmp_db.create_db(pwd_file.name)
+tmp_db.create_passwd_file(ipautil.ipa_generate_password())
+tmp_db.create_db()
for i, cert in enumerate(ca_certs):
tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
@@ -3031,7 +3031,8 @@ def uninstall(options):
if hostname is None:
hostname = socket.getfqdn()
-ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR,
+os.path.join('pwdfile.txt'))
sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
cmonger = services.knownservices.certmonger
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 9481326..88fbcbb 100644
--- a/ipapython/
[Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain
URL: https://github.com/freeipa/freeipa/pull/448 Title: #448: Tests: Basic coverage with tree root domain martbab commented: """ If you look at the test cases (e.g. test_login_ipa-user, test_login_ad_user, test_login_subdomain_user are the 'best: examples) you can see that the function body is the same code copy-pasted with slight alterations so that it works for the new case. Your patch adds a *fourth* level of copy-pasta to the code, which is something that grieves me greatly. Clearly, you can group the common code into a private method that can be only called with the use-case specific parameters for each test case. Or you can expand the existing mixing hierarchy to achieve this. Then it would also be simpler to extend the test cases for tree-root domains. """ See the full comment at https://github.com/freeipa/freeipa/pull/448#issuecomment-278939703 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#455][+ack] Backup /root/kracert.p12
URL: https://github.com/freeipa/freeipa/pull/455 Title: #455: Backup /root/kracert.p12 Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#455][comment] Backup /root/kracert.p12
URL: https://github.com/freeipa/freeipa/pull/455 Title: #455: Backup /root/kracert.p12 stlaz commented: """ Works as expected, ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/455#issuecomment-278939314 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#428][comment] [Py3] ipa-server-install
URL: https://github.com/freeipa/freeipa/pull/428 Title: #428: [Py3] ipa-server-install HonzaCholasta commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/88b192a37ead1538e6d840c2f686f8d21a948542 https://fedorahosted.org/freeipa/changeset/2674a217acc2864a5fed98d7ef1e7031eae4f866 https://fedorahosted.org/freeipa/changeset/c27a46177c710fb18bf5b02beab4bd82c191a4bc https://fedorahosted.org/freeipa/changeset/8660b9e96801a764e808ca69c3c14a4a019d4eb8 https://fedorahosted.org/freeipa/changeset/d4aa75d10582443b38447985c3fce8e65fcd48a6 https://fedorahosted.org/freeipa/changeset/f31d73b79aaa1746f7d32576658fcd4136870115 https://fedorahosted.org/freeipa/changeset/7fd36e4d3651f327a8c3a2f13b92a2a304352dfd https://fedorahosted.org/freeipa/changeset/47f912e16ba6de2f3579de610b0d902cf3e621a2 https://fedorahosted.org/freeipa/changeset/488d01ced715929d47f6766a63b7d6c597125562 https://fedorahosted.org/freeipa/changeset/69072cb80f8c4b7f6eff0c7cdfe6545fe59ea7b5 https://fedorahosted.org/freeipa/changeset/dd119f8aadb13e95e4db43053bc36c70977b001e """ See the full comment at https://github.com/freeipa/freeipa/pull/428#issuecomment-278936205 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#428][closed] [Py3] ipa-server-install
URL: https://github.com/freeipa/freeipa/pull/428 Author: MartinBasti Title: #428: [Py3] ipa-server-install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/428/head:pr428 git checkout pr428 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#428][+pushed] [Py3] ipa-server-install
URL: https://github.com/freeipa/freeipa/pull/428 Title: #428: [Py3] ipa-server-install Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#428][+ack] [Py3] ipa-server-install
URL: https://github.com/freeipa/freeipa/pull/428 Title: #428: [Py3] ipa-server-install Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#457][opened] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
URL: https://github.com/freeipa/freeipa/pull/457
Author: martbab
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
Action: opened
PR body:
"""
In order to be able to function as a part of composite installer, samba
configuration code must be able to work without admin credentials. This
requires changes in the CIFS principal key retrieval method so that it is not
bound to the presence of privileged user ccache. This is achieved by slightly
altering and re-using the recently developed code for service keytab retrieval.
https://fedorahosted.org/freeipa/ticket/6638
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/457/head:pr457
git checkout pr457
From fc839dbff0c74aaf94f42a3583225e69b81f474c Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Fri, 3 Feb 2017 17:14:20 +0100
Subject: [PATCH 1/2] allow for more flexibility when requesting service keytab
The service installers can now override the methods for cleaning up
stale keytabs and changing file ownership of the newly acquired keytabs.
The default actions should be usable by most installers without specific
overriding.
https://fedorahosted.org/freeipa/ticket/6638
---
ipaserver/install/service.py | 30 ++
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index fbe3f23..3480e96 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -540,6 +540,20 @@ def _add_service_principal(self):
except errors.DuplicateEntry:
pass
+def _clean_previous_keytab(self):
+self.fstore.backup_file(self.keytab)
+try:
+os.unlink(self.keytab)
+except OSError:
+pass
+
+def _set_keytab_owner(self):
+if self.service_user is None:
+raise NotImplementedError("Service user name is not defined")
+
+pent = pwd.getpwnam(self.service_user)
+os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
+
def _run_getkeytab(self):
"""
backup and remove old service keytab (if present) and fetch a new one
@@ -550,12 +564,6 @@ def _run_getkeytab(self):
* self.dm_password is not none, then DM credentials are used to
fetch keytab
"""
-self.fstore.backup_file(self.keytab)
-try:
-os.unlink(self.keytab)
-except OSError:
-pass
-
ldap_uri = self.api.env.ldap_uri
args = [paths.IPA_GETKEYTAB,
'-k', self.keytab,
@@ -574,17 +582,15 @@ def _run_getkeytab(self):
ipautil.run(args, nolog=nolog)
def _request_service_keytab(self):
-if any(attr is None for attr in (self.principal, self.keytab,
- self.service_user)):
+if any(attr is None for attr in (self.principal, self.keytab)):
raise NotImplementedError(
"service must have defined principal "
-"name, keytab, and username")
+"name and keytab")
self._add_service_principal()
+self._clean_previous_keytab()
self._run_getkeytab()
-
-pent = pwd.getpwnam(self.service_user)
-os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
+self._set_keytab_owner()
class SimpleServiceInstance(Service):
From 5422ffa7c0fe6fc26f821ac041be307a4bf6e0d8 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Fri, 3 Feb 2017 17:16:59 +0100
Subject: [PATCH 2/2] use the methods of the parent class to retrieve CIFS
kerberos keys
adtrustinstance will now use parent's methods to retrieve keys for CIFS
principal. Since the keys are appended to the host keytab
(/etc/krb5.keytab) we need to make sure that only the stale CIFS keys
are purged from the file and that we do not re-set its ownership.
https://fedorahosted.org/freeipa/ticket/6638
---
ipaserver/install/adtrustinstance.py | 30 +++---
1 file changed, 11 insertions(+), 19 deletions(-)
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index c866cdd..321bbcc 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -530,27 +530,18 @@ def __setup_group_membership(self):
api.Backend.ldap2, self.smb_dn, "member",
[self.cifs_agent, self.host_princ])
-def __setup_principal(self):
-try:
-api.Command.service_add(unicode(self.principal))
-except errors.DuplicateEntry:
-# CIFS principal already exists, it is not the first time
-# adtrustinstance is managed
-# That's fine, we we'll re-extract the key again.
-pass
-except Exception as e:
-self.print_msg("Cannot add CIFS service: %s" % e)
-
+def _clean_previous_keytab(self):
+"""
+Purge old CIFS keys from /et
[Freeipa-devel] [freeipa PR#450][synchronized] Add FIPS-token password of HTTPD NSS database
URL: https://github.com/freeipa/freeipa/pull/450
Author: stlaz
Title: #450: Add FIPS-token password of HTTPD NSS database
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/450/head:pr450
git checkout pr450
From b88ef3fcfab2de6d06abe4e3fa26522abe487397 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Mon, 9 Jan 2017 08:45:33 +0100
Subject: [PATCH] Add FIPS-token password of HTTPD NSS database
This change is required for httpd to function properly in FIPS
https://fedorahosted.org/freeipa/ticket/5695
---
ipaserver/install/certs.py | 17 +++--
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 80918d4..45833ae 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -501,12 +501,17 @@ def create_password_conf(self):
This is the format of mod_nss pin files.
"""
ipautil.backup_file(self.pwd_conf)
-f = open(self.pwd_conf, "w")
-f.write("internal:")
-pwdfile = open(self.passwd_fname)
-f.write(pwdfile.read())
-f.close()
-pwdfile.close()
+
+with open(self.passwd_fname) as pwdfile:
+password = pwdfile.read()
+
+with open(self.pwd_conf, "w") as f:
+f.write("internal:")
+f.write(password)
+f.write("\nNSS FIPS 140-2 Certificate DB:")
+f.write(password)
+# make sure other processes can access the file contents ASAP
+f.flush()
self.set_perms(self.pwd_conf, uid=constants.HTTPD_USER)
def find_root_cert(self, nickname):
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#456][closed] bindinstance: fix named.conf parsing regexs
URL: https://github.com/freeipa/freeipa/pull/456 Author: tomaskrizek Title: #456: bindinstance: fix named.conf parsing regexs Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/456/head:pr456 git checkout pr456 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#456][comment] bindinstance: fix named.conf parsing regexs
URL: https://github.com/freeipa/freeipa/pull/456 Title: #456: bindinstance: fix named.conf parsing regexs MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/52582ae9284b80c22a272f0793f0cddfb761f6dc https://fedorahosted.org/freeipa/changeset/2f4442fff52090bad95a9b1f4f078e4d9acc8069 """ See the full comment at https://github.com/freeipa/freeipa/pull/456#issuecomment-278924269 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#456][+ack] bindinstance: fix named.conf parsing regexs
URL: https://github.com/freeipa/freeipa/pull/456 Title: #456: bindinstance: fix named.conf parsing regexs Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#456][+pushed] bindinstance: fix named.conf parsing regexs
URL: https://github.com/freeipa/freeipa/pull/456 Title: #456: bindinstance: fix named.conf parsing regexs Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#452][comment] [ WIP] ipa-run-tests: allow to run tests with server-api
URL: https://github.com/freeipa/freeipa/pull/452 Title: #452: [ WIP] ipa-run-tests: allow to run tests with server-api tiran commented: """ It's going to get simpler when privilege separation patch has landet. """ See the full comment at https://github.com/freeipa/freeipa/pull/452#issuecomment-278921964 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#452][+rejected] [ WIP] ipa-run-tests: allow to run tests with server-api
URL: https://github.com/freeipa/freeipa/pull/452 Title: #452: [ WIP] ipa-run-tests: allow to run tests with server-api Label: +rejected -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#452][comment] [ WIP] ipa-run-tests: allow to run tests with server-api
URL: https://github.com/freeipa/freeipa/pull/452 Title: #452: [ WIP] ipa-run-tests: allow to run tests with server-api MartinBasti commented: """ There are too many issues, it is not possible to run tests with server api easily, too many changes required. """ See the full comment at https://github.com/freeipa/freeipa/pull/452#issuecomment-278921678 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#452][closed] [ WIP] ipa-run-tests: allow to run tests with server-api
URL: https://github.com/freeipa/freeipa/pull/452 Author: MartinBasti Title: #452: [ WIP] ipa-run-tests: allow to run tests with server-api Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/452/head:pr452 git checkout pr452 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] FreeIPA and wildcard certificates
On 02/10/2017 10:37 AM, Fraser Tweedale wrote: > On Fri, Feb 10, 2017 at 09:23:10AM +0100, Martin Kosek wrote: >> On 02/09/2017 10:44 PM, Fraser Tweedale wrote: >>> On Thu, Feb 09, 2017 at 08:37:23AM +0100, Martin Kosek wrote: On 02/09/2017 02:12 AM, Fraser Tweedale wrote: > On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote: >> On ke, 08 helmi 2017, Martin Kosek wrote: >>> Hi Fraser and the list, >>> >>> I recently was in a conversation about integrating OpenShift with >>> FreeIPA. One >>> of the gaps was around generating a wildcard certificate by FreeIPA >>> that will >>> be used in the default OpenShift router for applications that do not >>> deploy own >>> certificates [1]. >>> >>> Is there any way that FreeIPA can generate it? I was thinking that >>> uploading >>> some custom certificate profile in FreeIPA may let us get such >>> certificate... >>> Or is the the only way we can add it by adding a new RFE in FreeIPA, >>> tracked in >>> [2]? >> Yes, we need a new RFE. There are checks in IPA that prevent wildcard >> certificates to be issued: >> >> - we ensure subject 'cn' of the certificate matches a Kerberos principal >> specified in the request >> >> - we validate that host object exists in IPA when the Kerberos >> principal is host/... >> >> We could lift off these two limitations for 'cn=*,$suffix' but there is >> still a need to apply proper ACLs when issuing the cert -- e.g. some >> object has to be used for performing access rights check. The wildcard >> certificate does not need to be stored anywhere in the tree, but a >> check still needs to be done. >> >> For example, for Kerberos PKINIT certificate which is issued to KDC we >> don't store public certificate in LDAP either but we do two checks: >> - a special KDC certificate profile is used to issue the cert >> - a special hostname check is done so that only IPA masters are able to >> request this certificate >> >> For the wildcard certificate I think we could have following: >> - use a separate profile for the wildcard, associated with a sub-CA >> - hardcode CN default in the profile to always be 'CN=*, >> O=$SUB_CA_SUBJECT' so that >> actual certificate ignores requested CN. >> - a special check to be done so that only wildcard-based subject >> alternative names can be added to a wildcard certificate request >> - all Kerberos principal / hostname checks are skipped. >> - actual ACL check is done by CA ACL. >> > Issuing wildcard certs is a deprecated practice[1]. I am not > dismissing the needs of OpenShift (or PaaS/IaaS solutions in > general) but I'd like to have a discussion with them about how > they're currently dealing with certs and whether a different > direction other than wildcard certs is feasible. Martin, who should > I reach out to? Feel free to copy them into this discussion. Right now, I am talking to a Solution Architect, i.e. someone who is building GAed solutions, not developers. This is not something we would change short-term anyway, this is how current OpenShift v2 or v3 behaves, despite the RFC. While I understand why having certificate *.lab.example.com and using it for my lab machines is a bad idea and increases the attack vector, I do not see it that way for OpenShift. There, applications get URL like ".myopenshift.test" and all is routed by one entity, the OpenShift broker. So the key.cert is on one location, just serving different names that are provisioned with OpenShift. I can understand that issuing a new certificate for every application provisioned by OpenShift and then renewing it complicates the design significantly. I am trying to be creative and see if current OpenShift could leverage FreeIPA CA and issue the broker cert, with current profile capabilities or with small change. >>> I believe OpenShift supports per-application certificates (i.e. when >>> app developers/maintainers supply their own cert for a custom >>> domain). So it might be possible in v2 or v3 to provision a cert >>> for every app. >> >> Right, it supports this. But then issuing the certificate and renewal is a >> responsibility of app developer, AFAIK. I do not think if OpenShift has all >> the >> needed hooks to do this automatically and call certmonger for example. >> >> TLDR; adding a support of certmonger and issuing a certificate for every new >> application is a whole another degree of complexity than just issuing a >> Wildcard certificate for the router. I am not saying it should not be done, I >> am just saying that being able to generate a wildcard certificate with >> FreeIPA >> would let us integrate with OpenShift much better than now and with >
[Freeipa-devel] [freeipa PR#456][opened] bindinstance: fix named.conf parsing regexs
URL: https://github.com/freeipa/freeipa/pull/456
Author: tomaskrizek
Title: #456: bindinstance: fix named.conf parsing regexs
Action: opened
PR body:
"""
Since named.conf API for bind-dyndb-ldap was updated, our parsing
regexes have to change.
https://fedorahosted.org/freeipa/ticket/6565
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/456/head:pr456
git checkout pr456
From 8773bd45d8ca4d70dc49b5a6aabb3d601d43a973 Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Fri, 10 Feb 2017 11:30:40 +0100
Subject: [PATCH 1/2] PEP8: fix line length for regexs in bindinstance
---
ipaserver/install/bindinstance.py | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index c9097c2..cccab87 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -68,12 +68,15 @@
named_conf_section_ipa_start_re = re.compile('\s*dynamic-db\s+"ipa"\s+{')
named_conf_section_options_start_re = re.compile('\s*options\s+{')
named_conf_section_end_re = re.compile('};')
-named_conf_arg_ipa_re = re.compile(r'(?P\s*)arg\s+"(?P\S+)\s(?P[^"]+)";')
-named_conf_arg_options_re = re.compile(r'(?P\s*)(?P\S+)\s+"(?P[^"]+)"\s*;')
+named_conf_arg_ipa_re = re.compile(
+r'(?P\s*)arg\s+"(?P\S+)\s(?P[^"]+)";')
+named_conf_arg_options_re = re.compile(
+r'(?P\s*)(?P\S+)\s+"(?P[^"]+)"\s*;')
named_conf_arg_ipa_template = "%(indent)sarg \"%(name)s %(value)s\";\n"
named_conf_arg_options_template = "%(indent)s%(name)s \"%(value)s\";\n"
# non string args for options section
-named_conf_arg_options_re_nonstr = re.compile(r'(?P\s*)(?P\S+)\s+(?P[^"]+)\s*;')
+named_conf_arg_options_re_nonstr = re.compile(
+r'(?P\s*)(?P\S+)\s+(?P[^"]+)\s*;')
named_conf_arg_options_template_nonstr = "%(indent)s%(name)s %(value)s;\n"
# include directive
named_conf_include_re = re.compile(r'\s*include\s+"(?P)"\s*;')
From c99321436f39c2c0a31fdfae83bb52f43d627a7a Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Fri, 10 Feb 2017 11:16:56 +0100
Subject: [PATCH 2/2] bindinstance: fix named.conf parsing regexs
Since named.conf API for bind-dyndb-ldap was updated, our parsing
regexes have to change.
https://fedorahosted.org/freeipa/ticket/6565
---
ipaserver/install/bindinstance.py | 13 ++---
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index cccab87..b1024aa 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -65,14 +65,14 @@
NAMED_CONF = paths.NAMED_CONF
RESOLV_CONF = paths.RESOLV_CONF
-named_conf_section_ipa_start_re = re.compile('\s*dynamic-db\s+"ipa"\s+{')
+named_conf_section_ipa_start_re = re.compile('\s*dyndb\s+"ipa"\s+"[^"]+"\s+{')
named_conf_section_options_start_re = re.compile('\s*options\s+{')
named_conf_section_end_re = re.compile('};')
named_conf_arg_ipa_re = re.compile(
-r'(?P\s*)arg\s+"(?P\S+)\s(?P[^"]+)";')
+r'(?P\s*)(?P\S+)\s"(?P[^"]+)";')
named_conf_arg_options_re = re.compile(
r'(?P\s*)(?P\S+)\s+"(?P[^"]+)"\s*;')
-named_conf_arg_ipa_template = "%(indent)sarg \"%(name)s %(value)s\";\n"
+named_conf_arg_ipa_template = "%(indent)s%(name)s \"%(value)s\";\n"
named_conf_arg_options_template = "%(indent)s%(name)s \"%(value)s\";\n"
# non string args for options section
named_conf_arg_options_re_nonstr = re.compile(
@@ -91,13 +91,12 @@ def create_reverse():
def named_conf_exists():
try:
-named_fd = open(NAMED_CONF, 'r')
+with open(NAMED_CONF, 'r') as named_fd:
+lines = named_fd.readlines()
except IOError:
return False
-lines = named_fd.readlines()
-named_fd.close()
for line in lines:
-if line.startswith('dynamic-db "ipa"'):
+if named_conf_section_ipa_start_re.match(line):
return True
return False
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#455][opened] Backup /root/kracert.p12
URL: https://github.com/freeipa/freeipa/pull/455 Author: tiran Title: #455: Backup /root/kracert.p12 Action: opened PR body: """ ipa-backup now backs up /root/kracert.p12. The file contains the certs and encrypted private keys for KRA transport, storage and audit. Closes: https://fedorahosted.org/freeipa/ticket/6659 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/455/head:pr455 git checkout pr455 From 64d3ee680976d4ed8e6ebe4ffdbd251a6c6c06cb Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 10 Feb 2017 10:41:12 +0100 Subject: [PATCH] Backup /root/kracert.p12 ipa-backup now backs up /root/kracert.p12. The file contains the certs and encrypted private keys for KRA transport, storage and audit. Closes: https://fedorahosted.org/freeipa/ticket/6659 Signed-off-by: Christian Heimes --- ipaserver/install/ipa_backup.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index c11120b..5369146 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -157,6 +157,7 @@ class Backup(admintool.AdminTool): paths.DOGTAG_ADMIN_P12, paths.KRA_AGENT_PEM, paths.CACERT_P12, +paths.KRACERT_P12, paths.KRB5KDC_KDC_CONF, paths.SYSTEMD_IPA_SERVICE, paths.SYSTEMD_SSSD_SERVICE, -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#450][synchronized] Add FIPS-token password of HTTPD NSS database
URL: https://github.com/freeipa/freeipa/pull/450
Author: stlaz
Title: #450: Add FIPS-token password of HTTPD NSS database
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/450/head:pr450
git checkout pr450
From 984d80eff07b1ae30625607244d7326c7da6d4d8 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Mon, 9 Jan 2017 08:45:33 +0100
Subject: [PATCH] Add FIPS-token password of HTTPD NSS database
This change is required for httpd to function properly in FIPS
https://fedorahosted.org/freeipa/ticket/5695
---
ipaserver/install/certs.py | 20 +---
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 80918d4..9170e35 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -501,13 +501,19 @@ def create_password_conf(self):
This is the format of mod_nss pin files.
"""
ipautil.backup_file(self.pwd_conf)
-f = open(self.pwd_conf, "w")
-f.write("internal:")
-pwdfile = open(self.passwd_fname)
-f.write(pwdfile.read())
-f.close()
-pwdfile.close()
-self.set_perms(self.pwd_conf, uid=constants.HTTPD_USER)
+
+with open(self.passwd_fname) as pwdfile:
+password = pwdfile.read()
+
+with open(self.pwd_conf, "w") as f:
+f.write("internal:")
+f.write(password)
+f.write("\nNSS FIPS 140-2 Certificate DB:")
+f.write(password)
+# make sure other processes can access the file contents ASAP
+f.flush()
+if os.path.exists(self.pwd_conf):
+self.set_perms(self.pwd_conf, uid=constants.HTTPD_USER)
def find_root_cert(self, nickname):
"""
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] FreeIPA and wildcard certificates
On Fri, Feb 10, 2017 at 09:23:10AM +0100, Martin Kosek wrote: > On 02/09/2017 10:44 PM, Fraser Tweedale wrote: > > On Thu, Feb 09, 2017 at 08:37:23AM +0100, Martin Kosek wrote: > >> On 02/09/2017 02:12 AM, Fraser Tweedale wrote: > >>> On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote: > On ke, 08 helmi 2017, Martin Kosek wrote: > > Hi Fraser and the list, > > > > I recently was in a conversation about integrating OpenShift with > > FreeIPA. One > > of the gaps was around generating a wildcard certificate by FreeIPA > > that will > > be used in the default OpenShift router for applications that do not > > deploy own > > certificates [1]. > > > > Is there any way that FreeIPA can generate it? I was thinking that > > uploading > > some custom certificate profile in FreeIPA may let us get such > > certificate... > > Or is the the only way we can add it by adding a new RFE in FreeIPA, > > tracked in > > [2]? > Yes, we need a new RFE. There are checks in IPA that prevent wildcard > certificates to be issued: > > - we ensure subject 'cn' of the certificate matches a Kerberos principal > specified in the request > > - we validate that host object exists in IPA when the Kerberos > principal is host/... > > We could lift off these two limitations for 'cn=*,$suffix' but there is > still a need to apply proper ACLs when issuing the cert -- e.g. some > object has to be used for performing access rights check. The wildcard > certificate does not need to be stored anywhere in the tree, but a > check still needs to be done. > > For example, for Kerberos PKINIT certificate which is issued to KDC we > don't store public certificate in LDAP either but we do two checks: > - a special KDC certificate profile is used to issue the cert > - a special hostname check is done so that only IPA masters are able to > request this certificate > > For the wildcard certificate I think we could have following: > - use a separate profile for the wildcard, associated with a sub-CA > - hardcode CN default in the profile to always be 'CN=*, > O=$SUB_CA_SUBJECT' so that > actual certificate ignores requested CN. > - a special check to be done so that only wildcard-based subject > alternative names can be added to a wildcard certificate request > - all Kerberos principal / hostname checks are skipped. > - actual ACL check is done by CA ACL. > > >>> Issuing wildcard certs is a deprecated practice[1]. I am not > >>> dismissing the needs of OpenShift (or PaaS/IaaS solutions in > >>> general) but I'd like to have a discussion with them about how > >>> they're currently dealing with certs and whether a different > >>> direction other than wildcard certs is feasible. Martin, who should > >>> I reach out to? Feel free to copy them into this discussion. > >> > >> Right now, I am talking to a Solution Architect, i.e. someone who is > >> building > >> GAed solutions, not developers. This is not something we would change > >> short-term anyway, this is how current OpenShift v2 or v3 behaves, despite > >> the RFC. > >> > >> While I understand why having certificate *.lab.example.com and using it > >> for my > >> lab machines is a bad idea and increases the attack vector, I do not see it > >> that way for OpenShift. There, applications get URL like > >> ".myopenshift.test" and all is routed by one entity, the OpenShift > >> broker. So the key.cert is on one location, just serving different names > >> that > >> are provisioned with OpenShift. > >> > >> I can understand that issuing a new certificate for every application > >> provisioned by OpenShift and then renewing it complicates the design > >> significantly. I am trying to be creative and see if current OpenShift > >> could > >> leverage FreeIPA CA and issue the broker cert, with current profile > >> capabilities or with small change. > >> > > I believe OpenShift supports per-application certificates (i.e. when > > app developers/maintainers supply their own cert for a custom > > domain). So it might be possible in v2 or v3 to provision a cert > > for every app. > > Right, it supports this. But then issuing the certificate and renewal is a > responsibility of app developer, AFAIK. I do not think if OpenShift has all > the > needed hooks to do this automatically and call certmonger for example. > > TLDR; adding a support of certmonger and issuing a certificate for every new > application is a whole another degree of complexity than just issuing a > Wildcard certificate for the router. I am not saying it should not be done, I > am just saying that being able to generate a wildcard certificate with FreeIPA > would let us integrate with OpenShift much better than now and with > (hopefully) > low effort involved, i.e. faster. > > > An auto
Re: [Freeipa-devel] FreeIPA and wildcard certificates
On 02/09/2017 10:44 PM, Fraser Tweedale wrote: > On Thu, Feb 09, 2017 at 08:37:23AM +0100, Martin Kosek wrote: >> On 02/09/2017 02:12 AM, Fraser Tweedale wrote: >>> On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote: On ke, 08 helmi 2017, Martin Kosek wrote: > Hi Fraser and the list, > > I recently was in a conversation about integrating OpenShift with > FreeIPA. One > of the gaps was around generating a wildcard certificate by FreeIPA that > will > be used in the default OpenShift router for applications that do not > deploy own > certificates [1]. > > Is there any way that FreeIPA can generate it? I was thinking that > uploading > some custom certificate profile in FreeIPA may let us get such > certificate... > Or is the the only way we can add it by adding a new RFE in FreeIPA, > tracked in > [2]? Yes, we need a new RFE. There are checks in IPA that prevent wildcard certificates to be issued: - we ensure subject 'cn' of the certificate matches a Kerberos principal specified in the request - we validate that host object exists in IPA when the Kerberos principal is host/... We could lift off these two limitations for 'cn=*,$suffix' but there is still a need to apply proper ACLs when issuing the cert -- e.g. some object has to be used for performing access rights check. The wildcard certificate does not need to be stored anywhere in the tree, but a check still needs to be done. For example, for Kerberos PKINIT certificate which is issued to KDC we don't store public certificate in LDAP either but we do two checks: - a special KDC certificate profile is used to issue the cert - a special hostname check is done so that only IPA masters are able to request this certificate For the wildcard certificate I think we could have following: - use a separate profile for the wildcard, associated with a sub-CA - hardcode CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT' so that actual certificate ignores requested CN. - a special check to be done so that only wildcard-based subject alternative names can be added to a wildcard certificate request - all Kerberos principal / hostname checks are skipped. - actual ACL check is done by CA ACL. >>> Issuing wildcard certs is a deprecated practice[1]. I am not >>> dismissing the needs of OpenShift (or PaaS/IaaS solutions in >>> general) but I'd like to have a discussion with them about how >>> they're currently dealing with certs and whether a different >>> direction other than wildcard certs is feasible. Martin, who should >>> I reach out to? Feel free to copy them into this discussion. >> >> Right now, I am talking to a Solution Architect, i.e. someone who is building >> GAed solutions, not developers. This is not something we would change >> short-term anyway, this is how current OpenShift v2 or v3 behaves, despite >> the RFC. >> >> While I understand why having certificate *.lab.example.com and using it for >> my >> lab machines is a bad idea and increases the attack vector, I do not see it >> that way for OpenShift. There, applications get URL like >> ".myopenshift.test" and all is routed by one entity, the OpenShift >> broker. So the key.cert is on one location, just serving different names that >> are provisioned with OpenShift. >> >> I can understand that issuing a new certificate for every application >> provisioned by OpenShift and then renewing it complicates the design >> significantly. I am trying to be creative and see if current OpenShift could >> leverage FreeIPA CA and issue the broker cert, with current profile >> capabilities or with small change. >> > I believe OpenShift supports per-application certificates (i.e. when > app developers/maintainers supply their own cert for a custom > domain). So it might be possible in v2 or v3 to provision a cert > for every app. Right, it supports this. But then issuing the certificate and renewal is a responsibility of app developer, AFAIK. I do not think if OpenShift has all the needed hooks to do this automatically and call certmonger for example. TLDR; adding a support of certmonger and issuing a certificate for every new application is a whole another degree of complexity than just issuing a Wildcard certificate for the router. I am not saying it should not be done, I am just saying that being able to generate a wildcard certificate with FreeIPA would let us integrate with OpenShift much better than now and with (hopefully) low effort involved, i.e. faster. > An automated solution does not yet exist but that > doesn't mean it can't be built out of what's currently GA. > >>> [1] https://tools.ietf.org/html/rfc6125#section-7.2 >>> >>> If we do go ahead with wildcard cert support in FreeIPA, some of my >>> initial questions are: >>> >>> - Fo
[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands
URL: https://github.com/freeipa/freeipa/pull/444 Title: #444: Allow nsaccountlock to be searched in user-find commands HonzaCholasta commented: """ Replacing `flags=['no_option']` with `flags=['no_create', 'no_update']` is not backward compatible - the `no_option` flag only hides the option in the CLI, but `no_create` / `no_update` would completely remove it from `user_add` / `user_mod`. So, @redhatrises's approach is OK, although I would rather remove the `no_option` flag in `user.takes_options` and add it back in `user_add.get_options()` and `user_mod.get_options()`. Also, now that the options is visible in CLI, you should set `cli_name='disabled'` on it, so that we have a `--disabled` option rather than `--nsaccountlock` option in `ipa user-find`. """ See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-278884001 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
