[Freeipa-devel] [freeipa PR#462][closed] [WIP] pylint: add custom check for forbidden imports

2017-02-13 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/462
Author: MartinBasti
 Title: #462: [WIP] pylint: add custom check for forbidden imports
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/462/head:pr462
git checkout pr462
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#462][comment] [WIP] pylint: add custom check for forbidden imports

2017-02-13 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/462
Title: #462: [WIP] pylint: add custom check for forbidden imports

MartinBasti commented:
"""
@HonzaCholasta has some WIP patches for this in his drawer which may be better 
than this, so closing this PR in favor of Honza's patches
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/462#issuecomment-279633108

[Freeipa-devel] [freeipa PR#462][comment] [WIP] pylint: add custom check for forbidden imports

2017-02-13 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/462
Title: #462: [WIP] pylint: add custom check for forbidden imports

tiran commented:
"""
Can you turn module matching into a regular expression? We need a bit more 
advanced checks, e.g. ```ipalib``` should not import from ```ipaplatform``` 
except for modules in ```ipalib.install```.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/462#issuecomment-279628559
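The rule shape requested in the comment above (regular-expression module matching, with `ipalib.install` exempt from the `ipalib` to `ipaplatform` ban), as an added example that is not code from the PR or from FreeIPA. It walks imports with the standard-library `ast` module instead of a pylint checker; the `Rule` tuple, `tree` helper, `check_module` function and the sample sources are hypothetical names constructed for illustration.

```python
import ast
import re
from collections import namedtuple

# Hypothetical rule shape: three regexes, each matched with re.fullmatch
# against a dotted module name. `exempt` may be None.
Rule = namedtuple("Rule", "importer forbidden exempt")


def tree(package):
    """Regex for a package and all its submodules, split on dot boundaries."""
    return r"{}(\..*)?".format(re.escape(package))


RULES = (
    # the rule from the PR's FORBIDDEN_IMPORTS table
    Rule(tree("ipapython"), tree("ipalib"), None),
    # the rule from the review comment: ipalib.install is exempt
    Rule(tree("ipalib"), tree("ipaplatform"), tree("ipalib.install")),
)


def check_module(source, current, rules=RULES):
    """Return sorted (lineno, imported_name, forbidden_regex) violations
    for the module named `current` whose text is `source`."""
    active = [
        r for r in rules
        if re.fullmatch(r.importer, current)
        and not (r.exempt and re.fullmatch(r.exempt, current))
    ]
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            groups = [[alias.name] for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0:
            # "from a import b" may name module a or submodule a.b
            groups = [[node.module, node.module + "." + alias.name]
                      for alias in node.names]
        else:
            # Relative imports stay inside the importer's own top-level
            # package, so they cannot cross the layers these rules describe.
            continue
        for names in groups:
            for rule in active:
                hit = next((n for n in names
                            if re.fullmatch(rule.forbidden, n)), None)
                if hit:
                    found.add((node.lineno, hit, rule.forbidden))
    return sorted(found)


# Constructed sample sources, keyed by the module name they stand for.
SAMPLES = {
    "ipapython.dn": "import os\nfrom ipalib import errors\n",
    "ipalib.rpc": ("from ipaplatform.paths import paths\n"
                   "import ipaplatform_compat\n"),
    "ipalib.install.sysrestore": "from ipaplatform.tasks import tasks\n",
    "ipalibx.tool": "import ipaplatform\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for lineno, imported, pattern in check_module(text, name):
            print("{}:{}: forbidden import {!r} (rule {})".format(
                name, lineno, imported, pattern))
```

Because every pattern is anchored with `re.fullmatch` and built on dot boundaries, the constructed `ipalibx.tool` and `ipaplatform_compat` names do not trigger the `ipalib` and `ipaplatform` rules.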

[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder

2017-02-13 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

tiran commented:
"""
@pvoborni I have modified the PR and added a pretty_print option. JSON is now 
pretty printed for verbose level 2 and higher.

The old implementation converted all lists to tuples. With ```obj_hook```, only 
lists in JSON objects are converted at the moment. Nested lists are not fully 
converted, which causes a test failure. I wonder why we decided to convert 
lists to tuples in the first place? Can we drop the conversion and just use 
lists here?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/459#issuecomment-279627304
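The behaviour described in the comment above, as an added example that is not code from the PR: a decoder hook passed to `json.loads` as `object_hook` only ever sees JSON objects, so list values one level inside an object are converted while nested lists and top-level arrays are not. The hook, the helper names and the payloads are constructed for illustration and assume the hook converts list values to tuples.

```python
import json


def shallow_hook(obj):
    """object_hook: turn the list values of one decoded JSON object into tuples."""
    return {k: tuple(v) if isinstance(v, list) else v for k, v in obj.items()}


def to_tuples(value):
    """Recursively convert every list, at any depth, into a tuple."""
    if isinstance(value, list):
        return tuple(to_tuples(v) for v in value)
    if isinstance(value, dict):
        return {k: to_tuples(v) for k, v in value.items()}
    return value


def has_list(value):
    """True if a list survives anywhere inside the decoded value."""
    if isinstance(value, list):
        return True
    if isinstance(value, tuple):
        return any(has_list(v) for v in value)
    if isinstance(value, dict):
        return any(has_list(v) for v in value.values())
    return False


def decode_shallow(text):
    """Single pass: conversion happens only inside the object hook."""
    return json.loads(text, object_hook=shallow_hook)


def decode_full(text):
    """Second pass over the decoded tree: converts every list."""
    return to_tuples(json.loads(text))


# Constructed payloads (not captured FreeIPA traffic).
PAYLOAD = ('{"result": {"memberof": ["admins", "editors"],'
           ' "matrix": [[1, 2], [3]]}, "id": 0}')
TOP_LEVEL_ARRAY = '[{"cn": ["a"]}, ["b"]]'

if __name__ == "__main__":
    print(decode_shallow(PAYLOAD))          # inner lists of "matrix" remain
    print(decode_shallow(TOP_LEVEL_ARRAY))  # the outer array never reaches the hook
    print(decode_full(PAYLOAD))
```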

[Freeipa-devel] [freeipa PR#459][synchronized] [WIP] Faster JSON encoder/decoder

2017-02-13 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/459
Author: tiran
 Title: #459: [WIP] Faster JSON encoder/decoder
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/459/head:pr459
git checkout pr459
From e685e106dbcfb54d1651c97d6a07a17c3417127f Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 13 Feb 2017 09:46:39 +0100
Subject: [PATCH 1/3] Faster JSON encoder/decoder

Improve performance of FreeIPA's JSON serializer and deserializer.

* Don't indent and sort keys. Both options trigger a slow path in
  Python's json package. Without indention and sorting, encoding
  mostly happens in optimized C code.
* Replace O(n) type checks with O(1) type lookup and eliminate
  the use of isinstance().
* Check each client capability only once for every conversion.
* Use decoder's obj_hook feature to traverse the object tree once and
  to eliminate calls to isinstance().

Closes: https://fedorahosted.org/freeipa/ticket/6655
Signed-off-by: Christian Heimes 
---
 ipalib/rpc.py  | 211 +++--
 ipaserver/rpcserver.py |   7 +-
 2 files changed, 134 insertions(+), 84 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 7d9f6ec..6cad397 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -51,7 +51,7 @@
 from ipalib.backend import Connectible
 from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
 from ipalib.errors import (public_errors, UnknownError, NetworkError,
-KerberosError, XMLRPCMarshallError, JSONError, ConversionError)
+KerberosError, XMLRPCMarshallError, JSONError)
 from ipalib import errors, capabilities
 from ipalib.request import context, Connection
 from ipapython.ipa_log_manager import root_logger
@@ -274,67 +274,140 @@ def xml_dumps(params, version, methodname=None, methodresponse=False,
 )
 
 
-def json_encode_binary(val, version):
-'''
-   JSON cannot encode binary values. We encode binary values in Python str
-   objects and text in Python unicode objects. In order to allow a binary
-   object to be passed through JSON we base64 encode it thus converting it to
-   text which JSON can transport. To assure we recognize the value is a base64
-   encoded representation of the original binary value and not confuse it with
-   other text we convert the binary value to a dict in this form:
-
-   {'__base64__' : base64_encoding_of_binary_value}
-
-   This modification of the original input value cannot be done "in place" as
-   one might first assume (e.g. replacing any binary items in a container
-   (e.g. list, tuple, dict) with the base64 dict because the container might be
-   an immutable object (i.e. a tuple). Therefore this function returns a copy
-   of any container objects it encounters with tuples replaced by lists. This
-   is O.K. because the JSON encoding will map both lists and tuples to JSON
-   arrays.
-   '''
-
-if isinstance(val, dict):
-new_dict = {}
-for k, v in val.items():
-new_dict[k] = json_encode_binary(v, version)
-return new_dict
-elif isinstance(val, (list, tuple)):
-new_list = [json_encode_binary(v, version) for v in val]
-return new_list
-elif isinstance(val, bytes):
-encoded = base64.b64encode(val)
-if not six.PY2:
-encoded = encoded.decode('ascii')
-return {'__base64__': encoded}
-elif isinstance(val, Decimal):
-return unicode(val)
-elif isinstance(val, DN):
-return str(val)
-elif isinstance(val, datetime.datetime):
-if capabilities.client_has_capability(version, 'datetime_values'):
+class _JSONConverter(dict):
+__slots__ = ('version', '_cap_datetime', '_cap_dnsname')
+
+_identity = object()
+
+def __init__(self, version, _identity=_identity):
+super(_JSONConverter, self).__init__()
+self.version = version
+self._cap_datetime = None
+self._cap_dnsname = None
+self.update({
+unicode: _identity,
+bool: _identity,
+type(None): _identity,
+float: _identity,
+Decimal: unicode,
+DN: str,
+Principal: unicode,
+DNSName: self._enc_dnsname,
+datetime.datetime: self._enc_datetime,
+bytes: self._enc_bytes,
+list: self._enc_list,
+tuple: self._enc_list,
+dict: self._enc_dict,
+})
+# int, long
+for t in six.integer_types:
+self[t] = _identity
+
+def __missing__(self, typ):
+# walk MRO to find best match
+for c in typ.__mro__:
+if c in self:
+self[typ] = self[c]
+return self[c]
+# use issubclass to check for registered ABCs
+for c in self:
+if issubclass(typ, c):
+self[typ] = self[c]
+return 
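Review bot: the new `_JSONConverter` class has no docstring, while the removed `json_encode_binary` docstring was the only place in this hunk that documented the `{'__base64__': ...}` wire convention and the fact that containers are copied with tuples replaced by lists. Please carry that explanation over to the class or to `_enc_bytes` / `_enc_list`, and add a sentence on `__missing__`: it caches the resolved converter with `self[typ] = self[c]`, so the table grows with every new type it sees, and in the second loop it writes to the dict while iterating over it, which is only safe because the function returns immediately afterwards.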

[Freeipa-devel] [freeipa PR#462][synchronized] [WIP] pylint: add custom check for forbidden imports

2017-02-13 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/462
Author: MartinBasti
 Title: #462: [WIP] pylint: add custom check for forbidden imports
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/462/head:pr462
git checkout pr462
From 9a553e75595bacc43a17fdf372d93254150dba5f Mon Sep 17 00:00:00 2001
From: Martin 
Date: Tue, 14 Feb 2017 01:14:25 +0100
Subject: [PATCH] pylint: add custom check for forbidden imports

Some modules of FreeIPA should not be imported to some other FreeIPA
modules, like ipalib into ipapython
---
 pylint_plugins.py | 68 +++
 1 file changed, 64 insertions(+), 4 deletions(-)

diff --git a/pylint_plugins.py b/pylint_plugins.py
index fc2ce9b..8405568 100644
--- a/pylint_plugins.py
+++ b/pylint_plugins.py
@@ -9,10 +9,9 @@
 
 from astroid import MANAGER
 from astroid import scoped_nodes
-
-
-def register(linter):
-pass
+from pylint.checkers import BaseChecker
+from pylint.checkers.utils import check_messages
+from pylint.interfaces import IAstroidChecker
 
 
 def _warning_already_exists(cls, member):
@@ -249,9 +248,70 @@ def fake_class(name_or_class_obj, members=()):
 }
 
 
+# prefix match is used for all values specified here --> all submodules are
+# matched
+# module names must be specified in absolute path
+FORBIDDEN_IMPORTS = (
+# ( checked module, [# forbidden.import.1, # forbidden.import.2])
+('ipapython', ('ipalib',)),
+)
+
+
 def fix_ipa_classes(cls):
 class_name_with_module = "{}.{}".format(cls.root().name, cls.name)
 if class_name_with_module in ipa_class_members:
 fake_class(cls, ipa_class_members[class_name_with_module])
 
+
+class IPAImportChecker(BaseChecker):
+"""Check for specified imports from FORBIDDEN_IMPORTS and return
+warning when module is not allowed ot be imported
+into the particular module"""
+
+__implements__ = IAstroidChecker
+
+name = 'ipa-imports'
+msgs = {
+'W': (
+'IPA: forbidden import "%s" ("%s" should not import "%s")',
+'ipa-forbidden-import',
+'Used when import of module is not '
+'allowed in the particular module.'
+),
+}
+priority = -2
+
+def _check_imports(self, node, import_abs_name):
+# name of the module where import statement is
+current = node.root().name
+for importer, imports in FORBIDDEN_IMPORTS:
+if current.startswith(importer):
+# current node is listed in rules
+for imprt in imports:
+if import_abs_name.startswith(imprt):
+self.add_message(
+'ipa-forbidden-import',
+args=(import_abs_name, importer, imprt),
+node=node)
+break
+break
+
+@check_messages('ipa-forbidden-import')
+def visit_import(self, node):
+"""triggered when an import statement is seen"""
+modnode = [name for name, _obj in node.names]
+for m in modnode:
+self._check_imports(node, m)
+
+@check_messages('ipa-forbidden-import')
+def visit_importfrom(self, node):
+"""triggered when a from statement is seen"""
+basename = node.modname
+self._check_imports(node, basename)
+
+
+def register(linter):
+linter.register_checker(IPAImportChecker(linter))
+
+
 MANAGER.register_transform(scoped_nodes.Class, fix_ipa_classes)
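Review bot: `_check_imports` compares with `current.startswith(importer)` and `import_abs_name.startswith(imprt)`, which are raw string prefixes rather than package boundaries, so the `('ipapython', ('ipalib',))` rule also fires for any module whose name merely begins with those characters. Compare on dotted boundaries instead, for example `name == pkg or name.startswith(pkg + '.')`, or switch to anchored regular expressions as asked in the review. The outer `break` also stops at the first rule whose importer prefix matches, so a later, more specific rule for the same package would never be evaluated once `FORBIDDEN_IMPORTS` has more than one entry.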

[Freeipa-devel] [freeipa PR#462][opened] [WIP] pylint: add custom check for forbidden imports

2017-02-13 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/462
Author: MartinBasti
 Title: #462: [WIP] pylint: add custom check for forbidden imports
Action: opened

PR body:
"""
Some modules of FreeIPA should not be imported to some other FreeIPA
modules, like ipalib into ipapython

This is WIP, it misses a lot of rules and I had a hard time with naming 
variables, feedback more than welcome.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/462/head:pr462
git checkout pr462
From aaf13c5ed25ec619aab9c1566248812593fd6342 Mon Sep 17 00:00:00 2001
From: Martin 
Date: Tue, 14 Feb 2017 01:14:25 +0100
Subject: [PATCH] pylint: add custom check for forbidden imports

Some modules of FreeIPA should not be imported to some other FreeIPA
modules, like ipalib into ipapython
---
 pylint_plugins.py | 68 +++
 1 file changed, 64 insertions(+), 4 deletions(-)

diff --git a/pylint_plugins.py b/pylint_plugins.py
index fc2ce9b..078a802 100644
--- a/pylint_plugins.py
+++ b/pylint_plugins.py
@@ -9,10 +9,9 @@
 
 from astroid import MANAGER
 from astroid import scoped_nodes
-
-
-def register(linter):
-pass
+from pylint.checkers import BaseChecker
+from pylint.checkers.utils import check_messages
+from pylint.interfaces import IAstroidChecker
 
 
 def _warning_already_exists(cls, member):
@@ -249,9 +248,70 @@ def fake_class(name_or_class_obj, members=()):
 }
 
 
+# prefix match is used for all values specified here --> all submodules are
+# matched
+# module names must be specified in absolute path
+FORBIDDEN_IMPORTS = (
+# ( checked module, [# forbidden.import.1, # forbidden.import.2])
+('ipapython', ('ipalib',)),
+)
+
+
 def fix_ipa_classes(cls):
 class_name_with_module = "{}.{}".format(cls.root().name, cls.name)
 if class_name_with_module in ipa_class_members:
 fake_class(cls, ipa_class_members[class_name_with_module])
 
+
+class IPAImportChecker(BaseChecker):
+"""Check for specified imports from FORBIDDEN_IMPORTS and return
+warning when module is not allowed ot be imported
+into the particular module"""
+
+__implements__ = IAstroidChecker
+
+name = 'ipa-imports'
+msgs = {
+'W': (
+'IPA: forbidden import "%s" ("%s" should not import "%s")',
+'ipa-forbidden-import',
+'Used when import of module is not '
+'allowed in the particular module.'
+),
+}
+priority = -2
+
+def _check_imports(self, node, import_abs_name):
+# name of the module where import statement is
+current = node.root().name
+for importer, imports in FORBIDDEN_IMPORTS:
+if current.startswith(importer):
+# current node is listed in rules
+for imprt in imports:
+if import_abs_name.startswith(imprt):
+self.add_message(
+'ipa-forbidden-import',
+args=(import_abs_name, importer, imprt),
+node=node)
+break
+break
+
+@check_messages('ipa-forbidden-import')
+def visit_import(self, node):
+"""triggered when an import statement is seen"""
+modnode = [name for name, _ in node.names]
+for m in modnode:
+self._check_imports(node, m)
+
+@check_messages('ipa-forbidden-import')
+def visit_importfrom(self, node):
+"""triggered when a from statement is seen"""
+basename = node.modname
+self._check_imports(node, basename)
+
+
+def register(linter):
+linter.register_checker(IPAImportChecker(linter))
+
+
 MANAGER.register_transform(scoped_nodes.Class, fix_ipa_classes)
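Review bot: the key in `IPAImportChecker.msgs` is the bare string `'W'`, but pylint expects a message id made of the category letter followed by four digits, so the checker will be rejected when it is registered; use an id from an unused range (a placeholder such as `'W99xx'` until a number is chosen). In the same class, `visit_importfrom` passes `node.modname` straight to `_check_imports` without looking at `node.level`, so a relative import is compared by its relative name even though the comment above `FORBIDDEN_IMPORTS` says names must be absolute. The docstring also has a typo, "ot be imported".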

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-13 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
@HonzaCholasta push it before we break it again! :-)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279538680

[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping

2017-02-13 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
 Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398
From 8e9eeb0619f8a11767a37bce112c3ea6b19f7091 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt|  16 +-
 API.txt| 181 
 VERSION.m4 |   4 +-
 install/share/73certmap.ldif   |  16 ++
 install/share/Makefile.am  |   1 +
 install/updates/73-certmap.update  |  27 +++
 install/updates/Makefile.am|   1 +
 ipalib/constants.py|   4 +
 ipapython/dn.py|   8 +-
 ipaserver/install/dsinstance.py|   1 +
 ipaserver/plugins/baseuser.py  | 152 -
 ipaserver/plugins/certmap.py   | 336 +
 ipaserver/plugins/stageuser.py |  16 +-
 ipaserver/plugins/user.py  |  23 ++-
 ipatests/test_ipapython/test_dn.py |  20 +++
 15 files changed, 794 insertions(+), 12 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..2bde577 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
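Review bot: the two new read ACIs, "System: Read Certmap Configuration" and "System: Read Certmap Rules", bind to `userdn` `ldap:///all`, so every authenticated user can read `ipacertmapmaprule`, `ipacertmapmatchrule` and `ipacertmappriority`. That mirrors the existing "System: Read CA ACLs" context line, but the mapping and matching rules describe how certificates are tied to identities, so please state in the design or commit message which clients need to read them; if only the server side does, bind the read permission to a `groupdn` the way the add, modify and delete ACIs in this hunk do.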
@@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 

[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder

2017-02-13 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

pvoborni commented:
"""
As mentioned at the meeting, if rpcserver pretty-prints into output in debug mode then 
it is fine. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/459#issuecomment-279466497

[Freeipa-devel] [freeipa PR#461][opened] Bump required version of bind-dyndb-ldap to 11.0-2

2017-02-13 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/461
Author: tomaskrizek
 Title: #461: Bump required version of bind-dyndb-ldap to 11.0-2
Action: opened

PR body:
"""
Fedora release bind-dyndb-ldap 11.0-2 transforms existing named.conf
old style API to the new style API. This package version is required
to enable upgrade of existing IPA installations to new version.

https://fedorahosted.org/freeipa/ticket/6565
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/461/head:pr461
git checkout pr461
From d6d8ef7ffde060120a617ed295cb6a0fac9e9481 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 13 Feb 2017 18:36:12 +0100
Subject: [PATCH] Bump required version of bind-dyndb-ldap to 11.0-2

Fedora release bind-dyndb-ldap 11.0-2 transforms existing named.conf
old style API to the new style API. This package version is required
to enable upgrade of existing IPA installations to new version.

https://fedorahosted.org/freeipa/ticket/6565
---
 freeipa.spec.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 26481ff..3ccfeca 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -373,7 +373,7 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing
 Group: System Environment/Base
 BuildArch: noarch
 Requires: %{name}-server = %{version}-%{release}
-Requires: bind-dyndb-ldap >= 11.0
+Requires: bind-dyndb-ldap >= 11.0-2
 Requires: bind >= 9.11.0-6.P2
 Requires: bind-utils >= 9.11.0-6.P2
 Requires: bind-pkcs11 >= 9.11.0-6.P2

[Freeipa-devel] [freeipa PR#445][comment] Remove is_fips_enabled checks in installers and ipactl

2017-02-13 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/445
Title: #445: Remove is_fips_enabled checks in installers and ipactl

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/08c71703a44d8aec308781351c3a9dd4a4ba94a7
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/445#issuecomment-279456586

[Freeipa-devel] [freeipa PR#445][closed] Remove is_fips_enabled checks in installers and ipactl

2017-02-13 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/445
Author: stlaz
 Title: #445: Remove is_fips_enabled checks in installers and ipactl
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/445/head:pr445
git checkout pr445

[Freeipa-devel] [freeipa PR#445][+pushed] Remove is_fips_enabled checks in installers and ipactl

2017-02-13 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/445
Title: #445: Remove is_fips_enabled checks in installers and ipactl

Label: +pushed

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

2017-02-13 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

MartinBasti commented:
"""
LGTM, I'll test it later
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/444#issuecomment-279455811

[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping

2017-02-13 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
 Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398
From 5a6a88db9a843a0636875fb3b1ee02e40291443a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt|  16 +-
 API.txt| 181 
 VERSION.m4 |   4 +-
 install/share/73certmap.ldif   |  16 ++
 install/share/Makefile.am  |   1 +
 install/updates/73-certmap.update  |  27 +++
 install/updates/Makefile.am|   1 +
 ipalib/constants.py|   4 +
 ipapython/dn.py|   8 +-
 ipaserver/install/dsinstance.py|   1 +
 ipaserver/plugins/baseuser.py  | 152 -
 ipaserver/plugins/certmap.py   | 336 +
 ipaserver/plugins/stageuser.py |  16 +-
 ipaserver/plugins/user.py  |  23 ++-
 ipatests/test_ipapython/test_dn.py |  20 +++
 15 files changed, 794 insertions(+), 12 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..2bde577 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
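Review bot: the "System: Modify Certmap Rules" ACI lists `objectclass` in its write `targetattr`, which lets a holder of that permission change the object classes of a rule entry rather than only its rule attributes. Unless the certmap plugin needs to add or remove object classes on modify, drop `objectclass` from the write set and keep it only in the read ACI below it.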
@@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 

[Freeipa-devel] [freeipa PR#460][synchronized] [Py3] ipa-server-install, ipa-server-upgrade fixes

2017-02-13 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/460
Author: MartinBasti
 Title: #460: [Py3] ipa-server-install, ipa-server-upgrade fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/460/head:pr460
git checkout pr460
From 28e19fd55154ad588dffe09a208fa03e394e1dca Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 10 Feb 2017 17:05:02 +0100
Subject: [PATCH 1/8] py3: use ConfigParser instead of SafeConfigParser

DeprecationWarning: The SafeConfigParser class has been renamed
to ConfigParser in Python 3.2. This alias will be removed in
future versions. Use ConfigParser directly instead.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipalib/install/sysrestore.py | 6 +-
 ipaserver/install/installutils.py| 7 ++-
 ipaserver/install/ipa_backup.py  | 7 ++-
 ipaserver/install/ipa_replica_prepare.py | 7 ++-
 ipaserver/install/ipa_restore.py | 7 ++-
 ipaserver/install/server/upgrade.py  | 6 +-
 6 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/ipalib/install/sysrestore.py b/ipalib/install/sysrestore.py
index b1bf4b9..5c21956 100644
--- a/ipalib/install/sysrestore.py
+++ b/ipalib/install/sysrestore.py
@@ -31,7 +31,11 @@
 
 import six
 # pylint: disable=import-error
-from six.moves.configparser import SafeConfigParser
+if six.PY3:
+# The SafeConfigParser class has been renamed to ConfigParser in Py3
+from configparser import ConfigParser as SafeConfigParser
+else:
+from ConfigParser import SafeConfigParser
 # pylint: enable=import-error
 
 from ipaplatform.tasks import tasks
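Review bot: this five-line `if six.PY3:` / `else:` import block is repeated verbatim in every file this patch touches (`sysrestore.py`, `installutils.py`, `ipa_backup.py`, `ipa_replica_prepare.py`, `ipa_restore.py`), each time inside a `# pylint: disable=import-error` window. Put the conditional in one shared module and import `SafeConfigParser` from there, so the Python 2 branch can later be removed in a single place and the pylint suppression lives in one file.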
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index ab2596c..a774200 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -41,7 +41,12 @@
 import ldapurl
 import six
 # pylint: disable=import-error
-from six.moves.configparser import SafeConfigParser, NoOptionError
+if six.PY3:
+# The SafeConfigParser class has been renamed to ConfigParser in Py3
+from configparser import ConfigParser as SafeConfigParser
+else:
+from ConfigParser import SafeConfigParser
+from six.moves.configparser import NoOptionError
 # pylint: enable=import-error
 
 from ipalib.install import sysrestore
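Review bot: `NoOptionError` is still imported from `six.moves.configparser` right after the new conditional, so this file now reaches the same module through two mechanisms; import it in the same two branches as the parser class instead. Leading whitespace is not preserved in this copy of the patch, so also confirm that the `NoOptionError` line sits at module level and not under `else:`, where Python 3 would never bind the name.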
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index c11120b..1dd8044 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -23,8 +23,13 @@
 import time
 import pwd
 
+import six
 # pylint: disable=import-error
-from six.moves.configparser import SafeConfigParser
+if six.PY3:
+# The SafeConfigParser class has been renamed to ConfigParser in Py3
+from configparser import ConfigParser as SafeConfigParser
+else:
+from ConfigParser import SafeConfigParser
 # pylint: enable=import-error
 
 from ipaplatform.paths import paths
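Review bot: `import six` is added to this file only to choose between two import lines. A `try:` around `from configparser import ConfigParser as SafeConfigParser` with an `except ImportError:` fallback to `from ConfigParser import SafeConfigParser` selects the same class without the extra module-level import, and the same applies to the other files in this patch that gain `import six` for this check alone.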
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index e7070b6..8b24c39 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -30,8 +30,13 @@
 # pylint: enable=deprecated-module
 
 import dns.resolver
+import six
 # pylint: disable=import-error
-from six.moves.configparser import SafeConfigParser
+if six.PY3:
+# The SafeConfigParser class has been renamed to ConfigParser in Py3
+from configparser import ConfigParser as SafeConfigParser
+else:
+from ConfigParser import SafeConfigParser
 # pylint: enable=import-error
 
 from ipaserver.install import certs, installutils, bindinstance, dsinstance
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 89cf9e6..42dd03e 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -25,8 +25,13 @@
 import ldif
 import itertools
 
+import six
 # pylint: disable=import-error
-from six.moves.configparser import SafeConfigParser
+if six.PY3:
+# The SafeConfigParser class has been renamed to ConfigParser in Py3
+from configparser import ConfigParser as SafeConfigParser
+else:
+from ConfigParser import SafeConfigParser
 # pylint: enable=import-error
 
 from ipaclient.install.client import update_ipa_nssdb
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0e034ef..5413b48 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -15,7 +15,11 @@
 
 import six
 # pylint: disable=import-error
-from six.moves.configparser import SafeConfigParser
+if six.PY3:
+# The SafeConfigParser class has been renamed to ConfigParser in Py3
+from configparser import ConfigParser as SafeConfigParser
+else:
+from ConfigParser import SafeConfigParser
 # pylint: enable=import-error
 
 from ipalib import api

From a6b9b5aa2687160e113a37e369a20c1899032f5c Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: 

[Freeipa-devel] [freeipa PR#460][opened] [Py3] ipa-server-install, ipa-server-upgrade fixes

2017-02-13 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/460
Author: MartinBasti
 Title: #460: [Py3] ipa-server-install, ipa-server-upgrade fixes
Action: opened

PR body:
"""
ipa-server-install --setup-dns now works without BytesWarnings under python3, 
ipa-server-upgrade should work on IPA side but there are issues on pyldap side.

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/460/head:pr460
git checkout pr460
From 28e19fd55154ad588dffe09a208fa03e394e1dca Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 10 Feb 2017 17:05:02 +0100
Subject: [PATCH 1/8] py3: use ConfigParser instead of SafeConfigParser

DeprecationWarning: The SafeConfigParser class has been renamed
to ConfigParser in Python 3.2. This alias will be removed in
future versions. Use ConfigParser directly instead.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipalib/install/sysrestore.py | 6 +-
 ipaserver/install/installutils.py| 7 ++-
 ipaserver/install/ipa_backup.py  | 7 ++-
 ipaserver/install/ipa_replica_prepare.py | 7 ++-
 ipaserver/install/ipa_restore.py | 7 ++-
 ipaserver/install/server/upgrade.py  | 6 +-
 6 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/ipalib/install/sysrestore.py b/ipalib/install/sysrestore.py
index b1bf4b9..5c21956 100644
--- a/ipalib/install/sysrestore.py
+++ b/ipalib/install/sysrestore.py
@@ -31,7 +31,11 @@
 
 import six
 # pylint: disable=import-error
-from six.moves.configparser import SafeConfigParser
+if six.PY3:
+# The SafeConfigParser class has been renamed to ConfigParser in Py3
+from configparser import ConfigParser as SafeConfigParser
+else:
+from ConfigParser import SafeConfigParser
 # pylint: enable=import-error
 
 from ipaplatform.tasks import tasks
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index ab2596c..a774200 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -41,7 +41,12 @@
 import ldapurl
 import six
 # pylint: disable=import-error
-from six.moves.configparser import SafeConfigParser, NoOptionError
+if six.PY3:
+# The SafeConfigParser class has been renamed to ConfigParser in Py3
+from configparser import ConfigParser as SafeConfigParser
+else:
+from ConfigParser import SafeConfigParser
+from six.moves.configparser import NoOptionError
 # pylint: enable=import-error
 
 from ipalib.install import sysrestore
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index c11120b..1dd8044 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -23,8 +23,13 @@
 import time
 import pwd
 
+import six
 # pylint: disable=import-error
-from six.moves.configparser import SafeConfigParser
+if six.PY3:
+# The SafeConfigParser class has been renamed to ConfigParser in Py3
+from configparser import ConfigParser as SafeConfigParser
+else:
+from ConfigParser import SafeConfigParser
 # pylint: enable=import-error
 
 from ipaplatform.paths import paths
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index e7070b6..8b24c39 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -30,8 +30,13 @@
 # pylint: enable=deprecated-module
 
 import dns.resolver
+import six
 # pylint: disable=import-error
-from six.moves.configparser import SafeConfigParser
+if six.PY3:
+# The SafeConfigParser class has been renamed to ConfigParser in Py3
+from configparser import ConfigParser as SafeConfigParser
+else:
+from ConfigParser import SafeConfigParser
 # pylint: enable=import-error
 
 from ipaserver.install import certs, installutils, bindinstance, dsinstance
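Review bot: The in-code comment "renamed to ConfigParser in Py3" leaves out what the commit message states, namely that the rename happened in Python 3.2 and that the `SafeConfigParser` alias is deprecated and due for removal. Put that in the comment, together with a note that the `else:` branch exists only for Python 2, so the reason for the shim is visible where the code is read.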
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 89cf9e6..42dd03e 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -25,8 +25,13 @@
 import ldif
 import itertools
 
+import six
 # pylint: disable=import-error
-from six.moves.configparser import SafeConfigParser
+if six.PY3:
+# The SafeConfigParser class has been renamed to ConfigParser in Py3
+from configparser import ConfigParser as SafeConfigParser
+else:
+from ConfigParser import SafeConfigParser
 # pylint: enable=import-error
 
 from ipaclient.install.client import update_ipa_nssdb
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0e034ef..5413b48 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -15,7 +15,11 @@
 
 import six
 # pylint: disable=import-error
-from six.moves.configparser import SafeConfigParser
+if six.PY3:
+# The SafeConfigParser class has been renamed to ConfigParser in Py3
+from configparser import ConfigParser as SafeConfigParser
+else:
+from ConfigParser import SafeConfigParser
 # 

[Freeipa-devel] [bind-dyndb-ldap PR#9][comment] Remove duplicate const declaration specifier

2017-02-13 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9
Title: #9: Remove duplicate const declaration specifier

tomaskrizek commented:
"""
@pemensik Hi, could you please take a look at this PR and ACK?

It's just a typo that was preventing a build on fedora rawhide due to some 
warnings.
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/9#issuecomment-279451102

[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping

2017-02-13 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
 Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398
From 35263ec9625865eb2e786cbedf412d11d92c73f5 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt|  16 +-
 API.txt| 181 
 VERSION.m4 |   4 +-
 install/share/73certmap.ldif   |  16 ++
 install/share/Makefile.am  |   1 +
 install/updates/73-certmap.update  |  27 +++
 install/updates/Makefile.am|   1 +
 ipalib/constants.py|   4 +
 ipapython/dn.py|  17 +-
 ipaserver/install/dsinstance.py|   1 +
 ipaserver/plugins/baseuser.py  | 158 -
 ipaserver/plugins/certmap.py   | 336 +
 ipaserver/plugins/stageuser.py |  16 +-
 ipaserver/plugins/user.py  |  23 ++-
 ipatests/test_ipapython/test_dn.py |  20 +++
 15 files changed, 809 insertions(+), 12 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..2bde577 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
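Review bot: The two new read permissions, "System: Read Certmap Configuration" and "System: Read Certmap Rules", are granted to `ldap:///all`, so every bound user can read `ipacertmapmaprule` and `ipacertmapmatchrule`. If only the components that evaluate the rules need them, scope the read to a group the way the Add, Delete and Modify permissions in this hunk do; if broad read access is intended, say so in the commit message. Separately, "System: Modify Certmap Rules" lists `objectclass` among its writable attributes, which lets a holder of that permission change the entry's object classes; drop it unless a command needs it.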
@@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-13 Thread lslebodn
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (13/02/17 05:05), Christian Heimes wrote:
>I'm following the development principles of **minimum viable product**. This 
>PR solves a critical use case for me. With the PR I can build FreeIPA client 
>packages in a lean and clean build container. Without the 
>```--disable-server``` flag I'm forced to bloat my build env with lots of 
>additional dependencies and then throw away all the extra stuff.
>

My comments are about the semantics of this option.
`--disable-server` should disable all parts which depend on the server.

I know that your use case is a little bit different but I do not like
misuse of `--disable-server` for different use-cases (from a semantic POV)

That's the reason why I proposed a compromise/alternative solution
for installing `ipatests` which needn't be tied together
with `--disable-server`.

>My changes don't solve https://fedorahosted.org/freeipa/ticket/6517 to its 
>full extent. The PR provides enough of 
>https://fedorahosted.org/freeipa/ticket/6517 to enable me to finish some time 
>critical as soon as possible. RPM packaging changes and ipatests improvements 
>for client-only builds can be implemented another time. I consider these 
>changes sugar coating (aka stretch goals).
>

One more time; it will be solved with my proposed change to `ipatests`
+ small tweak to spec file (due to python2/3 changes)

That is exactly how I tested it. A little bit hacky way but works
for testing: https://paste.fedoraproject.org/556868/48699519

LS

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-279405767

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

2017-02-13 Thread redhatrises
  URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

redhatrises commented:
"""
@MartinBasti I believe that this is ready for your review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/444#issuecomment-279404707

[Freeipa-devel] [bind-dyndb-ldap PR#9][opened] Remove duplicate const declaration specifier

2017-02-13 Thread tomaskrizek
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9
Author: tomaskrizek
 Title: #9: Remove duplicate const declaration specifier
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/9/head:pr9
git checkout pr9
From 7444264b2bbf2c8920a2fb76740995e73c07919f Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Thu, 9 Feb 2017 17:52:59 +0100
Subject: [PATCH] Remove duplicate const declaration specifier

---
 src/ldap_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 5de9f69..1fa0ec9 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -2349,7 +2349,7 @@ free_rdatalist(isc_mem_t *mctx, dns_rdatalist_t *rdlist)
  * @retval  others Unexpected errors.
  */
 static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
-ldap_substitute_rr_template(isc_mem_t *mctx, const settings_set_t const * set,
+ldap_substitute_rr_template(isc_mem_t *mctx, const settings_set_t * set,
 			ld_string_t *orig_val, ld_string_t **output) {
 	isc_result_t result;
 	regex_t regex;
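Review bot: The commit message has no body, so the log does not record why the specifier was dropped or which compiler warning it caused; add a line naming the warning. Also check which `const` was the typo in the `set` parameter: if the intent was a constant pointer to constant settings, the fix is `const settings_set_t * const set` rather than removing the second qualifier.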

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-13 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
I'm following the development principles of **minimum viable product**. This PR 
solves a critical use case for me. With the PR I can build FreeIPA client 
packages in a lean and clean build container. Without the 
```--disable-server``` flag I'm forced to bloat my build env with lots of 
additional dependencies and then throw away all the extra stuff.

My changes don't solve https://fedorahosted.org/freeipa/ticket/6517 to its full 
extent. The PR provides enough of https://fedorahosted.org/freeipa/ticket/6517 
to enable me to finish some time critical as soon as possible. RPM packaging 
changes and ipatests improvements for client-only builds can be implemented 
another time. I consider these changes sugar coating (aka stretch goals).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-279387199

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-13 Thread lslebodn
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (13/02/17 04:32), Christian Heimes wrote:
>No, the test runner should either detect missing packages and skip tests 
>automatically, or should grow an option to load and execute client tests only. 
>It's a separate issue.
>

I have a different opinion. It is not a separate issue.
For me, the name of the configure option is crystal clear.
It should not install anything related to the daemon part, even though it is a test.

Maybe we can add another option to install tests (--with-tests?? +default yes)
It would work for your use-case and still allow old `CLIENT_ONLY` build
(equivalent to 4.4)

Or you can propose another compromise.

LS

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-279381495

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-13 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
No, the test runner should either detect missing packages and skip tests 
automatically, or should grow an option to load and execute client tests only. 
It's a separate issue.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-279376400

[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder

2017-02-13 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

tiran commented:
"""
```curl url | python -m json.tool```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/459#issuecomment-279375693

[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder

2017-02-13 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

pvoborni commented:
"""
It's usually quicker to read raw response in browser than the folded "preview" 
because everything is visible and no clicking is required. Same for curl 
testing. But for curl I can imagine piping it to some tool. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/459#issuecomment-279370915

[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder

2017-02-13 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

abbra commented:
"""
Right, as long as the ipa CLI is capable of printing formatted debug output, that's 
enough.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/459#issuecomment-279369801

[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder

2017-02-13 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

tiran commented:
"""
Why would you want to sort or indent the raw output? The extra verbose output 
of ```ipa``` just loads and dumps the output a second time. It's less efficient 
but who cares about minor efficiency issues of a debug feature? For browser 
testing, any web developer tool will give you nicely formatted JSON, too.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/459#issuecomment-279368825

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-13 Thread lslebodn
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (13/02/17 03:56), Christian Heimes wrote:
>Two reasons
>
>1. ```make install```
>2. I need ipatests to be part of the build process in order to get a Python 
>package for tox later.
>

OK, thank you for explanation.

Then we should install just tests from directory `ipatests`
which does not require daemon for execution.

LS

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-279368656

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-13 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
Two reasons

1. ```make install```
2. I need ipatests to be part of the build process in order to get a Python 
package for tox later.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-279367184

[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder

2017-02-13 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

pvoborni commented:
"""
Is there a way (I did not read changes thoroughly) to enable sorting and 
indentation, e.g. for testing purposes?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/459#issuecomment-279365267

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-13 Thread lslebodn
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (13/02/17 03:08), Christian Heimes wrote:
>Packaging is a different issue. The PR does not provide RPM packaging for 
>client-only build. It merely implements configuration and building without 
>server components.
>

I mentioned old version of `CLIENT_ONLY` build because I consider it
as a referential implementation. And `ipa tests` were not installed in 4.4
for client only build.


>For client-only builds I need ipatests to run part of the test suite to verify 
>client code. Test suites ```test_ipapython, test_ipalib, test_pkcs10``` 
>without ```test_ipalib.test_rpc``` work without ```ipaserver```.
>

I expected a little bit more details.

Do you need to run `make install` and then run tests in installed directory?
Or how do you want to "run part of the test suite".

Because if you needn't run "make install" for your use-case then
my proposed patch would work.

BTW `ipatests` will still be part of tarball and/or git. You can run them
even though they will not be installed with `make install`

LS

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-279362399

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-13 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
Packaging is a different issue. The PR does not provide RPM packaging for 
client-only build. It merely implements configuration and building without 
server components.

For client-only builds I need ipatests to run part of the test suite to verify 
client code. Test suites ```test_ipapython, test_ipalib, test_pkcs10``` without 
```test_ipalib.test_rpc``` work without ```ipaserver```.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-279357147

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-13 Thread lslebodn
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (13/02/17 01:25), Christian Heimes wrote:
>@lslebodn it works even better without your proposed changes. Parts of 
>```ipatests``` work fine for ```--disable-server``` builds. I need the package 
>to run tests.
>

The old version (4.4) of `CLIENT_ONLY` build did not package
ipatests.

Could you describe a reason/use-case for installing `ipatests`
without server?

LS

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-279349836

[Freeipa-devel] [freeipa PR#459][synchronized] [WIP] Faster JSON encoder/decoder

2017-02-13 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/459
Author: tiran
 Title: #459: [WIP] Faster JSON encoder/decoder
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/459/head:pr459
git checkout pr459
From e685e106dbcfb54d1651c97d6a07a17c3417127f Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 13 Feb 2017 09:46:39 +0100
Subject: [PATCH 1/2] Faster JSON encoder/decoder

Improve performance of FreeIPA's JSON serializer and deserializer.

* Don't indent and sort keys. Both options trigger a slow path in
  Python's json package. Without indention and sorting, encoding
  mostly happens in optimized C code.
* Replace O(n) type checks with O(1) type lookup and eliminate
  the use of isinstance().
* Check each client capability only once for every conversion.
* Use decoder's obj_hook feature to traverse the object tree once and
  to eliminate calls to isinstance().

Closes: https://fedorahosted.org/freeipa/ticket/6655
Signed-off-by: Christian Heimes 
---
 ipalib/rpc.py  | 211 +++--
 ipaserver/rpcserver.py |   7 +-
 2 files changed, 134 insertions(+), 84 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 7d9f6ec..6cad397 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -51,7 +51,7 @@
 from ipalib.backend import Connectible
 from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
 from ipalib.errors import (public_errors, UnknownError, NetworkError,
-KerberosError, XMLRPCMarshallError, JSONError, ConversionError)
+KerberosError, XMLRPCMarshallError, JSONError)
 from ipalib import errors, capabilities
 from ipalib.request import context, Connection
 from ipapython.ipa_log_manager import root_logger
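Review bot: `ConversionError` is dropped from the `ipalib.errors` import list here; check that nothing in `ipalib/rpc.py` outside the hunks shown still uses the bare name, and if the decoder used to raise it for malformed input, state in the commit message what callers receive instead.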
@@ -274,67 +274,140 @@ def xml_dumps(params, version, methodname=None, methodresponse=False,
 )
 
 
-def json_encode_binary(val, version):
-'''
-   JSON cannot encode binary values. We encode binary values in Python str
-   objects and text in Python unicode objects. In order to allow a binary
-   object to be passed through JSON we base64 encode it thus converting it to
-   text which JSON can transport. To assure we recognize the value is a base64
-   encoded representation of the original binary value and not confuse it with
-   other text we convert the binary value to a dict in this form:
-
-   {'__base64__' : base64_encoding_of_binary_value}
-
-   This modification of the original input value cannot be done "in place" as
-   one might first assume (e.g. replacing any binary items in a container
-   (e.g. list, tuple, dict) with the base64 dict because the container might be
-   an immutable object (i.e. a tuple). Therefore this function returns a copy
-   of any container objects it encounters with tuples replaced by lists. This
-   is O.K. because the JSON encoding will map both lists and tuples to JSON
-   arrays.
-   '''
-
-if isinstance(val, dict):
-new_dict = {}
-for k, v in val.items():
-new_dict[k] = json_encode_binary(v, version)
-return new_dict
-elif isinstance(val, (list, tuple)):
-new_list = [json_encode_binary(v, version) for v in val]
-return new_list
-elif isinstance(val, bytes):
-encoded = base64.b64encode(val)
-if not six.PY2:
-encoded = encoded.decode('ascii')
-return {'__base64__': encoded}
-elif isinstance(val, Decimal):
-return unicode(val)
-elif isinstance(val, DN):
-return str(val)
-elif isinstance(val, datetime.datetime):
-if capabilities.client_has_capability(version, 'datetime_values'):
+class _JSONConverter(dict):
+__slots__ = ('version', '_cap_datetime', '_cap_dnsname')
+
+_identity = object()
+
+def __init__(self, version, _identity=_identity):
+super(_JSONConverter, self).__init__()
+self.version = version
+self._cap_datetime = None
+self._cap_dnsname = None
+self.update({
+unicode: _identity,
+bool: _identity,
+type(None): _identity,
+float: _identity,
+Decimal: unicode,
+DN: str,
+Principal: unicode,
+DNSName: self._enc_dnsname,
+datetime.datetime: self._enc_datetime,
+bytes: self._enc_bytes,
+list: self._enc_list,
+tuple: self._enc_list,
+dict: self._enc_dict,
+})
+# int, long
+for t in six.integer_types:
+self[t] = _identity
+
+def __missing__(self, typ):
+# walk MRO to find best match
+for c in typ.__mro__:
+if c in self:
+self[typ] = self[c]
+return self[c]
+# use issubclass to check for registered ABCs
+for c in self:
+if issubclass(typ, c):
+self[typ] = self[c]
+return 
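Review bot: in `__missing__`, the fallback loop `for c in self: if issubclass(typ, c):` inserts into the dict it is iterating (`self[typ] = self[c]`), which is only safe because of the return that follows immediately, and the entry it picks depends on dict iteration order. A type that is a virtual subclass of two registered keys could therefore be encoded differently from one run to the next. Every key registered in `__init__` is a concrete class, which the MRO walk above already resolves, so please name the ABCs this loop is meant to catch in the comment, or drop it and raise TypeError for unknown types.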

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-13 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
@lslebodn it works even better without your proposed changes. Parts of 
```ipatests``` work fine for ```--disable-server``` builds. I need the package 
to run tests.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-279333838

[Freeipa-devel] [freeipa PR#459][edited] [WIP] Faster JSON encoder/decoder

2017-02-13 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/459
Author: tiran
 Title: #459: [WIP] Faster JSON encoder/decoder
Action: edited

 Changed field: title
Original value:
"""
Faster JSON encoder/decoder
"""


[Freeipa-devel] [freeipa PR#459][opened] Faster JSON encoder/decoder

2017-02-13 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/459
Author: tiran
 Title: #459: Faster JSON encoder/decoder
Action: opened

PR body:
"""
Improve performance of FreeIPA's JSON serializer and deserializer.

* Don't indent and sort keys. Both options trigger a slow path in
  Python's json package. Without indention and sorting, encoding
  mostly happens in optimized C code.
* Replace O(n) type checks with O(1) type lookup and eliminate
  the use of isinstance().
* Check each client capability only once for every conversion.
* Use decoder's obj_hook feature to traverse the object tree once and
  to eliminate calls to isinstance().

Closes: https://fedorahosted.org/freeipa/ticket/6655
Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/459/head:pr459
git checkout pr459
From d00d547d0024fe5712a33ccabcd5c03564b10223 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 13 Feb 2017 09:46:39 +0100
Subject: [PATCH] Faster JSON encoder/decoder

Improve performance of FreeIPA's JSON serializer and deserializer.

* Don't indent and sort keys. Both options trigger a slow path in
  Python's json package. Without indention and sorting, encoding
  mostly happens in optimized C code.
* Replace O(n) type checks with O(1) type lookup and eliminate
  the use of isinstance().
* Check each client capability only once for every conversion.
* Use decoder's obj_hook feature to traverse the object tree once and
  to eliminate calls to isinstance().

Closes: https://fedorahosted.org/freeipa/ticket/6655
Signed-off-by: Christian Heimes 
---
 ipalib/rpc.py  | 209 +++--
 ipaserver/rpcserver.py |   6 +-
 2 files changed, 133 insertions(+), 82 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 7d9f6ec..25abc7f 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -274,67 +274,140 @@ def xml_dumps(params, version, methodname=None, methodresponse=False,
 )
 
 
-def json_encode_binary(val, version):
-'''
-   JSON cannot encode binary values. We encode binary values in Python str
-   objects and text in Python unicode objects. In order to allow a binary
-   object to be passed through JSON we base64 encode it thus converting it to
-   text which JSON can transport. To assure we recognize the value is a base64
-   encoded representation of the original binary value and not confuse it with
-   other text we convert the binary value to a dict in this form:
-
-   {'__base64__' : base64_encoding_of_binary_value}
-
-   This modification of the original input value cannot be done "in place" as
-   one might first assume (e.g. replacing any binary items in a container
-   (e.g. list, tuple, dict) with the base64 dict because the container might be
-   an immutable object (i.e. a tuple). Therefore this function returns a copy
-   of any container objects it encounters with tuples replaced by lists. This
-   is O.K. because the JSON encoding will map both lists and tuples to JSON
-   arrays.
-   '''
-
-if isinstance(val, dict):
-new_dict = {}
-for k, v in val.items():
-new_dict[k] = json_encode_binary(v, version)
-return new_dict
-elif isinstance(val, (list, tuple)):
-new_list = [json_encode_binary(v, version) for v in val]
-return new_list
-elif isinstance(val, bytes):
-encoded = base64.b64encode(val)
-if not six.PY2:
-encoded = encoded.decode('ascii')
-return {'__base64__': encoded}
-elif isinstance(val, Decimal):
-return unicode(val)
-elif isinstance(val, DN):
-return str(val)
-elif isinstance(val, datetime.datetime):
-if capabilities.client_has_capability(version, 'datetime_values'):
+class _JSONConverter(dict):
+__slots__ = ('version', '_cap_datetime', '_cap_dnsname')
+
+_identity = object()
+
+def __init__(self, version, _identity=_identity):
+super(_JSONConverter, self).__init__()
+self.version = version
+self._cap_datetime = None
+self._cap_dnsname = None
+self.update({
+unicode: _identity,
+bool: _identity,
+type(None): _identity,
+float: _identity,
+Decimal: unicode,
+DN: str,
+Principal: unicode,
+DNSName: self._enc_dnsname,
+datetime.datetime: self._enc_datetime,
+bytes: self._enc_bytes,
+list: self._enc_list,
+tuple: self._enc_list,
+dict: self._enc_dict,
+})
+# int, long
+for t in six.integer_types:
+self[t] = _identity
+
+def __missing__(self, typ):
+# walk MRO to find best match
+for c in typ.__mro__:
+if c in self:
+self[typ] = self[c]
+return self[c]
+# use 
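Review bot: the docstring removed with json_encode_binary was the only text in this hunk documenting the wire format (`{'__base64__' : base64_encoding_of_binary_value}`) and why containers are copied with tuples turned into lists, and `_JSONConverter` is added without any docstring. Please carry that explanation over to the class. It should also say that `_identity` is a bare `object()` sentinel stored next to real callables such as `unicode` and `str`, so code reading the table has to test `is _identity` before calling an entry.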

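The type-table encoding and one-pass `object_hook` decoding described in the PR body above, as an added Python 3 example that is not FreeIPA's code. `TypeTable`, `make_encoder`, `decode_hook` and `roundtrip` are hypothetical names, and the hook's rule that only a single-key `__base64__` object counts as binary is an assumption of this example.

```python
import base64
import json
from decimal import Decimal


class TypeTable(dict):
    """Map exact types to encoder callables; resolve subclasses once via the MRO."""

    def __missing__(self, typ):
        for base in typ.__mro__:
            if base in self:
                self[typ] = self[base]  # cache, so the next lookup is a plain dict hit
                return self[base]
        # Unknown types fail loudly instead of being passed through unencoded.
        raise TypeError("cannot encode %r" % typ)


def make_encoder():
    """Build one table per conversion and return the recursive encode function."""
    table = TypeTable()

    def enc(val):
        return table[type(val)](val)

    def same(val):
        return val

    table.update({
        str: same, bool: same, int: same, float: same, type(None): same,
        Decimal: str,
        bytes: lambda v: {"__base64__": base64.b64encode(v).decode("ascii")},
        list: lambda v: [enc(i) for i in v],
        tuple: lambda v: [enc(i) for i in v],
        dict: lambda v: {k: enc(i) for k, i in v.items()},
    })
    return enc


def decode_hook(obj):
    # json.loads calls this once per decoded JSON object, innermost first,
    # so no second walk over the tree is needed.
    if len(obj) == 1 and "__base64__" in obj:  # assumption: single-key marker only
        return base64.b64decode(obj["__base64__"])
    return obj


def roundtrip(value):
    # No indent and no sort_keys, as the PR body recommends.
    wire = json.dumps(make_encoder()(value), separators=(",", ":"))
    return wire, json.loads(wire, object_hook=decode_hook)
```

Tuples come back as lists and `Decimal` as text, which matches what the removed docstring says about JSON arrays.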
[Freeipa-devel] [freeipa PR#445][+ack] Remove is_fips_enabled checks in installers and ipactl

2017-02-13 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/445
Title: #445: Remove is_fips_enabled checks in installers and ipactl

Label: +ack