[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping

2017-02-15 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

flo-renaud commented:
"""
PR updated with the check on domain in certmaprule-add/mod.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/398#issuecomment-280152942
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping

2017-02-15 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
 Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398
From ab4f03f6e85d44160eec148afe83d0549c5f66bb Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt|  16 +-
 API.txt| 181 +
 VERSION.m4 |   4 +-
 install/share/73certmap.ldif   |  16 ++
 install/share/Makefile.am  |   1 +
 install/updates/73-certmap.update  |  27 +++
 install/updates/Makefile.am|   1 +
 ipalib/constants.py|   4 +
 ipapython/dn.py|   8 +-
 ipaserver/install/dsinstance.py|   1 +
 ipaserver/plugins/baseuser.py  | 165 +++-
 ipaserver/plugins/certmap.py   | 396 +
 ipaserver/plugins/stageuser.py |  16 +-
 ipaserver/plugins/user.py  |  23 ++-
 ipatests/test_ipapython/test_dn.py |  20 ++
 15 files changed, 866 insertions(+), 13 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..2bde577 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all";;)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all";;)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
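Review bot: "System: Modify Certmap Rules" grants write on `objectclass`, while the neighbouring "System: Modify CA ACL" ACI does not; unless certmaprule-mod has to add or remove object classes on a rule entry (for example to attach `ipaenabledflag` or `associateddomain` lazily), drop `objectclass` from that targetattr so the permission stays minimal. The two read ACIs use `userdn = "ldap:///all"`, i.e. any authenticated bind, for both the configuration entry and the rule entries; that matches the existing "Read CA ACLs" pattern above and is what SSSD on enrolled clients needs, but it does mean every enrolled host and user can read the match and map rules, which is worth a sentence on the design page.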
@@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = 
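Review bot: this second ACI.txt hunk, the cn=users container, is cut off after `aci: (targetattr = ` in this message, so the user-entry side of the permission change cannot be reviewed here; the diffstat counts 16 changed lines in ACI.txt and only 12 of them are in the first hunk. Please check in the PR itself which attributes are added to the user read/modify ACIs and that they are not readable by more principals than the certmap rules themselves.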

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-15 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

stlaz commented:
"""
I would put broken KRA cert migration to lowest priority since 
https://github.com/freeipa/freeipa/pull/367 moves the original KRA cert anyway.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-280078231

[Freeipa-devel] [freeipa PR#450][closed] Add FIPS-token password of HTTPD NSS database

2017-02-15 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/450
Author: stlaz
 Title: #450: Add FIPS-token password of HTTPD NSS database
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/450/head:pr450
git checkout pr450

[Freeipa-devel] [freeipa PR#450][+pushed] Add FIPS-token password of HTTPD NSS database

2017-02-15 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/450
Title: #450: Add FIPS-token password of HTTPD NSS database

Label: +pushed

[Freeipa-devel] [freeipa PR#450][comment] Add FIPS-token password of HTTPD NSS database

2017-02-15 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/450
Title: #450: Add FIPS-token password of HTTPD NSS database

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/0b9b6b52d7f2e64a52ef8fd570839711311fa254
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/450#issuecomment-280068549

[Freeipa-devel] [freeipa PR#459][comment] Faster JSON encoder/decoder

2017-02-15 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: Faster JSON encoder/decoder

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/8159c2883bf66980582d1227c364df4e592bdd7e
https://fedorahosted.org/freeipa/changeset/b12b1e4c0b19a84ccffcc702ab608d818382a697
https://fedorahosted.org/freeipa/changeset/3cac0378e94efc2ee1070eff2984eb1147bcf463
https://fedorahosted.org/freeipa/changeset/2ff07b958079e5a8972b2e7a06881521361746cc
https://fedorahosted.org/freeipa/changeset/1d7fcfe15d279e50d9ac29464a30f8e594db1802
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/459#issuecomment-280060193

[Freeipa-devel] [freeipa PR#407][comment] New lite-server implementation

2017-02-15 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/407
Title: #407: New lite-server implementation

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ff6e701b0077d9c8e2aacdcaecf70f885018db92
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/407#issuecomment-280061023

[Freeipa-devel] [freeipa PR#407][closed] New lite-server implementation

2017-02-15 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/407
Author: tiran
 Title: #407: New lite-server implementation
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/407/head:pr407
git checkout pr407

[Freeipa-devel] [freeipa PR#407][+pushed] New lite-server implementation

2017-02-15 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/407
Title: #407: New lite-server implementation

Label: +pushed

[Freeipa-devel] [freeipa PR#459][closed] Faster JSON encoder/decoder

2017-02-15 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/459
Author: tiran
 Title: #459: Faster JSON encoder/decoder
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/459/head:pr459
git checkout pr459

[Freeipa-devel] [freeipa PR#459][+pushed] Faster JSON encoder/decoder

2017-02-15 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: Faster JSON encoder/decoder

Label: +pushed

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-15 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

MartinBasti commented:
"""
@pvoborni this is the way it is tested by QA, so that's why I added this 
kind of test upstream. I disagree that `b)` is not supported. It is just 
an emulation of the case when a user ruined the kerberos keytabs and service configuration 
and one needs to restore a backup on the installed server.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280059134

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-15 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

martbab commented:
"""
@rcritten I apologize for sounding rude. I misread your comment and interpreted 
it differently than intended.

That said, if the restore to a running IPA server is not intended to be 
supported, why do we have a number of tests for this scenario?  I have tried to 
find some discussion in the design page you posted but did not find any 
discussion of restore into running server, only the steps taken.

@tiran I tend to agree with you now. It seemed like a good idea to purge 
ccaches in the unit file when we switched from KEYRING: to FILE: for apache. 
However the restore use-case is not the only one which can result in a stale 
ccache; I can also think of requesting a new Apache keytab, restarting the 
service and being left with a stale ccache and key mismatch again.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280056786

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-15 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

pvoborni commented:
"""
And AFAIK b) is not supported.  @martbab , does something indicate otherwise?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280056255

[Freeipa-devel] [freeipa PR#450][+ack] Add FIPS-token password of HTTPD NSS database

2017-02-15 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/450
Title: #450: Add FIPS-token password of HTTPD NSS database

Label: +ack

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-15 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

tiran commented:
"""
I'm with @rcritten .

If we need to clean up / remove some files during a restore, then these 
clean-ups should be handled by ```ipa-restore```. The service files are IMHO 
the wrong place.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280050792

[Freeipa-devel] Password generation in FreeIPA Python modules

2017-02-15 Thread Standa Laznicka

Hello,

Please don't use any ad-hoc cruft when generating passwords throughout 
IPA if not really, really necessary. We have a nice refreshed password 
generator, `ipapython.ipautil.ipa_generate_password()`, whose default config 
does the work for you. It also by default generates passwords 
compatible with NSS requirements for FIPS (see 
https://dxr.mozilla.org/nss/source/nss/lib/softoken/fipstokn.c#97 for 
details).


Thanks!
Standa

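As an added example, not text from the post and not FreeIPA's own `ipa_generate_password()` implementation, here is a generator paired with a checker that encodes the NSS FIPS-token PIN rules as I read them from `sftk_newPinCheck()` in the fipstokn.c file the post links: at least 7 characters, characters from at least three of five classes (digit, ASCII lowercase, ASCII uppercase, ASCII non-alphanumeric, non-ASCII), and an uppercase letter in the first position or a digit in the last position not counted toward its class. That rule set, the `FIPS_MIN_PIN` constant and the `SPECIAL` alphabet are this example's assumptions; inside IPA, use `ipa_generate_password()` as the post asks.

```python
"""Password generation that satisfies the NSS FIPS-token PIN rules.

Added example; the rules below are my reading of sftk_newPinCheck() in
nss/lib/softoken/fipstokn.c and are an assumption of this example, not
code or text from the FreeIPA project.
"""
import secrets
import string

FIPS_MIN_PIN = 7  # assumed minimum PIN length enforced by the NSS FIPS token

DIGITS = string.digits
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
# ASCII punctuation chosen to be safe on a command line and in LDIF
# (no quotes, backslash, backtick, '#' or whitespace). Assumed alphabet.
SPECIAL = "!$%&()*+,-./:;<=>?@[]^_{|}~"


def nss_fips_pin_check(pin: str) -> bool:
    """Return True if `pin` would pass the NSS FIPS-token PIN rules.

    * at least FIPS_MIN_PIN characters;
    * characters from at least 3 of 5 classes: digit, ASCII lowercase,
      ASCII uppercase, ASCII non-alphanumeric, non-ASCII;
    * an uppercase letter in the first position and a digit in the last
      position do not count toward their class.
    """
    if len(pin) < FIPS_MIN_PIN:
        return False
    counts = {"digit": 0, "lower": 0, "upper": 0, "nonalnum": 0, "nonascii": 0}
    last = len(pin) - 1
    for i, ch in enumerate(pin):
        if ord(ch) > 0x7F:
            counts["nonascii"] += 1
        elif ch.isdigit():
            if i != last:            # trailing digit is not counted
                counts["digit"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isupper():
            if i != 0:               # leading uppercase is not counted
                counts["upper"] += 1
        else:
            counts["nonalnum"] += 1  # any other ASCII byte, including space
    return sum(1 for n in counts.values() if n) >= 3


def generate_fips_password(length: int = 22, special: str = SPECIAL) -> str:
    """Generate a CSPRNG password that passes nss_fips_pin_check().

    One character is drawn from each of the four ASCII classes so the
    three-class rule always holds; the rest is drawn from the union; the
    list is shuffled with os.urandom-backed randomness; a draw that trips
    the first/last-position rule is simply re-drawn.
    """
    if length < FIPS_MIN_PIN:
        raise ValueError("length must be at least %d" % FIPS_MIN_PIN)
    classes = (DIGITS, LOWER, UPPER, special)
    alphabet = "".join(classes)
    rng = secrets.SystemRandom()
    while True:
        chars = [secrets.choice(cls) for cls in classes]
        chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if nss_fips_pin_check(candidate):
            return candidate


if __name__ == "__main__":
    pw = generate_fips_password()
    print(pw, nss_fips_pin_check(pw))
```

The position rule is the part ad-hoc generators usually miss: "Passw0rd" has three classes by a naive count but fails the token check, because the leading "P" does not count and only lowercase and digit remain.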


[Freeipa-devel] [freeipa PR#459][+ack] Faster JSON encoder/decoder

2017-02-15 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: Faster JSON encoder/decoder

Label: +ack

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-15 Thread rcritten
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

rcritten commented:
"""
Rudeness is not necessary.

You said:

"As to why a) we backup Kerberos keys, and b) support restoring into running 
IPA server that is beyond me."

The reason for a) is to restore an exact copy of what was backed up. 

As for b, the idea of restoring into a running IPA server to replace the 
existing install with a new one is something I discuss in some detail at 
http://www.freeipa.org/page/V3/Backup_and_Restore and outline the ton of 
problems associated with it. It was never intended to be supported due to these 
issues.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280049816

[Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check

2017-02-15 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
 Title: #437: FIPS: replica install check
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/437/head:pr437
git checkout pr437
From 0db599ed71fbabcaacff0082eb369b2a737df866 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 13:08:11 +0100
Subject: [PATCH 1/5] Add fips_mode variable to env

Variable fips_mode indicating whether machine is running in
FIPS-enabled mode was added to env.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..c7caeef 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -44,6 +44,10 @@
 from ipalib.constants import CONFIG_SECTION
 from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
 from ipalib import errors
+try:
+from ipaplatform.tasks import tasks
+except ImportError:
+tasks = None
 
 if six.PY3:
 unicode = str
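Review bot: catching only ImportError around `from ipaplatform.tasks import tasks` is the right shape, but add a one-line comment saying why the import is allowed to fail (ipaplatform is not available to every consumer of ipalib); without it the `tasks = None` fallback reads like dead code and the next person will "clean it up".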
@@ -440,6 +444,10 @@ def _bootstrap(self, **overrides):
 self.bin = path.dirname(self.script)
 self.home = os.environ.get('HOME', None)
 
+# Set fips_mode only if ipaplatform module was loaded
+if tasks is not None:
+self.fips_mode = tasks.is_fips_enabled()
+
 # Merge in overrides:
 self._merge(**overrides)
 

From 1a8d34da39090d948447d8cb355d01513c434bdf Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 8 Feb 2017 16:53:44 +0100
Subject: [PATCH 2/5] test_config: fix tests for env.fips_mode

Add optional key fips_mode to Env object in tests.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipatests/test_ipalib/test_config.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipatests/test_ipalib/test_config.py b/ipatests/test_ipalib/test_config.py
index 1df9a39..53b60ef 100644
--- a/ipatests/test_ipalib/test_config.py
+++ b/ipatests/test_ipalib/test_config.py
@@ -562,6 +562,7 @@ def test_finalize_core(self):
 
 # Test using DEFAULT_CONFIG:
 defaults = dict(constants.DEFAULT_CONFIG)
+defaults['fips_mode'] = object
 (o, home) = self.finalize_core(None, **defaults)
 assert list(o) == sorted(defaults)
 for (key, value) in defaults.items():
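Review bot: using the `object` type as the default for `fips_mode` is an opaque sentinel that says nothing about what the value means; `None` ("not determined") documents the intent and is also what a host without ipaplatform should see if the env attribute is always set. A reader of this test otherwise has to guess why a bare class is being used as a configuration value.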

From 5c3bab0961e871dd332fd89a2e876ed2deeed803 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 17:17:49 +0100
Subject: [PATCH 3/5] check_remote_version: update exception and docstring

Refactor function to use ScriptError exception and provide docstring.
---
 ipaserver/install/server/replicainstall.py | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 0d3a69f..783a716 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -512,6 +512,13 @@ def promote_openldap_conf(hostname, master):
 
 
 def check_remote_version(api):
+"""
+Perform a check to verify remote server's version
+
+:param api: remote API
+
+:raises: ``ScriptError`` if the checks fails
+"""
 client = rpc.jsonclient(api)
 client.finalize()
 
@@ -524,7 +531,7 @@ def check_remote_version(api):
 remote_version = parse_version(env['version'])
 api_version = parse_version(api.env.version)
 if remote_version > api_version:
-raise RuntimeError(
+raise ScriptError(
 "Cannot install replica of a server of higher version ({}) than"
 "the local version ({})".format(remote_version, api_version))
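Review bot: the error message concatenates two string literals without a separating space, so it renders as "... higher version (x) thanthe local version (y)": `"... than"` is immediately followed by `"the local version ({})"`. Add a trailing space to the first literal. Also confirm that `ScriptError` is imported in replicainstall.py; this hunk does not show the import.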
 

From e5bc6ff9cfee1f4686b2ead0ab05e2650379d738 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 7 Feb 2017 10:42:54 +0100
Subject: [PATCH 4/5] replicainstall: add context manager for rpc client

Abstract creating rpc client into a context manager to allow re-use.
---
 ipaserver/install/server/replicainstall.py | 33 --
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 783a716..216ed55 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -4,6 +4,7 @@
 
 from __future__ import print_function
 
+import contextlib
 import dns.exception as dnsexception
 import dns.name as dnsname
 import dns.resolver as dnsresolver
@@ -511,29 +512,37 @@ def promote_openldap_conf(hostname, master):
 root_logger.info("Failed to update {}: {}".format(ldap_conf, e))
 
 
-def check_remote_version(api):
+@contextlib.contextmanager
+def rpc_client(api):
 """
-Perform a check to verify remote server's version
+Context manager for JSON RPC client.
 
-:param api: remote API
-
-:raises: ``ScriptError`` if the checks fails
+:param api: api to initiate the RPC client
 """
 client = rpc.jsonclient
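Review bot: the hunk is cut off at `client = rpc.jsonclient`, so the body of the new context manager cannot be reviewed here. Two things to confirm in the full diff: the ":raises: ``ScriptError``" line that the previous patch added to check_remote_version is deleted in this rewrite of the docstring block and should reappear on whatever check_remote_version becomes; and `rpc_client` should disconnect the client in a `finally` so the RPC session is not leaked when the version check raises.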

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-15 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

martbab commented:
"""
And indeed I can reproduce the original failure reported in 
https://fedorahosted.org/freeipa/ticket/5296 with this PR.

If I manually remove apache ccache (kdestroy -c 
/var/run/httpd/ipa/krbcache/krb5ccache) I can use the framework again.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280048516

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-15 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

martbab commented:
"""
@rcritten can you please re-read my comment very slowly? I wrote that we *do* 
backup keytabs.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280046038

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-15 Thread rcritten
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

rcritten commented:
"""
If you don't backup the keytab then how do you expect to bring the server back 
up? Fetch new keys for all services?

Full restore is very clearly documented as a recovery from complete failure in 
which case the restored master is the only one so there should be no mismatch 
between what was backed-up and what was restored.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280045062

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-15 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

tiran commented:
"""
Why do we back up ccache in the first place?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280040752

[Freeipa-devel] [freeipa PR#407][+ack] New lite-server implementation

2017-02-15 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/407
Title: #407: New lite-server implementation

Label: +ack

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-15 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

martbab commented:
"""
We do not backup ccache, we back up apache keytab.

During restore into an installed server we bring back the old Kerberos keys, but without 
any mechanism to purge the new apache ccache acquired during the installation 
of the new server you would end up with a key mismatch and nothing would work until 
the ccache expires.

As to why a) we backup Kerberos keys, and b) support restoring into running IPA 
server that is beyond me.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280043570

[Freeipa-devel] [freeipa PR#467][synchronized] ipaclient: schema cache: Write all schema files in concurrent-safe way

2017-02-15 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/467
Author: dkupka
 Title: #467: ipaclient: schema cache: Write all schema files in 
concurrent-safe way
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/467/head:pr467
git checkout pr467
From 31bd8d2b21160dfb7ad535c1c5521f0174948547 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 15 Feb 2017 09:34:10 +0100
Subject: [PATCH] ipaclient: schema cache: Write all schema files in
 concurrent-safe way

https://fedorahosted.org/freeipa/ticket/6668
---
 ipaclient/remote_plugins/__init__.py |  5 -
 ipaclient/remote_plugins/schema.py   | 15 +++
 ipapython/ipautil.py | 35 +++
 3 files changed, 42 insertions(+), 13 deletions(-)

diff --git a/ipaclient/remote_plugins/__init__.py b/ipaclient/remote_plugins/__init__.py
index da7004d..7b8bdd3 100644
--- a/ipaclient/remote_plugins/__init__.py
+++ b/ipaclient/remote_plugins/__init__.py
@@ -14,6 +14,8 @@
 from ipaclient.plugins.rpcclient import rpcclient
 from ipapython.dnsutil import DNSName
 from ipapython.ipa_log_manager import log_mgr
+from ipapython.ipautil import concurrent_open
+
 
 logger = log_mgr.get_logger(__name__)
 
@@ -58,7 +60,8 @@ def _write(self):
 except EnvironmentError as e:
 if e.errno != errno.EEXIST:
 raise
-with open(self._path, 'w') as sc:
+
+with concurrent_open(self._path, 'w') as sc:
 json.dump(self._dict, sc)
 except EnvironmentError as e:
 logger.warning('Failed to write server info: {}'.format(e))
diff --git a/ipaclient/remote_plugins/schema.py b/ipaclient/remote_plugins/schema.py
index 15c03f4..36ba741 100644
--- a/ipaclient/remote_plugins/schema.py
+++ b/ipaclient/remote_plugins/schema.py
@@ -5,8 +5,6 @@
 import collections
 import contextlib
 import errno
-import fcntl
-import io
 import json
 import os
 import sys
@@ -25,6 +23,7 @@
 from ipapython.dn import DN
 from ipapython.dnsutil import DNSName
 from ipapython.ipa_log_manager import log_mgr
+from ipapython.ipautil import concurrent_open
 
 FORMAT = '1'
 
@@ -407,17 +406,9 @@ def __init__(self, client, fingerprint=None):
 @contextlib.contextmanager
 def _open(self, filename, mode):
 path = os.path.join(self._DIR, filename)
+with concurrent_open(path, mode) as f:
+yield f
 
-with io.open(path, mode) as f:
-if mode.startswith('r'):
-fcntl.flock(f, fcntl.LOCK_SH)
-else:
-fcntl.flock(f, fcntl.LOCK_EX)
-
-try:
-yield f
-finally:
-fcntl.flock(f, fcntl.LOCK_UN)
 
 def _fetch(self, client, ignore_cache=False):
 if not client.isconnected():
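Review bot: replacing the flock-based `_open` with `concurrent_open` drops the shared/exclusive locking entirely. That is fine as long as every caller of `_open` passes one of the modes `concurrent_open` accepts ('r', 'rb', 'w', 'w+', 'wb', 'wb+'), since a rename-based write lets a reader see either the old or the new complete file; any caller passing e.g. 'a' or 'r+' will now fail with ValueError at runtime, so please grep the callers. The deletion also leaves two blank lines between `_open` and `_fetch` inside the class (PEP 8 E303).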
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 60b4a37..53bcf80 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -282,6 +282,41 @@ def write_tmp_file(txt):
 
 return fd
 
+
+@contextmanager
+def concurrent_open(filename, mode='r'):
+"""Ensure that complete file is read/written
+
+Works only for r, rb, w, w+, wb, wb+ modes. Default is r.
+
+In read mode behaves the same as build-in open. In write mode all data are
+written to the temporary file first and then moved to target path.
+This approach ensures that reading will be performed on complete file and
+writting will result in complete or none file written at all.
+"""
+if mode in ('w', 'w+', 'wb', 'wb+'):
+directory, basename = os.path.split(os.path.abspath(filename))
+with tempfile.NamedTemporaryFile(
+mode=mode, dir=directory, prefix=basename, delete=False
+) as temp_file:
+try:
+yield temp_file
+finally:
+temp_file.flush()
+os.fsync(temp_file.fileno())
+try:
+os.rename(temp_file.name, filename)
+except EnvironmentError:
+os.unlink(temp_file.name)
+raise
+elif mode in ('r', 'rb'):
+with open(filename, mode) as f:
+yield f
+else:
+raise ValueError(u"mode string must be one of 'r', 'rb', 'w', 'w+', "
+ u"'wb', 'wb+'")
+
+
 def shell_quote(string):
 if isinstance(string, str):
 return "'" + string.replace("'", "'\\''") + "'"
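Review bot: the `finally:` block in write mode flushes, fsyncs and renames the temporary file even when the caller's body raised, so a half-written file is moved over the target on error, which is exactly what the docstring ("complete or none file written at all") promises will not happen. Rename only on success: `try: yield temp_file` / `except BaseException: os.unlink(temp_file.name); raise` / `else:` flush, fsync, rename. Two smaller points: `NamedTemporaryFile` creates the file with mode 0600 (mkstemp), whereas the old `open(path, 'w')` honoured the umask, so the resulting schema and server-info files change permissions, which matters if anything other than the owning user reads them; and the hunk does not show `tempfile` and `contextmanager` being imported into ipautil.py, please confirm. Docstring typos: "build-in" should be "built-in", "writting" should be "writing", and "all data are written" reads better as "all data is written".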

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-15 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

martbab commented:
"""
I would rather keep `kdestroy` there, but only really purge the apache ccache 
explicitly:

```diff
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -452,7 +452,8 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 KRB5CC_HTTPD=paths.KRB5CC_HTTPD,
 KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
 IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
-POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
+POST='-{kdestroy} -c {ccache}'.format(
+kdestroy=paths.KDESTROY, ccache=paths.KRB5CC_HTTPD)
 )
 )
```
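Review bot: `-c {ccache}` names the framework's own FILE ccache explicitly instead of relying on `-A` and whatever `KRB5CCNAME` resolves to in the unit's environment, so if the kdestroy stays this is the right scope, and the leading `-` still lets a missing ccache (fresh install, never used) pass without failing the stop. The open question in the thread remains whether a stop hook is the right place for it at all, since the stale cache is a consequence of ipa-restore putting old keys under a live ccache and could be removed there explicitly.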

Otherwise we will bump into regressions caused by stale HTTPD ccaches left over 
when backing up/restoring IPA installation. I would demonstrate it on a failing 
backup/restore tests but they are completely messed up right now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280038786

[Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check

2017-02-15 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
 Title: #437: FIPS: replica install check
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/437/head:pr437
git checkout pr437
From 0db599ed71fbabcaacff0082eb369b2a737df866 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 13:08:11 +0100
Subject: [PATCH 1/5] Add fips_mode variable to env

Variable fips_mode indicating whether machine is running in
FIPS-enabled mode was added to env.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..c7caeef 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -44,6 +44,10 @@
 from ipalib.constants import CONFIG_SECTION
 from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
 from ipalib import errors
+try:
+from ipaplatform.tasks import tasks
+except ImportError:
+tasks = None
 
 if six.PY3:
 unicode = str
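Review bot: the bare `except ImportError:` around `from ipaplatform.tasks import tasks` also swallows an ImportError raised from inside `ipaplatform` (a missing dependency of the platform module), which on a server silently leaves `fips_mode` unset instead of surfacing the broken import; at minimum log the failure at debug level so an unexpectedly missing `fips_mode` can be diagnosed. Because the fallback is `tasks = None` rather than a default value, consumers must use `getattr(api.env, 'fips_mode', None)`; document that the key may be absent.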
@@ -440,6 +444,10 @@ def _bootstrap(self, **overrides):
 self.bin = path.dirname(self.script)
 self.home = os.environ.get('HOME', None)
 
+# Set fips_mode only if ipaplatform module was loaded
+if tasks is not None:
+self.fips_mode = tasks.is_fips_enabled()
+
 # Merge in overrides:
 self._merge(**overrides)
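Review bot: `self.fips_mode = tasks.is_fips_enabled()` runs before `self._merge(**overrides)`, so a `fips_mode` passed in `overrides` (from a config file or a test) can never win over the detected value, unlike the other env keys set in `_bootstrap`. Guard it the way this file guards other keys (`if 'fips_mode' not in self:`) so an explicit override is honoured, and set it after the merge or only when absent.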
 

From c149adbe68d6c28c0cdbefe652b4d1b2eb57782f Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 8 Feb 2017 16:53:44 +0100
Subject: [PATCH 2/5] test_config: fix tests for env.fips_mode

Add optional key fips_mode to Env object in tests.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipatests/test_ipalib/test_config.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipatests/test_ipalib/test_config.py b/ipatests/test_ipalib/test_config.py
index 1df9a39..5ef4487 100644
--- a/ipatests/test_ipalib/test_config.py
+++ b/ipatests/test_ipalib/test_config.py
@@ -562,6 +562,7 @@ def test_finalize_core(self):
 
 # Test using DEFAULT_CONFIG:
 defaults = dict(constants.DEFAULT_CONFIG)
+defaults['fips_mode'] = None
 (o, home) = self.finalize_core(None, **defaults)
 assert list(o) == sorted(defaults)
 for (key, value) in defaults.items():
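Review bot: `defaults['fips_mode'] = None` keeps `assert list(o) == sorted(defaults)` passing, but on a host where `ipaplatform.tasks` imports, `_bootstrap` has already set `fips_mode` to the boolean from `tasks.is_fips_enabled()` before the overrides are merged, so if the loop below compares `o[key]` with `value` it will see `False`/`True` against `None` and fail; either skip `fips_mode` in the comparison or make `_bootstrap` honour the override.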

From 957f6dd533b507243ffcc8fa573aa86e2fe962e0 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 17:17:49 +0100
Subject: [PATCH 3/5] check_remote_version: update exception and docstring

Refactor function to use ScriptError exception and provide docstring.
---
 ipaserver/install/server/replicainstall.py | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 0d3a69f..783a716 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -512,6 +512,13 @@ def promote_openldap_conf(hostname, master):
 
 
 def check_remote_version(api):
+"""
+Perform a check to verify remote server's version
+
+:param api: remote API
+
+:raises: ``ScriptError`` if the checks fails
+"""
 client = rpc.jsonclient(api)
 client.finalize()
 
@@ -524,7 +531,7 @@ def check_remote_version(api):
 remote_version = parse_version(env['version'])
 api_version = parse_version(api.env.version)
 if remote_version > api_version:
-raise RuntimeError(
+raise ScriptError(
 "Cannot install replica of a server of higher version ({}) than"
 "the local version ({})".format(remote_version, api_version))
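Review bot: the two adjacent string literals concatenate without a separator, so the message reads `...higher version (x) thanthe local version (y)`; add a trailing space to the first literal (`"... than "`). This is pre-existing, but since the line is being touched to change the exception type it is worth fixing here.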
 

From 183de2e6f7af61b5777a666ac24aa9dfec1d5a8b Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 7 Feb 2017 10:42:54 +0100
Subject: [PATCH 4/5] replicainstall: add context manager for rpc client

Abstract creating rpc client into a context manager to allow re-use.
---
 ipaserver/install/server/replicainstall.py | 33 --
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 783a716..216ed55 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -4,6 +4,7 @@
 
 from __future__ import print_function
 
+import contextlib
 import dns.exception as dnsexception
 import dns.name as dnsname
 import dns.resolver as dnsresolver
@@ -511,29 +512,37 @@ def promote_openldap_conf(hostname, master):
 root_logger.info("Failed to update {}: {}".format(ldap_conf, e))
 
 
-def check_remote_version(api):
+@contextlib.contextmanager
+def rpc_client(api):
 """
-Perform a check to verify remote server's version
+Context manager for JSON RPC client.
 
-:param api: remote API
-
-:raises: ``ScriptError`` if the checks fails
+:param api: api to initiate the RPC client
 """
 client = rpc.jsonclient(a

[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping

2017-02-15 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

flo-renaud commented:
"""
@HonzaCholasta 
PR updated according to your comments. Thanks for the detailed review!
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/398#issuecomment-280034426

[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping

2017-02-15 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
 Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398
From ca1e31fb4af22450741b6b7a4e9bc6b2c40f49fd Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt|  16 +-
 API.txt| 181 +++
 VERSION.m4 |   4 +-
 install/share/73certmap.ldif   |  16 ++
 install/share/Makefile.am  |   1 +
 install/updates/73-certmap.update  |  27 +++
 install/updates/Makefile.am|   1 +
 ipalib/constants.py|   4 +
 ipapython/dn.py|   8 +-
 ipaserver/install/dsinstance.py|   1 +
 ipaserver/plugins/baseuser.py  | 165 -
 ipaserver/plugins/certmap.py   | 355 +
 ipaserver/plugins/stageuser.py |  16 +-
 ipaserver/plugins/user.py  |  23 ++-
 ipatests/test_ipapython/test_dn.py |  20 +++
 15 files changed, 825 insertions(+), 13 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..2bde577 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all";;)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all";;)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
@@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetatt
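Review bot: the Add/Delete/Modify Certmap Rules permissions are defined here but the hunk does not show which privilege they are bound to; since `ipacertmapmatchrule` and `ipacertmapmaprule` decide which certificate authenticates as which user, write access to them is equivalent to user impersonation and should be granted only to the same privilege that administers users. Please point reviewers at the binding (the diffstat lists install/updates/73-certmap.update as the likely place). Also note that `System: Modify Certmap Rules` grants write on `objectclass`, which `System: Modify CA ACL` just above does not; if that is intentional (for example to let the rule entry gain auxiliary classes) say so in the commit message. Read access for `ldap:///all` on the rule and configuration attributes looks fine, as they hold no secrets.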

[Freeipa-devel] [freeipa PR#459][synchronized] Faster JSON encoder/decoder

2017-02-15 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/459
Author: tiran
 Title: #459: Faster JSON encoder/decoder
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/459/head:pr459
git checkout pr459
From cace1ed0605bd763ea99077938eda2b6c4ed57a1 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 13 Feb 2017 09:46:39 +0100
Subject: [PATCH 1/5] Faster JSON encoder/decoder

Improve performance of FreeIPA's JSON serializer and deserializer.

* Don't indent and sort keys. Both options trigger a slow path in
  Python's json package. Without indentation and sorting, encoding
  mostly happens in optimized C code.
* Replace O(n) type checks with O(1) type lookup and eliminate
  the use of isinstance().
* Check each client capability only once for every conversion.
* Use decoder's obj_hook feature to traverse the object tree once and
  to eliminate calls to isinstance().

Closes: https://fedorahosted.org/freeipa/ticket/6655
Signed-off-by: Christian Heimes 
---
 ipalib/rpc.py  | 211 +++--
 ipaserver/rpcserver.py |   8 +-
 2 files changed, 135 insertions(+), 84 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 31ed64e..d8207dc 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -51,7 +51,7 @@
 from ipalib.backend import Connectible
 from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
 from ipalib.errors import (public_errors, UnknownError, NetworkError,
-KerberosError, XMLRPCMarshallError, JSONError, ConversionError)
+KerberosError, XMLRPCMarshallError, JSONError)
 from ipalib import errors, capabilities
 from ipalib.request import context, Connection
 from ipapython.ipa_log_manager import root_logger
@@ -274,67 +274,140 @@ def xml_dumps(params, version, methodname=None, methodresponse=False,
 )
 
 
-def json_encode_binary(val, version):
-'''
-   JSON cannot encode binary values. We encode binary values in Python str
-   objects and text in Python unicode objects. In order to allow a binary
-   object to be passed through JSON we base64 encode it thus converting it to
-   text which JSON can transport. To assure we recognize the value is a base64
-   encoded representation of the original binary value and not confuse it with
-   other text we convert the binary value to a dict in this form:
-
-   {'__base64__' : base64_encoding_of_binary_value}
-
-   This modification of the original input value cannot be done "in place" as
-   one might first assume (e.g. replacing any binary items in a container
-   (e.g. list, tuple, dict) with the base64 dict because the container might be
-   an immutable object (i.e. a tuple). Therefore this function returns a copy
-   of any container objects it encounters with tuples replaced by lists. This
-   is O.K. because the JSON encoding will map both lists and tuples to JSON
-   arrays.
-   '''
-
-if isinstance(val, dict):
-new_dict = {}
-for k, v in val.items():
-new_dict[k] = json_encode_binary(v, version)
-return new_dict
-elif isinstance(val, (list, tuple)):
-new_list = [json_encode_binary(v, version) for v in val]
-return new_list
-elif isinstance(val, bytes):
-encoded = base64.b64encode(val)
-if not six.PY2:
-encoded = encoded.decode('ascii')
-return {'__base64__': encoded}
-elif isinstance(val, Decimal):
-return unicode(val)
-elif isinstance(val, DN):
-return str(val)
-elif isinstance(val, datetime.datetime):
-if capabilities.client_has_capability(version, 'datetime_values'):
+class _JSONConverter(dict):
+__slots__ = ('version', '_cap_datetime', '_cap_dnsname')
+
+_identity = object()
+
+def __init__(self, version, _identity=_identity):
+super(_JSONConverter, self).__init__()
+self.version = version
+self._cap_datetime = None
+self._cap_dnsname = None
+self.update({
+unicode: _identity,
+bool: _identity,
+type(None): _identity,
+float: _identity,
+Decimal: unicode,
+DN: str,
+Principal: unicode,
+DNSName: self._enc_dnsname,
+datetime.datetime: self._enc_datetime,
+bytes: self._enc_bytes,
+list: self._enc_list,
+tuple: self._enc_list,
+dict: self._enc_dict,
+})
+# int, long
+for t in six.integer_types:
+self[t] = _identity
+
+def __missing__(self, typ):
+# walk MRO to find best match
+for c in typ.__mro__:
+if c in self:
+self[typ] = self[c]
+return self[c]
+# use issubclass to check for registered ABCs
+for c in self:
+if issubclass(typ, c):
+self[typ] = self[c]
+return self[c]
+raise TypeError(typ)
+
+de
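Review bot: in `__missing__`, the fallback loop `for c in self: if issubclass(typ, c): self[typ] = self[c]` mutates the dict while iterating over it and only avoids `RuntimeError: dictionary changed size during iteration` because it returns immediately after the assignment; pick the match first (`match = next((c for c in self if issubclass(typ, c)), None)`) and assign after the loop, or add a comment stating that invariant. Two smaller points: the MRO walk starts at `typ` itself, which is known to be missing (`typ.__mro__[1:]` saves one lookup), and because every unknown type is cached as a new key the converter grows without bound if one instance is long-lived and sees dynamically created classes, so keep instances per conversion as the `version` argument to `__init__` suggests.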

[Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check

2017-02-15 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
 Title: #437: FIPS: replica install check
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/437/head:pr437
git checkout pr437
From 85cd763e945167db48a675fead0d1bcf29c57440 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 13:08:11 +0100
Subject: [PATCH 1/5] Add fips_mode variable to env

Variable fips_mode indicating whether machine is running in
FIPS-enabled mode was added to env.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..c7caeef 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -44,6 +44,10 @@
 from ipalib.constants import CONFIG_SECTION
 from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
 from ipalib import errors
+try:
+from ipaplatform.tasks import tasks
+except ImportError:
+tasks = None
 
 if six.PY3:
 unicode = str
@@ -440,6 +444,10 @@ def _bootstrap(self, **overrides):
 self.bin = path.dirname(self.script)
 self.home = os.environ.get('HOME', None)
 
+# Set fips_mode only if ipaplatform module was loaded
+if tasks is not None:
+self.fips_mode = tasks.is_fips_enabled()
+
 # Merge in overrides:
 self._merge(**overrides)
 

From 9adc350f5e256a83b290b13890a32b7078a768f8 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 8 Feb 2017 16:53:44 +0100
Subject: [PATCH 2/5] test_config: fix tests for env.fips_mode

Add optional key fips_mode to Env object in tests.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipatests/test_ipalib/test_config.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipatests/test_ipalib/test_config.py b/ipatests/test_ipalib/test_config.py
index 1df9a39..5ef4487 100644
--- a/ipatests/test_ipalib/test_config.py
+++ b/ipatests/test_ipalib/test_config.py
@@ -562,6 +562,7 @@ def test_finalize_core(self):
 
 # Test using DEFAULT_CONFIG:
 defaults = dict(constants.DEFAULT_CONFIG)
+defaults['fips_mode'] = None
 (o, home) = self.finalize_core(None, **defaults)
 assert list(o) == sorted(defaults)
 for (key, value) in defaults.items():

From be61b223c9d850a18695c34e8e14b846ef32756d Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 17:17:49 +0100
Subject: [PATCH 3/5] check_remote_version: update exception and docstring

Refactor function to use ScriptError exception and provide docstring.
---
 ipaserver/install/server/replicainstall.py | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 7d7a499..ad43aa2 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -509,6 +509,13 @@ def promote_openldap_conf(hostname, master):
 
 
 def check_remote_version(api):
+"""
+Perform a check to verify remote server's version
+
+:param api: remote API
+
+:raises: ``ScriptError`` if the checks fails
+"""
 client = rpc.jsonclient(api)
 client.finalize()
 
@@ -521,7 +528,7 @@ def check_remote_version(api):
 remote_version = parse_version(env['version'])
 api_version = parse_version(api.env.version)
 if remote_version > api_version:
-raise RuntimeError(
+raise ScriptError(
 "Cannot install replica of a server of higher version ({}) than"
 "the local version ({})".format(remote_version, api_version))
 

From 921f18118747577aea474a9281b3e4cfc2cf1ca1 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 7 Feb 2017 10:42:54 +0100
Subject: [PATCH 4/5] replicainstall: add context manager for rpc client

Abstract creating rpc client into a context manager to allow re-use.
---
 ipaserver/install/server/replicainstall.py | 33 --
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index ad43aa2..4a8b9d6 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -4,6 +4,7 @@
 
 from __future__ import print_function
 
+import contextlib
 import dns.exception as dnsexception
 import dns.name as dnsname
 import dns.resolver as dnsresolver
@@ -508,29 +509,37 @@ def promote_openldap_conf(hostname, master):
 root_logger.info("Failed to update {}: {}".format(ldap_conf, e))
 
 
-def check_remote_version(api):
+@contextlib.contextmanager
+def rpc_client(api):
 """
-Perform a check to verify remote server's version
+Context manager for JSON RPC client.
 
-:param api: remote API
-
-:raises: ``ScriptError`` if the checks fails
+:param api: api to initiate the RPC client
 """
 client = rpc.jsonclient(a

[Freeipa-devel] [freeipa PR#429][comment] [py3] ipactl restart: log httplib failues as debug

2017-02-15 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/429
Title: #429: [py3] ipactl restart: log httplib failues as debug

tiran commented:
"""
Yeah, I reported the issue as https://fedorahosted.org/freeipa/ticket/6674 . 
Feel free to close it as duplicate.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/429#issuecomment-280026495

[Freeipa-devel] [freeipa PR#429][comment] [py3] ipactl restart: log httplib failues as debug

2017-02-15 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/429
Title: #429: [py3] ipactl restart: log httplib failues as debug

MartinBasti commented:
"""
This happens with python2.7 too, I reproduced it today
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/429#issuecomment-280024605

[Freeipa-devel] [freeipa PR#459][edited] Faster JSON encoder/decoder

2017-02-15 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/459
Author: tiran
 Title: #459: Faster JSON encoder/decoder
Action: edited

 Changed field: title
Original value:
"""
[WIP] Faster JSON encoder/decoder
"""


[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-15 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

tiran commented:
"""
Cookie parsing bug with FreeIPA 4.4 client: 
https://fedorahosted.org/freeipa/ticket/6676
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-280012485

[Freeipa-devel] [freeipa PR#410][+pushed] ipa-kdb: support KDB DAL version 6.1

2017-02-15 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

Label: +pushed

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-02-15 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/593ea7da9a732647052cb56c08ad367e40be3912
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-280009516

[Freeipa-devel] [freeipa PR#410][closed] ipa-kdb: support KDB DAL version 6.1

2017-02-15 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/410
Author: abbra
 Title: #410: ipa-kdb: support KDB DAL version 6.1
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/410/head:pr410
git checkout pr410

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-15 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

tiran commented:
"""
FYI, KRA and vault are broken because KRA cert is not migrated: 
https://fedorahosted.org/freeipa/ticket/6675
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-280008032

[Freeipa-devel] [freeipa PR#450][synchronized] Add FIPS-token password of HTTPD NSS database

2017-02-15 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/450
Author: stlaz
 Title: #450: Add FIPS-token password of HTTPD NSS database
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/450/head:pr450
git checkout pr450
From 618747ed33263f1a45be0855e63e0de80e55ce8a Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 9 Jan 2017 08:45:33 +0100
Subject: [PATCH] Add FIPS-token password of HTTPD NSS database

This change is required for httpd to function properly in FIPS

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/httpinstance.py | 19 ---
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7317fba..6383e27 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -329,14 +329,19 @@ def create_password_conf(self):
 This is the format of mod_nss pin files.
 """
 pwd_conf = paths.HTTPD_PASSWORD_CONF
-
 ipautil.backup_file(pwd_conf)
-f = open(pwd_conf, "w")
-f.write("internal:")
-pwdfile = open(os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt'))
-f.write(pwdfile.read())
-f.close()
-pwdfile.close()
+
+passwd_fname = os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt')
+with open(passwd_fname, 'r') as pwdfile:
+password = pwdfile.read()
+
+with open(pwd_conf, "w") as f:
+f.write("internal:")
+f.write(password)
+f.write("\nNSS FIPS 140-2 Certificate DB:")
+f.write(password)
+# make sure other processes can access the file contents ASAP
+f.flush()
 pent = pwd.getpwnam(constants.HTTPD_USER)
 os.chown(pwd_conf, pent.pw_uid, pent.pw_gid)
 os.chmod(pwd_conf, 0o400)
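Review bot: `open(pwd_conf, "w")` creates the pin file with the process umask (typically 0644) on first creation and only the `os.chmod(pwd_conf, 0o400)` after the `with` block tightens it, so the token password is world-readable for a short window; create it restrictively from the start, e.g. `fd = os.open(pwd_conf, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` with `os.fdopen(fd, 'w')`, or chmod before writing. If pwdfile.txt ends with a newline, `f.write(password)` followed by `f.write("\nNSS FIPS 140-2 Certificate DB:")` leaves an empty line between the two `token:password` entries; strip it once when reading (`password = pwdfile.read().rstrip('\n')`) unless mod_nss is known to tolerate blank lines. The explicit `f.flush()` is redundant, since leaving the `with` block closes (and flushes) the file before `chown`/`chmod` run.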

[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

2017-02-15 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
 Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367
From 186c84b68e541dabc51707f0bc93f0c69baa2f6e Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 20 Dec 2016 10:05:36 +0100
Subject: [PATCH 01/12] Remove NSSConnection from the Python RPC module

NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires database password which makes the `ipa` command
totally unusable.

NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.

The new HTTPS handling class, IPAHTTPSConnection, is prepared
to handle authentication with client certificate for connections
to Dogtag server as RA agent. It also allows handling a client
cert and private key kept in separate files, as well as
encrypted private key files.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py|   3 ++
 ipalib/constants.py |   1 +
 ipalib/rpc.py   |  70 +++---
 ipalib/util.py  | 106 
 4 files changed, 124 insertions(+), 56 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..8ecada6 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -493,6 +493,9 @@ def _bootstrap(self, **overrides):
 if 'nss_dir' not in self:
 self.nss_dir = self._join('confdir', 'nssdb')
 
+if 'ca_certfile' not in self:
+self.ca_certfile = self._join('confdir', 'ca.crt')
+
 # Set plugins_on_demand:
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
diff --git a/ipalib/constants.py b/ipalib/constants.py
index fa20624..82147f3 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -226,6 +226,7 @@
 ('conf_default', object),  # File containing context independent config
 ('plugins_on_demand', object),  # Whether to finalize plugins on-demand (bool)
 ('nss_dir', object),  # Path to nssdb, default {confdir}/nssdb
+('ca_certfile', object),  # Path to CA cert file
 
 # Set in Env._finalize_core():
 ('in_server', object),  # Whether or not running in-server (bool)
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 31ed64e..1ea5d60 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -44,7 +44,7 @@
 import gssapi
 from dns import resolver, rdatatype
 from dns.exception import DNSException
-from nss.error import NSPRError
+from ssl import SSLError
 import six
 from six.moves import urllib
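Review bot: swapping `from nss.error import NSPRError` for `from ssl import SSLError` only covers TLS-layer failures; python-nss raised `NSPRError` for socket-level problems too, whereas `httplib.HTTPSConnection` reports connection refused, DNS and timeout errors as `socket.error`/`IOError`, not `SSLError`. Check that every `except NSPRError` in this module is widened to `except (SSLError, socket.error)` so those failures still surface as `NetworkError` rather than an uncaught traceback.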
 
@@ -60,8 +60,7 @@
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
-import ipapython.nsslib
-from ipapython.nsslib import NSSConnection
+from ipalib.util import IPAHTTPSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
  KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
@@ -470,48 +469,20 @@ def get_host_info(self, host):
 
 return (host, extra_headers, x509)
 
+
 class SSLTransport(LanguageAwareTransport):
 """Handles an HTTPS transaction to an XML-RPC server."""
-
-def get_connection_dbdir(self):
-"""
-If there is a connections open it may have already initialized
-NSS database. Return the database location used by the connection.
-"""
-for value in context.__dict__.values():
-if not isinstance(value, Connection):
-continue
-if not isinstance(
-getattr(value.conn, '_ServerProxy__transport', None),
-SSLTransport):
-continue
-if hasattr(value.conn._ServerProxy__transport, 'dbdir'):
-return value.conn._ServerProxy__transport.dbdir
-return None
-
 def make_connection(self, host):
 host, self._extra_headers, _x509 = self.get_host_info(host)
 
 if self._connection and host == self._connection[0]:
 return self._connection[1]
 
-dbdir = context.nss_dir
-connection_dbdir = self.get_connection_dbdir()
-
-if connection_dbdir:
-# If an existing connection is already using the same NSS
-# database there is no need to re-initialize.
-no_init = dbdir == connection_dbdir
-
-else:
-# If the NSS database is already being used there is no
-# need to re-initialize.
-no_init = dbdir == ipapython.nsslib.current_dbdir
-
-conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init,
-  

[Freeipa-devel] [freeipa PR#407][comment] New lite-server implementation

2017-02-15 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/407
Title: #407: New lite-server implementation

tiran commented:
"""
Example of a single request profile with new lite-server:

```
127.0.0.1 - - [15/Feb/2017 12:55:20] "POST /ipa/session/json HTTP/1.1" 200 -
ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE: json_metadata(None, None, 
command=u'all', version=u'2.218'): SUCCESS

PATH: '/session/json'
 6551240 function calls (4596653 primitive calls) in 1.869 seconds

   Ordered by: internal time, call count
   List reduced from 436 to 30 due to restriction <30>

          ncalls  tottime  percall  cumtime  percall filename:lineno(function)
  2013370/405370    0.303    0.000    0.462    0.000 /usr/lib64/python2.7/json/encoder.py:341(_iterencode_dict)
         1755304    0.278    0.000    0.278    0.000 {isinstance}
            3556    0.201    0.000    0.446    0.000 /home/heimes/redhat/freeipa/ipalib/parameters.py:441(__init__)
      187490/446    0.150    0.000    0.999    0.002 /home/heimes/redhat/freeipa/ipalib/util.py:58(json_serialize)
        110038/1    0.127    0.000    0.236    0.236 /home/heimes/redhat/freeipa/ipalib/rpc.py:277(json_encode_binary)
            3999    0.085    0.000    0.256    0.000 /home/heimes/redhat/freeipa/ipalib/parameters.py:954(__json__)
          173558    0.075    0.000    0.075    0.000 {hasattr}
   440062/395518    0.072    0.000    0.239    0.000 /usr/lib64/python2.7/json/encoder.py:288(_iterencode_list)
          405370    0.057    0.000    0.520    0.000 /usr/lib64/python2.7/json/encoder.py:417(_iterencode)
   143774/143772    0.052    0.000    0.052    0.000 /home/heimes/redhat/freeipa/ipalib/base.py:123(__setattr__)
          104200    0.036    0.000    0.070    0.000 {setattr}
               1    0.035    0.035    0.560    0.560 /usr/lib64/python2.7/json/encoder.py:186(encode)
               1    0.029    0.029    0.029    0.029 {built-in method sasl_interactive_bind_s}
          234842    0.026    0.000    0.026    0.000 {getattr}
        4445/446    0.025    0.000    0.461    0.001 /home/heimes/redhat/freeipa/ipalib/util.py:62()
            4449    0.024    0.000    0.032    0.000 {sorted}
          234451    0.019    0.000    0.019    0.000 {method 'get' of 'dict' objects}
               1    0.018    0.018    0.018    0.018 {method 'encode' of 'str' objects}
          133044    0.016    0.000    0.016    0.000 {_json.encode_basestring_ascii}
           24961    0.011    0.000    0.011    0.000 {_codecs.utf_8_decode}
           24961    0.011    0.000    0.030    0.000 {method 'decode' of 'str' objects}
          107753    0.010    0.000    0.010    0.000 /home/heimes/redhat/freeipa/ipalib/parameters.py:506()
            3556    0.010    0.000    0.010    0.000 /home/heimes/redhat/freeipa/ipalib/parameters.py:261(parse_param_spec)
           13348    0.008    0.000    0.008    0.000 {method 'items' of 'dict' objects}
            7176    0.008    0.000    0.012    0.000 /home/heimes/redhat/freeipa/ipalib/text.py:248(as_unicode)
           91841    0.007    0.000    0.007    0.000 /usr/lib64/python2.7/json/encoder.py:361()
           24961    0.007    0.000    0.018    0.000 /usr/lib64/python2.7/encodings/utf_8.py:15(decode)
            1973    0.007    0.000    0.274    0.000 /home/heimes/redhat/freeipa/ipalib/parameters.py:725(clone_retype)
            7388    0.006    0.000    0.006    0.000 {method 'match' of '_sre.SRE_Pattern' objects}
           77523    0.006    0.000    0.006    0.000 {method 'pop' of 'dict' objects}
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/407#issuecomment-279992368
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#407][comment] New lite-server implementation

2017-02-15 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/407
Title: #407: New lite-server implementation

tiran commented:
"""
PR #314 has landed. I have rebased the branch and made the lite-server even 
more convenient to use. You can now run it with ```make lite-server``` or 
```make lite-server PYTHON=python3```. It tells you how to set up a Kerberos 
ccache, too.

With the help of the lite-server, I found issue 
https://github.com/pyldap/pyldap/issues/84 within ten seconds.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/407#issuecomment-279965820
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#407][synchronized] New lite-server implementation

2017-02-15 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/407
Author: tiran
 Title: #407: New lite-server implementation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/407/head:pr407
git checkout pr407
From 468c3e867292b7ef21d468f45ea12920afe160cd Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Sat, 21 Jan 2017 19:34:12 +0100
Subject: [PATCH] New lite-server implementation

The new development server depends on werkzeug instead of paste. The
werkzeug WSGI server comes with some additional features, most
noticeable multi-processing server. The IPA framework is not compatible
with threaded servers. Werkzeug can serve static files easily and has a
fast auto-reloader.

The new lite-server implementation depends on PR 314 (privilege
separation). For Python 3 support, it additionally depends on PR 393.

Signed-off-by: Christian Heimes 
---
 BUILD.txt  |   2 +-
 Makefile.am|   8 +-
 contrib/Makefile.am|   3 +-
 contrib/lite-server.py | 252 +
 lite-server.py | 158 ---
 5 files changed, 261 insertions(+), 162 deletions(-)
 create mode 100755 contrib/lite-server.py
 delete mode 100755 lite-server.py

diff --git a/BUILD.txt b/BUILD.txt
index 620adc3..10b1943 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -41,7 +41,7 @@ install the rpms and then configure IPA using ipa-server-install.
 Get a TGT for the admin user with: kinit admin
 
 Next you'll need 2 sessions in the source tree. In the first session run
-python lite-server.py. In the second session copy /etc/ipa/default.conf into
+```make lite-server```. In the second session copy /etc/ipa/default.conf into
 ~/.ipa/default.conf and replace xmlrpc_uri with http://127.0.0.1:/ipa/xml.
 Finally run the ./ipa tool and it will make requests to the lite-server
 listening on 127.0.0.1:.
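Review bot: BUILD.txt still only says `kinit admin`, while the new contrib/lite-server.py docstring requires a file-based credential cache (`export KRB5CCNAME=~/.ipa/ccache` before the kinit); add that step to this paragraph so the two sets of instructions agree, since a developer following BUILD.txt alone will start the server against whatever default ccache type the system uses.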
diff --git a/Makefile.am b/Makefile.am
index 9bfc899..30ad9bb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -6,7 +6,6 @@ SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipa
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
 		   ipasetup.pyc ipasetup.pyo \
-		   lite-server.pyc lite-server.pyo \
 		   pylint_plugins.pyc pylint_plugins.pyo
 
 # user-facing scripts
@@ -14,7 +13,6 @@ dist_bin_SCRIPTS = ipa
 
 # files required for build but not installed
 dist_noinst_SCRIPTS = ignore_import_errors.py \
-		  lite-server.py \
 		  makeapi \
 		  makeaci \
 		  make-doc \
@@ -119,6 +117,12 @@ _srpms-body: _rpms-prep
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
 
+.PHONY: lite-server
+lite-server: $(top_builddir)/ipapython/version.py
+	+$(MAKE) -C $(top_builddir)/install/ui
+	PYTHONPATH=$(top_srcdir) $(PYTHON) -bb \
+	contrib/lite-server.py $(LITESERVER_ARGS)
+
 .PHONY: lint
 if WITH_POLINT
 POLINT_TARGET = polint
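Review bot: `contrib/lite-server.py` in the `lite-server` recipe is resolved relative to the current directory, while every other path in the rule goes through `$(top_builddir)` or `$(top_srcdir)`; from an out-of-tree build directory the target will not find the script. Use `$(top_srcdir)/contrib/lite-server.py`. The `rm -f rm -f` in the context line above is a pre-existing typo that could be fixed in passing.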
diff --git a/contrib/Makefile.am b/contrib/Makefile.am
index 108a808..b28f2e7 100644
--- a/contrib/Makefile.am
+++ b/contrib/Makefile.am
@@ -1,4 +1,5 @@
 SUBDIRS = completion
 
 EXTRA_DIST = \
-	nssciphersuite
+	nssciphersuite \
+	lite-server.py
diff --git a/contrib/lite-server.py b/contrib/lite-server.py
new file mode 100755
index 000..1df5004
--- /dev/null
+++ b/contrib/lite-server.py
@@ -0,0 +1,252 @@
+#!/usr/bin/env python
+#
+# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
+#
+"""In-tree development server
+
+The dev server requires a Kerberos TGT and a file based credential cache:
+
+$ mkdir -p ~/.ipa
+$ export KRB5CCNAME=~/.ipa/ccache
+$ kinit admin
+$ make lite-server
+
+Optionally you can set KRB5_CONFIG to use a custom Kerberos configuration
+instead of /etc/krb5.conf.
+
+To run the lite-server with another Python interpreter:
+
+$ make lite-server PYTHON=/path/to/bin/python
+
+To enable profiling:
+
+$ make lite-server LITESERVER_ARGS='--enable-profiler=-'
+
+By default the dev server supports HTTP only. To switch to HTTPS, you can put
+a PEM file at ~/.ipa/lite.pem. The PEM file must contain a server certificate,
+its unencrypted private key and intermediate chain certs (if applicable).
+
+Prerequisite
+
+
+Additionally to build and runtime requirements of FreeIPA, the dev server
+depends on the werkzeug framework and optionally watchdog for auto-reloading.
+You may also have to enable a development COPR.
+
+$ sudo dnf install -y dnf-plugins-core
+$ sudo dnf builddep --spec freeipa.spec.in
+$ sudo dnf install -y python-werkzeug python2-watchdog \
+python3-werkzeug python3-watchdog
+$ ./autogen.sh
+
+For more information see
+
+  * http://www.freeipa.org/page/Build
+  * http://www.freeipa.org/page/Testing
+
+"""
+from __future__ import print_function
+
+import os
+import optparse  # pylint: disable=deprecated-
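Review bot: the docstring tells developers to keep an unencrypted private key in `~/.ipa/lite.pem` and a TGT in `~/.ipa/ccache`, but nothing in the part of the script shown here checks who can read either file. Have the server refuse to start, or at least warn, when `lite.pem` or the ccache is group/world readable (`os.stat(path).st_mode & 0o077`), and state in the docstring that the PEM file must be mode 0600. Minor: the "Prerequisite" heading has lost its underline (the line after it is empty).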

[Freeipa-devel] [freeipa PR#470][opened] WebUI: Size limit warning on details pages fixed

2017-02-15 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/470
Author: pvomacka
 Title: #470: WebUI: Size limit warning on details pages fixed
Action: opened

PR body:
"""
Entity select fields accepted the globally set size limit, and in situations when
there were more entries than the global size limit allows, the "Truncated" warning
showed up and only a subset of the items was shown.
All entity select widgets now use find methods with sizelimit set to 0,
which means "get all entries".

This setting is configurable using search_all_entries attribute.

https://fedorahosted.org/freeipa/ticket/6618
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/470/head:pr470
git checkout pr470
From 538285dbb7be937ce8eeae88a85d0b918f150911 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Mon, 30 Jan 2017 15:16:41 +0100
Subject: [PATCH] WebUI: Size limit warning on details pages fixed

Entity select fields accepted the globally set size limit, and in situations when
there were more entries than the global size limit allows, the "Truncated" warning
showed up and only a subset of the items was shown.
All entity select widgets now use find methods with sizelimit set to 0,
which means "get all entries".

This setting is configurable using search_all_entries attribute.

https://fedorahosted.org/freeipa/ticket/6618
---
 install/ui/src/freeipa/widget.js | 5 +
 1 file changed, 5 insertions(+)

diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 6ad8aad..2d1d231 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -5003,6 +5003,8 @@ IPA.entity_select_widget = function(spec) {
 that.other_entity = IPA.get_entity(spec.other_entity);
 that.other_field = spec.other_field;
 that.label_field = spec.label_field || spec.other_field;
+that.search_all_entries = spec.search_all_entries === undefined ? true :
+spec.search_all_entries;
 
 that.options = spec.options || [];
 that.filter_options = spec.filter_options || {};
@@ -5018,6 +5020,9 @@ IPA.entity_select_widget = function(spec) {
 if (no_members) {
 cmd.set_option('no_members', true);
 }
+if (that.search_all_entries) {
+cmd.set_option('sizelimit', 0);
+}
 return cmd;
 };
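Review bot: `sizelimit` 0 becomes the behaviour of every entity_select_widget, because `search_all_entries` defaults to true in the constructor hunk above; each details page that embeds such a select now runs an unbounded search against the directory, and any authenticated user triggers it just by opening the page. On a deployment with tens of thousands of users or hosts that is a lot of entries to fetch and render into one dropdown. Consider defaulting `search_all_entries` to false and switching it on only for the widgets where the truncation warning was actually a problem, or keep a generous but finite limit.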
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#423][+pushed] dns-update-system-records: add support for nsupdate output format

2017-02-15 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/423
Title: #423: dns-update-system-records: add support for nsupdate output format

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#423][closed] dns-update-system-records: add support for nsupdate output format

2017-02-15 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/423
Author: MartinBasti
 Title: #423: dns-update-system-records: add support for nsupdate output format
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/423/head:pr423
git checkout pr423
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#423][comment] dns-update-system-records: add support for nsupdate output format

2017-02-15 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/423
Title: #423: dns-update-system-records: add support for nsupdate output format

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/7eb2ef61905a5c6ddf04237f0aa84e7585e1186d
https://fedorahosted.org/freeipa/changeset/5bd82174233095a3cccfbbf8524622440c31b10c
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/423#issuecomment-279985268
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#331][comment] WebUI: don't change casing of Auth Indicators values

2017-02-15 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/331
Title: #331: WebUI: don't change casing of Auth Indicators values

pvoborni commented:
"""
LGTM (reading code).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/331#issuecomment-279984562
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#469][opened] Ignore unlink error in ipa-otpd.socket

2017-02-15 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/469
Author: tiran
 Title: #469: Ignore unlink error in ipa-otpd.socket
Action: opened

PR body:
"""
Don't fail in case the file does not exist.

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/469/head:pr469
git checkout pr469
From 96291d8e34f334d6c5636f050623bdacfb9b551a Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 15 Feb 2017 11:53:40 +0100
Subject: [PATCH] Ignore unlink error in ipa-otpd.socket

Don't fail in case the file does not exist.

Signed-off-by: Christian Heimes 
---
 daemons/ipa-otpd/ipa-otpd.socket.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemons/ipa-otpd/ipa-otpd.socket.in b/daemons/ipa-otpd/ipa-otpd.socket.in
index ce3596d..1f16fd7 100644
--- a/daemons/ipa-otpd/ipa-otpd.socket.in
+++ b/daemons/ipa-otpd/ipa-otpd.socket.in
@@ -3,7 +3,7 @@ Description=ipa-otpd socket
 
 [Socket]
 ListenStream=@krb5rundir@/DEFAULT.socket
-ExecStopPre=@UNLINK@ @krb5rundir@/DEFAULT.socket
+ExecStopPre=-@UNLINK@ @krb5rundir@/DEFAULT.socket
 SocketMode=0600
 Accept=true
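Review bot: instead of a tolerated `ExecStopPre=-@UNLINK@ @krb5rundir@/DEFAULT.socket`, systemd can remove the socket path itself with `RemoveOnStop=true` in the `[Socket]` section, which also covers the case this change works around (stopping a unit whose socket file was never created). If the explicit unlink is kept on purpose, a comment on why `RemoveOnStop=` is not used would help the next reader.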
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#331][synchronized] WebUI: don't change casing of Auth Indicators values

2017-02-15 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/331
Author: pvomacka
 Title: #331: WebUI: don't change casing of Auth Indicators values
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/331/head:pr331
git checkout pr331
From ba9275309b1f69a4f5d0f9d478cbd3a6f78310be Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Tue, 13 Dec 2016 13:21:29 +0100
Subject: [PATCH 1/2] WebUI: Allow disabling lowering text in
 custom_checkbox_widget

Add new attribute which keeps information whether each text added
using custom_checkbox_widget should be transformed to lowercase.

Part of: https://fedorahosted.org/freeipa/ticket/6308
---
 install/ui/src/freeipa/widget.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 6ad8aad..bb3450e 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -2509,6 +2509,8 @@ IPA.custom_checkboxes_widget = function(spec) {
 
 var that = IPA.checkboxes_widget(spec);
 
+that.set_value_to_lowercase = spec.set_value_to_lowercase || false;
+
 that.add_dialog_title = spec.add_dialog_title ||
 "@i18n:dialogs.add_custom_value";
 that.add_field_label = spec.add_field_label ||
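Review bot: `spec.set_value_to_lowercase || false` changes the default for every existing user of custom_checkboxes_widget: the subject says "allow disabling" lowercasing, but after this patch lowercasing is off unless a spec opts in. If no other spec relies on the old behaviour, say so in the commit message; otherwise default to true (`spec.set_value_to_lowercase !== false`) and opt out only in the auth-indicator specs.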
@@ -2626,7 +2628,7 @@ IPA.custom_checkboxes_widget = function(spec) {
 
 if (!value || value === '') continue;
 
-value = value.toLowerCase();
+if (that.set_value_to_lowercase) value = value.toLowerCase();
 that.values.push(value);
 }
 

From a05d927a095fc17ed767f064cb032d52bbc95143 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Tue, 13 Dec 2016 13:25:48 +0100
Subject: [PATCH 2/2] WebUI: don't change casing of Auth Indicators values

All values were previously converted to lowercase, which did not
correspond with the CLI behaviour. Now they stay as they are
inserted. I also have to change the strings to lowercase because
the otp and radius should be inserted as lowercase words.

https://fedorahosted.org/freeipa/ticket/6308
---
 install/ui/src/freeipa/host.js| 4 ++--
 install/ui/src/freeipa/service.js | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/install/ui/src/freeipa/host.js b/install/ui/src/freeipa/host.js
index 87cf264..5dc49b8 100644
--- a/install/ui/src/freeipa/host.js
+++ b/install/ui/src/freeipa/host.js
@@ -123,11 +123,11 @@ return {
 add_field_label: '@i18n:authtype.auth_indicator',
 options: [
 {
-label: '@i18n:authtype.otp',
+label: 'otp',
 value: 'otp'
 },
 {
-label: '@i18n:authtype.type_radius',
+label: 'radius',
 value: 'radius'
 }
 ],
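Review bot: replacing `'@i18n:authtype.otp'` and `'@i18n:authtype.type_radius'` with the literal strings 'otp' and 'radius' takes the labels out of translation. If the label is meant to be exactly the stored value (so the user sees the same token the CLI accepts), state that in the commit message and check whether the two i18n keys are now unused in the message catalogue; the same applies to the identical change in service.js below.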
diff --git a/install/ui/src/freeipa/service.js b/install/ui/src/freeipa/service.js
index a6607d2..68beb17 100644
--- a/install/ui/src/freeipa/service.js
+++ b/install/ui/src/freeipa/service.js
@@ -133,11 +133,11 @@ return {
 add_field_label: '@i18n:authtype.auth_indicator',
 options: [
 {
-label: '@i18n:authtype.otp',
+label: 'otp',
 value: 'otp'
 },
 {
-label: '@i18n:authtype.type_radius',
+label: 'radius',
 value: 'radius'
 }
 ],
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#466][+ack] pkinit: make sure to have proper dictionary for Kerberos instance on upgrade

2017-02-15 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/466
Title: #466: pkinit: make sure to have proper dictionary for Kerberos instance 
on upgrade

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#468][opened] Remove non-sensical kdestroy on https stop

2017-02-15 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/468
Author: simo5
 Title: #468: Remove non-sensical kdestroy on https stop
Action: opened

PR body:
"""
This kdestroy runs as root and wipes root's own ccaches ...
this is totally inappropriate.

https://fedorahosted.org/freeipa/ticket/6673

Signed-off-by: Simo Sorce 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/468/head:pr468
git checkout pr468
From 9bb27c8f897458a5a2225da7a3faffe0d8be4eef Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Wed, 15 Feb 2017 04:44:59 -0500
Subject: [PATCH] Remove non-sensical kdestroy on https stop

This kdestroy runs as root and wipes root's own ccaches ...
this is totally inappropriate.

https://fedorahosted.org/freeipa/ticket/6673

Signed-off-by: Simo Sorce 
---
 install/share/ipa-httpd.conf.template | 1 -
 ipaplatform/redhat/tasks.py   | 3 +--
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template
index a907d73..de8e88b 100644
--- a/install/share/ipa-httpd.conf.template
+++ b/install/share/ipa-httpd.conf.template
@@ -4,4 +4,3 @@
 Environment=KRB5CCNAME=$KRB5CC_HTTPD
 Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
 ExecStartPre=$IPA_HTTPD_KDCPROXY
-ExecStopPost=$POST
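Review bot: with `ExecStopPost` gone nothing touches `$KRB5CC_HTTPD` on stop, so the service ccache now outlives httpd. If that is intended (the cache is reused or replaced on the next start), one sentence in the commit message will stop someone from re-adding a hook later; if it is not, the replacement should run kdestroy as the httpd user against that one cache, not as root with `-A`.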
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 9dd71b4..ea1abbf 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -451,8 +451,7 @@ def configure_httpd_service_ipa_conf(self):
 dict(
 KRB5CC_HTTPD=paths.KRB5CC_HTTPD,
 KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
-IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
-POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
+IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY
 )
 )
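Review bot: with `POST` dropped, `paths.KDESTROY` may have no remaining user in the code base; grep for it and remove the constant from ipaplatform paths if this was the only consumer, so the binary path does not linger as dead configuration.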
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#450][synchronized] Add FIPS-token password of HTTPD NSS database

2017-02-15 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/450
Author: stlaz
 Title: #450: Add FIPS-token password of HTTPD NSS database
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/450/head:pr450
git checkout pr450
From 9819e57a22318f187d3d8154e71670f0e1ea0b73 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 9 Jan 2017 08:45:33 +0100
Subject: [PATCH] Add FIPS-token password of HTTPD NSS database

This change is required for httpd to function properly in FIPS

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/httpinstance.py | 19 ---
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7317fba..732e3cd 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -329,14 +329,19 @@ def create_password_conf(self):
 This is the format of mod_nss pin files.
 """
 pwd_conf = paths.HTTPD_PASSWORD_CONF
-
 ipautil.backup_file(pwd_conf)
-f = open(pwd_conf, "w")
-f.write("internal:")
-pwdfile = open(os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt'))
-f.write(pwdfile.read())
-f.close()
-pwdfile.close()
+passwd_fname = open(os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt'))
+
+with open(passwd_fname) as pwdfile:
+password = pwdfile.read()
+
+with open(pwd_conf, "w") as f:
+f.write("internal:")
+f.write(password)
+f.write("\nNSS FIPS 140-2 Certificate DB:")
+f.write(password)
+# make sure other processes can access the file contents ASAP
+f.flush()
 pent = pwd.getpwnam(constants.HTTPD_USER)
 os.chown(pwd_conf, pent.pw_uid, pent.pw_gid)
 os.chmod(pwd_conf, 0o400)
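Review bot: `passwd_fname = open(os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt'))` returns a file object, and the next statement passes it to `open()` again (`with open(passwd_fname) as pwdfile:`), which raises TypeError; `passwd_fname` should be the path, i.e. `passwd_fname = os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt')`. Separately, the pin file is created with `open(pwd_conf, "w")` under the process umask and is only chowned and chmodded to 0400 after the password has been written twice, so for a moment it is readable according to the umask. Open it with `os.open(pwd_conf, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` (or write a temp file and rename it into place) so the secret never sits in a permissive file; the `f.flush()` comment about other processes then becomes moot.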
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
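How the pin file from PR #450 can be written without ever existing in a readable state, as an added example that is not taken from FreeIPA's httpinstance.py. The token names "internal" and "NSS FIPS 140-2 Certificate DB" are the ones in the patch; the function names, the temp-file-and-rename scheme, the 0600/0400 modes and the sample password are this example's own assumptions.

```python
"""Write an NSS pin file so that its contents are never readable by others.

Added illustration, not FreeIPA code. Paths and owner are parameters instead of
the project's paths/constants; only the two token names mirror the patch.
"""
import os
import stat
import tempfile

FIPS_TOKEN = "NSS FIPS 140-2 Certificate DB"   # token name as in the patch


def render_pin_file(password, tokens=("internal", FIPS_TOKEN)):
    """Return the mod_nss pin file body: one 'token:password' line per token."""
    return "".join("%s:%s\n" % (token, password) for token in tokens)


def read_password(pwdfile_path):
    """Read the NSS database password, stripping only a trailing newline."""
    with open(pwdfile_path) as f:
        return f.read().rstrip("\n")


def write_secret_file(path, data, uid=-1, gid=-1, mode=0o400):
    """Atomically create `path` with `data` and no window of readability.

    The content goes to a temp file that mkstemp creates with mode 0600 in
    the destination directory, is fsync'ed, chowned, set to the final mode
    and only then renamed over the destination; a concurrent reader never
    sees a partial or permissive file.
    """
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".pin.", dir=dirname)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        if uid != -1 or gid != -1:
            os.chown(tmp, uid, gid)      # hand the file to the service user
        os.chmod(tmp, mode)
        os.rename(tmp, path)             # atomic replacement within one directory
    except BaseException:
        os.unlink(tmp)
        raise
    return path


def create_password_conf(pwdfile_path, pin_path, uid=-1, gid=-1):
    """Build the pin file from pwdfile.txt; returns the resulting mode bits."""
    body = render_pin_file(read_password(pwdfile_path))
    write_secret_file(pin_path, body, uid, gid)
    return stat.S_IMODE(os.stat(pin_path).st_mode)


def demo():
    """Run the flow in a scratch directory; returns (mode, contents)."""
    scratch = tempfile.mkdtemp()
    pwdfile = os.path.join(scratch, "pwdfile.txt")
    with open(pwdfile, "w") as f:
        f.write("s3cret\n")              # constructed sample password
    pin = os.path.join(scratch, "password.conf")
    mode = create_password_conf(pwdfile, pin)
    with open(pin) as f:
        body = f.read()
    return mode, body


if __name__ == "__main__":
    mode, body = demo()
    print(oct(mode))
    print(body, end="")
```

The chown step is skipped when no owner is given so the example runs unprivileged; in a real installer the uid/gid of the web server user would be passed, exactly as the patch does with `pwd.getpwnam`.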

[Freeipa-devel] [freeipa PR#400][synchronized] WebUI: Certificate Mapping

2017-02-15 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/400
Author: pvomacka
 Title: #400: WebUI: Certificate Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/400/head:pr400
git checkout pr400
From f93be59c887ee313ae6c8a5e0e963ee857fee2fb Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Mon, 16 Jan 2017 13:59:16 +0100
Subject: [PATCH 1/3] WebUI: Add possibility to set widget always writable

If a widget has the attribute 'always_writable' set to true, then the
'no_update' flag is ignored. Used for the command user-{add,remove}-certmap,
which needs to be writable in the WebUI and also needs to be omitted from
the user-mod command.

Part of: https://fedorahosted.org/freeipa/ticket/6601
---
 install/ui/src/freeipa/field.js  | 11 ++-
 install/ui/src/freeipa/widget.js |  2 ++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index d70a778..2d05ab1 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -484,7 +484,16 @@ field.field = IPA.field = function(spec) {
 writable = false;
 }
 
-if (that.metadata.flags && array.indexOf(that.metadata.flags, 'no_update') > -1) {
+// In case that widget has set always_writable attribute, then
+// 'no_update' flag is ignored in WebUI. It is done because of
+// commands like user-{add,remove}-certmap. They operate with user's
+// attribute, which cannot be changed using user-mod, but only
+// using command user-{add,remove}-certmap. Therefore it has set
+// 'no_update' flag, but we need to show 'Add', 'Remove' buttons in
+// WebUI.
+if (that.metadata.flags &&
+array.indexOf(that.metadata.flags, 'no_update') > -1 &&
+that.widget && !that.widget.always_writable) {
 writable = false;
 }
 }
diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 6ad8aad..e6dfef9 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -1516,6 +1516,8 @@ IPA.custom_command_multivalued_widget = function(spec) {
 
 var that = IPA.multivalued_widget(spec);
 
+that.always_writable = spec.always_writable || true;
+
 that.item_name = spec.item_name || '';
 
 that.adder_dialog_spec = spec.adder_dialog_spec;
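Review bot: `spec.always_writable || true` is always true (`false || true` evaluates to true), so a spec can never switch the flag off and the `!that.widget.always_writable` test added in field.js is dead code for this widget type. If the default is meant to be true, use `spec.always_writable === undefined ? true : spec.always_writable` (or `spec.always_writable !== false`).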

From 751c6ff6cf1118e1f1794e0f7b680809ecd2fe77 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Mon, 16 Jan 2017 14:13:42 +0100
Subject: [PATCH 2/3] WebUI: Create non editable row widget for multivalued
 widget

The old krb-principal widget is changed to a general one, which is also
used for ipacertmapdata in user.

This widget makes every line non-editable.

Part of: https://fedorahosted.org/freeipa/ticket/6601
---
 install/ui/src/freeipa/host.js|  3 ++-
 install/ui/src/freeipa/service.js |  3 ++-
 install/ui/src/freeipa/user.js|  3 ++-
 install/ui/src/freeipa/widget.js  | 29 +++--
 4 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/install/ui/src/freeipa/host.js b/install/ui/src/freeipa/host.js
index 87cf264..023530a 100644
--- a/install/ui/src/freeipa/host.js
+++ b/install/ui/src/freeipa/host.js
@@ -93,7 +93,8 @@ return {
 name: 'krbprincipalname',
 item_name: 'principal',
 child_spec: {
-$type: 'krb_principal'
+$type: 'non_editable_row',
+data_name: 'krb-principal'
 }
 },
 {
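Review bot: the host, service and user specs move from `$type: 'krb_principal'` to `'non_editable_row'` with `data_name: 'krb-principal'`; if the `krb_principal` widget type is unregistered in the widget.js part of this patch (not visible here), out-of-tree UI plugins that still reference `$type: 'krb_principal'` will break, so either keep an alias for the old type name or call the removal out in the commit message.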
diff --git a/install/ui/src/freeipa/service.js b/install/ui/src/freeipa/service.js
index a6607d2..adae347 100644
--- a/install/ui/src/freeipa/service.js
+++ b/install/ui/src/freeipa/service.js
@@ -81,7 +81,8 @@ return {
 name: 'krbprincipalname',
 item_name: 'principal',
 child_spec: {
-$type: 'krb_principal'
+$type: 'non_editable_row',
+data_name: 'krb-principal'
 }
 },
 {
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index 7a08151..a36b65a 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -192,7 +192,8 @@ return {
 name: 'krbprincipalname',
 item_name: 'principal',
 child_spec: {
-$type: 'krb_principal'
+$type: 'non_editable_row',
+data_name: 'krb-principal'
  

[Freeipa-devel] [freeipa PR#407][synchronized] New lite-server implementation

2017-02-15 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/407
Author: tiran
 Title: #407: New lite-server implementation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/407/head:pr407
git checkout pr407
From 88f8c15035cff7cfb668e7adbb4d587b0badc186 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Sat, 21 Jan 2017 19:34:12 +0100
Subject: [PATCH] New lite-server implementation

The new development server depends on werkzeug instead of paste. The
werkzeug WSGI server comes with some additional features, most
noticeable multi-processing server. The IPA framework is not compatible
with threaded servers. Werkzeug can serve static files easily and has a
fast auto-reloader.

The new lite-server implementation depends on PR 314 (privilege
separation). For Python 3 support, it additionally depends on PR 393.

Signed-off-by: Christian Heimes 
---
 BUILD.txt  |   2 +-
 Makefile.am|   7 +-
 contrib/Makefile.am|   3 +-
 contrib/lite-server.py | 224 +
 lite-server.py | 158 --
 5 files changed, 232 insertions(+), 162 deletions(-)
 create mode 100755 contrib/lite-server.py
 delete mode 100755 lite-server.py

diff --git a/BUILD.txt b/BUILD.txt
index 620adc3..10b1943 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -41,7 +41,7 @@ install the rpms and then configure IPA using ipa-server-install.
 Get a TGT for the admin user with: kinit admin
 
 Next you'll need 2 sessions in the source tree. In the first session run
-python lite-server.py. In the second session copy /etc/ipa/default.conf into
+```make lite-server```. In the second session copy /etc/ipa/default.conf into
 ~/.ipa/default.conf and replace xmlrpc_uri with http://127.0.0.1:/ipa/xml.
 Finally run the ./ipa tool and it will make requests to the lite-server
 listening on 127.0.0.1:.
diff --git a/Makefile.am b/Makefile.am
index 9bfc899..9135cd5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -6,7 +6,6 @@ SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipa
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
 		   ipasetup.pyc ipasetup.pyo \
-		   lite-server.pyc lite-server.pyo \
 		   pylint_plugins.pyc pylint_plugins.pyo
 
 # user-facing scripts
@@ -14,7 +13,6 @@ dist_bin_SCRIPTS = ipa
 
 # files required for build but not installed
 dist_noinst_SCRIPTS = ignore_import_errors.py \
-		  lite-server.py \
 		  makeapi \
 		  makeaci \
 		  make-doc \
@@ -119,6 +117,11 @@ _srpms-body: _rpms-prep
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
 
+.PHONY: lite-server
+lite-server: $(top_builddir)/ipapython/version.py
+	+$(MAKE) -C $(top_builddir)/install/ui
+	PYTHONPATH=$(top_srcdir) $(PYTHON) -bb contrib/lite-server.py
+
 .PHONY: lint
 if WITH_POLINT
 POLINT_TARGET = polint
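Review bot: `contrib/lite-server.py` is a path relative to the current directory rather than `$(top_srcdir)/contrib/lite-server.py`, so the target fails from an out-of-tree build directory; and since the recipe hard-codes the command line there is no way to pass options to the script without editing the Makefile, so a pass-through variable (for example `$(LITESERVER_ARGS)` appended to the command) would be worth adding now.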
diff --git a/contrib/Makefile.am b/contrib/Makefile.am
index 108a808..b28f2e7 100644
--- a/contrib/Makefile.am
+++ b/contrib/Makefile.am
@@ -1,4 +1,5 @@
 SUBDIRS = completion
 
 EXTRA_DIST = \
-	nssciphersuite
+	nssciphersuite \
+	lite-server.py
diff --git a/contrib/lite-server.py b/contrib/lite-server.py
new file mode 100755
index 000..0d2a595
--- /dev/null
+++ b/contrib/lite-server.py
@@ -0,0 +1,224 @@
+#!/usr/bin/env python
+#
+# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
+#
+"""In-tree development server
+
+The dev server requires a Kerberos TGT and a file based credential cache:
+
+$ mkdir -p ~/.ipa
+$ export KRB5CCNAME=~/.ipa/ccache
+$ kinit admin
+$ make lite-server
+
+Optionally you can set KRB5_CONFIG to use a custom Kerberos configuration
+instead of /etc/krb5.conf.
+
+By default the dev server supports HTTP only. To switch to HTTPS, you can put
+a PEM file at ~/.ipa/lite.pem. The PEM file must contain a server certificate,
+its unencrypted private key and intermediate chain certs (if applicable).
+
+Prerequisite
+
+
+Additionally to build and runtime requirements of FreeIPA, the dev server
+depends on the werkzeug framework and optionally watchdog for auto-reloading.
+You may also have to enable a development COPR.
+
+$ sudo dnf install -y dnf-plugins-core
+$ sudo dnf builddep --spec freeipa.spec.in
+$ sudo dnf install -y python-werkzeug python2-watchdog \
+python3-werkzeug python3-watchdog
+$ ./autogen.sh
+
+For more information see
+
+  * http://www.freeipa.org/page/Build
+  * http://www.freeipa.org/page/Testing
+
+"""
+from __future__ import print_function
+
+import os
+import optparse  # pylint: disable=deprecated-module
+import ssl
+import sys
+import warnings
+
+import ipalib
+from ipalib import api
+from ipalib.krb_utils import krb5_parse_ccache
+from ipalib.krb_utils import krb5_unparse_ccache
+
+# pylint: disable=import-error
+fr

[Freeipa-devel] [freeipa PR#396][synchronized] Explicitly remove support of SSLv2

2017-02-15 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/396
Author: stlaz
 Title: #396: Explicitly remove support of SSLv2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/396/head:pr396
git checkout pr396
From b5bea925775bd07e867ac79db9287d06faa0189b Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 13 Jan 2017 12:31:29 +0100
Subject: [PATCH] Explicitly remove support of SSLv2

It was possible to set tls_version_min/max to 'ssl2', even though
newer versions of NSS will fail to set this as a valid TLS version.
This patch explicitly checks for deprecated TLS versions prior to
creating a TLS connection.

Also, we don't allow tls_version_min/max to be set to a random
string anymore.

https://fedorahosted.org/freeipa/ticket/6607
---
 ipalib/config.py| 27 ++--
 ipalib/constants.py | 10 +
 ipapython/nsslib.py | 60 +++--
 3 files changed, 93 insertions(+), 4 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..1a59879 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -41,8 +41,11 @@
 
 from ipapython.dn import DN
 from ipalib.base import check_name
-from ipalib.constants import CONFIG_SECTION
-from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
+from ipalib.constants import (
+CONFIG_SECTION,
+OVERRIDE_ERROR, SET_ERROR, DEL_ERROR,
+TLS_VERSIONS
+)
 from ipalib import errors
 
 if six.PY3:
@@ -578,6 +581,26 @@ def _finalize_core(self, **defaults):
 
 self._merge(**defaults)
 
+# set the best known TLS version if min/max versions are not set
+if 'tls_version_min' not in self:
+self.tls_version_min = TLS_VERSIONS[-1]
+elif self.tls_version_min not in TLS_VERSIONS:
+raise errors.EnvironmentError(
+"Unknown TLS version '{ver}' set in tls_version_min."
+.format(ver=self.tls_version_min))
+
+if 'tls_version_max' not in self:
+self.tls_version_max = TLS_VERSIONS[-1]
+elif self.tls_version_max not in TLS_VERSIONS:
+raise errors.EnvironmentError(
+"Unknown TLS version '{ver}' set in tls_version_max."
+.format(ver=self.tls_version_max))
+
+if self.tls_version_max < self.tls_version_min:
+raise errors.EnvironmentError(
+"tls_version_min is set to a higher TLS version than "
+"tls_version_max.")
+
 def _finalize(self, **lastchance):
 """
 Finalize and lock environment.
diff --git a/ipalib/constants.py b/ipalib/constants.py
index fa20624..e64324f 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -283,3 +283,13 @@
 # IPA API Framework user
 IPAAPI_USER = 'ipaapi'
 IPAAPI_GROUP = 'ipaapi'
+
+# TLS related constants
+TLS_VERSIONS = [
+"ssl2",
+"ssl3",
+"tls1.0",
+"tls1.1",
+"tls1.2"
+]
+TLS_VERSION_MINIMAL = "tls1.0"
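Review bot: TLS_VERSIONS still lists 'ssl2' and 'ssl3', so `tls_version_min = ssl2` passes the validation this same patch adds to ipalib/config.py and is only corrected later in nsslib; since the stated goal is to remove SSLv2 explicitly, either drop the two SSL entries from the accepted list so the config layer rejects them with a clear error, or add a comment here that entries below TLS_VERSION_MINIMAL are accepted only for backwards compatibility and bumped at connection time. A comment on why TLS_VERSION_MINIMAL is 'tls1.0' rather than 'tls1.2' would also help whoever raises it later.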
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 08d05fc..8b02f4b 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -23,6 +23,8 @@
 import getpass
 import socket
 from ipapython.ipa_log_manager import root_logger
+from ipapython.ipa_log_manager import log_mgr
+from ipalib.constants import TLS_VERSIONS, TLS_VERSION_MINIMAL
 
 from nss.error import NSPRError
 import nss.io as io
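Review bot: `from ipalib.constants import TLS_VERSIONS, TLS_VERSION_MINIMAL` makes ipapython depend on ipalib, while ipalib/config.py in this same patch imports from ipapython (`from ipapython.dn import DN`); check that this does not create an import cycle, and consider moving the two constants down into ipapython so the lower layer does not import the higher one.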
@@ -38,6 +40,9 @@
 # pylint: disable=import-error
 import http.client as httplib
 
+# get a logger for this module
+logger = log_mgr.get_logger(__name__)
+
 # NSS database currently open
 current_dbdir = None
 
@@ -129,6 +134,55 @@ def client_auth_data_callback(ca_names, chosen_nickname, password, certdb):
 socket.AF_UNSPEC: io.PR_AF_UNSPEC
 }
 
+
+def get_proper_tls_version_span(tls_version_min, tls_version_max):
+"""
+This function checks whether the given TLS versions are known in FreeIPA
+and that these versions fulfill the requirements for minimal TLS version
+(see `ipalib.constants: TLS_VERSIONS, TLS_VERSION_MINIMAL`).
+
+:param tls_version_min:
+the lower value in the TLS min-max span, raised to the lowest allowed
+value if too low
+:param tls_version_max:
+the higher value in the TLS min-max span, raised to tls_version_min
+if lower than TLS_VERSION_MINIMAL
+"""
+min_allowed_idx = TLS_VERSIONS.index(TLS_VERSION_MINIMAL)
+
+try:
+min_version_idx = TLS_VERSIONS.index(tls_version_min)
+except ValueError:
+raise ValueError("tls_version_min ('{val}') is not a known "
+ "TLS version.".format(val=tls_version_min))
+
+try:
+max_version_idx = TLS_VERSIONS.index(tls_version_max)
+except ValueError:
+raise ValueError("tls_version_max ('{val}') is not a known "
+ "TLS version.".format(val=tls_version_max))
+
+if min_version_idx > max_version_idx:
+raise ValueEr
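Review bot: the docstring of get_proper_tls_version_span says values below TLS_VERSION_MINIMAL are silently raised, while _finalize_core in ipalib/config.py raises EnvironmentError for the analogous ordering problem; the two layers should agree on one policy, and whenever a value is bumped it should be logged through the new module logger at warning level so an administrator can see that a configured 'ssl3' became 'tls1.0'. The unknown-version checks here also duplicate the ones in config.py; if they are kept as a defence for callers that bypass the environment, say so in the docstring.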

[Freeipa-devel] [freeipa PR#450][comment] Add FIPS-token password of HTTPD NSS database

2017-02-15 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/450
Title: #450: Add FIPS-token password of HTTPD NSS database

stlaz commented:
"""
You shouldn't turn FIPS on post-install (is what I think you mean), correct.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/450#issuecomment-279958668
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#446][edited] No NSS database passwords in ipa-client-install

2017-02-15 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
 Title: #446: No NSS database passwords in ipa-client-install
Action: edited

 Changed field: title
Original value:
"""
No NSS database passwords in ipa-client-install
"""


[Freeipa-devel] [freeipa PR#446][comment] No NSS database passwords in ipa-client-install

2017-02-15 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/446
Title: #446: No NSS database passwords in ipa-client-install

stlaz commented:
"""
This patchset seems more like a cleanup after the privilege separation one, 
although adding a password to certutil calls is still the main topic here.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/446#issuecomment-279957378

[Freeipa-devel] [freeipa PR#446][synchronized] No NSS database passwords in ipa-client-install

2017-02-15 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
 Title: #446: No NSS database passwords in ipa-client-install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446
From d98a7565979b8fb06ea44371a5d7550da45ce5b5 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 6 Dec 2016 09:14:54 +0100
Subject: [PATCH 1/2] Add password to certutil calls in NSSDatabase

NSSDatabases should call certutil with a password. Also, removed
`password_filename` argument from `.create_db()`.

https://fedorahosted.org/freeipa/ticket/5695
---
 install/tools/ipa-replica-conncheck|  9 +
 ipaclient/install/client.py| 17 +++--
 ipapython/certdb.py| 20 +++-
 ipaserver/install/cainstance.py| 23 +++
 ipaserver/install/ipa_cacert_manage.py |  6 ++
 ipaserver/install/server/upgrade.py|  5 +
 6 files changed, 41 insertions(+), 39 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 04e23de..fdbd4f3 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -542,12 +542,7 @@ def main():
 
 with certdb.NSSDatabase(nss_dir) as nss_db:
 if options.ca_cert_file:
-nss_dir = nss_db.secdir
-
-password = ipautil.ipa_generate_password()
-password_file = ipautil.write_tmp_file(password)
-nss_db.create_db(password_file.name)
-
+nss_db.create_db()
 ca_certs = x509.load_certificate_list_from_file(
 options.ca_cert_file)
 for ca_cert in ca_certs:
@@ -555,8 +550,6 @@ def main():
 serialization.Encoding.DER)
 nss_db.add_cert(
 data, str(DN(ca_cert.subject)), 'C,,')
-else:
-nss_dir = None
 
 api.bootstrap(context='client',
   confdir=paths.ETC_IPA,
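Review bot: the removed `else: nss_dir = None` branch means nss_dir now keeps its original value when --ca-cert-file is not given, where it used to be reset to None before api.bootstrap(); check every later use of nss_dir in main() (the bootstrap call that starts at the end of this hunk in particular) still behaves correctly with a directory in which no database was created, since the first hunk also dropped the `nss_dir = nss_db.secdir` assignment.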
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 2b01b0d..e43ec7b 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2284,18 +2284,8 @@ def install_check(options):
 
 def create_ipa_nssdb():
 db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-pwdfile = os.path.join(db.secdir, 'pwdfile.txt')
-
-ipautil.backup_file(pwdfile)
-ipautil.backup_file(os.path.join(db.secdir, 'cert8.db'))
-ipautil.backup_file(os.path.join(db.secdir, 'key3.db'))
-ipautil.backup_file(os.path.join(db.secdir, 'secmod.db'))
-
-with open(pwdfile, 'w') as f:
-f.write(ipautil.ipa_generate_password())
-os.chmod(pwdfile, 0o600)
-
-db.create_db(pwdfile)
+db.create_db(backup=True)
+os.chmod(db.pwd_file, 0o600)
 os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)
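Review bot: in create_ipa_nssdb the password file is now created inside create_db() and only restricted with `os.chmod(db.pwd_file, 0o600)` afterwards, so under a permissive umask the NSS database password is readable by other local users between the two calls (the previous code had the same window); create the file with mode 0600 from the start inside create_db(), for example with os.open() and O_CREAT|O_WRONLY, and this chmod becomes unnecessary. The explicit `ipautil.backup_file(pwdfile)` call was also removed; confirm that `backup=True` backs up pwd_file as well as the three .db files, otherwise re-running the client installer overwrites the password that belongs to the backed-up databases.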
@@ -2667,8 +2657,7 @@ def _install(options):
 for cert in ca_certs
 ]
 try:
-pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
-tmp_db.create_db(pwd_file.name)
+tmp_db.create_db()
 
 for i, cert in enumerate(ca_certs):
 tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index a6bfcbc..73387cf 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -17,7 +17,6 @@
 # along with this program.  If not, see .
 #
 
-import binascii
 import os
 import io
 import pwd
@@ -112,13 +111,12 @@ def __exit__(self, type, value, tb):
 def run_certutil(self, args, stdin=None, **kwargs):
 new_args = [CERTUTIL, "-d", self.secdir]
 new_args = new_args + args
+new_args.extend(['-f', self.pwd_file])
 return ipautil.run(new_args, stdin, **kwargs)
 
-def create_db(self, password_filename=None, user=None, group=None,
-  mode=None, backup=False):
+def create_db(self, user=None, group=None, mode=None, backup=False):
 """Create cert DB
 
-:param password_filename: Name of file containing the database password
 :param user: User owner the secdir
 :param group: Group owner of the secdir
 :param mode: Mode of the secdir
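Review bot: run_certutil now appends `-f self.pwd_file` to every certutil invocation, including calls on databases that were not created through create_db() and may therefore have no pwd_file; certutil fails when the file given to -f does not exist, so either add the option only when the file is present or state in the class docstring that an NSSDatabase must be created by this class (or have its pwd_file populated) before any other method is used. With the password_filename parameter gone, the create_db() docstring should also say where the password comes from and that it is generated rather than caller-supplied.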
@@ -145,19 +143,15 @@ def create_db(self, password_filename=None, user=None, group=None,
 if not os.path.exists(self.secdir):
 os.makedirs(self.secdir, dirmode)
 
-if password_filename is None:
-password_filename = self.pwd_file
-
-if not os.path.exists(password_filename):
+if not os.

[Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing

2017-02-15 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing

stlaz commented:
"""
@pvoborni The remaining usages are server/CA certificates verification in 
`certdb.py` and apparently some encryption/decryption actions in the Vault 
plugin. @HonzaCholasta already has patches for the former and getting rid of 
the latter should not be that hard as well.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/397#issuecomment-279953314

[Freeipa-devel] [freeipa PR#467][opened] ipaclient: schema cache: Write all schema files in concurrent-safe way

2017-02-15 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/467
Author: dkupka
 Title: #467: ipaclient: schema cache: Write all schema files in 
concurrent-safe way
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6668
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/467/head:pr467
git checkout pr467
From cc9cb78c3e34d946371ccde222560d92a41fa466 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 15 Feb 2017 09:34:10 +0100
Subject: [PATCH] ipaclient: schema cache: Write all schema files in
 concurrent-safe way

https://fedorahosted.org/freeipa/ticket/6668
---
 ipaclient/remote_plugins/__init__.py |  5 -
 ipaclient/remote_plugins/schema.py   | 13 +++--
 ipapython/ipautil.py | 31 +++
 3 files changed, 38 insertions(+), 11 deletions(-)

diff --git a/ipaclient/remote_plugins/__init__.py b/ipaclient/remote_plugins/__init__.py
index da7004d..7b8bdd3 100644
--- a/ipaclient/remote_plugins/__init__.py
+++ b/ipaclient/remote_plugins/__init__.py
@@ -14,6 +14,8 @@
 from ipaclient.plugins.rpcclient import rpcclient
 from ipapython.dnsutil import DNSName
 from ipapython.ipa_log_manager import log_mgr
+from ipapython.ipautil import concurrent_open
+
 
 logger = log_mgr.get_logger(__name__)
 
@@ -58,7 +60,8 @@ def _write(self):
 except EnvironmentError as e:
 if e.errno != errno.EEXIST:
 raise
-with open(self._path, 'w') as sc:
+
+with concurrent_open(self._path, 'w') as sc:
 json.dump(self._dict, sc)
 except EnvironmentError as e:
 logger.warning('Failed to write server info: {}'.format(e))
diff --git a/ipaclient/remote_plugins/schema.py b/ipaclient/remote_plugins/schema.py
index 15c03f4..2a7cd79 100644
--- a/ipaclient/remote_plugins/schema.py
+++ b/ipaclient/remote_plugins/schema.py
@@ -25,6 +25,7 @@
 from ipapython.dn import DN
 from ipapython.dnsutil import DNSName
 from ipapython.ipa_log_manager import log_mgr
+from ipapython.ipautil import concurrent_open
 
 FORMAT = '1'
 
@@ -407,17 +408,9 @@ def __init__(self, client, fingerprint=None):
 @contextlib.contextmanager
 def _open(self, filename, mode):
 path = os.path.join(self._DIR, filename)
+with concurrent_open(path, mode) as f:
+yield f
 
-with io.open(path, mode) as f:
-if mode.startswith('r'):
-fcntl.flock(f, fcntl.LOCK_SH)
-else:
-fcntl.flock(f, fcntl.LOCK_EX)
-
-try:
-yield f
-finally:
-fcntl.flock(f, fcntl.LOCK_UN)
 
 def _fetch(self, client, ignore_cache=False):
 if not client.isconnected():
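Review bot: the removed body of _open was the code using io.open and fcntl.flock in this method; check whether the `import io` and `import fcntl` at the top of schema.py are still needed and drop them if not, otherwise pylint will flag unused imports. The flock-based reader/writer exclusion is also replaced by the rename-based atomicity of concurrent_open, so a reader that already has the old cache file open keeps reading the old contents; that is fine for a cache but deserves a one-line comment here.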
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 60b4a37..2724d32 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -282,6 +282,37 @@ def write_tmp_file(txt):
 
 return fd
 
+
+@contextmanager
+def concurrent_open(path, mode='r'):
+"""Ensure that complete file is read/written
+
+Works only for r, rb, w, w+, wb, wb+ modes. Default is r.
+
+In read mode behaves the same as build-in open. In write mode all data are
+written to the temporary file first and then moved to target path.
+This approach ensures that reading will be performed on complete file and
+writting will result in complete or none file written at all.
+"""
+if mode in ('w', 'w+', 'wb', 'wb+'):
+with tempfile.NamedTemporaryFile(
+mode=mode, prefix=path, delete=False) as temp_file:
+yield temp_file
+temp_file.flush()
+os.fsync(temp_file.fileno())
+try:
+os.rename(temp_file.name, path)
+except EnvironmentError:
+os.remove(temp_file.name)
+raise
+elif mode in ('r', 'rb'):
+with open(path, mode) as f:
+yield f
+else:
+raise ValueError(u"mode string must be one of 'r', 'rb', 'w', 'w+', "
+ u"'wb', 'wb+'")
+
+
 def shell_quote(string):
 if isinstance(string, str):
 return "'" + string.replace("'", "'\\''") + "'"
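Review bot: in concurrent_open the `yield temp_file` is not wrapped in try/except, so if the caller's body raises (json.dump failing, for instance) the with block exits through the exception, the flush/fsync/rename lines are skipped, and because the file was opened with delete=False the half-written temporary file is left behind next to the target; wrap the yield so that any exception removes temp_file.name before re-raising. The temporary file also lands in the right directory only because `prefix=path` is an absolute path and os.path.join() discards the default tempdir when the next component is absolute; pass `dir=os.path.dirname(path)` and a short prefix explicitly instead of relying on that. Two docstring typos: 'build-in' should be 'built-in' and 'writting' should be 'writing'.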

[Freeipa-devel] [freeipa PR#466][opened] pkinit: make sure to have proper dictionary for Kerberos instance on upgrade

2017-02-15 Thread abbra
   URL: https://github.com/freeipa/freeipa/pull/466
Author: abbra
 Title: #466: pkinit: make sure to have proper dictionary for Kerberos instance 
on upgrade
Action: opened

PR body:
"""

When running PKINIT upgrade we need to make sure full substitution
dictionary is in place or otherwise executing LDAP updates will fail to
find proper objects because $SUFFIX, $DOMAIN, and other variables
will not be substituted.

Fixes https://fedorahosted.org/freeipa/ticket/6670
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/466/head:pr466
git checkout pr466
From 1dc4cea37c4efa74d3c8505abaeb569af87ef269 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 15 Feb 2017 10:14:58 +0200
Subject: [PATCH] pkinit: make sure to have proper dictionary for Kerberos
 instance on upgrade

When running PKINIT upgrade we need to make sure full substitution
dictionary is in place or otherwise executing LDAP updates will fail to
find proper objects because $SUFFIX, $DOMAIN, and other variables
will not be substituted.

Fixes https://fedorahosted.org/freeipa/ticket/6670
---
 ipaserver/install/server/upgrade.py | 12 
 1 file changed, 12 insertions(+)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 509f196..41da723 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1753,6 +1753,18 @@ def upgrade_configuration():
 krb.realm = api.env.realm
 krb.suffix = ipautil.realm_to_suffix(krb.realm)
 krb.subject_base = subject_base
+krb.sub_dict = dict(FQDN=krb.fqdn,
+SUFFIX=krb.suffix,
+DOMAIN=api.env.domain,
+HOST=api.env.host,
+SERVER_ID=installutils.realm_to_serverid(krb.realm),
+REALM=krb.realm,
+KRB5KDC_KADM5_ACL=paths.KRB5KDC_KADM5_ACL,
+DICT_WORDS=paths.DICT_WORDS,
+KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB,
+KDC_CERT=paths.KDC_CERT,
+KDC_KEY=paths.KDC_KEY,
+CACERT_PEM=paths.CACERT_PEM)
 if not os.path.exists(paths.KDC_CERT):
 krb.setup_pkinit()
 replacevars = dict()
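Review bot: the krb.sub_dict literal reproduces the substitution dictionary KrbInstance builds for a fresh install; if the instance exposes that setup as a method, call it here instead of copying the keys, otherwise a key added to one copy will be missing from the other and the next upgrade hits the same unsubstituted-variable failure this commit fixes. If the copy has to stay, a comment saying which method it mirrors would at least point the next editor at the second place to update.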