[Freeipa-devel] [freeipa PR#534][synchronized] Move csrgen templates into ipaclient package

2017-03-02 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/534
Author: tiran
 Title: #534: Move csrgen templates into ipaclient package
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/534/head:pr534
git checkout pr534
From 651ea386f8b2e751a5a8e0932a1718c3b6fac162 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 2 Mar 2017 16:09:53 +0100
Subject: [PATCH 1/2] Move csrgen templates into ipaclient package

csrgen broke packaging of ipaclient for PyPI. All csrgen related
resources are now package data of ipaclient package. Package data is
accessed with Jinja's PackageLoader() or through pkg_resources.

https://pagure.io/freeipa/issue/6714

Signed-off-by: Christian Heimes 
---
 configure.ac   |  1 -
 freeipa.spec.in| 13 
 install/share/Makefile.am  |  1 -
 install/share/csrgen/Makefile.am   | 35 --
 .../share/csrgen/profiles/caIPAserviceCert.json| 15 --
 install/share/csrgen/profiles/userCert.json| 15 --
 install/share/csrgen/rules/dataDNS.json| 15 --
 install/share/csrgen/rules/dataEmail.json  | 15 --
 install/share/csrgen/rules/dataHostCN.json | 15 --
 install/share/csrgen/rules/dataSubjectBase.json| 15 --
 install/share/csrgen/rules/dataUsernameCN.json | 15 --
 install/share/csrgen/rules/syntaxSAN.json  | 15 --
 install/share/csrgen/rules/syntaxSubject.json  | 16 --
 install/share/csrgen/templates/certutil_base.tmpl  | 11 ---
 install/share/csrgen/templates/openssl_base.tmpl   | 35 --
 install/share/csrgen/templates/openssl_macros.tmpl | 29 --
 ipaclient/csrgen.py| 21 +
 ipaclient/csrgen/profiles/caIPAserviceCert.json| 15 ++
 ipaclient/csrgen/profiles/userCert.json| 15 ++
 ipaclient/csrgen/rules/dataDNS.json| 15 ++
 ipaclient/csrgen/rules/dataEmail.json  | 15 ++
 ipaclient/csrgen/rules/dataHostCN.json | 15 ++
 ipaclient/csrgen/rules/dataSubjectBase.json| 15 ++
 ipaclient/csrgen/rules/dataUsernameCN.json | 15 ++
 ipaclient/csrgen/rules/syntaxSAN.json  | 15 ++
 ipaclient/csrgen/rules/syntaxSubject.json  | 16 ++
 ipaclient/csrgen/templates/certutil_base.tmpl  | 11 +++
 ipaclient/csrgen/templates/openssl_base.tmpl   | 35 ++
 ipaclient/csrgen/templates/openssl_macros.tmpl | 29 ++
 ipaclient/setup.py | 10 ++-
 ipaplatform/base/paths.py  |  1 -
 31 files changed, 241 insertions(+), 263 deletions(-)
 delete mode 100644 install/share/csrgen/Makefile.am
 delete mode 100644 install/share/csrgen/profiles/caIPAserviceCert.json
 delete mode 100644 install/share/csrgen/profiles/userCert.json
 delete mode 100644 install/share/csrgen/rules/dataDNS.json
 delete mode 100644 install/share/csrgen/rules/dataEmail.json
 delete mode 100644 install/share/csrgen/rules/dataHostCN.json
 delete mode 100644 install/share/csrgen/rules/dataSubjectBase.json
 delete mode 100644 install/share/csrgen/rules/dataUsernameCN.json
 delete mode 100644 install/share/csrgen/rules/syntaxSAN.json
 delete mode 100644 install/share/csrgen/rules/syntaxSubject.json
 delete mode 100644 install/share/csrgen/templates/certutil_base.tmpl
 delete mode 100644 install/share/csrgen/templates/openssl_base.tmpl
 delete mode 100644 install/share/csrgen/templates/openssl_macros.tmpl
 create mode 100644 ipaclient/csrgen/profiles/caIPAserviceCert.json
 create mode 100644 ipaclient/csrgen/profiles/userCert.json
 create mode 100644 ipaclient/csrgen/rules/dataDNS.json
 create mode 100644 ipaclient/csrgen/rules/dataEmail.json
 create mode 100644 ipaclient/csrgen/rules/dataHostCN.json
 create mode 100644 ipaclient/csrgen/rules/dataSubjectBase.json
 create mode 100644 ipaclient/csrgen/rules/dataUsernameCN.json
 create mode 100644 ipaclient/csrgen/rules/syntaxSAN.json
 create mode 100644 ipaclient/csrgen/rules/syntaxSubject.json
 create mode 100644 ipaclient/csrgen/templates/certutil_base.tmpl
 create mode 100644 ipaclient/csrgen/templates/openssl_base.tmpl
 create mode 100644 ipaclient/csrgen/templates/openssl_macros.tmpl

diff --git a/configure.ac b/configure.ac
index 31bfa8a..4a3ba15 100644
--- a/configure.ac
+++ b/configure.ac
@@ -463,7 +463,6 @@ AC_CONFIG_FILES([
 install/share/Makefile
 install/share/advise/Makefile
 install/share/advise/legacy/Makefile
-install/share/csrgen/Makefile
 install/share/profiles/Makefile
 install/share/schema.d/Makefile
 install/ui/Makefile
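Review bot: dropping `install/share/csrgen/Makefile` from AC_CONFIG_FILES matches the deleted `install/share/csrgen/Makefile.am` in the diffstat, but the one-line change to `install/share/Makefile.am` must also remove `csrgen` from its SUBDIRS in the same commit, otherwise autoreconf fails on the missing subdirectory; that hunk is cut off in this mail, so please confirm it is there.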
diff --git a/freeipa.spec.in 

[Freeipa-devel] [freeipa PR#534][comment] Move csrgen templates into ipaclient package

2017-03-02 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/534
Title: #534: Move csrgen templates into ipaclient package

tiran commented:
"""
In my opinion, a user should never modify a file that is managed by a package 
manager and not explicitly marked as a config file. Files in both 
`/usr/share` and `site-packages` are not config files.

How about http://jinja.pocoo.org/docs/2.9/api/#jinja2.ChoiceLoader and this 
idea?

```
import os

import jinja2
from ipalib import api

# ChoiceLoader takes one list of loaders and tries them in order: the
# admin's copy under conf_dir wins, the packaged template is the fallback.
loader = jinja2.ChoiceLoader([
    jinja2.FileSystemLoader(os.path.join(api.env.conf_dir, 'csrgen/templates')),
    jinja2.PackageLoader('ipaclient', 'csrgen/templates'),
])
```

This allows users to override the templates by copying them to 
```/etc/ipa/csrgen/templates```. We'd need similar code for the JSON files, too.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/534#issuecomment-283881532
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
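The "similar code for the JSON files" part of the comment above, as an added example that is not FreeIPA code: a standard-library resolver that gives the admin's copy under a conf_dir precedence over the packaged default, the way ChoiceLoader(FileSystemLoader, PackageLoader) does for templates, and validates the resource name the same way jinja2's split_template_path does. The directory layout and the rule contents are constructed for the demo.

```python
import json
import os
import tempfile


class ResourceNotFound(LookupError):
    """No search location provides the requested csrgen resource."""


def split_resource_name(name):
    """Validate a resource name the way jinja2's split_template_path does.

    '..' components and OS path separators are rejected, so a user-supplied
    profile or rule name can never resolve outside the search directories.
    """
    pieces = []
    for piece in name.split("/"):
        if (os.path.sep in piece
                or (os.path.altsep and os.path.altsep in piece)
                or piece == os.path.pardir):
            raise ResourceNotFound(name)
        if piece and piece != ".":
            pieces.append(piece)
    if not pieces:
        raise ResourceNotFound(name)
    return pieces


def is_safe_name(name):
    """True if split_resource_name() accepts the name."""
    try:
        split_resource_name(name)
    except ResourceNotFound:
        return False
    return True


class ChoiceResolver(object):
    """First hit wins across an ordered list of csrgen directories.

    search_dirs is [override_dir, package_dir]: an admin copy under the
    override directory shadows the packaged default of the same name,
    exactly like ChoiceLoader consulting FileSystemLoader before PackageLoader.
    """

    def __init__(self, search_dirs):
        self.search_dirs = [os.path.abspath(d) for d in search_dirs]

    def find(self, kind, name):
        """kind is 'rules', 'profiles' or 'templates'; returns the file path."""
        pieces = split_resource_name(name)
        for base in self.search_dirs:
            candidate = os.path.join(base, kind, *pieces)
            if os.path.isfile(candidate):
                return candidate
        raise ResourceNotFound("%s/%s" % (kind, name))

    def load_json(self, kind, name):
        with open(self.find(kind, name + ".json")) as f:
            return json.load(f)

    def load_template(self, name):
        with open(self.find("templates", name)) as f:
            return f.read()


def demo():
    """Constructed layout: packaged defaults plus one admin override.

    Returns which copy each lookup resolved to, for inspection.
    """
    root = tempfile.mkdtemp(prefix="csrgen-demo-")
    pkg_dir = os.path.join(root, "site-packages", "ipaclient", "csrgen")
    conf_dir = os.path.join(root, "etc", "ipa", "csrgen")

    def write(base, rel, content):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)

    # Packaged defaults (constructed stand-ins for the real rule/profile files).
    write(pkg_dir, "rules/dataDNS.json",
          json.dumps({"helper": "openssl", "source": "package"}))
    write(pkg_dir, "profiles/userCert.json", json.dumps({"source": "package"}))
    write(pkg_dir, "templates/openssl_base.tmpl", "[ req ]\n")
    # The admin overrides a single rule; everything else falls through.
    write(conf_dir, "rules/dataDNS.json",
          json.dumps({"helper": "openssl", "source": "override"}))

    resolver = ChoiceResolver([conf_dir, pkg_dir])
    return {
        "dataDNS": resolver.load_json("rules", "dataDNS")["source"],
        "userCert": resolver.load_json("profiles", "userCert")["source"],
        "template": resolver.load_template("openssl_base.tmpl"),
        "traversal_rejected": not is_safe_name("../../../etc/passwd"),
    }


if __name__ == "__main__":
    print(demo())
```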

[Freeipa-devel] [freeipa PR#534][comment] Move csrgen templates into ipaclient package

2017-03-02 Thread LiptonB
  URL: https://github.com/freeipa/freeipa/pull/534
Title: #534: Move csrgen templates into ipaclient package

LiptonB commented:
"""
Oops, sorry about the breakage. This seems fine to me, although I hadn't really 
been thinking of the templates and rules as data files. They're intended to be 
possible to modify, more like config files. (Come to think of it, `/usr/share` 
wasn't that appropriate for them either). So, that and the fact that they're 
now duplicated between `python2.*/site-packages` and `python3.*/site-packages` 
give me pause (especially if the user might edit them), but I don't have strong 
feelings about it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/534#issuecomment-283851563

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

2017-03-02 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

abbra commented:
"""
Yes, you can add nsaccountlock attribute retrieval in the `pre_callback` and 
process it in the `post_callback`. nsaccountlock is an operational attribute so 
it needs to be requested explicitly.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/444#issuecomment-283723205

[Freeipa-devel] [freeipa PR#535][comment] add whoami command

2017-03-02 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/535
Title: #535: add whoami command

abbra commented:
"""
Design page: http://www.freeipa.org/page/V4/Who_Am_I_Command
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/535#issuecomment-283716554

[Freeipa-devel] [freeipa PR#535][opened] add whoami command

2017-03-02 Thread abbra
   URL: https://github.com/freeipa/freeipa/pull/535
Author: abbra
 Title: #535: add whoami command
Action: opened

PR body:
"""
The `ipa whoami` command allows querying details about the currently
authenticated identity. The command returns the following information:

  * object class name
  * function to call to get actual details about the object
  * arguments to pass to the function
  * options to pass to the function

There are five types of objects that could bind to IPA using their
credentials. An `ipa whoami` call expects one of the following:

  * users
  * staged users
  * hosts
  * Kerberos services
  * ID user override from the default trust view

The latter category of objects is automatically mapped by the SASL GSSAPI
mapping rule in 389-ds for users from trusted Active Directory forests.

The command is expected to be used by the Web UI to define the proper view for
the authenticated identity.

Below is an example of what the communication looks like for an Active
Directory user who has an ID override in 'Default Trust View'.

$ ipa -vv whoami
ipa: INFO: trying https://ipa.example.com/ipa/session/json
ipa: INFO: Forwarding 'whoami/1' to json server 'https://ipa.example.com/ipa/session/json'
ipa: INFO: Request: {
    "id": 0,
    "method": "whoami/1",
    "params": [
        [],
        {
            "version": "2.220"
        }
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "Administrator@AD.DOMAIN",
    "result": {
        "arguments": [
            "default trust view",
            "administrator@ad.domain"
        ],
        "details": "idoverrideuser_show/1",
        "object": "idoverrideuser",
        "options": []
    },
    "version": ""
}

Fixes https://pagure.io/freeipa/issue/6643
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/535/head:pr535
git checkout pr535
From f400b8021a7af27e9d377d3b28fff2ace4eadffc Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Thu, 2 Mar 2017 18:03:05 +0200
Subject: [PATCH] add whoami command

The `ipa whoami` command allows querying details about the currently
authenticated identity. The command returns the following information:

  * object class name
  * function to call to get actual details about the object
  * arguments to pass to the function
  * options to pass to the function

There are five types of objects that could bind to IPA using their
credentials. An `ipa whoami` call expects one of the following:

  * users
  * staged users
  * hosts
  * Kerberos services
  * ID user override from the default trust view

The latter category of objects is automatically mapped by the SASL GSSAPI
mapping rule in 389-ds for users from trusted Active Directory forests.

The command is expected to be used by the Web UI to define the proper view for
the authenticated identity.

Below is an example of what the communication looks like for an Active
Directory user who has an ID override in 'Default Trust View'.

$ ipa -vv whoami
ipa: INFO: trying https://ipa.example.com/ipa/session/json
ipa: INFO: Forwarding 'whoami/1' to json server 'https://ipa.example.com/ipa/session/json'
ipa: INFO: Request: {
    "id": 0,
    "method": "whoami/1",
    "params": [
        [],
        {
            "version": "2.220"
        }
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "Administrator@AD.DOMAIN",
    "result": {
        "arguments": [
            "default trust view",
            "administrator@ad.domain"
        ],
        "details": "idoverrideuser_show/1",
        "object": "idoverrideuser",
        "options": []
    },
    "version": ""
}

Fixes https://pagure.io/freeipa/issue/6643
---
 API.txt  |   8 +++
 VERSION.m4   |   4 +-
 ipaclient/plugins/whoami.py  |  20 ++
 ipaserver/plugins/idviews.py |   5 ++
 ipaserver/plugins/whoami.py  | 141 +++
 5 files changed, 176 insertions(+), 2 deletions(-)
 create mode 100644 ipaclient/plugins/whoami.py
 create mode 100644 ipaserver/plugins/whoami.py

diff --git a/API.txt b/API.txt
index a8f8ff1..16ee0ac 100644
--- a/API.txt
+++ b/API.txt
@@ -6441,6 +6441,13 @@ option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[, ])
 output: PrimaryKey('value')
+command: whoami/1
+args: 0,1,4
+option: Str('version?')
+output: Output('arguments', type=[])
+output: Output('details', type=[])
+output: Output('object', type=[])
+output: Output('options', type=[])
 default: aci/1
 default: aci_add/1
 default: aci_del/1
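Review bot: the four `output:` lines for `whoami/1` show empty type lists (`type=[]`); the context line `Output('summary', type=[, ])` shows the `<type ...>` markers were stripped by the mail rendering, so this is most likely cosmetic, but API.txt has to match what `./makeapi` generates, so regenerate it rather than hand-edit. Worth stating in the commit message as well: `args: 0,1,4` means the command takes no positional arguments and only the `version?` option, so the result is determined solely by the bound identity.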
@@ -7005,6 +7012,7 @@ default: vaultcontainer_add_owner/1
 default: vaultcontainer_del/1
 default: vaultcontainer_remove_owner/1
 default: vaultcontainer_show/1
+default: whoami/1
 capability: messages 2.52
 
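A client-side consumer of the `whoami/1` response described in the PR body, as an added example that is not code from the PR: it validates the response, accepts the `details` command only when it is the `*_show` command expected for the reported object, and builds the follow-up JSON-RPC request in the same `[positional, {named}]` params layout the transcript shows. The object-to-command pairs for the four types other than idoverrideuser, and the `[name, value]` shape assumed for non-empty options, are assumptions of this example.

```python
import json

# Expected `details` command per object type. The PR shows only the
# idoverrideuser pair; the other four follow the same naming pattern and
# are an assumption of this example.
ALLOWED_DETAILS = {
    "user": "user_show/1",
    "stageuser": "stageuser_show/1",
    "host": "host_show/1",
    "service": "service_show/1",
    "idoverrideuser": "idoverrideuser_show/1",
}

# The response quoted in the PR description, as the server returns it.
SAMPLE_RESPONSE = json.loads("""
{
  "error": null, "id": 0, "principal": "Administrator@AD.DOMAIN",
  "result": {
    "arguments": ["default trust view", "administrator@ad.domain"],
    "details": "idoverrideuser_show/1",
    "object": "idoverrideuser",
    "options": []
  },
  "version": ""
}
""")


class WhoamiError(ValueError):
    """The whoami response is malformed or names an unexpected command."""


def parse_whoami(response):
    """Validate the response and return (object, details, arguments, options).

    `details` is accepted only when it is the *_show command the client
    already expects for the reported object, so a buggy or tampered
    response can never make the client dispatch an arbitrary method name.
    """
    if response.get("error") is not None:
        raise WhoamiError("server error: %r" % (response["error"],))
    result = response.get("result")
    if not isinstance(result, dict):
        raise WhoamiError("missing result object")
    obj = result.get("object")
    expected = ALLOWED_DETAILS.get(obj)
    if expected is None:
        raise WhoamiError("unknown object type %r" % (obj,))
    details = result.get("details")
    if details != expected:
        raise WhoamiError("unexpected details command %r for %r" % (details, obj))
    args = result.get("arguments", [])
    options = result.get("options", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise WhoamiError("arguments must be a list of strings")
    if not isinstance(options, list):
        raise WhoamiError("options must be a list")
    return obj, details, args, options


def build_details_request(response, request_id=1, api_version="2.220"):
    """Build the follow-up JSON-RPC request for the details command.

    Options are empty in the PR sample; non-empty options are assumed here
    to arrive as [name, value] pairs and are merged into the named params.
    """
    _, details, args, options = parse_whoami(response)
    named = {"version": api_version}
    for name, value in options:
        named[name] = value
    return {"id": request_id, "method": details, "params": [args, named]}


def is_trusted_response(response):
    """True if parse_whoami() accepts the response."""
    try:
        parse_whoami(response)
    except WhoamiError:
        return False
    return True


def mismatched_sample():
    """Constructed copy of the sample whose `details` names a command that
    does not belong to the reported object; parse_whoami() must reject it."""
    bad = json.loads(json.dumps(SAMPLE_RESPONSE))
    bad["result"]["details"] = "user_show/1"
    return bad


if __name__ == "__main__":
    print(json.dumps(build_details_request(SAMPLE_RESPONSE), indent=4))
```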

[Freeipa-devel] [freeipa PR#534][synchronized] Move csrgen templates into ipaclient package

2017-03-02 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/534
Author: tiran
 Title: #534: Move csrgen templates into ipaclient package
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/534/head:pr534
git checkout pr534
From 1f7b6b890a38b97cc0c1b13d2dadae7bbe0b33d2 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 2 Mar 2017 16:09:53 +0100
Subject: [PATCH] Move csrgen templates into ipaclient package

csrgen broke packaging of ipaclient for PyPI. All csrgen related
resources are now package data of ipaclient package. Package data is
accessed with Jinja's PackageLoader() or through pkg_resources.

https://pagure.io/freeipa/issue/6714

Signed-off-by: Christian Heimes 
---
 configure.ac   |  1 -
 freeipa.spec.in|  7 -
 install/share/Makefile.am  |  1 -
 install/share/csrgen/Makefile.am   | 35 --
 .../share/csrgen/profiles/caIPAserviceCert.json| 15 --
 install/share/csrgen/profiles/userCert.json| 15 --
 install/share/csrgen/rules/dataDNS.json| 15 --
 install/share/csrgen/rules/dataEmail.json  | 15 --
 install/share/csrgen/rules/dataHostCN.json | 15 --
 install/share/csrgen/rules/dataSubjectBase.json| 15 --
 install/share/csrgen/rules/dataUsernameCN.json | 15 --
 install/share/csrgen/rules/syntaxSAN.json  | 15 --
 install/share/csrgen/rules/syntaxSubject.json  | 16 --
 install/share/csrgen/templates/certutil_base.tmpl  | 11 ---
 install/share/csrgen/templates/openssl_base.tmpl   | 35 --
 install/share/csrgen/templates/openssl_macros.tmpl | 29 --
 ipaclient/csrgen.py| 21 +
 ipaclient/csrgen/profiles/caIPAserviceCert.json| 15 ++
 ipaclient/csrgen/profiles/userCert.json| 15 ++
 ipaclient/csrgen/rules/dataDNS.json| 15 ++
 ipaclient/csrgen/rules/dataEmail.json  | 15 ++
 ipaclient/csrgen/rules/dataHostCN.json | 15 ++
 ipaclient/csrgen/rules/dataSubjectBase.json| 15 ++
 ipaclient/csrgen/rules/dataUsernameCN.json | 15 ++
 ipaclient/csrgen/rules/syntaxSAN.json  | 15 ++
 ipaclient/csrgen/rules/syntaxSubject.json  | 16 ++
 ipaclient/csrgen/templates/certutil_base.tmpl  | 11 +++
 ipaclient/csrgen/templates/openssl_base.tmpl   | 35 ++
 ipaclient/csrgen/templates/openssl_macros.tmpl | 29 ++
 ipaclient/setup.py | 10 ++-
 ipaplatform/base/paths.py  |  1 -
 31 files changed, 235 insertions(+), 263 deletions(-)
 delete mode 100644 install/share/csrgen/Makefile.am
 delete mode 100644 install/share/csrgen/profiles/caIPAserviceCert.json
 delete mode 100644 install/share/csrgen/profiles/userCert.json
 delete mode 100644 install/share/csrgen/rules/dataDNS.json
 delete mode 100644 install/share/csrgen/rules/dataEmail.json
 delete mode 100644 install/share/csrgen/rules/dataHostCN.json
 delete mode 100644 install/share/csrgen/rules/dataSubjectBase.json
 delete mode 100644 install/share/csrgen/rules/dataUsernameCN.json
 delete mode 100644 install/share/csrgen/rules/syntaxSAN.json
 delete mode 100644 install/share/csrgen/rules/syntaxSubject.json
 delete mode 100644 install/share/csrgen/templates/certutil_base.tmpl
 delete mode 100644 install/share/csrgen/templates/openssl_base.tmpl
 delete mode 100644 install/share/csrgen/templates/openssl_macros.tmpl
 create mode 100644 ipaclient/csrgen/profiles/caIPAserviceCert.json
 create mode 100644 ipaclient/csrgen/profiles/userCert.json
 create mode 100644 ipaclient/csrgen/rules/dataDNS.json
 create mode 100644 ipaclient/csrgen/rules/dataEmail.json
 create mode 100644 ipaclient/csrgen/rules/dataHostCN.json
 create mode 100644 ipaclient/csrgen/rules/dataSubjectBase.json
 create mode 100644 ipaclient/csrgen/rules/dataUsernameCN.json
 create mode 100644 ipaclient/csrgen/rules/syntaxSAN.json
 create mode 100644 ipaclient/csrgen/rules/syntaxSubject.json
 create mode 100644 ipaclient/csrgen/templates/certutil_base.tmpl
 create mode 100644 ipaclient/csrgen/templates/openssl_base.tmpl
 create mode 100644 ipaclient/csrgen/templates/openssl_macros.tmpl

diff --git a/configure.ac b/configure.ac
index 31bfa8a..4a3ba15 100644
--- a/configure.ac
+++ b/configure.ac
@@ -463,7 +463,6 @@ AC_CONFIG_FILES([
 install/share/Makefile
 install/share/advise/Makefile
 install/share/advise/legacy/Makefile
-install/share/csrgen/Makefile
 install/share/profiles/Makefile
 install/share/schema.d/Makefile
 install/ui/Makefile
diff --git a/freeipa.spec.in 

[Freeipa-devel] [freeipa PR#534][comment] Move csrgen templates into ipaclient package

2017-03-02 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/534
Title: #534: Move csrgen templates into ipaclient package

tiran commented:
"""
@LiptonB please have a look.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/534#issuecomment-283680629

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-02 Thread Jakub Hrozek
On Thu, Mar 02, 2017 at 02:47:24PM +0100, Martin Babinsky wrote:
> On 03/02/2017 10:25 AM, Jakub Hrozek wrote:
> > On Thu, Mar 02, 2017 at 08:12:04AM +0100, Martin Babinsky wrote:
> > > On 03/01/2017 05:28 PM, Alexander Bokovoy wrote:
> > > > On Wed, 01 Mar 2017, Simo Sorce wrote:
> > > > > > > My take is: cut API/UI work, and do the underlying infrastructure work
> > > > > > > for the widest set of servers/clients possible instead.
> > > > > > > 
> > > > > > > It is much more important to get the underlying gears done than to add
> > > > > > > UI candy, that can be delayed.
> > > > > > > 
> > > > > > > Simo.
> > > > > > > 
> > > > > > 
> > > > > > I agree, we just have to come to agreement of *which* gears are really
> > > > > > necessary.
> > > > > 
> > > > > Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
> > > > > it is a matter of extending two objectclasses instead of one ... if we
> > > > > decide that Id Views are a good abstraction point.
> > > > Adding the same attribute to ID View and to ipaConfig sounds logical to
> > > > me.
> > > > 
> > > > Martin, if you want help with this, I can implement ID View-related
> > > > parts. SSSD does have code to retrieve ipaConfig already, and it also
> > > > has support for reading ID View associated with the host. The resulting
> > > > value wouldn't end up in the same place, though, but this is something
> > > > to handle on SSSD side.
> > > > 
> > > 
> > > I was thinking about this at night (insomnia FTW) and it is actually pretty
> > > easy to extend ID view with the same attribute (see my other reply to Simo).
> > > Given the UI will be pretty dumb, we just can add the new attribute to the
> > > ID view object and a common code will be responsible for validation of
> > > changed values.
> > 
> > (I'm sorry to come late to the discussion, but I spent yesterday
> > debugging a nasty issue in SSSD and my brain wasn't working anymore)
> > 
> > To be honest, I haven't heard about users requesting to set the feature
> > per-host. Most were interested in a global setting and given the short time
> > before the next release, I thought for users who need a per-client solution,
> > a local sssd.conf modification could also work, also considering that the
> > /only/ solution so far was to modify sssd.conf with the default_domain_suffix
> > hack.
> > 
> > On the other hand, I see Simo's point about easy migration to this new
> > setting and easier tinkering with the option if it's possible to set
> > this per-view. And more importantly, I'm quite sure someone /will/ ask to
> > set this centrally, but per host(group) eventually.
> > 
> > So as long as the final design is a) extendable to provide a per-host
> > setting in the future, even if that part is not implemented in this version
> > in the UI or not used by the clients immediately and b) it's easy for
> > clients to consume this setting, I'm fine.
> > 
> > I'm afraid I can't comment on the ipaConfig issues and the replication
> > concerns as I'm not that proficient with IPA internals..
> > 
> 
> If we introduce a new objectclass providing the attribute, we may then
> easily extend IDView object by it (or any other object for that matter) and
> fix the plugin code so that it can be set by framework, it is easy.
> 
> If you all agree that this is the way we want to move forward with this
> project, I can update the design page and start implementing stuff. We need
> to decide quickly, time is short.

This sounds good to me from purely the client perspective, but I'm
hardly the best person to decide IPA server-side design questions.



[Freeipa-devel] [freeipa PR#504][synchronized] Add SHA256 fingerprints

2017-03-02 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/504
Author: tomaskrizek
 Title: #504: Add SHA256 fingerprints
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/504/head:pr504
git checkout pr504
From b61cfc0883bdb5fe998c95af9ed87ea9db3a794b Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Thu, 23 Feb 2017 17:03:01 +0100
Subject: [PATCH] Add SHA256 fingerprints for certs

https://fedorahosted.org/freeipa/ticket/6701
---
 install/ui/src/freeipa/certificate.js  | 6 +-
 ipaserver/plugins/cert.py  | 7 +++
 ipaserver/plugins/host.py  | 4 
 ipaserver/plugins/service.py   | 6 ++
 ipatests/test_xmlrpc/test_host_plugin.py   | 1 +
 ipatests/test_xmlrpc/test_service_plugin.py| 7 +++
 ipatests/test_xmlrpc/tracker/host_plugin.py| 1 +
 ipatests/test_xmlrpc/tracker/service_plugin.py | 4 ++--
 8 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js
index b86c6cf..0cb43c7 100755
--- a/install/ui/src/freeipa/certificate.js
+++ b/install/ui/src/freeipa/certificate.js
@@ -571,6 +571,7 @@ IPA.cert.loader = function(spec) {
 serial_number: result.serial_number,
 serial_number_hex: result.serial_number_hex,
 sha1_fingerprint: result.sha1_fingerprint,
+sha256_fingerprint: result.sha256_fingerprint,
 subject: result.subject,
 valid_not_after: result.valid_not_after,
 valid_not_before: result.valid_not_before
@@ -1578,6 +1579,9 @@ exp.create_cert_metadata = function() {
 add_param('sha1_fingerprint',
 text.get('@i18n:objects.cert.sha1_fingerprint'),
 text.get('@i18n:objects.cert.sha1_fingerprint'));
+add_param('sha256_fingerprint',
+text.get('@i18n:objects.cert.sha256_fingerprint'),
+text.get('@i18n:objects.cert.sha256_fingerprint'));
 add_param('certificate',
 text.get('@i18n:objects.cert.certificate'),
 text.get('@i18n:objects.cert.certificate'));
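Review bot: the new `@i18n:objects.cert.sha256_fingerprint` key is used for both the label and the tooltip, but nothing in the diffstat touches `ipaserver/plugins/internal.py`, where the `objects.cert.*` strings are defined; without that entry the UI falls back to the raw key instead of showing 'Fingerprint (SHA256)'. Please add the string there in the same commit so the JS and server-side label stay in sync.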
@@ -1755,6 +1759,7 @@ return {
 'valid_not_before',
 'valid_not_after',
 'sha1_fingerprint',
+'sha256_fingerprint',
 {
 $type: 'revocation_reason',
 name: 'revocation_reason'
@@ -1871,7 +1876,6 @@ IPA.cert.details_facet = function(spec, no_init) {
 that.create_refresh_command = function() {
 
 var command = that.details_facet_create_refresh_command();
-delete command.options.all;
 delete command.options.rights;
 
 command.options = command.options || {};
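Review bot: dropping `delete command.options.all;` makes the details refresh request the full entry, which is required because `_parse` in the cert.py hunk below only computes the fingerprints under `if full:`; add a one-line comment saying so, since a later reader will otherwise see an unexplained switch to the heavier `--all` fetch and may reinstate the delete.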
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 585a70e..a60dc41 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -350,6 +350,11 @@ class BaseCertObject(Object):
 label=_('Fingerprint (SHA1)'),
 flags={'no_create', 'no_update', 'no_search'},
 ),
+Str(
+'sha256_fingerprint',
+label=_('Fingerprint (SHA256)'),
+flags={'no_create', 'no_update', 'no_search'},
+),
 Int(
 'serial_number',
 label=_('Serial number'),
@@ -390,6 +395,8 @@ def _parse(self, obj, full=True):
 if full:
 obj['sha1_fingerprint'] = x509.to_hex_with_colons(
 cert.fingerprint(hashes.SHA1()))
+obj['sha256_fingerprint'] = x509.to_hex_with_colons(
+cert.fingerprint(hashes.SHA256()))
 
 general_names = x509.process_othernames(
 x509.get_san_general_names(cert))
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 7ceec8e..dcadd54 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -514,6 +514,10 @@ class host(LDAPObject):
 label=_('Fingerprint (SHA1)'),
 flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
 ),
+Str('sha256_fingerprint',
+label=_('Fingerprint (SHA256)'),
+flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
+),
 Str('revocation_reason?',
 label=_('Revocation reason'),
 flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 3349889..03271d6 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -276,6 +276,8 @@ def set_certificate_attrs(entry_attrs):
 entry_attrs['valid_not_after'] = x509.format_datetime(cert.not_valid_after)
 entry_attrs['sha1_fingerprint'] = x509.to_hex_with_colons(
 

[Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints

2017-03-02 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/504
Title: #504: Add SHA256 fingerprints

tomaskrizek commented:
"""
@pvomacka Thanks! Should be fixed now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/504#issuecomment-283673360

[Freeipa-devel] [freeipa PR#504][synchronized] Add SHA256 fingerprints

2017-03-02 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/504
Author: tomaskrizek
 Title: #504: Add SHA256 fingerprints
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/504/head:pr504
git checkout pr504
From 3ee0bda061ec5c51b31a35a9b23f4870dd8709a0 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Thu, 23 Feb 2017 17:03:01 +0100
Subject: [PATCH] Add SHA256 fingerprints for certs

https://fedorahosted.org/freeipa/ticket/6701
---
 install/ui/src/freeipa/certificate.js  | 6 +-
 install/ui/test/data/service_show.json | 1 +
 ipaserver/plugins/cert.py  | 7 +++
 ipaserver/plugins/host.py  | 4 
 ipaserver/plugins/service.py   | 6 ++
 ipatests/test_xmlrpc/test_host_plugin.py   | 1 +
 ipatests/test_xmlrpc/test_service_plugin.py| 7 +++
 ipatests/test_xmlrpc/tracker/host_plugin.py| 1 +
 ipatests/test_xmlrpc/tracker/service_plugin.py | 4 ++--
 9 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js
index b86c6cf..0cb43c7 100755
--- a/install/ui/src/freeipa/certificate.js
+++ b/install/ui/src/freeipa/certificate.js
@@ -571,6 +571,7 @@ IPA.cert.loader = function(spec) {
 serial_number: result.serial_number,
 serial_number_hex: result.serial_number_hex,
 sha1_fingerprint: result.sha1_fingerprint,
+sha256_fingerprint: result.sha256_fingerprint,
 subject: result.subject,
 valid_not_after: result.valid_not_after,
 valid_not_before: result.valid_not_before
@@ -1578,6 +1579,9 @@ exp.create_cert_metadata = function() {
 add_param('sha1_fingerprint',
 text.get('@i18n:objects.cert.sha1_fingerprint'),
 text.get('@i18n:objects.cert.sha1_fingerprint'));
+add_param('sha256_fingerprint',
+text.get('@i18n:objects.cert.sha256_fingerprint'),
+text.get('@i18n:objects.cert.sha256_fingerprint'));
 add_param('certificate',
 text.get('@i18n:objects.cert.certificate'),
 text.get('@i18n:objects.cert.certificate'));
@@ -1755,6 +1759,7 @@ return {
 'valid_not_before',
 'valid_not_after',
 'sha1_fingerprint',
+'sha256_fingerprint',
 {
 $type: 'revocation_reason',
 name: 'revocation_reason'
@@ -1871,7 +1876,6 @@ IPA.cert.details_facet = function(spec, no_init) {
 that.create_refresh_command = function() {
 
 var command = that.details_facet_create_refresh_command();
-delete command.options.all;
 delete command.options.rights;
 
 command.options = command.options || {};
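
Review bot: ordering issue in the lines that remain: `delete command.options.rights;` still runs before `command.options = command.options || {};`, so if `details_facet_create_refresh_command()` ever returns a command without `options` the delete throws before the guard is reached; move the `|| {}` defaulting above the delete. Dropping `delete command.options.all` is what makes the refresh request all attributes so the virtual SHA1/SHA256 fingerprint fields come back, as @pvomacka asked for in this thread; note the refresh now also carries every other `--all` attribute, which is a larger response for hosts and services with many certificates.
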
diff --git a/install/ui/test/data/service_show.json b/install/ui/test/data/service_show.json
index 213dfff..597f3ad 100644
--- a/install/ui/test/data/service_show.json
+++ b/install/ui/test/data/service_show.json
@@ -50,6 +50,7 @@
 "serial_number": "1",
 "serial_number_hex": "0x1",
 "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc",
+"sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30",
 "subject": "CN=dev.example.com,O=EXAMPLE.COM",
 "usercertificate": [
 {
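
Review bot: the fixture value is well formed (32 colon-separated bytes next to the 20-byte SHA1 value), but per @pvomacka's comment in this thread the JSON test data files exist only for historical reasons and are slated for removal, so this hunk is optional and can be dropped to keep the patch small.
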
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 585a70e..a60dc41 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -350,6 +350,11 @@ class BaseCertObject(Object):
 label=_('Fingerprint (SHA1)'),
 flags={'no_create', 'no_update', 'no_search'},
 ),
+Str(
+'sha256_fingerprint',
+label=_('Fingerprint (SHA256)'),
+flags={'no_create', 'no_update', 'no_search'},
+),
 Int(
 'serial_number',
 label=_('Serial number'),
@@ -390,6 +395,8 @@ def _parse(self, obj, full=True):
 if full:
 obj['sha1_fingerprint'] = x509.to_hex_with_colons(
 cert.fingerprint(hashes.SHA1()))
+obj['sha256_fingerprint'] = x509.to_hex_with_colons(
+cert.fingerprint(hashes.SHA256()))
 
 general_names = x509.process_othernames(
 x509.get_san_general_names(cert))
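
Review bot: both fingerprints are computed only inside `if full:`, so any caller of `_parse(obj, full=False)` gets neither; together with the Web UI change in this patch that stops deleting `command.options.all`, that is what makes the field appear, and a sentence in the commit message saying `--all` is required to see fingerprints would help readers of `git log`. Keeping the SHA-1 value next to the new one is right for compatibility, but now that `sha256_fingerprint` exists, anything that compares fingerprints (documentation, UI verification hints) should point at the SHA-256 value rather than the SHA-1 one.
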
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 7ceec8e..dcadd54 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -514,6 +514,10 @@ class host(LDAPObject):
 label=_('Fingerprint (SHA1)'),
 flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
 ),
+

[Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints

2017-03-02 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/504
Title: #504: Add SHA256 fingerprints

pvomacka commented:
"""
@tomaskrizek so, an inline comment is not possible on a line where the file was not 
changed. So, please remove line 1979: `delete command.options.all;`. That should 
be enough to display fingerprints correctly. Thank you
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/504#issuecomment-283672713

[Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints

2017-03-02 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/504
Title: #504: Add SHA256 fingerprints

pvomacka commented:
"""
@tomaskrizek actually you did almost all the necessary steps. Just please check 
the inline comments where one more change is described. And in general you do 
not have to add anything into the json files as they are present just for 
historical reasons and will be removed soon. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/504#issuecomment-283672011

[Freeipa-devel] [freeipa PR#520][comment] Change README to use Markdown

2017-03-02 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/520
Title: #520: Change README to use Markdown

stlaz commented:
"""
The build fails no more, ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/520#issuecomment-283668339

[Freeipa-devel] [freeipa PR#520][+ack] Change README to use Markdown

2017-03-02 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/520
Title: #520: Change README to use Markdown

Label: +ack

[Freeipa-devel] [freeipa PR#532][comment] Fix cookie with Max-Age processing

2017-03-02 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/532
Title: #532: Fix cookie with Max-Age processing

simo5 commented:
"""
Ok, sorry for some reason I thought this was on the server side, where we do 
not care what the cookie looks like, but on the client side we indeed care.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/532#issuecomment-283666136

[Freeipa-devel] [freeipa PR#532][comment] Fix cookie with Max-Age processing

2017-03-02 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/532
Title: #532: Fix cookie with Max-Age processing

stlaz commented:
"""
If I read the code well, in a well-set-up cookie, during 
`store_session_cookie()` when `Cookie.get_named_cookie_from_string()` is 
called, the expiration gets normalized which basically means removing the 
`Max-Age` attribute and replacing it with the `Expires` attribute in the cookie 
string (see `Cookie.normalize_expiration()` and `Cookie.__str__()`). When later 
retrieving the cookie, it should not have the `Max-Age` attribute anymore but 
only `Expires`. Therefore we need to calculate it or change the way 
`normalize_expiration()` behaves.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/532#issuecomment-283665210
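The normalization stlaz describes, as an added example that is not FreeIPA's `ipapython` Cookie code: a small parser (constructed for this example) turns a Set-Cookie string carrying `Max-Age` into one carrying only an absolute `Expires`, which is why a later reader of the stored string must derive the remaining lifetime from `Expires` instead of looking for `Max-Age`. The function names, the sample cookie strings and the fixed `NOW` timestamp are assumptions made for the example; it also handles the `Max-Age=0` edge case, which RFC 6265 treats as "expire immediately".

```python
# Added example (not FreeIPA's ipapython.cookie module): how a cookie
# string with Max-Age is normalized into one with Expires, and why the
# remaining lifetime must afterwards be computed from Expires.
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2017, 3, 2, 12, 0, 0, tzinfo=timezone.utc)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_cookie_string(cookie_string):
    """Split 'name=value; attr=val; flag' into (name, value, attrs).

    Attribute names are lower-cased; valueless attributes map to True.
    Hypothetical parser written for this example.
    """
    parts = [p.strip() for p in cookie_string.split(';')]
    name, _, value = parts[0].partition('=')
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition('=')
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def normalize_expiration(attrs, now=NOW):
    """Replace Max-Age with an absolute Expires, as described in the thread.

    Per RFC 6265 section 5.2.2, Max-Age takes precedence over Expires and a
    non-positive Max-Age means "expire immediately" (earliest date).
    """
    attrs = dict(attrs)
    if 'max-age' in attrs:
        seconds = int(attrs.pop('max-age'))
        when = now + timedelta(seconds=seconds) if seconds > 0 else EPOCH
        attrs['expires'] = format_datetime(when, usegmt=True)
    return attrs


def to_cookie_string(name, value, attrs):
    """Serialize back; after normalize_expiration() Max-Age is gone."""
    pieces = ['%s=%s' % (name, value)]
    for key, val in attrs.items():
        pieces.append(key if val is True else '%s=%s' % (key, val))
    return '; '.join(pieces)


def remaining_lifetime(cookie_string, now=NOW):
    """Seconds until the cookie expires, or None for a session cookie.

    A freshly received header may still carry Max-Age, but a stored,
    normalized string only carries Expires, so both paths are needed.
    """
    _, _, attrs = parse_cookie_string(cookie_string)
    if 'max-age' in attrs:
        return int(attrs['max-age'])
    if 'expires' in attrs:
        expires = parsedate_to_datetime(attrs['expires'])
        return int((expires - now).total_seconds())
    return None


def store_and_reload(set_cookie_value, now=NOW):
    """Model store_session_cookie() followed by a later read of the stored string."""
    name, value, attrs = parse_cookie_string(set_cookie_value)
    stored = to_cookie_string(name, value, normalize_expiration(attrs, now))
    return stored, remaining_lifetime(stored, now)
```

`store_and_reload()` is the whole round trip: the stored string no longer contains `Max-Age`, so a reader that only checks for `Max-Age` would wrongly treat the session cookie as having no expiry; computing from `Expires` gives the correct remaining lifetime.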

[Freeipa-devel] [freeipa PR#398][+pushed] Support for Certificate Identity Mapping

2017-03-02 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

Label: +pushed

[Freeipa-devel] [freeipa PR#398][closed] Support for Certificate Identity Mapping

2017-03-02 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
 Title: #398: Support for Certificate Identity Mapping
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398

[Freeipa-devel] [freeipa PR#476][comment] vault: cache the transport certificate on client

2017-03-02 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/476
Title: #476: vault: cache the transport certificate on client

tiran commented:
"""
I didn't see your comment regarding the in-memory cache because github hid the 
section after your most recent push.

The in-memory cache doesn't work for Custodia because Custodia is a forking 
webserver. Requests are handled in one-shot client processes. I must be able to 
forcefully download the certificate in the main process, before it starts 
listening for incoming requests.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/476#issuecomment-283662399
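The point tiran makes about a forking webserver, as an added example that is not Custodia's or FreeIPA's code: a lazily filled in-memory cache is populated in whichever one-shot child first needs it and dies with that child, so every request pays the fetch again, whereas a cache warmed in the parent before it forks is inherited by every child. The cache, the fake `fetch_transport_cert()` and `serve_requests()` are constructed for this example and stand in for the vault transport certificate download; it needs `os.fork`, so it runs on POSIX only.

```python
# Added example (not Custodia or FreeIPA code): why a lazily populated
# in-memory cache does not help a forking server, and why the parent must
# fetch before it forks request handlers. Requires os.fork (POSIX).
import os

# Constructed stand-ins for the vault transport certificate and its cache.
_TRANSPORT_CERT = b"-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"
_cache = {}
_fetches = [0]  # how many times this process hit the "network"


def fetch_transport_cert():
    """Stand-in for the round trip to the IPA server; counts its calls."""
    _fetches[0] += 1
    return _TRANSPORT_CERT


def get_transport_cert():
    """Lazy cache: filled on first use in whichever process calls it."""
    if "cert" not in _cache:
        _cache["cert"] = fetch_transport_cert()
    return _cache["cert"]


def cache_is_warm():
    """True if the calling process already holds the certificate."""
    return "cert" in _cache


def _handle_request_in_child(write_fd):
    """One-shot handler process, as a forking HTTP server spawns per request.

    It reports how many fetches it had to perform itself (0 or 1) back to
    the parent over a pipe, then exits without running parent cleanup code.
    """
    before = _fetches[0]
    get_transport_cert()
    os.write(write_fd, bytes([_fetches[0] - before]))
    os.close(write_fd)
    os._exit(0)


def serve_requests(n_requests, prefetch):
    """Simulate n_requests one-shot children; return their total fetch count.

    The cache is cleared first so each simulation starts cold. With
    prefetch=True the parent warms the cache before forking and the
    children inherit it; with prefetch=False each child fetches on its own
    and its private copy of the cache vanishes when it exits.
    """
    _cache.clear()
    if prefetch:
        get_transport_cert()
    total = 0
    for _ in range(n_requests):
        read_fd, write_fd = os.pipe()
        pid = os.fork()
        if pid == 0:  # child: never returns
            os.close(read_fd)
            _handle_request_in_child(write_fd)
        os.close(write_fd)  # parent
        total += os.read(read_fd, 1)[0]
        os.close(read_fd)
        os.waitpid(pid, 0)
    return total


if __name__ == "__main__":
    print("lazy cache, 3 requests:", serve_requests(3, prefetch=False), "fetches")
    print("prefetched, 3 requests:", serve_requests(3, prefetch=True), "fetches")
```

With the lazy cache every child fetches once and the parent's cache stays empty afterwards; with the prefetch the children perform no fetch at all, which is the "download in the main process before it starts listening" behaviour the comment asks for.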

[Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints

2017-03-02 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/504
Title: #504: Add SHA256 fingerprints

pvomacka commented:
"""
@stlaz, @tomaskrizek I will fix that today.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/504#issuecomment-283662059

[Freeipa-devel] [freeipa PR#400][comment] WebUI: Certificate Mapping

2017-03-02 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/400
Title: #400: WebUI: Certificate Mapping

pvomacka commented:
"""
In the last update I changed just line 33 in the certmap.js file.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/400#issuecomment-283661677

[Freeipa-devel] [freeipa PR#400][synchronized] WebUI: Certificate Mapping

2017-03-02 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/400
Author: pvomacka
 Title: #400: WebUI: Certificate Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/400/head:pr400
git checkout pr400
From 740a6ed90575051107bae7c0987c62f981308fc9 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Mon, 16 Jan 2017 13:59:16 +0100
Subject: [PATCH 1/4] WebUI: Add possibility to set field always writable

If a field has the attribute 'always_writable' set to true, then the
'no_update' flag will be ignored. Used in the user-{add,remove}-certmap
commands, which need to be writable in the WebUI and also need to be
omitted from the user-mod command.

Part of: https://fedorahosted.org/freeipa/ticket/6601
---
 install/ui/src/freeipa/field.js  | 43 +++-
 install/ui/src/freeipa/widget.js | 35 ++--
 2 files changed, 52 insertions(+), 26 deletions(-)

diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index d70a778..9f287dd 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -484,7 +484,16 @@ field.field = IPA.field = function(spec) {
 writable = false;
 }
 
-if (that.metadata.flags && array.indexOf(that.metadata.flags, 'no_update') > -1) {
+// In case that field has set always_writable attribute, then
+// 'no_update' flag is ignored in WebUI. It is done because of
+// commands like user-{add,remove}-certmap. They operate with user's
+// attribute, which cannot be changed using user-mod, but only
+// using command user-{add,remove}-certmap. Therefore it has set
+// 'no_update' flag, but we need to show 'Add', 'Remove' buttons in
+// WebUI.
+if (that.metadata.flags &&
+array.indexOf(that.metadata.flags, 'no_update') > -1 &&
+!that.always_writable) {
 writable = false;
 }
 }
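
Review bot: `that.always_writable` is never initialised in the base `field.field`, so for every field other than the new certmap type `!that.always_writable` evaluates `!undefined` and the old behaviour is preserved by accident rather than by design; set `that.always_writable = spec.always_writable || false;` in the base field next to its other spec-derived properties so the property is explicit and documented. The seven-line comment could be cut to the two sentences about the certmap commands; the rest restates the condition.
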
@@ -1259,6 +1268,37 @@ field.certs_field = IPA.certs_field = function(spec) {
 return that;
 };
 
+
+/**
+ * Used along with custom_command_multivalued widget
+ *
+ * - by default has `w_if_no_aci` to workaround missing object class
+ * - by default has always_writable=true to workaround aci rights
+ *
+ * @class
+ * @alternateClassName IPA.custom_command_multivalued_field
+ * @extends IPA.field
+ */
+field.certmap_command_multivalued_field = function(spec) {
+
+spec = spec || {};
+spec.flags = spec.flags || ['w_if_no_aci'];
+
+var that = IPA.field(spec);
+
+/**
+ * Set field always writable in case that it is set to true
+ * @param Boolean always_writable
+ */
+that.always_writable = spec.always_writable === undefined ? true :
+spec.always_writable;
+
+return that;
+};
+
+
+IPA.custom_command_multivalued_field = field.custom_command_multivalued_field;
+
 /**
  * SSH Keys Adapter
  * @class
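
Review bot: the alias on the last added line, `IPA.custom_command_multivalued_field = field.custom_command_multivalued_field;`, references a name this hunk never defines (the function is `field.certmap_command_multivalued_field`), so the alias is assigned `undefined`; either rename the function or fix the right-hand side, and make the `@alternateClassName IPA.custom_command_multivalued_field` doc tag agree with the final name. The `@param Boolean always_writable` comment sits on a property assignment, not a function, so `@property {boolean} always_writable` (default true) is the right tag.
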
@@ -1652,6 +1692,7 @@ field.register = function() {
 f.register('checkbox', field.checkbox_field);
 f.register('checkboxes', field.field);
 f.register('combobox', field.field);
+f.register('certmap_multivalued', field.certmap_command_multivalued_field);
 f.register('datetime', field.datetime_field);
 f.register('enable', field.enable_field);
 f.register('entity_select', field.field);
diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 15f0126..b7028a9 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -1534,12 +1534,8 @@ IPA.custom_command_multivalued_widget = function(spec) {
  * Called on error of add command. Override point.
  */
 that.on_error_add = function(xhr, text_status, error_thrown) {
-that.adder_dialog.focus_first_element();
-
-if (error_thrown.message) {
-var msg = error_thrown.message;
-IPA.notify(msg, 'error');
-}
+that.adder_dialog.show();
+exp.focus_invalid(that.adder_dialog);
 };
 
 /**
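
Review bot: `on_error_add` no longer calls `IPA.notify(error_thrown.message, 'error')`, so a server-side error that is not a field validation failure (a permission or LDAP error, for instance) is no longer shown to the user; the handler now only re-opens the adder dialog and focuses the invalid field. Unless the dialog itself renders `error_thrown.message`, keep the notify call after `that.adder_dialog.show();`.
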
@@ -1599,27 +1595,16 @@ IPA.custom_command_multivalued_widget = function(spec) {
 name: 'custom-add-dialog'
 };
 
-that.adder_dialog = IPA.dialog(spec);
-that.adder_dialog.create_button({
-name: 'add',
-label: '@i18n:buttons.add',
-click: function() {
-if (!that.adder_dialog.validate()) {
-exp.focus_invalid(that.adder_dialog);
-}
-else {
-that.add(that.adder_dialog);
-}
+spec.on_ok = function() {
+if (!that.adder_dialog.validate()) {
+exp.focus_invalid(that.adder_dialog);
 }
-});
-
-that.adder_dialog.create_button({
-name: 'cancel',
-label: '@i18n:buttons.cancel',
-  

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-02 Thread Simo Sorce
On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote:
> In this case it would probably be a good idea to think about "forward 
> compatibility" and define a new AUX objectclass bringing in 
> 'ipaDomainResolutionOrder' instead of extending two separate 
> objectclasses. In this way we may then just extend whatever object we 
> desire to carry the override in an easy and clean way.

I agree.
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints

2017-03-02 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/504
Title: #504: Add SHA256 fingerprints

stlaz commented:
"""
I wanted to test this but nothing is currently shown for either SHA-1 or SHA256 
fingerprints in the WebUI, so you can either fix it or we'll wait till @pvomacka 
has that done.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/504#issuecomment-283658413

[Freeipa-devel] [freeipa PR#453][+pushed] Cleanup certdb

2017-03-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/453
Title: #453: Cleanup certdb

Label: +pushed

[Freeipa-devel] [freeipa PR#453][comment] Cleanup certdb

2017-03-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/453
Title: #453: Cleanup certdb

MartinBasti commented:
"""
master:

* 22d7492c94837342a559c368454c223f566490ac Cleanup certdb
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/453#issuecomment-283656940

[Freeipa-devel] [freeipa PR#472][+pushed] Packaging: Add placeholder packages

2017-03-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

Label: +pushed

[Freeipa-devel] [freeipa PR#472][closed] Packaging: Add placeholder packages

2017-03-02 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/472
Author: tiran
 Title: #472: Packaging: Add placeholder packages
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/472/head:pr472
git checkout pr472

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-03-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

MartinBasti commented:
"""
master:

* 2e784336b0fe99baa47cf3e024f744ed56dc12ec Packaging: Add placeholder packages
* e2b9ea2fd58b98edbb8d6aec97aadeea7cf11dcb Add python-wheel as build requirement
* acdd1f59782bb836d6c4c255689918368adb8dab Add placeholders for ipaplatform, 
ipaserver and ipatests
* b4c1bf1c7d1a63e802abe6334bd1112d2d468513 Add with_wheels global to install 
wheel and PyPI packaging dependencies
* ab9f42d6eeefeaca2e4a5a9acfbb07b428be4616 Python build: use --build-base 
everywhere
* 60cfacc54167b7b94b63874ade62740d980e3746 pylint: ignore pypi placeholders
* bc1f60b3ba74032cb0895e154e02971aa380a6b3 Default to pkginstall=true without 
duplicated definitions
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-283656502

[Freeipa-devel] [freeipa PR#520][synchronized] Change README to use Markdown

2017-03-02 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/520
Author: pvoborni
 Title: #520: Change README to use Markdown
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/520/head:pr520
git checkout pr520
From cad3bc057967b8d14529960d955c05183b00a279 Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Tue, 28 Feb 2017 19:04:03 +0100
Subject: [PATCH] Change README to use Markdown

So that it will be nicely formatted on the FreeIPA Pagure landing page.
  https://pagure.io/freeipa

Some links were updated as other projects also moved to Pagure.io.
---
 Makefile.am |  1 +
 README  | 92 -
 README.md   | 73 +
 freeipa.spec.in | 32 ++--
 4 files changed, 90 insertions(+), 108 deletions(-)
 delete mode 100644 README
 create mode 100644 README.md

diff --git a/Makefile.am b/Makefile.am
index a35d18f..c00ac2e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -40,6 +40,7 @@ EXTRA_DIST = .mailmap \
 	 API.txt \
 	 BUILD.txt \
 	 config.rpath \
+	 README.md \
 	 Contributors.txt \
 	 COPYING.openssl \
 	 contrib \
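
Review bot: this addition is required rather than cosmetic: automake distributes a file named `README` automatically but knows nothing about `README.md`, so without this `EXTRA_DIST` entry the renamed file would be missing from the release tarball even though the old `README` was shipped without any Makefile.am entry.
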
diff --git a/README b/README
deleted file mode 100644
index ad5b081..000
--- a/README
+++ /dev/null
@@ -1,92 +0,0 @@
-
-   IPA Server
-
-  Overview
-  
-
-  FreeIPA allows Linux administrators to centrally manage identity,
-  authentication and access control aspects of Linux and UNIX systems
-  by providing simple to install and use command line and web based
-  managment tools.
-  FreeIPA is built on top of well known Open Source components and standard
-  protocols with a very strong focus on ease of management and automation
-  of installation and configuration tasks.
-  FreeIPA can seamlessly integrate into an Active Directory environment via
-  cross-realm Kerberos trust or user synchronization.
-
-  Benefits
-  
-
-  FreeIPA:
-  * Allows all your users to access all the machines with the same credentials
-and security settings
-  * Allows users to access personal files transparently from any machine in
-an authenticated and secure way
-  * Uses an advanced grouping mechanism to restrict network access to services
-and files only to specific users
-  * Allows central management of security mechanisms like passwords,
-SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
-  * Enables delegation of selected administrative tasks to other power users
-  * Integrates into Active Directory environments
-
-  Components
-  --
-
-  The FreeIPA project provides unified installation and management
-  tools for the following components:
-
-  * LDAP Server - based on the 389 project (LDAP)
-http://directory.fedoraproject.org/wiki/Main_Page
-
-  * KDC - based on MIT Kerberos implementation
-http://k5wiki.kerberos.org/wiki/Main_Page
-
-  * PKI based on Dogtag project
-http://pki.fedoraproject.org/wiki/PKI_Main_Page
-
-  * Samba libraries for Active Directory integration
-http://www.samba.org/
-
-  * DNS Server based on BIND and the Bind-DynDB-LDAP plugin
-https://www.isc.org/software/bind
-https://fedorahosted.org/bind-dyndb-ldap
-
-
-  Project Website
-  ---
-
-  Releases, announcements and other information can be found on the IPA
-  server project page at .
-
-  Documentation
-  -
-
-  The most up-to-date documentation can be found at
-  .
-
-  Quick Start
-  ---
-
-  To get started quickly, start here:
-  
-
-  Licensing
-  -
-
-  Please see the file called COPYING.
-
-  Contacts
-  
-
- * If you want to be informed about new code releases, bug fixes,
-   security fixes, general news and information about the IPA server
-   subscribe to the freeipa-announce mailing list at
-   .
-
- * If you have a bug report please submit it at:
-   
-
- * If you want to participate in actively developing IPA please
-   subscribe to the freeipa-devel mailing list at
-    or join
-   us in IRC at irc://irc.freenode.net/freeipa
diff --git a/README.md b/README.md
new file mode 100644
index 000..9608453
--- /dev/null
+++ b/README.md
@@ -0,0 +1,73 @@
+# FreeIPA Server
+
+FreeIPA allows Linux administrators to centrally manage identity,
+authentication and access control aspects of Linux and UNIX systems
+by providing simple to install and use command line and web based
+managment tools.
+
+FreeIPA is built on top of well known Open Source components and standard
+protocols with a very strong focus on ease of management and automation
+of 
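
Review bot: the typo `managment` in the line `+managment tools.` was carried over from the old README; fix it to `management` while the text is being rewritten. The hunk is cut off in this message, so the remaining lines of README.md cannot be checked here.
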

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

2017-03-02 Thread redhatrises
  URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

redhatrises commented:
"""
Thanks guys. So can this be fixed in `pre_callback` or `post_callback` in 
`user_find`, or am I looking elsewhere? (Not super familiar with all of the IPA 
framework)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/444#issuecomment-283652157

[Freeipa-devel] [freeipa PR#510][+pushed] Vault: port key wrapping to python-cryptography

2017-03-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/510
Title: #510: Vault: port key wrapping to python-cryptography

Label: +pushed

[Freeipa-devel] [freeipa PR#510][closed] Vault: port key wrapping to python-cryptography

2017-03-02 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/510
Author: tiran
 Title: #510: Vault: port key wrapping to python-cryptography
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/510/head:pr510
git checkout pr510

[Freeipa-devel] [freeipa PR#510][comment] Vault: port key wrapping to python-cryptography

2017-03-02 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/510
Title: #510: Vault: port key wrapping to python-cryptography

MartinBasti commented:
"""
master:

* ed7a03a1af8b556247b929635e2972be4f2b32e4 Vault: port key wrapping to 
python-cryptography
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/510#issuecomment-283651863

[Freeipa-devel] [freeipa PR#453][+ack] Cleanup certdb

2017-03-02 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/453
Title: #453: Cleanup certdb

Label: +ack

[Freeipa-devel] [freeipa PR#517][synchronized] [WIP] Use Custodia 0.3 features

2017-03-02 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
 Title: #517: [WIP] Use Custodia 0.3 features
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/517/head:pr517
git checkout pr517
From cbd232eb952504de523ccdb49de61d649d06f2ea Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 28 Feb 2017 12:07:19 +0100
Subject: [PATCH] Use Custodia 0.3 features

* Use sd-notify in ipa-custodia.service
* Introduce the libexec/ipa/ipa-custodia script. It comes with the correct
  default setting for IPA's config file. The new file also makes it
  simpler to run IPA's custodia instance with its own SELinux context.
* ipapython no longer depends on custodia

https://pagure.io/freeipa/issue/5825

Signed-off-by: Christian Heimes 
---
 freeipa.spec.in  | 13 -
 init/systemd/ipa-custodia.service.in |  5 ++---
 install/tools/Makefile.am|  1 +
 install/tools/ipa-custodia   |  6 ++
 ipapython/setup.py   |  1 -
 ipaserver/secrets/service.py | 30 ++
 ipaserver/setup.py   |  1 +
 ipasetup.py.in   |  1 +
 8 files changed, 49 insertions(+), 9 deletions(-)
 create mode 100755 install/tools/ipa-custodia
 create mode 100644 ipaserver/secrets/service.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5c835ca..d3ab7a6 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -148,7 +148,8 @@ BuildRequires:  pki-base-python2
 BuildRequires:  python-pytest-multihost
 BuildRequires:  python-pytest-sourceorder
 BuildRequires:  python-jwcrypto
-BuildRequires:  python-custodia
+# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
+BuildRequires:  python-custodia >= 0.3
 BuildRequires:  dbus-python
 BuildRequires:  python-dateutil
 BuildRequires:  python-enum34
@@ -184,7 +185,8 @@ BuildRequires:  pki-base-python3
 BuildRequires:  python3-pytest-multihost
 BuildRequires:  python3-pytest-sourceorder
 BuildRequires:  python3-jwcrypto
-BuildRequires:  python3-custodia
+# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
+BuildRequires:  python3-custodia >= 0.3
 BuildRequires:  python3-dbus
 BuildRequires:  python3-dateutil
 BuildRequires:  python3-enum34
@@ -302,6 +304,7 @@ BuildArch: noarch
 Requires: %{name}-server-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipaclient = %{version}-%{release}
+Requires: python-custodia >= 0.3
 Requires: python-ldap >= 2.4.15
 Requires: python-lxml
 Requires: python-gssapi >= 1.2.0
@@ -332,6 +335,7 @@ BuildArch: noarch
 Requires: %{name}-server-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-custodia >= 0.3
 Requires: python3-pyldap >= 2.4.15
 Requires: python3-lxml
 Requires: python3-gssapi >= 1.2.0
@@ -361,7 +365,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= 2.4.6-31
 Requires: systemd-units >= 38
-Requires: custodia
+Requires: custodia >= 0.3
 
 Provides: %{alt_name}-server-common = %{version}
 Conflicts: %{alt_name}-server-common
@@ -608,7 +612,6 @@ Requires: python-jwcrypto
 Requires: python-cffi
 Requires: python-ldap >= 2.4.15
 Requires: python-requests
-Requires: python-custodia
 Requires: python-dns >= 1.15
 Requires: python-enum34
 Requires: python-netifaces >= 0.10.4
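
Review bot: dropping `Requires: python-custodia` from the python-ipalib package (and python3-custodia from python3-ipalib in the next hunk) while adding `python-custodia >= 0.3` only to the python-ipaserver packages means any remaining `import custodia` under ipapython/ or ipalib/ would break client-only installs where ipaserver is absent; the commit message says ipapython no longer depends on custodia, so a `grep -r custodia ipapython ipalib ipaclient` should come back empty before this merges.
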
@@ -657,7 +660,6 @@ Requires: python3-six
 Requires: python3-jwcrypto
 Requires: python3-cffi
 Requires: python3-pyldap >= 2.4.15
-Requires: python3-custodia
 Requires: python3-requests
 Requires: python3-dns >= 1.15
 Requires: python3-netifaces >= 0.10.4
@@ -1110,6 +1112,7 @@ fi
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
 %dir %{_libexecdir}/ipa
+%{_libexecdir}/ipa/ipa-custodia
 %{_libexecdir}/ipa/ipa-dnskeysyncd
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
diff --git a/init/systemd/ipa-custodia.service.in b/init/systemd/ipa-custodia.service.in
index 3f9b128..0247bd8 100644
--- a/init/systemd/ipa-custodia.service.in
+++ b/init/systemd/ipa-custodia.service.in
@@ -2,9 +2,8 @@
 Description=IPA Custodia Service
 
 [Service]
-Type=simple
-
-ExecStart=@sbindir@/custodia @IPA_SYSCONF_DIR@/custodia/custodia.conf
+Type=notify
+ExecStart=@libexecdir@/ipa/ipa-custodia @IPA_SYSCONF_DIR@/custodia/custodia.conf
 PrivateTmp=yes
 Restart=on-failure
 RestartSec=60s
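
Review bot: switching to `Type=notify` means systemd now waits for a `READY=1` notification from the unit's main process and treats the start as failed if none arrives within the start timeout, after which `Restart=on-failure` retries every `RestartSec=60s`. The commit message relies on Custodia 0.3's sd-notify support, which is what the `Requires: custodia >= 0.3` bump in the spec guards. The `install/tools/ipa-custodia` wrapper is cut off in this message, so it cannot be checked here that the process sending the notification stays the unit's main process (by running custodia in-process or via `exec`); with the default `NotifyAccess=main`, a notification from a child process is ignored.
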
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index f2c2ce2..493e5ff 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -32,6 +32,7 @@ dist_sbin_SCRIPTS =		\
 
 appdir = $(libexecdir)/ipa/
 dist_app_SCRIPTS =		\
+	ipa-custodia		\
 	ipa-httpd-kdcproxy	\
 	ipa-pki-retrieve-key	\
 	$(NULL)
diff --git a/install/tools/ipa-custodia b/install/tools/ipa-custodia
new file 

[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-03-02 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

flo-renaud commented:
"""
@abbra ,
Thanks for your comment. Running in permissive mode I did not see any AVC 
logged in the journal.

@HonzaCholasta 
Thanks for the tips re. writing the API. I have followed your advice and made 
certificate a positional argument. The output will look like this:
```
---
2 users matched
---
  Domain: DOM-076.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Usernames: user1, user2

Number of entries returned 2

```

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/516#issuecomment-283642083
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#453][synchronized] Cleanup certdb

2017-03-02 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/453
Author: tiran
 Title: #453: Cleanup certdb
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/453/head:pr453
git checkout pr453
From 88d68db7330e7b51638a1826a1466affcc00858e Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 9 Feb 2017 14:55:45 +0100
Subject: [PATCH] Cleanup certdb

* use with statement to open/close files
* prefer fchmod/fchown when a file descriptor is available
* set permission before data is written to file

Signed-off-by: Christian Heimes 
---
 ipaserver/install/certs.py | 117 +
 1 file changed, 55 insertions(+), 62 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 4f97801..660da79 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -117,10 +117,12 @@ def __init__(self, realm, nssdir, fstore=None,
 self.host_name = host_name
 self.ca_subject = ca_subject
 self.subject_base = subject_base
+
 try:
-self.cwd = os.getcwd()
+self.cwd = os.path.abspath(os.getcwd())
 except OSError as e:
-raise RuntimeError("Unable to determine the current directory: %s" % str(e))
+raise RuntimeError(
+"Unable to determine the current directory: %s" % str(e))
 
 self.cacert_name = get_ca_nickname(self.realm)
 
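
Review bot: `os.path.abspath(os.getcwd())` is a no-op, since `os.getcwd()` already returns an absolute path; the wrapper only adds noise to a hunk that otherwise improves readability by splitting the long `raise RuntimeError(...)`. Dropping `abspath` keeps the intent clear.
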
@@ -163,6 +165,8 @@ def passwd_fname(self):
 def __del__(self):
 if self.reqdir is not None:
 shutil.rmtree(self.reqdir, ignore_errors=True)
+self.reqdir = None
+self.nssdb.close()
 try:
 os.chdir(self.cwd)
 except OSError:
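
Review bot: `self.nssdb.close()` in `__del__` runs unconditionally, but `__del__` is also invoked on a half-constructed object when `__init__` raises (the `RuntimeError` from the `os.getcwd()` failure in the first hunk is one such path); if `self.nssdb` has not been assigned by then, the destructor raises `AttributeError`, which Python only reports as a warning but which hides the original error. Guard it, e.g. `nssdb = getattr(self, 'nssdb', None)` followed by `if nssdb is not None: nssdb.close()`, and use the same defensive `getattr` for `self.reqdir` and `self.cwd`.
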
@@ -187,16 +191,16 @@ def setup_cert_request(self):
 # sure we are in a unique place when this happens
 os.chdir(self.reqdir)
 
-def set_perms(self, fname, write=False, uid=None):
-if uid:
-pent = pwd.getpwnam(uid)
-os.chown(fname, pent.pw_uid, pent.pw_gid)
-else:
-os.chown(fname, self.uid, self.gid)
+def set_perms(self, fname, write=False):
 perms = stat.S_IRUSR
 if write:
 perms |= stat.S_IWUSR
-os.chmod(fname, perms)
+if hasattr(fname, 'fileno'):
+os.fchown(fname.fileno(), self.uid, self.gid)
+os.fchmod(fname.fileno(), perms)
+else:
+os.chown(fname, self.uid, self.gid)
+os.chmod(fname, perms)
 
 def run_certutil(self, args, stdin=None, **kwargs):
 return self.nssdb.run_certutil(args, stdin, **kwargs)
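
Review bot: the `uid` keyword is removed from `set_perms()`, so any remaining caller that passes `uid=` now fails with `TypeError`; the hunk shows no callers, so please grep for `set_perms(` across ipaserver before merging and mention in the commit message that the parameter was unused. The `hasattr(fname, 'fileno')` branch is a reasonable duck-typing test for file objects versus paths, but a one-line comment saying the function accepts either would save the next reader a look.
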
@@ -212,19 +216,18 @@ def run_signtool(self, args, stdin=None):
 def create_noise_file(self):
 if ipautil.file_exists(self.noise_fname):
 os.remove(self.noise_fname)
-f = open(self.noise_fname, "w")
-f.write(ipautil.ipa_generate_password())
-self.set_perms(self.noise_fname)
+with open(self.noise_fname, "w") as f:
+self.set_perms(f)
+f.write(ipautil.ipa_generate_password())
 
 def create_passwd_file(self, passwd=None):
 ipautil.backup_file(self.passwd_fname)
-f = open(self.passwd_fname, "w")
-if passwd is not None:
-f.write("%s\n" % passwd)
-else:
-f.write(ipautil.ipa_generate_password())
-f.close()
-self.set_perms(self.passwd_fname)
+with open(self.passwd_fname, "w") as f:
+self.set_perms(f)
+if passwd is not None:
+f.write("%s\n" % passwd)
+else:
+f.write(ipautil.ipa_generate_password())
 
 def create_certdbs(self):
 self.nssdb.create_db(user=self.user, group=self.group, mode=self.mode,
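
Review bot: calling `self.set_perms(f)` before the first `f.write()` closes the old race where the secret sat on disk with umask permissions until `set_perms` ran, but `open(self.passwd_fname, "w")` still creates the file as `0666 & ~umask` (typically 0644) for the instant between `open()` and `fchmod()`, and `backup_file`/`os.remove` followed by `"w"` means a fresh inode each time. To close that window entirely, create the file with the final mode from the start, e.g. `fd = os.open(self.passwd_fname, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and `with os.fdopen(fd, "w") as f:`. The file is empty during the window, so this is a hardening suggestion rather than a blocker.
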
@@ -262,13 +265,13 @@ def export_ca_cert(self, nickname, create_pkcs12=False):
 # export the CA cert for use with other apps
 ipautil.backup_file(cacert_fname)
 root_nicknames = self.find_root_cert(nickname)[:-1]
-fd = open(cacert_fname, "w")
-for root in root_nicknames:
-result = self.run_certutil(["-L", "-n", root, "-a"],
-   capture_output=True)
-fd.write(result.output)
-fd.close()
-os.chmod(cacert_fname, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
+with open(cacert_fname, "w") as f:
+os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
+for root in root_nicknames:
+result = self.run_certutil(["-L", "-n", root, "-a"],
+   capture_output=True)
+f.write(result.output)
+
 if create_pkcs12:
 ipautil.backup_file(self.pk12_fname)
 ipautil.run([paths.PK12UTIL, "-d", self.secdir,
@@ -283,9 +286,8 @@ def load_cacert(self, cacert_fname, trust_flags):

[Freeipa-devel] [freeipa PR#453][comment] Cleanup certdb

2017-03-02 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/453
Title: #453: Cleanup certdb

stlaz commented:
"""
The changes are fine. Please, squash the two commits together so that we can 
push it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/453#issuecomment-283632762

[Freeipa-devel] [freeipa PR#516][synchronized] IdM Server: list all Employees with matching Smart Card

2017-03-02 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/516
Author: flo-renaud
 Title: #516: IdM Server: list all Employees with matching Smart Card
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/516/head:pr516
git checkout pr516
From 2bf231a8dbdf5f8e1e0177093bc7559b127fdf7d Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH 1/2] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt|  16 +-
 API.txt| 181 +
 VERSION.m4 |   4 +-
 install/share/73certmap.ldif   |  14 ++
 install/share/Makefile.am  |   1 +
 install/updates/73-certmap.update  |  23 +++
 install/updates/Makefile.am|   1 +
 ipalib/constants.py|   2 +
 ipapython/dn.py|   8 +-
 ipaserver/install/dsinstance.py|   1 +
 ipaserver/plugins/baseuser.py  | 174 -
 ipaserver/plugins/certmap.py   | 391 +
 ipaserver/plugins/stageuser.py |  16 +-
 ipaserver/plugins/user.py  |  23 ++-
 ipatests/test_ipapython/test_dn.py |  20 ++
 15 files changed, 862 insertions(+), 13 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..a36d460 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmap,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
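
Review bot: both "Read Certmap ..." ACIs grant `(compare,read,search)` to `userdn = "ldap:///all"`, which means every authenticated bind (anonymous access would need `ldap:///anyone`). That scope is presumably what lets enrolled hosts fetch the match and map rules, but it also lets any authenticated user enumerate `ipacertmapmatchrule`/`ipacertmapmaprule`, which describe how certificates are mapped to accounts. If that is intended per the design page linked in the commit message, a sentence saying so there would help reviewers of the ACI diff; if not, consider restricting read access to host principals.
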
@@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krbprincipalkey || passwordhistory || 

[Freeipa-devel] [freeipa PR#502][synchronized] Make pylint and jsl optional

2017-03-02 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/502
Author: tiran
 Title: #502: Make pylint and jsl optional
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/502/head:pr502
git checkout pr502
From 17aaddc84ae7d6cf955ad5fa124ad031fe401484 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 22 Feb 2017 19:19:35 +0100
Subject: [PATCH] Make pylint and jsl optional

./configure no longer fails when pylint or jsl are not available. The
make targets for pylint and jsl are no longer defined without the tools.

Rationale:
pylint and jsl are not required to build FreeIPA. Both are useful
developer tools. It's more user friendly to make both components
optional with default config arguments. There is no reason to
fail building on a build system without development tools.

It's still possible to enforce dependency checks with --with-jslint and
--enable-pylint.

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes 
---
 Makefile.am | 14 +++---
 configure.ac| 47 ---
 freeipa.spec.in | 11 ---
 3 files changed, 51 insertions(+), 21 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index a35d18f..4e00053 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -146,6 +146,10 @@ JSLINT_TARGET = jslint
 endif WITH_JSLINT
 lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
 
+.PHONY: $(top_builddir)/ipapython/version.py
+$(top_builddir)/ipapython/version.py:
+	(cd $(top_builddir)/ipapython && make version.py)
+
 .PHONY: acilint
 acilint: $(top_builddir)/ipapython/version.py
 	cd $(srcdir); ./makeaci --validate
@@ -162,10 +166,10 @@ polint:
 # folders rpmbuild, freeipa-* and dist. Skip (match, but don't print) .*,
 # *.in, *~. Finally print all python files, including scripts that do not
 # have python extension.
-.PHONY: pylint $(top_builddir)/ipapython/version.py
-$(top_builddir)/ipapython/version.py:
-	(cd $(top_builddir)/ipapython && make version.py)
 
+.PHONY: pylint
+
+if WITH_PYLINT
 pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 	FILES=`find $(top_srcdir) \
 		-type d -exec test -e '{}/__init__.py' \; -print -prune -o \
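
Review bot: the three-line comment above this hunk describes the `find` pipeline in the `pylint` target, but after the move it is separated from that target by a blank line, the `.PHONY: pylint` declaration, another blank line and `if WITH_PYLINT`; move the comment inside the conditional, directly above `pylint:`, so it stays with the code it documents. Since `.PHONY: pylint` remains outside the conditional, `make pylint` on a tree configured without pylint gets no rule for the target rather than a helpful message; an `else` branch with a one-line `pylint:` recipe that echoes "pylint not found at configure time" would make the optional status visible.
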
@@ -180,9 +184,12 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 	echo "Pylint is running, please wait ..."; \
 	PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
 		--rcfile=$(top_srcdir)/pylintrc $${FILES}
+endif  # WITH_PYLINT
 
 .PHONY: jslint jslint-ui jslint-ui-test jslint-html \
 	$(top_builddir)/install/ui/src/libs/loader.js
+
+if WITH_JSLINT
 jslint: jslint-ui jslint-ui-test jslint-html
 
 $(top_builddir)/install/ui/src/libs/loader.js:
@@ -205,6 +212,7 @@ jslint-ui-test:
 jslint-html:
 	cd $(top_srcdir)/install/html; \
 	jsl -nologo -nosummary -nofilelisting -conf jsl.conf
+endif  # WITH_JSLINT
 
 .PHONY: bdist_wheel wheel_bundle
 WHEELDISTDIR = $(top_builddir)/dist/wheels
diff --git a/configure.ac b/configure.ac
index 9ee281a..5cda480 100644
--- a/configure.ac
+++ b/configure.ac
@@ -372,17 +372,25 @@ AC_SUBST([i18ntests])
 AM_CONDITIONAL([WITH_POLINT], [test "x${enable_i18ntests}" == "xyes"])
 
 AC_ARG_ENABLE([pylint],
-	AS_HELP_STRING([--disable-pylint],
-			   [skip Pylint in make lint target]),
+	AS_HELP_STRING([--enable-pylint],
+			   [Require pylint. Default is autodetection with
+			"python -m pylint".]),
 	[PYLINT=$enableval],
-	[PYLINT=yes]
+	[PYLINT=check]
 )
+
 if test x$PYLINT != xno; then
 AC_MSG_CHECKING([for Pylint])
-$PYTHON -m pylint --version > /dev/null
+$PYTHON -m pylint --version >/dev/null 2>&1
 if test "$?" != "0"; then
-AC_MSG_ERROR([cannot find pylint for $PYTHON])
+if test x$PYLINT = xcheck; then
+PYLINT=no
+AC_MSG_NOTICE([cannot find optional pylint for $PYTHON])
+else
+AC_MSG_ERROR([cannot find pylint for $PYTHON])
+fi
 else
+PYLINT=yes
 AC_MSG_RESULT([yes])
 fi
 fi
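
Review bot: `AC_MSG_CHECKING([for Pylint])` is only paired with `AC_MSG_RESULT([yes])` on the success path; the new `check` branch emits `AC_MSG_NOTICE` and the error branch `AC_MSG_ERROR` without an `AC_MSG_RESULT`, so the configure output is left as `checking for Pylint... ` with the notice glued to it. Add `AC_MSG_RESULT([no])` before the notice and before the error.
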
@@ -394,13 +402,27 @@ AC_ARG_WITH([jslint],
 AS_HELP_STRING([--with-jslint=[FILE]],
[path to JavaScript linter. Default is autodetection of
utility "jsl" ]),
-dnl --without-jslint will set JSLINT=no
-[JSLINT=$with_jslint],
-[AC_PATH_PROG([JSLINT], [jsl])]
+[JSLINT="$withval"],
+[JSLINT=check]
+)
+
+AS_CASE([$JSLINT],
+[yes], [AC_PATH_PROG([JSLINT], [jsl], [missing])
+if test $JSLINT = missing; then
+AC_MSG_FAILURE([jsl is missing])
+fi],
+[no], [],
+[check], [AC_PATH_PROG([JSLINT], [jsl], [no])],
+dnl user setting
+[if ! test -f "$JSLINT"; then
+AC_MSG_RESULT([$JSLINT non-existing])
+AC_MSG_FAILURE([invalid value $JSLINT for jsl])
+ fi
+ if ! test -x "$JSLINT"; then
+AC_MSG_RESULT([$JSLINT non-executable])
+
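
Review bot: in the user-setting branch of `AS_CASE`, `AC_MSG_RESULT([$JSLINT non-existing])` and `AC_MSG_RESULT([$JSLINT non-executable])` are emitted without a preceding `AC_MSG_CHECKING`, so they print as bare fragments; fold the reason into the failure call instead, e.g. `AC_MSG_FAILURE([jsl path $JSLINT does not exist])`. The `check` branch sets `JSLINT=no` when `jsl` is absent, which deliberately coincides with the `--without-jslint` value so that one later `test x$JSLINT != xno` covers both; a `dnl` comment stating that would help, since the old `dnl --without-jslint will set JSLINT=no` comment is removed in this hunk.
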

[Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional

2017-03-02 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

tiran commented:
"""
Which audience is our primary concern here?

1. Should default settings be tailored towards downstream packager?
2. Or should default settings be user-friendly for upstream and external users?

I'm for upstream first.

Packaging is pretty much automated and scripted. A packager can easily adjust a 
script for a new version. There are also just a handful of distributions 
(Fedora/RHEL/CentOS, Debian/Ubuntu, SuSE, Gentoo).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/502#issuecomment-283628663

[Freeipa-devel] [freeipa PR#531][synchronized] httpinstance: disable system trust module in /etc/httpd/alias

2017-03-02 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/531
Author: HonzaCholasta
 Title: #531: httpinstance: disable system trust module in /etc/httpd/alias
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/531/head:pr531
git checkout pr531
From 94d380365a2fcb533db88b3651d0b4ce7334e957 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 1 Mar 2017 17:54:05 +0100
Subject: [PATCH] httpinstance: disable system trust module in /etc/httpd/alias

Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Disable the system trust module on install and upgrade to prevent the
system trust store to be used in /etc/httpd/alias and fix all of the above
issues.

https://pagure.io/freeipa/issue/6132
---
 ipaplatform/base/paths.py   |  1 +
 ipaserver/install/httpinstance.py   | 14 ++
 ipaserver/install/server/upgrade.py | 16 
 3 files changed, 31 insertions(+)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index e4d4f2e..19a44fc 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -165,6 +165,7 @@ class BasePathNamespace(object):
 BIN_KVNO = "/usr/bin/kvno"
 LDAPMODIFY = "/usr/bin/ldapmodify"
 LDAPPASSWD = "/usr/bin/ldappasswd"
+MODUTIL = "/usr/bin/modutil"
 NET = "/usr/bin/net"
 BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
 NSUPDATE = "/usr/bin/nsupdate"
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 0c2216e..c74186f 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -349,11 +349,25 @@ def create_password_conf(self):
 os.chown(pwd_conf, pent.pw_uid, pent.pw_gid)
 os.chmod(pwd_conf, 0o400)
 
+def disable_system_trust(self):
+name = 'Root Certs'
+args = [paths.MODUTIL, '-dbdir', paths.HTTPD_ALIAS_DIR, '-force']
+
+result = ipautil.run(args + ['-list', name],
+ env={},
+ capture_output=True)
+if 'Status: Enabled' in result.output:
+ipautil.run(args + ['-disable', name], env={})
+return True
+
+return False
+
 def __setup_ssl(self):
 db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
   subject_base=self.subject_base, user="root",
   group=constants.HTTPD_GROUP,
   truncate=(not self.promote))
+self.disable_system_trust()
 if self.pkcs12_info:
 if self.ca_is_configured:
 trust_flags = 'CT,C,C'
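
Review bot: `ipautil.run(args + ['-list', name], env={}, capture_output=True)` is called without `raiseonerr=False`, so if the `Root Certs` module is not registered in the database at all (a database created before the module existed, or one where an admin already removed it), `modutil -list` exits non-zero and the install aborts instead of treating the module as already disabled. Pass `raiseonerr=False` and treat a non-zero return as "nothing to disable". Matching on the substring `'Status: Enabled'` also ties the check to modutil's human-readable output; a comment noting that assumption would help. Finally, `-force` is passed to the `-list` invocation too, where it is unnecessary but harmless.
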
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index d7271e5..bc79a9f 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1495,6 +1495,21 @@ def enable_anonymous_principal(krb):
 pass
 
 
+def disable_httpd_system_trust(http):
+ca_certs = []
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+for nickname, trust_flags in db.list_certs():
+if 'u' not in trust_flags:
+cert = db.get_cert_from_db(nickname, pem=False)
+if cert:
+ca_certs.append((cert, nickname, trust_flags))
+
+if http.disable_system_trust():
+for cert, nickname, trust_flags in ca_certs:
+db.add_cert(cert, nickname, trust_flags)
+
+
 def upgrade_configuration():
 """
 Execute configuration upgrade of the IPA services
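
Review bot: `db.list_certs()` runs while the system trust module is still enabled, and the loop keeps every certificate whose trust flags lack `u`. Please confirm that the listing only returns certificates stored in `/etc/httpd/alias` itself and not the roots the `Root Certs` module exposes through the same database: if those are included, the `db.add_cert(...)` loop after `http.disable_system_trust()` re-imports the whole system CA set as database-local certificates, which defeats the purpose of the change. If `list_certs()` does include module certificates, filter by token before collecting them. A short docstring on `disable_httpd_system_trust()` explaining why the certificates are collected and re-added would also help.
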
@@ -1630,6 +1645,7 @@ def upgrade_configuration():
 http.enable_kdcproxy()
 
 http.stop()
+disable_httpd_system_trust(http)
 update_ipa_httpd_service_conf(http)
 update_mod_nss_protocol(http)
 update_mod_nss_cipher_suite(http)

[Freeipa-devel] [freeipa PR#502][synchronized] Make pylint and jsl optional

2017-03-02 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/502
Author: tiran
 Title: #502: Make pylint and jsl optional
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/502/head:pr502
git checkout pr502
From bf8bd4e36c1da9b3e9ce0bb1db07dfb61cee6c54 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 22 Feb 2017 19:19:35 +0100
Subject: [PATCH] Make pylint and jsl optional

./configure no longer fails when pylint or jsl are not available. The
make targets for pylint and jsl are no longer defined without the tools.

Rationale:
pylint and jsl are not required to build FreeIPA. Both are useful
developer tools. It's more user friendly to make both components
optional with default config arguments. There is no reason to
fail building on a build system without development tools.

It's still possible to enforce dependency checks with --with-jslint and
--enable-pylint.

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes 
---
 Makefile.am | 14 +++---
 configure.ac| 47 ---
 freeipa.spec.in | 11 +++
 3 files changed, 50 insertions(+), 22 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index a35d18f..4e00053 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -146,6 +146,10 @@ JSLINT_TARGET = jslint
 endif WITH_JSLINT
 lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
 
+.PHONY: $(top_builddir)/ipapython/version.py
+$(top_builddir)/ipapython/version.py:
+	(cd $(top_builddir)/ipapython && make version.py)
+
 .PHONY: acilint
 acilint: $(top_builddir)/ipapython/version.py
 	cd $(srcdir); ./makeaci --validate
@@ -162,10 +166,10 @@ polint:
 # folders rpmbuild, freeipa-* and dist. Skip (match, but don't print) .*,
 # *.in, *~. Finally print all python files, including scripts that do not
 # have python extension.
-.PHONY: pylint $(top_builddir)/ipapython/version.py
-$(top_builddir)/ipapython/version.py:
-	(cd $(top_builddir)/ipapython && make version.py)
 
+.PHONY: pylint
+
+if WITH_PYLINT
 pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 	FILES=`find $(top_srcdir) \
 		-type d -exec test -e '{}/__init__.py' \; -print -prune -o \
@@ -180,9 +184,12 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 	echo "Pylint is running, please wait ..."; \
 	PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
 		--rcfile=$(top_srcdir)/pylintrc $${FILES}
+endif  # WITH_PYLINT
 
 .PHONY: jslint jslint-ui jslint-ui-test jslint-html \
 	$(top_builddir)/install/ui/src/libs/loader.js
+
+if WITH_JSLINT
 jslint: jslint-ui jslint-ui-test jslint-html
 
 $(top_builddir)/install/ui/src/libs/loader.js:
@@ -205,6 +212,7 @@ jslint-ui-test:
 jslint-html:
 	cd $(top_srcdir)/install/html; \
 	jsl -nologo -nosummary -nofilelisting -conf jsl.conf
+endif  # WITH_JSLINT
 
 .PHONY: bdist_wheel wheel_bundle
 WHEELDISTDIR = $(top_builddir)/dist/wheels
diff --git a/configure.ac b/configure.ac
index 9ee281a..5cda480 100644
--- a/configure.ac
+++ b/configure.ac
@@ -372,17 +372,25 @@ AC_SUBST([i18ntests])
 AM_CONDITIONAL([WITH_POLINT], [test "x${enable_i18ntests}" == "xyes"])
 
 AC_ARG_ENABLE([pylint],
-	AS_HELP_STRING([--disable-pylint],
-			   [skip Pylint in make lint target]),
+	AS_HELP_STRING([--enable-pylint],
+			   [Require pylint. Default is autodetection with
+			"python -m pylint".]),
 	[PYLINT=$enableval],
-	[PYLINT=yes]
+	[PYLINT=check]
 )
+
 if test x$PYLINT != xno; then
 AC_MSG_CHECKING([for Pylint])
-$PYTHON -m pylint --version > /dev/null
+$PYTHON -m pylint --version >/dev/null 2>&1
 if test "$?" != "0"; then
-AC_MSG_ERROR([cannot find pylint for $PYTHON])
+if test x$PYLINT = xcheck; then
+PYLINT=no
+AC_MSG_NOTICE([cannot find optional pylint for $PYTHON])
+else
+AC_MSG_ERROR([cannot find pylint for $PYTHON])
+fi
 else
+PYLINT=yes
 AC_MSG_RESULT([yes])
 fi
 fi
@@ -394,13 +402,27 @@ AC_ARG_WITH([jslint],
 AS_HELP_STRING([--with-jslint=[FILE]],
[path to JavaScript linter. Default is autodetection of
utility "jsl" ]),
-dnl --without-jslint will set JSLINT=no
-[JSLINT=$with_jslint],
-[AC_PATH_PROG([JSLINT], [jsl])]
+[JSLINT="$withval"],
+[JSLINT=check]
+)
+
+AS_CASE([$JSLINT],
+[yes], [AC_PATH_PROG([JSLINT], [jsl], [missing])
+if test $JSLINT = missing; then
+AC_MSG_FAILURE([jsl is missing])
+fi],
+[no], [],
+[check], [AC_PATH_PROG([JSLINT], [jsl], [no])],
+dnl user setting
+[if ! test -f "$JSLINT"; then
+AC_MSG_RESULT([$JSLINT non-existing])
+AC_MSG_FAILURE([invalid value $JSLINT for jsl])
+ fi
+ if ! test -x "$JSLINT"; then
+AC_MSG_RESULT([$JSLINT non-executable])
+

[Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional

2017-03-02 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

tiran commented:
"""
@tomaskrizek autoconf is a bit magic. `--without-jslint` is still there. 
The line `AC_ARG_WITH([jslint], ...)` provides `--with-jslint` and 
`--without-jslint`. But there was a bug in my check logic.

I pushed another fix that fixed a bug in my logic and replaces some complicated 
checks with a straight-forward `AS_CASE` block.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/502#issuecomment-283623906

[Freeipa-devel] [freeipa PR#475][synchronized] Add options to run only ipaclient unittests

2017-03-02 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/475
Author: tiran
 Title: #475: Add options to run only ipaclient unittests
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/475/head:pr475
git checkout pr475
From 9a1f7c67966e9db5402537277bd3eb194c819e03 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 17 Feb 2017 08:39:54 +0100
Subject: [PATCH 1/3] Add options to run only ipaclient unittests

A new option for ipa-run-tests makes the test runner ignore
subdirectories or skips tests that depend on the ipaserver package or on
a running framework for RPC integration tests. The new option enables
testing of client-only builds.

$ ipatests/ipa-run-tests --ipaclient-unittests
...
platform linux2 -- Python 2.7.13, pytest-2.9.2, py-1.4.32, pluggy-0.3.1
rootdir: /home/heimes/redhat, inifile: tox.ini
plugins: sourceorder-0.5, cov-2.3.0, betamax-0.7.1, multihost-1.1
collected 451 items

test_util.py 
util.py ..
test_ipaclient/test_csrgen.py .....
test_ipalib/test_aci.py ...
test_ipalib/test_backend.py 
test_ipalib/test_base.py ...
test_ipalib/test_capabilities.py .
test_ipalib/test_cli.py ...
test_ipalib/test_config.py ...
test_ipalib/test_crud.py ...
test_ipalib/test_errors.py ...
test_ipalib/test_frontend.py 
test_ipalib/test_messages.py 
test_ipalib/test_output.py ...
test_ipalib/test_parameters.py .
test_ipalib/test_plugable.py 
test_ipalib/test_rpc.py ..
test_ipalib/test_text.py .
test_ipalib/test_x509.py ...
test_ipapython/test_cookie.py 
test_ipapython/test_dn.py ...
test_ipapython/test_ipautil.py ..
test_ipapython/test_ipavalidate.py ..
test_ipapython/test_kerberos.py ..
test_ipapython/test_keyring.py ..
test_ipapython/test_ssh.py ...
test_pkcs10/test_pkcs10.py .

https://fedorahosted.org/freeipa/ticket/6517

Signed-off-by: Christian Heimes 
---
 ipatests/conftest.py   | 63 +-
 ipatests/setup.py  |  1 -
 ipatests/test_ipaclient/test_csrgen.py |  1 +
 ipatests/test_ipalib/test_rpc.py   |  2 ++
 ipatests/util.py   | 15 ++--
 5 files changed, 78 insertions(+), 4 deletions(-)

diff --git a/ipatests/conftest.py b/ipatests/conftest.py
index 511d7b7..6c13e23 100644
--- a/ipatests/conftest.py
+++ b/ipatests/conftest.py
@@ -3,17 +3,26 @@
 #
 from __future__ import print_function
 
+import fnmatch
 import os
 import pprint
+import re
 import sys
 
+import pytest
+
 from ipalib import api
 from ipalib.cli import cli_plugins
 try:
+import ipaplatform
+except ImportError:
+ipaplatform = None
+try:
 import ipaserver
 except ImportError:
 ipaserver = None
 
+HERE = os.path.dirname(os.path.abspath(__file__))
 
 pytest_plugins = [
 'ipatests.pytest_plugins.additional_config',
@@ -31,6 +40,7 @@
 'tier1: functional API tests',
 'cs_acceptance: Acceptance test suite for Dogtag Certificate Server',
 'ds_acceptance: Acceptance test suite for 389 Directory Server',
+'skip_ipaclient_unittest: Skip in ipaclient unittest mode',
 ]
 
 
@@ -46,6 +56,28 @@
 'install/share'
 ]
 
+
+SKIP_IPASERVER_PATTERNS = [
+# fnmatch patterns
+'test_cmdline/*',
+'test_install/*',
+'test_integration/*',
+'test_ipaserver/*',
+'test_webui/*',
+'test_xmlrpc/*'
+]
+
+if ipaplatform is None:
+# test depends on ipaplatform
+SKIP_IPASERVER_PATTERNS.append('test_ipaclient/test_csrgen.py')
+
+SKIP_IPASERVER_RE = re.compile(
+'(' +
+'|'.join(fnmatch.translate(pat) for pat in SKIP_IPASERVER_PATTERNS) +
+')'
+)
+
+
 INIVALUES = {
 'python_classes': ['test_', 'Test'],
 'python_files': ['test_*.py'],
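
Review bot: `fnmatch.translate()` produces anchored regexes (they end in `\Z`), so `SKIP_IPASERVER_RE` only matches when the string tested against it is the path relative to `HERE` with forward slashes, e.g. a relative path such as `test_xmlrpc/test_something.py`; the matching code is outside the visible part of the diff, so make sure it passes `os.path.relpath(str(path), HERE)` rather than an absolute path. Note also that fnmatch's `*` matches `/`, so `test_install/*` already covers nested directories, which is presumably what is wanted here.
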
@@ -75,13 +107,27 @@ def pytest_configure(config):
 config.option.doctestmodules = True
 
 
+def pytest_addoption(parser):
+group = parser.getgroup("IPA integration tests")
+group.addoption(
+'--ipaclient-unittests',
+help='Run ipaclient unit tests only (no RPC and ipaserver)',
+action='store_true'
+)
+
+
 def pytest_cmdline_main(config):
 api.bootstrap(
 context=u'cli', in_server=False, in_tree=True, fallback=False
 )
 for klass in cli_plugins:
 api.add_plugin(klass)
-api.finalize()
+
+# XXX workaround until https://fedorahosted.org/freeipa/ticket/6408 has
+# been resolved.
+if ipaserver is not None:
+api.finalize()
+
 if config.option.verbose:
 print('api.env: ')
 pprint.pprint({k: api.env[k] for k in api.env})
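
Review bot: the `api.finalize()` skip is keyed on `ipaserver is None`, not on the new `--ipaclient-unittests` option, so a client-only checkout now runs the whole suite against an unfinalized `api` even when the option is not given, while a full checkout with the option still finalizes. Either tie the workaround to `config.option.ipaclient_unittests` as well, or state in the XXX comment that the trigger is deliberately the package layout. A style nit: the option is added to the `"IPA integration tests"` group although it selects unit tests; a separate group or a more neutral name avoids confusing `--help` output.
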
@@ -89,3 +135,18 @@ def 

[Freeipa-devel] [freeipa PR#533][opened] WebUI: Change structure of Identity submenu

2017-03-02 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/533
Author: pvomacka
 Title: #533: WebUI: Change structure of Identity submenu
Action: opened

PR body:
"""
Previously there were 'User Groups', 'Host Groups' and 'Netgroups'
separately; now these three items are grouped into one named 'Groups',
which has a sidebar with the three items mentioned above.

This change allows us to move ID views into Identity submenu.

https://pagure.io/freeipa/issue/6717
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/533/head:pr533
git checkout pr533
From 144b99bd9bff6e1679de60b2ce39f262c19a98a0 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 2 Mar 2017 10:31:48 +0100
Subject: [PATCH] WebUI: Change structure of Identity submenu

Previously there were 'User Groups', 'Host Groups' and 'Netgroups'
separately; now these three items are grouped into one named 'Groups',
which has a sidebar with the three items mentioned above.

This change allows us to move ID views into Identity submenu.

https://pagure.io/freeipa/issue/6717
---
 install/ui/src/freeipa/group.js| 16 +++-
 install/ui/src/freeipa/hostgroup.js|  6 +-
 install/ui/src/freeipa/navigation/menu_spec.js | 22 ++
 install/ui/src/freeipa/netgroup.js |  6 +-
 ipaserver/plugins/internal.py  |  5 +
 5 files changed, 48 insertions(+), 7 deletions(-)

diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js
index 7a6bc91..bf718ad 100644
--- a/install/ui/src/freeipa/group.js
+++ b/install/ui/src/freeipa/group.js
@@ -32,7 +32,17 @@ define([
 './entity'],
 function(on, IPA, $, phases, reg) {
 
-var exp = IPA.group = {};
+var exp = IPA.group = {
+search_facet_group: {
+name: 'search',
+label: '@i18n:objects.group.group_categories',
+facets: {
+search_group: 'group_search',
+search_hostgroup: 'hostgroup_search',
+search_netgroup: 'netgroup_search'
+}
+}
+};
 
 var make_spec = function() {
 return {
@@ -40,6 +50,10 @@ return {
 facets: [
 {
 $type: 'search',
+tab_label: '@i18n:objects.group.user_groups',
+facet_groups: [IPA.group.search_facet_group],
+tabs_in_sidebar: true,
+disable_facet_tabs: false,
 columns: [
 'cn',
 'gidnumber',
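Review bot: `facet_groups: [IPA.group.search_facet_group]`, `tabs_in_sidebar: true` and `disable_facet_tabs: false` are repeated verbatim in this search facet and in the hostgroup.js and netgroup.js facets of this patch; consider folding the three keys into one shared fragment next to `search_facet_group` so the three sidebar tabs cannot drift apart when one file is edited.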
diff --git a/install/ui/src/freeipa/hostgroup.js b/install/ui/src/freeipa/hostgroup.js
index f0d6642..c38281c 100644
--- a/install/ui/src/freeipa/hostgroup.js
+++ b/install/ui/src/freeipa/hostgroup.js
@@ -38,6 +38,10 @@ return {
 facets: [
 {
 $type: 'search',
+tab_label: '@i18n:objects.hostgroup.host_group',
+facet_groups: [IPA.group.search_facet_group],
+tabs_in_sidebar: true,
+disable_facet_tabs: false,
 columns: [
 'cn',
 'description'
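Review bot: `facet_groups: [IPA.group.search_facet_group]` dereferences `IPA.group` from hostgroup.js; unless hostgroup.js declares './group' among its define() dependencies (not visible in this hunk), the value depends on group.js happening to have been evaluated first and silently becomes `[undefined]` otherwise. Add the dependency or reference the facet group by name so the load order is explicit.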
@@ -105,4 +109,4 @@ exp.register = function() {
 phases.on('registration', exp.register);
 
 return exp;
-});
\ No newline at end of file
+});
diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js
index 7d121d9..0e717db 100644
--- a/install/ui/src/freeipa/navigation/menu_spec.js
+++ b/install/ui/src/freeipa/navigation/menu_spec.js
@@ -52,12 +52,27 @@ var nav = {};
 }
 ]
 },
-{ entity: 'group' },
 { entity: 'host' },
-{ entity: 'hostgroup' },
-{ entity: 'netgroup' },
 { entity: 'service' },
 {
+entity: 'group',
+label: '@i18n:objects.group.groups',
+facet: 'search',
+children: [
+{
+entity: 'hostgroup',
+facet: 'search',
+hidden: true
+},
+{
+entity: 'netgroup',
+facet: 'search',
+hidden: true
+}
+]
+},
+{ entity: 'idview' },
+{
 name: 'automember',
 label: '@i18n:tabs.automember',
 children: [
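Review bot: this hunk introduces `@i18n:objects.group.groups` and hides the `hostgroup` and `netgroup` entries under `group`; together with `objects.group.group_categories`, `objects.group.user_groups` and `objects.hostgroup.host_group` from the earlier hunks that is at least four new translation keys, and the ipaserver/plugins/internal.py part of this patch (5 insertions in the diffstat) is not included in this message, so please confirm every key used here and in netgroup.js is defined there.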
@@ -201,7 +216,6 @@ var nav = {};
 ]
 },
 { entity: 'idrange' },
-{ entity: 'idview' },
 { entity: 'realmdomains' },
 {
 name: 'trusts',
diff --git a/install/ui/src/freeipa/netgroup.js b/install/ui/src/freeipa/netgroup.js
index d84aca2..3b32d41 100644
--- a/install/ui/src/freeipa/netgroup.js
+++ 

[Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional

2017-03-02 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

tomaskrizek commented:
"""
Since `--without-jslint` was removed, there's actually no way to explicitly 
turn off jsl (it will always be autodetected). I tried to set 
`--with-jslint=no`, but that didn't do the trick.

Pylint can be disabled with `--enable-pylint=no`, however.

I suggest the following:

- when `--with-jslint=no`, turn off jsl,
- pass `--with-jslint=no --enable-pylint=no` to `%configure` in 
`freeipa.spec.in` when `with_lint` is not defined.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/502#issuecomment-283604750
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#510][comment] Vault: port key wrapping to python-cryptography

2017-03-02 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/510
Title: #510: Vault: port key wrapping to python-cryptography

stlaz commented:
"""
Tested this and went through the code; both were fine. ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/510#issuecomment-283603907

[Freeipa-devel] [freeipa PR#510][+ack] Vault: port key wrapping to python-cryptography

2017-03-02 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/510
Title: #510: Vault: port key wrapping to python-cryptography

Label: +ack

[Freeipa-devel] [freeipa PR#531][synchronized] httpinstance: disable system trust module in /etc/httpd/alias

2017-03-02 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/531
Author: HonzaCholasta
 Title: #531: httpinstance: disable system trust module in /etc/httpd/alias
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/531/head:pr531
git checkout pr531
From a98d2422bf38be2a383d29e6f781ef6d783688cf Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 1 Mar 2017 17:54:05 +0100
Subject: [PATCH] httpinstance: disable system trust module in /etc/httpd/alias

Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Disable the system trust module on install and upgrade to prevent the
system trust store from being used in /etc/httpd/alias and fix all of the
above issues.

https://pagure.io/freeipa/issue/6132
---
 ipaplatform/base/paths.py   |  1 +
 ipaserver/install/httpinstance.py   | 12 
 ipaserver/install/server/upgrade.py | 16 
 3 files changed, 29 insertions(+)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index e4d4f2e..19a44fc 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -165,6 +165,7 @@ class BasePathNamespace(object):
 BIN_KVNO = "/usr/bin/kvno"
 LDAPMODIFY = "/usr/bin/ldapmodify"
 LDAPPASSWD = "/usr/bin/ldappasswd"
+MODUTIL = "/usr/bin/modutil"
 NET = "/usr/bin/net"
 BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
 NSUPDATE = "/usr/bin/nsupdate"
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 0c2216e..d042beb 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -349,11 +349,23 @@ def create_password_conf(self):
 os.chown(pwd_conf, pent.pw_uid, pent.pw_gid)
 os.chmod(pwd_conf, 0o400)
 
+def disable_system_trust(self):
+name = 'Root Certs'
+args = [paths.MODUTIL, '-dbdir', paths.HTTPD_ALIAS_DIR, '-force']
+
+result = ipautil.run(args + ['-list', name], capture_output=True)
+if 'Status: Enabled' in result.output:
+ipautil.run(args + ['-disable', name])
+return True
+
+return False
+
 def __setup_ssl(self):
 db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
   subject_base=self.subject_base, user="root",
   group=constants.HTTPD_GROUP,
   truncate=(not self.promote))
+self.disable_system_trust()
 if self.pkcs12_info:
 if self.ca_is_configured:
 trust_flags = 'CT,C,C'
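Review bot: `ipautil.run(args + ['-list', name], capture_output=True)` uses the default raiseonerr, so if 'Root Certs' is not registered in the database at all, modutil exits non-zero and the resulting CalledProcessError aborts `__setup_ssl()` instead of being treated as "nothing to disable"; pass raiseonerr=False and check the return code. The `'Status: Enabled' in result.output` test is also a substring match over the whole module listing, where a Status line appears for each slot, so match the full line rather than any occurrence of the phrase.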
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index d7271e5..bc79a9f 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1495,6 +1495,21 @@ def enable_anonymous_principal(krb):
 pass
 
 
+def disable_httpd_system_trust(http):
+ca_certs = []
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+for nickname, trust_flags in db.list_certs():
+if 'u' not in trust_flags:
+cert = db.get_cert_from_db(nickname, pem=False)
+if cert:
+ca_certs.append((cert, nickname, trust_flags))
+
+if http.disable_system_trust():
+for cert, nickname, trust_flags in ca_certs:
+db.add_cert(cert, nickname, trust_flags)
+
+
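Review bot: `db.list_certs()` runs while 'Root Certs' is still enabled; if it enumerates the builtin token's certificates as well as the database's own, every system CA (none of which carries a 'u' flag) lands in `ca_certs` and is then written into /etc/httpd/alias as a permanent entry by `db.add_cert()`, reintroducing the very CAs this patch is meant to keep out of httpd's trust store. Skip entries that live on the builtin token, or snapshot the database after disabling the module and re-add only the certificates whose trust flags were actually lost, and log each nickname that is re-added so the upgrade is auditable.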
 def upgrade_configuration():
 """
 Execute configuration upgrade of the IPA services
@@ -1630,6 +1645,7 @@ def upgrade_configuration():
 http.enable_kdcproxy()
 
 http.stop()
+disable_httpd_system_trust(http)
 update_ipa_httpd_service_conf(http)
 update_mod_nss_protocol(http)
 update_mod_nss_cipher_suite(http)
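Review bot: `disable_httpd_system_trust(http)` is called unconditionally in the upgrade path and propagates any CalledProcessError from `http.disable_system_trust()`, which would abort the rest of `upgrade_configuration()` after httpd has already been stopped; since this is a hardening step rather than a prerequisite for the steps that follow, catch and log the failure here so a modutil problem cannot leave a half-upgraded server.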

[Freeipa-devel] [freeipa PR#531][synchronized] httpinstance: disable system trust module in /etc/httpd/alias

2017-03-02 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/531
Author: HonzaCholasta
 Title: #531: httpinstance: disable system trust module in /etc/httpd/alias
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/531/head:pr531
git checkout pr531
From fd9b868ed14e868a3e58f68370aa28b677a3a763 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 1 Mar 2017 17:54:05 +0100
Subject: [PATCH] httpinstance: disable system trust module in /etc/httpd/alias

Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Disable the system trust module on install and upgrade to prevent the
system trust store from being used in /etc/httpd/alias and fix all of the
above issues.

https://pagure.io/freeipa/issue/6132
---
 ipaplatform/base/paths.py   |  1 +
 ipaserver/install/httpinstance.py   | 12 
 ipaserver/install/server/upgrade.py | 16 
 3 files changed, 29 insertions(+)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index e4d4f2e..19a44fc 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -165,6 +165,7 @@ class BasePathNamespace(object):
 BIN_KVNO = "/usr/bin/kvno"
 LDAPMODIFY = "/usr/bin/ldapmodify"
 LDAPPASSWD = "/usr/bin/ldappasswd"
+MODUTIL = "/usr/bin/modutil"
 NET = "/usr/bin/net"
 BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
 NSUPDATE = "/usr/bin/nsupdate"
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 0c2216e..85763b6 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -349,11 +349,23 @@ def create_password_conf(self):
 os.chown(pwd_conf, pent.pw_uid, pent.pw_gid)
 os.chmod(pwd_conf, 0o400)
 
+def disable_system_trust(self):
+name = 'Root Certs'
+args = [paths.MODUTIL, '-dbdir', paths.HTTPD_ALIAS_DIR, '-force']
+
+result = ipautil.run(args + ['-list', name])
+if 'Status: Enabled' in result.output:
+ipautil.run(args + ['-disable', name])
+return True
+
+return False
+
 def __setup_ssl(self):
 db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
   subject_base=self.subject_base, user="root",
   group=constants.HTTPD_GROUP,
   truncate=(not self.promote))
+self.disable_system_trust()
 if self.pkcs12_info:
 if self.ca_is_configured:
 trust_flags = 'CT,C,C'
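Review bot: compared with the previous revision of this PR, `capture_output=True` was dropped from the `-list` call at `result = ipautil.run(args + ['-list', name])`, but `result.output` is still inspected on the next line; unless ipautil.run captures stdout by default, `result.output` is None here and the `in` test raises TypeError, which would abort `__setup_ssl()`. Restore capture_output=True.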
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index d7271e5..bc79a9f 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1495,6 +1495,21 @@ def enable_anonymous_principal(krb):
 pass
 
 
+def disable_httpd_system_trust(http):
+ca_certs = []
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+for nickname, trust_flags in db.list_certs():
+if 'u' not in trust_flags:
+cert = db.get_cert_from_db(nickname, pem=False)
+if cert:
+ca_certs.append((cert, nickname, trust_flags))
+
+if http.disable_system_trust():
+for cert, nickname, trust_flags in ca_certs:
+db.add_cert(cert, nickname, trust_flags)
+
+
 def upgrade_configuration():
 """
 Execute configuration upgrade of the IPA services
@@ -1630,6 +1645,7 @@ def upgrade_configuration():
 http.enable_kdcproxy()
 
 http.stop()
+disable_httpd_system_trust(http)
 update_ipa_httpd_service_conf(http)
 update_mod_nss_protocol(http)
 update_mod_nss_cipher_suite(http)

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-02 Thread Jakub Hrozek
On Thu, Mar 02, 2017 at 08:12:04AM +0100, Martin Babinsky wrote:
> On 03/01/2017 05:28 PM, Alexander Bokovoy wrote:
> > On ke, 01 maalis 2017, Simo Sorce wrote:
> > > > > My take is: cut API/UI work, and do the underlying infrastructure work
> > > > > for the widest set of servers/clients possible instead.
> > > > >
> > > > > It is much more important to get the underlying gears done than to add
> > > > > UI candy, that can be delayed.
> > > > >
> > > > > Simo.
> > > > >
> > > > 
> > > > I agree, we just have to come to agreement of *which* gears are really
> > > > necessary.
> > > 
> > > Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
> > > it is a matter of extending two objectclasses instead of one ... if we
> > > decide that Id Views are a good abstraction point.
> > Adding the same attribute to ID View and to ipaConfig sounds logical to
> > me.
> > 
> > Martin, if you want help with this, I can implement ID View-related
> > parts. SSSD does have code to retrieve ipaConfig already, and it also
> > has support for reading ID View associated with the host. The resulting
> > value wouldn't end up in the same place, though, but this is something
> > to handle on SSSD side.
> > 
> 
> I was thinking about this at night (insomnia FTW) and it is actually pretty
> easy to extend ID view with the same attribute (see my other reply to Simo).
> Given the UI will be pretty dumb, we can just add the new attribute to the
> ID view object and a common code will be responsible for validation of
> changed values.

(I'm sorry to come late to the discussion, but I spent yesterday
debugging a nasty issue in SSSD and my brain wasn't working anymore)

To be honest, I haven't heard about users requesting to set the feature
per-host. Most were interested in a global setting and given the short time
before the next release, I thought for users who need a per-client solution,
a local sssd.conf modification could also work, also considering that the
/only/ solution so far was to modify sssd.conf with the default_domain_suffix
hack.

On the other hand, I see Simo's point about easy migration to this new
setting and easier tinkering with the option if it's possible to set
this per-view. And more importantly, I'm quite sure someone /will/ ask to
set this centrally, but per host(group) eventually.

So as long as the final design is a) extendable to provide a per-host
setting in the future, even if that part is not implemented in this version
in the UI or not used by the clients immediately and b) it's easy for
clients to consume this setting, I'm fine.

I'm afraid I can't comment on the ipaConfig issues and the replication
concerns as I'm not that proficient with IPA internals.



[Freeipa-devel] [freeipa PR#526][closed] server install: do not attempt to issue PKINIT cert in CA-less

2017-03-02 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/526
Author: HonzaCholasta
 Title: #526: server install: do not attempt to issue PKINIT cert in CA-less
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/526/head:pr526
git checkout pr526

[Freeipa-devel] [freeipa PR#526][+pushed] server install: do not attempt to issue PKINIT cert in CA-less

2017-03-02 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: do not attempt to issue PKINIT cert in CA-less

Label: +pushed

[Freeipa-devel] [freeipa PR#526][comment] server install: do not attempt to issue PKINIT cert in CA-less

2017-03-02 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: do not attempt to issue PKINIT cert in CA-less

HonzaCholasta commented:
"""
master:

* ba3c201a03cd0b224b43e45245147e48b7291f9f server install: do not attempt to 
issue PKINIT cert in CA-less
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/526#issuecomment-283596507

[Freeipa-devel] [freeipa PR#526][comment] server install: do not attempt to issue PKINIT cert in CA-less

2017-03-02 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/526
Title: #526: server install: do not attempt to issue PKINIT cert in CA-less

HonzaCholasta commented:
"""
OK, thanks.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/526#issuecomment-283596373

[Freeipa-devel] [freeipa PR#531][edited] httpinstance: disable system trust module in /etc/httpd/alias

2017-03-02 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/531
Author: HonzaCholasta
 Title: #531: httpinstance: disable system trust module in /etc/httpd/alias
Action: edited

 Changed field: body
Original value:
"""
Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled via a /etc/httpd/alias/libnssckbi.so symlink. This is
problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Rename the symlink on install and upgrade to prevent the system trust
module from being loaded in /etc/httpd/alias and fix all of the above issues.

https://pagure.io/freeipa/issue/6132
"""


[Freeipa-devel] [freeipa PR#531][edited] httpinstance: don't load system trust module in /etc/httpd/alias

2017-03-02 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/531
Author: HonzaCholasta
 Title: #531: httpinstance: don't load system trust module in /etc/httpd/alias
Action: edited

 Changed field: title
Original value:
"""
httpinstance: don't load system trust module in /etc/httpd/alias
"""


[Freeipa-devel] [freeipa PR#531][synchronized] httpinstance: don't load system trust module in /etc/httpd/alias

2017-03-02 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/531
Author: HonzaCholasta
 Title: #531: httpinstance: don't load system trust module in /etc/httpd/alias
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/531/head:pr531
git checkout pr531
From 1ba0d5d73119ac45e9c4fe39440f61f448dbf3a3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 1 Mar 2017 17:54:05 +0100
Subject: [PATCH] httpinstance: disable system trust module in /etc/httpd/alias

Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Disable the system trust module on install and upgrade to prevent the
system trust store from being used in /etc/httpd/alias and fix all of the
above issues.

https://pagure.io/freeipa/issue/6132
---
 ipaplatform/base/paths.py   |  1 +
 ipaserver/install/httpinstance.py   | 12 
 ipaserver/install/server/upgrade.py | 16 
 3 files changed, 29 insertions(+)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index e4d4f2e..19a44fc 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -165,6 +165,7 @@ class BasePathNamespace(object):
 BIN_KVNO = "/usr/bin/kvno"
 LDAPMODIFY = "/usr/bin/ldapmodify"
 LDAPPASSWD = "/usr/bin/ldappasswd"
+MODUTIL = "/usr/bin/modutil"
 NET = "/usr/bin/net"
 BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
 NSUPDATE = "/usr/bin/nsupdate"
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 0c2216e..91b039c 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -349,11 +349,23 @@ def create_password_conf(self):
 os.chown(pwd_conf, pent.pw_uid, pent.pw_gid)
 os.chmod(pwd_conf, 0o400)
 
+def disable_system_trust(self):
+try:
+ipautil.run([paths.MODUTIL,
+ '-dbdir', paths.HTTPD_ALIAS_DIR,
+ '-disable', 'Root Certs',
+ '-force'])
+except ipautil.CalledProcessError:
+return False
+else:
+return True
+
 def __setup_ssl(self):
 db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
   subject_base=self.subject_base, user="root",
   group=constants.HTTPD_GROUP,
   truncate=(not self.promote))
+self.disable_system_trust()
 if self.pkcs12_info:
 if self.ca_is_configured:
 trust_flags = 'CT,C,C'
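Review bot: `except ipautil.CalledProcessError: return False` swallows the reason disabling failed (modutil missing, unwritable database, module not registered) and `__setup_ssl()` ignores the return value, so an install can finish with the system trust module still loaded and nothing in the log saying so; log the exception at warning level before returning False, and consider making the install path fail loudly since the commit message lists trust confusion in httpd as the problem being fixed. Also, if `-disable` succeeds on an already disabled module, `disable_httpd_system_trust()` will re-import the saved certificates on every upgrade; harmless only if `db.add_cert()` is idempotent, which deserves a comment.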
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index d7271e5..bc79a9f 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1495,6 +1495,21 @@ def enable_anonymous_principal(krb):
 pass
 
 
+def disable_httpd_system_trust(http):
+ca_certs = []
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+for nickname, trust_flags in db.list_certs():
+if 'u' not in trust_flags:
+cert = db.get_cert_from_db(nickname, pem=False)
+if cert:
+ca_certs.append((cert, nickname, trust_flags))
+
+if http.disable_system_trust():
+for cert, nickname, trust_flags in ca_certs:
+db.add_cert(cert, nickname, trust_flags)
+
+
 def upgrade_configuration():
 """
 Execute configuration upgrade of the IPA services
@@ -1630,6 +1645,7 @@ def upgrade_configuration():
 http.enable_kdcproxy()
 
 http.stop()
+disable_httpd_system_trust(http)
 update_ipa_httpd_service_conf(http)
 update_mod_nss_protocol(http)
 update_mod_nss_cipher_suite(http)

[Freeipa-devel] [freeipa PR#531][comment] httpinstance: don't load system trust module in /etc/httpd/alias

2017-03-02 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: don't load system trust module in /etc/httpd/alias

tiran commented:
"""
Your solution is just a temporary solution. The file is re-added every time 
mod_nss is updated. The mod_nss package needs to be changed, too.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/531#issuecomment-283588206

[Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional

2017-03-02 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

stlaz commented:
"""
There's an ongoing discussion about the acceptance of the patch. Removing the 
ACK label until the acceptance is agreed on. Please, @lslebodn or @tomaskrizek, 
add the label back once that is done. However, please, try to cut the 
**discussion short** and make the decision in the least comments possible.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/502#issuecomment-283587928

[Freeipa-devel] [freeipa PR#502][-ack] Make pylint and jsl optional

2017-03-02 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

Label: -ack

[Freeipa-devel] [freeipa PR#517][synchronized] [WIP] Use Custodia 0.3 features

2017-03-02 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
 Title: #517: [WIP] Use Custodia 0.3 features
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/517/head:pr517
git checkout pr517
From a6d1269c8381a768d3166f8c7aa1f6bb871c9f26 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 28 Feb 2017 12:07:19 +0100
Subject: [PATCH 1/2] Use Custodia 0.3 features

* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
  default setting for IPA's config file. The new file also makes it
  simpler to run IPA's custodia instance with its own SELinux context.

Signed-off-by: Christian Heimes 
---
 freeipa.spec.in  | 13 -
 init/systemd/ipa-custodia.service.in |  5 ++---
 install/tools/Makefile.am|  1 +
 install/tools/ipa-custodia   |  6 ++
 ipaserver/secrets/service.py | 30 ++
 ipasetup.py.in   |  1 +
 6 files changed, 48 insertions(+), 8 deletions(-)
 create mode 100755 install/tools/ipa-custodia
 create mode 100644 ipaserver/secrets/service.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5c835ca..5400df9 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -148,7 +148,8 @@ BuildRequires:  pki-base-python2
 BuildRequires:  python-pytest-multihost
 BuildRequires:  python-pytest-sourceorder
 BuildRequires:  python-jwcrypto
-BuildRequires:  python-custodia
+# 0.3: sd-notify and ipaserver.secrets.service
+BuildRequires:  python-custodia >= 0.3
 BuildRequires:  dbus-python
 BuildRequires:  python-dateutil
 BuildRequires:  python-enum34
@@ -184,7 +185,8 @@ BuildRequires:  pki-base-python3
 BuildRequires:  python3-pytest-multihost
 BuildRequires:  python3-pytest-sourceorder
 BuildRequires:  python3-jwcrypto
-BuildRequires:  python3-custodia
+# 0.3: sd-notify and ipaserver.secrets.service
+BuildRequires:  python3-custodia >= 0.3
 BuildRequires:  python3-dbus
 BuildRequires:  python3-dateutil
 BuildRequires:  python3-enum34
@@ -361,7 +363,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= 2.4.6-31
 Requires: systemd-units >= 38
-Requires: custodia
+Requires: custodia >= 0.3
 
 Provides: %{alt_name}-server-common = %{version}
 Conflicts: %{alt_name}-server-common
@@ -608,7 +610,7 @@ Requires: python-jwcrypto
 Requires: python-cffi
 Requires: python-ldap >= 2.4.15
 Requires: python-requests
-Requires: python-custodia
+Requires: python-custodia >= 0.3
 Requires: python-dns >= 1.15
 Requires: python-enum34
 Requires: python-netifaces >= 0.10.4
@@ -657,7 +659,7 @@ Requires: python3-six
 Requires: python3-jwcrypto
 Requires: python3-cffi
 Requires: python3-pyldap >= 2.4.15
-Requires: python3-custodia
+Requires: python3-custodia >= 0.3
 Requires: python3-requests
 Requires: python3-dns >= 1.15
 Requires: python3-netifaces >= 0.10.4
@@ -1110,6 +1112,7 @@ fi
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
 %dir %{_libexecdir}/ipa
+%{_libexecdir}/ipa/ipa-custodia
 %{_libexecdir}/ipa/ipa-dnskeysyncd
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
diff --git a/init/systemd/ipa-custodia.service.in b/init/systemd/ipa-custodia.service.in
index 3f9b128..0247bd8 100644
--- a/init/systemd/ipa-custodia.service.in
+++ b/init/systemd/ipa-custodia.service.in
@@ -2,9 +2,8 @@
 Description=IPA Custodia Service
 
 [Service]
-Type=simple
-
-ExecStart=@sbindir@/custodia @IPA_SYSCONF_DIR@/custodia/custodia.conf
+Type=notify
+ExecStart=@libexecdir@/ipa/ipa-custodia @IPA_SYSCONF_DIR@/custodia/custodia.conf
 PrivateTmp=yes
 Restart=on-failure
 RestartSec=60s
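Review bot: switching to `Type=notify` makes systemd wait for a READY=1 notification before the unit counts as started; the commit message says Custodia 0.3 provides sd-notify, but the `ipaserver/secrets/service.py` hunk in this message is cut off, so please confirm the new entry point actually sends it, otherwise the unit times out and `Restart=on-failure` with `RestartSec=60s` will cycle it indefinitely.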
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index f2c2ce2..493e5ff 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -32,6 +32,7 @@ dist_sbin_SCRIPTS =		\
 
 appdir = $(libexecdir)/ipa/
 dist_app_SCRIPTS =		\
+	ipa-custodia		\
 	ipa-httpd-kdcproxy	\
 	ipa-pki-retrieve-key	\
 	$(NULL)
diff --git a/install/tools/ipa-custodia b/install/tools/ipa-custodia
new file mode 100755
index 000..5deeeff
--- /dev/null
+++ b/install/tools/ipa-custodia
@@ -0,0 +1,6 @@
+#!/usr/bin/python2
+# Copyright (C) 2017  IPA Project Contributors, see COPYING for license
+from ipaserver.secrets.service import main
+
+if __name__ == '__main__':
+main()
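Review bot: the shebang `#!/usr/bin/python2` is hard-coded, while the spec changes in this same patch add `python3-custodia >= 0.3` to the python3 build and the script is installed verbatim from install/tools/Makefile.am; the python3 server package would therefore ship a script that runs under python2 and imports a different set of modules. Use the interpreter selected at build time rather than a fixed python2 path.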
diff --git a/ipaserver/secrets/service.py b/ipaserver/secrets/service.py
new file mode 100644
index 000..f51c46a
--- /dev/null
+++ b/ipaserver/secrets/service.py
@@ -0,0 +1,30 @@
+# Copyright (C) 2017  IPA Project Contributors, see COPYING for license
+import argparse
+
+import custodia.server
+
+
+argparser = argparse.ArgumentParser(
+prog='ipa-custodia',
+description='IPA Custodia service'
+)
+argparser.add_argument(
+'--debug',
+action='store_true',
+

[Freeipa-devel] [freeipa PR#532][opened] Fix cookie with Max-Age processing

2017-03-02 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/532
Author: stlaz
 Title: #532: Fix cookie with Max-Age processing
Action: opened

PR body:
"""
When cookie has Max-Age set it tries to get expiration by adding
to a timestamp. Without this patch the timestamp would be set to
None and thus the addition of timestamp + max_age fails

https://pagure.io/freeipa/issue/6718
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/532/head:pr532
git checkout pr532
From 01e27de70dbf65d31587b66047c3ab966ac222c9 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 2 Mar 2017 09:11:34 +0100
Subject: [PATCH] Fix cookie with Max-Age processing

When cookie has Max-Age set it tries to get expiration by adding
to a timestamp. Without this patch the timestamp would be set to
None and thus the addition of timestamp + max_age fails

https://pagure.io/freeipa/issue/6718
---
 ipalib/rpc.py   | 12 
 ipapython/cookie.py |  5 -
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index f2cdad9..ef2a811 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -759,9 +759,11 @@ def store_session_cookie(self, cookie_header):
 session_cookie = None
 try:
 for cookie in cookie_header:
-session_cookie = \
-Cookie.get_named_cookie_from_string(cookie, COOKIE_NAME,
-request_url)
+session_cookie = (
+Cookie.get_named_cookie_from_string(
+cookie, COOKIE_NAME, request_url,
+timestamp=datetime.datetime.now())
+)
 if session_cookie is not None:
 break
 except Exception as e:
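Review bot: `datetime.datetime.now()` is a naive local time; if `ipapython/cookie.py` compares the Max-Age derived expiration against a UTC clock or against a server-supplied `Expires`, the expiry will be off by the local UTC offset. Check which clock the cookie code uses for expiration and pass the matching one (for example `datetime.datetime.utcnow()`) at both call sites in this file.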
@@ -861,7 +863,9 @@ def get_session_cookie_from_persistent_storage(self, principal):
 
 # Search for the session cookie within the cookie string
 try:
-session_cookie = Cookie.get_named_cookie_from_string(cookie_string, COOKIE_NAME)
+session_cookie = Cookie.get_named_cookie_from_string(
+cookie_string, COOKIE_NAME,
+timestamp=datetime.datetime.now())
 except Exception:
 return None
 
diff --git a/ipapython/cookie.py b/ipapython/cookie.py
index 57523a4..9797fc1 100644
--- a/ipapython/cookie.py
+++ b/ipapython/cookie.py
@@ -322,7 +322,8 @@ def parse(cls, cookie_string, request_url=None):
 return cookies
 
 @classmethod
-def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=None):
+def get_named_cookie_from_string(cls, cookie_string, cookie_name,
+ request_url=None, timestamp=None):
 '''
 A cookie string may contain multiple cookies, parse the cookie
 string and return the last cookie in the string matching the
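Review bot: the new `timestamp` parameter is not described in the visible part of the docstring; add a sentence stating that it is the base time from which a Max-Age expiration is computed and what happens when it is left as `None`.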
@@ -344,6 +345,8 @@ def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=No
 if cookie.key == cookie_name:
 target_cookie = cookie
 
+if timestamp is not None:
+target_cookie.timestamp = timestamp
 if request_url is not None:
 target_cookie.normalize(request_url)
 return target_cookie
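Review bot: assigning `target_cookie.timestamp` only when the caller passes one means every other caller of `get_named_cookie_from_string` still ends up with a `None` timestamp and the `timestamp + max_age` failure the commit message describes. Defaulting to the current time here when `timestamp is None` (or in the `Cookie` constructor) fixes it for all callers rather than only the two updated in `ipalib/rpc.py`. Also confirm `target_cookie` cannot be `None` at this point when no cookie matched `cookie_name`, since the new attribute assignment would raise before the `request_url` branch does.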
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#453][synchronized] Cleanup certdb

2017-03-02 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/453
Author: tiran
 Title: #453: Cleanup certdb
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/453/head:pr453
git checkout pr453
From a4eeabff14a3e67ecc93ddea28f49be73a328230 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 9 Feb 2017 14:55:45 +0100
Subject: [PATCH 1/2] Cleanup certdb

* use with statement to open/close files
* prefer fchmod/fchown when a file descriptor is available
* set permission before data is written to file

Signed-off-by: Christian Heimes 
---
 ipaserver/install/certs.py | 123 +
 1 file changed, 57 insertions(+), 66 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 4f97801..ed80bec 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -117,10 +117,12 @@ def __init__(self, realm, nssdir, fstore=None,
 self.host_name = host_name
 self.ca_subject = ca_subject
 self.subject_base = subject_base
+
 try:
-self.cwd = os.getcwd()
+self.cwd = os.path.abspath(os.getcwd())
 except OSError as e:
-raise RuntimeError("Unable to determine the current directory: %s" % str(e))
+raise RuntimeError(
+"Unable to determine the current directory: %s" % str(e))
 
 self.cacert_name = get_ca_nickname(self.realm)
 
@@ -163,6 +165,8 @@ def passwd_fname(self):
 def __del__(self):
 if self.reqdir is not None:
 shutil.rmtree(self.reqdir, ignore_errors=True)
+self.reqdir = None
+self.nssdb.close()
 try:
 os.chdir(self.cwd)
 except OSError:
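Review bot: `self.nssdb.close()` in `__del__` raises `AttributeError` if `__init__` failed before `self.nssdb` was assigned (for example at the `os.getcwd()` RuntimeError in the previous hunk), which surfaces as an ignored-exception warning at interpreter exit. Guard it the same way `reqdir` is guarded, e.g. `nssdb = getattr(self, 'nssdb', None)` and close only when it is set.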
@@ -183,22 +187,20 @@ def setup_cert_request(self):
 self.certreq_fname = self.reqdir + "/tmpcertreq"
 self.certder_fname = self.reqdir + "/tmpcert.der"
 
-# When certutil makes a request it creates a file in the cwd, make
-# sure we are in a unique place when this happens
-os.chdir(self.reqdir)
-
-def set_perms(self, fname, write=False, uid=None):
-if uid:
-pent = pwd.getpwnam(uid)
-os.chown(fname, pent.pw_uid, pent.pw_gid)
-else:
-os.chown(fname, self.uid, self.gid)
+def set_perms(self, fname, write=False):
 perms = stat.S_IRUSR
 if write:
 perms |= stat.S_IWUSR
-os.chmod(fname, perms)
+if hasattr(fname, 'fileno'):
+os.fchown(fname.fileno(), self.uid, self.gid)
+os.fchmod(fname.fileno(), perms)
+else:
+os.chown(fname, self.uid, self.gid)
+os.chmod(fname, perms)
 
 def run_certutil(self, args, stdin=None, **kwargs):
+# When certutil makes a request it creates a file in the cwd, make
+# sure we are in a unique place when this happens
 return self.nssdb.run_certutil(args, stdin, **kwargs)
 
 def run_signtool(self, args, stdin=None):
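Review bot: the comment moved into `run_certutil` ("make sure we are in a unique place when this happens") now describes an `os.chdir(self.reqdir)` that no longer happens in this hunk; either drop the comment or confirm that `self.nssdb.run_certutil` sets the working directory itself, otherwise certutil writes its request artifacts into whatever cwd the caller happens to have. Separately, dropping the `uid` parameter from `set_perms` changes its signature, so any caller still passing `uid=` fails with `TypeError`; grep for callers before merging.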
@@ -212,19 +214,18 @@ def run_signtool(self, args, stdin=None):
 def create_noise_file(self):
 if ipautil.file_exists(self.noise_fname):
 os.remove(self.noise_fname)
-f = open(self.noise_fname, "w")
-f.write(ipautil.ipa_generate_password())
-self.set_perms(self.noise_fname)
+with open(self.noise_fname, "w") as f:
+self.set_perms(f)
+f.write(ipautil.ipa_generate_password())
 
 def create_passwd_file(self, passwd=None):
 ipautil.backup_file(self.passwd_fname)
-f = open(self.passwd_fname, "w")
-if passwd is not None:
-f.write("%s\n" % passwd)
-else:
-f.write(ipautil.ipa_generate_password())
-f.close()
-self.set_perms(self.passwd_fname)
+with open(self.passwd_fname, "w") as f:
+self.set_perms(f)
+if passwd is not None:
+f.write("%s\n" % passwd)
+else:
+f.write(ipautil.ipa_generate_password())
 
 def create_certdbs(self):
 self.nssdb.create_db(user=self.user, group=self.group, mode=self.mode,
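Review bot: `open(self.noise_fname, "w")` and `open(self.passwd_fname, "w")` create the files with the mode derived from the process umask, and the `fchmod` inside `set_perms(f)` only tightens it afterwards. Calling `set_perms` before the write does protect the content, as the commit message intends, but the empty file is briefly visible with umask permissions; creating it with `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` wrapped in `os.fdopen` removes that window entirely. Minor: in `create_passwd_file` the generated-password branch writes no trailing newline while the explicit `passwd` branch does; pre-existing, but worth aligning while the function is being touched.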
@@ -262,13 +263,13 @@ def export_ca_cert(self, nickname, create_pkcs12=False):
 # export the CA cert for use with other apps
 ipautil.backup_file(cacert_fname)
 root_nicknames = self.find_root_cert(nickname)[:-1]
-fd = open(cacert_fname, "w")
-for root in root_nicknames:
-result = self.run_certutil(["-L", "-n", root, "-a"],
-   capture_output=True)
-fd.write(result.output)
-fd.close()
-os.chmod(cacert_fname, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
+with open(cacert_fname, "w") as f:
+os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
+for root in root_nicknames:
+ 

[Freeipa-devel] [freeipa PR#531][opened] httpinstance: don't load system trust module in /etc/httpd/alias

2017-03-02 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/531
Author: HonzaCholasta
 Title: #531: httpinstance: don't load system trust module in /etc/httpd/alias
Action: opened

PR body:
"""
Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled via a /etc/httpd/alias/libnssckbi.so symlink. This is
problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Rename the symlink on install and upgrade to prevent the system trust
module to be loaded in /etc/httpd/alias and fix all of the above issues.

https://pagure.io/freeipa/issue/6132
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/531/head:pr531
git checkout pr531
From 8d6021f84698f1234866ebdad87b1704610c3e59 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 1 Mar 2017 17:54:05 +0100
Subject: [PATCH] httpinstance: don't load system trust module in
 /etc/httpd/alias

Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled via a /etc/httpd/alias/libnssckbi.so symlink. This is
problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Rename the symlink on install and upgrade to prevent the system trust
module to be loaded in /etc/httpd/alias and fix all of the above issues.

https://pagure.io/freeipa/issue/6132
---
 ipaserver/install/httpinstance.py   |  5 +
 ipaserver/install/server/upgrade.py | 21 +
 2 files changed, 26 insertions(+)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 0c2216e..cec684a 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -354,6 +354,11 @@ def __setup_ssl(self):
   subject_base=self.subject_base, user="root",
   group=constants.HTTPD_GROUP,
   truncate=(not self.promote))
+
+libnssckbi_so = os.path.join(paths.HTTPD_ALIAS_DIR, 'libnssckbi.so')
+if os.path.exists(libnssckbi_so):
+ipautil.backup_file(libnssckbi_so)
+
 if self.pkcs12_info:
 if self.ca_is_configured:
 trust_flags = 'CT,C,C'
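Review bot: `os.path.exists(libnssckbi_so)` follows the symlink and returns `False` when its target is missing, so a dangling `libnssckbi.so` link would be left in place and the system trust module would be re-enabled as soon as the target reappears. Use `os.path.lexists()` here (and in the matching check in `upgrade.py`) so the link itself is what is tested before `ipautil.backup_file` renames it.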
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index d7271e5..9f780c6 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1495,6 +1495,26 @@ def enable_anonymous_principal(krb):
 pass
 
 
+def disable_httpd_system_trust():
+libnssckbi_so = os.path.join(paths.HTTPD_ALIAS_DIR, 'libnssckbi.so')
+if not os.path.exists(libnssckbi_so):
+return
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+
+ca_certs = []
+for nickname, trust_flags in db.list_certs():
+if 'u' not in trust_flags:
+cert = db.get_cert_from_db(nickname, pem=False)
+if cert:
+ca_certs.append((cert, nickname, trust_flags))
+
+ipautil.backup_file(libnssckbi_so)
+
+for cert, nickname, trust_flags in ca_certs:
+db.add_cert(cert, nickname, trust_flags)
+
+
 def upgrade_configuration():
 """
 Execute configuration upgrade of the IPA services
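Review bot: `db.list_certs()` runs while the system trust module is still loaded; if it enumerates certificates from the builtin token as well as the database's own token, every system CA whose trust flags lack `u` is re-added to `/etc/httpd/alias` by the `db.add_cert` loop after the symlink is renamed, which reproduces the trust bypass the commit is removing. Confirm the listing is limited to the database's own token, or filter out builtin-token nicknames before re-adding. The `os.path.exists` vs `os.path.lexists` remark from `httpinstance.py` applies to the early return here as well.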
@@ -1630,6 +1650,7 @@ def upgrade_configuration():
 http.enable_kdcproxy()
 
 http.stop()
+disable_httpd_system_trust()
 update_ipa_httpd_service_conf(http)
 update_mod_nss_protocol(http)
 update_mod_nss_cipher_suite(http)
-- 

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-02 Thread Alexander Bokovoy

On Thu, 02 Mar 2017, Jan Cholasta wrote:

"No value is set in configuration => use built-in default / some value
is set configuration => use the value" is perfectly user friendly and
pretty much common virtually everywhere I believe, much more so than
"empty value is set in configuration => ignore the value even if the
user deliberately set it empty and use the default value instead".

I'm not arguing with "no value is set in configuration -> use built-in
default". I do argue on having empty but present attribute because it
does not add anything useful for SSSD to decide on. And as it is not
adding anything useful, why there should be such difference at all?

This is the only question open I see in this design.


The list does not have to contain all available domains, therefore it 
can also be empty. When a domain is not present in the list, a fully 
qualified name must be used for users in that domain, therefore when 
the list is empty, fully qualified name must be used for users in all 
domains.


This might be useful to someone, and even if it wasn't, I still don't 
think it warrants making a (IMO counter-intuitive) special case out of 
the empty list.

I'm confused. I don't want to make this distinction between a missing
attribute and an empty one. You appear to be following the same path.
What are we arguing about then?

--
/ Alexander Bokovoy
