[Freeipa-devel] [freeipa PR#619][synchronized] pytest 3.x compatibility

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/619
Author: tiran
 Title: #619: pytest 3.x compatibility
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/619/head:pr619
git checkout pr619
From 481060359a287f062340d1642eae1dabf8d102c5 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 17 Mar 2017 18:20:38 +0100
Subject: [PATCH] pytest 3.x compatibility

pytest 3.x does no longer support plain pytest.skip() on module level.

Signed-off-by: Christian Heimes 
---
 ipatests/test_cmdline/__init__.py |  6 ++
 ipatests/test_install/__init__.py |  5 ++---
 ipatests/test_integration/__init__.py |  5 ++---
 ipatests/test_ipaserver/__init__.py   |  6 ++
 ipatests/test_webui/__init__.py   |  5 ++---
 ipatests/test_xmlrpc/__init__.py  |  5 ++---
 ipatests/util.py  | 16 
 7 files changed, 28 insertions(+), 20 deletions(-)

diff --git a/ipatests/test_cmdline/__init__.py b/ipatests/test_cmdline/__init__.py
index af8867e..52eb23e 100644
--- a/ipatests/test_cmdline/__init__.py
+++ b/ipatests/test_cmdline/__init__.py
@@ -1,9 +1,7 @@
 #
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
+import ipatests.util
 
-import pytest
 
-
-if pytest.config.getoption('ipaclient_unittests', False):
-pytest.skip("Skip in ipaclient unittest mode")
+ipatests.util.check_ipaclient_unittests()
diff --git a/ipatests/test_install/__init__.py b/ipatests/test_install/__init__.py
index 54ef9eb..1d5fd0b 100644
--- a/ipatests/test_install/__init__.py
+++ b/ipatests/test_install/__init__.py
@@ -20,8 +20,7 @@
 """
 Package containing LDAP updates unit tests.
 """
-import pytest
+import ipatests.util
 
 
-if pytest.config.getoption('ipaclient_unittests', False):
-pytest.skip("Skip in ipaclient unittest mode")
+ipatests.util.check_ipaclient_unittests()
diff --git a/ipatests/test_integration/__init__.py b/ipatests/test_integration/__init__.py
index 8779f2f..2b4d535 100644
--- a/ipatests/test_integration/__init__.py
+++ b/ipatests/test_integration/__init__.py
@@ -16,8 +16,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
-import pytest
+import ipatests.util
 
 
-if pytest.config.getoption('ipaclient_unittests', False):
-pytest.skip("Skip in ipaclient unittest mode")
+ipatests.util.check_ipaclient_unittests()
diff --git a/ipatests/test_ipaserver/__init__.py b/ipatests/test_ipaserver/__init__.py
index 76942c7..22d36ea 100644
--- a/ipatests/test_ipaserver/__init__.py
+++ b/ipatests/test_ipaserver/__init__.py
@@ -20,9 +20,7 @@
 """
 Sub-package containing unit tests for `ipaserver` package.
 """
+import ipatests.util
 
-import pytest
 
-
-if pytest.config.getoption('ipaclient_unittests', False):
-pytest.skip("Skip in ipaclient unittest mode")
+ipatests.util.check_ipaclient_unittests()
diff --git a/ipatests/test_webui/__init__.py b/ipatests/test_webui/__init__.py
index cb2f361..3f1b63a 100644
--- a/ipatests/test_webui/__init__.py
+++ b/ipatests/test_webui/__init__.py
@@ -20,8 +20,7 @@
 """
 Sub-package containing Web UI integration tests
 """
-import pytest
+import ipatests.util
 
 
-if pytest.config.getoption('ipaclient_unittests', False):
-pytest.skip("Skip in ipaclient unittest mode")
+ipatests.util.check_ipaclient_unittests()
diff --git a/ipatests/test_xmlrpc/__init__.py b/ipatests/test_xmlrpc/__init__.py
index 720c61b..0ee42fb 100644
--- a/ipatests/test_xmlrpc/__init__.py
+++ b/ipatests/test_xmlrpc/__init__.py
@@ -20,8 +20,7 @@
 """
 Sub-package containing unit tests for `xmlrpc` package.
 """
-import pytest
+import ipatests.util
 
 
-if pytest.config.getoption('ipaclient_unittests', False):
-pytest.skip("Skip in ipaclient unittest mode")
+ipatests.util.check_ipaclient_unittests()
diff --git a/ipatests/util.py b/ipatests/util.py
index 4379c30..d877dcc 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -61,6 +61,22 @@
 unicode = str
 
 
+PYTEST_VERSION = tuple(int(v) for v in pytest.__version__.split('.'))
+
+
+def check_ipaclient_unittests(reason="Skip in ipaclient unittest mode"):
+"""Call this in a package to skip the package in ipaclient-unittest mode
+"""
+if pytest.config.getoption('ipaclient_unittests', False):
+if PYTEST_VERSION[0] >= 3:
+# pytest 3+ does no longer allow pytest.skip() on module level
+# pylint: disable=unexpected-keyword-arg
+raise pytest.skip.Exception(reason, allow_module_level=True)
+# pylint: enable=unexpected-keyword-arg
+else:
+raise pytest.skip(reason)
+
+
 class TempDir(object):
 def __init__(self):
 self.__path = tempfile.mkdtemp(prefix='ipa.tests.')
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contr

[Freeipa-devel] [freeipa PR#620][synchronized] [WIP] Fixing 6549

[felipevolpone]

   URL: https://github.com/freeipa/freeipa/pull/620
Author: felipevolpone
 Title: #620: [WIP] Fixing 6549
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/620/head:pr620
git checkout pr620
From 86510b8f703a104324c772e8bd5dbc86977db9fe Mon Sep 17 00:00:00 2001
From: felipe 
Date: Fri, 17 Mar 2017 14:31:16 -0300
Subject: [PATCH 1/2] https://pagure.io/freeipa/issue/6549

Changing replicainstall to check the domain level and then,
connect via ldap (using the right credentials).
---
 ipaserver/install/server/replicainstall.py | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index b4463fd..5da2850 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1391,7 +1391,14 @@ def install(installer):
 dsinstance.create_ds_user()
 
 try:
-conn.connect(ccache=ccache)
+conn.connect(bind_dn=ipaldap.DIRMAN_DN, bind_pw=config.dirman_password,
+ cacert=cafile)
+
+domain_level = current_domain_level(remote_api)
+if domain_level != 0:
+conn.disconnect()
+conn.connect(ccache=ccache)
+
 # Update and istall updated CA file
 cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
 

From 867154e0299312456e9565dd2b0a482be4501a7d Mon Sep 17 00:00:00 2001
From: felipe 
Date: Fri, 17 Mar 2017 17:27:15 -0300
Subject: [PATCH 2/2] Using the promote variable to check the domain_level

---
 ipaserver/install/server/replicainstall.py | 10 --
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 5da2850..e2a713d 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1391,13 +1391,11 @@ def install(installer):
 dsinstance.create_ds_user()
 
 try:
-conn.connect(bind_dn=ipaldap.DIRMAN_DN, bind_pw=config.dirman_password,
- cacert=cafile)
-
-domain_level = current_domain_level(remote_api)
-if domain_level != 0:
-conn.disconnect()
+if promote:
 conn.connect(ccache=ccache)
+else:
+conn.connect(bind_dn=ipaldap.DIRMAN_DN, cacert=cafile,
+ bind_pw=config.dirman_password)
 
 # Update and istall updated CA file
 cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#619][comment] pytest 3.x compatibility

[MartinBasti]

  URL: https://github.com/freeipa/freeipa/pull/619
Title: #619: pytest 3.x compatibility

MartinBasti commented:
"""
```
* Module ipatests.util
ipatests/util.py:73: [E1123(unexpected-keyword-arg), check_ipaclient_unittests] 
Unexpected keyword argument 'allow_module_level' in constructor call)
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/619#issuecomment-287457701
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#620][opened] [WIP] Fixing 6549

[felipevolpone]

   URL: https://github.com/freeipa/freeipa/pull/620
Author: felipevolpone
 Title: #620: [WIP] Fixing 6549
Action: opened

PR body:
"""
In order to fix https://pagure.io/freeipa/issue/6549. 

First of all, I tried at `ipaserver/server/install/replicainstall.py:1393`:
```python
try:
domain_level = current_domain_level(remote_api)
if domain_level != 0:
conn.connect(bind_dn=ipaldap.DIRMAN_DN, bind_pw=config.dirman_password,
 cacert=cafile)
else:
conn.connect(ccache=ccache)
```

However, the current_domain_level method was raising this exception:
```
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERRORldap2 is not connected (ldap2_140240602559056 in MainThread)
```

So, I created a connection first, then I check the domain level. 
If the domain level is 0 the connection is already created properly. If the 
domain level is not 0, then it should create using the ccache (how it was 
before). 

This PR fixes the error specified at the [bug 
#6549](https://pagure.io/freeipa/issue/6549), however it doesn't fix the entire 
ipa-replica-install process.  This is the output when running `sudo 
ipa-replica-install replica-info-vm-058-186.abc.idm.lab.eng.brq.redhat.com.gpg 
--skip-conncheck`

```
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Directory Manager (existing master) password: 

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server user
  [2/44]: creating directory server instance
  [3/44]: enabling ldapi
  [4/44]: configure autobind for root
  [5/44]: stopping directory server
  [6/44]: updating configuration in dse.ldif
  [7/44]: starting directory server
  [8/44]: adding default schema
  [9/44]: enabling memberof plugin
  [10/44]: enabling winsync plugin
  [11/44]: configuring replication version plugin
  [12/44]: enabling IPA enrollment plugin
  [13/44]: configuring uniqueness plugin
  [14/44]: configuring uuid plugin
  [15/44]: configuring modrdn plugin
  [16/44]: configuring DNS plugin
  [17/44]: enabling entryUSN plugin
  [18/44]: configuring lockout plugin
  [19/44]: configuring topology plugin
  [20/44]: creating indices
  [21/44]: enabling referential integrity plugin
  [22/44]: configuring TLS for DS instance
  [23/44]: configuring certmap.conf
  [24/44]: configure new location for managed entries
  [25/44]: configure dirsrv ccache
  [26/44]: enabling SASL mapping fallback
  [27/44]: restarting directory server
  [28/44]: creating DS keytab
  [29/44]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 6 seconds elapsed
Update succeeded

  [30/44]: adding sasl mappings to the directory
  [31/44]: updating schema
  [32/44]: setting Auto Member configuration
  [33/44]: enabling S4U2Proxy delegation
  [34/44]: importing CA certificates from LDAP
  [35/44]: initializing group membership
  [36/44]: adding master entry
  [37/44]: initializing domain level
  [38/44]: configuring Posix uid/gid generation
  [39/44]: adding replication acis
  [40/44]: enabling compatibility plugin
  [41/44]: activating sidgen plugin
  [42/44]: activating extdom plugin
  [43/44]: tuning directory server
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/4]: configuring KDC
  [2/4]: adding the password extension to the directory
  [3/4]: starting the KDC
  [4/4]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Restarting directory server to enable password extension plugin
Configuring the web interface (httpd)
  [1/22]: setting mod_nss port to 443
  [2/22]: setting mod_nss cipher suite
  [3/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/22]: setting mod_nss password file
  [5/22]: enabling mod_nss renegotiate
  [6/22]: adding URL rewriting rules
  [7/22]: configuring httpd
  [8/22]: setting up httpd keytab
  [9/22]: retrieving anonymous keytab
  [error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k 
/var/lib/ipa/api/anon.keytab -p WELLKNOWN/ANONYMOUS -H 
ldapi://%2fvar%2frun%2fslapd-DOM-133-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y 
EXTERNAL' returned non-zero exit status 9
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
Command '/usr/sbin/ipa-getkeytab -k /var/lib/ipa/api/anon.keytab -p 
WELLKNOWN/ANONYMOUS -H 
ldapi://%2fvar%2frun%2fslapd-DOM-133-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y 
EXTERNAL' returned non-zero exit status 9
ipa.ipapython.install

[Freeipa-devel] [freeipa PR#618][synchronized] [WIP] Tox testing support for client wheel packages

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
 Title: #618: [WIP] Tox testing support for client wheel packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/618/head:pr618
git checkout pr618
From 8d976a4c9f7f4ddf46e03ba9e7d99aa705e23ae6 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 17 Mar 2017 10:35:48 +0100
Subject: [PATCH 1/4] Constrain wheel package versions

The presence of IPA packages on PyPI revealed an interesting issue with
make wheel_bundle. pip gives final releases a higher precedence than our
development packages. make wheel_bundle downloads ipa 4.5.0 from PyPI
instead of using our own wheels.

Use a constraint file to enforce correct versions.

https://pagure.io/freeipa/issue/6468

Signed-off-by: Christian Heimes 
---
 .gitignore   |  1 +
 .wheelconstraints.in | 11 +++
 Makefile.am  | 19 ---
 3 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 .wheelconstraints.in

diff --git a/.gitignore b/.gitignore
index 7e78a93..90d7d23 100644
--- a/.gitignore
+++ b/.gitignore
@@ -66,6 +66,7 @@ freeipa2-dev-doc
 /rpmbuild/
 # Build
 /ipasetup.py
+/.wheelconstraints
 *.egg-info
 
 # Subdirectories
diff --git a/.wheelconstraints.in b/.wheelconstraints.in
new file mode 100644
index 000..eba4ec9
--- /dev/null
+++ b/.wheelconstraints.in
@@ -0,0 +1,11 @@
+# placeholder
+freeipa == @VERSION@
+ipa == @VERSION@
+# actual packages
+ipaclient == @VERSION@
+ipalib == @VERSION@
+ipaplatform == @VERSION@
+ipapython == @VERSION@
+ipaserver == @VERSION@
+ipatests == @VERSION@
+
diff --git a/Makefile.am b/Makefile.am
index df4e05a..af22315 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -34,6 +34,11 @@ ipasetup.py: ipasetup.py.in $(CONFIG_STATUS)
 		-e 's|@VERSION[@]|$(VERSION)|g'			\
 		$< > $@
 
+.wheelconstraints: .wheelconstraints.in $(CONFIG_STATUS)
+	$(AM_V_GEN)sed		\
+		-e 's|@VERSION[@]|$(VERSION)|g'			\
+		$< > $@
+
 EXTRA_DIST = .mailmap \
 	 ACI.txt \
 	 API.txt \
@@ -46,7 +51,8 @@ EXTRA_DIST = .mailmap \
 	 doc \
 	 freeipa.spec.in \
 	 ipasetup.py.in \
-	 pylintrc
+	 pylintrc \
+	 .wheelconstraints.in
 
 clean-local:
 	rm -rf "$(RPMBUILD)"
@@ -232,8 +238,15 @@ bdist_wheel: $(WHEELDISTDIR)
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
 
-wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel
-	$(PYTHON) -m pip wheel --wheel-dir $(WHEELBUNDLEDIR) $(WHEELDISTDIR)/*.whl
+wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel .wheelconstraints
+	rm -f $(foreach item,$(IPACLIENT_SUBDIRS),$(WHEELBUNDLEDIR)/$(item)-*.whl)
+	$(PYTHON) -m pip wheel \
+	--disable-pip-version-check \
+	--constraint .wheelconstraints \
+	--find-links $(WHEELDISTDIR) \
+	--find-links $(WHEELBUNDLEDIR) \
+	--wheel-dir $(WHEELBUNDLEDIR) \
+	$(IPACLIENT_SUBDIRS)
 
 wheel_placeholder: $(WHEELDISTDIR)
 	for dir in $(IPA_PLACEHOLDERS); do \

From 9212c59eeb4255f897763a831d35f6d7518cb0de Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH 2/4] tox testing support for client wheel packages

Signed-off-by: Christian Heimes 
---
 .gitignore   |  2 ++
 .tox-install.sh  | 72 
 Makefile.am  | 14 +++---
 configure.ac |  1 +
 ipatests/conftest.py |  1 -
 tox.ini  | 38 +++
 6 files changed, 123 insertions(+), 5 deletions(-)
 create mode 100755 .tox-install.sh
 create mode 100644 tox.ini

diff --git a/.gitignore b/.gitignore
index 90d7d23..8f4c2aa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,8 @@ freeipa2-dev-doc
 # Root directory
 /freeipa.spec
 /dist/
+/.tox/
+/.cache/
 /*/dist/
 /RELEASE
 /rpmbuild/
diff --git a/.tox-install.sh b/.tox-install.sh
new file mode 100755
index 000..ab4a4c5
--- /dev/null
+++ b/.tox-install.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+set -x
+
+PYTHON="$1"
+ENVSITEPACKAGESDIR="$2"
+# 3...end are package requirements
+shift 2
+
+TOXINIDIR="$(cd "$(dirname "$0")" && pwd)"
+
+# sanity checks
+if [ ! -x "${PYTHON}" ]; then
+echo "${PYTHON}: no such executable"
+exit 1
+fi
+
+if [ ! -d "${ENVSITEPACKAGESDIR}" ]; then
+echo "${ENVSITEPACKAGESDIR}: no such directory"
+exit 2
+fi
+
+if [ ! -f "${TOXINIDIR}/tox.ini" ]; then
+echo "${TOXINIDIR}: no such directory"
+exit 3
+fi
+
+# https://pip.pypa.io/en/stable/user_guide/#environment-variables
+export PIP_CACHE_DIR="${TOXINIDIR}/.tox/cache"
+mkdir -p "${PIP_CACHE_DIR}"
+
+DISTBUNDLE="${TOXINIDIR}/dist/bundle"
+mkdir -p "${DISTBUNDLE}"
+
+# create configure
+pushd "${TOXINIDIR}"
+if [ ! -f "configure" ]; then
+autoreconf -i -f
+fi
+# (re)create Makefile
+./configure --disable-server
+popd
+
+# copy pylint plugin
+cp "${TOXINIDIR}/pylint_plugins.py" "${ENVSITEPACKAGESDIR}"
+
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+PYTHON="${PYTHON}" \

[Freeipa-devel] [freeipa PR#618][synchronized] [WIP] Tox testing support for client wheel packages

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
 Title: #618: [WIP] Tox testing support for client wheel packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/618/head:pr618
git checkout pr618
From 8d976a4c9f7f4ddf46e03ba9e7d99aa705e23ae6 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 17 Mar 2017 10:35:48 +0100
Subject: [PATCH 1/3] Constrain wheel package versions

The presence of IPA packages on PyPI revealed an interesting issue with
make wheel_bundle. pip gives final releases a higher precedence than our
development packages. make wheel_bundle downloads ipa 4.5.0 from PyPI
instead of using our own wheels.

Use a constraint file to enforce correct versions.

https://pagure.io/freeipa/issue/6468

Signed-off-by: Christian Heimes 
---
 .gitignore   |  1 +
 .wheelconstraints.in | 11 +++
 Makefile.am  | 19 ---
 3 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 .wheelconstraints.in

diff --git a/.gitignore b/.gitignore
index 7e78a93..90d7d23 100644
--- a/.gitignore
+++ b/.gitignore
@@ -66,6 +66,7 @@ freeipa2-dev-doc
 /rpmbuild/
 # Build
 /ipasetup.py
+/.wheelconstraints
 *.egg-info
 
 # Subdirectories
diff --git a/.wheelconstraints.in b/.wheelconstraints.in
new file mode 100644
index 000..eba4ec9
--- /dev/null
+++ b/.wheelconstraints.in
@@ -0,0 +1,11 @@
+# placeholder
+freeipa == @VERSION@
+ipa == @VERSION@
+# actual packages
+ipaclient == @VERSION@
+ipalib == @VERSION@
+ipaplatform == @VERSION@
+ipapython == @VERSION@
+ipaserver == @VERSION@
+ipatests == @VERSION@
+
diff --git a/Makefile.am b/Makefile.am
index df4e05a..af22315 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -34,6 +34,11 @@ ipasetup.py: ipasetup.py.in $(CONFIG_STATUS)
 		-e 's|@VERSION[@]|$(VERSION)|g'			\
 		$< > $@
 
+.wheelconstraints: .wheelconstraints.in $(CONFIG_STATUS)
+	$(AM_V_GEN)sed		\
+		-e 's|@VERSION[@]|$(VERSION)|g'			\
+		$< > $@
+
 EXTRA_DIST = .mailmap \
 	 ACI.txt \
 	 API.txt \
@@ -46,7 +51,8 @@ EXTRA_DIST = .mailmap \
 	 doc \
 	 freeipa.spec.in \
 	 ipasetup.py.in \
-	 pylintrc
+	 pylintrc \
+	 .wheelconstraints.in
 
 clean-local:
 	rm -rf "$(RPMBUILD)"
@@ -232,8 +238,15 @@ bdist_wheel: $(WHEELDISTDIR)
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
 
-wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel
-	$(PYTHON) -m pip wheel --wheel-dir $(WHEELBUNDLEDIR) $(WHEELDISTDIR)/*.whl
+wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel .wheelconstraints
+	rm -f $(foreach item,$(IPACLIENT_SUBDIRS),$(WHEELBUNDLEDIR)/$(item)-*.whl)
+	$(PYTHON) -m pip wheel \
+	--disable-pip-version-check \
+	--constraint .wheelconstraints \
+	--find-links $(WHEELDISTDIR) \
+	--find-links $(WHEELBUNDLEDIR) \
+	--wheel-dir $(WHEELBUNDLEDIR) \
+	$(IPACLIENT_SUBDIRS)
 
 wheel_placeholder: $(WHEELDISTDIR)
 	for dir in $(IPA_PLACEHOLDERS); do \

From 9212c59eeb4255f897763a831d35f6d7518cb0de Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH 2/3] tox testing support for client wheel packages

Signed-off-by: Christian Heimes 
---
 .gitignore   |  2 ++
 .tox-install.sh  | 72 
 Makefile.am  | 14 +++---
 configure.ac |  1 +
 ipatests/conftest.py |  1 -
 tox.ini  | 38 +++
 6 files changed, 123 insertions(+), 5 deletions(-)
 create mode 100755 .tox-install.sh
 create mode 100644 tox.ini

diff --git a/.gitignore b/.gitignore
index 90d7d23..8f4c2aa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,8 @@ freeipa2-dev-doc
 # Root directory
 /freeipa.spec
 /dist/
+/.tox/
+/.cache/
 /*/dist/
 /RELEASE
 /rpmbuild/
diff --git a/.tox-install.sh b/.tox-install.sh
new file mode 100755
index 000..ab4a4c5
--- /dev/null
+++ b/.tox-install.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+set -x
+
+PYTHON="$1"
+ENVSITEPACKAGESDIR="$2"
+# 3...end are package requirements
+shift 2
+
+TOXINIDIR="$(cd "$(dirname "$0")" && pwd)"
+
+# sanity checks
+if [ ! -x "${PYTHON}" ]; then
+echo "${PYTHON}: no such executable"
+exit 1
+fi
+
+if [ ! -d "${ENVSITEPACKAGESDIR}" ]; then
+echo "${ENVSITEPACKAGESDIR}: no such directory"
+exit 2
+fi
+
+if [ ! -f "${TOXINIDIR}/tox.ini" ]; then
+echo "${TOXINIDIR}: no such directory"
+exit 3
+fi
+
+# https://pip.pypa.io/en/stable/user_guide/#environment-variables
+export PIP_CACHE_DIR="${TOXINIDIR}/.tox/cache"
+mkdir -p "${PIP_CACHE_DIR}"
+
+DISTBUNDLE="${TOXINIDIR}/dist/bundle"
+mkdir -p "${DISTBUNDLE}"
+
+# create configure
+pushd "${TOXINIDIR}"
+if [ ! -f "configure" ]; then
+autoreconf -i -f
+fi
+# (re)create Makefile
+./configure --disable-server
+popd
+
+# copy pylint plugin
+cp "${TOXINIDIR}/pylint_plugins.py" "${ENVSITEPACKAGESDIR}"
+
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+PYTHON="${PYTHON}" \

[Freeipa-devel] [freeipa PR#619][opened] pytest 3.x compatibility

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/619
Author: tiran
 Title: #619: pytest 3.x compatibility
Action: opened

PR body:
"""
pytest 3.x does no longer support plain pytest.skip() on module level.

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/619/head:pr619
git checkout pr619
From 3e2ad3b16f1a12aaba768811143f12b8a042b896 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 17 Mar 2017 18:20:38 +0100
Subject: [PATCH] pytest 3.x compatibility

pytest 3.x does no longer support plain pytest.skip() on module level.

Signed-off-by: Christian Heimes 
---
 ipatests/test_cmdline/__init__.py |  6 ++
 ipatests/test_install/__init__.py |  5 ++---
 ipatests/test_integration/__init__.py |  5 ++---
 ipatests/test_ipaserver/__init__.py   |  6 ++
 ipatests/test_webui/__init__.py   |  5 ++---
 ipatests/test_xmlrpc/__init__.py  |  5 ++---
 ipatests/util.py  | 14 ++
 7 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/ipatests/test_cmdline/__init__.py b/ipatests/test_cmdline/__init__.py
index af8867e..52eb23e 100644
--- a/ipatests/test_cmdline/__init__.py
+++ b/ipatests/test_cmdline/__init__.py
@@ -1,9 +1,7 @@
 #
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
+import ipatests.util
 
-import pytest
 
-
-if pytest.config.getoption('ipaclient_unittests', False):
-pytest.skip("Skip in ipaclient unittest mode")
+ipatests.util.check_ipaclient_unittests()
diff --git a/ipatests/test_install/__init__.py b/ipatests/test_install/__init__.py
index 54ef9eb..1d5fd0b 100644
--- a/ipatests/test_install/__init__.py
+++ b/ipatests/test_install/__init__.py
@@ -20,8 +20,7 @@
 """
 Package containing LDAP updates unit tests.
 """
-import pytest
+import ipatests.util
 
 
-if pytest.config.getoption('ipaclient_unittests', False):
-pytest.skip("Skip in ipaclient unittest mode")
+ipatests.util.check_ipaclient_unittests()
diff --git a/ipatests/test_integration/__init__.py b/ipatests/test_integration/__init__.py
index 8779f2f..2b4d535 100644
--- a/ipatests/test_integration/__init__.py
+++ b/ipatests/test_integration/__init__.py
@@ -16,8 +16,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
-import pytest
+import ipatests.util
 
 
-if pytest.config.getoption('ipaclient_unittests', False):
-pytest.skip("Skip in ipaclient unittest mode")
+ipatests.util.check_ipaclient_unittests()
diff --git a/ipatests/test_ipaserver/__init__.py b/ipatests/test_ipaserver/__init__.py
index 76942c7..22d36ea 100644
--- a/ipatests/test_ipaserver/__init__.py
+++ b/ipatests/test_ipaserver/__init__.py
@@ -20,9 +20,7 @@
 """
 Sub-package containing unit tests for `ipaserver` package.
 """
+import ipatests.util
 
-import pytest
 
-
-if pytest.config.getoption('ipaclient_unittests', False):
-pytest.skip("Skip in ipaclient unittest mode")
+ipatests.util.check_ipaclient_unittests()
diff --git a/ipatests/test_webui/__init__.py b/ipatests/test_webui/__init__.py
index cb2f361..3f1b63a 100644
--- a/ipatests/test_webui/__init__.py
+++ b/ipatests/test_webui/__init__.py
@@ -20,8 +20,7 @@
 """
 Sub-package containing Web UI integration tests
 """
-import pytest
+import ipatests.util
 
 
-if pytest.config.getoption('ipaclient_unittests', False):
-pytest.skip("Skip in ipaclient unittest mode")
+ipatests.util.check_ipaclient_unittests()
diff --git a/ipatests/test_xmlrpc/__init__.py b/ipatests/test_xmlrpc/__init__.py
index 720c61b..0ee42fb 100644
--- a/ipatests/test_xmlrpc/__init__.py
+++ b/ipatests/test_xmlrpc/__init__.py
@@ -20,8 +20,7 @@
 """
 Sub-package containing unit tests for `xmlrpc` package.
 """
-import pytest
+import ipatests.util
 
 
-if pytest.config.getoption('ipaclient_unittests', False):
-pytest.skip("Skip in ipaclient unittest mode")
+ipatests.util.check_ipaclient_unittests()
diff --git a/ipatests/util.py b/ipatests/util.py
index 4379c30..92c47c2 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -61,6 +61,20 @@
 unicode = str
 
 
+PYTEST_VERSION = tuple(int(v) for v in pytest.__version__.split('.'))
+
+
+def check_ipaclient_unittests(reason="Skip in ipaclient unittest mode"):
+"""Call this in a package to skip the package in ipaclient-unittest mode
+"""
+if pytest.config.getoption('ipaclient_unittests', False):
+if PYTEST_VERSION[0] >= 3:
+# pytest 3+ does no longer allow pytest.skip() on module leve
+raise pytest.skip.Exception(reason, allow_module_level=True)
+else:
+raise pytest.skip(reason)
+
+
 class TempDir(object):
 def __init__(self):
 self.__path = tempfile.mkdtemp(prefix='ipa.tests.')
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/pag

[Freeipa-devel] [freeipa PR#618][opened] [WIP] Tox testing support for client wheel packages

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
 Title: #618: [WIP] Tox testing support for client wheel packages
Action: opened

PR body:
"""
Depends on PR #613
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/618/head:pr618
git checkout pr618
From 8d976a4c9f7f4ddf46e03ba9e7d99aa705e23ae6 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 17 Mar 2017 10:35:48 +0100
Subject: [PATCH 1/2] Constrain wheel package versions

The presence of IPA packages on PyPI revealed an interesting issue with
make wheel_bundle. pip gives final releases a higher precedence than our
development packages. make wheel_bundle downloads ipa 4.5.0 from PyPI
instead of using our own wheels.

Use a constraint file to enforce correct versions.

https://pagure.io/freeipa/issue/6468

Signed-off-by: Christian Heimes 
---
 .gitignore   |  1 +
 .wheelconstraints.in | 11 +++
 Makefile.am  | 19 ---
 3 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 .wheelconstraints.in

diff --git a/.gitignore b/.gitignore
index 7e78a93..90d7d23 100644
--- a/.gitignore
+++ b/.gitignore
@@ -66,6 +66,7 @@ freeipa2-dev-doc
 /rpmbuild/
 # Build
 /ipasetup.py
+/.wheelconstraints
 *.egg-info
 
 # Subdirectories
diff --git a/.wheelconstraints.in b/.wheelconstraints.in
new file mode 100644
index 000..eba4ec9
--- /dev/null
+++ b/.wheelconstraints.in
@@ -0,0 +1,11 @@
+# placeholder
+freeipa == @VERSION@
+ipa == @VERSION@
+# actual packages
+ipaclient == @VERSION@
+ipalib == @VERSION@
+ipaplatform == @VERSION@
+ipapython == @VERSION@
+ipaserver == @VERSION@
+ipatests == @VERSION@
+
diff --git a/Makefile.am b/Makefile.am
index df4e05a..af22315 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -34,6 +34,11 @@ ipasetup.py: ipasetup.py.in $(CONFIG_STATUS)
 		-e 's|@VERSION[@]|$(VERSION)|g'			\
 		$< > $@
 
+.wheelconstraints: .wheelconstraints.in $(CONFIG_STATUS)
+	$(AM_V_GEN)sed		\
+		-e 's|@VERSION[@]|$(VERSION)|g'			\
+		$< > $@
+
 EXTRA_DIST = .mailmap \
 	 ACI.txt \
 	 API.txt \
@@ -46,7 +51,8 @@ EXTRA_DIST = .mailmap \
 	 doc \
 	 freeipa.spec.in \
 	 ipasetup.py.in \
-	 pylintrc
+	 pylintrc \
+	 .wheelconstraints.in
 
 clean-local:
 	rm -rf "$(RPMBUILD)"
@@ -232,8 +238,15 @@ bdist_wheel: $(WHEELDISTDIR)
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
 
-wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel
-	$(PYTHON) -m pip wheel --wheel-dir $(WHEELBUNDLEDIR) $(WHEELDISTDIR)/*.whl
+wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel .wheelconstraints
+	rm -f $(foreach item,$(IPACLIENT_SUBDIRS),$(WHEELBUNDLEDIR)/$(item)-*.whl)
+	$(PYTHON) -m pip wheel \
+	--disable-pip-version-check \
+	--constraint .wheelconstraints \
+	--find-links $(WHEELDISTDIR) \
+	--find-links $(WHEELBUNDLEDIR) \
+	--wheel-dir $(WHEELBUNDLEDIR) \
+	$(IPACLIENT_SUBDIRS)
 
 wheel_placeholder: $(WHEELDISTDIR)
 	for dir in $(IPA_PLACEHOLDERS); do \

From 05d3e829eb773f00412f4898bfba6b50773195f4 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH 2/2] tox testing support for client wheel packages

Signed-off-by: Christian Heimes 
---
 .gitignore   |  2 ++
 .tox-install.sh  | 72 
 Makefile.am  | 14 +++---
 configure.ac |  1 +
 ipatests/conftest.py |  1 -
 tox.ini  | 42 ++
 6 files changed, 127 insertions(+), 5 deletions(-)
 create mode 100755 .tox-install.sh
 create mode 100644 tox.ini

diff --git a/.gitignore b/.gitignore
index 90d7d23..8f4c2aa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,8 @@ freeipa2-dev-doc
 # Root directory
 /freeipa.spec
 /dist/
+/.tox/
+/.cache/
 /*/dist/
 /RELEASE
 /rpmbuild/
diff --git a/.tox-install.sh b/.tox-install.sh
new file mode 100755
index 000..ab4a4c5
--- /dev/null
+++ b/.tox-install.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+set -x
+
+PYTHON="$1"
+ENVSITEPACKAGESDIR="$2"
+# 3...end are package requirements
+shift 2
+
+TOXINIDIR="$(cd "$(dirname "$0")" && pwd)"
+
+# sanity checks
+if [ ! -x "${PYTHON}" ]; then
+echo "${PYTHON}: no such executable"
+exit 1
+fi
+
+if [ ! -d "${ENVSITEPACKAGESDIR}" ]; then
+echo "${ENVSITEPACKAGESDIR}: no such directory"
+exit 2
+fi
+
+if [ ! -f "${TOXINIDIR}/tox.ini" ]; then
+echo "${TOXINIDIR}: no such directory"
+exit 3
+fi
+
+# https://pip.pypa.io/en/stable/user_guide/#environment-variables
+export PIP_CACHE_DIR="${TOXINIDIR}/.tox/cache"
+mkdir -p "${PIP_CACHE_DIR}"
+
+DISTBUNDLE="${TOXINIDIR}/dist/bundle"
+mkdir -p "${DISTBUNDLE}"
+
+# create configure
+pushd "${TOXINIDIR}"
+if [ ! -f "configure" ]; then
+autoreconf -i -f
+fi
+# (re)create Makefile
+./configure --disable-server
+popd
+
+# copy pylint plugin
+cp "${TOXINIDIR}/pylint_plugins.py" "${ENVSITEPACKAGESDIR}"
+
+# build packages and bundles
+make -C "${TOXIN

Re: [Freeipa-devel] [TESTING] Please test and add karma to pki-core-10.4.0-1

[Matthew Harmsen]

On 03/17/2017 10:02 AM, Lukas Slebodnik wrote:

On (17/03/17 12:14), Martin Babinsky wrote:

A new update for Dogtag PKI (pki-core-10.4.0-1.fc25) landed it Fedora 25
updates-testing yesterday.[1]


It was also pushed to fedora26
https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cc27242c1


I have already provided negative karma as the update broke CA clone deployment
on FreeIPA replica install.

It would be nice if you could test it and provide +1/-1 ASAP so that we can
push it out before it hits stable and give Matthew a change to privode fixes.


The fastest will be if it will be unpushed by fedora maintainer
Adding mharmsen to CC.

LS


Lukas and Martin,

After speaking with some members of the PKI team, I have unpushed both 
the F25 and F26 builds from Bodhi.


The following unresolved issues on cloning were documented in:

 * dogtagpki Pagure Issue #2336 - IPA Replica CA configuration failed
   Clone does not have all the required certificates
   

Was this the same cloning failure that you were seeing?

If not, please file a detailed Pagure Issue describing the failure 
complete with log attachment.


As for the vault issue, we may have an idea on this as the code in that 
area has been changing.


Thanks,
-- Matt

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#613][synchronized] Constrain wheel package versions

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/613
Author: tiran
 Title: #613: Constrain wheel package versions
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/613/head:pr613
git checkout pr613
From 8d976a4c9f7f4ddf46e03ba9e7d99aa705e23ae6 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 17 Mar 2017 10:35:48 +0100
Subject: [PATCH] Constrain wheel package versions

The presence of IPA packages on PyPI revealed an interesting issue with
make wheel_bundle. pip gives final releases a higher precedence than our
development packages. make wheel_bundle downloads ipa 4.5.0 from PyPI
instead of using our own wheels.

Use a constraint file to enforce correct versions.

https://pagure.io/freeipa/issue/6468

Signed-off-by: Christian Heimes 
---
 .gitignore   |  1 +
 .wheelconstraints.in | 11 +++
 Makefile.am  | 19 ---
 3 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 .wheelconstraints.in

diff --git a/.gitignore b/.gitignore
index 7e78a93..90d7d23 100644
--- a/.gitignore
+++ b/.gitignore
@@ -66,6 +66,7 @@ freeipa2-dev-doc
 /rpmbuild/
 # Build
 /ipasetup.py
+/.wheelconstraints
 *.egg-info
 
 # Subdirectories
diff --git a/.wheelconstraints.in b/.wheelconstraints.in
new file mode 100644
index 000..eba4ec9
--- /dev/null
+++ b/.wheelconstraints.in
@@ -0,0 +1,11 @@
+# placeholder
+freeipa == @VERSION@
+ipa == @VERSION@
+# actual packages
+ipaclient == @VERSION@
+ipalib == @VERSION@
+ipaplatform == @VERSION@
+ipapython == @VERSION@
+ipaserver == @VERSION@
+ipatests == @VERSION@
+
diff --git a/Makefile.am b/Makefile.am
index df4e05a..af22315 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -34,6 +34,11 @@ ipasetup.py: ipasetup.py.in $(CONFIG_STATUS)
 		-e 's|@VERSION[@]|$(VERSION)|g'			\
 		$< > $@
 
+.wheelconstraints: .wheelconstraints.in $(CONFIG_STATUS)
+	$(AM_V_GEN)sed		\
+		-e 's|@VERSION[@]|$(VERSION)|g'			\
+		$< > $@
+
 EXTRA_DIST = .mailmap \
 	 ACI.txt \
 	 API.txt \
@@ -46,7 +51,8 @@ EXTRA_DIST = .mailmap \
 	 doc \
 	 freeipa.spec.in \
 	 ipasetup.py.in \
-	 pylintrc
+	 pylintrc \
+	 .wheelconstraints.in
 
 clean-local:
 	rm -rf "$(RPMBUILD)"
@@ -232,8 +238,15 @@ bdist_wheel: $(WHEELDISTDIR)
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
 
-wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel
-	$(PYTHON) -m pip wheel --wheel-dir $(WHEELBUNDLEDIR) $(WHEELDISTDIR)/*.whl
+wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel .wheelconstraints
+	rm -f $(foreach item,$(IPACLIENT_SUBDIRS),$(WHEELBUNDLEDIR)/$(item)-*.whl)
+	$(PYTHON) -m pip wheel \
+	--disable-pip-version-check \
+	--constraint .wheelconstraints \
+	--find-links $(WHEELDISTDIR) \
+	--find-links $(WHEELBUNDLEDIR) \
+	--wheel-dir $(WHEELBUNDLEDIR) \
+	$(IPACLIENT_SUBDIRS)
 
 wheel_placeholder: $(WHEELDISTDIR)
 	for dir in $(IPA_PLACEHOLDERS); do \
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [TESTING] Please test and add karma to pki-core-10.4.0-1

[Lukas Slebodnik]

On (17/03/17 12:14), Martin Babinsky wrote:
>A new update for Dogtag PKI (pki-core-10.4.0-1.fc25) landed it Fedora 25
>updates-testing yesterday.[1]
>
It was also pushed to fedora26
https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cc27242c1

>I have already provided negative karma as the update broke CA clone deployment
>on FreeIPA replica install.
>
>It would be nice if you could test it and provide +1/-1 ASAP so that we can
>push it out before it hits stable and give Matthew a change to privode fixes.
>
The fastest will be if it will be unpushed by fedora maintainer
Adding mharmsen to CC.

LS

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#593][comment] Add make patchcheck for developers

[tiran]

  URL: https://github.com/freeipa/freeipa/pull/593
Title: #593: Add make patchcheck for developers 

tiran commented:
"""
All dependencies have been merged. PR is ready for review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/593#issuecomment-287372325
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#593][synchronized] Add make patchcheck for developers

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/593
Author: tiran
 Title: #593: Add make patchcheck for developers 
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/593/head:pr593
git checkout pr593
From 3c67b4314fb4a4dbe521d612862cc8937cebc4a7 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 15 Mar 2017 08:31:38 +0100
Subject: [PATCH] Add make patchcheck for developers

Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversal, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.

`make patchcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as pre-commit check. It combines several
additional checks under a single, easy rememberable and convenient make
target:

* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes 
---
 Makefile.am  | 31 ++-
 configure.ac | 12 
 ipatests/util.py | 28 ++--
 3 files changed, 56 insertions(+), 15 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index df4e05a..024ea4c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -146,6 +146,35 @@ JSLINT_TARGET = jslint
 endif WITH_JSLINT
 lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
 
+.PHONY: patchcheck
+patchcheck: all
+if ! WITH_POLINT
+	@echo "ERROR: polint not available"; exit 1
+endif
+if ! WITH_PYLINT
+	@echo "ERROR: pylint not available"; exit 1
+endif
+if ! WITH_JSLINT
+	@echo "ERROR: jslint not available"; exit 1
+endif
+if ! WITH_PYTHON2
+	@echo "ERROR: python2 not available"; exit 1
+endif
+	@ # run all linters, tests, and check with Python 2
+	PYTHONPATH=$(top_srcdir) $(PYTHON2) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint jslint check
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) pylint
+if WITH_PYTHON3
+	@ # just tests and pylint on Python 3
+	PYTHONPATH=$(top_srcdir) $(PYTHON3) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) pylint
+else
+	@echo "WARNING: python3 not available"
+endif
+	@echo "All tests passed."
+
 .PHONY: $(top_builddir)/ipapython/version.py
 $(top_builddir)/ipapython/version.py:
 	(cd $(top_builddir)/ipapython && make version.py)
@@ -182,7 +211,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-name '*~' -o \
 		-name '*.py' -print -o \
 		-type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
-	echo "Pylint is running, please wait ..."; \
+	echo "Pylint on $(PYTHON) is running, please wait ..."; \
 	PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
 		--rcfile=$(top_srcdir)/pylintrc \
 		--load-plugins pylint_plugins \
diff --git a/configure.ac b/configure.ac
index 2d84426..b1a0c28 100644
--- a/configure.ac
+++ b/configure.ac
@@ -111,6 +111,18 @@ if test "x$PYTHON" = "x" ; then
 fi
 
 dnl ---
+dnl - Check for Python 2/3 for patchcheck
+dnl ---
+
+AC_PATH_PROG(PYTHON2, python2)
+AC_SUBST([PYTHON2])
+AM_CONDITIONAL([WITH_PYTHON2], [test "x${PYTHON2}" != "x"])
+
+AC_PATH_PROG(PYTHON3, python3)
+AC_SUBST([PYTHON3])
+AM_CONDITIONAL([WITH_PYTHON3], [test "x${PYTHON3}" != "x"])
+
+dnl ---
 dnl - Check for cmocka unit test framework http://cmocka.cryptomilk.org/
 dnl ---
 PKG_CHECK_EXISTS(cmocka,
diff --git a/ipatests/util.py b/ipatests/util.py
index 4379c30..0e7d2b8 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -178,9 +178,9 @@ class Fuzzy(object):
 Use of a regular expression by default implies the ``unicode`` type, so
 comparing with an ``str`` instance will evaluate to ``False``:
 
->>> phone.type
-
->>> '123-456-7890' == phone
+>>> phone.type is six.text_type
+True
+>>> b'123-456-7890' == phone
 False
 
 The *type* kwarg allows you to specify a type constraint, so you can force
@@ -220,15 +220,15 @@ class Fuzzy(object):
 >>> fuzzy = Fuzzy('.+', type=str, test=lambda other: True)
 >>> fuzzy.regex
 '.+'
->>> fuzzy.type
-
+>>> fuzzy.type is str
+True
 >>> fuzzy.test  # doctest:+ELLIPSIS
  at 0x...>
 
 To aid debugging, `Fuzzy.__repr__()` reveals these kwargs as well:
 
 >>> fuzzy  # doctest:+ELLIPSIS
-Fuzzy('.+', ,  at 0x...>)
+Fuzzy('.+', <... 'str'>,  at 0x...>)
 """
 
 def __init__(self, regex=None, type=None, test=None):
@@ -328,20 +328,20 @@ def assert_deepequal(expected, got, doc='', stack=tuple()):
 If the tests fails, it will raise an ``AssertionEr

[Freeipa-devel] [freeipa PR#470][synchronized] WebUI: Size limit warning on details pages fixed

[pvomacka]

   URL: https://github.com/freeipa/freeipa/pull/470
Author: pvomacka
 Title: #470: WebUI: Size limit warning on details pages fixed
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/470/head:pr470
git checkout pr470
From a3c4870a3af2a589df29ce53fb44334bd42c51d8 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Fri, 17 Mar 2017 15:10:42 +0100
Subject: [PATCH 1/2] WebUI: Add support for suppressing warnings

Each command can have specified an array of warning codes which will
be suppressed and won't be shown.

For specifying this it is necessary to set command property
'supressed_warnings: [codes_of_warning]'

Part of: https://pagure.io/freeipa/issue/6618
---
 install/ui/src/freeipa/rpc.js | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/install/ui/src/freeipa/rpc.js b/install/ui/src/freeipa/rpc.js
index 7ae1b64..72e1f30 100644
--- a/install/ui/src/freeipa/rpc.js
+++ b/install/ui/src/freeipa/rpc.js
@@ -72,6 +72,12 @@ rpc.command = function(spec) {
 that.options = $.extend({}, spec.options || {});
 
 /**
+ * @property {Array} suppress_warnings array of message codes which
+ * are suppressed
+ */
+that.suppress_warnings = spec.suppress_warnings || [];
+
+/**
  * Success handler
  * @property {Function}
  * @param {Object} data
@@ -219,6 +225,7 @@ rpc.command = function(spec) {
 
 for (var i=0,l=msgs.length; i -1) break;
 // escape and reformat message
 msg.message = util.beautify_message(msg.message);
 IPA.notify(msg.message, msg.type);

From b9e94b1d700b8c166b4fcdce559f0dbad5cd798d Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Fri, 17 Mar 2017 15:10:49 +0100
Subject: [PATCH 2/2] WebUI: suppress truncation warning in select widget

This widget is used on details pages and dialogs. When the size limit
is set to lower number the warning about truncation was shown every time
the details page was open.

Now, with support for suppressing warning messages from server according
to its code, we are able to disable warning with 13017 code (truncation
warning)

https://pagure.io/freeipa/issue/6618
---
 install/ui/src/freeipa/widget.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 223b449..b7a6504 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -5012,7 +5012,8 @@ IPA.entity_select_widget = function(spec) {
 entity: that.other_entity.name,
 method: 'find',
 args: [filter],
-options: that.filter_options
+options: that.filter_options,
+suppress_warnings: [13017]
 });
 var no_members = metadata.get('@mc-opt:' + cmd.get_command() + ':no_members');
 if (no_members) {
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#475][+pushed] Add options to run only ipaclient unittests

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

martbab commented:
"""
master:

* fd1b4f6ec9a349196d5df510008c4745f0b1fb84 Add options to run only ipaclient 
unittests
ipa-4-5:

* 29b885a8fac82e963f5ab98d178e81854056930e Add options to run only ipaclient 
unittests
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/475#issuecomment-287362273
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#475][closed] Add options to run only ipaclient unittests

[martbab]

   URL: https://github.com/freeipa/freeipa/pull/475
Author: tiran
 Title: #475: Add options to run only ipaclient unittests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/475/head:pr475
git checkout pr475
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo rules

[abbra]

  URL: https://github.com/freeipa/freeipa/pull/617
Title: #617: Allow renaming of sudo rules

abbra commented:
"""
I don't like it is done on the client side. This will not work for Web UI, for 
example.
Additionally, no validation of cn={newname} is here to be a single value RDN. 
If we add this as --setattr, we probably want to return meaningful error, not a 
general --setattr error.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/617#issuecomment-287358727
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#475][+ack] Add options to run only ipaclient unittests

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#617][opened] Allow renaming of sudo rules

[stlaz]

   URL: https://github.com/freeipa/freeipa/pull/617
Author: stlaz
 Title: #617: Allow renaming of sudo rules
Action: opened

PR body:
"""
This simple hack adds a rename option to client side sudorule-mod
command.

https://pagure.io/freeipa/issue/2466
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/617/head:pr617
git checkout pr617
From b3a69f71a7e6edef7792be6efa51dfd62edff820 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 16 Mar 2017 16:22:52 +0100
Subject: [PATCH] Allow renaming of sudo rules

This simple hack adds a rename option to client side sudorule-mod
command.

https://pagure.io/freeipa/issue/2466
---
 ipaclient/plugins/sudorule.py | 22 ++
 1 file changed, 22 insertions(+)

diff --git a/ipaclient/plugins/sudorule.py b/ipaclient/plugins/sudorule.py
index a876280..679ffe9 100644
--- a/ipaclient/plugins/sudorule.py
+++ b/ipaclient/plugins/sudorule.py
@@ -20,6 +20,7 @@
 from ipaclient.frontend import MethodOverride
 from ipalib.plugable import Registry
 from ipalib import _
+from ipalib.parameters import Str
 
 register = Registry()
 
@@ -55,3 +56,24 @@ def output_for_cli(self, textui, result, cn, **options):
   % dict(option=options['ipasudoopt'], rule=cn))
 super(sudorule_remove_option, self).output_for_cli(textui, result, cn,
**options)
+
+
+@register(override=True, no_fail=True)
+class sudorule_mod(MethodOverride):
+takes_options = (
+Str('rename',
+cli_name='rename',
+required=False,
+label=_('Rename'),
+doc=_('Rename the sudorule object')
+)
+)
+
+def forward(self, *options, **args):
+if 'rename' in args:
+rename_str = u'cn={newname}'.format(newname=args['rename'])
+set_opt = args.get('setattr', [])
+set_opt.append(rename_str)
+args['setattr'] = set_opt
+del args['rename']
+return super(sudorule_mod, self).forward(*options, **args)
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#616][synchronized] Simplify KRA transport cert cache

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/616
Author: tiran
 Title: #616: Simplify KRA transport cert cache
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/616/head:pr616
git checkout pr616
From 3aa2cf9ead8af29bfd7d64176e000ad2a4e7cbcd Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 17 Mar 2017 10:44:38 +0100
Subject: [PATCH] Simplify KRA transport cert cache

In-memory cache causes problem in forking servers. A file based cache is
good enough. It's easier to understand and avoids performance regression
and synchronization issues when cert becomes out-of-date.

Signed-off-by: Christian Heimes 
---
 ipaclient/plugins/vault.py | 103 -
 1 file changed, 55 insertions(+), 48 deletions(-)

diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index d677ec0..3fb4900 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -20,7 +20,6 @@
 from __future__ import print_function
 
 import base64
-import collections
 import errno
 import getpass
 import io
@@ -558,74 +557,79 @@ def forward(self, *args, **options):
 return response
 
 
-class _TransportCertCache(collections.MutableMapping):
+class _TransportCertCache(object):
 def __init__(self):
 self._dirname = os.path.join(
-USER_CACHE_PATH, 'ipa', 'kra-transport-certs')
-self._transport_certs = {}
+USER_CACHE_PATH, 'ipa', 'kra-transport-certs'
+)
 
 def _get_filename(self, domain):
 basename = DNSName(domain).ToASCII() + '.pem'
 return os.path.join(self._dirname, basename)
 
-def __getitem__(self, domain):
-try:
-transport_cert = self._transport_certs[domain]
-except KeyError:
-transport_cert = None
+def load_cert(self, domain):
+"""Load cert from cache
 
-filename = self._get_filename(domain)
+:param domain: IPA domain
+:return: cryptography.x509.Certificate or None
+"""
+filename = self._get_filename(domain)
+try:
 try:
-try:
-transport_cert = x509.load_certificate_from_file(filename)
-except EnvironmentError as e:
-if e.errno != errno.ENOENT:
-raise
-except Exception:
-logger.warning("Failed to load %s: %s", filename,
-   exc_info=True)
-
-if transport_cert is None:
-raise KeyError(domain)
-
-self._transport_certs[domain] = transport_cert
+return x509.load_certificate_from_file(filename)
+except EnvironmentError as e:
+if e.errno != errno.ENOENT:
+raise
+except Exception:
+logger.warning("Failed to load %s", filename, exc_info=True)
 
-return transport_cert
+def store_cert(self, domain, transport_cert):
+"""Store a new cert or override existing cert
 
-def __setitem__(self, domain, transport_cert):
+:param domain: IPA domain
+:param transport_cert: cryptography.x509.Certificate
+:return: True if cert was stored successfully
+"""
 filename = self._get_filename(domain)
-transport_cert_der = (
-transport_cert.public_bytes(serialization.Encoding.DER))
+pem = transport_cert.public_bytes(serialization.Encoding.PEM)
 try:
 try:
 os.makedirs(self._dirname)
 except EnvironmentError as e:
 if e.errno != errno.EEXIST:
 raise
-fd, tmpfilename = tempfile.mkstemp(dir=self._dirname)
-os.close(fd)
-x509.write_certificate(transport_cert_der, tmpfilename)
-os.rename(tmpfilename, filename)
+with tempfile.NamedTemporaryFile(dir=self._dirname, delete=False,
+ mode='wb') as f:
+try:
+f.write(pem)
+f.flush()
+os.fdatasync(f.fileno())
+f.close()
+os.rename(f.name, filename)
+except Exception:
+os.unlink(f.name)
+raise
 except Exception:
 logger.warning("Failed to save %s", filename, exc_info=True)
+return False
+else:
+return True
 
-self._transport_certs[domain] = transport_cert
+def remove_cert(self, domain):
+"""Remove a cert from cache, ignores errors
 
-def __delitem__(self, domain):
+:param domain: IPA domain
+:return: True if cert was found and removed
+"""
 filename = self._get_filename(domain)
 try:
 os.unlink(filename)
 except EnvironmentError

[Freeipa-devel] [freeipa PR#608][comment] tasks: run `systemctl daemon-reload` after httpd.service.d updates

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/608
Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates

martbab commented:
"""
Hmmm I just caught a following error during FreeIPA replica uninstall:

```console[root@replica1 ~]# ipa-server-install --uninstall -U
Updating DNS system records
--
Deleted IPA server "replica1.ipa.test"
--
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring web server
ipa : ERRORCommand '/bin/systemctl restart httpd.service' returned 
non-zero exit status 1
```

see the excerpt of the uninstall log here: 
https://paste.fedoraproject.org/paste/TcHWFTK-TwNhO0v6~BBMG15M1UNdIGYhyRLivL9gydE=/

It looks like we need another daemon-reload in the Apache uninstallation. 
Although I don't see any reason to add it, it looks like some restore 
operations make systemd unhappy.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/608#issuecomment-287329708
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#608][-ack] tasks: run `systemctl daemon-reload` after httpd.service.d updates

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/608
Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates

Label: -ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [TESTING] Please test and add karma to pki-core-10.4.0-1

[Martin Babinsky]

A new update for Dogtag PKI (pki-core-10.4.0-1.fc25) landed it Fedora 25
updates-testing yesterday.[1]

I have already provided negative karma as the update broke CA clone deployment
on FreeIPA replica install.

It would be nice if you could test it and provide +1/-1 ASAP so that we can
push it out before it hits stable and give Matthew a change to privode fixes.

I would also like to ask PKI developers to not hesitate to approach us to
provide early feedback to the new updates and/or set up  some sort of CI for
them if possible.

[1] https://bodhi.fedoraproject.org/updates/FEDORA-2017-9c6007b406 

-- 
Martin Babinsky

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#616][synchronized] Simplify KRA transport cert cache

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/616
Author: tiran
 Title: #616: Simplify KRA transport cert cache
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/616/head:pr616
git checkout pr616
From 44d2c83342a2e87a35674d6cac831fc6122d9ff8 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 17 Mar 2017 10:44:38 +0100
Subject: [PATCH] Simplify KRA transport cert cache

In-memory cache causes problem in forking servers. A file based cache is
good enough. It's easier to understand and avoids performance regression
and synchronization issues when cert becomes out-of-date.

Signed-off-by: Christian Heimes 
---
 ipaclient/plugins/vault.py | 102 -
 1 file changed, 55 insertions(+), 47 deletions(-)

diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index d677ec0..b7045b7 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -558,74 +558,79 @@ def forward(self, *args, **options):
 return response
 
 
-class _TransportCertCache(collections.MutableMapping):
+class _TransportCertCache(object):
 def __init__(self):
 self._dirname = os.path.join(
-USER_CACHE_PATH, 'ipa', 'kra-transport-certs')
-self._transport_certs = {}
+USER_CACHE_PATH, 'ipa', 'kra-transport-certs'
+)
 
 def _get_filename(self, domain):
 basename = DNSName(domain).ToASCII() + '.pem'
 return os.path.join(self._dirname, basename)
 
-def __getitem__(self, domain):
-try:
-transport_cert = self._transport_certs[domain]
-except KeyError:
-transport_cert = None
+def load_cert(self, domain):
+"""Load cert from cache
 
-filename = self._get_filename(domain)
+:param domain: IPA domain
+:return: cryptography.x509.Certificate or None
+"""
+filename = self._get_filename(domain)
+try:
 try:
-try:
-transport_cert = x509.load_certificate_from_file(filename)
-except EnvironmentError as e:
-if e.errno != errno.ENOENT:
-raise
-except Exception:
-logger.warning("Failed to load %s: %s", filename,
-   exc_info=True)
-
-if transport_cert is None:
-raise KeyError(domain)
-
-self._transport_certs[domain] = transport_cert
+return x509.load_certificate_from_file(filename)
+except EnvironmentError as e:
+if e.errno != errno.ENOENT:
+raise
+except Exception:
+logger.warning("Failed to load %s", filename, exc_info=True)
 
-return transport_cert
+def store_cert(self, domain, transport_cert):
+"""Store a new cert or override existing cert
 
-def __setitem__(self, domain, transport_cert):
+:param domain: IPA domain
+:param transport_cert: cryptography.x509.Certificate
+:return: True if cert was stored successfully
+"""
 filename = self._get_filename(domain)
-transport_cert_der = (
-transport_cert.public_bytes(serialization.Encoding.DER))
+pem = transport_cert.public_bytes(serialization.Encoding.PEM)
 try:
 try:
 os.makedirs(self._dirname)
 except EnvironmentError as e:
 if e.errno != errno.EEXIST:
 raise
-fd, tmpfilename = tempfile.mkstemp(dir=self._dirname)
-os.close(fd)
-x509.write_certificate(transport_cert_der, tmpfilename)
-os.rename(tmpfilename, filename)
+with tempfile.NamedTemporaryFile(dir=self._dirname, delete=False,
+ mode='wb') as f:
+try:
+f.write(pem)
+f.flush()
+os.fdatasync(f.fileno())
+f.close()
+os.rename(f.name, filename)
+except Exception:
+os.unlink(f.name)
+raise
 except Exception:
 logger.warning("Failed to save %s", filename, exc_info=True)
+return False
+else:
+return True
 
-self._transport_certs[domain] = transport_cert
+def remove_cert(self, domain):
+"""Remove a cert from cache, ignores errors
 
-def __delitem__(self, domain):
+:param domain: IPA domain
+:return: True if cert was found and removed
+"""
 filename = self._get_filename(domain)
 try:
 os.unlink(filename)
 except EnvironmentError as e:
 if e.errno != errno.ENOENT:
 logger.warning("Failed to remove %s", filename, exc_info=True)
-
-

[Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache

[tiran]

  URL: https://github.com/freeipa/freeipa/pull/616
Title: #616: Simplify KRA transport cert cache

tiran commented:
"""
@HonzaCholasta I don't agree with you. Mutable mapping is too complex for a 
simple cache. My approach is KISS.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/616#issuecomment-287315292
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features

[tiran]

  URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

tiran commented:
"""
I had some issues with build system yesterday. For some reason 
```python2-python-etcd``` dependency was missing dependency on ```etcd```. I'm 
glad time heals all wounds (or some devs *g*).

F25 https://koji.fedoraproject.org/koji/taskinfo?taskID=18429524
F26 https://koji.fedoraproject.org/koji/taskinfo?taskID=18429570
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/517#issuecomment-287313565
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache

[MartinBasti]

  URL: https://github.com/freeipa/freeipa/pull/616
Title: #616: Simplify KRA transport cert cache

MartinBasti commented:
"""
Please open backport ticket and put it into commit messsage
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/616#issuecomment-287312239
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache

[HonzaCholasta]

  URL: https://github.com/freeipa/freeipa/pull/616
Title: #616: Simplify KRA transport cert cache

HonzaCholasta commented:
"""
NACK on the completely unnecessary changes in `_TransportCertCache` interface, 
variable names and formatting. Otherwise LGTM.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/616#issuecomment-287312193
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache

[MartinBasti]

  URL: https://github.com/freeipa/freeipa/pull/616
Title: #616: Simplify KRA transport cert cache

MartinBasti commented:
"""
Please open backport ticket and put it into commit messsage
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/616#issuecomment-287312239
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#614][edited] [4.5] Constrain wheel package versions

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/614
Author: tiran
 Title: #614: [4.5] Constrain wheel package versions
Action: edited

 Changed field: title
Original value:
"""
Constrain wheel package versions
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#616][comment] Simplify KRA transport cert cache

[tiran]

  URL: https://github.com/freeipa/freeipa/pull/616
Title: #616: Simplify KRA transport cert cache

tiran commented:
"""
Needs to be merged into ipa-4.5 branch, too.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/616#issuecomment-287311164
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#616][opened] Simplify KRA transport cert cache

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/616
Author: tiran
 Title: #616: Simplify KRA transport cert cache
Action: opened

PR body:
"""
In-memory cache causes problem in forking servers. A file based cache is
good enough. It's easier to understand and avoids performance regression
and synchronization issues when cert becomes out-of-date.

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/616/head:pr616
git checkout pr616
From 0f0a9457ba6f2e871dedf3a1cb9491c916693c39 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 17 Mar 2017 10:44:38 +0100
Subject: [PATCH] Simplify KRA transport cert cache

In-memory cache causes problem in forking servers. A file based cache is
good enough. It's easier to understand and avoids performance regression
and synchronization issues when cert becomes out-of-date.

Signed-off-by: Christian Heimes 
---
 ipaclient/plugins/vault.py | 106 +
 1 file changed, 59 insertions(+), 47 deletions(-)

diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index d677ec0..ca6d6da 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -558,74 +558,79 @@ def forward(self, *args, **options):
 return response
 
 
-class _TransportCertCache(collections.MutableMapping):
+class _TransportCertCache(object):
 def __init__(self):
 self._dirname = os.path.join(
-USER_CACHE_PATH, 'ipa', 'kra-transport-certs')
-self._transport_certs = {}
+USER_CACHE_PATH, 'ipa', 'kra-transport-certs'
+)
 
 def _get_filename(self, domain):
 basename = DNSName(domain).ToASCII() + '.pem'
 return os.path.join(self._dirname, basename)
 
-def __getitem__(self, domain):
-try:
-transport_cert = self._transport_certs[domain]
-except KeyError:
-transport_cert = None
+def load_cert(self, domain):
+"""Load cert from cache
 
-filename = self._get_filename(domain)
+:param domain: IPA domain
+:return: cryptography.x509.Certificate or None
+"""
+filename = self._get_filename(domain)
+try:
 try:
-try:
-transport_cert = x509.load_certificate_from_file(filename)
-except EnvironmentError as e:
-if e.errno != errno.ENOENT:
-raise
-except Exception:
-logger.warning("Failed to load %s: %s", filename,
-   exc_info=True)
-
-if transport_cert is None:
-raise KeyError(domain)
-
-self._transport_certs[domain] = transport_cert
+return x509.load_certificate_from_file(filename)
+except EnvironmentError as e:
+if e.errno != errno.ENOENT:
+raise
+except Exception:
+logger.warning("Failed to load %s", filename, exc_info=True)
 
-return transport_cert
+def store_cert(self, domain, transport_cert):
+"""Store a new cert or override existing cert
 
-def __setitem__(self, domain, transport_cert):
+:param domain: IPA domain
+:param transport_cert: cryptography.x509.Certificate
+:return: True if cert was stored successfully
+"""
 filename = self._get_filename(domain)
-transport_cert_der = (
-transport_cert.public_bytes(serialization.Encoding.DER))
+pem = transport_cert.public_bytes(serialization.Encoding.PEM)
 try:
 try:
 os.makedirs(self._dirname)
 except EnvironmentError as e:
 if e.errno != errno.EEXIST:
 raise
-fd, tmpfilename = tempfile.mkstemp(dir=self._dirname)
-os.close(fd)
-x509.write_certificate(transport_cert_der, tmpfilename)
-os.rename(tmpfilename, filename)
+with tempfile.NamedTemporaryFile(dir=self._dirname, delete=False,
+ mode='wb') as f:
+try:
+f.write(pem)
+f.flush()
+os.fdatasync(f.fileno())
+f.close()
+os.rename(f.name, filename)
+except Exception:
+os.unlink(f.name)
+raise
 except Exception:
 logger.warning("Failed to save %s", filename, exc_info=True)
+return False
+else:
+return True
 
-self._transport_certs[domain] = transport_cert
+def remove_cert(self, domain):
+"""Remove a cert from cache, ignores errors
 
-def __delitem__(self, domain):
+:param domain: IPA domain
+:return: True if cert was found and removed
+"""
 fi

[Freeipa-devel] [freeipa PR#614][opened] Constrain wheel package versions

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/614
Author: tiran
 Title: #614: Constrain wheel package versions
Action: opened

PR body:
"""
The presence of IPA packages on PyPI revealed an interesting issue with
make wheel_bundle. pip gives final releases a higher precedence than our
development packages. make wheel_bundle downloads ipa 4.5.0 from PyPI
instead of using our own wheels.

Use a constraint file to enforce correct versions.

https://pagure.io/freeipa/issue/6468

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/614/head:pr614
git checkout pr614
From 0443ae32557a6d80d744b01235ea1b9e9cb088fa Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 17 Mar 2017 10:35:48 +0100
Subject: [PATCH] Constrain wheel package versions

The presence of IPA packages on PyPI revealed an interesting issue with
make wheel_bundle. pip gives final releases a higher precedence than our
development packages. make wheel_bundle downloads ipa 4.5.0 from PyPI
instead of using our own wheels.

Use a constraint file to enforce correct versions.

https://pagure.io/freeipa/issue/6468

Signed-off-by: Christian Heimes 
---
 .gitignore   |  1 +
 .wheelconstraints.in | 11 +++
 Makefile.am  | 19 ---
 3 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 .wheelconstraints.in

diff --git a/.gitignore b/.gitignore
index 7e78a93..90d7d23 100644
--- a/.gitignore
+++ b/.gitignore
@@ -66,6 +66,7 @@ freeipa2-dev-doc
 /rpmbuild/
 # Build
 /ipasetup.py
+/.wheelconstraints
 *.egg-info
 
 # Subdirectories
diff --git a/.wheelconstraints.in b/.wheelconstraints.in
new file mode 100644
index 000..eba4ec9
--- /dev/null
+++ b/.wheelconstraints.in
@@ -0,0 +1,11 @@
+# placeholder
+freeipa == @VERSION@
+ipa == @VERSION@
+# actual packages
+ipaclient == @VERSION@
+ipalib == @VERSION@
+ipaplatform == @VERSION@
+ipapython == @VERSION@
+ipaserver == @VERSION@
+ipatests == @VERSION@
+
diff --git a/Makefile.am b/Makefile.am
index df4e05a..af22315 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -34,6 +34,11 @@ ipasetup.py: ipasetup.py.in $(CONFIG_STATUS)
 		-e 's|@VERSION[@]|$(VERSION)|g'			\
 		$< > $@
 
+.wheelconstraints: .wheelconstraints.in $(CONFIG_STATUS)
+	$(AM_V_GEN)sed		\
+		-e 's|@VERSION[@]|$(VERSION)|g'			\
+		$< > $@
+
 EXTRA_DIST = .mailmap \
 	 ACI.txt \
 	 API.txt \
@@ -46,7 +51,8 @@ EXTRA_DIST = .mailmap \
 	 doc \
 	 freeipa.spec.in \
 	 ipasetup.py.in \
-	 pylintrc
+	 pylintrc \
+	 .wheelconstraints.in
 
 clean-local:
 	rm -rf "$(RPMBUILD)"
@@ -232,8 +238,15 @@ bdist_wheel: $(WHEELDISTDIR)
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
 
-wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel
-	$(PYTHON) -m pip wheel --wheel-dir $(WHEELBUNDLEDIR) $(WHEELDISTDIR)/*.whl
+wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel .wheelconstraints
+	rm -f $(foreach item,$(IPACLIENT_SUBDIRS),$(WHEELBUNDLEDIR)/$(item)-*.whl)
+	$(PYTHON) -m pip wheel \
+	--disable-pip-version-check \
+	--constraint .wheelconstraints \
+	--find-links $(WHEELDISTDIR) \
+	--find-links $(WHEELBUNDLEDIR) \
+	--wheel-dir $(WHEELBUNDLEDIR) \
+	$(IPACLIENT_SUBDIRS)
 
 wheel_placeholder: $(WHEELDISTDIR)
 	for dir in $(IPA_PLACEHOLDERS); do \
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#608][+ack] tasks: run `systemctl daemon-reload` after httpd.service.d updates

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/608
Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#615][opened] httpinstance: clean up /etc/httpd/alias on uninstall

[HonzaCholasta]

   URL: https://github.com/freeipa/freeipa/pull/615
Author: HonzaCholasta
 Title: #615: httpinstance: clean up /etc/httpd/alias on uninstall
Action: opened

PR body:
"""
**certs: do not implicitly create DS pin.txt**

Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create
it explicitly in `DSInstance.__enable_ssl()`.

This stops the file from being created in /etc/httpd/alias during classic
replica install.

**httpinstance: clean up /etc/httpd/alias on uninstall**

Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias
from backup on uninstall.

Files modified by IPA are kept with .ipasave suffix.

https://pagure.io/freeipa/issue/4639
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/615/head:pr615
git checkout pr615
From d1dd53e39042925a5b8ec8ded5d3cc46111f939d Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 14 Mar 2017 09:32:17 +0100
Subject: [PATCH 1/2] certs: do not implicitly create DS pin.txt

Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create
it explicitly in `DSInstance.__enable_ssl()`.

This stops the file from being created in /etc/httpd/alias during classic
replica install.

https://pagure.io/freeipa/issue/4639
---
 ipaserver/install/certs.py  | 1 -
 ipaserver/install/dsinstance.py | 3 ++-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 63e7887..9f340b8 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -635,7 +635,6 @@ def init_from_pkcs12(self, pkcs12_fname, pkcs12_passwd,
 self.cacert_name = ca_names[-1]
 self.trust_root_cert(self.cacert_name, trust_flags)
 
-self.create_pin_file()
 self.export_ca_cert(nickname, False)
 
 def publish_ca_cert(self, location):
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 91cc180..79dc90e 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -838,7 +838,8 @@ def __enable_ssl(self):
 certmonger.modify_ca_helper('IPA', prev_helper)
 
 self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
-dsdb.create_pin_file()
+
+dsdb.create_pin_file()
 
 self.cacert_name = dsdb.cacert_name
 

From cd8d3bac3a26c9d084aeea139011067ac5187af9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 8 Mar 2017 14:24:15 +
Subject: [PATCH 2/2] httpinstance: clean up /etc/httpd/alias on uninstall

Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias
from backup on uninstall.

Files modified by IPA are kept with .ipasave suffix.

https://pagure.io/freeipa/issue/4639
---
 ipapython/certdb.py   | 13 +
 ipaserver/install/certs.py|  3 +++
 ipaserver/install/httpinstance.py |  3 +++
 3 files changed, 19 insertions(+)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 6c89e77..f1410e5 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -169,6 +169,19 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
 new_mode = filemode
 os.chmod(path, new_mode)
 
+def restore(self):
+for filename in NSS_FILES:
+path = os.path.join(self.secdir, filename)
+backup_path = path + '.orig'
+save_path = path + '.ipasave'
+try:
+if os.path.exists(path):
+os.rename(path, save_path)
+if os.path.exists(backup_path):
+os.rename(backup_path, path)
+except OSError as e:
+root_logger.debug(e)
+
 def list_certs(self):
 """Return nicknames and cert flags for all certs in the database
 
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 9f340b8..0ca9713 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -234,6 +234,9 @@ def create_certdbs(self):
  backup=True)
 self.set_perms(self.passwd_fname, write=True)
 
+def restore(self):
+self.nssdb.restore()
+
 def list_certs(self):
 """
 Return a tuple of tuples containing (nickname, trust)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index ca3bcc8..f6f0b0c 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -555,6 +555,9 @@ def uninstall(self):
 ca_iface.Set('org.fedorahosted.certmonger.ca',
  'external-helper', helper)
 
+db = certs.CertDB(self.realm, paths.HTTPD_ALIAS_DIR)
+db.restore()
+
 for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF, paths.HTTPD_NSS_CONF]:
 try:
 self.fstore.restore_file(f)
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/ma

[Freeipa-devel] [freeipa PR#613][opened] Constrain wheel package versions

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/613
Author: tiran
 Title: #613: Constrain wheel package versions
Action: opened

PR body:
"""
The presence of IPA packages on PyPI revealed an interesting issue with
make wheel_bundle. pip gives final releases a higher precedence than our
development packages. make wheel_bundle downloads ipa 4.5.0 from PyPI
instead of using our own wheels.

Use a constraint file to enforce correct versions.

https://pagure.io/freeipa/issue/6468

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/613/head:pr613
git checkout pr613
From f6dd1b49430956f2404e372c4cfc12f337cb3a35 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 17 Mar 2017 10:35:48 +0100
Subject: [PATCH] Constrain wheel package versions

The presence of IPA packages on PyPI revealed an interesting issue with
make wheel_bundle. pip gives final releases a higher precedence than our
development packages. make wheel_bundle downloads ipa 4.5.0 from PyPI
instead of using our own wheels.

Use a constraint file to enforce correct versions.

https://pagure.io/freeipa/issue/6468

Signed-off-by: Christian Heimes 
---
 .gitignore   |  1 +
 .wheelconstraints.in | 11 +++
 Makefile.am  | 19 ---
 3 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 .wheelconstraints.in

diff --git a/.gitignore b/.gitignore
index 7e78a93..90d7d23 100644
--- a/.gitignore
+++ b/.gitignore
@@ -66,6 +66,7 @@ freeipa2-dev-doc
 /rpmbuild/
 # Build
 /ipasetup.py
+/.wheelconstraints
 *.egg-info
 
 # Subdirectories
diff --git a/.wheelconstraints.in b/.wheelconstraints.in
new file mode 100644
index 000..eba4ec9
--- /dev/null
+++ b/.wheelconstraints.in
@@ -0,0 +1,11 @@
+# placeholder
+freeipa == @VERSION@
+ipa == @VERSION@
+# actual packages
+ipaclient == @VERSION@
+ipalib == @VERSION@
+ipaplatform == @VERSION@
+ipapython == @VERSION@
+ipaserver == @VERSION@
+ipatests == @VERSION@
+
diff --git a/Makefile.am b/Makefile.am
index df4e05a..af22315 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -34,6 +34,11 @@ ipasetup.py: ipasetup.py.in $(CONFIG_STATUS)
 		-e 's|@VERSION[@]|$(VERSION)|g'			\
 		$< > $@
 
+.wheelconstraints: .wheelconstraints.in $(CONFIG_STATUS)
+	$(AM_V_GEN)sed		\
+		-e 's|@VERSION[@]|$(VERSION)|g'			\
+		$< > $@
+
 EXTRA_DIST = .mailmap \
 	 ACI.txt \
 	 API.txt \
@@ -46,7 +51,8 @@ EXTRA_DIST = .mailmap \
 	 doc \
 	 freeipa.spec.in \
 	 ipasetup.py.in \
-	 pylintrc
+	 pylintrc \
+	 .wheelconstraints.in
 
 clean-local:
 	rm -rf "$(RPMBUILD)"
@@ -232,8 +238,15 @@ bdist_wheel: $(WHEELDISTDIR)
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
 
-wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel
-	$(PYTHON) -m pip wheel --wheel-dir $(WHEELBUNDLEDIR) $(WHEELDISTDIR)/*.whl
+wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel .wheelconstraints
+	rm -f $(foreach item,$(IPACLIENT_SUBDIRS),$(WHEELBUNDLEDIR)/$(item)-*.whl)
+	$(PYTHON) -m pip wheel \
+	--disable-pip-version-check \
+	--constraint .wheelconstraints \
+	--find-links $(WHEELDISTDIR) \
+	--find-links $(WHEELBUNDLEDIR) \
+	--wheel-dir $(WHEELBUNDLEDIR) \
+	$(IPACLIENT_SUBDIRS)
 
 wheel_placeholder: $(WHEELDISTDIR)
 	for dir in $(IPA_PLACEHOLDERS); do \
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#606][comment] [ipa-4-4] ipa-kdb: support KDB DAL version 6.1

[tomaskrizek]

  URL: https://github.com/freeipa/freeipa/pull/606
Title: #606: [ipa-4-4] ipa-kdb: support KDB DAL version 6.1

tomaskrizek commented:
"""
Created the ticket and linked it in the commit message.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/606#issuecomment-287302249
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#606][synchronized] [ipa-4-4] ipa-kdb: support KDB DAL version 6.1

[tomaskrizek]

   URL: https://github.com/freeipa/freeipa/pull/606
Author: tomaskrizek
 Title: #606: [ipa-4-4] ipa-kdb: support KDB DAL version 6.1
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/606/head:pr606
git checkout pr606
From b436e0def7542eb0dbccbd60e061c2774cd86c47 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Tue, 24 Jan 2017 11:02:30 +0200
Subject: [PATCH] ipa-kdb: support KDB DAL version 6.1

DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As result, FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).

DAL version 6.1 added a special callback for freeing e_data structure.
See details at krb5/krb5#596

Restructure KDB driver code to provide this callback in case
we are built against DAL version that supports it. For DAL version
prior to 6.0 use this callback in the free_principal callback to
tidy the code.

Use explicit KDB version dependency in Fedora 26+ via BuildRequires.

With new DAL version, freeipa package will fail to build and
we'll have to add a support for new DAL version explicitly.

https://pagure.io/freeipa/issue/6776
---
 daemons/configure.ac |  21 ++
 daemons/ipa-kdb/ipa_kdb.c| 140 +--
 daemons/ipa-kdb/ipa_kdb.h|   2 +
 daemons/ipa-kdb/ipa_kdb_principals.c |  42 ++-
 freeipa.spec.in  |   9 +++
 5 files changed, 157 insertions(+), 57 deletions(-)

diff --git a/daemons/configure.ac b/daemons/configure.ac
index 5c5a104..77a3be0 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -66,6 +66,27 @@ AC_SUBST(KRB5_LIBS)
 AC_SUBST(KRAD_LIBS)
 AC_SUBST(krb5rundir)
 
+AC_CHECK_HEADER(kdb.h, [], [AC_MSG_ERROR([kdb.h not found])])
+AC_CHECK_MEMBER(
+	[kdb_vftabl.free_principal],
+	[AC_DEFINE([HAVE_KDB_FREEPRINCIPAL], [1],
+		   [KDB driver API has free_principal callback])],
+	[AC_MSG_NOTICE([KDB driver API has no free_principal callback])],
+	[[#include ]])
+AC_CHECK_MEMBER(
+	[kdb_vftabl.free_principal_e_data],
+	[AC_DEFINE([HAVE_KDB_FREEPRINCIPAL_EDATA], [1],
+		   [KDB driver API has free_principal_e_data callback])],
+	[AC_MSG_NOTICE([KDB driver API has no free_principal_e_data callback])],
+	[[#include ]])
+
+if test "x$ac_cv_member_kdb_vftabl_free_principal" = "xno" \
+		-a "x$ac_cv_member_kdb_vftable_free_principal_e_data" = "xno" ; then
+AC_MSG_WARN([KDB driver API does not allow to free Kerberos principal data.])
+AC_MSG_WARN([KDB driver will leak memory on Kerberos principal use])
+AC_MSG_WARN([See https://github.com/krb5/krb5/pull/596 for details])
+fi
+
 dnl ---
 dnl - Check for Mozilla LDAP and OpenLDAP SDK
 dnl ---
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index fbcb03b..e74ab56 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -625,45 +625,107 @@ static void ipadb_free(krb5_context context, void *ptr)
 
 /* KDB Virtual Table */
 
+/* We explicitly want to keep different ABI tables below separate. */
+/* Do not merge them together. Older ABI does not need to be updated */
+
+#if KRB5_KDB_DAL_MAJOR_VERSION == 5
+kdb_vftabl kdb_function_table = {
+.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+.min_ver = 0,
+.init_library = ipadb_init_library,
+.fini_library = ipadb_fini_library,
+.init_module = ipadb_init_module,
+.fini_module = ipadb_fini_module,
+.create = ipadb_create,
+.get_age = ipadb_get_age,
+.get_principal = ipadb_get_principal,
+.free_principal = ipadb_free_principal,
+.put_principal = ipadb_put_principal,
+.delete_principal = ipadb_delete_principal,
+.iterate = ipadb_iterate,
+.create_policy = ipadb_create_pwd_policy,
+.get_policy = ipadb_get_pwd_policy,
+.put_policy = ipadb_put_pwd_policy,
+.iter_policy = ipadb_iterate_pwd_policy,
+.delete_policy = ipadb_delete_pwd_policy,
+.free_policy = ipadb_free_pwd_policy,
+.alloc = ipadb_alloc,
+.free = ipadb_free,
+.fetch_master_key = ipadb_fetch_master_key,
+.store_master_key_list = ipadb_store_master_key_list,
+.change_pwd = ipadb_change_pwd,
+.sign_authdata = ipadb_sign_authdata,
+.check_transited_realms = ipadb_check_transited_realms,
+.check_policy_as = ipadb_check_policy_as,
+.audit_as_req = ipadb_audit_as_req,
+.check_allowed_to_delegate = ipadb_check_allowed_to_delegate
+};
+#endif
+
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
 kdb_vftabl kdb_function_table = {
-KRB5_KDB_DAL_MAJOR_VERSION, /* major version number */
-0,  /* minor version number */
-ipadb_init_library, /* init_library */

[Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

martbab commented:
"""
@MartinBasti ok there should be no problems with that (built it on F25 VM but 
threw it away afterwards, oh well)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/517#issuecomment-287295476
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features

[MartinBasti]

  URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

MartinBasti commented:
"""
@martbab I will test it manually (when I receive f25/F26 rpms), if works then I 
will update master copr
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/517#issuecomment-287292769
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#612][opened] [4.5] Add debug log in case cookie retrieval went wrong

[stlaz]

   URL: https://github.com/freeipa/freeipa/pull/612
Author: stlaz
 Title: #612: [4.5] Add debug log in case cookie retrieval went wrong
Action: opened

PR body:
"""
https://pagure.io/freeipa/issue/6774
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/612/head:pr612
git checkout pr612
From f7774068ac15dcc92e1abd333f4a9a14ff4dd62a Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 17 Mar 2017 08:55:30 +0100
Subject: [PATCH] Add debug log in case cookie retrieval went wrong

https://pagure.io/freeipa/issue/6774
---
 ipalib/rpc.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 16ffb8b..499ddeb 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -849,7 +849,10 @@ def get_session_cookie_from_persistent_storage(self, principal):
 session_cookie = Cookie.get_named_cookie_from_string(
 cookie_string, COOKIE_NAME,
 timestamp=datetime.datetime.utcnow())
-except Exception:
+except Exception as e:
+self.log.debug(
+'Error retrieving cookie from the persistent storage: {err}'
+.format(err=e))
 return None
 
 return session_cookie
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#609][synchronized] [4.4] Fix cookie with Max-Age processing

[stlaz]

   URL: https://github.com/freeipa/freeipa/pull/609
Author: stlaz
 Title: #609: [4.4] Fix cookie with Max-Age processing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/609/head:pr609
git checkout pr609
From 170036fabb2f0d9d79a55b47b78268da3bb9ce54 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 2 Mar 2017 09:11:34 +0100
Subject: [PATCH 1/2] Fix cookie with Max-Age processing

When cookie has Max-Age set it tries to get expiration by adding
to a timestamp. Without this patch the timestamp would be set to
None and thus the addition of timestamp + max_age fails

https://pagure.io/freeipa/issue/6774
---
 ipalib/rpc.py   | 13 +
 ipapython/cookie.py |  5 -
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 1c00289..cd14d91 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -699,8 +699,11 @@ def store_session_cookie(self, cookie_header):
 
 # Search for the session cookie
 try:
-session_cookie = Cookie.get_named_cookie_from_string(cookie_header,
- COOKIE_NAME, request_url)
+session_cookie = (
+Cookie.get_named_cookie_from_string(
+cookie_header, COOKIE_NAME, request_url,
+timestamp=datetime.datetime.utcnow())
+)
 except Exception as e:
 root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e)
 return
@@ -794,8 +797,10 @@ def get_session_cookie_from_persistent_storage(self, principal):
 
 # Search for the session cookie within the cookie string
 try:
-session_cookie = Cookie.get_named_cookie_from_string(cookie_string, COOKIE_NAME)
-except Exception as e:
+session_cookie = Cookie.get_named_cookie_from_string(
+cookie_string, COOKIE_NAME,
+timestamp=datetime.datetime.utcnow())
+except Exception:
 return None
 
 return session_cookie
diff --git a/ipapython/cookie.py b/ipapython/cookie.py
index 89c3e3c..2831394 100644
--- a/ipapython/cookie.py
+++ b/ipapython/cookie.py
@@ -320,7 +320,8 @@ def parse(cls, cookie_string, request_url=None):
 return cookies
 
 @classmethod
-def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=None):
+def get_named_cookie_from_string(cls, cookie_string, cookie_name,
+ request_url=None, timestamp=None):
 '''
 A cookie string may contain multiple cookies, parse the cookie
 string and return the last cookie in the string matching the
@@ -342,6 +343,8 @@ def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=No
 if cookie.key == cookie_name:
 target_cookie = cookie
 
+if timestamp is not None:
+target_cookie.timestamp = timestamp
 if request_url is not None:
 target_cookie.normalize(request_url)
 return target_cookie

From 50ee5c67014ffa213c49658fe0a40fe9a76d0464 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 17 Mar 2017 08:55:30 +0100
Subject: [PATCH 2/2] Add debug log in case cookie retrieval went wrong

https://pagure.io/freeipa/issue/6774
---
 ipalib/rpc.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index cd14d91..31e1518 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -800,7 +800,10 @@ def get_session_cookie_from_persistent_storage(self, principal):
 session_cookie = Cookie.get_named_cookie_from_string(
 cookie_string, COOKIE_NAME,
 timestamp=datetime.datetime.utcnow())
-except Exception:
+except Exception as e:
+self.log.debug(
+'Error retrieving cookie from the persistent storage: {err}'
+.format(err=e))
 return None
 
 return session_cookie
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#610][comment] [4.3] Fix cookie with Max-Age processing

[stlaz]

  URL: https://github.com/freeipa/freeipa/pull/610
Title: #610: [4.3] Fix cookie with Max-Age processing

stlaz commented:
"""
The ticket's already there, I just recycled the old commit message and forgot 
to replace it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/610#issuecomment-287290891
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#610][synchronized] [4.3] Fix cookie with Max-Age processing

[stlaz]

   URL: https://github.com/freeipa/freeipa/pull/610
Author: stlaz
 Title: #610: [4.3] Fix cookie with Max-Age processing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/610/head:pr610
git checkout pr610
From e717a37eb83960e0c2540cc09f21ac18a7011b6f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 2 Mar 2017 09:11:34 +0100
Subject: [PATCH 1/2] Fix cookie with Max-Age processing

When cookie has Max-Age set it tries to get expiration by adding
to a timestamp. Without this patch the timestamp would be set to
None and thus the addition of timestamp + max_age fails

https://pagure.io/freeipa/issue/6774
---
 ipalib/rpc.py   | 13 +
 ipapython/cookie.py |  5 -
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 207149e..ef3a2a7 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -693,8 +693,11 @@ def store_session_cookie(self, cookie_header):
 
 # Search for the session cookie
 try:
-session_cookie = Cookie.get_named_cookie_from_string(cookie_header,
- COOKIE_NAME, request_url)
+session_cookie = (
+Cookie.get_named_cookie_from_string(
+cookie_header, COOKIE_NAME, request_url,
+timestamp=datetime.datetime.utcnow())
+)
 except Exception as e:
 root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e)
 return
@@ -788,8 +791,10 @@ def get_session_cookie_from_persistent_storage(self, principal):
 
 # Search for the session cookie within the cookie string
 try:
-session_cookie = Cookie.get_named_cookie_from_string(cookie_string, COOKIE_NAME)
-except Exception as e:
+session_cookie = Cookie.get_named_cookie_from_string(
+cookie_string, COOKIE_NAME,
+timestamp=datetime.datetime.utcnow())
+except Exception:
 return None
 
 return session_cookie
diff --git a/ipapython/cookie.py b/ipapython/cookie.py
index d32640a..6f7bc6c 100644
--- a/ipapython/cookie.py
+++ b/ipapython/cookie.py
@@ -321,7 +321,8 @@ def parse(cls, cookie_string, request_url=None):
 return cookies
 
 @classmethod
-def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=None):
+def get_named_cookie_from_string(cls, cookie_string, cookie_name,
+ request_url=None, timestamp=None):
 '''
 A cookie string may contain multiple cookies, parse the cookie
 string and return the last cookie in the string matching the
@@ -343,6 +344,8 @@ def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=No
 if cookie.key == cookie_name:
 target_cookie = cookie
 
+if timestamp is not None:
+target_cookie.timestamp = timestamp
 if request_url is not None:
 target_cookie.normalize(request_url)
 return target_cookie

From 0612ea603c59c0818c1a32313fd442a6c5c3ce92 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 17 Mar 2017 08:55:30 +0100
Subject: [PATCH 2/2] Add debug log in case cookie retrieval went wrong

https://pagure.io/freeipa/issue/6774
---
 ipalib/rpc.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index ef3a2a7..556e5c2 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -794,7 +794,10 @@ def get_session_cookie_from_persistent_storage(self, principal):
 session_cookie = Cookie.get_named_cookie_from_string(
 cookie_string, COOKIE_NAME,
 timestamp=datetime.datetime.utcnow())
-except Exception:
+except Exception as e:
+self.log.debug(
+'Error retrieving cookie from the persistent storage: {err}'
+.format(err=e))
 return None
 
 return session_cookie
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#611][opened] Add debug log in case cookie retrieval went wrong

[stlaz]

   URL: https://github.com/freeipa/freeipa/pull/611
Author: stlaz
 Title: #611: Add debug log in case cookie retrieval went wrong
Action: opened

PR body:
"""
When backporting the fix, @MartinBasti pointed out we could use a debug log.

https://pagure.io/freeipa/issue/6774
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/611/head:pr611
git checkout pr611
From b5d89e324af72493aac7e8b601a0136f8537236a Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 17 Mar 2017 08:55:30 +0100
Subject: [PATCH] Add debug log in case cookie retrieval went wrong

https://pagure.io/freeipa/issue/6774
---
 ipalib/rpc.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 16ffb8b..499ddeb 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -849,7 +849,10 @@ def get_session_cookie_from_persistent_storage(self, principal):
 session_cookie = Cookie.get_named_cookie_from_string(
 cookie_string, COOKIE_NAME,
 timestamp=datetime.datetime.utcnow())
-except Exception:
+except Exception as e:
+self.log.debug(
+'Error retrieving cookie from the persistent storage: {err}'
+.format(err=e))
 return None
 
 return session_cookie
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

martbab commented:
"""
I have one small question and am going to try out some integration tests to see 
if we did not break something in them as Travis  won't catch that.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/475#issuecomment-287287386
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#606][comment] [ipa-4-4] ipa-kdb: support KDB DAL version 6.1

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/606
Title: #606: [ipa-4-4] ipa-kdb: support KDB DAL version 6.1

martbab commented:
"""
Since the original ticket is in already closed milestone open a separate one 
for backport to 4-4 branch please.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/606#issuecomment-287285298
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

martbab commented:
"""
@tiran we first need a copr build on F25 to unblock Travis CI. Can you provide 
a copr repo and modify test runner config to add it during builddep phase?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/517#issuecomment-287283578
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code