[Freeipa-devel] [freeipa PR#682][synchronized] ipaserver/dcerpc: unify error processing
URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: ipaserver/dcerpc: unify error processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/682/head:pr682 git checkout pr682 From 25d8a94c862c51300198ea4956842521935e53f8 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 3 Apr 2017 10:29:21 +0300 Subject: [PATCH 1/2] ipaserver/dcerpc: unify error processing Samba error code reporting changes from version to version but we also did not provide proper input into DCE RPC error processing method we have. Unify error processing and add a few more fallback entries. With Samba 4.7 we'll have to change it again because error code processing for Samba Python modules will change with introduction of samba.ntstatus and samba.werror modules. Note that this commit also changes a message returned for error code -1073741772 (NT_STATUS_OBJECT_NOT_FOUND) because it is a more general one. Fixes https://pagure.io/freeipa/issue/6859 --- ipaserver/dcerpc.py | 23 +-- 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 2d9d7e5..d684a17 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py 
@@ -117,19 +117,27 @@ def is_sid_valid(sid): # we simply will skip the binding access_denied_error, -1073741772: # NT_STATUS_OBJECT_NAME_NOT_FOUND -errors.RemoteRetrieveError( -reason=_('CIFS server configuration does not allow ' - 'access to pipe\\lsarpc')), +errors.NotFound( +reason=_('Cannot find specified domain or server name')), } dcerpc_error_messages = { "NT_STATUS_OBJECT_NAME_NOT_FOUND": errors.NotFound( reason=_('Cannot find specified domain or server name')), +"The object name is not found.": +errors.NotFound( +reason=_('Cannot find specified domain or server name')), "WERR_NO_LOGON_SERVERS": errors.RemoteRetrieveError( reason=_('AD DC was unable to reach any IPA domain controller. ' 'Most likely it is a DNS or firewall issue')), +# This is a very long key, don't change it +"There are currently no logon servers available to " +"service the logon request.": +errors.RemoteRetrieveError( +reason=_('AD DC was unable to reach any IPA domain controller. ' + 'Most likely it is a DNS or firewall issue')), "NT_STATUS_INVALID_PARAMETER_MIX": errors.RequirementError( name=_('At least the domain or IP address should be specified')), @@ -802,7 +810,8 @@ def __retrieve_trusted_domain_gc_list(self, domain): # Both methods should not fail at the same time if finddc_error and len(info['gc']) == 0: -raise assess_dcerpc_exception(message=str(finddc_error)) +num, message = e.args # pylint: disable=unpacking-non-sequence +raise assess_dcerpc_exception(num=num, message=message) self._info[domain] = info return info @@ -908,7 +917,8 @@ def retrieve_anonymously(self, remote_host, else: result = netrc.finddc(address=remote_host, flags=flags) except RuntimeError as e: -raise assess_dcerpc_exception(message=str(e)) +num, message = e.args # pylint: disable=unpacking-non-sequence +raise assess_dcerpc_exception(num=num, message=message) if not result: return False 
@@ -1408,7 +1418,8 @@ def communicate(td): result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) except RuntimeError as e: -raise assess_dcerpc_exception(message=str(e)) +num, message = e.args # pylint: disable=unpacking-non-sequence +raise assess_dcerpc_exception(num=num, message=message) td.info['dc'] = unicode(result.pdc_dns_name) td.info['name'] = unicode(result.dns_domain) From 4f6054693e797215192388188b0b889342882dcf Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 5 Apr 2017 12:37:10 +0300 Subject: [PATCH 2/2] trust: always use oddjobd helper for fetching trust information Since introduction of privilege separation in IPA framework none of the operations that require direct access to the framework's credentials can be done. All authentication has to be performed with GSSAPI. As result, we cannot obtain TGT for HTTP/.. principal with kinit anymore, so it is better to re-route all types of trust to oddjobd helper and get rid of casing out two-way trust. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1438366 --- ipaserver/plugins/trust.py | 42 +- 1 file changed, 9 insertions(+), 33 deletions(-) diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/tr
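Review bot: In the `@@ -802,7 +810,8 @@` hunk of ipaserver/dcerpc.py (`__retrieve_trusted_domain_gc_list`), the new line `num, message = e.args` reads `e`, but the guard just above it and the line being removed both use `finddc_error`. Nothing in the visible context binds `e` at that point, and on Python 3 a name bound by `except ... as e` is unbound once the except block ends. Unpack from the saved exception instead: `num, message = finddc_error.args`. The other two call sites sit inside `except RuntimeError as e:` and do not have this problem.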
[Freeipa-devel] [freeipa PR#682][edited] ipaserver/dcerpc: unify error processing
URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: ipaserver/dcerpc: unify error processing Action: edited Changed field: title Original value: """ ipserver/dcerpc: unify error processing """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#682][synchronized] ipserver/dcerpc: unify error processing
URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: ipserver/dcerpc: unify error processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/682/head:pr682 git checkout pr682 From 25d8a94c862c51300198ea4956842521935e53f8 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 3 Apr 2017 10:29:21 +0300 Subject: [PATCH 1/2] ipaserver/dcerpc: unify error processing Samba error code reporting changes from version to version but we also did not provide proper input into DCE RPC error processing method we have. Unify error processing and add a few more fallback entries. With Samba 4.7 we'll have to change it again because error code processing for Samba Python modules will change with introduction of samba.ntstatus and samba.werror modules. Note that this commit also changes a message returned for error code -1073741772 (NT_STATUS_OBJECT_NOT_FOUND) because it is a more general one. Fixes https://pagure.io/freeipa/issue/6859 --- ipaserver/dcerpc.py | 23 +-- 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 2d9d7e5..d684a17 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py 
@@ -117,19 +117,27 @@ def is_sid_valid(sid): # we simply will skip the binding access_denied_error, -1073741772: # NT_STATUS_OBJECT_NAME_NOT_FOUND -errors.RemoteRetrieveError( -reason=_('CIFS server configuration does not allow ' - 'access to pipe\\lsarpc')), +errors.NotFound( +reason=_('Cannot find specified domain or server name')), } dcerpc_error_messages = { "NT_STATUS_OBJECT_NAME_NOT_FOUND": errors.NotFound( reason=_('Cannot find specified domain or server name')), +"The object name is not found.": +errors.NotFound( +reason=_('Cannot find specified domain or server name')), "WERR_NO_LOGON_SERVERS": errors.RemoteRetrieveError( reason=_('AD DC was unable to reach any IPA domain controller. ' 'Most likely it is a DNS or firewall issue')), +# This is a very long key, don't change it +"There are currently no logon servers available to " +"service the logon request.": +errors.RemoteRetrieveError( +reason=_('AD DC was unable to reach any IPA domain controller. ' + 'Most likely it is a DNS or firewall issue')), "NT_STATUS_INVALID_PARAMETER_MIX": errors.RequirementError( name=_('At least the domain or IP address should be specified')), @@ -802,7 +810,8 @@ def __retrieve_trusted_domain_gc_list(self, domain): # Both methods should not fail at the same time if finddc_error and len(info['gc']) == 0: -raise assess_dcerpc_exception(message=str(finddc_error)) +num, message = e.args # pylint: disable=unpacking-non-sequence +raise assess_dcerpc_exception(num=num, message=message) self._info[domain] = info return info @@ -908,7 +917,8 @@ def retrieve_anonymously(self, remote_host, else: result = netrc.finddc(address=remote_host, flags=flags) except RuntimeError as e: -raise assess_dcerpc_exception(message=str(e)) +num, message = e.args # pylint: disable=unpacking-non-sequence +raise assess_dcerpc_exception(num=num, message=message) if not result: return False 
@@ -1408,7 +1418,8 @@ def communicate(td): result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) except RuntimeError as e: -raise assess_dcerpc_exception(message=str(e)) +num, message = e.args # pylint: disable=unpacking-non-sequence +raise assess_dcerpc_exception(num=num, message=message) td.info['dc'] = unicode(result.pdc_dns_name) td.info['name'] = unicode(result.dns_domain) From 662914834ebe3b75a85f66ebc4ef95315f9683f0 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 5 Apr 2017 12:37:10 +0300 Subject: [PATCH 2/2] trust: always use oddjobd helper for fetching trust information Since introduction of privilege separation in IPA framework none of the operations that require direct access to the framework's credentials can be done. All authentication has to be performed with GSSAPI. As result, we cannot obtain TGT for HTTP/.. principal with kinit anymore, so it is better to re-route all types of trust to oddjobd helper and get rid of casing out two-way trust. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1438366 --- ipaserver/plugins/trust.py | 38 +++--- 1 file changed, 7 insertions(+), 31 deletions(-) diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.p
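Review bot: The `num, message = e.args` unpacking added in the `@@ -802`, `@@ -908` and `@@ -1408` hunks of ipaserver/dcerpc.py assumes the RuntimeError always carries exactly two arguments. The pylint suppression silences the warning, but a RuntimeError raised with a single message would fail here with a ValueError and hide the original failure. Since the commit message itself says Samba's error reporting changes between versions, guard the unpack and fall back to `assess_dcerpc_exception(message=str(e))` when `len(e.args) != 2`.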
[Freeipa-devel] [freeipa PR#682][synchronized] ipserver/dcerpc: unify error processing
URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: ipserver/dcerpc: unify error processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/682/head:pr682 git checkout pr682 From 4601201f919ebf97e2ea82bd8c5f66ee23a8aa6d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 3 Apr 2017 10:29:21 +0300 Subject: [PATCH 1/2] ipserver/dcerpc: unify error processing Samba error code reporting changes from version to version but we also did not provide proper input into DCE RPC error processing method we have. Unify error processing and add a few more fallback entries. With Samba 4.7 we'll have to change it again because error code processing for Samba Python modules will change with introduction of samba.ntstatus and samba.werror modules. Note that this commit also changes a message returned for error code -1073741772 (NT_STATUS_OBJECT_NOT_FOUND) because it is a more general one. Fixes https://pagure.io/freeipa/issue/6859 --- ipaserver/dcerpc.py | 23 +-- 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 2d9d7e5..d684a17 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py 
@@ -117,19 +117,27 @@ def is_sid_valid(sid): # we simply will skip the binding access_denied_error, -1073741772: # NT_STATUS_OBJECT_NAME_NOT_FOUND -errors.RemoteRetrieveError( -reason=_('CIFS server configuration does not allow ' - 'access to pipe\\lsarpc')), +errors.NotFound( +reason=_('Cannot find specified domain or server name')), } dcerpc_error_messages = { "NT_STATUS_OBJECT_NAME_NOT_FOUND": errors.NotFound( reason=_('Cannot find specified domain or server name')), +"The object name is not found.": +errors.NotFound( +reason=_('Cannot find specified domain or server name')), "WERR_NO_LOGON_SERVERS": errors.RemoteRetrieveError( reason=_('AD DC was unable to reach any IPA domain controller. ' 'Most likely it is a DNS or firewall issue')), +# This is a very long key, don't change it +"There are currently no logon servers available to " +"service the logon request.": +errors.RemoteRetrieveError( +reason=_('AD DC was unable to reach any IPA domain controller. ' + 'Most likely it is a DNS or firewall issue')), "NT_STATUS_INVALID_PARAMETER_MIX": errors.RequirementError( name=_('At least the domain or IP address should be specified')), @@ -802,7 +810,8 @@ def __retrieve_trusted_domain_gc_list(self, domain): # Both methods should not fail at the same time if finddc_error and len(info['gc']) == 0: -raise assess_dcerpc_exception(message=str(finddc_error)) +num, message = e.args # pylint: disable=unpacking-non-sequence +raise assess_dcerpc_exception(num=num, message=message) self._info[domain] = info return info @@ -908,7 +917,8 @@ def retrieve_anonymously(self, remote_host, else: result = netrc.finddc(address=remote_host, flags=flags) except RuntimeError as e: -raise assess_dcerpc_exception(message=str(e)) +num, message = e.args # pylint: disable=unpacking-non-sequence +raise assess_dcerpc_exception(num=num, message=message) if not result: return False 
@@ -1408,7 +1418,8 @@ def communicate(td): result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) except RuntimeError as e: -raise assess_dcerpc_exception(message=str(e)) +num, message = e.args # pylint: disable=unpacking-non-sequence +raise assess_dcerpc_exception(num=num, message=message) td.info['dc'] = unicode(result.pdc_dns_name) td.info['name'] = unicode(result.dns_domain) From db9bff4ecc184f359b858119ba5e8cfc9c8a635f Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 5 Apr 2017 12:37:10 +0300 Subject: [PATCH 2/2] trust: always use oddjobd helper for fetching trust information Since introduction of privilege separation in IPA framework none of the operations that require direct access to the framework's credentials can be done. All authentication has to be performed with GSSAPI. As result, we cannot obtain TGT for HTTP/.. principal with kinit anymore, so it is better to re-route all types of trust to oddjobd helper and get rid of casing out two-way trust. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1438366 --- ipaserver/plugins/trust.py | 38 +++--- 1 file changed, 7 insertions(+), 31 deletions(-) diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
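Review bot: In the `@@ -117,19 +117,27 @@` hunk of ipaserver/dcerpc.py, the two new `dcerpc_error_messages` keys ("The object name is not found." and "There are currently no logon servers available to service the logon request.") match on human-readable message text, and each repeats the full `errors.NotFound(...)` or `errors.RemoteRetrieveError(...)` value of the symbolic key above it. Bind each exception object to a name once and reference it from both keys, the way `access_denied_error` is reused earlier in the same hunk, so the two entries cannot drift apart. The "don't change it" comment should also say which output the long string has to match, so the next Samba update can be checked against it.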
[Freeipa-devel] [freeipa PR#705][synchronized] ipatests: Add krbpasswordexpiration tests
URL: https://github.com/freeipa/freeipa/pull/705 Author: redhatrises Title: #705: ipatests: Add krbpasswordexpiration tests Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/705/head:pr705 git checkout pr705 From be913cd2ab08c76aaba3b690438bd68143c57748 Mon Sep 17 00:00:00 2001 From: Gabe Date: Mon, 10 Apr 2017 11:29:42 -0600 Subject: [PATCH] ipatests: Add krbpasswordexpiration tests --- ipatests/test_xmlrpc/test_user_plugin.py | 18 ++ 1 file changed, 18 insertions(+) diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index 098163d..6d786d6 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py @@ -68,6 +68,7 @@ u'en-us;q=0.1234', u'en-us;q=1.1', u'en-us;q=1.' } +password_expiration_now = datetime.datetime.utcnow() principal_expiration_string = "2020-12-07T19:54:13Z" principal_expiration_date = datetime.datetime(2020, 12, 7, 19, 54, 13) @@ -439,6 +440,23 @@ def test_set_random_password(self, user): ) user.delete() +def test_set_immediate_password_expiration(self, user): +""" Set immediate password expiration for user """ +user.ensure_exists() +command = user.make_update_command( +updates=dict(krbpasswordexpiration=u'now') +) +result = command() +user.check_update(result) + +def test_set_delayed_password_expiration(self, user): +""" Set delayed expiration for user """ +user.ensure_exists() +user.update( +dict(krbpasswordexpiration=principal_expiration_string), +dict(krbpasswordexpiration=[principal_expiration_date]) +) + def test_rename_to_invalid_login(self, user): """ Try to change user login to an invalid value """ user.ensure_exists() -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
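Review bot: The module-level `password_expiration_now = datetime.datetime.utcnow()` added in the `@@ -68,6 +68,7 @@` hunk is not referenced by either new test in this revision, and `test_set_immediate_password_expiration` in the second hunk ends at `user.check_update(result)` without the test stating what `krbpasswordexpiration` should be after it is set to `u'now'`. Drop the unused variable, and have the immediate test assert on the returned expiration time so it checks the behaviour its docstring names.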
[Freeipa-devel] [freeipa PR#705][synchronized] ipatests: Add krbpasswordexpiration tests
URL: https://github.com/freeipa/freeipa/pull/705 Author: redhatrises Title: #705: ipatests: Add krbpasswordexpiration tests Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/705/head:pr705 git checkout pr705 From d86f8bb2f4a9d39d5f467c1f224ad9515423af33 Mon Sep 17 00:00:00 2001 From: Gabe Date: Mon, 10 Apr 2017 10:54:03 -0600 Subject: [PATCH] ipatests: Add krbpasswordexpiration tests --- ipatests/test_xmlrpc/test_user_plugin.py | 17 + 1 file changed, 17 insertions(+) diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index 098163d..716b292 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py @@ -68,6 +68,7 @@ u'en-us;q=0.1234', u'en-us;q=1.1', u'en-us;q=1.' } +password_expiration_now = datetime.datetime.utcnow() principal_expiration_string = "2020-12-07T19:54:13Z" principal_expiration_date = datetime.datetime(2020, 12, 7, 19, 54, 13) @@ -439,6 +440,22 @@ def test_set_random_password(self, user): ) user.delete() +def test_set_immediate_password_expiration(self, user): +""" Set immediate password expiration for user """ +user.ensure_exists() +user.update( +dict(krbpasswordexpiration=u'now'), +dict(krbpasswordexpiration=[password_expiration_now]) +) + +def test_set_delayed_password_expiration(self, user): +""" Set delayed expiration for user """ +user.ensure_exists() +user.update( +dict(krbpasswordexpiration=principal_expiration_string), +dict(krbpasswordexpiration=[principal_expiration_date]) +) + def test_rename_to_invalid_login(self, user): """ Try to change user login to an invalid value """ user.ensure_exists() -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
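Review bot: In `test_set_immediate_password_expiration` (hunk `@@ -439,6 +440,22 @@`), the expected value `[password_expiration_now]` comes from `datetime.datetime.utcnow()` evaluated once at module level, so it is fixed before the test runs and carries microseconds, while the update sends `u'now'` for the server to resolve later. If the second dict is compared for equality, as in the delayed test below it, the two values can only match by coincidence. Capture a timestamp inside the test just before the update and assert that the returned expiration is not earlier than it, or compare within a tolerance.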
[Freeipa-devel] [freeipa PR#705][synchronized] ipatests: Add krbpasswordexpiration tests
URL: https://github.com/freeipa/freeipa/pull/705 Author: redhatrises Title: #705: ipatests: Add krbpasswordexpiration tests Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/705/head:pr705 git checkout pr705 From bff8185b83a5c257d9832ea1c4f41b751fd7daf2 Mon Sep 17 00:00:00 2001 From: Gabe Date: Mon, 10 Apr 2017 09:15:58 -0600 Subject: [PATCH] ipatests: Add krbpasswordexpiration tests --- ipatests/test_xmlrpc/test_user_plugin.py | 15 +++ 1 file changed, 15 insertions(+) diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index 098163d..e108bc0 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py @@ -439,6 +439,21 @@ def test_set_random_password(self, user): ) user.delete() +def test_set_immediate_password_expiration(self, user): +""" Set immediate password expiration for user """ +user.ensure_exists() +user.update( +dict(krbpasswordexpiration=u'now') +) + +def test_set_delayed_password_expiration(self, user): +""" Set delayed expiration for user """ +user.ensure_exists() +user.update( +dict(krbpasswordexpiration=principal_expiration_string), +dict(krbpasswordexpiration=[principal_expiration_date]) +) + def test_rename_to_invalid_login(self, user): """ Try to change user login to an invalid value """ user.ensure_exists() -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#704][+ack] WebUI: cert login: Configure name of parameter used to pass username
URL: https://github.com/freeipa/freeipa/pull/704 Title: #704: WebUI: cert login: Configure name of parameter used to pass username Label: +ack
[Freeipa-devel] [freeipa PR#704][comment] WebUI: cert login: Configure name of parameter used to pass username
URL: https://github.com/freeipa/freeipa/pull/704 Title: #704: WebUI: cert login: Configure name of parameter used to pass username flo-renaud commented: """ Hi @dkupka thank you for the patch, everything works as expected with a single certificate mapped to multiple users. """ See the full comment at https://github.com/freeipa/freeipa/pull/704#issuecomment-292969006
[Freeipa-devel] [freeipa PR#705][opened] ipatests: Add krbpasswordexpiration tests
URL: https://github.com/freeipa/freeipa/pull/705 Author: redhatrises Title: #705: ipatests: Add krbpasswordexpiration tests Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/705/head:pr705 git checkout pr705 From 8d578a7244abc4c44b3e7d610a0235fdedfe044b Mon Sep 17 00:00:00 2001 From: Gabe Date: Mon, 10 Apr 2017 08:10:47 -0600 Subject: [PATCH] ipatests: Add krbpasswordexpiration tests --- ipatests/test_xmlrpc/test_user_plugin.py | 15 +++ 1 file changed, 15 insertions(+) diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index 098163d..cc2710d 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py @@ -439,6 +439,21 @@ def test_set_random_password(self, user): ) user.delete() +def test_set_immediate_password_expiration(self, user): +""" Set immediate password expiration for user """ +user.ensure_exists() +user.update( +dict(krbpasswordexpiration=u'now'), +) + +def test_set_delayed_password_expiration(self, user): +""" Set delayed expiration for user """ +user.ensure_exists() +user.update( +dict(krbpasswordexpiration=principal_expiration_string), +dict(krbpasswordexpiration=[principal_expiration_date]) +) + def test_rename_to_invalid_login(self, user): """ Try to change user login to an invalid value """ user.ensure_exists() -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
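Review bot: `test_set_immediate_password_expiration` passes only the update dict to `user.update(...)`, whereas `test_set_delayed_password_expiration` directly below it also passes the expected result `dict(krbpasswordexpiration=[principal_expiration_date])`. As written, the immediate case never states what `krbpasswordexpiration` should be after `u'now'` is applied. Add an explicit expectation for the immediate case so both tests check the stored value.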
[Freeipa-devel] [freeipa PR#704][opened] WebUI: cert login: Configure name of parameter used to pass username
URL: https://github.com/freeipa/freeipa/pull/704 Author: dkupka Title: #704: WebUI: cert login: Configure name of parameter used to pass username Action: opened PR body: """ Directive LookupUserByCertificateParamName tells mod_lookup_identity module the name of GET parameter that is used to provide username in case certificate is mapped to multiple user accounts. Without this directive login with certificate that's mapped to multiple users doesn't work. https://pagure.io/freeipa/issue/6860 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/704/head:pr704 git checkout pr704 From 1b4e5347f2fae112276179a156063b8b1f42fc27 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Mon, 10 Apr 2017 13:11:13 +0200 Subject: [PATCH] WebUI: cert login: Configure name of parameter used to pass username Directive LookupUserByCertificateParamName tells mod_lookup_identity module the name of GET parameter that is used to provide username in case certificate is mapped to multiple user accounts. Without this directive login with certificate that's mapped to multiple users doesn't work. https://pagure.io/freeipa/issue/6860 --- install/conf/ipa.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index e1f1a58..75c122e 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -117,6 +117,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login" NSSVerifyClient require NSSUserName SSL_CLIENT_CERT LookupUserByCertificate On + LookupUserByCertificateParamName "username" WSGIProcessGroup ipa WSGIApplicationGroup ipa GssapiImpersonate On -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
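Review bot: The added `LookupUserByCertificateParamName "username"` line in install/conf/ipa.conf hard-codes the GET parameter name with no comment, and nothing in this one-line hunk shows where the client side sends that parameter. Add a short comment above the directive saying that it names the GET parameter used to pick the account when one certificate maps to several users, and point to the code that sends it so the two stay in sync.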
[Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation
URL: https://github.com/freeipa/freeipa/pull/697 Author: dkupka Title: #697: Create system users for FreeIPA services during package installation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/697/head:pr697 git checkout pr697 From 58d2ae5206f212c117631905a543dfb01f2e134f Mon Sep 17 00:00:00 2001 From: David Kupka Date: Mon, 10 Apr 2017 15:21:40 +0200 Subject: [PATCH] Create system users for FreeIPA services during package installation Previously system users needed by FreeIPA server services were created during ipa-server-install. This led to a problem when DBus policy was configured during package installation but the user specified in the policy didn't exist yet (and potentially similar ones). Now the users will be created in package %pre section so all users freeipa-server package needs exist before any installation or configuration begins. Another possibility would be using systemd-sysusers(8) for this purpose but given that systemd is not available during container build the traditional approach is superior. Also dirsrv and pkiuser users are no longer created by FreeIPA; instead it depends on 389ds and dogtag to create those users. https://pagure.io/freeipa/issue/6743 --- configure.ac | 4 ++- freeipa.spec.in| 21 ipaplatform/base/tasks.py | 53 -- ipaplatform/redhat/tasks.py| 26 --- ipaserver/install/cainstance.py| 12 --- ipaserver/install/dsinstance.py| 11 --- ipaserver/install/httpinstance.py | 13 ipaserver/install/installutils.py | 13 ipaserver/install/ipa_restore.py | 7 ipaserver/install/server/install.py| 6 +--- ipaserver/install/server/replicainstall.py | 6 +--- ipaserver/install/server/upgrade.py| 2 -- server.m4 | 30 + 13 files changed, 56 insertions(+), 148 deletions(-) diff --git a/configure.ac b/configure.ac index 8f8751a..36ecc37 100644 --- a/configure.ac +++ b/configure.ac 
@@ -628,7 +628,9 @@ AM_COND_IF([ENABLE_SERVER], [ krb5rundir: ${krb5rundir} systemdsystemunitdir: ${systemdsystemunitdir} systemdtmpfilesdir: ${systemdtmpfilesdir} -build mode: server & client" +build mode: server & client +ipaapi UID, GID: ${ipaapi_uid}, ${ipaapi_gid} +kdcproxy UID, GID:${kdcproxy_uid}, ${kdcproxy_gid}" ], [ echo "\ build mode: client only" diff --git a/freeipa.spec.in b/freeipa.spec.in index 61e9acd..d53309d 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1024,7 +1024,28 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || : # END fi +# create users and groups +# create kdcproxy group and user preferably with preallocated GID and UID +getent group kdcproxy >/dev/null || groupadd -f -g %{kdcproxy_gid} -r kdcproxy +if ! getent passwd kdcproxy >/dev/null ; then +if ! getent passwd %{kdcproxy_uid} >/dev/null ; then + useradd -r -u %{kdcproxy_uid} -g kdcproxy -s /sbin/nologin -c "IPA KDC Proxy User" kdcproxy +else + useradd -r -g kdcproxy -s /sbin/nologin -c "IPA KDC Proxy User" kdcproxy +fi +fi +# create ipaapi group and user preferably with preallocated GID and UID +getent group ipaapi >/dev/null || groupadd -f -g %{ipaapi_gid} -r ipaapi +if ! getent passwd ipaapi >/dev/null ; then +if ! getent passwd %{ipaapi_uid} >/dev/null ; then + useradd -r -u %{ipaapi_uid} -g ipaapi -s /sbin/nologin -c "IPA Framework User" ipaapi +else + useradd -r -g ipaapi -s /sbin/nologin -c "IPA Framework User" ipaapi +fi +fi +# add apache to ipaaapi group +id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi %postun server-trust-ad if [ "$1" -ge "1" ]; then diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 9f91fef..3358b7d 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py 
@@ -22,9 +22,6 @@ This module contains default platform-specific implementations of system tasks. ''' -import pwd -import grp - from pkg_resources import parse_version from ipaplatform.paths import paths @@ -186,56 +183,6 @@ def set_selinux_booleans(self, required_settings, backup_func=None): raise NotImplementedError() -def create_system_user(self, name, group, homedir, shell, - uid=None, gid=None, comment=None, - create_homedir=False, groups=None): -"""Create a system user with a corresponding group""" -try: -grp.getgrnam(group) -except KeyError: -log.debug('Adding group %s', group) -args = [pat
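Review bot: In the freeipa.spec.in hunk (`@@ -1024,7 +1024,28 @@`), the last added line `id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi` relies on the apache account already existing when this scriptlet runs. If it does not, `id` fails, the `||` branch runs `usermod`, and that fails too as the final command before `%postun server-trust-ad`. Make sure the package that creates apache is ordered before this scriptlet, or guard the line with `getent passwd apache`. The comment above it also misspells the group as "ipaaapi".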
[Freeipa-devel] [freeipa PR#703][+ack] Remove surplus 'the' in output of ipa-adtrust-install
URL: https://github.com/freeipa/freeipa/pull/703 Title: #703: Remove surplus 'the' in output of ipa-adtrust-install Label: +ack
[Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes
URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes abbra commented: """ Ok, so far I cannot build a wheel from git repo on Mac OS X as we have a number of limitations ourselves -- we need to fix our configure to allow just generating enough of `ipasetup.py` and make files to run python wheels code. I'll supply a separate PR for this. """ See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-292927905
[Freeipa-devel] [freeipa PR#703][opened] Remove surplus 'the' in output of ipa-adtrust-install
URL: https://github.com/freeipa/freeipa/pull/703 Author: MartinBasti Title: #703: Remove surplus 'the' in output of ipa-adtrust-install Action: opened PR body: """ Fixing the typo """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/703/head:pr703 git checkout pr703 From 12d901999d7b5a5db341bc855031bbfd3d3a502f Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 10 Apr 2017 13:39:24 +0200 Subject: [PATCH] Remove surplus 'the' in output of ipa-adtrust-install Fixing the typo --- ipaserver/install/adtrust.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py index b0037e0..69eae38 100644 --- a/ipaserver/install/adtrust.py +++ b/ipaserver/install/adtrust.py @@ -226,7 +226,7 @@ def retrieve_and_ask_about_sids(api, options): print("Installer can run a task to have ipa-sidgen " "Directory Server plugin generate") print("the SID identifier for all these users. Please note, " - "the in case of a high") + "in case of a high") print("number of users and groups, the operation might " "lead to high replication") print("traffic and performance degradation. Refer to " -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#697][synchronized] Create system users for FreeIPA services during package installation
URL: https://github.com/freeipa/freeipa/pull/697 Author: dkupka Title: #697: Create system users for FreeIPA services during package installation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/697/head:pr697 git checkout pr697 From bf6c9b375b7b24cdb2b3d1a50286cd189b633c3d Mon Sep 17 00:00:00 2001 From: David Kupka Date: Thu, 6 Apr 2017 12:35:35 +0200 Subject: [PATCH] Create system users for FreeIPA services during package installation Previously system users needed by FreeIPA server services were created during ipa-server-install. This led to a problem when DBus policy was configured during package installation but the user specified in the policy didn't exist yet (and potentially similar ones). Now the users will be created in package %pre section so all users freeipa-server package needs exist before any installation or configuration begins. Another possibility would be using systemd-sysusers(8) for this purpose but given that systemd is not available during container build the traditional approach is superior. Also dirsrv and pkiuser users are no longer created by FreeIPA; instead it depends on 389ds and dogtag to create those users. https://pagure.io/freeipa/issue/6743 --- freeipa.spec.in| 6 ipaplatform/base/tasks.py | 53 -- ipaplatform/redhat/tasks.py| 26 --- ipaserver/install/cainstance.py| 12 --- ipaserver/install/dsinstance.py| 11 --- ipaserver/install/httpinstance.py | 13 ipaserver/install/installutils.py | 13 ipaserver/install/ipa_restore.py | 7 ipaserver/install/server/install.py| 6 +--- ipaserver/install/server/replicainstall.py | 6 +--- ipaserver/install/server/upgrade.py| 2 -- 11 files changed, 8 insertions(+), 147 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 61e9acd..c8dc02c 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -1024,7 +1024,13 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || : # END fi +# create users and groups +getent group kdcproxy >/dev/null || groupadd -r kdcproxy +getent passwd kdcproxy >/dev/null || useradd -r kdcproxy -g kdcproxy -c "IPA KDC Proxy User" +getent group ipaapi >/dev/null || groupadd -r ipaapi +getent passwd ipaapi >/dev/null || useradd -r ipaapi -g ipaapi -c "IPA Framework User" +id -Gn apache | grep '\bipaapi\b' || usermod apache -a -G ipaapi %postun server-trust-ad if [ "$1" -ge "1" ]; then diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 9f91fef..3358b7d 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -22,9 +22,6 @@ This module contains default platform-specific implementations of system tasks. ''' -import pwd -import grp - from pkg_resources import parse_version from ipaplatform.paths import paths 
@@ -186,56 +183,6 @@ def set_selinux_booleans(self, required_settings, backup_func=None): raise NotImplementedError() -def create_system_user(self, name, group, homedir, shell, - uid=None, gid=None, comment=None, - create_homedir=False, groups=None): -"""Create a system user with a corresponding group""" -try: -grp.getgrnam(group) -except KeyError: -log.debug('Adding group %s', group) -args = [paths.GROUPADD, '-r', group] -if gid: -args += ['-g', str(gid)] -try: -ipautil.run(args) -log.debug('Done adding group') -except ipautil.CalledProcessError as e: -log.critical('Failed to add group: %s', e) -raise -else: -log.debug('group %s exists', group) - -try: -pwd.getpwnam(name) -except KeyError: -log.debug('Adding user %s', name) -args = [ -paths.USERADD, -'-g', group, -'-d', homedir, -'-s', shell, -'-r', name, -] -if uid: -args += ['-u', str(uid)] -if comment: -args += ['-c', comment] -if create_homedir: -args += ['-m'] -else: -args += ['-M'] -if groups is not None: -args += ['-G', groups.join(',')] -try: -ipautil.run(args) -log.debug('Done adding user') -except ipautil.CalledProcessError as e: -log.critical('Failed to add user: %s', e) -raise -else: -log.debug('user %s exists', name) - @staticmethod def parse_ipa_version(version): """ diff -
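Review bot: in the freeipa.spec.in hunk, both useradd calls (kdcproxy and ipaapi) pass only -r, -g and -c, so the login shell and home directory come from the host's useradd defaults, whereas the create_system_user() helper removed from ipaplatform/base/tasks.py always passed -d homedir and -s shell. For service accounts I would set both explicitly in the scriptlet (an explicit -d and -s /sbin/nologin), so the accounts are never usable for interactive login regardless of host defaults. In the same hunk, `id -Gn apache | grep '\bipaapi\b'` prints the matching line into the scriptlet output while the getent checks are redirected to /dev/null; `grep -qw ipaapi` would keep it silent.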
[Freeipa-devel] [freeipa PR#682][comment] ipserver/dcerpc: unify error processing
URL: https://github.com/freeipa/freeipa/pull/682
Title: #682: ipserver/dcerpc: unify error processing

pvoborni commented:
"""
A ticket was created for this PR: https://pagure.io/freeipa/issue/6859
"""

See the full comment at https://github.com/freeipa/freeipa/pull/682#issuecomment-292910558
[Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes
URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: ipaclient/ipapython macOS compatibility fixes

abbra commented:
"""
I still need to test the whole set on Mac OS X myself as we have no way to test that in CI. Thus, this PR will depend on me (or someone else from FreeIPA team) to actually test the code on Mac OS X.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-292880002
[Freeipa-devel] [freeipa PR#671][synchronized] Slim down dependencies
URL: https://github.com/freeipa/freeipa/pull/671 Author: tiran Title: #671: Slim down dependencies Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/671/head:pr671 git checkout pr671 From ce8abac5b4f0b8a98b2def8c67c0f853310892f8 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 10 Apr 2017 10:00:23 +0200 Subject: [PATCH 1/2] Correct PyPI package dependencies * Remove unused install requires * Correct dependencies for yubico otptoken * Add explicit dependency on cffi for csrgen * Python 2 uses python-ldap, Python 3 pyldap Signed-off-by: Christian Heimes --- ipaclient/setup.py | 5 ++--- ipapython/setup.py | 6 ++ ipaserver/setup.py | 3 ++- ipasetup.py.in | 16 ipatests/setup.py | 3 ++- 5 files changed, 20 insertions(+), 13 deletions(-) diff --git a/ipaclient/setup.py b/ipaclient/setup.py index f5be7ea..64dc47a 100644 --- a/ipaclient/setup.py +++ b/ipaclient/setup.py @@ -51,18 +51,17 @@ ], }, install_requires=[ +"cffi", "cryptography", "ipalib", "ipapython", "jinja2", -"python-yubico", -"pyusb", "qrcode", "six", ], extras_require={ "install": ["ipaplatform"], -"otptoken_yubikey": ["yubico", "usb"] +"otptoken_yubikey": ["python-yubico", "pyusb"], }, zip_safe=False, ) diff --git a/ipapython/setup.py b/ipapython/setup.py index f4bc3f8..4f71530 100755 --- a/ipapython/setup.py +++ b/ipapython/setup.py @@ -41,16 +41,14 @@ "cryptography", "dnspython", "gssapi", -"jwcrypto", # "ipalib", # circular dependency -"pyldap", "netaddr", "netifaces", -"requests", "six", ], extras_require={ -":python_version<'3'": ["enum34"], +":python_version<'3'": ["enum34", "python-ldap"], +":python_version>='3'": ["pyldap"], "install": ["dbus-python"], # for certmonger }, ) diff --git a/ipaserver/setup.py b/ipaserver/setup.py index 097508f..307e7a8 100755 --- a/ipaserver/setup.py +++ b/ipaserver/setup.py @@ -58,7 +58,6 @@ "lxml", "netaddr", "pyasn1", -"pyldap", "six", ], entry_points={ 
@@ -70,6 +69,8 @@ ], }, extras_require={ +":python_version<'3'": ["python-ldap"], +":python_version>='3'": ["pyldap"], # These packages are currently not available on PyPI. "dcerpc": ["samba", "pysss", "pysss_nss_idmap"], "hbactest": ["pyhbac"], diff --git a/ipasetup.py.in b/ipasetup.py.in index b0a5051..2ad57e2 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in @@ -101,6 +101,7 @@ common_args = dict( "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.5", +"Programming Language :: Python :: 3.6", "Programming Language :: Python :: Implementation :: CPython", "Operating System :: POSIX", "Operating System :: POSIX :: Linux", @@ -138,13 +139,20 @@ def ipasetup(name, doc, **kwargs): cmdclass = setup_kwargs.setdefault('cmdclass', {}) cmdclass['build_py'] = build_py -# Env markers like ":python_version<'3.3'" are not supported by +# Env markers like ":python_version<'3'" are not supported by # setuptools < 18.0. if 'extras_require' in setup_kwargs and SETUPTOOLS_VERSION < (18, 0, 0): for k in list(setup_kwargs['extras_require']): -if k.startswith(':'): -req = setup_kwargs.setdefault('install_requires', []) -req.extend(setup_kwargs['extras_require'].pop(k)) +if not k.startswith(':'): +continue +values = setup_kwargs['extras_require'].pop(k) +req = setup_kwargs.setdefault('install_requires', []) +if k == ":python_version<'3'" and sys.version_info.major == 2: +req.extend(values) +elif k == ":python_version>='3'" and sys.version_info.major >= 3: +req.extend(values) +else: +raise ValueError(k, values) os.chdir(local_path) try: diff --git a/ipatests/setup.py b/ipatests/setup.py index 4c02c79..00b9334 100644 --- a/ipatests/setup.py +++ b/ipatests/setup.py @@ -68,12 +68,13 @@ "ipapython", "nose", "polib", -"pyldap", "pytest", "pytest_multihost", "six", ], extras_require={ +":python_version<'3'": ["python-ldap"], +":python_version>='3'": ["pyldap"],
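Review bot: in the ipasetup.py.in hunk (the setuptools < 18.0 fallback), the new if/elif/else raises ValueError for a known marker whenever it does not apply to the running interpreter. On Python 2 the key ":python_version>='3'" fails both conditions and reaches `raise ValueError(k, values)`, and on Python 3 the same happens for ":python_version<'3'". Since ipapython, ipaserver and ipatests now declare both keys, every build with old setuptools would abort. Match on the key first and test sys.version_info inside that branch, dropping the values when the marker does not apply, and keep the ValueError only for keys that are not recognized.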
[Freeipa-devel] [freeipa PR#702][opened] Correct PyPI package dependencies
URL: https://github.com/freeipa/freeipa/pull/702 Author: tiran Title: #702: Correct PyPI package dependencies Action: opened PR body: """ * Remove unused install requires * Correct dependencies for yubico otptoken * Add explicit dependency on cffi for csrgen * Python 2 uses python-ldap, Python 3 pyldap Signed-off-by: Christian Heimes Needs backport to 4.5 for 4.5.1 PyPI packaging. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/702/head:pr702 git checkout pr702 From ce8abac5b4f0b8a98b2def8c67c0f853310892f8 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 10 Apr 2017 10:00:23 +0200 Subject: [PATCH] Correct PyPI package dependencies * Remove unused install requires * Correct dependencies for yubico otptoken * Add explicit dependency on cffi for csrgen * Python 2 uses python-ldap, Python 3 pyldap Signed-off-by: Christian Heimes --- ipaclient/setup.py | 5 ++--- ipapython/setup.py | 6 ++ ipaserver/setup.py | 3 ++- ipasetup.py.in | 16 ipatests/setup.py | 3 ++- 5 files changed, 20 insertions(+), 13 deletions(-) diff --git a/ipaclient/setup.py b/ipaclient/setup.py index f5be7ea..64dc47a 100644 --- a/ipaclient/setup.py +++ b/ipaclient/setup.py @@ -51,18 +51,17 @@ ], }, install_requires=[ +"cffi", "cryptography", "ipalib", "ipapython", "jinja2", -"python-yubico", -"pyusb", "qrcode", "six", ], extras_require={ "install": ["ipaplatform"], -"otptoken_yubikey": ["yubico", "usb"] +"otptoken_yubikey": ["python-yubico", "pyusb"], }, zip_safe=False, ) diff --git a/ipapython/setup.py b/ipapython/setup.py index f4bc3f8..4f71530 100755 --- a/ipapython/setup.py +++ b/ipapython/setup.py 
@@ -41,16 +41,14 @@ "cryptography", "dnspython", "gssapi", -"jwcrypto", # "ipalib", # circular dependency -"pyldap", "netaddr", "netifaces", -"requests", "six", ], extras_require={ -":python_version<'3'": ["enum34"], +":python_version<'3'": ["enum34", "python-ldap"], +":python_version>='3'": ["pyldap"], "install": ["dbus-python"], # for certmonger }, ) diff --git a/ipaserver/setup.py b/ipaserver/setup.py index 097508f..307e7a8 100755 --- a/ipaserver/setup.py +++ b/ipaserver/setup.py @@ -58,7 +58,6 @@ "lxml", "netaddr", "pyasn1", -"pyldap", "six", ], entry_points={ @@ -70,6 +69,8 @@ ], }, extras_require={ +":python_version<'3'": ["python-ldap"], +":python_version>='3'": ["pyldap"], # These packages are currently not available on PyPI. "dcerpc": ["samba", "pysss", "pysss_nss_idmap"], "hbactest": ["pyhbac"], diff --git a/ipasetup.py.in b/ipasetup.py.in index b0a5051..2ad57e2 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in @@ -101,6 +101,7 @@ common_args = dict( "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.5", +"Programming Language :: Python :: 3.6", "Programming Language :: Python :: Implementation :: CPython", "Operating System :: POSIX", "Operating System :: POSIX :: Linux", 
@@ -138,13 +139,20 @@ def ipasetup(name, doc, **kwargs): cmdclass = setup_kwargs.setdefault('cmdclass', {}) cmdclass['build_py'] = build_py -# Env markers like ":python_version<'3.3'" are not supported by +# Env markers like ":python_version<'3'" are not supported by # setuptools < 18.0. if 'extras_require' in setup_kwargs and SETUPTOOLS_VERSION < (18, 0, 0): for k in list(setup_kwargs['extras_require']): -if k.startswith(':'): -req = setup_kwargs.setdefault('install_requires', []) -req.extend(setup_kwargs['extras_require'].pop(k)) +if not k.startswith(':'): +continue +values = setup_kwargs['extras_require'].pop(k) +req = setup_kwargs.setdefault('install_requires', []) +if k == ":python_version<'3'" and sys.version_info.major == 2: +req.extend(values) +elif k == ":python_version>='3'" and sys.version_info.major >= 3: +req.extend(values) +else: +raise ValueError(k, values) os.chdir(local_path) try: diff --git a/ipatests/setup.py b/ipatests/setup.py index 4c02c79..00b9334 100644 --- a/ipatests/setup.py +++ b/ipatests/setup.py @@ -68,12 +68,13 @@ "ipapython", "nose",
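Review bot: in the ipaclient/setup.py hunk, python-yubico and pyusb leave install_requires and remain only under the otptoken_yubikey extra, so a plain install of ipaclient no longer brings in YubiKey support. The commit message's "Correct dependencies for yubico otptoken" does not say that; please state that users of that plugin now need ipaclient[otptoken_yubikey]. It is also worth recording there that the old extra listed "yubico" and "usb", which are not the distribution names python-yubico and pyusb used in install_requires, so anyone who installed the extra before got whatever those names resolve to on the index.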
[Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages
URL: https://github.com/freeipa/freeipa/pull/618 Author: tiran Title: #618: Tox testing support for client wheel packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/618/head:pr618 git checkout pr618 From 5aef9ff020a241162145fc4c3113774cf5e5faf5 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 17 Nov 2016 16:43:17 +0100 Subject: [PATCH] tox testing support for client wheel packages Add tox infrastructure to test client wheel packages workflow: * build client packages * install client packages * ipa-run-tests --ipaclient-unittests under Python 2 and 3 * pylint of client packages under Python 2 and 3 * placeholder packages work as expected Signed-off-by: Christian Heimes --- .gitignore | 2 ++ .tox-install.sh | 94 Makefile.am | 22 +--- configure.ac | 1 + ipatests/conftest.py | 4 ++- pypi/test_placeholder.py | 47 tox.ini | 56 + 7 files changed, 220 insertions(+), 6 deletions(-) create mode 100755 .tox-install.sh create mode 100644 pypi/test_placeholder.py create mode 100644 tox.ini diff --git a/.gitignore b/.gitignore index 8941fd8..8b57dbc 100644 --- a/.gitignore +++ b/.gitignore @@ -61,6 +61,8 @@ freeipa2-dev-doc # Root directory /freeipa.spec /dist/ +/.tox/ +/.cache/ /*/dist/ /RELEASE /rpmbuild/ diff --git a/.tox-install.sh b/.tox-install.sh new file mode 100755 index 000..8f9d221 --- /dev/null +++ b/.tox-install.sh 
@@ -0,0 +1,94 @@ +#!/bin/bash +set -ex + +FLAVOR="$1" +ENVPYTHON="$2" +ENVSITEPACKAGESDIR="$3" +# 3...end are package requirements +shift 3 + +TOXINIDIR="$(cd "$(dirname "$0")" && pwd)" + +# sanity checks +if [ ! -x "${ENVPYTHON}" ]; then +echo "${ENVPYTHON}: no such executable" +exit 1 +fi + +if [ ! -d "${ENVSITEPACKAGESDIR}" ]; then +echo "${ENVSITEPACKAGESDIR}: no such directory" +exit 2 +fi + +if [ ! -f "${TOXINIDIR}/tox.ini" ]; then +echo "${TOXINIDIR}: no such directory" +exit 3 +fi + +# https://pip.pypa.io/en/stable/user_guide/#environment-variables +export PIP_CACHE_DIR="${TOXINIDIR}/.tox/cache" +mkdir -p "${PIP_CACHE_DIR}" + +DISTBUNDLE="${TOXINIDIR}/dist/bundle" +mkdir -p "${DISTBUNDLE}" + +DISTPYPI="${TOXINIDIR}/dist/pypi" +mkdir -p "${DISTPYPI}" + +# create configure +pushd "${TOXINIDIR}" +if [ ! -f "configure" ]; then +autoreconf -i -f +fi +# (re)create Makefile +./configure --disable-server +popd + +case $FLAVOR in +wheel_bundle) +# copy pylint plugin +cp "${TOXINIDIR}/pylint_plugins.py" "${ENVSITEPACKAGESDIR}" + +# build packages and bundles +make -C "${TOXINIDIR}" \ +wheel_bundle \ +PYTHON="${ENVPYTHON}" \ +IPA_EXTRA_WHEELS="$*" + +# chdir to prevent local .egg-info from messing up pip +pushd "${ENVSITEPACKAGESDIR}" + +# Install packages with dist/bundle/ as extra source for wheels while ignoring +# upstream Python Package Index. +$ENVPYTHON -m pip install \ +--no-index \ +--disable-pip-version-check \ +--constraint "${TOXINIDIR}/.wheelconstraints" \ +--find-links "${DISTBUNDLE}" \ +$@ + +popd +;; +pypi_packages) +# build packages and bundles +make -C "${TOXINIDIR}" \ +pypi_packages \ +PYTHON="${ENVPYTHON}" + +# chdir to prevent local .egg-info from messing up pip +pushd "${ENVSITEPACKAGESDIR}" + +# Install packages from dist/pypi +$ENVPYTHON -m pip install \ +--disable-pip-version-check \ +--constraint "${TOXINIDIR}/.wheelconstraints" \ +--find-links "${DISTPYPI}" \ +$@ + +popd +;; +*) +echo "Unknown install flavor $FLAVOR" +exit 1 +;; +esac 
diff --git a/Makefile.am b/Makefile.am index 1989b19..7608dfa 100644 --- a/Makefile.am +++ b/Makefile.am @@ -57,6 +57,7 @@ EXTRA_DIST = .mailmap \ clean-local: rm -rf "$(RPMBUILD)" rm -rf "$(top_builddir)/dist" + rm -rf "$(top_builddir)/.tox" rm -rf "$(top_srcdir)/__pycache__" rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz @@ -212,6 +213,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py -path './freeipa-*' -prune -o \ -path './dist' -prune -o \ -path './pypi' -prune -o \ + -path './.tox' -prune -o \ -name '.*' -o \ -name '*.in' -o \ -name '*~' -o \ @@ -254,6 +256,7 @@ endif # WITH_JSLINT .PHONY: bdist_wheel wheel_bundle wheel_placeholder pypi_packages WHEELDISTDIR = $(top_builddir)/dist/wheels +WHEELPYPIDIR = $(top_builddir)/dist/pypi WHEELBUNDLEDIR = $(top_builddir)/dist/bundle @MK_IFEQ@ ($(IPA_SERVER_WHEELS),1) @@ -273,6 +276,9 @@ $(WHEELDISTDIR): $(WHEELBUNDLEDIR): mkdir -p $(WHEELBUNDLEDIR) +$(WHEELPYPIDIR): + mkdir -p $(WHEELPYPIDIR) + bdist_wheel: $(WHEELDISTDIR) rm -f $(foreach item,$(IPA_WHEEL_PACKAGES) ipatests,$(WHEELDISTDIR)/$(item)-*.whl)
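Review bot: in the .tox-install.sh hunk, the pypi_packages branch runs pip install with --find-links "${DISTPYPI}" but without --no-index, unlike the wheel_bundle branch, so the comment "Install packages from dist/pypi" does not describe what happens: pip also consults the upstream index, and a same-named package there can be chosen over the locally built one. If the index is needed for third-party dependencies, say so in the comment and make sure .wheelconstraints pins the ipa* packages to the locally built version; otherwise add --no-index. In both pip invocations `$@` and `$ENVPYTHON` should also be quoted ("$@", "${ENVPYTHON}"), as the sanity checks at the top of the script already do.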
[Freeipa-devel] [bind-dyndb-ldap PR#16][comment] spec: remove unnecessary bind-pkcs11 dependency
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/16
Title: #16: spec: remove unnecessary bind-pkcs11 dependency

MartinBasti commented:
"""
@lslebodn `bind-pkcs11` requires `bind` package
"""

See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/16#issuecomment-292868635
[Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes
URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: ipaclient/ipapython macOS compatibility fixes

tiran commented:
"""
No, we don't need to sync the directory. These are cache files. It's only important that we don't have half-written cache files on disk. A missing cache file is fine.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-292865960