[Freeipa-devel] [freeipa PR#782][comment] [WIP] Improving GUI text in "Add DNS Zones" popup
URL: https://github.com/freeipa/freeipa/pull/782
Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup

pvomacka commented:
"""
Sorry, I haven't refreshed the page so I didn't see @pvoborni's comment before I sent mine.

The suggestion which Petr wrote into Bugzilla should be discussed with @MartinBasti and, if I recall correctly, he did not recommend it from the point of view of DNS.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/782#issuecomment-301117428

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#782][comment] [WIP] Improving GUI text in "Add DNS Zones" popup
URL: https://github.com/freeipa/freeipa/pull/782
Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup

pvomacka commented:
"""
Hello @felipevolpone,

Thank you for your patch.

For adding arbitrary text into a dialog or details page, IPA.html_widget is probably the most suitable (but it has a big disadvantage, described below in section A). You can put it into the section you created. It might look like this:

```
{
    name: 'dnszone_title',
    show_header: false,
    fields: [
        {
            field: false,
            $type: 'html',
            name: 'info',
            html: "Select the required zone type."
        }
    ],
    layout: {
        $factory: IPA.fluid_layout,
        widget_cls: "col-sm-12 controls",
        label_cls: "hide"
    }
},
```

The layout attribute of the section might not be needed, but I would say that here it is good to add it. It hides the label of the field and sets the width of the field to 100% of the dialog. (Simpler solutions below: B and C.)

A) The html attribute contains the text which will be displayed. The text there should be taken from translatable strings. It can be done by using `text.get('i18n:path.to.the.string')` and writing the string into ipaserver/internal.py. The main challenge here might be to find a place where the string has to be loaded. It has to be done before building the whole dialog and its sections. You will probably need to override the `dialog_build_properites` attribute of the entity specification and there change the `$post_ops` operation, which is where the function which builds the adder dialog for the entity is (add the loading of the translated string there).

B) (not tested) Another solution would be to set a text field instead of an html one, turn off the field in the same way as above and then set it non-writable and read_only. Then hide the label, and there `text.get()` should work directly in the field definition. (It should not be needed to change the behavior of building the entity's adder dialog.)

C) Another solution would be to create a new widget which works in the same way as `IPA.html_widget` but supports translatable strings.

If you have any question feel free to ask. :)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/782#issuecomment-301113031
[Freeipa-devel] [freeipa PR#785][opened] otptoken-add-yubikey: When --digits not provided use default value
URL: https://github.com/freeipa/freeipa/pull/785 Author: dkupka Title: #785: otptoken-add-yubikey: When --digits not provided use default value Action: opened PR body: """ Since Thin client was introduced default values for options are not populated in client side plugins. When option has default value and is needed in client plugin it must be handled by explicitly. https://pagure.io/freeipa/issue/6900 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/785/head:pr785 git checkout pr785 From 0e07bce2d1d57713816821235c9a2b3a9c270e4c Mon Sep 17 00:00:00 2001 From: David KupkaDate: Fri, 12 May 2017 17:17:05 +0200 Subject: [PATCH] otptoken-add-yubikey: When --digits not provided use default value Since Thin client was introduced default values for options are not populated in client side plugins. When option has default value and is needed in client plugin it must be handled by explicitly. https://pagure.io/freeipa/issue/6900 --- ipaclient/plugins/otptoken_yubikey.py | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ipaclient/plugins/otptoken_yubikey.py b/ipaclient/plugins/otptoken_yubikey.py index 9993ec8..60b73a7 100644 --- a/ipaclient/plugins/otptoken_yubikey.py +++ b/ipaclient/plugins/otptoken_yubikey.py @@ -147,7 +147,10 @@ def forward(self, *args, **kwargs): # Write the config. cfg = yk.init_config() -cfg.mode_oath_hotp(key, kwargs['ipatokenotpdigits']) +cfg.mode_oath_hotp(key, kwargs.get( +'ipatokenotpdigits', +self.get_default_of('ipatokenotpdigits') +)) cfg.extended_flag('SERIAL_API_VISIBLE', True) yk.write_config(cfg, slot=kwargs['slot']) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
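Review bot: `kwargs.get('ipatokenotpdigits', self.get_default_of('ipatokenotpdigits'))` only falls back to the default when the key is absent from `kwargs`; if the framework can pass the option present but set to `None`, `.get()` returns `None` and `cfg.mode_oath_hotp()` receives it. An explicit check, e.g. `digits = kwargs.get('ipatokenotpdigits')` followed by `if digits is None: digits = self.get_default_of('ipatokenotpdigits')`, covers both cases and also avoids evaluating the default eagerly when the option was supplied. A one-line comment stating why the default must be applied here (thin-client plugins do not get defaults populated, as the commit message explains) would help the next reader.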
Re: [Freeipa-devel] [WIKI DRAFT] Files to be attached to bug reports
On 05/12/2017 10:42 AM, Martin Bašti wrote:
> Hello all,
>
> I created a wiki page that should help people to provide the right logs
> for investigation depending on an issue.
>
> https://www.freeipa.org/page/Files_to_be_attached_to_bug_report
>
> Feel free to fix errors, update sections, add new sections or provide
> feedback. Once this page is polished I will link it to the wiki in the right
> places.
>
> Martin^2

Thanks for the page, it's a great idea!

I suggest we use the '-r' option for all journalctl logs. On a running server, the journal can be quite long and someone might post an old/unrelated error by accident. Using '-r' will ensure the user will see the most recent and relevant log output.

-- 
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password
URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001 From: Tomas KrizekDate: Wed, 3 May 2017 10:05:25 +0200 Subject: [PATCH 1/3] ca install: merge duplicated code for DM password Extract copy-pasted code to a single function. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- install/tools/ipa-ca-install | 40 +--- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 60261aa..da6e5c3 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -116,9 +116,19 @@ def parse_options(): return safe_options, options, filename -def get_dirman_password(): -return installutils.read_password( -"Directory Manager (existing master)", confirm=False, validate=False) +def _get_dirman_password(password=None, unattended=False): +if not password: +if unattended: +sys.exit('Directory Manager password required') +try: +password = installutils.read_password( +"Directory Manager (existing master)", confirm=False, +validate=False) +except KeyboardInterrupt: +sys.exit(0) +if password is None: +sys.exit("Directory Manager password required") +return password def install_replica(safe_options, options, filename): 
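Review bot: `_get_dirman_password()` still calls `installutils.read_password(..., validate=False)`, so this hunk only consolidates the prompt; the LDAP validator added later in this series is not wired in here, and a docstring stating what the function returns and under which conditions it calls `sys.exit()` would make that explicit. Minor: the two exit messages are the same text with different quoting (`'Directory Manager password required'` vs `"Directory Manager password required"`); a single constant keeps them in sync. Exiting with status 0 on `KeyboardInterrupt` is carried over from the old code, but a non-zero status would let wrapper scripts notice that the installer was aborted rather than completed.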
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename): check_creds(options, api.env.realm) # get the directory manager password -dirman_password = options.password -if not dirman_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dirman_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dirman_password is None: -sys.exit("Directory Manager password required") +dirman_password = _get_dirman_password( +options.password, options.unattended) if (not options.promote and not options.admin_password and not options.skip_conncheck and options.unattended): @@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename): def install_master(safe_options, options): -dm_password = options.password -if not dm_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dm_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dm_password is None: -sys.exit("Directory Manager password required") +dm_password = _get_dirman_password( +options.password, options.unattended) options.realm_name = api.env.realm options.domain_name = api.env.domain From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 3 May 2017 10:01:09 +0200 Subject: [PATCH 2/3] installutils: add DM password validator Add a validator that checks whether provided Directory Manager is valid by attempting to connect to LDAP. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- ipaserver/install/installutils.py | 16 1 file changed, 16 insertions(+) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 9230e70..b6f0148 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -50,6 +50,7 @@ from ipapython import ipautil, admintool, version from ipapython.admintool import ScriptError from ipapython.ipa_log_manager import root_logger +from ipapython.ipaldap import DIRMAN_DN, LDAPClient from ipalib.util import validate_hostname from ipalib import api, errors, x509 from ipapython.dn import DN @@ -329,6 +330,21 @@ def _read_password_default_validator(password): if len(password) < 8: raise ValueError("Password must be at least 8 characters long") + +def validate_dm_password_ldap(password): +""" +Validate DM password by attempting to connect to LDAP. api.env has to +contain valid ldap_uri. +""" +client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT) +try: +client.simple_bind(DIRMAN_DN, password) +except errors.ACIError: +raise ValueError("Invalid Directory Manager password") +else: +client.unbind() + + def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator): correct = False pwd = None From
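Review bot: `validate_dm_password_ldap()` treats only `errors.ACIError` as a wrong password; any other failure of `LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT)` or `client.simple_bind()` (server unreachable, CA file missing or untrusted, another LDAP error) propagates out of the validator, and when the function is used as the `validator` of `read_password()` the prompt loop ends in a traceback instead of a message. Consider catching those cases and raising `ValueError` with a distinct text so the user can tell "wrong password" from "cannot reach LDAP". Two things to confirm: `paths` is used but the import hunk adds only `DIRMAN_DN, LDAPClient`, so check it is already imported in this module; and that binding with `cacert` against `api.env.ldap_uri` always yields a TLS-protected connection, since this function sends the Directory Manager password on every attempt.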
[Freeipa-devel] [freeipa PR#783][edited] Provide useful messages during cert validation
URL: https://github.com/freeipa/freeipa/pull/783
Author: stlaz
Title: #783: Provide useful messages during cert validation
Action: edited
Changed field: body
Original value:
"""
When the certificate verification was replaced, some error messages were omitted (like "Peer's certificate expired."). Bring these back.
"""
[Freeipa-devel] [freeipa PR#783][edited] Provide useful messages during cert verification
URL: https://github.com/freeipa/freeipa/pull/783
Author: stlaz
Title: #783: Provide useful messages during cert verification
Action: edited
Changed field: title
Original value:
"""
Provide useful messages during cert verification
"""
[Freeipa-devel] [freeipa PR#783][synchronized] Provide useful messages during cert verification
URL: https://github.com/freeipa/freeipa/pull/783 Author: stlaz Title: #783: Provide useful messages during cert verification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/783/head:pr783 git checkout pr783 From 3c56e3d293f1ab872dddb185b368177e34796d97 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Fri, 12 May 2017 10:41:08 +0200 Subject: [PATCH] Provide useful messages during cert validation When the certificate validation was replaced, some error messages were omitted (like "Peer's certificate expired."). Bring these back. https://pagure.io/freeipa/issue/6945 --- ipapython/certdb.py | 26 -- ipatests/test_integration/test_caless.py | 32 ++-- 2 files changed, 34 insertions(+), 24 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 4d7f6e7..b86a705 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -52,6 +52,8 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt") +BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.' + def get_ca_nickname(realm, format=CA_NICKNAME_FMT): return format % realm @@ -547,9 +549,15 @@ def verify_server_cert_validity(self, nickname, hostname): cert = x509.load_certificate(cert, x509.DER) try: -self.run_certutil(['-V', '-n', nickname, '-u', 'V']) -except ipautil.CalledProcessError: -raise ValueError('invalid for a SSL server') +self.run_certutil(['-V', '-n', nickname, '-u', 'V'], + capture_output=True) +except ipautil.CalledProcessError as e: +# certutil output in case of error is +# 'certutil: certificate is invalid: \n' +msg = e.output.split(': ')[2].strip() +if msg == BAD_USAGE_ERR: +msg = 'invalid for a SSL server.' +raise ValueError(msg) try: x509.match_hostname(cert, hostname) 
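Review bot: `msg = e.output.split(': ')[2].strip()` is fragile: it assumes certutil's output has exactly the shape `certutil: certificate is invalid: <reason>` and that the reason itself contains no `': '`; a reason with an embedded `': '` is truncated to its first part, and output with fewer segments raises `IndexError` from inside the `except` block, hiding the original `CalledProcessError`. `e.output.split(': ', 2)[-1].strip()` (or `str.partition`) keeps the whole reason and never indexes out of range, and falling back to the generic `'invalid for a SSL server.'` when the output does not match the expected prefix would be safer still. The comment above the parse reads `'certutil: certificate is invalid: \n'` with nothing after the last colon; if a placeholder such as `<msg>` was intended, it is missing. Comparing against the exact string `BAD_USAGE_ERR` also ties the code to one certutil wording; a comment noting which NSS version it was taken from would help when it changes.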
@@ -573,6 +581,12 @@ def verify_ca_cert_validity(self, nickname): raise ValueError("not a CA certificate") try: -self.run_certutil(['-V', '-n', nickname, '-u', 'L']) -except ipautil.CalledProcessError: -raise ValueError('invalid for a CA') +self.run_certutil(['-V', '-n', nickname, '-u', 'L'], + capture_output=True) +except ipautil.CalledProcessError as e: +# certutil output in case of error is +# 'certutil: certificate is invalid: \n' +msg = e.output.split(': ')[2].strip() +if msg == BAD_USAGE_ERR: +msg = 'invalid for a CA.' +raise ValueError(msg) diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index d7692ec..62ebba3 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py @@ -38,6 +38,8 @@ assert_error = tasks.assert_error +CERT_EXPIRED_MSG = "Peer's Certificate has expired." + def get_install_stdin(cert_passwords=()): lines = [ @@ -495,9 +497,8 @@ def test_expired_http(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in http.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in http.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) @server_install_teardown def test_expired_ds(self): @@ -511,9 +512,8 @@ def test_expired_ds(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in dirsrv.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in dirsrv.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) @server_install_teardown def test_http_bad_usage(self): 
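Review bot: the parsing block in `verify_ca_cert_validity()` duplicates the one in `verify_server_cert_validity()` line for line except for the fallback text; a small helper taking the `CalledProcessError` and the fallback message (`'invalid for a SSL server.'` / `'invalid for a CA.'`) would keep both paths in sync when the certutil format changes. In the test hunks, `CERT_EXPIRED_MSG` drops the `(SEC_ERROR_EXPIRED_CERTIFICATE)` prefix that the old assertions matched, so the tests now depend on certutil's human-readable text rather than on the NSS error code; a comment next to the constant saying which certutil output it mirrors would document that dependency.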
@@ -884,9 +884,8 @@ def test_expired_http(self): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in http.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in http.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) @replica_install_teardown
[Freeipa-devel] [freeipa PR#782][comment] [WIP] Improving GUI text in "Add DNS Zones" popup
URL: https://github.com/freeipa/freeipa/pull/782
Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup

pvoborni commented:
"""
I'm not completely sure that the approach suggested in the bug report is correct. That is why I suggested an alternative in https://bugzilla.redhat.com/show_bug.cgi?id=1419834#c2

So before implementing it, a small conversation could have happened to agree on the approach.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/782#issuecomment-301081271
[Freeipa-devel] [freeipa PR#778][+ack] ipaclient: fix missing RPM ownership
URL: https://github.com/freeipa/freeipa/pull/778
Title: #778: ipaclient: fix missing RPM ownership
Label: +ack
[Freeipa-devel] [freeipa PR#784][opened] ipa-replica-manage del (dl 0): remove server from defaultServerList
URL: https://github.com/freeipa/freeipa/pull/784 Author: flo-renaud Title: #784: ipa-replica-manage del (dl 0): remove server from defaultServerList Action: opened PR body: """ ipa-replica-manage del should remove the server from the entry cn=default,ou=profile,$BASE The entry contains an attribute defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com The code calls srvlist = ret.single_value.get('defaultServerList') which means that srvlist contains a single value (string) containing all the servers separated by a space, and not a list of attribute values. Because of that, srvlist[0] corresponds to the first character of the value. The fix splits srvlist and not srvlist[0]. https://pagure.io/freeipa/issue/6946 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/784/head:pr784 git checkout pr784 From 8f98b3eb08c2f7994017459c7bb3f9eeb9f50cd2 Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Fri, 12 May 2017 09:54:40 +0200 Subject: [PATCH] ipa-replica-manage del (dl 0): remove server from defaultServerList ipa-replica-manage del should remove the server from the entry cn=default,ou=profile,$BASE The entry contains an attribute defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com The code calls srvlist = ret.single_value.get('defaultServerList') which means that srvlist contains a single value (string) containing all the servers separated by a space, and not a list of attribute values. Because of that, srvlist[0] corresponds to the first character of the value. The fix splits srvlist and not srvlist[0]. https://pagure.io/freeipa/issue/6946 --- ipaserver/install/replication.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 3cd871e..f3bae53 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py 
@@ -1336,12 +1336,12 @@ def replica_cleanup(self, replica, realm, force=False): dn = DN(('cn', 'default'), ('ou', 'profile'), self.suffix) ret = self.conn.get_entry(dn) srvlist = ret.single_value.get('defaultServerList', '') -srvlist = srvlist[0].split() +srvlist = srvlist.split() if replica in srvlist: srvlist.remove(replica) attr = ' '.join(srvlist) -mod = [(ldap.MOD_REPLACE, 'defaultServerList', attr)] -self.conn.modify_s(dn, mod) +ret['defaultServerList'] = attr +self.conn.update_entry(ret) except errors.NotFound: pass except ldap.NO_SUCH_ATTRIBUTE: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
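Review bot: when the removed server was the last entry, `' '.join(srvlist)` yields `''` and `ret['defaultServerList'] = ''` writes an empty attribute value, which the directory server may reject; the surviving `except ldap.NO_SUCH_ATTRIBUTE:` handler suggests the attribute can legitimately be absent, so deleting it (`del ret['defaultServerList']`) when the list becomes empty is the cleaner outcome. With `modify_s` replaced by `update_entry()` and the read now using `single_value.get('defaultServerList', '')`, check whether the `ldap.NO_SUCH_ATTRIBUTE` branch can still be reached at all, and drop it if not.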
[Freeipa-devel] [freeipa PR#783][synchronized] Provide useful messages during cert verification
URL: https://github.com/freeipa/freeipa/pull/783 Author: stlaz Title: #783: Provide useful messages during cert verification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/783/head:pr783 git checkout pr783 From a811c5fb7d1ee68c8f987e1ca228af58326f9a3a Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Fri, 12 May 2017 10:41:08 +0200 Subject: [PATCH] Provide useful messages during cert verification When the certificate verification was replaced, some error messages were omitted (like "Peer's certificate expired."). Bring these back. https://pagure.io/freeipa/issue/6945 --- ipapython/certdb.py | 26 -- ipatests/test_integration/test_caless.py | 32 ++-- 2 files changed, 34 insertions(+), 24 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 4d7f6e7..b86a705 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -52,6 +52,8 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt") +BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.' + def get_ca_nickname(realm, format=CA_NICKNAME_FMT): return format % realm @@ -547,9 +549,15 @@ def verify_server_cert_validity(self, nickname, hostname): cert = x509.load_certificate(cert, x509.DER) try: -self.run_certutil(['-V', '-n', nickname, '-u', 'V']) -except ipautil.CalledProcessError: -raise ValueError('invalid for a SSL server') +self.run_certutil(['-V', '-n', nickname, '-u', 'V'], + capture_output=True) +except ipautil.CalledProcessError as e: +# certutil output in case of error is +# 'certutil: certificate is invalid: \n' +msg = e.output.split(': ')[2].strip() +if msg == BAD_USAGE_ERR: +msg = 'invalid for a SSL server.' +raise ValueError(msg) try: x509.match_hostname(cert, hostname) 
@@ -573,6 +581,12 @@ def verify_ca_cert_validity(self, nickname): raise ValueError("not a CA certificate") try: -self.run_certutil(['-V', '-n', nickname, '-u', 'L']) -except ipautil.CalledProcessError: -raise ValueError('invalid for a CA') +self.run_certutil(['-V', '-n', nickname, '-u', 'L'], + capture_output=True) +except ipautil.CalledProcessError as e: +# certutil output in case of error is +# 'certutil: certificate is invalid: \n' +msg = e.output.split(': ')[2].strip() +if msg == BAD_USAGE_ERR: +msg = 'invalid for a CA.' +raise ValueError(msg) diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index d7692ec..62ebba3 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py @@ -38,6 +38,8 @@ assert_error = tasks.assert_error +CERT_EXPIRED_MSG = "Peer's Certificate has expired." + def get_install_stdin(cert_passwords=()): lines = [ @@ -495,9 +497,8 @@ def test_expired_http(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in http.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in http.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) @server_install_teardown def test_expired_ds(self): @@ -511,9 +512,8 @@ def test_expired_ds(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in dirsrv.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in dirsrv.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) @server_install_teardown def test_http_bad_usage(self): 
@@ -884,9 +884,8 @@ def test_expired_http(self): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in http.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in http.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG))
[Freeipa-devel] [freeipa PR#757][comment] ca, kra install: validate DM password
URL: https://github.com/freeipa/freeipa/pull/757
Title: #757: ca, kra install: validate DM password

stlaz commented:
"""
You forgot an import in ipa-ca-install:
```
* Module ipa-ca-install
install/tools/ipa-ca-install:37: [W0611(unused-import), ] Unused ScriptError imported from ipapython.admintool)
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/757#issuecomment-301058163
Re: [Freeipa-devel] Don't work with Pagure right now
On 05/12/2017 08:36 AM, Standa Laznicka wrote:
> Hello,
>
> This morning I found out that "https://pagure.io/freeipa/" resolves to a different project, originally https://pagure.io/freeIPA/. I pointed the problem to the developer of the system, we'll see what he can do about it, but for now, we're missing about 200 issues.
>
> Please, don't open any new issues, as that's just pointless and would only cause us problems as these would need to be merged back to our project (should it be recoverable, which I hope it should).
>
> Luckily enough, `git clone https://g...@pagure.io/freeipa.git` seemed to have resolved to the correct repo so our git repos should hopefully not be affected.
>
> Sorry for the inconvenience,
> Standa

Hopefully everything is back on track now.
[Freeipa-devel] [freeipa PR#728][+ack] ipa-cacert-manage: add --external-ca-type
URL: https://github.com/freeipa/freeipa/pull/728
Title: #728: ipa-cacert-manage: add --external-ca-type
Label: +ack
[Freeipa-devel] [freeipa PR#728][comment] ipa-cacert-manage: add --external-ca-type
URL: https://github.com/freeipa/freeipa/pull/728
Title: #728: ipa-cacert-manage: add --external-ca-type

dkupka commented:
"""
Works for me.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/728#issuecomment-301046744
[Freeipa-devel] [freeipa PR#728][comment] ipa-cacert-manage: add --external-ca-type
URL: https://github.com/freeipa/freeipa/pull/728
Title: #728: ipa-cacert-manage: add --external-ca-type

stlaz commented:
"""
LGTM
"""

See the full comment at https://github.com/freeipa/freeipa/pull/728#issuecomment-301043646
[Freeipa-devel] [freeipa PR#783][opened] Provide useful messages during cert verification
URL: https://github.com/freeipa/freeipa/pull/783 Author: stlaz Title: #783: Provide useful messages during cert verification Action: opened PR body: """ When the certificate verification was replaced, some error messages were omitted (like "Peer's certificate expired."). Bring these back. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/783/head:pr783 git checkout pr783 From 159ed99baebf29fcd928e5fdbc27036564243414 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Fri, 12 May 2017 10:41:08 +0200 Subject: [PATCH] Provide useful messages during cert verification When the certificate verification was replaced, some error messages were omitted (like "Peer's certificate expired."). Bring these back. --- ipapython/certdb.py | 26 -- ipatests/test_integration/test_caless.py | 32 ++-- 2 files changed, 34 insertions(+), 24 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 4d7f6e7..b86a705 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -52,6 +52,8 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt") +BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.' + def get_ca_nickname(realm, format=CA_NICKNAME_FMT): return format % realm @@ -547,9 +549,15 @@ def verify_server_cert_validity(self, nickname, hostname): cert = x509.load_certificate(cert, x509.DER) try: -self.run_certutil(['-V', '-n', nickname, '-u', 'V']) -except ipautil.CalledProcessError: -raise ValueError('invalid for a SSL server') +self.run_certutil(['-V', '-n', nickname, '-u', 'V'], + capture_output=True) +except ipautil.CalledProcessError as e: +# certutil output in case of error is +# 'certutil: certificate is invalid: \n' +msg = e.output.split(': ')[2].strip() +if msg == BAD_USAGE_ERR: +msg = 'invalid for a SSL server.' +raise ValueError(msg) try: x509.match_hostname(cert, hostname) 
@@ -573,6 +581,12 @@ def verify_ca_cert_validity(self, nickname): raise ValueError("not a CA certificate") try: -self.run_certutil(['-V', '-n', nickname, '-u', 'L']) -except ipautil.CalledProcessError: -raise ValueError('invalid for a CA') +self.run_certutil(['-V', '-n', nickname, '-u', 'L'], + capture_output=True) +except ipautil.CalledProcessError as e: +# certutil output in case of error is +# 'certutil: certificate is invalid: \n' +msg = e.output.split(': ')[2].strip() +if msg == BAD_USAGE_ERR: +msg = 'invalid for a CA.' +raise ValueError(msg) diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index d7692ec..62ebba3 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py @@ -38,6 +38,8 @@ assert_error = tasks.assert_error +CERT_EXPIRED_MSG = "Peer's Certificate has expired." + def get_install_stdin(cert_passwords=()): lines = [ @@ -495,9 +497,8 @@ def test_expired_http(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in http.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in http.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) @server_install_teardown def test_expired_ds(self): @@ -511,9 +512,8 @@ def test_expired_ds(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in dirsrv.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in dirsrv.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) @server_install_teardown def test_http_bad_usage(self): 
@@ -884,9 +884,8 @@ def test_expired_http(self): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in http.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in
[Freeipa-devel] [WIKI DRAFT] Files to be attached to bug reports
Hello all,

I created a wiki page that should help people to provide the right logs for investigation depending on an issue.

https://www.freeipa.org/page/Files_to_be_attached_to_bug_report

Feel free to fix errors, update sections, add new sections or provide feedback. Once this page is polished I will link it to the wiki in the right places.

Martin^2

-- 
Martin Bašti
Software Engineer
Red Hat Czech
[Freeipa-devel] Don't work with Pagure right now
Hello,

This morning I found out that "https://pagure.io/freeipa/" resolves to a different project, originally https://pagure.io/freeIPA/. I pointed the problem to the developer of the system, we'll see what he can do about it, but for now, we're missing about 200 issues.

Please, don't open any new issues, as that's just pointless and would only cause us problems as these would need to be merged back to our project (should it be recoverable, which I hope it should).

Luckily enough, `git clone https://g...@pagure.io/freeipa.git` seemed to have resolved to the correct repo so our git repos should hopefully not be affected.

Sorry for the inconvenience,
Standa