Re: [Freeipa-devel] [PATCH] 434 fix ipa-join segfault
On Wed, 2010-05-05 at 11:14 -0400, Rob Crittenden wrote:

I set MALLOC_PERTURB_ and ipa-join generated a segfault. This was caused by some uninitialized XML-RPC structures. This patch should fix it up. I also re-arrange some code around determining the server. I got a bit overzealous in my previous attempt to not spew bogus error messages when we don't need to read /etc/ipa/default.conf.

rob

ack. pushed to master.

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 435 more client install/uninstall fixes
On Wed, 2010-05-05 at 14:57 -0400, Rob Crittenden wrote:

Lots of small fixes in the client installer/uninstaller to make it work nicer (or at all):

- Move the ipa-getcert request to after we set up /etc/krb5.conf
- Don't try removing certificates that don't exist
- Don't tell certmonger to stop tracking a cert that doesn't exist
- Allow --password/-w to be the kerberos password
- Print an error if prompting for a password would happen in unattended mode
- Still support echoing a password in when in unattended mode

rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 437 detect client installation
On Thu, 2010-05-06 at 16:51 -0400, Rob Crittenden wrote:

Detect if the IPA client is already configured and bail if it is. This should help prevent problems, particularly with certmonger. It will refuse to generate a new CSR for a certificate it is already tracking (and this is a good thing). So if you configure the client, then configure the client again bad things could happen, don't allow it.

If things ever got out-of-sync a user could always remove /var/lib/ipa-client/sysrestore/* to be able to install again.

rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 436 make service/chkconfig more fault tolerant
On Thu, 2010-05-06 at 15:39 -0400, Rob Crittenden wrote:

If we try to use service/chkconfig in the client installer on a service that doesn't exist then it would throw lots of bogus errors. This is an attempt to be a little smarter about it.

rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 431 better CSR header handling
On Mon, 2010-05-03 at 17:41 -0400, Rob Crittenden wrote:

Properly handle CSRs whether they have NEW in the header block or not. The code was looking for headers without NEW in it but in that case would cut the first 4 characters of the request off, causing decoding to fail. I also consolidate some duplicate code.

rob

ack. pushed to master.
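
The header problem described in this message can be reproduced in a few lines. The following is an added example, not code from the FreeIPA patch: `decode_csr_fixed_offset` is an assumed reconstruction of the failure mode (an offset sized for the NEW header), `decode_csr` accepts both header forms, and `SAMPLE_DER` is constructed filler bytes, not a real PKCS#10 request.

```python
import base64
import re

# Constructed stand-in for a DER-encoded request: SEQUENCE, length 0x0100,
# followed by 256 filler bytes. It is not a valid PKCS#10 structure.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))

_NEW_BEGIN = "-----BEGIN NEW CERTIFICATE REQUEST-----\n"

# BEGIN and END must carry the same label, with or without "NEW ".
_CSR_RE = re.compile(
    r"-----BEGIN (?P<label>(?:NEW )?CERTIFICATE REQUEST)-----"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)"
    r"-----END (?P=label)-----"
)


def to_pem(der, new_header):
    """Wrap DER bytes in a PEM block using either header spelling."""
    label = "NEW CERTIFICATE REQUEST" if new_header else "CERTIFICATE REQUEST"
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)


def der_outer_sequence_ok(der):
    """True if the bytes are exactly one DER SEQUENCE with a consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def decode_csr_fixed_offset(pem):
    """Assumed reconstruction of the bug: the body offset assumes the NEW header."""
    start = pem.find("-----BEGIN ")
    end = pem.find("-----END ")
    if start == -1 or end == -1:
        raise ValueError("no PEM block found")
    # With the shorter header this skips 4 characters of base64 as well.
    body = pem[start + len(_NEW_BEGIN):end]
    return base64.b64decode("".join(body.split()))


def decode_csr(pem):
    """Accept both header forms, decode strictly, sanity-check the DER envelope."""
    match = _CSR_RE.search(pem)
    if match is None:
        raise ValueError("no certificate request block with matching BEGIN/END")
    der = base64.b64decode("".join(match.group("body").split()), validate=True)
    if not der_outer_sequence_ok(der):
        raise ValueError("decoded data is not a single DER SEQUENCE")
    return der


if __name__ == "__main__":
    for new_header in (True, False):
        pem = to_pem(SAMPLE_DER, new_header)
        print("NEW header:", new_header,
              "| fixed-offset ok:",
              der_outer_sequence_ok(decode_csr_fixed_offset(pem)),
              "| label-aware ok:", decode_csr(pem) == SAMPLE_DER)
```

Four base64 characters encode three bytes, so the truncated body still decodes cleanly as base64; it is the DER envelope check that catches the damage.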
Re: [Freeipa-devel] [PATCH] 430 AccessTime tests
On Fri, 2010-04-30 at 12:04 -0400, Rob Crittenden wrote:

I added some tests for the AccessTime parameter type. During test development I fixed a few bugs in the parameter and hopefully added some improved error messages to nudge the user in the right direction. The time syntax is quite difficult to understand.

I noticed that the 'weekly' periodic type wasn't implemented. I'm not sure if this was an oversight or not.

rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 397 raise exception on empty mod
On Fri, 2010-03-05 at 13:47 -0500, Rob Crittenden wrote:

Raise an error if no modifications were performed in an update. This will alert the user that nothing was done and is handy when used with --attr=''. This can be used to delete a non-required attribute but can be set to any valid attribute, present or not. We should alert the user if they attempt to delete a non-existent value.

rob

Tiny conflict, but I'm not going to guess. :) Can you rebase this?

error: patch failed: ipalib/plugins/baseldap.py:272
Re: [Freeipa-devel] [PATCH] 403 correct installation CA output
On Wed, 2010-03-10 at 12:00 -0500, Rob Crittenden wrote:

Better customize the message regarding the CA based on the install options.

There are now 3 cases:

- Install a dogtag CA and issue server certs using that
- Install a selfsign CA and issue server certs using that
- Install using either dogtag or selfsign and use the provided PKCS#12 files for the server certs. The installed CA will still be used by the cert plugin to issue any server certs.

rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 402 location of root CA
On Wed, 2010-03-10 at 11:59 -0500, Rob Crittenden wrote:

Make CA PKCS#12 location arg for ipa-replica-prepare, default /root/cacert.p12

pki-silent puts a copy of the root CA into /root/tmp-ca.p12. Rename this to /root/cacert.p12.

rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 400 fix pwpolicy plugin
On Fri, 2010-03-05 at 16:15 -0500, Rob Crittenden wrote:

This patch relies on patch #399

Fix a number of bugs in the pwpolicy plugin

This fixes:

- Consistent usage of priority vs cospriority in options
- Fixes bug introduced with recent patch where global policy couldn't be updated
- Doesn't allow cospriority to be removed for groups (#570536)
- returns the priority with group policy so it can be displayed
- Properly unicode encode group names for display

rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 399 Include params in Method.output_params
On Tue, 2010-03-09 at 16:50 -0500, Rob Crittenden wrote:

Pavel Zuna wrote:

Rob Crittenden wrote:

Method overrides the Command get_output_params() method and only returns the object params, not anything defined within the method itself. Return those as well so they are displayed in output.

Some care needs to be taken to avoid returning duplicate values. In the case of duplicates the value in obj.params wins.

I tested this with the pwpolicy plugin which is a Method and defines its own takes_options. I need this to display the priority to the user.

rob

Applies with minor modifications due to recent gettext patches. Shouldn't there be a check for 'no_output' when going through self.obj.params?

Pavel

Yup, new patch attached, good catch.

rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 404 ensure priority is unique
On Fri, 2010-03-12 at 18:01 -0500, Rob Crittenden wrote:

Ensure that the group policy priority is unique. We use CoS to determine the order in which group policy is applied. The behavior in CoS is undefined for multiple entries with the same cospriority.

This likely relies on some other outstanding pwpolicy patches.

rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 405 Fix the client make target
On Mon, 2010-03-15 at 13:41 -0400, Rob Crittenden wrote:

Fix the client make target. It was broken due to the addition of the i18n code which lives inside the server code.

rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 406 add option for pam_mkhomedirs to client installer
On Mon, 2010-03-15 at 13:42 -0400, Rob Crittenden wrote:

Add a new option, --mkhomedirs, to the ipa-client-install script. We pass this along to authconfig so that pam_mkhomedirs is configured.

rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 392 retrieve schema using kerberos credentials
On Wed, 2010-03-17 at 10:02 -0400, Rob Crittenden wrote:

Jason Gerard DeRose wrote:

On Fri, 2010-02-26 at 11:26 -0500, Rob Crittenden wrote:

Retrieve the LDAP schema using kerberos credentials. This is required so we can disable anonymous access in 389-ds.

rob

I'm getting a merge conflict with the migration plugin:

error: patch failed: ipalib/plugins/migration.py:30

Sorry this patch slipped through the cracks for so long. Updated patch attached.

thanks. ack, pushed to master.

rob
Re: [Freeipa-devel] [PATCH] 369 fix word usage in installer
On Wed, 2010-02-03 at 14:57 -0500, Rob Crittenden wrote:

Proper use of set up vs setup.

rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 372 check for group but no user
On Tue, 2010-03-16 at 17:57 -0400, Rob Crittenden wrote:

Handle the case where the DS group exists but the user does not

If the group exists but the user doesn't then useradd blows up trying to create the user and group. So test to see if the group exists and if it does pass along the -g argument to useradd.

rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] jderose 052 Finish deferred translation mechanism
On Fri, 2010-03-12 at 11:31 -0500, John Dennis wrote:

On 03/08/2010 11:25 PM, Jason Gerard DeRose wrote:

This patch finishes the LazyText functionality in the ipalib.text module. This patch includes extensive docstrings in text.py that should hopefully explain everything pretty well. There's also now pretty darn complete test coverage.

Still to do:

1. Have Backend.session extract the locale and set context.languages... I have an rpcserver cleanup patch I've been working on which will include this change.

2. Remove deprecated gettext stuff in ipalib.request... this is a small change, but I left it out of this patch so it's easier to review

I'll have these next two patches later this week.

I've tested this and it works for me and seems pretty clean, a good patch. Thank you Jason. However I do have one thing which I'd like to see cleaned up, it's a few naming issues (see below).

Well, naming issues aside, is this an ack? Do you mind if I push this patch and then possibly push a tune-up patch?

In a moment I'm going to follow up with a patch that extends tests/test_ipalib/test_text.py to utilize the test language you asked for and is currently in install/po. That test is implemented and working so look for the patch in a moment.

Naming Issues:

The thread local object can be assigned attributes directly and its attributes can be referenced directly. Using context.__dict__ seems odd

Although it isn't usually standard to use an instance dictionary like this, the Python threading.local documentation specifically endorses it. After reading the docstring in /usr/lib64/python2.6/_threading_local.py, my impression is that threading.local is intended to be used both as an instance to store thread-local attributes, and as a dict to store thread-local items (regardless of whether the keys are valid attribute names). John, could you take a look at this documentation and let me know if you concur?

and unnecessary to store the language keys. I presume you're doing that because you can't have a tuple as an attribute name on the context. Directly accessing the __dict__ of an object feels like something we should avoid if possible. Also we're stuffing unrelated items in context.__dict__, for example the Connection and language keys are being stored together. Wouldn't it be cleaner to keep the language keys in their own name space and to use constructs like this:

    context = threading.local()
    context.connection = Connection()
    context.language_keys = {}
    context.language_keys[key] = translation
    if key in context.language_keys

As you have it above, context.language_keys only exists in the current thread. So each time we would have to check if the language_keys dict has been created in the current thread, then check if the key is present. If you want these separated, I personally think a second threading.local instance should be used, something like:

    language_keys = threading.local()

I actually had them separated like this initially but decided to combine them so there is only one threading.local instance we need to clear() after processing a request. Also, though it seems messy to combine all of these in the context, the name-spaces don't overlap... a tuple will never equal an attribute name (str), so the translations can't conflict with any attributes we store on the context.

rather than

    context.__dict__[key] = translation
    if key in context.__dict__

This also means when you clear the context you don't have to iterate over the members of context.__dict__ and special case the values as is currently being done with:

    for (name, value) in context.__dict__.items():
        if isinstance(value, Connection):
            value.disconnect()

Wouldn't this be cleaner as:

    if context.connection:
        context.connection.disconnect()

We can have multiple connections, which is why we do this iteration with type checking. An LDAP connection is always created, but other connections might also be created. Currently the only place we are doing this is for a connection to the certificate server, but we should allow plugins to create additional connections, and have them explicitly disconnected by request.destroy_context().

Keeping the language keys separately would also allow us to clear the language keys independently of anything else in the context without having to worry about what else we might clobber in the context.

I have no problem using a separate threading.local() instance for the translations if you feel that is the better approach. Small change.
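
The thread-local behaviour argued over in this exchange, shown as an added example that is not code from the patch or from ipalib. The `Connection` class, `get_language_keys()` and this `destroy_context()` are hypothetical stand-ins; the point is that attributes and `__dict__` items set in one thread are invisible in another, and that clearing the context after each request keeps state from leaking into the next request served by the same thread.

```python
import threading

context = threading.local()


class Connection:
    """Hypothetical stand-in for an LDAP or CA connection object."""

    def __init__(self, name):
        self.name = name
        self.connected = True

    def disconnect(self):
        self.connected = False


def get_language_keys():
    """Return this thread's translation cache, creating it on first use.

    The dict has to be created per thread: an attribute assigned to a
    threading.local in one thread does not exist in any other thread.
    """
    try:
        return context.language_keys
    except AttributeError:
        context.language_keys = {}
        return context.language_keys


def destroy_context():
    """Disconnect every Connection stored on this thread, then clear it all."""
    closed = []
    for value in list(context.__dict__.values()):
        if isinstance(value, Connection):
            value.disconnect()
            closed.append(value.name)
    context.__dict__.clear()
    return sorted(closed)


def demo():
    """Exercise both storage styles from the thread and report what is visible."""
    results = {}
    key = ("en_US", "Hello")                 # constructed sample key

    # "Request" handled in the calling thread.
    context.ldap = Connection("ldap")
    context.ca = Connection("ca")
    context.__dict__[key] = "Hello"          # tuple key directly in __dict__
    get_language_keys()[key] = "Hello"       # separate per-thread namespace

    def worker():
        # A different thread starts with an empty context.
        results["worker_sees_ldap"] = hasattr(context, "ldap")
        results["worker_sees_tuple_key"] = key in context.__dict__
        results["worker_language_keys"] = dict(get_language_keys())

    thread = threading.Thread(target=worker)
    thread.start()
    thread.join()

    results["main_sees_tuple_key"] = key in context.__dict__
    results["closed"] = destroy_context()
    results["main_empty_after_destroy"] = len(context.__dict__) == 0
    return results


if __name__ == "__main__":
    for name, value in sorted(demo().items()):
        print(name, "=", value)
```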
Re: [Freeipa-devel] [PATCH 5/5] localize doc strings
On Fri, 2010-03-05 at 16:21 -0500, John Dennis wrote:

A number of doc strings were not localized, wrap them in _(). Some messages were not localized, wrap them in _()

Fix a couple of failing tests: The method name in RPC should not be unicode. The doc attribute must use the .msg attribute for comparison.

Also clean up imports of _()
The import should come from ipalib or ipalib.text, not ugettext from request.

Pavel: You'll need to make a fix to plugins/migration.py, look for the FIXME comment. What you're doing with the doc string won't work with our localization framework. I implemented a workaround for the time being.

ack. pushed to master.

John, for me your 'the_method' change broke the test, which was previously working. I pushed this anyway as this patch touches a lot of files and I don't want us to get into merge hell. We can fix this small issue in a separate patch.
Re: [Freeipa-devel] [PATCH] jderose 049 Consolidate to single WSGI entry point
On Mon, 2010-03-01 at 14:53 -0500, Rob Crittenden wrote:

Jason Gerard DeRose wrote:

This is part1 of the mod_wsgi transition. It provides a new plugin: api.Backend.session. This is a WSGI middleware component that will create the LDAP connection and then route the request to the appropriate WSGI application (/xml or /json or /ui).

The end result is that we have a single entry point (/ipa) instead of 3, and we also use the exact same code path to create and destroy the LDAP connection (which is obviously good for security).

All this still is running under mod_python, but my next patch switches things to mod_wsgi (still have a few issues on that front).

Ack.

rob

pushed to master. thanks for the review.
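
The single-entry-point pattern described in this message, as an added sketch that is not the code from the patch or from ipaserver. `Session`, `FakeLDAP`, `make_app`, `call` and the `demo.ldap` environ key are hypothetical names; the sketch shows one middleware that opens the connection, routes on the first path segment, and closes the connection on every exit path, including when the routed application raises.

```python
class FakeLDAP:
    """Constructed stand-in for an LDAP connection; records open/close events."""

    log = []

    def __init__(self, principal):
        self.principal = principal
        FakeLDAP.log.append(("connect", principal))

    def disconnect(self):
        FakeLDAP.log.append(("disconnect", self.principal))


def make_app(name, fail=False):
    """Build a tiny WSGI app standing in for the XML-RPC, JSON-RPC or UI app."""
    def app(environ, start_response):
        if fail:
            raise RuntimeError("handler blew up")
        conn = environ["demo.ldap"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [("%s for %s" % (name, conn.principal)).encode("utf-8")]
    return app


class Session:
    """Single entry point: check identity, connect, route, always disconnect."""

    def __init__(self, mounts, connect=FakeLDAP):
        self.mounts = dict(mounts)
        self.connect = connect

    def __call__(self, environ, start_response):
        principal = environ.get("REMOTE_USER")
        if not principal:
            return self._error(start_response, "401 Unauthorized")
        name, _, rest = environ.get("PATH_INFO", "").lstrip("/").partition("/")
        app = self.mounts.get(name)
        if app is None:
            # Unknown mount: refuse before any connection is opened.
            return self._error(start_response, "404 Not Found")
        conn = self.connect(principal)
        try:
            environ["demo.ldap"] = conn
            environ["SCRIPT_NAME"] = environ.get("SCRIPT_NAME", "") + "/" + name
            environ["PATH_INFO"] = "/" + rest if rest else ""
            # Drain the body here so no application code runs after disconnect.
            return list(app(environ, start_response))
        finally:
            conn.disconnect()

    @staticmethod
    def _error(start_response, status):
        start_response(status, [("Content-Type", "text/plain")])
        return [status.encode("ascii")]


def call(app, path, user="admin@EXAMPLE.COM"):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    seen = {}
    environ = {"REQUEST_METHOD": "POST", "SCRIPT_NAME": "/ipa", "PATH_INFO": path}
    if user:
        environ["REMOTE_USER"] = user

    def start_response(status, headers):
        seen["status"] = status

    body = b"".join(app(environ, start_response))
    return seen["status"], body


if __name__ == "__main__":
    session = Session({"xml": make_app("xml"), "json": make_app("json"),
                       "ui": make_app("ui")})
    for path in ("/xml", "/json", "/ui", "/nope"):
        print(path, call(session, path))
    print(FakeLDAP.log)
```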
[Freeipa-devel] [PATCH] 051 Fix spec
This has already been pushed to master. This is a follow up to Rob's conditional ack of my 050 patch. From 3b4c4acfd24fcfd1d4b34a355a684f0683edee38 Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Mon, 1 Mar 2010 21:41:41 -0700 Subject: [PATCH] Fixed ipa.spec.in to include share/ipa/wsgi.py* --- ipa.spec.in |5 - 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/ipa.spec.in b/ipa.spec.in index f7f3a29..154bac6 100644 --- a/ipa.spec.in +++ b/ipa.spec.in @@ -384,7 +384,7 @@ fi %{python_sitelib}/ipaserver/* %{python_sitelib}/ipawebui/* %dir %{_usr}/share/ipa -%{_usr}/share/ipa/wsgi.py +%{_usr}/share/ipa/wsgi.py* %{_usr}/share/ipa/*.ldif %{_usr}/share/ipa/*.uldif %{_usr}/share/ipa/*.template @@ -499,6 +499,9 @@ fi %endif %changelog +* Mon Mar 1 2010 Jason Gerard DeRose jder...@redhat.com - 1.99-18 +- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included + * Wed Feb 24 2010 Jason Gerard DeRose jder...@redhat.com - 1.99-17 - Added Require mod_wsgi, added share/ipa/wsgi.py -- 1.6.3.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
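Review bot: The %files entry %{_usr}/share/ipa/wsgi.py* in the first hunk matches more than the .pyc and .pyo files the changelog entry names. Any file in share/ipa whose name starts with wsgi.py would be packaged, for example an editor backup or a .orig/.rej file left by a failed patch. Listing wsgi.py, wsgi.pyc and wsgi.pyo explicitly would keep the package contents to exactly what is intended.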
Re: [Freeipa-devel] [PATCH] jderose 050 Run ipaserver under mod_wsgi
On Mon, 2010-03-01 at 14:56 -0500, Rob Crittenden wrote:

Jason Gerard DeRose wrote:

This patch completes the transition to running under mod_wsgi. It requires my previous 049 Consolidate to single WSGI entry point patch.

This is pretty straightforward, but a few things need highlighting:

1. mod_wsgi requires an entry point script (you can't give it a Python package name like we were doing with mod_python). Based on my reading of the Filesystem Hierarchy Standard, it seems this should be in share/ipa, so that's what I did. The script is /usr/share/ipa/wsgi.py I was expecting this to cause SELinux problems, but things seem to work fine.

2. We are running mod_wsgi in daemon mode, which is the preferred way of deploying it. The mod_wsgi daemon has both multi-process and multi-threading capabilities. As we haven't actually used threaded code much in IPA thus far (although lite-server.py is threaded), for now I have the daemon running 2 processes and 1 thread (aka it's not threaded). For production I think we probably should run something like 4 processes and 8 threads per process. This can be a later change (just requires a change in our ipa.conf Apache config file).

3. As ipaserver is now running inside the mod_wsgi daemon, we can change from using the Apache prefork MPM to using worker, which is far superior for static content. I haven't changed this yet, but we should put this on our TODO.

I pretty much had this patch all done last Friday, but I've let things slow-roast for several days to make sure it's stable. I feel confident that this is a low risk change. All the same, I think we should get this pushed as soon as possible so we can shake out any remaining issues.

I'm going to go ahead and ack this if you fix one thing before you push. In ipa.spec.in you need to change: -%{_usr}/share/ipa/wsgi.py +%{_usr}/share/ipa/wsgi.py*

pushed to master, along with my 051 patch making the changes you asked for.

I don't think we need the Location entries at the top of ipa.conf setting no handler. It worked ok for me without them, the similar setting in the Directory should take care of things. More testing is probably needed.

In my testing, the Location tag with Handler none was the only way I could prevent the WSGI handler from gobbling up these URIs. I think this is because of the order in which Directory and Location are applied.

This doesn't work on my F-11 box, I think primarily because /var/run/httpd/ has the wrong permissions. I'll investigate fixing this up but since F-11 won't be supported for a whole lot longer I'm not going to worry about this too much.

I'll fix this in a follow-up patch.

rob
Re: [Freeipa-devel] commit policy for translations (.po files)
On Fri, 2010-02-26 at 13:19 -0500, John Dennis wrote:

I'd like to propose that for translations (e.g. .po files) we skip the review process on the patch and just push them to master. Realistically few of us will be able to verify whether the string translations are correct or not.

+1. Whoever pushes it can just make sure it isn't touching anything code related and push the patch.
[Freeipa-devel] [PATCH] jderose 049 Consolidate to single WSGI entry point
This is part1 of the mod_wsgi transition. It provides a new plugin: api.Backend.session. This is a WSGI middleware component that will create the LDAP connection and then route the request to the appropriate WSGI application (/xml or /json or /ui). The end result is that we have a single entry point (/ipa) instead of 3, and we also use the exact same code path to create and destroy the LDAP connection (which is obviously good for security). All this still is running under mod_python, but my next patch switches things to mod_wsgi (still have a few issues on that front). From 541616b0290d309a686bf66febb370ef0cade06a Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Tue, 23 Feb 2010 10:53:47 -0700 Subject: [PATCH] Consolidate to single WSGI entry point --- install/conf/ipa.conf | 81 +++-- ipalib/constants.py|2 +- ipaserver/__init__.py |4 + ipaserver/plugins/xmlserver.py | 10 +-- ipaserver/rpcserver.py | 149 +--- ipawebui/__init__.py | 11 +-- lite-server.py |6 +- tests/test_ipaserver/test_rpcserver.py | 96 - 8 files changed, 276 insertions(+), 83 deletions(-) diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index b956293..f5987fb 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -11,14 +11,6 @@ PythonImport ipaserver main_interpreter # This is required so the auto-configuration works with Firefox 2+ AddType application/java-archivejar -# This is where we redirect on failed auth -Alias /ipa/errors /usr/share/ipa/html - -# For the MIT Windows config files -Alias /ipa/config /usr/share/ipa/html - -# For CRL publishing -Alias /ipa/crl /var/lib/pki-ca/publish Location /ipa 
@@ -32,34 +24,42 @@ Alias /ipa/crl /var/lib/pki-ca/publish KrbSaveCredentials on Require valid-user ErrorDocument 401 /ipa/errors/unauthorized.html -/Location -Location /ipa/xml SetHandler python-program PythonInterpreter main_interpreter - PythonHandler ipaserver::xmlrpc + PythonHandler ipaserver::handler PythonDebug Off - PythonOption SCRIPT_NAME /ipa/xml + PythonOption SCRIPT_NAME /ipa PythonAutoReload Off -/Location -Location /ipa/json - SetHandler python-program - PythonInterpreter main_interpreter - PythonHandler ipaserver::jsonrpc - PythonDebug Off - PythonOption SCRIPT_NAME /ipa/json - PythonAutoReload Off /Location -Location /ipa/ui - SetHandler python-program - PythonInterpreter main_interpreter - PythonHandler ipaserver::webui - PythonDebug Off - PythonOption SCRIPT_NAME /ipa/ui - PythonAutoReload Off -/Location +#Location /ipa/xml +# SetHandler python-program +# PythonInterpreter main_interpreter +# PythonHandler ipaserver::xmlrpc +# PythonDebug Off +# PythonOption SCRIPT_NAME /ipa/xml +# PythonAutoReload Off +#/Location + +#Location /ipa/json +# SetHandler python-program +# PythonInterpreter main_interpreter +# PythonHandler ipaserver::jsonrpc +# PythonDebug Off +# PythonOption SCRIPT_NAME /ipa/json +# PythonAutoReload Off +#/Location + +#Location /ipa/ui +# SetHandler python-program +# PythonInterpreter main_interpreter +# PythonHandler ipaserver::webui +# PythonDebug Off +# PythonOption SCRIPT_NAME /ipa/ui +# PythonAutoReload Off +#/Location Alias /ipa-assets/ /var/cache/ipa/assets/ Directory /var/cache/ipa/assets 
@@ -72,14 +72,39 @@ Alias /ipa-assets/ /var/cache/ipa/assets/ /Directory +Location /ipa/errors + SetHandler None +/Location + +Location /ipa/config + SetHandler None +/Location + +Location /ipa/crl + SetHandler None +/Location + + +# This is where we redirect on failed auth +Alias /ipa/errors /usr/share/ipa/html + +# For the MIT Windows config files +Alias /ipa/config /usr/share/ipa/html + # Do no authentication on the directory that contains error messages Directory /usr/share/ipa/html + SetHandler None AllowOverride None Satisfy Any Allow from all /Directory + +# For CRL publishing +Alias /ipa/crl /var/lib/pki-ca/publish + Directory /var/lib/pki-ca/publish + SetHandler None AllowOverride None Options Indexes FollowSymLinks Satisfy Any diff --git a/ipalib/constants.py b/ipalib/constants.py index 79ddbca..a942076 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -108,7 +108,7 @@ DEFAULT_CONFIG = ( ('mount_ipa', '/ipa/'), ('mount_xmlserver', 'xml'), ('mount_jsonserver', 'json'), -('mount_webui', 'ui/'), +('mount_webui', 'ui'), ('mount_webui_assets', '/ipa-assets/'), # WebUI stuff: diff --git a/ipaserver/__init__.py b/ipaserver/__init__.py index 1b62255..874ac3e 100644 --- a/ipaserver/__init__.py +++ b/ipaserver/__init__.py @@ -222,3 +222,7 @@ def webui(req): mod_python handler for web-UI requests (place holder). return adapter(req, ui) + + +def handler(req): +return adapter(req
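Review bot: In the install/conf/ipa.conf hunk at @@ -32,34 +24,42 @@ the old /ipa/xml, /ipa/json and /ipa/ui Location blocks are added back as commented-out lines instead of being deleted. Since the description says everything now goes through the single ipaserver::handler entry point, I would drop these lines outright. Version control keeps the history, and dead handler blocks in a shipped Apache config make it easy to re-enable a second code path for setting up the LDAP connection by accident.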
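Review bot: In the @@ -72,14 +72,39 @@ hunk the /ipa/errors, /ipa/config and /ipa/crl paths get SetHandler None twice, once in a new Location block and once in the matching Directory block, with no comment saying which one is actually required. These paths sit under Location /ipa, which now carries the ipaserver::handler, so the exemption depends on how Apache merges Directory and Location sections. Please add a comment above the three Location blocks stating that these URIs must bypass the handler and why both settings are present, so a later cleanup does not silently route them into the application.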
Re: [Freeipa-devel] [PATCH] fix i18n build problem
On Mon, 2010-02-22 at 16:21 -0500, John Dennis wrote:

There was a typo in install/po/Makefile.in which caused (some) of the .po files to be overwritten because the test to see if a po file existed had a typo in it.

This patch also removes the unnecessary rebuilding of the pot which was happening when using the all target (the default). The pot file now must be manually remade, which is what we want.

Added a new target mo-files to manually generate the .mo files. This is useful to run before checking in a new .po file just to assure it compiles and we don't have to discover this during a build.

ack. pushed to master.

I confirmed that this fixes the build problem in my tree. Thanks.
Re: [Freeipa-devel] [PATCH] minor makefile cleanup
On Mon, 2010-02-22 at 16:54 -0500, John Dennis wrote:

Nalin correctly identified two minor issues in the install/po/Makefile he noticed after my last patch.

The empty rule for the all target is bad style.

The newly added target mo-files should have been listed in the .PHONY list.

Neither one should cause problem, but they should be cleaned up.

ack. pushed to master.
[Freeipa-devel] [PATCH] jderose 045 Remove bugfix widgets
We were overriding some wehjit builtins with bugfix widgets, but these have all been fixed as of wehjit 0.2.1, so we don't need them anymore. From ed78ef79d33b9cf60eff3611cf05a7fac9afdb62 Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Thu, 18 Feb 2010 17:29:31 -0700 Subject: [PATCH] Remove bugfix widgets --- ipawebui/widgets.py | 152 --- 1 files changed, 0 insertions(+), 152 deletions(-) diff --git a/ipawebui/widgets.py b/ipawebui/widgets.py index d05b5b4..9d6170f 100644 --- a/ipawebui/widgets.py +++ b/ipawebui/widgets.py 
@@ -246,154 +246,6 @@ class LandingPage(base.Widget): -class Form(builtins.Form): -js_class = 'Form' - -javascript = -Wehjit.bases.Form = new Class({ -Extends: Wehjit.bases.Widget, - -post_init: function() { -this.focused = null; -$each(this.el.elements, function(field) { -field.connect('focus', this); -}, this); -var parent = this.get_parent(); -if (parent parent.klass == 'Dialog') { -parent.addEvent('run', this.on_run.bind(this)); -this.parent = parent; -} -this.formdata = null; -}, - -on_focus: function(field, event) { -this.focused = field; -}, - -on_run: function(dialog, params) { -console.assert(dialog == this.parent); -this.refocus(); -}, - -refocus: function() { -console.log('refocus', this.id, this.focused); -if (this.focused) { -this.focused.focus(); -return true; -} -if (this.el.elements.length 0) { -this.el.elements[0].focus(); -return true; -} -return false; -}, - -get_data: function() { -console.log('Form.get_data'); -var rawdata = this.el.get_data(); -var data = {}; - -if (this.formdata == null) { -$each(rawdata, function(value, key) { -if (value !== '') { -data[key] = value; -} -}); -} -else { -$each(rawdata, function(value, key) { -var old = this.formdata[key]; -if (old == undefined value === '') { -return; -} -if (old != value) { -console.log('changed: %s = %s', key, value); -data[key] = value; -} -}, this); -} - -return data; - -}, - -set_data: function(data) { -console.log('Form.set_data', data); -this.focused = null; -if ($type(data) == 'object') { -this.formdata = data; -} -else { -this.formdata = null; -} -this.el.set_data(data); -}, - -reset: function() { -this.formdata = null; -this.focused = null; -this.el.reset(); -}, - -}); - - - -class CRUDS(builtins.CRUDS): -display_cols = Static('display_cols', json=True, default=tuple()) - - -class Display(builtins.Display): -cols = None - -javascript = -Wehjit.bases.Display = new Class({ -Extends: Wehjit.bases.Widget, - -post_init: function() { -var parent = this.get_parent(); 
-console.assert(parent); -parent.addEvent('run', this.on_run.bind(this)); -this.cruds = Wehjit.get('cruds'); -this.cols = this.cruds.data.display_cols; -console.assert(this.cols); -if (this.cols.length == 0) { -this.cols = Wehjit.data.grid.cols; -} -}, - -on_run: function(dialog, row) { -console.log('Display.on_run(%s, %s)', dialog, row); -this.el.empty(); -if ($type(row) != 'object') { -return; -} -this.cols.each(function(col) { -var tr = new Element('tr'); -var th = new Element('th'); -th.textContent = col.label + ':'; -tr.appendChild(th); -this.el.appendChild(tr); -var td = new Element('td'); -var value = row[col.name]; -if ($type(value) == 'array') { -var value = value.join(','); -} -if ($type(value) != 'string') { -var value = ''; -} -td.textContent = value; -tr.appendChild(td); -}, this); -}, - -}); - - - - - - def create_widgets(): widgets = Collection('freeIPA
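Review bot: The diffstat shows only ipawebui/widgets.py changing, so nothing in this patch enforces the wehjit 0.2.1 minimum that the description relies on. With the Form, CRUDS and Display overrides removed, an installation with an older wehjit falls back to the unfixed builtins without any error. Please pair the removal with a versioned requirement on python-wehjit in ipa.spec.in, or a version check at import time.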
[Freeipa-devel] [PATCH] jderose 046 Add buildrequires script
I want to make our development process more easily automated and repeatable, so I started on this script to install all the packages a person would likely need to hack on the server. I'm using this to bootstrap fresh VMs. Plus this lowers the barrier for new developers. From 08d97541088df605f87447df4bce6946e64eed9b Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Thu, 18 Feb 2010 18:43:54 -0700 Subject: [PATCH] Add buildrequires script to help new developers --- contrib/install-buildrequires.sh | 48 ++ 1 files changed, 48 insertions(+), 0 deletions(-) create mode 100755 contrib/install-buildrequires.sh diff --git a/contrib/install-buildrequires.sh b/contrib/install-buildrequires.sh new file mode 100755 index 000..81faec8 --- /dev/null +++ b/contrib/install-buildrequires.sh @@ -0,0 +1,48 @@ +#!/bin/sh + +# This should install pretty much everything you might need to work on FreeIPA, +# and then some. Let's try to keep this up-to-date to make things easier for +# new developers. + +packages=\ +389-ds-base-devel \ +autoconf \ +automake \ +bzr \ +e2fsprogs-devel \ +epydoc \ +gettext \ +git \ +krb5-devel \ +libcap-devel \ +libtool \ +m4 \ +make \ +mozldap-devel \ +nspr-devel \ +nss-devel \ +openldap-clients \ +openldap-devel \ +openssl-devel \ +policycoreutils \ +popt-devel \ +pyOpenSSL \ +python-configobj \ +python-devel \ +python-docutils \ +python-genshi \ +python-kerberos \ +python-krbV \ +python-ldap \ +python-lxml \ +python-nose \ +python-pyasn1 \ +python-pygments \ +python-sqlalchemy \ +python-wehjit \ +rpm-build \ +svrcore-devel \ +xmlrpc-c-devel \ + + +yum install $packages -- 1.6.3.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
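Review bot: The final line, yum install $packages, runs with no check that the script is being run as root and no decision about -y, so on a fresh VM it either fails late with a permissions error or stops at the confirmation prompt. Since the description says the script is used to bootstrap VMs, I would fail early with a clear message when not root and state in the header comment whether the install is meant to be interactive.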
[Freeipa-devel] [PATCH] jderose 047 Fix tests
This fixes some tests (non XML-RPC) that got broken in the last few days. Please please update tests in the same patch if your patch breaks them. :) From b3e6ccfefd18e41714b48b4a1e733162516136d3 Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Fri, 19 Feb 2010 03:13:11 -0700 Subject: [PATCH] Fix non XML-RPC tests --- ipalib/cli.py |9 - ipalib/crud.py |4 ++-- tests/test_ipalib/test_crud.py | 21 + 3 files changed, 15 insertions(+), 19 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index 213a9c4..715f2e1 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -293,15 +293,6 @@ class textui(backend.Backend): one_value_per_line=True): Print an ldap entry dict. - -For example: - - entry = dict(sn='Last', givenname='First', uid='flast') - ui = textui() - ui.print_entry(entry) - givenname: First - sn: Last - uid: flast assert isinstance(entry, dict) assert isinstance(attr_map, dict) diff --git a/ipalib/crud.py b/ipalib/crud.py index 77c97f3..fa8b9ad 100644 --- a/ipalib/crud.py +++ b/ipalib/crud.py @@ -76,7 +76,7 @@ us: list(api.Command.user_add.args) ['login'] list(api.Command.user_add.options) -['first', 'last'] +['first', 'last', 'all', 'raw'] Notice that ``'ipauniqueid'`` isn't included in the options for our ``user_add`` plugin. This is because of the ``'no_create'`` flag we used when defining the @@ -94,7 +94,7 @@ class created them for us: list(api.Command.user_show.args) ['login'] list(api.Command.user_show.options) -[] +['all', 'raw'] As you can see, `Retrieve` plugins take a single argument (the primary key) and no options. If needed, you can still specify options for your `Retrieve` plugin diff --git a/tests/test_ipalib/test_crud.py b/tests/test_ipalib/test_crud.py index 969fb4f..b8399e5 100644 --- a/tests/test_ipalib/test_crud.py +++ b/tests/test_ipalib/test_crud.py 
@@ -74,12 +74,12 @@ class test_Create(CrudChecker): api = self.get_api() assert list(api.Method.user_verb.options) == \ -['givenname', 'sn', 'initials'] +['givenname', 'sn', 'initials', 'all', 'raw'] for param in api.Method.user_verb.options(): assert param.required is True api = self.get_api(options=('extra?',)) assert list(api.Method.user_verb.options) == \ -['givenname', 'sn', 'initials', 'extra'] +['givenname', 'sn', 'initials', 'extra', 'all', 'raw'] assert api.Method.user_verb.options.extra.required is False @@ -104,9 +104,12 @@ class test_Update(CrudChecker): api = self.get_api() assert list(api.Method.user_verb.options) == \ -['givenname', 'initials', 'uidnumber'] +['givenname', 'initials', 'uidnumber', 'all', 'raw'] for param in api.Method.user_verb.options(): -assert param.required is False +if param.name in ['all', 'raw']: +assert param.required is True +else: +assert param.required is False class test_Retrieve(CrudChecker): @@ -129,8 +132,7 @@ class test_Retrieve(CrudChecker): Test the `ipalib.crud.Retrieve.get_options` method. api = self.get_api() -assert list(api.Method.user_verb.options) == [] -assert len(api.Method.user_verb.options) == 0 +assert list(api.Method.user_verb.options) == ['all', 'raw'] class test_Delete(CrudChecker): @@ -178,9 +180,12 @@ class test_Search(CrudChecker): api = self.get_api() assert list(api.Method.user_verb.options) == \ -['givenname', 'sn', 'uid', 'initials'] +['givenname', 'sn', 'uid', 'initials', 'all', 'raw'] for param in api.Method.user_verb.options(): -assert param.required is False +if param.name in ['all', 'raw']: +assert param.required is True +else: +assert param.required is False class test_CrudBackend(ClassChecker): -- 1.6.3.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
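Review bot: In the ipalib/crud.py docstring the `user_show` example output becomes `['all', 'raw']`, but the unchanged sentence right after it still reads "`Retrieve` plugins take a single argument (the primary key) and no options"; update that sentence so the prose and the doctest agree. In tests/test_ipalib/test_crud.py, test_Update and test_Search now assert `param.required is True` for `all` and `raw` while every other option stays optional, with no comment saying why; a one-line comment would keep the next reader from treating it as a mistake. The ipalib/cli.py hunk deletes the `print_entry` usage example outright, which fixes the doctest but removes the only usage documentation for the method; consider restoring it as a corrected example.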
Re: [Freeipa-devel] [PATCH] 382 fix pwpolicy output
On Tue, 2010-02-16 at 23:01 -0500, Rob Crittenden wrote:
> Convert the pwpolicy plugin to use the new output system. Otherwise some of these commands output nothing at all, or at best something not quite useful.
>
> rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 377 fix deprecation warning
On Fri, 2010-02-12 at 10:56 -0500, Rob Crittenden wrote:
> Fix a deprecation warning importing sha.
>
> rob

nack. There is no `sha` attribute in the `hashlib` module; instead, you'll need to use `hashlib.sha1`, like this:

    try:
        from hashlib import sha1 as sha
    except ImportError:
        from sha import sha

I'd like to start consolidating these Python compatibility hacks in the `ipalib.compat` module. But in the case of the `uuid` module, with its funky imports inside of functions, we should probably keep our modifications to a minimum. So I agree with your approach. ack once you fix the import. ;)
[Freeipa-devel] [PATCH] jderose 044 Add sha1, md5 to compat
This patch adds `sha1` and `md5` classes to the `compat` module. These will work in Python 2.4 - 2.5 without raising a `DeprecationWarning`. From fc8710cf1371d0b71341ec3cb162e19699090ffb Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Fri, 12 Feb 2010 13:03:14 -0700 Subject: [PATCH] Add sha1, md5 to compat --- ipalib/compat.py | 38 ++ 1 files changed, 34 insertions(+), 4 deletions(-) diff --git a/ipalib/compat.py b/ipalib/compat.py index 70f098b..fcf33fd 100644 --- a/ipalib/compat.py +++ b/ipalib/compat.py @@ -18,11 +18,14 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -Abstracts some compatability issues for Python2.4 - Python2.6. +Abstracts some compatibility issues for Python 2.4 - Python 2.6. -The ``json`` module was added in Python2.6, which previously was in a seperate -package and called ``simplejson``. This hack abstracts the difference so you -can use the ``json`` module generically like this: +Python 2.6 +== + +The ``json`` module was added in Python 2.6, which previously was in an external +package and called ``simplejson``. The `compat` module abstracts the difference +so you can use the ``json`` module generically like this: from compat import json json.dumps({'hello': 'world'}) 
@@ -40,6 +43,28 @@ future-proofing here so you can import ``parse_qs()`` generically like this: For more information, see *What's New in Python 2.6*: http://docs.python.org/whatsnew/2.6.html + + +Python 2.5 +== + +The ``hashlib`` module was added in Python2.5, after which use of the ``sha`` +and ``md5`` modules is deprecated. You can generically import a ``sha1`` class +from the `compat` module like this: + + from compat import sha1 + sha1('hello world').hexdigest() +'2aae6c35c94fcfb415dbe95f408b9ce91ee846ed' + +And generically import an ``md5`` class like this: + + from compat import md5 + md5('hello world').hexdigest() +'5eb63bbbe01eeed093cb22bb8f5acdc3' + +For more information, see *What's New in Python 2.5*: + +http://python.org/doc/2.5/whatsnew/whatsnew25.html import sys @@ -49,3 +74,8 @@ if sys.version_info[:2] = (2, 6): else: import simplejson as json from cgi import parse_qs +try: +from hashlib import sha1, md5 +except ImportError: +from sha import new as sha1 +from md5 import new as md5 -- 1.6.3.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
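Review bot: The new "Python 2.5" section of the ipalib/compat.py docstring presents `sha1` and `md5` as general-purpose imports without saying what they are for; add a sentence stating that they exist for compatibility with formats that already require those digests, so the module does not read as a recommendation of MD5 or SHA-1 for new integrity or password-related code. The docstring and cover message call them classes, but both `hashlib.sha1` and the `sha.new` fallback are constructor functions, so "import a ``sha1`` constructor" is the accurate wording. Style: the added text writes "Python2.5" while this same patch changes the older text to "Python 2.6" with a space.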
Re: [Freeipa-devel] [PATCH] 378 allow one-character Param names
On Fri, 2010-02-12 at 11:03 -0500, Rob Crittenden wrote:
> Loosen up the variable name restrictions in Params so we can handle the attribute l (localityname).
>
> rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 376 fix ipa-join segfault
On Tue, 2010-02-09 at 23:04 -0500, Rob Crittenden wrote:
> Make sure incoming data isn't NULL before trying to strdup() it. Bad things happen otherwise.
>
> rob

ack. pushed to master.
[Freeipa-devel] [PATCH] jderose 042 output_params
As discussed with Rob on IRC, this patch changes the Command.get_output_params() method so that by default your Command.output_params will be the same as your Command.params. This make the behavior similar to how Method.get_output_params() fills your Method.params with the params in the corresponding Object.params. If you have args or options that you *don't* want in output_params, add the 'no_output' flag, like this: Str('foo', flags=['no_output']) This is similar to the 'no_create', 'no_update', and 'no_search' flags for Method plugins. If you need output that wont be in your args or options, add them in a `has_output_params` tuple, like this: has_output_params = ( 'bar', 'baz', ) I'll add docstrings in another patch, but this is blocking Rob, so I made it a quickie. From 0ff22e4a0fa946e6011e77554fd55f005d40d8d2 Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Wed, 10 Feb 2010 21:15:47 -0700 Subject: [PATCH] Command.output_params not contains params in Command.params --- ipalib/frontend.py |7 +++ tests/test_ipalib/test_frontend.py | 27 +++ 2 files changed, 34 insertions(+), 0 deletions(-) diff --git a/ipalib/frontend.py b/ipalib/frontend.py index 1cc2ea2..0abb35b 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py @@ -810,6 +810,13 @@ class Command(HasParam): def get_output_params(self): for param in self._get_param_iterable('output_params', verb='has'): yield param +if self.params is None: +return +for param in self.params(): +if 'no_output' in param.flags: +continue +yield param + def output_for_cli(self, textui, output, *args, **options): if not isinstance(output, dict): diff --git a/tests/test_ipalib/test_frontend.py b/tests/test_ipalib/test_frontend.py index b5ecd05..7c67d6c 100644 --- a/tests/test_ipalib/test_frontend.py +++ b/tests/test_ipalib/test_frontend.py 
@@ -28,6 +28,7 @@ from ipalib.constants import TYPE_ERROR from ipalib.base import NameSpace from ipalib import frontend, backend, plugable, errors, parameters, config from ipalib import output +from ipalib.parameters import Str def test_RULE_FLAG(): assert frontend.RULE_FLAG == 'validation_rule' @@ -654,6 +655,32 @@ class test_Command(ClassChecker): 'nested', 'Subclass', 'world', 4, dict, tuple, nope ) +def test_get_output_params(self): + +Test the `ipalib.frontend.Command.get_output_params` method. + +class example(self.cls): +has_output_params = ( +'one', +'two', +'three', +) +takes_args = ( +'foo', +) +takes_options = ( +Str('bar', flags='no_output'), +'baz', +) + +inst = example() +assert list(inst.get_output_params()) == ['one', 'two', 'three'] +inst.finalize() +assert list(inst.get_output_params()) == [ +'one', 'two', 'three', inst.params.foo, inst.params.baz +] +assert list(inst.output_params) == ['one', 'two', 'three', 'foo', 'baz'] + class test_LocalOrRemote(ClassChecker): -- 1.6.3.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
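Review bot: In test_get_output_params the excluded option is declared as `Str('bar', flags='no_output')`, a bare string, while the cover message documents `flags=['no_output']`; pass the list so the test covers the documented form and the `'no_output' in param.flags` check in get_output_params() does not depend on how a string is coerced. get_output_params() also yields everything from `has_output_params` and then everything from `self.params` with no de-duplication, so a name present in both would appear twice; either skip names already yielded or add a test case that pins the intended behaviour.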
Re: [Freeipa-devel] [PATCH] 361 fix cert tests
On Thu, 2010-01-28 at 16:18 -0500, Rob Crittenden wrote:
> This fixes some problems with the cert plugin tests.
>
> - It checks to see if a self-signed CA is available in ~/.ipa/alias. If not the tests are skipped
> - Be a bit smarter about cleaning up by moving it to a separate test
> - This relies on patch the service fix in 360. Some binary certs were being decoded as base64 resulting in an unparsable cert for the ASN.1 parser.
>
> I also added a bit of documentation on how to set up the self-signed CA. It is a one-time thing.
>
> rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 371 add status to ipactl
On Wed, 2010-02-03 at 16:33 -0500, Rob Crittenden wrote:
> We had an RFE for adding status to ipactl, seemed like low-hanging fruit (bug 503437)
>
> rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] jderose 041 Fix logging
On Mon, 2010-02-08 at 11:38 -0500, Rob Crittenden wrote: Jason Gerard DeRose wrote: I lied one, more. Rob, I see you changed how the log level on the root logger is set in API.bootstrap()... unfortunately, under the server and CLI, the result is that the root logger always stays at its default level of logging.WARNING, so none of our info() nor debug() messages are going into the server log nor out to stderr (even with --debug). My solution is to unconditionally set the root logger to logging.DEBUG, the most verbose we use, and then configure the levels on individual handlers as appropriate (which we already do). Rob, I know you make this change because of problems with logging from the installer, so can you see if still works the way you want it to with this patch? By the way, are you setting up your own logging handler in the installer, or using the ones configured in API.bootstrap()? Anyway, we really shouldn't release our alpha with broken logging. Not nice to our brave and helpful testers. ;) Jason, I think we can instead test for len(log.handlers) == 0 to determine if we have already configured a file handler for it. Can you confirm this? So if there are no handlers configured we set the log level, otherwise we skip it. rob Yep, that fixes it. Updated patch attached (replaces my original 041 patch). From d441e08c356f5003dafef409a9dc059b75bf4f3d Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Tue, 9 Feb 2010 04:57:23 -0700 Subject: [PATCH] Fix logging in CLI and server (take 2) --- ipalib/plugable.py | 15 ++- 1 files changed, 10 insertions(+), 5 deletions(-) diff --git a/ipalib/plugable.py b/ipalib/plugable.py index 6b2c6f7..4473409 100644 --- a/ipalib/plugable.py +++ b/ipalib/plugable.py 
@@ -365,11 +365,16 @@ class API(DictProxy): self.env._finalize_core(**dict(DEFAULT_CONFIG)) log = logging.getLogger() object.__setattr__(self, 'log', log) -if log.level == logging.NOTSET: -if self.env.debug: -log.setLevel(logging.DEBUG) -else: -log.setLevel(logging.INFO) + +# If logging has already been configured somewhere else (like in the +# installer), don't add handlers or change levels: +if len(log.handlers) 0: +return + +if self.env.debug: +log.setLevel(logging.DEBUG) +else: +log.setLevel(logging.INFO) # Add stderr handler: stderr = logging.StreamHandler() -- 1.6.3.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
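Review bot: The new early `return` in API.bootstrap() leaves the method altogether, so anything placed after the logging setup is skipped whenever a caller such as the installer has already attached a handler, although the comment above it promises only "don't add handlers or change levels". Put the level and handler setup inside the conditional, or move it into a helper that bootstrap() calls, so the early exit cannot swallow later steps. A test that attaches a handler to the root logger before calling bootstrap() would pin the behaviour agreed in the thread.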
[Freeipa-devel] FYI: python-wehjit and python-assets in Fedora 11
python-wehjit 0.2.0 and python-assets 0.1.1 have landed in Fedora 11.
Re: [Freeipa-devel] Implementing --all as a global option
On Thu, 2010-02-04 at 15:55 +0100, Pavel Zuna wrote:
> Pavel Zuna wrote:
> > I've run into a little problem when implementing --all as a global option. The problem is that I can't see a way to propagate it to the server side. Plugins could always retrieve all attributes and the client would choose what to display, but that would be very ineffective (especially when executing *-find commands). Either we add a way to pass additional information over XML-RPC (command independent flags) or we go back to non-global --all options. Thoughts?
> >
> > Pavel
>
> Hey Jason,
>
> we talked about this a bit on Tuesday meeting and you mentioned having some plans about extending the information being transmitted over XML-RPC. I remember something about extras and cookies, but that's pretty much it. If you could just summarize what you had in mind, I'll start figuring stuff out and implementing it.
>
> Pavel

Sure. XML-RPC arguments are supplied in a single params list (this is the XML-RPC spec, not an IPA specific thing). Right now our calling signature is:

    [arg1, arg2, ..., argN, options?]

We make an educated guess as to whether the last argument is in fact an options dict based on its type. This works for now as the parameter system doesn't yet support compound dict values (it only supports compound list values, which you create using multivalue=True).

I'm sure it's only a matter of time till we need compound dict values, so we really need to change the XML-RPC signature before we release v2 and become obligated to stay backward compatible. I propose we change the signature to:

    [args, options, extra]

Where:

- `args` is a list of arguments for the command (can be empty)
- `options` is a dict of options for the command (can be empty)
- `extra` is a dict of extensible special variables (can be empty)

We really need the `extra` dict because a lot of XML-RPC libraries don't make it especially easy (if even possible) to set HTTP headers (the Python implementation included). So my main use case for `extra` is to pass things like cookies and the locale when they can't be supplied in the HTTP headers. Global options like --all are also a great use case for `extra`, and I'm sure we'll have more down the road.

If something like the locale is present in both the HTTP headers and in `extra`, the value in `extra` should take precedence.

We should allow `extra`, `options`, and `args` to be missing in the call so that all of these would be valid calls:

    []                    # Implies [[], {}, {}]
    [['foo']]             # Implies [['foo'], {}, {}]
    [[], {'foo': 'bar'}]  # Implies [[], {'foo': 'bar'}, {}]
    [[], {}, {'foo': 'bar'}]

Make sense? Does anyone disagree with this approach, have suggestions?

The JSON-RPC call signature is already [args, options]... and I'll change this to [args, options, extra] shortly after the alpha release.
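The two calling conventions from the message above, written out as an added example (not part of the original post and not FreeIPA code), to show why guessing the options dict by type becomes ambiguous once a positional value can itself be a dict, and how a server could validate the proposed three-member form. The function names, the `locale` and `all` keys and the sample values are assumptions made for the illustration.

```python
# Added example, not FreeIPA code. Function names and sample values are
# hypothetical; only the two signatures come from the message above.


def unpack_legacy(params):
    """Current form: [arg1, arg2, ..., argN, options?].

    The receiver guesses: a trailing dict is taken to be the options.
    """
    params = list(params)
    if params and isinstance(params[-1], dict):
        return tuple(params[:-1]), dict(params[-1])
    return tuple(params), {}


def unpack_proposed(params):
    """Proposed form: [args, options, extra]; trailing members may be omitted.

    Each member has a fixed position and type, so nothing is guessed and a
    malformed call is rejected instead of being reinterpreted.
    """
    if not isinstance(params, (list, tuple)):
        raise TypeError('params must be a list, got %s' % type(params).__name__)
    if len(params) > 3:
        raise ValueError(
            'expected [args, options, extra], got %d members' % len(params))
    # Fill in whatever the caller left off: [] implies [[], {}, {}].
    args, options, extra = list(params) + [[], {}, {}][len(params):]
    if not isinstance(args, (list, tuple)):
        raise TypeError('args must be a list')
    for label, member in (('options', options), ('extra', extra)):
        if not isinstance(member, dict):
            raise TypeError('%s must be a dict' % label)
        if not all(isinstance(key, str) for key in member):
            raise TypeError('%s keys must be strings' % label)
    return tuple(args), dict(options), dict(extra)


def pick_setting(name, from_headers, extra):
    """A value in `extra` takes precedence over the one from HTTP headers.

    `from_headers` stands for settings the server already parsed out of the
    request headers (an assumption; the message does not name a structure).
    """
    if name in extra:
        return extra[name]
    return from_headers.get(name)


if __name__ == '__main__':
    # Constructed sample: a positional argument whose value is itself a dict.
    address = {'street': '1 Main St', 'city': 'Berlin'}
    print(unpack_legacy(['jdoe', address]))       # dict mistaken for options
    print(unpack_proposed([['jdoe', address]]))   # dict stays positional
    print(unpack_proposed([[], {}, {'all': True}]))
    print(pick_setting('locale', {'locale': 'en_US'}, {'locale': 'de_DE'}))
```

With the legacy form the address dict silently becomes the options; with the proposed form it stays a positional value, and a call such as `[{'all': True}]` is refused because its first member is not a list.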
[Freeipa-devel] [PATCH] jderose 039 Add support for the 'no_create', 'no_update', and 'no_search' Param flags
This feature will help restore some missing CLI functionality. It's also a step toward making sure all our attribute metadata is plugable with a per-attribute granularity. See the new module docstring in ipalib/crud.py for details. From b8a67200ba1b2b7ce843dda7e3765bc921f03dcb Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Thu, 4 Feb 2010 09:52:33 -0700 Subject: [PATCH] Add support for the 'no_create', 'no_update', and 'no_search' Param flags --- ipalib/crud.py | 112 ++- tests/test_ipalib/test_crud.py |8 ++- 2 files changed, 114 insertions(+), 6 deletions(-) diff --git a/ipalib/crud.py b/ipalib/crud.py index 173fefc..77c97f3 100644 --- a/ipalib/crud.py +++ b/ipalib/crud.py 
@@ -16,14 +16,114 @@ # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Base classes for standard CRUD operations. + +These base classes are for `Method` plugins that provide standard +Create, Retrieve, Updated, and Delete operations (CRUD) for their corresponding +`Object` plugin. In particuar, these base classes provide logic to +automatically create the plugin args and options by inspecting the params on +their corresponding `Object` plugin. This provides a single point of definition +for LDAP attributes and enforces a simple, consistent API for CRUD operations. + +For example, say we want CRUD operations on a hypothetical user entry. First +we need an `Object` plugin: + + from ipalib import Object, Str + class user(Object): +... takes_params = ( +... Str('login', primary_key=True), +... Str('first'), +... Str('last'), +... Str('ipauniqueid', flags=['no_create', 'no_update']), +... ) +... + +Next we need `Create`, `Retrieve`, `Updated`, and `Delete` plugins, and +optionally a `Search` plugin. For brevity, we'll just define `Create` and +`Retrieve` plugins: + + from ipalib import crud + class user_add(crud.Create): +... pass +... + class user_show(crud.Retrieve): +... pass +... 
+ +Now we'll register the plugins and finalize the `plugable.API` instance: + + from ipalib import create_api + api = create_api() + api.register(user) + api.register(user_add) + api.register(user_show) + api.finalize() + +First, notice that our ``user`` `Object` has the params we defined with the +``takes_params`` tuple: + + list(api.Object.user.params) +['login', 'first', 'last', 'ipauniqueid'] + api.Object.user.params.login +Str('login', primary_key=True) + +Although we defined neither ``takes_args`` nor ``takes_options`` for our +``user_add`` plugin, the `Create` base class automatically generated them for +us: + + list(api.Command.user_add.args) +['login'] + list(api.Command.user_add.options) +['first', 'last'] + +Notice that ``'ipauniqueid'`` isn't included in the options for our ``user_add`` +plugin. This is because of the ``'no_create'`` flag we used when defining the +``ipauniqueid`` param. Often times there are LDAP attributes that are +automatically created by the server and therefor should not be supplied as an +option to the `Create` plugin. Often these same attributes shouldn't be +update-able either, in which case you can also supply the ``'no_update'`` flag, +as we did with our ``ipauniqueid`` param. Lastly, you can also use the ``'no_search'`` flag for attributes that shouldn't be search-able (because, for +example, the attribute isn't indexed). + +As with our ``user_add` plugin, we defined neither ``takes_args`` nor +``takes_options`` for our ``user_show`` plugin; instead the `Retrieve` base +class created them for us: + + list(api.Command.user_show.args) +['login'] + list(api.Command.user_show.options) +[] + +As you can see, `Retrieve` plugins take a single argument (the primary key) and +no options. If needed, you can still specify options for your `Retrieve` plugin +with a ``takes_options`` tuple. 
+ +Flags like ``'no_create'`` remove LDAP attributes from those that can be +supplied as *input* to a `Method`, but they don't effect the attributes that can +be returned as *output*. Regardless of what flags have been used, the output +entry (or list of entries) can contain all the attributes defined on the +`Object` plugin (in our case, the above ``user.params``). + +For example, compare ``user.params`` with ``user_add.output_params`` and +``user_show.output_params``: + + list(api.Object.user.params) +['login', 'first', 'last', 'ipauniqueid'] + list(api.Command.user_add.output_params) +['login', 'first', 'last', 'ipauniqueid'] + list(api.Command.user_show.output_params) +['login', 'first', 'last', 'ipauniqueid'] + +Note that the above are all equal. +from frontend import Method, Object import backend, frontend, parameters, output -class Create(frontend.Method): +class Create(Method): Create a new entry. @@ -39,13
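Review bot: The new module docstring in ipalib/crud.py has an unbalanced literal in "As with our ``user_add` plugin" (two opening backticks, one closing), which will break the rendering of that paragraph; close it with two backticks. While there, fix "particuar", "therefor" and "don't effect" (affect), and check "Updated" where the text spells out CRUD and names the plugin classes, since the test module in this thread calls the class `test_Update`. The import hunk adds `from frontend import Method, Object` beside the existing `import backend, frontend, ...`; pick one style so `Create(Method)` and any remaining `frontend.` references stay consistent.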
Re: [Freeipa-devel] [PATCH] Remove (un)wrap_binary_data cruft from */ipautil.py
On Thu, 2010-01-28 at 12:35 -0500, John Dennis wrote:
> Remove SAFE_STRING_PATTERN, safe_string_re, needs_base64(), wrap_binary_data(), unwrap_binary_data() from both instances of ipautil.py. This code is no longer in use and the SAFE_STRING_PATTERN regular expression string was causing xgettext to abort because it wasn't a valid ASCII string.
> ---
>  ipapython/ipautil.py | 62 --
>  ipaserver/ipautil.py | 62 --
>  2 files changed, 0 insertions(+), 124 deletions(-)

Patch looks good, but I get an error when trying to apply with `git am`:

    Patch does not have a valid e-mail address.

Did you figure out your attachment problem? For what it's worth, I prepare patches with `git format-patch -1` and then manually attach the patch to an email (I'm using Evolution).

Could you submit this again? Or if someone with more git experience could instruct me as to a work-around.
[Freeipa-devel] [PATCH] jderose 038 Fix ipalib doctest
This patch fixes doctests in ipalib/__init__.py that were broken by Rob's 364 base64-encode binary data... patch. This patch also removes the unneeded use of textui.encode_binary() in the textui.print_keyval() method. repr('cannot print me') will escape non-ascii characters using the Python \xHH hexadecimal literal notation... so the output will be terminal safe even without base64 encoding. textui.print_keyval() isn't being used at the moment, AFAIK, but it's indented for developer-centric debugging type commands where printing the repr() is helpful. P.S.: I think it might have got lost in the shuffle, but could someone ack my 037 patch? With 037 and this patch, all the unit tests should be working again. From 0a6d49498c59337e66685102bfd03a822f037910 Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Wed, 3 Feb 2010 04:03:58 -0700 Subject: [PATCH] Fixed doctests for ipalib package docstring; fixed unneeded use of textui.encode_binary() in textui.print_keyval() --- ipalib/__init__.py | 20 ++-- ipalib/cli.py |4 +++- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/ipalib/__init__.py b/ipalib/__init__.py index 83956e1..beaf0ab 100644 --- a/ipalib/__init__.py +++ b/ipalib/__init__.py @@ -584,9 +584,9 @@ For example, say we setup a command like this: ... ... def execute(self, key, **options): ... items = dict( -... fruit='apple', -... pet='dog', -... city='Berlin', +... fruit=u'apple', +... pet=u'dog', +... city=u'Berlin', ... ) ... if key in items: ... return dict(result=items[key]) @@ -627,9 +627,9 @@ through the ``ipa`` script basically will do the following: --- show-items: --- - city = 'Berlin' - fruit = 'apple' - pet = 'dog' + city = u'Berlin' + fruit = u'apple' + pet = u'dog' --- 3 items --- 
@@ -641,9 +641,9 @@ Similarly, calling it with ``reverse=True`` would result in the following: --- show-items: --- - pet = 'dog' - fruit = 'apple' - city = 'Berlin' + pet = u'dog' + fruit = u'apple' + city = u'Berlin' -- 3 items (in reverse order) -- @@ -652,7 +652,7 @@ Lastly, providing a ``key`` would result in the following: result = api.Command.show_items(u'city') api.Command.show_items.output_for_cli(textui, result, 'city', reverse=False) -city = 'Berlin' +city = u'Berlin' See the `ipalib.cli.textui` plugin for a description of its methods. diff --git a/ipalib/cli.py b/ipalib/cli.py index b398094..124b625 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -244,7 +244,9 @@ class textui(backend.Backend): Also see `textui.print_indented`. for (key, value) in rows: -self.print_indented('%s = %r' % (key, self.encode_binary(value)), indent) +# Note that self.encode_binary(value) isn't needed as repr(value) +# will escape an `str` using \xHH hexidicimal: +self.print_indented('%s = %r' % (key, value), indent) def print_attribute(self, attr, value, indent=1, one_value_per_line=True): -- 1.6.3.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
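Review bot: The comment added in textui.print_keyval() justifies dropping `encode_binary()` only for `str` ("repr(value) will escape an `str`"), yet the doctest updates in this same patch show the values arriving as `unicode` (`u'Berlin'`); say in the comment that `%r` is relied on to escape non-printable and non-ASCII characters for both types, since that is what keeps raw bytes and control sequences off the terminal. Also fix the spelling "hexidicimal". Because `%r` is now the only escaping step in this method, a doctest that prints a value containing a control byte would lock the behaviour in.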
Re: [Freeipa-devel] [PATCH] Fix File parameter validation when prompting.
On Wed, 2010-01-27 at 17:53 +0100, Pavel Zuna wrote:
> cli.prompt_interactively now loads files before validating the parameter value. It also populates a list of already loaded files, so that cli.load_files knows when a parameter already contains the file contents.
>
> Fix #557163
>
> Pavel

ack. This looks reasonable to me, but I'd really like you to add some tests for this, especially testing that it works correctly for a command with multiple File params.

Rob and John, do you see any problems with this approach? Does this address the needs of the cert plugins?
Re: [Freeipa-devel] [PATCH] 355 allow named to use ldapi
On Wed, 2010-01-27 at 14:53 -0500, Rob Crittenden wrote:
> Add SELinux rules so named can communicate to the DS over ldapi. This should fix the installation error when --setup-dns is set and SELinux is enforcing.
>
> rob

I'm trying to test this out, but I'm not sure what I need to enter for the DNS forwarder:

    Enter IP address for a DNS forwarder (empty to stop):

Any advice?
[Freeipa-devel] [PATCH] jderose 035 Update spec to require python-wehjit = 0.2.0
The webui now requires wehjit 0.2.0. From 6f7aa9f687de72c16ef9b0883a0f2de8b2089a3d Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Wed, 27 Jan 2010 00:44:00 -0700 Subject: [PATCH] Update spec to require python-wehjit = 0.2.0 --- ipa.spec.in |5 - 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/ipa.spec.in b/ipa.spec.in index 5f792e1..85ea6f8 100644 --- a/ipa.spec.in +++ b/ipa.spec.in @@ -83,7 +83,7 @@ Requires: mod_nss Requires: python-ldap Requires: python-krbV Requires: python-assets -Requires: python-wehjit +Requires: python-wehjit = 0.2.0 Requires: acl Requires: python-pyasn1 = 0.0.9a Requires: libcap @@ -490,6 +490,9 @@ fi %endif %changelog +* Wed Jan 27 2010 Jason Gerard DeRose jder...@redhat.com - 1.99-14 +- Require python-wehjit = 0.2.0 + * Fri Dec 4 2009 Rob Crittenden rcrit...@redhat.com - 1.99-13 - Add ipa-rmkeytab tool -- 1.6.3.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
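Review bot: The new %changelog entry is labelled 1.99-14, but the diffstat and hunks show only the `Requires:` line and the three changelog lines changing in ipa.spec.in, so nothing in this patch raises the release; confirm the release number is bumped wherever it is generated, otherwise the changelog and the built package will disagree. If the web UI cannot start without the newer wehjit, a matching entry in the developer package list would keep fresh build hosts in step with the spec.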
Re: [Freeipa-devel] Why do we have so much duplicated code?
On Tue, 2010-01-26 at 18:55 -0500, John Dennis wrote:
> I constantly find identical code spread across multiple files. Is there a reason for this code duplication? (Perhaps trying to keep import name spaces isolated?) It seems to me code duplication is bad software practice for obvious reasons. If there isn't a compelling design justification for the duplication can we start moving some of this stuff to common libraries?

John, where's the duplication you're talking about? We know there's a lot of lingering duplication between the legacy code from v1 (ipapython, the installer) and the new plugable v2 code (ipalib, ipaserver). We've slowly been migrating away from this legacy code, but the process obviously isn't yet complete.

AFAIK, there isn't really any duplication within the v2 code itself, but if you've spotted some, I'd like to know about it.
[Freeipa-devel] [PATCH] jderose 037 Fix broken unit tests
This patch gets (almost) all the XML-RPC tests working again under Fedora12. Some may not pass under Fedora11 due to 389 schema changes, but Fedora12 should be our primary test target at this point, IHMO. Does anyone disagree? 3 cert tests still fail, but I'm not familiar enough with the cert plugins to confidently decide whether the tests need to be updated or whether something is broken. Rob or John, could you take a look at these when you get a chance? We really need to get strict about patches with regard to tests. If a patch breaks a test, the test needs to be updated in that same patch (or if the test is correct, the code needs to be updated). If a patch introduces new functionality, it must be accompanied by tests. Rob and Pavel, I'm looking at you. If tests no passy, no acky-acky. ;) I know I've been at fault too, but I've already scolded myself off-list. From b7c5a456693cae3d6ecbb717114c5a6bbf205acd Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Wed, 27 Jan 2010 07:16:06 -0700 Subject: [PATCH] Fix broken XML-RPC tests --- tests/test_xmlrpc/objectclasses.py |1 + tests/test_xmlrpc/test_group_plugin.py |6 -- tests/test_xmlrpc/test_host_plugin.py | 20 ++-- tests/test_xmlrpc/test_hostgroup_plugin.py | 17 + tests/test_xmlrpc/test_rolegroup_plugin.py |8 +--- tests/test_xmlrpc/test_taskgroup_plugin.py |9 ++--- tests/test_xmlrpc/test_user_plugin.py |8 ++-- 7 files changed, 41 insertions(+), 28 deletions(-) diff --git a/tests/test_xmlrpc/objectclasses.py b/tests/test_xmlrpc/objectclasses.py index 5f95cd7..857147d 100644 --- a/tests/test_xmlrpc/objectclasses.py +++ b/tests/test_xmlrpc/objectclasses.py @@ -29,6 +29,7 @@ user = [ u'inetuser', u'posixaccount', u'krbprincipalaux', +u'krbticketpolicyaux', u'radiusprofile', u'ipaobject', ] diff --git a/tests/test_xmlrpc/test_group_plugin.py b/tests/test_xmlrpc/test_group_plugin.py index a6d98f6..b794f44 100644 --- a/tests/test_xmlrpc/test_group_plugin.py 
+++ b/tests/test_xmlrpc/test_group_plugin.py @@ -110,6 +110,7 @@ class test_group(Declarative): ), expected=dict( result=dict( +cn=[group1], description=[u'New desc 1'], ), summary=u'Modified group testgroup1', @@ -143,8 +144,8 @@ class test_group(Declarative): result=dict( cn=[group1], description=[u'New desc 1'], -objectclass=objectclasses.group + [u'posixgroup'], -ipauniqueid=[fuzzy_uuid], +#objectclass=objectclasses.group + [u'posixgroup'], +#ipauniqueid=[fuzzy_uuid], gidnumber=[fuzzy_digits], ), value=group1, @@ -261,6 +262,7 @@ class test_group(Declarative): ), expected=dict( result=dict( +cn=[group2], description=[u'New desc 2'], ), summary=u'Modified group testgroup2', diff --git a/tests/test_xmlrpc/test_host_plugin.py b/tests/test_xmlrpc/test_host_plugin.py index 167481a..4127663 100644 --- a/tests/test_xmlrpc/test_host_plugin.py +++ b/tests/test_xmlrpc/test_host_plugin.py @@ -73,14 +73,13 @@ class test_host(Declarative): summary=u'Added host %s' % fqdn1, result=dict( dn=dn1, -cn=[fqdn1], # FIXME: we should only return fqdn fqdn=[fqdn1], description=[u'Test host 1'], -localityname=[u'Undisclosed location 1'], -krbprincipalname=[u'host/%...@%s' % (fqdn1, api.env.realm)], -serverhostname=[u'testhost1'], +#localityname=[u'Undisclosed location 1'], +#krbprincipalname=[u'host/%...@%s' % (fqdn1, api.env.realm)], +#serverhostname=[u'testhost1'], objectclass=objectclasses.host, -managedby=[dn1], +#managedby=[dn1], ipauniqueid=[fuzzy_uuid], ), ), @@ -109,7 +108,7 @@ class test_host(Declarative): dn=dn1, fqdn=[fqdn1], description=[u'Test host 1'], -localityname=[u'Undisclosed location 1'], +#localityname=[u'Undisclosed location 1'], ), ), ), @@ -130,7 +129,7 @@ class test_host(Declarative): # It is intuitive for --all to return additional attributes, # but not to return existing attributes under different # names. -l=[u'Undisclosed location 1
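Review bot: In tests/test_xmlrpc/test_group_plugin.py (@@ -143,8 +144,8) the objectclass and ipauniqueid expectations are commented out instead of being updated or removed, and nothing says why. A commented-out assertion reads as a test that still exists; either assert what the server now returns or delete the two lines and leave a one-line FIXME naming the behaviour change that made them fail.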
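Review bot: In tests/test_xmlrpc/test_host_plugin.py (@@ -73,14 +73,13 and @@ -109,7 +108,7) the checks on localityname, krbprincipalname, serverhostname and managedby are disabled by commenting them out, so the test no longer verifies the attributes that tie a host entry to its Kerberos principal and its manager. If host-add is meant to stop returning them, say so in a comment and drop the lines; if not, this hides a regression and the test should keep failing until the plugin is fixed.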
[Freeipa-devel] [PATCH] jderose 034 Enable WebUI CRUDS using wehjit 0.2.0
This patch enables webUI Create-Retrieve-Updated-Delete-Search operations for all api.Object plugins that: 1. implement all the required CRUDS methods 2. have a primary_key Last night I realized that the upgrade to wehjit 0.2.0 broke the installer, so I hurried this patch a bit, left out some niceties that still need a bit more testing and tweaking. From 073cea91cca082ec0f8d4d0644ff9db1961bfba9 Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Tue, 26 Jan 2010 06:39:00 -0700 Subject: [PATCH] Enabled CRUDS in webUI using wehjit 0.2.0 --- ipalib/plugable.py |2 + ipalib/plugins/baseldap.py |7 +- ipalib/plugins/user.py |3 + ipaserver/rpcserver.py |3 + ipawebui/engine.py | 124 +++--- ipawebui/widgets.py| 301 ++-- 6 files changed, 241 insertions(+), 199 deletions(-) diff --git a/ipalib/plugable.py b/ipalib/plugable.py index 3ee2bd5..ecccb79 100644 --- a/ipalib/plugable.py +++ b/ipalib/plugable.py @@ -531,6 +531,8 @@ class API(DictProxy): value = getattr(options, key, None) if value is not None: overrides[key] = value +if hasattr(options, 'prod'): +overrides['webui_prod'] = options.prod if context is not None: overrides['context'] = context self.bootstrap(**overrides) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 17db048..eeea7a6 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -133,6 +133,7 @@ class LDAPCreate(crud.Create): Create a new entry in LDAP. + takes_options = ( Flag('raw', cli_name='raw', @@ -142,6 +143,7 @@ class LDAPCreate(crud.Create): Flag('all', cli_name='all', doc='retrieve all attributes', +exclude='webui', ), Str('addattr*', validate_add_attribute, cli_name='addattr', 
@@ -291,14 +293,17 @@ class LDAPUpdate(LDAPQuery, crud.Update): Update an LDAP entry. + takes_options = ( Flag('raw', cli_name='raw', doc='print entries as they are stored in LDAP', +exclude='webui', ), Flag('all', cli_name='all', doc='retrieve all attributes', +exclude='webui', ), Str('addattr*', validate_add_attribute, cli_name='addattr', @@ -456,6 +461,7 @@ class LDAPModMember(LDAPQuery): Flag('raw', cli_name='raw', doc='print entries as they are stored in LDAP', +exclude='webui', ), ) @@ -751,4 +757,3 @@ class LDAPSearch(crud.Search): def post_callback(self, ldap, entries, truncated, *args, **options): pass - diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 97641a4..1686d67 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -113,6 +113,9 @@ class user(LDAPObject): cli_name='password', label='Password', doc='Set the user password', +# FIXME: This is temporary till bug is fixed causing updates to +# bomb out via the webUI. +exclude='webui', ), Int('uidnumber?', cli_name='uid', diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index a42c3d0..e84cb07 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -273,4 +273,7 @@ class jsonserver(WSGIExecutioner): raise JSONError( error='params[1] (aka options) must be a dict' ) +options = dict((str(k), v) for (k, v) in options.iteritems()) +print 'args = %r' % (args,) +print 'options = %r' % (options,) return (method, args, options, _id) diff --git a/ipawebui/engine.py b/ipawebui/engine.py index a90a450..01b271a 100644 --- a/ipawebui/engine.py +++ b/ipawebui/engine.py @@ -65,7 +65,17 @@ class ParamMapper(object): ) +def filter_params(namespace): +for param in namespace(): +if param.exclude and 'webui' in param.exclude: +continue +yield param + + class Engine(object): + +cruds = frozenset(['add', 'show', 'mod', 'del', 'find']) + def __init__(self, api, app): self.api = api self.app = app 
@@ -86,11 +96,21 @@ class Engine(object): ) def build(self): -for cmd in self.api.Object.user.methods(): -self.pages[cmd.name] = self.build_page(cmd) -for page in self.pages.itervalues(): -page.menu.label = 'Users' -self.add_object_menuitems(page.menu, 'user') +for obj in self.api.Object(): +if self.cruds.issubset(obj.methods) and obj.primary_key is not None: +self.pages[obj.name] = self.build_cruds_page(obj) + +# Add landing page
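Review bot: The two print statements added to jsonserver in ipaserver/rpcserver.py (@@ -273,4 +273,7) dump every request's args and options with %r, and options can carry the 'password' parameter that ipalib/plugins/user.py defines, so credentials would land in whatever captures the server's stdout. Remove the prints before this is pushed, or send them through the logger at debug level with password-like keys masked.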
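Review bot: The FIXME added in ipalib/plugins/user.py (@@ -113,6 +113,9) says exclude='webui' on the password parameter is temporary "till bug is fixed" but does not identify the bug. Reference the ticket or describe the failure in the comment, otherwise nobody will know when the exclusion can be lifted.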
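Review bot: In ipalib/plugable.py (@@ -531,6 +531,8) the new hasattr(options, 'prod') branch copies options.prod into overrides['webui_prod'] even when it is None, while the loop just above only copies values that are not None. Apply the same "is not None" test so an unset option does not override the configured webui_prod value.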
Re: [Freeipa-devel] not ascii, not utf-8, what's a parser supposed to do?
On Tue, 2010-01-26 at 17:28 -0500, John Dennis wrote:

I've run into a small problem with xgettext. By default xgettext expects all strings in an input file to be encoded in ascii. It will also allow you to override that by specifying the strings in the input file are utf-8. In ipapython/ipautil.py line 296 is the following string:

    SAFE_STRING_PATTERN = '(^(\000|\n|\r| |:|)|[\000\n\r\200-\377]+|[ ]+$)'

ipapython still has a lot of legacy code, so first thing we should do is check if we even use SAFE_STRING_PATTERN. Rob, do you know off hand?

In its default ascii mode xgettext throws an error claiming the string is not ascii. In fact xgettext is correct, the string is not ascii. (You may be wondering why xgettext even cares since it's not marked as translatable, but xgettext fully parses the input before deciding what is marked as translatable, bottom line: all strings get parsed and decoded).

If I override the default ascii input by telling xgettext the input strings are encoded in utf-8 xgettext stops complaining, the string is properly skipped. But ... the string isn't really utf-8 either and I'm not sure how comfortable I feel about telling xgettext every string in IPA is encoded in utf-8 (when it isn't) just to get around this failure, especially since the offending string isn't even utf-8. (However, maybe we should allow utf-8 as an input format since ascii is a subset of utf-8, we might want to use utf-8 in the future and we can just hold our noses with respect to the above regular expression).

Do we have a stake in the ground as to what our input strings are encoded in? Can you think of another way to express the offending string such that it doesn't trigger the non-ascii error?

The only thing I could think of and get to work was this:

    SAFE_STRING_PATTERN='%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c' % \
        (40,94,40,0,124,10,124,13,124,32,124,58,124,60,41,124,91,0,10,13,128,45,255,93,43,124,91,32,93,43,36,41)

Which is pretty unreadable, but with sufficient comments could be acceptable.
Re: [Freeipa-devel] Announcing wehjit 0.2.0
FYI, wehjit 0.2.0 has landed in Fedora 12. Just `yum install python-wehjit`.

On Thu, 2010-01-21 at 09:46 -0700, Jason Gerard DeRose wrote:

What's new
==========

This release adds significant client-side functionality and several new widgets. The Python API remains mostly unchanged, with the exception of one major addition: you can now make any state variable available client-side by simply creating the state descriptor with a `json=True` kwarg.

For example, say you have a widget with a state variable called `stuff`:

    class MyWidget(wehjit.Widget):
        stuff = wehjit.Static('stuff')

To make `stuff` available client-side, just add `json=True` like this:

    class MyWidget(wehjit.Widget):
        stuff = wehjit.Static('stuff', json=True)

As far as new widgets, highlights include:

* Grid: an AJAX table with client-side sorting, row select (click) and activate (double click) events, and asynchronous updates via JSON-RPC.
* Dialog: a generic widget for transient client-side dialog boxes.
* DialogSet: controls the available Dialogs in a page.
* CRUDS: works in combination with Grid, Dialog, and DialogSet for AJAX Create, Retrieve, Update, Delete, and Search operations.

There is likewise quite a bit of new supporting JavaScript for the above widgets.

The demo has a new AJAX Demo example. However, as CRUDS must talk to a live JSON-RPC server, it doesn't work in the statically rendered demo. But you can run the demo from the source tree like this:

    ./wehjit-demo

Then just point your browser to http://127.0.0.1:8080/e4_grid

Lastly, the Menu widget has changed and won't display the MenuItems till you click on the Menu (previously it displayed on mouse over).

Download
========

The source tarball, API documentation, and statically rendered demo are all available here: http://jderose.fedorapeople.org/wehjit/0.2.0/

Updated packages for Fedora 12 and rawhide will be available in the next several days (yum install python-wehjit).

An unofficial Ubuntu Karmic package is available in my PPA (apt-get install python-wehjit): https://edge.launchpad.net/~jderose/+archive/ppa

Finally, you can use Bazaar to get my current code from either my fedorapeople page:

    bzr branch http://jderose.fedorapeople.org/bzr/wehjit/

Or from Launchpad:

    bzr branch lp:wehjit
[Freeipa-devel] [PATCH] jderose 033 Fix fuzzy digits under Fedora12
I'm not sure why the difference, but the uidnumber, gidnumber, etc. are being returned as `unicode` instead of `str` under Fedora12. Returning as `unicode` is correct, but this patch allows the test to still work under Fedora11 for the time being. From dafbfc22cccff32ff847a2e2eced09ac8c881378 Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Sun, 10 Jan 2010 17:47:15 -0700 Subject: [PATCH] Fixed xmlrpc_test.fuzzy_digits for Fedora12 --- tests/test_xmlrpc/xmlrpc_test.py |2 +- tests/util.py|2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test_xmlrpc/xmlrpc_test.py b/tests/test_xmlrpc/xmlrpc_test.py index 02b1f92..61fca50 100644 --- a/tests/test_xmlrpc/xmlrpc_test.py +++ b/tests/test_xmlrpc/xmlrpc_test.py @@ -32,7 +32,7 @@ from ipalib import errors # Matches a gidnumber like '1391016742' # FIXME: Does it make more sense to return gidnumber, uidnumber, etc. as `int` # or `long`? If not, we still need to return them as `unicode` instead of `str`. -fuzzy_digits = Fuzzy('^\d+$', type=str) +fuzzy_digits = Fuzzy('^\d+$', type=basestring) # Matches an ipauniqueid like u'784d85fd-eae7-11de-9d01-54520012478b' fuzzy_uuid = Fuzzy( diff --git a/tests/util.py b/tests/util.py index ed8ecad..4d5fea6 100644 --- a/tests/util.py +++ b/tests/util.py @@ -210,7 +210,7 @@ class Fuzzy(object): self.re = re.compile(regex) if type is None: type = unicode -assert type in (unicode, str) +assert type in (unicode, str, basestring) self.regex = regex self.type = type self.test = test -- 1.6.3.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
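Review bot: Fuzzy('^\d+$', type=basestring) in tests/test_xmlrpc/xmlrpc_test.py keeps a non-raw pattern anchored with $, and $ also matches just before a trailing newline, so a value like u'1391016742\n' would still count as digits. Since the line is being touched anyway, switch to a raw string with \Z, i.e. r'^\d+\Z'.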
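Review bot: Adding basestring to the assert in tests/util.py only helps if Fuzzy compares values with isinstance(); the hunk does not show that comparison, and no value ever has basestring as its exact type, so an identity check on type would make fuzzy_digits fail on both Fedora releases. Please confirm which comparison Fuzzy uses and add a case for type=basestring to the Fuzzy unit tests.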
Re: [Freeipa-devel] [PATCH] Improve modlist generation in ldap2. Some code cleanup as bonus.
On Tue, 2010-01-05 at 15:01 +0100, Pavel Zuna wrote:

ldap2._generate_modlist now uses more sophisticated means to decide when to use MOD_ADD+MOD_DELETE instead of MOD_REPLACE. Before it did MOD_REPLACE only on attributes explicitly specified in ldap2._FORCE_REPLACE_ON_UPDATE_ATTRS. Now it does MOD_REPLACE for all single value attributes and never for multi value.

This patch also silently fixes a bug: ldap2 didn't check for the existence of attributes that were being deleted by setting them to None.

Pavel

ack. pushed to master.

This patch looks fine and doesn't appear to break anything, but we *really* need tests for ldap2. It's low in our stack and almost every plugin uses it, so problems here have a high cost for us time-wise. So, Pavel, please provide tests in subsequent patch. I think this modlist functionality should be split out into functions that can be tested easily without requiring an LDAP connection.
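The rule described in this thread (MOD_REPLACE for single-valued attributes, MOD_ADD plus MOD_DELETE for multi-valued ones, no delete for attributes the entry lacks) can be written as a pure function and tested without a directory server. This is an added sketch, not the ldap2 code from the patch; the function name, its signature, the `single_valued` argument and the sample entry are assumptions made for illustration.

```python
# Opcodes with the same numeric values as LDAP_MOD_ADD / LDAP_MOD_DELETE /
# LDAP_MOD_REPLACE; defined locally so the example needs no LDAP library.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def _as_list(value):
    """Normalise None, a scalar or an iterable into a list of values."""
    if value is None:
        return []
    if isinstance(value, (list, tuple, set, frozenset)):
        return list(value)
    return [value]


def generate_modlist(old, new, single_valued):
    """Return [(op, attr, values), ...] that turns entry `old` into `new`.

    old, new      -- dicts of attribute name -> value(s); None in `new`
                     means "delete this attribute"
    single_valued -- set of lower-case names of SINGLE-VALUE attributes
                     (hypothetical input; a real caller would take this
                     from the server schema)
    """
    old_ci = dict((k.lower(), _as_list(v)) for k, v in old.items())
    modlist = []
    for attr in sorted(new, key=str.lower):
        key = attr.lower()
        have = old_ci.get(key, [])
        want = _as_list(new[attr])
        if not want:
            # Only delete what exists: deleting an absent attribute is the
            # case the thread calls out as a bug.
            if have:
                modlist.append((MOD_DELETE, key, None))
            continue
        if key in single_valued:
            if len(want) > 1:
                raise ValueError('%s is single-valued' % key)
            if want != have:
                modlist.append((MOD_REPLACE, key, want))
            continue
        # Multi-valued: touch only the values that differ, so values this
        # caller did not mention in its change are left alone.
        adds = [v for v in want if v not in have]
        dels = [v for v in have if v not in want]
        if adds:
            modlist.append((MOD_ADD, key, adds))
        if dels:
            modlist.append((MOD_DELETE, key, dels))
    return modlist


# Constructed sample entry and update.
OLD = {'uid': ['jdoe'], 'loginShell': ['/bin/sh'],
       'memberOf': ['a', 'b'], 'description': ['x']}
NEW = {'loginShell': '/bin/bash', 'memberOf': ['b', 'c'],
       'description': None, 'title': None}
SINGLE = {'uid', 'loginshell'}

if __name__ == '__main__':
    for mod in generate_modlist(OLD, NEW, SINGLE):
        print(mod)
```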
Re: [Freeipa-devel] [PATCH] 342 control the certificate subject in dogtag
On Fri, 2009-12-18 at 11:05 -0500, Rob Crittenden wrote: Use the caIPAserviceCert profile for issuing service certs. This profile enables subject validation and ensures that the subject that the CA issues is uniform. The client can only request a specific CN, the rest of the subject is fixed. This is the first step of allowing the subject to be set at installation time. Also fix 2 more issues related to the return results migration. Note that with the selfsign plugin it will still issue the subject that was in the CSR. rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] Allow creation of new connections by unshared instances of backend.Connectible.
On Tue, 2010-01-05 at 14:10 +0100, Pavel Zuna wrote:

The backend.Connectible base class was designed so that only one instance of each subclass is used at a time. Connectible generates a Connection object for each thread and stores it in thread-local storage (context). Subclasses access this object through the Connectible.conn property. This is a good thing, because one instance of the class can be shared by all threads and each thread has its own connection. Unfortunately, this is also a limitation. If a thread needs a second connection (to a different host for example) - it can't do it. Not even by creating a new instance of the Connectible subclass.

Ok, let's move from theory to practice: The LDAP backend is currently only used by the Executioner backend, so that plugins can connect to the IPA DS. In the migration plugin, we need a second connection to the DS we're migrating from. The last version had to use low level python-ldap calls to achieve this. In the installer we're still using legacy code from v1. Using ldap2 would be simpler and we could drop ~1000 lines of code. (I already started rewriting a few parts to see if it would work.)

Proposed solution: Make it possible to create unshared instances of Connectible subclasses. This would be achieved by passing shared_instance=False (couldn't come up with a better name) to the object constructor explicitly. Normally, Connection objects are stored in thread-local storage under the subclass name (e.g. ldap2). Unshared instances would store their Connection objects under subclass name + unique instance ID (e.g. ldap2_218adsfka7).

This is the only solution I could come up with, that doesn't involve breaking a lot of stuff - it just adds a new way of using the code we already have. The attached patches show how it would be done.

Pavel

I'm fine with this approach as the solution you propose is quite unobtrusive. Is this the final patch then, or will you make further changes or bundle it with another patch?
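The keying scheme proposed in this message, as an added sketch that is not ipalib's code: connections live in thread-local storage under the subclass name, or under the subclass name plus a unique ID when shared_instance=False. The method names, the dict standing in for a Connection and the example URIs are assumptions.

```python
import threading
import uuid

# Per-thread storage; each connection key is an attribute on this object.
context = threading.local()


class Connectible(object):
    """Backend whose connection is looked up in thread-local storage."""

    def __init__(self, shared_instance=True):
        name = type(self).__name__
        if shared_instance:
            self.id = name                      # e.g. 'ldap2'
        else:
            self.id = '%s_%s' % (name, uuid.uuid4().hex[:10])

    def create_connection(self, *args, **kw):
        raise NotImplementedError

    def connect(self, *args, **kw):
        if hasattr(context, self.id):
            raise RuntimeError('%s is already connected in %s'
                               % (self.id, threading.current_thread().name))
        setattr(context, self.id, self.create_connection(*args, **kw))

    def disconnect(self):
        if not hasattr(context, self.id):
            raise RuntimeError('%s is not connected' % self.id)
        # Remove the slot so a bound connection never outlives its use.
        delattr(context, self.id)

    def isconnected(self):
        return hasattr(context, self.id)

    @property
    def conn(self):
        return getattr(context, self.id)


class ldap2(Connectible):
    def create_connection(self, uri):
        # Stand-in for a real bind: records which thread owns the connection.
        return {'uri': uri, 'thread': threading.current_thread().name}


def demo():
    """Return (second_shared_ok, shared_uri, unshared_uri, seen_in_other_thread)."""
    shared = ldap2()
    shared.connect('ldap://ipa.example.test')
    try:
        # A second shared instance maps to the same key, so it cannot
        # open another connection in this thread.
        ldap2().connect('ldap://legacy.example.test')
        second_shared_ok = True
    except RuntimeError:
        second_shared_ok = False
    remote = ldap2(shared_instance=False)
    remote.connect('ldap://legacy.example.test')

    seen = []
    worker = threading.Thread(
        target=lambda: seen.append((shared.isconnected(), remote.isconnected())))
    worker.start()
    worker.join()

    result = (second_shared_ok, shared.conn['uri'], remote.conn['uri'], seen[0])
    remote.disconnect()
    shared.disconnect()
    return result


if __name__ == '__main__':
    print(demo())
```

The last element of the result shows that a connection opened in one thread, shared or unshared, is not visible from another.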
Re: [Freeipa-devel] [PATCH] 338 make hosts more like IPA services
On Wed, 2009-12-16 at 16:16 -0500, Rob Crittenden wrote: Since the host entry contains the host/ principal it needs to look a bit more like a service in order to be able to store certificates in it. This should make IPA work better with certmonger. rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] jderose 029 host and hostgroup messages, tests
I attached this again in case the incorrect .pach extension caused problems for anyone.

On Mon, 2009-12-14 at 13:37 -0700, Jason Gerard DeRose wrote:

This patch:

* Adds correct translatable `msg_summary` attributes on the host and hostgroup plugins
* Rewrites the host and hostgroup unit tests as `Declarative` based tests and expands their coverage somewhat
* Adds new tests.test_xmlrpc.objectclasses module where we can define the expected object classes in a single location

From 4b21511db40515af35884bfab82ada72ace79c5e Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Mon, 14 Dec 2009 13:25:12 -0700 Subject: [PATCH] host and hostgroup summary messages, declarative tests --- ipalib/plugins/hostgroup.py| 17 +- tests/test_xmlrpc/objectclasses.py | 40 tests/test_xmlrpc/test_host_plugin.py | 325 +++ tests/test_xmlrpc/test_hostgroup_plugin.py | 336 ++-- 4 files changed, 498 insertions(+), 220 deletions(-) create mode 100644 tests/test_xmlrpc/objectclasses.py diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py index 8e5cf5f..2a13170 100644 --- a/ipalib/plugins/hostgroup.py +++ b/ipalib/plugins/hostgroup.py @@ -21,9 +21,8 @@ Groups of hosts. -from ipalib import api -from ipalib import Int from ipalib.plugins.baseldap import * +from ipalib import api, Int, _, ngettext class hostgroup(LDAPObject): @@ -50,7 +49,8 @@ class hostgroup(LDAPObject): takes_params = ( Str('cn', cli_name='name', -doc='group name', +doc='host group name', +label='Host Group Name', primary_key=True, normalizer=lambda value: value.lower(), ), @@ -68,6 +68,8 @@ class hostgroup_add(LDAPCreate): Create new hostgroup. +msg_summary = _('Added hostgroup %(value)s') + api.register(hostgroup_add) @@ -76,6 +78,8 @@ class hostgroup_del(LDAPDelete): Delete hostgroup. +msg_summary = _('Deleted hostgroup %(value)s') + api.register(hostgroup_del) 
@@ -84,6 +88,8 @@ class hostgroup_mod(LDAPUpdate): Modify hostgroup. +msg_summary = _('Modified hostgroup %(value)s') + api.register(hostgroup_mod) @@ -92,6 +98,10 @@ class hostgroup_find(LDAPSearch): Search for hostgroups. +msg_summary = ngettext( +'%(count)d hostgroup matched', '%(count)d hostgroups matched' +) + api.register(hostgroup_find) @@ -117,4 +127,3 @@ class hostgroup_remove_member(LDAPRemoveMember): api.register(hostgroup_remove_member) - diff --git a/tests/test_xmlrpc/objectclasses.py b/tests/test_xmlrpc/objectclasses.py new file mode 100644 index 000..58a3671 --- /dev/null +++ b/tests/test_xmlrpc/objectclasses.py @@ -0,0 +1,40 @@ +# Authors: +# Jason Gerard DeRose jder...@redhat.com +# +# Copyright (C) 2008 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Defines the expected objectclass for various entries. + + +host = ( +u'ipaobject', +u'nshost', +u'ipahost', +u'pkiuser', +u'krbprincipalaux', +u'krbprincipal', +u'top', +) + +hostgroup = ( +u'ipaobject', +u'ipahostgroup', +u'nestedGroup', +u'groupOfNames', +u'top', +) diff --git a/tests/test_xmlrpc/test_host_plugin.py b/tests/test_xmlrpc/test_host_plugin.py index 009e98e..6bb6277 100644 --- a/tests/test_xmlrpc/test_host_plugin.py +++ b/tests/test_xmlrpc/test_host_plugin.py 
@@ -2,7 +2,7 @@ # Rob Crittenden rcrit...@redhat.com # Pavel Zuna pz...@redhat.com # -# Copyright (C) 2008 Red Hat +# Copyright (C) 2008, 2009 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or @@ -17,105 +17,230 @@ # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + -Test the `ipalib/plugins/host.py` module. +Test the `ipalib.plugins.host` module. -import sys -from xmlrpc_test import
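Review bot: In ipalib/plugins/hostgroup.py (@@ -50,7 +49,8) the new doc='host group name' and label='Host Group Name' strings are plain literals, while the msg_summary strings added in the same patch go through _() and ngettext(). If the label is shown to users it should be marked translatable the same way, or the commit message should say why it is left out.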
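Review bot: The header of the new file tests/test_xmlrpc/objectclasses.py says "Copyright (C) 2008 Red Hat" although the file is created by this December 2009 patch, and the same patch changes the header of test_host_plugin.py to "2008, 2009". Use 2009 in the new file so the two headers are consistent.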
Re: [Freeipa-devel] [PATCH] 332 aci return values
On Fri, 2009-12-11 at 17:42 -0500, Rob Crittenden wrote: Convert the aci plugin to understand the new return values system. I had to do some hacks here because the aci plugin returns a single unicode value back representing the aci, not a set of attributes. rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 334 add aci tests
On Fri, 2009-12-11 at 17:43 -0500, Rob Crittenden wrote: Add an extremely simple set of tests for the aci plugin. At this point something is better than nothing. rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 328 force deletion of replica
On Mon, 2009-12-07 at 23:06 -0500, Rob Crittenden wrote: This adds an option to ipa-replica-manage, --force, that will let you force the deletion of a replication agreement. Before this both ends had to be up and running for this to work, so that the agreement could be removed on both sides. But what if the remote has already been destroyed, either through an uninstall or the host went bye bye? This will let you force remove it from the local instance. I run into this a lot with replication testing because I always forget to remove the agreement before destroying a replica installation. rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 330 remove delegation patch
On Fri, 2009-12-11 at 17:39 -0500, Rob Crittenden wrote: The delegation patch was migrated from v1 and pretty much deprecated from the get-go. Let's finally put this thing down. It was replaced by the aci plugin. rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 331 add more options to make-test
On Fri, 2009-12-11 at 17:41 -0500, Rob Crittenden wrote: I like using the --pdb and --pdb-failures options with make-test. Add these to the make-test script to be passed along to nosetests. rob

Thanks for adding this, Rob. ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 329 real services
On Mon, 2009-12-07 at 23:21 -0500, Rob Crittenden wrote:

Make the IPA server host and its services real IPA entries

We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as real services instead.

This is a relatively manual process so if the schema for hosts or services changes this may require updates as well.

There remains a minor problem. If you create a replica, during the installation of that replica it will create host and service entries too. But if you retire this replica those entries will remain. The next time you try to install the replica it will fail with duplicate entries. I'll address this in the future as the easy workaround is to run `ipa host-del replica.example.com` and re-install the replica.

rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] jderose 027 Extensible return values
On Wed, 2009-12-09 at 23:08 -0500, Rob Crittenden wrote:

Jason Gerard DeRose wrote:

Okay, here's a revised patch. Significant additions/changes from the previous version are:

1. The return value dict now includes a 'summary' value, something like 'Added user jdoe'. This summary is used by the CLI and webUI. Previously I was generating the summary in the CLI and webUI separately. This removes the duplication and allows the commands to easily produce arbitrary summaries (before they were limited to a single summary format like 'Added user %(primary_key)s'). This also makes it easier for 3rd-party tools to provide UIs without having to introspect the Python API (because they happen to be written in PHP, whatever).

2. I renamed the 'primary_key' member in the return value dict to 'value'. This is simpler and will be easier on translators ('Added user %(primary_key)s' vs 'Added user %(value)s'). I'm also thinking of returning the name of the primary_key (e.g., 'uid') when returning an entry or a list of entries, so this opens the door for me to use 'key' in the future without confusion. Note this change is only relative to my previous proposed patch. The use of the return value dict hasn't yet hit master.

3. XMLRPC_test.setUp() no longer tests for server availability with `user-show notfound` prior to each test running. Instead, I try to connect to the server just once when the `xmlrpc_test` module loads, which sets the `server_available` module attribute. XMLRPC_test.setUp() will still raise nose.SkipTest for each test as before. This change helps the XMLRPC tests run much faster and also makes problems easier to debug server-side as there isn't all the `user-show notfound` background noise.

4. This adds my new `Declarative` base class for the XMLRPC tests which allows you to define the XMLRPC tests using simple data structures, letting the base class do the tedious stuff. IMHO, the tests are considerably faster and easier to write this way, but just as important is the fact that Declarative takes care of reporting the errors when a command's return value doesn't match what we expected. We have pretty good coverage in the XMLRPC tests, but we don't have very good reporting when something goes wrong. I've put a lot of effort into making sure typical error reports contain the information needed to quickly focus in on the problem. The most important part of the error reporting is in the new tests.util.assert_deepequal() function, which can be used by any test to compare two nested data structures. Currently only the test_user_plugin and test_group_plugin tests are using `Declarative`, but the rest will follow.

5. I rewrote the make-test script in Python and added a feature John asked for and one I wanted. John wanted the ability to easily run only the tests in one or more modules. You can now do this by specifying the module in Python notation or the module file. For example:

    ./make-test tests.test_xmlrpc.test_user_plugin

Or equivalently:

    ./make-test tests/test_xmlrpc/test_user_plugin.py

I wanted an easy way to use the nosetests --stop option, which causes the testing to abort upon reaching the first error, which I have found useful when updating plugins to one of my incompatible API changes. Use it like this:

    ./make-test --stop

Yup, big! May my patch reviewers one day forgive me.

-Jason

Ack. There are a couple of things we need to address such as porting the rest of the plugins to work with this new return value scheme but we can do that post-push. IMHO it is better to get this in now and clean up the few remaining items than to delay any further. We also need to try to avoid hardcoding domains in the tests. A couple of user tests look for dc=example,dc=com instead of api.env.basedn.

rob

Thanks. Pushed to master. I'll get on porting the few remaining plugins.
Re: [Freeipa-devel] [PATCH] jderose 028 Lossless datetime round-trip
On Thu, 2009-12-03 at 11:56 -0500, Rob Crittenden wrote:

Jason Gerard DeRose wrote:

As per John's request, this patch allows lossless round-tripping of Python datetime.datetime objects. Unfortunately, the xmlrpclib dumps() and loads() functions use funny wrapper objects like xmlrpclib.DateTime rather than directly serializing to/from standard Python types like datetime.datetime. This makes lossless round-tripping pretty cumbersome to implement. Doing a loads(foo, use_datetime=True) would work, but the `use_datetime` kwarg is only available in Python2.5 and newer, so I instead extended my xml_wrap() and xml_unwrap() functions.

What should this do if the incoming DateTime value is not parsed correctly by datetime.datetime()?

rob

I don't believe this can happen... DateTime and datetime are both stored in a time.struct_time, so if the XML contains an invalid date, things will have already blown-up when the DateTime was created. I imagine xmlrpclib will raise a ProtocolError error, but I can add a test for this.
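The round trip and the malformed-value case discussed in this exchange can be exercised directly. This is an added example, not code from the patch or from ipalib: it uses Python 3's xmlrpc.client (the successor of xmlrpclib) and a reduced xml_unwrap() built around the same datetime(*value.timetuple()[0:6]) conversion; the payloads and the failure_stage() helper are constructed for illustration.

```python
from datetime import datetime, timezone
from xmlrpc.client import DateTime, dumps, loads


def xml_unwrap(value):
    """Replace DateTime wrappers, also inside lists and dicts, with datetime."""
    if isinstance(value, (list, tuple)):
        return tuple(xml_unwrap(v) for v in value)
    if isinstance(value, dict):
        return dict((k, xml_unwrap(v)) for k, v in value.items())
    if isinstance(value, DateTime):
        # timetuple() parses the string received on the wire, so this is
        # where a value that is not YYYYMMDDTHH:MM:SS raises ValueError.
        return datetime(*value.timetuple()[0:6])
    return value


def round_trip(value):
    """dumps -> loads -> xml_unwrap, as a client/server exchange would do."""
    params, _method = loads(dumps((value,), allow_none=True))
    return xml_unwrap(params)[0]


def failure_stage(xml):
    """Report where a payload is rejected: 'loads', 'unwrap' or None."""
    try:
        params, _method = loads(xml)
    except Exception:
        return 'loads'
    try:
        xml_unwrap(params)
    except ValueError:
        return 'unwrap'
    return None


# Constructed payload carrying a dateTime.iso8601 value that is not a date.
MALFORMED = ('<params><param><value><dateTime.iso8601>20091345T99:99:99'
             '</dateTime.iso8601></value></param></params>')

WHOLE = datetime(2009, 2, 13, 23, 31, 30)
WITH_MICROS = datetime(2009, 2, 13, 23, 31, 30, 123456)
AWARE = datetime(2009, 2, 13, 23, 31, 30, tzinfo=timezone.utc)

if __name__ == '__main__':
    print('whole second :', round_trip(WHOLE) == WHOLE)
    print('microseconds :', round_trip(WITH_MICROS))
    print('tz-aware     :', round_trip(AWARE).tzinfo)
    print('malformed    :', failure_stage(MALFORMED))
```

A receiver that unwraps values this way should treat the ValueError from xml_unwrap() as invalid client input rather than letting it surface as an internal error.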
Re: [Freeipa-devel] [PATCH] 326 bump IPA install version
On Wed, 2009-12-02 at 16:26 -0500, Rob Crittenden wrote: We store a rough version of IPA at install time in the base object, bump this up to V2.0 rob

ack. pushed to master.
[Freeipa-devel] [PATCH] jderose 028 Lossless datetime round-trip
As per John's request, this patch allows lossless round-tripping of Python datetime.datetime objects. Unfortunately, the xmlrpclib dumps() and loads() functions use funny wrapper objects like xmlrpclib.DateTime rather than directly serializing to/from standard Python types like datetime.datetime. This makes lossless round-tripping pretty cumbersome to implement. Doing a loads(foo, use_datetime=True) would work, but the `use_datetime` kwarg is only available in Python2.5 and newer, so I instead extended my xml_wrap() and xml_unwrap() functions. From 92ce9fa408f4b2e05cb61e3e40498b56cb709960 Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Wed, 2 Dec 2009 21:41:24 -0700 Subject: [PATCH] Allow lossless round-trip of datetime objects over XML-RPC --- ipalib/rpc.py |9 +++-- tests/test_ipalib/test_rpc.py | 28 +--- 2 files changed, 32 insertions(+), 5 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 62f1d77..61af52d 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -35,7 +35,10 @@ import threading import socket import os import errno -from xmlrpclib import Binary, Fault, dumps, loads, ServerProxy, Transport, ProtocolError +from datetime import datetime +from xmlrpclib import dumps, loads +from xmlrpclib import Binary, Fault, DateTime, ProtocolError +from xmlrpclib import ServerProxy, Transport import kerberos from ipalib.backend import Connectible from ipalib.errors import public_errors, PublicError, UnknownError, NetworkError @@ -89,7 +92,7 @@ def xml_wrap(value): ) if type(value) is str: return Binary(value) -assert type(value) in (unicode, int, float, bool, NoneType) +assert type(value) in (unicode, int, float, bool, datetime, NoneType) return value 
@@ -122,6 +125,8 @@ def xml_unwrap(value, encoding='UTF-8'): if isinstance(value, Binary): assert type(value.data) is str return value.data +if isinstance(value, DateTime): +return datetime(*value.timetuple()[0:6]) assert type(value) in (unicode, int, float, bool, NoneType) return value diff --git a/tests/test_ipalib/test_rpc.py b/tests/test_ipalib/test_rpc.py index d5dd38c..ea0620f 100644 --- a/tests/test_ipalib/test_rpc.py +++ b/tests/test_ipalib/test_rpc.py @@ -22,7 +22,8 @@ Test the `ipalib.rpc` module. import threading -from xmlrpclib import Binary, Fault, dumps, loads, ServerProxy +from xmlrpclib import Binary, DateTime, Fault, dumps, loads, ServerProxy +from datetime import datetime from tests.util import raises, assert_equal, PluginTester, DummyClass from tests.data import binary_bytes, utf8_bytes, unicode_str from ipalib.frontend import Command @@ -53,6 +54,9 @@ def test_round_trip(): This tests the two functions together with ``xmlrpclib.dumps()`` and ``xmlrpclib.loads()`` in a full wrap/dumps/loads/unwrap round trip. +dt_utc = datetime.utcfromtimestamp(1234567890) +dt_loc = datetime.fromtimestamp(1234567890) + # We first test that our assumptions about xmlrpclib module in the Python # standard library are correct: assert_equal(dump_n_load(utf8_bytes), unicode_str) @@ -65,6 +69,13 @@ def test_round_trip(): assert_equal(dump_n_load(u''), '') assert dump_n_load(None) is None +dnl_utc = dump_n_load(dt_utc) +assert_equal(dnl_utc, DateTime(dt_utc)) +assert isinstance(dnl_utc, DateTime) +dnl_loc = dump_n_load(dt_loc) +assert_equal(dnl_loc, DateTime(1234567890)) +assert isinstance(dnl_loc, DateTime) + # Now we test our wrap and unwrap methods in combination with dumps, loads: # All str should come back str (because they get wrapped in # xmlrpclib.Binary(). All unicode should come back unicode because str 
@@ -78,8 +89,19 @@ def test_round_trip(): assert_equal(round_trip(''), '') assert_equal(round_trip(u''), u'') assert round_trip(None) is None -compound = [utf8_bytes, None, binary_bytes, (None, unicode_str), -dict(utf8=utf8_bytes, chars=unicode_str, data=binary_bytes) + +assert_equal(round_trip(dt_utc), dt_utc) +assert isinstance(dt_utc, datetime) +assert_equal(round_trip(dt_loc), dt_loc) +assert isinstance(dt_loc, datetime) + +compound = [utf8_bytes, None, binary_bytes, (None, unicode_str), dt_loc, +dict( +utf8=utf8_bytes, +chars=unicode_str, +data=binary_bytes, +datetime=dt_utc, +), ] assert round_trip(compound) == tuple(compound) -- 1.6.3.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
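Review bot: in the xml_unwrap hunk, `datetime(*value.timetuple()[0:6])` rebuilds the value from year through second only, so microseconds and any tzinfo on the original datetime do not survive, and the new tests only exercise 1234567890, which has neither. Either state in the docstring that the round trip is lossless for naive, whole-second datetimes only, or have xml_wrap reject or normalise values that carry microseconds or tzinfo so the loss is not silent.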
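Review bot: in the last test hunk, `assert isinstance(dt_utc, datetime)` and `assert isinstance(dt_loc, datetime)` check the inputs, which are datetime by construction, not the values returned by round_trip(). Bind the result first, e.g. `rt = round_trip(dt_utc)`, and assert `isinstance(rt, datetime)` on it, so a regression that hands back the xmlrpclib wrapper type is caught by the type check rather than left to the equality check alone.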
Re: [Freeipa-devel] [PATCH] 320 remove /etc/ipa/ipa.conf
On Tue, 2009-12-01 at 10:36 -0500, Rob Crittenden wrote:
Jason Gerard DeRose wrote:
On Wed, 2009-11-25 at 17:43 -0500, Rob Crittenden wrote:
The configuration file /etc/ipa/ipa.conf was used by the v1 clients and servers to manually set realm, domain and server(s). This has been renamed to /etc/ipa/default.conf in v2. Some old utilities still referenced this old file and we still created it. This patch should completely remove it.
rob

This isn't applying to the current master:

Applying: Replace /etc/ipa/ipa.conf with /etc/ipa/default.conf
error: patch failed: ipa.spec.in:473
error: ipa.spec.in: patch does not apply
Patch failed at 0001 Replace /etc/ipa/ipa.conf with /etc/ipa/default.conf

Boy that spec file trips me up every time. New patch attached.
rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 323 type argument for x509.load_certificate()
On Tue, 2009-12-01 at 17:20 -0500, Rob Crittenden wrote:
Add a type argument (PEM or DER) for x509.load_certificate(). Certs are coming out of LDAP as binary so we need to be able to handle that too. Seems more sane to add an argument than to base64-encode it.
rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 324 add errors.NotImplementedError
On Tue, 2009-12-01 at 17:23 -0500, Rob Crittenden wrote:
This deprecates a similar patch from John last month. The server-side baseclass rabase defines a framework for CA plugins. When I added this code I set it up to return errors.NotImplementedError but didn't actually include that error class in the commit. I'm adding that in now, favoring it over the python built-in exception of the same name because it is more friendly to the client (they get a command not implemented instead of an InternalError). Ideally we should not register commands that aren't implemented, I'll tackle that soon but for now this will fill in the gap. This also wraps the call to cert_revoke() in the service plugin to not blow up if using the selfsign CA which doesn't implement revocation.
rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 318 add PKCS#10 parser
On Tue, 2009-11-24 at 16:17 -0500, Rob Crittenden wrote:
The pyOpenSSL PKCS#10 parser doesn't provide a way to get to attributes so we can't get the subject alt names (or other interesting bits). This pyasn1-based parser adds that support. I'm also switching to the pyasn1 X509v3 support because older releases of pyOpenSSL lacked the get_components() method on subjects making it difficult to get a usable subject. This PKCS#10 parser cannot handle all possible attribute types. It should be robust enough to not blow up if it gets something it knows nothing about.

If a subjectaltname extension is present in a CSR we:
- require that the host(s) exist in IPA
- If the requestor is a machine then the alt names must be present in the service's managedBy attribute. This is so we can control what host(s) a machine can request a cert for.

I'm working on a way to be able to set the service principal within the request. Nalin's certmonger program will set it as an otherName in the GeneralNames attribute. We should be able to make principal an optional argument to cert-request and use the value from the CSR (and blow up if we get it neither way).
rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 319 add -s option to ipa-join
On Wed, 2009-11-25 at 11:37 -0500, Rob Crittenden wrote:
In ipa-client-install we do the ipa-join before creating any of the configuration files. I added a -s option to ipa-join to specify the IPA server since it won't be defined in /etc/ipa/default.conf yet. I discovered to my chagrin that previous testing of this worked because /etc/ipa/default.conf isn't owned by our packages. I'll fix this in a future patch.
rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 320 remove /etc/ipa/ipa.conf
On Wed, 2009-11-25 at 17:43 -0500, Rob Crittenden wrote:
The configuration file /etc/ipa/ipa.conf was used by the v1 clients and servers to manually set realm, domain and server(s). This has been renamed to /etc/ipa/default.conf in v2. Some old utilities still referenced this old file and we still created it. This patch should completely remove it.
rob

This isn't applying to the current master:

Applying: Replace /etc/ipa/ipa.conf with /etc/ipa/default.conf
error: patch failed: ipa.spec.in:473
error: ipa.spec.in: patch does not apply
Patch failed at 0001 Replace /etc/ipa/ipa.conf with /etc/ipa/default.conf
Re: [Freeipa-devel] [PATCH] 313 fix aci plugin host helper
On Thu, 2009-11-12 at 13:23 -0500, Rob Crittenden wrote:
When creating an aci to cover host objects the wrong attribute is used in the DN. It should be using fqdn, not cn.
rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 285 CRL publishing
On Wed, 2009-11-25 at 15:09 -0500, Rob Crittenden wrote:
Jason Gerard DeRose wrote:
On Wed, 2009-11-25 at 13:45 -0500, Rob Crittenden wrote:
Jason Gerard DeRose wrote:
On Tue, 2009-11-17 at 15:06 -0500, Rob Crittenden wrote:
This enables CRL publishing by dogtag to a place where Apache can get the files. I have to do a couple of tricks here because dogtag is an optional component. This is why in the installer I first see if the dogtag SELinux policy is installed and if not add it. Similarly the installer will remove it upon uninstall. The policy itself just lets dogtag write to some Apache-labeled directories. dogtag uses symlinks to mark the latest CRL hence the permissions for links.
rob

can't get this to apply:

Applying: Add SELinux policy for CRL file publishing.
error: patch failed: ipa.spec.in:379
error: ipa.spec.in: patch does not apply
error: patch failed: selinux/Makefile:1
error: selinux/Makefile: patch does not apply
Patch failed at 0001 Add SELinux policy for CRL file publishing.
When you have resolved this problem run git am --resolved.
If you would prefer to skip this patch, instead run git am --skip.
To restore the original branch and stop patching run git am --abort.

Rebased patch attached.

nack. This seems to be breaking the installer. This was a clean build and install:

Failed to populate the realm structure in kerberos Command '/usr/kerberos/sbin/kdb5_ldap_util -D uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com -w Xlt%3j8}VX create -s -P grbc/F+Sh` -r EXAMPLE.COM -subtrees dc=example,dc=com -sscope sub' returned non-zero exit status 1
[6/13]: adding default keytypes
root: CRITICAL Failed to load default-keytypes.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpdRo9BD -f /tmp/tmpdls3uk' returned non-zero exit status 32
ipa: CRITICAL: Failed to load default-keytypes.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpdRo9BD -f /tmp/tmpdls3uk' returned non-zero exit status 32
[7/13]: creating a keytab for the directory
Unexpected error - see ipaserver-install.log for details: Command '/usr/kerberos/sbin/kadmin.local -q addprinc -randkey ldap/fedora11.example@example.com' returned non-zero exit status 1

I attached the log.

Very strange, I can't reproduce this. What release are you on? What version of krb5-server do you have installed?
rob

Hmm, I must have had something weird in my tree. I just did two clean build and installs without error.

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] Print only one line of docstrings in command listings.
On Thu, 2009-11-19 at 15:57 +0100, Pavel Zuna wrote:
Full docstring is shown on `ipa help COMMAND`
Pavel

nack. There is already a Plugin.summary attribute containing the first line of the docstring. See ipalib/plugable.py line 170.
Re: [Freeipa-devel] [PATCH] 307 enforce scalar
On Wed, 2009-11-04 at 09:46 -0500, Rob Crittenden wrote:
_convert_scalar() should not handle tuples/lists (by definition). A parameter may be multivalued but even then _convert_scalar() gets the values one at a time.
rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 308 manage arbitrary attributes
On Tue, 2009-11-10 at 12:28 -0500, Rob Crittenden wrote:
Jason Gerard DeRose wrote:
Oops, was this missing the attachment? ;)

Bah, here it is.
rob

ack. pushed to master.

On Wed, 2009-11-04 at 16:04 -0500, Rob Crittenden wrote:
This adds 2 new parameters, --setattr and --addattr and lets you manage whatever attribute you want (within the given set of objectclasses). Both take a name/value pair.

--setattr sets the attribute to the given value
--addattr adds the value to an attribute. Can be used to manage multi-valued attributes

For example:

ipa user-mod --addattr=postalcode=90210 jsmith

If the attribute to be modified is another param then the value is silently dropped. You can include multiples of these on a single command-line:

ipa user-mod --addattr=postalcode=20601 --addattr=postalcode=30330 jsmith

Setting an attribute to deletes it:

ipa user-mod --setattr=postalcode= jsmith

rob
Re: [Freeipa-devel] [PATCH] 309 make exception from ipautil.run() optional
On Wed, 2009-11-11 at 11:41 -0500, Rob Crittenden wrote: Rob Crittenden wrote: There are probably occasions where a caller will want more control over what happens when running a command fails. I've added an optional argument to run where it will not raise an exception on errors. I've also added returncode to the tuple of things returned. rob I forgot to include this additional change in the patch. When acked I'll add this bit too and commit it. --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -100,7 +100,7 @@ class HTTPInstance(service.Service): if selinux: try: # returns e.g. httpd_can_network_connect -- off -(stdout, stderr) = ipautil.run([/usr/sbin/getsebool, +(stdout, stderr, returncode) = ipautil.run([/usr/sbin/getsebool, httpd_can_network_connect]) self.backup_state(httpd_can_network_connect, stdout.split()[2]) except: ack. It all looks fine to me, although I can't get this patch to apply. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
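Review bot: the bare `except:` kept as context right after the changed call in httpinstance.py is what makes this kind of miss easy to overlook: once run() returns three values, the old `(stdout, stderr) = ...` unpacking raises ValueError, the handler swallows it, and backup_state() is silently skipped. Narrow the handler to the errors ipautil.run() is expected to raise, and since `returncode` is now unpacked but not used in the visible lines, either check it before `stdout.split()[2]` or make it an explicit throwaway name.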
[Freeipa-devel] Return values, CRUD, webUI
The vast majority of our Command plugins subclass from one of the CRUD base classes, so in terms of return value consistency and API style, we need to focus most on them (and then adapt their style to the few non-CRUD commands).

While hooking up the webUI there have been many, many small problems in the core library and plugins that have caused unexpected setbacks for me. Some features that I needed got changed without me noticing, some of my half-baked designs needed more baking, some features were missing, and some new code I was just unfamiliar with. Point is, I've spent a lot of time battling little gotchas and thinking about how best to clean these things up.

Here are the guidelines I propose we follow:

A return value dict
===================

As much as possible, I want to keep our return values very simple and regular. This 1) makes our API easy to learn and use, and 2) makes it easy to use the return values to drive UI logic on both the CLI and webUI.

One current source of irregularity is the need to pass the "this isn't all the entries" flag from LDAP when we do searches. For example, `user_find` returns an (entry_list, more_remains) tuple. The problem is that most of the code paths don't care about the `more_remains` flag... they just need to know whether a list of entries was returned (result is a list) or whether a single entry was returned (result is a dict).

At the same time, we obviously need a way to pass extra data like the `more_remains` flag and it would be nice to be able to extend a return value with additional special data without breaking code or causing an explosion of special cases. So I propose that our return values always be a dict containing at least a 'result', leaving us the option to extend the return value without breaking code that just looks at ret['result']. So in the case of a search, instead of:

    ([{'uid': 'foo'}, {'uid': 'bar'}, ...], True)

We should return:

    {
        'result': [{'uid': 'foo'}, {'uid': 'bar'}, ...],
        'more_remains': True,
        ...
        'extend': 'as-needed',
    }

The following all assume we are returning {'result': blah} even though they don't show it...

Entries
=======

95% of our return values are LDAP entries. Currently we're returning pretty much the raw value from python-ldap (although we are decoding UTF-8 into `unicode` objects for use in the Python pipeline and encoding back to UTF-8 on the way out, which is good). But the data structure returned from python-ldap is pretty awkward to work with.

First, at the top it's typically a (dn, entry) tuple. Assuming the 'dn' key doesn't conflict with any sane LDAP attribute names, I think we should return a single dict with the dn stored under the 'dn' key. So instead of:

    ('uid=jdoe,cn=users,cn=accounts,dc=example,dc=com', {'sn': ['Doe']})

We should return:

    {'dn': 'uid=jdoe,cn=users,cn=accounts,dc=example,dc=com', 'sn': ['Doe']}

Second, currently we return all attribute values inside a list whether or not they're multi-value. This leads to lots of special cases throughout the code that would be better dealt with in a single place, in LDAP Backend adapter, IMHO. So instead of:

    {'uid': ['jdoe'], 'group': ['foo', 'bar']}

We should return:

    {'uid': 'jdoe', 'group': ['foo', 'bar']}

Lists of Entries
================

When a command returns multiple entries, the entries should be in the same form as they are from commands that return only one entry. For example, currently user-find returns each entry as a (uid, entry) tuple. I think this should again be replaced with a single dict without the uid being duplicated.

Create
======

If successful, we should return the resulting entry in standard form. If any error occurs, we should raise an appropriate exception.

Retrieve
========

If successful, we should return the entry in standard form. If no such entry exists we should raise a NotFound exception. If any other error occurs, we should raise an appropriate exception.

Update
======

(Same as Create.)

Delete
======

(Same as Retrieve.)

Search
======

If one or more entries matches the search criteria, we should return a list of entries, where each entry is in standard form. If no entries match, we should return an empty list. If an error occurs, we should raise an appropriate exception.

Thoughts?

-Jason
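The return shape proposed above, as an added example that is not part of the original post and not FreeIPA code: one way a backend adapter could turn python-ldap style (dn, attrs) tuples into the standard entry dict and the {'result': ...} envelope. The function names, the MULTIVALUE set and the NotFound stand-in are assumptions made for the example; it also shows why the adapter needs schema knowledge, because a multi-valued attribute that happens to hold one value must still come back as a list.

```python
class NotFound(Exception):
    """Stand-in for the NotFound error named in the proposal (hypothetical)."""


# Attributes treated as multi-valued. This set is an assumption for the
# example; a real adapter would derive it from the LDAP schema or from the
# plugin's parameter definitions, never from how many values it sees.
MULTIVALUE = frozenset(["group", "objectclass"])


def to_entry(dn, attrs, multivalue=MULTIVALUE):
    """Convert one (dn, attrs) pair into the single-dict standard form."""
    if any(name.lower() == "dn" for name in attrs):
        raise ValueError("attribute name collides with the reserved 'dn' key")
    entry = {"dn": dn}
    for name, values in attrs.items():
        if name.lower() in multivalue:
            entry[name] = list(values)      # always a list, even with 1 value
        elif len(values) == 1:
            entry[name] = values[0]         # single-valued: unwrap the list
        else:
            raise ValueError(
                "%r is single-valued but has %d values" % (name, len(values))
            )
    return entry


def search_result(raw, truncated):
    """Search: list of standard entries plus the 'more_remains' flag."""
    return {
        "result": [to_entry(dn, attrs) for dn, attrs in raw],
        "more_remains": bool(truncated),
    }


def retrieve_result(raw):
    """Retrieve: exactly one standard entry, NotFound when nothing matched."""
    if not raw:
        raise NotFound("no such entry")
    dn, attrs = raw[0]
    return {"result": to_entry(dn, attrs)}


# Constructed sample in the shape python-ldap hands back.
SAMPLE = [
    ("uid=jdoe,cn=users,cn=accounts,dc=example,dc=com",
     {"uid": ["jdoe"], "sn": ["Doe"], "group": ["foo"]}),
    ("uid=bar,cn=users,cn=accounts,dc=example,dc=com",
     {"uid": ["bar"], "sn": ["Bar"], "group": ["foo", "bar"]}),
]

if __name__ == "__main__":
    ret = search_result(SAMPLE, truncated=True)
    # Callers that only want the entries ignore every other key.
    for entry in ret["result"]:
        print(entry["dn"], entry["uid"], entry["group"])
    print("more_remains:", ret["more_remains"])
```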
Re: [Freeipa-devel] [PATCH] Use File parameter for CSR in cert_request command plugin.
On Fri, 2009-11-06 at 11:47 +0100, Pavel Zuna wrote:
Makes use of the new File parameter introduced in my previous patch.
Pavel

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 306 selinux policy for assets
On Tue, 2009-11-03 at 15:29 -0500, Rob Crittenden wrote:
This adds some SELinux policy for /var/cache/ipa/assets and /var/cache/ipa/sessions. I've also disabled Indexing on /ipa-assets and removed the deprecated IPADebug option. This effectively removes ipa_webgui too. I've left the directory there for now (mostly for reference).
rob

ack. I pushed this and my 026 patch to master.
Re: [Freeipa-devel] [PATCH] 304 hosts requesting certificates
On Tue, 2009-11-03 at 09:37 -0500, Rob Crittenden wrote:
Jason Gerard DeRose wrote:
On Wed, 2009-10-28 at 17:41 -0400, Rob Crittenden wrote:
I had originally implemented allowing a host to request certificates for other hosts using the requesting IP address. That was a pretty lousy way to do it. This patch uses the DS ACI system instead. We came up with a clever ACI that lets hosts listed in the managedBy attribute in the service modify the userCertificate attribute. So you can use this to delegate which hosts can request certificates for which services, even for other machines.

I also re-ordered the request_certificate() method a bit. We want all the service work done before we do the certificate request. It was previously adding the service after the cert request was done. This could mean a failed request if the requestor isn't allowed to add services. But it is also too late because the cert had already been issued.

I documented how this works a bit at http://www.freeipa.org/page/Certificate_Authority
rob

I'm having problems applying this patch:

error: install/share/60basev2.ldif: patch does not apply

It was because the syntax of the fqdn attribute in 60basev2.ldif changed and it was in the context of this patch. New patch attached.
rob

ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 305 remove a principal from a keytab
On Fri, 2009-10-30 at 16:30 -0400, Rob Crittenden wrote:
I wasn't able to find a command-line program to remove principals from a keytab so I wrote my own. ktutil can do it but it doesn't take command-line arguments. Java ships a utility named ktab but adding a huge dependency for one app seems a bit much :-)

In any case, this program has 2 modes:
1. Given a keytab and a principal, remove all entries of that principal from the keytab. This removes all versions and encryption types.
2. Given a realm remove all principals in that realm. I cheat a little and insert an @ before the principal name because all this really does is a strstr() to see if the principal in the keytab is in the realm provided.

This utility will be added to the ipa-client-uninstall script at some point to clean up /etc/krb5.keytab.
rob

ack. Rob walked me through its use on #freeipa, and it works as advertised.
Re: [Freeipa-devel] Fedora12: Looping detected inside krb5_get_in_tkt
On Thu, 2009-10-22 at 19:57 -0400, Nalin Dahyabhai wrote:
On Mon, Oct 12, 2009 at 10:17:21PM -0600, Jason Gerard DeRose wrote:
To help ensure that my new UI patch won't break our daily builds, I've tried building it under Fedora 12 as it has python-assets and python-wehjit. It builds fine, but when I kinit, I get this error:

[r...@fedora12 ~]# kinit ad...@example.com
Password for ad...@example.com:
kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials

Anyone have any ideas?

This came up on the upstream list recently; I haven't reproduced it myself, but it looks like it'll happen if you fail to preauthenticate in a number of ways where the KDC doesn't return a more-specific error code. Does the database entry for ad...@example.com have keys in it? Did you type the right password? Is there anything in the KDC logs that provides more detail? Do you have a packet capture? The size and contents of the e-data returned with the error can help narrow it down.

HTH,
Nalin

How do I check whether the database entry for ad...@example.com has keys in it? Yes, I'm typing the password correctly, and I get the same error even when I deliberately type the wrong password.

The /var/log/krb5kdc.log file has this repeated over and over again:

Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth (timestamp) verify failure: No matching key in entry
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.122.12: PREAUTH_FAILED: ad...@example.com for krbtgt/example@example.com, Preauthentication failed
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth (timestamp) verify failure: No matching key in entry
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.122.12: PREAUTH_FAILED: ad...@example.com for krbtgt/example@example.com, Preauthentication failed
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth (timestamp) verify failure: No matching key in entry
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.122.12: PREAUTH_FAILED: ad...@example.com for krbtgt/example@example.com, Preauthentication failed
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth (timestamp) verify failure: No matching key in entry
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.122.12: PREAUTH_FAILED: ad...@example.com for krbtgt/example@example.com, Preauthentication failed

I'm running this on a VM that I installed from Fedora 12 alpha, but have updated since. I snapshot prior to building and installing freeipa, so this is a fairly clean setup. ipa-server-install appears to succeed, but upon trying to kinit as ad...@example.com, I get the above error.
Re: [Freeipa-devel] [PATCH] 302 clean up join plugin
On Fri, 2009-10-23 at 18:40 +0200, Pavel Zůna wrote:
Rob Crittenden wrote:
Remove a bunch of unused imports, add some docstrings, etc.
rob

ack.
Pavel

ack. pushed to master.
Re: [Freeipa-devel] validating return values in XML-RPC
So I've been thinking about this as I've been doing the UI tuning (extending meta-data and making the engine smarter). I agree with John that we need to describe the return values programmatically. We can also kill two birds with one stone here because the description of the return values is a great way to provide some of the meta-data the UI needs (and the CLI... there is something in place now, but it's not easily pluggable).

I personally feel the design of the Param system has held up pretty well (Rob and Pavel, speak now or forever hold your peace), so I think we should use the Param classes to describe the return values. This will really help us reduce code duplication and allow for good pluggability because, as usual, most of our commands are CRUD operations, so we can generally use some auto-magic to deduce the return values from the corresponding Object params.

Thoughts?

On Wed, 2009-10-07 at 19:48 -0400, John Dennis wrote:
Sorry to harp on this :-) But the more I work with the XML-RPC interface from non-python code the more I think we've got a problem.

The first problem is what was discussed in the team meeting. You don't know what a function is going to return and nothing enforces the consistency of return values. Jason has done an awesome job of enforcing the consistency of input arguments, but that's only half the battle. What gets returned is purely a function of what the plugin author happens to stuff into the plugin's return statement. There is no enforcement of how many values get returned, what their types are, what is optional, what is mandatory, etc. In other words everything which is enforced on the input side of the call is absent on the output side, it should be obvious why this is a problem, especially for any callers of XML-RPC which are *not* in the python plugin framework.

The second problem I've run into with return values is especially pernicious because the plugin framework is hiding a very fundamental and apparently common error. Here is the issue:

* We've adopted the convention that *all* strings will be unicode objects.
* str objects will be treated as binary data
* Python will in many instances freely convert between str objects and unicode objects.
* If a plugin wants to return a string it *must* return a unicode object. If the plugin mistakenly returns a str object (a very very easy mistake to make) then what gets returned through XML-RPC is a *binary* base64 encoded blob, not an XML-RPC *string* value! The above is so critical let me repeat it: FAILING TO ASSURE A RETURNED STRING IS UNICODE AND NOT STR RESULTS IN BINARY BLOBS ON THE RECEIVING END INSTEAD OF A STRING.
* However, the python framework *hides* the error on the return side because it decodes the base64 binary value back into a str object. Because str objects and unicode objects are often interchangeable the python code receiving the return value thinks it sees the right result even though it's not.

If we're going to have other clients of the XML-RPC interface then that client *must* know what the return values are and what their type is. It can't (or shouldn't) do things like:

* I was expecting a string but I got a binary blob so that must have been a mistake so I'll treat the binary blob as a string and hope it's correct.

-or-

* I was expecting an integer but I actually got a string (yes there are plugins which do this), so I'll try to read an integer value out of the string. But wait, suppose the plugin author who returned the integer as a string forgot to assure that the string representing the integer was a unicode object and not a str object, then the receiver really has to start guessing because he's gotten back a binary blob. Is that binary blob a 2's complement representation of a signed integer, is it an unsigned integer, or is the binary blob a string representation of the integer?

Clearly this doesn't work.

Now let's suppose another common scenario. The plugin author discovers he has mistakenly returned a str object when it should have been a unicode object and corrects his mistake, seemingly innocent because everything continues to work (but only in python). We have a non-python client of the XML-RPC interface who has corrected for the mistake by expecting binary data for the string, now that client fails! Or let's say the plugin was correctly returning a unicode object but some seemingly innocent change is made and the value ends up being a str object instead. Once again the python code continues to work correctly but the non-python code fails.

So how easy is it for Python programmers to make the mistake between str and unicode? *VERY VERY EASY!* In fact it's so easy even Jason's documentation and examples sometimes make the mistake. It's an especially easy mistake to make when calling another function because the vast majority of existing Python libraries return
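The wire-level effect described in this thread, as an added example that is not part of the original messages and not FreeIPA code. It uses Python 3's xmlrpc.client (the successor of xmlrpclib), where bytes plays the role that str played in Python 2; the spec format, function names and sample result are assumptions made for the example. It reports the XML-RPC element a non-Python client would receive for each returned value and checks a result against a declared return specification before it is marshalled.

```python
import xml.etree.ElementTree as ET
import xmlrpc.client as xmlrpclib  # Python 3 name of the xmlrpclib module
from datetime import datetime


def wire_type(value):
    """Name of the XML-RPC element a non-Python client receives for value."""
    xml = xmlrpclib.dumps((value,), allow_none=True)
    # dumps() without a method name yields <params><param><value><TYPE>...
    return ET.fromstring(xml).find("./param/value")[0].tag


def wire_types(result):
    """Map each key of a returned struct to its XML-RPC wire type."""
    return {key: wire_type(val) for key, val in result.items()}


def type_errors(value, spec, path="result"):
    """Compare a return value with a declared spec; return all mismatches.

    spec is a Python type, a one-element list (list of that spec) or a dict
    of key -> spec. Exact types are compared, as the thread asks for text to
    be text and never a binary blob that merely looks similar in Python.
    """
    if isinstance(spec, dict):
        if type(value) is not dict:
            return ["%s: expected struct, got %s" % (path, type(value).__name__)]
        errors = ["%s: missing key %r" % (path, k) for k in spec if k not in value]
        errors += ["%s: undeclared key %r" % (path, k) for k in value if k not in spec]
        for key in spec:
            if key in value:
                errors += type_errors(value[key], spec[key], "%s[%r]" % (path, key))
        return errors
    if isinstance(spec, list):
        if type(value) not in (list, tuple):
            return ["%s: expected array, got %s" % (path, type(value).__name__)]
        errors = []
        for index, item in enumerate(value):
            errors += type_errors(item, spec[0], "%s[%d]" % (path, index))
        return errors
    if type(value) is not spec:
        return ["%s: expected %s, got %s" % (path, spec.__name__, type(value).__name__)]
    return []


# Constructed sample: what a plugin declares and what it actually returns.
RETURN_SPEC = {"uid": str, "givenname": str, "uidnumber": int, "created": datetime}
BUGGY_RESULT = {
    "uid": "jdoe",
    "givenname": b"John",        # byte string where text was intended
    "uidnumber": "1001",         # integer returned as a string
    "created": datetime(2009, 10, 7, 19, 48),
}

if __name__ == "__main__":
    for key, kind in wire_types(BUGGY_RESULT).items():
        print("%-10s -> <%s>" % (key, kind))
    for problem in type_errors(BUGGY_RESULT, RETURN_SPEC):
        print("REJECT", problem)
```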
Re: [Freeipa-devel] Integer parameters
On Mon, 2009-10-19 at 10:24 -0400, John Dennis wrote:
On 10/19/2009 09:12 AM, Pavel Zuna wrote:
John Dennis wrote:
I wanted to assure myself if a command was expecting an integer value, it could be input in whatever radix the user desires and be correctly converted. If I understand correctly this code is in parameters.py and is implemented by the _convert_scalar member function. The Int and Float classes derive from the Number class and inherit Number._convert_scalar which attempts to call the type (e.g. constructor). However the int class only supports base 10 radix strings in its constructor, it will not do radix conversion. Shouldn't the Int parameter class have its own _convert_scalar which invokes int(value, 0)? (Note: the second argument to the int constructor is the radix base, with 0 being a special value indicating the radix is to be derived from the prefix)

Int only accepts base 10. As you say, we could extend _convert_scalar and have it accept different bases. The question is, do we need/want it to? If we do, then it shouldn't be too hard to implement (and I volunteer to do it).

Thanks, but I've already made the code change and it will show up in a patch shortly. My main concern was this would alter the UI (accepting a radix other than base 10) and I wanted to make sure this did not occur without some discussion and/or awareness of the change.

My personal feeling is the desired behavior for our interfaces is:

* By default all integers are accepted as base 10 and presented in the UI as base 10.
* However to be friendly and to conform to some other external conventions, it should be possible to supply a value in hex and have the UI properly handle it.

It's less clear to me whether the UI should ever present an integral value in hex even if there is some precedent for that particular value being presented in hex.

I think this sounds reasonable: allow ints to be specified in any base for which a Python literal repr exist (so I think that's base 10, 16, 8, and 2), but always display base 10 to the user.
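The int(value, 0) conversion discussed in this thread, as an added example that is not part of the original messages and not the ipalib implementation. The function name convert_int and its rejection rules are assumptions made for the example, written for Python 3; the case worth noticing is a leading zero, which Python 2's int('010', 0) read as octal 8, a surprise for anyone typing a zero-padded decimal.

```python
import re

# A bare leading zero followed by more digits: octal in Python 2, an error in
# Python 3. Refuse it explicitly so the user gets a clear message either way.
_AMBIGUOUS_LEADING_ZERO = re.compile(r"[+-]?0[0-9]+\Z")


def convert_int(value):
    """Convert one scalar to int, accepting 0x / 0o / 0b prefixed strings.

    Lists and tuples are rejected: a multivalued parameter is expected to
    pass its values one at a time, as noted elsewhere on this page.
    """
    if type(value) is bool:
        # bool is a subclass of int; True silently becoming 1 hides mistakes.
        raise TypeError("expected an integer, got bool")
    if isinstance(value, int):
        return value
    if isinstance(value, (list, tuple)):
        raise TypeError("expected a scalar, got %s" % type(value).__name__)
    if not isinstance(value, str):
        raise TypeError("expected int or text, got %s" % type(value).__name__)

    text = value.strip()
    if "_" in text:
        # Python 3.6+ accepts digit-group underscores; user input should not.
        raise ValueError("invalid integer %r" % value)
    if _AMBIGUOUS_LEADING_ZERO.match(text):
        raise ValueError(
            "ambiguous leading zero in %r: write 0o.. for octal or drop the zero"
            % value
        )
    # Base 0 derives the radix from the prefix: 0x hex, 0o octal, 0b binary.
    return int(text, 0)


def display_int(number):
    """Whatever radix was typed, the value is always shown in base 10."""
    return "%d" % number


if __name__ == "__main__":
    # Constructed inputs covering each accepted radix and the rejected forms.
    for raw in ["1001", "0x3E9", "0o1751", "0b1111101001", "01001", "1_001"]:
        try:
            print("%-14r -> %s" % (raw, display_int(convert_int(raw))))
        except ValueError as err:
            print("%-14r -> rejected: %s" % (raw, err))
```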
Re: [Freeipa-devel] [PATCH] jderose 019 remove some cruft
On Wed, 2009-10-14 at 17:21 -0400, Rob Crittenden wrote: Jason Gerard DeRose wrote: On Tue, 2009-10-13 at 22:45 -0600, Jason Gerard DeRose wrote: This removes the util.add_global_options() function and the frontend.Application class, neither of which are now needed. And *this* actually attaches the patch. ;) ack pushed to master.
[Freeipa-devel] [PATCH] jderose 021 Fixed try/except/finally for Python 2.4 compatability
This should fix the build failure in the daily build. From 5fad455ff41c7ab8acb8b41ea1c9c752830ce1ea Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Thu, 15 Oct 2009 15:00:57 -0600 Subject: [PATCH] Fixed try/except/finally for Python 2.4 compatability --- ipaserver/rpcserver.py | 39 --- 1 files changed, 20 insertions(+), 19 deletions(-) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 06fb5ae..72f2219 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -103,25 +103,26 @@ class WSGIExecutioner(Executioner): error = None _id = None try: -self.create_context(ccache=environ.get('KRB5CCNAME')) -if ( -environ.get('CONTENT_TYPE', '').startswith(self.content_type) -and environ['REQUEST_METHOD'] == 'POST' -): -data = read_input(environ) -(name, args, options, _id) = self.unmarshal(data) -else: -(name, args, options, _id) = self.simple_unmarshal(environ) -if name not in self.Command: -raise CommandError(name=name) -result = self.Command[name](*args, **options) -except PublicError, e: -error = e -except StandardError, e: -self.exception( -'non-public: %s: %s', e.__class__.__name__, str(e) -) -error = InternalError() +try: +self.create_context(ccache=environ.get('KRB5CCNAME')) +if ( +environ.get('CONTENT_TYPE', '').startswith(self.content_type) +and environ['REQUEST_METHOD'] == 'POST' +): +data = read_input(environ) +(name, args, options, _id) = self.unmarshal(data) +else: +(name, args, options, _id) = self.simple_unmarshal(environ) +if name not in self.Command: +raise CommandError(name=name) +result = self.Command[name](*args, **options) +except PublicError, e: +error = e +except StandardError, e: +self.exception( +'non-public: %s: %s', e.__class__.__name__, str(e) +) +error = InternalError() finally: destroy_context() return self.marshal(result, error, _id) -- 1.6.3.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
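Review bot: the new inner `try:` nested inside the outer `try ... finally` has no comment saying it exists only because Python 2.4 cannot parse a combined try/except/finally, so a later cleanup could fold the two back together and break the 2.4 build again; add a one-line comment above the inner `try:`. Separately, `result` is assigned only inside the inner try and the visible context initializes just `error` and `_id`, so confirm that `result = None` is set earlier in the method; otherwise `self.marshal(result, error, _id)` raises NameError whenever one of the two except branches is taken.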
[Freeipa-devel] [PATCH] jderose 020 Make plugin browser show plugin parent class
It's very helpful if the plugin browser shows the parent class (or classes) that a plugin subclasses from. This small patch adds this feature. From 8dc21d6f30d1466f07b38e0d015de39a8c0d29d2 Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose jder...@redhat.com Date: Wed, 14 Oct 2009 15:08:30 -0600 Subject: [PATCH] Make plugin browser show plugin parent class --- ipalib/plugable.py |3 +++ ipawebui/widgets.py |5 + 2 files changed, 8 insertions(+), 0 deletions(-) diff --git a/ipalib/plugable.py b/ipalib/plugable.py index dceb41f..12746c1 100644 --- a/ipalib/plugable.py +++ b/ipalib/plugable.py @@ -163,6 +163,9 @@ class Plugin(ReadOnly): self.name = cls.__name__ self.module = cls.__module__ self.fullname = '%s.%s' % (self.module, self.name) +self.bases = tuple( +'%s.%s' % (b.__module__, b.__name__) for b in cls.__bases__ +) self.doc = inspect.getdoc(cls) if self.doc is None: self.summary = '%s' % self.fullname diff --git a/ipawebui/widgets.py b/ipawebui/widgets.py index 71eee92..74b9d7e 100644 --- a/ipawebui/widgets.py +++ b/ipawebui/widgets.py @@ -58,6 +58,11 @@ class IPAPlugins(base.Container): /td /tr +tr class=${row.next()} +tdbase(s)/td +td py:content=', '.join(p.bases) / +/tr + tr py:if=p.doc class=${row.next()} tddocstring/td tdpre py:content=p.doc //td -- 1.6.3.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
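Review bot: `self.bases` in the `ipalib/plugable.py` hunk is built from `cls.__bases__`, which lists only the direct parents, so a plugin that reaches a framework class through an intermediate class will show just the intermediate one in the browser; either build the tuple from `cls.__mro__` or state in the class documentation that only immediate bases are listed. The new attribute also arrives without a test, since the diffstat touches only `ipalib/plugable.py` and `ipawebui/widgets.py`.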
Re: [Freeipa-devel] [PATCH] jderose 017-2 Giant webui patch take 2
On Tue, 2009-10-13 at 15:21 -0400, Rob Crittenden wrote:

Jason Gerard DeRose wrote:

Okay, finally here is the revised webui patch. Since the last version, I:

* Ported to various API changes between wehjit 0.0.1 and 0.1.0
* Removed the session.py stuff, which will be in a separate patch
* Added the plugin browser to help developers inspect the plugins

The webui is still in a similar dumb state till I extend various meta-data in ipalib, which I will work on this week and will quickly get the UI into a more impressive state. I just can't let this patch get any larger... stop the madness! ;)

There currently isn't a top-level webui-page at /ipa/ui, but pages exist for each command plugin, i.e., /ipa/ui/user_add

This patch is big, but tries to be non-intrusive: the new webui stuff only runs from the new lite-server.py script, not for the installed version running under Apache. As far as I know, no existing functionality is disrupted by this patch. After making the meta-data changes, I will enable the new functionality under Apache also.

I hope everyone will find the plugin-browser quite helpful. To run it, launch lite-server.py like this:

./lite-server.py

And then point your browser to:

http://127.0.0.1:/ipa/ui/Command

All plugins in all namespaces are available in the browser, but details are currently only available for the Command and Object namespaces. I will also soon add an easy way to render the plugin browser to static pages to put on freeipa.org.

This patch requires python-wehjit and python-assets, which are in Fedora12 and rawhide. Or you can install from tarballs here:

http://jderose.fedorapeople.org/assets/current/
http://jderose.fedorapeople.org/wehjit/current/

A couple of weekends ago I also packaged assets and wehjit for Debian/Ubuntu. Karmic packages are available in my PPA:

https://launchpad.net/~jderose/+archive/ppa

Sorry the patch is so large, subsequent ones won't be.

ack. rob

That's the ol' pepper. Pushed to master.
Re: [Freeipa-devel] Re: [PATCH] Fix bug in HBAC and netgroup plugin get_primary_key_from_dn methods.
On Mon, 2009-10-12 at 10:22 -0400, Rob Crittenden wrote:

Pavel Zuna wrote:

Rob Crittenden wrote:

Pavel Zuna wrote:

The method was returning tuples instead of strings in both plugins causing a mess in other plugins, when displaying netgroup/HBAC information.

Pavel

Assuming that the primary key doesn't exist, what meaning does returning '' have? For these 2 plugins shouldn't it always have a primary key?

rob

In most plugins, retrieving the primary key from DN is easy, because it is part of the DN (RDN attribute == primary key attribute). With netgroups and HBAC it is a bit more complicated, because the RDN attribute is 'ipauniqueid' and the primary key is 'cn' - we have to do a search to retrieve it. If the search fails for some reason (someone deletes the entry in parallel for example), we return an empty string, which is fail-safe.

Pavel

Ok, Jason does 11 ET work for you, say on Wed and Fri?

rob

Yep, sounds good.
Re: [Freeipa-devel] [PATCH] 280 add option to not normalize on adds/updates
ack. pushed to master. On Fri, 2009-10-02 at 16:02 +0200, Pavel Zuna wrote: Rob Crittenden wrote: Add an option to not run the normalizer against the DN on adds/updates. The MIT ldap plugin is extremely picky about the format of DNs it adds and it does not like the way we normalize things so I need to set it up right in the plugin and commit it that way. rob ack. Although I would rather have the param called 'normalize_dn' instead of 'normalize', so everyone knows what is being normalized. Pavel
Re: [Freeipa-devel] [PATCH] 272 Add delete option to LDAP updater, unit tests
ack. pushed to master. On Mon, 2009-10-05 at 15:19 -0400, Rob Crittenden wrote: This gives the updater the ability to delete entries and adds some unit test cases. rob
Re: [Freeipa-devel] [PATCH] 281 minor fix for updater
ack too. pushed to master. On Fri, 2009-10-02 at 16:02 +0200, Pavel Zuna wrote: Rob Crittenden wrote: Robustness fix for ipa-ldap-updater to not blow up if no updates are set yet. rob ack. Pavel
Re: [Freeipa-devel] [PATCH] 282 update the KDC aci
On Fri, 2009-10-02 at 09:37 -0400, Rob Crittenden wrote: The API protecting the kerberos master key was a bit broad, also preventing adds and deletes to its subtree. I've relaxed that so I can add password policy entries which must be stored under the realm entry. I also changed the formatting of the code. It was getting written to the DS with leading and trailing \n causing DS to base64-encode the value when displaying it. I'm hoping this wasn't done on purpose :-) rob ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 283 allow no primary key in crud classes
On Fri, 2009-10-02 at 16:04 +0200, Pavel Zuna wrote: Rob Crittenden wrote: The crud classes required a primary key to be set in order to work. I've relaxed that as the pwpolicy plugin has no primary key but I still want to take advantage of other aspects of it. rob ack. LDAP* base classes already have this, but I guess it can't hurt to also have it on a lower level. Pavel ack too. pushed to master.
Re: [Freeipa-devel] [PATCH] 284 per-group password policy
On Fri, 2009-10-02 at 16:07 +0200, Pavel Zuna wrote: Rob Crittenden wrote: Add support for per-group kerberos password policy. This uses a Class of Service based on group membership to determine which policy should apply. The design doc called for non-overlapping groups but we can support that with cospriority. You can pass a user to the pwpolicy plugin to see what policy applies to them to help debug overlapping issues if they come up. rob ack. You could have taken my latest pwpolicy plugin as a base for this, but no big deal - I'll merge the changes and post an updated version. :) Pavel ack. pushed to master.
Re: [Freeipa-devel] [PATCH] 273 join a host to an IPA domain
ack. pushed to master. This patch was missing a BuildRequires: xmlrpc-c-devel, which I fixed in my attached patch. I pushed it to master under 1-line rule.

On Mon, 2009-09-14 at 17:07 -0400, Rob Crittenden wrote:

NOTE, this patch replaces a previous patch to do the same thing. I fixed a few problems Simo pointed out and re-based it against the current master.

This largish patch adds host enrollment. There are several scenarios that are covered. All of these assume that the IPA client machine has already been set up (ipa-client-install):

1. Full admin enrollment. This will create the host entry, a host/ service principal and a keytab for that principal in /etc/krb5.keytab.
2. Junior admin enrollment. There are lots of levels of delegation possible here, but at a minimum they would be able to enroll an existing host by creating the service principal and keytab. Additional rights such as adding a host could be added as well.
3. Bulk enrollment. If a host entry is pre-created by another admin and it contains an enrollment password (in the userPassword attribute) then an LDAP-based enrollment can take place. The client binds as the host and generates a keytab for itself.

One really significant change is I've switched to openldap as the LDAP client. Doing SSL with mozldap would have required a significant amount of more code (because we can't assume there is already an NSS db lying around that trusts the IPA CA). I didn't completely disable the mozldap option but by default things will build with openldap now.

This also adds a first pass at Get Effective Rights support. This is so we can know in advance if an operation would succeed and makes things generally nicer.

rob

From e2ecf02822867170e3b4f19f5ba749d3c94d899c Mon Sep 17 00:00:00 2001
From: Jason Gerard DeRose jder...@redhat.com Date: Thu, 24 Sep 2009 17:49:16 -0600 Subject: [PATCH] Added BuildRequires: xmlrpc-c-devel --- ipa.spec.in |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/ipa.spec.in b/ipa.spec.in index 713a4c5..2408b07 100644 --- a/ipa.spec.in +++ b/ipa.spec.in @@ -38,6 +38,7 @@ BuildRequires: policycoreutils = %{POLICYCOREUTILSVER} BuildRequires: python-cherrypy BuildRequires: python-setuptools BuildRequires: python-krbV +BuildRequires: xmlrpc-c-devel %description IPA is an integrated solution to provide centrally managed Identity (machine, -- 1.6.0.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
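Review bot: the added `BuildRequires: xmlrpc-c-devel` line carries no version constraint, while the `policycoreutils` line at the top of the same hunk is tied to `%{POLICYCOREUTILSVER}`; if the ipa-join code depends on a minimum xmlrpc-c release, state it here so the build fails at dependency resolution rather than at compile time. The commit message would also benefit from one sentence naming the component that needs the library, since the subject only repeats the spec line.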