[Freeipa-devel] [freeipa PR#736][+ack] Fixing the cert-request command comparing whole email address case-sensitively.
URL: https://github.com/freeipa/freeipa/pull/736
Title: #736: Fixing the cert-request command comparing whole email address case-sensitively.
Label: +ack
--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#773][comment] [WIP] Warn in cert-request if CSR doesn't contain SAN
URL: https://github.com/freeipa/freeipa/pull/773
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN
frasertweedale commented: """ Was there agreement that this should be implemented? (I am personally against it, because the next release should update the default profile to use the new CommonNameToSanExtDefault profile component). If we do implement this, IMO it should be a per-profile configuration, because there may be legitimate use cases where SAN is not needed. If we do pursue the current approach, we should further check not only that SAN is present, but that it contains a DNSName. Put another way, with the current patch, SAN can be present, but it might contain only KRB5PrincipalName and no DNSName, and therefore the warning will not show, but it probably should have warned. """
See the full comment at https://github.com/freeipa/freeipa/pull/773#issuecomment-300351130
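The distinction raised in the comment above (SAN present versus SAN containing a DNSName) comes down to which GeneralName CHOICE tags appear in the subjectAltName value. The following is an added, stand-alone example and not FreeIPA's or the PR's code: it assumes the caller has already extracted the DER value of the subjectAltName extension from the CSR (None when absent), which FreeIPA's pkcs10/x509 helpers would do and which is not shown here, and it builds its own constructed test input with a tiny DER encoder so it runs with the standard library only. The KRB5PrincipalName OtherName is identified by id-pkinit-san (1.3.6.1.5.2.2, RFC 4556).

```python
"""Decide whether cert-request should warn about a CSR's subjectAltName.

Added example, not FreeIPA code. Operates on the DER value of the
subjectAltName extension (GeneralNames, RFC 5280 4.2.1.6); the caller is
assumed to have pulled that value out of the CSR already.
"""

# GeneralName CHOICE numbers (context-specific tags).
OTHER_NAME = 0    # [0] OtherName: KRB5PrincipalName and UPN live here
DNS_NAME = 2      # [2] IA5String

# id-pkinit-san (RFC 4556): type-id of a KRB5PrincipalName OtherName.
KRB5_PRINCIPAL_NAME_OID = "1.3.6.1.5.2.2"


# --- minimal DER encoding, used only to build constructed test input ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """TLV with a single-byte tag."""
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def dns_name(host):
    return der(0x80 | DNS_NAME, host.encode("ascii"))      # [2] primitive


def krb5_principal_name(opaque_value):
    # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }.
    # The principal's own encoding is irrelevant to the SAN check, so the
    # value is an opaque placeholder (constructed input, not a real name).
    inner = encode_oid(KRB5_PRINCIPAL_NAME_OID) + der(0xA0, opaque_value)
    return der(0xA0 | OTHER_NAME, inner)                    # [0] constructed


def general_names(*names):
    return der(0x30, b"".join(names))                       # SEQUENCE OF


# --- the check itself ---

def _read_tlv(buf, pos):
    """Return (tag, content, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def general_name_choices(san_der):
    """List the GeneralName CHOICE numbers present in a SAN value."""
    tag, body, end = _read_tlv(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("subjectAltName value is not a GeneralNames SEQUENCE")
    choices, pos = [], 0
    while pos < len(body):
        tag, _, pos = _read_tlv(body, pos)
        if tag & 0xC0 != 0x80:
            raise ValueError("GeneralName must use a context-specific tag")
        choices.append(tag & 0x1F)
    return choices


def san_warning(san_der):
    """None when no warning is needed, otherwise the warning text.

    A SAN carrying only a KRB5PrincipalName OtherName gets the same
    warning as a SAN with no DNS-usable name at all.
    """
    if san_der is None:
        return "CSR does not contain a subjectAltName extension"
    if DNS_NAME not in general_name_choices(san_der):
        return "subjectAltName contains no DNSName"
    return None


if __name__ == "__main__":
    only_krb5 = general_names(krb5_principal_name(b"\x04\x05alice"))
    with_dns = general_names(krb5_principal_name(b"\x04\x05alice"),
                             dns_name("host.example.test"))
    for label, san in (("no SAN", None), ("only KRB5", only_krb5),
                       ("with DNS", with_dns)):
        print(f"{label}: {san_warning(san)}")
```

The second constructed input is exactly the case the comment describes: the extension is present, so a bare "is SAN present" test passes, yet `san_warning` still reports that no DNSName is there.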
[Freeipa-devel] [freeipa PR#737][comment] Vault: Explicitly default to 3DES CBC
URL: https://github.com/freeipa/freeipa/pull/737
Title: #737: Vault: Explicitly default to 3DES CBC
frasertweedale commented: """ Tested; fix makes it work again against Dogtag (where Dogtag does not contain Ade's fix). ACK. """
See the full comment at https://github.com/freeipa/freeipa/pull/737#issuecomment-297886621
[Freeipa-devel] [freeipa PR#737][+ack] Vault: Explicitly default to 3DES CBC
URL: https://github.com/freeipa/freeipa/pull/737
Title: #737: Vault: Explicitly default to 3DES CBC
Label: +ack
[Freeipa-devel] [freeipa PR#633][opened] Support 8192-bit RSA keys in default cert profile
URL: https://github.com/freeipa/freeipa/pull/633 Author: frasertweedale Title: #633: Support 8192-bit RSA keys in default cert profile Action: opened PR body: """ Update the caIPAserviceCert profile to accept 8192-bit RSA keys. Affects new installs only, because there is not yet a facility to update included profiles. Fixes: https://pagure.io/freeipa/issue/6319 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/633/head:pr633 git checkout pr633 From 7fdab4eda952daff8e31874497eaac2aaf6976b8 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 22 Mar 2017 15:06:16 +1100 Subject: [PATCH] Support 8192-bit RSA keys in default cert profile Update the caIPAserviceCert profile to accept 8192-bit RSA keys. Affects new installs only, because there is not yet a facility to update included profiles. Fixes: https://pagure.io/freeipa/issue/6319 --- install/share/profiles/caIPAserviceCert.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/share/profiles/caIPAserviceCert.cfg b/install/share/profiles/caIPAserviceCert.cfg index 6c5102f..1efd206 100644 --- a/install/share/profiles/caIPAserviceCert.cfg +++ b/install/share/profiles/caIPAserviceCert.cfg 
@@ -32,7 +32,7 @@ policyset.serverCertSet.2.default.params.startTime=0 policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl policyset.serverCertSet.3.constraint.name=Key Constraint policyset.serverCertSet.3.constraint.params.keyType=RSA -policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 +policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,8192 policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl policyset.serverCertSet.3.default.name=Key Default policyset.serverCertSet.4.constraint.class_id=noConstraintImpl -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
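Review bot: the keyParameters constraint still lists 1024 alongside the new 8192, so this hunk widens the accepted range upward without revisiting the weak lower bound; if the default profile is being touched for key sizes, decide explicitly whether 1024-bit RSA should remain acceptable for caIPAserviceCert and say so in the commit message. Since the commit message states the change affects new installs only and there is no facility to update included profiles, also note in the PR what an existing deployment must do to its own copy of the profile to get the same effect.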
[Freeipa-devel] [freeipa PR#539][comment] Define errors_by_code in ipalib.errors
URL: https://github.com/freeipa/freeipa/pull/539
Title: #539: Define errors_by_code in ipalib.errors
frasertweedale commented: """ Righto. I'll withdraw this PR for now and it will make a comeback closer to landing the gssapi work. """
See the full comment at https://github.com/freeipa/freeipa/pull/539#issuecomment-285268049
[Freeipa-devel] [freeipa PR#539][closed] Define errors_by_code in ipalib.errors
URL: https://github.com/freeipa/freeipa/pull/539
Author: frasertweedale
Title: #539: Define errors_by_code in ipalib.errors
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/539/head:pr539
git checkout pr539
[Freeipa-devel] [freeipa PR#539][comment] Define errors_by_code in ipalib.errors
URL: https://github.com/freeipa/freeipa/pull/539
Title: #539: Define errors_by_code in ipalib.errors
frasertweedale commented: """ @HonzaCholasta when Dogtag executes the existing cert-request validation logic (which will be extracted to a new function), if an exception gets raised Dogtag returns it in the response, and IPA reconstructs it, so that there is no change to the user experience. """
See the full comment at https://github.com/freeipa/freeipa/pull/539#issuecomment-284379517
[Freeipa-devel] [freeipa PR#540][opened] rabase.get_certificate: make serial number arg mandatory
URL: https://github.com/freeipa/freeipa/pull/540 Author: frasertweedale Title: #540: rabase.get_certificate: make serial number arg mandatory Action: opened PR body: """ In rabase.get_certificate it does not make sense for the serial_number argument to be optional. Make it a mandatory positional argument. Part of: https://pagure.io/freeipa/issue/3473 Part of: https://pagure.io/freeipa/issue/5011 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/540/head:pr540 git checkout pr540 From 96f1df7cca67e411ac0768cdbd1be6fbc0e87b57 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 6 Mar 2017 12:50:55 +1000 Subject: [PATCH] rabase.get_certificate: make serial number arg mandatory In rabase.get_certificate it does not make sense for the serial_number argument to be optional. Make it a mandatory positional argument. Part of: https://pagure.io/freeipa/issue/3473 Part of: https://pagure.io/freeipa/issue/5011 --- ipaserver/plugins/dogtag.py | 2 +- ipaserver/plugins/rabase.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 80d499e..05b759d 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1502,7 +1502,7 @@ def check_request_status(self, request_id): return cmd_result -def get_certificate(self, serial_number=None): +def get_certificate(self, serial_number): """ Retrieve an existing certificate. diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py index 49a3f8b..0c8d7e2 100644 --- a/ipaserver/plugins/rabase.py +++ b/ipaserver/plugins/rabase.py 
@@ -59,7 +59,7 @@ def check_request_status(self, request_id): """ raise errors.NotImplementedError(name='%s.check_request_status' % self.name) -def get_certificate(self, serial_number=None): +def get_certificate(self, serial_number): """ Retrieve an existing certificate. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
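Review bot: only the two signatures change and no call site of get_certificate appears in the diff, so confirm that every caller already passes serial_number positionally; any caller that relied on the None default will now fail with a TypeError before reaching the backend. The rabase docstring under the changed signature still reads only "Retrieve an existing certificate.", so add a :param serial_number: line there now that the argument is mandatory.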
[Freeipa-devel] [freeipa PR#539][opened] Define errors_by_code in ipalib.errors
URL: https://github.com/freeipa/freeipa/pull/539 Author: frasertweedale Title: #539: Define errors_by_code in ipalib.errors Action: opened PR body: """ The errors_by_code mapping will soon be used in more places, as part of the Dogtag GSS-API authentication work. Move its definition to ipalib.errors. Part of: https://pagure.io/freeipa/issue/5011 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/539/head:pr539 git checkout pr539 From b7733bd1b1ad5bd7ddecedf37df6edd68edcdf22 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 6 Mar 2017 12:03:44 +1000 Subject: [PATCH] Define errors_by_code in ipalib.errors The errors_by_code mapping will soon be used in more places, as part of the Dogtag GSS-API authentication work. Move its definition to ipalib.errors. Part of: https://pagure.io/freeipa/issue/5011 --- ipalib/errors.py | 2 ++ ipalib/rpc.py| 4 +--- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ipalib/errors.py b/ipalib/errors.py index 6aaca70..a17eda4 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1995,5 +1995,7 @@ class GenericError(PublicError): public_errors = tuple(sorted( messages.iter_messages(globals(), PublicError), key=lambda E: E.errno)) +errors_by_code = dict((e.errno, e) for e in public_errors) + if __name__ == '__main__': messages.print_report('public errors', public_errors) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index f2cdad9..d77b52d 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -50,7 +50,7 @@ from ipalib.backend import Connectible from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT -from ipalib.errors import (public_errors, UnknownError, NetworkError, +from ipalib.errors import (errors_by_code, UnknownError, NetworkError, KerberosError, XMLRPCMarshallError, JSONError) from ipalib import errors, capabilities from ipalib.request import context, Connection 
@@ -86,8 +86,6 @@ COOKIE_NAME = 'ipa_session' KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME -errors_by_code = dict((e.errno, e) for e in public_errors) - def client_session_keyring_keyname(principal): ''' -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
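Review bot: the rpc.py import hunk swaps public_errors for errors_by_code, but the diff only shows the import line and the removed module-level definition; check that nothing else in rpc.py still references public_errors, since a remaining use would now be a NameError at call time rather than at import. Moving the dict next to public_errors in ipalib/errors.py is otherwise straightforward, as it is built from a tuple defined immediately above it.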
[Freeipa-devel] [freeipa PR#523][opened] cert-request: minor refactors
URL: https://github.com/freeipa/freeipa/pull/523 Author: frasertweedale Title: #523: cert-request: minor refactors Action: opened PR body: """ A couple of minor refactors done as part of GSS-API work (https://pagure.io/freeipa/issue/5011). """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/523/head:pr523 git checkout pr523 From 2d85605be3cded5025426ed61e6833fcf9975012 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 25 Jan 2017 15:51:46 +1000 Subject: [PATCH 1/2] Remove redundant principal_type argument Minor refactor to remove the redundant 'principal_type' argument from 'caacl_check' and associated functions. Part of: https://pagure.io/freeipa/issue/5011 --- ipaserver/plugins/caacl.py | 8 +++- ipaserver/plugins/cert.py | 13 + 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py index a7817c4..ff1178a 100644 --- a/ipaserver/plugins/caacl.py +++ b/ipaserver/plugins/caacl.py @@ -151,7 +151,13 @@ def _acl_make_rule(principal_type, obj): return rule -def acl_evaluate(principal_type, principal, ca_id, profile_id): +def acl_evaluate(principal, ca_id, profile_id): +if principal.is_user: +principal_type = 'user' +elif principal.is_host: +principal_type = 'host' +else: +principal_type = 'service' req = _acl_make_request(principal_type, principal, ca_id, profile_id) acls = api.Command.caacl_find(no_members=False)['result'] rules = [_acl_make_rule(principal_type, obj) for obj in acls] diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 585a70e..46518d9 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py 
@@ -200,11 +200,9 @@ def ca_enabled_check(_api): if not _api.Command.ca_is_enabled()['result']: raise errors.NotFound(reason=_('CA is not configured')) -def caacl_check(principal_type, principal, ca, profile_id): -principal_type_map = {USER: 'user', HOST: 'host', SERVICE: 'service'} -if not acl_evaluate( -principal_type_map[principal_type], -principal, ca, profile_id): + +def caacl_check(principal, ca, profile_id): +if not acl_evaluate(principal, ca, profile_id): raise errors.ACIError(info=_( "Principal '%(principal)s' " "is not permitted to use CA '%(ca)s' " @@ -599,7 +597,7 @@ def execute(self, csr, all=False, raw=False, **kw): if principal_type == KRBTGT: ca_kdc_check(ldap, bind_principal.hostname) else: -caacl_check(principal_type, principal, ca, profile_id) +caacl_check(principal, ca, profile_id) try: csr_obj = pkcs10.load_certificate_request(csr) @@ -756,8 +754,7 @@ def execute(self, csr, all=False, raw=False, **kw): if principal_type == KRBTGT: ca_kdc_check(ldap, alt_principal.hostname) else: -caacl_check(principal_type, alt_principal, ca, -profile_id) +caacl_check(alt_principal, ca, profile_id) elif isinstance(gn, (x509.KRB5PrincipalName, x509.UPN)): if principal_type == KRBTGT: From 4aa4ecea14827387d9e9430790d8a453a7fa9c96 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 25 Jan 2017 16:14:59 +1000 Subject: [PATCH 2/2] Extract method to map principal to princpal type Part of: https://pagure.io/freeipa/issue/5011 --- ipaserver/plugins/cert.py | 29 ++--- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 46518d9..b53caf4 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py 
@@ -558,29 +558,17 @@ def execute(self, csr, all=False, raw=False, **kw): principal = kw.get('principal') principal_string = unicode(principal) +principal_type = principal_to_principal_type(principal) -if principal.is_user: -principal_type = USER -elif principal.is_host: -principal_type = HOST -elif principal.service_name == 'krbtgt': -principal_type = KRBTGT +if principal_type == KRBTGT: if profile_id != self.Backend.ra.KDC_PROFILE: raise errors.ACIError( info=_("krbtgt certs can use only the %s profile") % ( self.Backend.ra.KDC_PROFILE)) -else: -principal_type = SERVICE bind_principal = kerberos.Principal(getattr(context, 'principal'))
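Review bot: in patch 2/2 the execute hunk replaces the if/elif chain with principal_to_principal_type(principal), but the definition of that function is not in the hunks visible here (the patch as extracted ends at the bind_principal line), so the review cannot confirm it still returns KRBTGT when service_name == 'krbtgt' before falling back to SERVICE, which is what the removed branches did and what the retained `if principal_type == KRBTGT:` profile check depends on. In patch 1/2, acl_evaluate's new fallthrough maps anything that is neither user nor host to 'service', which would include a krbtgt principal; that is only safe because both cert.py call sites test principal_type == KRBTGT before reaching caacl_check, so a one-line comment in acl_evaluate stating that krbtgt never reaches it would prevent a later caller from tripping over it. The subject of patch 2/2 has a typo: "princpal".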
[Freeipa-devel] [freeipa PR#522][opened] dogtag: remove redundant property definition
URL: https://github.com/freeipa/freeipa/pull/522 Author: frasertweedale Title: #522: dogtag: remove redundant property definition Action: opened PR body: """ The dogtag `ra' backend defines a `ca_host' property, which is also defined (identically) by the `RestClient' class, which recently became a superclass of `ra'. Remove the redundant property definition. Part of: https://pagure.io/freeipa/issue/3473 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/522/head:pr522 git checkout pr522 From f9abbd4e4e950572e1256c7031ee49147826c8c0 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 10 Nov 2016 19:05:21 +1000 Subject: [PATCH] dogtag: remove redundant property definition The dogtag `ra' backend defines a `ca_host' property, which is also defined (identically) by the `RestClient' class, which recently became a superclass of `ra'. Remove the redundant property definition. Part of: https://pagure.io/freeipa/issue/3473 --- ipaserver/plugins/dogtag.py | 20 1 file changed, 20 deletions(-) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 6ff6d29..2ceadb5 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
@@ -1386,26 +1386,6 @@ def raise_certificate_operation_error(self, func_name, err_msg=None, detail=None self.error('%s.%s(): %s', type(self).__name__, func_name, err_msg) raise errors.CertificateOperationError(error=err_msg) -@cachedproperty -def ca_host(self): -""" -:return: host - as str - -Select our CA host. -""" -ldap2 = self.api.Backend.ldap2 -if host_has_service(api.env.ca_host, ldap2, "CA"): -return api.env.ca_host -if api.env.host != api.env.ca_host: -if host_has_service(api.env.host, ldap2, "CA"): -return api.env.host -host = select_any_master(ldap2) -if host: -return host -else: -return api.env.ca_host - def _request(self, url, port, **kw): """ :param url: The URL to post to. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
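Review bot: the removed ca_host ends with select_any_master(ldap2) as its final fallback before returning api.env.ca_host, and is a @cachedproperty; the diff shows only the deletion, not the RestClient.ca_host that ra now inherits, so the reviewer should check that the inherited version is identical in both respects. If the fallback order differs, ra would silently change which host receives CA requests.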
[Freeipa-devel] [freeipa PR#506][comment] Use IPA CA cert in Custodia secrets client
URL: https://github.com/freeipa/freeipa/pull/506
Title: #506: Use IPA CA cert in Custodia secrets client
frasertweedale commented: """ @tiran FYI custodia is also used for Lightweight CA key replication, at any time a new LWCA gets created, to propagate its signing key among replicas. So this is a useful change. """
See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282611303
[Freeipa-devel] [freeipa PR#480][comment] Add request_type doc string in cert-request
URL: https://github.com/freeipa/freeipa/pull/480
Title: #480: Add request_type doc string in cert-request
frasertweedale commented: """ @Akasurde if we just want to hide it, I think you use a client override for the `cert_request` command and filter out the option. @HonzaCholasta can confirm. OTOH if we just want to remove it altogether, that is straightforward. It will break any clients that explicitly pass the option. I suspect it's unlikely that there are such clients out there, but we cannot know for sure, so as much as I'd like to remove it, I'm hesitant. """
See the full comment at https://github.com/freeipa/freeipa/pull/480#issuecomment-281320509
[Freeipa-devel] [freeipa PR#480][comment] Add request_type doc string in cert-request
URL: https://github.com/freeipa/freeipa/pull/480
Title: #480: Add request_type doc string in cert-request
frasertweedale commented: """ I would like to NACK this. We instead want to hide or remove the option, because we only support PKCS #10 and this is unlikely to change any time soon. There is already a ticket for that: https://fedorahosted.org/freeipa/ticket/5734 """
See the full comment at https://github.com/freeipa/freeipa/pull/480#issuecomment-281209123
[Freeipa-devel] [freeipa PR#370][closed] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370
Author: frasertweedale
Title: #370: ci: send build log to paste.fedoraproject.org
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/370/head:pr370
git checkout pr370
[Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370
Title: #370: ci: send build log to paste.fedoraproject.org
frasertweedale commented: """ Superseded by https://github.com/freeipa/freeipa/pull/449 ; closing. """
See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-278506829
[Freeipa-devel] [freeipa PR#451][comment] certdb: remove unused keysize property
URL: https://github.com/freeipa/freeipa/pull/451
Title: #451: certdb: remove unused keysize property
frasertweedale commented: """ Conditional ACK: just fix the typo `s/moths/months/` in the commit message. """
See the full comment at https://github.com/freeipa/freeipa/pull/451#issuecomment-278503991
[Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370
Title: #370: ci: send build log to paste.fedoraproject.org
frasertweedale commented: """ :+1: sounds good. Take what's there and run with it :) """
See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-278291532
[Freeipa-devel] [freeipa PR#415][closed] ca-del: require CA to already be disabled
URL: https://github.com/freeipa/freeipa/pull/415
Author: frasertweedale
Title: #415: ca-del: require CA to already be disabled
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/415/head:pr415
git checkout pr415
[Freeipa-devel] [freeipa PR#415][comment] ca-del: require CA to already be disabled
URL: https://github.com/freeipa/freeipa/pull/415
Title: #415: ca-del: require CA to already be disabled
frasertweedale commented: """ Shelving this PR for now. It might get resurrected later. Discussion: https://www.redhat.com/archives/freeipa-devel/2017-February/msg00150.html """
See the full comment at https://github.com/freeipa/freeipa/pull/415#issuecomment-278241186
[Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370
Title: #370: ci: send build log to paste.fedoraproject.org
frasertweedale commented: """ So... any blocker on merging this? """
See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-278236511
[Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion
URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion
frasertweedale commented: """ Any other changes requested? What's preventing ack on this? """
See the full comment at https://github.com/freeipa/freeipa/pull/416#issuecomment-278236565
[Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion
URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion
frasertweedale commented: """ @stlaz there are three considerations when "checking the DL":
1. Retrieving the current DL.
2. Checking that the current DL is supported by the server version.
3. Checking that the attempted method of installation is supported on the current DL.
Whether it makes sense to have a unified function for (3), I am not sure. I think the approach as implemented in this PR - that each replica installation method checks the DL and if necessary raises an appropriate error message - is satisfactory. Certainly it makes more sense to me to have these checks separate from the check for (2). """
See the full comment at https://github.com/freeipa/freeipa/pull/416#issuecomment-277423018
[Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion
URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion
frasertweedale commented: """ @HonzaCholasta @MartinBasti PR updated. I extracted the specific (== 0) and (>= 1) checks to the relevant call sites. Also separated DL retrieval and "DL in range for IPA version" check into separate functions. """
See the full comment at https://github.com/freeipa/freeipa/pull/416#issuecomment-276571652
[Freeipa-devel] [freeipa PR#415][comment] ca-del: require CA to already be disabled
URL: https://github.com/freeipa/freeipa/pull/415
Title: #415: ca-del: require CA to already be disabled
frasertweedale commented: """ @apophys done; PR updated. """
See the full comment at https://github.com/freeipa/freeipa/pull/415#issuecomment-276571411
[Freeipa-devel] [freeipa PR#415][synchronized] ca-del: require CA to already be disabled
URL: https://github.com/freeipa/freeipa/pull/415 Author: frasertweedale Title: #415: ca-del: require CA to already be disabled Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/415/head:pr415 git checkout pr415 From ebfbdbf2524e98aee5d14886f9345fa1d3f88c3f Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 23 Jan 2017 11:37:37 +1000 Subject: [PATCH] ca-del: require CA to already be disabled Currently ca-del disables the target CA before deleting it. Conceptually, this involves two separate permissions: modify and delete. A user with delete permission does not necessarily have modify permission. As we move toward enforcing IPA permissions in Dogtag, it is necessary to decouple disablement from deletion, otherwise the disable operation would fail if the user does not have modify permission. Although it introduces an additional step for administrators, the process is consistent, required permissions are clear, and errors are human-friendly. Part of: https://fedorahosted.org/freeipa/ticket/5011 --- ipaserver/plugins/ca.py | 7 ++- ipatests/test_xmlrpc/test_ca_plugin.py| 4 ipatests/test_xmlrpc/tracker/ca_plugin.py | 6 +- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index 4f24278..0d3d7d0 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -286,7 +286,12 @@ def pre_callback(self, ldap, dn, *keys, **options): ca_id = self.api.Command.ca_show(keys[0])['result']['ipacaid'][0] with self.api.Backend.ra_lightweight_ca as ca_api: -ca_api.disable_ca(ca_id) +data = ca_api.read_ca(ca_id) +if data['enabled']: +raise errors.ProtectedEntryError( +label=_("CA"), +key=keys[0], +reason=_("Must be disabled first")) ca_api.delete_ca(ca_id) return dn diff --git a/ipatests/test_xmlrpc/test_ca_plugin.py b/ipatests/test_xmlrpc/test_ca_plugin.py index 1e0e52f..ee826aa 100644 --- a/ipatests/test_xmlrpc/test_ca_plugin.py 
+++ b/ipatests/test_xmlrpc/test_ca_plugin.py @@ -87,6 +87,10 @@ def test_retrieve(self, crud_subca): def test_retrieve_all(self, crud_subca): crud_subca.retrieve(all=True) +def test_delete_while_not_disabled(self, crud_subca): +with pytest.raises(errors.ProtectedEntryError): +crud_subca.make_command('ca_del', crud_subca.name)() + def test_delete(self, crud_subca): crud_subca.delete() diff --git a/ipatests/test_xmlrpc/tracker/ca_plugin.py b/ipatests/test_xmlrpc/tracker/ca_plugin.py index e18b1c1..cb3fb70 100644 --- a/ipatests/test_xmlrpc/tracker/ca_plugin.py +++ b/ipatests/test_xmlrpc/tracker/ca_plugin.py @@ -82,7 +82,11 @@ def track_create(self): def make_delete_command(self): """Make function that deletes the plugin entry object.""" -return self.make_command('ca_del', self.name) +def disable_then_delete(): +self.make_command('ca_disable', self.name)() +return self.make_command('ca_del', self.name)() + +return disable_then_delete def check_delete(self, result): assert_deepequal(dict( -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
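Review bot: pre_callback now does read_ca followed by delete_ca as two separate calls, so a CA re-enabled between the read and the delete is still deleted; given the commit message's stated direction of enforcing permissions in Dogtag, the Dogtag side should be the authoritative check and the commit message should say the IPA-side read is for the friendlier error only. In the tracker hunk, disable_then_delete runs ca_disable and then ca_del with no cleanup, so a failing ca_del leaves the CA disabled for whatever test runs next; consider re-enabling on failure. The new test_delete_while_not_disabled relies on the fixture CA being enabled at that point, which holds only if it runs before test_delete, so its ordering relative to test_delete is load-bearing and worth a comment.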
[Freeipa-devel] [freeipa PR#416][synchronized] replica install: relax domain level check for promotion
URL: https://github.com/freeipa/freeipa/pull/416 Author: frasertweedale Title: #416: replica install: relax domain level check for promotion Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/416/head:pr416 git checkout pr416 From 5517b9e47ced44bc6913fb7e3ec5202ce96a0b37 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 Jan 2017 16:04:10 +1000 Subject: [PATCH] replica install: relax domain level check for promotion promote_check currently requires DL == 1. Relax the check to require DL >= 1, so that things will work for future DL increases. Also separate the concerns of retrieving the current domain level, validating whether the domain level is supported by the IPA version, and validating whether the current domain level supports the replica installation method attempted (i.e. replica file versus promotion). Part of: https://fedorahosted.org/freeipa/ticket/5011 --- ipaserver/install/server/replicainstall.py | 56 -- 1 file changed, 30 insertions(+), 26 deletions(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 18222c8..a312079 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py 
@@ -556,38 +556,25 @@ def common_check(no_ntp): pass -def check_domain_level(api, expected): +def current_domain_level(api): +"""Return the current domain level. + +""" # Detect the current domain level try: -current = api.Command['domainlevel_get']()['result'] +return api.Command['domainlevel_get']()['result'] except errors.NotFound: # If we're joining an older master, domain entry is not # available -current = constants.DOMAIN_LEVEL_0 +return constants.DOMAIN_LEVEL_0 -if current == constants.DOMAIN_LEVEL_0: -message = ( -"You must provide a file generated by ipa-replica-prepare to " -"create a replica when the domain is at level 0." -) -else: -message = ( -"You used wrong mechanism to install a replica in domain level " -"{dl}:\n" -"\tDomain level 0 requires a replica file as a positional " -"arugment.\n" -"\tFor domain level 1 replica instalation, a replica file must " -"not be used but you can can join the domain by running " -"ipa-client-install first and then try" -"to run this installation again." -.format(dl=expected) -) -if current != expected: -raise RuntimeError(message) +def check_domain_level_is_supported(current): +"""Check that the given domain level is supported by this server version. -# Detect if current level is out of supported range -# for this IPA version +:raises: ScriptError if DL is out of supported range for this IPA version. + +""" under_lower_bound = current < constants.MIN_DOMAIN_LEVEL above_upper_bound = current > constants.MAX_DOMAIN_LEVEL @@ -768,7 +755,13 @@ def install_check(installer): config.host_name) raise ScriptError(msg, rval=3) -check_domain_level(remote_api, expected=constants.DOMAIN_LEVEL_0) +domain_level = current_domain_level(remote_api) +check_domain_level_is_supported(domain_level) +if domain_level != constants.DOMAIN_LEVEL_0: +raise RuntimeError( +"You must provide a file generated by ipa-replica-prepare to " +"create a replica when the domain is at level 0." +) # Check pre-existing host entry try: 
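Review bot: the error raised in the `install_check` hunk does not match its condition. It fires when `domain_level != constants.DOMAIN_LEVEL_0`, yet its text is "You must provide a file generated by ipa-replica-prepare to create a replica when the domain is at level 0.", which the removed code selected for the opposite case (`if current == constants.DOMAIN_LEVEL_0:`). A user at level 1 or higher who passed a replica file should instead be told to join the domain with ipa-client-install and run ipa-replica-install without a replica file, i.e. the ">= 1" text used in the `promote_check` hunk.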
@@ -1088,7 +1081,18 @@ def promote_check(installer): config.master_host_name, None) promotion_check_ipa_domain(conn, remote_api.env.basedn) -check_domain_level(remote_api, expected=constants.DOMAIN_LEVEL_1) + +domain_level = current_domain_level(remote_api) +check_domain_level_is_supported(domain_level) +if domain_level < constants.DOMAIN_LEVEL_1: +raise RuntimeError( +"You used the wrong mechanism to install a replica in " +"domain level {dl}:\n" +"\tFor domain level >= 1 replica installation, first join the " +"domain by running ipa-client-install, then run " +"ipa-replica-install without a replica file." +.format(dl=domain_level) +) # Check authorization result = remote_api.Command['hostgroup_find']( -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
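Review bot: the `promote_check` hunk raises the wrong message for the case it detects. When `domain_level < constants.DOMAIN_LEVEL_1`, i.e. level 0, it tells the user to "first join the domain by running ipa-client-install, then run ipa-replica-install without a replica file", which is exactly the procedure that does not work at level 0; the removed `check_domain_level` produced "You must provide a file generated by ipa-replica-prepare ..." here. The two texts appear swapped between `install_check` and `promote_check`.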
[Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion
URL: https://github.com/freeipa/freeipa/pull/416 Title: #416: replica install: relax domain level check for promotion frasertweedale commented: """ So, what do we want the behaviour of `check_domain_level` to be? I just want to make a small change so that replica install does not break if DL > 1. """ See the full comment at https://github.com/freeipa/freeipa/pull/416#issuecomment-276529816
[Freeipa-devel] [freeipa PR#419][+ack] ipa-ca-install: do not fail without --subject-base and --ca-subject
URL: https://github.com/freeipa/freeipa/pull/419 Title: #419: ipa-ca-install: do not fail without --subject-base and --ca-subject Label: +ack
[Freeipa-devel] [freeipa PR#416][synchronized] replica install: relax domain level check for promotion
URL: https://github.com/freeipa/freeipa/pull/416 Author: frasertweedale Title: #416: replica install: relax domain level check for promotion Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/416/head:pr416 git checkout pr416 From aa195924b1d85d871202f37f64b6b123b3f1bd09 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 Jan 2017 16:04:10 +1000 Subject: [PATCH] replica install: relax domain level check for promotion promote_check currently requires DL == 1. Relax the check to require DL >= 1, so that things will work for future DL increases. Part of: https://fedorahosted.org/freeipa/ticket/5011 --- ipaserver/install/server/replicainstall.py | 16 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 18222c8..d717f14 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -556,7 +556,13 @@ def common_check(no_ntp): pass -def check_domain_level(api, expected): +def check_domain_level(api, expected=None, minimum=None): +"""Check the domain level. + +:param expected: if given, assert that current DL == expected +:param minimum: if given, assert that current DL >= minimum + +""" # Detect the current domain level try: current = api.Command['domainlevel_get']()['result'] 
@@ -576,14 +582,16 @@ def check_domain_level(api, expected): "{dl}:\n" "\tDomain level 0 requires a replica file as a positional " "arugment.\n" -"\tFor domain level 1 replica instalation, a replica file must " +"\tFor domain level >= 1 replica instalation, a replica file must " "not be used but you can can join the domain by running " "ipa-client-install first and then try" "to run this installation again." .format(dl=expected) ) -if current != expected: +if expected is not None and current != expected: +raise RuntimeError(message) +if minimum is not None and current < minimum: raise RuntimeError(message) # Detect if current level is out of supported range @@ -1088,7 +1096,7 @@ def promote_check(installer): config.master_host_name, None) promotion_check_ipa_domain(conn, remote_api.env.basedn) -check_domain_level(remote_api, expected=constants.DOMAIN_LEVEL_1) +check_domain_level(remote_api, minimum=constants.DOMAIN_LEVEL_1) # Check authorization result = remote_api.Command['hostgroup_find']( -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
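Review bot: with the new `minimum` parameter the message is still built with `.format(dl=expected)`, so the new call `check_domain_level(remote_api, minimum=constants.DOMAIN_LEVEL_1)` would report "install a replica in domain level None" if it fires; format with `current`, the detected level, which is also what the user actually needs to see. The added line also carries the typo "instalation", and the following context line has "can can"; worth fixing while this string is being touched.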
[Freeipa-devel] [freeipa PR#422][opened] Fix reference before assignment
URL: https://github.com/freeipa/freeipa/pull/422 Author: frasertweedale Title: #422: Fix reference before assignment Action: opened PR body: """ In 'store_session_cookie', if the server does not set the session cookie for some reason, the 'session_cookie' variable does not get assigned, resulting in UnboundLocalError. Set an initial value of 'None'. Fixes: https://fedorahosted.org/freeipa/ticket/6636 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/422/head:pr422 git checkout pr422 From 530721a57f560e9d14264303a2a60e8d37646ff7 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 31 Jan 2017 11:23:58 +1000 Subject: [PATCH] Fix reference before assignment In 'store_session_cookie', if the server does not set the session cookie for some reason, the 'session_cookie' variable does not get assigned, resulting in UnboundLocalError. Set an initial value of 'None'. Fixes: https://fedorahosted.org/freeipa/ticket/6636 --- ipalib/rpc.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index fb739f8..356ec42 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -706,6 +706,7 @@ def store_session_cookie(self, cookie_header): cookie_header = [cookie_header] # Search for the session cookie +session_cookie = None try: for cookie in cookie_header: session_cookie = \ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
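Review bot: initialising `session_cookie = None` removes the UnboundLocalError, but the hunk stops at the `try`, so it is not visible how the value is used afterwards; confirm that the code following the loop treats `None` as "no session cookie" (returns early or skips storing) rather than calling a method on it, otherwise the UnboundLocalError just becomes an AttributeError. A one-line comment on the new line saying the server may not send the cookie would explain the default to the next reader.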
[Freeipa-devel] [freeipa PR#417][comment] private_ccache: yield ccache name
URL: https://github.com/freeipa/freeipa/pull/417 Title: #417: private_ccache: yield ccache name frasertweedale commented: """ Build failure is unrelated to patch. """ See the full comment at https://github.com/freeipa/freeipa/pull/417#issuecomment-276241458
[Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion
URL: https://github.com/freeipa/freeipa/pull/416 Title: #416: replica install: relax domain level check for promotion frasertweedale commented: """ Build failure is unrelated to patch. """ See the full comment at https://github.com/freeipa/freeipa/pull/416#issuecomment-275988778
[Freeipa-devel] [freeipa PR#417][opened] private_ccache: yield ccache name
URL: https://github.com/freeipa/freeipa/pull/417 Author: frasertweedale Title: #417: private_ccache: yield ccache name Action: opened PR body: """ When using private_ccache, yield 'path' from the context manager. This is cleaner than inspecting 'os.environ['KRB5CCNAME']' within the context. Part of: https://fedorahosted.org/freeipa/ticket/5011 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/417/head:pr417 git checkout pr417 From a8c504216571016be89f661a65eee9e4c580d082 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 25 Jan 2017 10:51:24 +1000 Subject: [PATCH] private_ccache: yield ccache name When using private_ccache, yield 'path' from the context manager. This is cleaner than inspecting 'os.environ['KRB5CCNAME']' within the context. Part of: https://fedorahosted.org/freeipa/ticket/5011 --- ipapython/ipautil.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index c8f87ef..c810adc 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -1300,7 +1300,7 @@ def private_ccache(path=None): os.environ['KRB5CCNAME'] = path try: -yield +yield path finally: if original_value is not None: os.environ['KRB5CCNAME'] = original_value -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
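Review bot: `yield path` changes the context manager's contract, so the `private_ccache` docstring (outside the hunk) should state that the ccache path is yielded and callers can write `with private_ccache() as ccache:`. Since the signature is `private_ccache(path=None)` and the visible context assigns `os.environ['KRB5CCNAME'] = path` just before the yield, the docstring should also make clear that the yielded value is whatever `path` holds at that point, including a path the function chose itself when none was passed.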
[Freeipa-devel] [freeipa PR#416][opened] replica install: relax domain level check for promotion
URL: https://github.com/freeipa/freeipa/pull/416 Author: frasertweedale Title: #416: replica install: relax domain level check for promotion Action: opened PR body: """ promote_check currently requires DL == 1. Relax the check to require DL >= 1, so that things will work for future DL increases. Part of: https://fedorahosted.org/freeipa/ticket/5011 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/416/head:pr416 git checkout pr416 From a97b9dba6f1768356d7ce9feac8dc46da4ff8f83 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 Jan 2017 16:04:10 +1000 Subject: [PATCH] replica install: relax domain level check for promotion promote_check currently requires DL == 1. Relax the check to require DL >= 1, so that things will work for future DL increases. Part of: https://fedorahosted.org/freeipa/ticket/5011 --- ipaserver/install/server/replicainstall.py | 16 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 18222c8..cf29710 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -556,7 +556,13 @@ def common_check(no_ntp): pass -def check_domain_level(api, expected): +def check_domain_level(api, expected=None, minimum=None): +"""Check the domain level. + +:param expected: if given, assert that current DL == expected +:param minimum: if given, assert that current DL >= minimum + +""" # Detect the current domain level try: current = api.Command['domainlevel_get']()['result'] 
@@ -576,14 +582,16 @@ def check_domain_level(api, expected): "{dl}:\n" "\tDomain level 0 requires a replica file as a positional " "arugment.\n" -"\tFor domain level 1 replica instalation, a replica file must " +"\tFor domain level >= 1 replica instalation, a replica file must " "not be used but you can can join the domain by running " "ipa-client-install first and then try" "to run this installation again." .format(dl=expected) ) -if current != expected: +if current is not None and current != expected: +raise RuntimeError(message) +if minimum is not None and current < minimum: raise RuntimeError(message) # Detect if current level is out of supported range @@ -1088,7 +1096,7 @@ def promote_check(installer): config.master_host_name, None) promotion_check_ipa_domain(conn, remote_api.env.basedn) -check_domain_level(remote_api, expected=constants.DOMAIN_LEVEL_1) +check_domain_level(remote_api, minimum=constants.DOMAIN_LEVEL_1) # Check authorization result = remote_api.Command['hostgroup_find']( -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
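Review bot: the condition `if current is not None and current != expected:` checks the wrong variable. `current` always holds a domain level, so for the new `minimum`-only call in `promote_check`, where `expected` stays `None`, `current != None` is always true and the function raises for every caller; the guard should be `if expected is not None and current != expected:`, mirroring the `minimum` check on the next line.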
[Freeipa-devel] [freeipa PR#415][opened] ca-del: require CA to already be disabled
URL: https://github.com/freeipa/freeipa/pull/415 Author: frasertweedale Title: #415: ca-del: require CA to already be disabled Action: opened PR body: """ Currently ca-del disables the target CA before deleting it. Conceptually, this involves two separate permissions: modify and delete. A user with delete permission does not necessarily have modify permission. As we move toward enforcing IPA permissions in Dogtag, it is necessary to decouple disablement from deletion, otherwise the disable operation would fail if the user does not have modify permission. Although it introduces an additional step for administrators, the process is consistent, required permissions are clear, and errors are human-friendly. Part of: https://fedorahosted.org/freeipa/ticket/5011 freeipa-devel discussion: https://www.redhat.com/archives/freeipa-devel/2017-January/msg00435.html """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/415/head:pr415 git checkout pr415 From 8ce4a54eca8719fc1ad397cae57a3de880a755df Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 23 Jan 2017 11:37:37 +1000 Subject: [PATCH] ca-del: require CA to already be disabled Currently ca-del disables the target CA before deleting it. Conceptually, this involves two separate permissions: modify and delete. A user with delete permission does not necessarily have modify permission. As we move toward enforcing IPA permissions in Dogtag, it is necessary to decouple disablement from deletion, otherwise the disable operation would fail if the user does not have modify permission. Although it introduces an additional step for administrators, the process is consistent, required permissions are clear, and errors are human-friendly. Part of: https://fedorahosted.org/freeipa/ticket/5011 --- ipaserver/plugins/ca.py | 7 ++- ipatests/test_xmlrpc/tracker/ca_plugin.py | 6 +- 2 files changed, 11 insertions(+), 2 deletions(-) 
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index 4f24278..0d3d7d0 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -286,7 +286,12 @@ def pre_callback(self, ldap, dn, *keys, **options): ca_id = self.api.Command.ca_show(keys[0])['result']['ipacaid'][0] with self.api.Backend.ra_lightweight_ca as ca_api: -ca_api.disable_ca(ca_id) +data = ca_api.read_ca(ca_id) +if data['enabled']: +raise errors.ProtectedEntryError( +label=_("CA"), +key=keys[0], +reason=_("Must be disabled first")) ca_api.delete_ca(ca_id) return dn diff --git a/ipatests/test_xmlrpc/tracker/ca_plugin.py b/ipatests/test_xmlrpc/tracker/ca_plugin.py index e18b1c1..cb3fb70 100644 --- a/ipatests/test_xmlrpc/tracker/ca_plugin.py +++ b/ipatests/test_xmlrpc/tracker/ca_plugin.py @@ -82,7 +82,11 @@ def track_create(self): def make_delete_command(self): """Make function that deletes the plugin entry object.""" -return self.make_command('ca_del', self.name) +def disable_then_delete(): +self.make_command('ca_disable', self.name)() +return self.make_command('ca_del', self.name)() + +return disable_then_delete def check_delete(self, result): assert_deepequal(dict( -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
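Review bot: the ca.py hunk adds a new error path (`ProtectedEntryError` when `data['enabled']` is true) but nothing exercises it; the tracker change only makes the existing delete tests disable first, so a regression that silently dropped the check would still pass. Add a test that runs `ca_del` on a still-enabled CA and asserts `errors.ProtectedEntryError`. Also update the `make_delete_command` docstring, which still says only "deletes" although `disable_then_delete` now runs `ca_disable` first.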
[Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370 Title: #370: ci: send build log to paste.fedoraproject.org frasertweedale commented: """ @martbab the paste looks like gobbledygook; it's gzipped. We will see it in action soon enough :) """ See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-275016649
[Freeipa-devel] [freeipa PR#245][synchronized] Allow full customisability of IPA CA subject DN
URL: https://github.com/freeipa/freeipa/pull/245 Author: frasertweedale Title: #245: Allow full customisability of IPA CA subject DN Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/245/head:pr245 git checkout pr245 From d3088f763ef28cc570e54cfa20601a9df412 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 11 Nov 2016 18:54:01 +1000 Subject: [PATCH 01/10] Refactor and relocate set_subject_base_in_config Refactor set_subject_base_in_config to use api.Backend.ldap2 instead of a manually created LDAP connection. Also rename the function to have a more accurate name, and move it to 'ipaserver.install.ca' to avoid cyclic import (we will eventually need to use it from within that module). Part of: https://fedorahosted.org/freeipa/ticket/2614 --- ipaserver/install/ca.py | 9 + ipaserver/install/server/install.py | 24 +--- 2 files changed, 10 insertions(+), 23 deletions(-) diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index 4f64d99..820c6ee 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -48,6 +48,15 @@ external_ca_file = None +def set_subject_base_in_config(subject_base): +entry_attrs = api.Backend.ldap2.get_ipa_config() +entry_attrs['ipacertificatesubjectbase'] = [str(subject_base)] +try: +api.Backend.ldap2.update_entry(entry_attrs) +except errors.EmptyModlist: +pass + + def install_check(standalone, replica_config, options): global external_cert_file global external_ca_file diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index fc319d9..36bbb4b 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -16,7 +16,6 @@ from ipalib.install import certmonger, sysrestore from ipapython import ipautil -from ipapython.dn import DN from ipapython.ipa_log_manager import root_logger from ipapython.ipautil import ( format_netloc, ipa_generate_password, run, user_input) 
@@ -40,7 +39,6 @@ IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address, is_ipa_configured, load_pkcs12, read_password, verify_fqdn, update_hosts_file) -from ipaserver.plugins.ldap2 import ldap2 if six.PY3: unicode = str @@ -242,25 +240,6 @@ def check_dirsrv(unattended): raise ScriptError(msg) -def set_subject_in_config(realm_name, dm_password, suffix, subject_base): -ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % ( -installutils.realm_to_serverid(realm_name) -) -try: -conn = ldap2(api, ldap_uri=ldapuri) -conn.connect(bind_dn=DN(('cn', 'directory manager')), - bind_pw=dm_password) -except errors.ExecutionError as e: -root_logger.critical("Could not connect to the Directory Server " - "on %s" % realm_name) -raise e -entry_attrs = conn.get_ipa_config() -if 'ipacertificatesubjectbase' not in entry_attrs: -entry_attrs['ipacertificatesubjectbase'] = [str(subject_base)] -conn.update_entry(entry_attrs) -conn.disconnect() - - def common_cleanup(func): def decorated(installer): success = False @@ -848,8 +827,7 @@ def install(installer): os.chmod(paths.IPA_CA_CRT, 0o644) ca_db.publish_ca_cert(paths.IPA_CA_CRT) -set_subject_in_config(realm_name, dm_password, - ipautil.realm_to_suffix(realm_name), options.subject) +ca.set_subject_base_in_config(options.subject_base) # Apply any LDAP updates. Needs to be done after the configuration file # is created. DS is restarted in the process. From efd9f21899daa3d4813ca838bbaeaa1bbe8f6118 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Wed, 16 Nov 2016 19:31:19 +1000 Subject: [PATCH 02/10] installutils: remove hardcoded subject DN assumption `installutils.load_external_cert` assumes that the IPA CA subject DN is `CN=Certificate Authority, {subject_base}`. In preparation for full customisability of IPA CA subject DN, push this assumption out of this function to call sites (which will be updated in a subsequent commit). Part of: https://fedorahosted.org/freeipa/ticket/2614 --- ipaserver/install/ca.py| 4 +++- ipaserver/install/installutils.py | 7 --- ipaserver/install/ipa_cacert_manage.py | 7 +-- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index 820c6ee..56f6692 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -109,7 +109,9 @@ def install_check(standalone, replica_config, options): "--external-ca.") external_cert_file, external_
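Review bot: the ca.py hunk in PATCH 01/10 changes behaviour beyond the refactor its message describes. The removed `set_subject_in_config` only wrote `ipacertificatesubjectbase` when the attribute was absent (`if 'ipacertificatesubjectbase' not in entry_attrs:`), whereas `set_subject_base_in_config` now overwrites it unconditionally and only swallows `errors.EmptyModlist` when the value is unchanged. If the overwrite is intended, say so in the commit message; otherwise keep the presence check.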
[Freeipa-devel] [freeipa PR#245][comment] Allow full customisability of IPA CA subject DN
URL: https://github.com/freeipa/freeipa/pull/245 Title: #245: Allow full customisability of IPA CA subject DN frasertweedale commented: """ @HonzaCholasta whups! Thanks for clarifying; fixed. """ See the full comment at https://github.com/freeipa/freeipa/pull/245#issuecomment-271863765
[Freeipa-devel] [freeipa PR#245][comment] Allow full customisability of IPA CA subject DN
URL: https://github.com/freeipa/freeipa/pull/245 Title: #245: Allow full customisability of IPA CA subject DN frasertweedale commented: """ @HonzaCholasta PR updated. Re ticket URL, I think 2614 is the correct one for that commit. """ See the full comment at https://github.com/freeipa/freeipa/pull/245#issuecomment-271859881
[Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370 Title: #370: ci: send build log to paste.fedoraproject.org frasertweedale commented: """ Note: a new fedora pastebin is forthcoming. Staging instance: https://modernpaste.stg.fedoraproject.org/ """ See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-270801791
[Freeipa-devel] [freeipa PR#370][edited] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370 Author: frasertweedale Title: #370: ci: send build log to paste.fedoraproject.org Action: edited Changed field: body Original value: """ This commit is just to see if we can ship our build logs off travis to a pastebin. If we can, we can refine the approach to only ship logs when the build broke, provide better output about where to find them, etc. """
[Freeipa-devel] [freeipa PR#370][edited] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370 Author: frasertweedale Title: #370: ci: send build log to paste.fedoraproject.org Action: edited Changed field: title Original value: """ [EXPERIMENT] ci: send build log to paste.fedoraproject.org """
[Freeipa-devel] [freeipa PR#370][synchronized] [EXPERIMENT] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370 Author: frasertweedale Title: #370: [EXPERIMENT] ci: send build log to paste.fedoraproject.org Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/370/head:pr370 git checkout pr370 From 7601eceefccd5ab844bf94b670de242cb7040d50 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 5 Jan 2017 12:24:59 +1000 Subject: [PATCH] ci: send build log to paste.fedoraproject.org When the build fails, send the whole logfile to paste.fedora.org. (because due to size constraints we currently have to tail the log for the travis-ci transcript). We send a gzipped file, because the raw log file exceeds the size limit on paste.fedoraproject.org. Due to percent-encoding of the data, the compressed file inflates by ~2.5x for transport. If this ever becomes a problem, base64url-encoding before transport will limit inflation to 1.33x. --- .travis.yml | 15 +++ 1 file changed, 15 insertions(+) diff --git a/.travis.yml b/.travis.yml index 6301974..1660be9 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -33,5 +33,20 @@ install: script: - travis_wait 50 ./.travis_run_task.sh after_failure: +- > + echo "Sending test runner output to paste.fedoraproject.org" + && sudo apt-get -qq update && sudo apt-get install -y jq + && gzip < ci_results_${TRAVIS_BRANCH}.log > ci_results.log.gz + && ls -l ci_results.log.gz +- > + PASTE_ID=$(curl https://paste.fedoraproject.org/~freeipa.ci/ -H Expect: + --data api_submit=true + --data mode=json + --data paste_lang=text + --data paste_expire=$(expr 86400 '*' 28) + --data-urlencode paste_data@ci_results.log.gz + | jq --raw-output .result.id) + && echo "Download gzipped logfile from: https://paste.fedoraproject.org/$PASTE_ID/raw/"; + || echo "Failed to submit paste!" - echo "Test runner output:"; tail -n $CI_BACKLOG_SIZE $CI_RESULTS_LOG - echo "PEP-8 errors:"; cat $PEP8_ERROR_LOG -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
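Review bot: in the `@@ -33,5 +33,20 @@` hunk the folded scalar joins `&& echo "Download gzipped logfile from: ..."` and `|| echo "Failed to submit paste!"` into one shell command, so the `;` before `||` gives bash `; ||`, a syntax error rather than a fallback; drop the semicolon so it reads `... && echo "Download gzipped logfile from: https://paste.fedoraproject.org/$PASTE_ID/raw/" || echo "Failed to submit paste!"`. Also worth stating in the commit message that the whole test-runner log becomes publicly readable for 28 days (`paste_expire=$(expr 86400 '*' 28)`), so the log should be checked for anything credential-like before this leaves the experiment stage.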
[Freeipa-devel] [freeipa PR#370][comment] [EXPERIMENT] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370 Title: #370: [EXPERIMENT] ci: send build log to paste.fedoraproject.org frasertweedale commented: """ fedora-infra ticket for project name limitations: https://pagure.io/fedora-infrastructure/issue/5661 """ See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-270609873
[Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355 Title: #355: Set up DS TLS on replica in CA-less topology frasertweedale commented: """ ipa-4-4 PR: #371 """ See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-270605522
[Freeipa-devel] [freeipa PR#371][opened] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/371 Author: frasertweedale Title: #371: Set up DS TLS on replica in CA-less topology Action: opened PR body: """ Fixes: https://fedorahosted.org/freeipa/ticket/6226 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/371/head:pr371 git checkout pr371 From 23bfb40e4037d9c14077cd3d472cf69f008e5c0a Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 20 Dec 2016 23:29:22 +1000 Subject: [PATCH] Set up DS TLS on replica in CA-less topology Fixes: https://fedorahosted.org/freeipa/ticket/6226 --- ipaserver/install/dsinstance.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 26cd246..1d3ae2e 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -393,7 +393,9 @@ def create_replica(self, realm_name, master_fqdn, fqdn, if self.promote: self.step("creating DS keytab", self.__get_ds_keytab) -if self.ca_is_configured: +if self.pkcs12_info: +self.step("configuring ssl for ds instance", self.__enable_ssl) +else: self.step("retrieving DS Certificate", self.__get_ds_cert) self.step("restarting directory server", self.__restart_instance) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
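Review bot: in the `@@ -393,7 +393,9 @@` hunk the new `else:` branch calls `__get_ds_cert` whenever `pkcs12_info` is unset, whereas the replaced line called it only when `ca_is_configured`; if any promote path can have neither a PKCS#12 bundle nor a CA, this step would try to retrieve a DS certificate from a CA that does not exist. Either keep the CA check (`elif self.ca_is_configured:`) or add a comment stating the invariant that a missing `pkcs12_info` implies a CA-ful topology. The commit message is only a ticket link; one sentence on why the old condition skipped TLS setup on CA-less replicas would help the backport reviewer.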
[Freeipa-devel] [freeipa PR#370][comment] [EXPERIMENT] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370 Title: #370: [EXPERIMENT] ci: send build log to paste.fedoraproject.org frasertweedale commented: """
Additional notes about paste.fedoraproject.org projects:
- seems that only names consisting entirely of alpha chars work (thus ruling out `freeipa-ci` or similar)
- pastes to a project namespace appear in *both* the project archive, and the main archive.
- example command:
```shell
curl -v https://paste.fedoraproject.org/~freeipa/ -H Expect: \
  -d api_submit=true \
  -d mode=json \
  -d paste_lang=text \
  -d paste_data=hello+world \
  -d paste_expire=300
```
- paste can be accessed via top name space or project (or any *other*, too)
""" See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-270592924
[Freeipa-devel] [freeipa PR#348][comment] ca: fix ca-find with --pkey-only
URL: https://github.com/freeipa/freeipa/pull/348 Title: #348: ca: fix ca-find with --pkey-only frasertweedale commented: """ Thanks @mbasti-rh ! """ See the full comment at https://github.com/freeipa/freeipa/pull/348#issuecomment-270590370
[Freeipa-devel] [freeipa PR#348][+ack] ca: fix ca-find with --pkey-only
URL: https://github.com/freeipa/freeipa/pull/348 Title: #348: ca: fix ca-find with --pkey-only Label: +ack
[Freeipa-devel] [freeipa PR#348][comment] ca: fix ca-find with --pkey-only
URL: https://github.com/freeipa/freeipa/pull/348 Title: #348: ca: fix ca-find with --pkey-only frasertweedale commented: """ It is an ACK. I don't have perms to add the label tho :) """ See the full comment at https://github.com/freeipa/freeipa/pull/348#issuecomment-270589226
[Freeipa-devel] [freeipa PR#370][synchronized] [EXPERIMENT] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370 Author: frasertweedale Title: #370: [EXPERIMENT] ci: send build log to paste.fedoraproject.org Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/370/head:pr370 git checkout pr370 From c2c0ac5739c46399edc3b0d74bec132832600eca Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 5 Jan 2017 12:24:59 +1000 Subject: [PATCH] ci: send build log to paste.fedoraproject.org --- .travis.yml | 14 ++ 1 file changed, 14 insertions(+) diff --git a/.travis.yml b/.travis.yml index e870213..159cbd6 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,6 +15,7 @@ env: test_pkcs10 test_xmlrpc/test_[l-z]*.py" before_install: +- sudo apt-get -qq update && sudo apt-get install -y jq - pip install pep8 - > pip3 install @@ -37,6 +38,19 @@ script: --container-image ${TEST_RUNNER_IMAGE} --git-repo ${TRAVIS_BUILD_DIR} run-tests $test_set +- echo "Sending build log to paste.fedoraproject.org" +- gzip < ci_results_${TRAVIS_BRANCH}.log > ci_results.log.gz +- ls -l ci_results.log.gz +- > + PASTE_ID=$(curl https://paste.fedoraproject.org/ -H Expect: + --data api_submit=true + --data mode=json + --data paste_lang=text + --data paste_expire=86400 + --data-urlencode paste_data@ci_results.log.gz + | jq --raw-output .result.id) + && echo "Download gzipped logfile from: https://paste.fedoraproject.org/$PASTE_ID/raw/"; + || echo "Failed to submit paste!" after_failure: - echo "Test runner output:" - tail -n 5000 ci_results_${TRAVIS_BRANCH}.log -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
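Review bot: in the `@@ -37,6 +38,19 @@` hunk the `;` before `|| echo "Failed to submit paste!"` makes the folded command end in `; ||`, which bash rejects as a syntax error, so the fallback message can never print; remove the semicolon. This hunk also places the upload under `script:`, so every build, green or red, publishes its log; the PR description says the goal is to ship logs only when the build broke, which means the step belongs under `after_failure:`.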
[Freeipa-devel] [freeipa PR#370][comment] [EXPERIMENT] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370 Title: #370: [EXPERIMENT] ci: send build log to paste.fedoraproject.org frasertweedale commented: """
OK, so we can ship a paste off but paste.fedoraproject.org does not like the file size (~1.8M). In this case the HTTP response is 200 OK and the response body is the HTML frontpage. The paste does not succeed. Experimentally: a paste of < 512K succeeds, but a paste of ~1M fails.

Now, fpaste is happy enough accepting binary data, e.g. a gzipped file:

    curl https://paste.fedoraproject.org/520077/raw/ | zless

The downsides to doing that are:
1. Cannot view in browser
2. Inefficiency of percent-encoding (compressed data will inflate by ~2.5x for transfer)
   - base64url-encoding the compressed data will avoid percent-encoding and limit inflation to 1.33x

But the upside is of course that we can get these files off so developers can get at them, so I think we should do that.
""" See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-270564366
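To put numbers on the percent-encoding versus base64url trade-off raised in this comment, here is an added measurement script (not part of the PR or the project; the sample build log is constructed in the code):

```python
"""Measure how a gzipped build log grows under the two transport encodings
discussed in PR#370: percent-encoding (what curl's --data-urlencode does)
versus base64url. Added illustration; the log content is constructed here."""
import base64
import gzip
import random
from urllib.parse import quote


def percent_encode(data: bytes) -> bytes:
    # Percent-encode everything except the unreserved characters
    # (letters, digits, "-", "_", ".", "~"): each other byte becomes "%XX",
    # which is what form-urlencoded transport of an opaque file amounts to.
    return quote(data, safe="").encode("ascii")


def base64url_encode(data: bytes) -> bytes:
    # Every 3 input bytes become 4 output characters (plus padding).
    return base64.urlsafe_b64encode(data)


def inflation(encoder, data: bytes) -> float:
    """Encoded size divided by input size."""
    return len(encoder(data)) / len(data)


def make_log(lines: int = 20000, seed: int = 1) -> bytes:
    """Constructed stand-in for ci_results_<branch>.log: one test-runner
    result line per test, mostly PASSED with the occasional FAILED."""
    rng = random.Random(seed)
    out = []
    for i in range(lines):
        verdict = "PASSED" if rng.random() < 0.97 else "FAILED"
        out.append(f"test_xmlrpc/test_plugin_{rng.randrange(400)}.py"
                   f"::test_case_{i:05d} {verdict}\n")
    return "".join(out).encode("ascii")


def measure(log: bytes) -> dict:
    """Compress the log and report the size each transport encoding sends."""
    gz = gzip.compress(log)
    return {
        "raw": len(log),
        "gzip": len(gz),
        "percent_encoded": len(percent_encode(gz)),
        "base64url": len(base64url_encode(gz)),
        "percent_inflation": inflation(percent_encode, gz),
        "base64url_inflation": inflation(base64url_encode, gz),
    }


if __name__ == "__main__":
    for key, value in measure(make_log()).items():
        shown = f"{value:.3f}" if isinstance(value, float) else str(value)
        print(f"{key:>20}: {shown}")
```

Compressed output is close to uniformly distributed bytes, so the percent-encoded size lands near the ~2.5x the comment quotes while base64url stays at 4/3.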
[Freeipa-devel] [freeipa PR#370][synchronized] [EXPERIMENT] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370 Author: frasertweedale Title: #370: [EXPERIMENT] ci: send build log to paste.fedoraproject.org Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/370/head:pr370 git checkout pr370 From 699907bb0fa31464369399788f81d0fa66ce2480 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 5 Jan 2017 12:24:59 +1000 Subject: [PATCH] ci: send build log to paste.fedoraproject.org --- .travis.yml | 13 ++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index e870213..9666468 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,15 +5,13 @@ env: global: - TEST_RUNNER_IMAGE="martbab/freeipa-fedora-test-runner:master-latest" matrix: -- TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py" - > TESTS_TO_RUN="test_cmdline test_install test_ipalib test_ipapython test_ipaserver -test_pkcs10 -test_xmlrpc/test_[l-z]*.py" +test_pkcs10" before_install: - pip install pep8 - > @@ -37,6 +35,15 @@ script: --container-image ${TEST_RUNNER_IMAGE} --git-repo ${TRAVIS_BUILD_DIR} run-tests $test_set +- echo "Sending build log to paste.fedoraproject.org" +- > + curl -v https://paste.fedoraproject.org/ -H Expect: + --data api_submit=true + --data mode=json + --data paste_lang=text + --data paste_expire=86400 + --data-urlencode paste_data@ci_results_${TRAVIS_BRANCH}.log + || echo "failed to submit paste" after_failure: - echo "Test runner output:" - tail -n 5000 ci_results_${TRAVIS_BRANCH}.log -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
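Review bot: the `@@ -5,15 +5,13 @@` hunk drops the `test_xmlrpc` jobs from the build matrix without the commit message saying so; shrinking the matrix is reasonable while probing the pastebin, but this part must not reach master with the rest of the change.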
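Review bot: in the `@@ -37,6 +35,15 @@` hunk `|| echo "failed to submit paste"` only fires when curl itself exits non-zero; since the service answers an oversized paste with `200 OK` and its HTML front page (as reported in the follow-up comment), the step logs nothing and the build looks as if the paste succeeded. With `mode=json` already requested, check the response for a result id rather than relying on curl's exit status.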
[Freeipa-devel] [freeipa PR#370][synchronized] [EXPERIMENT] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370 Author: frasertweedale Title: #370: [EXPERIMENT] ci: send build log to paste.fedoraproject.org Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/370/head:pr370 git checkout pr370 From ee45e138504254588a831ee3146727fa05fc24e3 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 5 Jan 2017 12:24:59 +1000 Subject: [PATCH] ci: send build log to paste.fedoraproject.org --- .travis.yml | 17 + 1 file changed, 17 insertions(+) diff --git a/.travis.yml b/.travis.yml index e870213..03dc840 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,6 +15,15 @@ env: test_pkcs10 test_xmlrpc/test_[l-z]*.py" before_install: +- curl -V +- > + curl -v https://paste.fedoraproject.org/ -H Expect: + --data api_submit=true + --data mode=json + --data paste_lang=text + --data paste_data=hello+world + || echo "failed to submit paste" +- /bin/false - pip install pep8 - > pip3 install @@ -37,6 +46,14 @@ script: --container-image ${TEST_RUNNER_IMAGE} --git-repo ${TRAVIS_BUILD_DIR} run-tests $test_set +- echo "Sending build log to paste.fedoraproject.org" +- > + curl https://paste.fedoraproject.org/ -H Expect: + --data api_submit=true + --data mode=json + --data paste_lang=text + --data-urlencode paste_data@ci_results_${TRAVIS_BRANCH}.log + || echo "failed to submit paste" after_failure: - echo "Test runner output:" - tail -n 5000 ci_results_${TRAVIS_BRANCH}.log -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
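Review bot: in the `@@ -15,6 +15,15 @@` hunk the `- /bin/false` after the probe `curl -v ... -d paste_data=hello+world` aborts `before_install` on purpose, so every job of this push fails before `pip install pep8` runs; fine as a one-off probe of the API, but it needs to come out together with the probe before the PR is considered for merge.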
[Freeipa-devel] [freeipa PR#370][synchronized] [EXPERIMENT] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370 Author: frasertweedale Title: #370: [EXPERIMENT] ci: send build log to paste.fedoraproject.org Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/370/head:pr370 git checkout pr370 From 2135ba13c4ad9653e22d817caea82d754a8034b6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 5 Jan 2017 12:24:59 +1000 Subject: [PATCH] ci: send build log to paste.fedoraproject.org --- .travis.yml | 8 1 file changed, 8 insertions(+) diff --git a/.travis.yml b/.travis.yml index e870213..0324f8d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -37,6 +37,14 @@ script: --container-image ${TEST_RUNNER_IMAGE} --git-repo ${TRAVIS_BUILD_DIR} run-tests $test_set +- echo "Sending build log to paste.fedoraproject.org" +- > + curl https://paste.fedoraproject.org/ -H Expect: + --data api_submit=true + --data mode=json + --data paste_lang=text + --data-urlencode paste_data@ci_results_${TRAVIS_BRANCH}.log + || echo "failed to submit paste" after_failure: - echo "Test runner output:" - tail -n 5000 ci_results_${TRAVIS_BRANCH}.log -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
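Review bot: in the `@@ -37,6 +37,14 @@` hunk curl runs without `--fail`, so an HTTP error status still counts as success and the `|| echo "failed to submit paste"` fallback cannot trigger on a rejected paste; add `--fail` (curl then exits non-zero on HTTP 4xx/5xx). The step also sits under `script:`, so it uploads the log of every build rather than only failed ones, which the PR description names as the eventual goal.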
[Freeipa-devel] [freeipa PR#370][opened] [EXPERIMENT] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370 Author: frasertweedale Title: #370: [EXPERIMENT] ci: send build log to paste.fedoraproject.org Action: opened PR body: """ This commit is just to see if we can ship our build logs off travis to a pastebin. If we can, we can refine the approach to only ship logs when the build broke, provide better output about where to find them, etc. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/370/head:pr370 git checkout pr370 From a86cf41441919797fad5e59d21334746b6baad77 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 5 Jan 2017 12:24:59 +1000 Subject: [PATCH] ci: send build log to paste.fedoraproject.org --- .travis.yml | 8 1 file changed, 8 insertions(+) diff --git a/.travis.yml b/.travis.yml index e870213..55d5b10 100644 --- a/.travis.yml +++ b/.travis.yml @@ -37,6 +37,14 @@ script: --container-image ${TEST_RUNNER_IMAGE} --git-repo ${TRAVIS_BUILD_DIR} run-tests $test_set +- echo "Sending build log to paste.fedoraproject.org" +- > + curl https://paste.fedoraproject.org/ -H Expect: + --data api_submit=true + --data mode=json + --data paste_lang=text + --data-urlencode paste_d...@redhatitroot.pem + || echo "failed to submit paste" after_failure: - echo "Test runner output:" - tail -n 5000 ci_results_${TRAVIS_BRANCH}.log -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
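Review bot: in the `@@ -37,6 +37,14 @@` hunk the argument `--data-urlencode paste_d...@redhatitroot.pem` is mangled in the list archive (the `@` triggered address obfuscation), so the upload line cannot be reviewed from this mail; the re-pushed revision reads `--data-urlencode paste_data@ci_results_${TRAVIS_BRANCH}.log`. The commit message is only the subject line; the explanation in the PR body (experiment to ship build logs off travis) belongs in the commit itself.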
[Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates
URL: https://github.com/freeipa/freeipa/pull/359 Title: #359: dogtag: search past the first 100 certificates frasertweedale commented: """ @stlaz as I see it, the `_ldap_search` can potentially search all objects of a particular type (user/service/host), which have `(userCertificate=*)`. The result is then used to filter or add to the result, depending on whether the result is "key complete" or not (indicated by the variable `complete`). Anyhow I leave to Honza to comment further; he probably understands the code better than me :) """ See the full comment at https://github.com/freeipa/freeipa/pull/359#issuecomment-270534943
[Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates
URL: https://github.com/freeipa/freeipa/pull/359 Title: #359: dogtag: search past the first 100 certificates frasertweedale commented: """
@tomaskrizek @HonzaCholasta it looks like the problem is:
1. subsearches are conducted in order:
   1. `_cert_search` (if `'certificate' in options` add key to result and "seal" it)
   2. `_ca_search` (actually perform the search against Dogtag, via `ra.find`)
   3. `_ldap_search` (look for local entries that have given cert in their `userCertificate` attr.)
2. if no explicit `sizelimit` is requested, and if there are > 100 entries with `(userCertificate=*)`, `_ldap_search` will be truncated, and this result is carried across to the final result.

The cert search from Dogtag is not truncated, but the search for entries to use to filter the result may have been truncated. The simplest way to resolve this is (I think) to forcibly execute `_ldap_search` with `sizelimit=0`. IMO `_ldap_search` should also be avoided or short-circuited if none of the owner-filtering options to `cert-find` are given.

(edit to note: this will not find certs that are in IPA LDAP but not in Dogtag, which I guess is the wrong behaviour..? So I think we just have to have sizelimit=0. I am concerned about performance impact of cert-find with many principals with certs set... but that is a separate issue).
""" See the full comment at https://github.com/freeipa/freeipa/pull/359#issuecomment-270283124
[Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates
URL: https://github.com/freeipa/freeipa/pull/359 Title: #359: dogtag: search past the first 100 certificates frasertweedale commented: """
@tomaskrizek @HonzaCholasta it looks like the problem is:
1. subsearches are conducted in order:
   1. `_cert_search` (if `'certificate' in options` add key to result and "seal" it)
   2. `_ca_search` (actually perform the search against Dogtag, via `ra.find`)
   3. `_ldap_search` (look for local entries that have given cert in their `userCertificate` attr.)
2. Due to raising of search limit internally within `ra.find`, `_ca_search` will return `sub_complete = True` always.
3. ~line 1477:
```python
if sub_complete:
    sizelimit = None
...
```
This causes the next sub-search (`_ldap_search`) to be carried out with the *default* size limit (100).
4. If there are > 100 entries with the `(userCertificate=*)`, this search will be truncated, and this result is carried across to the final result.

The cert search from Dogtag is not truncated, but the search for entries to use to filter the result may have been truncated. The simplest way to resolve this is (I think) to forcibly execute `_ldap_search` with `sizelimit=0`. IMO `_ldap_search` should also be avoided or short-circuited if none of the owner-filtering options to `cert-find` are given.

(edit to note: this will not find certs that are in IPA LDAP but not in Dogtag, which I guess is the wrong behaviour..? So I think we just have to have sizelimit=0. I am concerned about performance impact of cert-find with many principals with certs set... but that is a separate issue).
""" See the full comment at https://github.com/freeipa/freeipa/pull/359#issuecomment-270283124
[Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates
URL: https://github.com/freeipa/freeipa/pull/359 Title: #359: dogtag: search past the first 100 certificates frasertweedale commented: """
@tomaskrizek @HonzaCholasta it looks like the problem is:
1. subsearches are conducted in order:
   1. `_cert_search` (if `'certificate' in options` add key to result and "seal" it)
   2. `_ca_search` (actually perform the search against Dogtag, via `ra.find`)
   3. `_ldap_search` (look for local entries that have given cert in their `userCertificate` attr.)
2. Due to raising of search limit internally within `ra.find`, `_ca_search` will return `sub_complete = True` always.
3. ~line 1477:
```python
if sub_complete:
    sizelimit = None
...
```
This causes the next sub-search (`_ldap_search`) to be carried out with the *default* size limit (100).
4. If there are > 100 entries with the `(userCertificate=*)`, this search will be truncated, and this result is carried across to the final result.

The cert search from Dogtag is not truncated, but the search for entries to use to filter the result may have been truncated. The simplest way to resolve this is (I think) to forcibly execute `_ldap_search` with `sizelimit=0`. IMO `_ldap_search` should also be avoided or short-circuited if none of the owner-filtering options to `cert-find` are given.
""" See the full comment at https://github.com/freeipa/freeipa/pull/359#issuecomment-270283124
[Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates
URL: https://github.com/freeipa/freeipa/pull/359 Title: #359: dogtag: search past the first 100 certificates frasertweedale commented: """
@tomaskrizek @HonzaCholasta it looks like the problem is:
1. subsearches are conducted in order:
   1. `_cert_search` (if `'certificate' in options` add key to result and "seal" it)
   2. `_ca_search` (actually perform the search against Dogtag, via `ra.find`)
   3. `_ldap_search` (look for local entries that have given cert in their `userCertificate` attr.)
2. Due to raising of search limit internally within `ra.find`, for this sub-search, `sub_complete = True` always.
3. ~line 1477:
```python
if sub_complete:
    sizelimit = None
...
```
This causes the next sub-search (`_ldap_search`) to be carried out with the *default* size limit (100).
4. If there are > 100 entries with the `(userCertificate=*)`, this search will be truncated, and this result is carried across to the final result.

The cert search from Dogtag is not truncated, but the search for entries to use to filter the result may have been truncated. The simplest way to resolve this is (I think) to forcibly execute `_ldap_search` with `sizelimit=0`. IMO `_ldap_search` should also be avoided or short-circuited if none of the owner-filtering options to `cert-find` are given.
""" See the full comment at https://github.com/freeipa/freeipa/pull/359#issuecomment-270283124
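A toy model of the sub-search chain described in the PR#359 comments above, added here as an illustration of how a size-limited filter search silently drops results (this is not FreeIPA's code: the certificate store, the entries, the sub-search functions and the limit handling are all constructed):

```python
"""Model of the cert-find truncation discussed in PR#359.

Added illustration, not FreeIPA's code: everything below is constructed to
reproduce the behaviour the comment describes, where a complete CA search
resets `sizelimit`, the LDAP filter search then runs with the default limit,
and certificates past the limit vanish from the final result.
"""

DEFAULT_SIZELIMIT = 100  # default LDAP search size limit quoted in the comment

# Constructed data: the CA has issued 150 certificates (serials 1..150) and
# each one is stored in the userCertificate attribute of one user entry.
CA_CERTS = {serial: {"serial_number": serial, "subject": f"CN=user{serial}"}
            for serial in range(1, 151)}
LDAP_ENTRIES = [{"uid": f"user{serial}", "userCertificate": serial}
                for serial in range(1, 151)]


def ca_search(result):
    """Model of `_ca_search`: the CA raises its own limit internally, so every
    certificate comes back and the sub-search reports itself complete."""
    for serial, cert in CA_CERTS.items():
        result[serial] = dict(cert)
    return True  # sub_complete


def ldap_search(result, sizelimit):
    """Model of `_ldap_search`: find entries carrying a userCertificate and use
    them to filter the CA result down to certificates that have an owner.
    sizelimit=0 means unlimited; any other value truncates the entry list the
    way the LDAP server's size limit does."""
    entries = LDAP_ENTRIES
    truncated = sizelimit != 0 and len(entries) > sizelimit
    if truncated:
        entries = entries[:sizelimit]
    owned = {entry["userCertificate"] for entry in entries}
    for serial in list(result):
        if serial not in owned:
            del result[serial]
    return not truncated  # sub_complete


def cert_find(sizelimit=None, force_unlimited_ldap=False):
    """Chain the sub-searches as the comment describes. By default the
    `sub_complete` flag from the CA search resets `sizelimit` to None, so the
    LDAP filter search runs with the default limit of 100 and certificates
    101..150 are dropped without any error. `force_unlimited_ldap` applies
    the proposed fix of running `_ldap_search` with sizelimit=0."""
    result = {}
    sub_complete = ca_search(result)
    if sub_complete:
        sizelimit = None  # the behaviour quoted from ~line 1477
    if force_unlimited_ldap:
        ldap_limit = 0
    else:
        ldap_limit = DEFAULT_SIZELIMIT if sizelimit is None else sizelimit
    ldap_complete = ldap_search(result, ldap_limit)
    return {"count": len(result), "truncated": not ldap_complete}


if __name__ == "__main__":
    print("as described:", cert_find())
    print("with sizelimit=0 for _ldap_search:",
          cert_find(force_unlimited_ldap=True))
```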
[Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates
URL: https://github.com/freeipa/freeipa/pull/359 Title: #359: dogtag: search past the first 100 certificates frasertweedale commented: """ @tomaskrizek yes, I can reproduce with your steps. """ See the full comment at https://github.com/freeipa/freeipa/pull/359#issuecomment-270274050
[Freeipa-devel] [freeipa PR#362][comment] Clarify meaning of --domain and --realm in installers
URL: https://github.com/freeipa/freeipa/pull/362 Title: #362: Clarify meaning of --domain and --realm in installers frasertweedale commented: """ All of my comments from #352 were addressed. @stlaz you were the only other person to review #352 and request changes, so I assume you have addressed those too, in which case: ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/362#issuecomment-270050075
[Freeipa-devel] [freeipa PR#355][synchronized] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355 Author: frasertweedale Title: #355: Set up DS TLS on replica in CA-less topology Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/355/head:pr355 git checkout pr355 From d1ff655281116b0a74f5a1c5c491c3f2247317a4 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 20 Dec 2016 23:29:22 +1000 Subject: [PATCH 1/2] Set up DS TLS on replica in CA-less topology Fixes: https://fedorahosted.org/freeipa/ticket/6226 --- ipaserver/install/dsinstance.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index bcfcb05..2ac1041 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -390,7 +390,9 @@ def create_replica(self, realm_name, master_fqdn, fqdn, self.step("creating DS keytab", self._request_service_keytab) if self.promote: -if self.ca_is_configured: +if self.pkcs12_info: +self.step("configuring ssl for ds instance", self.__enable_ssl) +else: self.step("retrieving DS Certificate", self.__get_ds_cert) self.step("restarting directory server", self.__restart_instance) From 7e347d7641a29f9e94251adc97c15a8bcee70230 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 3 Jan 2017 12:04:20 +1000 Subject: [PATCH 2/2] dsinstance: minor string fixes Fixes: https://fedorahosted.org/freeipa/ticket/6586 --- ipaserver/install/dsinstance.py | 13 +++-- 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 2ac1041..a0fdc4a 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py 
@@ -278,7 +278,7 @@ def __common_setup(self, enable_ssl=False): self.step("creating indices", self.__create_indices) self.step("enabling referential integrity plugin", self.__add_referint_module) if enable_ssl: -self.step("configuring ssl for ds instance", self.__enable_ssl) +self.step("configuring TLS for DS instance", self.__enable_ssl) self.step("configuring certmap.conf", self.__certmap_conf) self.step("configure new location for managed entries", self.__repoint_managed_entries) self.step("configure dirsrv ccache", self.configure_dirsrv_ccache) @@ -351,7 +351,7 @@ def create_instance(self, realm_name, fqdn, domain_name, def enable_ssl(self): self.steps = [] -self.step("configuring ssl for ds instance", self.__enable_ssl) +self.step("configuring TLS for DS instance", self.__enable_ssl) self.step("restarting directory server", self.__restart_instance) self.step("adding CA certificate entry", self.__upload_ca_cert) @@ -391,7 +391,7 @@ def create_replica(self, realm_name, master_fqdn, fqdn, self.step("creating DS keytab", self._request_service_keytab) if self.promote: if self.pkcs12_info: -self.step("configuring ssl for ds instance", self.__enable_ssl) +self.step("configuring TLS for DS instance", self.__enable_ssl) else: self.step("retrieving DS Certificate", self.__get_ds_cert) self.step("restarting directory server", self.__restart_instance) @@ -559,9 +559,9 @@ def __create_instance(self): root_logger.debug("calling setup-ds.pl") try: ipautil.run(args) -root_logger.debug("completed creating ds instance") +root_logger.debug("completed creating DS instance") except ipautil.CalledProcessError as e: -raise RuntimeError("failed to create ds instance %s" % e) +raise RuntimeError("failed to create DS instance %s" % e) # check for open port 389 from now on self.open_ports.append(389) 
@@ -1024,7 +1024,8 @@ def uninstall(self): try: services.knownservices.dirsrv.restart(ds_instance, wait=False) except Exception as e: -root_logger.error('Unable to restart ds instance %s: %s', ds_instance, e) +root_logger.error( +'Unable to restart DS instance %s: %s', ds_instance, e) def stop_tracking_certificates(self, serverid=None): if serverid is None: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
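Review bot: in the `@@ -278,7 +278,7 @@` hunk of patch 2/2 the string "configuring ssl for ds instance" is rewritten to "configuring TLS for DS instance", yet patch 1/2 of this same series adds a new `self.step("configuring ssl for ds instance", self.__enable_ssl)` that this hunk series then fixes again at `@@ -391,7 +391,7 @@`; have patch 1/2 use the final wording (or squash the two) so the series does not add a string only to correct it one commit later.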
[Freeipa-devel] [freeipa PR#355][synchronized] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355 Author: frasertweedale Title: #355: Set up DS TLS on replica in CA-less topology Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/355/head:pr355 git checkout pr355 From d1ff655281116b0a74f5a1c5c491c3f2247317a4 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 20 Dec 2016 23:29:22 +1000 Subject: [PATCH 1/2] Set up DS TLS on replica in CA-less topology Fixes: https://fedorahosted.org/freeipa/ticket/6226 --- ipaserver/install/dsinstance.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index bcfcb05..2ac1041 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -390,7 +390,9 @@ def create_replica(self, realm_name, master_fqdn, fqdn, self.step("creating DS keytab", self._request_service_keytab) if self.promote: -if self.ca_is_configured: +if self.pkcs12_info: +self.step("configuring ssl for ds instance", self.__enable_ssl) +else: self.step("retrieving DS Certificate", self.__get_ds_cert) self.step("restarting directory server", self.__restart_instance) From 4780278fd3006187ca809f60b5f397c8d2dd6187 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 3 Jan 2017 12:04:20 +1000 Subject: [PATCH 2/2] dsinstance: minor string fixes Fixes: https://fedorahosted.org/freeipa/ticket/6586 --- ipaserver/install/dsinstance.py | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 2ac1041..5b0d91c 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py 
@@ -278,7 +278,7 @@ def __common_setup(self, enable_ssl=False): self.step("creating indices", self.__create_indices) self.step("enabling referential integrity plugin", self.__add_referint_module) if enable_ssl: -self.step("configuring ssl for ds instance", self.__enable_ssl) +self.step("configuring TLS for DS instance", self.__enable_ssl) self.step("configuring certmap.conf", self.__certmap_conf) self.step("configure new location for managed entries", self.__repoint_managed_entries) self.step("configure dirsrv ccache", self.configure_dirsrv_ccache) @@ -351,7 +351,7 @@ def create_instance(self, realm_name, fqdn, domain_name, def enable_ssl(self): self.steps = [] -self.step("configuring ssl for ds instance", self.__enable_ssl) +self.step("configuring TLS for DS instance", self.__enable_ssl) self.step("restarting directory server", self.__restart_instance) self.step("adding CA certificate entry", self.__upload_ca_cert) @@ -391,7 +391,7 @@ def create_replica(self, realm_name, master_fqdn, fqdn, self.step("creating DS keytab", self._request_service_keytab) if self.promote: if self.pkcs12_info: -self.step("configuring ssl for ds instance", self.__enable_ssl) +self.step("configuring TLS for DS instance", self.__enable_ssl) else: self.step("retrieving DS Certificate", self.__get_ds_cert) self.step("restarting directory server", self.__restart_instance) @@ -559,9 +559,9 @@ def __create_instance(self): root_logger.debug("calling setup-ds.pl") try: ipautil.run(args) -root_logger.debug("completed creating ds instance") +root_logger.debug("completed creating DS instance") except ipautil.CalledProcessError as e: -raise RuntimeError("failed to create ds instance %s" % e) +raise RuntimeError("failed to create DS instance %s" % e) # check for open port 389 from now on self.open_ports.append(389) 
@@ -1024,7 +1024,7 @@ def uninstall(self): try: services.knownservices.dirsrv.restart(ds_instance, wait=False) except Exception as e: -root_logger.error('Unable to restart ds instance %s: %s', ds_instance, e) +root_logger.error('Unable to restart DS instance %s: %s', ds_instance, e) def stop_tracking_certificates(self, serverid=None): if serverid is None: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
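Review bot: in the `create_replica` hunk of PATCH 1/2, replacing `if self.ca_is_configured:` with `if self.pkcs12_info:` drops the CA-ful check entirely, so the `else` branch calling `__get_ds_cert` now runs for any promoted replica without a PKCS#12 bundle, whether or not a CA is configured. Keeping both guards explicit, i.e. `if self.pkcs12_info:` / `elif self.ca_is_configured:`, avoids silently attempting a CA request in a topology that has neither, and the commit message (currently just `Fixes:`) should state the assumption that `pkcs12_info` is set exactly when the topology is CA-less.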
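Review bot: in the `__create_instance` hunk of PATCH 2/2, `RuntimeError("failed to create DS instance %s" % e)` still runs the exception text straight on from "instance" with no separator; since the string is being touched anyway, `"failed to create DS instance: %s"` reads better in logs. The other hunks are consistent ssl/TLS and ds/DS renames and look fine.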
[Freeipa-devel] [freeipa PR#355][synchronized] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355 Author: frasertweedale Title: #355: Set up DS TLS on replica in CA-less topology Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/355/head:pr355 git checkout pr355 From 9e2e1fb71a6ef34cab56206346dc193305d71d82 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 20 Dec 2016 23:29:22 +1000 Subject: [PATCH] Set up DS TLS on replica in CA-less topology Fixes: https://fedorahosted.org/freeipa/ticket/6226 --- ipaserver/install/dsinstance.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index bcfcb05..2ac1041 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -390,7 +390,9 @@ def create_replica(self, realm_name, master_fqdn, fqdn, self.step("creating DS keytab", self._request_service_keytab) if self.promote: -if self.ca_is_configured: +if self.pkcs12_info: +self.step("configuring ssl for ds instance", self.__enable_ssl) +else: self.step("retrieving DS Certificate", self.__get_ds_cert) self.step("restarting directory server", self.__restart_instance) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
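Review bot: the `create_replica` hunk makes `__get_ds_cert` the fallback for every promoted replica that has no `pkcs12_info`, because the old `ca_is_configured` guard is removed rather than demoted to an `elif`. Unless a promote without PKCS#12 always implies a configured CA, `elif self.ca_is_configured:` keeps the two cases mutually exclusive and explicit; either way the commit message should say which invariant is relied on.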
[Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates
URL: https://github.com/freeipa/freeipa/pull/359 Title: #359: dogtag: search past the first 100 certificates frasertweedale commented: """ This change is working for me, including having the expected behaviour for WebUI. @tomaskrizek please provide steps to reproduce your WebUI behaviour. """ See the full comment at https://github.com/freeipa/freeipa/pull/359#issuecomment-268710308
[Freeipa-devel] [freeipa PR#355][synchronized] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355 Author: frasertweedale Title: #355: Set up DS TLS on replica in CA-less topology Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/355/head:pr355 git checkout pr355 From 34ca89d344c623432dfec1bb04f4776cd9546eb6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 20 Dec 2016 23:29:22 +1000 Subject: [PATCH] Set up DS TLS on replica in CA-less topology Fixes: https://fedorahosted.org/freeipa/ticket/6226 --- ipaserver/install/dsinstance.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index bcfcb05..2ac1041 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -390,7 +390,9 @@ def create_replica(self, realm_name, master_fqdn, fqdn, self.step("creating DS keytab", self._request_service_keytab) if self.promote: -if self.ca_is_configured: +if self.pkcs12_info: +self.step("configuring ssl for ds instance", self.__enable_ssl) +else: self.step("retrieving DS Certificate", self.__get_ds_cert) self.step("restarting directory server", self.__restart_instance) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
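Review bot: the new step label `configuring ssl for ds instance` in the `create_replica` hunk does not match the style of the neighbouring `retrieving DS Certificate` / `creating DS keytab` steps; `configuring TLS for DS instance` would be consistent with the rest of the installer output. The logic point about dropping the `ca_is_configured` guard in favour of an `elif` applies here as well.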
[Freeipa-devel] [freeipa PR#348][comment] ca: fix ca-find with --pkey-only
URL: https://github.com/freeipa/freeipa/pull/348 Title: #348: ca: fix ca-find with --pkey-only frasertweedale commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/348#issuecomment-268509213
[Freeipa-devel] [freeipa PR#298][closed] ipaldap: handle binary encoding option transparently
URL: https://github.com/freeipa/freeipa/pull/298 Author: frasertweedale Title: #298: ipaldap: handle binary encoding option transparently Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/298/head:pr298 git checkout pr298
[Freeipa-devel] [freeipa PR#298][comment] ipaldap: handle binary encoding option transparently
URL: https://github.com/freeipa/freeipa/pull/298 Title: #298: ipaldap: handle binary encoding option transparently frasertweedale commented: """ OK, let's just fix all the plugins / other routines that deal with the relevant attributes to explicitly read both `userCertificate` and `userCertificate;binary` and concat the results. I think there is a lot more we could and should do to improve usability w.r.t. these attributes but it will do for now. Closing this PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/298#issuecomment-268508499
[Freeipa-devel] [freeipa PR#298][comment] ipaldap: handle binary encoding option transparently
URL: https://github.com/freeipa/freeipa/pull/298 Title: #298: ipaldap: handle binary encoding option transparently frasertweedale commented: """ @jcholast I disagree. If `ipaldap` is a generic LDAP client, it should obey the RFCs and always transfer the relevant attributes (`userCertificate`, `cACertificate`, etc) with the `;binary` encoding option, and it should expect to see it when reading the relevant attributes from the server. IMO `ipaldap` should handle this transparently because it is part of the LDAP protocol. There is no 389DS-specific hack in my proposed change (but I'm curious about what part of it you feel is). This would also avoid inconsistent handling of relevant attributes between different plugins, which is the situation we currently have. But apart from the inconsistency (which is a nuisance) we have a bigger problem - in several plugins we specifically try to read `userCertificate`, but an RFC 4522-compliant server (which 389DS is not now, but hopefully one day will be) will always return `userCertificate;binary`. So, our current code breaks if/when that happens. Furthermore, other RFC 4522-compliant programs that correctly use the `;binary` transfer encoding option to, e.g. write certificates to user entries, will cause those certificates to be unreadable by *current* IPA plugin code. This is not good enough.

> Also note that the real bug in 389 DS is that it defines the attribute types
> to use octet string syntax, rather than the certificate syntax as defined in
> RFC 4523. It actually behaves correctly, not enforcing the binary transfer
> option on attribute types with octet string syntax.

389DS does not behave correctly; its treatment of `;binary` is wrong in several ways, apart from the incorrect attribute syntax for relevant attributes.
""" See the full comment at https://github.com/freeipa/freeipa/pull/298#issuecomment-268457017
[Freeipa-devel] [freeipa PR#298][comment] ipaldap: handle binary encoding option transparently
URL: https://github.com/freeipa/freeipa/pull/298 Title: #298: ipaldap: handle binary encoding option transparently frasertweedale commented: """ @jcholast I disagree. If `ipaldap` is a generic LDAP client, it should obey the RFCs and always transfer the relevant attributes (`userCertificate`, `cACertificate`, etc) with the `;binary` encoding option, and it should expect to see it when reading the relevant attributes from the server. IMO `ipaldap` should handle this transparently because it is part of the LDAP protocol. There is no 389DS-specific hack in my proposed change (but I'm curious about what part of it you feel is). This would also avoid inconsistent handling of relevant attributes between different plugins, which is the situation we currently have. But apart from the inconsistency (which is a nuisance) we have a bigger problem - in several plugins we specifically try to read `userCertificate`, but an RFC 4522-compliant server (which 389DS is not now, but hopefully one day will be) will always return `userCertificate;binary`. So, our current code breaks if/when that happens. Furthermore, other RFC 4522-compliant programs that correctly use the `;binary` transfer encoding option to, e.g. write certificates to user entries, will cause those certificates to be unreadable by *current* IPA code. This is not good enough.

> Also note that the real bug in 389 DS is that it defines the attribute types
> to use octet string syntax, rather than the certificate syntax as defined in
> RFC 4523. It actually behaves correctly, not enforcing the binary transfer
> option on attribute types with octet string syntax.

389DS does not behave correctly; its treatment of `;binary` is wrong in several ways, apart from the incorrect attribute syntax for relevant attributes.
""" See the full comment at https://github.com/freeipa/freeipa/pull/298#issuecomment-268457017
[Freeipa-devel] [freeipa PR#299][comment] Remove "Request Certificate with SubjectAltName" permission
URL: https://github.com/freeipa/freeipa/pull/299 Title: #299: Remove "Request Certificate with SubjectAltName" permission frasertweedale commented: """ @martbab I don't think this will break migrations from v3; it does not actively remove the permission from existing deployments, it just doesn't add it for new installations. (Admittedly, it is the next thing to test but I have not done so yet). """ See the full comment at https://github.com/freeipa/freeipa/pull/299#issuecomment-268450765
[Freeipa-devel] [freeipa PR#299][synchronized] Remove "Request Certificate with SubjectAltName" permission
URL: https://github.com/freeipa/freeipa/pull/299 Author: frasertweedale Title: #299: Remove "Request Certificate with SubjectAltName" permission Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/299/head:pr299 git checkout pr299 From 837a225bc5d7fa4672ac9833747cf1de4a4521ad Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 1 Dec 2016 14:28:03 +1000 Subject: [PATCH] Remove "Request Certificate with SubjectAltName" permission subjectAltName is required or relevant in most certificate use cases (esp. TLS, where carrying DNS name in Subject DN CN attribute is deprecated). Therefore it does not really make sense to have a special permission for this, over and above "request certificate" permission. Furthermore, we already do rigorously validate SAN contents again the subject principal, and the permission is waived for self-service requests or if the operator is a host principal. So remove the permission, the associated virtual operation, and the associated code in cert_request. Fixes: https://fedorahosted.org/freeipa/ticket/6526 --- install/updates/40-delegation.update | 15 --- ipaserver/plugins/cert.py | 6 -- ipatests/test_xmlrpc/test_permission_plugin.py | 2 +- 3 files changed, 1 insertion(+), 22 deletions(-) diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 259cbdb..f48d23a 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update 
@@ -133,21 +133,6 @@ default:objectClass: top default:objectClass: nsContainer default:cn: certificate remove hold -dn: cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX -default:objectClass: top -default:objectClass: nsContainer -default:cn: request certificate with subjectaltname - -dn: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX -default:objectClass: top -default:objectClass: groupofnames -default:objectClass: ipapermission -default:cn: Request Certificate with SubjectAltName -default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX - -dn: $SUFFIX -add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";) - dn: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX default:objectClass: top default:objectClass: nsContainer diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 81872cf..4c1248f 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -620,12 +620,6 @@ def execute(self, csr, all=False, raw=False, **kw): except cryptography.x509.extensions.ExtensionNotFound: ext_san = None -# self-service and host principals may bypass SAN permission check -if (bind_principal_string != principal_string -and bind_principal_type != HOST): -if ext_san is not None: -self.check_access('request certificate with subjectaltname') - dn = None principal_obj = None # See if the service exists and punt if it doesn't and we aren't diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py index 6336df7..7582b24 100644 --- a/ipatests/test_xmlrpc/test_permission_plugin.py +++ b/ipatests/test_xmlrpc/test_permission_plugin.py 
@@ -3125,7 +3125,7 @@ def check_legacy_results(results): legacy_permissions = [p for p in results if not p.get('ipapermissiontype')] print(legacy_permissions) -assert len(legacy_permissions) == 9, len(legacy_permissions) +assert len(legacy_permissions) == 8, len(legacy_permissions) return True -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
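Review bot: deleting the stanzas from `install/updates/40-delegation.update` only stops new installations from creating the `request certificate with subjectaltname` virtual operation, the `Request Certificate with SubjectAltName` permission and its ACI; upgraded deployments keep all three, including the `member: cn=Certificate Administrators,...` link, so the permission stays visible while no code honours it any more. The commit message should say that explicitly, and a follow-up update that removes the stale entries would avoid leaving an ACI that grants a write nobody checks.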
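Review bot: in the `ipaserver/plugins/cert.py` hunk, `ext_san` is still assigned in the context lines above the removed `check_access('request certificate with subjectaltname')` block; confirm it is consumed by the SAN-versus-principal validation the commit message relies on, otherwise it is now a dead variable. The removed block was also where the self-service and `HOST` bypass lived, so a sentence in the commit message on what governs those requesters after the change would help the reader of `git blame`.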
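Review bot: the `test_permission_plugin.py` change from `9` to `8` matches the single legacy permission removed above; the `print(legacy_permissions)` in the context lines of `check_legacy_results` is leftover debugging output and could be dropped while this hunk is being touched.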
[Freeipa-devel] [freeipa PR#245][synchronized] Allow full customisability of IPA CA subject DN
URL: https://github.com/freeipa/freeipa/pull/245 Author: frasertweedale Title: #245: Allow full customisability of IPA CA subject DN Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/245/head:pr245 git checkout pr245 From 315c3c6d95977847afffc94d6e3ace03d3f101e0 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 11 Nov 2016 18:54:01 +1000 Subject: [PATCH 01/12] Refactor and relocate set_subject_base_in_config Refactor set_subject_base_in_config to use api.Backend.ldap2 instead of a manually created LDAP connection. Also rename the function to have a more accurate name, and move it to 'ipaserver.install.ca' to avoid cyclic import (we will eventually need to use it from within that module). Part of: https://fedorahosted.org/freeipa/ticket/2614 --- ipaserver/install/ca.py | 9 + ipaserver/install/server/install.py | 24 +--- 2 files changed, 10 insertions(+), 23 deletions(-) diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index 4f64d99..820c6ee 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -48,6 +48,15 @@ external_ca_file = None +def set_subject_base_in_config(subject_base): +entry_attrs = api.Backend.ldap2.get_ipa_config() +entry_attrs['ipacertificatesubjectbase'] = [str(subject_base)] +try: +api.Backend.ldap2.update_entry(entry_attrs) +except errors.EmptyModlist: +pass + + def install_check(standalone, replica_config, options): global external_cert_file global external_ca_file diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index fc319d9..36bbb4b 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -16,7 +16,6 @@ from ipalib.install import certmonger, sysrestore from ipapython import ipautil -from ipapython.dn import DN from ipapython.ipa_log_manager import root_logger from ipapython.ipautil import ( format_netloc, ipa_generate_password, run, user_input) 
@@ -40,7 +39,6 @@ IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address, is_ipa_configured, load_pkcs12, read_password, verify_fqdn, update_hosts_file) -from ipaserver.plugins.ldap2 import ldap2 if six.PY3: unicode = str @@ -242,25 +240,6 @@ def check_dirsrv(unattended): raise ScriptError(msg) -def set_subject_in_config(realm_name, dm_password, suffix, subject_base): -ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % ( -installutils.realm_to_serverid(realm_name) -) -try: -conn = ldap2(api, ldap_uri=ldapuri) -conn.connect(bind_dn=DN(('cn', 'directory manager')), - bind_pw=dm_password) -except errors.ExecutionError as e: -root_logger.critical("Could not connect to the Directory Server " - "on %s" % realm_name) -raise e -entry_attrs = conn.get_ipa_config() -if 'ipacertificatesubjectbase' not in entry_attrs: -entry_attrs['ipacertificatesubjectbase'] = [str(subject_base)] -conn.update_entry(entry_attrs) -conn.disconnect() - - def common_cleanup(func): def decorated(installer): success = False @@ -848,8 +827,7 @@ def install(installer): os.chmod(paths.IPA_CA_CRT, 0o644) ca_db.publish_ca_cert(paths.IPA_CA_CRT) -set_subject_in_config(realm_name, dm_password, - ipautil.realm_to_suffix(realm_name), options.subject) +ca.set_subject_base_in_config(options.subject_base) # Apply any LDAP updates. Needs to be done after the configuration file # is created. DS is restarted in the process. From 8a7e9b17c493a980f8405a3e4ce18bd735973594 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Wed, 16 Nov 2016 19:31:19 +1000 Subject: [PATCH 02/12] installutils: remove hardcoded subject DN assumption `installutils.load_external_cert` assumes that the IPA CA subject DN is `CN=Certificate Authority, {subject_base}`. In preparation for full customisability of IPA CA subject DN, push this assumption out of this function to call sites (which will be updated in a subsequent commit). Part of: https://fedorahosted.org/freeipa/ticket/2614 --- ipaserver/install/ca.py| 4 +++- ipaserver/install/installutils.py | 7 --- ipaserver/install/ipa_cacert_manage.py | 7 +-- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index 820c6ee..56f6692 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -109,7 +109,9 @@ def install_check(standalone, replica_config, options): "--external-ca.") external_cert_file, external_
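Review bot: the new `set_subject_base_in_config` in `ipaserver/install/ca.py` unconditionally overwrites `ipacertificatesubjectbase`, whereas the removed `set_subject_in_config` only set it when the attribute was absent (`if 'ipacertificatesubjectbase' not in entry_attrs:`). If an existing value must survive a re-run or a replica install, that guard should be carried over; if overwriting is the intent, the commit message should say so. The `except errors.EmptyModlist` also needs `errors` (and `api`) imported in `ca.py`, which the hunk context does not show.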
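Review bot: the call-site hunk in `ipaserver/install/server/install.py` now passes `options.subject_base` where the removed call passed `options.subject`; the commit message only mentions renaming the function, so confirm the option was renamed too. Since `api.Backend.ldap2` replaces the explicit Directory Manager bind over the `ldapi://` socket, the new call must sit after the backend is connected with enough privilege to modify the IPA config entry, which is worth a comment at the call.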
[Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355 Title: #355: Set up DS TLS on replica in CA-less topology frasertweedale commented: """ FWIW, this one does not break CA-ful replica promotion. """ See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-268432611
[Freeipa-devel] [freeipa PR#299][comment] Remove "Request Certificate with SubjectAltName" permission
URL: https://github.com/freeipa/freeipa/pull/299 Title: #299: Remove "Request Certificate with SubjectAltName" permission frasertweedale commented: """ On Tue, Dec 20, 2016 at 07:11:08AM -0800, Martin Babinsky wrote: > Bumping this PR as it seems a bit forgotten. > Cheers. Not forgotten, just not my top priority right now. """ See the full comment at https://github.com/freeipa/freeipa/pull/299#issuecomment-268377852
[Freeipa-devel] [freeipa PR#355][opened] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355 Author: frasertweedale Title: #355: Set up DS TLS on replica in CA-less topology Action: opened PR body: """ Fixes: https://fedorahosted.org/freeipa/ticket/6226 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/355/head:pr355 git checkout pr355 From 989bb1ad9ee79f09076f2bb82305a3b6ece8b0e9 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 20 Dec 2016 23:29:22 +1000 Subject: [PATCH] Set up DS TLS on replica in CA-less topology Fixes: https://fedorahosted.org/freeipa/ticket/6226 --- ipaserver/install/dsinstance.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index bcfcb05..fe3a505 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -392,6 +392,8 @@ def create_replica(self, realm_name, master_fqdn, fqdn, if self.promote: if self.ca_is_configured: self.step("retrieving DS Certificate", self.__get_ds_cert) +elif self.pkcs12_info: +self.step("configuring ssl for ds instance", self.__enable_ssl) self.step("restarting directory server", self.__restart_instance) self.step("setting up initial replication", self.__setup_replica) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
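Review bot: the new `elif self.pkcs12_info:` branch comes after `if self.ca_is_configured:`, so a promoted replica that has both a configured CA and a supplied PKCS#12 bundle will request a certificate from the CA and ignore the bundle. If that precedence is intended it should be stated in the commit message, which currently carries only the `Fixes:` line; the step label `configuring ssl for ds instance` should also match the casing of the neighbouring `retrieving DS Certificate` step.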
[Freeipa-devel] [freeipa PR#354][opened] Fix DL1 replica installation in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/354 Author: frasertweedale Title: #354: Fix DL1 replica installation in CA-less topology Action: opened PR body: """ Commit dbb98765d73519289ee22f3de1a5ccde140f6f5d changed certmonger requests for DS and HTTP certificates during installation to raise on error (https://fedorahosted.org/freeipa/ticket/6514). This introduced a regression in DL1 replica installation in CA-less topology. A certificate was requested, but prior to the aforementioned commit this would fail silently and installation continued, whereas now installation fails. Guard the certificate request with a check that the topology is CA-ful. Fixes: https://fedorahosted.org/freeipa/ticket/6573 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/354/head:pr354 git checkout pr354 From db6038d2bf11f349d79dddc5e10865dd9b3d333a Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 20 Dec 2016 16:45:38 +1000 Subject: [PATCH] Fix DL1 replica installation in CA-less topology Commit dbb98765d73519289ee22f3de1a5ccde140f6f5d changed certmonger requests for DS and HTTP certificates during installation to raise on error (https://fedorahosted.org/freeipa/ticket/6514). This introduced a regression in DL1 replica installation in CA-less topology. A certificate was requested, but prior to the aforementioned commit this would fail silently and installation continued, whereas now installation fails. Guard the certificate request with a check that the topology is CA-ful. Fixes: https://fedorahosted.org/freeipa/ticket/6573 --- ipaserver/install/server/replicainstall.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index b0cf28f..6e986f7 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py 
@@ -1338,7 +1338,7 @@ def install(installer): # Always try to install DNS records install_dns_records(config, options, remote_api) -if promote: +if promote and ca_enabled: # we need to install http certs to setup ssl for httpd install_http_certs(config.host_name, config.realm_name, -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
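Review bot: the guard `if promote and ca_enabled:` covers only the HTTP certificate request in this hunk, while the commit message describes both DS and HTTP certmonger requests raising on error; if the DS request path shares the regression it needs the same guard, or the message should point at where it is handled. With the request now skipped during CA-less promotion, the context comment `we need to install http certs to setup ssl for httpd` is misleading and should note where httpd TLS comes from in the CA-less case.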
[Freeipa-devel] [freeipa PR#348][comment] ca: fix ca-find with --pkey-only
URL: https://github.com/freeipa/freeipa/pull/348 Title: #348: ca: fix ca-find with --pkey-only frasertweedale commented: """ IMO the current change is fine, but I would also implement a defensive guard within `set_certificate_attrs` in case this somehow happens in some other command.

```python
def set_certificate_attrs(entry, options, want_cert=True):
    if 'ipacaid' not in entry:
        return
    ca_id = entry['ipacaid'][0]
    ...
```

""" See the full comment at https://github.com/freeipa/freeipa/pull/348#issuecomment-268125375
[Freeipa-devel] [freeipa PR#245][comment] Allow full customisability of IPA CA subject DN
URL: https://github.com/freeipa/freeipa/pull/245 Title: #245: Allow full customisability of IPA CA subject DN frasertweedale commented: """ @jcholast: new tickets pertaining to subject_base / certmap.conf config:

- **do not update ipaCertificateSubjectBase and certmap.conf in CA-less mode** - https://fedorahosted.org/freeipa/ticket/6556
- **do not set (or look up) subject_base in sysupgrade file** - https://fedorahosted.org/freeipa/ticket/6557

Other review comments will be addressed in due course. Thanks for reviewing. """ See the full comment at https://github.com/freeipa/freeipa/pull/245#issuecomment-266910282
[Freeipa-devel] [freeipa PR#332][synchronized] Fix regression in test suite
URL: https://github.com/freeipa/freeipa/pull/332 Author: frasertweedale Title: #332: Fix regression in test suite Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/332/head:pr332 git checkout pr332 From caf1836023fe8128d54e781a949d752516164402 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 14 Dec 2016 00:22:56 +1000 Subject: [PATCH] Fix regression in test suite 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d introduced a regression in test_serverroles.py, caused by ca_find attempting to log into the Dogtag REST API. (ca_find is called by cert_find which is called by server_del during cleanup). Avoid logging into Dogtag in cert_find unless something actually needs to be retrieved. Fixes: https://fedorahosted.org/freeipa/ticket/6178 --- ipaserver/plugins/ca.py | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index ef1d68c..2510a79 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -161,15 +161,21 @@ class ca(LDAPObject): } -def set_certificate_attrs(entry, options, always_include_cert=True): +def set_certificate_attrs(entry, options, want_cert=True): ca_id = entry['ipacaid'][0] full = options.get('all', False) +want_chain = options.get('chain', False) + +want_data = want_cert or want_chain or full +if not want_data: +return + with api.Backend.ra_lightweight_ca as ca_api: -if always_include_cert or full: +if want_cert or full: der = ca_api.read_ca_cert(ca_id) entry['certificate'] = six.text_type(base64.b64encode(der)) -if options.get('chain', False) or full: +if want_chain or full: pkcs7_der = ca_api.read_ca_chain(ca_id) pems = x509.pkcs7_to_pems(pkcs7_der, x509.DER) ders = [x509.normalize_certificate(pem) for pem in pems] 
@@ -187,7 +193,7 @@ def execute(self, *keys, **options): ca_enabled_check() result = super(ca_find, self).execute(*keys, **options) for entry in result['result']: -set_certificate_attrs(entry, options, always_include_cert=False) +set_certificate_attrs(entry, options, want_cert=False) return result -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
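Review bot: the early `return` added at the top of `set_certificate_attrs` (first hunk, ipaserver/plugins/ca.py) leaves the entry untouched with nothing in the code saying that `certificate` and `certificate_chain` were skipped on purpose; a one-line comment above `want_data = want_cert or want_chain or full` stating that the function must not enter `api.Backend.ra_lightweight_ca`, and therefore must not log into Dogtag, unless some certificate data was actually requested would document the intent the commit message gives, since a later edit that moves work back above the guard would silently reintroduce the regression.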
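Review bot: the second hunk makes `ca_find.execute` pass `want_cert=False`, so a plain `ca_find` with neither `chain` nor `all` set never opens the Dogtag session, but the patch adds no test that pins this behaviour even though it fixes a test-suite regression; consider a test (in test_serverroles.py, which exposed the regression, or beside the ca plugin tests) that runs `ca_find` with no options while `api.Backend.ra_lightweight_ca` is replaced by a mock and asserts the mock was never entered.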
[Freeipa-devel] [freeipa PR#332][opened] Fix regression in test suite
URL: https://github.com/freeipa/freeipa/pull/332 Author: frasertweedale Title: #332: Fix regression in test suite Action: opened PR body: """ 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d introduced a regression in test_serverroles.py, caused by ca_find attempting to log into the Dogtag REST API. (ca_find is called by cert_find which is caused by server_del during cleanup). Avoid logging into Dogtag in cert_find unless something actually needs to be retrieved. Fixes: https://fedorahosted.org/freeipa/ticket/6178 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/332/head:pr332 git checkout pr332 From 19a63ecd713b5133dbd5ee6ba65d4351799cebaa Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 14 Dec 2016 00:22:56 +1000 Subject: [PATCH] Fix regression in test suite 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d introduced a regression in test_serverroles.py, caused by ca_find attempting to log into the Dogtag REST API. (ca_find is called by cert_find which is caused by server_del during cleanup). Avoid logging into Dogtag in cert_find unless something actually needs to be retrieved. Fixes: https://fedorahosted.org/freeipa/ticket/6178 --- ipaserver/plugins/ca.py | 12 +--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index ef1d68c..86bec0f 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py 
@@ -161,15 +161,21 @@ class ca(LDAPObject): } -def set_certificate_attrs(entry, options, always_include_cert=True): +def set_certificate_attrs(entry, options, want_cert=True): ca_id = entry['ipacaid'][0] full = options.get('all', False) +want_chain = options.get('chain', False) + +want_data = want_cert or want_chain or full +if not want_data: +return + with api.Backend.ra_lightweight_ca as ca_api: if always_include_cert or full: der = ca_api.read_ca_cert(ca_id) entry['certificate'] = six.text_type(base64.b64encode(der)) -if options.get('chain', False) or full: +if want_chain or full: pkcs7_der = ca_api.read_ca_chain(ca_id) pems = x509.pkcs7_to_pems(pkcs7_der, x509.DER) ders = [x509.normalize_certificate(pem) for pem in pems] @@ -187,7 +193,7 @@ def execute(self, *keys, **options): ca_enabled_check() result = super(ca_find, self).execute(*keys, **options) for entry in result['result']: -set_certificate_attrs(entry, options, always_include_cert=False) +set_certificate_attrs(entry, options, want_cert=False) return result -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
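Review bot: in the first hunk the parameter is renamed from `always_include_cert` to `want_cert` on the `def` line, but the unchanged context line `if always_include_cert or full:` still references the old name, so every call that gets past the new `want_data` guard (any of `want_cert`, `chain` or `all` set) raises `NameError`; change it to `if want_cert or full:` to match the new signature.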
[Freeipa-devel] [freeipa PR#329][closed] experiment: did pull/177 break ci?
URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329
[Freeipa-devel] [freeipa PR#329][synchronized] experiment: did pull/177 break ci?
URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329 From dcd48155a899a14cdf1de843fa729064ba06b4b7 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 13 Dec 2016 20:24:30 +1000 Subject: [PATCH 1/3] ci: run tests with a single job instead of two --- .travis.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index e870213..2a409f2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,7 +5,6 @@ env: global: - TEST_RUNNER_IMAGE="martbab/freeipa-fedora-test-runner:master-latest" matrix: -- TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py" - > TESTS_TO_RUN="test_cmdline test_install @@ -13,7 +12,7 @@ env: test_ipapython test_ipaserver test_pkcs10 -test_xmlrpc/test_[l-z]*.py" +test_xmlrpc/test_[a-z]*.py" before_install: - pip install pep8 - > From 4f29cd26fccb508538598da9dac96b12a3317aee Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 13 Dec 2016 22:11:07 +1000 Subject: [PATCH 2/3] ci: make travis wait 120 mins (experimental) --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 2a409f2..b574e86 100644 --- a/.travis.yml +++ b/.travis.yml @@ -30,7 +30,7 @@ script: # output do not cause premature termination of the build - "docker pull ${TEST_RUNNER_IMAGE}" - > -travis_wait 50 +travis_wait 120 ipa-docker-test-runner -l ci_results_${TRAVIS_BRANCH}.log -c .test_runner_config.yaml --container-image ${TEST_RUNNER_IMAGE} From eeac7bb902edd6aea9cb6502b9779ff82e30d4c5 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 13 Dec 2016 22:46:17 +1000 Subject: [PATCH 3/3] gimme more log --- .travis.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index b574e86..2e83511 100644 
--- a/.travis.yml +++ b/.travis.yml @@ -38,6 +38,7 @@ script: run-tests $test_set after_failure: - echo "Test runner output:" - - tail -n 5000 ci_results_${TRAVIS_BRANCH}.log + - cat ci_results_${TRAVIS_BRANCH}.log + - cat /var/log/httpd/error_log - echo "PEP-8 errors:" - cat pep8_errors.log -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
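Review bot: in patch 1/3 the two `TESTS_TO_RUN` matrix entries are collapsed into one job running `test_xmlrpc/test_[a-z]*.py`, which roughly doubles the wall-clock time of the remaining job (patch 2/3 raising `travis_wait` from 50 to 120 is the consequence); if this survives the experiment, say in the commit message that the parallel split was removed deliberately, so it can be restored once the question in the PR title is answered.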
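Review bot: in patch 3/3, `cat /var/log/httpd/error_log` runs on the Travis host, while the tests run inside the `${TEST_RUNNER_IMAGE}` container started by `ipa-docker-test-runner`, so unless the runner copies the container's httpd log out that path will not exist and the `after_failure` step fails on a missing file instead of showing the log; guard it (`[ -f /var/log/httpd/error_log ] && cat /var/log/httpd/error_log`) or extract it from the container. Replacing `tail -n 5000` with `cat` of the whole `ci_results_${TRAVIS_BRANCH}.log` also risks Travis truncating a very large job log, which would hide exactly the output being sought.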
[Freeipa-devel] [freeipa PR#329][synchronized] experiment: did pull/177 break ci?
URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329 From dcd48155a899a14cdf1de843fa729064ba06b4b7 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 13 Dec 2016 20:24:30 +1000 Subject: [PATCH 1/2] ci: run tests with a single job instead of two --- .travis.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index e870213..2a409f2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,7 +5,6 @@ env: global: - TEST_RUNNER_IMAGE="martbab/freeipa-fedora-test-runner:master-latest" matrix: -- TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py" - > TESTS_TO_RUN="test_cmdline test_install @@ -13,7 +12,7 @@ env: test_ipapython test_ipaserver test_pkcs10 -test_xmlrpc/test_[l-z]*.py" +test_xmlrpc/test_[a-z]*.py" before_install: - pip install pep8 - > From 4f29cd26fccb508538598da9dac96b12a3317aee Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 13 Dec 2016 22:11:07 +1000 Subject: [PATCH 2/2] ci: make travis wait 120 mins (experimental) --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 2a409f2..b574e86 100644 --- a/.travis.yml +++ b/.travis.yml @@ -30,7 +30,7 @@ script: # output do not cause premature termination of the build - "docker pull ${TEST_RUNNER_IMAGE}" - > -travis_wait 50 +travis_wait 120 ipa-docker-test-runner -l ci_results_${TRAVIS_BRANCH}.log -c .test_runner_config.yaml --container-image ${TEST_RUNNER_IMAGE} -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#329][synchronized] experiment: did pull/177 break ci?
URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329 From dcd48155a899a14cdf1de843fa729064ba06b4b7 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 13 Dec 2016 20:24:30 +1000 Subject: [PATCH] ci: run tests with a single job instead of two --- .travis.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index e870213..2a409f2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,7 +5,6 @@ env: global: - TEST_RUNNER_IMAGE="martbab/freeipa-fedora-test-runner:master-latest" matrix: -- TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py" - > TESTS_TO_RUN="test_cmdline test_install @@ -13,7 +12,7 @@ env: test_ipapython test_ipaserver test_pkcs10 -test_xmlrpc/test_[l-z]*.py" +test_xmlrpc/test_[a-z]*.py" before_install: - pip install pep8 - > -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#329][reopened] experiment: did pull/177 break ci?
URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329
[Freeipa-devel] [freeipa PR#329][synchronized] experiment: did pull/177 break ci?
URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329
[Freeipa-devel] [freeipa PR#329][synchronized] experiment: did pull/177 break ci?
URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329
[Freeipa-devel] [freeipa PR#329][closed] experiment: did pull/177 break ci?
URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329
[Freeipa-devel] [freeipa PR#329][synchronized] experiment: did pull/177 break ci?
URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329 From 8e13b7c01311e44eb3ec1dc16dac26b8d3287139 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 13 Dec 2016 10:50:50 +1000 Subject: [PATCH] Revert "Add options to write lightweight CA cert or chain to file" This reverts commit 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d. --- API.txt | 6 +-- VERSION.m4| 4 +- ipaclient/plugins/ca.py | 53 - ipaserver/plugins/ca.py | 65 +++ ipaserver/plugins/dogtag.py | 12 -- ipatests/test_xmlrpc/tracker/ca_plugin.py | 31 --- ipatests/test_xmlrpc/xmlrpc_test.py | 17 7 files changed, 16 insertions(+), 172 deletions(-) delete mode 100644 ipaclient/plugins/ca.py diff --git a/API.txt b/API.txt index 543cec5..bad3b92 100644 --- a/API.txt +++ b/API.txt @@ -445,11 +445,10 @@ option: Str('version?') output: Output('count', type=[]) output: Output('results', type=[, ]) command: ca_add/1 -args: 1,8,3 +args: 1,7,3 arg: Str('cn', cli_name='name') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) -option: Flag('chain', autofill=True, default=False) option: Str('description?', cli_name='desc') option: DNParam('ipacasubjectdn', cli_name='subject') option: Flag('raw', autofill=True, cli_name='raw', default=False) @@ -520,10 +519,9 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: ca_show/1 -args: 1,5,3 +args: 1,4,3 arg: Str('cn', cli_name='name') option: Flag('all', autofill=True, cli_name='all', default=False) -option: Flag('chain', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False) option: Flag('rights', autofill=True, default=False) option: Str('version?') 
diff --git a/VERSION.m4 b/VERSION.m4 index 36929ee..7d9e107 100644 --- a/VERSION.m4 +++ b/VERSION.m4 @@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412) # # define(IPA_API_VERSION_MAJOR, 2) -define(IPA_API_VERSION_MINOR, 217) -# Last change: Add options to write lightweight CA cert or chain to file +define(IPA_API_VERSION_MINOR, 216) +# Last change: DNS: Support URI resource record type diff --git a/ipaclient/plugins/ca.py b/ipaclient/plugins/ca.py deleted file mode 100644 index fcdf484..000 --- a/ipaclient/plugins/ca.py +++ /dev/null @@ -1,53 +0,0 @@ -# -# Copyright (C) 2016 FreeIPA Contributors see COPYING for license -# - -import base64 -from ipaclient.frontend import MethodOverride -from ipalib import util, x509, Str -from ipalib.plugable import Registry -from ipalib.text import _ - -register = Registry() - - -class WithCertOutArgs(MethodOverride): - -takes_options = ( -Str( -'certificate_out?', -doc=_('Write certificate (chain if --chain used) to file'), -include='cli', -cli_metavar='FILE', -), -) - -def forward(self, *keys, **options): -filename = None -if 'certificate_out' in options: -filename = options.pop('certificate_out') -util.check_writable_file(filename) - -result = super(WithCertOutArgs, self).forward(*keys, **options) -if filename: -def to_pem(x): -return x509.make_pem(x) -if options.get('chain', False): -ders = result['result']['certificate_chain'] -data = '\n'.join(to_pem(base64.b64encode(der)) for der in ders) -else: -data = to_pem(result['result']['certificate']) -with open(filename, 'wb') as f: -f.write(data) - -return result - - -@register(override=True, no_fail=True) -class ca_add(WithCertOutArgs): -pass - - -@register(override=True, no_fail=True) -class ca_show(WithCertOutArgs): -pass diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index ef1d68c..d9ae8c8 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -2,18 +2,14 @@ # Copyright (C) 2
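Review bot: the VERSION.m4 hunk moves `IPA_API_VERSION_MINOR` back from 217 to 216 and restores the previous `Last change` line; that is only safe if no build carrying API version 217 was ever released or consumed, because a client that recorded 217 will see the server's API version go backwards. If 217 has already escaped, bump to 218 with a `Last change` line describing the revert instead of decrementing.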
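Review bot: the hunk deleting `ipaclient/plugins/ca.py` removes the `certificate_out` CLI option from `ca_add` and `ca_show`, yet the commit message only names the commit being reverted and gives no reason; the sibling PR#332 on this list says that commit made `ca_find` log into the Dogtag REST API during `server_del` cleanup and broke test_serverroles.py, so state that reason and reference the ticket in the message, which also lets reviewers weigh this full revert against the narrower fix proposed in PR#332.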