Re: [Freeipa-devel] [PATCH] 375 Added mechanism to copy vault secrets.

2015-11-02 Thread Alexander Bokovoy

On Mon, 02 Nov 2015, Endi Sukma Dewata wrote:

On 11/2/2015 6:38 AM, Martin Basti wrote:

The vault-add and vault-archive commands have been modified to
optionally retrieve a secret from a source vault, then re-archive
the secret into the new/existing target vault.

https://fedorahosted.org/freeipa/ticket/5223




I cannot apply this patch.


Rebased. It depends on patch #371-2.


Rebased due to other changes in vault.



Code works for me, but wouldn't be better to create a new command,
Endi what do you think?
something like vault-copy, instead of adding new options to existing
command?


+1


Endi, what do you think about the proposed change?


Sorry, I'm still handling an IPA customer issue. The vault-copy is 
fine. I think ideally a copy command should look like this:


 $ ipa vault-copy  

But since generally the IPA command arguments are used to specify an 
object hierarchy (e.g.   ), I'm 
not sure if the above format would be consistent with other IPA 
commands.

It is not really enforced and 'ipa vault-copy source destination' is
reasonable and logical, so it makes sense to implement the command this
way.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH] 375 Added mechanism to copy vault secrets.

2015-11-02 Thread Endi Sukma Dewata

On 11/2/2015 6:38 AM, Martin Basti wrote:

The vault-add and vault-archive commands have been modified to
optionally retrieve a secret from a source vault, then re-archive
the secret into the new/existing target vault.

https://fedorahosted.org/freeipa/ticket/5223




I cannot apply this patch.


Rebased. It depends on patch #371-2.


Rebased due to other changes in vault.



Code works for me, but wouldn't be better to create a new command,
Endi what do you think?
something like vault-copy, instead of adding new options to existing
command?


+1


Endi, what do you think about the proposed change?


Sorry, I'm still handling an IPA customer issue. The vault-copy is fine. 
I think ideally a copy command should look like this:


  $ ipa vault-copy  

But since generally the IPA command arguments are used to specify an 
object hierarchy (e.g.   ), I'm 
not sure if the above format would be consistent with other IPA commands.


--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 375 Added mechanism to copy vault secrets.

2015-11-02 Thread Martin Basti



On 05.10.2015 09:21, Jan Cholasta wrote:

On 2.10.2015 15:23, Martin Basti wrote:



On 08/27/2015 01:47 AM, Endi Sukma Dewata wrote:

On 8/20/2015 2:08 AM, Endi Sukma Dewata wrote:

On 8/19/2015 4:20 AM, Martin Basti wrote:

On 08/16/2015 05:29 PM, Endi Sukma Dewata wrote:

The vault-add and vault-archive commands have been modified to
optionally retrieve a secret from a source vault, then re-archive
the secret into the new/existing target vault.

https://fedorahosted.org/freeipa/ticket/5223




I cannot apply this patch.


Rebased. It depends on patch #371-2.


Rebased due to other changes in vault.



Code works for me, but wouldn't be better to create a new command, 
Endi what do you think?

something like vault-copy, instead of adding new options to existing
command?


+1


Endi, what do you think about the proposed change?



Re: [Freeipa-devel] [PATCH] 375 Added mechanism to copy vault secrets.

2015-10-05 Thread Jan Cholasta

On 2.10.2015 15:23, Martin Basti wrote:



On 08/27/2015 01:47 AM, Endi Sukma Dewata wrote:

On 8/20/2015 2:08 AM, Endi Sukma Dewata wrote:

On 8/19/2015 4:20 AM, Martin Basti wrote:

On 08/16/2015 05:29 PM, Endi Sukma Dewata wrote:

The vault-add and vault-archive commands have been modified to
optionally retrieve a secret from a source vault, then re-archive
the secret into the new/existing target vault.

https://fedorahosted.org/freeipa/ticket/5223




I cannot apply this patch.


Rebased. It depends on patch #371-2.


Rebased due to other changes in vault.



Code works for me, but wouldn't be better to create a new command,
something like vault-copy, instead of adding new options to existing
command?


+1

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 375 Added mechanism to copy vault secrets.

2015-10-02 Thread Martin Basti



On 08/27/2015 01:47 AM, Endi Sukma Dewata wrote:

On 8/20/2015 2:08 AM, Endi Sukma Dewata wrote:

On 8/19/2015 4:20 AM, Martin Basti wrote:

On 08/16/2015 05:29 PM, Endi Sukma Dewata wrote:

The vault-add and vault-archive commands have been modified to
optionally retrieve a secret from a source vault, then re-archive
the secret into the new/existing target vault.

https://fedorahosted.org/freeipa/ticket/5223




I cannot apply this patch.


Rebased. It depends on patch #371-2.


Rebased due to other changes in vault.



Code works for me, but wouldn't be better to create a new command, 
something like vault-copy, instead of adding new options to existing 
command?

Martin^2



Re: [Freeipa-devel] [PATCH] 375 Added mechanism to copy vault secrets.

2015-08-26 Thread Endi Sukma Dewata

On 8/20/2015 2:08 AM, Endi Sukma Dewata wrote:

On 8/19/2015 4:20 AM, Martin Basti wrote:

On 08/16/2015 05:29 PM, Endi Sukma Dewata wrote:

The vault-add and vault-archive commands have been modified to
optionally retrieve a secret from a source vault, then re-archive
the secret into the new/existing target vault.

https://fedorahosted.org/freeipa/ticket/5223




I cannot apply this patch.


Rebased. It depends on patch #371-2.


Rebased due to other changes in vault.

--
Endi S. Dewata
From 676b2043a390e6e68772837cf46e222aeda9da78 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sat, 15 Aug 2015 16:17:47 +0200
Subject: [PATCH] Added mechanism to copy vault secrets.

The vault-add and vault-archive commands have been modified to
optionally retrieve a secret from a source vault, then re-archive
the secret into the new/existing target vault.

https://fedorahosted.org/freeipa/ticket/5223
---
 API.txt   |  20 ++-
 VERSION   |   4 +-
 ipalib/plugins/vault.py   | 213 --
 ipatests/test_xmlrpc/test_vault_plugin.py | 143 
 4 files changed, 306 insertions(+), 74 deletions(-)

diff --git a/API.txt b/API.txt
index 
afd5017bee2bc1eed54497ccd504b92619ff7a58..c883271af4ff84f82c623208567f114265c3ce60
 100644
--- a/API.txt
+++ b/API.txt
@@ -5405,7 +5405,7 @@ output: Output('result', , None)
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
 command: vault_add
-args: 1,14,3
+args: 1,22,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
@@ -5419,6 +5419,14 @@ option: Flag('raw', autofill=True, cli_name='raw', 
default=False, exclude='webui
 option: Str('service?')
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Flag('shared?', autofill=True, default=False)
+option: Str('source_password?')
+option: Str('source_password_file?')
+option: Bytes('source_private_key?')
+option: Str('source_private_key_file?')
+option: Str('source_service?')
+option: Flag('source_shared?', autofill=True, default=False)
+option: Str('source_user?')
+option: Str('source_vault?')
 option: Str('username?', cli_name='user')
 option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
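Review bot: `source_password?` and `source_private_key?` accept the source vault credential inline as Str/Bytes values, and `source_password_file?` / `source_private_key_file?` are added right beside them; the doc strings for these options in vault.py should state that the file variants are the way to supply the credential without placing it on the command line, in the same way the existing `password_file?` option does for the target vault.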
@@ -5474,7 +5482,7 @@ output: Output('completed', , None)
 output: Output('failed', , None)
 output: Entry('result', , Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 command: vault_archive
-args: 1,11,3
+args: 1,19,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Bytes('data?')
@@ -5485,6 +5493,14 @@ option: Str('password_file?', cli_name='password_file')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Str('service?')
 option: Flag('shared?', autofill=True, default=False)
+option: Str('source_password?')
+option: Str('source_password_file?')
+option: Bytes('source_private_key?')
+option: Str('source_private_key_file?')
+option: Str('source_service?')
+option: Flag('source_shared?', autofill=True, default=False)
+option: Str('source_user?')
+option: Str('source_vault?')
 option: Str('username?', cli_name='user')
 option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
diff --git a/VERSION b/VERSION
index 
d3073e52ee022cc08b74953222a5040929ded60f..e3cfaa91f03fc6f4d9f5084809a8f74af333c8ef
 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=154
-# Last change: pvoborni - change default vault type to 'symmetric'
+IPA_API_VERSION_MINOR=155
+# Last change: edewata - Added mechanism to copy vault secrets.
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 
ff6c22c646e9784b2fa1a6464f0749cb1ce86b50..a625746ab067d915e71504e971eefb0d0222ff77
 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -255,6 +255,78 @@ vault_options = (
 ),
 )
 
+source_vault_options = (
+Str(
+'source_vault?',
+doc=_('Name of the source service vault'),
+),
+Str(
+'source_service?',
+doc=_('Service name of the source service vault'),
+),
+Flag(
+'source_shared?',
+doc=_('Source shared vault'),
+),
+
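Review bot: the doc string for `source_vault?` reads 'Name of the source service vault', but the same tuple also carries `source_shared?` ('Source shared vault') and the `source_user?` option listed in the API.txt hunk above, so the name applies to service, user and shared source vaults alike; suggest `doc=_('Name of the source vault')`, and likewise drop 'service' from the `source_service?` wording unless it really is limited to service vaults.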

Re: [Freeipa-devel] [PATCH] 375 Added mechanism to copy vault secrets.

2015-08-20 Thread Endi Sukma Dewata

On 8/19/2015 4:20 AM, Martin Basti wrote:

On 08/16/2015 05:29 PM, Endi Sukma Dewata wrote:

The vault-add and vault-archive commands have been modified to
optionally retrieve a secret from a source vault, then re-archive
the secret into the new/existing target vault.

https://fedorahosted.org/freeipa/ticket/5223




I cannot apply this patch.


Rebased. It depends on patch #371-2.

--
Endi S. Dewata
From 20ee7fa94d28239b7b0512db53c6b899baf8a62f Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sat, 15 Aug 2015 16:17:47 +0200
Subject: [PATCH] Added mechanism to copy vault secrets.

The vault-add and vault-archive commands have been modified to
optionally retrieve a secret from a source vault, then re-archive
the secret into the new/existing target vault.

https://fedorahosted.org/freeipa/ticket/5223
---
 API.txt   |  20 +++-
 VERSION   |   4 +-
 ipalib/plugins/vault.py   | 193 --
 ipatests/test_xmlrpc/test_vault_plugin.py | 143 ++
 4 files changed, 292 insertions(+), 68 deletions(-)

diff --git a/API.txt b/API.txt
index 
749aa41d5cab60e4f2acf7486135ad066db7a8a6..3007bf31934d0b71dd104774ddbd1638cd12e8a3
 100644
--- a/API.txt
+++ b/API.txt
@@ -5397,7 +5397,7 @@ output: Output('result', , None)
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
 command: vault_add
-args: 1,14,3
+args: 1,22,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
@@ -5411,6 +5411,14 @@ option: Flag('raw', autofill=True, cli_name='raw', 
default=False, exclude='webui
 option: Str('service?')
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Flag('shared?', autofill=True, default=False)
+option: Str('source_password?')
+option: Str('source_password_file?')
+option: Bytes('source_private_key?')
+option: Str('source_private_key_file?')
+option: Str('source_service?')
+option: Flag('source_shared?', autofill=True, default=False)
+option: Str('source_user?')
+option: Str('source_vault?')
 option: Str('username?', cli_name='user')
 option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
@@ -5466,7 +5474,7 @@ output: Output('completed', , None)
 output: Output('failed', , None)
 output: Entry('result', , Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 command: vault_archive
-args: 1,11,3
+args: 1,19,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Bytes('data?')
@@ -5477,6 +5485,14 @@ option: Str('password_file?', cli_name='password_file')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Str('service?')
 option: Flag('shared?', autofill=True, default=False)
+option: Str('source_password?')
+option: Str('source_password_file?')
+option: Bytes('source_private_key?')
+option: Str('source_private_key_file?')
+option: Str('source_service?')
+option: Flag('source_shared?', autofill=True, default=False)
+option: Str('source_user?')
+option: Str('source_vault?')
 option: Str('username?', cli_name='user')
 option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
diff --git a/VERSION b/VERSION
index 
941b5356378582d4d620896acdf5c284a4f66b8d..19302efe7a36441b1ffef0d8db609f7be9a26c83
 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=152
-# Last change: edewata - Added support for changing vault encryption.
+IPA_API_VERSION_MINOR=153
+# Last change: edewata - Added mechanism to copy vault secrets.
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 
54dbf94b7de53a218df38550daa5e21450d2b9bd..47610fee56069a85296445d4eda3c640f835ebcf
 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -254,6 +254,74 @@ vault_options = (
 ),
 )
 
+source_vault_options = (
+Str(
+'source_vault?',
+doc=_('Name of the source service vault'),
+),
+Str(
+'source_service?',
+doc=_('Service name of the source service vault'),
+),
+Flag(
+'source_shared?',
+doc=_('Source shared vault'),
+),
+Str(
+'source_user?',
+doc=_('Username of the source user vault'),

Re: [Freeipa-devel] [PATCH] 375 Added mechanism to copy vault secrets.

2015-08-19 Thread Martin Basti



On 08/16/2015 05:29 PM, Endi Sukma Dewata wrote:

The vault-add and vault-archive commands have been modified to
optionally retrieve a secret from a source vault, then re-archive
the secret into the new/existing target vault.

https://fedorahosted.org/freeipa/ticket/5223




I cannot apply this patch.

[Freeipa-devel] [PATCH] 375 Added mechanism to copy vault secrets.

2015-08-16 Thread Endi Sukma Dewata

The vault-add and vault-archive commands have been modified to
optionally retrieve a secret from a source vault, then re-archive
the secret into the new/existing target vault.

https://fedorahosted.org/freeipa/ticket/5223

--
Endi S. Dewata
From 604c206e861b35fc1ae30c7cd68a03e52fd83845 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sat, 15 Aug 2015 16:17:47 +0200
Subject: [PATCH] Added mechanism to copy vault secrets.

The vault-add and vault-archive commands have been modified to
optionally retrieve a secret from a source vault, then re-archive
the secret into the new/existing target vault.

https://fedorahosted.org/freeipa/ticket/5223
---
 API.txt   |  20 ++-
 ipalib/plugins/vault.py   | 195 --
 ipatests/test_xmlrpc/test_vault_plugin.py | 152 ++-
 3 files changed, 297 insertions(+), 70 deletions(-)

diff --git a/API.txt b/API.txt
index 
26f05cf9e1e27ec4f714bb34174e17972961bda2..d86a40742728ddb9cf8db9358166f49f70a8bc00
 100644
--- a/API.txt
+++ b/API.txt
@@ -5397,7 +5397,7 @@ output: Output('result', , None)
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
 command: vault_add
-args: 1,14,3
+args: 1,22,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
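Review bot: this revision changes the public API (vault_add moves from `args: 1,14,3` to `args: 1,22,3`, and vault_archive is changed the same way further down), yet the diffstat lists only API.txt, vault.py and the test module, so IPA_API_VERSION_MINOR in VERSION is not bumped; an API.txt change needs the matching VERSION bump and "Last change" line in the same patch.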
@@ -5411,6 +5411,14 @@ option: Flag('raw', autofill=True, cli_name='raw', 
default=False, exclude='webui
 option: Str('service?')
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Flag('shared?', autofill=True, default=False)
+option: Str('source_password?')
+option: Str('source_password_file?')
+option: Bytes('source_private_key?')
+option: Str('source_private_key_file?')
+option: Str('source_service?')
+option: Flag('source_shared?', autofill=True, default=False)
+option: Str('source_user?')
+option: Str('source_vault?')
 option: Str('username?', cli_name='user')
 option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
@@ -5466,7 +5474,7 @@ output: Output('completed', , None)
 output: Output('failed', , None)
 output: Entry('result', , Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 command: vault_archive
-args: 1,11,3
+args: 1,19,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Bytes('data?')
@@ -5477,6 +5485,14 @@ option: Str('password_file?', cli_name='password_file')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Str('service?')
 option: Flag('shared?', autofill=True, default=False)
+option: Str('source_password?')
+option: Str('source_password_file?')
+option: Bytes('source_private_key?')
+option: Str('source_private_key_file?')
+option: Str('source_service?')
+option: Flag('source_shared?', autofill=True, default=False)
+option: Str('source_user?')
+option: Str('source_vault?')
 option: Str('username?', cli_name='user')
 option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 
c9eb4378b5c40d4182a70b72ae785740492ac9cb..278ca5e9113396f3de6217ef0e4eaa9da7ddce9a
 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -252,6 +252,74 @@ vault_options = (
 ),
 )
 
+source_vault_options = (
+Str(
+'source_vault?',
+doc=_('Name of the source service vault'),
+),
+Str(
+'source_service?',
+doc=_('Service name of the source service vault'),
+),
+Flag(
+'source_shared?',
+doc=_('Source shared vault'),
+),
+Str(
+'source_user?',
+doc=_('Username of the source user vault'),
+),
+Str(
+'source_password?',
+doc=_('Source vault password'),
+),
+Str(  # TODO: use File parameter
+'source_password_file?',
+doc=_('File containing the source vault password'),
+),
+Bytes(
+'source_private_key?',
+doc=_('Source vault private key'),
+),
+Str(  # TODO: use File parameter
+'source_private_key_file?',
+doc=_('File containing the source vault private key'),
+),
+)
+
+vault_add_options = (
+Str(
+'description?',
+cli_name='desc',
+doc=_('Vault description'),
+),
+Str(
+'ipavaulttype?',
+cli_name='type',
+doc=_('Vault type'),
+),
+Str(
+'password?',
+
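Review bot: `source_password_file?` and `source_private_key_file?` are declared as `Str` with a `# TODO: use File parameter` comment on each, which leaves a known gap in submitted code: a `Str` only carries a path that the plugin then has to open itself, whereas the `File` parameter named in the TODO has the client read the file contents before the call, as the existing `password_file?` handling would expect. Either switch these two options to `File` in this patch or reference the follow-up ticket instead of leaving a bare TODO.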