Re: [Freeipa-devel] [PATCH 190] expose `--secret` option in radiusproxy-* commands

2016-09-07 Thread Jan Cholasta

On 7.9.2016 16:13, Martin Babinsky wrote:

On 09/07/2016 03:55 PM, Jan Cholasta wrote:

On 21.7.2016 10:50, Jan Cholasta wrote:

On 21.7.2016 10:13, Martin Babinsky wrote:

On 07/20/2016 12:10 PM, Martin Babinsky wrote:

On 07/19/2016 12:32 PM, Jan Cholasta wrote:

Hi,

On 18.7.2016 13:51, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/6078


I don't think we want the secret searchable. Add a 'no_search' flag to
the param to fix that.

Honza



'no_search' flag breaks the API backwards compatibility, so I am sending
another two patches which fix handling of deprecated options in the
framework and deprecate `--secret` in radiusproxy-find command.

I hope this solution is the best.




After discussion with Jan we realized that it is enough to hide the
'--secret' option from CLI, not deprecate it.

Re-sending patch 190 and updated 193.1.


Thanks, ACK.

Pushed to master: 66da08445370f7024a6a529a6659714c33b7525e


Patch 192 will be sent in
separate thread since the actual issue it fixes is orthogonal to this
one and requires a separate ticket.


Right. ATM this only affects --srchostcat in hbacrule-find.


Bump so that patch 192 is not forgotten.



Patch 192 was pushed as a fix to
https://fedorahosted.org/freeipa/ticket/6190.


Okay.

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 190] expose `--secret` option in radiusproxy-* commands

2016-09-07 Thread Martin Babinsky

On 09/07/2016 03:55 PM, Jan Cholasta wrote:

On 21.7.2016 10:50, Jan Cholasta wrote:

On 21.7.2016 10:13, Martin Babinsky wrote:

On 07/20/2016 12:10 PM, Martin Babinsky wrote:

On 07/19/2016 12:32 PM, Jan Cholasta wrote:

Hi,

On 18.7.2016 13:51, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/6078


I don't think we want the secret searchable. Add a 'no_search' flag to
the param to fix that.

Honza



'no_search' flag breaks the API backwards compatibility, so I am sending
another two patches which fix handling of deprecated options in the
framework and deprecate `--secret` in radiusproxy-find command.

I hope this solution is the best.




After discussion with Jan we realized that it is enough to hide the
'--secret' option from CLI, not deprecate it.

Re-sending patch 190 and updated 193.1.


Thanks, ACK.

Pushed to master: 66da08445370f7024a6a529a6659714c33b7525e


Patch 192 will be sent in
separate thread since the actual issue it fixes is orthogonal to this
one and requires a separate ticket.


Right. ATM this only affects --srchostcat in hbacrule-find.


Bump so that patch 192 is not forgotten.



Patch 192 was pushed as a fix to 
https://fedorahosted.org/freeipa/ticket/6190.


--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 190] expose `--secret` option in radiusproxy-* commands

2016-09-07 Thread Jan Cholasta

On 21.7.2016 10:50, Jan Cholasta wrote:

On 21.7.2016 10:13, Martin Babinsky wrote:

On 07/20/2016 12:10 PM, Martin Babinsky wrote:

On 07/19/2016 12:32 PM, Jan Cholasta wrote:

Hi,

On 18.7.2016 13:51, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/6078


I don't think we want the secret searchable. Add a 'no_search' flag to
the param to fix that.

Honza



'no_search' flag breaks the API backwards compatibility, so I am sending
another two patches which fix handling of deprecated options in the
framework and deprecate `--secret` in radiusproxy-find command.

I hope this solution is the best.




After discussion with Jan we realized that it is enough to hide the
'--secret' option from CLI, not deprecate it.

Re-sending patch 190 and updated 193.1.


Thanks, ACK.

Pushed to master: 66da08445370f7024a6a529a6659714c33b7525e


Patch 192 will be sent in
separate thread since the actual issue it fixes is orthogonal to this
one and requires a separate ticket.


Right. ATM this only affects --srchostcat in hbacrule-find.


Bump so that patch 192 is not forgotten.

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 190] expose `--secret` option in radiusproxy-* commands

2016-07-21 Thread Jan Cholasta

On 21.7.2016 10:13, Martin Babinsky wrote:

On 07/20/2016 12:10 PM, Martin Babinsky wrote:

On 07/19/2016 12:32 PM, Jan Cholasta wrote:

Hi,

On 18.7.2016 13:51, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/6078


I don't think we want the secret searchable. Add a 'no_search' flag to
the param to fix that.

Honza



'no_search' flag breaks the API backwards compatibility, so I am sending
another two patches which fix handling of deprecated options in the
framework and deprecate `--secret` in radiusproxy-find command.

I hope this solution is the best.




After discussion with Jan we realized that it is enough to hide the
'--secret' option from CLI, not deprecate it.

Re-sending patch 190 and updated 193.1.


Thanks, ACK.

Pushed to master: 66da08445370f7024a6a529a6659714c33b7525e


Patch 192 will be sent in
separate thread since the actual issue it fixes is orthogonal to this
one and requires a separate ticket.


Right. ATM this only affects --srchostcat in hbacrule-find.

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 190] expose `--secret` option in radiusproxy-* commands

2016-07-21 Thread Martin Babinsky

On 07/20/2016 12:10 PM, Martin Babinsky wrote:

On 07/19/2016 12:32 PM, Jan Cholasta wrote:

Hi,

On 18.7.2016 13:51, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/6078


I don't think we want the secret searchable. Add a 'no_search' flag to
the param to fix that.

Honza



'no_search' flag breaks the API backwards compatibility, so I am sending
another two patches which fix handling of deprecated options in the
framework and deprecate `--secret` in radiusproxy-find command.

I hope this solution is the best.



After discussion with Jan we realized that it is enough to hide the 
'--secret' option from CLI, not deprecate it.


Re-sending patch 190 and updated 193.1. Patch 192 will be sent in
separate thread since the actual issue it fixes is orthogonal to this 
one and requires a separate ticket.


--
Martin^3 Babinsky
From 645b7ece72e902c9b108d41a5e71d7e88a48720f Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 18 Jul 2016 10:45:48 +0200
Subject: [PATCH] expose `--secret` option in radiusproxy-* commands

Option `--secret` was hidden from radiusproxy CLI preventing setting a secret
on existing server or searching by secret. Since thin client implementation it
was also not recognized by the interactive prompt code in CLI frontend since
it never got there.

https://fedorahosted.org/freeipa/ticket/6078
---
 ipaserver/plugins/radiusproxy.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipaserver/plugins/radiusproxy.py b/ipaserver/plugins/radiusproxy.py
index 44d87b9ae1337278bb6237d471f64693b0eac3db..5657e002c1ce66335b7697b98f95a49207c61d87 100644
--- a/ipaserver/plugins/radiusproxy.py
+++ b/ipaserver/plugins/radiusproxy.py
@@ -126,7 +126,6 @@ class radiusproxy(LDAPObject):
 label=_('Secret'),
 doc=_('The secret used to encrypt data'),
 confirm=True,
-flags=['no_option'],
 ),
 Int('ipatokenradiustimeout?',
 cli_name='timeout',
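
Review bot: the commit message still lists "searching by secret" as something this change enables, and removing `flags=['no_option']` from the shared param in `class radiusproxy(LDAPObject)` lifts the hiding for the radiusproxy-* commands as a group, find included. Since the second patch in this mail hides the option again in radiusproxy-find, drop that phrase from the message and consider folding the two commits, or ordering the find override first, so that no intermediate revision offers the secret as a search filter.
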
-- 
2.7.4

From 5542508919a0615b4088329ba80eb92002d45f0f Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 21 Jul 2016 09:42:01 +0200
Subject: [PATCH] prevent search for RADIUS proxy servers by secret

radiusproxy-find should not allow search by proxy secret even for privileged
users so we should hide it from CLI.

https://fedorahosted.org/freeipa/ticket/6078
---
 ipaserver/plugins/radiusproxy.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipaserver/plugins/radiusproxy.py b/ipaserver/plugins/radiusproxy.py
index 5657e002c1ce66335b7697b98f95a49207c61d87..3391b8aed77205fb1a586d5472d8cfdbc9fd1cd5 100644
--- a/ipaserver/plugins/radiusproxy.py
+++ b/ipaserver/plugins/radiusproxy.py
@@ -169,6 +169,14 @@ class radiusproxy_find(LDAPSearch):
 '%(count)d RADIUS proxy server matched', '%(count)d RADIUS proxy servers matched', 0
 )
 
+def get_options(self):
+for option in super(radiusproxy_find, self).get_options():
+if option.name == 'ipatokenradiussecret':
+option = option.clone(flags={'no_option'})
+
+yield option
+
+
 @register()
 class radiusproxy_show(LDAPRetrieve):
 __doc__ = _('Display information about a RADIUS proxy server.')
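
Review bot: the subject says "prevent search", but in `get_options` the `ipatokenradiussecret` option is still yielded after `option = option.clone(flags={'no_option'})`, so it stays among the command's options and is only flagged. The commit body ("hide it from CLI") matches the code; the subject does not. Reword the subject, and say in the message whether a caller that does not go through the CLI can still pass the filter. Separately, `flags={'no_option'}` replaces whatever flags the param already carries; taking the union with the option's existing flags would keep any that are later added to the base param.
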
-- 
2.7.4


Re: [Freeipa-devel] [PATCH 190] expose `--secret` option in radiusproxy-* commands

2016-07-20 Thread Martin Babinsky

On 07/19/2016 12:32 PM, Jan Cholasta wrote:

Hi,

On 18.7.2016 13:51, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/6078


I don't think we want the secret searchable. Add a 'no_search' flag to
the param to fix that.

Honza



'no_search' flag breaks the API backwards compatibility, so I am sending 
another two patches which fix handling of deprecated options in the 
framework and deprecate `--secret` in radiusproxy-find command.


I hope this solution is the best.

--
Martin^3 Babinsky
From 645b7ece72e902c9b108d41a5e71d7e88a48720f Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 18 Jul 2016 10:45:48 +0200
Subject: [PATCH] expose `--secret` option in radiusproxy-* commands

Option `--secret` was hidden from radiusproxy CLI preventing setting a secret
on existing server or searching by secret. Since thin client implementation it
was also not recognized by the interactive prompt code in CLI frontend since
it never got there.

https://fedorahosted.org/freeipa/ticket/6078
---
 ipaserver/plugins/radiusproxy.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipaserver/plugins/radiusproxy.py b/ipaserver/plugins/radiusproxy.py
index 44d87b9ae1337278bb6237d471f64693b0eac3db..5657e002c1ce66335b7697b98f95a49207c61d87 100644
--- a/ipaserver/plugins/radiusproxy.py
+++ b/ipaserver/plugins/radiusproxy.py
@@ -126,7 +126,6 @@ class radiusproxy(LDAPObject):
 label=_('Secret'),
 doc=_('The secret used to encrypt data'),
 confirm=True,
-flags=['no_option'],
 ),
 Int('ipatokenradiustimeout?',
 cli_name='timeout',
-- 
2.7.4

From 4e3c8077f1d8bc8c4467ccbcd4d6c9d0f4631c46 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 19 Jul 2016 17:05:32 +0200
Subject: [PATCH] raise ValidationError when deprecated param is passed to
 command

https://fedorahosted.org/freeipa/ticket/6078
---
 ipalib/parameters.py | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 1581b7dcac5259e5c4a127e2a38e13335002b204..5c3d7705a004f77614a754e1ecdcf4f6ca386eaf 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -852,6 +852,9 @@ class Param(ReadOnly):
 if self.required or (supplied and 'nonempty' in self.flags):
 raise RequirementError(name=self.name)
 return
+if self.deprecated:
+raise ValidationError(name=self.get_param_name(),
+  error=_('this option is deprecated'))
 if self.multivalue:
 if type(value) is not tuple:
 raise TypeError(
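
Review bot: the commit message is only a ticket link, while the new `if self.deprecated:` branch changes validation for every deprecated param handled by `Param`, not just the RADIUS secret. State in the message what the rule-based check removed in the next hunk failed to catch, and add a test that supplies a value to a deprecated param and expects `ValidationError`; the diffstat touches only ipalib/parameters.py.
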
@@ -874,10 +877,6 @@ class Param(ReadOnly):
 if error is not None:
 raise ValidationError(name=self.get_param_name(), error=error)
 
-def _rule_deprecated(self, _, value):
-if self.deprecated:
-return _('this option is deprecated')
-
 def get_default(self, **kw):
 """
 Return the static default or construct and return a dynamic default.
-- 
2.7.4

From 631281ec6e50090cf819eda1f131c8e0b0011d7f Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 19 Jul 2016 13:04:05 +0200
Subject: [PATCH] prevent search for RADIUS proxy servers by secret

radiusproxy-find should not allow search by proxy secret even for privileged
users. Deprecate this option so that it is not shown in command's help and is
not allowed to be specified as parameter.

https://fedorahosted.org/freeipa/ticket/6078
---
 API.txt  | 2 +-
 VERSION  | 4 ++--
 ipaserver/plugins/radiusproxy.py | 8 
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/API.txt b/API.txt
index cbe23f4bde3a29cf3f28a9e361f83e176ede08e0..e5a5cc2ae07d2c44df31934dda857d63f6b90f1e 100644
--- a/API.txt
+++ b/API.txt
@@ -3818,7 +3818,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('cn?', autofill=False, cli_name='name')
 option: Str('description?', autofill=False, cli_name='desc')
 option: Int('ipatokenradiusretries?', autofill=False, cli_name='retries')
-option: Password('ipatokenradiussecret?', autofill=False, cli_name='secret', confirm=True)
+option: Password('ipatokenradiussecret?', autofill=False, cli_name='secret', confirm=True, deprecated=True)
 option: Str('ipatokenradiusserver*', autofill=False, cli_name='server')
 option: Int('ipatokenradiustimeout?', autofill=False, cli_name='timeout')
 option: Str('ipatokenusermapattribute?', autofill=False, cli_name='userattr')
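
Review bot: `deprecated=True` on `Password('ipatokenradiussecret?', ...)` alters the published signature of an existing option, and with the parameters.py patch from this series a request that supplies it would fail with "this option is deprecated". That is a compatibility change for existing callers of the same kind the thread raised against 'no_search', so the commit message should spell out the effect on clients that already send this option and why a VERSION minor bump is sufficient for it.
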
diff --git a/VERSION b/VERSION
index ca489965050f32d2d8987dfd251ec2b2a0ba1768..401b7d92839496f1b7bf97bf61475d53fd8e77df 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=211
-# Last change: mbabinsk: allow 'value' output param in c

Re: [Freeipa-devel] [PATCH 190] expose `--secret` option in radiusproxy-* commands

2016-07-19 Thread Jan Cholasta

Hi,

On 18.7.2016 13:51, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/6078


I don't think we want the secret searchable. Add a 'no_search' flag to 
the param to fix that.


Honza

--
Jan Cholasta
