From freeipa-github-notification at redhat.com Thu Sep 1 07:47:24 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Thu, 01 Sep 2016 09:47:24 +0200
Subject: [Freeipa-devel] [freeipa PR#42] Tests: Avoid skipping tests due to missing files (synchronize)

mirielka's pull request #42: "Tests: Avoid skipping tests due to missing files" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/42

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/42/head:pr42
git checkout pr42
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-42.patch
Type: text/x-diff
Size: 7744 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Sep 1 08:00:13 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Thu, 01 Sep 2016 10:00:13 +0200
Subject: [Freeipa-devel] [freeipa PR#44] rpcserver: fix crash in XML-RPC system commands (opened)

jcholast's pull request #44: "rpcserver: fix crash in XML-RPC system commands" was opened

PR body:
"""
Fix an AttributeError in XML-RPC methodSignature and methodHelp commands caused by incorrect mangled name usage.

https://fedorahosted.org/freeipa/ticket/6217
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/44

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/44/head:pr44
git checkout pr44
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-44.patch
Type: text/x-diff
Size: 2120 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Sep 1 08:31:10 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Thu, 01 Sep 2016 10:31:10 +0200
Subject: [Freeipa-devel] [freeipa PR#45] custodia: force reconnect before retrieving CA certs from LDAP (opened)

jcholast's pull request #45: "custodia: force reconnect before retrieving CA certs from LDAP" was opened

PR body:
"""
Force reconnect to LDAP as DS might have been restarted after the connection was opened, rendering the connection invalid.

This fixes a crash in ipa-replica-install with --setup-ca.

https://fedorahosted.org/freeipa/ticket/6207
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/45

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/45/head:pr45
git checkout pr45
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-45.patch
Type: text/x-diff
Size: 1184 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Sep 1 10:32:33 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Thu, 01 Sep 2016 12:32:33 +0200
Subject: [Freeipa-devel] [freeipa PR#44] rpcserver: fix crash in XML-RPC system commands (+ack)

jcholast's pull request #44: "rpcserver: fix crash in XML-RPC system commands" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/44

From freeipa-github-notification at redhat.com Thu Sep 1 10:59:51 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 01 Sep 2016 12:59:51 +0200
Subject: [Freeipa-devel] [freeipa PR#45] custodia: force reconnect before retrieving CA certs from LDAP (+ack)

jcholast's pull request #45: "custodia: force reconnect before retrieving CA certs from LDAP" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/45

From freeipa-github-notification at redhat.com Thu Sep 1 11:04:57 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 01 Sep 2016 13:04:57 +0200
Subject: [Freeipa-devel] [freeipa PR#42] Tests: Avoid skipping tests due to missing files (+ack)

mirielka's pull request #42: "Tests: Avoid skipping tests due to missing files" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/42

From freeipa-github-notification at redhat.com Thu Sep 1 11:09:57 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 01 Sep 2016 13:09:57 +0200
Subject: [Freeipa-devel] [freeipa PR#23] Time-Based HBAC Policies (synchronize)

stlaz's pull request #23: "Time-Based HBAC Policies" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/23

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/23/head:pr23
git checkout pr23
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-23.patch
Type: text/x-diff
Size: 47583 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Sep 1 11:11:38 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 01 Sep 2016 13:11:38 +0200
Subject: [Freeipa-devel] [freeipa PR#45] custodia: force reconnect before retrieving CA certs from LDAP (+pushed)

jcholast's pull request #45: "custodia: force reconnect before retrieving CA certs from LDAP" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/45

From freeipa-github-notification at redhat.com Thu Sep 1 11:11:40 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 01 Sep 2016 13:11:40 +0200
Subject: [Freeipa-devel] [freeipa PR#45] custodia: force reconnect before retrieving CA certs from LDAP (comment)

mbasti-rh commented on a pull request
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/17ea4ae6b9007e121ae1ea7748643394fec84ad7
"""

See the full comment at https://github.com/freeipa/freeipa/pull/45#issuecomment-244048121

From freeipa-github-notification at redhat.com Thu Sep 1 11:11:42 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 01 Sep 2016 13:11:42 +0200
Subject: [Freeipa-devel] [freeipa PR#45] custodia: force reconnect before retrieving CA certs from LDAP (closed)

jcholast's pull request #45: "custodia: force reconnect before retrieving CA certs from LDAP" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/45

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/45/head:pr45
git checkout pr45

From freeipa-github-notification at redhat.com Thu Sep 1 11:21:15 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Thu, 01 Sep 2016 13:21:15 +0200
Subject: [Freeipa-devel] [freeipa PR#44] rpcserver: fix crash in XML-RPC system commands (closed)

jcholast's pull request #44: "rpcserver: fix crash in XML-RPC system commands" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/44

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/44/head:pr44
git checkout pr44

From freeipa-github-notification at redhat.com Thu Sep 1 11:21:16 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Thu, 01 Sep 2016 13:21:16 +0200
Subject: [Freeipa-devel] [freeipa PR#44] rpcserver: fix crash in XML-RPC system commands (+pushed)

jcholast's pull request #44: "rpcserver: fix crash in XML-RPC system commands" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/44

From freeipa-github-notification at redhat.com Thu Sep 1 11:21:18 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Thu, 01 Sep 2016 13:21:18 +0200
Subject: [Freeipa-devel] [freeipa PR#44] rpcserver: fix crash in XML-RPC system commands (comment)

dkupka commented on a pull request
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/afcb3bd3c32aa33dcd68cd0a2ca85bda677000a8
"""

See the full comment at https://github.com/freeipa/freeipa/pull/44#issuecomment-244049974

From freeipa-github-notification at redhat.com Thu Sep 1 11:21:20 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 01 Sep 2016 13:21:20 +0200
Subject: [Freeipa-devel] [freeipa PR#23] Time-Based HBAC Policies (comment)

stlaz commented on a pull request
"""
I pushed the latest changes of the time rules to this pull request. These changes were made according to the discussion on freeipa-devel mailing list, the main change is cutting off some attributes from the ipaHBACRuleV2 objectclass.

Please note that python-icalendar rebase request for Fedora-rawhide still needs to be created as I am waiting for the python-icalendar upstream to ACK my pull request https://github.com/collective/icalendar/pull/196.

Also, all the previous issues from this thread should now be fixed. A new privilege was created and added to the IT Security Specialist role.

API tests are still TODO.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/23#issuecomment-244049988

From slaznick at redhat.com Thu Sep 1 11:26:07 2016
From: slaznick at redhat.com (Standa Laznicka)
Date: Thu, 1 Sep 2016 13:26:07 +0200
Subject: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies
In-Reply-To: <5b5e276d-8d3d-53cb-a4a4-fa285f0662d9@redhat.com>
References: <5f64db5a-8903-48a5-7d5e-ff6251667738@redhat.com> <7f48c6dd-d5b0-2587-dbe9-914fa470916d@redhat.com> <20160826102021.h64hfjrvky4bitrw@redhat.com> <188ea28b-ddff-2d8b-c515-c5bdbda8f56d@redhat.com> <1472222393.20746.86.camel@redhat.com> <20160826150943.5zmmub2ntc4vqqij@redhat.com> <1472225168.20746.95.camel@redhat.com> <1472225854.20746.104.camel@redhat.com> <1a254cbc-120f-1645-6a4e-20ef5563719f@redhat.com> <1472564054.5257.50.camel@redhat.com> <5b5e276d-8d3d-53cb-a4a4-fa285f0662d9@redhat.com>
Message-ID: <457f0c25-b5ee-b827-1856-25345664670c@redhat.com>

On 08/31/2016 12:57 PM, Petr Spacek wrote:
> On 31.8.2016 12:42, Standa Laznicka wrote:
>> On 08/30/2016 03:34 PM, Simo Sorce wrote:
>>> On Tue, 2016-08-30 at 08:47 +0200, Standa Laznicka wrote:
>>>> On 08/26/2016 05:37 PM, Simo Sorce wrote:
>>>>> On Fri, 2016-08-26 at 11:26 -0400, Simo Sorce wrote:
>>>>>> On Fri, 2016-08-26 at 18:09 +0300, Alexander Bokovoy wrote:
>>>>>>> On Fri, 26 Aug 2016, Simo Sorce wrote:
>>>>>>>> On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote:
>>>>>>>>>> I miss "why" part of "To be able to handle backward compatibility with ease, a new object called ipaHBACRulev2 is introduced." in the design page. If the reason is the above - old clients should ignore time rules then it has to be mentioned there. Otherwise I don't see a reason to introduce a new object type instead of extending the current.
>>>>>>>>> How do you want to enforce HBAC rule that have set time from 10 to 14 every day? With the same objectclass old clients will allow this HBAC for all day. Isn't this CVE?
>>>>>>>> This is a discussion worth having.
>>>>>>>>
>>>>>>>> In general it is a CVE only if an authorization mechanism fails to work as advertised.
>>>>>>>>
>>>>>>>> If you make it clear that old clients *DO NOT* respect time rules then there is no CVE material, it is working as "described".
>>>>>>>>
>>>>>>>> The admins already have a way to not set those rules for older clients by simply grouping newer clients in a different host group and applying time rules only there.
>>>>>>>>
>>>>>>>> So the question really is: should we allow admins to apply an HBAC Rule potentially to older clients that do not understand it and will therefore allow access at any time of the day, or should we prevent it?
>>>>>>>>
>>>>>>>> This is a hard question to answer and can go both ways.
>>>>>>>>
>>>>>>>> A time rule may be something that admins want to enforce at all cost or deny access. In this case a client that fails to handle it would be a problem.
>>>>>>>>
>>>>>>>> But it may be something that is just used for defense in depth and not a strictly hard requirement. In this case allowing older clients would make it an easy transition as you just set up the rule and the client will start enforcing the time when it is upgraded but work otherwise with the same rules.
>>>>>>>>
>>>>>>>> I am a bit conflicted on trying to decide what scenario we should target, but the second one appeals to me because host groups do already give admins a good way to apply rules to a specific set of hosts and exclude old clients w/o us making it a hard rule.
>>>>>>>> OTOH if an admin does not understand this difference, they may be surprised to find out there are clients that do not honor it.
>>>>>>>>
>>>>>>>> Perhaps we could find a way to set a flag on the rule such that when set (and only when set) older clients get excluded by way of changing the objectclass or something else to similar effect.
>>>>>>>>
>>>>>>>> Open to discussion.
>>>>>>> At this point using new object class becomes an attractive approach. We don't have means to exclude HBAC rules other than applying them per-host/hostgroup. We also have no deny rules.
>>>>>>>
>>>>>>> I have another idea: what about enforcing time rules always to apply per-host or per-hostgroup by default? Add --force option to override the behavior but default to not allow --hostcat=all. This would raise awareness and make sure admins are actually applying these rules with intention.
>>>>>> This sounds like a good idea, but it is not a silver bullet I am afraid.
>>>>>>
>>>>>> Simo.
>>>>> I was thinking that for future proofing we could add a version field, then reasoned more and realized that changing the object class is basically the same thing.
>>>>>
>>>>> There is only one big problem, ipaHBACRule is a STRUCTURAL objectclass. (I know 389ds allows us to do an LDAPv3 illegal operation and change it, but I do not like to depend on that behavior).
>>>>>
>>>>> Now looking into this I had an idea to solve the problem of legacy clients without having to swap classes.
>>>>> We can redefine the accessRuleType attribute to be a "capability" type.
>>>>>
>>>>> Ie rules that have a timeAccess component will be of type "allow_with_time" instead of just "allow".
>>>>> Old clients are supposed to search with accessRuleType=allow (and I can see that SSSD does that), so an older client will fail to get those rules as they won't match.
>>>>>
>>>>> New clients instead can recognize both types.
>>>>>
>>>>> Also if we need a future extension we will simply add a new access rule type and we can have the same effect.
>>>>> The nice thing is that accessRuleType is defined as multivalue (no SINGLE in schema) so we may actually create compatible rules if we want to.
>>>>> Ie we could set both "allow" and "allow_with_time" on an object for cases where the admin wants to enforce the time part only on newer client but otherwise apply the rule to any client.
>>>>>
>>>>> This should give us the best of all options at once.
>>>>>
>>>>> Thoughts?
>>>>>
>>>>> Simo.
>>>>>
>>>> Sorry to join the discussion so late, I was away yesterday.
>>>>
>>>> I have to say I too like this idea much better than fiddling with the objectClasses. Also, I believe that accessRuleType was originally actually used to distinguish newer version of HBAC rules from the older so we may just do this again and profit from its original purpose. To top it off, this change should be really easy to implement to what I currently have on SSSD side.
>>>>
>>>> I was just wondering - would you propose for every newly created rule to have the new accessRuleType set to "allow_with_time" or should the type change with addition of time rules to the HBAC rule as it does currently? Also, should the user be able to modify the type so that a rule with the new type is also visible for older clients (=> he could add "allow" to type anytime)?
>>> Rules of type allow_with_time will not work on older clients, so we should probably default to just the old "allow" schema.
>>>
>>> I think in the first implementation the framework/cli/ui should not emphasize this attribute but simply replace allow -> allow_with_time if a time attribute is added.
>>>
>>> In future we may give control of it and allow even to set multiple values, after we discuss better if that should be done, and with ample warnings to admins.
>>>
>>> Also setting a time rule makes a rule incompatible with older clients so we should spell it clearly in the CLI/UI with a warning message that this rule will not apply at all to older clients.
>>>
>>>> Thanks for your ideas, I am very happy with what you suggested here :)
>>> Thank you.
>>>
>>> Simo.
>>>
>> So - can we all agree on a solution?
>>
>> I took an extra half an hour and created the accessRuleType solution on top of what I currently have, see patches attached to get the picture what the change would mean for what I currently have in https://github.com/stlaz/freeipa/tree/timerules_2 and https://github.com/stlaz/sssd/tree/freeipa-trac-547_2. Note that the sssd patch is really just to get a picture, it currently causes sssd_be to core dump, not sure why and don't want to waste time debugging it right now.
>>
>> I myself would in the end rather go for objectClasses implementation as new rules are not shown to old clients which seems correct as there's no confusion for admins who might scratch their heads at old clients with no idea why their HBAC rules don't apply otherwise.
> +1, I agree with Standa and Martin Basti. Let me repeat myself:
>
> I like the idea of "capabilities" in general but it needs proper design and detailed specification first.
>
> Given that we have to modify SSSD anyway, I would go for ipaHBACRulev2 object class with clear definition of "capabilities" (without any obsolete cruft).
>
> That should be future proof and without any negative/unforeseen impact to existing clients + it matches what Jan Pazdziora plans to do for HBAC+URI.
>
As there were no further objections, the latest changes with the objectclass implementation that were made according to Honza's suggestions were pushed to appear in the pull request https://github.com/freeipa/freeipa/pull/23.

From freeipa-github-notification at redhat.com Thu Sep 1 11:28:02 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 01 Sep 2016 13:28:02 +0200
Subject: [Freeipa-devel] [freeipa PR#34] dns: prompt for missing record parts in CLI (comment)

mbasti-rh commented on a pull request
"""
Fix works for me partially, it fixes issues reported in ticket. Do you want to open new ticket for this or should it be part of this ticket?

Expected:
```
[root at vm-058-080 ~]# ipa dnsrecord-add test. rec
Please choose a type of DNS resource record to be added
The most common types for this type of zone are: A, AAAA

DNS resource record type: srv
SRV Priority: 5
SRV Weight: 5
SRV Port: 5
SRV Target: host.example.com.
  Record name: rec
  SRV record: 5 5 5 host.example.com.
```

Got:
```
[root at vm-058-017 ~]# ipa dnsrecord-add test. rec
Please choose a type of DNS resource record to be added
The most common types for this type of zone are: A, AAAA

DNS resource record type: srv
ipa: ERROR: No options to add a specific record provided. Command help may be consulted for all supported record types.
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/34#issuecomment-244051256

From freeipa-github-notification at redhat.com Thu Sep 1 11:50:19 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 01 Sep 2016 13:50:19 +0200
Subject: [Freeipa-devel] [freeipa PR#46] Always fetch forest info from root DCs when establishing two-way trust (opened)

martbab's pull request #46: "Always fetch forest info from root DCs when establishing two-way trust" was opened

PR body:
"""
Prior to Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls performed against non-root forest domain DCs were automatically routed to the root domain DCs to resolve trust topology information. This is no longer the case, so the `dcerpc.fetch_domains` function must explicitly contact root domain DCs even in the case when an external two-way trust to non-root domain is requested.

https://fedorahosted.org/freeipa/ticket/6057
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/46

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/46/head:pr46
git checkout pr46
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-46.patch
Type: text/x-diff
Size: 3679 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Sep 1 12:01:13 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 01 Sep 2016 14:01:13 +0200
Subject: [Freeipa-devel] [freeipa PR#42] Tests: Avoid skipping tests due to missing files (+pushed)

mirielka's pull request #42: "Tests: Avoid skipping tests due to missing files" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/42

From freeipa-github-notification at redhat.com Thu Sep 1 12:01:14 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 01 Sep 2016 14:01:14 +0200
Subject: [Freeipa-devel] [freeipa PR#42] Tests: Avoid skipping tests due to missing files (comment)

mbasti-rh commented on a pull request
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/72d7193ce226eed0e84420cd78bd87cceaf935a9
ipa-4-3:
https://fedorahosted.org/freeipa/changeset/d472d26fc06dfe192a5385e620f4c30ca3dcf1be
"""

See the full comment at https://github.com/freeipa/freeipa/pull/42#issuecomment-244057832

From freeipa-github-notification at redhat.com Thu Sep 1 12:01:16 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 01 Sep 2016 14:01:16 +0200
Subject: [Freeipa-devel] [freeipa PR#42] Tests: Avoid skipping tests due to missing files (closed)

mirielka's pull request #42: "Tests: Avoid skipping tests due to missing files" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/42

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/42/head:pr42
git checkout pr42

From slaznick at redhat.com Thu Sep 1 12:09:07 2016
From: slaznick at redhat.com (Standa Laznicka)
Date: Thu, 1 Sep 2016 14:09:07 +0200
Subject: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies
In-Reply-To: <457f0c25-b5ee-b827-1856-25345664670c@redhat.com>
References: <5f64db5a-8903-48a5-7d5e-ff6251667738@redhat.com> <7f48c6dd-d5b0-2587-dbe9-914fa470916d@redhat.com> <20160826102021.h64hfjrvky4bitrw@redhat.com> <188ea28b-ddff-2d8b-c515-c5bdbda8f56d@redhat.com> <1472222393.20746.86.camel@redhat.com> <20160826150943.5zmmub2ntc4vqqij@redhat.com> <1472225168.20746.95.camel@redhat.com> <1472225854.20746.104.camel@redhat.com> <1a254cbc-120f-1645-6a4e-20ef5563719f@redhat.com> <1472564054.5257.50.camel@redhat.com> <5b5e276d-8d3d-53cb-a4a4-fa285f0662d9@redhat.com> <457f0c25-b5ee-b827-1856-25345664670c@redhat.com>
Message-ID: <881ae083-a320-430c-a25a-3f435628ccda@redhat.com>

On 09/01/2016 01:26 PM, Standa Laznicka wrote:
> On 08/31/2016 12:57 PM, Petr Spacek wrote:
>> On 31.8.2016 12:42, Standa Laznicka wrote:
>>> On 08/30/2016 03:34 PM, Simo Sorce wrote:
>>>> On Tue, 2016-08-30 at 08:47 +0200, Standa Laznicka wrote:
>>>>> On 08/26/2016 05:37 PM, Simo Sorce wrote:
>>>>>> On Fri, 2016-08-26 at 11:26 -0400, Simo Sorce wrote:
>>>>>>> On Fri, 2016-08-26 at 18:09 +0300, Alexander Bokovoy wrote:
>>>>>>>> On Fri, 26 Aug 2016, Simo Sorce wrote:
>>>>>>>>> On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote:
>>>>>>>>>>> I miss "why" part of "To be able to handle backward compatibility with ease, a new object called ipaHBACRulev2 is introduced." in the design page. If the reason is the above - old clients should ignore time rules then it has to be mentioned there. Otherwise I don't see a reason to introduce a new object type instead of extending the current.
>>>>>>>>>> How do you want to enforce HBAC rule that have set time from 10 to 14 every day? With the same objectclass old clients will allow this HBAC for all day. Isn't this CVE?
>>>>>>>>> This is a discussion worth having.
>>>>>>>>>
>>>>>>>>> In general it is a CVE only if an authorization mechanism fails to work as advertised.
>>>>>>>>>
>>>>>>>>> If you make it clear that old clients *DO NOT* respect time rules then there is no CVE material, it is working as "described".
>>>>>>>>>
>>>>>>>>> The admins already have a way to not set those rules for older clients by simply grouping newer clients in a different host group and applying time rules only there.
>>>>>>>>>
>>>>>>>>> So the question really is: should we allow admins to apply an HBAC Rule potentially to older clients that do not understand it and will therefore allow access at any time of the day, or should we prevent it?
>>>>>>>>>
>>>>>>>>> This is a hard question to answer and can go both ways.
>>>>>>>>>
>>>>>>>>> A time rule may be something that admins want to enforce at all cost or deny access. In this case a client that fails to handle it would be a problem.
>>>>>>>>>
>>>>>>>>> But it may be something that is just used for defense in depth and not a strictly hard requirement. In this case allowing older clients would make it an easy transition as you just set up the rule and the client will start enforcing the time when it is upgraded but work otherwise with the same rules.
>>>>>>>>>
>>>>>>>>> I am a bit conflicted on trying to decide what scenario we should target, but the second one appeals to me because host groups do already give admins a good way to apply rules to a specific set of hosts and exclude old clients w/o us making it a hard rule.
>>>>>>>>> OTOH if an admin does not understand this difference, they may be surprised to find out there are clients that do not honor it.
>>>>>>>>>
>>>>>>>>> Perhaps we could find a way to set a flag on the rule such that when set (and only when set) older clients get excluded by way of changing the objectclass or something else to similar effect.
>>>>>>>>>
>>>>>>>>> Open to discussion.
>>>>>>>> At this point using new object class becomes an attractive approach. We don't have means to exclude HBAC rules other than applying them per-host/hostgroup. We also have no deny rules.
>>>>>>>>
>>>>>>>> I have another idea: what about enforcing time rules always to apply per-host or per-hostgroup by default? Add --force option to override the behavior but default to not allow --hostcat=all. This would raise awareness and make sure admins are actually applying these rules with intention.
>>>>>>> This sounds like a good idea, but it is not a silver bullet I am afraid.
>>>>>>>
>>>>>>> Simo.
>>>>>> I was thinking that for future proofing we could add a version field, then reasoned more and realized that changing the object class is basically the same thing.
>>>>>>
>>>>>> There is only one big problem, ipaHBACRule is a STRUCTURAL objectclass. (I know 389ds allows us to do an LDAPv3 illegal operation and change it, but I do not like to depend on that behavior).
>>>>>>
>>>>>> Now looking into this I had an idea to solve the problem of legacy clients without having to swap classes.
>>>>>> We can redefine the accessRuleType attribute to be a "capability" type.
>>>>>>
>>>>>> Ie rules that have a timeAccess component will be of type "allow_with_time" instead of just "allow".
>>>>>> Old clients are supposed to search with accessRuleType=allow (and I can see that SSSD does that), so an older client will fail to get those rules as they won't match.
>>>>>>
>>>>>> New clients instead can recognize both types.
>>>>>>
>>>>>> Also if we need a future extension we will simply add a new access rule type and we can have the same effect.
>>>>>> The nice thing is that accessRuleType is defined as multivalue (no SINGLE in schema) so we may actually create compatible rules if we want to.
>>>>>> Ie we could set both "allow" and "allow_with_time" on an object for cases where the admin wants to enforce the time part only on newer client but otherwise apply the rule to any client.
>>>>>>
>>>>>> This should give us the best of all options at once.
>>>>>>
>>>>>> Thoughts?
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>> Sorry to join the discussion so late, I was away yesterday.
>>>>>
>>>>> I have to say I too like this idea much better than fiddling with the objectClasses. Also, I believe that accessRuleType was originally actually used to distinguish newer version of HBAC rules from the older so we may just do this again and profit from its original purpose. To top it off, this change should be really easy to implement to what I currently have on SSSD side.
>>>>>
>>>>> I was just wondering - would you propose for every newly created rule to have the new accessRuleType set to "allow_with_time" or should the type change with addition of time rules to the HBAC rule as it does currently? Also, should the user be able to modify the type so that a rule with the new type is also visible for older clients (=> he could add "allow" to type anytime)?
>>>> Rules of type allow_with_time will not work on older clients, so we should probably default to just the old "allow" schema.
>>>>
>>>> I think in the first implementation the framework/cli/ui should not emphasize this attribute but simply replace allow -> allow_with_time if a time attribute is added.
>>>>
>>>> In future we may give control of it and allow even to set multiple values, after we discuss better if that should be done, and with ample warnings to admins.
>>>>
>>>> Also setting a time rule makes a rule incompatible with older clients so we should spell it clearly in the CLI/UI with a warning message that this rule will not apply at all to older clients.
>>>>
>>>>> Thanks for your ideas, I am very happy with what you suggested here :)
>>>> Thank you.
>>>>
>>>> Simo.
>>>>
>>> So - can we all agree on a solution?
>>>
>>> I took an extra half an hour and created the accessRuleType solution on top of what I currently have, see patches attached to get the picture what the change would mean for what I currently have in https://github.com/stlaz/freeipa/tree/timerules_2 and https://github.com/stlaz/sssd/tree/freeipa-trac-547_2. Note that the sssd patch is really just to get a picture, it currently causes sssd_be to core dump, not sure why and don't want to waste time debugging it right now.
>>>
>>> I myself would in the end rather go for objectClasses implementation as new rules are not shown to old clients which seems correct as there's no confusion for admins who might scratch their heads at old clients with no idea why their HBAC rules don't apply otherwise.
>> +1, I agree with Standa and Martin Basti. Let me repeat myself:
>>
>> I like the idea of "capabilities" in general but it needs proper design and detailed specification first.
>>
>> Given that we have to modify SSSD anyway, I would go for ipaHBACRulev2 object class with clear definition of "capabilities" (without any obsolete cruft).
>>
>> That should be future proof and without any negative/unforeseen impact to existing clients + it matches what Jan Pazdziora plans to do for HBAC+URI.
>>
> As there were no further objections, the latest changes with the objectclass implementation that were made according to Honza's suggestions were pushed to appear in the pull request https://github.com/freeipa/freeipa/pull/23.
>
To be explicit:

Currently, I go with the new objectClass ipaHBACRuleV2 which differs from ipaHBACRule in removal of obsolete attributes, namely accessRuleType, sourceHost, sourceHostCategory and accessTime. This new objectClass makes the rules of the newer type invisible to the older clients on both FreeIPA and SSSD sides.

The class ipaHBACRuleV2 is dynamically switched to from ipaHBACRule upon addition of a time rule to a certain HBAC rule. The process is reversed when there are no time rules left in that exact HBAC rule. Therefore rules that may still apply on older clients are visible there, while the new rules that would not apply are not.

From freeipa-github-notification at redhat.com Thu Sep 1 12:10:40 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Thu, 01 Sep 2016 14:10:40 +0200
Subject: [Freeipa-devel] [freeipa PR#46] Always fetch forest info from root DCs when establishing two-way trust (comment)

abbra commented on a pull request
"""
The change is incomplete: we need also to handle oddjobd helper because it directly calls to dcerpc.fetch_domains() with explicitly set trusted domain name.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/46#issuecomment-244059726

From pspacek at redhat.com Thu Sep 1 12:14:16 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 1 Sep 2016 14:14:16 +0200
Subject: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies
In-Reply-To: <881ae083-a320-430c-a25a-3f435628ccda@redhat.com>
References: <5f64db5a-8903-48a5-7d5e-ff6251667738@redhat.com> <7f48c6dd-d5b0-2587-dbe9-914fa470916d@redhat.com> <20160826102021.h64hfjrvky4bitrw@redhat.com> <188ea28b-ddff-2d8b-c515-c5bdbda8f56d@redhat.com> <1472222393.20746.86.camel@redhat.com> <20160826150943.5zmmub2ntc4vqqij@redhat.com> <1472225168.20746.95.camel@redhat.com> <1472225854.20746.104.camel@redhat.com> <1a254cbc-120f-1645-6a4e-20ef5563719f@redhat.com> <1472564054.5257.50.camel@redhat.com> <5b5e276d-8d3d-53cb-a4a4-fa285f0662d9@redhat.com> <457f0c25-b5ee-b827-1856-25345664670c@redhat.com> <881ae083-a320-430c-a25a-3f435628ccda@redhat.com>
Message-ID: <278821da-c30d-e08e-9864-ab469d5a557d@redhat.com>

On 1.9.2016 14:09, Standa Laznicka wrote:
> On 09/01/2016 01:26 PM, Standa Laznicka wrote:
>> On 08/31/2016 12:57 PM, Petr Spacek wrote:
>>> On 31.8.2016 12:42, Standa Laznicka wrote:
>>>> On 08/30/2016 03:34 PM, Simo Sorce wrote:
>>>>> On Tue, 2016-08-30 at 08:47 +0200, Standa Laznicka wrote:
>>>>>> On 08/26/2016 05:37 PM, Simo Sorce wrote:
>>>>>>> On Fri, 2016-08-26 at 11:26 -0400, Simo Sorce wrote:
>>>>>>>> On Fri, 2016-08-26 at 18:09 +0300, Alexander Bokovoy wrote:
>>>>>>>>> On Fri, 26 Aug 2016, Simo Sorce wrote:
>>>>>>>>>> On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote:
>>>>>>>>>>>> I miss the "why" part of "To be able to handle backward compatibility with ease, a new object called ipaHBACRulev2 is introduced. " in the design page. If the reason is the above - old clients should ignore time rules then it has to be mentioned there. Otherwise I don't see a reason to introduce a new object type instead of extending the current.
>>>>>>>>>>> How do you want to enforce an HBAC rule that has time set from 10 to 14 every day? With the same objectclass old clients will allow this HBAC for all day. Isn't this a CVE?
>>>>>>>>>> This is a discussion worth having.
>>>>>>>>>>
>>>>>>>>>> In general it is a CVE only if an authorization mechanism fails to work as advertised.
>>>>>>>>>>
>>>>>>>>>> If you make it clear that old clients *DO NOT* respect time rules then there is no CVE material, it is working as "described".
>>>>>>>>>>
>>>>>>>>>> The admins already have a way to not set those rules for older clients by simply grouping newer clients in a different host group and applying time rules only there.
>>>>>>>>>>
>>>>>>>>>> So the question really is: should we allow admins to apply an HBAC Rule potentially to older clients that do not understand it and will therefore allow access at any time of the day, or should we prevent it ?
>>>>>>>>>>
>>>>>>>>>> This is a hard question to answer and can go both ways.
>>>>>>>>>>
>>>>>>>>>> A time rule may be something that admins want to enforce at all cost or deny access. In this case a client that fails to handle it would be a problem.
>>>>>>>>>>
>>>>>>>>>> But it may be something that is just used for defense in depth and not a strictly hard requirement. In this case allowing older clients would make it an easy transition as you just set up the rule and the client will start enforcing the time when it is upgraded but work otherwise with the same rules.
>>>>>>>>>>
>>>>>>>>>> I am a bit conflicted on trying to decide what scenario we should target, but the second one appeals to me because host groups do already give admins a good way to apply rules to a specific set of hosts and exclude old clients w/o us making it a hard rule.
>>>>>>>>>> OTOH if an admin does not understand this difference, they may be surprised to find out there are clients that do not honor it.
>>>>>>>>>>
>>>>>>>>>> Perhaps we could find a way to set a flag on the rule such that when set (and only when set) older clients get excluded by way of changing the objectclass or something else to similar effect.
>>>>>>>>>>
>>>>>>>>>> Open to discussion.
>>>>>>>>> At this point using new object class becomes an attractive approach. We don't have means to exclude HBAC rules other than applying them per-host/hostgroup. We also have no deny rules.
>>>>>>>>>
>>>>>>>>> I have another idea: what about enforcing time rules always to apply per-host or per-hostgroup by default? Add --force option to override the behavior but default to not allow --hostcat=all. This would raise awareness and make sure admins are actually applying these rules with intention.
>>>>>>>> This sounds like a good idea, but it is not a silver bullet I am afraid.
>>>>>>>>
>>>>>>>> Simo.
>>>>>>> I was thinking that for future proofing we could add a version field, then reasoned more and realized that changing the object class is basically the same thing.
>>>>>>>
>>>>>>> There is only one big problem, ipaHBACRule is a STRUCTURAL objectclass. (I know 389ds allows us to do an LDAPv3 illegal operation and change it, but I do not like to depend on that behavior).
>>>>>>>
>>>>>>> Now looking into this I had an idea to solve the problem of legacy clients without having to swap classes.
>>>>>>> We can redefine the accessRuleType attribute to be a "capability" type.
>>>>>>>
>>>>>>> Ie rules that have a timeAccess component will be of type "allow_with_time" instead of just "allow".
>>>>>>> Old clients are supposed to search with accessRuleType=allow (and I can see that SSSD does that), so an older client will fail to get those rules as they won't match.
>>>>>>>
>>>>>>> New clients instead can recognize both types.
>>>>>>>
>>>>>>> Also if we need a future extension we will simply add a new access rule type and we can have the same effect.
>>>>>>> The nice thing is that accessRuleType is defined as multivalue (no SINGLE in schema) so we may actually create compatible rules if we want to.
>>>>>>> Ie we could set both "allow" and "allow_with_time" on an object for cases where the admin wants to enforce the time part only on newer clients but otherwise apply the rule to any client.
>>>>>>>
>>>>>>> This should give us the best of all options at once.
>>>>>>>
>>>>>>> Thoughts ?
>>>>>>>
>>>>>>> Simo.
>>>>>>>
>>>>>> Sorry to join the discussion so late, I was away yesterday.
>>>>>>
>>>>>> I have to say I too like this idea much better than fiddling with the objectClasses. Also, I believe that accessRuleType was originally actually used to distinguish newer version of HBAC rules from the older so we may just do this again and profit from its original purpose. To top it off, this change should be really easy to implement to what I currently have on SSSD side.
>>>>>>
>>>>>> I was just wondering - would you propose for every newly created rule to have the new accessRuleType set to "allow_with_time" or should the type change with addition of time rules to the HBAC rule as it does currently? Also, should the user be able to modify the type so that a rule with the new type is also visible for older clients (=> he could add "allow" to type anytime)?
>>>>> Rules of type allow_with_time will not work on older clients, so we should probably default to just the old "allow" schema.
>>>>>
>>>>> I think in the first implementation the framework/cli/ui should not emphasize this attribute but simply replace allow -> allow_with_time if a time attribute is added.
>>>>>
>>>>> In future we may give control of it and allow even to set multiple values, after we discuss better if that should be done, and with ample warnings to admins.
>>>>>
>>>>> Also setting a time rule makes a rule incompatible with older clients so we should spell it clearly in the CLI/UI with a warning message that this rule will not apply at all to older clients.
>>>>>
>>>>>> Thanks for your ideas, I am very happy with what you suggested here :)
>>>>> Thank you.
>>>>>
>>>>> Simo.
>>>>>
>>>> So - can we all agree on a solution?
>>>>
>>>> I took an extra half an hour and created the accessRuleType solution on top of what I currently have, see patches attached to get the picture what the change would mean for what I currently have in https://github.com/stlaz/freeipa/tree/timerules_2 and https://github.com/stlaz/sssd/tree/freeipa-trac-547_2. Note that the sssd patch is really just to get a picture, it currently causes sssd_be to core dump, not sure why and don't want to waste time debugging it right now.
>>>>
>>>> I myself would in the end rather go for objectClasses implementation as new rules are not shown to old clients which seems correct as there's no confusion for admins who might scratch their heads at old clients with no idea why their HBAC rules don't apply otherwise.
>>> +1, I agree with Standa and Martin Basti. Let me repeat myself:
>>>
>>> I like the idea of "capabilities" in general but it needs proper design and detailed specification first.
>>>
>>> Given that we have to modify SSSD anyway, I would go for ipaHBACRulev2 object class with clear definition of "capabilities" (without any obsolete cruft).
>>>
>>> That should be future proof and without any negative/unforeseen impact to existing clients + it matches what Jan Pazdziora plans to do for HBAC+URI.
>>>
>> As there were no further objections, the latest changes with the objectclass implementation that were made according to Honza's suggestions were pushed to appear in the pull request https://github.com/freeipa/freeipa/pull/23.
>>
> To be explicit: Currently, I go with the new objectClass ipaHBACRuleV2 which differs from ipaHBACRule in removal of obsolete attributes, namely accessRuleType, sourceHost, sourceHostCategory and accessTime. This new objectClass makes the rules of the newer type invisible to the older clients on both FreeIPA and SSSD sides.
>
> The class ipaHBACRuleV2 is dynamically switched to from ipaHBACRule upon addition of a time rule to a certain HBAC rule. The process is reversed when there're no time rules left in that exact HBAC rule. Therefore rules that may still apply on older clients are visible there, while the new rules that would not apply are not.

To make sure we thought about this:
What is your vision about interaction with future HBAC+URI (potentially also HBAC+URI+time)?

-- 
Petr^2 Spacek

From freeipa-github-notification at redhat.com Thu Sep 1 12:59:13 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Thu, 01 Sep 2016 14:59:13 +0200
Subject: [Freeipa-devel] [freeipa PR#47] schema cache: Store and check info for pre-schema servers (opened)

dkupka's pull request #47: "schema cache: Store and check info for pre-schema servers" was opened

PR body:
"""
Cache CommandError answer to schema command to avoid sending the command to pre-schema servers every time. This information expires after some time (1 hour) in order to start using schema as soon as the server is upgraded.

https://fedorahosted.org/freeipa/ticket/6095
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/47

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/47/head:pr47
git checkout pr47

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-47.patch
Type: text/x-diff
Size: 12911 bytes
Desc: not available

From slaznick at redhat.com Thu Sep 1 13:02:35 2016
From: slaznick at redhat.com (Standa Laznicka)
Date: Thu, 1 Sep 2016 15:02:35 +0200
Subject: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies
In-Reply-To: <278821da-c30d-e08e-9864-ab469d5a557d@redhat.com>
References: <5f64db5a-8903-48a5-7d5e-ff6251667738@redhat.com> <7f48c6dd-d5b0-2587-dbe9-914fa470916d@redhat.com> <20160826102021.h64hfjrvky4bitrw@redhat.com> <188ea28b-ddff-2d8b-c515-c5bdbda8f56d@redhat.com> <1472222393.20746.86.camel@redhat.com> <20160826150943.5zmmub2ntc4vqqij@redhat.com> <1472225168.20746.95.camel@redhat.com> <1472225854.20746.104.camel@redhat.com> <1a254cbc-120f-1645-6a4e-20ef5563719f@redhat.com> <1472564054.5257.50.camel@redhat.com> <5b5e276d-8d3d-53cb-a4a4-fa285f0662d9@redhat.com> <457f0c25-b5ee-b827-1856-25345664670c@redhat.com> <881ae083-a320-430c-a25a-3f435628ccda@redhat.com> <278821da-c30d-e08e-9864-ab469d5a557d@redhat.com>
Message-ID: <1407f341-798f-d14a-4772-34a8e104c919@redhat.com>

On 09/01/2016 02:14 PM, Petr Spacek wrote:
> On 1.9.2016 14:09, Standa Laznicka wrote:
>> On 09/01/2016 01:26 PM, Standa Laznicka wrote:
>>> On 08/31/2016 12:57 PM, Petr Spacek wrote:
>>>> On 31.8.2016 12:42, Standa Laznicka wrote:
>>>>> On 08/30/2016 03:34 PM, Simo Sorce wrote:
>>>>>> On Tue, 2016-08-30 at 08:47 +0200, Standa Laznicka wrote:
>>>>>>> On 08/26/2016 05:37 PM, Simo Sorce wrote:
>>>>>>>> On Fri, 2016-08-26 at 11:26 -0400, Simo Sorce wrote:
>>>>>>>>> On Fri, 2016-08-26 at 18:09 +0300, Alexander Bokovoy wrote:
>>>>>>>>>> On Fri, 26 Aug 2016, Simo Sorce wrote:
>>>>>>>>>>> On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote:
>>>>>>>>>>>>> I miss the "why" part of "To be able to handle backward compatibility with ease, a new object called ipaHBACRulev2 is introduced. " in the design page. If the reason is the above - old clients should ignore time rules then it has to be mentioned there. Otherwise I don't see a reason to introduce a new object type instead of extending the current.
>>>>>>>>>>>> How do you want to enforce an HBAC rule that has time set from 10 to 14 every day? With the same objectclass old clients will allow this HBAC for all day. Isn't this a CVE?
>>>>>>>>>>> This is a discussion worth having.
>>>>>>>>>>>
>>>>>>>>>>> In general it is a CVE only if an authorization mechanism fails to work as advertised.
>>>>>>>>>>>
>>>>>>>>>>> If you make it clear that old clients *DO NOT* respect time rules then there is no CVE material, it is working as "described".
>>>>>>>>>>>
>>>>>>>>>>> The admins already have a way to not set those rules for older clients by simply grouping newer clients in a different host group and applying time rules only there.
>>>>>>>>>>>
>>>>>>>>>>> So the question really is: should we allow admins to apply an HBAC Rule potentially to older clients that do not understand it and will therefore allow access at any time of the day, or should we prevent it ?
>>>>>>>>>>>
>>>>>>>>>>> This is a hard question to answer and can go both ways.
>>>>>>>>>>>
>>>>>>>>>>> A time rule may be something that admins want to enforce at all cost or deny access. In this case a client that fails to handle it would be a problem.
>>>>>>>>>>>
>>>>>>>>>>> But it may be something that is just used for defense in depth and not a strictly hard requirement. In this case allowing older clients would make it an easy transition as you just set up the rule and the client will start enforcing the time when it is upgraded but work otherwise with the same rules.
>>>>>>>>>>>
>>>>>>>>>>> I am a bit conflicted on trying to decide what scenario we should target, but the second one appeals to me because host groups do already give admins a good way to apply rules to a specific set of hosts and exclude old clients w/o us making it a hard rule.
>>>>>>>>>>> OTOH if an admin does not understand this difference, they may be surprised to find out there are clients that do not honor it.
>>>>>>>>>>>
>>>>>>>>>>> Perhaps we could find a way to set a flag on the rule such that when set (and only when set) older clients get excluded by way of changing the objectclass or something else to similar effect.
>>>>>>>>>>>
>>>>>>>>>>> Open to discussion.
>>>>>>>>>> At this point using new object class becomes an attractive approach. We don't have means to exclude HBAC rules other than applying them per-host/hostgroup. We also have no deny rules.
>>>>>>>>>>
>>>>>>>>>> I have another idea: what about enforcing time rules always to apply per-host or per-hostgroup by default? Add --force option to override the behavior but default to not allow --hostcat=all. This would raise awareness and make sure admins are actually applying these rules with intention.
>>>>>>>>> This sounds like a good idea, but it is not a silver bullet I am afraid.
>>>>>>>>>
>>>>>>>>> Simo.
>>>>>>>> I was thinking that for future proofing we could add a version field, then reasoned more and realized that changing the object class is basically the same thing.
>>>>>>>>
>>>>>>>> There is only one big problem, ipaHBACRule is a STRUCTURAL objectclass. (I know 389ds allows us to do an LDAPv3 illegal operation and change it, but I do not like to depend on that behavior).
>>>>>>>>
>>>>>>>> Now looking into this I had an idea to solve the problem of legacy clients without having to swap classes.
>>>>>>>> We can redefine the accessRuleType attribute to be a "capability" type.
>>>>>>>>
>>>>>>>> Ie rules that have a timeAccess component will be of type "allow_with_time" instead of just "allow".
>>>>>>>> Old clients are supposed to search with accessRuleType=allow (and I can see that SSSD does that), so an older client will fail to get those rules as they won't match.
>>>>>>>>
>>>>>>>> New clients instead can recognize both types.
>>>>>>>>
>>>>>>>> Also if we need a future extension we will simply add a new access rule type and we can have the same effect.
>>>>>>>> The nice thing is that accessRuleType is defined as multivalue (no SINGLE in schema) so we may actually create compatible rules if we want to.
>>>>>>>> Ie we could set both "allow" and "allow_with_time" on an object for cases where the admin wants to enforce the time part only on newer clients but otherwise apply the rule to any client.
>>>>>>>>
>>>>>>>> This should give us the best of all options at once.
>>>>>>>>
>>>>>>>> Thoughts ?
>>>>>>>>
>>>>>>>> Simo.
>>>>>>>>
>>>>>>> Sorry to join the discussion so late, I was away yesterday.
>>>>>>>
>>>>>>> I have to say I too like this idea much better than fiddling with the objectClasses. Also, I believe that accessRuleType was originally actually used to distinguish newer version of HBAC rules from the older so we may just do this again and profit from its original purpose. To top it off, this change should be really easy to implement to what I currently have on SSSD side.
>>>>>>>
>>>>>>> I was just wondering - would you propose for every newly created rule to have the new accessRuleType set to "allow_with_time" or should the type change with addition of time rules to the HBAC rule as it does currently? Also, should the user be able to modify the type so that a rule with the new type is also visible for older clients (=> he could add "allow" to type anytime)?
>>>>>> Rules of type allow_with_time will not work on older clients, so we should probably default to just the old "allow" schema.
>>>>>>
>>>>>> I think in the first implementation the framework/cli/ui should not emphasize this attribute but simply replace allow -> allow_with_time if a time attribute is added.
>>>>>>
>>>>>> In future we may give control of it and allow even to set multiple values, after we discuss better if that should be done, and with ample warnings to admins.
>>>>>>
>>>>>> Also setting a time rule makes a rule incompatible with older clients so we should spell it clearly in the CLI/UI with a warning message that this rule will not apply at all to older clients.
>>>>>>
>>>>>>> Thanks for your ideas, I am very happy with what you suggested here :)
>>>>>> Thank you.
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>> So - can we all agree on a solution?
>>>>>
>>>>> I took an extra half an hour and created the accessRuleType solution on top of what I currently have, see patches attached to get the picture what the change would mean for what I currently have in https://github.com/stlaz/freeipa/tree/timerules_2 and https://github.com/stlaz/sssd/tree/freeipa-trac-547_2. Note that the sssd patch is really just to get a picture, it currently causes sssd_be to core dump, not sure why and don't want to waste time debugging it right now.
>>>>>
>>>>> I myself would in the end rather go for objectClasses implementation as new rules are not shown to old clients which seems correct as there's no confusion for admins who might scratch their heads at old clients with no idea why their HBAC rules don't apply otherwise.
>>>> +1, I agree with Standa and Martin Basti. Let me repeat myself:
>>>>
>>>> I like the idea of "capabilities" in general but it needs proper design and detailed specification first.
>>>>
>>>> Given that we have to modify SSSD anyway, I would go for ipaHBACRulev2 object class with clear definition of "capabilities" (without any obsolete cruft).
>>>>
>>>> That should be future proof and without any negative/unforeseen impact to existing clients + it matches what Jan Pazdziora plans to do for HBAC+URI.
>>>>
>>> As there were no further objections, the latest changes with the objectclass implementation that were made according to Honza's suggestions were pushed to appear in the pull request https://github.com/freeipa/freeipa/pull/23.
>>>
>> To be explicit: Currently, I go with the new objectClass ipaHBACRuleV2 which differs from ipaHBACRule in removal of obsolete attributes, namely accessRuleType, sourceHost, sourceHostCategory and accessTime. This new objectClass makes the rules of the newer type invisible to the older clients on both FreeIPA and SSSD sides.
>>
>> The class ipaHBACRuleV2 is dynamically switched to from ipaHBACRule upon addition of a time rule to a certain HBAC rule. The process is reversed when there're no time rules left in that exact HBAC rule. Therefore rules that may still apply on older clients are visible there, while the new rules that would not apply are not.
> To make sure we thought about this:
> What is your vision about interaction with future HBAC+URI (potentially also HBAC+URI+time)?
>
The idea here was to have HBAC+URI+time in a single release but that idea may be far too optimistic as URI in HBAC development might be dead for now. We had an offline discussion with Petr about this and we came to the conclusion that it may as well be possible by using a multi-valued attribute like Simo suggested.

Not to forget the ideas from the offline discussion, the gist would be in downloading all the rules and then programmatically choose the ones the current client knows (similarly to what's done now in SSSD/ipa_hbac_common.c:hbac_attrs_to_rule() where there's a check whether accessRuleType equals "allow"). This check would have to be done on server (FreeIPA) too. We still need a new objectClass though for the reasons mentioned in this thread and the HBAC versioning should be designed as a separate feature that would go to the same release as the time rules.

From simo at redhat.com Thu Sep 1 13:06:42 2016
From: simo at redhat.com (Simo Sorce)
Date: Thu, 01 Sep 2016 09:06:42 -0400
Subject: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies
In-Reply-To: <881ae083-a320-430c-a25a-3f435628ccda@redhat.com>
References: <5f64db5a-8903-48a5-7d5e-ff6251667738@redhat.com> <7f48c6dd-d5b0-2587-dbe9-914fa470916d@redhat.com> <20160826102021.h64hfjrvky4bitrw@redhat.com> <188ea28b-ddff-2d8b-c515-c5bdbda8f56d@redhat.com> <1472222393.20746.86.camel@redhat.com> <20160826150943.5zmmub2ntc4vqqij@redhat.com> <1472225168.20746.95.camel@redhat.com> <1472225854.20746.104.camel@redhat.com> <1a254cbc-120f-1645-6a4e-20ef5563719f@redhat.com> <1472564054.5257.50.camel@redhat.com> <5b5e276d-8d3d-53cb-a4a4-fa285f0662d9@redhat.com> <457f0c25-b5ee-b827-1856-25345664670c@redhat.com> <881ae083-a320-430c-a25a-3f435628ccda@redhat.com>
Message-ID: <1472735202.10392.7.camel@redhat.com>

On Thu, 2016-09-01 at 14:09 +0200, Standa Laznicka wrote:
> The class ipaHBACRuleV2 is dynamically switched to from ipaHBACRule upon addition of a time rule to a certain HBAC rule.

Honestly I am against this.

If you really want the two objects to be incompatible then you tell the admin he can't add time rules to old objects.
The new object type should be clearly identified as a new rule type and the admin will have to create a new rule of the correct type and remove/disable or retain the old rule as he prefers.

I do not think we should ever try to switch objectclasses dynamically.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From freeipa-github-notification at redhat.com Thu Sep 1 13:48:15 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 01 Sep 2016 15:48:15 +0200
Subject: [Freeipa-devel] [freeipa PR#48] [4.4] Set zanata project-version fo 4.4 branch (opened)

mbasti-rh's pull request #48: "[4.4] Set zanata project-version fo 4.4 branch" was opened

PR body:
"""
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/48

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/48/head:pr48
git checkout pr48

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-48.patch
Type: text/x-diff
Size: 702 bytes
Desc: not available

From bind-dyndb-ldap-github-notification at redhat.com Thu Sep 1 13:51:59 2016
From: bind-dyndb-ldap-github-notification at redhat.com (pspacek)
Date: Thu, 01 Sep 2016 15:51:59 +0200
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#1] [WIP] Port bind-dyndb-ldap to BIND 9.11 (synchronize)

pspacek's pull request #1: "[WIP] Port bind-dyndb-ldap to BIND 9.11" was synchronize

See the full pull-request at https://github.com/freeipa/bind-dyndb-ldap/pull/1

... or pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/1/head:pr1
git checkout pr1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pr-1.patch
Type: text/x-diff
Size: 78134 bytes
Desc: not available

From flo at redhat.com Thu Sep 1 13:58:57 2016
From: flo at redhat.com (Florence Blanc-Renaud)
Date: Thu, 1 Sep 2016 15:58:57 +0200
Subject: [Freeipa-devel] [PATCH] 0014
Message-ID: <5d38f7d7-2b64-9093-35ef-df17d9dc1876@redhat.com>

Hi,

please find attached a patch for ipa-certupdate in CA-less deployment.

https://fedorahosted.org/freeipa/ticket/6288

Flo.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-frenaud-0014-Fix-ipa-certupdate-for-CA-less-installation.patch
Type: text/x-patch
Size: 1743 bytes
Desc: not available

From mbasti at redhat.com Thu Sep 1 14:25:14 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 1 Sep 2016 16:25:14 +0200
Subject: [Freeipa-devel] [PATCH] Bump master IPA devel version to 4.4.90
Message-ID: <066678b5-38a1-e805-df30-983df2748ed6@redhat.com>

Pushed under oneliner rule

Pushed to master: 371254fc4b36cb4d89351edb19c88a85e5a33a1b

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0000-Bump-master-IPA-devel-version-to-4.4.90.patch
Type: text/x-patch
Size: 722 bytes
Desc: not available

From bind-dyndb-ldap-github-notification at redhat.com Thu Sep 1 14:32:07 2016
From: bind-dyndb-ldap-github-notification at redhat.com (pspacek)
Date: Thu, 01 Sep 2016 16:32:07 +0200
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#1] [WIP] Port bind-dyndb-ldap to BIND 9.11 (synchronize)

pspacek's pull request #1: "[WIP] Port bind-dyndb-ldap to BIND 9.11" was synchronize

See the full pull-request at https://github.com/freeipa/bind-dyndb-ldap/pull/1

... or pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/1/head:pr1
git checkout pr1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pr-1.patch
Type: text/x-diff
Size: 99615 bytes
Desc: not available

From slaznick at redhat.com Thu Sep 1 14:35:23 2016
From: slaznick at redhat.com (Standa Laznicka)
Date: Thu, 1 Sep 2016 16:35:23 +0200
Subject: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies
In-Reply-To: <1472735202.10392.7.camel@redhat.com>
References: <5f64db5a-8903-48a5-7d5e-ff6251667738@redhat.com> <7f48c6dd-d5b0-2587-dbe9-914fa470916d@redhat.com> <20160826102021.h64hfjrvky4bitrw@redhat.com> <188ea28b-ddff-2d8b-c515-c5bdbda8f56d@redhat.com> <1472222393.20746.86.camel@redhat.com> <20160826150943.5zmmub2ntc4vqqij@redhat.com> <1472225168.20746.95.camel@redhat.com> <1472225854.20746.104.camel@redhat.com> <1a254cbc-120f-1645-6a4e-20ef5563719f@redhat.com> <1472564054.5257.50.camel@redhat.com> <5b5e276d-8d3d-53cb-a4a4-fa285f0662d9@redhat.com> <457f0c25-b5ee-b827-1856-25345664670c@redhat.com> <881ae083-a320-430c-a25a-3f435628ccda@redhat.com> <1472735202.10392.7.camel@redhat.com>

On 09/01/2016 03:06 PM, Simo Sorce wrote:
> On Thu, 2016-09-01 at 14:09 +0200, Standa Laznicka wrote:
>> The class ipaHBACRuleV2 is dynamically switched to from ipaHBACRule upon addition of a time rule to a certain HBAC rule.
> Honestly I am against this.
>
> If you really want the two objects to be incompatible then you tell the admin he can't add time rules to old objects.
> The new object type should be clearly identified as a new rule type and the admin will have to create a new rule of the correct type and remove/disable or retain the old rule as he prefers.
>
> I do not think we should ever try to switch objectclasses dynamically.
>
> Simo.
>
A child's question: why not?

Also, should it come to life like you propose, what would you expect the user interface to be like?

From simo at redhat.com Thu Sep 1 15:18:45 2016
From: simo at redhat.com (Simo Sorce) Date: Thu, 01 Sep 2016 11:18:45 -0400 Subject: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies In-Reply-To: References: <5f64db5a-8903-48a5-7d5e-ff6251667738@redhat.com> <7f48c6dd-d5b0-2587-dbe9-914fa470916d@redhat.com> <20160826102021.h64hfjrvky4bitrw@redhat.com> <188ea28b-ddff-2d8b-c515-c5bdbda8f56d@redhat.com> <1472222393.20746.86.camel@redhat.com> <20160826150943.5zmmub2ntc4vqqij@redhat.com> <1472225168.20746.95.camel@redhat.com> <1472225854.20746.104.camel@redhat.com> <1a254cbc-120f-1645-6a4e-20ef5563719f@redhat.com> <1472564054.5257.50.camel@redhat.com> <5b5e276d-8d3d-53cb-a4a4-fa285f0662d9@redhat.com> <457f0c25-b5ee-b827-1856-25345664670c@redhat.com> <881ae083-a320-430c-a25a-3f435628ccda@redhat.com> <1472735202.10392.7.camel@redhat.com> Message-ID: <1472743125.10392.25.camel@redhat.com> On Thu, 2016-09-01 at 16:35 +0200, Standa Laznicka wrote: > On 09/01/2016 03:06 PM, Simo Sorce wrote: > > On Thu, 2016-09-01 at 14:09 +0200, Standa Laznicka wrote: > >> The class ipaHBACRuleV2 is dynamically switched to from ipaHBACRule > >> upon > >> addition of a time rule to a certain HBAC rule. > > Honestly I am against this. > > > > If you really want the two objects to be incompatible then you tell the > > admin he can't add time rules to old objects. > > The new object type should be clearly identified as a new rule type and the > > admin will have to create a new rule of the correct type and > > remove/disable or retain the old rule as he prefers. > > > > I do not think we should ever try to switch objectclasses dynamically. > > > > Simo. > > > A child's question: why not? > > Also, should it come to life like you propose, what would you expect the > user interface to be like? LDAPv3 does not allow changing structural classes, 389ds allows it but it is a non-standard feature. 
I do not want to create issues to people that create solutions that do things like synchronizing our LDAP tree to another LDAP server, for caching, proxying or anything else. It is one thing to allow to do something illegal in the LDAP protocol, it is *entirely* different to rely on an illegal feature in day to day operations. Furthermore when you change a rule this way old clients will suddenly see a rule disappear as it will not match their queries anymore. If you silently do this change in the framework an admin may not realize this is the case and break access to his legacy clients. If the admin has to delete and recreate a rule instead it will be much clearer to the admin that this is the case. So the above is for why I am pretty against switching objectclass. Please do not do that, it is a NACK from me. But below find additional things I have been thinking: The thing is we (and admins) will be stuck with old clients for a loong time, so we need to make it clear to them what works for what. We need to allow admins to create rules that work for both new and old clients w/o interfering with each other. In your scheme there must be a way to create a set of rules such that old clients can login at any time while newer clients use time rules. That was easy to accomplish by adding an auxiliary class and simply defining a new type. Old clients would see old stuff only, new clients would add time rules if present. If we have 2 completely different objects because the admin has to create both, then old clients still care only for the old rule, new clients instead have an interesting challenge, what rule do they apply ? How do you make sure a new client will enforce time restriction when it looks up the old rule as well ? After all the old rule grants access at "all times". Of course admins can always create very narrow host groups and apply rules only to them, but this is burdensome if you have a *lot* of clients and some other people are tasked to slowly upgrade them. 
It is possible though, so having 2 separate objects that new clients know about is potentially ok. I would prefer a scheme where they could be combined though for maximum flexibility with as little as possible ambiguity. Simo. -- Simo Sorce * Red Hat, Inc * New York From freeipa-github-notification at redhat.com Thu Sep 1 15:23:24 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 01 Sep 2016 17:23:24 +0200 Subject: [Freeipa-devel] [freeipa PR#49] Don't show error messages in bash completion (opened) Message-ID: tomaskrizek's pull request #49: "Don't show error messages in bash completion" was opened PR body: """ Redirect bash error output to prevent displaying error messages in bash completion for ipa command. https://fedorahosted.org/freeipa/ticket/6273 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/49 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/49/head:pr49 git checkout pr49 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-49.patch Type: text/x-diff Size: 896 bytes Desc: not available URL: From slaznick at redhat.com Thu Sep 1 15:48:44 2016 
From: slaznick at redhat.com (Standa Laznicka) Date: Thu, 1 Sep 2016 17:48:44 +0200 Subject: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies In-Reply-To: <1472743125.10392.25.camel@redhat.com> References: <5f64db5a-8903-48a5-7d5e-ff6251667738@redhat.com> <7f48c6dd-d5b0-2587-dbe9-914fa470916d@redhat.com> <20160826102021.h64hfjrvky4bitrw@redhat.com> <188ea28b-ddff-2d8b-c515-c5bdbda8f56d@redhat.com> <1472222393.20746.86.camel@redhat.com> <20160826150943.5zmmub2ntc4vqqij@redhat.com> <1472225168.20746.95.camel@redhat.com> <1472225854.20746.104.camel@redhat.com> <1a254cbc-120f-1645-6a4e-20ef5563719f@redhat.com> <1472564054.5257.50.camel@redhat.com> <5b5e276d-8d3d-53cb-a4a4-fa285f0662d9@redhat.com> <457f0c25-b5ee-b827-1856-25345664670c@redhat.com> <881ae083-a320-430c-a25a-3f435628ccda@redhat.com> <1472735202.10392.7.camel@redhat.com> <1472743125.10392.25.camel@redhat.com> Message-ID: <9c2d25b6-4c76-49b9-b6f7-cf164e526e74@redhat.com> On 09/01/2016 05:18 PM, Simo Sorce wrote: > On Thu, 2016-09-01 at 16:35 +0200, Standa Laznicka wrote: >> On 09/01/2016 03:06 PM, Simo Sorce wrote: >>> On Thu, 2016-09-01 at 14:09 +0200, Standa Laznicka wrote: >>>> The class ipaHBACRuleV2 is dynamically switched to from ipaHBACRule >>>> upon >>>> addition of a time rule to a certain HBAC rule. >>> Honestly I am against this. >>> >>> If you really want the two objects to be incompatible then you tell the >>> admin he can't add time rules to old objects. >>> The new object type should be clearly identified as a new rule type and the >>> admin will have to create a new rule of the correct type and >>> remove/disable or retain the old rule as he prefers. >>> >>> I do not think we should ever try to switch objectclasses dynamically. >>> >>> Simo. >>> >> A child's question: why not? >> >> Also, should it come to life like you propose, what would you expect the >> user interface to be like? > LDAPv3 does not allow changing structural classes, 389ds allows it but > it is a non-standard feature. 
> I do not want to create issues to people that create solutions that do > things like synchronizing our LDAP tree to another LDAP server, for > caching, proxying or anything else. > It is one thing to allow to do something illegal in the LDAP protocol, > it is *entirely* different to rely on an illegal feature in day to day > operations. > > Furthermore when you change a rule this way old clients will suddenly > see a rule disappear as it will not match their queries anymore. If you > silently do this change in the framework an admin may not realize this > is the case and break access to his legacy clients. If the admin has to > delete and recreate a rule instead it will be much clearer to the admin > that this is the case. > > So the above is for why I am pretty against switching objectclass. > Please do not do that, it is a NACK from me. Thank you for the explanation, I was actually really curious about this as I still don't have that much experience and I just don't get some implications. > But below find additional things I have been thinking: > > The thing is we (and admins) will be stuck with old clients for a loong > time, so we need to make it clear to them what works for what. We need > to allow admins to create rules that work for both new and old clients > w/o interfering with each other. > In your scheme there must be a way to create a set of rules such that old > clients can login at any time while newer clients use time rules. > That was easy to accomplish by adding an auxiliary class and simply > defining a new type. > Old clients would see old stuff only, new clients would add time rules > if present. > If we have 2 completely different objects because the admin has to > create both, then old clients still care only for the old rule, new > clients instead have an interesting challenge, what rule do they apply ? > > How do you make sure a new client will enforce time restriction when it > looks up the old rule as well ? 
> After all the old rule grants access at "all times". > > Of course admins can always create very narrow host groups and apply > rules only to them, but this is burdensome if you have a *lot* of > clients and some other people are tasked to slowly upgrade them. It is > possible though, so having 2 separate objects that new clients know > about is potentially ok. I would prefer a scheme where they could be > combined though for maximum flexibility with as little as possible > ambiguity. If an admin wants the capabilities of time rules then they should just upgrade the clients. If that is a problem, it's their choice. They can either create a special host group for those clients that just won't upgrade or just revoke access to them if it's a problem of a stubborn user who does not want their system upgraded. Having a single object would also be wrong - there's no way of telling the older clients to ignore the objects you want them to ignore if you want them not to ignore some. But all in all thank you for the explanation with the example, it made some of your previous points more clear. From simo at redhat.com Thu Sep 1 16:16:38 2016 
From: simo at redhat.com (Simo Sorce) Date: Thu, 01 Sep 2016 12:16:38 -0400 Subject: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies In-Reply-To: <9c2d25b6-4c76-49b9-b6f7-cf164e526e74@redhat.com> References: <5f64db5a-8903-48a5-7d5e-ff6251667738@redhat.com> <7f48c6dd-d5b0-2587-dbe9-914fa470916d@redhat.com> <20160826102021.h64hfjrvky4bitrw@redhat.com> <188ea28b-ddff-2d8b-c515-c5bdbda8f56d@redhat.com> <1472222393.20746.86.camel@redhat.com> <20160826150943.5zmmub2ntc4vqqij@redhat.com> <1472225168.20746.95.camel@redhat.com> <1472225854.20746.104.camel@redhat.com> <1a254cbc-120f-1645-6a4e-20ef5563719f@redhat.com> <1472564054.5257.50.camel@redhat.com> <5b5e276d-8d3d-53cb-a4a4-fa285f0662d9@redhat.com> <457f0c25-b5ee-b827-1856-25345664670c@redhat.com> <881ae083-a320-430c-a25a-3f435628ccda@redhat.com> <1472735202.10392.7.camel@redhat.com> <1472743125.10392.25.camel@redhat.com> <9c2d25b6-4c76-49b9-b6f7-cf164e526e74@redhat.com> Message-ID: <1472746598.10392.45.camel@redhat.com> On Thu, 2016-09-01 at 17:48 +0200, Standa Laznicka wrote: > If an admin wants the capabilities of time rules then they should just > upgrade the clients. If that is a problem, it's their choice. They can > either create a special host group for those clients that just won't > upgrade or just revoke access to them if it's a problem of a stubborn > user who does not want their system upgraded. This is a very naive view of the problem. First of all, what admins want and what admins can have *and when* are 2 completely different things. Admins may *prefer* to enforce time rules but it may not be a deal breaker if some clients do not follow them. They may be ok to have a period of time in which this is not a hard rule. 
Say they are in the process of migrating 3000 clients from RHEL5.11 to RHEL7.4, they know the roll out will take 6 months, they want a time rule established so that in 6 months all clients will allow access only from 8AM CET to 6PM CET, but they are ok to allow access at all times until a client is migrated. Of course they may simply wait and change rules after all clients are migrated, but maybe their goal in setting rules immediately is that they can test them to see if their users are negatively impacted immediately so they deal with issues as they come slowly as one client after the other is migrated instead of having it all at once on "judgment" day. This is just an example scenario but I find it totally reasonable. Are there other ways to go about it ? Yes, definitely, as mentioned host groups can be used to control which clients see what. I am just saying this is not a black and white problem, there are various shades of gray. > Having a single object would also be wrong - there's no way telling > the older clients to ignore the objects you want them to ignore if you > want them not to ignore some. Yes there is, hostgroups again, you see, it works both ways :-) > But all and all thank you for the explanation with the example, it > made some of your previous points more clear. Sure. Simo. -- Simo Sorce * Red Hat, Inc * New York From freeipa-github-notification at redhat.com Thu Sep 1 16:22:02 2016 
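The three schema layouts argued over in the thread above (structural class switched to ipaHBACRuleV2, an auxiliary class added to an unchanged ipaHBACRule, and two separate rules), reduced to a runnable Python model. This is an added example, not FreeIPA or SSSD code and not part of the discussion: LDAP entries are plain dicts, the client's HBAC search is a filter over them, and the evaluator keeps only the parts of HBAC that matter here (enabled flag, category=all rules, the time window). The attribute name accessTime, its "HH:MM-HH:MM" syntax and the auxiliary class name ipaHBACRuleTime are assumptions made for the demo, not the real FreeIPA schema.

```python
"""Added example (not FreeIPA/SSSD code): a dict-based model of the HBAC schema
options from the thread, to show what legacy and new clients would see.

Assumptions made for the demo: the time window lives in an attribute called
accessTime with an "HH:MM-HH:MM" daily syntax, and the auxiliary class is
called ipaHBACRuleTime. Neither is FreeIPA's real schema.
"""
from datetime import datetime

HBAC_V1 = "ipaHBACRule"            # existing structural class
HBAC_V2 = "ipaHBACRuleV2"          # new structural class from the design draft
HBAC_TIME_AUX = "ipaHBACRuleTime"  # assumed auxiliary class carrying accessTime


def has_objectclass(entry, oc):
    """LDAP equality match on objectClass (case-insensitive)."""
    return any(v.lower() == oc.lower() for v in entry.get("objectClass", []))


def fetch_rules(directory, client_knows_v2):
    """Simulate the client's HBAC search.

    A legacy client searches (objectClass=ipaHBACRule) only; a client built
    against the new type also asks for (objectClass=ipaHBACRuleV2).
    """
    wanted = [HBAC_V1] + ([HBAC_V2] if client_knows_v2 else [])
    return [e for e in directory if any(has_objectclass(e, oc) for oc in wanted)]


def in_window(spec, when):
    """True if `when` falls inside the assumed "HH:MM-HH:MM" daily window."""
    start, end = (datetime.strptime(p, "%H:%M").time() for p in spec.split("-"))
    return start <= when.time() < end


def rule_allows(rule, when, client_knows_time):
    """Evaluate one rule; user/host/service matching is left out because the
    sample rules use category=all, so only the flag and the window matter."""
    if rule.get("ipaEnabledFlag", ["TRUE"])[0] != "TRUE":
        return False
    windows = rule.get("accessTime", [])
    if not windows or not client_knows_time:
        return True  # unrestricted rule, or a client that cannot read the window
    return any(in_window(w, when) for w in windows)


def access_granted(directory, when, client_knows_v2):
    """HBAC is allow-only: any matching visible rule grants access."""
    return any(rule_allows(r, when, client_knows_v2)
               for r in fetch_rules(directory, client_knows_v2))


def make_rule(cn, object_classes, access_time=None):
    """Constructed sample entry shaped like a FreeIPA HBAC rule."""
    entry = {
        "cn": [cn],
        "objectClass": ["top"] + list(object_classes),
        "ipaEnabledFlag": ["TRUE"],
        "userCategory": ["all"],
        "hostCategory": ["all"],
        "serviceCategory": ["all"],
    }
    if access_time:
        entry["accessTime"] = [access_time]
    return entry


# The three layouts under discussion, as constructed sample directories.
SWITCHED = [make_rule("allow_all", [HBAC_V2], "08:00-18:00")]
AUXILIARY = [make_rule("allow_all", [HBAC_V1, HBAC_TIME_AUX], "08:00-18:00")]
TWO_RULES = [make_rule("allow_all", [HBAC_V1]),
             make_rule("office_hours", [HBAC_V2], "08:00-18:00")]

DAY = datetime(2016, 9, 1, 10, 0)
NIGHT = datetime(2016, 9, 1, 23, 0)

if __name__ == "__main__":
    for name, directory in (("switched", SWITCHED), ("auxiliary", AUXILIARY),
                            ("two rules", TWO_RULES)):
        print("%-9s legacy client, day: %-5s  new client, night: %s" % (
            name, access_granted(directory, DAY, False),
            access_granted(directory, NIGHT, True)))
```

Running it shows both of Simo's points. In the switched layout a legacy client, which only searches for (objectClass=ipaHBACRule), gets no rule back at all, so access that used to work during the day is silently denied. In the auxiliary layout the legacy client still sees the rule and grants at all hours, while a new client enforces the window. In the two-rule layout the new client sees the old allow-all rule as well, and because HBAC grants on any matching rule the window is never enforced unless host groups keep the two rules apart.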
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 01 Sep 2016 18:22:02 +0200 Subject: [Freeipa-devel] [freeipa PR#46] Always fetch forest info from root DCs when establishing two-way trust (synchronize) In-Reply-To: References: Message-ID: martbab's pull request #46: "Always fetch forest info from root DCs when establishing two-way trust" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/46 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/46/head:pr46 git checkout pr46 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-46.patch Type: text/x-diff Size: 11470 bytes Desc: not available URL: From mbasti at redhat.com Thu Sep 1 16:27:15 2016 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 1 Sep 2016 18:27:15 +0200 Subject: [Freeipa-devel] Announcing FreeIPA 4.4.1 Message-ID: <13e4828e-bfcd-6bc7-6dde-52a9902be9b6@redhat.com>

The FreeIPA team would like to announce FreeIPA v4.4.1 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository.

== Highlights in 4.4.1 ==

=== Enhancements ===

* Kerberos KDC now takes Authentication Indicators into account when issuing service tickets. This allows, for example, to require two-factor authenticated Kerberos credentials prior to obtaining tickets to a VPN service.
* FreeIPA Certificate Authority is now able to create subordinate CAs to issue certificates with a specific scope.
* Web UI and API end-points can now be configured to log in with client certificates and smart cards. Additional configuration details are described in the External Authentication design page.
* Web UI now suggests having redundancy in Certificate Authority topology.
* Custom FreeIPA plugins can now be built without modifying core FreeIPA code.
* When establishing trust to an Active Directory forest, FreeIPA is now capable of automatically resolving DNS namespace conflicts with another Active Directory forest.

=== Known Issues ===

* Interactive CLI input for dnsrecord-* commands does not work properly for multipart records
* ipa-ca-install fails on replica when master is CA-less
* Lightweight sub-CA certs are not tracked by certmonger after `ipa-replica-install`
* Certificate revocation in service-del and host-del isn't aware of Sub CAs and causes command to fail when Sub CA cert is used

=== Bug fixes ===

FreeIPA 4.4.1 is a stabilization release for the features delivered as a part of 4.4.0. There are more than 140 bug fixes whose details can be seen in the list of resolved tickets below.

== Upgrading ==

Upgrade instructions are available on the [[Upgrade]] page.
== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

== Detailed changelog since 4.4.0 ==

=== Abhijeet Kasurde (4) ===
* Minor fix in ipa-replica-manage MAN page
* Corrected minor spell check in AD Trust information doc messages
* Removed unwanted line break from RefererError Dialog message
* Handled empty hostname in server-del command

=== Alexander Bokovoy (9) ===
* service: add flag to allow S4U2Self
* support schema files from third-party plugins
* ipaserver/dcerpc: reformat to make the code closer to pep8
* trust: automatically resolve DNS trust conflicts for triangle trusts
* trust: make sure external trust topology is correctly rendered
* trust: make sure ID range is created for the child domain even if it exists
* ipa-kdb: simplify trusted domain parent search
* support multiple uid values in schema compatibility tree
* freeipa.spec.in: move ipa CLI utility to freeipa-client

=== Ben Lipton (3) ===
* Fix several small typos
* Use existing HostKey config to test sshd
* Silence sshd messages during install

=== Christian Heimes (5) ===
* Correct path to HTTPD's systemd service directory
* RedHatCAService should wait for local Dogtag instance
* Remove Custodia server keys from LDAP
* Secure permissions of Custodia server.keys
* Require httpd 2.4.6-31 with mod_proxy Unix socket support

=== David Kupka (21) ===
* schema: Fix subtopic -> topic mapping
* help: Add dnsserver commands to help topic 'dns'
* vault: Catch correct exception in decrypt
* schema: Speed up schema cache
* frontend: Change doc, summary, topic and NO_CLI to class properties
* schema: Introduce schema cache format
* schema: Generate bits for help load them on request
* help: Do not create instances to get information about commands and topics
* compat: Save server's API version in for pre-schema servers
* schema cache: Do not reset ServerInfo dirty flag
* schema cache: Do not read fingerprint and format from cache
* Access data for help separately
* frontend: Add summary class property to CommandOverride
* schema cache: Read server info only once
* schema cache: Store API schema cache in memory
* client: Do not create instance just to check isinstance
* schema cache: Read schema instead of rewriting it when SchemaUpToDate
* schema check: Check current client language against cached one
* compat: Fix ping command call
* schema cache: Fallback to 'en_us' when locale is not available
* otptoken, permission: Convert custom type parameters on server

=== Florence Blanc-Renaud (4) ===
* Show full error message for selinuxusermap-add-hostgroup
* server uninstall fails to remove krb principals
* Fix session cookies
* Fix ipa hbactest output

=== Fraser Tweedale (11) ===
* uninstall: untrack lightweight CA certs
* caacl: expand plugin documentation
* spec: require Dogtag >= 10.3.3-3
* Create server and host certs with DNS altname
* caacl: fix regression in rule instantiation
* cert-revoke: fix permission check bypass (CVE-2016-5404)
* Move GeneralName parsing code to ipalib.x509
* x509: fix SAN directoryName parsing
* x509: use NSS enums and OIDs to identify SAN types
* x509: include otherName DER value in GeneralNameInfo
* cert-show: show subject alternative names

=== Ganna Kaihorodova (2) ===
* Fix conflict between "got" and "expected" values
* Fix for integration tests replication layouts

=== Jan Cholasta (19) ===
* frontend: copy command arguments to output params on client
* Revert "Enable vault-* commands on client"
* client: fix hiding of commands which lack server support
* compat: fix ping call
* install: fix external CA cert validation
* vault: add missing salt option to vault_mod
* Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
* parameters: move the `confirm` kwarg to Param
* client: add missing output params to client-side commands
* cert: speed up cert-find
* cert: do not crash on invalid data in cert-find
* server install: do not prompt for cert file PIN repeatedly
* tests: fix test_ipalib.test_frontend.test_Object
* custodia: include known CA certs in the PKCS#12 file for Dogtag
* cert: add missing param values to cert-find output
* cert: include CA name in cert command output
* rpcserver: assume version 1 for unversioned command calls
* custodia: force reconnect before retrieving CA certs from LDAP
* rpcserver: fix crash in XML-RPC system commands

=== Lenka Doudova (26) ===
* Tests: Tracker class for services
* Tests: Authentication indicators xmlrpc tests
* Tests: Authentication indicators integration tests
* Tests: External trust
* Tests: Support of UPN for trusted domains
* Tests: Improve handling of rename operation by user tracker
* Tests: IPA user can kinit using enterprise principal with IPA domain
* Tests: Removing manipulation with /etc/hosts file from integration tests
* Tests: Remove has_keytab from list of expected keys of update command
* Tests: Add data attribute to messages
* Tests: test_ipalib/test_output fails due to change of Output behaviour
* Fix malformed or missing docstrings in ipalib/messages
* Tests: Fix failing tests in test_ipalib/test_parameters
* Tests: Fix failing tests in test_ipalib/test_frontend
* Tests: ID views tests do not recognize ipakrboktoauthasdelegate attribute
* Tests: Duplicate declaration on variables in ID views tests
* Tests: ID views tests do not recognize krbcanonicalname attribute
* Tests: Host tracker does not recognize 'ipakrboktoauthasdelegate' attribute
* Tests: Service tracker and tests don't recognize 'ipakrboktoauthasdelegate' attribute
* Tests: Failing test_ipalib/test_rpc
* Tests: Failing test_ipaserver/test_ldap test
* Tests: Failing tests in test_ipalib/test_plugable
* Raise error when running ipa-adtrust-install with empty netbios-name
* Tests: Random issuer certificate can be added to a service
* Tests: Add missing attributes to test_xmlrpc/test_trust tests
* Tests: Avoid skipping tests due to missing files

=== Lukáš Slebodník (4) ===
* ipa_pwd_extop: Fix warning declaration shadows previous local
* ipa-pwd-extop: Fix warning assignment discards 'const' qualifier from pointer
* ipa-kdb: Allow to build with samba 4.5
* ipa-kdb: Fix unit test after packaging changes in krb5

=== Martin Babinsky (20) ===
* Fix incorrect check for principal type when evaluating CA ACLs
* ipa-nis-manage: Use server API to retrieve plugin status
* ipa-compat-manage: use server API to retrieve plugin status
* ipa-advise: correct handling of plugin namespace iteration
* vault-add: set the default vault type on the client side if none was given
* Preserve user principal aliases during rename operation
* messages: specify message type for ResultFormattingError
* DNS install: Ensure that DNS servers container exists
* Use server API in com.redhat.idm.trust-fetch-domains oddjob helper
* allow 'value' output param in commands without primary key
* allow multiple dashes in the components of server hostname
* expose `--secret` option in radiusproxy-* commands
* prevent search for RADIUS proxy servers by secret
* trust-add: handle `--all/--raw` options properly
* baseldap: Fix MidairCollision instantiation during entry modification
* Create indexes for krbCanonicalName attribute
* harden the check for trust namespace overlap in new principals
* re-set canonical principal name on migrated users
* add python-libsss_nss_idmap and python-sss to BuildRequires
* do not use trusted forest name to construct domain admin principal

=== Martin Bašti (18) ===
* Enable vault-* commands on client
* host-find: do not show SSH key by default
* CI: DNS locations
* Host-del: fix behavior of --updatedns and PTR records
* DNS Locations: fix update-system-records unpacking error
* Use copy when replacing files to keep SELinux context
* CI tests: improve log collecting
* CI tests: fix SSSD log collecting
* idrange: fix unassigned global variable
* Do not initialize API in ipa-client-automount uninstall
* Increase default length of auto generated passwords
* ipa-backup: backup /etc/tmpfiles.d/dirsrv-.conf
* Fix: container owner should be able to add vault
* Remove forgotten print from DN.__str__ implementation
* Raise DuplicatedEntry error when user exists in delete_container
* Update translations
* Print to debug output answer from CA
* Revert "Enable LDAPS in replica promotion"

=== Milan Kubík (12) ===
* ipatests: Tracker implementation for Sub CA feature
* ipatests: Extend CAACL suite to cover Sub CA members
* ipatests: Test Sub CA with CAACL and certificate profile
* ipatests: remove ipacertbase option from test CSR configuration
* ipatests: Add tracker class for kerberos principal aliases
* ipatests: Extend the MockLDAP utility class
* ipatests: Provide a context manager for mocking a trust in RPC tests
* ipatests: Move trust mock helper functions to a separate module
* ipapython: Extend kinit_password to support principal canonicalization
* ipatests: Allow change_principal context manager to use canonicalization
* ipatests: Add kerberos principal alias tests
* ipatests: Fix wrong fixture in kerberos principal alias test

=== Oleg Fayans (7) ===
* Test for incorrect client domain
* Fixed import error
* Fixed incorrect return code assert
* Fixed incorrect domainlevel determination in tests
* Fixed incorrect sequence of method calls in tasks.py
* Added a sleep interval after domainlevel raise in tests
* Disabled raiseonerr in kinit call during topology level check

=== Pavel Vomacka (12) ===
* Close host adder dialog before showing 4304 dialog
* Remove navigation using breadcrumb menus
* Fix test_navigation tests
* Fix test which checks removing of user
* Set default delete action name to 'delete'
* Remove full name from adding user to user group dialog
* Add function which check whether the field is empty
* Add jslint into Makefile
* Fix unicode characters in ca and domain adders
* Add warning about only one existing CA server
* Set servers list as default facet in topology facet group
* Add 'trusted to auth as user' checkbox

=== Peter Lacko (1) ===
* Test URIs in certificate.

=== Petr Voborník (2) ===
* unite log file name of ipa-ca-install
* ca-less tests: fix getting cert in pem format from nssdb

=== Petr Špaček (15) ===
* client-install: log exceptions from certmonger.request_cert
* replica-install: Fix --domain
* Fix ipa-replica-prepare's error message about missing local CA instance
* client: RPM require initscripts to get *-domainname.service
* server-install: Fix --hostname option to always override api.env values
* install: Call hostnamectl set-hostname only if --hostname option is used
* DNS server upgrade: do not fail when DNS server did not respond
* server upgrade: do not start BIND if it was not running before the upgrade
* DNS: allow to add forward zone to already broken sub-domain
* adtrust-install: Mention AD GC port 3286 in list of required ports.
* config-mod: normalize attribute names for --usersearch/--groupsearch
* migrate-ds: Mention --enable-migration in error message about migration mode
* Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup
* Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin
* Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin

=== Simo Sorce (4) ===
* Simplify date manipulation in pwd plugin
* Regenerate asn1 code
* Additional coverity fixes.
* Fix CA ACL Check on SubjectAltNames

=== Stanislav Laznicka (7) ===
* Removed unused method parameter from migrate-ds
* Improvements for the ipa-cacert-manage man and help
* Removed objectclass from LDAP*ReverseMember based tests
* Don't show --force-ntpd option in replica install
* Remove sys.exit from install modules and scripts
* Fail on topology disconnect/last role removal
* Don't ignore --ignore-last-of-role for last CA

=== Sumit Bose (1) ===
* kdb: check for local realm in enterprise principals

=== Thierry Bordaz (2) ===
* Heap corruption in ipapwd plugin
* ipa-pwd-extop memory leak during password update

=== Tiboris (1) ===
* Added new authentication method

=== Tomas Krizek (5) ===
* Update ipa-replica-install documentation
* Fix ipa-caacl-add-service error message
* Validate key in otptoken-add
* Fix ipa-server-install in pure IPv6 environment
* Enable LDAPS in replica promotion

=== gkaihoro (1) ===
* Test for caacl-add-service

=== tester (4) ===
* Add possibility to choose parent element by css
* TEST: managing user certificates
* TEST: managing host certificates
* TEST: managing service certificates

From tkrizek at redhat.com Thu Sep 1 17:37:53 2016 From: tkrizek at redhat.com (Tomas Krizek) Date: Thu, 1 Sep 2016 19:37:53 +0200 Subject: [Freeipa-devel] [PATCH] 0014 In-Reply-To: <5d38f7d7-2b64-9093-35ef-df17d9dc1876@redhat.com> References: <5d38f7d7-2b64-9093-35ef-df17d9dc1876@redhat.com> Message-ID: <755c6d3d-af1e-7538-ecac-f06122ae8b10@redhat.com> On 09/01/2016 03:58 PM, Florence Blanc-Renaud wrote: > Hi, > > please find attached a patch for ipa-certupdate in CA-less deployment. > https://fedorahosted.org/freeipa/ticket/6288 > > Flo. > > > The patch is malformed, but you can simply delete the very first character to fix it. Other than that, patch works as expected -> ACK. -- Tomas Krizek -------------- next part -------------- An HTML attachment was scrubbed... URL: From blipton at redhat.com Fri Sep 2 02:19:08 2016 
From: blipton at redhat.com (Ben Lipton) Date: Thu, 1 Sep 2016 22:19:08 -0400 Subject: [Freeipa-devel] [DESIGN] Text-based rules for CSR autogeneration using Jinja2 In-Reply-To: <1fc2c544-9431-24e4-331d-5f73bf1aaa43@redhat.com> References: <1469010462.21393.47.camel@redhat.com> <1469025427.21393.51.camel@redhat.com> <514956a4-14f7-5816-23cd-d1ce1e3d28fa@redhat.com> <1469031696.21393.55.camel@redhat.com> <60f90568-e517-8516-7c93-491d9bd20758@redhat.com> <1fc2c544-9431-24e4-331d-5f73bf1aaa43@redhat.com> Message-ID: <79fca272-6f78-45e2-5b90-5d8e31a2970a@redhat.com> On 07/27/2016 02:42 PM, Ben Lipton wrote: > On 07/21/2016 11:43 AM, Petr Spacek wrote: >> Besides this nit, >> http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Mapping_Rules#Planned_implementation >> sounds reasonable. I like how it prevents bad data from template-injection. > > That's what I like about it, too. It does turn out to make things a > little tricky when it comes to writing rules that won't render if the > data they depend on is unavailable. (Because instead of rendering > individual rules which we can drop if they're missing data, we build > one big template that has to handle missing data correctly on its > own.) I think it's probably still worth it, though. I added this to > the "Alternatives considered" section of the above document. By the way, I just wrote a followup blog post on this subject: describing the challenges I've had with suppressing rules when the data isn't available, and wondering if it's worth it. The post is here: http://blog.benjaminlipton.com/2016/09/01/rule-suppression.html. It might be a bit of a dense read, but I wanted to have the considerations documented at least. As always, please let me know if there's anything I can clarify. And if you do happen to read it and it makes you prefer one solution over the others, I'd love to hear your opinion. Ben From ftweedal at redhat.com Fri Sep 2 03:22:20 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 2 Sep 2016 13:22:20 +1000 Subject: [Freeipa-devel] [PATCH] 0014 In-Reply-To: <755c6d3d-af1e-7538-ecac-f06122ae8b10@redhat.com> References: <5d38f7d7-2b64-9093-35ef-df17d9dc1876@redhat.com> <755c6d3d-af1e-7538-ecac-f06122ae8b10@redhat.com> Message-ID: <20160902032220.GR11489@dhcp-40-8.bne.redhat.com> On Thu, Sep 01, 2016 at 07:37:53PM +0200, Tomas Krizek wrote: > On 09/01/2016 03:58 PM, Florence Blanc-Renaud wrote: > > Hi, > > > > please find attached a patch for ipa-certupdate in CA-less deployment. > > https://fedorahosted.org/freeipa/ticket/6288 > > > > Flo. > > > > > > > The patch is malformed, but you can simply delete the very first character > to fix it. > > Other than that, patch works as expected -> ACK. > The patch malformation is caused by Thunderbird. See [1] for how to configure Thunderbird (and Mutt) to not add the '>'. [1] http://www.freeipa.org/page/Contribute/Patch_Format#Ensuring_correct_transmission_of_patches Thanks, Fraser From pspacek at redhat.com Fri Sep 2 06:00:46 2016 
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 2 Sep 2016 08:00:46 +0200
Subject: [Freeipa-devel] [PATCH] 0014
In-Reply-To: <20160902032220.GR11489@dhcp-40-8.bne.redhat.com>
References: <5d38f7d7-2b64-9093-35ef-df17d9dc1876@redhat.com> <755c6d3d-af1e-7538-ecac-f06122ae8b10@redhat.com> <20160902032220.GR11489@dhcp-40-8.bne.redhat.com>
Message-ID: <601f3573-b13b-ec68-e0b8-529ad7ede1f5@redhat.com>

On 2.9.2016 05:22, Fraser Tweedale wrote:
> On Thu, Sep 01, 2016 at 07:37:53PM +0200, Tomas Krizek wrote:
>> On 09/01/2016 03:58 PM, Florence Blanc-Renaud wrote:
>>> Hi,
>>>
>>> please find attached a patch for ipa-certupdate in CA-less deployment.
>>> https://fedorahosted.org/freeipa/ticket/6288
>>>
>>> Flo.
>>>
>> The patch is malformed, but you can simply delete the very first character
>> to fix it.
>>
>> Other than that, patch works as expected -> ACK.
>>
> The patch malformation is caused by Thunderbird. See [1] for how to
> configure Thunderbird (and Mutt) to not add the '>'.
>
> [1] http://www.freeipa.org/page/Contribute/Patch_Format#Ensuring_correct_transmission_of_patches

Or even better, abandon patches and start using pull requests:
http://www.freeipa.org/page/Pull_request_on_Github
:-)

-- 
Petr^2 Spacek

From jcholast at redhat.com Fri Sep 2 06:08:59 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 2 Sep 2016 08:08:59 +0200
Subject: [Freeipa-devel] [PATCH] 0014
In-Reply-To: <755c6d3d-af1e-7538-ecac-f06122ae8b10@redhat.com>
References: <5d38f7d7-2b64-9093-35ef-df17d9dc1876@redhat.com> <755c6d3d-af1e-7538-ecac-f06122ae8b10@redhat.com>

On 1.9.2016 19:37, Tomas Krizek wrote:
> On 09/01/2016 03:58 PM, Florence Blanc-Renaud wrote:
>> Hi,
>>
>> please find attached a patch for ipa-certupdate in CA-less deployment.
>> https://fedorahosted.org/freeipa/ticket/6288
>>
>> Flo.
>>
> The patch is malformed, but you can simply delete the very first
> character to fix it.
>
> Other than that, patch works as expected -> ACK.

Nitpick: please avoid C-isms such as "if (ca_enabled):".

-- 
Jan Cholasta

From freeipa-github-notification at redhat.com Fri Sep 2 06:57:58 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Fri, 02 Sep 2016 08:57:58 +0200
Subject: [Freeipa-devel] [freeipa PR#49] Don't show error messages in bash completion (+ack)

tomaskrizek's pull request #49: "Don't show error messages in bash completion" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/49

From freeipa-github-notification at redhat.com Fri Sep 2 06:57:59 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Fri, 02 Sep 2016 08:57:59 +0200
Subject: [Freeipa-devel] [freeipa PR#49] Don't show error messages in bash completion (comment)

dkupka commented on a pull request
"""
Works for me. There is nothing better we can do with current bash completion code.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/49#issuecomment-244298348

From freeipa-github-notification at redhat.com Fri Sep 2 07:01:45 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Fri, 02 Sep 2016 09:01:45 +0200
Subject: [Freeipa-devel] [freeipa PR#49] Don't show error messages in bash completion (+pushed)

tomaskrizek's pull request #49: "Don't show error messages in bash completion" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/49

From freeipa-github-notification at redhat.com Fri Sep 2 07:01:47 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Fri, 02 Sep 2016 09:01:47 +0200
Subject: [Freeipa-devel] [freeipa PR#49] Don't show error messages in bash completion (comment)

dkupka commented on a pull request
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/9d49b4c7e740fb909d8955d23aeb50b5d73d0b23
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/a046d1170b73bb31f8243f1152c0e0843ff7cf3c
"""

See the full comment at https://github.com/freeipa/freeipa/pull/49#issuecomment-244298953

From freeipa-github-notification at redhat.com Fri Sep 2 07:01:48 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Fri, 02 Sep 2016 09:01:48 +0200
Subject: [Freeipa-devel] [freeipa PR#49] Don't show error messages in bash completion (closed)

tomaskrizek's pull request #49: "Don't show error messages in bash completion" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/49

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/49/head:pr49
git checkout pr49

From flo at redhat.com Fri Sep 2 07:05:58 2016
From: flo at redhat.com (Florence Blanc-Renaud)
Date: Fri, 2 Sep 2016 09:05:58 +0200
Subject: [Freeipa-devel] [PATCH] 0014
References: <5d38f7d7-2b64-9093-35ef-df17d9dc1876@redhat.com> <755c6d3d-af1e-7538-ecac-f06122ae8b10@redhat.com>
Message-ID: <3ee10d07-8584-0973-4fe3-2a8334dce76c@redhat.com>

On 09/02/2016 08:08 AM, Jan Cholasta wrote:
> On 1.9.2016 19:37, Tomas Krizek wrote:
>> On 09/01/2016 03:58 PM, Florence Blanc-Renaud wrote:
>>> Hi,
>>>
>>> please find attached a patch for ipa-certupdate in CA-less deployment.
>>> https://fedorahosted.org/freeipa/ticket/6288
>>>
>>> Flo.
>>>
>> The patch is malformed, but you can simply delete the very first
>> character to fix it.
>>
>> Other than that, patch works as expected -> ACK.
>
> Nitpick: please avoid C-isms such as "if (ca_enabled):".
>
Hi all,

thanks for the review. Please find an updated patch version.
Quite difficult to get rid of typing habits...

Flo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-frenaud-0014-2-Fix-ipa-certupdate-for-CA-less-installation.patch
Type: text/x-patch
Size: 1740 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Sep 2 07:38:14 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 02 Sep 2016 09:38:14 +0200
Subject: [Freeipa-devel] [freeipa PR#46] Always fetch forest info from root DCs when establishing two-way trust (synchronize)

martbab's pull request #46: "Always fetch forest info from root DCs when establishing two-way trust" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/46

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/46/head:pr46
git checkout pr46

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-46.patch
Type: text/x-diff
Size: 11479 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Sep 2 08:32:05 2016
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Fri, 02 Sep 2016 10:32:05 +0200
Subject: [Freeipa-devel] [freeipa PR#50] Add cert checks in ipa-server-certinstall (opened)

flo-renaud's pull request #50: "Add cert checks in ipa-server-certinstall" was opened

PR body:
"""
When ipa-server-certinstall is called to install a new server certificate,
the prerequisite is that the certificate issuer must be already known by
IPA. This fix adds new checks to make sure that the tool exits before
modifying the target NSS database if it is not the case.

The fix consists in creating a temp NSS database with the CA certs from
the target NSS database + the new server cert and checking the new server
cert validity.

https://fedorahosted.org/freeipa/ticket/6263
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/50

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/50/head:pr50
git checkout pr50

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-50.patch
Type: text/x-diff
Size: 5522 bytes
Desc: not available

From pspacek at redhat.com Fri Sep 2 09:04:14 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 2 Sep 2016 11:04:14 +0200
Subject: [Freeipa-devel] [DESIGN] Text-based rules for CSR autogeneration using Jinja2
In-Reply-To: <79fca272-6f78-45e2-5b90-5d8e31a2970a@redhat.com>
References: <1469010462.21393.47.camel@redhat.com> <1469025427.21393.51.camel@redhat.com> <514956a4-14f7-5816-23cd-d1ce1e3d28fa@redhat.com> <1469031696.21393.55.camel@redhat.com> <60f90568-e517-8516-7c93-491d9bd20758@redhat.com> <1fc2c544-9431-24e4-331d-5f73bf1aaa43@redhat.com> <79fca272-6f78-45e2-5b90-5d8e31a2970a@redhat.com>

On 2.9.2016 04:19, Ben Lipton wrote:
> On 07/27/2016 02:42 PM, Ben Lipton wrote:
>> On 07/21/2016 11:43 AM, Petr Spacek wrote:
>>> Besides this nit,
>>> http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Mapping_Rules#Planned_implementation
>>> sounds reasonable. I like how it prevents bad data from template-injection.
>>
>> That's what I like about it, too. It does turn out to make things a little
>> tricky when it comes to writing rules that won't render if the data they
>> depend on is unavailable. (Because instead of rendering individual rules
>> which we can drop if they're missing data, we build one big template that
>> has to handle missing data correctly on its own.) I think it's probably
>> still worth it, though. I added this to the "Alternatives considered"
>> section of the above document.
>
> By the way, I just wrote a followup blog post on this subject: describing the
> challenges I've had with suppressing rules when the data isn't available, and
> wondering if it's worth it. The post is here:
> http://blog.benjaminlipton.com/2016/09/01/rule-suppression.html. It might be a
> bit of a dense read, but I wanted to have the considerations documented at
> least. As always, please let me know if there's anything I can clarify. And if
> you do happen to read it and it makes you prefer one solution over the others,
> I'd love to hear your opinion.

Hello Ben,

my comments are in-line (text copied from the blog post):

> Conclusions
>
> The current implementation is working ok, but the "Declaring data
> dependencies" solution is also appealing. Recording in data rules what
> data they depend on is only slightly more involved than wrapping that
> reference in ipa.datafield(), and could also be useful for other purposes.

I agree that syntax with explicit "if"s is a little bit more elaborate. On the
other hand, the explicit condition is easier to read (for me) because I can
see what it is doing directly - I do not remember the meaning of magical IPA
macros.

I.e. I like the version with explicit "if"s more.

> Plus, it would get rid of the empty sections in openssl configs, as well as
> some of the complex macros.

+1

> The extra templating and new tags required to get rid of extra commas and
> newlines don't seem worth it to me, unless we discover a version of openssl
> or certutil that can't consume the current output.

I definitely agree.

> Finally, I think the number of hoops needing to be jumped through to
> fine-tune the output format hint at this "template interpolation" approach
> being less successful than originally expected. While it was expected that
> inserting data rule templates into syntax rule templates and rendering the
> whole thing would produce similar results to rendering data rules first and
> inserting the output into syntax rules, that is not turning out to be the
> case. It might be wise to reconsider the simpler option - it may be easier
> to implement reliable jinja2 template markup escaping than to build
> templates smart enough to handle any combination of data that's available.

This is certainly something to think about. Personally I think that the
version with explicit "if"s is easy to understand, write, and also it has no
risk of data injection (AFAIK).

Explicit escaping is usually very error prone... but I'm not in a position to
judge how user-friendly it would be when compared with other solutions. After
all, the goal of the feature is to make the life of an average admin easier :-)

I hope this brain-dump will help you somehow :-)

Have a nice day!

-- 
Petr^2 Spacek

P.S. I will not be available in the next two weeks, sorry!

From bind-dyndb-ldap-github-notification at redhat.com Fri Sep 2 10:29:13 2016
From: bind-dyndb-ldap-github-notification at redhat.com (pspacek)
Date: Fri, 02 Sep 2016 12:29:13 +0200
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#1] [WIP] Port bind-dyndb-ldap to BIND 9.11 (synchronize)

pspacek's pull request #1: "[WIP] Port bind-dyndb-ldap to BIND 9.11" was synchronize

See the full pull-request at https://github.com/freeipa/bind-dyndb-ldap/pull/1

... or pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/1/head:pr1
git checkout pr1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pr-1.patch
Type: text/x-diff
Size: 120551 bytes
Desc: not available

From bind-dyndb-ldap-github-notification at redhat.com Fri Sep 2 10:29:40 2016
From: bind-dyndb-ldap-github-notification at redhat.com (pspacek)
Date: Fri, 02 Sep 2016 12:29:40 +0200
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#1] Port bind-dyndb-ldap to BIND 9.11 (edited)

pspacek's pull request #1: "Port bind-dyndb-ldap to BIND 9.11" was edited

See the full pull-request at https://github.com/freeipa/bind-dyndb-ldap/pull/1

... or pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/1/head:pr1
git checkout pr1

From blipton at redhat.com Fri Sep 2 11:54:44 2016
From: blipton at redhat.com (Ben Lipton)
Date: Fri, 2 Sep 2016 07:54:44 -0400
Subject: [Freeipa-devel] [DESIGN] Text-based rules for CSR autogeneration using Jinja2
References: <1469010462.21393.47.camel@redhat.com> <1469025427.21393.51.camel@redhat.com> <514956a4-14f7-5816-23cd-d1ce1e3d28fa@redhat.com> <1469031696.21393.55.camel@redhat.com> <60f90568-e517-8516-7c93-491d9bd20758@redhat.com> <1fc2c544-9431-24e4-331d-5f73bf1aaa43@redhat.com> <79fca272-6f78-45e2-5b90-5d8e31a2970a@redhat.com>

On 09/02/2016 05:04 AM, Petr Spacek wrote:
> On 2.9.2016 04:19, Ben Lipton wrote:
>> On 07/27/2016 02:42 PM, Ben Lipton wrote:
>>> On 07/21/2016 11:43 AM, Petr Spacek wrote:
>>>> Besides this nit,
>>>> http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Mapping_Rules#Planned_implementation
>>>> sounds reasonable. I like how it prevents bad data from template-injection.
>>> That's what I like about it, too. It does turn out to make things a little
>>> tricky when it comes to writing rules that won't render if the data they
>>> depend on is unavailable. (Because instead of rendering individual rules
>>> which we can drop if they're missing data, we build one big template that
>>> has to handle missing data correctly on its own.) I think it's probably
>>> still worth it, though. I added this to the "Alternatives considered"
>>> section of the above document.
>> By the way, I just wrote a followup blog post on this subject: describing the
>> challenges I've had with suppressing rules when the data isn't available, and
>> wondering if it's worth it. The post is here:
>> http://blog.benjaminlipton.com/2016/09/01/rule-suppression.html. It might be a
>> bit of a dense read, but I wanted to have the considerations documented at
>> least. As always, please let me know if there's anything I can clarify. And if
>> you do happen to read it and it makes you prefer one solution over the others,
>> I'd love to hear your opinion.
> Hello Ben,
>
> my comments are in-line (text copied from the blog post):
>
>> Conclusions
>>
>> The current implementation is working ok, but the "Declaring data
>> dependencies" solution is also appealing. Recording in data rules what
>> data they depend on is only slightly more involved than wrapping that
>> reference in ipa.datafield(), and could also be useful for other purposes.
> I agree that syntax with explicit "if"s is a little bit more elaborate. On the
> other hand, the explicit condition is easier to read (for me) because I can
> see what it is doing directly - I do not remember the meaning of magical IPA
> macros.
>
> I.e. I like the version with explicit "if"s more.
>
>> Plus, it would get rid of the empty sections in openssl configs, as well as
>> some of the complex macros.
>
> +1
>
>> The extra templating and new tags required to get rid of extra commas and
>> newlines don't seem worth it to me, unless we discover a version of openssl
>> or certutil that can't consume the current output.
> I definitely agree.
>
>
>> Finally, I think the number of hoops needing to be jumped through to
>> fine-tune the output format hint at this "template interpolation" approach
>> being less successful than originally expected. While it was expected that
>> inserting data rule templates into syntax rule templates and rendering the
>> whole thing would produce similar results to rendering data rules first and
>> inserting the output into syntax rules, that is not turning out to be the
>> case. It might be wise to reconsider the simpler option - it may be easier
>> to implement reliable jinja2 template markup escaping than to build
>> templates smart enough to handle any combination of data that's available.
> This is certainly something to think about. Personally I think that the
> version with explicit "if"s is easy to understand, write, and also it has no
> risk of data injection (AFAIK).
>
> Explicit escaping is usually very error prone... but I'm not in a position to
> judge how user-friendly it would be when compared with other solutions. After
> all, the goal of the feature is to make the life of an average admin easier :-)
>
>
> I hope this brain-dump will help you somehow :-)

It very much does, thanks for reading! I was leaning towards the "explicit
ifs" version but didn't want to add more changes unless the difference was
meaningful. I will finish up the patch to convert to the "explicit ifs"
version and make it available in the PR for discussion.

I also agree that implementing escaping for a format we don't control makes
me nervous. One thing we could do is change the format of the data that goes
into the final formatter step.
http://blog.benjaminlipton.com/2016/07/19/csr-generation-templating.html#two-pass-data-interpolation
assumed that would also be jinja2 (hence the {% section %} tag), but it
wouldn't have to be. We could create/choose a different format with
well-defined escaping routines. But it would need to be a structured format,
so that the openssl formatter can figure out what things go into sections and
where. And if we're implementing a structured format for defining CSR
contents, maybe we should skip the openssl format entirely and go straight to
templating the actual CSR structure, as discussed in this thread
https://www.redhat.com/archives/freeipa-devel/2016-August/msg00652.html
(towards the bottom of the email).

These are just some ideas for the future; for now I'm going to set this aside
because template interpolation seems to be working well enough.

From freeipa-github-notification at redhat.com Fri Sep 2 12:35:24 2016
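The two ways of combining data rules with syntax rules that the thread above weighs, shown as an added example that is not part of the thread or of FreeIPA's code: rendering the data rules first and pasting their output into the syntax rule (a second template parse over text derived from the subject data), beside the planned "template interpolation" with explicit ifs, which builds one big template from trusted rule text and renders it once with the data as context. It assumes the jinja2 package is installed; the rule texts, the openssl-style section and the subject values are constructed for illustration.

```python
"""Added example, not FreeIPA's own mapping rules: contrast the two ways of
combining CSR "data rules" with "syntax rules" weighed in the thread.
Assumes the jinja2 package is available; rule texts and subject data are
constructed for illustration.
"""
import jinja2

# Constructed data rules: admin-written, trusted template fragments.  Each
# one records the datum it depends on so the combined template can wrap it
# in an explicit "if" (the "declaring data dependencies" option).
DATA_RULES = [
    {"template": "CN = {{ subject.cn }}", "requires": "subject.cn"},
    {"template": "O = {{ subject.o }}", "requires": "subject.o"},
]

# Constructed syntax rule: an openssl req section; {{ lines }} marks where
# the data rules go.  The two functions below fill it in differently.
SYNTAX_RULE = "[ req_distinguished_name ]\n{{ lines }}"

# StrictUndefined makes a reference to missing data raise instead of
# silently rendering as an empty string.
env = jinja2.Environment(undefined=jinja2.StrictUndefined,
                         keep_trailing_newline=True)


def render_by_output_insertion(subject):
    """Render each data rule, drop the ones whose data is missing, then
    paste the rendered *output* into the syntax rule's source and render
    again.  The second pass parses text that came from the subject data as
    template code, so Jinja2 markup inside a value is evaluated unless it
    is escaped first: this is the injection risk the thread refers to."""
    rendered = []
    for rule in DATA_RULES:
        try:
            rendered.append(
                env.from_string(rule["template"]).render(subject=subject))
        except jinja2.UndefinedError:
            continue  # missing data: suppress the rule
    source = SYNTAX_RULE.replace(
        "{{ lines }}", "".join(line + "\n" for line in rendered))
    return env.from_string(source).render()


def render_by_template_interpolation(subject):
    """Insert the data rule *templates* (trusted text) into the syntax
    rule to form one big template and render it exactly once with the
    subject as context.  Subject values are only ever data, never template
    source, so they come out verbatim.  Each rule is wrapped in an explicit
    'if' on the datum it requires so that missing data suppresses the line
    instead of raising."""
    guarded = "".join(
        "{%% if %s is defined %%}%s\n{%% endif %%}"
        % (r["requires"], r["template"])
        for r in DATA_RULES
    )
    source = SYNTAX_RULE.replace("{{ lines }}", guarded)
    return env.from_string(source).render(subject=subject)


if __name__ == "__main__":
    # Constructed subject whose CN carries Jinja2 markup.
    hostile = {"cn": "{{ 7 * 7 }}", "o": "Example Org"}
    print(render_by_output_insertion(hostile))        # CN line reads: CN = 49
    print(render_by_template_interpolation(hostile))  # CN line reads: CN = {{ 7 * 7 }}
```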
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 02 Sep 2016 14:35:24 +0200
Subject: [Freeipa-devel] [freeipa PR#51] Fix failing negative tests for deprecated params (opened)

martbab's pull request #51: "Fix failing negative tests for deprecated params" was opened

PR body:
"""
Fixes https://fedorahosted.org/freeipa/ticket/6190

There is one last failing test. To fix it properly we will have to rework
`Parameter.__init__` method, see https://fedorahosted.org/freeipa/ticket/6292
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/51

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/51/head:pr51
git checkout pr51

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-51.patch
Type: text/x-diff
Size: 1428 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Sep 2 13:09:01 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Fri, 02 Sep 2016 15:09:01 +0200
Subject: [Freeipa-devel] [freeipa PR#51] Fix failing negative tests for deprecated params (+ack)

martbab's pull request #51: "Fix failing negative tests for deprecated params" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/51

From freeipa-github-notification at redhat.com Fri Sep 2 13:25:13 2016
From: freeipa-github-notification at redhat.com (ofayans)
Date: Fri, 02 Sep 2016 15:25:13 +0200
Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (opened)

ofayans's pull request #52: "Removed incorrect check for returncode" was opened

PR body:
"""
The server installation in most cases returns response code 0 no matter
what happens except for really severe errors. In this case when we try to
uninstall the middle replica of a line topology, it fails, notifies us that
we should use '--ignore-topology-disconnect', but returns 0

https://fedorahosted.org/freeipa/ticket/3230
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/52

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/52/head:pr52
git checkout pr52

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-52.patch
Type: text/x-diff
Size: 2775 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Sep 2 13:32:51 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Fri, 02 Sep 2016 15:32:51 +0200
Subject: [Freeipa-devel] [freeipa PR#46] Always fetch forest info from root DCs when establishing two-way trust (comment)

abbra commented on a pull request
"""
ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/46#issuecomment-244375727

From freeipa-github-notification at redhat.com Fri Sep 2 13:33:04 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Fri, 02 Sep 2016 15:33:04 +0200
Subject: [Freeipa-devel] [freeipa PR#46] Always fetch forest info from root DCs when establishing two-way trust (+ack)

martbab's pull request #46: "Always fetch forest info from root DCs when establishing two-way trust" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/46

From freeipa-github-notification at redhat.com Fri Sep 2 18:38:42 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Fri, 02 Sep 2016 20:38:42 +0200
Subject: [Freeipa-devel] [freeipa PR#43] Tests: Fix regex errors in integration trust tests (synchronize)

mirielka's pull request #43: "Tests: Fix regex errors in integration trust tests" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/43

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/43/head:pr43
git checkout pr43

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-43.patch
Type: text/x-diff
Size: 1369 bytes
Desc: not available

From jpazdziora at redhat.com Sat Sep 3 16:25:08 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Sat, 3 Sep 2016 18:25:08 +0200
Subject: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies
In-Reply-To: <1472743125.10392.25.camel@redhat.com>
References: <1472225854.20746.104.camel@redhat.com> <1a254cbc-120f-1645-6a4e-20ef5563719f@redhat.com> <1472564054.5257.50.camel@redhat.com> <5b5e276d-8d3d-53cb-a4a4-fa285f0662d9@redhat.com> <457f0c25-b5ee-b827-1856-25345664670c@redhat.com> <881ae083-a320-430c-a25a-3f435628ccda@redhat.com> <1472735202.10392.7.camel@redhat.com> <1472743125.10392.25.camel@redhat.com>
Message-ID: <20160903162508.GA13540@redhat.com>

On Thu, Sep 01, 2016 at 11:18:45AM -0400, Simo Sorce wrote:
>
> The thing is we (and admins) will be stuck with old clients for a loong
> time, so we need to make it clear to them what works for what. We need
> to allow admins to create rules that work for both new and old clients
> w/o interfering with each other.
> In your scheme there must be a way to create a set of rules such that old
> clients can login at any time while newer clients use time rules.
> That was easy to accomplish by adding an auxiliary class and simply
> defining a new type.
> Old clients would see old stuff only, new clients would add time rules
> if present.
> If we have 2 completely different objects because the admin has to
> create both, then old clients still care only for the old rule, new
> clients instead have an interesting challenge, what rule do they apply ?

You use host groups to serve the old rule to old clients and the time-based
rule to new clients. Each client will apply the rule they see.

If you happen to serve the old rule to the new client, access will be
allowed no matter what the other, time-based rule says.

You do not use magic to interpret one rule differently, one way on one
version of client and other way on different client version.

> How do you make sure a new client will enforce time restriction when it
> looks up the old rule as well ?

You make sure the new client does not see the old rule.

> Of course admins can always create very narrow host groups and apply
> rules only to them, but this is burdensome if you have a *lot* of
> clients and some other people are tasked to slowly upgrade them. It is
> possible though, so having 2 separate objects that new clients know
> about is potentially ok. I would prefer a scheme where they could be
> combined though for maximum flexibility with as little as possible
> ambiguity.

I agree that managing separate host group membership might be extra work.
But it seems to be the only way to remove the ambiguity.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From abokovoy at redhat.com Sat Sep 3 22:04:33 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sun, 4 Sep 2016 01:04:33 +0300
Subject: [Freeipa-devel] Karma Requests for pki-core-10.3.5-4
Message-ID: <20160903220239.izvulsplt3rlkhya@redhat.com>

On Tue, 30 Aug 2016, Matthew Harmsen wrote:
> The following updated candidate builds of pki-core 10.3.5 on Fedora
> 24, 25, and 26 (rawhide) consist of the following:
>
> * Fedora 24
>   o pki-core-10.3.5-4.fc24
> * Fedora 25
>   o pki-core-10.3.5-4.fc25
> * Fedora 26
>   o pki-core-10.3.5-4.fc26
>
Unfortunately, upgrade in Fedora 24 does not work for existing FreeIPA
deployments due to lack of upgrade for dangling symlinks of
jaxrs-api.jar. I filed a ticket https://fedorahosted.org/pki/ticket/2452.

Please fix it ASAP because we already have users in Fedora 24
complaining about broken deployments after a mere 'dnf update'.

-- 
/ Alexander Bokovoy

From freeipa-github-notification at redhat.com Mon Sep 5 07:07:53 2016
From: freeipa-github-notification at redhat.com (ofayans)
Date: Mon, 05 Sep 2016 09:07:53 +0200
Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (synchronize)

ofayans's pull request #52: "Removed incorrect check for returncode" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/52

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/52/head:pr52
git checkout pr52

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-52.patch
Type: text/x-diff
Size: 7015 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Sep 5 07:11:13 2016
From: freeipa-github-notification at redhat.com (ofayans)
Date: Mon, 05 Sep 2016 09:11:13 +0200
Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (synchronize)

ofayans's pull request #52: "Removed incorrect check for returncode" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/52

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/52/head:pr52
git checkout pr52

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-52.patch
Type: text/x-diff
Size: 7447 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Sep 5 07:14:24 2016
From: freeipa-github-notification at redhat.com (ofayans)
Date: Mon, 05 Sep 2016 09:14:24 +0200
Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (synchronize)

ofayans's pull request #52: "Removed incorrect check for returncode" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/52

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/52/head:pr52
git checkout pr52

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-52.patch
Type: text/x-diff
Size: 9713 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Sep 5 07:21:17 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 05 Sep 2016 09:21:17 +0200
Subject: [Freeipa-devel] [freeipa PR#46] Always fetch forest info from root DCs when establishing two-way trust (closed)

martbab's pull request #46: "Always fetch forest info from root DCs when establishing two-way trust" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/46

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/46/head:pr46
git checkout pr46

From freeipa-github-notification at redhat.com Mon Sep 5 07:21:19 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 05 Sep 2016 09:21:19 +0200
Subject: [Freeipa-devel] [freeipa PR#46] Always fetch forest info from root DCs when establishing two-way trust (+pushed)

martbab's pull request #46: "Always fetch forest info from root DCs when establishing two-way trust" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/46

From freeipa-github-notification at redhat.com Mon Sep 5 07:21:21 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 05 Sep 2016 09:21:21 +0200
Subject: [Freeipa-devel] [freeipa PR#46] Always fetch forest info from root DCs when establishing two-way trust (comment)

martbab commented on a pull request
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/33f8685513e06f6a398036a78407d61c3ac2db86
https://fedorahosted.org/freeipa/changeset/c789b17b2e28ed9008fee076a0db72fe90f7e93f
https://fedorahosted.org/freeipa/changeset/4ca671788cc54a00de6a55a2529df6126da14d88
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/58513d3b2a72b6c15bdf5676ed63d6eb74f36ed7
https://fedorahosted.org/freeipa/changeset/034b78e320e4868e4dee520690bb49fefc242cde
https://fedorahosted.org/freeipa/changeset/a532edf97337a80b0777fb00cc1b9e57ef8cf487
"""

See the full comment at https://github.com/freeipa/freeipa/pull/46#issuecomment-244675328

From freeipa-github-notification at redhat.com Mon Sep 5 07:23:57 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 05 Sep 2016 09:23:57 +0200
Subject: [Freeipa-devel] [freeipa PR#51] Fix failing negative tests for deprecated params (+pushed)

martbab's pull request #51: "Fix failing negative tests for deprecated params" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/51

From freeipa-github-notification at redhat.com Mon Sep 5 07:23:58 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 05 Sep 2016 09:23:58 +0200
Subject: [Freeipa-devel] [freeipa PR#51] Fix failing negative tests for deprecated params (comment)

martbab commented on a pull request
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/82e754e9c5e46317c7c060d9bc9c00ee259101a1
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/4d4ea09a82cf9234a0f3cec43fd1551acae5780c
"""

See the full comment at https://github.com/freeipa/freeipa/pull/51#issuecomment-244675738

From freeipa-github-notification at redhat.com Mon Sep 5 07:24:00 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 05 Sep 2016 09:24:00 +0200
Subject: [Freeipa-devel] [freeipa PR#51] Fix failing negative tests for deprecated params (closed)

martbab's pull request #51: "Fix failing negative tests for deprecated params" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/51

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/51/head:pr51
git checkout pr51

From freeipa-github-notification at redhat.com Mon Sep 5 07:31:46 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 05 Sep 2016 09:31:46 +0200
Subject: [Freeipa-devel] [freeipa PR#48] [4.4] Set zanata project-version fo 4.4 branch (+ack)

mbasti-rh's pull request #48: "[4.4] Set zanata project-version fo 4.4 branch" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/48

From freeipa-github-notification at redhat.com Mon Sep 5 07:32:35 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 05 Sep 2016 09:32:35 +0200
Subject: [Freeipa-devel] [freeipa PR#48] [4.4] Set zanata project-version fo 4.4 branch (comment)

martbab commented on a pull request
"""
Fixed upstream
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/362162aba5ce83043cb3947e453234e933266f4b
"""

See the full comment at https://github.com/freeipa/freeipa/pull/48#issuecomment-244677238

From freeipa-github-notification at redhat.com Mon Sep 5 07:32:37 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 05 Sep 2016 09:32:37 +0200
Subject: [Freeipa-devel] [freeipa PR#48] [4.4] Set zanata project-version fo 4.4 branch (+pushed)

mbasti-rh's pull request #48: "[4.4] Set zanata project-version fo 4.4 branch" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/48

From freeipa-github-notification at redhat.com Mon Sep 5 07:32:38 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 05 Sep 2016 09:32:38 +0200
Subject: [Freeipa-devel] [freeipa PR#48] [4.4] Set zanata project-version fo 4.4 branch (closed)

mbasti-rh's pull request #48: "[4.4] Set zanata project-version fo 4.4 branch" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/48

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/48/head:pr48
git checkout pr48

From freeipa-github-notification at redhat.com Mon Sep 5 08:22:56 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 05 Sep 2016 10:22:56 +0200
Subject: [Freeipa-devel] [freeipa PR#47] schema cache: Store and check info for pre-schema servers (comment)

tomaskrizek commented on a pull request
"""
Works as expected.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/47#issuecomment-244686988

From freeipa-github-notification at redhat.com Mon Sep 5 08:23:03 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 05 Sep 2016 10:23:03 +0200
Subject: [Freeipa-devel] [freeipa PR#47] schema cache: Store and check info for pre-schema servers (+ack)

dkupka's pull request #47: "schema cache: Store and check info for pre-schema servers" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/47

From freeipa-github-notification at redhat.com Mon Sep 5 08:32:58 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 05 Sep 2016 10:32:58 +0200
Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment)

mbasti-rh commented on a pull request
"""
ACK: Removed incorrect check for returncode

NACK: Several fixes in replica_promotion tests -- missing explanation in commit messages why this change is needed, if changes are unrelated should be in multiple patches

ACK: Changed addressing to the client hosts to be replicas

ACK: Xfailed the tests due to a known bug with replica preparation
"""

See the full comment at https://github.com/freeipa/freeipa/pull/52#issuecomment-244689293

From freeipa-github-notification at redhat.com Mon Sep 5 08:38:18 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 05 Sep 2016 10:38:18 +0200
Subject: [Freeipa-devel] [freeipa PR#47] schema cache: Store and check info for pre-schema servers (-ack)

dkupka's pull request #47: "schema cache: Store and check info for pre-schema servers" label *ack* has been removed

See the full pull-request at https://github.com/freeipa/freeipa/pull/47

From freeipa-github-notification at redhat.com Mon Sep 5 08:39:01 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 05 Sep 2016 10:39:01 +0200
Subject: [Freeipa-devel] [freeipa PR#47] schema cache: Store and check info for pre-schema servers (comment)

jcholast commented on a pull request
"""
NACK on the while loop which could loop infinitely.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/47#issuecomment-244690568

From tkrizek at redhat.com Mon Sep 5 08:42:08 2016
From: tkrizek at redhat.com (Tomas Krizek)
Date: Mon, 5 Sep 2016 10:42:08 +0200
Subject: [Freeipa-devel] [PATCH] 0014
In-Reply-To: <3ee10d07-8584-0973-4fe3-2a8334dce76c@redhat.com>
References: <5d38f7d7-2b64-9093-35ef-df17d9dc1876@redhat.com> <755c6d3d-af1e-7538-ecac-f06122ae8b10@redhat.com> <3ee10d07-8584-0973-4fe3-2a8334dce76c@redhat.com>

On 09/02/2016 09:05 AM, Florence Blanc-Renaud wrote:
> On 09/02/2016 08:08 AM, Jan Cholasta wrote:
>> On 1.9.2016 19:37, Tomas Krizek wrote:
>>> On 09/01/2016 03:58 PM, Florence Blanc-Renaud wrote:
>>>> Hi,
>>>>
>>>> please find attached a patch for ipa-certupdate in CA-less deployment.
>>>> https://fedorahosted.org/freeipa/ticket/6288
>>>>
>>>> Flo.
>>>>
>>> The patch is malformed, but you can simply delete the very first character to fix it.
>>>
>>> Other than that, patch works as expected -> ACK.
>>
>> Nitpick: please avoid C-isms such as "if (ca_enabled):".
>>
> Hi all,
>
> thanks for the review. Please find an updated patch version. Quite difficult to get rid of typing habits...
>
> Flo
>
ACK

-- 
Tomas Krizek

From jcholast at redhat.com Mon Sep 5 10:52:42 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 5 Sep 2016 12:52:42 +0200
Subject: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation
References: <8198a4a5-14fa-485f-fa89-325468b65c96@redhat.com> <23f5ad4f-c624-87db-0807-770979880bfb@redhat.com> <20160725111123.qthtarfgcsfbdnzk@redhat.com> <4eb3fe2f-ac80-4cf9-0f17-1c420fd52034@redhat.com> <57f0be1e-2915-fa33-d579-f173f1f5d019@redhat.com> <4f2f65ed-e525-1f04-f19b-c8a00b23001f@redhat.com> <57BF50E1.8030209@redhat.com>
Message-ID: <82017bee-a989-cbe5-d5ed-f481441269e6@redhat.com>

On 27.8.2016 22:40, Ben Lipton wrote:
> On 08/25/2016 04:11 PM, Rob Crittenden wrote:
>> Ben Lipton wrote:
>>> On 08/23/2016 03:54 AM, Jan Cholasta wrote:
>>>> On 8.8.2016 22:23, Ben Lipton wrote:
>>>>> On 07/25/2016 07:45 AM, Jan Cholasta wrote:
>>>>>> On 25.7.2016 13:11, Alexander Bokovoy wrote:
>>>>>>> On Mon, 25 Jul 2016, Jan Cholasta wrote:
>>>>>>>> On 20.7.2016 16:05, Ben Lipton wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Thanks very much for the feedback! Some responses below; I hope you'll let me know what you think of my reasoning.
>>>>>>>>>
>>>>>>>>> On 07/20/2016 04:20 AM, Jan Cholasta wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> On 17.6.2016 00:06, Ben Lipton wrote:
>>>>>>>>>>> On 06/14/2016 08:27 AM, Ben Lipton wrote:
>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>
>>>>>>>>>>>> I have written up a design proposal for making certificate requests easier to generate when using alternate certificate profiles: http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation.
>>>>>>>>>>>>
>>>>>>>>>>>> The use case for this is described in https://fedorahosted.org/freeipa/ticket/4899. I will be working on implementing this design over the next couple of months. If you have the time and interest, please take a look and share any comments or concerns that you have.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks!
>>>>>>>>>>>>
>>>>>>>>>>>> Ben
>>>>>>>>>>>>
>>>>>>>>>>> Just a quick update to say that I've created a new document that covers the proposed schema additions in a more descriptive way (with diagrams!) I'm very new to developing with LDAP, so some more experienced eyes on the proposal would be very helpful, even if you don't have time to absorb the full design. Please take a look at http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Schema if you have a chance.
>>>>>>>>>>
>>>>>>>>>> I finally had a chance to take a look at this, here are some comments:
>>>>>>>>>>
>>>>>>>>>> 1) I don't like how transformation rules are tied to a particular helper and have to be duplicated for each of them. They should be generic and work with any helper, as helpers are just an implementation detail and their resulting data is the same.
>>>>>>>>>>
>>>>>>>>>> In fact, I think I would prefer if the CSR was generated using python-cryptography's CertificateSigningRequestBuilder [1] rather than openssl or certutil or any other command line tool.
>>>>>>>>>>
>>>>>>>>> There are lots of tools that users might want to use to manage their private keys, so I don't know if we can assume that whatever library we prefer will actually be able to access the private key to sign a CSR, which is why I thought it would be useful to support more than one.
>>>>>>>>
>>>>>>>> python-cryptography has the notion of backends, which allow it to support multiple crypto implementations. Upstream it currently supports only OpenSSL [2], but some work has been done on PKCS#11 backend [3], which provides support for HSMs and soft-tokens (like NSS databases).
>>>>>>>>
>>>>>>>> Alternatively, for NSS databases (and other "simple" cases), you can generate the private key with python-cryptography using the default backend, export it to a file and import the file to the target database, so you don't actually need the PKCS#11 backend for them.
>>>>>>>>
>>>>>>>> So, the only thing that's currently lacking is HSM support, but given that we don't support HSMs in IPA nor in certmonger, I don't think it's an issue for now.
>>>>>>>>
>>>>>>>>> The purpose of the mapping rule is to tie together the transformation rules that produce the same data into an object that's implementation-agnostic, so that profiles referencing those rules are automatically compatible with all the helper options.
>>>>>>>>
>>>>>>>> They are implementation-agnostic, as long as you consider `openssl` and `certutil` the only implementations :-) But I don't think this solution scales well to other possible implementations.
>>>>>>>>
>>>>>>>> Anyway, my main grudge is that the transformation rules shouldn't really be stored on and processed by the server. The server should know the *what* (mapping rules), but not the *how* (transformation rules). The *how* is an implementation detail and does not change in time, so there's no benefit in handling it on the server. It should be handled exclusively on the client, which I believe would also make the whole thing more robust (it would not be possible for a bug on the server to break all the clients).
>>>>>>> This is a good point. However, for the scope of Ben's project can we limit it by openssl and certutil support? Otherwise Ben wouldn't be able to complete the project in time.
>>>>>>
>>>>>> I'm fine with that, but I don't think it's up to me :-)
>>>>>>
>>>>>>>
>>>>>>>>> This is turning out to be a common (and, I think, reasonable) reaction to the proposal. It is rather complex, and I worry that it will be difficult to configure. On the other hand, there is some hidden complexity to enabling a simpler config format, as well. One of the goals of the project as it was presented to me was to allow the creation of profiles that add certificate extensions *that FreeIPA doesn't yet know about*. With the current proposal, one only has to add a rule generating text that the helper will understand.
>>>>>>>>
>>>>>>>> ... which will be possible only as long as the helper understands the extension. Which it might not, thus the current proposal works only for *some* extensions that FreeIPA doesn't yet support.
>>>>>>> We can go ad infinitum here but with any helper implementation, be it python-cryptography or anything else, you will need to have a support there as well.
>>>>>>
>>>>>> My point was that the current proposal is not any better than my proposal in this regard, as neither of them allows one to use an arbitrary extension.
>>>>>>
>>>>>>> The idea with unknown extensions was to allow mapping their acceptance to a specific relationship between IPA objects (optionally) and an input from the CSR. A simplest example would be an identity rule that would copy an ASN.1 encoded content from the CSR to the certificate.
>>>>>>>
>>>>>>> That's on the mapping side, not on the CSR generation side, but it would go similarly for the CSR if you would be able to enter unknown but otherwise correct ASN.1 stream. There is no difference at which helper type we are talking about because all of them support inserting ASN.1 content.
>>>>>>>
>>>>>>>>> With your suggestion, if there's a mapping between "san_directoryname" and the corresponding API calls or configuration lines, we need some way for users to augment that mapping without changing the code. If there's no mapping, and it's just done with text processing, we need enough in the config format to be able to generate fairly complex structures:
>>>>>>>>>
>>>>>>>>> builder = builder.subject_name(x509.Name(u'CN=user,O=EXAMPLE.COM'))
>>>>>>>>> builder = builder.add_extension(x509.SubjectAlternativeName([x509.RFC822Name(u'user at example.com'), x509.DirectoryName(x509.Name(u'CN=user,O=EXAMPLE.COM'))]), False)
>>>>>>>>>
>>>>>>>>> and we need to do it without it being equivalent to calling eval() on the config attributes. I'm not sure how to achieve this (is it safe to call getattr(x509, extensiontype)(value) where extensiontype and value are user-specified?) and it definitely would have to be tied to a particular library/tool.
>>>>>>>>
>>>>>>>> As I pointed out above, this needs to be figured out for the generic case for both the current proposal and my suggestion.
>>>>> I have a proof of concept[1] for using openssl-based rules to add a subject alt name extension without using openssl's knowledge of that extension. It's not extremely pretty, and it took some trial and error, but no code changes. So, I think this actually is a difference between the two proposals.
>>>>
>>>> With the obvious catch being that it works only with OpenSSL, which might not work for everyone, e.g. when using HSMs or SmartCards, due to a limited PKCS#11 support in OpenSSL.
>>>
>>> Very true. Even certutil's equivalent feature (--extGeneric) doesn't seem like it would work very well in this context, as you are supposed to pass in an already-encoded extension, so text-based templating wouldn't be able to do much.
>>
>> Yeah, I struggled with this myself. I ended up writing a pyasn1 script to generate the extension I needed, wrote that to a file, and passed it to certutil using:
>>
>> --extGeneric 2.5.29.17:not-critical:/path/to/msupn.der
>>
>>>>
>>>>> Next we have the easy case, extensions that we as FreeIPA developers know are important and build support for. For these, the two proposals work equivalently well, but yours is simpler to configure because the knowledge of how to make a san_rfc822name is built into the library instead of being stored on the server as a set of rules.
>>>>>
>>>>> Finally, we have the case of extensions that are known to the helper, but not to FreeIPA. In the existing proposal, new rules can be written to support these extensions under a particular helper. Further, those rules can be used by reference in many profiles, reducing duplication of effort/data/errors.
>>>>>
>>>>> As I understand it, the main objections in this thread are that transformation rules are implementation (i.e. helper) specific data stored in the IPA server, and that the system has several levels of schema when it could just embed rules in the profile. But without helper-specific rules, administrators could not take advantage of the additional extensions supported by the helper they are using.
>>>>
>>>> There is *no* advantage in forcing the user to choose between helpers which differ only in the set of limitations on the CSR they are able to produce. The user should specify a) where the private key is located and b) what profile to use, and that's it, it should just work.
>>> Ok, this is a good point about usability. The user creating the CSR shouldn't have to care about helpers, and I agree that the current way they are exposed is clunky. I do think that an administrator creating custom rules might want to take advantage of a helper, so they wouldn't need to understand the ASN.1 representation of their chosen certificate extension. Of course, the desired extension might not be supported by the helper either. Since I don't know what specific extensions people will want to use this for, I don't know how to balance the better administrator experience of adding extensions via a helper with the limited extension support.
>>>
>>> The original reason we arrived at the concept of "helpers" was to support different ways of getting at private keys, but perhaps this should not be the concern of the CSR data generator. In your opinion, would it be sufficient to support just one key format (PKCS#12? PEM?) and let the user deal with putting those keys into whatever formats/databases they need? If that's ok, maybe we can stop having *multiple* helpers, but if we want to replace helpers entirely I'm still not certain what to replace them with.
>>
>> I'd just add an option to specify the output format, e.g. PEM, NSS, Java keystore, PKCS#12, whatever. You can probably get away with the first two for starters. Different output format is going to mean different options but that is probably not a big deal.
>
> My point was that if we want to get rid of all the helpers but one, or replace helpers with something else entirely like somehow templating ASN1 structures directly, it will get harder to support all those formats (or even both of the first two). For example, if we drop certutil as a helper, how will we sign CSRs with keys stored in NSS databases?

1. get the public part of the key from the NSS database
2. construct a CertificationRequestInfo [1] from the template and the public key
3. sign the CertificationRequestInfo with NSS using the private key to get a CSR

This is purely client side, will work with any crypto library (just substitute NSS for something else) and, if done right, using very little code.

>>
>> Remember that the private key will be at rest for some period of time while the CSR is being approved. The key needs to be protected at that time.
>>
>> rob
>>
>>>>
>>>>> And without the separation of profiles from mapping rules in the schema, rules would need to be copy+pasted among profiles, and grouping rules with the same effect under different helpers would be much uglier. We can and should discuss whether these are the right tradeoffs, but this is where those decisions came from.
>>>>>
>>>>>>>>
>>>>>>>> OTOH, I think we could use GSER encoding of the extension value:
>>>>>>>>
>>>>>>>> { rfc822Name:"user at example.com", directoryName:rdnSequence:"CN=user,O=EXAMPLE.COM" }
>>>>>>> GSER is not really used widely and does not have standardized encoding rules beyond its own definition. If you want to allow transformation rules in GSER that mention existing content in IPA objects, you would need to deal with templating anyway. At this point it becomes irrelevant what you are templating, though.
>>>>>>
>>>>>> True, but the goal here is not to avoid templating, but rather to avoid implementation-specific bits on the server, and GSER is the only thing that is textual, implementation-neutral and, as a bonus, standardized.
>>>>>>
>>>>> As I said elsewhere, we could use GSER as a textual output format instead of openssl or certutil, but it still needs its own "helper" to build the CSR, and unlike the other options, it seems like we might need to implement that helper. I'm not sure it's fair to call it implementation-neutral if no implementation exists yet :)
>>>>
>>>> Right. Like I said, using GSER was just a quick idea off the top of my head. I would actually rather use some sort of data structure templating rather than textual templating on top of any kind of textual representation of said data structures. I don't know if there is such a thing, though.
>>>
>>> This sounds interesting, can you give an example of what this might look like? It would be something like XSLT, but for ASN.1 rather than XML.
>>>
>>> I learned that there's also an XML encoding for ASN.1, XER, but that's still a textual representation and we'd have to insert the data textually.

Well, yes and no. While it's true that it's still a textual representation, what really makes a difference is that for XML, there is a templating mechanism which understands the structure of the data (XSLT, as mentioned above). Unfortunately, XER has the same shortcoming as GSER: to be able to convert it to DER, you need to know the ASN.1 definition of the data structure. If we used XER+XSLT, we would also have to provide means of adding custom ASN.1 definitions and run them through an ASN.1 compiler to convert between XER and DER.

>>> It doesn't seem to be supported by any python libraries, either, but it does look like it's supported by the asn1 compiler in the IPA source distribution. I could imagine an implementation that builds an XML representation of the CSR via python templating, then makes a signed CSR out of it in C. I'm a little concerned about it because it would have to implement the whole CSR structure from scratch, but is this a prototype that you'd be interested in seeing?

I can imagine something like this might work:

1. (client) generate a key pair
2. (client) get SubjectPublicKeyInfo [2] for the public key
3. (client) encode the SubjectPublicKeyInfo as XER using asn1c and python-cffi in API mode [3]
4. (client) call server to construct CertificationRequestInfo for specified subject from a specified template and the SubjectPublicKeyInfo
5. (server) get the subject's LDAP entry
6. (server) create an XML document which contains the subject's LDAP attributes and the SubjectPublicKeyInfo
7. (server) use XSLT to transform the XML document to CertificationRequestInfo using the specified template
8. (server) return the CertificationRequestInfo to the client
9. (client) convert the CertificationRequestInfo from XER to DER using asn1c and python-cffi in API mode
10. (client) sign the CertificationRequestInfo using the private key to get a CSR

It would be better if the XER-DER conversion was done on the server, but I don't think that compiling and running code on the fly on the server is a particularly good idea. Apparently there is an ASN.1 compiler available for PyASN1 [4], maybe that could be used instead, but we would have to write an XER codec for PyASN1 ourselves (which shouldn't be too hard IMO).

>>>
> On further investigation, it turns out the version of python-cryptography in F24 includes a feature allowing arbitrary extensions to be added by adding an UnrecognizedExtension to the CertificateSigningRequestBuilder. This makes me feel somewhat better both about python-cryptography as a tool for this task and about the solution I just proposed. But I still don't have a clear idea that answers 1) how to make templates that we can turn into encoded extensions, and 2) how to deal with all the desired key formats.

I hope the above clarifies these a little bit.

[1]
[2]
[3]
[4]

-- 
Jan Cholasta

From freeipa-github-notification at redhat.com Mon Sep 5 11:02:11 2016
From: freeipa-github-notification at redhat.com (ofayans)
Date: Mon, 05 Sep 2016 13:02:11 +0200
Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (synchronize)

ofayans's pull request #52: "Removed incorrect check for returncode" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/52

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/52/head:pr52
git checkout pr52
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-52.patch
Type: text/x-diff
Size: 10029 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Sep 5 11:02:53 2016
From: freeipa-github-notification at redhat.com (ofayans)
Date: Mon, 05 Sep 2016 13:02:53 +0200
Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment)

ofayans commented on a pull request
"""
The commit message was updated
"""

See the full comment at https://github.com/freeipa/freeipa/pull/52#issuecomment-244720426

From freeipa-github-notification at redhat.com Mon Sep 5 11:06:33 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Mon, 05 Sep 2016 13:06:33 +0200
Subject: [Freeipa-devel] [freeipa PR#43] Tests: Fix regex errors in integration trust tests (synchronize)

mirielka's pull request #43: "Tests: Fix regex errors in integration trust tests" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/43

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/43/head:pr43
git checkout pr43
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-43.patch
Type: text/x-diff
Size: 1514 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Sep 5 11:13:05 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 05 Sep 2016 13:13:05 +0200
Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (+ack)

ofayans's pull request #52: "Removed incorrect check for returncode" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/52

From freeipa-github-notification at redhat.com Mon Sep 5 11:43:17 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 05 Sep 2016 13:43:17 +0200
Subject: [Freeipa-devel] [freeipa PR#53] Fix ScriptError to always return string from __str__ (opened)

mbasti-rh's pull request #53: "Fix ScriptError to always return string from __str__" was opened

PR body:
"""
Use super for proper handling of exceptions.

msg property was added due to compatibility with the current code.

https://fedorahosted.org/freeipa/ticket/6294
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/53

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/53/head:pr53
git checkout pr53
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-53.patch
Type: text/x-diff
Size: 990 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Sep 5 12:08:49 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 05 Sep 2016 14:08:49 +0200
Subject: [Freeipa-devel] [freeipa PR#34] dns: prompt for missing record parts in CLI (synchronize)

jcholast's pull request #34: "dns: prompt for missing record parts in CLI" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/34

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/34/head:pr34
git checkout pr34
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-34.patch
Type: text/x-diff
Size: 10321 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Sep 5 12:16:58 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 05 Sep 2016 14:16:58 +0200
Subject: [Freeipa-devel] [freeipa PR#54] cli: use full name when executing a command (opened)

jcholast's pull request #54: "cli: use full name when executing a command" was opened

PR body:
"""
Fixes the CLI not to always call the default version of a command even when the version was explicitly specified.

https://fedorahosted.org/freeipa/ticket/6279
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/54

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/54/head:pr54
git checkout pr54
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-54.patch
Type: text/x-diff
Size: 863 bytes
Desc: not available

From ofayans at redhat.com Mon Sep 5 12:32:44 2016
From: ofayans at redhat.com (Oleg Fayans) Date: Mon, 5 Sep 2016 14:32:44 +0200 Subject: [Freeipa-devel] [PATCH] ca-less tests updated In-Reply-To: <57A99B02.1010507@redhat.com> References: <56337745.109@redhat.com> <563B091B.3010501@redhat.com> <563B6A96.8090606@redhat.com> <563BABEC.8080304@redhat.com> <563C5B1A.1090803@redhat.com> <563C5E6D.4060307@redhat.com> <563CA575.1030808@redhat.com> <567176A2.1000901@redhat.com> <5707C431.6070702@redhat.com> <570E1E70.6060309@redhat.com> <5715F6B5.3070003@redhat.com> <57173F56.5020308@redhat.com> <5731F951.1020700@redhat.com> <57A99B02.1010507@redhat.com> Message-ID: Hi guys, Finally the ca-less tests are stable. Here in the attachment is the full set of necessary patches. On 08/09/2016 10:57 AM, Oleg Fayans wrote: > Hi all, > > Bump for the review of the 0013 patch. The script it addresses can be > reused in some WebUI tests - one more reason to have it reviewed/merged > > The rest patches should be re-tested, since they were prepared a good > while ago > > On 05/10/2016 05:08 PM, Oleg Fayans wrote: >> Hi David, >> >> After quite a while and some more struggles here comes the updated >> version of the patch together with other patches fixing things in >> ipatests/test_integration/tasks.py >> Server and replica installation was refactored in a way to utilize the >> code from tasks.py as much as it is possible >> >> The full set of necessary patches is attached >> >> >> On 04/20/2016 10:35 AM, David Kupka wrote: >>> On 19/04/16 11:13, Oleg Fayans wrote: >>>> OK, that one, though passing lint, did not actually work. I gave up my >>>> attempts to define method decorators inside the class. Now it passes >>>> lint AND works:) >>>> >>> >>> Hi Oleg! >>> >>> 1) Current commit message is useless. Please use it to describe what is >>> the point of the patch. 
>>> >>> 2) $ git show -U0 | pep8 --diff >>> ./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank >>> lines, found 1 >>> ./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank >>> lines, found 1 >>> ./ipatests/test_integration/test_caless.py:820:5: E303 too many blank >>> lines (2) >>> ./ipatests/test_integration/test_caless.py:825:80: E501 line too long >>> (80 > 79 characters) >>> ./ipatests/test_integration/test_caless.py:1035:44: E225 missing >>> whitespace around operator >>> >>> >>> 3) Isn't there a way to do this with pytest's fixtures? >>> >>>> +def server_install_teardown(func): >>>> + def wrapped(*args): >>>> + try: >>>> + func(*args) >>>> + finally: >>>> + args[0].uninstall_server() >>>> + return wrapped >>>> + >>>> +def replica_install_teardown(func): >>>> + def wrapped(*args): >>>> + try: >>>> + func(*args) >>>> + finally: >>>> + # Uninstall replica >>>> + replica = args[0].replicas[0] >>>> + tasks.kinit_admin(args[0].master) >>>> + args[0].uninstall_server(replica) >>>> + args[0].master.run_command(['ipa-replica-manage', 'del', >>>> + replica.hostname, '--force'], >>>> + raiseonerr=False) >>>> + args[0].master.run_command(['ipa', 'host-del', >>>> + replica.hostname], >>>> + raiseonerr=False) >>>> + return wrapped >>>> + >> >> There is a standard pytest method called 'method_teardown', that is >> intended to be executed after each test method, but with our setup it does >> not work. >> >>> >>> 4) Is it necessary to create the $TEST_DIR in the test? Isn't it created >>> by the framework? >>> >>>> + host.transport.mkdir_recursive(host.config.test_dir) >>> >> >> Removed. >> >>> >>> 5) I don't think the comment matches the code. >>> >>>> >>>> + # Remove CA cert in /etc/pki/nssdb, in case of failed >>>> (un)install >>>> + for host in cls.get_all_hosts(): >>>> + cls.uninstall_server(host) >>>> + >>>> super(CALessBase, cls).uninstall(mh) >>> >> >> Not actual anymore >> >>> >>> 6) No! 
Create list with one element, iterate that list and append every >>> item to the other list. Maybe there's better way (Hint: append). >>> I've seen this on multiple places. >>> >>>> if unattended: >>>> args.extend(['-U']) >> >> Agreed >> >>> >>> 7) Why don't you (extend and) use >>> ipatests.test_integaration.tasks.(un)install_{master,replica}? >>> This could be done pretty much all over the code. >>> >>>> host.run_command(['ipa-server-install', '--uninstall', >>>> '-U']) >>> >>> 8) Use ipaplatform.paths for certutil and other binaries. If the binary >>> is not there feel free to add it. >>> I've seen this on multiple places. >>> >>>> + host.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D', >>>> + '-n', 'External CA cert'], >>>> + raiseonerr=False) >>>> + # A workaround forhttps://fedorahosted.org/freeipa/ticket/4639 >>>> + result = host.run_command(['certutil', '-L', '-d', >>>> + paths.HTTPD_ALIAS_DIR]) >>>> + for rawcert in result.stdout_text.split('\n')[4: -1]: >>>> + cert = rawcert.split(' ')[0] >>>> + host.run_command(['certutil', '-D', '-d', >>>> paths.HTTPD_ALIAS_DIR, >>>> + '-n', cert]) >>>> >> >> Done >> >>> >>> 9) certmonger is system service. You can check if it is .enabled() and >>> .running(). And IIUC the comment is negation of what the code does. >>> >>>> >>>> # Verify certmonger was not started >>>> result = host.run_command(['getcert', 'list'], >>>> raiseonerr=False) >>>> - assert result > 0 >>>> - assert ('Please verify that the certmonger service has >>>> been ' >>>> - 'started.' in result.stdout_text), >>>> result.stdout_text >>>> + assert result.returncode == 0 >>> >>> 10) What is the point of calling uninstall_server() when it will be >>> called in the finally block of server_install_teardown anyway? 
>>> >>>> + @server_install_teardown >>>> def test_revoked_http(self): >>>> "IPA server install with revoked HTTP certificate" >>>> >>>> if result.returncode == 0: >>>> + self.uninstall_server() >>>> raise nose.SkipTest( >>>> "Known CA-less installation defect, see " >>>> +"https://fedorahosted.org/freeipa/ticket/4270") >>>> >>>> assert result.returncode > 0 >>>> >> Removed >> >>> >>> Nitpick) Do not mix fixing typos/grammar/spelling/style with functional >>> changes. >>> >>>> - def test_incorect_http_pin(self): >>>> + @pytest.mark.xfail(reason='freeipa ticket 5378') >>>> + def test_incorrect_http_pin(self): >>>> "Install new HTTP certificate with incorrect PKCS#12 >>>> password" >> >> Removed >> >>> >>> >> >> >> > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0013.2-Updated-the-script-creating-test-certificate-chains.patch Type: text/x-patch Size: 1461 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0014.7-Fixed-numerous-errors-in-ca-less-tests.patch Type: text/x-patch Size: 47445 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0039.1-Updated-generic-installation-methods-for-ca-less-tests.patch Type: text/x-patch Size: 7601 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0041-Fixed-method-failures-during-second-call-for-the-method.patch Type: text/x-patch Size: 1223 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Sep 5 13:03:55 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 05 Sep 2016 15:03:55 +0200 Subject: [Freeipa-devel] [freeipa PR#55] Fix parse errors with link-local addresses (opened) Message-ID: mbasti-rh's pull request #55: "Fix parse errors with link-local addresses" was opened PR body: """ Link-local addresses received from netifaces contain a '%suffix' that causes a parse error in the IPNetwork class. We must remove the %suffix before it is used in IPNetwork objects. https://fedorahosted.org/freeipa/ticket/6296 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/55 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/55/head:pr55 git checkout pr55 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-55.patch Type: text/x-diff Size: 1366 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Sep 5 13:41:27 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 05 Sep 2016 15:41:27 +0200 Subject: [Freeipa-devel] [freeipa PR#56] Use RSA-OAEP instead of RSA PKCS#1 v1.5 (opened) Message-ID: tiran's pull request #56: "Use RSA-OAEP instead of RSA PKCS#1 v1.5" was opened PR body: """ jwcrypto's RSA1-5 (PKCS#1 v1.5) is vulnerable to padding oracle side-channel attacks. OAEP (PKCS#1 v2.0) is a safe, more modern alternative. https://fedorahosted.org/freeipa/ticket/6278 Signed-off-by: Christian Heimes """ See the full pull-request at https://github.com/freeipa/freeipa/pull/56 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/56/head:pr56 git checkout pr56 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-56.patch Type: text/x-diff Size: 1084 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Sep 5 13:50:32 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 05 Sep 2016 15:50:32 +0200 Subject: [Freeipa-devel] [freeipa PR#57] Use RSA-OAEP instead of RSA PKCS#1 v1.5 (opened) Message-ID: tiran's pull request #57: "Use RSA-OAEP instead of RSA PKCS#1 v1.5" was opened PR body: """ jwcrypto's RSA1-5 (PKCS#1 v1.5) is vulnerable to padding oracle side-channel attacks. OAEP (PKCS#1 v2.0) is a safe, more modern alternative. https://fedorahosted.org/freeipa/ticket/6278 Signed-off-by: Christian Heimes """ See the full pull-request at https://github.com/freeipa/freeipa/pull/57 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/57/head:pr57 git checkout pr57 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-57.patch Type: text/x-diff Size: 1084 bytes Desc: not available URL: From ftweedal at redhat.com Mon Sep 5 13:59:11 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 5 Sep 2016 23:59:11 +1000 Subject: [Freeipa-devel] [PATCH] 0106 Make host/service cert revocation aware of lightweight CAs In-Reply-To: References: <20160826053717.GP3877@dhcp-40-8.bne.redhat.com> <20160826054222.GQ3877@dhcp-40-8.bne.redhat.com> Message-ID: <20160905135911.GC11489@dhcp-40-8.bne.redhat.com> On Tue, Aug 30, 2016 at 10:39:16AM +0200, Jan Cholasta wrote: > Hi, > > On 26.8.2016 07:42, Fraser Tweedale wrote: > > On Fri, Aug 26, 2016 at 03:37:17PM +1000, Fraser Tweedale wrote: > > > Hi all, > > > > > > Attached patch fixes https://fedorahosted.org/freeipa/ticket/6221. > > > It depends on Honza's PR #20 > > > https://github.com/freeipa/freeipa/pull/20. > > > > > > Thanks, > > > Fraser > > > > > It does help to attach the patch :) > > I think it would be better to call cert-find once per host-del/service-del > with the --host/--service option specified. That way you'll get all > certificates for the given host/service at once. > > Honza > I agree that is a nicer approach. 'revoke_certs' is called from several other places besides just host/service_del. If we want to land this fix Real Soon I'd suggest we either: A) Define function 'revoke_certs_from_cert_find', call it from host/service_del, and leave 'revoke_certs' alone; or B) Land the patch as-is and do a bigger refactor at a later time. What do you think? From freeipa-github-notification at redhat.com Mon Sep 5 14:45:49 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 05 Sep 2016 16:45:49 +0200 Subject: [Freeipa-devel] [freeipa PR#58] Ip addr validation (opened) Message-ID: mbasti-rh's pull request #58: "Ip addr validation" was opened PR body: """ """ See the full pull-request at https://github.com/freeipa/freeipa/pull/58 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/58/head:pr58 git checkout pr58 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-58.patch Type: text/x-diff Size: 11381 bytes Desc: not available URL: From ftweedal at redhat.com Mon Sep 5 15:30:23 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 6 Sep 2016 01:30:23 +1000 Subject: [Freeipa-devel] [PATCH] 0106 Make host/service cert revocation aware of lightweight CAs In-Reply-To: <20160905135911.GC11489@dhcp-40-8.bne.redhat.com> References: <20160826053717.GP3877@dhcp-40-8.bne.redhat.com> <20160826054222.GQ3877@dhcp-40-8.bne.redhat.com> <20160905135911.GC11489@dhcp-40-8.bne.redhat.com> Message-ID: <20160905153023.GE11489@dhcp-40-8.bne.redhat.com> On Mon, Sep 05, 2016 at 11:59:11PM +1000, Fraser Tweedale wrote: > On Tue, Aug 30, 2016 at 10:39:16AM +0200, Jan Cholasta wrote: > > Hi, > > > > On 26.8.2016 07:42, Fraser Tweedale wrote: > > > On Fri, Aug 26, 2016 at 03:37:17PM +1000, Fraser Tweedale wrote: > > > > Hi all, > > > > > > > > Attached patch fixes https://fedorahosted.org/freeipa/ticket/6221. > > > > It depends on Honza's PR #20 > > > > https://github.com/freeipa/freeipa/pull/20. > > > > > > > > Thanks, > > > > Fraser > > > > > > > It does help to attach the patch :) > > > > I think it would be better to call cert-find once per host-del/service-del > > with the --host/--service option specified. That way you'll get all > > certificates for the given host/service at once. > > > > Honza > > > I agree that is a nicer approach. > > 'revoke_certs' is called from several other places besides just > host/service_del. If we want to land this fix Real Soon I'd suggest > we either: > > A) Define function 'revoke_certs_from_cert_find', call it from > host/service_del, and leave 'revoke_certs' alone; or > > B) Land the patch as-is and do a bigger refactor at a later time. > > What do you think? > Updated patch for option (A) is attached. Thanks, Fraser -------------- next part -------------- From dacb091292b57608af8adb97adf9a96f1cb34e54 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Fri, 26 Aug 2016 15:31:13 +1000 Subject: [PATCH] Make host/service cert revocation aware of lightweight CAs Revocation of host/service certs on host/service deletion or other operations is broken when cert is issued by a lightweight (sub)CA, causing the delete operation to be aborted. Look up the issuing CA and pass it to 'cert_revoke' to fix the issue. For host/service deletion, look up all certs at once and pass to an alternative revocation function that avoids addition calls to cert_find or cert_show. Fixes: https://fedorahosted.org/freeipa/ticket/6221 --- ipaserver/plugins/host.py | 11 +++----- ipaserver/plugins/service.py | 66 +++++++++++++++++++++++++++++++++++++------- 2 files changed, 60 insertions(+), 17 deletions(-) diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index 03c64c637cbba0aee1b6569f3b5dbe200953bff8..891dacd762a57c06ff032e6f262813158c94f9f2 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -42,7 +42,8 @@ from .service import ( validate_realm, normalize_principal, validate_certificate, set_certificate_attrs, ticket_flags_params, update_krbticketflags, set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap, - rename_ipaallowedtoperform_to_ldap, revoke_certs) + rename_ipaallowedtoperform_to_ldap, revoke_certs, + revoke_certs_from_cert_find) from .dns import (dns_container_exists, add_records_for_host_validation, add_records_for_host, get_reverse_zone) @@ -843,12 +844,8 @@ class host_del(LDAPDelete): ) if self.api.Command.ca_is_enabled()['result']: - try: - entry_attrs = ldap.get_entry(dn, ['usercertificate']) - except errors.NotFound: - self.obj.handle_not_found(*keys) - - revoke_certs(entry_attrs.get('usercertificate', []), self.log) + certs = self.api.Command.cert_find(host=keys)['result'] + revoke_certs_from_cert_find(certs) return dn 
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py index 04d1916fe989a8651bcc4d44f1914c460be1081c..407665fb450e7a8513b42815691d64665b6b2282 100644 --- a/ipaserver/plugins/service.py +++ b/ipaserver/plugins/service.py 
@@ -232,24 +232,73 @@ def revoke_certs(certs, logger=None): logger.info("Problem decoding certificate: %s" % e) serial = unicode(x509.get_serial_number(cert, x509.DER)) + issuer = unicode(x509.get_issuer(cert, x509.DER)) try: - result = api.Command['cert_show'](unicode(serial))['result'] + # search by serial+issuer, not full cert match + results = api.Command['cert_find']( + min_serial_number=serial, + max_serial_number=serial, + issuer=issuer + )['result'] + if len(results) == 0: + # Dogtag doesn't know about the cert therefore + # we cannot revoke it. Perhaps it was issued by + # a 3rd-party CA. + continue + result = results[0] except errors.CertificateOperationError: continue - if 'revocation_reason' in result: + if result['status'] in {'REVOKED', 'REVOKED_EXPIRED'}: continue - if x509.normalize_certificate(result['certificate']) != cert: + if 'cacn' not in result: + # cert is known to Dogtag, but CA appears to have been + # deleted. We cannot revoke this cert via IPA anymore. + # We could go directly to Dogtag to revoke it, but the + # issuer's cert should have been revoked so never mind. continue try: - api.Command['cert_revoke'](unicode(serial), - revocation_reason=4) + api.Command['cert_revoke']( + serial, + cacn=result['cacn'], + revocation_reason=4, + ) except errors.NotImplementedError: # some CA's might not implement revoke pass +def revoke_certs_from_cert_find(certs): + """ + revoke the certificates removed from host/service entry + + ``certs`` + Output of a 'cert_find' command. + + """ + for cert in certs: + if 'cacn' not in cert: + # cert is known to Dogtag, but CA appears to have been + # deleted. We cannot revoke this cert via IPA anymore. + # We could go directly to Dogtag to revoke it, but the + # issuer's cert should have been revoked so never mind. 
+ continue + + if cert['status'] in {'REVOKED', 'REVOKED_EXPIRED'}: + # cert is already revoked + continue + + try: + api.Command['cert_revoke']( + cert['serial_number'], + cacn=cert['cacn'], + revocation_reason=4, + ) + except errors.NotImplementedError: + # some CA's might not implement revoke + pass + def set_certificate_attrs(entry_attrs): """ @@ -674,11 +723,8 @@ class service_del(LDAPDelete): # custom services allow them to manage them. check_required_principal(ldap, keys[-1]) if self.api.Command.ca_is_enabled()['result']: - try: - entry_attrs = ldap.get_entry(dn, ['usercertificate']) - except errors.NotFound: - self.obj.handle_not_found(*keys) - revoke_certs(entry_attrs.get('usercertificate', []), self.log) + certs = self.api.Command.cert_find(service=keys)['result'] + revoke_certs_from_cert_find(certs) return dn -- 2.5.5 From freeipa-github-notification at redhat.com Mon Sep 5 15:55:05 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 05 Sep 2016 17:55:05 +0200 Subject: [Freeipa-devel] [freeipa PR#54] cli: use full name when executing a command (+ack) In-Reply-To: References: Message-ID: jcholast's pull request #54: "cli: use full name when executing a command" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/54 From freeipa-github-notification at redhat.com Mon Sep 5 15:58:28 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 05 Sep 2016 17:58:28 +0200 Subject: [Freeipa-devel] [freeipa PR#56] Use RSA-OAEP instead of RSA PKCS#1 v1.5 (+ack) In-Reply-To: References: Message-ID: tiran's pull request #56: "Use RSA-OAEP instead of RSA PKCS#1 v1.5" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/56 From freeipa-github-notification at redhat.com Mon Sep 5 15:58:30 2016 
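Review bot: the `host_del` hunk passes the whole `keys` tuple as `cert_find(host=keys)`, and the `service_del` hunk does the same with `cert_find(service=keys)`, while the surrounding code takes the primary key as `keys[-1]` (see `check_required_principal(ldap, keys[-1])` in the `service_del` context). If `cert_find`'s `host`/`service` parameters are multi-valued this works, but it reads like a slip; pass `keys[-1]` or add a one-line comment saying the tuple is intended. The removed `except errors.NotFound: self.obj.handle_not_found(*keys)` also means a nonexistent host now goes through `cert_find` before the delete itself reports NotFound, which is harmless but belongs in the commit message.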
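Review bot: in the `revoke_certs` hunk the old `x509.normalize_certificate(result['certificate']) != cert` guard is dropped and the certificate is now located by `cert_find(min_serial_number=serial, max_serial_number=serial, issuer=issuer)` followed by `result = results[0]`. That is sound only because a CA must never reuse a serial number, so (issuer, serial) identifies at most one certificate; the comment `# search by serial+issuer, not full cert match` says what changed but not why, so put that reasoning there and treat `len(results) > 1` as an error rather than silently taking the first entry. The body that follows (the `'cacn' not in result` check, the `REVOKED`/`REVOKED_EXPIRED` status check and the `cert_revoke` call with `revocation_reason=4`) is repeated verbatim in the new `revoke_certs_from_cert_find` later in the same hunk; a small helper taking one `cert_find` result would keep the two paths from drifting until the larger refactor the thread mentions.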
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 05 Sep 2016 17:58:30 +0200 Subject: [Freeipa-devel] [freeipa PR#57] Use RSA-OAEP instead of RSA PKCS#1 v1.5 (+ack) In-Reply-To: References: Message-ID: tiran's pull request #57: "Use RSA-OAEP instead of RSA PKCS#1 v1.5" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/57 From freeipa-github-notification at redhat.com Mon Sep 5 16:04:31 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 05 Sep 2016 18:04:31 +0200 Subject: [Freeipa-devel] [freeipa PR#54] cli: use full name when executing a command (comment) In-Reply-To: References: Message-ID: mbasti-rh commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a3d178b86ddff9335228d99fe06e8fc89a00235a ipa-4-4: https://fedorahosted.org/freeipa/changeset/136a649a9e1da26e28b7151af061f8094b0f1d22 """ See the full comment at https://github.com/freeipa/freeipa/pull/54#issuecomment-244778249 From freeipa-github-notification at redhat.com Mon Sep 5 16:04:32 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 05 Sep 2016 18:04:32 +0200 Subject: [Freeipa-devel] [freeipa PR#54] cli: use full name when executing a command (+pushed) In-Reply-To: References: Message-ID: jcholast's pull request #54: "cli: use full name when executing a command" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/54 From freeipa-github-notification at redhat.com Mon Sep 5 16:04:33 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 05 Sep 2016 18:04:33 +0200 Subject: [Freeipa-devel] [freeipa PR#54] cli: use full name when executing a command (closed) In-Reply-To: References: Message-ID: jcholast's pull request #54: "cli: use full name when executing a command" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/54 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/54/head:pr54 git checkout pr54 From ftweedal at redhat.com Mon Sep 5 16:05:06 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 6 Sep 2016 02:05:06 +1000 Subject: [Freeipa-devel] [PATCH] 0097 Add options to write lightweight CA cert or chain to file In-Reply-To: References: <0d50ac96-f449-c643-952d-c8089ef19b02@redhat.com> <20160808070652.GJ11092@dhcp-40-8.bne.redhat.com> <885c4c72-6e8a-4220-b25e-f577612368d2@redhat.com> <20160809144716.GA23927@dhcp-40-8.bne.redhat.com> <20160816052401.GR23927@dhcp-40-8.bne.redhat.com> <7ad5a28f-9670-b76a-f100-1a6681ac52e5@redhat.com> <20160816140939.GV23927@dhcp-40-8.bne.redhat.com> <20160819111156.GQ3877@dhcp-40-8.bne.redhat.com> Message-ID: <20160905160506.GF11489@dhcp-40-8.bne.redhat.com> On Fri, Aug 26, 2016 at 10:28:58AM +0200, Jan Cholasta wrote: > On 19.8.2016 13:11, Fraser Tweedale wrote: > > Bump for review. > > > > On Wed, Aug 17, 2016 at 12:09:39AM +1000, Fraser Tweedale wrote: > > > On Tue, Aug 16, 2016 at 08:10:08AM +0200, Jan Cholasta wrote: > > > > On 16.8.2016 07:24, Fraser Tweedale wrote: > > > > > On Mon, Aug 15, 2016 at 08:19:33AM +0200, Jan Cholasta wrote: > > > > > > On 9.8.2016 16:47, Fraser Tweedale wrote: > > > > > > > On Mon, Aug 08, 2016 at 10:49:27AM +0200, Jan Cholasta wrote: > > > > > > > > On 8.8.2016 09:06, Fraser Tweedale wrote: > > > > > > > > > On Mon, Aug 08, 2016 at 08:54:05AM +0200, Jan Cholasta wrote: > > > > > > > > > > Hi, > > > > > > > > > > > > > > > > > > > > On 8.8.2016 06:34, Fraser Tweedale wrote: > > > > > > > > > > > Please review the attached patch which adds --certificate-out and > > > > > > > > > > > --certificate-chain-out options to `ca-show' command. > > > > > > > > > > > > > > > > > > > > > > Note that --certificate-chain-out currently writes a bogus file due > > > > > > > > > > > to a bug in Dogtag that will be fixed in this week's build. 
> > > > > > > > > > > > > > > > > > > > > > https://fedorahosted.org/freeipa/ticket/6178 > > > > > > > > > > > > > > > > > > > > 1) The client-side *-out options should be defined on the client side, not > > > > > > > > > > on the server side. > > > > > > > > > > > > > > > > > > > Will option defined on client side be propagated to, and observable > > > > > > > > > in the ipaserver plugin? The ipaserver plugin needs to observe that > > > > > > > > > *-out has been requested and executes additional command(s) on that > > > > > > > > > basis. > > > > > > > > > > > > > > > > Is there a reason not to *always* return the certs? > > > > > > > > > > > > > > > We hit Dogtag to retrieve them. > > > > > > > > > > > > I don't think that's an issue in a -show command. > > > > > > > > > > > cert_show is invoked by other commands (cert_find*, cert_show, > > > > > cert_request, cert_status, ca_del) but these all hit Dogtag anyway > > > > > so I suppose that's fine. I'll return the cert *and* the chain in > > > > > separate attributes, unconditionally. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 2) I don't think there should be additional information included in summary > > > > > > > > > > (and it definitely should not be multi-line). I would rather inform the user > > > > > > > > > > via an error message when unable to write the files. > > > > > > > > > > > > > > > > > > > I was just following the pattern of other commands that write certs, > > > > > > > > > profile config, etc. Apart from consistency with other commands I > > > > > > > > > agree that there is no need to have it. So I will remove it. > > > > > > > > > > > > > > > > > > > If you think there is an actual value in informing the user about > > > > > > > > > > successfully writing the files, please use ipalib.messages for the job. 
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 3) IMO a better format for the certificate chain than PKCS#7 would be > > > > > > > > > > concatenated PEM, as that's the most commonly used format in IPA (in > > > > > > > > > > installers, there are no cert chains in API commands ATM). > > > > > > > > > > > > > > > > > > > Sure, but the main use case isn't IPA. Other apps require PKCS #7 > > > > > > > > > or concatenated PEMs, but sometimes they must be concatenated > > > > > > > > > forward, and other times backwards. There is no one size fits all. > > > > > > > > > > > > > > > > True, which is exactly why I think we should at least be self-consistent and > > > > > > > > use concatenated PEM (and multi-value DER over the wire). > > > > > > > > > > > > > > > Dogtag returns a PKCS7 (either DER or PEM, according to HTTP Accept > > > > > > > header). > > > > > > > > > > > > > > If we want list-of-PEMs between server and client we have to convert > > > > > > > on the server. Do we have a good way of doing this without exec'ing > > > > > > > `openssl pkcs7' on the server? Is it acceptable to exec 'openssl' > > > > > > > to do the conversion on the server? python-nss does not have PKCS7 > > > > > > > functions and I am not keen on adding a pyasn1 PKCS7 parser just for > > > > > > > the sake of pushing bits as list-of-PEMs. > > > > > > > > > > > > I'm afraid we can't avoid conversion to/from PKCS#7 one way or the other. > > > > > > For example, if we added a call to retrieve external CA chain using certs > > > > > > from cn=certificates,cn=ipa,cn=etc, we would have to convert the result to > > > > > > PKCS#7 if it was our cert chain format of choice. > > > > > > > > > > > > What we can avoid though is executing "openssl pkcs7" to do the conversion - > > > > > > we can use an approach similar to our DNSSEC code and use python-cffi to > > > > > > call libcrypto's PKCS#7 conversion routines instead. 
> > > > > > > > > > > I had a look at the OpenSSL API for parsing PKCS #7; now I prefer to > > > > > exec `openssl' to do the job :) > > > > > > > > > > I will transmit DER-encoded PKCS #7 object on the wire; we cannot > > > > > use multi-valued DER attribute because order is important. Client > > > > > will convert to PEMs. > > > > > > > > Well, my point was not to send PKCS#7 over the wire, so that clients > > > > (including 3rd party clients) do not have to convert from PKCS#7 themselves. > > > > > > > > In fact we can use multi-valued DER - whatever you send over the wire from > > > > the server will be received in the exact same order by the client. Even if > > > > it wasn't, you can easily restore the order by matching issuer and subject > > > > names of the certificates. > > > > > > > > > > > > > > Should have new patch on list this afternoon. > > > > > > > > > > Thanks, > > > > > Fraser > > > > > > > > > > > > > > > > > > > FWIW, man pages and code suggest that PKCS #7 is accepted in > > > > > > > installer, etc. > > > > > > > > > > > > True, but that's a relatively new feature (since 4.1) and the installer > > > > > > internally executes "openssl pkcs7" to convert PKCS #7 to list of certs :-) > > > > > > > > > > > > > > > > > > > > > > We can add an option to control the format later, but for now, > > > > > > > > > Dogtag returns a PKCS #7 (PEM or DER) so let's go with that. Worst > > > > > > > > > case is an admin has to invoke `openssl pkcs7' and concat the certs > > > > > > > > > themselves. > > > > > > > > > > > > > > > > AFAIK none of NSS, OpenSSL or p11-kit can use PKCS#7 cert chains directly, > > > > > > > > so I'm afraid the worst case would happen virtually always. > > > > > > > > > > > > > > > If you're OK with invoking OpenSSL on the client to convert PKCS #7 > > > > > > > to list-of-PEMs (similar to what is done in > > > > > > > ipapython.certdb.NSSDatabase) then we can have the client perform > > > > > > > the conversion. 
> > > > > > > > > > > > See above. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 4) Over the wire, the certs should be DER-formatted, as that's the most > > > > > > > > > > common wire format in other API commands. > > > > > > > > > > > > > > > > > > > OK. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 5) What is the benefit in having the CA cert and the rest of the chain > > > > > > > > > > separate? For end-entity certs it makes sense to separate the cert from the > > > > > > > > > > CA chain, but for CA certs, you usually want the full chain, no? > > > > > > > > > > > > > > > > > > > If you want to anchor trust directly at a subca (e.g. restrict VPN > > > > > > > > > login to certs issued by VPN sub-CA) then you often just want the > > > > > > > > > cert. The chain option does subsume it, at cost of more work for > > > > > > > > > administrators with this use case. I think it makes sense to keep > > > > > > > > > both options. > > > > > > > > > > > > > > > > Does it? From what you described above, you either want just the sub-CA > > > > > > > > cert, or the full chain including the sub-CA cert, in which case it might > > > > > > > > make more sense to have a single --out option and a --chain flag. > > > > > > > > > > > > > > > How about --certificate-out which defaults to single cert, but does > > > > > > > chain (as list-of-PEMs) when --chain flag given. > > > > > > > > > > > > > > Per https://fedorahosted.org/freeipa/ticket/5166 let's not add more > > > > > > > `--out' options. > > > > > > > > > > > > +1 > > > > > > > > > Updated patch 0097-2 attached, and new patch 0099 which must be > > > applied first. > > > > > > I have implemented the suggested changes, except for cffi (I execute > > > `openssl pkcs7' instead). > > I don't like it, but OK. Another alternative would be to use pyasn1. > I don't like it either, but neither did I like the idea of reimplementing the wheel with pyasn1. 
Now is not the time for busywork :) > > > > > > There are two new output attributes on the wire, 'certificate' > > > (single-value DER X.509), and 'certificate_chain' (ordered > > > multi-value DER X.509). They are always returned. The first cert > > > in the chain is always the same as 'certificate'; obviously this is > > > redundant but I have left it this way because I think usage is > > > clearer. > > I don't have a strong feeling about this one way or the other, but the same > scheme should be used for cert-show in the future. Does it make sense to do > it this way for cert-show? > > I'm not sure about always returning the chain in cert-show. Now that we have > a --chain flag rather than two out options, maybe we should go back to > returning the chain only if --chain is specified. What do you think? > I think we should go for consistency and always include both over the wire. If we want to hide cert or chain or both at the `ipa' CLI depending on options, I also don't feel strongly either way. For now they're both displayed. > > Patch 0099: > > 1) Please fix this: > > $ git show -U0 | pep8 --diff > ./ipalib/x509.py:59:80: E501 line too long (93 > 79 characters) > Done. > > Patch 0097: > > 1) `certificate` and `certificate_chain` are actually attributes of the ca > object, so they should be defined in ca.takes_params rather than > ca_show.has_output_params. > Done. Out of interest, now that they are part of ca_takes_params is there a way to hide them by default in CLI output, and only show them when `--all' is given? 
> > 2) Please fix these: > > $ git show -U0 | pep8 --diff > ./ipaclient/plugins/ca.py:21:9: E124 closing bracket does not match visual > indentation > ./ipaclient/plugins/ca.py:23:13: E128 continuation line under-indented for > visual indent > ./ipaclient/plugins/ca.py:24:13: E128 continuation line under-indented for > visual indent > ./ipaclient/plugins/ca.py:25:13: E128 continuation line under-indented for > visual indent > ./ipaclient/plugins/ca.py:26:9: E124 closing bracket does not match visual > indentation > ./ipaclient/plugins/ca.py:38:13: E731 do not assign a lambda expression, use > a def > Done. Updated patches attached. Thanks, Fraser -------------- next part -------------- From 046b3dd078c4ccc3732a0106786bae4c01d30a89 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 16 Aug 2016 13:16:58 +1000 Subject: [PATCH] Add function for extracting PEM certs from PKCS #7 Add a single function for extracting X.509 certs in PEM format from a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to use the new function. Part of: https://fedorahosted.org/freeipa/ticket/6178 --- ipalib/x509.py | 23 +++++++++++++++++- ipapython/certdb.py | 14 ++++------- ipaserver/install/cainstance.py | 52 +++++++++++++++-------------------------- 3 files changed, 45 insertions(+), 44 deletions(-) diff --git a/ipalib/x509.py b/ipalib/x509.py index e986a97a58aafd3aeab08765a397edbf67c7841a..0461553a73e3862c85f1ffcfe4432cabf4fdf7a1 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -51,11 +51,14 @@ from ipalib import util from ipalib import errors from ipaplatform.paths import paths from ipapython.dn import DN +from ipapython import ipautil PEM = 0 DER = 1 -PEM_REGEX = re.compile(r'(?<=-----BEGIN CERTIFICATE-----).*?(?=-----END CERTIFICATE-----)', re.DOTALL) +PEM_REGEX = re.compile( + r'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----', + re.DOTALL) EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1' EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2' 
@@ -148,6 +151,24 @@ def load_certificate_list(data, dbdir=None): certs = [load_certificate(cert, PEM, dbdir) for cert in certs] return certs + +def pkcs7_to_pems(data, datatype=PEM): + """ + Extract certificates from a PKCS #7 object. + + Return a ``list`` of X.509 PEM strings. + + May throw ``ipautil.CalledProcessError`` on invalid data. + + """ + cmd = [ + paths.OPENSSL, "pkcs7", "-print_certs", + "-inform", "PEM" if datatype == PEM else "DER", + ] + result = ipautil.run(cmd, stdin=data, capture_output=True) + return PEM_REGEX.findall(result.output) + + def load_certificate_list_from_file(filename, dbdir=None): """ Load a certificate list from a PEM file. diff --git a/ipapython/certdb.py b/ipapython/certdb.py index e19f712d82f160ebc5de9c5b8d6627cb941c2cef..fd18023794a2daace60efd97aff54180b8409bbd 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -270,13 +270,11 @@ class NSSDatabase(object): continue if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'): - args = [ - paths.OPENSSL, 'pkcs7', - '-print_certs', - ] try: - result = ipautil.run( - args, stdin=body, capture_output=True) + certs = x509.pkcs7_to_pems(body) + extracted_certs += '\n'.join(certs) + '\n' + loaded = True + continue except ipautil.CalledProcessError as e: if label == 'CERTIFICATE': root_logger.warning( @@ -287,10 +285,6 @@ class NSSDatabase(object): "Skipping PKCS#7 in %s at line %s: %s", filename, line, e) continue - else: - extracted_certs += result.output + '\n' - loaded = True - continue if label in ('PRIVATE KEY', 'ENCRYPTED PRIVATE KEY', 'RSA PRIVATE KEY', 'DSA PRIVATE KEY', diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index c4b8e9ae326fb7ebda9e927cd4d0b5bad9743db4..f57c724b0273a275f8146f0d6055e2ee2e51192c 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
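Review bot: in the pkcs7_to_pems hunk, the docstring promises `ipautil.CalledProcessError` on invalid data, but a well-formed PKCS #7 that carries no certificates (or output the regex does not match) yields an empty list with no error, and `datatype` is only compared against `PEM`, so any other value silently selects DER. Suggest validating `datatype in (PEM, DER)` and either raising on an empty match list or documenting that callers must check for it.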
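Review bot: in the first ipapython/certdb.py hunk, `loaded = True` is set and a trailing newline appended even when `x509.pkcs7_to_pems(body)` returns an empty list, so a PKCS #7 blob with no certificates is counted as loaded; guard with `if certs:` before extending `extracted_certs` and flagging `loaded`, and fall through to the existing warning otherwise.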
@@ -844,44 +844,30 @@ class CAInstance(DogtagInstance): # makes openssl throw up. data = base64.b64decode(chain) - result = ipautil.run( - [paths.OPENSSL, - "pkcs7", - "-inform", - "DER", - "-print_certs", - ], stdin=data, capture_output=True) - certlist = result.output + certlist = x509.pkcs7_to_pems(data, x509.DER) # Ok, now we have all the certificates in certs, walk through it # and pull out each certificate and add it to our database - st = 1 - en = 0 - subid = 0 ca_dn = DN(('CN','Certificate Authority'), self.subject_base) - while st > 0: - st = certlist.find('-----BEGIN', en) - en = certlist.find('-----END', en+1) - if st > 0: - try: - (chain_fd, chain_name) = tempfile.mkstemp() - os.write(chain_fd, certlist[st:en+25]) - os.close(chain_fd) - (_rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25]) - if subject_dn == ca_dn: - nick = get_ca_nickname(self.realm) - trust_flags = 'CT,C,C' - else: - nick = str(subject_dn) - trust_flags = ',,' - self.__run_certutil( - ['-A', '-t', trust_flags, '-n', nick, '-a', - '-i', chain_name] - ) - finally: - os.remove(chain_name) - subid += 1 + for cert in certlist: + try: + (chain_fd, chain_name) = tempfile.mkstemp() + os.write(chain_fd, cert) + os.close(chain_fd) + (_rdn, subject_dn) = certs.get_cert_nickname(cert) + if subject_dn == ca_dn: + nick = get_ca_nickname(self.realm) + trust_flags = 'CT,C,C' + else: + nick = str(subject_dn) + trust_flags = ',,' + self.__run_certutil( + ['-A', '-t', trust_flags, '-n', nick, '-a', + '-i', chain_name] + ) + finally: + os.remove(chain_name) def __request_ra_certificate(self): # Create a noise file for generating our private key -- 2.5.5 -------------- next part -------------- From fba36bd2b86c2aee1d77e05aa563ced4633ab182 Mon Sep 17 00:00:00 2001 
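Review bot: in the ipaserver/install/cainstance.py hunk, `tempfile.mkstemp()` is called inside the `try:` whose `finally:` runs `os.remove(chain_name)`; if mkstemp raises, `chain_name` is unbound and the NameError from the `finally` clause masks the original error. Move the mkstemp call above the `try:` (the old loop had the same flaw, and since these lines are being rewritten this is the moment to fix it). Dropping the unused `subid` counter and the manual BEGIN/END scanning is a clear improvement.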
From: Fraser Tweedale Date: Mon, 8 Aug 2016 14:27:20 +1000 Subject: [PATCH] Add options to write lightweight CA cert or chain to file Administrators need a way to retrieve the certificate or certificate chain of an IPA-managed lightweight CA. Add params to the `ca' object for carrying the CA certificate and chain (as multiple DER values), and add the `--certificate-out' option and `--chain' flag as client-side options for writing one or the other to a file. Fixes: https://fedorahosted.org/freeipa/ticket/6178 --- ipaclient/plugins/ca.py | 50 +++++++++++++++++++++++++++++++++++++++++++++ ipaserver/plugins/ca.py | 31 ++++++++++++++++++++++++---- ipaserver/plugins/dogtag.py | 12 +++++++++++ 3 files changed, 89 insertions(+), 4 deletions(-) create mode 100644 ipaclient/plugins/ca.py diff --git a/ipaclient/plugins/ca.py b/ipaclient/plugins/ca.py new file mode 100644 index 0000000000000000000000000000000000000000..f7e55dec196495f820ebf745eb49e8ddce6b3ee7 --- /dev/null +++ b/ipaclient/plugins/ca.py 
@@ -0,0 +1,50 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +import base64 +from ipaclient.frontend import MethodOverride +from ipalib import util, x509, Flag, Str +from ipalib.plugable import Registry +from ipalib.text import _ + +register = Registry() + + + at register(override=True, no_fail=True) +class ca_show(MethodOverride): + + takes_options = ( + Str( + 'certificate_out?', + doc=_('Write certificate to file'), + include='cli', + ), + Flag( + 'chain', + default=False, + doc=_('Write certificate chain instead of single certificate'), + include='cli', + ), + ) + + def forward(self, *keys, **options): + filename = None + if 'certificate_out' in options: + filename = options.pop('certificate_out') + util.check_writable_file(filename) + chain = options.pop('chain', False) + + result = super(ca_show, self).forward(*keys, **options) + if filename: + def to_pem(x): + return x509.make_pem(base64.b64encode(x)) + if chain: + ders = result['result']['certificate_chain'] + data = '\n'.join(map(to_pem, ders)) + else: + data = to_pem(result['result']['certificate']) + with open(filename, 'wb') as f: + f.write(data) + + return result diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index 966ae2b1bdb4bb0207dfa58f0e9c951bc930f766..0684ddaed0ebfcab8910c1ea356550b504af15e2 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -2,14 +2,14 @@ # Copyright (C) 2016 FreeIPA Contributors see COPYING for license # -from ipalib import api, errors, DNParam, Str +from ipalib import api, errors, Bytes, DNParam, Str from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from ipaserver.plugins.baseldap import ( LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPUpdate, LDAPRetrieve) from ipaserver.plugins.cert import ca_enabled_check -from ipalib import _, ngettext +from ipalib import _, ngettext, x509 __doc__ = _(""" 
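Review bot: in the ipaclient/plugins/ca.py hunk, `data` is built with `'\n'.join(...)` over `x509.make_pem(base64.b64encode(x))` results and then written to a file opened with `'wb'`; under Python 3 `b64encode` returns bytes and the join produces str, so unless make_pem returns bytes this is a str written to a binary handle. Pin the type (encode explicitly or open in text mode) so the client works on both interpreters. Also, `--chain` given without `--certificate-out` is silently ignored; either document that or raise a usage error.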
@@ -79,6 +79,18 @@ class ca(LDAPObject): doc=_('Issuer Distinguished Name'), flags=['no_create', 'no_update'], ), + Bytes( + 'certificate', + label=_("Certificate"), + doc=_("X.509 certificate"), + flags={'no_create', 'no_update', 'no_search', 'no_display'}, + ), + Bytes( + 'certificate_chain*', + label=_("Certificate chain"), + doc=_("PKCS #7 certificate chain"), + flags={'no_create', 'no_update', 'no_search', 'no_display'}, + ), ) permission_filter_objectclasses = ['ipaca'] @@ -140,9 +152,20 @@ class ca_find(LDAPSearch): class ca_show(LDAPRetrieve): __doc__ = _("Display the properties of a CA.") - def execute(self, *args, **kwargs): + def execute(self, *keys, **options): ca_enabled_check() - return super(ca_show, self).execute(*args, **kwargs) + result = super(ca_show, self).execute(*keys, **options) + + ca_id = result['result']['ipacaid'][0] + with self.api.Backend.ra_lightweight_ca as ca_api: + result['result']['certificate'] = ca_api.read_ca_cert(ca_id) + + pkcs7_der = ca_api.read_ca_chain(ca_id) + pems = x509.pkcs7_to_pems(pkcs7_der, x509.DER) + ders = (x509.normalize_certificate(pem) for pem in pems) + result['result']['certificate_chain'] = list(ders) + + return result @register() diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index aef1e888eb1b6c273c1fd12cbf4912407f8f8132..1fd3106e0ae723eb30dbe32c61e637790f6085d2 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
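Review bot: in the `ca_show.execute` hunk, every ca-show now opens `ra_lightweight_ca` to fetch the certificate and chain from Dogtag, so a CA outage turns a previously LDAP-only read into a failure; consider catching the retrieval error and omitting the two attributes, or at least documenting the new dependency. Also `certificate_chain` silently becomes `[]` when `pkcs7_to_pems` finds no certificates in the response; surface that rather than returning an empty chain.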
@@ -2205,6 +2205,18 @@ class ra_lightweight_ca(RestClient): except: raise errors.RemoteRetrieveError(reason=_("Response from CA was not valid JSON")) + def read_ca_cert(self, ca_id): + status, resp_headers, resp_body = self._ssldo( + 'GET', '{}/cert'.format(ca_id), + headers={'Accept': 'application/pkix-cert'}) + return resp_body + + def read_ca_chain(self, ca_id): + status, resp_headers, resp_body = self._ssldo( + 'GET', '{}/chain'.format(ca_id), + headers={'Accept': 'application/pkcs7-mime'}) + return resp_body + def disable_ca(self, ca_id): self._ssldo( 'POST', ca_id + '/disable', -- 2.5.5 From freeipa-github-notification at redhat.com Mon Sep 5 16:12:10 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 05 Sep 2016 18:12:10 +0200 Subject: [Freeipa-devel] [freeipa PR#56] Use RSA-OAEP instead of RSA PKCS#1 v1.5 (comment) In-Reply-To: References: Message-ID: mbasti-rh commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/4ae4d0d6909e99892442a170288f0eee9610d1c2 ipa-4-4: https://fedorahosted.org/freeipa/changeset/71e7cb124d021f976eebb6e99fc012becf94a9b6 """ See the full comment at https://github.com/freeipa/freeipa/pull/56#issuecomment-244779506 From freeipa-github-notification at redhat.com Mon Sep 5 16:12:12 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 05 Sep 2016 18:12:12 +0200 Subject: [Freeipa-devel] [freeipa PR#56] Use RSA-OAEP instead of RSA PKCS#1 v1.5 (+pushed) In-Reply-To: References: Message-ID: tiran's pull request #56: "Use RSA-OAEP instead of RSA PKCS#1 v1.5" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/56 From freeipa-github-notification at redhat.com Mon Sep 5 16:12:13 2016 
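Review bot: in the ipaserver/plugins/dogtag.py hunk, `read_ca_cert` and `read_ca_chain` discard `status` and `resp_headers` and return `resp_body` unconditionally, while the neighbouring code in this class raises `errors.RemoteRetrieveError` when a response is not what was expected. Check the status (and ideally the returned Content-Type against the Accept header sent) and raise RemoteRetrieveError on mismatch; otherwise an error page body is handed to `x509.pkcs7_to_pems` and surfaces only as an opaque CalledProcessError.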
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 05 Sep 2016 18:12:13 +0200
Subject: [Freeipa-devel] [freeipa PR#56] Use RSA-OAEP instead of RSA PKCS#1 v1.5 (closed)

tiran's pull request #56: "Use RSA-OAEP instead of RSA PKCS#1 v1.5" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/56

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/56/head:pr56
git checkout pr56

From freeipa-github-notification at redhat.com Mon Sep 5 16:13:30 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 05 Sep 2016 18:13:30 +0200
Subject: [Freeipa-devel] [freeipa PR#57] Use RSA-OAEP instead of RSA PKCS#1 v1.5 (+pushed)

tiran's pull request #57: "Use RSA-OAEP instead of RSA PKCS#1 v1.5" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/57

From freeipa-github-notification at redhat.com Mon Sep 5 16:13:32 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 05 Sep 2016 18:13:32 +0200
Subject: [Freeipa-devel] [freeipa PR#57] Use RSA-OAEP instead of RSA PKCS#1 v1.5 (comment)

mbasti-rh commented on a pull request

"""
Fixed upstream
ipa-4-3:
https://fedorahosted.org/freeipa/changeset/2e27b7077d280447dbf526b567566101d4c800c7
"""

See the full comment at https://github.com/freeipa/freeipa/pull/57#issuecomment-244779751

From freeipa-github-notification at redhat.com Mon Sep 5 16:13:33 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 05 Sep 2016 18:13:33 +0200
Subject: [Freeipa-devel] [freeipa PR#57] Use RSA-OAEP instead of RSA PKCS#1 v1.5 (closed)

tiran's pull request #57: "Use RSA-OAEP instead of RSA PKCS#1 v1.5" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/57

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/57/head:pr57
git checkout pr57

From freeipa-github-notification at redhat.com Mon Sep 5 16:14:35 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 05 Sep 2016 18:14:35 +0200
Subject: [Freeipa-devel] [freeipa PR#53] Fix ScriptError to always return string from __str__ (+ack)

mbasti-rh's pull request #53: "Fix ScriptError to always return string from __str__" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/53

From freeipa-github-notification at redhat.com Mon Sep 5 16:16:07 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 05 Sep 2016 18:16:07 +0200
Subject: [Freeipa-devel] [freeipa PR#53] Fix ScriptError to always return string from __str__ (+pushed)

mbasti-rh's pull request #53: "Fix ScriptError to always return string from __str__" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/53

From freeipa-github-notification at redhat.com Mon Sep 5 16:16:09 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 05 Sep 2016 18:16:09 +0200
Subject: [Freeipa-devel] [freeipa PR#53] Fix ScriptError to always return string from __str__ (comment)

mbasti-rh commented on a pull request

"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/00d43095da211f542189c95c88fc2e2c32e75565
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/26175556b46bde9e83699abdd36c5644ec7512ba
"""

See the full comment at https://github.com/freeipa/freeipa/pull/53#issuecomment-244780145

From freeipa-github-notification at redhat.com Mon Sep 5 16:16:10 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 05 Sep 2016 18:16:10 +0200
Subject: [Freeipa-devel] [freeipa PR#53] Fix ScriptError to always return string from __str__ (closed)

mbasti-rh's pull request #53: "Fix ScriptError to always return string from __str__" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/53

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/53/head:pr53
git checkout pr53

From ftweedal at redhat.com Mon Sep 5 16:22:26 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 6 Sep 2016 02:22:26 +1000
Subject: [Freeipa-devel] [PATCH] 0095 cert-request: allow directoryName in SAN extension
References: <20160722051807.GJ10771@dhcp-40-8.bne.redhat.com> <20160829055740.GW3877@dhcp-40-8.bne.redhat.com>
Message-ID: <20160905162225.GG11489@dhcp-40-8.bne.redhat.com>

On Tue, Aug 30, 2016 at 08:48:58AM +0200, Jan Cholasta wrote:
> On 29.8.2016 07:57, Fraser Tweedale wrote:
> > On Fri, Aug 26, 2016 at 10:41:37AM +0200, Jan Cholasta wrote:
> > > Hi,
> > >
> > > On 22.7.2016 07:18, Fraser Tweedale wrote:
> > > > While I was poking around SAN-processing code, I decided to
> > > > implement a small enhancement: allowing the subject principal's DN
> > > > to appear in SAN.
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/6112
> > > >
> > > > Patch depends on my other patches 0090, 0092, 0093, 0094.
> > >
> > > I don't think this is how DN SANs are supposed to be handled. For example,
> > > see this bit about DN name constraints in RFC 5280 section 4.2.1.10:
> > >
> > >   Restrictions of the form directoryName MUST be applied to the subject
> > >   field in the certificate (when the certificate includes a non-empty
> > >   subject field) and to any names of type directoryName in the
> > >   subjectAltName extension.
> > >
> > > It would appear to me that DN SANs only provide additional values to the
> > > subject name of the certificate and thus should be treated the same way as
> > > the subject name.
> > >
> > > We don't impose any restrictions on subject names with regard to DN of the
> > > subject LDAP entry, so I think we should not do it for DN SANs as well. Or,
> > > alternatively, we should do it for both.
> > >
> > I disagree. Supporting an altname containing the LDAP DN is a valid
> > use case.
> > There is no need to apply the same rules to Subject DN
> > and Directory Name altname
>
> Nowhere in the RFC is it stated that there is any semantic difference
> between the subject name and DN SANs, so I don't see why should we make DN
> SANs special.
>
> > (otherwise, why would the Directory Name
> > altname type even exist?).
>
> To allow multiple subject DNs.
>
> > There are other possible values but this
> > one is trivial to validate so why not?
>
> I have no issue with validation per se, I just find it very odd that the
> code would allow me to request a cert with any LDAP entry DN in subject name
> but only one specific LDAP entry DN in DN SAN.
>
> > As for the RFC excerpt, this is about the Name Constraints
> > extension. In the unlikely case that a superior certificate has a
> > Name Constraints extension that applies to DNs, the way we construct
> > the Subject DN is probably the bigger problem ;)
>
> Yes, this particular excerpt is about name constraints, but I doubt that if
> you looked anywhere else, it would say something different about the
> relationship of subject name and DN SANs.
>
RFC 5280 doesn't say anything about the relationship between SDN and DN
SAN. All it says is that if there is a name constraint, all the names
must satisfy the constraint. A name constraint *could* imply some "shared
ancestry" relationships across all DNs on a cert, but this is not
necessarily the case, e.g. if the name constraint only has
excludedSubtrees.

> > Take the feature or leave it (after all, no one has asked for it yet)
> > but IMO the usage is valid.
> >
> > Cheers,
> > Fraser
> >
>
> --
> Jan Cholasta

From freeipa-github-notification at redhat.com Mon Sep 5 16:41:55 2016
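The RFC 5280 section 4.2.1.10 rule argued over in the thread above, worked through in code. This is an added illustration, not part of the thread or of FreeIPA: it applies directoryName permittedSubtrees/excludedSubtrees to the subject DN and to every directoryName SAN alike, and the DNs and subtree bases are constructed sample values; the case-insensitive value comparison stands in for the RFC 5280 section 7.1 string preparation rules.

```python
"""RFC 5280 section 4.2.1.10: directoryName constraints are checked against
the subject DN and against every directoryName SAN in the same way.

Added illustration for the thread above; not FreeIPA code.  DNs are modelled
as root-first tuples of RDNs (DER order), each RDN a frozenset of
(attribute type, value) pairs.  Values are compared case-insensitively, a
stand-in for the RFC 5280 section 7.1 string preparation rules.
"""
from typing import FrozenSet, Iterable, List, Tuple

RDN = FrozenSet[Tuple[str, str]]
DN = Tuple[RDN, ...]


def parse_dn(text: str) -> DN:
    """Parse an RFC 4514 string DN (most specific RDN first) into a
    root-first tuple of RDNs.  '+' multi-valued RDNs are supported; escaped
    separators are out of scope for this illustration."""
    text = text.strip()
    if not text:
        return ()
    rdns: List[RDN] = []
    for rdn in text.split(','):
        avas = set()
        for ava in rdn.split('+'):
            attr_type, value = ava.split('=', 1)
            avas.add((attr_type.strip().lower(), value.strip().lower()))
        rdns.append(frozenset(avas))
    return tuple(reversed(rdns))


def format_dn(dn: DN) -> str:
    """Render a DN in RFC 4514 order for diagnostics."""
    return ','.join(
        '+'.join('{}={}'.format(t, v) for t, v in sorted(rdn))
        for rdn in reversed(dn))


def in_subtree(dn: DN, base: DN) -> bool:
    """A DN lies within a directoryName subtree when the subtree base is a
    prefix of its root-first RDN sequence; an empty base matches any DN."""
    return dn[:len(base)] == base


def check_dn_constraints(subject: DN, san_dirnames: Iterable[DN],
                         permitted: Iterable[DN],
                         excluded: Iterable[DN]) -> List[str]:
    """Apply permittedSubtrees/excludedSubtrees of type directoryName to the
    (non-empty) subject and to every directoryName SAN.  Returns one message
    per violation; an empty list means the names satisfy the constraint."""
    permitted = list(permitted)
    excluded = list(excluded)
    names = ([subject] if subject else []) + list(san_dirnames)
    violations = []
    for name in names:
        shown = format_dn(name)
        for base in excluded:
            if in_subtree(name, base):
                violations.append('{} is within excluded subtree {}'.format(
                    shown, format_dn(base)))
        if permitted and not any(in_subtree(name, b) for b in permitted):
            violations.append('{} is outside every permitted subtree'.format(
                shown))
    return violations


if __name__ == '__main__':
    # Constructed sample: an IPA-style subject DN and a dirName SAN carrying
    # the host's LDAP entry DN; the two share no common ancestor.
    subject = parse_dn('CN=host.example.com,O=EXAMPLE.COM')
    san = parse_dn('fqdn=host.example.com,cn=computers,cn=accounts,'
                   'dc=example,dc=com')
    # Only excludedSubtrees: both names pass, no shared ancestry required.
    print(check_dn_constraints(subject, [san], [],
                               [parse_dn('ou=revoked,dc=example,dc=com')]))
    # A permittedSubtrees entry applies to the subject just as to the SAN.
    print(check_dn_constraints(subject, [san],
                               [parse_dn('dc=example,dc=com')], []))
```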
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 05 Sep 2016 18:41:55 +0200
Subject: [Freeipa-devel] [freeipa PR#34] dns: prompt for missing record parts in CLI (comment)

mbasti-rh commented on a pull request

"""
IMO api version should be incremented, otherwise works for me
"""

See the full comment at https://github.com/freeipa/freeipa/pull/34#issuecomment-244784027

From ftweedal at redhat.com Mon Sep 5 17:46:10 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 6 Sep 2016 03:46:10 +1000
Subject: [Freeipa-devel] [PATCH] 0100 Track lightweight CAs on replica installation
References: <20160823064043.GD3877@dhcp-40-8.bne.redhat.com>
Message-ID: <20160905174610.GI11489@dhcp-40-8.bne.redhat.com>

On Mon, Aug 29, 2016 at 06:39:58PM +0200, Martin Babinsky wrote:
> On 08/23/2016 08:40 AM, Fraser Tweedale wrote:
> > Hi folks,
> >
> > Please review attached patch which fixes
> > https://fedorahosted.org/freeipa/ticket/6019.
> >
> > Thanks,
> > Fraser
> >
> Hi Fraser,
>
> I have a couple of comments:
>
Thanks for your review, Martin. Updated patch attached. Comments inline.

> 1.)
> - for entry in lwcas:
> - self.server_track_lightweight_ca(entry)
> + try:
> + from ipaserver.install import cainstance
> + cainstance.add_lightweight_ca_tracking_requests(self.log, lwcas)
> + except Exception as e:
> + self.log.exception(
> + "Failed to add lightweight CA tracking requests")
>
> You are importing a server-side module in a basically client-side command
> which I don't like very much. Isn't there a possibility to use shared
> client-server module for this?
>
It's ugly. It is an effect of my desire to keep LWCA tracking code where
IMO it belongs: in cainstance module. If you know a nicer way to
conditionally get at contents of cainstance module I'm happy to do it
differently. Otherwise I don't think it's a showstopper.

> 2.)
> + def __add_lightweight_ca_tracking_requests(self):
> + server_id = installutils.realm_to_serverid(api.env.realm)
> + dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
> + conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
> + is_already_connected = conn.isconnected()
>
> Why use these connection setup shenanigans when you can use either
> api.Backend.ldap2 (IIRC this runs in server context so LDAPI should be a
> given) or even the service's own 'admin_conn' member.
>
I changed it to use admin_conn.
> + > + if not is_already_connected: > + try: > + conn.connect(autobind=True) > + except errors.PublicError as e: > + self.log.error( > + "Cannot connect to LDAP to add " > + "lightweight CA tracking requests: %s", > + e > + ) > PEP8 error here, the second line of the message is misformatted. > Thanks, fixed. > + return > + > + try: > + lwcas = conn.get_entries( > + base_dn=ipautil.realm_to_suffix(api.env.realm), > + filter='(objectclass=ipaca)', > + attrs_list=['cn', 'ipacaid'], > + ) > I would rather use the result of api.Command.ca_find to fetch sub-CAs. Also, > ipautil.realm_to_suffix is superseded by api.env.basedn to fetch search > base. > Updated to use api.env.basedn. I hit problems using ca_find and connecting the ldap2 backend so I'm sticking with admin_conn, which is working. > + add_lightweight_ca_tracking_requests(self.log, lwcas) > + except errors.NotFound: > + pass # shouldn't happen, but don't fail if it does > I would add at least some debug message here. > OK. > + finally: > + if not is_already_connected: > + conn.disconnect() > + > > > -- > Martin^3 Babinsky -------------- next part -------------- From 71ca530fd14cfb33833bcba6533310ec101da1b8 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 23 Aug 2016 16:14:30 +1000 Subject: [PATCH] Track lightweight CAs on replica installation Add Certmonger tracking requests for lightweight CAs on replica installation. As part of this change, extract most of the lightweight CA tracking code out of ipa-certupdate and into cainstance. Fixes: https://fedorahosted.org/freeipa/ticket/6019 --- ipaclient/ipa_certupdate.py | 53 +++++++-------------------------- ipalib/constants.py | 2 ++ ipaserver/install/cainstance.py | 66 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 78 insertions(+), 43 deletions(-) diff --git a/ipaclient/ipa_certupdate.py b/ipaclient/ipa_certupdate.py index e59047a2705eb8ccb98b5213c4c8771f55a29bc5..07eaeca38fdda92c20d127dd26b600b34ee8b61d 100644 
--- a/ipaclient/ipa_certupdate.py +++ b/ipaclient/ipa_certupdate.py @@ -29,10 +29,8 @@ from ipaplatform import services from ipaplatform.paths import paths from ipaplatform.tasks import tasks from ipalib import api, errors, x509, certstore -from ipalib.constants import IPA_CA_CN +from ipalib.constants import IPA_CA_NICKNAME, RENEWAL_CA_NAME -IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca' -RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent' class CertUpdate(admintool.AdminTool): command_name = 'ipa-certupdate' @@ -85,11 +83,8 @@ class CertUpdate(admintool.AdminTool): certs = certstore.get_ca_certs(ldap, api.env.basedn, api.env.realm, ca_enabled) - # find lightweight CAs (on renewal master only) - lwcas = [] - for ca_obj in api.Command.ca_find()['result']: - if IPA_CA_CN not in ca_obj['cn']: - lwcas.append(ca_obj) + # find lightweight CAs + lwcas = api.Command.ca_find()['result'] api.Backend.rpcclient.disconnect() finally: @@ -98,8 +93,13 @@ class CertUpdate(admintool.AdminTool): server_fstore = sysrestore.FileStore(paths.SYSRESTORE) if server_fstore.has_files(): self.update_server(certs) - for entry in lwcas: - self.server_track_lightweight_ca(entry) + try: + from ipaserver.install import cainstance + cainstance.add_lightweight_ca_tracking_requests( + self.log, lwcas) + except Exception as e: + self.log.exception( + "Failed to add lightweight CA tracking requests") self.update_client(certs) 
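Review bot: in the second ipaclient/ipa_certupdate.py hunk, the `except Exception as e:` wrapped around the conditional `from ipaserver.install import cainstance` also swallows an ImportError and logs it as "Failed to add lightweight CA tracking requests", which will mislead anyone debugging a missing server package; the `server_fstore.has_files()` check already guards the server-only branch, so import outside the try or catch ImportError separately with its own message, and drop the unused `e`.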
@@ -163,39 +163,6 @@ class CertUpdate(admintool.AdminTool): self.update_file(paths.CA_CRT, certs) - def server_track_lightweight_ca(self, entry): - nickname = "{} {}".format(IPA_CA_NICKNAME, entry['ipacaid'][0]) - criteria = { - 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, - 'cert-nickname': nickname, - 'ca-name': RENEWAL_CA_NAME, - } - request_id = certmonger.get_request_id(criteria) - if request_id is None: - try: - certmonger.dogtag_start_tracking( - secdir=paths.PKI_TOMCAT_ALIAS_DIR, - pin=certmonger.get_pin('internal'), - pinfile=None, - nickname=nickname, - ca=RENEWAL_CA_NAME, - pre_command='stop_pkicad', - post_command='renew_ca_cert "%s"' % nickname, - ) - request_id = certmonger.get_request_id(criteria) - certmonger.modify(request_id, profile='ipaCACertRenewal') - self.log.debug( - 'Lightweight CA renewal: ' - 'added tracking request for "%s"', nickname) - except RuntimeError as e: - self.log.error( - 'Lightweight CA renewal: Certmonger failed to ' - 'start tracking certificate: %s', e) - else: - self.log.debug( - 'Lightweight CA renewal: ' - 'already tracking certificate "%s"', nickname) - def update_file(self, filename, certs, mode=0o444): certs = (c[0] for c in certs if c[2] is not False) try: diff --git a/ipalib/constants.py b/ipalib/constants.py index 9b351e260f15211330521453b3ffcd41433a04bb..04515dcd25d066d8f1ab79ae8e8b96e909a1d884 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -274,3 +274,5 @@ CA_SUFFIX_NAME = 'ca' PKI_GSSAPI_SERVICE_NAME = 'dogtag' IPA_CA_CN = u'ipa' IPA_CA_RECORD = "ipa-ca" +IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca' +RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent' diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index c4b8e9ae326fb7ebda9e927cd4d0b5bad9743db4..ab006be8ffc12fe30994b66e9d95fa78443253f8 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -1383,6 +1383,9 @@ class CAInstance(DogtagInstance): self.step("enabling CA instance", self.__enable_instance) + self.step("configuring certmonger renewal for lightweight CAs", + self.__add_lightweight_ca_tracking_requests) + self.start_creation(runtime=210) def setup_lightweight_ca_key_retrieval(self): @@ -1448,6 +1451,22 @@ class CAInstance(DogtagInstance): os.chmod(keyfile, 0o600) os.chown(keyfile, pent.pw_uid, pent.pw_gid) + def __add_lightweight_ca_tracking_requests(self): + if not self.admin_conn: + self.ldap_connect() + + try: + lwcas = self.admin_conn.get_entries( + base_dn=api.env.basedn, + filter='(objectclass=ipaca)', + attrs_list=['cn', 'ipacaid'], + ) + add_lightweight_ca_tracking_requests(self.log, lwcas) + except errors.NotFound: + # shouldn't happen, but don't fail if it does + root_logger.warning( + "Did not find any lightweight CAs; nothing to track") + def replica_ca_install_check(config): if not config.setup_ca: 
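Review bot: in the `__add_lightweight_ca_tracking_requests` hunk, only `errors.NotFound` is handled, so any other LDAP failure during the search aborts the "configuring certmonger renewal for lightweight CAs" installation step even though the tracking setup is best-effort by design. The earlier revision quoted in the review above logged `errors.PublicError` from the connection and returned; keep that behaviour here by catching `errors.PublicError` around the search as well and logging a warning instead of failing the install.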
@@ -2070,6 +2089,53 @@ def ensure_default_caacl(): api.Backend.ldap2.disconnect() +def add_lightweight_ca_tracking_requests(logger, lwcas): + """Add tracking requests for the given lightweight CAs. + + The entries must have the 'cn' and 'ipacaid' attributes. + + The IPA CA, if present, is skipped. + + """ + for entry in lwcas: + if ipalib.constants.IPA_CA_CN in entry['cn']: + continue + + nickname = "{} {}".format( + ipalib.constants.IPA_CA_NICKNAME, + entry['ipacaid'][0]) + criteria = { + 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, + 'cert-nickname': nickname, + 'ca-name': ipalib.constants.RENEWAL_CA_NAME, + } + request_id = certmonger.get_request_id(criteria) + if request_id is None: + try: + certmonger.dogtag_start_tracking( + secdir=paths.PKI_TOMCAT_ALIAS_DIR, + pin=certmonger.get_pin('internal'), + pinfile=None, + nickname=nickname, + ca=ipalib.constants.RENEWAL_CA_NAME, + pre_command='stop_pkicad', + post_command='renew_ca_cert "%s"' % nickname, + ) + request_id = certmonger.get_request_id(criteria) + certmonger.modify(request_id, profile='ipaCACertRenewal') + logger.debug( + 'Lightweight CA renewal: ' + 'added tracking request for "%s"', nickname) + except RuntimeError as e: + logger.error( + 'Lightweight CA renewal: Certmonger failed to ' + 'start tracking certificate: %s', e) + else: + logger.debug( + 'Lightweight CA renewal: ' + 'already tracking certificate "%s"', nickname) + + def update_ipa_conf(): """ Update IPA configuration file to ensure that RA plugins are enabled and -- 2.5.5 From freeipa-github-notification at redhat.com Tue Sep 6 05:22:19 2016 
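Review bot: `add_lightweight_ca_tracking_requests` refers to `ipalib.constants.IPA_CA_CN`, `ipalib.constants.IPA_CA_NICKNAME` and `ipalib.constants.RENEWAL_CA_NAME` as attributes of the module, but the patch adds no `import ipalib.constants` to cainstance.py, so confirm the module already has that import (the ipa_certupdate.py hunk uses the `from ipalib.constants import ...` form instead, which would be consistent here too). Also `entry['ipacaid'][0]` is indexed without a guard, so a single entry lacking the attribute raises KeyError and stops tracking for every remaining CA; skip such an entry with a warning instead.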
From: freeipa-github-notification at redhat.com (jcholast)
Date: Tue, 06 Sep 2016 07:22:19 +0200
Subject: [Freeipa-devel] [freeipa PR#34] dns: prompt for missing record parts in CLI (synchronize)

jcholast's pull request #34: " dns: prompt for missing record parts in CLI" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/34

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/34/head:pr34
git checkout pr34

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-34.patch
Type: text/x-diff
Size: 10807 bytes
Desc: not available

From jcholast at redhat.com Tue Sep 6 05:51:35 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 6 Sep 2016 07:51:35 +0200
Subject: [Freeipa-devel] [PATCH] 0014
References: <5d38f7d7-2b64-9093-35ef-df17d9dc1876@redhat.com> <755c6d3d-af1e-7538-ecac-f06122ae8b10@redhat.com> <3ee10d07-8584-0973-4fe3-2a8334dce76c@redhat.com>
Message-ID: <7ca68ed1-fed6-6551-d8b9-f2445f309de0@redhat.com>

On 5.9.2016 10:42, Tomas Krizek wrote:
>
> On 09/02/2016 09:05 AM, Florence Blanc-Renaud wrote:
>> On 09/02/2016 08:08 AM, Jan Cholasta wrote:
>>> On 1.9.2016 19:37, Tomas Krizek wrote:
>>>> On 09/01/2016 03:58 PM, Florence Blanc-Renaud wrote:
>>>>> Hi,
>>>>>
>>>>> please find attached a patch for ipa-certupdate in CA-less deployment.
>>>>> https://fedorahosted.org/freeipa/ticket/6288
>>>>>
>>>>> Flo.
>>>>>
>>>> The patch is malformed, but you can simply delete the very first
>>>> character to fix it.
>>>>
>>>> Other than that, patch works as expected -> ACK.
>>>
>>> Nitpick: please avoid C-isms such as "if (ca_enabled):".
>>>
>> Hi all,
>>
>> thanks for the review. Please find an updated patch version. Quite
>> difficult to get rid of typing habits...
>>
>> Flo
>>
> ACK

Pushed to:
master: b36ee723b77a2721f4200d5df02268a9bd6a60b5
ipa-4-4: 1b8f6ec58600ad4bbfb538ddcff659ea1ba2c324

--
Jan Cholasta

From freeipa-github-notification at redhat.com Tue Sep 6 06:13:33 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Tue, 06 Sep 2016 08:13:33 +0200
Subject: [Freeipa-devel] [freeipa PR#50] Add cert checks in ipa-server-certinstall (comment)

jcholast commented on a pull request

"""
NACK, see my inline comments above.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/50#issuecomment-244858726

From jcholast at redhat.com Tue Sep 6 08:19:14 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 6 Sep 2016 10:19:14 +0200
Subject: [Freeipa-devel] [PATCH] 0106 Make host/service cert revocation aware of lightweight CAs
In-Reply-To: <20160905153023.GE11489@dhcp-40-8.bne.redhat.com>
References: <20160826053717.GP3877@dhcp-40-8.bne.redhat.com> <20160826054222.GQ3877@dhcp-40-8.bne.redhat.com> <20160905135911.GC11489@dhcp-40-8.bne.redhat.com> <20160905153023.GE11489@dhcp-40-8.bne.redhat.com>
Message-ID: <0f5fa3f8-11be-894c-a268-fab48fa096e5@redhat.com>

On 5.9.2016 17:30, Fraser Tweedale wrote:
> On Mon, Sep 05, 2016 at 11:59:11PM +1000, Fraser Tweedale wrote:
>> On Tue, Aug 30, 2016 at 10:39:16AM +0200, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 26.8.2016 07:42, Fraser Tweedale wrote:
>>>> On Fri, Aug 26, 2016 at 03:37:17PM +1000, Fraser Tweedale wrote:
>>>>> Hi all,
>>>>>
>>>>> Attached patch fixes https://fedorahosted.org/freeipa/ticket/6221.
>>>>> It depends on Honza's PR #20
>>>>> https://github.com/freeipa/freeipa/pull/20.
>>>>>
>>>>> Thanks,
>>>>> Fraser
>>>>>
>>>> It does help to attach the patch :)
>>>
>>> I think it would be better to call cert-find once per host-del/service-del
>>> with the --host/--service option specified. That way you'll get all
>>> certificates for the given host/service at once.
>>>
>>> Honza
>>>
>> I agree that is a nicer approach.
>>
>> 'revoke_certs' is called from several other places besides just
>> host/service_del. If we want to land this fix Real Soon I'd suggest
>> we either:
>>
>> A) Define function 'revoke_certs_from_cert_find', call it from
>> host/service_del, and leave 'revoke_certs' alone; or
>>
>> B) Land the patch as-is and do a bigger refactor at a later time.
>>
>> What do you think?

C) Use cert-find-based revoke_certs() everywhere; use the --certificate
option of cert-find in the other places to get information about specific
certificates.

>>
> Updated patch for option (A) is attached.
1) Instead of if result['status'] in {'REVOKED', 'REVOKED_EXPIRED'}: use: if result['revoked']: 2) + if 'cacn' not in cert: + # cert is known to Dogtag, but CA appears to have been + # deleted. We cannot revoke this cert via IPA anymore. + # We could go directly to Dogtag to revoke it, but the + # issuer's cert should have been revoked so never mind. + continue Or, it could be a cert issued by a 3rd party CA. 3) host-mod/service-mod do not revoke certs: $ ipa cert-request test.csr --principal host/test.example.com Serial number: 13 $ ipa cert-show 13 Revoked: False Owner host: test.example.com $ ipa host-mod test.example.com --certificate= $ ipa cert-show 13 Revoked: False -- Jan Cholasta From freeipa-github-notification at redhat.com Tue Sep 6 09:54:17 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 06 Sep 2016 11:54:17 +0200 Subject: [Freeipa-devel] [freeipa PR#59] Fix BadSyntax exception in ldapupdate.py (opened) Message-ID: martbab's pull request #59: "Fix BadSyntax exception in ldapupdate.py" was opened PR body: """ This complements commit 00d43095da211f542189c95c88fc2e2c32e75565 and fixes two failing testcases in `ipatests/test_install/test_updates.py` https://fedorahosted.org/freeipa/ticket/6294 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/59 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/59/head:pr59 git checkout pr59 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-59.patch Type: text/x-diff Size: 1013 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 6 09:59:45 2016 
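Review bot: the `continue` under `if 'cacn' not in cert:` in the quoted hunk drops the certificate without leaving any trace, and the justification in the comment ("the issuer's cert should have been revoked so never mind") does not hold for a certificate issued by a third-party CA, which Dogtag may know about just as well. Log the serial number and issuer at warning level before the `continue` so an operator can revoke the certificate at its issuer, instead of relying on the issuing CA having been revoked.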
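The cert-find based revoke_certs() discussed in Jan's and Fraser's thread above (options A, B and C), as an added example that is not FreeIPA's own code: it calls cert-find once per host or service, keys every revocation by (serial number, CA name) because serial numbers are only unique per issuing CA once lightweight CAs exist, tests the `revoked` flag instead of comparing status strings, and reports rather than silently skips certificates that have no `cacn`. The FreeIPA API is replaced by a constructed in-memory stand-in (`FakeCertStore`) and the sample certificates are constructed; the field names `serial_number`, `revoked`, `cacn`, `issuer`, `owner_host` and `owner_service` are modelled on the cert-find/cert-show output quoted in the thread and are assumptions, as is the revocation reason value.

```python
"""Added example, not FreeIPA code: a cert-find based revoke_certs() that
is aware of lightweight CAs.  The IPA API is replaced by a constructed
in-memory stand-in; the record field names are assumptions modelled on
cert-find/cert-show output, not a documented contract."""
import logging

logger = logging.getLogger(__name__)

# RFC 5280 CRLReason cessationOfOperation (assumed here to be the reason
# used when a host or service is deleted).
CESSATION_OF_OPERATION = 5


def plan_revocations(certs):
    """Split cert-find result dicts into (to_revoke, unmappable).

    to_revoke: list of (serial_number, cacn) pairs.  Once lightweight CAs
    exist a serial number is only unique per issuing CA, so the CA name
    has to travel with the serial to cert-revoke.
    unmappable: records with no 'cacn' (the issuing lightweight CA was
    deleted, or the certificate came from a third-party CA).  They are
    returned, not silently dropped, so the caller can report them.
    """
    to_revoke, unmappable = [], []
    for cert in certs:
        if cert.get('revoked'):          # already revoked: nothing to do
            continue
        if 'cacn' not in cert:
            unmappable.append(cert)
            continue
        to_revoke.append((int(cert['serial_number']), cert['cacn']))
    return to_revoke, unmappable


def revoke_certs_for_principal(cert_find, cert_revoke, **selector):
    """Revoke every live certificate of one host or service.

    cert_find(**selector) is called exactly once with host=... or
    service=..., as suggested in the thread, instead of once per
    certificate stored on the entry.  cert_revoke(serial, cacn, reason)
    performs a single revocation.  Returns the number revoked.
    """
    result = cert_find(**selector)['result']
    to_revoke, unmappable = plan_revocations(result)
    for cert in unmappable:
        logger.warning("serial %s issued by %r has no IPA CA; revoke it "
                       "at the issuer", cert.get('serial_number'),
                       cert.get('issuer'))
    for serial, cacn in to_revoke:
        cert_revoke(serial, cacn, CESSATION_OF_OPERATION)
    return len(to_revoke)


class FakeCertStore:
    """Constructed stand-in for api.Command.cert_find / cert_revoke."""

    def __init__(self, certs):
        # Keyed by (cacn, serial): the same serial may exist under two CAs.
        self._certs = {(c.get('cacn'), int(c['serial_number'])): dict(c)
                       for c in certs}

    def cert_find(self, host=None, service=None):
        attr, value = (('owner_host', host) if host
                       else ('owner_service', service))
        return {'result': [dict(c) for c in self._certs.values()
                           if value in c.get(attr, ())]}

    def cert_revoke(self, serial, cacn, reason):
        cert = self._certs[(cacn, serial)]
        if cert['revoked']:
            raise ValueError('serial %d of CA %s already revoked'
                             % (serial, cacn))
        cert['revoked'] = True
        cert['revocation_reason'] = reason

    def is_revoked(self, cacn, serial):
        return self._certs[(cacn, serial)]['revoked']


# Constructed sample data: one host with certs from the main CA 'ipa' and
# a lightweight CA 'sub-ca' (note the duplicate serial 13), one cert that
# is already revoked, and one from a third-party issuer with no cacn.
SAMPLE_CERTS = [
    {'serial_number': 13, 'cacn': 'ipa', 'revoked': False,
     'owner_host': ['test.example.com']},
    {'serial_number': 13, 'cacn': 'sub-ca', 'revoked': False,
     'owner_host': ['test.example.com']},
    {'serial_number': 7, 'cacn': 'ipa', 'revoked': True,
     'owner_host': ['test.example.com']},
    {'serial_number': 42, 'revoked': False, 'issuer': 'CN=Third Party CA',
     'owner_host': ['test.example.com']},
    {'serial_number': 99, 'cacn': 'ipa', 'revoked': False,
     'owner_host': ['other.example.com']},
]


if __name__ == '__main__':
    logging.basicConfig(level=logging.WARNING)
    store = FakeCertStore(SAMPLE_CERTS)
    n = revoke_certs_for_principal(store.cert_find, store.cert_revoke,
                                   host='test.example.com')
    print('revoked %d certificate(s)' % n)
    for cacn, serial in sorted(store._certs, key=str):
        state = 'revoked' if store.is_revoked(cacn, serial) else 'valid'
        print(cacn, serial, state)
```

Run as a script it prints the per-CA state after revoking the certificates of test.example.com: serial 13 is revoked under both `ipa` and `sub-ca`, which a serial-only revocation call could not express, the already-revoked serial 7 is left untouched, and the third-party serial 42 is reported in the log but not revoked. The same selection would cover host-mod/service-mod, which Jan's point 3 shows do not revoke at all, if the certificates removed by the modification were looked up through cert-find's --certificate option as in option C.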
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Sep 2016 11:59:45 +0200 Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (-ack) In-Reply-To: References: Message-ID: ofayans's pull request #52: "Removed incorrect check for returncode" label *ack* has been removed See the full pull-request at https://github.com/freeipa/freeipa/pull/52 From freeipa-github-notification at redhat.com Tue Sep 6 10:06:54 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Sep 2016 12:06:54 +0200 Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment) In-Reply-To: References: Message-ID: mbasti-rh commented on a pull request """ I went through commit messages again and I changed my mind, NACK: 1) commit: Removed incorrect check for returncode This commit contains incorrect ticket, issue has not been fixed by this commit 2) commit: Several fixes in replica_promotion tests This does not have ticket, is okay to push it just to master? 3) All commits have different tickets, so I have to manually split hashes and put it to proper tickets. Leave it as is for this PR to avoid mess, but in future create one PR for one ticket """ See the full comment at https://github.com/freeipa/freeipa/pull/52#issuecomment-244906832 From mbabinsk at redhat.com Tue Sep 6 10:12:23 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 6 Sep 2016 12:12:23 +0200 Subject: [Freeipa-devel] [PATCH] 0100 Track lightweight CAs on replica installation In-Reply-To: <20160905174610.GI11489@dhcp-40-8.bne.redhat.com> References: <20160823064043.GD3877@dhcp-40-8.bne.redhat.com> <20160905174610.GI11489@dhcp-40-8.bne.redhat.com> Message-ID: <970d1be0-177d-9564-2f37-ffb44c3ff75d@redhat.com> On 09/05/2016 07:46 PM, Fraser Tweedale wrote: > On Mon, Aug 29, 2016 at 06:39:58PM +0200, Martin Babinsky wrote: >> On 08/23/2016 08:40 AM, Fraser Tweedale wrote: >>> Hi folks, >>> >>> Please review attached patch which fixes >>> https://fedorahosted.org/freeipa/ticket/6019. >>> >>> Thanks, >>> Fraser >>> >>> >>> >> Hi Fraser, >> >> I have couple of comments: >> > Thanks for your review, Martin. Updated patch attached. Comments > inline. > >> 1.) >> - for entry in lwcas: >> - self.server_track_lightweight_ca(entry) >> + try: >> + from ipaserver.install import cainstance >> + cainstance.add_lightweight_ca_tracking_requests(self.log, lwcas) >> + except Exception as e: >> + self.log.exception( >> + "Failed to add lightweight CA tracking requests") >> >> You are importing a server-side module in a basically client-side command >> which I don't like very much. Isn't there a possibility to use shared >> client-server module for this? >> > It's ugly. It is an effect of my desire to keep LWCA tracking code > where IMO it belongs: in cainstance module. > > If you know a nicer way to conditionally get at contents of > cainstance module I'm happy to do it differently. Otherwise I don't > think it's a showstopper. > >> 2.) 
>> + def __add_lightweight_ca_tracking_requests(self): >> + server_id = installutils.realm_to_serverid(api.env.realm) >> + dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % >> server_id >> + conn = ldap2.ldap2(api, ldap_uri=dogtag_uri) >> + is_already_connected = conn.isconnected() >> >> Why use these connection setup shenanigans when you can use either >> api.Backend.ldap2 (IIRC this runs in server context so LDAPI should be a >> given) or even the service's own 'admin_conn' member. >> > I changed it to use admin_conn. > >> + >> + if not is_already_connected: >> + try: >> + conn.connect(autobind=True) >> + except errors.PublicError as e: >> + self.log.error( >> + "Cannot connect to LDAP to add " >> + "lightweight CA tracking requests: %s", >> + e >> + ) >> PEP8 error here, the second line of the message is misformatted. >> > Thanks, fixed. > >> + return >> + >> + try: >> + lwcas = conn.get_entries( >> + base_dn=ipautil.realm_to_suffix(api.env.realm), >> + filter='(objectclass=ipaca)', >> + attrs_list=['cn', 'ipacaid'], >> + ) >> I would rather use the result of api.Command.ca_find to fetch sub-CAs. Also, >> ipautil.realm_to_suffix is superseded by api.env.basedn to fetch search >> base. >> > Updated to use api.env.basedn. I hit problems using ca_find and > connecting the ldap2 backend so I'm sticking with admin_conn, which > is working. > >> + add_lightweight_ca_tracking_requests(self.log, lwcas) >> + except errors.NotFound: >> + pass # shouldn't happen, but don't fail if it does >> I would add at least some debug message here. >> > OK. > >> + finally: >> + if not is_already_connected: >> + conn.disconnect() >> + >> >> >> -- >> Martin^3 Babinsky Thanks, ACK. Rebased and pushed to: master: 08b768313020c45bfa82d67cd214afabf605f4b3 ipa-4-4: 99b0db0ebf090c9f60078e9ca9bf2aba665635f5 -- Martin^3 Babinsky From abokovoy at redhat.com Tue Sep 6 10:18:14 2016 
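Review bot: in the hunk that replaces the `self.server_track_lightweight_ca(entry)` loop, the `except Exception as e` wrapped around both the `from ipaserver.install import cainstance` import and the `cainstance.add_lightweight_ca_tracking_requests(self.log, lwcas)` call turns every failure, including an ImportError on a host without the server package, into a logged exception and a successful exit, so ipa-certupdate finishes with no tracking requests added and nothing but a log line to show for it. Catch ImportError separately (or check for the server package before entering the block) and let a failure inside `add_lightweight_ca_tracking_requests()` propagate, or at least mark the step as failed.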
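Review bot: in `__add_lightweight_ca_tracking_requests`, the `except errors.PublicError` branch logs the failed LDAP connection and then `return`s, so the installer carries on and reports success while none of the lightweight CA tracking requests were added; re-raise after logging, or record the step as failed, so the gap is not discovered only when a sub-CA certificate expires. Also, the search runs with `base_dn=ipautil.realm_to_suffix(api.env.realm)` and `filter='(objectclass=ipaca)'`, i.e. over the whole suffix; scope it to the container that holds the CA entries so an unrelated entry carrying that object class elsewhere in the tree cannot be picked up as a CA.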
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 6 Sep 2016 13:18:14 +0300
Subject: [Freeipa-devel] FleetCommander integration
Message-ID: <20160906101814.aotuinw5y4v6ihzk@redhat.com>

Hi,

Now that FreeIPA 4.4.1 is out, I've pushed to github my prototype for FleetCommander integration: https://github.com/abbra/freeipa-desktop-profile/

You can read the design page: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki

The design was mostly figured out in discussions with Alberto, Fabiano, Nathaniel, and Jakub, so we are more or less on the common ground here between SSSD and FleetCommander. You can send pull requests to me on github to update the design. ;)

You can cut a tarball using

    git archive --format=tar.gz --prefix=freeipa-desktop-profile-0.0.1/ \
        --output ~/rpmbuild/SOURCES/freeipa-desktop-profile-0.0.1.tar.gz \
        freeipa-desktop-profile-0.0.1

And then build the package with

    rpmbuild -ta freeipa-desktop-profile-0.0.1.tar.gz

When installed, the package does not run ipa-server-upgrade by itself, yet. So you need to run ipa-server-upgrade manually. Once run, deskprofile/deskprofilerule topics would become available and can be used for testing purposes.

For Fedora 24 one can use FreeIPA 4.4.1 from COPR, for Fedora 25 we have FreeIPA 4.4.1 in updates stable as of today.

UI plugin is not ready yet and is disabled in the spec file as it breaks loading the whole UI.

--
/ Alexander Bokovoy

From freeipa-github-notification at redhat.com Tue Sep 6 10:31:57 2016
From: freeipa-github-notification at redhat.com (ofayans) Date: Tue, 06 Sep 2016 12:31:57 +0200 Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (synchronize) In-Reply-To: References: Message-ID: ofayans's pull request #52: "Removed incorrect check for returncode" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/52 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/52/head:pr52 git checkout pr52 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-52.patch Type: text/x-diff Size: 10029 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 6 10:37:44 2016 From: freeipa-github-notification at redhat.com (ofayans) Date: Tue, 06 Sep 2016 12:37:44 +0200 Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment) In-Reply-To: References: Message-ID: ofayans commented on a pull request """ @mbasti-rh, 1. Fixed 2. It's OK, but we won't have working tests in 4.3 branch. Should I create a ticket? 3. Gotya :) """ See the full comment at https://github.com/freeipa/freeipa/pull/52#issuecomment-244913086 From freeipa-github-notification at redhat.com Tue Sep 6 10:41:04 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Sep 2016 12:41:04 +0200 Subject: [Freeipa-devel] [freeipa PR#55] Fix parse errors with link-local addresses (synchronize) In-Reply-To: References: Message-ID: mbasti-rh's pull request #55: "Fix parse errors with link-local addresses" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/55 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/55/head:pr55 git checkout pr55 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-55.patch Type: text/x-diff Size: 1370 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 6 10:42:45 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Sep 2016 12:42:45 +0200 Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment) In-Reply-To: References: Message-ID: mbasti-rh commented on a pull request """ Ad 2. yes """ See the full comment at https://github.com/freeipa/freeipa/pull/52#issuecomment-244914033 From freeipa-github-notification at redhat.com Tue Sep 6 10:54:29 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Sep 2016 12:54:29 +0200 Subject: [Freeipa-devel] [freeipa PR#34] dns: prompt for missing record parts in CLI (+ack) In-Reply-To: References: Message-ID: jcholast's pull request #34: " dns: prompt for missing record parts in CLI" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/34 From freeipa-github-notification at redhat.com Tue Sep 6 10:54:59 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Sep 2016 12:54:59 +0200 Subject: [Freeipa-devel] [freeipa PR#34] dns: prompt for missing record parts in CLI (+pushed) In-Reply-To: References: Message-ID: jcholast's pull request #34: " dns: prompt for missing record parts in CLI" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/34 From freeipa-github-notification at redhat.com Tue Sep 6 10:55:01 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Sep 2016 12:55:01 +0200 Subject: [Freeipa-devel] [freeipa PR#34] dns: prompt for missing record parts in CLI (comment) In-Reply-To: References: Message-ID: mbasti-rh commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/afea9616318fbbffc2c296b7c41890db8595e3cc https://fedorahosted.org/freeipa/changeset/dce95a14595a37ce83bcf3e28f41feab715d0c81 https://fedorahosted.org/freeipa/changeset/38a51fa984a6aa92f383d7f8176057de8e057d52 ipa-4-4: https://fedorahosted.org/freeipa/changeset/fa8a5c33b73398c731cf2a472c79bd9a51404fe2 https://fedorahosted.org/freeipa/changeset/b4c104ee9038d8d87a7e78137826e655ebb5d39b https://fedorahosted.org/freeipa/changeset/47d6f49e53d27e1df1377a91789c072b11ccea31 """ See the full comment at https://github.com/freeipa/freeipa/pull/34#issuecomment-244916455 From freeipa-github-notification at redhat.com Tue Sep 6 10:55:02 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Sep 2016 12:55:02 +0200 Subject: [Freeipa-devel] [freeipa PR#34] dns: prompt for missing record parts in CLI (closed) In-Reply-To: References: Message-ID: jcholast's pull request #34: " dns: prompt for missing record parts in CLI" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/34 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/34/head:pr34 git checkout pr34 From ofayans at redhat.com Tue Sep 6 10:57:37 2016 
From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 6 Sep 2016 12:57:37 +0200 Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test In-Reply-To: References: <57723947.2090508@redhat.com> <5772622C.9000205@redhat.com> <579FB51F.6030808@redhat.com> <98a90ec8-fa79-dd36-57dc-053204c29506@redhat.com> <57A07FE4.8000904@redhat.com> Message-ID: Hi Martin, Thanks for the review. The updated patches are attached. Please, see my comments below On 08/30/2016 01:58 PM, Martin Basti wrote: > > > On 22.08.2016 13:18, Oleg Fayans wrote: >> ping for review >> >> On 08/02/2016 01:11 PM, Oleg Fayans wrote: >>> Hi Martin, >>> >>> I did! Thank you! >>> >>> On 08/02/2016 12:31 PM, Martin Basti wrote: >>>> >>>> >>>> On 01.08.2016 22:46, Oleg Fayans wrote: >>>>> The test was redesigned so that it actually tests against an AD user. >>>>> cleanly applies, passes lint and passes >>>>> >>>>> https://paste.fedoraproject.org/399504/00843641/ >>>> >>>> Okay >>>> >>>> Did you forget to send patches? >>>> >>>> Martin^2 >>>>> >>>>> >>>>> On 06/28/2016 01:40 PM, Oleg Fayans wrote: >>>>>> Patch-0050 rebased against latest upstream branch >>>>>> >>>>>> On 06/28/2016 10:45 AM, Oleg Fayans wrote: >>>>>>> Passing test output: >>>>>>> >>>>>>> https://paste.fedoraproject.org/385774/71035231/ >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>> >>> >>> >>> >> > > NACK for 0049.1 > > 1) > PEP8: you must use 2 empty lines between functions Fixed > > 2) > + new_args = " ".join(new_args + args) > > you don't need this, run_command takes list as argument too > new_args.extend(args) The list-based approach does not work with shell redirects which are heavily used in the certs_id_idoverrides test. 
Thus, this trick is really needed > > 3) > To make it more usable you should add raiseonerr as kwarg to > run_certutil (True as default) Done > > NACK for 0050.2 > > 1) > + tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>', > + cls.adcert1_file], cls.reqdir) > + tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>', > + cls.adcert2_file], cls.reqdir) > > IMO thus should raise an error if failed, but previously you set > raiseonerr=False (multiple times) Agreed. Done > > 2) > + cls.ad = cls.ad_domains[0].ads[0] > + cls.ad_domain = cls.ad.domain.name > + cls.aduser = "testuser@%s" % cls.ad_domain > + cls.adcert1 = 'MyCert1' > + cls.adcert2 = 'MyCert2' > + cls.adcert1_file = cls.adcert1 + '.crt' > + cls.adcert2_file = cls.adcert2 + '.crt' > > New definitions of variables/constants should be directly in class not > in install method, adding new class variables in classmethod is the same > evil as adding instance variables outside __init__ Fair point. Fixed > > 3) > I have question, why do you need AD for this test? AFAIK you can use ID > overrides without AD Correct. You can, but the workflow would be slightly different. For example, you can not issue and sign cert requests for AD-users the way you would do it for local users. We want to have tests that can be taken by end-users as example how to use our software, that's why it is better to be as close to real-world use-cases as it is possible. > > Martin^3 > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0049.2-Added-interface-to-certutil.patch Type: text/x-patch Size: 1165 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0050.3-Automated-test-for-certs-in-idoverrides-feature.patch Type: text/x-patch Size: 6498 bytes Desc: not available URL: From ofayans at redhat.com Tue Sep 6 10:58:31 2016 
From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 6 Sep 2016 12:58:31 +0200 Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test In-Reply-To: References: <57723947.2090508@redhat.com> <5772622C.9000205@redhat.com> <579FB51F.6030808@redhat.com> <98a90ec8-fa79-dd36-57dc-053204c29506@redhat.com> <57A07FE4.8000904@redhat.com> Message-ID: <1adaafe6-040d-a8a0-7c86-47b222568e81@redhat.com> Forgot to attach the test run output: -bash-4.3$ ipa-run-tests test_integration/test_certs_in_idoverrides.py --pdb WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py' WARNING: yacc table file version is out of date WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py' ==================================================================================== test session starts ===================================================================================== platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini plugins: sourceorder-0.5, multihost-1.0 collected 1 items test_integration/test_certs_in_idoverrides.py . ================================================================================= 1 passed in 681.90 seconds ================================================================================= On 09/06/2016 12:57 PM, Oleg Fayans wrote: > Hi Martin, > > Thanks for the review. The updated patches are attached. Please, see my > comments below > > On 08/30/2016 01:58 PM, Martin Basti wrote: >> >> >> On 22.08.2016 13:18, Oleg Fayans wrote: >>> ping for review >>> >>> On 08/02/2016 01:11 PM, Oleg Fayans wrote: >>>> Hi Martin, >>>> >>>> I did! Thank you! >>>> >>>> On 08/02/2016 12:31 PM, Martin Basti wrote: >>>>> >>>>> >>>>> On 01.08.2016 22:46, Oleg Fayans wrote: >>>>>> The test was redesigned so that it actually tests against an AD user. 
>>>>>> cleanly applies, passes lint and passes >>>>>> >>>>>> https://paste.fedoraproject.org/399504/00843641/ >>>>> >>>>> Okay >>>>> >>>>> Did you forget to send patches? >>>>> >>>>> Martin^2 >>>>>> >>>>>> >>>>>> On 06/28/2016 01:40 PM, Oleg Fayans wrote: >>>>>>> Patch-0050 rebased against latest upstream branch >>>>>>> >>>>>>> On 06/28/2016 10:45 AM, Oleg Fayans wrote: >>>>>>>> Passing test output: >>>>>>>> >>>>>>>> https://paste.fedoraproject.org/385774/71035231/ >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>>> >>>> >>> >> >> NACK for 0049.1 >> >> 1) >> PEP8: you must use 2 empty lines between functions > > Fixed > >> >> 2) >> + new_args = " ".join(new_args + args) >> >> you don't need this, run_command takes list as argument too >> new_args.extend(args) > > The list-based approach does not work with shell redirects which are > heavily used in the certs_id_idoverrides test. Thus, this trick is > really needed > >> >> 3) >> To make it more usable you should add raiseonerr as kwarg to >> run_certutil (True as default) > > Done > >> >> NACK for 0050.2 >> >> 1) >> + tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>', >> + cls.adcert1_file], cls.reqdir) >> + tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>', >> + cls.adcert2_file], cls.reqdir) >> >> IMO thus should raise an error if failed, but previously you set >> raiseonerr=False (multiple times) > > Agreed. Done > >> >> 2) >> + cls.ad = cls.ad_domains[0].ads[0] >> + cls.ad_domain = cls.ad.domain.name >> + cls.aduser = "testuser@%s" % cls.ad_domain >> + cls.adcert1 = 'MyCert1' >> + cls.adcert2 = 'MyCert2' >> + cls.adcert1_file = cls.adcert1 + '.crt' >> + cls.adcert2_file = cls.adcert2 + '.crt' >> >> New definitions of variables/constants should be directly in class not >> in install method, adding new class variables in classmethod is the same >> evil as adding instance variables outside __init__ > > Fair point. 
Fixed > >> >> 3) >> I have question, why do you need AD for this test? AFAIK you can use ID >> overrides without AD > > Correct. You can, but the workflow would be slightly different. For > example, you can not issue and sign cert requests for AD-users the way > you would do it for local users. We want to have tests that can be taken > by end-users as example how to use our software, that's why it is better > to be as close to real-world use-cases as it is possible. > >> >> Martin^3 >> > > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From freeipa-github-notification at redhat.com Tue Sep 6 11:06:10 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Sep 2016 13:06:10 +0200 Subject: [Freeipa-devel] [freeipa PR#59] Fix BadSyntax exception in ldapupdate.py (+ack) In-Reply-To: References: Message-ID: martbab's pull request #59: "Fix BadSyntax exception in ldapupdate.py" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/59 From freeipa-github-notification at redhat.com Tue Sep 6 11:07:04 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Sep 2016 13:07:04 +0200 Subject: [Freeipa-devel] [freeipa PR#59] Fix BadSyntax exception in ldapupdate.py (+pushed) In-Reply-To: References: Message-ID: martbab's pull request #59: "Fix BadSyntax exception in ldapupdate.py" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/59 From freeipa-github-notification at redhat.com Tue Sep 6 11:07:05 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Sep 2016 13:07:05 +0200 Subject: [Freeipa-devel] [freeipa PR#59] Fix BadSyntax exception in ldapupdate.py (comment) In-Reply-To: References: Message-ID: mbasti-rh commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/415600fe451fe806cce7dbe39ad1e9f3d676f2f9 ipa-4-4: https://fedorahosted.org/freeipa/changeset/f3ad90679773b2fd377ffac0a6eda1f674fc94a3 """ See the full comment at https://github.com/freeipa/freeipa/pull/59#issuecomment-244918830 From freeipa-github-notification at redhat.com Tue Sep 6 11:07:06 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Sep 2016 13:07:06 +0200 Subject: [Freeipa-devel] [freeipa PR#59] Fix BadSyntax exception in ldapupdate.py (closed) In-Reply-To: References: Message-ID: martbab's pull request #59: "Fix BadSyntax exception in ldapupdate.py" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/59 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/59/head:pr59 git checkout pr59 From freeipa-github-notification at redhat.com Tue Sep 6 11:08:19 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Sep 2016 13:08:19 +0200 Subject: [Freeipa-devel] [freeipa PR#60] Tests: extend DNS cmdline tests with lowercased record type (opened) Message-ID: mbasti-rh's pull request #60: "Tests: extend DNS cmdline tests with lowercased record type" was opened PR body: """ Test for https://fedorahosted.org/freeipa/ticket/6203 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/60 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/60/head:pr60 git checkout pr60 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-60.patch Type: text/x-diff Size: 1409 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 6 11:39:48 2016 From: freeipa-github-notification at redhat.com (ofayans) Date: Tue, 06 Sep 2016 13:39:48 +0200 Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (synchronize) In-Reply-To: References: Message-ID: ofayans's pull request #52: "Removed incorrect check for returncode" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/52 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/52/head:pr52 git checkout pr52 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-52.patch Type: text/x-diff Size: 10075 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 6 11:40:28 2016 
From: freeipa-github-notification at redhat.com (ofayans) Date: Tue, 06 Sep 2016 13:40:28 +0200 Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment) In-Reply-To: References: Message-ID: ofayans commented on a pull request """ Done """ See the full comment at https://github.com/freeipa/freeipa/pull/52#issuecomment-244925053 From freeipa-github-notification at redhat.com Tue Sep 6 11:48:29 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 06 Sep 2016 13:48:29 +0200 Subject: [Freeipa-devel] [freeipa PR#47] schema cache: Store and check info for pre-schema servers (synchronize) In-Reply-To: References: Message-ID: dkupka's pull request #47: "schema cache: Store and check info for pre-schema servers" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/47 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/47/head:pr47 git checkout pr47 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-47.patch Type: text/x-diff Size: 12616 bytes Desc: not available URL: From ofayans at redhat.com Tue Sep 6 11:57:51 2016 
From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 6 Sep 2016 13:57:51 +0200 Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test In-Reply-To: References: <57723947.2090508@redhat.com> <5772622C.9000205@redhat.com> <579FB51F.6030808@redhat.com> <98a90ec8-fa79-dd36-57dc-053204c29506@redhat.com> <57A07FE4.8000904@redhat.com> Message-ID: The test is updated to clean up after itself On 09/06/2016 12:57 PM, Oleg Fayans wrote: > Hi Martin, > > Thanks for the review. The updated patches are attached. Please, see my > comments below > > On 08/30/2016 01:58 PM, Martin Basti wrote: >> >> >> On 22.08.2016 13:18, Oleg Fayans wrote: >>> ping for review >>> >>> On 08/02/2016 01:11 PM, Oleg Fayans wrote: >>>> Hi Martin, >>>> >>>> I did! Thank you! >>>> >>>> On 08/02/2016 12:31 PM, Martin Basti wrote: >>>>> >>>>> >>>>> On 01.08.2016 22:46, Oleg Fayans wrote: >>>>>> The test was redesigned so that it actually tests against an AD user. >>>>>> cleanly applies, passes lint and passes >>>>>> >>>>>> https://paste.fedoraproject.org/399504/00843641/ >>>>> >>>>> Okay >>>>> >>>>> Did you forget to send patches? >>>>> >>>>> Martin^2 >>>>>> >>>>>> >>>>>> On 06/28/2016 01:40 PM, Oleg Fayans wrote: >>>>>>> Patch-0050 rebased against latest upstream branch >>>>>>> >>>>>>> On 06/28/2016 10:45 AM, Oleg Fayans wrote: >>>>>>>> Passing test output: >>>>>>>> >>>>>>>> https://paste.fedoraproject.org/385774/71035231/ >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>>> >>>> >>> >> >> NACK for 0049.1 >> >> 1) >> PEP8: you must use 2 empty lines between functions > > Fixed > >> >> 2) >> + new_args = " ".join(new_args + args) >> >> you don't need this, run_command takes list as argument too >> new_args.extend(args) > > The list-based approach does not work with shell redirects which are > heavily used in the certs_id_idoverrides test. 
Thus, this trick is > really needed > >> >> 3) >> To make it more usable you should add raiseonerr as kwarg to >> run_certutil (True as default) > > Done > >> >> NACK for 0050.2 >> >> 1) >> + tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>', >> + cls.adcert1_file], cls.reqdir) >> + tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>', >> + cls.adcert2_file], cls.reqdir) >> >> IMO thus should raise an error if failed, but previously you set >> raiseonerr=False (multiple times) > > Agreed. Done > >> >> 2) >> + cls.ad = cls.ad_domains[0].ads[0] >> + cls.ad_domain = cls.ad.domain.name >> + cls.aduser = "testuser@%s" % cls.ad_domain >> + cls.adcert1 = 'MyCert1' >> + cls.adcert2 = 'MyCert2' >> + cls.adcert1_file = cls.adcert1 + '.crt' >> + cls.adcert2_file = cls.adcert2 + '.crt' >> >> New definitions of variables/constants should be directly in class not >> in install method, adding new class variables in classmethod is the same >> evil as adding instance variables outside __init__ > > Fair point. Fixed > >> >> 3) >> I have question, why do you need AD for this test? AFAIK you can use ID >> overrides without AD > > Correct. You can, but the workflow would be slightly different. For > example, you can not issue and sign cert requests for AD-users the way > you would do it for local users. We want to have tests that can be taken > by end-users as example how to use our software, that's why it is better > to be as close to real-world use-cases as it is possible. > >> >> Martin^3 >> > > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0050.4-Automated-test-for-certs-in-idoverrides-feature.patch Type: text/x-patch Size: 6556 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 6 12:29:52 2016 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 06 Sep 2016 14:29:52 +0200 Subject: [Freeipa-devel] [freeipa PR#50] Add cert checks in ipa-server-certinstall (synchronize) In-Reply-To: References: Message-ID: flo-renaud's pull request #50: "Add cert checks in ipa-server-certinstall" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/50 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/50/head:pr50 git checkout pr50 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-50.patch Type: text/x-diff Size: 3883 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 6 13:56:34 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 06 Sep 2016 15:56:34 +0200 Subject: [Freeipa-devel] [freeipa PR#61] Use Travis-CI for basic sanity checks (opened) Message-ID: martbab's pull request #61: "Use Travis-CI for basic sanity checks" was opened PR body: """ This patch adds the config file for Travis CI. The config file instructs the CI to: * check pep8 errors in PR * pull in a freeipa builder container image from docker.io/martbab/freeipa-fedora-builder * build RPMs in pulled container These basic checks should eliminate basic errors that can break the build itself, it does not run any of our integration/unit tests. """ See the full pull-request at https://github.com/freeipa/freeipa/pull/61 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/61/head:pr61 git checkout pr61 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-61.patch Type: text/x-diff Size: 1230 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 6 14:19:54 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 06 Sep 2016 16:19:54 +0200 Subject: [Freeipa-devel] [freeipa PR#47] schema cache: Store and check info for pre-schema servers (+ack) In-Reply-To: References: Message-ID: dkupka's pull request #47: "schema cache: Store and check info for pre-schema servers" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/47 From freeipa-github-notification at redhat.com Tue Sep 6 14:21:30 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 06 Sep 2016 16:21:30 +0200 Subject: [Freeipa-devel] [freeipa PR#47] schema cache: Store and check info for pre-schema servers (comment) In-Reply-To: References: Message-ID: jcholast commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ec2401917456d6f643532c0d0218c9e75172c2d8 ipa-4-4: https://fedorahosted.org/freeipa/changeset/2be232f67074ef052debb91962dbc8acd09d45bd """ See the full comment at https://github.com/freeipa/freeipa/pull/47#issuecomment-244965424 From freeipa-github-notification at redhat.com Tue Sep 6 14:21:32 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 06 Sep 2016 16:21:32 +0200 Subject: [Freeipa-devel] [freeipa PR#47] schema cache: Store and check info for pre-schema servers (+pushed) In-Reply-To: References: Message-ID: dkupka's pull request #47: "schema cache: Store and check info for pre-schema servers" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/47 From freeipa-github-notification at redhat.com Tue Sep 6 14:21:33 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 06 Sep 2016 16:21:33 +0200 Subject: [Freeipa-devel] [freeipa PR#47] schema cache: Store and check info for pre-schema servers (closed) In-Reply-To: References: Message-ID: dkupka's pull request #47: "schema cache: Store and check info for pre-schema servers" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/47 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/47/head:pr47 git checkout pr47 From freeipa-github-notification at redhat.com Tue Sep 6 14:26:12 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 06 Sep 2016 16:26:12 +0200 Subject: [Freeipa-devel] [freeipa PR#50] Add cert checks in ipa-server-certinstall (comment) In-Reply-To: References: Message-ID: jcholast commented on a pull request """ More comments inline. """ See the full comment at https://github.com/freeipa/freeipa/pull/50#issuecomment-244967015 From freeipa-github-notification at redhat.com Tue Sep 6 14:40:13 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Sep 2016 16:40:13 +0200 Subject: [Freeipa-devel] [freeipa PR#55] Fix parse errors with link-local addresses (comment) In-Reply-To: References: Message-ID: mbasti-rh commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/db55bde15dd83a0ed29205a127cefabe691e81b1 ipa-4-4: https://fedorahosted.org/freeipa/changeset/d900c229f484c99a65ff5398de25057c50a6eef1 """ See the full comment at https://github.com/freeipa/freeipa/pull/55#issuecomment-244971711 From freeipa-github-notification at redhat.com Tue Sep 6 14:40:14 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Sep 2016 16:40:14 +0200 Subject: [Freeipa-devel] [freeipa PR#55] Fix parse errors with link-local addresses (+pushed) In-Reply-To: References: Message-ID: mbasti-rh's pull request #55: "Fix parse errors with link-local addresses" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/55 From freeipa-github-notification at redhat.com Tue Sep 6 14:40:16 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Sep 2016 16:40:16 +0200 Subject: [Freeipa-devel] [freeipa PR#55] Fix parse errors with link-local addresses (closed) In-Reply-To: References: Message-ID: mbasti-rh's pull request #55: "Fix parse errors with link-local addresses" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/55 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/55/head:pr55 git checkout pr55 From dkupka at redhat.com Tue Sep 6 14:41:30 2016 
From: dkupka at redhat.com (David Kupka) Date: Tue, 6 Sep 2016 16:41:30 +0200 Subject: [Freeipa-devel] [PATCH] ca-less tests updated In-Reply-To: References: <56337745.109@redhat.com> <563B091B.3010501@redhat.com> <563B6A96.8090606@redhat.com> <563BABEC.8080304@redhat.com> <563C5B1A.1090803@redhat.com> <563C5E6D.4060307@redhat.com> <563CA575.1030808@redhat.com> <567176A2.1000901@redhat.com> <5707C431.6070702@redhat.com> <570E1E70.6060309@redhat.com> <5715F6B5.3070003@redhat.com> <57173F56.5020308@redhat.com> <5731F951.1020700@redhat.com> <57A99B02.1010507@redhat.com> Message-ID: <84a03933-9820-2c63-ef7b-1cf63a44e3a9@redhat.com> Hi Oleg! 0013 - It looks like there are two unrelated changes, addition of the CRL distribution extension and creating a certificate signed by a no longer existing CA. Please create a separate patch for each of the changes, and describe the change and the reason for it in the commit messages. 0014 - Could you please split the patch into "numerous" commits, each fixing one error? Please also describe each fix so everyone has at least a vague idea about the patch without reading its code. Also, why do you introduce the global variable config? I don't see it used anywhere. 0039 - It looks like multiple different changes, and the commit message says nothing again. Please split it and describe what you changed and why. 0041 - Looks like a weird workaround to me. It would be better to investigate the root cause and fix it. Or at least describe the cause in the commit message and a code comment if it can't be fixed. Also "-h is deprecated in favor of -H" says man 1 ldapmodify. On 05/09/16 14:32, Oleg Fayans wrote: > Hi guys, > > Finally the ca-less tests are stable. Here in the attachment is the full > set of necessary patches. > > > On 08/09/2016 10:57 AM, Oleg Fayans wrote: >> Hi all, >> >> Bump for the review of the 0013 patch. 
The script it addresses can be >> reused in some WebUI tests - one more reason to have it reviewed/merged >> >> The rest of the patches should be re-tested, since they were prepared a good >> while ago >> >> On 05/10/2016 05:08 PM, Oleg Fayans wrote: >>> Hi David, >>> >>> After quite a while and some more struggles here comes the updated >>> version of the patch together with other patches fixing things in >>> ipatests/test_integration/tasks.py >>> Server and replica installation was refactored in a way to utilize the >>> code from tasks.py as much as possible >>> >>> The full set of necessary patches is attached >>> >>> >>> On 04/20/2016 10:35 AM, David Kupka wrote: >>>> On 19/04/16 11:13, Oleg Fayans wrote: >>>>> OK, that one, though passing lint, did not actually work. I gave up my >>>>> attempts to define method decorators inside the class. Now it passes >>>>> lint AND works:) >>>>> >>>> >>>> Hi Oleg! >>>> >>>> 1) The current commit message is useless. Please use it to describe what >>>> the point of the patch is. >>>> >>>> 2) $ git show -U0 | pep8 --diff >>>> ./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank >>>> lines, found 1 >>>> ./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank >>>> lines, found 1 >>>> ./ipatests/test_integration/test_caless.py:820:5: E303 too many blank >>>> lines (2) >>>> ./ipatests/test_integration/test_caless.py:825:80: E501 line too long >>>> (80 > 79 characters) >>>> ./ipatests/test_integration/test_caless.py:1035:44: E225 missing >>>> whitespace around operator >>>> >>>> >>>> 3) Isn't there a way to do this with pytest's fixtures? 
>>>> >>>>> +def server_install_teardown(func): >>>>> + def wrapped(*args): >>>>> + try: >>>>> + func(*args) >>>>> + finally: >>>>> + args[0].uninstall_server() >>>>> + return wrapped >>>>> + >>>>> +def replica_install_teardown(func): >>>>> + def wrapped(*args): >>>>> + try: >>>>> + func(*args) >>>>> + finally: >>>>> + # Uninstall replica >>>>> + replica = args[0].replicas[0] >>>>> + tasks.kinit_admin(args[0].master) >>>>> + args[0].uninstall_server(replica) >>>>> + args[0].master.run_command(['ipa-replica-manage', 'del', >>>>> + replica.hostname, '--force'], >>>>> + raiseonerr=False) >>>>> + args[0].master.run_command(['ipa', 'host-del', >>>>> + replica.hostname], >>>>> + raiseonerr=False) >>>>> + return wrapped >>>>> + >>> >>> There is a standard pytest method called 'method_teardown', that is >>> intended to be executed after each test method, but with our setup it does >>> not work. >>> >>>> >>>> 4) Is it necessary to create the $TEST_DIR in the test? Isn't it >>>> created >>>> by the framework? >>>> >>>>> + host.transport.mkdir_recursive(host.config.test_dir) >>>> >>> >>> Removed. >>> >>>> >>>> 5) I don't think the comment matches the code. >>>> >>>>> >>>>> + # Remove CA cert in /etc/pki/nssdb, in case of failed >>>>> (un)install >>>>> + for host in cls.get_all_hosts(): >>>>> + cls.uninstall_server(host) >>>>> + >>>>> super(CALessBase, cls).uninstall(mh) >>>> >>> >>> Not actual anymore >>> >>>> >>>> 6) No! Create a list with one element, iterate that list and append every >>>> item to the other list. Maybe there's a better way (Hint: append). >>>> I've seen this in multiple places. >>>> >>>>> if unattended: >>>>> args.extend(['-U']) >>> >>> Agreed >>> >>>> >>>> 7) Why don't you (extend and) use >>>> ipatests.test_integration.tasks.(un)install_{master,replica}? >>>> This could be done pretty much all over the code. >>>> >>>>> host.run_command(['ipa-server-install', '--uninstall', >>>>> '-U']) >>>> >>>> 8) Use ipaplatform.paths for certutil and other binaries. 
If the binary >>>> is not there feel free to add it. >>>> I've seen this in multiple places. >>>> >>>>> + host.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D', >>>>> + '-n', 'External CA cert'], >>>>> + raiseonerr=False) >>>>> + # A workaround >>>>> forhttps://fedorahosted.org/freeipa/ticket/4639 >>>>> + result = host.run_command(['certutil', '-L', '-d', >>>>> + paths.HTTPD_ALIAS_DIR]) >>>>> + for rawcert in result.stdout_text.split('\n')[4: -1]: >>>>> + cert = rawcert.split(' ')[0] >>>>> + host.run_command(['certutil', '-D', '-d', >>>>> paths.HTTPD_ALIAS_DIR, >>>>> + '-n', cert]) >>>>> >>> >>> Done >>> >>>> >>>> 9) certmonger is a system service. You can check if it is .enabled() and >>>> .running(). And IIUC the comment is the negation of what the code does. >>>> >>>>> >>>>> # Verify certmonger was not started >>>>> result = host.run_command(['getcert', 'list'], >>>>> raiseonerr=False) >>>>> - assert result > 0 >>>>> - assert ('Please verify that the certmonger service has >>>>> been ' >>>>> 'started.' in result.stdout_text), >>>>> result.stdout_text >>>>> + assert result.returncode == 0 >>>> >>>> 10) What is the point of calling uninstall_server() when it will be >>>> called in the finally block of server_install_teardown anyway? >>>> >>>>> + @server_install_teardown >>>>> def test_revoked_http(self): >>>>> "IPA server install with revoked HTTP certificate" >>>>> >>>>> if result.returncode == 0: >>>>> + self.uninstall_server() >>>>> raise nose.SkipTest( >>>>> "Known CA-less installation defect, see " >>>>> +"https://fedorahosted.org/freeipa/ticket/4270") >>>>> >>>>> assert result.returncode > 0 >>>>> >>> Removed >>> >>>> >>>> Nitpick) Do not mix fixing typos/grammar/spelling/style with functional >>>> changes. 
>>>> >>>>> - def test_incorect_http_pin(self): >>>>> + @pytest.mark.xfail(reason='freeipa ticket 5378') >>>>> + def test_incorrect_http_pin(self): >>>>> "Install new HTTP certificate with incorrect PKCS#12 >>>>> password" >>> >>> Removed >>> >>>> >>>> >>> >>> >>> >> > -- David Kupka From ftweedal at redhat.com Tue Sep 6 14:49:39 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 6 Sep 2016 21:49:39 +0700 Subject: [Freeipa-devel] [PATCH] 0101 Add ca-disable and ca-enable commands In-Reply-To: <3db9b05b-5bfa-ddf6-daeb-5e2be57beca9@redhat.com> References: <20160825082523.GM3877@dhcp-40-8.bne.redhat.com> <2ecd524c-94aa-e492-aeb8-b1b8fab2135c@redhat.com> <10af7aea-68d8-49c2-b712-85969b5b2079@redhat.com> <3db9b05b-5bfa-ddf6-daeb-5e2be57beca9@redhat.com> Message-ID: <20160906144939.GK11489@dhcp-40-8.bne.redhat.com> On Tue, Aug 30, 2016 at 10:23:10AM +0200, Martin Babinsky wrote: > On 08/30/2016 10:09 AM, Jan Cholasta wrote: > > Hi, > > > > On 30.8.2016 09:56, Martin Babinsky wrote: > > > On 08/25/2016 10:25 AM, Fraser Tweedale wrote: > > > > Hi team, > > > > > > > > The attached patch fixes > > > > https://fedorahosted.org/freeipa/ticket/6257. > > > > > > > > The behaviour of cert-request when the CA is disabled is not very > > > > nice (it reports a server error from Dogtag). The Dogtag REST > > > > interface gives much better errors so I plan to move to it in a > > > > later change (which will also address > > > > https://fedorahosted.org/freeipa/ticket/3473, in part). > > > > > > > > Thanks, > > > > Fraser > > > > > > > > > > > > > > > > > > HI Fraser, > > > > > > I have a couple of comments below: > > > > > > 1.) 
> > > @@ -25,6 +33,10 @@ EXAMPLES: > > > ipa ca-add puppet --desc "Puppet" \\ > > > --subject "CN=Puppet CA,O=EXAMPLE.COM" > > > > > > + Disable a CA. > > > + > > > + ipa ca-disable puppet > > > + > > > """) > > > > > > You missed an example of `ca-enable` command in the doc string. > > > > > > 2.) > > > > > > Regarding implementation of ca_enable/disable, I think you can reduce > > > the amount of code duplication by employing a base class which will look > > > up the required sub-CA and call the RA backend method required by the > > > subclass. See the attached untested diff (passes lint) for details. > > Looks like I forgot how to OOP while on PTO :) Honza is right, of course, > see the example code in the attached diff (again not tested, just a quick > example). > Updated patch attached, implemented inheritance suggestion and expanding plugin help. Thanks, Fraser -------------- next part -------------- From 61adc46ec9a19f1044231d193a0d9cdef0adba64 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 25 Aug 2016 17:00:01 +1000 Subject: [PATCH] Add ca-disable and ca-enable commands We soon plan to revoke certificates upon lightweight CA deletion. This makes it important to provide a way to prevent a CA from issuing certificates whilst not deleting and revoking it, and continuing to allow management of issued certs. This commit adds the ca-disable and ca-enable commands. Fixes: https://fedorahosted.org/freeipa/ticket/6257 --- API.txt | 16 +++++++++++ VERSION | 4 +-- ipaserver/plugins/ca.py | 66 +++++++++++++++++++++++++++++++++++++++++++-- ipaserver/plugins/dogtag.py | 6 +++++ 4 files changed, 88 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index 5b83bfbd0b457b77e0522ab7d83abfae4df3ebe9..27b64ee143fa4f5f55c1b8a32446f004a8e3bb22 100644 --- a/API.txt +++ b/API.txt 
@@ -465,6 +465,20 @@ option: Str('version?') output: Output('result', type=[]) output: Output('summary', type=[, ]) output: ListOfPrimaryKeys('value') +command: ca_disable/1 +args: 1,1,3 +arg: Str('cn', cli_name='name') +option: Str('version?') +output: Output('result', type=[]) +output: Output('summary', type=[, ]) +output: PrimaryKey('value') +command: ca_enable/1 +args: 1,1,3 +arg: Str('cn', cli_name='name') +option: Str('version?') +output: Output('result', type=[]) +output: Output('summary', type=[, ]) +output: PrimaryKey('value') command: ca_find/1 args: 1,11,4 arg: Str('criteria?') @@ -6249,6 +6263,8 @@ default: batch/1 default: ca/1 default: ca_add/1 default: ca_del/1 +default: ca_disable/1 +default: ca_enable/1 default: ca_find/1 default: ca_is_enabled/1 default: ca_mod/1 diff --git a/VERSION b/VERSION index bf8160a5deb1f7a5148ef6833cec318af144b5d7..c6fb1cba2757d919a88093ca3f060f80b2d30621 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=212 -# Last change: ab: service: add flag to allow S4U2Self +IPA_API_VERSION_MINOR=213 +# Last change: ftweedal: add ca-disable and ca-enable commands diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index 966ae2b1bdb4bb0207dfa58f0e9c951bc930f766..4d83fe81c951b01d06d3c85d74fe94e24bce0b1f 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -2,12 +2,12 @@ # Copyright (C) 2016 FreeIPA Contributors see COPYING for license # -from ipalib import api, errors, DNParam, Str +from ipalib import api, errors, output, DNParam, Str from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from ipaserver.plugins.baseldap import ( LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, - LDAPUpdate, LDAPRetrieve) + LDAPUpdate, LDAPRetrieve, LDAPQuery, pkey_to_value) from ipaserver.plugins.cert import ca_enabled_check from ipalib import _, ngettext 
@@ -18,6 +18,14 @@ Manage Certificate Authorities Subordinate Certificate Authorities (Sub-CAs) can be added for scoped issuance of X.509 certificates. +CAs are enabled on creation, but their use is subject to CA ACLs unless the +operator has permission to bypass CA ACLs. + +All CAs except the 'IPA' CA can be disabled or re-enabled. Disabling a CA +prevents it from issuing certificates but does not affect the validity of its +certificate. + + EXAMPLES: Create new CA, subordinate to the IPA CA. @@ -25,6 +33,14 @@ EXAMPLES: ipa ca-add puppet --desc "Puppet" \\ --subject "CN=Puppet CA,O=EXAMPLE.COM" + Disable a CA. + + ipa ca-disable puppet + + Re-enable a CA. + + ipa ca-enable puppet + """) @@ -222,3 +238,49 @@ class ca_mod(LDAPUpdate): reason=u'IPA CA cannot be renamed') return dn + + +class CAQuery(LDAPQuery): + has_output = output.standard_value + + def execute(self, cn, **options): + ca_enabled_check() + + ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0] + with self.api.Backend.ra_lightweight_ca as ca_api: + self.perform_action(ca_api, ca_id) + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + def perform_action(self, ca_api, ca_id): + raise NotImplementedError + + + at register() +class ca_disable(CAQuery): + __doc__ = _('Disable a CA.') + msg_summary = _('Disabled CA "%(value)s"') + + def execute(self, cn, **options): + if cn == IPA_CA_CN: + raise errors.ProtectedEntryError( + label=_("CA"), + key=cn, + reason=_("IPA CA cannot be disabled")) + + return super(ca_disable, self).execute(cn, **options) + + def perform_action(self, ca_api, ca_id): + ca_api.disable_ca(ca_id) + + + at register() +class ca_enable(CAQuery): + __doc__ = _('Enable a CA.') + msg_summary = _('Enabled CA "%(value)s"') + + def perform_action(self, ca_api, ca_id): + ca_api.enable_ca(ca_id) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index aef1e888eb1b6c273c1fd12cbf4912407f8f8132..01e5f1383ee135696a8e968793863ce964025094 100644 
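Review bot: CAQuery.execute in the ca.py hunk above performs no authorization of its own: it reads ipacaid through ca_show and then calls ra_lightweight_ca, which authenticates to Dogtag with the IPA RA agent certificate rather than as the caller, so any principal allowed to read a CA entry can disable or re-enable that CA. Check that the operator may modify the CA entry (for example a write check against the dn returned by ca_show) and raise errors.ACIError before entering the `with self.api.Backend.ra_lightweight_ca as ca_api:` block. Separately, the module docstring says `All CAs except the 'IPA' CA can be disabled or re-enabled`, but only ca_disable carries the `if cn == IPA_CA_CN:` ProtectedEntryError guard; either add the same guard to ca_enable or narrow that sentence to disabling.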
--- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -2211,5 +2211,11 @@ class ra_lightweight_ca(RestClient): headers={'Accept': 'application/json'}, ) + def enable_ca(self, ca_id): + self._ssldo( + 'POST', ca_id + '/enable', + headers={'Accept': 'application/json'}, + ) + def delete_ca(self, ca_id): self._ssldo('DELETE', ca_id) -- 2.5.5 From ftweedal at redhat.com Tue Sep 6 14:51:45 2016 
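Review bot: ca_disable.perform_action in ca.py calls ca_api.disable_ca(ca_id), but the dogtag.py hunk above adds only enable_ca to ra_lightweight_ca; the method ending just before it in the context lines is presumably an existing disable_ca, so please confirm it is there, since the API.txt and VERSION changes would not catch an AttributeError that appears only at runtime. A one-line docstring on enable_ca saying that it must be called inside the `with` (agent session) context would also help the next reader.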
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 6 Sep 2016 21:51:45 +0700 Subject: [Freeipa-devel] [PATCH] 0102..0105 Better handling for cert-request to disabled CA In-Reply-To: References: <20160826021907.GN3877@dhcp-40-8.bne.redhat.com> Message-ID: <20160906145145.GL11489@dhcp-40-8.bne.redhat.com> On Tue, Aug 30, 2016 at 10:54:32AM +0200, Martin Babinsky wrote: > On 08/26/2016 04:19 AM, Fraser Tweedale wrote: > > The attached patches add better handling of cert-request failure due > > to target CA being disabled (#6260). To do this, rather than go and > > do extra work in Dogtag that we would depend on, instead I bite the > > bullet and refactor ra.request_certificate to use the Dogtag REST > > API, which correctly responds with status 409 in this case. > > > > Switching RA to Dogtag REST API is an old ticket (#3437) so these > > patches address it in part, and show the way forward for the rest of > > it. > > > > These patches don't technically depend on patch 0101 which adds the > > ca-enable and ca-disable commands, but 0101 may help for testing :) > > > > Thanks, > > Fraser > > > > > > > > Hi Fraser, > > PATCH 102: > > LGTM, but please use the standard ":param " annotations in the docstring for > the `_ssldo` method. It will make our life easier if we decide to use Sphinx or > a similar tool to auto-generate documentation from sources. > > You can also add a ":raises:" section describing that RemoteRetrieveError is > raised when use_session is True but the session cookie wasn't acquired. It > is kind of obvious but it may trip the uninitiated. > > PATCH 103: > > Due to magical behavior of our public errors, the exception body should look > like this: > > --- a/ipalib/errors.py > +++ b/ipalib/errors.py 
> @@ -1413,10 +1413,7 @@ class HTTPRequestError(RemoteRetrieveError): > """ > > errno = 4035 > - > - def __init__(self, status=None, **kw): > - assert status is not None > - super(HTTPRequestError, self).__init__(status=status, **kw) > + format = _('Request failed with status %(status)s: %(reason)') > > The format string will then automatically be supplied with status and > reason if you pass them to the constructor as you already do. The errors > will also be handled magically (such as status which is None etc.) > > PATCH 104: > > 1.) please don't use bare except here: > > """ > + try: > + resp_obj = json.loads(http_body) > + except: > + raise errors.RemoteRetrieveError(reason=_("Response from CA was > not valid JSON")) > """ > > use 'except Exception' at least. > > PATCH 105: > > + if e.status == 409: # pylint: disable=E1101 > + raise errors.CertificateOperationError( > + error=_("CA '%s' is disabled") % ca) > + else: > + raise e > + > > please use named errors instead of error codes in pylint annotations: > # pylint: disable=no-member > Thanks for your review, Martin. Updated patches attached; they address all mentioned issues. Cheers, Fraser -------------- next part -------------- From a1aa93ed13a24c9ac946e47ecd49606ebad8bd9e Mon Sep 17 00:00:00 2001 
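Review bot: the `format` line in the quoted errors.py hunk above is missing the conversion character on its second placeholder: `%(reason)` must be `%(reason)s`, otherwise rendering the message raises ValueError (incomplete format) instead of producing the error text. Fraser's updated patch 103 further down spells it `%(reason)s`, so this is only worth noting for anyone copying the suggestion from this mail.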
From: Fraser Tweedale Date: Fri, 26 Aug 2016 08:59:10 +1000 Subject: [PATCH 102/105] Allow Dogtag RestClient to perform requests without logging in Currently the Dogtag RestClient '_ssldo' method requires a session cookie unconditionally, however, not all REST methods require a session: some do not require authentication at all, and some will authenticate the agent on the fly. To avoid unnecessary login/logout requests via the context manager, add the 'use_session' keyword argument to '_ssldo'. It defaults to 'True' to preserve existing behaviour (session required) but a caller can set to 'False' to avoid the requirement. Part of: https://fedorahosted.org/freeipa/ticket/6260 Part of: https://fedorahosted.org/freeipa/ticket/3473 --- ipaserver/plugins/dogtag.py | 36 ++++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 01e5f1383ee135696a8e968793863ce964025094..f3fb2703f4e1ea688e38cecd02c9acc79213eb40 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
@@ -2071,26 +2071,38 @@ class RestClient(Backend): ) self.cookie = None - def _ssldo(self, method, path, headers=None, body=None): + def _ssldo(self, method, path, headers=None, body=None, use_session=True): """ - :param url: The URL to post to. - :param kw: Keyword arguments to encode into POST body. + Perform an HTTPS request. + + :param method: HTTP method to use + :param path: Path component. This will *extend* the path defined for + the class (if any). + :param headers: Additional headers to include in the request. + :param body: Request body. + :param use_session: If ``True``, session cookie is added to request + (client must be logged in). + :return: (http_status, http_headers, http_body) as (integer, dict, str) - Perform an HTTPS request - """ - if self.cookie is None: - raise errors.RemoteRetrieveError( - reason=_("REST API is not logged in.")) + :raises: ``RemoteRetrieveError`` if ``use_session`` is not ``False`` + and client is not logged in. + """ headers = headers or {} - headers['Cookie'] = self.cookie + if use_session: + if self.cookie is None: + raise errors.RemoteRetrieveError( + reason=_("REST API is not logged in.")) + headers['Cookie'] = self.cookie + + resource = '/ca/rest' + if self.path is not None: + resource = os.path.join(resource, self.path) if path is not None: - resource = os.path.join('/ca/rest', self.path, path) - else: - resource = os.path.join('/ca/rest', self.path) + resource = os.path.join(resource, path) # perform main request status, resp_headers, resp_body = dogtag.https_request( -- 2.5.5 -------------- next part -------------- From ad6b3eb1c831eb845217c8e2da590ce1dd3c2c5f Mon Sep 17 00:00:00 2001 
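Review bot: `use_session=False` does not make the request unauthenticated, and the docstring should say so: dogtag.https_request is still given self.sec_dir, self.password and self.ipa_certificate_nickname, so every call is made over TLS with the RA agent client certificate, and only the session cookie is omitted. Two smaller points in the same hunk: the ':raises:' clause reads `if use_session is not False`, which should be `if use_session is True`; and the new resource construction uses os.path.join, which discards everything before an absolute component, so a class `path` or call `path` that begins with '/' silently escapes the '/ca/rest' prefix. Strip leading slashes (path.lstrip('/')) or assert they are absent.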
From: Fraser Tweedale Date: Fri, 26 Aug 2016 09:04:04 +1000 Subject: [PATCH 103/105] Add HTTPRequestError class Currently, HTTP requests that respond with status not in the 2xx range raise RemoteRetrieveError. The exception includes no information about the response status. Add the 'HTTPRequestError' class which extends 'RemoteRequestError' with an attribute for the response status, and update the Dogtag RestClient to raise the new error. Part of: https://fedorahosted.org/freeipa/ticket/6260 Part of: https://fedorahosted.org/freeipa/ticket/3473 --- ipalib/errors.py | 10 ++++++++++ ipaserver/plugins/dogtag.py | 3 ++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/ipalib/errors.py b/ipalib/errors.py index 4cc4455b0abf7d2b1366e1ce6dbb3762bc551cc6..86d758b98e65b13c08d4f3a6bcb54e5a612fb3c4 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1406,6 +1406,16 @@ class OperationNotSupportedForPrincipalType(ExecutionError): '%(operation)s is not supported for %(principal_type)s principals') +class HTTPRequestError(RemoteRetrieveError): + """ + **4035** Raised when an HTTP request fails. Includes the response + status in the ``status`` attribute. + """ + + errno = 4035 + format = _('Request failed with status %(status)s: %(reason)s') + + class BuiltinError(ExecutionError): """ **4100** Base class for builtin execution errors (*4100 - 4199*). diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index f3fb2703f4e1ea688e38cecd02c9acc79213eb40..a7742ffa9bbe00c2f435ed457ff62f14f1d529ba 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
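Review bot: the commit message says the new class extends 'RemoteRequestError', but the hunk (correctly) subclasses RemoteRetrieveError; please fix the message. The new `format` interpolates %(status)s, while the only caller in this patch, the dogtag.py hunk, passes a reason that itself starts with 'Non-2xx response from CA REST API: %(status)d', so the rendered error carries the status twice; drop it from one of the two strings. Since errno 4035 becomes part of the public error numbering, please also confirm it is unused in the 4000 range.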
@@ -2113,7 +2113,8 @@ class RestClient(Backend): ) if status < 200 or status >= 300: explanation = self._parse_dogtag_error(resp_body) or '' - raise errors.RemoteRetrieveError( + raise errors.HTTPRequestError( + status=status, reason=_('Non-2xx response from CA REST API: %(status)d. %(explanation)s') % {'status': status, 'explanation': explanation} ) -- 2.5.5 -------------- next part -------------- From 2933f932c9ed8ad54531b831f22f1a15a7f1d82d Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 26 Aug 2016 10:02:21 +1000 Subject: [PATCH 104/105] Use Dogtag REST API for certificate requests The Dogtag REST API gives better responses statuses than the RPC API and properly reports failure due to disabled CA (status 409). Make 'ra' extend 'RestClient' and refactor the 'request_certificate' method to use Dogtag's REST API. Part of: https://fedorahosted.org/freeipa/ticket/6260 Part of: https://fedorahosted.org/freeipa/ticket/3473 --- install/conf/ipa-pki-proxy.conf | 4 +- ipaserver/plugins/dogtag.py | 498 ++++++++++++++++------------------------ 2 files changed, 204 insertions(+), 298 deletions(-) diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 545f21253ec8895397e43a3c9637956e94f40293..b48a3020d22df623fab471b2367adfd5d521544c 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -1,4 +1,4 @@ -# VERSION 9 - DO NOT REMOVE THIS LINE +# VERSION 10 - DO NOT REMOVE THIS LINE ProxyRequests Off @@ -27,7 +27,7 @@ ProxyRequests Off # matches for CA REST API - + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient optional ProxyPassMatch ajp://localhost:$DOGTAG_PORT diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index a7742ffa9bbe00c2f435ed457ff62f14f1d529ba..77d24731bbc102ace3123a6fe41a631ea7c24f3b 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
@@ -566,83 +566,6 @@ def parse_error_response_xml(doc): return response -def parse_profile_submit_result_xml(doc): - ''' - :param doc: The root node of the xml document to parse - :returns: result dict - :except ValueError: - - CMS returns an error code and an array of request records. - - This function returns a response dict with the following format: - {'error_code' : int, 'requests' : [{}]} - - The mapping of fields and data types is illustrated in the following table. - - If the error_code is not SUCCESS then the response dict will have the - contents described in `parse_error_response_xml`. - - +--------------------+----------------+------------------------+---------------+ - |cms name |cms type |result name |result type | - +====================+================+========================+===============+ - |Status |int |error_code |int | - +--------------------+----------------+------------------------+---------------+ - |Requests[].Id |string |requests[].request_id |unicode | - +--------------------+----------------+------------------------+---------------+ - |Requests[].SubjectDN|string |requests[].subject |unicode | - +--------------------+----------------+------------------------+---------------+ - |Requests[].serialno |BigInteger |requests[].serial_number|int|long | - +--------------------+----------------+------------------------+---------------+ - |Requests[].b64 |string |requests[].certificate |unicode [1]_ | - +--------------------+----------------+------------------------+---------------+ - |Requests[].pkcs7 |string | | | - +--------------------+----------------+------------------------+---------------+ - - .. 
[1] Base64 encoded - - ''' - - error_code = get_error_code_xml(doc) - if error_code != CMS_SUCCESS: - response = parse_error_response_xml(doc) - return response - - response = {} - response['error_code'] = error_code - - requests = [] - response['requests'] = requests - - for request in doc.xpath('//XMLResponse/Requests[*]/Request'): - response_request = {} - requests.append(response_request) - - request_id = request.xpath('Id[1]') - if len(request_id) == 1: - request_id = etree.tostring(request_id[0], method='text', - encoding=unicode).strip() - response_request['request_id'] = request_id - - subject_dn = request.xpath('SubjectDN[1]') - if len(subject_dn) == 1: - subject_dn = etree.tostring(subject_dn[0], method='text', - encoding=unicode).strip() - response_request['subject'] = subject_dn - - serial_number = request.xpath('serialno[1]') - if len(serial_number) == 1: - serial_number = int(serial_number[0].text, 16) # parse as hex - response_request['serial_number'] = serial_number - response['serial_number_hex'] = u'0x%X' % serial_number - - certificate = request.xpath('b64[1]') - if len(certificate) == 1: - certificate = etree.tostring(certificate[0], method='text', - encoding=unicode).strip() - response_request['certificate'] = certificate - - return response - def parse_check_request_result_xml(doc): ''' 
@@ -1286,32 +1209,159 @@ from ipaplatform.paths import paths register = Registry() +class RestClient(Backend): + """Simple Dogtag REST client to be subclassed by other backends. + + This class is a context manager. Authenticated calls must be + executed in a ``with`` suite:: + + @register() + class ra_certprofile(RestClient): + path = 'profile' + ... + + with api.Backend.ra_certprofile as profile_api: + # REST client is now logged in + profile_api.create_profile(...) + + """ + path = None + + @staticmethod + def _parse_dogtag_error(body): + try: + return pki.PKIException.from_json(json.loads(body)) + except Exception: + return None + + def __init__(self, api): + if api.env.in_tree: + self.sec_dir = api.env.dot_ipa + os.sep + 'alias' + self.pwd_file = self.sec_dir + os.sep + '.pwd' + else: + self.sec_dir = paths.HTTPD_ALIAS_DIR + self.pwd_file = paths.ALIAS_PWDFILE_TXT + self.noise_file = self.sec_dir + os.sep + '.noise' + self.ipa_key_size = "2048" + self.ipa_certificate_nickname = "ipaCert" + self.ca_certificate_nickname = "caCert" + self._read_password() + super(RestClient, self).__init__(api) + + # session cookie + self.override_port = None + self.cookie = None + + def _read_password(self): + try: + with open(self.pwd_file) as f: + self.password = f.readline().strip() + except IOError: + self.password = '' + + @cachedproperty + def ca_host(self): + """ + :return: host + as str + + Select our CA host. 
+ """ + ldap2 = self.api.Backend.ldap2 + if host_has_service(api.env.ca_host, ldap2, "CA"): + return api.env.ca_host + if api.env.host != api.env.ca_host: + if host_has_service(api.env.host, ldap2, "CA"): + return api.env.host + host = select_any_master(ldap2) + if host: + return host + else: + return api.env.ca_host + + def __enter__(self): + """Log into the REST API""" + if self.cookie is not None: + return + status, resp_headers, resp_body = dogtag.https_request( + self.ca_host, self.override_port or self.env.ca_agent_port, + '/ca/rest/account/login', + self.sec_dir, self.password, self.ipa_certificate_nickname, + method='GET' + ) + cookies = ipapython.cookie.Cookie.parse(resp_headers.get('set-cookie', '')) + if status != 200 or len(cookies) == 0: + raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API')) + self.cookie = str(cookies[0]) + return self + + def __exit__(self, exc_type, exc_value, traceback): + """Log out of the REST API""" + dogtag.https_request( + self.ca_host, self.override_port or self.env.ca_agent_port, + '/ca/rest/account/logout', + self.sec_dir, self.password, self.ipa_certificate_nickname, + method='GET' + ) + self.cookie = None + + def _ssldo(self, method, path, headers=None, body=None, use_session=True): + """ + Perform an HTTPS request. + + :param method: HTTP method to use + :param path: Path component. This will *extend* the path defined for + the class (if any). + :param headers: Additional headers to include in the request. + :param body: Request body. + :param use_session: If ``True``, session cookie is added to request + (client must be logged in). + + :return: (http_status, http_headers, http_body) + as (integer, dict, str) + + :raises: ``RemoteRetrieveError`` if ``use_session`` is not ``False`` + and client is not logged in. 
+ + """ + headers = headers or {} + + if use_session: + if self.cookie is None: + raise errors.RemoteRetrieveError( + reason=_("REST API is not logged in.")) + headers['Cookie'] = self.cookie + + resource = '/ca/rest' + if self.path is not None: + resource = os.path.join(resource, self.path) + if path is not None: + resource = os.path.join(resource, path) + + # perform main request + status, resp_headers, resp_body = dogtag.https_request( + self.ca_host, self.override_port or self.env.ca_agent_port, + resource, + self.sec_dir, self.password, self.ipa_certificate_nickname, + method=method, headers=headers, body=body + ) + if status < 200 or status >= 300: + explanation = self._parse_dogtag_error(resp_body) or '' + raise errors.HTTPRequestError( + status=status, + reason=_('Non-2xx response from CA REST API: %(status)d. %(explanation)s') + % {'status': status, 'explanation': explanation} + ) + return (status, resp_headers, resp_body) + + @register() -class ra(rabase.rabase): +class ra(rabase.rabase, RestClient): """ Request Authority backend plugin. """ DEFAULT_PROFILE = dogtag.DEFAULT_PROFILE - def __init__(self, api): - if api.env.in_tree: - self.sec_dir = api.env.dot_ipa + os.sep + 'alias' - self.pwd_file = self.sec_dir + os.sep + '.pwd' - else: - self.sec_dir = paths.HTTPD_ALIAS_DIR - self.pwd_file = paths.ALIAS_PWDFILE_TXT - self.noise_file = self.sec_dir + os.sep + '.noise' - self.ipa_key_size = "2048" - self.ipa_certificate_nickname = "ipaCert" - self.ca_certificate_nickname = "caCert" - try: - f = open(self.pwd_file, "r") - self.password = f.readline().strip() - f.close() - except IOError: - self.password = '' - super(ra, self).__init__(api) - def raise_certificate_operation_error(self, func_name, err_msg=None, detail=None): """ :param func_name: function name where error occurred 
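Review bot: with `-class ra(rabase.rabase):` becoming `+class ra(rabase.rabase, RestClient):` and `ra.__init__` removed, the attributes that `RestClient.__init__` sets (`sec_dir`, `pwd_file`, `password`, `override_port`, `cookie`) are only initialised if `rabase.rabase.__init__` chains to `super(...).__init__(api)` so that the MRO reaches `RestClient.__init__`; if it does not, `_ssldo` fails on `self.cookie` / `self.sec_dir` the first time `ra` is used. Worth confirming in rabase, or giving `ra` an explicit `__init__` that calls `RestClient.__init__(self, api)`. Also, `__enter__` returns `None` instead of `self` when `self.cookie is not None`, so a second `with ... as x` on an already logged-in client binds `x` to `None`.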
@@ -1564,75 +1614,77 @@ class ra(rabase.rabase): Submit certificate signing request. - The command returns a dict with these possible key/value pairs. - Some key/value pairs may be absent. + The command returns a dict with these key/value pairs: - +---------------+---------------+---------------+ - |result name |result type |comments | - +===============+===============+===============+ - |serial_number |unicode [1]_ | | - +---------------+---------------+---------------+ - |certificate |unicode [2]_ | | - +---------------+---------------+---------------+ - |request_id |unicode | | - +---------------+---------------+---------------+ - |subject |unicode | | - +---------------+---------------+---------------+ - - .. [1] Passed through XMLRPC as decimal string. Can convert to - optimal integer type (int or long) via int(serial_number) - - .. [2] Base64 encoded + ``serial_number`` + ``unicode``, decimal representation + ``serial_number_hex`` + ``unicode``, hex representation with ``'0x'`` leader + ``certificate`` + ``unicode``, base64-encoded DER + ``request_id`` + ``unicode``, decimal representation """ self.debug('%s.request_certificate()', type(self).__name__) # Call CMS - kw = dict( - profileId=profile_id, - cert_request_type=request_type, - cert_request=csr, - xml='true') + template = ''' + + {profile} + + certReqInputImpl + + {req_type} + + + {req} + + + ''' + data = template.format( + profile=profile_id, + req_type=request_type, + req=csr, + ) + + path = 'certrequests' if ca_id: - kw['authorityId'] = ca_id + path += '?issuer-id={}'.format(ca_id) - http_status, http_headers, http_body = self._sslget( - '/ca/eeca/ca/profileSubmitSSLClient', self.env.ca_ee_port, **kw) - # Parse and handle errors - if http_status != 200: - self.raise_certificate_operation_error('request_certificate', - detail=http_status) - - parse_result = self.get_parse_result_xml(http_body, parse_profile_submit_result_xml) - # Note different status return, it's not request_status, it's error_code 
- error_code = parse_result['error_code'] - if error_code != CMS_SUCCESS: - self.raise_certificate_operation_error('request_certificate', - cms_error_code_to_string(error_code), - parse_result.get('error_string')) + http_status, http_headers, http_body = self._ssldo( + 'POST', path, + headers={ + 'Content-Type': 'application/xml', + 'Accept': 'application/json', + }, + body=data, + use_session=False, + ) + try: + resp_obj = json.loads(http_body) + except ValueError: + raise errors.RemoteRetrieveError(reason=_("Response from CA was not valid JSON")) # Return command result cmd_result = {} - # FIXME: should we return all the requests instead of just the first one? - if len(parse_result['requests']) < 1: + entries = resp_obj.get('entries', []) + + # ipa cert-request only handles a single PKCS #10 request so + # there's only one certinfo in the result. + if len(entries) < 1: return cmd_result - request = parse_result['requests'][0] + certinfo = entries[0] - if 'serial_number' in request: - # see module documentation concerning serial numbers and XMLRPC - cmd_result['serial_number'] = unicode(request['serial_number']) - cmd_result['serial_number_hex'] = u'0x%X' % request['serial_number'] + if 'certId' in certinfo: + cmd_result = self.get_certificate(certinfo['certId']) + cert = ''.join(cmd_result['certificate'].splitlines()) + cmd_result['certificate'] = cert - if 'certificate' in request: - cmd_result['certificate'] = request['certificate'] - - if 'request_id' in request: - cmd_result['request_id'] = request['request_id'] - - if 'subject' in request: - cmd_result['subject'] = request['subject'] + if 'requestURL' in certinfo: + cmd_result['request_id'] = certinfo['requestURL'].split('/')[-1] return cmd_result 
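Review bot: the request body is built with `template.format(profile=profile_id, req_type=request_type, req=csr)` and the issuer query with `path += '?issuer-id={}'.format(ca_id)`, neither of which escapes the interpolated values; a value containing `<`, `&`, `?` or `#` yields a malformed XML document or URL. Use `xml.sax.saxutils.escape()` for the XML fields and `urllib.quote()` (Python 2) for `ca_id`. The new docstring also states the command returns a dict with all four keys, but when `entries` is empty an empty `cmd_result` is returned unchanged, so either keep the old "may be absent" caveat or raise in that case.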
@@ -1975,152 +2027,6 @@ class kra(Backend): return KRAClient(connection, crypto) -class RestClient(Backend): - """Simple Dogtag REST client to be subclassed by other backends. - - This class is a context manager. Authenticated calls must be - executed in a ``with`` suite:: - - @register() - class ra_certprofile(RestClient): - path = 'profile' - ... - - with api.Backend.ra_certprofile as profile_api: - # REST client is now logged in - profile_api.create_profile(...) - - """ - path = None - - @staticmethod - def _parse_dogtag_error(body): - try: - return pki.PKIException.from_json(json.loads(body)) - except Exception: - return None - - def __init__(self, api): - if api.env.in_tree: - self.sec_dir = api.env.dot_ipa + os.sep + 'alias' - self.pwd_file = self.sec_dir + os.sep + '.pwd' - else: - self.sec_dir = paths.HTTPD_ALIAS_DIR - self.pwd_file = paths.ALIAS_PWDFILE_TXT - self.noise_file = self.sec_dir + os.sep + '.noise' - self.ipa_key_size = "2048" - self.ipa_certificate_nickname = "ipaCert" - self.ca_certificate_nickname = "caCert" - self._read_password() - super(RestClient, self).__init__(api) - - # session cookie - self.override_port = None - self.cookie = None - - def _read_password(self): - try: - with open(self.pwd_file) as f: - self.password = f.readline().strip() - except IOError: - self.password = '' - - @cachedproperty - def ca_host(self): - """ - :return: host - as str - - Select our CA host. 
- """ - ldap2 = self.api.Backend.ldap2 - if host_has_service(api.env.ca_host, ldap2, "CA"): - return api.env.ca_host - if api.env.host != api.env.ca_host: - if host_has_service(api.env.host, ldap2, "CA"): - return api.env.host - host = select_any_master(ldap2) - if host: - return host - else: - return api.env.ca_host - - def __enter__(self): - """Log into the REST API""" - if self.cookie is not None: - return - status, resp_headers, resp_body = dogtag.https_request( - self.ca_host, self.override_port or self.env.ca_agent_port, - '/ca/rest/account/login', - self.sec_dir, self.password, self.ipa_certificate_nickname, - method='GET' - ) - cookies = ipapython.cookie.Cookie.parse(resp_headers.get('set-cookie', '')) - if status != 200 or len(cookies) == 0: - raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API')) - self.cookie = str(cookies[0]) - return self - - def __exit__(self, exc_type, exc_value, traceback): - """Log out of the REST API""" - dogtag.https_request( - self.ca_host, self.override_port or self.env.ca_agent_port, - '/ca/rest/account/logout', - self.sec_dir, self.password, self.ipa_certificate_nickname, - method='GET' - ) - self.cookie = None - - def _ssldo(self, method, path, headers=None, body=None, use_session=True): - """ - Perform an HTTPS request. - - :param method: HTTP method to use - :param path: Path component. This will *extend* the path defined for - the class (if any). - :param headers: Additional headers to include in the request. - :param body: Request body. - :param use_session: If ``True``, session cookie is added to request - (client must be logged in). - - :return: (http_status, http_headers, http_body) - as (integer, dict, str) - - :raises: ``RemoteRetrieveError`` if ``use_session`` is not ``False`` - and client is not logged in. 
- - """ - headers = headers or {} - - if use_session: - if self.cookie is None: - raise errors.RemoteRetrieveError( - reason=_("REST API is not logged in.")) - headers['Cookie'] = self.cookie - - resource = '/ca/rest' - if self.path is not None: - resource = os.path.join(resource, self.path) - if path is not None: - resource = os.path.join(resource, path) - - # perform main request - status, resp_headers, resp_body = dogtag.https_request( - self.ca_host, self.override_port or self.env.ca_agent_port, - resource, - self.sec_dir, self.password, self.ipa_certificate_nickname, - method=method, headers=headers, body=body - ) - if status < 200 or status >= 300: - explanation = self._parse_dogtag_error(resp_body) or '' - raise errors.HTTPRequestError( - status=status, - reason=_('Non-2xx response from CA REST API: %(status)d. %(explanation)s') - % {'status': status, 'explanation': explanation} - ) - return (status, resp_headers, resp_body) - - @register() class ra_certprofile(RestClient): """ -- 2.5.5 -------------- next part -------------- From 432d3b7204bb2aefa0ca2f0b56f3ca87acc2bd52 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 26 Aug 2016 11:11:56 +1000 Subject: [PATCH 105/105] cert-request: raise CertificateOperationError if CA disabled Detect when cert-request returns HTTP 409, which indicates that the target CA is disabled - a valid scenario - and raise CertificateOperationError with a friendly message instead of HTTPRequestError. Fixes: https://fedorahosted.org/freeipa/ticket/6260 --- ipaserver/plugins/cert.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 6195a6b1e636f35de114c5fefbe84fa3b3f116f0..a1e4aeb4ea528f592bded77983c7972ce7fb92c6 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py 
@@ -749,8 +749,16 @@ class cert_request(Create, BaseCertMethod, VirtualCommand): info=_("Subject alt name type %s is forbidden") % desc) # Request the certificate - result = self.Backend.ra.request_certificate( - csr, profile_id, ca_id, request_type=request_type) + try: + result = self.Backend.ra.request_certificate( + csr, profile_id, ca_id, request_type=request_type) + except errors.HTTPRequestError as e: + if e.status == 409: # pylint: disable=no-member + raise errors.CertificateOperationError( + error=_("CA '%s' is disabled") % ca) + else: + raise e + if not raw: self.obj._parse(result, all) result['request_id'] = int(result['request_id']) -- 2.5.5 From freeipa-github-notification at redhat.com Tue Sep 6 15:09:03 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 06 Sep 2016 17:09:03 +0200 Subject: [Freeipa-devel] [freeipa PR#61] Use Travis-CI for basic sanity checks (synchronize) In-Reply-To: References: Message-ID: martbab's pull request #61: "Use Travis-CI for basic sanity checks" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/61 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/61/head:pr61 git checkout pr61 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-61.patch Type: text/x-diff Size: 1304 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 6 15:27:47 2016 
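Review bot: in the cert.py hunk, `raise e` inside the `else:` branch re-raises with a fresh traceback on Python 2; a bare `raise` preserves the original one. Treating every HTTP 409 as `CA '%s' is disabled` is also broad: `_ssldo` already folds the parsed Dogtag explanation into the `HTTPRequestError` reason, so consider checking it, or at least including it in the `CertificateOperationError` message, so that other conflict responses are not reported as a disabled CA.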
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 06 Sep 2016 17:27:47 +0200
Subject: [Freeipa-devel] [freeipa PR#61] Use Travis-CI for basic sanity checks (synchronize)
In-Reply-To:
References:
Message-ID:

martbab's pull request #61: "Use Travis-CI for basic sanity checks" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/61

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/61/head:pr61
git checkout pr61
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-61.patch
Type: text/x-diff
Size: 1324 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Sep 6 15:31:11 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 06 Sep 2016 17:31:11 +0200
Subject: [Freeipa-devel] [freeipa PR#61] Use Travis-CI for basic sanity checks (+ack)
In-Reply-To:
References:
Message-ID:

martbab's pull request #61: "Use Travis-CI for basic sanity checks" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/61

From freeipa-github-notification at redhat.com Tue Sep 6 15:43:54 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 06 Sep 2016 17:43:54 +0200
Subject: [Freeipa-devel] [freeipa PR#61] Use Travis-CI for basic sanity checks (+pushed)
In-Reply-To:
References:
Message-ID:

martbab's pull request #61: "Use Travis-CI for basic sanity checks" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/61

From freeipa-github-notification at redhat.com Tue Sep 6 15:43:56 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 06 Sep 2016 17:43:56 +0200
Subject: [Freeipa-devel] [freeipa PR#61] Use Travis-CI for basic sanity checks (comment)
In-Reply-To:
References:
Message-ID:

mbasti-rh commented on a pull request

"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/37f3ad8867f347289adcadcc473871c54aa9ca9d
"""

See the full comment at https://github.com/freeipa/freeipa/pull/61#issuecomment-244993903

From freeipa-github-notification at redhat.com Tue Sep 6 15:43:57 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 06 Sep 2016 17:43:57 +0200
Subject: [Freeipa-devel] [freeipa PR#61] Use Travis-CI for basic sanity checks (closed)
In-Reply-To:
References:
Message-ID:

martbab's pull request #61: "Use Travis-CI for basic sanity checks" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/61

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/61/head:pr61
git checkout pr61

From ftweedal at redhat.com Tue Sep 6 17:36:15 2016
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 7 Sep 2016 00:36:15 +0700 Subject: [Freeipa-devel] [PATCH] 0106 Make host/service cert revocation aware of lightweight CAs In-Reply-To: <0f5fa3f8-11be-894c-a268-fab48fa096e5@redhat.com> References: <20160826053717.GP3877@dhcp-40-8.bne.redhat.com> <20160826054222.GQ3877@dhcp-40-8.bne.redhat.com> <20160905135911.GC11489@dhcp-40-8.bne.redhat.com> <20160905153023.GE11489@dhcp-40-8.bne.redhat.com> <0f5fa3f8-11be-894c-a268-fab48fa096e5@redhat.com> Message-ID: <20160906173615.GN11489@dhcp-40-8.bne.redhat.com> On Tue, Sep 06, 2016 at 10:19:14AM +0200, Jan Cholasta wrote: > On 5.9.2016 17:30, Fraser Tweedale wrote: > > On Mon, Sep 05, 2016 at 11:59:11PM +1000, Fraser Tweedale wrote: > > > On Tue, Aug 30, 2016 at 10:39:16AM +0200, Jan Cholasta wrote: > > > > Hi, > > > > > > > > On 26.8.2016 07:42, Fraser Tweedale wrote: > > > > > On Fri, Aug 26, 2016 at 03:37:17PM +1000, Fraser Tweedale wrote: > > > > > > Hi all, > > > > > > > > > > > > Attached patch fixes https://fedorahosted.org/freeipa/ticket/6221. > > > > > > It depends on Honza's PR #20 > > > > > > https://github.com/freeipa/freeipa/pull/20. > > > > > > > > > > > > Thanks, > > > > > > Fraser > > > > > > > > > > > It does help to attach the patch :) > > > > > > > > I think it would be better to call cert-find once per host-del/service-del > > > > with the --host/--service option specified. That way you'll get all > > > > certificates for the given host/service at once. > > > > > > > > Honza > > > > > > > I agree that is a nicer approach. > > > > > > 'revoke_certs' is called from several other places besides just > > > host/service_del. If we want to land this fix Real Soon I'd suggest > > > we either: > > > > > > A) Define function 'revoke_certs_from_cert_find', call it from > > > host/service_del, and leave 'revoke_certs' alone; or > > > > > > B) Land the patch as-is and do a bigger refactor at a later time. > > > > > > What do you think? 
> Updated patch attached; comments inline. > C) Use cert-find-based revoke_certs() everywhere; use the --certificate > option of cert-find in the other places to get information about specific > certificates. > As discussed on IRC, I have implemented this option. The caveat is that for host/service-mod, we incur call to cert_find for each removed certificate. > > > > > Updated patch for option (A) is attached. > > 1) Instead of > > if result['status'] in {'REVOKED', 'REVOKED_EXPIRED'}: > > use: > > if result['revoked']: > Done. > > 2) > > + if 'cacn' not in cert: > + # cert is known to Dogtag, but CA appears to have been > + # deleted. We cannot revoke this cert via IPA anymore. > + # We could go directly to Dogtag to revoke it, but the > + # issuer's cert should have been revoked so never mind. > + continue > > Or, it could be a cert issued by a 3rd party CA. > I updated to comment to include this. > > 3) host-mod/service-mod do not revoke certs: > > $ ipa cert-request test.csr --principal host/test.example.com > Serial number: 13 > > $ ipa cert-show 13 > Revoked: False > Owner host: test.example.com > > $ ipa host-mod test.example.com --certificate= > > $ ipa cert-show 13 > Revoked: False > Nice find. This was a pre-existing bug: nothing gets revoked when all certs are removed. Here is the fix: - if certs and self.api.Command.ca_is_enabled()['result']: + ca_is_enabled = self.api.Command.ca_is_enabled()['result'] + if 'usercertificate' in options and ca_is_enabled: ... revocation code Finally, host/service-remove-cert does not revoke the cert because of (I think) a bug in cert-find. If the cert does not exist on a host/service the cert-find cannot find it with --certificate option. Because host/service-remove-cert uses a post_callback to revoke the cert, cert-find doesn't find it thus no revocation occurs. Honza could you check whether this is indeed a bug/limitation of cert-find or is it the smog in Saigon affecting me? 
Thanks, Fraser -------------- next part -------------- From 9c829d7ec8ff67dcf814c468c406772bf311c9f8 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 26 Aug 2016 15:31:13 +1000 Subject: [PATCH] Make host/service cert revocation aware of lightweight CAs Revocation of host/service certs on host/service deletion or other operations is broken when cert is issued by a lightweight (sub)CA, causing the delete operation to be aborted. Look up the issuing CA and pass it to 'cert_revoke' to fix the issue. Fixes: https://fedorahosted.org/freeipa/ticket/6221 --- ipaserver/plugins/host.py | 23 +++++++++-------- ipaserver/plugins/service.py | 59 ++++++++++++++++++++++---------------------- 2 files changed, 41 insertions(+), 41 deletions(-) diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index 03c64c637cbba0aee1b6569f3b5dbe200953bff8..7f63e94849b4a6f2ce871ec77b188c54d640ba94 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -843,12 +843,8 @@ class host_del(LDAPDelete): ) if self.api.Command.ca_is_enabled()['result']: - try: - entry_attrs = ldap.get_entry(dn, ['usercertificate']) - except errors.NotFound: - self.obj.handle_not_found(*keys) - - revoke_certs(entry_attrs.get('usercertificate', []), self.log) + certs = self.api.Command.cert_find(host=keys)['result'] + revoke_certs(certs) return dn @@ -902,7 +898,8 @@ class host_mod(LDAPUpdate): certs_der = [x509.normalize_certificate(c) for c in certs] # revoke removed certificates - if certs and self.api.Command.ca_is_enabled()['result']: + ca_is_enabled = self.api.Command.ca_is_enabled()['result'] + if 'usercertificate' in options and ca_is_enabled: try: entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) except errors.NotFound: 
@@ -910,7 +907,9 @@ class host_mod(LDAPUpdate): old_certs = entry_attrs_old.get('usercertificate', []) old_certs_der = [x509.normalize_certificate(c) for c in old_certs] removed_certs_der = set(old_certs_der) - set(certs_der) - revoke_certs(removed_certs_der, self.log) + for der in removed_certs_der: + rm_certs = api.Command.cert_find(certificate=der)['result'] + revoke_certs(rm_certs) if certs: entry_attrs['usercertificate'] = certs_der @@ -1196,10 +1195,10 @@ class host_disable(LDAPQuery): except errors.NotFound: self.obj.handle_not_found(*keys) if self.api.Command.ca_is_enabled()['result']: - certs = entry_attrs.get('usercertificate', []) + certs = self.api.Command.cert_find(host=keys)['result'] if certs: - revoke_certs(certs, self.log) + revoke_certs(certs) # Remove the usercertificate altogether entry_attrs['usercertificate'] = None ldap.update_entry(entry_attrs) @@ -1341,8 +1340,8 @@ class host_remove_cert(LDAPRemoveAttributeViaOption): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): assert isinstance(dn, DN) - if 'usercertificate' in options: - revoke_certs(options['usercertificate'], self.log) + for cert in options.get('usercertificate', []): + revoke_certs(api.Command.cert_find(certificate=cert)['result']) return dn diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py index 04d1916fe989a8651bcc4d44f1914c460be1081c..c0590732470ac1200d4dd4ea1f089e4384a509b3 100644 --- a/ipaserver/plugins/service.py +++ b/ipaserver/plugins/service.py 
@@ -220,37 +220,38 @@ def validate_certificate(ugettext, cert): x509.validate_certificate(cert, datatype=x509.DER) -def revoke_certs(certs, logger=None): +def revoke_certs(certs): """ revoke the certificates removed from host/service entry + + :param certs: Output of a 'cert_find' command. + """ for cert in certs: - try: - cert = x509.normalize_certificate(cert) - except errors.CertificateFormatError as e: - if logger is not None: - logger.info("Problem decoding certificate: %s" % e) - - serial = unicode(x509.get_serial_number(cert, x509.DER)) - - try: - result = api.Command['cert_show'](unicode(serial))['result'] - except errors.CertificateOperationError: - continue - if 'revocation_reason' in result: + if 'cacn' not in cert: + # Cert is known to IPA, but has no associated CA. + # If it was issued by 3rd-party CA, we can't revoke it. + # If it was issued by a Dogtag lightweight CA that was + # subsequently deleted, we can't revoke it via IPA. + # We could go directly to Dogtag to revoke it, but the + # issuer's cert should have been revoked so never mind. continue - if x509.normalize_certificate(result['certificate']) != cert: + + if cert['revoked']: + # cert is already revoked continue try: - api.Command['cert_revoke'](unicode(serial), - revocation_reason=4) + api.Command['cert_revoke']( + cert['serial_number'], + cacn=cert['cacn'], + revocation_reason=4, + ) except errors.NotImplementedError: # some CA's might not implement revoke pass - def set_certificate_attrs(entry_attrs): """ Set individual attributes from some values from a certificate. 
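Review bot: the rewritten `revoke_certs` only catches `errors.NotImplementedError` around `cert_revoke`; the old version also swallowed `CertificateOperationError` (from `cert_show`), so a revocation that now fails, for example because the CA is unreachable, propagates out of `host_del` / `service_del` and aborts the delete, which is the failure mode the commit message sets out to fix. Consider catching `errors.CertificateOperationError` there as well and logging it. The `logger` parameter was dropped at the same time, so nothing records the entries skipped in the `'cacn' not in cert` and `cert['revoked']` branches; a debug log line in each would help diagnose the "nothing got revoked" cases discussed in this thread.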
@@ -674,11 +675,8 @@ class service_del(LDAPDelete): # custom services allow them to manage them. check_required_principal(ldap, keys[-1]) if self.api.Command.ca_is_enabled()['result']: - try: - entry_attrs = ldap.get_entry(dn, ['usercertificate']) - except errors.NotFound: - self.obj.handle_not_found(*keys) - revoke_certs(entry_attrs.get('usercertificate', []), self.log) + certs = self.api.Command.cert_find(service=keys)['result'] + revoke_certs(certs) return dn @@ -703,7 +701,8 @@ class service_mod(LDAPUpdate): certs = entry_attrs.get('usercertificate') or [] certs_der = [x509.normalize_certificate(c) for c in certs] # revoke removed certificates - if certs and self.api.Command.ca_is_enabled()['result']: + ca_is_enabled = self.api.Command.ca_is_enabled()['result'] + if 'usercertificate' in options and ca_is_enabled: try: entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) except errors.NotFound: @@ -711,7 +710,9 @@ class service_mod(LDAPUpdate): old_certs = entry_attrs_old.get('usercertificate', []) old_certs_der = [x509.normalize_certificate(c) for c in old_certs] removed_certs_der = set(old_certs_der) - set(certs_der) - revoke_certs(removed_certs_der, self.log) + for der in removed_certs_der: + rm_certs = api.Command.cert_find(certificate=der)['result'] + revoke_certs(rm_certs) if certs: entry_attrs['usercertificate'] = certs_der @@ -950,10 +951,10 @@ class service_disable(LDAPQuery): done_work = False if self.api.Command.ca_is_enabled()['result']: - certs = entry_attrs.get('usercertificate', []) + certs = self.api.Command.cert_find(service=keys)['result'] if len(certs) > 0: - revoke_certs(certs, self.log) + revoke_certs(certs) # Remove the usercertificate altogether entry_attrs['usercertificate'] = None ldap.update_entry(entry_attrs) 
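Review bot: in the `service_mod` hunk the loop `for der in removed_certs_der: rm_certs = api.Command.cert_find(certificate=der)['result']` uses the module-level `api` while the line just above it uses `self.api.Command.ca_is_enabled()`; pick one (`self.api`) for consistency. The loop is also a verbatim copy of the one added to `host_mod` and issues one `cert_find` per removed certificate; a shared helper next to `revoke_certs` in service.py that takes the DER list would remove the duplication and keep the per-certificate lookup cost, which the cover email acknowledges, in one place.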
@@ -989,8 +990,8 @@ class service_remove_cert(LDAPRemoveAttributeViaOption): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): assert isinstance(dn, DN) - if 'usercertificate' in options: - revoke_certs(options['usercertificate'], self.log) + for cert in options.get('usercertificate', []): + revoke_certs(api.Command.cert_find(certificate=cert)['result']) return dn -- 2.5.5 From freeipa-github-notification at redhat.com Tue Sep 6 18:12:25 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 06 Sep 2016 20:12:25 +0200 Subject: [Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (opened) Message-ID: simo5's pull request #62: "Configure Anonymous PKINIT on server install" was opened PR body: """ Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. Signed-off-by: Simo Sorce """ See the full pull-request at https://github.com/freeipa/freeipa/pull/62 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-62.patch Type: text/x-diff Size: 32248 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 6 18:13:19 2016 
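Review bot: in `service_remove_cert.post_callback` (and the identical `host_remove_cert` hunk), `api.Command.cert_find(certificate=cert)` runs after the `usercertificate` value has already been removed from the entry; as the cover email observes, if `cert_find --certificate` only matches certificates still attached to an entry, the lookup returns an empty result and the certificate is never revoked. Suggest resolving the serial and CA in `pre_callback`, before the attribute is removed, or confirming that `cert_find(certificate=...)` matches on certificate content rather than on the owning entry.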
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Tue, 06 Sep 2016 20:13:19 +0200
Subject: [Freeipa-devel] [freeipa PR#50] Add cert checks in ipa-server-certinstall (synchronize)
In-Reply-To:
References:
Message-ID:

flo-renaud's pull request #50: "Add cert checks in ipa-server-certinstall" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/50

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/50/head:pr50
git checkout pr50
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-50.patch
Type: text/x-diff
Size: 3794 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Sep 6 18:13:29 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 06 Sep 2016 20:13:29 +0200
Subject: [Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (comment)
In-Reply-To:
References:
Message-ID:

simo5 commented on a pull request

"""
Note, I haven't looked into the upgrade of an existing server, so just posting it here for an initial review, and also for someone to pick it up if I can't finish the work on the upgrade path.

@abbra @frasertweedale please take a look
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-245039584

From freeipa-github-notification at redhat.com Tue Sep 6 19:30:18 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 06 Sep 2016 21:30:18 +0200
Subject: [Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)
In-Reply-To:
References:
Message-ID:

simo5's pull request #62: "Configure Anonymous PKINIT on server install" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/62

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-62.patch
Type: text/x-diff
Size: 32322 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Sep 6 19:47:46 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 06 Sep 2016 21:47:46 +0200
Subject: [Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)
In-Reply-To:
References:
Message-ID:

simo5's pull request #62: "Configure Anonymous PKINIT on server install" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/62

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-62.patch
Type: text/x-diff
Size: 32359 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Sep 6 20:03:49 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 06 Sep 2016 22:03:49 +0200
Subject: [Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)
In-Reply-To:
References:
Message-ID:

simo5's pull request #62: "Configure Anonymous PKINIT on server install" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/62

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-62.patch
Type: text/x-diff
Size: 32405 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Sep 6 20:10:40 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 06 Sep 2016 22:10:40 +0200
Subject: [Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize)
In-Reply-To:
References:
Message-ID:

simo5's pull request #62: "Configure Anonymous PKINIT on server install" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/62

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-62.patch
Type: text/x-diff
Size: 32405 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Sep 6 21:15:59 2016
From: freeipa-github-notification at redhat.com (LiptonB) Date: Tue, 06 Sep 2016 23:15:59 +0200 Subject: [Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (synchronize) In-Reply-To: References: Message-ID: LiptonB's pull request #10: "Client-side CSR autogeneration" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/10 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/10/head:pr10 git checkout pr10 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-10.patch Type: text/x-diff Size: 54838 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 6 21:16:51 2016 From: freeipa-github-notification at redhat.com (pvoborni) Date: Tue, 06 Sep 2016 23:16:51 +0200 Subject: [Freeipa-devel] [freeipa PR#31] WebUI: add support for sub-CAs while revoking certificates and removing certificate hold (comment) In-Reply-To: References: Message-ID: pvoborni commented on a pull request """ nack for f72ae94 it needs this update ```diff diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js index ad7fd87..9ab4002 100755 --- a/install/ui/src/freeipa/certificate.js +++ b/install/ui/src/freeipa/certificate.js @@ -268,6 +268,7 @@ IPA.cert.revoke_dialog = function(spec, no_init) { spec = spec || {}; spec.width = spec.width || 500; + spec.ok_label = spec.ok_label || '@i18n:buttons.revoke'; spec.sections = [ { name: 'note', @@ -308,12 +309,13 @@ IPA.cert.revoke_dialog = function(spec, no_init) { } ]; - var that = IPA.dialog(spec); + var that = IPA.confirm_dialog(spec); that.open = function() { + + that.confirmed = false; that.dialog_open(); that.set_cacn(that.facet.state.cacn); - }; that.get_reason = function() { 
@@ -336,23 +338,6 @@ IPA.cert.revoke_dialog = function(spec, no_init) { that.init = function() { var note = text.get('@i18n:objects.cert.revoke_confirmation'); that.widgets.get_widget('note.note').html = note; - - that.create_button({ - name: 'revoke', - label: '@i18n:buttons.revoke', - click: function() { - that.on_ok(); - that.close(); - } - }); - - that.create_button({ - name: 'cancel', - label: '@i18n:buttons.cancel', - click: function() { - that.close(); - } - }); }; ``` ACK for 8622b9f and e874ac9 (#6238) I'll create new separate pull requests for both #6238 and #6216. So that #6238 can be pushed and aforementioned changes for #6216 reviewed. """ See the full comment at https://github.com/freeipa/freeipa/pull/31#issuecomment-245094506 From freeipa-github-notification at redhat.com Tue Sep 6 21:21:19 2016 From: freeipa-github-notification at redhat.com (LiptonB) Date: Tue, 06 Sep 2016 23:21:19 +0200 Subject: [Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (comment) In-Reply-To: References: Message-ID: LiptonB commented on a pull request """ I've added a commit (Use data_sources option to define which fields are rendered) that simplifies the way we avoid rendering rules whose source data are missing, as discussed here: https://www.redhat.com/archives/freeipa-devel/2016-September/msg00051.html. I prefer this approach to the macros in the original implementation, but I'm leaving it as a separate commit in case you would like to compare them. """ See the full comment at https://github.com/freeipa/freeipa/pull/10#issuecomment-245096157 From freeipa-github-notification at redhat.com Tue Sep 6 22:09:31 2016 
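Review bot: in the `that.open` override of the second hunk (@@ -308,12 +309,13 @@), the first added line is an empty `+` line and the blank line before the closing `};` is removed; that is churn unrelated to the change, so keep only `+ that.confirmed = false;`. The reset itself belongs there, since the same dialog object is reopened each time and the confirmed flag would otherwise carry over from a previous use of the dialog.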
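Review bot: the third hunk (@@ -336,23 +338,6 @@) deletes the explicit 'revoke' and 'cancel' buttons, and with them the only visible call of `that.on_ok()` followed by `that.close()`; since the dialog is now built with `IPA.confirm_dialog(spec)` instead of `IPA.dialog(spec)`, please state in the PR description that the confirm dialog's OK button ends up calling `that.on_ok()` and is labelled by the new `spec.ok_label` default `'@i18n:buttons.revoke'`, otherwise the revoke action would silently become a plain close. A short comment in `that.init` saying that the buttons now come from the confirm dialog would save the next reader from looking for them.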
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 07 Sep 2016 00:09:31 +0200
Subject: [Freeipa-devel] [freeipa PR#63] fix for 6238 "Unable to view certificates issued by Sub CA in Web UI" separated from pr31 (opened)
Message-ID:

pvoborni's pull request #63: "fix for 6238 "Unable to view certificates issued by Sub CA in Web UI" separated from pr31" was opened

PR body:
"""
Pavel's patch separated from pr #31. Pavel is on vacation so he cannot split it.
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/63
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/63/head:pr63
git checkout pr63
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-63.patch
Type: text/x-diff
Size: 5295 bytes
Desc: not available
URL:
From freeipa-github-notification at redhat.com Tue Sep 6 22:10:40 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 07 Sep 2016 00:10:40 +0200
Subject: [Freeipa-devel] [freeipa PR#63] fix for 6238 "Unable to view certificates issued by Sub CA in Web UI" separated from pr31 (+ack)
In-Reply-To:
References:
Message-ID:

pvoborni's pull request #63: "fix for 6238 "Unable to view certificates issued by Sub CA in Web UI" separated from pr31" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/63
From freeipa-github-notification at redhat.com Tue Sep 6 22:11:30 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 07 Sep 2016 00:11:30 +0200
Subject: [Freeipa-devel] [freeipa PR#63] fix for 6238 "Unable to view certificates issued by Sub CA in Web UI" separated from pr31 (comment)
In-Reply-To:
References:
Message-ID:

pvoborni commented on a pull request

"""
These 2 commits were already ACKed in PR #31 so we can merge them.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/63#issuecomment-245112325
From freeipa-github-notification at redhat.com Wed Sep 7 06:22:07 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Wed, 07 Sep 2016 08:22:07 +0200
Subject: [Freeipa-devel] [freeipa PR#64] cert: fix cert-find --certificate when the cert is not in LDAP (opened)
Message-ID:

jcholast's pull request #64: "cert: fix cert-find --certificate when the cert is not in LDAP" was opened

PR body:
"""
Always return the cert specified in --certificate in cert-find result, even when the cert is not found in LDAP.

https://fedorahosted.org/freeipa/ticket/6304
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/64
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/64/head:pr64
git checkout pr64
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-64.patch
Type: text/x-diff
Size: 1454 bytes
Desc: not available
URL:
From jcholast at redhat.com Wed Sep 7 06:32:42 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 7 Sep 2016 08:32:42 +0200
Subject: [Freeipa-devel] [PATCH] 0106 Make host/service cert revocation aware of lightweight CAs
In-Reply-To: <20160906173615.GN11489@dhcp-40-8.bne.redhat.com>
References: <20160826053717.GP3877@dhcp-40-8.bne.redhat.com> <20160826054222.GQ3877@dhcp-40-8.bne.redhat.com> <20160905135911.GC11489@dhcp-40-8.bne.redhat.com> <20160905153023.GE11489@dhcp-40-8.bne.redhat.com> <0f5fa3f8-11be-894c-a268-fab48fa096e5@redhat.com> <20160906173615.GN11489@dhcp-40-8.bne.redhat.com>
Message-ID: <1047ef92-f9c6-e289-730e-4be09f13e0b5@redhat.com>

On 6.9.2016 19:36, Fraser Tweedale wrote:
> On Tue, Sep 06, 2016 at 10:19:14AM +0200, Jan Cholasta wrote:
>> On 5.9.2016 17:30, Fraser Tweedale wrote:
>>> On Mon, Sep 05, 2016 at 11:59:11PM +1000, Fraser Tweedale wrote:
>>>> On Tue, Aug 30, 2016 at 10:39:16AM +0200, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 26.8.2016 07:42, Fraser Tweedale wrote:
>>>>>> On Fri, Aug 26, 2016 at 03:37:17PM +1000, Fraser Tweedale wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> Attached patch fixes https://fedorahosted.org/freeipa/ticket/6221.
>>>>>>> It depends on Honza's PR #20
>>>>>>> https://github.com/freeipa/freeipa/pull/20.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Fraser
>>>>>>>
>>>>>> It does help to attach the patch :)
>>>>>
>>>>> I think it would be better to call cert-find once per host-del/service-del
>>>>> with the --host/--service option specified. That way you'll get all
>>>>> certificates for the given host/service at once.
>>>>>
>>>>> Honza
>>>>>
>>>> I agree that is a nicer approach.
>>>>
>>>> 'revoke_certs' is called from several other places besides just
>>>> host/service_del. If we want to land this fix Real Soon I'd suggest
>>>> we either:
>>>>
>>>> A) Define function 'revoke_certs_from_cert_find', call it from
>>>> host/service_del, and leave 'revoke_certs' alone; or
>>>>
>>>> B) Land the patch as-is and do a bigger refactor at a later time.
>>>>
>>>> What do you think?
>>
> Updated patch attached; comments inline.
>
>> C) Use cert-find-based revoke_certs() everywhere; use the --certificate
>> option of cert-find in the other places to get information about specific
>> certificates.
>>
> As discussed on IRC, I have implemented this option. The caveat is
> that for host/service-mod, we incur a call to cert_find for each
> removed certificate.

It's worth noting that A) and B) suffer from the same caveat.

>
>>>>
>>> Updated patch for option (A) is attached.
>>
>> 1) Instead of
>>
>> if result['status'] in {'REVOKED', 'REVOKED_EXPIRED'}:
>>
>> use:
>>
>> if result['revoked']:
>>
> Done.
>
>>
>> 2)
>>
>> + if 'cacn' not in cert:
>> + # cert is known to Dogtag, but CA appears to have been
>> + # deleted. We cannot revoke this cert via IPA anymore.
>> + # We could go directly to Dogtag to revoke it, but the
>> + # issuer's cert should have been revoked so never mind.
>> + continue
>>
>> Or, it could be a cert issued by a 3rd party CA.
>>
> I updated the comment to include this.
>
>>
>> 3) host-mod/service-mod do not revoke certs:
>>
>> $ ipa cert-request test.csr --principal host/test.example.com
>> Serial number: 13
>>
>> $ ipa cert-show 13
>> Revoked: False
>> Owner host: test.example.com
>>
>> $ ipa host-mod test.example.com --certificate=
>>
>> $ ipa cert-show 13
>> Revoked: False
>>
> Nice find. This was a pre-existing bug: nothing gets revoked when
> all certs are removed. Here is the fix:
>
> - if certs and self.api.Command.ca_is_enabled()['result']:
> + ca_is_enabled = self.api.Command.ca_is_enabled()['result']
> + if 'usercertificate' in options and ca_is_enabled:
> ... revocation code

OK. Since it is a different bug, it should be fixed in a separate patch and
have a separate ticket.

>
> Finally, host/service-remove-cert does not revoke the cert because
> of (I think) a bug in cert-find. If the cert does not exist on a
> host/service the cert-find cannot find it with --certificate option.
> Because host/service-remove-cert uses a post_callback to revoke the
> cert, cert-find doesn't find it thus no revocation occurs.
>
> Honza could you check whether this is indeed a bug/limitation of
> cert-find or is it the smog in Saigon affecting me?

It's a bug - FTFY, .

Functional ACK. Full ACK once my fix is merged and the host/service-mod is
split off into a separate patch.

--
Jan Cholasta
From freeipa-github-notification at redhat.com Wed Sep 7 07:00:23 2016
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Wed, 07 Sep 2016 09:00:23 +0200
Subject: [Freeipa-devel] [freeipa PR#50] Add cert checks in ipa-server-certinstall (synchronize)
In-Reply-To:
References:
Message-ID:

flo-renaud's pull request #50: "Add cert checks in ipa-server-certinstall" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/50
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/50/head:pr50
git checkout pr50
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-50.patch
Type: text/x-diff
Size: 3795 bytes
Desc: not available
URL:
From freeipa-github-notification at redhat.com Wed Sep 7 07:18:11 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 07 Sep 2016 09:18:11 +0200
Subject: [Freeipa-devel] [freeipa PR#63] fix for 6238 "Unable to view certificates issued by Sub CA in Web UI" separated from pr31 (closed)
In-Reply-To:
References:
Message-ID:

pvoborni's pull request #63: "fix for 6238 "Unable to view certificates issued by Sub CA in Web UI" separated from pr31" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/63
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/63/head:pr63
git checkout pr63
From freeipa-github-notification at redhat.com Wed Sep 7 07:18:13 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 07 Sep 2016 09:18:13 +0200
Subject: [Freeipa-devel] [freeipa PR#63] fix for 6238 "Unable to view certificates issued by Sub CA in Web UI" separated from pr31 (+pushed)
In-Reply-To:
References:
Message-ID:

pvoborni's pull request #63: "fix for 6238 "Unable to view certificates issued by Sub CA in Web UI" separated from pr31" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/63
From freeipa-github-notification at redhat.com Wed Sep 7 07:18:14 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 07 Sep 2016 09:18:14 +0200
Subject: [Freeipa-devel] [freeipa PR#63] fix for 6238 "Unable to view certificates issued by Sub CA in Web UI" separated from pr31 (comment)
In-Reply-To:
References:
Message-ID:

martbab commented on a pull request

"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/40f923f56b4777e3e18c9f76ba1a745ed69ef0a6
https://fedorahosted.org/freeipa/changeset/64ac981dddcecf1176585b6e7b729cf38b24bcea

ipa-4-4:
https://fedorahosted.org/freeipa/changeset/0b76ba8723d7ba6f7657d0f7c17f2fc2a7356752
https://fedorahosted.org/freeipa/changeset/29af03aa4283883612bdc8cbd299f5caa6adee2b
"""

See the full comment at https://github.com/freeipa/freeipa/pull/63#issuecomment-245196074
From freeipa-github-notification at redhat.com Wed Sep 7 07:35:29 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 07 Sep 2016 09:35:29 +0200
Subject: [Freeipa-devel] [freeipa PR#65] #6216 - webui: cert_revoke should use --cacn to set correct CA when revoking certificate (opened)
Message-ID:

pvoborni's pull request #65: "#6216 - webui: cert_revoke should use --cacn to set correct CA when revoking certificate" was opened

PR body:
"""
This is Pavel's patch with changes mentioned in pull request #31 comment 1
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/65
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/65/head:pr65
git checkout pr65
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-65.patch
Type: text/x-diff
Size: 13455 bytes
Desc: not available
URL:
From freeipa-github-notification at redhat.com Wed Sep 7 07:36:39 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 07 Sep 2016 09:36:39 +0200
Subject: [Freeipa-devel] [freeipa PR#65] #6216 - webui: cert_revoke should use --cacn to set correct CA when revoking certificate (synchronize)
In-Reply-To:
References:
Message-ID:

pvoborni's pull request #65: "#6216 - webui: cert_revoke should use --cacn to set correct CA when revoking certificate" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/65
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/65/head:pr65
git checkout pr65
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-65.patch
Type: text/x-diff
Size: 8155 bytes
Desc: not available
URL:
From freeipa-github-notification at redhat.com Wed Sep 7 07:40:12 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 07 Sep 2016 09:40:12 +0200
Subject: [Freeipa-devel] [freeipa PR#31] WebUI: add support for sub-CAs while revoking certificates and removing certificate hold (comment)
In-Reply-To:
References:
Message-ID:

pvoborni commented on a pull request

"""
Obsoleted by pull request #65
"""

See the full comment at https://github.com/freeipa/freeipa/pull/31#issuecomment-245200659
From freeipa-github-notification at redhat.com Wed Sep 7 07:40:13 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 07 Sep 2016 09:40:13 +0200
Subject: [Freeipa-devel] [freeipa PR#31] WebUI: add support for sub-CAs while revoking certificates and removing certificate hold (closed)
In-Reply-To:
References:
Message-ID:

pvomacka's pull request #31: "WebUI: add support for sub-CAs while revoking certificates and removing certificate hold" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/31
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/31/head:pr31
git checkout pr31
From freeipa-github-notification at redhat.com Wed Sep 7 08:01:44 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 07 Sep 2016 10:01:44 +0200
Subject: [Freeipa-devel] [freeipa PR#58] Ip addr validation (comment)
In-Reply-To:
References:
Message-ID:

dkupka commented on a pull request

"""
@mbasti-rh In last patch, please copy-paste the warnings also into replicainstall.py
"""

See the full comment at https://github.com/freeipa/freeipa/pull/58#issuecomment-245205422
From freeipa-github-notification at redhat.com Wed Sep 7 08:26:57 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 07 Sep 2016 10:26:57 +0200
Subject: [Freeipa-devel] [freeipa PR#65] #6216 - webui: cert_revoke should use --cacn to set correct CA when revoking certificate (comment)
In-Reply-To:
References:
Message-ID:

stlaz commented on a pull request

"""
Seems to be working as expected.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/65#issuecomment-245210985
From freeipa-github-notification at redhat.com Wed Sep 7 08:27:02 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 07 Sep 2016 10:27:02 +0200
Subject: [Freeipa-devel] [freeipa PR#65] #6216 - webui: cert_revoke should use --cacn to set correct CA when revoking certificate (+ack)
In-Reply-To:
References:
Message-ID:

pvoborni's pull request #65: "#6216 - webui: cert_revoke should use --cacn to set correct CA when revoking certificate" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/65
From ftweedal at redhat.com Wed Sep 7 08:28:21 2016
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 7 Sep 2016 15:28:21 +0700 Subject: [Freeipa-devel] [PATCH] 0106 Make host/service cert revocation aware of lightweight CAs In-Reply-To: <1047ef92-f9c6-e289-730e-4be09f13e0b5@redhat.com> References: <20160826053717.GP3877@dhcp-40-8.bne.redhat.com> <20160826054222.GQ3877@dhcp-40-8.bne.redhat.com> <20160905135911.GC11489@dhcp-40-8.bne.redhat.com> <20160905153023.GE11489@dhcp-40-8.bne.redhat.com> <0f5fa3f8-11be-894c-a268-fab48fa096e5@redhat.com> <20160906173615.GN11489@dhcp-40-8.bne.redhat.com> <1047ef92-f9c6-e289-730e-4be09f13e0b5@redhat.com> Message-ID: <20160907082821.GR11489@dhcp-40-8.bne.redhat.com> On Wed, Sep 07, 2016 at 08:32:42AM +0200, Jan Cholasta wrote: > On 6.9.2016 19:36, Fraser Tweedale wrote: > > On Tue, Sep 06, 2016 at 10:19:14AM +0200, Jan Cholasta wrote: > > > On 5.9.2016 17:30, Fraser Tweedale wrote: > > > > On Mon, Sep 05, 2016 at 11:59:11PM +1000, Fraser Tweedale wrote: > > > > > On Tue, Aug 30, 2016 at 10:39:16AM +0200, Jan Cholasta wrote: > > > > > > Hi, > > > > > > > > > > > > On 26.8.2016 07:42, Fraser Tweedale wrote: > > > > > > > On Fri, Aug 26, 2016 at 03:37:17PM +1000, Fraser Tweedale wrote: > > > > > > > > Hi all, > > > > > > > > > > > > > > > > Attached patch fixes https://fedorahosted.org/freeipa/ticket/6221. > > > > > > > > It depends on Honza's PR #20 > > > > > > > > https://github.com/freeipa/freeipa/pull/20. > > > > > > > > > > > > > > > > Thanks, > > > > > > > > Fraser > > > > > > > > > > > > > > > It does help to attach the patch :) > > > > > > > > > > > > I think it would be better to call cert-find once per host-del/service-del > > > > > > with the --host/--service option specified. That way you'll get all > > > > > > certificates for the given host/service at once. > > > > > > > > > > > > Honza > > > > > > > > > > > I agree that is a nicer approach. > > > > > > > > > > 'revoke_certs' is called from several other places besides just > > > > > host/service_del. 
If we want to land this fix Real Soon I'd suggest > > > > > we either: > > > > > > > > > > A) Define function 'revoke_certs_from_cert_find', call it from > > > > > host/service_del, and leave 'revoke_certs' alone; or > > > > > > > > > > B) Land the patch as-is and do a bigger refactor at a later time. > > > > > > > > > > What do you think? > > > > > Updated patch attached; comments inline. > > > > > C) Use cert-find-based revoke_certs() everywhere; use the --certificate > > > option of cert-find in the other places to get information about specific > > > certificates. > > > > > As discussed on IRC, I have implemented this option. The caveat is > > that for host/service-mod, we incur call to cert_find for each > > removed certificate. > > It's worth noting that A) and B) suffer from the same caveat. > > > > > > > > > > > > Updated patch for option (A) is attached. > > > > > > 1) Instead of > > > > > > if result['status'] in {'REVOKED', 'REVOKED_EXPIRED'}: > > > > > > use: > > > > > > if result['revoked']: > > > > > Done. > > > > > > > > 2) > > > > > > + if 'cacn' not in cert: > > > + # cert is known to Dogtag, but CA appears to have been > > > + # deleted. We cannot revoke this cert via IPA anymore. > > > + # We could go directly to Dogtag to revoke it, but the > > > + # issuer's cert should have been revoked so never mind. > > > + continue > > > > > > Or, it could be a cert issued by a 3rd party CA. > > > > > I updated to comment to include this. > > > > > > > > 3) host-mod/service-mod do not revoke certs: > > > > > > $ ipa cert-request test.csr --principal host/test.example.com > > > Serial number: 13 > > > > > > $ ipa cert-show 13 > > > Revoked: False > > > Owner host: test.example.com > > > > > > $ ipa host-mod test.example.com --certificate= > > > > > > $ ipa cert-show 13 > > > Revoked: False > > > > > Nice find. This was a pre-existing bug: nothing gets revoked when > > all certs are removed. 
Here is the fix: > > > > - if certs and self.api.Command.ca_is_enabled()['result']: > > + ca_is_enabled = self.api.Command.ca_is_enabled()['result'] > > + if 'usercertificate' in options and ca_is_enabled: > > ... revocation code > > OK. Since it is a different bug, it should be fixed in a separate patch and > have a separate ticket. > > > > > Finally, host/service-remove-cert does not revoke the cert because > > of (I think) a bug in cert-find. If the cert does not exist on a > > host/service the cert-find cannot find it with --certificate option. > > Because host/service-remove-cert uses a post_callback to revoke the > > cert, cert-find doesn't find it thus no revocation occurs. > > > > Honza could you check whether this is indeed a bug/limitation of > > cert-find or is it the smog in Saigon affecting me? > > It's a bug - FTFY, . > > Functional ACK. Full ACK once my fix is merged and the host/service-mod is > split off into a separate patch. > To clarify - you want only the fix discussed above in the separate patch? Thanks, Fraser From jcholast at redhat.com Wed Sep 7 08:39:59 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 7 Sep 2016 10:39:59 +0200 Subject: [Freeipa-devel] [PATCH] 0106 Make host/service cert revocation aware of lightweight CAs In-Reply-To: <20160907082821.GR11489@dhcp-40-8.bne.redhat.com> References: <20160826053717.GP3877@dhcp-40-8.bne.redhat.com> <20160826054222.GQ3877@dhcp-40-8.bne.redhat.com> <20160905135911.GC11489@dhcp-40-8.bne.redhat.com> <20160905153023.GE11489@dhcp-40-8.bne.redhat.com> <0f5fa3f8-11be-894c-a268-fab48fa096e5@redhat.com> <20160906173615.GN11489@dhcp-40-8.bne.redhat.com> <1047ef92-f9c6-e289-730e-4be09f13e0b5@redhat.com> <20160907082821.GR11489@dhcp-40-8.bne.redhat.com> Message-ID: <22bfec71-ff6f-aa34-8ad9-ecd5c51bb260@redhat.com> On 7.9.2016 10:28, Fraser Tweedale wrote: > On Wed, Sep 07, 2016 at 08:32:42AM +0200, Jan Cholasta wrote: >> On 6.9.2016 19:36, Fraser Tweedale wrote: >>> On Tue, Sep 06, 2016 at 10:19:14AM +0200, Jan Cholasta wrote: >>>> On 5.9.2016 17:30, Fraser Tweedale wrote: >>>>> On Mon, Sep 05, 2016 at 11:59:11PM +1000, Fraser Tweedale wrote: >>>>>> On Tue, Aug 30, 2016 at 10:39:16AM +0200, Jan Cholasta wrote: >>>>>>> Hi, >>>>>>> >>>>>>> On 26.8.2016 07:42, Fraser Tweedale wrote: >>>>>>>> On Fri, Aug 26, 2016 at 03:37:17PM +1000, Fraser Tweedale wrote: >>>>>>>>> Hi all, >>>>>>>>> >>>>>>>>> Attached patch fixes https://fedorahosted.org/freeipa/ticket/6221. >>>>>>>>> It depends on Honza's PR #20 >>>>>>>>> https://github.com/freeipa/freeipa/pull/20. >>>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> Fraser >>>>>>>>> >>>>>>>> It does help to attach the patch :) >>>>>>> >>>>>>> I think it would be better to call cert-find once per host-del/service-del >>>>>>> with the --host/--service option specified. That way you'll get all >>>>>>> certificates for the given host/service at once. >>>>>>> >>>>>>> Honza >>>>>>> >>>>>> I agree that is a nicer approach. >>>>>> >>>>>> 'revoke_certs' is called from several other places besides just >>>>>> host/service_del. 
If we want to land this fix Real Soon I'd suggest >>>>>> we either: >>>>>> >>>>>> A) Define function 'revoke_certs_from_cert_find', call it from >>>>>> host/service_del, and leave 'revoke_certs' alone; or >>>>>> >>>>>> B) Land the patch as-is and do a bigger refactor at a later time. >>>>>> >>>>>> What do you think? >>>> >>> Updated patch attached; comments inline. >>> >>>> C) Use cert-find-based revoke_certs() everywhere; use the --certificate >>>> option of cert-find in the other places to get information about specific >>>> certificates. >>>> >>> As discussed on IRC, I have implemented this option. The caveat is >>> that for host/service-mod, we incur call to cert_find for each >>> removed certificate. >> >> It's worth noting that A) and B) suffer from the same caveat. >> >>> >>>>>> >>>>> Updated patch for option (A) is attached. >>>> >>>> 1) Instead of >>>> >>>> if result['status'] in {'REVOKED', 'REVOKED_EXPIRED'}: >>>> >>>> use: >>>> >>>> if result['revoked']: >>>> >>> Done. >>> >>>> >>>> 2) >>>> >>>> + if 'cacn' not in cert: >>>> + # cert is known to Dogtag, but CA appears to have been >>>> + # deleted. We cannot revoke this cert via IPA anymore. >>>> + # We could go directly to Dogtag to revoke it, but the >>>> + # issuer's cert should have been revoked so never mind. >>>> + continue >>>> >>>> Or, it could be a cert issued by a 3rd party CA. >>>> >>> I updated to comment to include this. >>> >>>> >>>> 3) host-mod/service-mod do not revoke certs: >>>> >>>> $ ipa cert-request test.csr --principal host/test.example.com >>>> Serial number: 13 >>>> >>>> $ ipa cert-show 13 >>>> Revoked: False >>>> Owner host: test.example.com >>>> >>>> $ ipa host-mod test.example.com --certificate= >>>> >>>> $ ipa cert-show 13 >>>> Revoked: False >>>> >>> Nice find. This was a pre-existing bug: nothing gets revoked when >>> all certs are removed. 
Here is the fix: >>> >>> - if certs and self.api.Command.ca_is_enabled()['result']: >>> + ca_is_enabled = self.api.Command.ca_is_enabled()['result'] >>> + if 'usercertificate' in options and ca_is_enabled: >>> ... revocation code >> >> OK. Since it is a different bug, it should be fixed in a separate patch and >> have a separate ticket. >> >>> >>> Finally, host/service-remove-cert does not revoke the cert because >>> of (I think) a bug in cert-find. If the cert does not exist on a >>> host/service the cert-find cannot find it with --certificate option. >>> Because host/service-remove-cert uses a post_callback to revoke the >>> cert, cert-find doesn't find it thus no revocation occurs. >>> >>> Honza could you check whether this is indeed a bug/limitation of >>> cert-find or is it the smog in Saigon affecting me? >> >> It's a bug - FTFY, . >> >> Functional ACK. Full ACK once my fix is merged and the host/service-mod is >> split off into a separate patch. >> > To clarify - you want only the fix discussed above in the separate > patch? I want the fix for sub-CA revocation in one patch and the fix for host/service-mod with empty --certificate in other patch. -- Jan Cholasta From ftweedal at redhat.com Wed Sep 7 09:05:18 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 7 Sep 2016 16:05:18 +0700 Subject: [Freeipa-devel] [PATCH] 0106 Make host/service cert revocation aware of lightweight CAs In-Reply-To: <22bfec71-ff6f-aa34-8ad9-ecd5c51bb260@redhat.com> References: <20160826053717.GP3877@dhcp-40-8.bne.redhat.com> <20160826054222.GQ3877@dhcp-40-8.bne.redhat.com> <20160905135911.GC11489@dhcp-40-8.bne.redhat.com> <20160905153023.GE11489@dhcp-40-8.bne.redhat.com> <0f5fa3f8-11be-894c-a268-fab48fa096e5@redhat.com> <20160906173615.GN11489@dhcp-40-8.bne.redhat.com> <1047ef92-f9c6-e289-730e-4be09f13e0b5@redhat.com> <20160907082821.GR11489@dhcp-40-8.bne.redhat.com> <22bfec71-ff6f-aa34-8ad9-ecd5c51bb260@redhat.com> Message-ID: <20160907090518.GS11489@dhcp-40-8.bne.redhat.com> On Wed, Sep 07, 2016 at 10:39:59AM +0200, Jan Cholasta wrote: > On 7.9.2016 10:28, Fraser Tweedale wrote: > > On Wed, Sep 07, 2016 at 08:32:42AM +0200, Jan Cholasta wrote: > > > On 6.9.2016 19:36, Fraser Tweedale wrote: > > > > On Tue, Sep 06, 2016 at 10:19:14AM +0200, Jan Cholasta wrote: > > > > > On 5.9.2016 17:30, Fraser Tweedale wrote: > > > > > > On Mon, Sep 05, 2016 at 11:59:11PM +1000, Fraser Tweedale wrote: > > > > > > > On Tue, Aug 30, 2016 at 10:39:16AM +0200, Jan Cholasta wrote: > > > > > > > > Hi, > > > > > > > > > > > > > > > > On 26.8.2016 07:42, Fraser Tweedale wrote: > > > > > > > > > On Fri, Aug 26, 2016 at 03:37:17PM +1000, Fraser Tweedale wrote: > > > > > > > > > > Hi all, > > > > > > > > > > > > > > > > > > > > Attached patch fixes https://fedorahosted.org/freeipa/ticket/6221. > > > > > > > > > > It depends on Honza's PR #20 > > > > > > > > > > https://github.com/freeipa/freeipa/pull/20. 
> > > > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > > Fraser > > > > > > > > > > > > > > > > > > > It does help to attach the patch :) > > > > > > > > > > > > > > > > I think it would be better to call cert-find once per host-del/service-del > > > > > > > > with the --host/--service option specified. That way you'll get all > > > > > > > > certificates for the given host/service at once. > > > > > > > > > > > > > > > > Honza > > > > > > > > > > > > > > > I agree that is a nicer approach. > > > > > > > > > > > > > > 'revoke_certs' is called from several other places besides just > > > > > > > host/service_del. If we want to land this fix Real Soon I'd suggest > > > > > > > we either: > > > > > > > > > > > > > > A) Define function 'revoke_certs_from_cert_find', call it from > > > > > > > host/service_del, and leave 'revoke_certs' alone; or > > > > > > > > > > > > > > B) Land the patch as-is and do a bigger refactor at a later time. > > > > > > > > > > > > > > What do you think? > > > > > > > > > Updated patch attached; comments inline. > > > > > > > > > C) Use cert-find-based revoke_certs() everywhere; use the --certificate > > > > > option of cert-find in the other places to get information about specific > > > > > certificates. > > > > > > > > > As discussed on IRC, I have implemented this option. The caveat is > > > > that for host/service-mod, we incur a call to cert_find for each > > > > removed certificate. > > > It's worth noting that A) and B) suffer from the same caveat. > > > > > > > > > > > > > > > > > > > > Updated patch for option (A) is attached. > > > > > > > > > > 1) Instead of > > > > > > > > > > if result['status'] in {'REVOKED', 'REVOKED_EXPIRED'}: > > > > > > > > > > use: > > > > > > > > > > if result['revoked']: > > > > > > > > > Done. > > > > > > > > > > > > > > 2) > > > > > > > > > > + if 'cacn' not in cert: > > > > > + # cert is known to Dogtag, but CA appears to have been > > > > > + # deleted.
We cannot revoke this cert via IPA anymore. > > > > > + # We could go directly to Dogtag to revoke it, but the > > > > > + # issuer's cert should have been revoked so never mind. > > > > > + continue > > > > > > > > > > Or, it could be a cert issued by a 3rd party CA. > > > > > > > > > I updated the comment to include this. > > > > > > > > > > > > > > 3) host-mod/service-mod do not revoke certs: > > > > > > > > > > $ ipa cert-request test.csr --principal host/test.example.com > > > > > Serial number: 13 > > > > > > > > > > $ ipa cert-show 13 > > > > > Revoked: False > > > > > Owner host: test.example.com > > > > > > > > > > $ ipa host-mod test.example.com --certificate= > > > > > > > > > > $ ipa cert-show 13 > > > > > Revoked: False > > > > > > > > > Nice find. This was a pre-existing bug: nothing gets revoked when > > > > all certs are removed. Here is the fix: > > > > > > > > - if certs and self.api.Command.ca_is_enabled()['result']: > > > > + ca_is_enabled = self.api.Command.ca_is_enabled()['result'] > > > > + if 'usercertificate' in options and ca_is_enabled: > > > > ... revocation code > > > > > > OK. Since it is a different bug, it should be fixed in a separate patch and > > > have a separate ticket. > > > > > > > > > > > Finally, host/service-remove-cert does not revoke the cert because > > > > of (I think) a bug in cert-find. If the cert does not exist on a > > > > host/service, cert-find cannot find it with the --certificate option. > > > > Because host/service-remove-cert uses a post_callback to revoke the > > > > cert, cert-find doesn't find it, thus no revocation occurs. > > > > > > > > Honza, could you check whether this is indeed a bug/limitation of > > > > cert-find or is it the smog in Saigon affecting me? > > > It's a bug - FTFY, . > > > > > > Functional ACK. Full ACK once my fix is merged and the host/service-mod is > > > split off into a separate patch. > > > > > To clarify - you want only the fix discussed above in the separate > > patch?
> > I want the fix for sub-CA revocation in one patch and the fix for > host/service-mod with empty --certificate in another patch. > Updated patch 106 attached. Will send patch for the other fix separately. Thanks, Fraser -------------- next part -------------- From ea7795adafb6ae70bfec27e6dbe6c095f477cab7 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 26 Aug 2016 15:31:13 +1000 Subject: [PATCH] Make host/service cert revocation aware of lightweight CAs Revocation of host/service certs on host/service deletion or other operations is broken when cert is issued by a lightweight (sub)CA, causing the delete operation to be aborted. Look up the issuing CA and pass it to 'cert_revoke' to fix the issue. Fixes: https://fedorahosted.org/freeipa/ticket/6221 --- ipaserver/plugins/host.py | 20 +++++++--------- ipaserver/plugins/service.py | 56 ++++++++++++++++++++++---------------- 2 files changed, 37 insertions(+), 39 deletions(-) diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index 03c64c637cbba0aee1b6569f3b5dbe200953bff8..2362b6247af87b4ce63c21083e6bc8ac39db0804 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -843,12 +843,8 @@ class host_del(LDAPDelete): ) if self.api.Command.ca_is_enabled()['result']: - try: - entry_attrs = ldap.get_entry(dn, ['usercertificate']) - except errors.NotFound: - self.obj.handle_not_found(*keys) - - revoke_certs(entry_attrs.get('usercertificate', []), self.log) + certs = self.api.Command.cert_find(host=keys)['result'] + revoke_certs(certs) return dn @@ -910,7 +906,9 @@ class host_mod(LDAPUpdate): old_certs = entry_attrs_old.get('usercertificate', []) old_certs_der = [x509.normalize_certificate(c) for c in old_certs] removed_certs_der = set(old_certs_der) - set(certs_der) - revoke_certs(removed_certs_der, self.log) + for der in removed_certs_der: + rm_certs = api.Command.cert_find(certificate=der)['result'] + revoke_certs(rm_certs) if certs: entry_attrs['usercertificate'] = certs_der
@@ -1196,10 +1194,10 @@ class host_disable(LDAPQuery): except errors.NotFound: self.obj.handle_not_found(*keys) if self.api.Command.ca_is_enabled()['result']: - certs = entry_attrs.get('usercertificate', []) + certs = self.api.Command.cert_find(host=keys)['result'] if certs: - revoke_certs(certs, self.log) + revoke_certs(certs) # Remove the usercertificate altogether entry_attrs['usercertificate'] = None ldap.update_entry(entry_attrs) @@ -1341,8 +1339,8 @@ class host_remove_cert(LDAPRemoveAttributeViaOption): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): assert isinstance(dn, DN) - if 'usercertificate' in options: - revoke_certs(options['usercertificate'], self.log) + for cert in options.get('usercertificate', []): + revoke_certs(api.Command.cert_find(certificate=cert)['result']) return dn diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py index 04d1916fe989a8651bcc4d44f1914c460be1081c..093525f2e7cb84b18f0658dcb5d7c786e45c6ab6 100644 --- a/ipaserver/plugins/service.py +++ b/ipaserver/plugins/service.py 
@@ -220,37 +220,38 @@ def validate_certificate(ugettext, cert): x509.validate_certificate(cert, datatype=x509.DER) -def revoke_certs(certs, logger=None): +def revoke_certs(certs): """ revoke the certificates removed from host/service entry + + :param certs: Output of a 'cert_find' command. + """ for cert in certs: - try: - cert = x509.normalize_certificate(cert) - except errors.CertificateFormatError as e: - if logger is not None: - logger.info("Problem decoding certificate: %s" % e) - - serial = unicode(x509.get_serial_number(cert, x509.DER)) - - try: - result = api.Command['cert_show'](unicode(serial))['result'] - except errors.CertificateOperationError: - continue - if 'revocation_reason' in result: + if 'cacn' not in cert: + # Cert is known to IPA, but has no associated CA. + # If it was issued by 3rd-party CA, we can't revoke it. + # If it was issued by a Dogtag lightweight CA that was + # subsequently deleted, we can't revoke it via IPA. + # We could go directly to Dogtag to revoke it, but the + # issuer's cert should have been revoked so never mind. continue - if x509.normalize_certificate(result['certificate']) != cert: + + if cert['revoked']: + # cert is already revoked continue try: - api.Command['cert_revoke'](unicode(serial), - revocation_reason=4) + api.Command['cert_revoke']( + cert['serial_number'], + cacn=cert['cacn'], + revocation_reason=4, + ) except errors.NotImplementedError: # some CA's might not implement revoke pass - def set_certificate_attrs(entry_attrs): """ Set individual attributes from some values from a certificate. 
@@ -674,11 +675,8 @@ class service_del(LDAPDelete): # custom services allow them to manage them. check_required_principal(ldap, keys[-1]) if self.api.Command.ca_is_enabled()['result']: - try: - entry_attrs = ldap.get_entry(dn, ['usercertificate']) - except errors.NotFound: - self.obj.handle_not_found(*keys) - revoke_certs(entry_attrs.get('usercertificate', []), self.log) + certs = self.api.Command.cert_find(service=keys)['result'] + revoke_certs(certs) return dn @@ -711,7 +709,9 @@ class service_mod(LDAPUpdate): old_certs = entry_attrs_old.get('usercertificate', []) old_certs_der = [x509.normalize_certificate(c) for c in old_certs] removed_certs_der = set(old_certs_der) - set(certs_der) - revoke_certs(removed_certs_der, self.log) + for der in removed_certs_der: + rm_certs = api.Command.cert_find(certificate=der)['result'] + revoke_certs(rm_certs) if certs: entry_attrs['usercertificate'] = certs_der @@ -950,10 +950,10 @@ class service_disable(LDAPQuery): done_work = False if self.api.Command.ca_is_enabled()['result']: - certs = entry_attrs.get('usercertificate', []) + certs = self.api.Command.cert_find(service=keys)['result'] if len(certs) > 0: - revoke_certs(certs, self.log) + revoke_certs(certs) # Remove the usercertificate altogether entry_attrs['usercertificate'] = None ldap.update_entry(entry_attrs) @@ -989,8 +989,8 @@ class service_remove_cert(LDAPRemoveAttributeViaOption): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): assert isinstance(dn, DN) - if 'usercertificate' in options: - revoke_certs(options['usercertificate'], self.log) + for cert in options.get('usercertificate', []): + revoke_certs(api.Command.cert_find(certificate=cert)['result']) return dn -- 2.5.5 From ftweedal at redhat.com Wed Sep 7 09:06:25 2016 
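Review bot: In the service.py revoke_certs hunk, the two `continue` branches (no `cacn`, already `revoked`) and the `except errors.NotImplementedError: pass` leave no record of which certificates were left unrevoked, and the rewrite also drops the `logger` parameter the old version used for its "Problem decoding certificate" message. Deleting a host whose certificate came from a third-party CA or a since-deleted lightweight CA now succeeds with nothing revoked and nothing logged; a debug or info message naming the serial number and the reason for skipping would let an operator tell that case apart from a revocation that simply never ran.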
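Review bot: In the host_mod and service_mod hunks, and in the host_remove_cert and service_remove_cert post_callback hunks, `api.Command.cert_find(certificate=der)` uses the module-level `api` while the same hunks read `self.api.Command.ca_is_enabled()`; using `self.api` throughout keeps the plugin usable with an injected API. These paths also issue one cert_find round trip per removed certificate and, in the *-remove-cert case, run in a post_callback after the value is already gone from LDAP, so they depend on cert-find --certificate locating a certificate that is no longer in LDAP, which the thread identifies as a cert-find bug fixed separately (PR #64). That dependency belongs in the commit message.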
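Review bot: The host_disable and service_disable hunks test the same cert_find result list two different ways, `if certs:` in host.py and `if len(certs) > 0:` in service.py; since both now receive the same kind of value, the service.py form could be brought in line with host.py.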
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 7 Sep 2016 16:06:25 +0700 Subject: [Freeipa-devel] [PATCH] 0107 Fix cert revocation when removing all certs via host/service-mod Message-ID: <20160907090625.GT11489@dhcp-40-8.bne.redhat.com> Attached patch fixes https://fedorahosted.org/freeipa/ticket/6305 Thanks, Fraser -------------- next part -------------- From d4d7e77795f96a4970058e61d99c70522689b22d Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 7 Sep 2016 19:00:18 +1000 Subject: [PATCH] Fix cert revocation when removing all certs via host/service-mod When removing all host/service certificates via host/service-mod --certificate=, the removed certificates should be revoked, but they are not. Examine whether the --certificate option was provided to determine whether certs should be revoked, instead of looking for a cert list in the options (which in this case is empty). Fixes: https://fedorahosted.org/freeipa/ticket/6305 --- ipaserver/plugins/host.py | 3 ++- ipaserver/plugins/service.py | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index 2362b6247af87b4ce63c21083e6bc8ac39db0804..7f63e94849b4a6f2ce871ec77b188c54d640ba94 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -898,7 +898,8 @@ class host_mod(LDAPUpdate): certs_der = [x509.normalize_certificate(c) for c in certs] # revoke removed certificates - if certs and self.api.Command.ca_is_enabled()['result']: + ca_is_enabled = self.api.Command.ca_is_enabled()['result'] + if 'usercertificate' in options and ca_is_enabled: try: entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) except errors.NotFound: diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py index 093525f2e7cb84b18f0658dcb5d7c786e45c6ab6..c0590732470ac1200d4dd4ea1f089e4384a509b3 100644 --- a/ipaserver/plugins/service.py +++ b/ipaserver/plugins/service.py 
@@ -701,7 +701,8 @@ class service_mod(LDAPUpdate): certs = entry_attrs.get('usercertificate') or [] certs_der = [x509.normalize_certificate(c) for c in certs] # revoke removed certificates - if certs and self.api.Command.ca_is_enabled()['result']: + ca_is_enabled = self.api.Command.ca_is_enabled()['result'] + if 'usercertificate' in options and ca_is_enabled: try: entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) except errors.NotFound: -- 2.5.5 From freeipa-github-notification at redhat.com Wed Sep 7 10:35:24 2016 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 07 Sep 2016 12:35:24 +0200 Subject: [Freeipa-devel] [freeipa PR#65] #6216 - webui: cert_revoke should use --cacn to set correct CA when revoking certificate (closed) In-Reply-To: References: Message-ID: pvoborni's pull request #65: "#6216 - webui: cert_revoke should use --cacn to set correct CA when revoking certificate" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/65 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/65/head:pr65 git checkout pr65 From freeipa-github-notification at redhat.com Wed Sep 7 10:35:26 2016 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 07 Sep 2016 12:35:26 +0200 Subject: [Freeipa-devel] [freeipa PR#65] #6216 - webui: cert_revoke should use --cacn to set correct CA when revoking certificate (+pushed) In-Reply-To: References: Message-ID: pvoborni's pull request #65: "#6216 - webui: cert_revoke should use --cacn to set correct CA when revoking certificate" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/65 From freeipa-github-notification at redhat.com Wed Sep 7 10:35:28 2016 
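Review bot: In both the host_mod and service_mod hunks, `'usercertificate' in options` is the right test for the CLI case `--certificate=`, where the option is present with an empty value, but it is also true for any caller that passes `usercertificate` explicitly as empty or None, and `certs` is then `[]`, so every existing certificate on the entry is revoked. Worth confirming in a test that an API client sending that option unset is not treated as "remove all certificates", and adding a regression test for the cert-request / host-mod --certificate= / cert-show sequence from the thread. The three changed lines are also copied verbatim between host.py and service.py, which is how the original bug ended up in both places; a shared helper would keep them from drifting apart again.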
From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 07 Sep 2016 12:35:28 +0200 Subject: [Freeipa-devel] [freeipa PR#65] #6216 - webui: cert_revoke should use --cacn to set correct CA when revoking certificate (comment) In-Reply-To: References: Message-ID: pvoborni commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/7fea3914fbfc0748f26dfe41445b5f0d12f406e6 ipa-4-4: https://fedorahosted.org/freeipa/changeset/a68da14654243821274848b9af57fec3dc2fdb39 """ See the full comment at https://github.com/freeipa/freeipa/pull/65#issuecomment-245241413 From mbabinsk at redhat.com Wed Sep 7 10:38:35 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 7 Sep 2016 12:38:35 +0200 Subject: [Freeipa-devel] [PATCH] 0101 Add ca-disable and ca-enable commands In-Reply-To: <20160906144939.GK11489@dhcp-40-8.bne.redhat.com> References: <20160825082523.GM3877@dhcp-40-8.bne.redhat.com> <2ecd524c-94aa-e492-aeb8-b1b8fab2135c@redhat.com> <10af7aea-68d8-49c2-b712-85969b5b2079@redhat.com> <3db9b05b-5bfa-ddf6-daeb-5e2be57beca9@redhat.com> <20160906144939.GK11489@dhcp-40-8.bne.redhat.com> Message-ID: On 09/06/2016 04:49 PM, Fraser Tweedale wrote: > On Tue, Aug 30, 2016 at 10:23:10AM +0200, Martin Babinsky wrote: >> On 08/30/2016 10:09 AM, Jan Cholasta wrote: >>> Hi, >>> >>> On 30.8.2016 09:56, Martin Babinsky wrote: >>>> On 08/25/2016 10:25 AM, Fraser Tweedale wrote: >>>>> Hi team, >>>>> >>>>> The attached patch fixes >>>>> https://fedorahosted.org/freeipa/ticket/6257. >>>>> >>>>> The behaviour of cert-request when the CA is disabled is not very >>>>> nice (it reports a server error from Dogtag). The Dogtag REST >>>>> interface gives much better errors so I plan to move to it in a >>>>> later change (which will also address >>>>> https://fedorahosted.org/freeipa/ticket/3473, in part). >>>>> >>>>> Thanks, >>>>> Fraser >>>>> >>>>> >>>>> >>>> >>>> Hi Fraser, >>>> >>>> I have a couple of comments below: >>>> >>>> 1.)
>>>> @@ -25,6 +33,10 @@ EXAMPLES: >>>> ipa ca-add puppet --desc "Puppet" \\ >>>> --subject "CN=Puppet CA,O=EXAMPLE.COM" >>>> >>>> + Disable a CA. >>>> + >>>> + ipa ca-disable puppet >>>> + >>>> """) >>>> >>>> You missed an example of the `ca-enable` command in the doc string. >>>> >>>> 2.) >>>> >>>> Regarding implementation of ca_enable/disable, I think you can reduce >>>> the amount of code duplication by employing a base class which will look >>>> up the required sub-CA and call the RA backend method required by the >>>> subclass. See the attached untested diff (passes lint) for details. >> >> Looks like I forgot how to OOP while on PTO :) Honza is right, of course, >> see the example code in the attached diff (again not tested, just a quick >> example). >> > Updated patch attached, implemented the inheritance suggestion and > expanded the plugin help. > > Thanks, > Fraser > Thanks, ACK. Pushed to: master: c7e0dbc4e174d0bb7577de18cdb2f414f4199c57 ipa-4-4: b037e54e457d731cd16144df7573f4c85d79368a -- Martin^3 Babinsky From freeipa-github-notification at redhat.com Wed Sep 7 10:45:16 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 07 Sep 2016 12:45:16 +0200 Subject: [Freeipa-devel] [freeipa PR#64] cert: fix cert-find --certificate when the cert is not in LDAP (+ack) In-Reply-To: References: Message-ID: jcholast's pull request #64: "cert: fix cert-find --certificate when the cert is not in LDAP" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/64 From freeipa-github-notification at redhat.com Wed Sep 7 10:47:31 2016
From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 07 Sep 2016 12:47:31 +0200 Subject: [Freeipa-devel] [freeipa PR#64] cert: fix cert-find --certificate when the cert is not in LDAP (+pushed) In-Reply-To: References: Message-ID: jcholast's pull request #64: "cert: fix cert-find --certificate when the cert is not in LDAP" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/64 From freeipa-github-notification at redhat.com Wed Sep 7 10:47:33 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 07 Sep 2016 12:47:33 +0200 Subject: [Freeipa-devel] [freeipa PR#64] cert: fix cert-find --certificate when the cert is not in LDAP (comment) In-Reply-To: References: Message-ID: dkupka commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/b7b6faf14aaa8ac677ab9ebc2bcbf87e6b2a1146 ipa-4-4: https://fedorahosted.org/freeipa/changeset/5d4f7b78bc4d179544810419f73ec4d48b0a2a76 """ See the full comment at https://github.com/freeipa/freeipa/pull/64#issuecomment-245243898 From freeipa-github-notification at redhat.com Wed Sep 7 10:47:34 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 07 Sep 2016 12:47:34 +0200 Subject: [Freeipa-devel] [freeipa PR#64] cert: fix cert-find --certificate when the cert is not in LDAP (closed) In-Reply-To: References: Message-ID: jcholast's pull request #64: "cert: fix cert-find --certificate when the cert is not in LDAP" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/64 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/64/head:pr64 git checkout pr64 From mbabinsk at redhat.com Wed Sep 7 10:50:18 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 7 Sep 2016 12:50:18 +0200 Subject: [Freeipa-devel] [PATCH] 0102..0105 Better handling for cert-request to disabled CA In-Reply-To: <20160906145145.GL11489@dhcp-40-8.bne.redhat.com> References: <20160826021907.GN3877@dhcp-40-8.bne.redhat.com> <20160906145145.GL11489@dhcp-40-8.bne.redhat.com> Message-ID: <9e95a529-a8dd-c58b-ec4f-78c707ab86a2@redhat.com> On 09/06/2016 04:51 PM, Fraser Tweedale wrote: > On Tue, Aug 30, 2016 at 10:54:32AM +0200, Martin Babinsky wrote: >> On 08/26/2016 04:19 AM, Fraser Tweedale wrote: >>> The attached patches add better handling of cert-request failure due >>> to target CA being disabled (#6260). To do this, rather than go and >>> do extra work in Dogtag that we would depend on, instead I bite the >>> bullet and refactor ra.request_certificate to use the Dogtag REST >>> API, which correctly responds with status 409 in this case. >>> >>> Switching RA to Dogtag REST API is an old ticket (#3437) so these >>> patches address it in part, and show the way forward for the rest of >>> it. >>> >>> These patches don't technically depend on patch 0101 which adds the >>> ca-enable and ca-disable commands, but 0101 may help for testing :) >>> >>> Thanks, >>> Fraser >>> >>> >>> >> >> Hi Fraser, >> >> PATCH 102: >> >> LGTM, but please use the standard ":param " annotations in the docstring for >> `_ssldo` method. It will make our life easier if we decide to use Sphinx or >> a similar tool to auto-generate documentation from sources. >> >> You can also add a ":raises:" section describing that RemoteRetrieveError is >> raised when use_session is True but the session cookie wasn't acquired. It >> is kind of obvious but it may trip the uninitiated. >> >> PATCH 103: >> >> Due to magical behavior of our public errors, the exception body should look >> like this: >> >> --- a/ipalib/errors.py >> +++ b/ipalib/errors.py
>> @@ -1413,10 +1413,7 @@ class HTTPRequestError(RemoteRetrieveError): >> """ >> >> errno = 4035 >> - >> - def __init__(self, status=None, **kw): >> - assert status is not None >> - super(HTTPRequestError, self).__init__(status=status, **kw) >> + format = _('Request failed with status %(status)s: %(reason)') >> >> The format string will then automatically be supplied with status and >> reason if you pass them to the constructor as you already do. The errors >> will also be handled magically (such as status which is None etc.) >> >> PATCH 104: >> >> 1.) please don't use bare except here: >> >> """ >> + try: >> + resp_obj = json.loads(http_body) >> + except: >> + raise errors.RemoteRetrieveError(reason=_("Response from CA was >> not valid JSON")) >> """ >> >> use 'except Exception' at least. >> >> PATCH 105: >> >> + if e.status == 409: # pylint: disable=E1101 >> + raise errors.CertificateOperationError( >> + error=_("CA '%s' is disabled") % ca) >> + else: >> + raise e >> + >> >> please use named errors instead of error codes in pylint annotations: >> # pylint: disable=no-member >> > Thanks for your review, Martin. Updated patches attached; they > address all mentioned issues. > > Cheers, > Fraser > Thanks, ACK. Pushed to: ipa-4-4: b8491490c2dbb3b2db3ce64cd154b499142bc250 master: 520ad7d865ff147d3ff8819d3e384d7cbd69bfb7 -- Martin^3 Babinsky From freeipa-github-notification at redhat.com Wed Sep 7 10:54:50 2016
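Review bot: The suggested `format` string in the quoted errors.py hunk, `_('Request failed with status %(status)s: %(reason)')`, is missing the conversion type on its last placeholder: `%(reason)` needs to be `%(reason)s`, otherwise Python raises `ValueError: incomplete format` the moment the error message is rendered, turning a report of an HTTP failure into a second exception. Since the hunk also removes the `assert status is not None` from `__init__`, it is worth adding a line to the class docstring that `status` is optional and what the message looks like when it is absent.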
From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 07 Sep 2016 12:54:50 +0200 Subject: [Freeipa-devel] [freeipa PR#31] WebUI: add support for sub-CAs while revoking certificates and removing certificate hold (+rejected) In-Reply-To: References: Message-ID: pvomacka's pull request #31: "WebUI: add support for sub-CAs while revoking certificates and removing certificate hold" label *rejected* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/31 From freeipa-github-notification at redhat.com Wed Sep 7 11:02:48 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Sep 2016 13:02:48 +0200 Subject: [Freeipa-devel] [freeipa PR#58] Ip addr validation (synchronize) In-Reply-To: References: Message-ID: mbasti-rh's pull request #58: "Ip addr validation" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/58 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/58/head:pr58 git checkout pr58 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-58.patch Type: text/x-diff Size: 13094 bytes Desc: not available URL: From jcholast at redhat.com Wed Sep 7 11:21:57 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 7 Sep 2016 13:21:57 +0200 Subject: [Freeipa-devel] [PATCH] 0106 Make host/service cert revocation aware of lightweight CAs In-Reply-To: <20160907090518.GS11489@dhcp-40-8.bne.redhat.com> References: <20160826053717.GP3877@dhcp-40-8.bne.redhat.com> <20160826054222.GQ3877@dhcp-40-8.bne.redhat.com> <20160905135911.GC11489@dhcp-40-8.bne.redhat.com> <20160905153023.GE11489@dhcp-40-8.bne.redhat.com> <0f5fa3f8-11be-894c-a268-fab48fa096e5@redhat.com> <20160906173615.GN11489@dhcp-40-8.bne.redhat.com> <1047ef92-f9c6-e289-730e-4be09f13e0b5@redhat.com> <20160907082821.GR11489@dhcp-40-8.bne.redhat.com> <22bfec71-ff6f-aa34-8ad9-ecd5c51bb260@redhat.com> <20160907090518.GS11489@dhcp-40-8.bne.redhat.com> Message-ID: On 7.9.2016 11:05, Fraser Tweedale wrote: > On Wed, Sep 07, 2016 at 10:39:59AM +0200, Jan Cholasta wrote: >> On 7.9.2016 10:28, Fraser Tweedale wrote: >>> On Wed, Sep 07, 2016 at 08:32:42AM +0200, Jan Cholasta wrote: >>>> On 6.9.2016 19:36, Fraser Tweedale wrote: >>>>> On Tue, Sep 06, 2016 at 10:19:14AM +0200, Jan Cholasta wrote: >>>>>> On 5.9.2016 17:30, Fraser Tweedale wrote: >>>>>>> On Mon, Sep 05, 2016 at 11:59:11PM +1000, Fraser Tweedale wrote: >>>>>>>> On Tue, Aug 30, 2016 at 10:39:16AM +0200, Jan Cholasta wrote: >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> On 26.8.2016 07:42, Fraser Tweedale wrote: >>>>>>>>>> On Fri, Aug 26, 2016 at 03:37:17PM +1000, Fraser Tweedale wrote: >>>>>>>>>>> Hi all, >>>>>>>>>>> >>>>>>>>>>> Attached patch fixes https://fedorahosted.org/freeipa/ticket/6221. >>>>>>>>>>> It depends on Honza's PR #20 >>>>>>>>>>> https://github.com/freeipa/freeipa/pull/20. >>>>>>>>>>> >>>>>>>>>>> Thanks, >>>>>>>>>>> Fraser >>>>>>>>>>> >>>>>>>>>> It does help to attach the patch :) >>>>>>>>> >>>>>>>>> I think it would be better to call cert-find once per host-del/service-del >>>>>>>>> with the --host/--service option specified. That way you'll get all >>>>>>>>> certificates for the given host/service at once. 
>>>>>>>>> >>>>>>>>> Honza >>>>>>>>> >>>>>>>> I agree that is a nicer approach. >>>>>>>> >>>>>>>> 'revoke_certs' is called from several other places besides just >>>>>>>> host/service_del. If we want to land this fix Real Soon I'd suggest >>>>>>>> we either: >>>>>>>> >>>>>>>> A) Define function 'revoke_certs_from_cert_find', call it from >>>>>>>> host/service_del, and leave 'revoke_certs' alone; or >>>>>>>> >>>>>>>> B) Land the patch as-is and do a bigger refactor at a later time. >>>>>>>> >>>>>>>> What do you think? >>>>>> >>>>> Updated patch attached; comments inline. >>>>> >>>>>> C) Use cert-find-based revoke_certs() everywhere; use the --certificate >>>>>> option of cert-find in the other places to get information about specific >>>>>> certificates. >>>>>> >>>>> As discussed on IRC, I have implemented this option. The caveat is >>>>> that for host/service-mod, we incur a call to cert_find for each >>>>> removed certificate. >>>> >>>> It's worth noting that A) and B) suffer from the same caveat. >>>> >>>>> >>>>>>>> >>>>>>> Updated patch for option (A) is attached. >>>>>> >>>>>> 1) Instead of >>>>>> >>>>>> if result['status'] in {'REVOKED', 'REVOKED_EXPIRED'}: >>>>>> >>>>>> use: >>>>>> >>>>>> if result['revoked']: >>>>>> >>>>> Done. >>>>> >>>>>> >>>>>> 2) >>>>>> >>>>>> + if 'cacn' not in cert: >>>>>> + # cert is known to Dogtag, but CA appears to have been >>>>>> + # deleted. We cannot revoke this cert via IPA anymore. >>>>>> + # We could go directly to Dogtag to revoke it, but the >>>>>> + # issuer's cert should have been revoked so never mind. >>>>>> + continue >>>>>> >>>>>> Or, it could be a cert issued by a 3rd party CA. >>>>>> >>>>> I updated the comment to include this.
>>>>> >>>>>> >>>>>> 3) host-mod/service-mod do not revoke certs: >>>>>> >>>>>> $ ipa cert-request test.csr --principal host/test.example.com >>>>>> Serial number: 13 >>>>>> >>>>>> $ ipa cert-show 13 >>>>>> Revoked: False >>>>>> Owner host: test.example.com >>>>>> >>>>>> $ ipa host-mod test.example.com --certificate= >>>>>> >>>>>> $ ipa cert-show 13 >>>>>> Revoked: False >>>>>> >>>>> Nice find. This was a pre-existing bug: nothing gets revoked when >>>>> all certs are removed. Here is the fix: >>>>> >>>>> - if certs and self.api.Command.ca_is_enabled()['result']: >>>>> + ca_is_enabled = self.api.Command.ca_is_enabled()['result'] >>>>> + if 'usercertificate' in options and ca_is_enabled: >>>>> ... revocation code >>>> >>>> OK. Since it is a different bug, it should be fixed in a separate patch and >>>> have a separate ticket. >>>> >>>>> >>>>> Finally, host/service-remove-cert does not revoke the cert because >>>>> of (I think) a bug in cert-find. If the cert does not exist on a >>>>> host/service, cert-find cannot find it with the --certificate option. >>>>> Because host/service-remove-cert uses a post_callback to revoke the >>>>> cert, cert-find doesn't find it, thus no revocation occurs. >>>>> >>>>> Honza, could you check whether this is indeed a bug/limitation of >>>>> cert-find or is it the smog in Saigon affecting me? >>>> >>>> It's a bug - FTFY, . >>>> >>>> Functional ACK. Full ACK once my fix is merged and the host/service-mod is >>>> split off into a separate patch. >>>> >>> To clarify - you want only the fix discussed above in the separate >>> patch? >> >> I want the fix for sub-CA revocation in one patch and the fix for >> host/service-mod with empty --certificate in another patch. >> > Updated patch 106 attached. Will send patch for the other fix > separately. Thanks, ACK.
Pushed to: master: daeaf2a8234ba684352d98fbc8d734100e6d63d1 ipa-4-4: d3f3869e6d496cfec2c9c02373f97ebafe73ce93 -- Jan Cholasta From freeipa-github-notification at redhat.com Wed Sep 7 12:05:46 2016 From: freeipa-github-notification at redhat.com (mirielka) Date: Wed, 07 Sep 2016 14:05:46 +0200 Subject: [Freeipa-devel] [freeipa PR#43] Tests: Fix regex errors in integration trust tests (synchronize) In-Reply-To: References: Message-ID: mirielka's pull request #43: "Tests: Fix regex errors in integration trust tests" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/43 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/43/head:pr43 git checkout pr43 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-43.patch Type: text/x-diff Size: 2136 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Sep 7 12:13:36 2016 
From: freeipa-github-notification at redhat.com (mirielka) Date: Wed, 07 Sep 2016 14:13:36 +0200 Subject: [Freeipa-devel] [freeipa PR#66] [master, ipa-4-4] Tests: Add cleanup to integration trust tests (opened) Message-ID: mirielka's pull request #66: "[master, ipa-4-4] Tests: Add cleanup to integration trust tests" was opened PR body: """ Trust tests fail if they are executed after external trust tests. This is caused by missing cleanup. Providing cleanup that would enable correct execution of the tests regardless of their order. https://fedorahosted.org/freeipa/ticket/6306 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/66 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/66/head:pr66 git checkout pr66 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-66.patch Type: text/x-diff Size: 1290 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Sep 7 13:18:22 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 07 Sep 2016 15:18:22 +0200 Subject: [Freeipa-devel] [freeipa PR#58] Ip addr validation (comment) In-Reply-To: References: Message-ID: martbab commented on a pull request """ @mbasti-rh you forgot to copy-paste the code to promote_check function. @pvoborni ^^ and that's why we need to refactor installer code """ See the full comment at https://github.com/freeipa/freeipa/pull/58#issuecomment-245277233 From freeipa-github-notification at redhat.com Wed Sep 7 13:19:44 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Sep 2016 15:19:44 +0200 Subject: [Freeipa-devel] [freeipa PR#58] Ip addr validation (synchronize) In-Reply-To: References: Message-ID: mbasti-rh's pull request #58: "Ip addr validation" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/58 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/58/head:pr58 git checkout pr58 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-58.patch Type: text/x-diff Size: 14261 bytes Desc: not available URL: From ofayans at redhat.com Wed Sep 7 13:27:24 2016 
From: ofayans at redhat.com (Oleg Fayans) Date: Wed, 7 Sep 2016 15:27:24 +0200 Subject: [Freeipa-devel] [Test][patch-0058] Fixed topology tests failures in CI In-Reply-To: <2c50265e-40fb-2243-5a19-72627060370f@redhat.com> References: <57AB735A.3000101@redhat.com> <57ADD39F.8050409@redhat.com> <5beb66d0-62d4-1940-79be-4bcf16a140aa@redhat.com> <2c50265e-40fb-2243-5a19-72627060370f@redhat.com> Message-ID: <3f44586e-2edc-7c36-dc82-45d1dd8e291c@redhat.com> ping for review On 08/24/2016 01:58 PM, Oleg Fayans wrote: > And here is what the run looks like: > > $ ipa-run-tests test_integration/test_topology.py > WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] > Permission denied: 'lextab.py' > WARNING: yacc table file version is out of date > WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission > denied: 'yacctab.py' > ==================================================================================== > test session starts > ===================================================================================== > > platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 > rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini > plugins: sourceorder-0.5, multihost-1.0 > collected 3 items > > test_integration/test_topology.py ..x > > =========================================================================== > 2 passed, 1 xfailed in 1558.66 seconds > =========================================================================== > > > > On 08/12/2016 04:05 PM, Martin Basti wrote: >> >> >> On 12.08.2016 15:48, Oleg Fayans wrote: >>> Hi Martin, >>> >>> >>> >>> On 08/11/2016 10:05 AM, Martin Basti wrote: >>>> >>>> >>>> On 10.08.2016 20:32, Oleg Fayans wrote: >>>>> >>>>> >>>>> >>>> Hello, >>>> >>>> before we jump into fixing tests, my question is: Was this a planned >>>> change not reflected by the test, or are the switched values an unwanted side >>>> effect and thus a bug for us? >>> >>> That's a marvelous question!
The test used to pass, which means that >>> at some point the convention of naming the segments must have changed. >>> Is it a bug? I do not think so: the feature still works as expected. >> >> Ludwig, do you know details about this change, why the positions of server >> names are different from what they used to be in the topology name? >> >>> >>>> >>>> Ticket contains almost no info, except a traceback and it says nothing. >>>> Commit message says at least something. >>>> >>>> I'm not sure if this patch fixes that ticket, because the traceback in the test >>>> shows an error message that "removal of segment will disconnect topology", >>>> but this patch only swaps the order of replica names in the segment name. I >>>> would >>>> expect that you should get a different error, something like segment does >>>> not exist. >>> Which I do get in jenkins job N 37: "segment not found" >>> >>> In fact, the error in the issue is unrelated to the fix, you are right. >> >>> To tell the truth, I just put a random error from one of the jenkins >>> topology testruns into the issue. >> This is a very good way to report tickets: >> * nobody knows what happened >> * nobody can search in current tickets, what is wrong without proper >> description >> * developers cannot investigate the issue, because there is not even the name of >> the exact test in the ticket, no steps to reproduce, nothing >> * without proper tickets it is hard to backport patches correctly, if a >> patch fixes a different issue than is reported >> >> I'm closing the ticket as invalid, please follow >> http://www.chiark.greenend.org.uk/~sgtatham/bugs.html and file a new >> proper ticket.
>> >>> This particular error message was caused by a previous replica >>> installation failure, which resulted in only one segment existing >>> instead of three: >>> master <-> replica1 >>> instead of: >>> master <-> replica1, >>> master <-> replica2 >>> replica1 <-> replica2 >>> >>> In fact the patch supplied fixes 2 tests at once: >>> The first test tries to remove the nonexistent segment master <-> >>> replica2 and fails, the second test expects the line topology >>> master <-> replica1 <-> replica2. >>> It removes the connection between replica1 and replica2 and expects the >>> operation to fail, but it does not, because the connection between >>> master and replica2 exists. >>> >>> The output from the testrun with the patch applied: >>> >>> >>> -bash-4.3$ ipa-run-tests test_integration/test_topology.py --pdb >>> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] >>> Permission denied: 'lextab.py' >>> WARNING: yacc table file version is out of date >>> WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission >>> denied: 'yacctab.py' >>> ==================================================================================== >>> >>> test session starts >>> ===================================================================================== >>> >>> >>> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 >>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini >>> plugins: sourceorder-0.5, multihost-1.0 >>> collected 3 items >>> >>> test_integration/test_topology.py ... >>> >>> ================================================================================ >>> >>> 3 passed in 2156.82 seconds >>> ================================================================================= >>> >>> >>> >> >> I don't care about test output until there is a valid description of the >> problem; fixing the test may just cover a real issue.
>> Martin^2 >>>> >>>> Martin^2 >>>> >>>> >>> >> > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From jcholast at redhat.com Wed Sep 7 13:55:42 2016 From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 7 Sep 2016 15:55:42 +0200 Subject: [Freeipa-devel] [PATCH 190] expose `--secret` option in radiusproxy-* commands In-Reply-To: References: <4619e944-47d6-e181-c42d-073f479d4f85@redhat.com> <0fb7c740-d932-3e77-87fd-4a91dbef71f4@redhat.com> Message-ID: <363e1021-d974-462d-8af8-0d786a116f17@redhat.com> On 21.7.2016 10:50, Jan Cholasta wrote: > On 21.7.2016 10:13, Martin Babinsky wrote: >> On 07/20/2016 12:10 PM, Martin Babinsky wrote: >>> On 07/19/2016 12:32 PM, Jan Cholasta wrote: >>>> Hi, >>>> >>>> On 18.7.2016 13:51, Martin Babinsky wrote: >>>>> https://fedorahosted.org/freeipa/ticket/6078 >>>> >>>> I don't think we want the secret searchable. Add a 'no_search' flag to >>>> the param to fix that. >>>> >>>> Honza >>>> >>> >>> 'no_search' flag breaks the API backwards compatibility, so I am sending >>> another two patches which fix handling of deprecated options in the >>> framework and deprecate `--secret` in radiusproxy-find command. >>> >>> I hope this solution is the best. >>> >>> >>> >> After discussion with Jan we realized that it is enough to hide the >> '--secret' option from CLI, not deprecate it. >> >> Re-sending patch 190 and updated 193.1. > > Thanks, ACK. > > Pushed to master: 66da08445370f7024a6a529a6659714c33b7525e > >> Patch 192 will be send in >> separate thread since the actual issue it fixes is orthogonal to this >> one and requires a separate ticket. > > Right. ATM this only affects --srchostcat in hbacrule-find. Bump so that patch 192 is not forgotten. -- Jan Cholasta From jcholast at redhat.com Wed Sep 7 13:57:56 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 7 Sep 2016 15:57:56 +0200 Subject: [Freeipa-devel] [PATCH 0183] ipa-advise: correct handling of plugin namespace iteration In-Reply-To: References: <610683a7-079b-cd36-c28c-e4b0b4415aad@redhat.com> Message-ID: On 19.7.2016 09:15, Martin Babinsky wrote: > On 07/18/2016 08:46 AM, Jan Cholasta wrote: >> Hi, >> >> On 11.7.2016 14:18, Martin Babinsky wrote: >>> https://fedorahosted.org/freeipa/ticket/6044 >> >> Note that you should use .name rather than .__name__ to get plugin >> names, otherwise the code won't work with plugins with non-default names. >> >> There currently aren't any Advice plugins with non-default name, but I >> would rather fix this now to avoid surprises later. >> >> Honza >> > > I didn't realize this when doing the patch, here's the fix for that. > > I have attached the original closed ticket to the commit message, should > I create a new ticket for such a small change? Bump. I'm fine with new ticket or no ticket, but don't use 6044. -- Jan Cholasta From mbabinsk at redhat.com Wed Sep 7 14:13:24 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 7 Sep 2016 16:13:24 +0200 Subject: [Freeipa-devel] [PATCH 190] expose `--secret` option in radiusproxy-* commands In-Reply-To: <363e1021-d974-462d-8af8-0d786a116f17@redhat.com> References: <4619e944-47d6-e181-c42d-073f479d4f85@redhat.com> <0fb7c740-d932-3e77-87fd-4a91dbef71f4@redhat.com> <363e1021-d974-462d-8af8-0d786a116f17@redhat.com> Message-ID: <7f473923-76b7-5c3f-53a1-7663924a1727@redhat.com> On 09/07/2016 03:55 PM, Jan Cholasta wrote: > On 21.7.2016 10:50, Jan Cholasta wrote: >> On 21.7.2016 10:13, Martin Babinsky wrote: >>> On 07/20/2016 12:10 PM, Martin Babinsky wrote: >>>> On 07/19/2016 12:32 PM, Jan Cholasta wrote: >>>>> Hi, >>>>> >>>>> On 18.7.2016 13:51, Martin Babinsky wrote: >>>>>> https://fedorahosted.org/freeipa/ticket/6078 >>>>> >>>>> I don't think we want the secret searchable. Add a 'no_search' flag to >>>>> the param to fix that. >>>>> >>>>> Honza >>>>> >>>> >>>> 'no_search' flag breaks the API backwards compatibility, so I am >>>> sending >>>> another two patches which fix handling of deprecated options in the >>>> framework and deprecate `--secret` in radiusproxy-find command. >>>> >>>> I hope this solution is the best. >>>> >>>> >>>> >>> After discussion with Jan we realized that it is enough to hide the >>> '--secret' option from CLI, not deprecate it. >>> >>> Re-sending patch 190 and updated 193.1. >> >> Thanks, ACK. >> >> Pushed to master: 66da08445370f7024a6a529a6659714c33b7525e >> >>> Patch 192 will be send in >>> separate thread since the actual issue it fixes is orthogonal to this >>> one and requires a separate ticket. >> >> Right. ATM this only affects --srchostcat in hbacrule-find. > > Bump so that patch 192 is not forgotten. > Patch 192 was pushed as a fix to https://fedorahosted.org/freeipa/ticket/6190. -- Martin^3 Babinsky From jcholast at redhat.com Wed Sep 7 14:25:14 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 7 Sep 2016 16:25:14 +0200 Subject: [Freeipa-devel] [PATCH 190] expose `--secret` option in radiusproxy-* commands In-Reply-To: <7f473923-76b7-5c3f-53a1-7663924a1727@redhat.com> References: <4619e944-47d6-e181-c42d-073f479d4f85@redhat.com> <0fb7c740-d932-3e77-87fd-4a91dbef71f4@redhat.com> <363e1021-d974-462d-8af8-0d786a116f17@redhat.com> <7f473923-76b7-5c3f-53a1-7663924a1727@redhat.com> Message-ID: On 7.9.2016 16:13, Martin Babinsky wrote: > On 09/07/2016 03:55 PM, Jan Cholasta wrote: >> On 21.7.2016 10:50, Jan Cholasta wrote: >>> On 21.7.2016 10:13, Martin Babinsky wrote: >>>> On 07/20/2016 12:10 PM, Martin Babinsky wrote: >>>>> On 07/19/2016 12:32 PM, Jan Cholasta wrote: >>>>>> Hi, >>>>>> >>>>>> On 18.7.2016 13:51, Martin Babinsky wrote: >>>>>>> https://fedorahosted.org/freeipa/ticket/6078 >>>>>> >>>>>> I don't think we want the secret searchable. Add a 'no_search' >>>>>> flag to >>>>>> the param to fix that. >>>>>> >>>>>> Honza >>>>>> >>>>> >>>>> 'no_search' flag breaks the API backwards compatibility, so I am >>>>> sending >>>>> another two patches which fix handling of deprecated options in the >>>>> framework and deprecate `--secret` in radiusproxy-find command. >>>>> >>>>> I hope this solution is the best. >>>>> >>>>> >>>>> >>>> After discussion with Jan we realized that it is enough to hide the >>>> '--secret' option from CLI, not deprecate it. >>>> >>>> Re-sending patch 190 and updated 193.1. >>> >>> Thanks, ACK. >>> >>> Pushed to master: 66da08445370f7024a6a529a6659714c33b7525e >>> >>>> Patch 192 will be send in >>>> separate thread since the actual issue it fixes is orthogonal to this >>>> one and requires a separate ticket. >>> >>> Right. ATM this only affects --srchostcat in hbacrule-find. >> >> Bump so that patch 192 is not forgotten. >> > > Patch 192 was pushed as a fix to > https://fedorahosted.org/freeipa/ticket/6190. Okay. 
-- Jan Cholasta From freeipa-github-notification at redhat.com Wed Sep 7 14:21:37 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 07 Sep 2016 16:21:37 +0200 Subject: [Freeipa-devel] [freeipa PR#58] Ip addr validation (+ack) In-Reply-To: References: Message-ID: mbasti-rh's pull request #58: "Ip addr validation" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/58 From freeipa-github-notification at redhat.com Wed Sep 7 14:22:54 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 07 Sep 2016 16:22:54 +0200 Subject: [Freeipa-devel] [freeipa PR#58] Ip addr validation (comment) In-Reply-To: References: Message-ID: dkupka commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/81d64d530cca148198312d3d993502575b288f63 https://fedorahosted.org/freeipa/changeset/71ad8d4fc982b5349248d50338e1d16ce45c523e https://fedorahosted.org/freeipa/changeset/f3d379071a9af50e38fcc07491bc68b8d3d172a4 https://fedorahosted.org/freeipa/changeset/b232ad463cf43596cdf397e51469df13a89e83fa ipa-4-4: https://fedorahosted.org/freeipa/changeset/00e747226fc011ab7181f5ed54cd4c2bc5470406 https://fedorahosted.org/freeipa/changeset/a6ab515add69058f9a45309a110d3a4553250529 https://fedorahosted.org/freeipa/changeset/435318ef347163e740a70ffe1f8a1246a908e3fe https://fedorahosted.org/freeipa/changeset/3ffd1dceebdaf7617cabfbb57b3d0ca1f9e87065 """ See the full comment at https://github.com/freeipa/freeipa/pull/58#issuecomment-245296345 From freeipa-github-notification at redhat.com Wed Sep 7 14:22:56 2016 
From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 07 Sep 2016 16:22:56 +0200 Subject: [Freeipa-devel] [freeipa PR#58] Ip addr validation (+pushed) In-Reply-To: References: Message-ID: mbasti-rh's pull request #58: "Ip addr validation" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/58 From freeipa-github-notification at redhat.com Wed Sep 7 14:22:57 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 07 Sep 2016 16:22:57 +0200 Subject: [Freeipa-devel] [freeipa PR#58] Ip addr validation (closed) In-Reply-To: References: Message-ID: mbasti-rh's pull request #58: "Ip addr validation" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/58 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/58/head:pr58 git checkout pr58 From freeipa-github-notification at redhat.com Wed Sep 7 15:00:58 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 07 Sep 2016 17:00:58 +0200 Subject: [Freeipa-devel] [freeipa PR#67] advise: Use `name` instead of `__name__` to get plugin names (opened) Message-ID: martbab's pull request #67: "advise: Use `name` instead of `__name__` to get plugin names" was opened PR body: """ This change will allow ipa-advise to correctly handle advise plugins with custom names. """ See the full pull-request at https://github.com/freeipa/freeipa/pull/67 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/67/head:pr67 git checkout pr67 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-67.patch Type: text/x-diff Size: 1191 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Sep 7 21:42:52 2016 
From: freeipa-github-notification at redhat.com (LiptonB) Date: Wed, 07 Sep 2016 23:42:52 +0200 Subject: [Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (synchronize) In-Reply-To: References: Message-ID: LiptonB's pull request #10: "Client-side CSR autogeneration" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/10 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/10/head:pr10 git checkout pr10 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-10.patch Type: text/x-diff Size: 60263 bytes Desc: not available URL: From mharmsen at redhat.com Thu Sep 8 00:33:06 2016 
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 7 Sep 2016 18:33:06 -0600
Subject: [Freeipa-devel] Karma Requests for pki-core-10.3.5-5
Message-ID: <09cf941b-4dfa-f376-b775-ba5954f403dd@redhat.com>

The following updated candidate builds of pki-core 10.3.5 on Fedora 24, 25, and 26 (rawhide) consist of the following:

* Fedora 24
  o pki-core-10.3.5-5.fc24
* Fedora 25
  o pki-core-10.3.5-5.fc25
* Fedora 26
  o pki-core-10.3.5-5.fc26

Additionally, the CentOS 7 COPR EPEL Builds of Dogtag 10.3.3 were also updated:

* https://copr.fedorainfracloud.org/coprs/g/pki/10.3.3/repo/epel-7/group_pki-10.3.3-epel-7.repo

[group_pki-10.3.3]
name=Copr repo for 10.3.3 owned by @pki
baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/epel-7-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/pubkey.gpg
enabled=1
enabled_metadata=1

These builds address the following PKI tickets:

* PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA deletion
* PKI TRAC Ticket #2346 - Dogtag 10.3.6: Miscellaneous Enhancements
* PKI TRAC Ticket #2443 - Prevent deletion of host CA's keys if LWCA entry deleted
* PKI TRAC Ticket #2444 - Authority entry without entryUSN is skipped even if USN plugin enabled
* PKI TRAC Ticket #2446 - pkispawn: make subject_dn defaults unique per instance name (for shared HSM)
* PKI TRAC Ticket #2447 - CertRequestInfo has incorrect URLs
* PKI TRAC Ticket #2449 - Unable to create system certificates in different tokens

Please provide Karma for the following builds:

* Fedora 24
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-994f943797 pki-core-10.3.5-5.fc24
* Fedora 25
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-d363d36e22 pki-core-10.3.5-5.fc25

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ftweedal at redhat.com Thu Sep 8 02:00:25 2016
From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 8 Sep 2016 09:00:25 +0700 Subject: [Freeipa-devel] [PATCH] 0108 cert-request: raise error when request fails Message-ID: <20160908020025.GW11489@dhcp-40-8.bne.redhat.com> The attached patch fixes regression in cert-request: https://fedorahosted.org/freeipa/ticket/6309 Thanks, Fraser -------------- next part -------------- From b27eef53ee36b7cae70206c37dea6aaa3bcfc940 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 8 Sep 2016 11:56:16 +1000 Subject: [PATCH] cert-request: raise error when request fails Fix a regression in recent change to request cert via Dogtag REST API. 'ra.request_certificate' was no longer raising CertificateOperationError when the cert request failed. Inspect the request result to determine if the request completed, and raise if it did not. Fixes: https://fedorahosted.org/freeipa/ticket/6309 --- ipaserver/plugins/dogtag.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 77d24731bbc102ace3123a6fe41a631ea7c24f3b..644b41e90f2d377ae9b70cf4719ab8789fdfc649 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1678,6 +1678,10 @@ class ra(rabase.rabase, RestClient): return cmd_result certinfo = entries[0] + if certinfo['requestStatus'] != 'complete': + raise errors.CertificateOperationError( + error=certinfo.get('errorMessage')) + if 'certId' in certinfo: cmd_result = self.get_certificate(certinfo['certId']) cert = ''.join(cmd_result['certificate'].splitlines()) -- 2.5.5 From freeipa-github-notification at redhat.com Thu Sep 8 06:10:15 2016 
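Review bot: the new status check indexes `certinfo['requestStatus']` directly while the very next line reads `certinfo.get('errorMessage')`; if a Dogtag REST response ever lacks `requestStatus`, the result is a KeyError rather than the CertificateOperationError the commit message promises. Reading it as `status = certinfo.get('requestStatus')` keeps a missing status on the error path too. Also, `errorMessage` is optional in the response, so the raised error can carry `error=None`; falling back to the status itself, e.g. `error=certinfo.get('errorMessage') or 'request status: %s' % status`, gives the caller something actionable, which matters because every status other than 'complete' (a request left pending for agent approval included) now takes this path.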
From: freeipa-github-notification at redhat.com (mirielka) Date: Thu, 08 Sep 2016 08:10:15 +0200 Subject: [Freeipa-devel] [freeipa PR#60] Tests: extend DNS cmdline tests with lowercased record type (+ack) In-Reply-To: References: Message-ID: mbasti-rh's pull request #60: "Tests: extend DNS cmdline tests with lowercased record type" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/60 From freeipa-github-notification at redhat.com Thu Sep 8 06:52:05 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 08 Sep 2016 08:52:05 +0200 Subject: [Freeipa-devel] [freeipa PR#19] WebUI: Add 'Restore' option to action dropdown menu (comment) In-Reply-To: References: Message-ID: stlaz commented on a pull request """ Works as expected, the code looks fine as well. """ See the full comment at https://github.com/freeipa/freeipa/pull/19#issuecomment-245509559 From freeipa-github-notification at redhat.com Thu Sep 8 06:52:09 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 08 Sep 2016 08:52:09 +0200 Subject: [Freeipa-devel] [freeipa PR#19] WebUI: Add 'Restore' option to action dropdown menu (+ack) In-Reply-To: References: Message-ID: pvomacka's pull request #19: "WebUI: Add 'Restore' option to action dropdown menu" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/19 From freeipa-github-notification at redhat.com Thu Sep 8 07:44:39 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 08 Sep 2016 09:44:39 +0200 Subject: [Freeipa-devel] [freeipa PR#19] WebUI: Add 'Restore' option to action dropdown menu (+pushed) In-Reply-To: References: Message-ID: pvomacka's pull request #19: "WebUI: Add 'Restore' option to action dropdown menu" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/19 From freeipa-github-notification at redhat.com Thu Sep 8 07:44:41 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 08 Sep 2016 09:44:41 +0200 Subject: [Freeipa-devel] [freeipa PR#19] WebUI: Add 'Restore' option to action dropdown menu (comment) In-Reply-To: References: Message-ID: martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/c3374c6e16a10e8780401c58c04dcf8d95ea1a4d ipa-4-4: https://fedorahosted.org/freeipa/changeset/8ac026a22506188815f66a65f9592fee724a6720 """ See the full comment at https://github.com/freeipa/freeipa/pull/19#issuecomment-245519260 From freeipa-github-notification at redhat.com Thu Sep 8 07:44:42 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 08 Sep 2016 09:44:42 +0200 Subject: [Freeipa-devel] [freeipa PR#19] WebUI: Add 'Restore' option to action dropdown menu (closed) In-Reply-To: References: Message-ID: pvomacka's pull request #19: "WebUI: Add 'Restore' option to action dropdown menu" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/19 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/19/head:pr19 git checkout pr19 From freeipa-github-notification at redhat.com Thu Sep 8 08:11:46 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 08 Sep 2016 10:11:46 +0200 Subject: [Freeipa-devel] [freeipa PR#67] advise: Use `name` instead of `__name__` to get plugin names (comment) In-Reply-To: References: Message-ID: stlaz commented on a pull request """ Seems to be doing more or less the same but in cleaner manner => LGTM. Do we need a ticket for this? """ See the full comment at https://github.com/freeipa/freeipa/pull/67#issuecomment-245525153 From freeipa-github-notification at redhat.com Thu Sep 8 08:18:53 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 08 Sep 2016 10:18:53 +0200 Subject: [Freeipa-devel] [freeipa PR#67] advise: Use `name` instead of `__name__` to get plugin names (comment) In-Reply-To: References: Message-ID: martbab commented on a pull request """ This change is intended only for master branch and I think a ticket would be a bit overkill. """ See the full comment at https://github.com/freeipa/freeipa/pull/67#issuecomment-245526674 From freeipa-github-notification at redhat.com Thu Sep 8 08:30:38 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 08 Sep 2016 10:30:38 +0200 Subject: [Freeipa-devel] [freeipa PR#67] advise: Use `name` instead of `__name__` to get plugin names (comment) In-Reply-To: References: Message-ID: stlaz commented on a pull request """ Sure. """ See the full comment at https://github.com/freeipa/freeipa/pull/67#issuecomment-245529296 From freeipa-github-notification at redhat.com Thu Sep 8 08:30:40 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 08 Sep 2016 10:30:40 +0200 Subject: [Freeipa-devel] [freeipa PR#67] advise: Use `name` instead of `__name__` to get plugin names (+ack) In-Reply-To: References: Message-ID: martbab's pull request #67: "advise: Use `name` instead of `__name__` to get plugin names" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/67 From mbabinsk at redhat.com Thu Sep 8 11:15:03 2016 
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 8 Sep 2016 13:15:03 +0200
Subject: [Freeipa-devel] [PATCH] 0108 cert-request: raise error when request fails
In-Reply-To: <20160908020025.GW11489@dhcp-40-8.bne.redhat.com>
References: <20160908020025.GW11489@dhcp-40-8.bne.redhat.com>
Message-ID:

On 09/08/2016 04:00 AM, Fraser Tweedale wrote:
> The attached patch fixes regression in cert-request:
> https://fedorahosted.org/freeipa/ticket/6309
>
> Thanks,
> Fraser
>

ACK. Does this patch also fix the (reopened)
https://fedorahosted.org/freeipa/ticket/3473 ?

-- Martin^3 Babinsky

From freeipa-github-notification at redhat.com Thu Sep 8 15:27:35 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 08 Sep 2016 17:27:35 +0200
Subject: [Freeipa-devel] [freeipa PR#68] netgroup: avoid extraneous LDAP search when retrieving primary key from DN (opened)
Message-ID:

martbab's pull request #68: "netgroup: avoid extraneous LDAP search when retrieving primary key from DN" was opened

PR body:
"""
Fixes https://fedorahosted.org/freeipa/ticket/5855

Please note that the parent method does not correctly handle cases when the attribute considered as primary key is contained in multiple RDNs:

>>> LDAPObject.get_primary_key_from_dn(
...     DN('ipauniqueid=yadda-yadda,cn=ng,cn=alt,dc=ipa,dc=test'))
u'ng'

That's why I had to completely override parent method.
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/68
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/68/head:pr68
git checkout pr68
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-68.patch Type: text/x-diff Size: 1461 bytes Desc: not available URL:

From freeipa-github-notification at redhat.com Thu Sep 8 15:28:51 2016
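The DN ambiguity described in the PR #68 body above, as an added example that is not FreeIPA's code: a small RFC 4514 DN splitter plus two lookups, the naive scan over every RDN (which returns the `cn=ng` container value for the quoted netgroup DN, the behaviour the PR body reports for the parent method) and a lookup restricted to the leading RDN, which is the only RDN that names the entry itself. The function names and the second (group) DN are constructed for the example.

```python
"""Why deriving an entry's primary key from its DN is ambiguous when
container RDNs reuse the key attribute type.

Added example, not FreeIPA's code.  The netgroup DN is the one quoted in
the PR body; helper names and the group DN are constructed.
"""


def split_dn(dn):
    """Split an RFC 4514 string DN into RDNs, leading RDN first.

    Each RDN is a list of (attribute_type, value) pairs so multi-valued
    RDNs ('cn=a+uid=b') are represented.  A backslash escapes the next
    character ('\\,' inside a value); hex-pair escapes and the legacy
    quoted-value form are not handled.
    """
    rdns, current_rdn = [], []
    buf, attr = [], None
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            buf.append(dn[i + 1])      # escaped separator or special char
            i += 2
            continue
        if ch == '=' and attr is None:
            attr = ''.join(buf).strip().lower()   # attribute types are case-insensitive
            buf = []
        elif ch in ',+':
            if attr is None:
                raise ValueError('RDN without attribute type in %r' % dn)
            current_rdn.append((attr, ''.join(buf).strip()))
            buf, attr = [], None
            if ch == ',':             # ',' ends the RDN, '+' only the value
                rdns.append(current_rdn)
                current_rdn = []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError('trailing RDN without attribute type in %r' % dn)
    current_rdn.append((attr, ''.join(buf).strip()))
    rdns.append(current_rdn)
    return rdns


def primary_key_anywhere_in_dn(dn, key_attr):
    """Naive lookup: value of the first RDN, scanning from the leading
    end, that carries key_attr wherever it sits in the DN.

    For the netgroup DN this picks the 'cn=ng' container RDN, i.e. the
    wrong object, exactly as the PR body shows for the parent method.
    """
    for rdn in split_dn(dn):
        for attr, value in rdn:
            if attr == key_attr.lower():
                return value
    return None


def primary_key_from_leading_rdn(dn, key_attr):
    """Only the leading RDN names the entry; every other RDN names a
    container.  Return the key only when the leading RDN carries
    key_attr, else None so the caller knows the key is not derivable
    from the DN and must be read from the entry's attributes instead.
    """
    for attr, value in split_dn(dn)[0]:
        if attr == key_attr.lower():
            return value
    return None


if __name__ == '__main__':
    netgroup_dn = 'ipauniqueid=yadda-yadda,cn=ng,cn=alt,dc=ipa,dc=test'  # from the PR body
    group_dn = 'cn=admins,cn=groups,cn=accounts,dc=ipa,dc=test'          # constructed
    print(primary_key_anywhere_in_dn(netgroup_dn, 'cn'))     # ng   (container, wrong)
    print(primary_key_from_leading_rdn(netgroup_dn, 'cn'))   # None (key not in DN)
    print(primary_key_from_leading_rdn(group_dn, 'cn'))      # admins
```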
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 08 Sep 2016 17:28:51 +0200 Subject: [Freeipa-devel] [freeipa PR#67] advise: Use `name` instead of `__name__` to get plugin names (comment) In-Reply-To: References: Message-ID: martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/5b9516753cae324126fac7e17b6918c08e210d59 """ See the full comment at https://github.com/freeipa/freeipa/pull/67#issuecomment-245636195 From freeipa-github-notification at redhat.com Thu Sep 8 15:28:53 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 08 Sep 2016 17:28:53 +0200 Subject: [Freeipa-devel] [freeipa PR#67] advise: Use `name` instead of `__name__` to get plugin names (+pushed) In-Reply-To: References: Message-ID: martbab's pull request #67: "advise: Use `name` instead of `__name__` to get plugin names" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/67 From freeipa-github-notification at redhat.com Thu Sep 8 15:28:54 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 08 Sep 2016 17:28:54 +0200 Subject: [Freeipa-devel] [freeipa PR#67] advise: Use `name` instead of `__name__` to get plugin names (closed) In-Reply-To: References: Message-ID: martbab's pull request #67: "advise: Use `name` instead of `__name__` to get plugin names" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/67 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/67/head:pr67 git checkout pr67 From freeipa-github-notification at redhat.com Thu Sep 8 15:30:46 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 08 Sep 2016 17:30:46 +0200 Subject: [Freeipa-devel] [freeipa PR#60] Tests: extend DNS cmdline tests with lowercased record type (+pushed) In-Reply-To: References: Message-ID: mbasti-rh's pull request #60: "Tests: extend DNS cmdline tests with lowercased record type" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/60 From freeipa-github-notification at redhat.com Thu Sep 8 15:30:47 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 08 Sep 2016 17:30:47 +0200 Subject: [Freeipa-devel] [freeipa PR#60] Tests: extend DNS cmdline tests with lowercased record type (comment) In-Reply-To: References: Message-ID: martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/866e59bdcee74ea9aea4e65f193339ae9cab5ce3 ipa-4-4: https://fedorahosted.org/freeipa/changeset/e302886204fbac3f155bf272debeaf3330c99952 """ See the full comment at https://github.com/freeipa/freeipa/pull/60#issuecomment-245636839 From freeipa-github-notification at redhat.com Thu Sep 8 15:30:49 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 08 Sep 2016 17:30:49 +0200 Subject: [Freeipa-devel] [freeipa PR#60] Tests: extend DNS cmdline tests with lowercased record type (closed) In-Reply-To: References: Message-ID: mbasti-rh's pull request #60: "Tests: extend DNS cmdline tests with lowercased record type" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/60 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/60/head:pr60 git checkout pr60 From freeipa-github-notification at redhat.com Thu Sep 8 15:50:18 2016 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 08 Sep 2016 17:50:18 +0200 Subject: [Freeipa-devel] [freeipa PR#69] Fix ipa-replica-install with RHEL 6.8 master (opened) Message-ID: flo-renaud's pull request #69: "Fix ipa-replica-install with RHEL 6.8 master" was opened PR body: """ ipa-replica-prepare creates a gpg file containing realm_info/cacert.p12 with the certificates. When run on a RHEL 6.8 instance, cacert.p12 contains twice the same cert (for caSigningCert cert-pki-ca), once with the nickname and once without. ipa-replica-install passes this file to pkispawn and makes pkispawn fail. The fix exports the pkcs12 file into a temp nsddb then re-creates a pkcs12 file from the nssdb (this process removes the duplicate cert). https://fedorahosted.org/freeipa/ticket/6310 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/69 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/69/head:pr69 git checkout pr69 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-69.patch Type: text/x-diff Size: 2410 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Sep 8 15:54:47 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 08 Sep 2016 17:54:47 +0200 Subject: [Freeipa-devel] [freeipa PR#68] netgroup: avoid extraneous LDAP search when retrieving primary key from DN (edited) In-Reply-To: References: Message-ID: martbab's pull request #68: "netgroup: avoid extraneous LDAP search when retrieving primary key from DN" was edited See the full pull-request at https://github.com/freeipa/freeipa/pull/68 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/68/head:pr68 git checkout pr68 From freeipa-github-notification at redhat.com Thu Sep 8 18:17:45 2016 
From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 08 Sep 2016 20:17:45 +0200 Subject: [Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (synchronize) In-Reply-To: References: Message-ID: simo5's pull request #62: "Configure Anonymous PKINIT on server install" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/62 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-62.patch Type: text/x-diff Size: 32399 bytes Desc: not available URL: From ftweedal at redhat.com Thu Sep 8 23:53:42 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 9 Sep 2016 09:53:42 +1000 Subject: [Freeipa-devel] [PATCH] 0108 cert-request: raise error when request fails In-Reply-To: References: <20160908020025.GW11489@dhcp-40-8.bne.redhat.com> Message-ID: <20160908235342.GY11489@dhcp-40-8.bne.redhat.com> On Thu, Sep 08, 2016 at 01:15:03PM +0200, Martin Babinsky wrote: > On 09/08/2016 04:00 AM, Fraser Tweedale wrote: > > The attached patch fixes regression in cert-request: > > https://fedorahosted.org/freeipa/ticket/6309 > > > > Thanks, > > Fraser > > > > ACK. Does this patch also fix the (reopened) > https://fedorahosted.org/freeipa/ticket/3473 ? > It does not. There's much more work to do on #3473. It has only been a little bit done because I needed to switch ra.request_certificate to REST API so we can properly detect failure due to CA-disabled condition. Thanks, Fraser From freeipa-github-notification at redhat.com Fri Sep 9 08:24:49 2016 
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 09 Sep 2016 10:24:49 +0200
Subject: [Freeipa-devel] [freeipa PR#68] netgroup: avoid extraneous LDAP search when retrieving primary key from DN (edited)
In-Reply-To:
References:
Message-ID:

martbab's pull request #68: "netgroup: avoid extraneous LDAP search when retrieving primary key from DN" was edited

See the full pull-request at https://github.com/freeipa/freeipa/pull/68

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/68/head:pr68
git checkout pr68

From freeipa-github-notification at redhat.com Fri Sep 9 09:29:08 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Fri, 09 Sep 2016 11:29:08 +0200
Subject: [Freeipa-devel] [freeipa PR#70] [Tests: Fix failing ldap.backend test (opened)
Message-ID:

mirielka's pull request #70: "[Tests: Fix failing ldap.backend test" was opened

PR body:
"""
Test ipatests/test_ipaserver/test_ldap::test_Backend fails claiming service cannot be found. Fixing this by not using api with in_tree parameter.

https://fedorahosted.org/freeipa/ticket/6312
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/70

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/70/head:pr70
git checkout pr70
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-70.patch
Type: text/x-diff
Size: 1097 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Sep 9 09:29:47 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Fri, 09 Sep 2016 11:29:47 +0200
Subject: [Freeipa-devel] [freeipa PR#70] [master, ipa-4-4] Tests: Fix failing ldap.backend test (edited)
In-Reply-To:
References:
Message-ID:

mirielka's pull request #70: "[master, ipa-4-4] Tests: Fix failing ldap.backend test" was edited

See the full pull-request at https://github.com/freeipa/freeipa/pull/70

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/70/head:pr70
git checkout pr70

From ldoudova at redhat.com Fri Sep 9 09:30:52 2016
From: ldoudova at redhat.com (Lenka Doudova)
Date: Fri, 9 Sep 2016 11:30:52 +0200
Subject: [Freeipa-devel] [PATCH] 0108 cert-request: raise error when request fails
In-Reply-To: <20160908235342.GY11489@dhcp-40-8.bne.redhat.com>
References: <20160908020025.GW11489@dhcp-40-8.bne.redhat.com> <20160908235342.GY11489@dhcp-40-8.bne.redhat.com>
Message-ID:

On 09/09/2016 01:53 AM, Fraser Tweedale wrote:
> On Thu, Sep 08, 2016 at 01:15:03PM +0200, Martin Babinsky wrote:
>> On 09/08/2016 04:00 AM, Fraser Tweedale wrote:
>>> The attached patch fixes a regression in cert-request:
>>> https://fedorahosted.org/freeipa/ticket/6309
>>>
>>> Thanks,
>>> Fraser
>>>
>> ACK. Does this patch also fix the (reopened)
>> https://fedorahosted.org/freeipa/ticket/3473 ?
>>
> It does not. There's much more work to do on #3473. It has only
> been a little bit done because I needed to switch
> ra.request_certificate to REST API so we can properly detect failure
> due to CA-disabled condition.
>
> Thanks,
> Fraser
>
Hi,

just a note - this needs to be pushed to both master and ipa-4-4 branches.

Thanks,
Lenka

From freeipa-github-notification at redhat.com Fri Sep 9 10:31:44 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 09 Sep 2016 12:31:44 +0200
Subject: [Freeipa-devel] [freeipa PR#68] netgroup: avoid extraneous LDAP search when retrieving primary key from DN (comment)
In-Reply-To:
References:
Message-ID:

stlaz commented on a pull request
"""
LGTM, just please add ```assert isinstance(dn, DN)``` as in the parent method.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/68#issuecomment-245878203

From freeipa-github-notification at redhat.com Fri Sep 9 10:37:47 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 09 Sep 2016 12:37:47 +0200
Subject: [Freeipa-devel] [freeipa PR#68] netgroup: avoid extraneous LDAP search when retrieving primary key from DN (comment)
In-Reply-To:
References:
Message-ID:

stlaz commented on a pull request
"""
Please add ```assert isinstance(dn, DN)``` as in the parent method. Also, I think maybe it's safer to check for rdns emptiness before you try to assign from it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/68#issuecomment-245878203

From slaznick at redhat.com Fri Sep 9 11:14:32 2016
From: slaznick at redhat.com (Standa Laznicka)
Date: Fri, 9 Sep 2016 13:14:32 +0200
Subject: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies
In-Reply-To: <20160903162508.GA13540@redhat.com>
References: <1472225854.20746.104.camel@redhat.com> <1a254cbc-120f-1645-6a4e-20ef5563719f@redhat.com> <1472564054.5257.50.camel@redhat.com> <5b5e276d-8d3d-53cb-a4a4-fa285f0662d9@redhat.com> <457f0c25-b5ee-b827-1856-25345664670c@redhat.com> <881ae083-a320-430c-a25a-3f435628ccda@redhat.com> <1472735202.10392.7.camel@redhat.com> <1472743125.10392.25.camel@redhat.com> <20160903162508.GA13540@redhat.com>
Message-ID:

On 09/03/2016 06:25 PM, Jan Pazdziora wrote:
> On Thu, Sep 01, 2016 at 11:18:45AM -0400, Simo Sorce wrote:
>> The thing is we (and admins) will be stuck with old clients for a loong
>> time, so we need to make it clear to them what works for what. We need
>> to allow admins to create rules that work for both new and old clients
>> w/o interfering with each other.
>> In your scheme there must be a way to create a set of rules such that old
>> clients can login at any time while newer clients use time rules.
>> That was easy to accomplish by adding an auxiliary class and simply
>> defining a new type.
>> Old clients would see old stuff only, new clients would add time rules
>> if present.
>> If we have 2 completely different objects because the admin has to
>> create both, then old clients still care only for the old rule, new
>> clients instead have an interesting challenge: what rule do they apply?
> You use host groups to serve the old rule to old clients and time-based
> rule to new clients. Each client will apply the rule they see.
>
> If you happen to serve the old rule to the new client, access will
> be allowed no matter what the other, time-based rule says.
>
> You do not use magic to interpret one rule differently, one way on
> one version of client and other way on different client version.
>
>> How do you make sure a new client will enforce time restriction when it
>> looks up the old rule as well?
> You make sure the new client does not see the old rule.
>
>> Of course admins can always create very narrow host groups and apply
>> rules only to them, but this is burdensome if you have a *lot* of
>> clients and some other people are tasked to slowly upgrade them. It is
>> possible though, so having 2 separate objects that new clients know
>> about is potentially ok. I would prefer a scheme where they could be
>> combined though for maximum flexibility with as little as possible
>> ambiguity.
> I agree that managing separate host group membership might be
> extra work. But it seems to be the only way to remove the ambiguity.
>
I also believe there's no way of avoiding that (if we want to be somehow backward compatible).

I would just love us to come to a consensus as I am growing weary of this discussion and am willing to go with just anything as long as it's somehow OK with most people. Could we therefore decide to go with something, please?

From freeipa-github-notification at redhat.com Fri Sep 9 11:32:40 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 09 Sep 2016 13:32:40 +0200
Subject: [Freeipa-devel] [freeipa PR#66] [master, ipa-4-4] Tests: Add cleanup to integration trust tests (+ack)
In-Reply-To:
References:
Message-ID:

mirielka's pull request #66: "[master, ipa-4-4] Tests: Add cleanup to integration trust tests" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/66

From freeipa-github-notification at redhat.com Fri Sep 9 11:33:00 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 09 Sep 2016 13:33:00 +0200
Subject: [Freeipa-devel] [freeipa PR#43] Tests: Fix regex errors in integration trust tests (+ack)
In-Reply-To:
References:
Message-ID:

mirielka's pull request #43: "Tests: Fix regex errors in integration trust tests" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/43

From freeipa-github-notification at redhat.com Fri Sep 9 11:33:22 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 09 Sep 2016 13:33:22 +0200
Subject: [Freeipa-devel] [freeipa PR#70] [master, ipa-4-4] Tests: Fix failing ldap.backend test (+ack)
In-Reply-To:
References:
Message-ID:

mirielka's pull request #70: "[master, ipa-4-4] Tests: Fix failing ldap.backend test" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/70

From freeipa-github-notification at redhat.com Fri Sep 9 11:42:09 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 09 Sep 2016 13:42:09 +0200
Subject: [Freeipa-devel] [freeipa PR#68] netgroup: avoid extraneous LDAP search when retrieving primary key from DN (synchronize)
In-Reply-To:
References:
Message-ID:

martbab's pull request #68: "netgroup: avoid extraneous LDAP search when retrieving primary key from DN" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/68

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/68/head:pr68
git checkout pr68
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-68.patch
Type: text/x-diff
Size: 1552 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Sep 9 11:57:44 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 09 Sep 2016 13:57:44 +0200
Subject: [Freeipa-devel] [freeipa PR#68] netgroup: avoid extraneous LDAP search when retrieving primary key from DN (+ack)
In-Reply-To:
References:
Message-ID:

martbab's pull request #68: "netgroup: avoid extraneous LDAP search when retrieving primary key from DN" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/68

From simo at redhat.com Fri Sep 9 12:58:14 2016
From: simo at redhat.com (Simo Sorce)
Date: Fri, 09 Sep 2016 08:58:14 -0400
Subject: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies
In-Reply-To:
References: <1472225854.20746.104.camel@redhat.com> <1a254cbc-120f-1645-6a4e-20ef5563719f@redhat.com> <1472564054.5257.50.camel@redhat.com> <5b5e276d-8d3d-53cb-a4a4-fa285f0662d9@redhat.com> <457f0c25-b5ee-b827-1856-25345664670c@redhat.com> <881ae083-a320-430c-a25a-3f435628ccda@redhat.com> <1472735202.10392.7.camel@redhat.com> <1472743125.10392.25.camel@redhat.com> <20160903162508.GA13540@redhat.com>
Message-ID: <1473425894.31476.9.camel@redhat.com>

On Fri, 2016-09-09 at 13:14 +0200, Standa Laznicka wrote:
> On 09/03/2016 06:25 PM, Jan Pazdziora wrote:
> > On Thu, Sep 01, 2016 at 11:18:45AM -0400, Simo Sorce wrote:
> >> The thing is we (and admins) will be stuck with old clients for a loong
> >> time, so we need to make it clear to them what works for what. We need
> >> to allow admins to create rules that work for both new and old clients
> >> w/o interfering with each other.
> >> In your scheme there must be a way to create a set of rules such that old
> >> clients can login at any time while newer clients use time rules.
> >> That was easy to accomplish by adding an auxiliary class and simply
> >> defining a new type.
> >> Old clients would see old stuff only, new clients would add time rules
> >> if present.
> >> If we have 2 completely different objects because the admin has to
> >> create both, then old clients still care only for the old rule, new
> >> clients instead have an interesting challenge: what rule do they apply?
> > You use host groups to serve the old rule to old clients and time-based
> > rule to new clients. Each client will apply the rule they see.
> >
> > If you happen to serve the old rule to the new client, access will
> > be allowed no matter what the other, time-based rule says.
> >
> > You do not use magic to interpret one rule differently, one way on
> > one version of client and other way on different client version.
> >
> >> How do you make sure a new client will enforce time restriction when it
> >> looks up the old rule as well?
> > You make sure the new client does not see the old rule.
> >
> >> Of course admins can always create very narrow host groups and apply
> >> rules only to them, but this is burdensome if you have a *lot* of
> >> clients and some other people are tasked to slowly upgrade them. It is
> >> possible though, so having 2 separate objects that new clients know
> >> about is potentially ok. I would prefer a scheme where they could be
> >> combined though for maximum flexibility with as little as possible
> >> ambiguity.
> > I agree that managing separate host group membership might be
> > extra work. But it seems to be the only way to remove the ambiguity.
> >
> I also believe there's no way of avoiding that (if we want to be somehow
> backward compatible).
>
> I would just love us to come to a consensus as I am growing weary of
> this discussion and am willing to go with just anything as long as it's
> somehow OK with most people. Could we therefore decide to go with
> something, please?

As long as the tooling does not try to replace object classes I am ok with the solution most people agree on.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From freeipa-github-notification at redhat.com Fri Sep 9 13:04:01 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Fri, 09 Sep 2016 15:04:01 +0200
Subject: [Freeipa-devel] [freeipa PR#62] Configure Anonymous PKINIT on server install (comment)
In-Reply-To:
References:
Message-ID:

abbra commented on a pull request
"""
Thanks. Looks good. I'll work on upgrade next week and will do actual testing.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-245906612

From ofayans at redhat.com Fri Sep 9 13:22:06 2016
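A constructed model of the argument Jan and Simo make in the Time-Based HBAC thread above (host-group scoping, not per-client rule interpretation, decides which rule a client sees), as an added example that is not FreeIPA or SSSD code. It assumes, as the thread does, that HBAC rules are allow rules, that access is granted when any rule a client sees matches, and that an old client simply ignores a time attribute it does not understand; the host names, host groups, rule names and time window are constructed.

```python
"""Added example (not FreeIPA/SSSD code): a toy HBAC evaluator modelling
the thread's point that a new client which is also served the legacy
'always allow' rule will be let in regardless of the time-based rule,
and that splitting the fleet into host groups removes the ambiguity."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    hostgroups: FrozenSet[str]                 # hosts the rule is served to
    window: Optional[Tuple[time, time]] = None  # (start, end) of day; None = always


@dataclass(frozen=True)
class Host:
    name: str
    hostgroups: FrozenSet[str]
    understands_time: bool                      # new client True, old client False


def rule_allows(rule: Rule, host: Host, when: datetime) -> bool:
    """One rule's verdict for one host at one moment (allow-only semantics)."""
    if not rule.hostgroups & host.hostgroups:
        return False                             # rule is not served to this host
    if rule.window is None:
        return True
    if not host.understands_time:
        return True                              # assumption: old client ignores the window
    start, end = rule.window
    return start <= when.time() < end


def access_allowed(rules, host: Host, when: datetime) -> bool:
    """Any matching allow rule grants access; there are no deny rules."""
    return any(rule_allows(rule, host, when) for rule in rules)


# Constructed scenario values.
OFFICE_HOURS = (time(8, 0), time(18, 0))
MIDNIGHT = datetime(2016, 9, 9, 0, 30)
NOON = datetime(2016, 9, 9, 12, 0)


def ambiguous_layout() -> bool:
    """Both rules target every host: the case Jan warns about.

    Returns whether a time-aware client gets in at 00:30."""
    rules = [
        Rule("allow_all_legacy", frozenset({"all"})),
        Rule("allow_office_hours", frozenset({"all"}), OFFICE_HOURS),
    ]
    new_host = Host("new.example.test", frozenset({"all"}), True)
    # The new client sees the legacy rule too, so the time window is moot.
    return access_allowed(rules, new_host, MIDNIGHT)


def scoped_layout() -> dict:
    """Host groups split the fleet: legacy rule for old clients only,
    time-based rule for upgraded ones."""
    rules = [
        Rule("allow_all_legacy", frozenset({"legacy"})),
        Rule("allow_office_hours", frozenset({"upgraded"}), OFFICE_HOURS),
    ]
    old_host = Host("old.example.test", frozenset({"legacy"}), False)
    new_host = Host("new.example.test", frozenset({"upgraded"}), True)
    return {
        "old_at_midnight": access_allowed(rules, old_host, MIDNIGHT),
        "new_at_midnight": access_allowed(rules, new_host, MIDNIGHT),
        "new_at_noon": access_allowed(rules, new_host, NOON),
    }


if __name__ == "__main__":
    print("ambiguous layout, new client at 00:30:", ambiguous_layout())
    print("scoped layout:", scoped_layout())
```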
From: ofayans at redhat.com (Oleg Fayans)
Date: Fri, 9 Sep 2016 15:22:06 +0200
Subject: [Freeipa-devel] [PATCH] ca-less tests updated
In-Reply-To: <84a03933-9820-2c63-ef7b-1cf63a44e3a9@redhat.com>
References: <56337745.109@redhat.com> <563B091B.3010501@redhat.com> <563B6A96.8090606@redhat.com> <563BABEC.8080304@redhat.com> <563C5B1A.1090803@redhat.com> <563C5E6D.4060307@redhat.com> <563CA575.1030808@redhat.com> <567176A2.1000901@redhat.com> <5707C431.6070702@redhat.com> <570E1E70.6060309@redhat.com> <5715F6B5.3070003@redhat.com> <57173F56.5020308@redhat.com> <5731F951.1020700@redhat.com> <57A99B02.1010507@redhat.com> <84a03933-9820-2c63-ef7b-1cf63a44e3a9@redhat.com>
Message-ID: <4b1365a2-c140-4aa4-baf9-9c7a6953c7f8@redhat.com>

Hi David, team

According to your suggestions I've split my commits so that each commit addresses some particular problem. One patch (0071) still contains several unrelated fixes, but they mostly reflect changes in error messages and really small but numerous bugfixes that I did not consider worthy of a separate commit each. Please, whenever you have free time, take a look at this new bunch of patches.

Thanks!

On 09/06/2016 04:41 PM, David Kupka wrote:
> Hi Oleg!
>
> 0013 - It looks like there are two unrelated changes, addition of CRL
> distribution extension and creating certificate signed by no longer
> existing CA. Please create separate patch for each of the changes, and
> describe the change and reason for it in commit messages.
>
> 0014 - Could you please split the patch to "numerous" commit each fixing
> one error? Please also describe each fix so everyone has at least vague
> idea about the patch without reading its code. Also why do you introduce
> global variable config, I don't see it used anywhere.
>
> 0039 - It looks like multiple different changes and commit message says
> nothing again. Please split and describe what did you change and why.
>
> 0041 - Looks like weird workaround to me. It would be better to
> investigate the root cause and fix it. Or at least describe the cause in
> commit message and code comment if it can't be fixed. Also "-h is
> deprecated in favor of -H" says man 1 ldapmodify.
>
>
> On 05/09/16 14:32, Oleg Fayans wrote:
>> Hi guys,
>>
>> Finally the ca-less tests are stable. Here in the attachment is the full
>> set of necessary patches.
>>
>>
>> On 08/09/2016 10:57 AM, Oleg Fayans wrote:
>>> Hi all,
>>>
>>> Bump for the review of the 0013 patch. The script it addresses can be
>>> reused in some WebUI tests - one more reason to have it reviewed/merged
>>>
>>> The rest of the patches should be re-tested, since they were prepared a good
>>> while ago
>>>
>>> On 05/10/2016 05:08 PM, Oleg Fayans wrote:
>>>> Hi David,
>>>>
>>>> After quite a while and some more struggles here comes the updated
>>>> version of the patch together with other patches fixing things in
>>>> ipatests/test_integration/tasks.py
>>>> Server and replica installation was refactored in a way to utilize the
>>>> code from tasks.py as much as it is possible
>>>>
>>>> The full set of necessary patches is attached
>>>>
>>>>
>>>> On 04/20/2016 10:35 AM, David Kupka wrote:
>>>>> On 19/04/16 11:13, Oleg Fayans wrote:
>>>>>> OK, that one, though passing lint, did not actually work. I gave
>>>>>> up my
>>>>>> attempts to define method decorators inside the class. Now it passes
>>>>>> lint AND works:)
>>>>>>
>>>>>
>>>>> Hi Oleg!
>>>>>
>>>>> 1) Current commit message is useless. Please use it to describe
>>>>> what is
>>>>> the point of the patch.
>>>>>
>>>>> 2) $ git show -U0 | pep8 --diff
>>>>> ./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank
>>>>> lines, found 1
>>>>> ./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank
>>>>> lines, found 1
>>>>> ./ipatests/test_integration/test_caless.py:820:5: E303 too many blank
>>>>> lines (2)
>>>>> ./ipatests/test_integration/test_caless.py:825:80: E501 line too long
>>>>> (80 > 79 characters)
>>>>> ./ipatests/test_integration/test_caless.py:1035:44: E225 missing
>>>>> whitespace around operator
>>>>>
>>>>>
>>>>> 3) Isn't there a way to do this with pytest's fixtures?
>>>>>
>>>>>> +def server_install_teardown(func):
>>>>>> + def wrapped(*args):
>>>>>> + try:
>>>>>> + func(*args)
>>>>>> + finally:
>>>>>> + args[0].uninstall_server()
>>>>>> + return wrapped
>>>>>> +
>>>>>> +def replica_install_teardown(func):
>>>>>> + def wrapped(*args):
>>>>>> + try:
>>>>>> + func(*args)
>>>>>> + finally:
>>>>>> + # Uninstall replica
>>>>>> + replica = args[0].replicas[0]
>>>>>> + tasks.kinit_admin(args[0].master)
>>>>>> + args[0].uninstall_server(replica)
>>>>>> + args[0].master.run_command(['ipa-replica-manage', 'del',
>>>>>> + replica.hostname,
>>>>>> '--force'],
>>>>>> + raiseonerr=False)
>>>>>> + args[0].master.run_command(['ipa', 'host-del',
>>>>>> + replica.hostname],
>>>>>> + raiseonerr=False)
>>>>>> + return wrapped
>>>>>> +
>>>>
>>>> There is a standard pytest method called 'method_teardown', that is
>>>> intended to be executed after each test method, but with our setup it
>>>> does
>>>> not work.
>>>>
>>>>>
>>>>> 4) Is it necessary to create the $TEST_DIR in the test? Isn't it
>>>>> created
>>>>> by the framework?
>>>>>
>>>>>> + host.transport.mkdir_recursive(host.config.test_dir)
>>>>>
>>>>
>>>> Removed.
>>>>
>>>>>
>>>>> 5) I don't think the comment matches the code.
>>>>>
>>>>>>
>>>>>> + # Remove CA cert in /etc/pki/nssdb, in case of failed
>>>>>> (un)install
>>>>>> + for host in cls.get_all_hosts():
>>>>>> + cls.uninstall_server(host)
>>>>>> +
>>>>>> super(CALessBase, cls).uninstall(mh)
>>>>>
>>>>
>>>> Not actual anymore
>>>>
>>>>>
>>>>> 6) No! Create list with one element, iterate that list and append
>>>>> every
>>>>> item to the other list. Maybe there's better way (Hint: append).
>>>>> I've seen this on multiple places.
>>>>>
>>>>>> if unattended:
>>>>>> args.extend(['-U'])
>>>>
>>>> Agreed
>>>>
>>>>>
>>>>> 7) Why don't you (extend and) use
>>>>> ipatests.test_integration.tasks.(un)install_{master,replica}?
>>>>> This could be done pretty much all over the code.
>>>>>
>>>>>> host.run_command(['ipa-server-install', '--uninstall',
>>>>>> '-U'])
>>>>>
>>>>> 8) Use ipaplatform.paths for certutil and other binaries. If the
>>>>> binary
>>>>> is not there feel free to add it.
>>>>> I've seen this on multiple places.
>>>>>
>>>>>> + host.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
>>>>>> + '-n', 'External CA cert'],
>>>>>> + raiseonerr=False)
>>>>>> + # A workaround
>>>>>> forhttps://fedorahosted.org/freeipa/ticket/4639
>>>>>> + result = host.run_command(['certutil', '-L', '-d',
>>>>>> + paths.HTTPD_ALIAS_DIR])
>>>>>> + for rawcert in result.stdout_text.split('\n')[4: -1]:
>>>>>> + cert = rawcert.split(' ')[0]
>>>>>> + host.run_command(['certutil', '-D', '-d',
>>>>>> paths.HTTPD_ALIAS_DIR,
>>>>>> + '-n', cert])
>>>>>>
>>>>
>>>> Done
>>>>
>>>>>
>>>>> 9) certmonger is system service. You can check if it is .enabled() and
>>>>> .running(). And IIUC the comment is negation of what the code does.
>>>>>
>>>>>>
>>>>>> # Verify certmonger was not started
>>>>>> result = host.run_command(['getcert', 'list'],
>>>>>> raiseonerr=False)
>>>>>> - assert result > 0
>>>>>> - assert ('Please verify that the certmonger service has
>>>>>> been '
>>>>>> - 'started.' in result.stdout_text),
>>>>>> result.stdout_text
>>>>>> + assert result.returncode == 0
>>>>>
>>>>> 10) What is the point of calling uninstall_server() when it will be
>>>>> called in the finally block of server_install_teardown anyway?
>>>>>
>>>>>> + @server_install_teardown
>>>>>> def test_revoked_http(self):
>>>>>> "IPA server install with revoked HTTP certificate"
>>>>>>
>>>>>> if result.returncode == 0:
>>>>>> + self.uninstall_server()
>>>>>> raise nose.SkipTest(
>>>>>> "Known CA-less installation defect, see "
>>>>>> +"https://fedorahosted.org/freeipa/ticket/4270")
>>>>>>
>>>>>> assert result.returncode > 0
>>>>>>
>>>> Removed
>>>>
>>>>>
>>>>> Nitpick) Do not mix fixing typos/grammar/spelling/style with
>>>>> functional
>>>>> changes.
>>>>>
>>>>>> - def test_incorect_http_pin(self):
>>>>>> + @pytest.mark.xfail(reason='freeipa ticket 5378')
>>>>>> + def test_incorrect_http_pin(self):
>>>>>> "Install new HTTP certificate with incorrect PKCS#12
>>>>>> password"
>>>>
>>>> Removed
>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0041.1-Fixed-method-failures-during-second-call-for-the-method.patch
Type: text/x-patch
Size: 1388 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0062-Added-basic-constraints-extension-to-the-CA-certs.patch
Type: text/x-patch
Size: 1129 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0063-Added-generation-of-missing-certs.patch
Type: text/x-patch
Size: 1152 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
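Review bot: in the server_install_teardown / replica_install_teardown hunk, `def wrapped(*args)` accepts positional arguments only, so any test method that also takes pytest fixtures (which pytest passes by keyword) fails with a TypeError before the test body runs, and without `functools.wraps(func)` the wrapped test reports its name and docstring as `wrapped`. Suggest `def wrapped(*args, **kwargs)` forwarding both to `func(*args, **kwargs)`, decorated with `@functools.wraps(func)`.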
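Review bot: in the certutil hunk, `cert = rawcert.split(' ')[0]` keeps only the first word of each nickname, so a nickname containing spaces (the same hunk deletes 'External CA cert' by name a few lines earlier) is reduced to 'External' and the following `certutil -D -n` deletes nothing; the `[4: -1]` slice also hard-codes the header layout of `certutil -L` output. Suggest splitting each line from the right so only the trust-flags column is dropped, e.g. `cert = rawcert.rsplit(None, 1)[0].strip()`, and skipping blank lines rather than relying on the fixed slice.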
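Review bot: in the getcert hunk, the removed `assert result > 0` compared the run_command result object itself with an integer instead of `result.returncode` (Python 2 orders such objects above numbers, so the assertion could never fail; Python 3 raises TypeError), so the old check was dead code, and the replacement `assert result.returncode == 0` now asserts the opposite of the comment 'Verify certmonger was not started' two lines above it and of the removed message check. Suggest deciding which outcome is expected and making the comment, the return-code assertion and any output check agree.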
Name: freeipa-ofayans-0064-Updated-ipa-server-installation-stdin-text.patch
Type: text/x-patch
Size: 1337 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0065-Create-a-method-that-cleans-all-ipa-certs.patch
Type: text/x-patch
Size: 1671 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0066-Added-teardown-methods-for-server-and-replica-instal.patch
Type: text/x-patch
Size: 2049 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0067-Removed-call-for-install-method-from-parent-class.patch
Type: text/x-patch
Size: 1151 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0068-Adapted-installation-methods-to-utilize-tasks.patch
Type: text/x-patch
Size: 10325 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0069-Fixed-incorrect-assert-in-verify_installation.patch
Type: text/x-patch
Size: 1475 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0070-Applied-correct-install-and-teardown-methods.patch
Type: text/x-patch
Size: 18279 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0071-Fixed-test-errors-in-calss-tests.patch
Type: text/x-patch
Size: 17796 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0072-Removed-outdated-command-options-test.patch
Type: text/x-patch
Size: 1722 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0073-Added-necessary-getkeytabs-calls-to-fixtures.patch
Type: text/x-patch
Size: 1680 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0074-Added-necessary-xfails.patch
Type: text/x-patch
Size: 4999 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0075-Updated-master-and-replica-installation-methods.patch
Type: text/x-patch
Size: 6383 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0076-Made-unapply_fixes-call-optional-at-master-uninstall.patch
Type: text/x-patch
Size: 1535 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0077-Enabled-negative-testing-for-cleaning-replication-agreements.patch
Type: text/x-patch
Size: 1323 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Sep 9 13:54:23 2016
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Fri, 09 Sep 2016 15:54:23 +0200
Subject: [Freeipa-devel] [freeipa PR#71] Fix regression introduced in ipa-certupdate (opened)
Message-ID:

flo-renaud's pull request #71: "Fix regression introduced in ipa-certupdate" was opened

PR body:
"""
The fix for 6288 was overwritten by commit 08b768313020c45bfa82d67cd214afabf605f4b3.

https://fedorahosted.org/freeipa/ticket/6288
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/71

... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/71/head:pr71
git checkout pr71
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-71.patch
Type: text/x-diff
Size: 1033 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Sep 9 14:20:31 2016
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 09 Sep 2016 16:20:31 +0200 Subject: [Freeipa-devel] [freeipa PR#71] Fix regression introduced in ipa-certupdate (+ack) In-Reply-To: References: Message-ID: flo-renaud's pull request #71: "Fix regression introduced in ipa-certupdate" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/71 From freeipa-github-notification at redhat.com Fri Sep 9 14:21:26 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 09 Sep 2016 16:21:26 +0200 Subject: [Freeipa-devel] [freeipa PR#71] Fix regression introduced in ipa-certupdate (+pushed) In-Reply-To: References: Message-ID: flo-renaud's pull request #71: "Fix regression introduced in ipa-certupdate" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/71 From freeipa-github-notification at redhat.com Fri Sep 9 14:21:27 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 09 Sep 2016 16:21:27 +0200 Subject: [Freeipa-devel] [freeipa PR#71] Fix regression introduced in ipa-certupdate (comment) In-Reply-To: References: Message-ID: martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/cd75eb3b2557cbd97e93be3e1ceeef21b948a694 ipa-4-4: https://fedorahosted.org/freeipa/changeset/2eeab3acf43c8f33729b48779c12aea57e453075 """ See the full comment at https://github.com/freeipa/freeipa/pull/71#issuecomment-245927050 From freeipa-github-notification at redhat.com Fri Sep 9 14:21:29 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 09 Sep 2016 16:21:29 +0200 Subject: [Freeipa-devel] [freeipa PR#71] Fix regression introduced in ipa-certupdate (closed) In-Reply-To: References: Message-ID: flo-renaud's pull request #71: "Fix regression introduced in ipa-certupdate" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/71 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/71/head:pr71 git checkout pr71 From freeipa-github-notification at redhat.com Fri Sep 9 14:28:11 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 09 Sep 2016 16:28:11 +0200 Subject: [Freeipa-devel] [freeipa PR#68] netgroup: avoid extraneous LDAP search when retrieving primary key from DN (+pushed) In-Reply-To: References: Message-ID: martbab's pull request #68: "netgroup: avoid extraneous LDAP search when retrieving primary key from DN" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/68 From freeipa-github-notification at redhat.com Fri Sep 9 14:28:12 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 09 Sep 2016 16:28:12 +0200 Subject: [Freeipa-devel] [freeipa PR#68] netgroup: avoid extraneous LDAP search when retrieving primary key from DN (comment) In-Reply-To: References: Message-ID: martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/003b364c5a06a5adc89bac7371f46d534cfb4616 ipa-4-4: https://fedorahosted.org/freeipa/changeset/85b98059f91670bd489c35816b2ff901a7820c4f """ See the full comment at https://github.com/freeipa/freeipa/pull/68#issuecomment-245929493 From freeipa-github-notification at redhat.com Fri Sep 9 14:28:14 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 09 Sep 2016 16:28:14 +0200 Subject: [Freeipa-devel] [freeipa PR#68] netgroup: avoid extraneous LDAP search when retrieving primary key from DN (closed) In-Reply-To: References: Message-ID: martbab's pull request #68: "netgroup: avoid extraneous LDAP search when retrieving primary key from DN" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/68 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/68/head:pr68 git checkout pr68 From freeipa-github-notification at redhat.com Fri Sep 9 14:54:28 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 09 Sep 2016 16:54:28 +0200 Subject: [Freeipa-devel] [freeipa PR#43] Tests: Fix regex errors in integration trust tests (+pushed) In-Reply-To: References: Message-ID: mirielka's pull request #43: "Tests: Fix regex errors in integration trust tests" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/43 From freeipa-github-notification at redhat.com Fri Sep 9 14:54:29 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 09 Sep 2016 16:54:29 +0200 Subject: [Freeipa-devel] [freeipa PR#43] Tests: Fix regex errors in integration trust tests (comment) In-Reply-To: References: Message-ID: martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/fc5a99274c2ea0301a539fe9a8b2dc9b61786a8a ipa-4-4: https://fedorahosted.org/freeipa/changeset/86fa116ee8617a60c8111f3061408bcd70db06ff """ See the full comment at https://github.com/freeipa/freeipa/pull/43#issuecomment-245937241 From freeipa-github-notification at redhat.com Fri Sep 9 14:54:31 2016 
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 09 Sep 2016 16:54:31 +0200
Subject: [Freeipa-devel] [freeipa PR#43] Tests: Fix regex errors in integration trust tests (closed)

mirielka's pull request #43: "Tests: Fix regex errors in integration trust tests" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/43
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/43/head:pr43
git checkout pr43

From dkupka at redhat.com Mon Sep 12 07:51:01 2016
From: dkupka at redhat.com (David Kupka)
Date: Mon, 12 Sep 2016 09:51:01 +0200
Subject: [Freeipa-devel] [PATCH] ca-less tests updated
In-Reply-To: <4b1365a2-c140-4aa4-baf9-9c7a6953c7f8@redhat.com>
References: <56337745.109@redhat.com> <563B091B.3010501@redhat.com> <563B6A96.8090606@redhat.com> <563BABEC.8080304@redhat.com> <563C5B1A.1090803@redhat.com> <563C5E6D.4060307@redhat.com> <563CA575.1030808@redhat.com> <567176A2.1000901@redhat.com> <5707C431.6070702@redhat.com> <570E1E70.6060309@redhat.com> <5715F6B5.3070003@redhat.com> <57173F56.5020308@redhat.com> <5731F951.1020700@redhat.com> <57A99B02.1010507@redhat.com> <84a03933-9820-2c63-ef7b-1cf63a44e3a9@redhat.com> <4b1365a2-c140-4aa4-baf9-9c7a6953c7f8@redhat.com>
Message-ID: <5dee6817-b758-3694-16e6-a9e99cd2f838@redhat.com>

Hi Oleg,
thank you, now it's a completely different game.

Please add prefix to commit message summaries. Simply prepending "tests: " should be OK.

0041 - -h is deprecated in favor of -H.

0062 - 0068 - LGTM

0069 - I see 2 unrelated changes in the patch, please split them:
- 1 - certutil -> paths.CERTUTIL
- 2 - assert

0070 - I see 2 unrelated changes in the patch, please split them:
- 1 - teardown
- 2 - TestReplicaInstall.setUp -> TestReplicaInstall.install

0071 - typos in commit message, I see 5 unrelated changes in that patch:
- 1 - error messages in assert
- 2 - certificates used
- 3 - verify_installation called only in DOMAIN_LEVEL_0.
- 4 - TestCertinstall.install
- 5 - TestCertinstall.certinstall

0072 - 0077 - LGTM

On 09/09/16 15:22, Oleg Fayans wrote:
> Hi David, team
>
> According to your suggestions I've split my commits so that each commit addresses some particular problem. One patch (0071) still contains several unrelated fixes, but they mostly reflect changes in error messages and really small but numerous bugfixes that I did not consider worthy of a separate commit each. Please, whenever you have a free time take a look at this new bunch of patches.
>
> Thanks!
>
> On 09/06/2016 04:41 PM, David Kupka wrote:
>> Hi Oleg!
>>
>> 0013 - It looks like there are two unrelated changes, addition of CRL distribution extension and creating certificate signed by no longer existing CA. Please create separate patch for each of the changes, and describe the change and reason for it in commit messages.
>>
>> 0014 - Could you please split the patch to "numerous" commits each fixing one error? Please also describe each fix so everyone has at least a vague idea about the patch without reading its code. Also why do you introduce global variable config, I don't see it used anywhere.
>>
>> 0039 - It looks like multiple different changes and commit message says nothing again. Please split and describe what did you change and why.
>>
>> 0041 - Looks like weird workaround to me. It would be better to investigate the root cause and fix it. Or at least describe the cause in commit message and code comment if it can't be fixed. Also "-h is deprecated in favor of -H" says man 1 ldapmodify.
>>
>>
>> On 05/09/16 14:32, Oleg Fayans wrote:
>>> Hi guys,
>>>
>>> Finally the ca-less tests are stable. Here in the attachment is the full set of necessary patches.
>>>
>>>
>>> On 08/09/2016 10:57 AM, Oleg Fayans wrote:
>>>> Hi all,
>>>>
>>>> Bump for the review of the 0013 patch. The script it addresses can be reused in some WebUI tests - one more reason to have it reviewed/merged
>>>>
>>>> The rest of the patches should be re-tested, since they were prepared a good while ago
>>>>
>>>> On 05/10/2016 05:08 PM, Oleg Fayans wrote:
>>>>> Hi David,
>>>>>
>>>>> After quite a while and some more struggles here comes the updated version of the patch together with other patches fixing things in ipatests/test_integration/tasks.py
>>>>> Server and replica installation was refactored in a way to utilize the code from tasks.py as much as it is possible
>>>>>
>>>>> The full set of necessary patches is attached
>>>>>
>>>>>
>>>>> On 04/20/2016 10:35 AM, David Kupka wrote:
>>>>>> On 19/04/16 11:13, Oleg Fayans wrote:
>>>>>>> OK, that one, though passing lint, did not actually work. I gave up my attempts to define method decorators inside the class. Now it passes lint AND works:)
>>>>>>>
>>>>>>
>>>>>> Hi Oleg!
>>>>>>
>>>>>> 1) Current commit message is useless. Please use it to describe what is the point of the patch.
>>>>>>
>>>>>> 2) $ git show -U0 | pep8 --diff
>>>>>> ./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank lines, found 1
>>>>>> ./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank lines, found 1
>>>>>> ./ipatests/test_integration/test_caless.py:820:5: E303 too many blank lines (2)
>>>>>> ./ipatests/test_integration/test_caless.py:825:80: E501 line too long (80 > 79 characters)
>>>>>> ./ipatests/test_integration/test_caless.py:1035:44: E225 missing whitespace around operator
>>>>>>
>>>>>>
>>>>>> 3) Isn't there a way to do this with pytest's fixtures?
>>>>>>
>>>>>>> +def server_install_teardown(func):
>>>>>>> + def wrapped(*args):
>>>>>>> + try:
>>>>>>> + func(*args)
>>>>>>> + finally:
>>>>>>> + args[0].uninstall_server()
>>>>>>> + return wrapped
>>>>>>> +
>>>>>>> +def replica_install_teardown(func):
>>>>>>> + def wrapped(*args):
>>>>>>> + try:
>>>>>>> + func(*args)
>>>>>>> + finally:
>>>>>>> + # Uninstall replica
>>>>>>> + replica = args[0].replicas[0]
>>>>>>> + tasks.kinit_admin(args[0].master)
>>>>>>> + args[0].uninstall_server(replica)
>>>>>>> + args[0].master.run_command(['ipa-replica-manage',
>>>>>>> 'del',
>>>>>>> + replica.hostname,
>>>>>>> '--force'],
>>>>>>> + raiseonerr=False)
>>>>>>> + args[0].master.run_command(['ipa', 'host-del',
>>>>>>> + replica.hostname],
>>>>>>> + raiseonerr=False)
>>>>>>> + return wrapped
>>>>>>> +
>>>>>
>>>>> There is a standard pytest method called 'method_teardown', that is intended to be executed after each test method, but with our setup it does not work.
>>>>>
>>>>>>
>>>>>> 4) Is it necessary to create the $TEST_DIR in the test? Isn't it created by the framework?
>>>>>>
>>>>>>> + host.transport.mkdir_recursive(host.config.test_dir)
>>>>>>
>>>>>
>>>>> Removed.
>>>>>
>>>>>>
>>>>>> 5) I don't think the comment matches the code.
>>>>>>
>>>>>>>
>>>>>>> + # Remove CA cert in /etc/pki/nssdb, in case of failed
>>>>>>> (un)install
>>>>>>> + for host in cls.get_all_hosts():
>>>>>>> + cls.uninstall_server(host)
>>>>>>> +
>>>>>>> super(CALessBase, cls).uninstall(mh)
>>>>>>
>>>>>
>>>>> Not actual anymore
>>>>>
>>>>>>
>>>>>> 6) No! Create list with one element, iterate that list and append every item to the other list. Maybe there's better way (Hint: append). I've seen this on multiple places.
>>>>>>
>>>>>>> if unattended:
>>>>>>> args.extend(['-U'])
>>>>>
>>>>> Agreed
>>>>>
>>>>>>
>>>>>> 7) Why don't you (extend and) use ipatests.test_integration.tasks.(un)install_{master,replica}? This could be done pretty much all over the code.
>>>>>>
>>>>>>> host.run_command(['ipa-server-install', '--uninstall',
>>>>>>> '-U'])
>>>>>>
>>>>>> 8) Use ipaplatform.paths for certutil and other binaries. If the binary is not there feel free to add it. I've seen this on multiple places.
>>>>>>
>>>>>>> + host.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
>>>>>>> + '-n', 'External CA cert'],
>>>>>>> + raiseonerr=False)
>>>>>>> + # A workaround for https://fedorahosted.org/freeipa/ticket/4639
>>>>>>> + result = host.run_command(['certutil', '-L', '-d',
>>>>>>> + paths.HTTPD_ALIAS_DIR])
>>>>>>> + for rawcert in result.stdout_text.split('\n')[4: -1]:
>>>>>>> + cert = rawcert.split(' ')[0]
>>>>>>> + host.run_command(['certutil', '-D', '-d',
>>>>>>> paths.HTTPD_ALIAS_DIR,
>>>>>>> + '-n', cert])
>>>>>>>
>>>>>
>>>>> Done
>>>>>
>>>>>>
>>>>>> 9) certmonger is a system service. You can check if it is .enabled() and .running(). And IIUC the comment is negation of what the code does.
>>>>>>
>>>>>>>
>>>>>>> # Verify certmonger was not started
>>>>>>> result = host.run_command(['getcert', 'list'],
>>>>>>> raiseonerr=False)
>>>>>>> - assert result > 0
>>>>>>> - assert ('Please verify that the certmonger service has
>>>>>>> been '
>>>>>>> - 'started.' in result.stdout_text),
>>>>>>> result.stdout_text
>>>>>>> + assert result.returncode == 0
>>>>>>
>>>>>> 10) What is the point of calling uninstall_server() when it will be called in the finally block of server_install_teardown anyway?
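Review bot: In the server_install_teardown/replica_install_teardown hunk, `def wrapped(*args)` drops keyword arguments and discards the wrapped function's return value, and without `functools.wraps` the decorated test loses its `__name__` and docstring, which pytest uses for collection and reporting. Define `def wrapped(*args, **kwargs)`, `return func(*args, **kwargs)` inside the `try`, and decorate `wrapped` with `@functools.wraps(func)`; note also that an exception raised by `uninstall_server()` in `finally` replaces the test's own failure, so a failing cleanup hides the real cause.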
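Review bot: In the certutil cleanup hunk, `cert = rawcert.split(' ')[0]` truncates any nickname that contains a space: a nickname such as 'External CA cert' (the very one deleted by name a few lines earlier) would be passed to `certutil -D -n` as 'External', and since that second `run_command` has no `raiseonerr=False`, the loop fails rather than cleaning up. `result.stdout_text.split('\n')[4: -1]` likewise hard-codes a four-line header and drops the final line. Split each entry from the right so the trust-attributes column is separated from the nickname (for example `rawcert.rsplit(None, 1)[0]`), and skip the header by looking for the blank line that ends it instead of counting lines.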
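Review bot: In the certmonger hunk, the comment still says "Verify certmonger was not started" but the new `assert result.returncode == 0` requires `getcert list` to succeed, which is exactly what happens when certmonger is running; the removed `assert result > 0` compared the result object itself rather than `result.returncode`, so the old check was never meaningful either. State the intended condition explicitly: either assert `result.returncode != 0` together with the 'Please verify that the certmonger service has been started.' message the removed lines looked for, or, as David suggests, query the service state directly and make the comment match.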
>>>>>>
>>>>>>> + @server_install_teardown
>>>>>>> def test_revoked_http(self):
>>>>>>> "IPA server install with revoked HTTP certificate"
>>>>>>>
>>>>>>> if result.returncode == 0:
>>>>>>> + self.uninstall_server()
>>>>>>> raise nose.SkipTest(
>>>>>>> "Known CA-less installation defect, see "
>>>>>>> +"https://fedorahosted.org/freeipa/ticket/4270")
>>>>>>>
>>>>>>> assert result.returncode > 0
>>>>>>>
>>>>> Removed
>>>>>
>>>>>>
>>>>>> Nitpick) Do not mix fixing typos/grammar/spelling/style with functional changes.
>>>>>>
>>>>>>> - def test_incorect_http_pin(self):
>>>>>>> + @pytest.mark.xfail(reason='freeipa ticket 5378')
>>>>>>> + def test_incorrect_http_pin(self):
>>>>>>> "Install new HTTP certificate with incorrect PKCS#12
>>>>>>> password"
>>>>>
>>>>> Removed
>>>>>

--
David Kupka

From freeipa-github-notification at redhat.com Mon Sep 12 12:14:15 2016
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Mon, 12 Sep 2016 14:14:15 +0200
Subject: [Freeipa-devel] [freeipa PR#72] WebUI: Add handling for HTTP error 404 (opened)

pvomacka's pull request #72: "WebUI: Add handling for HTTP error 404" was opened

PR body:
"""
In case that API is not accessible the 404 error is thrown. There was error dialog with almost no information. The new dialog says what error is there and what can be the main cause of the error.

https://fedorahosted.org/freeipa/ticket/4821
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/72
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/72/head:pr72
git checkout pr72
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-72.patch
Type: text/x-diff
Size: 1908 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Sep 12 13:08:26 2016
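As an added example of the teardown decorator pattern argued over in David Kupka's ca-less test review above (this is illustration code, not from the patches under review or from FreeIPA): the decorator forwards keyword arguments and the return value, keeps the test's name and docstring with functools.wraps, and the finally block already uninstalls exactly once even when the test raises a skip, so the extra uninstall_server() call before raising is redundant. FakeInstallTest, SkipTest and run_case are constructed stand-ins for the real test class and nose.SkipTest.

```python
import functools


class SkipTest(Exception):
    """Constructed stand-in for nose.SkipTest / pytest's skip exception."""


def server_install_teardown(func):
    """Run func, then uninstall the server exactly once, whatever func did.

    Unlike the decorator in the patch, keyword arguments and the return
    value are forwarded, and functools.wraps keeps the test's __name__ and
    docstring so pytest collects and reports it under its own name.
    """
    @functools.wraps(func)
    def wrapped(self, *args, **kwargs):
        try:
            return func(self, *args, **kwargs)
        finally:
            # Runs on normal return, on assertion failure and on SkipTest.
            self.uninstall_server()
    return wrapped


class FakeInstallTest:
    """Hypothetical test class that records how often uninstall_server ran."""

    def __init__(self, install_returncode):
        # Simulates the returncode of the ipa-server-install run under test.
        self.install_returncode = install_returncode
        self.uninstall_calls = 0

    def uninstall_server(self):
        self.uninstall_calls += 1

    @server_install_teardown
    def test_revoked_http(self):
        "IPA server install with revoked HTTP certificate"
        if self.install_returncode == 0:
            # No explicit self.uninstall_server() here: the decorator's
            # finally block runs it even though we raise.
            raise SkipTest("Known CA-less installation defect")
        assert self.install_returncode > 0
        return self.install_returncode


def run_case(install_returncode):
    """Run the decorated test; return (outcome, number of uninstall calls)."""
    t = FakeInstallTest(install_returncode)
    try:
        outcome = t.test_revoked_http()
    except SkipTest:
        outcome = "skipped"
    return outcome, t.uninstall_calls


if __name__ == "__main__":
    print(run_case(0))   # skipped path: cleanup still runs once
    print(run_case(1))   # install failed as expected: cleanup runs once
```

A pytest yield-fixture (`yield` after install, uninstall after it) gives the same one-cleanup guarantee without a decorator and is what the "Isn't there a way to do this with pytest's fixtures?" comment points at; the decorator form is shown here because that is what the patch used.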
From: freeipa-github-notification at redhat.com (apophys)
Date: Mon, 12 Sep 2016 15:08:26 +0200
Subject: [Freeipa-devel] [freeipa PR#73] Tests for certificates with SAN (opened)

apophys's pull request #73: "Tests for certificates with SAN" was opened

PR body:
"""
Commits include several new test cases for CA ACLs and cert request for CSRs containing subject alternative name extension.

Also included minor fixes in used tracker and couple of new context managers used in the test cases.
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/73
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/73/head:pr73
git checkout pr73
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-73.patch
Type: text/x-diff
Size: 16131 bytes
Desc: not available
URL:

From aruizrui at redhat.com Mon Sep 12 15:36:42 2016
From: aruizrui at redhat.com (Alberto Ruiz Ruiz)
Date: Mon, 12 Sep 2016 16:36:42 +0100
Subject: [Freeipa-devel] FleetCommander integration
In-Reply-To: <20160906101814.aotuinw5y4v6ihzk@redhat.com>
References: <20160906101814.aotuinw5y4v6ihzk@redhat.com>

Hey Alexander,

Just a heads up, we're in the middle of releasing 0.8 just this week so we're testing like mad. Right after 0.8 is out, we should be able to sit down and look into FreeIPA integration right away and will certainly look into this.

And sorry for the late reply

On Tue, Sep 6, 2016 at 11:18 AM, Alexander Bokovoy wrote:
> Hi,
>
> Now that FreeIPA 4.4.1 is out, I've pushed to github my prototype for FleetCommander integration: https://github.com/abbra/freeipa-desktop-profile/
>
> You can read the design page:
> https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
>
> The design was mostly figured out in discussions with Alberto, Fabiano, Nathaniel, and Jakub, so we are more or less on the common ground here between SSSD and FleetCommander. You can send pull requests to me on github to update the design. ;)
>
> You can cut a tarball using
> git archive --format=tar.gz --prefix=freeipa-desktop-profile-0.0.1/ \
>     --output ~/rpmbuild/SOURCES/freeipa-desktop-profile-0.0.1.tar.gz \
>     freeipa-desktop-profile-0.0.1
>
> And then build the package with
> rpmbuild -ta freeipa-desktop-profile-0.0.1.tar.gz
>
> When installed, the package does not run ipa-server-upgrade by itself, yet. So you need to run ipa-server-upgrade manually. Once run, deskprofile/deskprofilerule topics would become available and can be used for testing purposes. For Fedora 24 one can use FreeIPA 4.4.1 from COPR, for Fedora 25 we have FreeIPA 4.4.1 in updates stable as of today.
>
> UI plugin is not ready yet and is disabled in the spec file as it breaks loading the whole UI.
>
> --
> / Alexander Bokovoy

--
Alberto Ruiz
Engineering Supervisor - Desktop Management Tools
Red Hat
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mharmsen at redhat.com Tue Sep 13 04:09:30 2016
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Mon, 12 Sep 2016 22:09:30 -0600
Subject: [Freeipa-devel] Karma Requests for pki-core-10.3.5-6
In-Reply-To: <09cf941b-4dfa-f376-b775-ba5954f403dd@redhat.com>
References: <09cf941b-4dfa-f376-b775-ba5954f403dd@redhat.com>
Message-ID: <314a3af2-64b7-1160-f46c-7fa4488eac64@redhat.com>

> The following updated candidate builds of pki-core 10.3.5 on Fedora 24, 25, and 26 (rawhide) consist of the following:
>
> * Fedora 24
>   o pki-core-10.3.5-5.fc24
>   o pki-core-10.3.5-6.fc24
> * Fedora 25
>   o pki-core-10.3.5-5.fc25
>   o pki-core-10.3.5-6.fc25
> * Fedora 26
>   o pki-core-10.3.5-5.fc26
>   o pki-core-10.3.5-6.fc26
>
> Additionally, the CentOS 7 COPR EPEL Builds of Dogtag 10.3.3 were also updated:
>
> * https://copr.fedorainfracloud.org/coprs/g/pki/10.3.3/repo/epel-7/group_pki-10.3.3-epel-7.repo
>
> [group_pki-10.3.3]
> name=Copr repo for 10.3.3 owned by @pki
> baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/epel-7-$basearch/
> skip_if_unavailable=True
> gpgcheck=1
> gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/pubkey.gpg
> enabled=1
> enabled_metadata=1
>
> These builds address the following PKI tickets:
>
> * PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA deletion
> * PKI TRAC Ticket #2346 - Dogtag 10.3.6: Miscellaneous Enhancements
> * PKI TRAC Ticket #2443 - Prevent deletion of host CA's keys if LWCA entry deleted
> * PKI TRAC Ticket #2444 - Authority entry without entryUSN is skipped even if USN plugin enabled
> * PKI TRAC Ticket #2446 - pkispawn: make subject_dn defaults unique per instance name (for shared HSM)
> * PKI TRAC Ticket #2447 - CertRequestInfo has incorrect URLs
> * PKI TRAC Ticket #2449 - Unable to create system certificates in different tokens
> * REVOKES PATCH FOR PKI TRAC Ticket #2449 - Unable to create system certificates in different tokens
>
> Please provide Karma for the following builds:
>
> * Fedora 24
>   o pki-core-10.3.5-5.fc24: https://bodhi.fedoraproject.org/updates/FEDORA-2016-994f943797
>   o pki-core-10.3.5-6.fc24: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7b06393ae4
> * Fedora 25
>   o pki-core-10.3.5-5.fc25: https://bodhi.fedoraproject.org/updates/FEDORA-2016-d363d36e22
>   o pki-core-10.3.5-6.fc25: https://bodhi.fedoraproject.org/updates/FEDORA-2016-734ba29899
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From freeipa-github-notification at redhat.com Tue Sep 13 06:24:39 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Tue, 13 Sep 2016 08:24:39 +0200
Subject: [Freeipa-devel] [freeipa PR#74] [master, ipa-4-4] Tests: Add krb5kdc.service restart to integration trust tests (opened)

mirielka's pull request #74: "[master, ipa-4-4] Tests: Add krb5kdc.service restart to integration trust tests" was opened

PR body:
"""
krb5kdc.service restart is necessary for proper running of integration trust related tests.

https://fedorahosted.org/freeipa/ticket/6322
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/74
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/74/head:pr74
git checkout pr74
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-74.patch
Type: text/x-diff
Size: 1940 bytes
Desc: not available
URL:

From ofayans at redhat.com Tue Sep 13 08:10:05 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Tue, 13 Sep 2016 10:10:05 +0200
Subject: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964
References: <5762BBDD.4010502@redhat.com> <5763AA17.60207@redhat.com> <5763C073.5020503@redhat.com> <577113B2.1080904@redhat.com> <8ada929c-ebff-b8ce-6f1f-ae65fb8b1ba2@redhat.com> <577FAD77.7080504@redhat.com> <9149be7c-ee3d-42e5-16fb-fd0c0f351bb8@redhat.com> <57A1E76F.9@redhat.com>
Message-ID: <87cb02c1-9d08-9f1e-25cd-731dd6e21155@redhat.com>

Hi Ludwig,

The ipa-replica-manage clean-ruv sometimes does not quite work. For example:

I have a master and 2 replicas. Initial output of 'ipa-replica-manage list-ruv' looks like this:

Replica Update Vectors:
    f24replica2.pesen.net:389: 7
    f24master.pesen.net:389: 4
    f24replica1.pesen.net:389: 3
Certificate Server Replica Update Vectors:
    f24master.pesen.net:389: 6
    f24replica1.pesen.net:389: 5
    f24replica2.pesen.net:389: 8

When I do 'ipa-replica-manage clean-ruv 5' and then list-ruv, it shows the expected result:

Replica Update Vectors:
    f24replica2.pesen.net:389: 7
    f24master.pesen.net:389: 4
    f24replica1.pesen.net:389: 3
Certificate Server Replica Update Vectors:
    f24master.pesen.net:389: 6
    f24replica2.pesen.net:389: 8

But when I then do 'ipa-replica-manage clean-ruv 3', the command executes successfully, but list-ruv still shows 5 RUVs instead of four. After all nodes are restarted still 5 RUVs are displayed, but if I clean the RUV N 3 manually again, it works and leaves (expected) 4 RUVs.

Do you have an idea, what it might be and how to debug this?

On 08/05/2016 06:36 PM, Martin Basti wrote:
>
>
> On 03.08.2016 14:45, Oleg Fayans wrote:
>> Hi Martin,
>>
>> Thanks for the review! Both patches were updated.
>>
>> On 07/28/2016 04:11 PM, Martin Basti wrote:
>>>
>>>
>>> On 08.07.2016 15:41, Oleg Fayans wrote:
>>>> Hi Martin,
>>>>
>>>> Thanks for the review!
>>>>
>>>> On 07/08/2016 02:18 PM, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 27.06.2016 13:53, Oleg Fayans wrote:
>>>>>> Hi guys,
>>>>>>
>>>>>> Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before 4.4 release? They cover a good part of the Managed Topology 4.4 feature.
>>>>>>
>>>>>> On 06/17/2016 11:18 AM, Oleg Fayans wrote:
>>>>>>> One more test was added to the patch-0048
>>>>>>>
>>>>>>> On 06/17/2016 09:43 AM, Oleg Fayans wrote:
>>>>>>>> Fixed a bug in the previous patch, automated 2 more testcases from
>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan
>>>>>>>>
>>>>>>>> On 06/16/2016 04:46 PM, Oleg Fayans wrote:
>>>>>>>>>
>>>>>>>>>
>>>>> IIUC, this will turn off the machine completely, how is cleanup done then. AFAIK our tests cannot turn on machine again and run cleanup, so you will not be able to run more tests on the same topology without manual cleanup and manual start.
>>>>>
>>>>> + replica = self.replicas[0]
>>>>> + replica.run_command(['poweroff'])
>>>>>
>>>>> IMO would be better to just call 'ipactl stop' instead of 'poweroff'
>>>>
>>>> Agreed! Fixed.
>>>>
>>>>>
>>>>> Martin^2
>>>>>
>>>>
>>>>
>>> *Automated ipa-replica-manage del tests*
>>>
>>> 1)
>>> + replica.run_command(['ipactl', 'stop'])
>>> + time.sleep(3)
>>>
>>> Why do you need sleep here?
>>
>> Removed, it was left from the old "poweroff" approach
>>
>>>
>>> 2)
>>> + ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname)
>>> + replica_ruvs = ruvid_re.findall(result.stdout_text)
>>> + master.run_command(['ipa-replica-manage', 'clean-ruv', 'f',
>>> + '-p', master.config.dirman_password,
>>> + replica_ruvs[0]])
>>>
>>> Because you are using re.findall(), without any match you will receive IndexError here replica_ruvs[0]. IMO it deserves assert before
>>
>> Implemented the assert which checks that the output contains enough replica RUVs
>>
>>>
>>> 3)
>>> assert(replica.hostname in result1.stdout_text)
>>>
>>> I think that this is error prone. What if there is just error 'could not connect to replica ', or something similar, instead of listing/cleaning/whatever operation was executed. I think that it should be more specific regexp than just finding a replica name substring (Yes In IPA we don't always print errors to stderr)
>>>
>>> I'm not sure, but probably there might be cases when non critical error happen and exit status is still 0
>>
>> Agree. Implemented a regex-based search
>>
>>>
>>> 4)
>>>
>>> + replica.run_command(['poweroff'])
>>> + time.sleep(3)
>>>
>>> There should not be poweroff, probably sleep could be removed too.
>>
>> Gone
>>
>>>
>>> *Automated clean-ruv subcommand test*
>>>
>>> 1) PEP8, 2 new lines expected
>>> ./ipatests/test_integration/test_topology.py:163:1: E302 expected 2 blank lines, found 0
>>> ./ipatests/test_integration/test_topology.py:182:80: E501 line too long (85 > 79 characters)
>>
>> Fixed
>>
>>>
>>> 2)
>>> I don't like doing assert just with count of occurrences of substring in STDOUT, would be possible to improve this somehow?
>>
>> Maybe, but frankly, I don't see how. In this case we are making sure that both simple and CA-specific RUVs of a replica are displayed. The format of the output is strict:
>> Replica Update Vectors:
>>     replica1_hostname:389: RUV_id
>>     replica2_hostname:389: RUV_id
>> Certificate Server Replica Update Vectors:
>>     replica1_hostname:389: RUV_id
>>     replica2_hostname:389: RUV_id
>> If we do not see 2 occurrences of the replica hostname then definitely something went wrong
>>
>>>
>>> 3)
>>> I'm not sure if clean-ruv is instant operation or there is some magic happening in background (we have abort-clean-ruv). Maybe some sleep should be there, but this needs investigation.
>>>
>>> + assert(replica.hostname in result2.stdout_text), (
>>> + "The wrong RUV was deleted")
>>> + result3 = master.run_command(['ipa-replica-manage', 'list-ruv',
>>> + '-p', master.config.dirman_password])
>>> + assert(result3.stdout_text.count(replica.hostname) == 1), (
>>> + "CA RUV of the replica is still displayed")
>>>
>>
>> Based on my discussion with Stanislav Laznicka, I understood that by default clean-ruv does not return the shell until the operation is finished. You can force dropping into the shell by pressing CTRL+C, in which case the background job will still be running, but this is not the default behavior
>>
> Test failed:
>         result4 = master.run_command(['ipa-replica-manage', 'list-ruv',
>                                       '-p', master.config.dirman_password])
> >       assert(replica.hostname not in result4.stdout_text), (
>             "replica's RUV is still displayed")
> E       AssertionError: replica's RUV is still displayed
> E       assert 'replica3.ipa.test' not in 'Replica Update V...ipa.test:389: 8\n'
> E         'replica3.ipa.test' is contained here:
> E           Replica Update Vectors:
> E           \tmaster.ipa.test:389: 4
> E           \treplica3.ipa.test:389: 3
> E           \treplica2.ipa.test:389: 7
> E           Certificate Server Replica Update Vectors:
> E           \tmaster.ipa.test:389: 6
> E           \treplica2.ipa.test:389: 8
>
>
> [root at master ~]# ipa topologysegment-find
>   Suffix name: domain
> ------------------
> 2 segments matched
> ------------------
>   Segment name: master.ipa.test-to-replica2.ipa.test
>   Left node: master.ipa.test
>   Right node: replica2.ipa.test
>   Connectivity: both
>
>   Segment name: master.ipa.test-to-replica3.ipa.test
>   Left node: master.ipa.test
>   Right node: replica3.ipa.test
>   Connectivity: both
> ----------------------------
> Number of entries returned 2
> ----------------------------
> [root at master ~]# ipa-replica-manage list-ruv
> Directory Manager password:
>
> Replica Update Vectors:
>     master.ipa.test:389: 4
>     replica2.ipa.test:389: 7
>     replica3.ipa.test:389: 3
> Certificate Server Replica Update Vectors:
>     master.ipa.test:389: 6
>     replica2.ipa.test:389: 8
> [root at master ~]#
>
> Then I tried manually to clean RUV 3, and it behaves somehow odd
>
> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' 'Secret123' '-f'
> Clean the Replication Update Vector for replica3.ipa.test:389
> Background task created to clean replication data. This may take a while.
> This may be safely interrupted with Ctrl+C
> Cleanup task created
> [root at master ~]# less /var/log/dirsrv/slapd-IPA-TEST/errors
> [root at master ~]# ipa-replica-manage list-ruv
> Directory Manager password:
>
> Replica Update Vectors:
>     master.ipa.test:389: 4
>     replica2.ipa.test:389: 7
>     replica3.ipa.test:389: 3
> Certificate Server Replica Update Vectors:
>     master.ipa.test:389: 6
>     replica2.ipa.test:389: 8
> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' 'Secret123' '-f'
> Clean the Replication Update Vector for replica3.ipa.test:389
> CLEANALLRUV task for replica id 3 already exists.
> This may be safely interrupted with Ctrl+C
> Cleanup task created
>
> [root at master ~]# ipa-replica-manage list-clean-ruv -p Secret123
> No CLEANALLRUV tasks running
>
> No abort CLEANALLRUV tasks running
> [root at master ~]# 'ipa-replica-manage' 'clean-ruv' '3' '-p' 'Secret123' '-f'
> Clean the Replication Update Vector for replica3.ipa.test:389
> Background task created to clean replication data. This may take a while.
> This may be safely interrupted with Ctrl+C
> Cleanup task created
> [root at master ~]# ipa-replica-manage list-clean-ruv -p Secret123
> CLEANALLRUV tasks
> RID 3: Successfully cleaned rid(3).
>
> No abort CLEANALLRUV tasks running
> [root at master ~]# ipa-replica-manage list-ruv -p Secret123
> Replica Update Vectors:
>     master.ipa.test:389: 4
>     replica2.ipa.test:389: 7
> Certificate Server Replica Update Vectors:
>     master.ipa.test:389: 6
>     replica2.ipa.test:389: 8
>
>
> I'm not sure if this behavior is right, Ludwig may know.

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From freeipa-github-notification at redhat.com Tue Sep 13 08:16:12 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Tue, 13 Sep 2016 10:16:12 +0200
Subject: [Freeipa-devel] [freeipa PR#75] Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap (opened)

mirielka's pull request #75: "Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap" was opened

PR body:
"""
In test_ipaserver/test_ldap::test_ldap::test_GSSAPI a krb5 ccache is used to connect to ldap. The test tries to locate this cache in /tmp/krb5cc_$UID file, which is not there due to default settings in krb5.conf, and hence the whole test is skipped. Fix the test to use keyring to connect instead of ccache in /tmp.

https://fedorahosted.org/freeipa/ticket/6323
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/75
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/75/head:pr75
git checkout pr75
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-75.patch
Type: text/x-diff
Size: 2060 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Sep 13 08:17:43 2016
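The ipa-replica-manage list-ruv output quoted in Oleg Fayans's clean-ruv thread above has two sections (domain and Certificate Server), and the test under review told them apart only by a regex that ignores sections and by counting occurrences of the hostname. As an added example (illustration code, not FreeIPA's own), here is a parser that keeps the sections separate so a test can assert exactly which RUV is still present; SAMPLE_LIST_RUV is constructed from the output in that thread (the state after 'clean-ruv 3' reported success but replica3's domain RUV was still listed), and parse_list_ruv and stale_ruvs are hypothetical helper names.

```python
import re

# Constructed sample: the list-ruv output quoted in the thread above, taken
# after 'clean-ruv 3' had reported success but before the RUV went away.
SAMPLE_LIST_RUV = """\
Replica Update Vectors:
\tmaster.ipa.test:389: 4
\treplica2.ipa.test:389: 7
\treplica3.ipa.test:389: 3
Certificate Server Replica Update Vectors:
\tmaster.ipa.test:389: 6
\treplica2.ipa.test:389: 8
"""

# Section headers exactly as list-ruv prints them, mapped to short keys.
SECTION_NAMES = {
    "Replica Update Vectors:": "domain",
    "Certificate Server Replica Update Vectors:": "ca",
}

# One RUV entry: "<hostname>:<port>: <replica id>", with leading whitespace.
# The hostname is anchored to the whole line, so unlike the ".*%s:389: (\d+).*"
# pattern in the thread a hostname that is a substring of another cannot match.
ENTRY_RE = re.compile(r"^\s*(?P<host>[^\s:]+):(?P<port>\d+):\s+(?P<rid>\d+)\s*$")


def parse_list_ruv(text):
    """Return {"domain": {host: rid}, "ca": {host: rid}} from list-ruv output.

    Lines that are neither a section header nor an entry (for example the
    "Directory Manager password:" prompt) are ignored; an entry that appears
    before any section header is rejected as malformed output.
    """
    result = {name: {} for name in SECTION_NAMES.values()}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTION_NAMES:
            section = SECTION_NAMES[stripped]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        if section is None:
            raise ValueError("RUV entry outside of a section: %r" % line)
        result[section][m.group("host")] = int(m.group("rid"))
    return result


def stale_ruvs(text, hostname):
    """Return {section: rid} for every section in which hostname still has a RUV.

    An empty dict means the replica is fully cleaned, which is the condition
    the test in the thread approximated with a substring count.
    """
    parsed = parse_list_ruv(text)
    return {section: rids[hostname]
            for section, rids in parsed.items() if hostname in rids}


if __name__ == "__main__":
    print(parse_list_ruv(SAMPLE_LIST_RUV))
    print(stale_ruvs(SAMPLE_LIST_RUV, "replica3.ipa.test"))
```

With the sample above, stale_ruvs reports replica3.ipa.test only under "domain", which is the precise fact the failing assertion in the thread could not express: the CA RUV had been cleaned, the domain RUV had not.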
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Tue, 13 Sep 2016 10:17:43 +0200
Subject: [Freeipa-devel] [freeipa PR#76] Keep NSS trust flags of existing certificates (opened)

tomaskrizek's pull request #76: "Keep NSS trust flags of existing certificates" was opened

PR body:
"""
Backup and restore trust flags of existing certificates during CA installation. This prevents marking a previously trusted certificate as untrusted, as was the case when CA-less was converted to CA-full with external CA when using the same certificate.

https://fedorahosted.org/freeipa/ticket/5791
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/76
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/76/head:pr76
git checkout pr76
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-76.patch
Type: text/x-diff
Size: 1690 bytes
Desc: not available
URL:

From slaznick at redhat.com Tue Sep 13 10:56:59 2016
From: slaznick at redhat.com (Standa Laznicka)
Date: Tue, 13 Sep 2016 12:56:59 +0200
Subject: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies
In-Reply-To: <1473425894.31476.9.camel@redhat.com>
References: <1472225854.20746.104.camel@redhat.com> <1a254cbc-120f-1645-6a4e-20ef5563719f@redhat.com> <1472564054.5257.50.camel@redhat.com> <5b5e276d-8d3d-53cb-a4a4-fa285f0662d9@redhat.com> <457f0c25-b5ee-b827-1856-25345664670c@redhat.com> <881ae083-a320-430c-a25a-3f435628ccda@redhat.com> <1472735202.10392.7.camel@redhat.com> <1472743125.10392.25.camel@redhat.com> <20160903162508.GA13540@redhat.com> <1473425894.31476.9.camel@redhat.com>

On 09/09/2016 02:58 PM, Simo Sorce wrote:
> On Fri, 2016-09-09 at 13:14 +0200, Standa Laznicka wrote:
>> On 09/03/2016 06:25 PM, Jan Pazdziora wrote:
>>> On Thu, Sep 01, 2016 at 11:18:45AM -0400, Simo Sorce wrote:
>>>> The thing is we (and admins) will be stuck with old clients for a loong time, so we need to make it clear to them what works for what. We need to allow admins to create rules that work for both new and old clients w/o interfering with each other.
>>>> In your scheme there must be a way to create a set of rules such that old clients can login at any time while newer clients use time rules. That was easy to accomplish by adding an auxiliary class and simply defining a new type.
>>>> Old clients would see old stuff only, new clients would add time rules if present.
>>>> If we have 2 completely different objects because the admin has to create both, then old clients still care only for the old rule, new clients instead have an interesting challenge, what rule do they apply ?
>>> You use host groups to serve the old rule to old clients and time-based rule to new clients. Each client will apply the rule they see.
>>>
>>> If you happen to serve the old rule to the new client, access will be allowed no matter what the other, time-based rule says.
>>>
>>> You do not use magic to interpret one rule differently, one way on one version of client and other way on different client version.
>>>
>>>> How do you make sure a new client will enforce time restriction when it looks up the old rule as well ?
>>> You make sure the new client does not see the old rule.
>>>
>>>> Of course admins can always create very narrow host groups and apply rules only to them, but this is burdensome if you have a *lot* of clients and some other people are tasked to slowly upgrade them. It is possible though, so having 2 separate objects that new clients know about is potentially ok. I would prefer a scheme where they could be combined though for maximum flexibility with as little as possible ambiguity.
>>> I agree that managing separate host group membership might be an extra work. But it seems to be the only way to remove the ambiguity.
>>>
>> I also believe there's no way avoiding that (if we want to be somehow backward compatible).
>>
>> I would just love us to come to a consensus as I am growing weary of this discussion and am willing to go with just anything as long as it's somehow OK with most people. Could we therefore decide to go with something, please?
> As long as the tooling does not try to replace object classes I am ok with the solution most people agree on.
>
> Simo.
>
>

So, basically, we are back at accessRuleType usage, which I guess is kind of ok? We may either use its multi-valueness (is that a word?) or be setting it as flags (e.g. "tu" or "ut" for URI with time rules etc.). In the multi-valued case, when someone adds "allow" amongst the values, it will screw HBAC evaluation up (=> deny even if it's among allow rules for the given host) but I guess that's something we could live with. In the flag-case, the filters for obtaining the rules from IPA may seem rather ridiculous (substring match) and may be a very bad decision for future development. Also, anyone is able to add "allow" as another value but that would just be their fault.

In both cases, "allow" as an only value may be the default which states the rule may be evaluated even on older clients and SSSD just has to guess what the rule is capable of (which is OK with time rules as if there's none it means "always allow" should previous evaluation allow as well).

Please note that I rather included the rather "naive" flag implementation just to make sure to cover everything. We could just as well of course add something like "capabilities" attribute to ipaHBACRule object as another solution but that's starting to be an overkill IMO.

Standa

From freeipa-github-notification at redhat.com Tue Sep 13 12:54:26 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Tue, 13 Sep 2016 14:54:26 +0200
Subject: [Freeipa-devel] [freeipa PR#77] Tests: Update host test with ipa-join (opened)

mirielka's pull request #77: "Tests: Update host test with ipa-join" was opened

PR body:
"""
Updating path to ipa-join command to allow execution of test_xmlrpc/test_host::TestHostFalsePwdChange::test_join_host.

Fixing discrepancies in returned and checked attributes.

https://fedorahosted.org/freeipa/ticket/6326
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/77
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/77/head:pr77
git checkout pr77
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-77.patch
Type: text/x-diff
Size: 3166 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Sep 13 13:36:19 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 13 Sep 2016 15:36:19 +0200
Subject: [Freeipa-devel] [freeipa PR#66] [master, ipa-4-4] Tests: Add cleanup to integration trust tests (+pushed)

mirielka's pull request #66: "[master, ipa-4-4] Tests: Add cleanup to integration trust tests" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/66

From freeipa-github-notification at redhat.com Tue Sep 13 13:36:21 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 13 Sep 2016 15:36:21 +0200
Subject: [Freeipa-devel] [freeipa PR#66] [master, ipa-4-4] Tests: Add cleanup to integration trust tests (comment)

martbab commented on a pull request
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/b8240133866bb8fabd3962b44789a0315f2e7dd8
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/f27b064eeac0fece9cf79482c3971c971c7ef46d
"""

See the full comment at https://github.com/freeipa/freeipa/pull/66#issuecomment-246683023

From freeipa-github-notification at redhat.com Tue Sep 13 13:36:22 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 13 Sep 2016 15:36:22 +0200
Subject: [Freeipa-devel] [freeipa PR#66] [master, ipa-4-4] Tests: Add cleanup to integration trust tests (closed)

mirielka's pull request #66: "[master, ipa-4-4] Tests: Add cleanup to integration trust tests" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/66
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/66/head:pr66
git checkout pr66

From freeipa-github-notification at redhat.com Tue Sep 13 13:38:13 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 13 Sep 2016 15:38:13 +0200
Subject: [Freeipa-devel] [freeipa PR#70] [master, ipa-4-4] Tests: Fix failing ldap.backend test (+pushed)

mirielka's pull request #70: "[master, ipa-4-4] Tests: Fix failing ldap.backend test" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/70

From freeipa-github-notification at redhat.com Tue Sep 13 13:38:14 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 13 Sep 2016 15:38:14 +0200
Subject: [Freeipa-devel] [freeipa PR#70] [master, ipa-4-4] Tests: Fix failing ldap.backend test (comment)

martbab commented on a pull request
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/8c6f677a166d01a120e6b2a9361d7e5d3888c1c7
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/0670721ae34f50b93befd4d59737a8991f33c6f7
"""

See the full comment at https://github.com/freeipa/freeipa/pull/70#issuecomment-246683564

From freeipa-github-notification at redhat.com Tue Sep 13 13:38:15 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 13 Sep 2016 15:38:15 +0200
Subject: [Freeipa-devel] [freeipa PR#70] [master, ipa-4-4] Tests: Fix failing ldap.backend test (closed)

mirielka's pull request #70: "[master, ipa-4-4] Tests: Fix failing ldap.backend test" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/70
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/70/head:pr70
git checkout pr70

From mbabinsk at redhat.com Tue Sep 13 15:23:21 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 13 Sep 2016 17:23:21 +0200
Subject: [Freeipa-devel] [PATCH] 0108 cert-request: raise error when request fails
References: <20160908020025.GW11489@dhcp-40-8.bne.redhat.com> <20160908235342.GY11489@dhcp-40-8.bne.redhat.com>
Message-ID: <98b18849-8abc-34c3-267f-d12ce8d902e0@redhat.com>

On 09/09/2016 11:30 AM, Lenka Doudova wrote:
>
> On 09/09/2016 01:53 AM, Fraser Tweedale wrote:
>> On Thu, Sep 08, 2016 at 01:15:03PM +0200, Martin Babinsky wrote:
>>> On 09/08/2016 04:00 AM, Fraser Tweedale wrote:
>>>> The attached patch fixes a regression in cert-request:
>>>> https://fedorahosted.org/freeipa/ticket/6309
>>>>
>>>> Thanks,
>>>> Fraser
>>>>
>>> ACK. Does this patch also fix the (reopened)
>>> https://fedorahosted.org/freeipa/ticket/3473 ?
>>>
>> It does not. There's much more work to do on #3473. It has only
>> been a little bit done because I needed to switch
>> ra.request_certificate to REST API so we can properly detect failure
>> due to CA-disabled condition.
>>
>> Thanks,
>> Fraser
>>
> Hi,
> just a note - this needs to be pushed to both master and ipa-4-4 branches.
> Thanks,
> Lenka
>

Pushed to:
master: 1f1c93d2b5023f8d491252c605dbcf05c8ecc7e3
ipa-4-4: a7de75808c79186f72c4a32bd04434639fa947fd

--
Martin^3 Babinsky

From freeipa-github-notification at redhat.com Tue Sep 13 16:05:38 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 13 Sep 2016 18:05:38 +0200
Subject: [Freeipa-devel] [freeipa PR#78] Fix Ip-addr validation (opened)

mbasti-rh's pull request #78: "Fix Ip-addr validation" was opened

PR body:
"""
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/78
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/78/head:pr78
git checkout pr78
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-78.patch
Type: text/x-diff
Size: 16285 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Sep 13 16:06:00 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 13 Sep 2016 18:06:00 +0200
Subject: [Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (opened)

martbab's pull request #79: "trust-fetch-domains: contact forest DCs when fetching trust domain info" was opened

PR body:
"""
The code should always contact forest root DCs when requesting trust domain info. In the case of one-way or external trusts the `com.redhat.idm.trust-fetch-domains` helper is leveraged; otherwise the forest root domain is contacted directly through Samba using the credentials of the HTTP principal.

https://fedorahosted.org/freeipa/ticket/6328
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/79
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/79/head:pr79
git checkout pr79
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-79.patch
Type: text/x-diff
Size: 2458 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Sep 13 16:09:12 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 13 Sep 2016 18:09:12 +0200
Subject: [Freeipa-devel] [freeipa PR#78] Fix Ip-addr validation (synchronize)

mbasti-rh's pull request #78: "Fix Ip-addr validation" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/78
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/78/head:pr78
git checkout pr78
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-78.patch
Type: text/x-diff
Size: 13430 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Sep 13 16:56:55 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 13 Sep 2016 18:56:55 +0200
Subject: [Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (opened)

martbab's pull request #80: "ipa passwd: use correct normalizer for user principals" was opened

PR body:
"""
Commit c2af032c0333f7e210c54369159d1d9f5e3fec74 introduced a regression in the handling of user principals supplied to the `ipa passwd` command. This patch restores the original behavior which lowercases the username portion of the principal.

https://fedorahosted.org/freeipa/ticket/6329
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/80
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/80/head:pr80
git checkout pr80
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-80.patch
Type: text/x-diff
Size: 1867 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Sep 13 17:17:46 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 13 Sep 2016 19:17:46 +0200
Subject: [Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (opened)

mbasti-rh's pull request #81: "Fix emptyzones dns upgrade" was opened

PR body:
"""
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/81
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/81/head:pr81
git checkout pr81
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-81.patch
Type: text/x-diff
Size: 3429 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Sep 14 06:48:51 2016
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Wed, 14 Sep 2016 08:48:51 +0200
Subject: [Freeipa-devel] [freeipa PR#50] Add cert checks in ipa-server-certinstall (comment)

flo-renaud commented on a pull request
"""
Bump for review
"""

See the full comment at https://github.com/freeipa/freeipa/pull/50#issuecomment-246921696

From freeipa-github-notification at redhat.com Wed Sep 14 07:29:49 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Sep 2016 09:29:49 +0200
Subject: [Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (synchronize)

mbasti-rh's pull request #81: "Fix emptyzones dns upgrade" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/81
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/81/head:pr81
git checkout pr81
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-81.patch
Type: text/x-diff
Size: 3429 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Sep 14 07:32:06 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Sep 2016 09:32:06 +0200
Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (+ack)

ofayans's pull request #52: "Removed incorrect check for returncode" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/52

From freeipa-github-notification at redhat.com Wed Sep 14 07:38:52 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 14 Sep 2016 09:38:52 +0200
Subject: [Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (comment)

abbra commented on a pull request
"""
Looks good, thanks!
"""

See the full comment at https://github.com/freeipa/freeipa/pull/80#issuecomment-246931189

From freeipa-github-notification at redhat.com Wed Sep 14 07:38:59 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 14 Sep 2016 09:38:59 +0200
Subject: [Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (+ack)

martbab's pull request #80: "ipa passwd: use correct normalizer for user principals" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/80

From freeipa-github-notification at redhat.com Wed Sep 14 07:47:51 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Sep 2016 09:47:51 +0200
Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment)

mbasti-rh commented on a pull request
"""
**Removed incorrect check for returncode**

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/22b0e8a9eb9eb3d47131c6784d70dd409d5b889b
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/e265853d055caf7e3d17316eee6e25aa26bbf2a9
"""

See the full comment at https://github.com/freeipa/freeipa/pull/52#issuecomment-246933097

From freeipa-github-notification at redhat.com Wed Sep 14 07:50:06 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Sep 2016 09:50:06 +0200
Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment)

mbasti-rh commented on a pull request
"""
**Several fixes in replica_promotion tests**

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/39c15ecdcdcbc2a0b651b0f89080789dd806e998
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/cd6adafbf699da48ab877e77ac9c1cc1dd26bf61
"""

See the full comment at https://github.com/freeipa/freeipa/pull/52#issuecomment-246933583

From freeipa-github-notification at redhat.com Wed Sep 14 07:53:13 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Sep 2016 09:53:13 +0200
Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment)

mbasti-rh commented on a pull request
"""
**Changed addressing to the client hosts to be replicas**

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ac78d191ded6721cf1051413cdd6862c0362e66b
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/de4a1fc0df5474f268c7ed08ffb802110631c13f
ipa-4-3:
https://fedorahosted.org/freeipa/changeset/8ed4a4ba6392deb7972ddc07593d649926065c72
"""

See the full comment at https://github.com/freeipa/freeipa/pull/52#issuecomment-246934259

From freeipa-github-notification at redhat.com Wed Sep 14 07:54:49 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Sep 2016 09:54:49 +0200
Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment)

mbasti-rh commented on a pull request
"""
**Xfailed the tests due to a known bug with replica preparation**

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/1e484d010b653b8ac06425ca602ba5c9e950ed89
"""

See the full comment at https://github.com/freeipa/freeipa/pull/52#issuecomment-246934600

From freeipa-github-notification at redhat.com Wed Sep 14 07:54:52 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Sep 2016 09:54:52 +0200
Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (+pushed)

ofayans's pull request #52: "Removed incorrect check for returncode" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/52

From freeipa-github-notification at redhat.com Wed Sep 14 07:59:21 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 14 Sep 2016 09:59:21 +0200
Subject: [Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (comment)

abbra commented on a pull request
"""
LGTM. We discussed the placement of populate_remote_domain() but decided to keep it there.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/79#issuecomment-246935619

From freeipa-github-notification at redhat.com Wed Sep 14 07:59:30 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 14 Sep 2016 09:59:30 +0200
Subject: [Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (+ack)

martbab's pull request #79: "trust-fetch-domains: contact forest DCs when fetching trust domain info" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/79

From freeipa-github-notification at redhat.com Wed Sep 14 08:38:44 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 14 Sep 2016 10:38:44 +0200
Subject: [Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (+pushed)

martbab's pull request #79: "trust-fetch-domains: contact forest DCs when fetching trust domain info" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/79

From freeipa-github-notification at redhat.com Wed Sep 14 08:38:46 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 14 Sep 2016 10:38:46 +0200
Subject: [Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (closed)

martbab's pull request #79: "trust-fetch-domains: contact forest DCs when fetching trust domain info" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/79
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/79/head:pr79
git checkout pr79

From freeipa-github-notification at redhat.com Wed Sep 14 08:38:47 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 14 Sep 2016 10:38:47 +0200
Subject: [Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (comment)

martbab commented on a pull request
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/b0d40b80e8d9a4960296ce70d843ad987657696b
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/6755cbbc3346910bcd4be1577351cc15ab7d3140
"""

See the full comment at https://github.com/freeipa/freeipa/pull/79#issuecomment-246944496

From ofayans at redhat.com Wed Sep 14 08:43:25 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 14 Sep 2016 10:43:25 +0200
Subject: [Freeipa-devel] [Test][patch-0058] Fixed topology tests failures in CI
In-Reply-To: <3f44586e-2edc-7c36-dc82-45d1dd8e291c@redhat.com>
References: <57AB735A.3000101@redhat.com> <57ADD39F.8050409@redhat.com> <5beb66d0-62d4-1940-79be-4bcf16a140aa@redhat.com> <2c50265e-40fb-2243-5a19-72627060370f@redhat.com> <3f44586e-2edc-7c36-dc82-45d1dd8e291c@redhat.com>
Message-ID: <63f702db-13c8-15cc-8bfa-9af7c78d6baa@redhat.com>

Again ping for review, please; it completely blocks the whole job.

On 09/07/2016 03:27 PM, Oleg Fayans wrote:
> ping for review
>
> On 08/24/2016 01:58 PM, Oleg Fayans wrote:
>> And here is what the run looks like:
>>
>> $ ipa-run-tests test_integration/test_topology.py
>> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
>> Permission denied: 'lextab.py'
>> WARNING: yacc table file version is out of date
>> WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
>> denied: 'yacctab.py'
>> ================================ test session starts =================================
>> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
>> plugins: sourceorder-0.5, multihost-1.0
>> collected 3 items
>>
>> test_integration/test_topology.py ..x
>>
>> ======================= 2 passed, 1 xfailed in 1558.66 seconds =======================
>>
>> On 08/12/2016 04:05 PM, Martin Basti wrote:
>>>
>>> On 12.08.2016 15:48, Oleg Fayans wrote:
>>>> Hi Martin,
>>>>
>>>> On 08/11/2016 10:05 AM, Martin Basti wrote:
>>>>>
>>>>> On 10.08.2016 20:32, Oleg Fayans wrote:
>>>>>>
>>>>> Hello,
>>>>>
>>>>> before we jump into fixing tests, my question is: Was this a planned
>>>>> change not reflected by the test, or are the switched values an unwanted side
>>>>> effect and thus a bug for us?
>>>>
>>>> That's a marvelous question! The test used to pass, which means that
>>>> at some point the convention of naming the segments must have changed.
>>>> Is it a bug? I do not think so: the feature still works as expected.
>>>
>>> Ludwig, do you know details about this change, why positions of server
>>> names in the topology name are different than they used to be?
>>>
>>>>>
>>>>> The ticket contains almost no info, except a traceback, and it says
>>>>> nothing.
>>>>> The commit message says at least something.
>>>>>
>>>>> I'm not sure if this patch fixes that ticket, because the traceback in
>>>>> the test shows the error message that "removal of segment will disconnect
>>>>> topology", but this patch only swaps the order of replica names in the
>>>>> segment name. I would expect that you should get a different error,
>>>>> something like segment does not exist.
>>>> Which I do get in jenkins job N 37: "segment not found"
>>>>
>>>> In fact, the error in the issue is unrelated to the fix, you are right.
>>>> To tell the truth, I just put a random error from one of the jenkins
>>>> topology testruns into the issue.
>>> This is a very good way to report tickets:
>>> * nobody knows what happened
>>> * nobody can search in current tickets for what is wrong without a proper
>>> description
>>> * developers cannot investigate the issue, because there is not even the name of
>>> the exact test in the ticket, no steps to reproduce, nothing
>>> * without proper tickets it is hard to backport patches correctly, if the
>>> patch fixes a different issue than is reported
>>>
>>> I'm closing the ticket as invalid, please follow
>>> http://www.chiark.greenend.org.uk/~sgtatham/bugs.html and file a new
>>> proper ticket.
>>>
>>>> This particular error message was caused by a previous replica
>>>> installation failure, which resulted in only one segment existing
>>>> instead of three:
>>>> master <-> replica1
>>>> instead of:
>>>> master <-> replica1,
>>>> master <-> replica2
>>>> replica1 <-> replica2
>>>>
>>>> In fact the patch supplied fixes 2 tests at once:
>>>> The first test tries to remove the non-existing segment master <->
>>>> replica2 and fails; the second test expects the line topology
>>>> master <-> replica1 <-> replica2.
>>>> It removes the connection between replica1 and replica2, expects the
>>>> operation to fail, but it does not because the connection between
>>>> master and replica2 exists.
>>>>
>>>> the output from the testrun with the patch applied:
>>>>
>>>> -bash-4.3$ ipa-run-tests test_integration/test_topology.py --pdb
>>>> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
>>>> Permission denied: 'lextab.py'
>>>> WARNING: yacc table file version is out of date
>>>> WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
>>>> denied: 'yacctab.py'
>>>> ================================ test session starts =================================
>>>> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
>>>> plugins: sourceorder-0.5, multihost-1.0
>>>> collected 3 items
>>>>
>>>> test_integration/test_topology.py ...
>>>>
>>>> ============================ 3 passed in 2156.82 seconds =============================
>>>>
>>> I don't care about test output as long as there is no valid description of the
>>> problem; fixing the test may just cover a real issue.
>>> Martin^2
>>>>>
>>>>> Martin^2
>>>>>
>>>>
>>>
>>
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From ofayans at redhat.com Wed Sep 14 08:50:49 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 14 Sep 2016 10:50:49 +0200
Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
References: <57723947.2090508@redhat.com> <5772622C.9000205@redhat.com> <579FB51F.6030808@redhat.com> <98a90ec8-fa79-dd36-57dc-053204c29506@redhat.com> <57A07FE4.8000904@redhat.com>

Ping for review.

On 09/06/2016 01:57 PM, Oleg Fayans wrote:
> The test is updated to clean up after itself
>
> On 09/06/2016 12:57 PM, Oleg Fayans wrote:
>> Hi Martin,
>>
>> Thanks for the review. The updated patches are attached. Please, see my
>> comments below
>>
>> On 08/30/2016 01:58 PM, Martin Basti wrote:
>>>
>>> On 22.08.2016 13:18, Oleg Fayans wrote:
>>>> ping for review
>>>>
>>>> On 08/02/2016 01:11 PM, Oleg Fayans wrote:
>>>>> Hi Martin,
>>>>>
>>>>> I did! Thank you!
>>>>>
>>>>> On 08/02/2016 12:31 PM, Martin Basti wrote:
>>>>>>
>>>>>> On 01.08.2016 22:46, Oleg Fayans wrote:
>>>>>>> The test was redesigned so that it actually tests against an AD
>>>>>>> user.
>>>>>>> cleanly applies, passes lint and passes
>>>>>>>
>>>>>>> https://paste.fedoraproject.org/399504/00843641/
>>>>>>
>>>>>> Okay
>>>>>>
>>>>>> Did you forget to send patches?
>>>>>>
>>>>>> Martin^2
>>>>>>>
>>>>>>> On 06/28/2016 01:40 PM, Oleg Fayans wrote:
>>>>>>>> Patch-0050 rebased against latest upstream branch
>>>>>>>>
>>>>>>>> On 06/28/2016 10:45 AM, Oleg Fayans wrote:
>>>>>>>>> Passing test output:
>>>>>>>>>
>>>>>>>>> https://paste.fedoraproject.org/385774/71035231/
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>> NACK for 0049.1
>>>
>>> 1)
>>> PEP8: you must use 2 empty lines between functions
>>
>> Fixed
>>
>>>
>>> 2)
>>> +        new_args = " ".join(new_args + args)
>>>
>>> you don't need this, run_command takes a list as argument too
>>> new_args.extend(args)
>>
>> The list-based approach does not work with shell redirects which are
>> heavily used in the certs_id_idoverrides test. Thus, this trick is
>> really needed
>>
>>>
>>> 3)
>>> To make it more usable you should add raiseonerr as kwarg to
>>> run_certutil (True as default)
>>
>> Done
>>
>>>
>>> NACK for 0050.2
>>>
>>> 1)
>>> +        tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>',
>>> +                                    cls.adcert1_file], cls.reqdir)
>>> +        tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>',
>>> +                                    cls.adcert2_file], cls.reqdir)
>>>
>>> IMO this should raise an error if it fails, but previously you set
>>> raiseonerr=False (multiple times)
>>
>> Agreed. Done
>>
>>>
>>> 2)
>>> +        cls.ad = cls.ad_domains[0].ads[0]
>>> +        cls.ad_domain = cls.ad.domain.name
>>> +        cls.aduser = "testuser@%s" % cls.ad_domain
>>> +        cls.adcert1 = 'MyCert1'
>>> +        cls.adcert2 = 'MyCert2'
>>> +        cls.adcert1_file = cls.adcert1 + '.crt'
>>> +        cls.adcert2_file = cls.adcert2 + '.crt'
>>>
>>> New definitions of variables/constants should be directly in the class, not
>>> in the install method; adding new class variables in a classmethod is the same
>>> evil as adding instance variables outside __init__
>>
>> Fair point. Fixed
>>
>>>
>>> 3)
>>> I have a question, why do you need AD for this test? AFAIK you can use ID
>>> overrides without AD
>>
>> Correct. You can, but the workflow would be slightly different. For
>> example, you can not issue and sign cert requests for AD users the way
>> you would do it for local users. We want to have tests that can be taken
>> by end-users as an example of how to use our software, that's why it is better
>> to be as close to real-world use-cases as possible.
>>
>>>
>>> Martin^3
>>>
>>
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From freeipa-github-notification at redhat.com Wed Sep 14 10:24:56 2016
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 14 Sep 2016 12:24:56 +0200
Subject: [Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (comment)

lslebodn commented on a pull request
"""
Test passed on fedora 24 + freeipa-4_4.
ACK
"""

See the full comment at https://github.com/freeipa/freeipa/pull/27#issuecomment-246969936

From freeipa-github-notification at redhat.com Wed Sep 14 10:48:03 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Sep 2016 12:48:03 +0200
Subject: [Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (+ack)

mirielka's pull request #27: "[master, ipa-4-3] Tests: Fix integration sudo tests setup and checks" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/27

From freeipa-github-notification at redhat.com Wed Sep 14 10:49:33 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Sep 2016 12:49:33 +0200
Subject: [Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (+pushed)

mirielka's pull request #27: "[master, ipa-4-3] Tests: Fix integration sudo tests setup and checks" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/27

From freeipa-github-notification at redhat.com Wed Sep 14 10:49:34 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Sep 2016 12:49:34 +0200
Subject: [Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (comment)

mbasti-rh commented on a pull request
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/7cac8392036bf6d6bbd74f5a781986dec21149d6
ipa-4-3:
https://fedorahosted.org/freeipa/changeset/6d04220dc3071782cf303b2e94e06da4ee26e512
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/32a6528dade8a6bcf1be2885b0ae714669a06d62
"""

See the full comment at https://github.com/freeipa/freeipa/pull/27#issuecomment-246975562

From freeipa-github-notification at redhat.com Wed Sep 14 10:49:36 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Sep 2016 12:49:36 +0200
Subject: [Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (closed)

mirielka's pull request #27: "[master, ipa-4-3] Tests: Fix integration sudo tests setup and checks" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/27
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/27/head:pr27
git checkout pr27

From freeipa-github-notification at redhat.com Wed Sep 14 10:57:57 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Sep 2016 12:57:57 +0200
Subject: [Freeipa-devel] [freeipa PR#82] Fix regexp in user/group name (opened)
Message-ID:

mbasti-rh's pull request #82: "Fix regexp in user/group name" was opened

PR body:
"""
Regexp should not enforce length of string, we have different checks for that.
Secondly regexp with length specified produces an incorrect error message.

https://fedorahosted.org/freeipa/ticket/5822
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/82
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/82/head:pr82
git checkout pr82
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-82.patch
Type: text/x-diff
Size: 1628 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Sep 14 11:09:13 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 14 Sep 2016 13:09:13 +0200
Subject: [Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (+pushed)
In-Reply-To:
References:
Message-ID:

martbab's pull request #80: "ipa passwd: use correct normalizer for user principals" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/80

From freeipa-github-notification at redhat.com Wed Sep 14 11:09:15 2016
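The separation that the PR #82 body argues for, shown as an added example rather than FreeIPA's own validator: the pattern, the 32-character limit and the error messages below are constructed for illustration and are not the project's actual regexp, limit or wording. With the length folded into the pattern, an over-long name made of perfectly valid characters is reported as an invalid-character problem; with the two checks split, each failure gets the message that describes it.

```python
import re

# Constructed pattern for a POSIX-style account name: first character a
# letter or underscore, then letters, digits, '_', '.', '-', and an
# optional trailing '$'. Illustration only, not FreeIPA's own regexp.
NAME_CHARS = re.compile(r'[a-z_][a-z0-9_.-]*\$?')

# Assumed length limit for this example (FreeIPA's limit is not reproduced).
NAME_MAXLEN = 32

# The "before" shape: the same character rules with the limit folded into
# the quantifier, so one pattern fails for two unrelated reasons.
NAME_CHARS_WITH_LEN = re.compile(r'[a-z_][a-z0-9_.-]{0,31}\$?')

CHARS_MSG = "may only include letters, numbers, _, -, . and $"
LENGTH_MSG = "can be at most %d characters" % NAME_MAXLEN


def validate_name_combined(name):
    """Length enforced by the regexp: returns None or an error message.

    A 40-character name of valid characters fails the match and is
    reported as a character problem, which is the wrong message.
    """
    if NAME_CHARS_WITH_LEN.fullmatch(name) is None:
        return CHARS_MSG
    return None


def validate_name(name):
    """Character set and length checked separately: None or a message.

    The regexp answers only "are these characters allowed?"; the length
    check answers "is it short enough?", so each failure is named correctly.
    """
    if NAME_CHARS.fullmatch(name) is None:
        return CHARS_MSG
    if len(name) > NAME_MAXLEN:
        return LENGTH_MSG
    return None


def compare(names):
    """Run both validators over candidate names: {name: (combined, split)}."""
    return {n: (validate_name_combined(n), validate_name(n)) for n in names}


if __name__ == "__main__":
    for name, (combined, split) in compare(
            ["alice", "a" * 40, "Bad!", "svc-account$"]).items():
        print("%-45r combined=%r split=%r" % (name, combined, split))
```

Running the block prints the 40-character name once with the misleading character-set message from the combined pattern and once with the length message from the split checks; the other three names are judged the same way by both.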
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 14 Sep 2016 13:09:15 +0200 Subject: [Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (comment) In-Reply-To: References: Message-ID: martbab commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/f3f9087ee8d1b1531730cf1e91fe404092e8c81d ipa-4-4: https://fedorahosted.org/freeipa/changeset/0fe08fdce78b8a26cae1ad238cfea20fe86b8332 """ See the full comment at https://github.com/freeipa/freeipa/pull/80#issuecomment-246979841 From freeipa-github-notification at redhat.com Wed Sep 14 11:09:16 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 14 Sep 2016 13:09:16 +0200 Subject: [Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (closed) In-Reply-To: References: Message-ID: martbab's pull request #80: "ipa passwd: use correct normalizer for user principals" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/80 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/80/head:pr80 git checkout pr80 From freeipa-github-notification at redhat.com Wed Sep 14 11:58:53 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 14 Sep 2016 13:58:53 +0200 Subject: [Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (closed) In-Reply-To: References: Message-ID: ofayans's pull request #52: "Removed incorrect check for returncode" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/52 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/52/head:pr52 git checkout pr52 From freeipa-github-notification at redhat.com Wed Sep 14 12:52:58 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 14 Sep 2016 14:52:58 +0200 Subject: [Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (+ack) In-Reply-To: References: Message-ID: mbasti-rh's pull request #81: "Fix emptyzones dns upgrade" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/81 From freeipa-github-notification at redhat.com Wed Sep 14 12:57:29 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 14 Sep 2016 14:57:29 +0200 Subject: [Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (+pushed) In-Reply-To: References: Message-ID: mbasti-rh's pull request #81: "Fix emptyzones dns upgrade" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/81 From freeipa-github-notification at redhat.com Wed Sep 14 12:57:31 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 14 Sep 2016 14:57:31 +0200 Subject: [Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (comment) In-Reply-To: References: Message-ID: martbab commented on a pull request """ Fixed upstream ipa-4-3: https://fedorahosted.org/freeipa/changeset/2d011b97c8a56d9eabae2ca3d88c30314e0adb58 https://fedorahosted.org/freeipa/changeset/93756dc719723bbec93497ecd6e06e325e6eecbd ipa-4-4: https://fedorahosted.org/freeipa/changeset/afeb4bd8a6039173c24201803f1253fae2529a83 https://fedorahosted.org/freeipa/changeset/e39cc53d90175e3cae6805302f318a96bc0e1af1 master: https://fedorahosted.org/freeipa/changeset/22fd6f020940b5b2a1258f8e0e6058c95f7a1ba5 https://fedorahosted.org/freeipa/changeset/271a4f098230112ee0e3ea3ffb3a509977ee7330 """ See the full comment at https://github.com/freeipa/freeipa/pull/81#issuecomment-247004156 From freeipa-github-notification at redhat.com Wed Sep 14 12:57:32 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 14 Sep 2016 14:57:32 +0200 Subject: [Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (closed) In-Reply-To: References: Message-ID: mbasti-rh's pull request #81: "Fix emptyzones dns upgrade" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/81 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/81/head:pr81 git checkout pr81 From freeipa-github-notification at redhat.com Wed Sep 14 13:30:30 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 14 Sep 2016 15:30:30 +0200 Subject: [Freeipa-devel] [freeipa PR#78] Fix Ip-addr validation (+ack) In-Reply-To: References: Message-ID: mbasti-rh's pull request #78: "Fix Ip-addr validation" label *ack* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/78 From freeipa-github-notification at redhat.com Wed Sep 14 13:32:24 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 14 Sep 2016 15:32:24 +0200 Subject: [Freeipa-devel] [freeipa PR#78] Fix Ip-addr validation (comment) In-Reply-To: References: Message-ID: dkupka commented on a pull request """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/1c96ff7a6c7e1733a6492f9b3c93265f5bc8ff5b https://fedorahosted.org/freeipa/changeset/cd2c10d7ca97ffc76682159ad58161eab413532d https://fedorahosted.org/freeipa/changeset/d13a4c2f395c08b514a51a19eaad3fa7d32e7538 ipa-4-4: https://fedorahosted.org/freeipa/changeset/dee950d88ec969b36c1271a3ef9fe4e4f5b48b01 https://fedorahosted.org/freeipa/changeset/b7fcbe9a59cbb748087f8f2b29511d2ead484e1c https://fedorahosted.org/freeipa/changeset/bb2c1790ea14381fa3e0f6ab11484300a2bcb746 """ See the full comment at https://github.com/freeipa/freeipa/pull/78#issuecomment-247013555 From freeipa-github-notification at redhat.com Wed Sep 14 13:32:26 2016 
From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 14 Sep 2016 15:32:26 +0200 Subject: [Freeipa-devel] [freeipa PR#78] Fix Ip-addr validation (+pushed) In-Reply-To: References: Message-ID: mbasti-rh's pull request #78: "Fix Ip-addr validation" label *pushed* has been added See the full pull-request at https://github.com/freeipa/freeipa/pull/78 From freeipa-github-notification at redhat.com Wed Sep 14 13:32:27 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 14 Sep 2016 15:32:27 +0200 Subject: [Freeipa-devel] [freeipa PR#78] Fix Ip-addr validation (closed) In-Reply-To: References: Message-ID: mbasti-rh's pull request #78: "Fix Ip-addr validation" was closed See the full pull-request at https://github.com/freeipa/freeipa/pull/78 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/78/head:pr78 git checkout pr78 From mbasti at redhat.com Wed Sep 14 15:30:38 2016 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 14 Sep 2016 17:30:38 +0200 Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test In-Reply-To: References: <57723947.2090508@redhat.com> <5772622C.9000205@redhat.com> <579FB51F.6030808@redhat.com> <98a90ec8-fa79-dd36-57dc-053204c29506@redhat.com> <57A07FE4.8000904@redhat.com> Message-ID: <2b0ed7fe-f0bc-7137-bdc1-b0758ffe9cd6@redhat.com> On 06.09.2016 13:57, Oleg Fayans wrote: > The test is updated to clean up after itself > > On 09/06/2016 12:57 PM, Oleg Fayans wrote: >> Hi Martin, >> >> Thanks for the review. The updated patches are attached. Please, see my >> comments below >> >> On 08/30/2016 01:58 PM, Martin Basti wrote: >>> >>> >>> On 22.08.2016 13:18, Oleg Fayans wrote: >>>> ping for review >>>> >>>> On 08/02/2016 01:11 PM, Oleg Fayans wrote: >>>>> Hi Martin, >>>>> >>>>> I did! Thank you! >>>>> >>>>> On 08/02/2016 12:31 PM, Martin Basti wrote: >>>>>> >>>>>> >>>>>> On 01.08.2016 22:46, Oleg Fayans wrote: >>>>>>> The test was redesigned so that it actually tests against an AD >>>>>>> user. >>>>>>> cleanly applies, passes lint and passes >>>>>>> >>>>>>> https://paste.fedoraproject.org/399504/00843641/ >>>>>> >>>>>> Okay >>>>>> >>>>>> Did you forget to send patches? 
>>>>>>
>>>>>> Martin^2
>>>>>>>
>>>>>>>
>>>>>>> On 06/28/2016 01:40 PM, Oleg Fayans wrote:
>>>>>>>> Patch-0050 rebased against latest upstream branch
>>>>>>>>
>>>>>>>> On 06/28/2016 10:45 AM, Oleg Fayans wrote:
>>>>>>>>> Passing test output:
>>>>>>>>>
>>>>>>>>> https://paste.fedoraproject.org/385774/71035231/
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>> NACK for 0049.1
>>>
>>> 1)
>>> PEP8: you must use 2 empty lines between functions
>>
>> Fixed
>>
>>>
>>> 2)
>>> + new_args = " ".join(new_args + args)
>>>
>>> you don't need this, run_command takes list as argument too
>>> new_args.extend(args)
>>
>> The list-based approach does not work with shell redirects which are
>> heavily used in the certs_id_idoverrides test. Thus, this trick is
>> really needed
>>
>>>
>>> 3)
>>> To make it more usable you should add raiseonerr as kwarg to
>>> run_certutil (True as default)
>>
>> Done
>>
>>>
>>> NACK for 0050.2
>>>
>>> 1)
>>> + tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a',
>>> '>',
>>> + cls.adcert1_file], cls.reqdir)
>>> + tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a',
>>> '>',
>>> + cls.adcert2_file], cls.reqdir)
>>>
>>> IMO this should raise an error if failed, but previously you set
>>> raiseonerr=False (multiple times)
>>
>> Agreed. Done
>>
>>>
>>> 2)
>>> + cls.ad = cls.ad_domains[0].ads[0]
>>> + cls.ad_domain = cls.ad.domain.name
>>> + cls.aduser = "testuser@%s" % cls.ad_domain
>>> + cls.adcert1 = 'MyCert1'
>>> + cls.adcert2 = 'MyCert2'
>>> + cls.adcert1_file = cls.adcert1 + '.crt'
>>> + cls.adcert2_file = cls.adcert2 + '.crt'
>>>
>>> New definitions of variables/constants should be directly in class not
>>> in install method, adding new class variables in classmethod is the
>>> same
>>> evil as adding instance variables outside __init__
>>
>> Fair point. Fixed
>>
>>>
>>> 3)
>>> I have question, why do you need AD for this test? AFAIK you can use ID
>>> overrides without AD
>>
>> Correct.
You can, but the workflow would be slightly different. For
>> example, you can not issue and sign cert requests for AD-users the way
>> you would do it for local users. We want to have tests that can be taken
>> by end-users as example how to use our software, that's why it is better
>> to be as close to real-world use-cases as it is possible.
>>
>>>
>>> Martin^3
>>>
>>
>>
>>
>
>
>

1)
I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side?

2)
The test itself looks for me as just API/CLI test. IMO it can be in ipatests/test_xmlrpc/test_idviews_plugin.py or ipatests/test_xmlrpc/test_add_remove_cert_cmd.py

3)
I don't see any integration with SSSD in that test, just pure IPA CLI test, shouldn't be this tested against SSSD here?

Martin^2

From abokovoy at redhat.com Wed Sep 14 15:41:19 2016
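One way to satisfy review items 2 and 3 of the 0049/0050 exchange quoted above (take a list of arguments instead of joining them into a shell string, and expose raiseonerr with True as the default) while still supporting the `-L -n NICK -a > NICK.crt` export the test relies on. This is an added example, not the reviewed patch and not FreeIPA's tasks.run_certutil: it runs certutil as a local subprocess rather than on a remote host object, writes the captured stdout to the requested file itself instead of relying on a shell redirect, and the certutil_cmd parameter, the ECHO_ARGV/FAIL_CMD stand-ins and demo() are hypothetical additions so the helper can be exercised on a machine without NSS installed.

```python
import os
import subprocess
import sys
import tempfile
from collections import namedtuple

CmdResult = namedtuple("CmdResult", "returncode stdout stderr")

# Stand-ins for certutil (hypothetical, for demo() and tests only): one
# echoes its argv one entry per line, the other exits non-zero.
ECHO_ARGV = (sys.executable, "-c",
             "import sys; print('\\n'.join(sys.argv[1:]))")
FAIL_CMD = (sys.executable, "-c", "import sys; sys.exit(2)")


def run_command(args, raiseonerr=True, stdout_file=None):
    """Run a command given as an argument list, never through a shell.

    Each list element reaches the program as exactly one argv entry, so
    spaces, quotes, '>' or ';' inside a nickname are passed literally.
    The redirect that the joined-string form expressed with '>' is done
    here by writing the captured stdout to ``stdout_file``.
    """
    proc = subprocess.run(list(args), stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, universal_newlines=True)
    if stdout_file is not None:
        with open(stdout_file, "w") as f:
            f.write(proc.stdout)
    if raiseonerr and proc.returncode != 0:
        raise subprocess.CalledProcessError(
            proc.returncode, list(args), output=proc.stdout,
            stderr=proc.stderr)
    return CmdResult(proc.returncode, proc.stdout, proc.stderr)


def run_certutil(args, reqdir, raiseonerr=True, stdout_file=None,
                 certutil_cmd=("certutil",)):
    """certutil wrapper in the spirit of the reviewed helper: list args,
    raiseonerr keyword (True by default) and an explicit output file.
    ``certutil_cmd`` is a hypothetical hook so tests can substitute a
    stand-in program for the real NSS certutil."""
    cmd = list(certutil_cmd) + ["-d", reqdir] + list(args)
    return run_command(cmd, raiseonerr=raiseonerr, stdout_file=stdout_file)


def export_cert_pem(nickname, reqdir, out_file, **kwargs):
    """Export a certificate from the NSS database as PEM into ``out_file``,
    the shell-free equivalent of `certutil -L -n NICK -a > NICK.crt`."""
    return run_certutil(["-L", "-n", nickname, "-a"], reqdir,
                        stdout_file=out_file, **kwargs)


def demo():
    """Exercise the helper against the stand-ins; returns facts to check."""
    workdir = tempfile.mkdtemp()
    out_file = os.path.join(workdir, "MyCert1.crt")
    # A nickname containing '>' would have become a redirect in the joined
    # string form; as a list element it reaches argv untouched.
    res = export_cert_pem("My Cert > other.crt", workdir, out_file,
                          certutil_cmd=ECHO_ARGV)
    with open(out_file) as f:
        argv_seen = f.read().splitlines()
    try:
        run_certutil(["-L"], workdir, certutil_cmd=FAIL_CMD)
        raised = False
    except subprocess.CalledProcessError:
        raised = True
    quiet = run_certutil(["-L"], workdir, raiseonerr=False,
                         certutil_cmd=FAIL_CMD)
    return {"reqdir": workdir, "returncode": res.returncode,
            "argv_seen": argv_seen, "raised": raised,
            "quiet_returncode": quiet.returncode}


if __name__ == "__main__":
    print(demo())
```

With shell=False there is no shell to give `>` or `;` any meaning, which is the property the original list-based run_command already had; capturing stdout and writing the file in the helper keeps that property while still producing the `.crt` file the test reads later.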
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 14 Sep 2016 18:41:19 +0300
Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
In-Reply-To: <2b0ed7fe-f0bc-7137-bdc1-b0758ffe9cd6@redhat.com>
References: <57723947.2090508@redhat.com> <5772622C.9000205@redhat.com> <579FB51F.6030808@redhat.com> <98a90ec8-fa79-dd36-57dc-053204c29506@redhat.com> <57A07FE4.8000904@redhat.com> <2b0ed7fe-f0bc-7137-bdc1-b0758ffe9cd6@redhat.com>
Message-ID: <20160914154119.mkk2ma7tvks55xsu@redhat.com>

On Wed, 14 Sep 2016, Martin Basti wrote:
>1)
>I still don't see the reason why AD trust is needed. Default trust ID
>view is added just by ipa-adtrust-install, adding trust is not needed
>for current implementation. You don't need AD for this, IDviews is
>generic feature not just for AD. Is that user configured on AD side?
You cannot add non-AD user to 'default trust view', so you will not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users, so using
some other view and then assign certificate for a ID override in that
one.
--
/ Alexander Bokovoy

From mbasti at redhat.com Wed Sep 14 15:43:32 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 14 Sep 2016 17:43:32 +0200
Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
In-Reply-To: <20160914154119.mkk2ma7tvks55xsu@redhat.com>
References: <57723947.2090508@redhat.com> <5772622C.9000205@redhat.com> <579FB51F.6030808@redhat.com> <98a90ec8-fa79-dd36-57dc-053204c29506@redhat.com> <57A07FE4.8000904@redhat.com> <2b0ed7fe-f0bc-7137-bdc1-b0758ffe9cd6@redhat.com> <20160914154119.mkk2ma7tvks55xsu@redhat.com>
Message-ID: <97eaa313-e889-cd4a-e900-9e88596577a0@redhat.com>

On 14.09.2016 17:41, Alexander Bokovoy wrote:
> On Wed, 14 Sep 2016, Martin Basti wrote:
>> 1)
>> I still don't see the reason why AD trust is needed. Default trust ID
>> view is added just by ipa-adtrust-install, adding trust is not needed
>> for current implementation. You don't need AD for this, IDviews is
>> generic feature not just for AD. Is that user configured on AD side?
> You cannot add non-AD user to 'default trust view', so you will not be
> able to set up certificates to ID override which does not exist.
>
> For non-'default trust view' you can add both IPA and AD users, so using
> some other view and then assign certificate for a ID override in that
> one.
>

Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation.

How can be this tested with SSSD?

From abokovoy at redhat.com Wed Sep 14 15:53:20 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 14 Sep 2016 18:53:20 +0300
Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
In-Reply-To: <97eaa313-e889-cd4a-e900-9e88596577a0@redhat.com>
References: <579FB51F.6030808@redhat.com> <98a90ec8-fa79-dd36-57dc-053204c29506@redhat.com> <57A07FE4.8000904@redhat.com> <2b0ed7fe-f0bc-7137-bdc1-b0758ffe9cd6@redhat.com> <20160914154119.mkk2ma7tvks55xsu@redhat.com> <97eaa313-e889-cd4a-e900-9e88596577a0@redhat.com>
Message-ID: <20160914155320.iowrijrq3z62evoo@redhat.com>

On Wed, 14 Sep 2016, Martin Basti wrote:
>
>
>On 14.09.2016 17:41, Alexander Bokovoy wrote:
>>On Wed, 14 Sep 2016, Martin Basti wrote:
>>>1)
>>>I still don't see the reason why AD trust is needed. Default trust
>>>ID view is added just by ipa-adtrust-install, adding trust is not
>>>needed for current implementation. You don't need AD for this,
>>>IDviews is generic feature not just for AD. Is that user
>>>configured on AD side?
>>You cannot add non-AD user to 'default trust view', so you will not be
>>able to set up certificates to ID override which does not exist.
>>
>>For non-'default trust view' you can add both IPA and AD users, so using
>>some other view and then assign certificate for a ID override in that
>>one.
>>
>
>Ok then, but anyway I would like to see API/CLI tests for this feature
>with proper output validation.
>
>
>How can be this tested with SSSD?
You need to log into the system with a certificate...
--
/ Alexander Bokovoy

From mbasti at redhat.com Wed Sep 14 16:03:37 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 14 Sep 2016 18:03:37 +0200
Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
In-Reply-To: <20160914155320.iowrijrq3z62evoo@redhat.com>
References: <579FB51F.6030808@redhat.com> <98a90ec8-fa79-dd36-57dc-053204c29506@redhat.com> <57A07FE4.8000904@redhat.com> <2b0ed7fe-f0bc-7137-bdc1-b0758ffe9cd6@redhat.com> <20160914154119.mkk2ma7tvks55xsu@redhat.com> <97eaa313-e889-cd4a-e900-9e88596577a0@redhat.com> <20160914155320.iowrijrq3z62evoo@redhat.com>
Message-ID: <1af52e6c-c24b-d58b-ccf5-a85c5c290e0c@redhat.com>

On 14.09.2016 17:53, Alexander Bokovoy wrote:
> On Wed, 14 Sep 2016, Martin Basti wrote:
>>
>>
>> On 14.09.2016 17:41, Alexander Bokovoy wrote:
>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>> 1)
>>>> I still don't see the reason why AD trust is needed. Default trust
>>>> ID view is added just by ipa-adtrust-install, adding trust is not
>>>> needed for current implementation. You don't need AD for this,
>>>> IDviews is generic feature not just for AD. Is that user configured
>>>> on AD side?
>>> You cannot add non-AD user to 'default trust view', so you will not be
>>> able to set up certificates to ID override which does not exist.
>>>
>>> For non-'default trust view' you can add both IPA and AD users, so
>>> using
>>> some other view and then assign certificate for a ID override in that
>>> one.
>>>
>>
>> Ok then, but anyway I would like to see API/CLI tests for this
>> feature with proper output validation.
>>
>>
>> How can be this tested with SSSD?
> You need to log into the system with a certificate...
Is this possible from test? We are logged remotely as root, is there any cmdline util which allows us to test certificate against AD user?

Martin^2

From sbose at redhat.com Wed Sep 14 16:53:48 2016
From: sbose at redhat.com (Sumit Bose) Date: Wed, 14 Sep 2016 18:53:48 +0200 Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test In-Reply-To: <1af52e6c-c24b-d58b-ccf5-a85c5c290e0c@redhat.com> References: <57A07FE4.8000904@redhat.com> <2b0ed7fe-f0bc-7137-bdc1-b0758ffe9cd6@redhat.com> <20160914154119.mkk2ma7tvks55xsu@redhat.com> <97eaa313-e889-cd4a-e900-9e88596577a0@redhat.com> <20160914155320.iowrijrq3z62evoo@redhat.com> <1af52e6c-c24b-d58b-ccf5-a85c5c290e0c@redhat.com> Message-ID: <20160914165348.GE2761@p.Speedport_W_724V_Typ_A_05011603_00_009> On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote: > > > On 14.09.2016 17:53, Alexander Bokovoy wrote: > > On Wed, 14 Sep 2016, Martin Basti wrote: > > > > > > > > > On 14.09.2016 17:41, Alexander Bokovoy wrote: > > > > On Wed, 14 Sep 2016, Martin Basti wrote: > > > > > 1) > > > > > I still don't see the reason why AD trust is needed. Default > > > > > trust ID view is added just by ipa-adtrust-install, adding > > > > > trust is not needed for current implementation. You don't > > > > > need AD for this, IDviews is generic feature not just for > > > > > AD. Is that user configured on AD side? > > > > You cannot add non-AD user to 'default trust view', so you will not be > > > > able to set up certificates to ID override which does not exist. > > > > > > > > For non-'default trust view' you can add both IPA and AD users, > > > > so using > > > > some other view and then assign certificate for a ID override in that > > > > one. > > > > > > > > > > Ok then, but anyway I would like to see API/CLI tests for this > > > feature with proper output validation. > > > > > > > > > How can be this tested with SSSD? > > You need to log into the system with a certificate... > Is this possible from test? We are logged remotely as root, is there any > cmdline util which allows us to test certificate against AD user? 
You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate. This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit

>
> Martin^2
>
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

From abokovoy at redhat.com Wed Sep 14 17:00:27 2016
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 14 Sep 2016 20:00:27 +0300 Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test In-Reply-To: <1af52e6c-c24b-d58b-ccf5-a85c5c290e0c@redhat.com> References: <57A07FE4.8000904@redhat.com> <2b0ed7fe-f0bc-7137-bdc1-b0758ffe9cd6@redhat.com> <20160914154119.mkk2ma7tvks55xsu@redhat.com> <97eaa313-e889-cd4a-e900-9e88596577a0@redhat.com> <20160914155320.iowrijrq3z62evoo@redhat.com> <1af52e6c-c24b-d58b-ccf5-a85c5c290e0c@redhat.com> Message-ID: <20160914170027.u4pq2g5fmvsabizt@redhat.com> On Wed, 14 Sep 2016, Martin Basti wrote: > > >On 14.09.2016 17:53, Alexander Bokovoy wrote: >>On Wed, 14 Sep 2016, Martin Basti wrote: >>> >>> >>>On 14.09.2016 17:41, Alexander Bokovoy wrote: >>>>On Wed, 14 Sep 2016, Martin Basti wrote: >>>>>1) >>>>>I still don't see the reason why AD trust is needed. Default >>>>>trust ID view is added just by ipa-adtrust-install, adding >>>>>trust is not needed for current implementation. You don't need >>>>>AD for this, IDviews is generic feature not just for AD. Is >>>>>that user configured on AD side? >>>>You cannot add non-AD user to 'default trust view', so you will not be >>>>able to set up certificates to ID override which does not exist. >>>> >>>>For non-'default trust view' you can add both IPA and AD users, >>>>so using >>>>some other view and then assign certificate for a ID override in that >>>>one. >>>> >>> >>>Ok then, but anyway I would like to see API/CLI tests for this >>>feature with proper output validation. >>> >>> >>>How can be this tested with SSSD? >>You need to log into the system with a certificate... >Is this possible from test? We are logged remotely as root, is there >any cmdline util which allows us to test certificate against AD user? 
https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationTestingWithAD The only thing that differentiates AD user from IPA is the fact that you'd need to trust a certificate authority that issued the certificate for this user. -- / Alexander Bokovoy From freeipa-github-notification at redhat.com Wed Sep 14 21:59:14 2016 From: freeipa-github-notification at redhat.com (LiptonB) Date: Wed, 14 Sep 2016 23:59:14 +0200 Subject: [Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (synchronize) In-Reply-To: References: Message-ID: LiptonB's pull request #10: "Client-side CSR autogeneration" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/10 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/10/head:pr10 git checkout pr10 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-10.patch Type: text/x-diff Size: 89335 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Sep 14 22:17:03 2016 From: freeipa-github-notification at redhat.com (LiptonB) Date: Thu, 15 Sep 2016 00:17:03 +0200 Subject: [Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (comment) In-Reply-To: References: Message-ID: LiptonB commented on a pull request """ Some tests for the CSR generation functionality have been added to the pull request. """ See the full comment at https://github.com/freeipa/freeipa/pull/10#issuecomment-247174035 From freeipa-github-notification at redhat.com Thu Sep 15 06:12:02 2016 
From: freeipa-github-notification at redhat.com (jcholast)
Date: Thu, 15 Sep 2016 08:12:02 +0200
Subject: [Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (comment)
In-Reply-To:
References:
Message-ID:

jcholast commented on a pull request

"""
In addition to my inline comments above:

1. "Certificate mapping" does not really evoke "certificate request templating" to me, and is also used in the context of mapping identities to certificates. Could we use a more suitable name to avoid confusion?

2. The `ipalib.certmapping` module is used only in `ipaclient`, so that's where it should be located. It can be moved to `ipalib` later if necessary.

3. I don't think `IPAExtension` deserves its own module, at least not now.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/10#issuecomment-247244120

From freeipa-github-notification at redhat.com Thu Sep 15 06:32:54 2016
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Thu, 15 Sep 2016 08:32:54 +0200
Subject: [Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (opened)
Message-ID:

Akasurde's pull request #83: "Added a fix for setting Priority as required field " was opened

PR body:
"""
Fixes: https://fedorahosted.org/freeipa/ticket/5553

Signed-off-by: Abhijeet Kasurde
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/83
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/83/head:pr83
git checkout pr83
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-83.patch
Type: text/x-diff
Size: 1210 bytes
Desc: not available
URL:

From mbasti at redhat.com Thu Sep 15 07:49:33 2016
From: mbasti at redhat.com (Martin Basti) Date: Thu, 15 Sep 2016 09:49:33 +0200 Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test In-Reply-To: <20160914165348.GE2761@p.Speedport_W_724V_Typ_A_05011603_00_009> References: <57A07FE4.8000904@redhat.com> <2b0ed7fe-f0bc-7137-bdc1-b0758ffe9cd6@redhat.com> <20160914154119.mkk2ma7tvks55xsu@redhat.com> <97eaa313-e889-cd4a-e900-9e88596577a0@redhat.com> <20160914155320.iowrijrq3z62evoo@redhat.com> <1af52e6c-c24b-d58b-ccf5-a85c5c290e0c@redhat.com> <20160914165348.GE2761@p.Speedport_W_724V_Typ_A_05011603_00_009> Message-ID: <59763ea7-2ab5-bdc2-72c1-489a462f78ef@redhat.com> On 14.09.2016 18:53, Sumit Bose wrote: > On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote: >> >> On 14.09.2016 17:53, Alexander Bokovoy wrote: >>> On Wed, 14 Sep 2016, Martin Basti wrote: >>>> >>>> On 14.09.2016 17:41, Alexander Bokovoy wrote: >>>>> On Wed, 14 Sep 2016, Martin Basti wrote: >>>>>> 1) >>>>>> I still don't see the reason why AD trust is needed. Default >>>>>> trust ID view is added just by ipa-adtrust-install, adding >>>>>> trust is not needed for current implementation. You don't >>>>>> need AD for this, IDviews is generic feature not just for >>>>>> AD. Is that user configured on AD side? >>>>> You cannot add non-AD user to 'default trust view', so you will not be >>>>> able to set up certificates to ID override which does not exist. >>>>> >>>>> For non-'default trust view' you can add both IPA and AD users, >>>>> so using >>>>> some other view and then assign certificate for a ID override in that >>>>> one. >>>>> >>>> Ok then, but anyway I would like to see API/CLI tests for this >>>> feature with proper output validation. >>>> >>>> >>>> How can be this tested with SSSD? >>> You need to log into the system with a certificate... >> Is this possible from test? We are logged remotely as root, is there any >> cmdline util which allows us to test certificate against AD user? 
>
> You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
> return the ssh key derived from the public key in the certificate. This
> should work for certificate stored in AD as well as for overrides.
>
> You can also use the DBus lookup by certificate as described in
> https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .
>
> HTH
>
> bye,
> Sumit

Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to test_idviews.py. We can add more testcases for idviews there later

Martin^2

>> Martin^2
>>
>> --
>> Manage your subscription for the Freeipa-devel mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

From ofayans at redhat.com Thu Sep 15 08:10:57 2016
From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 15 Sep 2016 10:10:57 +0200 Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test In-Reply-To: <59763ea7-2ab5-bdc2-72c1-489a462f78ef@redhat.com> References: <57A07FE4.8000904@redhat.com> <2b0ed7fe-f0bc-7137-bdc1-b0758ffe9cd6@redhat.com> <20160914154119.mkk2ma7tvks55xsu@redhat.com> <97eaa313-e889-cd4a-e900-9e88596577a0@redhat.com> <20160914155320.iowrijrq3z62evoo@redhat.com> <1af52e6c-c24b-d58b-ccf5-a85c5c290e0c@redhat.com> <20160914165348.GE2761@p.Speedport_W_724V_Typ_A_05011603_00_009> <59763ea7-2ab5-bdc2-72c1-489a462f78ef@redhat.com> Message-ID: Hi Martin, The file was renamed. Did I understand correctly that for now we are leaving the test as is and are planning to extend it later? On 09/15/2016 09:49 AM, Martin Basti wrote: > > > On 14.09.2016 18:53, Sumit Bose wrote: >> On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote: >>> >>> On 14.09.2016 17:53, Alexander Bokovoy wrote: >>>> On Wed, 14 Sep 2016, Martin Basti wrote: >>>>> >>>>> On 14.09.2016 17:41, Alexander Bokovoy wrote: >>>>>> On Wed, 14 Sep 2016, Martin Basti wrote: >>>>>>> 1) >>>>>>> I still don't see the reason why AD trust is needed. Default >>>>>>> trust ID view is added just by ipa-adtrust-install, adding >>>>>>> trust is not needed for current implementation. You don't >>>>>>> need AD for this, IDviews is generic feature not just for >>>>>>> AD. Is that user configured on AD side? >>>>>> You cannot add non-AD user to 'default trust view', so you will >>>>>> not be >>>>>> able to set up certificates to ID override which does not exist. >>>>>> >>>>>> For non-'default trust view' you can add both IPA and AD users, >>>>>> so using >>>>>> some other view and then assign certificate for a ID override in that >>>>>> one. >>>>>> >>>>> Ok then, but anyway I would like to see API/CLI tests for this >>>>> feature with proper output validation. >>>>> >>>>> >>>>> How can be this tested with SSSD? 
>>>> You need to log into the system with a certificate...
>>> Is this possible from test? We are logged remotely as root, is there any
>>> cmdline util which allows us to test certificate against AD user?
>>
>> You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
>> return the ssh key derived from the public key in the certificate. This
>> should work for certificate stored in AD as well as for overrides.
>>
>> You can also use the DBus lookup by certificate as described in
>> https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .
>>
>> HTH
>>
>> bye,
>> Sumit
>
> Thank you Alexander and Sumit for hints.
>
> Oleg I realized we don't have any other idviews integration tests
>
> So I propose to rename test file you are adding to test_idviews.py. We
> can add more testcases for idviews there later
>
> Martin^2
>>> Martin^2
>>>
>>> --
>>> Manage your subscription for the Freeipa-devel mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0050.5-Automated-test-for-certs-in-idoverrides-feature.patch
Type: text/x-patch
Size: 6491 bytes
Desc: not available
URL:

From mbasti at redhat.com Thu Sep 15 08:27:42 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 15 Sep 2016 10:27:42 +0200
Subject: [Freeipa-devel] [Test][patch-0058] Fixed topology tests failures in CI
In-Reply-To: <63f702db-13c8-15cc-8bfa-9af7c78d6baa@redhat.com>
References: <57AB735A.3000101@redhat.com> <57ADD39F.8050409@redhat.com> <5beb66d0-62d4-1940-79be-4bcf16a140aa@redhat.com> <2c50265e-40fb-2243-5a19-72627060370f@redhat.com> <3f44586e-2edc-7c36-dc82-45d1dd8e291c@redhat.com> <63f702db-13c8-15cc-8bfa-9af7c78d6baa@redhat.com>
Message-ID: <8c8898c8-0589-fd6c-41c6-ef6331af360b@redhat.com>

On 14.09.2016 10:43, Oleg Fayans wrote:
> Again ping for review, please, it completely blocks the whole job.
>
> On 09/07/2016 03:27 PM, Oleg Fayans wrote:
>> ping for review
>>
>> On 08/24/2016 01:58 PM, Oleg Fayans wrote:
>>> And here is how the run looks like:
>>>
>>> $ ipa-run-tests test_integration/test_topology.py
>>> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
>>> WARNING: yacc table file version is out of date
>>> WARNING: Couldn't create 'pycparser.yacctab'.
>>> [Errno 13] Permission denied: 'yacctab.py'
>>> ================================ test session starts ================================
>>> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
>>> plugins: sourceorder-0.5, multihost-1.0
>>> collected 3 items
>>>
>>> test_integration/test_topology.py ..x
>>>
>>> ======================== 2 passed, 1 xfailed in 1558.66 seconds ========================
>>>
>>> On 08/12/2016 04:05 PM, Martin Basti wrote:
>>>>
>>>> On 12.08.2016 15:48, Oleg Fayans wrote:
>>>>> Hi Martin,
>>>>>
>>>>> On 08/11/2016 10:05 AM, Martin Basti wrote:
>>>>>>
>>>>>> On 10.08.2016 20:32, Oleg Fayans wrote:
>>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> before we jump into fixing tests, my question is: Was this a planned change not reflected by the test, or are the switched values an unwanted side effect and thus a bug for us?
>>>>>
>>>>> That's a marvelous question! The test used to pass, which means that at some point the convention of naming the segments must have changed. Is it a bug? I do not think so: the feature still works as expected.
>>>>
>>>> Ludwig, do you know details about this change, why the positions of server names in the topology name are different than they used to be?
>>>>
>>>>>
>>>>>> Ticket contains almost no info, except a traceback, and it says nothing. Commit message says at least something.
>>>>>>
>>>>>> I'm not sure if this patch fixes that ticket, because the traceback in the test shows the error message that "removal of segment will disconnect topology", but this patch only swaps the order of replica names in the segment name. I would expect that you should get a different error, something like segment does not exist.
>>>>> Which I do get in jenkins job N 37: "segment not found"
>>>>>
>>>>> In fact, the error in the issue is unrelated to the fix, you are right.
>>>>
>>>>> To tell the truth, I just put a random error from one of the jenkins topology testruns into the issue.
>>>> This is a very good way to report tickets:
>>>> * nobody knows what happened
>>>> * nobody can search in current tickets for what is wrong without a proper description
>>>> * developers cannot investigate the issue, because there is not even the name of the exact test in the ticket, no steps to reproduce, nothing
>>>> * without proper tickets it is hard to backport patches correctly, if the patch fixes a different issue than is reported
>>>>
>>>> I'm closing the ticket as invalid, please follow http://www.chiark.greenend.org.uk/~sgtatham/bugs.html and file a new proper ticket.
>>>>
>>>>> This particular error message was caused by a previous replica installation failure, which resulted in only one segment existing instead of three:
>>>>> master <-> replica1
>>>>> instead of:
>>>>> master <-> replica1,
>>>>> master <-> replica2
>>>>> replica1 <-> replica2
>>>>>
>>>>> In fact the patch supplied fixes 2 tests at once:
>>>>> The first test tries to remove the nonexistent segment master <-> replica2 and fails, the second test expects the line topology master <-> replica1 <-> replica2.
>>>>> It removes the connection between replica1 and replica2 and expects the operation to fail, but it does not because the connection between master and replica2 exists.
>>>>>
>>>>> The output from the testrun with the patch applied:
>>>>>
>>>>> -bash-4.3$ ipa-run-tests test_integration/test_topology.py --pdb
>>>>> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
>>>>> WARNING: yacc table file version is out of date
>>>>> WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py'
>>>>> ================================ test session starts ================================
>>>>> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
>>>>> plugins: sourceorder-0.5, multihost-1.0
>>>>> collected 3 items
>>>>>
>>>>> test_integration/test_topology.py ...
>>>>>
>>>>> ============================ 3 passed in 2156.82 seconds ============================
>>>>>
>>>>
>>>> I don't care about test output until there is a valid description of the problem; fixing the test may just cover a real issue.
>>>> Martin^2
>>>>>>
>>>>>> Martin^2
>>>>>>
>>>>>
>>>>
>>>
>>
>

ACK

master:
* 49fbbb0641df2adab28fd3440686cb7430645c85 Fixed segment naming in topology tests
* 3e4740f788aee00ae03a61d39238f605779fcece Xfailed a test that fails due to 6250

From mbasti at redhat.com Thu Sep 15 08:32:19 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 15 Sep 2016 10:32:19 +0200
Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
In-Reply-To:
References: <57A07FE4.8000904@redhat.com> <2b0ed7fe-f0bc-7137-bdc1-b0758ffe9cd6@redhat.com> <20160914154119.mkk2ma7tvks55xsu@redhat.com> <97eaa313-e889-cd4a-e900-9e88596577a0@redhat.com> <20160914155320.iowrijrq3z62evoo@redhat.com> <1af52e6c-c24b-d58b-ccf5-a85c5c290e0c@redhat.com> <20160914165348.GE2761@p.Speedport_W_724V_Typ_A_05011603_00_009> <59763ea7-2ab5-bdc2-72c1-489a462f78ef@redhat.com>
Message-ID:

On 15.09.2016 10:10, Oleg Fayans wrote:
> Hi Martin,
>
> The file was renamed. Did I understand correctly that for now we are leaving the test as is and are planning to extend it later?

I would like to have the SSSD check involved there, please use what Sumit recommends. No new test cases. And this can be done by a separate patch: I want to have API/CLI certificate override tests for a non-AD idview (extending the current tests I posted in this thread).

Martin^2

>
> On 09/15/2016 09:49 AM, Martin Basti wrote:
>>
>> On 14.09.2016 18:53, Sumit Bose wrote:
>>> On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
>>>>
>>>> On 14.09.2016 17:53, Alexander Bokovoy wrote:
>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>
>>>>>> On 14.09.2016 17:41, Alexander Bokovoy wrote:
>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>>> 1)
>>>>>>>> I still don't see the reason why AD trust is needed. The default trust ID view is added just by ipa-adtrust-install; adding a trust is not needed for the current implementation. You don't need AD for this, ID views are a generic feature, not just for AD. Is that user configured on the AD side?
>>>>>>> You cannot add a non-AD user to the 'default trust view', so you will not be able to set up certificates for an ID override which does not exist.
>>>>>>>
>>>>>>> For a non-'default trust view' you can add both IPA and AD users, so use some other view and then assign a certificate to an ID override in that one.
>>>>>>>
>>>>>> Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation.
>>>>>>
>>>>>> How can this be tested with SSSD?
>>>>> You need to log into the system with a certificate...
>>>> Is this possible from a test? We are logged in remotely as root; is there any cmdline util which allows us to test a certificate against an AD user?
>>>
>>> You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should return the ssh key derived from the public key in the certificate. This should work for certificates stored in AD as well as for overrides.
>>>
>>> You can also use the DBus lookup by certificate as described in https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .
>>>
>>> HTH
>>>
>>> bye,
>>> Sumit
>>
>> Thank you Alexander and Sumit for the hints.
>>
>> Oleg, I realized we don't have any other idviews integration tests.
>>
>> So I propose to rename the test file you are adding to test_idviews.py. We can add more testcases for idviews there later.
>>
>> Martin^2
>>>> Martin^2
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From freeipa-github-notification at redhat.com Thu Sep 15 08:47:02 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 15 Sep 2016 10:47:02 +0200
Subject: [Freeipa-devel] [freeipa PR#84] Removed update_from_dict function from ldapupdate (opened)
Message-ID:

stlaz's pull request #84: "Removed update_from_dict function from ldapupdate" was opened

PR body:
"""
update_from_dict was basically dead code as it's used nowhere in the project.

https://fedorahosted.org/freeipa/ticket/6311
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/84
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/84/head:pr84
git checkout pr84

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-84.patch
Type: text/x-diff
Size: 5256 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 15 09:23:13 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Thu, 15 Sep 2016 11:23:13 +0200
Subject: [Freeipa-devel] [freeipa PR#84] Removed update_from_dict function from ldapupdate (comment)
In-Reply-To:
References:
Message-ID:

abbra commented on a pull request
"""
NACK. Please instead fix update_from_dict() to follow _run_updates() expectations.

update_from_dict() is a handy function for externally provided FreeIPA modules. They will need to implement the same functionality if they want to do dynamic updates themselves. Thus, the function had better stay, to avoid duplication, and instead be fixed to properly call _run_updates().
"""

See the full comment at https://github.com/freeipa/freeipa/pull/84#issuecomment-247279263

From freeipa-github-notification at redhat.com Thu Sep 15 10:25:33 2016
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Thu, 15 Sep 2016 12:25:33 +0200
Subject: [Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (synchronize)
In-Reply-To:
References:
Message-ID:

Akasurde's pull request #83: "Added a fix for setting Priority as required field" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/83
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/83/head:pr83
git checkout pr83

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-83.patch
Type: text/x-diff
Size: 1064 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 15 10:39:17 2016
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Thu, 15 Sep 2016 12:39:17 +0200
Subject: [Freeipa-devel] [freeipa PR#85] WebUI: Change group name from 'normal' to 'Non-POSIX' (opened)
Message-ID:

pvomacka's pull request #85: "WebUI: Change group name from 'normal' to 'Non-POSIX'" was opened

PR body:
"""
It will correspond with CLI and will be more self-explanatory.

https://fedorahosted.org/freeipa/ticket/6334
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/85
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/85/head:pr85
git checkout pr85

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-85.patch
Type: text/x-diff
Size: 3374 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 15 10:54:31 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 15 Sep 2016 12:54:31 +0200
Subject: [Freeipa-devel] [freeipa PR#72] WebUI: Add handling for HTTP error 404 (+ack)
In-Reply-To:
References:
Message-ID:

pvomacka's pull request #72: "WebUI: Add handling for HTTP error 404" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/72

From freeipa-github-notification at redhat.com Thu Sep 15 11:07:40 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Thu, 15 Sep 2016 13:07:40 +0200
Subject: [Freeipa-devel] [freeipa PR#50] Add cert checks in ipa-server-certinstall (comment)
In-Reply-To:
References:
Message-ID:

jcholast commented on a pull request
"""
Functional ACK, but please don't use newlines in exception messages. If you want the original error on a separate line, you can use the logger to log it, but I think it would be preferable to use this format:

```
Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/50#issuecomment-247299454

From freeipa-github-notification at redhat.com Thu Sep 15 11:23:06 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 15 Sep 2016 13:23:06 +0200
Subject: [Freeipa-devel] [freeipa PR#84] Removed update_from_dict function from ldapupdate (comment)
In-Reply-To:
References:
Message-ID:

mbasti-rh commented on a pull request
"""
Shouldn't external plugins use update files or update plugins as IPA does?

We don't have any guaranteed internal API for anything, we don't have any document about external plugins, we haven't prepared any API for 3rd party plugins. We just have your POC 3rd party plugin.

Unless there is a design document with serious investigation and an agreed workflow for how to work with 3rd party plugins, and a stable, well tested API provided for 3rd party plugins (not just internal API that may and will change), then "is a handy" is not a valid argument for me.

I don't remember that we froze our internal API, so 3rd party plugins will fail with any change there.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/84#issuecomment-247302163

From freeipa-github-notification at redhat.com Thu Sep 15 11:55:28 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Thu, 15 Sep 2016 13:55:28 +0200
Subject: [Freeipa-devel] [freeipa PR#84] Removed update_from_dict function from ldapupdate (comment)
In-Reply-To:
References:
Message-ID:

abbra commented on a pull request
"""
Update plugins are a higher level of abstraction. They use ipaserver.install.ldapupdate.LDAPUpdate which provides both .update() and .update_from_dict() methods. Update plugins can produce dictionaries. With the change in this pull request they will have to always write down dynamic update content to files first and then run LDAPUpdate.update() with those files. Or re-implement .update_from_dict().

That's why I gave a NACK -- consider this coming from the work I'm doing right now to create documentation for external plugins. It is silly to remove a function only to introduce it back.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/84#issuecomment-247307982

From freeipa-github-notification at redhat.com Thu Sep 15 11:57:11 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 15 Sep 2016 13:57:11 +0200
Subject: [Freeipa-devel] [freeipa PR#84] Removed update_from_dict function from ldapupdate (synchronize)
In-Reply-To:
References:
Message-ID:

stlaz's pull request #84: "Removed update_from_dict function from ldapupdate" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/84
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/84/head:pr84
git checkout pr84

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-84.patch
Type: text/x-diff
Size: 4271 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 15 12:01:09 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 15 Sep 2016 14:01:09 +0200
Subject: [Freeipa-devel] [freeipa PR#84] Removed update_from_dict function from ldapupdate (comment)
In-Reply-To:
References:
Message-ID:

stlaz commented on a pull request
"""
Well, I did fix the test, then. I can imagine the function being pretty handy as a library function, although it had better be used in the future. What infuriates me is the fact that the test might have never worked (well, at least for a year and a half, but my guess is never) and nobody really cared.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/84#issuecomment-247309050

From freeipa-github-notification at redhat.com Thu Sep 15 12:08:13 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 15 Sep 2016 14:08:13 +0200
Subject: [Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (comment)
In-Reply-To:
References:
Message-ID:

stlaz commented on a pull request
"""
Looks OK to me, thanks.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/83#issuecomment-247310347

From freeipa-github-notification at redhat.com Thu Sep 15 12:08:20 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 15 Sep 2016 14:08:20 +0200
Subject: [Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (+ack)
In-Reply-To:
References:
Message-ID:

Akasurde's pull request #83: "Added a fix for setting Priority as required field" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/83

From freeipa-github-notification at redhat.com Thu Sep 15 12:11:10 2016
From: freeipa-github-notification at redhat.com (ofayans)
Date: Thu, 15 Sep 2016 14:11:10 +0200
Subject: [Freeipa-devel] [freeipa PR#86] Made sssd restart a non-raising operation (opened)
Message-ID:

ofayans's pull request #86: "Made sssd restart a non-raising operation" was opened

PR body:
"""
Uninstallation of ipa-server usually removes the sssd configuration file, /etc/sssd/sssd.conf. If we then issue systemctl restart sssd.service, the command fails because it is unable to find the config file. We need to make this call not raise an exception.
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/86
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/86/head:pr86
git checkout pr86

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-86.patch
Type: text/x-diff
Size: 1152 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 15 12:16:45 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Thu, 15 Sep 2016 14:16:45 +0200
Subject: [Freeipa-devel] [freeipa PR#87] dns: re-introduce --raw in dnsrecord-del (opened)
Message-ID:

jcholast's pull request #87: "dns: re-introduce --raw in dnsrecord-del" was opened

PR body:
"""
The flag was removed in commit ff52c25ae299abba8bed653fe324951979a41293 because it is unused. Add it back for compatibility with old clients.

https://fedorahosted.org/freeipa/ticket/5644
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/87
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/87/head:pr87
git checkout pr87

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-87.patch
Type: text/x-diff
Size: 2503 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 15 12:21:23 2016
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Thu, 15 Sep 2016 14:21:23 +0200
Subject: [Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (comment)
In-Reply-To:
References:
Message-ID:

Akasurde commented on a pull request
"""
@stlaz Thanks
"""

See the full comment at https://github.com/freeipa/freeipa/pull/83#issuecomment-247312920

From freeipa-github-notification at redhat.com Thu Sep 15 12:36:19 2016
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Thu, 15 Sep 2016 14:36:19 +0200
Subject: [Freeipa-devel] [freeipa PR#25] Added install check before executing ipa-* command (comment)
In-Reply-To:
References:
Message-ID:

Akasurde commented on a pull request
"""
@pspacek Should I close this PR then?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/25#issuecomment-247315968

From freeipa-github-notification at redhat.com Thu Sep 15 12:41:50 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Thu, 15 Sep 2016 14:41:50 +0200
Subject: [Freeipa-devel] [freeipa PR#88] test_plugable: update the rest of test_init (opened)
Message-ID:

jcholast's pull request #88: "test_plugable: update the rest of test_init" was opened

PR body:
"""
In commit ed4c2d9252a995d01dc098e5b761ded8cd9373d8, changes to the Plugin class were made, but the test was updated only partially. Update the rest to fix the failing test.

https://fedorahosted.org/freeipa/ticket/6313
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/88
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/88/head:pr88
git checkout pr88

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-88.patch
Type: text/x-diff
Size: 1774 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 15 12:47:36 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Thu, 15 Sep 2016 14:47:36 +0200
Subject: [Freeipa-devel] [freeipa PR#89] client: remove hard dependency on pam_krb5 (opened)
Message-ID:

jcholast's pull request #89: "client: remove hard dependency on pam_krb5" was opened

PR body:
"""
If ipa-client-install is executed with --no-sssd, check if pam_krb5 is available before proceeding with the install.

https://fedorahosted.org/freeipa/ticket/5557
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/89
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/89/head:pr89
git checkout pr89

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-89.patch
Type: text/x-diff
Size: 3084 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 15 12:49:45 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Thu, 15 Sep 2016 14:49:45 +0200
Subject: [Freeipa-devel] [freeipa PR#89] client: remove hard dependency on pam_krb5 (synchronize)
In-Reply-To:
References:
Message-ID:

jcholast's pull request #89: "client: remove hard dependency on pam_krb5" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/89
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/89/head:pr89
git checkout pr89

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-89.patch
Type: text/x-diff
Size: 3082 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 15 13:06:56 2016
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Thu, 15 Sep 2016 15:06:56 +0200
Subject: [Freeipa-devel] [freeipa PR#50] Add cert checks in ipa-server-certinstall (synchronize)
In-Reply-To:
References:
Message-ID:

flo-renaud's pull request #50: "Add cert checks in ipa-server-certinstall" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/50
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/50/head:pr50
git checkout pr50

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-50.patch
Type: text/x-diff
Size: 3831 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 15 13:07:33 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 15 Sep 2016 15:07:33 +0200
Subject: [Freeipa-devel] [freeipa PR#86] Made sssd restart a non-raising operation (comment)
In-Reply-To:
References:
Message-ID:

mbasti-rh commented on a pull request
"""
I was thinking hard about it, whether there should be an SSSD restart, but I cannot find any case where it is needed after server uninstall.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/86#issuecomment-247322795

From freeipa-github-notification at redhat.com Thu Sep 15 13:20:35 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 15 Sep 2016 15:20:35 +0200
Subject: [Freeipa-devel] [freeipa PR#77] Tests: Update host test with ipa-join (comment)
In-Reply-To:
References:
Message-ID:

mbasti-rh commented on a pull request
"""
Please split this into 2 commits, it contains independent issues:
* wrong path to IPA join
* extra attribute

It is not related to this PR, but to me it looks like this test is focused on the ipa-join command and I don't see how this is related to API tests. I don't think that we can test this from in-tree tests because it requires a build first.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/77#issuecomment-247325837

From freeipa-github-notification at redhat.com Thu Sep 15 13:30:24 2016
From: freeipa-github-notification at redhat.com (ofayans)
Date: Thu, 15 Sep 2016 15:30:24 +0200
Subject: [Freeipa-devel] [freeipa PR#86] Made sssd restart a non-raising operation (comment)
In-Reply-To:
References:
Message-ID:

ofayans commented on a pull request
"""
Probably Lenka has some use-case for this. I am pretty sure these lines weren't added just for fun :)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/86#issuecomment-247328115

From freeipa-github-notification at redhat.com Thu Sep 15 13:34:23 2016
From: freeipa-github-notification at redhat.com (rcritten)
Date: Thu, 15 Sep 2016 15:34:23 +0200
Subject: [Freeipa-devel] [freeipa PR#84] Removed update_from_dict function from ldapupdate (comment)
In-Reply-To:
References:
Message-ID:

rcritten commented on a pull request
"""
For the record this test used to pass. Don't blame the test when the code it is testing was changed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/84#issuecomment-247329152

From freeipa-github-notification at redhat.com Thu Sep 15 14:29:07 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 15 Sep 2016 16:29:07 +0200
Subject: [Freeipa-devel] [freeipa PR#86] Made sssd restart a non-raising operation (comment)
In-Reply-To:
References:
Message-ID:

mbasti-rh commented on a pull request
"""
Can we wait until Lenka gives us the reason?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/86#issuecomment-247344542

From freeipa-github-notification at redhat.com Thu Sep 15 14:30:07 2016
From: freeipa-github-notification at redhat.com (ofayans)
Date: Thu, 15 Sep 2016 16:30:07 +0200
Subject: [Freeipa-devel] [freeipa PR#86] Made sssd restart a non-raising operation (comment)
In-Reply-To:
References:
Message-ID:

ofayans commented on a pull request
"""
sure
"""

See the full comment at https://github.com/freeipa/freeipa/pull/86#issuecomment-247344841

From freeipa-github-notification at redhat.com Thu Sep 15 14:43:31 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 15 Sep 2016 16:43:31 +0200
Subject: [Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (comment)
In-Reply-To:
References:
Message-ID:

mbasti-rh commented on a pull request
"""
Sorry guys, but the ticket is in a closed milestone, you need a new one.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/83#issuecomment-247348762

From freeipa-github-notification at redhat.com Thu Sep 15 14:43:34 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 15 Sep 2016 16:43:34 +0200
Subject: [Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (-ack)
In-Reply-To:
References:
Message-ID:

Akasurde's pull request #83: "Added a fix for setting Priority as required field" label *ack* has been removed

See the full pull-request at https://github.com/freeipa/freeipa/pull/83

From freeipa-github-notification at redhat.com Thu Sep 15 14:46:39 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 15 Sep 2016 16:46:39 +0200
Subject: [Freeipa-devel] [freeipa PR#72] WebUI: Add handling for HTTP error 404 (+pushed)
In-Reply-To:
References:
Message-ID:

pvomacka's pull request #72: "WebUI: Add handling for HTTP error 404" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/72

From freeipa-github-notification at redhat.com Thu Sep 15 14:46:41 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 15 Sep 2016 16:46:41 +0200
Subject: [Freeipa-devel] [freeipa PR#72] WebUI: Add handling for HTTP error 404 (comment)
In-Reply-To:
References:
Message-ID:

mbasti-rh commented on a pull request
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/b18a35145df92522ae990e020513d1a77e311493
"""

See the full comment at https://github.com/freeipa/freeipa/pull/72#issuecomment-247349710

From freeipa-github-notification at redhat.com Thu Sep 15 14:46:42 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 15 Sep 2016 16:46:42 +0200
Subject: [Freeipa-devel] [freeipa PR#72] WebUI: Add handling for HTTP error 404 (closed)
In-Reply-To:
References:
Message-ID:

pvomacka's pull request #72: "WebUI: Add handling for HTTP error 404" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/72
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/72/head:pr72
git checkout pr72

From freeipa-github-notification at redhat.com Thu Sep 15 20:26:21 2016
From: freeipa-github-notification at redhat.com (LiptonB)
Date: Thu, 15 Sep 2016 22:26:21 +0200
Subject: [Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (synchronized)
In-Reply-To:
References:
Message-ID:

LiptonB's pull request #10: "Client-side CSR autogeneration" was synchronized

See the full pull-request at https://github.com/freeipa/freeipa/pull/10
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/10/head:pr10
git checkout pr10

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-10.patch
Type: text/x-diff
Size: 98960 bytes
Desc: not available
URL:

From blipton at redhat.com Thu Sep 15 20:49:37 2016
From: blipton at redhat.com (Ben Lipton)
Date: Thu, 15 Sep 2016 16:49:37 -0400
Subject: [Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (comment)

On 09/15/2016 02:12 AM, jcholast wrote:
> jcholast commented on a pull request
>
> """
> In addition to my inline comments above:
>
> 1. "Certificate mapping" does not really evoke "certificate request templating" to me, and is also used in the context of mapping identities to certificates. Could we use a more suitable name to avoid confusion?
> 2. The `ipalib.certmapping` module is used only in `ipaclient`, so that's where it should be located. It can be moved to `ipalib` later if necessary.
> 3. I don't think `IPAExtension` deserves its own module, at least not now.
> """
>
> See the full comment at https://github.com/freeipa/freeipa/pull/10#issuecomment-247244120
>

Tried sending my comments as a "review" (new Github feature) and it seems they don't get sent to the list that way. So:

Thanks for the comments! I've fixed the simple ones and replied to the rest. Regarding your comments about file organization:

1. I quite agree that certmapping isn't a good name for what this turned out to be. With the convention of naming modules after the objects they model, perhaps a good name would be `certrequest` or `csr`? The command could be renamed to something like `certrequest-get-data` (or `certrequest-get-script`).
2. Just to confirm, you're suggesting just moving these classes to the `ipaclient.plugins.` module?
3. Seems reasonable, I've moved it into the ipalib module for now. It will go wherever the contents of that module end up.

Logistical stuff:

* Now that this is under review I won't add any more content. Are you ok with the two commits about testing being part of this review or should I remove them?
* If you run rebase --autosquash with the latest commit it doesn't actually apply cleanly, but I'm trying not to change history while it's being reviewed, so I'll do the rebase later on if that's ok?

-------------- next part -------------- An HTML attachment was scrubbed... URL:

From freeipa-github-notification at redhat.com Fri Sep 16 05:14:28 2016
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Fri, 16 Sep 2016 07:14:28 +0200
Subject: [Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (comment)

Akasurde commented on a pull request
"""
@mbasti-rh I re-opened the ticket, Could you please provide ack ?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/83#issuecomment-247519895

From freeipa-github-notification at redhat.com Fri Sep 16 06:51:28 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 16 Sep 2016 08:51:28 +0200
Subject: [Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (comment)

mbasti-rh commented on a pull request
"""
@Akasurde I said we need a *new* ticket for it. I opened one for you https://fedorahosted.org/freeipa/ticket/6335
"""

See the full comment at https://github.com/freeipa/freeipa/pull/83#issuecomment-247530662

From freeipa-github-notification at redhat.com Fri Sep 16 06:54:25 2016
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Fri, 16 Sep 2016 08:54:25 +0200
Subject: [Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (edited)

Akasurde's pull request #83: "Added a fix for setting Priority as required field " was edited

See the full pull-request at https://github.com/freeipa/freeipa/pull/83
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/83/head:pr83
git checkout pr83

From freeipa-github-notification at redhat.com Fri Sep 16 06:59:37 2016
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Fri, 16 Sep 2016 08:59:37 +0200
Subject: [Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (synchronized)

Akasurde's pull request #83: "Added a fix for setting Priority as required field " was synchronized

See the full pull-request at https://github.com/freeipa/freeipa/pull/83
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/83/head:pr83
git checkout pr83

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-83.patch Type: text/x-diff Size: 1064 bytes Desc: not available URL:

From freeipa-github-notification at redhat.com Fri Sep 16 07:04:43 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 16 Sep 2016 09:04:43 +0200
Subject: [Freeipa-devel] [freeipa PR#83] Added a fix for setting Priority as required field (+ack)

Akasurde's pull request #83: "Added a fix for setting Priority as required field " label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/83

From mbasti at redhat.com Fri Sep 16 07:17:57 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 16 Sep 2016 09:17:57 +0200
Subject: [Freeipa-devel] Github review feature
Message-ID: <19d04716-d492-9b2d-d07b-fe1e67095379@redhat.com>

Sorry for stealing your thread, but you started asking about github review emails :)

Standard review inline comments are disabled on purpose, each comment generates one email, so we decided that it is better, after review, to write a regular comment "NACK, please see inline comments" or so.

I was expecting that the new review feature is sending all comments in one batch, but I was wrong. I used the new review feature (with the pending comments) but when I sent it I received all comments as single notifications again, so again one inline comment = one email.

It is even worse with review states (approved, required change). I didn't receive any notification from github related to this (not sure if it is part of any inline comment message or just not implemented yet). This is not documented in their API docs (according to David) so we cannot use it in our tools yet.

Generally, adding labels ACK/Rejected is more visible and filters can be made easily.

So for now I would stay with our old workflow and not extend email notifications. We can play with the new review feature for a longer time and decide if it is worth using (and change email notifications accordingly).

Martin^2

On 15.09.2016 22:49, Ben Lipton wrote:
> On 09/15/2016 02:12 AM, jcholast wrote:
>> jcholast commented on a pull request
>>
>> """
>> In addition to my inline comments above:
>>
>> 1. "Certificate mapping" does not really evoke "certificate request templating" to me, and is also used in the context of mapping identities to certificates. Could we use a more suitable name to avoid confusion?
>> 2. The `ipalib.certmapping` module is used only in `ipaclient`, so that's where it should be located. It can be moved to `ipalib` later if necessary.
>> 3. I don't think `IPAExtension` deserves its own module, at least not now.
>> """
>>
>> See the full comment at https://github.com/freeipa/freeipa/pull/10#issuecomment-247244120
>>
>>
> Tried sending my comments as a "review" (new Github feature) and it
> seems they don't get sent to the list that way. So:
>
> Thanks for the comments! I've fixed the simple ones and replied to the
> rest. Regarding your comments about file organization:
>
> 1. I quite agree that certmapping isn't a good name for what this
> turned out to be. With the convention of naming modules after the
> objects they model, perhaps a good name would
> be `certrequest` or `csr`? The command could be renamed to something
> like `certrequest-get-data` (or `certrequest-get-script`).
> 2. Just to confirm, you're suggesting just moving these classes to
> the `ipaclient.plugins.` module?
> 3. Seems reasonable, I've moved it into the ipalib module for now. It
> will go wherever the contents of that module end up.
>
> Logistical stuff:
>
> * Now that this is under review I won't add any more content. Are
> you ok with the two commits about testing being part of this
> review or should I remove them?
> * If you run rebase --autosquash with the latest commit it doesn't
> actually apply cleanly, but I'm trying not to change history while
> it's being reviewed, so I'll do the rebase later on if that's ok?
>
>

-------------- next part -------------- An HTML attachment was scrubbed... URL:

From freeipa-github-notification at redhat.com Fri Sep 16 07:40:29 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 16 Sep 2016 09:40:29 +0200
Subject: [Freeipa-devel] [freeipa PR#82] Fix regexp in user/group name (comment)

stlaz commented on a pull request
"""
Would the gist of this patch also apply to any of idviews, servicedelegation or topology plugins where a similar or slightly different regexp is used? Could we rather have the regexp as a constant somewhere so it does not have to be changed at all places it appears every time we want to modify it?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/82#issuecomment-247538082

From freeipa-github-notification at redhat.com Fri Sep 16 08:03:44 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Fri, 16 Sep 2016 10:03:44 +0200
Subject: [Freeipa-devel] [freeipa PR#82] Fix regexp in user/group name (comment)

abbra commented on a pull request
"""
'uid' in user object and 'cn' in group object have meaning in POSIX environments. 'cn' in other objects is not subject for strict limits.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/82#issuecomment-247541965

From freeipa-github-notification at redhat.com Fri Sep 16 08:48:47 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 16 Sep 2016 10:48:47 +0200
Subject: [Freeipa-devel] [freeipa PR#82][comment] Fix regexp in user/group name

URL: https://github.com/freeipa/freeipa/pull/82
Title: #82: Fix regexp in user/group name

stlaz commented:
"""
Sure. But from what I see, this patch may possibly break idviews plugin for users of username of about 255 characters (see idoverrideuser - 'uid'), same for groups (with 'cn' ofc). NACK until that is fixed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/82#issuecomment-247549973

From freeipa-github-notification at redhat.com Fri Sep 16 11:37:37 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 16 Sep 2016 13:37:37 +0200
Subject: [Freeipa-devel] [freeipa PR#89][+ack] client: remove hard dependency on pam_krb5

URL: https://github.com/freeipa/freeipa/pull/89
Title: #89: client: remove hard dependency on pam_krb5
Label: +ack

From freeipa-github-notification at redhat.com Fri Sep 16 11:37:44 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 16 Sep 2016 13:37:44 +0200
Subject: [Freeipa-devel] [freeipa PR#89][comment] client: remove hard dependency on pam_krb5

URL: https://github.com/freeipa/freeipa/pull/89
Title: #89: client: remove hard dependency on pam_krb5

stlaz commented:
"""
Works as expected.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/89#issuecomment-247579650

From freeipa-github-notification at redhat.com Fri Sep 16 12:58:41 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 16 Sep 2016 14:58:41 +0200
Subject: [Freeipa-devel] [freeipa PR#82][synchronized] Fix regexp in user/group name

URL: https://github.com/freeipa/freeipa/pull/82
Author: mbasti-rh
Title: #82: Fix regexp in user/group name
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/82/head:pr82
git checkout pr82

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-82.patch Type: text/x-diff Size: 4450 bytes Desc: not available URL:

From freeipa-github-notification at redhat.com Fri Sep 16 13:43:06 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 16 Sep 2016 15:43:06 +0200
Subject: [Freeipa-devel] [freeipa PR#69][comment] Fix ipa-replica-install with RHEL 6.8 master

URL: https://github.com/freeipa/freeipa/pull/69
Title: #69: Fix ipa-replica-install with RHEL 6.8 master

pvoborni commented:
"""
Is it still needed? Seems that fixing IPA 3.0 fixes the issue.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/69#issuecomment-247603640

From freeipa-github-notification at redhat.com Fri Sep 16 14:25:06 2016
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Fri, 16 Sep 2016 16:25:06 +0200
Subject: [Freeipa-devel] [freeipa PR#69][comment] Fix ipa-replica-install with RHEL 6.8 master

URL: https://github.com/freeipa/freeipa/pull/69
Title: #69: Fix ipa-replica-install with RHEL 6.8 master

flo-renaud commented:
"""
Please ignore this PR as the issue has been fixed in IPA 3.0 (in ipa-replica-prepare).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/69#issuecomment-247614004

From freeipa-github-notification at redhat.com Fri Sep 16 14:27:31 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 16 Sep 2016 16:27:31 +0200
Subject: [Freeipa-devel] [freeipa PR#69][+rejected] Fix ipa-replica-install with RHEL 6.8 master

URL: https://github.com/freeipa/freeipa/pull/69
Title: #69: Fix ipa-replica-install with RHEL 6.8 master
Label: +rejected

From freeipa-github-notification at redhat.com Fri Sep 16 14:27:33 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 16 Sep 2016 16:27:33 +0200
Subject: [Freeipa-devel] [freeipa PR#69][closed] Fix ipa-replica-install with RHEL 6.8 master

URL: https://github.com/freeipa/freeipa/pull/69
Author: flo-renaud
Title: #69: Fix ipa-replica-install with RHEL 6.8 master
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/69/head:pr69
git checkout pr69

From freeipa-github-notification at redhat.com Mon Sep 19 05:53:45 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 19 Sep 2016 07:53:45 +0200
Subject: [Freeipa-devel] [freeipa PR#50][+ack] Add cert checks in ipa-server-certinstall

URL: https://github.com/freeipa/freeipa/pull/50
Title: #50: Add cert checks in ipa-server-certinstall
Label: +ack

From freeipa-github-notification at redhat.com Mon Sep 19 05:55:15 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 19 Sep 2016 07:55:15 +0200
Subject: [Freeipa-devel] [freeipa PR#50][+pushed] Add cert checks in ipa-server-certinstall

URL: https://github.com/freeipa/freeipa/pull/50
Title: #50: Add cert checks in ipa-server-certinstall
Label: +pushed

From freeipa-github-notification at redhat.com Mon Sep 19 05:55:17 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 19 Sep 2016 07:55:17 +0200
Subject: [Freeipa-devel] [freeipa PR#50][comment] Add cert checks in ipa-server-certinstall

URL: https://github.com/freeipa/freeipa/pull/50
Title: #50: Add cert checks in ipa-server-certinstall

jcholast commented:
"""
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/0c4a91348a57ee941db94b31f59952eb1fcd4565
"""

See the full comment at https://github.com/freeipa/freeipa/pull/50#issuecomment-247915464

From freeipa-github-notification at redhat.com Mon Sep 19 05:55:18 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 19 Sep 2016 07:55:18 +0200
Subject: [Freeipa-devel] [freeipa PR#50][closed] Add cert checks in ipa-server-certinstall

URL: https://github.com/freeipa/freeipa/pull/50
Author: flo-renaud
Title: #50: Add cert checks in ipa-server-certinstall
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/50/head:pr50
git checkout pr50

From freeipa-github-notification at redhat.com Mon Sep 19 05:57:20 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 19 Sep 2016 07:57:20 +0200
Subject: [Freeipa-devel] [freeipa PR#89][+pushed] client: remove hard dependency on pam_krb5

URL: https://github.com/freeipa/freeipa/pull/89
Title: #89: client: remove hard dependency on pam_krb5
Label: +pushed

From freeipa-github-notification at redhat.com Mon Sep 19 05:57:21 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 19 Sep 2016 07:57:21 +0200
Subject: [Freeipa-devel] [freeipa PR#89][closed] client: remove hard dependency on pam_krb5

URL: https://github.com/freeipa/freeipa/pull/89
Author: jcholast
Title: #89: client: remove hard dependency on pam_krb5
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/89/head:pr89
git checkout pr89

From freeipa-github-notification at redhat.com Mon Sep 19 05:57:22 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 19 Sep 2016 07:57:22 +0200
Subject: [Freeipa-devel] [freeipa PR#89][comment] client: remove hard dependency on pam_krb5

URL: https://github.com/freeipa/freeipa/pull/89
Title: #89: client: remove hard dependency on pam_krb5

jcholast commented:
"""
Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/984ae3858d8fb25d30b886bb953df1b06ab34ec7
ipa-4-4: https://fedorahosted.org/freeipa/changeset/62eefc74693022ebdd1e19a0c33d0f5479c9f93e
"""

See the full comment at https://github.com/freeipa/freeipa/pull/89#issuecomment-247915596

From freeipa-github-notification at redhat.com Mon Sep 19 07:56:05 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 19 Sep 2016 09:56:05 +0200
Subject: [Freeipa-devel] [freeipa PR#10][comment] Client-side CSR autogeneration

URL: https://github.com/freeipa/freeipa/pull/10
Title: #10: Client-side CSR autogeneration

jcholast commented:
"""
1. I'm afraid `certrequest` (actually `certreq`) is already taken. What about `csrgen`?
2. I would be perfectly happy with `ipaclient.`.
3. OK.

Logistical stuff:
- I'm fine with the testing commits being part of this review. I would also be fine with new content if it was added after this part of review is done.
- I'm fine with later rebase.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/10#issuecomment-247930858

From freeipa-github-notification at redhat.com Mon Sep 19 11:27:01 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 19 Sep 2016 13:27:01 +0200
Subject: [Freeipa-devel] [freeipa PR#90][opened] Update ipa-server-install man page for hostname

URL: https://github.com/freeipa/freeipa/pull/90
Author: tomaskrizek
Title: #90: Update ipa-server-install man page for hostname
Action: opened

PR body:
"""
Hostname is always set, remove the text that says hostname is set only if it does not match the current hostname.

https://fedorahosted.org/freeipa/ticket/6330
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/90/head:pr90
git checkout pr90

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-90.patch Type: text/x-diff Size: 1368 bytes Desc: not available URL:

From freeipa-github-notification at redhat.com Mon Sep 19 11:27:03 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 19 Sep 2016 13:27:03 +0200
Subject: [Freeipa-devel] [freeipa PR#91][opened] Add help info about certificate revocation reasons

URL: https://github.com/freeipa/freeipa/pull/91
Author: tomaskrizek
Title: #91: Add help info about certificate revocation reasons
Action: opened

PR body:
"""
Inform the user where to find additional information about certificate revocation reasons.

https://fedorahosted.org/freeipa/ticket/6327
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/91/head:pr91
git checkout pr91

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-91.patch Type: text/x-diff Size: 1049 bytes Desc: not available URL:

From blipton at redhat.com Mon Sep 19 11:27:25 2016
From: blipton at redhat.com (Ben Lipton)
Date: Mon, 19 Sep 2016 07:27:25 -0400
Subject: [Freeipa-devel] Github review feature
In-Reply-To: <19d04716-d492-9b2d-d07b-fe1e67095379@redhat.com>
References: <19d04716-d492-9b2d-d07b-fe1e67095379@redhat.com>

On 09/16/2016 03:17 AM, Martin Basti wrote:
>
> Sorry for stealing your thread, but you started asking about github
> review emails :)
>
>
> Standard review inline comments are disabled on purpose, each comment
> generates one email, so we decided that it is better, after review, to
> write a regular comment "NACK, please see inline comments" or so.
>
> I was expecting that the new review feature is sending all comments
> in one batch, but I was wrong. I used the new review feature (with the
> pending comments) but when I sent it I received all comments as single
> notifications again, so again one inline comment = one email
>
> It is even worse with review states (approved, required change). I
> didn't receive any notification from github related to this (not sure
> if it is part of any inline comment message or just not implemented yet).
> This is not documented in their API docs (according to David) so we
> cannot use it in our tools yet.
>
> Generally, adding labels ACK/Rejected is more visible and filters can
> be made easily.
>
>
> So for now I would stay with our old workflow and not extend email
> notifications. We can play with the new review feature for a longer time and
> decide if it is worth using (and change email notifications
> accordingly)
>

That all seems reasonable. I hope they will improve the API in the future to make this work better, but in the meantime the current process is fine. Thanks for looking into it!

Ben

From freeipa-github-notification at redhat.com Mon Sep 19 12:25:56 2016
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Mon, 19 Sep 2016 14:25:56 +0200
Subject: [Freeipa-devel] [freeipa PR#76][+ack] Keep NSS trust flags of existing certificates

URL: https://github.com/freeipa/freeipa/pull/76
Title: #76: Keep NSS trust flags of existing certificates
Label: +ack

From freeipa-github-notification at redhat.com Mon Sep 19 12:28:25 2016
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Mon, 19 Sep 2016 14:28:25 +0200
Subject: [Freeipa-devel] [freeipa PR#76][comment] Keep NSS trust flags of existing certificates

URL: https://github.com/freeipa/freeipa/pull/76
Title: #76: Keep NSS trust flags of existing certificates

flo-renaud commented:
"""
(re-sending as setting the review state did not send any email)
Hi Tomas, thanks for your patch. Works as expected.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/76#issuecomment-247979575

From freeipa-github-notification at redhat.com Mon Sep 19 12:39:59 2016
From: freeipa-github-notification at redhat.com (LiptonB)
Date: Mon, 19 Sep 2016 14:39:59 +0200
Subject: [Freeipa-devel] [freeipa PR#10][synchronized] Client-side CSR autogeneration

URL: https://github.com/freeipa/freeipa/pull/10
Author: LiptonB
Title: #10: Client-side CSR autogeneration
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/10/head:pr10
git checkout pr10

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-10.patch Type: text/x-diff Size: 172661 bytes Desc: not available URL:

From freeipa-github-notification at redhat.com Mon Sep 19 12:47:38 2016
From: freeipa-github-notification at redhat.com (LiptonB)
Date: Mon, 19 Sep 2016 14:47:38 +0200
Subject: [Freeipa-devel] [freeipa PR#10][synchronized] Client-side CSR autogeneration

URL: https://github.com/freeipa/freeipa/pull/10
Author: LiptonB
Title: #10: Client-side CSR autogeneration
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/10/head:pr10
git checkout pr10

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-10.patch Type: text/x-diff Size: 172646 bytes Desc: not available URL:

From freeipa-github-notification at redhat.com Mon Sep 19 12:53:10 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 19 Sep 2016 14:53:10 +0200
Subject: [Freeipa-devel] [freeipa PR#87][comment] dns: re-introduce --raw in dnsrecord-del

URL: https://github.com/freeipa/freeipa/pull/87
Title: #87: dns: re-introduce --raw in dnsrecord-del

mbasti-rh commented:
"""
Works for me with server API.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/87#issuecomment-247984671

From freeipa-github-notification at redhat.com Mon Sep 19 12:53:13 2016
From: freeipa-github-notification at redhat.com (LiptonB)
Date: Mon, 19 Sep 2016 14:53:13 +0200
Subject: [Freeipa-devel] [freeipa PR#10][comment] Client-side CSR autogeneration

URL: https://github.com/freeipa/freeipa/pull/10
Title: #10: Client-side CSR autogeneration

LiptonB commented:
"""
`csrgen` sounds good to me. The new modules have now been moved to `ipaclient.plugins.csrgen`, `ipaclient.csrgen`, and `ipatests.test_ipaclient.test_csrgen`.

FYI: I force pushed a few minutes after adding these commits to fix a pep8 error.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/10#issuecomment-247984688

From freeipa-github-notification at redhat.com Mon Sep 19 12:53:21 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 19 Sep 2016 14:53:21 +0200
Subject: [Freeipa-devel] [freeipa PR#87][+ack] dns: re-introduce --raw in dnsrecord-del

URL: https://github.com/freeipa/freeipa/pull/87
Title: #87: dns: re-introduce --raw in dnsrecord-del
Label: +ack

From freeipa-github-notification at redhat.com Mon Sep 19 15:07:55 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 19 Sep 2016 17:07:55 +0200
Subject: [Freeipa-devel] [freeipa PR#92][opened] Add log messages for IP checks during client install

URL: https://github.com/freeipa/freeipa/pull/92
Author: tomaskrizek
Title: #92: Add log messages for IP checks during client install
Action: opened

PR body:
"""
The added log messages allow easier debugging of IP related issues during ipa-client-install.

https://fedorahosted.org/freeipa/ticket/6331
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/92/head:pr92
git checkout pr92

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-92.patch Type: text/x-diff Size: 1091 bytes Desc: not available URL:

From freeipa-github-notification at redhat.com Mon Sep 19 15:37:49 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 19 Sep 2016 17:37:49 +0200
Subject: [Freeipa-devel] [freeipa PR#87][+pushed] dns: re-introduce --raw in dnsrecord-del

URL: https://github.com/freeipa/freeipa/pull/87
Title: #87: dns: re-introduce --raw in dnsrecord-del
Label: +pushed

From freeipa-github-notification at redhat.com Mon Sep 19 15:38:04 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 19 Sep 2016 17:38:04 +0200
Subject: [Freeipa-devel] [freeipa PR#87][comment] dns: re-introduce --raw in dnsrecord-del

URL: https://github.com/freeipa/freeipa/pull/87
Title: #87: dns: re-introduce --raw in dnsrecord-del

mbasti-rh commented:
"""
Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/e5f7a612fbfdaa9ee12ef16cef550931011abe4c
ipa-4-4: https://fedorahosted.org/freeipa/changeset/2609a3ef4b5d4f8f043128365baaa4a046967483
"""

See the full comment at https://github.com/freeipa/freeipa/pull/87#issuecomment-248029245

From freeipa-github-notification at redhat.com Mon Sep 19 15:38:24 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 19 Sep 2016 17:38:24 +0200
Subject: [Freeipa-devel] [freeipa PR#87][closed] dns: re-introduce --raw in dnsrecord-del

URL: https://github.com/freeipa/freeipa/pull/87
Author: jcholast
Title: #87: dns: re-introduce --raw in dnsrecord-del
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/87/head:pr87
git checkout pr87

From freeipa-github-notification at redhat.com Mon Sep 19 15:51:23 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 19 Sep 2016 17:51:23 +0200
Subject: [Freeipa-devel] [freeipa PR#88][comment] test_plugable: update the rest of test_init

URL: https://github.com/freeipa/freeipa/pull/88
Title: #88: test_plugable: update the rest of test_init

mbasti-rh commented:
"""
Can you please remove unused import?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/88#issuecomment-248033023

From freeipa-github-notification at redhat.com Mon Sep 19 15:57:00 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 19 Sep 2016 17:57:00 +0200
Subject: [Freeipa-devel] [freeipa PR#76][comment] Keep NSS trust flags of existing certificates

URL: https://github.com/freeipa/freeipa/pull/76
Title: #76: Keep NSS trust flags of existing certificates

mbasti-rh commented:
"""
This does not apply to ipa-4-2, please rebase and create a new PR for 4.2
"""

See the full comment at https://github.com/freeipa/freeipa/pull/76#issuecomment-248034608

From freeipa-github-notification at redhat.com Mon Sep 19 15:58:24 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 19 Sep 2016 17:58:24 +0200
Subject: [Freeipa-devel] [freeipa PR#76][+pushed] Keep NSS trust flags of existing certificates

URL: https://github.com/freeipa/freeipa/pull/76
Title: #76: Keep NSS trust flags of existing certificates
Label: +pushed

From freeipa-github-notification at redhat.com Mon Sep 19 15:58:39 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 19 Sep 2016 17:58:39 +0200
Subject: [Freeipa-devel] [freeipa PR#76][comment] Keep NSS trust flags of existing certificates

URL: https://github.com/freeipa/freeipa/pull/76
Title: #76: Keep NSS trust flags of existing certificates

mbasti-rh commented:
"""
Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/2bc70a5d5f5eb953969e7341179c5083c147221a
ipa-4-3: https://fedorahosted.org/freeipa/changeset/b3e57f789ef7f697f8cc68f180dc8ce292954ed4
"""

See the full comment at https://github.com/freeipa/freeipa/pull/76#issuecomment-248035107

From freeipa-github-notification at redhat.com Mon Sep 19 15:58:51 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 19 Sep 2016 17:58:51 +0200
Subject: [Freeipa-devel] [freeipa PR#76][closed] Keep NSS trust flags of existing certificates

URL: https://github.com/freeipa/freeipa/pull/76
Author: tomaskrizek
Title: #76: Keep NSS trust flags of existing certificates
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/76/head:pr76
git checkout pr76

From freeipa-github-notification at redhat.com Mon Sep 19 18:58:48 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Mon, 19 Sep 2016 20:58:48 +0200
Subject: [Freeipa-devel] [freeipa PR#86][comment] Made sssd restart a non-raising opration

URL: https://github.com/freeipa/freeipa/pull/86
Title: #86: Made sssd restart a non-raising opration

mirielka commented:
"""
Hi, so sorry about this, but the necessity of sssd restart was caused by some leftover mess on the machines where I ran the trust related tests. If the configuration is correct and the system clean, the restart is not necessary. I recommend rejecting this patch and will provide a fix for my error ASAP.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/86#issuecomment-248088611

From freeipa-github-notification at redhat.com Tue Sep 20 05:15:15 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Tue, 20 Sep 2016 07:15:15 +0200
Subject: [Freeipa-devel] [freeipa PR#88][synchronized] test_plugable: update the rest of test_init

URL: https://github.com/freeipa/freeipa/pull/88
Author: jcholast
Title: #88: test_plugable: update the rest of test_init
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/88/head:pr88
git checkout pr88

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-88.patch
Type: text/x-diff
Size: 1997 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Sep 20 05:53:24 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 20 Sep 2016 07:53:24 +0200
Subject: [Freeipa-devel] [freeipa PR#90][+ack] Update ipa-server-install man page for hostname

URL: https://github.com/freeipa/freeipa/pull/90
Title: #90: Update ipa-server-install man page for hostname
Label: +ack

From freeipa-github-notification at redhat.com Tue Sep 20 05:55:58 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 20 Sep 2016 07:55:58 +0200
Subject: [Freeipa-devel] [freeipa PR#91][+ack] Add help info about certificate revocation reasons

URL: https://github.com/freeipa/freeipa/pull/91
Title: #91: Add help info about certificate revocation reasons
Label: +ack

From freeipa-github-notification at redhat.com Tue Sep 20 05:56:28 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 20 Sep 2016 07:56:28 +0200
Subject: [Freeipa-devel] [freeipa PR#91][comment] Add help info about certificate revocation reasons

URL: https://github.com/freeipa/freeipa/pull/91
Title: #91: Add help info about certificate revocation reasons

stlaz commented:
"""
Please, don't forget to add the ACK labels if you think the code should be pushed into FreeIPA.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/91#issuecomment-248208732

From freeipa-github-notification at redhat.com Tue Sep 20 07:17:34 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Tue, 20 Sep 2016 09:17:34 +0200
Subject: [Freeipa-devel] [freeipa PR#77][synchronized] Tests: Update host test with ipa-join

URL: https://github.com/freeipa/freeipa/pull/77
Author: mirielka
Title: #77: Tests: Update host test with ipa-join
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/77/head:pr77
git checkout pr77

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-77.patch
Type: text/x-diff
Size: 4089 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Sep 20 07:19:18 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Tue, 20 Sep 2016 09:19:18 +0200
Subject: [Freeipa-devel] [freeipa PR#93][opened] Tests: Remove SSSD restart from integration tests

URL: https://github.com/freeipa/freeipa/pull/93
Author: mirielka
Title: #93: Tests: Remove SSSD restart from integration tests
Action: opened

PR body:
"""
SSSD restart has been mistakenly added to integration tests (test_integration/tasks.py::uninstall_master). When system setup is correct, this restart has no significance, moreover it makes tests fail, hence its removal is necessary.

https://fedorahosted.org/freeipa/ticket/6338
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/93/head:pr93
git checkout pr93

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-93.patch
Type: text/x-diff
Size: 1102 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Sep 20 07:46:57 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Tue, 20 Sep 2016 09:46:57 +0200
Subject: [Freeipa-devel] [freeipa PR#94][opened] [ipa-4-2] Keep NSS trust flags of existing certificates

URL: https://github.com/freeipa/freeipa/pull/94
Author: tomaskrizek
Title: #94: [ipa-4-2] Keep NSS trust flags of existing certificates
Action: opened

PR body:
"""
Backup and restore trust flags of existing certificates during CA installation. This prevents marking a previously trusted certificate as untrusted, as was the case when CA-less was converted to CA-full with external CA when using the same certificate.

https://fedorahosted.org/freeipa/ticket/5791
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/94/head:pr94
git checkout pr94

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-94.patch
Type: text/x-diff
Size: 1661 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Sep 20 07:53:51 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Tue, 20 Sep 2016 09:53:51 +0200
Subject: [Freeipa-devel] [freeipa PR#92][synchronized] Add log messages for IP checks during client install

URL: https://github.com/freeipa/freeipa/pull/92
Author: tomaskrizek
Title: #92: Add log messages for IP checks during client install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/92/head:pr92
git checkout pr92

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-92.patch
Type: text/x-diff
Size: 1086 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Sep 20 08:22:16 2016
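The backup-and-restore step that PR #94 (and PR #76 before it) describes, as an added example that is not FreeIPA's own code: snapshot each certificate's NSS trust flags from `certutil -L` before the CA install, diff them afterwards, and emit the `certutil -M` calls that put the original flags back. The two listings, the nicknames and the database path are constructed.

```python
import re
import subprocess
from typing import Dict, List

# Constructed `certutil -L -d <nssdb>` listings (example data, not from a real
# FreeIPA install). "Before" is the CA-less server: the externally issued
# Server-Cert chains to "External CA Root", which carries "C" (trusted CA)
# in the first, SSL, trust slot.
LISTING_BEFORE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

External CA Root                                             C,,
Server-Cert                                                  u,u,u
"""

# "After" models the failure PR #94 fixes: the CA install re-imported the same
# root without its flags, so it is now ",," (no trust in any slot).
LISTING_AFTER = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

External CA Root                                             ,,
Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
"""

# A row is "<nickname>   <ssl>,<email>,<objsign>". Nicknames may contain spaces,
# so the trust triple is anchored at the end of the line; header lines do not
# end in a comma triple and therefore never match.
_ROW_RE = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<flags>[pPcCTu]*,[pPcCTu]*,[pPcCTu]*)\s*$")


def parse_trust_flags(listing: str) -> Dict[str, str]:
    """Map certificate nickname -> NSS trust attribute string."""
    flags: Dict[str, str] = {}
    for line in listing.splitlines():
        m = _ROW_RE.match(line)
        if m:
            flags[m.group("nick")] = m.group("flags")
    return flags


def snapshot_trust_flags(nssdb: str) -> Dict[str, str]:
    """Back up the live database's flags; run this before the CA install."""
    out = subprocess.run(["certutil", "-L", "-d", nssdb], check=True,
                         capture_output=True, text=True).stdout
    return parse_trust_flags(out)


def is_trusted_ca(flags: str) -> bool:
    """True when the SSL slot marks the certificate as a trusted CA (C or T)."""
    ssl_slot = flags.split(",")[0]
    return "C" in ssl_slot or "T" in ssl_slot


def certs_that_lost_trust(before: Dict[str, str],
                          after: Dict[str, str]) -> List[str]:
    """Nicknames that were trusted CAs in the backup and are not any more."""
    return sorted(nick for nick, flags in before.items()
                  if is_trusted_ca(flags)
                  and not is_trusted_ca(after.get(nick, ",,")))


def restore_commands(before: Dict[str, str], after: Dict[str, str],
                     nssdb: str) -> List[List[str]]:
    """certutil -M invocations that reapply every flag string that changed."""
    cmds = []
    for nick, flags in before.items():
        if nick in after and after[nick] != flags:
            cmds.append(["certutil", "-M", "-d", nssdb, "-n", nick, "-t", flags])
    return cmds


def restore_trust_flags(before: Dict[str, str], nssdb: str) -> List[List[str]]:
    """Apply the restore to the live database and return what was executed."""
    cmds = restore_commands(before, snapshot_trust_flags(nssdb), nssdb)
    for cmd in cmds:
        subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    before = parse_trust_flags(LISTING_BEFORE)
    after = parse_trust_flags(LISTING_AFTER)
    print("lost trust:", certs_that_lost_trust(before, after))
    for cmd in restore_commands(before, after, "/path/to/nssdb"):  # placeholder path
        print(" ".join(cmd))
```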
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 20 Sep 2016 10:22:16 +0200
Subject: [Freeipa-devel] [freeipa PR#85][comment] WebUI: Change group name from 'normal' to 'Non-POSIX'

URL: https://github.com/freeipa/freeipa/pull/85
Title: #85: WebUI: Change group name from 'normal' to 'Non-POSIX'

stlaz commented:
"""
Works fine.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/85#issuecomment-248236255

From freeipa-github-notification at redhat.com Tue Sep 20 08:22:19 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 20 Sep 2016 10:22:19 +0200
Subject: [Freeipa-devel] [freeipa PR#85][+ack] WebUI: Change group name from 'normal' to 'Non-POSIX'

URL: https://github.com/freeipa/freeipa/pull/85
Title: #85: WebUI: Change group name from 'normal' to 'Non-POSIX'
Label: +ack

From freeipa-github-notification at redhat.com Tue Sep 20 08:24:21 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 20 Sep 2016 10:24:21 +0200
Subject: [Freeipa-devel] [freeipa PR#92][+ack] Add log messages for IP checks during client install

URL: https://github.com/freeipa/freeipa/pull/92
Title: #92: Add log messages for IP checks during client install
Label: +ack

From freeipa-github-notification at redhat.com Tue Sep 20 09:13:56 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Tue, 20 Sep 2016 11:13:56 +0200
Subject: [Freeipa-devel] [freeipa PR#95][opened] Tests: Remove unnecessary attributes from base tracker

URL: https://github.com/freeipa/freeipa/pull/95
Author: mirielka
Title: #95: Tests: Remove unnecessary attributes from base tracker
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6128
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/95/head:pr95
git checkout pr95

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-95.patch
Type: text/x-diff
Size: 808 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Sep 20 10:13:54 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Tue, 20 Sep 2016 12:13:54 +0200
Subject: [Freeipa-devel] [freeipa PR#96][opened] Show error message for invalid IPs in client install

URL: https://github.com/freeipa/freeipa/pull/96
Author: tomaskrizek
Title: #96: Show error message for invalid IPs in client install
Action: opened

PR body:
"""
Re-raise the thrown exception to get an error message instead of a traceback during ipa-client-install with invalid IP address.

https://fedorahosted.org/freeipa/ticket/6340
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/96/head:pr96
git checkout pr96

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-96.patch
Type: text/x-diff
Size: 1149 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Sep 20 11:02:06 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 20 Sep 2016 13:02:06 +0200
Subject: [Freeipa-devel] [freeipa PR#82][synchronized] Fix regexp in user/group name

URL: https://github.com/freeipa/freeipa/pull/82
Author: mbasti-rh
Title: #82: Fix regexp in user/group name
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/82/head:pr82
git checkout pr82

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-82.patch
Type: text/x-diff
Size: 8478 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Sep 20 11:04:09 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 20 Sep 2016 13:04:09 +0200
Subject: [Freeipa-devel] [freeipa PR#82][synchronized] Fix regexp in user/group name

URL: https://github.com/freeipa/freeipa/pull/82
Author: mbasti-rh
Title: #82: Fix regexp in user/group name
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/82/head:pr82
git checkout pr82

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-82.patch
Type: text/x-diff
Size: 8478 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Sep 20 12:06:38 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Tue, 20 Sep 2016 14:06:38 +0200
Subject: [Freeipa-devel] [freeipa PR#82][comment] Fix regexp in user/group name

URL: https://github.com/freeipa/freeipa/pull/82
Title: #82: Fix regexp in user/group name

abbra commented:
"""
LGTM. Thanks for first fixing the regexp and then replacing it by a constant, this will help with backports.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/82#issuecomment-248282196

From freeipa-github-notification at redhat.com Tue Sep 20 12:06:51 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Tue, 20 Sep 2016 14:06:51 +0200
Subject: [Freeipa-devel] [freeipa PR#82][+ack] Fix regexp in user/group name

URL: https://github.com/freeipa/freeipa/pull/82
Title: #82: Fix regexp in user/group name
Label: +ack

From freeipa-github-notification at redhat.com Tue Sep 20 13:20:23 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 20 Sep 2016 15:20:23 +0200
Subject: [Freeipa-devel] [freeipa PR#97][opened] Pylint fixes

URL: https://github.com/freeipa/freeipa/pull/97
Author: mbasti-rh
Title: #97: Pylint fixes
Action: opened

PR body:
"""
I updated pylint fixes from Jan Barta
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/97/head:pr97
git checkout pr97

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-97.patch
Type: text/x-diff
Size: 35279 bytes
Desc: not available

From mbasti at redhat.com Tue Sep 20 13:21:21 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 20 Sep 2016 15:21:21 +0200
Subject: [Freeipa-devel] [PATCH] pylint fixes
In-Reply-To: <32f24f39-4f11-f10b-667a-f0cb279e4639@redhat.com>
References: <495588b7-9e02-942d-81fd-01e852f07e6c@redhat.com> <623d1af4-7e4c-63ce-d6d3-3874a6ef87cd@redhat.com> <9fb20d03-4559-8ad2-1e95-4c1da386ae06@redhat.com> <7bf2dcab-0a71-abc6-2062-aa291fd82278@redhat.com> <6b1ff078-f1dd-c5d3-607b-2e2e84b9d878@redhat.com> <32f24f39-4f11-f10b-667a-f0cb279e4639@redhat.com>
Message-ID: <82c04c32-0397-414c-6ded-886a7e941e67@redhat.com>

On 01.07.2016 15:51, Florence Blanc-Renaud wrote:
> On 06/21/2016 01:51 PM, Martin Basti wrote:
>>
>> On 21.06.2016 08:38, Florence Blanc-Renaud wrote:
>>> On 06/20/2016 07:08 PM, Martin Basti wrote:
>>>>
>>>> On 20.06.2016 19:06, Martin Basti wrote:
>>>>>
>>>>> On 20.06.2016 12:00, Florence Blanc-Renaud wrote:
>>>>>> On 06/09/2016 05:10 PM, Petr Spacek wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I've received a bunch of pylint fixes produced by upstream
>>>>>>> contributor who is not subscribed to the list so I'm resending them here.
>>>>>>>
>>>>>>> All credit goes to Bárta Jan <55042barta at sstebrno.eu>.
>>>>>>>
>>>>>>> Flo, if you have time for it I think that it could be a good
>>>>>>> exercise which will lead you to various dark corners in IPA :-)
>>>>>>>
>>>>>>> Petr^2 Spacek
>>>>>>>
>>>>>>> -------- Forwarded Message --------
>>>>>>> Date: Fri, 3 Jun 2016 14:57:16 +0200
>>>>>>> From: Bárta Jan <55042barta at sstebrno.eu>
>>>>>>> To: pspacek at redhat.com
>>>>>> ___- In the patch >>>>>> 0002-pylint-fix-simplifiable-if-statement-warnings.patch:_ >>>>>> >>>>>> diff --git a/ipatests/test_integration/tasks.py >>>>>> b/ipatests/test_integration/tasks.py >>>>>> index aebd907..ca2e10f 100644 >>>>>> --- a/ipatests/test_integration/tasks.py >>>>>> +++ b/ipatests/test_integration/tasks.py
>>>>>> @@ -149,11 +149,7 @@ def host_service_active(host, service): >>>>>> res = host.run_command(['systemctl', 'is-active', '--quiet', >>>>>> service], >>>>>> raiseonerr=False) >>>>>> >>>>>> - if res.returncode == 0: >>>>>> - return True >>>>>> - else: >>>>>> - return False >>>>>> - >>>>>> + return res.returncode >>>>>> >>>>>> should be instead: return res.returncode *== 0* (otherwise the >>>>>> return >>>>>> type is an int and not a boolean). >>>>>> >>>>>> In the same file: >>>>>> @@ -295,11 +291,7 @@ def >>>>>> master_authoritative_for_client_domain(master, client): >>>>>> zone = ".".join(client.hostname.split('.')[1:]) >>>>>> result = master.run_command(["ipa", "dnszone-show", zone], >>>>>> raiseonerr=False) >>>>>> - if result.returncode == 0: >>>>>> - return True >>>>>> - else: >>>>>> - return False >>>>>> - >>>>>> + result.returncode == 0 >>>>>> >>>>>> should be instead: *return* result.returncode == 0 (otherwise there >>>>>> is no return statement) >>>>>> >>>>>> diff --git a/ipaserver/plugins/dogtag.py >>>>>> b/ipaserver/plugins/dogtag.py >>>>>> index 197814c..36b6ba5 100644 >>>>>> --- a/ipaserver/plugins/dogtag.py >>>>>> +++ b/ipaserver/plugins/dogtag.py >>>>>> @@ -1689,12 +1689,7 @@ class ra(rabase.rabase): >>>>>> # Return command result >>>>>> cmd_result = {} >>>>>> >>>>>> - if parse_result.get('revoked') == 'yes': >>>>>> - cmd_result['revoked'] = True >>>>>> - else: >>>>>> - cmd_result['revoked'] = False >>>>>> - >>>>>> - return cmd_result >>>>>> + cmd_result['revoked'] = parse_result.get('revoked') >>>>>> >>>>>> Should be instead: cmd_result['revoked'] = >>>>>> parse_result.get('revoked') *== 'yes'* (otherwise the type is a >>>>>> string and not a boolean) >>>>>> >>>>>> _- in the patch 00__04-pylint-fix-unneeded-not.patch_ >>>>>> 
>>>>>> @@ -632,7 +632,7 @@ class host_add(LDAPCreate): >>>>>> options['ip_address'], >>>>>> check_forward=True, >>>>>> check_reverse=check_reverse) >>>>>> - if not options.get('force', False) and not 'ip_address' in >>>>>> options: >>>>>> + if options.get('force', False) and 'ip_address' not in >>>>>> options: >>>>>> >>>>>> Should be instead: if *not* options.get('force', False) and >>>>>> 'ip_address' not in options: >>>>>> because of operators precedence >>>>>> >>>>>> I will review patches 0005 to 0010 later today. >>>>>> Flo. >>>>>> >>>>>> >>>>> >>>>> How about patches 1, and 3? Because patches are independent, we can >>>>> separately ACK them and push them. >>>>> >>>>> Martin^2 >>>>> >>>>> >>>> >>>> Sorry, I just noticed that there is no patch 1 :) >>>> >>>> >>> Patch 0003 is OK, ACK for this one. >>> Flo. >>> >> Patch 0003: Pushed to master: 94909d21dbf033cbe34089782c430ec25b9ad0bc >> > Hi, > > please find my comments on the remaining patches. > > - Patch 0005 must be rebased because of changes in > ipatests/test_integration/tasks.py > the patch can also modify pylintrc (remove pointless-statement) > > - Patch 0006: > no need to rename the items in "for e in ...", renaming the Exception > as exc should be enough > > - Patch 0007: > pylintrc should remove old-style-class instead of > bad-classmethod-argument > > - Patch 0008: > this one should remove bad-classmethod-argument in pylintrc > > - Patch 0009: > ok > > - Patch 0010: > In the __bind method(self, obj_type), cls variable is already used > thus replacing self with cls can be done only if cls is also renamed > into something else. > > Flo. > Please follow new changes in this PR https://github.com/freeipa/freeipa/pull/97 It will be easier to review. Martin^2 From freeipa-github-notification at redhat.com Tue Sep 20 13:25:00 2016 
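Review bot: in the host_service_active hunk, `+ return res.returncode` inverts the function as well as changing its type: `systemctl is-active` exits 0 when the service is active, so the new code returns 0 (falsy) for a running service and a non-zero (truthy) code for a stopped one, and every `if host_service_active(...)` caller takes the wrong branch. The simplification that keeps the semantics is `return res.returncode == 0`, as the review already notes.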
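Review bot: in the master_authoritative_for_client_domain hunk, the added `+ result.returncode == 0` is a bare comparison with no `return`, so the function falls off its end and returns None for every zone; whether `ipa dnszone-show` succeeds no longer affects the result, and any test that depends on the master being authoritative for the client domain will be skipped or fail. It needs `return result.returncode == 0`.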
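Review bot: in the dogtag.py hunk, `cmd_result['revoked'] = parse_result.get('revoked')` stores the raw string ('yes' or 'no') or None where the old code stored a bool; the string 'no' is truthy, so a caller that tests `if cmd_result['revoked']` would report a certificate that is not revoked as revoked. Keep the comparison, `cmd_result['revoked'] = parse_result.get('revoked') == 'yes'`, and confirm that `return cmd_result`, which this hunk deletes, still follows in the context the quote cuts off; otherwise the method now returns None.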
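Review bot: in the host_add hunk, the replacement drops the leading `not` from `options.get('force', False)`, so the condition now holds when --force is given and no ip_address is present, the reverse of the original; pylint's unneeded-not only asks for `not 'ip_address' in options` to become `'ip_address' not in options`. The line should read `if not options.get('force', False) and 'ip_address' not in options:`.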
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 20 Sep 2016 15:25:00 +0200
Subject: [Freeipa-devel] [freeipa PR#98][opened] Make server uninstaller exit with non-zero exit status during failed validation

URL: https://github.com/freeipa/freeipa/pull/98
Author: martbab
Title: #98: Make server uninstaller exit with non-zero exit status during failed validation
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/5725
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/98/head:pr98
git checkout pr98

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-98.patch
Type: text/x-diff
Size: 4863 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Sep 20 13:49:17 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 20 Sep 2016 15:49:17 +0200
Subject: [Freeipa-devel] [freeipa PR#82][comment] Fix regexp in user/group name

URL: https://github.com/freeipa/freeipa/pull/82
Title: #82: Fix regexp in user/group name

stlaz commented:
"""
The tests seem to pass as well.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/82#issuecomment-248306443

From freeipa-github-notification at redhat.com Tue Sep 20 13:58:01 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 20 Sep 2016 15:58:01 +0200
Subject: [Freeipa-devel] [freeipa PR#97][synchronized] Pylint fixes

URL: https://github.com/freeipa/freeipa/pull/97
Author: mbasti-rh
Title: #97: Pylint fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/97/head:pr97
git checkout pr97

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-97.patch
Type: text/x-diff
Size: 35290 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Sep 20 15:35:54 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 20 Sep 2016 17:35:54 +0200
Subject: [Freeipa-devel] [freeipa PR#82][+pushed] Fix regexp in user/group name

URL: https://github.com/freeipa/freeipa/pull/82
Title: #82: Fix regexp in user/group name
Label: +pushed

From freeipa-github-notification at redhat.com Tue Sep 20 15:35:56 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 20 Sep 2016 17:35:56 +0200
Subject: [Freeipa-devel] [freeipa PR#82][comment] Fix regexp in user/group name

URL: https://github.com/freeipa/freeipa/pull/82
Title: #82: Fix regexp in user/group name

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/37200806118d39ef8afe84ad5887a294d54e2659
https://fedorahosted.org/freeipa/changeset/8f8e3d008f1de91337a83ea6d271662432209767
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/85ee93deb62ce8026122e5c40cdc8813f6a70e81
https://fedorahosted.org/freeipa/changeset/63914414bcc151ca954258215757ddd2bf4c3843
"""

See the full comment at https://github.com/freeipa/freeipa/pull/82#issuecomment-248339321

From freeipa-github-notification at redhat.com Tue Sep 20 15:35:58 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 20 Sep 2016 17:35:58 +0200
Subject: [Freeipa-devel] [freeipa PR#82][closed] Fix regexp in user/group name

URL: https://github.com/freeipa/freeipa/pull/82
Author: mbasti-rh
Title: #82: Fix regexp in user/group name
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/82/head:pr82
git checkout pr82

From freeipa-github-notification at redhat.com Tue Sep 20 15:39:03 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Tue, 20 Sep 2016 17:39:03 +0200
Subject: [Freeipa-devel] [freeipa PR#99][opened] Tests: Remove --force options from tracker base class

URL: https://github.com/freeipa/freeipa/pull/99
Author: mirielka
Title: #99: Tests: Remove --force options from tracker base class
Action: opened

PR body:
"""
Removing --force option from tracker base class so it would not be required to be implemented in every specific tracker, even though it's not necessary. Modifying existing trackers to reflect this change.

https://fedorahosted.org/freeipa/ticket/6124
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/99/head:pr99
git checkout pr99

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-99.patch
Type: text/x-diff
Size: 12062 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Sep 20 20:45:59 2016
From: freeipa-github-notification at redhat.com (alibasim86)
Date: Tue, 20 Sep 2016 22:45:59 +0200
Subject: [Freeipa-devel] [freeipa PR#100][opened] Ipa 4 4

URL: https://github.com/freeipa/freeipa/pull/100
Author: alibasim86
Title: #100: Ipa 4 4
Action: opened

PR body:
"""
we have implemented IPA in our environment and we got an issue when it comes to DNS service reload, we have more than 25k records across multiple domains "quite few". when we do dns service reload the DNS stops replying for approx. 45 sec which is causing a down time to a number of services.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/100/head:pr100
git checkout pr100

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-100.patch
Type: text/x-diff
Size: 190535 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Sep 21 07:10:38 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 21 Sep 2016 09:10:38 +0200
Subject: [Freeipa-devel] [freeipa PR#100][+rejected] Ipa 4 4

URL: https://github.com/freeipa/freeipa/pull/100
Title: #100: Ipa 4 4
Label: +rejected

From freeipa-github-notification at redhat.com Wed Sep 21 07:13:49 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 21 Sep 2016 09:13:49 +0200
Subject: [Freeipa-devel] [freeipa PR#100][closed] Ipa 4 4

URL: https://github.com/freeipa/freeipa/pull/100
Author: alibasim86
Title: #100: Ipa 4 4
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/100/head:pr100
git checkout pr100

From freeipa-github-notification at redhat.com Wed Sep 21 07:13:51 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 21 Sep 2016 09:13:51 +0200
Subject: [Freeipa-devel] [freeipa PR#100][comment] Ipa 4 4

URL: https://github.com/freeipa/freeipa/pull/100
Title: #100: Ipa 4 4

martbab commented:
"""
Pull Requests are intended for contributing code to FreeIPA upstream. If you need help with your deployment or have a question about FreeIPA please use our public mailing list (https://www.redhat.com/mailman/listinfo/freeipa-users) or ask at #freeipa irc channel on freenode.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/100#issuecomment-248530322

From freeipa-github-notification at redhat.com Wed Sep 21 08:19:20 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 21 Sep 2016 10:19:20 +0200
Subject: [Freeipa-devel] [freeipa PR#96][+ack] Show error message for invalid IPs in client install

URL: https://github.com/freeipa/freeipa/pull/96
Title: #96: Show error message for invalid IPs in client install
Label: +ack

From freeipa-github-notification at redhat.com Wed Sep 21 08:26:50 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 21 Sep 2016 10:26:50 +0200
Subject: [Freeipa-devel] [freeipa PR#96][+pushed] Show error message for invalid IPs in client install

URL: https://github.com/freeipa/freeipa/pull/96
Title: #96: Show error message for invalid IPs in client install
Label: +pushed

From freeipa-github-notification at redhat.com Wed Sep 21 08:26:52 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 21 Sep 2016 10:26:52 +0200
Subject: [Freeipa-devel] [freeipa PR#96][comment] Show error message for invalid IPs in client install

URL: https://github.com/freeipa/freeipa/pull/96
Title: #96: Show error message for invalid IPs in client install

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ddf48f2fef344784b9e1918d2f2ee6feef9d4c04
"""

See the full comment at https://github.com/freeipa/freeipa/pull/96#issuecomment-248545080

From freeipa-github-notification at redhat.com Wed Sep 21 08:26:53 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 21 Sep 2016 10:26:53 +0200
Subject: [Freeipa-devel] [freeipa PR#96][closed] Show error message for invalid IPs in client install

URL: https://github.com/freeipa/freeipa/pull/96
Author: tomaskrizek
Title: #96: Show error message for invalid IPs in client install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/96/head:pr96
git checkout pr96

From freeipa-github-notification at redhat.com Wed Sep 21 08:36:54 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 21 Sep 2016 10:36:54 +0200
Subject: [Freeipa-devel] [freeipa PR#92][+pushed] Add log messages for IP checks during client install

URL: https://github.com/freeipa/freeipa/pull/92
Title: #92: Add log messages for IP checks during client install
Label: +pushed

From freeipa-github-notification at redhat.com Wed Sep 21 08:36:55 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 21 Sep 2016 10:36:55 +0200
Subject: [Freeipa-devel] [freeipa PR#92][comment] Add log messages for IP checks during client install

URL: https://github.com/freeipa/freeipa/pull/92
Title: #92: Add log messages for IP checks during client install

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d6f6a291da5926217ac3acbbb959fd23227c7bd2
"""

See the full comment at https://github.com/freeipa/freeipa/pull/92#issuecomment-248547405

From freeipa-github-notification at redhat.com Wed Sep 21 08:36:57 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 21 Sep 2016 10:36:57 +0200
Subject: [Freeipa-devel] [freeipa PR#92][closed] Add log messages for IP checks during client install

URL: https://github.com/freeipa/freeipa/pull/92
Author: tomaskrizek
Title: #92: Add log messages for IP checks during client install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/92/head:pr92
git checkout pr92

From abokovoy at redhat.com Wed Sep 21 09:20:34 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 21 Sep 2016 12:20:34 +0300
Subject: [Freeipa-devel] FleetCommander integration
References: <20160906101814.aotuinw5y4v6ihzk@redhat.com>
Message-ID: <20160921092034.khew6nfrjgr3vts7@redhat.com>

Hi Alberto,

On Wed, 21 Sep 2016, Alberto Ruiz Ruiz wrote:
>Hello Alexander,
>
>So, I've been assigned with a new team/project just this week (related to
>hardware enablement/support), I'll still manage Fleet Commander but this
>means I won't have time to be involved in the implementation.
>
>I will be delegating the discussion between you and Oliver Gutierrez,
>Oliver is spending a few weeks in Brno, so I'm expecting he will catch up a
>bit on Fleet Commander with Fabiano.
>
>As I was the sole maintainer of the client daemon so I'll still be around
>for questions and small changes, if only until I find someone to assign to
>it within the bigger team.
>
>I would expect Oliver would go ahead and start testing your test plugin
>right away.

Got it. Let's discuss on IRC (freenode, #freeipa or #sssd) whenever you guys would have time any issues you'll encounter.

-- 
/ Alexander Bokovoy

From aruizrui at redhat.com Wed Sep 21 09:10:54 2016
From: aruizrui at redhat.com (Alberto Ruiz Ruiz)
Date: Wed, 21 Sep 2016 10:10:54 +0100
Subject: [Freeipa-devel] FleetCommander integration
References: <20160906101814.aotuinw5y4v6ihzk@redhat.com>

Hello Alexander,

So, I've been assigned with a new team/project just this week (related to hardware enablement/support), I'll still manage Fleet Commander but this means I won't have time to be involved in the implementation.

I will be delegating the discussion between you and Oliver Gutierrez, Oliver is spending a few weeks in Brno, so I'm expecting he will catch up a bit on Fleet Commander with Fabiano.

As I was the sole maintainer of the client daemon so I'll still be around for questions and small changes, if only until I find someone to assign to it within the bigger team.

I would expect Oliver would go ahead and start testing your test plugin right away.

On Mon, Sep 12, 2016 at 4:36 PM, Alberto Ruiz Ruiz wrote:
> Hey Alexander,
>
> Just a heads up, we're in the middle of releasing 0.8 just this week so
> we're testing like mad.
>
> Right after 0.8 is out, we should be able to sit down and look into
> FreeIPA integration right away and will certainly look into this.
>
> And sorry for the late reply
>
> On Tue, Sep 6, 2016 at 11:18 AM, Alexander Bokovoy wrote:
>
>> Hi,
>>
>> Now that FreeIPA 4.4.1 is out, I've pushed to github my prototype for
>> FleetCommander integration: https://github.com/abbra/freeipa-desktop-profile/
>>
>> You can read the design page:
>> https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
>>
>> The design was mostly figured out in discussions with Alberto, Fabiano,
>> Nathaniel, and Jakub, so we are more or less on the common ground here
>> between SSSD and FleetCommander. You can send pull requests to me on
>> github to update the design.
>> ;)
>>
>> You can cut a tarball using
>> git archive --format=tar.gz --prefix=freeipa-desktop-profile-0.0.1/ \
>> --output ~/rpmbuild/SOURCES/freeipa-desktop-profile-0.0.1.tar.gz \
>> freeipa-desktop-profile-0.0.1
>>
>> And then build the package with
>> rpmbuild -ta freeipa-desktop-profile-0.0.1.tar.gz
>>
>> When installed, the package does not run ipa-server-upgrade by itself,
>> yet. So you need to run ipa-server-upgrade manually. Once run,
>> deskprofile/deskprofilerule topics would become available and can be
>> used for testing purposes. For Fedora 24 one can use FreeIPA 4.4.1 from
>> COPR, for Fedora 25 we have FreeIPA 4.4.1 in updates stable as of today.
>>
>> UI plugin is not ready yet and is disabled in the spec file as it breaks
>> loading the whole UI.
>>
>> --
>> / Alexander Bokovoy
>>
>
>
> --
> Alberto Ruiz
> Engineering Supervisor - Desktop Management Tools
> Red Hat

-- 
Alberto Ruiz
Engineering Supervisor - Desktop Management Tools
Red Hat

-------------- next part --------------
An HTML attachment was scrubbed...

From jpazdziora at redhat.com Wed Sep 21 10:01:44 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Wed, 21 Sep 2016 12:01:44 +0200
Subject: [Freeipa-devel] What would break if loopback addresses were allowed for IPA server?
Message-ID: <20160921100144.GA7371@redhat.com>

Hello,

I've recently hit again the situation of the IPA installer not being happy about the provided IP address not being local to it, this time in a containerized environment:

https://bugzilla.redhat.com/show_bug.cgi?id=1377973

During the discussion, we came to an interesting question: What would break if loopback addresses were allowed for IPA server?

Of course, the idea is that it would only be used for installation and then IPA would change its IP address in DNS to whatever is the real IP address under which it is accessible.

Where does the allow_loopback=False requirement in the installer come from and what would break if it was removed altogether?

Thanks,

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From freeipa-github-notification at redhat.com Wed Sep 21 10:18:50 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 21 Sep 2016 12:18:50 +0200
Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

martbab commented:
"""
Regarding requesting a certificate for krbtgt, we plan to fix cert-request in a more systematic manner to allow requesting a certificate for any principal in the IPA realm (see https://fedorahosted.org/freeipa/ticket/6295), so hopefully the cert-request fixes will not be needed eventually.

As a side question, is the separate profile needed due to some custom extensions required for the PKINIT certificate?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-248570361

From freeipa-github-notification at redhat.com Wed Sep 21 10:24:25 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 21 Sep 2016 12:24:25 +0200
Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

abbra commented:
"""
> As a side question is the separate profile needed due to some custom extensions required for PKINIT certificate?

Yes, we don't want to allow everyone to issue certificates with PKINIT extensions; they should only be done for the KDC cert.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-248571527

From freeipa-github-notification at redhat.com Wed Sep 21 10:47:39 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 21 Sep 2016 12:47:39 +0200
Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

martbab commented:
"""
I thought so. It would be nice to have this mentioned somewhere, e.g. in the profile description, so that our future selves will know why this is needed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-248576106

From freeipa-github-notification at redhat.com Wed Sep 21 10:51:25 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 12:51:25 +0200
Subject: [Freeipa-devel] [freeipa PR#84][edited] Fix update_from_dict function testing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/84
Author: stlaz
Title: #84: Fix update_from_dict function testing
Action: edited

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/84/head:pr84
git checkout pr84

From freeipa-github-notification at redhat.com Wed Sep 21 10:57:50 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Sep 2016 12:57:50 +0200 Subject: [Freeipa-devel] [freeipa PR#86][closed] Made sssd restart a non-raising opration In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/86 Author: ofayans Title: #86: Made sssd restart a non-raising opration Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/86/head:pr86 git checkout pr86 From freeipa-github-notification at redhat.com Wed Sep 21 10:57:52 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Sep 2016 12:57:52 +0200 Subject: [Freeipa-devel] [freeipa PR#86][+rejected] Made sssd restart a non-raising opration In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/86 Title: #86: Made sssd restart a non-raising opration Label: +rejected From freeipa-github-notification at redhat.com Wed Sep 21 11:02:24 2016 From: freeipa-github-notification at redhat.com (ofayans) Date: Wed, 21 Sep 2016 13:02:24 +0200 Subject: [Freeipa-devel] [freeipa PR#93][+ack] Tests: Remove SSSD restart from integration tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/93 Title: #93: Tests: Remove SSSD restart from integration tests Label: +ack From freeipa-github-notification at redhat.com Wed Sep 21 11:05:51 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Sep 2016 13:05:51 +0200 Subject: [Freeipa-devel] [freeipa PR#91][+pushed] Add help info about certificate revocation reasons In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/91 Title: #91: Add help info about certificate revocation reasons Label: +pushed From freeipa-github-notification at redhat.com Wed Sep 21 11:05:53 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Sep 2016 13:05:53 +0200 Subject: [Freeipa-devel] [freeipa PR#91][comment] Add help info about certificate revocation reasons In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/91 Title: #91: Add help info about certificate revocation reasons mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/75f77e0f2a55de4802b2ab74a0e6f50eaf728dc8 ipa-4-4: https://fedorahosted.org/freeipa/changeset/43ab75e56d8e661c51cc45803c4f7752e24bcde7 """ See the full comment at https://github.com/freeipa/freeipa/pull/91#issuecomment-248579782 From freeipa-github-notification at redhat.com Wed Sep 21 11:05:54 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Sep 2016 13:05:54 +0200 Subject: [Freeipa-devel] [freeipa PR#91][closed] Add help info about certificate revocation reasons In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/91 Author: tomaskrizek Title: #91: Add help info about certificate revocation reasons Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/91/head:pr91 git checkout pr91 From freeipa-github-notification at redhat.com Wed Sep 21 11:06:02 2016 From: freeipa-github-notification at redhat.com (abbra) Date: Wed, 21 Sep 2016 13:06:02 +0200 Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install abbra commented: """ Yes, we need to create a design page for PKINIT support. I'll make sure it is done. """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-248579818 From freeipa-github-notification at redhat.com Wed Sep 21 11:06:55 2016 
From: freeipa-github-notification at redhat.com (jcholast)
Date: Wed, 21 Sep 2016 13:06:55 +0200
Subject: [Freeipa-devel] [freeipa PR#84][comment] Fix update_from_dict function testing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/84
Title: #84: Fix update_from_dict function testing

jcholast commented:
"""
@abbra:
> Update plugins are higher level of abstraction. They use ipaserver.install.ldapupdate.LDAPUpdate which provides both .update() and .update_from_dict() methods. Update plugins can produce dictionaries. With the change in this pull request they will have to always write down dynamic update content to files first and then run LDAPUpdate.update() with those files. Or re-implement .update_from_dict().

This is not true; update plugins are supposed to return the dictionaries from their `execute` method. See any of the update plugins in [ipaserver/install/plugins](https://github.com/freeipa/freeipa/tree/master/ipaserver/install/plugins) for how it's done.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/84#issuecomment-248579978

From freeipa-github-notification at redhat.com Wed Sep 21 11:12:37 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 13:12:37 +0200
Subject: [Freeipa-devel] [freeipa PR#90][comment] Update ipa-server-install man page for hostname
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/90
Title: #90: Update ipa-server-install man page for hostname

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/4e880f7ce96bc160af2383880b9c11e66c660a5a
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/ca45a8cde3d0411eff598eac74bb301253446bad
"""

See the full comment at https://github.com/freeipa/freeipa/pull/90#issuecomment-248581057

From freeipa-github-notification at redhat.com Wed Sep 21 11:12:39 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Sep 2016 13:12:39 +0200 Subject: [Freeipa-devel] [freeipa PR#90][+pushed] Update ipa-server-install man page for hostname In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/90 Title: #90: Update ipa-server-install man page for hostname Label: +pushed From freeipa-github-notification at redhat.com Wed Sep 21 11:12:40 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Sep 2016 13:12:40 +0200 Subject: [Freeipa-devel] [freeipa PR#90][closed] Update ipa-server-install man page for hostname In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/90 Author: tomaskrizek Title: #90: Update ipa-server-install man page for hostname Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/90/head:pr90 git checkout pr90 From freeipa-github-notification at redhat.com Wed Sep 21 11:13:23 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 21 Sep 2016 13:13:23 +0200 Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install martbab commented: """ Thank you """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-248581191 From freeipa-github-notification at redhat.com Wed Sep 21 11:20:41 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Sep 2016 13:20:41 +0200 Subject: [Freeipa-devel] [freeipa PR#85][comment] WebUI: Change group name from 'normal' to 'Non-POSIX' In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/85 Title: #85: WebUI: Change group name from 'normal' to 'Non-POSIX' mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/0e6d6e403255649538224c409a0a279aaf9d5181 """ See the full comment at https://github.com/freeipa/freeipa/pull/85#issuecomment-248582556 From freeipa-github-notification at redhat.com Wed Sep 21 11:20:43 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Sep 2016 13:20:43 +0200 Subject: [Freeipa-devel] [freeipa PR#85][closed] WebUI: Change group name from 'normal' to 'Non-POSIX' In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/85 Author: pvomacka Title: #85: WebUI: Change group name from 'normal' to 'Non-POSIX' Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/85/head:pr85 git checkout pr85 From freeipa-github-notification at redhat.com Wed Sep 21 11:20:47 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Sep 2016 13:20:47 +0200 Subject: [Freeipa-devel] [freeipa PR#85][+pushed] WebUI: Change group name from 'normal' to 'Non-POSIX' In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/85 Title: #85: WebUI: Change group name from 'normal' to 'Non-POSIX' Label: +pushed From freeipa-github-notification at redhat.com Wed Sep 21 11:40:29 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Sep 2016 13:40:29 +0200 Subject: [Freeipa-devel] [freeipa PR#83][+pushed] Added a fix for setting Priority as required field In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/83 Title: #83: Added a fix for setting Priority as required field Label: +pushed From freeipa-github-notification at redhat.com Wed Sep 21 11:40:30 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Sep 2016 13:40:30 +0200 Subject: [Freeipa-devel] [freeipa PR#83][comment] Added a fix for setting Priority as required field In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/83 Title: #83: Added a fix for setting Priority as required field mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/8149b762b424d1ce7a26847386715ca98038b230 """ See the full comment at https://github.com/freeipa/freeipa/pull/83#issuecomment-248586545 From freeipa-github-notification at redhat.com Wed Sep 21 11:40:32 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Sep 2016 13:40:32 +0200 Subject: [Freeipa-devel] [freeipa PR#83][closed] Added a fix for setting Priority as required field In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/83 Author: Akasurde Title: #83: Added a fix for setting Priority as required field Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/83/head:pr83 git checkout pr83 From freeipa-github-notification at redhat.com Wed Sep 21 11:44:17 2016 
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 21 Sep 2016 13:44:17 +0200
Subject: [Freeipa-devel] [freeipa PR#101][opened] Improved vault-show error message
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/101
Author: stlaz
Title: #101: Improved vault-show error message
Action: opened

PR body:
"""
Added more information to the NotFound error that may occur during execution of vault-show. It was not clear whether the vault really does not exist or it does not exist in a certain container.

https://fedorahosted.org/freeipa/ticket/5950
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/101/head:pr101
git checkout pr101

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-101.patch
Type: text/x-diff
Size: 1951 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Sep 21 12:31:50 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 21 Sep 2016 14:31:50 +0200
Subject: [Freeipa-devel] [freeipa PR#102][opened] Updated ipa-client-install info about hostname
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/102
Author: stlaz
Title: #102: Updated ipa-client-install info about hostname
Action: opened

PR body:
"""
The man page and help of ipa-client-install had outdated information about what is used as a hostname.

https://fedorahosted.org/freeipa/ticket/5754
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/102/head:pr102
git checkout pr102

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-102.patch
Type: text/x-diff
Size: 2286 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Sep 21 12:41:31 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Sep 2016 14:41:31 +0200 Subject: [Freeipa-devel] [freeipa PR#93][comment] Tests: Remove SSSD restart from integration tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/93 Title: #93: Tests: Remove SSSD restart from integration tests mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/361105a3d5b509bafee83934eb31d10f69d512f6 """ See the full comment at https://github.com/freeipa/freeipa/pull/93#issuecomment-248600041 From freeipa-github-notification at redhat.com Wed Sep 21 12:41:33 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Sep 2016 14:41:33 +0200 Subject: [Freeipa-devel] [freeipa PR#93][closed] Tests: Remove SSSD restart from integration tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/93 Author: mirielka Title: #93: Tests: Remove SSSD restart from integration tests Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/93/head:pr93 git checkout pr93 From freeipa-github-notification at redhat.com Wed Sep 21 12:41:34 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Sep 2016 14:41:34 +0200 Subject: [Freeipa-devel] [freeipa PR#93][+pushed] Tests: Remove SSSD restart from integration tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/93 Title: #93: Tests: Remove SSSD restart from integration tests Label: +pushed From ofayans at redhat.com Wed Sep 21 12:41:58 2016 
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 21 Sep 2016 14:41:58 +0200
Subject: [Freeipa-devel] [PATCH] ca-less tests updated
In-Reply-To: <5dee6817-b758-3694-16e6-a9e99cd2f838@redhat.com>
References: <56337745.109@redhat.com> <563B091B.3010501@redhat.com> <563B6A96.8090606@redhat.com> <563BABEC.8080304@redhat.com> <563C5B1A.1090803@redhat.com> <563C5E6D.4060307@redhat.com> <563CA575.1030808@redhat.com> <567176A2.1000901@redhat.com> <5707C431.6070702@redhat.com> <570E1E70.6060309@redhat.com> <5715F6B5.3070003@redhat.com> <57173F56.5020308@redhat.com> <5731F951.1020700@redhat.com> <57A99B02.1010507@redhat.com> <84a03933-9820-2c63-ef7b-1cf63a44e3a9@redhat.com> <4b1365a2-c140-4aa4-baf9-9c7a6953c7f8@redhat.com> <5dee6817-b758-3694-16e6-a9e99cd2f838@redhat.com>
Message-ID: <86705758-a778-665c-8480-a2f127ead97c@redhat.com>

Hi David,

As per your comments the patches were once again refactored. I am attaching the full set of them; please ignore any previous versions.

The patches apply cleanly on master and pylint swallows the resulting code silently.

On 09/12/2016 09:51 AM, David Kupka wrote:
> Hi Oleg,
> thank you, now it's a completely different game.
> Please add a prefix to commit message summaries. Simply prepending
> "tests: " should be OK.
>
> 0041 - -h is deprecated in favor of -H.
> 0062 - 0068 - LGTM
> 0069 - I see 2 unrelated changes in the patch, please split them:
>   - 1 - certutil -> paths.CERTUTIL
>   - 2 - assert
> 0070 - I see 2 unrelated changes in the patch, please split them:
>   - 1 - teardown
>   - 2 - TestReplicaInstall.setUp -> TestReplicaInstall.install
> 0071 - typos in commit message, I see 5 unrelated changes in that patch:
>   - 1 - error messages in assert
>   - 2 - certificates used
>   - 3 - verify_installation called only in DOMAIN_LEVEL_0.
>   - 4 - TestCertinstall.install
>   - 5 - TestCertinstall.certinstall
> 0072 - 0077 - LGTM
>
> On 09/09/16 15:22, Oleg Fayans wrote:
>> Hi David, team
>>
>> According to your suggestions I've split my commits so that each
>> commit addresses some particular problem. One patch (0071) still
>> contains several unrelated fixes, but they mostly reflect changes in
>> error messages and really small but numerous bugfixes that I did not
>> consider worthy of a separate commit each. Please, whenever you have
>> free time, take a look at this new bunch of patches.
>>
>> Thanks!
>>
>> On 09/06/2016 04:41 PM, David Kupka wrote:
>>> Hi Oleg!
>>>
>>> 0013 - It looks like there are two unrelated changes, addition of CRL
>>> distribution extension and creating certificate signed by no longer
>>> existing CA. Please create a separate patch for each of the changes, and
>>> describe the change and reason for it in commit messages.
>>>
>>> 0014 - Could you please split the patch into "numerous" commits, each
>>> fixing one error? Please also describe each fix so everyone has at least
>>> a vague idea about the patch without reading its code. Also, why do you
>>> introduce the global variable config? I don't see it used anywhere.
>>>
>>> 0039 - It looks like multiple different changes and the commit message
>>> says nothing again. Please split and describe what you changed and why.
>>>
>>> 0041 - Looks like a weird workaround to me. It would be better to
>>> investigate the root cause and fix it. Or at least describe the cause in
>>> the commit message and a code comment if it can't be fixed. Also "-h is
>>> deprecated in favor of -H" says man 1 ldapmodify.
>>>
>>>
>>> On 05/09/16 14:32, Oleg Fayans wrote:
>>>> Hi guys,
>>>>
>>>> Finally the ca-less tests are stable. Here in the attachment is the
>>>> full set of necessary patches.
>>>>
>>>>
>>>> On 08/09/2016 10:57 AM, Oleg Fayans wrote:
>>>>> Hi all,
>>>>>
>>>>> Bump for the review of the 0013 patch. The script it addresses can be
>>>>> reused in some WebUI tests - one more reason to have it
>>>>> reviewed/merged
>>>>>
>>>>> The rest of the patches should be re-tested, since they were prepared
>>>>> a good while ago
>>>>>
>>>>> On 05/10/2016 05:08 PM, Oleg Fayans wrote:
>>>>>> Hi David,
>>>>>>
>>>>>> After quite a while and some more struggles here comes the updated
>>>>>> version of the patch together with other patches fixing things in
>>>>>> ipatests/test_integration/tasks.py
>>>>>> Server and replica installation was refactored in a way to utilize
>>>>>> the code from tasks.py as much as possible
>>>>>>
>>>>>> The full set of necessary patches is attached
>>>>>>
>>>>>>
>>>>>> On 04/20/2016 10:35 AM, David Kupka wrote:
>>>>>>> On 19/04/16 11:13, Oleg Fayans wrote:
>>>>>>>> OK, that one, though passing lint, did not actually work. I gave
>>>>>>>> up my attempts to define method decorators inside the class. Now it
>>>>>>>> passes lint AND works:)
>>>>>>>>
>>>>>>>
>>>>>>> Hi Oleg!
>>>>>>>
>>>>>>> 1) The current commit message is useless. Please use it to describe
>>>>>>> what the point of the patch is.
>>>>>>>
>>>>>>> 2) $ git show -U0 | pep8 --diff
>>>>>>> ./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank lines, found 1
>>>>>>> ./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank lines, found 1
>>>>>>> ./ipatests/test_integration/test_caless.py:820:5: E303 too many blank lines (2)
>>>>>>> ./ipatests/test_integration/test_caless.py:825:80: E501 line too long (80 > 79 characters)
>>>>>>> ./ipatests/test_integration/test_caless.py:1035:44: E225 missing whitespace around operator
>>>>>>>
>>>>>>>
>>>>>>> 3) Isn't there a way to do this with pytest's fixtures?
>>>>>>>
>>>>>>>> +def server_install_teardown(func):
>>>>>>>> +    def wrapped(*args):
>>>>>>>> +        try:
>>>>>>>> +            func(*args)
>>>>>>>> +        finally:
>>>>>>>> +            args[0].uninstall_server()
>>>>>>>> +    return wrapped
>>>>>>>> +
>>>>>>>> +def replica_install_teardown(func):
>>>>>>>> +    def wrapped(*args):
>>>>>>>> +        try:
>>>>>>>> +            func(*args)
>>>>>>>> +        finally:
>>>>>>>> +            # Uninstall replica
>>>>>>>> +            replica = args[0].replicas[0]
>>>>>>>> +            tasks.kinit_admin(args[0].master)
>>>>>>>> +            args[0].uninstall_server(replica)
>>>>>>>> +            args[0].master.run_command(['ipa-replica-manage', 'del',
>>>>>>>> +                                        replica.hostname, '--force'],
>>>>>>>> +                                       raiseonerr=False)
>>>>>>>> +            args[0].master.run_command(['ipa', 'host-del',
>>>>>>>> +                                        replica.hostname],
>>>>>>>> +                                       raiseonerr=False)
>>>>>>>> +    return wrapped
>>>>>>>> +
>>>>>>
>>>>>> There is a standard pytest method called 'method_teardown' that is
>>>>>> intended to be executed after each test method, but with our setup it
>>>>>> does not work.
>>>>>>
>>>>>>>
>>>>>>> 4) Is it necessary to create the $TEST_DIR in the test? Isn't it
>>>>>>> created by the framework?
>>>>>>>
>>>>>>>> +        host.transport.mkdir_recursive(host.config.test_dir)
>>>>>>>
>>>>>>
>>>>>> Removed.
>>>>>>
>>>>>>>
>>>>>>> 5) I don't think the comment matches the code.
>>>>>>>
>>>>>>>>
>>>>>>>> +        # Remove CA cert in /etc/pki/nssdb, in case of failed (un)install
>>>>>>>> +        for host in cls.get_all_hosts():
>>>>>>>> +            cls.uninstall_server(host)
>>>>>>>> +
>>>>>>>>          super(CALessBase, cls).uninstall(mh)
>>>>>>>
>>>>>>
>>>>>> Not actual anymore
>>>>>>
>>>>>>>
>>>>>>> 6) No! Create a list with one element, iterate that list and append
>>>>>>> every item to the other list. Maybe there's a better way (Hint:
>>>>>>> append). I've seen this in multiple places.
>>>>>>>
>>>>>>>>          if unattended:
>>>>>>>>              args.extend(['-U'])
>>>>>>
>>>>>> Agreed
>>>>>>
>>>>>>>
>>>>>>> 7) Why don't you (extend and) use
>>>>>>> ipatests.test_integaration.tasks.(un)install_{master,replica}?
>>>>>>> This could be done pretty much all over the code.
>>>>>>>
>>>>>>>>          host.run_command(['ipa-server-install', '--uninstall', '-U'])
>>>>>>>
>>>>>>> 8) Use ipaplatform.paths for certutil and other binaries. If the
>>>>>>> binary is not there feel free to add it.
>>>>>>> I've seen this in multiple places.
>>>>>>>
>>>>>>>> +        host.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
>>>>>>>> +                          '-n', 'External CA cert'],
>>>>>>>> +                         raiseonerr=False)
>>>>>>>> +        # A workaround for https://fedorahosted.org/freeipa/ticket/4639
>>>>>>>> +        result = host.run_command(['certutil', '-L', '-d',
>>>>>>>> +                                   paths.HTTPD_ALIAS_DIR])
>>>>>>>> +        for rawcert in result.stdout_text.split('\n')[4: -1]:
>>>>>>>> +            cert = rawcert.split(' ')[0]
>>>>>>>> +            host.run_command(['certutil', '-D', '-d', paths.HTTPD_ALIAS_DIR,
>>>>>>>> +                              '-n', cert])
>>>>>>>>
>>>>>>
>>>>>> Done
>>>>>>
>>>>>>>
>>>>>>> 9) certmonger is a system service. You can check if it is .enabled()
>>>>>>> and .running(). And IIUC the comment is the negation of what the code
>>>>>>> does.
>>>>>>>
>>>>>>>>
>>>>>>>>          # Verify certmonger was not started
>>>>>>>>          result = host.run_command(['getcert', 'list'], raiseonerr=False)
>>>>>>>> -        assert result > 0
>>>>>>>> -        assert ('Please verify that the certmonger service has been '
>>>>>>>> -                'started.' in result.stdout_text), result.stdout_text
>>>>>>>> +        assert result.returncode == 0
>>>>>>>
>>>>>>> 10) What is the point of calling uninstall_server() when it will be
>>>>>>> called in the finally block of server_install_teardown anyway?
>>>>>>>
>>>>>>>> +    @server_install_teardown
>>>>>>>>      def test_revoked_http(self):
>>>>>>>>          "IPA server install with revoked HTTP certificate"
>>>>>>>>
>>>>>>>>          if result.returncode == 0:
>>>>>>>> +            self.uninstall_server()
>>>>>>>>              raise nose.SkipTest(
>>>>>>>>                  "Known CA-less installation defect, see "
>>>>>>>> +                "https://fedorahosted.org/freeipa/ticket/4270")
>>>>>>>>
>>>>>>>>          assert result.returncode > 0
>>>>>>>>
>>>>>> Removed
>>>>>>
>>>>>>>
>>>>>>> Nitpick) Do not mix fixing typos/grammar/spelling/style with
>>>>>>> functional changes.
>>>>>>>
>>>>>>>> -    def test_incorect_http_pin(self):
>>>>>>>> +    @pytest.mark.xfail(reason='freeipa ticket 5378')
>>>>>>>> +    def test_incorrect_http_pin(self):
>>>>>>>>          "Install new HTTP certificate with incorrect PKCS#12 password"
>>>>>>
>>>>>> Removed
>>>>>>
>>>>>
>>>>
>>>
>>
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0041.2-Fixed-method-failures-during-second-call-for-the-method.patch
Type: text/x-patch
Size: 1394 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0062-Added-basic-constraints-extension-to-the-CA-certs.patch
Type: text/x-patch
Size: 1136 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0063-Added-generation-of-missing-certs.patch
Type: text/x-patch
Size: 1159 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0064-Updated-ipa-server-installation-stdin-text.patch
Type: text/x-patch
Size: 1344 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
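Review bot: In the `server_install_teardown` / `replica_install_teardown` hunk quoted under point 3, `wrapped(*args)` forwards positional arguments only and is not decorated with `functools.wraps`, so the decorated test loses its `__doc__` (the docstrings such as "IPA server install with revoked HTTP certificate" are what the test reports show) and any fixture argument pytest passes by keyword raises TypeError. Suggest `@functools.wraps(func)` on `wrapped`, `def wrapped(*args, **kwargs)` and `func(*args, **kwargs)`. In the `finally` block of `replica_install_teardown`, `tasks.kinit_admin(args[0].master)` and `args[0].uninstall_server(replica)` run without the `raiseonerr=False` protection the later `ipa-replica-manage del` and `ipa host-del` calls have, so a failure in either of the first two steps skips the remaining cleanup and leaves the replica agreement and host entry behind for the next test.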
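Review bot: In the `certutil -L` workaround hunk quoted under point 8, `result.stdout_text.split('\n')[4: -1]` assumes the listing has exactly four header lines and one trailing empty line, and `rawcert.split(' ')[0]` truncates any nickname containing a space (the same hunk deletes a nickname 'External CA cert' a few lines earlier), so when the layout differs the loop deletes the wrong entry or nothing at all, with no assertion to notice. Suggest splitting each line from the right on the trust-flags column (`rawcert.rsplit(None, 1)[0]`) and skipping lines that do not yield two fields, and, as point 8 says, replacing the bare `'certutil'` with `paths.CERTUTIL` in all three `run_command` calls.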
Name: freeipa-ofayans-0065-Create-a-method-that-cleans-all-ipa-certs.patch Type: text/x-patch Size: 1678 bytes
Name: freeipa-ofayans-0066-Added-teardown-methods-for-server-and-replica-instal.patch Type: text/x-patch Size: 2056 bytes
Name: freeipa-ofayans-0067-Removed-call-for-install-method-from-parent-class.patch Type: text/x-patch Size: 1158 bytes
Name: freeipa-ofayans-0068-Adapted-installation-methods-to-utilize-tasks.patch Type: text/x-patch Size: 10332 bytes
Name: freeipa-ofayans-0069.1-Fixed-incorrect-assert-in-verify_installation.patch Type: text/x-patch Size: 1112 bytes
Name: freeipa-ofayans-0070.1-Applied-correct-teardown-methods.patch Type: text/x-patch Size: 17742 bytes
Name: freeipa-ofayans-0072-Removed-outdated-command-options-test.patch Type: text/x-patch Size: 1729 bytes
Name: freeipa-ofayans-0073-Added-necessary-getkeytabs-calls-to-fixtures.patch Type: text/x-patch Size: 1687 bytes
Name: freeipa-ofayans-0074.1-Added-necessary-xfails.patch Type: text/x-patch Size: 4940 bytes
Name: freeipa-ofayans-0075-Updated-master-and-replica-installation-methods.patch Type: text/x-patch Size: 6390 bytes
Name: freeipa-ofayans-0076.1-Made-unapply_fixes-call-optional-at-master-uninstall.patch Type: text/x-patch Size: 1553 bytes
Name: freeipa-ofayans-0077-Enabled-negative-testing-for-cleaning-replication-agreements.patch Type: text/x-patch Size: 1330 bytes
Name: freeipa-ofayans-0078-Replaced-hardcoded-certutil-with-imported-from-paths.patch Type: text/x-patch Size: 990 bytes
Name: freeipa-ofayans-0079-test-Replaced-unused-setUp-method-with-install.patch Type: text/x-patch Size: 1474 bytes
Name: freeipa-ofayans-0080-test-fixed-expects-of-incorrect-error-messages.patch Type: text/x-patch Size: 7557 bytes
Name: freeipa-ofayans-0081-test-Fixed-Usage-of-improper-certs-in-ca-less-tests.patch Type: text/x-patch Size: 3467 bytes
Name: freeipa-ofayans-0082-tests-Implemented-check-for-domainlevel.patch Type: text/x-patch Size: 5390 bytes
Name: freeipa-ofayans-0083-tests-Standardized-replica_preparation-in-test_no_ce.patch Type: text/x-patch Size: 1344 bytes
Name: freeipa-ofayans-0084-tests-added-verbose-assert-to-test_service_disable.patch Type: text/x-patch Size: 1427 bytes
Name: freeipa-ofayans-0085-tests-fixed-super-method-invocation.patch Type: text/x-patch Size: 927 bytes
Name: freeipa-ofayans-0086-tests-fixed-certinstall-method.patch Type: text/x-patch Size: 1265 bytes
Name: freeipa-ofayans-0087-Reverted-erronous-asserts-in-4-tests.patch Type: text/x-patch Size: 2277 bytes
Name: freeipa-ofayans-0088-Fixed-code-styling-to-make-pep8-happy.patch Type: text/x-patch Size: 3287 bytes

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 14:44:10 +0200
Subject: [Freeipa-devel] [freeipa PR#93][comment] Tests: Remove SSSD restart from integration tests

URL: https://github.com/freeipa/freeipa/pull/93
Title: #93: Tests: Remove SSSD restart from integration tests

mbasti-rh commented:
"""
Fixed upstream
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/64599789f93ad0d6bf7e44acc81d30ecd6ecf0c9
"""

See the full comment at https://github.com/freeipa/freeipa/pull/93#issuecomment-248600830

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 15:14:22 +0200
Subject: [Freeipa-devel] [freeipa PR#77][+ack] Tests: Update host test with ipa-join

URL: https://github.com/freeipa/freeipa/pull/77
Title: #77: Tests: Update host test with ipa-join
Label: +ack

From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 21 Sep 2016 15:18:08 +0200
Subject: [Freeipa-devel] [freeipa PR#102][comment] Updated ipa-client-install info about hostname

URL: https://github.com/freeipa/freeipa/pull/102
Title: #102: Updated ipa-client-install info about hostname

tomaskrizek commented:
"""
The doc text should also be updated for the `ipa-replica-conncheck` command.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/102#issuecomment-248609339

From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Wed, 21 Sep 2016 15:30:35 +0200
Subject: [Freeipa-devel] [freeipa PR#94][+ack] [ipa-4-2] Keep NSS trust flags of existing certificates

URL: https://github.com/freeipa/freeipa/pull/94
Title: #94: [ipa-4-2] Keep NSS trust flags of existing certificates
Label: +ack

From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Wed, 21 Sep 2016 15:30:40 +0200
Subject: [Freeipa-devel] [freeipa PR#94][comment] [ipa-4-2] Keep NSS trust flags of existing certificates

URL: https://github.com/freeipa/freeipa/pull/94
Title: #94: [ipa-4-2] Keep NSS trust flags of existing certificates

flo-renaud commented:
"""
Hi Tomas,
the backport works for me as well.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/94#issuecomment-248612733

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 15:40:21 +0200
Subject: [Freeipa-devel] [freeipa PR#94][+pushed] [ipa-4-2] Keep NSS trust flags of existing certificates

URL: https://github.com/freeipa/freeipa/pull/94
Title: #94: [ipa-4-2] Keep NSS trust flags of existing certificates
Label: +pushed

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 15:40:22 +0200
Subject: [Freeipa-devel] [freeipa PR#94][comment] [ipa-4-2] Keep NSS trust flags of existing certificates

URL: https://github.com/freeipa/freeipa/pull/94
Title: #94: [ipa-4-2] Keep NSS trust flags of existing certificates

mbasti-rh commented:
"""
Fixed upstream
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/202ab8719e3c3a2dfd7fa82d84162954751405a3
"""

See the full comment at https://github.com/freeipa/freeipa/pull/94#issuecomment-248615361

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 15:40:24 +0200
Subject: [Freeipa-devel] [freeipa PR#94][closed] [ipa-4-2] Keep NSS trust flags of existing certificates

URL: https://github.com/freeipa/freeipa/pull/94
Author: tomaskrizek
Title: #94: [ipa-4-2] Keep NSS trust flags of existing certificates
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/94/head:pr94
git checkout pr94

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 15:43:35 +0200
Subject: [Freeipa-devel] [freeipa PR#76][comment] Keep NSS trust flags of existing certificates

URL: https://github.com/freeipa/freeipa/pull/76
Title: #76: Keep NSS trust flags of existing certificates

mbasti-rh commented:
"""
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/741f2e4e7a6d3fddf39fec42ea9b49b753af9cf4
"""

See the full comment at https://github.com/freeipa/freeipa/pull/76#issuecomment-248616329

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 15:44:04 +0200
Subject: [Freeipa-devel] [freeipa PR#76][comment] Keep NSS trust flags of existing certificates

URL: https://github.com/freeipa/freeipa/pull/76
Title: #76: Keep NSS trust flags of existing certificates

mbasti-rh commented:
"""
#94 Backport to 4.2 version
"""

See the full comment at https://github.com/freeipa/freeipa/pull/76#issuecomment-248616455

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 15:44:32 +0200
Subject: [Freeipa-devel] [freeipa PR#94][comment] [ipa-4-2] Keep NSS trust flags of existing certificates

URL: https://github.com/freeipa/freeipa/pull/94
Title: #94: [ipa-4-2] Keep NSS trust flags of existing certificates

mbasti-rh commented:
"""
JFTR original PR #76
"""

See the full comment at https://github.com/freeipa/freeipa/pull/94#issuecomment-248616580

From: freeipa-github-notification at redhat.com (rcritten)
Date: Wed, 21 Sep 2016 15:47:57 +0200
Subject: [Freeipa-devel] [freeipa PR#84][comment] Fix update_from_dict function testing

URL: https://github.com/freeipa/freeipa/pull/84
Title: #84: Fix update_from_dict function testing

rcritten commented:
"""
The sort of pie-in-the-sky thinking about 3rd party plugins that Jason and I talked about eons ago was that users would provide their own update files as part of their installer, to be dropped somewhere (perhaps into the IPA-provided directory) and be processed like any other. I'm not sure I'd want a 3rd party plugin poking at ldapupdate internals.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/84#issuecomment-248617607

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 15:59:07 +0200
Subject: [Freeipa-devel] [freeipa PR#88][+ack] test_plugable: update the rest of test_init

URL: https://github.com/freeipa/freeipa/pull/88
Title: #88: test_plugable: update the rest of test_init
Label: +ack

From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 21 Sep 2016 16:21:06 +0200
Subject: [Freeipa-devel] [PATCH] ca-less tests updated
In-Reply-To: <86705758-a778-665c-8480-a2f127ead97c@redhat.com>
References: <56337745.109@redhat.com> <563B091B.3010501@redhat.com> <563B6A96.8090606@redhat.com> <563BABEC.8080304@redhat.com> <563C5B1A.1090803@redhat.com> <563C5E6D.4060307@redhat.com> <563CA575.1030808@redhat.com> <567176A2.1000901@redhat.com> <5707C431.6070702@redhat.com> <570E1E70.6060309@redhat.com> <5715F6B5.3070003@redhat.com> <57173F56.5020308@redhat.com> <5731F951.1020700@redhat.com> <57A99B02.1010507@redhat.com> <84a03933-9820-2c63-ef7b-1cf63a44e3a9@redhat.com> <4b1365a2-c140-4aa4-baf9-9c7a6953c7f8@redhat.com> <5dee6817-b758-3694-16e6-a9e99cd2f838@redhat.com> <86705758-a778-665c-8480-a2f127ead97c@redhat.com>

Patch-0076 rebased to current master

On 09/21/2016 02:41 PM, Oleg Fayans wrote:
> Hi David,
>
> As per your comments the patches were once again refactored. I am attaching the full set of them, please ignore any previous versions. The patches apply cleanly on master and pylint swallows the resulting code silently.
>
> On 09/12/2016 09:51 AM, David Kupka wrote:
>> Hi Oleg,
>> thank you, now it's a completely different game.
>> Please add a prefix to commit message summaries. Simply prepending "tests: " should be OK.
>>
>> 0041 - -h is deprecated in favor of -H.
>> 0062 - 0068 - LGTM
>> 0069 - I see 2 unrelated changes in the patch, please split them:
>>   - 1 - certutil -> paths.CERTUTIL
>>   - 2 - assert
>> 0070 - I see 2 unrelated changes in the patch, please split them:
>>   - 1 - teardown
>>   - 2 - TestReplicaInstall.setUp -> TestReplicaInstall.install
>> 0071 - typos in commit message, I see 5 unrelated changes in that patch:
>>   - 1 - error messages in assert
>>   - 2 - certificates used
>>   - 3 - verify_installation called only in DOMAIN_LEVEL_0.
>>   - 4 - TestCertinstall.install
>>   - 5 - TestCertinstall.certinstall
>> 0072 - 0077 - LGTM
>>
>> On 09/09/16 15:22, Oleg Fayans wrote:
>>> Hi David, team
>>>
>>> According to your suggestions I've split my commits so that each commit addresses some particular problem. One patch (0071) still contains several unrelated fixes, but they mostly reflect changes in error messages and really small but numerous bugfixes that I did not consider worthy of a separate commit each. Please, whenever you have free time, take a look at this new bunch of patches.
>>>
>>> Thanks!
>>>
>>> On 09/06/2016 04:41 PM, David Kupka wrote:
>>>> Hi Oleg!
>>>>
>>>> 0013 - It looks like there are two unrelated changes, addition of CRL distribution extension and creating a certificate signed by a no longer existing CA. Please create a separate patch for each of the changes, and describe the change and the reason for it in the commit messages.
>>>>
>>>> 0014 - Could you please split the patch into "numerous" commits, each fixing one error? Please also describe each fix so everyone has at least a vague idea about the patch without reading its code. Also, why do you introduce the global variable config? I don't see it used anywhere.
>>>>
>>>> 0039 - It looks like multiple different changes and the commit message says nothing again. Please split and describe what you changed and why.
>>>>
>>>> 0041 - Looks like a weird workaround to me. It would be better to investigate the root cause and fix it. Or at least describe the cause in the commit message and a code comment if it can't be fixed. Also "-h is deprecated in favor of -H" says man 1 ldapmodify.
>>>>
>>>>
>>>> On 05/09/16 14:32, Oleg Fayans wrote:
>>>>> Hi guys,
>>>>>
>>>>> Finally the ca-less tests are stable. Here in the attachment is the full set of necessary patches.
>>>>>
>>>>>
>>>>> On 08/09/2016 10:57 AM, Oleg Fayans wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> Bump for the review of the 0013 patch. The script it addresses can be reused in some WebUI tests - one more reason to have it reviewed/merged.
>>>>>>
>>>>>> The rest of the patches should be re-tested, since they were prepared a good while ago.
>>>>>>
>>>>>> On 05/10/2016 05:08 PM, Oleg Fayans wrote:
>>>>>>> Hi David,
>>>>>>>
>>>>>>> After quite a while and some more struggles here comes the updated version of the patch together with other patches fixing things in ipatests/test_integration/tasks.py. Server and replica installation was refactored in a way to utilize the code from tasks.py as much as possible.
>>>>>>>
>>>>>>> The full set of necessary patches is attached.
>>>>>>>
>>>>>>>
>>>>>>> On 04/20/2016 10:35 AM, David Kupka wrote:
>>>>>>>> On 19/04/16 11:13, Oleg Fayans wrote:
>>>>>>>>> OK, that one, though passing lint, did not actually work. I gave up my attempts to define method decorators inside the class. Now it passes lint AND works :)
>>>>>>>>>
>>>>>>>>
>>>>>>>> Hi Oleg!
>>>>>>>>
>>>>>>>> 1) The current commit message is useless. Please use it to describe what the point of the patch is.
>>>>>>>>
>>>>>>>> 2) $ git show -U0 | pep8 --diff
>>>>>>>> ./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank lines, found 1
>>>>>>>> ./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank lines, found 1
>>>>>>>> ./ipatests/test_integration/test_caless.py:820:5: E303 too many blank lines (2)
>>>>>>>> ./ipatests/test_integration/test_caless.py:825:80: E501 line too long (80 > 79 characters)
>>>>>>>> ./ipatests/test_integration/test_caless.py:1035:44: E225 missing whitespace around operator
>>>>>>>>
>>>>>>>>
>>>>>>>> 3) Isn't there a way to do this with pytest's fixtures?
>>>>>>>>
>>>>>>>>> +def server_install_teardown(func):
>>>>>>>>> +    def wrapped(*args):
>>>>>>>>> +        try:
>>>>>>>>> +            func(*args)
>>>>>>>>> +        finally:
>>>>>>>>> +            args[0].uninstall_server()
>>>>>>>>> +    return wrapped
>>>>>>>>> +
>>>>>>>>> +def replica_install_teardown(func):
>>>>>>>>> +    def wrapped(*args):
>>>>>>>>> +        try:
>>>>>>>>> +            func(*args)
>>>>>>>>> +        finally:
>>>>>>>>> +            # Uninstall replica
>>>>>>>>> +            replica = args[0].replicas[0]
>>>>>>>>> +            tasks.kinit_admin(args[0].master)
>>>>>>>>> +            args[0].uninstall_server(replica)
>>>>>>>>> +            args[0].master.run_command(['ipa-replica-manage', 'del',
>>>>>>>>> +                                        replica.hostname, '--force'],
>>>>>>>>> +                                       raiseonerr=False)
>>>>>>>>> +            args[0].master.run_command(['ipa', 'host-del',
>>>>>>>>> +                                        replica.hostname],
>>>>>>>>> +                                       raiseonerr=False)
>>>>>>>>> +    return wrapped
>>>>>>>>> +
>>>>>>>
>>>>>>> There is a standard pytest method called 'method_teardown', that is intended to be executed after each test method, but with our setup it does not work.
>>>>>>>
>>>>>>>>
>>>>>>>> 4) Is it necessary to create the $TEST_DIR in the test? Isn't it created by the framework?
>>>>>>>>
>>>>>>>>> +        host.transport.mkdir_recursive(host.config.test_dir)
>>>>>>>>
>>>>>>>
>>>>>>> Removed.
>>>>>>>
>>>>>>>>
>>>>>>>> 5) I don't think the comment matches the code.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> +        # Remove CA cert in /etc/pki/nssdb, in case of failed (un)install
>>>>>>>>> +        for host in cls.get_all_hosts():
>>>>>>>>> +            cls.uninstall_server(host)
>>>>>>>>> +
>>>>>>>>>          super(CALessBase, cls).uninstall(mh)
>>>>>>>>
>>>>>>>
>>>>>>> Not actual anymore
>>>>>>>
>>>>>>>>
>>>>>>>> 6) No! Create a list with one element, iterate that list and append every item to the other list. Maybe there's a better way (Hint: append). I've seen this in multiple places.
>>>>>>>>
>>>>>>>>>         if unattended:
>>>>>>>>>             args.extend(['-U'])
>>>>>>>
>>>>>>> Agreed
>>>>>>>
>>>>>>>>
>>>>>>>> 7) Why don't you (extend and) use ipatests.test_integration.tasks.(un)install_{master,replica}? This could be done pretty much all over the code.
>>>>>>>>
>>>>>>>>>         host.run_command(['ipa-server-install', '--uninstall', '-U'])
>>>>>>>>
>>>>>>>> 8) Use ipaplatform.paths for certutil and other binaries. If the binary is not there feel free to add it. I've seen this in multiple places.
>>>>>>>>
>>>>>>>>> +        host.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
>>>>>>>>> +                          '-n', 'External CA cert'],
>>>>>>>>> +                         raiseonerr=False)
>>>>>>>>> +        # A workaround for https://fedorahosted.org/freeipa/ticket/4639
>>>>>>>>> +        result = host.run_command(['certutil', '-L', '-d',
>>>>>>>>> +                                   paths.HTTPD_ALIAS_DIR])
>>>>>>>>> +        for rawcert in result.stdout_text.split('\n')[4: -1]:
>>>>>>>>> +            cert = rawcert.split(' ')[0]
>>>>>>>>> +            host.run_command(['certutil', '-D', '-d', paths.HTTPD_ALIAS_DIR,
>>>>>>>>> +                              '-n', cert])
>>>>>>>>>
>>>>>>>
>>>>>>> Done
>>>>>>>
>>>>>>>>
>>>>>>>> 9) certmonger is a system service. You can check if it is .enabled() and .running(). And IIUC the comment is the negation of what the code does.
>>>>>>>>
>>>>>>>>>
>>>>>>>>>         # Verify certmonger was not started
>>>>>>>>>         result = host.run_command(['getcert', 'list'], raiseonerr=False)
>>>>>>>>> -        assert result > 0
>>>>>>>>> -        assert ('Please verify that the certmonger service has been '
>>>>>>>>> -                'started.' in result.stdout_text), result.stdout_text
>>>>>>>>> +        assert result.returncode == 0
>>>>>>>>
>>>>>>>> 10) What is the point of calling uninstall_server() when it will be called in the finally block of server_install_teardown anyway?
>>>>>>>>
>>>>>>>>> +    @server_install_teardown
>>>>>>>>>     def test_revoked_http(self):
>>>>>>>>>         "IPA server install with revoked HTTP certificate"
>>>>>>>>>
>>>>>>>>>         if result.returncode == 0:
>>>>>>>>> +            self.uninstall_server()
>>>>>>>>>             raise nose.SkipTest(
>>>>>>>>>                 "Known CA-less installation defect, see "
>>>>>>>>>
>>>>>>>>> +                "https://fedorahosted.org/freeipa/ticket/4270")
>>>>>>>>>
>>>>>>>>>         assert result.returncode > 0
>>>>>>>>>
>>>>>>> Removed
>>>>>>>
>>>>>>>>
>>>>>>>> Nitpick) Do not mix fixing typos/grammar/spelling/style with functional changes.
>>>>>>>>
>>>>>>>>> -    def test_incorect_http_pin(self):
>>>>>>>>> +    @pytest.mark.xfail(reason='freeipa ticket 5378')
>>>>>>>>> +    def test_incorrect_http_pin(self):
>>>>>>>>>         "Install new HTTP certificate with incorrect PKCS#12 password"
>>>>>>>
>>>>>>> Removed
>>>>>>>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

A non-text attachment was scrubbed: Name: freeipa-ofayans-0076.2-Made-unapply_fixes-call-optional-at-master-uninstall.patch Type: text/x-patch Size: 1552 bytes

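Review bot: in the finally block of replica_install_teardown the cleanup stops at the first step that raises. If tasks.kinit_admin(args[0].master) or args[0].uninstall_server(replica) fails, the following ipa-replica-manage del and ipa host-del calls never run even though they were given raiseonerr=False, so one failed test leaves a stale replication agreement and host entry for the next one. Run each step under its own try/except (or collect the errors and re-raise at the end) so the later steps always execute. Separately, wrapped(*args) drops keyword arguments and, without functools.wraps(func), the wrapped test loses its __name__ and docstring in reports.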
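Review bot: the certutil -L workaround loop relies on result.stdout_text.split('\n')[4: -1] to skip the header and on rawcert.split(' ')[0] to recover the nickname, which truncates any nickname that contains a space (the same hunk deletes 'External CA cert' a few lines earlier, a nickname with spaces) and then passes a partial name to certutil -D. Parse each line from the right instead (strip the trailing trust-flags column, keep the rest as the nickname) and skip lines until the blank line that ends the header rather than counting four lines; also check the return code of each certutil -D instead of assuming it succeeded.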
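A fixture-based alternative to the server_install_teardown/replica_install_teardown decorators quoted in the thread above, added here as an illustration and not code from the patches under review: the cleanup steps are the ones the replica decorator runs, but each is attempted even when an earlier one raises, which the decorator's sequential finally block does not guarantee. FakeHost and its recorded command log are constructed for the example; the pytest fixture assumes the test class exposes master and replicas attributes as the decorator does, and a plain kinit command stands in for tasks.kinit_admin.

```python
"""Per-test teardown via a pytest fixture instead of a hand-written decorator.

Added example, not part of the FreeIPA patches under review. The host object,
its command log and the failure injection are constructed for this example.
"""
try:
    import pytest  # only needed to register the fixture; the helpers run without it
except ImportError:  # pragma: no cover
    pytest = None


class FakeHost(object):
    """Constructed stand-in for an integration-test host: records each command
    it is asked to run and raises for the commands listed in fail_on."""

    def __init__(self, hostname, fail_on=()):
        self.hostname = hostname
        self.fail_on = set(fail_on)
        self.commands = []

    def run_command(self, argv, raiseonerr=True):
        self.commands.append(list(argv))
        if argv[0] in self.fail_on and raiseonerr:
            raise RuntimeError('%s failed on %s' % (argv[0], self.hostname))


def replica_teardown_steps(master, replica):
    """The cleanup the quoted replica_install_teardown decorator performs,
    as a list of callables so they can be run one by one."""
    return [
        lambda: master.run_command(['kinit', 'admin']),  # stands in for tasks.kinit_admin(master)
        lambda: replica.run_command(['ipa-server-install', '--uninstall', '-U']),
        lambda: master.run_command(['ipa-replica-manage', 'del', replica.hostname, '--force'],
                                   raiseonerr=False),
        lambda: master.run_command(['ipa', 'host-del', replica.hostname], raiseonerr=False),
    ]


def teardown_sequential(master, replica):
    """Behaviour of the decorator's finally block: the first exception aborts
    the remaining steps. Returns the exception that aborted it, or None."""
    for step in replica_teardown_steps(master, replica):
        try:
            step()
        except Exception as exc:
            return exc
    return None


def teardown_best_effort(master, replica):
    """Run every step even when earlier ones fail; return the errors seen so the
    caller can still fail the test without leaving a half-cleaned replica."""
    errors = []
    for step in replica_teardown_steps(master, replica):
        try:
            step()
        except Exception as exc:  # teardown must keep going; report afterwards
            errors.append(exc)
    return errors


if pytest is not None:
    @pytest.fixture
    def replica_teardown(request):
        """Use with @pytest.mark.usefixtures('replica_teardown') on a test method.
        Everything after `yield` runs whether the test passed, failed or was
        skipped, which is what the decorator's try/finally was emulating.
        (pytest's built-in per-method hook is spelled teardown_method.)
        Assumes the test class carries `master` and `replicas` like the page's
        decorator does."""
        cls = request.instance
        yield
        errors = teardown_best_effort(cls.master, cls.replicas[0])
        assert not errors, 'replica teardown had failures: %r' % (errors,)
```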
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 16:52:28 +0200
Subject: [Freeipa-devel] [freeipa PR#95][+ack] Tests: Remove unnecessary attributes from base tracker

URL: https://github.com/freeipa/freeipa/pull/95
Title: #95: Tests: Remove unnecessary attributes from base tracker
Label: +ack

From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 21 Sep 2016 17:15:34 +0200
Subject: [Freeipa-devel] [freeipa PR#84][comment] Fix update_from_dict function testing

URL: https://github.com/freeipa/freeipa/pull/84
Title: #84: Fix update_from_dict function testing

abbra commented:
"""
> This is not true, update plugins are supposed to return the dictionaries from their execute method. See any of the update plugins in ipaserver/install/plugins for how it's done.

Most of the plugins there use direct 'ldap.update()' calls and return empty lists of dictionaries. Perhaps 'update_uniqueness.py' and 'rename_managed.py' could serve as examples where a list of dictionaries is returned to do the update. But point is taken -- I think this proves we can remove the method as the original patch proposed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/84#issuecomment-248643940

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 17:17:19 +0200
Subject: [Freeipa-devel] [freeipa PR#74][+ack] [master, ipa-4-4] Tests: Add krb5kdc.service restart to integration trust tests

URL: https://github.com/freeipa/freeipa/pull/74
Title: #74: [master, ipa-4-4] Tests: Add krb5kdc.service restart to integration trust tests
Label: +ack

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 17:22:29 +0200
Subject: [Freeipa-devel] [freeipa PR#75][comment] Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap

URL: https://github.com/freeipa/freeipa/pull/75
Title: #75: Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap

mbasti-rh commented:
"""
Works for me
"""

See the full comment at https://github.com/freeipa/freeipa/pull/75#issuecomment-248646130

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 17:22:34 +0200
Subject: [Freeipa-devel] [freeipa PR#75][+ack] Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap

URL: https://github.com/freeipa/freeipa/pull/75
Title: #75: Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
Label: +ack

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 17:37:02 +0200
Subject: [Freeipa-devel] [freeipa PR#99][+ack] Tests: Remove --force options from tracker base class

URL: https://github.com/freeipa/freeipa/pull/99
Title: #99: Tests: Remove --force options from tracker base class
Label: +ack

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 17:37:19 +0200
Subject: [Freeipa-devel] [freeipa PR#99][comment] Tests: Remove --force options from tracker base class

URL: https://github.com/freeipa/freeipa/pull/99
Title: #99: Tests: Remove --force options from tracker base class

mbasti-rh commented:
"""
works for me
"""

See the full comment at https://github.com/freeipa/freeipa/pull/99#issuecomment-248651004

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:40:27 +0200
Subject: [Freeipa-devel] [freeipa PR#99][+pushed] Tests: Remove --force options from tracker base class

URL: https://github.com/freeipa/freeipa/pull/99
Title: #99: Tests: Remove --force options from tracker base class
Label: +pushed

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:40:29 +0200
Subject: [Freeipa-devel] [freeipa PR#99][comment] Tests: Remove --force options from tracker base class

URL: https://github.com/freeipa/freeipa/pull/99
Title: #99: Tests: Remove --force options from tracker base class

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a07c4bdd4fda0ed1cca93d5a56ef67205be1a9d1
"""

See the full comment at https://github.com/freeipa/freeipa/pull/99#issuecomment-248670204

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:40:31 +0200
Subject: [Freeipa-devel] [freeipa PR#99][closed] Tests: Remove --force options from tracker base class

URL: https://github.com/freeipa/freeipa/pull/99
Author: mirielka
Title: #99: Tests: Remove --force options from tracker base class
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/99/head:pr99
git checkout pr99

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:41:43 +0200
Subject: [Freeipa-devel] [freeipa PR#95][+pushed] Tests: Remove unnecessary attributes from base tracker

URL: https://github.com/freeipa/freeipa/pull/95
Title: #95: Tests: Remove unnecessary attributes from base tracker
Label: +pushed

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:41:44 +0200
Subject: [Freeipa-devel] [freeipa PR#95][comment] Tests: Remove unnecessary attributes from base tracker

URL: https://github.com/freeipa/freeipa/pull/95
Title: #95: Tests: Remove unnecessary attributes from base tracker

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/522766a565f6845984c98dc3ea67d66a3e00e4c7
"""

See the full comment at https://github.com/freeipa/freeipa/pull/95#issuecomment-248670556

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:41:45 +0200
Subject: [Freeipa-devel] [freeipa PR#95][closed] Tests: Remove unnecessary attributes from base tracker

URL: https://github.com/freeipa/freeipa/pull/95
Author: mirielka
Title: #95: Tests: Remove unnecessary attributes from base tracker
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/95/head:pr95
git checkout pr95

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:43:24 +0200
Subject: [Freeipa-devel] [freeipa PR#88][comment] test_plugable: update the rest of test_init

URL: https://github.com/freeipa/freeipa/pull/88
Title: #88: test_plugable: update the rest of test_init

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/09a8f62d12c0be26741c24845cda2be83f14c503
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/3fa092591b097f0cadd2d9fab1857bf8b360cbf7
"""

See the full comment at https://github.com/freeipa/freeipa/pull/88#issuecomment-248671013

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:43:25 +0200
Subject: [Freeipa-devel] [freeipa PR#88][+pushed] test_plugable: update the rest of test_init

URL: https://github.com/freeipa/freeipa/pull/88
Title: #88: test_plugable: update the rest of test_init
Label: +pushed

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:43:26 +0200
Subject: [Freeipa-devel] [freeipa PR#88][closed] test_plugable: update the rest of test_init

URL: https://github.com/freeipa/freeipa/pull/88
Author: jcholast
Title: #88: test_plugable: update the rest of test_init
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/88/head:pr88
git checkout pr88

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:45:18 +0200
Subject: [Freeipa-devel] [freeipa PR#74][+pushed] [master, ipa-4-4] Tests: Add krb5kdc.service restart to integration trust tests

URL: https://github.com/freeipa/freeipa/pull/74
Title: #74: [master, ipa-4-4] Tests: Add krb5kdc.service restart to integration trust tests
Label: +pushed

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:45:19 +0200
Subject: [Freeipa-devel] [freeipa PR#74][comment] [master, ipa-4-4] Tests: Add krb5kdc.service restart to integration trust tests

URL: https://github.com/freeipa/freeipa/pull/74
Title: #74: [master, ipa-4-4] Tests: Add krb5kdc.service restart to integration trust tests

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/936a6a38b8e7ece83933090db5840ebd37c26c20
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/d4ee84d7c1aeae409f49b684b9e11c48ef04afe1
"""

See the full comment at https://github.com/freeipa/freeipa/pull/74#issuecomment-248671549

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:45:21 +0200
Subject: [Freeipa-devel] [freeipa PR#74][closed] [master, ipa-4-4] Tests: Add krb5kdc.service restart to integration trust tests

URL: https://github.com/freeipa/freeipa/pull/74
Author: mirielka
Title: #74: [master, ipa-4-4] Tests: Add krb5kdc.service restart to integration trust tests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/74/head:pr74
git checkout pr74

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:47:01 +0200
Subject: [Freeipa-devel] [freeipa PR#77][+pushed] Tests: Update host test with ipa-join

URL: https://github.com/freeipa/freeipa/pull/77
Title: #77: Tests: Update host test with ipa-join
Label: +pushed

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:47:02 +0200
Subject: [Freeipa-devel] [freeipa PR#77][comment] Tests: Update host test with ipa-join

URL: https://github.com/freeipa/freeipa/pull/77
Title: #77: Tests: Update host test with ipa-join

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c0fcfb31ecb2d17c3484d752edf55a42ef04ead7
https://fedorahosted.org/freeipa/changeset/8a947e2fd0d62df9a68252c1f7505451347b0c7d
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/bc6dbfb4d88014f87a072f5f28b1883a96f41995
https://fedorahosted.org/freeipa/changeset/9a2f9c27cd3fc2d5009ecfefc82de728d20020db
"""

See the full comment at https://github.com/freeipa/freeipa/pull/77#issuecomment-248672020

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:47:04 +0200
Subject: [Freeipa-devel] [freeipa PR#77][closed] Tests: Update host test with ipa-join

URL: https://github.com/freeipa/freeipa/pull/77
Author: mirielka
Title: #77: Tests: Update host test with ipa-join
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/77/head:pr77
git checkout pr77

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:48:43 +0200
Subject: [Freeipa-devel] [freeipa PR#75][+pushed] Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap

URL: https://github.com/freeipa/freeipa/pull/75
Title: #75: Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
Label: +pushed

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:48:44 +0200
Subject: [Freeipa-devel] [freeipa PR#75][comment] Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap

URL: https://github.com/freeipa/freeipa/pull/75
Title: #75: Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a7c49e455e4f1f06f621f4c634a79b3ae0585cd8
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/1d4c97079ea9f77105279c56cc45d389c28cdc02
"""

See the full comment at https://github.com/freeipa/freeipa/pull/75#issuecomment-248672512

From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 18:48:46 +0200
Subject: [Freeipa-devel] [freeipa PR#75][closed] Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/75
Author: mirielka
Title: #75: Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/75/head:pr75
git checkout pr75

From freeipa-github-notification at redhat.com Wed Sep 21 17:01:14 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 21 Sep 2016 19:01:14 +0200
Subject: [Freeipa-devel] [freeipa PR#103][+rejected] Backport XMLRPC test fixes to ipa-4-3 branch
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/103
Title: #103: Backport XMLRPC test fixes to ipa-4-3 branch

Label: +rejected

From freeipa-github-notification at redhat.com Wed Sep 21 17:01:18 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 21 Sep 2016 19:01:18 +0200
Subject: [Freeipa-devel] [freeipa PR#103][closed] Backport XMLRPC test fixes to ipa-4-3 branch
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/103
Author: martbab
Title: #103: Backport XMLRPC test fixes to ipa-4-3 branch
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/103/head:pr103
git checkout pr103

From freeipa-github-notification at redhat.com Wed Sep 21 17:03:07 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 21 Sep 2016 19:03:07 +0200
Subject: [Freeipa-devel] [freeipa PR#104][opened] Backport XMLRPC test fixes to ipa-4-3 branch
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/104
Author: martbab
Title: #104: Backport XMLRPC test fixes to ipa-4-3 branch
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6316
https://fedorahosted.org/freeipa/ticket/6317
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/104/head:pr104
git checkout pr104

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-104.patch
Type: text/x-diff
Size: 4144 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Sep 21 17:12:12 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 19:12:12 +0200
Subject: [Freeipa-devel] [freeipa PR#101][comment] Improved vault-show error message
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/101
Title: #101: Improved vault-show error message

mbasti-rh commented:
"""
NACK: you fixed only vault-show, not the other vault-* commands

NACK: I don't like the override of the execute method (it should work for all vault-* commands automatically). Is it possible to override the method handle_not_found of the vault object? IMO which vault type is used can be determined by the DN suffix (maybe it deserves a new method vault_type_from_DN()).

NACK: This is pure evil, pls keep better readability (use if-elif-else instead)
```
if options.get('service'):
    container_type = 'service'
else:
    container_type = 'shared' if options.get('shared') else 'user'
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/101#issuecomment-248679160

From bind-dyndb-ldap-github-notification at redhat.com Wed Sep 21 17:25:51 2016
From: bind-dyndb-ldap-github-notification at redhat.com (pspacek)
Date: Wed, 21 Sep 2016 19:25:51 +0200
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#1][synchronized] Port bind-dyndb-ldap to BIND 9.11
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/bind-dyndb-ldap/pull/1
Author: pspacek
Title: #1: Port bind-dyndb-ldap to BIND 9.11
Action: synchronized

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/1/head:pr1
git checkout pr1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pr-1.patch
Type: text/x-diff
Size: 123169 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Sep 21 20:09:40 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Sep 2016 22:09:40 +0200
Subject: [Freeipa-devel] [freeipa PR#101][comment] Improved vault-show error message
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/101
Title: #101: Improved vault-show error message

mbasti-rh commented:
"""
Oh, I realized that it is not possible to create a DN inside handle_not_found, because it does not take **kwargs.

Probably we can extend handle_not_found with kwargs, but this decision needs a broader audience.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/101#issuecomment-248728122

From freeipa-github-notification at redhat.com Wed Sep 21 23:56:25 2016
From: freeipa-github-notification at redhat.com (alibasim86)
Date: Thu, 22 Sep 2016 01:56:25 +0200
Subject: [Freeipa-devel] [freeipa PR#100][edited] Ipa 4 4
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/100
Author: alibasim86
Title: #100: Ipa 4 4
Action: edited

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/100/head:pr100
git checkout pr100

From freeipa-github-notification at redhat.com Thu Sep 22 07:07:11 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Thu, 22 Sep 2016 09:07:11 +0200
Subject: [Freeipa-devel] [freeipa PR#100][comment] Ipa 4 4
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/100
Title: #100: Ipa 4 4

dkupka commented:
"""
> hi, my issue is not in deployment my issue is a bug in the software itself i have already submitted a ticket with redhat support which is taking too much time so i hoped you guys can see this since you are the developers of the application "my deployment is based on official redhat recommendation"

Ok, but a PR is still not a good place to report bugs or ask for a fix. If you want to discuss this issue and possibly find a solution with upstream developers please use the freeipa-users@ mailing list. It's the preferred communication medium because it allows us to ask further questions (outputs, logs, results of suggested changes, ...) and is asynchronous so people all over the world can join the discussion without problems.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/100#issuecomment-248828506

From freeipa-github-notification at redhat.com Thu Sep 22 07:21:21 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Thu, 22 Sep 2016 09:21:21 +0200
Subject: [Freeipa-devel] [freeipa PR#102][+ack] Updated ipa-client-install info about hostname
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/102
Title: #102: Updated ipa-client-install info about hostname

Label: +ack

From freeipa-github-notification at redhat.com Thu Sep 22 07:29:45 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 22 Sep 2016 09:29:45 +0200
Subject: [Freeipa-devel] [freeipa PR#84][synchronized] Fix update_from_dict function testing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/84
Author: stlaz
Title: #84: Fix update_from_dict function testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/84/head:pr84
git checkout pr84

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-84.patch
Type: text/x-diff
Size: 5282 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 22 07:30:47 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 22 Sep 2016 09:30:47 +0200
Subject: [Freeipa-devel] [freeipa PR#84][comment] Fix update_from_dict function testing
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/84
Title: #84: Fix update_from_dict function testing

stlaz commented:
"""
Removed the method and its respective test again.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/84#issuecomment-248832033

From freeipa-github-notification at redhat.com Thu Sep 22 07:50:33 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Sep 2016 09:50:33 +0200
Subject: [Freeipa-devel] [freeipa PR#84][edited] Removed update_from_dict function from ldapupdate
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/84
Author: stlaz
Title: #84: Removed update_from_dict function from ldapupdate
Action: edited

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/84/head:pr84
git checkout pr84

From freeipa-github-notification at redhat.com Thu Sep 22 08:29:13 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Sep 2016 10:29:13 +0200
Subject: [Freeipa-devel] [freeipa PR#102][closed] Updated ipa-client-install info about hostname
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/102
Author: stlaz
Title: #102: Updated ipa-client-install info about hostname
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/102/head:pr102
git checkout pr102

From freeipa-github-notification at redhat.com Thu Sep 22 08:29:14 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Sep 2016 10:29:14 +0200
Subject: [Freeipa-devel] [freeipa PR#102][+pushed] Updated ipa-client-install info about hostname
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/102
Title: #102: Updated ipa-client-install info about hostname

Label: +pushed

From freeipa-github-notification at redhat.com Thu Sep 22 08:29:16 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Sep 2016 10:29:16 +0200
Subject: [Freeipa-devel] [freeipa PR#102][comment] Updated ipa-client-install info about hostname
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/102
Title: #102: Updated ipa-client-install info about hostname

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/2e0afab5f2a47149580b4bc79093cdbb77f489c3

ipa-4-4:
https://fedorahosted.org/freeipa/changeset/e2aaa9c716b64a27d04aff97f229996071d31c0c
"""

See the full comment at https://github.com/freeipa/freeipa/pull/102#issuecomment-248841837

From freeipa-github-notification at redhat.com Thu Sep 22 10:44:55 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Thu, 22 Sep 2016 12:44:55 +0200
Subject: [Freeipa-devel] [freeipa PR#97][comment] Pylint fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/97
Title: #97: Pylint fixes

tomaskrizek commented:
"""
NACK, please see inline comments
"""

See the full comment at https://github.com/freeipa/freeipa/pull/97#issuecomment-248867576

From ofayans at redhat.com Thu Sep 22 10:55:41 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Thu, 22 Sep 2016 12:55:41 +0200
Subject: [Freeipa-devel] [PATCH] ca-less tests updated
In-Reply-To:
References: <56337745.109@redhat.com> <563B091B.3010501@redhat.com> <563B6A96.8090606@redhat.com> <563BABEC.8080304@redhat.com> <563C5B1A.1090803@redhat.com> <563C5E6D.4060307@redhat.com> <563CA575.1030808@redhat.com> <567176A2.1000901@redhat.com> <5707C431.6070702@redhat.com> <570E1E70.6060309@redhat.com> <5715F6B5.3070003@redhat.com> <57173F56.5020308@redhat.com> <5731F951.1020700@redhat.com> <57A99B02.1010507@redhat.com> <84a03933-9820-2c63-ef7b-1cf63a44e3a9@redhat.com> <4b1365a2-c140-4aa4-baf9-9c7a6953c7f8@redhat.com> <5dee6817-b758-3694-16e6-a9e99cd2f838@redhat.com> <86705758-a778-665c-8480-a2f127ead97c@redhat.com>
Message-ID:

Fixed patch N 41

On 09/21/2016 04:21 PM, Oleg Fayans wrote:
> Patch-0076 rebased to current master
>
> On 09/21/2016 02:41 PM, Oleg Fayans wrote:
>> Hi David,
>>
>> As per your comments the patches were once again refactored. I am attaching the full set of them, please ignore any previous versions. The patches apply cleanly on master and pylint swallows the resulting code silently.
>>
>> On 09/12/2016 09:51 AM, David Kupka wrote:
>>> Hi Oleg,
>>> thank you, now it's a completely different game.
>>> Please add a prefix to commit message summaries. Simply prepending "tests: " should be OK.
>>>
>>> 0041 - -h is deprecated in favor of -H.
>>> 0062 - 0068 - LGTM
>>> 0069 - I see 2 unrelated changes in the patch, please split them:
>>> - 1 - certutil -> paths.CERTUTIL
>>> - 2 - assert
>>> 0070 - I see 2 unrelated changes in the patch, please split them:
>>> - 1 - teardown
>>> - 2 - TestReplicaInstall.setUp -> TestReplicaInstall.install
>>> 0071 - typos in commit message, I see 5 unrelated changes in that patch:
>>> - 1 - error messages in assert
>>> - 2 - certificates used
>>> - 3 - verify_installation called only in DOMAIN_LEVEL_0.
>>> - 4 - TestCertinstall.install
>>> - 5 - TestCertinstall.certinstall
>>> 0072 - 0077 - LGTM
>>>
>>> On 09/09/16 15:22, Oleg Fayans wrote:
>>>> Hi David, team
>>>>
>>>> According to your suggestions I've split my commits so that each commit addresses some particular problem. One patch (0071) still contains several unrelated fixes, but they mostly reflect changes in error messages and really small but numerous bugfixes that I did not consider worthy of a separate commit each. Please, whenever you have free time, take a look at this new bunch of patches.
>>>>
>>>> Thanks!
>>>>
>>>> On 09/06/2016 04:41 PM, David Kupka wrote:
>>>>> Hi Oleg!
>>>>>
>>>>> 0013 - It looks like there are two unrelated changes, addition of the CRL distribution extension and creating a certificate signed by a no longer existing CA. Please create a separate patch for each of the changes, and describe the change and the reason for it in the commit messages.
>>>>>
>>>>> 0014 - Could you please split the patch into "numerous" commits, each fixing one error? Please also describe each fix so everyone has at least a vague idea about the patch without reading its code. Also, why do you introduce the global variable config? I don't see it used anywhere.
>>>>>
>>>>> 0039 - It looks like multiple different changes, and the commit message says nothing again. Please split and describe what you changed and why.
>>>>>
>>>>> 0041 - Looks like a weird workaround to me. It would be better to investigate the root cause and fix it. Or at least describe the cause in the commit message and a code comment if it can't be fixed. Also "-h is deprecated in favor of -H" says man 1 ldapmodify.
>>>>>
>>>>>
>>>>> On 05/09/16 14:32, Oleg Fayans wrote:
>>>>>> Hi guys,
>>>>>>
>>>>>> Finally the ca-less tests are stable. Here in the attachment is the full set of necessary patches.
>>>>>>
>>>>>>
>>>>>> On 08/09/2016 10:57 AM, Oleg Fayans wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> Bump for the review of the 0013 patch. The script it addresses can be reused in some WebUI tests - one more reason to have it reviewed/merged.
>>>>>>>
>>>>>>> The rest of the patches should be re-tested, since they were prepared a good while ago.
>>>>>>>
>>>>>>> On 05/10/2016 05:08 PM, Oleg Fayans wrote:
>>>>>>>> Hi David,
>>>>>>>>
>>>>>>>> After quite a while and some more struggles here comes the updated version of the patch together with other patches fixing things in ipatests/test_integration/tasks.py
>>>>>>>> Server and replica installation was refactored in a way to utilize the code from tasks.py as much as possible.
>>>>>>>>
>>>>>>>> The full set of necessary patches is attached
>>>>>>>>
>>>>>>>>
>>>>>>>> On 04/20/2016 10:35 AM, David Kupka wrote:
>>>>>>>>> On 19/04/16 11:13, Oleg Fayans wrote:
>>>>>>>>>> OK, that one, though passing lint, did not actually work. I gave up my attempts to define method decorators inside the class. Now it passes lint AND works:)
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hi Oleg!
>>>>>>>>>
>>>>>>>>> 1) The current commit message is useless. Please use it to describe what the point of the patch is.
>>>>>>>>>
>>>>>>>>> 2) $ git show -U0 | pep8 --diff
>>>>>>>>> ./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank lines, found 1
>>>>>>>>> ./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank lines, found 1
>>>>>>>>> ./ipatests/test_integration/test_caless.py:820:5: E303 too many blank lines (2)
>>>>>>>>> ./ipatests/test_integration/test_caless.py:825:80: E501 line too long (80 > 79 characters)
>>>>>>>>> ./ipatests/test_integration/test_caless.py:1035:44: E225 missing whitespace around operator
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 3) Isn't there a way to do this with pytest's fixtures?
>>>>>>>>>
>>>>>>>>>> +def server_install_teardown(func):
>>>>>>>>>> +    def wrapped(*args):
>>>>>>>>>> +        try:
>>>>>>>>>> +            func(*args)
>>>>>>>>>> +        finally:
>>>>>>>>>> +            args[0].uninstall_server()
>>>>>>>>>> +    return wrapped
>>>>>>>>>> +
>>>>>>>>>> +def replica_install_teardown(func):
>>>>>>>>>> +    def wrapped(*args):
>>>>>>>>>> +        try:
>>>>>>>>>> +            func(*args)
>>>>>>>>>> +        finally:
>>>>>>>>>> +            # Uninstall replica
>>>>>>>>>> +            replica = args[0].replicas[0]
>>>>>>>>>> +            tasks.kinit_admin(args[0].master)
>>>>>>>>>> +            args[0].uninstall_server(replica)
>>>>>>>>>> +            args[0].master.run_command(['ipa-replica-manage', 'del',
>>>>>>>>>> +                                        replica.hostname, '--force'],
>>>>>>>>>> +                                       raiseonerr=False)
>>>>>>>>>> +            args[0].master.run_command(['ipa', 'host-del',
>>>>>>>>>> +                                        replica.hostname],
>>>>>>>>>> +                                       raiseonerr=False)
>>>>>>>>>> +    return wrapped
>>>>>>>>>> +
>>>>>>>>
>>>>>>>> There is a standard pytest method called 'method_teardown', that is intended to be executed after each test method, but with our setup it does not work.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> 4) Is it necessary to create the $TEST_DIR in the test? Isn't it created by the framework?
>>>>>>>>>
>>>>>>>>>> +        host.transport.mkdir_recursive(host.config.test_dir)
>>>>>>>>>
>>>>>>>>
>>>>>>>> Removed.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> 5) I don't think the comment matches the code.
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> +        # Remove CA cert in /etc/pki/nssdb, in case of failed (un)install
>>>>>>>>>> +        for host in cls.get_all_hosts():
>>>>>>>>>> +            cls.uninstall_server(host)
>>>>>>>>>> +
>>>>>>>>>>          super(CALessBase, cls).uninstall(mh)
>>>>>>>>>
>>>>>>>>
>>>>>>>> Not actual anymore
>>>>>>>>
>>>>>>>>>
>>>>>>>>> 6) No! Create a list with one element, iterate that list and append every item to the other list. Maybe there's a better way (Hint: append).
>>>>>>>>> I've seen this in multiple places.
>>>>>>>>>
>>>>>>>>>>          if unattended:
>>>>>>>>>>              args.extend(['-U'])
>>>>>>>>
>>>>>>>> Agreed
>>>>>>>>
>>>>>>>>>
>>>>>>>>> 7) Why don't you (extend and) use ipatests.test_integration.tasks.(un)install_{master,replica}?
>>>>>>>>> This could be done pretty much all over the code.
>>>>>>>>>
>>>>>>>>>>          host.run_command(['ipa-server-install', '--uninstall', '-U'])
>>>>>>>>>
>>>>>>>>> 8) Use ipaplatform.paths for certutil and other binaries. If the binary is not there feel free to add it.
>>>>>>>>> I've seen this in multiple places.
>>>>>>>>>
>>>>>>>>>> +        host.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
>>>>>>>>>> +                          '-n', 'External CA cert'],
>>>>>>>>>> +                         raiseonerr=False)
>>>>>>>>>> +        # A workaround for https://fedorahosted.org/freeipa/ticket/4639
>>>>>>>>>> +        result = host.run_command(['certutil', '-L', '-d',
>>>>>>>>>> +                                   paths.HTTPD_ALIAS_DIR])
>>>>>>>>>> +        for rawcert in result.stdout_text.split('\n')[4: -1]:
>>>>>>>>>> +            cert = rawcert.split(' ')[0]
>>>>>>>>>> +            host.run_command(['certutil', '-D', '-d', paths.HTTPD_ALIAS_DIR,
>>>>>>>>>> +                              '-n', cert])
>>>>>>>>>>
>>>>>>>>
>>>>>>>> Done
>>>>>>>>
>>>>>>>>>
>>>>>>>>> 9) certmonger is a system service.
>>>>>>>>> You can check if it is .enabled() and .running(). And IIUC the comment is the negation of what the code does.
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>          # Verify certmonger was not started
>>>>>>>>>>          result = host.run_command(['getcert', 'list'], raiseonerr=False)
>>>>>>>>>> -        assert result > 0
>>>>>>>>>> -        assert ('Please verify that the certmonger service has been '
>>>>>>>>>> -                'started.' in result.stdout_text), result.stdout_text
>>>>>>>>>> +        assert result.returncode == 0
>>>>>>>>>
>>>>>>>>> 10) What is the point of calling uninstall_server() when it will be called in the finally block of server_install_teardown anyway?
>>>>>>>>>
>>>>>>>>>> +    @server_install_teardown
>>>>>>>>>>      def test_revoked_http(self):
>>>>>>>>>>          "IPA server install with revoked HTTP certificate"
>>>>>>>>>>
>>>>>>>>>>          if result.returncode == 0:
>>>>>>>>>> +            self.uninstall_server()
>>>>>>>>>>              raise nose.SkipTest(
>>>>>>>>>>                  "Known CA-less installation defect, see "
>>>>>>>>>> +                "https://fedorahosted.org/freeipa/ticket/4270")
>>>>>>>>>>
>>>>>>>>>>          assert result.returncode > 0
>>>>>>>>>>
>>>>>>>> Removed
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Nitpick) Do not mix fixing typos/grammar/spelling/style with functional changes.
>>>>>>>>>
>>>>>>>>>> -    def test_incorect_http_pin(self):
>>>>>>>>>> +    @pytest.mark.xfail(reason='freeipa ticket 5378')
>>>>>>>>>> +    def test_incorrect_http_pin(self):
>>>>>>>>>>          "Install new HTTP certificate with incorrect PKCS#12 password"
>>>>>>>>
>>>>>>>> Removed
>>>>>>>>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
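Review bot: in the server_install_teardown/replica_install_teardown hunk quoted under point 3, wrapped(*args) drops keyword arguments and the return value of func and, without functools.wraps(func), every decorated test is reported under the name 'wrapped'; decorate the inner function with @functools.wraps(func) and forward *args, **kwargs. In the same hunk, replica_install_teardown passes raiseonerr=False to the 'ipa-replica-manage del' and 'host-del' calls but not to tasks.kinit_admin or uninstall_server(replica), so a failure in either of those inside the finally block replaces the test's own exception with a teardown error and hides the real cause.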
Name: freeipa-ofayans-0041.3-Fixed-method-failures-during-second-call-for-the-method.patch
Type: text/x-patch
Size: 1394 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 22 10:57:21 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Thu, 22 Sep 2016 12:57:21 +0200
Subject: [Freeipa-devel] [freeipa PR#84][comment] Removed update_from_dict function from ldapupdate
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/84
Title: #84: Removed update_from_dict function from ldapupdate

abbra commented:
"""
LGTM. Thanks.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/84#issuecomment-248869910

From freeipa-github-notification at redhat.com Thu Sep 22 10:57:37 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Thu, 22 Sep 2016 12:57:37 +0200
Subject: [Freeipa-devel] [freeipa PR#84][+ack] Removed update_from_dict function from ldapupdate
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/84
Title: #84: Removed update_from_dict function from ldapupdate

Label: +ack

From freeipa-github-notification at redhat.com Thu Sep 22 11:03:23 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Sep 2016 13:03:23 +0200
Subject: [Freeipa-devel] [freeipa PR#84][+pushed] Removed update_from_dict function from ldapupdate
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/84
Title: #84: Removed update_from_dict function from ldapupdate

Label: +pushed

From freeipa-github-notification at redhat.com Thu Sep 22 11:03:24 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Sep 2016 13:03:24 +0200
Subject: [Freeipa-devel] [freeipa PR#84][comment] Removed update_from_dict function from ldapupdate
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/84
Title: #84: Removed update_from_dict function from ldapupdate

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/330a3ca93101bcec82ec5d3add14586871864bdd

ipa-4-4:
https://fedorahosted.org/freeipa/changeset/fd9434cab32e1581706d5c2925c774f9afe125b9

ipa-4-3:
https://fedorahosted.org/freeipa/changeset/126c7c6932bba62342eefdc910877df1075e4a70
"""

See the full comment at https://github.com/freeipa/freeipa/pull/84#issuecomment-248871140

From freeipa-github-notification at redhat.com Thu Sep 22 11:03:26 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Sep 2016 13:03:26 +0200
Subject: [Freeipa-devel] [freeipa PR#84][closed] Removed update_from_dict function from ldapupdate
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/84
Author: stlaz
Title: #84: Removed update_from_dict function from ldapupdate
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/84/head:pr84
git checkout pr84

From freeipa-github-notification at redhat.com Thu Sep 22 11:13:11 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 22 Sep 2016 13:13:11 +0200
Subject: [Freeipa-devel] [freeipa PR#104][synchronized] Backport XMLRPC test fixes to ipa-4-3 branch
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/104
Author: martbab
Title: #104: Backport XMLRPC test fixes to ipa-4-3 branch
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/104/head:pr104
git checkout pr104

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-104.patch
Type: text/x-diff
Size: 4166 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 22 11:14:11 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Sep 2016 13:14:11 +0200
Subject: [Freeipa-devel] [freeipa PR#97][synchronized] Pylint fixes
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/97
Author: mbasti-rh
Title: #97: Pylint fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/97/head:pr97
git checkout pr97

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-97.patch
Type: text/x-diff
Size: 35310 bytes
Desc: not available
URL:

From mbasti at redhat.com Thu Sep 22 11:28:30 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 22 Sep 2016 13:28:30 +0200
Subject: [Freeipa-devel] What would break if loopback addresses were allowed for IPA server?
In-Reply-To: <20160921100144.GA7371@redhat.com>
References: <20160921100144.GA7371@redhat.com>
Message-ID: <3250132d-7e2b-54ee-8118-07db7a511025@redhat.com>

On 21.09.2016 12:01, Jan Pazdziora wrote:
> Hello,
>
> I've recently hit again the situation of the IPA installer not being happy about the provided IP address not being local to it, this time in a containerized environment:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1377973
>
> During the discussion, we came to an interesting question:
>
> What would break if loopback addresses were allowed for IPA server?
>
> Of course, the idea is that it would only be used for installation and then IPA would change its IP address in DNS to whatever is the real IP address under which it is accessible.
>
> Where does the allow_loopback=False requirement in the installer come from and what would break if it was removed altogether?
>
> Thanks,
>

I'm not aware of anything that should prevent us from having just a loopback address (installation without DNS) on the server. It is somehow weird not to have any other unicast address assigned, but the cloud world strikes. IIRC in the past there might have been an issue with some services (KDC? not sure) that cannot run with only a loopback address, but I don't think that this is an issue nowadays.

This needs investigation, please file a ticket and we may allocate human and time for this :)

Martin^2

From mbasti at redhat.com Thu Sep 22 11:41:13 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 22 Sep 2016 13:41:13 +0200
Subject: [Freeipa-devel] Suspicious IPA cert test fail after upgrade to pki-ca-10.3.5-6
Message-ID: <18a50948-bc3f-6df7-f35e-9bd0aa25e426@redhat.com>

Hello all,

The following test is failing:

______________________ test_cert_find.test_0007_find_revocation_reason_0 ______________________

self = 

    def test_0007_find_revocation_reason_0(self):
        """
        Find all certificates with revocation reason 0
        """
        res = api.Command['cert_find'](revocation_reason=0)
>       assert 'count' in res and res['count'] == 0
E       assert ('count' in {'count': 4, 'result': ({'cacn': 'ipa', 'issuer': 'CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.C....BRQ.REDHAT.COM', 'revoked': True, 'serial_number': 85, ...}), 'summary': '4 certificates matched', 'truncated': False} and 4 == 0)

test_xmlrpc/test_cert_plugin.py:302: AssertionError
========================== 1 failed, 38 passed in 10.77 seconds ==========================

Steps to reproduce:

1. upgrade to pki-ca-10.3.5-6
2. run all xmlrpc_tests (ipa-run-test test_xmlrpc)
3. ipa-run-tests test_xmlrpc/test_cert_plugin.py will always fail with the error above

The curious thing is that with pki-ca-10.3.5-1, I'm not able to reproduce this. Probably something was changed on the pki-ca side.
[root at vm-058-017 ~]# ipa cert-find --revocation-reason=0
----------------------
4 certificates matched
----------------------
  Issuing CA: ipa
  Subject: CN=crud subca test,O=crud testing inc
  Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Serial number: 78
  Serial number (hex): 0x4E
  Status: REVOKED
  Revoked: True

  Issuing CA: ipa
  Subject: CN=crud subca test,O=crud testing inc
  Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Serial number: 79
  Serial number (hex): 0x4F
  Status: REVOKED
  Revoked: True

  Issuing CA: ipa
  Subject: CN=caacl test subca,O=test industries inc.
  Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Serial number: 80
  Serial number (hex): 0x50
  Status: REVOKED
  Revoked: True

  Issuing CA: ipa
  Subject: CN=SMIME CA,O=test industries Inc.
  Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Serial number: 85
  Serial number (hex): 0x55
  Status: REVOKED
  Revoked: True
----------------------------
Number of entries returned 4
----------------------------

My question is, should we update the tests, or is it a bug on the PKI-CA side?? I actually don't know why the certificates are present there, it needs more investigation.

Martin^2

From mbabinsk at redhat.com Thu Sep 22 11:56:49 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 22 Sep 2016 13:56:49 +0200
Subject: [Freeipa-devel] Suspicious IPA cert test fail after upgrade to pki-ca-10.3.5-6
In-Reply-To: <18a50948-bc3f-6df7-f35e-9bd0aa25e426@redhat.com>
References: <18a50948-bc3f-6df7-f35e-9bd0aa25e426@redhat.com>
Message-ID:

On 09/22/2016 01:41 PM, Martin Basti wrote:
> Hello all,
>
>
> Following test is failing:
>
>
> ______________________ test_cert_find.test_0007_find_revocation_reason_0 ______________________
>
>
> self = 0x7f1bf4532f90>
>
>     def test_0007_find_revocation_reason_0(self):
>         """
>         Find all certificates with revocation reason 0
>         """
>         res = api.Command['cert_find'](revocation_reason=0)
>>        assert 'count' in res and res['count'] == 0
> E       assert ('count' in {'count': 4, 'result': ({'cacn': 'ipa', 'issuer': 'CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.C....BRQ.REDHAT.COM', 'revoked': True, 'serial_number': 85, ...}), 'summary': '4 certificates matched', 'truncated': False} and 4 == 0)
>
> test_xmlrpc/test_cert_plugin.py:302: AssertionError
> ========================== 1 failed, 38 passed in 10.77 seconds ==========================
>
>
>
> Steps to reproduce:
>
> 1. upgrade to pki-ca-10.3.5-6
>
> 2. run all xmlrpc_tests (ipa-run-test test_xmlrpc)
>
> 3. ipa-run-tests test_xmlrpc/test_cert_plugin.py will always fail with error above
>
>
> The curious thing is that with pki-ca-10.3.5-1, I'm not able to reproduce this. Probably something was changed on pki-ca side.
> > [root at vm-058-017 ~]# ipa cert-find --revocation-reason=0 > ---------------------- > 4 certificates matched > ---------------------- > Issuing CA: ipa > Subject: CN=crud subca test,O=crud testing inc > Issuer: CN=Certificate > Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM > Serial number: 78 > Serial number (hex): 0x4E > Status: REVOKED > Revoked: True > > Issuing CA: ipa > Subject: CN=crud subca test,O=crud testing inc > Issuer: CN=Certificate > Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM > Serial number: 79 > Serial number (hex): 0x4F > Status: REVOKED > Revoked: True > > Issuing CA: ipa > Subject: CN=caacl test subca,O=test industries inc. > Issuer: CN=Certificate > Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM > Serial number: 80 > Serial number (hex): 0x50 > Status: REVOKED > Revoked: True > > Issuing CA: ipa > Subject: CN=SMIME CA,O=test industries Inc. > Issuer: CN=Certificate > Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM > Serial number: 85 > Serial number (hex): 0x55 > Status: REVOKED > Revoked: True > ---------------------------- > Number of entries returned 4 > ---------------------------- > > My question is, should we update tests, or is it a bug on PKI-CA side?? > I actually dont know why certificates are present there, it needs more > investigation. > > > Martin^2 > > > Seeing that all the certs are actually intermediary CA certs and seeing the following line: """ - PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA deletion (ftweedal) """ in pki-core 10.3.5-6 release notes, I would guess that these are leftover certificates from sub-CA tests which were previously just sitting there but are now marked as revoked with reason 0 - unspecified (as a side note, shouldn't there be different reason, i.e. 5 -cessationOfOperation?). Seems like we need to fix our tests to cleanup sub-CA certificates as well, should I open a ticket for this? 
-- Martin^3 Babinsky From mbasti at redhat.com Thu Sep 22 12:06:42 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 22 Sep 2016 14:06:42 +0200
Subject: [Freeipa-devel] Suspicious IPA cert test fail after upgrade to pki-ca-10.3.5-6
In-Reply-To:
References: <18a50948-bc3f-6df7-f35e-9bd0aa25e426@redhat.com>
Message-ID:

On 22.09.2016 13:56, Martin Babinsky wrote:
> On 09/22/2016 01:41 PM, Martin Basti wrote:
>> Hello all,
>>
>> Following test is failing:
>>
>> ________________________________________________________________________________
>> test_cert_find.test_0007_find_revocation_reason_0
>> ________________________________________________________________________________
>>
>> self = > 0x7f1bf4532f90>
>>
>>     def test_0007_find_revocation_reason_0(self):
>>         """
>>         Find all certificates with revocation reason 0
>>         """
>>         res = api.Command['cert_find'](revocation_reason=0)
>> >       assert 'count' in res and res['count'] == 0
>> E       assert ('count' in {'count': 4, 'result': ({'cacn': 'ipa',
>> 'issuer': 'CN=Certificate
>> Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.C....BRQ.REDHAT.COM',
>> 'revoked': True, 'serial_number': 85, ...}), 'summary': '4 certificates
>> matched', 'truncated': False} and 4 == 0)
>>
>> test_xmlrpc/test_cert_plugin.py:302: AssertionError
>> ======================================================================================
>> 1 failed, 38 passed in 10.77 seconds
>> =======================================================================================
>>
>> Steps to reproduce:
>>
>> 1. upgrade to pki-ca-10.3.5-6
>>
>> 2. run all xmlrpc_tests (ipa-run-test test_xmlrpc)
>>
>> 3. ipa-run-tests test_xmlrpc/test_cert_plugin.py will always fail with
>> error above
>>
>> The curious thing is that with pki-ca-10.3.5-1, I'm not able to
>> reproduce this. Probably something was changed on pki-ca side.
>>
>> [root@vm-058-017 ~]# ipa cert-find --revocation-reason=0
>> ----------------------
>> 4 certificates matched
>> ----------------------
>>   Issuing CA: ipa
>>   Subject: CN=crud subca test,O=crud testing inc
>>   Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>   Serial number: 78
>>   Serial number (hex): 0x4E
>>   Status: REVOKED
>>   Revoked: True
>>
>>   Issuing CA: ipa
>>   Subject: CN=crud subca test,O=crud testing inc
>>   Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>   Serial number: 79
>>   Serial number (hex): 0x4F
>>   Status: REVOKED
>>   Revoked: True
>>
>>   Issuing CA: ipa
>>   Subject: CN=caacl test subca,O=test industries inc.
>>   Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>   Serial number: 80
>>   Serial number (hex): 0x50
>>   Status: REVOKED
>>   Revoked: True
>>
>>   Issuing CA: ipa
>>   Subject: CN=SMIME CA,O=test industries Inc.
>>   Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>   Serial number: 85
>>   Serial number (hex): 0x55
>>   Status: REVOKED
>>   Revoked: True
>> ----------------------------
>> Number of entries returned 4
>> ----------------------------
>>
>> My question is, should we update tests, or is it a bug on PKI-CA side??
>> I actually don't know why certificates are present there, it needs more
>> investigation.
>>
>> Martin^2
>>
> Seeing that all the certs are actually intermediary CA certs and
> seeing the following line:
>
> """
> - PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA
> deletion (ftweedal)
> """
>
> in pki-core 10.3.5-6 release notes, I would guess that these are
> leftover certificates from sub-CA tests which were previously just
> sitting there but are now marked as revoked with reason 0 -
> unspecified (as a side note, shouldn't there be a different reason, i.e.
> 5 - cessationOfOperation?).
>
> Seems like we need to fix our tests to clean up sub-CA certificates as
> well, should I open a ticket for this?
>

Yes please, thank you

From freeipa-github-notification at redhat.com Thu Sep 22 12:07:18 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Thu, 22 Sep 2016 14:07:18 +0200
Subject: [Freeipa-devel] [freeipa PR#97][comment] Pylint fixes
In-Reply-To:
References:
Message-ID:

  URL: https://github.com/freeipa/freeipa/pull/97
Title: #97: Pylint fixes

tomaskrizek commented:
"""
Please fix the typo.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/97#issuecomment-248884825

From freeipa-github-notification at redhat.com Thu Sep 22 12:47:10 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Sep 2016 14:47:10 +0200
Subject: [Freeipa-devel] [freeipa PR#105][opened] Test: don't use global variable for iteration in test_cert_plugin
Message-ID:

   URL: https://github.com/freeipa/freeipa/pull/105
Author: mbasti-rh
 Title: #105: Test: don't use global variable for iteration in test_cert_plugin
Action: opened

PR body:
"""
Iteration over global variable causes unwanted value changes outside method

https://fedorahosted.org/freeipa/ticket/5755
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/105/head:pr105
git checkout pr105
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-105.patch
Type: text/x-diff
Size: 1184 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 22 12:55:30 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Sep 2016 14:55:30 +0200
Subject: [Freeipa-devel] [freeipa PR#97][synchronized] Pylint fixes
In-Reply-To:
References:
Message-ID:

   URL: https://github.com/freeipa/freeipa/pull/97
Author: mbasti-rh
 Title: #97: Pylint fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/97/head:pr97
git checkout pr97
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-97.patch
Type: text/x-diff
Size: 41518 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 22 12:59:39 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Sep 2016 14:59:39 +0200
Subject: [Freeipa-devel] [freeipa PR#97][synchronized] Pylint fixes
In-Reply-To:
References:
Message-ID:

   URL: https://github.com/freeipa/freeipa/pull/97
Author: mbasti-rh
 Title: #97: Pylint fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/97/head:pr97
git checkout pr97
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-97.patch
Type: text/x-diff
Size: 35210 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 22 13:20:01 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 22 Sep 2016 15:20:01 +0200
Subject: [Freeipa-devel] [freeipa PR#105][+ack] Test: don't use global variable for iteration in test_cert_plugin
In-Reply-To:
References:
Message-ID:

  URL: https://github.com/freeipa/freeipa/pull/105
Title: #105: Test: don't use global variable for iteration in test_cert_plugin

Label: +ack

From dkupka at redhat.com Thu Sep 22 13:23:01 2016
From: dkupka at redhat.com (David Kupka)
Date: Thu, 22 Sep 2016 15:23:01 +0200
Subject: [Freeipa-devel] [PATCH] ca-less tests updated
In-Reply-To:
References: <56337745.109@redhat.com> <563B091B.3010501@redhat.com> <563B6A96.8090606@redhat.com> <563BABEC.8080304@redhat.com> <563C5B1A.1090803@redhat.com> <563C5E6D.4060307@redhat.com> <563CA575.1030808@redhat.com> <567176A2.1000901@redhat.com> <5707C431.6070702@redhat.com> <570E1E70.6060309@redhat.com> <5715F6B5.3070003@redhat.com> <57173F56.5020308@redhat.com> <5731F951.1020700@redhat.com> <57A99B02.1010507@redhat.com> <84a03933-9820-2c63-ef7b-1cf63a44e3a9@redhat.com> <4b1365a2-c140-4aa4-baf9-9c7a6953c7f8@redhat.com> <5dee6817-b758-3694-16e6-a9e99cd2f838@redhat.com> <86705758-a778-665c-8480-a2f127ead97c@redhat.com>
Message-ID: <3bb59d39-73d6-6756-99a3-d22777028135@redhat.com>

Hi Oleg!

As we discussed this morning there are still some issues [1][2] but I think
the patch set is in reasonably good state and I'm not sure that the issues
are bugs in IPA or in tests. This can be investigated and fixed later.

ACK.

Pushed to master:
* bbac233b5ee487ab0e035cf0b861144769a0b738 tests: Fixed method failures during second call for the method
* 2f6ffa326adb4d4e9152463ffa733d559f7be2af tests: Added basic constraints extension to the CA certs
* 0c635686ddc6dbba54285a9c7844e12342083b9b tests: Added generation of missing certs
* 38ad864342bb3fcbf65397b763c240f034f3e2c7 tests: Updated ipa server installation stdin text
* c0e16aa3b9c380fb7936dc18c4bfc04e7f8327b5 tests: Create a method that cleans all ipa certs
* 48ca465a12a91977eb57bb791cf0b098e5e5a4b3 tests: Added teardown methods for server and replica installation
* 725d8d0cac16f6a41ad54ae319e3822d44047031 tests: Removed call for install method from parent class
* fad6ec8256a97fbf06b3e4509d93af1d159e6b81 tests: Adapted installation methods to utilize methods from tasks
* 84db13f676771746f9ab7769073837a29f6de464 tests: Fixed incorrect assert in verify_installation
* a81d8472042f4909020c073ecb00a37d8e05ec33 tests: Applied correct teardown methods
* 759bbcdfcbeade91c77b201c439c939d6477cd08 tests: Removed outdated command options test
* d17d13d77a7c09cbc99c8bb0a3f7af3b72da8aca tests: Added necessary getkeytabs calls to fixtures
* 24f218f4ebe203213eebede59ff79b89c657ee76 tests: Added necessary xfails
* e0b67dfa7e957cc134043b265b87ed71bb09a7d3 tests: Updated master and replica installation methods to enable negative testing
* 9217bcc871468615110c85b1131b62735f9e5092 tests: Made unapply_fixes call optional at master uninstallation
* bb4205b582038669888544786a5611b18e52bf42 tests: Enabled negative testing for cleaning replication agreements
* dbf0d141c5a4d1ccd1b681ac49cb57e47234aaa4 tests: Replaced hardcoded certutil with imported from paths
* b8cf212e8bbe301f6d44551ecac063d12a042520 tests: Replaced unused setUp method with install
* 804aae81966f23e307ec86364489f808fd0c3357 tests: fixed expects of incorrect error messages
* 43994e669743bb8f54e32b52f2410ebde3660f04 tests: Fixed Usage of improper certs in ca-less tests
* b8968d923cedbbeb931c3ed33b81b299a55baf4a tests: Implemented check for domainlevel before installation verification
* 106f37c26f64492f771214409d229feb5d70a113 tests: Standardized replica_preparation in test_no_certs
* 8be0906b04bbf995af6326b560151d15901b544e tests: added verbose assert to test_service_disable_doesnt_revoke
* f1f94a7b9fe354d93f31ce8cd606d985dd44703b tests: fixed super method invocation
* 7412f0cb20801e1608f8cf388210e57ef7d27497 tests: fixed certinstall method
* 9870c5804a65ae320ebbcb313f8facb21963f710 tests: Reverted erroneous asserts in 4 tests
* 47c808afa35f0708ca00ac8e98851c9f8d75badc tests: Fixed code styling in caless tests to make pep8 happy

[1] https://fedorahosted.org/freeipa/ticket/6346
[2] https://fedorahosted.org/freeipa/ticket/6348

On 22/09/16 12:55, Oleg Fayans wrote:
> Fixed patch N 41
>
> On 09/21/2016 04:21 PM, Oleg Fayans wrote:
>> Patch-0076 rebased to current master
>>
>> On 09/21/2016 02:41 PM, Oleg Fayans wrote:
>>> Hi David,
>>>
>>> As per your comments the patches were once again refactored. I am
>>> attaching the full set of them, please ignore any previous versions
>>> The patches apply cleanly on master and pylint swallows the resulting
>>> code silently
>>>
>>> On 09/12/2016 09:51 AM, David Kupka wrote:
>>>> Hi Oleg,
>>>> thank you, now it's a completely different game.
>>>> Please add prefix to commit message summaries. Simply prepending
>>>> "tests: " should be OK.
>>>>
>>>> 0041 - -h is deprecated in favor of -H.
>>>> 0062 - 0068 - LGTM
>>>> 0069 - I see 2 unrelated changes in the patch, please split them:
>>>>   - 1 - certutil -> paths.CERTUTIL
>>>>   - 2 - assert
>>>> 0070 - I see 2 unrelated changes in the patch, please split them:
>>>>   - 1 - teardown
>>>>   - 2 - TestReplicaInstall.setUp -> TestReplicaInstall.install
>>>> 0071 - typos in commit message, I see 5 unrelated changes in that
>>>> patch:
>>>>   - 1 - error messages in assert
>>>>   - 2 - certificates used
>>>>   - 3 - verify_installation called only in DOMAIN_LEVEL_0.
>>>>   - 4 - TestCertinstall.install
>>>>   - 5 - TestCertinstall.certinstall
>>>> 0072 - 0077 - LGTM
>>>>
>>>> On 09/09/16 15:22, Oleg Fayans wrote:
>>>>> Hi David, team
>>>>>
>>>>> According to your suggestions I've split my commits so that each
>>>>> commit addresses some particular problem. One patch (0071) still
>>>>> contains several unrelated fixes, but they mostly reflect changes in
>>>>> error messages and really small but numerous bugfixes that I did not
>>>>> consider worthy of a separate commit each. Please, whenever you have a
>>>>> free time take a look at this new bunch of patches.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> On 09/06/2016 04:41 PM, David Kupka wrote:
>>>>>> Hi Oleg!
>>>>>>
>>>>>> 0013 - It looks like there are two unrelated changes, addition of CRL
>>>>>> distribution extension and creating certificate signed by no longer
>>>>>> existing CA. Please create separate patch for each of the changes,
>>>>>> and describe the change and reason for it in commit messages.
>>>>>>
>>>>>> 0014 - Could you please split the patch to "numerous" commits each
>>>>>> fixing one error? Please also describe each fix so everyone has at
>>>>>> least a vague idea about the patch without reading its code. Also why
>>>>>> do you introduce global variable config, I don't see it used anywhere.
>>>>>>
>>>>>> 0039 - It looks like multiple different changes and commit message
>>>>>> says nothing again. Please split and describe what did you change
>>>>>> and why.
>>>>>>
>>>>>> 0041 - Looks like weird workaround to me. It would be better to
>>>>>> investigate the root cause and fix it. Or at least describe the
>>>>>> cause in commit message and code comment if it can't be fixed. Also
>>>>>> "-h is deprecated in favor of -H" says man 1 ldapmodify.
>>>>>>
>>>>>>
>>>>>> On 05/09/16 14:32, Oleg Fayans wrote:
>>>>>>> Hi guys,
>>>>>>>
>>>>>>> Finally the ca-less tests are stable. Here in the attachment is the
>>>>>>> full set of necessary patches.
>>>>>>>
>>>>>>>
>>>>>>> On 08/09/2016 10:57 AM, Oleg Fayans wrote:
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> Bump for the review of the 0013 patch. The script it addresses
>>>>>>>> can be reused in some WebUI tests - one more reason to have it
>>>>>>>> reviewed/merged
>>>>>>>>
>>>>>>>> The rest patches should be re-tested, since they were prepared a
>>>>>>>> good while ago
>>>>>>>>
>>>>>>>> On 05/10/2016 05:08 PM, Oleg Fayans wrote:
>>>>>>>>> Hi David,
>>>>>>>>>
>>>>>>>>> After quite a while and some more struggles here comes the updated
>>>>>>>>> version of the patch together with other patches fixing things in
>>>>>>>>> ipatests/test_integration/tasks.py
>>>>>>>>> Server and replica installation was refactored in a way to utilize
>>>>>>>>> the code from tasks.py as much as it is possible
>>>>>>>>>
>>>>>>>>> The full set of necessary patches is attached
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 04/20/2016 10:35 AM, David Kupka wrote:
>>>>>>>>>> On 19/04/16 11:13, Oleg Fayans wrote:
>>>>>>>>>>> OK, that one, though passing lint, did not actually work. I gave
>>>>>>>>>>> up my attempts to define method decorators inside the class. Now
>>>>>>>>>>> it passes lint AND works:)
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hi Oleg!
>>>>>>>>>>
>>>>>>>>>> 1) Current commit message is useless. Please use it to describe
>>>>>>>>>> what is the point of the patch.
>>>>>>>>>>
>>>>>>>>>> 2) $ git show -U0 | pep8 --diff
>>>>>>>>>> ./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank lines, found 1
>>>>>>>>>> ./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank lines, found 1
>>>>>>>>>> ./ipatests/test_integration/test_caless.py:820:5: E303 too many blank lines (2)
>>>>>>>>>> ./ipatests/test_integration/test_caless.py:825:80: E501 line too long (80 > 79 characters)
>>>>>>>>>> ./ipatests/test_integration/test_caless.py:1035:44: E225 missing whitespace around operator
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 3) Isn't there a way to do this with pytest's fixtures?
>>>>>>>>>>
>>>>>>>>>>> +def server_install_teardown(func):
>>>>>>>>>>> + def wrapped(*args):
>>>>>>>>>>> + try:
>>>>>>>>>>> + func(*args)
>>>>>>>>>>> + finally:
>>>>>>>>>>> + args[0].uninstall_server()
>>>>>>>>>>> + return wrapped
>>>>>>>>>>> +
>>>>>>>>>>> +def replica_install_teardown(func):
>>>>>>>>>>> + def wrapped(*args):
>>>>>>>>>>> + try:
>>>>>>>>>>> + func(*args)
>>>>>>>>>>> + finally:
>>>>>>>>>>> + # Uninstall replica
>>>>>>>>>>> + replica = args[0].replicas[0]
>>>>>>>>>>> + tasks.kinit_admin(args[0].master)
>>>>>>>>>>> + args[0].uninstall_server(replica)
>>>>>>>>>>> + args[0].master.run_command(['ipa-replica-manage',
>>>>>>>>>>> 'del',
>>>>>>>>>>> + replica.hostname,
>>>>>>>>>>> '--force'],
>>>>>>>>>>> + raiseonerr=False)
>>>>>>>>>>> + args[0].master.run_command(['ipa', 'host-del',
>>>>>>>>>>> + replica.hostname],
>>>>>>>>>>> + raiseonerr=False)
>>>>>>>>>>> + return wrapped
>>>>>>>>>>> +
>>>>>>>>>
>>>>>>>>> There is a standard pytest method called 'method_teardown',
>>>>>>>>> that is intended to be executed after each test method, but with
>>>>>>>>> our setup it does not work.
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 4) Is it necessary to create the $TEST_DIR in the test? Isn't it
>>>>>>>>>> created by the framework?
>>>>>>>>>>
>>>>>>>>>>> + host.transport.mkdir_recursive(host.config.test_dir)
>>>>>>>>>>
>>>>>>>>> Removed.
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 5) I don't think the comment matches the code.
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> + # Remove CA cert in /etc/pki/nssdb, in case of failed
>>>>>>>>>>> (un)install
>>>>>>>>>>> + for host in cls.get_all_hosts():
>>>>>>>>>>> + cls.uninstall_server(host)
>>>>>>>>>>> +
>>>>>>>>>>> super(CALessBase, cls).uninstall(mh)
>>>>>>>>>>
>>>>>>>>> Not actual anymore
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 6) No! Create list with one element, iterate that list and append
>>>>>>>>>> every item to the other list. Maybe there's a better way (Hint:
>>>>>>>>>> append). I've seen this in multiple places.
>>>>>>>>>>
>>>>>>>>>>> if unattended:
>>>>>>>>>>> args.extend(['-U'])
>>>>>>>>>
>>>>>>>>> Agreed
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 7) Why don't you (extend and) use
>>>>>>>>>> ipatests.test_integaration.tasks.(un)install_{master,replica}?
>>>>>>>>>> This could be done pretty much all over the code.
>>>>>>>>>>
>>>>>>>>>>> host.run_command(['ipa-server-install',
>>>>>>>>>>> '--uninstall',
>>>>>>>>>>> '-U'])
>>>>>>>>>>
>>>>>>>>>> 8) Use ipaplatform.paths for certutil and other binaries. If the
>>>>>>>>>> binary is not there feel free to add it.
>>>>>>>>>> I've seen this in multiple places.
>>>>>>>>>>
>>>>>>>>>>> + host.run_command(['certutil', '-d', paths.NSS_DB_DIR,
>>>>>>>>>>> '-D',
>>>>>>>>>>> + '-n', 'External CA cert'],
>>>>>>>>>>> + raiseonerr=False)
>>>>>>>>>>> + # A workaround
>>>>>>>>>>> forhttps://fedorahosted.org/freeipa/ticket/4639
>>>>>>>>>>> + result = host.run_command(['certutil', '-L', '-d',
>>>>>>>>>>> + paths.HTTPD_ALIAS_DIR])
>>>>>>>>>>> + for rawcert in result.stdout_text.split('\n')[4: -1]:
>>>>>>>>>>> + cert = rawcert.split(' ')[0]
>>>>>>>>>>> + host.run_command(['certutil', '-D', '-d',
>>>>>>>>>>> paths.HTTPD_ALIAS_DIR,
>>>>>>>>>>> + '-n', cert])
>>>>>>>>>>>
>>>>>>>>> Done
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 9) certmonger is a system service. You can check if it is
>>>>>>>>>> .enabled() and .running(). And IIUC the comment is the negation
>>>>>>>>>> of what the code does.
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> # Verify certmonger was not started
>>>>>>>>>>> result = host.run_command(['getcert', 'list'],
>>>>>>>>>>> raiseonerr=False)
>>>>>>>>>>> - assert result > 0
>>>>>>>>>>> - assert ('Please verify that the certmonger service
>>>>>>>>>>> has
>>>>>>>>>>> been '
>>>>>>>>>>> - 'started.' in result.stdout_text),
>>>>>>>>>>> result.stdout_text
>>>>>>>>>>> + assert result.returncode == 0
>>>>>>>>>>
>>>>>>>>>> 10) What is the point of calling uninstall_server() when it
>>>>>>>>>> will be called in the finally block of server_install_teardown
>>>>>>>>>> anyway?
>>>>>>>>>>
>>>>>>>>>>> + @server_install_teardown
>>>>>>>>>>> def test_revoked_http(self):
>>>>>>>>>>> "IPA server install with revoked HTTP certificate"
>>>>>>>>>>>
>>>>>>>>>>> if result.returncode == 0:
>>>>>>>>>>> + self.uninstall_server()
>>>>>>>>>>> raise nose.SkipTest(
>>>>>>>>>>> "Known CA-less installation defect, see "
>>>>>>>>>>>
>>>>>>>>>>> +"https://fedorahosted.org/freeipa/ticket/4270")
>>>>>>>>>>>
>>>>>>>>>>> assert result.returncode > 0
>>>>>>>>>>>
>>>>>>>>> Removed
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Nitpick) Do not mix fixing typos/grammar/spelling/style with
>>>>>>>>>> functional changes.
>>>>>>>>>>
>>>>>>>>>>> - def test_incorect_http_pin(self):
>>>>>>>>>>> + @pytest.mark.xfail(reason='freeipa ticket 5378')
>>>>>>>>>>> + def test_incorrect_http_pin(self):
>>>>>>>>>>> "Install new HTTP certificate with incorrect PKCS#12
>>>>>>>>>>> password"
>>>>>>>>>
>>>>>>>>> Removed
>>>>>>>>>

-- 
David Kupka

From freeipa-github-notification at redhat.com Thu Sep 22 13:23:18 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 22 Sep 2016 15:23:18 +0200
Subject: [Freeipa-devel] [freeipa PR#105][+pushed] Test: don't use global variable for iteration in test_cert_plugin
In-Reply-To:
References:
Message-ID:

  URL: https://github.com/freeipa/freeipa/pull/105
Title: #105: Test: don't use global variable for iteration in test_cert_plugin

Label: +pushed

From freeipa-github-notification at redhat.com Thu Sep 22 13:23:19 2016
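Review bot: in the quoted `server_install_teardown`/`replica_install_teardown` hunk, the inner `def wrapped(*args)` accepts positional arguments only and does not preserve the decorated test's name or docstring, so a test invoked with keyword arguments would raise TypeError and test reports would show every wrapped test as `wrapped`; declare it as `def wrapped(*args, **kwargs)`, pass `**kwargs` through to `func`, and decorate it with `functools.wraps(func)`. Both decorators also duplicate the same try/finally scaffolding that a pytest fixture with teardown would provide, which is the alternative item 3 asks about.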
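Review bot: in the quoted certutil cleanup hunk, `result.stdout_text.split('\n')[4: -1]` hard-codes a four-line header and one trailing line for `certutil -L` output, and `rawcert.split(' ')[0]` truncates any nickname that contains a space (the same hunk deletes a nickname `'External CA cert'` that does), so the loop can silently skip or misname certificates; the comment `# A workaround forhttps://...` is also missing a space. Splitting each line from the right to drop only the trust-flags column (for example `rawcert.rstrip().rsplit(None, 1)[0]`) is more robust, and the literal `'certutil'` should become `paths.CERTUTIL`, as item 8 requests.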
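Review bot: in the quoted `getcert list` hunk, the replacement `assert result.returncode == 0` asserts that getcert succeeded while the comment directly above it still reads `# Verify certmonger was not started`, so the code and its comment now contradict each other (item 9 notes the same); either update the comment to state what the test now expects or restore a check that matches it, and keep an assertion message such as the original `result.stdout_text` so a failure shows the actual output.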
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 22 Sep 2016 15:23:19 +0200
Subject: [Freeipa-devel] [freeipa PR#105][comment] Test: don't use global variable for iteration in test_cert_plugin
In-Reply-To:
References:
Message-ID:

  URL: https://github.com/freeipa/freeipa/pull/105
Title: #105: Test: don't use global variable for iteration in test_cert_plugin

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/929086e0992cc32a654b4dfa435f536ecb0c665b
"""

See the full comment at https://github.com/freeipa/freeipa/pull/105#issuecomment-248901967

From freeipa-github-notification at redhat.com Thu Sep 22 13:23:21 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 22 Sep 2016 15:23:21 +0200
Subject: [Freeipa-devel] [freeipa PR#105][closed] Test: don't use global variable for iteration in test_cert_plugin
In-Reply-To:
References:
Message-ID:

   URL: https://github.com/freeipa/freeipa/pull/105
Author: mbasti-rh
 Title: #105: Test: don't use global variable for iteration in test_cert_plugin
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/105/head:pr105
git checkout pr105

From freeipa-github-notification at redhat.com Thu Sep 22 13:39:07 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Thu, 22 Sep 2016 15:39:07 +0200
Subject: [Freeipa-devel] [freeipa PR#97][+ack] Pylint fixes
In-Reply-To:
References:
Message-ID:

  URL: https://github.com/freeipa/freeipa/pull/97
Title: #97: Pylint fixes

Label: +ack

From freeipa-github-notification at redhat.com Thu Sep 22 14:04:07 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Sep 2016 16:04:07 +0200
Subject: [Freeipa-devel] [freeipa PR#97][synchronized] Pylint fixes
In-Reply-To:
References:
Message-ID:

   URL: https://github.com/freeipa/freeipa/pull/97
Author: mbasti-rh
 Title: #97: Pylint fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/97/head:pr97
git checkout pr97
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-97.patch
Type: text/x-diff
Size: 34475 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 22 14:05:17 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Sep 2016 16:05:17 +0200
Subject: [Freeipa-devel] [freeipa PR#97][comment] Pylint fixes
In-Reply-To:
References:
Message-ID:

  URL: https://github.com/freeipa/freeipa/pull/97
Title: #97: Pylint fixes

mbasti-rh commented:
"""
I had to rebase, there were conflicts due to the latest pushed patches
"""

See the full comment at https://github.com/freeipa/freeipa/pull/97#issuecomment-248913108

From mbasti at redhat.com Thu Sep 22 14:39:08 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 22 Sep 2016 16:39:08 +0200
Subject: [Freeipa-devel] pylint: remove unused variables
Message-ID:

Hello all,

In 4.5, I would like to remove all unused variables from code and enable
pylint check. Due to the big amount of unused variables in the code this
will be a long-term effort.

Why this?:

* better code readability

* removing dead code

* unused variable may uncover potential bug


It is clear what to do with unused assignments, but I need an agreement
what to do with unpacking or iteration with unused variables


For example:

    for name, surname, gender in (('Martin', 'Basti', 'M'), ):

    name, surname, gender = user['mbasti']

Where 'surname' is unused


Pylint will detect surname as unused variable and we have to agree on a
way how to tell pylint that this variable is unused on purpose:


1)

    (
        name,
        surname,  # pylint: disable=unused-variable
        gender
    ) = user['mbasti']

I don't like this approach


2)

Use defined keyword: 'dummy' is default in pylint, we can set our own,
like ignored, unused

    name, dummy, gender = user['mbasti']


3)

use a prefix for unused variables: '_' or 'ignore_'

    name, _surname, gender = user['mbasti']


4)

we can combine all :)


For me the best is to have prefix '_' and 'dummy' keyword


As first step I'll enable pylint check and disable it locally per module
where unused variables are, to avoid new regressions. Then I will fix it
module by module.


I'm open to suggestions

Martin^2

From freeipa-github-notification at redhat.com Thu Sep 22 14:53:21 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Sep 2016 16:53:21 +0200
Subject: [Freeipa-devel] [freeipa PR#97][+pushed] Pylint fixes
In-Reply-To:
References:
Message-ID:

  URL: https://github.com/freeipa/freeipa/pull/97
Title: #97: Pylint fixes

Label: +pushed

From freeipa-github-notification at redhat.com Thu Sep 22 14:53:23 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Sep 2016 16:53:23 +0200
Subject: [Freeipa-devel] [freeipa PR#97][comment] Pylint fixes
In-Reply-To:
References:
Message-ID:

  URL: https://github.com/freeipa/freeipa/pull/97
Title: #97: Pylint fixes

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/36484e8672f5ee1fdc2bd57622e330ab8dbb7671
https://fedorahosted.org/freeipa/changeset/275e85d076607ce317b3aeca467167fac55bf396
https://fedorahosted.org/freeipa/changeset/cdecbcd0a175e010057beae6f7fb74fd67856ca1
https://fedorahosted.org/freeipa/changeset/568f9da331af14e5f05764c46f51a0410da1e49c
https://fedorahosted.org/freeipa/changeset/9bc57a01e1c0942e1a94ac0d948c8c5f8c0d4dcc
https://fedorahosted.org/freeipa/changeset/f252f50987cfb1234671ca1742c11a0eebe8633c
https://fedorahosted.org/freeipa/changeset/8420d04f383b958660934ccf3c7c3bf9b27ac30c
https://fedorahosted.org/freeipa/changeset/71b3352ad0e0aa105c90e490a41645dfcc46ce87
"""

See the full comment at https://github.com/freeipa/freeipa/pull/97#issuecomment-248927333

From freeipa-github-notification at redhat.com Thu Sep 22 14:53:24 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Sep 2016 16:53:24 +0200
Subject: [Freeipa-devel] [freeipa PR#97][closed] Pylint fixes
In-Reply-To:
References:
Message-ID:

   URL: https://github.com/freeipa/freeipa/pull/97
Author: mbasti-rh
 Title: #97: Pylint fixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/97/head:pr97
git checkout pr97

From freeipa-github-notification at redhat.com Thu Sep 22 14:57:43 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Sep 2016 16:57:43 +0200
Subject: [Freeipa-devel] [freeipa PR#106][opened] Pylint: enable additional checks
Message-ID:

   URL: https://github.com/freeipa/freeipa/pull/106
Author: mbasti-rh
 Title: #106: Pylint: enable additional checks
Action: opened

PR body:
"""
Enabling:
* cyclic-imports
* global-variable-not-assigned
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/106/head:pr106
git checkout pr106
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-106.patch
Type: text/x-diff
Size: 5096 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Sep 22 15:40:53 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Thu, 22 Sep 2016 17:40:53 +0200
Subject: [Freeipa-devel] [freeipa PR#107][opened] Update man/help for --server option
Message-ID:

   URL: https://github.com/freeipa/freeipa/pull/107
Author: tomaskrizek
 Title: #107: Update man/help for --server option
Action: opened

PR body:
"""
The --server option now specifically mentions that it expects the FQDN of the IPA server.

https://fedorahosted.org/freeipa/ticket/6202
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/107/head:pr107
git checkout pr107
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-107.patch
Type: text/x-diff
Size: 4618 bytes
Desc: not available
URL:

From tkrizek at redhat.com Thu Sep 22 15:59:00 2016
From: tkrizek at redhat.com (Tomas Krizek)
Date: Thu, 22 Sep 2016 17:59:00 +0200
Subject: [Freeipa-devel] pylint: remove unused variables
In-Reply-To:
References:
Message-ID:

On 09/22/2016 04:39 PM, Martin Basti wrote:
> Hello all,
>
> In 4.5, I would like to remove all unused variables from code and
> enable pylint check. Due to the big amount of unused variables in the code
> this will be a long-term effort.
>
> Why this?:
>
> * better code readability
>
> * removing dead code
>
> * unused variable may uncover potential bug
>
>
> It is clear what to do with unused assignments, but I need an
> agreement what to do with unpacking or iteration with unused variables
>
>
> For example:
>
> for name, surname, gender in (('Martin', 'Basti', 'M'), ):
>
> name, surname, gender = user['mbasti']
>
> Where 'surname' is unused
>
>
> Pylint will detect surname as unused variable and we have to agree on
> a way to tell pylint that this variable is unused on purpose:
>
>
> 1)
>
> (
>
> name,
>
> surname, # pylint: disable=unused-variable
>
> gender
>
> ) = user['mbasti']
>
>
> I don't like this approach
>
>
> 2)
>
> Use defined keyword: 'dummy' is default in pylint, we can set our own,
> like ignored, unused
>
> name, dummy, gender = user['mbasti']
>
>
> 3)
>
> use a prefix for unused variables: '_' or 'ignore_'
>
> name, _surname, gender = user['mbasti']
>
>
> 4)
>
> we can combine all :)
>
>
> For me the best is to have prefix '_' and 'dummy' keyword
>
>
> As first step I'll enable pylint check and disable it locally per
> module where unused variables are, to avoid new regressions. Then I
> will fix it module by module.
>
>
> I'm open to suggestions
>
> Martin^2
>
I'd use a double underscore variable:

name, __, gender = user['mbasti']

It is quicker to write than _dummy and it also provides better
readability, because I can immediately identify the symbol as special.
Unlike _dummy which I have to read to understand (simply because I'm
used to _something to indicate a 'protected' variable).

--
Tomas Krizek

From mbasti at redhat.com Thu Sep 22 16:00:46 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 22 Sep 2016 18:00:46 +0200
Subject: [Freeipa-devel] pylint: remove unused variables
In-Reply-To:
References:
Message-ID:

On 22.09.2016 17:59, Tomas Krizek wrote:
> On 09/22/2016 04:39 PM, Martin Basti wrote:
>> Hello all,
>>
>> In 4.5, I would like to remove all unused variables from code and
>> enable pylint check. Due to the big amount of unused variables in the
>> code this will be a long-term effort.
>>
>> Why this?:
>>
>> * better code readability
>>
>> * removing dead code
>>
>> * unused variable may uncover potential bug
>>
>>
>> It is clear what to do with unused assignments, but I need an
>> agreement what to do with unpacking or iteration with unused variables
>>
>>
>> For example:
>>
>> for name, surname, gender in (('Martin', 'Basti', 'M'), ):
>>
>> name, surname, gender = user['mbasti']
>>
>> Where 'surname' is unused
>>
>>
>> Pylint will detect surname as unused variable and we have to agree on
>> a way to tell pylint that this variable is unused on purpose:
>>
>>
>> 1)
>>
>> (
>>
>> name,
>>
>> surname, # pylint: disable=unused-variable
>>
>> gender
>>
>> ) = user['mbasti']
>>
>>
>> I don't like this approach
>>
>>
>> 2)
>>
>> Use defined keyword: 'dummy' is default in pylint, we can set our
>> own, like ignored, unused
>>
>> name, dummy, gender = user['mbasti']
>>
>>
>> 3)
>>
>> use a prefix for unused variables: '_' or 'ignore_'
>>
>> name, _surname, gender = user['mbasti']
>>
>>
>> 4)
>>
>> we can combine all :)
>>
>>
>> For me the best is to have prefix '_' and 'dummy' keyword
>>
>>
>> As first step I'll enable pylint check and disable it locally per
>> module where unused variables are, to avoid new regressions. Then I
>> will fix it module by module.
>>
>>
>> I'm open to suggestions
>>
>> Martin^2
>>
> I'd use a double underscore variable:
>
> name, __, gender = user['mbasti']
>
> It is quicker to write than _dummy and it also provides better
> readability, because I can immediately identify the symbol as special.
> Unlike _dummy which I have to read to understand (simply because I'm
> used to _something to indicate a 'protected' variable).
>
With double underscores there is a risk that a typo will be just one
underscore and _ means ugettext in IPA :)

From tkrizek at redhat.com Thu Sep 22 16:05:10 2016
From: tkrizek at redhat.com (Tomas Krizek)
Date: Thu, 22 Sep 2016 18:05:10 +0200
Subject: [Freeipa-devel] pylint: remove unused variables
In-Reply-To:
References:
Message-ID: <3c83e5e8-503f-5206-12ef-2fff423cf0d7@redhat.com>

On 09/22/2016 06:00 PM, Martin Basti wrote:
>
>
> On 22.09.2016 17:59, Tomas Krizek wrote:
>> On 09/22/2016 04:39 PM, Martin Basti wrote:
>>> Hello all,
>>>
>>> In 4.5, I would like to remove all unused variables from code and
>>> enable pylint check. Due to the big amount of unused variables in the
>>> code this will be a long-term effort.
>>>
>>> Why this?:
>>>
>>> * better code readability
>>>
>>> * removing dead code
>>>
>>> * unused variable may uncover potential bug
>>>
>>>
>>> It is clear what to do with unused assignments, but I need an
>>> agreement what to do with unpacking or iteration with unused variables
>>>
>>>
>>> For example:
>>>
>>> for name, surname, gender in (('Martin', 'Basti', 'M'), ):
>>>
>>> name, surname, gender = user['mbasti']
>>>
>>> Where 'surname' is unused
>>>
>>>
>>> Pylint will detect surname as unused variable and we have to agree
>>> on a way to tell pylint that this variable is unused on purpose:
>>>
>>>
>>> 1)
>>>
>>> (
>>>
>>> name,
>>>
>>> surname, # pylint: disable=unused-variable
>>>
>>> gender
>>>
>>> ) = user['mbasti']
>>>
>>>
>>> I don't like this approach
>>>
>>>
>>> 2)
>>>
>>> Use defined keyword: 'dummy' is default in pylint, we can set our
>>> own, like ignored, unused
>>>
>>> name, dummy, gender = user['mbasti']
>>>
>>>
>>> 3)
>>>
>>> use a prefix for unused variables: '_' or 'ignore_'
>>>
>>> name, _surname, gender = user['mbasti']
>>>
>>>
>>> 4)
>>>
>>> we can combine all :)
>>>
>>>
>>> For me the best is to have prefix '_' and 'dummy' keyword
>>>
>>>
>>> As first step I'll enable pylint check and disable it locally per
>>> module where unused variables are, to avoid new regressions. Then I
>>> will fix it module by module.
>>>
>>>
>>> I'm open to suggestions
>>>
>>> Martin^2
>>>
>> I'd use a double underscore variable:
>>
>> name, __, gender = user['mbasti']
>>
>> It is quicker to write than _dummy and it also provides better
>> readability, because I can immediately identify the symbol as
>> special. Unlike _dummy which I have to read to understand (simply
>> because I'm used to _something to indicate a 'protected' variable).
>>
>
> With double underscores there is a risk that a typo will be just one
> underscore and _ means ugettext in IPA :)
I think pylint would detect a redefinition in that case, since this
check was added in today's PR#97:

https://github.com/freeipa/freeipa/pull/97/commits/06f35e5bdcb9f3ea42145de253674fda06b43d30

--
Tomas Krizek

From pvoborni at redhat.com Thu Sep 22 16:09:43 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 22 Sep 2016 18:09:43 +0200
Subject: [Freeipa-devel] FedoraHosted.org sunset
Message-ID: <7c333c64-919b-9cdf-f5c9-3f48f89710ec@redhat.com>

Hi all,

As you know, FedoraHosted.org will be decommissioned.
https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/

We use a Trac instance there. Let's discuss where we should migrate and
what our requirements are. Then put the results in one place.

For that I've created:
http://www.freeipa.org/page/FedoraHosted_Migration

It already contains several requirements which were discussed in other
channels.

--
Petr Vobornik

From mbasti at redhat.com Thu Sep 22 16:35:59 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 22 Sep 2016 18:35:59 +0200
Subject: [Freeipa-devel] pylint: remove unused variables
In-Reply-To: <3c83e5e8-503f-5206-12ef-2fff423cf0d7@redhat.com>
References: <3c83e5e8-503f-5206-12ef-2fff423cf0d7@redhat.com>
Message-ID:

On 22.09.2016 18:05, Tomas Krizek wrote:
> On 09/22/2016 06:00 PM, Martin Basti wrote:
>>
>>
>> On 22.09.2016 17:59, Tomas Krizek wrote:
>>> On 09/22/2016 04:39 PM, Martin Basti wrote:
>>>> Hello all,
>>>>
>>>> In 4.5, I would like to remove all unused variables from code and
>>>> enable pylint check. Due to the big amount of unused variables in the
>>>> code this will be a long-term effort.
>>>>
>>>> Why this?:
>>>>
>>>> * better code readability
>>>>
>>>> * removing dead code
>>>>
>>>> * unused variable may uncover potential bug
>>>>
>>>>
>>>> It is clear what to do with unused assignments, but I need an
>>>> agreement what to do with unpacking or iteration with unused variables
>>>>
>>>>
>>>> For example:
>>>>
>>>> for name, surname, gender in (('Martin', 'Basti', 'M'), ):
>>>>
>>>> name, surname, gender = user['mbasti']
>>>>
>>>> Where 'surname' is unused
>>>>
>>>>
>>>> Pylint will detect surname as unused variable and we have to agree
>>>> on a way to tell pylint that this variable is unused on purpose:
>>>>
>>>>
>>>> 1)
>>>>
>>>> (
>>>>
>>>> name,
>>>>
>>>> surname, # pylint: disable=unused-variable
>>>>
>>>> gender
>>>>
>>>> ) = user['mbasti']
>>>>
>>>>
>>>> I don't like this approach
>>>>
>>>>
>>>> 2)
>>>>
>>>> Use defined keyword: 'dummy' is default in pylint, we can set our
>>>> own, like ignored, unused
>>>>
>>>> name, dummy, gender = user['mbasti']
>>>>
>>>>
>>>> 3)
>>>>
>>>> use a prefix for unused variables: '_' or 'ignore_'
>>>>
>>>> name, _surname, gender = user['mbasti']
>>>>
>>>>
>>>> 4)
>>>>
>>>> we can combine all :)
>>>>
>>>>
>>>> For me the best is to have prefix '_' and 'dummy' keyword
>>>>
>>>>
>>>> As first step I'll enable pylint check and disable it locally per
>>>> module where unused variables are, to avoid new regressions. Then I
>>>> will fix it module by module.
>>>>
>>>>
>>>> I'm open to suggestions
>>>>
>>>> Martin^2
>>>>
>>> I'd use a double underscore variable:
>>>
>>> name, __, gender = user['mbasti']
>>>
>>> It is quicker to write than _dummy and it also provides better
>>> readability, because I can immediately identify the symbol as
>>> special. Unlike _dummy which I have to read to understand (simply
>>> because I'm used to _something to indicate a 'protected' variable).
>>>
>>
>> With double underscores there is a risk that a typo will be just one
>> underscore and _ means ugettext in IPA :)
> I think pylint would detect a redefinition in that case, since this
> check was added in today's PR#97:
>
> https://github.com/freeipa/freeipa/pull/97/commits/06f35e5bdcb9f3ea42145de253674fda06b43d30
>
>
So much trust in pylint :), I tested it and it passed with redefinition
of '_'. It works only for some cases.

From ftweedal at redhat.com Fri Sep 23 03:29:06 2016
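The conventions debated in this thread (the `dummy` keyword, a `_` or `ignore_` prefix for intentionally unused names, and the risk that a mistyped `__` becomes `_` and silently rebinds ugettext) can be checked mechanically. The following is an added example, not part of any message above and not FreeIPA code: a small `ast`-based checker that reports names bound inside a function but never read, honours the `dummy` and prefix exemptions, and separately flags any assignment that rebinds a module-level import alias such as `_`. The function names `analyse`, `_check_function`, `_imported_aliases`, the constants `DUMMY_NAMES` and `IGNORED_PREFIXES`, and the sample module are all constructed for this illustration.

```python
"""Minimal unused-variable / shadowed-alias checker built on the ast module.

Added example for the pylint discussion above; not FreeIPA code. It mirrors
the conventions proposed in the thread: a name is "intentionally unused" when
it is the keyword ``dummy`` (pylint's default) or starts with ``_`` or
``ignore_``. A rebinding of an imported alias (``_`` is ugettext in IPA) is
reported separately, because the prefix rule alone would hide that typo.
"""
import ast

DUMMY_NAMES = {'dummy'}                 # pylint's default dummy variable name
IGNORED_PREFIXES = ('_', 'ignore_')     # prefixes proposed in the thread


def _imported_aliases(tree):
    """Names bound at module level by import statements, e.g. ``_``."""
    aliases = set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            for alias in node.names:
                aliases.add(alias.asname or alias.name.split('.')[0])
    return aliases


def _check_function(func, imported):
    """Return (unused, shadowed) lists of (name, lineno) for one function."""
    first_store = {}
    loaded = set()
    for node in ast.walk(func):
        if isinstance(node, ast.Name):
            if isinstance(node.ctx, ast.Store):
                first_store.setdefault(node.id, node.lineno)
            elif isinstance(node.ctx, ast.Load):
                loaded.add(node.id)

    unused, shadowed = [], []
    for name, lineno in first_store.items():
        # Shadowing is checked before the prefix exemption: "_" starts with
        # "_" and would otherwise pass silently, which is exactly the typo
        # the thread worries about.
        if name in imported:
            shadowed.append((name, lineno))
        if name in loaded or name in DUMMY_NAMES:
            continue
        if name.startswith(IGNORED_PREFIXES):
            continue
        unused.append((name, lineno))
    return unused, shadowed


def analyse(source):
    """Analyse Python source text; return {'unused': [...], 'shadowed': [...]}."""
    tree = ast.parse(source)
    imported = _imported_aliases(tree)
    unused, shadowed = [], []
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            u, s = _check_function(node, imported)
            unused.extend(u)
            shadowed.extend(s)
    return {'unused': sorted(unused, key=lambda t: t[1]),
            'shadowed': sorted(shadowed, key=lambda t: t[1])}


# Constructed sample module, modelled on the examples in the thread.
SAMPLE_SOURCE = '''\
from ipalib import _   # ugettext alias, as in IPA

def describe(user):
    name, surname, gender = user      # surname is never read: reported
    first, dummy, last = user         # 'dummy' is the agreed keyword: fine
    given, _family, sex = user        # '_' prefix marks it unused: fine
    a, _, c = user                    # typo for __: rebinds ugettext _
    return name, gender, first, last, given, sex, a, c
'''

if __name__ == '__main__':
    report = analyse(SAMPLE_SOURCE)
    for name, lineno in report['unused']:
        print('line %d: unused variable %r' % (lineno, name))
    for name, lineno in report['shadowed']:
        print('line %d: %r rebinds an imported name' % (lineno, name))
```

Run as a script it reports `surname` on line 4 as unused and `_` on line 7 as rebinding the import; `analyse()` returns the same findings so the check can sit in a test. The toy does not model scopes, `global`/`nonlocal` or `del`, so it illustrates the agreed convention rather than replacing pylint's own checks.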
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 23 Sep 2016 13:29:06 +1000
Subject: [Freeipa-devel] [PATCH] 0097 Add options to write lightweight CA cert or chain to file
In-Reply-To: <20160905160506.GF11489@dhcp-40-8.bne.redhat.com>
References: <20160808070652.GJ11092@dhcp-40-8.bne.redhat.com>
 <885c4c72-6e8a-4220-b25e-f577612368d2@redhat.com>
 <20160809144716.GA23927@dhcp-40-8.bne.redhat.com>
 <20160816052401.GR23927@dhcp-40-8.bne.redhat.com>
 <7ad5a28f-9670-b76a-f100-1a6681ac52e5@redhat.com>
 <20160816140939.GV23927@dhcp-40-8.bne.redhat.com>
 <20160819111156.GQ3877@dhcp-40-8.bne.redhat.com>
 <20160905160506.GF11489@dhcp-40-8.bne.redhat.com>
Message-ID: <20160923032906.GY11489@dhcp-40-8.bne.redhat.com>

Bump for review.

Rebased patches attached (there was a trivial conflict in imports).

Thanks,
Fraser

On Tue, Sep 06, 2016 at 02:05:06AM +1000, Fraser Tweedale wrote:
> On Fri, Aug 26, 2016 at 10:28:58AM +0200, Jan Cholasta wrote:
> > On 19.8.2016 13:11, Fraser Tweedale wrote:
> > > Bump for review.
> > >
> > > On Wed, Aug 17, 2016 at 12:09:39AM +1000, Fraser Tweedale wrote:
> > > > On Tue, Aug 16, 2016 at 08:10:08AM +0200, Jan Cholasta wrote:
> > > > > On 16.8.2016 07:24, Fraser Tweedale wrote:
> > > > > > On Mon, Aug 15, 2016 at 08:19:33AM +0200, Jan Cholasta wrote:
> > > > > > > On 9.8.2016 16:47, Fraser Tweedale wrote:
> > > > > > > > On Mon, Aug 08, 2016 at 10:49:27AM +0200, Jan Cholasta wrote:
> > > > > > > > > On 8.8.2016 09:06, Fraser Tweedale wrote:
> > > > > > > > > > On Mon, Aug 08, 2016 at 08:54:05AM +0200, Jan Cholasta wrote:
> > > > > > > > > > > Hi,
> > > > > > > > > > >
> > > > > > > > > > > On 8.8.2016 06:34, Fraser Tweedale wrote:
> > > > > > > > > > > > Please review the attached patch which adds --certificate-out and
> > > > > > > > > > > > --certificate-chain-out options to `ca-show' command.
> > > > > > > > > > > >
> > > > > > > > > > > > Note that --certificate-chain-out currently writes a bogus file due
> > > > > > > > > > > > to a bug in Dogtag that will be fixed in this week's build.
> > > > > > > > > > > >
> > > > > > > > > > > > https://fedorahosted.org/freeipa/ticket/6178
> > > > > > > > > > >
> > > > > > > > > > > 1) The client-side *-out options should be defined on the client side, not
> > > > > > > > > > > on the server side.
> > > > > > > > > > >
> > > > > > > > > > Will an option defined on the client side be propagated to, and observable
> > > > > > > > > > in the ipaserver plugin? The ipaserver plugin needs to observe that
> > > > > > > > > > *-out has been requested and execute additional command(s) on that
> > > > > > > > > > basis.
> > > > > > > > > >
> > > > > > > > > Is there a reason not to *always* return the certs?
> > > > > > > > >
> > > > > > > > We hit Dogtag to retrieve them.
> > > > > > > >
> > > > > > > I don't think that's an issue in a -show command.
> > > > > > >
> > > > > > cert_show is invoked by other commands (cert_find*, cert_show,
> > > > > > cert_request, cert_status, ca_del) but these all hit Dogtag anyway
> > > > > > so I suppose that's fine. I'll return the cert *and* the chain in
> > > > > > separate attributes, unconditionally.
> > > > > >
> > > > > > >
> > > > > > > >
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > 2) I don't think there should be additional information included in summary
> > > > > > > > > > > (and it definitely should not be multi-line). I would rather inform the user
> > > > > > > > > > > via an error message when unable to write the files.
> > > > > > > > > > >
> > > > > > > > > > I was just following the pattern of other commands that write certs,
> > > > > > > > > > profile config, etc. Apart from consistency with other commands I
> > > > > > > > > > agree that there is no need to have it. So I will remove it.
> > > > > > > > > > >
> > > > > > > > > > > If you think there is an actual value in informing the user about
> > > > > > > > > > > successfully writing the files, please use ipalib.messages for the job.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > 3) IMO a better format for the certificate chain than PKCS#7 would be
> > > > > > > > > > > concatenated PEM, as that's the most commonly used format in IPA (in
> > > > > > > > > > > installers, there are no cert chains in API commands ATM).
> > > > > > > > > > >
> > > > > > > > > > Sure, but the main use case isn't IPA. Other apps require PKCS #7
> > > > > > > > > > or concatenated PEMs, but sometimes they must be concatenated
> > > > > > > > > > forward, and other times backwards. There is no one size fits all.
> > > > > > > > > >
> > > > > > > > > True, which is exactly why I think we should at least be self-consistent and
> > > > > > > > > use concatenated PEM (and multi-value DER over the wire).
> > > > > > > > >
> > > > > > > > Dogtag returns a PKCS7 (either DER or PEM, according to HTTP Accept
> > > > > > > > header).
> > > > > > > >
> > > > > > > > If we want list-of-PEMs between server and client we have to convert
> > > > > > > > on the server. Do we have a good way of doing this without exec'ing
> > > > > > > > `openssl pkcs7' on the server? Is it acceptable to exec 'openssl'
> > > > > > > > to do the conversion on the server? python-nss does not have PKCS7
> > > > > > > > functions and I am not keen on adding a pyasn1 PKCS7 parser just for
> > > > > > > > the sake of pushing bits as list-of-PEMs.
> > > > > > > >
> > > > > > > I'm afraid we can't avoid conversion to/from PKCS#7 one way or the other.
> > > > > > > For example, if we added a call to retrieve external CA chain using certs
> > > > > > > from cn=certificates,cn=ipa,cn=etc, we would have to convert the result to
> > > > > > > PKCS#7 if it was our cert chain format of choice.
> > > > > > >
> > > > > > > What we can avoid though is executing "openssl pkcs7" to do the conversion -
> > > > > > > we can use an approach similar to our DNSSEC code and use python-cffi to
> > > > > > > call libcrypto's PKCS#7 conversion routines instead.
> > > > > > >
> > > > > > I had a look at the OpenSSL API for parsing PKCS #7; now I prefer to
> > > > > > exec `openssl' to do the job :)
> > > > > >
> > > > > > I will transmit a DER-encoded PKCS #7 object on the wire; we cannot
> > > > > > use a multi-valued DER attribute because order is important. Client
> > > > > > will convert to PEMs.
> > > > > Well, my point was not to send PKCS#7 over the wire, so that clients
> > > > > (including 3rd party clients) do not have to convert from PKCS#7 themselves.
> > > > >
> > > > > In fact we can use multi-valued DER - whatever you send over the wire from
> > > > > the server will be received in the exact same order by the client. Even if
> > > > > it wasn't, you can easily restore the order by matching issuer and subject
> > > > > names of the certificates.
> > > > >
> > > > > >
> > > > > > Should have new patch on list this afternoon.
> > > > > >
> > > > > > Thanks,
> > > > > > Fraser
> > > > > >
> > > > > > >
> > > > > > > >
> > > > > > > > FWIW, man pages and code suggest that PKCS #7 is accepted in
> > > > > > > > installer, etc.
> > > > > > > >
> > > > > > > True, but that's a relatively new feature (since 4.1) and the installer
> > > > > > > internally executes "openssl pkcs7" to convert PKCS #7 to list of certs :-)
> > > > > > >
> > > > > > > >
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > We can add an option to control the format later, but for now,
> > > > > > > > > > Dogtag returns a PKCS #7 (PEM or DER) so let's go with that. Worst
> > > > > > > > > > case is an admin has to invoke `openssl pkcs7' and concat the certs
> > > > > > > > > > themselves.
> > > > > > > > > >
> > > > > > > > > AFAIK none of NSS, OpenSSL or p11-kit can use PKCS#7 cert chains directly,
> > > > > > > > > so I'm afraid the worst case would happen virtually always.
> > > > > > > > >
> > > > > > > > If you're OK with invoking OpenSSL on the client to convert PKCS #7
> > > > > > > > to list-of-PEMs (similar to what is done in
> > > > > > > > ipapython.certdb.NSSDatabase) then we can have the client perform
> > > > > > > > the conversion.
> > > > > > > >
> > > > > > > See above.
> > > > > > >
> > > > > > > >
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > 4) Over the wire, the certs should be DER-formatted, as that's the most
> > > > > > > > > > > common wire format in other API commands.
> > > > > > > > > > >
> > > > > > > > > > OK.
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > 5) What is the benefit in having the CA cert and the rest of the chain
> > > > > > > > > > > separate? For end-entity certs it makes sense to separate the cert from the
> > > > > > > > > > > CA chain, but for CA certs, you usually want the full chain, no?
> > > > > > > > > > >
> > > > > > > > > > If you want to anchor trust directly at a subca (e.g. restrict VPN
> > > > > > > > > > login to certs issued by VPN sub-CA) then you often just want the
> > > > > > > > > > cert. The chain option does subsume it, at the cost of more work for
> > > > > > > > > > administrators with this use case. I think it makes sense to keep
> > > > > > > > > > both options.
> > > > > > > > > >
> > > > > > > > > Does it? From what you described above, you either want just the sub-CA
> > > > > > > > > cert, or the full chain including the sub-CA cert, in which case it might
> > > > > > > > > make more sense to have a single --out option and a --chain flag.
> > > > > > > > >
> > > > > > > > How about --certificate-out which defaults to single cert, but does
> > > > > > > > chain (as list-of-PEMs) when --chain flag given.
> > > > > > > >
> > > > > > > > Per https://fedorahosted.org/freeipa/ticket/5166 let's not add more
> > > > > > > > `--out' options.
> > > > > > > >
> > > > > > > +1
> > > > > > >
> > > > Updated patch 0097-2 attached, and new patch 0099 which must be
> > > > applied first.
> > > >
> > > > I have implemented the suggested changes, except for cffi (I execute
> > > > `openssl pkcs7' instead).
> >
> > I don't like it, but OK. Another alternative would be to use pyasn1.
> >
> I don't like it either, but neither did I like the idea of
> reimplementing the wheel with pyasn1. Now is not the time for
> busywork :)
>
> > > >
> > > > There are two new output attributes on the wire, 'certificate'
> > > > (single-value DER X.509), and 'certificate_chain' (ordered
> > > > multi-value DER X.509). They are always returned. The first cert
> > > > in the chain is always the same as 'certificate'; obviously this is
> > > > redundant but I have left it this way because I think usage is
> > > > clearer.
> >
> > I don't have a strong feeling about this one way or the other, but the same
> > scheme should be used for cert-show in the future. Does it make sense to do
> > it this way for cert-show?
> >
> > I'm not sure about always returning the chain in cert-show. Now that we have
> > a --chain flag rather than two out options, maybe we should go back to
> > returning the chain only if --chain is specified. What do you think?
> >
> I think we should go for consistency and always include both over
> the wire. If we want to hide cert or chain or both at the `ipa' CLI
> depending on options, I also don't feel strongly either way. For
> now they're both displayed.
>
> >
> > Patch 0099:
> >
> > 1) Please fix this:
> >
> > $ git show -U0 | pep8 --diff
> > ./ipalib/x509.py:59:80: E501 line too long (93 > 79 characters)
> >
> Done.
> > > > > Patch 0097: > > > > 1) `certificate` and `certificate_chain` are actually attributes of the ca > > object, so they should be defined in ca.takes_params rather than > > ca_show.has_output_params. > > > Done. Out of interest, now that they are part of ca_takes_params is > there a way to hide them by default in CLI output, and only show > them when `--all' is given? > > > > > 2) Please fix these: > > > > $ git show -U0 | pep8 --diff > > ./ipaclient/plugins/ca.py:21:9: E124 closing bracket does not match visual > > indentation > > ./ipaclient/plugins/ca.py:23:13: E128 continuation line under-indented for > > visual indent > > ./ipaclient/plugins/ca.py:24:13: E128 continuation line under-indented for > > visual indent > > ./ipaclient/plugins/ca.py:25:13: E128 continuation line under-indented for > > visual indent > > ./ipaclient/plugins/ca.py:26:9: E124 closing bracket does not match visual > > indentation > > ./ipaclient/plugins/ca.py:38:13: E731 do not assign a lambda expression, use > > a def > > > Done. Updated patches attached. > > Thanks, > Fraser > From 046b3dd078c4ccc3732a0106786bae4c01d30a89 Mon Sep 17 00:00:00 2001 > From: Fraser Tweedale > Date: Tue, 16 Aug 2016 13:16:58 +1000 > Subject: [PATCH] Add function for extracting PEM certs from PKCS #7 > > Add a single function for extracting X.509 certs in PEM format from > a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to > use the new function. > > Part of: https://fedorahosted.org/freeipa/ticket/6178 > --- > ipalib/x509.py | 23 +++++++++++++++++- > ipapython/certdb.py | 14 ++++------- > ipaserver/install/cainstance.py | 52 +++++++++++++++-------------------------- > 3 files changed, 45 insertions(+), 44 deletions(-) > > diff --git a/ipalib/x509.py b/ipalib/x509.py > index e986a97a58aafd3aeab08765a397edbf67c7841a..0461553a73e3862c85f1ffcfe4432cabf4fdf7a1 100644 > --- a/ipalib/x509.py > +++ b/ipalib/x509.py 
> @@ -51,11 +51,14 @@ from ipalib import util > from ipalib import errors > from ipaplatform.paths import paths > from ipapython.dn import DN > +from ipapython import ipautil > > PEM = 0 > DER = 1 > > -PEM_REGEX = re.compile(r'(?<=-----BEGIN CERTIFICATE-----).*?(?=-----END CERTIFICATE-----)', re.DOTALL) > +PEM_REGEX = re.compile( > + r'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----', > + re.DOTALL) > > EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1' > EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2' > @@ -148,6 +151,24 @@ def load_certificate_list(data, dbdir=None): > certs = [load_certificate(cert, PEM, dbdir) for cert in certs] > return certs > > + > +def pkcs7_to_pems(data, datatype=PEM): > + """ > + Extract certificates from a PKCS #7 object. > + > + Return a ``list`` of X.509 PEM strings. > + > + May throw ``ipautil.CalledProcessError`` on invalid data. > + > + """ > + cmd = [ > + paths.OPENSSL, "pkcs7", "-print_certs", > + "-inform", "PEM" if datatype == PEM else "DER", > + ] > + result = ipautil.run(cmd, stdin=data, capture_output=True) > + return PEM_REGEX.findall(result.output) > + > + > def load_certificate_list_from_file(filename, dbdir=None): > """ > Load a certificate list from a PEM file. > diff --git a/ipapython/certdb.py b/ipapython/certdb.py > index e19f712d82f160ebc5de9c5b8d6627cb941c2cef..fd18023794a2daace60efd97aff54180b8409bbd 100644 > --- a/ipapython/certdb.py > +++ b/ipapython/certdb.py > @@ -270,13 +270,11 @@ class NSSDatabase(object): > continue > > if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'): > - args = [ > - paths.OPENSSL, 'pkcs7', > - '-print_certs', > - ] > try: > - result = ipautil.run( > - args, stdin=body, capture_output=True) > + certs = x509.pkcs7_to_pems(body) > + extracted_certs += '\n'.join(certs) + '\n' > + loaded = True > + continue > except ipautil.CalledProcessError as e: > if label == 'CERTIFICATE': > root_logger.warning( 
> @@ -287,10 +285,6 @@ class NSSDatabase(object): > "Skipping PKCS#7 in %s at line %s: %s", > filename, line, e) > continue > - else: > - extracted_certs += result.output + '\n' > - loaded = True > - continue > > if label in ('PRIVATE KEY', 'ENCRYPTED PRIVATE KEY', > 'RSA PRIVATE KEY', 'DSA PRIVATE KEY', > diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py > index c4b8e9ae326fb7ebda9e927cd4d0b5bad9743db4..f57c724b0273a275f8146f0d6055e2ee2e51192c 100644 > --- a/ipaserver/install/cainstance.py > +++ b/ipaserver/install/cainstance.py 
> @@ -844,44 +844,30 @@ class CAInstance(DogtagInstance): > # makes openssl throw up. > data = base64.b64decode(chain) > > - result = ipautil.run( > - [paths.OPENSSL, > - "pkcs7", > - "-inform", > - "DER", > - "-print_certs", > - ], stdin=data, capture_output=True) > - certlist = result.output > + certlist = x509.pkcs7_to_pems(data, x509.DER) > > # Ok, now we have all the certificates in certs, walk through it > # and pull out each certificate and add it to our database > > - st = 1 > - en = 0 > - subid = 0 > ca_dn = DN(('CN','Certificate Authority'), self.subject_base) > - while st > 0: > - st = certlist.find('-----BEGIN', en) > - en = certlist.find('-----END', en+1) > - if st > 0: > - try: > - (chain_fd, chain_name) = tempfile.mkstemp() > - os.write(chain_fd, certlist[st:en+25]) > - os.close(chain_fd) > - (_rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25]) > - if subject_dn == ca_dn: > - nick = get_ca_nickname(self.realm) > - trust_flags = 'CT,C,C' > - else: > - nick = str(subject_dn) > - trust_flags = ',,' > - self.__run_certutil( > - ['-A', '-t', trust_flags, '-n', nick, '-a', > - '-i', chain_name] > - ) > - finally: > - os.remove(chain_name) > - subid += 1 > + for cert in certlist: > + try: > + (chain_fd, chain_name) = tempfile.mkstemp() > + os.write(chain_fd, cert) > + os.close(chain_fd) > + (_rdn, subject_dn) = certs.get_cert_nickname(cert) > + if subject_dn == ca_dn: > + nick = get_ca_nickname(self.realm) > + trust_flags = 'CT,C,C' > + else: > + nick = str(subject_dn) > + trust_flags = ',,' > + self.__run_certutil( > + ['-A', '-t', trust_flags, '-n', nick, '-a', > + '-i', chain_name] > + ) > + finally: > + os.remove(chain_name) > > def __request_ra_certificate(self): > # Create a noise file for generating our private key > -- > 2.5.5 > > From fba36bd2b86c2aee1d77e05aa563ced4633ab182 Mon Sep 17 00:00:00 2001 
> From: Fraser Tweedale > Date: Mon, 8 Aug 2016 14:27:20 +1000 > Subject: [PATCH] Add options to write lightweight CA cert or chain to file > > Administrators need a way to retrieve the certificate or certificate > chain of an IPA-managed lightweight CA. Add params to the `ca' > object for carrying the CA certificate and chain (as multiple DER > values), and add the `--certificate-out' option and `--chain' flag > as client-side options for writing one or the other to a file. > > Fixes: https://fedorahosted.org/freeipa/ticket/6178 > --- > ipaclient/plugins/ca.py | 50 +++++++++++++++++++++++++++++++++++++++++++++ > ipaserver/plugins/ca.py | 31 ++++++++++++++++++++++++---- > ipaserver/plugins/dogtag.py | 12 +++++++++++ > 3 files changed, 89 insertions(+), 4 deletions(-) > create mode 100644 ipaclient/plugins/ca.py > > diff --git a/ipaclient/plugins/ca.py b/ipaclient/plugins/ca.py > new file mode 100644 > index 0000000000000000000000000000000000000000..f7e55dec196495f820ebf745eb49e8ddce6b3ee7 > --- /dev/null > +++ b/ipaclient/plugins/ca.py 
> @@ -0,0 +1,50 @@ > +# > +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license > +# > + > +import base64 > +from ipaclient.frontend import MethodOverride > +from ipalib import util, x509, Flag, Str > +from ipalib.plugable import Registry > +from ipalib.text import _ > + > +register = Registry() > + > + > + at register(override=True, no_fail=True) > +class ca_show(MethodOverride): > + > + takes_options = ( > + Str( > + 'certificate_out?', > + doc=_('Write certificate to file'), > + include='cli', > + ), > + Flag( > + 'chain', > + default=False, > + doc=_('Write certificate chain instead of single certificate'), > + include='cli', > + ), > + ) > + > + def forward(self, *keys, **options): > + filename = None > + if 'certificate_out' in options: > + filename = options.pop('certificate_out') > + util.check_writable_file(filename) > + chain = options.pop('chain', False) > + > + result = super(ca_show, self).forward(*keys, **options) > + if filename: > + def to_pem(x): > + return x509.make_pem(base64.b64encode(x)) > + if chain: > + ders = result['result']['certificate_chain'] > + data = '\n'.join(map(to_pem, ders)) > + else: > + data = to_pem(result['result']['certificate']) > + with open(filename, 'wb') as f: > + f.write(data) > + > + return result > diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py > index 966ae2b1bdb4bb0207dfa58f0e9c951bc930f766..0684ddaed0ebfcab8910c1ea356550b504af15e2 100644 > --- a/ipaserver/plugins/ca.py > +++ b/ipaserver/plugins/ca.py 
> @@ -2,14 +2,14 @@ > # Copyright (C) 2016 FreeIPA Contributors see COPYING for license > # > > -from ipalib import api, errors, DNParam, Str > +from ipalib import api, errors, Bytes, DNParam, Str > from ipalib.constants import IPA_CA_CN > from ipalib.plugable import Registry > from ipaserver.plugins.baseldap import ( > LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, > LDAPUpdate, LDAPRetrieve) > from ipaserver.plugins.cert import ca_enabled_check > -from ipalib import _, ngettext > +from ipalib import _, ngettext, x509 > > > __doc__ = _(""" > @@ -79,6 +79,18 @@ class ca(LDAPObject): > doc=_('Issuer Distinguished Name'), > flags=['no_create', 'no_update'], > ), > + Bytes( > + 'certificate', > + label=_("Certificate"), > + doc=_("X.509 certificate"), > + flags={'no_create', 'no_update', 'no_search', 'no_display'}, > + ), > + Bytes( > + 'certificate_chain*', > + label=_("Certificate chain"), > + doc=_("PKCS #7 certificate chain"), > + flags={'no_create', 'no_update', 'no_search', 'no_display'}, > + ), > ) > > permission_filter_objectclasses = ['ipaca'] > @@ -140,9 +152,20 @@ class ca_find(LDAPSearch): > class ca_show(LDAPRetrieve): > __doc__ = _("Display the properties of a CA.") > > - def execute(self, *args, **kwargs): > + def execute(self, *keys, **options): > ca_enabled_check() > - return super(ca_show, self).execute(*args, **kwargs) > + result = super(ca_show, self).execute(*keys, **options) > + > + ca_id = result['result']['ipacaid'][0] > + with self.api.Backend.ra_lightweight_ca as ca_api: > + result['result']['certificate'] = ca_api.read_ca_cert(ca_id) > + > + pkcs7_der = ca_api.read_ca_chain(ca_id) > + pems = x509.pkcs7_to_pems(pkcs7_der, x509.DER) > + ders = (x509.normalize_certificate(pem) for pem in pems) > + result['result']['certificate_chain'] = list(ders) > + > + return result > > > @register() 
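Review bot: the PEM_REGEX change in the first ipalib/x509.py hunk (`@@ -51,11 +51,14 @@`) silently changes what every existing caller receives: the old lookbehind/lookahead pattern matched only the base64 body between the BEGIN and END markers, the new `r'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----'` returns the whole block including the markers. `pkcs7_to_pems` depends on the new behaviour, but the `load_certificate_list` context visible in the next hunk (`certs = [load_certificate(cert, PEM, dbdir) for cert in certs]`) and any other user of `PEM_REGEX` should be checked to confirm they expect the markers to be present; a sentence in the commit message saying the regex semantics changed would help whoever rebases on top of this.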
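Review bot: `pkcs7_to_pems` in the `@@ -148,6 +151,24 @@` hunk of ipalib/x509.py returns an empty list whenever `openssl pkcs7 -print_certs` exits 0 but prints no certificate, so callers cannot distinguish a degenerate PKCS #7 with no certificates from output the regex did not recognise; raising (or at least logging) when `PEM_REGEX.findall` yields nothing, and documenting that case beside the existing `CalledProcessError` note, would make the contract explicit. Also, any `datatype` value other than `PEM` is treated as `DER` by `"PEM" if datatype == PEM else "DER"`; a guard such as `if datatype not in (PEM, DER): raise ValueError(datatype)` catches a wrong constant at the call site rather than as an opaque openssl failure.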
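Review bot: in the ipapython/certdb.py hunk (`@@ -270,13 +270,11 @@`), `loaded = True` is now set inside the `try` as soon as `x509.pkcs7_to_pems(body)` returns, regardless of whether `certs` is empty, so a PKCS #7 blob carrying no certificates marks the file as loaded while contributing nothing to `extracted_certs`; treating an empty list like the `CalledProcessError` branch (warn with the same `filename`/`line` context and `continue`) keeps the "loaded" flag honest now that the helper hides the raw openssl output.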
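Review bot: in the ipaserver/install/cainstance.py hunk (`@@ -844,44 +844,30 @@`), `tempfile.mkstemp()` is still called inside the `try`, so if it raises, `finally: os.remove(chain_name)` runs with `chain_name` unbound and replaces the original error with an `UnboundLocalError`; the rewrite of the loop is the moment to move `(chain_fd, chain_name) = tempfile.mkstemp()` above the `try`. Also, `os.write(chain_fd, cert)` requires a bytes-like object on Python 3, and `cert` here is whatever `pkcs7_to_pems` extracted from the captured `ipautil.run` output; if that is text, encode it (or write the temp file in text mode) so this does not break when the py3 port reaches this code.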
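Review bot: in the new ipaclient/plugins/ca.py, `chain` is popped unconditionally but only consulted when `certificate_out` was given, so `ipa ca-show --chain` without an output file is accepted and does nothing; either reject that combination with a clear error in `forward` or state in the `Flag` doc that it only affects the written file. The file is written with `open(filename, 'wb')` and `data` built by `x509.make_pem(base64.b64encode(x))`; confirm that `make_pem` returns bytes under that mode (or open in text mode), and consider catching a missing `certificate`/`certificate_chain` key from an older server so the user sees a readable error rather than a `KeyError` traceback after `util.check_writable_file` has already passed.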
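Review bot: in the `@@ -79,6 +79,18 @@` hunk of ipaserver/plugins/ca.py the `certificate_chain*` param is documented as `"PKCS #7 certificate chain"`, but `ca_show.execute` stores `list(ders)`, i.e. an ordered list of DER X.509 certificates (the commit message says the same), and `read_ca_chain`'s PKCS #7 response never reaches the client; the doc should say e.g. `"X.509 certificate chain"` so API users do not try to parse the values as PKCS #7.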
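Review bot: in the `ca_show.execute` hunk (`@@ -140,9 +152,20 @@`) of ipaserver/plugins/ca.py, `result['result']['ipacaid'][0]` raises a bare `KeyError`/`IndexError` if the entry lacks `ipacaid`, which is no longer guarded by the retrieve's own error handling; looking the attribute up defensively and raising a readable `ipalib.errors` exception naming the CA would be friendlier. Within the `with` block, a failure in `read_ca_chain` after `read_ca_cert` succeeded propagates with `certificate` already set on a result that is then discarded, which is fine, but since both Dogtag calls now run on every `ca-show`, it is worth a comment that this is intentional (the thread agreed to always return both) so nobody "optimises" it away later.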
> diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py > index aef1e888eb1b6c273c1fd12cbf4912407f8f8132..1fd3106e0ae723eb30dbe32c61e637790f6085d2 100644 > --- a/ipaserver/plugins/dogtag.py > +++ b/ipaserver/plugins/dogtag.py > @@ -2205,6 +2205,18 @@ class ra_lightweight_ca(RestClient): > except: > raise errors.RemoteRetrieveError(reason=_("Response from CA was not valid JSON")) > > + def read_ca_cert(self, ca_id): > + status, resp_headers, resp_body = self._ssldo( > + 'GET', '{}/cert'.format(ca_id), > + headers={'Accept': 'application/pkix-cert'}) > + return resp_body > + > + def read_ca_chain(self, ca_id): > + status, resp_headers, resp_body = self._ssldo( > + 'GET', '{}/chain'.format(ca_id), > + headers={'Accept': 'application/pkcs7-mime'}) > + return resp_body > + > def disable_ca(self, ca_id): > self._ssldo( > 'POST', ca_id + '/disable', > -- > 2.5.5 > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -------------- next part -------------- From b33c2290602d08db423a4cc4d671a6f1be384b88 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 16 Aug 2016 13:16:58 +1000 Subject: [PATCH] Add function for extracting PEM certs from PKCS #7 Add a single function for extracting X.509 certs in PEM format from a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to use the new function. Part of: https://fedorahosted.org/freeipa/ticket/6178 --- ipalib/x509.py | 23 +++++++++++++++++- ipapython/certdb.py | 14 ++++------- ipaserver/install/cainstance.py | 52 +++++++++++++++-------------------------- 3 files changed, 45 insertions(+), 44 deletions(-) diff --git a/ipalib/x509.py b/ipalib/x509.py index e986a97a58aafd3aeab08765a397edbf67c7841a..0461553a73e3862c85f1ffcfe4432cabf4fdf7a1 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py 
@@ -51,11 +51,14 @@ from ipalib import util from ipalib import errors from ipaplatform.paths import paths from ipapython.dn import DN +from ipapython import ipautil PEM = 0 DER = 1 -PEM_REGEX = re.compile(r'(?<=-----BEGIN CERTIFICATE-----).*?(?=-----END CERTIFICATE-----)', re.DOTALL) +PEM_REGEX = re.compile( + r'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----', + re.DOTALL) EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1' EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2' @@ -148,6 +151,24 @@ def load_certificate_list(data, dbdir=None): certs = [load_certificate(cert, PEM, dbdir) for cert in certs] return certs + +def pkcs7_to_pems(data, datatype=PEM): + """ + Extract certificates from a PKCS #7 object. + + Return a ``list`` of X.509 PEM strings. + + May throw ``ipautil.CalledProcessError`` on invalid data. + + """ + cmd = [ + paths.OPENSSL, "pkcs7", "-print_certs", + "-inform", "PEM" if datatype == PEM else "DER", + ] + result = ipautil.run(cmd, stdin=data, capture_output=True) + return PEM_REGEX.findall(result.output) + + def load_certificate_list_from_file(filename, dbdir=None): """ Load a certificate list from a PEM file. diff --git a/ipapython/certdb.py b/ipapython/certdb.py index e19f712d82f160ebc5de9c5b8d6627cb941c2cef..fd18023794a2daace60efd97aff54180b8409bbd 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -270,13 +270,11 @@ class NSSDatabase(object): continue if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'): - args = [ - paths.OPENSSL, 'pkcs7', - '-print_certs', - ] try: - result = ipautil.run( - args, stdin=body, capture_output=True) + certs = x509.pkcs7_to_pems(body) + extracted_certs += '\n'.join(certs) + '\n' + loaded = True + continue except ipautil.CalledProcessError as e: if label == 'CERTIFICATE': root_logger.warning( 
@@ -287,10 +285,6 @@ class NSSDatabase(object): "Skipping PKCS#7 in %s at line %s: %s", filename, line, e) continue - else: - extracted_certs += result.output + '\n' - loaded = True - continue if label in ('PRIVATE KEY', 'ENCRYPTED PRIVATE KEY', 'RSA PRIVATE KEY', 'DSA PRIVATE KEY', diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index c81b8f5b224b941a5a75449653d5c90b6d0c3426..c96d142b8de8bc451350a12784438da253bf0158 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -848,44 +848,30 @@ class CAInstance(DogtagInstance): # makes openssl throw up. data = base64.b64decode(chain) - result = ipautil.run( - [paths.OPENSSL, - "pkcs7", - "-inform", - "DER", - "-print_certs", - ], stdin=data, capture_output=True) - certlist = result.output + certlist = x509.pkcs7_to_pems(data, x509.DER) # Ok, now we have all the certificates in certs, walk through it # and pull out each certificate and add it to our database - st = 1 - en = 0 - subid = 0 ca_dn = DN(('CN','Certificate Authority'), self.subject_base) - while st > 0: - st = certlist.find('-----BEGIN', en) - en = certlist.find('-----END', en+1) - if st > 0: - try: - (chain_fd, chain_name) = tempfile.mkstemp() - os.write(chain_fd, certlist[st:en+25]) - os.close(chain_fd) - (_rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25]) - if subject_dn == ca_dn: - nick = get_ca_nickname(self.realm) - trust_flags = 'CT,C,C' - else: - nick = str(subject_dn) - trust_flags = ',,' - self.__run_certutil( - ['-A', '-t', trust_flags, '-n', nick, '-a', - '-i', chain_name] - ) - finally: - os.remove(chain_name) - subid += 1 + for cert in certlist: + try: + (chain_fd, chain_name) = tempfile.mkstemp() + os.write(chain_fd, cert) + os.close(chain_fd) + (_rdn, subject_dn) = certs.get_cert_nickname(cert) + if subject_dn == ca_dn: + nick = get_ca_nickname(self.realm) + trust_flags = 'CT,C,C' + else: + nick = str(subject_dn) + trust_flags = ',,' + self.__run_certutil( + ['-A', '-t', trust_flags, '-n', nick, '-a', + '-i', chain_name] + ) + finally: + os.remove(chain_name) # Restore NSS trust flags of all previously existing certificates for nick, trust_flags in cert_backup_list: -- 2.5.5 -------------- next part -------------- From 9dc7ffe4ffe826a9de4fb188c70f5da7f805d3e4 Mon Sep 17 00:00:00 2001 
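Review bot: the PEM_REGEX change in the first ipalib/x509.py hunk alters what every existing user of that regex receives: the old lookbehind/lookahead pattern returned only the base64 body between the markers, the new one returns the whole `-----BEGIN CERTIFICATE-----` ... `-----END CERTIFICATE-----` block. The second hunk sits inside load_certificate_list (its context line is `certs = [load_certificate(cert, PEM, dbdir) for cert in certs]`), so if that function splits its input with PEM_REGEX, confirm that load_certificate(..., PEM) tolerates the markers, or give pkcs7_to_pems its own pattern and leave PEM_REGEX untouched. The new helper also arrives without a test; a unit test feeding a small PKCS #7 blob in both PEM and DER form would pin down the `-inform` switch and the regex.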
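Review bot: in the ipapython/certdb.py hunk, `loaded = True` and `continue` moved inside the `try:` together with the pkcs7_to_pems call, so the `except ipautil.CalledProcessError` now also wraps lines that cannot raise it; keep the try narrow (`certs = x509.pkcs7_to_pems(body)` only) and put the bookkeeping after it, as the removed `else:` branch did.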
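Review bot: `os.write(chain_fd, cert)` in the ipaserver/install/cainstance.py hunk writes the str returned by pkcs7_to_pems (its regex runs over the decoded `result.output`) to a raw file descriptor, which needs bytes on Python 3; encode it or write through a text-mode file object. The refactor also keeps the pre-existing `tempfile.mkstemp()` inside the `try:`, so a failure there reaches `os.remove(chain_name)` with chain_name unbound; move mkstemp above the try. Dropping the hand-rolled `find('-----BEGIN')` loop and the unused `subid` counter is otherwise a clear improvement.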
From: Fraser Tweedale Date: Mon, 8 Aug 2016 14:27:20 +1000 Subject: [PATCH] Add options to write lightweight CA cert or chain to file Administrators need a way to retrieve the certificate or certificate chain of an IPA-managed lightweight CA. Add params to the `ca' object for carrying the CA certificate and chain (as multiple DER values), and add the `--certificate-out' option and `--chain' flag as client-side options for writing one or the other to a file. Fixes: https://fedorahosted.org/freeipa/ticket/6178 --- ipaclient/plugins/ca.py | 50 +++++++++++++++++++++++++++++++++++++++++++++ ipaserver/plugins/ca.py | 31 ++++++++++++++++++++++++---- ipaserver/plugins/dogtag.py | 12 +++++++++++ 3 files changed, 89 insertions(+), 4 deletions(-) create mode 100644 ipaclient/plugins/ca.py diff --git a/ipaclient/plugins/ca.py b/ipaclient/plugins/ca.py new file mode 100644 index 0000000000000000000000000000000000000000..f7e55dec196495f820ebf745eb49e8ddce6b3ee7 --- /dev/null +++ b/ipaclient/plugins/ca.py 
@@ -0,0 +1,50 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +import base64 +from ipaclient.frontend import MethodOverride +from ipalib import util, x509, Flag, Str +from ipalib.plugable import Registry +from ipalib.text import _ + +register = Registry() + + + at register(override=True, no_fail=True) +class ca_show(MethodOverride): + + takes_options = ( + Str( + 'certificate_out?', + doc=_('Write certificate to file'), + include='cli', + ), + Flag( + 'chain', + default=False, + doc=_('Write certificate chain instead of single certificate'), + include='cli', + ), + ) + + def forward(self, *keys, **options): + filename = None + if 'certificate_out' in options: + filename = options.pop('certificate_out') + util.check_writable_file(filename) + chain = options.pop('chain', False) + + result = super(ca_show, self).forward(*keys, **options) + if filename: + def to_pem(x): + return x509.make_pem(base64.b64encode(x)) + if chain: + ders = result['result']['certificate_chain'] + data = '\n'.join(map(to_pem, ders)) + else: + data = to_pem(result['result']['certificate']) + with open(filename, 'wb') as f: + f.write(data) + + return result diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index 4d83fe81c951b01d06d3c85d74fe94e24bce0b1f..bf37bb7e641062256dee367cdd26674619944221 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -2,14 +2,14 @@ # Copyright (C) 2016 FreeIPA Contributors see COPYING for license # -from ipalib import api, errors, output, DNParam, Str +from ipalib import api, errors, output, Bytes, DNParam, Str from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from ipaserver.plugins.baseldap import ( LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPUpdate, LDAPRetrieve, LDAPQuery, pkey_to_value) from ipaserver.plugins.cert import ca_enabled_check -from ipalib import _, ngettext +from ipalib import _, ngettext, x509 __doc__ = _(""" 
@@ -95,6 +95,18 @@ class ca(LDAPObject): doc=_('Issuer Distinguished Name'), flags=['no_create', 'no_update'], ), + Bytes( + 'certificate', + label=_("Certificate"), + doc=_("X.509 certificate"), + flags={'no_create', 'no_update', 'no_search', 'no_display'}, + ), + Bytes( + 'certificate_chain*', + label=_("Certificate chain"), + doc=_("PKCS #7 certificate chain"), + flags={'no_create', 'no_update', 'no_search', 'no_display'}, + ), ) permission_filter_objectclasses = ['ipaca'] @@ -156,9 +168,20 @@ class ca_find(LDAPSearch): class ca_show(LDAPRetrieve): __doc__ = _("Display the properties of a CA.") - def execute(self, *args, **kwargs): + def execute(self, *keys, **options): ca_enabled_check() - return super(ca_show, self).execute(*args, **kwargs) + result = super(ca_show, self).execute(*keys, **options) + + ca_id = result['result']['ipacaid'][0] + with self.api.Backend.ra_lightweight_ca as ca_api: + result['result']['certificate'] = ca_api.read_ca_cert(ca_id) + + pkcs7_der = ca_api.read_ca_chain(ca_id) + pems = x509.pkcs7_to_pems(pkcs7_der, x509.DER) + ders = (x509.normalize_certificate(pem) for pem in pems) + result['result']['certificate_chain'] = list(ders) + + return result @register() diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index ffe6ead26a00b158df92fb6dbee7dea80b8fb6bc..8554c7b8b33c6ea39a892548c93194586c8d142c 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
@@ -2122,6 +2122,18 @@ class ra_lightweight_ca(RestClient): except: raise errors.RemoteRetrieveError(reason=_("Response from CA was not valid JSON")) + def read_ca_cert(self, ca_id): + status, resp_headers, resp_body = self._ssldo( + 'GET', '{}/cert'.format(ca_id), + headers={'Accept': 'application/pkix-cert'}) + return resp_body + + def read_ca_chain(self, ca_id): + status, resp_headers, resp_body = self._ssldo( + 'GET', '{}/chain'.format(ca_id), + headers={'Accept': 'application/pkcs7-mime'}) + return resp_body + def disable_ca(self, ca_id): self._ssldo( 'POST', ca_id + '/disable', -- 2.5.5 From ftweedal at redhat.com Fri Sep 23 03:30:28 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 23 Sep 2016 13:30:28 +1000 Subject: [Freeipa-devel] [PATCH] 0107 Fix cert revocation when removing all certs via host/service-mod In-Reply-To: <20160907090625.GT11489@dhcp-40-8.bne.redhat.com> References: <20160907090625.GT11489@dhcp-40-8.bne.redhat.com> Message-ID: <20160923033028.GZ11489@dhcp-40-8.bne.redhat.com> Bump for review. On Wed, Sep 07, 2016 at 04:06:25PM +0700, Fraser Tweedale wrote: > Attached patch fixes https://fedorahosted.org/freeipa/ticket/6305 > > Thanks, > Fraser > From d4d7e77795f96a4970058e61d99c70522689b22d Mon Sep 17 00:00:00 2001 > From: Fraser Tweedale > Date: Wed, 7 Sep 2016 19:00:18 +1000 > Subject: [PATCH] Fix cert revocation when removing all certs via > host/service-mod > > When removing all host/service certificates via host/service-mod > --certificate=, the removed certificates should be revoked, but they > are not. Examine whether the --certificate option was provided to > determine whether certs should be revoked, instead of looking for a > cert list in the options (which in this case is empty). > > Fixes: https://fedorahosted.org/freeipa/ticket/6305 > --- > ipaserver/plugins/host.py | 3 ++- > ipaserver/plugins/service.py | 3 ++- > 2 files changed, 4 insertions(+), 2 deletions(-) 
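Review bot: in the new ipaclient/plugins/ca.py, `--chain` without `--certificate-out` is silently ignored (the flag is popped and then only consulted under `if filename:`); raise a validation error so the user learns nothing was written, or state the dependency in the option doc strings. Two smaller points in the same hunk: `open(filename, 'wb')` receives the str built by `to_pem`, which fails on Python 3 unless the data is encoded (or the file opened in text mode), and `x509.make_pem(base64.b64encode(x))` hands make_pem a bytes object on Python 3, so check that make_pem accepts it. Calling `util.check_writable_file(filename)` before the RPC is the right order; it fails early instead of after a round trip.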
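Review bot: ca_show.execute in ipaserver/plugins/ca.py now makes two Dogtag REST calls and spawns openssl (through pkcs7_to_pems) on every invocation, with no error handling around `with self.api.Backend.ra_lightweight_ca as ca_api:`; a Dogtag outage or RA credential problem therefore turns a plain LDAP lookup into a failure, and ca-show is also called by installers (see the ipa-ca-install traceback quoted later on this page). Consider catching the RA errors and omitting the two new attributes, or fetching them only on request. The `doc=_("PKCS #7 certificate chain")` on `certificate_chain*` is also inaccurate: the value returned is a list of DER certificates, as the commit message says, not a PKCS #7 object.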
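Review bot: read_ca_cert and read_ca_chain in ipaserver/plugins/dogtag.py discard the `status` returned by `_ssldo`; unless `_ssldo` itself raises on non-2xx responses, an error body would be handed back as the certificate or chain and then fed to openssl or to the client. Check the status (and ideally the response Content-Type against the Accept header sent) before returning `resp_body`, raising errors.RemoteRetrieveError as the surrounding code does.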
> > diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py > index 2362b6247af87b4ce63c21083e6bc8ac39db0804..7f63e94849b4a6f2ce871ec77b188c54d640ba94 100644 > --- a/ipaserver/plugins/host.py > +++ b/ipaserver/plugins/host.py > @@ -898,7 +898,8 @@ class host_mod(LDAPUpdate): > certs_der = [x509.normalize_certificate(c) for c in certs] > > # revoke removed certificates > - if certs and self.api.Command.ca_is_enabled()['result']: > + ca_is_enabled = self.api.Command.ca_is_enabled()['result'] > + if 'usercertificate' in options and ca_is_enabled: > try: > entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) > except errors.NotFound: > diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py > index 093525f2e7cb84b18f0658dcb5d7c786e45c6ab6..c0590732470ac1200d4dd4ea1f089e4384a509b3 100644 > --- a/ipaserver/plugins/service.py > +++ b/ipaserver/plugins/service.py > @@ -701,7 +701,8 @@ class service_mod(LDAPUpdate): > certs = entry_attrs.get('usercertificate') or [] > certs_der = [x509.normalize_certificate(c) for c in certs] > # revoke removed certificates > - if certs and self.api.Command.ca_is_enabled()['result']: > + ca_is_enabled = self.api.Command.ca_is_enabled()['result'] > + if 'usercertificate' in options and ca_is_enabled: > try: > entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) > except errors.NotFound: > -- > 2.5.5 > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From jcholast at redhat.com Fri Sep 23 05:28:42 2016 
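Review bot: the `'usercertificate' in options` test in both the ipaserver/plugins/host.py and ipaserver/plugins/service.py hunks fixes the `--certificate=` (empty list) case, but if certificates can also be removed with `--delattr usercertificate=...`, that request does not put a `usercertificate` key into options and would still skip revocation; worth confirming which path LDAPUpdate uses for delattr. The revocation block is now copied verbatim between host_mod and service_mod; a shared helper would keep the two from drifting again, and a test for ticket 6305 (modify with an empty certificate list, then check the removed cert was revoked) would guard the fix.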
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 23 Sep 2016 07:28:42 +0200
Subject: [Freeipa-devel] pylint: remove unused variables
In-Reply-To:
References:
Message-ID: <707f370c-87cc-f7d4-c664-8ac26fbf7fdb@redhat.com>

On 22.9.2016 16:39, Martin Basti wrote:
> Hello all,
>
> In 4.5, I would like to remove all unused variables from code and enable
> the pylint check. Due to the large amount of unused variables in the code
> this will be a long-term effort.
>
> Why this?:
>
> * better code readability
> * removing dead code
> * an unused variable may uncover a potential bug
>
> It is clear what to do with unused assignments, but I need an agreement
> on what to do with unpacking or iteration with unused variables.
>
> For example:
>
>     for name, surname, gender in (('Martin', 'Basti', 'M'), ):
>
>     name, surname, gender = user['mbasti']
>
> where 'surname' is unused.
>
> Pylint will detect surname as an unused variable and we have to agree on
> a way to tell pylint that this variable is unused on purpose:
>
> 1)
>
>     (
>         name,
>         surname,  # pylint: disable=unused-variable
>         gender
>     ) = user['mbasti']
>
> I don't like this approach

+1

> 2)
>
> Use a defined keyword: 'dummy' is the default in pylint, we can set our
> own, like ignored, unused
>
>     name, dummy, gender = user['mbasti']

-1, not visible enough.

> 3)
>
> use a prefix for unused variables: '_' or 'ignore_'
>
>     name, _surname, gender = user['mbasti']

This. We have already been using it in new code for quite some time, and
it's common in other Python projects too. Don't reinvent the wheel.

> 4)
>
> we can combine all :)
>
> For me the best is to have the prefix '_' and the 'dummy' keyword

Use '_dummy', it's both :-)

> As a first step I'll enable the pylint check and disable it locally per
> module where unused variables are, to avoid new regressions. Then I will
> fix it module by module.
>
> I'm open to suggestions
>
> Martin^2
>

-- 
Jan Cholasta

From jcholast at redhat.com Fri Sep 23 06:11:36 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 23 Sep 2016 08:11:36 +0200
Subject: [Freeipa-devel] [PATCH] 0107 Fix cert revocation when removing all certs via host/service-mod
In-Reply-To: <20160923033028.GZ11489@dhcp-40-8.bne.redhat.com>
References: <20160907090625.GT11489@dhcp-40-8.bne.redhat.com> <20160923033028.GZ11489@dhcp-40-8.bne.redhat.com>
Message-ID: <2920e01f-906c-4ad6-ba25-cf4e759da56e@redhat.com>

On 23.9.2016 05:30, Fraser Tweedale wrote:
> Bump for review.

Works for me, ACK.

Pushed to master: 97d4ffc2dc5db00fd7ed10b0b290cc97a506d0ef

-- 
Jan Cholasta

From freeipa-github-notification at redhat.com Fri Sep 23 06:08:36 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Fri, 23 Sep 2016 08:08:36 +0200
Subject: [Freeipa-devel] [freeipa PR#106][+ack] Pylint: enable additional checks
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/106
Title: #106: Pylint: enable additional checks

Label: +ack

From freeipa-github-notification at redhat.com Fri Sep 23 06:26:54 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Fri, 23 Sep 2016 08:26:54 +0200
Subject: [Freeipa-devel] [freeipa PR#108][opened] https://fedorahosted.org/freeipa/ticket/6256
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/108
Author: frasertweedale
Title: #108: https://fedorahosted.org/freeipa/ticket/6256
Action: opened

PR body:
"""
None
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/108/head:pr108
git checkout pr108
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-108.patch
Type: text/x-diff
Size: 2432 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Sep 23 06:40:16 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Fri, 23 Sep 2016 08:40:16 +0200
Subject: [Freeipa-devel] [freeipa PR#108][edited] Bump pki min version and add commentary about sub-CA revocation on delete
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/108
Author: frasertweedale
Title: #108: Bump pki min version and add commentary about sub-CA revocation on delete
Action: edited

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/108/head:pr108
git checkout pr108

From freeipa-github-notification at redhat.com Fri Sep 23 06:40:18 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Fri, 23 Sep 2016 08:40:18 +0200
Subject: [Freeipa-devel] [freeipa PR#108][edited] Bump pki min version and add commentary about sub-CA revocation on delete
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/108
Author: frasertweedale
Title: #108: Bump pki min version and add commentary about sub-CA revocation on delete
Action: edited

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/108/head:pr108
git checkout pr108

From jcholast at redhat.com Fri Sep 23 06:50:32 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 23 Sep 2016 08:50:32 +0200
Subject: [Freeipa-devel] [PATCH 0060] Add --force-join option to ipa-replica-install
In-Reply-To: <0873eb61-3504-d14d-cd72-a6b350b45c2b@redhat.com>
References: <84165298-500b-1638-f3b1-a6b20c8f9e63@redhat.com> <44b90a51-6b3c-03fd-86e0-b3c65f626a2a@redhat.com> <378fc422-9620-2b38-cb64-316e4de99e5e@redhat.com> <62dde92d-4978-ae47-abbc-354542ff44a2@redhat.com> <0873eb61-3504-d14d-cd72-a6b350b45c2b@redhat.com>
Message-ID:

On 25.8.2016 15:31, Martin Basti wrote:
>
>
> On 10.08.2016 07:53, Stanislav Laznicka wrote:
>> On 08/10/2016 07:31 AM, Jan Cholasta wrote:
>>> On 9.8.2016 18:52, Petr Vobornik wrote:
>>>> On 08/09/2016 04:18 PM, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 09.08.2016 16:07, Stanislav Laznicka wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/6183
>>>>>>
>>>>>>
>>>>>>
>>>>> Didn't we agree that --force-join should always be used (without an
>>>>> extra replica-install option)?
>>>>
>>>> +1
>>>
>>> Did we?
>>>
>>> IMO the default behavior should be the same as in domain level 0 when
>>> trying to install a replica on an already enrolled host.
>> That was my impression as well.
>
> OK then, I don't like adding a mostly useless option, but client install
> is broken by design so whatever.

Bump, what is the status of this?

FTR this is what happens on domain level 0 if the host is already enrolled:

# ipa-replica-install replica-info-test.example.com.gpg
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Directory Manager (existing master) password:

The host test.example.com already exists on the master server.
You should remove it before proceeding:
    % ipa host-del test.example.com
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

-- 
Jan Cholasta

From jcholast at redhat.com Fri Sep 23 06:51:02 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 23 Sep 2016 08:51:02 +0200
Subject: [Freeipa-devel] [PATCH] 0091 Allow full customisability of CA subject name
In-Reply-To: <6c5080d5-f0fa-655d-71de-e2a8f474ffa6@redhat.com>
References: <20160715050448.GE10771@dhcp-40-8.bne.redhat.com> <20160715050539.GF10771@dhcp-40-8.bne.redhat.com> <83eb61a6-4e1f-d33a-1bbb-dacf8de522af@redhat.com> <20160719095445.GU10771@dhcp-40-8.bne.redhat.com> <4f7384ee-e648-2adb-3c86-26e297ede481@redhat.com> <63eec8fe-b64d-00db-f516-ccff6e8220a5@redhat.com> <20160815125425.GM23927@dhcp-40-8.bne.redhat.com> <20160819100933.GM3877@dhcp-40-8.bne.redhat.com> <20160822050057.GV3877@dhcp-40-8.bne.redhat.com> <6c5080d5-f0fa-655d-71de-e2a8f474ffa6@redhat.com>
Message-ID: <7e1776b6-cb72-4fa5-07a1-531c91feb051@redhat.com>

On 25.8.2016 12:08, Jan Cholasta wrote:
> On 22.8.2016 07:00, Fraser Tweedale wrote:
>> On Fri, Aug 19, 2016 at 08:09:33PM +1000, Fraser Tweedale wrote:
>>> On Mon, Aug 15, 2016 at 10:54:25PM +1000, Fraser Tweedale wrote:
>>>> On Mon, Aug 15, 2016 at 02:08:54PM +0200, Jan Cholasta wrote:
>>>>> On 19.7.2016 12:05, Jan Cholasta wrote:
>>>>>> On 19.7.2016 11:54, Fraser Tweedale wrote:
>>>>>>> On Tue, Jul 19, 2016 at 09:36:17AM +0200, Jan Cholasta wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> On 15.7.2016 07:05, Fraser Tweedale wrote:
>>>>>>>>> On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote:
>>>>>>>>>> The attached patch is a work in progress for
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).
>>>>>>>>>>
>>>>>>>>>> I am sharing now to make the approach clear and solicit feedback.
>>>>>>>>>>
>>>>>>>>>> It has been tested for server install, replica install (with and
>>>>>>>>>> without CA) and CA-replica install (all hosts running
>>>>>>>>>> master+patch).
>>>>>>>>>>
>>>>>>>>>> Migration from earlier versions and server/replica/CA install on a
>>>>>>>>>> CA-less deployment are not yet tested; these will be tested over
>>>>>>>>>> the coming days and the patch will be tweaked as necessary.
>>>>>>>>>>
>>>>>>>>>> The commit message has a fair bit to say so I won't repeat it here,
>>>>>>>>>> but let me know your questions and comments.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Fraser
>>>>>>>>>>
>>>>>>>>> It does help to attach the patch, of course ^_^
>>>>>>>>
>>>>>>>> IMO explicit is better than implicit, so instead of introducing
>>>>>>>> additional magic around --subject, I would rather add a new separate
>>>>>>>> option for specifying the CA subject name (I think --ca-subject, for
>>>>>>>> consistency with --ca-signing-algorithm).
>>>>>>>>
>>>>>>> The current situation - the --subject argument which specifies not
>>>>>>> the subject but the subject base - is confusing enough (to say
>>>>>>> nothing of the limitations that give rise to the RFE).
>>>>>>>
>>>>>>> Retaining --subject for specifying the subject base and adding
>>>>>>> --ca-subject for specifying the *actual* subject DN gets us over the
>>>>>>> line in terms of the RFE, but does not make the installer less
>>>>>>> confusing. This is why I made --subject accept the full subject DN,
>>>>>>> with provisions to retain existing behaviour.
>>>>>>>
>>>>>>> IMO if we want to have separate arguments for subject DN and subject
>>>>>>> base (I am not against it), let's bite the bullet and name arguments
>>>>>>> accordingly. --subject should be used to specify the full Subject DN,
>>>>>>> --subject-base (or similar) for specifying the subject base.
>>>>>>
>>>>>> IMHO --ca-subject is better than --subject, because it is more
>>>>>> explicit whose subject name that is (the CA's). I agree that --subject
>>>>>> should be deprecated and replaced with --subject-base.
>>>>>>
>>>>>>>
>>>>>>> (I intentionally defer discussion of specific behaviour if one, none
>>>>>>> or both are specified; let's resolve the question of renaming /
>>>>>>> changing the meaning of arguments first).
>>>>>>>
>>>>>>>
>>>>>>>> By specifying the option you would override the default
>>>>>>>> "CN=Certificate Authority,$SUBJECT_BASE" subject name. If
>>>>>>>> --external-ca was not used, additional validation would be done to
>>>>>>>> make sure the subject name meets Dogtag's expectations. Actually, it
>>>>>>>> might make sense to always do the additional validation, to be able
>>>>>>>> to print a warning that if a Dogtag-incompatible subject name is
>>>>>>>> used, it won't be possible to change the CA cert chaining from
>>>>>>>> externally signed to self-signed later.
>>>>>>>>
>>>>>>>> Honza
>>>>>
>>>>> Bump, any update on this?
>>>>>
>>>> I have an updated patch that fixes some issues Sebastian encountered
>>>> in testing, but I've not yet tackled the main change requested by
>>>> Honza (in brief: adding --ca-subject for specifying that, adding
>>>> --subject-base for specifying that, and deprecating --subject;
>>>> Sebastian, see discussion above and feel free to give your
>>>> thoughts). I expect I'll get back onto this work within the next
>>>> few days.
>>>>
>>> Update: I've got an updated version of the patch almost ready for
>>> review, but I'm still ironing out some wrinkles in replica
>>> installation.
>>>
>>> Expect to be able to send it Monday or Tuesday for review.
>>>
>> Updated patch attached.
>>
>> I expect it will take a while to review, test and get the ACK, but
>> in any case: IMO it should not be merged until after the ipa-4-4 branch
>> gets created.
> > 1) Please fix these: > > $ git show -U0 | pep8 --diff > ./ipaserver/install/cainstance.py:508:13: E128 continuation line > under-indented for visual indent > ./ipaserver/install/dsinstance.py:259:5: E303 too many blank lines (2) > ./ipaserver/install/installutils.py:999:1: E302 expected 2 blank lines, > found 1 > ./ipaserver/install/server/common.py:161:80: E501 line too long (101 > > 79 characters) > ./ipaserver/install/server/replicainstall.py:93:80: E501 line too long > (82 > 79 characters) > ./ipaserver/install/server/replicainstall.py:604:80: E501 line too long > (81 > 79 characters) > > > 2) Please put 3rd party library (such as six) imports between standard > library imports and ipa imports. > > > 3) ipa-ca-install should also have the --subject-base and --ca-subject > options. > > > 4) Please use the original method of getting the configured subject base > from ipacertificatesubjectbase of the config object rather than > DSInstance.find_subject_base(), which is horrendous and should in fact > be obliterated (not necessarily in this patch). > > > 5) You can use "unicode(x509.get_subject(cert))" to get subject name of > a cert instead of "unicode(x509.load_certificate(cert).subject)". > > > 6) For every removed "options.subject = ..." there should be a > "options.subject_base ..." added. > > > 7) The subject base read from replica config should be respected, i.e. 
> this bit in ipa-ca-install should stay: > > - if config.subject_base is None: > - attrs = conn.get_ipa_config() > - config.subject_base = attrs.get('ipacertificatesubjectbase')[0] > > Also I would move the rest of the "look up CA subject name" to between > options.ca_cert_file assignment and ca.install_check() call: > > else: > options.ca_cert_file = None > > + # look up CA subject name (needed for DS certmap.conf) > + ipa_ca_nickname = get_ca_nickname(config.realm_name) > + db = certs.CertDB(config.realm_name, nssdir=paths.IPA_NSSDB_DIR) > + cert = db.get_cert_from_db(ipa_ca_nickname) > + options.ca_subject = unicode(x509.load_certificate(cert).subject) > + > ca.install_check(True, config, options) > if options.promote: > ca_data = (os.path.join(config.dir, 'cacert.p12'), > > > 8) I think we should remove --subject from ipa-server-install man page > altogether. > > > 9) I don't like that the default values are set in multiple places > (CAInstance.configure_instance(), CAInstance.configure_replica(), > KRAInstance.configure_instance(), KRAInstance.configure_replica(), > ipa-server-install). The defaults should be handled in one place - ca.py > - and the values (read from configuration or specified by user or > default) should be passed through arguments to CAInstance/KRAInstance. > > > 10) Nitpick, but the ca_subject_dn argument of CertDB() would be better > called just ca_subject and be located after subject_base, for > consistency with the rest of the patch. > > Maybe also rename the subject argument of the various CAInstance and > KRAInstance methods to ca_subject? > > > 11) I see that there was some code which ignored the configured subject > base. I think the fixes for that should be moved into a separate patch > and maybe even a separate ticket. 
>
>
> 12) The proper way to rename a Knob and keep the old name is to put the
> old name in cli_aliases of the renamed Knob rather than add a new Knob,
> like this:
>
>     subject_base = Knob(
>         str, None,
>         description="The certificate subject base (default O=)",
>         cli_aliases=['subject'],
>     )
>
> This way you wouldn't be able to issue a warning when --subject is used,
> but that's OK, as we don't do it for any other renamed options either.
>
>
> 13) AFAIK CN is in fact not valid in a subject base, so it should not be
> added to VALID_SUBJECT_ATTRS.
>
>
> 14) NACK on the normalization stuff. It's not really normalization if
> the original value is not equal to the normalized value. Instead of this
> you should validate if the provided subject name is suitable for Dogtag
> and if it isn't, fail and inform the user what the acceptable format is.
>
>
> 15) Subject base setting is not respected for most of our certs. This is
> with --subject-base='O=Test':
>
> $ sudo getcert list | grep subject
>         subject: CN=CA Audit,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>         subject: CN=OCSP Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>         subject: CN=CA Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>         subject: CN=Certificate Authority,O=Test
>         subject: CN=IPA RA,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>         subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>         subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=Test
>         subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=Test
>
> This is most likely because of 5) and 8) combined.
>
>
> 16) Spaces do not work. This is with --subject-base='O=My Organization':
>
> $ ipa config-show | grep 'Subject base'
>   Certificate Subject base: O=My
>
> $ sudo getcert list | grep 'subject'
>         subject: CN=CA Audit,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>         subject: CN=OCSP Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>         subject: CN=CA Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>         subject: CN=Certificate Authority,O=My
>         subject: CN=IPA RA,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>         subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>         subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=My
>         subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=My
>
> I blame the normalization. See also 13).
>
>
> 17) CN in subject base does not work. This is with
> --subject-base='CN=Test':
>
> $ sudo getcert list | grep subject
>         subject: CN=CA Audit,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>         subject: CN=OCSP Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>         subject: CN=CA Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>         subject: CN=Certificate Authority,CN=Test
>         subject: CN=IPA RA,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>         subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>         subject: CN=Test,CN=Test
>         subject: CN=Test,CN=Test
>
> See 12).
>
>
> 18) In CA-less topology, ipa-replica-install fails:
>
> 2016-08-25T09:54:09Z DEBUG Starting external process
> 2016-08-25T09:54:09Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a
> 2016-08-25T09:54:09Z DEBUG Process finished, return code=255
> 2016-08-25T09:54:09Z DEBUG stdout=
> 2016-08-25T09:54:09Z DEBUG stderr=certutil: Could not find cert: ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> 2016-08-25T09:54:09Z DEBUG Destroyed connection context.ldap2_140045224192976
> 2016-08-25T09:54:09Z DEBUG Starting external process
> 2016-08-25T09:54:09Z DEBUG args=/usr/sbin/ipa-client-install --unattended --uninstall
> 2016-08-25T09:54:18Z DEBUG Process finished, return code=0
> 2016-08-25T09:54:18Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>     return_value = self.run()
> ----8<------
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
>     promote_check(self)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 364, in decorated
>     func(installer)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
>     func(installer)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1266, in promote_check
>     options.ca_subject = unicode(x509.load_certificate(cert).subject)
>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
>     return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin
>
> 2016-08-25T09:54:18Z DEBUG The ipa-replica-install command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> 2016-08-25T09:54:18Z ERROR (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> 2016-08-25T09:54:18Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
>
> 19) In CA-less topology, ipa-ca-install fails:
>
> 2016-08-25T09:58:21Z DEBUG raw: ca_show(u'ipa', version=u'2.212')
> 2016-08-25T09:58:21Z DEBUG ca_show(u'ipa', rights=False, all=False, raw=False, version=u'2.212')
> 2016-08-25T09:58:21Z DEBUG raw: ca_is_enabled(version=u'2.212')
> 2016-08-25T09:58:21Z DEBUG ca_is_enabled(version=u'2.212')
> 2016-08-25T09:58:21Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 752, in run_script
>     return_value = main_function()
>
>   File "/sbin/ipa-ca-install", line 309, in main
>     promote(safe_options, options, filename)
>
>   File "/sbin/ipa-ca-install", line 279, in promote
>     install_master(safe_options, options)
>
>   File "/sbin/ipa-ca-install", line 232, in install_master
>     subject = api.Command.ca_show(IPA_CA_CN)['result']['ipacasubjectdn']
>
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
>     return self.__do_call(*args, **options)
>
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
>     ret = self.run(*args, **options)
>
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
>     return self.execute(*args, **options)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ca.py", line 144, in execute
>     ca_enabled_check()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 222, in ca_enabled_check
>     raise errors.NotFound(reason=_('CA is not configured'))
>
> 2016-08-25T09:58:21Z DEBUG The ipa-ca-install command failed, exception: NotFound: CA is not configured
>
> This is related to 3).

Bump.

-- 
Jan Cholasta

From freeipa-github-notification at redhat.com Fri Sep 23 06:46:36 2016
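The subject-base findings in 13) to 17) above come down to two checks: whether a given base is acceptable as written (the review asks for validation that accepts or rejects the string, not a normalization that alters it), and whether each issued certificate really ends in the configured base. The block below is an added example, not FreeIPA or Dogtag code, that does both: a small RFC 4514 DN parser that keeps spaces and escaped commas intact, a validator that rejects CN in the base, and a check over `getcert list` output that lists the subjects not under the base. VALID_SUBJECT_ATTRS is a hypothetical stand-in for the installer's list (the thread only says CN must not be in it), and SAMPLE_GETCERT is constructed after the listing quoted in 15).

```python
"""Added example (not FreeIPA or Dogtag code): validate a certificate subject
base by accepting or rejecting it as written, and check that issued certs carry
it.  VALID_SUBJECT_ATTRS and SAMPLE_GETCERT are assumptions (see comments)."""
import re

# Hypothetical allow-list; the review only says CN must not be in it.
VALID_SUBJECT_ATTRS = {'O', 'OU', 'C', 'ST', 'L', 'DC', 'STREET'}
_TYPE_RE = re.compile(r'\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)\s*=')
_HEX_RE = re.compile(r'[0-9A-Fa-f]{2}')
_SPECIAL = set(',+"\\<>;')


def parse_dn(dn):
    """Parse an RFC 4514 string DN into [(TYPE, value), ...], leftmost first.
    Backslash escapes (backslash-comma, hex pairs like backslash-2C) are honoured,
    so 'O=My Organization' keeps its space; multi-valued RDNs ('+') are rejected."""
    rdns, i, n = [], 0, len(dn)
    while True:
        m = _TYPE_RE.match(dn, i)
        if not m:
            raise ValueError('expected "type=" at offset %d in %r' % (i, dn))
        attr, i, chars = m.group(1).upper(), m.end(), []  # chars: (char, escaped)
        while i < n and dn[i] not in ',+':
            if dn[i] != '\\':
                chars.append((dn[i], False))
                i += 1
            elif _HEX_RE.match(dn, i + 1):                 # '\2C' -> ','
                chars.append((chr(int(dn[i + 1:i + 3], 16)), True))
                i += 3
            elif i + 1 < n:                                # '\,' -> ','
                chars.append((dn[i + 1], True))
                i += 2
            else:
                raise ValueError('dangling backslash in %r' % dn)
        while chars and chars[0] == (' ', False):          # unescaped padding only
            chars.pop(0)
        while chars and chars[-1] == (' ', False):
            chars.pop()
        if not chars:
            raise ValueError('empty value for %s in %r' % (attr, dn))
        rdns.append((attr, ''.join(c for c, _ in chars)))
        if i >= n:
            return rdns
        if dn[i] == '+':
            raise ValueError('multi-valued RDNs are not supported: %r' % dn)
        i += 1                                             # skip the ','


def escape_value(value):
    """Escape an attribute value for RFC 4514 string output."""
    out = ''.join('\\' + c if c in _SPECIAL else c for c in value)
    if out[:1] in (' ', '#'):
        out = '\\' + out
    return out[:-1] + '\\ ' if value.endswith(' ') else out


def validate_subject_base(subject_base):
    """Accept a subject base for the CA or raise ValueError saying why.
    The string is used exactly as given; nothing is rewritten."""
    rdns = parse_dn(subject_base)
    bad = sorted({t for t, _ in rdns if t not in VALID_SUBJECT_ATTRS})
    if bad:
        raise ValueError('subject base %r uses %s; accepted types: %s' % (
            subject_base, ', '.join(bad), ', '.join(sorted(VALID_SUBJECT_ATTRS))))
    return rdns


def expected_subject(cn, subject_base):
    """Subject DN a certificate for `cn` should receive under `subject_base`."""
    rdns = [('CN', cn)] + validate_subject_base(subject_base)
    return ','.join('%s=%s' % (t, escape_value(v)) for t, v in rdns)


def subjects_off_base(getcert_output, subject_base):
    """Subjects in 'getcert list' output not ending in subject_base (item 15)."""
    base = [(t, v.lower()) for t, v in validate_subject_base(subject_base)]
    wrong = []
    for line in getcert_output.splitlines():
        line = line.strip()
        if line.startswith('subject:'):
            subject = line[len('subject:'):].strip()
            rdns = [(t, v.lower()) for t, v in parse_dn(subject)]
            if len(rdns) <= len(base) or rdns[-len(base):] != base:
                wrong.append(subject)
    return wrong


# Constructed sample after the listing in 15), with --subject-base='O=Test'.
SAMPLE_GETCERT = """\
        subject: CN=CA Audit,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
        subject: CN=OCSP Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
        subject: CN=CA Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
        subject: CN=Certificate Authority,O=Test
        subject: CN=IPA RA,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
        subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=Test
"""

if __name__ == '__main__':
    print(expected_subject('host.example.com', 'O=My Organization'))
    print(subjects_off_base(SAMPLE_GETCERT, 'O=Test'))
```

Run as a script it prints the expected subject for a host under O=My Organization (space preserved, no truncation to O=My) and the four sample subjects that still carry the realm instead of O=Test; a base such as CN=Test or O=Test+OU=x is rejected with a message naming the accepted types rather than silently rewritten. Feeding it real `getcert list` output reproduces the check from 15) on a deployment.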
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Fri, 23 Sep 2016 08:46:36 +0200
Subject: [Freeipa-devel] [freeipa PR#109][opened] sudorule: add SELinux transition examples to plugin doc
Message-ID: 

   URL: https://github.com/freeipa/freeipa/pull/109
Author: frasertweedale
 Title: #109: sudorule: add SELinux transition examples to plugin doc
Action: opened

PR body:
"""
It is not obvious how to add SELinux type and role transitions to a Sudo
rule.  Update the 'sudorule' plugin documentation with examples of how to
do this.

Fixes: https://fedorahosted.org/freeipa/ticket/3461
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/109/head:pr109
git checkout pr109
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-109.patch
Type: text/x-diff
Size: 1061 bytes
Desc: not available
URL: 

From slaznick at redhat.com Fri Sep 23 07:01:25 2016
From: slaznick at redhat.com (Standa Laznicka)
Date: Fri, 23 Sep 2016 09:01:25 +0200
Subject: [Freeipa-devel] [PATCH 0060] Add --force-join option to ipa-replica-install
In-Reply-To: 
References: <84165298-500b-1638-f3b1-a6b20c8f9e63@redhat.com>
 <44b90a51-6b3c-03fd-86e0-b3c65f626a2a@redhat.com>
 <378fc422-9620-2b38-cb64-316e4de99e5e@redhat.com>
 <62dde92d-4978-ae47-abbc-354542ff44a2@redhat.com>
 <0873eb61-3504-d14d-cd72-a6b350b45c2b@redhat.com>
Message-ID: <1c48121d-4a23-a6dd-36b3-f27023404cb4@redhat.com>

On 09/23/2016 08:50 AM, Jan Cholasta wrote:
> On 25.8.2016 15:31, Martin Basti wrote:
>>
>>
>> On 10.08.2016 07:53, Stanislav Laznicka wrote:
>>> On 08/10/2016 07:31 AM, Jan Cholasta wrote:
>>>> On 9.8.2016 18:52, Petr Vobornik wrote:
>>>>> On 08/09/2016 04:18 PM, Martin Basti wrote:
>>>>>>
>>>>>>
>>>>>> On 09.08.2016 16:07, Stanislav Laznicka wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/6183
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Didn't we agree that --force-join should be always used (without
>>>>>> extra replica-install option)
>>>>>
>>>>> +1
>>>>
>>>> Did we?
>>>>
>>>> IMO the default behavior should be the same as in domain level 0 when
>>>> trying to install replica on an already enrolled host.
>>> That was my impression as well.
>>
>> OK then, I don't like to add mostly useless option, but client install
>> is broken by design so whatever.
>
> Bump, what is the status of this?
>
> FTR this is what happens on domain level 0 if the host is already
> enrolled:
>
> # ipa-replica-install replica-info-test.example.com.gpg
> WARNING: conflicting time&date synchronization service 'chronyd' will
> be disabled in favor of ntpd
>
> Directory Manager (existing master) password:
>
> The host test.example.com already exists on the master server.
> You should remove it before proceeding:
>   % ipa host-del test.example.com
> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
> ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
>
>
There's been no status change.

I think the problem here is more about client-install advertising the
--force-join option which does not exist for ipa-replica-install. I do
not think we can detect that exactly this error occurred during
client-install being run from replica-install (can we?) but we can add
this option and pass it to client-install if required.

From jcholast at redhat.com Fri Sep 23 07:19:14 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 23 Sep 2016 09:19:14 +0200
Subject: [Freeipa-devel] [PATCH 0060] Add --force-join option to ipa-replica-install
In-Reply-To: <1c48121d-4a23-a6dd-36b3-f27023404cb4@redhat.com>
References: <84165298-500b-1638-f3b1-a6b20c8f9e63@redhat.com>
 <44b90a51-6b3c-03fd-86e0-b3c65f626a2a@redhat.com>
 <378fc422-9620-2b38-cb64-316e4de99e5e@redhat.com>
 <62dde92d-4978-ae47-abbc-354542ff44a2@redhat.com>
 <0873eb61-3504-d14d-cd72-a6b350b45c2b@redhat.com>
 <1c48121d-4a23-a6dd-36b3-f27023404cb4@redhat.com>
Message-ID: 

On 23.9.2016 09:01, Standa Laznicka wrote:
> On 09/23/2016 08:50 AM, Jan Cholasta wrote:
>> On 25.8.2016 15:31, Martin Basti wrote:
>>>
>>>
>>> On 10.08.2016 07:53, Stanislav Laznicka wrote:
>>>> On 08/10/2016 07:31 AM, Jan Cholasta wrote:
>>>>> On 9.8.2016 18:52, Petr Vobornik wrote:
>>>>>> On 08/09/2016 04:18 PM, Martin Basti wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 09.08.2016 16:07, Stanislav Laznicka wrote:
>>>>>>>> https://fedorahosted.org/freeipa/ticket/6183
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Didn't we agree that --force-join should be always used (without
>>>>>>> extra replica-install option)
>>>>>>
>>>>>> +1
>>>>>
>>>>> Did we?
>>>>>
>>>>> IMO the default behavior should be the same as in domain level 0 when
>>>>> trying to install replica on an already enrolled host.
>>>> That was my impression as well.
>>>
>>> OK then, I don't like to add mostly useless option, but client install
>>> is broken by design so whatever.
>>
>> Bump, what is the status of this?
>>
>> FTR this is what happens on domain level 0 if the host is already
>> enrolled:
>>
>> # ipa-replica-install replica-info-test.example.com.gpg
>> WARNING: conflicting time&date synchronization service 'chronyd' will
>> be disabled in favor of ntpd
>>
>> Directory Manager (existing master) password:
>>
>> The host test.example.com already exists on the master server.
>> You should remove it before proceeding:
>>   % ipa host-del test.example.com
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>> ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>>
>>
> There's been no status change.
>
> I think the problem here is more about client-install advertising the
> --force-join option which does not exist for ipa-replica-install. I do
> not think we can detect that exactly this error occurred during
> client-install being run from replica-install (can we?) but we can add
> this option and pass it to client-install if required.

We could detect it before running ipa-client-install, but adding the
option to ipa-replica-install is easier, so IMO that's what we should do.

-- 
Jan Cholasta

From ftweedal at redhat.com Fri Sep 23 07:15:00 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 23 Sep 2016 17:15:00 +1000
Subject: [Freeipa-devel] [PATCH] 0091 Allow full customisability of CA subject name
In-Reply-To: <7e1776b6-cb72-4fa5-07a1-531c91feb051@redhat.com>
References: <20160715050539.GF10771@dhcp-40-8.bne.redhat.com>
 <83eb61a6-4e1f-d33a-1bbb-dacf8de522af@redhat.com>
 <20160719095445.GU10771@dhcp-40-8.bne.redhat.com>
 <4f7384ee-e648-2adb-3c86-26e297ede481@redhat.com>
 <63eec8fe-b64d-00db-f516-ccff6e8220a5@redhat.com>
 <20160815125425.GM23927@dhcp-40-8.bne.redhat.com>
 <20160819100933.GM3877@dhcp-40-8.bne.redhat.com>
 <20160822050057.GV3877@dhcp-40-8.bne.redhat.com>
 <6c5080d5-f0fa-655d-71de-e2a8f474ffa6@redhat.com>
 <7e1776b6-cb72-4fa5-07a1-531c91feb051@redhat.com>
Message-ID: <20160923071500.GD11489@dhcp-40-8.bne.redhat.com>

On Fri, Sep 23, 2016 at 08:51:02AM +0200, Jan Cholasta wrote:
> On 25.8.2016 12:08, Jan Cholasta wrote:
> > On 22.8.2016 07:00, Fraser Tweedale wrote:
> > > On Fri, Aug 19, 2016 at 08:09:33PM +1000, Fraser Tweedale wrote:
> > > > On Mon, Aug 15, 2016 at 10:54:25PM +1000, Fraser Tweedale wrote:
> > > > > On Mon, Aug 15, 2016 at 02:08:54PM +0200, Jan Cholasta wrote:
> > > > > > On 19.7.2016 12:05, Jan Cholasta wrote:
> > > > > > > On 19.7.2016 11:54, Fraser Tweedale wrote:
> > > > > > > > On Tue, Jul 19, 2016 at 09:36:17AM +0200, Jan Cholasta wrote:
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > On 15.7.2016 07:05, Fraser Tweedale wrote:
> > > > > > > > > > On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote:
> > > > > > > > > > > The attached patch is a work in progress for
> > > > > > > > > > > https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).
> > > > > > > > > > >
> > > > > > > > > > > I am sharing now to make the approach clear and solicit feedback.
> > > > > > > > > > >
> > > > > > > > > > > It has been tested for server install, replica install (with and
> > > > > > > > > > > without CA) and CA-replica install (all hosts running
> > > > > > > > > > > master+patch).
> > > > > > > > > > >
> > > > > > > > > > > Migration from earlier versions and server/replica/CA install on a
> > > > > > > > > > > CA-less deployment are not yet tested; these will be tested over
> > > > > > > > > > > coming days and patch will be tweaked as necessary.
> > > > > > > > > > >
> > > > > > > > > > > Commit message has a fair bit to say so I won't repeat here but let
> > > > > > > > > > > me know your questions and comments.
> > > > > > > > > > >
> > > > > > > > > > > Thanks,
> > > > > > > > > > > Fraser
> > > > > > > > > > >
> > > > > > > > > > It does help to attach the patch, of course ^_^
> > > > > > > > >
> > > > > > > > > IMO explicit is better than implicit, so instead of introducing
> > > > > > > > > additional magic around --subject, I would rather add a new separate
> > > > > > > > > option for specifying the CA subject name (I think --ca-subject, for
> > > > > > > > > consistency with --ca-signing-algorithm).
> > > > > > > > >
> > > > > > > > The current situation - the --subject argument, which specifies not
> > > > > > > > the subject but the subject base - is confusing enough (to say
> > > > > > > > nothing of the limitations that give rise to the RFE).
> > > > > > > >
> > > > > > > > Retaining --subject for specifying the subject base and adding
> > > > > > > > --ca-subject for specifying the *actual* subject DN gets us over the
> > > > > > > > line in terms of the RFE, but does not make the installer less
> > > > > > > > confusing.  This is why I made --subject accept the full subject DN,
> > > > > > > > with provisions to retain existing behaviour.
> > > > > > > >
> > > > > > > > IMO if we want to have separate arguments for subject DN and subject
> > > > > > > > base (I am not against it), let's bite the bullet and name arguments
> > > > > > > > accordingly.  --subject should be used to specify full Subject DN,
> > > > > > > > --subject-base (or similar) for specifying subject base.
> > > > > > >
> > > > > > > IMHO --ca-subject is better than --subject, because it is more explicit
> > > > > > > whose subject name that is (the CA's). I agree that --subject should be
> > > > > > > deprecated and replaced with --subject-base.
> > > > > > >
> > > > > > > >
> > > > > > > > (I intentionally defer discussion of specific behaviour if one, none
> > > > > > > > or both are specified; let's resolve the question of renaming /
> > > > > > > > changing meaning of arguments first).
> > > > > > > >
> > > > > > > >
> > > > > > > > > By specifying the option you would override the default "CN=Certificate
> > > > > > > > > Authority,$SUBJECT_BASE" subject name. If --external-ca was not used,
> > > > > > > > > additional validation would be done to make sure the subject name meets
> > > > > > > > > Dogtag's expectations. Actually, it might make sense to always do the
> > > > > > > > > additional validation, to be able to print a warning that if a
> > > > > > > > > Dogtag-incompatible subject name is used, it won't be possible to change
> > > > > > > > > the CA cert chaining from externally signed to self-signed later.
> > > > > >
> > > > > > Bump, any update on this?
> > > > > >
> > > > > I have an updated patch that fixes some issues Sebastian encountered
> > > > > in testing, but I've not yet tackled the main change requested by
> > > > > Honza (in brief: adding --ca-subject for specifying that, adding
> > > > > --subject-base for specifying that, and deprecating --subject;
> > > > > Sebastian, see discussion above and feel free to give your
> > > > > thoughts).  I expect I'll get back onto this work within the next
> > > > > few days.
> > > > >
> > > > Update: I've got an updated version of the patch almost ready for
> > > > review, but I'm still ironing out some wrinkles in replica
> > > > installation.
> > > >
> > > > Expect to be able to send it Monday or Tuesday for review.
> > > >
> > > Updated patch attached.
> > >
> > > I expect it will take a while to review, test and get the ACK, but
> > > in any case: IMO it should not be merged until after ipa-4-4 branch
> > > gets created.
> >
> > 1) Please fix these:
> >
> > $ git show -U0 | pep8 --diff
> > ./ipaserver/install/cainstance.py:508:13: E128 continuation line under-indented for visual indent
> > ./ipaserver/install/dsinstance.py:259:5: E303 too many blank lines (2)
> > ./ipaserver/install/installutils.py:999:1: E302 expected 2 blank lines, found 1
> > ./ipaserver/install/server/common.py:161:80: E501 line too long (101 > 79 characters)
> > ./ipaserver/install/server/replicainstall.py:93:80: E501 line too long (82 > 79 characters)
> > ./ipaserver/install/server/replicainstall.py:604:80: E501 line too long (81 > 79 characters)
> >
> >
> > 2) Please put 3rd party library (such as six) imports between standard
> > library imports and ipa imports.
> >
> >
> > 3) ipa-ca-install should also have the --subject-base and --ca-subject
> > options.
> >
> >
> > 4) Please use the original method of getting the configured subject base
> > from ipacertificatesubjectbase of the config object rather than
> > DSInstance.find_subject_base(), which is horrendous and should in fact
> > be obliterated (not necessarily in this patch).
> >
> >
> > 5) You can use "unicode(x509.get_subject(cert))" to get subject name of
> > a cert instead of "unicode(x509.load_certificate(cert).subject)".
> >
> >
> > 6) For every removed "options.subject = ..." there should be a
> > "options.subject_base ..." added.
> >
> >
> > 7) The subject base read from replica config should be respected, i.e.
> > this bit in ipa-ca-install should stay:
> >
> > - if config.subject_base is None:
> > - attrs = conn.get_ipa_config()
> > - config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
> >
> > Also I would move the rest of the "look up CA subject name" to between
> > options.ca_cert_file assignment and ca.install_check() call:
> >
> > else:
> > options.ca_cert_file = None
> >
> > + # look up CA subject name (needed for DS certmap.conf)
> > + ipa_ca_nickname = get_ca_nickname(config.realm_name)
> > + db = certs.CertDB(config.realm_name, nssdir=paths.IPA_NSSDB_DIR)
> > + cert = db.get_cert_from_db(ipa_ca_nickname)
> > + options.ca_subject = unicode(x509.load_certificate(cert).subject)
> > +
> > ca.install_check(True, config, options)
> > if options.promote:
> > ca_data = (os.path.join(config.dir, 'cacert.p12'),
> >
> >
> > 8) I think we should remove --subject from ipa-server-install man page
> > altogether.
> >
> >
> > 9) I don't like that the default values are set in multiple places
> > (CAInstance.configure_instance(), CAInstance.configure_replica(),
> > KRAInstance.configure_instance(), KRAInstance.configure_replica(),
> > ipa-server-install). The defaults should be handled in one place - ca.py
> > - and the values (read from configuration or specified by user or
> > default) should be passed through arguments to CAInstance/KRAInstance.
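Review bot: the block proposed for relocation in 7) loads the IPA CA certificate from the NSS database and passes it straight to x509.load_certificate() with no check that the certificate exists; on a CA-less replica the same lookup in replicainstall.py is what 18) shows failing (certutil reports "Could not find cert: ... IPA CA" and load_certificate() then raises SEC_ERROR_LIBRARY_FAILURE at the `options.ca_subject = unicode(x509.load_certificate(cert).subject)` line), so the lookup should be skipped when no CA is configured or should check the result of db.get_cert_from_db() before loading it. While moving it, use unicode(x509.get_subject(cert)) as 5) asks instead of unicode(x509.load_certificate(cert).subject).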
> >
> >
> > 10) Nitpick, but the ca_subject_dn argument of CertDB() would be better
> > called just ca_subject and be located after subject_base, for
> > consistency with the rest of the patch.
> >
> > Maybe also rename the subject argument of the various CAInstance and
> > KRAInstance methods to ca_subject?
> >
> >
> > 11) I see that there was some code which ignored the configured subject
> > base. I think the fixes for that should be moved into a separate patch
> > and maybe even a separate ticket.
> >
> >
> > 12) The proper way to rename a Knob and keep the old name is to put the
> > old name in cli_aliases of the renamed Knob rather than add a new Knob,
> > like this:
> >
> >     subject_base = Knob(
> >         str, None,
> >         description="The certificate subject base (default O=)",
> >         cli_aliases=['subject'],
> >     )
> >
> > This way you wouldn't be able to issue a warning when --subject is used,
> > but that's OK, as we don't do it for any other renamed options either.
> >
> >
> > 13) AFAIK CN is in fact not valid in a subject base, so it should not be
> > added to VALID_SUBJECT_ATTRS.
> >
> >
> > 14) NACK on the normalization stuff. It's not really normalization if
> > the original value is not equal to the normalized value. Instead of this
> > you should validate if the provided subject name is suitable for Dogtag
> > and if it isn't, fail and inform the user what the acceptable format is.
> >
> >
> > 15) Subject base setting is not respected for most of our certs. This is
> > with --subject-base='O=Test':
> >
> > $ sudo getcert list | grep subject
> >         subject: CN=CA Audit,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> >         subject: CN=OCSP Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> >         subject: CN=CA Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> >         subject: CN=Certificate Authority,O=Test
> >         subject: CN=IPA RA,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> >         subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> >         subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=Test
> >         subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=Test
> >
> > This is most likely because of 5) and 8) combined.
> >
> >
> > 16) Spaces do not work. This is with --subject-base='O=My Organization':
> >
> > $ ipa config-show | grep 'Subject base'
> >   Certificate Subject base: O=My
> >
> > $ sudo getcert list | grep 'subject'
> >         subject: CN=CA Audit,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> >         subject: CN=OCSP Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> >         subject: CN=CA Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> >         subject: CN=Certificate Authority,O=My
> >         subject: CN=IPA RA,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> >         subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> >         subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=My
> >         subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=My
> >
> > I blame the normalization. See also 13).
> >
> >
> > 17) CN in subject base does not work. This is with
> > --subject-base='CN=Test':
> >
> > $ sudo getcert list | grep subject
> >         subject: CN=CA Audit,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> >         subject: CN=OCSP Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> >         subject: CN=CA Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> >         subject: CN=Certificate Authority,CN=Test
> >         subject: CN=IPA RA,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> >         subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> >         subject: CN=Test,CN=Test
> >         subject: CN=Test,CN=Test
> >
> > See 12).
> >
> >
> > 18) In CA-less topology, ipa-replica-install fails:
> >
> > 2016-08-25T09:54:09Z DEBUG Starting external process
> > 2016-08-25T09:54:09Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a
> > 2016-08-25T09:54:09Z DEBUG Process finished, return code=255
> > 2016-08-25T09:54:09Z DEBUG stdout=
> > 2016-08-25T09:54:09Z DEBUG stderr=certutil: Could not find cert: ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA
> > : PR_FILE_NOT_FOUND_ERROR: File not found
> >
> > 2016-08-25T09:54:09Z DEBUG Destroyed connection context.ldap2_140045224192976
> > 2016-08-25T09:54:09Z DEBUG Starting external process
> > 2016-08-25T09:54:09Z DEBUG args=/usr/sbin/ipa-client-install --unattended --uninstall
> > 2016-08-25T09:54:18Z DEBUG Process finished, return code=0
> > 2016-08-25T09:54:18Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
> >     return_value = self.run()
> > ----8<------
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
> >     promote_check(self)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 364, in decorated
> >     func(installer)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
> >     func(installer)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1266, in promote_check
> >     options.ca_subject = unicode(x509.load_certificate(cert).subject)
> >   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
> >     return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin
> >
> > 2016-08-25T09:54:18Z DEBUG The ipa-replica-install command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> > 2016-08-25T09:54:18Z ERROR (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> > 2016-08-25T09:54:18Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
> >
> >
> > 19) In CA-less topology, ipa-ca-install fails:
> >
> > 2016-08-25T09:58:21Z DEBUG raw: ca_show(u'ipa', version=u'2.212')
> > 2016-08-25T09:58:21Z DEBUG ca_show(u'ipa', rights=False, all=False, raw=False, version=u'2.212')
> > 2016-08-25T09:58:21Z DEBUG raw: ca_is_enabled(version=u'2.212')
> > 2016-08-25T09:58:21Z DEBUG ca_is_enabled(version=u'2.212')
> > 2016-08-25T09:58:21Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 752, in run_script
> >     return_value = main_function()
> >
> >   File "/sbin/ipa-ca-install", line 309, in main
> >     promote(safe_options, options, filename)
> >
> >   File "/sbin/ipa-ca-install", line 279, in promote
> >     install_master(safe_options, options)
> >
> >   File "/sbin/ipa-ca-install", line 232, in install_master
> >     subject = api.Command.ca_show(IPA_CA_CN)['result']['ipacasubjectdn']
> >
> >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
> >     return self.__do_call(*args, **options)
> >
> >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
> >     ret = self.run(*args, **options)
> >
> >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
> >     return self.execute(*args, **options)
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ca.py", line 144, in execute
> >     ca_enabled_check()
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 222, in ca_enabled_check
> >     raise errors.NotFound(reason=_('CA is not configured'))
> >
> > 2016-08-25T09:58:21Z DEBUG The ipa-ca-install command failed, exception: NotFound: CA is not configured
> >
> > This is related to 3).
>
> Bump.
>
I expect (hope...) to have cycles to push this forward after my PTO
next week.  Thanks for your comprehensive initial review; there is
plenty of work still to do :)

Cheers,
Fraser

From jcholast at redhat.com Fri Sep 23 07:28:21 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 23 Sep 2016 09:28:21 +0200 Subject: [Freeipa-devel] [PATCH] 0091 Allow full customisability of CA subject name In-Reply-To: <20160923071500.GD11489@dhcp-40-8.bne.redhat.com> References: <20160715050539.GF10771@dhcp-40-8.bne.redhat.com> <83eb61a6-4e1f-d33a-1bbb-dacf8de522af@redhat.com> <20160719095445.GU10771@dhcp-40-8.bne.redhat.com> <4f7384ee-e648-2adb-3c86-26e297ede481@redhat.com> <63eec8fe-b64d-00db-f516-ccff6e8220a5@redhat.com> <20160815125425.GM23927@dhcp-40-8.bne.redhat.com> <20160819100933.GM3877@dhcp-40-8.bne.redhat.com> <20160822050057.GV3877@dhcp-40-8.bne.redhat.com> <6c5080d5-f0fa-655d-71de-e2a8f474ffa6@redhat.com> <7e1776b6-cb72-4fa5-07a1-531c91feb051@redhat.com> <20160923071500.GD11489@dhcp-40-8.bne.redhat.com> Message-ID: On 23.9.2016 09:15, Fraser Tweedale wrote: > On Fri, Sep 23, 2016 at 08:51:02AM +0200, Jan Cholasta wrote: >> On 25.8.2016 12:08, Jan Cholasta wrote: >>> On 22.8.2016 07:00, Fraser Tweedale wrote: >>>> On Fri, Aug 19, 2016 at 08:09:33PM +1000, Fraser Tweedale wrote: >>>>> On Mon, Aug 15, 2016 at 10:54:25PM +1000, Fraser Tweedale wrote: >>>>>> On Mon, Aug 15, 2016 at 02:08:54PM +0200, Jan Cholasta wrote: >>>>>>> On 19.7.2016 12:05, Jan Cholasta wrote: >>>>>>>> On 19.7.2016 11:54, Fraser Tweedale wrote: >>>>>>>>> On Tue, Jul 19, 2016 at 09:36:17AM +0200, Jan Cholasta wrote: >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> On 15.7.2016 07:05, Fraser Tweedale wrote: >>>>>>>>>>> On Fri, Jul 15, 2016 at 03:04:48PM +1000, Fraser Tweedale wrote: >>>>>>>>>>>> The attached patch is a work in progress for >>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866). >>>>>>>>>>>> >>>>>>>>>>>> I am sharing now to make the approach clear and solicit feedback. >>>>>>>>>>>> >>>>>>>>>>>> It has been tested for server install, replica install (with and >>>>>>>>>>>> without CA) and CA-replica install (all hosts running >>>>>>>>>>>> master+patch). 
>>>>>>>>>>>> >>>>>>>>>>>> Migration from earlier versions and server/replica/CA install >>>>>>>>>>>> on a >>>>>>>>>>>> CA-less deployment are not yet tested; these will be tested over >>>>>>>>>>>> coming days and patch will be tweaked as necessary. >>>>>>>>>>>> >>>>>>>>>>>> Commit message has a fair bit to say so I won't repeat here >>>>>>>>>>>> but let >>>>>>>>>>>> me know your questions and comments. >>>>>>>>>>>> >>>>>>>>>>>> Thanks, >>>>>>>>>>>> Fraser >>>>>>>>>>>> >>>>>>>>>>> It does help to attach the patch, of course ^_^ >>>>>>>>>> >>>>>>>>>> IMO explicit is better than implicit, so instead of introducing >>>>>>>>>> additional >>>>>>>>>> magic around --subject, I would rather add a new separate option >>>>>>>>>> for >>>>>>>>>> specifying the CA subject name (I think --ca-subject, for >>>>>>>>>> consistency >>>>>>>>>> with >>>>>>>>>> --ca-signing-algorithm). >>>>>>>>>> >>>>>>>>> The current situation - the --subject argument which specifies the >>>>>>>>> not the subject but the subject base, is confusing enough (to say >>>>>>>>> nothing of the limitations that give rise to the RFE). >>>>>>>>> >>>>>>>>> Retaining --subject for specifying the subject base and adding >>>>>>>>> --ca-subject for specifying the *actual* subject DN gets us over the >>>>>>>>> line in terms of the RFE, but does not make the installer less >>>>>>>>> confusing. This is why I made --subject accept the full subject DN, >>>>>>>>> with provisions to retain existing behaviour. >>>>>>>>> >>>>>>>>> IMO if we want to have separate arguments for subject DN and subject >>>>>>>>> base (I am not against it), let's bite the bullet and name arguments >>>>>>>>> accordingly. --subject should be used to specify full Subject DN, >>>>>>>>> --subject-base (or similar) for specifying subject base. >>>>>>>> >>>>>>>> IMHO --ca-subject is better than --subject, because it is more >>>>>>>> explicit >>>>>>>> whose subject name that is (the CA's). 
I agree that --subject >>>>>>>> should be >>>>>>>> deprecated and replaced with --subject-base. >>>>>>>> >>>>>>>>> >>>>>>>>> (I intentionally defer discussion of specific behaviour if one, none >>>>>>>>> or both are specified; let's resolve the question or renaming / >>>>>>>>> changing meaning of arguments first). >>>>>>>>> >>>>>>>>> >>>>>>>>>> By specifying the option you would override the default >>>>>>>>>> "CN=Certificate >>>>>>>>>> Authority,$SUBJECT_BASE" subject name. If --external-ca was not >>>>>>>>>> used, >>>>>>>>>> additional validation would be done to make sure the subject >>>>>>>>>> name meets >>>>>>>>>> Dogtag's expectations. Actually, it might make sense to always >>>>>>>>>> do the >>>>>>>>>> additional validation, to be able to print a warning that if a >>>>>>>>>> Dogtag-incompatible subject name is used, it won't be possible to >>>>>>>>>> change the >>>>>>>>>> CA cert chaining from externally signed to self-signed later. >>>>>>>>>> >>>>>>>>>> Honza >>>>>>> >>>>>>> Bump, any update on this? >>>>>>> >>>>>> I have an updated patch that fixes some issues Sebastian encountered >>>>>> in testing, but I've not yet tackled the main change requested by >>>>>> Honza (in brief: adding --ca-subject for specifying that, adding >>>>>> --subject-base for specifying that, and deprecating --subject; >>>>>> Sebastian, see discussion above and feel free to give your >>>>>> thoughts). I expect I'll get back onto this work within the next >>>>>> few days. >>>>>> >>>>> Update: I've got an updated version of patch almost ready for >>>>> review, but I'm still ironing out some wrinkles in replica >>>>> installation. >>>>> >>>>> Expect to be able to send it Monday or Tuesday for review. >>>>> >>>> Updated patch attached. >>>> >>>> I expect it will take a while to review, test and get the ACK, but >>>> in any case: IMO it should not be merged until after ipa-4-4 branch >>>> gets created. 
>>>
>>> 1) Please fix these:
>>>
>>> $ git show -U0 | pep8 --diff
>>> ./ipaserver/install/cainstance.py:508:13: E128 continuation line under-indented for visual indent
>>> ./ipaserver/install/dsinstance.py:259:5: E303 too many blank lines (2)
>>> ./ipaserver/install/installutils.py:999:1: E302 expected 2 blank lines, found 1
>>> ./ipaserver/install/server/common.py:161:80: E501 line too long (101 > 79 characters)
>>> ./ipaserver/install/server/replicainstall.py:93:80: E501 line too long (82 > 79 characters)
>>> ./ipaserver/install/server/replicainstall.py:604:80: E501 line too long (81 > 79 characters)
>>>
>>> 2) Please put 3rd party library (such as six) imports between standard library imports and ipa imports.
>>>
>>> 3) ipa-ca-install should also have the --subject-base and --ca-subject options.
>>>
>>> 4) Please use the original method of getting the configured subject base from ipacertificatesubjectbase of the config object rather than DSInstance.find_subject_base(), which is horrendous and should in fact be obliterated (not necessarily in this patch).
>>>
>>> 5) You can use "unicode(x509.get_subject(cert))" to get subject name of a cert instead of "unicode(x509.load_certificate(cert).subject)".
>>>
>>> 6) For every removed "options.subject = ..." there should be a "options.subject_base ..." added.
>>>
>>> 7) The subject base read from replica config should be respected, i.e.
>>> this bit in ipa-ca-install should stay:
>>>
>>> - if config.subject_base is None:
>>> - attrs = conn.get_ipa_config()
>>> - config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
>>>
>>> Also I would move the rest of the "look up CA subject name" to between options.ca_cert_file assignment and ca.install_check() call:
>>>
>>> else:
>>> options.ca_cert_file = None
>>>
>>> + # look up CA subject name (needed for DS certmap.conf)
>>> + ipa_ca_nickname = get_ca_nickname(config.realm_name)
>>> + db = certs.CertDB(config.realm_name, nssdir=paths.IPA_NSSDB_DIR)
>>> + cert = db.get_cert_from_db(ipa_ca_nickname)
>>> + options.ca_subject = unicode(x509.load_certificate(cert).subject)
>>> +
>>> ca.install_check(True, config, options)
>>> if options.promote:
>>> ca_data = (os.path.join(config.dir, 'cacert.p12'),
>>>
>>> 8) I think we should remove --subject from ipa-server-install man page altogether.
>>>
>>> 9) I don't like that the default values are set in multiple places (CAInstance.configure_instance(), CAInstance.configure_replica(), KRAInstance.configure_instance(), KRAInstance.configure_replica(), ipa-server-install). The defaults should be handled in one place - ca.py - and the values (read from configuration or specified by user or default) should be passed through arguments to CAInstance/KRAInstance.
>>>
>>> 10) Nitpick, but the ca_subject_dn argument of CertDB() would be better called just ca_subject and be located after subject_base, for consistency with the rest of the patch.
>>>
>>> Maybe also rename the subject argument of the various CAInstance and KRAInstance methods to ca_subject?
>>>
>>> 11) I see that there was some code which ignored the configured subject base. I think the fixes for that should be moved into a separate patch and maybe even a separate ticket.
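Review bot: the moved "look up CA subject name" block has no guard for a missing CA certificate: the result of "+ cert = db.get_cert_from_db(ipa_ca_nickname)" goes straight into "+ options.ca_subject = unicode(x509.load_certificate(cert).subject)", and on a CA-less replica the "IPA CA" nickname is not in the NSS database, so the installer crashes instead of failing cleanly (this is the exact line in the traceback under point 18, where certutil reports "Could not find cert" and NSS then raises SEC_ERROR_LIBRARY_FAILURE). Run the lookup only when a CA is actually present, or check the lookup result before decoding it, and per point 5 use unicode(x509.get_subject(cert)) rather than loading the whole certificate.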
>>>
>>> 12) The proper way to rename a Knob and keep the old name is to put the old name in cli_aliases of the renamed Knob rather than add a new Knob, like this:
>>>
>>>     subject_base = Knob(
>>>         str, None,
>>>         description="The certificate subject base (default O=)",
>>>         cli_aliases=['subject'],
>>>     )
>>>
>>> This way you wouldn't be able to issue a warning when --subject is used, but that's OK, as we don't do it for any other renamed options too.
>>>
>>> 13) AFAIK CN is in fact not valid in a subject base, so it should not be added to VALID_SUBJECT_ATTRS.
>>>
>>> 14) NACK on the normalization stuff. It's not really normalization if the original value is not equal to the normalized value. Instead of this you should validate if the provided subject name is suitable for Dogtag and if it isn't, fail and inform the user what the acceptable format is.
>>>
>>> 15) Subject base setting is not respected for most of our certs. This is with --subject-base='O=Test':
>>>
>>> $ sudo getcert list | grep subject
>>> subject: CN=CA Audit,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>> subject: CN=OCSP Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>> subject: CN=CA Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>> subject: CN=Certificate Authority,O=Test
>>> subject: CN=IPA RA,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>> subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>> subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=Test
>>> subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=Test
>>>
>>> This is most likely because of 5) and 8) combined.
>>>
>>> 16) Spaces do not work.
>>> This is with --subject-base='O=My Organization':
>>>
>>> $ ipa config-show | grep 'Subject base'
>>>   Certificate Subject base: O=My
>>>
>>> $ sudo getcert list | grep 'subject'
>>> subject: CN=CA Audit,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>> subject: CN=OCSP Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>> subject: CN=CA Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>> subject: CN=Certificate Authority,O=My
>>> subject: CN=IPA RA,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>> subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>> subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=My
>>> subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=My
>>>
>>> I blame the normalization. See also 13).
>>>
>>> 17) CN in subject base does not work. This is with --subject-base='CN=Test':
>>>
>>> $ sudo getcert list | grep subject
>>> subject: CN=CA Audit,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>> subject: CN=OCSP Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>> subject: CN=CA Subsystem,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>> subject: CN=Certificate Authority,CN=Test
>>> subject: CN=IPA RA,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>> subject: CN=vm-058-193.abc.idm.lab.eng.brq.redhat.com,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>>> subject: CN=Test,CN=Test
>>> subject: CN=Test,CN=Test
>>>
>>> See 12).
>>>
>>> 18) In CA-less topology, ipa-replica-install fails:
>>>
>>> 2016-08-25T09:54:09Z DEBUG Starting external process
>>> 2016-08-25T09:54:09Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a
>>> 2016-08-25T09:54:09Z DEBUG Process finished, return code=255
>>> 2016-08-25T09:54:09Z DEBUG stdout=
>>> 2016-08-25T09:54:09Z DEBUG stderr=certutil: Could not find cert: ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA
>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>
>>> 2016-08-25T09:54:09Z DEBUG Destroyed connection context.ldap2_140045224192976
>>> 2016-08-25T09:54:09Z DEBUG Starting external process
>>> 2016-08-25T09:54:09Z DEBUG args=/usr/sbin/ipa-client-install --unattended --uninstall
>>> 2016-08-25T09:54:18Z DEBUG Process finished, return code=0
>>> 2016-08-25T09:54:18Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>     return_value = self.run()
>>> ----8<------
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
>>>     promote_check(self)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 364, in decorated
>>>     func(installer)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
>>>     func(installer)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1266, in promote_check
>>>     options.ca_subject = unicode(x509.load_certificate(cert).subject)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
>>>     return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin
>>>
>>> 2016-08-25T09:54:18Z DEBUG The ipa-replica-install command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>> 2016-08-25T09:54:18Z ERROR (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>> 2016-08-25T09:54:18Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>>
>>> 19) In CA-less topology, ipa-ca-install fails:
>>>
>>> 2016-08-25T09:58:21Z DEBUG raw: ca_show(u'ipa', version=u'2.212')
>>> 2016-08-25T09:58:21Z DEBUG ca_show(u'ipa', rights=False, all=False, raw=False, version=u'2.212')
>>> 2016-08-25T09:58:21Z DEBUG raw: ca_is_enabled(version=u'2.212')
>>> 2016-08-25T09:58:21Z DEBUG ca_is_enabled(version=u'2.212')
>>> 2016-08-25T09:58:21Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 752, in run_script
>>>     return_value = main_function()
>>>
>>>   File "/sbin/ipa-ca-install", line 309, in main
>>>     promote(safe_options, options, filename)
>>>
>>>   File "/sbin/ipa-ca-install", line 279, in promote
>>>     install_master(safe_options, options)
>>>
>>>   File "/sbin/ipa-ca-install", line 232, in install_master
>>>     subject = api.Command.ca_show(IPA_CA_CN)['result']['ipacasubjectdn']
>>>
>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
>>>     return self.__do_call(*args, **options)
>>>
>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
>>>     ret = self.run(*args, **options)
>>>
>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
>>>     return self.execute(*args, **options)
>>>
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ca.py", line 144, in execute
>>>     ca_enabled_check()
>>>
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 222, in ca_enabled_check
>>>     raise errors.NotFound(reason=_('CA is not configured'))
>>>
>>> 2016-08-25T09:58:21Z DEBUG The ipa-ca-install command failed, exception: NotFound: CA is not configured
>>>
>>> This is related to 3).
>>
>> Bump.
>>
> I expect (hope...)
> to have cycles to push this forward after my PTO next week.

OK.

> Thanks for your comprehensive initial review; there is plenty of work still to do :)

Right :-)

BTW could you please split the patch into separate "rename --subject to --subject-base" and "add --ca-subject" parts?

-- 
Jan Cholasta

From freeipa-github-notification at redhat.com Fri Sep 23 07:24:00 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 23 Sep 2016 09:24:00 +0200
Subject: [Freeipa-devel] [freeipa PR#106][+pushed] Pylint: enable additional checks
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/106
Title: #106: Pylint: enable additional checks
Label: +pushed

From freeipa-github-notification at redhat.com Fri Sep 23 07:24:02 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 23 Sep 2016 09:24:02 +0200
Subject: [Freeipa-devel] [freeipa PR#106][closed] Pylint: enable additional checks
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/106
Author: mbasti-rh
Title: #106: Pylint: enable additional checks
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/106/head:pr106
git checkout pr106

From freeipa-github-notification at redhat.com Fri Sep 23 07:24:04 2016
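The subject-base handling reviewed above (points 13, 14, 16 and 17) in a stand-alone form, as an added example that is not FreeIPA code: a DN splitter that keeps spaces and escaped commas intact, a validator that refuses attribute types outside an allow-list (CN included) and fails loudly instead of "normalizing", the default CA subject derived as "CN=Certificate Authority,$SUBJECT_BASE", and the "ends with the subject base" check the certs in point 15 should satisfy. VALID_SUBJECT_BASE_ATTRS and every function name here are this example's own assumptions, not FreeIPA's VALID_SUBJECT_ATTRS or installer API.

```python
"""Constructed example (not FreeIPA code): subject base parsing, validation
and default CA subject derivation, following the review points above."""
import re

# Assumed allow-list for this example, not FreeIPA's VALID_SUBJECT_ATTRS.
# CN is deliberately absent: it is not valid in a subject base (point 13).
VALID_SUBJECT_BASE_ATTRS = frozenset({"O", "OU", "C", "ST", "L", "DC"})

# Default CA common name the thread refers to.
DEFAULT_CA_CN = "Certificate Authority"

# Attribute types are short names or dotted OIDs (RFC 4514).
_ATTR_TYPE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)$")


class SubjectError(ValueError):
    """Raised when a subject base or subject DN is not acceptable."""


def split_rdns(dn):
    """Split a DN string on unescaped commas, preserving escaped commas and
    every space inside a value ('O=My Organization' stays whole, unlike the
    truncation to 'O=My' seen in point 16)."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def parse_dn(dn):
    """Return [(ATTR, value), ...] with attribute types upper-cased."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not value or not _ATTR_TYPE_RE.match(attr):
            raise SubjectError("malformed RDN %r in %r" % (rdn, dn))
        rdns.append((attr.upper(), value))
    return rdns


def validate_subject_base(subject_base):
    """Fail with an explicit message (point 14) rather than silently rewrite."""
    rdns = parse_dn(subject_base)
    bad = [attr for attr, _value in rdns if attr not in VALID_SUBJECT_BASE_ATTRS]
    if bad:
        raise SubjectError(
            "attribute type(s) %s not allowed in subject base; use only %s"
            % (", ".join(bad), ", ".join(sorted(VALID_SUBJECT_BASE_ATTRS))))
    return rdns


def is_valid_subject_base(subject_base):
    """Boolean wrapper around validate_subject_base()."""
    try:
        validate_subject_base(subject_base)
    except SubjectError:
        return False
    return True


def default_ca_subject(subject_base):
    """Default CA subject when no --ca-subject is given:
    'CN=Certificate Authority,$SUBJECT_BASE'."""
    validate_subject_base(subject_base)
    return "CN=%s,%s" % (DEFAULT_CA_CN, subject_base)


def subject_uses_base(subject, subject_base):
    """True when a service or host certificate subject ends with the
    configured subject base, the property point 15 shows being violated
    (e.g. 'CN=IPA RA,O=ABC...' issued under --subject-base='O=Test')."""
    base = parse_dn(subject_base)
    rdns = parse_dn(subject)
    return len(rdns) > len(base) and rdns[-len(base):] == base


if __name__ == "__main__":
    for candidate in ("O=Test", "O=My Organization", "CN=Test"):
        if is_valid_subject_base(candidate):
            print(candidate, "->", default_ca_subject(candidate))
        else:
            print(candidate, "-> rejected")
```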
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 23 Sep 2016 09:24:04 +0200 Subject: [Freeipa-devel] [freeipa PR#106][comment] Pylint: enable additional checks In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/106 Title: #106: Pylint: enable additional checks mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/4d7d53c9664c9e68d7c6cda1a65cae7551423df7 https://fedorahosted.org/freeipa/changeset/9b68d2a1f858854bc3cf2d6024f3fd3d79c2f696 """ See the full comment at https://github.com/freeipa/freeipa/pull/106#issuecomment-249121222 From jhrozek at redhat.com Fri Sep 23 07:54:22 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 23 Sep 2016 09:54:22 +0200 Subject: [Freeipa-devel] FedoraHosted.org sunset In-Reply-To: <7c333c64-919b-9cdf-f5c9-3f48f89710ec@redhat.com> References: <7c333c64-919b-9cdf-f5c9-3f48f89710ec@redhat.com> Message-ID: <20160923075422.liumycyyw7eivzli@hendrix> On Thu, Sep 22, 2016 at 06:09:43PM +0200, Petr Vobornik wrote: > Hi all, > > As you know, FedoraHosted.org will be decommissioned. > https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/ > > We use Trac instance there. Let's discuss where we should migrate and > what are our requirements. Then put results on one place. For that I've > created: > http://www.freeipa.org/page/FedoraHosted_Migration That you for writing this up, there are some good points I didn't think about, like migrating the ticket numbers. Did you already file an issue that tracks this in Pagure (or asked if this is already possible)? From pspacek at redhat.com Fri Sep 23 08:40:23 2016 
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 23 Sep 2016 10:40:23 +0200
Subject: [Freeipa-devel] pylint: remove unused variables
In-Reply-To: <707f370c-87cc-f7d4-c664-8ac26fbf7fdb@redhat.com>
References: <707f370c-87cc-f7d4-c664-8ac26fbf7fdb@redhat.com>
Message-ID: <70f3187c-02f6-5fff-afa7-69faeacf0b04@redhat.com>

On 23.9.2016 07:28, Jan Cholasta wrote:
> On 22.9.2016 16:39, Martin Basti wrote:
>> Hello all,
>>
>> In 4.5, I would like to remove all unused variables from code and enable pylint check. Due to the big amount of unused variables in the code this will be a longterm effort.
>>
>> Why this?:
>>
>> * better code readability
>> * removing dead code
>> * unused variable may uncover potential bug
>>
>> It is clear what to do with unused assignments, but I need an agreement what to do with unpacking or iteration with unused variables
>>
>> For example:
>>
>> for name, surname, gender in (('Martin', 'Basti', 'M'), ):
>>
>> name, surname, gender = user['mbasti']
>>
>> Where 'surname' is unused
>>
>> Pylint will detect surname as unused variable and we have to agree on a way how to tell pylint that this variable is unused on purpose:
>>
>> 1)
>>
>> (
>>     name,
>>     surname,  # pylint: disable=unused-variable
>>     gender
>> ) = user['mbasti']
>>
>> I don't like this approach
>
> +1
>
>> 2)
>>
>> Use defined keyword: 'dummy' is default in pylint, we can set our own, like ignored, unused
>>
>> name, dummy, gender = user['mbasti']
>
> -1, not visible enough.
>
>> 3)
>>
>> use a prefix for unused variables: '_' or 'ignore_'
>>
>> name, _surname, gender = user['mbasti']
>
> This. We have already been using it in new code for quite some time, and it's common in other Python projects too. Don't reinvent the wheel.
>
>> 4)
>>
>> we can combine all :)
>>
>> For me the best is to have prefix '_' and 'dummy' keyword
>
> Use '_dummy', it's both :-)

I like "__".
If it is not acceptable for rest of the team, I would be okay with _dummy. I would even use _dummy multiple times: > name, _dummy, _dummy = user['mbasti'] so namespace is not polluted and garbage collector can do the right thing. Petr^2 Spacek >> As first step I'll enable pylint check and disable it locally per module >> where unused variables are, to avoid new regressions. Then I will fix it >> module by module. >> >> >> I'm open to suggestions >> >> Martin^2 From freeipa-github-notification at redhat.com Fri Sep 23 08:44:54 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 23 Sep 2016 10:44:54 +0200 Subject: [Freeipa-devel] [freeipa PR#107][+ack] Update man/help for --server option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/107 Title: #107: Update man/help for --server option Label: +ack From freeipa-github-notification at redhat.com Fri Sep 23 08:47:27 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 23 Sep 2016 10:47:27 +0200 Subject: [Freeipa-devel] [freeipa PR#110][opened] test_text: add test ipa.pot file for tests Message-ID: URL: https://github.com/freeipa/freeipa/pull/110 Author: mbasti-rh Title: #110: test_text: add test ipa.pot file for tests Action: opened PR body: """ Input data should be packaged into freeipa-test module to be able run test from RPM (outoftree) https://fedorahosted.org/freeipa/ticket/6333 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/110/head:pr110 git checkout pr110 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-110.patch Type: text/x-diff Size: 4445 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Sep 23 08:49:30 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 23 Sep 2016 10:49:30 +0200 Subject: [Freeipa-devel] [freeipa PR#110][comment] test_text: add test ipa.pot file for tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/110 Title: #110: test_text: add test ipa.pot file for tests mbasti-rh commented: """ I hope I didn't changed the aim of test, but having test packaged in separate module which requires to have cloned repo and working only from project directory is quite weird for me. So I create testing 'ipa.pot' file in test directory (in test package as well) """ See the full comment at https://github.com/freeipa/freeipa/pull/110#issuecomment-249137555 From jcholast at redhat.com Fri Sep 23 10:38:45 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 23 Sep 2016 12:38:45 +0200 Subject: [Freeipa-devel] pylint: remove unused variables In-Reply-To: <70f3187c-02f6-5fff-afa7-69faeacf0b04@redhat.com> References: <707f370c-87cc-f7d4-c664-8ac26fbf7fdb@redhat.com> <70f3187c-02f6-5fff-afa7-69faeacf0b04@redhat.com> Message-ID: <9761fb0f-6198-a034-eac9-66c25dd5b8ad@redhat.com> On 23.9.2016 10:40, Petr Spacek wrote: > On 23.9.2016 07:28, Jan Cholasta wrote: >> On 22.9.2016 16:39, Martin Basti wrote: >>> Hello all, >>> >>> In 4.5, I would like to remove all unused variables from code and enable >>> pylint check. Due to big amount of unused variables in the code this >>> will be longterm effort. >>> >>> Why this?: >>> >>> * better code readability >>> >>> * removing dead code >>> >>> * unused variable may uncover potential bug >>> >>> >>> It is clear what to do with unused assignments, but I need an agreement >>> what to do with unpacking or iteration with unused variables >>> >>> >>> For example: >>> >>> for name, surname, gender in (('Martin', 'Basti', 'M'), ): >>> >>> name, surname, gender = user['mbasti'] >>> >>> Where 'surname' is unused >>> >>> >>> Pylint will detect surname as unused variable and we have to agree on a >>> way how to tell pylint that this variable is unused on purpose: >>> >>> >>> 1) >>> >>> ( >>> >>> name, >>> >>> surname, # pylint: disable=unused-variable >>> >>> gender >>> >>> ) = user['mbasti'] >>> >>> >>> I dont like this approach >> >> +1 >> >>> >>> >>> 2) >>> >>> Use defined keyword: 'dummy' is default in pylint, we can set our own, >>> like ignored, unused >>> >>> name, dummy, gender = user['mbasti'] >> >> -1, not visible enough. >> >>> >>> >>> 3) >>> >>> use a prefix for unused variables: '_' or 'ignore_' >>> >>> name, _surname, gender = user['mbasti'] >> >> This. We have already been using it in new code for quite some time, and it's >> common in other Python projects too. Don't reinvent the wheel. 
>> >>> >>> >>> 4) >>> >>> we can combine all :) >>> >>> >>> For me the best is to have prefix '_' and 'dummy' keyword >> >> Use '_dummy', it's both :-) > > I like "__". If it is not acceptable for rest of the team, I would be okay > with _dummy. I'm not a fan of "__" (because it's as "brilliant" as "___" or "aaaa"), but if any local variable with "_" prefix is considered unused (i.e. what I'm proposing), it would be perfectly legal. > I would even use _dummy multiple times: >> name, _dummy, _dummy = user['mbasti'] > so namespace is not polluted and garbage collector can do the right thing. This is a pretty misguided argument if I may say so. First, I don't see how locals namespace pollution could ever cause any issues, and even if it did, the proper way to avoid it is to not write long functions with many local variables. Second, removing a local variable does not guarantee that the garbage collector will do anything (because garbage collection is not always deterministic), and even if it did, you should be explicit about it and use the del statement. > > Petr^2 Spacek > > >>> As first step I'll enable pylint check and disable it locally per module >>> where unused variables are, to avoid new regressions. Then I will fix it >>> module by module. >>> >>> >>> I'm open to suggestions >>> >>> Martin^2 > -- Jan Cholasta From slaznick at redhat.com Fri Sep 23 11:23:50 2016 
From: slaznick at redhat.com (Standa Laznicka) Date: Fri, 23 Sep 2016 13:23:50 +0200 Subject: [Freeipa-devel] pylint: remove unused variables In-Reply-To: <707f370c-87cc-f7d4-c664-8ac26fbf7fdb@redhat.com> References: <707f370c-87cc-f7d4-c664-8ac26fbf7fdb@redhat.com> Message-ID: On 09/23/2016 07:28 AM, Jan Cholasta wrote: > On 22.9.2016 16:39, Martin Basti wrote: >> Hello all, >> >> In 4.5, I would like to remove all unused variables from code and enable >> pylint check. Due to big amount of unused variables in the code this >> will be longterm effort. >> >> Why this?: >> >> * better code readability >> >> * removing dead code >> >> * unused variable may uncover potential bug >> >> >> It is clear what to do with unused assignments, but I need an agreement >> what to do with unpacking or iteration with unused variables >> >> >> For example: >> >> for name, surname, gender in (('Martin', 'Basti', 'M'), ): >> >> name, surname, gender = user['mbasti'] >> >> Where 'surname' is unused >> >> >> Pylint will detect surname as unused variable and we have to agree on a >> way how to tell pylint that this variable is unused on purpose: >> >> >> 1) >> >> ( >> >> name, >> >> surname, # pylint: disable=unused-variable >> >> gender >> >> ) = user['mbasti'] >> >> >> I dont like this approach > > +1 > >> >> >> 2) >> >> Use defined keyword: 'dummy' is default in pylint, we can set our own, >> like ignored, unused >> >> name, dummy, gender = user['mbasti'] > > -1, not visible enough. > >> >> >> 3) >> >> use a prefix for unused variables: '_' or 'ignore_' >> >> name, _surname, gender = user['mbasti'] > > This. We have already been using it in new code for quite some time, > and it's common in other Python projects too. Don't reinvent the wheel. > >> >> >> 4) >> >> we can combine all :) >> >> >> For me the best is to have prefix '_' and 'dummy' keyword > > Use '_dummy', it's both :-) > +1. 
I would rather use _meh as it's easier to type but perhaps not that self-explanatory and not established at all, so _dummy is just fine :) >> >> >> As first step I'll enable pylint check and disable it locally per module >> where unused variables are, to avoid new regressions. Then I will fix it >> module by module. >> >> >> I'm open to suggestions >> >> Martin^2 >> > > From freeipa-github-notification at redhat.com Fri Sep 23 11:36:36 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 23 Sep 2016 13:36:36 +0200 Subject: [Freeipa-devel] [freeipa PR#111][opened] Prompt for forwarder in dnsforwardzone-add Message-ID: URL: https://github.com/freeipa/freeipa/pull/111 Author: tomaskrizek Title: #111: Prompt for forwarder in dnsforwardzone-add Action: opened PR body: """ When the command ipa dnsforwardzone-add is invoked without specifying the forwarder as an argument and the forward policy is not set to none, prompt for DNS forwarder. https://fedorahosted.org/freeipa/ticket/6169 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/111/head:pr111 git checkout pr111 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-111.patch Type: text/x-diff Size: 1204 bytes Desc: not available URL: From jcholast at redhat.com Fri Sep 23 12:12:46 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 23 Sep 2016 14:12:46 +0200 Subject: [Freeipa-devel] pylint: remove unused variables In-Reply-To: References: <707f370c-87cc-f7d4-c664-8ac26fbf7fdb@redhat.com> Message-ID: <965e98c8-f634-1580-931b-abebccf3e5f8@redhat.com> On 23.9.2016 13:23, Standa Laznicka wrote: > On 09/23/2016 07:28 AM, Jan Cholasta wrote: >> On 22.9.2016 16:39, Martin Basti wrote: >>> Hello all, >>> >>> In 4.5, I would like to remove all unused variables from code and enable >>> pylint check. Due to big amount of unused variables in the code this >>> will be longterm effort. >>> >>> Why this?: >>> >>> * better code readability >>> >>> * removing dead code >>> >>> * unused variable may uncover potential bug >>> >>> >>> It is clear what to do with unused assignments, but I need an agreement >>> what to do with unpacking or iteration with unused variables >>> >>> >>> For example: >>> >>> for name, surname, gender in (('Martin', 'Basti', 'M'), ): >>> >>> name, surname, gender = user['mbasti'] >>> >>> Where 'surname' is unused >>> >>> >>> Pylint will detect surname as unused variable and we have to agree on a >>> way how to tell pylint that this variable is unused on purpose: >>> >>> >>> 1) >>> >>> ( >>> >>> name, >>> >>> surname, # pylint: disable=unused-variable >>> >>> gender >>> >>> ) = user['mbasti'] >>> >>> >>> I dont like this approach >> >> +1 >> >>> >>> >>> 2) >>> >>> Use defined keyword: 'dummy' is default in pylint, we can set our own, >>> like ignored, unused >>> >>> name, dummy, gender = user['mbasti'] >> >> -1, not visible enough. >> >>> >>> >>> 3) >>> >>> use a prefix for unused variables: '_' or 'ignore_' >>> >>> name, _surname, gender = user['mbasti'] >> >> This. We have already been using it in new code for quite some time, >> and it's common in other Python projects too. Don't reinvent the wheel. 
>> >>> >>> >>> 4) >>> >>> we can combine all :) >>> >>> >>> For me the best is to have prefix '_' and 'dummy' keyword >> >> Use '_dummy', it's both :-) >> > +1. I would rather use _meh as it's easier to type but perhaps not that > self-explanatory and not established at all, so _dummy is just fine :) What I'm actually suggesting is that any local variable with "_" prefix should be considered unused, so _meh would be fine as well. -- Jan Cholasta From mbasti at redhat.com Fri Sep 23 12:09:45 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 23 Sep 2016 14:09:45 +0200 Subject: [Freeipa-devel] FedoraHosted.org sunset In-Reply-To: <20160923075422.liumycyyw7eivzli@hendrix> References: <7c333c64-919b-9cdf-f5c9-3f48f89710ec@redhat.com> <20160923075422.liumycyyw7eivzli@hendrix> Message-ID: <5f232f69-cb02-b0e5-02f3-7f8d6dcd6bdb@redhat.com> On 23.09.2016 09:54, Jakub Hrozek wrote: > On Thu, Sep 22, 2016 at 06:09:43PM +0200, Petr Vobornik wrote: >> Hi all, >> >> As you know, FedoraHosted.org will be decommissioned. >> https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/ >> >> We use Trac instance there. Let's discuss where we should migrate and >> what are our requirements. Then put results on one place. For that I've >> created: >> http://www.freeipa.org/page/FedoraHosted_Migration > That you for writing this up, there are some good points I didn't think > about, like migrating the ticket numbers. Did you already file an issue > that tracks this in Pagure (or asked if this is already possible)? > Do we need review by field? It is recorded in commit and for ongoing reviews we are assigning ourselves to pull requests, so everybody knows if somebody is reviewing a PR. Martin^2 From freeipa-github-notification at redhat.com Fri Sep 23 12:09:57 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 23 Sep 2016 14:09:57 +0200 Subject: [Freeipa-devel] [freeipa PR#109][+ack] sudorule: add SELinux transition examples to plugin doc In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/109 Title: #109: sudorule: add SELinux transition examples to plugin doc Label: +ack From mbasti at redhat.com Fri Sep 23 12:11:03 2016 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 23 Sep 2016 14:11:03 +0200 Subject: [Freeipa-devel] pylint: remove unused variables In-Reply-To: <965e98c8-f634-1580-931b-abebccf3e5f8@redhat.com> References: <707f370c-87cc-f7d4-c664-8ac26fbf7fdb@redhat.com> <965e98c8-f634-1580-931b-abebccf3e5f8@redhat.com> Message-ID: On 23.09.2016 14:12, Jan Cholasta wrote: > On 23.9.2016 13:23, Standa Laznicka wrote: >> On 09/23/2016 07:28 AM, Jan Cholasta wrote: >>> On 22.9.2016 16:39, Martin Basti wrote: >>>> Hello all, >>>> >>>> In 4.5, I would like to remove all unused variables from code and >>>> enable >>>> pylint check. Due to big amount of unused variables in the code this >>>> will be longterm effort. >>>> >>>> Why this?: >>>> >>>> * better code readability >>>> >>>> * removing dead code >>>> >>>> * unused variable may uncover potential bug >>>> >>>> >>>> It is clear what to do with unused assignments, but I need an >>>> agreement >>>> what to do with unpacking or iteration with unused variables >>>> >>>> >>>> For example: >>>> >>>> for name, surname, gender in (('Martin', 'Basti', 'M'), ): >>>> >>>> name, surname, gender = user['mbasti'] >>>> >>>> Where 'surname' is unused >>>> >>>> >>>> Pylint will detect surname as unused variable and we have to agree >>>> on a >>>> way how to tell pylint that this variable is unused on purpose: >>>> >>>> >>>> 1) >>>> >>>> ( >>>> >>>> name, >>>> >>>> surname, # pylint: disable=unused-variable >>>> >>>> gender >>>> >>>> ) = user['mbasti'] >>>> >>>> >>>> I dont like this approach >>> >>> +1 >>> >>>> >>>> >>>> 2) >>>> >>>> Use defined keyword: 'dummy' is default in pylint, we can set our own, >>>> like ignored, unused >>>> >>>> name, dummy, gender = user['mbasti'] >>> >>> -1, not visible enough. >>> >>>> >>>> >>>> 3) >>>> >>>> use a prefix for unused variables: '_' or 'ignore_' >>>> >>>> name, _surname, gender = user['mbasti'] >>> >>> This. 
We have already been using it in new code for quite some time, >>> and it's common in other Python projects too. Don't reinvent the wheel. >>> >>>> >>>> >>>> 4) >>>> >>>> we can combine all :) >>>> >>>> >>>> For me the best is to have prefix '_' and 'dummy' keyword >>> >>> Use '_dummy', it's both :-) >>> >> +1. I would rather use _meh as it's easier to type but perhaps not that >> self-explanatory and not established at all, so _dummy is just fine :) > > What I'm actually suggesting is that any local variable with "_" > prefix should be considered unused, so _meh would be fine as well. > +1 regexp '_.+' works for me From slaznick at redhat.com Fri Sep 23 12:17:12 2016 
From: slaznick at redhat.com (Standa Laznicka) Date: Fri, 23 Sep 2016 14:17:12 +0200 Subject: [Freeipa-devel] pylint: remove unused variables In-Reply-To: References: <707f370c-87cc-f7d4-c664-8ac26fbf7fdb@redhat.com> <965e98c8-f634-1580-931b-abebccf3e5f8@redhat.com> Message-ID: On 09/23/2016 02:11 PM, Martin Basti wrote: > > > On 23.09.2016 14:12, Jan Cholasta wrote: >> On 23.9.2016 13:23, Standa Laznicka wrote: >>> On 09/23/2016 07:28 AM, Jan Cholasta wrote: >>>> On 22.9.2016 16:39, Martin Basti wrote: >>>>> Hello all, >>>>> >>>>> In 4.5, I would like to remove all unused variables from code and >>>>> enable >>>>> pylint check. Due to big amount of unused variables in the code this >>>>> will be longterm effort. >>>>> >>>>> Why this?: >>>>> >>>>> * better code readability >>>>> >>>>> * removing dead code >>>>> >>>>> * unused variable may uncover potential bug >>>>> >>>>> >>>>> It is clear what to do with unused assignments, but I need an >>>>> agreement >>>>> what to do with unpacking or iteration with unused variables >>>>> >>>>> >>>>> For example: >>>>> >>>>> for name, surname, gender in (('Martin', 'Basti', 'M'), ): >>>>> >>>>> name, surname, gender = user['mbasti'] >>>>> >>>>> Where 'surname' is unused >>>>> >>>>> >>>>> Pylint will detect surname as unused variable and we have to agree >>>>> on a >>>>> way how to tell pylint that this variable is unused on purpose: >>>>> >>>>> >>>>> 1) >>>>> >>>>> ( >>>>> >>>>> name, >>>>> >>>>> surname, # pylint: disable=unused-variable >>>>> >>>>> gender >>>>> >>>>> ) = user['mbasti'] >>>>> >>>>> >>>>> I dont like this approach >>>> >>>> +1 >>>> >>>>> >>>>> >>>>> 2) >>>>> >>>>> Use defined keyword: 'dummy' is default in pylint, we can set our >>>>> own, >>>>> like ignored, unused >>>>> >>>>> name, dummy, gender = user['mbasti'] >>>> >>>> -1, not visible enough. >>>> >>>>> >>>>> >>>>> 3) >>>>> >>>>> use a prefix for unused variables: '_' or 'ignore_' >>>>> >>>>> name, _surname, gender = user['mbasti'] >>>> >>>> This. 
>>>> We have already been using it in new code for quite some time, and it's common in other Python projects too. Don't reinvent the wheel.
>>>>
>>>>> 4)
>>>>>
>>>>> we can combine all :)
>>>>>
>>>>> For me the best is to have prefix '_' and 'dummy' keyword
>>>>
>>>> Use '_dummy', it's both :-)
>>>>
>>> +1. I would rather use _meh as it's easier to type but perhaps not that self-explanatory and not established at all, so _dummy is just fine :)
>>
>> What I'm actually suggesting is that any local variable with "_" prefix should be considered unused, so _meh would be fine as well.
>>
> +1 regexp '_.+' works for me

Wonderful, I'm all in.

From freeipa-github-notification at redhat.com Fri Sep 23 13:00:15 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 23 Sep 2016 15:00:15 +0200
Subject: [Freeipa-devel] [freeipa PR#109][comment] sudorule: add SELinux transition examples to plugin doc

URL: https://github.com/freeipa/freeipa/pull/109
Title: #109: sudorule: add SELinux transition examples to plugin doc

mbasti-rh commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/ff490b6c403f9fe14fcc2d1558c43dae5b80f493
"""

See the full comment at https://github.com/freeipa/freeipa/pull/109#issuecomment-249185580

From freeipa-github-notification at redhat.com Fri Sep 23 13:00:17 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 23 Sep 2016 15:00:17 +0200
Subject: [Freeipa-devel] [freeipa PR#109][closed] sudorule: add SELinux transition examples to plugin doc

URL: https://github.com/freeipa/freeipa/pull/109
Author: frasertweedale
Title: #109: sudorule: add SELinux transition examples to plugin doc
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/109/head:pr109
git checkout pr109

From freeipa-github-notification at redhat.com Fri Sep 23 13:00:18 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 23 Sep 2016 15:00:18 +0200
Subject: [Freeipa-devel] [freeipa PR#109][+pushed] sudorule: add SELinux transition examples to plugin doc

URL: https://github.com/freeipa/freeipa/pull/109
Title: #109: sudorule: add SELinux transition examples to plugin doc
Label: +pushed

From freeipa-github-notification at redhat.com Fri Sep 23 13:05:25 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 23 Sep 2016 15:05:25 +0200
Subject: [Freeipa-devel] [freeipa PR#107][+pushed] Update man/help for --server option

URL: https://github.com/freeipa/freeipa/pull/107
Title: #107: Update man/help for --server option
Label: +pushed

From freeipa-github-notification at redhat.com Fri Sep 23 13:05:26 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 23 Sep 2016 15:05:26 +0200
Subject: [Freeipa-devel] [freeipa PR#107][comment] Update man/help for --server option

URL: https://github.com/freeipa/freeipa/pull/107
Title: #107: Update man/help for --server option

mbasti-rh commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/07ff1f619c001181563886b5a0b5f1886b6638a1
"""

See the full comment at https://github.com/freeipa/freeipa/pull/107#issuecomment-249186962

From freeipa-github-notification at redhat.com Fri Sep 23 13:05:27 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 23 Sep 2016 15:05:27 +0200
Subject: [Freeipa-devel] [freeipa PR#107][closed] Update man/help for --server option

URL: https://github.com/freeipa/freeipa/pull/107
Author: tomaskrizek
Title: #107: Update man/help for --server option
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/107/head:pr107
git checkout pr107

From pvoborni at redhat.com Fri Sep 23 13:20:57 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 23 Sep 2016 15:20:57 +0200
Subject: [Freeipa-devel] FedoraHosted.org sunset
In-Reply-To: <5f232f69-cb02-b0e5-02f3-7f8d6dcd6bdb@redhat.com>
References: <7c333c64-919b-9cdf-f5c9-3f48f89710ec@redhat.com> <20160923075422.liumycyyw7eivzli@hendrix> <5f232f69-cb02-b0e5-02f3-7f8d6dcd6bdb@redhat.com>

On 09/23/2016 02:09 PM, Martin Basti wrote:
> On 23.09.2016 09:54, Jakub Hrozek wrote:
>> On Thu, Sep 22, 2016 at 06:09:43PM +0200, Petr Vobornik wrote:
>>> Hi all,
>>>
>>> As you know, FedoraHosted.org will be decommissioned.
>>>
>>> https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/
>>>
>>> We use a Trac instance there. Let's discuss where we should migrate and what our requirements are. Then put the results in one place. For that I've created:
>>> http://www.freeipa.org/page/FedoraHosted_Migration
>>
>> Thank you for writing this up, there are some good points I didn't think about, like migrating the ticket numbers. Did you already file an issue that tracks this in Pagure (or ask if this is already possible)?
>>
> Do we need the "review by" field? It is recorded in the commit, and for ongoing reviews we are assigning ourselves to pull requests, so everybody knows if somebody is reviewing a PR.
>
> Martin^2
>

Assigning to a PR solves the issue for which "review by" was meant. So we may eventually drop it. Ideally when the patch backlog on the devel list is cleansed.

In general, I'd not say that each individual field is a requirement, e.g. I can imagine that keywords, source, component, maybe even a milestone and a priority can be tags/labels.

What would be nice is some reporting/filtering capability so that I don't have to script each view separately.

-- 
Petr Vobornik

From freeipa-github-notification at redhat.com Fri Sep 23 14:05:06 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 23 Sep 2016 16:05:06 +0200
Subject: [Freeipa-devel] [freeipa PR#112][opened] The first jab at fixing https://fedorahosted.org/freeipa/ticket/5809

URL: https://github.com/freeipa/freeipa/pull/112
Author: martbab
Title: #112: The first jab at fixing https://fedorahosted.org/freeipa/ticket/5809
Action: opened

PR body:
"""
There are two ways to fix the issue reported in the ticket:

1.) Make the certificate handling code generate nicknames that do not break the existing implementation of `installutils.set_directive`

2.) Extend the quoting abilities of the function so that it is less fragile when encoding more funky values such as quoted RDNs

This PR opts for option 2.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/112/head:pr112
git checkout pr112

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-112.patch
Type: text/x-diff
Size: 6981 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Sep 23 14:24:21 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 23 Sep 2016 16:24:21 +0200
Subject: [Freeipa-devel] [freeipa PR#112][synchronized] The first jab at fixing https://fedorahosted.org/freeipa/ticket/5809

URL: https://github.com/freeipa/freeipa/pull/112
Author: martbab
Title: #112: The first jab at fixing https://fedorahosted.org/freeipa/ticket/5809
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/112/head:pr112
git checkout pr112

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-112.patch
Type: text/x-diff
Size: 6983 bytes
Desc: not available

From freeipa-github-notification at redhat.com Sat Sep 24 17:46:24 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Sat, 24 Sep 2016 19:46:24 +0200
Subject: [Freeipa-devel] [freeipa PR#113][opened] ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri

URL: https://github.com/freeipa/freeipa/pull/113
Author: pspacek
Title: #113: ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri
Action: opened

PR body:
"""
Domain, realm, basedn, xmlrpc_uri, ldap_uri do not have any reasonable default. This patch removes the hardcoded defaults so the code which depends on these values blows up early and does not do crazy stuff with default values instead of real ones. This should help to uncover issues caused by improper ipalib initialization.

It will surely break something but right now, at the beginning of the devel cycle, is IMHO the right time to do a change like this and to remove some old cruft.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/113/head:pr113
git checkout pr113

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-113.patch
Type: text/x-diff
Size: 3267 bytes
Desc: not available

From freeipa-github-notification at redhat.com Sat Sep 24 17:48:56 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Sat, 24 Sep 2016 19:48:56 +0200
Subject: [Freeipa-devel] [freeipa PR#114][opened] Raise errors from service.py:_ldap_mod() by default

URL: https://github.com/freeipa/freeipa/pull/114
Author: pspacek
Title: #114: Raise errors from service.py:_ldap_mod() by default
Action: opened

PR body:
"""
This is to prevent situations when the installer prints
CRITICAL Failed to load ....ldif
and continues just to crash later on because of a non-existing LDAP container or so on.

The beginning of the devel cycle is the right time to fix this so we have time to uncover potential regressions and fix long hidden bugs.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/114/head:pr114
git checkout pr114

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-114.patch
Type: text/x-diff
Size: 1492 bytes
Desc: not available

From freeipa-github-notification at redhat.com Sat Sep 24 17:54:05 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Sat, 24 Sep 2016 19:54:05 +0200
Subject: [Freeipa-devel] [freeipa PR#111][+ack] Prompt for forwarder in dnsforwardzone-add

URL: https://github.com/freeipa/freeipa/pull/111
Title: #111: Prompt for forwarder in dnsforwardzone-add
Label: +ack

From freeipa-github-notification at redhat.com Sat Sep 24 19:43:54 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Sat, 24 Sep 2016 21:43:54 +0200
Subject: [Freeipa-devel] [freeipa PR#98][+ack] Make server uninstaller exit with non-zero exit status during failed validation

URL: https://github.com/freeipa/freeipa/pull/98
Title: #98: Make server uninstaller exit with non-zero exit status during failed validation
Label: +ack

From freeipa-github-notification at redhat.com Sat Sep 24 19:43:59 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Sat, 24 Sep 2016 21:43:59 +0200
Subject: [Freeipa-devel] [freeipa PR#98][comment] Make server uninstaller exit with non-zero exit status during failed validation

URL: https://github.com/freeipa/freeipa/pull/98
Title: #98: Make server uninstaller exit with non-zero exit status during failed validation

pspacek commented:
"""
Works for me!
"""

See the full comment at https://github.com/freeipa/freeipa/pull/98#issuecomment-249383672

From freeipa-github-notification at redhat.com Mon Sep 26 10:20:15 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 26 Sep 2016 12:20:15 +0200
Subject: [Freeipa-devel] [freeipa PR#115][opened] Don't show traceback when ipa config file is not an absolute path

URL: https://github.com/freeipa/freeipa/pull/115
Author: tomaskrizek
Title: #115: Don't show traceback when ipa config file is not an absolute path
Action: opened

PR body:
"""
When using the ipa command with the '-c' flag, the user provides a configuration file. If this path is not absolute, an error without a traceback should be displayed.

https://fedorahosted.org/freeipa/ticket/6114
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/115/head:pr115
git checkout pr115

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-115.patch
Type: text/x-diff
Size: 3414 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Sep 26 10:24:51 2016
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Mon, 26 Sep 2016 12:24:51 +0200
Subject: [Freeipa-devel] [freeipa PR#116][opened] Added fix for no-hbac-allow option in server install script

URL: https://github.com/freeipa/freeipa/pull/116
Author: Akasurde
Title: #116: Added fix for no-hbac-allow option in server install script
Action: opened

PR body:
"""
Fixes: https://fedorahosted.org/freeipa/ticket/6357

Signed-off-by: Abhijeet Kasurde
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/116/head:pr116
git checkout pr116

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-116.patch
Type: text/x-diff
Size: 1669 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Sep 26 10:34:32 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Mon, 26 Sep 2016 12:34:32 +0200
Subject: [Freeipa-devel] [freeipa PR#110][+ack] test_text: add test ipa.pot file for tests

URL: https://github.com/freeipa/freeipa/pull/110
Title: #110: test_text: add test ipa.pot file for tests
Label: +ack

From freeipa-github-notification at redhat.com Mon Sep 26 10:37:59 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 26 Sep 2016 12:37:59 +0200
Subject: [Freeipa-devel] [freeipa PR#116][comment] Added fix for no-hbac-allow option in server install script

URL: https://github.com/freeipa/freeipa/pull/116
Title: #116: Added fix for no-hbac-allow option in server install script

tomaskrizek commented:
"""
`--no_hbac_allow` option should remain as an undocumented option for backwards compatibility.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/116#issuecomment-249536240

From freeipa-github-notification at redhat.com Mon Sep 26 11:23:12 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 26 Sep 2016 13:23:12 +0200
Subject: [Freeipa-devel] [freeipa PR#117][opened] Make ipa-replica-install run in interactive mode

URL: https://github.com/freeipa/freeipa/pull/117
Author: stlaz
Title: #117: Make ipa-replica-install run in interactive mode
Action: opened

PR body:
"""
ipa-replica-install would not run in interactive mode, which confused some users. Make it run ipa-client-install in attended mode so that the required arguments are asked for instead of the installation just failing.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/117/head:pr117
git checkout pr117

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-117.patch
Type: text/x-diff
Size: 6443 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Sep 26 11:32:13 2016
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Mon, 26 Sep 2016 13:32:13 +0200
Subject: [Freeipa-devel] [freeipa PR#116][comment] Added fix for no-hbac-allow option in server install script

URL: https://github.com/freeipa/freeipa/pull/116
Title: #116: Added fix for no-hbac-allow option in server install script

Akasurde commented:
"""
@tomaskrizek Should I remove the 'no_hbac_allow' option from the ipa-server-install man page then?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/116#issuecomment-249545807

From freeipa-github-notification at redhat.com Mon Sep 26 11:48:02 2016
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Mon, 26 Sep 2016 13:48:02 +0200
Subject: [Freeipa-devel] [freeipa PR#118][opened] WebUI: hide buttons in certificate widget according to acl

URL: https://github.com/freeipa/freeipa/pull/118
Author: pvomacka
Title: #118: WebUI: hide buttons in certificate widget according to acl
Action: opened

PR body:
"""
When a user is logged in and opens the details page of another user, the button for adding a new certificate should not be visible and the option in the action menu for deleting a certificate should be grayed out.

This is achieved by adding a custom field for the certificates widget, which is able to read ACLs from the result of user-show and not from the cert-find result.

https://fedorahosted.org/freeipa/ticket/6341
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/118/head:pr118
git checkout pr118

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-118.patch
Type: text/x-diff
Size: 3788 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Sep 26 12:00:23 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 26 Sep 2016 14:00:23 +0200
Subject: [Freeipa-devel] [freeipa PR#104][+ack] Backport XMLRPC test fixes to ipa-4-3 branch

URL: https://github.com/freeipa/freeipa/pull/104
Title: #104: Backport XMLRPC test fixes to ipa-4-3 branch
Label: +ack

From freeipa-github-notification at redhat.com Mon Sep 26 12:49:15 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 26 Sep 2016 14:49:15 +0200
Subject: [Freeipa-devel] [freeipa PR#116][comment] Added fix for no-hbac-allow option in server install script

URL: https://github.com/freeipa/freeipa/pull/116
Title: #116: Added fix for no-hbac-allow option in server install script

tomaskrizek commented:
"""
@Akasurde The man page is correct. However, we can no longer use the command

```
ipa-server-install --no_hbac_allow
```

if you simply rename the option. We need to keep this option for backwards compatibility and add a new option `--no-hbac-allow`. Internally, `no_hbac_allow` should only be an alias to `no-hbac-allow`.

As a result, both of the following commands should work:

```
ipa-server-install --no-hbac-allow
ipa-server-install --no_hbac_allow
```

With `--no-hbac-allow` being the preferred and documented option, while `--no_hbac_allow` simply remains for backwards compatibility.

I think the correct way to fix the issue is to add a new option and then make sure both the options have the same effect when used.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/116#issuecomment-249560066

From freeipa-github-notification at redhat.com Mon Sep 26 13:25:26 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Mon, 26 Sep 2016 15:25:26 +0200
Subject: [Freeipa-devel] [freeipa PR#119][opened] Tests: Providing trust tests with tree root domain

URL: https://github.com/freeipa/freeipa/pull/119
Author: mirielka
Title: #119: Tests: Providing trust tests with tree root domain
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6347
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/119/head:pr119
git checkout pr119

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-119.patch
Type: text/x-diff
Size: 7024 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Sep 26 14:07:55 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 26 Sep 2016 16:07:55 +0200
Subject: [Freeipa-devel] [freeipa PR#120][opened] Pretty-print structures in assert_deepequal

URL: https://github.com/freeipa/freeipa/pull/120
Author: stlaz
Title: #120: Pretty-print structures in assert_deepequal
Action: opened

PR body:
"""
By default, ipa-run-tests will now pretty-print structures compared in the assert_deepequal function. This behaviour can be turned off by the --no-pretty-print option.

https://fedorahosted.org/freeipa/ticket/6212
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/120/head:pr120
git checkout pr120

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-120.patch
Type: text/x-diff
Size: 4385 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Sep 26 16:31:01 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 26 Sep 2016 18:31:01 +0200
Subject: [Freeipa-devel] [freeipa PR#121][opened] Pylint: enable unused-variable check

URL: https://github.com/freeipa/freeipa/pull/121
Author: mbasti-rh
Title: #121: Pylint: enable unused-variable check
Action: opened

PR body:
"""
Modules with too many unused variables have the check locally disabled
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/121/head:pr121
git checkout pr121

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-121.patch
Type: text/x-diff
Size: 107825 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Sep 26 16:39:11 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 26 Sep 2016 18:39:11 +0200
Subject: [Freeipa-devel] [freeipa PR#98][+pushed] Make server uninstaller exit with non-zero exit status during failed validation

URL: https://github.com/freeipa/freeipa/pull/98
Title: #98: Make server uninstaller exit with non-zero exit status during failed validation
Label: +pushed

From freeipa-github-notification at redhat.com Mon Sep 26 16:39:13 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 26 Sep 2016 18:39:13 +0200
Subject: [Freeipa-devel] [freeipa PR#98][closed] Make server uninstaller exit with non-zero exit status during failed validation

URL: https://github.com/freeipa/freeipa/pull/98
Author: martbab
Title: #98: Make server uninstaller exit with non-zero exit status during failed validation
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/98/head:pr98
git checkout pr98

From freeipa-github-notification at redhat.com Mon Sep 26 16:39:15 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 26 Sep 2016 18:39:15 +0200
Subject: [Freeipa-devel] [freeipa PR#98][comment] Make server uninstaller exit with non-zero exit status during failed validation

URL: https://github.com/freeipa/freeipa/pull/98
Title: #98: Make server uninstaller exit with non-zero exit status during failed validation

mbasti-rh commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/347f5ca0e145491d387f60f95b67ef59e7c28316
https://fedorahosted.org/freeipa/changeset/f7764cda6824a2fe73abe11f6daa28758a185319

ipa-4-4:
https://fedorahosted.org/freeipa/changeset/e306e8f06d05d49784bf2bc6a235801c1b641daa
https://fedorahosted.org/freeipa/changeset/e45bd59b44c8ad9e56f7eee4a20e2e6f74c5e266
"""

See the full comment at https://github.com/freeipa/freeipa/pull/98#issuecomment-249624771

From freeipa-github-notification at redhat.com Mon Sep 26 16:43:11 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 26 Sep 2016 18:43:11 +0200
Subject: [Freeipa-devel] [freeipa PR#104][comment] Backport XMLRPC test fixes to ipa-4-3 branch

URL: https://github.com/freeipa/freeipa/pull/104
Title: #104: Backport XMLRPC test fixes to ipa-4-3 branch

mbasti-rh commented:
"""
Fixed upstream ipa-4-3:
https://fedorahosted.org/freeipa/changeset/4b551743820f436807811415ab51d6ee238ee971
https://fedorahosted.org/freeipa/changeset/505a7da9d4335adc39d06b29fde66e00b758d4a2
"""

See the full comment at https://github.com/freeipa/freeipa/pull/104#issuecomment-249625869

From freeipa-github-notification at redhat.com Mon Sep 26 16:43:13 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 26 Sep 2016 18:43:13 +0200
Subject: [Freeipa-devel] [freeipa PR#104][+pushed] Backport XMLRPC test fixes to ipa-4-3 branch

URL: https://github.com/freeipa/freeipa/pull/104
Title: #104: Backport XMLRPC test fixes to ipa-4-3 branch
Label: +pushed

From freeipa-github-notification at redhat.com Mon Sep 26 16:43:14 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 26 Sep 2016 18:43:14 +0200
Subject: [Freeipa-devel] [freeipa PR#104][closed] Backport XMLRPC test fixes to ipa-4-3 branch

URL: https://github.com/freeipa/freeipa/pull/104
Author: martbab
Title: #104: Backport XMLRPC test fixes to ipa-4-3 branch
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/104/head:pr104
git checkout pr104

From freeipa-github-notification at redhat.com Mon Sep 26 16:46:10 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 26 Sep 2016 18:46:10 +0200
Subject: [Freeipa-devel] [freeipa PR#111][comment] Prompt for forwarder in dnsforwardzone-add

URL: https://github.com/freeipa/freeipa/pull/111
Title: #111: Prompt for forwarder in dnsforwardzone-add

mbasti-rh commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/ef9c718e3a82fcbd5944cc993e2c9f3f1237f85c
"""

See the full comment at https://github.com/freeipa/freeipa/pull/111#issuecomment-249626628

From freeipa-github-notification at redhat.com Mon Sep 26 16:46:12 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 26 Sep 2016 18:46:12 +0200
Subject: [Freeipa-devel] [freeipa PR#111][+pushed] Prompt for forwarder in dnsforwardzone-add

URL: https://github.com/freeipa/freeipa/pull/111
Title: #111: Prompt for forwarder in dnsforwardzone-add
Label: +pushed

From freeipa-github-notification at redhat.com Mon Sep 26 16:46:14 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 26 Sep 2016 18:46:14 +0200
Subject: [Freeipa-devel] [freeipa PR#111][closed] Prompt for forwarder in dnsforwardzone-add

URL: https://github.com/freeipa/freeipa/pull/111
Author: tomaskrizek
Title: #111: Prompt for forwarder in dnsforwardzone-add
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/111/head:pr111
git checkout pr111

From freeipa-github-notification at redhat.com Mon Sep 26 16:48:28 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 26 Sep 2016 18:48:28 +0200
Subject: [Freeipa-devel] [freeipa PR#110][+pushed] test_text: add test ipa.pot file for tests

URL: https://github.com/freeipa/freeipa/pull/110
Title: #110: test_text: add test ipa.pot file for tests
Label: +pushed

From freeipa-github-notification at redhat.com Mon Sep 26 16:48:30 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 26 Sep 2016 18:48:30 +0200
Subject: [Freeipa-devel] [freeipa PR#110][comment] test_text: add test ipa.pot file for tests

URL: https://github.com/freeipa/freeipa/pull/110
Title: #110: test_text: add test ipa.pot file for tests

mbasti-rh commented:
"""
Fixed upstream ipa-4-4:
https://fedorahosted.org/freeipa/changeset/f4115f68eea4112957bb58c25f29c6f40d8172ef

master:
https://fedorahosted.org/freeipa/changeset/452b08754d02b89c0e3117b83d9156e6110943c9
"""

See the full comment at https://github.com/freeipa/freeipa/pull/110#issuecomment-249627269

From freeipa-github-notification at redhat.com Mon Sep 26 16:48:31 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 26 Sep 2016 18:48:31 +0200
Subject: [Freeipa-devel] [freeipa PR#110][closed] test_text: add test ipa.pot file for tests

URL: https://github.com/freeipa/freeipa/pull/110
Author: mbasti-rh
Title: #110: test_text: add test ipa.pot file for tests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/110/head:pr110
git checkout pr110

From freeipa-github-notification at redhat.com Mon Sep 26 16:49:36 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 26 Sep 2016 18:49:36 +0200
Subject: [Freeipa-devel] [freeipa PR#121][synchronized] Pylint: enable unused-variable check

URL: https://github.com/freeipa/freeipa/pull/121
Author: mbasti-rh
Title: #121: Pylint: enable unused-variable check
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/121/head:pr121
git checkout pr121

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-121.patch
Type: text/x-diff
Size: 107824 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Sep 27 07:08:19 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 27 Sep 2016 09:08:19 +0200
Subject: [Freeipa-devel] [freeipa PR#115][comment] Don't show traceback when ipa config file is not an absolute path

URL: https://github.com/freeipa/freeipa/pull/115
Title: #115: Don't show traceback when ipa config file is not an absolute path

mbasti-rh commented:
"""
NACK, please see my inline comments
"""

See the full comment at https://github.com/freeipa/freeipa/pull/115#issuecomment-249783814

From freeipa-github-notification at redhat.com Tue Sep 27 09:32:52 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Tue, 27 Sep 2016 11:32:52 +0200
Subject: [Freeipa-devel] [freeipa PR#117][comment] Make ipa-replica-install run in interactive mode

URL: https://github.com/freeipa/freeipa/pull/117
Title: #117: Make ipa-replica-install run in interactive mode

tomaskrizek commented:
"""
NACK, please see inline comments.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/117#issuecomment-249814914

From freeipa-github-notification at redhat.com Tue Sep 27 09:42:12 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 27 Sep 2016 11:42:12 +0200
Subject: [Freeipa-devel] [freeipa PR#121][comment] Pylint: enable unused-variable check

URL: https://github.com/freeipa/freeipa/pull/121
Title: #121: Pylint: enable unused-variable check

mbasti-rh commented:
"""
I disagree, I really think that there should not be assert
"""

See the full comment at https://github.com/freeipa/freeipa/pull/121#issuecomment-249816977

From freeipa-github-notification at redhat.com Tue Sep 27 10:05:16 2016
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Tue, 27 Sep 2016 12:05:16 +0200
Subject: [Freeipa-devel] [freeipa PR#121][comment] Pylint: enable unused-variable check

URL: https://github.com/freeipa/freeipa/pull/121
Title: #121: Pylint: enable unused-variable check

flo-renaud commented:
"""
Agree with you, ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/121#issuecomment-249822167

From freeipa-github-notification at redhat.com Tue Sep 27 10:10:10 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 27 Sep 2016 12:10:10 +0200
Subject: [Freeipa-devel] [freeipa PR#121][comment] Pylint: enable unused-variable check

URL: https://github.com/freeipa/freeipa/pull/121
Title: #121: Pylint: enable unused-variable check

stlaz commented:
"""
The changes seem fine except for the two small nitpicks.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/121#issuecomment-249823191

From freeipa-github-notification at redhat.com Tue Sep 27 10:14:27 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 27 Sep 2016 12:14:27 +0200 Subject: [Freeipa-devel] [freeipa PR#121][synchronized] Pylint: enable unused-variable check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/121 Author: mbasti-rh Title: #121: Pylint: enable unused-variable check Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/121/head:pr121 git checkout pr121 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-121.patch Type: text/x-diff Size: 108093 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 27 10:32:22 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 27 Sep 2016 12:32:22 +0200 Subject: [Freeipa-devel] [freeipa PR#114][comment] Raise errors from service.py:_ldap_mod() by default In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/114 Title: #114: Raise errors from service.py:_ldap_mod() by default mbasti-rh commented: """ These issues are caused mostly by newer replica install, so I don't think that earlier devel cycle will help us, we need good upgrade testing. However I agree that it is better to stop with first error and not continue later and break things even more """ See the full comment at https://github.com/freeipa/freeipa/pull/114#issuecomment-249827802 From freeipa-github-notification at redhat.com Tue Sep 27 10:32:54 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 27 Sep 2016 12:32:54 +0200 Subject: [Freeipa-devel] [freeipa PR#114][comment] Raise errors from service.py:_ldap_mod() by default In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/114 Title: #114: Raise errors from service.py:_ldap_mod() by default mbasti-rh commented: """ These issues are caused mostly by newer replica install, so I don't think that earlier devel cycle will help us, we need good upgrade testing. However I agree that it is better to stop with first error and not continue later and break things even more """ See the full comment at https://github.com/freeipa/freeipa/pull/114#issuecomment-249827802 From freeipa-github-notification at redhat.com Tue Sep 27 10:33:38 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 27 Sep 2016 12:33:38 +0200 Subject: [Freeipa-devel] [freeipa PR#114][comment] Raise errors from service.py:_ldap_mod() by default In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/114 Title: #114: Raise errors from service.py:_ldap_mod() by default mbasti-rh commented: """ These issues are caused mostly by newer replica install, so I don't think that earlier devel cycle will help us, we need good upgrade testing. However I agree that it is better to stop with first error and not continue and break things even more later """ See the full comment at https://github.com/freeipa/freeipa/pull/114#issuecomment-249827802 From freeipa-github-notification at redhat.com Tue Sep 27 10:45:17 2016 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 27 Sep 2016 12:45:17 +0200 Subject: [Freeipa-devel] [freeipa PR#121][comment] Pylint: enable unused-variable check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/121 Title: #121: Pylint: enable unused-variable check stlaz commented: """ The latest changes fixed the nitpicks mentioned, ACK. Thanks :+1: """ See the full comment at https://github.com/freeipa/freeipa/pull/121#issuecomment-249830361 From freeipa-github-notification at redhat.com Tue Sep 27 10:45:23 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 27 Sep 2016 12:45:23 +0200 Subject: [Freeipa-devel] [freeipa PR#121][+ack] Pylint: enable unused-variable check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/121 Title: #121: Pylint: enable unused-variable check Label: +ack From freeipa-github-notification at redhat.com Tue Sep 27 11:18:01 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 27 Sep 2016 13:18:01 +0200 Subject: [Freeipa-devel] [freeipa PR#117][synchronized] Make ipa-replica-install run in interactive mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/117 Author: stlaz Title: #117: Make ipa-replica-install run in interactive mode Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/117/head:pr117 git checkout pr117 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-117.patch Type: text/x-diff Size: 6231 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 27 11:36:18 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 27 Sep 2016 13:36:18 +0200 Subject: [Freeipa-devel] [freeipa PR#121][+pushed] Pylint: enable unused-variable check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/121 Title: #121: Pylint: enable unused-variable check Label: +pushed From freeipa-github-notification at redhat.com Tue Sep 27 11:36:19 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 27 Sep 2016 13:36:19 +0200 Subject: [Freeipa-devel] [freeipa PR#121][comment] Pylint: enable unused-variable check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/121 Title: #121: Pylint: enable unused-variable check mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/0f88f8fe889ae4801fc8d5ece1ad51c5246718ac https://fedorahosted.org/freeipa/changeset/9d83be3647547cfca4e129cfeb63771213232cf7 https://fedorahosted.org/freeipa/changeset/45e3aee35219c89c07d590003a334f8db658a3b2 """ See the full comment at https://github.com/freeipa/freeipa/pull/121#issuecomment-249840099 From freeipa-github-notification at redhat.com Tue Sep 27 11:36:21 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 27 Sep 2016 13:36:21 +0200 Subject: [Freeipa-devel] [freeipa PR#121][closed] Pylint: enable unused-variable check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/121 Author: mbasti-rh Title: #121: Pylint: enable unused-variable check Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/121/head:pr121 git checkout pr121 From freeipa-github-notification at redhat.com Tue Sep 27 11:41:12 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 27 Sep 2016 13:41:12 +0200 Subject: [Freeipa-devel] [freeipa PR#115][synchronized] Don't show traceback when ipa config file is not an absolute path In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/115 Author: tomaskrizek Title: #115: Don't show traceback when ipa config file is not an absolute path Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/115/head:pr115 git checkout pr115 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-115.patch Type: text/x-diff Size: 1874 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 27 12:10:22 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 27 Sep 2016 14:10:22 +0200 Subject: [Freeipa-devel] [freeipa PR#115][comment] Don't show traceback when ipa config file is not an absolute path In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/115 Title: #115: Don't show traceback when ipa config file is not an absolute path mbasti-rh commented: """ NACK, please see inline comments """ See the full comment at https://github.com/freeipa/freeipa/pull/115#issuecomment-249846654 From jpazdziora at redhat.com Tue Sep 27 12:31:34 2016 
From: jpazdziora at redhat.com (Jan Pazdziora) Date: Tue, 27 Sep 2016 14:31:34 +0200 Subject: [Freeipa-devel] What would break if loopback addresses were allowed for IPA server? In-Reply-To: <20160921100144.GA7371@redhat.com> References: <20160921100144.GA7371@redhat.com> Message-ID: <20160927123134.GA32730@redhat.com> On Wed, Sep 21, 2016 at 12:01:44PM +0200, Jan Pazdziora wrote: > > I've recently hit again the situation of IPA installer not happy > about the provided IP address not being local to it, this time in > containerized environment: > > https://bugzilla.redhat.com/show_bug.cgi?id=1377973 > > During the discussion, we came to an interesting question: > > What would break if loopback addresses were allowed for IPA > server? > > Of course, the idea is that it would only be used for installation and > then IPA would change its IP address in DNS to whatever is the real IP > address under which it is accessible. > > Where does the allow_loopback=False requirement in the installer come > from and what would break if it was removed altogether? I also see messages like Adding [10.11.12.13 ipa.example.com] to your /etc/hosts file in some cases. Actually, it's 10.11.12.13 ipa.example.com ipa which gets added so the message is not accurate. Modification of /etc/hosts itself seems unfortunate. Should the IP address change in the future, there will be one more place where the IP address stays hardcoded. I wonder why hosts: files dns myhostname isn't enough, and whether hosts: files myhostname dns might actually be better order. When the value is not in /etc/hosts, I see weird startup issues, presumably because individual components time out resolving $HOSTNAME, so systemctl start ipa fails. Perhaps it has something to do with named being up at that point, rather than unreachable, just not resolving anything yet. Chicken and egg. I wonder why we cannot add ipa.example.com to 127.0.0.1. 
I've tried that and have seen named-pkcs11[453]: LDAP error: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/localhost at EXAMPLE.TEST not found in Kerberos database): bind to LDAP server failed which suggests something derives the hostname and thus the principal from the IP address used. Why is not $HOSTNAME used everywhere? What part of the system cares about the IP address (and the reverse resolution)? If overloading 127.0.0.1 with the $HOSTNAME does not work, could 127.0.0.2 do the trick? It seems to work for subsequent starts (did not try it during ipa-server-install) in containers. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat From freeipa-github-notification at redhat.com Tue Sep 27 12:46:08 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Tue, 27 Sep 2016 14:46:08 +0200 Subject: [Freeipa-devel] [freeipa PR#115][comment] Don't show traceback when ipa config file is not an absolute path In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/115 Title: #115: Don't show traceback when ipa config file is not an absolute path pspacek commented: """ Why must the file be absolute? I would rather remove this requirement and be done with it. `open()` the file and if it succeeds - use it. If it fails, print error returned from `open`. """ See the full comment at https://github.com/freeipa/freeipa/pull/115#issuecomment-249854141 From freeipa-github-notification at redhat.com Tue Sep 27 12:48:49 2016 
From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 27 Sep 2016 14:48:49 +0200 Subject: [Freeipa-devel] [freeipa PR#122][opened] Acceptance tests Message-ID: URL: https://github.com/freeipa/freeipa/pull/122 Author: dkupka Title: #122: Acceptance tests Action: opened PR body: """ Starting with minimal suite that will grow as necessary. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/122/head:pr122 git checkout pr122 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-122.patch Type: text/x-diff Size: 3563 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 27 13:03:45 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 27 Sep 2016 15:03:45 +0200 Subject: [Freeipa-devel] [freeipa PR#122][comment] Acceptance tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/122 Title: #122: Acceptance tests mbasti-rh commented: """ I quite disagree with marks, please read my inline comments """ See the full comment at https://github.com/freeipa/freeipa/pull/122#issuecomment-249858212 From freeipa-github-notification at redhat.com Tue Sep 27 13:11:32 2016 
From: freeipa-github-notification at redhat.com (mirielka) Date: Tue, 27 Sep 2016 15:11:32 +0200 Subject: [Freeipa-devel] [freeipa PR#123][opened] Tests: Remove silent deleting and creating entries by tracker Message-ID: URL: https://github.com/freeipa/freeipa/pull/123 Author: mirielka Title: #123: Tests: Remove silent deleting and creating entries by tracker Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6123 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/123/head:pr123 git checkout pr123 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-123.patch Type: text/x-diff Size: 4715 bytes Desc: not available URL: From pspacek at redhat.com Tue Sep 27 14:03:50 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 27 Sep 2016 16:03:50 +0200 Subject: [Freeipa-devel] CA-less installs: passive certmonger - watch-and-warn mode In-Reply-To: <05c3ec25-1d51-0955-f3f0-533886783bc9@redhat.com> References: <577FAB41.7030909@redhat.com> <2e9575f4-a599-1bb7-045d-ff2e589720b8@redhat.com> <577FB1B0.7090509@redhat.com> <05c3ec25-1d51-0955-f3f0-533886783bc9@redhat.com> Message-ID: <5a10f1bd-63a8-3a64-8c46-2b4525f887c9@redhat.com> On 18.7.2016 08:22, Jan Cholasta wrote: > On 8.7.2016 15:59, Rob Crittenden wrote: >> Petr Spacek wrote: >>> On 8.7.2016 15:31, Rob Crittenden wrote: >>>> Petr Spacek wrote: >>>>> Hi, >>>>> >>>>> our docs >>>>> >>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-determine-ca >>>>> >>>>> >>>>> >>>>> >>>>> claim this: >>>>> "The certmonger service is not used to track certificates. >>>>> Therefore, it does >>>>> not warn you of impending certificate expiration." >>>>> >>>>> Is this correct? >>>>> >>>>> Can we at least configure certmonger to passively track the >>>>> certificates and >>>>> throw warning about impending expiration into logs? > > +1, I have already suggested we do this several times. > >>>>> >>>> >>>> Throw a warning where? Register an e-mail address as part of the >>>> tracking >>>> perhaps? >>>> >>>> It would probably be fairly easy to write a "CA" that sends an >>>> e-mail. The >>>> trick, and this has always tripped us up, is having an MTA configured. >>> >>> I would start with logs, as I wrote in the original message. This will >>> naturally evolve into something else when we finally get >>> user-configurable hooks. >>> >>> In any case, having certmonger configured to track the certs is >>> prerequisite >>> for all cases... >> >> "Logs" is not very specific, do you mean syslog/journal? >> >> Feel free to open an RFE against certmonger with your proposal. 
I >> suspect that anything logged will just get lost in most cases. Finally, here is the ticket: https://fedorahosted.org/certmonger/ticket/59 > For IPA CA certificate, we log warnings to syslog with ALERT level. I think > doing that for other certs would be good enough for starters. -- Petr^2 Spacek From freeipa-github-notification at redhat.com Tue Sep 27 14:26:04 2016 From: freeipa-github-notification at redhat.com (apophys) Date: Tue, 27 Sep 2016 16:26:04 +0200 Subject: [Freeipa-devel] [freeipa PR#73][synchronized] Tests for certificates with SAN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/73 Author: apophys Title: #73: Tests for certificates with SAN Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/73/head:pr73 git checkout pr73 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-73.patch Type: text/x-diff Size: 20771 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 27 14:53:24 2016 From: freeipa-github-notification at redhat.com (apophys) Date: Tue, 27 Sep 2016 16:53:24 +0200 Subject: [Freeipa-devel] [freeipa PR#73][synchronized] Tests for certificates with SAN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/73 Author: apophys Title: #73: Tests for certificates with SAN Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/73/head:pr73 git checkout pr73 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-73.patch Type: text/x-diff Size: 20771 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 27 15:12:15 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 27 Sep 2016 17:12:15 +0200 Subject: [Freeipa-devel] [freeipa PR#115][synchronized] Don't show traceback when ipa config file is not an absolute path In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/115 Author: tomaskrizek Title: #115: Don't show traceback when ipa config file is not an absolute path Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/115/head:pr115 git checkout pr115 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-115.patch Type: text/x-diff Size: 3448 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 27 15:28:38 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 27 Sep 2016 17:28:38 +0200 Subject: [Freeipa-devel] [freeipa PR#115][synchronized] Don't show traceback when ipa config file is not an absolute path In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/115 Author: tomaskrizek Title: #115: Don't show traceback when ipa config file is not an absolute path Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/115/head:pr115 git checkout pr115 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-115.patch Type: text/x-diff Size: 3708 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Sep 27 15:32:14 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 27 Sep 2016 17:32:14 +0200 Subject: [Freeipa-devel] [freeipa PR#115][comment] Don't show traceback when ipa config file is not an absolute path In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/115 Title: #115: Don't show traceback when ipa config file is not an absolute path tomaskrizek commented: """ I found no reason why the path should be absolute, so I removed that constraint. The parser check to verify if file exists should remain, since non-existent files are otherwise ignored without any notice. """ See the full comment at https://github.com/freeipa/freeipa/pull/115#issuecomment-249901658 From freeipa-github-notification at redhat.com Tue Sep 27 16:19:43 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 27 Sep 2016 18:19:43 +0200 Subject: [Freeipa-devel] [freeipa PR#124][opened] Fix: find OSCP certificate test Message-ID: URL: https://github.com/freeipa/freeipa/pull/124 Author: mbasti-rh Title: #124: Fix: find OSCP certificate test Action: opened PR body: """ Test should check if any OSCP certificate has been returned https://fedorahosted.org/freeipa/ticket/6359 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/124/head:pr124 git checkout pr124 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-124.patch Type: text/x-diff Size: 1021 bytes Desc: not available URL: From npmccallum at redhat.com Tue Sep 27 18:54:42 2016 
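The point tomaskrizek makes in the PR#115 comment above (a non-existent config file is otherwise ignored without any notice) and pspacek's earlier suggestion (just `open()` it and report the OS error) can both be seen in plain `configparser`. The following is an added example and not FreeIPA code; the file name `ipa.conf`, the `[global]` section content and the mistyped `ipa.cnf` path are constructed for the demonstration. The security-relevant behaviour is that `ConfigParser.read()` silently skips unreadable files, so a typo in the path makes the client run with built-in defaults instead of the operator's settings:

```python
import configparser
import os
import tempfile

# Added example, not FreeIPA code. ConfigParser.read() returns the list of files
# it could actually parse and silently skips the rest, so a mistyped path yields
# an "empty" configuration with no error. Either check that return value, or open
# the file yourself so the OS error (ENOENT, EACCES, ...) is reported verbatim.


def load_config_silent(path):
    """The pitfall: returns a parser even when `path` does not exist."""
    cp = configparser.ConfigParser()
    loaded = cp.read(path)  # list of files read; [] if the path was unusable
    return cp, loaded


def load_config_checked(path):
    """Same call, but turn 'nothing was read' into a hard error."""
    cp, loaded = load_config_silent(path)
    if not loaded:
        raise FileNotFoundError("config file %r could not be read" % path)
    return cp


def load_config_strict(path):
    """pspacek's variant: open() the file ourselves, let the OS error surface."""
    cp = configparser.ConfigParser()
    with open(path, "r", encoding="utf-8") as fh:  # raises with the real reason
        cp.read_file(fh, source=path)
    return cp


def demo():
    """Constructed scenario: a relative config path, once correct, once mistyped."""
    with tempfile.TemporaryDirectory() as tmp:
        cwd = os.getcwd()
        os.chdir(tmp)  # relative paths were the subject of PR#115
        try:
            with open("ipa.conf", "w", encoding="utf-8") as fh:
                fh.write("[global]\nserver = ipa.example.test\n")

            ok_cp, ok_loaded = load_config_silent("ipa.conf")
            _, typo_loaded = load_config_silent("ipa.cnf")  # typo: no error at all

            try:
                load_config_checked("ipa.cnf")
                checked_error = None
            except FileNotFoundError as exc:
                checked_error = str(exc)

            try:
                load_config_strict("ipa.cnf")
                strict_error = None
            except OSError as exc:
                strict_error = exc.strerror  # e.g. "No such file or directory"
        finally:
            os.chdir(cwd)

    return {
        "relative_ok": ok_loaded == ["ipa.conf"]
        and ok_cp.get("global", "server") == "ipa.example.test",
        "typo_loaded": typo_loaded,
        "checked_error": checked_error,
        "strict_error": strict_error,
    }


if __name__ == "__main__":
    print(demo())
```

Whichever variant is used, the check belongs in the option parser so the user gets one line of explanation instead of either a traceback or, worse, a silent fallback to defaults.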
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Tue, 27 Sep 2016 14:54:42 -0400 Subject: [Freeipa-devel] [PATCH 0097] Properly handle LDAP socket closures in ipa-otpd Message-ID: <1475002482.22323.17.camel@redhat.com> In at least one case, when an LDAP socket closes, a read event is fired rather than an error event. Without this patch, ipa-otpd silently ignores this event and enters a state where all bind auths fail. To remedy this problem, we pass error events along the same path as read events. Should the actual read fail, we exit. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-npmccallum-0097-Properly-handle-LDAP-socket-closures-in-ipa-otpd.patch Type: text/x-patch Size: 2969 bytes Desc: not available URL: From simo at redhat.com Tue Sep 27 18:57:45 2016 From: simo at redhat.com (Simo Sorce) Date: Tue, 27 Sep 2016 14:57:45 -0400 Subject: [Freeipa-devel] [PATCH 0097] Properly handle LDAP socket closures in ipa-otpd In-Reply-To: <1475002482.22323.17.camel@redhat.com> References: <1475002482.22323.17.camel@redhat.com> Message-ID: <1475002665.3612.71.camel@redhat.com> On Tue, 2016-09-27 at 14:54 -0400, Nathaniel McCallum wrote: > In at least one case, when an LDAP socket closes, a read event is > fired > rather than an error event. Without this patch, ipa-otpd silently > ignores this event and enters a state where all bind auths fail. > > To remedy this problem, we pass error events along the same path as > read events. Should the actual read fail, we exit. LGTM Simo. -- Simo Sorce * Red Hat, Inc * New York From abokovoy at redhat.com Wed Sep 28 05:03:34 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 28 Sep 2016 08:03:34 +0300 Subject: [Freeipa-devel] [PATCH 0097] Properly handle LDAP socket closures in ipa-otpd In-Reply-To: <1475002482.22323.17.camel@redhat.com> References: <1475002482.22323.17.camel@redhat.com> Message-ID: <20160928050334.li3lfpvabo3nc773@redhat.com> On ti, 27 syys 2016, Nathaniel McCallum wrote: >In at least one case, when an LDAP socket closes, a read event is fired >rather than an error event. Without this patch, ipa-otpd silently >ignores this event and enters a state where all bind auths fail. > >To remedy this problem, we pass error events along the same path as >read events. Should the actual read fail, we exit. Please add the bugzilla link. -- / Alexander Bokovoy From npmccallum at redhat.com Wed Sep 28 14:58:53 2016 From: npmccallum at redhat.com (Nathaniel McCallum) Date: Wed, 28 Sep 2016 10:58:53 -0400 Subject: [Freeipa-devel] [PATCH 0097] Properly handle LDAP socket closures in ipa-otpd In-Reply-To: <20160928050334.li3lfpvabo3nc773@redhat.com> References: <1475002482.22323.17.camel@redhat.com> <20160928050334.li3lfpvabo3nc773@redhat.com> Message-ID: <1475074733.9001.0.camel@redhat.com> On Wed, 2016-09-28 at 08:03 +0300, Alexander Bokovoy wrote: > On ti, 27 syys 2016, Nathaniel McCallum wrote: > > In at least one case, when an LDAP socket closes, a read event is > > fired > > rather than an error event. Without this patch, ipa-otpd silently > > ignores this event and enters a state where all bind auths fail. > > > > To remedy this problem, we pass error events along the same path as > > read events. Should the actual read fail, we exit. > > Please add the bugzilla link. Done. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-npmccallum-0097-Properly-handle-LDAP-socket-closures-in-ipa-otpd.patch Type: text/x-patch Size: 3022 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Sep 28 18:04:45 2016 
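The behaviour Nathaniel describes in PATCH 0097 above (a closed LDAP socket shows up as a read event, not an error event, and a loop that only watches for errors silently wedges) is a property of poll(2), and can be reproduced without ipa-otpd. What follows is an added example, not ipa-otpd or FreeIPA code: it uses a `socketpair()` in place of the LDAP connection, the `bindResponse-*` payloads are constructed, and the classification of events is the fix pattern from the patch description (route error and hangup flags through the same read path and let the read result decide), implemented with Python's `select.poll` rather than libverto:

```python
import select
import socket

# Added example, not ipa-otpd code. When the peer of a stream socket goes away,
# poll() reports the socket as readable (POLLIN, usually together with POLLHUP),
# not as POLLERR. An event loop that treats only POLLERR as "connection lost"
# never notices, keeps the dead fd registered, and every later request fails.
# The robust handler below always attempts the read and classifies its result.

READ_MASK = select.POLLIN | select.POLLERR | select.POLLHUP


def on_io_event(sock, revents):
    """Handle one poll() event for `sock`.

    Returns ("data", bytes), ("closed", None), ("error", errno) or ("idle", None).
    Error/hangup flags are not special-cased: same path as a read event.
    """
    if not revents & READ_MASK:
        return ("idle", None)
    try:
        chunk = sock.recv(4096)
    except OSError as exc:
        return ("error", exc.errno)
    if chunk == b"":  # orderly EOF: the peer closed its end
        return ("closed", None)
    return ("data", chunk)


def wait_once(sock, timeout_ms=2000):
    """Block until `sock` has an event; return ((state, payload), raw revents)."""
    poller = select.poll()
    poller.register(sock, READ_MASK)
    ready = poller.poll(timeout_ms)
    if not ready:
        return ("idle", None), 0
    _fd, revents = ready[0]
    return on_io_event(sock, revents), revents


def naive_is_connection_lost(revents):
    """The pattern that bites: only POLLERR is taken as a lost connection."""
    return bool(revents & select.POLLERR)


def demo_peer_closes():
    """Constructed scenario: the 'LDAP server' side closes without sending."""
    client, server = socket.socketpair()
    server.close()
    (state, _payload), revents = wait_once(client)
    client.close()
    return {
        "state": state,
        "pollin_set": bool(revents & select.POLLIN),
        "pollerr_set": bool(revents & select.POLLERR),
        "naive_notices_close": naive_is_connection_lost(revents),
    }


def demo_read_until_closed():
    """Constructed scenario: two replies arrive, then the peer disconnects."""
    client, server = socket.socketpair()
    server.sendall(b"bindResponse-1")
    server.sendall(b"bindResponse-2")
    server.close()
    received = 0
    while True:
        (state, payload), _revents = wait_once(client)
        if state == "data":
            received += len(payload)  # stream socket: count bytes, not messages
            continue
        break
    client.close()
    return received, state  # (28, "closed") on a healthy peer-close


if __name__ == "__main__":
    print(demo_peer_closes())
    print(demo_read_until_closed())
```

In the first scenario the only flags set are POLLIN and POLLHUP, so a handler keyed on POLLERR returns "nothing to do" forever; the read-path handler gets the zero-length read and reports the closure, which is the point at which a daemon should exit or reconnect rather than keep serving binds against a dead connection.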
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 28 Sep 2016 20:04:45 +0200 Subject: [Freeipa-devel] [freeipa PR#125][opened] Add iSecStore.span Message-ID: URL: https://github.com/freeipa/freeipa/pull/125 Author: tiran Title: #125: Add iSecStore.span Action: opened PR body: """ In the future Custodia is going to make CSStore.span an abstract method. Closes: https://fedorahosted.org/freeipa/ticket/6365 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/125/head:pr125 git checkout pr125 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-125.patch Type: text/x-diff Size: 789 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Sep 29 07:17:54 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 29 Sep 2016 09:17:54 +0200 Subject: [Freeipa-devel] [freeipa PR#117][comment] Make ipa-replica-install run in interactive mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/117 Title: #117: Make ipa-replica-install run in interactive mode tomaskrizek commented: """ ACK Running the command in interactive mode by default is desirable behaviour. Since the `-U` flag was present in previous versions, we don't have to worry about backward compatibility. """ See the full comment at https://github.com/freeipa/freeipa/pull/117#issuecomment-250389651 From freeipa-github-notification at redhat.com Thu Sep 29 07:18:00 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 29 Sep 2016 09:18:00 +0200 Subject: [Freeipa-devel] [freeipa PR#117][+ack] Make ipa-replica-install run in interactive mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/117 Title: #117: Make ipa-replica-install run in interactive mode Label: +ack From mbabinsk at redhat.com Thu Sep 29 07:36:11 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 29 Sep 2016 09:36:11 +0200 Subject: [Freeipa-devel] python-nss-1.0.0-2.fc24.x86_64 from updates-testing breaks FreeIPA client API Message-ID: Hi list, today I noticed the following exceptions in my VMs when installing/using FreeIPA: """ # ipa ping exception in SSLSocket.handshake_callback Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line 258, in handshake_callback channel = sock.get_ssl_channel_info() nss.error.NSPRError: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. -------------------------------------------- IPA server version 4.4.90. API version 2.215 -------------------------------------------- """ This was caused by python-nss-1.0.0-2.fc24.x86_64 which was pushed to updates-testing. Reverting the package to previous versions fixed the problem. We may wish to provide negative karma to this build[1] until we figure out whether it is a bug in the package or we need to update our client libs. [1] https://bodhi.fedoraproject.org/updates/FEDORA-2016-c93fd2726a -- Martin^3 Babinsky From freeipa-github-notification at redhat.com Thu Sep 29 07:57:09 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 29 Sep 2016 09:57:09 +0200 Subject: [Freeipa-devel] [freeipa PR#73][comment] Tests for certificates with SAN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/73 Title: #73: Tests for certificates with SAN martbab commented: """ NACK: you probably forgot to add service fixtures as params to the added test cases: https://paste.fedoraproject.org/437721/51355181/ In addition please write a sensible commit message for commit f43833d and probably squash the last commit into 2d75883 I have also noticed that you linked the commits to a ticket in an already closed milestone. Per our process guidelines you need to open a new ticket and go through a new triage, sorry. """ See the full comment at https://github.com/freeipa/freeipa/pull/73#issuecomment-250397011 From abokovoy at redhat.com Thu Sep 29 08:14:50 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 29 Sep 2016 11:14:50 +0300 Subject: [Freeipa-devel] python-nss-1.0.0-2.fc24.x86_64 from updates-testing breaks FreeIPA client API In-Reply-To: References: Message-ID: <20160929081450.s5mpkxzhiq3lkodd@redhat.com> On to, 29 syys 2016, Martin Babinsky wrote: >Hi list, > >today I noticed the following exceptions in my VMs when >installing/using FreeIPA: > >""" ># ipa ping >exception in SSLSocket.handshake_callback >Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line >258, in handshake_callback > channel = sock.get_ssl_channel_info() >nss.error.NSPRError: (SEC_ERROR_INVALID_ARGS) security library: >invalid arguments. >-------------------------------------------- >IPA server version 4.4.90. API version 2.215 >-------------------------------------------- >""" > >This was caused by python-nss-1.0.0-2.fc24.x86_64 which was pushed to >updates-testing. Reverting the package to previous versions fixed the >problem. python-nss-1.0.0-1.fc25 (note fc25) works fine. There is no 1.0.0-2.fc25 which is a packaging bug, but that should not be bringing any difference as the tarball (1.0.0) is the same and no additional patches were applied. Also, we didn't have any changes between 4.4.1 and git master that could have affected ipapython/nsslib.py other than 0f88f8fe889ae4801fc8d5ece1ad51c5246718ac, which is this chunk of changes: diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py index 1573de9..f9f64c1 100644 --- a/ipapython/nsslib.py +++ b/ipapython/nsslib.py 
@@ -234,7 +234,7 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) try: self.sock.set_ssl_version_range(self.tls_version_min, self.tls_version_max) - except NSPRError as e: + except NSPRError: root_logger.error('Failed to set TLS range to %s, %s' % (self.tls_version_min, self.tls_version_max)) raise self.sock.set_ssl_option(ssl_require_safe_negotiation, False) e.g. nothing that is relevant to the trace you provided. -- / Alexander Bokovoy From freeipa-github-notification at redhat.com Thu Sep 29 08:34:12 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 29 Sep 2016 10:34:12 +0200 Subject: [Freeipa-devel] [freeipa PR#124][+ack] Fix: find OSCP certificate test In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/124 Title: #124: Fix: find OSCP certificate test Label: +ack From freeipa-github-notification at redhat.com Thu Sep 29 09:12:04 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 29 Sep 2016 11:12:04 +0200 Subject: [Freeipa-devel] [freeipa PR#118][+ack] WebUI: hide buttons in certificate widget according to acl In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/118 Title: #118: WebUI: hide buttons in certificate widget according to acl Label: +ack From freeipa-github-notification at redhat.com Thu Sep 29 09:12:05 2016 
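Review bot: in the `except NSPRError as e:` → `except NSPRError:` change, dropping the unused binding is the right fix for the unused-variable warning since the `root_logger.error(...)` call on the next line never uses `e`, but note that the log message still omits the NSPR error itself, so a failed `set_ssl_version_range` is logged as "Failed to set TLS range to %s, %s" without its reason. If the line is meant to be useful on its own, keep the binding and hand the exception to the logger as an argument, e.g. `root_logger.error('Failed to set TLS range to %s, %s: %s', self.tls_version_min, self.tls_version_max, e)`, which also avoids pre-formatting with `%` before the logger decides whether the record is emitted. Because the exception is re-raised immediately after, the traceback carries the detail either way, so this is a diagnosability nit rather than a correctness problem with the hunk.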
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 29 Sep 2016 11:12:05 +0200 Subject: [Freeipa-devel] [freeipa PR#118][comment] WebUI: hide buttons in certificate widget according to acl In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/118 Title: #118: WebUI: hide buttons in certificate widget according to acl martbab commented: """ Works as expected """ See the full comment at https://github.com/freeipa/freeipa/pull/118#issuecomment-250412691 From freeipa-github-notification at redhat.com Thu Sep 29 09:14:27 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 29 Sep 2016 11:14:27 +0200 Subject: [Freeipa-devel] [freeipa PR#118][+pushed] WebUI: hide buttons in certificate widget according to acl In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/118 Title: #118: WebUI: hide buttons in certificate widget according to acl Label: +pushed From freeipa-github-notification at redhat.com Thu Sep 29 09:14:29 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 29 Sep 2016 11:14:29 +0200 Subject: [Freeipa-devel] [freeipa PR#118][comment] WebUI: hide buttons in certificate widget according to acl In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/118 Title: #118: WebUI: hide buttons in certificate widget according to acl martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/81ead980fb808b70d7590800518b655abe64948b ipa-4-4: https://fedorahosted.org/freeipa/changeset/5ac1f367139d4c2fac804c057afadc7849880431 """ See the full comment at https://github.com/freeipa/freeipa/pull/118#issuecomment-250413176 From freeipa-github-notification at redhat.com Thu Sep 29 09:14:30 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 29 Sep 2016 11:14:30 +0200 Subject: [Freeipa-devel] [freeipa PR#118][closed] WebUI: hide buttons in certificate widget according to acl In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/118 Author: pvomacka Title: #118: WebUI: hide buttons in certificate widget according to acl Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/118/head:pr118 git checkout pr118 From mbasti at redhat.com Thu Sep 29 10:23:41 2016 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 29 Sep 2016 12:23:41 +0200 Subject: [Freeipa-devel] python-nss-1.0.0-2.fc24.x86_64 from updates-testing breaks FreeIPA client API In-Reply-To: <20160929081450.s5mpkxzhiq3lkodd@redhat.com> References: <20160929081450.s5mpkxzhiq3lkodd@redhat.com> Message-ID: <51b53290-065d-df06-c502-b2bc911514d8@redhat.com> On 29.09.2016 10:14, Alexander Bokovoy wrote: > On Thu, 29 Sep 2016, Martin Babinsky wrote: >> Hi list, >> >> today I noticed the following exceptions in my VMs when >> installing/using FreeIPA: >> >> """ >> # ipa ping >> exception in SSLSocket.handshake_callback >> Traceback (most recent call last): >> File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line >> 258, in handshake_callback >> channel = sock.get_ssl_channel_info() >> nss.error.NSPRError: (SEC_ERROR_INVALID_ARGS) security library: >> invalid arguments. >> -------------------------------------------- >> IPA server version 4.4.90. API version 2.215 >> -------------------------------------------- >> """ >> >> This was caused by python-nss-1.0.0-2.fc24.x86_64 which was pushed to >> updates-testing. Reverting the package to previous versions fixed the >> problem. > python-nss-1.0.0-1.fc25 (note fc25) works fine. There is no 1.0.0-2.fc25 > which is a packaging bug, but that should not be bringing any > difference as the tarball (1.0.0) is the same and no additional patches > were applied. > > Also, we didn't have any changes between 4.4.1 and git master that could > have affected ipapython/nsslib.py other than > 0f88f8fe889ae4801fc8d5ece1ad51c5246718ac, > which is this chunk of changes: > > diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py > index 1573de9..f9f64c1 100644 > --- a/ipapython/nsslib.py > +++ b/ipapython/nsslib.py 
> @@ -234,7 +234,7 @@ class NSSConnection(httplib.HTTPConnection, > NSSAddressFamilyFallback): > self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) > try: > self.sock.set_ssl_version_range(self.tls_version_min, > self.tls_version_max) > - except NSPRError as e: > + except NSPRError: > root_logger.error('Failed to set TLS range to %s, %s' % > (self.tls_version_min, self.tls_version_max)) > raise > self.sock.set_ssl_option(ssl_require_safe_negotiation, False) > > e.g. nothing that is relevant to the trace you provided. > > Sorry I cannot reproduce it as well [root at vm-058-017 ~]# ipa ping -------------------------------------------- IPA server version 4.4.90. API version 2.215 -------------------------------------------- [root at vm-058-017 ~]# dnf upgrade python-nss ... Running transaction Upgrading : python-nss-1.0.0-2.fc24.x86_64 1/4 Upgrading : python3-nss-1.0.0-2.fc24.x86_64 2/4 Cleanup : python3-nss-1.0.0-beta1.2.fc24.1.x86_64 3/4 Cleanup : python-nss-1.0.0-beta1.2.fc24.1.x86_64 4/4 Verifying : python3-nss-1.0.0-2.fc24.x86_64 1/4 Verifying : python-nss-1.0.0-2.fc24.x86_64 2/4 Verifying : python-nss-1.0.0-beta1.2.fc24.1.x86_64 3/4 Verifying : python3-nss-1.0.0-beta1.2.fc24.1.x86_64 [root at vm-058-017 ~]# ipa ping -------------------------------------------- IPA server version 4.4.90. API version 2.215 -------------------------------------------- From freeipa-github-notification at redhat.com Thu Sep 29 10:39:07 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 29 Sep 2016 12:39:07 +0200 Subject: [Freeipa-devel] [freeipa PR#120][+ack] Pretty-print structures in assert_deepequal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/120 Title: #120: Pretty-print structures in assert_deepequal Label: +ack From pvomacka at redhat.com Thu Sep 29 11:05:30 2016 
From: pvomacka at redhat.com (Pavel Vomacka) Date: Thu, 29 Sep 2016 13:05:30 +0200 Subject: [Freeipa-devel] [PATCH] webui: Fix coverity bugs In-Reply-To: <8c539d0a-29ee-30ba-33eb-90aa0698f583@redhat.com> References: <17dedc13-dab5-4ae2-5a7b-d7921458a46f@redhat.com> <20160729132534.sdsdlda5c2gtvqj6@redhat.com> <8c539d0a-29ee-30ba-33eb-90aa0698f583@redhat.com> Message-ID: Bump for review. On 08/05/2016 02:33 PM, Pavel Vomacka wrote: > > > On 08/01/2016 05:53 PM, Petr Vobornik wrote: >> On 07/29/2016 03:25 PM, Alexander Bokovoy wrote: >>> On Fri, 29 Jul 2016, Pavel Vomacka wrote: >>>> Hello, >>>> >>>> please review attached patches which fixes errors from Coverity. >>>> >>>> -- >>>> Pavel^3 Vomacka >>>> >>>> From 0391289b3f6844897e2a9f3ae549bd4c33233ffc Mon Sep 17 00:00:00 >>>> 2001 >>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 10:36:47 +0200 >>>> Subject: [PATCH 01/13] Coverity - null pointer exception >>>> >>>> Variable 'option' can be null and there will be error of reading >>>> property of null. >>>> --- >>>> install/ui/src/freeipa/widget.js | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/install/ui/src/freeipa/widget.js >>>> b/install/ui/src/freeipa/widget.js >>>> index >>>> 9151ebac9438e9e674f81bfb1ccfe7a63872b1ae..cfdf5d4750951e4549c16a2b9b9c355f61e90c39 >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/widget.js >>>> +++ b/install/ui/src/freeipa/widget.js >>>> @@ -2249,7 +2249,7 @@ IPA.option_widget_base = function(spec, that) { >>>> var child_values = []; >>>> var option = that.get_option(value); >>>> >>>> - if (option.widget) { >>>> + if (option && option.widget) { >>>> child_values = option.widget.save(); >>>> values.push.apply(values, child_values); >>>> } >>>> -- >>>> 2.5.5 >>>> >>> ACK >> ACK >> >>>> From 6df8e608232e25daa9aefe4fccbdeca4dbaf1998 Mon Sep 17 00:00:00 >>>> 2001 
>>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 10:43:00 +0200 >>>> Subject: [PATCH 02/13] Coverity - null pointer exception >>>> >>>> Variable 'row' could be null in some cases. And set css to variable >>>> which is pointing to null >>>> causes error. Therefore there is new check. >>>> --- >>>> install/ui/src/freeipa/widget.js | 2 ++ >>>> 1 file changed, 2 insertions(+) >>>> >>>> diff --git a/install/ui/src/freeipa/widget.js >>>> b/install/ui/src/freeipa/widget.js >>>> index >>>> cfdf5d4750951e4549c16a2b9b9c355f61e90c39..5844436abf090f12d5a9d65efe7a1aaee14097e2 >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/widget.js >>>> +++ b/install/ui/src/freeipa/widget.js >>>> @@ -5766,6 +5766,8 @@ exp.fluid_layout = IPA.fluid_layout = >>>> function(spec) { >>>> that.on_visible_change = function(event) { >>>> >>>> var row = that._get_row(event); >>>> + if (!row) return; >>>> + >>>> if (event.visible) { >>>> row.css('display', ''); >>>> } else { >>>> -- >>>> 2.5.5 >>>> >>> ACK >> >> ACK >> >>> >>>> From 6f2ddc9e1c5323a640bdf744d2da00bfee7ab766 Mon Sep 17 00:00:00 >>>> 2001 >>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 13:48:16 +0200 >>>> Subject: [PATCH 03/13] Coverity - not initialized variable >>>> >>>> The variable hasn't been initialized, now it is set to null by >>>> default. >>>> --- >>>> install/ui/src/freeipa/widget.js | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/install/ui/src/freeipa/widget.js >>>> b/install/ui/src/freeipa/widget.js >>>> index >>>> 5844436abf090f12d5a9d65efe7a1aaee14097e2..43804c5ea524ca741017d02f6e12ccf60d50b5df >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/widget.js >>>> +++ b/install/ui/src/freeipa/widget.js 
>>>> @@ -1047,7 +1047,7 @@ IPA.multivalued_widget = function(spec) { >>>> >>>> that.child_spec = spec.child_spec; >>>> that.size = spec.size || 30; >>>> - that.undo_control; >>>> + that.undo_control = null; >>>> that.initialized = true; >>>> that.updating = false; >>>> >>>> -- >>>> 2.5.5 >>>> >>> ACK >> ACK >> >>> >>>> From b9ddd32ec45aadae5a79e372c3e1b70990071e60 Mon Sep 17 00:00:00 >>>> 2001 >>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 14:42:50 +0200 >>>> Subject: [PATCH 04/13] Coverity - identical code for different >>>> branches >>>> >>>> In both cases when the condition is true or false it is set the same >>>> value. >>>> Changed to assign the value directly. >>>> --- >>>> install/ui/src/freeipa/topology_graph.js | 4 ++-- >>>> 1 file changed, 2 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/install/ui/src/freeipa/topology_graph.js >>>> b/install/ui/src/freeipa/topology_graph.js >>>> index >>>> ce2ebeaff611987ae27f2655b5da80bdcd1b4f8a..712d38fbe67e87ffa773e0a3a1f8937e9595c9a6 >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/topology_graph.js >>>> +++ b/install/ui/src/freeipa/topology_graph.js >>>> @@ -325,8 +325,8 @@ topology_graph.TopoGraph = declare([Evented], { >>>> off = dir ? -1 : 1, // determines shift direction of >>>> curve >>>> ns = 5, // shift on normal vector >>>> s = target_count > 1 ? 1 : 0, // shift from center? >>>> - spad = d.left ? 18 : 18, // source padding >>>> - tpad = d.right ? 18 : 18, // target padding >>>> + spad = d.left = 18, // source padding >>>> + tpad = d.right = 18, // target padding >>>> sourceX = d.source.x + (spad * ux) + off * nx * ns >>>> * s, >>>> sourceY = d.source.y + (spad * uy) + off * ny * ns >>>> * s, >>>> targetX = d.target.x - (tpad * ux) + off * nx * ns >>>> * s, >>>> -- >>>> 2.5.5 >>>> >>> ACK >> NACK >> >> following lines are not equivalent >> spad = d.left ? 18 : 18 >> spad = d.left = 18 >> >> same with tpad > Fixed >>>> From f1f2b55247d6c7f41f8053f372a47945c93fc8a4 Mon Sep 17 00:00:00 >>>> 2001 
>>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 14:52:15 +0200 >>>> Subject: [PATCH 05/13] Coverity - Accessing attribute of null >>>> >>>> There is a possibility that widget is null and then there could be an >>>> error. >>>> Therefore there is new check of widget variable. >>>> --- >>>> install/ui/src/freeipa/widgets/APIBrowserWidget.js | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> b/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> index >>>> 1a3726190d4a5d628a8f7c2b564c4c9f6e7cea1f..50c2989fcc126585787df61cdd19493632ed37b9 >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> +++ b/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> @@ -252,7 +252,7 @@ widgets.APIBrowserWidget = declare([Stateful, >>>> Evented], { >>>> } >>>> >>>> // switch widget >>>> - if (!widget.el) widget.render(); >>>> + if (widget && !widget.el) widget.render(); >>>> if (this.current_details_w !== widget) { >>>> this.details_el.empty(); >>>> this.details_el.append(widget.el); >>>> -- >>>> 2.5.5 >>>> >>> ACK >> ACK >> >>>> From 1476b5ed3ab5c4ec55f3ed20ad07a5b88cfd45f2 Mon Sep 17 00:00:00 >>>> 2001 >>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 16:47:22 +0200 >>>> Subject: [PATCH 06/13] Coverity - removed dead code >>>> >>>> There cannot be a string value because of previous checks. >>>> --- >>>> install/ui/src/freeipa/dns.js | 12 ++++-------- >>>> 1 file changed, 4 insertions(+), 8 deletions(-) >>>> >>>> diff --git a/install/ui/src/freeipa/dns.js >>>> b/install/ui/src/freeipa/dns.js >>>> index >>>> 2d424aeae8ef735d02426a0f08b6261ec2f04c19..822c0b3cedb3988563c0a1f83862f56e95eed21b >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/dns.js >>>> +++ b/install/ui/src/freeipa/dns.js 
>>>> @@ -1509,14 +1509,10 @@ IPA.dns.record_prepare_editor_for_type = >>>> function(type, fields, widgets, update) >>>> >>>> //create editor widget >>>> var widget = {}; >>>> - if (typeof attribute === 'string') { >>>> - widget.name = attribute; >>>> - } else { >>>> - widget.name = attribute.name; >>>> - set_defined(attribute.$type, widget, '$type'); >>>> - set_defined(attribute.options, widget, 'options'); >>>> - copy_obj(widget, attribute.widget_opt); >>>> - } >>>> + widget.name = attribute.name; >>>> + set_defined(attribute.$type, widget, '$type'); >>>> + set_defined(attribute.options, widget, 'options'); >>>> + copy_obj(widget, attribute.widget_opt); >>>> section.widgets.push(widget); >>>> } >>>> }; >>>> -- >>>> 2.5.5 >>>> >>> ACK >> ACK >> >>> >>>> From b1dd66f3b08889b51430d9176035366cb055324e Mon Sep 17 00:00:00 >>>> 2001 >>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 17:44:56 +0200 >>>> Subject: [PATCH 07/13] Coverity - true branch can't be executed >>>> >>>> The 'data' variable is always false because of previous condition. >>>> Therefore there is direct assignment. >>>> --- >>>> install/ui/src/freeipa/rpc.js | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/install/ui/src/freeipa/rpc.js >>>> b/install/ui/src/freeipa/rpc.js >>>> index >>>> a185585f4176658e299e7e92434522c936cc36b4..88aaf6ede72ea69495c369dd74c657d0419a3605 >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/rpc.js >>>> +++ b/install/ui/src/freeipa/rpc.js 
>>>> @@ -372,7 +372,7 @@ rpc.command = function(spec) { >>>> error_handler.call(this, xhr, text_status, /* >>>> error_thrown */ { >>>> name: text.get('@i18n:errors.http_error', 'HTTP >>>> Error')+' '+xhr.status, >>>> url: this.url, >>>> - message: data ? xhr.statusText : >>>> text.get('@i18n:errors.no_response', 'No response') >>>> + message: text.get('@i18n:errors.no_response', 'No >>>> response') >>>> }); >>>> >>>> } else if (IPA.version && data.version && IPA.version !== >>>> data.version) { >>>> -- >>>> 2.5.5 >>>> >>> ACK >> >> ACK - patch fixes the issue. >> >> But I wonder if it should be rather: >> message: xhr ? xhr.statusText : text.get('@i18n:errors.no_response', >> 'No response') >> >> don't remember. > That's true, fixed. >>> >>>> From 463f24936469d87890b666dfd7edabbe90541491 Mon Sep 17 00:00:00 >>>> 2001 >>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 17:49:50 +0200 >>>> Subject: [PATCH 08/13] Coverity - true branch can't be executed >>>> >>>> The 'result' variable is always false because of previous condition. >>>> Therefore there is direct assignment. >>>> --- >>>> install/ui/src/freeipa/rpc.js | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/install/ui/src/freeipa/rpc.js >>>> b/install/ui/src/freeipa/rpc.js >>>> index >>>> 88aaf6ede72ea69495c369dd74c657d0419a3605..30a5366787974b2d127114f7683d0589ed332f5a >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/rpc.js >>>> +++ b/install/ui/src/freeipa/rpc.js >>>> @@ -628,7 +628,7 @@ rpc.batch_command = function(spec) { >>>> >>>> if (!result) { >>>> name = text.get('@i18n:errors.internal_error', >>>> 'Internal Error')+' '+xhr.status; >>>> - message = result ? xhr.statusText : >>>> text.get('@i18n:errors.internal_error', 'Internal Error'); >>>> + message = text.get('@i18n:errors.internal_error', >>>> 'Internal Error'); >>>> >>>> that.errors.add(command, name, message, text_status); >>>> >>>> -- >>>> 2.5.5 >>>> >>> ACK >> same as previous > Fixed as well. 
>>>> From c0ba1c141b6191e2a7ef33bc9eaaad5c970f9d0e Mon Sep 17 00:00:00 >>>> 2001 >>>> From: Pavel Vomacka >>>> Date: Mon, 25 Jul 2016 18:25:36 +0200 >>>> Subject: [PATCH 09/13] Coverity - null pointer dereference >>>> >>>> The 'obj' variable could be null, so there could be error when it is >>>> used. >>>> A new check that 'obj' is not false is added. >>>> --- >>>> install/ui/src/freeipa/widgets/browser_widgets.js | 6 +++--- >>>> 1 file changed, 3 insertions(+), 3 deletions(-) >>>> >>>> diff --git a/install/ui/src/freeipa/widgets/browser_widgets.js >>>> b/install/ui/src/freeipa/widgets/browser_widgets.js >>>> index >>>> 57ad2bd984ea35f03b302b59fc1d014def162bd8..91bb850a638fd6f16f207b1111d126fbb4fe2dd8 >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/widgets/browser_widgets.js >>>> +++ b/install/ui/src/freeipa/widgets/browser_widgets.js >>>> @@ -427,11 +427,11 @@ widgets.browser_widgets.CommandDetailWidget = >>>> declare([base], { >>>> if (i>0) { >>>> out_params_cnt.append(', '); >>>> } >>>> - if (!param) { >>>> - out_params_cnt.append(param_name); >>>> - } else { >>>> + if (param && obj) { >>>> var link = this.render_param_link(obj.name, >>>> param_name); >>>> out_params_cnt.append(link); >>>> + } else { >>>> + out_params_cnt.append(param_name); >>>> } >>>> } >>>> out_params_cnt.appendTo(this.el); >>>> -- >>>> 2.5.5 >>>> >>> ACK >> ACK >> >>>> From a9f7ecf5833db379fe9731184aa4f7aef8845995 Mon Sep 17 00:00:00 >>>> 2001 >>>> From: Pavel Vomacka >>>> Date: Tue, 26 Jul 2016 09:48:32 +0200 >>>> Subject: [PATCH 10/13] Coverity - iterating over variable which could >>>> be null >>>> >>>> Change condition to check also variable which could be null. >>>> --- >>>> install/ui/src/freeipa/widgets/APIBrowserWidget.js | 8 ++++---- >>>> 1 file changed, 4 insertions(+), 4 deletions(-) 
>>>> >>>> diff --git a/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> b/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> index >>>> 50c2989fcc126585787df61cdd19493632ed37b9..18773536d3587cdeb9e5fecedcc5e42c05bfe120 >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> +++ b/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> @@ -135,7 +135,7 @@ widgets.APIBrowserWidget = declare([Stateful, >>>> Evented], { >>>> groups = this._get_params(parts[0]); >>>> } >>>> >>>> - if (filter) { >>>> + if (filter && groups) { >>>> filter = filter.toLowerCase(); >>>> var new_groups = []; >>>> for (var i=0,l=groups.length; i>>> @@ -153,10 +153,10 @@ widgets.APIBrowserWidget = declare([Stateful, >>>> Evented], { >>>> new_groups.push(groups[i]); >>>> } >>>> } >>>> - return new_groups; >>>> - } else { >>>> - return groups; >>>> + groups = new_groups; >>>> } >>>> + >>>> + return groups; >>>> }, >>>> >>>> /** >>>> -- >>>> 2.5.5 >>>> >>> ACK >> ACK >> >>> >>>> From 3d63ca1d5cb7a7b84cf20c26d4b1ea5b657c44c4 Mon Sep 17 00:00:00 >>>> 2001 >>>> From: Pavel Vomacka >>>> Date: Tue, 26 Jul 2016 12:03:28 +0200 >>>> Subject: [PATCH 11/13] Coverity - opens dialog which might not be >>>> created >>>> >>>> Check whether dialog object is created before opening it. >>>> --- >>>> install/ui/src/freeipa/search.js | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/install/ui/src/freeipa/search.js >>>> b/install/ui/src/freeipa/search.js >>>> index >>>> 25f21e70db170daf0d45a6862ee9adb528ad03bc..fee1bc7523d6afdb3e2b23db2833a415febb85ec >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/search.js >>>> +++ b/install/ui/src/freeipa/search.js 
>>>> @@ -221,7 +221,7 @@ IPA.search_facet = function(spec, no_init) { >>>> that.show_remove_dialog = function() { >>>> >>>> var dialog = that.create_remove_dialog(); >>>> - dialog.open(); >>>> + if (dialog) dialog.open(); >>>> }; >>>> >>>> that.find = function() { >>>> -- >>>> 2.5.5 >>>> >>> ACK >> >> ACK but question is whether we should also log to console that dialog is >> not defined because it just hides an issue which may be harder to debug. >> > It's a good idea, logging added. >>>> From 7819293fc546de31cc5eea246242742af3be094e Mon Sep 17 00:00:00 >>>> 2001 >>>> From: Pavel Vomacka >>>> Date: Tue, 26 Jul 2016 13:07:30 +0200 >>>> Subject: [PATCH 12/13] Coverity - accessing attribute of variable >>>> which can >>>> point to null >>>> >>>> Added check whether variable is pointing to null or not. >>>> --- >>>> install/ui/src/freeipa/widget.js | 4 ++-- >>>> 1 file changed, 2 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/install/ui/src/freeipa/widget.js >>>> b/install/ui/src/freeipa/widget.js >>>> index >>>> 43804c5ea524ca741017d02f6e12ccf60d50b5df..1f61ce7341b1b8e13d4df5acea1f8901a63a290a >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/widget.js >>>> +++ b/install/ui/src/freeipa/widget.js >>>> @@ -4938,7 +4938,7 @@ IPA.combobox_widget = function(spec) { >>>> var value = that.list.val(); >>>> var option = $('option[value="'+value+'"]', that.list); >>>> var next = option.next(); >>>> - if (!next.length) return; >>>> + if (!next || !next.length) return; >>>> that.select(next.val()); >>>> }; 
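Review bot: the `!next ||` half of `if (!next || !next.length) return;` in this hunk is unreachable: `option` comes from `$('option[value="'+value+'"]', that.list)`, and jQuery's `.next()` on a jQuery collection returns another collection (empty when there is no following sibling), never null or undefined, so the existing `.length` test already covered the no-sibling case. Either drop the added test or say in the commit message which caller hands `that.list` a non-jQuery value; the same applies to the `prev` hunk that follows.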
>>>> >>>> @@ -4946,7 +4946,7 @@ IPA.combobox_widget = function(spec) { >>>> var value = that.list.val(); >>>> var option = $('option[value="'+value+'"]', that.list); >>>> var prev = option.prev(); >>>> - if (!prev.length) return; >>>> + if (!prev || !prev.length) return; >>>> that.select(prev.val()); >>>> }; >>>> >>>> -- >>>> 2.5.5 >>>> >>> ACK >> ACK, but IMO the situation cannot happen. .next() and .prev() should not >> return null ever. >> > There are conditions which return null in next() and prev() functions. > So, it could happen. >>>> From 3ba5110fa8b2255b83fa3e7a4135ec33b85a7fd8 Mon Sep 17 00:00:00 >>>> 2001 >>>> From: Pavel Vomacka >>>> Date: Fri, 29 Jul 2016 10:13:21 +0200 >>>> Subject: [PATCH 13/13] Coverity - null pointer dereference >>>> >>>> Add a check which protects from calling a method of null. >>>> --- >>>> install/ui/src/freeipa/widgets/APIBrowserWidget.js | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> b/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> index >>>> 18773536d3587cdeb9e5fecedcc5e42c05bfe120..2164df2f5ffa00edf9ac41fd4cf6254f6d4eb9a3 >>>> >>>> 100644 >>>> --- a/install/ui/src/freeipa/widgets/APIBrowserWidget.js >>>> +++ b/install/ui/src/freeipa/widgets/APIBrowserWidget.js 
>>>> @@ -264,7 +264,7 @@ widgets.APIBrowserWidget = declare([Stateful, >>>> Evented], { >>>> this.list_w.select(item); >>>> >>>> // set item >>>> - widget.set('item', item); >>>> + if (widget) widget.set('item', item); >>>> this.set('current', { >>>> item: item, >>>> type: type, >>>> -- >>>> 2.5.5 >>>> >>> ACK >>> >> Does it fix the issue? There is a line before this one which also uses >> `widget` >> >> if (!widget.el) widget.render(); >> >> maybe we miss `return;` in: >> >> } else { >> IPA.notify("Invalid type", 'error'); >> this.show_default(); >> } >> >> >> >> >> > There is another patch, which fixes the line above this one (0089). Or > we can add return to the end of the else branch. > > > -- Pavel^3 Vomacka -------------- next part -------------- An HTML attachment was scrubbed... URL: From freeipa-github-notification at redhat.com Thu Sep 29 11:18:03 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 29 Sep 2016 13:18:03 +0200 Subject: [Freeipa-devel] [freeipa PR#114][+ack] Raise errors from service.py:_ldap_mod() by default In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/114 Title: #114: Raise errors from service.py:_ldap_mod() by default Label: +ack From freeipa-github-notification at redhat.com Thu Sep 29 11:23:50 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 29 Sep 2016 13:23:50 +0200 Subject: [Freeipa-devel] [freeipa PR#108][comment] Bump pki min version and add commentary about sub-CA revocation on delete In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/108 Title: #108: Bump pki min version and add commentary about sub-CA revocation on delete mbasti-rh commented: """ I don't think that bumping BuildRequires is needed Also you are changing strings used for translations, so I'd use this change and rather add new things to doc string using http://www.freeipa.org/page/Coding_Best_Practices#Split_long_translatable_strings It will help translators in future """ See the full comment at https://github.com/freeipa/freeipa/pull/108#issuecomment-250439798 From freeipa-github-notification at redhat.com Thu Sep 29 11:39:56 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 29 Sep 2016 13:39:56 +0200 Subject: [Freeipa-devel] [freeipa PR#115][comment] Don't show traceback when ipa config file is not an absolute path In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/115 Title: #115: Don't show traceback when ipa config file is not an absolute path mbasti-rh commented: """ nack, please see comments """ See the full comment at https://github.com/freeipa/freeipa/pull/115#issuecomment-250442693 From freeipa-github-notification at redhat.com Thu Sep 29 11:51:16 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 29 Sep 2016 13:51:16 +0200 Subject: [Freeipa-devel] [freeipa PR#115][synchronized] Don't show traceback when ipa config file is not an absolute path In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/115 Author: tomaskrizek Title: #115: Don't show traceback when ipa config file is not an absolute path Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/115/head:pr115 git checkout pr115 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-115.patch Type: text/x-diff Size: 3714 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Sep 29 12:14:39 2016 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 29 Sep 2016 14:14:39 +0200 Subject: [Freeipa-devel] [freeipa PR#126][opened] Fix ipa migrate-ds when it finds a search reference Message-ID: URL: https://github.com/freeipa/freeipa/pull/126 Author: flo-renaud Title: #126: Fix ipa migrate-ds when it finds a search reference Action: opened PR body: """ When ipa migrate-ds finds user entries and a search reference, it complains that the LDAP search did not return any result and does not migrate the entries or the groups. The issue comes from LDAPClient._convert_result which returns an empty result list when the input is a search reference. In turn LDAPClient.find_entries assumes that the empty result list corresponds to a Search Result Done and returns without any entry. The fix is to return a LDAPUrl inside _convert_result and properly process LDAPUrl in find_entries. https://fedorahosted.org/freeipa/ticket/6358 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/126/head:pr126 git checkout pr126 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-126.patch Type: text/x-diff Size: 3788 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Sep 29 13:07:40 2016 
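The failure mode PR#126 describes, as an added example that is not FreeIPA's ipaldap code: a search reference batch converts to an empty list, and code that treats an empty batch as SearchResultDone stops before the real entries arrive. The block models the (result type, result data) batches that python-ldap's LDAPObject.result3() returns, with the three RES_* tag values copied in so nothing has to be imported, and runs over constructed sample data (the hostnames, DNs, the LDAPReference class and SAMPLE_BATCHES are all made up for the example). find_entries_naive shows the bug; find_entries stops only on SearchResultDone and hands references back separately, which is the shape of the fix the PR body sketches.

```python
"""Distinguish an LDAP search reference from "no more results".

Added example, not FreeIPA's code. Models the batches python-ldap's
result3() hands back: (result_type, [(dn, attrs), ...]). Constants are
copied from python-ldap (they are the LDAP protocol operation tags).
"""
from urllib.parse import urlsplit

RES_SEARCH_ENTRY = 100       # SearchResultEntry
RES_SEARCH_RESULT = 101      # SearchResultDone
RES_SEARCH_REFERENCE = 115   # SearchResultReference


class LDAPReference:
    """Stand-in for ldapurl.LDAPUrl (assumed name): where the referenced
    naming context lives, so a caller can decide whether to chase it."""

    def __init__(self, url):
        self.url = url
        parts = urlsplit(url)
        self.host = parts.netloc
        # path carries "/<base dn>"; query carries "attrs?scope?filter"
        self.base_dn = parts.path.lstrip("/")

    def __repr__(self):
        return "LDAPReference(%r)" % self.url


# Constructed sample batches, in an order a server may legitimately use:
# a reference to another naming context first, then entries, then done.
SAMPLE_BATCHES = [
    (RES_SEARCH_REFERENCE,
     [(None, ["ldap://ldap2.example.test/ou=people,dc=example,dc=test??sub"])]),
    (RES_SEARCH_ENTRY,
     [("uid=alice,ou=people,dc=example,dc=test", {"uid": [b"alice"]})]),
    (RES_SEARCH_ENTRY,
     [("uid=bob,ou=people,dc=example,dc=test", {"uid": [b"bob"]})]),
    (RES_SEARCH_RESULT, []),
]


def find_entries_naive(batches):
    """The bug: a reference (dn is None) converts to nothing, and an empty
    converted batch is mistaken for SearchResultDone."""
    entries = []
    for _rtype, rdata in batches:
        converted = [(dn, attrs) for dn, attrs in rdata if dn is not None]
        if not converted:
            break              # wrong: a reference batch also lands here
        entries.extend(converted)
    return entries


def convert_result(rtype, rdata):
    """Turn one batch into entries and/or references without dropping data."""
    if rtype == RES_SEARCH_REFERENCE:
        # python-ldap delivers a reference as (None, [url, url, ...])
        return [LDAPReference(url) for _dn, urls in rdata for url in urls]
    if rtype == RES_SEARCH_ENTRY:
        return [(dn, attrs) for dn, attrs in rdata]
    return []


def find_entries(batches):
    """Stop only on SearchResultDone; keep references apart from entries."""
    entries, references = [], []
    for rtype, rdata in batches:
        if rtype == RES_SEARCH_RESULT:
            break
        for item in convert_result(rtype, rdata):
            if isinstance(item, LDAPReference):
                references.append(item)
            else:
                entries.append(item)
    return entries, references


if __name__ == "__main__":
    print("naive:", find_entries_naive(SAMPLE_BATCHES))
    found, refs = find_entries(SAMPLE_BATCHES)
    print("entries:", [dn for dn, _ in found])
    print("references:", [(r.host, r.base_dn) for r in refs])
```

Whether a migration tool should follow the reference (another LDAP host, possibly without the credentials or trust the first one had) or only log it is a policy decision for the caller; what it must not do is read the reference as an empty result set.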
From: freeipa-github-notification at redhat.com (apophys) Date: Thu, 29 Sep 2016 15:07:40 +0200 Subject: [Freeipa-devel] [freeipa PR#73][synchronized] Tests for certificates with SAN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/73 Author: apophys Title: #73: Tests for certificates with SAN Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/73/head:pr73 git checkout pr73 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-73.patch Type: text/x-diff Size: 19593 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Sep 29 13:11:23 2016 From: freeipa-github-notification at redhat.com (apophys) Date: Thu, 29 Sep 2016 15:11:23 +0200 Subject: [Freeipa-devel] [freeipa PR#73][comment] Tests for certificates with SAN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/73 Title: #73: Tests for certificates with SAN apophys commented: """ I have fixed typos and implemented the proposed test cases. I have also provided docstring to the change_principal context manager. """ See the full comment at https://github.com/freeipa/freeipa/pull/73#issuecomment-250461484 From jdennis at redhat.com Thu Sep 29 13:44:18 2016 
From: jdennis at redhat.com (John Dennis) Date: Thu, 29 Sep 2016 09:44:18 -0400 Subject: [Freeipa-devel] python-nss-1.0.0-2.fc24.x86_64 from updates-testing breaks FreeIPA client API In-Reply-To: <20160929081450.s5mpkxzhiq3lkodd@redhat.com> References: <20160929081450.s5mpkxzhiq3lkodd@redhat.com> Message-ID: <093b9956-2a86-5d84-9250-41dad896a42a@redhat.com> On 09/29/2016 04:14 AM, Alexander Bokovoy wrote: > On Thu, 29 Sep 2016, Martin Babinsky wrote: >> Hi list, >> >> today I noticed the following exceptions in my VMs when >> installing/using FreeIPA: >> >> """ >> # ipa ping >> exception in SSLSocket.handshake_callback >> Traceback (most recent call last): >> File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line >> 258, in handshake_callback >> channel = sock.get_ssl_channel_info() >> nss.error.NSPRError: (SEC_ERROR_INVALID_ARGS) security library: >> invalid arguments. >> -------------------------------------------- >> IPA server version 4.4.90. API version 2.215 >> -------------------------------------------- >> """ >> >> This was caused by python-nss-1.0.0-2.fc24.x86_64 which was pushed to >> updates-testing. Reverting the package to previous versions fixed the >> problem. > python-nss-1.0.0-1.fc25 (note fc25) works fine. There is no 1.0.0-2.fc25 > which is a packaging bug, but that should not be bringing any > difference as the tarball (1.0.0) is the same and no additional patches > were applied. Alexander is correct, there were no changes between the f24 and f25 versions. Martin Basti added later he could not reproduce the problem either. So I'm not sure what is going on but let's keep an eye on it, at the moment I don't think it's a regression in python-nss, but who knows. As for whether python-nss-1.0.0-2.fc24 vs python-nss-1.0.0-1.fc25 is a packaging bug, my understanding is that it is permissible for distributions to have independent release numbers. 
Yes, if you upgraded from f24 to f25 at this moment it wouldn't update the f25 version but in this case it's OK because the difference between the 1 and 2 releases is only in the spec file which removed an unused reference to a patch. However, I'll push an update to f25 to keep things consistent. > > Also, we didn't have any changes between 4.4.1 and git master that could > have affected ipapython/nsslib.py other than > 0f88f8fe889ae4801fc8d5ece1ad51c5246718ac, > which is this chunk of changes: > > diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py > index 1573de9..f9f64c1 100644 > --- a/ipapython/nsslib.py > +++ b/ipapython/nsslib.py > @@ -234,7 +234,7 @@ class NSSConnection(httplib.HTTPConnection, > NSSAddressFamilyFallback): > self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) > try: > self.sock.set_ssl_version_range(self.tls_version_min, > self.tls_version_max) > - except NSPRError as e: > + except NSPRError: > root_logger.error('Failed to set TLS range to %s, %s' % > (self.tls_version_min, self.tls_version_max)) > raise > self.sock.set_ssl_option(ssl_require_safe_negotiation, False) > > e.g. nothing that is relevant to the trace you provided. > > -- John From freeipa-github-notification at redhat.com Thu Sep 29 22:20:48 2016 
From: freeipa-github-notification at redhat.com (tjaalton) Date: Fri, 30 Sep 2016 00:20:48 +0200 Subject: [Freeipa-devel] [freeipa PR#127][opened] Move ipa-otpd to $libexecdir/ipa Message-ID: URL: https://github.com/freeipa/freeipa/pull/127 Author: tjaalton Title: #127: Move ipa-otpd to $libexecdir/ipa Action: opened PR body: """ This is more consistent with the other daemons. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/127/head:pr127 git checkout pr127 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-127.patch Type: text/x-diff Size: 2193 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Sep 29 22:47:24 2016 From: freeipa-github-notification at redhat.com (tjaalton) Date: Fri, 30 Sep 2016 00:47:24 +0200 Subject: [Freeipa-devel] [freeipa PR#127][synchronized] Move ipa-otpd to $libexecdir/ipa In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/127 Author: tjaalton Title: #127: Move ipa-otpd to $libexecdir/ipa Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/127/head:pr127 git checkout pr127 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-127.patch Type: text/x-diff Size: 29288 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Sep 29 22:59:33 2016 
From: freeipa-github-notification at redhat.com (tjaalton) Date: Fri, 30 Sep 2016 00:59:33 +0200 Subject: [Freeipa-devel] [freeipa PR#127][edited] Move ipa-otpd to $libexecdir/ipa, purge ffextension In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/127 Author: tjaalton Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension Action: edited To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/127/head:pr127 git checkout pr127 From freeipa-github-notification at redhat.com Thu Sep 29 23:02:49 2016 From: freeipa-github-notification at redhat.com (tjaalton) Date: Fri, 30 Sep 2016 01:02:49 +0200 Subject: [Freeipa-devel] [freeipa PR#127][synchronized] Move ipa-otpd to $libexecdir/ipa, purge ffextension In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/127 Author: tjaalton Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/127/head:pr127 git checkout pr127 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-127.patch Type: text/x-diff Size: 29417 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Sep 30 07:42:32 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 30 Sep 2016 09:42:32 +0200 Subject: [Freeipa-devel] [freeipa PR#120][comment] Pretty-print structures in assert_deepequal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/120 Title: #120: Pretty-print structures in assert_deepequal pspacek commented: """ ACK as well :-) """ See the full comment at https://github.com/freeipa/freeipa/pull/120#issuecomment-250680762 From freeipa-github-notification at redhat.com Fri Sep 30 07:56:21 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 30 Sep 2016 09:56:21 +0200 Subject: [Freeipa-devel] [freeipa PR#120][+pushed] Pretty-print structures in assert_deepequal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/120 Title: #120: Pretty-print structures in assert_deepequal Label: +pushed From freeipa-github-notification at redhat.com Fri Sep 30 07:56:22 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 30 Sep 2016 09:56:22 +0200 Subject: [Freeipa-devel] [freeipa PR#120][comment] Pretty-print structures in assert_deepequal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/120 Title: #120: Pretty-print structures in assert_deepequal martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ecd6cb4e45096f8d6653c6bb2e4701e683ce4e61 ipa-4-4: https://fedorahosted.org/freeipa/changeset/d982710bec5924308abcb222fe09873f9c67c452 """ See the full comment at https://github.com/freeipa/freeipa/pull/120#issuecomment-250683103 From freeipa-github-notification at redhat.com Fri Sep 30 07:56:24 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 30 Sep 2016 09:56:24 +0200 Subject: [Freeipa-devel] [freeipa PR#120][closed] Pretty-print structures in assert_deepequal In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/120 Author: stlaz Title: #120: Pretty-print structures in assert_deepequal Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/120/head:pr120 git checkout pr120 From freeipa-github-notification at redhat.com Fri Sep 30 11:14:17 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 30 Sep 2016 13:14:17 +0200 Subject: [Freeipa-devel] [freeipa PR#124][comment] Fix: find OSCP certificate test In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/124 Title: #124: Fix: find OSCP certificate test mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/95aa9369cb2f84ab71fa84e254d0bb3af264e97e """ See the full comment at https://github.com/freeipa/freeipa/pull/124#issuecomment-250719682 From freeipa-github-notification at redhat.com Fri Sep 30 11:14:19 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 30 Sep 2016 13:14:19 +0200 Subject: [Freeipa-devel] [freeipa PR#124][closed] Fix: find OSCP certificate test In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/124 Author: mbasti-rh Title: #124: Fix: find OSCP certificate test Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/124/head:pr124 git checkout pr124 From freeipa-github-notification at redhat.com Fri Sep 30 11:14:21 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 30 Sep 2016 13:14:21 +0200 Subject: [Freeipa-devel] [freeipa PR#124][+pushed] Fix: find OSCP certificate test In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/124 Title: #124: Fix: find OSCP certificate test Label: +pushed From freeipa-github-notification at redhat.com Fri Sep 30 11:56:06 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 30 Sep 2016 13:56:06 +0200 Subject: [Freeipa-devel] [freeipa PR#112][+ack] The first jab at fixing https://fedorahosted.org/freeipa/ticket/5809 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/112 Title: #112: The first jab at fixing https://fedorahosted.org/freeipa/ticket/5809 Label: +ack From mkosek at redhat.com Fri Sep 30 12:19:12 2016 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 30 Sep 2016 14:19:12 +0200 Subject: [Freeipa-devel] FedoraHosted.org sunset In-Reply-To: <20160923075422.liumycyyw7eivzli@hendrix> References: <7c333c64-919b-9cdf-f5c9-3f48f89710ec@redhat.com> <20160923075422.liumycyyw7eivzli@hendrix> Message-ID: <9ed30c39-45e1-6714-cd75-cb9920468090@redhat.com> On 09/23/2016 09:54 AM, Jakub Hrozek wrote: > On Thu, Sep 22, 2016 at 06:09:43PM +0200, Petr Vobornik wrote: >> Hi all, >> >> As you know, FedoraHosted.org will be decommissioned. >> https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/ >> >> We use Trac instance there. Let's discuss where we should migrate and >> what are our requirements. Then put results in one place. For that I've >> created: >> http://www.freeipa.org/page/FedoraHosted_Migration > > Thank you for writing this up, there are some good points I didn't think > about, like migrating the ticket numbers. Did you already file an issue > that tracks this in Pagure (or asked if this is already possible)? I think achieving the same ticket numbers should not be difficult. During the migration, we would just need to make sure we insert dummy Pagure/Github/... tickets where the original ticket was deleted, like https://fedorahosted.org/freeipa/ticket/2 Martin From pvoborni at redhat.com Fri Sep 30 13:10:51 2016
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 30 Sep 2016 15:10:51 +0200 Subject: [Freeipa-devel] [PATCH 0097] Properly handle LDAP socket closures in ipa-otpd In-Reply-To: <1475074733.9001.0.camel@redhat.com> References: <1475002482.22323.17.camel@redhat.com> <20160928050334.li3lfpvabo3nc773@redhat.com> <1475074733.9001.0.camel@redhat.com> Message-ID: <2f7d5257-629c-2e18-250f-6a5e11a2bd39@redhat.com> On 09/28/2016 04:58 PM, Nathaniel McCallum wrote: > On Wed, 2016-09-28 at 08:03 +0300, Alexander Bokovoy wrote: >> On Tue, 27 Sep 2016, Nathaniel McCallum wrote: >>> In at least one case, when an LDAP socket closes, a read event is >>> fired >>> rather than an error event. Without this patch, ipa-otpd silently >>> ignores this event and enters a state where all bind auths fail. >>> >>> To remedy this problem, we pass error events along the same path as >>> read events. Should the actual read fail, we exit. >> >> Please add the bugzilla link. > > Done. > Linked upstream ticket: https://fedorahosted.org/freeipa/ticket/6368 -- Petr Vobornik From npmccallum at redhat.com Fri Sep 30 14:46:54 2016
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Fri, 30 Sep 2016 10:46:54 -0400 Subject: [Freeipa-devel] FedoraHosted.org sunset In-Reply-To: <9ed30c39-45e1-6714-cd75-cb9920468090@redhat.com> References: <7c333c64-919b-9cdf-f5c9-3f48f89710ec@redhat.com> <20160923075422.liumycyyw7eivzli@hendrix> <9ed30c39-45e1-6714-cd75-cb9920468090@redhat.com> Message-ID: <1475246814.25274.1.camel@redhat.com> On Fri, 2016-09-30 at 14:19 +0200, Martin Kosek wrote: > On 09/23/2016 09:54 AM, Jakub Hrozek wrote: > > On Thu, Sep 22, 2016 at 06:09:43PM +0200, Petr Vobornik wrote: > > > Hi all, > > > > > > As you know, FedoraHosted.org will be decommissioned. > > > https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/ > > > > > > We use Trac instance there. Let's discuss where we should migrate > > > and > > > what are our requirements. Then put results in one place. For > > > that I've > > > created: > > > http://www.freeipa.org/page/FedoraHosted_Migration > > > > > > Thank you for writing this up, there are some good points I didn't > > think > > about, like migrating the ticket numbers. Did you already file an > > issue > > that tracks this in Pagure (or asked if this is already possible)? > > > I think achieving the same ticket numbers should not be > difficult. During > the migration, we would just need to make sure we insert dummy > Pagure/Github/... tickets where the original ticket was deleted, > like > > https://fedorahosted.org/freeipa/ticket/2 A pro for github is that migration tools exist. This is a con for pagure. The github API doesn't allow you to specify issue numbers. However, it does issue them incrementally. Thus, so long as the input to the conversion process is sorted by ticket number and there are no gaps, the ticket number will be retained. One issue I ran into was github's throttling limits. I worked around this by inserting a sleep() into the import loop which slowed down the process enough to bypass github's limiting. 
However, this also means that with a database as large as FreeIPA's, import will take a long time. Nathaniel From npmccallum at redhat.com Fri Sep 30 15:32:00 2016 From: npmccallum at redhat.com (Nathaniel McCallum) Date: Fri, 30 Sep 2016 11:32:00 -0400 Subject: [Freeipa-devel] [PATCH 0097] Properly handle LDAP socket closures in ipa-otpd In-Reply-To: <2f7d5257-629c-2e18-250f-6a5e11a2bd39@redhat.com> References: <1475002482.22323.17.camel@redhat.com> <20160928050334.li3lfpvabo3nc773@redhat.com> <1475074733.9001.0.camel@redhat.com> <2f7d5257-629c-2e18-250f-6a5e11a2bd39@redhat.com> Message-ID: <1475249520.25274.2.camel@redhat.com> On Fri, 2016-09-30 at 15:10 +0200, Petr Vobornik wrote: > On 09/28/2016 04:58 PM, Nathaniel McCallum wrote: > > On Wed, 2016-09-28 at 08:03 +0300, Alexander Bokovoy wrote: > > > On Tue, 27 Sep 2016, Nathaniel McCallum wrote: > > > > In at least one case, when an LDAP socket closes, a read event > > > > is > > > > fired > > > > rather than an error event. Without this patch, ipa-otpd > > > > silently > > > > ignores this event and enters a state where all bind auths > > > > fail. > > > > > > > > To remedy this problem, we pass error events along the same > > > > path as > > > > read events. Should the actual read fail, we exit. > > > > > > > > > Please add the bugzilla link. > > > > > > Done. > > > > > Linked upstream ticket: https://fedorahosted.org/freeipa/ticket/6368 Added upstream ticket link to the commit message. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-npmccallum-0097-Properly-handle-LDAP-socket-closures-in-ipa-otpd.patch Type: text/x-patch Size: 3067 bytes Desc: not available URL: From rharwood at redhat.com Fri Sep 30 17:02:22 2016
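The import loop Nathaniel describes earlier in this thread (input sorted by Trac number, placeholders for deleted tickets so there are no gaps, and a sleep() when the remote API throttles) can be written down as a small driver. This is an added example, not code from the thread or from any FreeIPA or Fedora migration tool; FakeIssueTracker is a constructed stand-in for the remote API that only models the two properties the approach depends on (numbers handed out sequentially, throttling after a few creates), and the sample tickets are made up.

```python
import time
from dataclasses import dataclass


@dataclass
class TracTicket:
    """One ticket exported from Trac (constructed sample input, not real data)."""
    number: int
    summary: str
    description: str = ""


PLACEHOLDER_SUMMARY = "Placeholder for deleted Trac ticket #%d"


class RateLimited(Exception):
    """Raised by the tracker when it throttles; carries the seconds to wait."""

    def __init__(self, retry_after):
        super().__init__("throttled, retry after %s s" % retry_after)
        self.retry_after = retry_after


class FakeIssueTracker:
    """Hypothetical stand-in for the remote issue API (not GitHub's client).

    It numbers issues sequentially from 1 and refuses every create beyond
    `limit` per window, which is all the import loop relies on."""

    def __init__(self, limit=3, retry_after=2):
        self.limit = limit
        self.retry_after = retry_after
        self.issues = []        # (title, body) in creation order
        self.in_window = 0

    def create_issue(self, title, body):
        if self.in_window >= self.limit:
            self.in_window = 0  # window has reset by the time the caller retries
            raise RateLimited(self.retry_after)
        self.in_window += 1
        self.issues.append((title, body))
        return len(self.issues)  # the tracker, not the caller, picks the number


def fill_gaps(tickets):
    """Sort by Trac number and insert a placeholder for every missing number
    (a deleted ticket), so sequential numbering on the target lines up."""
    by_number = {t.number: t for t in tickets}
    if not by_number:
        return []
    ordered = []
    for n in range(1, max(by_number) + 1):
        ticket = by_number.get(n)
        if ticket is None:
            ticket = TracTicket(n, PLACEHOLDER_SUMMARY % n,
                                "Deleted in Trac before migration; number reserved.")
        ordered.append(ticket)
    return ordered


def import_tickets(tickets, tracker, sleep=time.sleep):
    """Create issues in order, sleeping through throttling, and stop at the
    first numbering drift. Returns {trac_number: issue_number}."""
    mapping = {}
    for ticket in fill_gaps(tickets):
        while True:
            try:
                issued = tracker.create_issue(ticket.summary, ticket.description)
                break
            except RateLimited as exc:
                sleep(exc.retry_after)  # the sleep() from the thread, driven by the hint
        if issued != ticket.number:
            raise RuntimeError("numbering drift: Trac #%d became issue #%d"
                               % (ticket.number, issued))
        mapping[ticket.number] = issued
    return mapping


if __name__ == "__main__":
    sample = [TracTicket(4, "replica install fails"), TracTicket(1, "initial import"),
              TracTicket(3, "web UI typo"), TracTicket(6, "otp daemon hang")]
    tracker = FakeIssueTracker(limit=2, retry_after=5)
    print(import_tickets(sample, tracker, sleep=lambda s: print("sleeping", s)))
```

Against the real GitHub REST API the create call is a POST to /repos/{owner}/{repo}/issues and the wait is better derived from the X-RateLimit-Remaining and X-RateLimit-Reset response headers than from a fixed interval. The drift check is what makes the approach safe: any issue opened by someone else while the import runs shifts every later number, and the loop should stop rather than silently renumber the rest of the history.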
From: rharwood at redhat.com (Robbie Harwood) Date: Fri, 30 Sep 2016 13:02:22 -0400 Subject: [Freeipa-devel] FedoraHosted.org sunset In-Reply-To: <1475246814.25274.1.camel@redhat.com> References: <7c333c64-919b-9cdf-f5c9-3f48f89710ec@redhat.com> <20160923075422.liumycyyw7eivzli@hendrix> <9ed30c39-45e1-6714-cd75-cb9920468090@redhat.com> <1475246814.25274.1.camel@redhat.com> Message-ID: Nathaniel McCallum writes: > On Fri, 2016-09-30 at 14:19 +0200, Martin Kosek wrote: >> On 09/23/2016 09:54 AM, Jakub Hrozek wrote: >>> On Thu, Sep 22, 2016 at 06:09:43PM +0200, Petr Vobornik wrote: >>>> >>>> As you know, FedoraHosted.org will be decommissioned. >>>> https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/ >>>> >>>> We use Trac instance there. Let's discuss where we should migrate >>>> and what are our requirements. Then put results in one place. For >>>> that I've created: >>>> http://www.freeipa.org/page/FedoraHosted_Migration >>> >>> >>> Thank you for writing this up, there are some good points I didn't >>> think about, like migrating the ticket numbers. Did you already file >>> an issue that tracks this in Pagure (or asked if this is already >>> possible)? >> >> >> I think achieving the same ticket numbers should not be >> difficult. During the migration, we would just need to make sure we >> insert dummy Pagure/Github/... tickets where the original ticket >> was deleted, like >> >> https://fedorahosted.org/freeipa/ticket/2 > > A pro for github is that migration tools exist. This is a con for > pagure. Much as I want github... a migration tool does exist to go to pagure: https://pagure.io/pagure-importer/ I have used it (on the gssproxy fedorahosted as a test) and while I did not like it, it did get the job done eventually. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 818 bytes Desc: not available URL: From npmccallum at redhat.com Fri Sep 30 17:47:54 2016 
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Fri, 30 Sep 2016 13:47:54 -0400 Subject: [Freeipa-devel] FedoraHosted.org sunset In-Reply-To: References: <7c333c64-919b-9cdf-f5c9-3f48f89710ec@redhat.com> <20160923075422.liumycyyw7eivzli@hendrix> <9ed30c39-45e1-6714-cd75-cb9920468090@redhat.com> <1475246814.25274.1.camel@redhat.com> Message-ID: <1475257674.25274.3.camel@redhat.com> On Fri, 2016-09-30 at 13:02 -0400, Robbie Harwood wrote: > Nathaniel McCallum writes: > > > On Fri, 2016-09-30 at 14:19 +0200, Martin Kosek wrote: > > > On 09/23/2016 09:54 AM, Jakub Hrozek wrote: > > > > On Thu, Sep 22, 2016 at 06:09:43PM +0200, Petr Vobornik wrote: > > > > > > > > > > As you know, FedoraHosted.org will be decommissioned. > > > > > https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/ > > > > > > > > > > We use Trac instance there. Let's discuss where we should > > > > > migrate > > > > > and what are our requirements. Then put results in one place. > > > > > For > > > > > that I've created: > > > > > http://www.freeipa.org/page/FedoraHosted_Migration > > > > > > > > > > > > > > > > Thank you for writing this up, there are some good points I > > > > didn't > > > > think about, like migrating the ticket numbers. Did you already > > > > file > > > > an issue that tracks this in Pagure (or asked if this is > > > > already > > > > possible)? > > > > > > > > > > > > I think achieving the same ticket numbers should not be > > > difficult. During the migration, we would just need to make sure > > > we > > > insert dummy Pagure/Github/... tickets where the original > > > ticket > > > was deleted, like > > > > > > https://fedorahosted.org/freeipa/ticket/2 > > > > > > A pro for github is that migration tools exist. This is a con for > > pagure. > > > Much as I want github... 
a migration tool does exist to go to pagure: > https://pagure.io/pagure-importer/ I have used it (on the gssproxy > fedorahosted as a test) and while I did not like it it did get the > job > done eventually. Thanks for the correction. I didn't see that the last time I looked. Nathaniel From freeipa-github-notification at redhat.com Fri Sep 30 18:00:12 2016 From: freeipa-github-notification at redhat.com (npmccallum) Date: Fri, 30 Sep 2016 20:00:12 +0200 Subject: [Freeipa-devel] [freeipa PR#128][opened] Properly handle LDAP socket closures in ipa-otpd Message-ID: URL: https://github.com/freeipa/freeipa/pull/128 Author: npmccallum Title: #128: Properly handle LDAP socket closures in ipa-otpd Action: opened PR body: """ In at least one case, when an LDAP socket closes, a read event is fired rather than an error event. Without this patch, ipa-otpd silently ignores this event and enters a state where all bind auths fail. To remedy this problem, we pass error events along the same path as read events. Should the actual read fail, we exit. https://bugzilla.redhat.com/show_bug.cgi?id=1377858 https://fedorahosted.org/freeipa/ticket/6368 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/128/head:pr128 git checkout pr128 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-128.patch Type: text/x-diff Size: 2923 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Sep 30 18:34:30 2016 
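The failure mode in the PR #128 description above (a closed LDAP socket surfacing as a read event rather than an error event, and a handler that only watches for errors therefore sitting on a dead connection) is easy to reproduce with poll(). The following is an added Python example, not ipa-otpd's code (ipa-otpd is written in C); a local socketpair is a constructed stand-in for the connection to the directory server, and naive_handle and handle are hypothetical names for the pre-fix and post-fix dispatch shapes.

```python
import select
import socket


def wait_for_event(sock, timeout_ms=1000):
    """Register read, error and hang-up interest on one descriptor and return
    the revents mask that poll() reports (0 on timeout)."""
    poller = select.poll()
    poller.register(sock.fileno(), select.POLLIN | select.POLLERR | select.POLLHUP)
    ready = poller.poll(timeout_ms)
    return ready[0][1] if ready else 0


def naive_handle(sock, revents):
    """Pre-fix shape: only an explicit error event counts as a dead connection.
    A bare read event on a closed socket is reported but never read, so the
    EOF behind it is never noticed and every later bind would just hang."""
    if revents & select.POLLERR:
        return ("closed", None)
    if revents & select.POLLIN:
        return ("readable", None)
    return ("idle", None)


def handle(sock, revents):
    """Post-fix shape: error and hang-up take the read path and the read's
    outcome decides. Returns ('data', bytes), ('closed', None) or ('idle', None)."""
    if not revents:
        return ("idle", None)
    try:
        data = sock.recv(4096)
    except OSError:
        return ("closed", None)   # read failed: treat as closure and leave the loop
    if not data:
        return ("closed", None)   # zero-length read is EOF: the peer went away
    return ("data", data)


def demo():
    """Drive both handlers over a socketpair standing in for the LDAP link."""
    client, server = socket.socketpair()
    try:
        server.sendall(b"bindResponse")             # constructed stand-in for an LDAP reply
        got = handle(client, wait_for_event(client))

        server.close()                              # the directory server goes away
        revents = wait_for_event(client)
        before_fix = naive_handle(client, revents)  # does not read, so it cannot tell
        after_fix = handle(client, revents)         # reads, sees EOF, reports closure
        return got, before_fix, after_fix, bool(revents & select.POLLIN)
    finally:
        client.close()


if __name__ == "__main__":
    print(demo())
```

On Linux the closed peer shows up in revents as POLLIN (with POLLHUP alongside it) and never as POLLERR, which is exactly why a dispatcher keyed on the error bit misses it; routing every event through the read and letting recv() report b'' or raise is the robust check.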
From: freeipa-github-notification at redhat.com (abbra) Date: Fri, 30 Sep 2016 20:34:30 +0200 Subject: [Freeipa-devel] [freeipa PR#128][comment] Properly handle LDAP socket closures in ipa-otpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/128 Title: #128: Properly handle LDAP socket closures in ipa-otpd abbra commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/128#issuecomment-250819663 From freeipa-github-notification at redhat.com Fri Sep 30 18:34:39 2016 From: freeipa-github-notification at redhat.com (abbra) Date: Fri, 30 Sep 2016 20:34:39 +0200 Subject: [Freeipa-devel] [freeipa PR#128][+ack] Properly handle LDAP socket closures in ipa-otpd In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/128 Title: #128: Properly handle LDAP socket closures in ipa-otpd Label: +ack