freeipa.git/ipalib/plugins/cert.py, branch webui_isolate FreeIPA patches ipalib: move server-side plugins to ipaserver 2016-06-03T07:00:34+00:00 Jan Cholasta jcholast@redhat.com 2016-04-28T08:30:05+00:00 6e44557b601f769d23ee74555a72e8b5cc62c0c9 Move the remaining plugin code from ipalib.plugins to ipaserver.plugins. Remove the now unused ipalib.plugins package. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.

Remove the now unused ipalib.plugins package.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
ipalib: move File command arguments to ipaclient 2016-06-03T07:00:34+00:00 Jan Cholasta jcholast@redhat.com 2016-06-01T13:58:47+00:00 2f7df393fd17b115112c39c714cc6c9b0b37460c File arguments are relevant only on the client, on the server they are the same as Str. Specify the arguments as Str in ipalib.plugins and override them with File in ipaclient.plugins. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 
File arguments are relevant only on the client, on the server they are the
same as Str. Specify the arguments as Str in ipalib.plugins and override
them with File in ipaclient.plugins.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
ipalib: split off client-side plugin code into ipaclient 2016-06-03T07:00:34+00:00 Jan Cholasta jcholast@redhat.com 2016-04-28T08:15:01+00:00 4c7be74526bd89ed1b481f3a1ac4bb467ee0ea2c Provide client-side overrides for command plugins which implement any of the client-side `interactive_prompt_callback`, `forward` or `output_for_cli` methods and move the methods from the original plugins to the overrides. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 
Provide client-side overrides for command plugins which implement any of
the client-side `interactive_prompt_callback`, `forward` or
`output_for_cli` methods and move the methods from the original plugins to
the overrides.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
Add more information regarding where to find revocation reason in "ipa cert_revoke -h" and "ipa cert_find -h". 2016-06-02T08:40:54+00:00 Patrice Duc-Jacquet patduc38@gmail.com 2016-05-04T07:25:57+00:00 deb896768f395dc535ad72715bad4339c97a6a8b According to review feedback, I changed the help message as follow $ ipa cert_revoke -h Usage: ipa [global-options] cert-revoke SERIAL-NUMBER [options] Revoke a certificate. Options: -h, --help show this help message and exit --revocation-reason=INT Reason for revoking the certificate (0-10). Type "ipa help cert" for revocation reason details. https://fedorahosted.org/freeipa/ticket/5819 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Gabe Alford <redhatrises@gmail.com> 
According to review feedback, I changed the help message as follow

$ ipa cert_revoke -h
Usage: ipa [global-options] cert-revoke SERIAL-NUMBER [options]

Revoke a certificate.
Options:
  -h, --help            show this help message and exit
  --revocation-reason=INT
                        Reason for revoking the certificate (0-10). Type "ipa
                        help cert" for revocation reason details.

https://fedorahosted.org/freeipa/ticket/5819

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Gabe Alford <redhatrises@gmail.com>
ipalib: use relative imports for cross-plugin imports 2016-05-25T14:06:26+00:00 Jan Cholasta jcholast@redhat.com 2016-04-20T13:41:34+00:00 9e3c16e322ffc65e7d0799bcfbadec5df0ce1ad6 This will make it possible to move the plugin modules between ipalib, ipaclient and ipaserver without having to change the imports. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 
This will make it possible to move the plugin modules between ipalib,
ipaclient and ipaserver without having to change the imports.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
Remove wildcard imports 2015-12-23T06:59:22+00:00 Martin Basti mbasti@redhat.com 2015-12-16T18:04:20+00:00 e1192ebd975bc17aa600030eecbaed6660dc7733 Wildcard imports should not be used. Check for wildcard imports has been enabled in pylint. Pylint note: options 'wildcard-import' causes too much false positive results, so instead it I used 'unused-wildcard-import' option which has almost the same effect. Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Wildcard imports should not be used.

Check for wildcard imports has been enabled in pylint.
Pylint note: options 'wildcard-import' causes too much false positive
results, so instead it I used 'unused-wildcard-import' option which has almost
the same effect.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove unused imports 2015-12-23T06:59:22+00:00 Martin Basti mbasti@redhat.com 2015-12-16T15:06:03+00:00 e4075b1fe26a608cd1f3778ee1f655a5f5700c65 This patch removes unused imports, alse pylint has been configured to check unused imports. Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
This patch removes unused imports, alse pylint has been configured to
check unused imports.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Handle binascii.Error from base64.b64decode() 2015-10-22T16:34:46+00:00 Petr Viktorin pviktori@redhat.com 2015-10-06T11:54:33+00:00 eab334dde8e3f94fcf1fca0d111b5121e26c1f4f In Python 3, the base64.b64decode function raises binascii.Error (a ValueError subclass) when it finds incorrect padding. In Python 2 it raises TypeError. Callers should usually handle ValueError; unless they are specifically concerned with handling base64 padding issues). In some cases, callers should handle ValueError: - ipalib.pkcs10 (get_friendlyname, load_certificate_request): callers should handle ValueError - ipalib.x509 (load_certificate*, get_*): callers should handle ValueError In other cases ValueError is handled: - ipalib.parameters - ipapython.ssh - ipalib.rpc (json_decode_binary - callers already expect ValueError) - ipaserver.install.ldapupdate Elsewhere no error handling is done, because values come from trusted sources, or are pre-validated: - vault plugin - ipaserver.install.cainstance - ipaserver.install.certs - ipaserver.install.ipa_otptoken_import Reviewed-By: Tomas Babej <tbabej@redhat.com> 
In Python 3, the base64.b64decode function raises binascii.Error (a ValueError
subclass) when it finds incorrect padding. In Python 2 it raises TypeError.

Callers should usually handle ValueError; unless they are specifically
concerned with handling base64 padding issues).

In some cases, callers should handle ValueError:
- ipalib.pkcs10 (get_friendlyname, load_certificate_request): callers should
  handle ValueError
- ipalib.x509 (load_certificate*, get_*): callers should handle ValueError

In other cases ValueError is handled:
- ipalib.parameters
- ipapython.ssh
- ipalib.rpc (json_decode_binary - callers already expect ValueError)
- ipaserver.install.ldapupdate

Elsewhere no error handling is done, because values come from trusted
sources, or are pre-validated:
- vault plugin
- ipaserver.install.cainstance
- ipaserver.install.certs
- ipaserver.install.ipa_otptoken_import

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Alias "unicode" to "str" under Python 3 2015-09-17T09:08:43+00:00 Jan Cholasta jcholast@redhat.com 2015-09-11T11:43:28+00:00 23507e6124041ed17f39db211e802495e37520e7 The six way of doing this is to replace all occurences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting. Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
The six way of doing this is to replace all occurences of "unicode"
with "six.text_type". However, "unicode" is non-ambiguous and
(arguably) easier to read. Also, using it makes the patches smaller,
which should help with backporting.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
cert-request: remove allowed extensions check 2015-08-19T10:31:03+00:00 Fraser Tweedale ftweedal@redhat.com 2015-08-13T05:42:06+00:00 02969d09d868907c6d2d5b2aee3089f2f5540dda cert-request currently permits a limited number of request extensions; uncommon and esoteric extensions are prohibited and this limits the usefulness of custom profiles. The Dogtag profile has total control over what goes into the final certificate and has the option to reject request based on the request extensions present or their values, so there is little reason to restrict what extensions can be used in FreeIPA. Remove the check. Fixes: https://fedorahosted.org/freeipa/ticket/5205 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
cert-request currently permits a limited number of request
extensions; uncommon and esoteric extensions are prohibited and this
limits the usefulness of custom profiles.

The Dogtag profile has total control over what goes into the final
certificate and has the option to reject request based on the
request extensions present or their values, so there is little
reason to restrict what extensions can be used in FreeIPA.  Remove
the check.

Fixes: https://fedorahosted.org/freeipa/ticket/5205
Reviewed-By: Jan Cholasta <jcholast@redhat.com>