URL: https://github.com/freeipa/freeipa/pull/774
Author: stlaz
 Title: #774: Deprecate pkinit-anonymous command
Action: synchronized

From 02e9b01ea1827de218f29279c5707cd5ec87103f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 10 May 2017 15:54:21 +0200
Subject: [PATCH] Deprecate pkinit-anonymous command

Since v4.5, FreeIPA requires at least some form of
anonymous PKINIT to work. Deprecate the command that
was able to turn this feature off.

https://pagure.io/freeipa/issue/6936
---
 API.txt                     |  2 +-
 VERSION.m4                  |  4 +--
 ipaserver/plugins/pkinit.py | 74 ++++++++++-----------------------------------
 3 files changed, 19 insertions(+), 61 deletions(-)

diff --git a/API.txt b/API.txt
index fa7582d..afd664e 100644
--- a/API.txt
+++ b/API.txt
@@ -3738,7 +3738,7 @@ option: Str('version?')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 command: pkinit_anonymous/1
 args: 1,1,1
-arg: Str('action')
+arg: Str('action?')
 option: Str('version?')
 output: Output('result')
 command: plugins/1
diff --git a/VERSION.m4 b/VERSION.m4
index 6ec56c5..d915fe3 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 20100614120000)
 #                                                      #
 ########################################################
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 225)
-# Last change: Add --password-expiration option to force password change
+define(IPA_API_VERSION_MINOR, 226)
+# Last change: Deprecate the pkinit-anonymous command
 
 
 ########################################################
diff --git a/ipaserver/plugins/pkinit.py b/ipaserver/plugins/pkinit.py
index b6b3f38..81e6449 100644
--- a/ipaserver/plugins/pkinit.py
+++ b/ipaserver/plugins/pkinit.py
@@ -17,36 +17,21 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-from ipalib import api, errors
 from ipalib import Str
 from ipalib import Object, Command
 from ipalib import _
+from ipalib import messages
 from ipalib.plugable import Registry
-from ipalib.constants import ANON_USER
-from ipapython.dn import DN
 
 __doc__ = _("""
 Kerberos pkinit options
 
-Enable or disable anonymous pkinit using the principal
-WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with
-pkinit support.
-
-EXAMPLES:
-
- Enable anonymous pkinit:
-  ipa pkinit-anonymous enable
-
- Disable anonymous pkinit:
-  ipa pkinit-anonymous disable
-
-For more information on anonymous pkinit see:
-
-http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit
+This module is deprecated since FreeIPA 4.5.1
 """)
 
 register = Registry()
 
+
 @register()
 class pkinit(Object):
     """
@@ -57,49 +42,22 @@ class pkinit(Object):
     label=_('PKINIT')
 
 
-def valid_arg(ugettext, action):
-    """
-    Accepts only Enable/Disable.
-    """
-    a = action.lower()
-    if a != 'enable' and a != 'disable':
-        raise errors.ValidationError(
-            name='action',
-            error=_('Unknown command %s') % action
-        )
-
 @register()
 class pkinit_anonymous(Command):
-    __doc__ = _('Enable or Disable Anonymous PKINIT.')
-
-    princ_name = '%s@%s' % (ANON_USER, api.env.realm)
-    default_dn = DN(('krbprincipalname', princ_name), ('cn', api.env.realm), ('cn', 'kerberos'), api.env.basedn)
+    __doc__ = _('Originally to enable or disable Anonymous PKINIT.\n'
+                'Deprecated since FreeIPA 4.5.1')
 
     takes_args = (
-        Str('action', valid_arg),
+        Str('action?'),
     )
 
-    def execute(self, action, **options):
-        ldap = self.api.Backend.ldap2
-        set_lock = False
-        lock = None
-
-        entry_attrs = ldap.get_entry(self.default_dn, ['nsaccountlock'])
-
-        if 'nsaccountlock' in entry_attrs:
-            lock = entry_attrs['nsaccountlock'][0].lower()
-
-        if action.lower() == 'enable':
-            if lock == 'true':
-                set_lock = True
-                lock = None
-        elif action.lower() == 'disable':
-            if lock != 'true':
-                set_lock = True
-                lock = 'TRUE'
-
-        if set_lock:
-            entry_attrs['nsaccountlock'] = lock
-            ldap.update_entry(entry_attrs)
-
-        return dict(result=True)
+    def execute(self, action=None, **options):
+        self.add_message(
+            messages.CommandDeprecatedWarning(
+                command='pkinit-anonymous',
+                additional_info=_('This command was deprecated in '
+                                  'FreeIPA 4.5.1 because Anonymous PKINIT is '
+                                  'required for the system to work.')
+            )
+        )
+        return {'result': None}
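Review bot: The new `execute` silently succeeds for `action='disable'`: the removed body set `nsaccountlock` on the anonymous principal, while the new one returns `{'result': None}` and only attaches a warning, so a hardening script that runs `ipa pkinit-anonymous disable` gets a successful result while anonymous PKINIT stays enabled. The deprecation text should state that the request was not applied, e.g. `'This command was deprecated in FreeIPA 4.5.1 because Anonymous PKINIT is required for the system to work; the requested action was ignored and anonymous PKINIT remains enabled.'`. With `valid_arg` gone, any string is accepted for `action` and discarded; if the argument is kept only for compatibility, consider retaining the enable/disable validation so a typo is still rejected, or at least echoing the ignored value in the message. Whether FreeIPA's convention for deprecated commands is to no-op or to raise is not visible in this diff.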
-- 