Authselect migration #1862
Authselect migration #1862
Conversation
flo-renaud
added
prioritized
freeipa.spec.in
Outdated
| @@ -597,7 +597,7 @@ Requires: python2-sssdconfig | |||
| Requires: cyrus-sasl-gssapi%{?_isa} | |||
| Requires: chrony | |||
| Requires: krb5-workstation >= %{krb5_version} | |||
| Requires: authconfig | |||
| Requires: authselect >= 0.3.1 | |||
There was a problem hiding this comment.
Please bump the version. The latest version is 0.4-2 with fix for https://bugzilla.redhat.com/show_bug.cgi?id=1571844
ipaplatform/redhat/authconfig.py
Outdated
|
|
||
| features = re.findall(r"-\s*(\S+)", cfg_params[0][1], re.DOTALL) | ||
|
|
||
| return (profile, features) |
ipaplatform/redhat/authconfig.py
Outdated
|
|
||
| class RedHatAuthConfig(object): | ||
|
|
||
| class RedHatAuthTool(object): |
There was a problem hiding this comment.
IMHO, the class is over-engineered. A simple module-level function like get_auth_tool is a sufficient abstraction layer.
| preconfigured_options = ['with-fingerprint'] | ||
|
|
||
|
|
||
| def check_authselect_profile(host, expected_profile, expected_options=[]): |
There was a problem hiding this comment.
Mutable object in argument list, use () instead of [].
| assert option in options | ||
|
|
||
|
|
||
| def apply_authselect_profile(host, profile, options=[]): |
| return None | ||
|
|
||
| cfg_params = re.findall( | ||
| r"\s*Profile ID:\s*(\S+)\s*\n\s*Enabled features:\s*(.*)", |
There was a problem hiding this comment.
The code assumes that the output of authselect won't change in the future. Did somebody talk to the author of the tool?
There was a problem hiding this comment.
I added --raw parameter to authselect current in 0.4 (already in F28). This will print non-formatted output as it was given on command line with authselect select. I.e.:
$ authselect select sssd with-smartcard
$ authselect current --raw
sssd with-smartcard
You can use that instead.
|
|
||
|
|
||
| @pytest.mark.skipif( | ||
| ipaplatform.NAME not in ['fedora', 'rhel', 'centos'], |
There was a problem hiding this comment.
Are we sure that Debian/Ubuntu will never use authselect? I think it would be better to test for ipaplatform.paths.paths.AUTHSELECT is None instead of hard-coding platforms.
The authconfig tool is deprecated and replaced by authselect. Migrate FreeIPA in order to use the new tool as described in the design page https://www.freeipa.org/page/V4/Authselect_migration Fixes: https://pagure.io/freeipa/issue/7377
Add new test for client and server installation when authselect tool is used instead of authconfig Related to https://pagure.io/freeipa/issue/7377
Commit d705320 was temporarily disabling authconfig backup and restore because of issue 7478. With the migration to authselect this is not needed any more Related to https://pagure.io/freeipa/issue/7377
ipa-advise config-client-for-smart-card-auth was producing a shell script calling authconfig. With the migration from authconfig to authselect, the script needs to be updated and call authselect enable-feature with-smartcard instead. Related to https://pagure.io/freeipa/issue/7377
flo-renaud
force-pushed
the
authselect_migration
branch
from
4a4e1ef
to
05fd1e4
Compare
|
Hi @tiran, |
tiran
added
ack
This PR replaces PR 1603.
It contains basically cosmetic changes (split into multiple commits), and the enhancements proposed in the comments.
@akokshar I hope this does not bother you but we needed to speed up the process in your absence.