Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient #271
| @@ -913,7 +913,9 @@ def __setup_named_conf(self): | |||
| if not self.fstore.has_file(NAMED_CONF): | |||
| self.fstore.backup_file(NAMED_CONF) | |||
|
|
|||
| named_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict) | |||
| named_txt = ipautil.template_file( | |||
| paths.USR_SHARE_IPA_DIR + "bind.named.conf.template", | |||
Please, use os.path.join here instead.
| @@ -264,7 +264,7 @@ def uninstall(self): | |||
|
|
|||
| def http_proxy(self): | |||
| """ Update the http proxy file """ | |||
| template_filename = ipautil.SHARE_DIR + "ipa-pki-proxy.conf" | |||
| template_filename = paths.USR_SHARE_IPA_DIR + "ipa-pki-proxy.conf" | |||
os.path.join, please.
| @@ -607,7 +607,8 @@ def __add_default_schemas(self): | |||
| pent = pwd.getpwnam(DS_USER) | |||
| for schema_fname in IPA_SCHEMA_FILES: | |||
| target_fname = schema_dirname(self.serverid) + schema_fname | |||
| shutil.copyfile(ipautil.SHARE_DIR + schema_fname, target_fname) | |||
| shutil.copyfile(paths.USR_SHARE_IPA_DIR + schema_fname, | |||
os.path.join
| @@ -616,7 +617,8 @@ def __add_default_schemas(self): | |||
| schema_dirname(self.serverid) + "05rfc2247.ldif.old") | |||
|
|
|||
| target_fname = schema_dirname(self.serverid) + "05rfc2247.ldif" | |||
| shutil.copyfile(ipautil.SHARE_DIR + "05rfc2247.ldif", target_fname) | |||
| shutil.copyfile(paths.USR_SHARE_IPA_DIR + "05rfc2247.ldif", | |||
os.path.join
| @@ -919,7 +921,7 @@ def __create_indices(self): | |||
| self._ldap_mod("indices.ldif") | |||
|
|
|||
| def __certmap_conf(self): | |||
| shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template", | |||
| shutil.copyfile(paths.USR_SHARE_IPA_DIR + "certmap.conf.template", | |||
os.path.join
| @@ -215,15 +215,17 @@ def __configure_http(self): | |||
| self.update_httpd_service_ipa_conf() | |||
|
|
|||
| target_fname = paths.HTTPD_IPA_CONF | |||
| http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict) | |||
| http_txt = ipautil.template_file( | |||
| paths.USR_SHARE_IPA_DIR + "ipa.conf", self.sub_dict) | |||
os.path.join
| self.fstore.backup_file(paths.HTTPD_IPA_CONF) | ||
| http_fd = open(target_fname, "w") | ||
| http_fd.write(http_txt) | ||
| http_fd.close() | ||
| os.chmod(target_fname, 0o644) | ||
|
|
||
| target_fname = paths.HTTPD_IPA_REWRITE_CONF | ||
| http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa-rewrite.conf", self.sub_dict) | ||
| http_txt = ipautil.template_file( | ||
| paths.USR_SHARE_IPA_DIR + "ipa-rewrite.conf", self.sub_dict) |
os.path.join
| @@ -457,7 +459,7 @@ def create_kdcproxy_conf(self): | |||
| target_fname = paths.HTTPD_IPA_KDCPROXY_CONF | |||
| sub_dict = dict(KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG) | |||
| http_txt = ipautil.template_file( | |||
| ipautil.SHARE_DIR + "ipa-kdc-proxy.conf.template", sub_dict) | |||
| paths.USR_SHARE_IPA_DIR + "ipa-kdc-proxy.conf.template", sub_dict) | |||
os.path.join
| @@ -176,15 +176,17 @@ def __setup_conf_files(self): | |||
| sub_conf_dict['PIN'] = pin | |||
|
|
|||
| ods_conf_txt = ipautil.template_file( | |||
| ipautil.SHARE_DIR + "opendnssec_conf.template", sub_conf_dict) | |||
| paths.USR_SHARE_IPA_DIR + "opendnssec_conf.template", | |||
os.path.join
|
The PR is too large. Please split it up in multiple small PRs. |
| ods_conf_fd = open(paths.OPENDNSSEC_CONF_FILE, 'w') | ||
| ods_conf_fd.seek(0) | ||
| ods_conf_fd.truncate(0) | ||
| ods_conf_fd.write(ods_conf_txt) | ||
| ods_conf_fd.close() | ||
|
|
||
| ods_kasp_txt = ipautil.template_file( | ||
| ipautil.SHARE_DIR + "opendnssec_kasp.template", self.kasp_file_dict) | ||
| paths.USR_SHARE_IPA_DIR + "opendnssec_kasp.template", |
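Review bot: The rendered OpenDNSSEC configuration carries the token PIN (`sub_conf_dict['PIN'] = pin` at the top of the hunk), yet the context lines create `paths.OPENDNSSEC_CONF_FILE` with a plain `open(..., 'w')`, so a newly created file gets whatever mode the process umask allows. `__setup_conf_files` continues outside the hunk, so ownership and mode may be tightened there; if they are not, create the file with an explicit restrictive mode before writing, for example `os.fdopen(os.open(paths.OPENDNSSEC_CONF_FILE, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w')`, with the mode adjusted to what the service account actually needs. The `seek(0)` and `truncate(0)` calls are redundant after opening in `'w'` mode, and a `with` block would close the descriptor if the write raises.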
os.path.join
|
I do not have much trouble reviewing the whole PR, also it does not do that much and does not break tests (did not try integration) so I believe it's fine. |
| @@ -831,7 +832,7 @@ def cert_restore_prepare(self): | |||
|
|
|||
| def cert_restore(self): | |||
| try: | |||
| certdb.update_ipa_nssdb() | |||
| update_ipa_nssdb() | |||
NOTE: This is probably the only exception: update_ipa_nssdb is used here on the server side, contrary to what the commit message says, but it seems fine to use it like this.
Right, that's because ipa_restore is not integrated well (or at all) with installers. Also I would like to keep the code in ipaclient, as the client owns the database.
| pkcs12_password_file = ipautil.write_tmp_file(pkcs12_passwd) | ||
| args = args + ["-w", pkcs12_password_file.name] | ||
| else: | ||
| pkcs12_password_file = None |
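Review bot: The PKCS#12 password now lands on disk in the file returned by `ipautil.write_tmp_file(pkcs12_passwd)`, and nothing in the visible lines closes or removes that file once pk12util has run. The enclosing function starts and ends outside this snippet, so the cleanup may exist there; if it does not, release the file in a `finally:` block, e.g. `if pkcs12_password_file is not None: pkcs12_password_file.close()`, so the secret does not outlive the call when `ipautil.run` raises. This assumes the helper returns a temporary-file object that is deleted on close and is created readable by the owner only, neither of which can be confirmed from this page. A short comment next to the `-w` argument stating that expectation would help the next reader.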
Activate hard nitpick mode: having pkcs12_password_file = None before the if saves you the else branch. My old C guy soul wants this.
Nitpick shield activated: having it inside the else branch saves you one assignment operation. But I don't really care, so let's have it your way.
| if not config.default_server: | ||
| raise IPAConfigError("IPA server not found in DNS, in the config file (/etc/ipa/default.conf) or on the command line.") | ||
| if not config.default_domain: | ||
| raise IPAConfigError("IPA domain not found in the config file (/etc/ipa/default.conf) or on the command line.") |
With this deletion, there's nothing that raises IPAConfigError. Is there a reason to leave it there?
No, I will remove it as well.
| @@ -159,9 +159,12 @@ def synconce_ntp(server_fqdn, debug=False): | |||
| timeout = 15 | |||
| root_logger.info('Attempting to sync time using ntpd. ' | |||
| 'Will timeout after %d seconds' % timeout) | |||
| ipautil.run(args, timeout=timeout) | |||
| args[0:0] = [paths.BIN_TIMEOUT, str(timeout)] | |||
| ipautil.run(args) | |||
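Review bot: With the timeout binary prepended to `args`, an expired limit reaches the caller only as that binary's exit status, and the visible lines do not distinguish it from an ntpd failure. Assuming `paths.BIN_TIMEOUT` is the coreutils `timeout`, that status is 124, so a comment above the call such as `# timeout(1) exits with status 124 when the limit is reached` would document the contract. The error handling of `synconce_ntp` sits outside this hunk, so it is worth checking there that a timed-out sync is logged as a timeout and not reported as success. The log call would also read better with lazy arguments, `root_logger.info('Attempting to sync time using ntpd. Will timeout after %d seconds', timeout)`.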
I'd personally move the try-except only to include ipautil.run and perhaps the log and would create the args at one point right away (QuantifiedCode is working atm but I'd guess it'd be ranting about this).
Okay.
|
|
||
| # create a tempdir so that we can clean up with easily | ||
| tempdir = tempfile.mkdtemp('', 'ipa-', workdir) | ||
| gpgdir = tempdir + "/.gnupg" |
I believe os.path.join should actually really be here.
|
|
||
| # create a tempdir so that we can clean up with easily | ||
| tempdir = tempfile.mkdtemp('', 'ipa-', workdir) | ||
| gpgdir = tempdir+"/.gnupg" |
As well as one should be here.
|
The changes seem fine, I especially dig moving parts only used in ipaserver/ipaclient to their respective submodules. |
|
@stlaz, this thread at freeipa-devel should answer your question. |
|
@jcholast I prefer small patches that change just one aspect and are easily reviewable in a couple of minutes. The PR touches the entire code base. With 600 additions, more than 700 removals and 316 QC high-severity issues, it is going to take a week to merge it. Merge conflicts are already accumulating, too. You have already split up your PR into a bunch of commits. It looks like most, if not all, commits are unrelated and don't depend on each other. Basically your PR is an epic with a bunch of independent improvements. How about using the iterative approach and creating a PR for each commit? |
|
@jcholast Thanks, I'll add it as a comment to that ticket so that it's more visible to a potential community :) edit: Removed the LGTM till the outlined necessary issues are fixed, I expect that to come with the rebase. |
|
This PR is just too big and has too many CI errors to even begin a sensible review. I would need at least half a day without any interruption to perform even a basic review. Given my other responsibilities and daily meetings, I won't have time until Thursday. |
The platform-specific path to /dev/null is provided by the Python standard library in os.devnull. Replace all uses of paths.DEV_NULL with os.devnull and remove DEV_NULL. https://fedorahosted.org/freeipa/ticket/6474
Automatically restart Custodia during IPA server upgrade if custodia.conf was updated. Use the new store class name in custodia.conf.template. https://fedorahosted.org/freeipa/ticket/6474
The dnssec and secrets subpackages and the p11helper module depend on ipaplatform. Move them to ipaserver as they are used only on the server. https://fedorahosted.org/freeipa/ticket/6474
The certmonger and sysrestore modules depend on ipaplatform. Move them to ipalib.install as they are used only from installers. https://fedorahosted.org/freeipa/ticket/6474
The create_ipa_nssdb() and update_ipa_nssdb() depend on ipaplatform. Move them to ipaclient.install.client as they are used only from the client installer and ipa-restore. https://fedorahosted.org/freeipa/ticket/6474
Currently the PKCS#12 file password is passed via stdin and pk12util reads it from /dev/stdin, which is platform-specific. Use a temporary file instead. https://fedorahosted.org/freeipa/ticket/6474
SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform. Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove both SHARE_DIR and PLUGIN_SHARE_DIR. https://fedorahosted.org/freeipa/ticket/6474
get_domain_name() and related code depends on ipaplatform. Replace all uses of get_domain_name() with api.env.domain and remove get_domain_name() and all of the related code. https://fedorahosted.org/freeipa/ticket/6474
The argument depends on the platform-specific timeout binary and is used only in ipaclient.ntpconf. Call the timeout binary explicitly in ipaclient.ntpconf and remove the argument. https://fedorahosted.org/freeipa/ticket/6474
The FIPS setting is platform-specific. https://fedorahosted.org/freeipa/ticket/6474
kinit_password() depends on ipaplatform. Move kinit_password() as well as kinit_keytab() to a new ipalib.install.kinit module, as they are used only from installers. https://fedorahosted.org/freeipa/ticket/6474
The encrypt_file() and decrypt_file() functions depend on ipaplatform. Move them to ipaserver.install.installutils, as they are only used for the server installer. https://fedorahosted.org/freeipa/ticket/6474
Use hard-coded paths to certutil, pk12util and openssl in certdb if ipaplatform is not available. Hard-coded the path to setpasswd in ipautil.run() doc string. Remove ipaplatform dependency from ipapython's setup.py and add ipapython dependency to ipaplatform's setup.py. https://fedorahosted.org/freeipa/ticket/6474
The certstore module depends on ipaplatform. Move it to ipalib.install, as it is used only from installers. https://fedorahosted.org/freeipa/ticket/6474
CACERT depends on ipaplatform. Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT. https://fedorahosted.org/freeipa/ticket/6474
Hard-code the path to /bin/false in SubprocessError doc string. Remove ipaplatform dependency from ipalib's setup.py and add it as optional installer dependency to ipalib's and ipaclient's setup.py. https://fedorahosted.org/freeipa/ticket/6474
The ipa_certupdate, ipachangeconf, ipadiscovery and ntpconf modules depend on ipaplatform. Move them to ipaclient.install as they are used only from the client installer. https://fedorahosted.org/freeipa/ticket/6474
Hard-code the user cache directory path in ipaclient.remote_plugins.schema. https://fedorahosted.org/freeipa/ticket/6474
|
I checked the rebase again as well as ran the tests. The changes in the PR clean the code nicely aside from doing what's proposed in the given ticket. The issues from CI and QuantifiedCode are only caused by moving the code in between modules. ACK. |
|
Ticket https://fedorahosted.org/freeipa/ticket/6474 is closed as wontfix and doesn't even seem right to me. |
|
Last I checked the ticket was still open. The ticket was trying to solve the same issue as this PR although its aim shifted (see the link I posted in the comments). |
|
Ticket updated. |
|
The patch's already been pushed, could you, @mbasti-rh, supply the automated message? |
|
master: 9117a5d paths: remove DEV_NULL |
paths: remove DEV_NULL
The platform-specific path to /dev/null is provided by the Python standard
library in os.devnull.
Replace all uses of paths.DEV_NULL with os.devnull and remove DEV_NULL.
custodiainstance: automatic restart on config file update
Automatically restart Custodia during IPA server upgrade if custodia.conf
was updated.
Use the new store class name in custodia.conf.template.
ipapython: move dnssec, p11helper and secrets to ipaserver
The dnssec and secrets subpackages and the p11helper module depend on
ipaplatform.
Move them to ipaserver as they are used only on the server.
ipapython: move certmonger and sysrestore to ipalib.install
The certmonger and sysrestore modules depend on ipaplatform.
Move them to ipalib.install as they are used only from installers.
certdb: move IPA NSS DB install functions to ipaclient.install
The create_ipa_nssdb() and update_ipa_nssdb() depend on ipaplatform.
Move them to ipaclient.install.client as they are used only from the client
installer.
certdb: use a temporary file to pass password to pk12util
Currently the PKCS#12 file password is passed via stdin and pk12util reads
it from /dev/stdin, which is platform-specific.
Use a temporary file instead.
ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR
SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform.
Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove
both SHARE_DIR and PLUGIN_SHARE_DIR.
ipautil: remove get_domain_name()
get_domain_name() and related code depends on ipaplatform.
Replace all uses of get_domain_name() with api.env.domain and remove
get_domain_name() and all of the related code.
ipautil: remove the timeout argument of run()
The argument depends on the platform-specific timeout binary and is used
only in ipaclient.ntpconf.
Call the timeout binary explicitly in ipaclient.ntpconf and remove the
argument.
ipautil: move is_fips_enabled() to ipaplatform.tasks
The FIPS setting is platform-specific.
ipautil: move kinit functions to ipalib.install
kinit_password() depends on ipaplatform.
Move kinit_password() as well as kinit_keytab() to a new
ipalib.install.kinit module, as they are used only from installers.
ipautil: move file encryption functions to installutils
The encrypt_file() and decrypt_file() functions depend on ipaplatform.
Move them to ipaserver.install.installutils, as they are only used for the
server installer.
ipapython: remove hard dependency on ipaplatform
Use hard-coded paths to certutil, pk12util and openssl in certdb if
ipaplatform is not available.
Hard-coded the path to setpasswd in ipautil.run() doc string.
Remove ipaplatform dependency from ipapython's setup.py and add ipapython
dependency to ipaplatform's setup.py.
ipalib: move certstore to the install subpackage
The certstore module depends on ipaplatform.
Move it to ipalib.install, as it is used only from installers.
constants: remove CACERT
CACERT depends on ipaplatform.
Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT.
ipalib: remove hard dependency on ipapython
Hard-code the path to /bin/false in SubprocessError doc string.
Remove ipaplatform dependency from ipalib's setup.py and add it as optional
installer dependency to ipalib's and ipaclient's setup.py.
ipaclient: move install modules to the install subpackage
The ipa_certupdate, ipachangeconf, ipadiscovery and ntpconf modules depend
on ipaplatform.
Move them to ipaclient.install as they are used only from the client
installer.
ipaclient: remove hard dependency on ipaplatform
Hard-code the user cache directory path in ipaclient.remote_plugins.schema.
https://fedorahosted.org/freeipa/ticket/6474