New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IPA-EPN: First version. #4676
IPA-EPN: First version. #4676
Conversation
Note to self: something to be investigated: |
/AzurePipelines run |
Azure Pipelines successfully started running 1 pipeline(s). |
While not 100% feature complete this patch represents the majority of the minimal viable product of sending expiring e-mail. I'll squash the patches together to clean up the history but doing it now would mess up PR-CI's understanding of the test patch. Left to do for MVP:
|
The azure pipeline failure should be fixed with a rebase including b6fbee53 |
/AzurePipelines run |
Azure Pipelines successfully started running 1 pipeline(s). |
@@ -0,0 +1,5 @@ | |||
Hi {{ fullname }}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about your turn the template into a RFC 822 message and parse the output of JINJA with email.message_from_string?
This would allow an admin to specify email headers including subject or custom headers in the template. I did a quick test. The parser automatically converts headers with non-ASCII char.
>>> text = """\
... Subject: Blä
...
... Test äöü
... """
>>> print(email.message_from_string(text).as_string())
Subject: =?utf-8?q?Bl=C3=A4?=
Test äöü
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the future EPN could also look at the language and locale attribute of the user and choose a language specific template (e.g. expire_msg.fr.template
). With my proposal you have the subject and body in one file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree that it'd be nice to have a configurable subject. Francois took the approach of having the body of the message be an attachment so the encoding is automatic. Arguably this will make it difficult for text-based readers. He did want to allow html-based e-mails which is why there is the content subtype (defaults to plain). We could add subject as an option in the config file, and may allso allow X- headers to be defined.
I'm not sure about separate templates. We don't have information on the target other than what is in LDAP and we don't currently maintain language.
self._msg["From"] = formataddr(("IPA-EPN", mail_from)) | ||
self._msg["To"] = ", ".join(self._subscribers) | ||
self._msg["Date"] = formatdate(localtime=True) | ||
self._msg["Subject"] = Header(self._subject, self._charset) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I recommend to include a Message-ID
. MTAs tend to dislike and block messages without a proper id. You can use email.utils.make_msgid
to generate one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
postfix is generating a message-id for us:
Message-Id: 20200515145329.668C8389A20E@ipa.example.test
We are trying to be agnostic about the MTA so I suppose adding it would be fine.
Added patch to include message-id, configurable subject and better template error handling. |
So I don't lose this, Christian suggested moving some of the options into new sections. The current ipa config only supports a single section, global. He provided a candidate patch to look in all sections.
I'm not sure what if any confusion this would cause. It could be difficult to troubleshoot since all the sections are treated equally and with the ipa config reader the first one "wins". |
Things I need help with. At this point I've worked on it enough that I'm a bit biased.
A sample of an e-mail sent out via postfix is:
|
@tiran suggested moving ipa_epn.py into its own subdirectory inside ipaclient. That results in: ipaclient/epn/ipa_epn.py:42: [W9901(ipa-forbidden-import), ] Forbidden import ipaclient.install.client.is_ipa_client_installed (can't import from ipaclient.install in ipaclient)) |
I squashed from 21 to 12 patches and moved the temp commit to the top of the queue to verify that I got the rebases correct. |
Tests pass, removing temp commit per @tiran |
I just realized that the PR introduces a new top level directory |
If desired I can move ipa-epn into client and rename to ipa-epn.in so it gets processed like the other client tools and the man pages into client/man. |
hi @tiran I think I have addressed all your concerns, and squashed commits into manageable chunks. Could you please review a final time? |
except Exception: | ||
# postfix isn't yet used so this shouldn't cause existing | ||
# tests to fail. | ||
pass |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You might want to do away with this try/except. This was to workaround the PR-CI issue where packages weren't being installed properly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually PR-CI is not fixed yet.
Failed run without the try/except:
http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/983787d0-a703-11ea-bfc3-fa163e401a00/report.html
There is a proposed fix from @wladich in:
freeipa/freeipa-pr-ci#363
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fcami My PR freeipa/freeipa-pr-ci#373 is not about fixing dnf issue, it is about fixing other issue (resolv.conf overwritten by NetworkManager) without breaking the dnf on master.
The dnf issue was expected to be resolved by freeipa/freeipa-pr-ci#367 which reverted my previous attempt to solve aforementioned problem with resolv.conf.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@wladich argh, I mixed things up. Do you know if the current runners are up to date?
Because that's what I get (on a client):
[ipatests.pytest_ipa.integration.host.Host.master.cmd48] Error: Error downloading packages:
[ipatests.pytest_ipa.integration.host.Host.master.cmd48] Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=updates-released-f32&arch=x86_64 [Could not resolve host: mirrors.fedoraproject.org]
[ipatests.pytest_ipa.integration.host.Host.master.cmd48] Exit code: 1
ipa: ERROR: stderr: Error: Error downloading packages:
Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=updates-released-f32&arch=x86_64 [Could not resolve host: mirrors.fedoraproject.org]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's strange is that ipa-healthcheck similarly installs itself during its testing and that is passing. I wonder if the timing of the package install is different between the tests (e.g. before/after ipa-server-install).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch... Let me try changing that
@fcami |
For reference, installing packages before installing IPA provides a good run. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apart from aforementioned comments, nice! 😸
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please, see inline comments
EPN stands for Expiring Password Notification. It is a standalone tool designed to build a list of users whose password would expire in the near future, and either display the list in a machine-readable format, or send email notifications to these users. EPN provides command-line options to display the list of affected users. This provides data introspection and helps understand how many emails would be sent for a given day, or a given date range. The command-line options can also be used by a monitoring system to alert whenever a number of emails over the SMTP quota would be sent. EPN is meant to be launched once a day from an IPA client (preferred) or replica from a systemd timer. EPN does not keep state. The list of affected users is built at runtime but never kept. TLS/STARTTLS SMTP code is untested and unlikely to work as-is. Parts of code contributed by Rob Crittenden. Ideas and feedback contributed by Christian Heimes and Michal Polovka. Fixes: https://pagure.io/freeipa/issue/3687 Signed-off-by: François Cami <fcami@redhat.com> Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Initial test suite for EPN. Fixes: https://pagure.io/freeipa/issue/3687 Signed-off-by: François Cami <fcami@redhat.com> Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Add options for character set (default utf8) and message subtype (default plain). This will allow for more control for users to do either HTML mail or use ascii for the character set so the attachment is not base64-encoded to make it easier for all mail clients. Collect first and last name as well for each user in order to provide more options for the template engine. Make the From address configurable, defaulting to noreply@ipa_domain Make Subject configurable too. Don't rely on the MTA to set Message-Id: set it using the email module. Fixes: https://pagure.io/freeipa/issue/3687 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Expiring Password Notifications search for expiring passwords between dates. Add an equality index for this attribute. https://pagure.io/freeipa/issue/3687 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
hi @miskopo I've addressed all your concerns I think. |
@fcami it looks good, please remove the temp commit, I'll ACK in the morning. |
Thanks @miskopo temp commit removed. Running gating now. |
Hi @fcami, you have a GO for take-off... I mean, pushing. |
EPN stands for Expiring Password Notification. It is a standalone
tool designed to build a list of users whose password would expire
in the near future, and either display the list in a machine-readable
format, or send email notifications to these users.
EPN provides command-line options to display the list of affected users.
This provides data introspection and helps understand how many emails
would be sent for a given day, or a given date range.
The command-line options can also be used by a monitoring system to alert
whenever a number of emails over the SMTP quota would be sent.
EPN is meant to be launched once a day from an IPA client (preferred)
or replica from a systemd timer.
EPN does not keep state. The list of affected users is built at runtime
but never kept.
TLS/STARTTLS SMTP code is untested and unlikely to work as-is.
Parts of code contributed by Rob Crittenden.
Ideas and feedback contributed by Christian Heimes and Michal Polovka.
Fixes: https://pagure.io/freeipa/issue/3687