Commit Graph

280 Commits

Author SHA1 Message Date
Rob Crittenden
110d46b792 Use global time and size limit values when searching.
Add test to verify that limit is honored and truncated flag set.

ticket #48
2010-08-19 10:51:55 -04:00
Rob Crittenden
e225ad4341 Add support for ldap:///self bind rules
This is added mainly so the self service rules can be updated without
resorting to ldapmodify.

ticket 80
2010-08-19 10:49:42 -04:00
Rob Crittenden
2f4f9054aa Enable a host to retrieve a keytab for all its services.
Using the host service principal one should be able to retrieve a keytab
for other services for the host using ipa-getkeytab. This required a number
of changes:

- allow hosts in the service's managedby to write krbPrincipalKey
- automatically add the host to managedby when a service is created
- fix ipa-getkeytab to return the entire prinicpal and not just the
  first data element. It was returning "host" from the service tgt
  and not host/ipa.example.com
- fix the display of the managedby attribute in the service plugin

This led to a number of changes in the service unit tests. I took the
opportunity to switch to the Declarative scheme and tripled the number
of tests we were doing. This shed some light on a few bugs in the plugin:

- if a service had a bad usercertificate it was impossible to delete the
  service. I made it a bit more flexible.
- I added a summary for the mod and find commands
- has_keytab wasn't being set in the find output

ticket 68
2010-08-16 17:13:56 -04:00
Rob Crittenden
1df10a88cd Add support for client failover to the ipa command-line.
This adds a new global option to the ipa command, -f/--no-fallback. If this
is included then just the server configured in /etc/ipa/default.conf is used.
Otherwise that is tried first then all servers in DNS with the ldap SRV record
are tried.

Create a new Local() Command class for local-only commands. The help
command is one of these. It shouldn't need a remote connection to execute.

ticket #15
2010-08-16 10:35:27 -04:00
Rob Crittenden
5b894d1fb7 Allow decoupling of user-private groups.
To do this we need to break the link manually on both sides, the user and
the group.

We also have to verify in advance that the user performing this is allowed
to do both. Otherwise the user could be decoupled but not the group
leaving it in a quasi broken state that only ldapmodify could fix.

ticket 75
2010-08-10 16:41:47 -04:00
Rob Crittenden
719592a209 Fix user tests to handle managed entries
We now enable managed entries by default and need to account for it
in the expected output.
2010-08-10 16:41:28 -04:00
Rob Crittenden
768cb29afe Check to see if the command is available before running command tests. 2010-08-06 15:33:32 -04:00
Rob Crittenden
35cbbde5bf Fix RPC tests. The method comes back as a unicode from xmlrpclib. 2010-08-06 15:32:53 -04:00
Rob Crittenden
2d7d047cbf Add optional error message to pattern validator
The pattern validator by default displays the pattern that is being
matched against. This isn't helpful, particularly for very hairy patterns.
This adds a new parameter, pattern_errmsg, that is displayed on errors
if set.

ticket #11
2010-08-06 15:32:37 -04:00
Rob Crittenden
252b73fb3e Skip the i18n test if the test language has not been built 2010-08-06 15:32:00 -04:00
Rob Crittenden
d885339f1c Require that hosts be resolvable in DNS. Use --force to ignore warnings.
This also requires a resolvable hostname on services as well. I want
people to think long and hard about adding things that aren't resolvable.

The cert plugin can automatically create services on the user's behalf when
issuing a cert. It will always set the force flag to True.

We use a lot of made-up host names in the test system, all of which require
the force flag now.

ticket #25
2010-08-06 15:31:57 -04:00
Rob Crittenden
efa11d3746 Fix replacing a certificate in a service.
When a service has a certificate and the CA backend doesn't support
revocation (like selfsign) then we simply drop the old certificate in
preparation for adding a new one. We weren't setting the usercertificate
attribute to None so there was nothing to do in ldap_update().

Added a test case for this situation to ensure that re-issuing a certificate
works.

ticket #88
2010-08-06 13:12:21 -04:00
Rob Crittenden
4ea34d5910 Add framework for other command-line tests, starting with ipa-getkeytab. 2010-08-06 13:12:02 -04:00
Rob Crittenden
e874b41c5b Fix this test to work from source tree root
It would work if you ran the test from its location in tests/test_ipalib
but this isn't the most common method. If you want to run it individually
you can do:

$  ./make-test tests/test_ipalib/test_text.py
2010-08-06 13:11:05 -04:00
Rob Crittenden
b7ca3d68c2 Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
  init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests

Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one.  I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
2010-07-29 10:50:10 -04:00
Rob Crittenden
563c7cde40 Add some basic tests for ipalib/x509 2010-07-29 10:45:11 -04:00
Adam Young
26b0e8fc98 This patch removes the existing UI functionality, as a prep for adding the Javascript based ui. 2010-07-29 10:44:56 -04:00
Rob Crittenden
57a9001f8d Fix netgroup plugin to use correct member attribute names.
When the netgroup plugin was rebased it ended up using the member
attribute for its memberships and not memberuser/memberhost.

I also fixed this same attribute problem in the tests and tried to beef
them up a little. If nis/schema compat are enabled it will try to compare
the generated triplets with a known-good value.
2010-07-15 11:18:18 -04:00
Rob Crittenden
1e1985b17c Add API to delete a service principal key, service-disable.
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.

I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.

This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
2010-07-13 09:29:10 -04:00
Rob Crittenden
c9e0b43d53 Add test to ensure that a certificate we issue is actually stored properly. 2010-07-13 09:28:03 -04:00
Rob Crittenden
7f9485f5bf Change expected aci summary from Updated to Modify in test cases 2010-07-06 15:39:44 -04:00
Rob Crittenden
93e54366f9 Fix aci_mod command. It should handle more complex operations now.
The problem was trying to operate directly on the ACI itself. I
introduced a new function, _aci_to_kw(), that converts an ACI
into a set of keywords. We can take these keywords, like those passed
in when an ACI is created, to merge in any changes and then re-create the
ACI.

I also switched the ACI tests to be declarative and added a lot more
cases around the modify operation.
2010-06-24 10:26:08 -04:00
Rob Crittenden
e123fa6671 Add ipaUniqueID to HBAC services and service groups
Also fix the memberOf attribute for the HBAC services
2010-05-27 10:51:02 -04:00
Rob Crittenden
71738f9177 Remove local get_dn() from hbacsvcgroup and add tests for hbacsvcgroup 2010-05-20 13:53:02 -04:00
Rob Crittenden
1dad0758ce Use new service schema for HBAC tests 2010-05-17 13:48:44 -04:00
Rob Crittenden
542768bec7 Replace old pwpolicy plugin with new one using baseldap, fix tests.
Fix deletion of policy when a group is removed.
2010-05-17 13:48:19 -04:00
root
f6cde533fd Add new password policy plugin based on baseldap.py classes. 2010-05-05 15:00:04 -04:00
root
a3d1b17559 Add weekly periodic schedule to AccessTime param type.
Fix bug #588414
2010-05-04 13:39:42 -04:00
Rob Crittenden
3698dca8e3 Add test cases for AccessTime param and fix some problems in AccessTime 2010-05-03 14:07:34 -06:00
John Dennis
5b9d1ee180 Add gettext translation test using test language. 2010-04-16 10:56:48 -04:00
Jason Gerard DeRose
918721c1d0 XML-RPC signature change 2010-03-30 15:10:58 -04:00
Rob Crittenden
c3c850b1d7 Deleting a non-fully-qualified hostname should still delete its services
We were being left with orphan services if the host entry was not removed
using the FQDN.
2010-03-30 09:41:17 -04:00
Rob Crittenden
d13fcb6a0c Ensure that the group policy priority is unique.
We use CoS to determine the order in which group policy is applied. The
behavior in CoS is undefined for multiple entries with the same
cospriority.
2010-03-19 07:13:33 -06:00
Jason Gerard DeRose
c350f84134 Finish deferred translation mechanism 2010-03-16 11:41:22 -06:00
John Dennis
b75d06e189 localize doc strings
A number of doc strings were not localized, wrap them in _().
Some messages were not localized, wrap them in _()

Fix a couple of failing tests:
The method name in RPC should not be unicode.
The doc attribute must use the .msg attribute for comparison.

Also clean up imports of _() The import should come from
ipalib or ipalib.text, not ugettext from request.
2010-03-08 21:10:36 -07:00
Jason Gerard DeRose
942919bef7 Consolidate to single WSGI entry point 2010-03-01 20:21:38 -07:00
Rob Crittenden
766757e4d4 Fix unicode failures in Env tests and dn failures in XML-RPC tests 2010-02-26 12:31:11 -05:00
Pavel Zuna
aa2c124e7d Make the --all option work in Add/Remove Member commands. 2010-02-24 14:56:34 -05:00
Jason Gerard DeRose
8c46e09735 Translatable Param.label, Param.doc 2010-02-24 02:47:39 -07:00
Jason Gerard DeRose
47f2e618f9 Fix non XML-RPC tests 2010-02-19 18:10:37 -05:00
Rob Crittenden
58746226d4 Use the Output tuple to determine the order of output
The attributes displayed is now dependant upon their definition in
a Param. This enhances that, giving some level of control over how
the result is displayed to the user.

This also fixes displaying group membership, including failures of
adding/removing entries.

All tests pass now though there is still one problem. We need to
return the dn as well. Once that is fixed we just need to comment
out all the dn entries in the tests and they should once again
pass.
2010-02-15 13:10:11 -07:00
Jason Gerard DeRose
069763c5c6 Add Object.label class attribute, enable in webUI 2010-02-12 17:07:37 -05:00
Rob Crittenden
338578d10a Allow one-character Param names
This is done explicitly to support the l/localityname attribute.
2010-02-12 13:14:29 -07:00
Jason Gerard DeRose
dc2f246d47 Command.output_params not contains params in Command.params 2010-02-11 14:56:10 -05:00
Rob Crittenden
b7f557e3cf Fix the cert plugin tests
These tests rely on the existence of a backend CA. It is easiest to
test with a self-signed CA in ~/.ipa so that is what I documented.

These tests are skipped if no CA is available.

Improved robustness a bit by putting the cleanup as a separate test.
2010-02-09 02:13:06 -07:00
Jason Gerard DeRose
c43b69e77c Add support for the 'no_create', 'no_update', and 'no_search' Param flags 2010-02-05 14:32:04 -05:00
Jason Gerard DeRose
1d6cc1bb7b Remove __public__ and __proxy__ hold-overs from Plugin class 2010-01-28 13:32:00 -05:00
Jason Gerard DeRose
e9dc9de23a Fixed xmlrpc_test.fuzzy_digits for Fedora12 2010-01-22 14:41:49 -05:00
Pavel Zuna
0023ffb881 Fix backend.Executioner unit test.
Before the patch that allows to create unshared instances of Connectible
objects, all Connection object were deleted at once in destroy_context().
It made sense at the time, because there was always at most one Connection
per Connectible subclass and Connectible.disconnect() was called only
internally by the Executioner class. Now that we can make arbitrary
connections, it makes more sense to delete the Connection object when
Connectible.disconnect() is called.
2010-01-13 13:39:50 -05:00
Rob Crittenden
ee446ff148 Remove hardcoded domain, example.com 2009-12-18 09:41:53 -07:00