Having float type as a base type for floating point parameters in
ipalib introduces several issues, e.g. problem with representation
or value comparison. Python language provides a Decimal type which
help overcome these issues.
This patch replaces a float type and Float parameter with a
decimal.Decimal type in Decimal parameter. A precision attribute
was added to Decimal parameter that can be used to limit a number
of decimal places in parameter representation. This approach fixes
a problem with API.txt validation where comparison of float values
may fail on different architectures due to float representation error.
In order to safely transfer the parameter value over RPC it is
being converted to string which is then converted back to
decimal.Decimal number on a server side.
https://fedorahosted.org/freeipa/ticket/2260
This is what we already do in the HBAC plugin, this ports it to Sudo.
If a category (user, host, etc) is u'all' then we don't allow individual
members be added. Conversely if there are members we don't allow the
category be set to u'all'.
https://fedorahosted.org/freeipa/ticket/1440
Paging has been enabled on self-service permissions and delegations
list pages. The search facet's get_pkeys() has been fixed to handle
non-array value. New test data files have been added as well.
Ticket #2092
pkey-only functionality has to be implemented separately for these
modules as they are based on crud.Search instead of standard
LDAPSearch.
Delegation moduled was also fixed to support new format of ACI's
memberof attribute introduced in patch "Display the value of
memberOf ACIs in permission plugin."
https://fedorahosted.org/freeipa/ticket/2092
Due to a recent change the deleting automount keys and DNS records no
longer worked. The functions that are supposed to get the selected
values has been fixed to use the correct names and element type. They
also have been converted into methods of the search facets.
Ticket #2256
The certificate request dialog box has been modified to show
the OpenSSL commands for generating a CSR.
The realm and entry names in the test data have been fixed to
be more consistent.
Ticket #1012
When multiple HBAC rules are defined, IPA default limits to retrieve
objects may limit the scope of HBAC testing. To allow full range of rules
to be tested support for --sizelimit option is added.
In addition, when --rules option is specified, make sure only those rules
are retrieved regardless total number of rules defined. This should also
speed up HBAC test performance for real life scenarios when few new rules
are added to large collection of rules.
https://fedorahosted.org/freeipa/ticket/2230
Changes to add a cs-replication management tool mistakenly always set a flag
that caused replicas to not add the list of attribute we exclude from
replication.
Let ipa-replica-prepare and ipa-replica-install work without
proper DNS records as records in /etc/hosts are sufficient for
DS replication.
1) ipa-replica-prepare now just checks if the replica hostname
is resolvable (DNS records are not required). It is now able
to prepare a replica file even when the replica IP address is
present in /etc/hosts only.
2) ipa-replica-install is now able to proceed when the hostname
is not resolvable. It uses an IP address passed in a new
option --ip-address to create a record in /etc/hosts in the
same way as ipa-server-install does.
https://fedorahosted.org/freeipa/ticket/2139
ipalib API needs to be bootstrapped in 'installer' context otherwise
LDAP update plugins don't get initialized and ipa-replica-install
crashes.
https://fedorahosted.org/freeipa/ticket/2139
Call restart() methods of appropriate services instead of calling
the system service restart command directly as service() method
has a capability to wait until the service is fully up. Without
this patch ipa-replica-install crashed on F-16 because krb5kdc
service was started before dirsrv service was fully up.
https://fedorahosted.org/freeipa/ticket/2139
FreeIPA SUDO rules use --usercat/--groupcat to specify that rule
applies to all users or groups. Thus, sudorule-add-runasuser and
sudorule-add-runasgroup accept specific groups and users and do not
accept ALL reserved word.
The patch validates user and group passed to these commands and
reports appropriate errors when these are ALL.
Ticket #1496https://fedorahosted.org/freeipa/ticket/1496
Having a Parameter maxvalue larger that 2G makes Python convert it
to "long" type instead of "int" type. Our framework than fails to
bootstrap the API when it detects long integer in Parameter
maxvalue.
Remove the clashing maxvalue out entirely as we can't transfer
values larger than 2G anyway (xmlrpc limitation).
https://fedorahosted.org/freeipa/ticket/2082
Use new structured DNSRecord parameters to generate per-type API
for all supported DNS RR types. This should help significantly
the end-user with manipulating complex DNS record type (MX, LOC,
etc.).
All enhancements are integrated to current DNS record commands:
1) dnsrecord-add
- Records can be either entered as a raw value (e.g. --mx-rec=
"1 srv1.example.com" for MX record) or per-part:
--mx-preference=1 --mx-exchanger=srv1.example.com
- CLI interactive help behavior was changed. It will ask for
a record type and then ask for all DNS record part values
(e.g. MX Preference value, MX Exchanger value).
2) dnsrecord-mod
- This command can now operate in 2 modes. When only a raw DNS
record is entered (e.g. --mx-rec="1 srv1.example.com") it
operates in standard mode and replaces any previous mxrecord
value with the --mx-rec value.
When any structured parameter (e.g. --mx-preference) is passed
it modifies just the specified parts of one mxrecord value
referred by --mx-rec:
--mx-rec="1 srv1.example.com" --mx-preference=2
- New interactive help has been implemented. It will ask for a
record to be modified (in the same manner as dnsrecord-del)
and then let user change DNS record part(s) for chosen
records.
3) All dnsrecord-* commands have now --structured option
- When this option is passed, instead of displaying raw DNS values
all DNS records are parsed and displayed per-part. Example:
$ ipa dnsrecord-show example.com @ --structured
Record name: @
Records:
Record type: MX
Record data: 0 server1.example.com.
MX Preference: 0
MX Exchanger: server1.example.com.
Record type: NS
Record data: ns1.example.com.
NS Hostname: ns1.example.com.
All API changes are compatible with clients without this patch.
https://fedorahosted.org/freeipa/ticket/2082
Complex commands may have many options or non-standard output. This
patch adds 2 improvements to handle these commands better:
1) Add "option_group" parameter attribute
Make command help more readable by specifying an option group
for the parameter. All parameters in the same option group are
then placed to one named option group
2) Allow nested entries in the output
Current CLI output module cannot handle a list of nested entries
(dictionaries) contained in an entry attribute. Make sure they
are printed properly (with indentation)
https://fedorahosted.org/freeipa/ticket/2082
CSV values were not parsed in ipalib.parameters.normalize method
properly when passed as a list and not as a basestring.
Based on Jan Cholasta's contribution.
Current DNS record processing architecture has many flaws,
including custom execute() methods which does not take advantage
of base LDAP commands or nonstandard and confusing DNS record
option processing.
This patch refactors DNS record processing with the following
improvements:
* Every DNS record has now own Parameter type. Each DNS record
consists from one or more "parts" which are also Parameters.
This architecture will enable much easier implementation of
future per-DNS-type API.
* Validation is now not written as a separate function for
every parameter but is delegated to DNS record parts.
* Normalization is also delegated to DNS record parts.
* Since standard LDAP base commands execute method is now used,
dnsrecord-add and dnsrecord-mod correctly supports --setattr
and --addattr options.
* In order to prevent confusion unsupported DNS record types
are now hidden. They are still present in the plugin so that
old clients receive proper validation error.
The patch also contains several fixes:
* Fix domain-name validation and normalization- allow domain
names that are not fully qualified. For example --cname-rec=bar
is a valid domain-name for bind which will translate it then
as bar.<owning-domain>. This change implies, that fully qualified
domain names must end with '.'.
* Do not let user accidentally remove entire zone with command
"ipa dnsrecord-del @ --del-all".
* Fix --ttl and --class option processing in dnsrecord-add and
dnsrecord-mod.
All API changes are compatible with clients without this patch.
https://fedorahosted.org/freeipa/ticket/2082
This patch requires a forthcoming change in MIT libraries which allows to pass
NULL for the server_key to the krb5_pac_verify() function.
In most cases we should always only check the KDC checksum to verify the PAC
validity.
The only exception is when we are releasing a ticket to a client from another
realm. In this case the only signature we can check is the server checksum, and
we use the cross-realm key to validate in this case.
The previous code was working for normal cases because the kdc uses the same
key to create the server and the kdc checksum for a TGT, but that is not true
for evidence tickets (s4u2proxy) or cross-realm TGTs.
Fixes: https://fedorahosted.org/freeipa/ticket/2169
This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX
Within that container we control which services are allowed to
delegate tickets for other services. Right now that is limited
from the IPA HTTP to ldap services.
Requires a version of mod_auth_kerb that supports s4u2proxy
https://fedorahosted.org/freeipa/ticket/1098
Also fixed minor issues reagarding IP addresses or multivalued field:
- removed unnecessary method overrides from multivalued_field
- fixed extract_child_value method in multivalued_widget to return '' instead of empty arrays when value array is empty
- net.js - changed method name and error message from 'trailing zeros' to 'leading zeros'
https://fedorahosted.org/freeipa/ticket/1466
The user details page has been modified to show the password policy
and Kerberos ticket policy that apply to the user. The policies are
currently displayed as read-only.
Ticket #703
New version of SSSD begins ignoring sourcehost value of HBAC rules by
default. In order to match this behaviour the sourcehost option in
hbactest is optional now, but the value of sourcehost is ignored in all
rules. Every rule's sourcehost value is set to 'ALL' what turns sourchost
value comparation off. If srchost option is used, warning is displayed to
inform the user about changes. Text of plugin help was also updated.
Also the unit tests for hbactest plugin were updated. Every test was
doubled. The second ones test the plugin without sourcehost option. They
are supposed to have the same result.
https://fedorahosted.org/freeipa/ticket/2085
The user search facet has been modified to show the account status.
The IPA.boolean_format has been converted into a class to allow
behavior customization.
Ticket #1996
There were two problems:
1. memberof wasn't in the list of things we looked for in the return value
from aci_show()
2. The value wasn't being translated into a group name.
Use the DN class to retrieve the group name from the memberof URI.
Note that I changed the parsing for targetgroup as well. We now save a lookup
and potentially returning a NotFound if an aci points to a group that no
longer exists.
https://fedorahosted.org/freeipa/ticket/2100
It is pointless to report failures for all checked ports when the
target hostname is not resolvable - user may get easily confused.
This patch changes this behavior so that conncheck fails with
a proper error and does not even continue to port probing part.
https://fedorahosted.org/freeipa/ticket/1984
Current validation logic supports only validation based on metadata. It can be extended only by overriding field's validation method. This approach requires creating subclasses of field for each different format of desired value. It's inconvenient for cases like adding the same validation logic to two different subclasses of field.
This patch is adding support for creating custom validators.
Validator is an object which contains validation logic. Validation is executed in a validate(value, context) method. This method checks if the value is valid and returns a validation result. Validation result is a simple object which contains valid property and an error message if valid is false.
Field is extended by validators property. It can be set in spec object or later. It should contain instances of validators for the field. Validators are run in field's validation method.
This patch is a prerequisite for:
https://fedorahosted.org/freeipa/ticket/1466
Add new class "cachedproperty" for creating property-like attributes
that cache the return value of a method call.
Also fix few issues in the unit tests to enable them to succeed.
ticket 1959
The JSON server has been modified to return the version number
in all responses. The UI has been modified to keep the version
obtained during env operation and check the version returned
in subsequent operations. If the version changes the UI will
reload itself.
Ticket #946
The JSON server has been modified to return the principal name
in all responses. The UI has been modified to keep the principal
obtained during whoami operation and check the principal returned
in subsequent operations. If the principal changes the UI will
reload itself.
Ticket #1400
The IPA.get_entity() has been modified to accept either entity name
or entity object. If it receives an entity object it will return
the object itself. Otherwise, it will resolve the name in the entity
registry.
The other_entity variables have been modified to store a reference
to the entity object instead of its name. The test cases have been
modified to use real entity objects instead of just the names.
Ticket #2042
