Mixing 'Old' and 'New' attr style for referential integrity plugin causes errors.
Now old setting are migrated to new style setting before upgrade
Ticket: https://fedorahosted.org/freeipa/ticket/4622
Reviewed-By: David Kupka <dkupka@redhat.com>
The wrong search scope was being used when trying to determine if
a given master had a CA installed when trying to create a new
connection.
https://fedorahosted.org/freeipa/ticket/4704
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Installer adds zonemgr as relative (and invalid) address.
This fix force installer to use absolute email.
Ticket: https://fedorahosted.org/freeipa/ticket/4707
Reviewed-By: David Kupka <dkupka@redhat.com>
Base RID is no longer editable for ipa-trust-ad-posix range type
Adder dialog:
- Range type selector was moved up because it affects a field above it
Details page:
- Only fields relevant to range's type are visible
https://fedorahosted.org/freeipa/ticket/4221
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the
default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.
Schema plugin needs to scope the $SUFFIX and also any updates to its configuration.
This change restrict the schema compat to those subtrees. It replaces the definition of ignored subtrees
that would be too long for cn=config (tasks, mapping tree, replication, snmp..)
https://fedorahosted.org/freeipa/ticket/4635
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This should not normally happen, but if it does, report an error instead of
waiting idefinitely for the certificate to appear.
https://fedorahosted.org/freeipa/ticket/4629
Reviewed-By: David Kupka <dkupka@redhat.com>
The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.
The KRA installer has been modified to use Dogtag's CLI to create
KRA agent and setup the client authentication.
The proxy settings have been updated to include KRA's URLs.
Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.
The Dogtag dependency has been updated to 10.2.1-0.1.
https://fedorahosted.org/freeipa/ticket/4503
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
If new certificate is not available, reuse the old one, instead of waiting
indefinitely for the new certificate to appear.
https://fedorahosted.org/freeipa/ticket/4628
Reviewed-By: David Kupka <dkupka@redhat.com>
To update the CA certificate in the Dogtag NSS database, the
"ipa-cacert-manage renew" and "ipa-certupdate" commands temporarily change
the profile of the CA certificate certmonger request, resubmit it and
change the profile back to the original one.
When something goes wrong while resubmitting the request, it needs to be
modified and resubmitted again manually. This might fail with invalid
cookie error, because changing the profile does not change the internal
state of the request.
Detect this in dogtag-ipa-ca-renew-agent and reset the internal state when
profile is changed.
https://fedorahosted.org/freeipa/ticket/4627
Reviewed-By: David Kupka <dkupka@redhat.com>
The port is never available in step 2 of external CA install, as Dogtag is
already running.
https://fedorahosted.org/freeipa/ticket/4660
Reviewed-By: David Kupka <dkupka@redhat.com>
Change event of combobox is not triggered when there is only one value. Calling it's handler even for option's 'click' event makes sure that value of input gets always updated.
https://fedorahosted.org/freeipa/ticket/4655
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Fixes issues when dialog is not removed from `IPA.opened_dialogs` registry when dialog.close() is called while the dialog is not shown, i.e., while other dialog is shown. Without it, the dialog is could be incorrectly displayed.
New dialog's property `opened` handles whether dialog is intended to be opened.
How to test:
Add new host with IP address outside of managed reverse zones to get error 4304.
https://fedorahosted.org/freeipa/ticket/4656
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Applied to hosts facet should not be default because, e.g., for Default Trust View it shouldn't be even visible(o use).
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
1. All framework objects to use event interface
2. Framework objects can be part of specification objects but they are not deep-cloned as the rest of specification objects - usually it would cause infinite loop. This make easier to add context as a $pre-op object without a need for $pre-op function.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Allow to use --force when changing authoritative nameserver address in DNS zone.
Same for dnsrecord-add for NS record.
https://fedorahosted.org/freeipa/ticket/4573
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
This plugin ensures that all counter/watermark operations are atomic
and never decrement. Also, deletion is not permitted.
Because this plugin also ensures internal operations behave properly,
this also gives ipa-pwd-extop the appropriate behavior for OTP
authentication.
https://fedorahosted.org/freeipa/ticket/4493https://fedorahosted.org/freeipa/ticket/4494
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
- display info message which points user to FreeOTP project page
- the link or the text can be easily changed by a plugin if needed
https://fedorahosted.org/freeipa/ticket/4469
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
It is necessary to fix trust flags only in the HTTP NSS DB, as it is used as
a source in the upload_cacrt update plugin.
https://fedorahosted.org/freeipa/ticket/4621
Reviewed-By: David Kupka <dkupka@redhat.com>
The --ca-signing-algorithm option is available in ipa-server-install, make
it available in ipa-ca-install as well.
https://fedorahosted.org/freeipa/ticket/4447
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.
https://fedorahosted.org/freeipa/ticket/4569
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
For changes in cn=changelog or o=ipaca the scheam comapat plugin doesn't need to be
executed. It saves many internal searches and reduces contribution to lock
contention across backens in DS.
https://fedorahosted.org/freeipa/ticket/4586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Added a new option --external-ca-type which specifies the type of the
external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs"
is selected, the CSR generated for the IPA CA will include MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".
https://fedorahosted.org/freeipa/ticket/4496
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Ipactl sorted service start order as string, which causes service with start order
100 starts before service with start order 30.
Patch fixes ipactl to use integers for ordering.
Reviewed-By: David Kupka <dkupka@redhat.com>
Usual link columns are link with primary key of current entity.
This patch allows to create a link to arbitrary non-nested entity.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Current default mechanism of a link widget assumes that pkeys of a current facet are pkeys for the link. It works for the only usage - in password policy. It's rather inflexible since it can't be used if the keys are in other attribute. This behavior is also bad in nested entities - creates a link to itself which is pointless.
This patch changes the default behavior to assume that the supplied value are the pkeys and that the last pkey is the value to display.
It also keeps the old method of overriding `other_pkeys` method so if the last and only pkey is the actual value to display then the method can tranform it into the pkeys which keeps compatibility with descendant widgets (`host_dnsrecord_entity_link_widget`, `dnsrecord_host_link_widget`).
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Fixes issue when:
- user navigates to a nested facet
- refreshes browser
- uses breadcrumb navigation to go to parent entity page which requires a pkey. E.g. from automount keys to maps.
The old code relies on the facet, that user visited the parent facet before and therefore the facet has pkey stored. It fails after the browser reload.
Allows to specify a containing_facet. It allows breadcrumb navigation to return to a different facet than the 'default'.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Add a Default Trust View, which is used by SSSD as default mapping for AD users.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
We need the referential plugin config to watch for changes in the ID view
objects, since hosts refer to them in ipaAssignedIDView attribute.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For slapi-nis plugin, we need to cache the original uid value of the user in the override
object.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Added new --*-cert-name options to ipa-server-install and ipa-replica-prepare
and --cert-name option to ipa-server-certinstall. The options allows choosing
a particular certificate and private key from PKCS#12 files by its friendly
name.
https://fedorahosted.org/freeipa/ticket/4489
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The --*_pkcs12 options of ipa-server-install and ipa-replica-prepare have
been replaced by --*-cert-file options which accept multiple files.
ipa-server-certinstall now accepts multiple files as well. The files are
accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and
raw private key and PKCS#12 formats.
The --root-ca-file option of ipa-server-install has been replaced by
--ca-cert-file option which accepts multiple files. The files are
accepted in PEM and DER certificate and PKCS#7 certificate chain formats.
The --*_pin options of ipa-server-install and ipa-replica-prepare have been
renamed to --*-pin.
https://fedorahosted.org/freeipa/ticket/4489
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The --external_cert_file and --external_ca_file options of ipa-server-install
and ipa-ca-install have been replaced by --external-cert-file option which
accepts multiple files. The files are accepted in PEM and DER certificate and
PKCS#7 certificate chain formats.
https://fedorahosted.org/freeipa/ticket/4480
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This is especially useful for external CA install, as the algorithm is also
used for the CSR signature.
https://fedorahosted.org/freeipa/ticket/4447
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Find, verify and configure all IP addresses that can be used to reach the server
FreeIPA is being installed on. Ignore some IP address only if user specifies
subset of detected addresses using --ip-address option.
This change simplyfies FreeIPA installation on multihomed and dual-stacked servers.
https://fedorahosted.org/freeipa/ticket/3575
Reviewed-By: Martin Basti <mbasti@redhat.com>
Required to prevent code duplications
ipaldap.IPAdmin now has method do_bind, which tries several bind methods
ipaldap.IPAClient now has method object_exists(dn)
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
All ipa-dns capable server is added to root zones as nameserver
During uninstall all NS records pointing to particular replica are
removed.
Part of ticket: https://fedorahosted.org/freeipa/ticket/4149
Reviewed-By: Petr Spacek <pspacek@redhat.com>
With 389 DS 1.3.3 upwards we can leverage the nsslapd-return-default-opattr
attribute to enumerate the list of attributes that should be returned
even if not specified explicitly. Use the behaviour to get the same attributes
returned from searches on rootDSE as in 1.3.1.
https://fedorahosted.org/freeipa/ticket/4288
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Sytem users and their groups are always created together.
Also, users & groups should never be removed once they exist
on the system (see comit a5a55ce).
Use a single function for generic user creation, and specific
funtions in dsinstance and cainstance.
Remove code left over from when we used to delete the DS user.
Preparation for: https://fedorahosted.org/freeipa/ticket/3866
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The underlying Dogtag issue (Dogtag ticket 1113) has been fixed.
We can therefore re-enable the uninstall option for ipa-kra-install.
Also, fixes an incorrect path in the ipa-pki-proxy.conf, and adds
a debug statement to provide status to the user when an uninstall
is done. Also, re-added the no_host_dns option which is used when
unpacking a replica file.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Hisorically DS provided defaults for the referential
integrity plugin in nsslapd-pluginArg*:
nsslapd-pluginarg3: member
nsslapd-pluginarg4: uniquemember
nsslapd-pluginarg5: owner
nsslapd-pluginarg6: seeAlso
In 389-ds 1.3.3, the multi-valued referint-membership-attr
is used instead.
The old way still works, but it requires that the values
are numbered consecutively, so IPA's defaults that started
with 7 were not taken into account.
Convert IPA defaults to use referint-membership-attr.
https://fedorahosted.org/freeipa/ticket/4537
Reviewed-By: Martin Kosek <mkosek@redhat.com>
use configuration parameters to enable ciphers provided by NSS
and not considered weak.
This requires 389-ds version 1.3.3.2 or later
https://fedorahosted.org/freeipa/ticket/4395
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
hide widgets if associated field had received attribute level rights
without 'r' right.
Explicit rights are required to avoid hiding of special widgets which
are not associated with any LDAP attribute.
https://fedorahosted.org/freeipa/ticket/4402
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Hide widgets without a value. Must be explicitly turned on. In widget by
`hidden_if_empty` flag. Or globally by `hide_empty_widgets` flag. Global
hiding can be individually turned off by `ignore_empty_hiding` flag.
https://fedorahosted.org/freeipa/ticket/4402
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- used `ctor_init` instead of `init` to avoid name collision with
existing logic
- `ctor_init` is called right after widget instantiation. Basically support
better inheritance for the old class system which doesn't have proper
contructors
https://fedorahosted.org/freeipa/ticket/4402
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- widget save() save method should try to always return value even if read only
- report value-change event with actual value to allow processing of the value
https://fedorahosted.org/freeipa/ticket/4402
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Add 'Add OTP Token' action to user action menu.
This option is disabled in self-service when viewing other users.
https://fedorahosted.org/freeipa/ticket/4402
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
We don't want to copy the extension from master to replica because the
replica may use newer version of FreeIPA and therefore the extension
code might be obsolete. Same reason for upgrades.
https://fedorahosted.org/freeipa/ticket/4478
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Make association auto-magic little bit less stupid. Now it supports
adding of new attribute member with add_member and remove_member
methods only on one side of the relationship.
https://fedorahosted.org/freeipa/ticket/4507
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- bounce url param was renamed from 'redirect' to 'url'
- support for 'delay' param added
Behavior:
- "Continue to next page" link is shown if 'url' is present
- page is no longer automatically redirected if 'url' is present
- automatic redirect is controlled by 'delay' param - it specifies
number of seconds until redirection
- info message 'You will be redirected in Xs' is show to notify
the user that something will happen. It's useful even if delay
is 0 or negative because redirection might be slow.
- counter is decremented every second
- delay is ignored if parsed as NaN
https://fedorahosted.org/freeipa/ticket/4440
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
DNS zone 'Add and Edit' failed because of new DNS name encoding.
This patch makes sure that keys are extracted properly.
https://fedorahosted.org/freeipa/ticket/4520
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
The CA cert specified by --root-ca-file option must always be the CA cert of
the CA which issued the server certificates in the PKCS#12 files. As the cert
is not actually user selectable, use CA cert from the PKCS#12 files by default
if it is present.
Document --root-ca-file in ipa-server-install man page.
https://fedorahosted.org/freeipa/ticket/4457
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be more stable and supported way of using cermonger than
tampering with its files.
>=certmonger-0.75.13 is needed for this to work.
https://fedorahosted.org/freeipa/ticket/4280
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In patch 0001-3, the DNA plugins configuration was changed to scope only 'cn=accounts,SUFFIX'
This part of the fix was invalid as trust domain object (that need uid/gid allocation)
are under 'cn=trust,SUFFIX'. Revert that part of the fix.
Waiting on https://fedorahosted.org/389/ticket/47828, to exclude provisioning contains
https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This patch adds the capability of installing a Dogtag KRA
to an IPA instance. With this patch, a KRA is NOT configured
by default when ipa-server-install is run. Rather, the command
ipa-kra-install must be executed on an instance on which a Dogtag
CA has already been configured.
The KRA shares the same tomcat instance and DS instance as the
Dogtag CA. Moreover, the same admin user/agent (and agent cert) can
be used for both subsystems. Certmonger is also confgured to
monitor the new subsystem certificates.
To create a clone KRA, simply execute ipa-kra-install <replica_file>
on a replica on which a Dogtag CA has already been replicated.
ipa-kra-install will use the security domain to detect whether the
system being installed is a replica, and will error out if a needed
replica file is not provided.
The install scripts have been refactored somewhat to minimize
duplication of code. A new base class dogtagintance.py has
been introduced containing code that is common to KRA and CA
installs. This will become very useful when we add more PKI
subsystems.
The KRA will install its database as a subtree of o=ipaca,
specifically o=ipakra,o=ipaca. This means that replication
agreements created to replicate CA data will also replicate KRA
data. No new replication agreements are required.
Added dogtag plugin for KRA. This is an initial commit providing
the basic vault functionality needed for vault. This plugin will
likely be modified as we create the code to call some of these
functions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3872
The uninstallation option in ipa-kra-install is temporarily disabled.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
action buttons associated with batch actions were enabled by default, but
they were disabled right after facet creation and a load of data. It caused
a visual flicker.
UX is enhanced by making them disabled by default.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- save one click by opening edit dialog right after adding new row
- add margin between fingerprint and "show/edit" button
- fix honoring of writable/read-only flags upon row creation
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- category radio line has line-height large enough to contain
undo button -> content doesn't move several pixels on change
- remove vertical padding from btns in table headers to maintain
about the same height
- remove invisible border from link buttons to have the same height
for disabled and enabled button
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Tooltips were added to "User authentication types" and "Default user
authentication types" to describe their relationship and a meaning of
not-setting a value.
https://fedorahosted.org/freeipa/ticket/4471
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Allow to set 'tooltip' attribute in spec. It displays info icon
with Bootstrap's tooltip near field's label.
https://fedorahosted.org/freeipa/ticket/4471
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- use title for input's elements 'title' attribute
- tooltip for Bootstrap's tooltip component
https://fedorahosted.org/freeipa/ticket/4471
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- added cancel button to reset password view of login screen
- re-implemented buttons hiding mechanism
- switching between 'Reset Password' and 'Reset Password and Login' according to presence of value in OTP field
https://fedorahosted.org/freeipa/ticket/4470
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- add info icons to distinguish and classify the messages.
- add info text for OTP fields
- fix login instruction inaccuracy related to position of login button
https://fedorahosted.org/freeipa/ticket/4470
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
The notification is a primary information of the page. It should be more highlighted.
https://fedorahosted.org/freeipa/ticket/4470
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
On page:
- styled to use proper line breaks
- "centered" by .container class and not by huge padding
Console:
- proper line breaks
- links in stack trace are clickable(Chrome)
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Simplify code base by reuse of 'disable' feature of button_widget. All
occurrences of action-button which were disabled/enabled were replaced
by button-widget.
https://fedorahosted.org/freeipa/ticket/4258
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Detach/attach facet nodes when switching facets instead of
hiding/showing.
Keeps dom-tree more simple.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Fixed:
1. IE doesn't support value 'initial' in CSS rule.
2. setting innerHTML='' also destroys content of child nodes in
LoginScreen in IE -> reattached buttons have no text.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
This prevents the reuse of TOTP tokens by recording the last token
interval that was used. This will be replicated as normal. However,
this patch does not increase the number of writes to the database
in the standard authentication case. This is because it also
eliminates an unnecessary write during authentication. Hence, this
patch should be write-load neutral with the existing code.
Further performance enhancement is desired, but is outside the
scope of this patch.
https://fedorahosted.org/freeipa/ticket/4410
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Without nsslapd-allow-hashed-passwords being turned on, user password
migration fails.
https://fedorahosted.org/freeipa/ticket/4450
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Allow use of characters that no longer cause troubles. Check for
leading and trailing characters in case of 389 Direcory Manager password.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Nested options (MS-PAC and PAD) of service's PAC type should be
disabled if no value is supplied (default value is "Inherited
from server configuration"). That was not the case - regression.
This patch fixes it and along with it simplifies the update method
of option_widget_base to be more comprehensible.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
User is not able to change Bind Rule Type if permission is already
member of a privilege. Let's disable it and don't confuse user.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Little regression - select widget could not handle empty or no array as an
input value.
It broke 'undo' operation in Permissions' 'Type' attribute while switching
between '' and some value.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Visible read-only fields are no longer displayed as disabled in
permission details facet.
https://fedorahosted.org/freeipa/ticket/4254
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
The input-group class was added based on visibility of child elements.
This failed when it had to be determined *before* displaying the widget.
Now it's added if the buttons are not hidden by `display: none` CSS rule.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Separate update of read-only state from update of value.
It should be possible to switch from read-only UI to editable UI without
value change.
https://fedorahosted.org/freeipa/ticket/4254
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Very useful for managed permissions since the list of attrs in metadata
might be smaller that default attributes. This smooths behavior if one
removes an attr from effective attrs which is not in metadata. Without
this it will disappear from the list and one has to add it manually
through 'Add'.
https://fedorahosted.org/freeipa/ticket/4253
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Web UI doesn't always know what are the possible attributes
for target object. This will allow to add custom attributes
if necessary.
https://fedorahosted.org/freeipa/ticket/4253
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
There is a case where attributes widget can contain > 1000 items.
It's about 3000 nodes. It's slow in jQuery. Simple move to dojo
speeds it up (is closer to native calls) while maintaining developer
friendliness.
Now the biggest lag is in browser's render. It's probably not worth
developer time to optimize that.
https://fedorahosted.org/freeipa/ticket/4253
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Adds filter field to attribute box in permissions for better user
experience. User can then quickly find the desired attribute.
Initial version of the patch authored by: Adam Misnyovszki
https://fedorahosted.org/freeipa/ticket/4253
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Attributes widget layour was changed from tiny table which allowed
to display only few options to a checkbox list with multiple
columns (depends on container).
Check all attributes option was removed to force the user
to read through the attributes which he selects.
Initial version authored by: Adam Misnyovszki
https://fedorahosted.org/freeipa/ticket/4253
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Since recent permissions work references this entry, we need to be
able to have memberOf attributes created on this entry. Hence we
need to include the nestedgroup objectclass.
https://fedorahosted.org/freeipa/ticket/4433
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
API responses can contain warnings in "messages" array. This patch
also adds support for displaying multiple notifications at the same
time in order to show the message and a status of finished operation.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
/usr/share/java/rhino.jar is a Fedora's symlink to /usr/share/java/js.jar
Debian doesn't have it. Direct usage of upstream /usr/share/java/js.jar should
work on both systems.
Reviewed-By: Timo Aaltonen <tjaalton@ubuntu.com>
It was decided not to change the OID space for FreeIPA 4.0+ objectclasses.
However, we should still at least properly mark the X-ORIGIN to make
analyzing schema easier.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The make-ui.sh script builds both app.js and core.js,
but only one was specified in the Makefile.
Correct the mistake.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Call user-unlock command from Web UI.
It will unlock displayed user on current master.
https://fedorahosted.org/freeipa/ticket/4407
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
standalone page for OTP token synchronization. It reuses SyncOTPScreen
widget instead of reimplementing the logic as in other standalone pages.
https://fedorahosted.org/freeipa/ticket/4218
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Current compiled Web UI layer (app.js) contains every FreeIPA plugin and
not just the UI framework. It's not possible to start just a simple facet.
This commit creates a basis for a layer (core.js) which contains only
framework code and not entity related code.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Simple plugin which handles transition from login facet to OTP sync facet
and vice versa.
https://fedorahosted.org/freeipa/ticket/4218
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>