Commit Graph

504 Commits

Author SHA1 Message Date
Petr Vobornik
2449b4d827 Fixed rpm build warning - extension.js listed twice
Building the ipa rpms returns this:
warning: File listed twice: /usr/share/ipa/ui/extension.js

This is because of a glob:
%{_usr}/share/ipa/ui/*.js

and then more specifically:
%config(noreplace) %{_usr}/share/ipa/ui/extension.js

https://fedorahosted.org/freeipa/ticket/2253
2012-03-19 18:38:46 +01:00
Petr Vobornik
66692127c6 Show_content on refresh success
If an error content is displayed a successfull refresh doesn't show properly populated facet content. This patch adds show_content call to refresh success handlers which solves the problem.

https://fedorahosted.org/freeipa/ticket/2449
2012-03-19 18:37:39 +01:00
Petr Vobornik
646a4ccde3 Content is no more overwritten by error message
When an error which caused calling of report_error occurt, the content of a facet got replaced by error message. There was no way how to force the facet to recreate its content and the facet became unusable.

This patch creates a containter for an error message. On error,  report_error writes its content to error container, content container is hidden and error container is shown. Older comment in a code suggested to move the error message to facet's footer. A message in a footer could be missed by the user and on top of that a footer is sometimes used by various facet and we would have to solve the same problem again.

From experience the cause of an error is usually a missing pkey in a path. Therefore error information suggests user to navigate to top level. It causes to load default facets with default values so errors in navigation state shouldn't happen.

Facet content is displayed back on facet_show. If user tries to display same object as before facet's need_update() would return false, therefore need_update was modified to always return true if error is displayed.

Reproduction:
 1) display any nested entity - ie DNS record
 2) delete its parent pkey from path - &dnszone-pkey=example.com
 3) reload the page with this path

https://fedorahosted.org/freeipa/ticket/2449
2012-03-19 18:37:19 +01:00
Petr Vobornik
97e440bf4b Better hbactest validation message
HBAC Test validation message contains all missing values in form of list of links instead of general 'missing values' message and redirection to first missing value's facet.

When a link is clicked user is redirected to value's facet.

https://fedorahosted.org/freeipa/ticket/2182
2012-03-15 16:08:16 +01:00
Petr Vobornik
3ca0f6aee5 Fixed evaluating checkbox dirty status
Problem:
When value in checkbox is modified twice in a row (so it is at its original value) an 'undo' button is still visible even when it shouldn't be.

Cause:
IPA server sends boolean values as 'TRUE' or 'FALSE' (strings). Checkbox_widget converts them to JavaScript? boolean (true, false). Save method in checkbox_widget is returning array with a boolean. So test_dirty method always evaluates to dirty because 'FALSE' != false.

This patch is fixing the problem.

https://fedorahosted.org/freeipa/ticket/2494
2012-03-15 16:08:02 +01:00
Petr Vobornik
d082b64b7b Certificate serial number in hex format - ui testing data
Updated UI static content to contain value and label for certificate serial_number_hex.

https://fedorahosted.org/freeipa/ticket/1991
2012-03-14 04:40:35 -04:00
Rob Crittenden
d4a80dbe52 Display serial number as HEX (DECIMAL) when showing certificates.
https://fedorahosted.org/freeipa/ticket/1991
2012-03-14 04:40:35 -04:00
Petr Vobornik
4385816dbb Fixed checkbox value in table without pkey
When a table is displaying a record set without entity's pkey attribute. A checkbox value isn't properly prepared. This patch adds the preparation (converts value to string).

https://fedorahosted.org/freeipa/ticket/2404
2012-03-14 09:08:01 +01:00
Petr Vobornik
6066432f0d Fixed mask validation in network_validator
Network validator allowed invalid mask format:
 * leading zeros: 192.168.0.1/0024
 * trailing chars: 192.168.0.1/24abcd

It was fixed.

https://fedorahosted.org/freeipa/ticket/2493
2012-03-14 09:07:58 +01:00
Petr Vobornik
31eebda584 Removed CSV creation from UI
Creating CSV values in UI is unnecessary and error-prone because server converts them back to list. Possible problems with values containing commas may occur.  All occurrences of CSV joining were therefore removed.

https://fedorahosted.org/freeipa/ticket/2227
2012-03-02 11:45:21 -06:00
Petr Vobornik
c643197b19 Improved usability of login dialog
Usability was imporved in Unauthorized/Login dialog.

When the dialog is opened a link which switches to login form is focus so user can do following:

1) press enter (login form is displayed and username field is focused )
2) type username
3) press tab
4) type password
5) press enter

this sequence will execute login request.

When filling form user can also press 'escape' to go back to previous form state. It's the same as if he would click on the 'back' button.

https://fedorahosted.org/freeipa/ticket/2450
2012-03-02 11:05:16 +01:00
Petr Voborník
368c624a74 Forms based authentication UI
Support for forms based authentication was added to UI.

It consist of:

1) new login page
Page url is [ipa server]/ipa/ui/login.html

Page contains a login form. For authentication it sends ajax request at [ipa server]/session/json/login_password. If authentication is successfull page is redirected to [ipa server]/ipa/ui if it fails from whatever reason a message is shown.

2) new enhanced error dialog - authorization_dialog.

This dialog is displayed when user is not authorized to perform action - usually when ticket and session expires.
It is a standard error dialog which shows kerberos ticket related error message and newly offers (as a link) to use form based authentication. If user click on the link, the dialog content and buttons switch to login dialog which has same functionality as 'new login page'. User is able to return back to the error message by clicking on a back button.

login.html uses same css styles as migration page -> ipa-migration.css was merged into ipa.css.

https://fedorahosted.org/freeipa/ticket/2450
2012-03-02 11:04:33 +01:00
Petr Voborník
87901ed709 Added logout button
Logout button was added to Web UI.

Click on logout button executes session_logout command. If command succeeds or xhr stutus is 401 (unauthorized - already logged out) page is redirected to logout.html.

logout.html is a simple page with "You have been logged out" text and a link to return back to main page.

https://fedorahosted.org/freeipa/ticket/2363
2012-02-28 23:58:51 -05:00
Petr Voborník
37cdbae234 Added attrs to permission when target is group or filter
Option to set attributes in permission was missing for target 'group' and 'filter'.

Attribute_table_widget with type=group is shown for target=group.

For target=filter a multivalued textbox is shown. This is because UI can't predict what type will the result of the filter be. In future it can be extended by interactive attribute selector to help user find what he wants to enter.

Mutlivalued widget was modified to show undo button for new entries even if show_undo is false. It is useful in adder dialog to indicate that user added something and to enable it reversal.

https://fedorahosted.org/freeipa/ticket/2372
2012-02-29 13:01:22 +01:00
Petr Voborník
885ffe5a3e Multiple fields for one attribute
Current implementation has a limitation to have one field per one attribute. This is fine for most cases. For cases where an attribute can have two editor widgets which can be swapped a need for two different types of field may occur.

This patch introduces 'param' option which supposes to contain attribute name. If 'param' is not specified it will contain field's name therefore backward compatibility is maintained. This extension allows to have two fields with different name and same param -> two fields get/supply value from/to the same attribute.

Needed for:

https://fedorahosted.org/freeipa/ticket/2372
2012-02-29 13:01:16 +01:00
Petr Voborník
34f742bec2 Fixed selection of single value in combobox
When editable combobox had only one option and input field was cleared, the option couldn't be selected if it was selected before.

This patch adds click handler to option elements. The handler calls select_on_change.

When different option is selected select_on_change is executed twice. To avoid duplicate call of value_changed an open state of option area is checked. In first pass the area will be closed so it won't be executed in second. When selected option is clicked, only onclick handler is processed.

This patch assumes that select event will be processed before click event.

https://fedorahosted.org/freeipa/ticket/2070
2012-02-29 12:59:14 +01:00
Petr Voborník
87c2b00bf8 Fixed redirection in Add and edit in automember hostgroup.
Redirection in 'Add and edit' in automember hostgroup now navigates to correct facet.

https://fedorahosted.org/freeipa/ticket/2422
2012-02-29 12:59:14 +01:00
Petr Voborník
7da8d2f296 Added unsupported_validator
dnszone attributes idnsallowquery and idnsallowtransfer have valid but currently unsupported values: 'localhost' and 'localnets'.

New validator was introduced for unsuported values. By using this validator user can see that the value is currently unsupported instead of showing 'invalid value' or passing the value to server and creating error there.

https://fedorahosted.org/freeipa/ticket/2351
2012-02-29 12:59:13 +01:00
Petr Voborník
cf60e7e71e Fixed DNS record add handling of 4304 error
Fixed hanling of 4304 error in DNS record add.

Code which handled this error in host-add was generalized and moved to IPA. DNS record add both in adder dialog and dns record table are using this generalized version.

https://fedorahosted.org/freeipa/ticket/2349
2012-02-29 12:59:13 +01:00
Petr Voborník
525bf04da5 Making validators to return true result if empty
All custom validators were changed to return true result if value is empty. Raising error if value is empty is resposibility of check_required call.

This fixes immediate displaying of error message in multivalued fields containing custom validators.

https://fedorahosted.org/freeipa/ticket/2351
2012-02-29 12:59:13 +01:00
Petr Voborník
52208e8b40 Moved is_empty method from field to IPA object
is_empty method represents IPA UI standard of evaluating whether value is empty. Therefore is should be placed in IPA object instead of IPA.field to allow reuse in different locations.

https://fedorahosted.org/freeipa/ticket/2351
2012-02-29 12:59:13 +01:00
Petr Voborník
25bda1e860 New UI for DNS global configuration
UI for DNS global configuration was implemented.

https://fedorahosted.org/freeipa/ticket/2350
2012-02-29 12:59:13 +01:00
Petr Voborník
43bbbf749d Fixed displaying of A6 Record
UI was modified to reflect changes in #2309.

Now it uses a6_part_data attribute instead of a6record. This fixes displaying of values in a table and modification of existing A6 record.

https://fedorahosted.org/freeipa/ticket/2367
2012-02-29 12:59:13 +01:00
Petr Voborník
fbf46fb78c DNS UI: added A,AAAA create reverse options to adder dialog
To DNS record adder dialog were added a_extra_create_reverse and aaaa_extra_create_reverse options.

It's UI part of #2009.

https://fedorahosted.org/freeipa/ticket/2349
2012-02-29 12:59:13 +01:00
Petr Voborník
a1f8c39f88 DNS Zone UI: added new attributes
New attributes were added to DNS zone details facet.

Attributes:
    idnsallowquery
    idnsallowtransfer
    idnsforwarders
    idnsforwardpolicy
    idnsallowsyncptr

New network address validator created for idnsallowquery and idnsallowtransfer attributes.

Network address validator also added to dnszone adder dialog - from_ip field.

https://fedorahosted.org/freeipa/ticket/2351
2012-02-29 12:59:13 +01:00
Petr Voborník
7c392cb9a8 New checkboxes option: Mutual exclusive
Problem:
UI doesn't have a control for selecting one or none value from given set of values.

Solution:
Attribute mutex was added to checkboxes_widget. When it is set, checking some value causes that all other values are unchecked.

https://fedorahosted.org/freeipa/ticket/2351
2012-02-29 12:59:13 +01:00
Petr Voborník
a66d8d51b6 Static metadata update - new DNS options
Tickets: #2349 #2350 #2351 #2367
2012-02-29 12:59:13 +01:00
John Dennis
ee780df13c Implement password based session login
* Adjust URL's
  - rename /ipa/login -> /ipa/session/login_kerberos
  - add /ipa/session/login_password

* Adjust Kerberos protection on URL's in ipa.conf

* Bump VERSION in httpd ipa.conf to pick up session changes.

* Adjust login URL in ipa.js

* Add InvalidSessionPassword to errors.py

* Rename krblogin class to login_kerberos for consistency with
  new login_password class

* Implement login_password.kinit() method which invokes
  /usr/bin/kinit as a subprocess

* Add login_password class for WSGI dispatch, accepts POST
  application/x-www-form-urlencoded user & password
  parameters. We form the Kerberos principal from the server's
  realm.

* Add function  krb5_unparse_ccache()

* Refactor code to share common code

* Clean up use of ccache names, be consistent

* Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file()
  with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache().
  bind_ipa_ccache() now sets environment KRB5CCNAME variable.
  release_ipa_ccache() now clears environment KRB5CCNAME variable.

* ccache names should now support any ccache storage scheme,
  not just FILE based ccaches

* Add utilies to return HTTP status from wsgi handlers,
  use constants for HTTP status code for consistency.
  Use utilies for returning from wsgi handlers rather than
  duplicated code.

* Add KerberosSession.finalize_kerberos_acquisition() method
  so different login handlers can share common code.

* add Requires: krb5-workstation to server (server now calls kinit)

* Fix test_rpcserver.py to use new dispatch inside route() method

https://fedorahosted.org/freeipa/ticket/2095
2012-02-27 05:57:43 -05:00
John Dennis
9753fd4230 Tweak the session auth to reflect developer consensus.
* Increase the session ID from 48 random bits to 128.

* Implement the sesison_logout RPC command. It permits the UI to send
  a command that destroys the users credentials in the current
  session.

* Restores the original web URL's and their authentication
  protections. Adds a new URL for sessions /ipa/session/json. Restores
  the original Kerberos auth which was for /ipa and everything
  below. New /ipa/session/json URL is treated as an exception and
  turns all authenticaion off. Similar to how /ipa/ui is handled.

* Refactor the RPC handlers in rpcserver.py such that there is one
  handler per URL, specifically one handler per RPC and AuthMechanism
  combination.

* Reworked how the URL names are used to map a URL to a
  handler. Previously it only permitted one level in the URL path
  hierarchy. We now dispatch on more that one URL path component.

* Renames the api.Backend.session object to wsgi_dispatch. The use of
  the name session was historical and is now confusing since we've
  implemented sessions in a different location than the
  api.Backend.session object, which is really a WSGI dispatcher, hence
  the new name wsgi_dispatch.

* Bullet-proof the setting of the KRB5CCNAME environment
  variable. ldap2.connect already sets it via the create_context()
  call but just in case that's not called or not called early enough
  (we now have other things besides ldap which need the ccache) we
  explicitly set it early as soon as we know it.

* Rework how we test for credential validity and expiration. The
  previous code did not work with s4u2proxy because it assumed the
  existance of a TGT. Now we first try ldap credentials and if we
  can't find those fallback to the TGT. This logic was moved to the
  KRB5_CCache object, it's an imperfect location for it but it's the
  only location that makes sense at the moment given some of the
  current code limitations. The new methods are KRB5_CCache.valid()
  and KRB5_CCache.endtime().

* Add two new classes to session.py AuthManager and
  SessionAuthManager. Their purpose is to emit authication events to
  interested listeners. At the moment the logout event is the only
  event, but the framework should support other events as they arise.

* Add BuildRequires python-memcached to freeipa.spec.in

* Removed the marshaled_dispatch method, it was cruft, no longer
  referenced.

https://fedorahosted.org/freeipa/ticket/2362
2012-02-27 05:54:29 -05:00
Petr Voborník
a7ced67e77 Added missing configuration options
Missing options were added to Web UI's IPA Server/Configuration page.
 * ipaconfigstring
 * ipaselinuxusermaporder
 * ipaselinuxusermapdefault

https://fedorahosted.org/freeipa/ticket/2285
https://fedorahosted.org/freeipa/ticket/2400
2012-02-20 15:47:39 -06:00
Petr Voborník
a11f1bb2c2 Fixed problem when attributes_widget was displaying empty option
Attribute table was modified to skip creation of option for empty value.

https://fedorahosted.org/freeipa/ticket/2291
2012-02-20 15:47:32 -06:00
Petr Voborník
8ad295a554 Redirection to PTR records from A,AAAA records
Address column in A, AAAA DNS records was exented of redirection capabilities.
Redirection dialog is shown after a click on a value.
Dialog does following steps:
 1) fetch all dns zones
 2) find most accurate reverse zone for IP address
    2 -fail) show error message, stop
 3) checks if target record exists in the zone
    3 -fail) show 'dns record create link', stop
 4) redirects

Click on 'dns record create link':
 1) creates record
   1 -fail) show error, stop
 2) redirects

https://fedorahosted.org/freeipa/ticket/1975
2012-02-15 09:23:26 +01:00
Petr Voborník
eb87b8c319 UI support for ssh keys
To user and host details pages was added ipasshpubkey attribute.

New widget for ssh public keys was created.

https://fedorahosted.org/freeipa/ticket/2340
2012-02-15 09:23:05 +01:00
Petr Voborník
2755709f2e Removed question marks from field labels
In user group adder dialog, the "Is this a POSIX group?" was replaced with "POSIX group".
In host search facet, the "Enrolled?" was replaced with "Enrolled".

https://fedorahosted.org/freeipa/ticket/2353
2012-02-14 08:35:49 -06:00
Petr Vobornik
7e02cb8aec Fixed entity link disabling
Problem:
Entity link (eg: to hosts in dns record or to dns record in host) is not changing its state when linked record doesn't exist. The link can remain wrongly enabled from previous state.

Fixed:
The link is disabled when target doesn't exist.

https://fedorahosted.org/freeipa/ticket/2364
2012-02-14 08:35:41 -06:00
Endi S. Dewata
eba3a341e6 Fixed ipa.js for sessions.
The patch fixes a problem in error_handler_login() when it gets
an error other than 401.

The login_url is not needed for fixtures because it does not need
authentication.

The patch also fixes jslint warnings and formatting issues.
2012-02-09 13:21:12 -06:00
John Dennis
bba4ccb3a0 add session manager and cache krb auth
This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:

* Add a session manager to support cookie based sessions which
  stores session data in a memcached entry.

* Add ipalib/krb_utils.py which contains functions to parse ccache
  names, format principals, format KRB timestamps, and a KRB_CCache
  class which reads ccache entry and allows one to extract information
  such as the principal, credentials, credential timestamps, etc.

* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
  that all kerberos items are co-located.

* Modify javascript in ipa.js so that the IPA.command() RPC call
  checks for authentication needed error response and if it receives
  it sends a GET request to /ipa/login URL to refresh credentials.

* Add session_auth_duration config item to constants.py, used to
  configure how long a session remains valid.

* Add parse_time_duration utility to ipalib/util.py. Used to parse the
  session_auth_duration config item.

* Update the default.conf.5 man page to document session_auth_duration
  config item (also added documentation for log_manager config items
  which had been inadvertantly omitted from a previous commit).

* Add SessionError object to ipalib/errors.py

* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
  /ipa/login

* Add SessionCCache class to session.py to manage temporary Kerberos
  ccache file in effect for the duration of an RPC command.

* Adds a krblogin plugin used to implement the /ipa/login
  handler. login handler sets the session expiration time, currently
  60 minutes or the expiration of the TGT, whichever is shorter. It
  also copies the ccache provied by mod_auth_kerb into the session
  data.  The json handler will later extract and validate the ccache
  belonging to the session.

* Refactored the WSGI handlers so that json and xlmrpc could have
  independent behavior, this also moves where create and destroy
  context occurs, now done in the individual handler rather than the
  parent class.

* The json handler now looks up the session data, validates the ccache
  bound to the session, if it's expired replies with authenicated
  needed error.

* Add documentation to session.py. Fully documents the entire process,
  got questions, read the doc.

* Add exclusions to make-lint as needed.
2012-02-09 13:20:45 -06:00
Petr Voborník
cbd77cae0a Automember UI - Fixed I18n labels
Hard-coded labels in Automember UI have been moved into internal.py to
allow translation.

https://fedorahosted.org/freeipa/ticket/2195
2012-02-07 00:48:10 -06:00
Petr Voborník
fccea2dca4 Automember UI - default groups
In this patch was implemented and added a control for defining default automember groups.

There is a difference from UXD spec. In the spec the control was placed below table in the search facet. This was not working well with the combobox in the control. Open combobox requires some space below it. As it was placed at the bottom of the page it created unwanted blank space and forced showing scrollbars. Moving the control above the table solves the problem without rewriting combobox logic. It can be rewritten and moved down later.

https://fedorahosted.org/freeipa/ticket/2195
2012-02-07 00:48:07 -06:00
Petr Voborník
199d6815d4 Automember UI
New UI for automember.

Implemented:
 * search facet core
 * rule details facet
 * attribute_table_widget - new base class for tables which contains multivalued attribute with special add/remove commands
 * adding/removing conditions in details facet

TODO:
 * label translations
 * UI for defining default rules

https://fedorahosted.org/freeipa/ticket/2195
2012-02-01 12:47:46 -06:00
Petr Voborník
c00267308e Navigation and redirection to various facets
In current implementation target facet of navigation(from menu) and redirection is always one exact facet per entity. There isn't a way to navigate to different facet from menu or redirect to different facets from various facets.

This patch adds:
 * possibility to define menu items which can navigate to different facets of various entities. This also means that now current menu tree can contain leafs with the same entity.
 * possibility to define redirection target per facet - it is needed to keep breadcrumb navigation consistent with various navigation tree patch leading to same entity leafs.

This functionality is needed for Automember UI. Automember UI is designed as if it was for two entities but it is in fact only one.

https://fedorahosted.org/freeipa/ticket/2195
2012-02-01 12:47:42 -06:00
Endi Sukma Dewata
b73fc6e550 Show password expiration date.
The user details page was modified to show the password expiration
date next to the existing password field.

Fixed problem resetting password in self-service mode. The JSON
interface for the passwd command requires the username to be
specified although the equivalent CLI command doesn't require it.

Ticket #2064
2012-02-01 15:51:50 +01:00
Endi Sukma Dewata
77f0e9aba5 Use fixed font when displaying certificate.
The textareas used to display certificates were modified to use
fixed font.

Ticket #2017
2012-02-01 15:51:31 +01:00
Endi Sukma Dewata
0c4500738b Hide Add/Delete buttons in self-service mode.
Users do not have add/delete permission in self-service mode, so
the search facet was modified to hide the Add/Delete buttons.

Ticket #2188
2012-02-01 15:51:21 +01:00
Endi Sukma Dewata
ea9d5e6f9a Added icons for status column.
The status formatter was modified to show enabled/disabled icon
before the status text.

The format classes were renamed to formatter to avoid confusion
with the format() method. A new parameter 'type' was added to the
formatter to determine the output type (e.g. text/html).

Ticket #1996
2012-02-01 15:51:10 +01:00
Endi Sukma Dewata
6bd2f5ba35 Fixed host managed-by adder dialog.
The host managed-by adder dialog has been fixed to use the new
--not-man-hosts option to filter out hosts that are already added.

Ticket #1675
2012-01-31 08:40:00 -06:00
Petr Voborník
191f05e477 Added paging to DNS record search facet
Paging in DNS record search facet was disabled because there was a mismatch between primary keys sent by server and values displayed in the facet.

The facet was modified to enable paging. To preserve amount of information which was displayed before, current rows have variable height - they can contain more that one line depending on number of values in the record. Each record has a checkbox and indsname in its first line to distinguish one record from others. Because there is only one checkbox for record, delete command is called with --rem-all option which causes that entire record is removed. Individual values can be deleted in record's details facet.

https://fedorahosted.org/freeipa/ticket/2094
2012-01-31 08:39:12 -06:00
Petr Voborník
1f3d8003f7 Modifying DNS UI to benefit from new DNS API
DNS UI was modified to offer structured way of defining DNS records.

https://fedorahosted.org/freeipa/ticket/2208
2012-01-30 17:47:07 -06:00
Petr Voborník
71f9343480 Added refresh button for UI
Web UI is caching records. Currently only possible ways how to display updated record which was changed elsewhere - ie. in CLI are:
 * refresh page in browser (takes really long on slow vpns)
 * search facet: change filter, find, change filter back, find
 * entity details: go to search, select other entry, go back to search, select original entry
 * association facet: same as entity details

These are unconvenient methods.

This patch adds Refresh button to search, details and association facet. This button executes facets refresh method.

https://fedorahosted.org/freeipa/ticket/2051
2012-01-30 17:46:57 -06:00
Endi Sukma Dewata
b353239e59 Fixed inconsistent status labels.
This patch modifies the status attributes in users, DNS zones,
HBAC/sudo rules, HBAC test, and SELinux User Map to use the same
label (i.e. Status) and values (i.e. Enabled/Disabled). The method
to change the status will be modified separately.

Ticket #2247
2012-01-23 15:38:41 +01:00