Commit Graph

6734 Commits

Author SHA1 Message Date
Petr Viktorin
254c82727f permission CLI: Rename filter to rawfilter, extratargetfilter to filter
Since extratargetfilter is shown by default, change it to also have
the "default" (i.e. shorter) option name.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-14 10:14:05 +01:00
Petr Viktorin
f58ffe176c permission plugin: Write support for extratargetfilter
Extend the permission-add and permission-mod commands to process
extratargetfilter.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4216

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-14 10:14:05 +01:00
Petr Viktorin
3120a6833e permission plugin: Output the extratargetfilter virtual attribute
The --filter, --type, and --memberof options interact in a way that's
difficult to recreate in the UI: type and memberof are "views" on the
filter, they affect it and are affected by it

Add a "extratagretfilter" view that only contains the filters
not linked to type or memberof.

Show extra target filter, and not the full target filter, by default;
show both with --all, and full filter only with --raw.

Write support will be added in a subsequent patch.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4216

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-14 10:14:05 +01:00
Martin Kosek
6fb53bb08c Fix idrange unit test failure
This is a follow up to patch for ticket 4247 - the raised
errors.DependentEntry changed, test needs to be change as well.

https://fedorahosted.org/freeipa/ticket/4247
2014-03-14 10:07:20 +01:00
Petr Viktorin
7c9fa8fad9 ipaserver.install.service: Fix estimated time display
Use basic math rather than timezone conversion to get
minutes and seconds.
Break out the message generation into a small tested function.

https://fedorahosted.org/freeipa/ticket/4242

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-03-13 18:15:43 +01:00
Tomas Babej
62426970b7 Prohibit deletion of active subdomain range
Changes the code in the idrange_del method to not only check for
the root domains that match the SID in the IDRange, but for the
SIDs of subdomains of trusts as well.

https://fedorahosted.org/freeipa/ticket/4247

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-03-13 18:12:13 +01:00
Petr Vobornik
870a5daf24 webui: Datetime parsing and formatting
this patch implements:
- output_formatter in field. It should be used in par with formatter. Formatter serves for datasource->widget conversion, output_formatter for widget->datasource format conversion.
- datetime module which parses/format strings in subset of ISO 8601 and LDAP generalized time format to Date.
- utc formatter replaced with new datetime formatter
- datetime_validator introduced
- new datetime field, extension of text field, which by default uses datetime formatter and validator

Dojo was regenerated to include dojo/string module

https://fedorahosted.org/freeipa/ticket/4194

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-13 15:59:44 +01:00
Petr Viktorin
05f612e58a Do not hardcode path to ipa-getkeytab in tests
Using the in-tree binary makes testing outside the source tree
impossible.
Use ipa-getkeytab from $PATH, and add the directory to $PATH when
running the in-tree tests.

Part of the work for https://fedorahosted.org/freeipa/ticket/3654

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-13 15:52:18 +01:00
Petr Vobornik
65bde3ecd7 webui: use unique ids for checkboxes
Checkboxes have not used unique ids across the whole UI. It broke checking by clicking on label for later displayed instances. It became serious problem when rcue introduced new checkbox styles with 'label clicking' as default check method.

https://fedorahosted.org/freeipa/ticket/3904

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-13 11:10:42 +01:00
Alexander Bokovoy
34d644ebdf trust: do not fetch subdomains in case shared secret was used to set up the trust
Until incoming trust is validated from AD side, we cannot run any operations
against AD using the trust. Also, Samba currently does not suport verifying
trust against the other party (returns WERR_NOT_SUPPORTED).

This needs to be added to the documentation:

   When using 'ipa trust-add ad.domain --trust-secret', one has to manually
   validate incoming trust using forest trust properties in AD Domains and
   Trusts tool.

   Once incoming trust is validated at AD side, use IPA command
   'ipa trust-fetch-domains ad.domain' to retrieve topology of the AD forest.
   From this point on the trust should be usable.

https://fedorahosted.org/freeipa/ticket/4246

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-12 18:16:52 +01:00
Alexander Bokovoy
6195870e82 ipaserver/dcerpc: make sure to always return unicode SID of the trust domain
Trusted domain SID could be obtained through different means. When it is
fetched from the AD DC via LDAP, it needs to be extracted from a default
context and explicitly converted to unicode.

https://fedorahosted.org/freeipa/ticket/4246

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-12 18:16:52 +01:00
Petr Vobornik
723166aebe Support OTP in form based auth
OTP requires to use kerberos FAST channel. Ccache with ticket obtained using ipa.keytab is used as an armor.

https://fedorahosted.org/freeipa/ticket/3369

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-12 17:29:28 +01:00
Petr Vobornik
6d1ef651db Added QRcode generation to Web UI
https://fedorahosted.org/freeipa/ticket/3369

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-12 17:29:28 +01:00
Petr Vobornik
57021d1a50 UI for managing user-auth types
https://fedorahosted.org/freeipa/ticket/3369

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-12 17:29:28 +01:00
Petr Vobornik
ea66f48987 UI for radius proxy
https://fedorahosted.org/freeipa/ticket/3369

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-12 17:29:28 +01:00
Petr Vobornik
fef26fe3d8 UI for OTP tokens
https://fedorahosted.org/freeipa/ticket/3369

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-12 17:29:28 +01:00
Petr Vobornik
0700b13807 Fix handling of action visibility change in action panel
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-12 17:29:28 +01:00
Petr Vobornik
05a9c6de2b Use general password dialog for host OTP
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-12 17:29:28 +01:00
Petr Vobornik
17563108c3 Password Dialog
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-12 17:29:27 +01:00
Petr Vobornik
290b8aeffe Fixed doc examples in Spec_mod
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-12 17:29:27 +01:00
Petr Vobornik
46478e3e1e Declarative replacement of array item in specification object
This patch adds option to define which item of which array attribute of specification object will be replaced by a new value.

The difference between combination of $add and $del is that it keeps position of that item in the array.

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-12 17:29:27 +01:00
Petr Vobornik
9e6cc48be6 Added empty value meaning to boolean formatter
Boolean object properties can have different default meaning for not defined
value. This patch allows to defined this meaning to `boolean_formatter` by
introduction of `emty_value` property. `boolean_state_evaluator` was modified
to leverage it as well.

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-12 17:29:27 +01:00
Jason Woods
d6a7923f71 ipa-sam: cache gid to sid and uid to sid requests in idmap cache
Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the
directory service for gid/uid<->sid resolution.

Additionally, this patch further reduces number of queries by:
 - fast fail on uidNumber=0 which doesn't exist in FreeIPA,
 - return fallback group correctly when looking up user primary group as is
   done during init,
 - checking for group objectclass in case insensitive way

Patch by Jason Woods <devel@jasonwoods.me.uk>

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

https://fedorahosted.org/freeipa/ticket/4234
and
https://bugzilla.redhat.com/show_bug.cgi?id=1073829
https://bugzilla.redhat.com/show_bug.cgi?id=1074314

Reviewed-By: Sumit Bose <sbose@redhat.com>
2014-03-12 12:19:06 +01:00
Petr Viktorin
d3a34591a8 permission_add: Remove permission entry if adding the ACI fails
https://fedorahosted.org/freeipa/ticket/4187

Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
2014-03-12 12:17:08 +01:00
Martin Kosek
0be66e9a67 ipa-replica-install never checks for 7389 port
When creating replica from a Dogtag 9 based IPA server, the port 7389
which is required for the installation is never checked by
ipa-replica-conncheck even though it knows that it is being installed
from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by
firewall, installation would stuck with no hint to user.

Make sure that the port configuration parsed from replica info file
is used consistently in the installers.

https://fedorahosted.org/freeipa/ticket/4240

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-11 17:10:28 +01:00
Martin Kosek
740298d120 Avoid passing non-terminated string to is_master_host
When string is not terminated, queries with corrupted base may be sent
to LDAP:

... cn=ipa1.example.com<garbage>,cn=masters...

https://fedorahosted.org/freeipa/ticket/4214

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-03-11 16:55:01 +01:00
Petr Viktorin
34c3d309d9 permission-find: Cache the root entry for legacy permissions
This makes searching faster if there are many legacy permissions present.

The root entry (which contains all legacy permission ACIs) is only
looked up once.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-11 10:00:27 +01:00
Jan Cholasta
8e98690409 Log unhandled exceptions in certificate renewal scripts.
https://fedorahosted.org/freeipa/ticket/4093

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-10 18:41:10 +01:00
Petr Viktorin
d727599aa8 permissions plugin: Don't crash with empty targetfilter
https://fedorahosted.org/freeipa/ticket/4206

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-07 20:06:52 +01:00
Petr Viktorin
0c2aec1be5 permission plugin: Allow multiple values for memberof
Design: http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions
Additional fix for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-07 20:05:28 +01:00
Petr Viktorin
02e61961da permission-mod: Remove attributelevelrights before reverting entry
LDAPUpdate adds the display-only 'attributelevelrights' attribute,
which doesn't exist in LDAP. Remove it before reverting entry.

https://fedorahosted.org/freeipa/ticket/4212

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-07 16:52:40 +01:00
Alexander Bokovoy
4048d412f2 ipa-kdb: do not fetch client principal if it is the same as existing entry
When client principal is the same as supplied client entry, don't fetch it
again.

Note that when client principal is not NULL, client entry might be NULL for
cross-realm case, so we need to make sure to not dereference NULL pointer here.

Also fix reverted condition for case when we didn't find the client principal
in the database, preventing a memory leak.

https://fedorahosted.org/freeipa/ticket/4223

Reviewed-By: Sumit Bose <sbose@redhat.com>
2014-03-06 12:28:25 +01:00
Petr Viktorin
68f4af3122 tests: Create the testing service certificate on demand
Replace the make-testcert command with a module that creates
the certificate when it is first needed.
As a result the tests are more self-contained, and can be run from
a read-only location (such as installed from a system package).

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-03-06 10:33:21 +01:00
Petr Viktorin
5ae737e160 ipalib.plugable: Always set the parser in bootstrap()
In cases where logging was already configured by the time
API.bootstrap() was called, saving the argument parser was
mistakenly skipped along with the logging configuration.

Always set the argument parser on the API object.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-03-05 19:57:37 +01:00
Tomas Babej
6b94f959a4 man: sshd should be run at least once before client enrollment
If SSH keys have not been generated prior to enrolling the client to the
IPA server, they will not be uploaded to the server, since they're not
present. Clarify this issue in the man pages.

https://fedorahosted.org/freeipa/ticket/4055

Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
2014-03-05 12:47:47 +01:00
Alexander Bokovoy
6b45ec3f31 fix filtering of subdomain-based trust users
https://fedorahosted.org/freeipa/ticket/4207

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2014-03-05 10:40:39 +01:00
Nathaniel McCallum
0ca6653c29 Fix token secret length RFC compliance
RFC 4226 states the following in section 4:
   R6 - The algorithm MUST use a strong shared secret.  The length of
   the shared secret MUST be at least 128 bits.  This document
   RECOMMENDs a shared secret length of 160 bits.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-03-05 10:09:16 +01:00
Nathaniel McCallum
21ff4f920e Rework how otptoken defaults are handled
We had originally decided to provide defaults on the server side so that they
could be part of a global config for the admin. However, on further reflection,
only certain defaults really make sense given the limitations of Google
Authenticator. Similarly, other defaults may be token specific.

Attempting to handle defaults on the server side also makes both the UI and
the generated documentation unclear.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-03-05 10:09:16 +01:00
Petr Viktorin
561e57d121 Add tests for integration test configuration
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:58 +01:00
Petr Viktorin
e6dbb2aa68 test_integration.config: Convert some text values to str
When loading from file, some strings are loaded as unicode,
which would throw off assert_deepequal.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:58 +01:00
Petr Viktorin
87a36db6bc ipa-test-config: Add --json and --yaml output options
Also update the man page.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3938

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:58 +01:00
Petr Viktorin
2150481f2a test_integration.config: Add environment variables for JSON/YAML
Part of the work for: https://fedorahosted.org/freeipa/ticket/3938

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:58 +01:00
Petr Viktorin
ef0264f75f test_integration.config: Load/store from/to dicts
Part of the work for: https://fedorahosted.org/freeipa/ticket/3938

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:58 +01:00
Petr Viktorin
310d8254ed test_integration.config: Do not store the index in Domain and Host objects
The index is a detail of the environment variable method of
configuration, it should only be used there.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:58 +01:00
Petr Viktorin
e1b73c18e3 test_integration.config: Use a more declarative approach to test-wide settings
The list of options was duplicated too many times. Consolidate.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3938

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:58 +01:00
Petr Viktorin
8e2bceffa3 test_integration.config: Do not save the input environment
Using the input environment saved in self._session_env
outside of the config loading meant that methods of
configuration other than environment variables wouldn't
be possible.

Restructure the roles/extra_roles to not depend on _session_env.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3938

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:58 +01:00
Petr Viktorin
56f0430f52 test_integration.config: Fix crash in to_env when no replica is defined
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:57 +01:00
Petr Vobornik
9b540ef218 webui: Don't act on keyboard events which originated in different dialog
Fixes issue when:
1. 2 dialogs are opened
2. top dialog's close button is focused
3. user presses enter to execute 'close' action
4. dialog is immediately closed (enter key is still pressed)
5. second dialog automatically receives focus (it's top dialog now)
6. user releases the key
7. second dialog reacts to keyup event - which is by default confirmation mixin's confirm event
8. UNDESIRED behavior occurs

Now confirmation mixin remembers which keys were pressed and released and reacts only to those which originated there.

https://fedorahosted.org/freeipa/ticket/4098

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-05 09:59:13 +01:00
Gabe
b50cdd55af Typo in warning message where IPA realm and domain name differ
Removed 'y' from warning message.

https://fedorahosted.org/freeipa/ticket/4211

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2014-03-05 09:58:16 +01:00
Petr Viktorin
fa5cbe7cb2 Test fixed modlist generation code
https://fedorahosted.org/freeipa/ticket/4138
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-03-03 12:14:09 +01:00