Commit Graph

129 Commits

Author SHA1 Message Date
Ondrej Hamada
5cfee2338d Netgroup nisdomain and hosts validation
nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2448

'add_external_pre_callback' function was created to allow validation of
all external members. Validation is based on usage of objects primary
key parameter. The 'add_external_pre_callback' fucntion has to be called
directly from in the 'pre_callback' function. This change affects
netgroup, hbacrule and sudorule commands.

For hostname, the validator allows non-fqdn and underscore characters.
validate_hostname function in ipalib.util was modified and contains
additional option that allows hostname to contain underscore characters.
This option is disabled by default.

Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2447
2012-03-28 16:23:37 +02:00
Rob Crittenden
b9c3eb79a9 Fix attributes that contain DNs when migrating.
Some attributes, like secretary and manager, may point to other LDAP
entries. We need to fix these during migration.

https://fedorahosted.org/freeipa/ticket/2562
2012-03-22 21:46:27 +01:00
Rob Crittenden
f18cfd7de8 Use a consistent parameter name in errors, defaulting to cli_name.
For general command-line errors we want to use the cli_name on output.
The exception is when using *attr, we want to return that attribute name
in the exception.

https://fedorahosted.org/freeipa/ticket/1418
2012-03-20 09:06:52 +01:00
Rob Crittenden
35521ad6bb Don't allow hosts and services of IPA masters to be disabled.
https://fedorahosted.org/freeipa/ticket/2487
2012-03-19 16:09:09 +01:00
Petr Viktorin
e9d68a7b00 Don't crash when searching with empty relationship options
Empty sequences (and sequences of empty strings) are normalized
to None, but the member filter code expected a list.
This patch extends a test for missing options to also catch
false values.
The functional change is from `if param_name in options:` to
`if options.get(param_name):`; the rest of the patch is code
de-duplication and tests.

These are CSV params with csv_skipspace set, so on the CLI, empty
set is given as a string with just spaces and commas (including
the empty string).

https://fedorahosted.org/freeipa/ticket/2479
2012-03-13 23:28:53 -04:00
Petr Viktorin
1dc11a01d7 Allow removing sudo commands with special characters from command groups
Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.

https://fedorahosted.org/freeipa/ticket/2483
2012-03-12 16:02:29 +01:00
Martin Kosek
eeee8e1c6e Fix encoding for setattr/addattr/delattr
Attribute values passed by --{set,add,del}attr parameters were
normalized and validated using appropriate parameter, but were
never encoded for the backend. This make prevents manipulation
with dirsvr BOOL attributes where framework tries to pass
boolean value instead of encoded "TRUE"/"FALSE" values.

https://fedorahosted.org/freeipa/ticket/2418
2012-03-01 21:50:52 -05:00
Rob Crittenden
0099ccbea8 Only apply validation rules when adding and updating.
There may be cases, for whatever reason, that an otherwise illegal
entry gets created that doesn't match the criteria for a valid
user/host/group name. If this happens (i.e. migration) there is no way
to remove this using the IPA tools because we always applied the name
pattern. So you can't, for example, delete a user with an illegal name.

Primary keys are cloned with query=True in PKQuery which causes no
rules to be applied on mod/show/find. This reverts a change from commit
3a5e26a0 which applies class rules when query=True (for enforcing no
white space).

Replace rdnattr with rdn_is_primary_key. This was meant to tell us when
an RDN change was necessary to do a rename. There could be a disconnect
where the rdnattr wasn't the primary key and in that case we don't
need to do an RDN change, so use a boolean instead so that it is
clear that RDN == primary key.

Add a test to ensure that nowhitespace is actually enforced.

https://fedorahosted.org/freeipa/ticket/2115

Related: https://fedorahosted.org/freeipa/ticket/2089

Whitespace tickets:
https://fedorahosted.org/freeipa/ticket/1285
https://fedorahosted.org/freeipa/ticket/1286
https://fedorahosted.org/freeipa/ticket/1287
2012-02-29 18:00:45 -05:00
Rob Crittenden
d4a1dc5712 Don't allow IPA master hosts or important services be deleted.
Deleting these would cause the IPA master to blow up.

For services I'm taking a conservative approach and only limiting the
deletion of known services we care about.

https://fedorahosted.org/freeipa/ticket/2425
2012-02-23 20:17:12 +01:00
Jan Cholasta
ca3f304110 Base64-decode unicode values in Bytes parameters.
Fix wrong handling of strings in --setattr/--addattr/--delattr.

These changes make it possible to use Bytes in --setattr/--addattr/
--delattr without errors.

Fixes managing SSH keys on command-line

https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:21:50 -05:00
Petr Viktorin
90d99f6017 Clean up i18n strings
This patch switches to named ("%(name)s") instead of positional ("%s")
substitutions for internationalized strings, so translators can
reorder the words.
This fixes https://fedorahosted.org/freeipa/ticket/2179 (xgettext no
longer gives warnings).

Also, some i18n calls are rewritten to translate the template before
substitutions, not after.
2012-02-10 11:53:40 +01:00
Rob Crittenden
304b70843a Consolidate external member code into two functions in baseldap.py
External members (users and hosts) are assumed when doing member
management on certain attributes. If the member isn't in IPA it
is assumed to be external. When doing member management we need
to sift through the list of failures and pull out all those
that were simply not found in IPA.

https://fedorahosted.org/freeipa/ticket/1734
2012-02-08 09:12:53 +01:00
Martin Kosek
d4272ce374 Add argument help to CLI
CLI command help contains a documentation for all options that can
be passed to commands. However, help strings for positional
arguments are not included.

This patch uses an OptionParser description field to list all
command arguments as OptionParser does not have a native support
to provide such information to user.

https://fedorahosted.org/freeipa/ticket/1974
2012-02-06 08:57:07 +01:00
Martin Kosek
0b9279a30a Add missing managing hosts filtering options
Host object has a virtual attribute "managing" containing all hosts
it manages (governed by managedBy attribute). This patch also adds
standard membership filtering options:
  --man-hosts=HOSTS: Only hosts managing _all_ HOSTS are returned
  --not-man-hosts=HOSTS: Only hosts which do not manage _any_ host
    in HOSTS are returned

https://fedorahosted.org/freeipa/ticket/1675
2012-01-26 10:17:39 -06:00
Martin Kosek
7f6c9ac04c Add missing --pkey-only option for selfservice and delegation
pkey-only functionality has to be implemented separately for these
modules as they are based on crud.Search instead of standard
LDAPSearch.

Delegation moduled was also fixed to support new format of ACI's
memberof attribute introduced in patch "Display the value of
memberOf ACIs in permission plugin."

https://fedorahosted.org/freeipa/ticket/2092
2012-01-16 20:08:13 +01:00
Rob Crittenden
f7753bf55c Add labels so HBAC and Sudo rules show under hosts/hostgroups.
Also fix a bunch of trailing whitespace.

https://fedorahosted.org/freeipa/ticket/1751
2012-01-16 12:37:12 +01:00
Ondrej Hamada
8956fdbf40 Sort password policy by priority
'ipa pwpolicy-find' output is now sorted by priority of the policies.
Lower position means lower priority. Global policy is then at the bottom.

The changes has also affected LDAPSearch class in baseldap.py:
LDAPSearch class sorts the search results by primary key be default
(which is usually 'cn'). Therefor a function pointer entries_sortfn
was added. If no sorting function exists, default sorting by primary key
is used.

Sorting function had to be introduced due to the fact that pwpolicy's
primary key is also it's 'cn' and global policy is not allowed to have any
priority.

https://fedorahosted.org/freeipa/ticket/2045
2011-12-01 18:04:30 -05:00
Jan Cholasta
135ccf89de Parse comma-separated lists of values in all parameter types. This can be enabled for a specific parameter by setting the "csv" option to True.
Remove "List" parameter type and replace all occurences of it with appropriate
multi-valued parameter ("Str" in most cases) with csv enabled.

Add new parameter type "Any", capable of holding values of any type. This is
needed by the "batch" command, as "Str" is not suitable type for the "methods"
parameter.

ticket 2007
2011-11-30 17:08:35 +01:00
Martin Kosek
1b0b9645d1 Add --delattr option to complement --setattr/--addattr
Add a --delattr option to round out multi-valued attribute
manipulation. The new option is available for all LDAPUpdate based
commands. --delattr is evaluated last, it can remove any value
present either in --addattr/--setattr option or in current LDAP
object.

--*attr processing was completely refactored and placed to one
independent function available for all baseldap commands. For this
purpose a missing common base class for all baseldap commands has
been implemented. The new class should serve not only for --*attr
processing but also for other common baseldap methods and
attributes.

This approach will also benefit other custom commands based neither
on LDAPCreate nor LDAPUpdate. They can easily integrate --*attr
option processing when needed.

https://fedorahosted.org/freeipa/ticket/1929
2011-11-29 10:08:28 +01:00
Ondrej Hamada
8089f2859c Misleading Keytab field
The 'Keytab' field in output of all 'user-*' commands was changed
to 'Kerberos keys available'. In order to do this change for 'user-*'
commands only, the flag 'has_keytab' had to be removed from common
output parametrs in ipalib/baseldap.py. This change also affected the
host.py and service.py, where the 'has_keytab' flag was added to their
local output params. Both host.py and service.py holds the old field
caption - 'Keytab' - because of compatibility with older clients.

https://fedorahosted.org/freeipa/ticket/1961
2011-11-10 14:11:02 +01:00
Martin Kosek
a486f49a37 Create pkey-only option for find commands
New option --pkey-only is available for all LDAPSearch based classes
with primary key visible in the output. This option makes LDAPSearch
commands search for primary attribute only.

This may be useful when manipulating large data sets. User can at
first retrieve all primary keys in a relatively small data package
and then run further commands with retrieved primary keys.

https://fedorahosted.org/freeipa/ticket/1262
2011-10-27 14:17:51 +00:00
Martin Kosek
759ae9e2ef Fix LDAPCreate search failure
LDAPCreate reports "search criteria was not specific enough" when LDAP
object created in LDAPCreate shares its container with other LDAP objects
and there is one with the same name and RDN attribute.

Pass objectclass to find_entry_by_attr() function used to retrieve
newly created object for POST_CALLBACK to identify correct LDAP
object.

https://fedorahosted.org/freeipa/ticket/1864
2011-09-30 12:24:20 +02:00
Rob Crittenden
6aa5bfe5db Include failed service and service groups in hbac rule management
hbacrule-service-add/remove failures weren't being displayed because
no label was defined.

https://fedorahosted.org/freeipa/ticket/1863
https://fedorahosted.org/freeipa/ticket/1865
2011-09-27 15:57:14 +02:00
Rob Crittenden
3b9da8e276 Add external source hosts to HBAC.
When adding/removing source hosts if the host isn't found in IPA it is
considered external. The attribute externalhost is used to store
external hosts.

ticket https://fedorahosted.org/freeipa/ticket/1574
2011-08-29 17:14:28 -04:00
Rob Crittenden
41d89d0d13 Add label for HBAC services to show as members
https://fedorahosted.org/freeipa/ticket/1711
2011-08-24 15:24:19 -04:00
Rob Crittenden
109b79a7ac Change the way has_keytab is determined, also check for password.
We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.

This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.

When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).

This adds has_keytab/has_password to the user, host and service plugins.

ticket https://fedorahosted.org/freeipa/ticket/1538
2011-08-24 14:12:01 +02:00
Rob Crittenden
1dd9e14073 Optionally wait for 389-ds postop plugins to complete
Add a new command that lets you wait for an attribute to appear in
a value. Using this you can do things like wait for a managed entry
to be created, adding a new objectclass to the parent entry.

This is controlled by a new booleon option, wait_for_attr, defaulting
to False.

https://fedorahosted.org/freeipa/ticket/1144
2011-07-19 13:06:16 +02:00
Endi S. Dewata
4bd85ceb90 Fixed label capitalization
The CSS text-transform sometimes produces incorrect capitalization,
so the code has been modified to use translated labels that already
contain the correct capitalization.

Ticket #1424
2011-07-14 11:44:48 -04:00
Endi S. Dewata
b2c5b2b4b5 Fixed object_name and object_name_plural internationalization
The object_name, object_name_plural and messages that use these
attributes have been converted to support translation. The label
attribute in the Param class has been modified to accept unicode
string.

Ticket #1435
2011-07-12 16:33:08 -04:00
Rob Crittenden
3a5e26a01c Enforce class rules when query=True, continue to not run validators.
This started as a problem in allowing leading/trailing whitespaces
on primary keys. In nearly every command other than add query is True
so all rules were ignored on the primary key. This meant that to
enforce whitespace we would need to define a validator for each one.

I decided instead to set self.all_rules to just the class rules if
query == True. So the minimum set of validators will be executed
against each type but param-specific validators will only run on add.

https://fedorahosted.org/freeipa/ticket/1285
https://fedorahosted.org/freeipa/ticket/1286
https://fedorahosted.org/freeipa/ticket/1287
2011-07-11 18:43:32 -04:00
Endi S. Dewata
6083df1b02 Fixed object_name usage.
The object_name attribute was used as both an identifier and a
label which sometimes require different values (e.g. hbacrule
vs. HBAC rule). The code that uses object_name as an identifier
has been changed to use the 'name' attribute instead. The values
of the object_name attribute have been fixed to become proper
labels.

Ticket #1217
2011-07-05 16:19:10 -04:00
Endi S. Dewata
8d9575605d Added singular entity labels.
A new attribute label_singular has been added to all entities which
contains the singular form of the entity label in lower cases except
for acronyms (e.g. HBAC) or proper nouns (e.g. Kerberos). In the Web
UI, this label can be capitalized using CSS text-transform.

The existing 'label' attribute is intentionally left unchanged due to
inconsistencies in the current values. It contains mostly the plural
form of capitalized entity label, but some are singular. Also, it
seems currently there is no comparable capitalization method on the
server-side. So more work is needed before the label can be changed.

Ticket #1249
2011-06-27 12:11:22 -04:00
John Dennis
8c95eb68d2 Use DN class in get_primary_key_from_dn to return decoded value 2011-06-22 01:26:01 -04:00
Rob Crittenden
1aee9df3bc Do lazy LDAP schema retrieval in json handler.
It was possible to get to this point without a schema if the first
handled request resulted in a Kerberos error.

https://fedorahosted.org/freeipa/ticket/1354
2011-06-21 16:40:07 -04:00
Martin Kosek
585083c1d7 Improve interactive mode for DNS plugin
Interactive mode for commands manipulating with DNS records
(dnsrecord-add, dnsrecord-del) is not usable. This patch enhances
the server framework with new callback for interactive mode, which
can be used by commands to inject their own interactive handling.

The callback is then used to improve aforementioned commands'
interactive mode.

https://fedorahosted.org/freeipa/ticket/1018
2011-06-02 09:00:35 +02:00
Rob Crittenden
868d4e734e Do a lazy retrieval of the LDAP schema rather than at module load.
Attempt to retrieve the schema the first time it is needed rather than
when Apache is started. A global copy is cached for future requests
for performance reasons.

The schema will be retrieved once per Apache child process.

ticket 583
2011-05-30 09:16:30 +02:00
Rob Crittenden
e91aa64d4a Include the word 'member' with autogenerated optional member labels.
There were reports of confusion over what was being prompted for, hopefully
adding member will make things clearer.

ticket 1062
2011-05-27 13:54:31 -04:00
Rob Crittenden
9cc0754b71 Add option to limit the attributes allowed in an entry.
Kerberos ticket policy can update policy in a user entry. This allowed
set/addattr to be used to modify attributes outside of the ticket policy
perview, also bypassing all validation/normalization. Likewise the
ticket policy was updatable by the user plugin bypassing all validation.

Add two new LDAPObject values to control this behavior:

limit_object_classes: only attributes in these are allowed
disallow_object_classes: attributes in these are disallowed

By default both of these lists are empty so are skipped.

ticket 744
2011-05-27 13:51:37 -04:00
Endi S. Dewata
f9a8d772e3 Customizable facet groups.
The IPA.entity has been modified to support customizable facet groups.
The default list of facet groups is defined in IPA.entity_header and can
be overriden in the entity definition.

Ticket #1219
2011-05-16 13:18:51 -04:00
Rob Crittenden
d3b0c64fce Modify the default attributes shown in user-find to match the UI design.
This change means the UI can stop using the --all option and have to
retrieve significantly less information from the server. It also
speeds up user-find as it doesn't have to calculate membership.

This adds a new baseclass parameter, search_display_attributes, which
can provide a separate list from default_attributes just for find
commands.

The UI will need to be changed to switch from using cn to using
givenname and sn.

ticket 1136
2011-04-22 14:49:20 -04:00
Rob Crittenden
740416c8fb Always ask members in LDAP*ReverseMember commands.
This changes the API but alwaysask is enforced on the client only
so doesn't change the wire API so I'm not updating the API version.

ticket 1081
2011-04-15 13:12:16 +02:00
Endi S. Dewata
e3ec1fb7ef Entitlement registration.
The entitlement facet will show buttons according to the entitlement
status. If it's unregistered, the facet will show a Register button.
If it's registered, the facet will show a Consume button.
2011-04-14 23:05:09 +00:00
Rob Crittenden
9cac1d88fc Sort entries returned by *-find by the primary key (if any).
Do a server-side sort if there is a primary key.

Fix a couple of tests that were failing due to the new sorting.

ticket 794
2011-04-13 17:29:16 +02:00
Jan Cholasta
1ac3ed2c27 Fix lint false positives. 2011-04-13 15:58:45 +02:00
Rob Crittenden
4d0e739345 Fix style and grammatical issues in built-in command help.
There is a rather large API.txt change but it is only due to changes
in the doc string in parameters.

ticket 729
2011-03-04 11:09:43 -05:00
Rob Crittenden
07ba40f33e Use Sudo rather than SUDO as a label.
ticket 1005
2011-03-01 16:48:35 -05:00
Pavel Zuna
f3de95ce99 Fix translatable strings in ipalib plugins.
Needed for xgettext/pygettext processing.
2011-03-01 10:31:40 -05:00
Rob Crittenden
d57dfc4e98 Sudo command groups are not supposed to allow nesting.
It was a design decision to not allow nesting sudo command groups,
remove it.

ticket 1004
2011-02-23 18:44:28 -05:00
Rob Crittenden
af9f905239 Collect memberof information for sudo commands.
We weren't searching the cn=sudo container so all members of a
sudocmdgroup looked indirect.

Add a label for sudo command groups.

Update the tests to include verifying that membership is done
properly.

ticket 1003
2011-02-23 18:44:23 -05:00
Rob Crittenden
2f82112bb3 Add handling for indirect memberof other entries.
This creates a new custom attribute, memberofindirect_[plugin].
Using this you can tell the difference between being an actual memberof
another entry and being a memberof as the result if inheritence. This is
particularly useful when trying to remove members of an entry, you can
only remove direct members.

I had to add a couple of short sleep calls to make things work a little
better. The memberof plugin runs as a postop and we have no way of knowing
when it has done its work. If we don't pause we may show some stale
data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.

ticket 966
2011-02-21 11:21:23 -05:00