Commit Graph

2648 Commits

Author SHA1 Message Date
Rob Crittenden
2f4f9054aa Enable a host to retrieve a keytab for all its services.
Using the host service principal one should be able to retrieve a keytab
for other services for the host using ipa-getkeytab. This required a number
of changes:

- allow hosts in the service's managedby to write krbPrincipalKey
- automatically add the host to managedby when a service is created
- fix ipa-getkeytab to return the entire prinicpal and not just the
  first data element. It was returning "host" from the service tgt
  and not host/ipa.example.com
- fix the display of the managedby attribute in the service plugin

This led to a number of changes in the service unit tests. I took the
opportunity to switch to the Declarative scheme and tripled the number
of tests we were doing. This shed some light on a few bugs in the plugin:

- if a service had a bad usercertificate it was impossible to delete the
  service. I made it a bit more flexible.
- I added a summary for the mod and find commands
- has_keytab wasn't being set in the find output

ticket 68
2010-08-16 17:13:56 -04:00
Rob Crittenden
81ae7c3a60 Add a BuildRequires for authconfig
ticket 137
2010-08-16 17:09:17 -04:00
Rob Crittenden
1df10a88cd Add support for client failover to the ipa command-line.
This adds a new global option to the ipa command, -f/--no-fallback. If this
is included then just the server configured in /etc/ipa/default.conf is used.
Otherwise that is tried first then all servers in DNS with the ldap SRV record
are tried.

Create a new Local() Command class for local-only commands. The help
command is one of these. It shouldn't need a remote connection to execute.

ticket #15
2010-08-16 10:35:27 -04:00
Adam Young
3e6f0f5721 From: Pavel Zuna <pzuna@redhat.com>
Date: Tue, 10 Aug 2010 16:41:28 -0400
Subject: [PATCH 2/6] Add a new INTERNAL plugin that exports plugin meta-data into JSON.

This is required for the webUI, since we're dropping Genshi. *ehm* :)

You can't use this command on the CLI. It takes one optional argument:
the name of an IPA object. If not specified, meta-data for all objects
are returned.
2010-08-13 17:56:16 -04:00
Adam Young
030b5dab93 Change the behaviour of addattr/setattr parameters.
setattr and addattr can now be used both to set all values of
ANY attribute. the last setattr always resets the attribute to
the specified value and all addattr append to it.

Examples:
user-mod testuser --setattr=title=msc
  title: msc
user-mod testuser --setattr=title=msb
  title: msb
user-mod testuser --addattr=title=msc
  title: msb, msc
user-mod testuser --setattr=title=
  title:
user-mod testuser --setattr=title=msc --addattr=msb
  title: msc, msb
user-mod testuser --setattr=title=ing --addattr=bc
  title: ing, bc
user-mod testuser --setattr=title=doc
  title: doc

It's not very user friendly, but it's going to be used very very
rarely in special conditions in the CLI and we can use it to save
lots of JSON-RPC roundtrips in the webUI.

This version includes calling the validation of Params during the setting of the attrs.
2010-08-13 16:20:41 -04:00
Pavel Zuna
f15758dbea Improve serialization to JSON.
- Make it recursive.
- Make Param classes serializable.
- Take python native data types into account.
2010-08-12 09:06:22 -04:00
Pavel Zuna
58fd1199f6 Stretch content div and make Reset/Update buttons stick to right. 2010-08-12 09:05:18 -04:00
Pavel Zuna
cc9d0ffc67 Fix bug: not found exc. handler was failing for singleton objects 2010-08-12 09:03:36 -04:00
Pavel Zuna
6136f773a9 Add new parameters to LDAPSearch: timelimit and sizelimit. 2010-08-12 09:02:39 -04:00
Pavel Zuna
5797c8167a Make LDAPObject classes JSON serializable. 2010-08-12 09:01:56 -04:00
Rob Crittenden
9d9d789912 Correct CA options in ipa-server-install manpage 2010-08-10 16:42:21 -04:00
Rob Crittenden
5b894d1fb7 Allow decoupling of user-private groups.
To do this we need to break the link manually on both sides, the user and
the group.

We also have to verify in advance that the user performing this is allowed
to do both. Otherwise the user could be decoupled but not the group
leaving it in a quasi broken state that only ldapmodify could fix.

ticket 75
2010-08-10 16:41:47 -04:00
Rob Crittenden
719592a209 Fix user tests to handle managed entries
We now enable managed entries by default and need to account for it
in the expected output.
2010-08-10 16:41:28 -04:00
Rob Crittenden
6befd08973 Fix reference to _handle_errors() in remove_principal_key()
It incorrectly was trying to call the class method _handle_errors() instead
of the global function.
2010-08-10 15:03:11 -04:00
Adam Young
d0a60f3a15 Group add functionality now implmented.
- Proper navigation. (Add and edit versus add another)
   - posix field is respected
    - gid set accordingly
2010-08-09 17:21:30 -04:00
Adam Young
4c1fc48ee5 IPA HTTPD config uses /usr/share/static as target for /ipa/ui 2010-08-09 15:07:06 -04:00
Adam Young
b192bb76d0 Remove search field on group button
Hide the search bar when showing the groups listed for a user, and resotre it when doing other searches.

The enroll button is added only on the groups page, and removed along with anything else in the searchButtons div when a new search is started.
2010-08-09 15:06:27 -04:00
Rob Crittenden
8ad88b4119 Properly show the members when an add/remove operation fails.
The remove member function in baseldap was not returning failures at all.
The add member function was only showing them in the group object.

Most of the magic is handled in baseldap. Each plugin just needs to define
object_name and object_name_plural. object_name must be all lower-case
because fake-attributes are created so membership can be broken out
per-object type. I left the plural name lower case as well.

ticket 85
2010-08-06 15:34:09 -04:00
Rob Crittenden
d0740fb08b Enforce existence of 389-ds header files.
ticket #82
2010-08-06 15:33:49 -04:00
Rob Crittenden
768cb29afe Check to see if the command is available before running command tests. 2010-08-06 15:33:32 -04:00
Rob Crittenden
35cbbde5bf Fix RPC tests. The method comes back as a unicode from xmlrpclib. 2010-08-06 15:32:53 -04:00
Rob Crittenden
2d7d047cbf Add optional error message to pattern validator
The pattern validator by default displays the pattern that is being
matched against. This isn't helpful, particularly for very hairy patterns.
This adds a new parameter, pattern_errmsg, that is displayed on errors
if set.

ticket #11
2010-08-06 15:32:37 -04:00
Rob Crittenden
252b73fb3e Skip the i18n test if the test language has not been built 2010-08-06 15:32:00 -04:00
Rob Crittenden
d885339f1c Require that hosts be resolvable in DNS. Use --force to ignore warnings.
This also requires a resolvable hostname on services as well. I want
people to think long and hard about adding things that aren't resolvable.

The cert plugin can automatically create services on the user's behalf when
issuing a cert. It will always set the force flag to True.

We use a lot of made-up host names in the test system, all of which require
the force flag now.

ticket #25
2010-08-06 15:31:57 -04:00
Rob Crittenden
830910d1f3 Have the env plugin print all attributes by default
ticket #113
2010-08-06 13:12:42 -04:00
Rob Crittenden
efa11d3746 Fix replacing a certificate in a service.
When a service has a certificate and the CA backend doesn't support
revocation (like selfsign) then we simply drop the old certificate in
preparation for adding a new one. We weren't setting the usercertificate
attribute to None so there was nothing to do in ldap_update().

Added a test case for this situation to ensure that re-issuing a certificate
works.

ticket #88
2010-08-06 13:12:21 -04:00
Rob Crittenden
4ea34d5910 Add framework for other command-line tests, starting with ipa-getkeytab. 2010-08-06 13:12:02 -04:00
Rob Crittenden
e874b41c5b Fix this test to work from source tree root
It would work if you ran the test from its location in tests/test_ipalib
but this isn't the most common method. If you want to run it individually
you can do:

$  ./make-test tests/test_ipalib/test_text.py
2010-08-06 13:11:05 -04:00
Rob Crittenden
1e963646b3 Add hbac service for su-l, su with a login shell 2010-08-06 13:10:24 -04:00
Adam Young
b7162b3b8a Changes to the install and config files to support deploying the javascript code. 2010-08-06 11:55:52 -04:00
Adam Young
125bd09faf The Javascript code for the new web UI
Now with whitespace cleanup.
2010-08-06 11:55:38 -04:00
Adam Young
a63fd83e89 Images for the Javascript Based webui.
These are all binary files, in png format.
2010-08-06 11:55:22 -04:00
Adam Young
056419403a whoami plugin.
It returns the user prinicpal.
This is required by the webui, as the Kerberos credential mechanism in http
does not expose the cleartext prinicpal to the web browser.
2010-08-05 20:36:08 -04:00
Rob Crittenden
d4adbc8052 Add container and initial ACIs for entitlement support
The entitlement entries themselves will be rather simple, consisting
of the objectClasses ipaObject and pkiUser. We will just store
userCertificate in it. The DN will contain the UUID of the entitlement.

ticket #27
2010-07-29 10:50:29 -04:00
Rob Crittenden
b7ca3d68c2 Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
  init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests

Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one.  I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
2010-07-29 10:50:10 -04:00
Rob Crittenden
563c7cde40 Add some basic tests for ipalib/x509 2010-07-29 10:45:11 -04:00
Adam Young
26b0e8fc98 This patch removes the existing UI functionality, as a prep for adding the Javascript based ui. 2010-07-29 10:44:56 -04:00
Dmitri Pal
fd1ff372dc 1. Schema cleanup
The ipaAssociation is the core of different association object.
It seems that the service is an exception rather then rule.
So it is moved into the object where it belongs.

Fixed matching rules and some attribute types.

Addressing ticket: https://fedorahosted.org/freeipa/ticket/89

Removed unused password attribute and realigned OIDs.
2010-07-21 11:40:25 -04:00
Rob Crittenden
a0dfbc069d Become IPA v2 alpha 4 (1.9.0.pre4) 2010-07-15 11:25:39 -04:00
Rob Crittenden
57a9001f8d Fix netgroup plugin to use correct member attribute names.
When the netgroup plugin was rebased it ended up using the member
attribute for its memberships and not memberuser/memberhost.

I also fixed this same attribute problem in the tests and tried to beef
them up a little. If nis/schema compat are enabled it will try to compare
the generated triplets with a known-good value.
2010-07-15 11:18:18 -04:00
Rob Crittenden
0d12b0344f Fix nis netgroup configuration
This was originally configured to pull from the compat area but Nalin
thinks that is a bad idea (and it stopped working anyway). This configures
the netgroup map to create the triples on its own.

Ticket #87
2010-07-15 11:18:15 -04:00
Rob Crittenden
ed488c6349 Fix ipa-compat-manage and ipa-nis-manage
Neither of these was working properly, I assume due to changes in the ldap
backend. The normalizer now appends the basedn if it isn't included and
this was causing havoc with these utilities.

After fixing the basics I found a few corner cases that I also addressed:
- you can't/shouldn't disable compat if the nis plugin is enabled
- we always want to load the nis LDAP update so we get the netgroup config
- LDAPupdate.update() returns True/False, not an integer

I took some time and fixed up some things pylint complained about too.

Ticket #83
2010-07-15 11:18:11 -04:00
Rob Crittenden
18476c9538 Use newer API in ipalib/x509 and add missing import.
The import was only used when running the in-tree lite-server
2010-07-15 11:17:58 -04:00
Rob Crittenden
8d2d7429be Clean up crypto code, take advantage of new nss-python capabilities
This patch does the following:
- drops our in-tree x509v3 parser to use the python-nss one
- return more information on certificates
- make an API change, renaming cert-get to cert-show
- Drop a lot of duplicated code
2010-07-15 10:51:49 -04:00
Rob Crittenden
1e1985b17c Add API to delete a service principal key, service-disable.
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.

I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.

This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
2010-07-13 09:29:10 -04:00
Rob Crittenden
c9e0b43d53 Add test to ensure that a certificate we issue is actually stored properly. 2010-07-13 09:28:03 -04:00
Rob Crittenden
2bb2850fff Include contents of has_output_params in get_output_params 2010-07-13 09:27:50 -04:00
Rob Crittenden
371a4b2c72 Add separate var for search attributes and config attribute for search fields
Add an optional search_attributes variable in case the attributes you
want to display by default aren't what you want to search on.

Also link in any cn=ipaconfig attributes that contain a comma-separated
list of attributes to search on.
2010-07-13 09:27:34 -04:00
Rob Crittenden
ccaf537aa6 Handle errors raised by plugins more gracefully in mod_wsgi.
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.

This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
2010-07-12 09:32:33 -04:00
Rob Crittenden
7f9485f5bf Change expected aci summary from Updated to Modify in test cases 2010-07-06 15:39:44 -04:00