Commit Graph

6708 Commits

Author SHA1 Message Date
Petr Viktorin
34c3d309d9 permission-find: Cache the root entry for legacy permissions
This makes searching faster if there are many legacy permissions present.

The root entry (which contains all legacy permission ACIs) is only
looked up once.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-11 10:00:27 +01:00
Jan Cholasta
8e98690409 Log unhandled exceptions in certificate renewal scripts.
https://fedorahosted.org/freeipa/ticket/4093

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-10 18:41:10 +01:00
Petr Viktorin
d727599aa8 permissions plugin: Don't crash with empty targetfilter
https://fedorahosted.org/freeipa/ticket/4206

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-07 20:06:52 +01:00
Petr Viktorin
0c2aec1be5 permission plugin: Allow multiple values for memberof
Design: http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions
Additional fix for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-07 20:05:28 +01:00
Petr Viktorin
02e61961da permission-mod: Remove attributelevelrights before reverting entry
LDAPUpdate adds the display-only 'attributelevelrights' attribute,
which doesn't exist in LDAP. Remove it before reverting entry.

https://fedorahosted.org/freeipa/ticket/4212

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-07 16:52:40 +01:00
Alexander Bokovoy
4048d412f2 ipa-kdb: do not fetch client principal if it is the same as existing entry
When client principal is the same as supplied client entry, don't fetch it
again.

Note that when client principal is not NULL, client entry might be NULL for
cross-realm case, so we need to make sure to not dereference NULL pointer here.

Also fix reverted condition for case when we didn't find the client principal
in the database, preventing a memory leak.

https://fedorahosted.org/freeipa/ticket/4223

Reviewed-By: Sumit Bose <sbose@redhat.com>
2014-03-06 12:28:25 +01:00
Petr Viktorin
68f4af3122 tests: Create the testing service certificate on demand
Replace the make-testcert command with a module that creates
the certificate when it is first needed.
As a result the tests are more self-contained, and can be run from
a read-only location (such as installed from a system package).

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-03-06 10:33:21 +01:00
Petr Viktorin
5ae737e160 ipalib.plugable: Always set the parser in bootstrap()
In cases where logging was already configured by the time
API.bootstrap() was called, saving the argument parser was
mistakenly skipped along with the logging configuration.

Always set the argument parser on the API object.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-03-05 19:57:37 +01:00
Tomas Babej
6b94f959a4 man: sshd should be run at least once before client enrollment
If SSH keys have not been generated prior to enrolling the client to the
IPA server, they will not be uploaded to the server, since they're not
present. Clarify this issue in the man pages.

https://fedorahosted.org/freeipa/ticket/4055

Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
2014-03-05 12:47:47 +01:00
Alexander Bokovoy
6b45ec3f31 fix filtering of subdomain-based trust users
https://fedorahosted.org/freeipa/ticket/4207

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2014-03-05 10:40:39 +01:00
Nathaniel McCallum
0ca6653c29 Fix token secret length RFC compliance
RFC 4226 states the following in section 4:
   R6 - The algorithm MUST use a strong shared secret.  The length of
   the shared secret MUST be at least 128 bits.  This document
   RECOMMENDs a shared secret length of 160 bits.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-03-05 10:09:16 +01:00
Nathaniel McCallum
21ff4f920e Rework how otptoken defaults are handled
We had originally decided to provide defaults on the server side so that they
could be part of a global config for the admin. However, on further reflection,
only certain defaults really make sense given the limitations of Google
Authenticator. Similarly, other defaults may be token specific.

Attempting to handle defaults on the server side also makes both the UI and
the generated documentation unclear.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-03-05 10:09:16 +01:00
Petr Viktorin
561e57d121 Add tests for integration test configuration
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:58 +01:00
Petr Viktorin
e6dbb2aa68 test_integration.config: Convert some text values to str
When loading from file, some strings are loaded as unicode,
which would throw off assert_deepequal.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:58 +01:00
Petr Viktorin
87a36db6bc ipa-test-config: Add --json and --yaml output options
Also update the man page.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3938

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:58 +01:00
Petr Viktorin
2150481f2a test_integration.config: Add environment variables for JSON/YAML
Part of the work for: https://fedorahosted.org/freeipa/ticket/3938

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:58 +01:00
Petr Viktorin
ef0264f75f test_integration.config: Load/store from/to dicts
Part of the work for: https://fedorahosted.org/freeipa/ticket/3938

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:58 +01:00
Petr Viktorin
310d8254ed test_integration.config: Do not store the index in Domain and Host objects
The index is a detail of the environment variable method of
configuration, it should only be used there.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:58 +01:00
Petr Viktorin
e1b73c18e3 test_integration.config: Use a more declarative approach to test-wide settings
The list of options was duplicated too many times. Consolidate.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3938

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:58 +01:00
Petr Viktorin
8e2bceffa3 test_integration.config: Do not save the input environment
Using the input environment saved in self._session_env
outside of the config loading meant that methods of
configuration other than environment variables wouldn't
be possible.

Restructure the roles/extra_roles to not depend on _session_env.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3938

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:58 +01:00
Petr Viktorin
56f0430f52 test_integration.config: Fix crash in to_env when no replica is defined
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-03-05 10:00:57 +01:00
Petr Vobornik
9b540ef218 webui: Don't act on keyboard events which originated in different dialog
Fixes issue when:
1. 2 dialogs are opened
2. top dialog's close button is focused
3. user presses enter to execute 'close' action
4. dialog is immediately closed (enter key is still pressed)
5. second dialog automatically receives focus (it's top dialog now)
6. user releases the key
7. second dialog reacts to keyup event - which is by default confirmation mixin's confirm event
8. UNDESIRED behavior occurs

Now confirmation mixin remembers which keys were pressed and released and reacts only to those which originated there.

https://fedorahosted.org/freeipa/ticket/4098

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-05 09:59:13 +01:00
Gabe
b50cdd55af Typo in warning message where IPA realm and domain name differ
Removed 'y' from warning message.

https://fedorahosted.org/freeipa/ticket/4211

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2014-03-05 09:58:16 +01:00
Petr Viktorin
fa5cbe7cb2 Test fixed modlist generation code
https://fedorahosted.org/freeipa/ticket/4138
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-03-03 12:14:09 +01:00
Jan Cholasta
c0c38ed314 Fix modlist generation code not to generate empty replace mods.
https://fedorahosted.org/freeipa/ticket/4138
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-03 12:14:09 +01:00
Alexander Bokovoy
e99fa380af adtrustinstance: make sure to stop and disable winbind in uninstall()
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-28 09:50:14 +01:00
Alexander Bokovoy
3a7ba6013f ipaserver/dcerpc: catch the case of insuffient permissions when establishing trust
We attempt to delete the trust that might exist already. If there are not enough
privileges to do so, we wouldn't be able to create trust at the next step and it will fail.
However, failure to create trust will be due to the name collision as we already had
the trust with the same name before. Thus, raise access denied exception here
to properly indicate wrong access level instead of returning NT_STATUS_OBJECT_NAME_COLLISION.

https://fedorahosted.org/freeipa/ticket/4202

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-27 14:33:15 +01:00
Alexander Bokovoy
41ca5afba7 trust: make sure we always discover topology of the
forest trust

Even though we are creating idranges for subdomains only in case
there is algorithmic ID mapping in use, we still need to fetch
list of subdomains for all other cases.

https://fedorahosted.org/freeipa/ticket/4205
2014-02-27 14:08:49 +01:00
Tomas Babej
96f87e548a trusts: Remove usage of deprecated LDAP API
Remove a reference to the old deprecated LDAP API invoked by
the usage of trust_add method.

https://fedorahosted.org/freeipa/ticket/4204

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-27 12:54:37 +01:00
Petr Viktorin
4fda432050 ipalib.plugins: Expose LDAPObjects' eligibility for permission --type in JSON metadata
https://fedorahosted.org/freeipa/ticket/4201

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-27 12:54:37 +01:00
Alexander Bokovoy
ff9be7f67a trustdomain_find: make sure we skip short entries when --pkey-only is specified
With --pkey-only only primary key is returned. It makes no sense to check and
replace boolean values then.

https://fedorahosted.org/freeipa/ticket/4196

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-27 11:52:09 +01:00
Petr Vobornik
61770269d4 webui: Focus expand/collapse link in batch_error dialog
Dialog loses focus when the links are clicked making the dialog uncontrollable by keyboard. This patch focuses the link again after expanding/collapsing the error list. Thus keeping the focus in a dialog

https://fedorahosted.org/freeipa/ticket/4097

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-02-27 10:53:42 +01:00
Alexander Bokovoy
f7955abdda ipa-kdb: make sure we don't produce MS-PAC in case of authdata flag cleared by admin
When admin clears authdata flag for the service principal, KDC will pass
NULL client pointer (service proxy) to the DAL driver.

Make sure we bail out correctly.

Reviewed-By: Tomáš Babej <tbabej@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2014-02-26 14:19:49 +01:00
Alexander Bokovoy
fb2eca8d1e ipa-kdb: in case of delegation use original client's database entry, not the proxy
https://fedorahosted.org/freeipa/ticket/4195

Reviewed-By: Tomáš Babej <tbabej@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2014-02-26 14:19:48 +01:00
Alexander Bokovoy
090a9669d8 bindinstance: make sure zone manager is initialized in add_master_dns_records
Bind instance is configured using a short-circuited way when replica is set up.
Make sure required properties are in place for that.

https://fedorahosted.org/freeipa/ticket/4186

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-02-26 12:44:56 +01:00
Petr Viktorin
00d6b529c9 Update API.txt
This fixes commit be7b1b94e3
https://fedorahosted.org/freeipa/ticket/4163
2014-02-25 16:31:30 +01:00
Nathaniel McCallum
4499b25be9 Remove NULLS from constants.py
In the parameters system, we have been checking for a positive list of values
which get converted to None. The problem is that this method can in some
cases throw warnings when type coercion doesn't work (particularly, string
to unicode). Instead, any values that evaluate to False that are neither
numeric nor boolean should be converted to None.

Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
2014-02-25 16:05:19 +01:00
Adam Misnyovszki
be7b1b94e3 Certificate search max_serial_number problem fixed
Maximum serial number field now accepts only positive numbers

https://fedorahosted.org/freeipa/ticket/4163

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-02-25 16:01:27 +01:00
Tomas Babej
bc0872cc0b ipatests: Fix incorrect order of operations when restoring backup
When restoring files from backup, we do use an incorrect order of
operations - we first restore SELinux context and then copy the
files from backup, when we need to do the exact opposite.

https://fedorahosted.org/freeipa/ticket/4133

Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
2014-02-25 10:06:09 +01:00
Jan Cholasta
792c3f9c8c Always use real entry DNs for memberOf in ldap2.
https://fedorahosted.org/freeipa/ticket/4192

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-02-24 14:30:23 +01:00
Nathaniel McCallum
adcd373931 Make all ipatokenTOTP attributes mandatory
Originally we made them all optional as a workaround for the lack of SELFDN
support in 389DS. However, with the advent of SELFDN, this hack is no longer
necessary. This patch updates TOTP to match HOTP in this regard.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-02-21 16:07:39 +01:00
Petr Spacek
dd55e13aa9 Clarify error message about missing DNS component in ipa-replica-prepare.
https://fedorahosted.org/freeipa/ticket/4188

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-02-21 16:04:20 +01:00
Nathaniel McCallum
70e2217d73 Use super() properly to avoid an exception
https://fedorahosted.org/freeipa/ticket/4099

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 16:01:22 +01:00
Petr Viktorin
773e006ddd permission plugin: Do not assume attribute-level rights for new attributes are present
With the --all --raw options, the code assumed attribute-level rights
were set on ipaPermissionV2 attributes, even on permissions that did not
have the objectclass.
Add a check that the data is present before using it.

https://fedorahosted.org/freeipa/ticket/4121

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-21 14:33:49 +01:00
Petr Viktorin
eef5acd9d7 Remove the unused ipalib.frontend.Property class
This class was built into the framework from its early days but it's
not used anywhere.
Remove it along with its tests

https://fedorahosted.org/freeipa/ticket/3460

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-02-21 11:58:00 +01:00
Alexander Bokovoy
9a8f44c09e libotp: do not call internal search for NULL dn
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-02-21 10:27:34 +01:00
Nathaniel McCallum
9f62d0c157 Teach ipa-pwd-extop to respect global ipaUserAuthType settings
https://fedorahosted.org/freeipa/ticket/4105

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 10:26:02 +01:00
Nathaniel McCallum
a51b07c275 Add OTP sync support to ipa-pwd-extop
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 10:26:02 +01:00
Nathaniel McCallum
49038cda9f Add OTP last token plugin
This plugin prevents the deletion or deactivation of the last
valid token for a user. This prevents the user from migrating
back to single factor authentication once OTP has been enabled.

Thanks to Mark Reynolds for helping me with this patch.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 10:26:02 +01:00
Nathaniel McCallum
abb63ed9d1 Add HOTP support
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 10:26:02 +01:00