This patch requires a forthcoming change in MIT libraries which allows to pass
NULL for the server_key to the krb5_pac_verify() function.
In most cases we should always only check the KDC checksum to verify the PAC
validity.
The only exception is when we are releasing a ticket to a client from another
realm. In this case the only signature we can check is the server checksum, and
we use the cross-realm key to validate in this case.
The previous code was working for normal cases because the kdc uses the same
key to create the server and the kdc checksum for a TGT, but that is not true
for evidence tickets (s4u2proxy) or cross-realm TGTs.
Fixes: https://fedorahosted.org/freeipa/ticket/2169
This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX
Within that container we control which services are allowed to
delegate tickets for other services. Right now that is limited
from the IPA HTTP to ldap services.
Requires a version of mod_auth_kerb that supports s4u2proxy
https://fedorahosted.org/freeipa/ticket/1098
Also fixed minor issues reagarding IP addresses or multivalued field:
- removed unnecessary method overrides from multivalued_field
- fixed extract_child_value method in multivalued_widget to return '' instead of empty arrays when value array is empty
- net.js - changed method name and error message from 'trailing zeros' to 'leading zeros'
https://fedorahosted.org/freeipa/ticket/1466
The user details page has been modified to show the password policy
and Kerberos ticket policy that apply to the user. The policies are
currently displayed as read-only.
Ticket #703
New version of SSSD begins ignoring sourcehost value of HBAC rules by
default. In order to match this behaviour the sourcehost option in
hbactest is optional now, but the value of sourcehost is ignored in all
rules. Every rule's sourcehost value is set to 'ALL' what turns sourchost
value comparation off. If srchost option is used, warning is displayed to
inform the user about changes. Text of plugin help was also updated.
Also the unit tests for hbactest plugin were updated. Every test was
doubled. The second ones test the plugin without sourcehost option. They
are supposed to have the same result.
https://fedorahosted.org/freeipa/ticket/2085
The user search facet has been modified to show the account status.
The IPA.boolean_format has been converted into a class to allow
behavior customization.
Ticket #1996
There were two problems:
1. memberof wasn't in the list of things we looked for in the return value
from aci_show()
2. The value wasn't being translated into a group name.
Use the DN class to retrieve the group name from the memberof URI.
Note that I changed the parsing for targetgroup as well. We now save a lookup
and potentially returning a NotFound if an aci points to a group that no
longer exists.
https://fedorahosted.org/freeipa/ticket/2100
It is pointless to report failures for all checked ports when the
target hostname is not resolvable - user may get easily confused.
This patch changes this behavior so that conncheck fails with
a proper error and does not even continue to port probing part.
https://fedorahosted.org/freeipa/ticket/1984
Current validation logic supports only validation based on metadata. It can be extended only by overriding field's validation method. This approach requires creating subclasses of field for each different format of desired value. It's inconvenient for cases like adding the same validation logic to two different subclasses of field.
This patch is adding support for creating custom validators.
Validator is an object which contains validation logic. Validation is executed in a validate(value, context) method. This method checks if the value is valid and returns a validation result. Validation result is a simple object which contains valid property and an error message if valid is false.
Field is extended by validators property. It can be set in spec object or later. It should contain instances of validators for the field. Validators are run in field's validation method.
This patch is a prerequisite for:
https://fedorahosted.org/freeipa/ticket/1466
Add new class "cachedproperty" for creating property-like attributes
that cache the return value of a method call.
Also fix few issues in the unit tests to enable them to succeed.
ticket 1959
The JSON server has been modified to return the version number
in all responses. The UI has been modified to keep the version
obtained during env operation and check the version returned
in subsequent operations. If the version changes the UI will
reload itself.
Ticket #946
The JSON server has been modified to return the principal name
in all responses. The UI has been modified to keep the principal
obtained during whoami operation and check the principal returned
in subsequent operations. If the principal changes the UI will
reload itself.
Ticket #1400
The IPA.get_entity() has been modified to accept either entity name
or entity object. If it receives an entity object it will return
the object itself. Otherwise, it will resolve the name in the entity
registry.
The other_entity variables have been modified to store a reference
to the entity object instead of its name. The test cases have been
modified to use real entity objects instead of just the names.
Ticket #2042
Columns can have width set or not. Without setting the width it was computed based on tbody width and number of columns. This method is working well if no column has width set. The disadvantage of this approach is that all columns have the same width and so they are not reflecting their possible usage. Flag columns such as 'external' in rule association tables or various 'enable' flags in search facets can be narrower. If we set them fixed small width it will have different size because this width is not currently added to the computation.
This is fixing this problem so dynamic and fixed width can be combined and the columns have desired width.
https://fedorahosted.org/freeipa/ticket/2200
Problem:
Rule association widget was displaying standard records with external records in one table. User couldn't distinguish the values. When clicking on the external record link it navigated to appropriate page for that entity. But for external value there is no record to show so it displayed error.
Solution:
* For tables with possible external values a 'external' column was added. It displays "True" if the value is external and nothing if not. Displaying nothing is intentional. If user sees some text in external column he imidiately knows that the record is external without even reading the "True" text.
* Rows with external values don't have a link for navigating to record page. This prevents showing the error as no record exists.
Additional changes:
* Association table widget was stripped of get_records method. Loading records isn't its resposibility it's a resposibility of field.
* Column was extended by possible suppressing of link creation. It's done by optional suppress_link argument in setup method.
* To allow setting suppress_link attribute in inherited tables a new overridable method was created - setup_column.
Posible future improvements:
* Table is using dynamic setting of width for columns. Each column has the same width. For flag columns such as 'external' the width of the column is too big. It would be better to be able to set smaller fixed width and the rest of the columns width (without the width set) would be computed (to fit the table).
* When a table has displayed buttons in its last column header the cells in column header have different vertical alignmnent. It should be united.
https://fedorahosted.org/freeipa/ticket/1993
This is to prevent a Cross-Site Request Forgery (CSRF) attack where
a rogue server tricks a user who was logged into the FreeIPA
management interface into visiting a specially-crafted URL where
the attacker could perform FreeIPA oonfiguration changes with the
privileges of the logged-in user.
https://bugzilla.redhat.com/show_bug.cgi?id=747710
I've used code from ipalib/plugins/host.py to add support for random
password generation. The '--random' option is now available in user-add
and user-mod commands. If both the 'password' and 'random' options are
used the 'random' option will be ignored.
Two test cases were added to unit test's module test_user_plugin.py -
they test creating and modifying user with random password. Two fuzzy tests
were added: test for password(string that doesn't start or end with
whitespace and doesn't containt other whitespace than ' ') and for whatever
string(because of krbextradata).
I've slightly modified ipa_generate_password in order to make passwords for
users more user-friendly(reduce number of non-letters). It has two optional
parameters now - first one is string of characters that should be used for
generating the passwd and second one is length of password. If none
parameter is set default values will be used so there's no need to modify
other plugins that use random password generator.
https://fedorahosted.org/freeipa/ticket/1979
This patch works with assumption that user in self-service mode doesn't have rights for enrolling/un-enrolling himself to/from group, role, hbac rule, net group, sudo rule. He can only read the attributes. Therefore in self service mode all user association facets are set read only.
Checkingi and working with the actual rights would require significantly bigger effort.
https://fedorahosted.org/freeipa/ticket/1972
- facet group headers, error dialog, non-scrollable tables, can manage long names
Size calculation of scrollable and non-scrollable tables was united. Now these types of tables differ only by style.
https://fedorahosted.org/freeipa/ticket/1821
When discovering IPA LDAP servers through DNS records, look through all
servers found until first success. A master might be not available or
denied access but replica may succeed.
Ticket #1827https://fedorahosted.org/freeipa/ticket/1827
The DNS records list page was not loaded correctly due to a recent
change in HBAC Test. The page has been updated to use the load_all()
to show all records in the zone.
Ticket #388
The checkboxes in HBAC Test run page have been fixed to show/hide
matched or unmatched rules. The New Test button has been fixed to
deselect the inputs in all facets. The test data has been updated
as well.
Ticket #388
This will allow one to define what SELinux context a given user gets
on a given machine. A rule can contain a set of users and hosts or it
can point to an existing HBAC rule that defines them.
https://fedorahosted.org/freeipa/ticket/755
Tables columns have computed width. If value in one column is very long it widens the column and shortens others. This change causes that body columns are not aligned with header columns which makes the table less readable.
Applying 'word-break: break-all' style breaks the word to multiple lines and solves the problem.
Simililar problem is in details facet when displaying text values. Very long values widens the table and a horizontal slider is displayed, which is bad. Applying same solution.
In facet headers and breadcrumb navigation breaking the pkey looks bad - there should be only on line of pkey. To solve this, the pkey is limited to 63 characters (empirically measured). Long pkeys are cut. Uncut pkey is set as a title to avoid losing information.
Whole breadcrump could be about 140 chars (with current styles). 10 chars is reserved for entity link, 60 for pkey the rest (about 60) for parent pkeys. The assumtion is that the parent pkeys wouldn't be so long so they won't be cut anyway.
Column width calculation in tables was iproved. Now it counts with cell spacing, padding, border. It uses these assumtions:
cell-spacing: 2px
cell-padding: 6px th:right, left; td: left
cell-border: th:1px; td:0px
It would be better to get these measures dynamically. Right now it is good enough - better than previous calculation.
Result: data cells are aligned with their header. This alignment fails if vertical scrollbar is displayed (existing problem).
Also added padding to headers in association adder dialog.
https://fedorahosted.org/freeipa/ticket/1890
Recover from connection failures in IPAdmin LDAP bind functions and
rather try reconnect in scope of a given timeout instead of giving
up after the first failed connection.
The recovery fixes ipa-ldap-updater on F-16 which always failed
because of a missing dirsrv socket.
https://fedorahosted.org/freeipa/ticket/2175
