Petr Viktorin
439dd7fa74
Convert Service default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
f8dc51860c
Convert SELinux User Map default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
820a60420d
Convert Role default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
f881f06364
Convert the Modify privilege membership permission to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
0c4d13e136
Convert Netgroup default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
978af07dd5
Convert Hostgroup default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
8e8e6b1ae7
Convert HBAC Service Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
49abbb1ead
Convert HBAC Service default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
81d8c8acb5
Convert HBAC Rule default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
af366278b8
Convert Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
afac09b8f3
Convert Automount default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Jan Cholasta
8b8774d138
Remove GetEffectiveRights control when ldap2.get_effective_rights fails.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 12:10:01 +02:00
Jan Cholasta
d6fb110b77
Support requests with SAN in cert-request.
For each SAN in a request there must be a matching service entry writable by
the requestor. Users can request certificates with SAN only if they have
"Request Certificate With SubjectAltName" permission.
https://fedorahosted.org/freeipa/ticket/3977
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 12:10:01 +02:00
Jan Cholasta
e675e427c7
Allow SAN in IPA certificate profile.
https://fedorahosted.org/freeipa/ticket/3977
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 12:10:01 +02:00
Petr Viktorin
61eeea9e69
netgroup: Add objectclass attribute to read permissions
The entries were unreadable without this.
Additional fix for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 17:41:49 +02:00
Tomas Babej
ef5309d376
trusts: Allow reading ipaNTSecurityIdentifier in user and group objects
https://fedorahosted.org/freeipa/ticket/4385
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-23 15:27:33 +02:00
Petr Vobornik
6e43d01266
webui: plugin API
The new `extend` module should serve as a stable API for plugin authors.
It should expose the most commonly used global calls.
https://fedorahosted.org/freeipa/ticket/4345
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-23 15:13:14 +02:00
Petr Vobornik
6f5e80b0ce
webui: add parent link to widgets in ContainerMixin
Standard facets set the `facet` attribute on widgets. This one adds a
similar, more generic `parent` attribute which should be used for going
up through the hierarchy to the top.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-23 15:13:13 +02:00
Petr Vobornik
86898065b5
webui: generic routing
The router is not able to create a hash from facet state for custom
routes/facets. This patch refactors router methods into providers. It
allows creating additional route handlers, navigators and hash creators.
These providers are mapped to facets and therefore it's possible
to create a router hash for any facet without any logic in the facet itself.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-23 15:13:13 +02:00
Petr Vobornik
27836cba9d
webui: support standalone facets in navigation module
One can access standard standalone facets with:
`navigation.show('facet_name')`
and completely custom facets with the low-level call:
`navigation.show_generic('/custom/hash', facet)`
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-23 15:13:13 +02:00
Petr Vobornik
c6c7dfeefb
webui: fix excessive registration of state change event listeners
`Facet` descendants don't have a `container` attribute, as opposed to
`facet.facet`. Therefore the registration would happen on every facet
visit.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-23 15:13:13 +02:00
Petr Viktorin
14e2eb9171
host permissions: Allow writing attributes needed for automatic enrollment
- userclass: added to the existing Modify hosts permission
- usercertificate, userpassword: added to new permissions
https://fedorahosted.org/freeipa/ticket/4252
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 12:44:33 +02:00
Petr Viktorin
8a5110305f
Convert Host default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 12:44:32 +02:00
Petr Viktorin
ac8539bd34
Add posixgroup to groups' permission object filter
Private groups don't have the 'ipausergroup' objectclass.
Add posixgroup to the objectclass filters to make
"--type group" permissions apply to all groups.
https://fedorahosted.org/freeipa/ticket/4372
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 10:54:43 +02:00
Petr Viktorin
02b5074d84
permission plugin: Join --type objectclass filters with OR
For groups, we will need to filter on either posixgroup (which UPGs
have but non-posix groups don't) or groupofnames/nestedgroup
(which normal groups have but UPGs don't).
Join permission_filter_objectclasses with `|` and add them as
a single ipapermtargetfilter value.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 10:54:43 +02:00
Petr Viktorin
013bf3d4e2
Test and docstring fixes
The recent conversions to managed permissions left behind a few
failing tests. Fix them.
Also fix a now incorrect docstring in ipalib.config.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 10:54:42 +02:00
Petr Viktorin
f486d23ad6
Allow anonymous read access to virtual operation entries
These entries are the same in all IPA installations, so there's
no need to hide them.
Also remove the ipaVirtualOperation objectclass, since it is
no longer needed.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-20 22:18:43 +02:00
Nathaniel McCallum
cf8f143e98
Make otptoken use os.urandom() for random data
This also fixes an error where the default value was not respecting
the KEY_LENGTH variable.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2014-06-20 21:27:50 +02:00
Martin Basti
0eef37908c
DNSSEC: WebUI add DLV record type
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 16:46:03 +02:00
Martin Basti
2229e89bbb
Digest part in DLV/DS records allows only hexadecimal characters
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 16:46:03 +02:00
Martin Basti
ee6e634c28
DNSSEC: Test: DLV record
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 16:46:03 +02:00
Martin Basti
7cdc4178b0
DNSSEC: DLVRecord type added
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 16:46:02 +02:00
Martin Basti
4c88fdd904
Tests: tests for NSEC3PARAM records
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:40 +02:00
Martin Basti
cbc64454b0
Tests: remove unused records from tests
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:40 +02:00
Martin Basti
4d90d3d572
DNSSEC: webui update DNSSEC attributes
Removed SIG, KEY, RRSIG, NSEC record types
Added NSEC3PARAM record type
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:40 +02:00
Martin Basti
5b95be802c
DNSSEC: added NSEC3PARAM record type
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:40 +02:00
Martin Basti
48865aed5f
DNSSEC: remove unsupported records
Removed SIG, NSEC, KEY, RRSIG records
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:39 +02:00
Martin Basti
9f5e77f686
Fix handling of python-dns UnicodeError
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-20 13:28:53 +02:00
Martin Basti
11c250a612
Tests DNS: forward zones
design: http://www.freeipa.org/page/V4/Forward_zones
Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 13:14:45 +02:00
Martin Basti
727f5f3373
Create BASE zone class
Zones and forward zones have a lot of common code;
this patch removes the duplication by creating a DNSBase
class and its subclasses.
design: http://www.freeipa.org/page/V4/Forward_zones
Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 13:14:45 +02:00
Martin Basti
266015c3e2
Prevent commands from modifying a different type of zone
Commands dnsforwardzone-* can modify only forward zones
Commands dnszone-* can modify only (master) zones
Commands dnsrecord-* can work only with master zones
design: http://www.freeipa.org/page/V4/Forward_zones
Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 13:14:45 +02:00
Martin Basti
49068ade92
Separate master and forward DNS zones
Forward zones are stored in idnsforwardzone objectclasses.
design: http://www.freeipa.org/page/V4/Forward_zones
Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 13:14:45 +02:00
Petr Spacek
e821576129
Clarify LDAPClient docstrings about get_entry, get_entries and find_entries
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-06-20 12:38:58 +02:00
Petr Viktorin
18744d1833
Fix: Allow read access to masters, but not their services, to auth'd users
Fixes commit b243da415e
A bad version of the patch was sent and pushed.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-19 17:13:03 +02:00
Petr Viktorin
b243da415e
Allow read access to masters, but not their services, to auth'd users
The ipa host-del command checks if the host to be deleted is an
IPA master by looking up the entry in cn=masters.
If the entry is not accessible, host-del would proceed to delete
the host.
Thus we need to allow reading the master entries to at least
those that can delete hosts.
Since the host information is also available via DNS, it makes
no sense to be extremely secretive about it.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-19 16:46:29 +02:00
Nathaniel McCallum
8b2f4443dc
Periodically refresh global ipa-kdb configuration
Before this patch, ipa-kdb would load global configuration on startup and
never update it. This means that if global configuration is changed, the
KDC never receives the new configuration until it is restarted.
This patch enables caching of the global configuration with a timeout of
60 seconds.
https://fedorahosted.org/freeipa/ticket/4153
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-19 14:50:32 +02:00
Petr Viktorin
49e83256b4
Convert Password Policy default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:43 +02:00
Petr Viktorin
ca465e8ae7
Convert COSTemplate default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:42 +02:00
Petr Viktorin
83cb982858
Add $REALM to variables supported by the managed permission updater
This will allow converting password policy permissions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:42 +02:00
Petr Viktorin
700ac6c116
Remove the update_dns_permissions plugin
This plugin created permissions that the managed permission
updater would remove right away.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:51 +02:00