Commit Graph

7082 Commits

Author SHA1 Message Date
Tomas Babej
4d2ef43f28 ipaplatform: Move all filesystem paths to ipaplatform.paths module
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
c7edd7b68c ipaplatform: Remove redundant imports of ipaservices
Also fixes few incorrect imports.

https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
c011bccf45 ipaplatform: Change paths dependant on ipaservices to use ipaplatform.paths
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Tomas Babej
49fcd42f8f ipaplatform: Change service code in freeipa to use ipaplatform services
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Tomas Babej
926f8647d2 ipaplatform: Change platform dependant code in freeipa to use ipaplatform tasks
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Tomas Babej
a7c2327a36 ipaplatform: Move Fedora-specific implementations of tasks to fedora base platform file
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:18 +02:00
Tomas Babej
3edfabb4c4 ipaplatform: Remove legacy redhat platform module
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:18 +02:00
Tomas Babej
5f31f2d35f ipaplatform: Do not require custom Authconfig implementations from platform modules
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:18 +02:00
Tomas Babej
6a4cd8a4e3 ipaplatform: Move restore_context and check_selinux_status implementations to base fedora platform tasks
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:18 +02:00
Tomas Babej
c465eb842f ipaplatform: Moved Fedora 16 service implementations and refactored them as base Fedora module service implementations
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:17 +02:00
Tomas Babej
c368aae048 ipaplatform: Add base fedora platform module
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:17 +02:00
Tomas Babej
3fcaf81c64 ipaplatform: Create default implementations for tasks that were missing them
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:17 +02:00
Tomas Babej
1d0623ce1c ipaplatform: Move default implementations of tasks from service.py.in
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:17 +02:00
Tomas Babej
0b974007de ipaplatform: Move service base platfrom related functionality to ipaplatform/base/service.py
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:17 +02:00
Tomas Babej
1fc7b04858 ipaplatform: Create separate module for platform files
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:17 +02:00
Petr Vobornik
4de9c5fc51 webui: expose krbprincipalexpiration
https://fedorahosted.org/freeipa/ticket/3306

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-16 15:47:27 +02:00
Petr Vobornik
5a428608be webui: move RPC result extraction logic to Adapter
It enables declarative extraction of values from partial
results of a batch commands and also further extensibility
in custom adapters.

The default adapter has detection logic for this extraction so
it can use bare record or extract data from normal or batch RPC
command.

Minor change of user plugin fixed:
https://fedorahosted.org/freeipa/ticket/4355

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-16 15:41:38 +02:00
Petr Viktorin
521df77744 ipalib.config: Don't autoconvert values to float
When api.env is loaded, strings that "look like" floats got
auto-converted to floats.
This is wrong, as the conversion to float can lose precision.
Case in point: the api_version (e.g. '2.88') should never be
interpreted as float.

Do not automatically convert to float.

We have two numeric options: startup_timeout and wait_for_dns.
wait_for_dns is already converted to int when used in the code.
Convert startup_timeout to float explicitly when used, so
configuration that specified it with a decimal point continues
to work.

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2014-06-16 13:38:54 +02:00
Petr Viktorin
da64c891e9 ipalib.config: Only convert basedn to DN
The current code would convert values to DN if the key was
a substring of 'basedn', e.g. 'base' or 'sed'.

Only convert if we're actually dealing with 'basedn'.

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2014-06-16 13:38:53 +02:00
Nathaniel McCallum
98851256f9 Add support for managedBy to tokens
This also constitutes a rethinking of the token ACIs after the introduction
of SELFDN support.

Admins, as before, have full access to all token permissions.

Normal users have read/search/compare access to all of the non-secret data
for tokens assigned to them, whether managed by them or not. Users can add
tokens if, and only if, they will also manage this token.

Managers can also read/search/compare tokens they manage. Additionally,
they can write non-secret data to their managed tokens and delete them.

When a normal user self-creates a token (the default behavior), then
managedBy is automatically set. When an admin creates a token for another
user (or no owner is assigned at all), then managed by is not set. In this
second case, the token is effectively read-only for the assigned owner.

This behavior enables two important other behaviors. First, an admin can
create a hardware token and assign it to the user as a read-only token.
Second, when the user is deleted, only his self-managed tokens are deleted.
All other (read-only) tokens are instead orphaned. This permits the same
token object to be reasigned to another user without loss of any counter
data.

https://fedorahosted.org/freeipa/ticket/4228
https://fedorahosted.org/freeipa/ticket/4259

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-16 10:13:59 +02:00
Petr Viktorin
ba53299b98 ipalib.frontend: Do API version check before converting arguments
This results in the proper message being shown if the client sends
an option the server doesn't have yet.

It also adds the check to commands that override run() but not __call__,
such as `ipa ping`, and to commands run on the server. Adjust tests
for these changes.

https://fedorahosted.org/freeipa/ticket/3963

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-13 14:15:06 +02:00
Petr Spacek
91d3d4d7b2 Fix --ttl description for DNS zones
TTL specified in idnsZone object class affects all records at zone apex,
not only SOA record.

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-12 09:57:58 +02:00
Petr Vobornik
8f286d5c51 webui: add sudoorder field to sudo rule page
part of
https://fedorahosted.org/freeipa/ticket/2348

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-12 09:56:50 +02:00
Petr Vobornik
f1b83198da webui: control sudo rule deny command tables by category switch
`memberdenycmd_sudocmd` and `memberdenycmd_sudocmdgroup` tables are now
enabled/disabled based on `cmdcategory` as well.

https://fedorahosted.org/freeipa/ticket/4361

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-12 09:56:49 +02:00
Petr Vobornik
f0c19f907e webui: handle "unknown" result of automember-default-group-show
Interface for setting default group is hidden when user doesn't have
necessary rights or if there is some error while loading the state.

https://fedorahosted.org/freeipa/ticket/4356

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-12 09:56:49 +02:00
Petr Vobornik
352ef8428c webui: fix SSH Key widget update
Update widget status text on update.

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-12 09:50:10 +02:00
Martin Basti
d2d0da0152 Python-kerberos update in freeipa.spec.in
Remove duplicated entry in BuildRequires
Minimal version 1.1-14 is required for ipapython

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-11 15:51:58 +02:00
Petr Vobornik
905d58a2a4 webui: handle back button when unauthenticated
using browser history when unauthenticated causes transition to
the original and/or preceding facets. But nothing works since
all commands fail due to expired credentials in session.

These changes make sure that user stays on login screen if he misses
valid session credentials while he wants to switch to facet which
requires authentication.

https://fedorahosted.org/freeipa/ticket/4353

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-11 13:54:20 +02:00
Petr Vobornik
4b2d20a1f9 webui: display only dialogs which belong to current facet
Dialog instances no longer directly call IPA.opened_dialog methods. It's
handled through events (decoupled from dialog's POV). IPA.open_dialogs
with assistance of ApplicationController makes sure that there is only
one dialog opened at the same time.

It also makes sure to hide all dialogs, which are not global dialogs and
did not originate from current facet, when switching facets.

https://fedorahosted.org/freeipa/ticket/4348

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-11 13:50:12 +02:00
Petr Viktorin
b6258d08d6 Make sure member* attrs are always granted together in read permissions
Memberofindirect processing of an entry doesn't work if the user doesn't
have rights to any one of these attributes:
- member
- memberuser
- memberhost

Add all of these to any read permission that specifies any of them.

Add a check to makeaci that will enforce this for any future permissions.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-11 13:21:30 +02:00
Petr Viktorin
2f3cdba546 Make 'permission' the default bind type for managed permissions
This reduces typing (or copy/pasting), and draws a bit of attention
to any non-default privileges (currently 'any' or 'anonymous').

Leaving the bindtype out by mistake isn't dangerous: by default
a permission is not granted to anyone, since it is not included in
any priviliges.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-11 13:21:29 +02:00
Petr Viktorin
6acaf73b0c Add ACI.txt
The ACI.txt file is a list all managed permissions in ACI form.
Similarly to API.txt, it ensures that changes are not made lightly,
since modifications must be reflected in ACI.txt and committed to Git.

Add a script, makeaci, which parallels makeapi: it recreates or
validates ACI.txt.

Call makeaci --validate before the build, just after API.txt is validated.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-11 13:21:29 +02:00
Petr Viktorin
13bcd03fcf Add method to enumerate managed permission templates
This will ease writing audit and management scripts for managed permissions.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-11 13:21:29 +02:00
Petr Viktorin
52a4b54635 permission plugin: Sort rights when writing the ACI
This makes the ACI independent on set/dict iteration order.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-11 13:21:28 +02:00
Petr Vobornik
36c5ba9d27 webui: simplify self-service menu
there is only one top level item -> no point of having this level.

This patch replaces top level with second menu level

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-11 13:02:51 +02:00
Petr Vobornik
9c97bbd347 webui: add idnsSecInlineSigning option to DNS zone details facet
https://fedorahosted.org/freeipa/ticket/3801

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-11 10:51:32 +02:00
Petr Vobornik
e3840eef09 webui: fix regression: enabled gid field on group add
GID field should be enabled by default since the default group is posix.

Was caused by option_widget_base not properly reporting value change while
selecting the default value. It has to be notified with delay otherwise the
event is consumed by FieldBinder.

https://fedorahosted.org/freeipa/ticket/4325

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-11 10:47:27 +02:00
Nathaniel McCallum
255cbb4976 Update all remaining plugins to the new Registry API
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-11 09:24:22 +02:00
Martin Basti
47d8fec92f Make zonenames absolute in host plugin
This is fix for regression caused by IDNA patch, zone names must be
absolute.

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-11 09:22:36 +02:00
Petr Viktorin
46faed0b4b Add missing attributes to User managed permissions
- Add nsAccountLock to the Unlock user accounts permission
- Add member to Read User Membership
- Add userClass and preferredLanguage to Modify Users

https://fedorahosted.org/freeipa/ticket/3697

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-10 13:55:56 +02:00
Petr Viktorin
53a63ae346 Convert User default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-10 13:55:56 +02:00
Petr Viktorin
e0cafea374 managed perm updater: Handle case where we changed default ACIs in the past
This handles the case where IPA's default ACIs changed in something else
than just attribute lists.
In this case we can narrow the set of ACIs we think the user might be
upgrading from.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-10 13:55:56 +02:00
Petr Viktorin
e3b20b9d03 Split long docstrings that were recently modified
When the strings are changed again, translators will only need to
re-translate the modified parts.

See: https://fedorahosted.org/freeipa/ticket/3587
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-10 13:19:32 +02:00
Petr Vobornik
b0a61ab953 webui: break long text in a code element in a modal
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-10 10:23:31 +02:00
Petr Vobornik
31df435e41 webui: fix layout of QR code on wide screens
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-10 10:23:31 +02:00
Petr Vobornik
dea2da4455 webui: fix search box overlap in mobile mode
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-10 10:23:31 +02:00
Petr Vobornik
bc6105b270 webui: use propert alerts in header notification area
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-10 10:23:31 +02:00
Petr Vobornik
bedd128de0 webui: proper alerts in dialogs
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-10 10:23:31 +02:00
Petr Vobornik
0fadb14ec7 webui: move radius proxy action panel commands to header actions
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-10 10:23:30 +02:00
Petr Vobornik
dd69557f4e webui: use normal buttons instead of link buttons in multivalued widget
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-10 10:23:30 +02:00