THis patch handles Kerberos ticket expiration in the UI. Additionally it removes the mod_atuh_kerb authorization for elements in the static directory, cutting down on the number of round trips required for initializing the web app
Conflicts:
install/static/ipa.js
if the field does not have a 'w' for writable in its rights, disable it.
Merged with the HBAC/Widget changes
add and remove links are managed via permissions now
The UI framework has been extended to include a collection of widgets:
- ipa_widget: base class
- ipa_text_widget: text field
- ipa_radio_widget: radio button
- ipa_textarea_widget: textarea
- ipa_button_widget: button
- ipa_column_widget: column for table
- ipa_table_widget: table
These widgets can be used to create input controls. They can also be
extended to create custom controls.
The framework has also been enhanced to support custom layouts. This
can be used to change the look of the application without changing
the code. Initially this is only available in details section.
Layout consists of a collection of HTML templates. Each template is a
complete and valid HTML file representing a portion of a page. The
template will be loaded and initialized by the code, then filled with
the data from the server. The layouts are located in
install/static/layouts/<name> folder.
By default, if no templates are used, the fields in the details page
are rendered vertically using dd/dt/dd tags. For pages that require
different layout, a custom UI needs to be developed. There are two ways
to do that:
- write a custom widget to generate the UI dynamically
- create an HTML template and write the initialization code
For components that are quite complex or used frequently, it's might
be better to use the first method. For simple pages that are used only
in one location or need to support customization, the second method
might be preferable. Other benefits of templates:
- cleaner code and UI separation
- more flexibility in customization
- new pages can be developed quickly and require less coding
- multiple templates can be used with the same initialization code
- easier to maintain
The HBAC details page has been implemented using both methods. By
default it will use custom widgets to generate the page. To use a
custom layout, add the following parameter to the URL, then reload
the page:
&layout=<name>
Currently the only available layout is 'default' which produces the
same look as the custom widgets.
The HBAC details page is usable, but it still needs additional work.
The access time is not working yet. There is no undo button, hint,
or validation yet.
The table in the association facet has also been changed to use
ipa_association_widget which is derived from ipa_table_widget.
The Makefile has been updated to include the layouts. The unit tests
have been updated as well.
Always display the account enable/disable status.
Don't ignore the exceptions when a user is already enabled or disabled.
Fix the exception error messages to use the right terminology.
In baseldap when retrieving all attributes include the default attributes
in case they include some operational attributes.
ticket 392
This lets the KDC count password failures and can lock out accounts for
a period of time. This only works for KDC >= 1.8.
There currently is no way to unlock a locked account across a replica. MIT
Kerberos 1.9 is adding support for doing so. Once that is available unlock
will be added.
The concept of a "global" password policy has changed. When we were managing
the policy using the IPA password plugin it was smart enough to search up
the tree looking for a policy. The KDC is not so smart and relies on the
krbpwdpolicyreference to find the policy. For this reason every user entry
requires this attribute. I've created a new global_policy entry to store
the default password policy. All users point at this now. The group policy
works the same and can override this setting.
As a result the special "GLOBAL" name has been replaced with global_policy.
This policy works like any other and is the default if a name is not
provided on the command-line.
ticket 51
Uses code very similar to the search code for deleting associations
Had to modify how we were configuring for bulk so that the logic for delete matched the logic for enroll
Fixed unit test and removed the 'new' from the associator call
We used to return a list of dns that failed to be added. We now return
a list of tuples instead. The tuple looks like (dn, reason) where reason
is the exception that was returned.
Also made the label we use for failures to be singular instead of plural
since we now print them out individually instead of as comma-separated.
ticket 270
This should make renamed users able to keep using old credentials as the salt
is not derived from the principal name but is always a random quantity.
https://fedorahosted.org/freeipa/ticket/412
When a Requirement fails we throw an exception including the name of the
field that is missing. To make the command-line friendlier we have a
cli_name defined which may or may not match the LDAP attribute. This can
be confusing if you are using ipalib directly because the attribute name
missing may not match what is actually required (desc vs description is
a good example).
If you use the context 'cli' then it will throw exceptions using cli_name.
If you use any other context it will use the name of the attribute.
ticket 187
This is done by creating a new attribute, memberindirect, to hold this
indirect membership.
The new function get_members() can return all members or just indirect or
direct. We are only using it to retrieve indirect members currently.
This also:
* Moves all member display attributes into baseldap.py to reduce duplication
* Adds netgroup nesting
* Use a unique object name in hbacsvc and hbacsvcgroup
ticket 296
The output is a pure python dict so is really only useful when used with
--all so it is required.
Updated to return a string for rights as opposed to a list. Terser, reducing the wire size by a factor of 3.5
The ipa_cmd() has been modified to identity the type of the error
it has received and display the error using the right dialog box.
The dialog box can be customized further to display the appropriate
amount of information for each type of error.
This patch introduces a new framework for implementing custom UI.
It consists of the following classes:
Main:
- IPA: global namespace and object repository
- ipa_entity: base class for entities
- ipa_facet: base class for facets
Add dialog:
- ipa_add_dialog: default add dialog
- ipa_add_field: the fields used in the dialog
Search facet:
- ipa_search_facet: default search facet
- ipa_search_column: the columns in the search result
Details facet:
- ipa_details_facet: default details facet
- ipa_details_section: the sections in the details facet
- ipa_details_field: the fields in the details facet
Association facet:
- ipa_association_facet: default association facet
- ipa_association_config: the association configurations
To use this framework, create a class extending the ipa_entity (e.g.
ipa_hbac). Use the create_* methods to create add dialog, search facet,
details facet, and association facet. The fields/columns for the dialog
and facets can be specified using the init() function. Custom UI can be
defined by overwriting the base methods (e.g. setup, save, load).
The entity must be added into the repository using IPA.add_entity().
The original ipa_entity_setup() has been generalized by moving facet-
specific codes into the corresponding facet. Some facet names are still
hard-coded. This will be fixed in follow-up patches.
Some global variables have been removed because their function has been
replaced by the object repository:
- ipa_entity_add_list
- ipa_entity_search_list
- ipa_entity_details_list
- window_hash_cache
Some functions and variables have been moved into IPA namespace:
- ipa_json_url -> IPA.json_url
- ipa_use_static_files -> IPA.use_static_files
- ipa_ajax_options -> IPA.ajax_options
- ipa_objs -> IPA.metadata
- ipa_messages -> IPA.messages
- ipa_dialog -> IPA.error_dialog
- ipa_init() -> IPA.init()
Initially the HBAC and Service entities have been rewritten to use the
new framework. The DNS is partially converted, the ipa_records_facet
is used to define custom records facet.
Other entities can still work using the old framework. The old framework
has been modified to be a wrapper for the new framework. Eventually all
entities will be converted to use the new framework.
Some unit tests have been modified to use the new framework.
To do a change right now you have to perform a setattr like:
ipa user-mod --setattr uid=newuser olduser
The RDN change is performed before the rest of the mods. If the RDN
change is the only change done then the EmptyModlist that update_entry()
throws is ignored.
ticket 323
If a modify operation does not specify our attribute then we need to short
circuit the loop, otherwise on enforcing we will return an error by mistake if
we are not Directory Manager because generate is false if the attr is not
found.
By setting the enforce flag in the configuration we prevent anyone from storing
arbitrary values and allow only Directory Manager to override the plugin.
Users can only set the value to the magic value (usually 0) to have the uuid
regenerated, and nothing else.
Remove one level of indentation from the main function by jumping
to the end immediately if the configuration list is empty.
Other minor style cleanups.