This patch adds pending password expiration notification support to Web UI. When user's password is going to expire in less or equal than configure days a bold red text 'Your password expires in N days.' and a link 'Reset your password' are shown in Web UI's header (on the left next to 'Logged in as...').
Clicking on 'Reset your password link' opens IPA.user_password_dialog. Successful reset of own password will reload user's information (whoami) and update header (it will most likely hide the warning and link).
https://fedorahosted.org/freeipa/ticket/2625
This is a continuation of effor which transforms status widgets with buttons executing actions to separate status widget and action panels. This patch strips certificate status widget of its buttons and separates the actions to their own objects. Appropriate modifications are taken in host and service details facets.
New certificate loader, facet policy and evaluator are introduced to make actions and status widget independent. On facet load event new certificate facet policy loads a certificate from result. Unfortunately results don't contain revocation reason so it also executes additional cert-show command to get the revocation reason. Policy store the certifacete to facet. It raises the certifacet_loaded event to notify certificate evaluator and status widget. Status widget updates its state. Certificate evaluater updates state and actions get disabled or enabled.
https://fedorahosted.org/freeipa/ticket/2250
This patch adds validator which compares passwords in two fields.
In future it should be used in various password reset dialogs.
A flags attribute was added to field. It's purpose is to define control flags. This patch uses it in details facet and adder dialog to not include fields to command option if the field has 'no_command' flag. Therefore there is no need to use hacks such as disabling of field or removing a value from command's option map when a non-command field is needed (ie verify password).
https://fedorahosted.org/freeipa/ticket/2829
This patch adds Web UI for trusts.
Navigation path is IPA Server/Trust. It allows to add, deleted and show trust. Mod command doesn't have defined input options so update of a trust is not supported yet.
Adder dialog supports two ways if adding a trust:
1) adding with domain name, admin name and admin password.
2) adding with domain name, shared secret
Search page shows only list of realm names which are trusts' cns.
Details page is read only. It contains following attributes:
* Realm name (cn)
* Domain NetBIOS name (ipantflatname)
* Domain Security Identifier (ipanttrusteddomainsid)
* Trust direction (trustdirection)
* Trust type (trusttype)
trust_output_params also defines 'Trust status' param. This param is not return by show command as well so it's commented out in code until it's fixed in plugin code.
Fields in details pages are using labels defined in internal.py. It is temporary solution until including of command.has_output_params will be added to metadata.
https://fedorahosted.org/freeipa/ticket/2829
Error message for IPA error 911 is not very clear for end users.
This patch changes the message and adds an advice how to get rid of the error.
https://fedorahosted.org/freeipa/ticket/2778
Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task. This patch is adding reset password form to unautorized dialog.
If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and password are used from previous login attempt. User have to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user. In password reset form user can click on cancel button or hit escape on keyboard to go back to login form.
https://fedorahosted.org/freeipa/ticket/2755
This patch adds separate reset password page. It is a complement to separate login page. It differentiate from reset password capabilities in Web UI's anauthorized dialog by not performing login. This is useful for users who wants only to reset the password and not to use Web UI. And also for users who are using the separate login page.
https://fedorahosted.org/freeipa/ticket/2755
Servise provisioning status widget was modified only to display the has_keytab status. Button for 'delete key,unprovision' was moved as action to newly created action panel in the same section. This required to moved the creation of the unprovisioning dialog from that widget to new separate dialog.
Action for action panel and all required status evaluators for enabling/disabling of that action were also created.
https://fedorahosted.org/freeipa/ticket/2252
Widgets in host enrollment sections were modified. They now serve only for displaying of has_key and has_password status. Functionality for setting otp and unprovisioning was moved to separate dialogs. Execution points for opening of these dialogs are items in new action panel in enrollment section.
https://fedorahosted.org/freeipa/ticket/2251
Patch "Add options to reduce writes from KDC" adds two more possible values to config plugins ipaconfigstring configuration options.
These are:
* KDC:Disable Last Success
* KDC:Disable Lockout
This patch adds them to Web UI
https://fedorahosted.org/freeipa/ticket/2734
Association dialogs were using non-existent options for find commands. It causes error when #2509 is implemented.
Now when creating a find command a check for options existence is performend. Option is not used if not present in metadata. It fixes the issue.
https://fedorahosted.org/freeipa/ticket/2760
on_value_changed event in textboxes and textareas was raised only on keyboard input. If user used different input method such as paste or browser undo and redo functions widget's on_value_changed event wasn't raised and so dirty state wasn't changed as well.
This patch adds listener to text's and textarea's 'input' event. Input is a HTML 5 event which is raises on user initiated action.
Some of user initiated actions :
* Cut
* Copy
* Paste
* Undo
* Redo
* Clear
* Typing (like keyup)
* Form AutoFill
* User-invoked spellcheck corrections
* Input from Input Method Editor
It should be supported by all recent versions of major browsers. IE doesn't support it up to version 8.
Listener for 'keyup' event was left in implementation for backward compatibility with older browsers. This may cause firing on_value_change twice but so far it shouldn't cause troubles.
https://fedorahosted.org/freeipa/ticket/2647
Ticket https://fedorahosted.org/freeipa/ticket/2509 bans using non existent options. If such option is supplied command ends with error. It uncovered several cases in Web UI. This patch is fixing these cases.
Automember, Self-service and Delegation don't support 'pkey-only', 'size-limit' and 'rights' option. Pagination and rights check were disabled for them.
Automount map adder dialog was sending options for indirect map even if chosen type was direct (when those for indirect was filled earlier), also it was sending non-existant 'method' option.
https://fedorahosted.org/freeipa/ticket/2760
This patch creates state_evaluator which creates permission states for defined attribute. The state format is: attributeName_permissionChar.
This evaluator is used for user_password attribute and it control enabling/disabling of related action in user account action panel.
https://fedorahosted.org/freeipa/ticket/2318
Currently the user password is shown as follows in the details page:
Password: Reset Password
This is inconsistent with the rest of the page because the 'Reset Password' is an action, not the value of the password.
Now password is shown as follows:
Password: ******* (if set)
Password: (if not set)
Reset password link was removed as well the dialog for reset password was removed from password widget. The dialog was moved to its own object and can be now showed independently. An action for showing this dialog should be created.
https://fedorahosted.org/freeipa/ticket/2248
This patch implements action panel. Action panel is a box located in facet details section which contains actions related to that object/section.
In spec file can be configured actions and title used in action panel. Default title is 'Actions'. Actions are specified by their name. They have to be defined in action collection in facet.
https://fedorahosted.org/freeipa/ticket/2248
This is a first step for implementing action panels which will also use the shared list of actions.
This effor changes the way how action list and control buttons are defined. First all actions are defined on facet level - attribute 'actions' in spec file. Implementation of action list widget is not specified on facet level. It is left in facet header. A list of action names used in action list can be now specified in facet spec in 'header_actions' attribute.
Control buttons use similar concept. Facet by default is using control_buttons_widget. Details and search facet are defining their own default actions (refresh/add/remove/update/reset). Additional buttons can be defined as array of action names on facet level in control_buttons attribute.
state_evaluators and state_listeners were united. They are called state_evaluators but they uses state_listener concept, they are attached to an event. For former state_evaluator the event is post_load. They are defined in spec in state attribute. State object purpose is to aggregate states from all state evaluators. It offers changed event to which can other objects subscribe. It also has summary evaluator which evaluation conditions. Summary evaluator creates summary status with human readable description. It can be used by facet header.
https://fedorahosted.org/freeipa/ticket/2248
Very long pkeys in facet header were limited to 60 characters. This magic number was good enough but with new action lists it isn't.
This patch is adding calculation of maximum characters for pkey in facet header. It fixes regression introduced by Action Lists and also it uses effectively available space.
Also this patch is changing limiting of breadcrumbs element to use as much space as possible. It works in three steps. First a threshold is set which is equal to length average. Then a total length of keys with length less than threshold is calculated. From this we can get remaining space for long keys and calculate new threshold. At last keys are limited to new threshold.
https://fedorahosted.org/freeipa/ticket/2247
f
When DNS support was disabled there were following errors in Web UI:
1) Host details page was not filled with data
2) Host adder dialog was broken -> unusable
3) DNS tab was displayed in navigation
The bugs were fixed by:
1) Was caused by entity_link_widget. The widget was modified to do not show link if other_entity (in this case dnsrecord) is not present.
2) Was caused by host_fqdn_widget. The widget is unusable becouse withou DNS support it doesn't have access to DNS zone entity. The section with this widget was removed. Also IP address field was removed because it shouln't be used without DNS support. New 'fqdn' text box was added for specifying hostname.
3) New DNS config entity was initialized but it wasn't shown because it caused some JavaScript error. The dnsconfig's init method was modified to throw expected exception. Now no dns entity is initialized and therefore DNS tab in navigation is not displayed.
https://fedorahosted.org/freeipa/ticket/2728
Instructions to generate certificate were changed. Now they use certutil instead of openssl. In the example is also used option for specifying key size.
https://fedorahosted.org/freeipa/ticket/2725
This patch adds action list and control buttons for consistent change of enty status for user, hbac rules, sudo rules, SELinux maps and dns zones.
Action lists with 'enable' and 'disable' and 'delete' options were added to details facets.
Two control buttons: 'enable' and 'disable' were added to search facets.
https://fedorahosted.org/freeipa/ticket/2247
Adds hiding/showing capabilities to action_button_widget. This patch is fixing regression caused replacing old details facet buttons with control_buttons_widget. The problem was that some buttons were not hidden in self-service mode.
https://fedorahosted.org/freeipa/ticket/2707
Control buttons is a widget which contains action buttons. It is located in facet header and are supposed to replace old action buttons created by IPA.action_button(spec) call. The benefit is that now it is possible to define new buttons declaratively in spec definition without a need of inheriting facet and overriding create method.
Action buttons are an entry poing for execution facet-wide action so they are tightly bound to facet.
Action button options:
name: string
label: string, human readable label
tooltip: string, human readable tooltip
href: string, optional
icon: string, icon class
needs_confirm: boolean, default false
confirm_msg: string, human readable confirmation message
confirm_dialog: confirmation dialog, optional, custom confirmation dialog
action: action, action which will be executed
enabled: boolean, optional, default true
Control buttons are define in facet spec in control_buttons property. Its a spec object with following attributes:
all attributes which normal widget can have
buttons: array of action_button specs
state_listeners: array of state listener specs
In init phase control_buttons_widget should assign a action_button a facet.
control_buttons_widget are resposible for evaluation of action_button disable/enable state because they contain state_listeners which creates the state upon the enabled/disabled state is evaluated.
State listeners are similar to state_evaluators. The differce is that the state is not evaluated from record set but from facet itself. The execution of evaluation is bound to a facet event.
https://fedorahosted.org/freeipa/ticket/2247
This patch add support fo Action Lists.
Action list is a select widget with actions as options located in facet header. Action can be selected and then executed by clickin on 'apply' button.
Actions lists are defined on facet level. Facet header takes them from facet.
Action list options
actions: list of actions
state_evaluator: a state evaluator which is needed for enabling/disabling options. Can encapsulate more evaluators.
State evaluator object
----------------------
State evaluator is resposible for evaluating a state from result set. State is a array of strings. Each evaluator should inherit from IPA.state_evaluator and override evaluate method.
Methods:
evaluate(record): should return string array which represents the state
get_description(): human readable representation of a state
Action
------
Action is a object which can perform certain action on a facet. Action has enabling and disabling conditions.
action options:
name: string, required, name of the option
label: string, required, human readable name of the option
enable_cond: string array, states which need to be present in order to run this action
disable_cond: string array, states which must not be present in order to run this action
handler: function, contains action's logic
needs_confirm: boolean, default false, indicates if action needs user confirmation
confirm_msg: string, default generic message, human readable confirmation message.
Action list should contain logic which enables/disables action based on facet state and action's enabling/disabling conditions. It should also enforce presence of confirmation.
In this patch is also slightly modified facet header, mostly title part. It was revised to contain status icon, title and action list on single line. Facet header is using state evaluator's get_description method to properly set tooltip for state icon.
https://fedorahosted.org/freeipa/ticket/2247
Web UI mainly uses declarative way of defining UI structure. When a new object type is created it is often required to create a new builder which would build the objects from spec file. The builders' logic is mostly the same. This patch adds a general builder with some extendability capabilities.
Now it is possible to:
1) define spec for single object and build it by calling IPA.build(spec, /* optional */ builder_fac)
2) define an array of specs and build the objects by the same call
Prerequisite for following action list patches.
https://fedorahosted.org/freeipa/ticket/2707
Password policies are sorted by priority. When paging is enabled, table facet uses pwpolicy-find --pkey-only to get all pwpolicies keys. Those keys are sorted on server by priority but table facet sorts them again. This breaks the priority sorting.
This patch disables the paging in passord policy serch page so the keys are sorted by priority.
TODO: we should inspect sorting in table facet more deeply and disable it if it don't break anything.
https://fedorahosted.org/freeipa/ticket/2676
Permission field is missing in delegation so it can't be set/modified.
It was added to delegation details facet and adder dialog.
The field is using checkboxes instead of multivalued textbox because it can have only two effective values: 'read' and 'write'.
https://fedorahosted.org/freeipa/ticket/2635
Forms-based login procedure detects if 401 unauthorized response contains
'X-IPA-Rejection-Reason' http header with 'password-expired' value. If so
it displays an error message that user needs to reset his password.
https://fedorahosted.org/freeipa/ticket/2608
DNS forward policy fields were using mutually exclusive checkboxes. Such behavior is unusual for users.
Checkboxes were changed to radios.
https://fedorahosted.org/freeipa/ticket/2599
Permission form was missing attrs field for target=subtree. All other target types have it.
It uses multivalued text widget, same as filter, because we can't predict the target type.
https://fedorahosted.org/freeipa/ticket/2592
This patch is changing netgroup web ui to look more like hbac or sudo rule UI. This change allows to define and display user category, host category and external host.
The core of the change is changing member attributes (user, group, host, hostgroup) to use rule_details_widget instead of separate association facets. In host case it allows to display and add external hosts.
https://fedorahosted.org/freeipa/ticket/2578
Problem:
When some facet perform action which modifies data, some other facet may become expired.
Example: User modifies group's description. Now group search facet contains old data and has to be refreshed.
Solution:
New event was added to facet: on_update. It should be executed when facet performs action which modifies data ie: details facet update or add entry to dnsrecord.
Then entity policies were introduced. Entity policies are a objects which are stored in entity.policies. They have similar function as facet_policies - performing communications and other functionality between facets. This way facets don't have to contain such logic and thus they aren't dependant on each other.
This patch adds IPA.facet_update_policy, IPA.adder_facet_update_policy, IPA.search_facet_update_policy, IPA.details_facet_update_policy.
IPA.facet_update_policy: On facets_created it bind itself to [current entity].[source facet].[event]. Default event is on_update. When the event is executed it sets expiration flag to [dest entity].[dest facet].
IPA.search_facet_update_policy: IPA.facet_update_policy where source facet = search, dest facet = details, dest entity = current entity. Its a default policy for updatein changes from search facet to details facet. Right now it isn't needed but it will be needed when action lists come to play.
IPA.details_facet_update_policy: same as IPA.search_facet_update_policy just reversed. Very important.
IPA.adder_facet_update_policy: similar functionality, just source of the event is dialog. Default event is added (new event in entity_adder_dialog).
Entity policies should be specified in entity's spec object. If none are specified a default ones are used. Default policies are: IPA.search_facet_update_policy and IPA.details_facet_update_policy.
https://fedorahosted.org/freeipa/ticket/2075
Problem:
For performance reason a facet may cache the data in browser's memory. There should be a flag to indicate whether a facet has expired and should be refreshed. The expired flag could be set by these events:
1) any update operation
2) changing search filter in search facet
3) switching page in a multi-paged search/association facet
4) switching direct/indirect view in association facet
5) facet expiration time
A facet should be able to use these methods to refresh itself:
6) on demand: an expired facet should be refreshed when a user opens it.
7) automatic: an open facet should automatically refresh itself when it expires.
Solution:
This patch solves cases: #2, #3, #5, #6. Case #4 works without any change. Case #1 will be solved later. Case #7 is deffered.
Default expiration timeout was set to 10 minutes.
In this patch are also updated facet.needs_update methods to reflect changes in containing facets.
https://fedorahosted.org/freeipa/ticket/2075
DNS forwarder's value can consist of IP address and a port.
The syntax is '<IP ADDRESS> port <PORT>'. A new validator was created for this purpose. It is based on IP address validator.
https://fedorahosted.org/freeipa/ticket/2490
dnsconfig was extended of new attributes, so reflecting it in UI.
New attributes:
* idnsForwardPolicy
* idnsAllowSyncPTR
* idnsZoneRefresh
https://fedorahosted.org/freeipa/ticket/2489
