Commit Graph

70 Commits

Author SHA1 Message Date
Rob Crittenden
2f4f9054aa Enable a host to retrieve a keytab for all its services.
Using the host service principal one should be able to retrieve a keytab
for other services for the host using ipa-getkeytab. This required a number
of changes:

- allow hosts in the service's managedby to write krbPrincipalKey
- automatically add the host to managedby when a service is created
- fix ipa-getkeytab to return the entire prinicpal and not just the
  first data element. It was returning "host" from the service tgt
  and not host/ipa.example.com
- fix the display of the managedby attribute in the service plugin

This led to a number of changes in the service unit tests. I took the
opportunity to switch to the Declarative scheme and tripled the number
of tests we were doing. This shed some light on a few bugs in the plugin:

- if a service had a bad usercertificate it was impossible to delete the
  service. I made it a bit more flexible.
- I added a summary for the mod and find commands
- has_keytab wasn't being set in the find output

ticket 68
2010-08-16 17:13:56 -04:00
Rob Crittenden
1df10a88cd Add support for client failover to the ipa command-line.
This adds a new global option to the ipa command, -f/--no-fallback. If this
is included then just the server configured in /etc/ipa/default.conf is used.
Otherwise that is tried first then all servers in DNS with the ldap SRV record
are tried.

Create a new Local() Command class for local-only commands. The help
command is one of these. It shouldn't need a remote connection to execute.

ticket #15
2010-08-16 10:35:27 -04:00
Rob Crittenden
5b894d1fb7 Allow decoupling of user-private groups.
To do this we need to break the link manually on both sides, the user and
the group.

We also have to verify in advance that the user performing this is allowed
to do both. Otherwise the user could be decoupled but not the group
leaving it in a quasi broken state that only ldapmodify could fix.

ticket 75
2010-08-10 16:41:47 -04:00
Rob Crittenden
719592a209 Fix user tests to handle managed entries
We now enable managed entries by default and need to account for it
in the expected output.
2010-08-10 16:41:28 -04:00
Rob Crittenden
2d7d047cbf Add optional error message to pattern validator
The pattern validator by default displays the pattern that is being
matched against. This isn't helpful, particularly for very hairy patterns.
This adds a new parameter, pattern_errmsg, that is displayed on errors
if set.

ticket #11
2010-08-06 15:32:37 -04:00
Rob Crittenden
d885339f1c Require that hosts be resolvable in DNS. Use --force to ignore warnings.
This also requires a resolvable hostname on services as well. I want
people to think long and hard about adding things that aren't resolvable.

The cert plugin can automatically create services on the user's behalf when
issuing a cert. It will always set the force flag to True.

We use a lot of made-up host names in the test system, all of which require
the force flag now.

ticket #25
2010-08-06 15:31:57 -04:00
Rob Crittenden
efa11d3746 Fix replacing a certificate in a service.
When a service has a certificate and the CA backend doesn't support
revocation (like selfsign) then we simply drop the old certificate in
preparation for adding a new one. We weren't setting the usercertificate
attribute to None so there was nothing to do in ldap_update().

Added a test case for this situation to ensure that re-issuing a certificate
works.

ticket #88
2010-08-06 13:12:21 -04:00
Rob Crittenden
57a9001f8d Fix netgroup plugin to use correct member attribute names.
When the netgroup plugin was rebased it ended up using the member
attribute for its memberships and not memberuser/memberhost.

I also fixed this same attribute problem in the tests and tried to beef
them up a little. If nis/schema compat are enabled it will try to compare
the generated triplets with a known-good value.
2010-07-15 11:18:18 -04:00
Rob Crittenden
1e1985b17c Add API to delete a service principal key, service-disable.
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.

I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.

This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
2010-07-13 09:29:10 -04:00
Rob Crittenden
c9e0b43d53 Add test to ensure that a certificate we issue is actually stored properly. 2010-07-13 09:28:03 -04:00
Rob Crittenden
7f9485f5bf Change expected aci summary from Updated to Modify in test cases 2010-07-06 15:39:44 -04:00
Rob Crittenden
93e54366f9 Fix aci_mod command. It should handle more complex operations now.
The problem was trying to operate directly on the ACI itself. I
introduced a new function, _aci_to_kw(), that converts an ACI
into a set of keywords. We can take these keywords, like those passed
in when an ACI is created, to merge in any changes and then re-create the
ACI.

I also switched the ACI tests to be declarative and added a lot more
cases around the modify operation.
2010-06-24 10:26:08 -04:00
Rob Crittenden
e123fa6671 Add ipaUniqueID to HBAC services and service groups
Also fix the memberOf attribute for the HBAC services
2010-05-27 10:51:02 -04:00
Rob Crittenden
71738f9177 Remove local get_dn() from hbacsvcgroup and add tests for hbacsvcgroup 2010-05-20 13:53:02 -04:00
Rob Crittenden
1dad0758ce Use new service schema for HBAC tests 2010-05-17 13:48:44 -04:00
Rob Crittenden
542768bec7 Replace old pwpolicy plugin with new one using baseldap, fix tests.
Fix deletion of policy when a group is removed.
2010-05-17 13:48:19 -04:00
root
f6cde533fd Add new password policy plugin based on baseldap.py classes. 2010-05-05 15:00:04 -04:00
Rob Crittenden
c3c850b1d7 Deleting a non-fully-qualified hostname should still delete its services
We were being left with orphan services if the host entry was not removed
using the FQDN.
2010-03-30 09:41:17 -04:00
Rob Crittenden
d13fcb6a0c Ensure that the group policy priority is unique.
We use CoS to determine the order in which group policy is applied. The
behavior in CoS is undefined for multiple entries with the same
cospriority.
2010-03-19 07:13:33 -06:00
Rob Crittenden
766757e4d4 Fix unicode failures in Env tests and dn failures in XML-RPC tests 2010-02-26 12:31:11 -05:00
Pavel Zuna
aa2c124e7d Make the --all option work in Add/Remove Member commands. 2010-02-24 14:56:34 -05:00
Rob Crittenden
58746226d4 Use the Output tuple to determine the order of output
The attributes displayed is now dependant upon their definition in
a Param. This enhances that, giving some level of control over how
the result is displayed to the user.

This also fixes displaying group membership, including failures of
adding/removing entries.

All tests pass now though there is still one problem. We need to
return the dn as well. Once that is fixed we just need to comment
out all the dn entries in the tests and they should once again
pass.
2010-02-15 13:10:11 -07:00
Rob Crittenden
b7f557e3cf Fix the cert plugin tests
These tests rely on the existence of a backend CA. It is easiest to
test with a self-signed CA in ~/.ipa so that is what I documented.

These tests are skipped if no CA is available.

Improved robustness a bit by putting the cleanup as a separate test.
2010-02-09 02:13:06 -07:00
Jason Gerard DeRose
e9dc9de23a Fixed xmlrpc_test.fuzzy_digits for Fedora12 2010-01-22 14:41:49 -05:00
Rob Crittenden
ee446ff148 Remove hardcoded domain, example.com 2009-12-18 09:41:53 -07:00
Jason Gerard DeRose
e83c54587f Add messages, declarative tests for rolegroup, taskgroup plugins 2009-12-18 10:56:16 -05:00
Jason Gerard DeRose
ab1aba5a9a Added Fuzzy docstrings; make-test now runs doctests in tests/*; fixed 'existant' mispelling 2009-12-18 10:56:13 -05:00
Jason Gerard DeRose
29f243bf4e Fuzzy feelings 2009-12-17 11:22:14 -05:00
Jason Gerard DeRose
8ae0f9c8aa host and hostgroup summary messages, declarative tests; fix tests for 'dn' 2009-12-16 15:54:55 -07:00
Rob Crittenden
c334ec4584 Add simple tests for the aci plugin 2009-12-14 20:02:33 -07:00
Jason Gerard DeRose
b6e4972e7f Take 2: Extensible return values and validation; steps toward a single output_for_cli(); enable more webUI stuff 2009-12-10 08:29:15 -07:00
Rob Crittenden
8115b28c99 Add minimal test for the cert plugin
This assumes that the developer has the equivalent of a selfsign CA
installed. To do this, install IPA without a CA and copy
/etc/httpd/alias/*.db to ~/.ipa/alias and
/etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
2009-12-03 09:58:56 -07:00
Pavel Zuna
40368f0d01 Add {user,host,sourcehost}Category to HBAC and make accessTime multivalue. 2009-12-01 10:38:49 -05:00
Pavel Zuna
5be9721292 Fix unit tests for plugins using baseldap classes. 2009-10-07 10:00:32 -04:00
Pavel Zuna
e01b1b8f99 Fix unit tests for plugins using baseldap classes. 2009-10-05 15:59:09 -04:00
Pavel Zuna
a6eb928f98 Add HBAC plugin and introduce GeneralizedTime parameter type. 2009-10-05 15:55:27 -04:00
Rob Crittenden
dac224c25a Add support for per-group kerberos password policy.
Use a Class of Service template to do per-group password policy. The
design calls for non-overlapping groups but with cospriority we can
still make sense of things.

The password policy entries stored under the REALM are keyed only on
the group name because the MIT ldap plugin can't handle quotes in the
DN. It also can't handle spaces between elements in the DN.
2009-10-05 13:29:55 -06:00
Rob Crittenden
7a7041045e Fix service_mod and add a test case 2009-08-26 09:51:15 -04:00
Rob Crittenden
c781e8a57d Add a new objectclass, ipaObject, that will add a UUID to many IPA objects
ipaObject is defined as an auxiliary objectclass so it is up to the
plugin author to ensure that the objectclass is included an a UUID generated.
ipaUniqueId is a MUST attribute so if you include the objectclass you must
ensure that the uuid is generated.

This also fixes up some unrelated unit test failures.
2009-08-10 16:38:42 -06:00
Rob Crittenden
ac2970e52f Add unit test for password plugin 2009-07-07 22:56:45 -04:00
Pavel Zuna
48d6669796 Fix unit tests to handle new group-{add, del}-member semantics. 2009-07-02 13:33:05 -04:00
Pavel Zuna
72e4816140 Add unit tests for new plugins. 2009-07-02 13:33:04 -04:00
Pavel Zuna
57b55d8e2f Add utility functions for plugin unit testing. 2009-07-02 13:33:04 -04:00
Pavel Zuna
12ee586392 Remove unit tests for old plugins. 2009-07-02 13:33:04 -04:00
Rob Crittenden
e5bec4ae39 Schema change so the nisnetgroup triples work properly.
If we use cn for hostname there is no easy way to distinguish between
a host and a hostgroup. So adding a fqdn attribute to be used to store
the hostname instead.
2009-05-19 09:54:17 -04:00
Jason Gerard DeRose
ae38a2461f Force xmlrpc tests to run with in_tree=True so config files in /etc/ipa/ don't get read; cleaned up config.Env automagic with regard to running in-tree vs. installed 2009-05-11 16:17:08 -04:00
Rob Crittenden
7ab9c3363f Add missing attribute to fix netgroups test 2009-05-07 10:54:32 -04:00
Pavel Zuna
7d0bd4b895 Rename errors2.py to errors.py. Modify all affected files. 2009-04-23 10:29:14 -04:00
Rob Crittenden
64fa3dd4c3 Finish work replacing the errors module with errors2
Once this is committed we can start the process of renaming errors2 as errors.
I thought that combinig this into one commit would be more difficult to
review.
2009-04-20 13:58:26 -04:00
Rob Crittenden
e6171404bf Make parentmap a autofill variable and add tests when parentmap is not passed 2009-04-13 15:22:49 -04:00