Commit Graph

6911 Commits

Author SHA1 Message Date
Thorsten Scherf
7cf683b3bc Fixed various typos in ipa-client-install man page
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-05-06 13:49:38 +02:00
Thorsten Scherf
7646cb8e58 Fixed typo in ipa-test-task man page
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-05-06 13:44:53 +02:00
Nathaniel McCallum
797974b09f Fix a typo in the otptoken doc string
https://fedorahosted.org/freeipa/ticket/4289

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-05-06 13:23:25 +02:00
Thorsten Scherf
3f3c8eee24 Fixed typo how to create an example gpg key
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-05-06 13:20:17 +02:00
Tomas Babej
004071a246 ipatests: Add test for denying expired principals
Part of: https://fedorahosted.org/freeipa/ticket/3305

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <simo@redhat.com>
2014-05-05 19:06:39 +03:00
Tomas Babej
473a9fd238 ipatests: Add coverage for setting krbPrincipalExpiration
Part of: https://fedorahosted.org/freeipa/ticket/3306

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-05-05 19:01:04 +03:00
Tomas Babej
4568a52953 ipatests: Fix formatting errors in test_user_plugin.py
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-05-05 19:01:04 +03:00
Tomas Babej
edb5a0c534 ipalib: Expose krbPrincipalExpiration in CLI
Adds a krbPrincipalExpiration attribute to the user class
in user.py ipalib plugin as a DateTime parameter.

Part of: https://fedorahosted.org/freeipa/ticket/3306

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-05-05 19:01:04 +03:00
Tomas Babej
ecaf87c007 ipatests: Cover DateTime in test_parameters.py
Adds tests for newly added DateTime parameter, focusing on conversion
of accepted datetime formats.

Part of: https://fedorahosted.org/freeipa/ticket/3306

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-05-05 18:57:29 +03:00
Tomas Babej
1df696f543 ipalib: Add DateTime parameter
Adds a parameter that represents a DateTime format using datetime.datetime
object from python's native datetime library.

In the CLI, accepts one of the following formats:
    Accepts LDAP Generalized time without in the following format:
       '%Y%m%d%H%M%SZ'

    Accepts subset of values defined by ISO 8601:
        '%Y-%m-%dT%H:%M:%SZ'
        '%Y-%m-%dT%H:%MZ'
        '%Y-%m-%dZ'

    Also accepts above formats using ' ' (space) as a separator instead of 'T'.

As a simplification, it does not deal with timezone info and ISO 8601
values with timezone info (+-hhmm) are rejected. Values are expected
to be in the UTC timezone.

Values are saved to LDAP as LDAP Generalized time values in the format
'%Y%m%d%H%SZ' (no time fractions and UTC timezone is assumed). To avoid
confusion, in addition to subset of ISO 8601 values, the LDAP generalized
time in the format '%Y%m%d%H%M%SZ' is also accepted as an input (as this is the
format user will see on the output).

Part of: https://fedorahosted.org/freeipa/ticket/3306

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-05-05 18:57:29 +03:00
Petr Vobornik
093c72d60e webui: fix switching between multiple_choice_section choices
- required indicators are not present for all sections except the last
- validation has wrong color for the same sections

There was only one layout for all choices. Layout should not be reused
because `create` method will reset layout's rows therefore it worked
properly only for the last choice.

https://fedorahosted.org/freeipa/ticket/4327

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-05-05 17:54:36 +02:00
Petr Vobornik
7eff8ad7dc webui-ci: adjust id range tests to new validator
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-05-05 17:50:53 +02:00
Tomas Babej
5d78cdf809 ipa-pwd-extop: Deny LDAP binds for accounts with expired principals
Adds a check for krbprincipalexpiration attribute to pre_bind operation
in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is
denied and LDAP_UNWILLING_TO_PERFORM along with the error message is
sent back to the client. Since krbprincipalexpiration attribute is not
mandatory, if there is no value set, the check is passed.

https://fedorahosted.org/freeipa/ticket/3305

Reviewed-By: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-05-05 18:50:01 +03:00
Petr Viktorin
c3d7e66291 ipalib.aci: Allow alternate "aci" keyword in ACIs
Dogtag adds some ACIs that use an alternate keyword:
    version 3.0; aci
instead of
    version 3.0; acl

Add support for this so the parser does not fail on these ACIs.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-04-30 22:16:28 +02:00
Petr Viktorin
be6edef6e4 Move ACI tests to the testsuite
Make old debug code into regression tests for ACI parsing and output.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-04-30 22:16:27 +02:00
Petr Viktorin
6bdb30a15d ipalib.aci: Add support for == and != operators to ACI
This allows more natural comparisons.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-04-30 22:16:27 +02:00
Rob Crittenden
64dcb1ec76 Implement an IPA Foreman smartproxy server
This currently server supports only host and hostgroup commands for
retrieving, adding and deleting entries.

The incoming requests are completely unauthenticated and by default
requests must be local.

Utilize GSS-Proxy to manage the TGT.

Configuration information is in the ipa-smartproxy man page.

Design: http://www.freeipa.org/page/V3/Smart_Proxy

https://fedorahosted.org/freeipa/ticket/4128

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-04-30 21:57:27 +02:00
Petr Vobornik
923c7ab7bc webui: regression - enable fields on idrange type change (add)
ID range adder was not properly addressed in field binding refactoring.

The usage of reset caused some weird loops.

https://fedorahosted.org/freeipa/ticket/4326

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-04-29 18:10:36 +02:00
Adam Misnyovszki
6aeb138e46 webui: select all checkbox remains selected after operation
The select all checkbox remained selected after bulk
operation. This patch fixes it, after any bulk modify
or delete operation, unselect_all function is called.

https://fedorahosted.org/freeipa/ticket/4245

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-04-29 14:49:51 +02:00
Martin Kosek
5d832c3426 Make trust objects available to regular users
With global read ACI removed, some of the trust and trustdomain
attributes are not available. Make trust plugin resilient to these
missing attributes and let it return the available information.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-04-28 16:18:55 +02:00
Petr Viktorin
7eb12f1fb5 Add managed read permissions to trust
A single permission is added to cover trust, trustconfig, and trustdomain.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-28 16:17:38 +02:00
Petr Viktorin
e31688909c trust plugin: Remove ipatrustauth{incoming,outgoing} from default attrs
These attributes contain secrets for the trusts and should not be returned
by default.

Also, search_display_attributes is modified to better match default_attributes

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-04-28 13:45:09 +02:00
Petr Viktorin
99691d1171 aci-update: Add ACI for read-only admin attributes
Most admin access is granted with the "Admin can manage any entry" ACI,
but before the global anonymous read ACI is removed, read-only admin
access must be explicitly given.
Add an ACI for read-only attributes.

https://fedorahosted.org/freeipa/ticket/4319

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-25 14:06:08 +02:00
Petr Viktorin
223e6dc3f7 aci-update: Trim the admin write blacklist
These attributes are removed from the blacklist, which means
high-level admins can now modify them:

- krbPrincipalAliases
- krbPrincipalType
- krbPwdPolicyReference
- krbTicketPolicyReference
- krbUPEnabled
- serverHostName

The intention is to only blacklist password attributes and attributes
that are managed by DS plugins.

Also, move the admin ACIs from ldif and trusts.update to aci.update.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-25 14:06:08 +02:00
Petr Viktorin
edee79a32f test_ldap: Read a publicly accessible attribute when testing anonymous bind
The usercertificate attribute is slated to not be readable for
anonymous users. Use associateddomain in $SUFFIX instead.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-25 14:06:08 +02:00
Petr Viktorin
d893b77fb6 Add several managed read permissions under cn=etc
This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 14:36:41 +02:00
Petr Viktorin
af3a4adc46 Add support for non-plugin default permissions
Add support for managed permissions that are not tied to an object
class and thus can't be defined in an Object plugin.

A dict is added to hold templates for the non-plugin permissions.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 14:36:41 +02:00
Petr Viktorin
b9f69d4f0b Add managed read permission to service
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 11:46:23 +02:00
Petr Viktorin
1389567ec5 Extend anonymous read ACI for containers
- Allow cn=etc,$SUFFIX with these exceptions:
  - cn=masters,cn=ipa,cn=etc,$SUFFIX
  - virtual operations
  - cn=replicas,cn=ipa,cn=etc,$SUFFIX
- Disallow anonymous read access to Kerberos password policy

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 11:19:51 +02:00
Petr Viktorin
baa72b68b1 Add a new ipaVirtualOperation objectClass to virtual operations
The entries are moved from the ldif file to an update file.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 11:19:51 +02:00
Adam Misnyovszki
260c5bd109 webui doc: typo fixes in guides
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-04-23 17:15:41 +02:00
Tomas Babej
01558a77df ipatests: Extend test suite for ID ranges
Add tests coverage for recently added ID range checks dependant
on the ID range types.

Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-23 13:19:57 +02:00
Tomas Babej
5e5d4818a1 ipa_range_check: Change range_check return values from int to range_check_result_t enum
Using integers for return values that are used for complex casing can be fragile
and typo-prone. Change range_check function to return range_check_result_t enum,
whose values properly describes each of the range_check results.

Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-23 13:18:41 +02:00
Tomas Babej
91d68864d1 ipa_range_check: Fix typo when comparing strings using strcasecmp
Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-04-23 13:16:35 +02:00
Tomas Babej
6c8b40afb5 ipa_range_check: Do not fail when no trusted domain is available
When building the domain to forest root map, we need to take the case
of IPA server having no trusted domains configured at all. Do not abort
the checks, but return an empty map instead.

Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-04-23 13:16:35 +02:00
Tomas Babej
246e722b4f ipa_range_check: Make a new copy of forest_root_id attribute for range_info struct
Not making a new copy of this attribute creates multiple frees caused by multiple
pointers to the same forest_root_id from all the range_info structs for all the
domains belonging to given forest.

Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-04-23 13:16:34 +02:00
Tomas Babej
2c4d41221a ipa_range_check: Connect the new node of the linked list
Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-04-23 13:16:34 +02:00
Tomas Babej
2011392246 ipa_range_check: Use special attributes to determine presence of RID bases
The slapi_entry_attr_get_ulong which is used to get value of the RID base
attributes returns 0 in case the attribute is not set at all. We need
to distinguish this situation from the situation where RID base attributes
are present, but deliberately set to 0.

Otherwise this can cause false negative results of checks in the range_check
plugin.

Part of: https://fedorahosted.org/freeipa/ticket/4137

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-04-23 13:16:34 +02:00
Petr Viktorin
d28d37ebdb test_integration.host: Export the hostname to dict as string
Our tests do strict type-checking, using unicode string causes failures.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-04-22 12:55:35 +02:00
Jan Cholasta
9814b272af Keep original name when setting attribute in LDAPEntry.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-04-18 14:59:21 +02:00
Jan Cholasta
a8dd7aa337 Use raw attribute values in command result when --raw is specified.
For backward compatibility, the values are converted to unicode, unless the
attribute is binary or the conversion fails.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-04-18 14:59:20 +02:00
Jan Cholasta
b4860d09b4 Replace get_syntax method of IPASimpleObject with new get_type method.
get_type returns the Python type for an LDAP attribute.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-04-18 14:59:20 +02:00
Jan Cholasta
8b6dc819d5 Support API version-specific RPC marshalling.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-04-18 14:59:20 +02:00
Jan Cholasta
4314d02fbf Allow primary keys to use different type than unicode.
Also return list of primary keys instead of a single unicode CSV value from
LDAPDelete-based commands.

This introduces a new capability 'primary_key_types' for backward
compatibility with old clients.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-04-18 14:59:20 +02:00
Petr Vobornik
c644b47492 webui: fix OTP Token add regression
OTP Token add failed because of invalid function call. qr_widget doesn't
contain `on_value_changed` method since it inherits from `IPA.widget` and
not from `IPA.input_widget`.

Emitting the event was preserved for future possible usage.

https://fedorahosted.org/freeipa/ticket/4306

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-04-17 16:34:09 +02:00
Tomas Babej
f74ab3cba2 ipatests: Fix incorrect UID/GID reference for subdomain users and groups
In legacy client integration test, the test cases that query information
from subdomain about subdomain users and group expected subdomain
users and groups to have the UIDs/GIDs as users and groups in the root
domain.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-04-17 16:31:11 +02:00
Tomas Babej
49a59d1292 ipatests: Allow using FQDN with trailing dot as final hostname
When creating a BaseHost instance, the machine's hostname was
reconfigured to have the same shortname prepended the domain name
of the domain where it was defined.

However, it makes sense in certain use cases to define hosts
that have hostnames other than belonging directly in the domain
they were defined in.

Treat input hostnames with trailing dots as static FQDNs that
will not be changed by the name of the domain they were defined in.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-04-17 16:31:11 +02:00
Tomas Babej
24aa0a91e5 ipatests: tasks: Accept extra arguments when installing client
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-04-17 16:31:11 +02:00
Tomas Babej
ceca0b5591 ipatests: Fix apache semaphores prior to installing IPA server
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-04-17 16:31:11 +02:00
Adam Misnyovszki
f85fe1e851 CI - test_forced_client_reenrollment stability fix
fixes FreeIPA Jenkins CI test freeipa-integration-forced_client_reenrollment-f19

https://fedorahosted.org/freeipa/ticket/4298

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-04-17 16:31:11 +02:00