Commit Graph

396 Commits

Author SHA1 Message Date
Rob Crittenden
6dfd7c8242 Retrieve password/keytab state when modifying a host.
ticket https://fedorahosted.org/freeipa/ticket/1714
2011-08-25 16:38:38 +00:00
Rob Crittenden
109b79a7ac Change the way has_keytab is determined, also check for password.
We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.

This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.

When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).

This adds has_keytab/has_password to the user, host and service plugins.

ticket https://fedorahosted.org/freeipa/ticket/1538
2011-08-24 14:12:01 +02:00
Martin Kosek
d28f1c3b7c Fix automountkey-mod
Fix automountkey-mod so that automountkey attribute is correctly
updated. Add this test case to the unit tests.

Make automountkey required for automountkey-mod, otherwise it would
cause internal server error.

Make --newinfo optional so that automountkey may be just renamed
without changing its info attribute.

https://fedorahosted.org/freeipa/ticket/1528
2011-08-18 20:35:12 -04:00
John Dennis
2673782aec ticket 1600 - convert unittests to use DN objects
We have a larger goal of replacing all DN creation via string
formatting/concatenation with DN object operations because string
operations are not a safe way to form a DN nor to compare a DN. This
work needs to be broken into smaller chunks for easier review and
testing.

Addressing the unit tests first makes sense because we don't want to
be modifying both the core code and the tests used to verify the core
code simultaneously. If we modify the unittests first with existing
core code and no regressions are found then we can move on to
modifying parts of the core code with the belief the unittests can
validate the changes in the core code. Also by doing the unittests
first we also help to validate the DN objects are working correctly
(although they do have an extensive unittest).

The fundamental changes are:

* replace string substitution & concatenation with DN object
  constructor

* when comparing dn's the comparision is done after promotion
  to a DN object, then two DN objects are compared

* when a list of string dn's are to be compared a new list is
  formed where each string dn is replaced by a DN object

* because the unittest framework accepts a complex data structure of
  expected values where dn's are represeted as strings the unittest
  needs to express the expected value of a dn as a callable object
  (e.g. a lambda expression) which promotes the dn string to a DN
  object in order to do the comparision.
2011-08-16 23:52:26 -04:00
John Dennis
b6006f78f0 ticket 1569 - Test DN object non-latin Unicode support
The DN unittest was lacking a test for i18n. The unittest was
updated to store "Hello" in Arabic with both utf-8 and unicode
and verify the values could be properly retrieved and converted
to dn string syntax.

During the testing a few problems were discovered and corrected.

* passing in utf-8 caused an ASCII decode error becuase of Python's
  silly default encoding of ASCII. The fix was to explictly use
  the utf-8 codec.

* there were a couple of places where encode/decode were not
  called correctly.

* the internal attr and value members of the AVA class were renamed
  to explicitly show they are stored as unicode.

Of course the unittest was updated as well.
2011-08-16 23:28:31 -04:00
John Dennis
fae07f8154 ticket 1568 - DN objects should support the insert method
Add dn.insert() and update unittest
2011-08-16 23:25:01 -04:00
Alexander Bokovoy
dd296eec13 Add hbactest command. https://fedorahosted.org/freeipa/ticket/386
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.

Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.

 Test user coming from source host to a service on a named host against
 existing enabled rules.

 ipa hbactest --user= --srchost= --host= --service=
              [--rules=rules-list] [--nodetail] [--enabled] [--disabled]

 --user, --srchost, --host, and --service are mandatory, others are optional.

 If --rules is specified simulate enabling of the specified rules and test
 the login of the user using only these rules.

 If --enabled is specified, all enabled HBAC rules will be added to simulation

 If --disabled is specified, all disabled HBAC rules will be added to simulation

 If --nodetail is specified, do not return information about rules matched/not matched.

 If both --rules and --enabled are specified, apply simulation to --rules _and_
 all IPA enabled rules.

 If no --rules specified, simulation is run against all IPA enabled rules.

EXAMPLES:

    1. Use all enabled HBAC rules in IPA database to simulate:
    $ ipa  hbactest --user=a1a --srchost=foo --host=bar --service=ssh
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    2. Disable detailed summary of how rules were applied:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
    --------------------
    Access granted: True
    --------------------

    3. Test explicitly specified HBAC rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: myrule

    4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    5. Test all disabled HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: new-rule

    6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule

    7. Test all (enabled and disabled) HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      notmatched: new-rule
      matched: allow_all

Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.

Specifying them through --rules option explicitly enables them only in
simulation run.

Specifying non-existing rules will not grant access and report non-existing
rules in output.
2011-07-28 18:01:44 -04:00
Rob Crittenden
324777d67c Fix message in test case for checking minimum values 2011-07-28 02:03:56 -04:00
John Dennis
264ed38fa2 Make AVA, RDN & DN comparison case insensitive. No need for lowercase normalization.
Replace deepcopy with constructor (i.e. type call)
Can now "clone" with configuration changes by passing object
of the same type to it's constructor, e.g.
dn1 = DN(('cn', 'foo'))
dn2 = DN(dn1)
dn2 = DN(dn1, first_key_match=False)

Remove pairwise grouping for RDN's. Had previously removed it
for DN's, left it in for RDN's because it seemed to make sense
because of the way RDN's work but consistency is a higher goal.

Add keyword constructor parameters to pass configuration options.

Make first_key_match a configuration keyword.

Updated documentation.

Updated unit test.

FWIW, I noticed the unittest is now running 2x faster, not sure why,
removal of deepcopy? Anyway, hard to argue with performance doubling.
2011-07-27 20:58:48 -04:00
Martin Kosek
18aa73e06e Fix invalid issuer in unit tests
Fix several test failures when issuer does not match the one
generated by make-testcert (CN=Certificate Authority,O=<realm>).

https://fedorahosted.org/freeipa/ticket/1527
2011-07-27 20:56:16 -04:00
Rob Crittenden
62445b8673 Don't leave dangling map if adding an indirect map fails
When using the add_indirect helper we create a new map and then add a key
for it all in one step. If adding the key fails for any reason be sure to
remove the map we added.

https://fedorahosted.org/freeipa/ticket/1520
2011-07-27 00:02:28 -04:00
Rob Crittenden
506cbaa1fb Hide the HBAC access type attribute now that deny is deprecated.
It won't appear in the UI/CLI but is still available via XML-RPC.
allow is the default and deny will be rejected.

https://fedorahosted.org/freeipa/ticket/1495
2011-07-21 01:11:45 -04:00
John Dennis
ad3cf68ac2 Ticket 1485 - DN pairwise grouping
The pairwise grouping used to form RDN's and AVA's proved to be
confusing in practice, this patch removes that functionality thus
requiring programmers to explicitly pair attr,value using a tuple or
list.

In addition it was discovered additional functionality was needed to
support some DN operations in freeipa. DN objects now support
startswith(), endswith() and the "in" membership test. These functions
and operators will accept either a DN or RDN.

The unittest was modified to remove the pairwise tests and add new
explicit tests. The unittest was augmented to test the new
functionality. In addition the unittest was cleaned up a bit to use
common utilty functions for improved readabilty and robustness.

The documentation was updated.

fix test_role_plugin use of DN to avoid pairwise grouping
2011-07-21 00:29:38 -04:00
Rob Crittenden
e8c7eaf260 Set a default minimum value for class Int, handle long values better.
Allow a long to get as far as the min/max constraints where we can
compare it to min/max int values and reject with a proper error message.

https://fedorahosted.org/freeipa/ticket/1494
2011-07-19 20:32:00 -04:00
Rob Crittenden
bcdd149bd1 With the external user/group management fixed, correct the unit tests.
The unit tests were incorrectly expecting the removed data back when
removing external users.
2011-07-20 17:27:42 +02:00
Rob Crittenden
1dd9e14073 Optionally wait for 389-ds postop plugins to complete
Add a new command that lets you wait for an attribute to appear in
a value. Using this you can do things like wait for a managed entry
to be created, adding a new objectclass to the parent entry.

This is controlled by a new booleon option, wait_for_attr, defaulting
to False.

https://fedorahosted.org/freeipa/ticket/1144
2011-07-19 13:06:16 +02:00
Rob Crittenden
b14473a86c Fix failing tests due to object name changes
Some object names had spaces in them which was bad, update the tests
to reflect the new names.
2011-07-17 22:21:53 -04:00
Martin Kosek
47f1d86e35 Add new dnszone-find test
Implement a test for new dnszone-find option --forward-only.
Fix example for reverse zone (zone was not fully qualified and
DNS plugin would forbid adding PTR records).

https://fedorahosted.org/freeipa/ticket/1473
2011-07-18 09:50:23 +02:00
Jan Cholasta
b203756a88 Add ability to specify DNS reverse zone name by IP network address.
In order for this to work, chaining of parameters through
default_from is made possible.

ticket 1474
2011-07-15 02:21:23 -04:00
Rob Crittenden
bea7818add Remove the ability to create new HBAC deny rules.
New rules will all be allow type. Existing rules cannot be changed to
deny.

The type attribute now defaults to allow with autofill so it won't be
prompted in interactive mode in the cli.

https://fedorahosted.org/freeipa/ticket/1432
2011-07-14 19:23:17 -04:00
Alexander Bokovoy
b93e0b8bbf Convert nsaccountlock to always work as bool towards Python code
https://fedorahosted.org/freeipa/ticket/1259

Python code will see nsaccountlock as bool. JavaScript code will also see it as bool.

This allows native boolean operations with the lock field. Passes both CLI and WebUI tests.
2011-07-13 12:02:46 +02:00
Martin Kosek
e6c68e9993 Add DNS record modification command
The DNS record plugin does not support modification of a record. One
can only add A type addresses to a DNS record or remove the current
ones. To actually change a DNS record value it has to be removed and
then added with a desired value.

This patch adds a new DNS plugin command "dnsrecord-mod" which enables
user to:
 - modify a DNS record value (note than DNS record can hold multiple values
   and those will be overwritten)
 - remove a DNS record when an empty value is passed

New tests for this new command have been added to the CLI test suite.

https://fedorahosted.org/freeipa/ticket/1137
2011-07-12 14:20:16 -04:00
Rob Crittenden
28e85ee47a Fix test failure in updater when adding values to a single-value attr
The ipaldap.py code was updated to consider the schema when making
changes and does a REPLACE on single-value attributes. So when you
do an add in an update it will effectively replace the value instead
of ignoring it.
2011-07-11 19:21:51 -04:00
Rob Crittenden
d9627ab165 find_entry_by_attr() should fail if multiple entries are found
It will only ever return one entry so if more than one are found
then we raise an exception. This is most easily seen in the host
plugin where we search on the server shortname which can be the
same across sub-domains (e.g. foo.example.com &
foo.lab.example.com).

https://fedorahosted.org/freeipa/ticket/1388
2011-07-11 18:45:49 -04:00
Rob Crittenden
8810758c11 Let the framework be able to override the hostname.
The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

Important changes:
- configure ipa_hostname in sssd on masters
- set PKI_HOSTNAME so the hostname is passed to dogtag installer
- set the hostname when doing ldapi binds

This also reorders some things in the dogtag installer to eliminate an
unnecessary restart. We were restarting the service twice in a row with
very little time in between and this could result in a slew of reported
errors, though the server installed ok.

ticket 1052
2011-06-23 02:11:34 -04:00
John Dennis
d9d00f1522 Update test_role_plugin test to include a comma in a privilege
Introduce a comma into a privilege name to assure we can handle
commas.

Commas must be escaped for some parameters, add escape_comma() utility
and invoke it for the necessary parameters.

Utilize a DN object to properly construct a DN and most importantly to
allow equality testing beween the DN we expect and the one
returned. This is necessary because a DN can be encoded according to
different encoding syntaxes all of which are valid. DN objects always
decode from their input. DN objects can test for equality between DN's
without being affected by DN encoding.

Add a equality callback for the dn in the expected dict. When the test
framework tests for equality between the expected value and the
returned value it will call back into a function we provide which will
convert the returned dn into a DN object. An equality test is then
performed between two DN objects. This is the only way to properly
compare two dn's.
2011-06-22 02:06:02 -04:00
John Dennis
4c1bfdb919 assert_deepequal supports callback for equality testing 2011-06-22 01:16:31 -04:00
John Dennis
1a7d05cc0f Module for DN objects plus unit test 2011-06-22 01:05:44 -04:00
Rob Crittenden
a2a3782efb Require an imported certificate's issuer to match our issuer.
The goal is to not import foreign certificates.

This caused a bunch of tests to fail because we had a hardcoded server
certificate. Instead a developer will need to run make-testcert to
create a server certificate generated by the local CA to test against.

ticket 1134
2011-06-16 19:27:17 -04:00
Jr Aquino
44cdf8ef54 Raise DuplicateEntry Error when adding a duplicate sudo option
https://fedorahosted.org/freeipa/ticket/1276
https://fedorahosted.org/freeipa/ticket/1277
https://fedorahosted.org/freeipa/ticket/1308

Added new Exception: AttrValueNotFound
Fixed XML Test for Sudorule remove_option
1276 (Raise AttrValueNotFound when trying to remove a non-existent option from Sudo rule)
1277 (Raise DuplicateEntry Error when adding a duplicate sudo option)
1308 (Make sudooption a required option for sudorule_remove_option)
2011-06-16 19:21:07 -04:00
Martin Kosek
613804083d Add a list of managed hosts
Enhance Host plugin to provide not only "Managed By" list but also
a list of managed hosts. The new list is generated only when --all
option is passed.

https://fedorahosted.org/freeipa/ticket/993
2011-06-15 12:47:57 +02:00
Rob Crittenden
c5d8618424 Fix indirect member calculation
Indirect membership is calculated by looking at each member and pulling
all the memberof out of it. What was missing was doing nested searches
on any members in that member group.

So if group2 was a member of group1 and group3 was a member of group2
we would miss group3 as being an indirect member of group1.

I updated the nesting test to do deeper nested testing. I confirmed
that this test failed with the old code and works with the new.

This also prevents duplicate indirect users and looping on circular
membership.

ticket https://fedorahosted.org/freeipa/ticket/1273
2011-06-14 15:34:11 +00:00
Rob Crittenden
4ef8b58c26 Add UID, GID and e-mail to the user default attributes.
ticket https://fedorahosted.org/freeipa/ticket/1265
2011-06-08 23:30:11 +00:00
Jr Aquino
d7c60205a6 Add sudorule and hbacrule to memberof and indirectmemberof attributes
Add Add tests for users, groups, hosts and hostgroups to verify membership

Update API to version 2.3

https://fedorahosted.org/freeipa/ticket/1170
2011-06-06 13:14:38 -04:00
Jan Cholasta
fd639bc88c Do stricter checking of IP addressed passed to server install.
ticket 1213
2011-05-30 13:38:46 +02:00
Jan Cholasta
80b4b3d44b Parse netmasks in IP addresses passed to server install.
ticket 1212
2011-05-30 13:36:26 +02:00
Rob Crittenden
9cc0754b71 Add option to limit the attributes allowed in an entry.
Kerberos ticket policy can update policy in a user entry. This allowed
set/addattr to be used to modify attributes outside of the ticket policy
perview, also bypassing all validation/normalization. Likewise the
ticket policy was updatable by the user plugin bypassing all validation.

Add two new LDAPObject values to control this behavior:

limit_object_classes: only attributes in these are allowed
disallow_object_classes: attributes in these are disallowed

By default both of these lists are empty so are skipped.

ticket 744
2011-05-27 13:51:37 -04:00
Martin Kosek
dea578a357 A new flag to disable creation of UPG
Automatic creation may of User Private Groups (UPG) may not be
wanted at all times. This patch adds a new flag --noprivate to
ipa user-add command to disable it.

https://fedorahosted.org/freeipa/ticket/1131
2011-05-25 08:39:47 +02:00
Rob Crittenden
d3b0c64fce Modify the default attributes shown in user-find to match the UI design.
This change means the UI can stop using the --all option and have to
retrieve significantly less information from the server. It also
speeds up user-find as it doesn't have to calculate membership.

This adds a new baseclass parameter, search_display_attributes, which
can provide a separate list from default_attributes just for find
commands.

The UI will need to be changed to switch from using cn to using
givenname and sn.

ticket 1136
2011-04-22 14:49:20 -04:00
Rob Crittenden
f746121824 Convert manager from userid to dn for storage and back for displaying.
ticket 1151
2011-04-22 14:49:20 -04:00
Rob Crittenden
9cac1d88fc Sort entries returned by *-find by the primary key (if any).
Do a server-side sort if there is a primary key.

Fix a couple of tests that were failing due to the new sorting.

ticket 794
2011-04-13 17:29:16 +02:00
Rob Crittenden
316efbc32f postalCode should be a string not an integer.
postalCode is defined as an Int. This means you can't define one that has
a leading zero nor can you have dashes, letters, etc.

This changes the data type on the server. It will still accept an int
value if provided and convert it into a string.

Bump the API version to 2.1.

ticket 1150
2011-04-05 21:51:34 -04:00
Rob Crittenden
deaf029023 Change default gecos from uid to first and last name.
ticket 1146
2011-04-05 14:18:55 -04:00
Rob Crittenden
f476c097d2 Replace only if old and new have nothing in common
Jakub did the initial diagnosis of this, I added a fix for removing
the last entry when removing members and a test case.

ticket 1000
2011-03-03 11:02:02 -05:00
Pavel Zuna
1eb3033311 Final i18n unit test fixes. 2011-03-01 10:31:43 -05:00
Pavel Zuna
18dda28c56 Fix i18n related failures in unit tests. 2011-03-01 10:31:41 -05:00
Pavel Zuna
6eb70ea8e2 Remove deprecated i18n code from ipalib/request and all references to it.
Ticket #903
2011-03-01 10:31:36 -05:00
Rob Crittenden
d57dfc4e98 Sudo command groups are not supposed to allow nesting.
It was a design decision to not allow nesting sudo command groups,
remove it.

ticket 1004
2011-02-23 18:44:28 -05:00
Rob Crittenden
af9f905239 Collect memberof information for sudo commands.
We weren't searching the cn=sudo container so all members of a
sudocmdgroup looked indirect.

Add a label for sudo command groups.

Update the tests to include verifying that membership is done
properly.

ticket 1003
2011-02-23 18:44:23 -05:00
Rob Crittenden
2f82112bb3 Add handling for indirect memberof other entries.
This creates a new custom attribute, memberofindirect_[plugin].
Using this you can tell the difference between being an actual memberof
another entry and being a memberof as the result if inheritence. This is
particularly useful when trying to remove members of an entry, you can
only remove direct members.

I had to add a couple of short sleep calls to make things work a little
better. The memberof plugin runs as a postop and we have no way of knowing
when it has done its work. If we don't pause we may show some stale
data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.

ticket 966
2011-02-21 11:21:23 -05:00