We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.
This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.
When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).
This adds has_keytab/has_password to the user, host and service plugins.
ticket https://fedorahosted.org/freeipa/ticket/1538
Fix automountkey-mod so that automountkey attribute is correctly
updated. Add this test case to the unit tests.
Make automountkey required for automountkey-mod, otherwise it would
cause internal server error.
Make --newinfo optional so that automountkey may be just renamed
without changing its info attribute.
https://fedorahosted.org/freeipa/ticket/1528
We have a larger goal of replacing all DN creation via string
formatting/concatenation with DN object operations because string
operations are not a safe way to form a DN nor to compare a DN. This
work needs to be broken into smaller chunks for easier review and
testing.
Addressing the unit tests first makes sense because we don't want to
be modifying both the core code and the tests used to verify the core
code simultaneously. If we modify the unittests first with existing
core code and no regressions are found then we can move on to
modifying parts of the core code with the belief the unittests can
validate the changes in the core code. Also by doing the unittests
first we also help to validate the DN objects are working correctly
(although they do have an extensive unittest).
The fundamental changes are:
* replace string substitution & concatenation with DN object
constructor
* when comparing dn's the comparision is done after promotion
to a DN object, then two DN objects are compared
* when a list of string dn's are to be compared a new list is
formed where each string dn is replaced by a DN object
* because the unittest framework accepts a complex data structure of
expected values where dn's are represeted as strings the unittest
needs to express the expected value of a dn as a callable object
(e.g. a lambda expression) which promotes the dn string to a DN
object in order to do the comparision.
The DN unittest was lacking a test for i18n. The unittest was
updated to store "Hello" in Arabic with both utf-8 and unicode
and verify the values could be properly retrieved and converted
to dn string syntax.
During the testing a few problems were discovered and corrected.
* passing in utf-8 caused an ASCII decode error becuase of Python's
silly default encoding of ASCII. The fix was to explictly use
the utf-8 codec.
* there were a couple of places where encode/decode were not
called correctly.
* the internal attr and value members of the AVA class were renamed
to explicitly show they are stored as unicode.
Of course the unittest was updated as well.
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.
Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.
Test user coming from source host to a service on a named host against
existing enabled rules.
ipa hbactest --user= --srchost= --host= --service=
[--rules=rules-list] [--nodetail] [--enabled] [--disabled]
--user, --srchost, --host, and --service are mandatory, others are optional.
If --rules is specified simulate enabling of the specified rules and test
the login of the user using only these rules.
If --enabled is specified, all enabled HBAC rules will be added to simulation
If --disabled is specified, all disabled HBAC rules will be added to simulation
If --nodetail is specified, do not return information about rules matched/not matched.
If both --rules and --enabled are specified, apply simulation to --rules _and_
all IPA enabled rules.
If no --rules specified, simulation is run against all IPA enabled rules.
EXAMPLES:
1. Use all enabled HBAC rules in IPA database to simulate:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
2. Disable detailed summary of how rules were applied:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
--------------------
Access granted: True
--------------------
3. Test explicitly specified HBAC rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: myrule
4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
5. Test all disabled HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
---------------------
Access granted: False
---------------------
notmatched: new-rule
6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
7. Test all (enabled and disabled) HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
notmatched: new-rule
matched: allow_all
Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.
Specifying them through --rules option explicitly enables them only in
simulation run.
Specifying non-existing rules will not grant access and report non-existing
rules in output.
Replace deepcopy with constructor (i.e. type call)
Can now "clone" with configuration changes by passing object
of the same type to it's constructor, e.g.
dn1 = DN(('cn', 'foo'))
dn2 = DN(dn1)
dn2 = DN(dn1, first_key_match=False)
Remove pairwise grouping for RDN's. Had previously removed it
for DN's, left it in for RDN's because it seemed to make sense
because of the way RDN's work but consistency is a higher goal.
Add keyword constructor parameters to pass configuration options.
Make first_key_match a configuration keyword.
Updated documentation.
Updated unit test.
FWIW, I noticed the unittest is now running 2x faster, not sure why,
removal of deepcopy? Anyway, hard to argue with performance doubling.
When using the add_indirect helper we create a new map and then add a key
for it all in one step. If adding the key fails for any reason be sure to
remove the map we added.
https://fedorahosted.org/freeipa/ticket/1520
The pairwise grouping used to form RDN's and AVA's proved to be
confusing in practice, this patch removes that functionality thus
requiring programmers to explicitly pair attr,value using a tuple or
list.
In addition it was discovered additional functionality was needed to
support some DN operations in freeipa. DN objects now support
startswith(), endswith() and the "in" membership test. These functions
and operators will accept either a DN or RDN.
The unittest was modified to remove the pairwise tests and add new
explicit tests. The unittest was augmented to test the new
functionality. In addition the unittest was cleaned up a bit to use
common utilty functions for improved readabilty and robustness.
The documentation was updated.
fix test_role_plugin use of DN to avoid pairwise grouping
Allow a long to get as far as the min/max constraints where we can
compare it to min/max int values and reject with a proper error message.
https://fedorahosted.org/freeipa/ticket/1494
Add a new command that lets you wait for an attribute to appear in
a value. Using this you can do things like wait for a managed entry
to be created, adding a new objectclass to the parent entry.
This is controlled by a new booleon option, wait_for_attr, defaulting
to False.
https://fedorahosted.org/freeipa/ticket/1144
Implement a test for new dnszone-find option --forward-only.
Fix example for reverse zone (zone was not fully qualified and
DNS plugin would forbid adding PTR records).
https://fedorahosted.org/freeipa/ticket/1473
New rules will all be allow type. Existing rules cannot be changed to
deny.
The type attribute now defaults to allow with autofill so it won't be
prompted in interactive mode in the cli.
https://fedorahosted.org/freeipa/ticket/1432
https://fedorahosted.org/freeipa/ticket/1259
Python code will see nsaccountlock as bool. JavaScript code will also see it as bool.
This allows native boolean operations with the lock field. Passes both CLI and WebUI tests.
The DNS record plugin does not support modification of a record. One
can only add A type addresses to a DNS record or remove the current
ones. To actually change a DNS record value it has to be removed and
then added with a desired value.
This patch adds a new DNS plugin command "dnsrecord-mod" which enables
user to:
- modify a DNS record value (note than DNS record can hold multiple values
and those will be overwritten)
- remove a DNS record when an empty value is passed
New tests for this new command have been added to the CLI test suite.
https://fedorahosted.org/freeipa/ticket/1137
The ipaldap.py code was updated to consider the schema when making
changes and does a REPLACE on single-value attributes. So when you
do an add in an update it will effectively replace the value instead
of ignoring it.
It will only ever return one entry so if more than one are found
then we raise an exception. This is most easily seen in the host
plugin where we search on the server shortname which can be the
same across sub-domains (e.g. foo.example.com &
foo.lab.example.com).
https://fedorahosted.org/freeipa/ticket/1388
The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.
Important changes:
- configure ipa_hostname in sssd on masters
- set PKI_HOSTNAME so the hostname is passed to dogtag installer
- set the hostname when doing ldapi binds
This also reorders some things in the dogtag installer to eliminate an
unnecessary restart. We were restarting the service twice in a row with
very little time in between and this could result in a slew of reported
errors, though the server installed ok.
ticket 1052
Introduce a comma into a privilege name to assure we can handle
commas.
Commas must be escaped for some parameters, add escape_comma() utility
and invoke it for the necessary parameters.
Utilize a DN object to properly construct a DN and most importantly to
allow equality testing beween the DN we expect and the one
returned. This is necessary because a DN can be encoded according to
different encoding syntaxes all of which are valid. DN objects always
decode from their input. DN objects can test for equality between DN's
without being affected by DN encoding.
Add a equality callback for the dn in the expected dict. When the test
framework tests for equality between the expected value and the
returned value it will call back into a function we provide which will
convert the returned dn into a DN object. An equality test is then
performed between two DN objects. This is the only way to properly
compare two dn's.
The goal is to not import foreign certificates.
This caused a bunch of tests to fail because we had a hardcoded server
certificate. Instead a developer will need to run make-testcert to
create a server certificate generated by the local CA to test against.
ticket 1134
Enhance Host plugin to provide not only "Managed By" list but also
a list of managed hosts. The new list is generated only when --all
option is passed.
https://fedorahosted.org/freeipa/ticket/993
Indirect membership is calculated by looking at each member and pulling
all the memberof out of it. What was missing was doing nested searches
on any members in that member group.
So if group2 was a member of group1 and group3 was a member of group2
we would miss group3 as being an indirect member of group1.
I updated the nesting test to do deeper nested testing. I confirmed
that this test failed with the old code and works with the new.
This also prevents duplicate indirect users and looping on circular
membership.
ticket https://fedorahosted.org/freeipa/ticket/1273
Kerberos ticket policy can update policy in a user entry. This allowed
set/addattr to be used to modify attributes outside of the ticket policy
perview, also bypassing all validation/normalization. Likewise the
ticket policy was updatable by the user plugin bypassing all validation.
Add two new LDAPObject values to control this behavior:
limit_object_classes: only attributes in these are allowed
disallow_object_classes: attributes in these are disallowed
By default both of these lists are empty so are skipped.
ticket 744
Automatic creation may of User Private Groups (UPG) may not be
wanted at all times. This patch adds a new flag --noprivate to
ipa user-add command to disable it.
https://fedorahosted.org/freeipa/ticket/1131
This change means the UI can stop using the --all option and have to
retrieve significantly less information from the server. It also
speeds up user-find as it doesn't have to calculate membership.
This adds a new baseclass parameter, search_display_attributes, which
can provide a separate list from default_attributes just for find
commands.
The UI will need to be changed to switch from using cn to using
givenname and sn.
ticket 1136
postalCode is defined as an Int. This means you can't define one that has
a leading zero nor can you have dashes, letters, etc.
This changes the data type on the server. It will still accept an int
value if provided and convert it into a string.
Bump the API version to 2.1.
ticket 1150
We weren't searching the cn=sudo container so all members of a
sudocmdgroup looked indirect.
Add a label for sudo command groups.
Update the tests to include verifying that membership is done
properly.
ticket 1003
This creates a new custom attribute, memberofindirect_[plugin].
Using this you can tell the difference between being an actual memberof
another entry and being a memberof as the result if inheritence. This is
particularly useful when trying to remove members of an entry, you can
only remove direct members.
I had to add a couple of short sleep calls to make things work a little
better. The memberof plugin runs as a postop and we have no way of knowing
when it has done its work. If we don't pause we may show some stale
data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
ticket 966