Commit Graph

4994 Commits

Author SHA1 Message Date
Petr Viktorin
1565ce3a8c Validate externalhost (when added by --addattr/--setattr)
Change the externalhost attribute of hbacrule, netgroup
and sudorule into a full-fledged Parameter, and attach
a validator to it.
The validator is relaxed to allow underscores, so that
some hosts with nonstandard names can be added.

Tests included.

https://fedorahosted.org/freeipa/ticket/2649
2012-05-11 08:14:20 +02:00
Petr Viktorin
f19218f7d8 Remove duplicate and unused utility code
IPA has some unused code from abandoned features (Radius, ipa 1.x user
input, commant-line tab completion), as well as some duplicate utilities.
This patch cleans up the utility modules.

Duplicate code consolidated into ipapython.ipautil:
    {ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix
    {ipaserver,ipapython}.ipautil.CIDict
            (with style improvements from the ipaserver version)
    {ipapython.entity,ipaserver.ipautil}.utf8_encode_value
    {ipapython.entity,ipaserver.ipautil}.utf8_encode_values

ipalib.util.get_fqdn was removed in favor of the same function in
ipaserver.install.installutils

Removed unused code:
    ipalib.util:
        load_plugins_in_dir
        import_plugins_subpackage
        make_repr (was imported but unused; also removed from tests)

    ipapython.ipautil:
        format_list
        parse_key_value_pairs
        read_pairs_file
        read_items_file
        user_input_plain
        AttributeValueCompleter
        ItemCompleter

    ipaserver.ipautil:
        get_gsserror (a different version exists in ipapython.ipautil)

ipaserver.ipautil ended up empty and is removed entirely.

https://fedorahosted.org/freeipa/ticket/2650
2012-05-09 11:54:20 +02:00
Petr Viktorin
c02fcf5d34 Don't fail when adding default objectclasses using config-mod
The config plugin was adding together a list and a tuple, then
converting to a set.
Replace the operation with a set union.

Regression test included.

https://fedorahosted.org/freeipa/ticket/2706
2012-05-09 09:53:51 +02:00
Jan Cholasta
d9d1967989 Redo boolean value encoding.
Move the code for encoding boolean values to LDAP boolean syntax from the
Parameter class to the Encoder class, where the rest of LDAP encoding takes
place. Remove encoding code from the Parameter class altogether, as all LDAP
encoding should be done in the Encoder class.
2012-05-09 09:43:35 +02:00
Petr Viktorin
abef5e8c02 Do not crash on empty --setattr, --getattr, --addattr
Also the unused `append` argument from _convert_2_dict.

https://fedorahosted.org/freeipa/ticket/2680
2012-05-07 17:23:08 +02:00
Petr Viktorin
0206dbe795 Do not crash on empty reverse member options
Calling a LDAP{Add,Remove}ReverseMember with an empty reverse_member
caused an internal error, because empty values are converted to None,
which is then iterated.

Use an empty list instead of None (or other false falues, of which we
only use the empty list).

https://fedorahosted.org/freeipa/ticket/2681
2012-05-07 17:21:58 +02:00
Petr Viktorin
c45174d680 Do not use extra command options in the automount plugin
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.

This patch does that for the automount plugin and its tests.

Part of the work for https://fedorahosted.org/freeipa/ticket/2509
2012-05-07 14:08:50 +02:00
Ondrej Hamada
343aba2486 Allow one letter net/hostgroups names
Changed regex validating net/hostgroup names to allow single letter
names. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2671
2012-05-07 08:35:11 +02:00
Petr Viktorin
85185a89db Update hostname validator error messages in tests
A recent patch changed the error message from the hostname
validator. Update the tests to reflect this change.
2012-05-03 16:54:57 +02:00
Martin Kosek
b8f30bce77 Make ipa 2.2 client capable of joining an older server
IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. ipa command no longer forwards Kerberos TGT to the
server during authentication. However, when IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which would detect
this situation and tries connecting with TGT forwarding enabled
again. User is informed about this incompatibility.

Missing realm was also added to keytab kinit as it was reported to
fix occasional install issues.

https://fedorahosted.org/freeipa/ticket/2697
2012-05-01 20:38:43 -04:00
Jan Cholasta
6569f355b6 Set the "KerberosAuthentication" option in sshd_config to "no" instead of "yes".
Setting it to "yes" causes sshd to handle kinits itself, bypassing SSSD.

ticket 2689
2012-04-29 19:45:13 -04:00
Martin Kosek
caf36e1f24 Improve error message in zonemgr validator
This patch consolidates zonemgr function to move the most of the
checks to common functions in order to provide consistent output.
The error messages produced by the validator should now be more
helpful when identifying the source of error.

https://fedorahosted.org/freeipa/ticket/1966
2012-04-29 19:38:19 -04:00
Rob Crittenden
1a26406db2 Revert "Validate attributes in permission-add"
This reverts commit 1356988b7a.

We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
2012-04-29 17:39:55 -04:00
Rob Crittenden
4416c185de Revert "Search allowed attributes in superior objectclasses"
This reverts commit a58cbb985e.

We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
2012-04-29 17:39:42 -04:00
Petr Vobornik
e1f6962545 Paging disable for password policies
Password policies are sorted by priority. When paging is enabled, table facet uses pwpolicy-find --pkey-only to get all pwpolicies keys. Those keys are sorted on server by priority but table facet sorts them again. This breaks the priority sorting.

This patch disables the paging in passord policy serch page so the keys are sorted by priority.

TODO: we should inspect sorting in table facet more deeply and disable it if it don't break anything.

https://fedorahosted.org/freeipa/ticket/2676
2012-04-26 14:32:17 +02:00
Petr Viktorin
c34136b037 Additional tests for pwpolicy
Test that `pwpolicy_find --pkey-only` works as expected
Test that deleting a group removes its password policy

Rename the test module to be consistent with other plugin tests.
2012-04-26 14:32:11 +02:00
Martin Kosek
b137b71371 Sort password policies properly with --pkey-only
Password policy plugin sorts password policies by its COS priority.
However, when the pwpolicy-find command is run with --pkey-only,
the resulting entries do not contain COS priority and the sort
function crashes.

This patch makes sure that cospriority is present in the time
of the result sorting process and removes the cospriority again
when the sorting is done. This way, the entries are sorted properly
both with and without --pkey-only flag.

Previous entries_sortfn member attribute of LDAPSearch class
containing custom user sorting function was replaced just with
a flag indicating if a sorting in LDAPSearch shall be done at all.
This change makes it possible to sort entries in a custom
post_callback which is much more powerful (and essential for
sorting like in pwpolicy plugin) approach than a plain sorting
function.

https://fedorahosted.org/freeipa/ticket/2676
2012-04-26 14:31:53 +02:00
John Dennis
81c65ee0b2 validate i18n strings when running "make lint"
* Add bootstrap-autogen depdenency to lint target to force
  generated files to be created.

* Add validate-src-strings to lint rules

* Add validate-src-strings as dependency to lint targett

* Remove obsolete test_lang frm test target

* Add diagnostic message to validation command in i18n.py
  that outputs how many objects were scanned. Formerly it only
  output a message if there were errors. This made it impossible to
  distinguish an empty file from one with no errors.

* While adding the validation counts it was discovered plurals had
  been omitted for some of the validation checks. Added the missing
  checks for plural forms.

* Also distinguished between errors and warnings. Permit warnings to
  be emitted but do not fail the validatition unless actual errors
  were also detected.
2012-04-26 13:53:37 +02:00
Jan Cholasta
3ba9cc8eb4 Refactor exc_callback invocation.
Replace _call_exc_callbacks with a function wrapper, which will automatically
call exception callbacks when an exception is raised from the function. This
removes the need to specify the function and its arguments twice (once in the
function call itself and once in _call_exc_callbacks).

Add some extra checks to existing exception callbacks.
2012-04-26 09:00:30 +02:00
Nalin Dahyabhai
856b9627be - add a pair of ethers maps for computers with hardware addresses on file 2012-04-26 09:00:22 +02:00
Nalin Dahyabhai
74b42cc89c - create a "cn=computers" compat area populated with ieee802Device entries corresponding to computers with fqdn and macAddress attributes 2012-04-26 09:00:17 +02:00
Nalin Dahyabhai
1c26c06d61 - index the fqdn and macAddress attributes for the sake of the compat plugin 2012-04-26 09:00:11 +02:00
Rob Crittenden
d7f7bb11df Update docs for user-status, always show disabled, time for each server.
Provide some guidance on how to read and understand the output. Some
manual work is needed to identify which master the user is locked on.

Always display the enabled/disabled status.

Include the time that the master was contacted in the output for each
master as lockout is very time sensitive.

https://fedorahosted.org/freeipa/ticket/2162
2012-04-23 10:20:34 +02:00
Rob Crittenden
0423213148 Use mixed-case for Read DNS Entries permission
https://fedorahosted.org/freeipa/ticket/2569
2012-04-23 10:00:40 +02:00
Martin Kosek
4d66cc07dc Fix help of --hostname option in ipa-client-install
Replace word "server" with "machine" to clearly distinguish between
IPA server and other machines (clients) and to also match the help
with ipa-client-install man pages.

https://fedorahosted.org/freeipa/ticket/1967
2012-04-19 19:55:44 +02:00
John Dennis
885bb07bb1 Fix name error in hbactest
Ticket #2512

In hbactest.py there is a name error wrapped inside a try/except block
that ignores all errors so the code block exits prematurely leaving a
critical variable uninitialized.

The name error is the result of a cut-n-paste error that references a
variable that had never been initialized in the scope of the code
block. Python generates an exception when this variable is referenced
but because it's wrapped in a try/except block that catches all errors
and ignores all errors there is no evidence that something went wrong.

The fix is to use the correct variables.

At some point we may want to revist if ignoring all errors and
proceding as if nothing happened is actually correct. Alexander tells
me this mimics what SSSD does in the hbac rule processing, thus the
ignoring of errors is intentional. But in a plugin whose purpose is to
test and exercise hbac rules I'm not sure ignoring all errors is
really the right behavior.
2012-04-19 15:22:49 +02:00
Petr Vobornik
7f2ac4c715 Added permission field to delegation
Permission field is missing in delegation so it can't be set/modified.

It was added to delegation details facet and adder dialog.

The field is using checkboxes instead of multivalued textbox because it can have only two effective values: 'read' and 'write'.

https://fedorahosted.org/freeipa/ticket/2635
2012-04-17 17:53:25 -04:00
Jan Cholasta
c043a65728 Fix internal error when renaming user with an empty string.
ticket 2629
2012-04-18 09:03:53 +02:00
Martin Kosek
88927fb78b Do not fail migration because of duplicate groups
When 2 groups in a remote LDAP server share the same GID number,
the migration may fail entirely with incomprehensible message. This
should not be taken as unrecoverable error - GID number check is
just a sanity check, a warning is enough. This patch also makes
sure that GID check warnings include a user name to make
an investigation easier.

https://fedorahosted.org/freeipa/ticket/2644
2012-04-17 00:20:31 -04:00
Martin Kosek
a663e83cb2 Raise proper exception when LDAP limits are exceeded
ldap2 plugin returns NotFound error for find_entries/get_entry
queries when the server did not manage to return an entry
due to time limits. This may be confusing for user when the
entry he searches actually exists.

This patch fixes the behavior in ldap2 plugin to
1) Return even a zero search results + truncated bool set in
   ldap2.find_entries
2) Raise LimitsExceeded in ldap2.get_entry and
   ldap2.find_entry_by_attr instead of NotFound error

This changed several assumptions about ldap2.find_entries
results. Several calls accross IPA code base had to be
amended.

https://fedorahosted.org/freeipa/ticket/2606
2012-04-16 23:23:57 -04:00
Simo Sorce
adf16a9b1c Fix theoretical leak discovered by coverity
This was introduced when we started checking the return from
ipadb_get_context() to silence another coverity report.
That condition can never be true in this function but whatever ... let's
silence Coverity once again :)
2012-04-17 15:40:58 -04:00
John Dennis
72efa64c81 don't append basedn to container if it is included
ticket #2566

When specifying a container to ds-migrate we should not automatically
append the basedn if it is provided by the end-user.

This is easy to detect using DN objects because DN objects have a
endswith() method which can easily and correctly ascertain if a base
already exists.
2012-04-16 22:26:49 -04:00
Petr Vobornik
c64bcafa13 User is notified that password needs to be reset in forms-based login
Forms-based login procedure detects if 401 unauthorized response contains
'X-IPA-Rejection-Reason' http header with 'password-expired' value. If so
it displays an error message that user needs to reset his password.

https://fedorahosted.org/freeipa/ticket/2608
2012-04-16 21:53:56 -04:00
Rob Crittenden
7b515bddbc Return consistent expiration message for forms-based login
We need to inform users when a forms-based login fails due to the
password needing to be reset. Currently there is no way to distinguish
a reset case vs an incorrect password.

This will bind the user using a simple LDAP bind over ldapi (by default)
and if that is successful, check the expiration date against the current
time.

The UI portion of this that uses this message will come later.

https://fedorahosted.org/freeipa/ticket/2608
2012-04-16 21:53:01 -04:00
Ondrej Hamada
6f7224f252 Fix empty external member processing
Validation of external member was failing for empty strings because of
wrong condition.

https://fedorahosted.org/freeipa/ticket/2447
2012-04-17 16:22:37 +02:00
Martin Kosek
c79ea41a80 Fix DNS and permissions unit tests
Amend unit tests to match the latest changes in DNS (tickets 2627,
2628) and hardened exception error message checks.
2012-04-17 14:05:07 +02:00
Rob Crittenden
9c39f95f21 Remove the running state when uninstalling DS instances.
We don't need to do anything with the state but if it exists in
the sysrestore index at the end of uninstallation the uninstaller will
complain about it.

https://fedorahosted.org/freeipa/ticket/2637
2012-04-17 11:25:41 +02:00
Martin Kosek
568de5027b Fix dnsrecord_add interactive mode
dnsrecord_add interactive mode did not work correctly when more
than one DNS record part was entered as command line option. It
asked for remaining options more than once. This patch fixes
this situation and also adds tests to cover this use case
properly.

https://fedorahosted.org/freeipa/ticket/2641
2012-04-15 18:37:18 -04:00
Martin Kosek
0acdae0b4d Return correct record name in DNS plugin
When dnsrecord-add or dnsrecord-mod commands are used on a root
zone record (it has a special name "@"), a zone name is returned
instead of a special name "@". This confuses DNS part of Web UI
which is then not able to manipulate records in the root zone
when these commands are used.

This patch fixes these 2 commands to return correct value when
a root zone is modified.

https://fedorahosted.org/freeipa/ticket/2627
https://fedorahosted.org/freeipa/ticket/2628
2012-04-16 16:11:33 +02:00
John Dennis
d317c2a0d1 Validate DN & RDN parameters for migrate command
Ticket #2555

We were generating a traceback (server error) if a malformed RDN was
passed as a parameter to the migrate command.

* add parameter validation functions validate_dn_param() and
  validate_rdn_param() to ipalib.util. Those functions simply invoke
  the DN or RDN constructor from our dn module passing it the string
  representation. If the constructor does not throw an error it's
  valid.

* Add the parameter validation function pointers to the Param objects
  in the migrate command.

* Make the usercontainer and groupcontainer parameters required.
  passing --usercontainer= on the command line will produce

  ipa: ERROR: 'user_container' is required

* Fix _get_search_bases() so if a container dn is empty it it just
  uses the base dn alone instead of faulting (currently
  bullet-proofing because now the containers are required).

* Update the doc for usercontainer and groupcontainer to reflect the
  fact they are DN's not RDN's. A RDN can only be one level and it
  should be possible to have a container more than one RDN removed
  from the base.
2012-04-16 08:35:03 +02:00
Petr Viktorin
98e662b96f Document the 'nonempty' flag
Missing documentation for commit 7cfc16c/c6e4372
2012-04-13 15:45:41 +02:00
Ondrej Hamada
2584e9be67 Unable to rename permission object
The update was failing because of the case insensitivity of permission
object DN. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2571
2012-04-11 22:29:04 -04:00
Petr Viktorin
fca43ccd47 Pass make-test arguments through to Nose
Currently, our test script forwards a select few command line arguments
to nosetests.
This patch removes the filtering, passing all arguments through.
This allows things like disabling output redirection (--nocapture),
dropping into a debugger (--pdb, --pdb-failures), coverage reporting
(--with-cover, if installed), etc.

https://fedorahosted.org/freeipa/ticket/2135
2012-04-11 22:20:07 -04:00
Petr Viktorin
e1813976a5 Remove pattern_errmsg from API.txt
https://fedorahosted.org/freeipa/ticket/2619
2012-04-12 15:05:54 +02:00
Petr Viktorin
6d0e4e58fc Fix expected error messages in tests
Have the test suite check error messages.
Since XMLRPC doesn't give us structured error information, just
compare the resulting text.
Fix messages that tests expect to cause.

Minor changes:

Make netgroup-mod's NotFound message consistent with other objects
and methods.

In test_automember_plugin, test with nonexistent automember rules
of both types, instead of nonexistent users.

https://fedorahosted.org/freeipa/ticket/2549
2012-04-10 21:05:45 -04:00
John Dennis
689bea6575 text unit test should validate using installed mo file
We use custom gettext classes (e.g. GettextFactory &
NGettextFactory). We should exercise those classes with an installed
binary mo file to demonstrate we are actually returning the expected
translated strings for all strings defined as being translatable.

The test logic in install/po/test_i18n.py was recently enhanced to
make this type of testing easier and more complete.
tests/test_ipalib/test_text.py should import the new i18n test support
and run it.

Previously tests/test_ipalib/test_text.py made a feeble but incomplete
attempt to do the above but even that was often not run because the
test would skip because the necessary test files were not available
unless they had been manually created in the install/po subdir. It is
now possible to correct those deficiencies in the test.

This patch does the following:

* Moves the location of i18n test code and adjust references to it.
  install/po/test_i18n.py was moved to tests/i18n.py. This permits
  tests/test_ipalib/test_text.py to import the i18n test utilities
  in a clean fashion. The Makefile in install/po now calls this
  same file.

* Modfies test function in test_i18n.py to accept function pointers
  for retreiving a translation.

* Imports test_i18n.py from the install/po directory in the tree

* Creates a tmp directory for the test localedir

* Parses the current ipa.pot file in install/po and generates
  a test po and mo file with special unicode markers. It installs
  the test mo file in the tmp localedir. This is accomplished by
  calling create_po() from the test_i18n.py file.

* If any of the above does not work it raises nose.SkipTest with
  the reason, and skips the test.

* It sets up functions to get a translation and a plural translation
  via our text.GettextFactory class and text.NGettextFactory class
  respectively. This are the functions we use intenally to get
  translations. It set the localdir and lang which are used by those
  classes to match our test configuration. It then runs a validation
  test on every translation and it's plural found in the test.po file
  by calling po_file_iterate and passed it the function pointers to
  our internal routines.

* At the conclusion of the test it cleans up after itself.

Note: extraneous files are not created in the tree, only a tmp
directory is utilized.

Validating msgid's in C code was insufficient.

* Make the discovery of format conversions much more robust by authoring
  a new function parse_printf_fmt() that is able to discover each
  format conversion in a string and break it into it's individual
  subparts. One of those subparts is the argument selector index. In c
  code we need to know if the argumenet selector index is present to
  know if translator can reorder the substitution strings.

  This replaces the simplistic python_anonymous_substitutions_regexp
  which was insufficient to deal with other programming languages
  (e.g. c).

* Add get_prog_langs() function to return the set of programming
  languages a msgid appears in. This is necessar because the msdid
  validation is programming language specific.

https://fedorahosted.org/freeipa/ticket/2582
2012-04-10 18:11:48 -04:00
John Dennis
b8f1292e86 Use indexed format specifiers in i18n strings
Translators need to reorder messages to suit the needs of the target
language. The conventional positional format specifiers (e.g. %s %d)
do not permit reordering because their order is tied to the ordering
of the arguments to the printf function. The fix is to use indexed
format specifiers.

https://fedorahosted.org/freeipa/ticket/2596
2012-04-10 18:07:10 -04:00
Rob Crittenden
717bbcd2bf Configure certmonger to execute restart scripts on renewal.
certmonger now has the ability to execute a script when it renews a
certificate. This can be used to automatically restart servers so
the certificate doesn't expire in the running server.

https://fedorahosted.org/freeipa/ticket/2050
2012-04-10 01:08:41 -04:00
Petr Vobornik
e9b79cc1e1 Removal of memberofindirect_permissons from privileges
Problem:
In the Privilege page, can list Permissions. This "Shows Results" for "Direct
Membership". But there is an option to list this for "Indirect Membership"
also.
There isn't a way to nest permissions, so this option is not needed.

Solution:
This patch removes the memberofindirect_persmission definition from server plugin. It fixes the problem in Web UI.

https://fedorahosted.org/freeipa/ticket/2611
2012-04-09 22:12:39 -04:00
Petr Viktorin
1431c80b3c Convert --setattr values for attributes marked no_update
Attribute Patrams marked no_update never get cloned to Update commands,
and thus never receive the `attribute` flag. This makes their `encode`
method a no-op, which meant they don't get properly encoded when used
with --setattr, making the --setattr fail.

Introduce a `force` argument to encode, which overrides checking
for the attribute flag. Use this in set/add/delattr normalization,
where we know we are dealing with attributes.

https://fedorahosted.org/freeipa/ticket/2616
2012-04-09 21:54:07 -04:00