Petr Viktorin
8a5110305f
Convert Host default permissions to managed
...
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 12:44:32 +02:00
Petr Viktorin
ac8539bd34
Add posixgroup to groups' permission object filter
...
Private groups don't have the 'ipausergroup' objectclass.
Add posixgroup to the objectclass filters to make
"--type group" permissions apply to all groups.
https://fedorahosted.org/freeipa/ticket/4372
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 10:54:43 +02:00
Petr Viktorin
02b5074d84
permission plugin: Join --type objectclass filters with OR
...
For groups, we will need to filter on either posixgroup (which UPGs
have but non-posix groups don't) or groupofnames/nestedgroup
(which normal groups have but UPGs don't).
Join permission_filter_objectclasses with `|` and add them as
a single ipapermtargetfilter value.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 10:54:43 +02:00
Petr Viktorin
013bf3d4e2
Test and docstring fixes
...
The recent conversions to managed permissions left behind a few
failing tests. Fix them.
Also fix a now incorrect docstring in ipalib.config.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 10:54:42 +02:00
Petr Viktorin
f486d23ad6
Allow anonymous read access to virtual operation entries
...
These entries are the same in all IPA installations, so there's
no need to hide them.
Also remove the ipaVirtualOperation objectclass, since it is
no longer needed.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-20 22:18:43 +02:00
Nathaniel McCallum
cf8f143e98
Make otptoken use os.urandom() for random data
...
This also fixes an error where the default value was not respecting
the KEY_LENGTH variable.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2014-06-20 21:27:50 +02:00
Martin Basti
0eef37908c
DNSSEC: WebUI add DLV record type
...
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 16:46:03 +02:00
Martin Basti
2229e89bbb
Digest part in DLV/DS records allows only hexadecimal characters
...
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 16:46:03 +02:00
Martin Basti
ee6e634c28
DNSSEC: Test: DLV record
...
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 16:46:03 +02:00
Martin Basti
7cdc4178b0
DNSSEC: DLVRecord type added
...
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 16:46:02 +02:00
Martin Basti
4c88fdd904
Tests: tests for NSEC3PARAM records
...
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:40 +02:00
Martin Basti
cbc64454b0
Tests: remove unused records from tests
...
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:40 +02:00
Martin Basti
4d90d3d572
DNSSEC: webui update DNSSEC attributes
...
Removed SIG, KEY, RRSIG, NSEC record types
Added NSEC3PARAM record type
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:40 +02:00
Martin Basti
5b95be802c
DNSSEC: added NSEC3PARAM record type
...
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:40 +02:00
Martin Basti
48865aed5f
DNSSEC: remove unsupported records
...
Removed SIG, NSEC, KEY, RRSIG records
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:39 +02:00
Martin Basti
9f5e77f686
Fix handle python-dns UnicodeError
...
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-20 13:28:53 +02:00
Martin Basti
11c250a612
Tests DNS: forward zones
...
design: http://www.freeipa.org/page/V4/Forward_zones
Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 13:14:45 +02:00
Martin Basti
727f5f3373
Create BASE zone class
...
Zones and forward zones have a lot of common code;
this patch removes duplications by creating a DNSBase
class and its subclasses
design: http://www.freeipa.org/page/V4/Forward_zones
Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 13:14:45 +02:00
Martin Basti
266015c3e2
Prevent commands to modify different type of a zone
...
Commands dnsforwardzone-* can modify only forward zones
Commands dnszone-* can modify only (master) zones
Commands dnsrecord-* can work only with master zones
design: http://www.freeipa.org/page/V4/Forward_zones
Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 13:14:45 +02:00
Martin Basti
49068ade92
Separate master and forward DNS zones
...
Forward zones are stored in idnsforwadzone objectclasses.
design: http://www.freeipa.org/page/V4/Forward_zones
Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 13:14:45 +02:00
Petr Spacek
e821576129
Clarify LDAPClient docstrings about get_entry, get_entries and find_entries
...
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-06-20 12:38:58 +02:00
Petr Viktorin
18744d1833
Fix: Allow read access to masters, but not their services, to auth'd users
...
Fixes commit b243da415e
A bad version of the patch was sent and pushed.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-19 17:13:03 +02:00
Petr Viktorin
b243da415e
Allow read access to masters, but not their services, to auth'd users
...
The ipa host-del command checks if the host to be deleted is an
IPA master by looking up the entry in cn=masters.
If the entry is not accessible, host-del would proceed to delete
the host.
Thus we need to allow reading the master entries to at least
those that can delete hosts.
Since the host information is also available via DNS, it makes
no sense to be extremely secretive about it.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-19 16:46:29 +02:00
Nathaniel McCallum
8b2f4443dc
Periodically refresh global ipa-kdb configuration
...
Before this patch, ipa-kdb would load global configuration on startup and
never update it. This means that if global configuration is changed, the
KDC never receives the new configuration until it is restarted.
This patch enables caching of the global configuration with a timeout of
60 seconds.
https://fedorahosted.org/freeipa/ticket/4153
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-19 14:50:32 +02:00
Petr Viktorin
49e83256b4
Convert Password Policy default permissions to managed
...
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:43 +02:00
Petr Viktorin
ca465e8ae7
Convert COSTemplate default permissions to managed
...
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:42 +02:00
Petr Viktorin
83cb982858
Add $REALM to variables supported by the managed permission updater
...
This will allow converting password policy permissions
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:42 +02:00
Petr Viktorin
700ac6c116
Remove the update_dns_permissions plugin
...
This plugin created permissions that the managed permission
updater would remove right away.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:51 +02:00
Petr Viktorin
853b6ef4ce
Convert DNS default permissions to managed
...
Convert the existing default permissions.
The Read permission is split between Read DNS Entries and Read
DNS Configuration.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:50 +02:00
Petr Viktorin
16ee6847e4
managed permission updater: Add mechanism to replace SYSTEM permissions
...
The "Read DNS Entries" permission, which was marked SYSTEM (no associated
ACI), can now be converted to a regular managed permission.
Add a mechanism for the updater to replace old SYSTEM permissions.
This cannot be done in an update file because we do not want to replace
V2 permissions with the same name.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:50 +02:00
Tomas Babej
637ef11109
sudorule: Allow unsetting sudoorder
...
After setting sudoorder, you are unable to unset it, since the
check for uniqueness of order of sudorules is applied incorrectly.
Fix the behaviour and cover it in the test suite.
https://fedorahosted.org/freeipa/ticket/4360
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 12:59:25 +02:00
Petr Viktorin
d868fc5566
Fix self argument in tasks
...
Reviewed-By: Tomáš Babej <tbabej@redhat.com>
2014-06-16 19:48:21 +02:00
Tomas Babej
3b4ab8b4f2
ipaplatform: Move hardcoded paths from Fedora platform files to path namespace
...
Part of: https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:21 +02:00
Tomas Babej
8a5e2a8166
ipaplatform: Contain all the tasks in the TaskNamespace
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:21 +02:00
Tomas Babej
f0d0640a46
ipaplatform: Pylint fixes
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:21 +02:00
Tomas Babej
c8aa00806b
ipaplatform: Link to platform module during build time
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:21 +02:00
Tomas Babej
6906eed27e
ipaplatform: Let fedora path module use PathNamespace class
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
3bb9e1bbd5
ipaplatform: Change makefiles to accommodate for new platform package
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
a9a4bc0848
ipaplatform: Remove remnants of the ipapython/platform
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
4d2ef43f28
ipaplatform: Move all filesystem paths to ipaplatform.paths module
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
c7edd7b68c
ipaplatform: Remove redundant imports of ipaservices
...
Also fixes a few incorrect imports.
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
c011bccf45
ipaplatform: Change paths dependent on ipaservices to use ipaplatform.paths
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Tomas Babej
49fcd42f8f
ipaplatform: Change service code in freeipa to use ipaplatform services
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Tomas Babej
926f8647d2
ipaplatform: Change platform dependent code in freeipa to use ipaplatform tasks
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Tomas Babej
a7c2327a36
ipaplatform: Move Fedora-specific implementations of tasks to fedora base platform file
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:18 +02:00
Tomas Babej
3edfabb4c4
ipaplatform: Remove legacy redhat platform module
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:18 +02:00
Tomas Babej
5f31f2d35f
ipaplatform: Do not require custom Authconfig implementations from platform modules
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:18 +02:00
Tomas Babej
6a4cd8a4e3
ipaplatform: Move restore_context and check_selinux_status implementations to base fedora platform tasks
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:18 +02:00
Tomas Babej
c465eb842f
ipaplatform: Moved Fedora 16 service implementations and refactored them as base Fedora module service implementations
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:17 +02:00
Tomas Babej
c368aae048
ipaplatform: Add base fedora platform module
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:17 +02:00