Before this patch, ipa-kdb would load global configuration on startup and
never update it. This means that if global configuration is changed, the
KDC never receives the new configuration until it is restarted.
This patch enables caching of the global configuration with a timeout of
60 seconds.
https://fedorahosted.org/freeipa/ticket/4153
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This plugin created permissions that the managed permission
updater would remove right away.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Convert the existing default permissions.
The Read permission is split between Read DNS Entries and Read
DNS Configuration.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The "Read DNS Entries" permission, which was marked SYSTEM (no associated
ACI), can now be converted to a regular managed permission.
Add a mechanism for the updater to replace old SYSTEM permissions.
This cannot be done in an update file because we do not want to replace
V2 permissions with the same name.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
After setting sudoorder, you are unable to unset it, since the
check for uniqueness of order of sudorules is applied incorrectly.
Fix the behaviour and cover it in the test suite.
https://fedorahosted.org/freeipa/ticket/4360
Reviewed-By: Martin Kosek <mkosek@redhat.com>
It enables declarative extraction of values from partial
results of a batch commands and also further extensibility
in custom adapters.
The default adapter has detection logic for this extraction so
it can use bare record or extract data from normal or batch RPC
command.
Minor change of user plugin fixed:
https://fedorahosted.org/freeipa/ticket/4355
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
When api.env is loaded, strings that "look like" floats got
auto-converted to floats.
This is wrong, as the conversion to float can lose precision.
Case in point: the api_version (e.g. '2.88') should never be
interpreted as float.
Do not automatically convert to float.
We have two numeric options: startup_timeout and wait_for_dns.
wait_for_dns is already converted to int when used in the code.
Convert startup_timeout to float explicitly when used, so
configuration that specified it with a decimal point continues
to work.
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The current code would convert values to DN if the key was
a substring of 'basedn', e.g. 'base' or 'sed'.
Only convert if we're actually dealing with 'basedn'.
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This also constitutes a rethinking of the token ACIs after the introduction
of SELFDN support.
Admins, as before, have full access to all token permissions.
Normal users have read/search/compare access to all of the non-secret data
for tokens assigned to them, whether managed by them or not. Users can add
tokens if, and only if, they will also manage this token.
Managers can also read/search/compare tokens they manage. Additionally,
they can write non-secret data to their managed tokens and delete them.
When a normal user self-creates a token (the default behavior), then
managedBy is automatically set. When an admin creates a token for another
user (or no owner is assigned at all), then managed by is not set. In this
second case, the token is effectively read-only for the assigned owner.
This behavior enables two important other behaviors. First, an admin can
create a hardware token and assign it to the user as a read-only token.
Second, when the user is deleted, only his self-managed tokens are deleted.
All other (read-only) tokens are instead orphaned. This permits the same
token object to be reasigned to another user without loss of any counter
data.
https://fedorahosted.org/freeipa/ticket/4228https://fedorahosted.org/freeipa/ticket/4259
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This results in the proper message being shown if the client sends
an option the server doesn't have yet.
It also adds the check to commands that override run() but not __call__,
such as `ipa ping`, and to commands run on the server. Adjust tests
for these changes.
https://fedorahosted.org/freeipa/ticket/3963
Reviewed-By: Martin Kosek <mkosek@redhat.com>
`memberdenycmd_sudocmd` and `memberdenycmd_sudocmdgroup` tables are now
enabled/disabled based on `cmdcategory` as well.
https://fedorahosted.org/freeipa/ticket/4361
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Interface for setting default group is hidden when user doesn't have
necessary rights or if there is some error while loading the state.
https://fedorahosted.org/freeipa/ticket/4356
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
using browser history when unauthenticated causes transition to
the original and/or preceding facets. But nothing works since
all commands fail due to expired credentials in session.
These changes make sure that user stays on login screen if he misses
valid session credentials while he wants to switch to facet which
requires authentication.
https://fedorahosted.org/freeipa/ticket/4353
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Dialog instances no longer directly call IPA.opened_dialog methods. It's
handled through events (decoupled from dialog's POV). IPA.open_dialogs
with assistance of ApplicationController makes sure that there is only
one dialog opened at the same time.
It also makes sure to hide all dialogs, which are not global dialogs and
did not originate from current facet, when switching facets.
https://fedorahosted.org/freeipa/ticket/4348
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Memberofindirect processing of an entry doesn't work if the user doesn't
have rights to any one of these attributes:
- member
- memberuser
- memberhost
Add all of these to any read permission that specifies any of them.
Add a check to makeaci that will enforce this for any future permissions.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This reduces typing (or copy/pasting), and draws a bit of attention
to any non-default privileges (currently 'any' or 'anonymous').
Leaving the bindtype out by mistake isn't dangerous: by default
a permission is not granted to anyone, since it is not included in
any priviliges.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The ACI.txt file is a list all managed permissions in ACI form.
Similarly to API.txt, it ensures that changes are not made lightly,
since modifications must be reflected in ACI.txt and committed to Git.
Add a script, makeaci, which parallels makeapi: it recreates or
validates ACI.txt.
Call makeaci --validate before the build, just after API.txt is validated.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
