Commit Graph

565 Commits

Author SHA1 Message Date
Tomas Babej
682edbf215 Restrict admins group modifications
Group-mod command no longer allows --rename and/or --external
changes made to the admins group. In such cases, ProtectedEntryError
is being raised.

https://fedorahosted.org/freeipa/ticket/3098
2012-10-03 13:22:46 +02:00
Tomas Babej
0edeb9b01d Improve user addition to default group in user-add
On adding new user, user-add tries to make it a member of default
user group. This, however, can raise AlreadyGroupMember when the
user is already member of this group due to automember rule or
default group configured. This patch makes sure AlreadyGroupMember
exception is caught in such cases.

https://fedorahosted.org/freeipa/ticket/3097
2012-10-03 09:39:15 +02:00
Martin Kosek
43f4ca710b Only use service PAC type as an override
PAC type (ipakrbauthzdata attribute) was being filled for all new
service automatically. However, the PAC type attribute was designed
to serve only as an override to default PAC type configured in
IPA config. With PAC type set in all services, users would have
to update all services to get new PAC types configured in IPA config.

Do not set PAC type for new services. Add new NONE value meaning that
we do not want any PAC for the service (empty/missing attribute means
that the default PAC type list from IPA config is read).

https://fedorahosted.org/freeipa/ticket/2184
2012-10-03 08:53:41 +02:00
Martin Kosek
988ea36827 Improve StrEnum validation error message
Do not print list of possible values as "%r" but simply as a list
of quoted values which should make it easier to read for users.
Also add a special case when there is just one allowed value.

https://fedorahosted.org/freeipa/ticket/2869
2012-10-01 13:39:22 +02:00
Martin Kosek
256024db0a Validate SELinux users in config-mod
config-mod is capable of changing default SELinux user map order
and a default SELinux user. Validate the new config values to
prevent bogus default SELinux users to be assigned to IPA users.

https://fedorahosted.org/freeipa/ticket/2993
2012-09-27 10:43:39 +02:00
Petr Viktorin
0b254e8b1e Always handle NotFound error in dnsrecord-mod
When there were no updated attrs when modifying a nonexistent DNS record,
the error was not handled and caused an internal server error later (old_entry
was used uninitialized).

https://fedorahosted.org/freeipa/ticket/3055
2012-09-24 13:55:17 +02:00
Martin Kosek
ef7b8ab764 Use default reverse zone consistently
When a new reverse zone is to be generated based on an IP address without
a network prefix length, we need to use some default value. While netaddr
library default ones (32b for IPv4 and 128b for IPv6) are not very sensible
we should use the defaults already applied in installers. That is 24b for
IPv6 and 64 for IPv6.

Test case has been added to cover the new default.

https://fedorahosted.org/freeipa/ticket/2461
2012-09-19 17:32:02 +02:00
Yuri Chornoivan
8bbb42b410 Fix various typos.
https://fedorahosted.org/freeipa/ticket/3089
2012-09-18 08:45:28 +02:00
Martin Kosek
c0630950a1 Expand Referential Integrity checks
Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
are used to store DNs of linked objects in IPA (users, hosts, sudo
commands, etc.). However, when the linked objects is deleted or
renamed, the attribute pointing to it stays with the objects and
thus may create a dangling link causing issues in client software
reading the data.

Directory Server has a plugin to enforce referential integrity (RI)
by checking DEL and MODRDN operations and updating affected links.
It was already used for manager and secretary attributes and
should be expanded for the missing attributes to avoid dangling
links.

As a prerequisite, all attributes checked for RI must have pres
and eq indexes to avoid performance issues. Thus, the following
indexes are added:
  * manager (pres index only)
  * secretary (pres index only)
  * memberHost
  * memberUser
  * sourcehost
  * memberservice
  * managedby
  * memberallowcmd
  * memberdenycmd
  * ipasudorunas
  * ipasudorunasgroup

Referential Integrity plugin is updated to enforce RI for all these
attributes. Unit tests covering RI checks for all these attributes
were added as well.

Note: this update will only fix RI on one master as RI plugin does
not check replicated operations.

https://fedorahosted.org/freeipa/ticket/2866
2012-09-16 17:59:27 -04:00
Martin Kosek
cd7a85c12c Fix addattr internal error
When ADD command is being executed and a single-value object attribute
is being set with both option and addattr IPA ends up in an internal
error.

Make better value sanitizing job in this case and let IPA throw
a user-friendly error. Unit test exercising this situation is added.

https://fedorahosted.org/freeipa/ticket/2429
2012-09-16 17:52:56 -04:00
Tomas Babej
46f09fb8cc Make sure selinuxusemap behaves consistently to HBAC rule
Both selinuxusermap-add and selinuxusermap-mod commands now behave
consistently in not allowing user/host category or user/host members
and HBAC rule being set at the same time. Also adds a bunch of unit
tests that check this behaviour.

https://fedorahosted.org/freeipa/ticket/2983
2012-09-12 16:13:17 +02:00
Jan Cholasta
46ad724301 Use OpenSSH-style public keys as the preferred format of SSH public keys.
Public keys in the old format (raw RFC 4253 blob) are automatically
converted to OpenSSH-style public keys. OpenSSH-style public keys are now
stored in LDAP.

Changed sshpubkeyfp to be an output parameter, as that is what it actually
is.

Allow parameter normalizers to be used on values of any type, not just
unicode, so that public key blobs (which are str) can be normalized to
OpenSSH-style public keys.

ticket 2932, 2935
2012-09-06 19:11:57 -04:00
Sumit Bose
377e1267b7 Rename range CLI to idrange 2012-09-07 16:50:35 +02:00
Martin Kosek
7c054377e3 Update DNS zone allow-query validation test
localhost and localnets ACIs are now allowed. Update the respective
unit test.
2012-09-07 13:50:54 +02:00
Rob Crittenden
e4e5bd0595 Set the e-mail attribute using the default domain name by default
https://fedorahosted.org/freeipa/ticket/2810
2012-09-07 13:36:37 +02:00
Martin Kosek
ac6cc479ed Add range safety check for range_mod and range_del
range_mod and range_del command could easily create objects with
ID which is suddenly out of specified range. This could cause issues
in trust scenarios where range objects are used for computation of
remote IDs.

Add validator for both commands to check if there is any object with
ID in the range which would become out-of-range as a pre_callback.
Also add unit tests testing this new validator.

https://fedorahosted.org/freeipa/ticket/2919
2012-09-06 20:32:07 +02:00
Martin Kosek
6abe476459 Fix DNS SOA serial parameters boundaries
Set correct boundaries for DNS SOA serial parameters (see RFC 1035,
2181).

https://fedorahosted.org/freeipa/ticket/2568
2012-09-06 14:57:48 +02:00
Tomas Babej
208e6930de Sort policies numerically in pwpolicy-find
Password policies in pwpolicy-find are now sorted in the expected
numerical manner. Also tweaks one of the unit tests so that it
tests this behaviour.

https://fedorahosted.org/freeipa/ticket/3039
2012-09-03 21:47:21 -04:00
Petr Viktorin
a95eaeac8e Internationalization for public errors
Currently, we throw many public exceptions without proper i18n.
Wrap natural-language error messages in _() so they can be translated.

In the service plugin, raise NotFound errors using handle_not_found helper
so the error message contains the offending service.

Use ScriptError instead of NotFoundError in bindinstance install.

https://fedorahosted.org/freeipa/ticket/1953
2012-09-03 18:16:12 +02:00
John Dennis
4f03aed5e6 prevent last admin from being disabled
We prevent the last member of the admin group from being deleted. The
same check needs to be performed when disabling a user.

* Moved the code in del_user to the common subroutine
  check_protected_member() and call it from both user_del and
  user_disable. Note, unlike user_del user_disable does not have a
  'pre' callback therefore the check function is called in
  user_disable's execute routine.

* Make check_protected_member() aware of disabled members. It's not
  sufficient to check which members of the protected group are
  present, one must only consider those members which are enabled.

* Add tests to test_user_plugin.py.

  - verify you cannot delete nor disable the last member of the admin
    group

  - verify when the admin group contains disabled users in addition to
    enabled users only the enabled users are considered when
    determining if the last admin is about to be disabled or deleted.

* Replace duplicated hardcoded values in the tests with variables or
  subroutines, this makes the individual tests a bit more succinct and
  easier to copy/modify.

* Update error msg to reflect either deleting or disabling is an error.

https://fedorahosted.org/freeipa/ticket/2979
2012-09-03 18:11:49 +02:00
John Dennis
557b260550 ipa user-find --manager does not find matches
The manager LDAP attribute is a dn pointing inside the user
container. When passed on the command it is typically a bare user
uid. The search filter will only succeed if the bare uid is converted
to a full dn because that is what is stored in the value for the
manager attribute.

The search failure is solved by calling _normalize_manager() which
does the conversion to a dn (if not already a dn).

It feels like this type of conversion should be performed in the pre
callback which allows one to modify the filter. But when the pre
callback is invoked it's complex string with the manager attribute
already inserted. This is because the LDAPSearch.execute() method
processes the options dict and constructs a filter component for each
key/value in the options dict prior to invoking the pre callback. If
we wanted to modify the manager value in the filter in the pre
callback we would have to decompose the filter string, perform dn
checking and then reassemble the filter. It's much cleaner to perform
the dn operations on the manager value before it gets embedded into
what otherwise might be a very complex filter. This is the reason why
the normalization is perfored in the execute method as opposed to the
pre callback. Other classes do similar things in their execute methods
as opposed to their callbacks's, selinuxusermap_find is one example.

Patch also introduces new unit test to verify.

https://fedorahosted.org/freeipa/ticket/2264
2012-09-03 18:10:17 +02:00
Tomas Babej
7e9eb9caad Fixes different behaviour of permission-mod and show.
Both commands now produce the same output regarding
the attributelevelrights.

https://fedorahosted.org/freeipa/ticket/2875
2012-08-29 16:02:43 -04:00
Rob Crittenden
785e80c4fc Restrict the SELinux user map user MLS value to 0-1023
https://fedorahosted.org/freeipa/ticket/3001
2012-08-29 09:29:08 +02:00
John Dennis
1328f984d0 Ticket #3008: DN objects hash differently depending on case
Because the attrs & values in DN's, RDN's and AVA's are comparison case-
insensitive the hash value between two objects which compare as equal but
differ in case must also yield the same hash value. This is critical when
these objects are used as a dict key or in a set because dicts and sets
use the object's __hash__ value in conjunction with the objects __eq__
method to lookup the object.

The defect is the DN, RDN & AVA objects computed their hash from the case-
preserving string representation thus two otherwise equal objects
incorrectly yielded different hash values.

The problem manifests itself when one of these objects is used as a key in
a dict, for example a dn.

dn1 = DN(('cn', 'Bob'))
dn2 = DN(('cn', 'bob'))

dn1 == dn2 --> True

hash(dn1) == hash(dn2) --> False

d = {}

d[dn1] = x
d[dn2] = y

len(d) --> 2

The patch fixes the above by lower casing the string representation of
the object prior to computing it's hash.

The patch also corrects a spelling mistake and a bogus return value in
ldapupdate.py which happened to be discovered while researching this
bug.
2012-08-22 17:23:12 +03:00
Rob Crittenden
b5d0a9fcb2 Validate default user in ordered list when using setattr, require MLS
The MLS was optional in the format, it should be required.

https://fedorahosted.org/freeipa/ticket/2984
2012-08-16 12:52:38 +02:00
John Dennis
94d457e83c Use DN objects instead of strings
* Convert every string specifying a DN into a DN object

* Every place a dn was manipulated in some fashion it was replaced by
  the use of DN operators

* Add new DNParam parameter type for parameters which are DN's

* DN objects are used 100% of the time throughout the entire data
  pipeline whenever something is logically a dn.

* Many classes now enforce DN usage for their attributes which are
  dn's. This is implmented via ipautil.dn_attribute_property(). The
  only permitted types for a class attribute specified to be a DN are
  either None or a DN object.

* Require that every place a dn is used it must be a DN object.
  This translates into lot of::

    assert isinstance(dn, DN)

  sprinkled through out the code. Maintaining these asserts is
  valuable to preserve DN type enforcement. The asserts can be
  disabled in production.

  The goal of 100% DN usage 100% of the time has been realized, these
  asserts are meant to preserve that.

  The asserts also proved valuable in detecting functions which did
  not obey their function signatures, such as the baseldap pre and
  post callbacks.

* Moved ipalib.dn to ipapython.dn because DN class is shared with all
  components, not just the server which uses ipalib.

* All API's now accept DN's natively, no need to convert to str (or
  unicode).

* Removed ipalib.encoder and encode/decode decorators. Type conversion
  is now explicitly performed in each IPASimpleLDAPObject method which
  emulates a ldap.SimpleLDAPObject method.

* Entity & Entry classes now utilize DN's

* Removed __getattr__ in Entity & Entity clases. There were two
  problems with it. It presented synthetic Python object attributes
  based on the current LDAP data it contained. There is no way to
  validate synthetic attributes using code checkers, you can't search
  the code to find LDAP attribute accesses (because synthetic
  attriutes look like Python attributes instead of LDAP data) and
  error handling is circumscribed. Secondly __getattr__ was hiding
  Python internal methods which broke class semantics.

* Replace use of methods inherited from ldap.SimpleLDAPObject via
  IPAdmin class with IPAdmin methods. Directly using inherited methods
  was causing us to bypass IPA logic. Mostly this meant replacing the
  use of search_s() with getEntry() or getList(). Similarly direct
  access of the LDAP data in classes using IPAdmin were replaced with
  calls to getValue() or getValues().

* Objects returned by ldap2.find_entries() are now compatible with
  either the python-ldap access methodology or the Entity/Entry access
  methodology.

* All ldap operations now funnel through the common
  IPASimpleLDAPObject giving us a single location where we interface
  to python-ldap and perform conversions.

* The above 4 modifications means we've greatly reduced the
  proliferation of multiple inconsistent ways to perform LDAP
  operations. We are well on the way to having a single API in IPA for
  doing LDAP (a long range goal).

* All certificate subject bases are now DN's

* DN objects were enhanced thusly:
  - find, rfind, index, rindex, replace and insert methods were added
  - AVA, RDN and DN classes were refactored in immutable and mutable
    variants, the mutable variants are EditableAVA, EditableRDN and
    EditableDN. By default we use the immutable variants preserving
    important semantics. To edit a DN cast it to an EditableDN and
    cast it back to DN when done editing. These issues are fully
    described in other documentation.
  - first_key_match was removed
  - DN equalty comparison permits comparison to a basestring

* Fixed ldapupdate to work with DN's. This work included:
  - Enhance test_updates.py to do more checking after applying
    update. Add test for update_from_dict(). Convert code to use
    unittest classes.
  - Consolidated duplicate code.
  - Moved code which should have been in the class into the class.
  - Fix the handling of the 'deleteentry' update action. It's no longer
    necessary to supply fake attributes to make it work. Detect case
    where subsequent update applies a change to entry previously marked
    for deletetion. General clean-up and simplification of the
    'deleteentry' logic.
  - Rewrote a couple of functions to be clearer and more Pythonic.
  - Added documentation on the data structure being used.
  - Simplfy the use of update_from_dict()

* Removed all usage of get_schema() which was being called prior to
  accessing the .schema attribute of an object. If a class is using
  internal lazy loading as an optimization it's not right to require
  users of the interface to be aware of internal
  optimization's. schema is now a property and when the schema
  property is accessed it calls a private internal method to perform
  the lazy loading.

* Added SchemaCache class to cache the schema's from individual
  servers. This was done because of the observation we talk to
  different LDAP servers, each of which may have it's own
  schema. Previously we globally cached the schema from the first
  server we connected to and returned that schema in all contexts. The
  cache includes controls to invalidate it thus forcing a schema
  refresh.

* Schema caching is now senstive to the run time context. During
  install and upgrade the schema can change leading to errors due to
  out-of-date cached schema. The schema cache is refreshed in these
  contexts.

* We are aware of the LDAP syntax of all LDAP attributes. Every
  attribute returned from an LDAP operation is passed through a
  central table look-up based on it's LDAP syntax. The table key is
  the LDAP syntax it's value is a Python callable that returns a
  Python object matching the LDAP syntax. There are a handful of LDAP
  attributes whose syntax is historically incorrect
  (e.g. DistguishedNames that are defined as DirectoryStrings). The
  table driven conversion mechanism is augmented with a table of
  hard coded exceptions.

  Currently only the following conversions occur via the table:

  - dn's are converted to DN objects

  - binary objects are converted to Python str objects (IPA
    convention).

  - everything else is converted to unicode using UTF-8 decoding (IPA
    convention).

  However, now that the table driven conversion mechanism is in place
  it would be trivial to do things such as converting attributes
  which have LDAP integer syntax into a Python integer, etc.

* Expected values in the unit tests which are a DN no longer need to
  use lambda expressions to promote the returned value to a DN for
  equality comparison. The return value is automatically promoted to
  a DN. The lambda expressions have been removed making the code much
  simpler and easier to read.

* Add class level logging to a number of classes which did not support
  logging, less need for use of root_logger.

* Remove ipaserver/conn.py, it was unused.

* Consolidated duplicate code wherever it was found.

* Fixed many places that used string concatenation to form a new
  string rather than string formatting operators. This is necessary
  because string formatting converts it's arguments to a string prior
  to building the result string. You can't concatenate a string and a
  non-string.

* Simplify logic in rename_managed plugin. Use DN operators to edit
  dn's.

* The live version of ipa-ldap-updater did not generate a log file.
  The offline version did, now both do.

https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-08-12 16:23:24 -04:00
Tomas Babej
36c4778bc6 Adds check for ipa-join.
If the executable ipa-client/ipa-join is not found, the relevant
tests are skipped. Implemented in setUpClass() method, also moved
the mkstemp() call there.

https://fedorahosted.org/freeipa/ticket/2905
2012-08-03 16:26:54 +02:00
Jan Cholasta
72cc54bc27 Make --{set,add,del}attr more robust.
This fixes --addattr on single value attributes in add commands and --delattr
on non-unicode attributes in mod commands.

ticket 2954
2012-08-03 14:17:42 +02:00
Rob Crittenden
fb817d3401 Add per-service option to store the types of PAC it supports
Create a per-service default as well.

https://fedorahosted.org/freeipa/ticket/2184
2012-08-01 16:15:51 +02:00
Rob Crittenden
e345ad12eb Fix validator for SELinux user map settings in config plugin.
We need to compare two values and need to be aware of where those
values are coming from. They may come from options, setattr or
existing config. The format of that data is going to be different
depending on its source (always a list internally).

One may also set both at the same time so a standard validator cannot
be used because it lacks the context of the other value being set.

https://fedorahosted.org/freeipa/ticket/2938
https://fedorahosted.org/freeipa/ticket/2940
2012-07-26 23:57:25 -04:00
Petr Viktorin
23e188f226 Arrange stripping .po files
The .po files we use for translations have two shortcomings when used in Git:
- They include file locations, which change each time the source is updated.
  This results in large, unreadable diffs that don't merge well.
- They include source strings for untranslated messages, wasting space
  unnecessarily.

Update the Makefile so that the extraneous information is stripped when the
files are updated or pulled form Transifex, and empty translation files are
removed entirely.
Also, translations are normalized to a common style. This should help diffs
and merges.

The validator requires file location comments to identify the programming
language, and to produce good error reports.
To make this work, merge the comments in before validation.

First patch for: https://fedorahosted.org/freeipa/ticket/2435
2012-07-24 16:54:21 -04:00
Martin Kosek
854b763675 Enforce CNAME constrains for DNS commands
RFC 1912 states that no record (besides PTR) is allowed to coexist
with any other record type. When BIND detects this situation, it
refuses to load such records.

Enforce the constrain for dnsrecord-mod and dnsrecord-add commands.

https://fedorahosted.org/freeipa/ticket/2601
2012-07-12 17:44:13 -04:00
Martin Kosek
34f8ff4793 Add range-mod command
range plugin was missing range-mod command that could be used for
example to fix a size for a range generated during upgrades. The
range should be updated with a caution though, a misconfiguration
could break trusts.

iparangetype is now also handled better and filled in all commands
instead of just range-show. objectclass attribute is deleted only
when really needed now.
2012-07-13 16:18:29 +02:00
Petr Viktorin
5f69a06d1a Fix batch command error reporting
The Batch command did not report errors correctly: it reported
the text of *all* errors, not just PublicError, used unicode(e)
instead of e.strerror (which results in incorrect i18n), and only
reported the text of error messages, not their type and code.

Fix these problems. Update tests.

https://fedorahosted.org/freeipa/ticket/2874
https://fedorahosted.org/freeipa/ticket/2901
2012-07-11 10:49:02 +02:00
Petr Viktorin
03f247ec86 Explicitly filter options that permission-{add,mod} passes to aci-{add,mod}
Make permission commands not pass options that the underlying ACI commands
do not understand.

Update tests.

Remove some extraneous imports of the `copy` module.

https://fedorahosted.org/freeipa/ticket/2885
2012-07-02 08:31:03 +02:00
Sumit Bose
fbebe82811 Add CLI for ID ranges
https://fedorahosted.org/freeipa/ticket/2185
2012-06-29 18:00:50 -04:00
Alexander Bokovoy
a6ff85f425 Add support for external group members
When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.

https://fedorahosted.org/freeipa/ticket/2664
2012-06-28 16:53:33 +02:00
Martin Kosek
52f69aaa8a Per-domain DNS record permissions
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.

Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute

Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.

2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
 * dnszone-add-permission: Add per-zone permission
 * dnszone-remove-permission: Remove per-zone permission

https://fedorahosted.org/freeipa/ticket/2511
2012-06-28 15:21:21 +02:00
Ondrej Hamada
8ce7330c53 Change random passwords behaviour
Improved options checking so that host-mod operation is not changing
password for enrolled host when '--random' option is used.

Unit tests added.

https://fedorahosted.org/freeipa/ticket/2799

Updated set of characters that is used for generating random passwords
for ipa hosts. All characters that might need escaping were removed.

https://fedorahosted.org/freeipa/ticket/2800
2012-06-27 12:58:46 +02:00
Petr Viktorin
3021b3e9d5 Improve output validation
We only checked the length of Command output dictionaries. A misspelled
key in would not be caught.

Fix the problem by checking if the sets of keys are equal.

Add a test. Split the test methods into more manageable pieces.

https://fedorahosted.org/freeipa/ticket/2860
2012-06-25 22:04:14 -04:00
Ondrej Hamada
f298a20d27 Case sensitive renaming of objects
When renaming object its case sensitivity is obeyed. This was DS bug.
Unit tests were corrected and minimal DS version was updated in spec
file.

https://fedorahosted.org/freeipa/ticket/2620
2012-06-20 15:47:02 +02:00
Petr Viktorin
1235dfa7bf Fail on unknown Command options
When unknown keyword arguments are passed to a Command, raise an
error instead of ignoring them.

Options used when IPA calls its commands internally are listed
in a new Command attribute called internal_options, and allowed.

Previous patches (0b01751c, c45174d6, c5689e7f) made IPA not use
unknown keyword arguments in its own commands and tests, but since
that some violations were reintroduced in permission_find and tests.
Fix those.

Tests included; both a frontend unittest and a XML-RPC test via the
ping plugin (which was untested previously).

https://fedorahosted.org/freeipa/ticket/2509
2012-06-20 15:18:42 +02:00
Martin Kosek
1484ccc404 Decimal parameter conversion and normalization
Parameter Decimal does not have a sufficient value checks. Some values
cause Decimal parameter with a custom precision to crash with
an unhandled exception.

Improve parameter conversion and normalization operations to handle
decimal exceptions more gracefully. Decimal parameter now also has
new attributes enabling 2 new validation/normalization methods:
 * exponential: when False, decimal number is normalized to its
                non-exponential form
 * numberclass: a set of allowed decimal number classes
                (e.g. +Infinity, -Normal, ...) that are enforced
                for every Decimal parameter value

https://fedorahosted.org/freeipa/ticket/2705
2012-06-17 21:59:54 -04:00
Rob Crittenden
54135ecd9a Store session cookie in ccache for cli users
Try to use the URI /ipa/session/xml if there is a key in the kernel
keyring. If there is no cookie or it turns out to be invalid (expired,
whatever) then use the standard URI /ipa/xml. This in turn will create
a session that the user can then use later.

https://fedorahosted.org/freeipa/ticket/2331
2012-06-14 14:02:26 +02:00
Martin Kosek
0c96f59356 Remove trust work unit test failures
Trust work that was pushed recently requires few changes in unit
tests to prevent test failures. This patch also removes repetitive
construction of group DN in group unit tests.
2012-06-14 12:21:18 +02:00
Petr Viktorin
9960149e3f Rework the CallbackInterface
Fix several problems with the callback interface:
- Automatically registered callbacks (i.e. methods named
    exc_callback, pre_callback etc) were registered on every
    instantiation.
    Fix: Do not register callbacks in __init__; instead return the
    method when asked for it.
- The calling code had to distinguish between bound methods and
    plain functions by checking the 'im_self' attribute.
    Fix: Always return the "default" callback as an unbound method.
    Registered callbacks now always take the extra `self` argument,
    whether they happen to be bound methods or not.
    Calling code now always needs to pass the `self` argument.
- Did not work well with inheritance: due to the fact that Python
    looks up missing attributes in superclasses, callbacks could
    get attached to a superclass if it was instantiated early enough. *
    Fix: Instead of attribute lookup, use a dictionary with class keys.
- The interface included the callback types, which are LDAP-specific.
    Fix: Create generic register_callback and get_callback mehods,
    move LDAP-specific code to BaseLDAPCommand

Update code that calls the callbacks.
Add tests.
Remove lint exceptions for CallbackInterface.

* https://fedorahosted.org/freeipa/ticket/2674
2012-06-14 11:09:43 +02:00
Martin Kosek
d1e695b5d0 Password change capability for form-based auth
IPA server web form-based authentication allows logins for users
which for some reason cannot use Kerberos authentication. However,
when a password for such users expires, they are unable change the
password via web interface.

This patch adds a new WSGI script attached to URL
/ipa/session/change_password which can be accessed without
authentication and which provides password change capability
for web services.

The actual password change in the script is processed by LDAP
password change command.

Password result is passed both in the resulting HTML page, but
also in HTTP headers for easier parsing in web services:
  X-IPA-Pwchange-Result: {ok, invalid-password, policy-error, error}
  (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text

https://fedorahosted.org/freeipa/ticket/2276
2012-06-11 23:07:03 -04:00
Petr Viktorin
f8e7b516d9 Prevent deletion of the last admin
Raise an error when trying to delete the last user in the
'admins' group, or remove the last member from the group,
or delete the group itself.

https://fedorahosted.org/freeipa/ticket/2564
2012-06-06 21:57:12 -04:00
Martin Kosek
c06cbb12ac Fill new DNS zone update policy by default
For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.

The policy is not easy to construct for regular users, we should
rather fill it by default and let users just switch the policy
on or off.

https://fedorahosted.org/freeipa/ticket/2441
2012-06-05 08:41:46 +02:00
Petr Viktorin
c799f6a0bf Add more automount tests
This adds tests for the automountlocation_tofiles and
automountlocation_import commands, and to automountmap_add_indirect
with the --parentmap option.

The tofiles test checks not only the XML-RPC output, but also the
output_for_cli method.

The import tests load data from tofiles output to the directory
and check that tofiles output matches.
This only works when all maps are connected to auto.master.

Two minor touches to the automount plugin itself: remove an extra
space, and don't hide the traceback when re-raising an exception.
2012-05-31 20:16:29 -04:00