Commit Graph

4882 Commits

Author SHA1 Message Date
John Dennis
af0ac845ff improve handling of ds instances during uninstall
Ticket #2502

* remove the "running" flag from backup_state in cainstance.py and
  dsinstance.py because it does not provide the correct
  information. In cainstance the running flag was never referenced
  because restarting dirsrv instances occurs later in dsinstance. In
  dsinstance when the running flag is set it incorrectly identified the
  PKI ds instance configured earlier by cainstance. The intent was to
  determine if there were any ds instances other than those owned by
  IPA which will need to be restarted upon uninstall. Clearly the PKI
  ds instance does not qualify. We were generating a traceback when at
  the conclusion of dsinstance.uninstall we tried to start the
  remaining ds instances as indicated by the running flag, but there
  were none to restart (because the running flag had been set as a
  consequence of the PKI ds instance).

* We only want to restart ds instances if there are other ds instances
  besides those owned by IPA. We shouldn't be stopping all ds
  instances either, but that's going to be covered by another
  ticket. The fix for restarting other ds instances at the end of
  uninstall is to check and see if there are other ds instances
  remaining after we've removed ours, if so we restart them. Also it's
  irrelevant if those ds instances were not present when we installed,
  it only matters if they exist after we restore things during
  uninstall. If they are present we have to start them back up because
  we shut them down during uninstall.

* Add new function get_ds_instances() which returns a list of existing
  ds instances.

* fixed error messages that incorrectly stated it "failed to restart"
  a ds instance when it should be "failed to create".
2012-04-04 22:47:08 -04:00
Jan Cholasta
cdebb29fec Check whether the default user group is POSIX when adding new user with --noprivate.
ticket 2572
2012-04-05 15:04:45 +02:00
Rob Crittenden
51b34d5c42 Make revocation_reason required when revoking a certificate.
This will prevent errors if an empty reason is provided, and since it is
set by default one doesn't have to always set it on the command line.

https://fedorahosted.org/freeipa/ticket/2597
2012-04-05 08:51:30 +02:00
Martin Kosek
17a0738d2d Configure SELinux for httpd during upgrades
SELinux configuration for httpd instance was set for new
installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x
upgrade) missed the configuration. This led to AVCs when httpd
tries to contact ipa_memcached and to users not being able to log in.

This patch updates ipa-upgradeconfig to configure SELinux
in the same way as ipa-server-install does.

https://fedorahosted.org/freeipa/ticket/2603
2012-04-03 18:20:51 -04:00
Petr Viktorin
8a7d7aaf81 Defer conversion and validation until after --{add,del,set}attr are handled
--addattr & friends that modified attributes known to Python sometimes
used converted and validated Python values instead of LDAP strings.
This caused a problem for --delattr, which searched for a converted
integer in a list of raw strings (ticket 2407).
With this patch we work on raw strings, converting only when done.

Deferring validation ensures the end result is valid, so proper errors
are raised instead of failing later (ticket 2405).

Tests included.

Replaces previous fix for:
https://fedorahosted.org/freeipa/ticket/2418

Fixes:
https://fedorahosted.org/freeipa/ticket/2405
https://fedorahosted.org/freeipa/ticket/2407
https://fedorahosted.org/freeipa/ticket/2408
2012-04-03 17:43:27 -04:00
Rob Crittenden
a5a4323946 Add updated Output format for batch to API.txt
This doesn't require bumping VERSION, it just makes list and tuple
both allowable.
2012-04-03 17:17:41 -04:00
Petr Viktorin
2b077f7b0d Test the batch plugin
This adds tests for the batch plugin, and changes its output
declaration to allow results as tuples (this tripped validation).

The assert_deepequal function ignores the order of items in lists.
Document this in its docstring, and use a custom checker for the
batch plugin results.
2012-04-03 16:19:59 -04:00
Petr Viktorin
b0a5524028 Fix little test errors
Two test methods in test_rpcserver had the same name; the first didn't get
to run.
Another duplicate pair was in test_hbac_plugin with the same name; the ignored
test had a small error in it.
check_TypeError used a wrong constant name.
An error reporting function in test.util used uninitialized argument names.

This patch fixes these problems.
2012-04-03 16:19:43 -04:00
Simo Sorce
c007ac0d70 Fix MS-PAC checks when using s4u2proxy
We were using the wrong principal in the s4u2proxy case.

Fixes: https://fedorahosted.org/freeipa/ticket/2504
2012-04-03 09:28:50 -04:00
Rob Crittenden
b55c98f1c5 Don't create private groups for migrated users, check for valid gidnumber
Migrated users don't get a private group; there is no safe way to verify
that the namespace is correct without redoing the uidnumber as well.

Verify that the GID at least points to a valid group on the remote server
and warn if it doesn't (this doesn't guarantee that the group gets migrated
but at least we try).

If the remote entry has no gidNumber then don't migrate that user. We
don't know why that user is non-POSIX, it could be a special user used
for auth, for example.

Add a loginshell if the remote user doesn't have one.

https://fedorahosted.org/freeipa/ticket/2562
2012-04-03 09:04:10 +02:00
Martin Kosek
df13cdcb97 Forbid public access to DNS tree
With a publicly accessible DNS tree in LDAP, anyone with access
to the LDAP server can get all DNS data, as with a zone transfer,
which is already restricted with an ACL. Making the DNS tree not readable
to the public is a common security practice and should be applied
in FreeIPA as well.

This patch adds a new deny rule to forbid access to DNS tree to
users or hosts without an appropriate permission or users which
are not members of admins group. The new permission/aci is
applied both for new installs and upgraded servers.

bind-dyndb-ldap plugin is allowed to read DNS tree without any
change because its principal is already a member of "DNS
Servers" privilege.

https://fedorahosted.org/freeipa/ticket/2569
2012-04-01 21:17:04 -04:00
Endi Sukma Dewata
874a298b07 Fixed boot.ldif permission.
The server installation failed on F17 due to permission problem.
The /var/lib/dirsrv/boot.ldif was previously owned and only readable
by root. It is now owned by DS user dirsrv.

Ticket #2544
2012-04-01 16:54:55 -04:00
Petr Viktorin
8c1171e923 Move test skipping to class setup
Currently, each DNS test case first checks if DNS is configured
by creating and deleting a test zone. This takes quite a lot of time.

This patch moves the check to the setUpClass method, so the check is
only done once for all the tests.

Similarly, if the server is not available, entire XMLRPC test classes
are now skipped.

Additionally, CLI tests that hit the server are skipped if the server
isn't available.
2012-04-01 16:21:10 -04:00
Rob Crittenden
16b38d39b3 Handle updating replication agreements that lack nsDS5ReplicatedAttributeList
When updating from 2.x we need to add nsDS5ReplicatedAttributeList and
nsDS5ReplicatedAttributeListTotal if they aren't present.

If nsDS5ReplicatedAttributeList is present and doesn't contain memberof
then we want to add it.

https://fedorahosted.org/freeipa/ticket/2594
2012-04-02 10:49:20 +02:00
Rob Crittenden
56fa06fec4 Fix failure count interval attribute name in query for password policy.
This was causing the failure count interval to not be applied so
the failure count was never reset to 0.

https://fedorahosted.org/freeipa/ticket/2540
2012-03-29 00:52:25 -04:00
Martin Kosek
944aacc7d5 Improve automount indirect map error message
When a user does not pass the name of a parent map in the
automountmap-add-indirect command, auto.master is used as
a default. However, when auto.master does not exist in a given
location, we raise a NotFound error with the name of the location instead
of the name of the missing automount map.

https://fedorahosted.org/freeipa/ticket/2387
2012-03-28 22:44:02 -04:00
Petr Viktorin
0b62700c8c Allow multi-line CSV parameters
Feed individual lines of input into the CSV parser, and include all lines
in the output.

https://fedorahosted.org/freeipa/ticket/2402
2012-03-28 22:01:24 -04:00
Petr Vobornik
18a6ab356a Inter-facet expiration
Problem:

When some facet performs an action which modifies data, some other facet may become expired.

Example: User modifies group's description. Now group search facet contains old data and has to be refreshed.

Solution:

A new event was added to facet: on_update. It should be executed when a facet performs an action which modifies data, i.e.: details facet update or adding an entry to dnsrecord.

Then entity policies were introduced. Entity policies are objects which are stored in entity.policies. They have a similar function as facet_policies - performing communications and other functionality between facets. This way facets don't have to contain such logic and thus they aren't dependent on each other.

This patch adds IPA.facet_update_policy, IPA.adder_facet_update_policy, IPA.search_facet_update_policy, IPA.details_facet_update_policy.

IPA.facet_update_policy: On facets_created it binds itself to [current entity].[source facet].[event]. The default event is on_update. When the event is executed it sets the expiration flag on [dest entity].[dest facet].

IPA.search_facet_update_policy: IPA.facet_update_policy where source facet = search, dest facet = details, dest entity = current entity. It's a default policy for updating changes from the search facet to the details facet. Right now it isn't needed but it will be needed when action lists come into play.

IPA.details_facet_update_policy: same as IPA.search_facet_update_policy just reversed. Very important.

IPA.adder_facet_update_policy: similar functionality, just source of the event is dialog. Default event is added (new event in entity_adder_dialog).

Entity policies should be specified in the entity's spec object. If none are specified, default ones are used. Default policies are: IPA.search_facet_update_policy and IPA.details_facet_update_policy.

https://fedorahosted.org/freeipa/ticket/2075
2012-03-29 13:39:53 +02:00
Petr Vobornik
bbe672a2ae Facet expiration flag
Problem:

For performance reasons a facet may cache the data in the browser's memory. There should be a flag to indicate whether a facet has expired and should be refreshed. The expired flag could be set by these events:

 1) any update operation
 2) changing search filter in search facet
 3) switching page in a multi-paged search/association facet
 4) switching direct/indirect view in association facet
 5) facet expiration time
A facet should be able to use these methods to refresh itself:
 6) on demand: an expired facet should be refreshed when a user opens it.
 7) automatic: an open facet should automatically refresh itself when it expires.

Solution:

This patch solves cases: #2, #3, #5, #6. Case #4 works without any change. Case #1 will be solved later. Case #7 is deferred.

Default expiration timeout was set to 10 minutes.

In this patch are also updated facet.needs_update methods to reflect changes in containing facets.

https://fedorahosted.org/freeipa/ticket/2075
2012-03-29 13:39:37 +02:00
Ondrej Hamada
5cfee2338d Netgroup nisdomain and hosts validation
nisdomain validation:
Added a pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2448

'add_external_pre_callback' function was created to allow validation of
all external members. Validation is based on usage of objects primary
key parameter. The 'add_external_pre_callback' function has to be called
directly from the 'pre_callback' function. This change affects
netgroup, hbacrule and sudorule commands.

For hostname, the validator allows non-fqdn and underscore characters.
validate_hostname function in ipalib.util was modified and contains
additional option that allows hostname to contain underscore characters.
This option is disabled by default.

Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2447
2012-03-28 16:23:37 +02:00
Martin Kosek
159e848d85 Tolerate UDP port failures in conncheck
UDP port checks in ipa-replica-conncheck are too strict. The entire
conncheck fails when UDP ports cannot be verified as open. However,
UDP protocol is unreliable by its nature and the port can also not
be checked if there is an application already bound to it. This can
happen for example when ipa-replica-conncheck is run as a part of
ipa-ca-install and the replica services are thus already running.

This patch changes the behavior of UDP port checks. The conncheck
script now rather reports a warning that UDP port cannot be verified
but does not fail the entire test.

https://fedorahosted.org/freeipa/ticket/2514
2012-03-27 17:05:22 -04:00
Petr Viktorin
96c5551ace Add CLI parsing tests
These test that command lines are parsed to correct Command arguments.
Includes some tests for interactive prompts.

To make this possible cli.run is broken up into several pieces.
2012-03-28 15:25:33 +02:00
Jan Cholasta
a2299070c8 Change parameters to use only default_from for dynamic default values.
Replace all occurrences of create_default with equivalent default_from
and remove create_default from the framework. This is needed for
proper parameter validation, as there is no way to tell which
parameters to validate prior to calling create_default, because
create_default does not provide information about which parameters are
used for generating the default value.
2012-03-28 14:04:31 +02:00
Jan Cholasta
5a55e11a25 Fix the procedure for getting default values of command parameters.
The parameters used in default_from of other parameters are now
properly validated before the default_from is called.

ticket 1847
2012-03-28 14:03:27 +02:00
Rob Crittenden
9bb1e6c03e Add requires on python-krbV to client subpackage
This is needed since ipa-client-install initializes the ipalib api.

https://fedorahosted.org/freeipa/ticket/2577
2012-03-28 08:53:01 +02:00
John Dennis
e2a3907726 Replace broken i18n shell test with Python test
We had been using shell scripts and sed to test our translations. But
trying to edit pot and po files with sed is nearly impossible because
the file format can vary significantly and the sed editing was failing
and gettext tools were complaining about our test strategy.  We had
been using a Python script (test_i18n.py) to perform the actual test
after using shell, sed, and gettext tools to create the files. There
is a Python library (polib) which can read/write/edit pot/po/mo files
(used internally by Transifex, our translation portal). The strategy
now is to do everything in Python (in test_i18n.py). This is easier,
more robust and allows us to do more things.

* add python-polib to BuildRequires

* Remove the logic for creating the test lang from Makefile.in and
  replace it with calls to test_i18n.py

* add argument parsing, usage, configuration parameters, etc. to
  test_i18n.py to make it easier to use and configurable.

* add function to generate a test po and mo file. It also
  writes the files and creates the test directory structure.

* Took the existing validate code and refactored it into validation
  function. It used to just pick one string and test it, now it
  iterates over all strings and all plural forms.

* Validate anonymous Python format substitutions in pot file

* added support for plural forms.

* Add pot po file validation for variable substitution

* In install/po subdir you can now do:
  $ make test
  $ make validate-pot
  $ make validate-po

* The options for running test_i18n.py are:

$ ./test_i18n.py --help
Usage:

test_i18n.py --test-gettext
test_i18n.py --create-test
test_i18n.py --validate-pot [pot_file1, ...]
test_i18n.py --validate-po po_file1 [po_file2, ...]

Options:
  -h, --help            show this help message and exit
  -s, --show-strings    show the offending string when an error is detected
  --pedantic            be aggressive when validating
  -v, --verbose         be informative
  --traceback           print the traceback when an exception occurs

  Operational Mode:
    You must select one these modes to run in

    -g, --test-gettext  create the test translation file(s) and exercise them
    -c, --create-test   create the test translation file(s)
    -P, --validate-pot  validate pot file(s)
    -p, --validate-po   validate po file(s)

  Run Time Parameters:
    These may be used to modify the run time defaults

    --test-lang=TEST_LANG
                        test po file uses this as it's basename (default=test)
    --lang=LANG         lang used for locale, MUST be a valid lang
                        (default=xh_ZA)
    --domain=DOMAIN     translation domain used during test (default=ipa)
    --locale=LOCALE     locale used during test (default=test_locale)
    --pot-file=POT_FILE
                        default pot file, used when validating pot file or
                        generating test po and mo files (default=ipa.pot)

https://fedorahosted.org/freeipa/ticket/2044
2012-03-26 20:29:26 -04:00
Jan Cholasta
bd440d515e Fix uses of O=REALM instead of the configured certificate subject base.
ticket 2521
2012-03-26 20:29:26 -04:00
Martin Kosek
ef21a286f0 Fix dnsrecord-del interactive mode
User was not able to select multiple values in dnsrecord-del
interactive mode.

https://fedorahosted.org/freeipa/ticket/2581
2012-03-27 18:02:47 +02:00
Jan Cholasta
0024024897 Parse zone indices in IPv6 addresses in CheckedIPAddress.
If a zone index is present in an IPv6 address, it is ignored.

ticket 2138
2012-03-27 12:03:16 +02:00
Martin Kosek
52aa008b87 Improve user awareness about dnsconfig
Global DNS configuration is a nice tool to maintain common DNS
settings stored in LDAP which are then used for all enrolled IPA
servers. However, the settings stored in LDAP override local
settings in named.conf on DNS servers.

This patch adds more information about global DNS configuration
options in install scripts and DNS module help.

https://fedorahosted.org/freeipa/ticket/2525
2012-03-26 00:33:45 -04:00
Martin Kosek
b944ad44b5 Amend permissions for new DNS attributes
New features in bind-dyndb-ldap and IPA DNS plugin pulled new
attributes and objectclasses. ACIs and permissions need to be
updated to allow users with appropriate permissions to update
these attributes in LDAP.

This patch updates the ACI for DNS record updates and adds one
new permission to update global DNS configuration.

https://fedorahosted.org/freeipa/ticket/2510
2012-03-25 23:58:24 -04:00
Petr Viktorin
0b01751c1b Use valid argument names in tests
Some of our tests used unintended extra options, or options with
misspelled, wrongly copy-pasted or otherwise bad names. These are
ignored, so the intended argument was treated as missing. The test
itself can still pass but may be rendered ineffective or fragile.

This only fixes those of such errors that appear in the test suite.
Fixing code in the framework and actual rejecting of unknown
arguments is deferred for later (ticket #2509).
2012-03-25 18:05:33 -04:00
Rob Crittenden
a735420a9b Set nsslapd-minssf-exclude-rootdse to on so the DSE is always available.
If minssf is set in configuration and this is not set then clients won't
be able to detect the available namingContexts, defaultNamingContext,
capabilities, etc.

https://fedorahosted.org/freeipa/ticket/2542
2012-03-26 14:26:10 +02:00
Rob Crittenden
00ce15b744 Set minimum version of 389-ds-base to 1.2.10.4-2 to fix upgrade issue
The IPA upgrade process was starting before 389-ds had upgraded the
database which caused corruption.

https://fedorahosted.org/freeipa/ticket/2541
2012-03-26 09:48:43 +02:00
Petr Viktorin
a4394e5e4a Add missing BuildRequires
Since our build process runs pylint, we need all Python dependencies
installed at RPM creation time.
This adds python-lxml and python-pyasn1 to BuildRequires.

https://fedorahosted.org/freeipa/ticket/2538
2012-03-26 09:38:08 +02:00
Rob Crittenden
a672483118 Fix unit tests to work with new comma-support, validation requirements
2012-03-26 09:29:27 +02:00
Ondrej Hamada
cfafc415f3 Typos in FreeIPA messages
Rebased patch sent by Yuri Chornoivan (yurchor@ukr.net). Fixes 'occured'
and 'commond' typos in FreeIPA messages.

https://fedorahosted.org/freeipa/ticket/2526
2012-03-23 16:59:12 +01:00
Martin Kosek
9578f67572 Fix default SOA serial format
RFC 1912 recommends format YYYYMMDDnn, we used YYYYDDMMnn.

https://fedorahosted.org/freeipa/ticket/2567
2012-03-23 16:55:12 +01:00
Martin Kosek
11ef670835 Avoid deleting DNS zone when a context is reused
When dnsrecord-del pre_callback detects that the record does
not contain any records, it sets a flag in the connection context
and deletes the record object later. However, when more
dnsrecord-del commands share the same context (and this is
the case of "ipa-replica-manage del $MASTER" DNS cleanup), it
may reuse a positive flag from previous dnsrecord-del command
and delete the root DNS zone record and thus effectively delete
the zone.

This patch makes sure that this flag is always initialized to a
sane value in dnsrecord-del pre_callback to make sure that the DNS
zone is not deleted. It also fixes pre_callback function definition
to prevent adding attrs_list to "keys" parameter and thus confuse
developers.

https://fedorahosted.org/freeipa/ticket/2503
2012-03-23 16:08:17 +01:00
Jan Cholasta
d9e8b9a3ed Wait for child process to terminate after receiving SIGINT in ipautil.run.
Do cleanup on KeyboardInterrupt rather than in custom SIGINT handler in
ipa-replica-conncheck.

https://fedorahosted.org/freeipa/ticket/2127
2012-03-23 10:53:02 +01:00
Alexander Bokovoy
f6077c46b3 When changing multiple booleans with setsebool, pass each of them separately.
Fixes SELinux configuration for ipa-server-install with selinux-policy 3.10.0-104.fc17.
2012-03-23 10:19:47 +02:00
Martin Kosek
2d460003b9 Fix LDAP effective rights control with python-ldap 2.4.x
The new version of python-ldap changed the way it created LDAPv3
extended controls. The API used in 2.4.x can no longer be used
because it does not send the bind DN with effective rights
control and LDAP server thus rejects it.

This patch implements the new API in a backward compatible way
so that it works both with python-ldap versions 2.3.x and 2.4.x.

https://fedorahosted.org/freeipa/ticket/2565
2012-03-22 00:54:57 -04:00
Rob Crittenden
98a99cbca8 Normalize the primary key value to lowercase during migration.
https://bugzilla.redhat.com/show_bug.cgi?id=804609
2012-03-22 21:47:01 +01:00
Rob Crittenden
b9c3eb79a9 Fix attributes that contain DNs when migrating.
Some attributes, like secretary and manager, may point to other LDAP
entries. We need to fix these during migration.

https://fedorahosted.org/freeipa/ticket/2562
2012-03-22 21:46:27 +01:00
Martin Kosek
5b8e1e8c62 Harden raw record processing in DNS plugin
There were cases where DNS plugin was too tolerant in a raw DNS
record option (--<rrtype>-rec) processing. It let people specify
DNS record parts options in dnsrecord-mod operations for some
record without specifying the record that should be updated. It
also ignored DNS record parts in dnsrecord-add operation when the
raw DNS record value was already set via --<rrtype>-rec option.

This patch hardens the processing and returns error in both
described cases to make the processes clearer and more robust.

All these use cases were also covered by new unit tests.

https://fedorahosted.org/freeipa/ticket/2551
2012-03-22 19:30:13 +01:00
Simo Sorce
735618a1c6 Fix memleak and silence Coverity defects
Some of these are not real defects, because we are guaranteed to have valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.

One memleak on error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c

Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is
actually fine as we count beforehand so we never actually use the wrong value
that is computed on the last pass when p == 0

Fixes: https://fedorahosted.org/freeipa/ticket/2488
2012-03-22 17:33:13 +01:00
Martin Kosek
19b2af8e52 Fix precallback validators in DNS plugin
DNS plugin contains several RR type record validators run in
pre_callback which cannot be used as standard param validators
as they need more data and resources than standard validators
provide. However, the precallback validators are not run for
DNS records created by new structured options and thus an invalid
value may slip in.

This patch moves the execution of these precallback validators
_after_ the processing of structured DNS options. It also cleans
them up a little and makes them more robust.

https://fedorahosted.org/freeipa/ticket/2550
2012-03-22 17:27:09 +01:00
Ondrej Hamada
a58cbb985e Search allowed attributes in superior objectclasses
get_allowed_attributes function was improved to look for allowed
attributes also in the superior objectclasses of specified objectclass.

This fixes the regression caused by patch for ticket #2293. Test-case
for unit-test was also created.

https://fedorahosted.org/freeipa/ticket/2293
2012-03-22 17:13:39 +01:00
Rob Crittenden
d14438405a Fix test failure testing rename with an invalid hostname.
Validation is going to catch the invalid hostname before the mod is tried.
2012-03-21 17:48:59 -04:00
Petr Viktorin
dddebe2350 Only split CSV in the client, quote instead of escaping
Splitting on commas is not an idempotent operation:
'a,b\,c' -> ('a', 'b,c') -> ('a', 'b', 'c')

That means we can't do it when the call is forwarded, so this is only
done on the CLI. The UI already sends values as a tuple.

Replace escaping in the csv parser with quoting. Quoted strings can have
embedded commas instead of having to escape them. This prevents the csv
parser from eating all escape characters.

Also, document Param's csv arguments, and update tests.

https://fedorahosted.org/freeipa/ticket/2417
https://fedorahosted.org/freeipa/ticket/2227
2012-03-20 20:03:54 -04:00