Commit Graph

94 Commits

Author SHA1 Message Date
Adam Young
3f88bc1484 Revert "Set hard limit on number of commands in batch request to 256."
This reverts commit 79d22f8341.
2011-03-01 17:35:56 -05:00
Pavel Zuna
6eb70ea8e2 Remove deprecated i18n code from ipalib/request and all references to it.
Ticket #903
2011-03-01 10:31:36 -05:00
Rob Crittenden
79d22f8341 Set hard limit on number of commands in batch request to 256.
ticket 984
2011-02-22 09:09:46 -05:00
Rob Crittenden
275998f6bd Add support for tracking and counting entitlements
Adds a plugin, entitle, to register to the entitlement server, consume
entitlements and to count and track them. It is also possible to
import an entitlement certificate (if for example the remote entitlement
server is unaviailable).

This uses the candlepin server from https://fedorahosted.org/candlepin/wiki
for entitlements.

Add a cron job to validate the entitlement status and syslog the results.

tickets 28, 79, 278
2011-02-02 10:00:38 -05:00
Rob Crittenden
0637bff95f Fix exception doctest failure 2011-01-24 10:42:16 -05:00
Rob Crittenden
fc28fae03f Add some basic filter validation to permissions and disallow empty filters
Try a query with a filter to see if it is at least legal. This doesn't
guarantee that the filter is at all otherwise sane.

ticket 808
2011-01-21 10:47:43 -05:00
Rob Crittenden
886e417fd7 Set the default Int maxvalue to the maximum XML-RPC can handle.
Also handle marshalling errors thrown by xmlrpclib more gracefully.

ticket 770
2011-01-18 10:03:55 -05:00
Rob Crittenden
0a79836082 Setting an empty set of target attributes should raise an exception.
It is possible to create an ACI with attributes and then try to set that
to None via a mod command later. We need to catch this and raise an exception.

If all attributes are set to None in an aci then the attr target is removed
from the ACI. This could result in an illegal ACI if there are no other
targets. Having no targets is a legal state, just not a legal final state.

ticket 647
2011-01-10 10:27:23 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Rob Crittenden
7035ffe49c Fix some doctests
A few had bad formatting causing the doctests to fail.
2010-12-17 18:04:37 -05:00
Rob Crittenden
8a534bf07b Give the memberof plugin time to work when adding/removing reverse members.
When we add/remove reverse members it looks like we're operating on group A
but we're really operating on group B. This adds/removes the member attribute
on group B and the memberof plugin adds the memberof attribute into group A.

We need to give the memberof plugin a chance to do its work so loop a few
times, reading the entry to see if the number of memberof is more or less
what we expect. Bail out if it is taking too long.

ticket 560
2010-12-13 17:58:43 -05:00
Rob Crittenden
5f8a9b9849 Add --out option to service, host and cert-show to save the cert to a file.
Override forward() to grab the result and if a certificate is in the entry
and the file is writable then dump the certificate in PEM format.

ticket 473
2010-12-13 09:58:26 -05:00
Rob Crittenden
ba8d21f5ae Check for existence of the group when adding a user.
The Managed Entries plugin will allow a user to be added even if a group
of the same name exists. This would leave the user without a private
group.

We need to check for both the user and the group so we can do 1 of 3 things:
- throw an error that the group exists (but not the user)
- throw an error that the user exists (and the group)
- allow the uesr to be added

ticket 567
2010-12-13 09:53:29 -05:00
Rob Crittenden
6e2dd0fa5b Add new parameter type IA5Str and use this to enforce the right charset.
ticket 496
2010-12-07 16:37:42 -05:00
Rob Crittenden
4ad8055341 Re-implement access control using an updated model.
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).

A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.

ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).

This makes the aci plugin internal only.

ticket 445
2010-12-01 20:42:31 -05:00
Rob Crittenden
6d51a48af8 Add ability to add/remove DNS records when adding/removing a host entry.
A host in DNS must have an IP address so a valid IP address is required
when adding a host. The --force flag will be needed too since you are
adding a host that isn't in DNS.

For IPv4 it will create an A and a PTR DNS record.

IPv6 isn't quite supported yet. Some basic work in the DNS installer
is needed to get this working. Once the get_reverse_zone() returns the
right value then this should start working and create an AAAA record and
the appropriate reverse entry.

When deleting a host with the --updatedns flag it will try to remove all
records it can find in the zone for this host.

ticket 238
2010-11-23 18:23:29 -05:00
Rob Crittenden
9c50371652 Fix typo in exception sample causing a doctest to fail 2010-11-05 12:17:09 -04:00
Rob Crittenden
6f5cd3232a user-enable/disable improvements
Always display the account enable/disable status.

Don't ignore the exceptions when a user is already enabled or disabled.

Fix the exception error messages to use the right terminology.

In baseldap when retrieving all attributes include the default attributes
in case they include some operational attributes.

ticket 392
2010-11-04 12:49:33 -04:00
Rob Crittenden
7486ead6c9 Don't allow managed groups to have group password policy.
UPG cannot have members and we use memberOf in class of service to determine
which policy to apply.

ticket 160
2010-10-28 17:36:05 -04:00
Rob Crittenden
0e4e1f4bbd Fix two failing tests.
The first test is a mismatch in the sample output of an exception.

The second test adds certificate information output to the service plugin.
2010-10-22 21:45:37 -04:00
Pavel Zuna
dff2ff8300 Disallow RDN change and single-value bypass using setattr/addattr.
When setting or adding an attribute wiht setatt/addattr check to
see if there is a Param for the attribute and enforce the multi-value.
If there is no Param check the LDAP schema for SINGLE-VALUE.

Catch RDN mods and try to return a more reasonable error message.

Ticket #230
Ticket #246
2010-10-18 14:44:42 -04:00
Rob Crittenden
0ceba59d87 Add Requires on ipa-client to ipa-admintools, ensure ipa client is configured
It makes little sense to install ipa-admintools without ipa-client, require it.

Also see if the client has been configured. This is a bit tricky since we
have a full set of defaults. Add a new env option that gets set if at least
one configuration file is loaded.

ticket 213
2010-10-15 15:03:51 -04:00
Rob Crittenden
d2a9ccf407 Accept an incoming certificate as either DER or base64 in the service plugin.
The plugin required a base64-encoded certificate and always decoded it
before processing. This doesn't work with the UI because the json module
decodes binary values already.

Try to detect if the incoming value is base64-encoded and decode if
necessary. Finally, try to pull the cert apart to validate it. This will
tell us for sure that the data is a certificate, regardless of the format
it came in as.

ticket 348
2010-10-08 13:15:03 -04:00
Rob Crittenden
bed6e81935 If an HBAC category is 'all' don't allow individual objects to be added.
Basically, make 'all' mutually exclusive. This makes debugging lots easier.
If say usercat='all' there is no point adding specific users to the rule
because it will always apply to everyone.

ticket 164
2010-10-08 10:11:41 -04:00
Rob Crittenden
5b894d1fb7 Allow decoupling of user-private groups.
To do this we need to break the link manually on both sides, the user and
the group.

We also have to verify in advance that the user performing this is allowed
to do both. Otherwise the user could be decoupled but not the group
leaving it in a quasi broken state that only ldapmodify could fix.

ticket 75
2010-08-10 16:41:47 -04:00
Rob Crittenden
d885339f1c Require that hosts be resolvable in DNS. Use --force to ignore warnings.
This also requires a resolvable hostname on services as well. I want
people to think long and hard about adding things that aren't resolvable.

The cert plugin can automatically create services on the user's behalf when
issuing a cert. It will always set the force flag to True.

We use a lot of made-up host names in the test system, all of which require
the force flag now.

ticket #25
2010-08-06 15:31:57 -04:00
Rob Crittenden
4348b5f8c4 Add NotImplementedError type so CA plugins can return client-friendly errors
Ignore NotImplementedError when revoking a certificate as this isn't
implemented in the selfsign plugin.

Also use the new type argument in x509.load_certificate(). Certificates
are coming out of LDAP as binary instead of base64-encoding.
2009-12-01 23:18:05 -07:00
John Dennis
0d880b3ee3 add new error class for certificate operations
add new error class for certificate operations
2009-11-19 14:52:17 -05:00
John Dennis
76fc1f75f9 error strings in documentation were missing unicode specifier
error strings in documentation were missing unicode specifier
2009-11-19 14:51:49 -05:00
Jason Gerard DeRose
b35849b47d Change Password param so (password, confirm_password) can be passed to _convert_scalar() 2009-10-18 00:35:05 -06:00
Jason Gerard DeRose
f58ff2921d Giant webui patch take 2 2009-10-13 11:28:00 -06:00
Rob Crittenden
eca7cdc94a Raise more specific error when an Objectclass Violation occurs Fix the virtual plugin to work with the new backend 2009-09-14 09:46:39 -04:00
Rob Crittenden
dacfddfdc8 Remove Python 2.6 BaseException.message deprecation warning 2009-08-20 15:16:52 -06:00
Rob Crittenden
d9c54cd83e Clean up additional issues discovered with pylint and pychecker 2009-08-20 09:20:56 -04:00
Rob Crittenden
8780751330 Clean up some problems discovered with pylint and pychecker
Much of this is formatting to make pylint happy but it also fixes some
real bugs.
2009-08-12 13:18:15 -04:00
Rob Crittenden
fe84ffd0f1 Add a return value to exceptions.
Returning the exception value doesn't work because a shell return value
is in the range of 0-255.

The default return value is 1 which means "something went wrong." The only
specific return value implemented so far is 2 which is "not found".
2009-07-10 16:44:54 -04:00
Rob Crittenden
e31d5fb1cf Implement support for non-LDAP-based actions that use the LDAP ACI subsystem.
There are some operations, like those for the certificate system, that
don't need to write to the directory server. So instead we have an entry
that we test against to determine whether the operation is allowed or not.

This is done by attempting a write on the entry. If it would succeed then
permission is granted. If not then denied. The write we attempt is actually
invalid so the write itself will fail but the attempt will fail first if
access is not permitted, so we can distinguish between the two without
polluting the entry.
2009-07-10 16:41:05 -04:00
Rob Crittenden
cac8ebb866 Fix typo, occured -> occurred 2009-05-21 22:43:07 -04:00
Rob Crittenden
067b5c122c Add a format to the generic KerberosError class 2009-05-21 15:37:12 -06:00
Rob Crittenden
13696ae18b Raise an exception if the certificate chain is not returned from the CA 2009-05-21 17:34:00 -04:00
Jason Gerard DeRose
3a4828b372 Fixed doctest for errors.NotFound 2009-05-19 13:53:45 -06:00
Jason Gerard DeRose
87480b7bde Re-enable doctest, fix broken docstrings 2009-05-13 14:22:09 -04:00
Rob Crittenden
1c31b5bc08 Add a reason to the NotFound exception so we can provide more robust errors 2009-05-13 14:16:44 -04:00
Rob Crittenden
0d538b20f2 Make MalformedServicePrincipal take a reason arg and add Base64DecodeError 2009-05-06 11:29:11 -04:00
Pavel Zuna
7d0bd4b895 Rename errors2.py to errors.py. Modify all affected files. 2009-04-23 10:29:14 -04:00
Rob Crittenden
64fa3dd4c3 Finish work replacing the errors module with errors2
Once this is committed we can start the process of renaming errors2 as errors.
I thought that combinig this into one commit would be more difficult to
review.
2009-04-20 13:58:26 -04:00
Rob Crittenden
233a4cb5fd Raise a more specific error when a user lacks the proper permissions.
The info part of the message will contain details on what permission
failed on what attribute.
2009-03-25 11:02:44 -04:00
Rob Crittenden
5717c9d668 Applied Rob's errors patch 2009-02-03 15:29:04 -05:00
Jason Gerard DeRose
0d3ddef93b Started fleshing out reoganization of errors in errors.py (with gettext support) 2009-01-03 02:35:36 -07:00
Jason Gerard DeRose
4390523b7f Improved Plugin.call() method and added its unit test 2008-12-21 17:12:00 -07:00