Commit Graph

481 Commits

Author SHA1 Message Date
Jan Cholasta
dcea80fc17 Check configured maximum user login length on user rename.
ticket 2587
2012-04-08 17:10:39 -04:00
Ondrej Hamada
d75bffccd6 Confusing default user groups
Added 'fallback' into the labels for default automember group and
hostgroup.

https://fedorahosted.org/freeipa/ticket/2354
2012-04-08 16:48:54 -04:00
Jan Cholasta
cdebb29fec Check whether the default user group is POSIX when adding new user with --noprivate.
ticket 2572
2012-04-05 15:04:45 +02:00
Petr Viktorin
8a7d7aaf81 Defer conversion and validation until after --{add,del,set}attr are handled
--addattr & friends that modified attributes known to Python sometimes
used converted and validated Python values instead of LDAP strings.
This caused a problem for --delattr, which searched for a converted
integer in a list of raw strings (ticket 2407).
With this patch we work on raw strings, converting only when done.

Deferring validation ensures the end result is valid, so proper errors
are raised instead of failing later (ticket 2405).

Tests included.

Replaces previous fix for:
https://fedorahosted.org/freeipa/ticket/2418

Fixes:
https://fedorahosted.org/freeipa/ticket/2405
https://fedorahosted.org/freeipa/ticket/2407
https://fedorahosted.org/freeipa/ticket/2408
2012-04-03 17:43:27 -04:00
Petr Viktorin
2b077f7b0d Test the batch plugin
This adds tests for the batch plugin, and changes its output
declaration to allow results as tuples (this tripped validation).

The assert_deepequal function ignores the order of items in lists.
Document this in its docstring, and use a custom checker for the
batch plugin results.
2012-04-03 16:19:59 -04:00
Petr Viktorin
b0a5524028 Fix little test errors
Two test methods in test_rpcserver had the same name; the first didn't get
to run.
Another duplicate pair was in test_hbac_plugin with the same name; the ignored
test had small error in it.
check_TypeError used a wrong constant name
An error reporting function in test.util used uninitialized argument names.

This patch fixes these problems.
2012-04-03 16:19:43 -04:00
Petr Viktorin
8c1171e923 Move test skipping to class setup
Currently, each DNS test case first checks if DNS is configured
by creating and deleting a test zone. This takes quite a lot of time.

This patch moves the check to the setUpClass method, so the check is
only done once for all the tests.

Similarly, if the server is not available, entire XMLRPC test classes
are now skipped.

Additionally, CLItests that hit the server are skipped if the server
isn't available.
2012-04-01 16:21:10 -04:00
Ondrej Hamada
5cfee2338d Netgroup nisdomain and hosts validation
nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2448

'add_external_pre_callback' function was created to allow validation of
all external members. Validation is based on usage of objects primary
key parameter. The 'add_external_pre_callback' fucntion has to be called
directly from in the 'pre_callback' function. This change affects
netgroup, hbacrule and sudorule commands.

For hostname, the validator allows non-fqdn and underscore characters.
validate_hostname function in ipalib.util was modified and contains
additional option that allows hostname to contain underscore characters.
This option is disabled by default.

Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2447
2012-03-28 16:23:37 +02:00
Petr Viktorin
96c5551ace Add CLI parsing tests
These test that command lines are parsed to correct Command arguments.
Includes some tests for interactive prompts.

To make this possible cli.run is broken up into several pieces.
2012-03-28 15:25:33 +02:00
Jan Cholasta
a2299070c8 Change parameters to use only default_from for dynamic default values.
Replace all occurences of create_default with equivalent default_from
and remove create_default from the framework. This is needed for
proper parameter validation, as there is no way to tell which
parameters to validate prior to calling create_default, because
create_default does not provide information about which parameters are
used for generating the default value.
2012-03-28 14:04:31 +02:00
Jan Cholasta
bd440d515e Fix uses of O=REALM instead of the configured certificate subject base.
ticket 2521
2012-03-26 20:29:26 -04:00
Jan Cholasta
0024024897 Parse zone indices in IPv6 addresses in CheckedIPAddress.
If a zone index is present in an IPv6 address, it is ignored.

ticket 2138
2012-03-27 12:03:16 +02:00
Petr Viktorin
0b01751c1b Use valid argument names in tests
Some of our tests used unintended extra options, or options with
misspelled, wrongly copy-pasted or otherwise bad names. These are
ignored, so the intended argument was treated as missing. The test
itself can still pass but may be rendered ineffective or fragile.

This only fixes those of such errors that appear in the test suite.
Fixing code in the framework and actual rejecting of unknown
arguments is deferred for later (ticket #2509).
2012-03-25 18:05:33 -04:00
Rob Crittenden
a672483118 Fix unit tests to work with new comma-support, validation requirements 2012-03-26 09:29:27 +02:00
Martin Kosek
5b8e1e8c62 Harden raw record processing in DNS plugin
There were cases where DNS plugin was too tolerant in a raw DNS
record option (--<rrtype-rec) processing. It let people specify
DNS record parts options in dnsrecord-mod operations for some
record without specifying the record that should be updated. It
also ignored DNS record parts in dnsrecord-add operation when the
raw DNS record value was already set via --<rrtype>-rec option.

This patch hardens the processing and returns error in both
described cases to make the processes clearer and more robust.

All these use cases were also covered by new unit tests.

https://fedorahosted.org/freeipa/ticket/2551
2012-03-22 19:30:13 +01:00
Martin Kosek
19b2af8e52 Fix precallback validators in DNS plugin
DNS plugin contains several RR type record validators run in
pre_callback which cannot be used as standard param validator
as it needs more data and resources that standard validators
provide. However, the precallback validators are not run for
DNS records created by new structured options and thus an invalid
value may slip in.

This patch moves the execution of these precallback validators
_after_ the processing of structured DNS options. It also cleans
them up a little and makes them more robust.

https://fedorahosted.org/freeipa/ticket/2550
2012-03-22 17:27:09 +01:00
Ondrej Hamada
a58cbb985e Search allowed attributes in superior objectclasses
get_allowed_attributes function was improved to look for allowed
attributes also in the superior objectclasses of specified objectclass.

This fixes the regression caused by patch for ticket #2293. Test-case
for unit-test was also created.

https://fedorahosted.org/freeipa/ticket/2293
2012-03-22 17:13:39 +01:00
Rob Crittenden
d14438405a Fix test failure testing rename with an invalid hostname.
Validation is going to catch the invalid hostname before the mod is tried.
2012-03-21 17:48:59 -04:00
Petr Viktorin
dddebe2350 Only split CSV in the client, quote instead of escaping
Splitting on commas is not an idempotent operation:
'a,b\,c' -> ('a', 'b,c') -> ('a', 'b', 'c')

That means we can't do it when the call is forwarded, so this is only
done on the CLI. The UI already sends values as a tuple.

Replace escaping in the csv parser with quoting. Quoted strings can have
embedded commas instead of having to escape them. This prevents the csv
parser from eating all escape characters.

Also, document Param's csv arguments, and update tests.

https://fedorahosted.org/freeipa/ticket/2417
https://fedorahosted.org/freeipa/ticket/2227
2012-03-20 20:03:54 -04:00
Martin Kosek
9b562f7377 Add missing global options in dnsconfig
Add a support for new global options in bind-dyndb-ldap, that is:
 * idnsforwardpolicy: Default policy for conditional forwarding
 * idnsallowsyncptr: Allow globaly PTR synchronization for dynamic
   updates
 * idnszonerefresh: Default interval between regular polls of the
   name server for new DNS zones

https://fedorahosted.org/freeipa/ticket/2439
2012-03-20 15:40:08 +01:00
Petr Viktorin
c14a2d8245 Use nose tools to check for exceptions
Some of our tests checked for exceptions using an error-prone
try block: they allowed the expected exception to pass, but sometimes
forgot an else block, so the test passed when an exception wasn't
thrown.

This changes the tests to use the appropriate nose tools (raises,
assert_raises).
For consistency, tests that had a correct else block are also changed.

Also fix some test problems that were hidden by the above:
- in some sudorule and HBAC tests, change the *_add_user argument name
  from `users` to `user`
- don't remove HBAC testing data while it was still used
2012-03-19 16:33:35 +01:00
Rob Crittenden
35521ad6bb Don't allow hosts and services of IPA masters to be disabled.
https://fedorahosted.org/freeipa/ticket/2487
2012-03-19 16:09:09 +01:00
Petr Viktorin
7a5ca16c74 Remove ipausers' gidnumber from tests
The ipausers group is no longer a POSIX group by default.
Reflect that in the tests.
2012-03-14 23:59:54 -04:00
Rob Crittenden
d4a80dbe52 Display serial number as HEX (DECIMAL) when showing certificates.
https://fedorahosted.org/freeipa/ticket/1991
2012-03-14 04:40:35 -04:00
Petr Viktorin
e9d68a7b00 Don't crash when searching with empty relationship options
Empty sequences (and sequences of empty strings) are normalized
to None, but the member filter code expected a list.
This patch extends a test for missing options to also catch
false values.
The functional change is from `if param_name in options:` to
`if options.get(param_name):`; the rest of the patch is code
de-duplication and tests.

These are CSV params with csv_skipspace set, so on the CLI, empty
set is given as a string with just spaces and commas (including
the empty string).

https://fedorahosted.org/freeipa/ticket/2479
2012-03-13 23:28:53 -04:00
Petr Viktorin
1dc11a01d7 Allow removing sudo commands with special characters from command groups
Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.

https://fedorahosted.org/freeipa/ticket/2483
2012-03-12 16:02:29 +01:00
Rob Crittenden
8fdb181c7a Make hostnames adhere to new standards in hbactest plugin tests 2012-03-01 21:53:29 -05:00
Rob Crittenden
d55d8bfa7e Add support for sudoOrder
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.

The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.

https://fedorahosted.org/freeipa/ticket/1314
2012-03-01 21:02:33 -05:00
Rob Crittenden
6c3e908232 Make hostnames adhere to new standards in HBAC tests 2012-03-01 05:16:59 -05:00
Rob Crittenden
5e01ed1325 subclass HTTP_Status from plugable.Plugin, fix not_found tests
HTTP_Status needs to subclass from Plugin because it does its own logging.

Add tests for other methods of HTTP_Status
2012-02-29 21:04:10 -05:00
Rob Crittenden
0099ccbea8 Only apply validation rules when adding and updating.
There may be cases, for whatever reason, that an otherwise illegal
entry gets created that doesn't match the criteria for a valid
user/host/group name. If this happens (i.e. migration) there is no way
to remove this using the IPA tools because we always applied the name
pattern. So you can't, for example, delete a user with an illegal name.

Primary keys are cloned with query=True in PKQuery which causes no
rules to be applied on mod/show/find. This reverts a change from commit
3a5e26a0 which applies class rules when query=True (for enforcing no
white space).

Replace rdnattr with rdn_is_primary_key. This was meant to tell us when
an RDN change was necessary to do a rename. There could be a disconnect
where the rdnattr wasn't the primary key and in that case we don't
need to do an RDN change, so use a boolean instead so that it is
clear that RDN == primary key.

Add a test to ensure that nowhitespace is actually enforced.

https://fedorahosted.org/freeipa/ticket/2115

Related: https://fedorahosted.org/freeipa/ticket/2089

Whitespace tickets:
https://fedorahosted.org/freeipa/ticket/1285
https://fedorahosted.org/freeipa/ticket/1286
https://fedorahosted.org/freeipa/ticket/1287
2012-02-29 18:00:45 -05:00
Martin Kosek
7db1da1d65 Improve hostname and domain name validation
DNS plugin did not check DNS zone and DNS record validity and
user was thus able to create domains like "foo bar" or other
invalid DNS labels which would really confuse both user and
bind-dyndb-ldap plugin.

This patch at first consolidates hostname/domain name validators
so that they use common functions and we don't have regular
expressions and other checks defined in several places. These
new cleaned validators are then used for zone/record name
validation.

https://fedorahosted.org/freeipa/ticket/2384
2012-02-29 18:52:58 +01:00
Ondrej Hamada
1356988b7a Validate attributes in permission-add
When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified type.
In case of disallowed attributes raises the ObjectclassViolation
exception.

New tests were also added to the unit-tests.

https://fedorahosted.org/freeipa/ticket/2293
2012-02-28 18:22:24 -05:00
John Dennis
ee780df13c Implement password based session login
* Adjust URL's
  - rename /ipa/login -> /ipa/session/login_kerberos
  - add /ipa/session/login_password

* Adjust Kerberos protection on URL's in ipa.conf

* Bump VERSION in httpd ipa.conf to pick up session changes.

* Adjust login URL in ipa.js

* Add InvalidSessionPassword to errors.py

* Rename krblogin class to login_kerberos for consistency with
  new login_password class

* Implement login_password.kinit() method which invokes
  /usr/bin/kinit as a subprocess

* Add login_password class for WSGI dispatch, accepts POST
  application/x-www-form-urlencoded user & password
  parameters. We form the Kerberos principal from the server's
  realm.

* Add function  krb5_unparse_ccache()

* Refactor code to share common code

* Clean up use of ccache names, be consistent

* Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file()
  with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache().
  bind_ipa_ccache() now sets environment KRB5CCNAME variable.
  release_ipa_ccache() now clears environment KRB5CCNAME variable.

* ccache names should now support any ccache storage scheme,
  not just FILE based ccaches

* Add utilies to return HTTP status from wsgi handlers,
  use constants for HTTP status code for consistency.
  Use utilies for returning from wsgi handlers rather than
  duplicated code.

* Add KerberosSession.finalize_kerberos_acquisition() method
  so different login handlers can share common code.

* add Requires: krb5-workstation to server (server now calls kinit)

* Fix test_rpcserver.py to use new dispatch inside route() method

https://fedorahosted.org/freeipa/ticket/2095
2012-02-27 05:57:43 -05:00
John Dennis
9753fd4230 Tweak the session auth to reflect developer consensus.
* Increase the session ID from 48 random bits to 128.

* Implement the sesison_logout RPC command. It permits the UI to send
  a command that destroys the users credentials in the current
  session.

* Restores the original web URL's and their authentication
  protections. Adds a new URL for sessions /ipa/session/json. Restores
  the original Kerberos auth which was for /ipa and everything
  below. New /ipa/session/json URL is treated as an exception and
  turns all authenticaion off. Similar to how /ipa/ui is handled.

* Refactor the RPC handlers in rpcserver.py such that there is one
  handler per URL, specifically one handler per RPC and AuthMechanism
  combination.

* Reworked how the URL names are used to map a URL to a
  handler. Previously it only permitted one level in the URL path
  hierarchy. We now dispatch on more that one URL path component.

* Renames the api.Backend.session object to wsgi_dispatch. The use of
  the name session was historical and is now confusing since we've
  implemented sessions in a different location than the
  api.Backend.session object, which is really a WSGI dispatcher, hence
  the new name wsgi_dispatch.

* Bullet-proof the setting of the KRB5CCNAME environment
  variable. ldap2.connect already sets it via the create_context()
  call but just in case that's not called or not called early enough
  (we now have other things besides ldap which need the ccache) we
  explicitly set it early as soon as we know it.

* Rework how we test for credential validity and expiration. The
  previous code did not work with s4u2proxy because it assumed the
  existance of a TGT. Now we first try ldap credentials and if we
  can't find those fallback to the TGT. This logic was moved to the
  KRB5_CCache object, it's an imperfect location for it but it's the
  only location that makes sense at the moment given some of the
  current code limitations. The new methods are KRB5_CCache.valid()
  and KRB5_CCache.endtime().

* Add two new classes to session.py AuthManager and
  SessionAuthManager. Their purpose is to emit authication events to
  interested listeners. At the moment the logout event is the only
  event, but the framework should support other events as they arise.

* Add BuildRequires python-memcached to freeipa.spec.in

* Removed the marshaled_dispatch method, it was cruft, no longer
  referenced.

https://fedorahosted.org/freeipa/ticket/2362
2012-02-27 05:54:29 -05:00
Rob Crittenden
7d7322de2e Limit allowed characters in a netgroup name to alpha, digit, -, _ and .
Apply this to hostgroup names as well since they can be linked.

https://fedorahosted.org/freeipa/ticket/2221
2012-02-27 00:06:44 -05:00
Martin Kosek
cbb3bfae23 Add reverse DNS record when forward is created
Adding reverse DNS record may be a time consuming task, especially
for IPv6 addresses. Having a way to automatically create a reverse
record when a forward record is created could speed up the process.
host-add command already has this possibility.

This patch takes advantage of the new per-type API and adds new
options for A/AAAA record types: --a-create-reverse and
--aaaa-create-reverse. These commands can be used to automatically
create reverse records for new A/AAAA addresses (both forward
and reverse zones need to be managed by FreeIPA server):

ipa dnsrecord-add example.com foo --a-rec=10.0.0.1 --a-create-reverse

This command would add a new A record to record foo in zone
example.com and a PTR record to appropriate reverse zone for
IP address 10.0.0.1 (for example PTR record 1 in zone
0.0.10.in-addr.arpa. pointing to foo.example.com.).

Few modification were done to new DNS API to support this feature:
 - Refactor --ip-address option handling from host-add and place it
   to dns.py to be used by both modules
 - Add support for "extra" per-type options
 - Hide DNS record part options in dnsrecord_find command as they
   have no effect for this command

https://fedorahosted.org/freeipa/ticket/2009
2012-02-27 16:50:08 +01:00
Martin Kosek
8605790225 Query and transfer ACLs for DNS zones
Provide a way to specify BIND allow-query and allow-transfer ACLs
for DNS zones.

IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To
avoid zone information leaks to unintended places, allow-transfer
ACL for every zone is by default set to none and has to be
explicitly enabled by an Administrator. This is done both for new
DNS zones and old DNS zones during RPM update via new DNS upgrade
plugin.

https://fedorahosted.org/freeipa/ticket/1211
2012-02-24 09:40:43 +01:00
Martin Kosek
2cf5893761 Global DNS options
Implement API for DNS global options supported in bind-dyndb-ldap.
Currently, global DNS option overrides any relevant option in
named.conf. Thus they are not filled by default they are left as
a possibility for a user.

Bool encoding had to be fixed so that Bool LDAP attribute can also
be deleted and not just set to True or False.

https://fedorahosted.org/freeipa/ticket/2216
2012-02-24 09:40:40 +01:00
Rob Crittenden
d4a1dc5712 Don't allow IPA master hosts or important services be deleted.
Deleting these would cause the IPA master to blow up.

For services I'm taking a conservative approach and only limiting the
deletion of known services we care about.

https://fedorahosted.org/freeipa/ticket/2425
2012-02-23 20:17:12 +01:00
Petr Viktorin
8125c11a8d Add extra checking function to XMLRPC test framework
This fixes https://fedorahosted.org/freeipa/ticket/1968 (Add
ability in test framework to compare two values in result)
in a general way: adding an optional extra_check key to the test
dict, so a custom checking function with access to the whole result
can be called.

The particular test mentioned in that issue, checking that the
uidnumber and gidnumber for new isers are the same, is added.

Also, this adds a docstring to the Declarative class.

And finally, the test dictionary is passed to check() via keyword
arguments, preventing spelling mistakes in keys from going unnoticed.
2012-02-19 20:10:46 -05:00
Jan Cholasta
6488378764 Move the compat module from ipalib to ipapython.
Fixes import problems trying to import just ipalib/compat.py.

https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:22:49 -05:00
Jan Cholasta
3c2b0fc28a Add support for SSH public keys to user and host objects.
This patch adds a new multivalue param "sshpubkey" for specifying SSH public
keys to both user and host objects. The accepted value is base64-encoded
public key blob as specified in RFC4253, section 6.6.

Additionaly, host commands automatically update DNS SSHFP records when
requested by user.

https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:21:27 -05:00
Petr Viktorin
d706c411ef Honor default home directory and login shell in user_add
The homedirectory argument had a default_from '/home/<name>', ignoring
the ipahomesrootdir config setting. This patch removes that default,
and adds a test case for ipahomesrootdir.

https://fedorahosted.org/freeipa/ticket/2332

The login shell had the same problem. Again this patch removes the
client-side default and adds a test.

Building the home directory from the default is changed to use
posixpath.join instead of string formatting and ad-hoc cleanup,
and to use '/home' instead of failing when the ipahomesrootdir
setting is not present for some reason.
2012-02-09 18:11:57 +01:00
Ondrej Hamada
616d543a54 Memberof attribute control and update
Checking of parameters used by _make_aci funcion was rewritten.
Additional attributes of ACI(type, attribute, memberof, targetgroup,
subtree, filter) could be unset.

Permission plugin now allows to unset memberof value.
https://fedorahosted.org/freeipa/ticket/2255

Added checking of existence of groups that are specified in permission
and delegation module.

https://fedorahosted.org/freeipa/ticket/2286
https://fedorahosted.org/freeipa/ticket/2305
2012-02-08 10:43:25 +01:00
Rob Crittenden
304b70843a Consolidate external member code into two functions in baseldap.py
External members (users and hosts) are assumed when doing member
management on certain attributes. If the member isn't in IPA it
is assumed to be external. When doing member management we need
to sift through the list of failures and pull out all those
that were simply not found in IPA.

https://fedorahosted.org/freeipa/ticket/1734
2012-02-08 09:12:53 +01:00
Martin Kosek
cf12f3106a Fix raw format for ACI commands
ACI plugins (permission, selfservice and delegation) were not
prepared to serve ACIs in a raw format, i.e. raw "aci" attribute
taken from LDAP. This patch fixes all these plugins and their
commands to provide provide this format. Few ACI raw format unit
tests were added for all these plugins.

https://fedorahosted.org/freeipa/ticket/2010
https://fedorahosted.org/freeipa/ticket/2223
https://fedorahosted.org/freeipa/ticket/2228
https://fedorahosted.org/freeipa/ticket/2232
2012-02-03 17:04:51 +01:00
Martin Kosek
e1fecfaf6a Add SRV record target validator
Add missing SRV record target validator to filter out possible
user errors.

https://fedorahosted.org/freeipa/ticket/2308
2012-02-03 16:25:53 +01:00
Martin Kosek
cb4b2e6fac Fix NSEC record conversion
NSEC record needs special treatment as it is not composed from
a fixed set of DNS parts divided by space, but it contains
a multivalued DNS part "types" containing a list of RR types
it covers.

There was already a special method for parsing raw NSEC record
to DNS parts, but the other direction was missing. This patch
adds special NSEC convertor to fix this issue.

https://fedorahosted.org/freeipa/ticket/2307
2012-02-03 16:25:26 +01:00
Martin Kosek
e41282fbc6 Fix TXT record parsing
TXT record validation fails to parse the record if it contains
spaces. Standard DNS part parser uses a space to divide record
parts. A special parser thus need to be implemented for this RR
type.

https://fedorahosted.org/freeipa/ticket/2306
2012-02-03 16:24:54 +01:00