Commit Graph

7281 Commits

Author SHA1 Message Date
Simo Sorce
88bcf5899c keytabs: Expose and modify key encoding function
Make it available outside of the encoding.c file for use in a follow-up
patch. Add option to not pass a password and generate a random key
instead.

Related:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Simo Sorce
d04746cdea keytabs: Modularize setkeytab operation
In preparation of adding another function to avoid code duplication.

Related:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Tomas Babej
e5e42fc83a ipaplatform: Move paths from installers to paths module
Part of: https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-26 09:22:21 +02:00
Tomas Babej
c8511d3b3b ipaplatform: Fix misspelled path constant
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 21:07:07 +02:00
Tomas Babej
697387328b ipaplatform: Fix build warnings
The newly created ipaplatform subdirectories base and fedora were
mentioned multiple times in the specfile, which produced build
warnings.

Part of: https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 21:07:07 +02:00
Tomas Babej
2a3c746dca ipaplatform: Drop the base authconfig class
As authconfig is a distro-specific tool there is no incentive for
implying that other platforms should implement any authconfig
implementation of their own.

Part of: https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 21:07:07 +02:00
Tomas Babej
e099ad4583 ipaplatform: Document the platform tasks API
Part of: https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 21:07:06 +02:00
Tomas Babej
af4518b728 sudorule: Refactor add and remove external_post_callback
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:53 +02:00
Tomas Babej
e7969f5af5 ipatests: test_sudo: Expect root listed out if no RunAsUser available
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:52 +02:00
Tomas Babej
701f1fc8ba ipatests: test_sudo: Do not expect enumeration of runasuser groups
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:52 +02:00
Tomas Babej
e0fd2695ca ipatests: test_sudo: Fix assertions not assuming runasgroupcat set to ALL
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:52 +02:00
Tomas Babej
ec2050b7df ipatests: test_sudo: Add coverage for category ALL validation
Makes sure sudorules behave correctly both when adding new entries
with corresponding category set to ALL, and when setting the
category to all when corresponding entries exist.

The only exception of deny commands with cmdcategory ALL is
covered as well.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:52 +02:00
Tomas Babej
c50d190549 ipatests: test_sudo: Add coverage for external entries
Covers functionality of external entries for:
* users
* runAsUsers
* groups of RunAsUsers
* runAsGroups

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:52 +02:00
Tomas Babej
d537da8b8a ipatests: test_sudo: Add tests for allowing hosts via hostmasks
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:51 +02:00
Tomas Babej
b1275c5b1c sudorule: Enforce category ALL checks on dirsrv level
https://fedorahosted.org/freeipa/ticket/4341

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:51 +02:00
Tomas Babej
a1d6c9ab6b sudorule: Fix the order of the parameters to have less chaotic output
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:51 +02:00
Tomas Babej
9bb88a15e0 sudorule: Make sure all the relevant attributes are checked when setting category to ALL
https://fedorahosted.org/freeipa/ticket/4341

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:51 +02:00
Tomas Babej
af2eb4d695 sudorule: Allow adding deny commands when command category set to ALL
https://fedorahosted.org/freeipa/ticket/4340

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:50 +02:00
Tomas Babej
c7da22c1e6 sudorule: Include externalhost and ipasudorunasextgroup in the list of default attributes
The following attributes were missing from the list of default attributes:

* externalhost
* ipasudorunasextuser
* ipasudorunasextgroup

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:50 +02:00
Tomas Babej
3a56b155e8 sudorule: Make sure sudoRunAsGroup is dereferencing the correct attribute
Makes sure we dereference the correct attribute. Also adds object class
checking.

https://fedorahosted.org/freeipa/ticket/4324

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:50 +02:00
Tomas Babej
9304b649a3 sudorule: Allow using external groups as groups of runAsUsers
Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks
sudorule plugin.

https://fedorahosted.org/freeipa/ticket/4263

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:49 +02:00
Tomas Babej
a228d7a3cb sudorule: Allow using hostmasks for setting allowed hosts
Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host
commands, which allows setting a range of hosts specified by a hostmask.

https://fedorahosted.org/freeipa/ticket/4274

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:49 +02:00
Tomas Babej
5a1207cb6e sudorule: PEP8 fixes in sudorule.py
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:49 +02:00
Martin Basti
816007bdd9 Fix incompatible DNS permission
dns(forward)zone-add/remove-permission can work with permissions with
relative zone name

Ticket:https://fedorahosted.org/freeipa/ticket/4383

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 18:31:27 +02:00
Petr Vobornik
6dab9123be webui: don't limit permission search in privileges
Search for privileges was limited to bindruletype==permission. There
was no reason to do that.

This patch removes the restriction.

Related to:
https://fedorahosted.org/freeipa/ticket/4079

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-25 16:23:14 +02:00
Petr Vobornik
bfdf9039ce webui: fix field's default value
Fields with default value, such as DNS Zone's idnsforwardpolicy, were
marked as dirty when no value was loaded and when default value of
input control was other than empty.

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-25 16:23:14 +02:00
Petr Vobornik
15374cf58f webui-ci: adjust tests to dns changes
All DNS Zone names must be fully qualified.

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-25 16:23:14 +02:00
Tomas Babej
c2e6b74029 trusts: Allow reading system trust accounts by adtrust agents
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 15:01:52 +02:00
Tomas Babej
8f9838c7ef trusts: Add more read attributes
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 15:01:52 +02:00
Nathaniel McCallum
7b15fcd57b Change OTPSyncRequest structure to use OctetString
This change has two motivations:
  1. Clients don't have to parse the string.
  2. Future token types may have new formats.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 14:22:01 +02:00
Alexander Bokovoy
6af1fc4763 Add missing ipa-otptoken-import.1.gz to spec file
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-25 12:58:41 +02:00
Alexander Bokovoy
2163166ebf Fix packaging issue with doubly specified directories
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-25 12:58:41 +02:00
Nathaniel McCallum
5baa941317 Implement OTP token importing
This patch adds support for importing tokens using RFC 6030 key container
files. This includes decryption support. For sysadmin sanity, any tokens
which fail to add will be written to the output file for examination. The
main use case here is where a small subset of a large set of tokens fails
to validate or add. Using the output file, the sysadmin can attempt to
recover these specific tokens.

This code is implemented as a server-side script. However, it doesn't
actually need to run on the server. This was done because importing is an
odd fit for the IPA command framework:
1. We need to write an output file.
2. The operation may be long-running (thousands of tokens).
3. Only admins need to perform this task and it only happens infrequently.

https://fedorahosted.org/freeipa/ticket/4261

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 12:55:02 +02:00
Martin Basti
bd1df14bd6 Fix ipa.service restart
Ticket: https://fedorahosted.org/freeipa/ticket/4243
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-25 09:11:00 +02:00
Petr Viktorin
628bed8673 test_permission_plugin: Fix permission_find test for legacy permissions
Most of the legacy permissions have been removed.
Do not test that there are many of them.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
175b19bbf8 Add several CRUD default permissions
Add missing Add, Modify, Removedefault permissions to:
- automountlocation (Add/Remove only; locations have
   no data to modify)
- privilege
- sudocmdgroup (Modify only; the others were present)

Related to: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
52003a9ffb Convert Sudo Command Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
6b478628dc Convert Sudo Command default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
439dd7fa74 Convert Service default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
f8dc51860c Convert SELinux User Map default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
820a60420d Convert Role default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
f881f06364 Convert the Modify privilege membership permission to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
0c4d13e136 Convert Netgroup default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
978af07dd5 Convert Hostgroup default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
8e8e6b1ae7 Convert HBAC Service Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
49abbb1ead Convert HBAC Service default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
81d8c8acb5 Convert HBAC Rule default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
af366278b8 Convert Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
afac09b8f3 Convert Automount default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Jan Cholasta
8b8774d138 Remove GetEffectiveRights control when ldap2.get_effective_rights fails.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 12:10:01 +02:00