Implement the --ca option for cert-revoke and cert-remove-hold.
Defaults to the IPA CA. Raise NotFound if the cert with the given
serial was not issued by the nominated CA.
Also default the --ca option of cert-show to the IPA CA.
Add commentary to cert-status to explain why it does not use the
--ca option.
Fixes: https://fedorahosted.org/freeipa/ticket/5999
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Added permissions for Kerberos authentication indicators reading and
modifying to host objects.
https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Local API commands are not supposed to be executed over RPC but only
locally on the server. They are already excluded from API schema, exclude
them also from RPC and `batch` and `json_metadata` commands.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Add placeholders for remote plugins which are required by client-side
commands. They are used when the remote plugins are not available.
This fixes API initialization error when the remote server does not have
the plugins.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
This fixes API initialization errors when the remote server does not have
the overriden command.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Add new `no_fail` option to API.add_plugin. When set to True, override
errors are ignored and the affected plugins are skipped.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
cert_remove_hold uses output params instead of exceptions to convey
unsuccessful result. Move the output params to the client side before
the command is fixed to use exceptions.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Change user_status from a method of user to a method of a new userstatus
class, which defines the extra attributes returned by user_status.
This fixes user_status CLI output.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Move virtual attributes defined in output params of methods into params of
the related object.
This fixes the virtual attributes being ommited in CLI output.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Lightweight CA subject name collisions are prevented by Dogtag
(response code 409 Conflict), however, we do not want to expose the
Dogtag error. Perform the check in the IPA framework as well,
raising DuplicateEntry on collision.
Fixes: https://fedorahosted.org/freeipa/ticket/5981
Reviewed-By: Milan Kubik <mkubik@redhat.com>
The conflicts should have constant version in it because it is related
to package split.
https://fedorahosted.org/freeipa/ticket/6004
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
cert-request supports adding service principals that don't exist.
If add is requested for other principal types, the error message
just says "the principal doesn't exist".
Add a new error type with better error message to explain that 'add'
is not supported for host or user principals.
Fixes: https://fedorahosted.org/freeipa/ticket/5991
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Multiple issues fixed:
- when untracking a certificate, the path to the NSS directory must be
exactly identical (no trailing /), otherwise the request is not found
and the old certificate is still tracked.
- when a cert is issued by a 3rd party CA, no need to track it
- the server_cert should not be found using cdb.find_server_certs()[0][0]
because this function can return multiple server certificates. For
instance, /etc/httpd/alias contains ipaCert, Server-Cert and Signing-Cert
with the trust flags u,u,u. This leads to trying to track ipaCert (which is
already tracked).
The workaround is looking for server certs before and after the import,
and extract server-cert as the certificate in the second list but not in the
first list.
https://fedorahosted.org/freeipa/ticket/4785https://fedorahosted.org/freeipa/ticket/4786
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Some imports were not possible in old versions of IPA. This caused
import exceptions on the script start.
https://fedorahosted.org/freeipa/ticket/6003
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The confirmation of revoke and remove the certificate hold action is simplier
and more consistent with another parts of WebUI.
Part of: https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Previously the installer did not reinitialize resolver so queries for
records created using --ip-address option might not be answered. This led
to incorrect results during 'Updating DNS system records' phase at the
end of installation.
This is kind of hack but right now we do not have enough time to extend
python-dns's interface with resolver_reinit() method.
https://fedorahosted.org/freeipa/ticket/5962
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use the default context rather the server context for code not running
inside the server.
This prevents the affected code from attempting to initialize the session
manager.
https://fedorahosted.org/freeipa/ticket/5988
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Do not initialize the plugins for all in-server API instances, as they are
used only in the server context.
This prevents code using in-server API instances from attempting to
initialize the session manager.
https://fedorahosted.org/freeipa/ticket/5988
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Removes the side effect of attempting to connect to memcached when the
session module is imported, which caused user visible warnings and/or
SELinux AVC denials.
https://fedorahosted.org/freeipa/ticket/5988
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The module is used only on the server, so there's no need to have it in
ipalib, which is shared by client and server.
https://fedorahosted.org/freeipa/ticket/5988
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Strings which are used by widget which shows authentication indicators were moved.
Therefore the change in string paths.
Part of: https://fedorahosted.org/freeipa/ticket/5872
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Also move strings which are connected with authentication indicators to authtype dict.
This place is more general than have them in service dict. It's nicer when these strings are
not used only on service page.
Part of: https://fedorahosted.org/freeipa/ticket/5872
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
It is hard to translate whole dosctring again and again aftear each
minor change. This split will make life for translators easier. (Just note: dosctring was
changed and that is the reason why I'm sending this, because translators
must translate it again anyway)
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Test ipatests/test_ipalib/test_frontend.py::test_Command::test_validate fails due to attributes that are no longer present, therefore assertion for these values was removed.
https://fedorahosted.org/freeipa/ticket/5987
Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
Test fails were caused mainly by assertion between unicode and nonunicode string, or due to changes in code related to thin client.
Fixes:
test_Command::test_default_from_chaining
test_Command::test_args_options_2_params
test_Command::test_params_2_args_options
test_Command::test_validate_output_per_type
Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
Since DNS configuration is no longer needed for running trust tests, this method's contents are removed. Method is left empty as reference for others, should they have issues with DNS configuration.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
If the version of the remote server is higher than the local version, don't
allow installing a replica of it.
https://fedorahosted.org/freeipa/ticket/5983
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Add possibility to add, remove, view, get and download custom certificates on ID override user page.
https://fedorahosted.org/freeipa/ticket/5926
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Some strings in the testsuite are unicode which wasn't reflected in the tests. This patch fixes the problem by changing concerned strings to unicode.
Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
Add general class for multivalued widget which uses special commands which
are performed immediately.
Part of: https://fedorahosted.org/freeipa/ticket/5108
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
All certificates which are not issued by IPA CA are grey and not clickable. That's
because these certificates are not maintained by IPA CA.
Part of: https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Method calling in actions is moved to another function - these calls may be used
by another functions, not only by actions.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Removed old layout created using html tables. Now table layout is made by div
and modern css styling.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
