freeipa.git/install/ui, branch systemd-master FreeIPA project Ticket 1201 - Unable to Download Certificate with Browser 2011-10-21T15:29:47+00:00 John Dennis jdennis@redhat.com 2011-10-18T22:19:25+00:00 9a039acb224ab3dd6c739f141233000b50c28e6f Certificates are passed through the IPA XML-RPC and JSON as binary data in DER X509 format. Queries peformed against the LDAP server also return binary DER X509 format. In all cases the binary DER data is base-64 encoded. PEM is standard text format for certificates. It also uses base64 to encode the binary DER data, but had specific formatting requirements. The base64 data must be wrapped inside PEM delimiters and the base64 data must be line wrapped at 64 characters. Most external software which accepts certificates as input will only accept DER or PEM format (e.g. openssl & NSS). Although base64 is closely related to PEM it is not PEM unless the PEM delimters are present and the base64 data is line wrapped at 64 characters. We already convert binary DER certificates which have been passed as base64 in other parts of the IPA code. However this conversion has not been available in the web UI. When the web UI presented certificates it did so by filling a dialog box with a single line of base64 data. A user could not copy this data and use it as input to openssl or NSS for example. We resolve this problem by introducing new javascript functions in certificate.js. IPA.cert.pem_cert_format(text) will examine the text input and if it's already in PEM format just return it unmodified, otherwise it will line wrap the base64 data and add the PEM delimiters. Thus it is safe to call on either a previously formated PEM cert or a binary DER cert encoded as base64. This applies to pem_csr_format() as well for CSR's. Because pem_cert_format() is safe to call on either format the web UI will see the use of the flag add_pem_delimiters was eliminated except in the one case where the IPA.cert.download_dialog() was being abused to display PKCS12 binary data (pkcs12 is neither a cert nor a cert request). Because of the abuse of the cert.download_dialog() for pkcs12 it was necessary to retain the flag which in effect said "do not treat the data as PEM". Modify the CSR (Certificate Signing Request) dialog box to accept a PEM formatted CSR. Remove the artifical PEM delimiters above and below the dialog box which were used to suggest the input needed to be sans the delimiters. The dialog box continues to accept bare base64 thus allowing either text format. Also note this solves the display of certificate data in the UI without touching anything existing code in the server or command line, thus it's isolated. 
Certificates are passed through the IPA XML-RPC and JSON as binary
data in DER X509 format. Queries peformed against the LDAP server
also return binary DER X509 format. In all cases the binary DER
data is base-64 encoded.

PEM is standard text format for certificates. It also uses base64 to
encode the binary DER data, but had specific formatting
requirements. The base64 data must be wrapped inside PEM delimiters
and the base64 data must be line wrapped at 64 characters.

Most external software which accepts certificates as input will only
accept DER or PEM format (e.g. openssl & NSS). Although base64 is
closely related to PEM it is not PEM unless the PEM delimters are
present and the base64 data is line wrapped at 64 characters.

We already convert binary DER certificates which have been passed as
base64 in other parts of the IPA code. However this conversion has not
been available in the web UI. When the web UI presented certificates
it did so by filling a dialog box with a single line of base64 data. A
user could not copy this data and use it as input to openssl or NSS
for example.

We resolve this problem by introducing new javascript functions in
certificate.js. IPA.cert.pem_cert_format(text) will examine the text
input and if it's already in PEM format just return it unmodified,
otherwise it will line wrap the base64 data and add the PEM
delimiters. Thus it is safe to call on either a previously formated
PEM cert or a binary DER cert encoded as base64. This applies to
pem_csr_format() as well for CSR's.

Because pem_cert_format() is safe to call on either format the web UI
will see the use of the flag add_pem_delimiters was eliminated except
in the one case where the IPA.cert.download_dialog() was being abused
to display PKCS12 binary data (pkcs12 is neither a cert nor a cert
request). Because of the abuse of the cert.download_dialog() for
pkcs12 it was necessary to retain the flag which in effect said "do
not treat the data as PEM".

Modify the CSR (Certificate Signing Request) dialog box to accept a
PEM formatted CSR. Remove the artifical PEM delimiters above and below
the dialog box which were used to suggest the input needed to be sans
the delimiters. The dialog box continues to accept bare base64 thus
allowing either text format.

Also note this solves the display of certificate data in the UI
without touching anything existing code in the server or command line,
thus it's isolated.
Fixing infinite loop in UI navigation unit test. 2011-10-20T15:13:58+00:00 Petr Vobornik pvoborni@redhat.com 2011-10-20T14:37:48+00:00 40f9f52a76907960edc293a84c1af281f674ecad https://fedorahosted.org/freeipa/ticket/1531 It's a fix for regression introduced by previous patch. 
https://fedorahosted.org/freeipa/ticket/1531

It's a fix for regression introduced by previous patch.
Fixed dependency problem in UI test. 2011-10-20T14:17:10+00:00 Endi S. Dewata edewata@redhat.com 2011-10-20T14:12:14+00:00 24cedc41541d140e3a7571499e1944b5beae56e4 






Fixed: Duplicate CSS definitions
2011-10-19T12:44:44+00:00

Petr Vobornik
pvoborni@redhat.com

2011-10-11T07:42:35+00:00

1dda03120e5873d231072468c5637c4718656ed3

https://fedorahosted.org/freeipa/ticket/1565

The ipa.css, ipa_error.css and ipa_migration.css contain some duplicate definitions which cause maintenance problems.

Additional changes:
* fixed whitespaces in ipa.css
* unified headings in config pages





https://fedorahosted.org/freeipa/ticket/1565

The ipa.css, ipa_error.css and ipa_migration.css contain some duplicate definitions which cause maintenance problems.

Additional changes:
* fixed whitespaces in ipa.css
* unified headings in config pages







Circular entity dependency
2011-10-18T18:19:06+00:00

Petr Vobornik
pvoborni@redhat.com

2011-10-10T11:34:15+00:00

27ea90792fb06e7e62f81c352936232ee10894ff

https://fedorahosted.org/freeipa/ticket/1531

Each entity is created together with its dependent objects (e.g. facets and dialog boxes). This causes a circular dependency problem because some of the objects need to obtain a reference to another entity that has not been created.

Currently this is handled by storing only the other entity name and resolve it when needed (e.g. during rendering stage). In IPA.search_facet this delays the creation of the table widget, making it more difficult to customize.

One solution is to do the object creation in 2 steps:

 * create all entity objects only
 * create the dependent objects in each entity

Implemented solution:
 * all entities are created on application start
 * dependant objects (facets and dialogs) are created at once on their first use in entity.





https://fedorahosted.org/freeipa/ticket/1531

Each entity is created together with its dependent objects (e.g. facets and dialog boxes). This causes a circular dependency problem because some of the objects need to obtain a reference to another entity that has not been created.

Currently this is handled by storing only the other entity name and resolve it when needed (e.g. during rendering stage). In IPA.search_facet this delays the creation of the table widget, making it more difficult to customize.

One solution is to do the object creation in 2 steps:

 * create all entity objects only
 * create the dependent objects in each entity

Implemented solution:
 * all entities are created on application start
 * dependant objects (facets and dialogs) are created at once on their first use in entity.







Fixed: Unable to add external user for RunAs User for Sudo rules
2011-10-17T16:01:16+00:00

Petr Vobornik
pvoborni@redhat.com

2011-10-17T09:48:03+00:00

1e5391422143c17a94008a0703099c5f877e46fd

https://fedorahosted.org/freeipa/ticket/1987

There is no way to add root or any external user as a RunAs User for a Sudo
Rule.





https://fedorahosted.org/freeipa/ticket/1987

There is no way to add root or any external user as a RunAs User for a Sudo
Rule.







Fix dynamic display of UI tabs based on rights
2011-10-13T03:19:54+00:00

Adam Young
ayoung@redhat.com

2011-10-13T18:48:55+00:00

93ddfd008af6cd720c6f8c6902e8d24b06d59e72

Fixes the webui for the case wherea user is not admin but has a role. In
that case, the UI should show the full administrative tabset, but was
instead limited to the selfservice tabset.

The problem was rolegroup had been renamed to role but the UI hadn't
been updated to reflect this.

Addresses
https://bugzilla.redhat.com/show_bug.cgi?id=745957
https://fedorahosted.org/freeipa/ticket/1970





Fixes the webui for the case wherea user is not admin but has a role. In
that case, the UI should show the full administrative tabset, but was
instead limited to the selfservice tabset.

The problem was rolegroup had been renamed to role but the UI hadn't
been updated to reflect this.

Addresses
https://bugzilla.redhat.com/show_bug.cgi?id=745957
https://fedorahosted.org/freeipa/ticket/1970







Added missing fields to password policy page
2011-10-10T22:50:34+00:00

Petr Vobornik
pvoborni@redhat.com

2011-10-11T08:24:48+00:00

89b869d2c2ab6a86b3be12f1aff33437e9974571

https://fedorahosted.org/freeipa/ticket/1944

No editable fields exist for "maxfail", "failinterval" "lockouttime" and "priority" in password policy page.





https://fedorahosted.org/freeipa/ticket/1944

No editable fields exist for "maxfail", "failinterval" "lockouttime" and "priority" in password policy page.







Split Web UI initialization to several smaller calls
2011-10-10T03:32:55+00:00

Petr Vobornik
pvoborni@redhat.com

2011-10-07T15:41:24+00:00

59cd7f51c48d7e9b2703437229f35b114fd9585b

https://fedorahosted.org/freeipa/ticket/1933

Web UI init method was modified to get initialization data in 3 calls.
First call remains the same as before except that the json_metadata command
was removed.

JSON metadata are requested after successful response of the first batch command.
This approach should preserve functionality in IE (where request is missing after
authentication). Getting JSON metadata is split to two commands - this should prevent
the error in linked ticket. These two commands are paralelly executed by new
concurent_command object.

Concurrent command waits for all responses then it calls each command's success
handler.





https://fedorahosted.org/freeipa/ticket/1933

Web UI init method was modified to get initialization data in 3 calls.
First call remains the same as before except that the json_metadata command
was removed.

JSON metadata are requested after successful response of the first batch command.
This approach should preserve functionality in IE (where request is missing after
authentication). Getting JSON metadata is split to two commands - this should prevent
the error in linked ticket. These two commands are paralelly executed by new
concurent_command object.

Concurrent command waits for all responses then it calls each command's success
handler.







Split Web UI initialization to several smaller calls #2
2011-10-10T03:32:55+00:00

Petr Vobornik
pvoborni@redhat.com

2011-10-07T15:42:37+00:00

6be3ef1681718d1af81089c0a2d7ea1817b16a0e

https://fedorahosted.org/freeipa/ticket/1933

Modified data files for offline testing.





https://fedorahosted.org/freeipa/ticket/1933

Modified data files for offline testing.