The facet group labels have been modified according to UXD spec.
Some facet groups will have more descriptive labels. Some others
will not have any labels because the facet tab is self-explanatory.

Ticket #1423, #1561

Check that NS address passed in dnszone-add is a domain name and
not an IP address. Make this clear also the parameter help.

https://fedorahosted.org/freeipa/ticket/1567

This option makes no sense for automount keys. This should be
removed in future versions.

https://fedorahosted.org/freeipa/ticket/1529

We have helpers to manage these values so they shouldn't be available
via add/mod. There is no logic behind them to do the right thing.

https://fedorahosted.org/freeipa/ticket/1307
https://fedorahosted.org/freeipa/ticket/1320

HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.

Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.

 Test user coming from source host to a service on a named host against
 existing enabled rules.

 ipa hbactest --user= --srchost= --host= --service=
              [--rules=rules-list] [--nodetail] [--enabled] [--disabled]

 --user, --srchost, --host, and --service are mandatory, others are optional.

 If --rules is specified simulate enabling of the specified rules and test
 the login of the user using only these rules.

 If --enabled is specified, all enabled HBAC rules will be added to simulation

 If --disabled is specified, all disabled HBAC rules will be added to simulation

 If --nodetail is specified, do not return information about rules matched/not matched.

 If both --rules and --enabled are specified, apply simulation to --rules _and_
 all IPA enabled rules.

 If no --rules specified, simulation is run against all IPA enabled rules.

EXAMPLES:

    1. Use all enabled HBAC rules in IPA database to simulate:
    $ ipa  hbactest --user=a1a --srchost=foo --host=bar --service=ssh
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    2. Disable detailed summary of how rules were applied:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
    --------------------
    Access granted: True
    --------------------

    3. Test explicitly specified HBAC rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: myrule

    4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    5. Test all disabled HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: new-rule

    6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule

    7. Test all (enabled and disabled) HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      notmatched: new-rule
      matched: allow_all

Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.

Specifying them through --rules option explicitly enables them only in
simulation run.

Specifying non-existing rules will not grant access and report non-existing
rules in output.

The HBAC service class has been modified to define the memberof
relationship with HBAC service group.

Ticket #1546

https://fedorahosted.org/freeipa/ticket/1493

    change widget and widget unit tests to hold on to entity, not entity name.
    Replacing entity_name with entity.name  in most places.
       The one exception is columns for table_widget.
       Widgets that refer to other entities have to have late resolution of the entity object, due to circular dependencies.

    cleanup entity assignment.
    removed template and layout,
    merged setup into create
    adder dialogs adjust height for external
    removed init from widget, isection, association, facet, host and service

    Make unit tests use factory.
    fix functional tests to click find link correctly.
    tweak to activation test, but still broken.
    moved initialization code to the end
    use --all for hbacrule find, so the type shows up now

    fixed dns exception code and exception handling for get_entity
    replace metadata look up with value from entity.
    fixed author lines
    removed duplicate columns in managed by facets.
    tweak to nav fix in order to initialize tab.
    more defensive code
    update metadata for true false
    one line init for entity_name in widget
    move init code to end of constructor functions
    moved constants to start of function for adder_dialog
    external fields for dialogs initialized at dialog creation
    sudo sections: move add fields and columns to widget definition.

   The parameter validation in IPA.column ...This is precondition checking.  Note that it merely throws an exception if the entity_name is not set.  I want this stuff at the top of the function so that it is obvious to people looking to use them what is required.  I added a comment to make this clear, but I'd like to keep precondition checking at the top of the function.

   decreased the scope of the pkey_name and moved the initiailzation fof columns into the setup_column function for association_tables

   return false at the end of click handler

   removed blank labels in sudo command section

   fix radio buttons for sudo category

   fixed table side for adder dialogs with external fields
    comments for future direction with add_columns

    https://fedorahosted.org/freeipa/ticket/1451
    https://fedorahosted.org/freeipa/ticket/1462
    https://fedorahosted.org/freeipa/ticket/1493
    https://fedorahosted.org/freeipa/ticket/1497
    https://fedorahosted.org/freeipa/ticket/1532
    https://fedorahosted.org/freeipa/ticket/1534

Replace deepcopy with constructor (i.e. type call)
Can now "clone" with configuration changes by passing object
of the same type to it's constructor, e.g.
dn1 = DN(('cn', 'foo'))
dn2 = DN(dn1)
dn2 = DN(dn1, first_key_match=False)

Remove pairwise grouping for RDN's. Had previously removed it
for DN's, left it in for RDN's because it seemed to make sense
because of the way RDN's work but consistency is a higher goal.

Add keyword constructor parameters to pass configuration options.

Make first_key_match a configuration keyword.

Updated documentation.

Updated unit test.

FWIW, I noticed the unittest is now running 2x faster, not sure why,
removal of deepcopy? Anyway, hard to argue with performance doubling.

Fix several test failures when issuer does not match the one
generated by make-testcert (CN=Certificate Authority,O=<realm>).

https://fedorahosted.org/freeipa/ticket/1527