| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
| |
HBAC Test validation message contains all missing values in form of list of links instead of general 'missing values' message and redirection to first missing value's facet.
When a link is clicked user is redirected to value's facet.
https://fedorahosted.org/freeipa/ticket/2182
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Problem:
When value in checkbox is modified twice in a row (so it is at its original value) an 'undo' button is still visible even when it shouldn't be.
Cause:
IPA server sends boolean values as 'TRUE' or 'FALSE' (strings). Checkbox_widget converts them to JavaScript? boolean (true, false). Save method in checkbox_widget is returning array with a boolean. So test_dirty method always evaluates to dirty because 'FALSE' != false.
This patch is fixing the problem.
https://fedorahosted.org/freeipa/ticket/2494
|
| |
|
|
|
|
| |
Updated UI static content to contain value and label for certificate serial_number_hex.
https://fedorahosted.org/freeipa/ticket/1991
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1991
|
| |
|
|
|
|
| |
When a table is displaying a record set without entity's pkey attribute. A checkbox value isn't properly prepared. This patch adds the preparation (converts value to string).
https://fedorahosted.org/freeipa/ticket/2404
|
| |
|
|
|
|
|
|
|
|
| |
Network validator allowed invalid mask format:
* leading zeros: 192.168.0.1/0024
* trailing chars: 192.168.0.1/24abcd
It was fixed.
https://fedorahosted.org/freeipa/ticket/2493
|
| |
|
|
|
|
| |
Creating CSV values in UI is unnecessary and error-prone because server converts them back to list. Possible problems with values containing commas may occur. All occurrences of CSV joining were therefore removed.
https://fedorahosted.org/freeipa/ticket/2227
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Usability was imporved in Unauthorized/Login dialog.
When the dialog is opened a link which switches to login form is focus so user can do following:
1) press enter (login form is displayed and username field is focused )
2) type username
3) press tab
4) type password
5) press enter
this sequence will execute login request.
When filling form user can also press 'escape' to go back to previous form state. It's the same as if he would click on the 'back' button.
https://fedorahosted.org/freeipa/ticket/2450
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Support for forms based authentication was added to UI.
It consist of:
1) new login page
Page url is [ipa server]/ipa/ui/login.html
Page contains a login form. For authentication it sends ajax request at [ipa server]/session/json/login_password. If authentication is successfull page is redirected to [ipa server]/ipa/ui if it fails from whatever reason a message is shown.
2) new enhanced error dialog - authorization_dialog.
This dialog is displayed when user is not authorized to perform action - usually when ticket and session expires.
It is a standard error dialog which shows kerberos ticket related error message and newly offers (as a link) to use form based authentication. If user click on the link, the dialog content and buttons switch to login dialog which has same functionality as 'new login page'. User is able to return back to the error message by clicking on a back button.
login.html uses same css styles as migration page -> ipa-migration.css was merged into ipa.css.
https://fedorahosted.org/freeipa/ticket/2450
|
| |
|
|
|
|
|
|
|
|
| |
Logout button was added to Web UI.
Click on logout button executes session_logout command. If command succeeds or xhr stutus is 401 (unauthorized - already logged out) page is redirected to logout.html.
logout.html is a simple page with "You have been logged out" text and a link to return back to main page.
https://fedorahosted.org/freeipa/ticket/2363
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Option to set attributes in permission was missing for target 'group' and 'filter'.
Attribute_table_widget with type=group is shown for target=group.
For target=filter a multivalued textbox is shown. This is because UI can't predict what type will the result of the filter be. In future it can be extended by interactive attribute selector to help user find what he wants to enter.
Mutlivalued widget was modified to show undo button for new entries even if show_undo is false. It is useful in adder dialog to indicate that user added something and to enable it reversal.
https://fedorahosted.org/freeipa/ticket/2372
|
| |
|
|
|
|
|
|
|
|
| |
Current implementation has a limitation to have one field per one attribute. This is fine for most cases. For cases where an attribute can have two editor widgets which can be swapped a need for two different types of field may occur.
This patch introduces 'param' option which supposes to contain attribute name. If 'param' is not specified it will contain field's name therefore backward compatibility is maintained. This extension allows to have two fields with different name and same param -> two fields get/supply value from/to the same attribute.
Needed for:
https://fedorahosted.org/freeipa/ticket/2372
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When editable combobox had only one option and input field was cleared, the option couldn't be selected if it was selected before.
This patch adds click handler to option elements. The handler calls select_on_change.
When different option is selected select_on_change is executed twice. To avoid duplicate call of value_changed an open state of option area is checked. In first pass the area will be closed so it won't be executed in second. When selected option is clicked, only onclick handler is processed.
This patch assumes that select event will be processed before click event.
https://fedorahosted.org/freeipa/ticket/2070
|
| |
|
|
|
|
| |
Redirection in 'Add and edit' in automember hostgroup now navigates to correct facet.
https://fedorahosted.org/freeipa/ticket/2422
|
| |
|
|
|
|
|
|
| |
dnszone attributes idnsallowquery and idnsallowtransfer have valid but currently unsupported values: 'localhost' and 'localnets'.
New validator was introduced for unsuported values. By using this validator user can see that the value is currently unsupported instead of showing 'invalid value' or passing the value to server and creating error there.
https://fedorahosted.org/freeipa/ticket/2351
|
| |
|
|
|
|
|
|
| |
Fixed hanling of 4304 error in DNS record add.
Code which handled this error in host-add was generalized and moved to IPA. DNS record add both in adder dialog and dns record table are using this generalized version.
https://fedorahosted.org/freeipa/ticket/2349
|
| |
|
|
|
|
|
|
| |
All custom validators were changed to return true result if value is empty. Raising error if value is empty is resposibility of check_required call.
This fixes immediate displaying of error message in multivalued fields containing custom validators.
https://fedorahosted.org/freeipa/ticket/2351
|
| |
|
|
|
|
| |
is_empty method represents IPA UI standard of evaluating whether value is empty. Therefore is should be placed in IPA object instead of IPA.field to allow reuse in different locations.
https://fedorahosted.org/freeipa/ticket/2351
|
| |
|
|
|
|
| |
UI for DNS global configuration was implemented.
https://fedorahosted.org/freeipa/ticket/2350
|
| |
|
|
|
|
|
|
| |
UI was modified to reflect changes in #2309.
Now it uses a6_part_data attribute instead of a6record. This fixes displaying of values in a table and modification of existing A6 record.
https://fedorahosted.org/freeipa/ticket/2367
|
| |
|
|
|
|
|
|
| |
To DNS record adder dialog were added a_extra_create_reverse and aaaa_extra_create_reverse options.
It's UI part of #2009.
https://fedorahosted.org/freeipa/ticket/2349
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New attributes were added to DNS zone details facet.
Attributes:
idnsallowquery
idnsallowtransfer
idnsforwarders
idnsforwardpolicy
idnsallowsyncptr
New network address validator created for idnsallowquery and idnsallowtransfer attributes.
Network address validator also added to dnszone adder dialog - from_ip field.
https://fedorahosted.org/freeipa/ticket/2351
|
| |
|
|
|
|
|
|
|
|
| |
Problem:
UI doesn't have a control for selecting one or none value from given set of values.
Solution:
Attribute mutex was added to checkboxes_widget. When it is set, checking some value causes that all other values are unchecked.
https://fedorahosted.org/freeipa/ticket/2351
|
| |
|
|
| |
Tickets: #2349 #2350 #2351 #2367
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Adjust URL's
- rename /ipa/login -> /ipa/session/login_kerberos
- add /ipa/session/login_password
* Adjust Kerberos protection on URL's in ipa.conf
* Bump VERSION in httpd ipa.conf to pick up session changes.
* Adjust login URL in ipa.js
* Add InvalidSessionPassword to errors.py
* Rename krblogin class to login_kerberos for consistency with
new login_password class
* Implement login_password.kinit() method which invokes
/usr/bin/kinit as a subprocess
* Add login_password class for WSGI dispatch, accepts POST
application/x-www-form-urlencoded user & password
parameters. We form the Kerberos principal from the server's
realm.
* Add function krb5_unparse_ccache()
* Refactor code to share common code
* Clean up use of ccache names, be consistent
* Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file()
with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache().
bind_ipa_ccache() now sets environment KRB5CCNAME variable.
release_ipa_ccache() now clears environment KRB5CCNAME variable.
* ccache names should now support any ccache storage scheme,
not just FILE based ccaches
* Add utilies to return HTTP status from wsgi handlers,
use constants for HTTP status code for consistency.
Use utilies for returning from wsgi handlers rather than
duplicated code.
* Add KerberosSession.finalize_kerberos_acquisition() method
so different login handlers can share common code.
* add Requires: krb5-workstation to server (server now calls kinit)
* Fix test_rpcserver.py to use new dispatch inside route() method
https://fedorahosted.org/freeipa/ticket/2095
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Increase the session ID from 48 random bits to 128.
* Implement the sesison_logout RPC command. It permits the UI to send
a command that destroys the users credentials in the current
session.
* Restores the original web URL's and their authentication
protections. Adds a new URL for sessions /ipa/session/json. Restores
the original Kerberos auth which was for /ipa and everything
below. New /ipa/session/json URL is treated as an exception and
turns all authenticaion off. Similar to how /ipa/ui is handled.
* Refactor the RPC handlers in rpcserver.py such that there is one
handler per URL, specifically one handler per RPC and AuthMechanism
combination.
* Reworked how the URL names are used to map a URL to a
handler. Previously it only permitted one level in the URL path
hierarchy. We now dispatch on more that one URL path component.
* Renames the api.Backend.session object to wsgi_dispatch. The use of
the name session was historical and is now confusing since we've
implemented sessions in a different location than the
api.Backend.session object, which is really a WSGI dispatcher, hence
the new name wsgi_dispatch.
* Bullet-proof the setting of the KRB5CCNAME environment
variable. ldap2.connect already sets it via the create_context()
call but just in case that's not called or not called early enough
(we now have other things besides ldap which need the ccache) we
explicitly set it early as soon as we know it.
* Rework how we test for credential validity and expiration. The
previous code did not work with s4u2proxy because it assumed the
existance of a TGT. Now we first try ldap credentials and if we
can't find those fallback to the TGT. This logic was moved to the
KRB5_CCache object, it's an imperfect location for it but it's the
only location that makes sense at the moment given some of the
current code limitations. The new methods are KRB5_CCache.valid()
and KRB5_CCache.endtime().
* Add two new classes to session.py AuthManager and
SessionAuthManager. Their purpose is to emit authication events to
interested listeners. At the moment the logout event is the only
event, but the framework should support other events as they arise.
* Add BuildRequires python-memcached to freeipa.spec.in
* Removed the marshaled_dispatch method, it was cruft, no longer
referenced.
https://fedorahosted.org/freeipa/ticket/2362
|
| |
|
|
|
|
|
|
|
|
| |
Missing options were added to Web UI's IPA Server/Configuration page.
* ipaconfigstring
* ipaselinuxusermaporder
* ipaselinuxusermapdefault
https://fedorahosted.org/freeipa/ticket/2285
https://fedorahosted.org/freeipa/ticket/2400
|
| |
|
|
|
|
| |
Attribute table was modified to skip creation of option for empty value.
https://fedorahosted.org/freeipa/ticket/2291
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Address column in A, AAAA DNS records was exented of redirection capabilities.
Redirection dialog is shown after a click on a value.
Dialog does following steps:
1) fetch all dns zones
2) find most accurate reverse zone for IP address
2 -fail) show error message, stop
3) checks if target record exists in the zone
3 -fail) show 'dns record create link', stop
4) redirects
Click on 'dns record create link':
1) creates record
1 -fail) show error, stop
2) redirects
https://fedorahosted.org/freeipa/ticket/1975
|
| |
|
|
|
|
|
|
| |
To user and host details pages was added ipasshpubkey attribute.
New widget for ssh public keys was created.
https://fedorahosted.org/freeipa/ticket/2340
|
| |
|
|
|
|
|
| |
In user group adder dialog, the "Is this a POSIX group?" was replaced with "POSIX group".
In host search facet, the "Enrolled?" was replaced with "Enrolled".
https://fedorahosted.org/freeipa/ticket/2353
|
| |
|
|
|
|
|
|
|
|
| |
Problem:
Entity link (eg: to hosts in dns record or to dns record in host) is not changing its state when linked record doesn't exist. The link can remain wrongly enabled from previous state.
Fixed:
The link is disabled when target doesn't exist.
https://fedorahosted.org/freeipa/ticket/2364
|
| |
|
|
|
|
|
|
|
|
| |
The patch fixes a problem in error_handler_login() when it gets
an error other than 401.
The login_url is not needed for fixtures because it does not need
authentication.
The patch also fixes jslint warnings and formatting issues.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:
* Add a session manager to support cookie based sessions which
stores session data in a memcached entry.
* Add ipalib/krb_utils.py which contains functions to parse ccache
names, format principals, format KRB timestamps, and a KRB_CCache
class which reads ccache entry and allows one to extract information
such as the principal, credentials, credential timestamps, etc.
* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
that all kerberos items are co-located.
* Modify javascript in ipa.js so that the IPA.command() RPC call
checks for authentication needed error response and if it receives
it sends a GET request to /ipa/login URL to refresh credentials.
* Add session_auth_duration config item to constants.py, used to
configure how long a session remains valid.
* Add parse_time_duration utility to ipalib/util.py. Used to parse the
session_auth_duration config item.
* Update the default.conf.5 man page to document session_auth_duration
config item (also added documentation for log_manager config items
which had been inadvertantly omitted from a previous commit).
* Add SessionError object to ipalib/errors.py
* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
/ipa/login
* Add SessionCCache class to session.py to manage temporary Kerberos
ccache file in effect for the duration of an RPC command.
* Adds a krblogin plugin used to implement the /ipa/login
handler. login handler sets the session expiration time, currently
60 minutes or the expiration of the TGT, whichever is shorter. It
also copies the ccache provied by mod_auth_kerb into the session
data. The json handler will later extract and validate the ccache
belonging to the session.
* Refactored the WSGI handlers so that json and xlmrpc could have
independent behavior, this also moves where create and destroy
context occurs, now done in the individual handler rather than the
parent class.
* The json handler now looks up the session data, validates the ccache
bound to the session, if it's expired replies with authenicated
needed error.
* Add documentation to session.py. Fully documents the entire process,
got questions, read the doc.
* Add exclusions to make-lint as needed.
|
| |
|
|
|
|
|
| |
Hard-coded labels in Automember UI have been moved into internal.py to
allow translation.
https://fedorahosted.org/freeipa/ticket/2195
|
| |
|
|
|
|
|
|
| |
In this patch was implemented and added a control for defining default automember groups.
There is a difference from UXD spec. In the spec the control was placed below table in the search facet. This was not working well with the combobox in the control. Open combobox requires some space below it. As it was placed at the bottom of the page it created unwanted blank space and forced showing scrollbars. Moving the control above the table solves the problem without rewriting combobox logic. It can be rewritten and moved down later.
https://fedorahosted.org/freeipa/ticket/2195
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New UI for automember.
Implemented:
* search facet core
* rule details facet
* attribute_table_widget - new base class for tables which contains multivalued attribute with special add/remove commands
* adding/removing conditions in details facet
TODO:
* label translations
* UI for defining default rules
https://fedorahosted.org/freeipa/ticket/2195
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In current implementation target facet of navigation(from menu) and redirection is always one exact facet per entity. There isn't a way to navigate to different facet from menu or redirect to different facets from various facets.
This patch adds:
* possibility to define menu items which can navigate to different facets of various entities. This also means that now current menu tree can contain leafs with the same entity.
* possibility to define redirection target per facet - it is needed to keep breadcrumb navigation consistent with various navigation tree patch leading to same entity leafs.
This functionality is needed for Automember UI. Automember UI is designed as if it was for two entities but it is in fact only one.
https://fedorahosted.org/freeipa/ticket/2195
|
| |
|
|
|
|
|
|
|
|
|
| |
The user details page was modified to show the password expiration
date next to the existing password field.
Fixed problem resetting password in self-service mode. The JSON
interface for the passwd command requires the username to be
specified although the equivalent CLI command doesn't require it.
Ticket #2064
|
| |
|
|
|
|
|
| |
The textareas used to display certificates were modified to use
fixed font.
Ticket #2017
|
| |
|
|
|
|
|
| |
Users do not have add/delete permission in self-service mode, so
the search facet was modified to hide the Add/Delete buttons.
Ticket #2188
|
| |
|
|
|
|
|
|
|
|
|
| |
The status formatter was modified to show enabled/disabled icon
before the status text.
The format classes were renamed to formatter to avoid confusion
with the format() method. A new parameter 'type' was added to the
formatter to determine the output type (e.g. text/html).
Ticket #1996
|
| |
|
|
|
|
|
| |
The host managed-by adder dialog has been fixed to use the new
--not-man-hosts option to filter out hosts that are already added.
Ticket #1675
|
| |
|
|
|
|
|
|
| |
Paging in DNS record search facet was disabled because there was a mismatch between primary keys sent by server and values displayed in the facet.
The facet was modified to enable paging. To preserve amount of information which was displayed before, current rows have variable height - they can contain more that one line depending on number of values in the record. Each record has a checkbox and indsname in its first line to distinguish one record from others. Because there is only one checkbox for record, delete command is called with --rem-all option which causes that entire record is removed. Individual values can be deleted in record's details facet.
https://fedorahosted.org/freeipa/ticket/2094
|
| |
|
|
|
|
| |
DNS UI was modified to offer structured way of defining DNS records.
https://fedorahosted.org/freeipa/ticket/2208
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Web UI is caching records. Currently only possible ways how to display updated record which was changed elsewhere - ie. in CLI are:
* refresh page in browser (takes really long on slow vpns)
* search facet: change filter, find, change filter back, find
* entity details: go to search, select other entry, go back to search, select original entry
* association facet: same as entity details
These are unconvenient methods.
This patch adds Refresh button to search, details and association facet. This button executes facets refresh method.
https://fedorahosted.org/freeipa/ticket/2051
|
| |
|
|
|
|
|
|
|
| |
This patch modifies the status attributes in users, DNS zones,
HBAC/sudo rules, HBAC test, and SELinux User Map to use the same
label (i.e. Status) and values (i.e. Enabled/Disabled). The method
to change the status will be modified separately.
Ticket #2247
|
| |
|
|
|
|
|
|
| |
The users, HBAC/sudo rules, HBAC test, and SELinux list pages have
been modified to show disabled entries in gray. Icons will be added
separately.
Ticket #1996
|
| |
|
|
|
|
|
|
|
|
|
| |
The automount keys search facet has been modified to support paging.
Since the automountkey-find command doesn't support --pkey-only
option, the facet is configured such that during a refresh operation
it will retrieve all entries (including the key and info attributes)
and then display only the ones that are supposed to be visible in
the current page.
Ticket #2093
|
| |
|
|
|
|
| |
This patch adds UI for SELinux user mapping. Its design is based on HBAC Rule design.
https://fedorahosted.org/freeipa/ticket/2145
|
