summaryrefslogtreecommitdiffstats
path: root/ipalib/errors.py
Commit message (Collapse)AuthorAgeFilesLines
* Fix error in AttrValueNotFound exception exampleRob Crittenden2011-07-111-2/+2
|
* find_entry_by_attr() should fail if multiple entries are foundRob Crittenden2011-07-111-0/+17
| | | | | | | | | | It will only ever return one entry so if more than one are found then we raise an exception. This is most easily seen in the host plugin where we search on the server shortname which can be the same across sub-domains (e.g. foo.example.com & foo.lab.example.com). https://fedorahosted.org/freeipa/ticket/1388
* Raise DuplicateEntry Error when adding a duplicate sudo optionJr Aquino2011-06-161-0/+18
| | | | | | | | | | | | https://fedorahosted.org/freeipa/ticket/1276 https://fedorahosted.org/freeipa/ticket/1277 https://fedorahosted.org/freeipa/ticket/1308 Added new Exception: AttrValueNotFound Fixed XML Test for Sudorule remove_option 1276 (Raise AttrValueNotFound when trying to remove a non-existent option from Sudo rule) 1277 (Raise DuplicateEntry Error when adding a duplicate sudo option) 1308 (Make sudooption a required option for sudorule_remove_option)
* Localization fails for MaxArgumentErrorMartin Kosek2011-06-061-1/+4
| | | | | | | When MaxArgumentError si raised, the string localized by ngettext is not printed properly. https://fedorahosted.org/freeipa/ticket/1148
* Revert "Set hard limit on number of commands in batch request to 256."Adam Young2011-03-011-17/+0
| | | | This reverts commit 79d22f8341026450ba7ca564e24812c9351c7e70.
* Remove deprecated i18n code from ipalib/request and all references to it.Pavel Zuna2011-03-011-1/+1
| | | | Ticket #903
* Set hard limit on number of commands in batch request to 256.Rob Crittenden2011-02-221-0/+17
| | | | ticket 984
* Add support for tracking and counting entitlementsRob Crittenden2011-02-021-4/+37
| | | | | | | | | | | | | | Adds a plugin, entitle, to register to the entitlement server, consume entitlements and to count and track them. It is also possible to import an entitlement certificate (if for example the remote entitlement server is unaviailable). This uses the candlepin server from https://fedorahosted.org/candlepin/wiki for entitlements. Add a cron job to validate the entitlement status and syslog the results. tickets 28, 79, 278
* Fix exception doctest failureRob Crittenden2011-01-241-2/+2
|
* Add some basic filter validation to permissions and disallow empty filtersRob Crittenden2011-01-211-0/+16
| | | | | | | Try a query with a filter to see if it is at least legal. This doesn't guarantee that the filter is at all otherwise sane. ticket 808
* Set the default Int maxvalue to the maximum XML-RPC can handle.Rob Crittenden2011-01-181-0/+14
| | | | | | Also handle marshalling errors thrown by xmlrpclib more gracefully. ticket 770
* Setting an empty set of target attributes should raise an exception.Rob Crittenden2011-01-101-2/+2
| | | | | | | | | | | It is possible to create an ACI with attributes and then try to set that to None via a mod command later. We need to catch this and raise an exception. If all attributes are set to None in an aci then the attr target is removed from the ACI. This could result in an illegal ACI if there are no other targets. Having no targets is a legal state, just not a legal final state. ticket 647
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-201-5/+5
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Fix some doctestsRob Crittenden2010-12-171-8/+8
| | | | A few had bad formatting causing the doctests to fail.
* Give the memberof plugin time to work when adding/removing reverse members.Rob Crittenden2010-12-131-0/+17
| | | | | | | | | | | | When we add/remove reverse members it looks like we're operating on group A but we're really operating on group B. This adds/removes the member attribute on group B and the memberof plugin adds the memberof attribute into group A. We need to give the memberof plugin a chance to do its work so loop a few times, reading the entry to see if the number of memberof is more or less what we expect. Bail out if it is taking too long. ticket 560
* Add --out option to service, host and cert-show to save the cert to a file.Rob Crittenden2010-12-131-0/+33
| | | | | | | Override forward() to grab the result and if a certificate is in the entry and the file is writable then dump the certificate in PEM format. ticket 473
* Check for existence of the group when adding a user.Rob Crittenden2010-12-131-0/+15
| | | | | | | | | | | | | The Managed Entries plugin will allow a user to be added even if a group of the same name exists. This would leave the user without a private group. We need to check for both the user and the group so we can do 1 of 3 things: - throw an error that the group exists (but not the user) - throw an error that the user exists (and the group) - allow the uesr to be added ticket 567
* Add new parameter type IA5Str and use this to enforce the right charset.Rob Crittenden2010-12-071-0/+16
| | | | ticket 496
* Re-implement access control using an updated model.Rob Crittenden2010-12-011-4/+4
| | | | | | | | | | | | | | | | | | | The new model is based on permssions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
* Add ability to add/remove DNS records when adding/removing a host entry.Rob Crittenden2010-11-231-0/+17
| | | | | | | | | | | | | | | | | | A host in DNS must have an IP address so a valid IP address is required when adding a host. The --force flag will be needed too since you are adding a host that isn't in DNS. For IPv4 it will create an A and a PTR DNS record. IPv6 isn't quite supported yet. Some basic work in the DNS installer is needed to get this working. Once the get_reverse_zone() returns the right value then this should start working and create an AAAA record and the appropriate reverse entry. When deleting a host with the --updatedns flag it will try to remove all records it can find in the zone for this host. ticket 238
* Fix typo in exception sample causing a doctest to failRob Crittenden2010-11-051-1/+1
|
* user-enable/disable improvementsRob Crittenden2010-11-041-6/+6
| | | | | | | | | | | | | Always display the account enable/disable status. Don't ignore the exceptions when a user is already enabled or disabled. Fix the exception error messages to use the right terminology. In baseldap when retrieving all attributes include the default attributes in case they include some operational attributes. ticket 392
* Don't allow managed groups to have group password policy.Rob Crittenden2010-10-281-0/+15
| | | | | | | UPG cannot have members and we use memberOf in class of service to determine which policy to apply. ticket 160
* Fix two failing tests.Rob Crittenden2010-10-221-1/+1
| | | | | | The first test is a mismatch in the sample output of an exception. The second test adds certificate information output to the service plugin.
* Disallow RDN change and single-value bypass using setattr/addattr.Pavel Zuna2010-10-181-3/+34
| | | | | | | | | | | When setting or adding an attribute wiht setatt/addattr check to see if there is a Param for the attribute and enforce the multi-value. If there is no Param check the LDAP schema for SINGLE-VALUE. Catch RDN mods and try to return a more reasonable error message. Ticket #230 Ticket #246
* Add Requires on ipa-client to ipa-admintools, ensure ipa client is configuredRob Crittenden2010-10-151-0/+10
| | | | | | | | | | It makes little sense to install ipa-admintools without ipa-client, require it. Also see if the client has been configured. This is a bit tricky since we have a full set of defaults. Add a new env option that gets set if at least one configuration file is loaded. ticket 213
* Accept an incoming certificate as either DER or base64 in the service plugin.Rob Crittenden2010-10-081-1/+17
| | | | | | | | | | | | | The plugin required a base64-encoded certificate and always decoded it before processing. This doesn't work with the UI because the json module decodes binary values already. Try to detect if the incoming value is base64-encoded and decode if necessary. Finally, try to pull the cert apart to validate it. This will tell us for sure that the data is a certificate, regardless of the format it came in as. ticket 348
* If an HBAC category is 'all' don't allow individual objects to be added.Rob Crittenden2010-10-081-0/+17
| | | | | | | | Basically, make 'all' mutually exclusive. This makes debugging lots easier. If say usercat='all' there is no point adding specific users to the rule because it will always apply to everyone. ticket 164
* Allow decoupling of user-private groups.Rob Crittenden2010-08-101-0/+15
| | | | | | | | | | | To do this we need to break the link manually on both sides, the user and the group. We also have to verify in advance that the user performing this is allowed to do both. Otherwise the user could be decoupled but not the group leaving it in a quasi broken state that only ldapmodify could fix. ticket 75
* Require that hosts be resolvable in DNS. Use --force to ignore warnings.Rob Crittenden2010-08-061-0/+16
| | | | | | | | | | | | | This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
* Add NotImplementedError type so CA plugins can return client-friendly errorsRob Crittenden2009-12-011-0/+8
| | | | | | | | Ignore NotImplementedError when revoking a certificate as this isn't implemented in the selfsign plugin. Also use the new type argument in x509.load_certificate(). Certificates are coming out of LDAP as binary instead of base64-encoding.
* add new error class for certificate operationsJohn Dennis2009-11-191-1/+28
| | | | add new error class for certificate operations
* error strings in documentation were missing unicode specifierJohn Dennis2009-11-191-3/+3
| | | | error strings in documentation were missing unicode specifier
* Change Password param so (password, confirm_password) can be passed to ↵Jason Gerard DeRose2009-10-181-0/+9
| | | | _convert_scalar()
* Giant webui patch take 2Jason Gerard DeRose2009-10-131-0/+11
|
* Raise more specific error when an Objectclass Violation occurs Fix the ↵Rob Crittenden2009-09-141-0/+15
| | | | virtual plugin to work with the new backend
* Remove Python 2.6 BaseException.message deprecation warningRob Crittenden2009-08-201-5/+5
|
* Clean up additional issues discovered with pylint and pycheckerRob Crittenden2009-08-201-0/+16
|
* Clean up some problems discovered with pylint and pycheckerRob Crittenden2009-08-121-0/+16
| | | | | Much of this is formatting to make pylint happy but it also fixes some real bugs.
* Add a return value to exceptions.Rob Crittenden2009-07-101-0/+2
| | | | | | | | Returning the exception value doesn't work because a shell return value is in the range of 0-255. The default return value is 1 which means "something went wrong." The only specific return value implemented so far is 2 which is "not found".
* Implement support for non-LDAP-based actions that use the LDAP ACI subsystem.Rob Crittenden2009-07-101-1/+1
| | | | | | | | | | | | There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
* Fix typo, occured -> occurredRob Crittenden2009-05-211-4/+4
|
* Add a format to the generic KerberosError classRob Crittenden2009-05-211-0/+9
|
* Raise an exception if the certificate chain is not returned from the CARob Crittenden2009-05-211-0/+16
|
* Fixed doctest for errors.NotFoundJason Gerard DeRose2009-05-191-3/+3
|
* Re-enable doctest, fix broken docstringsJason Gerard DeRose2009-05-131-9/+9
|
* Add a reason to the NotFound exception so we can provide more robust errorsRob Crittenden2009-05-131-1/+1
|
* Make MalformedServicePrincipal take a reason arg and add Base64DecodeErrorRob Crittenden2009-05-061-3/+19
|
* Rename errors2.py to errors.py. Modify all affected files.Pavel Zuna2009-04-231-0/+1077
|
* Finish work replacing the errors module with errors2Rob Crittenden2009-04-201-441/+0
| | | | | | Once this is committed we can start the process of renaming errors2 as errors. I thought that combinig this into one commit would be more difficult to review.
generated by cgit (git 2.34.1) at 2024-04-23 13:15:34 +0000