| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
The attributes entryusn, createtimestamp, and modifytimestamp
should be readable whenever thir entry is, i.e. when we allow reading
the objectclass.
Automatically add them to every read permission that includes objectclass.
https://fedorahosted.org/freeipa/ticket/4534
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4521
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
| |
This was left out by mistake when permissions were refactored.
The API is already tested.
https://fedorahosted.org/freeipa/ticket/4522
|
|
|
|
|
|
| |
Ticket: https://fedorahosted.org/freeipa/ticket/4422
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When manipulating a permission for an entry that has an ACI
that the parser cannot process, skip this ACI instead of
failing.
Add a test that manipulates permission in cn=accounts,
where there are complex ipaAllowedOperation-based ACIs.
Workaround for: https://fedorahosted.org/freeipa/ticket/4376
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
For groups, we will need to filter on either posixgroup (which UPGs
have but non-posix groups don't) and groupofnames/nestedgroup
(which normal groups have but UPGs don't).
Join permission_filter_objectclasses with `|` and add them as
a single ipapermtargetfilter value.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Memberofindirect processing of an entry doesn't work if the user doesn't
have rights to any one of these attributes:
- member
- memberuser
- memberhost
Add all of these to any read permission that specifies any of them.
Add a check to makeaci that will enforce this for any future permissions.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
This reduces typing (or copy/pasting), and draws a bit of attention
to any non-default privileges (currently 'any' or 'anonymous').
Leaving the bindtype out by mistake isn't dangerous: by default
a permission is not granted to anyone, since it is not included in
any priviliges.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
| |
This makes the ACI independent on set/dict iteration order.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
| |
Add default read permissions to roles, privileges and permissions.
Also add permission to read ACIs. This is required for legacy permissions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
|
|
|
|
|
|
|
|
|
|
|
| |
The 'top' objectclass is added by DS if not present. On every
update the managed permission updater compared the object_class
list with the state from LDAP, saw that there's an extra 'top'
value, and tried deleting it.
Add 'top' to the list to match the entry in LDAP.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ":" character will be reserved for default permissions, so that
users cannot create a permission with a name that will later be
added as a default.
Allow the ":" character modifying/deleting permissions*, but not
when creating them. Also do not allow the new name to contain ":"
when renaming.
(* modify/delete have unrelated restrictions on managed permissions)
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
| |
Previously the search term was only applied to the name.
Fix it so that it filters results based on any attribute.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
As with the flags, the objectclass should be returned as it is
on the entry.
https://fedorahosted.org/freeipa/ticket/4257
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
| |
The old name is kept as a deprecated alias.
https://fedorahosted.org/freeipa/ticket/4231
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, setting/deleting the "--type" virtual attribute removed
all (objectclass=...) target filters.
Change so that only the filter associated with --type is removed.
The same change applies to --memberof: only filters associated
with the option are removed when --memberof is (un-)set.
Follow-up to https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
The --memberof logic tried to convert the value of a (memberof=...)
filter to a DN, which failed with filters like (memberof=*).
Do not try to set memberof if the value is not a DN.
A test will be added in a subsequent patch.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
The extratargetfilter behaves exactly like targetfilter, so that e.g.
ipa permission-find --filter=(objectclass=ipausergroup)
finds all permissions with that filter in the ACI.
Part of the work for https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
| |
Since extratargetfilter is shown by default, change it to also have
the "default" (i.e. shorter) option name.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Extend the permission-add and permission-mod commands to process
extratargetfilter.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The --filter, --type, and --memberof options interact in a way that's
difficult to recreate in the UI: type and memberof are "views" on the
filter, they affect it and are affected by it
Add a "extratagretfilter" view that only contains the filters
not linked to type or memberof.
Show extra target filter, and not the full target filter, by default;
show both with --all, and full filter only with --raw.
Write support will be added in a subsequent patch.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4187
Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This makes searching faster if there are many legacy permissions present.
The root entry (which contains all legacy permission ACIs) is only
looked up once.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4206
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
| |
Design: http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions
Additional fix for: https://fedorahosted.org/freeipa/ticket/4074
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
LDAPUpdate adds the display-only 'attributelevelrights' attribute,
which doesn't exist in LDAP. Remove it before reverting entry.
https://fedorahosted.org/freeipa/ticket/4212
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
are present
With the --all --raw options, the code assumed attribute-level rights
were set on ipaPermissionV2 attributes, even on permissions that did not
have the objectclass.
Add a check that the data is present before using it.
https://fedorahosted.org/freeipa/ticket/4121
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/4074
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change the target filter to be multivalued.
Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.
Update tests
Part of the work for: https://fedorahosted.org/freeipa/ticket/4074
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/4178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds support for managed permissions. The attribute list
of these is computed from the "default" (modifiable only internally),
"allowed", and "excluded" lists. This makes it possible to cleanly
merge updated IPA defaults and user changes on upgrades.
The default managed permissions are to be added in a future patch.
For now they can only be created manually (see test_managed_permissions).
Tests included.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4033
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Construct the ACI string from permission entry directly
in the permission plugin.
This is the next step in moving away from ipalib.aci.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
| |
With this change, shortcut options like memberof and type will be
aplied on the server, not on the client.
This will allow us to pass more information than just updated options.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
|
|
|
|
|
| |
- Fix i18n for plugin docstring
- Fix error when the aci attribute is not present on an entry
- Fix error when raising exception for ACI not found
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3488
|
|
|
|
|
|
|
| |
Disallow adding permissions with non-default bindtype to privileges
Ticket: https://fedorahosted.org/freeipa/ticket/4032
Design: http://www.freeipa.org/page/V3/Anonymous_and_All_permissions
|
|
|
|
|
|
|
| |
ipasearchrecordslimit can be -1, which means unlimited.
The permission_find post_callback failed in this case in legacy
permission handling.
Do not fail in this case.
|
|
|
|
|
|
|
| |
The value from my machine ended up wired into API.txt,
so builds on other machines would fail.
Correct the mistake.
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/4034
|
| |
|
| |
|
|
|
|
|
| |
Ticket: https://fedorahosted.org/freeipa/ticket/3566
Design: http://www.freeipa.org/page/V3/Permissions_V2
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Convert all code that uses the 'dn' key of LDAPEntry for this to use the dn
attribute instead.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3352
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.
Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).
Fix some unit tests that are failing because we actually get the data
now due to transactions.
Add small bit of code in user plugin to retrieve the user again
ala wait_for_attr but in the case of transactions we need do it only
once.
Deprecate wait_for_attr code.
Add a memberof fixup task for roles.
https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
|