path: root/ipalib/plugins/sudorule.py
Commit message | Author | Age | Files | Lines
* Disallow setattr on no_update/no_create params | Petr Viktorin | 2012-05-29 | 1 | -3/+3
  Make --{set,add,del}attr fail on parameters with the no_update/no_create flag for the respective command.

  For attributes that can be modified, but we just don't want to display in the CLI, use the 'no_option' flag. These are "locking" attributes (ipaenabledflag, nsaccountlock) and externalhost. Document the 'no_option' flag. Add some tests.

  https://fedorahosted.org/freeipa/ticket/2580
* Validate externalhost (when added by --addattr/--setattr) | Petr Viktorin | 2012-05-11 | 1 | -0/+1
  Change the externalhost attribute of hbacrule, netgroup and sudorule into a full-fledged Parameter, and attach a validator to it. The validator is relaxed to allow underscores, so that some hosts with nonstandard names can be added. Tests included.

  https://fedorahosted.org/freeipa/ticket/2649
* Netgroup nisdomain and hosts validation | Ondrej Hamada | 2012-03-28 | 1 | -4/+4
  nisdomain validation: Added pattern to the 'nisdomain' parameter to validate the specified nisdomain name. According to most common use cases the same pattern as for netgroup should fit. Unit-tests added.

  https://fedorahosted.org/freeipa/ticket/2448

  'add_external_pre_callback' function was created to allow validation of all external members. Validation is based on usage of objects primary key parameter. The 'add_external_pre_callback' function has to be called directly from the 'pre_callback' function. This change affects netgroup, hbacrule and sudorule commands. For hostname, the validator allows non-fqdn and underscore characters. validate_hostname function in ipalib.util was modified and contains additional option that allows hostname to contain underscore characters. This option is disabled by default. Unit-tests added.

  https://fedorahosted.org/freeipa/ticket/2447
* Add support for sudoOrder | Rob Crittenden | 2012-03-01 | 1 | -0/+41
  Update ipaSudoRule objectClass on upgrades to add new attributes. Ensure uniqueness of sudoOrder in rules.

  The attributes sudoNotBefore and sudoNotAfter are being added to schema but not as Params.

  https://fedorahosted.org/freeipa/ticket/1314
* Clean up i18n strings | Petr Viktorin | 2012-02-10 | 1 | -4/+4
  This patch switches to named ("%(name)s") instead of positional ("%s") substitutions for internationalized strings, so translators can reorder the words. This fixes https://fedorahosted.org/freeipa/ticket/2179 (xgettext no longer gives warnings).

  Also, some i18n calls are rewritten to translate the template before substitutions, not after.
* Consolidate external member code into two functions in baseldap.py | Rob Crittenden | 2012-02-08 | 1 | -186/+9
  External members (users and hosts) are assumed when doing member management on certain attributes. If the member isn't in IPA it is assumed to be external. When doing member management we need to sift through the list of failures and pull out all those that were simply not found in IPA.

  https://fedorahosted.org/freeipa/ticket/1734
* In sudo when the category is all do not allow members, and vice versa. | Rob Crittenden | 2012-01-18 | 1 | -0/+75
  This is what we already do in the HBAC plugin, this ports it to Sudo.

  If a category (user, host, etc) is u'all' then we don't allow individual members be added. Conversely if there are members we don't allow the category be set to u'all'.

  https://fedorahosted.org/freeipa/ticket/1440
* Validate sudo RunAsUser/RunAsGroup arguments | Alexander Bokovoy | 2012-01-13 | 1 | -1/+38
  FreeIPA SUDO rules use --usercat/--groupcat to specify that rule applies to all users or groups. Thus, sudorule-add-runasuser and sudorule-add-runasgroup accept specific groups and users and do not accept ALL reserved word.

  The patch validates user and group passed to these commands and reports appropriate errors when these are ALL.

  Ticket #1496
  https://fedorahosted.org/freeipa/ticket/1496
* Fixed labels for run-as users and groups. | Endi S. Dewata | 2011-09-13 | 1 | -8/+9
  The labels for the run-as users and groups tables in sudo rule details page have been modified to improve the clarity.

  Ticket #1752
* Fix sudo help and summaries | Martin Kosek | 2011-08-29 | 1 | -14/+26
  1) Add sudorule docstring headline
  2) Fix naming inconsistency in Sudo plugins help and summaries, especially capitalization of Sudo objects - Sudo Rule, Sudo Command and Sudo Command Group
  3) Add missing summaries for sudorule-add-option and sudorule-remove-option. To keep backward compatibility with older clients, just print the missing summary with output_for_cli(), don't expand Output.

  https://fedorahosted.org/freeipa/ticket/1595
  https://fedorahosted.org/freeipa/ticket/1596
* ticket 1669 - improve i18n docstring extraction | John Dennis | 2011-08-24 | 1 | -70/+48
  This patch reverts the use of pygettext for i18n string extraction. It was originally introduced because the help documentation for commands are in the class docstring and module docstring.

  Docstrings are a Python construct whereby any string which immediately follows a class declaration, function/method declaration or appears first in a module is taken to be the documentation for that object. Python automatically assigns that string to the __doc__ variable associated with the object. Explicitly assigning to the __doc__ variable is equivalent and permitted.

  We mark strings in the source for i18n translation by embedding them in _() or ngettext(). Specialized extraction tools (e.g. xgettext) scan the source code looking for strings with those markers and extracts the string for inclusion in a translation catalog.

  It was mistakenly assumed one could not mark for translation Python docstrings. Since some docstrings are vital for our command help system some method had to be devised to extract docstrings for the translation catalog. pygettext has the ability to locate and extract docstrings and it was introduced to acquire the documentation for our commands located in module and class docstrings.

  However pygettext was too large a hammer for this task, it lacked any fine-grained ability to extract only the docstrings we were interested in. In practice it extracted EVERY docstring in each file it was presented with. This caused a large number of strings to be extracted for translation which had no reason to be translated, the string might have been internal code documentation never meant to be seen by users. Often the superfluous docstrings were long, complex and likely difficult to translate. This placed an unnecessary burden on our volunteer translators.

  Instead what is needed is some method to extract only those strings intended for translation. We already have such a mechanism and it is already widely used, namely wrapping strings intended for translation in calls to _() or _negettext(), i.e. marking a string for i18n translation. Thus the solution to the docstring translation problem is to mark the docstrings exactly as we have been doing, it only requires that instead of a bare Python docstring we instead assign the marked string to the __doc__ variable. Using the hypothetical class foo as an example.

      class foo(Command):
          '''
          The foo command takes out the garbage.
          '''

  Would become:

      class foo(Command):
          __doc__ = _('The foo command takes out the garbage.')

  But which docstrings need to be marked for translation? The makeapi tool knows how to iterate over every command in our public API. It was extended to validate every command's documentation and report if any documentation is missing or not marked for translation. That information was then used to identify each docstring in the code which needed to be transformed.

  In summary what this patch does is:

  * Remove the use of pygettext (modification to install/po/Makefile.in)

  * Replace every docstring with an explicit assignment to __doc__ where the rhs of the assignment is an i18n marking function.

  * Single line docstrings appearing in multi-line string literals (e.g. ''' or """) were replaced with single line string literals because the multi-line literals were introducing unnecessary whitespace and newlines in the string extracted for translation. For example:

      '''
      The foo command takes out the garbage.
      '''

    Would appear in the translation catalog as:

      "\n The foo command takes out the garbage.\n "

    The superfluous whitespace and newlines are confusing to translators and requires us to strip leading and trailing whitespace from the translation at run time.

  * Import statements were moved from below the docstring to above it. This was necessary because the i18n markers are imported functions and must be available before the doc is parsed. Technically only the import of the i18n markers had to appear before the doc but stylistically it's better to keep all the imports together.

  * It was observed during the docstring editing process that the command documentation was inconsistent with respect to the use of periods to terminate a sentence. Some doc had a trailing period, others didn't. Consistency was enforced by adding a period to end of every docstring if one was missing.
* ticket 1705 - internationalize help topics | John Dennis | 2011-08-24 | 1 | -1/+1
  * Wrap each topic description in _()
  * Replace the use of if 'topic' in dir(module) with the more Pythonic and efficient getattr(module, 'topic', None)
  * Make sure to invoke unicode on the value returned from _() otherwise you'll get a GettextFactory instance, not a string
  * Clean up trailing whitespace errors
* Improve sudorule documentation | Jr Aquino | 2011-08-23 | 1 | -0/+11
  Added brief explanations for the various Sudo components in the top level doc. Added doc entries for RunAs User and RunAs Group.

  https://fedorahosted.org/freeipa/ticket/1657
* Add missing attribute labels for sudorule | Martin Kosek | 2011-08-17 | 1 | -0/+8
  https://fedorahosted.org/freeipa/ticket/1571
* Deprecated managing users and runas user/group in sudorule add/mod | Rob Crittenden | 2011-07-29 | 1 | -6/+18
  We have helpers to manage these values so they shouldn't be available via add/mod. There is no logic behind them to do the right thing.

  https://fedorahosted.org/freeipa/ticket/1307
  https://fedorahosted.org/freeipa/ticket/1320
* Fix sudorule-remove-user | Martin Kosek | 2011-07-19 | 1 | -2/+2
  Removed sudorule "External User" is displayed in the output when "--all" switch is used.

  https://fedorahosted.org/freeipa/ticket/1489
* Return correct "RunAs External Group" when removing members | Jr Aquino | 2011-07-18 | 1 | -4/+4
  If you used sudorule-remove-runasgroup to remove a member that member still appeared in the command output when --all was included (it isn't a default attribute). This was due to post-processing to evaluate external users/groups, the entry was actually updated properly.

  https://fedorahosted.org/freeipa/ticket/1348
* In sudo labels we should use RunAs and not Run As. | Rob Crittenden | 2011-07-14 | 1 | -6/+6
  https://fedorahosted.org/freeipa/ticket/1328
* Fixed label capitalization | Endi S. Dewata | 2011-07-14 | 1 | -1/+1
  The CSS text-transform sometimes produces incorrect capitalization, so the code has been modified to use translated labels that already contain the correct capitalization.

  Ticket #1424
* Fixed object_name and object_name_plural internationalization | Endi S. Dewata | 2011-07-12 | 1 | -2/+2
  The object_name, object_name_plural and messages that use these attributes have been converted to support translation. The label attribute in the Param class has been modified to accept unicode string.

  Ticket #1435
* Fixed object_name usage. | Endi S. Dewata | 2011-07-05 | 1 | -2/+2
  The object_name attribute was used as both an identifier and a label which sometimes require different values (e.g. hbacrule vs. HBAC rule). The code that uses object_name as an identifier has been changed to use the 'name' attribute instead. The values of the object_name attribute have been fixed to become proper labels.

  Ticket #1217
* Fixed entity labels. | Endi S. Dewata | 2011-06-27 | 1 | -1/+1
  The entity labels in the following locations have been fixed:
  - search facet title: plural
  - details facet title: singular
  - association facet title: singular
  - breadcrumb: plural
  - adder dialog title: singular
  - deleter dialog title: plural

  Some entity labels have been changed into the correct plural form.

  Unused file install/ui/test/data/i18n_messages.json has been removed.

  Ticket #1249
  Ticket #1387
* Added singular entity labels. | Endi S. Dewata | 2011-06-27 | 1 | -0/+1
  A new attribute label_singular has been added to all entities which contains the singular form of the entity label in lower cases except for acronyms (e.g. HBAC) or proper nouns (e.g. Kerberos). In the Web UI, this label can be capitalized using CSS text-transform.

  The existing 'label' attribute is intentionally left unchanged due to inconsistencies in the current values. It contains mostly the plural form of capitalized entity label, but some are singular. Also, it seems currently there is no comparable capitalization method on the server-side. So more work is needed before the label can be changed.

  Ticket #1249
* oneliner correct typo in ipasudorunas_group | Jr Aquino | 2011-06-26 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/1326
* Don't add empty tuple to entry_attrs['externalhost'] | Jr Aquino | 2011-06-16 | 1 | -1/+2
  https://fedorahosted.org/freeipa/ticket/1339
* Raise DuplicateEntry Error when adding a duplicate sudo option | Jr Aquino | 2011-06-16 | 1 | -26/+40
  https://fedorahosted.org/freeipa/ticket/1276
  https://fedorahosted.org/freeipa/ticket/1277
  https://fedorahosted.org/freeipa/ticket/1308

  Added new Exception: AttrValueNotFound
  Fixed XML Test for Sudorule remove_option

  1276 (Raise AttrValueNotFound when trying to remove a non-existent option from Sudo rule)
  1277 (Raise DuplicateEntry Error when adding a duplicate sudo option)
  1308 (Make sudooption a required option for sudorule_remove_option)
* Fix doc for sudorule runasuser commands | Martin Kosek | 2011-06-17 | 1 | -2/+2
  https://fedorahosted.org/freeipa/ticket/1324
* Add message output summary to sudorule del, mod and find. | Rob Crittenden | 2011-06-15 | 1 | -0/+5
  https://fedorahosted.org/freeipa/ticket/1255
* Display remaining external hosts when removing from sudorule | Jr Aquino | 2011-06-14 | 1 | -2/+2
  https://fedorahosted.org/freeipa/ticket/1269
  https://fedorahosted.org/freeipa/ticket/1270
* Typos in freeIPA messages and man page | Yuri Chornoivan | 2011-05-10 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/1128
* Fixed labels for sudo and hbac rules | Adam Young | 2011-03-31 | 1 | -1/+1
* Fix style and grammatical issues in built-in command help. | Rob Crittenden | 2011-03-04 | 1 | -2/+2
  There is a rather large API.txt change but it is only due to changes in the doc string in parameters.

  ticket 729
* Use Sudo rather than SUDO as a label. | Rob Crittenden | 2011-03-01 | 1 | -3/+3
  ticket 1005
* Create default disabled sudo bind user | Jr Aquino | 2011-02-23 | 1 | -1/+14
  Read access is denied to the sudo container for unauthenticated users. This shared user can be used to provide authenticated access to the sudo information.

  https://fedorahosted.org/freeipa/ticket/998
* Add group members to default output of sudorule-show | Jan Zeleny | 2011-02-15 | 1 | -0/+4
  https://fedorahosted.org/freeipa/ticket/915
* fix sudorule runas user/groups https://fedorahosted.org/freeipa/ticket/570 | Jr Aquino | 2011-01-12 | 1 | -1/+111
* Initial grouping of ipalib plugins for ipa help | Jan Zeleny | 2011-01-07 | 1 | -0/+1
  This patch makes one group for all HBAC plugins and one group for all sudo plugins.
* SUDO plugin support for external hosts and users ↵ | Jr Aquino | 2010-12-21 | 1 | -4/+191
  https://fedorahosted.org/freeipa/ticket/570
* Change FreeIPA license to GPLv3+ | Jakub Hrozek | 2010-12-20 | 1 | -5/+5
  The changes include:
  * Change license blobs in source files to mention GPLv3+ not GPLv2 only
  * Add GPLv3+ license text
  * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think

  https://fedorahosted.org/freeipa/ticket/239
* sudo run as user or group https://fedorahosted.org/freeipa/ticket/570 | Jr Aquino | 2010-12-13 | 1 | -0/+62
* Enable/Disable SudoRule https://fedorahosted.org/freeipa/ticket/570 | Jr Aquino | 2010-12-08 | 1 | -2/+60
* Adding user/host category and ipaenabledflag ↵ | Jr Aquino | 2010-12-08 | 1 | -0/+16
  https://fedorahosted.org/freeipa/ticket/570

  This patch Addresses items:
  1. The UI needs a rule status with values active & inactive. The CLI doesn't have this attribute. HBAC has ipaenabledflag attribute which can be managed using hbac-enable/disable operations.
  2. The UI needs a user category for the "Who" section. The CLI doesn't have this attribute. HBAC has usercategory attribute which can be managed using hbac-add/mod operations.
  3. The UI needs a host category for the "Access this host" section. The CLI doesn't have this attribute. HBAC has hostcategory attribute which can be managed using hbac-add/mod operations.
* This is the second half of a patch. Only the part that had to be | Rob Crittenden | 2010-12-02 | 1 | -1/+1
  re-based got pushed for some reason.

  Use better description for group names in help and always prompt for members

  When running <foo>-[add|remove]-member completely interactively it didn't prompt for managing membership, it just reported that 0 members were handled which was rather confusing.

  This will work via a shell if you want to echo too:

      $ echo "" | ipa group-add-member g1

  This returns 0 members because nothing is read for users or group members.

      $ echo -e "g1\nadmin\n" | ipa group-add-member

  This adds the user admin to the group g1. It adds it as a user because user membership is prompted for first.

  ticket 415
* action panel sibling added function to get sibling entities from the tab ↵ | Adam Young | 2010-12-01 | 1 | -1/+1
  set. remove explicit sibling code from entity pages
  Modified the Label fields on HBAC and SUDO to make them appear cleaner in the UI
* Added fixes to adjust for sudocmd attribute for sudocmds. Added fix for ↵ | Jr Aquino | 2010-11-03 | 1 | -0/+6
  sudorule to allow for cmdCategory all
  Added fixes for xmlrpc tests to reflect sudocmd changes.
* Add LDAPObject setting to handle different attributes for RDN and PKEY. | Pavel Zuna | 2010-10-28 | 1 | -10/+1
* Added modifications to the sudorule plugin to reflect the schema update. | Jr Aquino | 2010-10-05 | 1 | -17/+41
* Add plugins for Sudo Commands, Command Groups and Rules | Jr Aquino | 2010-09-27 | 1 | -0/+199