summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins
Commit message (Collapse)AuthorAgeFilesLines
* Deprecated managing users and runas user/group in sudorule add/modRob Crittenden2011-07-291-6/+18
| | | | | | | | We have helpers to manage these values so they shouldn't be available via add/mod. There is no logic behind them to do the right thing. https://fedorahosted.org/freeipa/ticket/1307 https://fedorahosted.org/freeipa/ticket/1320
* Add hbactest command. https://fedorahosted.org/freeipa/ticket/386Alexander Bokovoy2011-07-281-0/+327
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
* Fixed missing memberof definition in HBAC service.Endi S. Dewata2011-07-281-1/+4
| | | | | | | The HBAC service class has been modified to define the memberof relationship with HBAC service group. Ticket #1546
* dns section header i18n.Adam Young2011-07-281-0/+2
| | | | https://fedorahosted.org/freeipa/ticket/1493
* removing setters setup and initAdam Young2011-07-281-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | change widget and widget unit tests to hold on to entity, not entity name. Replacing entity_name with entity.name in most places. The one exception is columns for table_widget. Widgets that refer to other entities have to have late resolution of the entity object, due to circular dependencies. cleanup entity assignment. removed template and layout, merged setup into create adder dialogs adjust height for external removed init from widget, isection, association, facet, host and service Make unit tests use factory. fix functional tests to click find link correctly. tweak to activation test, but still broken. moved initialization code to the end use --all for hbacrule find, so the type shows up now fixed dns exception code and exception handling for get_entity replace metadata look up with value from entity. fixed author lines removed duplicate columns in managed by facets. tweak to nav fix in order to initialize tab. more defensive code update metadata for true false one line init for entity_name in widget move init code to end of constructor functions moved constants to start of function for adder_dialog external fields for dialogs initialized at dialog creation sudo sections: move add fields and columns to widget definition. The parameter validation in IPA.column ...This is precondition checking. Note that it merely throws an exception if the entity_name is not set. I want this stuff at the top of the function so that it is obvious to people looking to use them what is required. I added a comment to make this clear, but I'd like to keep precondition checking at the top of the function. decreased the scope of the pkey_name and moved the initiailzation fof columns into the setup_column function for association_tables return false at the end of click handler removed blank labels in sudo command section fix radio buttons for sudo category fixed table side for adder dialogs with external fields comments for future direction with add_columns https://fedorahosted.org/freeipa/ticket/1451 https://fedorahosted.org/freeipa/ticket/1462 https://fedorahosted.org/freeipa/ticket/1493 https://fedorahosted.org/freeipa/ticket/1497 https://fedorahosted.org/freeipa/ticket/1532 https://fedorahosted.org/freeipa/ticket/1534
* Don't leave dangling map if adding an indirect map failsRob Crittenden2011-07-271-5/+10
| | | | | | | | When using the add_indirect helper we create a new map and then add a key for it all in one step. If adding the key fails for any reason be sure to remove the map we added. https://fedorahosted.org/freeipa/ticket/1520
* Fix automountkey commands summaryMartin Kosek2011-07-271-4/+12
| | | | | | | | | | | The summary value was set to primary key. However, the primary key may contain also an info option as a workaround for multiple direct maps problem. This patch sets the result 'value' and thus summary text to expected and consistent value. https://fedorahosted.org/freeipa/ticket/1524
* fixed empty dns record updatePetr Vobornik2011-07-251-0/+3
| | | | | | | https://fedorahosted.org/freeipa/ticket/1477 Redirection after updating empty DNS Record (which is deleted). Added hook to details facet for post update operation.
* Autofill the default revocation reasonRob Crittenden2011-07-221-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/1514
* Hide the HBAC access type attribute now that deny is deprecated.Rob Crittenden2011-07-211-4/+6
| | | | | | | It won't appear in the UI/CLI but is still available via XML-RPC. allow is the default and deny will be rejected. https://fedorahosted.org/freeipa/ticket/1495
* Add missing automount summariesMartin Kosek2011-07-211-0/+40
| | | | | https://fedorahosted.org/freeipa/ticket/1509 https://fedorahosted.org/freeipa/ticket/1510
* Only call entry_from_entry() after waiting for the new entry.Rob Crittenden2011-07-191-1/+1
| | | | This fixes an indentation problem.
* Fix regression when calculating external groups.Rob Crittenden2011-07-191-1/+1
| | | | | The members should be the current members of the entry, not the refreshed copy
* A removed external host is shown in output when removing external hosts.Rob Crittenden2011-07-181-3/+3
| | | | | | This is just a display problem, the host is actually removed from the entry. https://fedorahosted.org/freeipa/ticket/1492
* Fix sudorule-remove-userMartin Kosek2011-07-191-2/+2
| | | | | | | Removed sudorule "External User" is displayed in the output when "--all" switch is used. https://fedorahosted.org/freeipa/ticket/1489
* Optionally wait for 389-ds postop plugins to completeRob Crittenden2011-07-193-0/+66
| | | | | | | | | | | Add a new command that lets you wait for an attribute to appear in a value. Using this you can do things like wait for a managed entry to be created, adding a new objectclass to the parent entry. This is controlled by a new booleon option, wait_for_attr, defaulting to False. https://fedorahosted.org/freeipa/ticket/1144
* Return correct "RunAs External Group" when removing membersJr Aquino2011-07-181-4/+4
| | | | | | | | | If you used sudorule-remove-runasgroup to remove a member that member still appeared in the command output when --all was included (it isn't a default attribute). This was due to post-processing to evaluate external users/groups, the entry was actually updated properly. https://fedorahosted.org/freeipa/ticket/1348
* Add new dnszone-find testMartin Kosek2011-07-181-1/+1
| | | | | | | | Implement a test for new dnszone-find option --forward-only. Fix example for reverse zone (zone was not fully qualified and DNS plugin would forbid adding PTR records). https://fedorahosted.org/freeipa/ticket/1473
* Add ability to specify DNS reverse zone name by IP network address.Jan Cholasta2011-07-151-0/+30
| | | | | | | In order for this to work, chaining of parameters through default_from is made possible. ticket 1474
* Remove the ability to create new HBAC deny rules.Rob Crittenden2011-07-141-2/+8
| | | | | | | | | | New rules will all be allow type. Existing rules cannot be changed to deny. The type attribute now defaults to allow with autofill so it won't be prompted in interactive mode in the cli. https://fedorahosted.org/freeipa/ticket/1432
* In sudo labels we should use RunAs and not Run As.Rob Crittenden2011-07-141-6/+6
| | | | https://fedorahosted.org/freeipa/ticket/1328
* Document registering to an entitlement server with a UUID as not implemented.Rob Crittenden2011-07-141-1/+4
| | | | | | | | It was my understanding that we would be able to pass in an existing UUID when registering to connect to an existing registration (for the case where IPA is re-installed). This is supported in the REST API but not python-rhsm. https://fedorahosted.org/freeipa/ticket/1216
* Fixed label capitalizationEndi S. Dewata2011-07-1425-28/+28
| | | | | | | | The CSS text-transform sometimes produces incorrect capitalization, so the code has been modified to use translated labels that already contain the correct capitalization. Ticket #1424
* Filter reverse zones in dnszone-findMartin Kosek2011-07-131-4/+19
| | | | | | | | | Implements a new option to filter out reverse zones. This patch also do some clean up in dns plugin - debug prints were accidentally left here in the last dns patch. https://fedorahosted.org/freeipa/ticket/1471
* Convert nsaccountlock to always work as bool towards Python codeAlexander Bokovoy2011-07-131-11/+16
| | | | | | | | https://fedorahosted.org/freeipa/ticket/1259 Python code will see nsaccountlock as bool. JavaScript code will also see it as bool. This allows native boolean operations with the lock field. Passes both CLI and WebUI tests.
* Fixed object_name and object_name_plural internationalizationEndi S. Dewata2011-07-1226-63/+63
| | | | | | | | | The object_name, object_name_plural and messages that use these attributes have been converted to support translation. The label attribute in the Param class has been modified to accept unicode string. Ticket #1435
* Add DNS record modification commandMartin Kosek2011-07-121-42/+85
| | | | | | | | | | | | | | | | | The DNS record plugin does not support modification of a record. One can only add A type addresses to a DNS record or remove the current ones. To actually change a DNS record value it has to be removed and then added with a desired value. This patch adds a new DNS plugin command "dnsrecord-mod" which enables user to: - modify a DNS record value (note than DNS record can hold multiple values and those will be overwritten) - remove a DNS record when an empty value is passed New tests for this new command have been added to the CLI test suite. https://fedorahosted.org/freeipa/ticket/1137
* Enforce class rules when query=True, continue to not run validators.ticket-hbac-testRob Crittenden2011-07-111-1/+1
| | | | | | | | | | | | | | | This started as a problem in allowing leading/trailing whitespaces on primary keys. In nearly every command other than add query is True so all rules were ignored on the primary key. This meant that to enforce whitespace we would need to define a validator for each one. I decided instead to set self.all_rules to just the class rules if query == True. So the minimum set of validators will be executed against each type but param-specific validators will only run on add. https://fedorahosted.org/freeipa/ticket/1285 https://fedorahosted.org/freeipa/ticket/1286 https://fedorahosted.org/freeipa/ticket/1287
* Added sudo options.Endi S. Dewata2011-07-111-0/+1
| | | | | | | A table has been added into sudo rule details page for managing sudo options. Ticket #1447
* password expiration labelAdam Young2011-07-051-1/+1
|
* Fixed object_name usage.Endi S. Dewata2011-07-058-15/+15
| | | | | | | | | | | The object_name attribute was used as both an identifier and a label which sometimes require different values (e.g. hbacrule vs. HBAC rule). The code that uses object_name as an identifier has been changed to use the 'name' attribute instead. The values of the object_name attribute have been fixed to become proper labels. Ticket #1217
* Add pwd expiration notif (ipapwdexpadvnotify) to config plugin def attr listRob Crittenden2011-07-051-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/1416
* Removed invalid associations.Endi S. Dewata2011-07-012-2/+2
| | | | | | | | | The following invalid associations have been removed: - group's memberindirect netgroup and role - hostgroup's memberofindirect host Ticket #1366 Ticket #1367
* Added confirmation dialog for user activation.Endi S. Dewata2011-07-011-10/+12
| | | | | | | | | The IPA.user_status_widget has been modified such that it checks the facet dirty status and asks the admin to either Update or Reset the changes. Then the widget shows a dialog to confirm whether the admin wants to activate/deactivate the user. Ticket #1395
* config widgets entity select default group checkbox for migrationAdam Young2011-06-301-1/+1
|
* Fixed hard-coded messages.Endi S. Dewata2011-06-301-12/+51
| | | | | | Hard-coded messages in the UI have been replaced with I18n messages. Ticket #1396
* config fieldsAdam Young2011-06-301-0/+3
| | | | | | | | | | https://fedorahosted.org/freeipa/ticket/1403 https://fedorahosted.org/freeipa/ticket/1404 https://fedorahosted.org/freeipa/ticket/1405 https://fedorahosted.org/freeipa/ticket/1406 fields and sections for config screen Using multivalue controls for object classes
* Replace the 'private' option in netgroup-find with 'managed'.Jan Cholasta2011-06-281-4/+9
| | | | | | | The 'private' option is kept in to maintain API compatibility, but is hidden from the user. ticket 1120
* optional uidAdam Young2011-06-271-0/+1
| | | | Make the uid field optional
* Fixed entity labels.Endi S. Dewata2011-06-278-35/+11
| | | | | | | | | | | | | | | | The entity labels in the following locations have been fixed: - search facet title: plural - details facet title: singular - association facet title: singular - breadcrumb: plural - adder dialog title: singular - deleter dialog title: plural Some entity labels have been changed into the correct plural form. Unused file install/ui/test/data/i18n_messages.json has been removed. Ticket #1249 Ticket #1387
* Added singular entity labels.Endi S. Dewata2011-06-2724-4/+30
| | | | | | | | | | | | | | | A new attribute label_singular has been added to all entities which contains the singular form of the entity label in lower cases except for acronyms (e.g. HBAC) or proper nouns (e.g. Kerberos). In the Web UI, this label can be capitalized using CSS text-transform. The existing 'label' attribute is intentionally left unchanged due to inconsistencies in the current values. It contains mostly the plural form of capitalized entity label, but some are singular. Also, it seems currently there is no comparable capitalization method on the server-side. So more work is needed before the label can be changed. Ticket #1249
* oneliner correct typo in ipasudorunas_groupJr Aquino2011-06-261-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/1326
* Use DN class in get_primary_key_from_dn to return decoded valueJohn Dennis2011-06-221-1/+4
|
* Make data type of certificates more obvious/predictable internally.Rob Crittenden2011-06-214-143/+31
| | | | | | | | | | | | | | | | | | | For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32
* Do lazy LDAP schema retrieval in json handler.Rob Crittenden2011-06-211-0/+1
| | | | | | | It was possible to get to this point without a schema if the first handled request resulted in a Kerberos error. https://fedorahosted.org/freeipa/ticket/1354
* ipaddress for host addAdam Young2011-06-201-0/+1
| | | | updated label triggered an API change
* Improve IP address handling in the host-add command.Jan Cholasta2011-06-191-15/+36
| | | | | | | IP addresses are more strictly checked. Netmasks can be specified and are used in DNS PTR record creation. ticket 1234
* Require an imported certificate's issuer to match our issuer.Rob Crittenden2011-06-162-2/+32
| | | | | | | | | | The goal is to not import foreign certificates. This caused a bunch of tests to fail because we had a hardcoded server certificate. Instead a developer will need to run make-testcert to create a server certificate generated by the local CA to test against. ticket 1134
* Don't add empty tuple to entry_attrs['externalhost']Jr Aquino2011-06-161-1/+2
| | | | https://fedorahosted.org/freeipa/ticket/1339
* Raise DuplicateEntry Error when adding a duplicate sudo optionJr Aquino2011-06-161-26/+40
| | | | | | | | | | | | https://fedorahosted.org/freeipa/ticket/1276 https://fedorahosted.org/freeipa/ticket/1277 https://fedorahosted.org/freeipa/ticket/1308 Added new Exception: AttrValueNotFound Fixed XML Test for Sudorule remove_option 1276 (Raise AttrValueNotFound when trying to remove a non-existent option from Sudo rule) 1277 (Raise DuplicateEntry Error when adding a duplicate sudo option) 1308 (Make sudooption a required option for sudorule_remove_option)
generated by cgit (git 2.34.1) at 2024-05-25 20:17:22 +0000