summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
* Fixed hard-coded UI message in entity.js.Endi S. Dewata2011-09-011-0/+1
| | | | | | | The hard-coded label in IPA.facet has been moved into internal.py to allow translation. Ticket #1701
* Fixed hard-coded UI messages.Endi S. Dewata2011-08-311-322/+332
| | | | | | | | | | | Some hard-coded messages in ipa.js have been moved into internal.py. The messages in internal.py have been rearranged to match the output (ipa_init.json). A new method IPA.get_message() has been added to take a message ID and return the translated message or a default message if not found. Ticket #1701
* Let Bind track data changesMartin Kosek2011-08-311-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Integrate new bind-dyndb-ldap features to automatically track DNS data changes: 1) Zone refresh Set --zone-refresh in installation to define number of seconds between bind-dyndb-ldap polls for new DNS zones. User now doesn't have to restart name server when a new zone is added. 2) New zone notifications Use LDAP persistent search mechanism to immediately get notification when any new DNS zone is added. Use --zone-notif install option to enable. This option is mutually exclusive with Zone refresh. To enable this functionality in existing IPA installations, update a list of arguments for bind-dyndb-ldap in /etc/named.conf. An example when zone refresh is disabled and DNS data change notifications (argument psearch of bind-dyndb-ldap) are enabled: dynamic-db "ipa" { ... arg "zone_refresh 0"; arg "psearch yes"; }; This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later. https://fedorahosted.org/freeipa/ticket/826
* Suppress managed netgroups from showing as memberof hostgroups.Rob Crittenden2011-08-311-4/+46
| | | | | | | By design these managed netgroups are not supposed to show unless you specifically want to see them. https://fedorahosted.org/freeipa/ticket/1738
* 34 Create FreeIPA CLI Plugin for the 389 Auto Membership pluginJr Aquino2011-08-313-0/+591
| | | | | | | | | | | | Added new container in etc to hold the automembership configs. Modified constants to point to the new container Modified dsinstance to create the container Created automember.py to add the new commands Added xmlrpc test to verify functionality Added minor fix to user.py for constant behavior between memberof and automember https://fedorahosted.org/freeipa/ticket/1272
* Add netgroup as possible memberOf for hostgroupsRob Crittenden2011-08-291-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/1563
* Fix sudo help and summariesMartin Kosek2011-08-293-43/+55
| | | | | | | | | | | | | | | | 1) Add sudorule docstring headline 2) Fix naming inconsistency in Sudo plugins help and summaries, especially capitalization of Sudo objects - Sudo Rule, Sudo Command and Sudo Command Group 3) Add missing summaries for sudorule-add-option and sudorule-remove-option. To keep backward compatibility with older clients, just print the missing summary with output_for_cli(), don't expand Output. https://fedorahosted.org/freeipa/ticket/1595 https://fedorahosted.org/freeipa/ticket/1596
* Add external source hosts to HBAC.Rob Crittenden2011-08-292-1/+57
| | | | | | | | When adding/removing source hosts if the host isn't found in IPA it is considered external. The attribute externalhost is used to store external hosts. ticket https://fedorahosted.org/freeipa/ticket/1574
* enable proxy for dogtagAdam Young2011-08-291-3/+7
| | | | | | | | | | | | | | | | | | | Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Fixed host OTP status.Endi S. Dewata2011-08-261-16/+22
| | | | | | | The host details page has been modified to show the status of the OTP. Setting a new OTP is now done using a dialog box. Ticket #1710
* ticket 1669 - improve i18n docstring extractionJohn Dennis2011-08-2430-904/+633
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch reverts the use of pygettext for i18n string extraction. It was originally introduced because the help documentation for commands are in the class docstring and module docstring. Docstrings are a Python construct whereby any string which immediately follows a class declaration, function/method declaration or appears first in a module is taken to be the documentation for that object. Python automatically assigns that string to the __doc__ variable associated with the object. Explicitly assigning to the __doc__ variable is equivalent and permitted. We mark strings in the source for i18n translation by embedding them in _() or ngettext(). Specialized extraction tools (e.g. xgettext) scan the source code looking for strings with those markers and extracts the string for inclusion in a translation catalog. It was mistakingly assumed one could not mark for translation Python docstrings. Since some docstrings are vital for our command help system some method had to be devised to extract docstrings for the translation catalog. pygettext has the ability to locate and extract docstrings and it was introduced to acquire the documentation for our commands located in module and class docstrings. However pygettext was too large a hammer for this task, it lacked any fined grained ability to extract only the docstrings we were interested in. In practice it extracted EVERY docstring in each file it was presented with. This caused a large number strings to be extracted for translation which had no reason to be translated, the string might have been internal code documentation never meant to be seen by users. Often the superfluous docstrings were long, complex and likely difficult to translate. This placed an unnecessary burden on our volunteer translators. Instead what is needed is some method to extract only those strings intended for translation. We already have such a mechanism and it is already widely used, namely wrapping strings intended for translation in calls to _() or _negettext(), i.e. marking a string for i18n translation. Thus the solution to the docstring translation problem is to mark the docstrings exactly as we have been doing, it only requires that instead of a bare Python docstring we instead assign the marked string to the __doc__ variable. Using the hypothetical class foo as an example. class foo(Command): ''' The foo command takes out the garbage. ''' Would become: class foo(Command): __doc__ = _('The foo command takes out the garbage.') But which docstrings need to be marked for translation? The makeapi tool knows how to iterate over every command in our public API. It was extended to validate every command's documentation and report if any documentation is missing or not marked for translation. That information was then used to identify each docstring in the code which needed to be transformed. In summary what this patch does is: * Remove the use of pygettext (modification to install/po/Makefile.in) * Replace every docstring with an explicit assignment to __doc__ where the rhs of the assignment is an i18n marking function. * Single line docstrings appearing in multi-line string literals (e.g. ''' or """) were replaced with single line string literals because the multi-line literals were introducing unnecessary whitespace and newlines in the string extracted for translation. For example: ''' The foo command takes out the garbage. ''' Would appear in the translation catalog as: "\n The foo command takes out the garbage.\n " The superfluous whitespace and newlines are confusing to translators and requires us to strip leading and trailing whitespace from the translation at run time. * Import statements were moved from below the docstring to above it. This was necessary because the i18n markers are imported functions and must be available before the the doc is parsed. Technically only the import of the i18n markers had to appear before the doc but stylistically it's better to keep all the imports together. * It was observed during the docstring editing process that the command documentation was inconsistent with respect to the use of periods to terminate a sentence. Some doc had a trailing period, others didn't. Consistency was enforced by adding a period to end of every docstring if one was missing.
* ticket 1706 - internationalize cli help frameworkJohn Dennis2011-08-241-7/+7
| | | | | | | | | In cli.py is a framework for printing out help information. The command documentation being displayed is internationalized, however the text generated by the help framework itself is not internationalized. The strings output by the help subsystem need to be internationalized.
* ticket 1705 - internationalize help topicsJohn Dennis2011-08-247-11/+9
| | | | | | | | | | | | * Wrap each topic description in _() * Replace the use of if 'topic' in dir(module) with the more Pythonic and efficient getattr(module, 'topic', None) * Make sure to invoke unicode on the value returned from _() otherwise you'll get a GettextFactory instance, not a string * Clean up trailing whitespace errors
* Retrieve password/keytab state when modifying a host.Rob Crittenden2011-08-251-0/+5
| | | | ticket https://fedorahosted.org/freeipa/ticket/1714
* Add option to only prompt once for passwords, use in entitle_registerRob Crittenden2011-08-243-4/+11
| | | | | | | | | A Password param always prompted to confirm the entered password. This doesn't make sense if you want to prompt for a password to another system like we do with entitlements. This adds a new boolean option to control the Password prompt parameter. https://fedorahosted.org/freeipa/ticket/1695
* Add label for HBAC services to show as membersRob Crittenden2011-08-241-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/1711
* Validation of details facet before update ↵test-patches-2-1Petr Vobornik2011-08-251-2/+4
| | | | | | | | https://fedorahosted.org/freeipa/ticket/1676 The ticket is a duplicate of server error, but it revealed few UI errors. Newly performs validation of details facet before update. If validation fails, notification dialog is shown and command isn't executed. Fixed integer minimum and maximum value checking. Read-only and non-writable fields are no longer considered required.
* Change the way has_keytab is determined, also check for password.Rob Crittenden2011-08-244-31/+61
| | | | | | | | | | | | | | | | | | | | We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
* Verify that the external CA certificate files are correct.Jan Cholasta2011-08-231-1/+19
| | | | ticket 1572
* Improve sudorule documentationJr Aquino2011-08-231-0/+11
| | | | | | | | Added brief explanations for the various Sudo components in the top level doc. Added doc entries for RunAs User and RunAs Group. https://fedorahosted.org/freeipa/ticket/1657
* Updated add and delete association dialog titles.Endi S. Dewata2011-08-231-2/+20
| | | | | | | | | | The association table widget and facet have been modified to accept titles for the add and delete dialogs. The table and facet definitions have been modified to specify the appropriate titles. Some unused code have been removed. Ticket #1629
* Fix wording in examples of delegation plugin.Rob Crittenden2011-08-191-5/+5
| | | | https://fedorahosted.org/freeipa/ticket/1013
* Do batch logging on successful commands too, not just failures.Rob Crittenden2011-08-191-1/+1
| | | | This was an oversight for previous logging patch, ticket 1598
* Log each command in a batch separately.Rob Crittenden2011-08-191-1/+25
| | | | | | | This also fixes command logging in general, it wasn't working in most cases as a regression in ticket 1322. https://fedorahosted.org/freeipa/ticket/1598
* Fix automountlocation-import conflictsMartin Kosek2011-08-181-2/+14
| | | | | | | | | Do not fail import operation with DuplicateEntry when imported maps/keys conflict with maps/keys pre-created by automountlocation-add command. Currently, this applies for map 'auto.direct' and key '/-'. https://fedorahosted.org/freeipa/ticket/1551
* Replaced page dirty dialog title.Endi S. Dewata2011-08-191-1/+1
| | | | | | The title of page dirty dialog has been changed to 'Unsaved Changes'. Ticket #1653
* Removed 'Hide already enrolled' checkbox.Endi S. Dewata2011-08-191-1/+0
| | | | | | | | The 'Hide already enrolled' has been removed from the enrollment dialog because it is checked by default and entries that are already enrolled cannot be enrolled again. Ticket #1638
* Fix automountkey-modMartin Kosek2011-08-182-17/+40
| | | | | | | | | | | | | Fix automountkey-mod so that automountkey attribute is correctly updated. Add this test case to the unit tests. Make automountkey required for automountkey-mod, otherwise it would cause internal server error. Make --newinfo optional so that automountkey may be just renamed without changing its info attribute. https://fedorahosted.org/freeipa/ticket/1528
* ticket 1659 - invalid i18n string in dns.pyJohn Dennis2011-08-181-3/+2
| | | | | | | | | dns.py at line 976 has an invalid i18n string and cannot be processed during message extraction causing message catalog generation to fail. The format parameters are trapped inside the i18n string. Also it's not necessary to promote the i18n string literal to unicode via the u prefix because the _() function returns unicode.
* Propagate environment when it is required.Alexander Bokovoy2011-08-171-0/+7
| | | | | https://fedorahosted.org/freeipa/ticket/1549 https://fedorahosted.org/freeipa/ticket/1550
* Add missing attribute labels for sudoruleMartin Kosek2011-08-171-0/+8
| | | | https://fedorahosted.org/freeipa/ticket/1571
* ticket 1569 - Test DN object non-latin Unicode supportJohn Dennis2011-08-161-16/+22
| | | | | | | | | | | | | | | | | | | | | The DN unittest was lacking a test for i18n. The unittest was updated to store "Hello" in Arabic with both utf-8 and unicode and verify the values could be properly retrieved and converted to dn string syntax. During the testing a few problems were discovered and corrected. * passing in utf-8 caused an ASCII decode error becuase of Python's silly default encoding of ASCII. The fix was to explictly use the utf-8 codec. * there were a couple of places where encode/decode were not called correctly. * the internal attr and value members of the AVA class were renamed to explicitly show they are stored as unicode. Of course the unittest was updated as well.
* ticket 1568 - DN objects should support the insert methodJohn Dennis2011-08-161-3/+27
| | | | Add dn.insert() and update unittest
* error dialog for batch commandPetr Vobornik2011-08-171-0/+5
| | | | | | | https://fedorahosted.org/freeipa/ticket/1597 https://fedorahosted.org/freeipa/ticket/1592 Added option to show multiple errors in error dialog.
* Pass empty options as empty arrays for supported dns record types. ↵Alexander Bokovoy2011-08-151-0/+2
| | | | https://fedorahosted.org/freeipa/ticket/1632
* Fixed facet group labels.Endi S. Dewata2011-08-081-6/+3
| | | | | | | | The facet group labels have been modified according to UXD spec. Some facet groups will have more descriptive labels. Some others will not have any labels because the facet tab is self-explanatory. Ticket #1423, #1561
* Improve dnszone-add error messageMartin Kosek2011-08-081-1/+7
| | | | | | | Check that NS address passed in dnszone-add is a domain name and not an IP address. Make this clear also the parameter help. https://fedorahosted.org/freeipa/ticket/1567
* Hide continue option from automountkey-delMartin Kosek2011-08-021-0/+8
| | | | | | | This option makes no sense for automount keys. This should be removed in future versions. https://fedorahosted.org/freeipa/ticket/1529
* Deprecated managing users and runas user/group in sudorule add/modRob Crittenden2011-07-291-6/+18
| | | | | | | | We have helpers to manage these values so they shouldn't be available via add/mod. There is no logic behind them to do the right thing. https://fedorahosted.org/freeipa/ticket/1307 https://fedorahosted.org/freeipa/ticket/1320
* Add hbactest command. https://fedorahosted.org/freeipa/ticket/386Alexander Bokovoy2011-07-281-0/+327
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
* Fixed missing memberof definition in HBAC service.Endi S. Dewata2011-07-281-1/+4
| | | | | | | The HBAC service class has been modified to define the memberof relationship with HBAC service group. Ticket #1546
* dns section header i18n.Adam Young2011-07-281-0/+2
| | | | https://fedorahosted.org/freeipa/ticket/1493
* removing setters setup and initAdam Young2011-07-281-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | change widget and widget unit tests to hold on to entity, not entity name. Replacing entity_name with entity.name in most places. The one exception is columns for table_widget. Widgets that refer to other entities have to have late resolution of the entity object, due to circular dependencies. cleanup entity assignment. removed template and layout, merged setup into create adder dialogs adjust height for external removed init from widget, isection, association, facet, host and service Make unit tests use factory. fix functional tests to click find link correctly. tweak to activation test, but still broken. moved initialization code to the end use --all for hbacrule find, so the type shows up now fixed dns exception code and exception handling for get_entity replace metadata look up with value from entity. fixed author lines removed duplicate columns in managed by facets. tweak to nav fix in order to initialize tab. more defensive code update metadata for true false one line init for entity_name in widget move init code to end of constructor functions moved constants to start of function for adder_dialog external fields for dialogs initialized at dialog creation sudo sections: move add fields and columns to widget definition. The parameter validation in IPA.column ...This is precondition checking. Note that it merely throws an exception if the entity_name is not set. I want this stuff at the top of the function so that it is obvious to people looking to use them what is required. I added a comment to make this clear, but I'd like to keep precondition checking at the top of the function. decreased the scope of the pkey_name and moved the initiailzation fof columns into the setup_column function for association_tables return false at the end of click handler removed blank labels in sudo command section fix radio buttons for sudo category fixed table side for adder dialogs with external fields comments for future direction with add_columns https://fedorahosted.org/freeipa/ticket/1451 https://fedorahosted.org/freeipa/ticket/1462 https://fedorahosted.org/freeipa/ticket/1493 https://fedorahosted.org/freeipa/ticket/1497 https://fedorahosted.org/freeipa/ticket/1532 https://fedorahosted.org/freeipa/ticket/1534
* Make AVA, RDN & DN comparison case insensitive. No need for lowercase ↵John Dennis2011-07-271-103/+159
| | | | | | | | | | | | | | | | | | | | | | | | | | normalization. Replace deepcopy with constructor (i.e. type call) Can now "clone" with configuration changes by passing object of the same type to it's constructor, e.g. dn1 = DN(('cn', 'foo')) dn2 = DN(dn1) dn2 = DN(dn1, first_key_match=False) Remove pairwise grouping for RDN's. Had previously removed it for DN's, left it in for RDN's because it seemed to make sense because of the way RDN's work but consistency is a higher goal. Add keyword constructor parameters to pass configuration options. Make first_key_match a configuration keyword. Updated documentation. Updated unit test. FWIW, I noticed the unittest is now running 2x faster, not sure why, removal of deepcopy? Anyway, hard to argue with performance doubling.
* Fix invalid issuer in unit testsMartin Kosek2011-07-271-2/+5
| | | | | | | Fix several test failures when issuer does not match the one generated by make-testcert (CN=Certificate Authority,O=<realm>). https://fedorahosted.org/freeipa/ticket/1527
* Don't leave dangling map if adding an indirect map failsRob Crittenden2011-07-271-5/+10
| | | | | | | | When using the add_indirect helper we create a new map and then add a key for it all in one step. If adding the key fails for any reason be sure to remove the map we added. https://fedorahosted.org/freeipa/ticket/1520
* Fix automountkey commands summaryMartin Kosek2011-07-271-4/+12
| | | | | | | | | | | The summary value was set to primary key. However, the primary key may contain also an info option as a workaround for multiple direct maps problem. This patch sets the result 'value' and thus summary text to expected and consistent value. https://fedorahosted.org/freeipa/ticket/1524
* Revert use of 'can be at least' to 'must be at least' in minvalue validatorRob Crittenden2011-07-261-1/+1
| | | | BZ https://bugzilla.redhat.com/show_bug.cgi?id=723969
* fixed empty dns record updatePetr Vobornik2011-07-251-0/+3
| | | | | | | https://fedorahosted.org/freeipa/ticket/1477 Redirection after updating empty DNS Record (which is deleted). Added hook to details facet for post update operation.
* Don't check for leading/trailing spaces in a File parameterRob Crittenden2011-07-251-1/+2
| | | | https://fedorahosted.org/freeipa/ticket/1505