| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1632
|
| |
|
|
|
|
|
|
| |
The facet group labels have been modified according to UXD spec.
Some facet groups will have more descriptive labels. Some others
will not have any labels because the facet tab is self-explanatory.
Ticket #1423, #1561
|
| |
|
|
|
|
|
| |
Check that NS address passed in dnszone-add is a domain name and
not an IP address. Make this clear also the parameter help.
https://fedorahosted.org/freeipa/ticket/1567
|
| |
|
|
|
|
|
| |
This option makes no sense for automount keys. This should be
removed in future versions.
https://fedorahosted.org/freeipa/ticket/1529
|
| |
|
|
|
|
|
|
| |
We have helpers to manage these values so they shouldn't be available
via add/mod. There is no logic behind them to do the right thing.
https://fedorahosted.org/freeipa/ticket/1307
https://fedorahosted.org/freeipa/ticket/1320
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.
Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.
Test user coming from source host to a service on a named host against
existing enabled rules.
ipa hbactest --user= --srchost= --host= --service=
[--rules=rules-list] [--nodetail] [--enabled] [--disabled]
--user, --srchost, --host, and --service are mandatory, others are optional.
If --rules is specified simulate enabling of the specified rules and test
the login of the user using only these rules.
If --enabled is specified, all enabled HBAC rules will be added to simulation
If --disabled is specified, all disabled HBAC rules will be added to simulation
If --nodetail is specified, do not return information about rules matched/not matched.
If both --rules and --enabled are specified, apply simulation to --rules _and_
all IPA enabled rules.
If no --rules specified, simulation is run against all IPA enabled rules.
EXAMPLES:
1. Use all enabled HBAC rules in IPA database to simulate:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
2. Disable detailed summary of how rules were applied:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
--------------------
Access granted: True
--------------------
3. Test explicitly specified HBAC rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: myrule
4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
5. Test all disabled HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
---------------------
Access granted: False
---------------------
notmatched: new-rule
6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
7. Test all (enabled and disabled) HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
notmatched: new-rule
matched: allow_all
Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.
Specifying them through --rules option explicitly enables them only in
simulation run.
Specifying non-existing rules will not grant access and report non-existing
rules in output.
|
| |
|
|
|
|
|
| |
The HBAC service class has been modified to define the memberof
relationship with HBAC service group.
Ticket #1546
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1493
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
change widget and widget unit tests to hold on to entity, not entity name.
Replacing entity_name with entity.name in most places.
The one exception is columns for table_widget.
Widgets that refer to other entities have to have late resolution of the entity object, due to circular dependencies.
cleanup entity assignment.
removed template and layout,
merged setup into create
adder dialogs adjust height for external
removed init from widget, isection, association, facet, host and service
Make unit tests use factory.
fix functional tests to click find link correctly.
tweak to activation test, but still broken.
moved initialization code to the end
use --all for hbacrule find, so the type shows up now
fixed dns exception code and exception handling for get_entity
replace metadata look up with value from entity.
fixed author lines
removed duplicate columns in managed by facets.
tweak to nav fix in order to initialize tab.
more defensive code
update metadata for true false
one line init for entity_name in widget
move init code to end of constructor functions
moved constants to start of function for adder_dialog
external fields for dialogs initialized at dialog creation
sudo sections: move add fields and columns to widget definition.
The parameter validation in IPA.column ...This is precondition checking. Note that it merely throws an exception if the entity_name is not set. I want this stuff at the top of the function so that it is obvious to people looking to use them what is required. I added a comment to make this clear, but I'd like to keep precondition checking at the top of the function.
decreased the scope of the pkey_name and moved the initiailzation fof columns into the setup_column function for association_tables
return false at the end of click handler
removed blank labels in sudo command section
fix radio buttons for sudo category
fixed table side for adder dialogs with external fields
comments for future direction with add_columns
https://fedorahosted.org/freeipa/ticket/1451
https://fedorahosted.org/freeipa/ticket/1462
https://fedorahosted.org/freeipa/ticket/1493
https://fedorahosted.org/freeipa/ticket/1497
https://fedorahosted.org/freeipa/ticket/1532
https://fedorahosted.org/freeipa/ticket/1534
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
normalization.
Replace deepcopy with constructor (i.e. type call)
Can now "clone" with configuration changes by passing object
of the same type to it's constructor, e.g.
dn1 = DN(('cn', 'foo'))
dn2 = DN(dn1)
dn2 = DN(dn1, first_key_match=False)
Remove pairwise grouping for RDN's. Had previously removed it
for DN's, left it in for RDN's because it seemed to make sense
because of the way RDN's work but consistency is a higher goal.
Add keyword constructor parameters to pass configuration options.
Make first_key_match a configuration keyword.
Updated documentation.
Updated unit test.
FWIW, I noticed the unittest is now running 2x faster, not sure why,
removal of deepcopy? Anyway, hard to argue with performance doubling.
|
| |
|
|
|
|
|
| |
Fix several test failures when issuer does not match the one
generated by make-testcert (CN=Certificate Authority,O=<realm>).
https://fedorahosted.org/freeipa/ticket/1527
|
| |
|
|
|
|
|
|
| |
When using the add_indirect helper we create a new map and then add a key
for it all in one step. If adding the key fails for any reason be sure to
remove the map we added.
https://fedorahosted.org/freeipa/ticket/1520
|
| |
|
|
|
|
|
|
|
|
|
| |
The summary value was set to primary key. However, the primary key
may contain also an info option as a workaround for multiple direct
maps problem.
This patch sets the result 'value' and thus summary text to
expected and consistent value.
https://fedorahosted.org/freeipa/ticket/1524
|
| |
|
|
| |
BZ https://bugzilla.redhat.com/show_bug.cgi?id=723969
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1477
Redirection after updating empty DNS Record (which is deleted).
Added hook to details facet for post update operation.
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1505
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1514
|
| |
|
|
|
|
|
| |
It won't appear in the UI/CLI but is still available via XML-RPC.
allow is the default and deny will be rejected.
https://fedorahosted.org/freeipa/ticket/1495
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pairwise grouping used to form RDN's and AVA's proved to be
confusing in practice, this patch removes that functionality thus
requiring programmers to explicitly pair attr,value using a tuple or
list.
In addition it was discovered additional functionality was needed to
support some DN operations in freeipa. DN objects now support
startswith(), endswith() and the "in" membership test. These functions
and operators will accept either a DN or RDN.
The unittest was modified to remove the pairwise tests and add new
explicit tests. The unittest was augmented to test the new
functionality. In addition the unittest was cleaned up a bit to use
common utilty functions for improved readabilty and robustness.
The documentation was updated.
fix test_role_plugin use of DN to avoid pairwise grouping
|
| |
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1509
https://fedorahosted.org/freeipa/ticket/1510
|
| |
|
|
| |
This fixes an indentation problem.
|
| |
|
|
|
|
|
| |
Allow a long to get as far as the min/max constraints where we can
compare it to min/max int values and reject with a proper error message.
https://fedorahosted.org/freeipa/ticket/1494
|
| |
|
|
|
| |
The members should be the current members of the entry, not the refreshed
copy
|
| |
|
|
|
|
| |
This is just a display problem, the host is actually removed from the entry.
https://fedorahosted.org/freeipa/ticket/1492
|
| |
|
|
|
|
|
| |
Removed sudorule "External User" is displayed in the output when
"--all" switch is used.
https://fedorahosted.org/freeipa/ticket/1489
|
| |
|
|
|
|
|
|
|
|
|
| |
Add a new command that lets you wait for an attribute to appear in
a value. Using this you can do things like wait for a managed entry
to be created, adding a new objectclass to the parent entry.
This is controlled by a new booleon option, wait_for_attr, defaulting
to False.
https://fedorahosted.org/freeipa/ticket/1144
|
| |
|
|
|
|
|
|
|
| |
If you used sudorule-remove-runasgroup to remove a member that member
still appeared in the command output when --all was included (it isn't a
default attribute). This was due to post-processing to evaluate external
users/groups, the entry was actually updated properly.
https://fedorahosted.org/freeipa/ticket/1348
|
| |
|
|
|
|
|
|
|
|
|
| |
There were a few places in the code where certs were loaded from a
PKCS#7 file or a chain in a PEM file. The certificates got very
generic nicknames.
We can instead pull the subject from the certificate and use that as
the nickname.
https://fedorahosted.org/freeipa/ticket/1141
|
| |
|
|
|
|
|
|
|
| |
Passing a number of "long" type to IPA Int parameter invokes
user-unfriendly error message about incompatible types. This patch
improves Int parameter with user understandable message along with
maximum value he can pass.
https://fedorahosted.org/freeipa/ticket/1346
|
| |
|
|
|
|
|
|
| |
Implement a test for new dnszone-find option --forward-only.
Fix example for reverse zone (zone was not fully qualified and
DNS plugin would forbid adding PTR records).
https://fedorahosted.org/freeipa/ticket/1473
|
| |
|
|
|
|
|
| |
In order for this to work, chaining of parameters through
default_from is made possible.
ticket 1474
|
| |
|
|
|
|
|
|
|
|
| |
New rules will all be allow type. Existing rules cannot be changed to
deny.
The type attribute now defaults to allow with autofill so it won't be
prompted in interactive mode in the cli.
https://fedorahosted.org/freeipa/ticket/1432
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1328
|
| |
|
|
|
|
|
|
| |
It was my understanding that we would be able to pass in an existing UUID
when registering to connect to an existing registration (for the case where
IPA is re-installed). This is supported in the REST API but not python-rhsm.
https://fedorahosted.org/freeipa/ticket/1216
|
| |
|
|
|
|
|
|
| |
The CSS text-transform sometimes produces incorrect capitalization,
so the code has been modified to use translated labels that already
contain the correct capitalization.
Ticket #1424
|
| |
|
|
|
|
|
|
|
| |
Implements a new option to filter out reverse zones.
This patch also do some clean up in dns plugin - debug prints were
accidentally left here in the last dns patch.
https://fedorahosted.org/freeipa/ticket/1471
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1259
Python code will see nsaccountlock as bool. JavaScript code will also see it as bool.
This allows native boolean operations with the lock field. Passes both CLI and WebUI tests.
|
| |
|
|
|
|
|
|
|
| |
The object_name, object_name_plural and messages that use these
attributes have been converted to support translation. The label
attribute in the Param class has been modified to accept unicode
string.
Ticket #1435
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The DNS record plugin does not support modification of a record. One
can only add A type addresses to a DNS record or remove the current
ones. To actually change a DNS record value it has to be removed and
then added with a desired value.
This patch adds a new DNS plugin command "dnsrecord-mod" which enables
user to:
- modify a DNS record value (note than DNS record can hold multiple values
and those will be overwritten)
- remove a DNS record when an empty value is passed
New tests for this new command have been added to the CLI test suite.
https://fedorahosted.org/freeipa/ticket/1137
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
It will only ever return one entry so if more than one are found
then we raise an exception. This is most easily seen in the host
plugin where we search on the server shortname which can be the
same across sub-domains (e.g. foo.example.com &
foo.lab.example.com).
https://fedorahosted.org/freeipa/ticket/1388
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This started as a problem in allowing leading/trailing whitespaces
on primary keys. In nearly every command other than add query is True
so all rules were ignored on the primary key. This meant that to
enforce whitespace we would need to define a validator for each one.
I decided instead to set self.all_rules to just the class rules if
query == True. So the minimum set of validators will be executed
against each type but param-specific validators will only run on add.
https://fedorahosted.org/freeipa/ticket/1285
https://fedorahosted.org/freeipa/ticket/1286
https://fedorahosted.org/freeipa/ticket/1287
|
| |
|
|
|
|
|
| |
A table has been added into sudo rule details page for managing
sudo options.
Ticket #1447
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
The object_name attribute was used as both an identifier and a
label which sometimes require different values (e.g. hbacrule
vs. HBAC rule). The code that uses object_name as an identifier
has been changed to use the 'name' attribute instead. The values
of the object_name attribute have been fixed to become proper
labels.
Ticket #1217
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1416
|
| |
|
|
|
|
|
|
|
| |
The following invalid associations have been removed:
- group's memberindirect netgroup and role
- hostgroup's memberofindirect host
Ticket #1366
Ticket #1367
|
| |
|
|
|
|
|
|
|
| |
The IPA.user_status_widget has been modified such that it checks
the facet dirty status and asks the admin to either Update or Reset
the changes. Then the widget shows a dialog to confirm whether
the admin wants to activate/deactivate the user.
Ticket #1395
|
| | |
|
| |
|
|
|
|
| |
Hard-coded messages in the UI have been replaced with I18n messages.
Ticket #1396
|
