| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When unknown keyword arguments are passed to a Command, raise an
error instead of ignoring them.
Options used when IPA calls its commands internally are listed
in a new Command attribute called internal_options, and allowed.
Previous patches (0b01751c, c45174d6, c5689e7f) made IPA not use
unknown keyword arguments in its own commands and tests, but since
that some violations were reintroduced in permission_find and tests.
Fix those.
Tests included; both a frontend unittest and a XML-RPC test via the
ping plugin (which was untested previously).
https://fedorahosted.org/freeipa/ticket/2509
|
|
|
|
|
|
| |
Trust work that was pushed recently requires few changes in unit
tests to prevent test failures. This patch also removes repetitive
construction of group DN in group unit tests.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix several problems with the callback interface:
- Automatically registered callbacks (i.e. methods named
exc_callback, pre_callback etc) were registered on every
instantiation.
Fix: Do not register callbacks in __init__; instead return the
method when asked for it.
- The calling code had to distinguish between bound methods and
plain functions by checking the 'im_self' attribute.
Fix: Always return the "default" callback as an unbound method.
Registered callbacks now always take the extra `self` argument,
whether they happen to be bound methods or not.
Calling code now always needs to pass the `self` argument.
- Did not work well with inheritance: due to the fact that Python
looks up missing attributes in superclasses, callbacks could
get attached to a superclass if it was instantiated early enough. *
Fix: Instead of attribute lookup, use a dictionary with class keys.
- The interface included the callback types, which are LDAP-specific.
Fix: Create generic register_callback and get_callback mehods,
move LDAP-specific code to BaseLDAPCommand
Update code that calls the callbacks.
Add tests.
Remove lint exceptions for CallbackInterface.
* https://fedorahosted.org/freeipa/ticket/2674
|
|
|
|
|
|
|
|
| |
Raise an error when trying to delete the last user in the
'admins' group, or remove the last member from the group,
or delete the group itself.
https://fedorahosted.org/freeipa/ticket/2564
|
|
|
|
|
|
|
|
|
|
|
|
| |
For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.
The policy is not easy to construct for regular users, we should
rather fill it by default and let users just switch the policy
on or off.
https://fedorahosted.org/freeipa/ticket/2441
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds tests for the automountlocation_tofiles and
automountlocation_import commands, and to automountmap_add_indirect
with the --parentmap option.
The tofiles test checks not only the XML-RPC output, but also the
output_for_cli method.
The import tests load data from tofiles output to the directory
and check that tofiles output matches.
This only works when all maps are connected to auto.master.
Two minor touches to the automount plugin itself: remove an extra
space, and don't hide the traceback when re-raising an exception.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Precallback validator was failing when a zone-relative name was
used as a NS record (for example record "ns" in a zone "example.com").
However, this is valid in BIND and we should allow it as well.
Imports in dns module had to be switched to absolute imports
(available from Python 2.5) to deal with a conflict of IPA dns
module and dnspython module.
https://fedorahosted.org/freeipa/ticket/2630
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When permission-find post callback detected a --pkey-only option,
it just terminated. However, this way the results that could have
been added from aci_find matches were not included.
Fix the post callback to go through the entire matching process.
Also make sure that DNS permissions have a correct objectclass
(ipapermission), otherwise such objects are not matched by the
permission LDAP search.
https://fedorahosted.org/freeipa/ticket/2658
|
|
|
|
|
|
|
| |
This option will make renaming DNS records much easier.
Add a unit test for this new functionality.
https://fedorahosted.org/freeipa/ticket/2600
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We actually perform two searches in permission-find. The first looks
for matches within the permission object itself. The second looks at
matches in the underlying aci.
We need to break out in two places. The first is if we find enough
matches in the permission itself. The second when we are appending
matches from acis.
The post_callback() definition needed to be modified to return
the truncated value so a plugin author can modify that value.
https://fedorahosted.org/freeipa/ticket/2322
|
|
|
|
|
|
|
|
|
| |
If --delattr is used on an attribute that's not present on an entry,
and --{set,add}attr isn't being used on that same attribute,
say that there's "no such attribute" instead of "<attribute> does
not contain <value>".
https://fedorahosted.org/freeipa/ticket/2699
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make --{set,add,del}attr fail on parameters with the no_update/no_create
flag for the respective command.
For attributes that can be modified, but we just don't want to display
in the CLI, use the 'no_option' flag. These are "locking" attributes
(ipaenabledflag, nsaccountlock) and externalhost.
Document the 'no_option' flag. Add some tests.
https://fedorahosted.org/freeipa/ticket/2580
|
|
|
|
|
|
|
|
|
|
| |
Kerberos ticket maximum life was being set to 1 hour which then
affected lifetime of Kerberos tickets returned by IPA server under
the test.
Make sure that the policy is reset before and after the unit test to
keep the IPA server settings clean and not to disrupt development
environment.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Always call convert_time_for_output so time gets reported correctly.
That method has its own checks for whether the attributes are present;
an additional check is unnecessary.
Use a key function for sorting; cmp is deprecated, slower and
more complicated.
Add a test
https://fedorahosted.org/freeipa/ticket/2726
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2701
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2321
|
|
|
|
|
|
|
|
|
|
|
| |
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.
This patch does that for ACI-related plugins.
Part of the work for https://fedorahosted.org/freeipa/ticket/2509
|
|
|
|
|
|
|
|
|
|
|
|
| |
permission-find --name wasn't working for two reasons. The first
was that the cn to search on in options ended up overlapping the
primary key name causing the request to fail.
The second reason was aci uses aciname, not cn, as its name field.
So searching on --name matched everything because it was as if you
were searching on nothing.
https://fedorahosted.org/freeipa/ticket/2320
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change the externalhost attribute of hbacrule, netgroup
and sudorule into a full-fledged Parameter, and attach
a validator to it.
The validator is relaxed to allow underscores, so that
some hosts with nonstandard names can be added.
Tests included.
https://fedorahosted.org/freeipa/ticket/2649
|
|
|
|
|
|
|
|
|
|
| |
The config plugin was adding together a list and a tuple, then
converting to a set.
Replace the operation with a set union.
Regression test included.
https://fedorahosted.org/freeipa/ticket/2706
|
|
|
|
|
|
| |
Also the unused `append` argument from _convert_2_dict.
https://fedorahosted.org/freeipa/ticket/2680
|
|
|
|
|
|
|
|
|
|
|
| |
Calling a LDAP{Add,Remove}ReverseMember with an empty reverse_member
caused an internal error, because empty values are converted to None,
which is then iterated.
Use an empty list instead of None (or other false falues, of which we
only use the empty list).
https://fedorahosted.org/freeipa/ticket/2681
|
|
|
|
|
|
|
|
|
|
|
| |
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.
This patch does that for the automount plugin and its tests.
Part of the work for https://fedorahosted.org/freeipa/ticket/2509
|
|
|
|
|
|
|
| |
Changed regex validating net/hostgroup names to allow single letter
names. Unit-tests added.
https://fedorahosted.org/freeipa/ticket/2671
|
|
|
|
|
| |
A recent patch changed the error message from the hostname
validator. Update the tests to reflect this change.
|
|
|
|
|
|
|
|
| |
This reverts commit 1356988b7a40a60af39807db143860efb4a2f435.
We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
|
|
|
|
|
|
|
|
| |
This reverts commit a58cbb985ec007c0ef83010b32408efb2f4784d2.
We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
|
|
|
|
|
|
|
| |
Test that `pwpolicy_find --pkey-only` works as expected
Test that deleting a group removes its password policy
Rename the test module to be consistent with other plugin tests.
|
|
|
|
|
|
|
|
|
| |
Replace _call_exc_callbacks with a function wrapper, which will automatically
call exception callbacks when an exception is raised from the function. This
removes the need to specify the function and its arguments twice (once in the
function call itself and once in _call_exc_callbacks).
Add some extra checks to existing exception callbacks.
|
|
|
|
|
| |
Amend unit tests to match the latest changes in DNS (tickets 2627,
2628) and hardened exception error message checks.
|
|
|
|
|
|
|
| |
The update was failing because of the case insensitivity of permission
object DN. Unit-tests added.
https://fedorahosted.org/freeipa/ticket/2571
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Have the test suite check error messages.
Since XMLRPC doesn't give us structured error information, just
compare the resulting text.
Fix messages that tests expect to cause.
Minor changes:
Make netgroup-mod's NotFound message consistent with other objects
and methods.
In test_automember_plugin, test with nonexistent automember rules
of both types, instead of nonexistent users.
https://fedorahosted.org/freeipa/ticket/2549
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Attribute Patrams marked no_update never get cloned to Update commands,
and thus never receive the `attribute` flag. This makes their `encode`
method a no-op, which meant they don't get properly encoded when used
with --setattr, making the --setattr fail.
Introduce a `force` argument to encode, which overrides checking
for the attribute flag. Use this in set/add/delattr normalization,
where we know we are dealing with attributes.
https://fedorahosted.org/freeipa/ticket/2616
|
|
|
|
|
|
|
|
| |
The DN and ACI code doesn't always escape special characters properly.
Rather than trying to fix it, this patch takes the easy way out and
enforces that the names are safe.
https://fedorahosted.org/freeipa/ticket/2585
|
|
|
|
| |
ticket 2587
|
|
|
|
|
|
|
| |
Added 'fallback' into the labels for default automember group and
hostgroup.
https://fedorahosted.org/freeipa/ticket/2354
|
|
|
|
|
|
| |
--noprivate.
ticket 2572
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
--addattr & friends that modified attributes known to Python sometimes
used converted and validated Python values instead of LDAP strings.
This caused a problem for --delattr, which searched for a converted
integer in a list of raw strings (ticket 2407).
With this patch we work on raw strings, converting only when done.
Deferring validation ensures the end result is valid, so proper errors
are raised instead of failing later (ticket 2405).
Tests included.
Replaces previous fix for:
https://fedorahosted.org/freeipa/ticket/2418
Fixes:
https://fedorahosted.org/freeipa/ticket/2405
https://fedorahosted.org/freeipa/ticket/2407
https://fedorahosted.org/freeipa/ticket/2408
|
|
|
|
|
|
|
|
|
| |
This adds tests for the batch plugin, and changes its output
declaration to allow results as tuples (this tripped validation).
The assert_deepequal function ignores the order of items in lists.
Document this in its docstring, and use a custom checker for the
batch plugin results.
|
|
|
|
|
|
|
|
|
|
|
| |
Two test methods in test_rpcserver had the same name; the first didn't get
to run.
Another duplicate pair was in test_hbac_plugin with the same name; the ignored
test had small error in it.
check_TypeError used a wrong constant name
An error reporting function in test.util used uninitialized argument names.
This patch fixes these problems.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, each DNS test case first checks if DNS is configured
by creating and deleting a test zone. This takes quite a lot of time.
This patch moves the check to the setUpClass method, so the check is
only done once for all the tests.
Similarly, if the server is not available, entire XMLRPC test classes
are now skipped.
Additionally, CLItests that hit the server are skipped if the server
isn't available.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.
https://fedorahosted.org/freeipa/ticket/2448
'add_external_pre_callback' function was created to allow validation of
all external members. Validation is based on usage of objects primary
key parameter. The 'add_external_pre_callback' fucntion has to be called
directly from in the 'pre_callback' function. This change affects
netgroup, hbacrule and sudorule commands.
For hostname, the validator allows non-fqdn and underscore characters.
validate_hostname function in ipalib.util was modified and contains
additional option that allows hostname to contain underscore characters.
This option is disabled by default.
Unit-tests added.
https://fedorahosted.org/freeipa/ticket/2447
|
|
|
|
| |
ticket 2521
|
|
|
|
|
|
|
|
|
|
|
| |
Some of our tests used unintended extra options, or options with
misspelled, wrongly copy-pasted or otherwise bad names. These are
ignored, so the intended argument was treated as missing. The test
itself can still pass but may be rendered ineffective or fragile.
This only fixes those of such errors that appear in the test suite.
Fixing code in the framework and actual rejecting of unknown
arguments is deferred for later (ticket #2509).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There were cases where DNS plugin was too tolerant in a raw DNS
record option (--<rrtype-rec) processing. It let people specify
DNS record parts options in dnsrecord-mod operations for some
record without specifying the record that should be updated. It
also ignored DNS record parts in dnsrecord-add operation when the
raw DNS record value was already set via --<rrtype>-rec option.
This patch hardens the processing and returns error in both
described cases to make the processes clearer and more robust.
All these use cases were also covered by new unit tests.
https://fedorahosted.org/freeipa/ticket/2551
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
DNS plugin contains several RR type record validators run in
pre_callback which cannot be used as standard param validator
as it needs more data and resources that standard validators
provide. However, the precallback validators are not run for
DNS records created by new structured options and thus an invalid
value may slip in.
This patch moves the execution of these precallback validators
_after_ the processing of structured DNS options. It also cleans
them up a little and makes them more robust.
https://fedorahosted.org/freeipa/ticket/2550
|
|
|
|
|
|
|
|
|
|
| |
get_allowed_attributes function was improved to look for allowed
attributes also in the superior objectclasses of specified objectclass.
This fixes the regression caused by patch for ticket #2293. Test-case
for unit-test was also created.
https://fedorahosted.org/freeipa/ticket/2293
|
|
|
|
| |
Validation is going to catch the invalid hostname before the mod is tried.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Splitting on commas is not an idempotent operation:
'a,b\,c' -> ('a', 'b,c') -> ('a', 'b', 'c')
That means we can't do it when the call is forwarded, so this is only
done on the CLI. The UI already sends values as a tuple.
Replace escaping in the csv parser with quoting. Quoted strings can have
embedded commas instead of having to escape them. This prevents the csv
parser from eating all escape characters.
Also, document Param's csv arguments, and update tests.
https://fedorahosted.org/freeipa/ticket/2417
https://fedorahosted.org/freeipa/ticket/2227
|