summaryrefslogtreecommitdiffstats
path: root/tests
Commit message (Collapse)AuthorAgeFilesLines
* ipa permission-mod --rename does not workMartin Kosek2011-01-281-4/+64
| | | | | | | | | | | This patch fixes nonfunctional rename operation in permission plugin. Also makes sure, that no change is made to the underlying ACI in pre_callback() when the target permission already exists. Several tests for the rename operation have been created to ensure that the it won't break again unnoticed. https://fedorahosted.org/freeipa/ticket/814
* Enforce that all NS records are resolvableJakub Hrozek2011-01-281-1/+60
| | | | | | | Bind cannot load a zone if any of its name server records is not resolvable. https://fedorahosted.org/freeipa/ticket/838
* Delete the whole DNS record with no parametersJakub Hrozek2011-01-281-17/+21
| | | | | | | | | Error out when deleting a nonexistent DNS record Also fixes the DNS unit tests. https://fedorahosted.org/freeipa/ticket/816 https://fedorahosted.org/freeipa/ticket/829
* Enforce uniqueness on (key,info) pairs in automount keysJakub Hrozek2011-01-251-17/+66
| | | | https://fedorahosted.org/freeipa/ticket/293
* Fix failed tests. API for utcoffset changed and strings are more robust.Rob Crittenden2011-01-241-3/+4
| | | | | | | In Python 2.7 the API for time.utcoffset() changed. We do more automatic conversions of strings so need to loosen the tests a bit.
* Move HBAC services and service groups to cn=hbacJan Zeleny2011-01-181-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/762
* Move sudo related data all under cn=sudoSimo Sorce2011-01-172-20/+20
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/773
* Add API version and have server reject incompatible clients.Rob Crittenden2011-01-142-8/+13
| | | | | | | | | | | | | | | | | | | | | | | | This patch contains 2 parts. The first part is a small utility to create and validate the current API. To do this it needs to load ipalib which on a fresh system introduces a few problems, namely that it relies on a python plugin to set the default encoding to utf8. For our purposes we can skip that. It is also important that any optional plugins be loadable so the API can be examined. The second part is a version exchange between the client and server. The version has a major and a minor version. The major verion is updated whenever existing API changes. The minor version is updated when new API is added. A request will be rejected if either the major versions don't match or if the client major version is higher than then server major version (though by implication new API would return a command not found if allowed to proceed). To determine the API version of the server from a client use the ping command. ticket 584
* fix sudorule runas user/groups https://fedorahosted.org/freeipa/ticket/570Jr Aquino2011-01-121-0/+55
|
* Display the entries that failed when deleting with --continue.Rob Crittenden2011-01-1017-36/+46
| | | | | | | | | | | | We collected the failures but didn't report it back. This changes the API of most delete commands so rather than returning a boolean it returns a dict with the only current key as failed. This also adds a new parameter flag, suppress_empty. This will try to not print values that are empty if included. This makes the output of the delete commands a bit prettier. ticket 687
* Rename hbac module to hbacruleJan Zeleny2011-01-071-93/+93
| | | | | | The renaming follows previous discussion on mailing list and it leads to name compatibility with other plugins (e.g. sudorule). It is also necessary for following changes in ipa help.
* SUDO plugin support for external hosts and users ↵Jr Aquino2010-12-211-2/+78
| | | | https://fedorahosted.org/freeipa/ticket/570
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-2056-280/+280
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Translate the membergroup dn into a group name.Rob Crittenden2010-12-201-11/+6
| | | | | | Drop filter from the output, it is superfluous. ticket 634
* Allow RDN changes from CLIJakub Hrozek2010-12-201-0/+28
| | | | https://fedorahosted.org/freeipa/ticket/397
* Don't use camel-case LDAP attributes in ACI and don't clear enrolledByRob Crittenden2010-12-172-10/+14
| | | | | | | | | | | | We keep LDAP attributes lower-case elsewhere in the API we should do the same with all access controls. There were two ACIs pointing at the manage_host_keytab permission. This isn't allowed in general and we have decided separately to not clear out enrolledBy when a host is unenrolled so dropping it is the obvious thing to do. ticket 597
* Fix a slew of tests.Rob Crittenden2010-12-176-1/+42
| | | | | | | - Skip the DNS tests if DNS isn't configured - Add new attributes to user entries (displayname, cn and initials) - Make the nsaccountlock value consistent - Fix the cert subject for cert tests
* Add group to group delegation plugin.Rob Crittenden2010-12-131-0/+198
| | | | | | | This is a thin wrapper around the ACI plugin that manages granting group A the ability to write a set of attributes of group B. ticket 532
* tests for sudo run as user or group https://fedorahosted.org/freeipa/ticket/570Jr Aquino2010-12-131-0/+72
|
* Check for existence of the group when adding a user.Rob Crittenden2010-12-131-0/+31
| | | | | | | | | | | | | The Managed Entries plugin will allow a user to be added even if a group of the same name exists. This would leave the user without a private group. We need to check for both the user and the group so we can do 1 of 3 things: - throw an error that the group exists (but not the user) - throw an error that the user exists (and the group) - allow the uesr to be added ticket 567
* Properly handle multi-valued attributes when using setattr/addattr.Rob Crittenden2010-12-102-1/+178
| | | | | | | | | | | | The problem was that the normalizer was returning each value as a tuple which we were then appending to a list, so it looked like [(u'value1',), (u'value2',),...]. If there was a single value we could end up adding a tuple to a list which would fail. Additionally python-ldap doesn't like lists of lists so it was failing later in the process as well. I've added some simple tests for setattr and addattr. ticket 565
* Fix automount testsRob Crittenden2010-12-081-26/+25
|
* Add plugin for manage self-service ACIsRob Crittenden2010-12-081-0/+183
| | | | | | | | | This is just a thin wrapper around the aci plugin, controlling what types of ACIs can be added. Right now only ACIs in the basedn can be managed with this plugin. ticket 531
* Add new parameter type IA5Str and use this to enforce the right charset.Rob Crittenden2010-12-071-0/+23
| | | | ticket 496
* Remove accessTime from HBAC.Rob Crittenden2010-12-061-26/+23
| | | | ticket 545
* Add new version of DNS plugin: complete rework with baseldap + unit tests.Pavel Zuna2010-12-011-0/+341
| | | | | Ticket #36 Ticket #450
* Re-implement access control using an updated model.Rob Crittenden2010-12-0111-1310/+1350
| | | | | | | | | | | | | | | | | | | The new model is based on permssions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
* Add managedby to Host entriesRob Crittenden2010-11-194-3/+113
| | | | | | This will allow others to provision on behalf of the host. ticket 280
* Revoke a host's certificate (if any) when it is deleted or disabled.Rob Crittenden2010-11-192-2/+29
| | | | | | | | | Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
* Revert tests code to use the old uuid format.Simo Sorce2010-11-151-2/+2
|
* user-enable/disable improvementsRob Crittenden2010-11-041-0/+10
| | | | | | | | | | | | | Always display the account enable/disable status. Don't ignore the exceptions when a user is already enabled or disabled. Fix the exception error messages to use the right terminology. In baseldap when retrieving all attributes include the default attributes in case they include some operational attributes. ticket 392
* Output ACI's broken out into attributes rather than a single text fieldRob Crittenden2010-11-041-17/+79
| | | | | | Also add validation to the List parameter type. ticket 357
* Added fixes to adjust for sudocmd attribute for sudocmds. Added fix for ↵Jr Aquino2010-11-032-14/+14
| | | | sudorule to allow for cmdCategory all Added fixes for xmlrpc tests to reflect sudocmd changes.
* Use kerberos password policy.Rob Crittenden2010-11-012-7/+8
| | | | | | | | | | | | | | | | | | | | | | | This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8. There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added. The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting. As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line. ticket 51
* Implement nested netgroups and include summaries for the commands.Rob Crittenden2010-10-293-367/+1052
| | | | | | | Replace the existing netgroup test cases with Declarative tests. This triples the number of tests we were doing. ticket 209
* Return reason for failure when updating group membership fails.Rob Crittenden2010-10-283-12/+22
| | | | | | | | | | | We used to return a list of dns that failed to be added. We now return a list of tuples instead. The tuple looks like (dn, reason) where reason is the exception that was returned. Also made the label we use for failures to be singular instead of plural since we now print them out individually instead of as comma-separated. ticket 270
* Don't allow managed groups to have group password policy.Rob Crittenden2010-10-281-1/+12
| | | | | | | UPG cannot have members and we use memberOf in class of service to determine which policy to apply. ticket 160
* Remove group nesting from the HBAC service groupsRob Crittenden2010-10-281-2/+0
| | | | ticket 389
* Use context to decide which name to return on RequirementsErrorsRob Crittenden2010-10-282-11/+19
| | | | | | | | | | | | | | When a Requirement fails we throw an exception including the name of the field that is missing. To make the command-line friendlier we have a cli_name defined which may or may not match the LDAP attribute. This can be confusing if you are using ipalib directly because the attribute name missing may not match what is actually required (desc vs description is a good example). If you use the context 'cli' then it will throw exceptions using cli_name. If you use any other context it will use the name of the attribute. ticket 187
* Populate indirect members when showing a group object.Rob Crittenden2010-10-283-6/+356
| | | | | | | | | | | | | | | This is done by creating a new attribute, memberindirect, to hold this indirect membership. The new function get_members() can return all members or just indirect or direct. We are only using it to retrieve indirect members currently. This also: * Moves all member display attributes into baseldap.py to reduce duplication * Adds netgroup nesting * Use a unique object name in hbacsvc and hbacsvcgroup ticket 296
* Allow RDN changes for users, groups, rolegroups and taskgroups.Rob Crittenden2010-10-285-0/+172
| | | | | | | | | | | | To do a change right now you have to perform a setattr like: ipa user-mod --setattr uid=newuser olduser The RDN change is performed before the rest of the mods. If the RDN change is the only change done then the EmptyModlist that update_entry() throws is ignored. ticket 323
* UUIDs: remove uuid python plugin and let DS always autogenerateSimo Sorce2010-10-281-1/+1
| | | | merge in remove uuid
* Fix two failing tests.Rob Crittenden2010-10-221-0/+9
| | | | | | The first test is a mismatch in the sample output of an exception. The second test adds certificate information output to the service plugin.
* Add flag to group-find to only search on private groups.Pavel Zuna2010-10-202-4/+82
| | | | ticket #251
* Fix _merge_from_file testRob Crittenden2010-10-181-1/+1
|
* Accept an incoming certificate as either DER or base64 in the service plugin.Rob Crittenden2010-10-081-5/+8
| | | | | | | | | | | | | The plugin required a base64-encoded certificate and always decoded it before processing. This doesn't work with the UI because the json module decodes binary values already. Try to detect if the incoming value is base64-encoded and decode if necessary. Finally, try to pull the cert apart to validate it. This will tell us for sure that the data is a certificate, regardless of the format it came in as. ticket 348
* If an HBAC category is 'all' don't allow individual objects to be added.Rob Crittenden2010-10-081-2/+73
| | | | | | | | Basically, make 'all' mutually exclusive. This makes debugging lots easier. If say usercat='all' there is no point adding specific users to the rule because it will always apply to everyone. ticket 164
* Rename user-lock and user-unlock to user-enable user-disable.Pavel Zuna2010-10-061-6/+6
| | | | Ticket #165
* Added modifications to the sudorule plugin to reflect the schema update.Jr Aquino2010-10-051-35/+77
|
* Fix a couple of test cases broken by the POSIX group change.Rob Crittenden2010-10-042-2/+4
| | | | They were made as non-POSIX originally, keep them that way.