| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
A recent patch changed the error message from the hostname
validator. Update the tests to reflect this change.
|
| |
|
|
|
|
|
|
| |
This reverts commit 1356988b7a40a60af39807db143860efb4a2f435.
We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
|
| |
|
|
|
|
|
|
| |
This reverts commit a58cbb985ec007c0ef83010b32408efb2f4784d2.
We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
|
| |
|
|
|
|
|
| |
Test that `pwpolicy_find --pkey-only` works as expected
Test that deleting a group removes its password policy
Rename the test module to be consistent with other plugin tests.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need to inform users when a forms-based login fails due to the
password needing to be reset. Currently there is no way to distinguish
a reset case vs an incorrect password.
This will bind the user using a simple LDAP bind over ldapi (by default)
and if that is successful, check the expiration date against the current
time.
The UI portion of this that uses this message will come later.
https://fedorahosted.org/freeipa/ticket/2608
|
| |
|
|
|
| |
Amend unit tests to match the latest changes in DNS (tickets 2627,
2628) and hardened exception error message checks.
|
| |
|
|
|
|
|
|
|
|
| |
dnsrecord_add interactive mode did not work correctly when more
than one DNS record part was entered as command line option. It
asked for remaining options more than once. This patch fixes
this situation and also adds tests to cover this use case
properly.
https://fedorahosted.org/freeipa/ticket/2641
|
| |
|
|
|
|
|
| |
The update was failing because of the case insensitivity of permission
object DN. Unit-tests added.
https://fedorahosted.org/freeipa/ticket/2571
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Have the test suite check error messages.
Since XMLRPC doesn't give us structured error information, just
compare the resulting text.
Fix messages that tests expect to cause.
Minor changes:
Make netgroup-mod's NotFound message consistent with other objects
and methods.
In test_automember_plugin, test with nonexistent automember rules
of both types, instead of nonexistent users.
https://fedorahosted.org/freeipa/ticket/2549
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We use custom gettext classes (e.g. GettextFactory &
NGettextFactory). We should exercise those classes with an installed
binary mo file to demonstrate we are actually returning the expected
translated strings for all strings defined as being translatable.
The test logic in install/po/test_i18n.py was recently enhanced to
make this type of testing easier and more complete.
tests/test_ipalib/test_text.py should import the new i18n test support
and run it.
Previously tests/test_ipalib/test_text.py made a feeble but incomplete
attempt to do the above but even that was often not run because the
test would skip because the necessary test files were not available
unless they had been manually created in the install/po subdir. It is
now possible to correct those deficiencies in the test.
This patch does the following:
* Moves the location of i18n test code and adjust references to it.
install/po/test_i18n.py was moved to tests/i18n.py. This permits
tests/test_ipalib/test_text.py to import the i18n test utilities
in a clean fashion. The Makefile in install/po now calls this
same file.
* Modfies test function in test_i18n.py to accept function pointers
for retreiving a translation.
* Imports test_i18n.py from the install/po directory in the tree
* Creates a tmp directory for the test localedir
* Parses the current ipa.pot file in install/po and generates
a test po and mo file with special unicode markers. It installs
the test mo file in the tmp localedir. This is accomplished by
calling create_po() from the test_i18n.py file.
* If any of the above does not work it raises nose.SkipTest with
the reason, and skips the test.
* It sets up functions to get a translation and a plural translation
via our text.GettextFactory class and text.NGettextFactory class
respectively. This are the functions we use intenally to get
translations. It set the localdir and lang which are used by those
classes to match our test configuration. It then runs a validation
test on every translation and it's plural found in the test.po file
by calling po_file_iterate and passed it the function pointers to
our internal routines.
* At the conclusion of the test it cleans up after itself.
Note: extraneous files are not created in the tree, only a tmp
directory is utilized.
Validating msgid's in C code was insufficient.
* Make the discovery of format conversions much more robust by authoring
a new function parse_printf_fmt() that is able to discover each
format conversion in a string and break it into it's individual
subparts. One of those subparts is the argument selector index. In c
code we need to know if the argumenet selector index is present to
know if translator can reorder the substitution strings.
This replaces the simplistic python_anonymous_substitutions_regexp
which was insufficient to deal with other programming languages
(e.g. c).
* Add get_prog_langs() function to return the set of programming
languages a msgid appears in. This is necessar because the msdid
validation is programming language specific.
https://fedorahosted.org/freeipa/ticket/2582
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Attribute Patrams marked no_update never get cloned to Update commands,
and thus never receive the `attribute` flag. This makes their `encode`
method a no-op, which meant they don't get properly encoded when used
with --setattr, making the --setattr fail.
Introduce a `force` argument to encode, which overrides checking
for the attribute flag. Use this in set/add/delattr normalization,
where we know we are dealing with attributes.
https://fedorahosted.org/freeipa/ticket/2616
|
| |
|
|
|
|
|
|
| |
The DN and ACI code doesn't always escape special characters properly.
Rather than trying to fix it, this patch takes the easy way out and
enforces that the names are safe.
https://fedorahosted.org/freeipa/ticket/2585
|
| |
|
|
| |
ticket 2587
|
| |
|
|
|
|
|
| |
Added 'fallback' into the labels for default automember group and
hostgroup.
https://fedorahosted.org/freeipa/ticket/2354
|
| |
|
|
|
|
| |
--noprivate.
ticket 2572
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
--addattr & friends that modified attributes known to Python sometimes
used converted and validated Python values instead of LDAP strings.
This caused a problem for --delattr, which searched for a converted
integer in a list of raw strings (ticket 2407).
With this patch we work on raw strings, converting only when done.
Deferring validation ensures the end result is valid, so proper errors
are raised instead of failing later (ticket 2405).
Tests included.
Replaces previous fix for:
https://fedorahosted.org/freeipa/ticket/2418
Fixes:
https://fedorahosted.org/freeipa/ticket/2405
https://fedorahosted.org/freeipa/ticket/2407
https://fedorahosted.org/freeipa/ticket/2408
|
| |
|
|
|
|
|
|
|
| |
This adds tests for the batch plugin, and changes its output
declaration to allow results as tuples (this tripped validation).
The assert_deepequal function ignores the order of items in lists.
Document this in its docstring, and use a custom checker for the
batch plugin results.
|
| |
|
|
|
|
|
|
|
|
|
| |
Two test methods in test_rpcserver had the same name; the first didn't get
to run.
Another duplicate pair was in test_hbac_plugin with the same name; the ignored
test had small error in it.
check_TypeError used a wrong constant name
An error reporting function in test.util used uninitialized argument names.
This patch fixes these problems.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, each DNS test case first checks if DNS is configured
by creating and deleting a test zone. This takes quite a lot of time.
This patch moves the check to the setUpClass method, so the check is
only done once for all the tests.
Similarly, if the server is not available, entire XMLRPC test classes
are now skipped.
Additionally, CLItests that hit the server are skipped if the server
isn't available.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.
https://fedorahosted.org/freeipa/ticket/2448
'add_external_pre_callback' function was created to allow validation of
all external members. Validation is based on usage of objects primary
key parameter. The 'add_external_pre_callback' fucntion has to be called
directly from in the 'pre_callback' function. This change affects
netgroup, hbacrule and sudorule commands.
For hostname, the validator allows non-fqdn and underscore characters.
validate_hostname function in ipalib.util was modified and contains
additional option that allows hostname to contain underscore characters.
This option is disabled by default.
Unit-tests added.
https://fedorahosted.org/freeipa/ticket/2447
|
| |
|
|
|
|
|
| |
These test that command lines are parsed to correct Command arguments.
Includes some tests for interactive prompts.
To make this possible cli.run is broken up into several pieces.
|
| |
|
|
|
|
|
|
|
| |
Replace all occurences of create_default with equivalent default_from
and remove create_default from the framework. This is needed for
proper parameter validation, as there is no way to tell which
parameters to validate prior to calling create_default, because
create_default does not provide information about which parameters are
used for generating the default value.
|
| |
|
|
| |
ticket 2521
|
| |
|
|
|
|
| |
If a zone index is present in an IPv6 address, it is ignored.
ticket 2138
|
| |
|
|
|
|
|
|
|
|
|
| |
Some of our tests used unintended extra options, or options with
misspelled, wrongly copy-pasted or otherwise bad names. These are
ignored, so the intended argument was treated as missing. The test
itself can still pass but may be rendered ineffective or fragile.
This only fixes those of such errors that appear in the test suite.
Fixing code in the framework and actual rejecting of unknown
arguments is deferred for later (ticket #2509).
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There were cases where DNS plugin was too tolerant in a raw DNS
record option (--<rrtype-rec) processing. It let people specify
DNS record parts options in dnsrecord-mod operations for some
record without specifying the record that should be updated. It
also ignored DNS record parts in dnsrecord-add operation when the
raw DNS record value was already set via --<rrtype>-rec option.
This patch hardens the processing and returns error in both
described cases to make the processes clearer and more robust.
All these use cases were also covered by new unit tests.
https://fedorahosted.org/freeipa/ticket/2551
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
DNS plugin contains several RR type record validators run in
pre_callback which cannot be used as standard param validator
as it needs more data and resources that standard validators
provide. However, the precallback validators are not run for
DNS records created by new structured options and thus an invalid
value may slip in.
This patch moves the execution of these precallback validators
_after_ the processing of structured DNS options. It also cleans
them up a little and makes them more robust.
https://fedorahosted.org/freeipa/ticket/2550
|
| |
|
|
|
|
|
|
|
|
| |
get_allowed_attributes function was improved to look for allowed
attributes also in the superior objectclasses of specified objectclass.
This fixes the regression caused by patch for ticket #2293. Test-case
for unit-test was also created.
https://fedorahosted.org/freeipa/ticket/2293
|
| |
|
|
| |
Validation is going to catch the invalid hostname before the mod is tried.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Splitting on commas is not an idempotent operation:
'a,b\,c' -> ('a', 'b,c') -> ('a', 'b', 'c')
That means we can't do it when the call is forwarded, so this is only
done on the CLI. The UI already sends values as a tuple.
Replace escaping in the csv parser with quoting. Quoted strings can have
embedded commas instead of having to escape them. This prevents the csv
parser from eating all escape characters.
Also, document Param's csv arguments, and update tests.
https://fedorahosted.org/freeipa/ticket/2417
https://fedorahosted.org/freeipa/ticket/2227
|
| |
|
|
|
|
|
|
|
|
|
| |
Add a support for new global options in bind-dyndb-ldap, that is:
* idnsforwardpolicy: Default policy for conditional forwarding
* idnsallowsyncptr: Allow globaly PTR synchronization for dynamic
updates
* idnszonerefresh: Default interval between regular polls of the
name server for new DNS zones
https://fedorahosted.org/freeipa/ticket/2439
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some of our tests checked for exceptions using an error-prone
try block: they allowed the expected exception to pass, but sometimes
forgot an else block, so the test passed when an exception wasn't
thrown.
This changes the tests to use the appropriate nose tools (raises,
assert_raises).
For consistency, tests that had a correct else block are also changed.
Also fix some test problems that were hidden by the above:
- in some sudorule and HBAC tests, change the *_add_user argument name
from `users` to `user`
- don't remove HBAC testing data while it was still used
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/2487
|
| |
|
|
|
| |
The ipausers group is no longer a POSIX group by default.
Reflect that in the tests.
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1991
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Empty sequences (and sequences of empty strings) are normalized
to None, but the member filter code expected a list.
This patch extends a test for missing options to also catch
false values.
The functional change is from `if param_name in options:` to
`if options.get(param_name):`; the rest of the patch is code
de-duplication and tests.
These are CSV params with csv_skipspace set, so on the CLI, empty
set is given as a string with just spaces and commas (including
the empty string).
https://fedorahosted.org/freeipa/ticket/2479
|
| |
|
|
|
|
|
|
|
| |
Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.
https://fedorahosted.org/freeipa/ticket/2483
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.
The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.
https://fedorahosted.org/freeipa/ticket/1314
|
| | |
|
| |
|
|
|
|
| |
HTTP_Status needs to subclass from Plugin because it does its own logging.
Add tests for other methods of HTTP_Status
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There may be cases, for whatever reason, that an otherwise illegal
entry gets created that doesn't match the criteria for a valid
user/host/group name. If this happens (i.e. migration) there is no way
to remove this using the IPA tools because we always applied the name
pattern. So you can't, for example, delete a user with an illegal name.
Primary keys are cloned with query=True in PKQuery which causes no
rules to be applied on mod/show/find. This reverts a change from commit
3a5e26a0 which applies class rules when query=True (for enforcing no
white space).
Replace rdnattr with rdn_is_primary_key. This was meant to tell us when
an RDN change was necessary to do a rename. There could be a disconnect
where the rdnattr wasn't the primary key and in that case we don't
need to do an RDN change, so use a boolean instead so that it is
clear that RDN == primary key.
Add a test to ensure that nowhitespace is actually enforced.
https://fedorahosted.org/freeipa/ticket/2115
Related: https://fedorahosted.org/freeipa/ticket/2089
Whitespace tickets:
https://fedorahosted.org/freeipa/ticket/1285
https://fedorahosted.org/freeipa/ticket/1286
https://fedorahosted.org/freeipa/ticket/1287
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
DNS plugin did not check DNS zone and DNS record validity and
user was thus able to create domains like "foo bar" or other
invalid DNS labels which would really confuse both user and
bind-dyndb-ldap plugin.
This patch at first consolidates hostname/domain name validators
so that they use common functions and we don't have regular
expressions and other checks defined in several places. These
new cleaned validators are then used for zone/record name
validation.
https://fedorahosted.org/freeipa/ticket/2384
|
| |
|
|
|
|
|
|
|
|
|
| |
When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified type.
In case of disallowed attributes raises the ObjectclassViolation
exception.
New tests were also added to the unit-tests.
https://fedorahosted.org/freeipa/ticket/2293
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Adjust URL's
- rename /ipa/login -> /ipa/session/login_kerberos
- add /ipa/session/login_password
* Adjust Kerberos protection on URL's in ipa.conf
* Bump VERSION in httpd ipa.conf to pick up session changes.
* Adjust login URL in ipa.js
* Add InvalidSessionPassword to errors.py
* Rename krblogin class to login_kerberos for consistency with
new login_password class
* Implement login_password.kinit() method which invokes
/usr/bin/kinit as a subprocess
* Add login_password class for WSGI dispatch, accepts POST
application/x-www-form-urlencoded user & password
parameters. We form the Kerberos principal from the server's
realm.
* Add function krb5_unparse_ccache()
* Refactor code to share common code
* Clean up use of ccache names, be consistent
* Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file()
with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache().
bind_ipa_ccache() now sets environment KRB5CCNAME variable.
release_ipa_ccache() now clears environment KRB5CCNAME variable.
* ccache names should now support any ccache storage scheme,
not just FILE based ccaches
* Add utilies to return HTTP status from wsgi handlers,
use constants for HTTP status code for consistency.
Use utilies for returning from wsgi handlers rather than
duplicated code.
* Add KerberosSession.finalize_kerberos_acquisition() method
so different login handlers can share common code.
* add Requires: krb5-workstation to server (server now calls kinit)
* Fix test_rpcserver.py to use new dispatch inside route() method
https://fedorahosted.org/freeipa/ticket/2095
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Increase the session ID from 48 random bits to 128.
* Implement the sesison_logout RPC command. It permits the UI to send
a command that destroys the users credentials in the current
session.
* Restores the original web URL's and their authentication
protections. Adds a new URL for sessions /ipa/session/json. Restores
the original Kerberos auth which was for /ipa and everything
below. New /ipa/session/json URL is treated as an exception and
turns all authenticaion off. Similar to how /ipa/ui is handled.
* Refactor the RPC handlers in rpcserver.py such that there is one
handler per URL, specifically one handler per RPC and AuthMechanism
combination.
* Reworked how the URL names are used to map a URL to a
handler. Previously it only permitted one level in the URL path
hierarchy. We now dispatch on more that one URL path component.
* Renames the api.Backend.session object to wsgi_dispatch. The use of
the name session was historical and is now confusing since we've
implemented sessions in a different location than the
api.Backend.session object, which is really a WSGI dispatcher, hence
the new name wsgi_dispatch.
* Bullet-proof the setting of the KRB5CCNAME environment
variable. ldap2.connect already sets it via the create_context()
call but just in case that's not called or not called early enough
(we now have other things besides ldap which need the ccache) we
explicitly set it early as soon as we know it.
* Rework how we test for credential validity and expiration. The
previous code did not work with s4u2proxy because it assumed the
existance of a TGT. Now we first try ldap credentials and if we
can't find those fallback to the TGT. This logic was moved to the
KRB5_CCache object, it's an imperfect location for it but it's the
only location that makes sense at the moment given some of the
current code limitations. The new methods are KRB5_CCache.valid()
and KRB5_CCache.endtime().
* Add two new classes to session.py AuthManager and
SessionAuthManager. Their purpose is to emit authication events to
interested listeners. At the moment the logout event is the only
event, but the framework should support other events as they arise.
* Add BuildRequires python-memcached to freeipa.spec.in
* Removed the marshaled_dispatch method, it was cruft, no longer
referenced.
https://fedorahosted.org/freeipa/ticket/2362
|
| |
|
|
|
|
| |
Apply this to hostgroup names as well since they can be linked.
https://fedorahosted.org/freeipa/ticket/2221
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adding reverse DNS record may be a time consuming task, especially
for IPv6 addresses. Having a way to automatically create a reverse
record when a forward record is created could speed up the process.
host-add command already has this possibility.
This patch takes advantage of the new per-type API and adds new
options for A/AAAA record types: --a-create-reverse and
--aaaa-create-reverse. These commands can be used to automatically
create reverse records for new A/AAAA addresses (both forward
and reverse zones need to be managed by FreeIPA server):
ipa dnsrecord-add example.com foo --a-rec=10.0.0.1 --a-create-reverse
This command would add a new A record to record foo in zone
example.com and a PTR record to appropriate reverse zone for
IP address 10.0.0.1 (for example PTR record 1 in zone
0.0.10.in-addr.arpa. pointing to foo.example.com.).
Few modification were done to new DNS API to support this feature:
- Refactor --ip-address option handling from host-add and place it
to dns.py to be used by both modules
- Add support for "extra" per-type options
- Hide DNS record part options in dnsrecord_find command as they
have no effect for this command
https://fedorahosted.org/freeipa/ticket/2009
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provide a way to specify BIND allow-query and allow-transfer ACLs
for DNS zones.
IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To
avoid zone information leaks to unintended places, allow-transfer
ACL for every zone is by default set to none and has to be
explicitly enabled by an Administrator. This is done both for new
DNS zones and old DNS zones during RPM update via new DNS upgrade
plugin.
https://fedorahosted.org/freeipa/ticket/1211
|
