| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
| |
To DNS record adder dialog were added a_extra_create_reverse and aaaa_extra_create_reverse options.
It's UI part of #2009.
https://fedorahosted.org/freeipa/ticket/2349
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New attributes were added to DNS zone details facet.
Attributes:
idnsallowquery
idnsallowtransfer
idnsforwarders
idnsforwardpolicy
idnsallowsyncptr
New network address validator created for idnsallowquery and idnsallowtransfer attributes.
Network address validator also added to dnszone adder dialog - from_ip field.
https://fedorahosted.org/freeipa/ticket/2351
|
| |
|
|
|
|
|
|
|
|
| |
Problem:
UI doesn't have a control for selecting one or none value from given set of values.
Solution:
Attribute mutex was added to checkboxes_widget. When it is set, checking some value causes that all other values are unchecked.
https://fedorahosted.org/freeipa/ticket/2351
|
| |
|
|
| |
Tickets: #2349 #2350 #2351 #2367
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Adjust URL's
- rename /ipa/login -> /ipa/session/login_kerberos
- add /ipa/session/login_password
* Adjust Kerberos protection on URL's in ipa.conf
* Bump VERSION in httpd ipa.conf to pick up session changes.
* Adjust login URL in ipa.js
* Add InvalidSessionPassword to errors.py
* Rename krblogin class to login_kerberos for consistency with
new login_password class
* Implement login_password.kinit() method which invokes
/usr/bin/kinit as a subprocess
* Add login_password class for WSGI dispatch, accepts POST
application/x-www-form-urlencoded user & password
parameters. We form the Kerberos principal from the server's
realm.
* Add function krb5_unparse_ccache()
* Refactor code to share common code
* Clean up use of ccache names, be consistent
* Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file()
with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache().
bind_ipa_ccache() now sets environment KRB5CCNAME variable.
release_ipa_ccache() now clears environment KRB5CCNAME variable.
* ccache names should now support any ccache storage scheme,
not just FILE based ccaches
* Add utilies to return HTTP status from wsgi handlers,
use constants for HTTP status code for consistency.
Use utilies for returning from wsgi handlers rather than
duplicated code.
* Add KerberosSession.finalize_kerberos_acquisition() method
so different login handlers can share common code.
* add Requires: krb5-workstation to server (server now calls kinit)
* Fix test_rpcserver.py to use new dispatch inside route() method
https://fedorahosted.org/freeipa/ticket/2095
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Increase the session ID from 48 random bits to 128.
* Implement the sesison_logout RPC command. It permits the UI to send
a command that destroys the users credentials in the current
session.
* Restores the original web URL's and their authentication
protections. Adds a new URL for sessions /ipa/session/json. Restores
the original Kerberos auth which was for /ipa and everything
below. New /ipa/session/json URL is treated as an exception and
turns all authenticaion off. Similar to how /ipa/ui is handled.
* Refactor the RPC handlers in rpcserver.py such that there is one
handler per URL, specifically one handler per RPC and AuthMechanism
combination.
* Reworked how the URL names are used to map a URL to a
handler. Previously it only permitted one level in the URL path
hierarchy. We now dispatch on more that one URL path component.
* Renames the api.Backend.session object to wsgi_dispatch. The use of
the name session was historical and is now confusing since we've
implemented sessions in a different location than the
api.Backend.session object, which is really a WSGI dispatcher, hence
the new name wsgi_dispatch.
* Bullet-proof the setting of the KRB5CCNAME environment
variable. ldap2.connect already sets it via the create_context()
call but just in case that's not called or not called early enough
(we now have other things besides ldap which need the ccache) we
explicitly set it early as soon as we know it.
* Rework how we test for credential validity and expiration. The
previous code did not work with s4u2proxy because it assumed the
existance of a TGT. Now we first try ldap credentials and if we
can't find those fallback to the TGT. This logic was moved to the
KRB5_CCache object, it's an imperfect location for it but it's the
only location that makes sense at the moment given some of the
current code limitations. The new methods are KRB5_CCache.valid()
and KRB5_CCache.endtime().
* Add two new classes to session.py AuthManager and
SessionAuthManager. Their purpose is to emit authication events to
interested listeners. At the moment the logout event is the only
event, but the framework should support other events as they arise.
* Add BuildRequires python-memcached to freeipa.spec.in
* Removed the marshaled_dispatch method, it was cruft, no longer
referenced.
https://fedorahosted.org/freeipa/ticket/2362
|
| |
|
|
|
|
|
|
|
|
| |
Missing options were added to Web UI's IPA Server/Configuration page.
* ipaconfigstring
* ipaselinuxusermaporder
* ipaselinuxusermapdefault
https://fedorahosted.org/freeipa/ticket/2285
https://fedorahosted.org/freeipa/ticket/2400
|
| |
|
|
|
|
| |
Attribute table was modified to skip creation of option for empty value.
https://fedorahosted.org/freeipa/ticket/2291
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Address column in A, AAAA DNS records was exented of redirection capabilities.
Redirection dialog is shown after a click on a value.
Dialog does following steps:
1) fetch all dns zones
2) find most accurate reverse zone for IP address
2 -fail) show error message, stop
3) checks if target record exists in the zone
3 -fail) show 'dns record create link', stop
4) redirects
Click on 'dns record create link':
1) creates record
1 -fail) show error, stop
2) redirects
https://fedorahosted.org/freeipa/ticket/1975
|
| |
|
|
|
|
|
|
| |
To user and host details pages was added ipasshpubkey attribute.
New widget for ssh public keys was created.
https://fedorahosted.org/freeipa/ticket/2340
|
| |
|
|
|
|
|
| |
In user group adder dialog, the "Is this a POSIX group?" was replaced with "POSIX group".
In host search facet, the "Enrolled?" was replaced with "Enrolled".
https://fedorahosted.org/freeipa/ticket/2353
|
| |
|
|
|
|
|
|
|
|
| |
Problem:
Entity link (eg: to hosts in dns record or to dns record in host) is not changing its state when linked record doesn't exist. The link can remain wrongly enabled from previous state.
Fixed:
The link is disabled when target doesn't exist.
https://fedorahosted.org/freeipa/ticket/2364
|
| |
|
|
|
|
|
|
|
|
| |
The patch fixes a problem in error_handler_login() when it gets
an error other than 401.
The login_url is not needed for fixtures because it does not need
authentication.
The patch also fixes jslint warnings and formatting issues.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:
* Add a session manager to support cookie based sessions which
stores session data in a memcached entry.
* Add ipalib/krb_utils.py which contains functions to parse ccache
names, format principals, format KRB timestamps, and a KRB_CCache
class which reads ccache entry and allows one to extract information
such as the principal, credentials, credential timestamps, etc.
* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
that all kerberos items are co-located.
* Modify javascript in ipa.js so that the IPA.command() RPC call
checks for authentication needed error response and if it receives
it sends a GET request to /ipa/login URL to refresh credentials.
* Add session_auth_duration config item to constants.py, used to
configure how long a session remains valid.
* Add parse_time_duration utility to ipalib/util.py. Used to parse the
session_auth_duration config item.
* Update the default.conf.5 man page to document session_auth_duration
config item (also added documentation for log_manager config items
which had been inadvertantly omitted from a previous commit).
* Add SessionError object to ipalib/errors.py
* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
/ipa/login
* Add SessionCCache class to session.py to manage temporary Kerberos
ccache file in effect for the duration of an RPC command.
* Adds a krblogin plugin used to implement the /ipa/login
handler. login handler sets the session expiration time, currently
60 minutes or the expiration of the TGT, whichever is shorter. It
also copies the ccache provied by mod_auth_kerb into the session
data. The json handler will later extract and validate the ccache
belonging to the session.
* Refactored the WSGI handlers so that json and xlmrpc could have
independent behavior, this also moves where create and destroy
context occurs, now done in the individual handler rather than the
parent class.
* The json handler now looks up the session data, validates the ccache
bound to the session, if it's expired replies with authenicated
needed error.
* Add documentation to session.py. Fully documents the entire process,
got questions, read the doc.
* Add exclusions to make-lint as needed.
|
| |
|
|
|
|
|
| |
Hard-coded labels in Automember UI have been moved into internal.py to
allow translation.
https://fedorahosted.org/freeipa/ticket/2195
|
| |
|
|
|
|
|
|
| |
In this patch was implemented and added a control for defining default automember groups.
There is a difference from UXD spec. In the spec the control was placed below table in the search facet. This was not working well with the combobox in the control. Open combobox requires some space below it. As it was placed at the bottom of the page it created unwanted blank space and forced showing scrollbars. Moving the control above the table solves the problem without rewriting combobox logic. It can be rewritten and moved down later.
https://fedorahosted.org/freeipa/ticket/2195
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New UI for automember.
Implemented:
* search facet core
* rule details facet
* attribute_table_widget - new base class for tables which contains multivalued attribute with special add/remove commands
* adding/removing conditions in details facet
TODO:
* label translations
* UI for defining default rules
https://fedorahosted.org/freeipa/ticket/2195
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In current implementation target facet of navigation(from menu) and redirection is always one exact facet per entity. There isn't a way to navigate to different facet from menu or redirect to different facets from various facets.
This patch adds:
* possibility to define menu items which can navigate to different facets of various entities. This also means that now current menu tree can contain leafs with the same entity.
* possibility to define redirection target per facet - it is needed to keep breadcrumb navigation consistent with various navigation tree patch leading to same entity leafs.
This functionality is needed for Automember UI. Automember UI is designed as if it was for two entities but it is in fact only one.
https://fedorahosted.org/freeipa/ticket/2195
|
| |
|
|
|
|
|
|
|
|
|
| |
The user details page was modified to show the password expiration
date next to the existing password field.
Fixed problem resetting password in self-service mode. The JSON
interface for the passwd command requires the username to be
specified although the equivalent CLI command doesn't require it.
Ticket #2064
|
| |
|
|
|
|
|
| |
The textareas used to display certificates were modified to use
fixed font.
Ticket #2017
|
| |
|
|
|
|
|
| |
Users do not have add/delete permission in self-service mode, so
the search facet was modified to hide the Add/Delete buttons.
Ticket #2188
|
| |
|
|
|
|
|
|
|
|
|
| |
The status formatter was modified to show enabled/disabled icon
before the status text.
The format classes were renamed to formatter to avoid confusion
with the format() method. A new parameter 'type' was added to the
formatter to determine the output type (e.g. text/html).
Ticket #1996
|
| |
|
|
|
|
|
| |
The host managed-by adder dialog has been fixed to use the new
--not-man-hosts option to filter out hosts that are already added.
Ticket #1675
|
| |
|
|
|
|
|
|
| |
Paging in DNS record search facet was disabled because there was a mismatch between primary keys sent by server and values displayed in the facet.
The facet was modified to enable paging. To preserve amount of information which was displayed before, current rows have variable height - they can contain more that one line depending on number of values in the record. Each record has a checkbox and indsname in its first line to distinguish one record from others. Because there is only one checkbox for record, delete command is called with --rem-all option which causes that entire record is removed. Individual values can be deleted in record's details facet.
https://fedorahosted.org/freeipa/ticket/2094
|
| |
|
|
|
|
| |
DNS UI was modified to offer structured way of defining DNS records.
https://fedorahosted.org/freeipa/ticket/2208
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Web UI is caching records. Currently only possible ways how to display updated record which was changed elsewhere - ie. in CLI are:
* refresh page in browser (takes really long on slow vpns)
* search facet: change filter, find, change filter back, find
* entity details: go to search, select other entry, go back to search, select original entry
* association facet: same as entity details
These are unconvenient methods.
This patch adds Refresh button to search, details and association facet. This button executes facets refresh method.
https://fedorahosted.org/freeipa/ticket/2051
|
| |
|
|
|
|
|
|
|
| |
This patch modifies the status attributes in users, DNS zones,
HBAC/sudo rules, HBAC test, and SELinux User Map to use the same
label (i.e. Status) and values (i.e. Enabled/Disabled). The method
to change the status will be modified separately.
Ticket #2247
|
| |
|
|
|
|
|
|
| |
The users, HBAC/sudo rules, HBAC test, and SELinux list pages have
been modified to show disabled entries in gray. Icons will be added
separately.
Ticket #1996
|
| |
|
|
|
|
|
|
|
|
|
| |
The automount keys search facet has been modified to support paging.
Since the automountkey-find command doesn't support --pkey-only
option, the facet is configured such that during a refresh operation
it will retrieve all entries (including the key and info attributes)
and then display only the ones that are supposed to be visible in
the current page.
Ticket #2093
|
| |
|
|
|
|
| |
This patch adds UI for SELinux user mapping. Its design is based on HBAC Rule design.
https://fedorahosted.org/freeipa/ticket/2145
|
| |
|
|
|
|
|
|
| |
Paging has been enabled on self-service permissions and delegations
list pages. The search facet's get_pkeys() has been fixed to handle
non-array value. New test data files have been added as well.
Ticket #2092
|
| |
|
|
|
|
|
|
|
| |
Due to a recent change the deleting automount keys and DNS records no
longer worked. The functions that are supposed to get the selected
values has been fixed to use the correct names and element type. They
also have been converted into methods of the search facets.
Ticket #2256
|
| |
|
|
|
|
|
|
|
|
| |
The certificate request dialog box has been modified to show
the OpenSSL commands for generating a CSR.
The realm and entry names in the test data have been fixed to
be more consistent.
Ticket #1012
|
| |
|
|
|
|
|
|
|
| |
Also fixed minor issues reagarding IP addresses or multivalued field:
- removed unnecessary method overrides from multivalued_field
- fixed extract_child_value method in multivalued_widget to return '' instead of empty arrays when value array is empty
- net.js - changed method name and error message from 'trailing zeros' to 'leading zeros'
https://fedorahosted.org/freeipa/ticket/1466
|
| |
|
|
|
|
| |
The attribute was added to adder dialog and details facet. It uses entity select (group) widget.
https://fedorahosted.org/freeipa/ticket/2101
|
| |
|
|
|
|
|
|
| |
The user details facet has been modified to load the user data,
password policy and Kerberos ticket policy in a single batch
command.
Ticket #703
|
| |
|
|
|
|
|
|
| |
The user details page has been modified to show the password policy
and Kerberos ticket policy that apply to the user. The policies are
currently displayed as read-only.
Ticket #703
|
| |
|
|
|
|
|
|
| |
The user search facet has been modified to show the account status.
The IPA.boolean_format has been converted into a class to allow
behavior customization.
Ticket #1996
|
| |
|
|
|
|
| |
IPv6 parsing was incorrectly evaluating ':' as a valid IPv6 address.
https://fedorahosted.org/freeipa/ticket/1466
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1466
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1466
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Current validation logic supports only validation based on metadata. It can be extended only by overriding field's validation method. This approach requires creating subclasses of field for each different format of desired value. It's inconvenient for cases like adding the same validation logic to two different subclasses of field.
This patch is adding support for creating custom validators.
Validator is an object which contains validation logic. Validation is executed in a validate(value, context) method. This method checks if the value is valid and returns a validation result. Validation result is a simple object which contains valid property and an error message if valid is false.
Field is extended by validators property. It can be set in spec object or later. It should contain instances of validators for the field. Validators are run in field's validation method.
This patch is a prerequisite for:
https://fedorahosted.org/freeipa/ticket/1466
|
| |
|
|
|
|
|
|
|
|
| |
The JSON server has been modified to return the version number
in all responses. The UI has been modified to keep the version
obtained during env operation and check the version returned
in subsequent operations. If the version changes the UI will
reload itself.
Ticket #946
|
| |
|
|
|
|
|
|
|
|
| |
The JSON server has been modified to return the principal name
in all responses. The UI has been modified to keep the principal
obtained during whoami operation and check the principal returned
in subsequent operations. If the principal changes the UI will
reload itself.
Ticket #1400
|
| |
|
|
|
|
|
|
|
| |
Added support of parsing and validation of IPv4 and IPv6 addresses.
Class IP.address can also create reverse address from any valid IPv4 or IPv6 address.
This functionality is needed for tickets:
https://fedorahosted.org/freeipa/ticket/1466
https://fedorahosted.org/freeipa/ticket/1975
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The IPA.get_entity() has been modified to accept either entity name
or entity object. If it receives an entity object it will return
the object itself. Otherwise, it will resolve the name in the entity
registry.
The other_entity variables have been modified to store a reference
to the entity object instead of its name. The test cases have been
modified to use real entity objects instead of just the names.
Ticket #2042
|
| |
|
|
|
|
| |
Fixed regression in labels introduced by refactoring #1515.
https://fedorahosted.org/freeipa/ticket/1515
|
| |
|
|
|
|
|
|
| |
Columns can have width set or not. Without setting the width it was computed based on tbody width and number of columns. This method is working well if no column has width set. The disadvantage of this approach is that all columns have the same width and so they are not reflecting their possible usage. Flag columns such as 'external' in rule association tables or various 'enable' flags in search facets can be narrower. If we set them fixed small width it will have different size because this width is not currently added to the computation.
This is fixing this problem so dynamic and fixed width can be combined and the columns have desired width.
https://fedorahosted.org/freeipa/ticket/2200
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem:
Rule association widget was displaying standard records with external records in one table. User couldn't distinguish the values. When clicking on the external record link it navigated to appropriate page for that entity. But for external value there is no record to show so it displayed error.
Solution:
* For tables with possible external values a 'external' column was added. It displays "True" if the value is external and nothing if not. Displaying nothing is intentional. If user sees some text in external column he imidiately knows that the record is external without even reading the "True" text.
* Rows with external values don't have a link for navigating to record page. This prevents showing the error as no record exists.
Additional changes:
* Association table widget was stripped of get_records method. Loading records isn't its resposibility it's a resposibility of field.
* Column was extended by possible suppressing of link creation. It's done by optional suppress_link argument in setup method.
* To allow setting suppress_link attribute in inherited tables a new overridable method was created - setup_column.
Posible future improvements:
* Table is using dynamic setting of width for columns. Each column has the same width. For flag columns such as 'external' the width of the column is too big. It would be better to be able to set smaller fixed width and the rest of the columns width (without the width set) would be computed (to fit the table).
* When a table has displayed buttons in its last column header the cells in column header have different vertical alignmnent. It should be united.
https://fedorahosted.org/freeipa/ticket/1993
|
| |
|
|
|
|
| |
It's a fix for regression introduced by widget refactoring #2040.
https://fedorahosted.org/freeipa/ticket/2040
|
