| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA has some unused code from abandoned features (Radius, ipa 1.x user
input, commant-line tab completion), as well as some duplicate utilities.
This patch cleans up the utility modules.
Duplicate code consolidated into ipapython.ipautil:
{ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix
{ipaserver,ipapython}.ipautil.CIDict
(with style improvements from the ipaserver version)
{ipapython.entity,ipaserver.ipautil}.utf8_encode_value
{ipapython.entity,ipaserver.ipautil}.utf8_encode_values
ipalib.util.get_fqdn was removed in favor of the same function in
ipaserver.install.installutils
Removed unused code:
ipalib.util:
load_plugins_in_dir
import_plugins_subpackage
make_repr (was imported but unused; also removed from tests)
ipapython.ipautil:
format_list
parse_key_value_pairs
read_pairs_file
read_items_file
user_input_plain
AttributeValueCompleter
ItemCompleter
ipaserver.ipautil:
get_gsserror (a different version exists in ipapython.ipautil)
ipaserver.ipautil ended up empty and is removed entirely.
https://fedorahosted.org/freeipa/ticket/2650
|
|
|
|
|
|
|
|
|
|
| |
Password policies are sorted by priority. When paging is enabled, table facet uses pwpolicy-find --pkey-only to get all pwpolicies keys. Those keys are sorted on server by priority but table facet sorts them again. This breaks the priority sorting.
This patch disables the paging in passord policy serch page so the keys are sorted by priority.
TODO: we should inspect sorting in table facet more deeply and disable it if it don't break anything.
https://fedorahosted.org/freeipa/ticket/2676
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add bootstrap-autogen depdenency to lint target to force
generated files to be created.
* Add validate-src-strings to lint rules
* Add validate-src-strings as dependency to lint targett
* Remove obsolete test_lang frm test target
* Add diagnostic message to validation command in i18n.py
that outputs how many objects were scanned. Formerly it only
output a message if there were errors. This made it impossible to
distinguish an empty file from one with no errors.
* While adding the validation counts it was discovered plurals had
been omitted for some of the validation checks. Added the missing
checks for plural forms.
* Also distinguished between errors and warnings. Permit warnings to
be emitted but do not fail the validatition unless actual errors
were also detected.
|
| |
|
|
|
|
| |
corresponding to computers with fqdn and macAddress attributes
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2569
|
|
|
|
|
|
|
|
|
|
| |
Permission field is missing in delegation so it can't be set/modified.
It was added to delegation details facet and adder dialog.
The field is using checkboxes instead of multivalued textbox because it can have only two effective values: 'read' and 'write'.
https://fedorahosted.org/freeipa/ticket/2635
|
|
|
|
|
|
|
|
| |
Forms-based login procedure detects if 401 unauthorized response contains
'X-IPA-Rejection-Reason' http header with 'password-expired' value. If so
it displays an error message that user needs to reset his password.
https://fedorahosted.org/freeipa/ticket/2608
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We use custom gettext classes (e.g. GettextFactory &
NGettextFactory). We should exercise those classes with an installed
binary mo file to demonstrate we are actually returning the expected
translated strings for all strings defined as being translatable.
The test logic in install/po/test_i18n.py was recently enhanced to
make this type of testing easier and more complete.
tests/test_ipalib/test_text.py should import the new i18n test support
and run it.
Previously tests/test_ipalib/test_text.py made a feeble but incomplete
attempt to do the above but even that was often not run because the
test would skip because the necessary test files were not available
unless they had been manually created in the install/po subdir. It is
now possible to correct those deficiencies in the test.
This patch does the following:
* Moves the location of i18n test code and adjust references to it.
install/po/test_i18n.py was moved to tests/i18n.py. This permits
tests/test_ipalib/test_text.py to import the i18n test utilities
in a clean fashion. The Makefile in install/po now calls this
same file.
* Modfies test function in test_i18n.py to accept function pointers
for retreiving a translation.
* Imports test_i18n.py from the install/po directory in the tree
* Creates a tmp directory for the test localedir
* Parses the current ipa.pot file in install/po and generates
a test po and mo file with special unicode markers. It installs
the test mo file in the tmp localedir. This is accomplished by
calling create_po() from the test_i18n.py file.
* If any of the above does not work it raises nose.SkipTest with
the reason, and skips the test.
* It sets up functions to get a translation and a plural translation
via our text.GettextFactory class and text.NGettextFactory class
respectively. This are the functions we use intenally to get
translations. It set the localdir and lang which are used by those
classes to match our test configuration. It then runs a validation
test on every translation and it's plural found in the test.po file
by calling po_file_iterate and passed it the function pointers to
our internal routines.
* At the conclusion of the test it cleans up after itself.
Note: extraneous files are not created in the tree, only a tmp
directory is utilized.
Validating msgid's in C code was insufficient.
* Make the discovery of format conversions much more robust by authoring
a new function parse_printf_fmt() that is able to discover each
format conversion in a string and break it into it's individual
subparts. One of those subparts is the argument selector index. In c
code we need to know if the argumenet selector index is present to
know if translator can reorder the substitution strings.
This replaces the simplistic python_anonymous_substitutions_regexp
which was insufficient to deal with other programming languages
(e.g. c).
* Add get_prog_langs() function to return the set of programming
languages a msgid appears in. This is necessar because the msdid
validation is programming language specific.
https://fedorahosted.org/freeipa/ticket/2582
|
|
|
|
|
|
|
|
| |
certmonger now has the ability to execute a script when it renews a
certificate. This can be used to automatically restart servers so
the certificate doesn't expire in the running server.
https://fedorahosted.org/freeipa/ticket/2050
|
|
|
|
|
|
| |
Mutually exclusive checkboxes were unusual. They are not in use anymore. The functionality is removed.
https://fedorahosted.org/freeipa/ticket/2599
|
|
|
|
|
|
|
|
| |
DNS forward policy fields were using mutually exclusive checkboxes. Such behavior is unusual for users.
Checkboxes were changed to radios.
https://fedorahosted.org/freeipa/ticket/2599
|
|
|
|
|
|
|
|
| |
Permission form was missing attrs field for target=subtree. All other target types have it.
It uses multivalued text widget, same as filter, because we can't predict the target type.
https://fedorahosted.org/freeipa/ticket/2592
|
|
|
|
|
|
| |
It could lead to state where attributes from other object type were displayed instead of the correct ones.
https://fedorahosted.org/freeipa/ticket/2590
|
|
|
|
|
|
|
|
| |
This patch is changing netgroup web ui to look more like hbac or sudo rule UI. This change allows to define and display user category, host category and external host.
The core of the change is changing member attributes (user, group, host, hostgroup) to use rule_details_widget instead of separate association facets. In host case it allows to display and add external hosts.
https://fedorahosted.org/freeipa/ticket/2578
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When IPA server is configured with DNS and its hostname is not
located in a default domain, SRV records are not valid.
Additionally, httpd does not serve XMLRPC interface because it
IPA server domain-realm mapping is missing in krb5.conf. All CLI
commands were then failing.
This patch amends this configuration. It fixes SRV records in
served domain to include full FQDN instead of relative hostname
when the IPA server hostname is not located in served domain.
IPA server forward record is also placed to correct zone.
When IPA server is not in a served domain a proper domain-realm
mapping is configured to krb5.conf. The template was improved
in order to be able to hold this information.
https://fedorahosted.org/freeipa/ticket/2602
|
|
|
|
|
|
|
|
|
|
| |
We were returning '' for the first entry when hostcat and usercat were
set to all. All subsequent entries were padded with - which effectively
denied access.
This requires slapi-nis 0.40+
https://fedorahosted.org/freeipa/ticket/2192
|
|
|
|
|
|
|
|
|
|
|
|
| |
SELinux configuration for httpd instance was set for new
installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x
upgrade) missed the configuration. This lead to AVCs when httpd
tries to contact ipa_memcached and user not being able to log in.
This patch updates ipa-upgradeconfig to configure SELinux
in the same way as ipa-server-install does.
https://fedorahosted.org/freeipa/ticket/2603
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With a publicly accessible DNS tree in LDAP, anyone with an access
to the LDAP server can get all DNS data as with a zone transfer
which is already restricted with ACL. Making DNS tree not readable
to public is a common security practice and should be applied
in FreeIPA as well.
This patch adds a new deny rule to forbid access to DNS tree to
users or hosts without an appropriate permission or users which
are not members of admins group. The new permission/aci is
applied both for new installs and upgraded servers.
bind-dyndb-ldap plugin is allowed to read DNS tree without any
change because its principal is already a member of "DNS
Servers" privilege.
https://fedorahosted.org/freeipa/ticket/2569
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem:
When some facet perform action which modifies data, some other facet may become expired.
Example: User modifies group's description. Now group search facet contains old data and has to be refreshed.
Solution:
New event was added to facet: on_update. It should be executed when facet performs action which modifies data ie: details facet update or add entry to dnsrecord.
Then entity policies were introduced. Entity policies are a objects which are stored in entity.policies. They have similar function as facet_policies - performing communications and other functionality between facets. This way facets don't have to contain such logic and thus they aren't dependant on each other.
This patch adds IPA.facet_update_policy, IPA.adder_facet_update_policy, IPA.search_facet_update_policy, IPA.details_facet_update_policy.
IPA.facet_update_policy: On facets_created it bind itself to [current entity].[source facet].[event]. Default event is on_update. When the event is executed it sets expiration flag to [dest entity].[dest facet].
IPA.search_facet_update_policy: IPA.facet_update_policy where source facet = search, dest facet = details, dest entity = current entity. Its a default policy for updatein changes from search facet to details facet. Right now it isn't needed but it will be needed when action lists come to play.
IPA.details_facet_update_policy: same as IPA.search_facet_update_policy just reversed. Very important.
IPA.adder_facet_update_policy: similar functionality, just source of the event is dialog. Default event is added (new event in entity_adder_dialog).
Entity policies should be specified in entity's spec object. If none are specified a default ones are used. Default policies are: IPA.search_facet_update_policy and IPA.details_facet_update_policy.
https://fedorahosted.org/freeipa/ticket/2075
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem:
For performance reason a facet may cache the data in browser's memory. There should be a flag to indicate whether a facet has expired and should be refreshed. The expired flag could be set by these events:
1) any update operation
2) changing search filter in search facet
3) switching page in a multi-paged search/association facet
4) switching direct/indirect view in association facet
5) facet expiration time
A facet should be able to use these methods to refresh itself:
6) on demand: an expired facet should be refreshed when a user opens it.
7) automatic: an open facet should automatically refresh itself when it expires.
Solution:
This patch solves cases: #2, #3, #5, #6. Case #4 works without any change. Case #1 will be solved later. Case #7 is deffered.
Default expiration timeout was set to 10 minutes.
In this patch are also updated facet.needs_update methods to reflect changes in containing facets.
https://fedorahosted.org/freeipa/ticket/2075
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
UDP port checks in ipa-replica-conncheck are too strict. The entire
conncheck fails when UDP ports cannot be verified as open. However,
UDP protocol is unrealiable by its nature and the port can also not
be checked if there is an application already bound to it. This can
happen for example when ipa-replica-conncheck is run as a part of
ipa-ca-install and the replica services are thus already running.
This patch changes the behavior of UDP port checks. The conncheck
script now rather reports a warning that UDP port cannot be verified
but does not fail the entire test.
https://fedorahosted.org/freeipa/ticket/2514
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We had been using shell scripts and sed to test our translations. But
trying to edit pot and po files with sed is nearly impossible because
the file format can vary significantly and the sed editing was failing
and gettext tools were complaining about our test strategy. We had
been using a Python script (test_i18n.py) to perform the actual test
after using shell, sed, and gettext tools to create the files. There
is a Python library (polib) which can read/write/edit pot/po/mo files
(used internally by Transifex, our translation portal). The strategy
now is to do everything in Python (in test_i18n.py). This is easier,
more robust and allows us to do more things.
* add python-polib to BuildRequires
* Remove the logic for creating the test lang from Makefile.in and
replace it with calls to test_i18n.py
* add argument parsing, usage, configuration parameters, etc. to
test_i18n.py to make it easier to use and configurable.
* add function to generate a test po and mo file. It also
writes the files and creates the test directory structure.
* Took the existing validate code and refactored it into validation
function. It used to just pick one string and test it, now it
iterates over all strings and all plural forms.
* Validate anonymous Python format substitutions in pot file
* added support for plural forms.
* Add pot po file validation for variable substitution
* In install/po subdir you can now do:
$ make test
$ make validate-pot
$ make validate-po
* The options for running test_i18n.py are:
$ ./test_i18n.py --help
Usage:
test_i18n.py --test-gettext
test_i18n.py --create-test
test_i18n.py --validate-pot [pot_file1, ...]
test_i18n.py --validate-po po_file1 [po_file2, ...]
Options:
-h, --help show this help message and exit
-s, --show-strings show the offending string when an error is detected
--pedantic be aggressive when validating
-v, --verbose be informative
--traceback print the traceback when an exception occurs
Operational Mode:
You must select one these modes to run in
-g, --test-gettext create the test translation file(s) and exercise them
-c, --create-test create the test translation file(s)
-P, --validate-pot validate pot file(s)
-p, --validate-po validate po file(s)
Run Time Parameters:
These may be used to modify the run time defaults
--test-lang=TEST_LANG
test po file uses this as it's basename (default=test)
--lang=LANG lang used for locale, MUST be a valid lang
(default=xh_ZA)
--domain=DOMAIN translation domain used during test (default=ipa)
--locale=LOCALE locale used during test (default=test_locale)
--pot-file=POT_FILE
default pot file, used when validating pot file or
generating test po and mo files (default=ipa.pot)
https://fedorahosted.org/freeipa/ticket/2044
|
|
|
|
|
|
|
|
|
|
|
|
| |
Global DNS configuration is a nice tool to maintain a common DNS
settings stored in LDAP which are then used for all enrolled IPA
servers. However, the settings stored in LDAP override local
settings in named.conf on DNS servers.
This patch adds more information about global DNS configuration
options in install scripts and DNS module help.
https://fedorahosted.org/freeipa/ticket/2525
|
|
|
|
|
|
|
|
|
|
|
|
| |
New features in bind-dyndb-ldap and IPA DNS plugin pulled new
attributes and objectclasses. ACIs and permissions need to be
updated to allow users with appropriate permissions update
these attributes in LDAP.
This patch updates the ACI for DNS record updates and adds one
new permission to update global DNS configuration.
https://fedorahosted.org/freeipa/ticket/2510
|
|
|
|
|
|
|
|
| |
If minssf is set in configuration and this is not set then clients won't
be able to detect the available namingContexts, defaultNamingContext,
capabilities, etc.
https://fedorahosted.org/freeipa/ticket/2542
|
|
|
|
|
|
|
| |
Rebased patch sent by Yuri Chornoivan (yurchor@ukr.net). Fixes 'occured'
and 'commond' typos in FreeIPA messages.
https://fedorahosted.org/freeipa/ticket/2526
|
|
|
|
|
|
|
| |
Do cleanup on KeyboardInterrupt rather than in custom SIGINT handler in
ipa-replica-conncheck.
https://fedorahosted.org/freeipa/ticket/2127
|
|
|
|
|
|
| |
Part of support for ether maps.
https://fedorahosted.org/freeipa/ticket/2548
|
|
|
|
|
|
|
|
| |
DNS forwarder's value can consist of IP address and a port.
The syntax is '<IP ADDRESS> port <PORT>'. A new validator was created for this purpose. It is based on IP address validator.
https://fedorahosted.org/freeipa/ticket/2490
|
|
|
|
|
|
|
|
|
|
|
| |
dnsconfig was extended of new attributes, so reflecting it in UI.
New attributes:
* idnsForwardPolicy
* idnsAllowSyncPTR
* idnsZoneRefresh
https://fedorahosted.org/freeipa/ticket/2489
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Building the ipa rpms returns this:
warning: File listed twice: /usr/share/ipa/ui/extension.js
This is because of a glob:
%{_usr}/share/ipa/ui/*.js
and then more specifically:
%config(noreplace) %{_usr}/share/ipa/ui/extension.js
https://fedorahosted.org/freeipa/ticket/2253
|
|
|
|
|
|
| |
If an error content is displayed a successfull refresh doesn't show properly populated facet content. This patch adds show_content call to refresh success handlers which solves the problem.
https://fedorahosted.org/freeipa/ticket/2449
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When an error which caused calling of report_error occurt, the content of a facet got replaced by error message. There was no way how to force the facet to recreate its content and the facet became unusable.
This patch creates a containter for an error message. On error, report_error writes its content to error container, content container is hidden and error container is shown. Older comment in a code suggested to move the error message to facet's footer. A message in a footer could be missed by the user and on top of that a footer is sometimes used by various facet and we would have to solve the same problem again.
From experience the cause of an error is usually a missing pkey in a path. Therefore error information suggests user to navigate to top level. It causes to load default facets with default values so errors in navigation state shouldn't happen.
Facet content is displayed back on facet_show. If user tries to display same object as before facet's need_update() would return false, therefore need_update was modified to always return true if error is displayed.
Reproduction:
1) display any nested entity - ie DNS record
2) delete its parent pkey from path - &dnszone-pkey=example.com
3) reload the page with this path
https://fedorahosted.org/freeipa/ticket/2449
|
|
|
|
|
|
|
|
| |
HBAC Test validation message contains all missing values in form of list of links instead of general 'missing values' message and redirection to first missing value's facet.
When a link is clicked user is redirected to value's facet.
https://fedorahosted.org/freeipa/ticket/2182
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem:
When value in checkbox is modified twice in a row (so it is at its original value) an 'undo' button is still visible even when it shouldn't be.
Cause:
IPA server sends boolean values as 'TRUE' or 'FALSE' (strings). Checkbox_widget converts them to JavaScript? boolean (true, false). Save method in checkbox_widget is returning array with a boolean. So test_dirty method always evaluates to dirty because 'FALSE' != false.
This patch is fixing the problem.
https://fedorahosted.org/freeipa/ticket/2494
|
|
|
|
|
|
|
|
|
|
| |
This will add it on upgrades too and any new certs issued will have
a subject key identifier set.
If the user has customized the profile themselves then this won't be
applied.
https://fedorahosted.org/freeipa/ticket/2446
|
|
|
|
|
|
| |
Updated UI static content to contain value and label for certificate serial_number_hex.
https://fedorahosted.org/freeipa/ticket/1991
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1991
|
|
|
|
|
|
| |
When a table is displaying a record set without entity's pkey attribute. A checkbox value isn't properly prepared. This patch adds the preparation (converts value to string).
https://fedorahosted.org/freeipa/ticket/2404
|
|
|
|
|
|
|
|
|
|
| |
Network validator allowed invalid mask format:
* leading zeros: 192.168.0.1/0024
* trailing chars: 192.168.0.1/24abcd
It was fixed.
https://fedorahosted.org/freeipa/ticket/2493
|
|
|
|
|
|
|
|
|
| |
The dn value needs to be quoted otherwise it is interpreted to be a
multi-value.
This will replace whatever value is currently set.
https://fedorahosted.org/freeipa/ticket/2452
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Server framework calls acutil.res_send() to send DNS queries used
for various DNS tests. However, once acutil is imported it does
not change its list of configured resolvers even when
/etc/resolv.conf is changed. This may lead to unexpected
resolution issues.
We should at least reload httpd when we change /etc/resolv.conf to
point to FreeIPA nameserver to force a new import of acutil and
thus workaround this bug until it is resolved in authconfig.
https://fedorahosted.org/freeipa/ticket/2481
|
|
|
|
|
|
|
|
|
|
| |
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.
The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.
https://fedorahosted.org/freeipa/ticket/1314
|
|
|
|
|
|
| |
Creating CSV values in UI is unnecessary and error-prone because server converts them back to list. Possible problems with values containing commas may occur. All occurrences of CSV joining were therefore removed.
https://fedorahosted.org/freeipa/ticket/2227
|
|
|
|
|
|
| |
Based on contribution by Brian Harrington.
https://fedorahosted.org/freeipa/ticket/2428
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Usability was imporved in Unauthorized/Login dialog.
When the dialog is opened a link which switches to login form is focus so user can do following:
1) press enter (login form is displayed and username field is focused )
2) type username
3) press tab
4) type password
5) press enter
this sequence will execute login request.
When filling form user can also press 'escape' to go back to previous form state. It's the same as if he would click on the 'back' button.
https://fedorahosted.org/freeipa/ticket/2450
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Support for forms based authentication was added to UI.
It consist of:
1) new login page
Page url is [ipa server]/ipa/ui/login.html
Page contains a login form. For authentication it sends ajax request at [ipa server]/session/json/login_password. If authentication is successfull page is redirected to [ipa server]/ipa/ui if it fails from whatever reason a message is shown.
2) new enhanced error dialog - authorization_dialog.
This dialog is displayed when user is not authorized to perform action - usually when ticket and session expires.
It is a standard error dialog which shows kerberos ticket related error message and newly offers (as a link) to use form based authentication. If user click on the link, the dialog content and buttons switch to login dialog which has same functionality as 'new login page'. User is able to return back to the error message by clicking on a back button.
login.html uses same css styles as migration page -> ipa-migration.css was merged into ipa.css.
https://fedorahosted.org/freeipa/ticket/2450
|
|
|
|
|
|
|
|
|
|
| |
Logout button was added to Web UI.
Click on logout button executes session_logout command. If command succeeds or xhr stutus is 401 (unauthorized - already logged out) page is redirected to logout.html.
logout.html is a simple page with "You have been logged out" text and a link to return back to main page.
https://fedorahosted.org/freeipa/ticket/2363
|