freeipa.git/lite-server.py, branch fixlogout FreeIPA patches New lite-server implementation 2017-02-15T16:30:36+00:00 Christian Heimes cheimes@redhat.com 2017-01-21T18:34:12+00:00 ff6e701b0077d9c8e2aacdcaecf70f885018db92 The new development server depends on werkzeug instead of paste. The werkzeug WSGI server comes with some additional features, most noticeable multi-processing server. The IPA framework is not compatible with threaded servers. Werkzeug can serve static files easily and has a fast auto-reloader. The new lite-server implementation depends on PR 314 (privilege separation). For Python 3 support, it additionally depends on PR 393. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
The new development server depends on werkzeug instead of paste. The
werkzeug WSGI server comes with some additional features, most
noticeable multi-processing server. The IPA framework is not compatible
with threaded servers. Werkzeug can serve static files easily and has a
fast auto-reloader.

The new lite-server implementation depends on PR 314 (privilege
separation). For Python 3 support, it additionally depends on PR 393.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Python3 pylint fixes 2016-11-25T15:18:22+00:00 Christian Heimes cheimes@redhat.com 2016-11-23T09:04:43+00:00 38e8719f728e6d54289507fe2c7f79f9272c45c0 Sprinkle 'pylint disable' comments over the code base to silence a bunch of pylint warnings on Python 3. All silenced warnings are harmless and not bugs. https://fedorahosted.org/freeipa/ticket/4985 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
Sprinkle 'pylint disable' comments over the code base to silence a bunch
of pylint warnings on Python 3. All silenced warnings are harmless and
not bugs.

https://fedorahosted.org/freeipa/ticket/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Port from python-krbV to python-gssapi 2015-08-26T07:41:36+00:00 Michael Simacek msimacek@redhat.com 2015-07-20T14:04:07+00:00 aad73fad601f576dd83b758f4448839b4e8e87df python-krbV library is deprecated and doesn't work with python 3. Replacing all it's usages with python-gssapi. - Removed Backend.krb and KRB5_CCache classes They were wrappers around krbV classes that cannot really work without them - Added few utility functions for querying GSSAPI credentials in krb_utils module. They provide replacements for KRB5_CCache. - Merged two kinit_keytab functions - Changed ldap plugin connection defaults to match ipaldap - Unified getting default realm Using api.env.realm instead of krbV call Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.

- Removed Backend.krb and KRB5_CCache classes
  They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
  in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
  Using api.env.realm instead of krbV call

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Use /usr/bin/python2 2014-01-03T08:46:05+00:00 Xiao-Long Chen chenxiaolong@cxl.epac.to 2013-11-27T13:53:57+00:00 5e96fbc22afa02f08f71513e7b59d3d5c6a1f9dc Part of the effort to port FreeIPA to Arch Linux, where Python 3 is the default. FreeIPA hasn't been ported to Python 3, so the code must be modified to run /usr/bin/python2 https://fedorahosted.org/freeipa/ticket/3438 Updated by pviktori@redhat.com 
Part of the effort to port FreeIPA to Arch Linux,
where Python 3 is the default.

FreeIPA hasn't been ported to Python 3, so the code must be modified to
run /usr/bin/python2

https://fedorahosted.org/freeipa/ticket/3438

Updated by pviktori@redhat.com
Tweak the session auth to reflect developer consensus. 2012-02-27T10:54:29+00:00 John Dennis jdennis@redhat.com 2012-02-15T15:26:42+00:00 9753fd423059e8d5725ead9a90a7cf1b9e0b9b85 * Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362 
* Increase the session ID from 48 random bits to 128.

* Implement the sesison_logout RPC command. It permits the UI to send
  a command that destroys the users credentials in the current
  session.

* Restores the original web URL's and their authentication
  protections. Adds a new URL for sessions /ipa/session/json. Restores
  the original Kerberos auth which was for /ipa and everything
  below. New /ipa/session/json URL is treated as an exception and
  turns all authenticaion off. Similar to how /ipa/ui is handled.

* Refactor the RPC handlers in rpcserver.py such that there is one
  handler per URL, specifically one handler per RPC and AuthMechanism
  combination.

* Reworked how the URL names are used to map a URL to a
  handler. Previously it only permitted one level in the URL path
  hierarchy. We now dispatch on more that one URL path component.

* Renames the api.Backend.session object to wsgi_dispatch. The use of
  the name session was historical and is now confusing since we've
  implemented sessions in a different location than the
  api.Backend.session object, which is really a WSGI dispatcher, hence
  the new name wsgi_dispatch.

* Bullet-proof the setting of the KRB5CCNAME environment
  variable. ldap2.connect already sets it via the create_context()
  call but just in case that's not called or not called early enough
  (we now have other things besides ldap which need the ccache) we
  explicitly set it early as soon as we know it.

* Rework how we test for credential validity and expiration. The
  previous code did not work with s4u2proxy because it assumed the
  existance of a TGT. Now we first try ldap credentials and if we
  can't find those fallback to the TGT. This logic was moved to the
  KRB5_CCache object, it's an imperfect location for it but it's the
  only location that makes sense at the moment given some of the
  current code limitations. The new methods are KRB5_CCache.valid()
  and KRB5_CCache.endtime().

* Add two new classes to session.py AuthManager and
  SessionAuthManager. Their purpose is to emit authication events to
  interested listeners. At the moment the logout event is the only
  event, but the framework should support other events as they arise.

* Add BuildRequires python-memcached to freeipa.spec.in

* Removed the marshaled_dispatch method, it was cruft, no longer
  referenced.

https://fedorahosted.org/freeipa/ticket/2362
Add labels so HBAC and Sudo rules show under hosts/hostgroups. 2012-01-16T11:37:12+00:00 Rob Crittenden rcritten@redhat.com 2011-12-02T19:27:47+00:00 f7753bf55cf713b93f1c12d0fc6dde7f804dd975 Also fix a bunch of trailing whitespace. https://fedorahosted.org/freeipa/ticket/1751 
Also fix a bunch of trailing whitespace.

https://fedorahosted.org/freeipa/ticket/1751
rename static to ui 2011-01-20T14:12:47+00:00 Adam Young ayoung@redhat.com 2011-01-19T17:26:14+00:00 b9ad279ad2d8d93dd501115a028783cf8fe7fcbd Directory rename 
Directory rename
Execute /usr/bin/python directly instead of /usr/bin/env python 2011-01-14T21:27:48+00:00 Rob Crittenden rcritten@redhat.com 2011-01-13T17:26:30+00:00 d7bd9138c803659bbcc3320a4656478ee73f2b3d ticket 608 
ticket 608
Change FreeIPA license to GPLv3+ 2010-12-20T22:19:53+00:00 Jakub Hrozek jhrozek@redhat.com 2010-12-09T12:59:11+00:00 7493d781dfcaa7995f7864a09ad39ba6a89f1a9c The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239 
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
SUDO Rule Search and Details Pages 2010-11-19T21:53:30+00:00 Endi S. Dewata edewata@redhat.com 2010-11-19T02:17:14+00:00 379a9cc41f04d36538aee11839c1222d408b4f99 The search and details pages for SUDO Rule have been added. Codes that are shared with HBAC have been moved to rule.js. The following methods were renamed for consistency: - ipa_details_load() -> ipa_details_refresh() - ipa_details_display() -> ipa_details_load() The ipa_details_cache has been removed because the cache is now stored in each widget. The index.xhtml has been removed. All references to it has been changed to index.html. The Unselect All checkbox has been fixed. Unnecessary parameter 'container' has been removed. The unit test has been updated and new test data has been added. 
The search and details pages for SUDO Rule have been added. Codes
that are shared with HBAC have been moved to rule.js.

The following methods were renamed for consistency:
 - ipa_details_load() -> ipa_details_refresh()
 - ipa_details_display() -> ipa_details_load()

The ipa_details_cache has been removed because the cache is now
stored in each widget.

The index.xhtml has been removed. All references to it has been
changed to index.html.

The Unselect All checkbox has been fixed. Unnecessary parameter
'container' has been removed.

The unit test has been updated and new test data has been added.