Re: [Freeipa-devel] [PATCH] 0263-password-expiration-label
On 07/05/2011 04:41 PM, Endi Sukma Dewata wrote: On 7/5/2011 3:38 PM, Adam Young wrote: ACK but it needs a rebase. Rebased and pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0263-password-expiration-label
On 7/5/2011 3:38 PM, Adam Young wrote: ACK but it needs a rebase. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0263-password-expiration-label
From 14c2126baf538238f671541967a9ff1a39cca6b2 Mon Sep 17 00:00:00 2001
From: Adam Young
Date: Tue, 5 Jul 2011 14:55:03 -0400
Subject: [PATCH] password expiration label
---
API.txt|2 +-
install/ui/test/data/ipa_init.json | 36 +++-
ipalib/plugins/config.py |2 +-
3 files changed, 17 insertions(+), 23 deletions(-)
diff --git a/API.txt b/API.txt
index 5f423302e15386fbc4dbd2f5616eda005aa3411d..c6ad1c5139c23ff0399a816b9aaeb4665fe0562f 100644
--- a/API.txt
+++ b/API.txt
@@ -340,7 +340,7 @@ option: IA5Str('ipagroupsearchfields', attribute=True, autofill=False, cli_name=
 option: Bool('ipamigrationenabled', attribute=True, autofill=False, cli_name='enable_migration', label=Gettext('Enable migration mode', domain='ipa', localedir=None), multivalue=False, required=False)
 option: List('ipagroupobjectclasses', attribute=True, autofill=False, cli_name='groupobjectclasses', label=Gettext('Default group objectclasses', domain='ipa', localedir=None), multivalue=True, required=False)
 option: List('ipauserobjectclasses', attribute=True, autofill=False, cli_name='userobjectclasses', label=Gettext('Default user objectclasses', domain='ipa', localedir=None), multivalue=True, required=False)
-option: Int('ipapwdexpadvnotify', attribute=True, autofill=False, cli_name='pwdexpnotify', label=Gettext('Password Expiration Notification', domain='ipa', localedir=None), minvalue=0, multivalue=False, required=False)
+option: Int('ipapwdexpadvnotify', attribute=True, autofill=False, cli_name='pwdexpnotify', label=Gettext('Password Expiration Notification (days)', domain='ipa', localedir=None), minvalue=0, multivalue=False, required=False)
 option: Str('addattr*', validate_add_attribute, cli_name='addattr', exclude='webui')
 option: Str('setattr*', validate_set_attribute, cli_name='setattr', exclude='webui')
 option: Flag('rights', autofill=True, default=False, label=Gettext('Rights', domain='ipa', localedir=None))
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json index a7af638418efb42a6cfdb32c6182b8fb1b19d42c..7f145e3feaed0ab202391d8964c14235a97c768f 100644 --- a/install/ui/test/data/ipa_init.json +++ b/install/ui/test/data/ipa_init.json @@ -8653,7 +8653,7 @@ "flags": [], "hint": null, "include": null, -"label": "Password Expiration Notification", +"label": "Password Expiration Notification (days)", "maxvalue": 2147483647, "minvalue": 0, "multivalue": false, @@ -10579,9 +10579,7 @@ ], "memberindirect": [ "user", -"group", -"netgroup", -"role" +"group" ], "memberof": [ "group", @@ -11996,7 +11994,6 @@ "sudorule" ], "memberofindirect": [ -"host", "hostgroup", "hbacrule", "sudorule" @@ -15815,10 +15812,10 @@ }, "user": { "account": "Account Settings", -"account_status": "Account status", +"account_status": "Account Status", "activate": "Activate", -"activation_link": "Click to ${action}", "activation_confirmation": "Are you sure you want to ${action} the user?The change will take effect immediately.", +"activation_link": "Click to ${action}", "active": "Active", "contact": "Contact Settings", "deactivate": "Deactivate", @@ -15880,37 +15877,34 @@ "Administrator" ], "gidnumber": [ -"196560" +"19320" ], "homedirectory": [ "/home/admin" ], "ipauniqueid": [ -"9e262c00-a357-11e0-a074-525400b55a47" +"c300021e-a445-11e0-80b9-525400b55a47" ], "krbextradata": [ { +"__base64__": "AAL2bA5Ocm9v
Re: [Freeipa-devel] [PATCH] 0262-validate-ints
On 7/5/2011 3:00 PM, Adam Young wrote: 1. The validation process should stop after finding the first problem. So the validate_integers() needs to return a value which is then checked by validate() to determine if it should continue. Not really necessary. The validation is still correct, but subsequent checking will be redundant. This is no longer an issue in this patch because the pattern checking is moved into meta_validate(). But suppose we have additional checkings after meta_validate() they could be redundant. We'll address that when that actually happens. 2. This is actually an existing problem, so it can be addressed later. If a widget only has a metadata but not param_info (not sure if this ever happens) it will only execute integer validation but not the pattern validation. The metadata and param_info are actually the same thing so we should be able to merge them, but it might require significant changes. Fixed There is still an issue in validate(), the required flag is only checked if param_info is available (which is probably always the case). Ideally the param_info should be renamed into metadata, thus avoiding multiple validations as well. This can be addressed later. ACK and pushed to master. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 045 Add DNS record modification command
On 03/30/2011 11:13 AM, Martin Kosek wrote: Since this is a new-feature type patch it should be pushed only to master. --- The DNS record plugin does not support modification of a record. One can only add A type addresses to a DNS record or remove the current ones. To actually change a DNS record value it has to be removed and then added with a desired value. This patch adds a new DNS plugin command "dnsrecord-mod" which enables the user to: - modify a DNS record value (note that a DNS record can hold multiple values and those will be overwritten) - remove a DNS record when an empty value is passed New tests for this new command have been added to the CLI test suite. https://fedorahosted.org/freeipa/ticket/1137 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel dns.py has changed enough that this needs a rebase, but from my visual inspection it looks correct. Can you post an updated patch? ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 198 Fixed object_name usage.
On 7/5/2011 3:07 PM, Adam Young wrote: I the strings in the plugins are supposed to be read by people, they should be internationalized. Is there any reason to not surround both object_name and object_name_plural with _( )? The original values were not internationalized and also sometimes they are used in a message that are not internationalized either. I think internationalizing the server messages should be done in a separate ticket. ACK. Pushed to master. Please open a ticket for the I18N of server messages https://fedorahosted.org/freeipa/ticket/1435 -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 198 Fixed object_name usage.
On 07/05/2011 03:22 PM, Endi Sukma Dewata wrote: On 7/5/2011 1:45 PM, Adam Young wrote: On 07/05/2011 02:30 PM, Endi Sukma Dewata wrote: The object_name attribute was used as both an identifier and a label which sometimes require different values (e.g. hbacrule vs. HBAC rule). The code that uses object_name as an identifier has been changed to use the 'name' attribute instead. The values of the object_name attribute have been fixed to become proper labels. Ticket #1217 I the strings in the plugins are supposed to be read by people, they should be internationalized. Is there any reason to not surround both object_name and object_name_plural with _( )? The original values were not internationalized and also sometimes they are used in a message that are not internationalized either. I think internationalizing the server messages should be done in a separate ticket. ACK. Pushed to master. Please open a ticket for the I18N of server messages ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0262-validate-ints
On 07/05/2011 02:27 PM, Endi Sukma Dewata wrote: On 7/5/2011 9:37 AM, Adam Young wrote: Some issues: 1. The validation process should stop after finding the first problem. So the validate_integers() needs to return a value which is then checked by validate() to determine if it should continue. Not really necessary. 2. This is actually an existing problem, so it can be addressed later. If a widget only has a metadata but not param_info (not sure if this ever happens) it will only execute integer validation but not the pattern validation. The metadata and param_info are actually the same thing so we should be able to merge them, but it might require significant changes. Fixed 3. There are jslint warnings. The 'message' variable declaration needs to be moved into validate_integers(). Fixed From 2e64d03b7e0211851857c75e39989830c191500f Mon Sep 17 00:00:00 2001 From: Adam Young Date: Tue, 5 Jul 2011 10:35:50 -0400 Subject: [PATCH] validate ints validate integers whether meta comes from metadata or param_info https://fedorahosted.org/freeipa/ticket/1415 --- install/ui/widget.js | 73 +++-- 1 files changed, 40 insertions(+), 33 deletions(-) diff --git a/install/ui/widget.js b/install/ui/widget.js index 2ea345d9adb0014bdae8e84ef95a304bd8635196..cd3a5c60e2153b25c0fce58ebaf94cf3f51f1ffe 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js 
@@ -70,6 +70,44 @@ IPA.widget = function(spec) { that._entity_name = entity_name; }); + +function meta_validate(meta, value){ +var message; + +if (meta.type == 'int') { +if (!value.match(/^-?\d+$/)) { +that.valid = false; +that.show_error(IPA.messages.widget.validation.integer); +return; +} + +if (meta.minvalue && value < meta.minvalue) { +that.valid = false; +message = IPA.messages.widget.validation.min_value; +message = message.replace('${value}', meta.minvalue); +that.show_error(message); +return; +} + +if (meta.maxvalue && value > meta.maxvalue) { +that.valid = false; +message = IPA.messages.widget.validation.max_value; +message = message.replace('${value}', meta.maxvalue); +that.show_error(message); +return; +} +} +if (meta.pattern) { +var regex = new RegExp(meta.pattern); +if (!value.match(regex)) { +that.valid = false; +that.show_error(meta.pattern_errmsg); +return; +} +} + +} + /*returns true and clears the error message if the field value passes the validation pattern. If the field value does not pass validation, displays the error message and returns false. */ @@ -78,7 +116,6 @@ IPA.widget = function(spec) { that.hide_error(); that.valid = true; -var message; var values = that.save(); if (!values || !values.length) { 
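Review bot: In meta_validate the range checks are gated on `meta.minvalue && value < meta.minvalue` and `meta.maxvalue && value > meta.maxvalue`, so a bound of 0 is treated as "no bound" — and elsewhere on this page the ipapwdexpadvnotify field is declared with minvalue=0, which means a negative notification period passes the client-side check and is only caught by the server. Test presence explicitly: `if (meta.minvalue !== undefined && meta.minvalue !== null && value < meta.minvalue) {` and the same shape for maxvalue. The comparison works on the raw string only because the preceding regex guarantees a numeric form; a one-line comment saying so, or a single `var num = parseInt(value, 10);` used by both checks, would make that dependency visible. The enclosing IPA.widget function starts before this hunk and continues after it.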
@@ -97,40 +134,10 @@ IPA.widget = function(spec) { } if (that.metadata) { -if (that.metadata.type == 'int') { -if (!value.match(/^-?\d+$/)) { -that.valid = false; -that.show_error(IPA.messages.widget.validation.integer); -return; -} - -if (that.metadata.minvalue && value < that.metadata.minvalue) { -that.valid = false; -message = IPA.messages.widget.validation.min_value; -message = message.replace('${value}', that.metadata.minvalue); -that.show_error(message); -return; -} - -if (that.metadata.maxvalue && value > that.metadata.maxvalue) { -that.valid = false; -message = IPA.messages.widget.validation.max_value; -message = message.replace('${value}', that.metadata.maxvalue); -that.show_error(message); -return; -} -} +meta_validate(that.metadata,value); } - if (that.param_info) { -if (that.param_info.pattern) { -var regex = new RegExp(that.param_info.pattern); -if (!value.match(regex)) { -that.valid = false; -that.show_error(that.param_info.pattern_errmsg); -return; -} -} +meta_validate(that.param_info,value); } }; -- 1.7.5.2 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 198 Fixed object_name usage.
On 7/5/2011 1:45 PM, Adam Young wrote: On 07/05/2011 02:30 PM, Endi Sukma Dewata wrote: The object_name attribute was used as both an identifier and a label which sometimes require different values (e.g. hbacrule vs. HBAC rule). The code that uses object_name as an identifier has been changed to use the 'name' attribute instead. The values of the object_name attribute have been fixed to become proper labels. Ticket #1217 I the strings in the plugins are supposed to be read by people, they should be internationalized. Is there any reason to not surround both object_name and object_name_plural with _( )? The original values were not internationalized and also sometimes they are used in a message that are not internationalized either. I think internationalizing the server messages should be done in a separate ticket. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 818 add password expiration notify to default attr list
I pushed this as a one-liner. https://fedorahosted.org/freeipa/ticket/1416 rob >From d9f1fb5c8cedf844d1110c91489f460635a101d9 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 5 Jul 2011 15:03:19 -0400 Subject: [PATCH] Add pwd expiration notif (ipapwdexpadvnotify) to config plugin def attr list https://fedorahosted.org/freeipa/ticket/1416 --- ipalib/plugins/config.py |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index d05e4f4..cbca860 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -86,6 +86,7 @@ class config(LDAPObject): 'ipadefaultprimarygroup', 'ipadefaultemaildomain', 'ipasearchtimelimit', 'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields', 'ipamigrationenabled', 'ipacertificatesubjectbase', +'ipapwdexpadvnotify', ] label = _('Configuration') -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 198 Fixed object_name usage.
On 07/05/2011 02:30 PM, Endi Sukma Dewata wrote: The object_name attribute was used as both an identifier and a label which sometimes require different values (e.g. hbacrule vs. HBAC rule). The code that uses object_name as an identifier has been changed to use the 'name' attribute instead. The values of the object_name attribute have been fixed to become proper labels. Ticket #1217 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel I the strings in the plugins are supposed to be read by people, they should be internationalized. Is there any reason to not surround both object_name and object_name_plural with _( )? ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0262-validate-ints
On 7/5/2011 9:37 AM, Adam Young wrote: Some issues: 1. The validation process should stop after finding the first problem. So the validate_integers() needs to return a value which is then checked by validate() to determine if it should continue. 2. This is actually an existing problem, so it can be addressed later. If a widget only has a metadata but not param_info (not sure if this ever happens) it will only execute integer validation but not the pattern validation. The metadata and param_info are actually the same thing so we should be able to merge them, but it might require significant changes. 3. There are jslint warnings. The 'message' variable declaration needs to be moved into validate_integers(). -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 818 find_entry_by_attr() should fail if multiple entries are found
It will only ever return one entry so if more than one are found then we raise an exception. This is most easily seen in the host plugin where we search on the server shortname which can be the same across sub-domains (e.g. foo.example.com & foo.lab.example.com). https://fedorahosted.org/freeipa/ticket/1388 rob >From f52e98e12f133ca45b57653c3d69c356e361fce3 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 5 Jul 2011 13:36:48 -0400 Subject: [PATCH] find_entry_by_attr() should fail if multiple entries are found It will only ever return one entry so if more than one are found then we raise an exception. This is most easily seen in the host plugin where we search on the server shortname which can be the same across sub-domains (e.g. foo.example.com & foo.lab.example.com). https://fedorahosted.org/freeipa/ticket/1388 --- ipalib/errors.py | 17 ipaserver/plugins/ldap2.py|7 +- tests/test_xmlrpc/test_host_plugin.py | 35 + 3 files changed, 58 insertions(+), 1 deletions(-) diff --git a/ipalib/errors.py b/ipalib/errors.py index 74bc5f679502f91f860e2f376620a37d98dc9746..c6389da81f60d06ebae610ef45a4246cb4fe165d 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1209,6 +1209,23 @@ class AttrValueNotFound(ExecutionError): format = _('%(attr)s does not contain \'%(value)s\'') +class SingleMatchExpected(ExecutionError): +""" +**4027** Raised when a search should return a single match + +For example: + +>>> raise SingleMatchExpected(found=9) +Traceback (most recent call last): + ... +SingleMatchExpected: The search criteria was not specific enough. Expected 1 and found 9. +""" + +errno = 4027 +rval = 1 +format = _('The search criteria was not specific enough. Expected 1 and found %(found)d.') + + class BuiltinError(ExecutionError): """ **4100** Base class for builtin execution errors (*4100 - 4199*). diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index 5d6d21d43cab7e1337af6667c027c4e1d956ea9f..6f34984caf85fce7a8174bad10255299a45fc5d4 100644 
--- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -620,7 +620,12 @@ class ldap2(CrudBackend, Encoder): """ search_kw = {attr: value, 'objectClass': object_class} filter = self.make_filter(search_kw, rules=self.MATCH_ALL) -return self.find_entries(filter, attrs_list, base_dn)[0][0] +(entries, truncated) = self.find_entries(filter, attrs_list, base_dn) + +if len(entries) > 1: +raise errors.SingleMatchExpected(found=len(entries)) +else: +return entries[0] def get_entry(self, dn, attrs_list=None, time_limit=None, size_limit=None, normalize=True): diff --git a/tests/test_xmlrpc/test_host_plugin.py b/tests/test_xmlrpc/test_host_plugin.py index f4e020ed7abcd1ccf9de0df32b5d00c898b5b088..793729629eda71a3800b87b9068378207492f426 100644 --- a/tests/test_xmlrpc/test_host_plugin.py +++ b/tests/test_xmlrpc/test_host_plugin.py @@ -39,6 +39,8 @@ dn2 = u'fqdn=%s,cn=computers,cn=accounts,%s' % (fqdn2, api.env.basedn) fqdn3 = u'testhost2.%s' % api.env.domain short3 = u'testhost2' dn3 = u'fqdn=%s,cn=computers,cn=accounts,%s' % (fqdn3, api.env.basedn) +fqdn4 = u'testhost2.lab.%s' % api.env.domain +dn4 = u'fqdn=%s,cn=computers,cn=accounts,%s' % (fqdn4, api.env.basedn) # We can use the same cert we generated for the service tests fd = open('tests/test_xmlrpc/service.crt', 'r') @@ -53,6 +55,7 @@ class test_host(Declarative): ('host_del', [fqdn1], {}), ('host_del', [fqdn2], {}), ('host_del', [fqdn3], {}), +('host_del', [fqdn4], {}), ('service_del', [service1], {}), ] 
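Review bot: The new uniqueness check in find_entry_by_attr ignores the `truncated` flag that find_entries now returns, so a search cut short by the size or time limit can still hand back a single entry as though it were the unique match — which is exactly the ambiguity this patch is meant to close. Guard on both conditions: `if len(entries) > 1 or truncated:` before raising SingleMatchExpected. The `else:` after the raise is redundant and `return entries[0]` can stand on its own; if find_entries can return an empty list rather than raising NotFound (not visible here), that return would fail with an IndexError and deserves its own explicit check. The enclosing method begins before this hunk.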
@@ -295,6 +298,32 @@ class test_host(Declarative): dict( +desc='Create %r' % fqdn4, +command=('host_add', [fqdn4], +dict( +description=u'Test host 4', +l=u'Undisclosed location 4', +force=True, +), +), +expected=dict( +value=fqdn4, +summary=u'Added host "%s"' % fqdn4, +result=dict( +dn=dn4, +fqdn=[fqdn4], +description=[u'Test host 4'], +l=[u'Undisclosed location 4'], +krbprincipalname=[u'host/%s@%s' % (fqdn4, api.env.realm)], +objectclass=objectclasses.host, +ipauniqueid=[fuzzy_uuid], +managedby_host=[u'%s' % fqdn4], +), +), +), + + +dict( desc='Add managedby_host %r to %r' % (fqdn1, fqdn3), command=('host_add_managedby', [fqdn3], dict( @@ -363,6 +392,12 @@ class test_host(Declarative): ), +dict( +
Re: [Freeipa-devel] [PATCH] 817 Add option to wait for values
Rob Crittenden wrote: Rob Crittenden wrote: 389-ds postop plugins, such as the managed entry and memberof plugins, add values after the data has been returned to the client. In the case of the managed entry plugin this affects the parent entry as well (adds an objectclass value). This wreaks havoc on our tests as the values don't match what we expect. The solution is to wait for the postop plugins to finish their work, then return. I've added this as an option. The downside is it is going to naturally slow things down, so it is off by default. It is currently only used in the hostgroup plugin. The option is wait_for_attr. Add this to ~/.ipa/default.conf and set it to True and all the current tests will pass (assuming you apply patches 814-816 as well). So now we won't have any excuses for missing test failures in the unit tests... rob Bah, found a small problem. Self-NACK. rob Updated patch attached. Note that I don't think there is a way for us to handle things like memberof_indirect. We wouldn't know to wait. rob >From 298182164a8426c121a70ecb51e4be1c9e8bef75 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Fri, 1 Jul 2011 15:32:31 -0400 Subject: [PATCH] Optionally wait for 389-ds postop plugins to complete Add a new command that lets you wait for an attribute to appear in a value. Using this you can do things like wait for a managed entry to be created, adding a new objectclass to the parent entry. This is controlled by a new booleon option, wait_for_attr, defaulting to False. https://fedorahosted.org/freeipa/ticket/1144 --- ipalib/constants.py |1 + ipalib/plugins/baseldap.py | 32 ipalib/plugins/hostgroup.py |7 +++ 3 files changed, 40 insertions(+), 0 deletions(-) diff --git a/ipalib/constants.py b/ipalib/constants.py index 23e80257d0a9b513ceb2478411ede8bcf1acdbe9..026e0735441eabf8dbe63fffa85da69aa151c5d7 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py 
@@ -148,6 +148,7 @@ DEFAULT_CONFIG = ( # Enable certain optional plugins: ('enable_ra', False), ('ra_plugin', 'selfsign'), +('wait_for_attr', False), # Used when verifying that the API hasn't changed. Not for production. ('validate_api', False), diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 2e9991317c5d97cae4495e957a692dfc1f6dfa75..2967c1274d164eba933f36a61c313ef4d975703f 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -238,6 +238,38 @@ def wait_for_memberof(keys, entry_start, completed, show_command, adding=True): return entry_attrs +def wait_for_value(ldap, dn, attr, value): +""" +389-ds postoperation plugins are executed after the data has been +returned to a client. This means that plugins that add data in a +postop are not included in data returned to the user. + +The downside of waiting is that this increases the time of the +command. +""" +# Loop a few times to give the postop-plugin a chance to complete +# Don't sleep for more than 6 seconds. +x = 0 +while x < 20: +# sleep first because the first search, even on a quiet system, +# almost always fails. +time.sleep(.3) +x = x + 1 + +# FIXME: put a try/except around here? I think it is probably better +# to just let the exception filter up to the caller. +(dn, entry_attrs) = ldap.get_entry( dn, ['*']) +if attr in entry_attrs: +if isinstance(entry_attrs[attr], (list, tuple)): +values = map(lambda y:y.lower(), entry_attrs[attr]) +if value.lower() in values: +break +else: +if value.lower() == entry_attrs[attr].lower(): +break + +return entry_attrs[attr] + class LDAPObject(Object): """ Object representing a LDAP entry. diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py index c5b96056bfdcd6d039ff1eec68124684324b081d..1d201f3b0d2965822effb69f8a41e38061d5b2b4 100644 --- a/ipalib/plugins/hostgroup.py +++ b/ipalib/plugins/hostgroup.py 
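Review bot: wait_for_value gives up silently after 20 polls (about 6 s): when the loop exhausts without a match it falls through to `return entry_attrs[attr]`, which hands back the stale value if the attribute exists and raises a bare KeyError if it does not, so a caller cannot distinguish a slow postop plugin from one that never ran. Track success with `found = False` before the loop, set it to True where the loop breaks, and after the loop `if not found: raise errors.NotFound(reason='%s did not appear in %s' % (value, attr))` (errors is presumably in scope in baseldap.py — verify), ideally with a log line on the timeout path. `time.sleep` is used but the hunk adds no `import time`; confirm the module already imports it. The scalar branch assumes both `value` and `entry_attrs[attr]` are strings, which is worth stating in the docstring.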
@@ -98,6 +98,13 @@ class hostgroup_add(LDAPCreate): msg_summary = _('Added hostgroup "%(value)s"') +def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +if self.api.env.wait_for_attr: +ldap = self.obj.backend +entry_attrs['objectclass'] = wait_for_value(ldap, dn, 'objectclass', 'mepOriginEntry') +return dn + + api.register(hostgroup_add) -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
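Review bot: post_callback receives `ldap` as a parameter and then immediately shadows it with `self.obj.backend`; if the two refer to the same backend the reassignment is dead code, and if they differ a one-line comment should explain why the object's backend is preferred for the wait. `wait_for_value` is called unqualified but this hunk adds no import; verify hostgroup.py already pulls it in from baseldap (presumably via the existing wildcard import). The hostgroup_add class starts before this hunk.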
Re: [Freeipa-devel] [PATCH] 045 Add DNS record modification command
On 03/30/2011 04:52 PM, Adam Young wrote: On 03/30/2011 11:13 AM, Martin Kosek wrote: Since this is a new-feature type patch it should be pushed only to master. --- The DNS record plugin does not support modification of a record. One can only add A type addresses to a DNS record or remove the current ones. To actually change a DNS record value it has to be removed and then added with a desired value. This patch adds a new DNS plugin command "dnsrecord-mod" which enables user to: - modify a DNS record value (note than DNS record can hold multiple values and those will be overwritten) - remove a DNS record when an empty value is passed New tests for this new command have been added to the CLI test suite. https://fedorahosted.org/freeipa/ticket/1137 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel NACK, The problem is that if there are 10 A records, and I only want to modify one, I have no way to specify which one. The API should be something like: ipa dnsrecord-mod ayoung.boston.devel.redhat.com testa 10.10.2.3 --a-rec=,10.11.12.13 Alternatively, we can decide that we are not going to do mod, and have the WebUI do a delete and an add: ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel This objection is withdrawn. Going to retest this patch with a change to the ui. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Proposal: drop DENY rules from HBAC
On Tue, 2011-07-05 at 10:53 -0400, Dmitri Pal wrote: > I disagree with the server side UI changes. > IMO the IPA server should detect the DENY rules at the upgrade step > and > fail the upgrade asking administrator to remove the rules first. No, upgrade time is the wrong time to ask for complex changes. > Carrying them forward in the UI means that we would allow IPA to have > the rules but it would ignore them creating a security hole. IPA does not do the enforcing so it does not observe/ignore them at all. The client (sssd) does the enforcing, so the only place to handle security issues is there. > Since some admins do not use UI it will be even worse. That's why we are dealing with the problem in the client. The UI is just to warn in advance those admins that stubbornly refuse to read release notes and test their clients. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Proposal: drop DENY rules from HBAC
On 07/01/2011 10:28 AM, Simo Sorce wrote: > On Wed, 2011-06-29 at 16:25 -0400, Jakub Hrozek wrote: > >> By removing the deny rules, do we break compatibility with anything else >> than the IPA tech preview in RHEL and upstream FreeIPA 2.0? > > Ok we've had a somewhat heated discussion internally about how to deal > with the transition phase for those admins that decided to use HBAC DENY > rules. Hopefully very few did and so very few people will actually be > impacted, but we need to handle those cases the best we can to avoid > security issues for those users. > > Here is a rough plan I'd like to get both developers *AND* users > feedback on if you care about it. > > The premise to the following plan is that very few administrators, > unfortunately, carefully read release notes before upgrading, so simply > dropping and ignoring DENY rules is felt as something we can't do. > > We split the solution in 2 parts, one on the SSSD side (the only client > currently able to understand IPA HBAC rules), and one on the server > side. > > SSSD: > Inconveniencing clients is probably the easiest way to cause the least > disruption and attracting the administrators attention. > The idea here is to treat any DENY rule as actually a DENY-ALL rule. > Basically causing any login attempt for any service to fail as soon as > the new sssd package will be installed. > Even though admins normally do not read release notes, they still do a > few test upgrades before upgrading the whole set of clients they > administer. > By having SSSD deny logins if any DENY rule is found (and spamming the > log with pointers at the same time) we hope to give admins a good enough > "wake up something changed" call. > > This change will be prominently advertised in SSSD release notes. > Also to ease the pain for those places where the Server and client > admins are different groups, we plan to add a transitional configuration > option. This option will allow admins to ignore DENY rules entirely. 
The > option will default to the DENYALL behavior described above, but admins > will be able to toggle it to ignore so they can keep testing the client, > while they make sure to warn the Server admins that DENY rules support > is going to be dropped. > > FreeIPA: > On the server side instead we will add 2 visual cues to the WebUI and > probably something to the CLI commands used to manage HBAC rules. > > In the WebUI, pending UXD and UI developers approval/feedback we will > have a prominent error message in the main page only for administrators > that are allowed to manage HBAC rules. This warning will be shown if any > DENY rule exist on the server. > In the HBAC pages, deny rules will be highlighted and text explaining > they are not supported anymore and need to be removed will be shown. > > These warnings will be dropped down the road after 1 more point release. > > Of course Release notes will prominently highlight this change so that > most admins will be prepared to handle this change. > > > Hopefully people will have enough cues to properly handle the situation. > > > Simo. > I disagree with the server side UI changes. IMO the IPA server should detect the DENY rules at the upgrade step and fail the upgrade asking administrator to remove the rules first. Carrying them forward in the UI means that we would allow IPA to have the rules but it would ignore them creating a security whole. Since some admins do not use UI it will be even worse. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0262-validate-ints
From 0c9bc7e2f2370abdc67c5e74a827d9975966f5dc Mon Sep 17 00:00:00 2001 From: Adam Young Date: Tue, 5 Jul 2011 10:35:50 -0400 Subject: [PATCH] validate ints validate integers whether meta comes from metadata or param_info https://fedorahosted.org/freeipa/ticket/1415 --- install/ui/widget.js | 53 - 1 files changed, 30 insertions(+), 23 deletions(-) diff --git a/install/ui/widget.js b/install/ui/widget.js index 2ea345d9adb0014bdae8e84ef95a304bd8635196..d38516e4717e2b32dc6b3a91b6ea1cd75cb42fff 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js @@ -70,6 +70,34 @@ IPA.widget = function(spec) { that._entity_name = entity_name; }); + +function validate_integers(meta, value){ +if (meta.type == 'int') { +if (!value.match(/^-?\d+$/)) { +that.valid = false; +that.show_error(IPA.messages.widget.validation.integer); +return; +} + +if (meta.minvalue && value < meta.minvalue) { +that.valid = false; +message = IPA.messages.widget.validation.min_value; +message = message.replace('${value}', meta.minvalue); +that.show_error(message); +return; +} + +if (meta.maxvalue && value > meta.maxvalue) { +that.valid = false; +message = IPA.messages.widget.validation.max_value; +message = message.replace('${value}', meta.maxvalue); +that.show_error(message); +return; +} +} + +} + /*returns true and clears the error message if the field value passes the validation pattern. If the field value does not pass validation, displays the error message and returns false. */ 
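Review bot: The extracted validate_integers keeps the `meta.minvalue && value < meta.minvalue` form, so a declared minimum of 0 — which is what the Int('ipapwdexpadvnotify', ..., minvalue=0) parameter on this page uses — is treated as absent and a negative value passes the client check. Use an explicit presence test, `if (meta.minvalue !== undefined && meta.minvalue !== null && value < meta.minvalue) {`, and likewise for maxvalue. The enclosing IPA.widget function begins before and ends after this hunk.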
@@ -97,32 +125,11 @@ IPA.widget = function(spec) { } if (that.metadata) { -if (that.metadata.type == 'int') { -if (!value.match(/^-?\d+$/)) { -that.valid = false; -that.show_error(IPA.messages.widget.validation.integer); -return; -} - -if (that.metadata.minvalue && value < that.metadata.minvalue) { -that.valid = false; -message = IPA.messages.widget.validation.min_value; -message = message.replace('${value}', that.metadata.minvalue); -that.show_error(message); -return; -} - -if (that.metadata.maxvalue && value > that.metadata.maxvalue) { -that.valid = false; -message = IPA.messages.widget.validation.max_value; -message = message.replace('${value}', that.metadata.maxvalue); -that.show_error(message); -return; -} -} +validate_integers(that.metadata,value); } if (that.param_info) { +validate_integers(that.param_info,value); if (that.param_info.pattern) { var regex = new RegExp(that.param_info.pattern); if (!value.match(regex)) { -- 1.7.5.2 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel