Patch set contains both API/server and Web UI parts.

[PATCH] 659 ldap2: add otp support to modify_password
[PATCH] 660 rpcserver: add otp support to change_password handler
[PATCH] 661 ipa-passwd: add OTP support
[PATCH] 662 webui: support password change with OTP in login screen
[PATCH] 663 webui: placeholder attribute support in textbox and textarea
[PATCH] 664 webui: add placeholders to login screen
[PATCH] 665 webui: rebase user password dialog on password dialog and add otp support
[PATCH] 666 webui: support otp in reset_password.html

https://fedorahosted.org/freeipa/ticket/4262
--
Petr Vobornik
From e69a9acdb4cb7b16826b5b929000b52d09407d79 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Fri, 23 May 2014 16:07:33 +0200
Subject: [PATCH] webui: support otp in reset_password.html

https://fedorahosted.org/freeipa/ticket/4262
---
 install/ui/reset_password.html | 10 ++++++++++
 install/ui/reset_password.js   | 10 ++++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/install/ui/reset_password.html b/install/ui/reset_password.html
index 2b758922615aacda46b9ddbdbf2a973cd2391830..598fe8f1e9cc440699ccfdd0000257dd6f569fc4 100644
--- a/install/ui/reset_password.html
+++ b/install/ui/reset_password.html
@@ -75,6 +75,16 @@
             </div>
             <div class="form-group">
                 <div class="col-sm-4 control-label">
+                    <label for="otp">OTP</label>
+                </div>
+                <div class="col-sm-8 controls">
+                    <div class="widget text-widget">
+                        <input type="password" class="form-control" name="otp" id="otp" accesskey="o">
+                    </div>
+                </div>
+            </div>
+            <div class="form-group">
+                <div class="col-sm-4 control-label">
                     <label for="new_password">New Password</label>
                 </div>
                 <div class="col-sm-8 controls">
diff --git a/install/ui/reset_password.js b/install/ui/reset_password.js
index 5555a17bc3334c60d4949e379c7374251453ec4e..bc08349876ea18d204ce4d6e8ae7724878967620 100644
--- a/install/ui/reset_password.js
+++ b/install/ui/reset_password.js
@@ -20,7 +20,7 @@
 
 var RP = {}; //Reset Password Page
 
-RP.reset_password = function(username, old_password, new_password) {
+RP.reset_password = function(username, old_password, new_password, otp) {
 
     //possible results: 'ok', 'invalid-password', 'policy-error'
 
@@ -55,6 +55,10 @@ RP.reset_password = function(username, old_password, new_password) {
         new_password: new_password
     };
 
+    if (otp) {
+        data.otp = otp;
+    }
+
     request = {
         url: '/ipa/session/change_password',
         data: data,
@@ -89,6 +93,7 @@ RP.on_submit = function() {
 
     var username = $('#user').val();
     var current_password = $('#old_password').val();
+    var otp = $('#otp').val();
     var new_password = $('#new_password').val();
     var verify_password = $('#verify_password').val();
 
@@ -102,7 +107,7 @@ RP.on_submit = function() {
         return;
     }
 
-    var result = RP.reset_password(username, current_password, new_password);
+    var result = RP.reset_password(username, current_password, new_password, otp);
 
     if (result.status !== 'ok') {
         RP.show_error(result.message);
@@ -116,6 +121,7 @@ RP.reset_form = function() {
     $('.alert-danger').css('display', 'none');
     $('.alert-success').css('display', 'none');
     $('#old_password').val('');
+    $('#otp').val('');
     $('#new_password').val('');
     $('#verify_password').val('');
 };
-- 
1.9.0

From 137db64c6b58fcb8e1bd673eaa82765d37a6a6f1 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Thu, 22 May 2014 16:20:02 +0200
Subject: [PATCH] webui: rebase user password dialog on password dialog and add
 otp support

https://fedorahosted.org/freeipa/ticket/4262
---
 install/ui/src/freeipa/dialogs/password.js |  11 +-
 install/ui/src/freeipa/ipa.js              |  26 ++--
 install/ui/src/freeipa/user.js             | 193 ++++++++---------------------
 ipatests/test_webui/test_user.py           |   4 +-
 4 files changed, 77 insertions(+), 157 deletions(-)

diff --git a/install/ui/src/freeipa/dialogs/password.js b/install/ui/src/freeipa/dialogs/password.js
index 35f96e4b79f32c56082c0f2874afd7869cd0848a..fa672901d589aaf7308ff7e2b6af545be544df4b 100644
--- a/install/ui/src/freeipa/dialogs/password.js
+++ b/install/ui/src/freeipa/dialogs/password.js
@@ -51,6 +51,7 @@ dialogs.password.default_fields_pre_op =  function(spec) {
     spec.width = spec.width || 400;
     spec.sections = spec.sections || [
         {
+            name: 'general',
             fields: [
                 {
                     name: name,
@@ -193,7 +194,7 @@ dialogs.password.dialog = function(spec) {
         for (var j=0; j<fields.length; j++) {
             var field = fields[j];
             var values = field.save();
-            if (!values || values.length === 0) continue;
+            if (!values || values.length === 0 || !field.enabled) continue;
             if (field.flags.indexOf('no_command') > -1) continue;
 
             if (values.length === 1) {
@@ -212,10 +213,12 @@ dialogs.password.dialog = function(spec) {
     that.create_command = function() {
 
         var options = that.make_otions();
+        var entity = null;
+        if (that.entity) entity = that.entity.name;
         var command = rpc.command({
-            entity: that.entity.name,
+            entity: entity,
             method: that.method,
-            args: that.pkeys,
+            args: that.args,
             options: options,
             on_success: function(data) {
                 that.on_success();
@@ -301,7 +304,7 @@ dialogs.password.action = function(spec) {
             ds.$type = 'password';
         }
         var dialog = builder.build('dialog', ds);
-        dialog.pkeys = facet.get_pkeys();
+        dialog.args = facet.get_pkeys();
         dialog.succeeded.attach(function() {
             if (that.refresh) facet.refresh();
         });
diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 66d92b6e0726211f2a87bc25f84b26319756a9ee..be671d8f4246e769c019a544783314504f6977e2 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -619,20 +619,20 @@ IPA.update_password_expiration = function() {
  * @member IPA
  */
 IPA.password_selfservice = function() {
-    var reset_dialog = IPA.user_password_dialog({
-        pkey: IPA.whoami.uid[0],
-        on_success: function() {
-            var command = IPA.get_whoami_command();
-            var orig_on_success = command.on_success;
-            command.on_success = function(data, text_status, xhr) {
-                orig_on_success.call(this, data, text_status, xhr);
-                IPA.update_password_expiration();
-            };
-            command.execute();
+    var reset_dialog = builder.build('dialog', {
+        $type: 'user_password',
+        args: [IPA.whoami.uid[0]]
+    });
+    reset_dialog.succeeded.attach(function() {
+        var command = IPA.get_whoami_command();
+        var orig_on_success = command.on_success;
+        command.on_success = function(data, text_status, xhr) {
+            orig_on_success.call(this, data, text_status, xhr);
+            IPA.update_password_expiration();
+        };
+        command.execute();
 
-            IPA.notify_success(text.get('@i18n:password.password_change_complete'));
-            reset_dialog.close();
-        }
+        IPA.notify_success(text.get('@i18n:password.password_change_complete'));
     });
     reset_dialog.open();
 };
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index 270f0b2cc157ab5f06921a1a9a39278b5fc13727..2c88d50f54a96d4a9392b909d5e57eef344fc673 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -22,18 +22,20 @@
  */
 
 define([
+        './builder',
         './ipa',
         './jquery',
         './phases',
         './reg',
         './rpc',
         './text',
+        './dialogs/password',
         './details',
         './search',
         './association',
         './entity',
         './certificate'],
-    function(IPA, $, phases, reg, rpc, text) {
+    function(builder, IPA, $, phases, reg, rpc, text, password_dialog) {
 
 /**
  * User module
@@ -518,155 +520,57 @@ IPA.user_password_widget = function(spec) {
     return that;
 };
 
-IPA.user_password_dialog = function(spec) {
+IPA.user.password_dialog_pre_op0 = function(spec) {
 
-    spec = spec || {};
+    spec.password_name = spec.password_name || 'password';
+    return spec;
+};
 
-    spec.width = spec.width || 400;
-    spec.title = spec.title || '@i18n:password.reset_password';
-    spec.sections = spec.sections || [];
+IPA.user.password_dialog_pre_op = function(spec) {
 
-    spec.sections.push(
-        {
-            name: 'input',
-            fields: [
-                {
-                    name: 'current_password',
-                    label: '@i18n:password.current_password',
-                    $type: 'password',
-                    required: true
-                },
-                {
-                    name: 'password1',
-                    label: '@i18n:password.new_password',
-                    $type: 'password',
-                    required: true
-                },
-                {
-                    name: 'password2',
-                    label: '@i18n:password.verify_password',
-                    $type: 'password',
-                    validators: [{
-                        $type: 'same_password',
-                        other_field: 'password1'
-                    }],
-                    required: true
-                }
-            ]
-        });
+    spec.sections[0].fields.splice(0, 0, {
+        name: 'current_password',
+        label: '@i18n:password.current_password',
+        $type: 'password',
+        required: true
+    }, {
+         name: 'otp',
+        label: '@i18n:password.otp',
+        $type: 'password'
+    });
 
-    var that = IPA.dialog(spec);
+    spec.method = spec.method || 'passwd';
 
-    IPA.confirm_mixin().apply(that);
+    return spec;
+};
 
-    that.success_handler = spec.on_success;
-    that.error_handler = spec.on_error;
-    that.pkey = spec.pkey;
+IPA.user.password_dialog = function(spec) {
+
+    var that = password_dialog.dialog(spec);
 
     that.is_self_service = function() {
-        var self_service = that.pkey === IPA.whoami.uid[0];
+        var self_service = that.args[0] === IPA.whoami.uid[0];
         return self_service;
     };
 
     that.open = function() {
-
-        var self_service = that.is_self_service();
-        var section = that.widgets.get_widget('input');
-        var current_password_f = that.fields.get_field('current_password');
-
         that.dialog_open();
-        section.set_row_visible('current_password', self_service);
-        current_password_f.set_required(self_service);
+
+        var self_service = that.is_self_service();
+        var current_pw_f = that.fields.get_field('current_password');
+        var current_pw_w = that.widgets.get_widget('general.current_password');
+        var otp_f = that.fields.get_field('otp');
+        var otp_w = that.widgets.get_widget('general.otp');
+
+        current_pw_f.set_required(self_service);
+        current_pw_f.set_enabled(self_service);
+        current_pw_w.set_visible(self_service);
+        otp_f.set_enabled(self_service);
+        otp_w.set_visible(self_service);
+
         that.focus_first_element();
     };
 
-    that.create_buttons = function() {
-
-        that.create_button({
-            name: 'reset_password',
-            label: '@i18n:password.reset_password',
-            click: that.on_reset_click
-        });
-
-        that.create_button({
-            name: 'cancel',
-            label: '@i18n:buttons.cancel',
-            click: function() {
-                that.close();
-            }
-        });
-    };
-
-    that.on_confirm = function() {
-        that.on_reset_click();
-    };
-
-    that.on_reset_click = function() {
-
-        if (!that.validate()) return;
-
-        var self_service = that.is_self_service();
-
-        var record = {};
-        that.save(record);
-
-        var current_password = self_service ? record.current_password[0] : undefined;
-        var new_password = record.password1[0];
-        var repeat_password = record.password2[0];
-
-        that.set_password(
-            that.pkey,
-            current_password,
-            new_password,
-            that.on_reset_success,
-            that.on_reset_error);
-    };
-
-    that.set_password = function(pkey, current_password, password, on_success, on_error) {
-
-        var command = rpc.command({
-            method: 'passwd',
-            args: [ pkey ],
-            options: {
-                current_password: current_password,
-                password: password
-            },
-            on_success: on_success,
-            on_error: on_error
-        });
-
-        command.execute();
-    };
-
-    that.on_reset_success = function(data, text_status, xhr) {
-
-        if (that.success_handler) {
-            that.success_handler.call(this, data, text_status, xhr);
-        } else {
-            IPA.notify_success('@i18n:password.password_change_complete');
-            that.close();
-
-            // refresh password expiration field
-            that.facet.refresh();
-
-            if (that.is_self_service()) {
-                var command = IPA.get_whoami_command();
-                command.execute();
-            }
-        }
-    };
-
-    that.on_reset_error = function(xhr, text_status, error_thrown) {
-
-        if (that.error_handler) {
-            that.error_handler.call(this, xhr, text_status, error_thrown);
-        } else {
-            that.close();
-        }
-    };
-
-    that.create_buttons();
-
     return that;
 };
 
@@ -681,10 +585,17 @@ IPA.user.reset_password_action = function(spec) {
 
     that.execute_action = function(facet) {
 
-        var dialog = IPA.user_password_dialog({
-            entity: facet.entity,
-            facet: facet,
-            pkey: facet.get_pkey()
+        var dialog = builder.build('dialog', {
+            $type: 'user_password',
+            args: [facet.get_pkey()]
+        });
+
+        dialog.succeeded.attach(function() {
+            facet.refresh();
+            if (dialog.is_self_service()) {
+                var command = IPA.get_whoami_command();
+                command.execute();
+            }
         });
 
         dialog.open();
@@ -706,8 +617,14 @@ exp.entity_spec = make_spec();
 exp.register = function() {
     var e = reg.entity;
     var a = reg.action;
+    var d = reg.dialog;
     e.register({type: 'user', spec: exp.entity_spec});
     a.register('reset_password', IPA.user.reset_password_action);
+    d.copy('password', 'user_password', {
+        factory: IPA.user.password_dialog,
+        pre_ops: [IPA.user.password_dialog_pre_op]
+    });
+    d.register_pre_op('user_password', IPA.user.password_dialog_pre_op0, true);
 };
 phases.on('registration', exp.register);
 
diff --git a/ipatests/test_webui/test_user.py b/ipatests/test_webui/test_user.py
index 766fdafb4ee700fc2a4131dbf92d694be8d17188..4c189db89accd7fc0ac242007bbc2fde0ade89d2 100644
--- a/ipatests/test_webui/test_user.py
+++ b/ipatests/test_webui/test_user.py
@@ -246,7 +246,7 @@ class test_user(UI_driver):
         self.assert_dialog()
 
         fields = [
-            ('password', 'password1', password),
+            ('password', 'password', password),
             ('password', 'password2', password),
         ]
 
@@ -254,6 +254,6 @@ class test_user(UI_driver):
             fields.append(('password', 'current_password', current))
 
         self.fill_fields(fields)
-        self.dialog_button_click('reset_password')
+        self.dialog_button_click('confirm')
         self.wait_for_request(n=3)
         self.assert_no_error_dialog()
-- 
1.9.0

From 083632ce2e6458eca42ff98e5f2776b29be9b886 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Thu, 22 May 2014 14:48:22 +0200
Subject: [PATCH] webui: add placeholders to login screen

---
 install/ui/src/freeipa/widgets/LoginScreen.js | 8 +++++++-
 install/ui/test/data/ipa_init.json            | 3 +++
 ipalib/plugins/internal.py                    | 3 +++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/widgets/LoginScreen.js b/install/ui/src/freeipa/widgets/LoginScreen.js
index 701c88cf12f07e7d7e4d4efc44d980f332656042..78991d0a93d6b9d3507d3afe31587ed1f3b55ed9 100644
--- a/install/ui/src/freeipa/widgets/LoginScreen.js
+++ b/install/ui/src/freeipa/widgets/LoginScreen.js
@@ -568,6 +568,7 @@ define(['dojo/_base/declare',
             $type: 'text',
             name: 'username',
             label: text.get('@i18n:login.username', "Username"),
+            placeholder: text.get('@i18n:login.username', "Username"),
             show_errors: false,
             undo: false
         },
@@ -575,6 +576,7 @@ define(['dojo/_base/declare',
             $type: 'password',
             name: 'password',
             label: text.get('@i18n:login.password', "Password"),
+            placeholder: text.get('@i18n:login.password_and_otp', 'Password or Password+One-Time-Password'),
             show_errors: false,
             undo: false
         },
@@ -589,13 +591,15 @@ define(['dojo/_base/declare',
             name: 'current_password',
             $type: 'password',
             label: text.get('@i18n:login.current_password', "Current Password"),
+            placeholder: text.get('@i18n:login.current_password', "Current Password"),
             show_errors: false,
             undo: false
         },
         {
             name: 'otp',
             $type: 'password',
-            label: text.get('@i18n:login.current_password', "OTP"),
+            label: text.get('@i18n:password.otp', "OTP"),
+            placeholder: text.get('@i18n:password.otp_long', 'One-Time-Password'),
             show_errors: false,
             undo: false
         },
@@ -604,6 +608,7 @@ define(['dojo/_base/declare',
             $type: 'password',
             required: true,
             label: text.get('@i18n:password.new_password)', "New Password"),
+            placeholder: text.get('@i18n:password.new_password)', "New Password"),
             show_errors: false,
             undo: false
         },
@@ -612,6 +617,7 @@ define(['dojo/_base/declare',
             $type: 'password',
             required: true,
             label: text.get('@i18n:password.verify_password', "Verify Password"),
+            placeholder: text.get('@i18n:password.new_password)', "New Password"),
             validators: [{
                 $type: 'same_password',
                 other_field: 'new_password'
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 8a96e23307de76624f94f2046d288181841b25ed..2ce5120e9042a3b4e4f20f3ae24c60880da813da 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -512,7 +512,10 @@
                         "invalid_password": "The password or username you entered is incorrect.",
                         "new_password": "New Password",
                         "new_password_required": "New password is required",
+                        "otp": "OTP",
+                        "otp_long": "One-Time-Password",
                         "password": "Password",
+                        "password_and_otp": "Password or Password+One-Time-Password",
                         "password_change_complete": "Password change complete",
                         "password_must_match": "Passwords must match",
                         "reset_failure": "Password reset was not successful.",
diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index e3c0faff13c86bec76c5f309a7bb43cdb59b4d97..4a3745ae7a28910e2089d7775ef4b0f40bb571da 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -652,7 +652,10 @@ class i18n_messages(Command):
             "invalid_password": _("The password or username you entered is incorrect."),
             "new_password": _("New Password"),
             "new_password_required": _("New password is required"),
+            "otp": _("OTP"),
+            "otp_long": _("One-Time-Password"),
             "password": _("Password"),
+            "password_and_otp": _("Password or Password+One-Time-Password"),
             "password_change_complete": _("Password change complete"),
             "password_must_match": _("Passwords must match"),
             "reset_failure": _("Password reset was not successful."),
-- 
1.9.0

From 522aed3f57939839c74dfbfc5bf035755fb597a3 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Thu, 22 May 2014 14:47:44 +0200
Subject: [PATCH] webui: placeholder attribute support in textbox and textarea

---
 install/ui/src/freeipa/widget.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 0a9c491f3ba113043303112feed64c2e8cb54b10..645ee59177d7732b0c91ed89880d2623a0d2fe34 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -269,6 +269,12 @@ IPA.input_widget = function(spec) {
     var that = IPA.widget(spec);
 
     /**
+     * Placeholder
+     * @property {string}
+     */
+    that.placeholder = text.get(spec.placeholder);
+
+    /**
      * Widget's width.
      * @deprecated
      * @property {number}
@@ -709,6 +715,7 @@ IPA.text_widget = function(spec) {
             'class': 'form-control',
             size: that.size,
             title: that.tooltip,
+            placeholder: that.placeholder,
             keyup: function() {
                 that.on_value_changed();
             }
@@ -1975,6 +1982,7 @@ IPA.textarea_widget = function (spec) {
             'class': 'form-control',
             readOnly: !!that.read_only,
             title: that.tooltip,
+            placeholder: that.placeholder,
             keyup: function() {
                 that.on_value_changed();
             }
-- 
1.9.0

From 569a4088c27b24c5e26c38868c199274252c9179 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Fri, 23 May 2014 15:54:53 +0200
Subject: [PATCH] webui: support password change with OTP in login screen

https://fedorahosted.org/freeipa/ticket/4262
---
 install/ui/src/freeipa/ipa.js                 |  6 +++-
 install/ui/src/freeipa/widgets/LoginScreen.js | 51 +++++++++++++++++++++++----
 2 files changed, 49 insertions(+), 8 deletions(-)

diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 8a1ebaed76e1bd5bbecec7e80a35197191c55920..66d92b6e0726211f2a87bc25f84b26319756a9ee 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -516,7 +516,7 @@ IPA.login_password = function(username, password) {
  * @return {string} result.status
  * @return {string} result.message
  */
-IPA.reset_password = function(username, old_password, new_password) {
+IPA.reset_password = function(username, old_password, new_password, otp) {
 
     //possible results: 'ok', 'invalid-password', 'policy-error'
 
@@ -553,6 +553,10 @@ IPA.reset_password = function(username, old_password, new_password) {
         new_password: new_password
     };
 
+    if (otp) {
+        data.otp = otp;
+    }
+
     request = {
         url: '/ipa/session/change_password',
         data: data,
diff --git a/install/ui/src/freeipa/widgets/LoginScreen.js b/install/ui/src/freeipa/widgets/LoginScreen.js
index 349a3da1d9ed082df15083dd0d7feb0f242909b2..701c88cf12f07e7d7e4d4efc44d980f332656042 100644
--- a/install/ui/src/freeipa/widgets/LoginScreen.js
+++ b/install/ui/src/freeipa/widgets/LoginScreen.js
@@ -78,6 +78,8 @@ define(['dojo/_base/declare',
 
         password_expired: "Your password has expired. Please enter a new password.",
 
+        password_change_complete: "Password change complete",
+
         denied: "Sorry you are not allowed to access this service.",
 
         caps_warning_msg: "Warning: CAPS LOCK key is on",
@@ -417,23 +419,36 @@ define(['dojo/_base/declare',
             if (!this.validate()) return;
 
             var psw_f = this.get_field('password');
+            var psw_f2 = this.get_field('current_password');
+            var otp_f = this.get_field('otp');
             var new_f = this.get_field('new_password');
             var ver_f = this.get_field('verify_password');
             var username_f = this.get_field('username');
 
+            var psw = psw_f2.get_value()[0] || psw_f.get_value()[0];
+            var otp = otp_f.get_value()[0];
+
             var result = IPA.reset_password(
                 username_f.get_value()[0],
-                psw_f.get_value()[0],
-                new_f.get_value()[0]);
+                psw,
+                new_f.get_value()[0],
+                otp);
 
             if (result.status === 'ok') {
-                psw_f.set_value(new_f.get_value());
-                this.login();
+                val_summary.add_success('login', this.password_change_complete);
+                psw_f.set_value('');
+                psw_f2.set_value('');
+                // do not login if otp is used because it will fail (reuse of OTP)
+                if (!otp) {
+                    psw_f.set_value(new_f.get_value());
+                    this.login();
+                }
                 this.set('view', 'login');
             } else {
                 val_summary.add_error('login', result.message);
             }
 
+            otp_f.set_value('');
             new_f.set_value('');
             ver_f.set_value('');
         },
@@ -456,7 +471,12 @@ define(['dojo/_base/declare',
             }
             if (this.password_enabled()) {
                 this.use_fields(['username', 'password']);
-                this.get_widget('username').focus_input();
+                var username_f = this.get_field('username');
+                if (username_f.get_value()[0]) {
+                    this.get_widget('password').focus_input();
+                } else {
+                    this.get_widget('username').focus_input();
+                }
             } else {
                 this.use_fields([]);
                 this.login_btn_node.focus();
@@ -469,14 +489,14 @@ define(['dojo/_base/declare',
             if (this.buttons_node) {
                 construct.place(this.reset_btn_node, this.buttons_node);
             }
-            this.use_fields(['username_r', 'new_password', 'verify_password']);
+            this.use_fields(['username_r', 'current_password', 'otp', 'new_password', 'verify_password']);
 
             var val_summary = this.get_widget('validation');
 
             var u_f = this.fields.get('username');
             var u_r_f = this.fields.get('username_r');
             u_r_f.set_value(u_f.get_value());
-            this.get_widget('new_password').focus_input();
+            this.get_widget('current_password').focus_input();
         },
 
         use_fields: function(names) {
@@ -536,6 +556,9 @@ define(['dojo/_base/declare',
 
             this.kerberos_msg = this.kerberos_msg.replace('${host}', window.location.hostname);
 
+            this.password_change_complete = text.get(spec.password_change_complete ||
+                '@i18n:password.password_change_complete', this.password_change_complete);
+
             this.krb_auth_failed = text.get(spec.krb_auth_failed, this.krb_auth_failed);
         }
     });
@@ -563,6 +586,20 @@ define(['dojo/_base/declare',
             undo: false
         },
         {
+            name: 'current_password',
+            $type: 'password',
+            label: text.get('@i18n:login.current_password', "Current Password"),
+            show_errors: false,
+            undo: false
+        },
+        {
+            name: 'otp',
+            $type: 'password',
+            label: text.get('@i18n:login.current_password', "OTP"),
+            show_errors: false,
+            undo: false
+        },
+        {
             name: 'new_password',
             $type: 'password',
             required: true,
-- 
1.9.0

From 1c2d53213e269d3fd515368c64b472fac2a75586 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Fri, 23 May 2014 09:36:49 +0200
Subject: [PATCH] ipa-passwd: add OTP support

https://fedorahosted.org/freeipa/ticket/4262
---
 API.txt                  |  3 ++-
 VERSION                  |  4 ++--
 ipalib/plugins/passwd.py | 11 ++++++++++-
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 84769522bcd1cdbb4fc3748a950fbb3c6771e7ad..3092fbeede0b6eab7a302e9a2349a0188616b918 100644
--- a/API.txt
+++ b/API.txt
@@ -2321,10 +2321,11 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: passwd
-args: 3,1,3
+args: 3,2,3
 arg: Str('principal', autofill=True, cli_name='user', primary_key=True)
 arg: Password('password')
 arg: Password('current_password', autofill=True, confirm=False)
+option: Password('otp?', confirm=False)
 option: Str('version?', exclude='webui')
 output: Output('result', <type 'bool'>, None)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
diff --git a/VERSION b/VERSION
index 97b8f6fae0c23961c9d2b9330cc3dbad40ff992f..34c022f5c2dfcfca43c408a05107545f862766d8 100644
--- a/VERSION
+++ b/VERSION
@@ -89,5 +89,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=88
-# Last change: mbasti - Added 'dns_name_values' capability
+IPA_API_VERSION_MINOR=89
+# Last change: pvoborni - Add OTP option to passwd command
diff --git a/ipalib/plugins/passwd.py b/ipalib/plugins/passwd.py
index 95b9b6017b79260bb6fc17b4a369ef3517c9e202..f5fc14d510ea7eea1e16435fe11d982d4ca49d79 100644
--- a/ipalib/plugins/passwd.py
+++ b/ipalib/plugins/passwd.py
@@ -89,6 +89,14 @@ class passwd(Command):
         ),
     )
 
+    takes_options =  (
+        Password('otp?',
+                 label=_('OTP'),
+                 doc=_('One Time Password'),
+                 confirm=False,
+        ),
+    )
+
     has_output = output.standard_value
     msg_summary = _('Changed password for "%(value)s"')
 
@@ -121,7 +129,8 @@ class passwd(Command):
         if current_password == MAGIC_VALUE:
             ldap.modify_password(entry_attrs.dn, password)
         else:
-            ldap.modify_password(entry_attrs.dn, password, current_password)
+            otp = options.get('otp')
+            ldap.modify_password(entry_attrs.dn, password, current_password, otp)
 
         return dict(
             result=True,
-- 
1.9.0

From 554699a89efb7b31eb0c950b51d55210de4fbe52 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Fri, 23 May 2014 15:54:18 +0200
Subject: [PATCH] rpcserver: add otp support to change_password handler

https://fedorahosted.org/freeipa/ticket/4262
---
 ipaserver/rpcserver.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index edce2365464f71e2a073e13b309bf12bc25cf510..d3c81f08ee70c7393acc8b9c833d6ca6d71b5468 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -1042,7 +1042,7 @@ class change_password(Backend, HTTP_Status):
             return self.bad_request(environ, start_response, "cannot parse query data")
 
         data = {}
-        for field in ('user', 'old_password', 'new_password'):
+        for field in ('user', 'old_password', 'new_password', 'otp'):
             value = query_dict.get(field, None)
             if value is not None:
                 if len(value) == 1:
@@ -1050,7 +1050,7 @@ class change_password(Backend, HTTP_Status):
                 else:
                     return self.bad_request(environ, start_response, "more than one %s parameter"
                                             % field)
-            else:
+            elif field != 'otp':  # otp is optional
                 return self.bad_request(environ, start_response, "no %s specified" % field)
 
         # start building the response
@@ -1065,9 +1065,12 @@ class change_password(Backend, HTTP_Status):
                      self.api.env.container_user, self.api.env.basedn)
 
         try:
+            pw = data['old_password']
+            if data.get('otp'):
+                pw = data['old_password'] + data['otp']
             conn = ldap2(shared_instance=False,
                          ldap_uri=self.api.env.ldap_uri)
-            conn.connect(bind_dn=bind_dn, bind_pw=data['old_password'])
+            conn.connect(bind_dn=bind_dn, bind_pw=pw)
         except (NotFound, ACIError):
             result = 'invalid-password'
             message = 'The old password or username is not correct.'
@@ -1077,7 +1080,7 @@ class change_password(Backend, HTTP_Status):
                     data['user'], str(e))
         else:
             try:
-                conn.modify_password(bind_dn, data['new_password'], data['old_password'])
+                conn.modify_password(bind_dn, data['new_password'], data['old_password'], skip_bind=True)
             except ExecutionError, e:
                 result = 'policy-error'
                 policy_error = escape(str(e))
-- 
1.9.0

From c8e6f71313eb7c837044b02abe520fcca0513e40 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Fri, 23 May 2014 15:53:54 +0200
Subject: [PATCH] ldap2: add otp support to modify_password

https://fedorahosted.org/freeipa/ticket/4262
---
 ipaserver/plugins/ldap2.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index aa9a001c6c64d5e8e94316ab2f736993ce6903ee..74c9c1ec63ebb122c27a5e86e4a129af4cc9d49d 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -406,18 +406,21 @@ class ldap2(LDAPClient, CrudBackend):
 
         return False
 
-    def modify_password(self, dn, new_pass, old_pass=''):
+    def modify_password(self, dn, new_pass, old_pass='', otp='', skip_bind=False):
         """Set user password."""
 
         assert isinstance(dn, DN)
 
         # The python-ldap passwd command doesn't verify the old password
         # so we'll do a simple bind to validate it.
-        if old_pass != '':
+        if not skip_bind and old_pass != '':
+            pw = old_pass
+            if (otp):
+                pw = old_pass+otp
             with self.error_handler():
                 conn = IPASimpleLDAPObject(
                     self.ldap_uri, force_schema_updates=False)
-                conn.simple_bind_s(dn, old_pass)
+                conn.simple_bind_s(dn, pw)
                 conn.unbind_s()
 
         with self.error_handler():
-- 
1.9.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to