This makes ipatokenTOTPwatermark have exactly the same semantics as
ipatokenHOTPcounter.

NOTE: This patch includes an update plugin which will update existing
token objects. This should be low impact since it only updates TOTP
tokens which have never been used. TOTP tokens which have already been
used should already have ipatokenTOTPwatermark set.
From 30581e26faaebbc2fad3c1d80303f0a6ce3ad8cf Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccal...@redhat.com>
Date: Thu, 18 Sep 2014 13:45:46 -0400
Subject: [PATCH] Make ipatokenTOTPwatermark a required attribute

This makes ipatokenTOTPwatermark have exactly the same semantics as
ipatokenHOTPcounter.
---
 install/share/70ipaotp.ldif                        |  2 +-
 ipalib/plugins/otptoken.py                         | 10 ++++-
 ipaserver/install/plugins/Makefile.am              |  1 +
 ipaserver/install/plugins/update_totp_otptokens.py | 49 ++++++++++++++++++++++
 4 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 ipaserver/install/plugins/update_totp_otptokens.py

diff --git a/install/share/70ipaotp.ldif b/install/share/70ipaotp.ldif
index bc95556682ef65ba375aa2f3cab6f53621641b3f..b35ddc7796559df4588d8d140f01ef049ec12bd2 100644
--- a/install/share/70ipaotp.ldif
+++ b/install/share/70ipaotp.ldif
@@ -25,7 +25,7 @@ attributeTypes: (2.16.840.1.113730.3.8.16.1.20 NAME 'ipatokenUserMapAttribute' D
 attributeTypes: (2.16.840.1.113730.3.8.16.1.21 NAME 'ipatokenHOTPcounter' DESC 'HOTP counter' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
 attributeTypes: (2.16.840.1.113730.3.8.16.1.22 NAME 'ipatokenTOTPwatermark' DESC 'TOTP watermark' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
 objectClasses:  (2.16.840.1.113730.3.8.16.2.1  NAME 'ipaToken' SUP top ABSTRACT DESC 'Abstract token class for tokens' MUST (ipatokenUniqueID) MAY (description $ managedBy $ ipatokenOwner $ ipatokenDisabled $ ipatokenNotBefore $ ipatokenNotAfter $ ipatokenVendor $ ipatokenModel $ ipatokenSerial) X-ORIGIN 'IPA OTP')
-objectClasses:  (2.16.840.1.113730.3.8.16.2.2  NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep) MAY (ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
+objectClasses:  (2.16.840.1.113730.3.8.16.2.2  NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep $ ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
 objectClasses:  (2.16.840.1.113730.3.8.16.2.3  NAME 'ipatokenRadiusProxyUser' SUP top AUXILIARY DESC 'Radius Proxy User' MAY (ipatokenRadiusConfigLink $ ipatokenRadiusUserName) X-ORIGIN 'IPA OTP')
 objectClasses:  (2.16.840.1.113730.3.8.16.2.4  NAME 'ipatokenRadiusConfiguration' SUP top STRUCTURAL DESC 'Proxy Radius Configuration' MUST (cn $ ipatokenRadiusServer $ ipatokenRadiusSecret) MAY (description $ ipatokenRadiusTimeout $ ipatokenRadiusRetries $ ipatokenUserMapAttribute) X-ORIGIN 'IPA OTP')
 objectClasses:  (2.16.840.1.113730.3.8.16.2.5  NAME 'ipatokenHOTP' SUP ipaToken STRUCTURAL DESC 'HOTP Token Type' MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenHOTPcounter) X-ORIGIN 'IPA OTP')
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 1bd85d4b952dc51ea800ed37c49b3c50aeb31492..37b505d09e49bc7f7a46a3e6cc69beeceff8e5c4 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -62,7 +62,7 @@ EXAMPLES:
 register = Registry()
 
 TOKEN_TYPES = {
-    u'totp': ['ipatokentotpclockoffset', 'ipatokentotptimestep'],
+    u'totp': ['ipatokentotpclockoffset', 'ipatokentotptimestep', 'ipatokentotpwatermark'],
     u'hotp': ['ipatokenhotpcounter']
 }
 
@@ -237,6 +237,14 @@ class otptoken(LDAPObject):
             minvalue=0,
             flags=('no_update'),
         ),
+        Int('ipatokentotpwatermark',
+            cli_name='counter',
+            label=_('Counter'),
+            default=0,
+            autofill=True,
+            minvalue=0,
+            flags=('no_output', 'no_option'),
+        ),
     )
 
 
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am
index 7cf0495131b2108ee78a79758cee42ec344652c7..afc78c4241d7e35664f1c1feba6e1c3c21dd45d0 100644
--- a/ipaserver/install/plugins/Makefile.am
+++ b/ipaserver/install/plugins/Makefile.am
@@ -9,6 +9,7 @@ app_PYTHON = 			\
 	dns.py			\
 	updateclient.py		\
 	update_services.py	\
+	update_totp_otptokens.py	\
 	update_anonymous_aci.py	\
 	update_pacs.py		\
 	ca_renewal_master.py	\
diff --git a/ipaserver/install/plugins/update_totp_otptokens.py b/ipaserver/install/plugins/update_totp_otptokens.py
new file mode 100644
index 0000000000000000000000000000000000000000..eeb9d55fd1a4ade25366de1e2afb7f2fb69f644f
--- /dev/null
+++ b/ipaserver/install/plugins/update_totp_otptokens.py
@@ -0,0 +1,49 @@
+# Authors:
+#   Nathaniel McCallum <npmccal...@redhat.com>
+#
+# Copyright (C) 2014  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from ipaserver.install.plugins.baseupdate import PostUpdate
+from ipalib.plugable import Registry
+from ipalib import api, errors
+from ipapython.dn import DN
+
+register = Registry()
+
+@register()
+class update_totp_otptokens(PostUpdate):
+    """
+    Ensure that TOTP tokens have ipatokenTOTPwatermark set.
+    """
+
+    FILTER = "(&(objectClass=ipatokenTOTP)(!(ipatokenTOTPwatermark=*)))"
+    DN = DN(api.env.container_otp, api.env.basedn)
+
+    def execute(self, **options):
+        try:
+            entries, truncated = self.obj.backend.find_entries(self.FILTER, [], self.DN)
+        except errors.NotFound:
+            return (False, False, [])
+
+        updates = {}
+        for entry in entries:
+            updates[entry.dn] = {
+                'dn': entry.dn,
+                'updates': ['addifnew:ipatokenTOTPwatermark:0']
+            }
+
+        return (False, True, [updates])
-- 
2.1.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to