Re: [Freeipa-devel] [PATCH 0035] ipa-kdb: validate that an OTP user has tokens

2014-02-18 Thread Nathaniel McCallum
On Thu, 2014-02-06 at 11:02 -0500, Nathaniel McCallum wrote:
 This patch is independent of any of my other patches and can be merged
 out of order.

This patch still needs a reviewer. It is very small.

Nathaniel



Re: [Freeipa-devel] [PATCH 0035] ipa-kdb: validate that an OTP user has tokens

2014-02-18 Thread Nathaniel McCallum
On Tue, 2014-02-18 at 14:48 -0500, Nathaniel McCallum wrote:
 On Thu, 2014-02-06 at 11:02 -0500, Nathaniel McCallum wrote:
  This patch is independent of any of my other patches and can be merged
  out of order.
 
 This patch still needs a reviewer. It is very small.

Oops! I replied to the wrong email. Ignore this!

Nathaniel



[Freeipa-devel] [PATCH 0035] ipa-kdb: validate that an OTP user has tokens

2014-02-06 Thread Nathaniel McCallum
This patch is independent of any of my other patches and can be merged
out of order.

Nathaniel
From b0ffd3ca5ce905d2df1b7c7f8a8ee82a9e9af4a7 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Thu, 6 Feb 2014 10:56:46 -0500
Subject: [PATCH] ipa-kdb: validate that an OTP user has tokens

This handles the case where a user is configured for OTP in ipaUserAuthType,
but the user has not yet created any tokens. Until the user creates tokens,
the user should still be able to log in via password. This logic already
exists in LDAP, but ipa-kdb needs to perform the same validation to know
what data to return to the KDC.

https://fedorahosted.org/freeipa/ticket/4154
---
 daemons/ipa-kdb/ipa_kdb.c|  10 ++-
 daemons/ipa-kdb/ipa_kdb.h|   6 +-
 daemons/ipa-kdb/ipa_kdb_principals.c | 144 ++-
 3 files changed, 135 insertions(+), 25 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index c807bbcfa14285db96f78fc4f7b0cdd04da445b7..0f3996cdfa35374c005bc1ed174dea0816a27747 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -186,13 +186,13 @@ static const struct {
 { }
 };
 
-void ipadb_get_user_auth(LDAP *lcontext, LDAPMessage *le,
- enum ipadb_user_auth *userauth)
+void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le,
+   enum ipadb_user_auth *userauth)
 {
 struct berval **vals;
 int i, j;
 
-*userauth = IPADB_USER_AUTH_EMPTY;
+*userauth = IPADB_USER_AUTH_NONE;
 vals = ldap_get_values_len(lcontext, le, IPA_USER_AUTH_TYPE);
 if (!vals)
 return;
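Review bot: The renamed definition spells its out-parameter `userauth` while the renamed prototype in ipa_kdb.h (second file of this patch) spells it `user_auth`; the two should agree, e.g. change the definition's second line to `enum ipadb_user_auth *user_auth)` so the header and the source read the same. IPADB_USER_AUTH_EMPTY to IPADB_USER_AUTH_NONE is a rename of a header-visible enum constant, so any translation unit still using the old name stops building; the large ipa_kdb_principals.c hunk is cut off in this view, so I cannot confirm every use is updated. A short header comment on the function would help callers, e.g. `/* Resets *userauth to IPADB_USER_AUTH_NONE, then fills it from the entry's ipaUserAuthType values; stays NONE when the attribute is absent. */`. The function body continues past the end of this hunk.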
@@ -205,6 +205,8 @@ void ipadb_get_user_auth(LDAP *lcontext, LDAPMessage *le,
 }
 }
 }
+
+ldap_value_free_len(vals);
 }
 
 int ipadb_get_global_configs(struct ipadb_context *ipactx)
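Review bot: The added `ldap_value_free_len(vals);` only runs on the fall-through path out of the loop; if the loop body above (outside this hunk) contains any `return`, `break`-to-return or `goto` taken on a matching value, those paths would still leak the values array, so the full body is worth checking. The early `if (!vals) return;` in the previous hunk is fine since nothing has been allocated at that point. ipadb_parse_user_auth's opening lines are in the previous hunk, not this one.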
@@ -239,7 +241,7 @@ int ipadb_get_global_configs(struct ipadb_context *ipactx)
 }
 
 /* Check for permitted authentication types. */
-ipadb_get_user_auth(ipactx-lcontext, res, ipactx-user_auth);
+ipadb_parse_user_auth(ipactx-lcontext, res, ipactx-user_auth);
 
 vals = ldap_get_values_len(ipactx-lcontext, first,
ipaConfigString);
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 5ad256b0ecaa74a53ba0d1465462a58e7f138603..6c036e3b6403a3b5fde544dc49c9d7efbaa6ca9b 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -80,7 +80,7 @@
 struct ipadb_mspac;
 
 enum ipadb_user_auth {
-  IPADB_USER_AUTH_EMPTY= 0,
+  IPADB_USER_AUTH_NONE = 0,
   IPADB_USER_AUTH_DISABLED = 1  0,
   IPADB_USER_AUTH_PASSWORD = 1  1,
   IPADB_USER_AUTH_RADIUS   = 1  2,
@@ -275,5 +275,5 @@ void ipadb_audit_as_req(krb5_context kcontext,
 krb5_error_code error_code);
 
 /* AUTH METHODS */
-void ipadb_get_user_auth(LDAP *lcontext, LDAPMessage *le,
- enum ipadb_user_auth *user_auth);
+void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le,
+   enum ipadb_user_auth *user_auth);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index a52095225eead84ba586ee7cd14510feb39b9d3b..8a8d67bb13dd1fd0dedef9dab0296b1c12d58281 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -66,6 +66,7 @@ static char *std_principal_attrs[] = {
 passwordHistory,
 IPA_KRB_AUTHZ_DATA_ATTR,
 IPA_USER_AUTH_TYPE,
+ipatokenRadiusConfigLink,
 
 objectClass,
 NULL
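Review bot: `ipatokenRadiusConfigLink` is added to the attributes requested for every principal lookup, but nothing in this hunk shows where it is consumed; presumably the new OTP validation code in the next hunk (cut off in this view) reads it, which is worth confirming. Because the list is shared by all principal fetches, a one-line comment explaining the addition would help future readers, e.g. `ipatokenRadiusConfigLink, /* TODO confirm: read by the OTP/RADIUS auth-type validation */`. The std_principal_attrs array starts before this hunk.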
@@ -224,6 +225,122 @@ static int ipadb_ldap_attr_to_key_data(LDAP *lcontext, LDAPMessage *le,
 return ret;
 }
 
+static void ipadb_validate_otp(struct ipadb_context *ipactx,
+   LDAPMessage *lentry,
+   enum ipadb_user_auth *ua)
+{
+static const char *attrs[] = { dn, NULL };
+static const char *dttmpl = %Y%m%d%H%M%SZ;
+static const char *ftmpl = (
+(objectClass=ipaToken)(ipatokenOwner=%s)
+(|(ipatokenNotBefore=%s)(!(ipatokenNotBefore=*)))
+(|(ipatokenNotAfter=%s)(!(ipatokenNotAfter=*)))
+(|(ipatokenDisabled=FALSE)(!(ipatokenDisabled=*)))
+);
+krb5_error_code kerr = 0;
+LDAPMessage *res = NULL;
+char datetime[16] = {};
+char *filter = NULL;
+struct tm tm = {};
+char *dn = NULL;
+time_t now = 0;
+int count = 0;
+
+if (!(*ua  IPADB_USER_AUTH_OTP))
+return;
+
+/* Get the current time. */
+if (time(now) == (time_t) -1)
+return;
+if (gmtime_r(now, tm) == NULL)
+return;
+
+/* Make the current time string. */
+if (strftime(datetime, sizeof(datetime), dttmpl, tm) == 0)
+return;
+
+/* Make the filter. */
+dn = ldap_get_dn(ipactx-lcontext, lentry);
+if (dn == NULL)
+return;
+count = asprintf(filter, ftmpl, dn, datetime, datetime);
+ldap_memfree(dn);
+if (count  0)
+