Re: [Freeipa-devel] [PATCH 0053] Implement OTP token importing
On Wed, 18 Jun 2014, Nathaniel McCallum wrote: On Wed, 2014-06-18 at 17:48 -0400, Simo Sorce wrote: On Wed, 2014-06-18 at 17:34 -0400, Nathaniel McCallum wrote: On Tue, 2014-05-13 at 12:38 -0400, Nathaniel McCallum wrote: This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. Attached is revision 4. I believe this addresses all the points given over the last few days in all emails. The ipa_otptoken_import.py has been significantly reworked to make it simpler and easy to test, but none of the logic has changed. I have removed most of the inheritance and sorted out most of the style issues (like map() vs comprehension). I did not change the XML parsing because it appears that network access is disabled by default. I have also included a test suite which should have 100% code coverage. It even tests for features we don't support yet (like X.509). All tests pass for me. Nathaniel +++ b/install/tools/man/ipa-otptoken-import.1 @@ -0,0 +1,36 @@ +.\ A man page for ipa-compat-manage Bad Copypaste here ^^^ Thanks! Fixed. There is whitespace warning in the man page, needs to be fixed. Also, spec file changes are incomplete, man page is not there. The patch itself works fine for me with the test suite. Attached is the specfile fix, with that one and whitespace removal -- ACK. Attached also is a small fix for ipaplatform changes as specfile now has wrong scoping for the platform files. -- / Alexander Bokovoy From c4c303fc471e8ad2561bd8e3180985485981472d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Wed, 25 Jun 2014 09:46:39 +0300 Subject: [PATCH 08/10] fixup! Implement OTP token importing --- freeipa.spec.in | 1 + 1 file changed, 1 insertion(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index 63f7477..2ba9786 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -775,6 +775,7 @@ fi %{_mandir}/man1/ipa-backup.1.gz %{_mandir}/man1/ipa-restore.1.gz %{_mandir}/man1/ipa-advise.1.gz +%{_mandir}/man1/ipa-otptoken-import.1.gz %files server-trust-ad %{_sbindir}/ipa-adtrust-install -- 1.9.3 From 6e5aabecc290e170882f53de52987d675a9b78b6 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 24 Jun 2014 15:51:45 +0300 Subject: [PATCH 06/10] Fix packaging issue with doubly specified directories --- freeipa.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ed125e5..63f7477 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -837,7 +837,7 @@ fi %dir %{python_sitelib}/ipaplatform %dir %{python_sitelib}/ipaplatform/base %dir %{python_sitelib}/ipaplatform/fedora -%{python_sitelib}/ipaplatform/* +%{python_sitelib}/ipaplatform/*.py* %{python_sitelib}/ipaplatform/base/*.py* %{python_sitelib}/ipaplatform/fedora/*.py* %attr(0644,root,root) %{python_sitearch}/default_encoding_utf8.so -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0053] Implement OTP token importing
On 06/25/2014 12:40 PM, Alexander Bokovoy wrote: On Wed, 18 Jun 2014, Nathaniel McCallum wrote: On Wed, 2014-06-18 at 17:48 -0400, Simo Sorce wrote: On Wed, 2014-06-18 at 17:34 -0400, Nathaniel McCallum wrote: On Tue, 2014-05-13 at 12:38 -0400, Nathaniel McCallum wrote: This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. Attached is revision 4. I believe this addresses all the points given over the last few days in all emails. The ipa_otptoken_import.py has been significantly reworked to make it simpler and easy to test, but none of the logic has changed. I have removed most of the inheritance and sorted out most of the style issues (like map() vs comprehension). I did not change the XML parsing because it appears that network access is disabled by default. I have also included a test suite which should have 100% code coverage. It even tests for features we don't support yet (like X.509). All tests pass for me. Nathaniel +++ b/install/tools/man/ipa-otptoken-import.1 @@ -0,0 +1,36 @@ +.\ A man page for ipa-compat-manage Bad Copypaste here ^^^ Thanks! Fixed. There is whitespace warning in the man page, needs to be fixed. Also, spec file changes are incomplete, man page is not there. The patch itself works fine for me with the test suite. Attached is the specfile fix, with that one and whitespace removal -- ACK. Attached also is a small fix for ipaplatform changes as specfile now has wrong scoping for the platform files. I pushed all 3 patches to master. (I did not realize you want to just fixup your patch 0008 before I pushed the first, so I chosen a better name for it.) Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0053] Implement OTP token importing
On Wed, 2014-06-18 at 17:34 -0400, Nathaniel McCallum wrote: On Tue, 2014-05-13 at 12:38 -0400, Nathaniel McCallum wrote: This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. Attached is revision 4. I believe this addresses all the points given over the last few days in all emails. The ipa_otptoken_import.py has been significantly reworked to make it simpler and easy to test, but none of the logic has changed. I have removed most of the inheritance and sorted out most of the style issues (like map() vs comprehension). I did not change the XML parsing because it appears that network access is disabled by default. I have also included a test suite which should have 100% code coverage. It even tests for features we don't support yet (like X.509). All tests pass for me. Nathaniel +++ b/install/tools/man/ipa-otptoken-import.1 @@ -0,0 +1,36 @@ +.\ A man page for ipa-compat-manage Bad Copypaste here ^^^ Simo. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0053] Implement OTP token importing
On Fri, 13 Jun 2014, Simo Sorce wrote: On Fri, 2014-06-13 at 15:39 -0400, Nathaniel McCallum wrote: I am CC'ing Simo because he wants to review my PBKDF2 implementation. Thank you. I am a bit concerned you are using etree.parse(self.args[0]) directly with the default parser configuration. I think we should, at least, do something like this: parser = etree.XMLParser(resolve_entities=False) parser.parse(self.args[0]) We wouldn't want to inadvertently hit the network when reading this xml file, would we ? Reading the PBKDF2KeyDerivation code I see no particular issue, although I found it a bit hard to decod what it was doing as there are no comments, nor a direct reference to the algorithm you are implementing. It would be nice to have comments either before the function or within the function that gives an explanation of the algorithm being implemented so that whoever needs to read this in the future can readily understand what is going on. I've used this as reference to refresh my memory on the algorithm: http://en.wikipedia.org/wiki/PBKDF2 Btw for the final join, wouldn't it be more compact to use: dk += ''.join(map(chr,u)) ? Actually this creates a new string at each iteration... if you declare dk = [] before the loop and dk.append(''.join(map(chr, u))) in the loop. Then you can return ''.join(dk)[:self.klen] and build the final string only once. Or given you already use lambdas in there perhaps simplify even to: dk = [] for i ... ... dk.append(u) return ''.join(map(lambda x: ''.join(map(chr, x)), dk))[:self.klen] In general the flow is a bit hard to follow due to the clever use of map(), maybe a few comments sprinkled before functions about who/how is meant to use them would help the casual observer. Other than the first point though, anything else looks good to me. I read through the patch and apart from the points Simo made, I don't have much complaints. One additional thing to do is how to test it -- how to create the payload? Since this code doesn't require anything specific, it could be well tested through a CI infrastructure. Additionally, man page is missing. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0053] Implement OTP token importing
On 06/14/2014 12:05 AM, Simo Sorce wrote: On Fri, 2014-06-13 at 15:39 -0400, Nathaniel McCallum wrote: I am CC'ing Simo because he wants to review my PBKDF2 implementation. Thank you. I am a bit concerned you are using etree.parse(self.args[0]) directly with the default parser configuration. I think we should, at least, do something like this: parser = etree.XMLParser(resolve_entities=False) parser.parse(self.args[0]) We wouldn't want to inadvertently hit the network when reading this xml file, would we ? Reading the PBKDF2KeyDerivation code I see no particular issue, although I found it a bit hard to decod what it was doing as there are no comments, nor a direct reference to the algorithm you are implementing. It would be nice to have comments either before the function or within the function that gives an explanation of the algorithm being implemented so that whoever needs to read this in the future can readily understand what is going on. I've used this as reference to refresh my memory on the algorithm: http://en.wikipedia.org/wiki/PBKDF2 Btw for the final join, wouldn't it be more compact to use: dk += ''.join(map(chr,u)) ? Actually this creates a new string at each iteration... if you declare dk = [] before the loop and dk.append(''.join(map(chr, u))) in the loop. Then you can return ''.join(dk)[:self.klen] and build the final string only once. Or given you already use lambdas in there perhaps simplify even to: dk = [] for i ... ... dk.append(u) return ''.join(map(lambda x: ''.join(map(chr, x)), dk))[:self.klen] If you want to use idiomatic Python, starmap(lambda a, b: a ^ b, izip(u, [ord(c) for c in l])) can be rewritten as [a ^ ord(b) for a, b in zip(u, l)] (izip is overkill if the list isn't too long) then you can use dk.extend(u) to keep a single list of ints in dk, and at the end, return ''.join(chr(c) for c in dk[:self.klen]) to turn part you need into a string. It would be nice to have some tests for this. In general the flow is a bit hard to follow due to the clever use of map(), maybe a few comments sprinkled before functions about who/how is meant to use them would help the casual observer. Other than the first point though, anything else looks good to me. Simo. I see the patch contains lots of classes with no state and a single method. I believe it would simplify the code greatly if functions were used instead. -- PetrĀ³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0053] Implement OTP token importing
On Fri, 2014-06-13 at 18:05 -0400, Simo Sorce wrote: On Fri, 2014-06-13 at 15:39 -0400, Nathaniel McCallum wrote: I am CC'ing Simo because he wants to review my PBKDF2 implementation. Thank you. I am a bit concerned you are using etree.parse(self.args[0]) directly with the default parser configuration. I think we should, at least, do something like this: parser = etree.XMLParser(resolve_entities=False) parser.parse(self.args[0]) We wouldn't want to inadvertently hit the network when reading this xml file, would we ? Argh. Yes. Thanks for this. Reading the PBKDF2KeyDerivation code I see no particular issue, although I found it a bit hard to decod what it was doing as there are no comments, nor a direct reference to the algorithm you are implementing. It would be nice to have comments either before the function or within the function that gives an explanation of the algorithm being implemented so that whoever needs to read this in the future can readily understand what is going on. I've used this as reference to refresh my memory on the algorithm: http://en.wikipedia.org/wiki/PBKDF2 There is only one PBKDF2 with differing PRFs. This is precisely what is implemented. However, I'm still working with jdennis to see if I can coax python-nss to do this for me. I'm happy to delete my own implementation. Btw for the final join, wouldn't it be more compact to use: dk += ''.join(map(chr,u)) ? My understanding is that comprehensions are now preferred. I know reduce() has been removed in Python 3.x. However, map() still appears to be there. Does anyone have the official word on the preferred style? Actually this creates a new string at each iteration... if you declare dk = [] before the loop and dk.append(''.join(map(chr, u))) in the loop. Then you can return ''.join(dk)[:self.klen] and build the final string only once. Or given you already use lambdas in there perhaps simplify even to: dk = [] for i ... ... dk.append(u) return ''.join(map(lambda x: ''.join(map(chr, x)), dk))[:self.klen] Sounds good. Let's see if nss can do this. If not, I'll clean this up. In general the flow is a bit hard to follow due to the clever use of map(), maybe a few comments sprinkled before functions about who/how is meant to use them would help the casual observer. In general, this kind of complexity is reduced somewhat in Python 3.x's new bytes/str division. I have a bytes subclass for Py3k that I like to use which implements the bitwise operators. I've even had ideas about submitting this as an upstream Python patch for the bytes class. Other than the first point though, anything else looks good to me. Thanks for looking at this! Nathaniel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0053] Implement OTP token importing
On 06/16/2014 06:23 PM, Nathaniel McCallum wrote: On Fri, 2014-06-13 at 18:05 -0400, Simo Sorce wrote: On Fri, 2014-06-13 at 15:39 -0400, Nathaniel McCallum wrote: I am CC'ing Simo because he wants to review my PBKDF2 implementation. Thank you. I am a bit concerned you are using etree.parse(self.args[0]) directly with the default parser configuration. I think we should, at least, do something like this: parser = etree.XMLParser(resolve_entities=False) parser.parse(self.args[0]) We wouldn't want to inadvertently hit the network when reading this xml file, would we ? Argh. Yes. Thanks for this. lxml.etree.XMLParser has a separate option for this, no_network, which is True by default. Reading the PBKDF2KeyDerivation code I see no particular issue, although I found it a bit hard to decod what it was doing as there are no comments, nor a direct reference to the algorithm you are implementing. It would be nice to have comments either before the function or within the function that gives an explanation of the algorithm being implemented so that whoever needs to read this in the future can readily understand what is going on. I've used this as reference to refresh my memory on the algorithm: http://en.wikipedia.org/wiki/PBKDF2 There is only one PBKDF2 with differing PRFs. This is precisely what is implemented. However, I'm still working with jdennis to see if I can coax python-nss to do this for me. I'm happy to delete my own implementation. Btw for the final join, wouldn't it be more compact to use: dk += ''.join(map(chr,u)) ? My understanding is that comprehensions are now preferred. I know reduce() has been removed in Python 3.x. However, map() still appears to be there. Does anyone have the official word on the preferred style? Here's my view, strictly unofficial: Comprehensions are better in almost all cases. This (converting each value) is just about the only one where map is more concise, and roughly equally readable. So, for consistency, it's better to use comprehensions everywhere. Actually this creates a new string at each iteration... if you declare dk = [] before the loop and dk.append(''.join(map(chr, u))) in the loop. Then you can return ''.join(dk)[:self.klen] and build the final string only once. Or given you already use lambdas in there perhaps simplify even to: dk = [] for i ... ... dk.append(u) return ''.join(map(lambda x: ''.join(map(chr, x)), dk))[:self.klen] Sounds good. Let's see if nss can do this. If not, I'll clean this up. In general the flow is a bit hard to follow due to the clever use of map(), maybe a few comments sprinkled before functions about who/how is meant to use them would help the casual observer. In general, this kind of complexity is reduced somewhat in Python 3.x's new bytes/str division. I have a bytes subclass for Py3k that I like to use which implements the bitwise operators. I've even had ideas about submitting this as an upstream Python patch for the bytes class. Try the python-ideas list first. There's a recent thread there from Nick Coghlan on a similar topic, you might want to read it. -- PetrĀ³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0053] Implement OTP token importing
On Mon, 2014-06-16 at 11:53 +0300, Alexander Bokovoy wrote: On Fri, 13 Jun 2014, Simo Sorce wrote: On Fri, 2014-06-13 at 15:39 -0400, Nathaniel McCallum wrote: I am CC'ing Simo because he wants to review my PBKDF2 implementation. Thank you. I am a bit concerned you are using etree.parse(self.args[0]) directly with the default parser configuration. I think we should, at least, do something like this: parser = etree.XMLParser(resolve_entities=False) parser.parse(self.args[0]) We wouldn't want to inadvertently hit the network when reading this xml file, would we ? Reading the PBKDF2KeyDerivation code I see no particular issue, although I found it a bit hard to decod what it was doing as there are no comments, nor a direct reference to the algorithm you are implementing. It would be nice to have comments either before the function or within the function that gives an explanation of the algorithm being implemented so that whoever needs to read this in the future can readily understand what is going on. I've used this as reference to refresh my memory on the algorithm: http://en.wikipedia.org/wiki/PBKDF2 Btw for the final join, wouldn't it be more compact to use: dk += ''.join(map(chr,u)) ? Actually this creates a new string at each iteration... if you declare dk = [] before the loop and dk.append(''.join(map(chr, u))) in the loop. Then you can return ''.join(dk)[:self.klen] and build the final string only once. Or given you already use lambdas in there perhaps simplify even to: dk = [] for i ... ... dk.append(u) return ''.join(map(lambda x: ''.join(map(chr, x)), dk))[:self.klen] In general the flow is a bit hard to follow due to the clever use of map(), maybe a few comments sprinkled before functions about who/how is meant to use them would help the casual observer. Other than the first point though, anything else looks good to me. I read through the patch and apart from the points Simo made, I don't have much complaints. One additional thing to do is how to test it -- how to create the payload? Since this code doesn't require anything specific, it could be well tested through a CI infrastructure. I don't see why we can't use the samples that jcholast dug up as test data since they come from the RFC. The noted fix for Figure 7 should be included so that the test works. Additionally, man page is missing. The man page should be in 0053.2. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0053] Implement OTP token importing
I am CC'ing Simo because he wants to review my PBKDF2 implementation. On Wed, 2014-06-11 at 17:41 -0400, Nathaniel McCallum wrote: On Wed, 2014-06-11 at 14:24 +0200, Jan Cholasta wrote: Hi, On 13.5.2014 18:40, Nathaniel McCallum wrote: On Tue, 2014-05-13 at 12:38 -0400, Nathaniel McCallum wrote: This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. I forgot to put the link to the ticket in the commit message. Fixed. 1) I think you should initialize NSS in ipa_otptoken_import.py, not in the ipa-otptoken-import script. Fixed. 2) The pep8 tool reports a lot of errors in ipa_otptoken_import.py. Fixed (mostly). The remaining output from pep8 is, I think, entirely justifiable. 3) Other error messages are in the form message: %s, I think this one should use that form as well: +if encoding != 'DECIMAL': +raise ValidationError('Unsupported encoding (%s)!' % encoding) Fixed. 4) This is not right: +except: +self.log.warn(Error adding token: + str(sys.exc_info()[1])) I think it should be something like this instead: except ValidationError, e: self.log.warn(Error adding token: %s, e) Fixed. 5) There is no man page for ipa-otptoken-import. TODO (tomorrow). Fixed. 6) Output file is created even when ipa-otptoken-import fails with Unable to connect to LDAP! Did you kinit? and other initialization errors, which makes subsequent ipa-otptoken-import fail with Output file already exists!. Fixed. 7) When a key is specified by reference in Key/KeyReference instead of directly in Key/Data/Secret like in http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure4.xml, import fails with Key not found in token!. I would expect a different error message. This error is now: Referenced keys are not supported! 8) Importing http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure5.xml produces this output: /usr/lib/python2.7/site-packages/ipaserver/install/ipa_otptoken_import.py:307: FutureWarning: The behavior of this method will change in future versions. Use specific 'len(elem)' or 'elem is not None' test instead. if data.get('pinpolicy', None): Error adding token: 'NoneType' object has no attribute 'strip' This now states: Error adding token: PINPolicy policy not supported! Error adding token: Unsupported token type! 9) Using an arbitrary file in -k produces this output: (SEC_ERROR_INVALID_KEY) The key does not support the requested operation. Traceback (most recent call last): File /usr/sbin/ipa-otptoken-import, line 29, in module nss.nss_shutdown() nss.error.NSPRError: (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use. What do you mean by arbitrary file? A file that is not the key? Like /dev/null? I'm not able to reproduce this. 10) Importing http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure7.xml and http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure8.xml produces this output: Error adding token: object of type 'NoneType' has no len() Import fails with: Derived keys are not currently supported! or X.509 keys are not currently supported! It would be nice to support these in the future. I added support for derived keys. However, pskc-figure7.xml appears to have a problem. This problem is actually in RFC 6030 itself (where pskc-figure7.xml comes from). According to the xenc11 standard, all of these tags should be in the xenc11 namespace (not pkcs5 or undefined as given in RFC 6030): pkcs5:PBKDF2-params Salt SpecifiedEj7/PEpyEpw=/Specified /Salt IterationCount1000/IterationCount KeyLength16/KeyLength PRF/ /pkcs5:PBKDF2-params When fixing this error in pskc-figure7.xml, key derivation works in this latest patch. 11) Importing http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-all.xml or
Re: [Freeipa-devel] [PATCH 0053] Implement OTP token importing
On Fri, 2014-06-13 at 15:39 -0400, Nathaniel McCallum wrote: I am CC'ing Simo because he wants to review my PBKDF2 implementation. Thank you. I am a bit concerned you are using etree.parse(self.args[0]) directly with the default parser configuration. I think we should, at least, do something like this: parser = etree.XMLParser(resolve_entities=False) parser.parse(self.args[0]) We wouldn't want to inadvertently hit the network when reading this xml file, would we ? Reading the PBKDF2KeyDerivation code I see no particular issue, although I found it a bit hard to decod what it was doing as there are no comments, nor a direct reference to the algorithm you are implementing. It would be nice to have comments either before the function or within the function that gives an explanation of the algorithm being implemented so that whoever needs to read this in the future can readily understand what is going on. I've used this as reference to refresh my memory on the algorithm: http://en.wikipedia.org/wiki/PBKDF2 Btw for the final join, wouldn't it be more compact to use: dk += ''.join(map(chr,u)) ? Actually this creates a new string at each iteration... if you declare dk = [] before the loop and dk.append(''.join(map(chr, u))) in the loop. Then you can return ''.join(dk)[:self.klen] and build the final string only once. Or given you already use lambdas in there perhaps simplify even to: dk = [] for i ... ... dk.append(u) return ''.join(map(lambda x: ''.join(map(chr, x)), dk))[:self.klen] In general the flow is a bit hard to follow due to the clever use of map(), maybe a few comments sprinkled before functions about who/how is meant to use them would help the casual observer. Other than the first point though, anything else looks good to me. Simo. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0053] Implement OTP token importing
Hi, On 13.5.2014 18:40, Nathaniel McCallum wrote: On Tue, 2014-05-13 at 12:38 -0400, Nathaniel McCallum wrote: This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. I forgot to put the link to the ticket in the commit message. Fixed. 1) I think you should initialize NSS in ipa_otptoken_import.py, not in the ipa-otptoken-import script. 2) The pep8 tool reports a lot of errors in ipa_otptoken_import.py. 3) Other error messages are in the form message: %s, I think this one should use that form as well: +if encoding != 'DECIMAL': +raise ValidationError('Unsupported encoding (%s)!' % encoding) 4) This is not right: +except: +self.log.warn(Error adding token: + str(sys.exc_info()[1])) I think it should be something like this instead: except ValidationError, e: self.log.warn(Error adding token: %s, e) 5) There is no man page for ipa-otptoken-import. 6) Output file is created even when ipa-otptoken-import fails with Unable to connect to LDAP! Did you kinit? and other initialization errors, which makes subsequent ipa-otptoken-import fail with Output file already exists!. 7) When a key is specified by reference in Key/KeyReference instead of directly in Key/Data/Secret like in http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure4.xml, import fails with Key not found in token!. I would expect a different error message. 8) Importing http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure5.xml produces this output: /usr/lib/python2.7/site-packages/ipaserver/install/ipa_otptoken_import.py:307: FutureWarning: The behavior of this method will change in future versions. Use specific 'len(elem)' or 'elem is not None' test instead. if data.get('pinpolicy', None): Error adding token: 'NoneType' object has no attribute 'strip' 9) Using an arbitrary file in -k produces this output: (SEC_ERROR_INVALID_KEY) The key does not support the requested operation. Traceback (most recent call last): File /usr/sbin/ipa-otptoken-import, line 29, in module nss.nss_shutdown() nss.error.NSPRError: (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use. 10) Importing http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure7.xml and http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure8.xml produces this output: Error adding token: object of type 'NoneType' has no len() 11) Importing http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-all.xml or http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-all-signed.xml produces this output: /usr/lib/python2.7/site-packages/ipaserver/install/ipa_otptoken_import.py:304: FutureWarning: The behavior of this method will change in future versions. Use specific 'len(elem)' or 'elem is not None' test instead. if data.get('maxtransact', None): /usr/lib/python2.7/site-packages/ipaserver/install/ipa_otptoken_import.py:307: FutureWarning: The behavior of this method will change in future versions. Use specific 'len(elem)' or 'elem is not None' test instead. if data.get('pinpolicy', None): 12) Importing http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-invalid.xml succeeds, but it should fail. 13) Importing http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/libpskc/examples/pskc-mini.xml fails, but it should succeed, I think. Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0053] Implement OTP token importing
On Wed, 2014-06-11 at 14:24 +0200, Jan Cholasta wrote: Hi, On 13.5.2014 18:40, Nathaniel McCallum wrote: On Tue, 2014-05-13 at 12:38 -0400, Nathaniel McCallum wrote: This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. I forgot to put the link to the ticket in the commit message. Fixed. 1) I think you should initialize NSS in ipa_otptoken_import.py, not in the ipa-otptoken-import script. Fixed. 2) The pep8 tool reports a lot of errors in ipa_otptoken_import.py. Fixed (mostly). The remaining output from pep8 is, I think, entirely justifiable. 3) Other error messages are in the form message: %s, I think this one should use that form as well: +if encoding != 'DECIMAL': +raise ValidationError('Unsupported encoding (%s)!' % encoding) Fixed. 4) This is not right: +except: +self.log.warn(Error adding token: + str(sys.exc_info()[1])) I think it should be something like this instead: except ValidationError, e: self.log.warn(Error adding token: %s, e) Fixed. 5) There is no man page for ipa-otptoken-import. TODO (tomorrow). 6) Output file is created even when ipa-otptoken-import fails with Unable to connect to LDAP! Did you kinit? and other initialization errors, which makes subsequent ipa-otptoken-import fail with Output file already exists!. Fixed. 7) When a key is specified by reference in Key/KeyReference instead of directly in Key/Data/Secret like in http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure4.xml, import fails with Key not found in token!. I would expect a different error message. This error is now: Referenced keys are not supported! 8) Importing http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure5.xml produces this output: /usr/lib/python2.7/site-packages/ipaserver/install/ipa_otptoken_import.py:307: FutureWarning: The behavior of this method will change in future versions. Use specific 'len(elem)' or 'elem is not None' test instead. if data.get('pinpolicy', None): Error adding token: 'NoneType' object has no attribute 'strip' This now states: Error adding token: PINPolicy policy not supported! Error adding token: Unsupported token type! 9) Using an arbitrary file in -k produces this output: (SEC_ERROR_INVALID_KEY) The key does not support the requested operation. Traceback (most recent call last): File /usr/sbin/ipa-otptoken-import, line 29, in module nss.nss_shutdown() nss.error.NSPRError: (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use. What do you mean by arbitrary file? A file that is not the key? Like /dev/null? I'm not able to reproduce this. 10) Importing http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure7.xml and http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure8.xml produces this output: Error adding token: object of type 'NoneType' has no len() Import fails with: Derived keys are not currently supported! or X.509 keys are not currently supported! It would be nice to support these in the future. 11) Importing http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-all.xml or http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-all-signed.xml produces this output: /usr/lib/python2.7/site-packages/ipaserver/install/ipa_otptoken_import.py:304: FutureWarning: The behavior of this method will change in future versions. Use specific 'len(elem)' or 'elem is not None' test instead. if data.get('maxtransact', None): /usr/lib/python2.7/site-packages/ipaserver/install/ipa_otptoken_import.py:307: FutureWarning: The behavior of this method will change in future versions. Use specific 'len(elem)' or 'elem is not None' test instead. if data.get('pinpolicy', None): Both of these now output: Error adding token: NumberOfTransactions policy not supported! 12) Importing http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-invalid.xml succeeds, but it should fail. This now errors with: PSKC file is invalid! 13) Importing
Re: [Freeipa-devel] [PATCH 0053] Implement OTP token importing
On Tue, 2014-05-13 at 12:38 -0400, Nathaniel McCallum wrote: This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. I forgot to put the link to the ticket in the commit message. Fixed. From b7576825077b68ed68ff3a811c05cbc3eb4e4c12 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Thu, 8 May 2014 11:06:16 -0400 Subject: [PATCH] Implement OTP token importing This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 --- freeipa.spec.in | 2 + install/tools/Makefile.am| 1 + install/tools/ipa-otptoken-import| 29 +++ ipaserver/install/ipa_otptoken_import.py | 419 +++ 4 files changed, 451 insertions(+) create mode 100755 install/tools/ipa-otptoken-import create mode 100644 ipaserver/install/ipa_otptoken_import.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 4e3fd7351757be773fae0b02c55549910c5b37ad..850cca85b6deb5ce4a5656fb2328c7a4d6bcc8cb 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -307,6 +307,7 @@ Requires: python-netaddr Requires: libipa_hbac-python Requires: python-qrcode Requires: python-pyasn1 +Requires: python-dateutil Obsoletes: ipa-python = 1.0 @@ -660,6 +661,7 @@ fi %{_sbindir}/ipa-csreplica-manage %{_sbindir}/ipa-server-certinstall %{_sbindir}/ipa-ldap-updater +%{_sbindir}/ipa-otptoken-import %{_sbindir}/ipa-compat-manage %{_sbindir}/ipa-nis-manage %{_sbindir}/ipa-managed-entries diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index 2cf66c6dfc1c272bb423253902e7339e7d159567..485be91b7bca2b0f3822a70d0f027793208918c1 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am @@ -20,6 +20,7 @@ sbin_SCRIPTS = \ ipa-nis-manage \ ipa-managed-entries \ ipa-ldap-updater \ + ipa-otptoken-import \ ipa-upgradeconfig \ ipa-backup \ ipa-restore \ diff --git a/install/tools/ipa-otptoken-import b/install/tools/ipa-otptoken-import new file mode 100755 index ..8184a6afe04e816727a34085edc458a4d90bf470 --- /dev/null +++ b/install/tools/ipa-otptoken-import @@ -0,0 +1,29 @@ +#! /usr/bin/python2 -E +# Authors: Nathaniel McCallum npmccal...@redhat.com +# +# Copyright (C) 2014 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. +# + +from ipaserver.install.ipa_otptoken_import import OTPTokenImport +import nss.nss as nss + +nss.nss_init_nodb() + +try: +OTPTokenImport.run_cli() +finally: +nss.nss_shutdown() diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py new file mode 100644 index ..b8281a90a876cef0eff68396dd2c60f446e6ce98 --- /dev/null +++ b/ipaserver/install/ipa_otptoken_import.py @@ -0,0 +1,419 @@ +# Authors: Nathaniel McCallum npmccal...@redhat.com +# +# Copyright (C) 2014 Red Hat +# see file 'COPYING' for use and