Re: [Freeipa-devel] [PATCH] 0003 Validate key in otptoken-add
On 24.08.2016 13:32, Tomas Krizek wrote:
Fixed the typo in error message.

On 08/23/2016 12:15 PM, Tomas Krizek wrote:
In that case, the first version of the patch solves the issue. I'm attaching the patch once again, but it's the same as the one in the original message.

On 08/23/2016 11:53 AM, Jan Cholasta wrote:
On 22.8.2016 19:08, Tomas Krizek wrote:
I've attached the updated patch. Hopefully I didn't forget anything else this time.

On 08/22/2016 05:48 PM, Martin Basti wrote:
On 22.08.2016 10:22, Tomas Krizek wrote:
Seems like a good idea, I'm attaching the updated patch. Autofill does work when the param is required.

On 08/19/2016 04:19 PM, Martin Basti wrote:
On 16.08.2016 17:35, Tomas Krizek wrote:
Hi, the attached patch fixes an error message when user provides an empty key while adding otp token.

https://fedorahosted.org/freeipa/ticket/6200

I'm curious why we don't fix it here:

OTPTokenKey('ipatokenotpkey?',
    cli_name='key',
    label=_('Key'),
    doc=_('Token secret (Base32; default: random)'),
    default_from=lambda: os.urandom(KEY_LENGTH),
    autofill=True,
    flags=('no_display', 'no_update', 'no_search'),
),

If OTPTokenKey is mandatory, it should be required param (autofill should work in this case too)

Martin^2

-- Tomas Krizek

You changed API, you must regenerate API.txt (./makeapi) and increment minor version in VERSION file

Option 'ipatokenotpkey?' in command 'otptoken_add/1' in API file not found
Options count in otptoken_add of 22 doesn't match expected: 23
Option ipatokenotpkey of command otptoken_add in ipalib, not in API file:
OTPTokenKey('ipatokenotpkey', autofill=True, cli_name='key')

NACK, this is a backward incompatible change.

AFAICT the option should remain optional, see the doc string: Token secret (Base32; default: random) ^^^

-- Tomas Krizek

ACK

Pushed to master: 6f9a029bf5d33e6c8267cb330bd48033c5517188

http://www.freeipa.org/page/Pull_request_on_Github

-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0003 Validate key in otptoken-add
On 24.08.2016 13:32, Tomas Krizek wrote:
Fixed the typo in error message.

On 08/23/2016 12:15 PM, Tomas Krizek wrote:
In that case, the first version of the patch solves the issue. I'm attaching the patch once again, but it's the same as the one in the original message.

On 08/23/2016 11:53 AM, Jan Cholasta wrote:
On 22.8.2016 19:08, Tomas Krizek wrote:
I've attached the updated patch. Hopefully I didn't forget anything else this time.

On 08/22/2016 05:48 PM, Martin Basti wrote:
On 22.08.2016 10:22, Tomas Krizek wrote:
Seems like a good idea, I'm attaching the updated patch. Autofill does work when the param is required.

On 08/19/2016 04:19 PM, Martin Basti wrote:
On 16.08.2016 17:35, Tomas Krizek wrote:
Hi, the attached patch fixes an error message when user provides an empty key while adding otp token.

https://fedorahosted.org/freeipa/ticket/6200

I'm curious why we don't fix it here:

OTPTokenKey('ipatokenotpkey?',
    cli_name='key',
    label=_('Key'),
    doc=_('Token secret (Base32; default: random)'),
    default_from=lambda: os.urandom(KEY_LENGTH),
    autofill=True,
    flags=('no_display', 'no_update', 'no_search'),
),

If OTPTokenKey is mandatory, it should be required param (autofill should work in this case too)

Martin^2

-- Tomas Krizek

You changed API, you must regenerate API.txt (./makeapi) and increment minor version in VERSION file

Option 'ipatokenotpkey?' in command 'otptoken_add/1' in API file not found
Options count in otptoken_add of 22 doesn't match expected: 23
Option ipatokenotpkey of command otptoken_add in ipalib, not in API file:
OTPTokenKey('ipatokenotpkey', autofill=True, cli_name='key')

NACK, this is a backward incompatible change.

AFAICT the option should remain optional, see the doc string: Token secret (Base32; default: random) ^^^

-- Tomas Krizek

Pushed to master: 6f9a029bf5d33e6c8267cb330bd48033c5517188
Re: [Freeipa-devel] [PATCH] 0003 Validate key in otptoken-add
Fixed the typo in error message.

On 08/23/2016 12:15 PM, Tomas Krizek wrote:
In that case, the first version of the patch solves the issue. I'm attaching the patch once again, but it's the same as the one in the original message.

On 08/23/2016 11:53 AM, Jan Cholasta wrote:
On 22.8.2016 19:08, Tomas Krizek wrote:
I've attached the updated patch. Hopefully I didn't forget anything else this time.

On 08/22/2016 05:48 PM, Martin Basti wrote:
On 22.08.2016 10:22, Tomas Krizek wrote:
Seems like a good idea, I'm attaching the updated patch. Autofill does work when the param is required.

On 08/19/2016 04:19 PM, Martin Basti wrote:
On 16.08.2016 17:35, Tomas Krizek wrote:
Hi, the attached patch fixes an error message when user provides an empty key while adding otp token.

https://fedorahosted.org/freeipa/ticket/6200

I'm curious why we don't fix it here:

OTPTokenKey('ipatokenotpkey?',
    cli_name='key',
    label=_('Key'),
    doc=_('Token secret (Base32; default: random)'),
    default_from=lambda: os.urandom(KEY_LENGTH),
    autofill=True,
    flags=('no_display', 'no_update', 'no_search'),
),

If OTPTokenKey is mandatory, it should be required param (autofill should work in this case too)

Martin^2

-- Tomas Krizek

You changed API, you must regenerate API.txt (./makeapi) and increment minor version in VERSION file

Option 'ipatokenotpkey?' in command 'otptoken_add/1' in API file not found
Options count in otptoken_add of 22 doesn't match expected: 23
Option ipatokenotpkey of command otptoken_add in ipalib, not in API file:
OTPTokenKey('ipatokenotpkey', autofill=True, cli_name='key')

NACK, this is a backward incompatible change.

AFAICT the option should remain optional, see the doc string: Token secret (Base32; default: random) ^^^

-- Tomas Krizek

From 14ecfa5f5730af5f8d1d54f8524d546d42f5ce2e Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Wed, 24 Aug 2016 13:29:37 +0200
Subject: [PATCH] Validate key in otptoken-add

Verify that key is not empty when adding otp token. If it is empty, raise an appropriate error.

https://fedorahosted.org/freeipa/ticket/6200

--- ipaserver/plugins/otptoken.py | 4 1 file changed, 4 insertions(+) diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py index 15b25e07a905257f016de68a3d9e182447699d0e..a7b436aa5690c42b56d7937e608b9d574b22e10b 100644 --- a/ipaserver/plugins/otptoken.py +++ b/ipaserver/plugins/otptoken.py @@ -323,6 +323,10 @@ class otptoken_add(LDAPCreate): except (NotFound, IndexError): pass +# Check if key is not empty +if entry_attrs['ipatokenotpkey'] is None: +raise ValidationError(name='key', error=_(u'cannot be empty')) + # Build the URI parameters args = {} args['issuer'] = issuer -- 2.7.4
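Review bot: the added check in otptoken_add indexes entry_attrs['ipatokenotpkey'] directly and only compares the value against None. If the attribute can be absent from entry_attrs at this point, the lookup raises KeyError instead of the intended ValidationError, and an empty byte string would pass the "is None" test; "if not entry_attrs.get('ipatokenotpkey'):" covers all three cases. The diffstat shows only ipaserver/plugins/otptoken.py changed, so a regression test for an empty --key would be worth adding with this fix.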
Re: [Freeipa-devel] [PATCH] 0003 Validate key in otptoken-add
On 22.8.2016 19:08, Tomas Krizek wrote:
I've attached the updated patch. Hopefully I didn't forget anything else this time.

On 08/22/2016 05:48 PM, Martin Basti wrote:
On 22.08.2016 10:22, Tomas Krizek wrote:
Seems like a good idea, I'm attaching the updated patch. Autofill does work when the param is required.

On 08/19/2016 04:19 PM, Martin Basti wrote:
On 16.08.2016 17:35, Tomas Krizek wrote:
Hi, the attached patch fixes an error message when user provides an empty key while adding otp token.

https://fedorahosted.org/freeipa/ticket/6200

I'm curious why we don't fix it here:

OTPTokenKey('ipatokenotpkey?',
    cli_name='key',
    label=_('Key'),
    doc=_('Token secret (Base32; default: random)'),
    default_from=lambda: os.urandom(KEY_LENGTH),
    autofill=True,
    flags=('no_display', 'no_update', 'no_search'),
),

If OTPTokenKey is mandatory, it should be required param (autofill should work in this case too)

Martin^2

-- Tomas Krizek

You changed API, you must regenerate API.txt (./makeapi) and increment minor version in VERSION file

Option 'ipatokenotpkey?' in command 'otptoken_add/1' in API file not found
Options count in otptoken_add of 22 doesn't match expected: 23
Option ipatokenotpkey of command otptoken_add in ipalib, not in API file:
OTPTokenKey('ipatokenotpkey', autofill=True, cli_name='key')

NACK, this is a backward incompatible change.

AFAICT the option should remain optional, see the doc string: Token secret (Base32; default: random) ^^^

-- Jan Cholasta
Re: [Freeipa-devel] [PATCH] 0003 Validate key in otptoken-add
On 22.08.2016 19:05, Martin Basti wrote:
On 22.08.2016 17:48, Martin Basti wrote:
On 22.08.2016 10:22, Tomas Krizek wrote:
Seems like a good idea, I'm attaching the updated patch. Autofill does work when the param is required.

On 08/19/2016 04:19 PM, Martin Basti wrote:
On 16.08.2016 17:35, Tomas Krizek wrote:
Hi, the attached patch fixes an error message when user provides an empty key while adding otp token.

https://fedorahosted.org/freeipa/ticket/6200

I'm curious why we don't fix it here:

OTPTokenKey('ipatokenotpkey?',
    cli_name='key',
    label=_('Key'),
    doc=_('Token secret (Base32; default: random)'),
    default_from=lambda: os.urandom(KEY_LENGTH),
    autofill=True,
    flags=('no_display', 'no_update', 'no_search'),
),

If OTPTokenKey is mandatory, it should be required param (autofill should work in this case too)

Martin^2

-- Tomas Krizek

You changed API, you must regenerate API.txt (./makeapi) and increment minor version in VERSION file

Option 'ipatokenotpkey?' in command 'otptoken_add/1' in API file not found
Options count in otptoken_add of 22 doesn't match expected: 23
Option ipatokenotpkey of command otptoken_add in ipalib, not in API file:
OTPTokenKey('ipatokenotpkey', autofill=True, cli_name='key')

Martin^2

[root@vm-058-107 ~]# ipa otptoken-add --key='ORSXG5DFON2AU==='
Usage: ipa [global-options] otptoken-add [ID] [options]
ipa: error: --key option does not take a value

Well patch doesn't work for me, Honza may know if this is expected behavior of framework or just params bug

Martin^2

My bad, this is expected.

Martin^2
Re: [Freeipa-devel] [PATCH] 0003 Validate key in otptoken-add
I've attached the updated patch. Hopefully I didn't forget anything else this time.

On 08/22/2016 05:48 PM, Martin Basti wrote:
On 22.08.2016 10:22, Tomas Krizek wrote:
Seems like a good idea, I'm attaching the updated patch. Autofill does work when the param is required.

On 08/19/2016 04:19 PM, Martin Basti wrote:
On 16.08.2016 17:35, Tomas Krizek wrote:
Hi, the attached patch fixes an error message when user provides an empty key while adding otp token.

https://fedorahosted.org/freeipa/ticket/6200

I'm curious why we don't fix it here:

OTPTokenKey('ipatokenotpkey?',
    cli_name='key',
    label=_('Key'),
    doc=_('Token secret (Base32; default: random)'),
    default_from=lambda: os.urandom(KEY_LENGTH),
    autofill=True,
    flags=('no_display', 'no_update', 'no_search'),
),

If OTPTokenKey is mandatory, it should be required param (autofill should work in this case too)

Martin^2

-- Tomas Krizek

You changed API, you must regenerate API.txt (./makeapi) and increment minor version in VERSION file

Option 'ipatokenotpkey?' in command 'otptoken_add/1' in API file not found
Options count in otptoken_add of 22 doesn't match expected: 23
Option ipatokenotpkey of command otptoken_add in ipalib, not in API file:
OTPTokenKey('ipatokenotpkey', autofill=True, cli_name='key')

Martin^2

-- Tomas Krizek

From 5a0e3586a8fd3b31ad8fa2ce092e01e9b36154fc Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Mon, 22 Aug 2016 19:04:21 +0200
Subject: [PATCH] Validate key in otptoken-add

Make the OTP token key mandatory and show an appropriate error message if the user enters an empty key.

https://fedorahosted.org/freeipa/ticket/6200

--- API.txt | 2 +- VERSION | 4 ++-- ipaserver/plugins/otptoken.py | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index 5b83bfbd0b457b77e0522ab7d83abfae4df3ebe9..3039832d3b250b5e29b8b932763ef17a479cbd5a 100644 --- a/API.txt +++ b/API.txt 
@@ -3271,7 +3271,7 @@ option: DateTime('ipatokennotafter?', cli_name='not_after') option: DateTime('ipatokennotbefore?', cli_name='not_before') option: StrEnum('ipatokenotpalgorithm?', autofill=True, cli_name='algo', default=u'sha1', values=[u'sha1', u'sha256', u'sha384', u'sha512']) option: IntEnum('ipatokenotpdigits?', autofill=True, cli_name='digits', default=6, values=[6, 8]) -option: OTPTokenKey('ipatokenotpkey?', autofill=True, cli_name='key') +option: OTPTokenKey('ipatokenotpkey', autofill=True, cli_name='key') option: Str('ipatokenowner?', cli_name='owner') option: Str('ipatokenserial?', cli_name='serial') option: Int('ipatokentotpclockoffset?', autofill=True, cli_name='offset', default=0) diff --git a/VERSION b/VERSION index a8b89ed305bcfdf2990a7400d005a68d734fa7e8..9473c820ed7b776a3fda1378f160d2e27f31c3ee 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=212 -# Last change: ab: service: add flag to allow S4U2Self +IPA_API_VERSION_MINOR=213 +# Last change: tkrizek: ipatokenotpkey: set as required diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py index 39012e2f9106c33c520e19f14331fc440333015a..15b25e07a905257f016de68a3d9e182447699d0e 100644 --- a/ipaserver/plugins/otptoken.py +++ b/ipaserver/plugins/otptoken.py @@ -208,7 +208,7 @@ class otptoken(LDAPObject): label=_('Serial'), doc=_('Token serial (informational only)'), ), -OTPTokenKey('ipatokenotpkey?', +OTPTokenKey('ipatokenotpkey', cli_name='key', label=_('Key'), doc=_('Token secret (Base32; default: random)'), -- 2.7.4
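Review bot: in the ipaserver/plugins/otptoken.py hunk, dropping the "?" from 'ipatokenotpkey' makes the option required, yet the doc string in the context lines just below still reads 'Token secret (Base32; default: random)', which describes an optional parameter. The API.txt hunk confirms that the published signature of the option changes, so this is an API change visible to existing clients. Either keep 'ipatokenotpkey?' and reject an empty value inside otptoken_add, or update the doc string and state the compatibility impact in the commit message.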
Re: [Freeipa-devel] [PATCH] 0003 Validate key in otptoken-add
On 22.08.2016 17:48, Martin Basti wrote:
On 22.08.2016 10:22, Tomas Krizek wrote:
Seems like a good idea, I'm attaching the updated patch. Autofill does work when the param is required.

On 08/19/2016 04:19 PM, Martin Basti wrote:
On 16.08.2016 17:35, Tomas Krizek wrote:
Hi, the attached patch fixes an error message when user provides an empty key while adding otp token.

https://fedorahosted.org/freeipa/ticket/6200

I'm curious why we don't fix it here:

OTPTokenKey('ipatokenotpkey?',
    cli_name='key',
    label=_('Key'),
    doc=_('Token secret (Base32; default: random)'),
    default_from=lambda: os.urandom(KEY_LENGTH),
    autofill=True,
    flags=('no_display', 'no_update', 'no_search'),
),

If OTPTokenKey is mandatory, it should be required param (autofill should work in this case too)

Martin^2

-- Tomas Krizek

You changed API, you must regenerate API.txt (./makeapi) and increment minor version in VERSION file

Option 'ipatokenotpkey?' in command 'otptoken_add/1' in API file not found
Options count in otptoken_add of 22 doesn't match expected: 23
Option ipatokenotpkey of command otptoken_add in ipalib, not in API file:
OTPTokenKey('ipatokenotpkey', autofill=True, cli_name='key')

Martin^2

[root@vm-058-107 ~]# ipa otptoken-add --key='ORSXG5DFON2AU==='
Usage: ipa [global-options] otptoken-add [ID] [options]
ipa: error: --key option does not take a value

Well patch doesn't work for me, Honza may know if this is expected behavior of framework or just params bug

Martin^2
Re: [Freeipa-devel] [PATCH] 0003 Validate key in otptoken-add
On 22.08.2016 10:22, Tomas Krizek wrote:
Seems like a good idea, I'm attaching the updated patch. Autofill does work when the param is required.

On 08/19/2016 04:19 PM, Martin Basti wrote:
On 16.08.2016 17:35, Tomas Krizek wrote:
Hi, the attached patch fixes an error message when user provides an empty key while adding otp token.

https://fedorahosted.org/freeipa/ticket/6200

I'm curious why we don't fix it here:

OTPTokenKey('ipatokenotpkey?',
    cli_name='key',
    label=_('Key'),
    doc=_('Token secret (Base32; default: random)'),
    default_from=lambda: os.urandom(KEY_LENGTH),
    autofill=True,
    flags=('no_display', 'no_update', 'no_search'),
),

If OTPTokenKey is mandatory, it should be required param (autofill should work in this case too)

Martin^2

-- Tomas Krizek

You changed API, you must regenerate API.txt (./makeapi) and increment minor version in VERSION file

Option 'ipatokenotpkey?' in command 'otptoken_add/1' in API file not found
Options count in otptoken_add of 22 doesn't match expected: 23
Option ipatokenotpkey of command otptoken_add in ipalib, not in API file:
OTPTokenKey('ipatokenotpkey', autofill=True, cli_name='key')

Martin^2
[Freeipa-devel] [PATCH] 0003 Validate key in otptoken-add
Hi, the attached patch fixes an error message when user provides an empty key while adding otp token.

https://fedorahosted.org/freeipa/ticket/6200

-- Tomas Krizek

From 806e0cf73dcc3ccbfd620b7865561682ea2e37f5 Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Tue, 16 Aug 2016 14:10:49 +0200
Subject: [PATCH] Validate key in otptoken-add

Verify that key is not empty when adding otp token. If it is empty, raise an appropriate error.

https://fedorahosted.org/freeipa/ticket/6200

--- ipaserver/plugins/otptoken.py | 4 1 file changed, 4 insertions(+) diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py index 39012e2f9106c33c520e19f14331fc440333015a..4429edc2f08a18e973773239d7b1db0a01aafb99 100644 --- a/ipaserver/plugins/otptoken.py +++ b/ipaserver/plugins/otptoken.py @@ -323,6 +323,10 @@ class otptoken_add(LDAPCreate): except (NotFound, IndexError): pass +# Check if key is not empty +if entry_attrs['ipatokenotpkey'] is None: +raise ValidationError(name='key', error=_(u'can not be empty')) + # Build the URI parameters args = {} args['issuer'] = issuer -- 2.7.4
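Review bot: the error string in the added "raise ValidationError(name='key', error=_(u'can not be empty'))" line has a typo, 'can not' should be 'cannot'. The string is wrapped in _() and so is picked up for translation, which makes it worth correcting before the patch is pushed. The comment above the check would also read more directly as "Reject an empty key" than "Check if key is not empty".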