Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-26 Thread Alexander Bokovoy

On Wed, 25 Jun 2014, Nathaniel McCallum wrote:

On Wed, 2014-06-25 at 13:18 +0300, Alexander Bokovoy wrote:

On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
On Tue, 2014-06-03 at 09:18 -0400, Nathaniel McCallum wrote:
 On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
  On 3.6.2014 05:08, Nathaniel McCallum wrote:
   This command calls the token sync HTTP POST call in the server providing
   the CLI interface to synchronization.
  
   https://fedorahosted.org/freeipa/ticket/4260
  
   This patch depends on my patch #0055.
  
 
  Build fails on validation. You forgot to update API.txt and also the
  command misses __doc__.
 
  (not a proper review)

 Thanks, fixed.

Attached is a new revision which is rebased on master.

In addition it:

1. Moves user to a parameter and moves token to an argument. Doing it
this way both mirrors the existing otptoken APIs and sets us up for
future Kerberos based syncing where the username/password will be
optional.

2. Converts the token ID to a DN.
ACK.

Please do not commit this patch yet, we are not done with its
dependencies.


As discussed off list, we also needed to verify the certificate so that
passwords were not sent in the clear to a MITM. This has now been
implemented. VERSION is bumped and ./makeapi was run. This patch is also
rebased on top of my patch 0058 (which is already ACK'd), so 0058 needs
to be merged before this patch (0056).

Right. There is one small fix that needs to be squashed prior to
committing as pylint cannot get insights into function states.

The patch attached. With it, ACK.

--
/ Alexander Bokovoy
From b1e75c884fd5303dce038e4f3dc6158d93785671 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Thu, 26 Jun 2014 13:16:47 +0300
Subject: [PATCH 4/4] fixup! Add otptoken-sync command

---
 ipalib/plugins/otptoken.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 46ad77a..7b9e256 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -394,7 +394,7 @@ class otptoken_remove_managedby(LDAPRemoveMember):
 class HTTPSConnection(httplib.HTTPConnection):
 Generates an SSL HTTP connection that performs hostname validation.
 
-ssl_kwargs = 
ssl.wrap_socket.func_code.co_varnames[1:ssl.wrap_socket.func_code.co_argcount]
+ssl_kwargs = 
ssl.wrap_socket.func_code.co_varnames[1:ssl.wrap_socket.func_code.co_argcount] 
#pylint: disable=E1101
 default_port = httplib.HTTPS_PORT
 
 def __init__(self, host, **kwargs):
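Review bot: the `#pylint: disable=E1101` on the `ssl_kwargs` line silences the no-member warning without removing what causes it; `ssl.wrap_socket.func_code.co_varnames[1:...co_argcount]` introspects the CPython function object to learn which keyword names `wrap_socket` accepts, which only works on Python 2 (`func_code` became `__code__` in Python 3) and degrades silently to an empty tuple if `wrap_socket` is ever replaced by a `*args, **kwargs` wrapper, at which point `cert_reqs` and `ca_certs` would be dropped from `__kwargs` instead of forwarded. Listing the accepted names explicitly (`('keyfile', 'certfile', 'cert_reqs', 'ca_certs', ...)`) is both pylint-clean and robust.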
-- 
1.9.3

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
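The certificate check the messages above refer to (Nathaniel's note that the server certificate must be verified so the password is not handed to a man-in-the-middle), shown in Python 3 terms as an added example that is not the FreeIPA patch's code. `match_hostname` is a small re-implementation of the rule that `backports.ssl_match_hostname` applies (the stdlib function of that name has since been removed), the two context builders show the unverified "before" state beside the verified one, and `post_form_verified` is a hypothetical caller. `SAMPLE_CERT`, the `example.test` names and the form fields are constructed for the example.

```python
import http.client
import ssl
import urllib.parse


class CertificateError(ValueError):
    """No name in the presented certificate matches the requested host."""


def _dnsname_match(pattern, hostname):
    """Match one dNSName pattern against a hostname, case-insensitively.

    Stricter than the backport on purpose: a wildcard is accepted only as
    the whole left-most label (*.ipa.example.test), it matches exactly one
    label, and patterns such as *.test (a whole TLD) are refused.
    """
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition('.')
    if head != '*' or '*' in tail or tail.count('.') < 1:
        return False
    host_head, _, host_tail = hostname.partition('.')
    return bool(host_head) and host_tail == tail


def match_hostname(cert, hostname):
    """Check that hostname is named in cert (a getpeercert()-style dict).

    subjectAltName dNSName entries are authoritative; the subject CN is only
    consulted when there is no dNSName at all (the RFC 6125 rule that
    backports.ssl_match_hostname also follows). An empty dict is what
    getpeercert() returns when the certificate was not validated, so it is
    rejected outright rather than treated as 'nothing to check'.
    """
    if not cert:
        raise CertificateError('no validated certificate (verify_mode CERT_NONE?)')
    names = [v for kind, v in cert.get('subjectAltName', ()) if kind == 'DNS']
    if not names:
        names = [v for rdn in cert.get('subject', ()) for k, v in rdn
                 if k == 'commonName']
    if any(_dnsname_match(name, hostname) for name in names):
        return True
    raise CertificateError('hostname %r does not match %r' % (hostname, names))


def hostname_matches(cert, hostname):
    """Boolean form of match_hostname."""
    try:
        return match_hostname(cert, hostname)
    except CertificateError:
        return False


def make_verifying_context(ca_file=None):
    """Context that requires a CA-signed certificate and a matching name."""
    ctx = ssl.create_default_context(cafile=ca_file)  # system store if None
    ctx.check_hostname = True            # explicit, so a refactor cannot
    ctx.verify_mode = ssl.CERT_REQUIRED  # quietly relax either check
    return ctx


def make_unverified_context():
    """The 'before' state: TLS without any check of who answers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx):
    """True only when certificate and hostname verification are both on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def post_form_verified(url, fields, ca_file=None, timeout=30):
    """POST a form (user, password, codes) over a verified TLS connection.

    Hypothetical caller; refuses plain http so credentials never leave the
    host unencrypted. Returns (status, body) without following redirects.
    """
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != 'https':
        raise ValueError('refusing to send credentials over %r' % parts.scheme)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       timeout=timeout,
                                       context=make_verifying_context(ca_file))
    try:
        conn.request('POST', parts.path or '/', urllib.parse.urlencode(fields),
                     {'Content-Type': 'application/x-www-form-urlencoded'})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


# Constructed sample shaped like ssl.SSLSocket.getpeercert() output for a
# hypothetical IPA server; not a real certificate.
SAMPLE_CERT = {
    'subject': ((('commonName', 'ipa.example.test'),),),
    'subjectAltName': (('DNS', 'ipa.example.test'),
                       ('DNS', '*.ipa.example.test')),
}
```

The point of `context_is_safe` is the one the thread's `HTTPSConnection` class has to get right: hostname matching is only meaningful after the chain has been verified against a trusted CA, so both settings are checked together rather than either on its own.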

Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-26 Thread Martin Kosek
On 06/26/2014 01:02 PM, Alexander Bokovoy wrote:
 On Wed, 25 Jun 2014, Nathaniel McCallum wrote:
 On Wed, 2014-06-25 at 13:18 +0300, Alexander Bokovoy wrote:
 On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
 On Tue, 2014-06-03 at 09:18 -0400, Nathaniel McCallum wrote:
  On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
   On 3.6.2014 05:08, Nathaniel McCallum wrote:
This command calls the token sync HTTP POST call in the server 
providing
the CLI interface to synchronization.
   
https://fedorahosted.org/freeipa/ticket/4260
   
This patch depends on my patch #0055.
   
  
   Build fails on validation. You forgot to update API.txt and also the
   command misses __doc__.
  
   (not a proper review)
 
  Thanks, fixed.
 
 Attached is a new revision which is rebased on master.
 
 In addition it:
 
 1. Moves user to a parameter and moves token to an argument. Doing it
 this way both mirrors the existing otptoken APIs and sets us up for
 future Kerberos based syncing where the username/password will be
 optional.
 
 2. Converts the token ID to a DN.
 ACK.

 Please do not commit this patch yet, we are not done with its
 dependencies.

 As discussed off list, we also needed to verify the certificate so that
 passwords were not sent in the clear to a MITM. This has now been
 implemented. VERSION is bumped and ./makeapi was run. This patch is also
 rebased on top of my patch 0058 (which is already ACK'd), so 0058 needs
 to be merged before this patch (0056).
 Right. There is one small fix that needs to be squashed prior to
 committing as pylint cannot get insights into function states.
 
 The patch attached. With it, ACK.

Fixed VERSION conflict, squashed fixup patch and pushed to master.

Martin



Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-25 Thread Alexander Bokovoy

On Tue, 24 Jun 2014, Nathaniel McCallum wrote:

On Tue, 2014-06-03 at 09:18 -0400, Nathaniel McCallum wrote:

On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
 On 3.6.2014 05:08, Nathaniel McCallum wrote:
  This command calls the token sync HTTP POST call in the server providing
  the CLI interface to synchronization.
 
  https://fedorahosted.org/freeipa/ticket/4260
 
  This patch depends on my patch #0055.
 

 Build fails on validation. You forgot to update API.txt and also the
 command misses __doc__.

 (not a proper review)

Thanks, fixed.


Attached is a new revision which is rebased on master.

In addition it:

1. Moves user to a parameter and moves token to an argument. Doing it
this way both mirrors the existing otptoken APIs and sets us up for
future Kerberos based syncing where the username/password will be
optional.

2. Converts the token ID to a DN.

ACK.

Please do not commit this patch yet, we are not done with its
dependencies.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-25 Thread Nathaniel McCallum
On Wed, 2014-06-25 at 13:18 +0300, Alexander Bokovoy wrote:
 On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
 On Tue, 2014-06-03 at 09:18 -0400, Nathaniel McCallum wrote:
  On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
   On 3.6.2014 05:08, Nathaniel McCallum wrote:
This command calls the token sync HTTP POST call in the server 
providing
the CLI interface to synchronization.
   
https://fedorahosted.org/freeipa/ticket/4260
   
This patch depends on my patch #0055.
   
  
   Build fails on validation. You forgot to update API.txt and also the
   command misses __doc__.
  
   (not a proper review)
 
  Thanks, fixed.
 
 Attached is a new revision which is rebased on master.
 
 In addition it:
 
 1. Moves user to a parameter and moves token to an argument. Doing it
 this way both mirrors the existing otptoken APIs and sets us up for
 future Kerberos based syncing where the username/password will be
 optional.
 
 2. Converts the token ID to a DN.
 ACK.
 
 Please do not commit this patch yet, we are not done with its
 dependencies.

As discussed off list, we also needed to verify the certificate so that
passwords were not sent in the clear to a MITM. This has now been
implemented. VERSION is bumped and ./makeapi was run. This patch is also
rebased on top of my patch 0058 (which is already ACK'd), so 0058 needs
to be merged before this patch (0056).

Nathaniel
From c06a4146d10759937116eb6ffe7201636febb1ab Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Mon, 2 Jun 2014 23:00:52 -0400
Subject: [PATCH] Add otptoken-sync command

This command calls the token sync HTTP POST call in the server providing
the CLI interface to synchronization.

https://fedorahosted.org/freeipa/ticket/4260
---
 API.txt|   9 
 VERSION|   4 +-
 ipalib/plugins/otptoken.py | 102 -
 3 files changed, 112 insertions(+), 3 deletions(-)

diff --git a/API.txt b/API.txt
index 3c3b6447fec3c313c3038390ac7317533c530d8b..0924402764ca29711d8a9094c1e4f7dec461ab3c 100644
--- a/API.txt
+++ b/API.txt
@@ -2420,6 +2420,15 @@ option: Str('version?', exclude='webui')
 output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
+command: otptoken_sync
+args: 1,5,1
+arg: Str('token?')
+option: Password('first_code', confirm=False)
+option: Password('password', confirm=False)
+option: Password('second_code', confirm=False)
+option: Str('user')
+option: Str('version?', exclude='webui')
+output: Output('result', None, None)
 command: passwd
 args: 3,1,3
 arg: Str('principal', autofill=True, cli_name='user', primary_key=True)
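Review bot: `arg: Str('token?')` makes the token optional while `option: Str('user')` is required, but nothing in this hunk records what the server does when the token is omitted (sync whichever of the user's tokens the two codes match, or reject); the command `__doc__` that the first review asked for should spell that out, since it is the behaviour users will discover by experiment otherwise. The three `Password(..., confirm=False)` options are right for this command: re-prompting for a one-time code or for a password that is about to be verified server-side adds nothing.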
diff --git a/VERSION b/VERSION
index f0c2db55658f3ab4cfafffc5735aa77b52bc9cc8..1d2e81688b9934baf1790c390452d733b9bed2e9 100644
--- a/VERSION
+++ b/VERSION
@@ -89,5 +89,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=94
-# Last change: npmaccallum - otptoken-add-yubikey
+IPA_API_VERSION_MINOR=95
+# Last change: npmaccallum - otptoken-sync
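Review bot: the hard-coded `IPA_API_VERSION_MINOR=95` collides with any other API change merged first (the push reported later in this thread indeed needed a "VERSION conflict" fix), so expect to re-bump at push time; and the `# Last change:` tag spells the author as `npmaccallum` in both the removed and the added line, while the commit is from `npmccallum`, which is worth fixing while the line is being touched.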
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 7962af0035fb9ac00e68c4b642bb62aa82d498c2..46ad77a2c81842cad9085651b794fd7959d783f0 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -19,15 +19,22 @@
 
 from ipalib.plugins.baseldap import DN, LDAPObject, LDAPAddMember, LDAPRemoveMember
 from ipalib.plugins.baseldap import LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve
-from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, _, ngettext
+from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, Password, _, ngettext
 from ipalib.plugable import Registry
 from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound
 from ipalib.request import context
+from ipalib.frontend import Local
+
+from backports.ssl_match_hostname import match_hostname
 import base64
 import uuid
 import urllib
+import urllib2
+import httplib
+import urlparse
 import qrcode
 import os
+import ssl
 
 __doc__ = _(
 OTP Tokens
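Review bot: `from backports.ssl_match_hostname import match_hostname` introduces a runtime dependency on a non-stdlib module, but the diffstat touches only API.txt, VERSION and otptoken.py, so the package's Requires are not updated in this patch; because the import is at module level, an upgraded client without that module fails to load the whole otptoken plugin, not just `otptoken-sync`. Add the dependency to the spec file, or move the import into the command that needs it.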
@@ -383,3 +390,96 @@ class otptoken_remove_managedby(LDAPRemoveMember):
 __doc__ = _('Remove hosts that can manage this host.')
 
 member_attributes = ['managedby']
+
+class HTTPSConnection(httplib.HTTPConnection):
+Generates an SSL HTTP connection that performs hostname validation.
+
+ssl_kwargs = ssl.wrap_socket.func_code.co_varnames[1:ssl.wrap_socket.func_code.co_argcount]
+default_port = httplib.HTTPS_PORT
+
+def __init__(self, host, **kwargs):
+# Strip out arguments we want to pass to ssl.wrap_socket()
+self.__kwargs = {k: v for k, v in kwargs.items() if k in self.ssl_kwargs}
+for k in 
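Review bot: `HTTPSConnection.__init__` filters `kwargs` down to the names `ssl.wrap_socket` accepts and forwards them, but in Python 2.7 `wrap_socket` defaults to `cert_reqs=CERT_NONE`; unless the caller (cut off in this copy of the patch) passes `cert_reqs=ssl.CERT_REQUIRED` together with `ca_certs=` pointing at the IPA CA, the peer certificate is never chained to a trusted CA and the `match_hostname` call only compares a name inside an unverified certificate, which is exactly the MITM case this class exists to prevent. Make those two arguments mandatory in the constructor (or set them unconditionally there) rather than optional pass-throughs.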

Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Alexander Bokovoy

On Tue, 03 Jun 2014, Nathaniel McCallum wrote:

On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:

On 3.6.2014 05:08, Nathaniel McCallum wrote:
 This command calls the token sync HTTP POST call in the server providing
 the CLI interface to synchronization.

 https://fedorahosted.org/freeipa/ticket/4260

 This patch depends on my patch #0055.


Build fails on validation. You forgot to update API.txt and also the
command misses __doc__.

(not a proper review)

Failed for me:

[root@ipa-01 rpms]# ipa otptoken-show test.token
 Unique ID: test.token
 Description: test token
 Owner: abbra
 Vendor: FreeIPA
 Model: hotp
[root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token 
Password: 
First Code: 
Second Code: 
ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized',

httplib.HTTPMessage instance at 0x2cdde60)
Traceback (most recent call last):
 File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
in execute
   result = self.Command[_name](*args, **options)
 File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
in __call__
   ret = self.run(*args, **options)
 File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118,
in run
   return self.forward(*args, **options)
 File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py,
line 427, in forward
   rsp = urllib.urlopen(sync_uri, query)
 File /usr/lib64/python2.7/urllib.py, line 89, in urlopen
   return opener.open(url, data)
 File /usr/lib64/python2.7/urllib.py, line 210, in open
   return getattr(self, name)(url, data)
 File /usr/lib64/python2.7/urllib.py, line 454, in open_https
   data)
 File /usr/lib64/python2.7/urllib.py, line 374, in http_error
   result = method(url, fp, errcode, errmsg, headers, data)
 File /usr/lib64/python2.7/urllib.py, line 689, in http_error_401
   errcode, errmsg, headers)
 File /usr/lib64/python2.7/urllib.py, line 381, in http_error_default
   raise IOError, ('http error', errcode, errmsg, headers)
IOError: ('http error', 401, 'Unauthorized', httplib.HTTPMessage instance at 
0x2cdde60)
ipa: ERROR: an internal error has occurred

Note that I can successfully use the token. It looks like authentication
with urllib.urlopen(sync_uri, query) fails.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Nathaniel McCallum
On Tue, 2014-06-24 at 19:34 +0300, Alexander Bokovoy wrote:
 On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
 On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
  On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
  On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
   On 3.6.2014 05:08, Nathaniel McCallum wrote:
This command calls the token sync HTTP POST call in the server 
providing
the CLI interface to synchronization.
   
https://fedorahosted.org/freeipa/ticket/4260
   
This patch depends on my patch #0055.
   
  
   Build fails on validation. You forgot to update API.txt and also the
   command misses __doc__.
  
   (not a proper review)
  Failed for me:
 
  [root@ipa-01 rpms]# ipa otptoken-show test.token
Unique ID: test.token
Description: test token
Owner: abbra
Vendor: FreeIPA
Model: hotp
  [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
  Password:
  First Code:
  Second Code:
  ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized',
  httplib.HTTPMessage instance at 0x2cdde60)
  Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
  in execute
  result = self.Command[_name](*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
  in __call__
  ret = self.run(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118,
  in run
  return self.forward(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py,
  line 427, in forward
  rsp = urllib.urlopen(sync_uri, query)
File /usr/lib64/python2.7/urllib.py, line 89, in urlopen
  return opener.open(url, data)
File /usr/lib64/python2.7/urllib.py, line 210, in open
  return getattr(self, name)(url, data)
File /usr/lib64/python2.7/urllib.py, line 454, in open_https
  data)
File /usr/lib64/python2.7/urllib.py, line 374, in http_error
  result = method(url, fp, errcode, errmsg, headers, data)
File /usr/lib64/python2.7/urllib.py, line 689, in http_error_401
  errcode, errmsg, headers)
File /usr/lib64/python2.7/urllib.py, line 381, in http_error_default
  raise IOError, ('http error', errcode, errmsg, headers)
  IOError: ('http error', 401, 'Unauthorized', httplib.HTTPMessage instance 
  at 0x2cdde60)
  ipa: ERROR: an internal error has occurred
 
  Note that I can successfully use the token. It looks like authentication
  with urllib.urlopen(sync_uri, query) fails.
 
 Works for me (just tested). I suspect you have not updated the ipa httpd
 config. Did you apply patches 0054, 0055 and 0056?
 Yes, I did apply those patches and I installed packages as an upgrade.
 How am I supposed to update the httpd config? I think we need to solve this
 without re-install and it should be done automatically.

Oh. I thought it *was* done automatically...



Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Alexander Bokovoy

On Tue, 24 Jun 2014, Nathaniel McCallum wrote:

On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:

On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
 On 3.6.2014 05:08, Nathaniel McCallum wrote:
  This command calls the token sync HTTP POST call in the server providing
  the CLI interface to synchronization.
 
  https://fedorahosted.org/freeipa/ticket/4260
 
  This patch depends on my patch #0055.
 

 Build fails on validation. You forgot to update API.txt and also the
 command misses __doc__.

 (not a proper review)
Failed for me:

[root@ipa-01 rpms]# ipa otptoken-show test.token
  Unique ID: test.token
  Description: test token
  Owner: abbra
  Vendor: FreeIPA
  Model: hotp
[root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
Password:
First Code:
Second Code:
ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized',
httplib.HTTPMessage instance at 0x2cdde60)
Traceback (most recent call last):
  File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
in execute
result = self.Command[_name](*args, **options)
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
in __call__
ret = self.run(*args, **options)
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118,
in run
return self.forward(*args, **options)
  File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py,
line 427, in forward
rsp = urllib.urlopen(sync_uri, query)
  File /usr/lib64/python2.7/urllib.py, line 89, in urlopen
return opener.open(url, data)
  File /usr/lib64/python2.7/urllib.py, line 210, in open
return getattr(self, name)(url, data)
  File /usr/lib64/python2.7/urllib.py, line 454, in open_https
data)
  File /usr/lib64/python2.7/urllib.py, line 374, in http_error
result = method(url, fp, errcode, errmsg, headers, data)
  File /usr/lib64/python2.7/urllib.py, line 689, in http_error_401
errcode, errmsg, headers)
  File /usr/lib64/python2.7/urllib.py, line 381, in http_error_default
raise IOError, ('http error', errcode, errmsg, headers)
IOError: ('http error', 401, 'Unauthorized', httplib.HTTPMessage instance at 
0x2cdde60)
ipa: ERROR: an internal error has occurred

Note that I can successfully use the token. It looks like authentication
with urllib.urlopen(sync_uri, query) fails.


Works for me (just tested). I suspect you have not updated the ipa httpd
config. Did you apply patches 0054, 0055 and 0056?

Yes, I did apply those patches and I installed packages as an upgrade.
How am I supposed to update the httpd config? I think we need to solve this
without re-install and it should be done automatically.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Nathaniel McCallum
On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
 On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
 On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
  On 3.6.2014 05:08, Nathaniel McCallum wrote:
   This command calls the token sync HTTP POST call in the server providing
   the CLI interface to synchronization.
  
   https://fedorahosted.org/freeipa/ticket/4260
  
   This patch depends on my patch #0055.
  
 
  Build fails on validation. You forgot to update API.txt and also the
  command misses __doc__.
 
  (not a proper review)
 Failed for me:
 
 [root@ipa-01 rpms]# ipa otptoken-show test.token
   Unique ID: test.token
   Description: test token
   Owner: abbra
   Vendor: FreeIPA
   Model: hotp
 [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token 
 Password: 
 First Code: 
 Second Code: 
 ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized',
 httplib.HTTPMessage instance at 0x2cdde60)
 Traceback (most recent call last):
   File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
 in execute
 result = self.Command[_name](*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
 in __call__
 ret = self.run(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118,
 in run
 return self.forward(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py,
 line 427, in forward
 rsp = urllib.urlopen(sync_uri, query)
   File /usr/lib64/python2.7/urllib.py, line 89, in urlopen
 return opener.open(url, data)
   File /usr/lib64/python2.7/urllib.py, line 210, in open
 return getattr(self, name)(url, data)
   File /usr/lib64/python2.7/urllib.py, line 454, in open_https
 data)
   File /usr/lib64/python2.7/urllib.py, line 374, in http_error
 result = method(url, fp, errcode, errmsg, headers, data)
   File /usr/lib64/python2.7/urllib.py, line 689, in http_error_401
 errcode, errmsg, headers)
   File /usr/lib64/python2.7/urllib.py, line 381, in http_error_default
 raise IOError, ('http error', errcode, errmsg, headers)
 IOError: ('http error', 401, 'Unauthorized', httplib.HTTPMessage instance at 
 0x2cdde60)
 ipa: ERROR: an internal error has occurred
 
 Note that I can successfully use the token. It looks like authentication
 with urllib.urlopen(sync_uri, query) fails.

Works for me (just tested). I suspect you have not updated the ipa httpd
config. Did you apply patches 0054, 0055 and 0056?

Nathaniel




Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Alexander Bokovoy

On Tue, 24 Jun 2014, Nathaniel McCallum wrote:

On Tue, 2014-06-24 at 19:34 +0300, Alexander Bokovoy wrote:

On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
 On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
 On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
  On 3.6.2014 05:08, Nathaniel McCallum wrote:
   This command calls the token sync HTTP POST call in the server providing
   the CLI interface to synchronization.
  
   https://fedorahosted.org/freeipa/ticket/4260
  
   This patch depends on my patch #0055.
  
 
  Build fails on validation. You forgot to update API.txt and also the
  command misses __doc__.
 
  (not a proper review)
 Failed for me:

 [root@ipa-01 rpms]# ipa otptoken-show test.token
   Unique ID: test.token
   Description: test token
   Owner: abbra
   Vendor: FreeIPA
   Model: hotp
 [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
 Password:
 First Code:
 Second Code:
 ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized',
 httplib.HTTPMessage instance at 0x2cdde60)
 Traceback (most recent call last):
   File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
 in execute
 result = self.Command[_name](*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
 in __call__
 ret = self.run(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118,
 in run
 return self.forward(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py,
 line 427, in forward
 rsp = urllib.urlopen(sync_uri, query)
   File /usr/lib64/python2.7/urllib.py, line 89, in urlopen
 return opener.open(url, data)
   File /usr/lib64/python2.7/urllib.py, line 210, in open
 return getattr(self, name)(url, data)
   File /usr/lib64/python2.7/urllib.py, line 454, in open_https
 data)
   File /usr/lib64/python2.7/urllib.py, line 374, in http_error
 result = method(url, fp, errcode, errmsg, headers, data)
   File /usr/lib64/python2.7/urllib.py, line 689, in http_error_401
 errcode, errmsg, headers)
   File /usr/lib64/python2.7/urllib.py, line 381, in http_error_default
 raise IOError, ('http error', errcode, errmsg, headers)
 IOError: ('http error', 401, 'Unauthorized', httplib.HTTPMessage instance at 
0x2cdde60)
 ipa: ERROR: an internal error has occurred

 Note that I can successfully use the token. It looks like authentication
 with urllib.urlopen(sync_uri, query) fails.

Works for me (just tested). I suspect you have not updated the ipa httpd
config. Did you apply patches 0054, 0055 and 0056?
Yes, I did apply those patches and I installed packages as an upgrade.
How am I supposed to update the httpd config? I think we need to solve this
without re-install and it should be done automatically.


Oh. I thought it *was* done automatically...

No. You only modified the template which is used for an install from
scratch.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Martin Kosek

On 06/24/2014 06:44 PM, Alexander Bokovoy wrote:

On Tue, 24 Jun 2014, Nathaniel McCallum wrote:

On Tue, 2014-06-24 at 19:34 +0300, Alexander Bokovoy wrote:

On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
 On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
 On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
  On 3.6.2014 05:08, Nathaniel McCallum wrote:
   This command calls the token sync HTTP POST call in the server
providing
   the CLI interface to synchronization.
  
   https://fedorahosted.org/freeipa/ticket/4260
  
   This patch depends on my patch #0055.
  
 
  Build fails on validation. You forgot to update API.txt and also the
  command misses __doc__.
 
  (not a proper review)
 Failed for me:

 [root@ipa-01 rpms]# ipa otptoken-show test.token
   Unique ID: test.token
   Description: test token
   Owner: abbra
   Vendor: FreeIPA
   Model: hotp
 [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
 Password:
 First Code:
 Second Code:
 ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized',
 httplib.HTTPMessage instance at 0x2cdde60)
 Traceback (most recent call last):
   File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
 in execute
 result = self.Command[_name](*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
 in __call__
 ret = self.run(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118,
 in run
 return self.forward(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py,
 line 427, in forward
 rsp = urllib.urlopen(sync_uri, query)
   File /usr/lib64/python2.7/urllib.py, line 89, in urlopen
 return opener.open(url, data)
   File /usr/lib64/python2.7/urllib.py, line 210, in open
 return getattr(self, name)(url, data)
   File /usr/lib64/python2.7/urllib.py, line 454, in open_https
 data)
   File /usr/lib64/python2.7/urllib.py, line 374, in http_error
 result = method(url, fp, errcode, errmsg, headers, data)
   File /usr/lib64/python2.7/urllib.py, line 689, in http_error_401
 errcode, errmsg, headers)
   File /usr/lib64/python2.7/urllib.py, line 381, in http_error_default
 raise IOError, ('http error', errcode, errmsg, headers)
 IOError: ('http error', 401, 'Unauthorized', httplib.HTTPMessage
instance at 0x2cdde60)
 ipa: ERROR: an internal error has occurred

 Note that I can successfully use the token. It looks like authentication
 with urllib.urlopen(sync_uri, query) fails.

Works for me (just tested). I suspect you have not updated the ipa httpd
config. Did you apply patches 0054, 0055 and 0056?
Yes, I did apply those patches and I installed packages as an upgrade.
How am I supposed to update the httpd config? I think we need to solve this
without re-install and it should be done automatically.


Oh. I thought it *was* done automatically...

No. You only modified the template which is used for an install from
scratch.


It *will* get updated automatically if you bump the VERSION on the first line 
of install/conf/ipa.conf.


Martin

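Martin's point above (the installed httpd config is rewritten on upgrade only when the VERSION on the first line of install/conf/ipa.conf is bumped, which is why Alexander's upgraded server still answered 401) as an added example, not FreeIPA's own upgrade code. It parses the first-line marker and decides whether to rewrite; the exact marker wording, the `/ipa/session/sync_token` location block and both config texts are constructed for the example.

```python
import re

# First-line marker of the kind FreeIPA-style templates carry, e.g.
# "# VERSION 12 - DO NOT REMOVE THIS LINE". The wording is an assumption;
# only the leading "# VERSION <integer>" is relied on.
_VERSION_LINE = re.compile(r'^#\s*VERSION\s+(\d+)\b')


def config_version(text):
    """Integer from the first-line VERSION marker, or None if it is absent."""
    first_line = text.splitlines()[0] if text.strip() else ''
    m = _VERSION_LINE.match(first_line)
    return int(m.group(1)) if m else None


def upgrade_action(template_text, installed_text):
    """Decide what an upgrader should do with the installed config file.

    Returns 'install' (no file, or a file without a marker), 'rewrite'
    (template is newer), 'keep' (same version) or 'warn-newer' (installed
    file is ahead of the template, e.g. after a package downgrade).
    """
    template_version = config_version(template_text)
    if template_version is None:
        raise ValueError('template has no VERSION line; nothing to compare')
    installed_version = config_version(installed_text)
    if installed_version is None:
        return 'install'
    if installed_version < template_version:
        return 'rewrite'
    if installed_version == template_version:
        return 'keep'
    return 'warn-newer'


def apply_upgrade(template_text, installed_text):
    """Text that should be on disk after the upgrade step runs."""
    action = upgrade_action(template_text, installed_text)
    return template_text if action in ('install', 'rewrite') else installed_text


# Constructed samples (not FreeIPA's real ipa.conf). The installed copy
# predates the hypothetical sync_token location the new template adds.
INSTALLED_CONF = """# VERSION 11 - DO NOT REMOVE THIS LINE
<Location "/ipa">
    AuthType Kerberos
</Location>
"""

# Template with the new block but the version NOT bumped: what the first
# revision of the patch shipped, and why the upgrader left the old file.
TEMPLATE_UNBUMPED = """# VERSION 11 - DO NOT REMOVE THIS LINE
<Location "/ipa">
    AuthType Kerberos
</Location>
<Location "/ipa/session/sync_token">
    Require all granted
</Location>
"""

# Same template with the version bumped, which makes the upgrader rewrite.
TEMPLATE_BUMPED = TEMPLATE_UNBUMPED.replace('# VERSION 11', '# VERSION 12', 1)
```

With `TEMPLATE_UNBUMPED` the decision is `keep`, so the server never learns about the new location and the POST lands in a part of the config that still demands Kerberos; with `TEMPLATE_BUMPED` the same content is rewritten. The version is the only input the upgrader looks at, which is the whole reason the bump is part of any patch that touches the template.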


Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Nathaniel McCallum
On Tue, 2014-06-24 at 21:40 +0200, Martin Kosek wrote:
 On 06/24/2014 06:44 PM, Alexander Bokovoy wrote:
  On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
  On Tue, 2014-06-24 at 19:34 +0300, Alexander Bokovoy wrote:
  On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
  On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
   On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
   On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
On 3.6.2014 05:08, Nathaniel McCallum wrote:
 This command calls the token sync HTTP POST call in the server
  providing
 the CLI interface to synchronization.

 https://fedorahosted.org/freeipa/ticket/4260

 This patch depends on my patch #0055.

   
Build fails on validation. You forgot to update API.txt and also the
command misses __doc__.
   
(not a proper review)
   Failed for me:
  
   [root@ipa-01 rpms]# ipa otptoken-show test.token
 Unique ID: test.token
 Description: test token
 Owner: abbra
 Vendor: FreeIPA
 Model: hotp
   [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
   Password:
   First Code:
   Second Code:
   ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized',
   httplib.HTTPMessage instance at 0x2cdde60)
   Traceback (most recent call last):
 File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
   in execute
   result = self.Command[_name](*args, **options)
 File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
   in __call__
   ret = self.run(*args, **options)
 File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 
   1118,
   in run
   return self.forward(*args, **options)
 File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py,
   line 427, in forward
   rsp = urllib.urlopen(sync_uri, query)
 File /usr/lib64/python2.7/urllib.py, line 89, in urlopen
   return opener.open(url, data)
 File /usr/lib64/python2.7/urllib.py, line 210, in open
   return getattr(self, name)(url, data)
 File /usr/lib64/python2.7/urllib.py, line 454, in open_https
   data)
 File /usr/lib64/python2.7/urllib.py, line 374, in http_error
   result = method(url, fp, errcode, errmsg, headers, data)
 File /usr/lib64/python2.7/urllib.py, line 689, in http_error_401
   errcode, errmsg, headers)
 File /usr/lib64/python2.7/urllib.py, line 381, in 
   http_error_default
   raise IOError, ('http error', errcode, errmsg, headers)
   IOError: ('http error', 401, 'Unauthorized', httplib.HTTPMessage
  instance at 0x2cdde60)
   ipa: ERROR: an internal error has occurred
  
   Note that I can successfully use the token. It looks like 
   authentication
   with urllib.urlopen(sync_uri, query) fails.
  
  Works for me (just tested). I suspect you have not updated the ipa httpd
  config. Did you apply patches 0054, 0055 and 0056?
  Yes, I did apply those patches and I installed packages as an upgrade.
  How am I supposed to update the httpd config? I think we need to solve this
  without re-install and it should be done automatically.
 
  Oh. I thought it *was* done automatically...
  No. You only modified the template which is used for an install from
  scratch.
 
 It *will* get updated automatically if you bump the VERSION on the first 
 line 
 of install/conf/ipa.conf.

Yup, I figured that out about 15 minutes ago by looking at your past
commits. :)

Nathaniel



Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Nathaniel McCallum
On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
 On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
 On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
  On 3.6.2014 05:08, Nathaniel McCallum wrote:
   This command calls the token sync HTTP POST call in the server providing
   the CLI interface to synchronization.
  
   https://fedorahosted.org/freeipa/ticket/4260
  
   This patch depends on my patch #0055.
  
 
  Build fails on validation. You forgot to update API.txt and also the
  command misses __doc__.
 
  (not a proper review)
 Failed for me:
 
 [root@ipa-01 rpms]# ipa otptoken-show test.token
   Unique ID: test.token
   Description: test token
   Owner: abbra
   Vendor: FreeIPA
   Model: hotp
 [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token 
 Password: 
 First Code: 
 Second Code: 
 ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized',
 httplib.HTTPMessage instance at 0x2cdde60)
 Traceback (most recent call last):
   File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
 in execute
 result = self.Command[_name](*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
 in __call__
 ret = self.run(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118,
 in run
 return self.forward(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py,
 line 427, in forward
 rsp = urllib.urlopen(sync_uri, query)
   File /usr/lib64/python2.7/urllib.py, line 89, in urlopen
 return opener.open(url, data)
   File /usr/lib64/python2.7/urllib.py, line 210, in open
 return getattr(self, name)(url, data)
   File /usr/lib64/python2.7/urllib.py, line 454, in open_https
 data)
   File /usr/lib64/python2.7/urllib.py, line 374, in http_error
 result = method(url, fp, errcode, errmsg, headers, data)
   File /usr/lib64/python2.7/urllib.py, line 689, in http_error_401
 errcode, errmsg, headers)
   File /usr/lib64/python2.7/urllib.py, line 381, in http_error_default
 raise IOError, ('http error', errcode, errmsg, headers)
 IOError: ('http error', 401, 'Unauthorized', httplib.HTTPMessage instance at 0x2cdde60)
 ipa: ERROR: an internal error has occurred
 
 Note that I can successfully use the token. It looks like authentication
 with urllib.urlopen(sync_uri, query) fails.

This should be fixed in 0055.1.

Nathaniel
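The 401 traceback quoted above is urllib's normal behaviour rather than a quirk of the setup: `urllib.urlopen` raises `IOError` for any 4xx or 5xx response instead of returning it, so a client that only checks `rsp.getcode() == 200` never reaches the point where 'invalid-credentials' would be turned into a message, and the patches in this thread additionally carry a `# WARNING: This does not validate the server's certificate.` comment next to the call that posts the password. The block below is an added example, not code from FreeIPA or from any patch in this thread; it is written against the Python 3 standard library rather than the Python 2 `urllib` the patches use. The `X-IPA-TokenSync-Result` header name, the `/session/sync_token` path and the `ok` / `error` / `invalid-credentials` result values come from the patches; the hostname `ipa.example.test`, the credentials, and the `FakeSyncServer` and `unreachable_server` stand-ins are constructed so the example runs offline.

```python
# Added example (not FreeIPA code): a hardened client-side sync call.
# Three changes relative to the posted patch: the https gate raises instead of
# using assert (asserts vanish under -O), the opener verifies the server
# certificate and hostname, and 4xx/5xx responses, which urllib raises as
# HTTPError rather than returning, are mapped to a result instead of escaping
# as an internal error.
import ssl
import urllib.error
import urllib.parse
import urllib.request

SYNC_HEADER = 'X-IPA-TokenSync-Result'   # header name used by the patches


def build_sync_uri(xmlrpc_uri):
    """Derive the sync endpoint from the XML-RPC URI; refuse anything but https.
    A real exception, not an assert, so the check survives `python -O`."""
    parts = urllib.parse.urlsplit(xmlrpc_uri)
    if parts.scheme != 'https':
        raise ValueError('refusing to send credentials over %r' % parts.scheme)
    path = parts.path.replace('/xml', '/session/sync_token')
    return urllib.parse.urlunsplit((parts.scheme, parts.netloc, path, '', ''))


def verified_opener(ca_file=None):
    """urlopen-style callable that checks the certificate chain and hostname.
    ca_file is a PEM bundle (e.g. the IPA CA); None means the system store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx)).open


def sync_token(xmlrpc_uri, user, password, first_code, second_code,
               token_dn=None, opener=None):
    """POST the credentials and both codes; return the server's verdict
    ('ok', 'invalid-credentials', ...) or 'error' when none came back."""
    opener = opener or verified_opener()
    form = {'user': user, 'password': password,
            'first_code': first_code, 'second_code': second_code}
    if token_dn is not None:
        form['token'] = token_dn
    request = urllib.request.Request(
        build_sync_uri(xmlrpc_uri),
        data=urllib.parse.urlencode(form).encode('utf-8'))
    try:
        rsp = opener(request)
    except urllib.error.HTTPError as exc:
        # 4xx/5xx never come back as a response object; read the verdict here.
        verdict = exc.headers.get(SYNC_HEADER) if exc.headers is not None else None
        return verdict or ('invalid-credentials' if exc.code == 401 else 'error')
    except (urllib.error.URLError, OSError):
        # Connection failures and TLS verification failures (ssl.SSLError is an OSError).
        return 'error'
    try:
        return rsp.headers.get(SYNC_HEADER, 'unknown')
    finally:
        rsp.close()


class _FakeResponse(object):
    """Constructed minimal response: just headers and close()."""
    def __init__(self, headers):
        self.headers = headers

    def close(self):
        pass


class FakeSyncServer(object):
    """Constructed opener: one valid credential set, 401 for everything else,
    mirroring the 'Unauthorized' the real endpoint returned in the thread."""
    def __init__(self, password, codes):
        self.password, self.codes = password, codes

    def __call__(self, request):
        form = urllib.parse.parse_qs(request.data.decode('utf-8'))
        codes = (form.get('first_code', [None])[0], form.get('second_code', [None])[0])
        if form.get('password') == [self.password] and codes == self.codes:
            return _FakeResponse({SYNC_HEADER: 'ok'})
        raise urllib.error.HTTPError(request.full_url, 401, 'Unauthorized',
                                     {SYNC_HEADER: 'invalid-credentials'}, None)


def unreachable_server(request):
    # Constructed opener that behaves like a refused connection.
    raise urllib.error.URLError('connection refused')


def demo():
    """Exercise the four paths: success, bad password, plain http, server down."""
    server = FakeSyncServer('hunter2', ('123456', '654321'))
    uri = 'https://ipa.example.test/ipa/xml'      # constructed hostname
    good = sync_token(uri, 'abbra', 'hunter2', '123456', '654321', opener=server)
    bad = sync_token(uri, 'abbra', 'wrong', '123456', '654321', opener=server)
    try:
        sync_token('http://ipa.example.test/ipa/xml', 'abbra', 'hunter2',
                   '123456', '654321', opener=server)
        plaintext = 'sent'
    except ValueError:
        plaintext = 'refused'
    down = sync_token(uri, 'abbra', 'hunter2', '123456', '654321',
                      opener=unreachable_server)
    return good, bad, plaintext, down


if __name__ == '__main__':
    print(demo())   # ('ok', 'invalid-credentials', 'refused', 'error')
```

In real use the `opener` argument is left at its default so `verified_opener` is used; pass the IPA CA bundle as `ca_file` when the server certificate does not chain to the system store. The fake server only models the two outcomes visible in the thread (a 200 carrying the result header and a 401); the mapping in `sync_token` is what the posted `output_for_cli` table needs in order for its 'error' and 'invalid-credentials' rows to be reachable.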



Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Nathaniel McCallum
On Tue, 2014-06-03 at 09:18 -0400, Nathaniel McCallum wrote:
 On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
  On 3.6.2014 05:08, Nathaniel McCallum wrote:
   This command calls the token sync HTTP POST call in the server providing
   the CLI interface to synchronization.
  
   https://fedorahosted.org/freeipa/ticket/4260
  
   This patch depends on my patch #0055.
  
  
  Build fails on validation. You forgot to update API.txt and also the 
  command misses __doc__.
  
  (not a proper review)
 
 Thanks, fixed.

Attached is a new revision which is rebased on master.

In addition it:

1. Moves user to a parameter and moves token to an argument. Doing it
this way both mirrors the existing otptoken APIs and sets us up for
future Kerberos based syncing where the username/password will be
optional.

2. Converts the token ID to a DN.

Nathaniel
From 6876cabce395ab3aee87ce2f9de3a0cb353fae47 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Mon, 2 Jun 2014 23:00:52 -0400
Subject: [PATCH] Add otptoken-sync command

This command calls the token sync HTTP POST call in the server providing
the CLI interface to synchronization.

https://fedorahosted.org/freeipa/ticket/4260
---
 API.txt|  9 
 ipalib/plugins/otptoken.py | 56 +-
 2 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/API.txt b/API.txt
index 0dd28068edbd37f021a58195941e102c25fa360f..ab09b089d1ff525de82c2044fac939b78a2afa05 100644
--- a/API.txt
+++ b/API.txt
@@ -2408,6 +2408,15 @@ option: Str('version?', exclude='webui')
 output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
+command: otptoken_sync
+args: 1,5,1
+arg: Str('token?')
+option: Password('first_code', confirm=False)
+option: Password('password', confirm=False)
+option: Password('second_code', confirm=False)
+option: Str('user')
+option: Str('version?', exclude='webui')
+output: Output('result', None, None)
 command: passwd
 args: 3,1,3
 arg: Str('principal', autofill=True, cli_name='user', primary_key=True)
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index d834d582a16d95ab08c3f1fe1aef29160c77ae23..035328ce3260dd1c784a7cdb2aa4bf54fe6e7a27 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -19,13 +19,16 @@
 
 from ipalib.plugins.baseldap import DN, LDAPObject, LDAPAddMember, LDAPRemoveMember
 from ipalib.plugins.baseldap import LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve
-from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, _, ngettext
+from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, Password, _, ngettext
 from ipalib.plugable import Registry
 from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound
 from ipalib.request import context
+from ipalib.frontend import Local
+
 import base64
 import uuid
 import urllib
+import urlparse
 import qrcode
 import os
 
@@ -383,3 +386,54 @@ class otptoken_remove_managedby(LDAPRemoveMember):
 __doc__ = _('Remove hosts that can manage this host.')
 
 member_attributes = ['managedby']
+
+@register()
+class otptoken_sync(Local):
+__doc__ = _('Synchronize an OTP token.')
+
+header = 'X-IPA-TokenSync-Result'
+
+takes_options = (
+Str('user', label=_('User ID')),
+Password('password', label=_('Password'), confirm=False),
+Password('first_code', label=_('First Code'), confirm=False),
+Password('second_code', label=_('Second Code'), confirm=False),
+)
+
+takes_args = (
+Str('token?', label=_('Token ID')),
+)
+
+def forward(self, *args, **kwargs):
+status = {'result': {self.header: 'unknown'}}
+
+# Get the sync URI.
+segments = list(urlparse.urlparse(self.api.env.xmlrpc_uri))
+assert segments[0] == 'https' # Ensure encryption.
+segments[2] = segments[2].replace('/xml', '/session/sync_token')
+sync_uri = urlparse.urlunparse(segments)
+
+# Prepare the query.
+query = {k: v for k, v in kwargs.items()
+if k in {x.name for x in self.takes_options}}
+if args and args[0] is not None:
+obj = self.api.Object.otptoken
+query['token'] = DN((obj.primary_key.name, args[0]),
+obj.container_dn, self.api.env.basedn)
+query = urllib.urlencode(query)
+
+# Sync the token.
+# WARNING: This does not validate the server's certificate.
+rsp = urllib.urlopen(sync_uri, query)
+if rsp.getcode() == 200:
+status['result'][self.header] = rsp.info().get(self.header, 'unknown')
+rsp.close()
+
+return status
+
+def output_for_cli(self, textui, result, *keys, **options):
+
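Review bot: the transport gate in `forward`, `assert segments[0] == 'https' # Ensure encryption.`, is compiled out under `python -O`, so the one check that keeps the password and both codes off plain HTTP disappears in optimized runs; raise an explicit error (a `ValueError` or an ipalib error) instead. The `# WARNING: This does not validate the server's certificate.` comment above `rsp = urllib.urlopen(sync_uri, query)` is an open item for a call that posts a password, not a note to ship: either switch to a client that verifies the chain and hostname against the IPA CA, or state why that is acceptable here. `urllib.urlopen` also raises `IOError` on 4xx/5xx responses (the 401 traceback earlier in this thread shows exactly that path), so `if rsp.getcode() == 200:` never sees an error response and the user gets "an internal error has occurred" rather than a result; wrap the call in `try/except IOError` and set `status['result'][self.header]` from the exception. The hunk is cut off right after `def output_for_cli(self, textui, result, *keys, **options):`, so its body could not be reviewed here.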

Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-03 Thread Petr Vobornik

On 3.6.2014 05:08, Nathaniel McCallum wrote:

This command calls the token sync HTTP POST call in the server providing
the CLI interface to synchronization.

https://fedorahosted.org/freeipa/ticket/4260

This patch depends on my patch #0055.



Build fails on validation. You forgot to update API.txt and also the 
command misses __doc__.


(not a proper review)
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-03 Thread Nathaniel McCallum
On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
 On 3.6.2014 05:08, Nathaniel McCallum wrote:
  This command calls the token sync HTTP POST call in the server providing
  the CLI interface to synchronization.
 
  https://fedorahosted.org/freeipa/ticket/4260
 
  This patch depends on my patch #0055.
 
 
 Build fails on validation. You forgot to update API.txt and also the 
 command misses __doc__.
 
 (not a proper review)

Thanks, fixed.


From b3762639df8b673f449cbb742e1b40d2f6901503 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Mon, 2 Jun 2014 23:00:52 -0400
Subject: [PATCH] Add otptoken-sync command

This command calls the token sync HTTP POST call in the server providing
the CLI interface to synchronization.

https://fedorahosted.org/freeipa/ticket/4260
---
 API.txt|  9 
 ipalib/plugins/otptoken.py | 56 +-
 2 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/API.txt b/API.txt
index caee61a22fcbf1395fcec55e9d5f5b23c4269523..d57d244101fc61b3ecdddf7a989cffd3d5a0031f 100644
--- a/API.txt
+++ b/API.txt
@@ -2320,6 +2320,15 @@ option: Str('version?', exclude='webui')
 output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
+command: otptoken_sync
+args: 1,5,1
+arg: Str('user')
+option: Password('first_code', confirm=False)
+option: Password('password', confirm=False)
+option: Password('second_code', confirm=False)
+option: Str('token?')
+option: Str('version?', exclude='webui')
+output: Output('result', None, None)
 command: passwd
 args: 3,1,3
 arg: Str('principal', autofill=True, cli_name='user', primary_key=True)
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index b264287c322381fb99c8823f7b1505ec537973ad..ed13fc6b9c8e50211522338bfb0c3ad7300c468d 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -18,14 +18,17 @@
 # along with this program.  If not, see http://www.gnu.org/licenses/.
 
 from ipalib.plugins.baseldap import DN, LDAPObject, LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve
-from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, _, ngettext
+from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, Password, _, ngettext
 from ipalib.plugable import Registry
 from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound
 from ipalib.request import context
+from ipalib.frontend import Local
+
 import base64
 import uuid
 import random
 import urllib
+import urlparse
 import qrcode
 
 __doc__ = _(
@@ -359,3 +362,54 @@ class otptoken_show(LDAPRetrieve):
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
 _convert_owner(self.api.Object.user, entry_attrs, options)
 return super(otptoken_show, self).post_callback(ldap, dn, entry_attrs, *keys, **options)
+
+@register()
+class otptoken_sync(Local):
+__doc__ = _('Synchronize an OTP token.')
+
+header = 'X-IPA-TokenSync-Result'
+
+# Currently, we force specifying the user and password. If we get
+# kerberos-based syncing in the future, it might be nice to make
+# these parameters optional.
+takes_options = (
+Str('token?', label=_('Token ID')),
+Password('password', label=_('Password'), confirm=False),
+Password('first_code', label=_('First Code'), confirm=False),
+Password('second_code', label=_('Second Code'), confirm=False),
+)
+
+takes_args = (
+Str('user', label=_('User ID')),
+)
+
+def forward(self, *args, **kwargs):
+status = {'result': {self.header: 'unknown'}}
+
+# Get the sync URI.
+segments = list(urlparse.urlparse(self.api.env.xmlrpc_uri))
+assert segments[0] == 'https' # Ensure encryption.
+segments[2] = segments[2].replace('/xml', '/session/sync_token')
+sync_uri = urlparse.urlunparse(segments)
+
+# Prepare the query.
+query = {k: v for k, v in kwargs.items()
+if k in {x.name for x in self.takes_options}}
+query['user'] = args[0]
+query = urllib.urlencode(query)
+
+# Sync the token.
+# WARNING: This does not validate the server's certificate.
+rsp = urllib.urlopen(sync_uri, query)
+if rsp.getcode() == 200:
+status['result'][self.header] = rsp.info().get(self.header, 'unknown')
+rsp.close()
+
+return status
+
+def output_for_cli(self, textui, result, *keys, **options):
+textui.print_plain({
+'ok': 'Token synchronized.',
+'error': 'Error contacting server!',
+'invalid-credentials': 'Invalid Credentials!',
+}.get(result['result'][self.header], 'Unknown Error!'))
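Review bot: the `'error'` and `'invalid-credentials'` rows of the table in `output_for_cli` are unreachable as written: `urllib.urlopen` raises `IOError` for any non-2xx status instead of returning a response, so `forward` only ever stores the header value from a 200 or the initial `'unknown'`, and a 401 surfaces as a traceback before `output_for_cli` runs; catch `IOError` around `rsp = urllib.urlopen(sync_uri, query)` and populate `status['result'][self.header]` from the exception (for example `'invalid-credentials'` for a 401) so the table is actually used. In the same method, `assert segments[0] == 'https'` is stripped by `python -O`, so the https gate should be an explicit `raise`, and the `# WARNING` about certificate validation needs resolving before a password is posted through this call. The query assembly itself is consistent: the comprehension keyed on `takes_options` picks up `token` only when given, and `query['user'] = args[0]` matches `Str('user')` being the sole positional in `takes_args`.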
-- 
2.0.0


[Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-02 Thread Nathaniel McCallum
This command calls the token sync HTTP POST call in the server providing
the CLI interface to synchronization.

https://fedorahosted.org/freeipa/ticket/4260

This patch depends on my patch #0055.
From 316b2ed7deb6fa8a01e565143077d2cdfa711032 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Mon, 2 Jun 2014 23:00:52 -0400
Subject: [PATCH] Add otptoken-sync command

This command calls the token sync HTTP POST call in the server providing
the CLI interface to synchronization.

https://fedorahosted.org/freeipa/ticket/4260
---
 ipalib/plugins/otptoken.py | 54 +-
 1 file changed, 53 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index b264287c322381fb99c8823f7b1505ec537973ad..e597588a481023631a73e502c265cbf0c4551365 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -18,14 +18,17 @@
 # along with this program.  If not, see http://www.gnu.org/licenses/.
 
 from ipalib.plugins.baseldap import DN, LDAPObject, LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve
-from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, _, ngettext
+from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, Password, _, ngettext
 from ipalib.plugable import Registry
 from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound
 from ipalib.request import context
+from ipalib.frontend import Local
+
 import base64
 import uuid
 import random
 import urllib
+import urlparse
 import qrcode
 
 __doc__ = _(
@@ -359,3 +362,52 @@ class otptoken_show(LDAPRetrieve):
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
 _convert_owner(self.api.Object.user, entry_attrs, options)
 return super(otptoken_show, self).post_callback(ldap, dn, entry_attrs, *keys, **options)
+
+@register()
+class otptoken_sync(Local):
+header = 'X-IPA-TokenSync-Result'
+
+# Currently, we force specifying the user and password. If we get
+# kerberos-based syncing in the future, it might be nice to make
+# these parameters optional.
+takes_options = (
+Str('token?', label=_('Token ID')),
+Password('password', label=_('Password'), confirm=False),
+Password('first_code', label=_('First Code'), confirm=False),
+Password('second_code', label=_('Second Code'), confirm=False),
+)
+
+takes_args = (
+Str('user', label=_('User ID')),
+)
+
+def forward(self, *args, **kwargs):
+status = {'result': {self.header: 'unknown'}}
+
+# Get the sync URI.
+segments = list(urlparse.urlparse(self.api.env.xmlrpc_uri))
+assert segments[0] == 'https' # Ensure encryption.
+segments[2] = segments[2].replace('/xml', '/session/sync_token')
+sync_uri = urlparse.urlunparse(segments)
+
+# Prepare the query.
+query = {k: v for k, v in kwargs.items()
+if k in {x.name for x in self.takes_options}}
+query['user'] = args[0]
+query = urllib.urlencode(query)
+
+# Sync the token.
+# WARNING: This does not validate the server's certificate.
+rsp = urllib.urlopen(sync_uri, query)
+if rsp.getcode() == 200:
+status['result'][self.header] = rsp.info().get(self.header, 'unknown')
+rsp.close()
+
+return status
+
+def output_for_cli(self, textui, result, *keys, **options):
+textui.print_plain({
+'ok': 'Token synchronized.',
+'error': 'Error contacting server!',
+'invalid-credentials': 'Invalid Credentials!',
+}.get(result['result'][self.header], 'Unknown Error!'))
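Review bot: `class otptoken_sync(Local):` has no `__doc__`, and the diffstat lists only `ipalib/plugins/otptoken.py` with no `API.txt` change, so the API validation step of the build will fail on this hunk, which is what Petr reports; add a `__doc__ = _('Synchronize an OTP token.')` line under the class and regenerate `API.txt`. Two points in `forward` are worth fixing in the same pass: `assert segments[0] == 'https'` is stripped under `python -O`, so the https gate should raise explicitly, and `urllib.urlopen` raises `IOError` on 4xx responses, so the `rsp.getcode() == 200` branch and the `'invalid-credentials'` message in `output_for_cli` cannot be reached for a rejected login.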
-- 
2.0.0
