Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command
On Wed, 25 Jun 2014, Nathaniel McCallum wrote:
> On Wed, 2014-06-25 at 13:18 +0300, Alexander Bokovoy wrote:
> > On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
> > > On Tue, 2014-06-03 at 09:18 -0400, Nathaniel McCallum wrote:
> > > > On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
> > > > > On 3.6.2014 05:08, Nathaniel McCallum wrote:
> > > > > > This command calls the token sync HTTP POST call in the server
> > > > > > providing the CLI interface to synchronization.
> > > > > >
> > > > > > https://fedorahosted.org/freeipa/ticket/4260
> > > > > >
> > > > > > This patch depends on my patch #0055.
> > > > >
> > > > > Build fails on validation. You forgot to update API.txt and also the
> > > > > command misses __doc__.
> > > > >
> > > > > (not a proper review)
> > > >
> > > > Thanks, fixed. Attached is a new revision which is rebased on master.
> > > > In addition it:
> > > >
> > > > 1. Moves user to a parameter and moves token to an argument. Doing it
> > > >    this way both mirrors the existing otptoken APIs and sets us up for
> > > >    future Kerberos based syncing where the username/password will be
> > > >    optional.
> > > >
> > > > 2. Converts the token ID to a DN.
> >
> > ACK. Please do not commit this patch yet, we are not done with its
> > dependencies.
>
> As discussed off list, we also needed to verify the certificate so that
> passwords were not sent in the clear to a MITM. This has now been
> implemented. VERSION is bumped and ./makeapi was run.
>
> This patch is also rebased on top of my patch 0058 (which is already
> ACK'd), so 0058 needs to be merged before this patch (0056).

Right. There is one small fix that needs to be squashed prior to committing
as pylint cannot get insights into function states. The patch attached.
With it, ACK.

--
/ Alexander Bokovoy

From b1e75c884fd5303dce038e4f3dc6158d93785671 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Thu, 26 Jun 2014 13:16:47 +0300
Subject: [PATCH 4/4] fixup! Add otptoken-sync command

---
 ipalib/plugins/otptoken.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 46ad77a..7b9e256 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py @@ -394,7 +394,7 @@ class otptoken_remove_managedby(LDAPRemoveMember): class HTTPSConnection(httplib.HTTPConnection): Generates an SSL HTTP connection that performs hostname validation. -ssl_kwargs = ssl.wrap_socket.func_code.co_varnames[1:ssl.wrap_socket.func_code.co_argcount] +ssl_kwargs = ssl.wrap_socket.func_code.co_varnames[1:ssl.wrap_socket.func_code.co_argcount] #pylint: disable=E1101 default_port = httplib.HTTPS_PORT def __init__(self, host, **kwargs): -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
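Review bot: the `#pylint: disable=E1101` on the `ssl_kwargs` line silences the warning but keeps the fragile introspection that caused it: `func_code` is the Python 2-only attribute name, and pylint cannot see through it precisely because the code object is not part of the documented `ssl.wrap_socket` API. `inspect.getargspec(ssl.wrap_socket).args[1:]` yields the same list of keyword names (everything after the positional socket argument), reads as intent rather than as a code-object slice, and needs no disable comment.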
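A Python 3 counterpart of the check the `HTTPSConnection` class in this patch adds, written here as an added example (it is not FreeIPA code): `match_hostname()` applies the same RFC 6125 rules as `backports.ssl_match_hostname` to a `getpeercert()`-style dict, and `verifying_context()` is how a modern client gets chain and hostname verification from the library itself, so the password and OTP codes in the sync POST cannot be handed to an impersonating server. The certificate dicts and host names are constructed for the example.

```python
import re
import ssl
import http.client


class CertificateError(ValueError):
    """The presented certificate was not issued for the host we dialled."""


def _dnsname_match(dn, hostname):
    """Match one dNSName/commonName value against a hostname using the
    RFC 6125 rules of ssl.match_hostname: at most one wildcard, only in the
    leftmost label, and a wildcard never spans a dot."""
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > 1:
        raise CertificateError("too many wildcards in certificate name: %r" % dn)
    if not wildcards:
        return dn.lower() == hostname.lower()          # plain comparison
    if leftmost == '*':
        pats = ['[^.]+']                               # exactly one label
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        pats = [re.escape(leftmost)]                   # no wildcards in IDNA A-labels
    else:
        pats = [re.escape(leftmost).replace(r'\*', '[^.]*')]   # e.g. 'f*.example'
    pats.extend(re.escape(frag) for frag in remainder)
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def match_hostname(cert, hostname):
    """Raise CertificateError unless *cert* (getpeercert() dict form) names
    *hostname*. dNSName SAN entries win; the subject commonName is consulted
    only when the certificate carries no dNSName at all."""
    if not cert:
        raise ValueError("empty or no certificate")
    dnsnames = []
    for key, value in cert.get('subjectAltName', ()):
        if key == 'DNS':
            if _dnsname_match(value, hostname):
                return
            dnsnames.append(value)
    if not dnsnames:
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName':
                    if _dnsname_match(value, hostname):
                        return
                    dnsnames.append(value)
    if dnsnames:
        raise CertificateError("hostname %r doesn't match %s"
                               % (hostname, ', '.join(map(repr, dnsnames))))
    raise CertificateError("no appropriate commonName or subjectAltName found")


def hostname_matches(cert, hostname):
    """Boolean wrapper: True when match_hostname() accepts the pair."""
    try:
        match_hostname(cert, hostname)
    except (CertificateError, ValueError):
        return False
    return True


def verifying_context(cafile=None):
    """SSLContext a client must use before posting credentials: the chain is
    verified against *cafile* (system store when None) and the hostname
    check above is performed by the library on every handshake."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def https_connection(host, port=443, cafile=None):
    """HTTPSConnection that fails the handshake, before any request body is
    sent, if the server certificate does not chain to cafile or name host."""
    return http.client.HTTPSConnection(host, port, context=verifying_context(cafile))


# Constructed sample certificates (getpeercert() format), not real ones.
SAN_CERT = {
    'subject': ((('commonName', 'ipa.example.test'),),),
    'subjectAltName': (('DNS', 'ipa.example.test'), ('DNS', '*.example.test')),
}
CN_ONLY_CERT = {'subject': ((('commonName', 'ipa.example.test'),),)}

if __name__ == '__main__':
    for cert, name in ((SAN_CERT, 'replica1.example.test'),
                       (SAN_CERT, 'deep.sub.example.test'),
                       (CN_ONLY_CERT, 'ipa.example.test'),
                       (CN_ONLY_CERT, 'rogue.example.test')):
        print('%-24s %s' % (name, 'ok' if hostname_matches(cert, name) else 'REJECTED'))
```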
Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command
On 06/26/2014 01:02 PM, Alexander Bokovoy wrote:
> On Wed, 25 Jun 2014, Nathaniel McCallum wrote:
> > On Wed, 2014-06-25 at 13:18 +0300, Alexander Bokovoy wrote:
> > > On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
> > > > On Tue, 2014-06-03 at 09:18 -0400, Nathaniel McCallum wrote:
> > > > > On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
> > > > > > On 3.6.2014 05:08, Nathaniel McCallum wrote:
> > > > > > > This command calls the token sync HTTP POST call in the server
> > > > > > > providing the CLI interface to synchronization.
> > > > > > >
> > > > > > > https://fedorahosted.org/freeipa/ticket/4260
> > > > > > >
> > > > > > > This patch depends on my patch #0055.
> > > > > >
> > > > > > Build fails on validation. You forgot to update API.txt and also
> > > > > > the command misses __doc__.
> > > > > >
> > > > > > (not a proper review)
> > > > >
> > > > > Thanks, fixed. Attached is a new revision which is rebased on
> > > > > master. In addition it:
> > > > >
> > > > > 1. Moves user to a parameter and moves token to an argument. Doing
> > > > >    it this way both mirrors the existing otptoken APIs and sets us
> > > > >    up for future Kerberos based syncing where the username/password
> > > > >    will be optional.
> > > > >
> > > > > 2. Converts the token ID to a DN.
> > >
> > > ACK. Please do not commit this patch yet, we are not done with its
> > > dependencies.
> >
> > As discussed off list, we also needed to verify the certificate so that
> > passwords were not sent in the clear to a MITM. This has now been
> > implemented. VERSION is bumped and ./makeapi was run.
> >
> > This patch is also rebased on top of my patch 0058 (which is already
> > ACK'd), so 0058 needs to be merged before this patch (0056).
>
> Right. There is one small fix that needs to be squashed prior to
> committing as pylint cannot get insights into function states. The patch
> attached. With it, ACK.

Fixed VERSION conflict, squashed fixup patch and pushed to master.

Martin
Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command
On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
> On Tue, 2014-06-03 at 09:18 -0400, Nathaniel McCallum wrote:
> > On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
> > > On 3.6.2014 05:08, Nathaniel McCallum wrote:
> > > > This command calls the token sync HTTP POST call in the server
> > > > providing the CLI interface to synchronization.
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/4260
> > > >
> > > > This patch depends on my patch #0055.
> > >
> > > Build fails on validation. You forgot to update API.txt and also the
> > > command misses __doc__.
> > >
> > > (not a proper review)
> >
> > Thanks, fixed. Attached is a new revision which is rebased on master.
> > In addition it:
> >
> > 1. Moves user to a parameter and moves token to an argument. Doing it
> >    this way both mirrors the existing otptoken APIs and sets us up for
> >    future Kerberos based syncing where the username/password will be
> >    optional.
> >
> > 2. Converts the token ID to a DN.
ACK. Please do not commit this patch yet, we are not done with its
dependencies.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command
On Wed, 2014-06-25 at 13:18 +0300, Alexander Bokovoy wrote:
> On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
> > On Tue, 2014-06-03 at 09:18 -0400, Nathaniel McCallum wrote:
> > > On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
> > > > On 3.6.2014 05:08, Nathaniel McCallum wrote:
> > > > > This command calls the token sync HTTP POST call in the server
> > > > > providing the CLI interface to synchronization.
> > > > >
> > > > > https://fedorahosted.org/freeipa/ticket/4260
> > > > >
> > > > > This patch depends on my patch #0055.
> > > >
> > > > Build fails on validation. You forgot to update API.txt and also the
> > > > command misses __doc__.
> > > >
> > > > (not a proper review)
> > >
> > > Thanks, fixed. Attached is a new revision which is rebased on master.
> > > In addition it:
> > >
> > > 1. Moves user to a parameter and moves token to an argument. Doing it
> > >    this way both mirrors the existing otptoken APIs and sets us up for
> > >    future Kerberos based syncing where the username/password will be
> > >    optional.
> > >
> > > 2. Converts the token ID to a DN.
>
> ACK. Please do not commit this patch yet, we are not done with its
> dependencies.

As discussed off list, we also needed to verify the certificate so that
passwords were not sent in the clear to a MITM. This has now been
implemented. VERSION is bumped and ./makeapi was run.

This patch is also rebased on top of my patch 0058 (which is already
ACK'd), so 0058 needs to be merged before this patch (0056).

Nathaniel

From c06a4146d10759937116eb6ffe7201636febb1ab Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Mon, 2 Jun 2014 23:00:52 -0400
Subject: [PATCH] Add otptoken-sync command

This command calls the token sync HTTP POST call in the server
providing the CLI interface to synchronization.

https://fedorahosted.org/freeipa/ticket/4260
---
 API.txt                    |   9
 VERSION                    |   4 +-
 ipalib/plugins/otptoken.py | 102 -
 3 files changed, 112 insertions(+), 3 deletions(-)

diff --git a/API.txt b/API.txt
index 3c3b6447fec3c313c3038390ac7317533c530d8b..0924402764ca29711d8a9094c1e4f7dec461ab3c 100644
--- a/API.txt
+++ b/API.txt
@@ -2420,6 +2420,15 @@ option: Str('version?', exclude='webui') output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) +command: otptoken_sync +args: 1,5,1 +arg: Str('token?') +option: Password('first_code', confirm=False) +option: Password('password', confirm=False) +option: Password('second_code', confirm=False) +option: Str('user') +option: Str('version?', exclude='webui') +output: Output('result', None, None) command: passwd args: 3,1,3 arg: Str('principal', autofill=True, cli_name='user', primary_key=True) diff --git a/VERSION b/VERSION index f0c2db55658f3ab4cfafffc5735aa77b52bc9cc8..1d2e81688b9934baf1790c390452d733b9bed2e9 100644 --- a/VERSION +++ b/VERSION @@ -89,5 +89,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=94 -# Last change: npmaccallum - otptoken-add-yubikey +IPA_API_VERSION_MINOR=95 +# Last change: npmaccallum - otptoken-sync diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index 7962af0035fb9ac00e68c4b642bb62aa82d498c2..46ad77a2c81842cad9085651b794fd7959d783f0 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py 
@@ -19,15 +19,22 @@ from ipalib.plugins.baseldap import DN, LDAPObject, LDAPAddMember, LDAPRemoveMember from ipalib.plugins.baseldap import LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve -from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, _, ngettext +from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, Password, _, ngettext from ipalib.plugable import Registry from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound from ipalib.request import context +from ipalib.frontend import Local + +from backports.ssl_match_hostname import match_hostname import base64 import uuid import urllib +import urllib2 +import httplib +import urlparse import qrcode import os +import ssl __doc__ = _( OTP Tokens @@ -383,3 +390,96 @@ class otptoken_remove_managedby(LDAPRemoveMember): __doc__ = _('Remove hosts that can manage this host.') member_attributes = ['managedby'] + +class HTTPSConnection(httplib.HTTPConnection): +Generates an SSL HTTP connection that performs hostname validation. + +ssl_kwargs = ssl.wrap_socket.func_code.co_varnames[1:ssl.wrap_socket.func_code.co_argcount] +default_port = httplib.HTTPS_PORT + +def __init__(self, host, **kwargs): +# Strip out arguments we want to pass to ssl.wrap_socket() +self.__kwargs = {k: v for k, v in kwargs.items() if k in self.ssl_kwargs} +for k in
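Review bot: the otptoken.py hunk introduces a module-level `from backports.ssl_match_hostname import match_hostname`, so the plugin now fails to import on any client host that lacks that package, yet the diffstat at the top of the patch touches only API.txt, VERSION and ipalib/plugins/otptoken.py; the corresponding packaging requirement (spec file Requires) should land in the same series, or the dependency should be made optional with a clear error. Separately, `ssl_kwargs = ssl.wrap_socket.func_code.co_varnames[1:ssl.wrap_socket.func_code.co_argcount]` reaches into the code object to learn the keyword names; `inspect.getargspec(ssl.wrap_socket).args[1:]` gives the same list through a public API.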
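Review bot: in the API.txt hunk, `output: Output('result', None, None)` leaves the return type of `otptoken_sync` unchecked, while every neighbouring command declares a concrete output type; declaring the actual type of `result` lets ./makeapi and API clients validate the contract. The three `Password(..., confirm=False)` options are right for one-time codes, which cannot be typed twice, and for the password, which the server checks immediately.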
Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command
On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
> On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
> > On 3.6.2014 05:08, Nathaniel McCallum wrote:
> > > This command calls the token sync HTTP POST call in the server
> > > providing the CLI interface to synchronization.
> > >
> > > https://fedorahosted.org/freeipa/ticket/4260
> > >
> > > This patch depends on my patch #0055.
> >
> > Build fails on validation. You forgot to update API.txt and also the
> > command misses __doc__.
> >
> > (not a proper review)
Failed for me:

[root@ipa-01 rpms]# ipa otptoken-show test.token
  Unique ID: test.token
  Description: test token
  Owner: abbra
  Vendor: FreeIPA
  Model: hotp
[root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
Password:
First Code:
Second Code:
ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized', <httplib.HTTPMessage instance at 0x2cdde60>)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 129, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1118, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py", line 427, in forward
    rsp = urllib.urlopen(sync_uri, query)
  File "/usr/lib64/python2.7/urllib.py", line 89, in urlopen
    return opener.open(url, data)
  File "/usr/lib64/python2.7/urllib.py", line 210, in open
    return getattr(self, name)(url, data)
  File "/usr/lib64/python2.7/urllib.py", line 454, in open_https
    data)
  File "/usr/lib64/python2.7/urllib.py", line 374, in http_error
    result = method(url, fp, errcode, errmsg, headers, data)
  File "/usr/lib64/python2.7/urllib.py", line 689, in http_error_401
    errcode, errmsg, headers)
  File "/usr/lib64/python2.7/urllib.py", line 381, in http_error_default
    raise IOError, ('http error', errcode, errmsg, headers)
IOError: ('http error', 401, 'Unauthorized', <httplib.HTTPMessage instance at 0x2cdde60>)
ipa: ERROR: an internal error has occurred

Note that I can successfully use the token. It looks like authentication
with urllib.urlopen(sync_uri, query) fails.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command
On Tue, 2014-06-24 at 19:34 +0300, Alexander Bokovoy wrote:
> On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
> > On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
> > > On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
> > > > On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
> > > > > On 3.6.2014 05:08, Nathaniel McCallum wrote:
> > > > > > This command calls the token sync HTTP POST call in the server
> > > > > > providing the CLI interface to synchronization.
> > > > > >
> > > > > > https://fedorahosted.org/freeipa/ticket/4260
> > > > > >
> > > > > > This patch depends on my patch #0055.
> > > > >
> > > > > Build fails on validation. You forgot to update API.txt and also
> > > > > the command misses __doc__.
> > > > >
> > > > > (not a proper review)
> > > Failed for me:
> > >
> > > [root@ipa-01 rpms]# ipa otptoken-show test.token
> > >   Unique ID: test.token
> > >   Description: test token
> > >   Owner: abbra
> > >   Vendor: FreeIPA
> > >   Model: hotp
> > > [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
> > > Password:
> > > First Code:
> > > Second Code:
> > > ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized', <httplib.HTTPMessage instance at 0x2cdde60>)
> > > Traceback (most recent call last):
> > >   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 129, in execute
> > >     result = self.Command[_name](*args, **options)
> > >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
> > >     ret = self.run(*args, **options)
> > >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1118, in run
> > >     return self.forward(*args, **options)
> > >   File "/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py", line 427, in forward
> > >     rsp = urllib.urlopen(sync_uri, query)
> > >   File "/usr/lib64/python2.7/urllib.py", line 89, in urlopen
> > >     return opener.open(url, data)
> > >   File "/usr/lib64/python2.7/urllib.py", line 210, in open
> > >     return getattr(self, name)(url, data)
> > >   File "/usr/lib64/python2.7/urllib.py", line 454, in open_https
> > >     data)
> > >   File "/usr/lib64/python2.7/urllib.py", line 374, in http_error
> > >     result = method(url, fp, errcode, errmsg, headers, data)
> > >   File "/usr/lib64/python2.7/urllib.py", line 689, in http_error_401
> > >     errcode, errmsg, headers)
> > >   File "/usr/lib64/python2.7/urllib.py", line 381, in http_error_default
> > >     raise IOError, ('http error', errcode, errmsg, headers)
> > > IOError: ('http error', 401, 'Unauthorized', <httplib.HTTPMessage instance at 0x2cdde60>)
> > > ipa: ERROR: an internal error has occurred
> > >
> > > Note that I can successfully use the token. It looks like
> > > authentication with urllib.urlopen(sync_uri, query) fails.
> >
> > Works for me (just tested). I suspect you have not updated the ipa
> > httpd config. Did you apply patches 0054, 0055 and 0056?
>
> Yes, I did apply those patches and I installed packages as an upgrade.
> How am I supposed to update httpd config? I think we need to solve this
> without re-install and it should be done automatically.

Oh. I thought it *was* done automatically...
Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command
On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
> On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
> > On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
> > > On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
> > > > On 3.6.2014 05:08, Nathaniel McCallum wrote:
> > > > > This command calls the token sync HTTP POST call in the server
> > > > > providing the CLI interface to synchronization.
> > > > >
> > > > > https://fedorahosted.org/freeipa/ticket/4260
> > > > >
> > > > > This patch depends on my patch #0055.
> > > >
> > > > Build fails on validation. You forgot to update API.txt and also the
> > > > command misses __doc__.
> > > >
> > > > (not a proper review)
> > Failed for me:
> >
> > [root@ipa-01 rpms]# ipa otptoken-show test.token
> >   Unique ID: test.token
> >   Description: test token
> >   Owner: abbra
> >   Vendor: FreeIPA
> >   Model: hotp
> > [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
> > Password:
> > First Code:
> > Second Code:
> > ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized', <httplib.HTTPMessage instance at 0x2cdde60>)
> > Traceback (most recent call last):
> >   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 129, in execute
> >     result = self.Command[_name](*args, **options)
> >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
> >     ret = self.run(*args, **options)
> >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1118, in run
> >     return self.forward(*args, **options)
> >   File "/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py", line 427, in forward
> >     rsp = urllib.urlopen(sync_uri, query)
> >   File "/usr/lib64/python2.7/urllib.py", line 89, in urlopen
> >     return opener.open(url, data)
> >   File "/usr/lib64/python2.7/urllib.py", line 210, in open
> >     return getattr(self, name)(url, data)
> >   File "/usr/lib64/python2.7/urllib.py", line 454, in open_https
> >     data)
> >   File "/usr/lib64/python2.7/urllib.py", line 374, in http_error
> >     result = method(url, fp, errcode, errmsg, headers, data)
> >   File "/usr/lib64/python2.7/urllib.py", line 689, in http_error_401
> >     errcode, errmsg, headers)
> >   File "/usr/lib64/python2.7/urllib.py", line 381, in http_error_default
> >     raise IOError, ('http error', errcode, errmsg, headers)
> > IOError: ('http error', 401, 'Unauthorized', <httplib.HTTPMessage instance at 0x2cdde60>)
> > ipa: ERROR: an internal error has occurred
> >
> > Note that I can successfully use the token. It looks like
> > authentication with urllib.urlopen(sync_uri, query) fails.
>
> Works for me (just tested). I suspect you have not updated the ipa
> httpd config. Did you apply patches 0054, 0055 and 0056?
Yes, I did apply those patches and I installed packages as an upgrade.
How am I supposed to update httpd config? I think we need to solve this
without re-install and it should be done automatically.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command
On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
> On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
> > On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
> > > On 3.6.2014 05:08, Nathaniel McCallum wrote:
> > > > This command calls the token sync HTTP POST call in the server
> > > > providing the CLI interface to synchronization.
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/4260
> > > >
> > > > This patch depends on my patch #0055.
> > >
> > > Build fails on validation. You forgot to update API.txt and also the
> > > command misses __doc__.
> > >
> > > (not a proper review)
> Failed for me:
>
> [root@ipa-01 rpms]# ipa otptoken-show test.token
>   Unique ID: test.token
>   Description: test token
>   Owner: abbra
>   Vendor: FreeIPA
>   Model: hotp
> [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
> Password:
> First Code:
> Second Code:
> ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized', <httplib.HTTPMessage instance at 0x2cdde60>)
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 129, in execute
>     result = self.Command[_name](*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
>     ret = self.run(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1118, in run
>     return self.forward(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py", line 427, in forward
>     rsp = urllib.urlopen(sync_uri, query)
>   File "/usr/lib64/python2.7/urllib.py", line 89, in urlopen
>     return opener.open(url, data)
>   File "/usr/lib64/python2.7/urllib.py", line 210, in open
>     return getattr(self, name)(url, data)
>   File "/usr/lib64/python2.7/urllib.py", line 454, in open_https
>     data)
>   File "/usr/lib64/python2.7/urllib.py", line 374, in http_error
>     result = method(url, fp, errcode, errmsg, headers, data)
>   File "/usr/lib64/python2.7/urllib.py", line 689, in http_error_401
>     errcode, errmsg, headers)
>   File "/usr/lib64/python2.7/urllib.py", line 381, in http_error_default
>     raise IOError, ('http error', errcode, errmsg, headers)
> IOError: ('http error', 401, 'Unauthorized', <httplib.HTTPMessage instance at 0x2cdde60>)
> ipa: ERROR: an internal error has occurred
>
> Note that I can successfully use the token. It looks like
> authentication with urllib.urlopen(sync_uri, query) fails.

Works for me (just tested). I suspect you have not updated the ipa httpd
config. Did you apply patches 0054, 0055 and 0056?

Nathaniel
Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command
On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
> On Tue, 2014-06-24 at 19:34 +0300, Alexander Bokovoy wrote:
> > On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
> > > On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
> > > > On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
> > > > > On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
> > > > > > On 3.6.2014 05:08, Nathaniel McCallum wrote:
> > > > > > > This command calls the token sync HTTP POST call in the server
> > > > > > > providing the CLI interface to synchronization.
> > > > > > >
> > > > > > > https://fedorahosted.org/freeipa/ticket/4260
> > > > > > >
> > > > > > > This patch depends on my patch #0055.
> > > > > >
> > > > > > Build fails on validation. You forgot to update API.txt and also
> > > > > > the command misses __doc__.
> > > > > >
> > > > > > (not a proper review)
> > > > Failed for me:
> > > >
> > > > [root@ipa-01 rpms]# ipa otptoken-show test.token
> > > >   Unique ID: test.token
> > > >   Description: test token
> > > >   Owner: abbra
> > > >   Vendor: FreeIPA
> > > >   Model: hotp
> > > > [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
> > > > Password:
> > > > First Code:
> > > > Second Code:
> > > > ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized', <httplib.HTTPMessage instance at 0x2cdde60>)
> > > > Traceback (most recent call last):
> > > >   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 129, in execute
> > > >     result = self.Command[_name](*args, **options)
> > > >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
> > > >     ret = self.run(*args, **options)
> > > >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1118, in run
> > > >     return self.forward(*args, **options)
> > > >   File "/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py", line 427, in forward
> > > >     rsp = urllib.urlopen(sync_uri, query)
> > > >   File "/usr/lib64/python2.7/urllib.py", line 89, in urlopen
> > > >     return opener.open(url, data)
> > > >   File "/usr/lib64/python2.7/urllib.py", line 210, in open
> > > >     return getattr(self, name)(url, data)
> > > >   File "/usr/lib64/python2.7/urllib.py", line 454, in open_https
> > > >     data)
> > > >   File "/usr/lib64/python2.7/urllib.py", line 374, in http_error
> > > >     result = method(url, fp, errcode, errmsg, headers, data)
> > > >   File "/usr/lib64/python2.7/urllib.py", line 689, in http_error_401
> > > >     errcode, errmsg, headers)
> > > >   File "/usr/lib64/python2.7/urllib.py", line 381, in http_error_default
> > > >     raise IOError, ('http error', errcode, errmsg, headers)
> > > > IOError: ('http error', 401, 'Unauthorized', <httplib.HTTPMessage instance at 0x2cdde60>)
> > > > ipa: ERROR: an internal error has occurred
> > > >
> > > > Note that I can successfully use the token. It looks like
> > > > authentication with urllib.urlopen(sync_uri, query) fails.
> > >
> > > Works for me (just tested). I suspect you have not updated the ipa
> > > httpd config. Did you apply patches 0054, 0055 and 0056?
> >
> > Yes, I did apply those patches and I installed packages as an upgrade.
> > How am I supposed to update httpd config? I think we need to solve this
> > without re-install and it should be done automatically.
>
> Oh. I thought it *was* done automatically...
No. You only modified the template which is used for an install from
scratch.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command
On 06/24/2014 06:44 PM, Alexander Bokovoy wrote:
> On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
> > On Tue, 2014-06-24 at 19:34 +0300, Alexander Bokovoy wrote:
> > > On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
> > > > On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
> > > > > On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
> > > > > > On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
> > > > > > > On 3.6.2014 05:08, Nathaniel McCallum wrote:
> > > > > > > > This command calls the token sync HTTP POST call in the
> > > > > > > > server providing the CLI interface to synchronization.
> > > > > > > >
> > > > > > > > https://fedorahosted.org/freeipa/ticket/4260
> > > > > > > >
> > > > > > > > This patch depends on my patch #0055.
> > > > > > >
> > > > > > > Build fails on validation. You forgot to update API.txt and
> > > > > > > also the command misses __doc__.
> > > > > > >
> > > > > > > (not a proper review)
> > > > > Failed for me:
> > > > >
> > > > > [root@ipa-01 rpms]# ipa otptoken-show test.token
> > > > >   Unique ID: test.token
> > > > >   Description: test token
> > > > >   Owner: abbra
> > > > >   Vendor: FreeIPA
> > > > >   Model: hotp
> > > > > [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
> > > > > Password:
> > > > > First Code:
> > > > > Second Code:
> > > > > ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized', <httplib.HTTPMessage instance at 0x2cdde60>)
> > > > > Traceback (most recent call last):
> > > > >   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 129, in execute
> > > > >     result = self.Command[_name](*args, **options)
> > > > >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
> > > > >     ret = self.run(*args, **options)
> > > > >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1118, in run
> > > > >     return self.forward(*args, **options)
> > > > >   File "/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py", line 427, in forward
> > > > >     rsp = urllib.urlopen(sync_uri, query)
> > > > >   File "/usr/lib64/python2.7/urllib.py", line 89, in urlopen
> > > > >     return opener.open(url, data)
> > > > >   File "/usr/lib64/python2.7/urllib.py", line 210, in open
> > > > >     return getattr(self, name)(url, data)
> > > > >   File "/usr/lib64/python2.7/urllib.py", line 454, in open_https
> > > > >     data)
> > > > >   File "/usr/lib64/python2.7/urllib.py", line 374, in http_error
> > > > >     result = method(url, fp, errcode, errmsg, headers, data)
> > > > >   File "/usr/lib64/python2.7/urllib.py", line 689, in http_error_401
> > > > >     errcode, errmsg, headers)
> > > > >   File "/usr/lib64/python2.7/urllib.py", line 381, in http_error_default
> > > > >     raise IOError, ('http error', errcode, errmsg, headers)
> > > > > IOError: ('http error', 401, 'Unauthorized', <httplib.HTTPMessage instance at 0x2cdde60>)
> > > > > ipa: ERROR: an internal error has occurred
> > > > >
> > > > > Note that I can successfully use the token. It looks like
> > > > > authentication with urllib.urlopen(sync_uri, query) fails.
> > > >
> > > > Works for me (just tested). I suspect you have not updated the ipa
> > > > httpd config. Did you apply patches 0054, 0055 and 0056?
> > >
> > > Yes, I did apply those patches and I installed packages as an
> > > upgrade. How am I supposed to update httpd config? I think we need to
> > > solve this without re-install and it should be done automatically.
> >
> > Oh. I thought it *was* done automatically...
> No. You only modified the template which is used for an install from
> scratch.

It *will* get updated automatically if you bump the VERSION on the first
line of install/conf/ipa.conf.

Martin
Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command
On Tue, 2014-06-24 at 21:40 +0200, Martin Kosek wrote:
> On 06/24/2014 06:44 PM, Alexander Bokovoy wrote:
> > On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
> > > On Tue, 2014-06-24 at 19:34 +0300, Alexander Bokovoy wrote:
> > > > On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
> > > > > On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
> > > > > > On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
> > > > > > > On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
> > > > > > > > On 3.6.2014 05:08, Nathaniel McCallum wrote:
> > > > > > > > > This command calls the token sync HTTP POST call in the
> > > > > > > > > server providing the CLI interface to synchronization.
> > > > > > > > >
> > > > > > > > > https://fedorahosted.org/freeipa/ticket/4260
> > > > > > > > >
> > > > > > > > > This patch depends on my patch #0055.
> > > > > > > >
> > > > > > > > Build fails on validation. You forgot to update API.txt and
> > > > > > > > also the command misses __doc__.
> > > > > > > >
> > > > > > > > (not a proper review)
> > > > > > Failed for me:
> > > > > >
> > > > > > [root@ipa-01 rpms]# ipa otptoken-show test.token
> > > > > >   Unique ID: test.token
> > > > > >   Description: test token
> > > > > >   Owner: abbra
> > > > > >   Vendor: FreeIPA
> > > > > >   Model: hotp
> > > > > > [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
> > > > > > Password:
> > > > > > First Code:
> > > > > > Second Code:
> > > > > > ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized', <httplib.HTTPMessage instance at 0x2cdde60>)
> > > > > > Traceback (most recent call last):
> > > > > >   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 129, in execute
> > > > > >     result = self.Command[_name](*args, **options)
> > > > > >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
> > > > > >     ret = self.run(*args, **options)
> > > > > >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1118, in run
> > > > > >     return self.forward(*args, **options)
> > > > > >   File "/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py", line 427, in forward
> > > > > >     rsp = urllib.urlopen(sync_uri, query)
> > > > > >   File "/usr/lib64/python2.7/urllib.py", line 89, in urlopen
> > > > > >     return opener.open(url, data)
> > > > > >   File "/usr/lib64/python2.7/urllib.py", line 210, in open
> > > > > >     return getattr(self, name)(url, data)
> > > > > >   File "/usr/lib64/python2.7/urllib.py", line 454, in open_https
> > > > > >     data)
> > > > > >   File "/usr/lib64/python2.7/urllib.py", line 374, in http_error
> > > > > >     result = method(url, fp, errcode, errmsg, headers, data)
> > > > > >   File "/usr/lib64/python2.7/urllib.py", line 689, in http_error_401
> > > > > >     errcode, errmsg, headers)
> > > > > >   File "/usr/lib64/python2.7/urllib.py", line 381, in http_error_default
> > > > > >     raise IOError, ('http error', errcode, errmsg, headers)
> > > > > > IOError: ('http error', 401, 'Unauthorized', <httplib.HTTPMessage instance at 0x2cdde60>)
> > > > > > ipa: ERROR: an internal error has occurred
> > > > > >
> > > > > > Note that I can successfully use the token. It looks like
> > > > > > authentication with urllib.urlopen(sync_uri, query) fails.
> > > > >
> > > > > Works for me (just tested). I suspect you have not updated the
> > > > > ipa httpd config. Did you apply patches 0054, 0055 and 0056?
> > > >
> > > > Yes, I did apply those patches and I installed packages as an
> > > > upgrade. How am I supposed to update httpd config? I think we need
> > > > to solve this without re-install and it should be done
> > > > automatically.
> > >
> > > Oh. I thought it *was* done automatically...
> > No. You only modified the template which is used for an install from
> > scratch.
>
> It *will* get updated automatically if you bump the VERSION on the
> first line of install/conf/ipa.conf.

Yup, I figured that out about 15 minutes ago by looking at your past
commits. :)

Nathaniel
Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command
On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
> On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
> > On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
> > > On 3.6.2014 05:08, Nathaniel McCallum wrote:
> > > > This command calls the token sync HTTP POST call in the server
> > > > providing the CLI interface to synchronization.
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/4260
> > > >
> > > > This patch depends on my patch #0055.
> > >
> > > Build fails on validation. You forgot to update API.txt and also the
> > > command misses __doc__.
> > >
> > > (not a proper review)
> Failed for me:
>
> [root@ipa-01 rpms]# ipa otptoken-show test.token
>   Unique ID: test.token
>   Description: test token
>   Owner: abbra
>   Vendor: FreeIPA
>   Model: hotp
> [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
> Password:
> First Code:
> Second Code:
> ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized', <httplib.HTTPMessage instance at 0x2cdde60>)
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 129, in execute
>     result = self.Command[_name](*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
>     ret = self.run(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1118, in run
>     return self.forward(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py", line 427, in forward
>     rsp = urllib.urlopen(sync_uri, query)
>   File "/usr/lib64/python2.7/urllib.py", line 89, in urlopen
>     return opener.open(url, data)
>   File "/usr/lib64/python2.7/urllib.py", line 210, in open
>     return getattr(self, name)(url, data)
>   File "/usr/lib64/python2.7/urllib.py", line 454, in open_https
>     data)
>   File "/usr/lib64/python2.7/urllib.py", line 374, in http_error
>     result = method(url, fp, errcode, errmsg, headers, data)
>   File "/usr/lib64/python2.7/urllib.py", line 689, in http_error_401
>     errcode, errmsg, headers)
>   File "/usr/lib64/python2.7/urllib.py", line 381, in http_error_default
>     raise IOError, ('http error', errcode, errmsg, headers)
> IOError: ('http error', 401, 'Unauthorized', <httplib.HTTPMessage instance at 0x2cdde60>)
> ipa: ERROR: an internal error has occurred
>
> Note that I can successfully use the token. It looks like
> authentication with urllib.urlopen(sync_uri, query) fails.

This should be fixed in 0055.1.

Nathaniel
Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command
On Tue, 2014-06-03 at 09:18 -0400, Nathaniel McCallum wrote: On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote: On 3.6.2014 05:08, Nathaniel McCallum wrote: This command calls the token sync HTTP POST call in the server providing the CLI interface to synchronization. https://fedorahosted.org/freeipa/ticket/4260 This patch depends on my patch #0055. Build fails on validation. You forgot to update API.txt and also the command misses __doc__. (not a proper review) Thanks, fixed. Attached is a new revision which is rebased on master. In addition it: 1. Moves user to a parameter and moves token to an argument. Doing it this way both mirrors the existing otptoken APIs and sets us up for future Kerberos based syncing where the username/password will be optional. 2. Converts the token ID to a DN. Nathaniel From 6876cabce395ab3aee87ce2f9de3a0cb353fae47 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Mon, 2 Jun 2014 23:00:52 -0400 Subject: [PATCH] Add otptoken-sync command This command calls the token sync HTTP POST call in the server providing the CLI interface to synchronization. https://fedorahosted.org/freeipa/ticket/4260 --- API.txt| 9 ipalib/plugins/otptoken.py | 56 +- 2 files changed, 64 insertions(+), 1 deletion(-) diff --git a/API.txt b/API.txt index 0dd28068edbd37f021a58195941e102c25fa360f..ab09b089d1ff525de82c2044fac939b78a2afa05 100644 --- a/API.txt +++ b/API.txt 
@@ -2408,6 +2408,15 @@ option: Str('version?', exclude='webui') output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) +command: otptoken_sync +args: 1,5,1 +arg: Str('token?') +option: Password('first_code', confirm=False) +option: Password('password', confirm=False) +option: Password('second_code', confirm=False) +option: Str('user') +option: Str('version?', exclude='webui') +output: Output('result', None, None) command: passwd args: 3,1,3 arg: Str('principal', autofill=True, cli_name='user', primary_key=True) diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index d834d582a16d95ab08c3f1fe1aef29160c77ae23..035328ce3260dd1c784a7cdb2aa4bf54fe6e7a27 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py @@ -19,13 +19,16 @@ from ipalib.plugins.baseldap import DN, LDAPObject, LDAPAddMember, LDAPRemoveMember from ipalib.plugins.baseldap import LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve -from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, _, ngettext +from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, Password, _, ngettext from ipalib.plugable import Registry from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound from ipalib.request import context +from ipalib.frontend import Local + import base64 import uuid import urllib +import urlparse import qrcode import os 
@@ -383,3 +386,54 @@ class otptoken_remove_managedby(LDAPRemoveMember): __doc__ = _('Remove hosts that can manage this host.') member_attributes = ['managedby'] + +@register() +class otptoken_sync(Local): +__doc__ = _('Synchronize an OTP token.') + +header = 'X-IPA-TokenSync-Result' + +takes_options = ( +Str('user', label=_('User ID')), +Password('password', label=_('Password'), confirm=False), +Password('first_code', label=_('First Code'), confirm=False), +Password('second_code', label=_('Second Code'), confirm=False), +) + +takes_args = ( +Str('token?', label=_('Token ID')), +) + +def forward(self, *args, **kwargs): +status = {'result': {self.header: 'unknown'}} + +# Get the sync URI. +segments = list(urlparse.urlparse(self.api.env.xmlrpc_uri)) +assert segments[0] == 'https' # Ensure encryption. +segments[2] = segments[2].replace('/xml', '/session/sync_token') +sync_uri = urlparse.urlunparse(segments) + +# Prepare the query. +query = {k: v for k, v in kwargs.items() +if k in {x.name for x in self.takes_options}} +if args and args[0] is not None: +obj = self.api.Object.otptoken +query['token'] = DN((obj.primary_key.name, args[0]), +obj.container_dn, self.api.env.basedn) +query = urllib.urlencode(query) + +# Sync the token. +# WARNING: This does not validate the server's certificate. +rsp = urllib.urlopen(sync_uri, query) +if rsp.getcode() == 200: +status['result'][self.header] = rsp.info().get(self.header, 'unknown') +rsp.close() + +return status + +def output_for_cli(self, textui, result, *keys, **options): +
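Review bot: the API.txt hunk makes the token optional (`arg: Str('token?')`) while `user`, `password`, `first_code` and `second_code` are all required, but neither this entry nor the command docstring `_('Synchronize an OTP token.')` says what an omitted token means for the user running `ipa otptoken-sync`; the `__doc__` should state which token is synchronized when the positional argument is left out. The untyped `output: Output('result', None, None)` also hides that the result is a one-key dict keyed by `X-IPA-TokenSync-Result`; giving it a type, as the neighbouring entries do (`Output('summary', (type 'unicode', type 'NoneType'), None)`), lets the framework validate what `forward` returns.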
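Review bot: `rsp = urllib.urlopen(sync_uri, query)` in the `otptoken_sync.forward` hunk posts the user's password and both OTP codes to a server whose certificate is never checked, and the hunk's own `# WARNING: This does not validate the server's certificate.` admits it; a command whose whole purpose is to send credentials over the network should not go in with a known unverified TLS path, so switch to a client that verifies the server chain before the POST. Two smaller points in the same method: `assert segments[0] == 'https'  # Ensure encryption.` is compiled out under `python -O`, so the encryption guard should be an explicit `if segments[0] != 'https': raise ...`; and `if rsp.getcode() == 200:` is never reached for a 401, because `urllib.urlopen` raises `IOError` on HTTP error codes (the `http_error_401` -> `http_error_default` traceback earlier in this thread shows exactly that), so the call needs a `try`/`except IOError` that sets `status['result'][self.header]` to a failure value instead of letting the CLI print "an internal error has occurred". Finally, `segments[2].replace('/xml', '/session/sync_token')` silently leaves the path unchanged when `xmlrpc_uri` does not contain `/xml`, in which case the credentials are posted to the original XML-RPC endpoint; check that the substitution actually happened before building `sync_uri`.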
Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command
On 3.6.2014 05:08, Nathaniel McCallum wrote: This command calls the token sync HTTP POST call in the server providing the CLI interface to synchronization. https://fedorahosted.org/freeipa/ticket/4260 This patch depends on my patch #0055. Build fails on validation. You forgot to update API.txt and also the command misses __doc__. (not a proper review) -- Petr Vobornik
Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command
On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote: On 3.6.2014 05:08, Nathaniel McCallum wrote: This command calls the token sync HTTP POST call in the server providing the CLI interface to synchronization. https://fedorahosted.org/freeipa/ticket/4260 This patch depends on my patch #0055. Build fails on validation. You forgot to update API.txt and also the command misses __doc__. (not a proper review) Thanks, fixed. From b3762639df8b673f449cbb742e1b40d2f6901503 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Mon, 2 Jun 2014 23:00:52 -0400 Subject: [PATCH] Add otptoken-sync command This command calls the token sync HTTP POST call in the server providing the CLI interface to synchronization. https://fedorahosted.org/freeipa/ticket/4260 --- API.txt| 9 ipalib/plugins/otptoken.py | 56 +- 2 files changed, 64 insertions(+), 1 deletion(-) diff --git a/API.txt b/API.txt index caee61a22fcbf1395fcec55e9d5f5b23c4269523..d57d244101fc61b3ecdddf7a989cffd3d5a0031f 100644 --- a/API.txt +++ b/API.txt @@ -2320,6 +2320,15 @@ option: Str('version?', exclude='webui') output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) +command: otptoken_sync +args: 1,5,1 +arg: Str('user') +option: Password('first_code', confirm=False) +option: Password('password', confirm=False) +option: Password('second_code', confirm=False) +option: Str('token?') +option: Str('version?', exclude='webui') +output: Output('result', None, None) command: passwd args: 3,1,3 arg: Str('principal', autofill=True, cli_name='user', primary_key=True) diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index b264287c322381fb99c8823f7b1505ec537973ad..ed13fc6b9c8e50211522338bfb0c3ad7300c468d 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py 
@@ -18,14 +18,17 @@ # along with this program. If not, see http://www.gnu.org/licenses/. from ipalib.plugins.baseldap import DN, LDAPObject, LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve -from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, _, ngettext +from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, Password, _, ngettext from ipalib.plugable import Registry from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound from ipalib.request import context +from ipalib.frontend import Local + import base64 import uuid import random import urllib +import urlparse import qrcode __doc__ = _( 
@@ -359,3 +362,54 @@ class otptoken_show(LDAPRetrieve): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): _convert_owner(self.api.Object.user, entry_attrs, options) return super(otptoken_show, self).post_callback(ldap, dn, entry_attrs, *keys, **options) + +@register() +class otptoken_sync(Local): +__doc__ = _('Synchronize an OTP token.') + +header = 'X-IPA-TokenSync-Result' + +# Currently, we force specifying the user and password. If we get +# kerberos-based syncing in the future, it might be nice to make +# these parameters optional. +takes_options = ( +Str('token?', label=_('Token ID')), +Password('password', label=_('Password'), confirm=False), +Password('first_code', label=_('First Code'), confirm=False), +Password('second_code', label=_('Second Code'), confirm=False), +) + +takes_args = ( +Str('user', label=_('User ID')), +) + +def forward(self, *args, **kwargs): +status = {'result': {self.header: 'unknown'}} + +# Get the sync URI. +segments = list(urlparse.urlparse(self.api.env.xmlrpc_uri)) +assert segments[0] == 'https' # Ensure encryption. +segments[2] = segments[2].replace('/xml', '/session/sync_token') +sync_uri = urlparse.urlunparse(segments) + +# Prepare the query. +query = {k: v for k, v in kwargs.items() +if k in {x.name for x in self.takes_options}} +query['user'] = args[0] +query = urllib.urlencode(query) + +# Sync the token. +# WARNING: This does not validate the server's certificate. +rsp = urllib.urlopen(sync_uri, query) +if rsp.getcode() == 200: +status['result'][self.header] = rsp.info().get(self.header, 'unknown') +rsp.close() + +return status + +def output_for_cli(self, textui, result, *keys, **options): +textui.print_plain({ +'ok': 'Token synchronized.', +'error': 'Error contacting server!', +'invalid-credentials': 'Invalid Credentials!', +}.get(result['result'][self.header], 'Unknown Error!')) -- 2.0.0 ___
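Review bot: in the API.txt hunk, `arg: Str('user')` makes the user the positional argument and demotes the token to `option: Str('token?')`, which inverts the convention of the other otptoken commands, where the token ID is the argument (`ipa otptoken-show test.token` in the test output earlier in this thread); making `token?` the argument and `user` an option keeps the CLI consistent and leaves room for `user`/`password` to become optional later without changing the positional signature.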
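Review bot: the user-facing strings in `output_for_cli` (`'Token synchronized.'`, `'Error contacting server!'`, `'Invalid Credentials!'` and the default `'Unknown Error!'`) are not wrapped in `_()` even though every label in `takes_options` is, so they will never be translated; wrap them. Also in this hunk, `if rsp.getcode() == 200:` never sees a 401 because `urllib.urlopen` raises `IOError` for HTTP error codes, so a wrong password surfaces as an internal error rather than reaching the `'invalid-credentials'` branch of the mapping; wrap the `urlopen` call in `try`/`except IOError` and set the status from the caught error code.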
[Freeipa-devel] [PATCH 0056] Add otptoken-sync command
This command calls the token sync HTTP POST call in the server providing the CLI interface to synchronization. https://fedorahosted.org/freeipa/ticket/4260 This patch depends on my patch #0055. From 316b2ed7deb6fa8a01e565143077d2cdfa711032 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Mon, 2 Jun 2014 23:00:52 -0400 Subject: [PATCH] Add otptoken-sync command This command calls the token sync HTTP POST call in the server providing the CLI interface to synchronization. https://fedorahosted.org/freeipa/ticket/4260 --- ipalib/plugins/otptoken.py | 54 +- 1 file changed, 53 insertions(+), 1 deletion(-) diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index b264287c322381fb99c8823f7b1505ec537973ad..e597588a481023631a73e502c265cbf0c4551365 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py @@ -18,14 +18,17 @@ # along with this program. If not, see http://www.gnu.org/licenses/. from ipalib.plugins.baseldap import DN, LDAPObject, LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve -from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, _, ngettext +from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, Password, _, ngettext from ipalib.plugable import Registry from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound from ipalib.request import context +from ipalib.frontend import Local + import base64 import uuid import random import urllib +import urlparse import qrcode __doc__ = _( 
@@ -359,3 +362,52 @@ class otptoken_show(LDAPRetrieve): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): _convert_owner(self.api.Object.user, entry_attrs, options) return super(otptoken_show, self).post_callback(ldap, dn, entry_attrs, *keys, **options) + +@register() +class otptoken_sync(Local): +header = 'X-IPA-TokenSync-Result' + +# Currently, we force specifying the user and password. If we get +# kerberos-based syncing in the future, it might be nice to make +# these parameters optional. +takes_options = ( +Str('token?', label=_('Token ID')), +Password('password', label=_('Password'), confirm=False), +Password('first_code', label=_('First Code'), confirm=False), +Password('second_code', label=_('Second Code'), confirm=False), +) + +takes_args = ( +Str('user', label=_('User ID')), +) + +def forward(self, *args, **kwargs): +status = {'result': {self.header: 'unknown'}} + +# Get the sync URI. +segments = list(urlparse.urlparse(self.api.env.xmlrpc_uri)) +assert segments[0] == 'https' # Ensure encryption. +segments[2] = segments[2].replace('/xml', '/session/sync_token') +sync_uri = urlparse.urlunparse(segments) + +# Prepare the query. +query = {k: v for k, v in kwargs.items() +if k in {x.name for x in self.takes_options}} +query['user'] = args[0] +query = urllib.urlencode(query) + +# Sync the token. +# WARNING: This does not validate the server's certificate. +rsp = urllib.urlopen(sync_uri, query) +if rsp.getcode() == 200: +status['result'][self.header] = rsp.info().get(self.header, 'unknown') +rsp.close() + +return status + +def output_for_cli(self, textui, result, *keys, **options): +textui.print_plain({ +'ok': 'Token synchronized.', +'error': 'Error contacting server!', +'invalid-credentials': 'Invalid Credentials!', +}.get(result['result'][self.header], 'Unknown Error!')) -- 2.0.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
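Review bot: `class otptoken_sync(Local):` in this hunk has no `__doc__`, and the build's validation rejects commands without one (as the "Build fails on validation" reply in this thread says), so a docstring such as `__doc__ = _('Synchronize an OTP token.')` should be the first statement of the class; the diffstat (`ipalib/plugins/otptoken.py | 54 +-`, `1 file changed`) also shows that API.txt was not regenerated for the new command, so the API.txt entry for `otptoken_sync` needs to be part of this patch for it to validate.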