Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On Wed, 25 Jun 2014, Nathaniel McCallum wrote:
On Wed, 2014-06-25 at 09:53 -0400, Nathaniel McCallum wrote:
On Wed, 2014-06-25 at 13:35 +0300, Alexander Bokovoy wrote:
On Mon, 23 Jun 2014, Nathaniel McCallum wrote:
On Mon, 2014-06-23 at 10:29 +0300, Alexander Bokovoy wrote:
On Fri, 20 Jun 2014, Nathaniel McCallum wrote:
On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote:
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
=== NOTE ===
1. This patch depends on the new Fedora package: python-yubico. If you
would like to help with the package review, please assign yourself here:
https://bugzilla.redhat.com/show_bug.cgi?id=334
New version of the patch. This one works (yay!).
1. Because of the dependency on python-yubico, is this feature something
we want in core FreeIPA? As a subpackage? Separate project altogether?
The only dependency for python-yubico is pyusb.
I'd prefer to have it integrated but have a separate dummy subpackage
that pulls in all required dependencies, like, freeipa-tools-yubico.
Instead
of failing when 'ipa otptoken-add-yubikey' is called, please wrap the
python-yubico import into a code that allows reporting a message back to
the user advising to install the package.
Who is a supposed user for this command? IPA command line interface isn't
usually available on enrolled machines even though underlying Python
modules are all there. Are we talking about admins or just users?
As discussed on IRC, we are currently hard-coding lots of optional
dependencies. And breaking this apart into subpackages can be solved at
a later point. YubiKey is also a unique case: we don't expect to be
adding many more plugins like this.
For these reasons, I have kept this as a hard dependency. To ease this
transition, I have added python-yubico to F20 and EL6. You can help with
the update review here:
https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.fc20
https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.el6
3. This code currently emits a warning from the call to otptoken-add:
WARNING: API Version number was not sent, forward compatibility not
guaranteed. Assuming server's API version, 2.89
How do I fix this?
Do not filter 'version' field in options in execute().
I opted to not filter out version rather than hard-code it (pviktori's
suggestion). This is based on the fact that otptoken-add-yubikey is
tightly integrated with otptoken-add (even using some of the class
attributes from otptoken).
4. I am not sure why I have to delete the summary and value keys from
the return dictionary. It would be nice to display this summary message
just like otptoken-add.
I still need help on this.
5. Am I doing the ipatoken(vendor|model|serial) options correctly? These
aren't user settable, but we need to pass them from the yubikey
(client-side) to the server.
This is no longer needed since I am doing everything in forward().
However, listing these three as output params causes them to appear
before the token's ID. I don't think this is the right way to output
these. But this seems to me a framework issue.
6. I'm not sure my use of assert or ValueError are correct. What should
I do here?
Still need help here.
Fixed this part.
7. Considering that this is just a specialized invocation of
otptoken-add, can't we do this all on the client-side? This is why I had
originally used frontend.Local rather than frontend.Command.
You don't need to implement execute then, only forward, where you'll
forward your call to the server under otptoken_add name.
Typically in #forward we call super's forward but that is because we
in Command.forward() we simply forward the command to the remote backend,
using the self.name. In your case we shouldn't really have a separate
command on the server under the same name, so you'll need to avoid
calling
So, it should look like this:
def forward(self, *args, **kw):
perform yubikey initialization
filter out kw and args, if needed
return self.Backend.rpcclient.forward('otptoken_add', *args, **kw)
See service_show implementation for an example.
Fixed.
I'm attaching few fixups to the patch that make it proper reporting for
non-Yubikey case and also properly update VERSION.
Provisional ACK.
Merged.
This patch includes everything above and fixes the missing ./makeapi
run.
ACK. Please do not commit it yet as there is a specific order in which all
these patches should be committed.
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On 06/25/2014 03:53 PM, Nathaniel McCallum wrote:
On Wed, 2014-06-25 at 13:35 +0300, Alexander Bokovoy wrote:
On Mon, 23 Jun 2014, Nathaniel McCallum wrote:
On Mon, 2014-06-23 at 10:29 +0300, Alexander Bokovoy wrote:
On Fri, 20 Jun 2014, Nathaniel McCallum wrote:
On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote:
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
=== NOTE ===
1. This patch depends on the new Fedora package: python-yubico. If you
would like to help with the package review, please assign yourself here:
https://bugzilla.redhat.com/show_bug.cgi?id=334
New version of the patch. This one works (yay!).
1. Because of the dependency on python-yubico, is this feature something
we want in core FreeIPA? As a subpackage? Separate project altogether?
The only dependency for python-yubico is pyusb.
I'd prefer to have it integrated but have a separate dummy subpackage
that pulls in all required dependencies, like, freeipa-tools-yubico.
Instead
of failing when 'ipa otptoken-add-yubikey' is called, please wrap the
python-yubico import into a code that allows reporting a message back to
the user advising to install the package.
Who is a supposed user for this command? IPA command line interface isn't
usually available on enrolled machines even though underlying Python
modules are all there. Are we talking about admins or just users?
As discussed on IRC, we are currently hard-coding lots of optional
dependencies. And breaking this apart into subpackages can be solved at
a later point. YubiKey is also a unique case: we don't expect to be
adding many more plugins like this.
For these reasons, I have kept this as a hard dependency. To ease this
transition, I have added python-yubico to F20 and EL6. You can help with
the update review here:
https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.fc20
https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.el6
3. This code currently emits a warning from the call to otptoken-add:
WARNING: API Version number was not sent, forward compatibility not
guaranteed. Assuming server's API version, 2.89
How do I fix this?
Do not filter 'version' field in options in execute().
I opted to not filter out version rather than hard-code it (pviktori's
suggestion). This is based on the fact that otptoken-add-yubikey is
tightly integrated with otptoken-add (even using some of the class
attributes from otptoken).
4. I am not sure why I have to delete the summary and value keys from
the return dictionary. It would be nice to display this summary message
just like otptoken-add.
I still need help on this.
5. Am I doing the ipatoken(vendor|model|serial) options correctly? These
aren't user settable, but we need to pass them from the yubikey
(client-side) to the server.
This is no longer needed since I am doing everything in forward().
However, listing these three as output params causes them to appear
before the token's ID. I don't think this is the right way to output
these. But this seems to me a framework issue.
6. I'm not sure my use of assert or ValueError are correct. What should
I do here?
Still need help here.
Fixed this part.
7. Considering that this is just a specialized invocation of
otptoken-add, can't we do this all on the client-side? This is why I had
originally used frontend.Local rather than frontend.Command.
You don't need to implement execute then, only forward, where you'll
forward your call to the server under otptoken_add name.
Typically in #forward we call super's forward but that is because we
in Command.forward() we simply forward the command to the remote backend,
using the self.name. In your case we shouldn't really have a separate
command on the server under the same name, so you'll need to avoid
calling
So, it should look like this:
def forward(self, *args, **kw):
perform yubikey initialization
filter out kw and args, if needed
return self.Backend.rpcclient.forward('otptoken_add', *args, **kw)
See service_show implementation for an example.
Fixed.
I'm attaching few fixups to the patch that make it proper reporting for
non-Yubikey case and also properly update VERSION.
Provisional ACK.
Merged.
Nathaniel
There was a conflict on VERSION (thanks, Petr!) and API.txt was not regenerated.
I fixed both and pushed to master.
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On Mon, 23 Jun 2014, Nathaniel McCallum wrote:
On Mon, 2014-06-23 at 10:29 +0300, Alexander Bokovoy wrote:
On Fri, 20 Jun 2014, Nathaniel McCallum wrote:
On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote:
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
=== NOTE ===
1. This patch depends on the new Fedora package: python-yubico. If you
would like to help with the package review, please assign yourself here:
https://bugzilla.redhat.com/show_bug.cgi?id=334
New version of the patch. This one works (yay!).
1. Because of the dependency on python-yubico, is this feature something
we want in core FreeIPA? As a subpackage? Separate project altogether?
The only dependency for python-yubico is pyusb.
I'd prefer to have it integrated but have a separate dummy subpackage
that pulls in all required dependencies, like, freeipa-tools-yubico. Instead
of failing when 'ipa otptoken-add-yubikey' is called, please wrap the
python-yubico import into a code that allows reporting a message back to
the user advising to install the package.
Who is a supposed user for this command? IPA command line interface isn't
usually available on enrolled machines even though underlying Python
modules are all there. Are we talking about admins or just users?
As discussed on IRC, we are currently hard-coding lots of optional
dependencies. And breaking this apart into subpackages can be solved at
a later point. YubiKey is also a unique case: we don't expect to be
adding many more plugins like this.
For these reasons, I have kept this as a hard dependency. To ease this
transition, I have added python-yubico to F20 and EL6. You can help with
the update review here:
https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.fc20
https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.el6
3. This code currently emits a warning from the call to otptoken-add:
WARNING: API Version number was not sent, forward compatibility not
guaranteed. Assuming server's API version, 2.89
How do I fix this?
Do not filter 'version' field in options in execute().
I opted to not filter out version rather than hard-code it (pviktori's
suggestion). This is based on the fact that otptoken-add-yubikey is
tightly integrated with otptoken-add (even using some of the class
attributes from otptoken).
4. I am not sure why I have to delete the summary and value keys from
the return dictionary. It would be nice to display this summary message
just like otptoken-add.
I still need help on this.
5. Am I doing the ipatoken(vendor|model|serial) options correctly? These
aren't user settable, but we need to pass them from the yubikey
(client-side) to the server.
This is no longer needed since I am doing everything in forward().
However, listing these three as output params causes them to appear
before the token's ID. I don't think this is the right way to output
these. But this seems to me a framework issue.
6. I'm not sure my use of assert or ValueError are correct. What should
I do here?
Still need help here.
Fixed this part.
7. Considering that this is just a specialized invocation of
otptoken-add, can't we do this all on the client-side? This is why I had
originally used frontend.Local rather than frontend.Command.
You don't need to implement execute then, only forward, where you'll
forward your call to the server under otptoken_add name.
Typically in #forward we call super's forward but that is because we
in Command.forward() we simply forward the command to the remote backend,
using the self.name. In your case we shouldn't really have a separate
command on the server under the same name, so you'll need to avoid
calling
So, it should look like this:
def forward(self, *args, **kw):
perform yubikey initialization
filter out kw and args, if needed
return self.Backend.rpcclient.forward('otptoken_add', *args, **kw)
See service_show implementation for an example.
Fixed.
I'm attaching few fixups to the patch that make it proper reporting for
non-Yubikey case and also properly update VERSION.
Provisional ACK.
--
/ Alexander Bokovoy
From 1c83f1943a635a4b2541addd9fc21b6155fb12d6 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Wed, 25 Jun 2014 13:32:16 +0300
Subject: [PATCH 10/10] fixup! Add the otptoken-add-yubikey command
---
ipalib/plugins/otptoken_yubikey.py | 9 +++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/ipalib/plugins/otptoken_yubikey.py
b/ipalib/plugins/otptoken_yubikey.py
index 30a81e5..b4f2188 100644
--- a/ipalib/plugins/otptoken_yubikey.py
+++ b/ipalib/plugins/otptoken_yubikey.py
@@ -18,6 +18,7 @@
# along with this program. If not, see http://www.gnu.org/licenses/.
from ipalib import _, Str, IntEnum
+from ipalib.errors import NotFound
from ipalib.plugable import Registry
from
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On Wed, 2014-06-25 at 13:35 +0300, Alexander Bokovoy wrote:
On Mon, 23 Jun 2014, Nathaniel McCallum wrote:
On Mon, 2014-06-23 at 10:29 +0300, Alexander Bokovoy wrote:
On Fri, 20 Jun 2014, Nathaniel McCallum wrote:
On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote:
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
=== NOTE ===
1. This patch depends on the new Fedora package: python-yubico. If you
would like to help with the package review, please assign yourself here:
https://bugzilla.redhat.com/show_bug.cgi?id=334
New version of the patch. This one works (yay!).
1. Because of the dependency on python-yubico, is this feature something
we want in core FreeIPA? As a subpackage? Separate project altogether?
The only dependency for python-yubico is pyusb.
I'd prefer to have it integrated but have a separate dummy subpackage
that pulls in all required dependencies, like, freeipa-tools-yubico.
Instead
of failing when 'ipa otptoken-add-yubikey' is called, please wrap the
python-yubico import into a code that allows reporting a message back to
the user advising to install the package.
Who is a supposed user for this command? IPA command line interface isn't
usually available on enrolled machines even though underlying Python
modules are all there. Are we talking about admins or just users?
As discussed on IRC, we are currently hard-coding lots of optional
dependencies. And breaking this apart into subpackages can be solved at
a later point. YubiKey is also a unique case: we don't expect to be
adding many more plugins like this.
For these reasons, I have kept this as a hard dependency. To ease this
transition, I have added python-yubico to F20 and EL6. You can help with
the update review here:
https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.fc20
https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.el6
3. This code currently emits a warning from the call to otptoken-add:
WARNING: API Version number was not sent, forward compatibility not
guaranteed. Assuming server's API version, 2.89
How do I fix this?
Do not filter 'version' field in options in execute().
I opted to not filter out version rather than hard-code it (pviktori's
suggestion). This is based on the fact that otptoken-add-yubikey is
tightly integrated with otptoken-add (even using some of the class
attributes from otptoken).
4. I am not sure why I have to delete the summary and value keys from
the return dictionary. It would be nice to display this summary message
just like otptoken-add.
I still need help on this.
5. Am I doing the ipatoken(vendor|model|serial) options correctly? These
aren't user settable, but we need to pass them from the yubikey
(client-side) to the server.
This is no longer needed since I am doing everything in forward().
However, listing these three as output params causes them to appear
before the token's ID. I don't think this is the right way to output
these. But this seems to me a framework issue.
6. I'm not sure my use of assert or ValueError are correct. What should
I do here?
Still need help here.
Fixed this part.
7. Considering that this is just a specialized invocation of
otptoken-add, can't we do this all on the client-side? This is why I had
originally used frontend.Local rather than frontend.Command.
You don't need to implement execute then, only forward, where you'll
forward your call to the server under otptoken_add name.
Typically in #forward we call super's forward but that is because we
in Command.forward() we simply forward the command to the remote backend,
using the self.name. In your case we shouldn't really have a separate
command on the server under the same name, so you'll need to avoid
calling
So, it should look like this:
def forward(self, *args, **kw):
perform yubikey initialization
filter out kw and args, if needed
return self.Backend.rpcclient.forward('otptoken_add', *args, **kw)
See service_show implementation for an example.
Fixed.
I'm attaching few fixups to the patch that make it proper reporting for
non-Yubikey case and also properly update VERSION.
Provisional ACK.
Merged.
Nathaniel
From 4a8f119c4e8de70e6f2f997167421947f18f907f Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Thu, 19 Jun 2014 12:28:32 -0400
Subject: [PATCH] Add the otptoken-add-yubikey command
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
---
VERSION| 4 +-
freeipa.spec.in| 1 +
ipalib/plugins/otptoken.py | 2 +-
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On Wed, 2014-06-25 at 09:53 -0400, Nathaniel McCallum wrote:
On Wed, 2014-06-25 at 13:35 +0300, Alexander Bokovoy wrote:
On Mon, 23 Jun 2014, Nathaniel McCallum wrote:
On Mon, 2014-06-23 at 10:29 +0300, Alexander Bokovoy wrote:
On Fri, 20 Jun 2014, Nathaniel McCallum wrote:
On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote:
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
=== NOTE ===
1. This patch depends on the new Fedora package: python-yubico. If you
would like to help with the package review, please assign yourself
here:
https://bugzilla.redhat.com/show_bug.cgi?id=334
New version of the patch. This one works (yay!).
1. Because of the dependency on python-yubico, is this feature something
we want in core FreeIPA? As a subpackage? Separate project altogether?
The only dependency for python-yubico is pyusb.
I'd prefer to have it integrated but have a separate dummy subpackage
that pulls in all required dependencies, like, freeipa-tools-yubico.
Instead
of failing when 'ipa otptoken-add-yubikey' is called, please wrap the
python-yubico import into a code that allows reporting a message back to
the user advising to install the package.
Who is a supposed user for this command? IPA command line interface isn't
usually available on enrolled machines even though underlying Python
modules are all there. Are we talking about admins or just users?
As discussed on IRC, we are currently hard-coding lots of optional
dependencies. And breaking this apart into subpackages can be solved at
a later point. YubiKey is also a unique case: we don't expect to be
adding many more plugins like this.
For these reasons, I have kept this as a hard dependency. To ease this
transition, I have added python-yubico to F20 and EL6. You can help with
the update review here:
https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.fc20
https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.el6
3. This code currently emits a warning from the call to otptoken-add:
WARNING: API Version number was not sent, forward compatibility not
guaranteed. Assuming server's API version, 2.89
How do I fix this?
Do not filter 'version' field in options in execute().
I opted to not filter out version rather than hard-code it (pviktori's
suggestion). This is based on the fact that otptoken-add-yubikey is
tightly integrated with otptoken-add (even using some of the class
attributes from otptoken).
4. I am not sure why I have to delete the summary and value keys from
the return dictionary. It would be nice to display this summary message
just like otptoken-add.
I still need help on this.
5. Am I doing the ipatoken(vendor|model|serial) options correctly? These
aren't user settable, but we need to pass them from the yubikey
(client-side) to the server.
This is no longer needed since I am doing everything in forward().
However, listing these three as output params causes them to appear
before the token's ID. I don't think this is the right way to output
these. But this seems to me a framework issue.
6. I'm not sure my use of assert or ValueError are correct. What should
I do here?
Still need help here.
Fixed this part.
7. Considering that this is just a specialized invocation of
otptoken-add, can't we do this all on the client-side? This is why I had
originally used frontend.Local rather than frontend.Command.
You don't need to implement execute then, only forward, where you'll
forward your call to the server under otptoken_add name.
Typically in #forward we call super's forward but that is because we
in Command.forward() we simply forward the command to the remote
backend,
using the self.name. In your case we shouldn't really have a separate
command on the server under the same name, so you'll need to avoid
calling
So, it should look like this:
def forward(self, *args, **kw):
perform yubikey initialization
filter out kw and args, if needed
return self.Backend.rpcclient.forward('otptoken_add', *args,
**kw)
See service_show implementation for an example.
Fixed.
I'm attaching few fixups to the patch that make it proper reporting for
non-Yubikey case and also properly update VERSION.
Provisional ACK.
Merged.
This patch includes everything above and fixes the missing ./makeapi
run.
Nathaniel
From 3f877142e99c12050def9f56c650eb474320bfff Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Thu, 19 Jun 2014 12:28:32 -0400
Subject: [PATCH] Add the otptoken-add-yubikey command
This command behaves almost exactly like otptoken-add except:
1. The new token data
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On Fri, 20 Jun 2014, Nathaniel McCallum wrote:
On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote:
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
=== NOTE ===
1. This patch depends on the new Fedora package: python-yubico. If you
would like to help with the package review, please assign yourself here:
https://bugzilla.redhat.com/show_bug.cgi?id=334
New version of the patch. This one works (yay!).
1. Because of the dependency on python-yubico, is this feature something
we want in core FreeIPA? As a subpackage? Separate project altogether?
The only dependency for python-yubico is pyusb.
I'd prefer to have it integrated but have a separate dummy subpackage
that pulls in all required dependencies, like, freeipa-tools-yubico. Instead
of failing when 'ipa otptoken-add-yubikey' is called, please wrap the
python-yubico import into a code that allows reporting a message back to
the user advising to install the package.
Who is a supposed user for this command? IPA command line interface isn't
usually available on enrolled machines even though underlying Python
modules are all there. Are we talking about admins or just users?
2. Should the import yubico statement be inside of the
otptoken_add_yubikey.forward() method to reduce server dependencies?
Here is how we do it in ipalibs/plugins/trust.py:
try:
import pysss_murmur #pylint: disable=F0401
_murmur_installed = True
except Exception, e:
_murmur_installed = False
try:
import pysss_nss_idmap #pylint: disable=F0401
_nss_idmap_installed = True
except Exception, e:
_nss_idmap_installed = False
if api.env.in_server and api.env.context in ['lite', 'server']:
try:
import ipaserver.dcerpc #pylint: disable=F0401
_bindings_installed = True
except ImportError:
_bindings_installed = False
and then in the actual code we do
if not _bindings_installed:
raise errors.NotFound(
name=_('AD Trust setup'),
reason=_(
'Cannot perform join operation without Samba 4 support '
'installed. Make sure you have installed server-trust-ad '
'sub-package of IPA'
)
)
3. This code currently emits a warning from the call to otptoken-add:
WARNING: API Version number was not sent, forward compatibility not
guaranteed. Assuming server's API version, 2.89
How do I fix this?
Do not filter 'version' field in options in execute().
4. I am not sure why I have to delete the summary and value keys from
the return dictionary. It would be nice to display this summary message
just like otptoken-add.
5. Am I doing the ipatoken(vendor|model|serial) options correctly? These
aren't user settable, but we need to pass them from the yubikey
(client-side) to the server.
6. I'm not sure my use of assert or ValueError are correct. What should
I do here?
7. Considering that this is just a specialized invocation of
otptoken-add, can't we do this all on the client-side? This is why I had
originally used frontend.Local rather than frontend.Command.
You don't need to implement execute then, only forward, where you'll
forward your call to the server under otptoken_add name.
Typically in #forward we call super's forward but that is because we
in Command.forward() we simply forward the command to the remote backend,
using the self.name. In your case we shouldn't really have a separate
command on the server under the same name, so you'll need to avoid
calling
So, it should look like this:
def forward(self, *args, **kw):
perform yubikey initialization
filter out kw and args, if needed
return self.Backend.rpcclient.forward('otptoken_add', *args, **kw)
See service_show implementation for an example.
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On 06/23/2014 09:29 AM, Alexander Bokovoy wrote: On Fri, 20 Jun 2014, Nathaniel McCallum wrote: On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote: This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey === NOTE === 1. This patch depends on the new Fedora package: python-yubico. If you would like to help with the package review, please assign yourself here: https://bugzilla.redhat.com/show_bug.cgi?id=334 New version of the patch. This one works (yay!). 1. Because of the dependency on python-yubico, is this feature something we want in core FreeIPA? As a subpackage? Separate project altogether? The only dependency for python-yubico is pyusb. I'd prefer to have it integrated but have a separate dummy subpackage that pulls in all required dependencies, like, freeipa-tools-yubico. Instead of failing when 'ipa otptoken-add-yubikey' is called, please wrap the python-yubico import into a code that allows reporting a message back to the user advising to install the package. +1. For 4.0, I would just fail cleanly and keep functioning if python-yubico is not configured, just like in Alexander's trust example. For 4.2, we plan to introduce subpackages (https://fedorahosted.org/freeipa/ticket/4058). This is the right time and place to introduce something like freeipa-server-otp which would contain the files and requirements for OTP. It would also give is time to get it to standard Fedora repositories if we want this functionality by default. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On 06/23/2014 09:29 AM, Alexander Bokovoy wrote: On Fri, 20 Jun 2014, Nathaniel McCallum wrote: 3. This code currently emits a warning from the call to otptoken-add: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.89 How do I fix this? Do not filter 'version' field in options in execute(). Please hardcode the API version instead of reusing it. This will be important when otptoken_add_yubikey is put in a separate package. i.e.: +answer = self.api.Command.otptoken_add(*args, +type=u'hotp', +ipatokenotpalgorithm=u'sha1', +ipatokenhotpcounter=0, +version='2.89', +**options) This way even if otptoken_add changes in the future, the fixed version string will trigger behavior compatible with what otptoken_add_yubikey expects now. -- PetrĀ³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On Mon, 2014-06-23 at 09:42 +0200, Martin Kosek wrote: On 06/23/2014 09:29 AM, Alexander Bokovoy wrote: On Fri, 20 Jun 2014, Nathaniel McCallum wrote: On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote: This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey === NOTE === 1. This patch depends on the new Fedora package: python-yubico. If you would like to help with the package review, please assign yourself here: https://bugzilla.redhat.com/show_bug.cgi?id=334 New version of the patch. This one works (yay!). 1. Because of the dependency on python-yubico, is this feature something we want in core FreeIPA? As a subpackage? Separate project altogether? The only dependency for python-yubico is pyusb. I'd prefer to have it integrated but have a separate dummy subpackage that pulls in all required dependencies, like, freeipa-tools-yubico. Instead of failing when 'ipa otptoken-add-yubikey' is called, please wrap the python-yubico import into a code that allows reporting a message back to the user advising to install the package. +1. For 4.0, I would just fail cleanly and keep functioning if python-yubico is not configured, just like in Alexander's trust example. For 4.2, we plan to introduce subpackages (https://fedorahosted.org/freeipa/ticket/4058). This is the right time and place to introduce something like freeipa-server-otp which would contain the files and requirements for OTP. It would also give is time to get it to standard Fedora repositories if we want this functionality by default. python-yubico is already in F21 (as of yesterday). So, unless there is some other reason that matters, we can probably just add a hard dependency for now. Is that acceptable? Nathaniel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On Mon, 2014-06-23 at 10:29 +0300, Alexander Bokovoy wrote:
On Fri, 20 Jun 2014, Nathaniel McCallum wrote:
On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote:
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
=== NOTE ===
1. This patch depends on the new Fedora package: python-yubico. If you
would like to help with the package review, please assign yourself here:
https://bugzilla.redhat.com/show_bug.cgi?id=334
New version of the patch. This one works (yay!).
1. Because of the dependency on python-yubico, is this feature something
we want in core FreeIPA? As a subpackage? Separate project altogether?
The only dependency for python-yubico is pyusb.
I'd prefer to have it integrated but have a separate dummy subpackage
that pulls in all required dependencies, like, freeipa-tools-yubico. Instead
of failing when 'ipa otptoken-add-yubikey' is called, please wrap the
python-yubico import into a code that allows reporting a message back to
the user advising to install the package.
Who is a supposed user for this command? IPA command line interface isn't
usually available on enrolled machines even though underlying Python
modules are all there. Are we talking about admins or just users?
As discussed on IRC, we are currently hard-coding lots of optional
dependencies. And breaking this apart into subpackages can be solved at
a later point. YubiKey is also a unique case: we don't expect to be
adding many more plugins like this.
For these reasons, I have kept this as a hard dependency. To ease this
transition, I have added python-yubico to F20 and EL6. You can help with
the update review here:
https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.fc20
https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.el6
3. This code currently emits a warning from the call to otptoken-add:
WARNING: API Version number was not sent, forward compatibility not
guaranteed. Assuming server's API version, 2.89
How do I fix this?
Do not filter 'version' field in options in execute().
I opted to not filter out version rather than hard-code it (pviktori's
suggestion). This is based on the fact that otptoken-add-yubikey is
tightly integrated with otptoken-add (even using some of the class
attributes from otptoken).
4. I am not sure why I have to delete the summary and value keys from
the return dictionary. It would be nice to display this summary message
just like otptoken-add.
I still need help on this.
5. Am I doing the ipatoken(vendor|model|serial) options correctly? These
aren't user settable, but we need to pass them from the yubikey
(client-side) to the server.
This is no longer needed since I am doing everything in forward().
However, listing these three as output params causes them to appear
before the token's ID. I don't think this is the right way to output
these. But this seems to me a framework issue.
6. I'm not sure my use of assert or ValueError are correct. What should
I do here?
Still need help here.
7. Considering that this is just a specialized invocation of
otptoken-add, can't we do this all on the client-side? This is why I had
originally used frontend.Local rather than frontend.Command.
You don't need to implement execute then, only forward, where you'll
forward your call to the server under otptoken_add name.
Typically in #forward we call super's forward but that is because we
in Command.forward() we simply forward the command to the remote backend,
using the self.name. In your case we shouldn't really have a separate
command on the server under the same name, so you'll need to avoid
calling
So, it should look like this:
def forward(self, *args, **kw):
perform yubikey initialization
filter out kw and args, if needed
return self.Backend.rpcclient.forward('otptoken_add', *args, **kw)
See service_show implementation for an example.
Fixed.
Nathaniel
From f9d233bf2c46d86ff6ee3801495c90825d0daf6f Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Thu, 19 Jun 2014 12:28:32 -0400
Subject: [PATCH] Add the otptoken-add-yubikey command
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
---
freeipa.spec.in| 1 +
ipalib/plugins/otptoken.py | 2 +-
ipalib/plugins/otptoken_yubikey.py | 134 +
3 files changed, 136 insertions(+), 1 deletion(-)
create mode 100644 ipalib/plugins/otptoken_yubikey.py
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b719b4a21fd2263a6fb58b3dffd4784868e630e9..a0a0bc184c9e5f5d8c611534486d9ec74c7396cf 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -305,6 +305,7 @@ Requires: python-netaddr
Requires:
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
Hi, On 19.6.2014 22:30, Nathaniel McCallum wrote: This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey === NOTE === 1. This patch depends on the new Fedora package: python-yubico. If you would like to help with the package review, please assign yourself here: https://bugzilla.redhat.com/show_bug.cgi?id=334 2. This patch doesn't actually work and I could use some help. The call to api.Command.otptoken_add() fails with: ipa: ERROR: non-public: AttributeError: no context.rpcclient in thread 'MainThread' Traceback (most recent call last): File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129, in execute result = self.Command[_name](*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439, in __call__ ret = self.run(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118, in run return self.forward(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py, line 471, in forward **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439, in __call__ ret = self.run(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 755, in run return self.forward(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 776, in forward return self.Backend.rpcclient.forward(self.name, *args, **kw) File /usr/lib/python2.7/site-packages/ipalib/rpc.py, line 874, in forward command = getattr(self.conn, name) File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 97, in __get_conn self.id, threading.currentThread().getName()) AttributeError: no context.rpcclient in thread 'MainThread' ipa: ERROR: an internal error has occurred This happens because when you use frontend.Local, no connection to the server is created (see cli.run()). Instead of using frontend.Local and overriding forward(), use frontend.Command and override execute(). Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote:
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
=== NOTE ===
1. This patch depends on the new Fedora package: python-yubico. If you
would like to help with the package review, please assign yourself here:
https://bugzilla.redhat.com/show_bug.cgi?id=334
New version of the patch. This one works (yay!).
1. Because of the dependency on python-yubico, is this feature something
we want in core FreeIPA? As a subpackage? Separate project altogether?
The only dependency for python-yubico is pyusb.
2. Should the import yubico statement be inside of the
otptoken_add_yubikey.forward() method to reduce server dependencies?
3. This code currently emits a warning from the call to otptoken-add:
WARNING: API Version number was not sent, forward compatibility not
guaranteed. Assuming server's API version, 2.89
How do I fix this?
4. I am not sure why I have to delete the summary and value keys from
the return dictionary. It would be nice to display this summary message
just like otptoken-add.
5. Am I doing the ipatoken(vendor|model|serial) options correctly? These
aren't user settable, but we need to pass them from the yubikey
(client-side) to the server.
6. I'm not sure my use of assert or ValueError are correct. What should
I do here?
7. Considering that this is just a specialized invocation of
otptoken-add, can't we do this all on the client-side? This is why I had
originally used frontend.Local rather than frontend.Command.
Nathaniel
From 06ab253297b1428bcdd2a8c9a1a82532e828081a Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Thu, 19 Jun 2014 12:28:32 -0400
Subject: [PATCH] Add the otptoken-add-yubikey command
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
---
freeipa.spec.in| 1 +
ipalib/plugins/otptoken.py | 106 -
2 files changed, 106 insertions(+), 1 deletion(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b719b4a21fd2263a6fb58b3dffd4784868e630e9..4228c88f939a361a32da6f875c48db8adee3cdc1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -158,6 +158,7 @@ Requires(pre): certmonger = 0.65
Requires(pre): 389-ds-base = 1.3.2.11
Requires: fontawesome-fonts
Requires: open-sans-fonts
+Requires: python-yubico
# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
# entire SELinux policy is stored in the system policy
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index d834d582a16d95ab08c3f1fe1aef29160c77ae23..7d5fff1665afe1ce48254ff1ecb5472e7d3b0b87 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -21,6 +21,7 @@ from ipalib.plugins.baseldap import DN, LDAPObject, LDAPAddMember, LDAPRemoveMem
from ipalib.plugins.baseldap import LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve
from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, _, ngettext
from ipalib.plugable import Registry
+from ipalib.frontend import Command
from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound
from ipalib.request import context
import base64
@@ -28,6 +29,7 @@ import uuid
import urllib
import qrcode
import os
+import yubico
__doc__ = _(
OTP Tokens
@@ -196,7 +198,7 @@ class otptoken(LDAPObject):
),
IntEnum('ipatokenotpdigits?',
cli_name='digits',
-label=_('Display length'),
+label=_('Digits'),
values=(6, 8),
default=6,
autofill=True,
@@ -383,3 +385,105 @@ class otptoken_remove_managedby(LDAPRemoveMember):
__doc__ = _('Remove hosts that can manage this host.')
member_attributes = ['managedby']
+
+@register()
+class otptoken_add_yubikey(Command):
+__doc__ = _('Add a new YubiKey OTP token.')
+
+takes_args = (
+Str('ipatokenuniqueid?',
+cli_name='id',
+label=_('Unique ID'),
+primary_key=True,
+),
+)
+
+takes_options = Command.takes_options + (
+IntEnum('slot?',
+cli_name='slot',
+label=_('YubiKey slot'),
+values=(1, 2),
+),
+Str('ipatokenvendor?',
+cli_name='vendor',
+label=_('Vendor'),
+flags=('no_option')
+),
+Str('ipatokenmodel?',
+cli_name='model',
+label=_('Model'),
+flags=('no_option')
+),
+Str('ipatokenserial?',
+cli_name='serial',
+label=_('Serial'),
+flags=('no_option')
+),
+) + tuple([x for x in otptoken.takes_params if x.name in (
+'description',
+
[Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
=== NOTE ===
1. This patch depends on the new Fedora package: python-yubico. If you
would like to help with the package review, please assign yourself here:
https://bugzilla.redhat.com/show_bug.cgi?id=334
2. This patch doesn't actually work and I could use some help. The call
to api.Command.otptoken_add() fails with:
ipa: ERROR: non-public: AttributeError: no context.rpcclient in thread
'MainThread'
Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
in execute
result = self.Command[_name](*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
in __call__
ret = self.run(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118,
in run
return self.forward(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py,
line 471, in forward
**options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
in __call__
ret = self.run(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 755,
in run
return self.forward(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 776,
in forward
return self.Backend.rpcclient.forward(self.name, *args, **kw)
File /usr/lib/python2.7/site-packages/ipalib/rpc.py, line 874, in
forward
command = getattr(self.conn, name)
File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 97, in
__get_conn
self.id, threading.currentThread().getName())
AttributeError: no context.rpcclient in thread 'MainThread'
ipa: ERROR: an internal error has occurred
From 75f1a74dd2476d61fc47e5ab184acaf84261fe54 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Thu, 19 Jun 2014 12:28:32 -0400
Subject: [PATCH] Add the otptoken-add-yubikey command
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
---
freeipa.spec.in| 1 +
ipalib/plugins/otptoken.py | 83 ++
2 files changed, 84 insertions(+)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b719b4a21fd2263a6fb58b3dffd4784868e630e9..4228c88f939a361a32da6f875c48db8adee3cdc1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -158,6 +158,7 @@ Requires(pre): certmonger = 0.65
Requires(pre): 389-ds-base = 1.3.2.11
Requires: fontawesome-fonts
Requires: open-sans-fonts
+Requires: python-yubico
# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
# entire SELinux policy is stored in the system policy
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index d834d582a16d95ab08c3f1fe1aef29160c77ae23..9746d2c96753111a05864b7151b12761553785a3 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -21,6 +21,7 @@ from ipalib.plugins.baseldap import DN, LDAPObject, LDAPAddMember, LDAPRemoveMem
from ipalib.plugins.baseldap import LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve
from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, _, ngettext
from ipalib.plugable import Registry
+from ipalib.frontend import Local
from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound
from ipalib.request import context
import base64
@@ -28,6 +29,7 @@ import uuid
import urllib
import qrcode
import os
+import yubico
__doc__ = _(
OTP Tokens
@@ -383,3 +385,84 @@ class otptoken_remove_managedby(LDAPRemoveMember):
__doc__ = _('Remove hosts that can manage this host.')
member_attributes = ['managedby']
+
+@register()
+class otptoken_add_yubikey(Local):
+__doc__ = _('Add a new YubiKey OTP token.')
+
+takes_args = (
+Str('ipatokenuniqueid?',
+cli_name='id',
+label=_('Unique ID'),
+primary_key=True,
+),
+)
+
+takes_options = Local.takes_options + (
+IntEnum('slot?',
+cli_name='slot',
+label=_('YubiKey slot'),
+values=(1, 2),
+),
+) + tuple([x for x in otptoken.takes_params if x.name in (
+'description',
+'ipatokenowner',
+'ipatokendisabled',
+'ipatokennotbefore',
+'ipatokennotafter',
+'ipatokenotpkey',
+'ipatokenotpdigits'
+)])
+
+def write_yubikey(self, **kwargs):
+assert len(kwargs['ipatokenotpkey']) == 20
+
+# Open the YubiKey
+yk = yubico.find_yubikey()
+
+# If no slot is specified, find the first free slot.
+slot = kwargs.get('slot', None)
+if slot is None:
+try:
+used = yk.status().valid_configs()
+slot = sorted({1,
