Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On Wed, 25 Jun 2014, Nathaniel McCallum wrote: On Wed, 2014-06-25 at 09:53 -0400, Nathaniel McCallum wrote: On Wed, 2014-06-25 at 13:35 +0300, Alexander Bokovoy wrote: On Mon, 23 Jun 2014, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 10:29 +0300, Alexander Bokovoy wrote: On Fri, 20 Jun 2014, Nathaniel McCallum wrote: On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote: This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey === NOTE === 1. This patch depends on the new Fedora package: python-yubico. If you would like to help with the package review, please assign yourself here: https://bugzilla.redhat.com/show_bug.cgi?id=334 New version of the patch. This one works (yay!). 1. Because of the dependency on python-yubico, is this feature something we want in core FreeIPA? As a subpackage? Separate project altogether? The only dependency for python-yubico is pyusb. I'd prefer to have it integrated but have a separate dummy subpackage that pulls in all required dependencies, like, freeipa-tools-yubico. Instead of failing when 'ipa otptoken-add-yubikey' is called, please wrap the python-yubico import into a code that allows reporting a message back to the user advising to install the package. Who is a supposed user for this command? IPA command line interface isn't usually available on enrolled machines even though underlying Python modules are all there. Are we talking about admins or just users? As discussed on IRC, we are currently hard-coding lots of optional dependencies. And breaking this apart into subpackages can be solved at a later point. YubiKey is also a unique case: we don't expect to be adding many more plugins like this. For these reasons, I have kept this as a hard dependency. To ease this transition, I have added python-yubico to F20 and EL6. You can help with the update review here: https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.fc20 https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.el6 3. This code currently emits a warning from the call to otptoken-add: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.89 How do I fix this? Do not filter 'version' field in options in execute(). I opted to not filter out version rather than hard-code it (pviktori's suggestion). This is based on the fact that otptoken-add-yubikey is tightly integrated with otptoken-add (even using some of the class attributes from otptoken). 4. I am not sure why I have to delete the summary and value keys from the return dictionary. It would be nice to display this summary message just like otptoken-add. I still need help on this. 5. Am I doing the ipatoken(vendor|model|serial) options correctly? These aren't user settable, but we need to pass them from the yubikey (client-side) to the server. This is no longer needed since I am doing everything in forward(). However, listing these three as output params causes them to appear before the token's ID. I don't think this is the right way to output these. But this seems to me a framework issue. 6. I'm not sure my use of assert or ValueError are correct. What should I do here? Still need help here. Fixed this part. 7. Considering that this is just a specialized invocation of otptoken-add, can't we do this all on the client-side? This is why I had originally used frontend.Local rather than frontend.Command. You don't need to implement execute then, only forward, where you'll forward your call to the server under otptoken_add name. Typically in #forward we call super's forward but that is because we in Command.forward() we simply forward the command to the remote backend, using the self.name. In your case we shouldn't really have a separate command on the server under the same name, so you'll need to avoid calling So, it should look like this: def forward(self, *args, **kw): perform yubikey initialization filter out kw and args, if needed return self.Backend.rpcclient.forward('otptoken_add', *args, **kw) See service_show implementation for an example. Fixed. I'm attaching few fixups to the patch that make it proper reporting for non-Yubikey case and also properly update VERSION. Provisional ACK. Merged. This patch includes everything above and fixes the missing ./makeapi run. ACK. Please do not commit it yet as there is a specific order in which all these patches should be committed. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On 06/25/2014 03:53 PM, Nathaniel McCallum wrote: On Wed, 2014-06-25 at 13:35 +0300, Alexander Bokovoy wrote: On Mon, 23 Jun 2014, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 10:29 +0300, Alexander Bokovoy wrote: On Fri, 20 Jun 2014, Nathaniel McCallum wrote: On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote: This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey === NOTE === 1. This patch depends on the new Fedora package: python-yubico. If you would like to help with the package review, please assign yourself here: https://bugzilla.redhat.com/show_bug.cgi?id=334 New version of the patch. This one works (yay!). 1. Because of the dependency on python-yubico, is this feature something we want in core FreeIPA? As a subpackage? Separate project altogether? The only dependency for python-yubico is pyusb. I'd prefer to have it integrated but have a separate dummy subpackage that pulls in all required dependencies, like, freeipa-tools-yubico. Instead of failing when 'ipa otptoken-add-yubikey' is called, please wrap the python-yubico import into a code that allows reporting a message back to the user advising to install the package. Who is a supposed user for this command? IPA command line interface isn't usually available on enrolled machines even though underlying Python modules are all there. Are we talking about admins or just users? As discussed on IRC, we are currently hard-coding lots of optional dependencies. And breaking this apart into subpackages can be solved at a later point. YubiKey is also a unique case: we don't expect to be adding many more plugins like this. For these reasons, I have kept this as a hard dependency. To ease this transition, I have added python-yubico to F20 and EL6. You can help with the update review here: https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.fc20 https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.el6 3. This code currently emits a warning from the call to otptoken-add: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.89 How do I fix this? Do not filter 'version' field in options in execute(). I opted to not filter out version rather than hard-code it (pviktori's suggestion). This is based on the fact that otptoken-add-yubikey is tightly integrated with otptoken-add (even using some of the class attributes from otptoken). 4. I am not sure why I have to delete the summary and value keys from the return dictionary. It would be nice to display this summary message just like otptoken-add. I still need help on this. 5. Am I doing the ipatoken(vendor|model|serial) options correctly? These aren't user settable, but we need to pass them from the yubikey (client-side) to the server. This is no longer needed since I am doing everything in forward(). However, listing these three as output params causes them to appear before the token's ID. I don't think this is the right way to output these. But this seems to me a framework issue. 6. I'm not sure my use of assert or ValueError are correct. What should I do here? Still need help here. Fixed this part. 7. Considering that this is just a specialized invocation of otptoken-add, can't we do this all on the client-side? This is why I had originally used frontend.Local rather than frontend.Command. You don't need to implement execute then, only forward, where you'll forward your call to the server under otptoken_add name. Typically in #forward we call super's forward but that is because we in Command.forward() we simply forward the command to the remote backend, using the self.name. In your case we shouldn't really have a separate command on the server under the same name, so you'll need to avoid calling So, it should look like this: def forward(self, *args, **kw): perform yubikey initialization filter out kw and args, if needed return self.Backend.rpcclient.forward('otptoken_add', *args, **kw) See service_show implementation for an example. Fixed. I'm attaching few fixups to the patch that make it proper reporting for non-Yubikey case and also properly update VERSION. Provisional ACK. Merged. Nathaniel There was a conflict on VERSION (thanks, Petr!) and API.txt was not regenerated. I fixed both and pushed to master. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On Mon, 23 Jun 2014, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 10:29 +0300, Alexander Bokovoy wrote: On Fri, 20 Jun 2014, Nathaniel McCallum wrote: On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote: This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey === NOTE === 1. This patch depends on the new Fedora package: python-yubico. If you would like to help with the package review, please assign yourself here: https://bugzilla.redhat.com/show_bug.cgi?id=334 New version of the patch. This one works (yay!). 1. Because of the dependency on python-yubico, is this feature something we want in core FreeIPA? As a subpackage? Separate project altogether? The only dependency for python-yubico is pyusb. I'd prefer to have it integrated but have a separate dummy subpackage that pulls in all required dependencies, like, freeipa-tools-yubico. Instead of failing when 'ipa otptoken-add-yubikey' is called, please wrap the python-yubico import into a code that allows reporting a message back to the user advising to install the package. Who is a supposed user for this command? IPA command line interface isn't usually available on enrolled machines even though underlying Python modules are all there. Are we talking about admins or just users? As discussed on IRC, we are currently hard-coding lots of optional dependencies. And breaking this apart into subpackages can be solved at a later point. YubiKey is also a unique case: we don't expect to be adding many more plugins like this. For these reasons, I have kept this as a hard dependency. To ease this transition, I have added python-yubico to F20 and EL6. You can help with the update review here: https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.fc20 https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.el6 3. This code currently emits a warning from the call to otptoken-add: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.89 How do I fix this? Do not filter 'version' field in options in execute(). I opted to not filter out version rather than hard-code it (pviktori's suggestion). This is based on the fact that otptoken-add-yubikey is tightly integrated with otptoken-add (even using some of the class attributes from otptoken). 4. I am not sure why I have to delete the summary and value keys from the return dictionary. It would be nice to display this summary message just like otptoken-add. I still need help on this. 5. Am I doing the ipatoken(vendor|model|serial) options correctly? These aren't user settable, but we need to pass them from the yubikey (client-side) to the server. This is no longer needed since I am doing everything in forward(). However, listing these three as output params causes them to appear before the token's ID. I don't think this is the right way to output these. But this seems to me a framework issue. 6. I'm not sure my use of assert or ValueError are correct. What should I do here? Still need help here. Fixed this part. 7. Considering that this is just a specialized invocation of otptoken-add, can't we do this all on the client-side? This is why I had originally used frontend.Local rather than frontend.Command. You don't need to implement execute then, only forward, where you'll forward your call to the server under otptoken_add name. Typically in #forward we call super's forward but that is because we in Command.forward() we simply forward the command to the remote backend, using the self.name. In your case we shouldn't really have a separate command on the server under the same name, so you'll need to avoid calling So, it should look like this: def forward(self, *args, **kw): perform yubikey initialization filter out kw and args, if needed return self.Backend.rpcclient.forward('otptoken_add', *args, **kw) See service_show implementation for an example. Fixed. I'm attaching few fixups to the patch that make it proper reporting for non-Yubikey case and also properly update VERSION. Provisional ACK. -- / Alexander Bokovoy From 1c83f1943a635a4b2541addd9fc21b6155fb12d6 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Wed, 25 Jun 2014 13:32:16 +0300 Subject: [PATCH 10/10] fixup! Add the otptoken-add-yubikey command --- ipalib/plugins/otptoken_yubikey.py | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/otptoken_yubikey.py b/ipalib/plugins/otptoken_yubikey.py index 30a81e5..b4f2188 100644 --- a/ipalib/plugins/otptoken_yubikey.py +++ b/ipalib/plugins/otptoken_yubikey.py @@ -18,6 +18,7 @@ # along with this program. If not, see http://www.gnu.org/licenses/. from ipalib import _, Str, IntEnum +from ipalib.errors import NotFound from ipalib.plugable import Registry from
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On Wed, 2014-06-25 at 13:35 +0300, Alexander Bokovoy wrote: On Mon, 23 Jun 2014, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 10:29 +0300, Alexander Bokovoy wrote: On Fri, 20 Jun 2014, Nathaniel McCallum wrote: On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote: This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey === NOTE === 1. This patch depends on the new Fedora package: python-yubico. If you would like to help with the package review, please assign yourself here: https://bugzilla.redhat.com/show_bug.cgi?id=334 New version of the patch. This one works (yay!). 1. Because of the dependency on python-yubico, is this feature something we want in core FreeIPA? As a subpackage? Separate project altogether? The only dependency for python-yubico is pyusb. I'd prefer to have it integrated but have a separate dummy subpackage that pulls in all required dependencies, like, freeipa-tools-yubico. Instead of failing when 'ipa otptoken-add-yubikey' is called, please wrap the python-yubico import into a code that allows reporting a message back to the user advising to install the package. Who is a supposed user for this command? IPA command line interface isn't usually available on enrolled machines even though underlying Python modules are all there. Are we talking about admins or just users? As discussed on IRC, we are currently hard-coding lots of optional dependencies. And breaking this apart into subpackages can be solved at a later point. YubiKey is also a unique case: we don't expect to be adding many more plugins like this. For these reasons, I have kept this as a hard dependency. To ease this transition, I have added python-yubico to F20 and EL6. You can help with the update review here: https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.fc20 https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.el6 3. This code currently emits a warning from the call to otptoken-add: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.89 How do I fix this? Do not filter 'version' field in options in execute(). I opted to not filter out version rather than hard-code it (pviktori's suggestion). This is based on the fact that otptoken-add-yubikey is tightly integrated with otptoken-add (even using some of the class attributes from otptoken). 4. I am not sure why I have to delete the summary and value keys from the return dictionary. It would be nice to display this summary message just like otptoken-add. I still need help on this. 5. Am I doing the ipatoken(vendor|model|serial) options correctly? These aren't user settable, but we need to pass them from the yubikey (client-side) to the server. This is no longer needed since I am doing everything in forward(). However, listing these three as output params causes them to appear before the token's ID. I don't think this is the right way to output these. But this seems to me a framework issue. 6. I'm not sure my use of assert or ValueError are correct. What should I do here? Still need help here. Fixed this part. 7. Considering that this is just a specialized invocation of otptoken-add, can't we do this all on the client-side? This is why I had originally used frontend.Local rather than frontend.Command. You don't need to implement execute then, only forward, where you'll forward your call to the server under otptoken_add name. Typically in #forward we call super's forward but that is because we in Command.forward() we simply forward the command to the remote backend, using the self.name. In your case we shouldn't really have a separate command on the server under the same name, so you'll need to avoid calling So, it should look like this: def forward(self, *args, **kw): perform yubikey initialization filter out kw and args, if needed return self.Backend.rpcclient.forward('otptoken_add', *args, **kw) See service_show implementation for an example. Fixed. I'm attaching few fixups to the patch that make it proper reporting for non-Yubikey case and also properly update VERSION. Provisional ACK. Merged. Nathaniel From 4a8f119c4e8de70e6f2f997167421947f18f907f Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Thu, 19 Jun 2014 12:28:32 -0400 Subject: [PATCH] Add the otptoken-add-yubikey command This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey --- VERSION| 4 +- freeipa.spec.in| 1 + ipalib/plugins/otptoken.py | 2 +-
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On Wed, 2014-06-25 at 09:53 -0400, Nathaniel McCallum wrote: On Wed, 2014-06-25 at 13:35 +0300, Alexander Bokovoy wrote: On Mon, 23 Jun 2014, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 10:29 +0300, Alexander Bokovoy wrote: On Fri, 20 Jun 2014, Nathaniel McCallum wrote: On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote: This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey === NOTE === 1. This patch depends on the new Fedora package: python-yubico. If you would like to help with the package review, please assign yourself here: https://bugzilla.redhat.com/show_bug.cgi?id=334 New version of the patch. This one works (yay!). 1. Because of the dependency on python-yubico, is this feature something we want in core FreeIPA? As a subpackage? Separate project altogether? The only dependency for python-yubico is pyusb. I'd prefer to have it integrated but have a separate dummy subpackage that pulls in all required dependencies, like, freeipa-tools-yubico. Instead of failing when 'ipa otptoken-add-yubikey' is called, please wrap the python-yubico import into a code that allows reporting a message back to the user advising to install the package. Who is a supposed user for this command? IPA command line interface isn't usually available on enrolled machines even though underlying Python modules are all there. Are we talking about admins or just users? As discussed on IRC, we are currently hard-coding lots of optional dependencies. And breaking this apart into subpackages can be solved at a later point. YubiKey is also a unique case: we don't expect to be adding many more plugins like this. For these reasons, I have kept this as a hard dependency. To ease this transition, I have added python-yubico to F20 and EL6. You can help with the update review here: https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.fc20 https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.el6 3. This code currently emits a warning from the call to otptoken-add: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.89 How do I fix this? Do not filter 'version' field in options in execute(). I opted to not filter out version rather than hard-code it (pviktori's suggestion). This is based on the fact that otptoken-add-yubikey is tightly integrated with otptoken-add (even using some of the class attributes from otptoken). 4. I am not sure why I have to delete the summary and value keys from the return dictionary. It would be nice to display this summary message just like otptoken-add. I still need help on this. 5. Am I doing the ipatoken(vendor|model|serial) options correctly? These aren't user settable, but we need to pass them from the yubikey (client-side) to the server. This is no longer needed since I am doing everything in forward(). However, listing these three as output params causes them to appear before the token's ID. I don't think this is the right way to output these. But this seems to me a framework issue. 6. I'm not sure my use of assert or ValueError are correct. What should I do here? Still need help here. Fixed this part. 7. Considering that this is just a specialized invocation of otptoken-add, can't we do this all on the client-side? This is why I had originally used frontend.Local rather than frontend.Command. You don't need to implement execute then, only forward, where you'll forward your call to the server under otptoken_add name. Typically in #forward we call super's forward but that is because we in Command.forward() we simply forward the command to the remote backend, using the self.name. In your case we shouldn't really have a separate command on the server under the same name, so you'll need to avoid calling So, it should look like this: def forward(self, *args, **kw): perform yubikey initialization filter out kw and args, if needed return self.Backend.rpcclient.forward('otptoken_add', *args, **kw) See service_show implementation for an example. Fixed. I'm attaching few fixups to the patch that make it proper reporting for non-Yubikey case and also properly update VERSION. Provisional ACK. Merged. This patch includes everything above and fixes the missing ./makeapi run. Nathaniel From 3f877142e99c12050def9f56c650eb474320bfff Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Thu, 19 Jun 2014 12:28:32 -0400 Subject: [PATCH] Add the otptoken-add-yubikey command This command behaves almost exactly like otptoken-add except: 1. The new token data
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On Fri, 20 Jun 2014, Nathaniel McCallum wrote: On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote: This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey === NOTE === 1. This patch depends on the new Fedora package: python-yubico. If you would like to help with the package review, please assign yourself here: https://bugzilla.redhat.com/show_bug.cgi?id=334 New version of the patch. This one works (yay!). 1. Because of the dependency on python-yubico, is this feature something we want in core FreeIPA? As a subpackage? Separate project altogether? The only dependency for python-yubico is pyusb. I'd prefer to have it integrated but have a separate dummy subpackage that pulls in all required dependencies, like, freeipa-tools-yubico. Instead of failing when 'ipa otptoken-add-yubikey' is called, please wrap the python-yubico import into a code that allows reporting a message back to the user advising to install the package. Who is a supposed user for this command? IPA command line interface isn't usually available on enrolled machines even though underlying Python modules are all there. Are we talking about admins or just users? 2. Should the import yubico statement be inside of the otptoken_add_yubikey.forward() method to reduce server dependencies? Here is how we do it in ipalibs/plugins/trust.py: try: import pysss_murmur #pylint: disable=F0401 _murmur_installed = True except Exception, e: _murmur_installed = False try: import pysss_nss_idmap #pylint: disable=F0401 _nss_idmap_installed = True except Exception, e: _nss_idmap_installed = False if api.env.in_server and api.env.context in ['lite', 'server']: try: import ipaserver.dcerpc #pylint: disable=F0401 _bindings_installed = True except ImportError: _bindings_installed = False and then in the actual code we do if not _bindings_installed: raise errors.NotFound( name=_('AD Trust setup'), reason=_( 'Cannot perform join operation without Samba 4 support ' 'installed. Make sure you have installed server-trust-ad ' 'sub-package of IPA' ) ) 3. This code currently emits a warning from the call to otptoken-add: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.89 How do I fix this? Do not filter 'version' field in options in execute(). 4. I am not sure why I have to delete the summary and value keys from the return dictionary. It would be nice to display this summary message just like otptoken-add. 5. Am I doing the ipatoken(vendor|model|serial) options correctly? These aren't user settable, but we need to pass them from the yubikey (client-side) to the server. 6. I'm not sure my use of assert or ValueError are correct. What should I do here? 7. Considering that this is just a specialized invocation of otptoken-add, can't we do this all on the client-side? This is why I had originally used frontend.Local rather than frontend.Command. You don't need to implement execute then, only forward, where you'll forward your call to the server under otptoken_add name. Typically in #forward we call super's forward but that is because we in Command.forward() we simply forward the command to the remote backend, using the self.name. In your case we shouldn't really have a separate command on the server under the same name, so you'll need to avoid calling So, it should look like this: def forward(self, *args, **kw): perform yubikey initialization filter out kw and args, if needed return self.Backend.rpcclient.forward('otptoken_add', *args, **kw) See service_show implementation for an example. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On 06/23/2014 09:29 AM, Alexander Bokovoy wrote: On Fri, 20 Jun 2014, Nathaniel McCallum wrote: On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote: This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey === NOTE === 1. This patch depends on the new Fedora package: python-yubico. If you would like to help with the package review, please assign yourself here: https://bugzilla.redhat.com/show_bug.cgi?id=334 New version of the patch. This one works (yay!). 1. Because of the dependency on python-yubico, is this feature something we want in core FreeIPA? As a subpackage? Separate project altogether? The only dependency for python-yubico is pyusb. I'd prefer to have it integrated but have a separate dummy subpackage that pulls in all required dependencies, like, freeipa-tools-yubico. Instead of failing when 'ipa otptoken-add-yubikey' is called, please wrap the python-yubico import into a code that allows reporting a message back to the user advising to install the package. +1. For 4.0, I would just fail cleanly and keep functioning if python-yubico is not configured, just like in Alexander's trust example. For 4.2, we plan to introduce subpackages (https://fedorahosted.org/freeipa/ticket/4058). This is the right time and place to introduce something like freeipa-server-otp which would contain the files and requirements for OTP. It would also give is time to get it to standard Fedora repositories if we want this functionality by default. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On 06/23/2014 09:29 AM, Alexander Bokovoy wrote: On Fri, 20 Jun 2014, Nathaniel McCallum wrote: 3. This code currently emits a warning from the call to otptoken-add: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.89 How do I fix this? Do not filter 'version' field in options in execute(). Please hardcode the API version instead of reusing it. This will be important when otptoken_add_yubikey is put in a separate package. i.e.: +answer = self.api.Command.otptoken_add(*args, +type=u'hotp', +ipatokenotpalgorithm=u'sha1', +ipatokenhotpcounter=0, +version='2.89', +**options) This way even if otptoken_add changes in the future, the fixed version string will trigger behavior compatible with what otptoken_add_yubikey expects now. -- PetrĀ³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On Mon, 2014-06-23 at 09:42 +0200, Martin Kosek wrote: On 06/23/2014 09:29 AM, Alexander Bokovoy wrote: On Fri, 20 Jun 2014, Nathaniel McCallum wrote: On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote: This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey === NOTE === 1. This patch depends on the new Fedora package: python-yubico. If you would like to help with the package review, please assign yourself here: https://bugzilla.redhat.com/show_bug.cgi?id=334 New version of the patch. This one works (yay!). 1. Because of the dependency on python-yubico, is this feature something we want in core FreeIPA? As a subpackage? Separate project altogether? The only dependency for python-yubico is pyusb. I'd prefer to have it integrated but have a separate dummy subpackage that pulls in all required dependencies, like, freeipa-tools-yubico. Instead of failing when 'ipa otptoken-add-yubikey' is called, please wrap the python-yubico import into a code that allows reporting a message back to the user advising to install the package. +1. For 4.0, I would just fail cleanly and keep functioning if python-yubico is not configured, just like in Alexander's trust example. For 4.2, we plan to introduce subpackages (https://fedorahosted.org/freeipa/ticket/4058). This is the right time and place to introduce something like freeipa-server-otp which would contain the files and requirements for OTP. It would also give is time to get it to standard Fedora repositories if we want this functionality by default. python-yubico is already in F21 (as of yesterday). So, unless there is some other reason that matters, we can probably just add a hard dependency for now. Is that acceptable? Nathaniel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On Mon, 2014-06-23 at 10:29 +0300, Alexander Bokovoy wrote: On Fri, 20 Jun 2014, Nathaniel McCallum wrote: On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote: This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey === NOTE === 1. This patch depends on the new Fedora package: python-yubico. If you would like to help with the package review, please assign yourself here: https://bugzilla.redhat.com/show_bug.cgi?id=334 New version of the patch. This one works (yay!). 1. Because of the dependency on python-yubico, is this feature something we want in core FreeIPA? As a subpackage? Separate project altogether? The only dependency for python-yubico is pyusb. I'd prefer to have it integrated but have a separate dummy subpackage that pulls in all required dependencies, like, freeipa-tools-yubico. Instead of failing when 'ipa otptoken-add-yubikey' is called, please wrap the python-yubico import into a code that allows reporting a message back to the user advising to install the package. Who is a supposed user for this command? IPA command line interface isn't usually available on enrolled machines even though underlying Python modules are all there. Are we talking about admins or just users? As discussed on IRC, we are currently hard-coding lots of optional dependencies. And breaking this apart into subpackages can be solved at a later point. YubiKey is also a unique case: we don't expect to be adding many more plugins like this. For these reasons, I have kept this as a hard dependency. To ease this transition, I have added python-yubico to F20 and EL6. You can help with the update review here: https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.fc20 https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.el6 3. This code currently emits a warning from the call to otptoken-add: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.89 How do I fix this? Do not filter 'version' field in options in execute(). I opted to not filter out version rather than hard-code it (pviktori's suggestion). This is based on the fact that otptoken-add-yubikey is tightly integrated with otptoken-add (even using some of the class attributes from otptoken). 4. I am not sure why I have to delete the summary and value keys from the return dictionary. It would be nice to display this summary message just like otptoken-add. I still need help on this. 5. Am I doing the ipatoken(vendor|model|serial) options correctly? These aren't user settable, but we need to pass them from the yubikey (client-side) to the server. This is no longer needed since I am doing everything in forward(). However, listing these three as output params causes them to appear before the token's ID. I don't think this is the right way to output these. But this seems to me a framework issue. 6. I'm not sure my use of assert or ValueError are correct. What should I do here? Still need help here. 7. Considering that this is just a specialized invocation of otptoken-add, can't we do this all on the client-side? This is why I had originally used frontend.Local rather than frontend.Command. You don't need to implement execute then, only forward, where you'll forward your call to the server under otptoken_add name. Typically in #forward we call super's forward but that is because we in Command.forward() we simply forward the command to the remote backend, using the self.name. In your case we shouldn't really have a separate command on the server under the same name, so you'll need to avoid calling So, it should look like this: def forward(self, *args, **kw): perform yubikey initialization filter out kw and args, if needed return self.Backend.rpcclient.forward('otptoken_add', *args, **kw) See service_show implementation for an example. Fixed. Nathaniel From f9d233bf2c46d86ff6ee3801495c90825d0daf6f Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Thu, 19 Jun 2014 12:28:32 -0400 Subject: [PATCH] Add the otptoken-add-yubikey command This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey --- freeipa.spec.in| 1 + ipalib/plugins/otptoken.py | 2 +- ipalib/plugins/otptoken_yubikey.py | 134 + 3 files changed, 136 insertions(+), 1 deletion(-) create mode 100644 ipalib/plugins/otptoken_yubikey.py diff --git a/freeipa.spec.in b/freeipa.spec.in index b719b4a21fd2263a6fb58b3dffd4784868e630e9..a0a0bc184c9e5f5d8c611534486d9ec74c7396cf 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -305,6 +305,7 @@ Requires: python-netaddr Requires:
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
Hi, On 19.6.2014 22:30, Nathaniel McCallum wrote: This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey === NOTE === 1. This patch depends on the new Fedora package: python-yubico. If you would like to help with the package review, please assign yourself here: https://bugzilla.redhat.com/show_bug.cgi?id=334 2. This patch doesn't actually work and I could use some help. The call to api.Command.otptoken_add() fails with: ipa: ERROR: non-public: AttributeError: no context.rpcclient in thread 'MainThread' Traceback (most recent call last): File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129, in execute result = self.Command[_name](*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439, in __call__ ret = self.run(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118, in run return self.forward(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py, line 471, in forward **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439, in __call__ ret = self.run(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 755, in run return self.forward(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 776, in forward return self.Backend.rpcclient.forward(self.name, *args, **kw) File /usr/lib/python2.7/site-packages/ipalib/rpc.py, line 874, in forward command = getattr(self.conn, name) File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 97, in __get_conn self.id, threading.currentThread().getName()) AttributeError: no context.rpcclient in thread 'MainThread' ipa: ERROR: an internal error has occurred This happens because when you use frontend.Local, no connection to the server is created (see cli.run()). Instead of using frontend.Local and overriding forward(), use frontend.Command and override execute(). Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote: This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey === NOTE === 1. This patch depends on the new Fedora package: python-yubico. If you would like to help with the package review, please assign yourself here: https://bugzilla.redhat.com/show_bug.cgi?id=334 New version of the patch. This one works (yay!). 1. Because of the dependency on python-yubico, is this feature something we want in core FreeIPA? As a subpackage? Separate project altogether? The only dependency for python-yubico is pyusb. 2. Should the import yubico statement be inside of the otptoken_add_yubikey.forward() method to reduce server dependencies? 3. This code currently emits a warning from the call to otptoken-add: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.89 How do I fix this? 4. I am not sure why I have to delete the summary and value keys from the return dictionary. It would be nice to display this summary message just like otptoken-add. 5. Am I doing the ipatoken(vendor|model|serial) options correctly? These aren't user settable, but we need to pass them from the yubikey (client-side) to the server. 6. I'm not sure my use of assert or ValueError are correct. What should I do here? 7. Considering that this is just a specialized invocation of otptoken-add, can't we do this all on the client-side? This is why I had originally used frontend.Local rather than frontend.Command. Nathaniel From 06ab253297b1428bcdd2a8c9a1a82532e828081a Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Thu, 19 Jun 2014 12:28:32 -0400 Subject: [PATCH] Add the otptoken-add-yubikey command This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey --- freeipa.spec.in| 1 + ipalib/plugins/otptoken.py | 106 - 2 files changed, 106 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index b719b4a21fd2263a6fb58b3dffd4784868e630e9..4228c88f939a361a32da6f875c48db8adee3cdc1 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -158,6 +158,7 @@ Requires(pre): certmonger = 0.65 Requires(pre): 389-ds-base = 1.3.2.11 Requires: fontawesome-fonts Requires: open-sans-fonts +Requires: python-yubico # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the # entire SELinux policy is stored in the system policy diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index d834d582a16d95ab08c3f1fe1aef29160c77ae23..7d5fff1665afe1ce48254ff1ecb5472e7d3b0b87 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py @@ -21,6 +21,7 @@ from ipalib.plugins.baseldap import DN, LDAPObject, LDAPAddMember, LDAPRemoveMem from ipalib.plugins.baseldap import LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, _, ngettext from ipalib.plugable import Registry +from ipalib.frontend import Command from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound from ipalib.request import context import base64 @@ -28,6 +29,7 @@ import uuid import urllib import qrcode import os +import yubico __doc__ = _( OTP Tokens @@ -196,7 +198,7 @@ class otptoken(LDAPObject): ), IntEnum('ipatokenotpdigits?', cli_name='digits', -label=_('Display length'), +label=_('Digits'), values=(6, 8), default=6, autofill=True, @@ -383,3 +385,105 @@ class otptoken_remove_managedby(LDAPRemoveMember): __doc__ = _('Remove hosts that can manage this host.') member_attributes = ['managedby'] + +@register() +class otptoken_add_yubikey(Command): +__doc__ = _('Add a new YubiKey OTP token.') + +takes_args = ( +Str('ipatokenuniqueid?', +cli_name='id', +label=_('Unique ID'), +primary_key=True, +), +) + +takes_options = Command.takes_options + ( +IntEnum('slot?', +cli_name='slot', +label=_('YubiKey slot'), +values=(1, 2), +), +Str('ipatokenvendor?', +cli_name='vendor', +label=_('Vendor'), +flags=('no_option') +), +Str('ipatokenmodel?', +cli_name='model', +label=_('Model'), +flags=('no_option') +), +Str('ipatokenserial?', +cli_name='serial', +label=_('Serial'), +flags=('no_option') +), +) + tuple([x for x in otptoken.takes_params if x.name in ( +'description', +
[Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey === NOTE === 1. This patch depends on the new Fedora package: python-yubico. If you would like to help with the package review, please assign yourself here: https://bugzilla.redhat.com/show_bug.cgi?id=334 2. This patch doesn't actually work and I could use some help. The call to api.Command.otptoken_add() fails with: ipa: ERROR: non-public: AttributeError: no context.rpcclient in thread 'MainThread' Traceback (most recent call last): File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129, in execute result = self.Command[_name](*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439, in __call__ ret = self.run(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118, in run return self.forward(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py, line 471, in forward **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439, in __call__ ret = self.run(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 755, in run return self.forward(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 776, in forward return self.Backend.rpcclient.forward(self.name, *args, **kw) File /usr/lib/python2.7/site-packages/ipalib/rpc.py, line 874, in forward command = getattr(self.conn, name) File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 97, in __get_conn self.id, threading.currentThread().getName()) AttributeError: no context.rpcclient in thread 'MainThread' ipa: ERROR: an internal error has occurred From 75f1a74dd2476d61fc47e5ab184acaf84261fe54 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Thu, 19 Jun 2014 12:28:32 -0400 Subject: [PATCH] Add the otptoken-add-yubikey command This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey --- freeipa.spec.in| 1 + ipalib/plugins/otptoken.py | 83 ++ 2 files changed, 84 insertions(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index b719b4a21fd2263a6fb58b3dffd4784868e630e9..4228c88f939a361a32da6f875c48db8adee3cdc1 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -158,6 +158,7 @@ Requires(pre): certmonger = 0.65 Requires(pre): 389-ds-base = 1.3.2.11 Requires: fontawesome-fonts Requires: open-sans-fonts +Requires: python-yubico # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the # entire SELinux policy is stored in the system policy diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index d834d582a16d95ab08c3f1fe1aef29160c77ae23..9746d2c96753111a05864b7151b12761553785a3 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py @@ -21,6 +21,7 @@ from ipalib.plugins.baseldap import DN, LDAPObject, LDAPAddMember, LDAPRemoveMem from ipalib.plugins.baseldap import LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, _, ngettext from ipalib.plugable import Registry +from ipalib.frontend import Local from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound from ipalib.request import context import base64 @@ -28,6 +29,7 @@ import uuid import urllib import qrcode import os +import yubico __doc__ = _( OTP Tokens @@ -383,3 +385,84 @@ class otptoken_remove_managedby(LDAPRemoveMember): __doc__ = _('Remove hosts that can manage this host.') member_attributes = ['managedby'] + +@register() +class otptoken_add_yubikey(Local): +__doc__ = _('Add a new YubiKey OTP token.') + +takes_args = ( +Str('ipatokenuniqueid?', +cli_name='id', +label=_('Unique ID'), +primary_key=True, +), +) + +takes_options = Local.takes_options + ( +IntEnum('slot?', +cli_name='slot', +label=_('YubiKey slot'), +values=(1, 2), +), +) + tuple([x for x in otptoken.takes_params if x.name in ( +'description', +'ipatokenowner', +'ipatokendisabled', +'ipatokennotbefore', +'ipatokennotafter', +'ipatokenotpkey', +'ipatokenotpdigits' +)]) + +def write_yubikey(self, **kwargs): +assert len(kwargs['ipatokenotpkey']) == 20 + +# Open the YubiKey +yk = yubico.find_yubikey() + +# If no slot is specified, find the first free slot. +slot = kwargs.get('slot', None) +if slot is None: +try: +used = yk.status().valid_configs() +slot = sorted({1,