https://fedorahosted.org/freeipa/ticket/4244
--
David Kupka
From 513fd9b6cf7502ed08e31318dd9425bc12392720 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 23 Jul 2014 15:32:18 +0200
Subject: [PATCH] Verify otptoken timespan is valid

When creating or modifying otptoken check that token validity start is not after
validity end.

https://fedorahosted.org/freeipa/ticket/4244
---
 ipalib/plugins/otptoken.py | 38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 2880ee660d5dcdb18c504f50d7b72f5b8fb43d48..7dc01caafdf73e3f54bb4fbdb2ee5e8540e09e74 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -21,7 +21,7 @@ from ipalib.plugins.baseldap import DN, LDAPObject, LDAPAddMember, LDAPRemoveMem
 from ipalib.plugins.baseldap import LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve
 from ipalib import api, Int, Str, Bool, DateTime, Flag, Bytes, IntEnum, StrEnum, Password, _, ngettext
 from ipalib.plugable import Registry
-from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound
+from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound, ValidationError
 from ipalib.request import context
 from ipalib.frontend import Local
 
@@ -103,6 +103,17 @@ def _normalize_owner(userobj, entry_attrs):
     if owner is not None:
         entry_attrs['ipatokenowner'] = userobj.get_dn(owner)
 
+def _check_interval(not_before, not_after):
+
+    if not_before and not_after:
+        if type(not_before) is str:
+            not_before = DateTime('not_before')._convert_scalar(not_before)
+        if type(not_after) is str:
+            not_after = DateTime('not_after')._convert_scalar(not_after)
+
+        if not_before > not_after:
+            return False
+    return True
 
 @register()
 class otptoken(LDAPObject):
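Review bot: The `type(not_before) is str` / `type(not_after) is str` tests in `_check_interval` only convert exact `str` objects, so a bound that arrives as `unicode` (which ipalib parameter values presumably are on Python 2) is left unconverted and `not_before > not_after` then compares a string with a datetime, which raises TypeError instead of returning False. A string check that covers both types, `if isinstance(not_before, basestring):` (same for `not_after`), keeps the conversion path reachable. The helper also has no docstring; a one-liner such as `"""Return False when both bounds are set and not_before is later than not_after; True otherwise."""` would document that an open interval (either bound missing) is accepted. Note that it relies on the private `DateTime._convert_scalar`, so a change to that parameter class silently changes this check.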
@@ -254,6 +265,11 @@ class otptoken_add(LDAPCreate):
             entry_attrs['ipatokenuniqueid'] = str(uuid.uuid4())
             dn = DN("ipatokenuniqueid=%s" % entry_attrs['ipatokenuniqueid'], dn)
 
+        if not _check_interval(entry_attrs.get('ipatokennotbefore', None),
+                               entry_attrs.get('ipatokennotafter', None)):
+            raise ValidationError(name='not_after',
+                                    error='is before not_before!')
+
         # Set the object class and defaults for specific token types
         entry_attrs['objectclass'] = otptoken.object_class + ['ipatoken' + options['type']]
         for ttype, tattrs in TOKEN_TYPES.items():
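Review bot: The user-facing error text `'is before not_before!'` is not wrapped in `_()` although the other messages in this file are (for example the `msg_summary` of `otptoken_mod`), so it will not be translated; the same applies to both messages in the `otptoken_mod.pre_callback` hunk below. Use `error=_('is before not_before!')` here and `error=_('is after not_after!')` for the other one. The enclosing `pre_callback` of `otptoken_add` starts and ends outside this hunk.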
@@ -336,6 +352,26 @@ class otptoken_mod(LDAPUpdate):
     msg_summary = _('Modified OTP token "%(value)s"')
 
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+        notafter_set = True
+        notbefore = entry_attrs.get('ipatokennotbefore', None)
+        notafter = entry_attrs.get('ipatokennotafter', None)
+        # notbefore xor notafter, exactly one of them is not None
+        if bool(notbefore) ^ bool(notafter):
+            result = self.api.Command.otptoken_find(ipatokenuniqueid=
+                entry_attrs.get('ipatokenuniqueid', None))['result']
+            if result:
+                if notbefore is None:
+                    notbefore = result[0]['ipatokennotbefore'][0]
+                if notafter is None:
+                    notafter_set = False
+                    notafter = result[0]['ipatokennotafter'][0]
+        if not _check_interval(notbefore, notafter):
+            if notafter_set:
+                raise ValidationError(name='not_after',
+                                    error='is before not_before!')
+            else:
+                raise ValidationError(name='not_before',
+                                    error='is after not_after!')
         _normalize_owner(self.api.Object.user, entry_attrs)
         return dn
 
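Review bot: `result[0]['ipatokennotbefore'][0]` and `result[0]['ipatokennotafter'][0]` raise KeyError when the stored token has no value for the bound that is not being modified (the one-sided case this branch exists for), turning a valid "open interval" update into a crash. It also looks like `entry_attrs` does not carry `ipatokenuniqueid` in an LDAPUpdate pre_callback (the primary key arrives in `keys`), in which case `otptoken_find(ipatokenuniqueid=None)` matches every token and `result[0]` is an unrelated entry; reading the existing entry by the `dn` the callback already has avoids both problems, provided `_check_interval` can parse the stored LDAP timestamp format (verify). Suggested rewrite of the lookup:
```python
    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        notafter_set = True
        notbefore = entry_attrs.get('ipatokennotbefore', None)
        notafter = entry_attrs.get('ipatokennotafter', None)
        # Exactly one bound is being changed: read the other from the entry
        # itself; a bound missing from the entry leaves the interval open.
        if bool(notbefore) ^ bool(notafter):
            stored = ldap.get_entry(dn, ['ipatokennotbefore', 'ipatokennotafter'])
            if notbefore is None:
                notbefore = stored.get('ipatokennotbefore', [None])[0]
            if notafter is None:
                notafter_set = False
                notafter = stored.get('ipatokennotafter', [None])[0]
        # … unchanged: _check_interval check, ValidationError raises, _normalize_owner …
```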
-- 
1.9.3
