https://fedorahosted.org/freeipa/ticket/4244 -- David Kupka
From 513fd9b6cf7502ed08e31318dd9425bc12392720 Mon Sep 17 00:00:00 2001 From: David Kupka <dku...@redhat.com> Date: Wed, 23 Jul 2014 15:32:18 +0200 Subject: [PATCH] Verify otptoken timespan is valid
When creating or modifying otptoken check that token validity start is not after validity end.

https://fedorahosted.org/freeipa/ticket/4244
---
 ipalib/plugins/otptoken.py | 38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 2880ee660d5dcdb18c504f50d7b72f5b8fb43d48..7dc01caafdf73e3f54bb4fbdb2ee5e8540e09e74 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -21,7 +21,7 @@ from ipalib.plugins.baseldap import DN, LDAPObject, LDAPAddMember, LDAPRemoveMem
 from ipalib.plugins.baseldap import LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve
 from ipalib import api, Int, Str, Bool, DateTime, Flag, Bytes, IntEnum, StrEnum, Password, _, ngettext
 from ipalib.plugable import Registry
-from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound
+from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound, ValidationError
 from ipalib.request import context
 from ipalib.frontend import Local
 
@@ -103,6 +103,17 @@ def _normalize_owner(userobj, entry_attrs):
     if owner is not None:
         entry_attrs['ipatokenowner'] = userobj.get_dn(owner)
 
+def _check_interval(not_before, not_after):
+
+    if not_before and not_after:
+        if type(not_before) is str:
+            not_before = DateTime('not_before')._convert_scalar(not_before)
+        if type(not_after) is str:
+            not_after = DateTime('not_after')._convert_scalar(not_after)
+
+        if not_before > not_after:
+            return False
+    return True
 
 @register()
 class otptoken(LDAPObject):
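Review bot: `type(not_before) is str` and `type(not_after) is str` in `_check_interval` only catch byte strings, so a unicode value (which is what LDAP attribute values handed in by the otptoken_mod path are likely to be under Python 2) skips the conversion and `not_before > not_after` then orders a string against a datetime, raising TypeError instead of the ValidationError the callers expect. Prefer `if isinstance(not_before, basestring):` and `if isinstance(not_after, basestring):` so both string types are parsed (and str subclasses are covered). A short docstring would also help, e.g. "Return False when both bounds are set and not_before is later than not_after; True otherwise, including when either bound is missing," since both callers turn that False into a user-facing error.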
@@ -254,6 +265,11 @@ class otptoken_add(LDAPCreate):
         entry_attrs['ipatokenuniqueid'] = str(uuid.uuid4())
         dn = DN("ipatokenuniqueid=%s" % entry_attrs['ipatokenuniqueid'], dn)
 
+        if not _check_interval(entry_attrs.get('ipatokennotbefore', None),
+                               entry_attrs.get('ipatokennotafter', None)):
+            raise ValidationError(name='not_after',
+                                  error='is before not_before!')
+
         # Set the object class and defaults for specific token types
         entry_attrs['objectclass'] = otptoken.object_class + ['ipatoken' + options['type']]
         for ttype, tattrs in TOKEN_TYPES.items():
@@ -336,6 +352,26 @@ class otptoken_mod(LDAPUpdate):
     msg_summary = _('Modified OTP token "%(value)s"')
 
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+        notafter_set = True
+        notbefore = entry_attrs.get('ipatokennotbefore', None)
+        notafter = entry_attrs.get('ipatokennotafter', None)
+        # notbefore xor notafter, exactly one of them is not None
+        if bool(notbefore) ^ bool(notafter):
+            result = self.api.Command.otptoken_find(ipatokenuniqueid=
+                entry_attrs.get('ipatokenuniqueid', None))['result']
+            if result:
+                if notbefore is None:
+                    notbefore = result[0]['ipatokennotbefore'][0]
+                if notafter is None:
+                    notafter_set = False
+                    notafter = result[0]['ipatokennotafter'][0]
+        if not _check_interval(notbefore, notafter):
+            if notafter_set:
+                raise ValidationError(name='not_after',
+                                      error='is before not_before!')
+            else:
+                raise ValidationError(name='not_before',
+                                      error='is after not_after!')
         _normalize_owner(self.api.Object.user, entry_attrs)
         return dn
 
-- 
1.9.3
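Review bot: The message `error='is before not_before!'` in the new ValidationError is a bare string, whereas the other user-facing strings in this file are wrapped for translation (see `msg_summary = _('Modified OTP token "%(value)s"')` in the next hunk), so this one will never be localized; use `error=_('is before not_before!')`, `_` being already imported at the top of the file. The `, None` defaults on the two `entry_attrs.get` calls are redundant and can be dropped. The check also runs before the TOKEN_TYPES defaults loop just below it, so should a token type ever supply a default for one of the bounds it would escape validation; moving the check after that loop would close that gap. otptoken_add.pre_callback starts and ends outside this hunk.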
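Review bot: The current bounds are fetched with `otptoken_find(ipatokenuniqueid=entry_attrs.get('ipatokenuniqueid', None))`, but in an LDAPUpdate pre_callback entry_attrs carries only the attributes being changed, so that key is very likely absent, the search runs unfiltered, and `result[0]` is whichever token the search returns first rather than the one at `dn`, meaning the new bound gets validated against an unrelated token's interval (or not at all when the search is empty). `result[0]['ipatokennotbefore'][0]` also raises KeyError when the stored entry has no such attribute, e.g. a token created without `--not-before`, turning an ordinary `otptoken-mod --not-after` into an internal error. Both are avoided by reading the entry under modification through the `ldap` and `dn` the callback already receives (assuming `ldap.get_entry(dn, attrs)` is available here as elsewhere in the plugin framework — verify) and defaulting a missing attribute to None, as below; the `_check_interval` call and the two ValidationError branches stay as they are. As a smaller point, the two error strings should go through `_()` like the `msg_summary` in this same hunk.
```python
    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        notafter_set = True
        notbefore = entry_attrs.get('ipatokennotbefore')
        notafter = entry_attrs.get('ipatokennotafter')
        # Exactly one bound is being changed: read the other one from the
        # entry being modified, not from a search keyed on entry_attrs.
        if bool(notbefore) ^ bool(notafter):
            current = ldap.get_entry(dn, ['ipatokennotbefore',
                                          'ipatokennotafter'])
            if notbefore is None:
                notbefore = current.get('ipatokennotbefore', [None])[0]
            if notafter is None:
                notafter_set = False
                notafter = current.get('ipatokennotafter', [None])[0]
        # … unchanged: _check_interval call and the two ValidationError branches …
```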