We perform this enforcement at the API level since:
* DS level enforcement would be difficult
* ipatokenUniqueID generation already happens at the API level

It may be nice in the future to perform enforcement in the DS itself.
However, the question of the location of enforcement is largely an
aesthetic issue.

https://fedorahosted.org/freeipa/ticket/4456
From d52d7b5ed8514057a0d55ac2009576dadcec1cef Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccal...@redhat.com>
Date: Tue, 16 Sep 2014 13:21:05 -0400
Subject: [PATCH] Don't allow users to create tokens with a specified ID

We perform this enforcement at the API level since:
* DS level enforcement would be difficult
* ipatokenUniqueID generation already happens at the API level

It may be nice in the future to perform enforcement in the DS itself.
However, the question of the location of enforcement is largely an
aesthetic issue.

https://fedorahosted.org/freeipa/ticket/4456
---
 ipalib/plugins/otptoken.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 1bd85d4b952dc51ea800ed37c49b3c50aeb31492..231e383e3a3bc8506bed1c72f2859c2832c240a1 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -259,6 +259,14 @@ class otptoken_add(LDAPCreate):
             entry_attrs['ipatokenuniqueid'] = str(uuid.uuid4())
             dn = DN("ipatokenuniqueid=%s" % entry_attrs['ipatokenuniqueid'], dn)
 
+        # Ensure that no token id is specified if the user is not an admin.
+        else:
+            gresult = self.api.Command.group_show(cn=u'admins')['result']
+            uresult = self.api.Command.user_find(whoami=True)['result']
+            if uresult[0]['uid'][0] not in gresult['member_user']:
+                raise ValidationError(name='ipatokenuniqueid',
+                                      error='can only be specified by admins')
+
         if not _check_interval(options.get('ipatokennotbefore', None),
                                options.get('ipatokennotafter', None)):
             raise ValidationError(name='not_after',
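Review bot: the admin check in the new `else:` branch can itself raise rather than return a clean ValidationError: `gresult['member_user']` is a KeyError if the admins group has no direct members, and `uresult[0]` is an IndexError if `user_find(whoami=True)` returns no entry (for example when the bound principal is a host or service rather than a user). Consider `gresult.get('member_user', [])` and an explicit empty-result check that raises the same ValidationError. Note also that `member_user` lists direct members only, so a user who is an admin through a nested group would be refused; if indirect membership is intended, `memberindirect_user` needs to be consulted as well.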
-- 
2.1.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
