freeipa.git/daemons/ipa-slapi-plugins/ipa-otp-lasttoken, branch fix_ber_scanf FreeIPA patches User must not be able to delete his last active otp token 2018-02-15T13:10:48+00:00 Florence Blanc-Renaud flo@redhat.com 2018-02-14T12:56:08+00:00 8b6506a5f1176ad768bb0e513436009906b8ff63 The 389-ds plugin for OTP last token is performing data initialization in its ipa_otp_lasttoken_init method, which is wrong according to the Plug-in Guide: > For example, the init function should not attempt to perform an > internal search or other internal operation, because the all of > the subsystems are not up and running during the init phase. This init method fills a structure containing the configuration of allowed authentication types. As the method is called too early, the method does not find any suffix and leaves the structure empty. Subsequent calls find an empty structure and take the default values (for authentication methods, the default is 1 = password). Because of that, the code consider that the global configuration defines password authentication method, and in this case it is allowed to delete a user's last otp token. The fix implements a SLAPI_PLUGIN_START_FN method that will be called when 389-ds is ready to initialize the plugin data, ensuring that the structure is properly initialized. Fixes: https://pagure.io/freeipa/issue/7012 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com> 
The 389-ds plugin for OTP last token is performing data initialization
in its ipa_otp_lasttoken_init method, which is wrong according to
the Plug-in Guide:
> For example, the init function should not attempt to perform an
> internal search or other internal operation, because the all of
> the subsystems are not up and running during the init phase.

This init method fills a structure containing the configuration of
allowed authentication types. As the method is called too early, the
method does not find any suffix and leaves the structure empty.
Subsequent calls find an empty structure and take the default values
(for authentication methods, the default is 1 = password).

Because of that, the code consider that the global configuration defines
password authentication method, and in this case it is allowed to delete
a user's last otp token.

The fix implements a SLAPI_PLUGIN_START_FN method that will be called
when 389-ds is ready to initialize the plugin data, ensuring that the
structure is properly initialized.

Fixes:
https://pagure.io/freeipa/issue/7012

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
slapi plugins: fix CFLAGS 2017-03-15T08:55:12+00:00 Jan Cholasta jcholast@redhat.com 2017-03-15T05:14:25+00:00 b7329e31f5c985b9721e3a21b1cd1bec6430129d Add explicit NSPR_CFLAGS and NSS_CFLAGS where NSPR_LIBS and NSS_LIBS is used. Use DIRSRV_CFLAGS rather than hardcode -I/usr/include/dirsrv. Append NSPR_CFLAGS to DIRSRV_CFLAGS in ./configure as slapi-plugin.h includes nspr.h. Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> 
Add explicit NSPR_CFLAGS and NSS_CFLAGS where NSPR_LIBS and NSS_LIBS is
used.

Use DIRSRV_CFLAGS rather than hardcode -I/usr/include/dirsrv.

Append NSPR_CFLAGS to DIRSRV_CFLAGS in ./configure as slapi-plugin.h
includes nspr.h.

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Build: remove incorrect use of MAINTAINERCLEANFILES 2016-11-16T08:12:07+00:00 Petr Spacek pspacek@redhat.com 2016-11-11T13:37:18+00:00 d5683726d290b71eb44ab3b3150381f062e74df1 Automake manual section 13 What Gets Cleaned says that make maintainer-clean should not remove files necessary for subsequent runs of ./configure. It practically means that all usage of MAINTAINERCLEANFILES were incorrect so I've removed them. https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Automake manual section 13 What Gets Cleaned says that make maintainer-clean
should not remove files necessary for subsequent runs of ./configure.

It practically means that all usage of MAINTAINERCLEANFILES were incorrect
so I've removed them.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Build: fix distribution of daemons/ipa-slapi-plugins/ipa-otp-lasttoken files 2016-11-09T12:08:32+00:00 Petr Spacek pspacek@redhat.com 2016-11-02T18:48:47+00:00 278cda7ede3777f61f31ec77199d02954512e133 https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Build: fix Makefile.am files to separate source and build directories 2016-11-09T12:08:32+00:00 Petr Spacek pspacek@redhat.com 2016-10-31T11:33:43+00:00 24feae47f26f40f757fbdd711399128d88c9b62c This is step forward working VPATH builds which cleanly separate sources and build artifacts. It makes the system cleaner and easier to understand. Python and web UI likely require more work to make VPATH builds working. https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
This is step forward working VPATH builds which cleanly separate sources
and build artifacts. It makes the system cleaner and easier to
understand.

Python and web UI likely require more work to make VPATH builds working.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
OTP: failed search for the user of last token emits an error message 2015-01-30T10:02:16+00:00 Martin Babinsky mbabinsk@redhat.com 2015-01-28T15:26:14+00:00 d800ac867baf7335e0c4b55b945b4c06d4c0567e This patch fixes the following defect reported by covscan: """ Error: CHECKED_RETURN (CWE-252): /daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c:119: check_return: Calling "slapi_search_internal_get_entry" without checking return value (as is done elsewhere 14 out of 16 times). /daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:402: example_checked: Example 1: "slapi_search_internal_get_entry(sdn, NULL, &config_entry, ipaenrollment_plugin_id)" has its value checked in "(rc = slapi_search_internal_get_entry(sdn, NULL, &config_entry, ipaenrollment_plugin_id)) != 0". /daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:207: example_assign: Example 2: Assigning: "ret" = return value from "slapi_search_internal_get_entry(sdn, NULL, &config_entry, getPluginID())". /daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:212: example_checked: Example 2 (cont.): "ret" has its value checked in "ret". /daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:651: example_assign: Example 3: Assigning: "search_result" = return value from "slapi_search_internal_get_entry(sdn, attrlist, e2, ipapwd_plugin_id)". /daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:653: example_checked: Example 3 (cont.): "search_result" has its value checked in "search_result != 0". /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1035: example_assign: Example 4: Assigning: "ret" = return value from "slapi_search_internal_get_entry(tmp_dn, NULL, &pwdop->pwdata.target, ipapwd_plugin_id)". /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1039: example_checked: Example 4 (cont.): "ret" has its value checked in "ret != 0". /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:817: example_assign: Example 5: Assigning: "ret" = return value from "slapi_search_internal_get_entry(tmp_dn, NULL, &e, getPluginID())". /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:820: example_checked: Example 5 (cont.): "ret" has its value checked in "ret == 10". """ this patch is a part of a series related to https://fedorahosted.org/freeipa/ticket/4795 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This patch fixes the following defect reported by covscan:

"""
Error: CHECKED_RETURN (CWE-252):
/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c:119:
check_return: Calling "slapi_search_internal_get_entry" without checking
return value (as is done elsewhere 14 out of 16 times).
/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:402:
example_checked: Example 1: "slapi_search_internal_get_entry(sdn, NULL,
&config_entry, ipaenrollment_plugin_id)" has its value checked in "(rc =
slapi_search_internal_get_entry(sdn, NULL, &config_entry,
ipaenrollment_plugin_id)) != 0".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:207:
example_assign: Example 2: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(sdn, NULL, &config_entry, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:212:
example_checked: Example 2 (cont.): "ret" has its value checked in "ret".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:651:
example_assign: Example 3: Assigning: "search_result" = return value from
"slapi_search_internal_get_entry(sdn, attrlist, e2, ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:653:
example_checked: Example 3 (cont.): "search_result" has its value checked in
"search_result != 0".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1035:
example_assign: Example 4: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(tmp_dn, NULL, &pwdop->pwdata.target,
ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1039:
example_checked: Example 4 (cont.): "ret" has its value checked in "ret != 0".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:817:
example_assign: Example 5: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(tmp_dn, NULL, &e, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:820:
example_checked: Example 5 (cont.): "ret" has its value checked in "ret ==
10".
"""

this patch is a part of a series related to
https://fedorahosted.org/freeipa/ticket/4795

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Enable last token deletion when password auth type is configured 2014-12-03T07:48:56+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-11-11T17:05:23+00:00 08f8acd88c1858000f5a15c3838e1bfd78551c55 Also, ensure that the last token check only executes on DNs/entries that are tokens. This resolves a large performance issue where a query was being performed to load all the user's tokens on every del/mod operation. https://fedorahosted.org/freeipa/ticket/4697 https://fedorahosted.org/freeipa/ticket/4719 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> 
Also, ensure that the last token check only executes on DNs/entries that
are tokens. This resolves a large performance issue where a query was
being performed to load all the user's tokens on every del/mod operation.

https://fedorahosted.org/freeipa/ticket/4697
https://fedorahosted.org/freeipa/ticket/4719

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Preliminary refactoring of libotp files 2014-12-03T07:48:56+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-11-11T01:58:20+00:00 bdccb0c721283f17a48423ab562ab5515ecd7f8e There are no major changes in this commit other than changing filenames and symbols to have consistent namespaces. This prepares for larger changes to come in subsequent commits. Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> 
There are no major changes in this commit other than changing filenames
and symbols to have consistent namespaces. This prepares for larger
changes to come in subsequent commits.

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Remove redefinition of LOG from ipa-otp-lasttoken 2014-11-25T08:23:24+00:00 Jan Cholasta jcholast@redhat.com 2014-11-10T17:20:18+00:00 313da898bb5e88ab6507322fae137af50b1b0f7e https://fedorahosted.org/freeipa/ticket/4713 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4713

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix various bugs in ipa-opt-counter and ipa-otp-lasttoken 2014-11-05T14:28:27+00:00 Jan Cholasta jcholast@redhat.com 2014-11-05T08:50:26+00:00 9062dcada48d378f7c46759607aff03c17b11163 Fixes a wrong sizeof argument and unchecked return values. https://fedorahosted.org/freeipa/ticket/4651 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Fixes a wrong sizeof argument and unchecked return values.

https://fedorahosted.org/freeipa/ticket/4651

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>