summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins/otptoken.py
Commit message (Collapse)AuthorAgeFilesLines
* Use six.moves.urllib instead of urllib/urllib2/urlparsePetr Viktorin2015-10-071-12/+12
| | | | | | | | In Python 3, these modules are reorganized. Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Alias "unicode" to "str" under Python 3Jan Cholasta2015-09-171-0/+5
| | | | | | | | | The six way of doing this is to replace all occurences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use the print functionPetr Viktorin2015-09-011-2/+4
| | | | | | | | | In Python 3, `print` is no longer a statement. Call it as a function everywhere, and include the future import to remove the statement in Python 2 code as well. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Replace uses of map()Petr Viktorin2015-09-011-2/+2
| | | | | | | | | | In Python 2, map() returns a list; in Python 3 it returns an iterator. Replace all uses by list comprehensions, generators, or for loops, as required. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use Python3-compatible dict method namesPetr Viktorin2015-09-011-1/+1
| | | | | | | | | | | | | | | | | | | | | | Python 2 has keys()/values()/items(), which return lists, iterkeys()/itervalues()/iteritems(), which return iterators, and viewkeys()/viewvalues()/viewitems() which return views. Python 3 has only keys()/values()/items(), which return views. To get iterators, one can use iter() or a for loop/comprehension; for lists there's the list() constructor. When iterating through the entire dict, without modifying the dict, the difference between Python 2's items() and iteritems() is negligible, especially on small dicts (the main overhead is extra memory, not CPU time). In the interest of simpler code, this patch changes many instances of iteritems() to items(), iterkeys() to keys() etc. In other cases, helpers like six.itervalues are used. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Modernize 'except' clausesPetr Viktorin2015-08-121-1/+1
| | | | | | | The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix otptoken-remove-managedby command summaryFraser Tweedale2015-08-051-1/+1
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* otptoken: use ipapython.nsslib instead of Python's ssl moduleChristian Heimes2015-07-271-28/+8
| | | | | | | | | | | | The otptoken plugin is the only module in FreeIPA that uses Python's ssl module instead of NSS. The patch replaces ssl with NSSConnection. It uses the default NSS database to lookup trust anchors. NSSConnection uses NSS for hostname matching. The package python-backports-ssl_match_hostname is no longer required. https://fedorahosted.org/freeipa/ticket/5068 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix OTP token URI generationNathaniel McCallum2015-06-171-1/+1
| | | | | | | | Google Authenticator fails if the algorithm is not uppercase. https://fedorahosted.org/freeipa/ticket/5047 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Make lint work on Fedora 22.David Kupka2015-04-271-0/+1
| | | | | | | | | | | pylint added 'confidence' parameter to 'add_message' method of PyLinter. To be compatible with both, pre- and post- 1.4 IPALinter must accept the parameter but not pass it over. Also python3 checker was added and enabled by default. FreeIPA is still not ready for python3. Additionally few false-positives was marked. Reviewed-By: Martin Basti <mbasti@redhat.com>
* Changing the token owner changes also the managerMartin Babinsky2015-02-181-0/+13
| | | | | | | | | | This works if the change is made to a token which is owned and managed by the same person. The new owner then automatically becomes token's manager unless the attribute 'managedBy' is explicitly set otherwise. https://fedorahosted.org/freeipa/ticket/4681 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Create an OTP help topicNathaniel McCallum2014-12-051-0/+2
| | | | | | | This allows the various OTP related commands to be grouped together in the IPA CLI documentation. Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Enable QR code display by default in otptoken-addNathaniel McCallum2014-11-191-2/+3
| | | | | | | | | | This is possible because python-qrcode's output now fits in a standard terminal. Also, update ipa-otp-import and otptoken-add-yubikey to disable QR code output as it doesn't make sense in these contexts. https://fedorahosted.org/freeipa/ticket/4703 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Ensure users exist when assigning tokens to themNathaniel McCallum2014-11-131-2/+5
| | | | | | | https://fedorahosted.org/freeipa/ticket/4642 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Improve otptoken help messagesNathaniel McCallum2014-11-131-1/+17
| | | | | | https://fedorahosted.org/freeipa/ticket/4689 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Display token type when viewing tokenNathaniel McCallum2014-10-201-3/+25
| | | | | | | | | When viewing a token from the CLI or UI, the type of the token should be displayed. https://fedorahosted.org/freeipa/ticket/4563 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove token vendor, model and serial defaultsNathaniel McCallum2014-10-161-6/+0
| | | | | | | | | These defaults are pretty useless and cause more confusion than they are worth. The serial default never worked anyway. And now that we are displaying the token type separately, there is no reason to doubly record these data points. Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Update qrcode support for newer python-qrcodeNathaniel McCallum2014-09-111-2/+2
| | | | | | | | | This substantially reduces the FreeIPA dependencies and allows QR codes to fit in a standard terminal. https://fedorahosted.org/freeipa/ticket/4430 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Verify otptoken timespan is validDavid Kupka2014-07-291-1/+30
| | | | | | | | | When creating or modifying otptoken check that token validity start is not after validity end. https://fedorahosted.org/freeipa/ticket/4244 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipalib: Use DateTime parameter class for OTP token timestamp attributesTomas Babej2014-07-041-3/+3
| | | | | | | | For ipatokennotbefore and ipatokennotafter attributes use DateTime parameter class instead of Str, since these are represented as LDAP Generalized Time in LDAP. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add otptoken-sync commandNathaniel McCallum2014-06-261-1/+101
| | | | | | | | | This command calls the token sync HTTP POST call in the server providing the CLI interface to synchronization. https://fedorahosted.org/freeipa/ticket/4260 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add the otptoken-add-yubikey commandNathaniel McCallum2014-06-261-1/+1
| | | | | | | | This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Make otptoken use os.urandom() for random dataNathaniel McCallum2014-06-201-2/+2
| | | | | | | This also fixes an error where the default value was not respecting the KEY_LENGTH variable. Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Add support for managedBy to tokensNathaniel McCallum2014-06-161-7/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This also constitutes a rethinking of the token ACIs after the introduction of SELFDN support. Admins, as before, have full access to all token permissions. Normal users have read/search/compare access to all of the non-secret data for tokens assigned to them, whether managed by them or not. Users can add tokens if, and only if, they will also manage this token. Managers can also read/search/compare tokens they manage. Additionally, they can write non-secret data to their managed tokens and delete them. When a normal user self-creates a token (the default behavior), then managedBy is automatically set. When an admin creates a token for another user (or no owner is assigned at all), then managed by is not set. In this second case, the token is effectively read-only for the assigned owner. This behavior enables two important other behaviors. First, an admin can create a hardware token and assign it to the user as a read-only token. Second, when the user is deleted, only his self-managed tokens are deleted. All other (read-only) tokens are instead orphaned. This permits the same token object to be reasigned to another user without loss of any counter data. https://fedorahosted.org/freeipa/ticket/4228 https://fedorahosted.org/freeipa/ticket/4259 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Split long docstrings that were recently modifiedPetr Viktorin2014-06-101-7/+7
| | | | | | | | When the strings are changed again, translators will only need to re-translate the modified parts. See: https://fedorahosted.org/freeipa/ticket/3587 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Default the token owner to the person adding the tokenNathaniel McCallum2014-05-231-1/+8
| | | | | | | | Creating tokens for yourself is the most common operation. Making this the default optimizes for the common case. Reviewed-By: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Only specify the ipatokenuniqueid default in the add operationNathaniel McCallum2014-05-231-2/+5
| | | | | | | | | | | Specifying the default in the LDAP Object causes the parameter to be specified for non-add operations. This is especially problematic when performing the modify operation as it causes the primary key to change for every modification. https://fedorahosted.org/freeipa/ticket/4227 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix a typo in the otptoken doc stringNathaniel McCallum2014-05-061-4/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4289 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix token secret length RFC complianceNathaniel McCallum2014-03-051-1/+1
| | | | | | | | | RFC 4226 states the following in section 4: R6 - The algorithm MUST use a strong shared secret. The length of the shared secret MUST be at least 128 bits. This document RECOMMENDs a shared secret length of 160 bits. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Rework how otptoken defaults are handledNathaniel McCallum2014-03-051-32/+33
| | | | | | | | | | | | We had originally decided to provide defaults on the server side so that they could be part of a global config for the admin. However, on further reflection, only certain defaults really make sense given the limitations of Google Authenticator. Similarly, other defaults may be token specific. Attempting to handle defaults on the server side also makes both the UI and the generated documentation unclear. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use super() properly to avoid an exceptionNathaniel McCallum2014-02-211-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4099 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add HOTP supportNathaniel McCallum2014-02-211-7/+19
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix generation of invalid OTP URIsNathaniel McCallum2014-02-131-0/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/4169 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix OTP token names/labelsNathaniel McCallum2014-02-131-3/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4171 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add OTP support to ipalib CLINathaniel McCallum2013-12-181-0/+329
https://fedorahosted.org/freeipa/ticket/3368
generated by cgit (git 2.34.1) at 2025-09-01 03:14:53 +0000