path: root/ipalib/plugins/otptoken.py
Commit history for this file, newest first. Each entry gives the subject, then (author, date, files changed, lines removed/added), followed by the commit message.
* ipalib: move server-side plugins to ipaserver (Jan Cholasta, 2016-06-03, 1 file, -464/+0)
  Move the remaining plugin code from ipalib.plugins to ipaserver.plugins. Remove the now unused ipalib.plugins package.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>

* ipalib: split off client-side plugin code into ipaclient (Jan Cholasta, 2016-06-03, 1 file, -77/+0)
  Provide client-side overrides for command plugins which implement any of the client-side `interactive_prompt_callback`, `forward` or `output_for_cli` methods and move the methods from the original plugins to the overrides.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>

* help, makeapi: specify module topic by name (Jan Cholasta, 2016-06-03, 1 file, -1/+1)
  Specify module topic by name rather than by name and summary. A topic module of the topic name must exist. Summary is extracted from the docstring of the topic module. This change makes topic handling more generic and consistent between modules and commands.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>

* ipalib: move client-side plugins to ipaclient (Jan Cholasta, 2016-06-03, 1 file, -81/+1)
  Move the rpcclient backend and commands which are executed on the client to ipaclient.plugins.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Performance: Find commands: do not process members by default (Martin Basti, 2016-05-31, 1 file, -1/+2)
  In all *-find commands, member attributes shouldn't be processed, due to a high amount of LDAP searches which cause serious performance issues. For this reason the --no-members option is set by default in CLI and API. To get members in a *-find command, the option --all is required in the CLI, or 'no_members=False' or 'all=True' must be set in the API call. For other commands processing of members stays unchanged. WebUI is not affected by this change.
  https://fedorahosted.org/freeipa/ticket/4995
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipalib: use relative imports for cross-plugin imports (Jan Cholasta, 2016-05-25, 1 file, -2/+2)
  This will make it possible to move the plugin modules between ipalib, ipaclient and ipaserver without having to change the imports.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>

* otptoken: fix import of DN (Jan Cholasta, 2016-05-25, 1 file, -1/+2)
  Import DN from ipapython.dn rather than ipalib.plugins.baseldap. This will make it possible to move otptoken_sync to ipaclient.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>

* ipalib: make optional positional command arguments actually optional (Jan Cholasta, 2016-05-25, 1 file, -0/+3)
  Fix several plugins not to assume optional positional arguments have a value of None when not specified.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>
* parameters: remove unused ConversionError and ValidationError arguments (Jan Cholasta, 2016-05-25, 1 file, -3/+3)
  Do not set the `value`, `index` and `rule` arguments when raising ConversionError and ValidationError. The arguments are unused and are not specified consistently across the framework and plugins.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>
* otptoken-add: improve the robustness of QR code printing (Martin Babinsky, 2016-03-24, 1 file, -7/+66)
  The python-qrcode print_ascii() method does not work in terminals with non-UTF-8 encoding. When this is the case do not render the QR code but print a warning instead. Also print a warning when the QR code size is greater than the terminal width if the output is a tty.
  https://fedorahosted.org/freeipa/ticket/5700
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove unused imports (Martin Basti, 2015-12-23, 1 file, -1/+5)
  This patch removes unused imports; also pylint has been configured to check unused imports.
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use six.moves.urllib instead of urllib/urllib2/urlparse (Petr Viktorin, 2015-10-07, 1 file, -12/+12)
  In Python 3, these modules are reorganized.
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Alias "unicode" to "str" under Python 3 (Jan Cholasta, 2015-09-17, 1 file, -0/+5)
  The six way of doing this is to replace all occurrences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting.
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use the print function (Petr Viktorin, 2015-09-01, 1 file, -2/+4)
  In Python 3, `print` is no longer a statement. Call it as a function everywhere, and include the future import to remove the statement in Python 2 code as well.
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Replace uses of map() (Petr Viktorin, 2015-09-01, 1 file, -2/+2)
  In Python 2, map() returns a list; in Python 3 it returns an iterator. Replace all uses by list comprehensions, generators, or for loops, as required.
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Use Python3-compatible dict method names (Petr Viktorin, 2015-09-01, 1 file, -1/+1)
  Python 2 has keys()/values()/items(), which return lists, iterkeys()/itervalues()/iteritems(), which return iterators, and viewkeys()/viewvalues()/viewitems() which return views. Python 3 has only keys()/values()/items(), which return views. To get iterators, one can use iter() or a for loop/comprehension; for lists there's the list() constructor.
  When iterating through the entire dict, without modifying the dict, the difference between Python 2's items() and iteritems() is negligible, especially on small dicts (the main overhead is extra memory, not CPU time). In the interest of simpler code, this patch changes many instances of iteritems() to items(), iterkeys() to keys() etc. In other cases, helpers like six.itervalues are used.
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Modernize 'except' clauses (Petr Viktorin, 2015-08-12, 1 file, -1/+1)
  The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax.
  Reviewed-By: Tomas Babej <tbabej@redhat.com>

* Fix otptoken-remove-managedby command summary (Fraser Tweedale, 2015-08-05, 1 file, -1/+1)
  Reviewed-By: Tomas Babej <tbabej@redhat.com>

* otptoken: use ipapython.nsslib instead of Python's ssl module (Christian Heimes, 2015-07-27, 1 file, -28/+8)
  The otptoken plugin is the only module in FreeIPA that uses Python's ssl module instead of NSS. The patch replaces ssl with NSSConnection. It uses the default NSS database to lookup trust anchors. NSSConnection uses NSS for hostname matching. The package python-backports-ssl_match_hostname is no longer required.
  https://fedorahosted.org/freeipa/ticket/5068
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Fix OTP token URI generation (Nathaniel McCallum, 2015-06-17, 1 file, -1/+1)
  Google Authenticator fails if the algorithm is not uppercase.
  https://fedorahosted.org/freeipa/ticket/5047
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Make lint work on Fedora 22. (David Kupka, 2015-04-27, 1 file, -0/+1)
  pylint added 'confidence' parameter to 'add_message' method of PyLinter. To be compatible with both pre- and post-1.4, IPALinter must accept the parameter but not pass it over. Also the python3 checker was added and enabled by default. FreeIPA is still not ready for python3. Additionally a few false positives were marked.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Changing the token owner changes also the manager (Martin Babinsky, 2015-02-18, 1 file, -0/+13)
  This works if the change is made to a token which is owned and managed by the same person. The new owner then automatically becomes the token's manager unless the attribute 'managedBy' is explicitly set otherwise.
  https://fedorahosted.org/freeipa/ticket/4681
  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Create an OTP help topic (Nathaniel McCallum, 2014-12-05, 1 file, -0/+2)
  This allows the various OTP related commands to be grouped together in the IPA CLI documentation.
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>

* Enable QR code display by default in otptoken-add (Nathaniel McCallum, 2014-11-19, 1 file, -2/+3)
  This is possible because python-qrcode's output now fits in a standard terminal. Also, update ipa-otp-import and otptoken-add-yubikey to disable QR code output as it doesn't make sense in these contexts.
  https://fedorahosted.org/freeipa/ticket/4703
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>

* Ensure users exist when assigning tokens to them (Nathaniel McCallum, 2014-11-13, 1 file, -2/+5)
  https://fedorahosted.org/freeipa/ticket/4642
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Improve otptoken help messages (Nathaniel McCallum, 2014-11-13, 1 file, -1/+17)
  https://fedorahosted.org/freeipa/ticket/4689
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>

* Display token type when viewing token (Nathaniel McCallum, 2014-10-20, 1 file, -3/+25)
  When viewing a token from the CLI or UI, the type of the token should be displayed.
  https://fedorahosted.org/freeipa/ticket/4563
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Remove token vendor, model and serial defaults (Nathaniel McCallum, 2014-10-16, 1 file, -6/+0)
  These defaults are pretty useless and cause more confusion than they are worth. The serial default never worked anyway. And now that we are displaying the token type separately, there is no reason to doubly record these data points.
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>

* Update qrcode support for newer python-qrcode (Nathaniel McCallum, 2014-09-11, 1 file, -2/+2)
  This substantially reduces the FreeIPA dependencies and allows QR codes to fit in a standard terminal.
  https://fedorahosted.org/freeipa/ticket/4430
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>

* Verify otptoken timespan is valid (David Kupka, 2014-07-29, 1 file, -1/+30)
  When creating or modifying otptoken check that token validity start is not after validity end.
  https://fedorahosted.org/freeipa/ticket/4244
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* ipalib: Use DateTime parameter class for OTP token timestamp attributes (Tomas Babej, 2014-07-04, 1 file, -3/+3)
  For ipatokennotbefore and ipatokennotafter attributes use DateTime parameter class instead of Str, since these are represented as LDAP Generalized Time in LDAP.
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Add otptoken-sync command (Nathaniel McCallum, 2014-06-26, 1 file, -1/+101)
  This command calls the token sync HTTP POST call in the server providing the CLI interface to synchronization.
  https://fedorahosted.org/freeipa/ticket/4260
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

* Add the otptoken-add-yubikey command (Nathaniel McCallum, 2014-06-26, 1 file, -1/+1)
  This command behaves almost exactly like otptoken-add except:
  1. The new token data is written directly to a YubiKey
  2. The vendor/model/serial fields are populated from the YubiKey
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

* Make otptoken use os.urandom() for random data (Nathaniel McCallum, 2014-06-20, 1 file, -2/+2)
  This also fixes an error where the default value was not respecting the KEY_LENGTH variable.
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Add support for managedBy to tokens (Nathaniel McCallum, 2014-06-16, 1 file, -7/+31)
  This also constitutes a rethinking of the token ACIs after the introduction of SELFDN support.
  Admins, as before, have full access to all token permissions.
  Normal users have read/search/compare access to all of the non-secret data for tokens assigned to them, whether managed by them or not. Users can add tokens if, and only if, they will also manage this token.
  Managers can also read/search/compare tokens they manage. Additionally, they can write non-secret data to their managed tokens and delete them.
  When a normal user self-creates a token (the default behavior), then managedBy is automatically set. When an admin creates a token for another user (or no owner is assigned at all), then managedBy is not set. In this second case, the token is effectively read-only for the assigned owner.
  This behavior enables two important other behaviors. First, an admin can create a hardware token and assign it to the user as a read-only token. Second, when the user is deleted, only his self-managed tokens are deleted. All other (read-only) tokens are instead orphaned. This permits the same token object to be reassigned to another user without loss of any counter data.
  https://fedorahosted.org/freeipa/ticket/4228
  https://fedorahosted.org/freeipa/ticket/4259
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Split long docstrings that were recently modified (Petr Viktorin, 2014-06-10, 1 file, -7/+7)
  When the strings are changed again, translators will only need to re-translate the modified parts.
  See: https://fedorahosted.org/freeipa/ticket/3587
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Default the token owner to the person adding the token (Nathaniel McCallum, 2014-05-23, 1 file, -1/+8)
  Creating tokens for yourself is the most common operation. Making this the default optimizes for the common case.
  Reviewed-By: Simo Sorce <simo@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
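The token-ownership rules spread across several commits in this log (the owner defaulting to the person adding the token, the check that the owner exists, an owner change carrying management along for a self-managed token, the validity-window check, and the owner/managedBy access model with its read-only hardware tokens and orphaning on user deletion) are easier to reason about together. The following in-memory model is an added example written for this page, not FreeIPA's code: only the attribute names (ipatokenotpkey, ipatokennotbefore, ipatokennotafter, managedBy) come from the log; the TokenStore class, its method names, the admin and user sets, and the decision to drop a deleted user from remaining managedBy sets are assumptions.

```python
"""Added example, not FreeIPA code: an in-memory model of the token owner and
managedBy rules stated in the commit messages above.  Attribute names are
IPA's; the TokenStore API and the admin/user sets are assumptions."""
from dataclasses import dataclass
from datetime import datetime

SECRET_ATTRS = {"ipatokenotpkey"}  # never exposed to or writable by non-admins


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def check_window(attrs):
    """Validity start must not lie after validity end (LDAP Generalized Time)."""
    nb, na = attrs.get("ipatokennotbefore"), attrs.get("ipatokennotafter")
    fmt = "%Y%m%d%H%M%SZ"
    if nb and na and datetime.strptime(nb, fmt) > datetime.strptime(na, fmt):
        raise ValueError("ipatokennotbefore is after ipatokennotafter")


@dataclass
class Token:
    uniqueid: str
    owner: str  # None once orphaned
    managedby: set
    attrs: dict


class TokenStore:
    def __init__(self, users, admins):
        self.users, self.admins, self.tokens = set(users), set(admins), {}

    def _get(self, uniqueid):
        if uniqueid not in self.tokens:
            raise NotFound(uniqueid)
        return self.tokens[uniqueid]

    def _require_manager(self, actor, token):
        if actor not in self.admins and actor not in token.managedby:
            raise Forbidden("%s does not manage %s" % (actor, token.uniqueid))

    def add(self, actor, uniqueid, owner=None, managedby=None, **attrs):
        """Owner defaults to the adder and must exist.  Non-admins may only add
        tokens they will manage; an admin-created token for another user gets
        no managedBy and is therefore read-only for that user."""
        check_window(attrs)
        owner = actor if owner is None else owner
        if owner not in self.users:
            raise NotFound("no such user: %s" % owner)
        if actor in self.admins:
            managedby = set(managedby or ())
        elif managedby is None:
            managedby = {actor}
        elif actor not in managedby:
            raise Forbidden("users may only add tokens they will manage")
        self.tokens[uniqueid] = Token(uniqueid, owner, managedby, dict(attrs))
        return self.tokens[uniqueid]

    def read(self, actor, uniqueid):
        """Owners and managers see non-secret data; admins see everything."""
        token = self._get(uniqueid)
        if actor in self.admins:
            return dict(token.attrs)
        if actor == token.owner or actor in token.managedby:
            return {k: v for k, v in token.attrs.items() if k not in SECRET_ATTRS}
        raise Forbidden("%s may not read %s" % (actor, uniqueid))

    def modify(self, actor, uniqueid, **changes):
        """Managers write non-secret data; the secret is admin-only."""
        token = self._get(uniqueid)
        self._require_manager(actor, token)
        if actor not in self.admins and SECRET_ATTRS & set(changes):
            raise Forbidden("only admins may change the token secret")
        merged = dict(token.attrs, **changes)
        check_window(merged)
        token.attrs = merged

    def set_owner(self, actor, uniqueid, new_owner, managedby=None):
        """A self-managed token handed to a new owner is managed by the new
        owner too, unless managedBy is set explicitly."""
        token = self._get(uniqueid)
        self._require_manager(actor, token)
        if new_owner not in self.users:
            raise NotFound("no such user: %s" % new_owner)
        if managedby is not None:
            token.managedby = set(managedby)
        elif token.managedby == {token.owner}:
            token.managedby = {new_owner}
        token.owner = new_owner

    def delete(self, actor, uniqueid):
        self._require_manager(actor, self._get(uniqueid))
        del self.tokens[uniqueid]

    def delete_user(self, actor, user):
        """Deleting a user removes only the tokens they own and manage; tokens
        they merely own are orphaned, counters intact, for reassignment."""
        if actor not in self.admins:
            raise Forbidden("only admins may delete users")
        self.users.discard(user)
        for token in list(self.tokens.values()):
            if token.owner == user and user in token.managedby:
                del self.tokens[token.uniqueid]
                continue
            if token.owner == user:
                token.owner = None
            token.managedby.discard(user)  # assumption: drop dangling managers
```

The point worth checking in such a model is the asymmetry between owner and manager: an owner who is not in managedBy can read the token's non-secret attributes but can neither change nor delete it, and the secret is never returned to anyone but an admin.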
* Only specify the ipatokenuniqueid default in the add operation (Nathaniel McCallum, 2014-05-23, 1 file, -2/+5)
  Specifying the default in the LDAP Object causes the parameter to be specified for non-add operations. This is especially problematic when performing the modify operation as it causes the primary key to change for every modification.
  https://fedorahosted.org/freeipa/ticket/4227
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>

* Fix a typo in the otptoken doc string (Nathaniel McCallum, 2014-05-06, 1 file, -4/+4)
  https://fedorahosted.org/freeipa/ticket/4289
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Fix token secret length RFC compliance (Nathaniel McCallum, 2014-03-05, 1 file, -1/+1)
  RFC 4226 states the following in section 4:
    R6 - The algorithm MUST use a strong shared secret. The length of the shared secret MUST be at least 128 bits. This document RECOMMENDs a shared secret length of 160 bits.
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Rework how otptoken defaults are handled (Nathaniel McCallum, 2014-03-05, 1 file, -32/+33)
  We had originally decided to provide defaults on the server side so that they could be part of a global config for the admin. However, on further reflection, only certain defaults really make sense given the limitations of Google Authenticator. Similarly, other defaults may be token specific. Attempting to handle defaults on the server side also makes both the UI and the generated documentation unclear.
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Use super() properly to avoid an exception (Nathaniel McCallum, 2014-02-21, 1 file, -1/+1)
  https://fedorahosted.org/freeipa/ticket/4099
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

* Add HOTP support (Nathaniel McCallum, 2014-02-21, 1 file, -7/+19)
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

* Fix generation of invalid OTP URIs (Nathaniel McCallum, 2014-02-13, 1 file, -0/+9)
  https://fedorahosted.org/freeipa/ticket/4169
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
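Several commits in this log touch the OTP mechanics themselves: drawing key material from os.urandom(), the RFC 4226 minimum secret length, HOTP support, the otpauth URI fixes (including the upper-case algorithm name that Google Authenticator insists on), and the counter resynchronisation behind otptoken-sync. The block below is an added example written for this page, not FreeIPA's own code: the function names, the `issuer:account` label format and the resync window are assumptions; the RFC 4226 and RFC 6238 test vectors it is checked against are the published ones.

```python
"""Added example (not FreeIPA's own code): OTP secret generation, otpauth://
URI construction and HOTP/TOTP computation.  Function names, the URI label
format and the resync window are assumptions; the RFC test vectors are real."""
import base64
import hmac
import os
import struct
from urllib.parse import quote, urlencode

# RFC 4226 R6: the shared secret MUST be at least 128 bits; 160 is RECOMMENDED.
KEY_LENGTH = 20      # bytes, i.e. 160 bits
MIN_KEY_LENGTH = 16  # bytes, i.e. 128 bits


def generate_secret(length=KEY_LENGTH):
    """Draw a token secret from the OS CSPRNG; refuse sub-RFC lengths."""
    if length < MIN_KEY_LENGTH:
        raise ValueError("OTP secret must be at least 128 bits")
    return os.urandom(length)


def hotp(key, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced to the requested number of digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, unix_time, digits=6, algorithm="sha1", period=30, t0=0):
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(key, (int(unix_time) - t0) // period, digits, algorithm)


def hotp_resync(key, counter, first_code, second_code, window=1000, digits=6):
    """Model of a token-sync operation: find two consecutive codes within
    `window` steps ahead of the stored counter and return the counter that
    follows them, or None.  Codes are compared in constant time."""
    for c in range(counter, counter + window):
        if (hmac.compare_digest(hotp(key, c, digits), first_code)
                and hmac.compare_digest(hotp(key, c + 1, digits), second_code)):
            return c + 2
    return None


def otpauth_uri(token_type, issuer, account, key, algorithm="sha1",
                digits=6, period=30, counter=0):
    """Build the otpauth:// URI a QR code would carry.  The algorithm name is
    upper-cased because Google Authenticator rejects lower-case names, and the
    secret is base32 without padding.  The "issuer:account" label is assumed."""
    if token_type not in ("totp", "hotp"):
        raise ValueError("token type must be 'totp' or 'hotp'")
    params = {
        "secret": base64.b32encode(key).decode("ascii").rstrip("="),
        "issuer": issuer,
        "algorithm": algorithm.upper(),
        "digits": digits,
    }
    if token_type == "totp":
        params["period"] = period
    else:
        params["counter"] = counter
    label = quote("%s:%s" % (issuer, account), safe="")
    return "otpauth://%s/%s?%s" % (token_type, label, urlencode(params))


if __name__ == "__main__":
    rfc_key = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret
    print(hotp(rfc_key, 0), totp(rfc_key, 59, digits=8))
    print(otpauth_uri("totp", "IPA", "alice@EXAMPLE.COM", generate_secret()))
```

Two design points a practitioner would check: the resync search is bounded by `window`, so a client cannot make the server grind through an unbounded counter range, and the two codes are compared with hmac.compare_digest rather than `==` to avoid leaking match position through timing.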
* Fix OTP token names/labels (Nathaniel McCallum, 2014-02-13, 1 file, -3/+3)
  https://fedorahosted.org/freeipa/ticket/4171
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

* Add OTP support to ipalib CLI (Nathaniel McCallum, 2013-12-18, 1 file, -0/+329)
  https://fedorahosted.org/freeipa/ticket/3368