X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=ud-mailgate;h=1ba2c53412b23158c4a7e1b6f08a88fe77f60449;hb=0539c19e661f05d992fdeb6e05ec9dcf99bb691d;hp=fe9a6916afe55432c24cafe0e4233ec104a80118;hpb=41fc2a5c34f584714b2b768334d6ccc5839694f4;p=mirror%2Fuserdir-ldap.git

diff --git a/ud-mailgate b/ud-mailgate
index fe9a691..1ba2c53 100755
--- a/ud-mailgate
+++ b/ud-mailgate
@@ -7,7 +7,7 @@
 
 import userdir_gpg, userdir_ldap, sys, traceback, time, ldap, os, commands
 import pwd, tempfile
-import hmac, haslib
+
 from userdir_gpg import *
 from userdir_ldap import *
 
@@ -82,7 +82,6 @@ DelItems = {"c": None,
             "jpegPhoto": None,
             "dnsZoneEntry": None,
 	    "sshRSAAuthKey": None,
-	    "sshDSAAuthKey": None,
             "birthDate" : None,
             "mailGreylisting": None,
             "mailCallout": None,
@@ -93,14 +92,6 @@ DelItems = {"c": None,
             "VoIP": None,
             };
 
-def make_hmac(str):
-   F = open(PassDir+"/key-hmac","r");
-   key = F.readline()
-   F.close();
-
-   return hmac.new(key, str, hashlib.sha1).hexdigest
-
-
 
 # Decode a GPS location from some common forms
 def LocDecode(Str,Dir):
@@ -461,7 +452,7 @@ def DoRBL(Str,Attrs):
 
 # Handle a ConfirmSudoPassword request
 def DoConfirmSudopassword(Str):
-   Match = re.compile('^confirm sudopassword ('+UUID_FORMAT+') ([a-z0-9,*]+) ([0-9a-f]{40})$').match(Str.lower())
+   Match = re.compile('^confirm sudopassword ('+UUID_FORMAT+') ([a-z0-9.,*]+) ([0-9a-f]{40})$').match(Str)
    if Match == None:
       return None
 
@@ -473,22 +464,21 @@ def DoConfirmSudopassword(Str):
    SudoPasswd[uuid] = (hosts, hmac)
    return "got confirm for sudo password %s on host(s) %s, auth code %s" % (uuid,hosts, hmac)
 
-def FinishConfirmSudopassword(l, dn, Attrs):
+def FinishConfirmSudopassword(l, uid, Attrs):
    global SudoPasswd
    result = "\n"
 
    res = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid="+uid, ['sudoPassword']);
    if len(res) != 1:
       raise Error, "Not exactly one hit when searching for user"
-   Attrs = res[0][1]
-   if Attrs.has_key('sudoPassword'):
-      inldap = Attrs['sudoPassword']
+   if res[0][1].has_key('sudoPassword'):
+      inldap = res[0][1]['sudoPassword']
    else:
       inldap = []
 
-   first_entry = 0
+   newldap = []
    for entry in inldap:
-      Match = re.compile('^('+UUID_FORMAT+') (confirmed|unconfirmed) ([a-z0-9,*]+) ([^ ]+)$'),match(entry.lower())
+      Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry)
       if Match == None:
          raise Error, "Could not parse existing sudopasswd entry"
       uuid = Match.group(1)
@@ -499,27 +489,32 @@ def FinishConfirmSudopassword(l, dn, Attrs):
       if SudoPasswd.has_key(uuid):
          confirmedHosts = SudoPasswd[uuid][0]
          confirmedHmac = SudoPasswd[uuid][1]
-         if status == "confirmed":
-            result = result + "Entry %s for sudo password on hosts %s already confirmed.\n"%(uuid, hosts)
+         if status.startswith('confirmed:'):
+            if status == 'confirmed:'+make_passwd_hmac('password-is-confirmed', 'sudo', uid, ,uuid, hosts, cryptedpass):
+               result = result + "Entry %s for sudo password on hosts %s already confirmed.\n"%(uuid, hosts)
+            else:
+               result = result + "Entry %s for sudo password on hosts %s is listed as confirmed, but HMAC does not verify.\n"%(uuid, hosts)
          elif confirmedHosts != hosts:
             result = result + "Entry %s hostlist mismatch (%s vs. %s).\n"%(uuid, hosts, confirmedHosts)
-         elif make_hmac(':'.join([uuid, hosts, cryptedpass])) == confirmedHmac:
+         elif make_passwd_hmac('confirm-new-password', 'sudo', uid, uuid, hosts, cryptedpass) == confirmedHmac:
             result = result + "Entry %s for sudo password on hosts %s now confirmed.\n"%(uuid, hosts)
-            status = 'confirmed'
+            status = 'confirmed:'+make_passwd_hmac('password-is-confirmed', 'sudo', uid, uuid, hosts, cryptedpass)
          else:
             result = result + "Entry %s for sudo password on hosts %s HMAC verify failed.\n"%(uuid, hosts)
          del SudoPasswd[uuid]
 
       newentry = " ".join([uuid, status, hosts, cryptedpass])
-      if first_entry:
-         Attrs.append((ldap.MOD_ADD,"sudoPassword",newentry))
+      if len(newldap) == 0:
+         newldap.append((ldap.MOD_REPLACE,"sudoPassword",newentry))
       else:
-         Attrs.append((ldap.MOD_REPLACE,"sudoPassword",newentry))
-         first_entry = 1
+         newldap.append((ldap.MOD_ADD,"sudoPassword",newentry))
 
    for entry in SudoPasswd:
       result = result + "Entry %s that you confirm is not listed in ldap."%(entry)
 
+   for entry in newldap:
+      Attrs.append(entry)
+
    return result
 
 # Handle an [almost] arbitary change
@@ -573,9 +568,9 @@ def HandleChange(Reply,DnRecord,Key):
    try:
       Res = FinishConfirmSudopassword(l, GetAttr(DnRecord,"uid"), Attrs)
       Result = Result + Res + "\n";
-   except:
+   except Error, e:
       CommitChanges = 0
-      Result = Result + "ConfirmSudopassword raised an error - no changes committed\n";
+      Result = Result + "FinishConfirmSudopassword raised an error (%s) - no changes committed\n"%(e);
    # Modify the record
    Dn = "uid=" + GetAttr(DnRecord,"uid") + "," + BaseDn;
    if CommitChanges == 1: