X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=ud-mailgate;h=bd77120ebcf1089cb5a88100e5cab8760f0600fd;hb=b87aa2309e65df00e0134ea5fd6aea63486e70eb;hp=49b26aeaed3d661797922af57b67d07c5d7942e3;hpb=28c3209e235e0d637172a1c5acd1e4142a58f8da;p=mirror%2Fuserdir-ldap.git diff --git a/ud-mailgate b/ud-mailgate index 49b26ae..bd77120 100755 --- a/ud-mailgate +++ b/ud-mailgate @@ -33,6 +33,8 @@ ChPassFrom = ConfModule.chpassfrom ChangeFrom = ConfModule.changefrom ReplayCacheFile = ConfModule.replaycachefile SSHFingerprintFile = ConfModule.fingerprintfile +TOTPTicketDirectory = ConfModule.totpticketdirectory +WebUILocation = ConfModule.webuilocation UUID_FORMAT = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' machine_regex = re.compile("^[0-9a-zA-Z.-]+$") @@ -189,10 +191,11 @@ def DoArbChange(Str, Attrs): if i.lower() == attrName: attrName = i break - if attrName in ArbChanges: + if attrName not in ArbChanges: return None - if re.match(ArbChanges[attrName], G[1]) is None: + value = G[1] + if re.match(ArbChanges[attrName], value) is None: raise UDFormatError("Item does not match the required format" + ArbChanges[attrName]) Attrs.append((ldap.MOD_REPLACE, attrName, value)) @@ -432,7 +435,7 @@ def DoDNS(Str, Attrs, DnRecord): if p == "": if seenEmptypart: return "Invalid IPv6 address (%s): more than one :: (nothing in between colons) is not allowed" % (ipv6address) - seenEmptypart = True + seenEmptypart = True sanitized = "%s IN AAAA %s" % (hostname, ipv6address) else: raise UDFormatError("None of the types I recognize was it. I shouldn't be here. confused.") @@ -484,7 +487,7 @@ def DoConfirmSudopassword(Str, SudoPasswd): return "got confirm for sudo password %s on host(s) %s, auth code %s" % (uuid, hosts, hmac) -def FinishConfirmSudopassword(l, uid, Attrs, SudoPasswd): +def FinishConfirmSudopassword(lc, uid, Attrs, SudoPasswd): result = "\n" if len(SudoPasswd) == 0: @@ -493,7 +496,7 @@ def FinishConfirmSudopassword(l, uid, Attrs, SudoPasswd): res = lc.search_s(BaseDn, ldap.SCOPE_ONELEVEL, "uid=" + uid, ['sudoPassword']) if len(res) != 1: raise UDFormatError("Not exactly one hit when searching for user") - if sudoPassword in res[0][1]: + if 'sudoPassword' in res[0][1]: inldap = res[0][1]['sudoPassword'] else: inldap = [] @@ -553,7 +556,7 @@ def connect_to_ldap_and_check_if_locked(DnRecord): if (GetAttr(Attrs[0], "userPassword").find("*LK*") != -1) \ or GetAttr(Attrs[0], "userPassword").startswith("!"): raise UDNotAllowedError("This account is locked") - return l + return lc # Handle an [almost] arbitary change @@ -599,7 +602,7 @@ def HandleChange(Reply, DnRecord, Key): if CommitChanges == 1 and len(SudoPasswd) > 0: # only if we are still good to go try: - Res = FinishConfirmSudopassword(l, GetAttr(DnRecord, "uid"), Attrs, SudoPasswd) + Res = FinishConfirmSudopassword(lc, GetAttr(DnRecord, "uid"), Attrs, SudoPasswd) if Res is not None: Result += Res + "\n" except Error, e: @@ -683,7 +686,10 @@ def HandleChPass(Reply, DnRecord, Key): def HandleChTOTPSeed(Reply, DnRecord, Key): # Generate a random seed seed = binascii.hexlify(open("/dev/urandom", "r").read(32)) - msg = GPGEncrypt("Your new TOTP seed is '%s'\n" % (seed,), "0x" + Key[1], Key[4]) + random_id = binascii.hexlify(open("/dev/urandom", "r").read(32)) + totp_file_name = "%d-%s" % (time.time(), random_id,) + + msg = GPGEncrypt("Please go to %s/fetch-totp-seed?id=%s\n to fetch your TOTP seed" % (WebUILocation, totp_file_name), "0x" + Key[1], Key[4]) if msg is None: raise UDFormatError("Unable to generate the encrypted reply, gpg failed.") @@ -696,6 +702,11 @@ def HandleChTOTPSeed(Reply, DnRecord, Key): Reply += TemplateSubst(Subst, open(TemplatesDir + "totp-seed-changed", "r").read()) lc = connect_to_ldap_and_check_if_locked(DnRecord) + # Save the seed so the user can pick it up. + f = open(os.path.join(TOTPTicketDirectory, totp_file_name), os.O_WRONLY | os.O_CREAT) + f.write(seed) + f.close() + # Modify the password Rec = [(ldap.MOD_REPLACE, "totpSeed", seed)] Dn = "uid=" + GetAttr(DnRecord, "uid") + "," + BaseDn