X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=ud-mailgate;h=d72cb9e99ea778db2ff3f6aa61f00116beb6310b;hb=14908ffbe8886fdd85bf143ef14200e0171c18cd;hp=fe9a6916afe55432c24cafe0e4233ec104a80118;hpb=41fc2a5c34f584714b2b768334d6ccc5839694f4;p=mirror%2Fuserdir-ldap.git
diff --git a/ud-mailgate b/ud-mailgate
index fe9a691..d72cb9e 100755
--- a/ud-mailgate
+++ b/ud-mailgate
@@ -7,7 +7,9 @@ import userdir_gpg, userdir_ldap, sys, traceback, time, ldap, os, commands
 import pwd, tempfile
-import hmac, haslib
+import hmac
+import sha as sha1_module
+
 from userdir_gpg import *
 from userdir_ldap import *
@@ -93,14 +95,6 @@ DelItems = {"c": None,
 "VoIP": None,
 };
-def make_hmac(str):
- F = open(PassDir+"/key-hmac","r");
- key = F.readline()
- F.close();
-
- return hmac.new(key, str, hashlib.sha1).hexdigest
-
-
 # Decode a GPS location from some common forms
 def LocDecode(Str,Dir):
@@ -473,22 +467,21 @@ def DoConfirmSudopassword(Str):
 SudoPasswd[uuid] = (hosts, hmac)
 return "got confirm for sudo password %s on host(s) %s, auth code %s" % (uuid,hosts, hmac)
-def FinishConfirmSudopassword(l, dn, Attrs):
+def FinishConfirmSudopassword(l, uid, Attrs):
 global SudoPasswd
 result = "\n"
 res = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid="+uid, ['sudoPassword']);
 if len(res) != 1:
 raise Error, "Not exactly one hit when searching for user"
- Attrs = res[0][1]
- if Attrs.has_key('sudoPassword'):
- inldap = Attrs['sudoPassword']
+ if res[0][1].has_key('sudoPassword'):
+ inldap = res[0][1]['sudoPassword']
 else:
 inldap = []
- first_entry = 0
+ newldap = []
 for entry in inldap:
- Match = re.compile('^('+UUID_FORMAT+') (confirmed|unconfirmed) ([a-z0-9,*]+) ([^ ]+)$'),match(entry.lower())
+ Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry.lower())
 if Match == None:
 raise Error, "Could not parse existing sudopasswd entry"
 uuid = Match.group(1)
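Review bot: `import sha as sha1_module` pulls in the `sha` module that has been deprecated in favour of `hashlib` since Python 2.5, and `sha1_module` is not referenced by any hunk of this diff; the line it replaces named `haslib` (a misspelling of `hashlib`), while the `make_hmac` removed further down called `hashlib.sha1`. `make_sudopasswd_hmac`, which the later hunks call, is not defined in this file's hunks, so it presumably arrives through `from userdir_ldap import *` together with whatever hash module it needs. If nothing outside the diff uses `sha1_module`, drop the import; if this file still needs SHA-1 somewhere, `import hashlib` with `hashlib.sha1` is the supported spelling.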
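Review bot: The rewritten pattern on the last changed line of the `FinishConfirmSudopassword` hunk is still matched against `entry.lower()`, so every group it yields is lower-cased, including the fourth one; if the lines after the hunk assign `cryptedpass = Match.group(4)` (the group assignments are outside this hunk), a crypt(3) hash containing upper-case characters reaches both `make_sudopasswd_hmac` calls in the next hunk lower-cased and is written back that way in `newentry`, which corrupts the stored hash and makes the `confirm-new-password` HMAC computed there differ from the one handed to the user. Match the original string with a case-insensitive pattern instead, `Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$', re.IGNORECASE).match(entry)`, and lower-case `uuid`, `status` and `hosts` individually afterwards if the `SudoPasswd` lookups in the next hunk rely on that. This was already the behaviour before the change, but the regex line is rewritten here and the HMAC scheme built on top of it is new; the function continues in the following hunk.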
@@ -499,27 +492,32 @@ def FinishConfirmSudopassword(l, dn, Attrs):
 if SudoPasswd.has_key(uuid):
 confirmedHosts = SudoPasswd[uuid][0]
 confirmedHmac = SudoPasswd[uuid][1]
- if status == "confirmed":
- result = result + "Entry %s for sudo password on hosts %s already confirmed.\n"%(uuid, hosts)
+ if status.startswith('confirmed:'):
+ if status == 'confirmed:'+make_sudopasswd_hmac('password-is-confirmed', uuid, hosts, cryptedpass):
+ result = result + "Entry %s for sudo password on hosts %s already confirmed.\n"%(uuid, hosts)
+ else:
+ result = result + "Entry %s for sudo password on hosts %s is listed as confirmed, but HMAC does not verify.\n"%(uuid, hosts)
 elif confirmedHosts != hosts:
 result = result + "Entry %s hostlist mismatch (%s vs. %s).\n"%(uuid, hosts, confirmedHosts)
- elif make_hmac(':'.join([uuid, hosts, cryptedpass])) == confirmedHmac:
+ elif make_sudopasswd_hmac('confirm-new-password', uuid, hosts, cryptedpass) == confirmedHmac:
 result = result + "Entry %s for sudo password on hosts %s now confirmed.\n"%(uuid, hosts)
- status = 'confirmed'
+ status = 'confirmed:'+make_sudopasswd_hmac('password-is-confirmed', uuid, hosts, cryptedpass)
 else:
 result = result + "Entry %s for sudo password on hosts %s HMAC verify failed.\n"%(uuid, hosts)
 del SudoPasswd[uuid]
 newentry = " ".join([uuid, status, hosts, cryptedpass])
- if first_entry:
- Attrs.append((ldap.MOD_ADD,"sudoPassword",newentry))
+ if len(newldap) == 0:
+ newldap.append((ldap.MOD_REPLACE,"sudoPassword",newentry))
 else:
- Attrs.append((ldap.MOD_REPLACE,"sudoPassword",newentry))
- first_entry = 1
+ newldap.append((ldap.MOD_ADD,"sudoPassword",newentry))
 for entry in SudoPasswd:
 result = result + "Entry %s that you confirm is not listed in ldap."%(entry)
+ for entry in newldap:
+ Attrs.append(entry)
+ return result
 # Handle an [almost] arbitary change
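Review bot: The `confirmed:` token is built twice with identical arguments in this hunk, once in the `status == 'confirmed:'+make_sudopasswd_hmac('password-is-confirmed', ...)` comparison and again when `status` is reassigned after a successful confirmation, so the two spellings have to be kept in sync by hand. Bind it once before the `if status.startswith('confirmed:'):` branch, `confirmed_token = 'confirmed:' + make_sudopasswd_hmac('password-is-confirmed', uuid, hosts, cryptedpass)`, then use `status == confirmed_token` and `status = confirmed_token`. Both HMAC checks use plain `==`, and the `confirm-new-password` one compares against `confirmedHmac`, a value that came in from the mail sender; where the interpreter provides `hmac.compare_digest` (2.7.7 and later; `hmac` is imported at the top of the file) prefer it so the comparison does not stop at the first differing byte. Smaller style points: `if len(newldap) == 0:` reads better as `if not newldap:`, and the trailing loop can be `Attrs.extend(newldap)`. `FinishConfirmSudopassword` begins in the previous hunk.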
@@ -573,9 +571,9 @@ def HandleChange(Reply,DnRecord,Key):
 try:
 Res = FinishConfirmSudopassword(l, GetAttr(DnRecord,"uid"), Attrs)
 Result = Result + Res + "\n";
- except:
+ except Error, e:
 CommitChanges = 0
- Result = Result + "ConfirmSudopassword raised an error - no changes committed\n";
+ Result = Result + "FinishConfirmSudopassword raised an error (%s) - no changes committed\n"%(e);
 # Modify the record
 Dn = "uid=" + GetAttr(DnRecord,"uid") + "," + BaseDn;
 if CommitChanges == 1:
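Review bot: Narrowing the handler to `except Error, e:` means an `ldap.LDAPError` raised by the `l.search_s` call inside `FinishConfirmSudopassword` now propagates out of `HandleChange` instead of being reported in the reply with `CommitChanges = 0`; whether a caller turns that into a sensible reply or a bare traceback is not visible from this hunk. If the old bare `except:` was also meant to cover LDAP failures, `except (Error, ldap.LDAPError), e:` keeps the reply path for them while still letting genuine programming errors surface, as the narrower clause intends. `HandleChange` starts before and ends after this hunk.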