ChangeFrom = ConfModule.changefrom
ReplayCacheFile = ConfModule.replaycachefile
SSHFingerprintFile = ConfModule.fingerprintfile
+TOTPTicketDirectory = ConfModule.totpticketdirectory
+WebUILocation = ConfModule.webuilocation
UUID_FORMAT = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
machine_regex = re.compile("^[0-9a-zA-Z.-]+$")
if i.lower() == attrName:
attrName = i
break
- if attrName in ArbChanges:
+ if attrName not in ArbChanges:
return None
- if re.match(ArbChanges[attrName], G[1]) is None:
+ value = G[1]
+ if re.match(ArbChanges[attrName], value) is None:
raise UDFormatError("Item does not match the required format" + ArbChanges[attrName])
Attrs.append((ldap.MOD_REPLACE, attrName, value))
aaaarecord is None:
return None
+ # Check for punycode. We ought to validate it before we allow it in our zone.
+ if Str.lower().startswith('xn--'):
+ return "Punycode not allowed: " + Str
+
# Check if the name is already taken
G = re.match(r'^([-\w+]+)\s', Str)
if G is None:
if p == "":
if seenEmptypart:
return "Invalid IPv6 address (%s): more than one :: (nothing in between colons) is not allowed" % (ipv6address)
- seenEmptypart = True
+ seenEmptypart = True
sanitized = "%s IN AAAA %s" % (hostname, ipv6address)
else:
raise UDFormatError("None of the types I recognize was it. I shouldn't be here. confused.")
return "got confirm for sudo password %s on host(s) %s, auth code %s" % (uuid, hosts, hmac)
-def FinishConfirmSudopassword(l, uid, Attrs, SudoPasswd):
+def FinishConfirmSudopassword(lc, uid, Attrs, SudoPasswd):
result = "\n"
if len(SudoPasswd) == 0:
res = lc.search_s(BaseDn, ldap.SCOPE_ONELEVEL, "uid=" + uid, ['sudoPassword'])
if len(res) != 1:
raise UDFormatError("Not exactly one hit when searching for user")
- if sudoPassword in res[0][1]:
+ if 'sudoPassword' in res[0][1]:
inldap = res[0][1]['sudoPassword']
else:
inldap = []
if CommitChanges == 1 and len(SudoPasswd) > 0: # only if we are still good to go
try:
- Res = FinishConfirmSudopassword(l, GetAttr(DnRecord, "uid"), Attrs, SudoPasswd)
+ Res = FinishConfirmSudopassword(lc, GetAttr(DnRecord, "uid"), Attrs, SudoPasswd)
if Res is not None:
Result += Res + "\n"
except Error, e:
def HandleChTOTPSeed(Reply, DnRecord, Key):
# Generate a random seed
seed = binascii.hexlify(open("/dev/urandom", "r").read(32))
- msg = GPGEncrypt("Your new TOTP seed is '%s'\n" % (seed,), "0x" + Key[1], Key[4])
+ random_id = binascii.hexlify(open("/dev/urandom", "r").read(32))
+ totp_file_name = "%d-%s" % (time.time(), random_id,)
+
+ msg = GPGEncrypt("Please go to %s/fetch-totp-seed.cgi?id=%s\n to fetch your TOTP seed" % (WebUILocation, totp_file_name), "0x" + Key[1], Key[4])
if msg is None:
raise UDFormatError("Unable to generate the encrypted reply, gpg failed.")
Reply += TemplateSubst(Subst, open(TemplatesDir + "totp-seed-changed", "r").read())
lc = connect_to_ldap_and_check_if_locked(DnRecord)
+ # Save the seed so the user can pick it up.
+ f = open(os.path.join(TOTPTicketDirectory, totp_file_name), os.O_WRONLY | os.O_CREAT)
+ print >> f, seed
+ print >> f, GetAttr(DnRecord, "uid")
+ f.close()
+
# Modify the password
Rec = [(ldap.MOD_REPLACE, "totpSeed", seed)]
Dn = "uid=" + GetAttr(DnRecord, "uid") + "," + BaseDn
projects / mirror / userdir-ldap.git / blobdiff