X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=blobdiff_plain;f=ud-mailgate;h=30af5831aed09c0b05ca80d9630449faf1a6407e;hp=49b26aeaed3d661797922af57b67d07c5d7942e3;hb=HEAD;hpb=28c3209e235e0d637172a1c5acd1e4142a58f8da diff --git a/ud-mailgate b/ud-mailgate index 49b26ae..30af583 100755 --- a/ud-mailgate +++ b/ud-mailgate @@ -33,6 +33,8 @@ ChPassFrom = ConfModule.chpassfrom ChangeFrom = ConfModule.changefrom ReplayCacheFile = ConfModule.replaycachefile SSHFingerprintFile = ConfModule.fingerprintfile +TOTPTicketDirectory = ConfModule.totpticketdirectory +WebUILocation = ConfModule.webuilocation UUID_FORMAT = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' machine_regex = re.compile("^[0-9a-zA-Z.-]+$") @@ -189,10 +191,11 @@ def DoArbChange(Str, Attrs): if i.lower() == attrName: attrName = i break - if attrName in ArbChanges: + if attrName not in ArbChanges: return None - if re.match(ArbChanges[attrName], G[1]) is None: + value = G[1] + if re.match(ArbChanges[attrName], value) is None: raise UDFormatError("Item does not match the required format" + ArbChanges[attrName]) Attrs.append((ldap.MOD_REPLACE, attrName, value)) @@ -368,6 +371,10 @@ def DoDNS(Str, Attrs, DnRecord): aaaarecord is None: return None + # Check for punycode. We ought to validate it before we allow it in our zone. + if Str.lower().startswith('xn--'): + return "Punycode not allowed: " + Str + # Check if the name is already taken G = re.match(r'^([-\w+]+)\s', Str) if G is None: @@ -432,7 +439,7 @@ def DoDNS(Str, Attrs, DnRecord): if p == "": if seenEmptypart: return "Invalid IPv6 address (%s): more than one :: (nothing in between colons) is not allowed" % (ipv6address) - seenEmptypart = True + seenEmptypart = True sanitized = "%s IN AAAA %s" % (hostname, ipv6address) else: raise UDFormatError("None of the types I recognize was it. I shouldn't be here. confused.") @@ -484,7 +491,7 @@ def DoConfirmSudopassword(Str, SudoPasswd): return "got confirm for sudo password %s on host(s) %s, auth code %s" % (uuid, hosts, hmac) -def FinishConfirmSudopassword(l, uid, Attrs, SudoPasswd): +def FinishConfirmSudopassword(lc, uid, Attrs, SudoPasswd): result = "\n" if len(SudoPasswd) == 0: @@ -493,7 +500,7 @@ def FinishConfirmSudopassword(l, uid, Attrs, SudoPasswd): res = lc.search_s(BaseDn, ldap.SCOPE_ONELEVEL, "uid=" + uid, ['sudoPassword']) if len(res) != 1: raise UDFormatError("Not exactly one hit when searching for user") - if sudoPassword in res[0][1]: + if 'sudoPassword' in res[0][1]: inldap = res[0][1]['sudoPassword'] else: inldap = [] @@ -553,7 +560,7 @@ def connect_to_ldap_and_check_if_locked(DnRecord): if (GetAttr(Attrs[0], "userPassword").find("*LK*") != -1) \ or GetAttr(Attrs[0], "userPassword").startswith("!"): raise UDNotAllowedError("This account is locked") - return l + return lc # Handle an [almost] arbitary change @@ -599,7 +606,7 @@ def HandleChange(Reply, DnRecord, Key): if CommitChanges == 1 and len(SudoPasswd) > 0: # only if we are still good to go try: - Res = FinishConfirmSudopassword(l, GetAttr(DnRecord, "uid"), Attrs, SudoPasswd) + Res = FinishConfirmSudopassword(lc, GetAttr(DnRecord, "uid"), Attrs, SudoPasswd) if Res is not None: Result += Res + "\n" except Error, e: @@ -683,7 +690,10 @@ def HandleChPass(Reply, DnRecord, Key): def HandleChTOTPSeed(Reply, DnRecord, Key): # Generate a random seed seed = binascii.hexlify(open("/dev/urandom", "r").read(32)) - msg = GPGEncrypt("Your new TOTP seed is '%s'\n" % (seed,), "0x" + Key[1], Key[4]) + random_id = binascii.hexlify(open("/dev/urandom", "r").read(32)) + totp_file_name = "%d-%s" % (time.time(), random_id,) + + msg = GPGEncrypt("Please go to %s/fetch-totp-seed.cgi?id=%s\n to fetch your TOTP seed" % (WebUILocation, totp_file_name), "0x" + Key[1], Key[4]) if msg is None: raise UDFormatError("Unable to generate the encrypted reply, gpg failed.") @@ -696,6 +706,12 @@ def HandleChTOTPSeed(Reply, DnRecord, Key): Reply += TemplateSubst(Subst, open(TemplatesDir + "totp-seed-changed", "r").read()) lc = connect_to_ldap_and_check_if_locked(DnRecord) + # Save the seed so the user can pick it up. + f = open(os.path.join(TOTPTicketDirectory, totp_file_name), os.O_WRONLY | os.O_CREAT) + print >> f, seed + print >> f, GetAttr(DnRecord, "uid") + f.close() + # Modify the password Rec = [(ldap.MOD_REPLACE, "totpSeed", seed)] Dn = "uid=" + GetAttr(DnRecord, "uid") + "," + BaseDn