X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=blobdiff_plain;f=ud-mailgate;h=30af5831aed09c0b05ca80d9630449faf1a6407e;hp=b40be70d2488ba3469e05cba69cc1b5c3d24116d;hb=refs%2Fheads%2Fmaster;hpb=786f3f9a89d13adcf5e742c9a7e1630d3f6b57f1 diff --git a/ud-mailgate b/ud-mailgate index b40be70..30af583 100755 --- a/ud-mailgate +++ b/ud-mailgate @@ -33,6 +33,8 @@ ChPassFrom = ConfModule.chpassfrom ChangeFrom = ConfModule.changefrom ReplayCacheFile = ConfModule.replaycachefile SSHFingerprintFile = ConfModule.fingerprintfile +TOTPTicketDirectory = ConfModule.totpticketdirectory +WebUILocation = ConfModule.webuilocation UUID_FORMAT = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' machine_regex = re.compile("^[0-9a-zA-Z.-]+$") @@ -189,10 +191,11 @@ def DoArbChange(Str, Attrs): if i.lower() == attrName: attrName = i break - if attrName in ArbChanges: + if attrName not in ArbChanges: return None - if re.match(ArbChanges[attrName], G[1]) is None: + value = G[1] + if re.match(ArbChanges[attrName], value) is None: raise UDFormatError("Item does not match the required format" + ArbChanges[attrName]) Attrs.append((ldap.MOD_REPLACE, attrName, value)) @@ -368,6 +371,10 @@ def DoDNS(Str, Attrs, DnRecord): aaaarecord is None: return None + # Check for punycode. We ought to validate it before we allow it in our zone. + if Str.lower().startswith('xn--'): + return "Punycode not allowed: " + Str + # Check if the name is already taken G = re.match(r'^([-\w+]+)\s', Str) if G is None: @@ -432,7 +439,7 @@ def DoDNS(Str, Attrs, DnRecord): if p == "": if seenEmptypart: return "Invalid IPv6 address (%s): more than one :: (nothing in between colons) is not allowed" % (ipv6address) - seenEmptypart = True + seenEmptypart = True sanitized = "%s IN AAAA %s" % (hostname, ipv6address) else: raise UDFormatError("None of the types I recognize was it. I shouldn't be here. confused.") @@ -493,7 +500,7 @@ def FinishConfirmSudopassword(lc, uid, Attrs, SudoPasswd): res = lc.search_s(BaseDn, ldap.SCOPE_ONELEVEL, "uid=" + uid, ['sudoPassword']) if len(res) != 1: raise UDFormatError("Not exactly one hit when searching for user") - if sudoPassword in res[0][1]: + if 'sudoPassword' in res[0][1]: inldap = res[0][1]['sudoPassword'] else: inldap = [] @@ -683,7 +690,10 @@ def HandleChPass(Reply, DnRecord, Key): def HandleChTOTPSeed(Reply, DnRecord, Key): # Generate a random seed seed = binascii.hexlify(open("/dev/urandom", "r").read(32)) - msg = GPGEncrypt("Your new TOTP seed is '%s'\n" % (seed,), "0x" + Key[1], Key[4]) + random_id = binascii.hexlify(open("/dev/urandom", "r").read(32)) + totp_file_name = "%d-%s" % (time.time(), random_id,) + + msg = GPGEncrypt("Please go to %s/fetch-totp-seed.cgi?id=%s\n to fetch your TOTP seed" % (WebUILocation, totp_file_name), "0x" + Key[1], Key[4]) if msg is None: raise UDFormatError("Unable to generate the encrypted reply, gpg failed.") @@ -696,6 +706,12 @@ def HandleChTOTPSeed(Reply, DnRecord, Key): Reply += TemplateSubst(Subst, open(TemplatesDir + "totp-seed-changed", "r").read()) lc = connect_to_ldap_and_check_if_locked(DnRecord) + # Save the seed so the user can pick it up. + f = open(os.path.join(TOTPTicketDirectory, totp_file_name), os.O_WRONLY | os.O_CREAT) + print >> f, seed + print >> f, GetAttr(DnRecord, "uid") + f.close() + # Modify the password Rec = [(ldap.MOD_REPLACE, "totpSeed", seed)] Dn = "uid=" + GetAttr(DnRecord, "uid") + "," + BaseDn