X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=blobdiff_plain;f=ud-mailgate;h=30af5831aed09c0b05ca80d9630449faf1a6407e;hp=cd6b5177c513ea2b9093ebc6eeea5b3df62f2eea;hb=HEAD;hpb=20ea7eaf0d2818ccbf38972f9f3d32fe3690120b diff --git a/ud-mailgate b/ud-mailgate index cd6b517..30af583 100755 --- a/ud-mailgate +++ b/ud-mailgate @@ -33,6 +33,8 @@ ChPassFrom = ConfModule.chpassfrom ChangeFrom = ConfModule.changefrom ReplayCacheFile = ConfModule.replaycachefile SSHFingerprintFile = ConfModule.fingerprintfile +TOTPTicketDirectory = ConfModule.totpticketdirectory +WebUILocation = ConfModule.webuilocation UUID_FORMAT = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' machine_regex = re.compile("^[0-9a-zA-Z.-]+$") @@ -369,6 +371,10 @@ def DoDNS(Str, Attrs, DnRecord): aaaarecord is None: return None + # Check for punycode. We ought to validate it before we allow it in our zone. + if Str.lower().startswith('xn--'): + return "Punycode not allowed: " + Str + # Check if the name is already taken G = re.match(r'^([-\w+]+)\s', Str) if G is None: @@ -684,7 +690,10 @@ def HandleChPass(Reply, DnRecord, Key): def HandleChTOTPSeed(Reply, DnRecord, Key): # Generate a random seed seed = binascii.hexlify(open("/dev/urandom", "r").read(32)) - msg = GPGEncrypt("Your new TOTP seed is '%s'\n" % (seed,), "0x" + Key[1], Key[4]) + random_id = binascii.hexlify(open("/dev/urandom", "r").read(32)) + totp_file_name = "%d-%s" % (time.time(), random_id,) + + msg = GPGEncrypt("Please go to %s/fetch-totp-seed.cgi?id=%s\n to fetch your TOTP seed" % (WebUILocation, totp_file_name), "0x" + Key[1], Key[4]) if msg is None: raise UDFormatError("Unable to generate the encrypted reply, gpg failed.") 
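Review bot: The new punycode guard in DoDNS only tests whether the whole line `Str` begins with `xn--`, so an A-label elsewhere on the line, for example in the target of a CNAME or MX record, is not rejected. If the intent of the comment ("before we allow it in our zone") is to keep all unvalidated punycode out, match on label boundaries instead: `if re.search(r'(^|[\s.])xn--', Str, re.IGNORECASE):`. DoDNS starts and ends outside this hunk, so earlier checks may already constrain the right-hand side; if they do, a short comment saying so would make the narrower test clearly deliberate.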
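Review bot: The ticket id built in HandleChTOTPSeed is a bearer credential for the plaintext seed, yet the reply puts it in a URL query string (`fetch-totp-seed.cgi?id=%s`), where it is commonly recorded in web server access logs and browser history. Whether fetch-totp-seed.cgi deletes the ticket on first fetch and expires stale ones is not visible in this commit; the timestamp prefix in `totp_file_name` suggests expiry is intended, and a comment stating the ticket lifetime would help the next reader. Separately, the new `random_id` line copies the unclosed text-mode `open("/dev/urandom", "r").read(32)` pattern; `random_id = binascii.hexlify(os.urandom(32))` avoids the leaked handle (`os` is already used by this commit in the next hunk). The message literal also breaks the line mid-sentence (`...id=%s\n to fetch your TOTP seed`) and has no trailing newline. The function body continues outside this hunk.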
@@ -697,6 +706,12 @@ def HandleChTOTPSeed(Reply, DnRecord, Key): Reply += TemplateSubst(Subst, open(TemplatesDir + "totp-seed-changed", "r").read()) lc = connect_to_ldap_and_check_if_locked(DnRecord) + # Save the seed so the user can pick it up. + f = open(os.path.join(TOTPTicketDirectory, totp_file_name), os.O_WRONLY | os.O_CREAT) + print >> f, seed + print >> f, GetAttr(DnRecord, "uid") + f.close() + # Modify the password Rec = [(ldap.MOD_REPLACE, "totpSeed", seed)] Dn = "uid=" + GetAttr(DnRecord, "uid") + "," + BaseDn
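Review bot: The ticket file is opened with the builtin `open()` but passed `os.O_WRONLY | os.O_CREAT` as its second argument; the builtin expects a mode string, so this call is expected to raise TypeError before the seed is written, and with a plain string mode the file would still be created with umask-dependent permissions. Because the file holds the TOTP seed in plaintext, it should be created through `os.open` with `O_EXCL` and an explicit owner-only mode, then wrapped and closed in a `finally`. If the CGI that serves the ticket runs under a different account, a dedicated group with `0o640` is preferable to relying on the umask. The write also precedes the LDAP modify that follows, so a failed modify would leave a ticket for a seed that was never stored; the rest of the function is outside this hunk.

```python
    lc = connect_to_ldap_and_check_if_locked(DnRecord)
    # Save the seed so the user can pick it up. Owner-only, and never
    # reuse an existing ticket file.
    ticket_path = os.path.join(TOTPTicketDirectory, totp_file_name)
    fd = os.open(ticket_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    f = os.fdopen(fd, "w")
    try:
        print >> f, seed
        print >> f, GetAttr(DnRecord, "uid")
    finally:
        f.close()
    # … unchanged: LDAP modify of totpSeed …
```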