Commit Graph

22 Commits

Author SHA1 Message Date
Christian Heimes
15d5e44ee8 Py3: Replace six.moves imports
Replace six.moves and six.StringIO/BytesIO imports with cannonical
Python 3 packages.

Note: six.moves.input behaves differently than builtin input function.
Therefore I left six.moves.input for now.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-10-05 12:06:19 +02:00
Robbie Harwood
ab636682c4 Add cmocka unit tests for ipa otpd queue code
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-08-31 21:01:46 +02:00
Robbie Harwood
fe650087b0 Clear next field when returnining list elements in queue.c
The ipa-otpd code occasionally removes elements from one queue,
inspects and modifies them, and then inserts them into
another (possibly identical, possibly different) queue.  When the next
pointer isn't cleared, this can result in element membership in both
queues, leading to double frees, or even self-referential elements,
causing infinite loops at traversal time.

Rather than eliminating the pattern, make it safe by clearing the next
field any time an element enters or exits a queue.

Related https://pagure.io/freeipa/issue/7262

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-08-31 21:01:46 +02:00
Christian Heimes
9c86d35a3f Cleanup shebang and executable bit
- Add missing executable bits to all scripts
- Remove executable bits from all files that are not scripts,
  e.g. js, html, and Python libraries.
- Remove Python shebang from all Python library files.

It's frown upon to have executable library files in site-packages.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-07-05 19:46:42 +02:00
Robbie Harwood
a2e8d989a3 Fix elements not being removed in otpd_queue_pop_msgid()
If the element being removed were not the queue head,
otpd_queue_pop_msgid() would not actually remove the element, leading
to potential double frees and request replays.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-05-31 11:53:25 -04:00
Stanislav Laznicka
f31797c70a Have all the scripts run in python 3 by default
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-15 18:43:12 +01:00
Timo Aaltonen
076eb409a0
ipa-otpd.socket.in: Use a platform specific value for KDC service file
https://pagure.io/freeipa/issue/6845

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-04-12 16:17:51 +02:00
Nathaniel McCallum
d05d1115e4 Use RemoveOnStop to cleanup systemd sockets
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-02-17 15:19:07 +01:00
Christian Heimes
a8376a2447 Add main guards to a couple of Python scripts
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-24 16:35:43 +01:00
Petr Spacek
152ed75ff6 Build: add missing KRB5_LIBS to daemons/ipa-otpd
It was working accidentally because krb5 libs are part of OPENLDAP_LIBS.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-18 10:47:59 +02:00
Timo Aaltonen
6c09d6f878 Move ipa-otpd to $libexecdir/ipa
This is more consistent with the other daemons.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-13 20:55:14 +02:00
Nathaniel McCallum
0756ce7d53 Properly handle LDAP socket closures in ipa-otpd
In at least one case, when an LDAP socket closes, a read event is fired
rather than an error event. Without this patch, ipa-otpd silently
ignores this event and enters a state where all bind auths fail.

To remedy this problem, we pass error events along the same path as read
events. Should the actual read fail, we exit.

https://bugzilla.redhat.com/show_bug.cgi?id=1377858
https://fedorahosted.org/freeipa/ticket/6368

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-06 10:35:25 +02:00
Nathaniel McCallum
4bafba06f2 Migrate from #ifndef guards to #pragma once
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.

This patch does not change the autogenerated files: asn1/asn1c/*.h.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-05-29 14:04:45 +02:00
Nathaniel McCallum
168a6c7d47 Ensure that ipa-otpd bind auths validate an OTP
Before this patch, if the user was configured for either OTP or password
it was possible to do a 1FA authentication through ipa-otpd. Because this
correctly respected the configuration, it is not a security error.

However, once we begin to insert authentication indicators into the
Kerberos tickets, we cannot allow 1FA authentications through this
code path. Otherwise the ticket would contain a 2FA indicator when
only 1FA was actually performed.

To solve this problem, we have ipa-otpd send a critical control during
the bind operation which informs the LDAP server that it *MUST* validate
an OTP token for authentication to be successful. Next, we implement
support for this control in the ipa-pwd-extop plugin. The end result is
that the bind operation will always fail if the control is present and
no OTP is validated.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-26 18:47:05 +02:00
Nathaniel McCallum
563bddce6d Don't error when find_base() fails if a base is not required
We always have to call find_base() in order to force libldap to open
the socket. However, if no base is actually required then there is
no reason to error out if find_base() fails. This condition can arise
when anonymous binds are disabled.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-12 12:28:44 +01:00
Petr Viktorin
65e3b9edc6 Use six.Stringio instead of StringIO.StringIO
The StringIO class was moved to the io module.
(In Python 2, io.StringIO is available, but is Unicode-only.)

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-10-07 10:27:20 +02:00
Nathaniel McCallum
6c500ccf05 Move ipa-otpd socket directory
https://fedorahosted.org/freeipa/ticket/4167
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-11 17:36:19 +01:00
Xiao-Long Chen
5e96fbc22a Use /usr/bin/python2
Part of the effort to port FreeIPA to Arch Linux,
where Python 3 is the default.

FreeIPA hasn't been ported to Python 3, so the code must be modified to
run /usr/bin/python2

https://fedorahosted.org/freeipa/ticket/3438

Updated by pviktori@redhat.com
2014-01-03 09:46:05 +01:00
Jan Cholasta
5e2f7b68f0 Remove CFLAGS duplication.
https://fedorahosted.org/freeipa/ticket/3896
2013-12-06 14:44:41 +01:00
Jan Cholasta
75dadc1d8f Include LDFLAGS provided by rpmbuild in global LDFLAGS in the spec file.
Remove explicitly specified hardening flags from LDFLAGS in ipa-otpd.

https://fedorahosted.org/freeipa/ticket/3896
2013-12-06 14:44:40 +01:00
Jan Cholasta
652c4e6ace Use hardening flags for ipa-optd.
https://fedorahosted.org/freeipa/ticket/4010
2013-12-02 12:37:41 +01:00
Nathaniel McCallum
203754691c Add the krb5/FreeIPA RADIUS companion daemon
This daemon listens for RADIUS packets on a well known
UNIX domain socket. When a packet is received, it queries
LDAP to see if the user is configured for RADIUS authentication.
If so, then the packet is forwarded to the 3rd party RADIUS server.
Otherwise, a bind is attempted against the LDAP server.

https://fedorahosted.org/freeipa/ticket/3366
http://freeipa.org/page/V3/OTP
2013-05-17 09:30:51 +02:00