[Freeipa-devel] [PATCH 0053] Implement OTP token importing

Nathaniel McCallum npmccallum at redhat.com
Wed Jun 11 21:41:49 UTC 2014 

On Wed, 2014-06-11 at 14:24 +0200, Jan Cholasta wrote:
> Hi,
> 
> On 13.5.2014 18:40, Nathaniel McCallum wrote:
> > On Tue, 2014-05-13 at 12:38 -0400, Nathaniel McCallum wrote:
> >> This patch adds support for importing tokens using RFC 6030 key
> >> container files. This includes decryption support. For sysadmin sanity,
> >> any tokens which fail to add will be written to the output file for
> >> examination. The main use case here is where a small subset of a large
> >> set of tokens fails to validate or add. Using the output file, the
> >> sysadmin can attempt to recover these specific tokens.
> >>
> >> This code is implemented as a server-side script. However, it doesn't
> >> actually need to run on the server. This was done because importing is
> >> an odd fit for the IPA command framework:
> >> 1. We need to write an output file.
> >> 2. The operation may be long-running (thousands of tokens).
> >> 3. Only admins need to perform this task and it only happens
> >> infrequently.
> >
> > I forgot to put the link to the ticket in the commit message. Fixed.
> 
> 1) I think you should initialize NSS in ipa_otptoken_import.py, not in 
> the ipa-otptoken-import script.

Fixed.

> 2) The pep8 tool reports a lot of errors in ipa_otptoken_import.py.

Fixed (mostly). The remaining output from pep8 is, I think, entirely
justifiable.

> 3) Other error messages are in the form "message: %s", I think this one 
> should use that form as well:
> 
> +        if encoding != 'DECIMAL':
> +            raise ValidationError('Unsupported encoding (%s)!' % encoding)

Fixed.

> 4) This is not right:
> 
> +                except:
> +                    self.log.warn("Error adding token: " + 
> str(sys.exc_info()[1]))
> 
> I think it should be something like this instead:
> 
>      except ValidationError, e:
>          self.log.warn("Error adding token: %s", e)

Fixed.

> 5) There is no man page for ipa-otptoken-import.

TODO (tomorrow).

> 6) Output file is created even when ipa-otptoken-import fails with 
> "Unable to connect to LDAP! Did you kinit?" and other initialization 
> errors, which makes subsequent ipa-otptoken-import fail with "Output 
> file already exists!".

Fixed.

> 7) When a key is specified by reference in Key/KeyReference instead of 
> directly in Key/Data/Secret like in 
> <http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure4.xml>, 
> import fails with "Key not found in token!". I would expect a different 
> error message.

This error is now: Referenced keys are not supported!

> 8) Importing 
> <http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure5.xml> 
> produces this output:
> 
> /usr/lib/python2.7/site-packages/ipaserver/install/ipa_otptoken_import.py:307: 
> FutureWarning: The behavior of this method will change in future 
> versions. Use specific 'len(elem)' or 'elem is not None' test instead.
>    if data.get('pinpolicy', None):
> Error adding token: 'NoneType' object has no attribute 'strip'

This now states:
Error adding token: PINPolicy policy not supported!
Error adding token: Unsupported token type!

> 9) Using an arbitrary file in -k produces this output:
> 
> (SEC_ERROR_INVALID_KEY) The key does not support the requested operation.
> Traceback (most recent call last):
>    File "/usr/sbin/ipa-otptoken-import", line 29, in <module>
>      nss.nss_shutdown()
> nss.error.NSPRError: (SEC_ERROR_BUSY) NSS could not shutdown. Objects 
> are still in use.

What do you mean by "arbitrary file"? A file that is not the key?
Like /dev/null? I'm not able to reproduce this.

> 10) Importing 
> <http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure7.xml> 
> and 
> <http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure8.xml> 
> produces this output:
> 
> Error adding token: object of type 'NoneType' has no len()

Import fails with:
Derived keys are not currently supported!
 or
X.509 keys are not currently supported!

It would be nice to support these in the future.

> 11) Importing 
> <http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-all.xml> 
> or 
> <http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-all-signed.xml> 
> produces this output:
> 
> /usr/lib/python2.7/site-packages/ipaserver/install/ipa_otptoken_import.py:304: 
> FutureWarning: The behavior of this method will change in future 
> versions. Use specific 'len(elem)' or 'elem is not None' test instead.
>    if data.get('maxtransact', None):
> /usr/lib/python2.7/site-packages/ipaserver/install/ipa_otptoken_import.py:307: 
> FutureWarning: The behavior of this method will change in future 
> versions. Use specific 'len(elem)' or 'elem is not None' test instead.
>    if data.get('pinpolicy', None):

Both of these now output:
Error adding token: NumberOfTransactions policy not supported!

> 12) Importing 
> <http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-invalid.xml> 
> succeeds, but it should fail.

This now errors with:
PSKC file is invalid!

> 13) Importing 
> <http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/libpskc/examples/pskc-mini.xml> 
> fails, but it should succeed, I think.

I think this should fail in our case since we can't possibly support
that configuration.

Nathaniel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-npmccallum-0053.1-Implement-OTP-token-importing.patch
Type: text/x-patch
Size: 21605 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140611/fb81a17c/attachment.bin>

More information about the Freeipa-devel mailing list