[Freeipa-devel] [PATCH] 0005 Verify otptoken timespan is valid

Petr Viktorin pviktori at redhat.com
Tue Jul 29 15:10:16 UTC 2014 

On 07/29/2014 03:58 PM, Jan Cholasta wrote:
> Dne 29.7.2014 v 15:52 David Kupka napsal(a):
>> On 07/29/2014 03:28 PM, Jan Cholasta wrote:
>>> Dne 29.7.2014 v 14:11 David Kupka napsal(a):
>>>> On 07/29/2014 01:21 PM, Jan Cholasta wrote:
>>>>> Dne 24.7.2014 v 10:00 David Kupka napsal(a):
>>>>>>
>>>>>>
>>>>>> On 07/23/2014 05:07 PM, Jan Cholasta wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> On 23.7.2014 15:46, David Kupka wrote:
>>>>>>>> https://fedorahosted.org/freeipa/ticket/4244
>>>>>>>
>>>>>>> 1) Use "isinstance(X, Y)" instead of "type(X) is Y".
>>>>>>
>>>>>> Thanks for advice, will try to remember.
>>>>>>>
>>>>>>> 2) When is "type(not_before) is str" or "type(not_after) is str"
>>>>>>> true?
>>>>>>> The values coming from command options or LDAP should always be
>>>>>>> datetime, never str.
>>>>>>
>>>>>> Actually, it is never true. I don't  know why I thought that there is
>>>>>> such option.
>>>>>>>
>>>>>>> 3) There are some misindentations:
>>>>>>>
>>>>>>> +            raise ValidationError(name='not_after',
>>>>>>> +                                    error='is before not_before!')
>>>>>>>
>>>>>>> +                raise ValidationError(name='not_after',
>>>>>>> +                                    error='is before not_before!')
>>>>>>>
>>>>>>> +                raise ValidationError(name='not_before',
>>>>>>> +                                    error='is after not_after!')
>>>>>>>
>>>>>>> 4) We don't do exclamation marks in errors messages.
>>>>>>
>>>>>> You re right, it's probably better not to shout at customer :)
>>>>>>>
>>>>>>> 5) Generally, when you want to validate command options, you should
>>>>>>> look
>>>>>>> into "options", not "entry_attrs".
>>>>>>>
>>>>>>> 6) This is not right:
>>>>>>>
>>>>>>> +            result =
>>>>>>> self.api.Command.otptoken_find(ipatokenuniqueid=
>>>>>>> +                entry_attrs.get('ipatokenuniqueid',
>>>>>>> None))['result']
>>>>>>>
>>>>>>> This is:
>>>>>>>
>>>>>>> +            result =
>>>>>>> self.api.Command.otptoken_show(keys[-1])['result']
>>>>>>
>>>>>> Both works, but Martin explained me why is otptoken_show better and
>>>>>> how
>>>>>> it actually works.
>>>>>>>
>>>>>>> Honza
>>>>>>>
>>>>>>
>>>>>
>>>>> Few more nitpicks:
>>>>>
>>>>> 1) You can make _check_interval a little bit shorter by removing a
>>>>> redundant if statement:
>>>>>
>>>>> +def _check_interval(not_before, not_after):
>>>>> +    if not_before and not_after:
>>>>> +        return not_before <= not_after
>>>>> +    return True
>>>> Nice :)
>>>>>
>>>>> 2) Please keep the 2 line space between the last global function and
>>>>> first class in the module.
>>>> It's good to know that there is one less rule to discover.
>>>>>
>>>>> 3) Error messages are for users' eyes, please don't use internal
>>>>> identifiers in them.
>>>> Done.
>>>>>
>>>>> 4) You don't need to check if the result of otptoken_show is empty, it
>>>>> never is.
>>>>>
>>>> Removed. Although, needless check can't hurt.
>>>>
>>>
>>> One more thing, sorry I didn't notice it earlier: You must check if
>>> 'ipatokennotbefore' and 'ipatokennotafter' keys are in opttoken-show
>>> result before using them, otherwise you might end up with:
>>>
>>>      ipa: ERROR: non-public: KeyError: 'ipatokennotbefore'
>>>      Traceback (most recent call last):
>>>        File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py",
>>> line 348, in wsgi_execute
>>>          result = self.Command[name](*args, **options)
>>>        File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line
>>> 439, in __call__
>>>          ret = self.run(*args, **options)
>>>        File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line
>>> 754, in run
>>>          return self.execute(*args, **options)
>>>        File
>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line
>>> 1384, in execute
>>>          *keys, **options)
>>>        File
>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py", line 356,
>>> in pre_callback
>>>          notbefore = result['ipatokennotbefore'][0]
>>>      KeyError: 'ipatokennotbefore'
>>>
>> Sorry for sending fifth wersion of the patch. I must test my patches
>> more carefully.
>>
>
> No problem. I must review more carefully. ACK.
>

Pushed to:
master: 724391a71b018c94aca71b588a24983e228cf2a7
ipa-4-1: 724391a71b018c94aca71b588a24983e228cf2a7
ipa-4-0: 928c87f5c89916e7bb1a6e1e5def45302a2ea8ec

-- 
Petr³

More information about the Freeipa-devel mailing list