[Freeipa-devel] [PATCH 0053] Implement OTP token importing

Jan Cholasta jcholast at redhat.com
Wed Jun 11 12:24:45 UTC 2014 

Hi,

On 13.5.2014 18:40, Nathaniel McCallum wrote:
> On Tue, 2014-05-13 at 12:38 -0400, Nathaniel McCallum wrote:
>> This patch adds support for importing tokens using RFC 6030 key
>> container files. This includes decryption support. For sysadmin sanity,
>> any tokens which fail to add will be written to the output file for
>> examination. The main use case here is where a small subset of a large
>> set of tokens fails to validate or add. Using the output file, the
>> sysadmin can attempt to recover these specific tokens.
>>
>> This code is implemented as a server-side script. However, it doesn't
>> actually need to run on the server. This was done because importing is
>> an odd fit for the IPA command framework:
>> 1. We need to write an output file.
>> 2. The operation may be long-running (thousands of tokens).
>> 3. Only admins need to perform this task and it only happens
>> infrequently.
>
> I forgot to put the link to the ticket in the commit message. Fixed.

1) I think you should initialize NSS in ipa_otptoken_import.py, not in 
the ipa-otptoken-import script.


2) The pep8 tool reports a lot of errors in ipa_otptoken_import.py.


3) Other error messages are in the form "message: %s", I think this one 
should use that form as well:

+        if encoding != 'DECIMAL':
+            raise ValidationError('Unsupported encoding (%s)!' % encoding)


4) This is not right:

+                except:
+                    self.log.warn("Error adding token: " + 
str(sys.exc_info()[1]))

I think it should be something like this instead:

     except ValidationError, e:
         self.log.warn("Error adding token: %s", e)


5) There is no man page for ipa-otptoken-import.


6) Output file is created even when ipa-otptoken-import fails with 
"Unable to connect to LDAP! Did you kinit?" and other initialization 
errors, which makes subsequent ipa-otptoken-import fail with "Output 
file already exists!".


7) When a key is specified by reference in Key/KeyReference instead of 
directly in Key/Data/Secret like in 
<http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure4.xml>, 
import fails with "Key not found in token!". I would expect a different 
error message.


8) Importing 
<http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure5.xml> 
produces this output:

/usr/lib/python2.7/site-packages/ipaserver/install/ipa_otptoken_import.py:307: 
FutureWarning: The behavior of this method will change in future 
versions. Use specific 'len(elem)' or 'elem is not None' test instead.
   if data.get('pinpolicy', None):
Error adding token: 'NoneType' object has no attribute 'strip'


9) Using an arbitrary file in -k produces this output:

(SEC_ERROR_INVALID_KEY) The key does not support the requested operation.
Traceback (most recent call last):
   File "/usr/sbin/ipa-otptoken-import", line 29, in <module>
     nss.nss_shutdown()
nss.error.NSPRError: (SEC_ERROR_BUSY) NSS could not shutdown. Objects 
are still in use.


10) Importing 
<http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure7.xml> 
and 
<http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-figure8.xml> 
produces this output:

Error adding token: object of type 'NoneType' has no len()


11) Importing 
<http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-all.xml> 
or 
<http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-all-signed.xml> 
produces this output:

/usr/lib/python2.7/site-packages/ipaserver/install/ipa_otptoken_import.py:304: 
FutureWarning: The behavior of this method will change in future 
versions. Use specific 'len(elem)' or 'elem is not None' test instead.
   if data.get('maxtransact', None):
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_otptoken_import.py:307: 
FutureWarning: The behavior of this method will change in future 
versions. Use specific 'len(elem)' or 'elem is not None' test instead.
   if data.get('pinpolicy', None):


12) Importing 
<http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pskctool/tests/pskc-invalid.xml> 
succeeds, but it should fail.


13) Importing 
<http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/libpskc/examples/pskc-mini.xml> 
fails, but it should succeed, I think.


Honza

-- 
Jan Cholasta

More information about the Freeipa-devel mailing list