[Freeipa-devel] [PATCH] 531-541 OTP UI

Petr Vobornik pvoborni at redhat.com
Fri Mar 7 17:10:13 UTC 2014


On 27.2.2014 17:29, Petr Vobornik wrote:
> On 27.2.2014 16:51, Nathaniel McCallum wrote:
>> On Thu, 2014-02-27 at 13:35 +0100, Petr Vobornik wrote:
>>> On 21.2.2014 15:24, Petr Vobornik wrote:
>>>> On 10.2.2014 14:12, Petr Vobornik wrote:
>>>>> On 13.1.2014 17:09, Petr Vobornik wrote:
>>>>>> Hi,
>>>>>>
>>>>>> these patches implement the OTP Web UI.
>>>>>>
>>>>>> The last 5 patches are the OTP UI.
>>>>>>
>>>>>> The first 6 patches are a little refactoring/bug fixes needed for them.
>>>>>> General password dialog is introduced to avoid another
>>>>>> implementation.
>>>>>>
>>>>>> Self-service UI is implemented to be very simple. Atm user can choose
>>>>>> only token name. Admin interface allows to enter all values.
>>>>>>
>>>>>> It's based on the RCUE work -> we need to push RCUE first. Thanks
>>>>>> Nathaniel for review of the last font package. It will speed
>>>>>> things up.
>>>>>>
>>>>>> Known bugs:
>>>>>> - there is a clash in ids of checkboxes preventing editing of
>>>>>> subsequently displayed ones with the same name. Will be fixed in
>>>>>> a separate patch.
>>>>>> - bugs caused by bugs in API (adding/removal of own tokens in
>>>>>> self-service, inability to enter key on token creation -
>>>>>> https://fedorahosted.org/freeipa/ticket/4099)
>>>>>> - datetime format (widget+validator) will be implemented in separate
>>>>>> patch
>>>>>> - no support of not reviewed CLI patches (HOTP..)
>>>>>>
>>>>>> Cgit:
>>>>>> http://fedorapeople.org/cgit/pvoborni/public_git/freeipa.git/log/?h=otp
>>>>>>
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/3369
>>>>>>
>>>>>
>>>>> patch 540-1 has been updated
>>>>> - QR code is centered
>>>>> - QR code correction level was lowered from H to M
>>>>>
>>>>> All other current patches from sub-threads are attached as well (it
>>>>> was getting hard to keep track of them).
>>>>>
>>>>
>>>> Attaching new version of patch 537: 537-4
>>>>
>>>> It:
>>>> * adds HOTP support - new switch in adder dialog and
>>>>   ipatokenhotpcounter field in details facet
>>>> * removes 'default' radio button in adder dialog in
>>>>   ipatokenotpalgorithm and ipatokenotpdigits field
>>>>
>>>>
>>>> Btw I've encountered an issue on Web UI login when:
>>>> - user is created
>>>> - token is created for him
>>>> - admin resets user's password and changes auth type to 'otp'
>>>> - user tries to log in with psw+otp
>>>>
>>>> The initial login-password call is successful but subsequent change
>>>> password fails - it uses the old psw+otp.
>>>>
>>>> I'll address this issue in https://fedorahosted.org/freeipa/ticket/3903
>>>> which is almost implemented.
>>>>
>>>>
>>>> I also plan to hide fields without any value in otp token details page
>>>> in self-service mode. This will be done after #3903 because some
>>>> prerequisites for #3903 add useful code for that task.
>>>>
>>>
>>> New version of 537 attached: 537-5
>>>
>>> It removes token type switch from selfservice page. Therefore default
>>> token type (totp) will be always created.
>>>
>>> Originated from:
>>> http://www.redhat.com/archives/freeipa-devel/2014-February/msg00532.html
>>
>> I'm not sure I understand the rationale for this (after having read the
>> other email thread). But I agree we should discuss which options should
>> be available on the self-service page.
>>
>> Just to recap the situation:
>> 1. Only token name / description are provided in the self-service UI
>> 2. All options are provided on the CLI
>>
>> I think the main question is: who should get to choose the primary token
>> type in FreeIPA? There are three possibilities:
>> 1. FreeIPA developers
>> 2. Admins
>> 3. Users
>>
>> The case for #1 is that we can't guarantee timely replication of the
>> counter attribute. On this basis, we choose TOTP as default because of
>> structural limitations. This is currently the default.
>>
>> I don't see much use for #3. But I can see an argument for #2.
>>
>> Personally, I lean toward #1. Thoughts?
>>
>> Nathaniel
>>
>
> Sorry, there is no real reason to not have HOTP there, and therefore
> 537-5 is wrong and 537-4 is OK.
>
> Rationale of the mistake:
> * self-service page has to be simple so it doesn't allow to add hw tokens
> * My thoughts were fixed to the idea that HOTP has to be hw token -
> maybe the H confused me.


Attaching new version of 537 which adds combobox control for owner 
attribute instead of textbox.

All other patches are attached as well to reduce confusion in case of 
ACK :).
-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0531-2-Added-empty-value-meaning-to-boolean-formatter.patch
Type: text/x-patch
Size: 2787 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/6ce3729e/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0532-1-Declarative-replacement-of-array-item-in-specificati.patch
Type: text/x-patch
Size: 3642 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/6ce3729e/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0533-1-Fixed-doc-examples-in-Spec_mod.patch
Type: text/x-patch
Size: 1316 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/6ce3729e/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0534-1-Password-Dialog.patch
Type: text/x-patch
Size: 11249 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/6ce3729e/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0535-1-Use-general-password-dialog-for-host-OTP.patch
Type: text/x-patch
Size: 6306 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/6ce3729e/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0536-1-Fix-handling-of-action-visibility-change-in-action-p.patch
Type: text/x-patch
Size: 1532 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/6ce3729e/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0537-6-UI-for-OTP-tokens.patch
Type: text/x-patch
Size: 16490 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/6ce3729e/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0538-1-UI-for-radius-proxy.patch
Type: text/x-patch
Size: 7703 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/6ce3729e/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0539-1-UI-for-managing-user-auth-types.patch
Type: text/x-patch
Size: 2008 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/6ce3729e/attachment-0008.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0540-2-Added-QRcode-generation-to-Web-UI.patch
Type: text/x-patch
Size: 33181 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/6ce3729e/attachment-0009.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0541-2-Support-OTP-in-form-based-auth.patch
Type: text/x-patch
Size: 3617 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/6ce3729e/attachment-0010.bin>

