From e93c28f8c5412c6f84d725b9192ebe37e0e0ef3e Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Thu, 25 Aug 2016 11:53:39 +0200
Subject: [PATCH] otptoken, permission: Convert custom type parameters on
 server

Force client to send the value of ipatokenotpkey and ipapermlocation as
entered by user.

https://fedorahosted.org/freeipa/ticket/6247
---
 ipaserver/plugins/otptoken.py   | 2 ++
 ipaserver/plugins/permission.py | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py
index f695678..a1930c3 100644
--- a/ipaserver/plugins/otptoken.py
+++ b/ipaserver/plugins/otptoken.py
@@ -214,6 +214,8 @@ class otptoken(LDAPObject):
             doc=_('Token secret (Base32; default: random)'),
             default_from=lambda: os.urandom(KEY_LENGTH),
             autofill=True,
+            # force server-side conversion
+            normalizer=lambda x: x,
             flags=('no_display', 'no_update', 'no_search'),
         ),
         StrEnum('ipatokenotpalgorithm?',
diff --git a/ipaserver/plugins/permission.py b/ipaserver/plugins/permission.py
index 830773a..0c040ce 100644
--- a/ipaserver/plugins/permission.py
+++ b/ipaserver/plugins/permission.py
@@ -283,6 +283,8 @@ class permission(baseldap.LDAPObject):
             cli_name='subtree',
             label=_('Subtree'),
             doc=_('Subtree to apply permissions to'),
+            # force server-side conversion
+            normalizer=lambda x: x,
             flags={'ask_create'},
         ),
         Str(