Univention Bugzilla – Attachment 5136 Details for
Bug 30722
Broken handling of Umlauts in SSL certificates
[patch]
13 cleanups and fixes
30722_umlaut-cert.diff (text/plain), 70.47 KB, created by
Philipp Hahn
on 2013-03-18 09:38:55 CET
Description:
13 cleanups and fixes
Creator:
Philipp Hahn
Created:
2013-03-18 09:38:55 CET
Size:
70.47 KB
>From ffcd4f70e2561dfd67d6788f2351f1ba56025d8e Mon Sep 17 00:00:00 2001
>Message-Id: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de>
>From: Philipp Hahn <hahn@univention.de>
>Date: Fri, 15 Mar 2013 18:50:51 +0100
>Subject: [PATCH 01/13] Bug #25279: Change pwExpiry unset
>Organization: Univention GmbH, Bremen, Germany
>
>Catch TypeError for single-valued attributes.
>
>Explicitly test for None value when pwExpiry is unset.
>---
> .../modules/univention/admin/syntax.py | 6 +++---
> .../umc/python/udm/__init__.py | 19 +++++++++++++++----
> 2 files changed, 18 insertions(+), 7 deletions(-)
>
>diff --git a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/syntax.py b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/syntax.py
>index a75e860..05f1732 100644
>--- a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/syntax.py
>+++ b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/syntax.py
>@@ -1036,11 +1036,11 @@ class date(simple):
>
> @classmethod
> def parse(self, text):
>- if self._re_iso.match(text) != None:
>+ if text and self._re_iso.match(text):
> year, month, day = map(lambda(x): int(x), text.split('-'))
> if 1960 < year < 2100 and 1 <= month <= 12 and 1 <= day <= 31:
>- return '%02d.%02d.%s' % ( day, month, str( year )[ 2 : ] )
>- if self._re_de.match(text) != None:
>+ return '%02d.%02d.%02d' % (day, month, year % 100)
>+ if text and self._re_de.match(text):
> day, month, year = map(lambda(x): int(x), text.split('.'))
> if 0 <= year <= 99 and 1 <= month <= 12 and 1 <= day <= 31:
> return text
>diff --git a/branches/ucs-3.1/ucs/management/univention-management-console-module-udm/umc/python/udm/__init__.py b/branches/ucs-3.1/ucs/management/univention-management-console-module-udm/umc/python/udm/__init__.py
>index 4a7579c..bd2a588 100644
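Review bot: In `date.parse` the ISO branch accepts years 1961–2099 but the new `'%02d.%02d.%02d' % (day, month, year % 100)` keeps only two digits, so 1999-12-31 and 2099-12-31 produce the same stored value. Context lines later in this series show code that appears to read such a value two different ways, `time.strptime(self['userexpiry'],"%d.%m.%y")` and the literal `"20"+self['userexpiry'][6:8]` for krb5ValidEnd, so one expiry input could end up as different dates per backend. Because this value seems to drive account and password expiry, either narrow the accepted range to the years every consumer agrees on or document the limit at the return, e.g. `# NOTE: century is dropped here; callers assume 20yy`. The range test also accepts day 31 for every month, which a later strptime() call would reject with ValueError; parse() may continue outside the hunk.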
>--- a/branches/ucs-3.1/ucs/management/univention-management-console-module-udm/umc/python/udm/__init__.py
>+++ b/branches/ucs-3.1/ucs/management/univention-management-console-module-udm/umc/python/udm/__init__.py
>@@ -799,14 +799,25 @@ class Instance( Base ):
> except ( udm_errors.valueInvalidSyntax, udm_errors.valueError, TypeError ), e:
> subResults.append( False )
> subDetails.append( str(e) )
>- result.append( { 'property' : property_name, 'valid' : subResults, 'details' : subDetails } )
>+ result.append({
>+ 'property': property_name,
>+ 'valid': subResults,
>+ 'details': subDetails
>+ })
> # otherwise we have a single value
> else:
> try:
> property_obj.syntax.parse( value )
>- result.append( { 'property' : property_name, 'valid' : True } )
>- except ( udm_errors.valueInvalidSyntax, udm_errors.valueError ), e:
>- result.append( { 'property' : property_name, 'valid' : False, 'details' : str( e ) } )
>+ result.append({
>+ 'property': property_name,
>+ 'valid': True
>+ })
>+ except (udm_errors.valueInvalidSyntax, udm_errors.valueError, TypeError), ex:
>+ result.append({
>+ 'property': property_name,
>+ 'valid': False,
>+ 'details' : str(ex)
>+ })
>
> return result
>
>--
>1.7.10.4
>
>
>From 72e804a51c7c7c2fb985569de9cef238a70f73c3 Mon Sep 17 00:00:00 2001
>Message-Id: <72e804a51c7c7c2fb985569de9cef238a70f73c3.1363595740.git.hahn@univention.de>
>In-Reply-To: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de>
>References: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de>
>From: Philipp Hahn <hahn@univention.de>
>Date: Fri, 15 Mar 2013 19:28:31 +0100
>Subject: [PATCH 02/13] Bug #25279: Fix regression test
>Organization: Univention GmbH, Bremen, Germany
>
>Convert LDAP_Search exmaples to non-testmod cases.
>
>Break long lines for DNS SRV name records.
>
>Fix RegExp for uid().
>---
> .../modules/univention/admin/syntax.py | 14 +++++++++-----
> 1 file changed, 9 insertions(+), 5 deletions(-)
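Review bot: In the single-value branch of the udm/__init__.py hunk, the new `except (..., TypeError), ex:` returns `str(ex)` as `details`, so for a TypeError the client is shown the interpreter's own message rather than a syntax error written for users, and a genuine programming error inside a syntax class is reported as an ordinary validation failure. Consider giving TypeError its own clause that logs the exception and returns a fixed message, with a comment such as `# TypeError: parse() was handed None for an unset single-valued property (Bug #25279)`. If the exception message can be a unicode object containing non-ASCII characters, `str(ex)` would itself raise UnicodeEncodeError under Python 2; that is not visible here and should be checked. The multi-value branch just above has the same pattern in `subDetails.append( str(e) )`, and the enclosing method starts outside the hunk.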
>
>diff --git a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/syntax.py b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/syntax.py
>index 05f1732..df16140 100644
>--- a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/syntax.py
>+++ b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/syntax.py
>@@ -702,7 +702,7 @@ class uid(simple):
> """
> min_length=1
> max_length=16
>- regex = re.compile('(?u)(^[a-zA-Z0-9])[a-zA-Z0-9._-]*([a-zA-Z0-9]$)')
>+ regex = re.compile('^(?!admin$)[a-zA-Z0-9][a-zA-Z0-9._-]*[a-zA-Z0-9]$', re.UNICODE)
> error_message = _("Value must not contain anything other than digits, letters, dots, dash or underscore, must be at least 2 characters long, must start and end with a digit or letter, and must not be admin!")
>
> class uid_umlauts(simple):
>@@ -1111,7 +1111,11 @@ class dnsSRVName(complex):
> """
> min_elements = 2
> all_required = False
>- subsyntaxes = ( ( _( 'Service' ), TwoThirdsString ), ( _( 'Protocol' ), ipProtocolSRV ), ( _( 'Extension' ), string ) )
>+ subsyntaxes = (
>+ (_('Service'), TwoThirdsString),
>+ (_('Protocol'), ipProtocolSRV),
>+ (_('Extension'), string)
>+ )
>
> class postalAddress( complex ):
> delimiter = ', '
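Review bot: In class `uid` the new pattern still ends in `$`, which in Python also matches just before a trailing newline, so a user name followed by a line feed passes validation unless the caller strips input first (not visible in this hunk). Anchoring with `\Z` closes that: `regex = re.compile(r'^(?!admin\Z)[a-zA-Z0-9][a-zA-Z0-9._-]*[a-zA-Z0-9]\Z')`. The `admin` exclusion is case-sensitive, so `Admin` is accepted; if the name is meant to be reserved and the directory compares uid values case-insensitively, the check should be made case-insensitive as well. `re.UNICODE` has no effect on a pattern built only from explicit ASCII classes and can be dropped; the class body starts outside the hunk.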
>@@ -2448,11 +2452,11 @@ class LDAP_Search( select ): > Searches can be either defined dynamically via a UDM settings/syntax > definition and using > >- >>> LDAP_Search( syntax_name = '<NAME>' ) >+ > LDAP_Search( syntax_name = '<NAME>' ) > >- or programmatically by directly instantiating >+ or programmatically by directly instantiating > >- >>> LDAP_Search( filter = '<LDAP-Search-Filter>', attribute = [ '<LDAP attributes>', ... ], value = '<LDAP attribute>', base = '<LDAP base>' ) >+ > LDAP_Search(filter='<LDAP-Search-Filter>', attribute=['<LDAP attributes>', ...], value='<LDAP attribute>', base='<LDAP base>') > """ > FILTER_PATTERN = '(&(objectClass=univentionSyntax)(cn=%s))' > >-- >1.7.10.4 > > >From 28249c1a3becde030da1f3f89f0a01afca960810 Mon Sep 17 00:00:00 2001 >Message-Id: <28249c1a3becde030da1f3f89f0a01afca960810.1363595740.git.hahn@univention.de> >In-Reply-To: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> >References: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Fri, 15 Mar 2013 19:37:53 +0100 >Subject: [PATCH 03/13] Bug #25279: remove obsolete function >Organization: Univention GmbH, Bremen, Germany > >shift() ist unused. >--- > .../modules/univention/admin/handlers/users/user.py | 9 --------- > 1 file changed, 9 deletions(-) > >diff --git a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >index d555da9..c3140f8 100644 >--- a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >+++ b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py 
>@@ -1087,15 +1087,6 @@ def GMTOffset():
> # returns the difference in hours between local time and GMT (is -1 for CET and CEST)
> return time.timezone/3600
>
>-def shift(string, offset):
>- # shifts the string #offset chars to the left
>- if offset<0:
>- for i in range(0, abs(offset)):
>- string=string[-1:]+string[:-1]
>- else:
>- for i in range(0, offset):
>- string=string[1:]+string[:1]
>- return string
>
> def load_certificate(user_certificate):
> """Import a certificate in DER format"""
>--
>1.7.10.4
>
>
>From b8b97f3a0f3f3c4a703f6ae4f4e342fa59ee1591 Mon Sep 17 00:00:00 2001
>Message-Id: <b8b97f3a0f3f3c4a703f6ae4f4e342fa59ee1591.1363595740.git.hahn@univention.de>
>In-Reply-To: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de>
>References: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de>
>From: Philipp Hahn <hahn@univention.de>
>Date: Fri, 15 Mar 2013 19:48:34 +0100
>Subject: [PATCH 04/13] Bug #25279: Shorten univention.debug
>Organization: Univention GmbH, Bremen, Germany
>
>Use ud. instead of univention.debug.
>---
> .../univention/admin/handlers/users/user.py | 92 ++++++++++----------
> 1 file changed, 46 insertions(+), 46 deletions(-)
>
>diff --git a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
>index c3140f8..4868e85 100644
>--- a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
>+++ b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
>@@ -57,7 +57,7 @@ import univention.admin.uldap
> import univention.admin.mungeddial as mungeddial
> import univention.admin.handlers.settings.prohibited_username
>
>-import univention.debug
>+import univention.debug as ud
> import univention.password
>
> translation=univention.admin.localization.translation('univention.admin.handlers.users')
>@@ -1003,11 +1003,11 @@ def posixDaysToDate(days):
> return time.strftime("%Y-%m-%d",time.gmtime(long(days)*3600*24))
>
> def sambaWorkstationsMap(workstations):
>- univention.debug.debug(univention.debug.ADMIN, univention.debug.ALL, 'samba: sambaWorkstationMap: in=%s; out=%s' % (workstations,string.join(workstations, ',')))
>+ ud.debug(ud.ADMIN, ud.ALL, 'samba: sambaWorkstationMap: in=%s; out=%s' % (workstations,string.join(workstations, ',')))
> return string.join(workstations, ',')
>
> def sambaWorkstationsUnmap(workstations):
>- univention.debug.debug(univention.debug.ADMIN, univention.debug.ALL, 'samba: sambaWorkstationUnmap: in=%s; out=%s' % (workstations[0],string.split(workstations[0],',')))
>+ ud.debug(ud.ADMIN, ud.ALL, 'samba: sambaWorkstationUnmap: in=%s; out=%s' % (workstations[0],string.split(workstations[0],',')))
> return string.split(workstations[0],',')
>
> def logonHoursMap(logontimes):
>@@ -1173,7 +1173,7 @@ def load_certificate(user_certificate):
> elif re.match('^emailAddress=', i):
> value['certificateSubjectMail']=string.split(i, '=')[1]
>
>- univention.debug.debug(univention.debug.ADMIN, univention.debug.ERROR, 'value=%s' % value)
>+ ud.debug(ud.ADMIN, ud.ERROR, 'value=%s' % value)
> return value
>
> def mapHomePostalAddress(old):
>@@ -1244,7 +1244,7 @@ def unmapBase64( value ):
> try:
> return base64.encodestring( value[ 0 ] )
> except Exception, e:
>- univention.debug.debug(univention.debug.ADMIN, univention.debug.ERROR, 'ERROR in users.user.mapBase64(): %s' % e)
>+ ud.debug(ud.ADMIN, ud.ERROR, 'ERROR in users.user.mapBase64(): %s' % e)
> return ""
>
> def mapBase64( value ):
>@@ -1254,7 +1254,7 @@ def mapBase64( value ):
> try:
> return base64.decodestring( value )
> except Exception, e:
>- univention.debug.debug(univention.debug.ADMIN, univention.debug.ERROR, 'ERROR in users.user.mapBase64(): %s' % e)
>+ ud.debug(ud.ADMIN, ud.ERROR, 'ERROR in users.user.mapBase64(): %s' % e)
> return ""
>
> mapping.register('userCertificate', 'userCertificate;binary', mapBase64, unmapBase64 )
>@@ -1360,7 +1360,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ):
> if options[opt].matches(ocs):
> self.options.append(opt)
> else:
>- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'users/user.py: reset options to default by _define_options' )
>+ ud.debug(ud.ADMIN, ud.INFO, 'users/user.py: reset options to default by _define_options' )
> self._define_options( options )
>
> if 'posix' in self.options:
>@@ -1370,25 +1370,25 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > # shadowExpire contains the absolute date to expire the account. > > if 'shadowExpire' in self.oldattr and len(self.oldattr['shadowExpire']) > 0 : >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'userexpiry: %s' % posixDaysToDate(self.oldattr['shadowExpire'][0])) >+ ud.debug(ud.ADMIN, ud.INFO, 'userexpiry: %s' % posixDaysToDate(self.oldattr['shadowExpire'][0])) > if self.oldattr['shadowExpire'][0] != '1': > self.info['userexpiry'] = posixDaysToDate(self.oldattr['shadowExpire'][0]) > if 'shadowLastChange' in self.oldattr and 'shadowMax' in self.oldattr and len(self.oldattr['shadowLastChange']) > 0 and len(self.oldattr['shadowMax']) > 0: > try: > self.info['passwordexpiry'] = posixDaysToDate(int(self.oldattr['shadowLastChange'][0]) + int(self.oldattr['shadowMax'][0])) > except: >- univention.debug.debug(univention.debug.ADMIN, univention.debug.WARN, 'users/user: failed to calculate password expiration correctly, use only shadowMax instead') >+ ud.debug(ud.ADMIN, ud.WARN, 'users/user: failed to calculate password expiration correctly, use only shadowMax instead') > self.info['passwordexpiry'] = posixDaysToDate(int(self.oldattr['shadowMax'][0])) > > if 'kerberos' in self.options: > if self.oldattr.has_key('krb5ValidEnd'): > krb5validend=self.oldattr['krb5ValidEnd'][0] >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'krb5validend is: %s' % >+ ud.debug(ud.ADMIN, ud.INFO, 'krb5validend is: %s' % > krb5validend) > self.info['userexpiry']="%s-%s-%s"%(krb5validend[0:4],krb5validend[4:6],krb5validend[6:8]) > elif 'samba' in self.options: > if self.oldattr.has_key('sambaKickoffTime'): >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'sambaKickoffTime is: %s' % >+ ud.debug(ud.ADMIN, ud.INFO, 'sambaKickoffTime is: %s' % > self.oldattr['sambaKickoffTime'][0]) > 
self.info['userexpiry']=time.strftime("%Y-%m-%d",time.gmtime(long(self.oldattr['sambaKickoffTime'][0])+(3600*24))) > >@@ -1404,8 +1404,8 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > # FIXME: we should NEVER catch all exceptions > except Exception, e: > # at least write some debuging output.. >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'Caught exception: %s' % e ) >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'Continuing without dn..') >+ ud.debug(ud.ADMIN, ud.INFO, 'Caught exception: %s' % e ) >+ ud.debug(ud.ADMIN, ud.INFO, 'Continuing without dn..') > self.dn=None > return > >@@ -1418,8 +1418,8 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > self['lastname']=sn > except Exception, e: # FIXME: we should NEVER catch all exceptions > # at least write some debuging output.. >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'Caught exception: %s' % e ) >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'Continuing without dn..') >+ ud.debug(ud.ADMIN, ud.INFO, 'Caught exception: %s' % e ) >+ ud.debug(ud.ADMIN, ud.INFO, 'Continuing without dn..') > self.dn=None > return 
> >@@ -1461,7 +1461,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > self['groups']=self.lo.searchDn(filter='(&(cn=*)(|(objectClass=univentionGroup)(objectClass=sambaGroupMapping))(uniqueMember=%s))' % univention.admin.filter.escapeForLdapFilter(self.dn)) > else: > self.groupsLoaded=0 >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'user: open with loadGroups=false for user %s'%self['username']) >+ ud.debug(ud.ADMIN, ud.INFO, 'user: open with loadGroups=false for user %s'%self['username']) > primaryGroupNumber=self.oldattr.get('gidNumber',[''])[0] > if primaryGroupNumber: > primaryGroupResult=self.lo.searchDn('(&(cn=*)(|(objectClass=posixGroup)(objectClass=sambaGroupMapping))(gidNumber='+primaryGroupNumber+'))') >@@ -1477,7 +1477,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > except: > primaryGroup = None > >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'user: could not find primaryGroup, setting primaryGroup to %s' % primaryGroup) >+ ud.debug(ud.ADMIN, ud.INFO, 'user: could not find primaryGroup, setting primaryGroup to %s' % primaryGroup) > > self['primaryGroup']=primaryGroup > self.newPrimaryGroupDn=primaryGroup 
>@@ -1689,26 +1689,26 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > > # change memberUid if we have a new username > if not old_uid == new_uid and self.exists(): >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'users/user: rewrite memberuid after rename') >+ ud.debug(ud.ADMIN, ud.INFO, 'users/user: rewrite memberuid after rename') > for group in new_groups: > self.__rewrite_member_uid( group ) > > group_mod = univention.admin.modules.get('groups/group') > >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'users/user: check groups in old_groups') >+ ud.debug(ud.ADMIN, ud.INFO, 'users/user: check groups in old_groups') > for group in old_groups: > if group and not case_insensitive_in_list(group, self.info.get('groups', [])) and group.lower() != self['primaryGroup'].lower(): > grpobj = group_mod.object(None, self.lo, self.position, group) > grpobj.fast_member_remove( [ self.dn ], [ old_uid ] ) > >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'users/user: check groups in info[groups]') >+ ud.debug(ud.ADMIN, ud.INFO, 'users/user: check groups in info[groups]') > for group in self.info.get('groups', []): > if group and not case_insensitive_in_list(group, old_groups): > grpobj = group_mod.object(None, self.lo, self.position, group) > grpobj.fast_member_add( [ self.dn ], [ new_uid ] ) > > if univention.admin.baseConfig.is_true("directory/manager/user/primarygroup/update", True): >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'users/user: check primaryGroup') >+ ud.debug(ud.ADMIN, ud.INFO, 'users/user: check primaryGroup') > if not self.exists() and self.info.get('primaryGroup'): > grpobj = group_mod.object(None, self.lo, self.position, self.info.get('primaryGroup')) > grpobj.fast_member_add( [ self.dn ], [ new_uid ] ) 
>@@ -1727,7 +1727,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > if UIDs: > new_uids.append(UIDs[0]) > if len(UIDs) > 1: >- univention.debug.debug(univention.debug.ADMIN, univention.debug.WARN, 'users/user: A groupmember has multiple UIDs (%s %s)' % (memberDNstr, repr(uid_list))) >+ ud.debug(ud.ADMIN, ud.WARN, 'users/user: A groupmember has multiple UIDs (%s %s)' % (memberDNstr, repr(uid_list))) > self.lo.modify(group, [ ( 'memberUid', uids, new_uids ) ] ) > > def __primary_group(self): 
>@@ -1751,19 +1751,19 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > searchResult=self.lo.search(base=self.oldinfo['primaryGroup'], attr=['gidNumber']) > for tmp,number in searchResult: > oldPrimaryGroup = number['gidNumber'] >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'users/user: set gidNumber by oldinfo') >+ ud.debug(ud.ADMIN, ud.INFO, 'users/user: set gidNumber by oldinfo') > self.lo.modify(self.dn, [('gidNumber',oldPrimaryGroup[0], primaryGroupNumber[0])]) > if 'samba' in self.options: >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'users/user: set sambaPrimaryGroupSID by oldinfo') >+ ud.debug(ud.ADMIN, ud.INFO, 'users/user: set sambaPrimaryGroupSID by oldinfo') > self.lo.modify(self.dn, [('sambaPrimaryGroupSID',oldPrimaryGroup[0], primaryGroupSambaNumber[0])]) > else: > searchResult=self.lo.search(base=self.dn, scope='base', attr=['gidNumber']) > for tmp,number in searchResult: > oldNumber = number['gidNumber'] >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'users/user: set gidNumber') >+ ud.debug(ud.ADMIN, ud.INFO, 'users/user: set gidNumber') > self.lo.modify(self.dn, [('gidNumber',oldNumber, primaryGroupNumber[0])]) > if 'samba' in self.options: >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'users/user: set sambaPrimaryGroupSID') >+ ud.debug(ud.ADMIN, ud.INFO, 'users/user: set sambaPrimaryGroupSID') > self.lo.modify(self.dn, [('sambaPrimaryGroupSID',oldNumber, primaryGroupSambaNumber[0])]) 
> > >@@ -1772,7 +1772,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > group_mod = univention.admin.modules.get('groups/group') > grpobj = group_mod.object(None, self.lo, self.position, self.newPrimaryGroupDn) > grpobj.fast_member_add( [ self.dn ], [ new_uid ] ) >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'users/user: adding to new primaryGroup %s (uid=%s)' % (self.newPrimaryGroupDn, new_uid)) >+ ud.debug(ud.ADMIN, ud.INFO, 'users/user: adding to new primaryGroup %s (uid=%s)' % (self.newPrimaryGroupDn, new_uid)) > > self.save() > >@@ -1782,10 +1782,10 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > return self['username']+'@'+realm > > def _ldap_pre_create(self): >- _d=univention.debug.function('admin.handlers.users.user.object._ldap_pre_create') >+ _d=ud.function('admin.handlers.users.user.object._ldap_pre_create') > > self.dn='uid=%s,%s' % ( self['username'], self.position.getDn()) >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'users/user: dn was set to %s'%self.dn) >+ ud.debug(ud.ADMIN, ud.INFO, 'users/user: dn was set to %s'%self.dn) > if not self['password']: > self['password']=self.oldattr.get('password',[''])[0] > self.modifypassword=0 
>@@ -1990,16 +1990,16 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > sambaPwdLastSetValue = '' # if is filled, it will be added to ml in the end > > if self.options != self.old_options: >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'options: %s' % self.options) >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'old_options: %s' % self.old_options) >+ ud.debug(ud.ADMIN, ud.INFO, 'options: %s' % self.options) >+ ud.debug(ud.ADMIN, ud.INFO, 'old_options: %s' % self.old_options) > # pki option add / remove > if 'pki' in self.options and not 'pki' in self.old_options: >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'added pki option') >+ ud.debug(ud.ADMIN, ud.INFO, 'added pki option') > ocs=self.oldattr.get('objectClass', []) > if not 'pkiUser' in ocs: > ml.insert(0, ('objectClass', '', 'pkiUser')) > if not 'pki' in self.options and 'pki' in self.old_options: >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'remove pki option') >+ ud.debug(ud.ADMIN, ud.INFO, 'remove pki option') > ocs=self.oldattr.get('objectClass', []) > if 'pkiUser' in ocs: > ml.insert(0, ('objectClass', 'pkiUser', '')) 
>@@ -2007,13 +2007,13 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > ml=self._remove_attr(ml,attr) > # ldap_pwd option add / remove > if 'ldap_pwd' in self.options and not 'ldap_pwd' in self.old_options: >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'added ldap_pwd option') >+ ud.debug(ud.ADMIN, ud.INFO, 'added ldap_pwd option') > ocs=self.oldattr.get('objectClass', []) > if not 'simpleSecurityObject' in ocs: > ml.insert(0, ('objectClass', '', 'simpleSecurityObject')) > ml.insert(0, ('objectClass', '', 'uidObject')) > if not 'ldap_pwd' in self.options and 'ldap_pwd' in self.old_options: >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'remove ldap_pwd option') >+ ud.debug(ud.ADMIN, ud.INFO, 'remove ldap_pwd option') > ocs=self.oldattr.get('objectClass', []) > if 'simpleSecurityObject' in ocs: > ml.insert(0, ('objectClass', 'simpleSecurityObject', '')) >@@ -2114,7 +2114,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > > shadowLastChangeValue = str(int(now)) > >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'shadowMax: %s' % shadowMax) >+ ud.debug(ud.ADMIN, ud.INFO, 'shadowMax: %s' % shadowMax) > old_shadowMax=self.oldattr.get('shadowMax', '') > if old_shadowMax != shadowMax: > ml.append(('shadowMax',self.oldattr.get('shadowMax', [''])[0], shadowMax)) >@@ -2130,7 +2130,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > krb5PasswordEnd='' > else: > krb5PasswordEnd="%s" % "20"+expiry[6:8]+expiry[3:5]+expiry[0:2]+"000000Z" >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'krb5PasswordEnd: %s' % krb5PasswordEnd) >+ ud.debug(ud.ADMIN, ud.INFO, 'krb5PasswordEnd: %s' % krb5PasswordEnd) > old_krb5PasswordEnd=self.oldattr.get('krb5PasswordEnd', '') > if old_krb5PasswordEnd != krb5PasswordEnd: > ml.append(('krb5PasswordEnd',self.oldattr.get('krb5PasswordEnd', [''])[0], krb5PasswordEnd)) 
>@@ -2271,7 +2271,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > shadowExpire='' > if self['userexpiry']: > shadowExpire="%d" % long(time.mktime(time.strptime(self['userexpiry'],"%d.%m.%y"))/3600/24+1) >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'shadowExpire: %s' % shadowExpire) >+ ud.debug(ud.ADMIN, ud.INFO, 'shadowExpire: %s' % shadowExpire) > old_shadowExpire=self.oldattr.get('shadowExpire', '') > if old_shadowExpire != shadowExpire: > ml.append(('shadowExpire',self.oldattr.get('shadowExpire', [''])[0], shadowExpire)) >@@ -2279,7 +2279,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > sambaKickoffTime='' > if self['userexpiry']: > sambaKickoffTime="%d" % long(time.mktime(time.strptime(self['userexpiry'],"%d.%m.%y"))) >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'sambaKickoffTime: %s' % sambaKickoffTime) >+ ud.debug(ud.ADMIN, ud.INFO, 'sambaKickoffTime: %s' % sambaKickoffTime) > old_sambaKickoffTime=self.oldattr.get('sambaKickoffTime', '') > if old_sambaKickoffTime != sambaKickoffTime: > ml.append(('sambaKickoffTime',self.oldattr.get('sambaKickoffTime', [''])[0], sambaKickoffTime)) >@@ -2287,7 +2287,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > krb5ValidEnd='' > if self['userexpiry']: > krb5ValidEnd="%s" % "20"+self['userexpiry'][6:8]+self['userexpiry'][3:5]+self['userexpiry'][0:2]+"000000Z" >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'krb5ValidEnd: %s' % krb5ValidEnd) >+ ud.debug(ud.ADMIN, ud.INFO, 'krb5ValidEnd: %s' % krb5ValidEnd) > old_krb5ValidEnd=self.oldattr.get('krb5ValidEnd', '') > if old_krb5ValidEnd != krb5ValidEnd: > if not self['userexpiry']: 
>@@ -2331,7 +2331,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > if 'kerberos' in self.options: > expiry=time.strftime("%d.%m.%y",time.gmtime((long(time.time())))) > krb5PasswordEnd="%s" % "20"+expiry[6:8]+expiry[3:5]+expiry[0:2]+"000000Z" >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'krb5PasswordEnd: %s' % krb5PasswordEnd) >+ ud.debug(ud.ADMIN, ud.INFO, 'krb5PasswordEnd: %s' % krb5PasswordEnd) > old_krb5PasswordEnd=self.oldattr.get('krb5PasswordEnd', '') > if old_krb5PasswordEnd != krb5PasswordEnd: > ml.append(('krb5PasswordEnd',self.oldattr.get('krb5PasswordEnd', [''])[0], krb5PasswordEnd)) >@@ -2358,7 +2358,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > now=(long(time.time())/3600/24) > shadowLastChangeValue = str(int(now)) > >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'shadowMax: %s' % shadowMax) >+ ud.debug(ud.ADMIN, ud.INFO, 'shadowMax: %s' % shadowMax) > old_shadowMax=self.oldattr.get('shadowMax', [''])[0] > if old_shadowMax != shadowMax: > ml.append(('shadowMax', old_shadowMax, shadowMax)) >@@ -2367,7 +2367,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > if 'samba' in self.options: > sambaPwdLastSetValue = str(long(time.time())) > # transfered into ml below >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'sambaPwdLastSetValue: %s' % sambaPwdLastSetValue) >+ ud.debug(ud.ADMIN, ud.INFO, 'sambaPwdLastSetValue: %s' % sambaPwdLastSetValue) > > # 4. set kerberos attribute > if 'kerberos' in self.options: 
>@@ -2376,7 +2376,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > else: > expiry=time.strftime("%d.%m.%y",time.gmtime((long(time.time()) + (expiryInterval*3600*24)))) > krb5PasswordEnd="%s" % "20"+expiry[6:8]+expiry[3:5]+expiry[0:2]+"000000Z" >- univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'krb5PasswordEnd: %s' % krb5PasswordEnd) >+ ud.debug(ud.ADMIN, ud.INFO, 'krb5PasswordEnd: %s' % krb5PasswordEnd) > old_krb5PasswordEnd=self.oldattr.get('krb5PasswordEnd', [''])[0] > if old_krb5PasswordEnd != krb5PasswordEnd: > ml.append(('krb5PasswordEnd',old_krb5PasswordEnd, krb5PasswordEnd)) >@@ -2393,9 +2393,9 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > else: > try: > self.alloc.append( ( 'mailPrimaryAddress', self[ 'mailPrimaryAddress' ] ) ) >- univention.debug.debug( univention.debug.ADMIN, univention.debug.INFO, "LOCKING: %s" % self[ 'mailPrimaryAddress' ] ) >+ ud.debug( ud.ADMIN, ud.INFO, "LOCKING: %s" % self[ 'mailPrimaryAddress' ] ) > univention.admin.allocators.request( self.lo, self.position, 'mailPrimaryAddress', value = self[ 'mailPrimaryAddress' ] ) >- univention.debug.debug( univention.debug.ADMIN, univention.debug.INFO, "LOCKING DONE: %s" % self[ 'mailPrimaryAddress' ] ) >+ ud.debug( ud.ADMIN, ud.INFO, "LOCKING DONE: %s" % self[ 'mailPrimaryAddress' ] ) > except univention.admin.uexceptions.noLock: > self.cancel() > raise univention.admin.uexceptions.mailAddressUsed >-- >1.7.10.4 > > >From 6c43e26f8300d7693c0f35ba838b19e4ac4c100a Mon Sep 17 00:00:00 2001 >Message-Id: <6c43e26f8300d7693c0f35ba838b19e4ac4c100a.1363595740.git.hahn@univention.de> >In-Reply-To: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> >References: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> 
>From: Philipp Hahn <hahn@univention.de>
>Date: Fri, 15 Mar 2013 19:33:04 +0100
>Subject: [PATCH 05/13] Bug #25279: Simplify string handling
>Organization: Univention GmbH, Bremen, Germany
>
>string.join(_, '_') -> '_'.join(_)
>string.split(_, '_') -> _.split('_')
>string.find(_, '_') -> _.find('_')
>---
> .../univention/admin/handlers/users/user.py | 120 +++++++++-----------
> 1 file changed, 55 insertions(+), 65 deletions(-)
>
>diff --git a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
>index 4868e85..2e7d469 100644
>--- a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
>+++ b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
>@@ -1003,12 +1003,14 @@ def posixDaysToDate(days):
> return time.strftime("%Y-%m-%d",time.gmtime(long(days)*3600*24))
>
> def sambaWorkstationsMap(workstations):
>- ud.debug(ud.ADMIN, ud.ALL, 'samba: sambaWorkstationMap: in=%s; out=%s' % (workstations,string.join(workstations, ',')))
>- return string.join(workstations, ',')
>+ tmp = ','.join(workstations)
>+ ud.debug(ud.ADMIN, ud.ALL, 'samba: sambaWorkstationMap: in=%s; out=%s' % (workstations, tmp))
>+ return tmp
>
> def sambaWorkstationsUnmap(workstations):
>- ud.debug(ud.ADMIN, ud.ALL, 'samba: sambaWorkstationUnmap: in=%s; out=%s' % (workstations[0],string.split(workstations[0],',')))
>- return string.split(workstations[0],',')
>+ tmp = workstations[0].split(',')
>+ ud.debug(ud.ADMIN, ud.ALL, 'samba: sambaWorkstationUnmap: in=%s; out=%s' % (workstations[0], tmp))
>+ return tmp
>
> def logonHoursMap(logontimes):
> "converts the bitfield 001110010110...100 to the respective string"
>@@ -1110,7 +1112,7 @@ def load_certificate(user_certificate):
>
> def convert_certdate (certdate):
> datestring=str(certdate)
>- dl=string.split(datestring)
>+ dl = datestring.split()
> month=[None, 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' ]
> try:
> dl[0]=month.index(dl[0])
>@@ -1134,44 +1136,41 @@ def load_certificate(user_certificate): > if not serial: > return {} > >- >- value={} >- >- value['certificateDateNotBefore']=convert_certdate(not_before) >- value['certificateDateNotAfter']=convert_certdate(not_after) >- value['certificateVersion']=str(version) >- value['certificateSerial']=str(serial) >- >+ ATTR = { >+ "C": "Country", >+ "ST": "State", >+ "L": "Location", >+ "O": "Organisation", >+ "OU": "OrganisationalUnit", >+ "CN": "CommonName", >+ "emailAddress": "Mail", >+ }[key] >+ value = { >+ 'certificateDateNotBefore': convert_certdate(not_before), >+ 'certificateDateNotAfter': convert_certdate(not_after), >+ 'certificateVersion': str(version), >+ 'certificateSerial': str(serial), >+ } > for i in issuer.split('/'): >- if re.match('^C=', i): >- value['certificateIssuerCountry']=string.split(i, '=')[1] >- elif re.match('^ST=', i): >- value['certificateIssuerState']=string.split(i, '=')[1] >- elif re.match('^L=', i): >- value['certificateIssuerLocation']=string.split(i, '=')[1] >- elif re.match('^O=', i): >- value['certificateIssuerOrganisation']=string.split(i, '=')[1] >- elif re.match('^OU=', i): >- value['certificateIssuerOrganisationalUnit']=string.split(i, '=')[1] >- elif re.match('^CN=', i): >- value['certificateIssuerCommonName']=string.split(i, '=')[1] >- elif re.match('^emailAddress=', i): >- value['certificateIssuerMail']=string.split(i, '=')[1] >+ try: >+ key, val = i.split('=', 1) >+ except ValueError: >+ continue >+ try: >+ attr = "certificateIssuer%s" % ATTR[key] >+ except KeyError: >+ continue >+ value[attr] = val > for i in subject.split('/'): >- if re.match('^C=', i): >- value['certificateSubjectCountry']=string.split(i, '=')[1] >- elif re.match('^ST=', i): >- value['certificateSubjectState']=string.split(i, '=')[1] >- elif re.match('^L=', i): >- value['certificateSubjectLocation']=string.split(i, '=')[1] >- elif re.match('^O=', i): >- value['certificateSubjectOrganisation']=string.split(i, '=')[1] >- elif 
re.match('^OU=', i): >- value['certificateSubjectOrganisationalUnit']=string.split(i, '=')[1] >- elif re.match('^CN=', i): >- value['certificateSubjectCommonName']=string.split(i, '=')[1] >- elif re.match('^emailAddress=', i): >- value['certificateSubjectMail']=string.split(i, '=')[1] >+ try: >+ key, val = i.split('=', 1) >+ except ValueError: >+ continue >+ try: >+ attr = "certificateSubject%s" % ATTR[key] >+ except KeyError: >+ continue >+ value[attr] = val > > ud.debug(ud.ADMIN, ud.ERROR, 'value=%s' % value) > return value >@@ -1306,17 +1305,13 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > self['disabled']='all' > > def __is_kerberos_disabled(self): >- if self['disabled'] in ['all', 'kerberos', 'posix_kerberos', 'windows_kerberos']: >- return True >- return False >+ return self['disabled'] in ('all', 'kerberos', 'posix_kerberos', 'windows_kerberos') >+ > def __is_windows_disabled(self): >- if self['disabled'] in ['all', 'windows', 'windows_posix', 'windows_kerberos']: >- return True >- return False >+ return self['disabled'] in ('all', 'windows', 'windows_posix', 'windows_kerberos') >+ > def __is_posix_disabled(self): >- if self['disabled'] in ( 'all', 'posix', 'posix_kerberos', 'windows_posix' ): >- return True >- return False >+ return self['disabled'] in ('all', 'posix', 'posix_kerberos', 'windows_posix') > > def __pwd_is_auth_saslpassthrough(self, password): > if password.startswith('{SASL}') and univention.admin.baseConfig.get('directory/manager/web/modules/users/user/auth/saslpassthrough','no').lower() == 'keep': 
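Review bot: The new `ATTR = { ... }[key]` subscripts the dict literal with `key` before anything in the hunk assigns it, and `key` is bound later by `key, val = i.split('=', 1)`, so it is a local name and this line should raise UnboundLocalError on every certificate that gets this far. Even if it did not, `ATTR` would then be a single string and `ATTR[key]` in both loops would index into that string rather than look up the attribute name. Drop the trailing subscript so the statement ends with `}` and `ATTR` stays the mapping. The issuer and subject loops are otherwise identical, so one helper taking the prefix (`"certificateIssuer"` / `"certificateSubject"`) would avoid the duplication. load_certificate starts outside this hunk.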
>@@ -1494,9 +1489,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > if self['passwordexpiry']: > today=time.strftime('%Y-%m-%d').split('-') > expiry=self['passwordexpiry'].split('-') >- # expiry.reverse() >- # today.reverse() >- if int(string.join(today,''))>=int(string.join(expiry,'')): >+ if int(''.join(today)) >= int(''.join(expiry)): > self['pwdChangeNextLogin']='1' > > if 'samba' in self.options: >@@ -2546,20 +2539,17 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > def __passwordInHistory(self, newpassword, pwhistory): > # first calc hash for the new pw > s = hashlib.sha1( newpassword.encode( 'utf-8' ) ) >- newpwhash = string.upper(s.hexdigest()) >- if not string.find(pwhistory, newpwhash) < 0: >- # password has already been used. >- return 1 >- return 0 >+ newpwhash = s.hexdigest().upper() >+ return pwhistory.find(newpwhash) >= 0 > > def __getPWHistory(self, newpassword, pwhistory, pwhlen): > # first calc hash for the new pw > s = hashlib.sha1( newpassword.encode( 'utf-8' ) ) >- newpwhash = string.upper(s.hexdigest()) >+ newpwhash = s.hexdigest().upper() > > # split the history >- if len(string.strip(pwhistory)): >- pwlist = string.split(pwhistory, ' ') >+ if len(pwhistory.strip()): >+ pwlist = pwhistory.split(' ') > else: > pwlist = [] > >@@ -2583,13 +2573,13 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > else: > pwlist.append(newpwhash) > # and build the new history >- res = string.join(pwlist) >+ res = ' '.join(pwlist) > return res > > def __getsmbPWHistory(self, newpassword, smbpwhistory, smbpwhlen): > # split the history >- if len(string.strip(smbpwhistory)): >- pwlist = string.split(smbpwhistory, ' ') >+ if len(smbpwhistory.strip()): >+ pwlist = smbpwhistory.split(' ') > else: > pwlist = [] 
> >@@ -2632,7 +2622,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > pwlist.append(smbpwhash) > > # and build the new history >- res = string.join(pwlist, '') >+ res = ''.join(pwlist) > return res > > def __generate_user_sid(self, uidNum): >-- >1.7.10.4 > > >From e58ef69230f2276bd77c5e7088fbb71eb21fc495 Mon Sep 17 00:00:00 2001 >Message-Id: <e58ef69230f2276bd77c5e7088fbb71eb21fc495.1363595740.git.hahn@univention.de> >In-Reply-To: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> >References: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Fri, 15 Mar 2013 19:40:50 +0100 >Subject: [PATCH 06/13] Bug #25279: Simplify list comprehension >Organization: Univention GmbH, Bremen, Germany > >Simplify mapAddress() >Simplify mapKeyAndValue() >Simplify unmapKeyAndValue() >--- > .../univention/admin/handlers/users/user.py | 37 +++++++++++++------- > 1 file changed, 25 insertions(+), 12 deletions(-) > >diff --git a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >index 2e7d469..17b8cac 100644 >--- a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >+++ b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py 
>@@ -1176,12 +1176,19 @@ def load_certificate(user_certificate): > return value > > def mapHomePostalAddress(old): >- new=[] >- for i in old: >- new.append(string.join(i, '$' )) >- return new >+ """Map address to LDAP encoding. >+ >>> mapHomePostalAddress(["a", "b", "c"]) >+ 'a$b$c' >+ """ >+ return '$'.join(old) > > def unmapHomePostalAddress(old): >+ """Expand LDAP encoded address. >+ >>> unmapHomePostalAddress(['foo']) >+ [['foo', ' ', ' ']] >+ >>> unmapHomePostalAddress(['foo$bar$baz']) >+ [['foo', 'bar', 'baz']] >+ """ > new=[] > for i in old: > if '$' in i: >@@ -1228,16 +1235,18 @@ mapping.register('displayName', 'displayName', None, univention.admin.mapping.Li > mapping.register('birthday', 'univentionBirthday', None, univention.admin.mapping.ListToString) > > def mapKeyAndValue(old): >- lst = [] >- for entry in old: >- lst.append( '%s=%s' % (entry[0], entry[1]) ) >- return lst >+ """Map (key, value) list to key=value list. >+ >>> mapKeyAndValue([("a", "b")]) >+ ['a=b'] >+ """ >+ return ["%s=%s" % tuple(entry) for entry in old] > > def unmapKeyAndValue(old): >- lst = [] >- for entry in old: >- lst.append( entry.split('=', 1) ) >- return lst >+ """Map (key=value) list to (key, value) list. >+ >>> unmapKeyAndValue(["a=b"]) >+ [('a', 'b')] >+ """ >+ return [tuple(entry.split('=', 1)) for entry in old] > > def unmapBase64( value ): > try: >@@ -2786,3 +2795,7 @@ def identify(dn, attr, canonical=0): > and not '$' in attr.get('uid',[]) > and not 'univentionHost' in attr.get('objectClass', []) > ) >+ >+if __name__ == '__main__': >+ import doctest >+ doctest.testmod() >-- >1.7.10.4 > > >From 4c2ac16f94490bb9d1033ceaf2a6eaaaaf121250 Mon Sep 17 00:00:00 2001 >Message-Id: <4c2ac16f94490bb9d1033ceaf2a6eaaaaf121250.1363595740.git.hahn@univention.de> >In-Reply-To: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> >References: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> 
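Review bot: mapHomePostalAddress no longer does what the removed loop did: the old code joined each element of `old` with `$` and returned a list, while `'$'.join(old)` joins `old` itself and returns one string. The doctest added to unmapHomePostalAddress in the same hunk returns `[['foo', 'bar', 'baz']]`, and passing that shape back into the new map function raises TypeError because the elements are lists, so map and unmap are no longer inverses. A behaviour-preserving simplification would be `return ['$'.join(i) for i in old]`, with the doctest changed to `mapHomePostalAddress([["a", "b", "c"]])` giving `['a$b$c']`. The body of unmapHomePostalAddress continues outside the hunk.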
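Review bot: Both rewritten helpers change their contract rather than only their form. `"%s=%s" % tuple(entry)` in mapKeyAndValue raises TypeError for any entry that does not have exactly two items, where the removed code read `entry[0]` and `entry[1]` and ignored the rest. unmapKeyAndValue now returns tuples instead of lists, and a stored value without `=` becomes a 1-tuple, which will fail when it is mapped back. Whether callers rely on mutable two-element lists is not visible here, so the safer simplification is `return [entry.split('=', 1) for entry in old]` and `return ['%s=%s' % (entry[0], entry[1]) for entry in old]`.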
>From: Philipp Hahn <hahn@univention.de> >Date: Fri, 15 Mar 2013 19:59:16 +0100 >Subject: [PATCH 07/13] Bug #28496: Simplify samba-logonhour >Organization: Univention GmbH, Bremen, Germany > >Fix possible infinite loop >--- > .../univention/admin/handlers/users/user.py | 85 +++++--------------- > 1 file changed, 18 insertions(+), 67 deletions(-) > >diff --git a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >index 17b8cac..b855c3c 100644 >--- a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >+++ b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py 
>@@ -1013,77 +1013,28 @@ def sambaWorkstationsUnmap(workstations): > return tmp > > def logonHoursMap(logontimes): >- "converts the bitfield 001110010110...100 to the respective string" >- >- # convert list of bit numbers to bit-string >- # bitstring = '0' * 168 >- bitstring = ''.join( map( lambda x: x in logontimes and '1' or '0', range( 168 ) ) ) >- >- # for idx in logontimes: >- # bitstring[ idx ] = '1' >- >- logontimes = bitstring >- >+ """Converts array of bits set to an hex-string.""" >+ octets = [0] * (24 * 7 / 8) > # the order of the bits of each byte has to be reversed. The reason for this is that >- # consecutive bytes mean consecutive 8-hrs-intervals, but the leftmost bit stands for >- # the last hour in that interval, the 2nd but leftmost bit for the second-but-last >+ # consecutive bytes mean consecutive 8-hrs-intervals, but the MSB stands for >+ # the last hour in that interval, the 2nd leftmost bit for the second-to-last > # hour and so on. We want to hide this from anybody using this feature. >- # See http://ma.ph-freiburg.de/tng/tng-technical/2003-04/msg00015.html for details. >- >- newtimes = "" >- for i in range(0,21): >- bitlist=list(logontimes[(i*8):(i*8)+8]) >- bitlist.reverse() >- newtimes+="".join(bitlist) >- logontimes = newtimes >- >- # create a hexnumber from each 8-bit-segment >- ret="" >- for i in range(0,21): >- val=0 >- exp=7 >- for j in range((i*8), (i*8)+8): >- if not (logontimes[j]=="0"): >- val+=2**exp >- exp-=1 >- # we now have: 0<=val<=255 >- hx=hex(val)[2:4] >- if len(hx)==1: hx="0"+hx >- ret+=hx >- >- return ret >+ # See <http://ma.ph-freiburg.de/tng/tng-technical/2003-04/msg00015.html> for details. 
>+ for hour in logontimes: >+ idx, bit = divmod(hour, 8) >+ octets[idx] |= 1 << bit >+ return ''.join(['%02x' % _ for _ in octets]) > > def logonHoursUnmap(logontimes): >- "converts the string to a bit array" >- >- times=logontimes[0][:42] >- while len(times)<42: >- times=times >- ret="" >- for i in range(0,42,2): >- val=int(times[i:i+2],16) >- ret+=intToBinary(val) >- >- # reverse order of the bits in each byte. See above for details >- newtime = "" >- for i in range(0, 21): >- bitlist=list(ret[(i*8):(i*8)+8]) >- bitlist.reverse() >- newtime+="".join(bitlist) >- >- # convert bit-string to list >- return filter( lambda i: newtime[ i ] == '1', range( 168 ) ) >- >-def intToBinary(val): >- ret="" >- while val>0: >- ret=str(val&1)+ret >- val=val>>1 >- # pad with leading 0s until length is n*8 >- if ret=="": ret="0" >- while not (len(ret)%8==0): >- ret="0"+ret >- return ret >+ """Converts hex-string to an array of bits set.""" >+ times = logontimes[0].ljust(42, '0')[:42] >+ assert len(times) == 24 * 7 / 4 >+ octets = [int(times[i : i + 2], 16) for i in range(0, len(times), 2)] >+ assert len(octets) == 24 * 7 / 8 >+ return [idx * 8 + bit >+ for (idx, value) in enumerate(octets) >+ for bit in range(8) >+ if value & (1 << bit)] > > def GMTOffset(): > # returns the difference in hours between local time and GMT (is -1 for CET and CEST) >-- >1.7.10.4 > > >From 743c09b7cb1e87ca249fed73bd62e4fb9037af97 Mon Sep 17 00:00:00 2001 >Message-Id: <743c09b7cb1e87ca249fed73bd62e4fb9037af97.1363595740.git.hahn@univention.de> >In-Reply-To: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> >References: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> 
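Review bot: logonHoursMap now uses each entry of `logontimes` as an index without a range check, whereas the removed code only tested `x in logontimes` for `x` in `range(168)` and so ignored anything else. With the new loop a value of 168 or more raises IndexError, and a negative value is accepted silently because `divmod(-1, 8)` is `(-1, 7)` and sets a bit in the last octet. A guard such as `if not 0 <= hour < 24 * 7: continue` (or an explicit error) at the top of the loop keeps the old tolerance; the element type of `logontimes` is not visible in the hunk, so confirm it is already `int`. In logonHoursUnmap the two `assert` statements are removed under `-O`, and `int(..., 16)` raises ValueError on a non-hex value read from the directory, so a malformed stored attribute should be handled there rather than asserted.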
>From: Philipp Hahn <hahn@univention.de> >Date: Fri, 15 Mar 2013 20:37:50 +0100 >Subject: [PATCH 08/13] Bug #25279: simplify __getPwHistory >Organization: Univention GmbH, Bremen, Germany > >Code refacturing >--- > .../univention/admin/handlers/users/user.py | 89 ++++++++------------ > 1 file changed, 35 insertions(+), 54 deletions(-) > >diff --git a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >index b855c3c..ca481c0 100644 >--- a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >+++ b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >@@ -2020,7 +2020,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > return [] > if pwhistoryPolicy and pwhistoryPolicy.has_key('length') and pwhistoryPolicy['length']: > pwhlen = int(pwhistoryPolicy['length']) >- newPWHistory = self.__getPWHistory(self['password'], pwhistory, pwhlen) >+ newPWHistory = object.__getPWHistory(self['password'], pwhistory, pwhlen) > ml.append(('pwhistory', self.oldattr.get('pwhistory', [''])[0], newPWHistory)) > if pwhistoryPolicy != None and pwhistoryPolicy['pwLength'] != None and pwhistoryPolicy['pwLength'] != 0 and self['overridePWLength'] != '1': > if len(self['password']) < int(pwhistoryPolicy['pwLength']): 
>@@ -2502,39 +2502,33 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > newpwhash = s.hexdigest().upper() > return pwhistory.find(newpwhash) >= 0 > >- def __getPWHistory(self, newpassword, pwhistory, pwhlen): >- # first calc hash for the new pw >- s = hashlib.sha1( newpassword.encode( 'utf-8' ) ) >- newpwhash = s.hexdigest().upper() >- >- # split the history >- if len(pwhistory.strip()): >- pwlist = pwhistory.split(' ') >- else: >- pwlist = [] >- >+ @staticmethod >+ def __getPWHistory(newpassword, pwhistory, pwhlen): >+ """Save history of previopusly used passwords. >+ >>> object.__getPWHistory("a", "b", 0) >+ "b" >+ >>> object.__getPWHistory("a", "", 1) >+ "86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8" >+ >>> object.__getPWHistory("a", "b", 1) >+ "86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8" >+ >>> object.__getPWHistory("a", "b", 2) >+ "b 86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8" >+ """ > #this preserves a temporary disabled history > if pwhlen > 0: >- if len(pwlist) < pwhlen: >- pwlist.append(newpwhash) >- else: >- # calc entries to cut out >- cut = 1 + len(pwlist) - pwhlen >- pwlist[0:cut] = [] >- if pwhlen > 1: >- # and append to shortened history >- pwlist.append(newpwhash) >- else: >- # or replace the history completely >- if len(pwlist) > 0: >- pwlist[0] = newpwhash >- # just to be sure... >- pwlist[1:] = [] >- else: >- pwlist.append(newpwhash) >- # and build the new history >- res = ' '.join(pwlist) >- return res >+ # first calc hash for the new pw >+ s = hashlib.sha1(newpassword.encode('utf-8')) >+ newpwhash = s.hexdigest().upper() >+ >+ # split the history >+ pwlist = pwhistory.strip().split(' ') >+ # append new hash >+ pwlist.append(newpwhash) >+ # strip old hashes >+ pwlist = pwlist[-pwhlen:] >+ # build histroy >+ pwhistory = ' '.join(pwlist) >+ return pwhistory > > def __getsmbPWHistory(self, newpassword, smbpwhistory, smbpwhlen): > # split the history 
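Review bot: In the new __getPWHistory, `pwhistory.strip().split(' ')` returns `['']` for an empty history, because `str.split` with an explicit separator never yields an empty list. The empty string then counts as a history entry: for `pwhlen` of 2 or more the result starts with a space and one slot of the history is wasted, a case the added doctests do not cover since they only use `pwhlen` 1 with an empty history. Using `pwlist = pwhistory.split()` restores the behaviour of the removed `if len(pwhistory.strip())` branch and also tolerates repeated spaces. A doctest for `("a", "", 2)` would pin this down.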
>@@ -2562,28 +2556,15 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > pwdhash = hashlib.md5(salt + pwd).hexdigest().upper() > smbpwhash = hexsalt+pwdhash > >- if len(pwlist) < smbpwhlen: >- #just append >- pwlist.append(smbpwhash) >- else: >- #calc entries to cut out >- cut = 1 + len(pwlist) - smbpwhlen >- pwlist[0:cut] = [] >- if smbpwhlen > 1: >- #and append to shortened history >- pwlist.append(smbpwhash) >- else: >- # or replace the history completely >- if len(pwlist) > 0: >- pwlist[0] = smbpwhash >- # just to be sure... >- pwlist[1:] = [] >- else: >- pwlist.append(smbpwhash) >- >- # and build the new history >- res = ''.join(pwlist) >- return res >+ # split the history >+ pwlist = smbpwhistory.strip().split(' ') >+ # append new hash >+ pwlist.append(smbpwhash) >+ # strip old hashes >+ pwlist = pwlist[-smbpwhlen:] >+ # build history >+ smbpwhistory = ''.join(pwlist) >+ return smbpwhistory > > def __generate_user_sid(self, uidNum): > # TODO: cleanup function >-- >1.7.10.4 > > >From c482f369666ba4ef475856b8f31bf96f8bd1597f Mon Sep 17 00:00:00 2001 >Message-Id: <c482f369666ba4ef475856b8f31bf96f8bd1597f.1363595740.git.hahn@univention.de> >In-Reply-To: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> >References: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Fri, 15 Mar 2013 21:31:54 +0100 >Subject: [PATCH 09/13] Bug #25279: Cleanup password function >Organization: Univention GmbH, Bremen, Germany > >--- > .../modules/univention/admin/password.py | 54 +++++++++++--------- > 1 file changed, 29 insertions(+), 25 deletions(-) > >diff --git a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/password.py b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/password.py >index c0fd62b..9396a83 100644 
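Review bot: The added `pwlist[-smbpwhlen:]` does not limit the Samba history the way the removed branch did. The history is written with `''.join(pwlist)`, so splitting it on `' '` gives at most one element holding the entire old history, and the slice can only keep or drop that element as a whole; with `smbpwhlen` of 2 or more the attribute grows on every password change. `pwlist[-0:]` is the whole list, so a length of 0 also keeps everything, unlike the `if pwhlen > 0` guard in __getPWHistory. If each entry is the 32 hex characters of salt plus the 32 of the MD5 digest, as the context lines suggest, split by width instead: `pwlist = [smbpwhistory[i:i + 64] for i in range(0, len(smbpwhistory), 64)]`, and skip the update when `smbpwhlen <= 0`. The function starts outside this hunk, where the earlier split of the history is still present.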
>--- a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/password.py >+++ b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/password.py 
>@@ -30,39 +30,43 @@ > # /usr/share/common-licenses/AGPL-3; if not, see > # <http://www.gnu.org/licenses/>. > >-import os, heimdal, codecs, types, string, sys >+import heimdal > import smbpasswd >-import univention.config_registry >+from univention.config_registry import ConfigRegistry >+from crypt import crypt as _crypt > >-configRegistry=univention.config_registry.ConfigRegistry() >+configRegistry = ConfigRegistry() > configRegistry.load() > > def crypt(password): > """return crypt hash""" >- >- valid = ['.', '/', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', >- 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', >- 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', >- 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', >- 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', >- '6', '7', '8', '9' ] > salt = '' > urandom = open("/dev/urandom", "r") > for i in xrange(0, 16): # up to 16 bytes of salt are evaluated by crypt(3), overhead is ignored > o = ord(urandom.read(1)) >- while not o < 256 / len(valid) * len(valid): # make sure not to skew the distribution when using modulo >+ while not o < 256 / len(crypt.VALID) * len(crypt.VALID): # make sure not to skew the distribution when using modulo > o = ord(urandom.read(1)) >- salt = salt + valid[(o % len(valid))] >+ salt = salt + crypt.VALID[(o % len(crypt.VALID))] > urandom.close() > >- import crypt # UCRV >- method_id = {'MD5': '1', >- 'SHA256': '5', >- 'SHA-256': '5', >- 'SHA512': '6', >- 'SHA-512': '6', >- }.get(configRegistry.get('password/hashing/method', 'sha-512').upper(), 6) >- return crypt.crypt(password.encode('utf-8'), '$%s$%s$' % (method_id, salt, )) >+ method = configRegistry.get('password/hashing/method', 'sha-512').upper() >+ method_id = crypt.METHOD.get(method, 6) >+ return _crypt(password.encode('utf-8'), '$%s$%s$' % (method_id, salt, )) >+crypt.VALID = ( >+ '.', '/', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', >+ 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 
't', 'u', 'v', >+ 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', >+ 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', >+ 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', >+ '6', '7', '8', '9', >+ ) >+crypt.METHOD = { >+ 'MD5': '1', >+ 'SHA256': '5', >+ 'SHA-256': '5', >+ 'SHA512': '6', >+ 'SHA-512': '6', >+ } > > def ntlm(password): > """return tuple with NT and LanMan hash""" >@@ -77,18 +81,18 @@ def ntlm(password): > return (nt, lm) > > def krb5_asn1(principal, password, krb5_context=None): >- list=[] >- if type(principal) == types.UnicodeType: >+ if isinstance(principal, unicode): > principal = str( principal ) >- if type(password) == types.UnicodeType: >+ if isinstance(password, unicode): > password = str( password ) > if not krb5_context: > krb5_context = heimdal.context() >+ result = [] > for krb5_etype in krb5_context.get_permitted_enctypes(): > if str(krb5_etype) == 'des3-cbc-md5' and configRegistry.is_false('password/krb5/enctype/des3-cbc-md5', True): > continue > krb5_principal = heimdal.principal(krb5_context, principal) > krb5_keyblock = heimdal.keyblock(krb5_context, krb5_etype, password, krb5_principal) > krb5_salt = heimdal.salt(krb5_context, krb5_principal) >- list.append(heimdal.asn1_encode_key(krb5_keyblock, krb5_salt, 0)) >- return list >+ result.append(heimdal.asn1_encode_key(krb5_keyblock, krb5_salt, 0)) >+ return result >-- >1.7.10.4 > > >From 1ced12ad1ef2bfc77a28803a8dadd6dd418a6a14 Mon Sep 17 00:00:00 2001 >Message-Id: <1ced12ad1ef2bfc77a28803a8dadd6dd418a6a14.1363595740.git.hahn@univention.de> >In-Reply-To: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> >References: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> 
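Review bot: crypt() still opens `/dev/urandom` and closes it by hand, so an exception inside the salt loop leaves the handle open; a later patch in this series adds try/finally for the same pattern in user.py but not here. Wrapping the loop in `with open("/dev/urandom", "rb") as urandom:` closes it on every path and reads the device as bytes. Attaching `VALID` and `METHOD` to the function object after its definition is unusual; module-level constants such as `_SALT_CHARS` and `_HASH_METHODS` would read more plainly and would be defined before the function can be called.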
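Review bot: The rewritten type checks in krb5_asn1 keep `str(principal)` and `str(password)`, which under Python 2 encode with the ASCII default codec and raise UnicodeEncodeError for any non-ASCII character, such as an umlaut in a password. crypt() in the same file uses `password.encode('utf-8')`, so the two hash paths treat the same input differently. Consider `principal = principal.encode('utf-8')` and `password = password.encode('utf-8')` here, after confirming that the heimdal binding expects UTF-8 byte strings, which is not visible in this hunk.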
>From: Philipp Hahn <hahn@univention.de> >Date: Fri, 15 Mar 2013 21:39:27 +0100 >Subject: [PATCH 10/13] Bug #25279: Simplify hex decode/encode >Organization: Univention GmbH, Bremen, Germany > >Simplify conversion of binary data to hex string back to binary data. >--- > .../modules/univention/admin/handlers/users/user.py | 9 ++------- > 1 file changed, 2 insertions(+), 7 deletions(-) > >diff --git a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >index ca481c0..d40d1b8 100644 >--- a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >+++ b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >@@ -2538,16 +2538,11 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > pwlist = [] > > #calculate the password hash & salt >- salt='' > urandom = open('/dev/urandom', 'r') > #get 16 bytes from urandom for salting our hash >- rand = urandom.read(16) >- for i in range(0, len(rand)): >- salt = salt + '%.2X' % ord(rand[i]) >+ salt = urandom.read(16) > #we have to have that in hex >- hexsalt = salt >- #and binary for calculating the md5 >- salt = self.getbytes(salt) >+ hexsalt = salt.encode('hex').upper() > #we need the ntpwd binary data to > pwd = self.getbytes(newpassword) > #calculating hash. sored as a 32byte hex in sambePasswordHistory, >-- >1.7.10.4 > > >From 75b36086e3a63c0ba08a6254f13a514a14efa99a Mon Sep 17 00:00:00 2001 >Message-Id: <75b36086e3a63c0ba08a6254f13a514a14efa99a.1363595740.git.hahn@univention.de> >In-Reply-To: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> >References: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> 
>From: Philipp Hahn <hahn@univention.de> >Date: Fri, 15 Mar 2013 21:40:38 +0100 >Subject: [PATCH 11/13] Bug #25279: Remove getbytes() >Organization: Univention GmbH, Bremen, Germany > >Use .decode('hex') instead of custom function >--- > .../modules/univention/admin/handlers/users/user.py | 7 +------ > 1 file changed, 1 insertion(+), 6 deletions(-) > >diff --git a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >index d40d1b8..2b83daf 100644 >--- a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >+++ b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >@@ -2544,7 +2544,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > #we have to have that in hex > hexsalt = salt.encode('hex').upper() > #we need the ntpwd binary data to >- pwd = self.getbytes(newpassword) >+ pwd = newpassword.decode('hex') > #calculating hash. sored as a 32byte hex in sambePasswordHistory, > #syntax like that: [Salt][MD5(Salt+Hash)] > # First 16bytes ^ ^ last 16bytes. >@@ -2597,11 +2597,6 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > > return userSid > >- def getbytes(self, string): >- #return byte values of a string (for smbPWHistory) >- bytes = [int(string[i:i+2], 16) for i in xrange(0, len(string), 2)] >- return struct.pack("%iB" % len(bytes), *bytes) >- > def cancel(self): > for i,j in self.alloc: > univention.admin.allocators.release(self.lo, self.position, i, j) >-- >1.7.10.4 
> > >From 7c131d6329c940a9274f9c1d9e13701892259ee7 Mon Sep 17 00:00:00 2001 >Message-Id: <7c131d6329c940a9274f9c1d9e13701892259ee7.1363595740.git.hahn@univention.de> >In-Reply-To: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> >References: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Fri, 15 Mar 2013 21:42:25 +0100 >Subject: [PATCH 12/13] Bug #25279: Code cleanup >Organization: Univention GmbH, Bremen, Germany > >Add test cases. >Declare methods as static for easier testing. >Rename use of Python internal names. >Explicitly close open file handle. >Remove now unused imports. >--- > .../univention/admin/handlers/users/user.py | 70 +++++++++++--------- > 1 file changed, 39 insertions(+), 31 deletions(-) > >diff --git a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >index 2b83daf..67ed4d0 100644 >--- a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >+++ b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >@@ -32,11 +32,9 @@ > > import hashlib > import os >-import string > import re > import copy > import time >-import types > import struct > import tempfile > from M2Crypto import X509 
>@@ -2015,12 +2013,12 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > pwhistoryPolicy = self.loadPolicyObject('policies/pwhistory') > if self['overridePWHistory'] != '1': > #TODO: if checkbox "override pwhistory" is not set >- if self.__passwordInHistory(self['password'], pwhistory): >+ if object._passwordInHistory(self['password'], pwhistory): > raise univention.admin.uexceptions.pwalreadyused > return [] > if pwhistoryPolicy and pwhistoryPolicy.has_key('length') and pwhistoryPolicy['length']: > pwhlen = int(pwhistoryPolicy['length']) >- newPWHistory = object.__getPWHistory(self['password'], pwhistory, pwhlen) >+ newPWHistory = object._getPWHistory(self['password'], pwhistory, pwhlen) > ml.append(('pwhistory', self.oldattr.get('pwhistory', [''])[0], newPWHistory)) > if pwhistoryPolicy != None and pwhistoryPolicy['pwLength'] != None and pwhistoryPolicy['pwLength'] != 0 and self['overridePWLength'] != '1': > if len(self['password']) < int(pwhistoryPolicy['pwLength']): >@@ -2132,10 +2130,10 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > sambaPwdLastSetValue = str(long(time.time())) > > smbpwhistoryPolicy = self.loadPolicyObject('policies/pwhistory') >- if smbpwhistoryPolicy != None and smbpwhistoryPolicy['length'] != None: >+ if smbpwhistoryPolicy and smbpwhistoryPolicy['length'] != None: > smbpwhlen = int(pwhistoryPolicy['length']) > smbpwhistory=self.oldattr.get('sambaPasswordHistory',[''])[0] >- newsmbPWHistory = self.__getsmbPWHistory(password_nt, smbpwhistory, smbpwhlen) >+ newsmbPWHistory = object._getsmbPWHistory(password_nt, smbpwhistory, smbpwhlen) > ml.append(('sambaPasswordHistory', self.oldattr.get('sambaPasswordHistory', [''])[0], newsmbPWHistory)) > > if 'kerberos' in self.options: 
>@@ -2371,7 +2369,7 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > ml.insert(0, ('objectClass', '', 'automount')) > > am_host=share['host'] >- if not self['homeSharePath'] or type(self['homeSharePath']) not in [types.StringType, types.UnicodeType]: >+ if not self['homeSharePath'] or not isinstance(self['homeSharePath'], basestring): > raise univention.admin.uexceptions.missingInformation, _('%(homeSharePath)s must be given if %(homeShare)s is given.') % {'homeSharePath' : _('Home share path'), 'homeShare' : _('Home share')} > else: > am_path = os.path.abspath(os.path.join(share['path'], self['homeSharePath'])) 
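Review bot: The changed condition checks only that `homeSharePath` is a non-empty string, while the next line builds `am_path` with `os.path.abspath(os.path.join(share['path'], self['homeSharePath']))`. `os.path.join` discards `share['path']` when the second argument is absolute, and `abspath` collapses `..` components, so a crafted value can resolve to a directory outside the share. How `am_path` is used lies outside the hunk, but if it ends up in the automount entry it should be confined, for example by rejecting the value unless `am_path.startswith(os.path.abspath(share['path']) + os.sep)`. A one-line comment stating that `homeSharePath` must be relative to the share would document the intent.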
>@@ -2496,23 +2494,33 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > self.move_subelements(tmpdn, olddn, subelements, ignore_license) > raise > >- def __passwordInHistory(self, newpassword, pwhistory): >+ @staticmethod >+ def _passwordInHistory(newpassword, pwhistory): >+ """Check if new password was already used. >+ >>> object._passwordInHistory('a', '') >+ False >+ >>> object._passwordInHistory('a', 'b') >+ False >+ >>> object._passwordInHistory('a', 'b 86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8') >+ True >+ """ > # first calc hash for the new pw >- s = hashlib.sha1( newpassword.encode( 'utf-8' ) ) >+ s = hashlib.sha1(newpassword.encode('utf-8')) > newpwhash = s.hexdigest().upper() >- return pwhistory.find(newpwhash) >= 0 >+ pwlist = pwhistory.strip().split(' ') >+ return newpwhash in pwlist > > @staticmethod >- def __getPWHistory(newpassword, pwhistory, pwhlen): >+ def _getPWHistory(newpassword, pwhistory, pwhlen): > """Save history of previopusly used passwords. >- >>> object.__getPWHistory("a", "b", 0) >- "b" >- >>> object.__getPWHistory("a", "", 1) >- "86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8" >- >>> object.__getPWHistory("a", "b", 1) >- "86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8" >- >>> object.__getPWHistory("a", "b", 2) >- "b 86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8" >+ >>> object._getPWHistory('a', 'b', 0) >+ 'b' >+ >>> object._getPWHistory('a', '', 1) >+ '86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8' >+ >>> object._getPWHistory('a', 'b', 1) >+ '86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8' >+ >>> object._getPWHistory('a', 'b', 2) >+ 'b 86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8' > """ > #this preserves a temporary disabled history > if pwhlen > 0: 
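Review bot: The docstrings added for _passwordInHistory and _getPWHistory give examples but do not describe the stored format, which matters for anyone handling the attribute. From the code, `pwhistory` is a space-separated list of upper-case hex SHA-1 digests of the UTF-8 encoded password, with no salt, so identical passwords produce identical entries. I would add a line such as `pwhistory: space-separated upper-case hex SHA-1 digests (unsalted) of earlier passwords` to both docstrings, and a comment that read access to this attribute should be as restricted as for the password hashes themselves. The docstring typo `previopusly` can be fixed at the same time.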
>@@ -2530,26 +2538,26 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > pwhistory = ' '.join(pwlist) > return pwhistory > >- def __getsmbPWHistory(self, newpassword, smbpwhistory, smbpwhlen): >- # split the history >- if len(smbpwhistory.strip()): >- pwlist = smbpwhistory.split(' ') >- else: >- pwlist = [] >- >+ @staticmethod >+ def _getsmbPWHistory(self, newpassword, smbpwhistory, smbpwhlen): >+ """Save history of previopusly used passwords. >+ """ > #calculate the password hash & salt > urandom = open('/dev/urandom', 'r') >- #get 16 bytes from urandom for salting our hash >- salt = urandom.read(16) >+ try: >+ #get 16 bytes from urandom for salting our hash >+ salt = urandom.read(16) >+ finally: >+ urandom.close() > #we have to have that in hex > hexsalt = salt.encode('hex').upper() > #we need the ntpwd binary data to >- pwd = newpassword.decode('hex') >+ password = newpassword.decode('hex') > #calculating hash. sored as a 32byte hex in sambePasswordHistory, > #syntax like that: [Salt][MD5(Salt+Hash)] > # First 16bytes ^ ^ last 16bytes. >- pwdhash = hashlib.md5(salt + pwd).hexdigest().upper() >- smbpwhash = hexsalt+pwdhash >+ pwdhash = hashlib.md5(salt + password).hexdigest().upper() >+ smbpwhash = hexsalt + pwdhash > > # split the history > pwlist = smbpwhistory.strip().split(' ') >-- >1.7.10.4 > > >From fffb75cdc49cc97f02f44c7e7288ccf0b2e9944f Mon Sep 17 00:00:00 2001 >Message-Id: <fffb75cdc49cc97f02f44c7e7288ccf0b2e9944f.1363595740.git.hahn@univention.de> >In-Reply-To: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> >References: <ffcd4f70e2561dfd67d6788f2351f1ba56025d8e.1363595740.git.hahn@univention.de> 
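Review bot: `_getsmbPWHistory` is now decorated with `@staticmethod` but still declares `self` as its first parameter, so a call like `self._getsmbPWHistory(newpassword, smbpwhistory, smbpwhlen)` would bind the password to `self` and raise a TypeError for the missing fourth argument (the call sites are outside this hunk). The signature should read `def _getsmbPWHistory(newpassword, smbpwhistory, smbpwhlen):`, matching `_getPWHistory`. The salt could also be read with `salt = os.urandom(16)` instead of opening `/dev/urandom` in text mode, assuming `os` is imported in this file. The new docstring repeats the `previopusly` typo, and the function body continues past the end of the hunk.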
>From: Philipp Hahn <hahn@univention.de> >Date: Sat, 16 Mar 2013 14:01:56 +0100 >Subject: [PATCH 13/13] Bug #30722: Fix certificate handling >Organization: Univention GmbH, Bremen, Germany > >Directly access certificate information instead of working on strings. >--- > .../univention/admin/handlers/users/user.py | 116 ++++++-------------- > 1 file changed, 33 insertions(+), 83 deletions(-) > >diff --git a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >index 67ed4d0..707f7e6 100644 >--- a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py >+++ b/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py 
>@@ -1041,51 +1041,35 @@ def GMTOffset(): > > def load_certificate(user_certificate): > """Import a certificate in DER format""" >- certificate = base64.decodestring( user_certificate ) >- >- tempf=tempfile.mktemp() >- fh=open(tempf,'w') >- fh.write( certificate ) >- fh.close() >- >- x509 = X509.load_cert( tempf, format = X509.FORMAT_DER ) >- os.unlink( tempf ) >- if not x509: >+ if not user_certificate: > return {} >- >- not_after=x509.get_not_after() >- not_before=x509.get_not_before() >- >- if not not_after or not not_before: >- return {} >- >- def convert_certdate (certdate): >- datestring=str(certdate) >- dl = datestring.split() >- month=[None, 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' ] >- try: >- dl[0]=month.index(dl[0]) >- except: >- return '' >- return "%s-%02d-%02d" % ( dl[ 3 ], int( dl[ 0 ] ), int( dl[ 1 ] ) ) >- >- issuer=str(x509.get_issuer()) >- if not issuer: >- return {} >- >- subject=str(x509.get_subject()) >- if not subject: >- return {} >- >- version=x509.get_version() >- if not version: >+ try: >+ certificate = base64.decodestring( user_certificate ) >+ except base64.binascii.Error, ex: > return {} >- >- serial=x509.get_serial_number() >- if not serial: >+ try: >+ x509 = X509.load_cert_string(certificate, X509.FORMAT_DER) >+ >+ values = { >+ 'certificateDateNotBefore': x509.get_not_before().get_datetime().date().isoformat(), >+ 'certificateDateNotAfter': x509.get_not_after().get_datetime().date().isoformat(), >+ 'certificateVersion': str(x509.get_version()), >+ 'certificateSerial': str(x509.get_serial_number()), >+ } >+ flags = X509.m2.XN_FLAG_SEP_MULTILINE & ~X509.m2.ASN1_STRFLGS_ESC_MSB | X509.m2.ASN1_STRFLGS_UTF8_CONVERT >+ for entity, prefix in ( >+ (x509.get_issuer(), "certificateIssuer"), >+ (x509.get_subject(), "certificateSubject"), >+ ): >+ for key, attr in load_certificate.ATTR.items(): >+ value = getattr(entity, key) >+ values[prefix + attr] = value >+ except (X509.X509Error, AttributeError), 
ex: > return {} > >- ATTR = { >+ ud.debug(ud.ADMIN, ud.ERROR, 'value=%s' % values) >+ return values >+load_certificate.ATTR = { > "C": "Country", > "ST": "State", > "L": "Location", >@@ -1093,36 +1077,7 @@ def load_certificate(user_certificate): > "OU": "OrganisationalUnit", > "CN": "CommonName", > "emailAddress": "Mail", >- }[key] >- value = { >- 'certificateDateNotBefore': convert_certdate(not_before), >- 'certificateDateNotAfter': convert_certdate(not_after), >- 'certificateVersion': str(version), >- 'certificateSerial': str(serial), > } >- for i in issuer.split('/'): >- try: >- key, val = i.split('=', 1) >- except ValueError: >- continue >- try: >- attr = "certificateIssuer%s" % ATTR[key] >- except KeyError: >- continue >- value[attr] = val >- for i in subject.split('/'): >- try: >- key, val = i.split('=', 1) >- except ValueError: >- continue >- try: >- attr = "certificateSubject%s" % ATTR[key] >- except KeyError: >- continue >- value[attr] = val >- >- ud.debug(ud.ADMIN, ud.ERROR, 'value=%s' % value) >- return value > > def mapHomePostalAddress(old): > """Map address to LDAP encoding. >@@ -1532,7 +1487,8 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > self.old_options= copy.deepcopy( self.options ) > > >- def __certificate_clean(self): >+ def reload_certificate(self): >+ """Reload user certificate.""" > self.info['certificateSubjectCountry']='' > self.info['certificateSubjectState']='' > self.info['certificateSubjectLocation']='' 
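Review bot: `flags` is assigned in the new `load_certificate` but never read; the loop takes each name component with `getattr(entity, key)`, so the UTF-8 conversion flag has no effect on the returned values. Either drop the assignment or use it where the name is rendered, since non-ASCII handling appears to be the reason for the change. A component that is absent from the certificate presumably comes back as `None` from M2Crypto (not visible here), so guard the store with `if value is not None:` before `values[prefix + attr] = value`. The `ud.debug(ud.ADMIN, ud.ERROR, 'value=%s' % values)` line logs every successfully parsed certificate at error level and looks like a debugging leftover; a lower level such as `ud.INFO` fits better.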
>@@ -1551,19 +1507,13 @@ class object( univention.admin.handlers.simpleLdap, mungeddial.Support ): > self.info['certificateDateNotAfter']='' > self.info['certificateVersion']='' > self.info['certificateSerial']='' >- self.info['userCertificate']='' >- >- def reload_certificate(self): >- >- if self.info.get( 'userCertificate' ): >- values=load_certificate(self.info['userCertificate']) >- if not values: >- self.__certificate_clean() >- else: >- for i in values.keys(): >- self.info[i]=values[i] >+ certificate = self.info.get('userCertificate') >+ values = load_certificate(certificate) >+ if values: >+ for key, value in values.items(): >+ self.info[key] = value > else: >- self.__certificate_clean() >+ self.info['userCertificate'] = '' > > def hasChanged(self, key): > if key == 'disabled': >-- >1.7.10.4 >
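Review bot: The new `else:` branch blanks `userCertificate` whenever `load_certificate` returns an empty dict, and that function returns `{}` both for a missing certificate and for one that fails base64 or X509 parsing. A stored certificate that cannot be parsed is therefore dropped from `self.info` without any trace. Log before clearing, e.g. `ud.debug(ud.ADMIN, ud.WARN, 'userCertificate could not be parsed, clearing it')`, guarded by `if certificate:`. `reload_certificate` begins in the previous hunk, so its opening lines are not part of this one.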