From 5458c241af90f0fd7e06b5aac40171da7f08d038 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Wed, 28 Sep 2022 12:39:07 +0200
Subject: [PATCH] ipa otptoken-sync: return error when sync fails
The command ipa otptoken-sync does not properly handle errors happening during the synchronization step.
- Even if an error is detected (such as invalid password provided), the command exits with return code = 0. An error message is displayed but the exit code should be 1.
- When an invalid token is provided, the token is not synchronized but the error is not reported back to the ipa otptoken-sync command.
The first issue can be fixed by raising an exception when the HTTP response contains an header with an error. The second issue is fixed by returning LDAP_INVALID_CREDENTIALS to ldap bind with the sync control if synchronization fails.
Fixes: https://pagure.io/freeipa/issue/9248
Signed-off-by: Florence Blanc-Renaud
Reviewed-By: Rob Crittenden
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 3 +++
 ipaclient/plugins/otptoken.py | 13 ++++++++-----
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index ee5be3eba02b219f13e8771ce8ba6d510f1c397b..edf45df5957117771418f574cb1babab7ebaf0ed 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1502,6 +1502,9 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
 }
 }
+ /* Reset rc to make sure errors are reported*/
+ rc = LDAP_INVALID_CREDENTIALS;
+ /* Authenticate the user. */
 ret = ipapwd_authenticate(dn, entry, credentials);
 if (ret) {
diff --git a/ipaclient/plugins/otptoken.py b/ipaclient/plugins/otptoken.py
index 14dee751c8f36a676c9115fbed0db1eca9ba0f1c..3f389c46be2feedf0bb7cb95bd451bf0e6fe6333 100644
--- a/ipaclient/plugins/otptoken.py
+++ b/ipaclient/plugins/otptoken.py
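Review bot: The new `rc = LDAP_INVALID_CREDENTIALS;` makes the bind fail closed only for exits taken after this line, and its comment does not say what value `rc` could otherwise carry into those exits. `ipapwd_pre_bind` starts and ends outside the hunk, so it is worth confirming that no earlier error exit can still return with `rc` left at a success value. I would expand the comment to something like `/* Default to failure: rc may have been left at a success value above, and a failed authentication or token sync must never be returned as a successful bind. */`. Because a wrong password, a wrong token code and a failed sync now presumably all reach the client as the same result code, the server-side log message on this path should record which of them occurred.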
@@ -22,6 +22,7 @@ import sys
 from ipaclient.frontend import MethodOverride
 from ipalib import api, Str, Password, _
+from ipalib import errors
 from ipalib.messages import add_message, ResultFormattingError
 from ipalib.plugable import Registry
 from ipalib.frontend import Local
@@ -180,11 +181,13 @@ class otptoken_sync(Local):
 status['result'][self.header] = rsp.info().get(self.header, 'unknown')
 rsp.close()
+ if status['result'][self.header] != "ok":
+ msg = {'error': 'Error contacting server!',
+ 'invalid-credentials': 'Invalid Credentials!',
+ }.get(status['result'][self.header], 'Unknown Error!')
+ raise errors.ExecutionError(
+ message=_("Unable to synchronize token: %s") % msg)
 return status
 def output_for_cli(self, textui, result, *keys, **options):
- textui.print_plain({
- 'ok': 'Token synchronized.',
- 'error': 'Error contacting server!',
- 'invalid-credentials': 'Invalid Credentials!',
- }.get(result['result'][self.header], 'Unknown Error!'))
+ textui.print_plain('Token synchronized.')
-- 
2.37.3
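Review bot: The three reason strings in the new `msg` lookup are plain literals while the surrounding text goes through `_()`, so a translated client would print a localized prefix followed by an English reason. Wrapping them, e.g. `'invalid-credentials': _('Invalid Credentials!'),`, and using a named placeholder such as `_("Unable to synchronize token: %(reason)s") % dict(reason=msg)` keeps the whole message translatable. Any header value other than the known ones is reduced to 'Unknown Error!', which discards what the server actually sent; logging that value at debug level before raising would help when diagnosing a failed sync. `output_for_cli` now prints 'Token synchronized.' without looking at `result`, so it relies on every failure having raised earlier, and a one-line comment there should record that assumption. The method containing the first change starts outside the hunk.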