mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 08:00:02 -06:00
Add the otptoken-add-yubikey command
This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
parent
14b38b7704
commit
2767fb584a
12
API.txt
12
API.txt
@ -2326,6 +2326,18 @@ option: Str('version?', exclude='webui')
|
||||
output: Output('completed', <type 'int'>, None)
|
||||
output: Output('failed', <type 'dict'>, None)
|
||||
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
|
||||
command: otptoken_add_yubikey
|
||||
args: 1,8,1
|
||||
arg: Str('ipatokenuniqueid?', cli_name='id', primary_key=True)
|
||||
option: Str('description?', cli_name='desc')
|
||||
option: Bool('ipatokendisabled?', cli_name='disabled')
|
||||
option: Str('ipatokennotafter?', cli_name='not_after')
|
||||
option: Str('ipatokennotbefore?', cli_name='not_before')
|
||||
option: IntEnum('ipatokenotpdigits?', autofill=True, cli_name='digits', default=6, values=(6, 8))
|
||||
option: Str('ipatokenowner?', cli_name='owner')
|
||||
option: IntEnum('slot?', cli_name='slot', values=(1, 2))
|
||||
option: Str('version?', exclude='webui')
|
||||
output: Output('result', None, None)
|
||||
command: otptoken_del
|
||||
args: 1,2,3
|
||||
arg: Str('ipatokenuniqueid', attribute=True, cli_name='id', multivalue=True, primary_key=True, query=True, required=True)
|
||||
|
4
VERSION
4
VERSION
@ -89,5 +89,5 @@ IPA_DATA_VERSION=20100614120000
|
||||
# #
|
||||
########################################################
|
||||
IPA_API_VERSION_MAJOR=2
|
||||
IPA_API_VERSION_MINOR=94
|
||||
# Last change: pvoborni - Add OTP option to passwd command
|
||||
IPA_API_VERSION_MINOR=95
|
||||
# Last change: npmaccallum - otptoken-add-yubikey
|
||||
|
@ -306,6 +306,7 @@ Requires: libipa_hbac-python
|
||||
Requires: python-qrcode
|
||||
Requires: python-pyasn1
|
||||
Requires: python-dateutil
|
||||
Requires: python-yubico
|
||||
|
||||
Obsoletes: ipa-python >= 1.0
|
||||
|
||||
|
@ -196,7 +196,7 @@ class otptoken(LDAPObject):
|
||||
),
|
||||
IntEnum('ipatokenotpdigits?',
|
||||
cli_name='digits',
|
||||
label=_('Display length'),
|
||||
label=_('Digits'),
|
||||
values=(6, 8),
|
||||
default=6,
|
||||
autofill=True,
|
||||
|
139
ipalib/plugins/otptoken_yubikey.py
Normal file
139
ipalib/plugins/otptoken_yubikey.py
Normal file
@ -0,0 +1,139 @@
|
||||
# Authors:
|
||||
# Nathaniel McCallum <npmccallum@redhat.com>
|
||||
#
|
||||
# Copyright (C) 2014 Red Hat
|
||||
# see file 'COPYING' for use and warranty information
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
from ipalib import _, Str, IntEnum
|
||||
from ipalib.errors import NotFound
|
||||
from ipalib.plugable import Registry
|
||||
from ipalib.frontend import Command
|
||||
from ipalib.plugins.otptoken import otptoken
|
||||
|
||||
import os
|
||||
|
||||
import yubico
|
||||
|
||||
__doc__ = _("""
|
||||
YubiKey Tokens
|
||||
""") + _("""
|
||||
Manage YubiKey tokens.
|
||||
""") + _("""
|
||||
This code is an extension to the otptoken plugin and provides support for
|
||||
reading/writing YubiKey tokens directly.
|
||||
""") + _("""
|
||||
EXAMPLES:
|
||||
""") + _("""
|
||||
Add a new token:
|
||||
ipa otptoken-add-yubikey --owner=jdoe --desc="My YubiKey"
|
||||
""")
|
||||
|
||||
register = Registry()
|
||||
|
||||
@register()
|
||||
class otptoken_add_yubikey(Command):
|
||||
__doc__ = _('Add a new YubiKey OTP token.')
|
||||
|
||||
takes_args = (
|
||||
Str('ipatokenuniqueid?',
|
||||
cli_name='id',
|
||||
label=_('Unique ID'),
|
||||
primary_key=True,
|
||||
),
|
||||
)
|
||||
|
||||
takes_options = Command.takes_options + (
|
||||
IntEnum('slot?',
|
||||
cli_name='slot',
|
||||
label=_('YubiKey slot'),
|
||||
values=(1, 2),
|
||||
),
|
||||
) + tuple(x for x in otptoken.takes_params if x.name in (
|
||||
'description',
|
||||
'ipatokenowner',
|
||||
'ipatokendisabled',
|
||||
'ipatokennotbefore',
|
||||
'ipatokennotafter',
|
||||
'ipatokenotpdigits'
|
||||
))
|
||||
|
||||
has_output_params = Command.has_output_params + \
|
||||
tuple(x for x in otptoken.takes_params if x.name in (
|
||||
'ipatokenvendor',
|
||||
'ipatokenmodel',
|
||||
'ipatokenserial',
|
||||
))
|
||||
|
||||
def forward(self, *args, **kwargs):
|
||||
# Open the YubiKey
|
||||
try:
|
||||
yk = yubico.find_yubikey()
|
||||
except yubico.yubikey.YubiKeyError, e:
|
||||
raise NotFound(reason=_('No YubiKey found'))
|
||||
|
||||
assert yk.version_num() >= (2, 1)
|
||||
|
||||
# If no slot is specified, find the first free slot.
|
||||
if kwargs.get('slot', None) is None:
|
||||
try:
|
||||
used = yk.status().valid_configs()
|
||||
kwargs['slot'] = sorted({1, 2}.difference(used))[0]
|
||||
except IndexError:
|
||||
raise NotFound(reason=_('No free YubiKey slot!'))
|
||||
|
||||
# Create the key (NOTE: the length is fixed).
|
||||
key = os.urandom(20)
|
||||
|
||||
# Write the config.
|
||||
cfg = yk.init_config()
|
||||
cfg.mode_oath_hotp(key, kwargs['ipatokenotpdigits'])
|
||||
cfg.extended_flag('SERIAL_API_VISIBLE', True)
|
||||
yk.write_config(cfg, slot=kwargs['slot'])
|
||||
|
||||
# Filter the options we want to pass.
|
||||
options = {k: v for k, v in kwargs.items() if k in (
|
||||
'version',
|
||||
'description',
|
||||
'ipatokenowner',
|
||||
'ipatokendisabled',
|
||||
'ipatokennotbefore',
|
||||
'ipatokennotafter',
|
||||
'ipatokenotpdigits',
|
||||
)}
|
||||
|
||||
# Run the command.
|
||||
answer = self.Backend.rpcclient.forward('otptoken_add',
|
||||
*args,
|
||||
type=u'hotp',
|
||||
ipatokenvendor=u'YubiCo',
|
||||
ipatokenmodel=unicode(yk.model),
|
||||
ipatokenserial=unicode(yk.serial()),
|
||||
ipatokenotpalgorithm=u'sha1',
|
||||
ipatokenhotpcounter=0,
|
||||
ipatokenotpkey=key,
|
||||
**options)
|
||||
|
||||
# Suppress values we don't want to return.
|
||||
for k in (u'uri', u'ipatokenotpkey'):
|
||||
if k in answer.get('result', {}):
|
||||
del answer['result'][k]
|
||||
|
||||
# Return which slot was used for writing.
|
||||
answer.get('result', {})['slot'] = kwargs['slot']
|
||||
|
||||
del answer['value'] # Why does this cause an error if omitted?
|
||||
del answer['summary'] # Why does this cause an error if omitted?
|
||||
return answer
|
Loading…
Reference in New Issue
Block a user