Add the otptoken-add-yubikey command

This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Nathaniel McCallum 2014-06-19 12:28:32 -04:00 committed by Martin Kosek
parent 14b38b7704
commit 2767fb584a
5 changed files with 155 additions and 3 deletions

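--- a/API.txt
+++ b/API.txt
@@ -2326,6 +2326,18 @@ option: Str('version?', exclude='webui')
 output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
+command: otptoken_add_yubikey
+args: 1,8,1
+arg: Str('ipatokenuniqueid?', cli_name='id', primary_key=True)
+option: Str('description?', cli_name='desc')
+option: Bool('ipatokendisabled?', cli_name='disabled')
+option: Str('ipatokennotafter?', cli_name='not_after')
+option: Str('ipatokennotbefore?', cli_name='not_before')
+option: IntEnum('ipatokenotpdigits?', autofill=True, cli_name='digits', default=6, values=(6, 8))
+option: Str('ipatokenowner?', cli_name='owner')
+option: IntEnum('slot?', cli_name='slot', values=(1, 2))
+option: Str('version?', exclude='webui')
+output: Output('result', None, None)
 command: otptoken_del
 args: 1,2,3
 arg: Str('ipatokenuniqueid', attribute=True, cli_name='id', multivalue=True, primary_key=True, query=True, required=True)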


@ -89,5 +89,5 @@ IPA_DATA_VERSION=20100614120000
# # # #
######################################################## ########################################################
IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MAJOR=2
IPA_API_VERSION_MINOR=94 IPA_API_VERSION_MINOR=95
# Last change: pvoborni - Add OTP option to passwd command # Last change: npmaccallum - otptoken-add-yubikey


@ -306,6 +306,7 @@ Requires: libipa_hbac-python
Requires: python-qrcode Requires: python-qrcode
Requires: python-pyasn1 Requires: python-pyasn1
Requires: python-dateutil Requires: python-dateutil
Requires: python-yubico
Obsoletes: ipa-python >= 1.0 Obsoletes: ipa-python >= 1.0
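Review bot: `Requires: python-yubico` carries no minimum version, while the new otptoken_yubikey plugin depends on a specific python-yubico API surface (`find_yubikey`, `init_config`, `mode_oath_hotp`, `extended_flag('SERIAL_API_VISIBLE', ...)`, `status().valid_configs()`, `version_num`). If any of those entered python-yubico later than the oldest release the target distributions ship, the unpinned requirement lets the plugin install and import but fail at runtime when a token is added. Pinning the oldest release known to provide this API, e.g. `Requires: python-yubico >= <minimum version - to confirm>`, makes the dependency explicit.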


@ -196,7 +196,7 @@ class otptoken(LDAPObject):
), ),
IntEnum('ipatokenotpdigits?', IntEnum('ipatokenotpdigits?',
cli_name='digits', cli_name='digits',
label=_('Display length'), label=_('Digits'),
values=(6, 8), values=(6, 8),
default=6, default=6,
autofill=True, autofill=True,


@ -0,0 +1,139 @@
# Authors:
# Nathaniel McCallum <npmccallum@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipalib import _, Str, IntEnum
from ipalib.errors import NotFound
from ipalib.plugable import Registry
from ipalib.frontend import Command
from ipalib.plugins.otptoken import otptoken
import os
import yubico
__doc__ = _("""
YubiKey Tokens
""") + _("""
Manage YubiKey tokens.
""") + _("""
This code is an extension to the otptoken plugin and provides support for
reading/writing YubiKey tokens directly.
""") + _("""
EXAMPLES:
""") + _("""
Add a new token:
ipa otptoken-add-yubikey --owner=jdoe --desc="My YubiKey"
""")
register = Registry()
@register()
class otptoken_add_yubikey(Command):
__doc__ = _('Add a new YubiKey OTP token.')
takes_args = (
Str('ipatokenuniqueid?',
cli_name='id',
label=_('Unique ID'),
primary_key=True,
),
)
takes_options = Command.takes_options + (
IntEnum('slot?',
cli_name='slot',
label=_('YubiKey slot'),
values=(1, 2),
),
) + tuple(x for x in otptoken.takes_params if x.name in (
'description',
'ipatokenowner',
'ipatokendisabled',
'ipatokennotbefore',
'ipatokennotafter',
'ipatokenotpdigits'
))
has_output_params = Command.has_output_params + \
tuple(x for x in otptoken.takes_params if x.name in (
'ipatokenvendor',
'ipatokenmodel',
'ipatokenserial',
))
def forward(self, *args, **kwargs):
# Open the YubiKey
try:
yk = yubico.find_yubikey()
except yubico.yubikey.YubiKeyError, e:
raise NotFound(reason=_('No YubiKey found'))
assert yk.version_num() >= (2, 1)
# If no slot is specified, find the first free slot.
if kwargs.get('slot', None) is None:
try:
used = yk.status().valid_configs()
kwargs['slot'] = sorted({1, 2}.difference(used))[0]
except IndexError:
raise NotFound(reason=_('No free YubiKey slot!'))
# Create the key (NOTE: the length is fixed).
key = os.urandom(20)
# Write the config.
cfg = yk.init_config()
cfg.mode_oath_hotp(key, kwargs['ipatokenotpdigits'])
cfg.extended_flag('SERIAL_API_VISIBLE', True)
yk.write_config(cfg, slot=kwargs['slot'])
# Filter the options we want to pass.
options = {k: v for k, v in kwargs.items() if k in (
'version',
'description',
'ipatokenowner',
'ipatokendisabled',
'ipatokennotbefore',
'ipatokennotafter',
'ipatokenotpdigits',
)}
# Run the command.
answer = self.Backend.rpcclient.forward('otptoken_add',
*args,
type=u'hotp',
ipatokenvendor=u'YubiCo',
ipatokenmodel=unicode(yk.model),
ipatokenserial=unicode(yk.serial()),
ipatokenotpalgorithm=u'sha1',
ipatokenhotpcounter=0,
ipatokenotpkey=key,
**options)
# Suppress values we don't want to return.
for k in (u'uri', u'ipatokenotpkey'):
if k in answer.get('result', {}):
del answer['result'][k]
# Return which slot was used for writing.
answer.get('result', {})['slot'] = kwargs['slot']
del answer['value'] # Why does this cause an error if omitted?
del answer['summary'] # Why does this cause an error if omitted?
return answer