From 9baa93da1cbf56c2a6f7e82e099bc3ff3f19e2e4 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Tue, 11 Nov 2014 14:41:42 -0500
Subject: Make token auth and sync windows configurable
This introduces two new CLI commands:
* otpconfig-show
* otpconfig-mod
https://fedorahosted.org/freeipa/ticket/4511
Reviewed-By: Thierry Bordaz
Reviewed-By: Petr Vobornik
---
 ipalib/plugins/otpconfig.py | 119 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 119 insertions(+)
 create mode 100644 ipalib/plugins/otpconfig.py
(limited to 'ipalib')
diff --git a/ipalib/plugins/otpconfig.py b/ipalib/plugins/otpconfig.py
new file mode 100644
index 000000000..440440dc9
--- /dev/null
+++ b/ipalib/plugins/otpconfig.py
@@ -0,0 +1,119 @@
+# Authors:
+# Nathaniel McCallum
+#
+# Copyright (C) 2014 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+from ipalib import _, api, Int
+from ipalib.plugable import Registry
+from ipalib.plugins.baseldap import DN, LDAPObject, LDAPUpdate, LDAPRetrieve
+
+__doc__ = _("""
+OTP configuration
+
+Manage the default values that IPA uses for OTP tokens.
+
+EXAMPLES:
+
+ Show basic OTP configuration:
+ ipa otpconfig-show
+
+ Show all OTP configuration options:
+ ipa otpconfig-show --all
+
+ Change maximum TOTP authentication window to 10 minutes:
+ ipa otpconfig-mod --totp-auth-window=600
+
+ Change maximum TOTP synchronization window to 12 hours:
+ ipa otpconfig-mod --totp-sync-window=43200
+
+ Change maximum HOTP authentication window to 5:
+ ipa hotpconfig-mod --hotp-auth-window=5
+
+ Change maximum HOTP synchronization window to 50:
+ ipa hotpconfig-mod --hotp-sync-window=50
+""")
+
+register = Registry()
+
+
+@register()
+class otpconfig(LDAPObject):
+ object_name = _('OTP configuration options')
+ default_attributes = [
+ 'ipatokentotpauthwindow',
+ 'ipatokentotpsyncwindow',
+ 'ipatokenhotpauthwindow',
+ 'ipatokenhotpsyncwindow',
+ ]
+
+ container_dn = DN(('cn', 'otp'), ('cn', 'etc'))
+ permission_filter_objectclasses = ['ipatokenotpconfig']
+ managed_permissions = {
+ 'System: Read OTP Configuration': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'ipatokentotpauthwindow', 'ipatokentotpsyncwindow',
+ 'ipatokenhotpauthwindow', 'ipatokenhotpsyncwindow',
+ 'cn',
+ },
+ },
+ }
+
+ label = _('OTP Configuration')
+ label_singular = _('OTP Configuration')
+
+ takes_params = (
+ Int('ipatokentotpauthwindow',
+ cli_name='totp_auth_window',
+ label=_('TOTP authentication Window'),
+ doc=_('TOTP authentication time variance (seconds)'),
+ minvalue=5,
+ ),
+ Int('ipatokentotpsyncwindow',
+ cli_name='totp_sync_window',
+ label=_('Synchronization Window'),
+ doc=_('TOTP synchronization time variance (seconds)'),
+ minvalue=5,
+ ),
+ Int('ipatokenhotpauthwindow',
+ cli_name='hotp_auth_window',
+ label=_('HOTP Authentication Window'),
+ doc=_('HOTP authentication skip-ahead'),
+ minvalue=1,
+ ),
+ Int('ipatokenhotpsyncwindow',
+ cli_name='hotp_sync_window',
+ label=_('HOTP Synchronization Window'),
+ doc=_('HOTP synchronization skip-ahead'),
+ minvalue=1,
+ ),
+ )
+
+ def get_dn(self, *keys, **kwargs):
+ return self.container_dn + api.env.basedn
+
+
+@register()
+class otpconfig_mod(LDAPUpdate):
+ __doc__ = _('Modify OTP configuration options.')
+
+
+@register()
+class otpconfig_show(LDAPRetrieve):
+ __doc__ = _('Show the current OTP configuration.')
-- cgit
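Review bot: The last two EXAMPLES in the module docstring invoke `ipa hotpconfig-mod`, but the only commands this file registers are `otpconfig_mod` and `otpconfig_show`, so those examples point at a command that does not exist; they should read `ipa otpconfig-mod --hotp-auth-window=5` and `ipa otpconfig-mod --hotp-sync-window=50`. The user-facing labels in takes_params are also inconsistent: the TOTP entries read `label=_('TOTP authentication Window')` and `label=_('Synchronization Window')` while the HOTP pair is title-cased and names the token type, so `label=_('TOTP Authentication Window')` and `label=_('TOTP Synchronization Window')` would match. Each window parameter sets only `minvalue`, so an administrator can set an arbitrarily wide acceptance window; since a wider window means more codes are accepted at any given moment, a `maxvalue` or at least a sentence in `doc=` stating that trade-off would help operators choose a safe value.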