From 6e44557b601f769d23ee74555a72e8b5cc62c0c9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Thu, 28 Apr 2016 10:30:05 +0200
Subject: ipalib: move server-side plugins to ipaserver
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins. Remove the now unused ipalib.plugins package.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka
---
 ipaserver/plugins/otpconfig.py | 121 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 121 insertions(+)
 create mode 100644 ipaserver/plugins/otpconfig.py
(limited to 'ipaserver/plugins/otpconfig.py')
diff --git a/ipaserver/plugins/otpconfig.py b/ipaserver/plugins/otpconfig.py
new file mode 100644
index 000000000..c7710468f
--- /dev/null
+++ b/ipaserver/plugins/otpconfig.py
@@ -0,0 +1,121 @@
+# Authors:
+# Nathaniel McCallum
+#
+# Copyright (C) 2014 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+from ipalib import _, api, Int
+from ipalib.plugable import Registry
+from .baseldap import DN, LDAPObject, LDAPUpdate, LDAPRetrieve
+
+__doc__ = _("""
+OTP configuration
+
+Manage the default values that IPA uses for OTP tokens.
+
+EXAMPLES:
+
+ Show basic OTP configuration:
+ ipa otpconfig-show
+
+ Show all OTP configuration options:
+ ipa otpconfig-show --all
+
+ Change maximum TOTP authentication window to 10 minutes:
+ ipa otpconfig-mod --totp-auth-window=600
+
+ Change maximum TOTP synchronization window to 12 hours:
+ ipa otpconfig-mod --totp-sync-window=43200
+
+ Change maximum HOTP authentication window to 5:
+ ipa hotpconfig-mod --hotp-auth-window=5
+
+ Change maximum HOTP synchronization window to 50:
+ ipa hotpconfig-mod --hotp-sync-window=50
+""")
+
+register = Registry()
+
+topic = 'otp'
+
+
+@register()
+class otpconfig(LDAPObject):
+ object_name = _('OTP configuration options')
+ default_attributes = [
+ 'ipatokentotpauthwindow',
+ 'ipatokentotpsyncwindow',
+ 'ipatokenhotpauthwindow',
+ 'ipatokenhotpsyncwindow',
+ ]
+
+ container_dn = DN(('cn', 'otp'), ('cn', 'etc'))
+ permission_filter_objectclasses = ['ipatokenotpconfig']
+ managed_permissions = {
+ 'System: Read OTP Configuration': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'ipatokentotpauthwindow', 'ipatokentotpsyncwindow',
+ 'ipatokenhotpauthwindow', 'ipatokenhotpsyncwindow',
+ 'cn',
+ },
+ },
+ }
+
+ label = _('OTP Configuration')
+ label_singular = _('OTP Configuration')
+
+ takes_params = (
+ Int('ipatokentotpauthwindow',
+ cli_name='totp_auth_window',
+ label=_('TOTP authentication Window'),
+ doc=_('TOTP authentication time variance (seconds)'),
+ minvalue=5,
+ ),
+ Int('ipatokentotpsyncwindow',
+ cli_name='totp_sync_window',
+ label=_('TOTP Synchronization Window'),
+ doc=_('TOTP synchronization time variance (seconds)'),
+ minvalue=5,
+ ),
+ Int('ipatokenhotpauthwindow',
+ cli_name='hotp_auth_window',
+ label=_('HOTP Authentication Window'),
+ doc=_('HOTP authentication skip-ahead'),
+ minvalue=1,
+ ),
+ Int('ipatokenhotpsyncwindow',
+ cli_name='hotp_sync_window',
+ label=_('HOTP Synchronization Window'),
+ doc=_('HOTP synchronization skip-ahead'),
+ minvalue=1,
+ ),
+ )
+
+ def get_dn(self, *keys, **kwargs):
+ return self.container_dn + api.env.basedn
+
+
+@register()
+class otpconfig_mod(LDAPUpdate):
+ __doc__ = _('Modify OTP configuration options.')
+
+
+@register()
+class otpconfig_show(LDAPRetrieve):
+ __doc__ = _('Show the current OTP configuration.')
-- cgit
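Review bot: The four `Int` parameters in `takes_params` set only `minvalue`, so nothing in this definition stops `otpconfig-mod` from storing an arbitrarily large TOTP or HOTP window. A wider authentication window means more codes are accepted per attempt, which weakens the second factor. Whether the server-side validator caps these values is not visible in this hunk. If it does not, add an upper bound on each parameter, e.g. `maxvalue=<site-chosen cap>,` next to `minvalue=5,` and `minvalue=1,`, and state the recommended range in each `doc=` string. Separately, the last two module docstring examples call `ipa hotpconfig-mod`, but only `otpconfig_mod` and `otpconfig_show` are registered here; they should read `ipa otpconfig-mod --hotp-auth-window=5` and `ipa otpconfig-mod --hotp-sync-window=50`.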