From dcfd274037de9d1139f7fcbe64c74ee9f9971c67 Mon Sep 17 00:00:00 2001
From: Konstantin Ryabitsev
Date: Fri, 20 Sep 2013 14:40:19 -0400
Subject: [PATCH] Add support to decrypt token

Plus move manpage into the right section
---
 contrib/{totpprov.5 => totpprov.1} | 40 ++++++++++++++++++++++++++----
 contrib/totpprov.py | 34 ++++++++++++++++++-------
 contrib/totpprov.rst | 27 ++++++++++++--------
 totpcgi.spec | 4 +--
 4 files changed, 79 insertions(+), 26 deletions(-)
 rename contrib/{totpprov.5 => totpprov.1} (80%)

diff --git a/contrib/totpprov.5 b/contrib/totpprov.1
similarity index 80%
rename from contrib/totpprov.5
rename to contrib/totpprov.1
index 91c334a..c686e2e 100644
--- a/contrib/totpprov.5
+++ b/contrib/totpprov.1
@@ -1,6 +1,6 @@
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
-.TH TOTPPROV "2012-05-25" "0.5.0" ""
+.TH TOTPPROV 1 "2013-09-20" "0.5.5" ""
 .SH NAME
 totpprov \- Simple provisioning script for totpcgi
 .
@@ -49,10 +49,10 @@ provisioning.conf to operate on user records.
 .B \-\-version
 show program\(aqs version number and exit
 .TP
-.B \-h, \-\-help
+.B \-h\fP,\fB \-\-help
 show this help message and exit
 .TP
-.BI \-c \ CONFIG_FILE, \ \-\-config\fB= CONFIG_FILE
+.BI \-c \ CONFIG_FILE\fP,\fB \ \-\-config\fB= CONFIG_FILE
 Path to provisioning.conf (Default: /etc/totpcgi/provisioning.conf)
 .UNINDENT
 
@@ -79,6 +79,9 @@ sets pincode for user
 .B encrypt\-user\-token
 encrypts existing token with the user\(aqs pincode
 .TP
+.B decrypt\-user\-token
+decrypts existing encrypted token with the user\(aqs pincode
+.TP
 .B generate\-user\-token
 generates a new token for user
 .TP
@@ -88,36 +91,64 @@ provisions a new user
 .SH EXAMPLES
 .sp
 To provision a user:
+.INDENT 0.0
+.INDENT 3.5
 .sp
 .nf
 .ft C
 totpprov provision\-user bobafett
 .ft P
 .fi
+.UNINDENT
+.UNINDENT
 .sp
 To delete a user:
+.INDENT 0.0
+.INDENT 3.5
 .sp
 .nf
 .ft C
 totpprov delete\-user bobafett
 .ft P
 .fi
+.UNINDENT
+.UNINDENT
+.sp
+To delete a token:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+totpprov delete\-user\-token bobafett
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
 .sp
 To set/change user pincode:
+.INDENT 0.0
+.INDENT 3.5
 .sp
 .nf
 .ft C
 totpprov set\-user\-pincode bobafett
 .ft P
 .fi
+.UNINDENT
+.UNINDENT
 .sp
 To generate a new google\-authenticator token for user:
+.INDENT 0.0
+.INDENT 3.5
 .sp
 .nf
 .ft C
 totpprov generate\-user\-token bobafett
 .ft P
 .fi
+.UNINDENT
+.UNINDENT
 .SH AUTHOR
 konstantin@linuxfoundation.org
 
@@ -125,5 +156,4 @@ License: GPLv2+
 .SH COPYRIGHT
 Linux Foundation and contributors
 .\" Generated by docutils manpage writer.
-.\"
 .
diff --git a/contrib/totpprov.py b/contrib/totpprov.py
index 8923ebc..1777e2d 100755
--- a/contrib/totpprov.py
+++ b/contrib/totpprov.py
@@ -134,6 +134,23 @@ def encrypt_user_token(backends, config, args):
     backends.secret_backend.save_user_secret(user, gaus, pincode)
     print 'Successfully encrypted user secret'
 
+def decrypt_user_token(backends, config, args):
+    user = args[1]
+    pincode = getpass.getpass('Pincode for user %s: ' % user)
+
+    # Try getting the user secret
+    try:
+        gaus = backends.secret_backend.get_user_secret(user, pincode)
+    except totpcgi.UserNotFound, ex:
+        print 'Error: No existing tokens found for user %s' % user
+        sys.exit(1)
+    except totpcgi.UserSecretError, ex:
+        print 'Error: Could not decrypt the secret for user %s' % user
+        sys.exit(1)
+
+    backends.secret_backend.save_user_secret(user, gaus, None)
+    print 'Successfully decrypted user secret'
+
 def generate_user_token(backends, config, args, pincode=None):
     user = args[1]
 
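Review bot: Both `except` clauses in the new `decrypt_user_token` bind the exception to `ex` and never use it; `except totpcgi.UserNotFound:` and `except totpcgi.UserSecretError:` express the same handling without the dead name (the comma form is also Python 2-only syntax, consistent with the file's `print` statements, but it would need `as` if the script is ever ported). The function has no docstring although it changes the at-rest protection of a credential: `save_user_secret(user, gaus, None)` writes the token back with no pincode, so a docstring such as `"""Re-save the user's TOTP secret without pincode encryption (stored unprotected)."""` would make that explicit, and the final message could say the same, e.g. `print 'Successfully decrypted user secret (now stored without pincode protection)'`. Whether a wrong pincode surfaces as `totpcgi.UserSecretError` or as some other exception type depends on `get_user_secret`, which is outside this hunk; any other type would escape as a traceback instead of the friendly error.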
@@ -228,49 +245,48 @@ def provision_user(backends, config, args):
     if command == 'delete-user':
         print 'Deleting user %s' % args[1]
         ays()
-
         delete_user(backends, config, args)
 
     elif command == 'delete-user-state':
         print 'Deleting state data for user %s' % args[1]
         ays()
-
         delete_user_state(backends, config, args)
 
     elif command == 'delete-user-pincode':
         print 'Deleting pincode for user %s' % args[1]
         ays()
-
         delete_user_pincode(backends, config, args)
 
     elif command == 'delete-user-token':
         print 'Deleting token data for user %s' % args[1]
         ays()
-
         delete_user_secret(backends, config, args)
 
     elif command == 'set-user-pincode':
         print 'Setting pincode for user %s' % args[1]
         ays()
-
         set_user_pincode(backends, config, args)
 
     elif command == 'encrypt-user-token':
         print 'Encrypting user token for %s' % args[1]
         ays()
-
         encrypt_user_token(backends, config, args)
 
+    elif command == 'decrypt-user-token':
+        print 'Decrypting user token for %s' % args[1]
+        ays()
+        decrypt_user_token(backends, config, args)
+
     elif command == 'generate-user-token':
         print 'Generating new token for user %s' % args[1]
         ays()
-
         generate_user_token(backends, config, args)
 
     elif command == 'provision-user':
         print 'Provisioning new TOTP user %s' % args[1]
         ays()
-
         provision_user(backends, config, args)
-
+    else:
+        parser.error('Unknown command: %s' % command)
+
 
diff --git a/contrib/totpprov.rst b/contrib/totpprov.rst
index 29edb8a..d98aff2 100644
--- a/contrib/totpprov.rst
+++ b/contrib/totpprov.rst
@@ -6,10 +6,11 @@ Simple provisioning script for totpcgi
 --------------------------------------
 
 :Author: konstantin@linuxfoundation.org
-:Date: 2012-05-25
+:Date: 2013-09-20
 :Copyright: Linux Foundation and contributors
 :License: GPLv2+
-:Version: 0.5.0
+:Version: 0.5.5
+:Manual section: 1
 
 SYNOPSIS
 --------
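Review bot: The new `decrypt-user-token` branch, like every sibling in this chain, reads `args[1]` before anything in the hunk checks that a username was supplied, so `totpprov decrypt-user-token` with no user would end in an IndexError rather than a usage message — unless the argument count is validated above the hunk, which is outside this view. Since the new `else` branch now routes unknown commands through `parser.error(...)`, a missing username could get the same treatment with one guard ahead of the chain, `if len(args) < 2: parser.error('Command %s requires a username' % command)`. The decrypt branch also ends with a blank `+` line while this same hunk removes the blank lines inside the other branches; dropping it keeps the chain uniform. The enclosing block begins outside the hunk.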
@@ -31,22 +32,24 @@ OPTIONS
 COMMANDS
 --------
 
-delete-user
+delete-user
     deletes user record
-delete-user-state
+delete-user-state
     deletes any existing state information for user
-delete-user-pincode
+delete-user-pincode
     deletes pincode entry for user
-delete-user-token
+delete-user-token
     deletes the token issued to user
-set-user-pincode
+set-user-pincode
     sets pincode for user
-encrypt-user-token
+encrypt-user-token
     encrypts existing token with the user's pincode
-generate-user-token
+decrypt-user-token
+    decrypts existing encrypted token with the user's pincode
+generate-user-token
     generates a new token for user
-provision-user
+provision-user
     provisions a new user
 
 EXAMPLES
@@ -59,6 +62,10 @@ To delete a user::
 
     totpprov delete-user bobafett
 
+To delete a token::
+
+    totpprov delete-user-token bobafett
+
 To set/change user pincode::
 
     totpprov set-user-pincode bobafett
diff --git a/totpcgi.spec b/totpcgi.spec
index 9ad37bc..8c2871a 100644
--- a/totpcgi.spec
+++ b/totpcgi.spec
@@ -114,8 +114,8 @@ install -m 0644 contrib/vhost-totpcgi-provisioning.conf \
 # Install totpprov script and manpage
 mkdir -p -m 0755 %{buildroot}%{_bindir}
 install -m 0755 contrib/totpprov.py %{buildroot}%{_bindir}/totpprov
-mkdir -p -m 0755 %{buildroot}%{_mandir}/man5
-install -m 0644 contrib/totpprov.5 %{buildroot}%{_mandir}/man5/
+mkdir -p -m 0755 %{buildroot}%{_mandir}/man1
+install -m 0644 contrib/totpprov.1 %{buildroot}%{_mandir}/man1/
 
 # Install SELinux files
 for selinuxvariant in %{selinux_variants}