
0001-Add-passwords-oath-token-as-auth-method.patch

Authored By
csteipp
Feb 24 2016, 9:40 PM

0001-Add-passwords-oath-token-as-auth-method.patch

From da6150b3415e30e6c5d067e31ea11a9bfb0e0100 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Mon, 8 Feb 2016 15:07:57 -0800
Subject: [PATCH] Add passwords + oath token as auth method
Adds OATH 2FA checking to the standard Password auth plugin. Passwords
are handled by the normal password backend, then this patch also
checks whether a user has two-factor enabled and, if so, whether the user
supplied the correct TOTP token.
You will also need to update keystone.conf to update the mysql database
host/credentials to access the oath secret seed, set by mediawiki. For
example,
[oath]
dbuser = wiki_user
dbpass = s3kr3ts
dbname = labswiki
dbhost = localhost
---
keystone/auth/plugins/password.py | 38 ++++++++++++++++++++++++++++++++++++++
keystone/common/config.py | 14 ++++++++++++++
2 files changed, 52 insertions(+)
diff --git a/keystone/auth/plugins/password.py b/keystone/auth/plugins/password.py
index 16492a3..7c01824 100644
--- a/keystone/auth/plugins/password.py
+++ b/keystone/auth/plugins/password.py
@@ -13,6 +13,7 @@
# under the License.
from oslo_log import log
+from oslo_config import cfg
from keystone import auth
from keystone.auth import plugins as auth_plugins
@@ -20,11 +21,15 @@ from keystone.common import dependency
from keystone import exception
from keystone.i18n import _
+import oath
+import base64
+import mysql.connector
METHOD_NAME = 'password'
LOG = log.getLogger(__name__)
+CONF = cfg.CONF
@dependency.requires('identity_api')
class Password(auth.AuthMethodHandler):
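Review bot: The three new imports `import oath`, `import base64` and `import mysql.connector` are placed after the `keystone.*` imports, which puts the stdlib `base64` module in the wrong group; under the stdlib / third-party / project ordering the file otherwise follows, `import base64` belongs at the top and `import mysql.connector` / `import oath` next to the oslo imports. `mysql.connector` and `oath` are also new runtime requirements that nothing visible in the patch declares; presumably the project's requirements file needs them as well.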
@@ -45,4 +50,37 @@ class Password(auth.AuthMethodHandler):
msg = _('Invalid username or password')
raise exception.Unauthorized(msg)
+ # Password auth succeeded, check two-factor
+ # LOG.debug("OATH: Doing 2FA for user_info " + ( "%s(%r)" % (user_info.__class__, user_info.__dict__) ) )
+ # LOG.debug("OATH: Doing 2FA for auth_payload " + ( "%s(%r)" % (auth_payload.__class__, auth_payload) ) )
+ cnx = mysql.connector.connect(
+ user=CONF.oath.dbuser,
+ password=CONF.oath.dbpass,
+ database=CONF.oath.dbname,
+ host=CONF.oath.dbhost)
+ cur = cnx.cursor(buffered=True)
+ sql = ('SELECT oath.secret as secret from user '
+ 'left join oathauth_users as oath on oath.id = user.user_id '
+ 'where user.user_name = %s LIMIT 1')
+ cur.execute(sql, (user_info.user_ref['name'], ))
+ secret = cur.fetchone()[0]
+
+ if secret:
+ if 'totp' in auth_payload['user']:
+ (p, d) = oath.accept_totp(
+ base64.b16encode(base64.b32decode(secret)),
+ auth_payload['user']['totp'])
+ if p:
+ LOG.debug("OATH: 2FA passed")
+ else:
+ LOG.debug("OATH: 2FA failed")
+ msg = _('Invalid two-factor token')
+ raise exception.Unauthorized(msg)
+ else:
+ LOG.debug("OATH: 2FA failed, missing totp param")
+ msg = _('Missing two-factor token')
+ raise exception.Unauthorized(msg)
+ else:
+ LOG.debug("OATH: user '%s' does not have 2FA enabled.", user_info.user_ref['name'])
+
auth_context['user_id'] = user_info.user_id
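Review bot: `secret = cur.fetchone()[0]` after the execute raises TypeError when the keystone user has no row in the wiki `user` table (the LEFT JOIN only tolerates a missing `oathauth_users` row), so that case surfaces as a server error rather than an explicit decision, and `cnx`/`cur` are never closed on any path, including the two Unauthorized raises below. Wrap the query in try/finally, derive the secret from a possibly-None row, and decide the no-row policy explicitly (the fence below denies it; confirm that is the intended behaviour). The two commented-out LOG.debug lines that would dump `user_info.__dict__` and `auth_payload` should be deleted rather than left in, since `auth_payload` carries the password and TOTP value. Nothing here prevents the same TOTP value from being accepted again within its validity window; unless the oath library tracks the last-used step (this call does not show it), recording it per user would close that replay. The enclosing method starts before the hunk.
```python
        # … unchanged: password verification, raising Unauthorized on failure …
        cnx = mysql.connector.connect(
            user=CONF.oath.dbuser,
            password=CONF.oath.dbpass,
            database=CONF.oath.dbname,
            host=CONF.oath.dbhost)
        try:
            cur = cnx.cursor(buffered=True)
            sql = ('SELECT oath.secret as secret from user '
                   'left join oathauth_users as oath on oath.id = user.user_id '
                   'where user.user_name = %s LIMIT 1')
            cur.execute(sql, (user_info.user_ref['name'], ))
            row = cur.fetchone()
        finally:
            # Always release the connection, also when 2FA fails below.
            cnx.close()

        if row is None:
            # NOTE(review): no wiki row for this account, so its 2FA state is
            # unknown; denied here rather than treated as "not enrolled" -- confirm
            LOG.debug("OATH: no wiki user row for '%s'", user_info.user_ref['name'])
            raise exception.Unauthorized(_('Invalid username or password'))
        secret = row[0]
        # … unchanged: TOTP verification against secret …
```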
diff --git a/keystone/common/config.py b/keystone/common/config.py
index 81f64b0..e5a3ffe 100644
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@@ -503,6 +503,20 @@ FILE_OPTIONS = {
cfg.IntOpt('access_token_duration', default=86400,
help='Duration (in seconds) for the OAuth Access Token.'),
],
+ 'oath': [
+ cfg.StrOpt('dbuser',
+ default='wiki_user',
+ help='Database user for retrieving OATH secret.'),
+ cfg.StrOpt('dbpass',
+ default='12345',
+ help='Database password for retrieving OATH secret.'),
+ cfg.StrOpt('dbhost',
+ default='localhost',
+ help='Database host for retrieving OATH secret.'),
+ cfg.StrOpt('dbname',
+ default='labswiki',
+ help='Database name for retrieving OATH secret.'),
+ ],
'federation': [
cfg.StrOpt('driver',
default='sql',
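Review bot: `cfg.StrOpt('dbpass', default='12345', ...)` ships a default database password in code and, without `secret=True`, oslo.config prints its value in the clear when the effective configuration is logged at startup; use `cfg.StrOpt('dbpass', default=None, secret=True, help='Database password for retrieving OATH secret.')` so a deployment must set it and it is masked in logs. The other defaults (`wiki_user`, `labswiki`, `localhost`) are deployment-specific and arguably also belong only in keystone.conf, which the commit message already asks operators to edit.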
--
1.9.1
