def create_google_authenticator_url(user, realm, key, type="hmac", serial=""):
'''
This creates the google authenticator URL.
This url may only be 119 characters long.
Otherwise we qrcode.js can not create the qrcode.
If the URL would be longer, we shorten the username
We expect the key to be hexlified!
'''
# policy depends on some lib.util
if "hmac" == type.lower():
type = "hotp"
label = ""
key_bin = binascii.unhexlify(key)
# also strip the padding =, as it will get problems with the google app.
otpkey = base64.b32encode(key_bin).strip('=')
#'url' : "otpauth://hotp/%s?secret=%s&counter=0" % ( user@realm, otpkey )
base_len = len("otpauth://%s/?secret=%s&counter=0" % (type, otpkey))
max_len = 119
allowed_label_len = max_len - base_len
log.debug("[create_google_authenticator_url] we got %s characters left for the token label" % str(allowed_label_len))
label = get_tokenlabel(user, realm, serial)
label = label[0:allowed_label_len]
url_label = quote(label)
return "otpauth://%s/%s?secret=%s&counter=0" % (type, url_label, otpkey)
def create_google_authenticator_url(user, realm, key, type="hmac", serial=""):
'''
This creates the google authenticator URL.
This url may only be 119 characters long.
Otherwise we qrcode.js can not create the qrcode.
If the URL would be longer, we shorten the username
We expect the key to be hexlified!
'''
# policy depends on some lib.util
if "hmac" == type.lower():
type = "hotp"
label = ""
key_bin = binascii.unhexlify(key)
# also strip the padding =, as it will get problems with the google app.
otpkey = base64.b32encode(key_bin).strip('=')
#'url' : "otpauth://hotp/%s?secret=%s&counter=0" % ( user@realm, otpkey )
base_len = len("otpauth://%s/?secret=%s&counter=0" % (type, otpkey))
max_len = 119
allowed_label_len = max_len - base_len
log.debug(
"[create_google_authenticator_url] we got %s characters left for the token label"
% str(allowed_label_len))
label = get_tokenlabel(user, realm, serial)
label = label[0:allowed_label_len]
url_label = quote(label)
return "otpauth://%s/%s?secret=%s&counter=0" % (type, url_label, otpkey)
def create_google_authenticator(param: dict, user=None) -> str:
"""Create the google url from the parameters
:param param: dict containing the parameters
:param user: the user to which the token should be assigned
:return: the google authenticator url
"""
serial = param["serial"]
login = user and user.login or param.get("user.login", "")
realm = user and user.realm or param.get("user.realm", "")
description = param.get("description", "")
token_label = get_tokenlabel(
serial=serial, user=login, realm=realm, description=description
)
issuer = get_tokenissuer(
serial=serial, user=login, realm=realm, description=description
)
# --------------------------------------------------------------------- --
# as the issuer is also used as an url parameter,
# we add it to the parameters
param["issuer"] = issuer
# build the label, which is defined as:
# label = accountname / issuer (“:” / “%3A”) *”%20” accountname
label = quote(issuer) + ":" + quote(token_label)
return google_authenticator_url(label, param)
def test_get_tokenlabel_wo_policy(self, mock__get_client,
mock_has_client_policy):
mock__get_client.return_value = "localhost"
mock_has_client_policy.return_value = {}
res = get_tokenlabel(serial="123")
assert res == "123"
res = get_tokenlabel(serial="123", user="******")
assert res == "hugo"
res = get_tokenlabel(serial="123", user="******", realm="home")
assert res == "hugo"
res = get_tokenlabel(serial="123",
user="******",
realm="home",
description="nothing")
assert res == "hugo"
def test_get_tokenlabel_w_policy(self, mock__get_client,
mock_has_client_policy,
mock_get_action_value):
mock__get_client.return_value = "localhost"
mock_has_client_policy.return_value = {}
mock_get_action_value.return_value = "<d>.<r>.<u>.<s>"
res = get_tokenlabel(serial="!")
assert res == "...!"
res = get_tokenlabel(serial="!", user="******")
assert res == "..matters.!"
res = get_tokenlabel(serial="!", user="******", realm="else")
assert res == ".else.matters.!"
res = get_tokenlabel(serial="!",
user="******",
realm="else",
description="nothing")
assert res == "nothing.else.matters.!"
def create_oathtoken_url(user, realm, otpkey, type="hmac", serial=""):
# 'url' : 'oathtoken:///addToken?name='+serial +
# '&key='+otpkey+
# '&timeBased=false&counter=0&numDigites=6&lockdown=true',
timebased = ""
if "totp" == type.lower():
timebased = "&timeBased=true"
label = get_tokenlabel(user, realm, serial)
url_label = quote(label)
url = "oathtoken:///addToken?name=%s&lockdown=true&key=%s%s" % (
url_label, otpkey, timebased)
return url
def create_oathtoken_url(user, realm, otpkey, type="hmac", serial=""):
# 'url' : 'oathtoken:///addToken?name='+serial +
# '&key='+otpkey+
# '&timeBased=false&counter=0&numDigites=6&lockdown=true',
timebased = ""
if "totp" == type.lower():
timebased = "&timeBased=true"
label = get_tokenlabel(user, realm, serial)
url_label = quote(label)
url = "oathtoken:///addToken?name=%s&lockdown=true&key=%s%s" % (
url_label,
otpkey,
timebased
)
return url
def create_google_authenticator(param, user=None):
'''
create url for google authenticator
:param param: request dictionary
:return: string with google url
'''
typ = param.get("type", 'hotp')
if typ.lower() == 'hmac':
typ = 'hotp'
if not typ.lower() in ['totp', 'hotp']:
raise NoOtpAuthTokenException('not supported otpauth token type: %r'
% typ)
serial = param.get("serial", None)
digits = param.get("otplen", '6')
otpkey = param.get("otpkey", None)
login = ''
realm = ''
if user:
login = user.login or ''
realm = user.realm or ''
login = login or param.get('user.login', '')
realm = realm or param.get('user.realm', '')
url_param = {}
if not otpkey:
raise Exception('Failed to create token url due to missing seed!')
key = base64.b32encode(binascii.unhexlify(otpkey))
key = key.strip("=")
algo = param.get("hashlib", "sha1") or "sha1"
algo = algo.upper()
if algo not in['SHA1', 'SHA256', 'SHA512', 'MD5']:
algo = 'SHA1'
if algo != 'SHA1':
url_param['algorithm'] = algo
url_param['secret'] = key
# dont add default
if digits != '6':
url_param['digits'] = digits
if typ not in ['totp']:
url_param['counter'] = 0
if 'timeStep' in param:
url_param['period'] = param.get('timeStep')
issuer = get_tokenissuer(login, realm, serial)
if issuer:
url_param['issuer'] = quote(issuer)
ga = "otpauth://%s/%s" % (typ, serial)
qg_param = urllib.urlencode(url_param)
base_len = len(ga) + len(qg_param)
max_len = 400
allowed_label_len = max_len - base_len
log.debug("[create_google_authenticator_url] we got %s characters"
" left for the token label" % str(allowed_label_len))
# show the user login in the token prefix
if len(login) > 0:
label = get_tokenlabel(login, realm, serial)
if len(param.get('description', '')) > 0 and '<d>' in label:
label = label.replace('<d>', param.get('description'))
else:
label = serial or ''
if len(param.get('description', '')) > 0:
label = label + ':' + param.get('description')
if issuer:
label = issuer + ':' + label
label = label[0:allowed_label_len]
url_label = quote(label, ':')
ga = "otpauth://%s/%s?%s" % (typ, url_label, qg_param)
log.debug("google authenticator: %r" % ga[:20])
return ga
def create_google_authenticator(param, user=None):
'''
create url for google authenticator
:param param: request dictionary
:return: string with google url
'''
typ = param.get("type", 'hotp')
if typ.lower() == 'hmac':
typ = 'hotp'
if not typ.lower() in ['totp', 'hotp']:
raise NoOtpAuthTokenException('not supported otpauth token type: %r'
% typ)
serial = param.get("serial", None)
digits = param.get("otplen", '6')
otpkey = param.get("otpkey", None)
login = ''
realm = ''
if user:
login = user.login or ''
realm = user.realm or ''
login = login or param.get('user.login', '')
realm = realm or param.get('user.realm', '')
url_param = {}
if not otpkey:
raise Exception('Failed to create token url due to missing seed!')
key = base64.b32encode(binascii.unhexlify(otpkey))
key = key.strip("=")
algo = param.get("hashlib", "sha1") or "sha1"
algo = algo.upper()
if algo not in['SHA1', 'SHA256', 'SHA512', 'MD5']:
algo = 'SHA1'
if algo != 'SHA1':
url_param['algorithm'] = algo
url_param['secret'] = key
# dont add default
if digits != '6':
url_param['digits'] = digits
if typ not in ['totp']:
url_param['counter'] = 0
if 'timeStep' in param:
url_param['period'] = param.get('timeStep')
issuer = get_tokenissuer(login, realm, serial)
if issuer:
url_param['issuer'] = quote(issuer)
ga = "otpauth://%s/%s" % (typ, serial)
qg_param = urllib.urlencode(url_param)
base_len = len(ga) + len(qg_param)
max_len = 400
allowed_label_len = max_len - base_len
log.debug("[create_google_authenticator_url] we got %s characters"
" left for the token label" % str(allowed_label_len))
# show the user login in the token prefix
if len(login) > 0:
label = get_tokenlabel(login, realm, serial)
if len(param.get('description', '')) > 0 and '<d>' in label:
label = label.replace('<d>', param.get('description'))
else:
label = serial or ''
if len(param.get('description', '')) > 0:
label = label + ':' + param.get('description')
if issuer:
label = issuer + ':' + label
label = label[0:allowed_label_len]
url_label = quote(label, ':')
ga = "otpauth://%s/%s?%s" % (typ, url_label, qg_param)
log.debug("google authenticator: %r" % ga[:20])
return ga
