freeipa-generate-otp-tokens/freeIPA_otp_tokens.bash

#!/bin/bash
#This script will check to see if a user has an OTP token, and if not, create one and email the QR Code to the user
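#Set Variables
#ARN of the secret which stores the FreeIPA Login credentials (quoted: the placeholder contains spaces)
AWS_SECRET_ARN="ARN of an AWS Secret holding your IPA user creds"
#Email address to notify
NOTIFY_EMAIL=freeipa-support@domain.com
#Fetch the secret once; SecretString is a JSON document holding the username and password
IPA_SECRET=$(aws secretsmanager get-secret-value --secret-id "$AWS_SECRET_ARN" | jq -r .SecretString)
if [[ -z "$IPA_SECRET" || "$IPA_SECRET" == null ]]; then
  printf 'Could not read the IPA credentials from %s, aborting.\n' "$AWS_SECRET_ARN" >&2
  exit 1
fi
#IPA User, parsed from the secret
IPA_USER=$(jq -r .username <<<"$IPA_SECRET")
#IPA Password, parsed from the secret
IPA_PASSWORD=$(jq -r .password <<<"$IPA_SECRET")
#IPA Server URL
IPA_URL=ipa-master.ipa.domain.com
#From email
FROM_EMAIL="freeipa-noreply@domain.com"
#Set mail html file name
#NOTE: a fixed, predictable /tmp path is readable by other local users and open to symlink races;
#the QR image written alongside it encodes the OTP seed
MAILFILE=/tmp/otptokenmail.html
#Set QR Code image file name
QRFILE=/tmp/otptokenqr.png
#Set kerberos ticket: the password is fed on stdin rather than as an argument, so it never shows up
#in the process list. Abort if no ticket was obtained, because every ipa call that follows would fail
#and a failed otptoken-find would otherwise be taken as "no token" further down.
if ! printf '%s\n' "$IPA_PASSWORD" | kinit "$IPA_USER"; then
  printf 'kinit failed for %s, aborting.\n' "$IPA_USER" >&2
  exit 1
fi
#The password is not needed once the ticket exists; drop it so nothing later in the run can leak it
unset IPA_PASSWORD IPA_SECRET
#List users not in service account groups
USERS=$(ipa user-find --not-in-groups=service-accounts --not-in-groups=admin-svc-accts --disabled=false | grep "User login:" | awk '{print $NF}')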
#Function to create the token and email it
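#Create an OTP token for one user, mail the QR code to that user and send a notification to NOTIFY_EMAIL.
#Arguments: $1 - login to create the token for (optional; falls back to $USER, which the calling loop sets)
#Globals read: USER, FROM_EMAIL, NOTIFY_EMAIL
#Returns: 1 if the token could not be created or temp files could not be made (nothing is mailed), 0 otherwise
create_otptoken() {
  local login=${1:-$USER}
  local token_uri mailfile qrfile subject user_email
  #The otpauth:// URI carries the token's secret key, so from here on it is handled like a password
  token_uri=$(ipa otptoken-add --owner="$login" --no-qrcode --desc="Created Automatically by Ansible on $(date +"%Y-%m-%d_%H-%M-%S")" | grep URI | awk -F" " '{print $NF}')
  if [[ -z "$token_uri" ]]; then
    #Without this guard an empty link and an empty QR image would be mailed out
    printf 'Could not create an OTP token for %s, no email sent.\n' "$login" >&2
    return 1
  fi
  #Private (0600) temp files with unpredictable names: the QR image is the OTP seed, and a fixed
  #world-readable /tmp path would expose it to every other local user
  mailfile=$(mktemp) || return 1
  qrfile=$(mktemp) || { rm -f -- "$mailfile"; return 1; }
  /usr/local/bin/qr "${token_uri}" > "$qrfile"
  cat > "$mailfile" <<EOF
<p>
Congratulations, a new OTP Token has been created for your use in the FreeIPA authentication system.
</p>
<p>
Please scan the attached QR code with the OTP Mobile Application on your device of choice.
</p>
<p>
If the above does not work, try this link: ${token_uri}
</p>
EOF
  subject="FreeIPA OTP Token Created for $login"
  #user-show resolves the login exactly; a bare 'user-find LOGIN' is a substring search that can
  #match other accounts and yield several addresses for the To: header
  user_email=$(ipa user-show "$login" | grep Email | awk '{print $NF}')
  if [[ -z "$user_email" ]]; then
    printf 'No email address on record for %s, the token mail has no recipient.\n' "$login" >&2
  fi
  {
    printf 'Subject: %s\n' "$subject"
    printf 'From: %s\n' "$FROM_EMAIL"
    printf 'To: %s\n' "$user_email"
    printf 'MIME-Version: 1.0\n'
    printf 'Content-Type: multipart/mixed; boundary="OTPEMAIL"\n'
    printf '%s\n' '--OTPEMAIL'
    printf 'Content-Type: text/html; charset="utf-8"\n'
    printf '\n'
    cat "$mailfile"
    printf '%s\n' '--OTPEMAIL'
    printf 'Content-Type: image/png;name="otpqr.png"\n'
    printf 'Content-Transfer-Encoding: base64\n'
    printf 'Content-ID: <part1.06090408.01060107>\n'
    printf 'Content-Disposition: inline; filename="otpqr.png"\n'
    #MIME requires an empty line between a part's headers and its body; without it the base64
    #data is read as malformed header lines and the image does not decode
    printf '\n'
    base64 "$qrfile"
    printf '%s\n' '--OTPEMAIL--'
  } | sendmail -t
  {
    printf 'Subject: %s\n' "$subject"
    printf 'From: %s\n' "$FROM_EMAIL"
    printf 'To: %s\n' "$NOTIFY_EMAIL"
    printf 'MIME-Version: 1.0\n'
    printf 'Content-Type: multipart/mixed; boundary="OTPEMAIL"\n'
    printf '%s\n' '--OTPEMAIL'
    printf 'Content-Type: text/html; charset="utf-8"\n'
    printf '\n'
    printf 'A new OTP Token has been created for %s, and information has been emailed to them.\n' "$login"
    printf '%s\n' '--OTPEMAIL--'
  } | sendmail -t
  #Remove the seed image and the body as soon as they have been sent so they do not linger on disk
  rm -f -- "$mailfile" "$qrfile"
}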
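#Walk every candidate login and make sure each has an OTP token.
#The loop variable is kept as USER because create_otptoken reads it as a global; note this clobbers
#the shell's own USER (the login name of whoever runs the script) for the rest of the run.
for USER in $USERS; do
  #Check to see if user has OTP token: otptoken-find exits non-zero when nothing matched
  #(it also exits non-zero on other ipa failures, which this check cannot tell apart)
  if ! ipa otptoken-find --owner="$USER" > /dev/null; then
    #If no otp token, create it and send email to aws-support and user
    printf 'No token found for %s, creating one and sending it to the user...\n' "$USER"
    create_otptoken "$USER"
  else
    printf '%s has a token, no need to create a new one.\n' "$USER"
  fi
done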