From c96e1e65fb3f89f73f905e9eac5ca4edc6666815 Mon Sep 17 00:00:00 2001
From: Russ Long
Date: Fri, 11 Oct 2019 14:45:52 -0400
Subject: [PATCH] Initial Commit
---
 README.md | 8 ++++
 freeIPA_otp_tokens.bash | 94 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+)
 create mode 100644 README.md
 create mode 100644 freeIPA_otp_tokens.bash
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e8abc3d
--- /dev/null
+++ b/README.md
@@ -0,0 +1,8 @@
+# Purpose
+To parse the list of users not in the defined service accounts group, and ensure all have OTP tokens configured. If they do not, generate a token and email it to the user.
+
+# Usage
+1. Download script to location of your choice
+2. Update variables at top of file, and service accounts groups listed on line 26
+3. Run Script
+4. Ensure user recieves email, and the NOTIFY_EMAIL address will also receive a notification
diff --git a/freeIPA_otp_tokens.bash b/freeIPA_otp_tokens.bash
new file mode 100644
index 0000000..2a69115
--- /dev/null
+++ b/freeIPA_otp_tokens.bash
@@ -0,0 +1,94 @@
+#!/bin/bash
+#This script will check to see if a user has an OTP token, and if not, create one and email the QR Code to the user
+
+#Set Variables
+#ARN of the secret which stores the FreeIPA Login credentials
+AWS_SECRET_ARN=ARN of an AWS Secret holding your IPA user creds
+#Email address to notify
+NOTIFY_EMAIL=freeipa-support@domain.com
+#IPA User, parsed from the secret
+IPA_USER=$(aws secretsmanager get-secret-value --secret-id $AWS_SECRET_ARN | jq -r .SecretString| jq -r .username)
+#IPA Password, parsed from the secret
+IPA_PASSWORD=$(aws secretsmanager get-secret-value --secret-id $AWS_SECRET_ARN | jq -r .SecretString| jq -r .password)
+#IPA Server URL
+IPA_URL=ipa-master.ipa.domain.com
+#From email
+FROM_EMAIL="freeipa-noreply@domain.com"
+#Set mail html file name
+MAILFILE=/tmp/otptokenmail.html
+#Set QR Code image file name
+QRFILE=/tmp/otptokenqr.png
+
+#Set kerberos ticket
+echo $IPA_PASSWORD | kinit $IPA_USER
+
+#List users not in service account groups
+USERS=$(ipa user-find --not-in-groups=service-accounts --not-in-groups=admin-svc-accts --disabled=false | grep "User login:" | awk '{print $NF}')
+
+#Function to create the token and email it
+create_otptoken()
+{
+ TOKEN_URI=$(ipa otptoken-add --owner=$USER --no-qrcode --desc="Created Automatically by Ansible on $(date +"%Y-%m-%d_%H-%M-%S")" | grep URI | awk -F" " '{print $NF}')
+ cat /dev/null > $MAILFILE
+ rm -f $QRFILE
+ /usr/local/bin/qr "${TOKEN_URI}" > $QRFILE
+
+ echo "

" >> $MAILFILE
+ echo "Congratulations, a new OTP Token has been created for your use in the FreeIPA authentication system." >> $MAILFILE
+ echo "

" >> $MAILFILE
+ echo "

" >> $MAILFILE
+ echo "Please scan the attached QR code with the OTP Mobile Application on your device of choice." >> $MAILFILE
+ echo "

" >> $MAILFILE
+ echo "

" >> $MAILFILE
+ echo "If the above does not work, try this link: ${TOKEN_URI}" >> $MAILFILE
+ echo "

" >> $MAILFILE
+ SUBJECT="FreeIPA OTP Token Created for $USER"
+ USER_EMAIL=$(ipa user-find $USER | grep Email | awk '{print $NF}')
+ (
+ echo "Subject: ${SUBJECT}";
+ echo "From: ${FROM_EMAIL}";
+ echo "To: ${USER_EMAIL}";
+ echo "MIME-Version: 1.0";
+ echo 'Content-Type: multipart/mixed; boundary="OTPEMAIL"';
+ echo '--OTPEMAIL';
+ echo 'Content-Type: text/html; charset="utf-8"';
+ echo "";
+ echo "$(<$MAILFILE)";
+ echo '--OTPEMAIL';
+ echo 'Content-Type: image/png;name="otpqr.png"';
+ echo "Content-Transfer-Encoding: base64";
+ echo "Content-ID: ";
+ echo 'Content-Disposition: inline; filename="otpqr.png"';
+ echo "$(base64 $QRFILE)";
+ echo '--OTPEMAIL--';
+
+ )|sendmail -t
+
+ (
+ echo "Subject: ${SUBJECT}";
+ echo "From: ${FROM_EMAIL}";
+ echo "To: ${NOTIFY_EMAIL}";
+ echo "MIME-Version: 1.0";
+ echo 'Content-Type: multipart/mixed; boundary="OTPEMAIL"';
+ echo '--OTPEMAIL';
+ echo 'Content-Type: text/html; charset="utf-8"';
+ echo "";
+ echo "A new OTP Token has been created for ${USER}, and information has been emailed to them.";
+ echo '--OTPEMAIL--';
+
+ )|sendmail -t
+
+}
+
+for USER in $USERS; do
+ #Check to see if user has OTP token
+ ipa otptoken-find --owner=$USER > /dev/null
+ otp_ec=$?
+ #If no otp token, create it and send email to aws-support and user
+ if [[ $otp_ec != 0 ]]; then
+ echo "No token found for $USER, creating one and sending it to the user...";
+ create_otptoken;
+ else
+ echo "$USER has a token, no need to create a new one.";
+ fi
+done
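Review bot: The recipient lookup `USER_EMAIL=$(ipa user-find $USER | grep Email | awk '{print $NF}')` in create_otptoken is a substring search, so a login such as `bob` also matches `bobby` and can return several `Email address:` lines; the multi-line `To:` header then delivers the OTP seed URI and QR code to other users' mailboxes, and an empty result still sends the mail with no recipient check. Resolve the address exactly with `ipa user-show "$USER"` and refuse to mint a token when nothing comes back, before `otptoken-add` runs. The same seed is also written to the fixed, world-readable paths `/tmp/otptokenmail.html` and `/tmp/otptokenqr.png` and left there after sending; per-run `mktemp` files under `umask 077` with an EXIT trap keep it off disk. Finally, `echo $IPA_PASSWORD | kinit $IPA_USER` is unquoted and its status is never checked, so when no ticket is obtained every later `ipa otptoken-find` fails and the loop reads that non-zero status as "no token", presumably minting a fresh token for every user; quote it and abort on failure.
```shell
# … unchanged: AWS_SECRET_ARN / NOTIFY_EMAIL / IPA_USER / IPA_PASSWORD / IPA_URL / FROM_EMAIL …
# The HTML body and the QR image both carry the OTP seed: create them per run,
# readable only by this user, and remove them on every exit path.
umask 077
MAILFILE=$(mktemp) || exit 1
QRFILE=$(mktemp) || exit 1
trap 'rm -f -- "$MAILFILE" "$QRFILE"' EXIT

#Set kerberos ticket; nothing below can work without it, so stop on failure
printf '%s\n' "$IPA_PASSWORD" | kinit "$IPA_USER" || exit 1

# … unchanged: USERS= …

create_otptoken()
{
    # Exact lookup by login: user-find searches substrings and may return other
    # users' addresses. Resolve the recipient before any token is created.
    USER_EMAIL=$(ipa user-show "$USER" | awk '/Email address:/ {print $NF; exit}')
    if [[ -z "$USER_EMAIL" ]]; then
        echo "No email address for $USER, not creating a token" >&2
        return 1
    fi
    # … unchanged: TOKEN_URI=, QR generation, HTML body, SUBJECT, both sendmail blocks …
}
```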