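#!/bin/bash
#This script will check to see if a user has an OTP token, and if not, create one and email the QR Code to the user
#
# Notes for maintainers (security-relevant):
#  * The otpauth:// URI and the QR image ARE the token seed: anyone who obtains
#    either can enrol the token.  This version keeps both in memory only; the
#    original wrote them to predictable paths under /tmp and left the QR image
#    behind until the next run.
#  * The IPA password is handed to kinit over stdin (never argv) and unset as
#    soon as the ticket exists.  Do not run this script with `set -x`.
#  * Nothing is mailed unless the user has an email address on record AND
#    `ipa otptoken-add` actually returned a URI, so a failed add no longer
#    produces a mail with an empty link.
#  * MIME: the original never sent the blank line that ends the message/part
#    headers (and emitted an empty "Content-ID:" header), so the attachment was
#    malformed.  Both are fixed in send_mime_mail.
set -euo pipefail

#Set Variables
#ARN of the secret which stores the FreeIPA Login credentials
#(placeholder -- replace with the real ARN, or export AWS_SECRET_ARN before running)
AWS_SECRET_ARN="${AWS_SECRET_ARN:-<ARN of an AWS Secret holding your IPA user creds>}"
#Email address to notify
NOTIFY_EMAIL=freeipa-support@domain.com
#IPA Server URL (not referenced below; kept for configuration parity)
# shellcheck disable=SC2034
IPA_URL=ipa-master.ipa.domain.com
#From email
FROM_EMAIL="freeipa-noreply@domain.com"
readonly AWS_SECRET_ARN NOTIFY_EMAIL IPA_URL FROM_EMAIL

#######################################
# Print a message on stderr and exit 1.
#######################################
die() { printf '%s\n' "$*" >&2; exit 1; }

#Fail early if a required tool is missing rather than half-way through the user list
for tool in aws jq kinit ipa sendmail /usr/local/bin/qr; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: ${tool}"
done
unset tool

#IPA User and Password, parsed from the secret (fetched once instead of once per field)
SECRET_JSON=$(aws secretsmanager get-secret-value --secret-id "$AWS_SECRET_ARN" | jq -r .SecretString) \
  || die "could not read secret ${AWS_SECRET_ARN}"
IPA_USER=$(jq -r .username <<<"$SECRET_JSON")
IPA_PASSWORD=$(jq -r .password <<<"$SECRET_JSON")
unset SECRET_JSON
[[ -n "$IPA_USER" && "$IPA_USER" != "null" && -n "$IPA_PASSWORD" && "$IPA_PASSWORD" != "null" ]] \
  || die "secret ${AWS_SECRET_ARN} does not contain username/password"
readonly IPA_USER

#Set kerberos ticket: the password goes over stdin so it never appears in argv / ps
printf '%s\n' "$IPA_PASSWORD" | kinit "$IPA_USER" || die "kinit failed for ${IPA_USER}"
unset IPA_PASSWORD

#List users not in service account groups (one login per array element)
mapfile -t USERS < <(ipa user-find --not-in-groups=service-accounts --not-in-groups=admin-svc-accts --disabled=false \
  | awk '/User login:/ {print $NF}')

#######################################
# Send one multipart/mixed message through sendmail -t.
# Arguments: $1 - recipient address
#            $2 - subject
#            $3 - HTML body text
#            $4 - (optional) base64-encoded PNG, attached inline as otpqr.png
# Globals:   FROM_EMAIL (read)
# Returns:   the pipeline's exit status (sendmail's under pipefail)
#######################################
send_mime_mail() {
  local to=$1 subject=$2 body=$3 png_b64=${4:-}
  {
    printf 'Subject: %s\n' "$subject"
    printf 'From: %s\n' "$FROM_EMAIL"
    printf 'To: %s\n' "$to"
    printf 'MIME-Version: 1.0\n'
    # the trailing empty line ends the message headers
    printf 'Content-Type: multipart/mixed; boundary="OTPEMAIL"\n\n'
    printf -- '--OTPEMAIL\n'
    printf 'Content-Type: text/html; charset="utf-8"\n\n'
    printf '%s\n' "$body"
    if [[ -n "$png_b64" ]]; then
      printf -- '--OTPEMAIL\n'
      printf 'Content-Type: image/png;name="otpqr.png"\n'
      printf 'Content-Transfer-Encoding: base64\n'
      printf 'Content-Disposition: inline; filename="otpqr.png"\n'
      # empty line ends the part headers; without it the base64 data is read as headers
      printf '\n'
      printf '%s\n' "$png_b64"
    fi
    printf -- '--OTPEMAIL--\n'
  } | sendmail -t
}

#######################################
# Create an OTP token for one user, email the enrolment QR code (and URI) to
# them, then notify NOTIFY_EMAIL.  The address is resolved before the token
# is created so no token is provisioned for a user it cannot be delivered to.
# Arguments: $1 - IPA user login (falls back to $USER, the original call style)
# Globals:   NOTIFY_EMAIL (read); FROM_EMAIL via send_mime_mail
# Outputs:   diagnostics on stderr
# Returns:   0 when the token was created and both mails were handed to
#            sendmail; 1 otherwise
#######################################
create_otptoken() {
  local login=${1:-${USER:-}}
  if [[ -z "$login" ]]; then
    printf 'create_otptoken: no user login given\n' >&2
    return 1
  fi

  # user-show is an exact lookup; the original's `ipa user-find $USER` is a
  # substring search that can match several accounts and put every one of
  # their addresses into the To: header.  First address only.
  local user_email
  user_email=$(ipa user-show "$login" | awk '/Email address:/ {print $NF; exit}') || user_email=""
  if [[ -z "$user_email" ]]; then
    printf 'No email address on record for %s; not creating a token.\n' "$login" >&2
    return 1
  fi

  local token_uri
  token_uri=$(ipa otptoken-add --owner="$login" --no-qrcode \
      --desc="Created Automatically by Ansible on $(date +"%Y-%m-%d_%H-%M-%S")" \
    | awk '/URI/ {print $NF}') || token_uri=""
  if [[ -z "$token_uri" ]]; then
    printf 'otptoken-add failed for %s; nothing mailed.\n' "$login" >&2
    return 1
  fi

  # Render the QR code straight into base64 -- the seed never touches disk.
  # If rendering fails the token already exists, so still mail the URI rather
  # than leave the user with a token they do not know about.
  local qr_b64
  qr_b64=$(/usr/local/bin/qr "$token_uri" | base64) || qr_b64=""
  if [[ -z "$qr_b64" ]]; then
    printf 'QR rendering failed for %s; mailing the URI without an image.\n' "$login" >&2
  fi

  # NOTE(review): the HTML markup that wrapped these lines in the original did
  # not survive extraction (only blank lines remain); restore the tags here.
  local body
  body=$(cat <<EOF
Congratulations, a new OTP Token has been created for your use in the FreeIPA authentication system.

Please scan the attached QR code with the OTP Mobile Application on your device of choice.

If the above does not work, try this link: ${token_uri}
EOF
)

  local subject="FreeIPA OTP Token Created for ${login}"
  local rc=0
  send_mime_mail "$user_email" "$subject" "$body" "$qr_b64" || rc=1
  send_mime_mail "$NOTIFY_EMAIL" "$subject" \
    "A new OTP Token has been created for ${login}, and information has been emailed to them." || rc=1
  return "$rc"
}

#######################################
# Walk the user list and provision a token for every user who lacks one.
# Globals:   USERS (read)
#######################################
main() {
  if (( ${#USERS[@]} == 0 )); then
    printf 'No users to check.\n'
    return 0
  fi
  local login
  for login in "${USERS[@]}"; do
    #Check to see if user has OTP token.  `ipa *-find` exits non-zero when no
    #entry matches (and, as in the original, on any other failure as well).
    if ipa otptoken-find --owner="$login" >/dev/null; then
      printf '%s has a token, no need to create a new one.\n' "$login"
    else
      #If no otp token, create it and send email to aws-support and user
      printf 'No token found for %s, creating one and sending it to the user...\n' "$login"
      create_otptoken "$login" \
        || printf 'Token provisioning for %s did not complete; see messages above.\n' "$login" >&2
    fi
  done
}
main "$@"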