Add totpcgi role.

2014-12-06 23:57:44 +00:00 · 2014-12-06 23:57:44 +00:00 · 6af7a7b8a7
commit 6af7a7b8a7
parent 07e24f8448
20 changed files with 1174 additions and 0 deletions
--- a/roles/totpcgi/templates/provisioning-httpd.conf.j2
+++ b/roles/totpcgi/templates/provisioning-httpd.conf.j2
@ -0,0 +1,44 @@
+Listen 8444
+<VirtualHost *:8444>
+  LoadModule suexec_module modules/mod_suexec.so
+
+  DocumentRoot /var/www/totpcgi-provisioning
+  ServerName fas01.stg.phx2.fedoraproject.org:8444
+  ErrorLog /var/log/httpd/totpcgi-provisioning-error.log
+  SuexecUserGroup totpcgiprov totpcgiprov
+
+  AddHandler cgi-script .cgi
+  DirectoryIndex index.cgi
+
+  Header set Cache-Control no-cache
+  Header set Expires 0
+
+  #SSLEngine on
+  #SSLCertificateFile /etc/pki/totpcgi/totpcgi-server.crt
+  #SSLCertificateKeyFile /etc/pki/totpcgi/totpcgi-server.key
+  #SSLCACertificateFile /etc/pki/totpcgi/totpcgi-ca.crt
+
+  #CustomLog /var/log/httpd/totpcgi-provisioning-ssl-request-log \
+  #  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+  <Directory "/var/www/totpcgi-provisioning">
+    Options ExecCGI
+  </Directory>
+
+  <Location />
+    AuthType Basic
+    AuthName "Fedora totpcgi"
+
+    Auth_PG_host db-fas
+    Auth_PG_port 5432
+    Auth_PG_user fasreadonly
+    Auth_PG_pwd {{ fasReadOnlyPassword }}
+    Auth_PG_database fas2
+    Auth_PG_pwd_table people
+    Auth_PG_uid_field username
+    Auth_PG_pwd_field password
+    Auth_PG_pwd_whereclause " and status='active'"
+
+    Require valid-user
+  </Location>
+</VirtualHost>
--- a/roles/totpcgi/templates/provisioning.conf.j2
+++ b/roles/totpcgi/templates/provisioning.conf.j2
@ -0,0 +1,88 @@
+[secret]
+# Whether to encrypt the secret when we generate it. Encrypting the secret
+# with the user's pincode means that even if the .totp file is leaked, an
+# attacker will not be able to get the secret without knowing the user's
+# pincode. The downside is that if a user forgets their pincode, both the
+# pincode and the secret will need to be fully re-provisioned.
+# Setting to "True" will also turn off scratch-token support.
+encrypt_secret = False
+
+# You can allow for some clock drift between the client and server by setting
+# the permitted window size. Window size is calculated in 10-second intervals,
+# so a window size of 6 allows clock drift of 60 seconds in either direction.
+window_size = 3
+
+# First value is the number of times. Second value is the number of seconds.
+# So, "3, 30" means "3 falures within 30 seconds"
+rate_limit = 3, 30
+
+# How many scratch tokens to generate. Note, that this setting is ignored
+# if encrypt_secret is set to True.
+scratch_tokens_n = 5
+
+# This identifies the token in the Google Authenticator application. It comes
+# very handy when users have more than one token, so set this to something
+# descriptive of your environment.
+{% if environment == "staging" %}
+totp_user_mask = $username@stg.fedoraproject.org
+{% else %}
+totp_user_mask = $username@fedoraproject.org
+{% endif %}
+
+# Used by provisioning.cgi
+# Where the provisioning CGI is located, with regards to the web root.
+action_url = /totpcgiprovision/index.cgi
+
+# Used by provisioning.cgi
+# Where provisioning.css and provisioning-print.css are located with regards
+# to the web root.
+css_root = /totpcgiprovision/
+
+# Used by provisioning.cgi
+# Where to find the templates files.
+templates_dir = /etc/totpcgi/templates
+
+# Used by provisioning.cgi
+# Whether to rely on HTTP auth to handle authentication.
+# As we don't get the password, only the username, turning this on
+# will automatically set encrypt_secret to false.
+#
+# Be careful turning this on.
+trust_http_auth = True
+
+
+[pincode]
+# Which hashing mechanism to use. Valid entries: md5, bcrypt, sha256, sha512
+usehash = sha256
+
+# Whether to compile the DBM database (only meaningful with the file backend)
+makedb = True
+
+# The backends are pretty much the same as in totpcgi.conf, except if you
+# are using the postgresql secret backend, you need to connect as a user
+# that is allowed to modify user records (e.g. totpcgi_admin).
+[secret_backend]
+;engine = file
+;secrets_dir = /etc/totpcgi/totp
+
+; For PostgreSQL backend:
+engine = pgsql
+pg_connect_string = user={{ totpcgiadminDBUser }} password={{ totpcgiadminDBPassword }} host=db-fas01 dbname=totpcgi
+
+[pincode_backend]
+engine = pgsql
+pg_connect_string = user={{ totpcgiadminDBUser }} password={{ totpcgiadminDBPassword }} host=db-fas01 dbname=totpcgi
+
+; For LDAP backend (simple bind auth):
+;engine = ldap
+;ldap_url    = ldaps://ipa.example.com:636/
+;ldap_dn     = uid=$username,cn=users,cn=accounts,dc=example,dc=com
+;ldap_cacert = /etc/pki/tls/certs/ipa-ca.crt
+
+[state_backend]
+;engine = file
+;state_dir = /var/lib/totpcgi
+
+; For PostgreSQL backend:
+engine = pgsql
+pg_connect_string = user={{ totpcgiadminDBUser }} password={{ totpcgiadminDBPassword }} host=db-fas01 dbname=totpcgi
--- a/roles/totpcgi/templates/totpcgi.conf.j2
+++ b/roles/totpcgi/templates/totpcgi.conf.j2
@ -0,0 +1,31 @@
+[main]
+require_pincode = True
+success_string = OK
+{% if env == "staging" %}
+fas_url = https://admin.stg.fedoraproject.org/accounts/
+{% else %}
+fas_url = https://admin.fedoraproject.org/accounts/
+{% endif %}
+
+[secret_backend]
+; For PostgreSQL backend:
+engine = pgsql
+pg_connect_string = user={{ totpcgiDBUser }} password={{ totpcgiDBPassword }} host=db-fas01 dbname=totpcgi
+
+[pincode_backend]
+engine = pgsql
+pg_connect_string = user={{ totpcgiDBUser }} password={{ totpcgiDBPassword }} host=db-fas01 dbname=totpcgi
+
+; For LDAP backend (simple bind auth):
+;engine = ldap
+;ldap_url    = ldaps://ipa.example.com:636/
+;ldap_dn     = uid=$username,cn=users,cn=accounts,dc=example,dc=com
+;ldap_cacert = /etc/pki/tls/certs/ipa-ca.crt
+
+[state_backend]
+;engine = file
+;state_dir = /var/lib/totpcgi
+
+; For PostgreSQL backend:
+engine = pgsql
+pg_connect_string = user={{ totpcgiDBUser }} password={{ totpcgiDBPassword }} host=db-fas01 dbname=totpcgi