feat[totp]: add user TOTP configuration check #16
+86
−11
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
The code now checks if the user has TOTP configured. If so, the input is split by the last index of the '/' character, instead of every occurrence of the character. The #14 issue should be resolved in this branch. If there is no TOTP configured for the user, the logic remains the same as in the current master branch.
This code introduces two additional configuration options:
realmapiusername
andrealmapiassword
, which are required for theIsTOTPConfigured
function to run flawlessly. These configurations describe a Keycloak service user that should be present in the realm and has at least therealm-management->view-users
role assigned. This user is used to call the Keycloak admin API and check if the SSH user has TOTP configured.Notes:
realm-management->view-users
role assigned if TOTP is configured.config.toml
should not be readable by non-admin users of the system (for example permissions should be set to 640) to prevent compromise Keycloak API user.Doubts:
IsTOTPConfigured
function should be in a separeted package fileFixes #14
Type of change
How Has This Been Tested?
This was tested by configuring PAM with this module to use a Keycloak instance. A bunch of users were tested with TOPT configured as well as with no TOTP configuration. Multiple occurrences of '/' were added to users passwords to test if splitting works correctly.
Checklist:
master