From b776003cf55e1035ac83186e44f72764e52e9e0d Mon Sep 17 00:00:00 2001
From: goodNETnick <pknet@ya.ru>
Date: Mon, 7 Feb 2022 02:04:28 -0500
Subject: ocserv: T4231: Added OTP support for Openconnect 2FA

---
 .../include/auth-local-users.xml.i                 | 69 ++++++++++++++++++++++
 interface-definitions/vpn_openconnect.xml.in       | 50 +++++++++++-----
 2 files changed, 103 insertions(+), 16 deletions(-)

(limited to 'interface-definitions')

diff --git a/interface-definitions/include/auth-local-users.xml.i b/interface-definitions/include/auth-local-users.xml.i
index 8ef09554e..add2fc8e1 100644
--- a/interface-definitions/include/auth-local-users.xml.i
+++ b/interface-definitions/include/auth-local-users.xml.i
@@ -7,6 +7,10 @@
     <tagNode name="username">
       <properties>
         <help>Username used for authentication</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>Username used for authentication</description>
+        </valueHelp>
       </properties>
       <children>
         #include <include/generic-disable-node.xml.i>
@@ -15,6 +19,71 @@
             <help>Password used for authentication</help>
           </properties>
         </leafNode>
+        <node name="otp">
+          <properties>
+            <help>2FA OTP authentication parameters</help>
+          </properties>
+          <children>
+            <leafNode name="key">
+              <properties>
+                <help>Token Key Secret key for the token algorithm (see RFC 4226)</help>
+                <valueHelp>
+                  <format>txt</format>
+                  <description>OTP key in hex-encoded format</description>
+                </valueHelp>
+                <constraint>
+                  <regex>[a-fA-F0-9]{20,10000}</regex>
+                </constraint>
+                <constraintErrorMessage>Key name must in hex be alphanumerical only (min. 20 hex characters)</constraintErrorMessage>
+              </properties>
+            </leafNode>
+            <leafNode name="otp-length">
+              <properties>
+                <help>Optional. Number of digits in OTP code (default: 6)</help>
+                <valueHelp>
+                  <format>u32:6-8</format>
+                  <description>Number of digits in OTP code (default: 6)</description>
+                </valueHelp>
+                <constraint>
+                  <validator name="numeric" argument="--range 6-8"/>
+                </constraint>
+                <constraintErrorMessage>Number of digits in OTP code must be between 6 and 8</constraintErrorMessage>
+              </properties>
+            </leafNode>
+            <leafNode name="interval">
+              <properties>
+                <help>Optional. Time tokens interval in seconds (for time tokens) (default: 30)</help>
+                <valueHelp>
+                  <format>u32:5-86400</format>
+                  <description>Time tokens interval in seconds (for time tokens). (default: 30)</description>
+                </valueHelp>
+                <constraint>
+                  <validator name="numeric" argument="--range 5-86400"/>
+                </constraint>
+                <constraintErrorMessage>Time token interval must be between 5 and 86400 seconds</constraintErrorMessage>
+              </properties>
+            </leafNode>
+            <leafNode name="token-type">
+              <properties>
+                <help>Optional. Token type (default: hotp-time)</help>
+                <valueHelp>
+                  <format>hotp-time</format>
+                  <description>time-based OTP algorithm</description>
+                </valueHelp>
+                <valueHelp>
+                  <format>hotp-event</format>
+                  <description>event-based OTP algorithm</description>
+                </valueHelp>
+                <constraint>
+                  <regex>(hotp-time|hotp-event)</regex>
+                </constraint>
+                <completionHelp>
+                  <list>hotp-time hotp-event</list>
+                </completionHelp>
+              </properties>
+            </leafNode>
+          </children>
+        </node>
       </children>
     </tagNode>
   </children>
diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in
index 0db5e79d0..a3862647c 100644
--- a/interface-definitions/vpn_openconnect.xml.in
+++ b/interface-definitions/vpn_openconnect.xml.in
@@ -13,25 +13,43 @@
               <help>Authentication for remote access SSL VPN Server</help>
             </properties>
             <children>
-              <leafNode name="mode">
+              <node name="mode">
                 <properties>
                   <help>Authentication mode used by this server</help>
-                  <valueHelp>
-                    <format>local</format>
-                    <description>Use local username/password configuration</description>
-                  </valueHelp>
-                  <valueHelp>
-                    <format>radius</format>
-                    <description>Use RADIUS server for user autentication</description>
-                  </valueHelp>
-                  <constraint>
-                    <regex>^(local|radius)$</regex>
-                  </constraint>
-                  <completionHelp>
-                    <list>local radius</list>
-                  </completionHelp>
                 </properties>
-              </leafNode>
+                <children>
+                  <leafNode name="local">
+                    <properties>
+                      <help>Use local username/password configuration (OTP supported)</help>
+                      <valueHelp>
+                        <format>password</format>
+                        <description>Password-only local authentication (default)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>otp</format>
+                        <description>OTP-only local authentication</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>password-otp</format>
+                        <description>Password (first) + OTP local authentication</description>
+                      </valueHelp>
+                      <constraint>
+                        <regex>^(password|otp|password-otp)$</regex>
+                      </constraint>
+                      <constraintErrorMessage>Invalid authentication mode</constraintErrorMessage>
+                      <completionHelp>
+                        <list>otp password password-otp</list>
+                      </completionHelp>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="radius">
+                    <properties>
+                      <help>Use RADIUS server for user autentication</help>
+                      <valueless/>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
               #include <include/auth-local-users.xml.i>
               #include <include/radius-server-ipv4.xml.i>
               <node name="radius">
-- 
cgit v1.2.3