author | Kim Hagen <kim@sentrium.io> | 2021-09-02 06:02:43 -0500 |
---|---|---|
committer | Kim Hagen <kim@sentrium.io> | 2021-09-02 06:02:43 -0500 |
commit | 87ee779a977e6b643d4131eb5d89b1264c3bdf55 (patch) | |
tree | 74fff4dd1e83b0ce59578db6b0f26965d90177be /src | |
parent | 04e87d5a597451ea5eb21294666eef31b4daab09 (diff) | |
add 2fa op files and update template
Diffstat (limited to 'src')
-rwxr-xr-x | src/completion/list_openvpn_users.py | 48 | ||||
-rwxr-xr-x | src/op_mode/show_openvpn_2fa.py | 64 |
2 files changed, 112 insertions, 0 deletions
diff --git a/src/completion/list_openvpn_users.py b/src/completion/list_openvpn_users.py
new file mode 100755
index 000000000..c472dbeab
--- /dev/null
+++ b/src/completion/list_openvpn_users.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019-2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import sys
+import argparse
+
+from vyos.config import Config
+from vyos.util import dict_search
+
+def get_user_from_interface(interface):
+ config = Config()
+ base = ['interfaces', 'openvpn', interface]
+ openvpn = config.get_config_dict(base, effective=True, key_mangling=('-', '_'))
+ users = []
+
+ try:
+ for user in (dict_search('server.client', openvpn[interface]) or []):
+ users.append(user.split(',')[0])
+ except:
+ pass
+
+ return users
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-i", "--interface", type=str, help="List users per interface")
+ args = parser.parse_args()
+
+ users = []
+
+ users = get_user_from_interface(args.interface)
+
+ print(" ".join(users))
+
diff --git a/src/op_mode/show_openvpn_2fa.py b/src/op_mode/show_openvpn_2fa.py
new file mode 100755
index 000000000..8600f755d
--- /dev/null
+++ b/src/op_mode/show_openvpn_2fa.py
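Review bot: The bare `except: pass` in get_user_from_interface (list_openvpn_users.py) hides every failure, including the KeyError from `openvpn[interface]` when the interface is not configured, so a broken lookup looks the same as an interface with no users. Narrow it to what you expect, e.g. `except KeyError:`, or read the entry with `openvpn.get(interface, {})` and drop the try. `-i` is optional, so `args.interface` can be None and is placed into the config path as-is; `required=True` on the argument would reject that early. `os` and `sys` are imported but unused, and the first `users = []` in the main block is overwritten on the next statement.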
@@ -0,0 +1,64 @@
+#!/usr/bin/env python3
+
+# Copyright 2017, 2021 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+import re
+import socket
+import urllib.parse
+import argparse
+
+from vyos.util import popen
+
+otp_file = '/config/auth/openvpn/{interface}-otp-secrets'
+
+def get_2fa_secret(interface, client):
+ try:
+ with open(otp_file.format(interface=interface), "r") as f:
+ users = f.readlines()
+ for user in users:
+ if re.search('^' + client + ' ', user):
+ return user.split(':')[3]
+ except:
+ pass
+
+def get_2fa_uri(client, secret):
+ hostname = socket.gethostname()
+ fqdn = socket.getfqdn()
+ uri = 'otpauth://totp/{hostname}:{client}@{fqdn}?secret={secret}'
+
+ return urllib.parse.quote(uri.format(hostname=hostname, client=client, fqdn=fqdn, secret=secret), safe='/:@?=')
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(add_help=False, description='Show 2fa information')
+ parser.add_argument('--intf', action="store", type=str, default='', help='only show the specified interface')
+ parser.add_argument('--user', action="store", type=str, default='', help='only show the specified users')
+ parser.add_argument('--action', action="store", type=str, default='show', help='action to perform')
+
+ args = parser.parse_args()
+ secret = get_2fa_secret(args.intf, args.user)
+
+ if args.action == "secret" and secret:
+ print(secret)
+
+ if args.action == "uri" and secret:
+ uri = get_2fa_uri(args.user, secret)
+ print(uri)
+
+ if args.action == "qrcode" and secret:
+ uri = get_2fa_uri(args.user, secret)
+ qrcode,err = popen('qrencode -t ansiutf8', input=uri)
+ print(qrcode)
+ |
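Review bot: In get_2fa_secret, `re.search('^' + client + ' ', user)` builds the pattern from the unescaped `--user` value, so a name containing regex metacharacters can match a different user's line and the script then prints that user's TOTP secret. Compare literally instead, e.g. `if user.startswith(client + ' '):`, or wrap the value with `re.escape(client)`. `--intf` is likewise formatted straight into the `/config/auth/openvpn/{interface}-otp-secrets` path with no check; validating it against the configured OpenVPN interface names, or rejecting values containing `/` or `..`, would keep the read inside that directory. The bare `except: pass` also turns a permission error or a short line (IndexError from `split(':')[3]`) into silent empty output, so catching `OSError` and `IndexError` explicitly would make failures visible.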