Initial totp-fetch-seed implementation, not complete yet
authorTollef Fog Heen <tfheen@err.no>
Fri, 26 Jul 2019 21:57:05 +0000 (23:57 +0200)
committerTollef Fog Heen <tfheen@err.no>
Fri, 26 Jul 2019 21:57:05 +0000 (23:57 +0200)
debian/changelog
debian/control
debian/rules
fetch-totp-seed.cgi [new file with mode: 0644]
html/fetch-totp-seed.wml [new file with mode: 0644]

index 6f560a6..5572b7c 100644 (file)
@@ -1,4 +1,4 @@
-userdir-ldap-cgi (0.3.43) UNRELEASED; urgency=medium
+userdir-ldap-cgi (0.3.43~) UNRELEASED; urgency=medium
 
   [ Peter Palfrader ]
   * html/Makefile: searchform.html also requires domains.tab
@@ -6,6 +6,7 @@ userdir-ldap-cgi (0.3.43) UNRELEASED; urgency=medium
   [ Tollef Fog Heen ]
   * Ship a /var/cache/userdir-ldap/totp directory where ud-mailgate can
     put totp secrets to be picked up.
+  * Add totp-fetch-seed.cgi for fetching totp seeds.
 
  -- Tollef Fog Heen <tfheen@debian.org>  Tue, 23 Jul 2019 23:07:19 +0200
 
index bc986b1..084244c 100644 (file)
@@ -19,6 +19,8 @@ Depends: userdir-ldap,
        libnet-ldap-perl,
        libossp-uuid-perl,
        liburi-perl,
+       libconvert-base32-perl,
+       libgd-barcode-perl,
        gnupg (>=1.0.3),
        python,
        python-crack | python-cracklib,
index 409bba0..b49cd7b 100755 (executable)
@@ -49,6 +49,7 @@ binary-indep: build
        install -m 644 html/searchform.html $(i)/var/www/userdir-ldap/
        install -m 644 html/searchhelp.html $(i)/var/www/userdir-ldap/
        install -m 644 html/searchresults.html $(i)/var/www/userdir-ldap/
+       install -m 644 html/fetch-totp-seed.html $(i)/var/www/userdir-ldap/
        install -m 644 html/update.html $(i)/var/www/userdir-ldap/
        chown www-data:www-data $(i)/var/cache/userdir-ldap/web-cookies/
        chmod u=rwx,g=,o= $(i)/var/cache/userdir-ldap/web-cookies/
diff --git a/fetch-totp-seed.cgi b/fetch-totp-seed.cgi
new file mode 100644 (file)
index 0000000..639b7eb
--- /dev/null
@@ -0,0 +1,49 @@
+#! /usr/bin/perl -T
+
+use lib '.';
+use strict;
+use warnings;
+use CGI;
+use Util;
+use Convert::Base32;
+use MIME::Base64;
+use GD::Barcode::QRcode;
+
+# Global settings...
+my %config = &Util::ReadConfigFile;
+
+my $query = new CGI;
+
+my $random_id = $query->param('id');
+$random_id =~ /^((\d+)-([a-f0-9]+))$/;
+$random_id = $1;
+my $timestamp = $2;
+
+if ($timestamp + 1800 < time()) {
+       &Util::HTMLError("Timestamp too old, please request a new seed");
+}
+
+my $filename = $config{totpticketdirectory} . "/" . $random_id;
+open(my $fh, "<", $filename) or &Util::HTMLError("TOTP seed file not found or permission denied: $! ; $filename");
+my $seed = encode_base32(pack('H*', <$fh>));
+close $fh;
+#unlink $filename;
+
+my $totpurl = "otpauth://totp/Debian?secret=$seed&issuer=Debian";
+my $totppng = "data:image/png;base64, " .
+       encode_base64(GD::Barcode::QRcode->new($totpurl,
+                                              { ModuleSize => 10 })->plot->png);
+
+&Util::HTMLSendHeader;
+open (F, "<", "fetch-totp-seed.html") || &Util::HTMLError($!);
+while (<F>) {
+    s/~totppng~/$totppng/g;
+    s/~totpseed~/$seed/g;
+    print;
+  }
+  close F;
+
+# fill out HTML template with QR code (inline svg/png?)
+# self-link with png link to avoid changing content-security-policy (change it back)
+
+exit 0;
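Review bot: The match on line 68 is never tested, so an `id` that does not fit `<digits>-<hex>` (or a missing `id`) leaves `$1`/`$2` undef; the freshness check on line 72 then fires with a misleading "Timestamp too old" message, and if `Util::HTMLError` returns (not visible on this page) the open on line 77 runs against the bare ticket directory. Guard it before anything reads the captures, e.g. `unless (defined $random_id && $random_id =~ /\A((\d+)-([a-f0-9]+))\z/) { &Util::HTMLError("Invalid seed id"); }`, and add an explicit `exit` after the error calls if `HTMLError` does not already terminate. The error text on line 77 echoes `$filename` and `$!` back to the browser, which reveals the server-side ticket directory layout; log them server-side and send a fixed message instead. Line 78 hands the first line of the seed file, including any trailing newline, to `pack('H*', ...)`, and `H` silently folds a non-hex byte into an extra nibble, so `chomp` and validate the hex before packing. The fence shows lines 67–78 rewritten along these lines.

```perl
my $random_id = $query->param('id');
# A failed match must not fall through: $1/$2 would be undef and the
# later checks would run against the bare ticket directory.
unless (defined $random_id && $random_id =~ /\A((\d+)-([a-f0-9]+))\z/) {
    &Util::HTMLError("Invalid seed id");
}
$random_id = $1;              # untainted copy of the validated id
my $timestamp = $2;
# … unchanged: freshness check …
my $filename = $config{totpticketdirectory} . "/" . $random_id;
# Keep the path and $! out of the response; they describe the server layout.
open(my $fh, "<", $filename) or &Util::HTMLError("TOTP seed not found");
my $hex = <$fh>;
close $fh;
chomp $hex if defined $hex;
# pack 'H*' folds non-hex bytes (e.g. "\n") into nibbles, so validate first.
unless (defined $hex && $hex =~ /\A(?:[0-9a-f]{2})+\z/i) {
    &Util::HTMLError("Malformed TOTP seed");
}
my $seed = encode_base32(pack('H*', $hex));
```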
diff --git a/html/fetch-totp-seed.wml b/html/fetch-totp-seed.wml
new file mode 100644 (file)
index 0000000..c57ffe2
--- /dev/null
@@ -0,0 +1,9 @@
+#use wml::db.d.o title="Your debian.org TOTP seed"
+
+Please scan the QR code using your phone.
+
+<img src="~totppng~">
+
+You can also manually input the following shared secret into your TOTP compatible app:
+
+~totpseed~