Parameterize Label and Issuer for otpauth: url for QR code

author: Halfwalker <deano-gitea@areyes.com> 2024-12-14 19:05:35 -0700
committer: Nicholas Johnson <mail@nicholasjohnson.ch> 2025-01-29 00:00:00 +0000
commit: ba21e8690e3fbf6ec2cbd13e93792e2e33d9d2c3b05bf862014db41480e5cd8f (patch)
tree: 7a37049c103d82b012d6a3d5e82e8d1f7f06c5035f00b14a112927c8a6bd4f3e
parent: e857ecddd90424302c31d342aba276d5c8ca9dab85eaecc69af55dd0bf5ba2e1 (diff)
download: ansible-role-google-authenticator-ba21e8690e3fbf6ec2cbd13e93792e2e33d9d2c3b05bf862014db41480e5cd8f.tar.gz
ansible-role-google-authenticator-ba21e8690e3fbf6ec2cbd13e93792e2e33d9d2c3b05bf862014db41480e5cd8f.zip
3 files changed, 44 insertions, 15 deletions
diff --git a/README.md b/README.md
index 3379199..737b5f5 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@ This role is to install google authenticator and integrate it into ssh so that T
 
 It will create a `~/.google_authenticator` if required, and will NOT alter or remove any existing version.
 
-It will update `/etc/ssh/sshd_config.d` to ensure that a token is required for any ssh connection without an ssh key.  Connections _with_ an ssh key will not require a token, though this may be enabled so that tokens are *always* required.  Set the global **google_auth_force** variable to _true_ or an individual host entry (see below) to enable this.
+It will update `/etc/ssh/sshd_config.d` to ensure that a token is required for any ssh connection _without_ an ssh key.  Connections _with_ an ssh key will not require a token, though this may be enabled so that tokens are *always* required.  Set the global **google_auth_force** variable to _true_ or an individual host entry (see below) to enable this.
 
 ## Configuration
 
@@ -16,17 +16,23 @@ To pre-populate the TOTP secret there are two locations to place the information
 * *Much* more preferably place them into an ansible-vault encrypted file under the **vault_google_auth_config** variable.  Typically this might be in `group_vars/all/vault`
 
 The format is as follows
-| Variable | Description |
-| :--- | :--- |
-| name: | The inventory_hostname for this block |
-| force_auth: | force token for ALL ssh connections for this host |
-| secret: | Standard `.google_authenticator` secret info
+| Variable | Description | Required ? |
+| :--- | :--- | :--- |
+| name: | The inventory_hostname for this block | Required |
+| force_auth: | Force token for ALL ssh connections for this host | Optional |
+| label: | Label for the otpauth: url for the QR code | Optional |
+| issuer: | Issuer for the otpauth: url for the QR code | Optional |
+| secret: | Standard `.google_authenticator` secret info | Required |
+
+The Optional keys have default values in `defaults/main.yml`
 
 ```yaml
 # 1st line of secret can be 16 or 26 chars
 vault_google_auth_config:
   - name: host1.example.com
     force_auth: false
+    label: "Mailsys%20{{ inventory_hostname_short }}:{{ username }}"
+    issuer: "Example%20Corp%20Mailsys"
     secret: |
       6DRWZ2AWOAFAQMSI
       "RATE_LIMIT 3 30
diff --git a/defaults/main.yml b/defaults/main.yml
index 7545e05..629fb98 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,9 +5,12 @@ username: "{{ vault_username | default(ansible_user_id) }}"
 
 # Use google authenticator config from vault if it's there
 # 1st line secret can be 16 or 26 chars
+# NOTE: Be sure to use char encoding for spaces
 # vault_google_auth_config:
 #   - name: host1.example.com
 #     force_auth: false
+#     label: "Mailsys%20{{ inventory_hostname_short }}:{{ username }}"
+#     issuer: "Example%20Corp%20Mailsys"
 #     secret: |
 #       6DRWZ2AWOAFAQMSI
 #       "RATE_LIMIT 3 30
@@ -36,6 +39,11 @@ google_auth_config: "{{ vault_google_auth_config | default('NEW') }}"
 # Force use of token even with SSH key
 google_auth_force: false
 
+# Default label and issuer if not defined in vault_google_auth_config for the host(s)
+# NOTE: Be sure to use char encoding for spaces
+google_auth_label: "Example%20{{ inventory_hostname_short }}:{{ username }}"
+google_auth_issuer: "Example%20Inc."
+
 google_auth_packages:
   - libpam-google-authenticator
   - python3-qrcode
diff --git a/tasks/main.yml b/tasks/main.yml
index 74e0a32..882f8ad 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -116,9 +116,6 @@
     fail_msg: "The TOTP variable does not meet the required structure."
     success_msg: "The TOTP variable is valid."
 
-- debug:
-    var: google_auth_config_mine
-
 # Capture secret key - GOOGLE_SECRET=$(head -1 .google_authenticator
 - name: Extract Google Authenticator secret key
   ansible.builtin.set_fact:
@@ -133,17 +130,32 @@
   ansible.builtin.set_fact:
     google_scratch_codes: "{{ valid_lines | select('match', '^[0-9]{8}$') | list }}"
 
-- debug:
-    var: google_secret_key
-- debug:
-    var: google_scratch_codes
+- name: Extract label for {{ inventory_hostname }} if it exists
+  ansible.builtin.set_fact:
+    google_auth_label: "{{ google_auth_config | selectattr('name', 'equalto', inventory_hostname) | map(attribute='label') | first }}"
+  when: >
+    google_auth_config | selectattr('name', 'equalto', inventory_hostname) | list | length > 0 and
+    (google_auth_config | selectattr('name', 'equalto', inventory_hostname) | first).get('label') is not none and
+    (google_auth_config | selectattr('name', 'equalto', inventory_hostname) | first).get('label') != ''
+
+- name: Extract issuer for {{ inventory_hostname }} if it exists
+  ansible.builtin.set_fact:
+    google_auth_issuer: "{{ google_auth_config | selectattr('name', 'equalto', inventory_hostname) | map(attribute='issuer') | first }}"
+  when: >
+    google_auth_config | selectattr('name', 'equalto', inventory_hostname) | list | length > 0 and
+    (google_auth_config | selectattr('name', 'equalto', inventory_hostname) | first).get('issuer') is not none and
+    (google_auth_config | selectattr('name', 'equalto', inventory_hostname) | first).get('issuer') != ''
 
 # Create QR code
 - name: Create QR code for secret
-  ansible.builtin.command: "/usr/bin/qrencode -m 3 -t UTF8 otpauth://totp/{{ inventory_hostname }}:{{ username }}%3Fsecret={{ google_secret_key }}%3FIssuer={{ inventory_hostname_short }}_mailsys"
+  ansible.builtin.command: "/usr/bin/qrencode -m 3 -t UTF8 otpauth://totp/{{ google_auth_label }}?secret={{ google_secret_key }}&Issuer={{ google_auth_issuer }}"
   register: google_auth_qrcode
 
 - debug:
+    var: google_secret_key
+- debug:
+    var: google_scratch_codes
+- debug:
     msg: "{{ google_auth_qrcode.stdout }}"
 
 
@@ -176,7 +188,10 @@
           #
           PasswordAuthentication no
           # Only when global google_auth_force is true OR specific inventory_hostname has force_auth: true
-      when: google_auth_force == true or google_auth_config | selectattr('name', 'equalto', inventory_hostname) | selectattr('force_auth', 'equalto', true) | list | length > 0
+      when: >
+        google_auth_force == true or
+        (google_auth_config | selectattr('name', 'equalto', inventory_hostname) | list | length > 0 and
+        (google_auth_config | selectattr('name', 'equalto', inventory_hostname) | first).get('force_auth') is true)
   #
   # block system file updates
author	Halfwalker <deano-gitea@areyes.com>	2024-12-14 19:05:35 -0700
committer	Nicholas Johnson <mail@nicholasjohnson.ch>	2025-01-29 00:00:00 +0000
commit	ba21e8690e3fbf6ec2cbd13e93792e2e33d9d2c3b05bf862014db41480e5cd8f (patch)
tree	7a37049c103d82b012d6a3d5e82e8d1f7f06c5035f00b14a112927c8a6bd4f3e
parent	e857ecddd90424302c31d342aba276d5c8ca9dab85eaecc69af55dd0bf5ba2e1 (diff)
download	ansible-role-google-authenticator-ba21e8690e3fbf6ec2cbd13e93792e2e33d9d2c3b05bf862014db41480e5cd8f.tar.gz ansible-role-google-authenticator-ba21e8690e3fbf6ec2cbd13e93792e2e33d9d2c3b05bf862014db41480e5cd8f.zip