privacyidea-checkotp 2.27 KB
#!/bin/bash
#
# privacyidea-checkotp	- shell implementation of the PrivacyIDEA OTP check for
#			  integration with FreeRadius on systems without perl
#
# Version 1.0, latest version, documentation and bugtracker available at:
#		https://gitlab.lindenaar.net/scripts/privacyidea-checkotp
#
# Copyright (c) 2015 Frederik Lindenaar
#
# This script is free software: you can redistribute and/or modify it under the
# terms of version 3 of the GNU General Public License as published by the Free
# Software Foundation, or (at your option) any later version of the license.
#
# This script is distributed in the hope that it will be useful but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this program.  If not, visit <http://www.gnu.org/licenses/> to download it.

# If called for the Outbound-User Service type, exit immediately (not supported)
if [ "$SERVICE_TYPE" = "Outbound-User" ]; then
  exit 8
fi

# Obtain parameters from command line or environment variables
if [ $# = 1 ]; then
  URL="$1/validate/check"
  LOGIN=`echo "${STRIPPED_USER_NAME:-$USER_NAME}" | sed 's/^"\(.*\)"$/\1/'`
  PASSWORD=`echo "$USER_PASSWORD" | sed 's/^"\(.*\)"$/\1/'`
  NAS=`echo "$NAS_IP_ADDRESS" | sed 's/^"\(.*\)"$/\1/'`
elif [ $# = 3 ]; then
  URL="$1/validate/check"
  LOGIN="$2"
  PASSWORD="$3"
  NAS=
elif [ $# = 4 ]; then
  URL="$1/validate/check"
  LOGIN="$2"
  PASSWORD="$3"
  NAS="$4"
else
  echo "Usage: `basename $0` <urlprefix> [login password [nasip]]"
  exit 2
fi

# Obtain the result using curl
otpresult=`/usr/bin/curl -s "$URL" --data-urlencode "user=$LOGIN" --data-urlencode "pass=$PASSWORD" --data-urlencode "client=$NAS"`

# Extract the status of the request from the returned JSON
otpstatus=`echo $otpresult | sed 's/^{.*"result": *{ *"status": *true, *"value": *\(.*\) *},.*}/\1/'`

if [ "$otpstatus" = "true" ]; then 
#  echo $LOGIN did authenticate $otpresult
  echo Auth-Type=PrivacyIDEA
  exit 0
elif [ "$otpstatus" = "false" ]; then 
#  echo $LOGIN did not authenticate $otpresult
  echo Auth-Type=REJECT
  exit 1
else
  echo Error occurred while connecting to $URL, got result: "$otpresult"
  exit 2
fi