GithubFollow/One-KVM
1
0
Fork 0
mirror of https://github.com/mofeng-git/One-KVM.git synced 2025-12-12 01:00:29 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

pikvm/pikvm#1459: TOTP valid_window=5

Browse Source
This commit is contained in:
Maxim Devaev 2025-01-15 00:46:29 +02:00
parent d3549ab52b
commit b6c73aceb7
4 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
kvmd/apps/__init__.py
View File

@ -370,6 +370,7 @@ def _get_config_scheme() -> dict:
}, },
"totp": { "totp": {
"valid_window": Option(1, type=functools.partial(valid_number, min=0, max=5)),
"secret": { "secret": {
"file": Option("/etc/kvmd/totp.secret", type=valid_abs_path, if_empty=""), "file": Option("/etc/kvmd/totp.secret", type=valid_abs_path, if_empty=""),
}, },

1
kvmd/apps/kvmd/__init__.py
View File

@ -86,6 +86,7 @@ def main(argv: (list[str] | None)=None) -> None:
external_kwargs=(config.auth.external._unpack(ignore=["type"]) if config.auth.external.type else {}), external_kwargs=(config.auth.external._unpack(ignore=["type"]) if config.auth.external.type else {}),
totp_secret_path=config.auth.totp.secret.file, totp_secret_path=config.auth.totp.secret.file,
totp_valid_window=config.auth.totp.valid_window,
), ),
info_manager=InfoManager(global_config), info_manager=InfoManager(global_config),
log_reader=(LogReader() if config.log_reader.enabled else None), log_reader=(LogReader() if config.log_reader.enabled else None),

6
kvmd/apps/kvmd/auth.py
View File

@ -34,7 +34,7 @@ from ...htserver import HttpExposed
# ===== # =====
class AuthManager: class AuthManager: # pylint: disable=too-many-instance-attributes
def __init__( def __init__(
self, self,
enabled: bool, enabled: bool,
@ -47,6 +47,7 @@ class AuthManager:
external_type: str, external_type: str,
external_kwargs: dict, external_kwargs: dict,
totp_valid_window: int,
totp_secret_path: str, totp_secret_path: str,
) -> None: ) -> None:
@ -70,6 +71,7 @@ class AuthManager:
self.__external_service = get_auth_service_class(external_type)(**external_kwargs) self.__external_service = get_auth_service_class(external_type)(**external_kwargs)
get_logger().info("Using external auth service %r", self.__external_service.get_plugin_name()) get_logger().info("Using external auth service %r", self.__external_service.get_plugin_name())
self.__totp_valid_window = totp_valid_window
self.__totp_secret_path = totp_secret_path self.__totp_secret_path = totp_secret_path
self.__tokens: dict[str, str] = {} # {token: user} self.__tokens: dict[str, str] = {} # {token: user}
@ -95,7 +97,7 @@ class AuthManager:
secret = file.read().strip() secret = file.read().strip()
if secret: if secret:
code = passwd[-6:] code = passwd[-6:]
if not pyotp.TOTP(secret).verify(code): if not pyotp.TOTP(secret).verify(code, valid_window=self.__totp_valid_window):
get_logger().error("Got access denied for user %r by TOTP", user) get_logger().error("Got access denied for user %r by TOTP", user)
return False return False
passwd = passwd[:-6] passwd = passwd[:-6]

2
testenv/tests/apps/kvmd/test_auth.py
View File

@ -69,6 +69,7 @@ async def _get_configured_manager(
external_type=("htpasswd" if external_path else ""), external_type=("htpasswd" if external_path else ""),
external_kwargs=(_make_service_kwargs(external_path) if external_path else {}), external_kwargs=(_make_service_kwargs(external_path) if external_path else {}),
totp_valid_window=0,
totp_secret_path="", totp_secret_path="",
) )
@ -200,6 +201,7 @@ async def test_ok__disabled() -> None:
external_type="", external_type="",
external_kwargs={}, external_kwargs={},
totp_valid_window=0,
totp_secret_path="", totp_secret_path="",
) )