manage pam_oath auth file

oathupdate

#!/usr/bin/env python3
# update OTP auth file of pam_oath

OATHFILE = '/etc/users.oath'

from base64 import b16encode, b16decode, b32encode
from sys import argv
import os
import subprocess as sp

if len(argv) < 2:
	print(f'''usage: {argv[0]} [options] user
manage otp auth file
options:
  -d  remove oath auth
  -l  reset creds but do not show
  -v  view creds''')
	exit(1)

cmd = None
user = None
for o in argv[1:]:
	if not (cmd is None) and o in {'-d', '-l', '-v'}:
		raise RuntimeError('conflicting operations')
	if o == '-d':
		cmd = 'delete'
	elif o == '-l':
		cmd = 'lock'
	elif o == '-v':
		cmd = 'view'
	elif o.startswith('-'):
		raise RuntimeError(f'unknown option {o}')
	else:
		if user:
			raise RuntimeError('user already specified')
		user = o

if not cmd:
	cmd = 'update'

lines = None
with open(OATHFILE) as f:
	lines = f.readlines()

uline = None

if cmd in {'update', 'delete', 'lock'}:
	uidx = -1
	for i in range(len(lines)):
		l = lines[i].strip()
		if l.startswith('#'):
			continue
		l = l.split()
		if l[1] == user:
			uline = l
			uidx = i
			break
	if uidx >= 0:
		lines.pop(uidx)

if cmd in {'update', 'lock'}:
	k = None
	with open('/dev/urandom', 'rb') as f:
		k = f.read(10)
	uline = ['HOTP/T30/6', user, '-', b16encode(k).decode().lower()]
	lines.append(' '.join(uline))

with open(OATHFILE, 'w') as f:
	for l in lines:
		f.write(l.strip() + '\n')

if cmd in {'update', 'view'}:
	if not uline:
		raise RuntimeError('user not found')
	b32 = b32encode(b16decode(uline[3].upper())).decode()
	print(f'secret in base32 is {b32}')
	sp.run(['qrencode', '-t', 'ANSI256UTF8'], input=f'otpauth://totp/pam_oath:{user}@{os.uname().nodename}?secret={b32}&issuer=pam_oath', universal_newlines=True)