From f2c99eeaf5c8b9529b52cbbed29dda4f09193a7e Mon Sep 17 00:00:00 2001 From: Aaron Tan Date: Tue, 28 Mar 2017 13:18:09 -0400 Subject: [PATCH] Basic tacacs+ CTiT. --- awx/settings/defaults.py | 8 +++++ awx/sso/conf.py | 70 ++++++++++++++++++++++++++++++++++++++-- awx/sso/fields.py | 5 +++ 3 files changed, 81 insertions(+), 2 deletions(-) diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py index e3af1781db..3a1ec97993 100644 --- a/awx/settings/defaults.py +++ b/awx/settings/defaults.py @@ -313,6 +313,14 @@ RADIUS_SERVER = '' RADIUS_PORT = 1812 RADIUS_SECRET = '' +# TACACS+ settings (default host to empty string to skip using TACACS+ auth). +# Note: These settings may be overridden by database settings. +TACACSPLUS_HOST = '' +TACACSPLUS_PORT = 49 +TACACSPLUS_SECRET = '' +TACACSPLUS_SESSION_TIMEOUT = 5 +TACACSPLUS_AUTH_PROTOCOL = 'ascii' + # Seconds before auth tokens expire. # Note: This setting may be overridden by database settings. AUTH_TOKEN_EXPIRATION = 1800 diff --git a/awx/sso/conf.py b/awx/sso/conf.py index 3a2b2b77a8..fa1ce5ccc7 100644 --- a/awx/sso/conf.py +++ b/awx/sso/conf.py @@ -33,7 +33,7 @@ multiple organizations, otherwise the single default organization is used regardless of the key. Values are dictionaries defining the options for each organization's membership. For each organization it is possible to specify which users are automatically users of the organization and also -which users can administer the organization. +which users can administer the organization. - admins: None, True/False, string or list of strings. If None, organization admins will not be updated. @@ -51,7 +51,7 @@ which users can administer the organization. administrative list. - users: None, True/False, string or list of strings. Same rules apply as for admins. -- remove_users: True/False. Defaults to True. Same rules as apply for +- remove_users: True/False. Defaults to True. Same rules as apply for remove_admins.\ ''') 
@@ -520,6 +520,72 @@ register( encrypted=True, ) +############################################################################### +# TACACSPLUS AUTHENTICATION SETTINGS +############################################################################### + +register( + 'TACACSPLUS_HOST', + field_class=fields.CharField, + allow_blank=True, + default='', + label=_('TACACS+ Server'), + help_text=_('Hostname of TACACS+ server.'), + category=_('TACACSPLUS'), + category_slug='tacacsplus', + feature_required='enterprise_auth', +) + +register( + 'TACACSPLUS_PORT', + field_class=fields.IntegerField, + min_value=1, + max_value=65535, + default=49, + label=_('TACACS+ Port'), + help_text=_('Port number of TACACS+ server.'), + category=_('TACACSPLUS'), + category_slug='tacacsplus', + feature_required='enterprise_auth', +) + +register( + 'TACACSPLUS_SECRET', + field_class=fields.TACACSPLUSSecretField, + allow_blank=True, + default='', + label=_('TACACS+ Secret'), + help_text=_('Shared secret for authenticating to TACACS+ server.'), + category=_('TACACSPLUS'), + category_slug='tacacsplus', + feature_required='enterprise_auth', + encrypted=True, +) + +register( + 'TACACSPLUS_SESSION_TIMEOUT', + field_class=fields.IntegerField, + min_value=0, + default=5, + label=_('TACACS+ Auth Session Timeout'), + help_text=_('TACACS+ session timeout value in seconds. 
Set to 0 to cancel timeout.'), + category=_('TACACSPLUS'), + category_slug='tacacsplus', + feature_required='enterprise_auth', +) + +register( + 'TACACSPLUS_AUTH_PROTOCOL', + field_class=fields.ChoiceField, + choices=['ascii', 'pap'], + default='ascii', + label=_('TACACS+ Authentication Protocol'), + help_text=_('Choose the authentication protocol used by TACACS+ client.'), + category=_('TACACSPLUS'), + category_slug='tacacsplus', + feature_required='enterprise_auth', +) + ############################################################################### # GOOGLE OAUTH2 AUTHENTICATION SETTINGS ############################################################################### diff --git a/awx/sso/fields.py b/awx/sso/fields.py index 338178b288..a94cff3f7d 100644 --- a/awx/sso/fields.py +++ b/awx/sso/fields.py @@ -470,6 +470,11 @@ class RADIUSSecretField(fields.CharField): return value +class TACACSPLUSSecretField(RADIUSSecretField): + + pass + + class SocialMapStringRegexField(fields.CharField): def to_representation(self, value):
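Review bot: TACACSPLUS_SESSION_TIMEOUT accepts 0 (min_value=0) and the help text presents that as "cancel timeout", which means a login attempt against an unreachable TACACS+ server can block the request indefinitely; either raise min_value to 1 or make the help text warn about it, e.g. `help_text=_('TACACS+ session timeout value in seconds. Set to 0 to disable the timeout (an unresponsive server will then block logins).')`. Separately, TACACSPLUS_SECRET keeps allow_blank=True with an empty default, so nothing in this hunk stops a deployment from setting TACACSPLUS_HOST while leaving the shared secret blank; since TACACS+ body obfuscation is keyed on that secret, a blank value presumably means credentials leave the host unprotected, so a cross-field check in whatever validator consumes these settings, or at least a help_text sentence saying a blank secret is not supported, would help. The timeout help_text literal also appears split across two lines in this rendering; if that is in the patch itself it will not parse, though it looks like an artifact of the paste.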
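Review bot: TACACSPLUSSecretField is an empty subclass with a bare `pass` and no docstring, so a reader has to open RADIUSSecretField (whose body starts outside this hunk) to learn that the two fields are meant to behave identically. Replace the `pass` with a docstring that records the intent, e.g. `"""Shared-secret field for TACACS+; inherits RADIUSSecretField's handling unchanged."""`, and drop the stray blank line between the class line and its body. If the TACACS+ secret is ever expected to differ from the RADIUS one (length limits, character set), that docstring is the place to say so.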