Allow grace period

.gitignore

@@ -2,4 +2,7 @@
 .idea/
 .tox/
 venv*/
+build/
+dist/
+privacyidea_pam.egg-info/
 .coverage

.gitlab-ci.yml

@@ -0,0 +1,36 @@
+stages:
+  - test
+  - build
+  - deploy
+
+tox:
+  stage: test
+  image:
+    name: registry.server.mila.quebec/idt/images/tox:latest
+    entrypoint: [ '/bin/sh', '-c' ]
+  script: tox
+
+package:
+  stage: build
+  image: "python:2.7"
+  only:
+    refs:
+      - master
+  variables:
+    TWINE_USERNAME: "pypi_token"
+    TWINE_REPOSITORY_URL: "https://git.server.mila.quebec/api/v4/projects/83/packages/pypi"
+  before_script:
+    - pip install twine
+  script:
+    - python setup.py sdist bdist_wheel
+    - python -m twine upload dist/*
+
+# Production has to be triggered manually
+update_login_nodes:
+  stage: deploy
+  only:
+    refs:
+      - master
+  variables:
+    ANSIBLE_TAGS: '2fa'
+  trigger: idt/provisioning/environment

.travis.yml

@@ -2,10 +2,6 @@ language: python
 sudo: false
 python:
   - 2.7
-  - 3.5
-  - 3.6
-  - 3.7
-  - 3.8
 
 # command to install dependencies
 install:

README.md

@@ -1,37 +1,64 @@
 [![Build Status](https://travis-ci.org/privacyidea/pam_python.svg?branch=master)](https://travis-ci.org/privacyidea/pam_python)
 
 This module is to be used with http://pam-python.sourceforge.net/.
-It can be used to authenticate with OTP against privacyIDEA. It will also 
+It can be used to authenticate with OTP against privacyIDEA. It will also
 cache future OTP values to enable offline authentication.
 
 To be used like this::
 
+```
    auth   requisite    pam_python.so /path/to/modules/privacyidea-pam.py
+```
 
 It can take the following parameters:
 
-**url=https://your-server** 
+**url=https://your-server**
+
+   Default is https://localhost
 
-   default is https://localhost
-
 **debug**
 
-   write debug information to the system log
-   
+   Write debug information to the system log
+
 **realm=yourRealm**
 
-   pass additional realm to privacyidea
-   
+   Pass additional realm to privacyidea
+
 **nosslverify**
 
    Do not verify the SSL certificate
-   
+
 **prompt=<Prompt>**
 
    The password prompt. Default is "Your OTP".
-
+
+**api_token=<token>**
+
+   The API Token to access admin REST API for auto-enrolment. Requires the following Actions:
+   ``{ "enrollEMAIL": true, "enrollpin": true, "tokenlist": true }``
+
+**grace=<time>**
+
+   Grace time in minutes.
+
+**user_attribute=<uid,gid,gecos>**
+
+   Override the username to send to privacyIDEA with an attribute from the
+   user's password entry
+
+**users=<list,of,users>**
+
+   Comma-separated list of users to apply the plugin to.
+   If not specified, apply to all users.
+
 **sqlfile=<file>**
 
-   This is the SQLite file that is used to store the offline authentication 
+   This is the SQLite file that is used to store the offline authentication
    information.
    The default file is /etc/privacyidea/pam.sqlite
+
+**mysql=<uri>**
+
+   Use MySQL/MariaDB instead of SQLite to store refill/history tables.
+   URI form: mysql://username:password@host:3306/db_name
+   If absent, fallback to sqlfile