Beispiel #1
0
def token_reporting(event, tokenrealms):
    """
    log token events into reporting table

    :param event: the event that happened, e.g. init token, delete token
    :param tokenrealms: the realm on which the event happened
    :return: nothing
    """
    realms = tokenrealms
    if not tokenrealms or len(tokenrealms) == 0:
        realms = ['/:no realm:/']
    elif not isinstance(tokenrealms, (list, tuple)):
        realms = [tokenrealms]

    for realm in realms:
        action = check_token_reporting(realm)
        mh = MonitorHandler()
        counters = mh.token_count(realm, action[:])
        for key, val in counters.items():
            report = Reporting(
                event=event, realm=realm, parameter=key, count=val)
            try:
                Session.add(report)
            except Exception as exce:
                log.exception('[save]Error during saving Report: %r' % exce)
Beispiel #2
0
    def __before__(self, action, **params):
        """
        """
        try:
            log.debug('[__before__::%r] %r', action, params)


            c.audit = request_context['audit']
            c.audit['success'] = False

            c.audit['client'] = get_client(request)

            # Session handling
            check_session(request)

            request_context['Audit'] = audit
            checkAuthorisation(scope='monitoring', method=action)

            return request

        except Exception as exception:
            log.exception(exception)
            Session.rollback()
            Session.close()
            return sendError(response, exception, context='before')

        finally:
            log.debug('[__before__::%r] done', action)
Beispiel #3
0
def get_challenges(serial=None, transid=None):
    '''
    get_challenges - give all challenges for a given token

    :param serial:   serial of the token
    :param transid:  transaction id, if None, all will be retrieved
    :return:         return a list of challenge dict
    '''
    log.debug('[get_challenges] %r' % (serial))

    challenges = []
    if transid is None and serial is None:
        return challenges

    if transid is None:
        db_challenges = Session.query(Challenge)\
            .filter(Challenge.tokenserial == u'' + serial)\
            .order_by(desc(Challenge.id))\
            .all()
    else:
        transid_len = int(getFromConfig('TransactionIdLength', 12))
        if len(transid) == transid_len:
            db_challenges = Session.query(Challenge)\
                .filter(Challenge.transid == transid)\
                .all()
        else:
            db_challenges = Session.query(Challenge)\
                .filter(Challenge.transid.startswith(transid))\
                .all()

    challenges.extend(db_challenges)

    log.debug('[getTransactions4serial] %r' % challenges)
    return challenges
Beispiel #4
0
def delete(realms, status, date=None):
    """
    delete all rows in reporting database before a given date

    :param date: (optional)day until which all rows will be deleted
    :type date: string in format: 'yyyy-mm-dd'

    :return: number of deleted rows
    """

    if not isinstance(realms, (list, tuple)):
        realms = realms.split(',')

    realm_cond = tuple()
    for realm in realms:
       realm_cond += (or_(Reporting.realm == realm),)

    status_cond = tuple()
    for stat in status:
        status_cond += (or_(Reporting.parameter == stat),)

    date_cond = tuple()
    if date:
        date_cond += (and_(Reporting.timestamp < date),)

    conds = (and_(*date_cond), or_(*realm_cond), or_(*status_cond),)

    rows = Session.query(Reporting).filter(*conds)
    row_num = rows.count()

    for row in rows:
        Session.delete(row)
    return row_num
Beispiel #5
0
def deleteRealm(realmname):
    '''
    delete the realm from the Database Table with the given name

    :param realmname: the to be deleted realm
    :type  realmname: string
    '''

    log.debug("deleting realm object with name=%s" % realmname)
    r = getRealmObject(name=realmname)
    if r is None:
        ''' if no realm is found, we re-try the lowercase name for backward compatibility '''
        r = getRealmObject(name=realmname.lower())
    realmId = 0
    if r is not None:
        realmId = r.id

        if realmId != 0:
            log.debug("Deleting token relations for realm with id %i" % realmId)
            Session.query(TokenRealm).filter(TokenRealm.realm_id == realmId).delete()
        Session.delete(r)

    else:
        log.warning("Realm with name %s was not found." % realmname)
        return False
    # now delete all relations, i.e. remove all Tokens from this realm.

    # finally we delete the 'realmname' cache
    from linotp.lib.user import delete_realm_resolver_cache
    delete_realm_resolver_cache(realmname)

    return True
Beispiel #6
0
def deleteRealm(realmname):
    '''
    delete the realm from the Database Table with the given name

    :param realmname: the to be deleted realm
    :type  realmname: string
    '''

    log.debug("[delete] delete Realm object with name=%s" % realmname)
    r = getRealmObject(name=realmname)
    if r is None:
        ''' if no realm is found, we re-try the lowercase name for backward compatibility '''
        r = getRealmObject(name=realmname.lower())
    realmId = 0
    if r is not None:
        realmId = r.id

        if realmId != 0:
            log.debug("[deleteRealm] Now deleting all realations with realm_id=%i" % realmId)
            Session.query(TokenRealm).filter(TokenRealm.realm_id == realmId).delete()
        Session.delete(r)

    else:
        log.warning("[deleteRealm] There is no realm object with the name %s to be deleted." % realmname)
        return False
    # now delete all relations, i.e. remove all Tokens from this realm.

    return True
Beispiel #7
0
    def __before__(self, action, **params):
        """
        """
        try:
            log.debug('[__before__::%r] %r', action, params)

            audit.initialize()
            c.audit['success'] = False

            c.audit['client'] = get_client(request)

            # Session handling
            check_session(request)

            self.request_context['Audit'] = audit

            return request

        except Exception as exception:
            log.exception(exception)
            Session.rollback()
            Session.close()
            return sendError(response, exception, context='before')

        finally:
            log.debug('[__before__::%r] done', action)
Beispiel #8
0
def get_challenges(serial=None, transid=None):
    """
    get_challenges - give all challenges for a given token

    :param serial:   serial of the token
    :param transid:  transaction id, if None, all will be retrieved
    :return:         return a list of challenge dict
    """
    LOG.debug("[get_challenges] %r" % (serial))

    challenges = []
    if transid is None and serial is None:
        return challenges

    if transid is None:
        db_challenges = (
            Session.query(Challenge).filter(Challenge.tokenserial == u"" + serial).order_by(desc(Challenge.id)).all()
        )
    else:
        db_challenges = Session.query(Challenge).filter(Challenge.transid == transid).all()

    challenges.extend(db_challenges)

    LOG.debug("[getTransactions4serial] %r" % challenges)
    return challenges
Beispiel #9
0
def set_logging_level(name, level):

    """
    sets the logging level in the database as well as
    in the current running logger

    :param name: Name of the logger
    :param level: New level (must be integer)
    """

    # --------------------------------------------------------------------------

    logger = logging.getLogger(name)
    logger.setLevel(level)

    # --------------------------------------------------------------------------

    config_entry = Session.query(LoggingConfig).get(name)

    if config_entry is None:
        new_config_entry = LoggingConfig(name, level)
        Session.add(new_config_entry)
        return

    config_entry.level = level
Beispiel #10
0
def _storeConfigEntryDB(key, value, typ=None, desc=None):
    """
    lowest level for storing database entries in the config table
    """

    confEntries = Session.query(Config).filter(Config.Key == unicode(key))
    theConf = None

    # update
    if confEntries.count() == 1:
        theConf = confEntries[0]
        theConf.Value = unicode(value)
        if (typ is not None):
            theConf.Type = unicode(typ)
        if (desc is not None):
            theConf.Description = unicode(desc)

    # insert
    elif confEntries.count() == 0:
        theConf = Config(
                        Key=unicode(key),
                        Value=unicode(value),
                        Type=unicode(typ),
                        Description=unicode(desc)
                        )
    if theConf is not None:
        Session.add(theConf)

    return 101
Beispiel #11
0
    def storageEncryption(self):
        """
        check if hsm/enckey encrypts value before storing it to config db
        :return: true if a new value gets encryptet before beeing stored in db
        """
        try:
            if hasattr(c, 'hsm') == False or isinstance(c.hsm, dict) == False:
                raise HSMException('no hsm defined in execution context!')

            hsm = c.hsm.get('obj')
            if hsm is None or hsm.isReady() == False:
                raise HSMException('hsm not ready!')

            hsm_class = str(type(hsm))
            enc_type = hsm_class.split('.')[-1]
            enc_type = enc_type.strip("'>")
            enc_name = hsm.name
            res = {'cryptmodul_type': enc_type, 'cryptmodul_name': enc_name}

            monit_handler = MonitorHandler()
            res['encryption'] = monit_handler.check_encryption()

            return sendResult(response, res, 1)

        except Exception as exception:
            log.exception(exception)
            return sendError(response, exception)

        finally:
            Session.close()
            log.debug('[encryption] done')
Beispiel #12
0
    def test_updateExisting(self):
        # Test the following conditions:
        # - An entry is created with chunklength > 1
        # - The type and description are not set
        # - The entry is reduced to one chunk
        # Verify that the resulting config entry has
        # correctly set the type and description

        key = 'linotp.testupdate'
        longvalue = '*' * 2000
        value = 'value'
        typ = None
        description = None

        _storeConfigDB(key, longvalue, typ, description)
        self.assertEqual(Session.query(Config).count(), 2)
        oldentries = Session.query(Config).all()
        self.assertEqual(len(oldentries), 2)

        _storeConfigDB(key, value, typ, description)
        entries = Session.query(Config).all()
        self.assertEqual(len(entries), 1)

        entry = entries[0]
        self.assertEqual(entry.Key, key)
        self.assertEqual(entry.Value, value)
        self.assertEqual(entry.Description, '')  # None is converted to ''
        self.assertEqual(entry.Type, typ)
Beispiel #13
0
    def login(self):
        log.debug("[login] selfservice login screen")
        identity = request.environ.get('REMOTE_USER')
        if identity is not None:
            # After login We always redirect to the start page
            redirect("/selfservice")

        Session.close()
Beispiel #14
0
 def storeRealm(self):
     if self.name is None:
         self.name = ''
     self.name = self.name.lower()
     log.debug('storeRealm()')
     Session.add(self)
     Session.commit()
     log.debug('store realm success')
     return True
Beispiel #15
0
 def deleteToken(self):
     log.debug('deleteToken()')
     ## some dbs (eg. DB2) runs in deadlock, if the TokenRealm entry
     ## is deleteted via foreign key relation
     ## so we delete it explicit
     Session.query(TokenRealm).filter(TokenRealm.token_id == self.LinOtpTokenId).delete()
     Session.delete(self)
     log.debug('delete token success')
     return True
Beispiel #16
0
    def storeRealm(self):
        if self.name is None:
            self.name = ''
        self.name = self.name.lower()

        Session.add(self)
        Session.flush()

        return True
Beispiel #17
0
 def setUpClass(cls):
     # we need a clean Session context to setup new sqlite db
     # no matter what other unittests did
     Session.close_all()
     Session.remove()
     # Use an in memory empty Sqlite database
     super(TestConfigStoreCase, cls).setUpClass()
     cls.engine = create_engine('sqlite:///:memory:')
     metadata.create_all(cls.engine)
     init_model(cls.engine)
Beispiel #18
0
    def logout(self):
        identity = request.environ.get('REMOTE_USER')
        if identity is None:
            # After logout We always redirect to the start page
            redirect("/")

        # CHANGE ME PRE-INSTALLATION TO POINT TO YOUR WEBKDC
        redirect("https://mfa-test.bsp.ox.ac.uk/elm/logout")

        Session.close()
Beispiel #19
0
def delete_reporting():
    """
    delete all rows in reporting database

    :return: number of deleted rows
    """
    rows = Session.query(Reporting)
    row_num = rows.count()
    for row in rows.all():
        Session.delete(row)
    return row_num
Beispiel #20
0
    def storeToken(self):
        if self.LinOtpUserid is None:
            self.LinOtpUserid = u''
        if self.LinOtpIdResClass is None:
            self.LinOtpIdResClass = ''
        if self.LinOtpIdResolver is None:
            self.LinOtpIdResolver = ''

        Session.add(self)
        Session.flush()

        return True
Beispiel #21
0
    def deleteToken(self):
        # some dbs (eg. DB2) runs in deadlock, if the TokenRealm entry
        # is deleteted via foreign key relation
        # so we delete it explicitly
        token_realm_entries = Session.query(TokenRealm).filter(
                            TokenRealm.token_id == self.LinOtpTokenId).all()

        for token_realm_entry in token_realm_entries:
            Session.delete(token_realm_entry)

        Session.delete(self)
        return True
Beispiel #22
0
    def __before__(self, action,):

        try:

            c.version = get_version()
            c.licenseinfo = get_copyright_info()

        except Exception as exx:
            log.exception("[__before__::%r] exception %r" % (action, exx))
            Session.rollback()
            Session.close()
            return sendError(response, exx, context='before')
Beispiel #23
0
    def __before__(self, action, **params):
        """
        Here we see, what action is to be called and check the authorization
        """

        log.debug("[__before__::%r] %r" % (action, params))

        try:

            audit.initialize()
            c.audit["success"] = False
            c.audit["client"] = get_client()
            if action != "check_t":
                check_session()

            return response

        except webob.exc.HTTPUnauthorized as acc:
            ## the exception, when an abort() is called if forwarded
            log.exception("[__before__::%r] webob.exception %r" % (action, acc))
            Session.rollback()
            Session.close()
            raise acc

        except Exception as exx:
            log.exception("[__before__::%r] exception %r" % (action, exx))
            Session.rollback()
            Session.close()
            return sendError(response, exx, context="before")

        finally:
            log.debug("[__before__::%r] done" % (action))
Beispiel #24
0
    def __before__(self, action, **params):

        log.debug("[__before__::%r] %r" % (action, params))

        try:
            c.version = get_version()
            c.licenseinfo = get_copyright_info()

        except webob.exc.HTTPUnauthorized as acc:
            ## the exception, when an abort() is called if forwarded
            log.error("[__before__::%r] webob.exception %r" % (action, acc))
            log.error("[__before__] %s" % traceback.format_exc())
            Session.rollback()
            Session.close()
            raise acc

        except Exception as exx:
            log.error("[__before__::%r] exception %r" % (action, exx))
            log.error("[__before__] %s" % traceback.format_exc())
            Session.rollback()
            Session.close()
            return sendError(response, exx, context='before')

        finally:
            log.debug("[__before__::%r] done" % (action))
Beispiel #25
0
    def __before__(self, action, **params):
        '''
        Here we see, what action is to be called and check the authorization
        '''

        log.debug("[__before__::%r] %r" % (action, params))

        try:

            c.audit = request_context['audit']
            c.audit['success'] = False
            c.audit['client'] = get_client(request)
            if action != "check_t":
                check_session(request)

            request_context['Audit'] = audit
            return response

        except webob.exc.HTTPUnauthorized as acc:
            ## the exception, when an abort() is called if forwarded
            log.exception("[__before__::%r] webob.exception %r" % (action, acc))
            Session.rollback()
            Session.close()
            raise acc

        except Exception as exx:
            log.exception("[__before__::%r] exception %r" % (action, exx))
            Session.rollback()
            Session.close()
            return sendError(response, exx, context='before')

        finally:
            log.debug("[__before__::%r] done" % (action))
Beispiel #26
0
    def delete_all(self):
        """
        method:
            reporting/delete_all

        description:
            delete the reporting database table

        returns: dict in which value is the number of deleted rows

        exception:
            if an error occurs an exception is serialized and returned
        """

        try:
            result = delete_reporting()
            Session.commit()
            return sendResult(response, result)

        except PolicyException as policy_exception:
            log.exception(policy_exception)
            Session.rollback()
            return sendError(response, unicode(policy_exception), 1)

        except Exception as exc:
            log.exception(exc)
            Session.rollback()
            return sendError(response, exc)

        finally:
            Session.close()
            log.debug('[delete_all] done')
Beispiel #27
0
def delete_before(date):
    """
    delete all rows in reporting database before a given date

    :param date: day until which all rows will be deleted
    :type date: string in format: 'yyyy-mm-dd'

    :return: number of deleted rows
    """
    rows = Session.query(Reporting).filter(Reporting.timestamp < date)
    row_num = rows.count()

    for row in rows:
        Session.delete(row)
    return row_num
Beispiel #28
0
    def _get_tokens_in_realm(self, valid_realms):
        ## get all matching realms
        realm_id_tuples = Session.query(Realm.id).\
                            filter(Realm.name.in_(valid_realms)).all()
        realm_ids = set()
        for realm_tuple in realm_id_tuples:
            realm_ids.add(realm_tuple[0])
        ## get all tokenrealm ids
        token_id_tuples = Session.query(TokenRealm.token_id).\
                    filter(TokenRealm.realm_id.in_(realm_ids)).all()
        token_ids = set()
        for token_tuple in token_id_tuples:
            token_ids.add(token_tuple[0])

        return token_ids
Beispiel #29
0
    def save(self):
        '''
        enforce the saving of a challenge
        - will guarantee the uniqness of the transaction id

        :return: transaction id of the stored challenge
        '''
        try:
            Session.add(self)
            Session.flush()

        except Exception as exce:
            log.exception('[save]Error during saving challenge')

        return self.transid
Beispiel #30
0
    def license(self):
        """
        license
        return the support status, which is community support by default
        or the support subscription info, which could be the old license
        :return: json result with license info
        """
        res = {}
        try:
            try:
                license_info, license_sig = getSupportLicenseInfo()
            except InvalidLicenseException as err:
                if err.type != 'UNLICENSED':
                    raise err
                opt = {'valid': False,
                       'message': "%r" % err
                       }
                return sendResult(response, {}, 1, opt=opt)

            # Add Extra info
            # if needed; use details = None ... for no details!)...
            license_ok, license_msg = verifyLicenseInfo(license_info,
                                                        license_sig)
            if not license_ok:
                details = {'valid': license_ok,
                           'message': license_msg
                           }
            else:
                details = {'valid': license_ok}

                res['token-num'] = int(license_info.get('token-num', 0))

                # get all active tokens from all realms (including norealm)
                monit_handler = MonitorHandler()
                active_tokencount = monit_handler.get_active_tokencount()
                res['token-active'] = active_tokencount

                res['token-left'] = res['token-num'] - active_tokencount

            return sendResult(response, res, 1, opt=details)

        except Exception as exception:
            log.exception(exception)
            return sendError(response, exception)

        finally:
            Session.close()
            log.debug('[license] done')
Beispiel #31
0
    def get_config_items(self):
        """
        iterator function, to return a config entry in the migration format

        it reads all config entries from the config table, which have the type
        password. The decrypted value is taken from the linotp config

        :return: dictionary with the config entry: key, type, description
                 and the value, which is a dict with the encryption relevant
                 data like: encrypted_data, iv, mac
        """

        config_entries = Session.query(model_config).\
                         filter(model_config.Type == 'password').all()
        for entry in config_entries:

            key = 'enc%s' % entry.Key
            value = getFromConfig(key)

            # calculate encryption and add mac from mac_data
            enc_value = self.crypter.encrypt(input_data=value,
                                             just_mac=key + entry.Value)

            config_item = {
                "Key": entry.Key,
                "Value": enc_value,
                "Type": entry.Type,
                "Description": entry.Description
            }

            yield config_item
Beispiel #32
0
    def set_config_entry(self, config_entry):
        """
        set the config entry - using the standard way, so that the new value
        will be encrypted using the new encryption key and potetialy as well an
        new iv.

        before storing the new entry, the old value in its encryted form is
        read. The


        :param config_entry: the config entry, as a dict
        :return: - nothing -
        """

        key = config_entry['Key']
        typ = config_entry['Type']
        desc = config_entry['Description']
        if desc == 'None':
            desc = None

        config_entries = Session.query(model_config).\
                         filter(model_config.Key == key).all()
        entry = config_entries[0]

        # decypt the real value
        enc_value = config_entry['Value']
        value = self.crypter.decrypt(enc_value,
                                     just_mac='enc%s' % key + entry.Value)

        _storeConfigDB(key, value, typ=typ, desc=desc)
Beispiel #33
0
    def set_token_data(self, token_data):

        serial = token_data["Serial"]
        tokens = Session.query(model_token).\
            filter(model_token.LinOtpTokenSerialnumber == serial).all()
        token = tokens[0]

        if 'TokenPin' in token_data:
            enc_pin = token_data['TokenPin']
            token_pin = self.crypter.decrypt(enc_pin,
                                             just_mac=serial +
                                             token.LinOtpPinHash)
            # prove, we can write
            enc_pin = SecretObj.encrypt_pin(token_pin)
            iv = enc_pin.split(':')[0]
            token.set_encrypted_pin(enc_pin, binascii.unhexlify(iv))

        if 'TokenUserPin' in token_data:
            token_enc_user_pin = token_data['TokenUserPin']
            user_pin = self.crypter.decrypt(token_enc_user_pin,
                                            just_mac=serial +
                                            token.LinOtpTokenPinUser)
            # prove, we can write
            iv, enc_user_pin = SecretObj.encrypt(user_pin, hsm=self.hsm)
            token.setUserPin(enc_user_pin, iv)

        # we put the current crypted seed in the mac to check if
        # something changed in meantime
        encKey = token.LinOtpKeyEnc
        enc_seed = token_data['TokenSeed']
        token_seed = self.crypter.decrypt(enc_seed, just_mac=serial + encKey)

        # the encryption of the token seed is not part of the model anymore
        iv, enc_token_seed = SecretObj.encrypt(token_seed)
        token.set_encrypted_seed(enc_token_seed, iv, reset_failcount=False)
Beispiel #34
0
def init_logging_config():

    """
    Loads the persistent logging configuration from the database,
    sets the appropriate mappers (to enrich results with request
    ids, remote addresses, etc) and adds the handler defined in
    the global configuration.

    Should be called ONCE at the start of the server
    """

    root_logger = logging.getLogger()

    for handler in root_logger.handlers:
        filter_ = RequestContextFilter()
        handler.addFilter(filter_)

    stderr_handler = logging.StreamHandler()
    formatter = ColorFormatter('%(asctime)s %(levelname)s - %(message)s')
    stderr_handler.setFormatter(formatter)

    root_logger.addHandler(stderr_handler)

    config_entries = Session.query(LoggingConfig).all()

    for config_entry in config_entries:
        logger = logging.getLogger(config_entry.name)
        logger.setLevel(config_entry.level)
Beispiel #35
0
    def active_users_total(self, realmlist):
        """
        get the total number of users of active tokens
        for all resolvers which are in allowed realms

        users are counted per resolver, so if resolver is in more than one
        realm, its uers will only be counted once

        :param realmlist: list of (existing and allowed) realms
        :return: number of users in allowed realms who own an active token
        """
        realm_cond = tuple()
        for realm in realmlist:
            realm_cond += (or_(Realm.name == realm), )

        user_and_resolver = Session.query(Token.LinOtpUserid,
                                          Token.LinOtpIdResolver,
                                          Token.LinOtpIdResClass,
                                          Token.LinOtpIsactive)\
            .join(TokenRealm)\
            .join(Realm)\
            .filter(or_(*realm_cond),
                    and_(Token.LinOtpIsactive == True,
                         Token.LinOtpIdResolver != ''))\
            .group_by(Token.LinOtpUserid, Token.LinOtpIdResolver,
                      Token.LinOtpIsactive, Token.LinOtpIdResClass)

        all_server_total = user_and_resolver.count()
        return all_server_total
    def test_storeConfigDB_encoding(self):
        # Test round trip of _storeConfigDB with entries that require
        # encoding of special characters
        conf = {
            'Key': u'linotp.TËST',
            'Value': u'VALUEÄ',
            'Type': u'TYPEß',
            'Description': u'DESCRIPTIÖN',
        }

        _storeConfigDB(conf['Key'], conf['Value'], conf['Type'],
                       conf['Description'])

        # Check value is correctly returned
        stored_value = _retrieveConfigDB(conf['Key'])
        self.assertEqual(conf['Value'], stored_value)

        # Check type, description in database
        entries = Session.query(Config).all()

        assert (len(entries) == 1)
        stored_conf = entries[0]

        for key in conf.keys():
            self.assertEqual(
                conf[key], getattr(stored_conf, key),
                "Key should match key:%s - expected %r, recevied %r" %
                (key, conf[key], getattr(stored_conf, key)))
Beispiel #37
0
    def get_sync_status(self):
        """
        check if cache and config db are synced

        if sync is True, the synctime is returned
        else, the difference (cache-time - database_time) is given
        :return: dict with keys 'sync' and 'synctime'
        """
        result = {'sync': False}

        linotp_conf = LinOtpConfig()
        linotp_time = linotp_conf.get('linotp.Config')

        # get db entry for config
        entry = Session.query(config_model).filter(
            config_model.Key == 'linotp.Config').one()
        db_time = entry.Value

        # if the times are not in syc, LinOTP keeps its status
        # cached but does not update its timestamp of sync
        if db_time == linotp_time:
            result['sync'] = True
            result['synctime'] = db_time
            now = datetime.datetime.now()
            result['now'] = unicode(now)

        else:
            format_string = '%Y-%m-%d %H:%M:%S.%f'
            linotp_t = datetime.datetime.strptime(str(linotp_time),
                                                  format_string)
            db_t = datetime.datetime.strptime(str(db_time), format_string)
            result['cache_to_db_diff'] = unicode(linotp_t - db_t)
            result['db_time'] = db_time

        return result
Beispiel #38
0
    def active_users_per_realm(self, realm=None):
        """
        get the number of users which are assigned to an active token in total
            or per realm and resolver
        :param realm: name of realm
        :return: dict with
                keys: resolvernames
                values: number of active token users
        """
        realminfo = context.get('Config').getRealms().get(realm)
        resolver_specs = realminfo.get('useridresolver', '')
        realmdict = {}

        for resolver_spec in resolver_specs:
            __, config_identifier = parse_resolver_spec(resolver_spec)
            act_users_per_resolver = Session.query(Token.LinOtpUserid,
                                                   Token.LinOtpIdResolver,
                                                   Token.LinOtpIdResClass,
                                                   Token.LinOtpIsactive)\
                .join(TokenRealm)\
                .join(Realm)\
                .filter(and_(
                            Token.LinOtpIsactive == True,
                            Token.LinOtpIdResClass == resolver_spec,
                            Realm.name == realm
                ))\
                .group_by(Token.LinOtpUserid, Token.LinOtpIdResolver,
                          Token.LinOtpIsactive, Token.LinOtpIdResClass)

            realmdict[config_identifier] = act_users_per_resolver.count()

        return realmdict
Beispiel #39
0
def getRealmObject(name=u"", id=0):
    '''
    returns the Realm Object for a given realm name.
    If the given realm name is not found, it returns "None"

    :param name: realmname to be searched
    :type  name: string

    TODO: search by id not implemented, yet
    :param id:   id of the realm object
    :type  id:   integer

    :return : realmObject - the database object
    :rtype  : the sql db object
    '''

    log.debug("Getting realm object for name=%s, id=%i", name, id)
    realmObj = None

    name = u'' + str(name)
    if (0 == id):
        realmObjects = Session.query(Realm).filter(
            func.lower(Realm.name) == name.lower())
        if realmObjects.count() > 0:
            realmObj = realmObjects[0]

    return realmObj
Beispiel #40
0
    def __after__(
        self,
        action,
    ):
        '''

        '''
        param = request.params

        try:
            if c.audit['action'] in ['selfservice/index']:
                if isSelfTest():
                    log.debug("[__after__] Doing selftest!")
                    suser = getParam(param, "selftest_user", True)
                    if suser is not None:
                        (c.user, _foo, c.realm) = getParam(param,
                                                           "selftest_user",
                                                           True)\
                            .rpartition('@')
                    else:
                        c.realm = ""
                        c.user = "******"
                        env = request.environ
                        uuser = env.get('REMOTE_USER')
                        if uuser is not None:
                            (c.user, _foo, c.realm) = uuser.rpartition('@')

                log.debug("[__after__] authenticating as %s in realm %s!" %
                          (c.user, c.realm))

                c.audit['user'] = c.user
                c.audit['realm'] = c.realm
                c.audit['success'] = True

                if 'serial' in param:
                    c.audit['serial'] = param['serial']
                    c.audit['token_type'] = getTokenType(param['serial'])

                audit.log(c.audit)

            return response

        except webob.exc.HTTPUnauthorized as acc:
            # the exception, when an abort() is called if forwarded
            log.exception("[__after__::%r] webob.exception %r" % (action, acc))
            Session.rollback()
            Session.close()
            raise acc

        except Exception as e:
            log.exception("[__after__] failed with error: %r" % e)
            Session.rollback()
            Session.close()
            return sendError(response, e, context='after')

        finally:
            log.debug('[__after__] done')
Beispiel #41
0
    def __before__(self, action,):

        log.debug("[__before__]")

        try:

            c.version = get_version()
            c.licenseinfo = get_copyright_info()

        except Exception as exx:
            log.exception("[__before__::%r] exception %r" % (action, exx))
            Session.rollback()
            Session.close()
            return sendError(response, exx, context='before')

        finally:
            log.debug("[__before__::%r] done" % (action))
Beispiel #42
0
    def __before__(self, action):

        log.debug("[__before__]")

        try:
            c.audit = request_context['audit']
            c.audit['client'] = get_client(request)
            check_session(request)

        except Exception as exx:
            log.exception("[__before__::%r] exception %r" % (action, exx))
            Session.rollback()
            Session.close()
            return sendError(response, exx, context='before')

        finally:
            log.debug("[__before__::%r] done" % (action))
Beispiel #43
0
    def save(self):
        '''
        enforce the saving of a challenge
        - will guarantee the uniqness of the transaction id

        :return: transaction id of the stored challenge
        '''
        log.debug('[save] save challenge')
        try:
            Session.add(self)
            Session.commit()
            log.debug('save challenge : success')

        except Exception as exce:
            log.exception('[save]Error during saving challenge: %r' % exce)

        return self.transid
Beispiel #44
0
    def get_active_tokencount(self):
        """
        get the number of active tokens from all realms (including norealm)

        :return: number of active tokens
        """
        active = Token.LinOtpIsactive == True
        token_active = Session.query(Token).filter(active).count()
        return token_active
Beispiel #45
0
    def encryption(self):
        """
        check if hsm encrypts value before storing it to config db
        :return:
        """
        try:
            monit_handler = MonitorHandler(context=self.request_context)
            res = {'encryption': monit_handler.check_encryption()}

            return sendResult(response, res, 1)

        except Exception as exception:
            log.exception(exception)
            return sendError(response, exception)

        finally:
            Session.close()
            log.debug('[__after__] done')
Beispiel #46
0
    def __before__(self, action, **params):

        log.debug("[__before__]")

        try:
            audit.initialize()
            c.audit['client'] = get_client()
            check_session()

        except Exception as exx:
            log.error("[__before__::%r] exception %r" % (action, exx))
            log.error("[__before__] %s" % traceback.format_exc())
            Session.rollback()
            Session.close()
            return sendError(response, exx, context='before')

        finally:
            log.debug("[__before__::%r] done" % (action))
Beispiel #47
0
    def __before__(self, action, **params):

        log.debug("[__before__::%r] %r" % (action, params))

        try:
            audit.initialize()
            c.audit['client'] = get_client(request)
            check_session(request)
            self.request_context['Audit'] = audit

        except Exception as exx:
            log.exception("[__before__::%r] exception %r" % (action, exx))
            Session.rollback()
            Session.close()
            return sendError(response, exx, context='before')

        finally:
            log.debug("[__before__::%r] done" % (action))
Beispiel #48
0
    def __after__(self):
        '''
        __after is called after every action

        :return: return the response
        :rtype:  pylons response
        '''
        try:
            return response

        except Exception as exx:
            log.exception("[__after__] exception %r" % (exx))
            Session.rollback()
            return sendError(response, exx, context='after')

        finally:
            Session.close()
            log.debug("[__after__] done")
Beispiel #49
0
    def license(self):
        """
        license
        return the support status, which is community support by default
        or the support subscription info, which could be the old license
        :return: json result with license info
        """
        res = {}
        try:
            try:
                license_info, license_sig = getSupportLicenseInfo()
            except InvalidLicenseException as err:
                if err.type != 'UNLICENSED':
                    raise err
                opt = {'valid': False, 'message': "%r" % err}
                return sendResult(response, {}, 1, opt=opt)

            # Add Extra info
            # if needed; use details = None ... for no details!)...
            license_ok, license_msg = verifyLicenseInfo(
                license_info, license_sig)
            if not license_ok:
                res = {'valid': license_ok, 'message': license_msg}
            else:
                details = {'valid': license_ok}

                res['token-num'] = int(license_info.get('token-num', 0))

                # get all active tokens from all realms (including norealm)
                monit_handler = MonitorHandler()
                active_tokencount = monit_handler.get_active_tokencount()
                res['token-active'] = active_tokencount

                res['token-left'] = res['token-num'] - active_tokencount

            return sendResult(response, res, 1)

        except Exception as exception:
            log.exception(exception)
            return sendError(response, exception)

        finally:
            Session.close()
            log.debug('[license] done')
Beispiel #50
0
def _removeConfigDB(key):
    """
    remove entry from config table

    :param key: the name of the entry
    :return: number of deleted entries
    """
    log.debug('removeConfigDB %r' % key)

    if (not key.startswith("linotp.")):
        if not key.startswith('enclinotp.'):
            key = u"linotp." + key

    confEntries = Session.query(Config).filter(
        Config.Key == unicode(key)).all()

    if not confEntries:
        return 0

    theConf = confEntries[0]

    to_be_deleted = []
    to_be_deleted.append(theConf)

    # if entry is a contious type, delete all of this kind
    if theConf.Type == 'C' and theConf.Description[:len('0:')] == '0:':
        _start, end = theConf.Description.split(':')
        search_key = "%s__[%%:%s]" % (key, end)
        cont_entries = Session.query(Config).filter(
            Config.Key.like(search_key)).all()
        to_be_deleted.extend(cont_entries)

    try:
        for entry in to_be_deleted:
            # Session.add(theConf)
            Session.delete(entry)

    except Exception as e:
        log.exception('[removeConfigDB] failed')
        raise ConfigAdminError("remove Config failed for %r: %r" % (key, e),
                               id=1133)

    return len(to_be_deleted)
Beispiel #51
0
def set_config(key, value, typ, description=None):
    '''
    create an intial config entry, if it does not exist

    :param key: the key
    :param value: the value
    :param description: the description of the key

    :return: nothing
    '''

    count = Session.query(model.Config).filter(
                        model.Config.Key == "linotp." + key).count()

    if count == 0:
        config_entry = model.Config(key, value, Type=typ, Description=description)
        Session.add(config_entry)

    return
Beispiel #52
0
    def __before__(self, action, **params):

        log.debug("[__before__]")

        try:

            c.version = get_version()
            c.licenseinfo = get_copyright_info()
            self.set_language()

        except Exception as exx:
            log.error("[__before__::%r] exception %r" % (action, exx))
            log.error("[__before__] %s" % traceback.format_exc())
            Session.rollback()
            Session.close()
            return sendError(response, exx, context='before')

        finally:
            log.debug("[__before__::%r] done" % (action))
Beispiel #53
0
    def config(self):
        """
        check if Config- Database exists

        touches DB and checks if date of last read is new
        :return:
            a json result with:
            { "head": [],
            "value": {"sync": "True"}
            }

        exception:
            if an error occurs an exception is serialized and returned
        """
        result = {}
        try:

            monit_handler = MonitorHandler()
            result = monit_handler.get_sync_status()

            # useful counts:
            counts = monit_handler.get_config_info()

            result.update(counts)

            ldap = 13 * result['ldapresolver']
            sql = 12 * result['sqlresolver']
            policies = 7 * result['policies']
            realms = result['realms']
            passwd = result['passwdresolver']
            total = result['total']

            result['netto'] = total - ldap - sql - passwd - policies - realms

            return sendResult(response, result)

        except Exception as exception:
            log.exception(exception)
            return sendError(response, exception)

        finally:
            Session.close()
            log.debug('[config] done')
Beispiel #54
0
def setup_app(conf, conf_global=None, unitTest=False):
    '''
    setup_app is the hook, which is called, when the application is created

    :param conf: the application configuration

    :return: - nothing -
    '''
    if conf_global is not None:
        if conf_global.has_key("sqlalchemy.url"):
            log.info("sqlalchemy.url")
    else:
        conf.get("sqlalchemy.url", None)

    if unitTest is True:
        log.info("Deleting previous tables...")
        meta.metadata.drop_all(bind=meta.engine)

    ## Create the tables if they don't already exist
    log.info("Creating tables...")
    meta.metadata.create_all(bind=meta.engine)

    if conf.has_key("linotpSecretFile"):
        filename = conf.get("linotpSecretFile")
        try:
            with open(filename):
                pass
        except IOError:
            log.warning("The Linotp Secret File could not be found " +
                        "-creating a new one: %s" % filename)
            f_handle = open(filename, 'ab+')
            secret = os.urandom(32 * 5)
            f_handle.write(secret)
            f_handle.close()
            os.chmod(filename, 0400)
        log.info("linotpSecretFile: %s" % filename)

    set_defaults()

    Session.commit()

    log.info("Successfully set up.")
Beispiel #55
0
    def delete_challenges(self, challenges):
        '''
        delete challenges, which match those listed ones

        :param challenges: list of (dict|int|str) challenges
        :return: result of the delete operation
        '''

        challenge_ids = []
        for challenge in challenges:
            if type(challenge) == dict:
                if challenge.has_key('id'):
                    challenge_id = challenge.get('id')
            elif type(challenge) == Challenge:
                challenge_id = challenge.get('id')
            elif type(challenge) in (unicode, str, int):
                challenge_id = challenge

            try:
                challenge_ids.append(int(challenge_id))
            except ValueError:
                ## ignore
                LOG.warning("failed to concert the challengeId %r to int()" %
                            challenge_id)

        res = 1

        # 1. get all challeges which are to be deleted
        # 2. self.token.select_challenges()

        if len(challenge_ids) > 0:

            del_challes = Session.query(Challenge).\
                filter(Challenge.tokenserial == u'' + self.token.getSerial()).\
                filter(Challenge.id.in_(challenge_ids)).all()

            for dell in del_challes:
                Session.delete(dell)
                #pass

        return res
Beispiel #56
0
def init_logging_config():
    """
    Loads the persistent logging configuration from the database

    Should be called ONCE at the start of the server
    """

    config_entries = Session.query(LoggingConfig).all()

    for config_entry in config_entries:
        logger = logging.getLogger(config_entry.name)
        logger.setLevel(config_entry.level)
Beispiel #57
0
def delete(realms, status, date=None):
    """
    delete all rows in reporting database before a given date,
    filtered by realm and status

    :param realms: the ralm to filter
    :param status: the status to filter
    :param date: (optional) day until which all rows will be deleted
    :type date: string in format: 'yyyy-mm-dd'

    :return: number of deleted rows
    """

    if not isinstance(realms, (list, tuple)):
        realms = realms.split(',')

    realm_cond = tuple()
    for realm in realms:
        realm_cond += (or_(Reporting.realm == realm), )

    status_cond = tuple()
    for stat in status:
        status_cond += (or_(Reporting.parameter == stat), )

    date_cond = tuple()
    if date:
        date_cond += (and_(Reporting.timestamp < date), )

    conds = (
        and_(*date_cond),
        or_(*realm_cond),
        or_(*status_cond),
    )

    rows = Session.query(Reporting).filter(*conds)
    row_num = rows.count()

    for row in rows:
        Session.delete(row)
    return row_num
Beispiel #58
0
    def login(self):
        log.debug("[login] selfservice login screen")
        identity = request.environ.get('repoze.who.identity')
        if identity is not None:
            # After login We always redirect to the start page
            redirect("/")

        res = {}
        try:
            c.defaultRealm = getDefaultRealm()
            res = getRealms()

            c.realmArray = []
            #log.debug("[login] %s" % str(res) )
            for (k, v) in res.items():
                c.realmArray.append(k)

            c.realmbox = getRealmBox()
            log.debug("[login] displaying realmbox: %i" % int(c.realmbox))

            Session.commit()
            response.status = '%i Logout from LinOTP selfservice' % LOGIN_CODE
            return render('/selfservice/login.mako')

        except Exception as e:
            log.exception('[login] failed %r' % e)
            Session.rollback()
            return sendError(response, e)

        finally:
            Session.close()
Beispiel #59
0
    def activeUsers(self):
        """
        method:
            monitoring/activeUsers

        description:
            for each realm, display the resolvers and
            the number of users which have at least one assigned active token
            per resolver
            the 'total' gives the number of all users, which are in an allowed
            realm and own an active token
            users are conted per resolver (not per realm), so if resolver is in
            multiple realms and one user ons tokens in 2 realms, the user will
            be counted only once

        arguments:
            * realms - optional: takes realms, only information on these realms
                will be displayed
        """
        result = {}
        try:
            param = request.params
            request_realms = param.get('realms', '').split(',')

            monit_handl = MonitorHandler()

            policies = getAdminPolicies('activeUsers', scope='monitoring')

            realm_whitelist = []
            if policies['active'] and policies['realms']:
                realm_whitelist = policies.get('realms')

            # if there are no policies for us, we are allowed to see all realms
            if not realm_whitelist or '*' in realm_whitelist:
                realm_whitelist = request_context['Realms'].keys()

            realms = match_realms(request_realms, realm_whitelist)

            realm_info = {}
            for a_realm in realms:
                realm_info[a_realm] = monit_handl.active_users_per_realm(
                    a_realm)

            result['Realms'] = realm_info
            result['total'] = monit_handl.active_users_total(realms)

            return sendResult(response, result)

        except PolicyException as policy_exception:
            log.exception(policy_exception)
            Session.rollback()
            return sendError(response, unicode(policy_exception), 1)

        except Exception as exc:
            log.exception(exc)
            Session.rollback()
            return sendError(response, exc)

        finally:
            Session.close()
Beispiel #60
0
    def get_config_info(self):
        """
        get some counts from config db
        :return: dict with keys 'total', 'ldapresolver', 'sqlresolver',
            'passwdresolver', 'policies', 'realms'
        """
        result = {}
        # the number of config entries
        result['total'] = Session.query(config_model).count()

        # the number of resolver defintions
        ldap = Session.query(config_model).filter(
            config_model.Key.like('linotp.ldapresolver.%')).count()
        result['ldapresolver'] = ldap / 13

        sql = Session.query(config_model).filter(
            config_model.Key.like('linotp.sqlresolver.%')).count()
        result['sqlresolver'] = sql / 12

        passwd = Session.query(config_model).filter(
            config_model.Key.like('linotp.passwdresolver.%')).count()
        result['passwdresolver'] = passwd

        # the number of policy definitions
        policies = Session.query(config_model).filter(
            config_model.Key.like('linotp.Policy.%')).count()
        result['policies'] = policies / 7

        # the number of realm definition (?)
        realms = Session.query(config_model).filter(
            config_model.Key.like('linotp.useridresolver.group.%')).count()
        result['realms'] = realms

        return result