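def validate_otp(token, **kwargs):
    """
    Validate newly setup OTP token

    Variables:
    token     => Current token for temporary OTP secret key

    Arguments:
    None

    Data Block:
    None

    Result example:
    {
     "success": true
    }
    """
    uname = kwargs['user']['uname']
    user_data = STORAGE.get_user(uname)

    # The token arrives as a URL variable; anything that is not an integer
    # (including a missing value) is rejected before touching the session.
    try:
        token = int(token)
    except (TypeError, ValueError):
        return make_api_response({'success': False}, err="This is not a valid OTP token", status_code=400)

    secret_key = flsk_session.pop('temp_otp_sk', None)
    if secret_key is None:
        # Nothing to validate against: setup_otp was never called for this
        # session (or the session expired). Without this guard the code below
        # would call get_totp_token(None) and, on mismatch, store None back
        # into the session.
        return make_api_response({'success': False}, err="No OTP setup in progress", status_code=400)

    if get_totp_token(secret_key) == token:
        # First matching token promotes the pending secret to the user record.
        user_data['otp_sk'] = secret_key
        STORAGE.save_user(uname, user_data)
        return make_api_response({'success': True})

    # Mismatch: keep the pending secret so the user can retry with the next code.
    # NOTE(review): nothing here bounds the number of retries; confirm a rate
    # limit is enforced upstream of this handler.
    flsk_session['temp_otp_sk'] = secret_key
    return make_api_response({'success': False}, err="OTP token does not match secret key", status_code=400)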
def add_apikey(name, priv, **kwargs):
    """
    Add an API Key for the currently logged in user with given privileges

    Variables:
    name    => Name of the API key
    priv    => Requested privileges

    Arguments:
    None

    Data Block:
    None

    Result example:
    {"apikey": <randomly_generated_password>}
    """
    user = kwargs['user']
    uname = user['uname']
    user_data = STORAGE.get_user(uname)
    existing_keys = user_data.get('apikeys', [])

    # Key names are unique per user; each entry is a (name, hash, privs) tuple.
    taken_names = [entry[0] for entry in existing_keys]
    if name in taken_names:
        return make_api_response("", err="APIKey %s already exist" % name, status_code=400)

    if priv not in API_PRIV_MAP.keys():
        return make_api_response(
            "",
            err="Invalid APIKey privilege '%s'. Choose between: %s " % (priv, API_PRIV_MAP.keys()),
            status_code=400)

    # Only the bcrypt hash is persisted; the clear-text key is returned once
    # to the caller and never stored.
    random_pass = get_random_password(length=48)
    new_entry = (name, bcrypt.encrypt(random_pass), API_PRIV_MAP[priv])
    existing_keys.append(new_entry)
    user_data['apikeys'] = existing_keys
    STORAGE.save_user(uname, user_data)

    return make_api_response({"apikey": random_pass})
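def bind(**kwargs):
    """
    Complete registration of the new key

    Variables:
    None

    Arguments:
    data    => Response to the enroll challenge

    Data Block:
    None

    Result example:
    {
     "success": True
    }
    """
    uname = kwargs['user']['uname']
    data = request.json
    if data is None:
        # No JSON body at all; the membership test below would raise on None.
        return make_api_response({'success': False}, err="Missing registration response", status_code=400)

    if "errorCode" in data:
        # The client reports its own failure codes; an unmapped code must not
        # turn into a KeyError (HTTP 500).
        client_error = U2F_CLIENT_ERROR_MAP.get(data['errorCode'], "Unknown U2F client error")
        return make_api_response({'success': False}, err=client_error, status_code=400)

    user = STORAGE.get_user(uname)
    current_enroll = session.pop('_u2f_enroll_', None)
    if current_enroll is None:
        # No challenge was issued to this session (enroll() not called, or the
        # session expired); the unguarded pop previously raised KeyError.
        return make_api_response({'success': False}, err="No U2F enrollment in progress", status_code=400)

    try:
        device, _cert = complete_registration(current_enroll, data, [APP_ID])
    except Exception as e:
        # Any verification failure is reported to the client as a 400 rather
        # than leaking as a server error.
        return make_api_response({'success': False}, err=e.message, status_code=400)

    user.setdefault('u2f_devices', []).append(device.json)
    STORAGE.save_user(uname, user)
    return make_api_response({"success": True})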
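def set_user_account(username, **kwargs):
    """
    Save the user account information.

    Variables:
    username    => Name of the user whose account info is saved

    Arguments:
    None

    Data Block:
    {
     "name": "Test user",        # Name of the user
     "is_active": true,          # Is the user active?
     "classification": "",       # Max classification for user
     "uname": "usertest",        # Username
     "is_admin": false,          # Is the user admin?
     "avatar": null,             # Avatar of the user
     "groups": ["TEST"]          # Groups the user is member of
    }

    Result example:
    {
     "success": true             # Saving the user info succeeded
    }
    """
    try:
        data = request.json
        if data is None:
            # No JSON body; the pop() calls below would fail on None.
            return make_api_response({"success": False}, "Missing user account data", 400)

        # The password fields never belong in the stored record: strip both
        # up front, regardless of whether a password change is requested.
        new_pass = data.pop('new_pass', None)
        data.pop('new_pass_confirm', None)

        old_user = STORAGE.get_user(username)
        if not old_user:
            return make_api_response({"success": False},
                                     "User %s does not exists" % username, 404)

        # Credential material is not writable through this endpoint: carry the
        # stored values across so the client-supplied block cannot replace them.
        data['apikeys'] = old_user.get('apikeys', [])
        data['otp_sk'] = old_user.get('otp_sk', None)
        data['u2f_devices'] = old_user.get('u2f_devices', [])

        if new_pass:
            if not check_password_requirements(
                    new_pass, strict=config.auth.internal.strict_requirements):
                return make_api_response(
                    {"success": False},
                    "Password does not meet minimum password requirements.",
                    469)
            data['password'] = get_password_hash(new_pass)
        else:
            data['password'] = old_user.get('password', None)

        # NOTE(review): is_admin, classification and groups arrive straight
        # from the request body; this handler assumes save_user_account()
        # decides whether kwargs['user'] may change them — confirm.
        return make_api_response(
            {"success": save_user_account(username, data, kwargs['user'])})
    except AccessDeniedException as e:
        return make_api_response({"success": False}, e.message, 403)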
def setup_otp(**kwargs):
    """
    Setup OTP for the currently logged in user

    Variables:
    None

    Arguments:
    None

    Data Block:
    None

    Result example:
    {
     "qrcode": <qrcode binary>,
     "otp_url": 'otpauth://totp/{site}:{uname}?secret={secret_key}&issuer={site}',
     "secret_key": <SECRET KEY>
    }
    """
    uname = kwargs['user']['uname']
    user_data = STORAGE.get_user(uname)

    # Refuse to replace a secret that is already enrolled for this user.
    if user_data.get("otp_sk", None):
        return make_api_response("", err="OTP already set for this user", status_code=400)

    secret_key = generate_random_secret()
    site = config.ui.fqdn
    otp_url = 'otpauth://totp/{site}:{uname}?secret={secret_key}&issuer={site}'.format(
        uname=uname, secret_key=secret_key, site=site)

    # Render the provisioning URL as an SVG QR code into an in-memory buffer.
    svg_buffer = StringIO()
    pyqrcode.create(otp_url).svg(svg_buffer, scale=3)

    # The secret is only promoted to the user record once validate_otp sees a
    # matching token; until then it lives in the session.
    flsk_session['temp_otp_sk'] = secret_key

    response = {
        'qrcode': svg_buffer.getvalue(),
        'otp_url': otp_url,
        'secret_key': secret_key,
    }
    return make_api_response(response)
def disable_otp(**kwargs):
    """
    Disable OTP for the currently logged in user

    Variables:
    None

    Arguments:
    None

    Data Block:
    None

    Result example:
    {
     "success": true
    }
    """
    uname = kwargs['user']['uname']
    user_record = STORAGE.get_user(uname)

    # Removing the stored secret is what turns OTP off; a user without one
    # is left unchanged and still reports success.
    # NOTE(review): no re-authentication (password or current OTP code) is
    # requested before removing the second factor — confirm the route's
    # authentication guard is intended to be sufficient.
    if 'otp_sk' in user_record:
        del user_record['otp_sk']
    STORAGE.save_user(uname, user_record)

    return make_api_response({"success": True})
def enroll(**kwargs):
    """
    Begin registration of a new U2F Security Token

    Variables:
    None

    Arguments:
    None

    Data Block:
    None

    Result example:
    <U2F_ENROLL_CHALLENGE_BLOCK>
    """
    uname = kwargs['user']['uname']
    user = STORAGE.get_user(uname)

    # The user's already-registered devices are handed to begin_registration
    # along with the application id.
    registration = begin_registration(APP_ID, user.get('u2f_devices', []))

    # The server-side half of the challenge stays in the session; bind()
    # pops it to finish the registration.
    session['_u2f_enroll_'] = registration.json

    return make_api_response(registration.data_for_client)
def clear(**kwargs):
    """
    Remove currently configured security token

    Variables:
    None

    Arguments:
    None

    Data Block:
    None

    Result example:
    {
      "success": true
    }
    """
    uname = kwargs['user']['uname']
    user_record = STORAGE.get_user(uname)

    # Dropping the device list removes every registered U2F token at once;
    # a user with none registered is unchanged and still reports success.
    # NOTE(review): no re-authentication is requested before removing the
    # second factor — confirm the route's authentication guard is intended
    # to be sufficient.
    if 'u2f_devices' in user_record:
        del user_record['u2f_devices']
    STORAGE.save_user(uname, user_record)

    return make_api_response({'success': True})
def delete_apikey(name, **kwargs):
    """
    Delete an API Key matching specified name for the currently logged in user

    Variables:
    name    => Name of the API key

    Arguments:
    None

    Data Block:
    None

    Result example:
    {
     "success": True
    }
    """
    uname = kwargs['user']['uname']
    user_data = STORAGE.get_user(uname)

    # Entries are (name, hash, privs) tuples; drop every entry whose name
    # matches. A name that is not present still yields success (idempotent).
    remaining = list(filter(lambda entry: entry[0] != name, user_data.get('apikeys', [])))
    user_data['apikeys'] = remaining
    STORAGE.save_user(uname, user_data)

    return make_api_response({"success": True})
def sign(username, **_):
    """
    Start the U2F sign-in procedure

    Variables:
    username     => Name of the user to sign in as

    Arguments:
    None

    Data Block:
    None

    Result example:
    <U2F_SIGN_IN_CHALLENGE_BLOCK>
    """
    user = STORAGE.get_user(username)
    if not user:
        # Generic message: the response text does not state whether the
        # account exists.
        return make_api_response({'success': False}, err="Bad Request", status_code=400)

    # NOTE(review): a user with no registered devices still reaches
    # begin_authentication with an empty list — confirm it fails closed.
    registered_devices = user.get('u2f_devices', [])
    challenge = begin_authentication(APP_ID, registered_devices)

    # The server-side challenge is kept in the session for the completion step.
    session['_u2f_challenge_'] = challenge.json

    return make_api_response(challenge.data_for_client)