Ejemplo n.º 1
0
    def checkUserPass(self, user, passw, options=None):
        """
        :param user: the to be identified user
        :param passw: the identification pass
        :param options: optional parameters, which are provided
                    to the token checkOTP / checkPass

        :return: tuple of True/False and optional information
        """

        # the upper layer will catch / at least should ;-)

        opt = None
        serial = None
        resolverClass = None
        uid = None
        user_exists = False

        if user is not None and not user.is_empty:
            # the upper layer will catch / at least should
            try:
                (uid, _resolver, resolverClass) = getUserId(
                                                    user, check_existance=True)
                user_exists = True
            except Exception as _exx:
                pass_on = context.get('Config').get(
                    'linotp.PassOnUserNotFound', False)
                if pass_on and 'true' == pass_on.lower():
                    g.audit['action_detail'] = (
                        'authenticated by PassOnUserNotFound')
                    return (True, opt)
                else:
                    g.audit['action_detail'] = 'User not found'
                    return (False, opt)

        # if we have an user, check if we forward the request to another server
        if user_exists and get_auth_forward_on_no_token(user) is False:
            servers = get_auth_forward(user)
            if servers:
                res, opt = ForwardServerPolicy.do_request(servers, env,
                                                          user, passw, options)
                return res, opt

        # ------------------------------------------------------------------ --

        th = TokenHandler()

        # ------------------------------------------------------------------ --

        # auto asignement with otp only if user has no active token

        auto_assign_otp_return = th.auto_assign_otp_only(
                                                    otp=passw,
                                                    user=user,
                                                    options=options)

        if auto_assign_otp_return is True:
            return (True, None)

        # ------------------------------------------------------------------ --

        token_type = None
        if options:
            token_type = options.get('token_type', None)

        # ------------------------------------------------------------------ --

        # if there is a serial provided in the parameters, it overwrites the
        # token selection by user

        query_user = user
        if options and 'serial' in  options and options['serial']:
            serial = options['serial']
            query_user = None

        # ------------------------------------------------------------------ --

        tokenList = getTokens4UserOrSerial(
                               query_user,
                               serial,
                               token_type=token_type,
                               read_for_update=True
                               )

        if len(tokenList) == 0:
            g.audit['action_detail'] = 'User has no tokens assigned'

            # here we check if we should to autoassign and try to do it
            auto_assign_return = th.auto_assignToken(passw, user)
            if auto_assign_return is True:
                # We can not check the token, as the OTP value is already used!
                # but we will auth the user....
                return (True, opt)

            auto_enroll_return, opt = th.auto_enrollToken(passw, user,
                                                          options=options)
            if auto_enroll_return is True:
                # we always have to return a false, as
                # we have a challenge tiggered
                return (False, opt)

            pass_on = context.get('Config').get('linotp.PassOnUserNoToken',
                                                False)
            if pass_on and 'true' == pass_on.lower():
                g.audit['action_detail'] = 'authenticated by PassOnUserNoToken'
                return (True, opt)

            # Check if there is an authentication policy passthru

            if get_auth_passthru(user):
                log.debug('user %r has no token. Checking for '
                          'passthru in realm %r' % (user.login, user.realm))
                y = getResolverObject(resolverClass)
                g.audit['action_detail'] = 'Authenticated against Resolver'
                if y.checkPass(uid, passw):
                    return (True, opt)

            # Check alternatively if there is an authentication
            # policy passOnNoToken
            elif get_auth_passOnNoToken(user):
                log.info('user %r has not token. PassOnNoToken'
                         ' set - authenticated!')
                g.audit['action_detail'] = (
                    'Authenticated by passOnNoToken policy')
                return (True, opt)

            # if we have an user, check if we forward the request to another server
            elif get_auth_forward_on_no_token(user) is True:
                servers = get_auth_forward(user)
                if servers:
                    res, opt = ForwardServerPolicy.do_request(
                                            servers, env, user, passw, options)
                    return res, opt

            return False, opt

        if passw is None:
            raise ParameterError("Missing parameter:pass", id=905)

        (res, opt) = self.checkTokenList(
            tokenList, passw, user, options=options)

        return (res, opt)
Ejemplo n.º 2
0
    def checkUserPass(self, user, passw, options=None):
        """
        :param user: the to be identified user
        :param passw: the identifiaction pass
        :param options: optional parameters, which are provided
                    to the token checkOTP / checkPass

        :return: tuple of True/False and optional information
        """

        log.debug('entering function checkUserPass(%r)'
                  % user.login)
        # the upper layer will catch / at least should ;-)

        opt = None
        serial = None
        resolverClass = None
        uid = None
        audit = context['audit']
        user_exists = False

        if user is not None and (user.isEmpty() == False):
            # the upper layer will catch / at least should
            try:
                (uid, _resolver, resolverClass) = getUserId(user)
                user_exists = True
            except:
                pass_on = context.get('Config').get(
                                            'linotp.PassOnUserNotFound', False)
                if pass_on and 'true' == pass_on.lower():
                    audit['action_detail'] = (
                                        'authenticated by PassOnUserNotFound')
                    return (True, opt)
                else:
                    audit['action_detail'] = 'User not found'
                    return (False, opt)

        # if we have an user, check if we forward the request to another server
        if user_exists:
            from linotp.lib.policy import get_auth_forward
            servers = get_auth_forward(user)
            if servers:
                if 'radius://' in servers:
                    rad = RadiusRequest(servers=servers)
                    res, opt = rad.do_request(servers, user, passw, options)
                    return res, opt
                elif 'http://' in servers or 'https://' in servers:
                    http = HttpRequest(servers=servers)
                    res, opt = http.do_request(user, passw, options)
                    return res, opt

        tokenList = linotp.lib.token.getTokens4UserOrSerial(user, serial)

        if len(tokenList) == 0:
            audit['action_detail'] = 'User has no tokens assigned'

            # here we check if we should to autoassign and try to do it
            log.debug('about to check auto_assigning')

            th = TokenHandler()
            auto_assign_return = th.auto_assignToken(passw, user)
            if auto_assign_return is True:
                # We can not check the token, as the OTP value is already used!
                # but we will auth the user....
                return (True, opt)

            auto_enroll_return, opt = th.auto_enrollToken(passw, user,
                                                            options=options)
            if auto_enroll_return is True:
                # we always have to return a false, as
                # we have a challenge tiggered
                return (False, opt)

            pass_on = context.get('Config').get('linotp.PassOnUserNoToken',
                                                         False)
            if pass_on and 'true' == pass_on.lower():
                audit['action_detail'] = 'authenticated by PassOnUserNoToken'
                return (True, opt)

            #  Check if there is an authentication policy passthru
            from linotp.lib.policy import get_auth_passthru
            if get_auth_passthru(user):
                log.debug('user %r has no token. Checking for '
                          'passthru in realm %r' % (user.login, user.realm))
                y = getResolverObject(resolverClass)
                audit['action_detail'] = 'Authenticated against Resolver'
                if y.checkPass(uid, passw):
                    return (True, opt)

            #  Check if there is an authentication policy passOnNoToken
            from linotp.lib.policy import get_auth_passOnNoToken
            if get_auth_passOnNoToken(user):
                log.info('user %r has not token. PassOnNoToken'
                         ' set - authenticated!')
                audit['action_detail'] = (
                    'Authenticated by passOnNoToken policy')
                return (True, opt)

            return (False, opt)

        if passw is None:
            raise ParameterError(u"Missing parameter:pass", id=905)

        (res, opt) = self.checkTokenList(
            tokenList, passw, user, options=options)
        log.debug('return of __checkTokenList: %r ' % (res,))

        return (res, opt)
Ejemplo n.º 3
0
    def checkUserPass(self, user, passw, options=None):
        """
        :param user: the to be identified user
        :param passw: the identifiaction pass
        :param options: optional parameters, which are provided
                    to the token checkOTP / checkPass

        :return: tuple of True/False and optional information
        """

        log.debug('entering function checkUserPass(%r)' % user.login)
        # the upper layer will catch / at least should ;-)

        opt = None
        serial = None
        resolverClass = None
        uid = None
        audit = context['audit']
        user_exists = False

        if user is not None and (user.isEmpty() is False):
            # the upper layer will catch / at least should
            try:
                (uid, _resolver, resolverClass) = getUserId(user)
                user_exists = True
            except:
                pass_on = context.get('Config').get(
                    'linotp.PassOnUserNotFound', False)
                if pass_on and 'true' == pass_on.lower():
                    audit['action_detail'] = (
                        'authenticated by PassOnUserNotFound')
                    return (True, opt)
                else:
                    audit['action_detail'] = 'User not found'
                    return (False, opt)

        # if we have an user, check if we forward the request to another server
        if user_exists:
            servers = get_auth_forward(user)
            if servers:
                res, opt = ForwardServerPolicy.do_request(
                    servers, env, user, passw, options)
                return res, opt

        tokenList = linotp.lib.token.getTokens4UserOrSerial(user, serial)

        if len(tokenList) == 0:
            audit['action_detail'] = 'User has no tokens assigned'

            # here we check if we should to autoassign and try to do it
            log.debug('about to check auto_assigning')

            th = TokenHandler()
            auto_assign_return = th.auto_assignToken(passw, user)
            if auto_assign_return is True:
                # We can not check the token, as the OTP value is already used!
                # but we will auth the user....
                return (True, opt)

            auto_enroll_return, opt = th.auto_enrollToken(passw,
                                                          user,
                                                          options=options)
            if auto_enroll_return is True:
                # we always have to return a false, as
                # we have a challenge tiggered
                return (False, opt)

            pass_on = context.get('Config').get('linotp.PassOnUserNoToken',
                                                False)
            if pass_on and 'true' == pass_on.lower():
                audit['action_detail'] = 'authenticated by PassOnUserNoToken'
                return (True, opt)

            #  Check if there is an authentication policy passthru
            from linotp.lib.policy import get_auth_passthru
            if get_auth_passthru(user):
                log.debug('user %r has no token. Checking for '
                          'passthru in realm %r' % (user.login, user.realm))
                y = getResolverObject(resolverClass)
                audit['action_detail'] = 'Authenticated against Resolver'
                if y.checkPass(uid, passw):
                    return (True, opt)

            #  Check if there is an authentication policy passOnNoToken
            from linotp.lib.policy import get_auth_passOnNoToken
            if get_auth_passOnNoToken(user):
                log.info('user %r has not token. PassOnNoToken'
                         ' set - authenticated!')
                audit['action_detail'] = (
                    'Authenticated by passOnNoToken policy')
                return (True, opt)

            return (False, opt)

        if passw is None:
            raise ParameterError(u"Missing parameter:pass", id=905)

        (res, opt) = self.checkTokenList(tokenList,
                                         passw,
                                         user,
                                         options=options)
        log.debug('return of __checkTokenList: %r ' % (res, ))

        return (res, opt)
Ejemplo n.º 4
0
    def checkUserPass(self, user, passw, options=None):
        """
        :param user: the to be identified user
        :param passw: the identification pass
        :param options: optional parameters, which are provided
                    to the token checkOTP / checkPass

        :return: tuple of True/False and optional information
        """

        # the upper layer will catch / at least should ;-)

        opt = None
        serial = None
        resolverClass = None
        uid = None
        user_exists = False

        if user:
            # the upper layer will catch / at least should
            try:
                (uid, _resolver,
                 resolverClass) = getUserId(user, check_existance=True)
                user_exists = True
            except Exception as _exx:
                pass_on = context.get("Config").get(
                    "linotp.PassOnUserNotFound", False)
                if pass_on and pass_on.lower() == "true":
                    g.audit[
                        "action_detail"] = "authenticated by PassOnUserNotFound"
                    return (True, opt)
                else:
                    g.audit["action_detail"] = "User not found"
                    return (False, opt)

        # if we have an user, check if we forward the request to another server
        if user_exists and not get_auth_forward_on_no_token(user):
            servers = get_auth_forward(user)
            if servers:
                log.info("forwarding auth request for user {} to {}".format(
                    user, servers))
                res, opt = ForwardServerPolicy.do_request(
                    servers, env, user, passw, options)
                log.info("result of auth request for user {}: ({}, {})".format(
                    user, res, opt))
                g.audit["action_detail"] = "Forwarded, result {}".format(res)
                return res, opt
            else:
                log.info(
                    "NOT forwarding auth request for user {} (no servers)".
                    format(user))
                g.audit["action_detail"] = "Not forwarded (no servers)"
        else:
            log.info(
                "NOT forwarding auth request for user {} "
                "(get_auth_forward_on_no_token returned False)".format(user))

        # ------------------------------------------------------------------ --

        th = TokenHandler()

        # ------------------------------------------------------------------ --

        # auto asignement with otp only if user has no active token

        auto_assign_otp_return = th.auto_assign_otp_only(otp=passw,
                                                         user=user,
                                                         options=options)

        if auto_assign_otp_return:
            return (True, None)

        # ------------------------------------------------------------------ --

        token_type = None
        if options:
            token_type = options.get("token_type", None)

        # ------------------------------------------------------------------ --

        # if there is a serial provided in the parameters, it overwrites the
        # token selection by user

        query_user = user
        if options and "serial" in options and options["serial"]:
            serial = options["serial"]
            query_user = None

        # ------------------------------------------------------------------ --

        tokenList = getTokens4UserOrSerial(query_user,
                                           serial,
                                           token_type=token_type,
                                           read_for_update=True)

        if len(tokenList) == 0:
            g.audit["action_detail"] = "User has no tokens assigned"

            # here we check if we should to autoassign and try to do it
            auto_assign_return = th.auto_assignToken(passw, user)
            if auto_assign_return:
                # We can not check the token, as the OTP value is already used!
                # but we will auth the user....
                return (True, opt)

            auto_enroll_return, opt = th.auto_enrollToken(passw,
                                                          user,
                                                          options=options)
            if auto_enroll_return:
                # we always have to return a false, as
                # we have a challenge tiggered
                return (False, opt)

            pass_on = context.get("Config").get("linotp.PassOnUserNoToken",
                                                False)
            if pass_on and pass_on.lower() == "true":
                g.audit["action_detail"] = "authenticated by PassOnUserNoToken"
                return (True, opt)

            # Check if there is an authentication policy passthru

            if get_auth_passthru(user):
                log.debug(
                    "user %r has no token. Checking for passthru in realm %r",
                    user.login,
                    user.realm,
                )
                y = getResolverObject(resolverClass)
                g.audit["action_detail"] = "Authenticated against Resolver"
                if y.checkPass(uid, passw):
                    return (True, opt)

            # Check alternatively if there is an authentication
            # policy passOnNoToken
            elif get_auth_passOnNoToken(user):
                log.info("user %r has not token. PassOnNoToken"
                         " set - authenticated!")
                g.audit[
                    "action_detail"] = "Authenticated by passOnNoToken policy"
                return (True, opt)

            # if we have an user, check if we forward the request to another
            # server
            elif get_auth_forward_on_no_token(user):
                servers = get_auth_forward(user)
                if servers:
                    log.info(
                        "forwarding auth request for user {} to {}".format(
                            user, servers))
                    res, opt = ForwardServerPolicy.do_request(
                        servers, env, user, passw, options)
                    log.info(
                        "result of auth request for user {}: ({}, {})".format(
                            user, res, opt))
                    g.audit["action_detail"] = "Forwarded, result {}".format(
                        res)
                    return res, opt
                else:
                    log.info(
                        "NOT forwarding auth request for user {} (no servers)".
                        format(user))
                    g.audit["action_detail"] = "Not forwarded (no servers)"

            return False, opt

        if passw is None:
            raise ParameterError("Missing parameter:pass", id=905)

        (res, opt) = self.checkTokenList(tokenList,
                                         passw,
                                         user,
                                         options=options)

        return (res, opt)
Ejemplo n.º 5
0
    def checkUserPass(self, user, passw, options=None):
        """
        :param user: the to be identified user
        :param passw: the identification pass
        :param options: optional parameters, which are provided
                    to the token checkOTP / checkPass

        :return: tuple of True/False and optional information
        """

        # the upper layer will catch / at least should ;-)

        opt = None
        serial = None
        resolverClass = None
        uid = None
        audit = context['audit']
        user_exists = False

        if user is not None and not user.is_empty:
            # the upper layer will catch / at least should
            try:
                (uid, _resolver, resolverClass) = getUserId(
                                                    user, check_existance=True)
                user_exists = True
            except Exception as _exx:
                pass_on = context.get('Config').get(
                    'linotp.PassOnUserNotFound', False)
                if pass_on and 'true' == pass_on.lower():
                    audit['action_detail'] = (
                        'authenticated by PassOnUserNotFound')
                    return (True, opt)
                else:
                    audit['action_detail'] = 'User not found'
                    return (False, opt)

        # if we have an user, check if we forward the request to another server
        if user_exists and get_auth_forward_on_no_token(user) is False:
            servers = get_auth_forward(user)
            if servers:
                res, opt = ForwardServerPolicy.do_request(servers, env,
                                                          user, passw, options)
                return res, opt

        # ------------------------------------------------------------------ --

        th = TokenHandler()

        # ------------------------------------------------------------------ --

        # auto asignement with otp only if user has no active token

        auto_assign_otp_return = th.auto_assign_otp_only(
                                                    otp=passw,
                                                    user=user,
                                                    options=options)

        if auto_assign_otp_return is True:
            return (True, None)

        # ------------------------------------------------------------------ --

        token_type = None
        if options:
            token_type = options.get('token_type', None)

        # ------------------------------------------------------------------ --

        # if there is a serial provided in the parameters, it overwrites the
        # token selection by user

        query_user = user
        if options and 'serial' in  options and options['serial']:
            serial = options['serial']
            query_user = None

        # ------------------------------------------------------------------ --

        tokenList = getTokens4UserOrSerial(
                               query_user,
                               serial,
                               token_type=token_type,
                               read_for_update=True
                               )

        if len(tokenList) == 0:
            audit['action_detail'] = 'User has no tokens assigned'

            # here we check if we should to autoassign and try to do it
            auto_assign_return = th.auto_assignToken(passw, user)
            if auto_assign_return is True:
                # We can not check the token, as the OTP value is already used!
                # but we will auth the user....
                return (True, opt)

            auto_enroll_return, opt = th.auto_enrollToken(passw, user,
                                                          options=options)
            if auto_enroll_return is True:
                # we always have to return a false, as
                # we have a challenge tiggered
                return (False, opt)

            pass_on = context.get('Config').get('linotp.PassOnUserNoToken',
                                                False)
            if pass_on and 'true' == pass_on.lower():
                audit['action_detail'] = 'authenticated by PassOnUserNoToken'
                return (True, opt)

            # Check if there is an authentication policy passthru

            if get_auth_passthru(user):
                log.debug('user %r has no token. Checking for '
                          'passthru in realm %r' % (user.login, user.realm))
                y = getResolverObject(resolverClass)
                audit['action_detail'] = 'Authenticated against Resolver'
                if y.checkPass(uid, passw):
                    return (True, opt)

            # Check alternatively if there is an authentication
            # policy passOnNoToken
            elif get_auth_passOnNoToken(user):
                log.info('user %r has not token. PassOnNoToken'
                         ' set - authenticated!')
                audit['action_detail'] = (
                    'Authenticated by passOnNoToken policy')
                return (True, opt)

            # if we have an user, check if we forward the request to another server
            elif get_auth_forward_on_no_token(user) is True:
                servers = get_auth_forward(user)
                if servers:
                    res, opt = ForwardServerPolicy.do_request(
                                            servers, env, user, passw, options)
                    return res, opt

            return False, opt

        if passw is None:
            raise ParameterError(u"Missing parameter:pass", id=905)

        (res, opt) = self.checkTokenList(
            tokenList, passw, user, options=options)

        return (res, opt)