def check_yubikey(self):
'''
This function is used to validate the output of a yubikey
method:
validate/check_yubikey
:param pass: The password that consist of the static yubikey prefix and the otp
:type pass: string
:return: JSON Object
returns:
JSON response::
{
"version": "LinOTP 2.4",
"jsonrpc": "2.0",
"result": {
"status": true,
"value": false
},
"detail" : {
"username": username,
"realm": realm
},
"id": 0
}
'''
try:
try:
passw = self.request_params['pass']
except KeyError:
raise ParameterError("Missing parameter: 'pass'")
ok = False
try:
vh = ValidationHandler()
ok, opt = vh.checkYubikeyPass(passw)
g.audit['success'] = ok
except AuthorizeException as exx:
log.warning(
"[check_yubikey] authorization failed for validate/check_yubikey: %r"
% exx)
g.audit['success'] = False
g.audit['info'] = str(exx)
ok = False
db.session.commit()
return sendResult(response, ok, 0, opt=opt)
except Exception as exx:
log.exception("[check_yubikey] validate/check_yubikey failed: %r" %
exx)
g.audit['info'] = str(exx)
db.session.rollback()
return sendResult(response, False, 0)
def check_yubikey(self):
'''
This function is used to validate the output of a yubikey
method:
validate/check_yubikey
:param pass: The password that consist of the static yubikey prefix and the otp
:type pass: string
:return: JSON Object
returns:
JSON response::
{
"version": "LinOTP 2.4",
"jsonrpc": "2.0",
"result": {
"status": true,
"value": false
},
"detail" : {
"username": username,
"realm": realm
},
"id": 0
}
'''
param = request.params
passw = getParam(param, "pass", required)
try:
ok = False
try:
vh = ValidationHandler()
ok, opt = vh.checkYubikeyPass(passw)
c.audit['success'] = ok
except AuthorizeException as exx:
log.warning(
"[check_yubikey] authorization failed for validate/check_yubikey: %r"
% exx)
c.audit['success'] = False
c.audit['info'] = unicode(exx)
ok = False
Session.commit()
return sendResult(response, ok, 0, opt=opt)
except Exception as exx:
log.exception("[check_yubikey] validate/check_yubikey failed: %r" %
exx)
c.audit['info'] = unicode(exx)
Session.rollback()
return sendResult(response, False, 0)
finally:
Session.close()
def reject_transaction(self):
"""
rejects a transaction.
needs the mandatory url query parameters:
* transactionid: unique id for the transaction
* signature: signature for the rejection
"""
try:
param = self.request_params.copy()
# -------------------------------------------------------------- --
# check the parameters
if 'signature' not in param:
raise ParameterError("Missing parameter: 'signature'!")
if 'transactionid' not in param:
raise ParameterError("Missing parameter: 'transactionid'!")
# -------------------------------------------------------------- --
# start the processing
passw = {'reject': param['signature']}
transid = param['transactionid']
vh = ValidationHandler()
ok, _opt = vh.check_by_transactionid(transid=transid,
passw=passw,
options=param)
# -------------------------------------------------------------- --
# finish the result
if 'serial' in _opt:
g.audit['serial'] = _opt['serial']
if 'token_type' in _opt:
g.audit['token_type'] = _opt['token_type']
g.audit['info'] = 'reject transaction: %r' % ok
g.audit['success'] = ok
db.session.commit()
return sendResult(response, ok)
except Exception as exx:
log.exception("validate/reject_transaction failed: %r" % exx)
g.audit['info'] = "%r" % exx
db.session.rollback()
return sendResult(response, False, 0)
def check_t(self):
param = {}
value = {}
ok = False
opt = {}
try:
param.update(request.params)
if 'pass' not in param:
raise ParameterError("Missing parameter: 'pass'")
passw = param['pass']
transid = param.get('state', None)
if transid is not None:
param['transactionid'] = transid
del param['state']
if transid is None:
transid = param.get('transactionid', None)
if transid is None:
raise Exception("missing parameter: state or transactionid!")
vh = ValidationHandler()
(ok, opt) = vh.check_by_transactionid(transid=transid,
passw=passw,
options=param)
value['value'] = ok
value['failcount'] = int(opt.get('failcount', 0))
c.audit['success'] = ok
Session.commit()
qr = param.get('qr', None)
if qr and opt and 'message' in opt:
try:
dataobj = opt.get('message')
param['alt'] = "%s" % opt
if 'transactionid' in opt:
param['transactionid'] = opt['transactionid']
return sendQRImageResult(response, dataobj, param)
except Exception as exc:
log.warning("failed to send QRImage: %r " % exc)
return sendQRImageResult(response, opt, param)
else:
return sendResult(response, value, 1, opt=opt)
except Exception as exx:
log.exception("[check_t] validate/check_t failed: %r" % exx)
c.audit['info'] = unicode(exx)
Session.rollback()
return sendResult(response, False, 0)
finally:
Session.close()
def check_yubikey(self):
'''
This function is used to validate the output of a yubikey
method:
validate/check_yubikey
:param pass: The password that consist of the static yubikey prefix and the otp
:type pass: string
:return: JSON Object
returns:
JSON response::
{
"version": "LinOTP 2.4",
"jsonrpc": "2.0",
"result": {
"status": true,
"value": false
},
"detail" : {
"username": username,
"realm": realm
},
"id": 0
}
'''
param = request.params
passw = getParam(param, "pass", required)
try:
ok = False
try:
vh = ValidationHandler()
ok, opt = vh.checkYubikeyPass(passw)
c.audit['success'] = ok
except AuthorizeException as exx:
log.warning("[check_yubikey] authorization failed for validate/check_yubikey: %r"
% exx)
c.audit['success'] = False
c.audit['info'] = unicode(exx)
ok = False
Session.commit()
return sendResult(response, ok, 0, opt=opt)
except Exception as exx:
log.exception("[check_yubikey] validate/check_yubikey failed: %r" % exx)
c.audit['info'] = unicode(exx)
Session.rollback()
return sendResult(response, False, 0)
finally:
Session.close()
log.debug('[check_yubikey] done')
def accept_transaction(self):
"""
confirms a transaction.
needs the mandatory url query parameters:
* transactionid: unique id for the transaction
* signature: signature for the confirmation
"""
try:
param = self.request_params.copy()
# -------------------------------------------------------------- --
# check the parameters
if "signature" not in param:
raise ParameterError("Missing parameter: 'signature'!")
if "transactionid" not in param:
raise ParameterError("Missing parameter: 'transactionid'!")
# -------------------------------------------------------------- --
# start the processing
passw = {"accept": param["signature"]}
transid = param["transactionid"]
vh = ValidationHandler()
ok, _opt = vh.check_by_transactionid(
transid=transid, passw=passw, options=param
)
# -------------------------------------------------------------- --
# finish the result
if "serial" in _opt:
g.audit["serial"] = _opt["serial"]
if "token_type" in _opt:
g.audit["token_type"] = _opt["token_type"]
g.audit["info"] = "accept transaction: %r" % ok
g.audit["success"] = ok
db.session.commit()
return sendResult(response, ok)
except Exception as exx:
log.error("validate/accept_transaction failed: %r", exx)
g.audit["info"] = "%r" % exx
db.session.rollback()
return sendResult(response, False, 0)
def accept_transaction(self):
"""
confirms a transaction.
needs the mandatory url query parameters:
* transactionid: unique id for the transaction
* signature: signature for the confirmation
"""
try:
param = {}
param.update(request.params)
# -------------------------------------------------------------- --
# check the parameters
if 'signature' not in param:
raise ParameterError("Missing parameter: 'signature'!")
if 'transactionid' not in param:
raise ParameterError("Missing parameter: 'transactionid'!")
# -------------------------------------------------------------- --
# start the processing
passw = {'accept': param['signature']}
transid = param['transactionid']
vh = ValidationHandler()
ok, _opt = vh.check_by_transactionid(transid=transid,
passw=passw,
options=param)
# -------------------------------------------------------------- --
# finish the result
c.audit['info'] = 'accept transaction: %r' % ok
c.audit['success'] = ok
Session.commit()
return sendResult(response, ok)
except Exception as exx:
log.exception("validate/accept_transaction failed: %r" % exx)
c.audit['info'] = "%r" % exx
Session.rollback()
return sendResult(response, False, 0)
finally:
Session.close()
def check_t(self):
param = self.request_params.copy()
value = {}
ok = False
opt = {}
try:
if 'pass' not in param:
raise ParameterError("Missing parameter: 'pass'")
passw = param['pass']
transid = param.get('state', None)
if transid is not None:
param['transactionid'] = transid
del param['state']
if transid is None:
transid = param.get('transactionid', None)
if transid is None:
raise Exception("missing parameter: state or transactionid!")
vh = ValidationHandler()
(ok, opt) = vh.check_by_transactionid(transid=transid,
passw=passw,
options=param)
value['value'] = ok
value['failcount'] = int(opt.get('failcount', 0))
c.audit['success'] = ok
Session.commit()
qr = param.get('qr', None)
if qr and opt and 'message' in opt:
try:
dataobj = opt.get('message')
param['alt'] = "%s" % opt
if 'transactionid' in opt:
param['transactionid'] = opt['transactionid']
return sendQRImageResult(response, dataobj, param)
except Exception as exc:
log.warning("failed to send QRImage: %r " % exc)
return sendQRImageResult(response, opt, param)
else:
return sendResult(response, value, 1, opt=opt)
except Exception as exx:
log.exception("[check_t] validate/check_t failed: %r" % exx)
c.audit['info'] = unicode(exx)
Session.rollback()
return sendResult(response, False, 0)
finally:
Session.close()
def check_status(self):
"""
check the status of a transaction - for polling support
"""
try:
param = {}
param.update(request.params)
#
# we require either state or transactionid as parameter
transid = param.get('state', param.get('transactionid', None))
if not transid:
raise ParameterError(_('Missing required parameter "state" or '
'"transactionid"!'))
#
# serial is an optional parameter
serial = param.get('serial', None)
#
# but user is an required parameter
if "user" not in param:
raise ParameterError(_('Missing required parameter "serial"'
' or "user"!'))
user = getUserFromParam(param)
passw = param.get('pass', None)
if passw is None:
raise ParameterError(_('Missing required parameter "pass"!'))
use_offline = param.get('use_offline', False)
va = ValidationHandler()
ok, opt = va.check_status(transid=transid, user=user,
serial=serial, password=passw,
use_offline=use_offline)
c.audit['success'] = ok
c.audit['info'] = unicode(opt)
Session.commit()
return sendResult(response, ok, 0, opt=opt)
except Exception as exx:
log.exception("check_status failed: %r" % exx)
c.audit['info'] = unicode(exx)
Session.rollback()
return sendResult(response, False, 0)
finally:
Session.close()
def check_t(self):
param = self.request_params.copy()
value = {}
ok = False
opt = {}
try:
if "pass" not in param:
raise ParameterError("Missing parameter: 'pass'")
passw = param["pass"]
transid = param.get("state", None)
if transid is not None:
param["transactionid"] = transid
del param["state"]
if transid is None:
transid = param.get("transactionid", None)
if transid is None:
raise Exception("missing parameter: state or transactionid!")
vh = ValidationHandler()
(ok, opt) = vh.check_by_transactionid(
transid=transid, passw=passw, options=param
)
value["value"] = ok
value["failcount"] = int(opt.get("failcount", 0))
g.audit["success"] = ok
db.session.commit()
qr = param.get("qr", None)
if qr and opt and "message" in opt:
try:
dataobj = opt.get("message")
param["alt"] = "%s" % opt
if "transactionid" in opt:
param["transactionid"] = opt["transactionid"]
return sendQRImageResult(response, dataobj, param)
except Exception as exc:
log.warning("failed to send QRImage: %r ", exc)
return sendQRImageResult(response, opt, param)
else:
return sendResult(response, value, 1, opt=opt)
except Exception as exx:
log.error("[check_t] validate/check_t failed: %r", exx)
g.audit["info"] = str(exx)
db.session.rollback()
return sendResult(response, False, 0)
def check_status(self):
"""
check the status of a transaction - for polling support
"""
try:
param = self.request_params
#
# we require either state or transactionid as parameter
transid = param.get('state', param.get('transactionid', None))
if not transid:
raise ParameterError(
_('Missing required parameter "state" or '
'"transactionid"!'))
#
# serial is an optional parameter
serial = param.get('serial', None)
# user is an optional parameter:
# if no 'user' in the parameters, the User object will be empty
user = getUserFromParam(param)
passw = param.get('pass')
if passw is None:
raise ParameterError(_('Missing required parameter "pass"!'))
use_offline = param.get('use_offline', False)
va = ValidationHandler()
ok, opt = va.check_status(transid=transid,
user=user,
serial=serial,
password=passw,
use_offline=use_offline)
g.audit['success'] = ok
g.audit['info'] = str(opt)
db.session.commit()
return sendResult(response, ok, 0, opt=opt)
except Exception as exx:
log.exception("check_status failed: %r" % exx)
g.audit['info'] = str(exx)
db.session.rollback()
return sendResult(response, False, 0)
def check_status(self):
"""
check the status of a transaction - for polling support
"""
try:
param = self.request_params
#
# we require either state or transactionid as parameter
transid = param.get('state', param.get('transactionid', None))
if not transid:
raise ParameterError(_('Missing required parameter "state" or '
'"transactionid"!'))
#
# serial is an optional parameter
serial = param.get('serial', None)
# user is an optional parameter:
# if no 'user' in the parameters, the User object will be empty
user = getUserFromParam(param)
passw = param.get('pass')
if passw is None:
raise ParameterError(_('Missing required parameter "pass"!'))
use_offline = param.get('use_offline', False)
va = ValidationHandler()
ok, opt = va.check_status(transid=transid, user=user,
serial=serial, password=passw,
use_offline=use_offline)
c.audit['success'] = ok
c.audit['info'] = unicode(opt)
Session.commit()
return sendResult(response, ok, 0, opt=opt)
except Exception as exx:
log.exception("check_status failed: %r" % exx)
c.audit['info'] = unicode(exx)
Session.rollback()
return sendResult(response, False, 0)
finally:
Session.close()
def check_status(self):
"""
check the status of a transaction - for polling support
"""
param = {}
ok = False
opt = None
try:
param.update(request.params)
transid = param.get('state', param.get('transactionid', None))
if not transid:
raise ParameterError(_('Missing required parameter "state" or '
'"transactionid"!'))
serial = param.get('serial', None)
user = getUserFromParam(param, False)
if not user and not serial:
raise ParameterError(_('Missing required parameter "serial"'
' or "user"!'))
passw = param.get('pass', None)
if not passw:
raise ParameterError(_('Missing required parameter "pass"!'))
use_offline = param.get('use_offline', False)
va = ValidationHandler()
ok, opt = va.check_status(transid=transid, user=user,
serial=serial, password=passw,
use_offline=use_offline)
c.audit['success'] = ok
c.audit['info'] = unicode(opt)
Session.commit()
return sendResult(response, ok, 0, opt=opt)
except Exception as exx:
log.exception("check_status failed: %r" % exx)
c.audit['info'] = unicode(exx)
Session.rollback()
return sendResult(response, False, 0)
finally:
Session.close()
log.debug('[check] done')
def test_validate_check_with_serial(
self, mocked_geUserId, mocked_get_auth_forward,
mocked_checkTokenList, mocked_auth_forward_no_token):
"""
test calling checkUserPass with serial in the list of optional args
"""
# ------------------------------------------------------------------ --
# test setup
user = User('root', 'anywhere')
passw = "Test123!"
serial = 'tok123'
options = {'serial': serial}
mocked_auth_forward_no_token.return_value = True
mocked_geUserId.return_value = ('uid', 'resolver', 'resolverClass')
mocked_get_auth_forward.return_value = None
mocked_checkTokenList.return_value = True, None
# ------------------------------------------------------------------ --
# if serial was given, there should be only one token in the tokenlist
# when calling of checkTokenList
vh = ValidationHandler()
_result = vh.checkUserPass(user, passw, options=options)
call_args = mocked_checkTokenList.call_args
token_list = call_args[0][0]
assert len(token_list) == 1
# ------------------------------------------------------------------ --
# if no serial was given, there should be 2 token in the tokenlist
# when calling of checkTokenList
vh = ValidationHandler()
_result = vh.checkUserPass(user, passw, options=None)
call_args = mocked_checkTokenList.call_args
token_list = call_args[0][0]
assert len(token_list) > 1
return
def test_validate_check_with_serial(
self,
mocked_geUserId,
mocked_get_auth_forward,
mocked_checkTokenList,
mocked_auth_forward_no_token,
):
"""
test calling checkUserPass with serial in the list of optional args
"""
# ------------------------------------------------------------------ --
# test setup
user = User("root", "anywhere")
passw = "Test123!"
serial = "tok123"
options = {"serial": serial}
mocked_auth_forward_no_token.return_value = True
mocked_geUserId.return_value = ("uid", "resolver", "resolverClass")
mocked_get_auth_forward.return_value = None
mocked_checkTokenList.return_value = True, None
# ------------------------------------------------------------------ --
# if serial was given, there should be only one token in the tokenlist
# when calling of checkTokenList
vh = ValidationHandler()
_result = vh.checkUserPass(user, passw, options=options)
call_args = mocked_checkTokenList.call_args
token_list = call_args[0][0]
assert len(token_list) == 1
# ------------------------------------------------------------------ --
# if no serial was given, there should be 2 token in the tokenlist
# when calling of checkTokenList
vh = ValidationHandler()
_result = vh.checkUserPass(user, passw, options=None)
call_args = mocked_checkTokenList.call_args
token_list = call_args[0][0]
assert len(token_list) > 1
return
def check(self):
'''
This function is used to login
method:
openid/check
arguments:
user - user to login
realm - in which realm the user should login
pass - password
returns:
JSON response
'''
ok = False
param = {}
do_redirect = None
message = None
try:
param.update(request.params)
same_user = True
passw = getParam(param, "pass", optional)
## getUserFromParam will return default realm if no realm is
## provided via @ append or extra parameter realm
## if the provided realm does not exist, the realm is left empty
user = getUserFromParam(param, optional)
## if the requested user has a realm specified (via @realm append)
## and this is not the same as the user from getUserFromParam
## the requested user is not a valid one!
p_user = param.get('user', '')
if "@" in p_user:
if p_user != "%s@%s" % (user.login, user.realm):
same_user = False
c.audit['user'] = user.login
c.audit['realm'] = user.realm or getDefaultRealm()
vh = ValidationHandler()
if same_user is True:
(ok, opt) = vh.checkUserPass(user, passw)
c.audit['success'] = ok
if ok:
## if the user authenticated successfully we need to set the cookie aka
## the ticket and we need to remember this ticket.
user = "******" % (user.login, c.audit['realm'])
log.debug("[check] user=%s" % user)
token = self.storage.set_user_token(user,
expire=self.COOKIE_EXPIRE)
log.debug("[check] token=%s" % token)
cookie = "%s:%s" % (user, token)
log.debug("[check] cookie=%s" % cookie)
response.set_cookie(COOKIE_NAME,
cookie,
max_age=self.COOKIE_EXPIRE)
else:
message = "Your login attempt was not successful!"
Session.commit()
# Only if we logged in successfully we redirect to the original
# page (Servive Provider). Otherwise we will redirect to the
# status page
p = {}
redirect_to = getParam(param, "redirect_to", optional)
if redirect_to and ok:
p = {}
for k in [
'openid.return_to', "openid.realm", "openid.ns",
"openid.claimed_id", "openid.mode", "openid.identity"
]:
p[k] = param[k]
else:
if message is not None:
p["message"] = message
redirect_to = "/openid/status"
do_redirect = url(str("%s?%s" % (redirect_to, urlencode(p))))
except Exception as exx:
log.exception("[check] openid/check failed: %r" % exx)
Session.rollback()
return sendError(response, "openid/check failed: %r" % exx, 0)
finally:
Session.close()
log.debug('[check] done')
if do_redirect:
log.debug("[check] now redirecting to %s" % do_redirect)
redirect(do_redirect)
def reject_transaction(self):
"""
rejects a transaction.
needs the mandatory url query parameters:
* transactionid: unique id for the transaction
* signature: signature for the rejection
"""
try:
param = self.request_params.copy()
# -------------------------------------------------------------- --
# check the parameters
if 'signature' not in param:
raise ParameterError("Missing parameter: 'signature'!")
if 'transactionid' not in param:
raise ParameterError("Missing parameter: 'transactionid'!")
# -------------------------------------------------------------- --
# start the processing
passw = {'reject': param['signature']}
transid = param['transactionid']
vh = ValidationHandler()
ok, _opt = vh.check_by_transactionid(transid=transid,
passw=passw,
options=param)
# -------------------------------------------------------------- --
# finish the result
if 'serial' in _opt:
c.audit['serial'] = _opt['serial']
if 'token_type' in _opt:
c.audit['token_type'] = _opt['token_type']
c.audit['info'] = 'reject transaction: %r' % ok
c.audit['success'] = ok
Session.commit()
return sendResult(response, ok)
except Exception as exx:
log.exception("validate/reject_transaction failed: %r" % exx)
c.audit['info'] = "%r" % exx
Session.rollback()
return sendResult(response, False, 0)
finally:
Session.close()
def check_s(self):
'''
This function is used to validate the serial and the otp value/password.
method:
validate/check_s
arguments:
* serial: the serial number of the token
* pass: the password that consists of a possible fixes password component
and the OTP value
returns:
JSON response
'''
param = {}
param.update(request.params)
options = {}
options.update(param)
for k in ['user', 'serial', "pass", "init"]:
if k in options:
del options[k]
if 'init' in param:
if isSelfTest() is True:
options['initTime'] = param.get('init')
try:
passw = getParam(param, "pass", optional)
serial = getParam(param, 'serial', optional)
if serial is None:
user = getParam(param, 'user', optional)
if user is not None:
user = getUserFromParam(param, optional)
toks = getTokens4UserOrSerial(user=user)
if len(toks) == 0:
raise Exception("No token found!")
elif len(toks) > 1:
raise Exception("More than one token found!")
else:
tok = toks[0].token
desc = tok.get()
realms = desc.get('LinOtp.RealmNames')
if realms is None or len(realms) == 0:
realm = getDefaultRealm()
elif len(realms) > 0:
realm = realms[0]
userInfo = getUserInfo(tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass)
user = User(login=userInfo.get('username'), realm=realm)
serial = tok.getSerial()
c.audit['serial'] = serial
if isSelfTest() is True:
initTime = getParam(param, "init", optional)
if initTime is not None:
if options is None:
options = {}
options['initTime'] = initTime
options['scope'] = {"check_s": True}
vh = ValidationHandler()
(ok, opt) = vh.checkSerialPass(serial, passw, options=options)
c.audit['success'] = ok
Session.commit()
qr = param.get('qr', None)
if qr and opt and 'message' in opt:
try:
dataobj = opt.get('message')
param['alt'] = "%s" % opt
if 'transactionid' in opt:
param['transactionid'] = opt['transactionid']
return sendQRImageResult(response, dataobj, param)
except Exception as exc:
log.warning("failed to send QRImage: %r " % exc)
return sendQRImageResult(response, opt, param)
else:
return sendResult(response, ok, 0, opt=opt)
except Exception as exx:
log.exception("[check_s] validate/check_s failed: %r" % exx)
c.audit['info'] = unicode(exx)
Session.rollback()
return sendResult(response, False, id=0, status=False)
finally:
Session.close()
log.debug('[check_s] done')
def _check(self, param):
"""
basic check function, that can be used by different controllers
:param param: dict of all caller parameters
:type param: dict
:return: Tuple of True or False and opt
:rtype: Tuple(boolean, opt)
"""
opt = None
options = {}
# put everything in the options but the user, pass, init
options.update(param)
for para in ["pass", "user", "init"]:
if para in options:
del options[para]
passw = param.get("pass")
user = getUserFromParam(param)
# support for challenge verification
challenge = param.get("challenge")
if challenge is not None:
options = {}
options["challenge"] = challenge
g.audit["user"] = user.login
realm = user.realm or getDefaultRealm()
g.audit["realm"] = realm
# AUTHORIZATION Pre Check
# we need to overwrite the user.realm in case the
# user does not exist in the original realm (setrealm-policy)
user.realm = set_realm(user.login, realm, exception=True)
check_user_authorization(user.login, user.realm, exception=True)
vh = ValidationHandler()
(ok, opt) = vh.checkUserPass(user, passw, options=options)
g.audit.update(request_context.get("audit", {}))
g.audit["success"] = ok
if ok:
# AUTHORIZATION post check
check_auth_tokentype(g.audit["serial"], exception=True, user=user)
check_auth_serial(g.audit["serial"], exception=True, user=user)
# add additional details
if is_auth_return(ok, user=user):
if opt is None:
opt = {}
if ok:
opt["realm"] = g.audit.get("realm")
opt["user"] = g.audit.get("user")
opt["tokentype"] = g.audit.get("token_type")
opt["serial"] = g.audit.get("serial")
else:
opt["error"] = g.audit.get("action_detail")
return (ok, opt)
def _check(self, param):
'''
basic check function, that can be used by different controllers
:param param: dict of all caller parameters
:type param: dict
:return: Tuple of True or False and opt
:rtype: Tuple(boolean, opt)
'''
opt = None
options = {}
## put everythin in the options but the user, pass, init
options.update(param)
for para in ["pass", "user", "init"]:
if options.has_key(para):
del options[para]
passw = getParam(param, "pass", optional)
user = getUserFromParam(param, optional)
# support for ocra application challenge verification
challenge = getParam(param, "challenge", optional)
if challenge is not None:
options = {}
options['challenge'] = challenge
c.audit['user'] = user.login
realm = user.realm or getDefaultRealm()
c.audit['realm'] = realm
# AUTHORIZATION Pre Check
# we need to overwrite the user.realm in case the user does not exist in the original realm (setrealm-policy)
user.realm = set_realm(user.login, realm, exception=True)
check_user_authorization(user.login, user.realm, exception=True)
if isSelfTest() is True:
initTime = getParam(param, "init", optional)
if initTime is not None:
if options is None:
options = {}
options['initTime'] = initTime
vh = ValidationHandler()
(ok, opt) = vh.checkUserPass(user, passw, options=options)
c.audit.update(request_context.get('audit'))
c.audit['success'] = ok
if ok:
# AUTHORIZATION post check
check_auth_tokentype(c.audit['serial'], exception=True, user=user)
check_auth_serial(c.audit['serial'], exception=True, user=user)
# add additional details
if is_auth_return(ok, user=user):
if opt is None:
opt = {}
if ok:
opt['realm'] = c.audit.get('realm')
opt['user'] = c.audit.get('user')
opt['tokentype'] = c.audit.get('token_type')
opt['serial'] = c.audit.get('serial')
else:
opt['error'] = c.audit.get('action_detail')
return (ok, opt)
def check_s(self):
"""
This function is used to validate the serial and the otp value/password.
If the otppin policy is set, the endpoint /validate/check_s does not work.
method:
validate/check_s
arguments:
* serial: the serial number of the token
* pass: the password that consists of a possible fixes password component
and the OTP value
returns:
JSON response
"""
param = self.request_params
options = {}
options.update(param)
for k in ["user", "serial", "pass", "init"]:
if k in options:
del options[k]
try:
passw = param.get("pass")
serial = param.get("serial")
if serial is None:
user = param.get("user")
if user is not None:
user = getUserFromParam(param)
toks = getTokens4UserOrSerial(user=user)
if len(toks) == 0:
raise Exception("No token found!")
elif len(toks) > 1:
raise Exception("More than one token found!")
else:
tok = toks[0].token
desc = tok.get()
realms = desc.get("LinOtp.RealmNames")
if realms is None or len(realms) == 0:
realm = getDefaultRealm()
elif len(realms) > 0:
realm = realms[0]
userInfo = getUserInfo(
tok.LinOtpUserid,
tok.LinOtpIdResolver,
tok.LinOtpIdResClass,
)
user = User(
login=userInfo.get("username"), realm=realm
)
serial = tok.getSerial()
g.audit["serial"] = serial
options["scope"] = {"check_s": True}
vh = ValidationHandler()
(ok, opt) = vh.checkSerialPass(serial, passw, options=options)
g.audit["success"] = ok
db.session.commit()
qr = param.get("qr", None)
if qr and opt and "message" in opt:
try:
dataobj = opt.get("message")
param["alt"] = "%s" % opt
if "transactionid" in opt:
param["transactionid"] = opt["transactionid"]
return sendQRImageResult(response, dataobj, param)
except Exception as exc:
log.warning("failed to send QRImage: %r ", exc)
return sendQRImageResult(response, opt, param)
else:
return sendResult(response, ok, 0, opt=opt)
except Exception as exx:
log.error("[check_s] validate/check_s failed: %r", exx)
g.audit["info"] = str(exx)
db.session.rollback()
return sendResult(response, False, id=0, status=False)
def check_t(self):
param = {}
value = {}
ok = False
opt = None
try:
param.update(request.params)
passw = getParam(param, "pass", required)
transid = param.get('state', None)
if transid is not None:
param['transactionid'] = transid
del param['state']
if transid is None:
transid = param.get('transactionid', None)
if transid is None:
raise Exception("missing parameter: state or transactionid!")
serial = get_tokenserial_of_transaction(transId=transid)
if serial is None:
value['value'] = False
value['failure'] = 'No challenge for transaction %r found'\
% transid
else:
param['serial'] = serial
tokens = getTokens4UserOrSerial(serial=serial)
if len(tokens) == 0 or len(tokens) > 1:
raise Exception('tokenmismatch for token serial: %s'
% (unicode(serial)))
theToken = tokens[0]
tok = theToken.token
realms = tok.getRealmNames()
if realms is None or len(realms) == 0:
realm = getDefaultRealm()
elif len(realms) > 0:
realm = realms[0]
userInfo = getUserInfo(tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass)
user = User(login=userInfo.get('username'), realm=realm)
vh = ValidationHandler()
(ok, opt) = vh.checkSerialPass(
serial, passw, user=user, options=param)
value['value'] = ok
failcount = theToken.getFailCount()
value['failcount'] = int(failcount)
c.audit['success'] = ok
#c.audit['info'] += "%s=%s, " % (k, value)
Session.commit()
qr = param.get('qr', None)
if qr and opt and 'message' in opt:
try:
dataobj = opt.get('message')
param['alt'] = "%s" % opt
if 'transactionid' in opt:
param['transactionid'] = opt['transactionid']
return sendQRImageResult(response, dataobj, param)
except Exception as exc:
log.warning("failed to send QRImage: %r " % exc)
return sendQRImageResult(response, opt, param)
else:
return sendResult(response, value, 1, opt=opt)
except Exception as exx:
log.exception("[check_t] validate/check_t failed: %r" % exx)
c.audit['info'] = unicode(exx)
Session.rollback()
return sendResult(response, False, 0)
finally:
Session.close()
log.debug('[check_t] done')
def _check(self, param):
'''
basic check function, that can be used by different controllers
:param param: dict of all caller parameters
:type param: dict
:return: Tuple of True or False and opt
:rtype: Tuple(boolean, opt)
'''
opt = None
options = {}
# put everything in the options but the user, pass, init
options.update(param)
for para in ["pass", "user", "init"]:
if options.has_key(para):
del options[para]
passw = param.get("pass")
user = getUserFromParam(param)
# support for ocra application challenge verification
challenge = param.get("challenge")
if challenge is not None:
options = {}
options['challenge'] = challenge
c.audit['user'] = user.login
realm = user.realm or getDefaultRealm()
c.audit['realm'] = realm
# AUTHORIZATION Pre Check
# we need to overwrite the user.realm in case the
# user does not exist in the original realm (setrealm-policy)
user.realm = set_realm(user.login, realm, exception=True)
check_user_authorization(user.login, user.realm, exception=True)
if isSelfTest() is True:
initTime = param.get("init")
if initTime is not None:
if options is None:
options = {}
options['initTime'] = initTime
vh = ValidationHandler()
(ok, opt) = vh.checkUserPass(user, passw, options=options)
c.audit.update(request_context.get('audit'))
c.audit['success'] = ok
if ok:
# AUTHORIZATION post check
check_auth_tokentype(c.audit['serial'], exception=True, user=user)
check_auth_serial(c.audit['serial'], exception=True, user=user)
# add additional details
if is_auth_return(ok, user=user):
if opt is None:
opt = {}
if ok:
opt['realm'] = c.audit.get('realm')
opt['user'] = c.audit.get('user')
opt['tokentype'] = c.audit.get('token_type')
opt['serial'] = c.audit.get('serial')
else:
opt['error'] = c.audit.get('action_detail')
return (ok, opt)
def check_status(self):
"""
check the status of a transaction - for polling support
"""
try:
param = self.request_params
#
# we require either state or transactionid as parameter
transid = param.get("state", param.get("transactionid", None))
if not transid:
raise ParameterError(
_(
'Missing required parameter "state" or '
'"transactionid"!'
)
)
#
# serial is an optional parameter
serial = param.get("serial", None)
# user is an optional parameter:
# if no 'user' in the parameters, the User object will be empty
user = getUserFromParam(param)
passw = param.get("pass")
if passw is None:
raise ParameterError(_('Missing required parameter "pass"!'))
use_offline = param.get("use_offline", False)
va = ValidationHandler()
ok, opt = va.check_status(
transid=transid,
user=user,
serial=serial,
password=passw,
use_offline=use_offline,
)
serials = []
types = []
owner = None
challenges = Challenges.lookup_challenges(transid=transid)
for ch in challenges:
tokens = getTokens4UserOrSerial(serial=ch.getTokenSerial())
if not tokens:
continue
for token in tokens:
serials.append(token.getSerial())
types.append(token.getType())
if not owner:
owner = get_token_owner(token)
if owner:
g.audit["user"] = g.audit["user"] or owner.login
g.audit["realm"] = g.audit["realm"] or owner.realm
g.audit["serial"] = " ".join(serials)
g.audit["token_type"] = " ".join(types)
g.audit["success"] = ok
g.audit["info"] = str(opt)
db.session.commit()
return sendResult(response, ok, 0, opt=opt)
except Exception as exx:
log.error("check_status failed: %r", exx)
g.audit["info"] = str(exx)
db.session.rollback()
return sendResult(response, False, 0)
def check_t(self):
"""
method:
ocra/check_t
description:
verify the response of the ocra token
arguments:
* transactionid: (required - string)
Dies ist eine Transaktions-ID, die bei der Challenge ausgegeben wurde.
* pass: (required - string)
die response, die der OCRA Token auf Grund der Challenge berechnet hat
returns:
A JSON response::
{
"version": "LinOTP 2.4",
"jsonrpc": "2.0",
"result": {
"status": true,
"value": {
"failcount" : 3,
"result": false
}
},
"id": 0
}
exception:
"""
res = {}
description = 'ocra/check_t: validate a token request.'
try:
param = getLowerParams(request.params)
log.info("[check_t] check OCRA token: %r" % param)
#checkPolicyPre('ocra', "check_t")
passw = getParam(param, 'pass' , optional)
if passw is None:
## raise exception'''
log.exception("[check_t] missing pass ")
raise ParameterError("Usage: %s Missing parameter 'pass'." % description, id=77)
transid = getParam(param, 'transactionid', optional)
if transid is None:
## raise exception'''
log.exception("[check_t] missing transactionid, user or serial number of token")
raise ParameterError("Usage: %s Missing parameter 'transactionid'." % description, id=77)
## if we have a transaction, get serial from this challenge
value = {}
ocraChallenge = OcraTokenClass.getTransaction(transid)
if ocraChallenge is not None:
serial = ocraChallenge.tokenserial
tokens = getTokens4UserOrSerial(serial=serial)
if len(tokens) == 0 or len(tokens) > 1:
raise Exception('tokenmismatch for token serial: %s'
% (unicode(serial)))
theToken = tokens[0]
tok = theToken.token
desc = tok.get()
realms = desc.get('LinOtp.RealmNames')
if realms is None or len(realms) == 0:
realm = getDefaultRealm()
elif len(realms) > 0:
realm = realms[0]
userInfo = getUserInfo(tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass)
user = User(login=userInfo.get('username'), realm=realm)
vh = ValidationHandler()
(ok, opt) = vh.checkSerialPass(serial, passw, user=user,
options={'transactionid': transid})
failcount = theToken.getFailCount()
value['result'] = ok
value['failcount'] = int(failcount)
else:
## no challenge found for this transid
value['result'] = False
value['failure'] = 'No challenge for transaction %r found'\
% transid
c.audit['success'] = res
#c.audit['info'] += "%s=%s, " % (k, value)
Session.commit()
return sendResult(response, value, 1)
except Exception as e :
log.exception("[check_t] failed: %r" % e)
Session.rollback()
return sendResult(response, unicode(e), 0)
finally:
Session.close()
log.debug("[check_t] done")
def check(self):
'''
This function is used to login
method:
openid/check
arguments:
user - user to login
realm - in which realm the user should login
pass - password
returns:
JSON response
'''
ok = False
param = {}
do_redirect = None
message = None
try:
param.update(request.params)
same_user = True
passw = getParam(param, "pass", optional)
## getUserFromParam will return default realm if no realm is
## provided via @ append or extra parameter realm
## if the provided realm does not exist, the realm is left empty
user = getUserFromParam(param, optional)
## if the requested user has a realm specified (via @realm append)
## and this is not the same as the user from getUserFromParam
## the requested user is not a valid one!
p_user = param.get('user', '')
if "@" in p_user:
if p_user != "%s@%s" % (user.login, user.realm):
same_user = False
c.audit['user'] = user.login
c.audit['realm'] = user.realm or getDefaultRealm()
vh = ValidationHandler()
if same_user is True:
(ok, opt) = vh.checkUserPass(user, passw)
c.audit['success'] = ok
if ok:
## if the user authenticated successfully we need to set the cookie aka
## the ticket and we need to remember this ticket.
user = "******" % (user.login, c.audit['realm'])
log.debug("[check] user=%s" % user)
token = self.storage.set_user_token(user, expire=self.COOKIE_EXPIRE)
log.debug("[check] token=%s" % token)
cookie = "%s:%s" % (user, token)
log.debug("[check] cookie=%s" % cookie)
response.set_cookie(COOKIE_NAME, cookie, max_age=self.COOKIE_EXPIRE)
else:
message = "Your login attempt was not successful!"
Session.commit()
# Only if we logged in successfully we redirect to the original
# page (Servive Provider). Otherwise we will redirect to the
# status page
p = {}
redirect_to = getParam(param, "redirect_to", optional)
if redirect_to and ok:
p = {}
for k in [ 'openid.return_to', "openid.realm", "openid.ns", "openid.claimed_id", "openid.mode",
"openid.identity" ]:
p[k] = param[k]
else:
if message is not None:
p["message"] = message
redirect_to = "/openid/status"
do_redirect = url(str("%s?%s" % (redirect_to, urlencode(p))))
except Exception as exx:
log.exception("[check] openid/check failed: %r" % exx)
Session.rollback()
return sendError(response, "openid/check failed: %r" % exx, 0)
finally:
Session.close()
log.debug('[check] done')
if do_redirect:
log.debug("[check] now redirecting to %s" % do_redirect)
redirect(do_redirect)
def check_t(self):
"""
method:
ocra/check_t
description:
verify the response of the ocra token
arguments:
* transactionid: (required - string)
Dies ist eine Transaktions-ID, die bei der Challenge
ausgegeben wurde.
* pass: (required - string)
die response, die der OCRA Token auf Grund der Challenge
berechnet hat
returns:
A JSON response::
{
"version": "LinOTP 2.4",
"jsonrpc": "2.0",
"result": {
"status": true,
"value": {
"failcount" : 3,
"result": false
}
},
"id": 0
}
exception:
"""
res = {}
description = 'ocra/check_t: validate a token request.'
try:
param = getLowerParams(request.params)
log.info("[check_t] check OCRA token: %r" % param)
# TODO: checkPolicyPre('ocra', "check_t")
passw = param.get('pass')
if passw is None:
# raise exception'''
log.exception("[check_t] missing pass ")
raise ParameterError("Usage: %s Missing parameter "
"'pass'." % description, id=77)
transid = param.get('transactionid')
if not transid:
# raise exception
log.exception("[check_t] missing transactionid, user or "
"serial number of token")
raise ParameterError("Usage: %s Missing parameter "
"'transactionid'." % description, id=77)
# if we have a transaction, get serial from this challenge
value = {}
ocraChallenge = OcraTokenClass.getTransaction(transid)
if ocraChallenge is not None:
serial = ocraChallenge.tokenserial
tokens = getTokens4UserOrSerial(serial=serial)
if len(tokens) == 0 or len(tokens) > 1:
raise Exception('tokenmismatch for token serial: %s'
% (unicode(serial)))
theToken = tokens[0]
tok = theToken.token
desc = tok.get()
realms = desc.get('LinOtp.RealmNames')
if realms is None or len(realms) == 0:
realm = getDefaultRealm()
elif len(realms) > 0:
realm = realms[0]
userInfo = getUserInfo(tok.LinOtpUserid,
tok.LinOtpIdResolver,
tok.LinOtpIdResClass)
user = User(login=userInfo.get('username'), realm=realm)
vh = ValidationHandler()
(ok, _opt) = vh.checkSerialPass(
serial,
passw,
user=user,
options={'transactionid': transid})
failcount = theToken.getFailCount()
value['result'] = ok
value['failcount'] = int(failcount)
else:
# no challenge found for this transid
value['result'] = False
value['failure'] = ('No challenge for transaction %r found'
% transid)
c.audit['success'] = res
Session.commit()
return sendResult(response, value, 1)
except Exception as exx:
log.exception("[check_t] failed: %r", exx)
Session.rollback()
return sendResult(response, unicode(exx), 0)
finally:
Session.close()
def check_s(self):
'''
This function is used to validate the serial and the otp value/password.
method:
validate/check_s
arguments:
* serial: the serial number of the token
* pass: the password that consists of a possible fixes password component
and the OTP value
returns:
JSON response
'''
param = self.request_params
options = {}
options.update(param)
for k in ['user', 'serial', "pass", "init"]:
if k in options:
del options[k]
if 'init' in param:
if isSelfTest() is True:
options['initTime'] = param.get('init')
try:
passw = param.get("pass")
serial = param.get('serial')
if serial is None:
user = param.get('user')
if user is not None:
user = getUserFromParam(param)
toks = getTokens4UserOrSerial(user=user)
if len(toks) == 0:
raise Exception("No token found!")
elif len(toks) > 1:
raise Exception("More than one token found!")
else:
tok = toks[0].token
desc = tok.get()
realms = desc.get('LinOtp.RealmNames')
if realms is None or len(realms) == 0:
realm = getDefaultRealm()
elif len(realms) > 0:
realm = realms[0]
userInfo = getUserInfo(tok.LinOtpUserid,
tok.LinOtpIdResolver,
tok.LinOtpIdResClass)
user = User(login=userInfo.get('username'),
realm=realm)
serial = tok.getSerial()
c.audit['serial'] = serial
if isSelfTest() is True:
initTime = param.get("init")
if initTime is not None:
if options is None:
options = {}
options['initTime'] = initTime
options['scope'] = {"check_s": True}
vh = ValidationHandler()
(ok, opt) = vh.checkSerialPass(serial, passw, options=options)
c.audit['success'] = ok
Session.commit()
qr = param.get('qr', None)
if qr and opt and 'message' in opt:
try:
dataobj = opt.get('message')
param['alt'] = "%s" % opt
if 'transactionid' in opt:
param['transactionid'] = opt['transactionid']
return sendQRImageResult(response, dataobj, param)
except Exception as exc:
log.warning("failed to send QRImage: %r " % exc)
return sendQRImageResult(response, opt, param)
else:
return sendResult(response, ok, 0, opt=opt)
except Exception as exx:
log.exception("[check_s] validate/check_s failed: %r" % exx)
c.audit['info'] = unicode(exx)
Session.rollback()
return sendResult(response, False, id=0, status=False)
finally:
Session.close()
def confirm_transaction(self):
"""
verfiy the transaction
- the next verification step in a multifactor authentication.
* param action: accept or deny
* param signature: signature of the accepted or denied
transaction
* param: transactionid * : the continuation id of the authorisation /
authentication processing
"""
try:
param = {}
param.update(request.params)
# -------------------------------------------------------------- --
# check the parameters
if 'signature' not in param:
raise ParameterError("Missing parameter: 'signature'!")
if 'transactionid' not in param:
raise ParameterError("Missing parameter: 'transactionid'!")
if 'action' not in param:
raise ParameterError("Missing parameter: 'action'!")
if param['action'] not in ['accept', 'reject']:
raise ParameterError("Missing action parameter value:"
" 'accept' or 'reject'!")
# -------------------------------------------------------------- --
# start the processing
action = param['action']
passw = {action: param['signature']}
transid = param['transactionid']
vh = ValidationHandler()
ok, _opt = vh.check_by_transactionid(transid=transid,
passw=passw,
options=param)
# -------------------------------------------------------------- --
# finish the result
value = {action: ok}
c.audit['info'] = '%s transaction: %r' % (action, ok)
c.audit['success'] = ok
Session.commit()
return sendResult(response, value)
except Exception as exx:
log.exception("validate/check_transaction failed: %r" % exx)
c.audit['info'] = "%r" % exx
Session.rollback()
return sendResult(response, False, 0)
finally:
Session.close()
