Example #1
0
def get_context(config, user, client):
    """
    get the user dependend rendering context

    :param user: the selfservice auth user
    :param realm: the selfservice realm
    :param client: the selfservice client info - required for pre_context
    :return: context dict, with all rendering attributes

    """
    context = get_pre_context(client)

    context["user"] = get_userinfo(user)
    context["imprint"] = get_imprint(user.realm)
    context["tokenArray"] = getTokenForUser(user)

    context["actions"] = list()
    for policy in getSelfserviceActions(user):
        if "=" not in policy:
            context["actions"].append(policy.strip())
        else:
            (name, val) = policy.split('=')
            name = name.strip()
            val = val.strip()
            # try if settings value is a simple numeric
            try:
                val = int(val)
            except ValueError:
                pass

            context["settings"][name] = val

    return context
Example #2
0
    def webprovisiongoogletoken(self):
        '''
        This is the form for an google token to do web provisioning.
        '''
        try:
            c.actions = getSelfserviceActions(self.authUser)
            return render('/selfservice/webprovisiongoogle.mako')

        except Exception as exx:
            log.exception("[webprovisiongoogletoken] failed with error: %r" %
                          exx)
            return sendError(response, exx)
Example #3
0
    def webprovisiongoogletoken(self):
        '''
        This is the form for an google token to do web provisioning.
        '''
        try:
            c.actions = getSelfserviceActions(self.authUser)
            return render('/selfservice/webprovisiongoogle.mako')
        except Exception as exx:
            log.error("[webprovisiongoogletoken] failed with error: %r" % exx)
            log.error("[webprovisiongoogletoken] %s" % traceback.format_exc())
            return sendError(response, exx)

        finally:
            log.debug('[webprovisiongoogletoken] done')
Example #4
0
    def webprovisiongoogletoken(self):
        '''
        This is the form for an google token to do web provisioning.
        '''
        try:
            c.actions = getSelfserviceActions(self.authUser,
                                              context=self.request_context)
            return render('/selfservice/webprovisiongoogle.mako')

        except Exception as exx:
            log.exception("[webprovisiongoogletoken] failed with error: %r" % exx)
            return sendError(response, exx)

        finally:
            log.debug('[webprovisiongoogletoken] done')
Example #5
0
    def webprovisiongoogletoken(self):
        '''
        This is the form for an google token to do web provisioning.
        '''
        try:
            c.actions = getSelfserviceActions(self.authUser,
                                              context=self.request_context)
            return render('/selfservice/webprovisiongoogle.mako')

        except Exception as exx:
            log.exception("[webprovisiongoogletoken] failed with error: %r" %
                          exx)
            return sendError(response, exx)

        finally:
            log.debug('[webprovisiongoogletoken] done')
Example #6
0
def get_context(config, user, realm, client):
    """
    get the user dependend rendering context

    :param user: the selfservice user
    :param realm: the selfservice realm
    :param client: the selfservice client info - required for pre_context
    :return: context dict, with all rendering attributes

    """

    req_context = get_pre_context(client)

    req_context["user"] = user
    req_context["realm"] = realm
    authUser = User(user, realm)
    req_context["imprint"] = get_imprint(req_context["realm"])
    req_context["tokenArray"] = getTokenForUser(authUser)

    # show the defined actions, which have a rendering
    actions = getSelfserviceActions(authUser)
    req_context["actions"] = actions
    for policy in actions:
        if "=" in policy:
            (name, val) = policy.split('=')
            val = val.strip()
            # try if val is a simple numeric -
            # w.r.t. javascript evaluation
            try:
                nval = int(val)
            except:
                nval = val
            req_context[name.strip()] = nval

    req_context["dynamic_actions"] = add_dynamic_selfservice_enrollment(
        config, actions)

    # TODO: to establish all token local defined policies
    additional_policies = add_dynamic_selfservice_policies(config, actions)
    for policy in additional_policies:
        req_context[policy] = -1

    # TODO: add_local_policies() currently not implemented!!
    req_context["otplen"] = -1
    req_context["totp_len"] = -1

    return req_context
Example #7
0
def get_context(config, user, realm, client):
    """
    get the user dependend rendering context

    :param user: the selfservice user
    :param realm: the selfservice realm
    :param client: the selfservice client info - required for pre_context
    :return: context dict, with all rendering attributes

    """


    context = get_pre_context(client)

    context["user"] = user
    context["realm"] = realm
    authUser = User(user, realm)
    context["imprint"] = get_imprint(context["realm"])
    context["tokenArray"] = getTokenForUser(authUser)

    # show the defined actions, which have a rendering
    actions = getSelfserviceActions(authUser)
    context["actions"] = actions
    for policy in actions:
        if "=" in policy:
            (name, val) = policy.split('=')
            val = val.strip()
            # try if val is a simple numeric -
            # w.r.t. javascript evaluation
            try:
                nval = int(val)
            except:
                nval = val
            context[name.strip()] = nval

    context["dynamic_actions"] = add_dynamic_selfservice_enrollment(config, actions)

    # TODO: to establish all token local defined policies
    additional_policies = add_dynamic_selfservice_policies(config, actions)
    for policy in additional_policies:
        context[policy] = -1

    # TODO: add_local_policies() currently not implemented!!
    context["otplen"] = -1
    context["totp_len"] = -1

    return context
Example #8
0
    def __before__(self, action):
        '''
        This is the authentication to self service
        If you want to do ANYTHING with selfservice, you need to be
        authenticated.  The _before_ is executed before any other function
        in this controller.
        '''

        try:

            param = request.params

            audit.initialize()
            c.audit['success'] = False
            c.audit['client'] = get_client(request)

            c.version = get_version()
            c.licenseinfo = get_copyright_info()

            self.request_context['Audit'] = audit

            (auth_type, auth_user) = get_auth_user(request)

            if not auth_user or auth_type not in ['repoze', 'selftest']:
                abort(401, "You are not authenticated")

            (c.user, _foo, c.realm) = auth_user.rpartition('@')
            self.authUser = User(c.user, c.realm, '')

            if auth_type == "repoze":
                # checking the session
                if (False == check_selfservice_session(request,
                                                       request.url,
                                                       request.path,
                                                       request.cookies,
                                                       request.params
                                                       )):
                    c.audit['action'] = request.path[1:]
                    c.audit['info'] = "session expired"
                    audit.log(c.audit)
                    abort(401, "No valid session")

            c.imprint = get_imprint(c.realm)

            c.tokenArray = []

            c.user = self.authUser.login
            c.realm = self.authUser.realm
            c.tokenArray = getTokenForUser(self.authUser)

            # only the defined actions should be displayed
            # - remark: the generic actions like enrollTT are allready approved
            #   to have a rendering section and included
            actions = getSelfserviceActions(self.authUser,
                                            context=self.request_context)
            c.actions = actions
            for policy in actions:
                if "=" in policy:
                    (name, val) = policy.split('=')
                    val = val.strip()
                    # try if val is a simple numeric -
                    # w.r.t. javascript evaluation
                    try:
                        nval = int(val)
                    except:
                        nval = val
                    c.__setattr__(name.strip(), nval)

            c.dynamic_actions = add_dynamic_selfservice_enrollment(config,
                                                                   c.actions)

            # we require to establish all token local defined
            # policies to be initialiezd
            additional_policies = add_dynamic_selfservice_policies(config,
                                                                   actions)
            for policy in additional_policies:
                c.__setattr__(policy, -1)

            c.otplen = -1
            c.totp_len = -1


            return response

        except webob.exc.HTTPUnauthorized as acc:
            # the exception, when an abort() is called if forwarded
            log.info("[__before__::%r] webob.exception %r" % (action, acc))
            log.info("[__before__] %s" % traceback.format_exc())
            Session.rollback()
            Session.close()
            raise acc

        except Exception as e:
            log.exception("[__before__] failed with error: %r" % e)
            Session.rollback()
            Session.close()
            return sendError(response, e, context='before')

        finally:
            log.debug('[__after__] done')
Example #9
0
    def __before__(self, action):
        '''
        This is the authentication to self service. If you want to do
        ANYTHING with the selfservice, you need to be authenticated. The
        _before_ is executed before any other function in this controller.
        '''

        self.redirect = None

        try:
            c.version = get_version()
            c.licenseinfo = get_copyright_info()

            c.audit = request_context['audit']
            c.audit['success'] = False
            self.client = get_client(request)
            c.audit['client'] = self.client

            request_context['Audit'] = audit

            # -------------------------------------------------------------- --

            # handle requests which dont require authetication

            if action in ['logout', 'custom_style']:
                return

            # -------------------------------------------------------------- --

            # get the authenticated user

            auth_type, auth_user, auth_state = get_auth_user(request)

            # -------------------------------------------------------------- --

            # handle not authenticated requests

            if not auth_user or auth_type not in ['user_selfservice']:

                if action in ['login']:
                    return

                if action in ['index']:
                    self.redirect = True
                    redirect(url(controller='selfservice', action='login'))

                else:
                    abort(403, "No valid session")

            # -------------------------------------------------------------- --

            # handle authenticated requests

            # there is only one special case, which is the login that
            # could be forwarded to the index page

            if action in ['login']:
                if auth_state != 'authenticated':
                    return

                self.redirect = True
                redirect(url(controller='selfservice', action='index'))

            # -------------------------------------------------------------- --

            # in case of user_selfservice, an unauthenticated request should always go to login
            if auth_user and auth_type is 'user_selfservice' \
                    and auth_state is not 'authenticated':
                self.redirect = True
                redirect(url(controller='selfservice', action='login'))

            # futher processing with the authenticated user

            if auth_state != 'authenticated':
                abort(403, "No valid session")

            c.user = auth_user.login
            c.realm = auth_user.realm
            self.authUser = auth_user

            # -------------------------------------------------------------- --

            # authenticated session verification

            if auth_type == 'user_selfservice':

                # checking the session only for not_form_access actions
                if action not in self.form_access_methods:

                    valid_session = check_session(request, auth_user,
                                                  self.client)

                    if not valid_session:
                        c.audit['action'] = request.path[1:]
                        c.audit['info'] = "session expired"
                        audit.log(c.audit)

                        abort(403, "No valid session")

            # -------------------------------------------------------------- --

            c.imprint = get_imprint(c.realm)

            c.tokenArray = []

            c.user = self.authUser.login
            c.realm = self.authUser.realm

            # only the defined actions should be displayed
            # - remark: the generic actions like enrollTT are allready approved
            #   to have a rendering section and included
            actions = getSelfserviceActions(self.authUser)
            c.actions = actions
            for policy in actions:
                if policy:
                    if "=" not in policy:
                        c.__setattr__(policy, -1)
                    else:
                        (name, val) = policy.split('=')
                        val = val.strip()
                        # try if val is a simple numeric -
                        # w.r.t. javascript evaluation
                        try:
                            nval = int(val)
                        except ValueError:
                            nval = val
                        c.__setattr__(name.strip(), nval)

            c.dynamic_actions = add_dynamic_selfservice_enrollment(
                config, c.actions)

            # we require to establish all token local defined
            # policies to be initialiezd
            additional_policies = add_dynamic_selfservice_policies(
                config, actions)
            for policy in additional_policies:
                c.__setattr__(policy, -1)

            c.otplen = -1
            c.totp_len = -1

            c.pin_policy = _get_auth_PinPolicy(user=self.authUser)

            return response

        except (webob.exc.HTTPUnauthorized, webob.exc.HTTPForbidden) as acc:
            # the exception, when an abort() is called if forwarded
            log.info("[__before__::%r] webob.exception %r" % (action, acc))
            Session.rollback()
            Session.close()
            raise acc

        except HTTPFound as exx:
            raise exx

        except Exception as e:
            log.exception("[__before__] failed with error: %r" % e)
            Session.rollback()
            Session.close()
            return sendError(response, e, context='before')
Example #10
0
    def __before__(self, action):
        '''
        This is the authentication to self service. If you want to do
        ANYTHING with the selfservice, you need to be authenticated. The
        _before_ is executed before any other function in this controller.
        '''

        try:
            c.audit = request_context['audit']
            c.audit['success'] = False
            c.audit['client'] = get_client(request)

            c.version = get_version()
            c.licenseinfo = get_copyright_info()

            request_context['Audit'] = audit

            (auth_type, auth_user) = get_auth_user(request)

            if not auth_user or auth_type not in ['repoze', 'selftest']:
                abort(401, "You are not authenticated")

            (c.user, _foo, c.realm) = auth_user.rpartition('@')
            self.authUser = User(c.user, c.realm, '')

            if auth_type == "repoze":
                # checking the session only for not_form_access actions
                if action not in self.form_access_methods:
                    call_url = "selfservice/%s" % action
                    valid_session = check_selfservice_session(
                        url=call_url,
                        cookies=request.cookies,
                        params=request.params)
                    if not valid_session:
                        c.audit['action'] = request.path[1:]
                        c.audit['info'] = "session expired"
                        audit.log(c.audit)
                        abort(401, "No valid session")

            c.imprint = get_imprint(c.realm)

            c.tokenArray = []

            c.user = self.authUser.login
            c.realm = self.authUser.realm

            # only the defined actions should be displayed
            # - remark: the generic actions like enrollTT are allready approved
            #   to have a rendering section and included
            actions = getSelfserviceActions(self.authUser)
            c.actions = actions
            for policy in actions:
                if policy:
                    if "=" not in policy:
                        c.__setattr__(policy, -1)
                    else:
                        (name, val) = policy.split('=')
                        val = val.strip()
                        # try if val is a simple numeric -
                        # w.r.t. javascript evaluation
                        try:
                            nval = int(val)
                        except:
                            nval = val
                        c.__setattr__(name.strip(), nval)

            c.dynamic_actions = add_dynamic_selfservice_enrollment(
                config, c.actions)

            # we require to establish all token local defined
            # policies to be initialiezd
            additional_policies = add_dynamic_selfservice_policies(
                config, actions)
            for policy in additional_policies:
                c.__setattr__(policy, -1)

            c.otplen = -1
            c.totp_len = -1

            return response

        except webob.exc.HTTPUnauthorized as acc:
            # the exception, when an abort() is called if forwarded
            log.info("[__before__::%r] webob.exception %r" % (action, acc))
            log.info("[__before__] %s" % traceback.format_exc())
            Session.rollback()
            Session.close()
            raise acc

        except Exception as e:
            log.exception("[__before__] failed with error: %r" % e)
            Session.rollback()
            Session.close()
            return sendError(response, e, context='before')

        finally:
            log.debug('[__after__] done')
Example #11
0
    def __before__(self, action):
        '''
        This is the authentication to self service
        If you want to do ANYTHING with selfservice, you need to be
        authenticated.  The _before_ is executed before any other function
        in this controller.
        '''

        try:

            param = request.params

            audit.initialize()
            c.audit['success'] = False
            c.audit['client'] = get_client()

            c.version = get_version()
            c.licenseinfo = get_copyright_info()
            if isSelfTest():
                log.debug("[__before__] Doing selftest!")
                uuser = getParam(param, "selftest_user", True)
                if uuser is not None:
                    (c.user, _foo, c.realm) = uuser.rpartition('@')
                else:
                    c.realm = ""
                    c.user = "******"
                    env = request.environ
                    uuser = env.get('REMOTE_USER')
                    if uuser is not None:
                        (c.user, _foo, c.realm) = uuser.rpartition('@')

                if c.user in ['--u--']:
                    abort(401, "No valid session")

                self.authUser = User(c.user, c.realm, '')
                log.debug("[__before__] authenticating as %s in realm %s!"
                          % (c.user, c.realm))
            else:
                identity = request.environ.get('repoze.who.identity')
                if identity is None:
                    abort(401, "You are not authenticated")

                log.debug("[__before__] doing getAuthFromIdentity in action %s"
                          % action)

                user_id = request.environ.get('repoze.who.identity')\
                                         .get('repoze.who.userid')
                if type(user_id) == unicode:
                    user_id = user_id.encode(ENCODING)
                identity = user_id.decode(ENCODING)
                log.debug("[__before__] getting identity from repoze.who: %r"
                           % identity)

                (c.user, _foo, c.realm) = identity.rpartition('@')
                self.authUser = User(c.user, c.realm, '')

                log.debug("[__before__] set the self.authUser to: %s, %s "
                          % (self.authUser.login, self.authUser.realm))
                log.debug('[__before__] param for action %s: %s'
                          % (action, param))

                # checking the session
                if (False == check_selfservice_session(request.url,
                                                       request.path,
                                                       request.cookies,
                                                       request.params
                                                       )):
                    c.audit['action'] = request.path[1:]
                    c.audit['info'] = "session expired"
                    audit.log(c.audit)
                    abort(401, "No valid session")

            c.imprint = get_imprint(c.realm)

            c.tokenArray = []

            c.user = self.authUser.login
            c.realm = self.authUser.realm

            c.tokenArray = getTokenForUser(self.authUser)

            # only the defined actions should be displayed
            # - remark: the generic actions like enrollTT are allready approved
            #   to have a rendering section and included
            actions = getSelfserviceActions(self.authUser)
            c.actions = actions
            for policy in actions:
                if "=" in policy:
                    (name, val) = policy.split('=')
                    val = val.strip()
                    # try if val is a simple numeric -
                    # w.r.t. javascript evaluation
                    try:
                        nval = int(val)
                    except:
                        nval = val
                    c.__setattr__(name.strip(), nval)

            c.dynamic_actions = add_dynamic_selfservice_enrollment(config,
                                                                   c.actions)

            # we require to establish all token local defined
            # policies to be initialiezd
            additional_policies = add_dynamic_selfservice_policies(config,
                                                                   actions)
            for policy in additional_policies:
                c.__setattr__(policy, -1)

            c.otplen = -1
            c.totp_len = -1

            return response

        except webob.exc.HTTPUnauthorized as acc:
            # the exception, when an abort() is called if forwarded
            log.info("[__before__::%r] webob.exception %r" % (action, acc))
            log.info("[__before__] %s" % traceback.format_exc())
            Session.rollback()
            Session.close()
            raise acc

        except Exception as e:
            log.error("[__before__] failed with error: %r" % e)
            log.error("[__before__] %s" % traceback.format_exc())
            Session.rollback()
            Session.close()
            return sendError(response, e, context='before')

        finally:
            log.debug('[__after__] done')
Example #12
0
    def __before__(self, action):
        '''
        This is the authentication to self service
        If you want to do ANYTHING with selfservice, you need to be
        authenticated.  The _before_ is executed before any other function
        in this controller.
        '''

        try:

            param = request.params

            audit.initialize()
            c.audit['success'] = False
            c.audit['client'] = get_client()


            c.version = get_version()
            c.licenseinfo = get_copyright_info()
            if isSelfTest():
                log.debug("[__before__] Doing selftest!")
                uuser = getParam(param, "selftest_user", True)
                if uuser is not None:
                    (c.user, _foo, c.realm) = uuser.rpartition('@')
                else:
                    c.realm = ""
                    c.user = "******"
                    env = request.environ
                    uuser = env.get('REMOTE_USER')
                    if uuser is not None:
                        (c.user, _foo, c.realm) = uuser.rpartition('@')

                self.authUser = User(c.user, c.realm, '')
                log.debug("[__before__] authenticating as %s in realm %s!" % (c.user, c.realm))
            else:
                # Use WebAuth instead of LinOTP auth.
                identity = request.environ.get('REMOTE_USER')
                if identity is None:
					abort(401, "You are not authenticated")

                c.user = identity

                # Put their current realm as the first one we find them in.
                # Doesn't really matter since tokens are realm-independent.
                realms = getAllUserRealms(User(identity, "", ""))
                if (realms):
                    c.realm = realms[0]

                self.authUser = User(c.user, c.realm, '')

                # Check token expiry.
            	age = int(request.environ.get('WEBAUTH_TOKEN_EXPIRATION')) - time.time()

                # Set selfservice cookie
            	response.set_cookie('linotp_selfservice', 'REMOTE_USER', max_age = int(age))

                # Set userservice auth cookie
                self.client = get_client()
                authcookie = create_auth_cookie(config, identity, self.client)
                response.set_cookie('userauthcookie', authcookie, max_age=360*24)

                log.debug("[__before__] set the self.authUser to: %s, %s " % (self.authUser.login, self.authUser.realm))
                log.debug('[__before__] param for action %s: %s' % (action, param))

                # checking the session
                if (False == check_selfservice_session(request.url,
                                                       request.path,
                                                       request.cookies,
                                                       request.params)):
                    c.audit['action'] = request.path[1:]
                    c.audit['info'] = "session expired"
                    audit.log(c.audit)
                    abort(401, "No valid session")

            c.imprint = get_imprint(c.realm)

            c.tokenArray = []

            c.user = self.authUser.login
            c.realm = self.authUser.realm
            c.tokenArray = getTokenForUser(self.authUser)

            # only the defined actions should be displayed
            # - remark: the generic actions like enrollTT are allready approved
            #   to have a rendering section and included
            actions = getSelfserviceActions(self.authUser)
            c.actions = actions
            for policy in actions:
                if "=" in policy:
                    (name, val) = policy.split('=')
                    val = val.strip()
                    # try if val is a simple numeric -
                    # w.r.t. javascript evaluation
                    try:
                        nval = int(val)
                    except:
                        nval = val
                    c.__setattr__(name.strip(), nval)

            c.dynamic_actions = add_dynamic_selfservice_enrollment(config,
                                                                   c.actions)

            # we require to establish all token local defined
            # policies to be initialiezd
            additional_policies = add_dynamic_selfservice_policies(config,
                                                                   actions)
            for policy in additional_policies:
                c.__setattr__(policy, -1)

            c.otplen = -1
            c.totp_len = -1

            return response

        except webob.exc.HTTPUnauthorized as acc:
            # the exception, when an abort() is called if forwarded
            log.info("[__before__::%r] webob.exception %r" % (action, acc))
            log.info("[__before__] %s" % traceback.format_exc())
            Session.rollback()
            Session.close()
            raise acc

        except Exception as e:
            log.error("[__before__] failed with error: %r" % e)
            log.error("[__before__] %s" % traceback.format_exc())
            Session.rollback()
            Session.close()
            return sendError(response, e, context='before')

        finally:
            log.debug('[__before__] done')