def test_getUserInfo_fallback(self, mock_lookup_user_in_resolver): """ verify that the fallback is an empty dict for - lookup result is None - no userid as input is provided """ mock_lookup_user_in_resolver.return_value = None, None, None assert {} == getUserInfo('userId', 'resolver', 'resolver_conf') assert {} == getUserInfo(None, 'resolver', 'resolver_conf')
def samlcheck(self): ''' This function is used to validate the username and the otp value/password in a SAML environment. If ``linotp.allowSamlAttributes = True`` then the attributes of the authenticated users are also contained in the response. method: validate/samlcheck arguments: * user: username / loginname * pass: the password that consists of a possible fixes password component and the OTP value * realm: optional realm to match the user to a useridresolver returns: JSON response ''' try: opt = None param = self.request_params (ok, opt) = self._check(param) attributes = {} if True == ok: allowSAML = False try: allowSAML = getFromConfig("allowSamlAttributes") except: log.warning("[samlcheck] Calling controller samlcheck. But allowSamlAttributes is False.") if "True" == allowSAML: ## Now we get the attributes of the user user = getUserFromParam(param) (uid, resId, resIdC) = getUserId(user) userInfo = getUserInfo(uid, resId, resIdC) log.debug("[samlcheck] getting attributes for: %s@%s" % (user.login, user.realm)) res = userInfo for key in ['username', 'surname', 'mobile', 'phone', 'givenname', 'email']: if key in res: attributes[key] = res[key] Session.commit() return sendResult(response, { 'auth': ok, 'attributes' : attributes } , 0, opt) except Exception as exx: log.exception("[samlcheck] validate/check failed: %r" % exx) Session.rollback() return sendResult(response, False, 0) finally: Session.close()
def samlcheck(self): ''' This function is used to validate the username and the otp value/password in a SAML environment. If ``linotp.allowSamlAttributes = True`` then the attributes of the authenticated users are also contained in the response. method: validate/samlcheck arguments: * user: username / loginname * pass: the password that consists of a possible fixes password component and the OTP value * realm: optional realm to match the user to a useridresolver returns: JSON response ''' try: opt = None param = request.params (ok, opt) = self._check(param) attributes = {} if True == ok: allowSAML = False try: allowSAML = getFromConfig("allowSamlAttributes") except: log.warning("[samlcheck] Calling controller samlcheck. But allowSamlAttributes is False.") if "True" == allowSAML: ## Now we get the attributes of the user user = getUserFromParam(param) (uid, resId, resIdC) = getUserId(user) userInfo = getUserInfo(uid, resId, resIdC) log.debug("[samlcheck] getting attributes for: %s@%s" % (user.login, user.realm)) res = userInfo for key in ['username', 'surname', 'mobile', 'phone', 'givenname', 'email']: if key in res: attributes[key] = res[key] Session.commit() return sendResult(response, { 'auth': ok, 'attributes' : attributes } , 0, opt) except Exception as exx: log.exception("[samlcheck] validate/check failed: %r" % exx) Session.rollback() return sendResult(response, False, 0) finally: Session.close()
def get_userinfo(user): (uid, resolver, resolver_class) = getUserId(user) uinfo = getUserInfo(uid, resolver, resolver_class) if 'cryptpass' in uinfo: del uinfo['cryptpass'] return uinfo
def getUserDetail(self, tok): userInfo = {} uInfo = {} userInfo["User.description"] = u'' userInfo["User.userid"] = u'' userInfo["User.username"] = u'' for field in self.user_fields: userInfo["User.%s" % field] = u'' if tok.LinOtpUserid: # userInfo["User.description"] = u'/:no user info:/' userInfo["User.userid"] = u'/:no user info:/' userInfo["User.username"] = u'/:no user info:/' uInfo = None try: uInfo = getUserInfo(tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass) except NoResolverFound: log.error("no user info found!") if uInfo is not None and len(uInfo) > 0: if uInfo.has_key("description"): description = uInfo.get("description") if isinstance(description, str): userInfo["User.description"] = description.decode( ENCODING) else: userInfo["User.description"] = description if uInfo.has_key("userid"): userid = uInfo.get("userid") if isinstance(userid, str): userInfo["User.userid"] = userid.decode(ENCODING) else: userInfo["User.userid"] = userid if uInfo.has_key("username"): username = uInfo.get("username") if isinstance(username, str): userInfo["User.username"] = username.decode(ENCODING) else: userInfo["User.username"] = username for field in self.user_fields: fieldvalue = uInfo.get(field, "") if isinstance(fieldvalue, str): userInfo["User.%s" % field] = fieldvalue.decode(ENCODING) else: userInfo["User.%s" % field] = fieldvalue return (userInfo, uInfo)
def get_userinfo(user): (uid, resolver, resolver_class) = getUserId(user) uinfo = getUserInfo(uid, resolver, resolver_class) if "cryptpass" in uinfo: del uinfo["cryptpass"] uinfo["realm"] = user.realm return uinfo
def getUserDetail(self, tok): userInfo = {} uInfo = {} userInfo["User.description"] = u'' userInfo["User.userid"] = u'' userInfo["User.username"] = u'' for field in self.user_fields: userInfo["User.%s" % field] = u'' if tok.LinOtpUserid: # userInfo["User.description"] = u'/:no user info:/' userInfo["User.userid"] = u'/:no user info:/' userInfo["User.username"] = u'/:no user info:/' uInfo = None try: uInfo = getUserInfo( tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass) except NoResolverFound: log.error("no user info found!") if uInfo is not None and len(uInfo) > 0: if uInfo.has_key("description"): description = uInfo.get("description") if isinstance(description, str): userInfo["User.description"] = description.decode(ENCODING) else: userInfo["User.description"] = description if uInfo.has_key("userid"): userid = uInfo.get("userid") if isinstance(userid, str): userInfo["User.userid"] = userid.decode(ENCODING) else: userInfo["User.userid"] = userid if uInfo.has_key("username"): username = uInfo.get("username") if isinstance(username, str): userInfo["User.username"] = username.decode(ENCODING) else: userInfo["User.username"] = username for field in self.user_fields: fieldvalue = uInfo.get(field, "") if isinstance(fieldvalue, str): userInfo["User.%s" % field] = fieldvalue.decode(ENCODING) else: userInfo["User.%s" % field] = fieldvalue return (userInfo, uInfo)
def samlcheck(self): """ This function is used to validate the username and the otp value/password in a SAML environment. If ``linotp.allowSamlAttributes = True`` then the attributes of the authenticated users are also contained in the response. method: validate/samlcheck arguments: * user: username / loginname * pass: the password that consists of a possible fixes password component and the OTP value * realm: optional realm to match the user to a useridresolver returns: JSON response """ try: opt = None param = request.params (ok, opt) = self._check(param) attributes = {} if True == ok: allowSAML = False try: allowSAML = getFromConfig("allowSamlAttributes") except: log.warning("[samlcheck] Calling controller samlcheck. But allowSamlAttributes == False.") if "True" == allowSAML: ## Now we get the attributes of the user user = getUserFromParam(param, optional) (uid, resId, resIdC) = getUserId(user) userInfo = getUserInfo(uid, resId, resIdC) # users = getUserList({ 'username':user.getUser()} , user) log.debug("[samlcheck] getting attributes for: %s@%s" % (user.getUser(), user.getRealm())) res = userInfo for key in ["username", "surname", "mobile", "phone", "givenname", "email"]: if key in res: attributes[key] = res[key] Session.commit() return sendResult(response, {"auth": ok, "attributes": attributes}, 0, opt) except Exception as exx: log.error("[samlcheck] validate/check failed: %r" % exx) log.error("[samlcheck] %s" % traceback.format_exc()) Session.rollback() return sendError(response, "validate/samlcheck failed: %s" % unicode(exx), 0) finally: Session.close() log.debug("[samlcheck] done")
def checkSerialPass(self, serial, passw, options=None, user=None): """ This function checks the otp for a given serial :attention: the parameter user must be set, as the pin policy==1 will verify the user pin """ token_type = options.get("token_type", None) tokenList = getTokens4UserOrSerial(None, serial, token_type=token_type, read_for_update=True) if passw is None: # other than zero or one token should not happen, as serial is # unique if len(tokenList) == 1: theToken = tokenList[0] tok = theToken.token realms = tok.getRealmNames() if realms is None or len(realms) == 0: realm = getDefaultRealm() elif len(realms) > 0: realm = realms[0] userInfo = getUserInfo( tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass, ) user = User(login=userInfo.get("username"), realm=realm) user.info = userInfo if theToken.is_challenge_request(passw, user, options=options): (res, opt) = Challenges.create_challenge(theToken, options) res = False else: raise ParameterError("Missing parameter: pass", id=905) else: raise Exception("No token found: " "unable to create challenge for %s" % serial) else: (res, opt) = self.checkTokenList(tokenList, passw, user=user, options=options) return (res, opt)
def test_getUserInfo_good(self, mock_lookup_user_in_resolver): """ verify that the lookup result is forwarded """ mock_lookup_user_in_resolver.return_value = '1223', 'myResolver', { 'login': '******', 'email': '*****@*****.**' } userInfo = getUserInfo('userId', 'resolver', 'resolver_conf') assert userInfo['login'] == 'heinz' return
def checkSerialPass(self, serial, passw, options=None, user=None): """ This function checks the otp for a given serial :attention: the parameter user must be set, as the pin policy==1 will verify the user pin """ log.debug('checking for serial %r' % serial) tokenList = linotp.lib.token.getTokens4UserOrSerial(None, serial) if passw is None: # other than zero or one token should not happen, as serial is # unique if len(tokenList) == 1: theToken = tokenList[0] tok = theToken.token realms = tok.getRealmNames() if realms is None or len(realms) == 0: realm = getDefaultRealm() elif len(realms) > 0: realm = realms[0] userInfo = getUserInfo(tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass) user = User(login=userInfo.get('username'), realm=realm) user.info = userInfo if theToken.is_challenge_request(passw, user, options=options): (res, opt) = Challenges.create_challenge(theToken, options) res = False else: raise ParameterError('Missing parameter: pass', id=905) else: raise Exception('No token found: ' 'unable to create challenge for %s' % serial) else: log.debug('checking len(pass)=%r for serial %r' % (len(passw), serial)) (res, opt) = self.checkTokenList(tokenList, passw, user=user, options=options) return (res, opt)
def checkSerialPass(self, serial, passw, options=None, user=None): """ This function checks the otp for a given serial :attention: the parameter user must be set, as the pin policy==1 will verify the user pin """ log.debug('checking for serial %r' % serial) tokenList = linotp.lib.token.getTokens4UserOrSerial( None, serial) if passw is None: # other than zero or one token should not happen, as serial is # unique if len(tokenList) == 1: theToken = tokenList[0] tok = theToken.token realms = tok.getRealmNames() if realms is None or len(realms) == 0: realm = getDefaultRealm() elif len(realms) > 0: realm = realms[0] userInfo = getUserInfo(tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass) user = User(login=userInfo.get('username'), realm=realm) user.info = userInfo if theToken.is_challenge_request(passw, user, options=options): (res, opt) = Challenges.create_challenge( theToken, options) res = False else: raise ParameterError('Missing parameter: pass', id=905) else: raise Exception('No token found: ' 'unable to create challenge for %s' % serial) else: log.debug('checking len(pass)=%r for serial %r' % (len(passw), serial)) (res, opt) = self.checkTokenList( tokenList, passw, user=user, options=options) return (res, opt)
def getUserDetail(self, tok): userInfo = {} uInfo = {} userInfo["User.description"] = u"" userInfo["User.userid"] = u"" userInfo["User.username"] = u"" for field in self.user_fields: userInfo["User.%s" % field] = u"" if tok.LinOtpUserid: # userInfo["User.description"] = u'/:no user info:/' userInfo["User.userid"] = u"/:no user info:/" userInfo["User.username"] = u"/:no user info:/" uInfo = getUserInfo(tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass) if uInfo is not None and len(uInfo) > 0: if "description" in uInfo: description = uInfo.get("description") if isinstance(description, str): userInfo["User.description"] = description.decode(ENCODING) else: userInfo["User.description"] = description if "userid" in uInfo: userid = uInfo.get("userid") if isinstance(userid, str): userInfo["User.userid"] = userid.decode(ENCODING) else: userInfo["User.userid"] = userid if "username" in uInfo: username = uInfo.get("username") if isinstance(username, str): userInfo["User.username"] = username.decode(ENCODING) else: userInfo["User.username"] = username for field in self.user_fields: fieldvalue = uInfo.get(field, "") if isinstance(fieldvalue, str): userInfo["User.%s" % field] = fieldvalue.decode(ENCODING) else: userInfo["User.%s" % field] = fieldvalue return (userInfo, uInfo)
def getUserDetail(self, tok): userInfo = {} uInfo = {} userInfo["User.description"] = "" userInfo["User.userid"] = "" userInfo["User.username"] = "" for field in self.user_fields: userInfo["User.%s" % field] = "" if tok.LinOtpUserid: # userInfo["User.description"] = u'/:no user info:/' userInfo["User.userid"] = "/:no user info:/" userInfo["User.username"] = "******" uInfo = None try: uInfo = getUserInfo( tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass, ) except NoResolverFound: log.error("no user info found!") if uInfo is not None and len(uInfo) > 0: if "description" in uInfo: description = uInfo.get("description") userInfo["User.description"] = description if "userid" in uInfo: userid = uInfo.get("userid") userInfo["User.userid"] = userid if "username" in uInfo: username = uInfo.get("username") userInfo["User.username"] = username for field in self.user_fields: fieldvalue = uInfo.get(field, "") userInfo["User.%s" % field] = fieldvalue return (userInfo, uInfo)
def test_getUserInfo_good(self, mock_lookup_user_in_resolver): """ verify that the lookup result is forwarded """ mock_lookup_user_in_resolver.return_value = ( "1223", "myResolver", { "login": "******", "email": "*****@*****.**" }, ) userInfo = getUserInfo("userId", "resolver", "resolver_conf") assert userInfo["login"] == "heinz" return
def get_userinfo(login): uinfo = {} if '@' in login: uuser, rrealm = login.split("@") user = User(uuser, rrealm) else: realm = getDefaultRealm() user = User(login, realm) (uid, resolver, resolver_class) = getUserId(user) uinfo = getUserInfo(uid, resolver, resolver_class) # the passwd resolver should not expose the crypted/hasehd password if 'cryptpass' in uinfo: del uinfo['cryptpass'] return uinfo
def get_userinfo(login): uinfo = {} if "@" in login: uuser, rrealm = login.split("@") user = User(uuser, rrealm) else: realm = getDefaultRealm() user = User(login, realm) (uid, resolver, resolver_class) = getUserId(user) uinfo = getUserInfo(uid, resolver, resolver_class) # the passwd resolver should not expose the crypted/hasehd password if "cryptpass" in uinfo: del uinfo["cryptpass"] return uinfo
def get_user_detail(self): """ get detail info about openid cookie owner :return: tuple of (email,firstname,lastname,fullname) """ email = "" fullname = "" firstname = "" lastname = "" ## search in userresolvers for user detail user = self.user if "@" not in user: user = "******" % (user, getDefaultRealm()) login, realm = user.split('@') usr = User(login, realm) (userid, res_id, res_conf) = getUserId(usr) usr_detail = getUserInfo(userid, res_id, res_conf) if "email" in usr_detail: email = usr_detail["email"] if "givenname" in usr_detail: firstname = usr_detail["givenname"] if "surname" in usr_detail: lastname = usr_detail["surname"] if firstname and lastname: fullname = "%s %s" % (firstname, lastname) elif firstname: fullname = "%s" % firstname elif lastname: fullname = "%s" % lastname return (email, firstname, lastname, fullname)
def migrate_resolver(self, src=None, target=None, filter_serials=None): """ support the migration of owned tokens from one resolver to a new one the idea is: - get all tokens from one resolver - for each token, the the owner - from the owner get the login name - with the login name get the uid from the target resolver - update the new_id in the token """ ret = {} if not src or not target: raise Exception("Missing src or target resolver defintion!") now = datetime.now() stime = now.strftime("%s") g.audit["action_detail"] = "migration from %s to %s" % ( src["resolvername"], target["resolvername"], ) ret["src"] = src ret["target"] = target ret["value"] = False ret["message"] = "" search = getResolverClassName(src["type"], src["resolvername"]) target_resolver = getResolverClassName(target["type"], target["resolvername"]) # get all tokens of src resolver tokens = self._get_tokens_for_resolver(search, serials=filter_serials) num_migration = 0 serials = set() for token in tokens: serial = token.get("LinOtpTokenSerialnumber") userid = token.get("LinOtpUserid") resolverC = token.get("LinOtpIdResClass") # now do the lookup of the uid in the # src resolver to get the login uInfo = getUserInfo(userid, "", resolverC) login = uInfo.get("username") try: y = getResolverObject(target_resolver) uid = y.getUserId(login) if not uid: log.warning( "User %s not found in target resolver %r", login, target_resolver, ) continue token.LinOtpIdResClass = target_resolver token.LinOtpUserid = uid # TODO: adjust token.LinOtpIdResolver = target["type"] db.session.add(token) num_migration += 1 serials.add(serial) except Exception as exx: log.error( "Faild to set new resolver data for token %s: %r", serial, exx, ) ret["value"] = True ret["message"] = _("%d tokens of %d migrated") % ( num_migration, len(tokens), ) g.audit["info"] = "[%s] %s" % (stime, ret["message"]) g.audit["serial"] = ",".join(list(serials)) g.audit["success"] = True return ret
def check_s(self): ''' This function is used to validate the serial and the otp value/password. method: validate/check_s arguments: * serial: the serial number of the token * pass: the password that consists of a possible fixes password component and the OTP value returns: JSON response ''' param = self.request_params options = {} options.update(param) for k in ['user', 'serial', "pass", "init"]: if k in options: del options[k] if 'init' in param: if isSelfTest() is True: options['initTime'] = param.get('init') try: passw = param.get("pass") serial = param.get('serial') if serial is None: user = param.get('user') if user is not None: user = getUserFromParam(param) toks = getTokens4UserOrSerial(user=user) if len(toks) == 0: raise Exception("No token found!") elif len(toks) > 1: raise Exception("More than one token found!") else: tok = toks[0].token desc = tok.get() realms = desc.get('LinOtp.RealmNames') if realms is None or len(realms) == 0: realm = getDefaultRealm() elif len(realms) > 0: realm = realms[0] userInfo = getUserInfo(tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass) user = User(login=userInfo.get('username'), realm=realm) serial = tok.getSerial() c.audit['serial'] = serial if isSelfTest() is True: initTime = param.get("init") if initTime is not None: if options is None: options = {} options['initTime'] = initTime options['scope'] = {"check_s": True} vh = ValidationHandler() (ok, opt) = vh.checkSerialPass(serial, passw, options=options) c.audit['success'] = ok Session.commit() qr = param.get('qr', None) if qr and opt and 'message' in opt: try: dataobj = opt.get('message') param['alt'] = "%s" % opt if 'transactionid' in opt: param['transactionid'] = opt['transactionid'] return sendQRImageResult(response, dataobj, param) except Exception as exc: log.warning("failed to send QRImage: %r " % exc) return sendQRImageResult(response, opt, param) else: return sendResult(response, ok, 0, opt=opt) except Exception as exx: log.exception("[check_s] validate/check_s failed: %r" % exx) c.audit['info'] = unicode(exx) Session.rollback() return sendResult(response, False, id=0, status=False) finally: Session.close()
def check_s(self): ''' This function is used to validate the serial and the otp value/password. method: validate/check_s arguments: * serial: the serial number of the token * pass: the password that consists of a possible fixes password component and the OTP value returns: JSON response ''' param = {} param.update(request.params) options = {} options.update(param) for k in ['user', 'serial', "pass", "init"]: if k in options: del options[k] if 'init' in param: if isSelfTest() == True: options['initTime'] = param.get('init') try: passw = getParam(param, "pass", optional) serial = getParam(param, 'serial', optional) if serial is None: user = getParam(param, 'user', optional) if user is not None: user = getUserFromParam(param, optional) toks = getTokens4UserOrSerial(user=user) if len(toks) == 0: raise Exception("No token found!") elif len(toks) > 1: raise Exception("More than one token found!") else: tok = toks[0].token desc = tok.get() realms = desc.get('LinOtp.RealmNames') if realms is None or len(realms) == 0: realm = getDefaultRealm() elif len(realms) > 0: realm = realms[0] userInfo = getUserInfo(tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass) user = User(login=userInfo.get('username'), realm=realm) serial = tok.getSerial() c.audit['serial'] = serial if isSelfTest() == True: initTime = getParam(param, "init", optional) if initTime is not None: if options is None: options = {} options['initTime'] = initTime (ok, opt) = checkSerialPass(serial, passw, options=options) c.audit['success'] = ok Session.commit() qr = getParam(param, 'qr', optional) if qr is not None and opt is not None and opt.has_key('message'): try: dataobj = opt.get('message') param['alt'] = "%s" % opt return sendQRImageResult(response, dataobj, param) except Exception as exc: log.warning("failed to send QRImage: %r " % exc) return sendQRImageResult(response, opt, param) else: return sendResult(response, ok, 0, opt=opt) except Exception as exx: log.error("[check_s] validate/check_s failed: %r" % exx) log.error("[check_s] %s" % traceback.format_exc()) c.audit['info'] = unicode(exx) Session.rollback() return sendError(response, "validate/check_s failed: %s" % unicode(exx), 0) finally: Session.close() log.debug('[check_s] done')
def check_s(self): """ This function is used to validate the serial and the otp value/password. method: validate/check_s arguments: * serial: the serial number of the token * pass: the password that consists of a possible fixes password component and the OTP value returns: JSON response """ param = {} param.update(request.params) options = {} options.update(param) for k in ["user", "serial", "pass", "init"]: if k in options: del options[k] if "init" in param: if isSelfTest() == True: options["initTime"] = param.get("init") try: passw = getParam(param, "pass", optional) serial = getParam(param, "serial", optional) if serial is None: user = getParam(param, "user", optional) if user is not None: user = getUserFromParam(param, optional) toks = getTokens4UserOrSerial(user=user) if len(toks) == 0: raise Exception("No token found!") elif len(toks) > 1: raise Exception("More than one token found!") else: tok = toks[0].token desc = tok.get() realms = desc.get("LinOtp.RealmNames") if realms is None or len(realms) == 0: realm = getDefaultRealm() elif len(realms) > 0: realm = realms[0] userInfo = getUserInfo(tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass) user = User(login=userInfo.get("username"), realm=realm) serial = tok.getSerial() c.audit["serial"] = serial if isSelfTest() == True: initTime = getParam(param, "init", optional) if initTime is not None: if options is None: options = {} options["initTime"] = initTime (ok, opt) = checkSerialPass(serial, passw, options=options) c.audit["success"] = ok Session.commit() qr = getParam(param, "qr", optional) if qr is not None and opt is not None and opt.has_key("message"): try: dataobj = opt.get("message") param["alt"] = "%s" % opt return sendQRImageResult(response, dataobj, param) except Exception as exc: log.warning("failed to send QRImage: %r " % exc) return sendQRImageResult(response, opt, param) else: return sendResult(response, ok, 0, opt=opt) except Exception as exx: log.error("[check_s] validate/check_s failed: %r" % exx) log.error("[check_s] %s" % traceback.format_exc()) c.audit["info"] = unicode(exx) Session.rollback() return sendError(response, "validate/check_s failed: %s" % unicode(exx), 0) finally: Session.close() log.debug("[check_s] done")
def check_t(self): param = {} value = {} ok = False opt = None try: param.update(request.params) passw = getParam(param, "pass", required) transid = param.get('state', None) if transid is not None: param['transactionid'] = transid del param['state'] if transid is None: transid = param.get('transactionid', None) if transid is None: raise Exception("missing parameter: state or transactionid!") serial = get_tokenserial_of_transaction(transId=transid) if serial is None: value['value'] = False value['failure'] = 'No challenge for transaction %r found'\ % transid else: param['serial'] = serial tokens = getTokens4UserOrSerial(serial=serial) if len(tokens) == 0 or len(tokens) > 1: raise Exception('tokenmismatch for token serial: %s' % (unicode(serial))) theToken = tokens[0] tok = theToken.token realms = tok.getRealmNames() if realms is None or len(realms) == 0: realm = getDefaultRealm() elif len(realms) > 0: realm = realms[0] userInfo = getUserInfo(tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass) user = User(login=userInfo.get('username'), realm=realm) (ok, opt) = checkSerialPass(serial, passw, user=user, options=param) value['value'] = ok failcount = theToken.getFailCount() value['failcount'] = int(failcount) c.audit['success'] = ok #c.audit['info'] += "%s=%s, " % (k, value) Session.commit() qr = param.get('qr', None) if qr and opt and 'message' in opt: try: dataobj = opt.get('message') param['alt'] = "%s" % opt if 'transactionid' in opt: param['transactionid'] = opt['transactionid'] return sendQRImageResult(response, dataobj, param) except Exception as exc: log.warning("failed to send QRImage: %r " % exc) return sendQRImageResult(response, opt, param) else: return sendResult(response, value, 1, opt=opt) except Exception as exx: log.error("[check_t] validate/check_t failed: %r" % exx) log.error("[check_t] %s" % traceback.format_exc()) c.audit['info'] = unicode(exx) Session.rollback() return sendError(response, "validate/check_t failed: %s" % unicode(exx), 0) finally: Session.close() log.debug('[check_t] done')
def check_t(self): """ method: ocra/check_t description: verify the response of the ocra token arguments: * transactionid: (required - string) Dies ist eine Transaktions-ID, die bei der Challenge ausgegeben wurde. * pass: (required - string) die response, die der OCRA Token auf Grund der Challenge berechnet hat returns: A JSON response:: { "version": "LinOTP 2.4", "jsonrpc": "2.0", "result": { "status": true, "value": { "failcount" : 3, "result": false } }, "id": 0 } exception: """ res = {} description = 'ocra/check_t: validate a token request.' try: param = getLowerParams(request.params) log.info("[check_t] check OCRA token: %r" % param) #checkPolicyPre('ocra', "check_t") passw = getParam(param, 'pass' , optional) if passw is None: ## raise exception''' log.exception("[check_t] missing pass ") raise ParameterError("Usage: %s Missing parameter 'pass'." % description, id=77) transid = getParam(param, 'transactionid', optional) if transid is None: ## raise exception''' log.exception("[check_t] missing transactionid, user or serial number of token") raise ParameterError("Usage: %s Missing parameter 'transactionid'." % description, id=77) ## if we have a transaction, get serial from this challenge value = {} ocraChallenge = OcraTokenClass.getTransaction(transid) if ocraChallenge is not None: serial = ocraChallenge.tokenserial tokens = getTokens4UserOrSerial(serial=serial) if len(tokens) == 0 or len(tokens) > 1: raise Exception('tokenmismatch for token serial: %s' % (unicode(serial))) theToken = tokens[0] tok = theToken.token desc = tok.get() realms = desc.get('LinOtp.RealmNames') if realms is None or len(realms) == 0: realm = getDefaultRealm() elif len(realms) > 0: realm = realms[0] userInfo = getUserInfo(tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass) user = User(login=userInfo.get('username'), realm=realm) vh = ValidationHandler() (ok, opt) = vh.checkSerialPass(serial, passw, user=user, options={'transactionid': transid}) failcount = theToken.getFailCount() value['result'] = ok value['failcount'] = int(failcount) else: ## no challenge found for this transid value['result'] = False value['failure'] = 'No challenge for transaction %r found'\ % transid c.audit['success'] = res #c.audit['info'] += "%s=%s, " % (k, value) Session.commit() return sendResult(response, value, 1) except Exception as e : log.exception("[check_t] failed: %r" % e) Session.rollback() return sendResult(response, unicode(e), 0) finally: Session.close() log.debug("[check_t] done")
def migrate_resolver(self, src=None, target=None, filter_serials=None): """ support the migration of owned tokens from one resolver to a new one the idea is: - get all tokens from one resolver - for each token, the the owner - from the owner get the login name - with the login name get the uid from the target resolver - update the new_id in the token """ _ = context['translate'] ret = {} if not src or not target: raise Exception("Missing src or target resolver defintion!") audit = context.get('audit') now = datetime.now() stime = now.strftime("%s") audit['action_detail'] = ( "migration from %s to %s" % (src['resolvername'], target['resolvername'])) ret['src'] = src ret['target'] = target ret['value'] = False ret['message'] = '' search = getResolverClassName(src['type'], src['resolvername']) target_resolver = getResolverClassName(target['type'], target['resolvername']) # get all tokens of src resolver tokens = self._get_tokens_for_resolver(search, serials=filter_serials) num_migration = 0 serials = set() for token in tokens: serial = token.get('LinOtpTokenSerialnumber') userid = token.get('LinOtpUserid') resolverC = token.get('LinOtpIdResClass') # now do the lookup of the uid in the # src resolver to get the login uInfo = getUserInfo(userid, '', resolverC) login = uInfo.get('username') try: y = getResolverObject(target_resolver) uid = y.getUserId(login) if not uid: log.warning("User %s not found in target resolver %r", login, target_resolver) continue token.LinOtpIdResClass = target_resolver token.LinOtpUserid = uid # TODO: adjust token.LinOtpIdResolver = target['type'] Session.add(token) num_migration += 1 serials.add(serial) except Exception as exx: log.exception( "Faild to set new resolver data for token %s: %r" % (serial, exx)) ret['value'] = True ret['message'] = (_("%d tokens of %d migrated") % (num_migration, len(tokens))) log.info(ret['message']) audit['info'] = "[%s] %s" % (stime, ret['message']) audit['serial'] = ",".join(list(serials)) audit['success'] = True context['audit'] = audit return ret
def migrate_resolver(self, src=None, target=None, filter_serials=None): """ support the migration of owned tokens from one resolver to a new one the idea is: - get all tokens from one resolver - for each token, the the owner - from the owner get the login name - with the login name get the uid from the target resolver - update the new_id in the token """ _ = context['translate'] ret = {} if not src or not target: raise Exception("Missing src or target resolver defintion!") audit = context.get('audit') now = datetime.now() stime = now.strftime("%s") audit['action_detail'] = ("migration from %s to %s" % (src['resolvername'], target['resolvername'])) ret['src'] = src ret['target'] = target ret['value'] = False ret['message'] = '' search = getResolverClassName(src['type'], src['resolvername']) target_resolver = getResolverClassName(target['type'], target['resolvername']) # get all tokens of src resolver tokens = self._get_tokens_for_resolver(search, serials=filter_serials) num_migration = 0 serials = set() for token in tokens: serial = token.get('LinOtpTokenSerialnumber') userid = token.get('LinOtpUserid') resolverC = token.get('LinOtpIdResClass') # now do the lookup of the uid in the # src resolver to get the login uInfo = getUserInfo(userid, '', resolverC) login = uInfo.get('username') try: y = getResolverObject(target_resolver) uid = y.getUserId(login) if not uid: log.warning("User %s not found in target resolver %r", login, target_resolver) continue token.LinOtpIdResClass = target_resolver token.LinOtpUserid = uid # TODO: adjust token.LinOtpIdResolver = target['type'] Session.add(token) num_migration += 1 serials.add(serial) except Exception as exx: log.exception("Faild to set new resolver data for token %s: %r" % (serial, exx)) ret['value'] = True ret['message'] = (_("%d tokens of %d migrated") % (num_migration, len(tokens))) log.info(ret['message']) audit['info'] = "[%s] %s" % (stime, ret['message']) audit['serial'] = ",".join(list(serials)) audit['success'] = True context['audit'] = audit return ret
def check_s(self): ''' This function is used to validate the serial and the otp value/password. method: validate/check_s arguments: * serial: the serial number of the token * pass: the password that consists of a possible fixes password component and the OTP value returns: JSON response ''' param = {} param.update(request.params) options = {} options.update(param) for k in ['user', 'serial', "pass", "init"]: if k in options: del options[k] if 'init' in param: if isSelfTest() is True: options['initTime'] = param.get('init') try: passw = getParam(param, "pass", optional) serial = getParam(param, 'serial', optional) if serial is None: user = getParam(param, 'user', optional) if user is not None: user = getUserFromParam(param, optional) toks = getTokens4UserOrSerial(user=user) if len(toks) == 0: raise Exception("No token found!") elif len(toks) > 1: raise Exception("More than one token found!") else: tok = toks[0].token desc = tok.get() realms = desc.get('LinOtp.RealmNames') if realms is None or len(realms) == 0: realm = getDefaultRealm() elif len(realms) > 0: realm = realms[0] userInfo = getUserInfo(tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass) user = User(login=userInfo.get('username'), realm=realm) serial = tok.getSerial() c.audit['serial'] = serial if isSelfTest() is True: initTime = getParam(param, "init", optional) if initTime is not None: if options is None: options = {} options['initTime'] = initTime options['scope'] = {"check_s": True} vh = ValidationHandler() (ok, opt) = vh.checkSerialPass(serial, passw, options=options) c.audit['success'] = ok Session.commit() qr = param.get('qr', None) if qr and opt and 'message' in opt: try: dataobj = opt.get('message') param['alt'] = "%s" % opt if 'transactionid' in opt: param['transactionid'] = opt['transactionid'] return sendQRImageResult(response, dataobj, param) except Exception as exc: log.warning("failed to send QRImage: %r " % exc) return sendQRImageResult(response, opt, param) else: return sendResult(response, ok, 0, opt=opt) except Exception as exx: log.exception("[check_s] validate/check_s failed: %r" % exx) c.audit['info'] = unicode(exx) Session.rollback() return sendResult(response, False, id=0, status=False) finally: Session.close() log.debug('[check_s] done')
def check_t(self): param = {} value = {} ok = False opt = None try: param.update(request.params) passw = getParam(param, "pass", required) transid = param.get('state', None) if transid is not None: param['transactionid'] = transid del param['state'] if transid is None: transid = param.get('transactionid', None) if transid is None: raise Exception("missing parameter: state or transactionid!") serial = get_tokenserial_of_transaction(transId=transid) if serial is None: value['value'] = False value['failure'] = 'No challenge for transaction %r found'\ % transid else: param['serial'] = serial tokens = getTokens4UserOrSerial(serial=serial) if len(tokens) == 0 or len(tokens) > 1: raise Exception('tokenmismatch for token serial: %s' % (unicode(serial))) theToken = tokens[0] tok = theToken.token realms = tok.getRealmNames() if realms is None or len(realms) == 0: realm = getDefaultRealm() elif len(realms) > 0: realm = realms[0] userInfo = getUserInfo(tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass) user = User(login=userInfo.get('username'), realm=realm) (ok, opt) = checkSerialPass(serial, passw, user=user, options=param) value['value'] = ok failcount = theToken.getFailCount() value['failcount'] = int(failcount) c.audit['success'] = ok #c.audit['info'] += "%s=%s, " % (k, value) Session.commit() qr = getParam(param, 'qr', optional) if qr is not None and opt is not None and opt.has_key('message'): try: dataobj = opt.get('message') param['alt'] = "%s" % opt return sendQRImageResult(response, dataobj, param) except Exception as exc: log.warning("failed to send QRImage: %r " % exc) return sendQRImageResult(response, opt, param) else: return sendResult(response, value, 1, opt=opt) except Exception as exx: log.error("[check_t] validate/check_t failed: %r" % exx) log.error("[check_t] %s" % traceback.format_exc()) c.audit['info'] = unicode(exx) Session.rollback() return sendError(response, "validate/check_t failed: %s" % unicode(exx), 0) finally: Session.close() log.debug('[check_t] done')
def check_t(self): """ method: ocra/check_t description: verify the response of the ocra token arguments: * transactionid: (required - string) Dies ist eine Transaktions-ID, die bei der Challenge ausgegeben wurde. * pass: (required - string) die response, die der OCRA Token auf Grund der Challenge berechnet hat returns: A JSON response:: { "version": "LinOTP 2.4", "jsonrpc": "2.0", "result": { "status": true, "value": { "failcount" : 3, "result": false } }, "id": 0 } exception: """ res = {} description = 'ocra/check_t: validate a token request.' try: param = getLowerParams(request.params) log.info("[check_t] check OCRA token: %r" % param) # TODO: checkPolicyPre('ocra', "check_t") passw = param.get('pass') if passw is None: # raise exception''' log.exception("[check_t] missing pass ") raise ParameterError("Usage: %s Missing parameter " "'pass'." % description, id=77) transid = param.get('transactionid') if not transid: # raise exception log.exception("[check_t] missing transactionid, user or " "serial number of token") raise ParameterError("Usage: %s Missing parameter " "'transactionid'." % description, id=77) # if we have a transaction, get serial from this challenge value = {} ocraChallenge = OcraTokenClass.getTransaction(transid) if ocraChallenge is not None: serial = ocraChallenge.tokenserial tokens = getTokens4UserOrSerial(serial=serial) if len(tokens) == 0 or len(tokens) > 1: raise Exception('tokenmismatch for token serial: %s' % (unicode(serial))) theToken = tokens[0] tok = theToken.token desc = tok.get() realms = desc.get('LinOtp.RealmNames') if realms is None or len(realms) == 0: realm = getDefaultRealm() elif len(realms) > 0: realm = realms[0] userInfo = getUserInfo(tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass) user = User(login=userInfo.get('username'), realm=realm) vh = ValidationHandler() (ok, _opt) = vh.checkSerialPass( serial, passw, user=user, options={'transactionid': transid}) failcount = theToken.getFailCount() value['result'] = ok value['failcount'] = int(failcount) else: # no challenge found for this transid value['result'] = False value['failure'] = ('No challenge for transaction %r found' % transid) c.audit['success'] = res Session.commit() return sendResult(response, value, 1) except Exception as exx: log.exception("[check_t] failed: %r", exx) Session.rollback() return sendResult(response, unicode(exx), 0) finally: Session.close()
def check_s(self): """ This function is used to validate the serial and the otp value/password. If the otppin policy is set, the endpoint /validate/check_s does not work. method: validate/check_s arguments: * serial: the serial number of the token * pass: the password that consists of a possible fixes password component and the OTP value returns: JSON response """ param = self.request_params options = {} options.update(param) for k in ["user", "serial", "pass", "init"]: if k in options: del options[k] try: passw = param.get("pass") serial = param.get("serial") if serial is None: user = param.get("user") if user is not None: user = getUserFromParam(param) toks = getTokens4UserOrSerial(user=user) if len(toks) == 0: raise Exception("No token found!") elif len(toks) > 1: raise Exception("More than one token found!") else: tok = toks[0].token desc = tok.get() realms = desc.get("LinOtp.RealmNames") if realms is None or len(realms) == 0: realm = getDefaultRealm() elif len(realms) > 0: realm = realms[0] userInfo = getUserInfo( tok.LinOtpUserid, tok.LinOtpIdResolver, tok.LinOtpIdResClass, ) user = User( login=userInfo.get("username"), realm=realm ) serial = tok.getSerial() g.audit["serial"] = serial options["scope"] = {"check_s": True} vh = ValidationHandler() (ok, opt) = vh.checkSerialPass(serial, passw, options=options) g.audit["success"] = ok db.session.commit() qr = param.get("qr", None) if qr and opt and "message" in opt: try: dataobj = opt.get("message") param["alt"] = "%s" % opt if "transactionid" in opt: param["transactionid"] = opt["transactionid"] return sendQRImageResult(response, dataobj, param) except Exception as exc: log.warning("failed to send QRImage: %r ", exc) return sendQRImageResult(response, opt, param) else: return sendResult(response, ok, 0, opt=opt) except Exception as exx: log.error("[check_s] validate/check_s failed: %r", exx) g.audit["info"] = str(exx) db.session.rollback() return sendResult(response, False, id=0, status=False)