Example #1
0
    def update(self, param, reset_failcount=True):
        '''
        update - process the initialization parameters

        :param param: dict of initialization parameters
        :type param: dict

        :return: nothing
        '''

        log.debug("[update] begin. Process the initialization parameters: param %r" % (param))

        ## Remark: the otpKey is handled in the parent class

        val = getParam(param, "hashlib", optional)
        if val is not None:
            self.hashlibStr = val
        else:
            self.hashlibStr = 'sha1'

        ## check if the key_size id provided
        ## if not, we could derive it from the hashlib
        key_size = getParam(param, 'key_size', optional)
        if key_size is None:
            param['key_size'] = keylen.get(self.hashlibStr)

        param['hashlib'] = self.hashlibStr
        self.addToTokenInfo("hashlib", self.hashlibStr)

        TokenClass.update(self, param, reset_failcount)

        log.debug("[update] end. Processing the initialization parameters done.")
        return
Example #2
0
    def update(self, param):

        ## check for the required parameters
        if (self.hKeyRequired == True):
            getParam(param, "otpkey", required)

        TokenClass.update(self, param)
Example #3
0
    def update(self, param):
        # cko: changed for backward compat
        getParam(param, "pin", optional)
        if not param.has_key('otpkey'):
            param['genkey'] = 1

        TokenClass.update(self, param)
Example #4
0
    def update(self, param, reset_failcount=True):
        '''
        update - process the initialization parameters

        :param param: dict of initialization parameters
        :type param: dict

        :return: nothing
        '''

        log.debug("[update] begin. Process the initialization parameters: param %r" % (param))

        ## Remark: the otpKey is handled in the parent class

        val = getParam(param, "hashlib", optional)
        if val is not None:
            self.hashlibStr = val
        else:
            self.hashlibStr = 'sha1'

        ## check if the key_size id provided
        ## if not, we could derive it from the hashlib
        key_size = getParam(param, 'key_size', optional)
        if key_size == None:
            param['key_size'] = keylen.get(self.hashlibStr)

        param['hashlib'] = self.hashlibStr
        self.addToTokenInfo("hashlib", self.hashlibStr)

        TokenClass.update(self, param, reset_failcount)

        log.debug("[update] end. Processing the initialization parameters done.")
        return
Example #5
0
    def update(self, param):

        self.radiusServer = getParam(param, "radius.server", required)
        # if another OTP length would be specified in /admin/init this would
        # be overwritten by the parent class, which is ok.
        self.setOtpLen(6)

        val = getParam(param, "radius.local_checkpin", optional)
        if val is not None:
            self.radiusLocal_checkpin = val

        val = getParam(param, "radius.user", required)
        if val is not None:
            self.radiusUser = val

        val = getParam(param, "radius.secret", required)
        if val is not None:
            self.radiusSecret = val

        if self.radiusSecret == VOID_RADIUS_SECRET:
            log.warning("Usage of default radius secret is not recomended!!")


        TokenClass.update(self, param)
        # We need to write the secret!
        self.token.setHKey(binascii.hexlify(self.radiusSecret))

        self.addToTokenInfo("radius.server", self.radiusServer)
        self.addToTokenInfo("radius.local_checkpin", self.radiusLocal_checkpin)
        self.addToTokenInfo("radius.user", self.radiusUser)
Example #6
0
    def checkid_submit(self):
        '''
        This is called when the user accepts - hit the submit button - that he will login to the consumer
        '''
        param = request.params
        log.debug("[checkid_submit] params: %s" % param)
        redirect_token = getParam(param, "redirect_token", required)
        verify_always = getParam(param, "verify_always", optional)
        r_url, site, handle = self.storage.get_redirect(redirect_token)
        self.storage.add_site(site, handle)

        # The user checked the box, that he wants not be bothered again in the future
        # the relying party will be added to the trusted root
        login, token = self._split_cookie()
        user = self.storage.get_user_by_token(token)
        c.audit['user'], c.audit['realm'] = user.split('@', 2)
        c.audit['success'] = True
        c.audit['action_detail'] = site

        if "always" == verify_always:
            log.debug("[checkid_submit] putting into trusted root: %s, %s" % (site, handle))
            if "" != user:
                self.storage.add_trusted_root(user, site)

        log.debug("[checkid_submit] redirecting to %s" % r_url)
        redirect(r_url)
Example #7
0
    def checkid_submit(self):
        '''
        This is called when the user accepts - hit the submit button - that he will login to the consumer
        '''
        param = request.params
        log.debug("[checkid_submit] params: %s" % param)
        redirect_token = getParam(param, "redirect_token", required)
        verify_always = getParam(param, "verify_always", optional)
        r_url, site, handle = self.storage.get_redirect(redirect_token)
        self.storage.add_site(site, handle)

        # The user checked the box, that he wants not be bothered again in the future
        # the relying party will be added to the trusted root
        login, token = self._split_cookie()
        user = self.storage.get_user_by_token(token)
        c.audit['user'], c.audit['realm'] = user.split('@', 2)
        c.audit['success'] = True
        c.audit['action_detail'] = site

        if "always" == verify_always:
            log.debug("[checkid_submit] putting into trusted root: %s, %s" %
                      (site, handle))
            if "" != user:
                self.storage.add_trusted_root(user, site)

        log.debug("[checkid_submit] redirecting to %s" % r_url)
        redirect(r_url)
Example #8
0
    def setDefinition(self, param):
        """
            handle name
        """
        self.name = getParam(param, "name", required)
        # We should have no \.
        # This only leads to problems.
        nameExp = "^[A-Za-z0-9_\-]+$"
        if re.match(nameExp, self.name) is None:
            e = Exception("non conformant characters in resolver name: " + self.name + " (not in " + nameExp + ")")
            raise e

        # handle types
        self.type = getParam(param, "type", required)
        resolvertypes = get_resolver_types()
        if self.type not in resolvertypes:
            e = Exception("resolver type : %s not in %s" % (self.type, unicode(resolvertypes)))
            raise e

        resolvers = getResolverList(filter_resolver_type=self.type)
        for resolver in resolvers:
            if self.name.lower() == resolver.lower():
                if self.name == resolver:
                    continue
                e = Exception("resolver with similar name already exists: %s" % (resolver))
                raise e

        resolver_config = get_resolver_classConfig(self.type)
        if self.type in resolver_config:
            config = resolver_config.get(self.type).get("config", {})
        else:
            config = resolver_config

        for k in param:
            if k != "name" and k != "type":
                if k.startswith("type.") == True:
                    key = k[len("type.") :]
                    self.types[key] = param.get(k)
                elif k.startswith("desc.") == True:
                    key = k[len("desc.") :]
                    self.desc[key] = param.get(k)

                elif "session" == k:
                    # supress session parameter
                    pass
                else:
                    self.data[k] = param.get(k)
                    if k in config:
                        self.types[k] = config.get(k)
                    else:
                        log.warn(
                            "[setDefinition]: the passed key %r is not a "
                            "parameter for the resolver %r" % (k, self.type)
                        )
        # now check if we have for every type def an parameter
        ok = self._sanityCheck()
        if ok != True:
            raise Exception("type definition does not match parameter! %s" % unicode(param))

        return
Example #9
0
    def update(self, param):

        self.radiusServer = getParam(param, "radius.server", required)
        # if another OTP length would be specified in /admin/init this would
        # be overwritten by the parent class, which is ok.
        self.setOtpLen(6)

        val = getParam(param, "radius.local_checkpin", optional)
        if val is not None:
            self.radiusLocal_checkpin = val

        val = getParam(param, "radius.user", required)
        if val is not None:
            self.radiusUser = val

        val = getParam(param, "radius.secret", required)
        if val is not None:
            self.radiusSecret = val

        if self.radiusSecret == VOID_RADIUS_SECRET:
            log.warning("Usage of default radius secret is not recomended!!")

        TokenClass.update(self, param)
        # We need to write the secret!
        self.setOtpKey(binascii.hexlify(self.radiusSecret))

        self.addToTokenInfo("radius.server", self.radiusServer)
        self.addToTokenInfo("radius.local_checkpin", self.radiusLocal_checkpin)
        self.addToTokenInfo("radius.user", self.radiusUser)
Example #10
0
    def update(self, param):

        ## check for the required parameters
        if (self.hKeyRequired == True):
            getParam(param, "otpkey", required)

        TokenClass.update(self, param)
Example #11
0
    def __after__(
        self,
        action,
    ):
        '''

        '''
        param = request.params

        try:
            if c.audit['action'] in ['selfservice/index']:
                if isSelfTest():
                    log.debug("[__after__] Doing selftest!")
                    suser = getParam(param, "selftest_user", True)
                    if suser is not None:
                        (c.user, _foo, c.realm) = getParam(param,
                                                           "selftest_user",
                                                           True)\
                            .rpartition('@')
                    else:
                        c.realm = ""
                        c.user = "******"
                        env = request.environ
                        uuser = env.get('REMOTE_USER')
                        if uuser is not None:
                            (c.user, _foo, c.realm) = uuser.rpartition('@')

                log.debug("[__after__] authenticating as %s in realm %s!" %
                          (c.user, c.realm))

                c.audit['user'] = c.user
                c.audit['realm'] = c.realm
                c.audit['success'] = True

                if 'serial' in param:
                    c.audit['serial'] = param['serial']
                    c.audit['token_type'] = getTokenType(param['serial'])

                audit.log(c.audit)

            return response

        except webob.exc.HTTPUnauthorized as acc:
            # the exception, when an abort() is called if forwarded
            log.exception("[__after__::%r] webob.exception %r" % (action, acc))
            Session.rollback()
            Session.close()
            raise acc

        except Exception as e:
            log.exception("[__after__] failed with error: %r" % e)
            Session.rollback()
            Session.close()
            return sendError(response, e, context='after')

        finally:
            log.debug('[__after__] done')
Example #12
0
    def __after__(self, action,):
        '''

        '''
        param = request.params

        try:
            if c.audit['action'] in ['selfservice/index']:
                if isSelfTest():
                    log.debug("[__after__] Doing selftest!")
                    suser = getParam(param, "selftest_user", True)
                    if suser is not None:
                        (c.user, _foo, c.realm) = getParam(param,
                                                           "selftest_user",
                                                           True)\
                                                           .rpartition('@')
                    else:
                        c.realm = ""
                        c.user = "******"
                        env = request.environ
                        uuser = env.get('REMOTE_USER')
                        if uuser is not None:
                            (c.user, _foo, c.realm) = uuser.rpartition('@')

                log.debug("[__after__] authenticating as %s in realm %s!"
                          % (c.user, c.realm))

                c.audit['user'] = c.user
                c.audit['realm'] = c.realm
                c.audit['success'] = True

                if 'serial' in param:
                    c.audit['serial'] = param['serial']
                    c.audit['token_type'] = getTokenType(param['serial'])

                audit.log(c.audit)

            return response

        except webob.exc.HTTPUnauthorized as acc:
            # the exception, when an abort() is called if forwarded
            log.error("[__after__::%r] webob.exception %r" % (action, acc))
            log.error("[__after__] %s" % traceback.format_exc())
            Session.rollback()
            Session.close()
            raise acc

        except Exception as e:
            log.error("[__after__] failed with error: %r" % e)
            log.error("[__after__] %s" % traceback.format_exc())
            Session.rollback()
            Session.close()
            return sendError(response, e, context='after')

        finally:
            log.debug('[__after__] done')
Example #13
0
    def setDefinition(self, param):
        '''
            handle name
        '''
        self.name = getParam(param, 'name', required)
        # We should have no \.
        # This only leads to problems.
        nameExp = "^[A-Za-z0-9_\-]+$"
        if re.match(nameExp, self.name) is None:
            e = Exception("non conformant characters in resolver name: " + self.name + " (not in " + nameExp + ")")
            raise e

        # handle types
        self.type = getParam(param, 'type', required)
        resolvertypes = get_resolver_types()
        if self.type not in resolvertypes:
            e = Exception("resolver type : %s not in %s" %
                          (self.type, unicode(resolvertypes)))
            raise e

        if similar_resolver_exists(self.name):
            raise Exception('resolver with similar name already exists (%s)' %
                            self.name)

        resolver_config = get_resolver_classConfig(self.type)
        if self.type in resolver_config:
            config = resolver_config.get(self.type).get('config', {})
        else:
            config = resolver_config

        for k in param:
            if k != 'name' and k != 'type':
                if k.startswith('type.') == True:
                    key = k[len('type.'):]
                    self.types[key] = param.get(k)
                elif k.startswith('desc.') == True:
                    key = k[len('desc.'):]
                    self.desc[key] = param.get(k)

                elif 'session' == k:
                    # supress session parameter
                    pass
                else:
                    self.data[k] = param.get(k)
                    if k in config:
                        self.types[k] = config.get(k)
                    else:
                        log.warn("[setDefinition]: the passed key %r is not a "
                                 "parameter for the resolver %r" % (k, self.type))
        # now check if we have for every type def an parameter
        ok = self._sanityCheck()
        if ok != True:
            raise Exception("type definition does not match parameter! %s"
                            % unicode(param))

        return
Example #14
0
    def update(self, param, reset_failcount=False):
        self.setSyncWindow(0)
        self.setOtpLen(32)
        self.setCounterWindow(0)

        tdesc = getParam(param, "description", optional)
        if tdesc is not None:
            self.token.setDescription(tdesc)

        # requested_phase must be either "registration1" or "registration2"
        # current_phase is either "registration" or "authentication"
        requested_phase = getParam(param, "phase", optional)
        current_phase = self.getFromTokenInfo("phase", None)

        if requested_phase == "registration1" and current_phase is None:
            # This initial registration phase triggers a challenge
            # which is sent to the FIDO U2F compatible client device

            # Set the optional token pin in this first phase
            pin = getParam(param, "pin", optional)
            if pin is not None:
                TokenClass.setPin(self, pin)

            # preserve the registration state
            self.addToTokenInfo("phase", "registration")
            self.token.LinOtpIsactive = False
        elif requested_phase == "registration2" and current_phase == "registration":
            # Check the token pin
            pin = getParam(param, "pin", optional)
            if pin is None:
                pin = ""
            if check_pin(self, pin) is False:
                log.error("Wrong token pin!")
                raise ValueError("Wrong token pin!")
        # check for set phases which are not "registration1" or "registration2"
        elif requested_phase != "registration2" and requested_phase is not None:
            log.error("Wrong phase parameter!")
            raise Exception("Wrong phase parameter!")
        # only allow empty phase parameters once the token is registered successfully
        elif current_phase != "authentication" and requested_phase is None:
            log.error("Wrong phase parameter!")
            raise Exception("Wrong phase parameter!")
        # only allow "registration2" if the token already completed "registration1"
        elif current_phase != "registration" and requested_phase == "registration2":
            log.error(
                "Phase 'registration2' requested but we are not in the correct phase \
                to process the request."
            )
            raise Exception(
                "Phase 'registration2' requested but we are not in the correct phase \
                to process the request."
            )
        else:
            log.error('Unknown "phase" and "current_phase" parameter combination!')
            raise Exception('Unknown "phase" and "current_phase" parameter combination!')
Example #15
0
    def setDefinition(self, param):
        '''
            handle name
        '''
        self.name = getParam(param, 'name', required)
        # We should have no \.
        # This only leads to problems.
        nameExp = "^[A-Za-z0-9_\-]+$"
        if re.match(nameExp, self.name) is None:
            exx = Exception(
                "non conformant characters in resolver name: %s "
                " (not in %s)", self.name, nameExp)
            raise exx

        # handle types
        self.type = getParam(param, 'type', required)
        resolvertypes = get_resolver_types()
        if self.type not in resolvertypes:
            exx = Exception("resolver type : %s not in %s" %
                            (self.type, unicode(resolvertypes)))
            raise exx

        resolver_config = get_resolver_class_config(self.type)
        if self.type in resolver_config:
            config = resolver_config.get(self.type).get('config', {})
        else:
            config = resolver_config

        for k in param:
            if k != 'name' and k != 'type':
                if k.startswith('type.') is True:
                    key = k[len('type.'):]
                    self.types[key] = param.get(k)
                elif k.startswith('desc.') is True:
                    key = k[len('desc.'):]
                    self.desc[key] = param.get(k)

                elif 'session' == k:
                    # supress session parameter
                    pass
                else:
                    self.data[k] = param.get(k)
                    if k in config:
                        self.types[k] = config.get(k)
                    else:
                        log.warn("[setDefinition]: the passed key %r is not a "
                                 "parameter for the resolver %r" %
                                 (k, self.type))
        # now check if we have for every type def an parameter
        ok = self._sanityCheck()
        if ok is not True:
            raise Exception("type definition does not match parameter! %s" %
                            unicode(param))

        return
Example #16
0
    def update(self, param, reset_failcount=False):
        self.setSyncWindow(0)
        self.setOtpLen(32)
        self.setCounterWindow(0)

        tdesc = getParam(param, "description", optional)
        if tdesc is not None:
            self.token.setDescription(tdesc)

        # requested_phase must be either "registration1" or "registration2"
        # current_phase is either "registration" or "authentication"
        requested_phase = getParam(param, "phase", optional)
        current_phase = self.getFromTokenInfo('phase', None)

        if requested_phase == "registration1" and current_phase is None:
            # This initial registration phase triggers a challenge
            # which is sent to the FIDO U2F compatible client device

            # Set the optional token pin in this first phase
            pin = getParam(param, "pin", optional)
            if pin is not None:
                TokenClass.setPin(self, pin)

            # preserve the registration state
            self.addToTokenInfo('phase', 'registration')
            self.token.LinOtpIsactive = False
        elif requested_phase == "registration2" and current_phase == "registration":
            # Check the token pin
            pin = getParam(param, "pin", optional)
            if pin is None:
                pin = ''
            if check_pin(self, pin) is False:
                log.error("Wrong token pin!")
                raise ValueError("Wrong token pin!")
        # check for set phases which are not "registration1" or "registration2"
        elif requested_phase != "registration2" and requested_phase is not None:
            log.error('Wrong phase parameter!')
            raise Exception('Wrong phase parameter!')
        # only allow empty phase parameters once the token is registered successfully
        elif current_phase != "authentication" and requested_phase is None:
            log.error('Wrong phase parameter!')
            raise Exception('Wrong phase parameter!')
        # only allow "registration2" if the token already completed "registration1"
        elif current_phase != "registration" and requested_phase == "registration2":
            log.error(
                "Phase 'registration2' requested but we are not in the correct phase \
                to process the request.")
            raise Exception(
                "Phase 'registration2' requested but we are not in the correct phase \
                to process the request.")
        else:
            log.error(
                'Unknown "phase" and "current_phase" parameter combination!')
            raise Exception(
                'Unknown "phase" and "current_phase" parameter combination!')
Example #17
0
    def update(self, param):
        # cko: changed for backward compat
        getParam(param, "pin", optional)
        if not param.has_key('otpkey'):
            param['genkey'] = 1

        # mark this spass token as usable exactly once
        if param.has_key('onetime'):
            TokenClass.set_count_auth_success_max(self, 1)

        TokenClass.update(self, param)
Example #18
0
    def update(self, param):
        # cko: changed for backward compat
        getParam(param, "pin", optional)
        if not param.has_key("otpkey"):
            param["genkey"] = 1

        ## mark this spass token as usable exactly once
        if param.has_key("onetime"):
            TokenClass.set_count_auth_success_max(self, 1)

        TokenClass.update(self, param)
Example #19
0
    def update(self, param):

        ## check for the required parameters
        if (self.hKeyRequired == True):
            getParam(param, "otpkey", required)

        TokenClass.update(self, param, reset_failcount=False)

        for key in ["vasco_appl", "vasco_type", "vasco_auth"]:
            val = getParam(param, key, optional)
            if val is not None:
                self.addToTokenInfo(key, val)
Example #20
0
    def update(self, param):

        ## check for the required parameters
        if (self.hKeyRequired == True):
            getParam(param, "otpkey", required)

        TokenClass.update(self, param, reset_failcount=False)

        for key in ["vasco_appl", "vasco_type", "vasco_auth"]:
            val = getParam(param, key, optional)
            if val is not None:
                self.addToTokenInfo(key, val)
Example #21
0
    def check_yubikey(self):
        '''
        This function is used to validate the output of a yubikey

        method:
            validate/check_yubikey

        :param pass: The password that consist of the static yubikey prefix and the otp
        :type pass: string

        :return: JSON Object

        returns:
            JSON response::

                {
                    "version": "LinOTP 2.4",
                    "jsonrpc": "2.0",
                    "result": {
                        "status": true,
                        "value": false
                    },
                    "detail" : {
                        "username": username,
                        "realm": realm
                    },
                    "id": 0
                }
        '''

        param = request.params
        passw = getParam(param, "pass", required)
        try:

            ok = False
            try:
                ok, opt = checkYubikeyPass(passw)
                c.audit['success'] = ok

            except AuthorizeException as exx:
                log.warning("[check_yubikey] authorization failed for validate/check_yubikey: %r"
                            % exx)
                c.audit['success'] = False
                c.audit['info'] = unicode(exx)
                ok = False

            Session.commit()
            return sendResult(response, ok, 0, opt=opt)

        except Exception as exx:
            log.error("[check_yubikey] validate/check_yubikey failed: %r" % exx)
            log.error("[check_yubikey] %s" % traceback.format_exc())
            c.audit['info'] = unicode(exx)
            Session.rollback()
            return sendError(response, u"validate/check_yubikey failed: %s"
                             % unicode(exx), 0)

        finally:
            Session.close()
            log.debug('[check_yubikey] done')
Example #22
0
def getUserFromRequest(request, config=None):
    '''
    This function first tries to get the user from
     * a DigestAuth and otherwise from
     * basic auth and otherwise from
     * the client certificate
    '''
    d_auth = {'login': ''}

    param = request.params

    try:
        # Do BasicAuth
        if 'REMOTE_USER' in request.environ:
            d_auth['login'] = request.environ['REMOTE_USER']
            log.debug(
                "[getUserFromRequest] BasicAuth: found the "
                "REMOTE_USER: %r", d_auth)

        # Do DigestAuth
        elif 'HTTP_AUTHORIZATION' in request.environ:
            a_auth = request.environ['HTTP_AUTHORIZATION'].split(",")

            for field in a_auth:
                (key, _delimiter, value) = field.partition("=")
                d_auth[key.lstrip(' ')] = value.strip('"')

            d_auth['login'] = d_auth.get('Digest username', '') or ''

            log.debug(
                "[getUserFromRequest] DigestAuth: found "
                "this HTTP_AUTHORIZATION: %r", d_auth)

        # Do SSL Client Cert
        elif 'SSL_CLIENT_S_DN_CN' in request.environ:
            d_auth['login'] = request.environ.get('SSL_CLIENT_S_DN_CN', '')
            log.debug(
                "[getUserFromRequest] SSLClientCert Auth: found "
                "this SSL_CLIENT_S_DN_CN: %r", d_auth)

        # In case of selftest
        self_test = isSelfTest(config=config)
        log.debug("[getUserFromRequest] Doing selftest!: %r", self_test)

        if self_test:
            log.debug("[getUserFromRequest] Doing selftest!")
            param = request.params
            login = getParam(param, "selftest_admin", True)
            if login:
                d_auth['login'] = login
                log.debug(
                    "[getUserFromRequest] Found selfservice user: %r in "
                    "the request.", d_auth)

    except Exception as exx:
        log.exception(
            "[getUserFromRequest] An error occurred when trying"
            " to fetch the user from the request: %r", exx)

    return d_auth
Example #23
0
    def check_yubikey(self):
        '''
        This function is used to validate the output of a yubikey

        method:
            validate/check_yubikey

        :param pass: The password that consist of the static yubikey prefix and the otp
        :type pass: string

        :return: JSON Object

        returns:
            JSON response::

                {
                    "version": "LinOTP 2.4",
                    "jsonrpc": "2.0",
                    "result": {
                        "status": true,
                        "value": false
                    },
                    "detail" : {
                        "username": username,
                        "realm": realm
                    },
                    "id": 0
                }
        '''

        param = request.params
        passw = getParam(param, "pass", required)
        try:

            ok = False
            try:
                vh = ValidationHandler()
                ok, opt = vh.checkYubikeyPass(passw)
                c.audit['success'] = ok

            except AuthorizeException as exx:
                log.warning(
                    "[check_yubikey] authorization failed for validate/check_yubikey: %r"
                    % exx)
                c.audit['success'] = False
                c.audit['info'] = unicode(exx)
                ok = False

            Session.commit()
            return sendResult(response, ok, 0, opt=opt)

        except Exception as exx:
            log.exception("[check_yubikey] validate/check_yubikey failed: %r" %
                          exx)
            c.audit['info'] = unicode(exx)
            Session.rollback()
            return sendResult(response, False, 0)

        finally:
            Session.close()
Example #24
0
    def update(self, param, reset_failcount=True):
        '''
        update - process initialization parameters

        :param param: dict of initialization parameters
        :type param: dict

        :return: nothing

        '''
        log.debug("[update] begin. adjust the token class with: param %r" %
                  (param))

        # specific - phone
        phone = getParam(param, "phone", required)
        self.setPhone(phone)

        # # in case of the sms token, only the server must know the otpkey
        # # thus if none is provided, we let create one (in the TokenClass)
        if not param.has_key('genkey') and not param.has_key('otpkey'):
            param['genkey'] = 1

        HmacTokenClass.update(self, param, reset_failcount)

        log.debug("[update] end. all token parameters are set.")
        return
Example #25
0
    def tokeninfo(self):
        '''
        this returns the contents of /admin/show?serial=xyz in a html format
        '''
        param = request.params

        try:
            serial = getParam(param, 'serial', required)

            filterRealm = ""
            # check admin authorization
            res = checkPolicyPre('admin', 'show', param)

            filterRealm = res['realms']
            # check if policies are active at all
            # If they are not active, we are allowed to SHOW any tokens.
            pol = getAdminPolicies("show")
            if not pol['active']:
                filterRealm = ["*"]

            log.info("[tokeninfo] admin >%s< may display the following realms: %s" % (res['admin'], filterRealm))
            log.info("[tokeninfo] displaying tokens: serial: %s", serial)

            toks = TokenIterator(User("", "", ""), serial, filterRealm=filterRealm)

            ### now row by row
            lines = []
            for tok in toks:
                lines.append(tok)
            if len(lines) > 0:

                c.tokeninfo = lines[0]
            else:
                c.tokeninfo = {}

            for k in c.tokeninfo:
                if "LinOtp.TokenInfo" == k:
                    try:
                        # Try to convert string to Dictionary
                        c.tokeninfo['LinOtp.TokenInfo'] = json.loads(c.tokeninfo['LinOtp.TokenInfo'])
                    except:
                        pass

            return render('/manage/tokeninfo.mako')

        except PolicyException as pe:
            log.error("[tokeninfo] Error during checking policies: %r" % pe)
            log.error("[tokeninfo] %s" % traceback.format_exc())
            Session.rollback()
            return sendError(response, unicode(pe), 1)

        except Exception as e:
            log.error("[tokeninfo] failed! %r" % e)
            log.error("[tokeninfo] %s" % traceback.format_exc())
            Session.rollback()
            return sendError(response, e)

        finally:
            Session.close()
            log.debug('[tokeninfo] done')
Example #26
0
    def update(self, param, reset_failcount=True):
        """
        update - process initialization parameters

        :param param: dict of initialization parameters
        :type param: dict

        :return: nothing

        """
        LOG.debug("[update] begin. adjust the token class with: param %r" %
                  param)

        # specific - e-mail
        self._email_address = getParam(param,
                                       self.EMAIL_ADDRESS_KEY,
                                       optional=False)

        ## in case of the e-mail token, only the server must know the otpkey
        ## thus if none is provided, we let create one (in the TokenClass)
        if not 'genkey' in param and not 'otpkey' in param:
            param['genkey'] = 1

        HmacTokenClass.update(self, param, reset_failcount)

        LOG.debug("[update] end. all token parameters are set.")
        return
Example #27
0
    def update(self, param, reset_failcount=True):
        '''
        update - process initialization parameters

        :param param: dict of initialization parameters
        :type param: dict

        :return: nothing

        '''
        log.debug("[update] begin. adjust the token class with: param %r"
                  % (param))

        # specific - phone
        phone = getParam(param, "phone", required)
        self.setPhone(phone)

        ## in case of the sms token, only the server must know the otpkey
        ## thus if none is provided, we let create one (in the TokenClass)
        if not param.has_key('genkey') and not param.has_key('otpkey'):
            param['genkey'] = 1

        HmacTokenClass.update(self, param, reset_failcount)

        log.debug("[update] end. all token parameters are set.")
        return
Example #28
0
    def tokeninfo(self):
        """
        this returns the contents of /admin/show?serial=xyz in a html format
        """
        param = request.params

        try:
            serial = getParam(param, "serial", required)

            filterRealm = ""
            # check admin authorization
            res = checkPolicyPre("admin", "show", param)

            filterRealm = res["realms"]
            # check if policies are active at all
            # If they are not active, we are allowed to SHOW any tokens.
            pol = getAdminPolicies("show")
            if not pol["active"]:
                filterRealm = ["*"]

            log.info("[tokeninfo] admin >%s< may display the following realms: %s" % (res["admin"], filterRealm))
            log.info("[tokeninfo] displaying tokens: serial: %s", serial)

            toks = TokenIterator(User("", "", ""), serial, filterRealm=filterRealm)

            ### now row by row
            lines = []
            for tok in toks:
                lines.append(tok)
            if len(lines) > 0:

                c.tokeninfo = lines[0]
            else:
                c.tokeninfo = {}

            for k in c.tokeninfo:
                if "LinOtp.TokenInfo" == k:
                    try:
                        # Try to convert string to Dictionary
                        c.tokeninfo["LinOtp.TokenInfo"] = json.loads(c.tokeninfo["LinOtp.TokenInfo"])
                    except:
                        pass

            return render("/manage/tokeninfo.mako")

        except PolicyException as pe:
            log.error("[tokeninfo] Error during checking policies: %r" % pe)
            log.error("[tokeninfo] %s" % traceback.format_exc())
            Session.rollback()
            return sendError(response, unicode(pe), 1)

        except Exception as e:
            log.error("[tokeninfo] failed! %r" % e)
            log.error("[tokeninfo] %s" % traceback.format_exc())
            Session.rollback()
            return sendError(response, e)

        finally:
            Session.close()
            log.debug("[tokeninfo] done")
Example #29
0
    def tokeninfo(self):
        '''
        this returns the contents of /admin/show?serial=xyz in an html format
        '''
        param = request.params

        try:
            serial = getParam(param, 'serial', required)

            filterRealm = ""
            # check admin authorization
            res = checkPolicyPre('admin', 'show', param)

            # check if policies are active at all
            # If they are not active, we are allowed to SHOW any tokens.
            filterRealm = ["*"]
            if res['active'] and res['realms']:
                filterRealm = res['realms']

            log.info("[tokeninfo] admin >%s< may display the following realms:"
                     " %s" % (res['admin'], filterRealm))
            log.info("[tokeninfo] displaying tokens: serial: %s", serial)

            toks = TokenIterator(User("", "", ""), serial,
                                 filterRealm=filterRealm)

            # now row by row
            lines = []
            for tok in toks:
                lines.append(tok)
            if len(lines) > 0:
                c.tokeninfo = lines[0]
            else:
                c.tokeninfo = {}

            for k in c.tokeninfo:
                if "LinOtp.TokenInfo" == k:
                    try:
                        # Try to convert string to Dictionary
                        c.tokeninfo['LinOtp.TokenInfo'] = json.loads(
                                            c.tokeninfo['LinOtp.TokenInfo'])
                    except:
                        pass

            return render('/manage/tokeninfo.mako')

        except PolicyException as pe:
            log.exception("[tokeninfo] Error during checking policies: %r" % pe)
            Session.rollback()
            return sendError(response, unicode(pe), 1)

        except Exception as e:
            log.exception("[tokeninfo] failed! %r" % e)
            Session.rollback()
            return sendError(response, e)

        finally:
            Session.close()
            log.debug('[tokeninfo] done')
Example #30
0
def getUserFromRequest(request):
    '''
    This function first tries to get the user from
     * a DigestAuth and otherwise from
     * basic auth and otherwise from
     * the client certificate
    '''
    d_auth = {'login': ''}

    param = request.params

    try:
        # Do BasicAuth
        if request.environ.has_key('REMOTE_USER'):
            d_auth['login'] = request.environ['REMOTE_USER']
            log.debug("[getUserFromRequest] BasicAuth: found the "
                      "REMOTE_USER: %r" % d_auth)

        # Do DigestAuth
        elif request.environ.has_key('HTTP_AUTHORIZATION'):
            a_auth = request.environ['HTTP_AUTHORIZATION'].split(",")

            for field in a_auth:
                (key, _delimiter, value) = field.partition("=")
                d_auth[key.lstrip(' ')] = value.strip('"')

            if d_auth.has_key('Digest username'):
                d_auth['login'] = d_auth['Digest username']

            log.debug("[getUserFromRequest] DigestAuth: found "
                      "this HTTP_AUTHORIZATION: %r" % d_auth)

        # Do SSL Client Cert
        elif request.environ.has_key('SSL_CLIENT_S_DN_CN'):
            d_auth['login'] = request.environ.get('SSL_CLIENT_S_DN_CN')
            log.debug("[getUserFromRequest] SSLClientCert Auth: found "
                      "this SSL_CLIENT_S_DN_CN: %r" % d_auth)

        # In case of selftest
        log.debug("[getUserFromRequest] Doing selftest!: %r" % isSelfTest())

        if isSelfTest():
            log.debug("[getUserFromRequest] Doing selftest!")
            param = request.params
            d_auth['login'] = getParam(param, "selftest_admin", True)
            log.debug(
                "[getUserFromRequest] Found the user: %r in the request." %
                d_auth)

    except Exception as e:
        log.error(
            "[getUserFromRequest] An error occurred when trying to fetch "
            "the user from the request: %r" % e)
        pass

    return d_auth
Example #31
0
def getUserFromParam(param,
                     optionalOrRequired,
                     optional=False,
                     required=False):
    realm = ""
    conf = ""

    if optional:
        optionalOrRequired = True
    if required:
        optionalOrRequired = False

    log.debug("[getUserFromParam] entering function")
    user = getParam(param, "user", optionalOrRequired)
    log.debug("[getUserFromParam] got user <<%r>>" % user)

    if user is None:
        user = ""
    else:
        splitAtSign = getFromConfig("splitAtSign", "true")

        if splitAtSign.lower() == "true":
            (user, realm) = splitUser(user)

    if "realm" in param:
        realm = param["realm"]

    if user != "":
        if realm is None or realm == "":
            realm = getDefaultRealm()

    usr = User(user, realm, "")

    if "resConf" in param:
        conf = param["resConf"]
        # with the short resolvernames, we have to extract the
        # configuration name from the resolver spec
        if "(" in conf and ")" in conf:
            res_conf, resolver_typ = conf.split(" ")
            conf = res_conf
        usr.conf = conf
    else:
        if len(usr.login) > 0 or len(usr.realm) > 0 or len(usr.conf) > 0:
            res = getResolversOfUser(usr)
            usr.saveResolvers(res)
            if len(res) > 1:
                log.error("[getUserFromParam] user %r@%r in more than one "
                          "resolver: %r" % (user, realm, res))
                raise Exception("The user %s@%s is in more than one resolver:"
                                " %s" % (user, realm, unicode(res)))

    log.debug("[getUserFromParam] creating user object %r,%r,%r" %
              (user, realm, conf))
    log.debug("[getUserFromParam] created user object %r " % usr)

    return usr
Example #32
0
    def check_t(self):

        param = {}
        value = {}
        ok = False
        opt = None

        try:
            param.update(request.params)
            passw = getParam(param, "pass", required)

            transid = param.get('state', None)
            if transid is not  None:
                param['transactionid'] = transid
                del param['state']

            if transid is None:
                transid = param.get('transactionid', None)

            if transid is None:
                raise Exception("missing parameter: state or transactionid!")

            vh = ValidationHandler()
            (ok, reply) = vh.check_by_transactionid(transid=transid,
                                                    passw=passw,
                                                    options=param)

            value['value'] = ok
            value['failcount'] = int(reply.get('failcount', 0))

            c.audit['success'] = ok
            Session.commit()

            qr = param.get('qr', None)
            if qr and opt and 'message' in opt:
                try:
                    dataobj = opt.get('message')
                    param['alt'] = "%s" % opt
                    if 'transactionid' in opt:
                        param['transactionid'] = opt['transactionid']
                    return sendQRImageResult(response, dataobj, param)
                except Exception as exc:
                    log.warning("failed to send QRImage: %r " % exc)
                    return sendQRImageResult(response, opt, param)
            else:
                return sendResult(response, value, 1, opt=opt)

        except Exception as exx:
            log.exception("[check_t] validate/check_t failed: %r" % exx)
            c.audit['info'] = unicode(exx)
            Session.rollback()
            return sendResult(response, False, 0)

        finally:
            Session.close()
            log.debug('[check_t] done')
Example #33
0
    def check_t(self):

        param = {}
        value = {}
        ok = False
        opt = {}

        try:
            param.update(request.params)
            passw = getParam(param, "pass", required)

            transid = param.get('state', None)
            if transid is not None:
                param['transactionid'] = transid
                del param['state']

            if transid is None:
                transid = param.get('transactionid', None)

            if transid is None:
                raise Exception("missing parameter: state or transactionid!")

            vh = ValidationHandler()
            (ok, opt) = vh.check_by_transactionid(transid=transid,
                                                  passw=passw,
                                                  options=param)

            value['value'] = ok
            value['failcount'] = int(opt.get('failcount', 0))

            c.audit['success'] = ok
            Session.commit()

            qr = param.get('qr', None)
            if qr and opt and 'message' in opt:
                try:
                    dataobj = opt.get('message')
                    param['alt'] = "%s" % opt
                    if 'transactionid' in opt:
                        param['transactionid'] = opt['transactionid']
                    return sendQRImageResult(response, dataobj, param)
                except Exception as exc:
                    log.warning("failed to send QRImage: %r " % exc)
                    return sendQRImageResult(response, opt, param)
            else:
                return sendResult(response, value, 1, opt=opt)

        except Exception as exx:
            log.exception("[check_t] validate/check_t failed: %r" % exx)
            c.audit['info'] = unicode(exx)
            Session.rollback()
            return sendResult(response, False, 0)

        finally:
            Session.close()
            log.debug('[check_t] done')
Example #34
0
def getUserFromRequest(request, config=None):
    '''
    This function first tries to get the user from
     * a DigestAuth and otherwise from
     * basic auth and otherwise from
     * the client certificate
    '''
    d_auth = {'login': ''}

    param = request.params

    try:
        # Do BasicAuth
        if 'REMOTE_USER' in request.environ:
            d_auth['login'] = request.environ['REMOTE_USER']
            log.debug("[getUserFromRequest] BasicAuth: found the "
                      "REMOTE_USER: %r", d_auth)

        # Do DigestAuth
        elif 'HTTP_AUTHORIZATION' in request.environ:
            a_auth = request.environ['HTTP_AUTHORIZATION'].split(",")

            for field in a_auth:
                (key, _delimiter, value) = field.partition("=")
                d_auth[key.lstrip(' ')] = value.strip('"')

            d_auth['login'] = d_auth.get('Digest username', '') or ''

            log.debug("[getUserFromRequest] DigestAuth: found "
                      "this HTTP_AUTHORIZATION: %r", d_auth)

        # Do SSL Client Cert
        elif 'SSL_CLIENT_S_DN_CN' in request.environ:
            d_auth['login'] = request.environ.get('SSL_CLIENT_S_DN_CN', '')
            log.debug("[getUserFromRequest] SSLClientCert Auth: found "
                      "this SSL_CLIENT_S_DN_CN: %r", d_auth)

        # In case of selftest
        self_test = isSelfTest(config=config)
        log.debug("[getUserFromRequest] Doing selftest!: %r", self_test)

        if self_test:
            log.debug("[getUserFromRequest] Doing selftest!")
            param = request.params
            login = getParam(param, "selftest_admin", True)
            if login:
                d_auth['login'] = login
                log.debug("[getUserFromRequest] Found selfservice user: %r in "
                          "the request.", d_auth)

    except Exception as exx:
        log.exception("[getUserFromRequest] An error occurred when trying"
                      " to fetch the user from the request: %r", exx)

    return d_auth
Example #35
0
def getUserFromRequest(request):
    '''
    This function first tries to get the user from
     * a DigestAuth and otherwise from
     * basic auth and otherwise from
     * the client certificate
    '''
    d_auth = { 'login' : '' }

    param = request.params

    try:
        # Do BasicAuth
        if request.environ.has_key('REMOTE_USER'):
            d_auth['login'] = request.environ['REMOTE_USER']
            log.debug("[getUserFromRequest] BasicAuth: found the "
                      "REMOTE_USER: %r" % d_auth)

        # Do DigestAuth
        elif request.environ.has_key('HTTP_AUTHORIZATION'):
            a_auth = request.environ['HTTP_AUTHORIZATION'].split(",")

            for field in a_auth:
                (key, _delimiter, value) = field.partition("=")
                d_auth[key.lstrip(' ')] = value.strip('"')

            if d_auth.has_key('Digest username'):
                d_auth['login'] = d_auth['Digest username']

            log.debug("[getUserFromRequest] DigestAuth: found "
                      "this HTTP_AUTHORIZATION: %r" % d_auth)

        # Do SSL Client Cert
        elif request.environ.has_key('SSL_CLIENT_S_DN_CN'):
            d_auth['login'] = request.environ.get('SSL_CLIENT_S_DN_CN')
            log.debug("[getUserFromRequest] SSLClientCert Auth: found "
                      "this SSL_CLIENT_S_DN_CN: %r" % d_auth)

        # In case of selftest
        log.debug("[getUserFromRequest] Doing selftest!: %r" % isSelfTest())

        if isSelfTest():
            log.debug("[getUserFromRequest] Doing selftest!")
            param = request.params
            d_auth['login'] = getParam(param, "selftest_admin", True)
            log.debug("[getUserFromRequest] Found the user: %r in the request."
                       % d_auth)

    except Exception as e:
        log.exception("[getUserFromRequest] An error occurred when trying to fetch "
                  "the user from the request: %r" % e)
        pass

    return d_auth
Example #36
0
def getUserFromParam(param,
                     optionalOrRequired,
                     optional=False,
                     required=False):
    realm = ""

    # TODO: merge result - could this be removed
    if optional:
        optionalOrRequired = True
    if required:
        optionalOrRequired = False

    log.debug("[getUserFromParam] entering function")
    user = getParam(param, "user", optionalOrRequired)
    log.debug("[getUserFromParam] got user <<%r>>", user)

    if user is None:
        user = ""
    else:
        splitAtSign = getFromConfig("splitAtSign", "true")

        if splitAtSign.lower() == "true":
            (user, realm) = splitUser(user)

    if "realm" in param:
        realm = param["realm"]

    if user != "":
        if not realm:
            realm = getDefaultRealm()

    usr = User(user, realm, "")

    resolver_config_id = ''
    if "resConf" in param:
        resolver_config_identifier = param["resConf"]
        # with the short resolvernames, we have to extract the
        # configuration name from the resolver spec
        if "(" in resolver_config_identifier and \
           ")" in resolver_config_identifier:
            resolver_config_id, __ = resolver_config_identifier.split(" ")
        usr.resolver_config_identifier = resolver_config_id
    else:
        if len(usr.login) > 0 or \
           len(usr.realm) > 0 or \
           len(usr.resolver_config_identifier) > 0:
            res = getResolversOfUser(usr)
            usr.saveResolvers(res)

    log.debug("[getUserFromParam] creating user object %r,%r,%r", user, realm,
              resolver_config_id)
    log.debug("[getUserFromParam] created user object %r ", usr)

    return usr
Example #37
0
    def update(self, param, reset_failcount=True):
        '''
        update - process initialization parameters

        :param param: dict of initialization parameters
        :type param: dict

        :return: nothing

        '''

        getParam(param, "otpkey", required)

        ## motp token specific
        otpPin = getParam(param, "otppin", required)
        self.setUserPin(otpPin)

        TokenClass.update(self, param, reset_failcount)

        return
Example #38
0
def getUserFromParam(param, optionalOrRequired, optional=False, required=False):
    realm = ""
    conf = ""

    if optional:
        optionalOrRequired = True
    if required:
        optionalOrRequired = False

    log.debug("[getUserFromParam] entering function")
    user = getParam(param, "user", optionalOrRequired)
    log.debug("[getUserFromParam] got user <<%r>>" % user)

    if user is None:
        user = ""
    else:
        splitAtSign = getFromConfig("splitAtSign", "true")

        if splitAtSign.lower() == "true":
            (user, realm) = splitUser(user)

    if "realm" in param:
        realm = param["realm"]

    if user != "":
        if realm is None or realm == "" :
            realm = getDefaultRealm()

    usr = User(user, realm, "")

    if "resConf" in param:
        conf = param["resConf"]
        # with the short resolvernames, we have to extract the
        # configuration name from the resolver spec
        if "(" in conf and ")" in conf:
            res_conf, resolver_typ = conf.split(" ")
            conf = res_conf
        usr.conf = conf
    else:
        if len(usr.login) > 0 or len(usr.realm) > 0 or len(usr.conf) > 0:
            res = getResolversOfUser(usr)
            usr.saveResolvers(res)
            if len(res) > 1:
                log.error("[getUserFromParam] user %r@%r in more than one "
                          "resolver: %r" % (user, realm, res))
                raise Exception("The user %s@%s is in more than one resolver:"
                                " %s" % (user, realm, unicode(res)))

    log.debug("[getUserFromParam] creating user object %r,%r,%r"
              % (user, realm, conf))
    log.debug("[getUserFromParam] created user object %r " % usr)

    return usr
Example #39
0
def getUserFromParam(param, optionalOrRequired, optional=False,
                     required=False):
    realm = ""

    # TODO: merge result - could this be removed
    if optional:
        optionalOrRequired = True
    if required:
        optionalOrRequired = False

    log.debug("[getUserFromParam] entering function")
    user = getParam(param, "user", optionalOrRequired)
    log.debug("[getUserFromParam] got user <<%r>>", user)

    if user is None:
        user = ""
    else:
        splitAtSign = getFromConfig("splitAtSign", "true")

        if splitAtSign.lower() == "true":
            (user, realm) = splitUser(user)

    if "realm" in param:
        realm = param["realm"]

    if user != "":
        if not realm:
            realm = getDefaultRealm()

    usr = User(user, realm, "")

    resolver_config_id = ''
    if "resConf" in param:
        resolver_config_identifier = param["resConf"]
        # with the short resolvernames, we have to extract the
        # configuration name from the resolver spec
        if "(" in resolver_config_identifier and \
           ")" in resolver_config_identifier:
            resolver_config_id, __ = resolver_config_identifier.split(" ")
        usr.resolver_config_identifier = resolver_config_id
    else:
        if len(usr.login) > 0 or \
           len(usr.realm) > 0 or \
           len(usr.resolver_config_identifier) > 0:
            res = getResolversOfUser(usr)
            usr.saveResolvers(res)

    log.debug("[getUserFromParam] creating user object %r,%r,%r",
              user, realm, resolver_config_id)
    log.debug("[getUserFromParam] created user object %r ", usr)

    return usr
Example #40
0
    def update(self, param, reset_failcount=True):
        '''
        update - process initialization parameters

        :param param: dict of initialization parameters
        :type param: dict

        :return: nothing

        '''
        log.debug("[update] begin. adjust the token class with: param %r" % (param))

        getParam(param, "otpkey", required)

        ## motp token specific
        otpPin = getParam(param, "otppin", required)
        self.token.setUserPin(otpPin)

        TokenClass.update(self, param, reset_failcount)

        log.debug("[update] all token parameters are set.")
        return
Example #41
0
    def update(self, param):

        tokenid = getParam(param, "yubico.tokenid", required)
        if len(tokenid) < YUBICO_LEN_ID:
            log.error("[update] The token ID needs to be %i characters long!" % YUBICO_LEN_ID)
            raise Exception("The YubiKey token ID needs to be %i characters long!" % YUBICO_LEN_ID)

        if len(tokenid) > YUBICO_LEN_ID:
            tokenid = tokenid[:YUBICO_LEN_ID]

        self.tokenid = tokenid
        self.setOtpLen(44)

        TokenClass.update(self, param)

        self.addToTokenInfo("yubico.tokenid", self.tokenid)

        return
Example #42
0
    def update(self, param):

        tokenid = getParam(param, "yubico.tokenid", required)
        if len(tokenid) < YUBICO_LEN_ID:
            log.error("[update] The tokenid needs to be %i characters long!" % YUBICO_LEN_ID)
            raise Exception("The Yubikey token ID needs to be %i characters long!" % YUBICO_LEN_ID)

        if len(tokenid) > YUBICO_LEN_ID:
            tokenid = tokenid[:YUBICO_LEN_ID]

        self.tokenid = tokenid
        self.setOtpLen(44)

        TokenClass.update(self, param)

        self.addToTokenInfo("yubico.tokenid", self.tokenid)

        return
Example #43
0
    def update(self, param, reset_failcount=True):
        '''
        update - process initialization parameters

        :param param: dict of initialization parameters
        :type param: dict

        :return: nothing

        '''
        _ = context['translate']

        log.debug("[update] begin. adjust the token class with: param %r" %
                  (param))

        # specific - phone
        phone = getParam(param, "phone", required)

        # in scope selfservice - check if edit_sms is allowed
        # if not allowed to edit, check if the phone is the same
        # as from the user data
        if param.get('::scope::', {}).get('selfservice', False):
            user = param['::scope::']['user']
            if not is_phone_editable(user):
                u_info = getUserDetail(user)
                u_phone = u_info.get('mobile', u_info.get('phone', None))
                if u_phone != phone:
                    raise Exception(
                        _('User is not allowed to '
                          'set phone number'))

        self.setPhone(phone)

        # in case of the sms token, only the server must know the otpkey
        # thus if none is provided, we let create one (in the TokenClass)
        if 'genkey' not in param and 'otpkey' not in param:
            param['genkey'] = 1

        HmacTokenClass.update(self, param, reset_failcount)

        log.debug("[update] end. all token parameters are set.")
        return
Example #44
0
    def update(self, param, reset_failcount=True):
        '''
        update - process initialization parameters

        :param param: dict of initialization parameters
        :type param: dict

        :return: nothing

        '''
        _ = context['translate']

        log.debug("[update] begin. adjust the token class with: param %r"
                  % (param))

        # specific - phone
        phone = getParam(param, "phone", required)

        # in scope selfservice - check if edit_sms is allowed
        # if not allowed to edit, check if the phone is the same
        # as from the user data
        if param.get('::scope::', {}).get('selfservice', False):
            user = param['::scope::']['user']
            if not is_phone_editable(user):
                u_info = getUserDetail(user)
                u_phone = u_info.get('mobile', u_info.get('phone', None))
                if u_phone != phone:
                    raise Exception(_('User is not allowed to '
                                      'set phone number'))

        self.setPhone(phone)

        # in case of the sms token, only the server must know the otpkey
        # thus if none is provided, we let create one (in the TokenClass)
        if 'genkey' not in param and 'otpkey' not in param:
            param['genkey'] = 1

        HmacTokenClass.update(self, param, reset_failcount)

        log.debug("[update] end. all token parameters are set.")
        return
Example #45
0
    def update(self, param, reset_failcount=True):
        """
        update - process initialization parameters

        :param param: dict of initialization parameters
        :type param: dict

        :return: nothing

        """
        log.debug("[update] begin. adjust the token class with: param %r" % (param))

        # specific - phone
        phone = getParam(param, "phone", required)

        # in scope selfservice - check if edit_sms is allowed
        # if not allowed to edit, check if the phone is the same
        # as from the user data
        if param.get("::scope::", {}).get("selfservice", False):
            user = param["::scope::"]["user"]
            if not is_phone_editable(user):
                u_info = getUserDetail(user)
                u_phone = u_info.get("mobile", u_info.get("phone", None))
                if u_phone != phone:
                    raise Exception(_("User is not allowed to " "set phone number"))

        self.setPhone(phone)

        # in case of the sms token, only the server must know the otpkey
        # thus if none is provided, we let create one (in the TokenClass)
        if "genkey" not in param and "otpkey" not in param:
            param["genkey"] = 1

        HmacTokenClass.update(self, param, reset_failcount)

        log.debug("[update] end. all token parameters are set.")
        return
Example #46
0
    def update(self, param, reset_failcount=True):
        """
        update - process initialization parameters

        :param param: dict of initialization parameters
        :type param: dict

        :return: nothing

        """
        LOG.debug("[update] begin. adjust the token class with: param %r" % param)

        # specific - e-mail
        self._email_address = getParam(param, self.EMAIL_ADDRESS_KEY, optional=False)

        ## in case of the e-mail token, only the server must know the otpkey
        ## thus if none is provided, we let create one (in the TokenClass)
        if not 'genkey' in param and not 'otpkey' in param:
            param['genkey'] = 1

        HmacTokenClass.update(self, param, reset_failcount)

        LOG.debug("[update] end. all token parameters are set.")
        return
Example #47
0
    def update(self, param):
        """
        second phase of the init process - updates parameters

        :param param: the request parameters
        :return: - nothing -
        """

        self.remoteServer = getParam(param, "remote.server", required)
        # if another OTP length would be specified in /admin/init this would
        # be overwritten by the parent class, which is ok.
        self.setOtpLen(6)

        val = getParam(param, "remote.local_checkpin", optional)
        if val is not None:
            self.remoteLocalCheckpin = val

        val = getParam(param, "remote.serial", optional)
        if val is not None:
            self.remoteSerial = val

        val = getParam(param, "remote.user", optional)
        if val is not None:
            self.remoteUser = val

        val = getParam(param, "remote.realm", optional)
        if val is not None:
            self.remoteRealm = val

        val = getParam(param, "remote.resConf", optional)
        if val is not None:
            self.remoteResConf = val

        TokenClass.update(self, param)

        self.addToTokenInfo("remote.server", self.remoteServer)
        self.addToTokenInfo("remote.serial", self.remoteSerial)
        self.addToTokenInfo("remote.user", self.remoteUser)
        self.addToTokenInfo("remote.local_checkpin", self.remoteLocalCheckpin)
        self.addToTokenInfo("remote.realm", self.remoteRealm)
        self.addToTokenInfo("remote.resConf", self.remoteResConf)

        return
Example #48
0
    def update(self, param):
        """
        second phase of the init process - updates parameters

        :param param: the request parameters
        :return: - nothing -
        """

        self.remoteServer = getParam(param, "remote.server", required)
        # if another OTP length would be specified in /admin/init this would
        # be overwritten by the parent class, which is ok.
        self.setOtpLen(6)

        val = getParam(param, "remote.local_checkpin", optional)
        if val is not None:
            self.remoteLocalCheckpin = val

        val = getParam(param, "remote.serial", optional)
        if val is not None:
            self.remoteSerial = val

        val = getParam(param, "remote.user", optional)
        if val is not None:
            self.remoteUser = val

        val = getParam(param, "remote.realm", optional)
        if val is not None:
            self.remoteRealm = val

        val = getParam(param, "remote.resConf", optional)
        if val is not None:
            self.remoteResConf = val

        TokenClass.update(self, param)

        self.addToTokenInfo("remote.server", self.remoteServer)
        self.addToTokenInfo("remote.serial", self.remoteSerial)
        self.addToTokenInfo("remote.user", self.remoteUser)
        self.addToTokenInfo("remote.local_checkpin", self.remoteLocalCheckpin)
        self.addToTokenInfo("remote.realm", self.remoteRealm)
        self.addToTokenInfo("remote.resConf", self.remoteResConf)

        return
Example #49
0
    def getInitDetail(self, params, user=None):
        """
        to complete the token normalisation, the response of the initialisation
        should be built by the token specific method, the getInitDetails
        """
        response_detail = {}

        info = self.getInfo()
        response_detail.update(info)
        response_detail['serial'] = self.getSerial()

        # get requested phase
        requested_phase = getParam(params, "phase", optional=False)

        if requested_phase == "registration1":
            # We are in registration phase 1
            # We create a 32 bytes otp key (from urandom)
            # which is used as the registration challenge
            challenge = base64.urlsafe_b64encode(binascii.unhexlify(self._genOtpKey_(32)))
            self.addToTokenInfo('challenge', challenge)

            # save the appId to the TokenInfo
            # An appId passed as parameter is preferred over an appId defined in a policy
            appId = ''
            if 'appid' in params:
                appId = params.get('appid')
            else:
                # No appId passed as parameter - fall back to the policy
                # Get the appId as specified in the enrollment policy 'u2f_app_id'
                # for the specific realm
                # If the token has multiple realms, the appIds are checked for conflicts.
                # It could be discussed whether the token should use the appId of the default
                # realm, when the token is not attached to any realms
                realms = self.token.getRealmNames()
                for realm in realms:
                    get_policy_params = {
                        'action': 'u2f_app_id',
                        'scope': 'enrollment',
                        'realm': realm
                        }
                    policy_value = getPolicyActionValue(getPolicy(get_policy_params),
                                                        'u2f_app_id',
                                                        String=True
                                                        )
                    # Check for appId conflicts
                    if appId and policy_value:
                        if appId != policy_value:
                            log.error("Conflicting appId values in u2f policies.")
                            raise Exception("Conflicting appId values in u2f policies.")
                    appId = policy_value

            if not appId:
                log.error("No appId defined.")
                raise Exception("No appId defined.")
            self.addToTokenInfo('appId', appId)

            # create U2F RegisterRequest object and append it to the response as 'message'
            appId = self._get_app_id()
            register_request = {'challenge': challenge,
                                'version': 'U2F_V2',
                                'appId': appId
                                }
            response_detail['registerrequest'] = register_request

        elif requested_phase == "registration2":
            # We are in registration phase 2
            # process the data generated by the u2f compatible token device
            registerResponse = ""

            otpkey = None
            if 'otpkey' in params:
                otpkey = params.get('otpkey')

            if otpkey is not None:
                # otpkey holds the JSON RegisterResponse object as specified by the FIDO Alliance
                try:
                    registerResponse = json.loads(otpkey)
                except ValueError as ex:
                    log.error("Invalid JSON format - value error %r", (ex))
                    raise Exception('Invalid JSON format')

                try:
                    registrationData = registerResponse['registrationData']
                    clientData = registerResponse['clientData']
                except AttributeError as ex:
                    log.error(
                        "Couldn't find keyword in JSON object - attribute error %r ", (ex))
                    raise Exception("Couldn't find keyword in JSON object")

                # registrationData and clientData are urlsafe base64 encoded
                # correct padding errors (length should be multiples of 4)
                # fill up the registrationData with '=' to the correct padding
                registrationData = registrationData + \
                    ('=' * (4 - (len(registrationData) % 4)))
                clientData = clientData + ('=' * (4 - (len(clientData) % 4)))
                registrationData = base64.urlsafe_b64decode(
                    registrationData.encode('ascii'))
                clientData = base64.urlsafe_b64decode(clientData.encode('ascii'))

                # parse the raw registrationData according to the specification
                (userPublicKey, keyHandle, X509cert, signature) = \
                    self._parseRegistrationData(registrationData)

                # check the received clientData object
                if not self._checkClientData(
                    clientData, 'registration', self.getFromTokenInfo('challenge', None)):
                    raise ValueError("Received invalid clientData object. Aborting...")

                # prepare the applicationParameter and challengeParameter needed for
                # verification of the registration signature
                appId = self._get_app_id()
                applicationParameter = sha256(appId).digest()
                challengeParameter = sha256(clientData).digest()

                # verify the registration signature
                self._validateRegistrationSignature(applicationParameter,
                                                    challengeParameter,
                                                    keyHandle,
                                                    userPublicKey,
                                                    X509cert,
                                                    signature
                                                    )

                # save the key handle and the user public key in the Tokeninfo field for
                # future use
                self.addToTokenInfo('keyHandle', base64.urlsafe_b64encode(keyHandle))
                self.addToTokenInfo('publicKey', base64.urlsafe_b64encode(userPublicKey))
                self.addToTokenInfo('counter', '0')
                self.addToTokenInfo('phase', 'authentication')
                # remove the registration challenge from the token info
                self.removeFromTokenInfo('challenge')
                # Activate the token
                self.token.LinOtpIsactive = True
            else:
                log.error("No otpkey set!")
                raise ValueError("No otpkey set")
        else:
            log.error("Unsupported phase: %s", requested_phase)
            raise Exception("Unsupported phase: %s", requested_phase)

        return response_detail
Example #50
0
 def getDefinition(self, param):
     self.name = getParam(param, 'resolver', required)
     return getResolverInfo(self.name)
Example #51
0
    def getmultiotp(self):
        '''
        This function is used to retrieve multiple otp values for a given user or a given serial
        If the user has more than one token, the list of the tokens is returend.

        method:
            gettoken/getmultiotp

        arguments:
            serial  - the serial number of the token
            count   - number of otp values to return
            curTime - used ONLY for internal testing: datetime.datetime object

        returns:
            JSON response
        '''

        getotp_active = config.get("linotpGetotp.active")
        if "True" != getotp_active:
            return sendError(response, "getotp is not activated.", 0)

        param = request.params
        ret = {}

        try:
            serial = getParam(param, "serial", required)
            count = int(getParam(param, "count", required))
            curTime = getParam(param, "curTime", optional)
            view = getParam(param, "view", optional)

            r1 = checkPolicyPre('admin', 'getotp', param)
            log.debug("[getmultiotp] admin-getotp returned %s" % r1)

            max_count = checkPolicyPre('gettoken', 'max_count', param)
            log.debug("[getmultiotp] checkpolicypre returned %s" % max_count)
            if count > max_count:
                count = max_count

            log.debug("[getmultiotp] retrieving OTP value for token %s" %
                      serial)
            ret = get_multi_otp(serial, count=int(count), curTime=curTime)
            ret["serial"] = serial

            c.audit['success'] = True
            Session.commit()

            if view:
                c.ret = ret
                return render('/manage/multiotp_view.mako')
            else:
                return sendResult(response, ret, 0)

        except PolicyException as pe:
            log.error("[getotp] gettoken/getotp policy failed: %r" % pe)
            log.error("[getotp] %s" % traceback.format_exc())
            Session.rollback()
            return sendError(response, unicode(pe), 1)

        except Exception as e:
            log.error("[getmultiotp] gettoken/getmultiotp failed: %r" % e)
            log.error("[getmultiotp] %s" % traceback.format_exc())
            Session.rollback()
            return sendError(response,
                             "gettoken/getmultiotp failed: %s" % unicode(e), 0)

        finally:
            Session.close()
            log.debug("[getmultiotp] done")
Example #52
0
    def check(self):
        '''
        This function is used to login

        method:
            openid/check

        arguments:
            user     - user to login
            realm    - in which realm the user should login
            pass     - password

        returns:
            JSON response
        '''
        ok = False
        param = {}
        do_redirect = None
        message = None

        try:
            param.update(request.params)

            same_user = True
            passw = getParam(param, "pass", optional)

            ## getUserFromParam will return default realm if no realm is
            ## provided via @ append or extra parameter realm
            ## if the provided realm does not exist, the realm is left empty
            user = getUserFromParam(param, optional)

            ## if the requested user has a realm specified (via @realm append)
            ## and this is not the same as the user from getUserFromParam
            ## the requested user is not a valid one!
            p_user = param.get('user', '')
            if "@" in p_user:
                if p_user != "%s@%s" % (user.login, user.realm):
                    same_user = False

            c.audit['user'] = user.login
            c.audit['realm'] = user.realm or getDefaultRealm()

            if same_user is True:
                (ok, opt) = checkUserPass(user, passw)

            c.audit['success'] = ok

            if ok:
                ## if the user authenticated successfully we need to set the cookie aka
                ## the ticket and we need to remember this ticket.
                user = "******" % (user.login, c.audit['realm'])
                log.debug("[check] user=%s" % user)
                token = self.storage.set_user_token(user,
                                                    expire=self.COOKIE_EXPIRE)
                log.debug("[check] token=%s" % token)
                cookie = "%s:%s" % (user, token)
                log.debug("[check] cookie=%s" % cookie)
                response.set_cookie(COOKIE_NAME,
                                    cookie,
                                    max_age=self.COOKIE_EXPIRE)
            else:
                message = "Your login attempt was not successful!"

            Session.commit()
            # Only if we logged in successfully we redirect to the original
            # page (Servive Provider). Otherwise we will redirect to the
            # status page

            p = {}
            redirect_to = getParam(param, "redirect_to", optional)
            if redirect_to and ok:
                p = {}
                for k in [
                        'openid.return_to', "openid.realm", "openid.ns",
                        "openid.claimed_id", "openid.mode", "openid.identity"
                ]:
                    p[k] = param[k]
            else:
                if message is not None:
                    p["message"] = message
                redirect_to = "/openid/status"

            do_redirect = url(str("%s?%s" % (redirect_to, urlencode(p))))

        except Exception as exx:
            log.error("[check] openid/check failed: %r" % exx)
            log.error("[__before__] %s" % traceback.format_exc())
            Session.rollback()
            return sendError(response, "openid/check failed: %r" % exx, 0)

        finally:
            Session.close()
            log.debug('[check] done')

        if do_redirect:
            log.debug("[check] now redirecting to %s" % do_redirect)
            redirect(do_redirect)
Example #53
0
    def getmultiotp(self):
        '''
        This function is used to retrieve multiple otp values for a given user
        or a given serial. If the user has more than one token, the list of
        the tokens is returend.

        method:
            gettoken/getmultiotp

        arguments:
            serial  - the serial number of the token
            count   - number of otp values to return
            curTime - used ONLY for internal testing: datetime.datetime object

        returns:
            JSON response
        '''

        getotp_active = config.get("GETOTP_ENABLED")
        if not getotp_active:
            return sendError(response, "getotp is not activated.", 0)

        param = self.request_params
        ret = {}

        try:
            serial = getParam(param, "serial", required)
            count = int(getParam(param, "count", required))
            curTime = getParam(param, "curTime", optional)
            view = getParam(param, "view", optional)

            r1 = checkPolicyPre('admin', 'getotp', param)
            log.debug("[getmultiotp] admin-getotp policy: %s", r1)

            max_count = checkPolicyPre('gettoken', 'max_count', param)
            log.debug("[getmultiotp] maxcount policy: %s", max_count)
            if count > max_count:
                count = max_count

            log.debug("[getmultiotp] retrieving OTP value for token %s",
                      serial)
            ret = get_multi_otp(serial, count=int(count), curTime=curTime)
            ret["serial"] = serial

            g.audit['success'] = True
            db.session.commit()

            if view:
                c.ret = ret
                return render('/manage/multiotp_view.mako').decode('utf-8')
            else:
                return sendResult(response, ret, 0)

        except PolicyException as pe:
            log.exception("[getotp] gettoken/getotp policy failed: %r", pe)
            db.session.rollback()
            return sendError(response, str(pe), 1)

        except Exception as exx:
            log.exception("[getmultiotp] gettoken/getmultiotp failed: %r", exx)
            db.session.rollback()
            return sendError(response, "gettoken/getmultiotp failed: %r" % exx,
                             0)
Example #54
0
    def getotp(self):
        '''
        This function is used to retrieve the current otp value for a given
        user or a given serial. If the user has more than one token, the list
        of the tokens is returend.

        method:
            gettoken/getotp

        arguments:
            user    - username / loginname
            realm   - additional realm to match the user to a useridresolver
            serial  - the serial number of the token
            curTime - used ONLY for internal testing: datetime.datetime object

        returns:
            JSON response
        '''

        getotp_active = config.get("GETOTP_ENABLED")
        if not getotp_active:
            return sendError(response, "getotp is not activated.", 0)

        param = self.request_params
        ret = {}
        res = -1
        otpval = ""
        passw = ""
        serials = []

        try:

            serial = getParam(param, "serial", optional)
            user = getUserFromParam(param)
            curTime = getParam(param, "curTime", optional)

            g.audit['user'] = user.login
            if "" != user.login:
                g.audit['realm'] = user.realm or getDefaultRealm()

            if serial:
                log.debug("[getotp] retrieving OTP value for token %s", serial)

            elif user.login:
                log.debug(
                    "[getotp] retrieving OTP value for token for user "
                    "%s@%s", user.login, user.realm)

                toks = getTokens4UserOrSerial(user, serial)
                tokennum = len(toks)

                if tokennum > 1:
                    log.debug("[getotp] The user has more than one token."
                              "Returning the list of serials")
                    res = -3
                    for token in toks:
                        serials.append(token.getSerial())
                elif 1 == tokennum:
                    serial = toks[0].getSerial()
                    log.debug(
                        "[getotp] retrieving OTP for token %s for user"
                        " %s@%s", serial, user.login, user.realm)
                else:
                    log.debug("[getotp] no token found for user %s@%s",
                              user.login, user.realm)
                    res = -4
            else:
                res = -5

            # if a serial was given or a unique serial could be
            # received from the given user.

            if serial:
                max_count = checkPolicyPre('gettoken', 'max_count', param)
                log.debug("[getmultiotp] max_count policy: %s", max_count)
                if max_count <= 0:
                    return sendError(
                        response, "The policy forbids receiving"
                        " OTP values for the token %s in "
                        "this realm" % serial, 1)

                (res, pin, otpval, passw) = getOtp(serial, curTime=curTime)

            g.audit['success'] = True

            if int(res) < 0:
                ret['result'] = False
                if -1 == otpval:
                    ret['description'] = "No Token with this serial number"
                if -2 == otpval:
                    ret['description'] = ("This Token does not support the"
                                          " getOtp function")
                if -3 == otpval:
                    ret['description'] = "The user has more than one token"
                    ret['serials'] = serials
                if -4 == otpval:
                    ret['description'] = "No Token found for this user"
                if -5 == otpval:
                    ret['description'] = ("you need to provide a user or "
                                          "a serial")
            else:
                ret['result'] = True
                ret['otpval'] = otpval
                ret['pin'] = pin
                ret['pass'] = passw

            db.session.commit()
            return sendResult(response, ret, 0)

        except PolicyException as pe:
            log.exception("[getotp] gettoken/getotp policy failed: %r", pe)
            db.session.rollback()
            return sendError(response, str(pe), 1)

        except Exception as exx:
            log.exception("[getotp] gettoken/getotp failed: %r", exx)
            db.session.rollback()
            return sendError(response, "gettoken/getotp failed: %s" % exx, 0)
Example #55
0
    def load_form(self):
        '''
        This shows the enrollment form for a requested token type.

        implicit parameters are:

        :param type: token type
        :param scope: defines the rendering scope

        :return: rendered html of the requested token
        '''
        res = ''
        param = {}

        try:

            param.update(request.params)

            act = getParam(param, "type", required)
            try:
                (tok, section, scope) = act.split('.')
            except Exception:
                return res

            if section != 'selfservice':
                return res

            g = config['pylons.app_globals']
            tokenclasses = copy.deepcopy(g.tokenclasses)

            if tok in tokenclasses:
                tclass = tokenclasses.get(tok)
                tclt = newToken(tclass)
                if hasattr(tclt, 'getClassInfo'):
                    sections = tclt.getClassInfo(section, {})
                    if scope in sections.keys():
                        section = sections.get(scope)
                        page = section.get('page')
                        c.scope = page.get('scope')
                        c.authUser = self.authUser
                        html = page.get('html')
                        res = render(os.path.sep + html)
                        res = remove_empty_lines(res)

            Session.commit()
            return res

        except CompileException as exx:
            log.exception("[load_form] compile error while processing %r.%r:" %
                                                                (tok, scope))
            log.error("[load_form] %r" % exx)
            Session.rollback()
            raise Exception(exx)

        except Exception as exx:
            Session.rollback()
            error = ('error (%r) accessing form data for: tok:%r, scope:%r'
                                ', section:%r' % (exx, tok, scope, section))
            log.exception(error)
            return '<pre>%s</pre>' % error

        finally:
            Session.close()
            log.debug('[load_form] done')
Example #56
0
    def _check(self, param):
        '''
        basic check function, that can be used by different controllers

        :param param: dict of all caller parameters
        :type param: dict

        :return: Tuple of True or False and opt
        :rtype: Tuple(boolean, opt)

        '''
        opt = None

        options = {}

        # put everything in the options but the user, pass, init
        options.update(param)
        for para in ["pass", "user", "init"]:
            if options.has_key(para):
                del options[para]

        passw = getParam(param, "pass", optional)
        user = getUserFromParam(param, optional)

        # support for ocra application challenge verification
        challenge = getParam(param, "challenge", optional)
        if challenge is not None:
            options = {}
            options['challenge'] = challenge

        c.audit['user'] = user.login
        realm = user.realm or getDefaultRealm()
        c.audit['realm'] = realm

        # AUTHORIZATION Pre Check
        # we need to overwrite the user.realm in case the
        # user does not exist in the original realm (setrealm-policy)
        user.realm = set_realm(user.login, realm, exception=True)
        check_user_authorization(user.login, user.realm, exception=True)

        if isSelfTest() is True:
            initTime = getParam(param, "init", optional)
            if initTime is not None:
                if options is None:
                    options = {}
                options['initTime'] = initTime
        vh = ValidationHandler()
        (ok, opt) = vh.checkUserPass(user, passw, options=options)

        c.audit.update(request_context.get('audit'))
        c.audit['success'] = ok

        if ok:
            # AUTHORIZATION post check
            check_auth_tokentype(c.audit['serial'], exception=True, user=user)
            check_auth_serial(c.audit['serial'], exception=True, user=user)

        # add additional details
        if is_auth_return(ok, user=user):
            if opt is None:
                opt = {}
            if ok:
                opt['realm'] = c.audit.get('realm')
                opt['user'] = c.audit.get('user')
                opt['tokentype'] = c.audit.get('token_type')
                opt['serial'] = c.audit.get('serial')
            else:
                opt['error'] = c.audit.get('action_detail')

        return (ok, opt)
Example #57
0
    def check(self):
        '''
        This function is used to login

        method:
            openid/check

        arguments:
            user     - user to login
            realm    - in which realm the user should login
            pass     - password

        returns:
            JSON response
        '''
        ok = False
        param = {}
        do_redirect = None
        message = None

        try:
            param.update(request.params)

            same_user = True
            passw = getParam(param, "pass", optional)

            ## getUserFromParam will return default realm if no realm is
            ## provided via @ append or extra parameter realm
            ## if the provided realm does not exist, the realm is left empty
            user = getUserFromParam(param, optional)

            ## if the requested user has a realm specified (via @realm append)
            ## and this is not the same as the user from getUserFromParam
            ## the requested user is not a valid one!
            p_user = param.get('user', '')
            if "@" in p_user:
                if p_user != "%s@%s" % (user.login, user.realm):
                    same_user = False

            c.audit['user'] = user.login
            c.audit['realm'] = user.realm or getDefaultRealm()
            vh = ValidationHandler()
            if same_user is True:
                (ok, opt) = vh.checkUserPass(user, passw)

            c.audit['success'] = ok

            if ok:
                ## if the user authenticated successfully we need to set the cookie aka
                ## the ticket and we need to remember this ticket.
                user = "******" % (user.login, c.audit['realm'])
                log.debug("[check] user=%s" % user)
                token = self.storage.set_user_token(user, expire=self.COOKIE_EXPIRE)
                log.debug("[check] token=%s" % token)
                cookie = "%s:%s" % (user, token)
                log.debug("[check] cookie=%s" % cookie)
                response.set_cookie(COOKIE_NAME, cookie, max_age=self.COOKIE_EXPIRE)
            else:
                message = "Your login attempt was not successful!"

            Session.commit()
            # Only if we logged in successfully we redirect to the original
            # page (Servive Provider). Otherwise we will redirect to the
            # status page

            p = {}
            redirect_to = getParam(param, "redirect_to", optional)
            if redirect_to and ok:
                p = {}
                for k in  [ 'openid.return_to', "openid.realm", "openid.ns", "openid.claimed_id", "openid.mode",
                            "openid.identity" ]:
                    p[k] = param[k]
            else:
                if message is not None:
                    p["message"] = message
                redirect_to = "/openid/status"

            do_redirect = url(str("%s?%s" % (redirect_to, urlencode(p))))

        except Exception as exx:
            log.exception("[check] openid/check failed: %r" % exx)
            Session.rollback()
            return sendError(response, "openid/check failed: %r" % exx, 0)

        finally:
            Session.close()
            log.debug('[check] done')

        if do_redirect:
            log.debug("[check] now redirecting to %s" % do_redirect)
            redirect(do_redirect)
Example #58
0
    def check_s(self):
        '''
        This function is used to validate the serial and the otp value/password.

        method:
            validate/check_s

        arguments:
            * serial:  the serial number of the token
            * pass:    the password that consists of a possible fixes password component
                        and the OTP value

        returns:
            JSON response
        '''
        param = {}
        param.update(request.params)

        options = {}
        options.update(param)
        for k in ['user', 'serial', "pass", "init"]:
            if k in options:
                del options[k]

        if 'init' in param:
            if isSelfTest() is True:
                options['initTime'] = param.get('init')

        try:
            passw = getParam(param, "pass", optional)
            serial = getParam(param, 'serial', optional)
            if serial is None:
                user = getParam(param, 'user', optional)
                if user is not None:
                    user = getUserFromParam(param, optional)
                    toks = getTokens4UserOrSerial(user=user)
                    if len(toks) == 0:
                        raise Exception("No token found!")
                    elif len(toks) > 1:
                        raise Exception("More than one token found!")
                    else:
                        tok = toks[0].token
                        desc = tok.get()
                        realms = desc.get('LinOtp.RealmNames')
                        if realms is None or len(realms) == 0:
                            realm = getDefaultRealm()
                        elif len(realms) > 0:
                            realm = realms[0]

                        userInfo = getUserInfo(tok.LinOtpUserid,
                                               tok.LinOtpIdResolver,
                                               tok.LinOtpIdResClass)
                        user = User(login=userInfo.get('username'),
                                    realm=realm)

                        serial = tok.getSerial()

            c.audit['serial'] = serial

            if isSelfTest() is True:
                initTime = getParam(param, "init", optional)
                if initTime is not None:
                    if options is None:
                        options = {}
                    options['initTime'] = initTime

            options['scope'] = {"check_s": True}
            vh = ValidationHandler()
            (ok, opt) = vh.checkSerialPass(serial, passw, options=options)
            c.audit['success'] = ok
            Session.commit()

            qr = param.get('qr', None)
            if qr and opt and 'message' in opt:
                try:
                    dataobj = opt.get('message')
                    param['alt'] = "%s" % opt
                    if 'transactionid' in opt:
                        param['transactionid'] = opt['transactionid']
                    return sendQRImageResult(response, dataobj, param)
                except Exception as exc:
                    log.warning("failed to send QRImage: %r " % exc)
                    return sendQRImageResult(response, opt, param)
            else:
                return sendResult(response, ok, 0, opt=opt)

        except Exception as exx:
            log.exception("[check_s] validate/check_s failed: %r" % exx)
            c.audit['info'] = unicode(exx)
            Session.rollback()
            return sendResult(response, False, id=0, status=False)

        finally:
            Session.close()
            log.debug('[check_s] done')