def test_07_sign_and_verify(self): # Test with broken key file paths self.app.config["PI_AUDIT_KEY_PUBLIC"] = PUBLIC self.app.config["PI_AUDIT_KEY_PRIVATE"] = '/path/not/valid' with self.assertRaises(Exception): getAudit(self.app.config) self.app.config["PI_AUDIT_KEY_PRIVATE"] = PRIVATE # Log a username as unicode with a non-ascii character self.Audit.log({ "serial": "1234", "action": "token/assign", "success": True, "user": u"kölbel" }) self.Audit.finalize_log() audit_log = self.Audit.search({"user": u"kölbel"}) self.assertEqual(audit_log.total, 1) self.assertEqual(audit_log.auditdata[0].get("user"), u"kölbel") self.assertEqual(audit_log.auditdata[0].get("sig_check"), "OK") # check the raw data from DB db_entries = self.Audit.search_query({'user': u'kölbel'}) db_entry = next(db_entries) self.assertTrue(db_entry.signature.startswith('rsa_sha256_pss'), db_entry) # modify the table data db_entry.realm = 'realm1' self.Audit.session.merge(db_entry) self.Audit.session.commit() # and check if we get a failed signature check audit_log = self.Audit.search({"user": u"kölbel"}) self.assertEqual(audit_log.total, 1) self.assertEqual(audit_log.auditdata[0].get("sig_check"), "FAIL")
def test_09_check_external_audit_db(self): self.app.config["PI_AUDIT_SQL_URI"] = AUDIT_DB audit = getAudit(self.app.config) total = audit.get_count({}) self.assertEquals(total, 5) # check that we have old style signatures in the DB db_entries = audit.search_query({"user": "******"}) db_entry = next(db_entries) self.assertTrue(db_entry.signature.startswith('213842441384'), db_entry) # by default, PI_CHECK_OLD_SIGNATURES is false and thus the signature check fails audit_log = audit.search({"user": "******"}) self.assertEquals(audit_log.total, 1) self.assertEquals(audit_log.auditdata[0].get("sig_check"), "FAIL") # they validate correctly when PI_CHECK_OLD_SIGNATURES is true # we need to create a new audit object to enable the new config self.app.config['PI_CHECK_OLD_SIGNATURES'] = True audit = getAudit(self.app.config) total = audit.get_count({}) self.assertEquals(total, 5) audit_log = audit.search({"user": "******"}) self.assertEquals(audit_log.total, 1) self.assertEquals(audit_log.auditdata[0].get("sig_check"), "OK") # except for entry number 4 where the 'realm' was added afterwards audit_log = audit.search({"realm": "realm1"}) self.assertEquals(audit_log.total, 1) self.assertEquals(audit_log.auditdata[0].get("sig_check"), "FAIL")
def test_07_sign_and_verify(self): # Test with broken key file paths self.app.config["PI_AUDIT_KEY_PUBLIC"] = PUBLIC self.app.config["PI_AUDIT_KEY_PRIVATE"] = '/path/not/valid' with self.assertRaises(Exception): getAudit(self.app.config) self.app.config["PI_AUDIT_KEY_PRIVATE"] = PRIVATE # Log a username as unicode with a non-ascii character self.Audit.log({"serial": "1234", "action": "token/assign", "success": True, "user": u"kölbel"}) self.Audit.finalize_log() audit_log = self.Audit.search({"user": u"kölbel"}) self.assertEqual(audit_log.total, 1) self.assertEqual(audit_log.auditdata[0].get("user"), u"kölbel") self.assertEqual(audit_log.auditdata[0].get("sig_check"), "OK") # check the raw data from DB db_entries = self.Audit.search_query({'user': u'kölbel'}) db_entry = next(db_entries) self.assertTrue(db_entry.signature.startswith('rsa_sha256_pss'), db_entry) # modify the table data db_entry.realm = 'realm1' self.Audit.session.merge(db_entry) self.Audit.session.commit() # and check if we get a failed signature check audit_log = self.Audit.search({"user": u"kölbel"}) self.assertEquals(audit_log.total, 1) self.assertEquals(audit_log.auditdata[0].get("sig_check"), "FAIL")
def test_09_check_external_audit_db(self): self.app.config["PI_AUDIT_SQL_URI"] = AUDIT_DB audit = getAudit(self.app.config) total = audit.get_count({}) self.assertEqual(total, 5) # check that we have old style signatures in the DB db_entries = audit.search_query({"user": "******"}) db_entry = next(db_entries) self.assertTrue(db_entry.signature.startswith('213842441384'), db_entry) # by default, PI_CHECK_OLD_SIGNATURES is false and thus the signature check fails audit_log = audit.search({"user": "******"}) self.assertEqual(audit_log.total, 1) self.assertEqual(audit_log.auditdata[0].get("sig_check"), "FAIL") # they validate correctly when PI_CHECK_OLD_SIGNATURES is true # we need to create a new audit object to enable the new config self.app.config['PI_CHECK_OLD_SIGNATURES'] = True audit = getAudit(self.app.config) total = audit.get_count({}) self.assertEqual(total, 5) audit_log = audit.search({"user": "******"}) self.assertEqual(audit_log.total, 1) self.assertEqual(audit_log.auditdata[0].get("sig_check"), "OK") # except for entry number 4 where the 'realm' was added afterwards audit_log = audit.search({"realm": "realm1"}) self.assertEqual(audit_log.total, 1) self.assertEqual(audit_log.auditdata[0].get("sig_check"), "FAIL") # TODO: add new audit entry and check for new style signature # remove the audit SQL URI from app config self.app.config.pop("PI_AUDIT_SQL_URI", None)
def before_request(): """ This is executed before the request """ ensure_no_config_object() request.all_data = get_all_params(request.values, request.data) privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) g.event_config = EventConfiguration() # access_route contains the ip adresses of all clients, hops and proxies. g.client_ip = get_client_ip(request, get_from_config(SYSCONF.OVERRIDECLIENT)) g.audit_object.log({"success": False, "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "action_detail": "", "info": ""}) username = getParam(request.all_data, "username") if username: # We only fill request.User, if we really have a username. # On endpoints like /auth/rights, this is not available loginname, realm = split_user(username) # overwrite the split realm if we have a realm parameter. Default back to default_realm realm = getParam(request.all_data, "realm", default=realm) or realm or get_default_realm() # Prefill the request.User. This is used by some pre-event handlers request.User = User(loginname, realm)
def before_request(): """ This is executed before the request """ ensure_no_config_object() request.all_data = get_all_params(request.values, request.data) # get additional request information such as parameters in the # call path from the view_args request.all_data.update(request.view_args) request.User = get_user_from_param(request.all_data) privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host # Create a policy_object, that reads the database audit settings # and contains the complete policy definition during the request. # This audit_object can be used in the postpolicy and prepolicy and it # can be passed to the innerpolicies. g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config, g.startdate) g.event_config = EventConfiguration() # access_route contains the ip addresses of all clients, hops and proxies. g.client_ip = get_client_ip(request, get_from_config(SYSCONF.OVERRIDECLIENT)) # Save the HTTP header in the localproxy object g.request_headers = request.headers g.serial = getParam(request.all_data, "serial", default=None) g.audit_object.log({"success": False, "action_detail": "", "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "info": ""})
def before_request(): """ This is executed before the request """ privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) # We can add logic to use X-Forwarded-For g.client_ip = request.remote_addr g.audit_object.log({ "success": False, "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "action_detail": "", "info": "" }) request.all_data = get_all_params(request.values, request.data)
def before_request(): """ This is executed before the request """ request.all_data = get_all_params(request.values, request.data) privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host # Create a policy_object, that reads the database audit settings # and contains the complete policy definition during the request. # This audit_object can be used in the postpolicy and prepolicy and it # can be passed to the innerpolicies. g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) # access_route contains the ip adresses of all clients, hops and proxies. g.client_ip = request.access_route[0] if request.access_route else \ request.remote_addr g.audit_object.log({ "success": False, "action_detail": "", "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "info": "" })
def before_request(): """ This is executed before the request """ ensure_no_config_object() request.all_data = get_all_params(request.values, request.data) privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) g.event_config = EventConfiguration() # access_route contains the ip adresses of all clients, hops and proxies. g.client_ip = get_client_ip(request, get_from_config(SYSCONF.OVERRIDECLIENT)) g.audit_object.log({ "success": False, "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "action_detail": "", "info": "" })
def before_request(): """ This is executed before the request """ update_config_object() request.all_data = get_all_params(request.values, request.data) request.User = get_user_from_param(request.all_data) privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host # Create a policy_object, that reads the database audit settings # and contains the complete policy definition during the request. # This audit_object can be used in the postpolicy and prepolicy and it # can be passed to the innerpolicies. g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) g.event_config = EventConfiguration() # access_route contains the ip addresses of all clients, hops and proxies. g.client_ip = get_client_ip(request, get_from_config(SYSCONF.OVERRIDECLIENT)) g.audit_object.log({"success": False, "action_detail": "", "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "info": ""})
def before_request(): """ This is executed before the request. user_required checks if there is a logged in admin or user The checks for ONLY admin are preformed in api/system.py """ # remove session from param and gather all parameters, either # from the Form data or from JSON in the request body. request.all_data = get_all_params(request.values, request.data) g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) g.event_config = EventConfiguration() # access_route contains the ip adresses of all clients, hops and proxies. g.client_ip = request.access_route[0] if request.access_route else \ request.remote_addr privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host # Already get some typical parameters to log serial = getParam(request.all_data, "serial") realm = getParam(request.all_data, "realm") user_loginname = "" if "blueprint_token" in request.endpoint: # In case of token endpoint we evaluate the user in the request. # Note: In policy-endpoint "user" is part of the policy configuration # and will cause an exception user = get_user_from_param(request.all_data) user_loginname = user.login realm = user.realm or realm g.audit_object.log({"success": False, "serial": serial, "user": user_loginname, "realm": realm, "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "action_detail": "", "info": ""}) if g.logged_in_user.get("role") == "user": # A user is calling this API # In case the token API is called by the user and not by the admin we # need to restrict the token view. CurrentUser = get_user_from_param({"user": g.logged_in_user.get( "username"), "realm": g.logged_in_user.get( "realm")}) request.all_data["user"] = CurrentUser.login request.all_data["resolver"] = CurrentUser.resolver request.all_data["realm"] = CurrentUser.realm g.audit_object.log({"user": CurrentUser.login, "realm": CurrentUser.realm}) else: # An administrator is calling this API g.audit_object.log({"administrator": g.logged_in_user.get("username")})
def before_request(): """ This is executed before the request """ ensure_no_config_object() request.all_data = get_all_params(request) privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host # Create a policy_object, that reads the database audit settings # and contains the complete policy definition during the request. # This audit_object can be used in the postpolicy and prepolicy and it # can be passed to the innerpolicies. g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) # access_route contains the ip adresses of all clients, hops and proxies. g.client_ip = get_client_ip(request, get_from_config(SYSCONF.OVERRIDECLIENT)) g.serial = getParam(request.all_data, "serial") or None g.audit_object.log({ "success": False, "action_detail": "", "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "info": "" })
def setUp(self): pass self.config = {"PI_AUDIT_MODULE": "privacyidea.lib.auditmodules.sqlaudit", "PI_AUDIT_KEY_PRIVATE": "tests/testdata/private.pem", "PI_AUDIT_KEY_PUBLIC": "tests/testdata/public.pem", "PI_AUDIT_SQL_URI": "sqlite://"} self.Audit = getAudit(self.config) self.Audit.clear()
def __init__(self, *args, **kw): """ base controller constructor :param *args: generic argument array :param **kw: generic argument dict :return: None """ self.parent = super(WSGIController, self) self.parent.__init__(*args, **kw) self.audit = getAudit() self.audit.initialize() # make the OpenID SQL Instance globally available openid_sql = config.get('openid_sql', None) if openid_sql is None: try: openid_storage = SQLStorage() config['openid_sql'] = openid_storage except Exception as exx: config['openid_sql'] = exx log.error("Failed to configure openid_sql: %r" % exx) app_setup_done = config.get('app_setup_done', False) if app_setup_done is False: try: setup_app(config) config['app_setup_done'] = True except Exception as exx: config['app_setup_done'] = False log.error("Failed to serve request: %r" % exx) raise exx l_config = init_privacyIDEA_config() resolver_setup_done = config.get('resolver_setup_done', False) if resolver_setup_done is False: try: cache_dir = config.get("app_conf", {}).get("cache_dir", None) setupResolvers(config=l_config, cache_dir=cache_dir) config['resolver_setup_done'] = True except Exception as exx: config['resolver_setup_done'] = False log.error("Failed to setup resolver: %r" % exx) raise exx initResolvers() # Add protection against click jacking response.headers["X-Frame-Options"] = "SAMEORIGIN" c.help_url = config.get('help_url') return
def before_request(): """ This is executed before the request. user_required checks if there is a logged in admin or user The checks for ONLY admin are preformed in api/system.py """ # remove session from param and gather all parameters, either # from the Form data or from JSON in the request body. request.all_data = get_all_params(request.values, request.data) g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) # We can add logic to use X-Forwarded-For g.client_ip = request.remote_addr privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host # Already get some typical parameters to log serial = getParam(request.all_data, "serial") realm = getParam(request.all_data, "realm") user = get_user_from_param(request.all_data) # log it g.audit_object.log({"success": False, "serial": serial, "user": user.login, "realm": user.realm or realm, "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "action_detail": "", "info": ""}) if g.logged_in_user.get("role") == "user": # A user is calling this API # In case the token API is called by the user and not by the admin we # need to restrict the token view. CurrentUser = get_user_from_param({"user": g.logged_in_user.get( "username"), "realm": g.logged_in_user.get( "realm")}) request.all_data["user"] = CurrentUser.login request.all_data["resolver"] = CurrentUser.resolver request.all_data["realm"] = CurrentUser.realm g.audit_object.log({"user": CurrentUser.login, "realm": CurrentUser.realm}) else: # An administrator is calling this API g.audit_object.log({"administrator": g.logged_in_user.get("username")})
def before_request(): """ This is executed before the request """ g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) g.audit_object.log({"success": False, "client": request.remote_addr, "client_user_agent": request.user_agent.browser, "privacyidea_server": request.host, "action": "%s %s" % (request.method, request.url_rule), "action_detail": "", "info": ""}) request.all_data = get_all_params(request.values, request.data)
def before_request(): """ This is executed before the request. user_required checks if there is a logged in admin or user The checks for ONLY admin are preformed in api/system.py """ # remove session from param and gather all parameters, either # from the Form data or from JSON in the request body. request.all_data = get_all_params(request.values, request.data) g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) # Already get some typical parameters to log serial = getParam(request.all_data, "serial") realm = getParam(request.all_data, "realm") # log it g.audit_object.log({ "success": False, "serial": serial, "realm": realm, "client": request.remote_addr, "client_user_agent": request.user_agent.browser, "privacyidea_server": request.host, "action": "%s %s" % (request.method, request.url_rule), "action_detail": "", "info": "" }) if g.logged_in_user.get("role") == "user": # A user is calling this API # In case the token API is called by the user and not by the admin we # need to restrict the token view. CurrentUser = get_user_from_param({ "user": g.logged_in_user.get("username"), "realm": g.logged_in_user.get("realm") }) request.all_data["user"] = CurrentUser.login request.all_data["resolver"] = CurrentUser.resolver request.all_data["realm"] = CurrentUser.realm g.audit_object.log({ "user": CurrentUser.login, "realm": CurrentUser.realm }) else: # An administrator is calling this API g.audit_object.log({"administrator": g.logged_in_user.get("username")})
def event_wrapper(*args, **kwds): # here we have to evaluate the event configuration from the # DB table eventhandler and based on the self.eventname etc... # TODO: do Pre-Event Handling f_result = func(*args, **kwds) # Post-Event Handling e_handles = self.g.event_config.get_handled_events(self.eventname) for e_handler_def in e_handles: log.debug("Handling event {eventname} with " "{eventDef}".format(eventname=self.eventname, eventDef=e_handler_def)) event_handler_name = e_handler_def.get("handlermodule") event_handler = get_handler_object(event_handler_name) # The "action is determined by the event configuration # In the options we can pass the mailserver configuration options = { "request": self.request, "g": self.g, "response": f_result, "handler_def": e_handler_def } if event_handler.check_condition(options=options): log.debug("Handling event {eventname} with options" "{options}".format(eventname=self.eventname, options=options)) # create a new audit object event_audit = getAudit(self.g.audit_object.config) # copy all values from the originial audit entry event_audit_data = dict(self.g.audit_object.audit_data) event_audit_data["action"] = "EVENT {trigger}>>" \ "{handler}:{action}".format( trigger=self.eventname, handler=e_handler_def.get("handlermodule"), action=e_handler_def.get("action")) event_audit_data["action_detail"] = "{0!s}".format( e_handler_def.get("options")) event_audit_data["info"] = e_handler_def.get("name") event_audit.log(event_audit_data) event_handler.do(e_handler_def.get("action"), options=options) # In case the handler has modified the response f_result = options.get("response") # set audit object to success event_audit.log({"success": True}) event_audit.finalize_log() return f_result
def event_wrapper(*args, **kwds): # here we have to evaluate the event configuration from the # DB table eventhandler and based on the self.eventname etc... # TODO: do Pre-Event Handling f_result = func(*args, **kwds) # Post-Event Handling e_handles = self.g.event_config.get_handled_events(self.eventname) for e_handler_def in e_handles: log.debug("Handling event {eventname} with " "{eventDef}".format(eventname=self.eventname, eventDef=e_handler_def)) event_handler_name = e_handler_def.get("handlermodule") event_handler = get_handler_object(event_handler_name) # The "action is determined by the event configuration # In the options we can pass the mailserver configuration options = {"request": self.request, "g": self.g, "response": f_result, "handler_def": e_handler_def} if event_handler.check_condition(options=options): log.debug("Handling event {eventname} with options" "{options}".format(eventname=self.eventname, options=options)) # create a new audit object event_audit = getAudit(self.g.audit_object.config) # copy all values from the originial audit entry event_audit_data = dict(self.g.audit_object.audit_data) event_audit_data["action"] = "EVENT {trigger}>>" \ "{handler}:{action}".format( trigger=self.eventname, handler=e_handler_def.get("handlermodule"), action=e_handler_def.get("action")) event_audit_data["action_detail"] = "{0!s}".format( e_handler_def.get("options")) event_audit_data["info"] = e_handler_def.get("name") event_audit.log(event_audit_data) event_handler.do(e_handler_def.get("action"), options=options) # In case the handler has modified the response f_result = options.get("response") # set audit object to success event_audit.log({"success": True}) event_audit.finalize_log() return f_result
def before_request(): """ This is executed before the request """ request.all_data = get_all_params(request.values, request.data) # Create a policy_object, that reads the database audit settings # and contains the complete policy definition during the request. # This audit_object can be used in the postpolicy and prepolicy and it # can be passed to the innerpolicies. g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) g.audit_object.log({"success": False, "action_detail": "", "client": request.remote_addr, "client_user_agent": request.user_agent.browser, "privacyidea_server": request.host, "action": "%s %s" % (request.method, request.url_rule), "info": ""})
def before_request(): """ This is executed before the request """ privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) # We can add logic to use X-Forwarded-For g.client_ip = request.remote_addr g.audit_object.log({"success": False, "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "action_detail": "", "info": ""}) request.all_data = get_all_params(request.values, request.data)
def before_request(): """ This is executed before the request """ request.all_data = get_all_params(request.values, request.data) privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) # access_route contains the ip adresses of all clients, hops and proxies. g.client_ip = get_client_ip(request, get_from_config(SYSCONF.OVERRIDECLIENT)) g.audit_object.log({"success": False, "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "action_detail": "", "info": ""})
def before_request(): """ This is executed before the request """ request.all_data = get_all_params(request.values, request.data) # Create a policy_object, that reads the database audit settings # and contains the complete policy definition during the request. # This audit_object can be used in the postpolicy and prepolicy and it # can be passed to the innerpolicies. g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) g.audit_object.log({ "success": False, "action_detail": "", "client": request.remote_addr, "client_user_agent": request.user_agent.browser, "privacyidea_server": request.host, "action": "%s %s" % (request.method, request.url_rule), "info": "" })
def before_request(): """ This is executed before the request """ request.all_data = get_all_params(request.values, request.data) privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host # Create a policy_object, that reads the database audit settings # and contains the complete policy definition during the request. # This audit_object can be used in the postpolicy and prepolicy and it # can be passed to the innerpolicies. g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) # We can add logic to use X-Forwarded-For g.client_ip = request.remote_addr g.audit_object.log({"success": False, "action_detail": "", "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "info": ""})
def before_request(): """ This is executed before the request. user_required checks if there is a logged in admin or user The checks for ONLY admin are preformed in api/system.py """ # remove session from param and gather all parameters, either # from the Form data or from JSON in the request body. ensure_no_config_object() request.all_data = get_all_params(request.values, request.data) if g.logged_in_user.get("role") == "user": # A user is calling this API. First thing we do is restricting the user parameter. # ...to restrict token view, audit view or token actions. request.all_data["user"] = g.logged_in_user.get("username") request.all_data["realm"] = g.logged_in_user.get("realm") try: request.User = get_user_from_param(request.all_data) # overwrite or set the resolver parameter in case of a logged in user if g.logged_in_user.get("role") == "user": request.all_data["resolver"] = request.User.resolver except AttributeError: # Some endpoints do not need users OR e.g. the setPolicy endpoint # takes a list as the userobject request.User = None except UserError: # In cases like the policy API, the parameter "user" is part of the # policy and will not resolve to a user object request.User = User() g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) g.event_config = EventConfiguration() # access_route contains the ip adresses of all clients, hops and proxies. g.client_ip = get_client_ip(request, get_from_config(SYSCONF.OVERRIDECLIENT)) privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host # Already get some typical parameters to log serial = getParam(request.all_data, "serial") if serial: tokentype = get_token_type(serial) else: tokentype = None if request.User: audit_username = request.User.login audit_realm = request.User.realm audit_resolver = request.User.resolver else: audit_realm = getParam(request.all_data, "realm") audit_resolver = getParam(request.all_data, "resolver") audit_username = getParam(request.all_data, "user") g.audit_object.log({ "success": False, "serial": serial, "user": audit_username, "realm": audit_realm, "resolver": audit_resolver, "token_type": tokentype, "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "action_detail": "", "info": "" }) if g.logged_in_user.get("role") == "admin": # An administrator is calling this API g.audit_object.log({"administrator": g.logged_in_user.get("username")})
def before_request(): """ This is executed before the request. user_required checks if there is a logged in admin or user The checks for ONLY admin are preformed in api/system.py """ # remove session from param and gather all parameters, either # from the Form data or from JSON in the request body. g.config_object = ConfigClass() request.all_data = get_all_params(request.values, request.data) try: request.User = get_user_from_param(request.all_data) except AttributeError: # Some endpoints do not need users OR e.g. the setPolicy endpoint # takes a list as the userobject request.User = None except UserError: # In cases like the policy API, the parameter "user" is part of the # policy and will not resolve to a user object pass g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) g.event_config = EventConfiguration() # access_route contains the ip adresses of all clients, hops and proxies. g.client_ip = get_client_ip(request, get_from_config(SYSCONF.OVERRIDECLIENT)) privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host # Already get some typical parameters to log serial = getParam(request.all_data, "serial") if serial and "**" not in serial: tokentype = get_token_type(serial) else: tokentype = None realm = getParam(request.all_data, "realm") user_loginname = "" resolver = "" if "token_blueprint" in request.endpoint: # In case of token endpoint we evaluate the user in the request. # Note: In policy-endpoint "user" is part of the policy configuration # and will cause an exception user = get_user_from_param(request.all_data) user_loginname = user.login realm = user.realm or realm resolver = user.resolver g.audit_object.log({"success": False, "serial": serial, "user": user_loginname, "realm": realm, "resolver": resolver, "token_type": tokentype, "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "action_detail": "", "info": ""}) if g.logged_in_user.get("role") == "user": # A user is calling this API # In case the token API is called by the user and not by the admin we # need to restrict the token view. CurrentUser = get_user_from_param({"user": g.logged_in_user.get( "username"), "realm": g.logged_in_user.get( "realm")}) request.all_data["user"] = CurrentUser.login request.all_data["resolver"] = CurrentUser.resolver request.all_data["realm"] = CurrentUser.realm g.audit_object.log({"user": CurrentUser.login, "resolver": CurrentUser.resolver, "realm": CurrentUser.realm}) else: # An administrator is calling this API g.audit_object.log({"administrator": g.logged_in_user.get("username")})
def setUp(self): self.Audit = getAudit(self.app.config) self.Audit.clear()
def before_request(): """ This is executed before the request. user_required checks if there is a logged in admin or user The checks for ONLY admin are preformed in api/system.py """ # remove session from param and gather all parameters, either # from the Form data or from JSON in the request body. request.all_data = get_all_params(request.values, request.data) g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) # We can add logic to use X-Forwarded-For g.client_ip = request.remote_addr privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host # Already get some typical parameters to log serial = getParam(request.all_data, "serial") realm = getParam(request.all_data, "realm") user_loginname = "" if "blueprint_token" in request.endpoint: # In case of token endpoint we evaluate the user in the request. # Note: In policy-endpoint "user" is part of the policy configuration # and will cause an exception user = get_user_from_param(request.all_data) user_loginname = user.login realm = user.realm or realm g.audit_object.log({ "success": False, "serial": serial, "user": user_loginname, "realm": realm, "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "action_detail": "", "info": "" }) if g.logged_in_user.get("role") == "user": # A user is calling this API # In case the token API is called by the user and not by the admin we # need to restrict the token view. CurrentUser = get_user_from_param({ "user": g.logged_in_user.get("username"), "realm": g.logged_in_user.get("realm") }) request.all_data["user"] = CurrentUser.login request.all_data["resolver"] = CurrentUser.resolver request.all_data["realm"] = CurrentUser.realm g.audit_object.log({ "user": CurrentUser.login, "realm": CurrentUser.realm }) else: # An administrator is calling this API g.audit_object.log({"administrator": g.logged_in_user.get("username")})
def setUp(self): self.Audit = getAudit(self.app.config) self.assertEqual(self.Audit.name, 'sqlaudit') self.Audit.clear()
def before_request(): """ This is executed before the request. user_required checks if there is a logged in admin or user The checks for ONLY admin are preformed in api/system.py """ # remove session from param and gather all parameters, either # from the Form data or from JSON in the request body. g.config_object = ConfigClass() request.all_data = get_all_params(request.values, request.data) try: request.User = get_user_from_param(request.all_data) except AttributeError: # Some endpoints do not need users OR e.g. the setPolicy endpoint # takes a list as the userobject request.User = None except UserError: # In cases like the policy API, the parameter "user" is part of the # policy and will not resolve to a user object request.User = User() g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) g.event_config = EventConfiguration() # access_route contains the ip adresses of all clients, hops and proxies. g.client_ip = get_client_ip(request, get_from_config(SYSCONF.OVERRIDECLIENT)) privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host # Already get some typical parameters to log serial = getParam(request.all_data, "serial") if serial and "**" not in serial: tokentype = get_token_type(serial) else: tokentype = None realm = getParam(request.all_data, "realm") user_loginname = "" resolver = "" if "token_blueprint" in request.endpoint: # In case of token endpoint we evaluate the user in the request. # Note: In policy-endpoint "user" is part of the policy configuration # and will cause an exception user = get_user_from_param(request.all_data) user_loginname = user.login realm = user.realm or realm resolver = user.resolver g.audit_object.log({ "success": False, "serial": serial, "user": user_loginname, "realm": realm, "resolver": resolver, "token_type": tokentype, "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "action_detail": "", "info": "" }) if g.logged_in_user.get("role") == "user": # A user is calling this API # In case the token API is called by the user and not by the admin we # need to restrict the token view. CurrentUser = get_user_from_param({ "user": g.logged_in_user.get("username"), "realm": g.logged_in_user.get("realm") }) request.all_data["user"] = CurrentUser.login request.all_data["resolver"] = CurrentUser.resolver request.all_data["realm"] = CurrentUser.realm g.audit_object.log({ "user": CurrentUser.login, "resolver": CurrentUser.resolver, "realm": CurrentUser.realm }) else: # An administrator is calling this API g.audit_object.log({"administrator": g.logged_in_user.get("username")})