def test_07_sign_and_verify(self):
# Test with broken key file paths
self.app.config["PI_AUDIT_KEY_PUBLIC"] = PUBLIC
self.app.config["PI_AUDIT_KEY_PRIVATE"] = '/path/not/valid'
with self.assertRaises(Exception):
getAudit(self.app.config)
self.app.config["PI_AUDIT_KEY_PRIVATE"] = PRIVATE
# Log a username as unicode with a non-ascii character
self.Audit.log({
"serial": "1234",
"action": "token/assign",
"success": True,
"user": u"kölbel"
})
self.Audit.finalize_log()
audit_log = self.Audit.search({"user": u"kölbel"})
self.assertEqual(audit_log.total, 1)
self.assertEqual(audit_log.auditdata[0].get("user"), u"kölbel")
self.assertEqual(audit_log.auditdata[0].get("sig_check"), "OK")
# check the raw data from DB
db_entries = self.Audit.search_query({'user': u'kölbel'})
db_entry = next(db_entries)
self.assertTrue(db_entry.signature.startswith('rsa_sha256_pss'),
db_entry)
# modify the table data
db_entry.realm = 'realm1'
self.Audit.session.merge(db_entry)
self.Audit.session.commit()
# and check if we get a failed signature check
audit_log = self.Audit.search({"user": u"kölbel"})
self.assertEqual(audit_log.total, 1)
self.assertEqual(audit_log.auditdata[0].get("sig_check"), "FAIL")
def test_09_check_external_audit_db(self):
self.app.config["PI_AUDIT_SQL_URI"] = AUDIT_DB
audit = getAudit(self.app.config)
total = audit.get_count({})
self.assertEquals(total, 5)
# check that we have old style signatures in the DB
db_entries = audit.search_query({"user": "******"})
db_entry = next(db_entries)
self.assertTrue(db_entry.signature.startswith('213842441384'), db_entry)
# by default, PI_CHECK_OLD_SIGNATURES is false and thus the signature check fails
audit_log = audit.search({"user": "******"})
self.assertEquals(audit_log.total, 1)
self.assertEquals(audit_log.auditdata[0].get("sig_check"), "FAIL")
# they validate correctly when PI_CHECK_OLD_SIGNATURES is true
# we need to create a new audit object to enable the new config
self.app.config['PI_CHECK_OLD_SIGNATURES'] = True
audit = getAudit(self.app.config)
total = audit.get_count({})
self.assertEquals(total, 5)
audit_log = audit.search({"user": "******"})
self.assertEquals(audit_log.total, 1)
self.assertEquals(audit_log.auditdata[0].get("sig_check"), "OK")
# except for entry number 4 where the 'realm' was added afterwards
audit_log = audit.search({"realm": "realm1"})
self.assertEquals(audit_log.total, 1)
self.assertEquals(audit_log.auditdata[0].get("sig_check"), "FAIL")
def test_07_sign_and_verify(self):
# Test with broken key file paths
self.app.config["PI_AUDIT_KEY_PUBLIC"] = PUBLIC
self.app.config["PI_AUDIT_KEY_PRIVATE"] = '/path/not/valid'
with self.assertRaises(Exception):
getAudit(self.app.config)
self.app.config["PI_AUDIT_KEY_PRIVATE"] = PRIVATE
# Log a username as unicode with a non-ascii character
self.Audit.log({"serial": "1234",
"action": "token/assign",
"success": True,
"user": u"kölbel"})
self.Audit.finalize_log()
audit_log = self.Audit.search({"user": u"kölbel"})
self.assertEqual(audit_log.total, 1)
self.assertEqual(audit_log.auditdata[0].get("user"), u"kölbel")
self.assertEqual(audit_log.auditdata[0].get("sig_check"), "OK")
# check the raw data from DB
db_entries = self.Audit.search_query({'user': u'kölbel'})
db_entry = next(db_entries)
self.assertTrue(db_entry.signature.startswith('rsa_sha256_pss'), db_entry)
# modify the table data
db_entry.realm = 'realm1'
self.Audit.session.merge(db_entry)
self.Audit.session.commit()
# and check if we get a failed signature check
audit_log = self.Audit.search({"user": u"kölbel"})
self.assertEquals(audit_log.total, 1)
self.assertEquals(audit_log.auditdata[0].get("sig_check"), "FAIL")
def test_09_check_external_audit_db(self):
self.app.config["PI_AUDIT_SQL_URI"] = AUDIT_DB
audit = getAudit(self.app.config)
total = audit.get_count({})
self.assertEqual(total, 5)
# check that we have old style signatures in the DB
db_entries = audit.search_query({"user": "******"})
db_entry = next(db_entries)
self.assertTrue(db_entry.signature.startswith('213842441384'),
db_entry)
# by default, PI_CHECK_OLD_SIGNATURES is false and thus the signature check fails
audit_log = audit.search({"user": "******"})
self.assertEqual(audit_log.total, 1)
self.assertEqual(audit_log.auditdata[0].get("sig_check"), "FAIL")
# they validate correctly when PI_CHECK_OLD_SIGNATURES is true
# we need to create a new audit object to enable the new config
self.app.config['PI_CHECK_OLD_SIGNATURES'] = True
audit = getAudit(self.app.config)
total = audit.get_count({})
self.assertEqual(total, 5)
audit_log = audit.search({"user": "******"})
self.assertEqual(audit_log.total, 1)
self.assertEqual(audit_log.auditdata[0].get("sig_check"), "OK")
# except for entry number 4 where the 'realm' was added afterwards
audit_log = audit.search({"realm": "realm1"})
self.assertEqual(audit_log.total, 1)
self.assertEqual(audit_log.auditdata[0].get("sig_check"), "FAIL")
# TODO: add new audit entry and check for new style signature
# remove the audit SQL URI from app config
self.app.config.pop("PI_AUDIT_SQL_URI", None)
def before_request():
"""
This is executed before the request
"""
ensure_no_config_object()
request.all_data = get_all_params(request.values, request.data)
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
g.event_config = EventConfiguration()
# access_route contains the ip adresses of all clients, hops and proxies.
g.client_ip = get_client_ip(request,
get_from_config(SYSCONF.OVERRIDECLIENT))
g.audit_object.log({"success": False,
"client": g.client_ip,
"client_user_agent": request.user_agent.browser,
"privacyidea_server": privacyidea_server,
"action": "{0!s} {1!s}".format(request.method, request.url_rule),
"action_detail": "",
"info": ""})
username = getParam(request.all_data, "username")
if username:
# We only fill request.User, if we really have a username.
# On endpoints like /auth/rights, this is not available
loginname, realm = split_user(username)
# overwrite the split realm if we have a realm parameter. Default back to default_realm
realm = getParam(request.all_data, "realm", default=realm) or realm or get_default_realm()
# Prefill the request.User. This is used by some pre-event handlers
request.User = User(loginname, realm)
def before_request():
"""
This is executed before the request
"""
ensure_no_config_object()
request.all_data = get_all_params(request.values, request.data)
# get additional request information such as parameters in the
# call path from the view_args
request.all_data.update(request.view_args)
request.User = get_user_from_param(request.all_data)
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
# Create a policy_object, that reads the database audit settings
# and contains the complete policy definition during the request.
# This audit_object can be used in the postpolicy and prepolicy and it
# can be passed to the innerpolicies.
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config, g.startdate)
g.event_config = EventConfiguration()
# access_route contains the ip addresses of all clients, hops and proxies.
g.client_ip = get_client_ip(request, get_from_config(SYSCONF.OVERRIDECLIENT))
# Save the HTTP header in the localproxy object
g.request_headers = request.headers
g.serial = getParam(request.all_data, "serial", default=None)
g.audit_object.log({"success": False,
"action_detail": "",
"client": g.client_ip,
"client_user_agent": request.user_agent.browser,
"privacyidea_server": privacyidea_server,
"action": "{0!s} {1!s}".format(request.method, request.url_rule),
"info": ""})
def before_request():
"""
This is executed before the request
"""
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
# We can add logic to use X-Forwarded-For
g.client_ip = request.remote_addr
g.audit_object.log({
"success":
False,
"client":
g.client_ip,
"client_user_agent":
request.user_agent.browser,
"privacyidea_server":
privacyidea_server,
"action":
"{0!s} {1!s}".format(request.method, request.url_rule),
"action_detail":
"",
"info":
""
})
request.all_data = get_all_params(request.values, request.data)
def before_request():
"""
This is executed before the request
"""
request.all_data = get_all_params(request.values, request.data)
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
# Create a policy_object, that reads the database audit settings
# and contains the complete policy definition during the request.
# This audit_object can be used in the postpolicy and prepolicy and it
# can be passed to the innerpolicies.
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
# access_route contains the ip adresses of all clients, hops and proxies.
g.client_ip = request.access_route[0] if request.access_route else \
request.remote_addr
g.audit_object.log({
"success":
False,
"action_detail":
"",
"client":
g.client_ip,
"client_user_agent":
request.user_agent.browser,
"privacyidea_server":
privacyidea_server,
"action":
"{0!s} {1!s}".format(request.method, request.url_rule),
"info":
""
})
def before_request():
"""
This is executed before the request
"""
ensure_no_config_object()
request.all_data = get_all_params(request.values, request.data)
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
g.event_config = EventConfiguration()
# access_route contains the ip adresses of all clients, hops and proxies.
g.client_ip = get_client_ip(request,
get_from_config(SYSCONF.OVERRIDECLIENT))
g.audit_object.log({
"success":
False,
"client":
g.client_ip,
"client_user_agent":
request.user_agent.browser,
"privacyidea_server":
privacyidea_server,
"action":
"{0!s} {1!s}".format(request.method, request.url_rule),
"action_detail":
"",
"info":
""
})
def before_request():
"""
This is executed before the request
"""
update_config_object()
request.all_data = get_all_params(request.values, request.data)
request.User = get_user_from_param(request.all_data)
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
# Create a policy_object, that reads the database audit settings
# and contains the complete policy definition during the request.
# This audit_object can be used in the postpolicy and prepolicy and it
# can be passed to the innerpolicies.
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
g.event_config = EventConfiguration()
# access_route contains the ip addresses of all clients, hops and proxies.
g.client_ip = get_client_ip(request, get_from_config(SYSCONF.OVERRIDECLIENT))
g.audit_object.log({"success": False,
"action_detail": "",
"client": g.client_ip,
"client_user_agent": request.user_agent.browser,
"privacyidea_server": privacyidea_server,
"action": "{0!s} {1!s}".format(request.method, request.url_rule),
"info": ""})
def before_request():
"""
This is executed before the request.
user_required checks if there is a logged in admin or user
The checks for ONLY admin are preformed in api/system.py
"""
# remove session from param and gather all parameters, either
# from the Form data or from JSON in the request body.
request.all_data = get_all_params(request.values, request.data)
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
g.event_config = EventConfiguration()
# access_route contains the ip adresses of all clients, hops and proxies.
g.client_ip = request.access_route[0] if request.access_route else \
request.remote_addr
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
# Already get some typical parameters to log
serial = getParam(request.all_data, "serial")
realm = getParam(request.all_data, "realm")
user_loginname = ""
if "blueprint_token" in request.endpoint:
# In case of token endpoint we evaluate the user in the request.
# Note: In policy-endpoint "user" is part of the policy configuration
# and will cause an exception
user = get_user_from_param(request.all_data)
user_loginname = user.login
realm = user.realm or realm
g.audit_object.log({"success": False,
"serial": serial,
"user": user_loginname,
"realm": realm,
"client": g.client_ip,
"client_user_agent": request.user_agent.browser,
"privacyidea_server": privacyidea_server,
"action": "{0!s} {1!s}".format(request.method, request.url_rule),
"action_detail": "",
"info": ""})
if g.logged_in_user.get("role") == "user":
# A user is calling this API
# In case the token API is called by the user and not by the admin we
# need to restrict the token view.
CurrentUser = get_user_from_param({"user":
g.logged_in_user.get(
"username"),
"realm": g.logged_in_user.get(
"realm")})
request.all_data["user"] = CurrentUser.login
request.all_data["resolver"] = CurrentUser.resolver
request.all_data["realm"] = CurrentUser.realm
g.audit_object.log({"user": CurrentUser.login,
"realm": CurrentUser.realm})
else:
# An administrator is calling this API
g.audit_object.log({"administrator": g.logged_in_user.get("username")})
def before_request():
"""
This is executed before the request
"""
ensure_no_config_object()
request.all_data = get_all_params(request)
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
# Create a policy_object, that reads the database audit settings
# and contains the complete policy definition during the request.
# This audit_object can be used in the postpolicy and prepolicy and it
# can be passed to the innerpolicies.
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
# access_route contains the ip adresses of all clients, hops and proxies.
g.client_ip = get_client_ip(request,
get_from_config(SYSCONF.OVERRIDECLIENT))
g.serial = getParam(request.all_data, "serial") or None
g.audit_object.log({
"success":
False,
"action_detail":
"",
"client":
g.client_ip,
"client_user_agent":
request.user_agent.browser,
"privacyidea_server":
privacyidea_server,
"action":
"{0!s} {1!s}".format(request.method, request.url_rule),
"info":
""
})
def setUp(self):
pass
self.config = {"PI_AUDIT_MODULE":
"privacyidea.lib.auditmodules.sqlaudit",
"PI_AUDIT_KEY_PRIVATE": "tests/testdata/private.pem",
"PI_AUDIT_KEY_PUBLIC": "tests/testdata/public.pem",
"PI_AUDIT_SQL_URI": "sqlite://"}
self.Audit = getAudit(self.config)
self.Audit.clear()
def __init__(self, *args, **kw):
"""
base controller constructor
:param *args: generic argument array
:param **kw: generic argument dict
:return: None
"""
self.parent = super(WSGIController, self)
self.parent.__init__(*args, **kw)
self.audit = getAudit()
self.audit.initialize()
# make the OpenID SQL Instance globally available
openid_sql = config.get('openid_sql', None)
if openid_sql is None:
try:
openid_storage = SQLStorage()
config['openid_sql'] = openid_storage
except Exception as exx:
config['openid_sql'] = exx
log.error("Failed to configure openid_sql: %r" % exx)
app_setup_done = config.get('app_setup_done', False)
if app_setup_done is False:
try:
setup_app(config)
config['app_setup_done'] = True
except Exception as exx:
config['app_setup_done'] = False
log.error("Failed to serve request: %r" % exx)
raise exx
l_config = init_privacyIDEA_config()
resolver_setup_done = config.get('resolver_setup_done', False)
if resolver_setup_done is False:
try:
cache_dir = config.get("app_conf", {}).get("cache_dir", None)
setupResolvers(config=l_config, cache_dir=cache_dir)
config['resolver_setup_done'] = True
except Exception as exx:
config['resolver_setup_done'] = False
log.error("Failed to setup resolver: %r" % exx)
raise exx
initResolvers()
# Add protection against click jacking
response.headers["X-Frame-Options"] = "SAMEORIGIN"
c.help_url = config.get('help_url')
return
def before_request():
"""
This is executed before the request.
user_required checks if there is a logged in admin or user
The checks for ONLY admin are preformed in api/system.py
"""
# remove session from param and gather all parameters, either
# from the Form data or from JSON in the request body.
request.all_data = get_all_params(request.values, request.data)
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
# We can add logic to use X-Forwarded-For
g.client_ip = request.remote_addr
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
# Already get some typical parameters to log
serial = getParam(request.all_data, "serial")
realm = getParam(request.all_data, "realm")
user = get_user_from_param(request.all_data)
# log it
g.audit_object.log({"success": False,
"serial": serial,
"user": user.login,
"realm": user.realm or realm,
"client": g.client_ip,
"client_user_agent": request.user_agent.browser,
"privacyidea_server": privacyidea_server,
"action": "{0!s} {1!s}".format(request.method, request.url_rule),
"action_detail": "",
"info": ""})
if g.logged_in_user.get("role") == "user":
# A user is calling this API
# In case the token API is called by the user and not by the admin we
# need to restrict the token view.
CurrentUser = get_user_from_param({"user":
g.logged_in_user.get(
"username"),
"realm": g.logged_in_user.get(
"realm")})
request.all_data["user"] = CurrentUser.login
request.all_data["resolver"] = CurrentUser.resolver
request.all_data["realm"] = CurrentUser.realm
g.audit_object.log({"user": CurrentUser.login,
"realm": CurrentUser.realm})
else:
# An administrator is calling this API
g.audit_object.log({"administrator": g.logged_in_user.get("username")})
def before_request():
"""
This is executed before the request
"""
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
g.audit_object.log({"success": False,
"client": request.remote_addr,
"client_user_agent": request.user_agent.browser,
"privacyidea_server": request.host,
"action": "%s %s" % (request.method, request.url_rule),
"action_detail": "",
"info": ""})
request.all_data = get_all_params(request.values, request.data)
def before_request():
"""
This is executed before the request.
user_required checks if there is a logged in admin or user
The checks for ONLY admin are preformed in api/system.py
"""
# remove session from param and gather all parameters, either
# from the Form data or from JSON in the request body.
request.all_data = get_all_params(request.values, request.data)
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
# Already get some typical parameters to log
serial = getParam(request.all_data, "serial")
realm = getParam(request.all_data, "realm")
# log it
g.audit_object.log({
"success": False,
"serial": serial,
"realm": realm,
"client": request.remote_addr,
"client_user_agent": request.user_agent.browser,
"privacyidea_server": request.host,
"action": "%s %s" % (request.method, request.url_rule),
"action_detail": "",
"info": ""
})
if g.logged_in_user.get("role") == "user":
# A user is calling this API
# In case the token API is called by the user and not by the admin we
# need to restrict the token view.
CurrentUser = get_user_from_param({
"user":
g.logged_in_user.get("username"),
"realm":
g.logged_in_user.get("realm")
})
request.all_data["user"] = CurrentUser.login
request.all_data["resolver"] = CurrentUser.resolver
request.all_data["realm"] = CurrentUser.realm
g.audit_object.log({
"user": CurrentUser.login,
"realm": CurrentUser.realm
})
else:
# An administrator is calling this API
g.audit_object.log({"administrator": g.logged_in_user.get("username")})
def event_wrapper(*args, **kwds):
# here we have to evaluate the event configuration from the
# DB table eventhandler and based on the self.eventname etc...
# TODO: do Pre-Event Handling
f_result = func(*args, **kwds)
# Post-Event Handling
e_handles = self.g.event_config.get_handled_events(self.eventname)
for e_handler_def in e_handles:
log.debug("Handling event {eventname} with "
"{eventDef}".format(eventname=self.eventname,
eventDef=e_handler_def))
event_handler_name = e_handler_def.get("handlermodule")
event_handler = get_handler_object(event_handler_name)
# The "action is determined by the event configuration
# In the options we can pass the mailserver configuration
options = {
"request": self.request,
"g": self.g,
"response": f_result,
"handler_def": e_handler_def
}
if event_handler.check_condition(options=options):
log.debug("Handling event {eventname} with options"
"{options}".format(eventname=self.eventname,
options=options))
# create a new audit object
event_audit = getAudit(self.g.audit_object.config)
# copy all values from the originial audit entry
event_audit_data = dict(self.g.audit_object.audit_data)
event_audit_data["action"] = "EVENT {trigger}>>" \
"{handler}:{action}".format(
trigger=self.eventname,
handler=e_handler_def.get("handlermodule"),
action=e_handler_def.get("action"))
event_audit_data["action_detail"] = "{0!s}".format(
e_handler_def.get("options"))
event_audit_data["info"] = e_handler_def.get("name")
event_audit.log(event_audit_data)
event_handler.do(e_handler_def.get("action"),
options=options)
# In case the handler has modified the response
f_result = options.get("response")
# set audit object to success
event_audit.log({"success": True})
event_audit.finalize_log()
return f_result
def event_wrapper(*args, **kwds):
# here we have to evaluate the event configuration from the
# DB table eventhandler and based on the self.eventname etc...
# TODO: do Pre-Event Handling
f_result = func(*args, **kwds)
# Post-Event Handling
e_handles = self.g.event_config.get_handled_events(self.eventname)
for e_handler_def in e_handles:
log.debug("Handling event {eventname} with "
"{eventDef}".format(eventname=self.eventname,
eventDef=e_handler_def))
event_handler_name = e_handler_def.get("handlermodule")
event_handler = get_handler_object(event_handler_name)
# The "action is determined by the event configuration
# In the options we can pass the mailserver configuration
options = {"request": self.request,
"g": self.g,
"response": f_result,
"handler_def": e_handler_def}
if event_handler.check_condition(options=options):
log.debug("Handling event {eventname} with options"
"{options}".format(eventname=self.eventname,
options=options))
# create a new audit object
event_audit = getAudit(self.g.audit_object.config)
# copy all values from the originial audit entry
event_audit_data = dict(self.g.audit_object.audit_data)
event_audit_data["action"] = "EVENT {trigger}>>" \
"{handler}:{action}".format(
trigger=self.eventname,
handler=e_handler_def.get("handlermodule"),
action=e_handler_def.get("action"))
event_audit_data["action_detail"] = "{0!s}".format(
e_handler_def.get("options"))
event_audit_data["info"] = e_handler_def.get("name")
event_audit.log(event_audit_data)
event_handler.do(e_handler_def.get("action"),
options=options)
# In case the handler has modified the response
f_result = options.get("response")
# set audit object to success
event_audit.log({"success": True})
event_audit.finalize_log()
return f_result
def before_request():
"""
This is executed before the request
"""
request.all_data = get_all_params(request.values, request.data)
# Create a policy_object, that reads the database audit settings
# and contains the complete policy definition during the request.
# This audit_object can be used in the postpolicy and prepolicy and it
# can be passed to the innerpolicies.
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
g.audit_object.log({"success": False,
"action_detail": "",
"client": request.remote_addr,
"client_user_agent": request.user_agent.browser,
"privacyidea_server": request.host,
"action": "%s %s" % (request.method, request.url_rule),
"info": ""})
def before_request():
"""
This is executed before the request
"""
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
# We can add logic to use X-Forwarded-For
g.client_ip = request.remote_addr
g.audit_object.log({"success": False,
"client": g.client_ip,
"client_user_agent": request.user_agent.browser,
"privacyidea_server": privacyidea_server,
"action": "{0!s} {1!s}".format(request.method, request.url_rule),
"action_detail": "",
"info": ""})
request.all_data = get_all_params(request.values, request.data)
def before_request():
"""
This is executed before the request
"""
request.all_data = get_all_params(request.values, request.data)
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
# access_route contains the ip adresses of all clients, hops and proxies.
g.client_ip = get_client_ip(request,
get_from_config(SYSCONF.OVERRIDECLIENT))
g.audit_object.log({"success": False,
"client": g.client_ip,
"client_user_agent": request.user_agent.browser,
"privacyidea_server": privacyidea_server,
"action": "{0!s} {1!s}".format(request.method, request.url_rule),
"action_detail": "",
"info": ""})
def before_request():
"""
This is executed before the request
"""
request.all_data = get_all_params(request.values, request.data)
# Create a policy_object, that reads the database audit settings
# and contains the complete policy definition during the request.
# This audit_object can be used in the postpolicy and prepolicy and it
# can be passed to the innerpolicies.
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
g.audit_object.log({
"success": False,
"action_detail": "",
"client": request.remote_addr,
"client_user_agent": request.user_agent.browser,
"privacyidea_server": request.host,
"action": "%s %s" % (request.method, request.url_rule),
"info": ""
})
def before_request():
"""
This is executed before the request
"""
request.all_data = get_all_params(request.values, request.data)
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
# Create a policy_object, that reads the database audit settings
# and contains the complete policy definition during the request.
# This audit_object can be used in the postpolicy and prepolicy and it
# can be passed to the innerpolicies.
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
# We can add logic to use X-Forwarded-For
g.client_ip = request.remote_addr
g.audit_object.log({"success": False,
"action_detail": "",
"client": g.client_ip,
"client_user_agent": request.user_agent.browser,
"privacyidea_server": privacyidea_server,
"action": "{0!s} {1!s}".format(request.method, request.url_rule),
"info": ""})
def before_request():
"""
This is executed before the request.
user_required checks if there is a logged in admin or user
The checks for ONLY admin are preformed in api/system.py
"""
# remove session from param and gather all parameters, either
# from the Form data or from JSON in the request body.
ensure_no_config_object()
request.all_data = get_all_params(request.values, request.data)
if g.logged_in_user.get("role") == "user":
# A user is calling this API. First thing we do is restricting the user parameter.
# ...to restrict token view, audit view or token actions.
request.all_data["user"] = g.logged_in_user.get("username")
request.all_data["realm"] = g.logged_in_user.get("realm")
try:
request.User = get_user_from_param(request.all_data)
# overwrite or set the resolver parameter in case of a logged in user
if g.logged_in_user.get("role") == "user":
request.all_data["resolver"] = request.User.resolver
except AttributeError:
# Some endpoints do not need users OR e.g. the setPolicy endpoint
# takes a list as the userobject
request.User = None
except UserError:
# In cases like the policy API, the parameter "user" is part of the
# policy and will not resolve to a user object
request.User = User()
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
g.event_config = EventConfiguration()
# access_route contains the ip adresses of all clients, hops and proxies.
g.client_ip = get_client_ip(request,
get_from_config(SYSCONF.OVERRIDECLIENT))
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
# Already get some typical parameters to log
serial = getParam(request.all_data, "serial")
if serial:
tokentype = get_token_type(serial)
else:
tokentype = None
if request.User:
audit_username = request.User.login
audit_realm = request.User.realm
audit_resolver = request.User.resolver
else:
audit_realm = getParam(request.all_data, "realm")
audit_resolver = getParam(request.all_data, "resolver")
audit_username = getParam(request.all_data, "user")
g.audit_object.log({
"success":
False,
"serial":
serial,
"user":
audit_username,
"realm":
audit_realm,
"resolver":
audit_resolver,
"token_type":
tokentype,
"client":
g.client_ip,
"client_user_agent":
request.user_agent.browser,
"privacyidea_server":
privacyidea_server,
"action":
"{0!s} {1!s}".format(request.method, request.url_rule),
"action_detail":
"",
"info":
""
})
if g.logged_in_user.get("role") == "admin":
# An administrator is calling this API
g.audit_object.log({"administrator": g.logged_in_user.get("username")})
def before_request():
"""
This is executed before the request.
user_required checks if there is a logged in admin or user
The checks for ONLY admin are preformed in api/system.py
"""
# remove session from param and gather all parameters, either
# from the Form data or from JSON in the request body.
g.config_object = ConfigClass()
request.all_data = get_all_params(request.values, request.data)
try:
request.User = get_user_from_param(request.all_data)
except AttributeError:
# Some endpoints do not need users OR e.g. the setPolicy endpoint
# takes a list as the userobject
request.User = None
except UserError:
# In cases like the policy API, the parameter "user" is part of the
# policy and will not resolve to a user object
pass
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
g.event_config = EventConfiguration()
# access_route contains the ip adresses of all clients, hops and proxies.
g.client_ip = get_client_ip(request,
get_from_config(SYSCONF.OVERRIDECLIENT))
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
# Already get some typical parameters to log
serial = getParam(request.all_data, "serial")
if serial and "**" not in serial:
tokentype = get_token_type(serial)
else:
tokentype = None
realm = getParam(request.all_data, "realm")
user_loginname = ""
resolver = ""
if "token_blueprint" in request.endpoint:
# In case of token endpoint we evaluate the user in the request.
# Note: In policy-endpoint "user" is part of the policy configuration
# and will cause an exception
user = get_user_from_param(request.all_data)
user_loginname = user.login
realm = user.realm or realm
resolver = user.resolver
g.audit_object.log({"success": False,
"serial": serial,
"user": user_loginname,
"realm": realm,
"resolver": resolver,
"token_type": tokentype,
"client": g.client_ip,
"client_user_agent": request.user_agent.browser,
"privacyidea_server": privacyidea_server,
"action": "{0!s} {1!s}".format(request.method, request.url_rule),
"action_detail": "",
"info": ""})
if g.logged_in_user.get("role") == "user":
# A user is calling this API
# In case the token API is called by the user and not by the admin we
# need to restrict the token view.
CurrentUser = get_user_from_param({"user":
g.logged_in_user.get(
"username"),
"realm": g.logged_in_user.get(
"realm")})
request.all_data["user"] = CurrentUser.login
request.all_data["resolver"] = CurrentUser.resolver
request.all_data["realm"] = CurrentUser.realm
g.audit_object.log({"user": CurrentUser.login,
"resolver": CurrentUser.resolver,
"realm": CurrentUser.realm})
else:
# An administrator is calling this API
g.audit_object.log({"administrator": g.logged_in_user.get("username")})
def setUp(self):
self.Audit = getAudit(self.app.config)
self.Audit.clear()
def before_request():
"""
This is executed before the request.
user_required checks if there is a logged in admin or user
The checks for ONLY admin are preformed in api/system.py
"""
# remove session from param and gather all parameters, either
# from the Form data or from JSON in the request body.
request.all_data = get_all_params(request.values, request.data)
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
# We can add logic to use X-Forwarded-For
g.client_ip = request.remote_addr
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
# Already get some typical parameters to log
serial = getParam(request.all_data, "serial")
realm = getParam(request.all_data, "realm")
user_loginname = ""
if "blueprint_token" in request.endpoint:
# In case of token endpoint we evaluate the user in the request.
# Note: In policy-endpoint "user" is part of the policy configuration
# and will cause an exception
user = get_user_from_param(request.all_data)
user_loginname = user.login
realm = user.realm or realm
g.audit_object.log({
"success":
False,
"serial":
serial,
"user":
user_loginname,
"realm":
realm,
"client":
g.client_ip,
"client_user_agent":
request.user_agent.browser,
"privacyidea_server":
privacyidea_server,
"action":
"{0!s} {1!s}".format(request.method, request.url_rule),
"action_detail":
"",
"info":
""
})
if g.logged_in_user.get("role") == "user":
# A user is calling this API
# In case the token API is called by the user and not by the admin we
# need to restrict the token view.
CurrentUser = get_user_from_param({
"user":
g.logged_in_user.get("username"),
"realm":
g.logged_in_user.get("realm")
})
request.all_data["user"] = CurrentUser.login
request.all_data["resolver"] = CurrentUser.resolver
request.all_data["realm"] = CurrentUser.realm
g.audit_object.log({
"user": CurrentUser.login,
"realm": CurrentUser.realm
})
else:
# An administrator is calling this API
g.audit_object.log({"administrator": g.logged_in_user.get("username")})
def setUp(self):
self.Audit = getAudit(self.app.config)
self.assertEqual(self.Audit.name, 'sqlaudit')
self.Audit.clear()
def before_request():
"""
This is executed before the request.
user_required checks if there is a logged in admin or user
The checks for ONLY admin are preformed in api/system.py
"""
# remove session from param and gather all parameters, either
# from the Form data or from JSON in the request body.
g.config_object = ConfigClass()
request.all_data = get_all_params(request.values, request.data)
try:
request.User = get_user_from_param(request.all_data)
except AttributeError:
# Some endpoints do not need users OR e.g. the setPolicy endpoint
# takes a list as the userobject
request.User = None
except UserError:
# In cases like the policy API, the parameter "user" is part of the
# policy and will not resolve to a user object
request.User = User()
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
g.event_config = EventConfiguration()
# access_route contains the ip adresses of all clients, hops and proxies.
g.client_ip = get_client_ip(request,
get_from_config(SYSCONF.OVERRIDECLIENT))
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
# Already get some typical parameters to log
serial = getParam(request.all_data, "serial")
if serial and "**" not in serial:
tokentype = get_token_type(serial)
else:
tokentype = None
realm = getParam(request.all_data, "realm")
user_loginname = ""
resolver = ""
if "token_blueprint" in request.endpoint:
# In case of token endpoint we evaluate the user in the request.
# Note: In policy-endpoint "user" is part of the policy configuration
# and will cause an exception
user = get_user_from_param(request.all_data)
user_loginname = user.login
realm = user.realm or realm
resolver = user.resolver
g.audit_object.log({
"success":
False,
"serial":
serial,
"user":
user_loginname,
"realm":
realm,
"resolver":
resolver,
"token_type":
tokentype,
"client":
g.client_ip,
"client_user_agent":
request.user_agent.browser,
"privacyidea_server":
privacyidea_server,
"action":
"{0!s} {1!s}".format(request.method, request.url_rule),
"action_detail":
"",
"info":
""
})
if g.logged_in_user.get("role") == "user":
# A user is calling this API
# In case the token API is called by the user and not by the admin we
# need to restrict the token view.
CurrentUser = get_user_from_param({
"user":
g.logged_in_user.get("username"),
"realm":
g.logged_in_user.get("realm")
})
request.all_data["user"] = CurrentUser.login
request.all_data["resolver"] = CurrentUser.resolver
request.all_data["realm"] = CurrentUser.realm
g.audit_object.log({
"user": CurrentUser.login,
"resolver": CurrentUser.resolver,
"realm": CurrentUser.realm
})
else:
# An administrator is calling this API
g.audit_object.log({"administrator": g.logged_in_user.get("username")})
def setUp(self):
self.Audit = getAudit(self.app.config)
self.Audit.clear()
