def test_02_set_default_realm(self): (added, failed) = set_realm("realm2", [self.resolvername2]) self.assertTrue(len(added) == 1) self.assertTrue(len(failed) == 0) realm = get_default_realm() self.assertTrue(realm == self.realm1) set_default_realm("realm2") realm = get_default_realm() self.assertTrue(realm == "realm2") set_default_realm() realm = get_default_realm() self.assertTrue(realm is None, realm)
def before_request(): """ This is executed before the request """ ensure_no_config_object() request.all_data = get_all_params(request.values, request.data) privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config) g.event_config = EventConfiguration() # access_route contains the ip adresses of all clients, hops and proxies. g.client_ip = get_client_ip(request, get_from_config(SYSCONF.OVERRIDECLIENT)) g.audit_object.log({"success": False, "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "action_detail": "", "info": ""}) username = getParam(request.all_data, "username") if username: # We only fill request.User, if we really have a username. # On endpoints like /auth/rights, this is not available loginname, realm = split_user(username) # overwrite the split realm if we have a realm parameter. Default back to default_realm realm = getParam(request.all_data, "realm", default=realm) or realm or get_default_realm() # Prefill the request.User. This is used by some pre-event handlers request.User = User(loginname, realm)
def save_pin_change(request, response, serial=None): """ This policy function checks if the next_pin_change date should be stored in the tokeninfo table. 1. Check scope:enrollment and ACTION.CHANGE_PIN_FIRST_USE. This action is used, when the administrator enrolls a token or sets a PIN 2. Check scope:enrollment and ACTION.CHANGE_PIN_EVERY is used, if the user changes the PIN. This function decorates /token/init and /token/setpin. The parameter "pin" and "otppin" is investigated. :param request: :param action: :return: """ policy_object = g.policy_object serial = serial or request.all_data.get("serial") if not serial: # No serial in request, so we look into the response serial = response.json.get("detail", {}).get("serial") if not serial: log.error("Can not determine serial number. Have no idea of any " "realm!") else: # Determine the realm by the serial realm = get_realms_of_token(serial, only_first_realm=True) realm = realm or get_default_realm() if g.logged_in_user.get("role") == ROLE.ADMIN: pinpol = Match.realm(g, scope=SCOPE.ENROLL, action=ACTION.CHANGE_PIN_FIRST_USE, realm=realm).policies() if pinpol: token = get_one_token(serial=serial) token.set_next_pin_change(diff="0d") elif g.logged_in_user.get("role") == ROLE.USER: # Check for parameter "pin" or "otppin". otppin = request.all_data.get("otppin") pin = request.all_data.get("pin") # The user sets a pin or enrolls a token. -> delete the pin_change if otppin or pin: token = get_one_token(serial=serial) token.del_tokeninfo("next_pin_change") # If there is a change_pin_every policy, we need to set the PIN # anew. pinpol = Match.realm(g, scope=SCOPE.ENROLL, action=ACTION.CHANGE_PIN_EVERY, realm=realm).action_values(unique=True) if pinpol: token = get_one_token(serial=serial) token.set_next_pin_change(diff=list(pinpol)[0]) # we do not modify the response! return response
def get_users(realm, include_inactive): app = create_app(config_name="production", config_file="/etc/privacyidea/pi.cfg", silent=True) with app.app_context(): realm = realm or get_default_realm() params = {"realm": realm} ulist = get_user_list(params) active = None if include_inactive: active = True for user in ulist: user_obj = User(user.get("username"), realm, user.get("resolver")) toks = get_tokens(user=user_obj, active=active) if len(toks) == 0: print(user.get("username"))
def get_auth_token(): """ This call verifies the credentials of the user and issues an authentication token, that is used for the later API calls. The authentication token has a validity, that is usually 1 hour. :jsonparam username: The username of the user who wants to authenticate to the API. :jsonparam password: The password/credentials of the user who wants to authenticate to the API. :return: A json response with an authentication token, that needs to be used in any further request. :status 200: in case of success :status 401: if authentication fails **Example Authentication Request**: .. sourcecode:: http POST /auth HTTP/1.1 Host: example.com Accept: application/json username=admin password=topsecret **Example Authentication Response**: .. sourcecode:: http HTTP/1.0 200 OK Content-Length: 354 Content-Type: application/json { "id": 1, "jsonrpc": "2.0", "result": { "status": true, "value": { "token": "eyJhbGciOiJIUz....jdpn9kIjuGRnGejmbFbM" } }, "version": "privacyIDEA unknown" } **Response for failed authentication**: .. sourcecode:: http HTTP/1.1 401 UNAUTHORIZED Content-Type: application/json Content-Length: 203 { "id": 1, "jsonrpc": "2.0", "result": { "error": { "code": -401, "message": "missing Authorization header" }, "status": false }, "version": "privacyIDEA unknown", "config": { "logout_time": 30 } } """ validity = timedelta(hours=1) username = getParam(request.all_data, "username") password = getParam(request.all_data, "password") realm = getParam(request.all_data, "realm") details = {} if username is None: raise AuthError(_("Authentication failure. Missing Username"), id=ERROR.AUTHENTICATE_MISSING_USERNAME) if realm: username = username + "@" + realm # Failsafe to have the user attempt in the log, whatever happens # This can be overwritten later g.audit_object.log({"user": username, "realm": realm}) secret = current_app.secret_key superuser_realms = current_app.config.get("SUPERUSER_REALM", []) # This is the default role for the logged in user. # The role privileges may be risen to "admin" role = ROLE.USER # The way the user authenticated. This could be # "password" = The admin user DB or the user store # "pi" = The admin or the user is authenticated against privacyIDEA # "remote_user" = authenticated by webserver authtype = "password" # Verify the password admin_auth = False user_auth = False loginname, realm = split_user(username) realm = realm or get_default_realm() user_obj = User() # Check if the remote user is allowed if (request.remote_user == username) and is_remote_user_allowed(request): # Authenticated by the Web Server # Check if the username exists # 1. in local admins # 2. in a realm # 2a. is an admin realm authtype = "remote_user " if db_admin_exist(username): role = ROLE.ADMIN admin_auth = True g.audit_object.log({ "success": True, "user": "", "administrator": username, "info": "internal admin" }) else: # check, if the user exists user_obj = User(loginname, realm) g.audit_object.log({ "user": user_obj.login, "realm": user_obj.realm, "info": log_used_user(user_obj) }) if user_obj.exist(): user_auth = True if user_obj.realm in superuser_realms: role = ROLE.ADMIN admin_auth = True elif verify_db_admin(username, password): role = ROLE.ADMIN admin_auth = True # This admin is not in the default realm! realm = "" g.audit_object.log({ "success": True, "user": "", "administrator": username, "info": "internal admin" }) else: # The user could not be identified against the admin database, # so we do the rest of the check options = {"g": g, "clientip": g.client_ip} for key, value in request.all_data.items(): if value and key not in ["g", "clientip"]: options[key] = value user_obj = User(loginname, realm) user_auth, role, details = check_webui_user( user_obj, password, options=options, superuser_realms=superuser_realms) details = details or {} if role == ROLE.ADMIN: g.audit_object.log({ "user": "", "administrator": user_obj.login, "realm": user_obj.realm, "resolver": user_obj.resolver, "serial": details.get('serial', None), "info": u"{0!s}|loginmode={1!s}".format(log_used_user(user_obj), details.get("loginmode")) }) else: g.audit_object.log({ "user": user_obj.login, "realm": user_obj.realm, "resolver": user_obj.resolver, "serial": details.get('serial', None), "info": u"{0!s}|loginmode={1!s}".format(log_used_user(user_obj), details.get("loginmode")) }) if not admin_auth and not user_auth: raise AuthError(_("Authentication failure. Wrong credentials"), id=ERROR.AUTHENTICATE_WRONG_CREDENTIALS, details=details or {}) else: g.audit_object.log({"success": True}) request.User = user_obj # If the HSM is not ready, we need to create the nonce in another way! hsm = init_hsm() if hsm.is_ready: nonce = geturandom(hex=True) # Add the role to the JWT, so that we can verify it internally # Add the authtype to the JWT, so that we could use it for access # definitions rights = g.policy_object.ui_get_rights(role, realm, loginname, g.client_ip) menus = g.policy_object.ui_get_main_menus( { "username": loginname, "role": role, "realm": realm }, g.client_ip) else: import os nonce = hexlify_and_unicode(os.urandom(20)) rights = [] menus = [] # What is the log level? log_level = current_app.config.get("PI_LOGLEVEL", 30) token = jwt.encode( { "username": loginname, "realm": realm, "nonce": nonce, "role": role, "authtype": authtype, "exp": datetime.utcnow() + validity, "rights": rights }, secret, algorithm='HS256').decode('utf8') # Add the role to the response, so that the WebUI can make decisions # based on this (only show selfservice, not the admin part) return send_result( { "token": token, "role": role, "username": loginname, "realm": realm, "log_level": log_level, "rights": rights, "menus": menus }, details=details)
def get_webui_settings(request, response): """ This decorator is used in the /auth API to add configuration information like the logout_time or the policy_template_url to the response. :param request: flask request object :param response: flask response object :return: the response """ content = json.loads(response.data) # check, if the authentication was successful, then we need to do nothing if content.get("result").get("status") is True: role = content.get("result").get("value").get("role") loginname = content.get("result").get("value").get("username") realm = content.get("result").get("value").get("realm") realm = realm or get_default_realm() policy_object = g.policy_object try: client = g.client_ip except Exception: client = None logout_time_pol = policy_object.get_action_values( action=ACTION.LOGOUTTIME, scope=SCOPE.WEBUI, realm=realm, client=client, unique=True) timeout_action_pol = policy_object.get_action_values( action=ACTION.TIMEOUT_ACTION, scope=SCOPE.WEBUI, realm=realm, client=client, unique=True) token_page_size_pol = policy_object.get_action_values( action=ACTION.TOKENPAGESIZE, scope=SCOPE.WEBUI, realm=realm, client=client, unique=True) user_page_size_pol = policy_object.get_action_values( action=ACTION.USERPAGESIZE, scope=SCOPE.WEBUI, realm=realm, client=client, unique=True) token_wizard_2nd = bool( role == ROLE.USER and policy_object.get_policies(action=ACTION.TOKENWIZARD2ND, scope=SCOPE.WEBUI, realm=realm, client=client, active=True)) token_wizard = False if role == ROLE.USER: token_wizard_pol = policy_object.get_policies( action=ACTION.TOKENWIZARD, scope=SCOPE.WEBUI, realm=realm, client=client, active=True) # We also need to check, if the user has not tokens assigned. # If the user has no tokens, we run the wizard. If the user # already has tokens, we do not run the wizard. if token_wizard_pol: token_wizard = get_tokens(user=User(loginname, realm), count=True) == 0 user_details_pol = policy_object.get_policies( action=ACTION.USERDETAILS, scope=SCOPE.WEBUI, realm=realm, client=client, active=True) search_on_enter = policy_object.get_policies( action=ACTION.SEARCH_ON_ENTER, scope=SCOPE.WEBUI, realm=realm, client=client, active=True) hide_welcome = policy_object.get_policies(action=ACTION.HIDE_WELCOME, scope=SCOPE.WEBUI, realm=realm, client=client, active=True) hide_welcome = bool(hide_welcome) default_tokentype_pol = policy_object.get_action_values( action=ACTION.DEFAULT_TOKENTYPE, scope=SCOPE.WEBUI, realm=realm, client=client, unique=True) token_page_size = DEFAULT_PAGE_SIZE user_page_size = DEFAULT_PAGE_SIZE default_tokentype = DEFAULT_TOKENTYPE if len(token_page_size_pol) == 1: token_page_size = int(token_page_size_pol[0]) if len(user_page_size_pol) == 1: user_page_size = int(user_page_size_pol[0]) if len(default_tokentype_pol) == 1: default_tokentype = default_tokentype_pol[0] logout_time = DEFAULT_LOGOUT_TIME if len(logout_time_pol) == 1: logout_time = int(logout_time_pol[0]) timeout_action = DEFAULT_TIMEOUT_ACTION if len(timeout_action_pol) == 1: timeout_action = timeout_action_pol[0] policy_template_url_pol = policy_object.get_action_values( action=ACTION.POLICYTEMPLATEURL, scope=SCOPE.WEBUI, client=client, unique=True) policy_template_url = DEFAULT_POLICY_TEMPLATE_URL if len(policy_template_url_pol) == 1: policy_template_url = policy_template_url_pol[0] content["result"]["value"]["logout_time"] = logout_time content["result"]["value"]["token_page_size"] = token_page_size content["result"]["value"]["user_page_size"] = user_page_size content["result"]["value"]["policy_template_url"] = policy_template_url content["result"]["value"]["default_tokentype"] = default_tokentype content["result"]["value"]["user_details"] = len(user_details_pol) > 0 content["result"]["value"]["token_wizard"] = token_wizard content["result"]["value"]["token_wizard_2nd"] = token_wizard_2nd content["result"]["value"]["search_on_enter"] = len( search_on_enter) > 0 content["result"]["value"]["timeout_action"] = timeout_action content["result"]["value"]["hide_welcome"] = hide_welcome content["result"]["value"][ "subscription_status"] = subscription_status() response.data = json.dumps(content) return response
def get_auth_token(): """ This call verifies the credentials of the user and issues an authentication token, that is used for the later API calls. The authentication token has a validity, that is usually 1 hour. :jsonparam username: The username of the user who wants to authenticate to the API. :jsonparam password: The password/credentials of the user who wants to authenticate to the API. :return: A json response with an authentication token, that needs to be used in any further request. :status 200: in case of success :status 401: if authentication fails **Example Authentication Request**: .. sourcecode:: http POST /auth HTTP/1.1 Host: example.com Accept: application/json username=admin password=topsecret **Example Authentication Response**: .. sourcecode:: http HTTP/1.0 200 OK Content-Length: 354 Content-Type: application/json { "id": 1, "jsonrpc": "2.0", "result": { "status": true, "value": { "token": "eyJhbGciOiJIUz....jdpn9kIjuGRnGejmbFbM" } }, "version": "privacyIDEA unknown" } **Response for failed authentication**: .. sourcecode:: http HTTP/1.1 401 UNAUTHORIZED Content-Type: application/json Content-Length: 203 { "id": 1, "jsonrpc": "2.0", "result": { "error": { "code": -401, "message": "missing Authorization header" }, "status": false }, "version": "privacyIDEA unknown", "config": { "logout_time": 30 } } """ validity = timedelta(hours=1) username = request.all_data.get("username") password = request.all_data.get("password") realm = request.all_data.get("realm") details = {} if realm: username = username + "@" + realm g.audit_object.log({"user": username}) secret = current_app.secret_key superuser_realms = current_app.config.get("SUPERUSER_REALM", []) # This is the default role for the logged in user. # The role privileges may be risen to "admin" role = ROLE.USER # The way the user authenticated. This could be # "password" = The admin user DB or the user store # "pi" = The admin or the user is authenticated against privacyIDEA # "remote_user" = authenticated by webserver authtype = "password" if username is None: raise AuthError("Authentication failure", "missing Username", status=401) # Verify the password admin_auth = False user_auth = False loginname, realm = split_user(username) realm = realm or get_default_realm() # Check if the remote user is allowed if (request.remote_user == username) and is_remote_user_allowed(request): # Authenticated by the Web Server # Check if the username exists # 1. in local admins # 2. in a realm # 2a. is an admin realm authtype = "remote_user " if db_admin_exist(username): role = ROLE.ADMIN admin_auth = True g.audit_object.log({"success": True, "user": "", "administrator": username, "info": "internal admin"}) else: # check, if the user exists user_obj = User(loginname, realm) if user_obj.exist(): user_auth = True if user_obj.realm in superuser_realms: role = ROLE.ADMIN admin_auth = True elif verify_db_admin(username, password): role = ROLE.ADMIN admin_auth = True # This admin is not in the default realm! realm = "" g.audit_object.log({"success": True, "user": "", "administrator": username, "info": "internal admin"}) else: # The user could not be identified against the admin database, # so we do the rest of the check options = {"g": g, "clientip": g.client_ip} for key, value in request.all_data.items(): if value and key not in ["g", "clientip"]: options[key] = value user_obj = User(loginname, realm) user_auth, role, details = check_webui_user(user_obj, password, options=options, superuser_realms= superuser_realms) if role == ROLE.ADMIN: g.audit_object.log({"user": "", "administrator": username}) if not admin_auth and not user_auth: raise AuthError("Authentication failure", "Wrong credentials", status=401, details=details or {}) else: g.audit_object.log({"success": True}) # If the HSM is not ready, we need to create the nonce in another way! hsm = init_hsm() if hsm.is_ready: nonce = geturandom(hex=True) # Add the role to the JWT, so that we can verify it internally # Add the authtype to the JWT, so that we could use it for access # definitions rights = g.policy_object.ui_get_rights(role, realm, loginname, g.client_ip) else: import os import binascii nonce = binascii.hexlify(os.urandom(20)) rights = [] # What is the log level? log_level = current_app.config.get("PI_LOGLEVEL", 30) token = jwt.encode({"username": loginname, "realm": realm, "nonce": nonce, "role": role, "authtype": authtype, "exp": datetime.utcnow() + validity, "rights": rights}, secret) # Add the role to the response, so that the WebUI can make decisions # based on this (only show selfservice, not the admin part) return send_result({"token": token, "role": role, "username": loginname, "realm": realm, "log_level": log_level, "rights": rights}, details=details)
def get_webui_settings(request, response): """ This decorator is used in the /auth API to add configuration information like the logout_time or the policy_template_url to the response. :param request: flask request object :param response: flask response object :return: the response """ content = response.json # check, if the authentication was successful, then we need to do nothing if content.get("result").get("status") is True: role = content.get("result").get("value").get("role") loginname = content.get("result").get("value").get("username") realm = content.get("result").get("value").get("realm") or get_default_realm() # At this point the logged in user is not necessarily a user object. It can # also be a local admin. logout_time_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.LOGOUTTIME, user=loginname, realm=realm).action_values(unique=True) timeout_action_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.TIMEOUT_ACTION, user=loginname, realm=realm).action_values(unique=True) token_page_size_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.TOKENPAGESIZE, user=loginname, realm=realm).action_values(unique=True) user_page_size_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.USERPAGESIZE, user=loginname, realm=realm).action_values(unique=True) token_wizard_2nd = bool(role == ROLE.USER and Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.TOKENWIZARD2ND, user=loginname, realm=realm).policies()) admin_dashboard = (role == ROLE.ADMIN and Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.ADMIN_DASHBOARD, user=loginname, realm=realm).any()) token_wizard = False dialog_no_token = False if role == ROLE.USER: user_obj = User(loginname, realm) user_token_num = get_tokens(user=user_obj, count=True) token_wizard_pol = Match.user(g, scope=SCOPE.WEBUI, action=ACTION.TOKENWIZARD, user_object=user_obj).any() # We also need to check, if the user has not tokens assigned. # If the user has no tokens, we run the wizard. If the user # already has tokens, we do not run the wizard. token_wizard = token_wizard_pol and (user_token_num == 0) dialog_no_token_pol = Match.user(g, scope=SCOPE.WEBUI, action=ACTION.DIALOG_NO_TOKEN, user_object=user_obj).any() dialog_no_token = dialog_no_token_pol and (user_token_num == 0) user_details_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.USERDETAILS, user=loginname, realm=realm).policies() search_on_enter = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SEARCH_ON_ENTER, user=loginname, realm=realm).policies() hide_welcome = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.HIDE_WELCOME, user=loginname, realm=realm).any() hide_buttons = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.HIDE_BUTTONS, user=loginname, realm=realm).any() default_tokentype_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.DEFAULT_TOKENTYPE, user=loginname, realm=realm).action_values(unique=True) show_seed = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_SEED, user=loginname, realm=realm).any() show_node = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_NODE, realm=realm).any() qr_ios_authenticator = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_IOS_AUTHENTICATOR, user=loginname, realm=realm).any() qr_android_authenticator = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_ANDROID_AUTHENTICATOR, user=loginname, realm=realm).any() qr_custom_authenticator_url = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_CUSTOM_AUTHENTICATOR, user=loginname, realm=realm).action_values(unique=True) qr_image_android = create_img(DEFAULT_ANDROID_APP_URL) if qr_android_authenticator else None qr_image_ios = create_img(DEFAULT_IOS_APP_URL) if qr_ios_authenticator else None qr_image_custom = create_img(list(qr_custom_authenticator_url)[0]) if qr_custom_authenticator_url else None token_page_size = DEFAULT_PAGE_SIZE user_page_size = DEFAULT_PAGE_SIZE default_tokentype = DEFAULT_TOKENTYPE if len(token_page_size_pol) == 1: token_page_size = int(list(token_page_size_pol)[0]) if len(user_page_size_pol) == 1: user_page_size = int(list(user_page_size_pol)[0]) if len(default_tokentype_pol) == 1: default_tokentype = list(default_tokentype_pol)[0] logout_time = DEFAULT_LOGOUT_TIME if len(logout_time_pol) == 1: logout_time = int(list(logout_time_pol)[0]) timeout_action = DEFAULT_TIMEOUT_ACTION if len(timeout_action_pol) == 1: timeout_action = list(timeout_action_pol)[0] policy_template_url_pol = Match.action_only(g, scope=SCOPE.WEBUI, action=ACTION.POLICYTEMPLATEURL).action_values(unique=True) policy_template_url = DEFAULT_POLICY_TEMPLATE_URL if len(policy_template_url_pol) == 1: policy_template_url = list(policy_template_url_pol)[0] indexed_preset_attribute = Match.realm(g, scope=SCOPE.WEBUI, action="indexedsecret_preset_attribute", realm=realm).action_values(unique=True) if len(indexed_preset_attribute) == 1: content["result"]["value"]["indexedsecret_preset_attribute"] = list(indexed_preset_attribute)[0] # This only works for users, because the value of the policy does not change while logged in. if role == ROLE.USER and \ Match.user(g, SCOPE.USER, "indexedsecret_force_attribute", user_obj).action_values(unique=False): content["result"]["value"]["indexedsecret_force_attribute"] = 1 content["result"]["value"]["logout_time"] = logout_time content["result"]["value"]["token_page_size"] = token_page_size content["result"]["value"]["user_page_size"] = user_page_size content["result"]["value"]["policy_template_url"] = policy_template_url content["result"]["value"]["default_tokentype"] = default_tokentype content["result"]["value"]["user_details"] = len(user_details_pol) > 0 content["result"]["value"]["token_wizard"] = token_wizard content["result"]["value"]["token_wizard_2nd"] = token_wizard_2nd content["result"]["value"]["admin_dashboard"] = admin_dashboard content["result"]["value"]["dialog_no_token"] = dialog_no_token content["result"]["value"]["search_on_enter"] = len(search_on_enter) > 0 content["result"]["value"]["timeout_action"] = timeout_action content["result"]["value"]["hide_welcome"] = hide_welcome content["result"]["value"]["hide_buttons"] = hide_buttons content["result"]["value"]["show_seed"] = show_seed content["result"]["value"]["show_node"] = get_privacyidea_node() if show_node else "" content["result"]["value"]["subscription_status"] = subscription_status() content["result"]["value"]["qr_image_android"] = qr_image_android content["result"]["value"]["qr_image_ios"] = qr_image_ios content["result"]["value"]["qr_image_custom"] = qr_image_custom response.set_data(json.dumps(content)) return response
def get_webui_settings(request, response): """ This decorator is used in the /auth API to add configuration information like the logout_time or the policy_template_url to the response. :param request: flask request object :param response: flask response object :return: the response """ content = json.loads(response.data) # check, if the authentication was successful, then we need to do nothing if content.get("result").get("status") is True: _role = content.get("result").get("value").get("role") username = content.get("result").get("value").get("username") # get the realm _loginname, realm = split_user(username) if not realm: realm = get_default_realm() policy_object = g.policy_object try: client = request.remote_addr except Exception: client = None logout_time_pol = policy_object.get_action_values( action=ACTION.LOGOUTTIME, scope=SCOPE.WEBUI, realm=realm, client=client, unique=True) token_page_size_pol = policy_object.get_action_values( action=ACTION.TOKENPAGESIZE, scope=SCOPE.WEBUI, realm=realm, client=client, unique=True ) user_page_size_pol = policy_object.get_action_values( action=ACTION.USERPAGESIZE, scope=SCOPE.WEBUI, realm=realm, client=client, unique=True ) user_details_pol = policy_object.get_policies( action=ACTION.USERDETAILS, scope=SCOPE.WEBUI, realm=realm, client=client ) default_tokentype_pol = policy_object.get_action_values( action=ACTION.DEFAULT_TOKENTYPE, scope=SCOPE.WEBUI, realm=realm, client=client, unique=True ) token_page_size = DEFAULT_PAGE_SIZE user_page_size = DEFAULT_PAGE_SIZE default_tokentype = DEFAULT_TOKENTYPE if len(token_page_size_pol) == 1: token_page_size = int(token_page_size_pol[0]) if len(user_page_size_pol) == 1: user_page_size = int(user_page_size_pol[0]) if len(default_tokentype_pol) == 1: default_tokentype = default_tokentype_pol[0] logout_time = DEFAULT_LOGOUT_TIME if len(logout_time_pol) == 1: logout_time = int(logout_time_pol[0]) policy_template_url_pol = policy_object.get_action_values( action=ACTION.POLICYTEMPLATEURL, scope=SCOPE.WEBUI, client=client, unique=True) policy_template_url = DEFAULT_POLICY_TEMPLATE_URL if len(policy_template_url_pol) == 1: policy_template_url = policy_template_url_pol[0] content["result"]["value"]["logout_time"] = logout_time content["result"]["value"]["token_page_size"] = token_page_size content["result"]["value"]["user_page_size"] = user_page_size content["result"]["value"]["policy_template_url"] = policy_template_url content["result"]["value"]["default_tokentype"] = default_tokentype content["result"]["value"]["user_details"] = len(user_details_pol) > 0 response.data = json.dumps(content) return response
def get_webui_settings(request, response): """ This decorator is used in the /auth API to add configuration information like the logout_time or the policy_template_url to the response. :param request: flask request object :param response: flask response object :return: the response """ content = json.loads(response.data) # check, if the authentication was successful, then we need to do nothing if content.get("result").get("status") is True: role = content.get("result").get("value").get("role") loginname = content.get("result").get("value").get("username") realm = content.get("result").get("value").get("realm") realm = realm or get_default_realm() policy_object = g.policy_object try: client = g.client_ip except Exception: client = None logout_time_pol = policy_object.get_action_values( action=ACTION.LOGOUTTIME, scope=SCOPE.WEBUI, realm=realm, client=client, unique=True) token_page_size_pol = policy_object.get_action_values( action=ACTION.TOKENPAGESIZE, scope=SCOPE.WEBUI, realm=realm, client=client, unique=True ) user_page_size_pol = policy_object.get_action_values( action=ACTION.USERPAGESIZE, scope=SCOPE.WEBUI, realm=realm, client=client, unique=True ) token_wizard_2nd = bool(role == ROLE.USER and policy_object.get_policies(action=ACTION.TOKENWIZARD2ND, scope=SCOPE.WEBUI, realm=realm, client=client)) token_wizard = False if role == ROLE.USER: token_wizard_pol = policy_object.get_policies( action=ACTION.TOKENWIZARD, scope=SCOPE.WEBUI, realm=realm, client=client ) # We also need to check, if the user has not tokens assigned. # If the user has no tokens, we run the wizard. If the user # already has tokens, we do not run the wizard. if token_wizard_pol: token_wizard = get_tokens(user=User(loginname, realm), count=True) == 0 user_details_pol = policy_object.get_policies( action=ACTION.USERDETAILS, scope=SCOPE.WEBUI, realm=realm, client=client ) default_tokentype_pol = policy_object.get_action_values( action=ACTION.DEFAULT_TOKENTYPE, scope=SCOPE.WEBUI, realm=realm, client=client, unique=True ) token_page_size = DEFAULT_PAGE_SIZE user_page_size = DEFAULT_PAGE_SIZE default_tokentype = DEFAULT_TOKENTYPE if len(token_page_size_pol) == 1: token_page_size = int(token_page_size_pol[0]) if len(user_page_size_pol) == 1: user_page_size = int(user_page_size_pol[0]) if len(default_tokentype_pol) == 1: default_tokentype = default_tokentype_pol[0] logout_time = DEFAULT_LOGOUT_TIME if len(logout_time_pol) == 1: logout_time = int(logout_time_pol[0]) policy_template_url_pol = policy_object.get_action_values( action=ACTION.POLICYTEMPLATEURL, scope=SCOPE.WEBUI, client=client, unique=True) policy_template_url = DEFAULT_POLICY_TEMPLATE_URL if len(policy_template_url_pol) == 1: policy_template_url = policy_template_url_pol[0] content["result"]["value"]["logout_time"] = logout_time content["result"]["value"]["token_page_size"] = token_page_size content["result"]["value"]["user_page_size"] = user_page_size content["result"]["value"]["policy_template_url"] = policy_template_url content["result"]["value"]["default_tokentype"] = default_tokentype content["result"]["value"]["user_details"] = len(user_details_pol) > 0 content["result"]["value"]["token_wizard"] = token_wizard content["result"]["value"]["token_wizard_2nd"] = token_wizard_2nd response.data = json.dumps(content) return response
def save_pin_change(request, response, serial=None): """ This policy function checks if the next_pin_change date should be stored in the tokeninfo table. 1. Check scope:enrollment and ACTION.CHANGE_PIN_FIRST_USE. This action is used, when the administrator enrolls a token or sets a PIN 2. Check scope:enrollment and ACTION.CHANGE_PIN_EVERY is used, if the user changes the PIN. This function decorates /token/init and /token/setpin. The parameter "pin" and "otppin" is investigated. :param request: :param action: :return: """ content = json.loads(response.data) policy_object = g.policy_object serial = serial or request.all_data.get("serial") if not serial: # No serial in request, so we look into the response serial = content.get("detail", {}).get("serial") if not serial: log.error("Can not determine serial number. Have no idea of any " "realm!") else: # Determine the realm by the serial realm = get_realms_of_token(serial, only_first_realm=True) realm = realm or get_default_realm() if g.logged_in_user.get("role") == ROLE.ADMIN: pinpol = policy_object.get_policies(action=ACTION.CHANGE_PIN_FIRST_USE, scope=SCOPE.ENROLL, realm=realm, client=g.client_ip, active=True) if pinpol: token = get_tokens(serial=serial)[0] token.set_next_pin_change(diff="0d") elif g.logged_in_user.get("role") == ROLE.USER: # Check for parameter "pin" or "otppin". otppin = request.all_data.get("otppin") pin = request.all_data.get("pin") # The user sets a pin or enrolls a token. -> delete the pin_change if otppin or pin: token = get_tokens(serial=serial)[0] token.del_tokeninfo("next_pin_change") # If there is a change_pin_every policy, we need to set the PIN # anew. pinpol = policy_object.get_action_values( ACTION.CHANGE_PIN_EVERY, scope=SCOPE.ENROLL, realm=realm, client=g.client_ip, unique=True) if pinpol: token = get_tokens(serial=serial)[0] token.set_next_pin_change(diff=pinpol[0]) # we do not modify the response! return response
def get_webui_settings(request, response): """ This decorator is used in the /auth API to add configuration information like the logout_time or the policy_template_url to the response. :param request: flask request object :param response: flask response object :return: the response """ content = response.json # check, if the authentication was successful, then we need to do nothing if content.get("result").get("status") is True: role = content.get("result").get("value").get("role") loginname = content.get("result").get("value").get("username") realm = content.get("result").get("value").get("realm") realm = realm or get_default_realm() logout_time_pol = Match.realm(g, scope=SCOPE.WEBUI, action=ACTION.LOGOUTTIME, realm=realm).action_values(unique=True) timeout_action_pol = Match.realm( g, scope=SCOPE.WEBUI, action=ACTION.TIMEOUT_ACTION, realm=realm).action_values(unique=True) token_page_size_pol = Match.realm( g, scope=SCOPE.WEBUI, action=ACTION.TOKENPAGESIZE, realm=realm).action_values(unique=True) user_page_size_pol = Match.realm( g, scope=SCOPE.WEBUI, action=ACTION.USERPAGESIZE, realm=realm).action_values(unique=True) token_wizard_2nd = (role == ROLE.USER and Match.realm( g, scope=SCOPE.WEBUI, action=ACTION.TOKENWIZARD2ND, realm=realm).policies()) token_wizard = False dialog_no_token = False if role == ROLE.USER: user_obj = User(loginname, realm) user_token_num = get_tokens(user=user_obj, count=True) token_wizard_pol = Match.user(g, scope=SCOPE.WEBUI, action=ACTION.TOKENWIZARD, user_object=user_obj).any() # We also need to check, if the user has not tokens assigned. # If the user has no tokens, we run the wizard. If the user # already has tokens, we do not run the wizard. token_wizard = token_wizard_pol and (user_token_num == 0) dialog_no_token_pol = Match.user(g, scope=SCOPE.WEBUI, action=ACTION.DIALOG_NO_TOKEN, user_object=user_obj).any() dialog_no_token = dialog_no_token_pol and (user_token_num == 0) user_details_pol = Match.realm(g, scope=SCOPE.WEBUI, action=ACTION.USERDETAILS, realm=realm).policies() search_on_enter = Match.realm(g, scope=SCOPE.WEBUI, action=ACTION.SEARCH_ON_ENTER, realm=realm).policies() hide_welcome = Match.realm(g, scope=SCOPE.WEBUI, action=ACTION.HIDE_WELCOME, realm=realm).any() hide_buttons = Match.realm(g, scope=SCOPE.WEBUI, action=ACTION.HIDE_BUTTONS, realm=realm).any() default_tokentype_pol = Match.realm( g, scope=SCOPE.WEBUI, action=ACTION.DEFAULT_TOKENTYPE, realm=realm).action_values(unique=True) show_seed = Match.realm(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_SEED, realm=realm).any() token_page_size = DEFAULT_PAGE_SIZE user_page_size = DEFAULT_PAGE_SIZE default_tokentype = DEFAULT_TOKENTYPE if len(token_page_size_pol) == 1: token_page_size = int(list(token_page_size_pol)[0]) if len(user_page_size_pol) == 1: user_page_size = int(list(user_page_size_pol)[0]) if len(default_tokentype_pol) == 1: default_tokentype = list(default_tokentype_pol)[0] logout_time = DEFAULT_LOGOUT_TIME if len(logout_time_pol) == 1: logout_time = int(list(logout_time_pol)[0]) timeout_action = DEFAULT_TIMEOUT_ACTION if len(timeout_action_pol) == 1: timeout_action = list(timeout_action_pol)[0] policy_template_url_pol = Match.action_only( g, scope=SCOPE.WEBUI, action=ACTION.POLICYTEMPLATEURL).action_values(unique=True) policy_template_url = DEFAULT_POLICY_TEMPLATE_URL if len(policy_template_url_pol) == 1: policy_template_url = list(policy_template_url_pol)[0] content["result"]["value"]["logout_time"] = logout_time content["result"]["value"]["token_page_size"] = token_page_size content["result"]["value"]["user_page_size"] = user_page_size content["result"]["value"]["policy_template_url"] = policy_template_url content["result"]["value"]["default_tokentype"] = default_tokentype content["result"]["value"]["user_details"] = len(user_details_pol) > 0 content["result"]["value"]["token_wizard"] = token_wizard content["result"]["value"]["token_wizard_2nd"] = token_wizard_2nd content["result"]["value"]["dialog_no_token"] = dialog_no_token content["result"]["value"]["search_on_enter"] = len( search_on_enter) > 0 content["result"]["value"]["timeout_action"] = timeout_action content["result"]["value"]["hide_welcome"] = hide_welcome content["result"]["value"]["hide_buttons"] = hide_buttons content["result"]["value"]["show_seed"] = show_seed content["result"]["value"][ "subscription_status"] = subscription_status() response.set_data(json.dumps(content)) return response
def get_auth_token(): """ This call verifies the credentials of the user and issues an authentication token, that is used for the later API calls. The authentication token has a validity, that is usually 1 hour. :jsonparam username: The username of the user who wants to authenticate to the API. :type username: basestring :jsonparam password: The password/credentials of the user who wants to authenticate to the API. :return: A json response with an authentication token, that needs to be used in any further request. :status 200: in case of success :status 401: if authentication fails **Example Authentication Request**: .. sourcecode:: http POST /auth HTTP/1.1 Host: example.com Accept: application/json username=admin password=topsecret **Example Authentication Response**: .. sourcecode:: http HTTP/1.0 200 OK Content-Length: 354 Content-Type: application/json { "id": 1, "jsonrpc": "2.0", "result": { "status": true, "value": { "token": "eyJhbGciOiJIUz....jdpn9kIjuGRnGejmbFbM" } }, "version": "privacyIDEA unknown" } **Response for failed authentication**: .. sourcecode:: http HTTP/1.1 401 UNAUTHORIZED Content-Type: application/json Content-Length: 203 { "id": 1, "jsonrpc": "2.0", "result": { "error": { "code": -401, "message": "missing Authorization header" }, "status": false }, "version": "privacyIDEA unknown", "config": { "logout_time": 30 } } """ validity = timedelta(hours=1) username = request.all_data.get("username") password = request.all_data.get("password") realm = "" secret = current_app.secret_key # This is the default role for the logged in user. # The role privileges may be risen to "admin" role = ROLE.USER # The way the user authenticated. This could be # "password" = The admin user DB or the user store # "pi" = The admin or the user is authenticated against privacyIDEA authtype = "password" if username is None: raise AuthError("Authentication failure", "missing Username", status=401) # Verify the password admin_auth = False user_auth = False if verify_db_admin(username, password): role = ROLE.ADMIN admin_auth = True if not admin_auth: # The user could not be identified against the admin database, # so we do the rest of the check username, realm = split_user(username) realm = realm or get_default_realm() user_obj = User(username, realm) options = {"g": g, "clientip": request.remote_addr} transaction_id = getParam(request.all_data, "transaction_id") state = getParam(request.all_data, "state") if transaction_id: options["transaction_id"] = transaction_id if state: options["state"] = state superuser_realms = current_app.config.get("SUPERUSER_REALM", []) user_auth, role, details = check_webui_user(user_obj, password, options=options, superuser_realms= superuser_realms) # The details with the transaction_id are raised with the AuthError details = details or {} if not admin_auth and not user_auth: raise AuthError("Authentication failure", "Wrong credentials", status=401, details=details) # Add the role to the JWT, so that we can verify it internally # Add the authtype to the JWT, so that we could use it for access # definitions token = jwt.encode({"username": username, "realm": realm, "nonce": geturandom(hex=True), "role": role, "authtype": authtype, "exp": datetime.utcnow() + validity, "rights": "TODO"}, secret) g.audit_object.log({"success": True, "administrator": username, "jwt_token": token}) # Add the role to the response, so that the WebUI can make decisions # based on this (only show selfservice, not the admin part) return send_result({"token": token, "role": role, "username": username, "realm": realm, "rights": "TODO"})
def get_webui_settings(request, response): """ This decorator is used in the /auth API to add configuration information like the logout_time or the policy_template_url to the response. :param request: flask request object :param response: flask response object :return: the response """ content = json.loads(response.data) # check, if the authentication was successful, then we need to do nothing if content.get("result").get("status") is True: _role = content.get("result").get("value").get("role") username = content.get("result").get("value").get("username") # get the realm _loginname, realm = split_user(username) if not realm: realm = get_default_realm() policy_object = g.policy_object try: client = request.remote_addr except Exception: client = None logout_time_pol = policy_object.get_action_values( action=ACTION.LOGOUTTIME, scope=SCOPE.WEBUI, realm=realm, client=client, unique=True) token_page_size_pol = policy_object.get_action_values( action=ACTION.TOKENPAGESIZE, scope=SCOPE.WEBUI, realm=realm, client=client, unique=True) user_page_size_pol = policy_object.get_action_values( action=ACTION.USERPAGESIZE, scope=SCOPE.WEBUI, realm=realm, client=client, unique=True) user_details_pol = policy_object.get_policies( action=ACTION.USERDETAILS, scope=SCOPE.WEBUI, realm=realm, client=client) default_tokentype_pol = policy_object.get_action_values( action=ACTION.DEFAULT_TOKENTYPE, scope=SCOPE.WEBUI, realm=realm, client=client, unique=True) token_page_size = DEFAULT_PAGE_SIZE user_page_size = DEFAULT_PAGE_SIZE default_tokentype = DEFAULT_TOKENTYPE if len(token_page_size_pol) == 1: token_page_size = int(token_page_size_pol[0]) if len(user_page_size_pol) == 1: user_page_size = int(user_page_size_pol[0]) if len(default_tokentype_pol) == 1: default_tokentype = default_tokentype_pol[0] logout_time = DEFAULT_LOGOUT_TIME if len(logout_time_pol) == 1: logout_time = int(logout_time_pol[0]) policy_template_url_pol = policy_object.get_action_values( action=ACTION.POLICYTEMPLATEURL, scope=SCOPE.WEBUI, client=client, unique=True) policy_template_url = DEFAULT_POLICY_TEMPLATE_URL if len(policy_template_url_pol) == 1: policy_template_url = policy_template_url_pol[0] content["result"]["value"]["logout_time"] = logout_time content["result"]["value"]["token_page_size"] = token_page_size content["result"]["value"]["user_page_size"] = user_page_size content["result"]["value"]["policy_template_url"] = policy_template_url content["result"]["value"]["default_tokentype"] = default_tokentype content["result"]["value"]["user_details"] = len(user_details_pol) > 0 response.data = json.dumps(content) return response