def save_pin_change(request, response, serial=None):
"""
This policy function checks if the next_pin_change date should be
stored in the tokeninfo table.
1. Check scope:enrollment and
ACTION.CHANGE_PIN_FIRST_USE.
This action is used, when the administrator enrolls a token or sets a PIN
2. Check scope:enrollment and
ACTION.CHANGE_PIN_EVERY is used, if the user changes the PIN.
This function decorates /token/init and /token/setpin. The parameter
"pin" and "otppin" is investigated.
:param request:
:param action:
:return:
"""
policy_object = g.policy_object
serial = serial or request.all_data.get("serial")
if not serial:
# No serial in request, so we look into the response
serial = response.json.get("detail", {}).get("serial")
if not serial:
log.error("Can not determine serial number. Have no idea of any "
"realm!")
else:
# Determine the realm by the serial
realm = get_realms_of_token(serial, only_first_realm=True)
realm = realm or get_default_realm()
if g.logged_in_user.get("role") == ROLE.ADMIN:
pinpol = Match.realm(g, scope=SCOPE.ENROLL, action=ACTION.CHANGE_PIN_FIRST_USE,
realm=realm).policies()
if pinpol:
token = get_one_token(serial=serial)
token.set_next_pin_change(diff="0d")
elif g.logged_in_user.get("role") == ROLE.USER:
# Check for parameter "pin" or "otppin".
otppin = request.all_data.get("otppin")
pin = request.all_data.get("pin")
# The user sets a pin or enrolls a token. -> delete the pin_change
if otppin or pin:
token = get_one_token(serial=serial)
token.del_tokeninfo("next_pin_change")
# If there is a change_pin_every policy, we need to set the PIN
# anew.
pinpol = Match.realm(g, scope=SCOPE.ENROLL, action=ACTION.CHANGE_PIN_EVERY,
realm=realm).action_values(unique=True)
if pinpol:
token = get_one_token(serial=serial)
token.set_next_pin_change(diff=list(pinpol)[0])
# we do not modify the response!
return response
def poll_transaction(transaction_id=None):
"""
Given a mandatory transaction ID, check if any non-expired challenge for this transaction ID
has been answered. In this case, return true. If this is not the case, return false.
This endpoint also returns false if no challenge with the given transaction ID exists.
This is mostly useful for out-of-band tokens that should poll this endpoint
to determine when to send an authentication request to ``/validate/check``.
:jsonparam transaction_id: a transaction ID
"""
if transaction_id is None:
transaction_id = getParam(request.all_data, "transaction_id", required)
# Fetch a list of non-exired challenges with the given transaction ID
# and determine whether it contains at least one non-expired answered challenge.
matching_challenges = [
challenge
for challenge in get_challenges(transaction_id=transaction_id)
if challenge.is_valid()
]
answered_challenges = extract_answered_challenges(matching_challenges)
if answered_challenges:
result = True
log_challenges = answered_challenges
else:
result = False
log_challenges = matching_challenges
# We now determine the information that should be written to the audit log:
# * If there are no answered valid challenges, we log all token serials of challenges matching
# the transaction ID and the corresponding token owner
# * If there are any answered valid challenges, we log their token serials and the corresponding user
if log_challenges:
g.audit_object.log({
"serial":
",".join(challenge.serial for challenge in log_challenges),
})
# The token owner should be the same for all matching transactions
user = get_one_token(serial=log_challenges[0].serial).user
if user:
g.audit_object.log({
"user": user.login,
"resolver": user.resolver,
"realm": user.realm,
})
# In any case, we log the transaction ID
g.audit_object.log({
"info": u"transaction_id: {}".format(transaction_id),
"success": result
})
return send_result(result)
def remove_other_tokens(serial, username, realm):
user_obj = User(login=username, realm=realm)
# get the token which was enrolled during the triggering /token/init
token_obj = get_one_token(serial=serial, user=user_obj)
if token_obj:
tokentype = token_obj.type if REMOVE_OTHER_TOKENS_PER == "type" else None
active = True if ONLY_ACTIVE is True else None
# remove tokens if any
for tok in get_tokens(user=user_obj, tokentype=tokentype, active=active,
tokeninfo=TOKENINFO or None):
if tok.token.serial and tok.token.serial != serial:
remove_token(serial=tok.token.serial)
log.debug("- Remove token with serial {0!s}".format(tok.token.serial))
# check remaining tokens
remaining_tokens = get_tokens(user=user_obj)
log.debug("User {0!s}@{1!s} has {2!s} remaining tokens."
"".format(username, realm, len(remaining_tokens)))
for tok in remaining_tokens:
log.debug("~ a {0!s} token with serial {1!s}".format(tok.type.upper(),
tok.token.serial))
def _api_endpoint_get(cls, g, request_data):
""" Handle all GET requests to the api endpoint.
Currently this is only used for polling.
:param g: The Flask context
:param request_data: Dictionary containing the parameters of the request
:type request_data: dict
:returns: Result of the polling operation, 'True' if an unanswered and
matching challenge exists, 'False' otherwise.
:rtype: bool
"""
# By default we allow polling if the policy is not set.
allow_polling = get_action_values_from_options(
SCOPE.AUTH, PUSH_ACTION.ALLOW_POLLING,
options={'g': g}) or PushAllowPolling.ALLOW
if allow_polling == PushAllowPolling.DENY:
raise PolicyError('Polling not allowed!')
serial = getParam(request_data, "serial", optional=False)
timestamp = getParam(request_data, 'timestamp', optional=False)
signature = getParam(request_data, 'signature', optional=False)
# first check if the timestamp is in the required span
cls._check_timestamp_in_range(timestamp, POLL_TIME_WINDOW)
# now check the signature
# first get the token
try:
tok = get_one_token(serial=serial, tokentype=cls.get_class_type())
# If the push_allow_polling policy is set to "token" we also
# need to check the POLLING_ALLOWED tokeninfo. If it evaluated
# to 'False', polling is not allowed for this token. If the
# tokeninfo value evaluates to 'True' or is not set at all,
# polling is allowed for this token.
if allow_polling == PushAllowPolling.TOKEN:
if not is_true(
tok.get_tokeninfo(POLLING_ALLOWED, default='True')):
log.debug('Polling not allowed for pushtoken {0!s} due to '
'tokeninfo.'.format(serial))
raise PolicyError('Polling not allowed!')
pubkey_obj = _build_verify_object(
tok.get_tokeninfo(PUBLIC_KEY_SMARTPHONE))
sign_data = u"{serial}|{timestamp}".format(**request_data)
pubkey_obj.verify(b32decode(signature), sign_data.encode("utf8"),
padding.PKCS1v15(), hashes.SHA256())
# The signature was valid now check for an open challenge
# we need the private server key to sign the smartphone data
pem_privkey = tok.get_tokeninfo(PRIVATE_KEY_SERVER)
# We need the registration URL for the challenge
registration_url = get_action_values_from_options(
SCOPE.ENROLL, PUSH_ACTION.REGISTRATION_URL, options={'g': g})
if not registration_url:
raise ResourceNotFoundError(
'There is no registration_url defined for the '
' pushtoken {0!s}. You need to define a push_registration_url '
'in an enrollment policy.'.format(serial))
options = {'g': g}
challenges = []
challengeobject_list = get_challenges(serial=serial)
for chal in challengeobject_list:
# check if the challenge is active and not already answered
_cnt, answered = chal.get_otp_status()
if not answered and chal.is_valid():
# then return the necessary smartphone data to answer
# the challenge
sp_data = _build_smartphone_data(serial, chal.challenge,
registration_url,
pem_privkey, options)
challenges.append(sp_data)
# return the challenges as a list in the result value
result = challenges
except (ResourceNotFoundError, ParameterError, InvalidSignature,
ConfigAdminError, BinasciiError) as e:
# to avoid disclosing information we always fail with an invalid
# signature error even if the token with the serial could not be found
log.debug('{0!s}'.format(traceback.format_exc()))
log.info('The following error occurred during the signature '
'check: "{0!r}"'.format(e))
raise privacyIDEAError('Could not verify signature!')
return result
def _api_endpoint_post(cls, request_data):
""" Handle all POST requests to the api endpoint
:param request_data: Dictionary containing the parameters of the request
:type request_data: dict
:returns: The result of handling the request and a dictionary containing
the details of the request handling
:rtype: (bool, dict)
"""
details = {}
result = False
serial = getParam(request_data, "serial", optional=False)
if all(k in request_data for k in ("fbtoken", "pubkey")):
log.debug("Do the 2nd step of the enrollment.")
try:
token_obj = get_one_token(
serial=serial,
tokentype="push",
rollout_state=ROLLOUTSTATE.CLIENTWAIT)
token_obj.update(request_data)
except ResourceNotFoundError:
raise ResourceNotFoundError(
"No token with this serial number "
"in the rollout state 'clientwait'.")
init_detail_dict = request_data
details = token_obj.get_init_detail(init_detail_dict)
result = True
elif all(k in request_data for k in ("nonce", "signature")):
log.debug(
"Handling the authentication response from the smartphone.")
challenge = getParam(request_data, "nonce")
signature = getParam(request_data, "signature")
# get the token_obj for the given serial:
token_obj = get_one_token(serial=serial, tokentype="push")
pubkey_obj = _build_verify_object(
token_obj.get_tokeninfo(PUBLIC_KEY_SMARTPHONE))
# Do the 2nd step of the authentication
# Find valid challenges
challengeobject_list = get_challenges(serial=serial,
challenge=challenge)
if challengeobject_list:
# There are valid challenges, so we check this signature
for chal in challengeobject_list:
# verify the signature of the nonce
sign_data = u"{0!s}|{1!s}".format(challenge, serial)
try:
pubkey_obj.verify(b32decode(signature),
sign_data.encode("utf8"),
padding.PKCS1v15(), hashes.SHA256())
# The signature was valid
log.debug(
"Found matching challenge {0!s}.".format(chal))
chal.set_otp_status(True)
chal.save()
result = True
except InvalidSignature as _e:
pass
elif all(k in request_data
for k in ('new_fb_token', 'timestamp', 'signature')):
timestamp = getParam(request_data, 'timestamp', optional=False)
signature = getParam(request_data, 'signature', optional=False)
# first check if the timestamp is in the required span
cls._check_timestamp_in_range(timestamp, UPDATE_FB_TOKEN_WINDOW)
try:
tok = get_one_token(serial=serial,
tokentype=cls.get_class_type())
pubkey_obj = _build_verify_object(
tok.get_tokeninfo(PUBLIC_KEY_SMARTPHONE))
sign_data = u"{new_fb_token}|{serial}|{timestamp}".format(
**request_data)
pubkey_obj.verify(b32decode(signature),
sign_data.encode("utf8"), padding.PKCS1v15(),
hashes.SHA256())
# If the timestamp and signature are valid we update the token
tok.add_tokeninfo('firebase_token',
request_data['new_fb_token'])
result = True
except (ResourceNotFoundError, ParameterError, TypeError,
InvalidSignature, ConfigAdminError, BinasciiError) as e:
# to avoid disclosing information we always fail with an invalid
# signature error even if the token with the serial could not be found
log.debug('{0!s}'.format(traceback.format_exc()))
log.info('The following error occurred during the signature '
'check: "{0!r}"'.format(e))
raise privacyIDEAError('Could not verify signature!')
else:
raise ParameterError("Missing parameters!")
return result, details
def api_endpoint(cls, request, g):
"""
This provides a function which is called by the API endpoint
``/ttype/push`` which is defined in :doc:`../../api/ttype`
The method returns a tuple ``("json", {})``
This endpoint provides several functionalities:
- It is used for the 2nd enrollment step of the smartphone.
It accepts the following parameters:
.. sourcecode:: http
POST /ttype/push HTTP/1.1
Host: https://yourprivacyideaserver
serial=<token serial>
fbtoken=<firebase token>
pubkey=<public key>
- It is also used when the smartphone sends the signed response
to the challenge during authentication. The following parameters ar accepted:
.. sourcecode:: http
POST /ttype/push HTTP/1.1
Host: https://yourprivacyideaserver
serial=<token serial>
nonce=<the actual challenge>
signature=<the signed nonce>
- And it also acts as an endpoint for polling challenges:
.. sourcecode:: http
GET /ttype/push HTTP/1.1
Host: https://yourprivacyideaserver
serial=<tokenserial>
timestamp=<timestamp>
signature=SIGNATURE(<tokenserial>|<timestamp>)
More on polling can be found here: https://github.com/privacyidea/privacyidea/wiki/concept%3A-pushtoken-poll
:param request: The Flask request
:param g: The Flask global object g
:return: The json string representing the result dictionary
:rtype: tuple("json", str)
"""
details = {}
result = False
if request.method == 'POST':
serial = getParam(request.all_data, "serial", optional=False)
if serial and "fbtoken" in request.all_data and "pubkey" in request.all_data:
log.debug("Do the 2nd step of the enrollment.")
try:
token_obj = get_one_token(serial=serial,
tokentype="push",
rollout_state="clientwait")
token_obj.update(request.all_data)
except ResourceNotFoundError:
raise ResourceNotFoundError(
"No token with this serial number "
"in the rollout state 'clientwait'.")
init_detail_dict = request.all_data
details = token_obj.get_init_detail(init_detail_dict)
result = True
elif serial and "nonce" in request.all_data and "signature" in request.all_data:
log.debug(
"Handling the authentication response from the smartphone."
)
challenge = getParam(request.all_data, "nonce")
serial = getParam(request.all_data, "serial")
signature = getParam(request.all_data, "signature")
# get the token_obj for the given serial:
token_obj = get_one_token(serial=serial, tokentype="push")
pubkey_obj = _build_verify_object(
token_obj.get_tokeninfo(PUBLIC_KEY_SMARTPHONE))
# Do the 2nd step of the authentication
# Find valid challenges
challengeobject_list = get_challenges(serial=serial,
challenge=challenge)
if challengeobject_list:
# There are valid challenges, so we check this signature
for chal in challengeobject_list:
# verify the signature of the nonce
sign_data = u"{0!s}|{1!s}".format(challenge, serial)
try:
pubkey_obj.verify(b32decode(signature),
sign_data.encode("utf8"),
padding.PKCS1v15(),
hashes.SHA256())
# The signature was valid
log.debug(
"Found matching challenge {0!s}.".format(chal))
chal.set_otp_status(True)
chal.save()
result = True
except InvalidSignature as _e:
pass
else:
raise ParameterError("Missing parameters!")
elif request.method == 'GET':
# This is only used for polling
# By default we allow polling if the policy is not set.
allow_polling = get_action_values_from_options(
SCOPE.AUTH, PUSH_ACTION.ALLOW_POLLING,
options={'g': g}) or PushAllowPolling.ALLOW
if allow_polling == PushAllowPolling.DENY:
raise PolicyError('Polling not allowed!')
serial = getParam(request.all_data, "serial", optional=False)
timestamp = getParam(request.all_data, 'timestamp', optional=False)
signature = getParam(request.all_data, 'signature', optional=False)
# first check if the timestamp is in the required span
try:
ts = isoparse(timestamp)
except (ValueError, TypeError) as _e:
log.debug('{0!s}'.format(traceback.format_exc()))
raise privacyIDEAError(
'Could not parse timestamp {0!s}. '
'ISO-Format required.'.format(timestamp))
# TODO: make time delta configurable
td = timedelta(minutes=POLL_TIME_WINDOW)
# We don't know if the passed timestamp is timezone aware. If no
# timezone is passed, we assume UTC
if ts.tzinfo:
now = datetime.now(utc)
else:
now = datetime.utcnow()
if not (now - td <= ts <= now + td):
raise privacyIDEAError(
'Timestamp {0!s} not in valid range.'.format(timestamp))
# now check the signature
# first get the token
try:
tok = get_one_token(serial=serial,
tokentype=cls.get_class_type())
# If the push_allow_polling policy is set to "token" we also
# need to check the POLLING_ALLOWED tokeninfo. If it evaluated
# to 'False', polling is not allowed for this token. If the
# tokeninfo value evaluates to 'True' or is not set at all,
# polling is allowed for this token.
if allow_polling == PushAllowPolling.TOKEN:
if not is_true(
tok.get_tokeninfo(POLLING_ALLOWED,
default='True')):
log.debug(
'Polling not allowed for pushtoken {0!s} due to '
'tokeninfo.'.format(serial))
raise PolicyError('Polling not allowed!')
pubkey_obj = _build_verify_object(
tok.get_tokeninfo(PUBLIC_KEY_SMARTPHONE))
sign_data = u"{serial}|{timestamp}".format(**request.all_data)
pubkey_obj.verify(b32decode(signature),
sign_data.encode("utf8"), padding.PKCS1v15(),
hashes.SHA256())
# The signature was valid now check for an open challenge
# we need the private server key to sign the smartphone data
pem_privkey = tok.get_tokeninfo(PRIVATE_KEY_SERVER)
# we also need the FirebaseGateway for this token
fb_identifier = tok.get_tokeninfo(PUSH_ACTION.FIREBASE_CONFIG)
if not fb_identifier:
raise ResourceNotFoundError(
'The pushtoken {0!s} has no Firebase configuration '
'assigned.'.format(serial))
fb_gateway = create_sms_instance(fb_identifier)
options = {'g': g}
challenges = []
challengeobject_list = get_challenges(serial=serial)
for chal in challengeobject_list:
# check if the challenge is active and not already answered
_cnt, answered = chal.get_otp_status()
if not answered and chal.is_valid():
# then return the necessary smartphone data to answer
# the challenge
sp_data = _build_smartphone_data(
serial, chal.challenge, fb_gateway, pem_privkey,
options)
challenges.append(sp_data)
# return the challenges as a list in the result value
result = challenges
except (ResourceNotFoundError, ParameterError, InvalidSignature,
ConfigAdminError, BinasciiError) as e:
# to avoid disclosing information we always fail with an invalid
# signature error even if the token with the serial could not be found
log.debug('{0!s}'.format(traceback.format_exc()))
log.info('The following error occurred during the signature '
'check: "{0!r}"'.format(e))
raise privacyIDEAError('Could not verify signature!')
else:
raise privacyIDEAError(
'Method {0!s} not allowed in \'api_endpoint\' '
'for push token.'.format(request.method))
return "json", prepare_result(result, details=details)
def api_endpoint(cls, request, g):
"""
This provides a function which is called by the API endpoint
/ttype/push which is defined in api/ttype.py
The method returns
return "json", {}
This endpoint is used for the 2nd enrollment step of the smartphone.
Parameters sent:
* serial
* fbtoken
* pubkey
This endpoint is also used, if the smartphone sends the signed response
to the challenge during authentication
Parameters sent:
* serial
* nonce (which is the challenge)
* signature (which is the signed nonce)
:param request: The Flask request
:param g: The Flask global object g
:return: dictionary
"""
details = {}
result = False
serial = getParam(request.all_data, "serial", optional=False)
if serial and "fbtoken" in request.all_data and "pubkey" in request.all_data:
# Do the 2nd step of the enrollment
try:
token_obj = get_one_token(serial=serial,
tokentype="push",
rollout_state="clientwait")
token_obj.update(request.all_data)
except ResourceNotFoundError:
raise ResourceNotFoundError(
"No token with this serial number in the rollout state 'clientwait'."
)
init_detail_dict = request.all_data
details = token_obj.get_init_detail(init_detail_dict)
result = True
elif serial and "nonce" in request.all_data and "signature" in request.all_data:
challenge = getParam(request.all_data, "nonce")
serial = getParam(request.all_data, "serial")
signature = getParam(request.all_data, "signature")
# get the token_obj for the given serial:
token_obj = get_one_token(serial=serial, tokentype="push")
pubkey_pem = token_obj.get_tokeninfo(PUBLIC_KEY_SMARTPHONE)
# The public key of the smartphone was probably sent as urlsafe:
pubkey_pem = pubkey_pem.replace("-", "+").replace("_", "/")
# The public key was sent without any header
pubkey_pem = "-----BEGIN PUBLIC KEY-----\n{0!s}\n-----END PUBLIC KEY-----".format(
pubkey_pem.strip().replace(" ", "+"))
# Do the 2nd step of the authentication
# Find valid challenges
challengeobject_list = get_challenges(serial=serial,
challenge=challenge)
if challengeobject_list:
# There are valid challenges, so we check this signature
for chal in challengeobject_list:
# verify the signature of the nonce
pubkey_obj = serialization.load_pem_public_key(
to_bytes(pubkey_pem), default_backend())
sign_data = u"{0!s}|{1!s}".format(challenge, serial)
try:
pubkey_obj.verify(b32decode(signature),
sign_data.encode("utf8"),
padding.PKCS1v15(), hashes.SHA256())
# The signature was valid
chal.set_otp_status(True)
result = True
except InvalidSignature as e:
pass
else:
raise ParameterError("Missing parameters!")
return "json", prepare_result(result, details=details)
def do(self, action, options=None):
"""
This method executes the defined action in the given event.
:param action:
:param options: Contains the flask parameters g, request, response
and the handler_def configuration
:type options: dict
:return:
"""
ret = True
g = options.get("g")
request = options.get("request")
response = options.get("response")
content = self._get_response_content(response)
handler_def = options.get("handler_def")
handler_options = handler_def.get("options", {})
serial = request.all_data.get("serial") or \
content.get("detail", {}).get("serial") or \
g.audit_object.audit_data.get("serial")
if action.lower() in [ACTION_TYPE.SET_TOKENREALM,
ACTION_TYPE.SET_DESCRIPTION,
ACTION_TYPE.DELETE, ACTION_TYPE.DISABLE,
ACTION_TYPE.ENABLE, ACTION_TYPE.UNASSIGN,
ACTION_TYPE.SET_VALIDITY,
ACTION_TYPE.SET_COUNTWINDOW,
ACTION_TYPE.SET_TOKENINFO,
ACTION_TYPE.SET_FAILCOUNTER,
ACTION_TYPE.CHANGE_FAILCOUNTER,
ACTION_TYPE.SET_RANDOM_PIN,
ACTION_TYPE.DELETE_TOKENINFO]:
if serial:
log.info("{0!s} for token {1!s}".format(action, serial))
if action.lower() == ACTION_TYPE.SET_TOKENREALM:
realm = handler_options.get("realm")
only_realm = is_true(handler_options.get("only_realm"))
# Set the realm..
log.info("Setting realm of token {0!s} to {1!s}".format(
serial, realm))
# Add the token realm
set_realms(serial, [realm], add=not only_realm)
elif action.lower() == ACTION_TYPE.SET_RANDOM_PIN:
# If for any reason we have no value, we default to 6
length = int(handler_options.get("length") or 6)
pin = generate_password(size=length)
if set_pin(serial, pin):
content.setdefault("detail", {})["pin"] = pin
options.get("response").data = json.dumps(content)
elif action.lower() == ACTION_TYPE.DELETE:
remove_token(serial=serial)
elif action.lower() == ACTION_TYPE.DISABLE:
enable_token(serial, enable=False)
elif action.lower() == ACTION_TYPE.ENABLE:
enable_token(serial, enable=True)
elif action.lower() == ACTION_TYPE.UNASSIGN:
unassign_token(serial)
elif action.lower() == ACTION_TYPE.SET_DESCRIPTION:
description = handler_options.get("description") or ""
description, td = parse_time_offset_from_now(description)
s_now = (datetime.datetime.now(tzlocal()) + td).strftime(
AUTH_DATE_FORMAT)
set_description(serial,
description.format(
current_time=s_now,
now=s_now,
client_ip=g.client_ip,
ua_browser=request.user_agent.browser,
ua_string=request.user_agent.string))
elif action.lower() == ACTION_TYPE.SET_COUNTWINDOW:
set_count_window(serial,
int(handler_options.get("count window",
50)))
elif action.lower() == ACTION_TYPE.SET_TOKENINFO:
tokeninfo = handler_options.get("value") or ""
tokeninfo, td = parse_time_offset_from_now(tokeninfo)
s_now = (datetime.datetime.now(tzlocal()) + td).strftime(
AUTH_DATE_FORMAT)
try:
username = request.User.loginname
realm = request.User.realm
except Exception:
username = "******"
realm = "N/A"
add_tokeninfo(serial, handler_options.get("key"),
tokeninfo.format(
current_time=s_now,
now=s_now,
client_ip=g.client_ip,
username=username,
realm=realm,
ua_browser=request.user_agent.browser,
ua_string=request.user_agent.string))
elif action.lower() == ACTION_TYPE.DELETE_TOKENINFO:
delete_tokeninfo(serial, handler_options.get("key"))
elif action.lower() == ACTION_TYPE.SET_VALIDITY:
start_date = handler_options.get(VALIDITY.START)
end_date = handler_options.get(VALIDITY.END)
if start_date:
d = parse_date(start_date)
set_validity_period_start(serial, None,
d.strftime(DATE_FORMAT))
if end_date:
d = parse_date(end_date)
set_validity_period_end(serial, None,
d.strftime(DATE_FORMAT))
elif action.lower() == ACTION_TYPE.SET_FAILCOUNTER:
try:
set_failcounter(serial,
int(handler_options.get("fail counter")))
except Exception as exx:
log.warning("Misconfiguration: Failed to set fail "
"counter!")
elif action.lower() == ACTION_TYPE.CHANGE_FAILCOUNTER:
try:
token_obj = get_one_token(serial=serial)
token_obj.set_failcount(
token_obj.token.failcount + int(handler_options.get("change fail counter")))
except Exception as exx:
log.warning("Misconfiguration: Failed to increase or decrease fail "
"counter!")
else:
log.info("Action {0!s} requires serial number. But no serial "
"number could be found in request.")
if action.lower() == ACTION_TYPE.INIT:
log.info("Initializing new token")
init_param = {"type": handler_options.get("tokentype"),
"genkey": 1,
"realm": handler_options.get("realm", "")}
user = None
if is_true(handler_options.get("user")):
user = self._get_tokenowner(request)
tokentype = handler_options.get("tokentype")
# Some tokentypes need additional parameters
if handler_options.get("additional_params"):
add_params = yaml.safe_load(handler_options.get("additional_params"))
if type(add_params) == dict:
init_param.update(add_params)
if tokentype == "sms":
if handler_options.get("dynamic_phone"):
init_param["dynamic_phone"] = 1
else:
init_param['phone'] = user.get_user_phone(
phone_type='mobile', index=0)
if not init_param['phone']:
log.warning("Enrolling SMS token. But the user "
"{0!r} has no mobile number!".format(user))
if handler_options.get("sms_identifier"):
init_param["sms.identifier"] = handler_options.get("sms_identifier")
elif tokentype == "email":
if handler_options.get("dynamic_email"):
init_param["dynamic_email"] = 1
else:
init_param['email'] = user.info.get("email", "")
if not init_param['email']:
log.warning("Enrolling EMail token. But the user {0!s}"
"has no email address!".format(user))
if handler_options.get("smtp_identifier"):
init_param["email.identifier"] = handler_options.get("smtp_identifier")
elif tokentype == "motp":
init_param['motppin'] = handler_options.get("motppin")
t = init_token(param=init_param, user=user)
log.info("New token {0!s} enrolled.".format(t.token.serial))
return ret
def api_endpoint(cls, request, g):
"""
This provides a function to be plugged into the API endpoint
/ttype/<tokentype> which is defined in api/ttype.py
See :ref:`rest_ttype`.
:param request: The Flask request
:param g: The Flask global object g
:return: Flask Response or text
"""
params = request.all_data
action = getParam(params, "action", optional) or \
API_ACTIONS.AUTHENTICATION
if action not in API_ACTIONS.ALLOWED_ACTIONS:
raise ParameterError("Allowed actions are {0!s}".format(
API_ACTIONS.ALLOWED_ACTIONS))
if action == API_ACTIONS.METADATA:
session = getParam(params, "session", required)
serial = getParam(params, "serial", required)
# The user identifier is displayed in the App
# We need to set the user ID
token = get_one_token(serial=serial, tokentype="tiqr")
user_identifier, user_displayname = token.get_user_displayname()
service_identifier = get_from_config("tiqr.serviceIdentifier") or\
"org.privacyidea"
ocrasuite = get_from_config("tiqr.ocrasuite") or OCRA_DEFAULT_SUITE
service_displayname = get_from_config("tiqr.serviceDisplayname") or \
"privacyIDEA"
reg_server = get_from_config("tiqr.regServer")
auth_server = get_from_config("tiqr.authServer") or reg_server
logo_url = get_from_config("tiqr.logoUrl")
service = {"displayName": service_displayname,
"identifier": service_identifier,
"logoUrl": logo_url,
"infoUrl": "https://www.privacyidea.org",
"authenticationUrl":
"{0!s}".format(auth_server),
"ocraSuite": ocrasuite,
"enrollmentUrl":
"{0!s}?action={1!s}&session={2!s}&serial={3!s}".format(
reg_server,
API_ACTIONS.ENROLLMENT,
session, serial)
}
identity = {"identifier": user_identifier,
"displayName": user_displayname
}
res = {"service": service,
"identity": identity
}
return "json", res
elif action == API_ACTIONS.ENROLLMENT:
"""
operation: register
secret: HEX
notificationType: GCM
notificationAddress: ...
language: de
session:
serial:
"""
res = "Fail"
serial = getParam(params, "serial", required)
session = getParam(params, "session", required)
secret = getParam(params, "secret", required)
# The secret needs to be stored in the token object.
# We take the token "serial" and check, if it contains the "session"
# in the tokeninfo.
enroll_token = get_one_token(serial=serial, tokentype="tiqr")
tokeninfo_session = enroll_token.get_tokeninfo("session")
if tokeninfo_session and tokeninfo_session == session:
# save the secret
enroll_token.set_otpkey(secret)
# delete the session
enroll_token.del_tokeninfo("session")
res = "OK"
else:
raise ParameterError("Invalid Session")
return "plain", res
elif action == API_ACTIONS.AUTHENTICATION:
res = "FAIL"
userId = getParam(params, "userId", required)
session = getParam(params, "sessionKey", required)
passw = getParam(params, "response", required)
operation = getParam(params, "operation", required)
res = "INVALID_CHALLENGE"
# The sessionKey is stored in the db_challenge.transaction_id
# We need to get the token serial for this sessionKey
challenges = get_challenges(transaction_id=session)
# We found several challenges with the given transaction ID,
# and some of the challenges may belong to other tokens.
# We only handle the TiQR tokens.
for challenge in challenges:
if challenge.is_valid() and challenge.otp_valid is False:
# Challenge is still valid (time has not passed) and no
# correct response was given.
token = get_one_token(serial=challenge.serial)
if token.type.lower() == "tiqr":
# We found a TiQR token with a valid challenge with the given transaction ID
res = "INVALID_RESPONSE"
r = token.verify_response(
challenge=challenge.challenge, passw=passw)
if r > 0:
res = "OK"
# Mark the challenge as answered successfully.
challenge.set_otp_status(True)
# We have found a valid TiQR token transaction, we break out of the loop
break
cleanup_challenges()
return "plain", res
def api_endpoint(cls, request, g):
"""
This provides a function which is called by the API endpoint
/ttype/push which is defined in api/ttype.py
The method returns
return "json", {}
This endpoint is used for the 2nd enrollment step of the smartphone.
Parameters sent:
* serial
* fbtoken
* pubkey
This endpoint is also used, if the smartphone sends the signed response
to the challenge during authentication
Parameters sent:
* serial
* nonce (which is the challenge)
* signature (which is the signed nonce)
:param request: The Flask request
:param g: The Flask global object g
:return: dictionary
"""
details = {}
result = False
serial = getParam(request.all_data, "serial", optional=False)
if serial and "fbtoken" in request.all_data and "pubkey" in request.all_data:
log.debug("Do the 2nd step of the enrollment.")
try:
token_obj = get_one_token(serial=serial,
tokentype="push",
rollout_state="clientwait")
token_obj.update(request.all_data)
except ResourceNotFoundError:
raise ResourceNotFoundError("No token with this serial number in the rollout state 'clientwait'.")
init_detail_dict = request.all_data
details = token_obj.get_init_detail(init_detail_dict)
result = True
elif serial and "nonce" in request.all_data and "signature" in request.all_data:
log.debug("Handling the authentication response from the smartphone.")
challenge = getParam(request.all_data, "nonce")
serial = getParam(request.all_data, "serial")
signature = getParam(request.all_data, "signature")
# get the token_obj for the given serial:
token_obj = get_one_token(serial=serial, tokentype="push")
pubkey_pem = token_obj.get_tokeninfo(PUBLIC_KEY_SMARTPHONE)
# The public key of the smartphone was probably sent as urlsafe:
pubkey_pem = pubkey_pem.replace("-", "+").replace("_", "/")
# The public key was sent without any header
pubkey_pem = "-----BEGIN PUBLIC KEY-----\n{0!s}\n-----END PUBLIC KEY-----".format(pubkey_pem.strip().replace(" ", "+"))
# Do the 2nd step of the authentication
# Find valid challenges
challengeobject_list = get_challenges(serial=serial, challenge=challenge)
if challengeobject_list:
# There are valid challenges, so we check this signature
for chal in challengeobject_list:
# verify the signature of the nonce
pubkey_obj = serialization.load_pem_public_key(to_bytes(pubkey_pem), default_backend())
sign_data = u"{0!s}|{1!s}".format(challenge, serial)
try:
pubkey_obj.verify(b32decode(signature),
sign_data.encode("utf8"),
padding.PKCS1v15(),
hashes.SHA256())
# The signature was valid
log.debug("Found matching challenge {0!s}.".format(chal))
chal.set_otp_status(True)
chal.save()
result = True
except InvalidSignature as e:
pass
else:
raise ParameterError("Missing parameters!")
return "json", prepare_result(result, details=details)
def save_pin_change(request, response, serial=None):
"""
This policy function checks if the next_pin_change date should be
stored in the tokeninfo table.
1. Check scope:enrollment and
ACTION.CHANGE_PIN_FIRST_USE.
This action is used, when the administrator enrolls a token or sets a PIN
2. Check scope:enrollment and
ACTION.CHANGE_PIN_EVERY is used, if the user changes the PIN.
This function decorates /token/init and /token/setpin. The parameter
"pin" and "otppin" is investigated.
:param request:
:param action:
:return:
"""
content = json.loads(response.data)
policy_object = g.policy_object
serial = serial or request.all_data.get("serial")
if not serial:
# No serial in request, so we look into the response
serial = content.get("detail", {}).get("serial")
if not serial:
log.error("Can not determine serial number. Have no idea of any "
"realm!")
else:
# Determine the realm by the serial
realm = get_realms_of_token(serial, only_first_realm=True)
realm = realm or get_default_realm()
if g.logged_in_user.get("role") == ROLE.ADMIN:
pinpol = policy_object.get_policies(action=ACTION.CHANGE_PIN_FIRST_USE,
scope=SCOPE.ENROLL, realm=realm,
client=g.client_ip, active=True,
audit_data=g.audit_object.audit_data)
if pinpol:
token = get_one_token(serial=serial)
token.set_next_pin_change(diff="0d")
elif g.logged_in_user.get("role") == ROLE.USER:
# Check for parameter "pin" or "otppin".
otppin = request.all_data.get("otppin")
pin = request.all_data.get("pin")
# The user sets a pin or enrolls a token. -> delete the pin_change
if otppin or pin:
token = get_one_token(serial=serial)
token.del_tokeninfo("next_pin_change")
# If there is a change_pin_every policy, we need to set the PIN
# anew.
pinpol = policy_object.get_action_values(
ACTION.CHANGE_PIN_EVERY, scope=SCOPE.ENROLL,
realm=realm, client=g.client_ip, unique=True,
audit_data=g.audit_object.audit_data)
if pinpol:
token = get_one_token(serial=serial)
token.set_next_pin_change(diff=list(pinpol)[0])
# we do not modify the response!
return response
def api_endpoint(cls, request, g):
"""
This provides a function to be plugged into the API endpoint
/ttype/<tokentype> which is defined in api/ttype.py
See :ref:`rest_ttype`.
:param request: The Flask request
:param g: The Flask global object g
:return: Flask Response or text
"""
params = request.all_data
action = getParam(params, "action", optional) or \
API_ACTIONS.AUTHENTICATION
if action not in API_ACTIONS.ALLOWED_ACTIONS:
raise ParameterError("Allowed actions are {0!s}".format(
API_ACTIONS.ALLOWED_ACTIONS))
if action == API_ACTIONS.METADATA:
session = getParam(params, "session", required)
serial = getParam(params, "serial", required)
# The user identifier is displayed in the App
# We need to set the user ID
token = get_one_token(serial=serial, tokentype="tiqr")
user_identifier, user_displayname = token.get_user_displayname()
service_identifier = get_from_config("tiqr.serviceIdentifier") or\
"org.privacyidea"
ocrasuite = get_from_config("tiqr.ocrasuite") or OCRA_DEFAULT_SUITE
service_displayname = get_from_config("tiqr.serviceDisplayname") or \
"privacyIDEA"
reg_server = get_from_config("tiqr.regServer")
auth_server = get_from_config("tiqr.authServer") or reg_server
logo_url = get_from_config("tiqr.logoUrl")
service = {"displayName": service_displayname,
"identifier": service_identifier,
"logoUrl": logo_url,
"infoUrl": "https://www.privacyidea.org",
"authenticationUrl":
"{0!s}".format(auth_server),
"ocraSuite": ocrasuite,
"enrollmentUrl":
"{0!s}?action={1!s}&session={2!s}&serial={3!s}".format(
reg_server,
API_ACTIONS.ENROLLMENT,
session, serial)
}
identity = {"identifier": user_identifier,
"displayName": user_displayname
}
res = {"service": service,
"identity": identity
}
return "json", res
elif action == API_ACTIONS.ENROLLMENT:
"""
operation: register
secret: HEX
notificationType: GCM
notificationAddress: ...
language: de
session:
serial:
"""
res = "Fail"
serial = getParam(params, "serial", required)
session = getParam(params, "session", required)
secret = getParam(params, "secret", required)
# The secret needs to be stored in the token object.
# We take the token "serial" and check, if it contains the "session"
# in the tokeninfo.
enroll_token = get_one_token(serial=serial, tokentype="tiqr")
tokeninfo_session = enroll_token.get_tokeninfo("session")
if tokeninfo_session and tokeninfo_session == session:
# save the secret
enroll_token.set_otpkey(secret)
# delete the session
enroll_token.del_tokeninfo("session")
res = "OK"
else:
raise ParameterError("Invalid Session")
return "plain", res
elif action == API_ACTIONS.AUTHENTICATION:
res = "FAIL"
userId = getParam(params, "userId", required)
session = getParam(params, "sessionKey", required)
passw = getParam(params, "response", required)
operation = getParam(params, "operation", required)
res = "INVALID_CHALLENGE"
# The sessionKey is stored in the db_challenge.transaction_id
# We need to get the token serial for this sessionKey
challenges = get_challenges(transaction_id=session)
# We found exactly one challenge
if (len(challenges) == 1 and challenges[0].is_valid() and
challenges[0].otp_valid is False):
# Challenge is still valid (time has not passed) and no
# correct response was given.
serial = challenges[0].serial
token = get_one_token(serial=serial, tokentype="tiqr")
# We found exactly the one token
res = "INVALID_RESPONSE"
r = token.verify_response(
challenge=challenges[0].challenge, passw=passw)
if r > 0:
res = "OK"
# Mark the challenge as answered successfully.
challenges[0].set_otp_status(True)
cleanup_challenges()
return "plain", res
