def _get_tokenowner(request):
user = request.User
serial = request.all_data.get("serial")
if user.is_empty() and serial:
# maybe the user is empty, but a serial was passed.
# Then we determine the user by the serial
try:
user = get_token_owner(serial) or User()
except Exception as exx:
user = User()
# This can happen for orphaned tokens.
log.info("Could not determine tokenowner for {0!s}. Maybe the "
"user does not exist anymore.".format(serial))
log.debug(exx)
# We now check, if the user exists at all!
try:
ui = user.info
except UserError as exx:
if exx.id in [904, 905]:
# 904: User can not be found - maybe we got here due to PassOnNoUser
# 905: This would be a parameter error - why is this here?
user = User()
else:
raise exx
return user
def _get_tokenowner(request):
user = request.User
serial = request.all_data.get("serial")
if user.is_empty() and serial:
# maybe the user is empty, but a serial was passed.
# Then we determine the user by the serial
try:
user = get_token_owner(serial) or User()
except Exception as exx:
user = User()
# This can happen for orphaned tokens.
log.info("Could not determine tokenowner for {0!s}. Maybe the "
"user does not exist anymore.".format(serial))
log.debug(exx)
# We now check, if the user exists at all!
try:
ui = user.info
except UserError as exx:
if exx.id in [904, 905]:
# 904: User can not be found - maybe we got here due to PassOnNoUser
# 905: This would be a parameter error - why is this here?
user = User()
else:
raise exx
return user
def _get_tokenowner(request):
user = request.User
serial = request.all_data.get("serial")
if user.is_empty() and serial:
# maybe the user is empty, but a serial was passed.
# Then we determine the user by the serial
user = get_token_owner(serial)
return user
def _get_tokenowner(request):
user = request.User
serial = request.all_data.get("serial")
if user.is_empty() and serial:
# maybe the user is empty, but a serial was passed.
# Then we determine the user by the serial
try:
user = get_token_owner(serial) or User()
except Exception as exx:
user = User()
# This can happen for orphaned tokens.
log.info("Could not determine tokenowner for {0!s}. Maybe the "
"user does not exist anymore.".format(serial))
log.debug(exx)
return user
def _get_tokenowner(request):
user = request.User
serial = request.all_data.get("serial")
if user.is_empty() and serial:
# maybe the user is empty, but a serial was passed.
# Then we determine the user by the serial
try:
user = get_token_owner(serial) or User()
except Exception as exx:
user = User()
# This can happen for orphaned tokens.
log.info("Could not determine tokenowner for {0!s}. Maybe the "
"user does not exist anymore.".format(serial))
log.debug(exx)
# We now check, if the user exists at all!
try:
ui = user.info
except UserError as exx:
if exx.id == 905:
user = User()
else:
raise exx
return user
def test_08_token_owner(self):
# token_has_owner
self.assertTrue(token_has_owner("hotptoken"))
self.assertFalse(token_has_owner(self.serials[0]))
# get_token_owner
user = get_token_owner("hotptoken")
self.assertTrue(user.login == "cornelius", user)
user = get_token_owner(self.serials[0])
self.assertTrue(user is None, user)
# for non existing token
user = get_token_owner("does not exist")
self.assertTrue(user is None, user)
# check if the token owner is cornelius
user = User("cornelius", realm=self.realm1, resolver=self.resolvername1)
self.assertTrue(is_token_owner("hotptoken", user),
get_token_owner("hotptoken"))
self.assertFalse(is_token_owner("hotptoken", User()),
get_token_owner("hotptoken"))
self.assertFalse(is_token_owner(self.serials[1], user),
get_token_owner(self.serials[1]))
def test_08_token_owner(self):
# token_has_owner
self.assertTrue(token_has_owner("hotptoken"))
self.assertFalse(token_has_owner(self.serials[0]))
# get_token_owner
user = get_token_owner("hotptoken")
self.assertTrue(user.login == "cornelius", user)
user = get_token_owner(self.serials[0])
self.assertTrue(user is None, user)
# for non existing token
user = get_token_owner("does not exist")
self.assertTrue(user is None, user)
# check if the token owner is cornelius
user = User("cornelius",
realm=self.realm1,
resolver=self.resolvername1)
self.assertTrue(is_token_owner("hotptoken", user),
get_token_owner("hotptoken"))
self.assertFalse(is_token_owner("hotptoken", User()),
get_token_owner("hotptoken"))
self.assertFalse(is_token_owner(self.serials[1], user),
get_token_owner(self.serials[1]))
def do(self, action, options=None):
"""
This method executes the defined action in the given event.
:param action:
:param options:
:return:
"""
ret = True
g = options.get("g")
request = options.get("request")
try:
logged_in_user = g.logged_in_user
except Exception:
logged_in_user = {}
user = get_user_from_param(request.all_data)
serial = request.all_data.get("serial")
if user.is_empty() and serial:
# maybe the user is empty, but a serial was passed.
# Then we determine the user by the serial
user = get_token_owner(serial)
if not user.is_empty() and user.login and logged_in_user.get("role") ==\
ROLE.ADMIN:
body = options.get("body") or DEFAULT_BODY
body = body.format(
admin=logged_in_user.get("username"),
realm=logged_in_user.get("realm"),
action=request.path,
serial=g.audit_object.audit_data.get("serial"),
url=request.url_root,
user=user.info.get("givenname")
)
if action.lower() == "sendmail":
emailconfig = options.get("emailconfig")
useremail = user.info.get("email")
subject = options.get("subject") or "An action was performed on " \
"your token."
try:
ret = send_email_identifier(emailconfig,
recipient=useremail,
subject=subject, body=body)
except Exception as exx:
log.error("Failed to send email: {0!s}".format(exx))
ret = False
if ret:
log.info("Sent a notification email to user {0}".format(user))
else:
log.warning("Failed to send a notification email to user "
"{0}".format(user))
elif action.lower() == "sendsms":
smsconfig = options.get("smsconfig")
userphone = user.info.get("mobile")
try:
ret = send_sms_identifier(smsconfig, userphone, body)
except Exception as exx:
log.error("Failed to send sms: {0!s}".format(exx))
ret = False
if ret:
log.info("Sent a notification sms to user {0}".format(user))
else:
log.warning("Failed to send a notification email to user "
"{0}".format(user))
return ret
def before_request():
"""
This is executed before the request.
user_required checks if there is a logged in admin or user
The checks for ONLY admin are preformed in api/system.py
"""
# remove session from param and gather all parameters, either
# from the Form data or from JSON in the request body.
ensure_no_config_object()
request.all_data = get_all_params(request)
if g.logged_in_user.get("role") == "user":
# A user is calling this API. First thing we do is restricting the user parameter.
# ...to restrict token view, audit view or token actions.
request.all_data["user"] = g.logged_in_user.get("username")
request.all_data["realm"] = g.logged_in_user.get("realm")
try:
request.User = get_user_from_param(request.all_data)
# overwrite or set the resolver parameter in case of a logged in user
if g.logged_in_user.get("role") == "user":
request.all_data["resolver"] = request.User.resolver
except AttributeError:
# Some endpoints do not need users OR e.g. the setPolicy endpoint
# takes a list as the userobject
request.User = None
except UserError:
# In cases like the policy API, the parameter "user" is part of the
# policy and will not resolve to a user object
request.User = User()
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config, g.startdate)
g.event_config = EventConfiguration()
# access_route contains the ip adresses of all clients, hops and proxies.
g.client_ip = get_client_ip(request,
get_from_config(SYSCONF.OVERRIDECLIENT))
# Save the HTTP header in the localproxy object
g.request_headers = request.headers
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
# Already get some typical parameters to log
serial = getParam(request.all_data, "serial")
if serial and not "*" in serial:
g.serial = serial
tokentype = get_token_type(serial)
if not request.User:
# We determine the user object by the given serial number
try:
request.User = get_token_owner(serial) or User()
except ResourceNotFoundError:
# The serial might not exist! This would raise an exception
pass
else:
g.serial = None
tokentype = None
if request.User:
audit_username = request.User.login
audit_realm = request.User.realm
audit_resolver = request.User.resolver
else:
audit_realm = getParam(request.all_data, "realm")
audit_resolver = getParam(request.all_data, "resolver")
audit_username = getParam(request.all_data, "user")
g.audit_object.log({
"success":
False,
"serial":
serial,
"user":
audit_username,
"realm":
audit_realm,
"resolver":
audit_resolver,
"token_type":
tokentype,
"client":
g.client_ip,
"client_user_agent":
request.user_agent.browser,
"privacyidea_server":
privacyidea_server,
"action":
"{0!s} {1!s}".format(request.method, request.url_rule),
"action_detail":
"",
"info":
""
})
if g.logged_in_user.get("role") == "admin":
# An administrator is calling this API
g.audit_object.log({"administrator": g.logged_in_user.get("username")})
