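def _write_private_file(path, content):
    """Write content to path as an owner-only (0600) file and close it.

    The 2FA secret is stored on a reversible (scrambled, not hashed) form, so
    the file must not inherit a permissive process umask.  The mode passed to
    os.open only applies when the file is created, hence the explicit fchmod
    to also tighten a pre-existing key file.  Any OSError/IOError propagates
    to the caller.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as out:
        os.fchmod(fd, 0o600)
        out.write(content)


def reset_twofactor_key(client_id, configuration, seed=None, interval=None):
    """Reset 2FA secret key and write to user settings file in scrambled form.

    Return the new secret key on unscrambled base32 form, or False if any
    step fails (the failure is logged on configuration.logger).

    Args:
        client_id: user distinguished name. When GDP mode is enabled the
            base client id is resolved first so the key lands in the real
            user settings dir rather than one of the alias dirs.
        configuration: site configuration providing logger, user_settings,
            site_password_salt and site_enable_gdp.
        seed: optional pre-generated secret to use instead of a fresh random
            base32 key. NOTE: it is stored as given without base32
            validation, so callers must only pass a proper base32 string.
        interval: optional TOTP interval in seconds. The previously stored
            interval file is always removed; a new one is written only when
            a non-zero interval is given.

    Side effects:
        Overwrites the scrambled key file and the interval file in the user
        settings dir. Both are created owner-readable only (0600) because
        scramble_password is reversible and the raw secret can be recovered
        from the file contents.
    """
    _logger = configuration.logger
    if configuration.site_enable_gdp:
        client_id = get_base_client_id(configuration, client_id,
                                       expand_oid_alias=False)
    client_dir = client_id_dir(client_id)
    key_path = os.path.join(configuration.user_settings, client_dir,
                            twofactor_key_name)
    interval_path = os.path.join(configuration.user_settings, client_dir,
                                 twofactor_interval_name)
    try:
        if pyotp is None:
            raise Exception("The pyotp module is missing and required for 2FA")
        if not seed:
            b32_key = pyotp.random_base32(length=twofactor_key_bytes)
        else:
            b32_key = seed
        # NOTE: pyotp.random_base32 returns unicode
        # which causes trouble with WSGI
        b32_key = force_utf8(b32_key)
        scrambled = scramble_password(configuration.site_password_salt,
                                      b32_key)
        # Owner-only file: the scrambled form is reversible, not a hash
        _write_private_file(key_path, scrambled)
        # Reset interval: drop any old value before writing the new one
        delete_file(interval_path, _logger, allow_missing=True)
        if interval:
            _write_private_file(interval_path, "%d" % interval)
    except Exception as exc:
        _logger.error("failed in reset 2FA key: %s" % exc)
        return False
    return b32_key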
# Pass optional short_id as well if short_id: user_dict['short_id'] = short_id # Pass optional role as well if role: user_dict['role'] = role # Encode password if set but not already encoded salt = configuration.site_password_salt if user_dict['password']: try: unscramble_password(salt, user_dict['password']) except TypeError: user_dict['password'] = scramble_password( salt, user_dict['password']) # Set account expire for use with local certificate or OpenID login if not user_dict.has_key('expire'): user_dict['expire'] = expire if user_id: user_dict['distinguished_name'] = user_id elif not user_dict.has_key('distinguished_name'): fill_distinguished_name(user_dict) fill_user(user_dict) # Now all user fields are set and we can begin adding the user if verbose:
user_dict['comment'] = 'imported from external URI' if password == keyword_auto: print 'Auto generating password for user: %s' % client_id user_dict['password'] = generate_random_password(configuration) elif password: print 'Setting provided password for user: %s' % client_id user_dict['password'] = password else: print 'Setting empty password for user: %s' % client_id user_dict['password'] = '' # Encode password if set but not already encoded if user_dict['password']: if verbose: print 'Scrambling password for user: %s' % client_id user_dict['password'] = scramble_password( configuration.site_password_salt, user_dict['password']) # Force expire user_dict['expire'] = expire try: create_user(user_dict, conf_path, db_path, force, verbose) except Exception, exc: print exc continue print 'Created %s in user database and in file system' % client_id # NOTE: force update user_map before calling sendrequestaction! # create_user does NOT necessarily update it due to caching time. refresh_user_map(configuration)
'''Illegal email and organization combination: Please read and follow the instructions in red on the request page! If you are a student with only a @*.ku.dk address please just use KU as organization. As long as you state that you want the account for course purposes in the comment field, you will be given access to the necessary resources anyway. '''}) output_objects.append( {'object_type': 'link', 'destination': 'javascript:history.back();', 'class': 'genericbutton', 'text': "Try again"}) return (output_objects, returnvalues.CLIENT_ERROR) # NOTE: we save password on scrambled form only if explicitly requested if passwordrecovery: logger.info('saving %s scrambled password to enable recovery' % email) scrambled_pw = scramble_password(configuration.site_password_salt, password) else: logger.info('only saving %s password hash' % email) scrambled_pw = '' user_dict = { 'full_name': cert_name, 'organization': org, 'state': state, 'country': country, 'email': email, 'comment': comment, 'password': scrambled_pw, 'password_hash': make_hash(password), 'expire': int(time.time() + cert_valid_days * 24 * 60 * 60), 'openid_names': [], 'auth': ['migoid'],
If you are a student with only a @*.ku.dk address please just use KU as organization. As long as you state that you want the account for course purposes in the comment field, you will be given access to the necessary resources anyway. ''' }) return (output_objects, returnvalues.CLIENT_ERROR) user_dict = { 'full_name': cert_name, 'organization': org, 'state': state, 'country': country, 'email': email, 'comment': comment, 'password': scramble_password(configuration.site_password_salt, password), 'expire': int(time.time() + cert_valid_days * 24 * 60 * 60), 'openid_names': [], 'auth': ['migcert'], } fill_distinguished_name(user_dict) user_id = user_dict['distinguished_name'] user_dict['authorized'] = (user_id == client_id) if configuration.user_openid_providers and configuration.user_openid_alias: user_dict['openid_names'] += \ [user_dict[configuration.user_openid_alias]] logger.info('got account request from reqcert: %s' % user_dict) # For testing only if cert_name.upper().find('DO NOT SEND') != -1: