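def setPolicy(param):
    '''
    Store a policy definition in the config.

    It expects a dict with the following keys:

    * name
    * action
    * scope
    * realm
    * user
    * time
    * client
    * active (optional, defaults to "True")

    Each attribute is written as the config entry ``Policy.<name>.<attr>``.

    :param param: dict of policy attributes as listed above; the whole dict
        is also handed to _check_policy_impact as keyword arguments
    :return: dict mapping each stored attribute name to the storeConfig result
    :raises ServerError: when the policy name is missing or contains
        characters outside a-zA-Z0-9_
    :raises PolicyWarning: raised by _check_policy_impact when the
        definition could lock the administrator out
    '''
    name = param.get('name')
    # The name is spliced into the config key, so it is restricted to the
    # same character set deletePolicy accepts. An empty or missing name
    # would otherwise silently write the keys "Policy.None.<attr>" or
    # "Policy..<attr>". \Z instead of $ rejects a trailing newline.
    if not name or not re.match(r'^[a-zA-Z0-9_]*\Z', name):
        raise ServerError("policy name may only contain the "
                          "characters a-zA-Z0-9_", id=8888)

    # before storing the policy, we have to check the impact:
    # if there is a problem, we will raise an exception with a warning
    if context and 'Policies' in context:
        policies = context['Policies']
    else:
        policies = getPolicies()
    _check_policy_impact(policies=policies, **param)

    action = ForwardServerPolicy.prepare_forward(param.get('action'))

    # attribute name -> value, in the order the entries are written
    attributes = [
        ('action', action),
        ('scope', param.get('scope')),
        ('realm', param.get('realm')),
        ('user', param.get('user')),
        ('time', param.get('time')),
        ('client', param.get('client')),
        ('active', param.get('active', "True")),
    ]
    return dict(
        (key, storeConfig("Policy.%s.%s" % (name, key), value, "",
                          "a policy definition"))
        for key, value in attributes
    )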
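def deletePolicy(name, enforce=False):
    '''
    Delete all config entries of one named policy.

    Before anything is removed the deletion is treated like deactivating
    the policy and run through _check_policy_impact, so that removing the
    last writable system policy is caught.

    :param name: (required) name of the policy; restricted to a-zA-Z0-9_
        because it is spliced into the config key prefix
    :param enforce: passed on to _check_policy_impact; when True the
        lockout check does not raise
    :return: dict mapping each removed config key to the result of
        removeFromConfig
    :raises ServerError: when name contains characters outside a-zA-Z0-9_
    :raises PolicyWarning: raised by _check_policy_impact when the deletion
        could lock the administrator out
    '''
    # \Z instead of $: '$' would also accept a name with a trailing newline
    if not re.match(r'^[a-zA-Z0-9_]*\Z', name):
        raise ServerError(
            "policy name may only contain the "
            "characters a-zA-Z0-9_", id=8888)

    if context and 'Config' in context:
        Config = context['Config']
    else:
        Config = getLinotpConfig()

    if context and 'Policies' in context:
        policies = context['Policies']
    else:
        policies = getPolicies()

    # check if due to delete of the policy a lockout could happen
    stored = policies.get(name)
    if stored:
        # work on a copy: the policy dict may belong to the shared
        # context and must not carry the 'enforce' / 'active' markers
        # of this check afterwards
        param = dict(stored)
        # delete is same as inactive ;-)
        param['active'] = "False"
        param['name'] = name
        param['enforce'] = enforce
        _check_policy_impact(**param)

    prefix = "linotp.Policy.%s." % name
    # collect first, then remove, so Config is not changed while iterated
    delEntries = [entry for entry in Config if entry.startswith(prefix)]

    res = {}
    for entry in delEntries:
        log.debug("[deletePolicy] removing key: %s", entry)
        res[entry] = removeFromConfig(entry)
    return res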
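def deletePolicy(name, enforce=False):
    '''
    Delete all config entries of one named policy.

    Before anything is removed the deletion is treated like deactivating
    the policy and run through _check_policy_impact (against the currently
    known policies), so that removing the last writable system policy is
    caught.

    :param name: (required) name of the policy; restricted to a-zA-Z0-9_
        because it is spliced into the config key prefix
    :param enforce: passed on to _check_policy_impact; when True the
        lockout check does not raise
    :return: dict mapping each removed config key to the result of
        removeFromConfig
    :raises ServerError: when name contains characters outside a-zA-Z0-9_
    :raises PolicyWarning: raised by _check_policy_impact when the deletion
        could lock the administrator out
    '''
    # \Z instead of $: '$' would also accept a name with a trailing newline
    if not re.match(r'^[a-zA-Z0-9_]*\Z', name):
        raise ServerError("policy name may only contain the "
                          "characters a-zA-Z0-9_", id=8888)

    if context and 'Config' in context:
        Config = context['Config']
    else:
        Config = getLinotpConfig()

    if context and 'Policies' in context:
        policies = context['Policies']
    else:
        policies = getPolicies()

    # check if due to delete of the policy a lockout could happen
    stored = policies.get(name)
    if stored:
        # work on a copy: the policy dict may belong to the shared
        # context and must not carry the 'enforce' / 'active' markers
        # of this check afterwards
        param = dict(stored)
        # delete is same as inactive ;-)
        param['active'] = "False"
        param['name'] = name
        param['enforce'] = enforce
        _check_policy_impact(policies=policies, **param)

    prefix = "linotp.Policy.%s." % name
    # collect first, then remove, so Config is not changed while iterated
    delEntries = [entry for entry in Config if entry.startswith(prefix)]

    res = {}
    for entry in delEntries:
        log.debug("[deletePolicy] removing key: %s", entry)
        res[entry] = removeFromConfig(entry)
    return res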
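def _check_policy_impact(policies=None, scope='', action='', active='True',
                         client='', realm='', time=None, user=None,
                         name='', enforce=False):
    """
    Check whether applying a policy definition could lock the admin out.

    Only policies with scope ``system`` are examined. The candidate policy
    replaces any existing policy of the same ``name`` in a shallow copy of
    ``policies``; the resulting set is then inspected. A lockout reason is
    recorded when the candidate has no user or no realm, or when the
    resulting set contains active system policies but none of them grants
    ``write`` (or ``*``).

    ``client`` and ``time`` are carried in the candidate policy dict but
    are not examined by the check.

    :param policies: mapping of policy name -> policy dict; fetched via
        getPolicies() when empty. The mapping is never modified.
    :param scope: scope of the candidate policy; anything but 'system'
        returns immediately
    :param action: comma separated action list of the candidate policy
    :param active: 'True' / 'False' as string
    :param user: user of the candidate; None is treated as empty
    :param realm: realm of the candidate; None is treated as empty
    :param name: name of the candidate policy
    :param enforce: when True a found reason is not raised
    :return: None
    :raises PolicyWarning: when a lockout reason was found and enforce is
        False
    """
    # Currently only system policies are checked
    if scope.lower() not in ['system']:
        return

    pol = {'scope': scope,
           'action': action,
           'active': active,
           'client': client,
           'realm': realm,
           'user': user,
           'time': time,
           }

    if not policies:
        policies = getPolicies()

    # Work on a shallow copy: the caller's mapping (typically the shared
    # request context) must not end up containing the unstored candidate.
    policies = dict(policies)
    # in case of a policy change the candidate replaces the stored
    # definition of the same name for the comparison
    policies[name] = pol

    no_system_write_policy = True
    active_system_policy = False
    for policy in policies.values():
        # do we have a system policy that is active?
        p_scope = policy.get('scope', '').lower()
        p_active = policy.get('active', '').lower()
        if p_scope == 'system' and p_active == 'true':
            active_system_policy = True

            # check if there is a write in the actions
            p_actions = [act.strip()
                         for act in policy.get('action', '').split(',')]
            if '*' in p_actions or 'write' in p_actions:
                no_system_write_policy = False
                break

    reason = ''
    # for any system policy:
    # if no user is defined this can as well result in a lockout
    # (None is tolerated: it is the parameter default)
    if not (user or '').strip():
        reason = "no user defined for system policy %s!" % name

    # same for empty realm
    if not (realm or '').strip():
        reason = "no realm defined for system policy %s!" % name

    # if there has been no system policy with write option
    # and there are active system policy left
    if no_system_write_policy and active_system_policy:
        reason = "no active system policy with 'write' permission defined!"

    if reason and enforce is False:
        raise PolicyWarning("Warning: potential lockout due to policy "
                            "defintion: %s" % reason)

    # admin policy could as well result in lockout
    return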
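def _check_policy_impact(scope='', action='', active='True', client='',
                         realm='', time=None, user=None, name='',
                         enforce=False):
    """
    Check whether applying a policy definition could lock the admin out.

    Only policies with scope ``system`` are examined. The known policies
    are taken from context['Policies'] when available, else from
    getPolicies(). The candidate policy replaces any existing policy of the
    same ``name`` in a shallow copy of that mapping; the resulting set is
    then inspected. A lockout reason is recorded when the candidate has no
    user or no realm, or when the resulting set contains active system
    policies but none of them grants ``write`` (or ``*``).

    ``client`` and ``time`` are carried in the candidate policy dict but
    are not examined by the check.

    :param scope: scope of the candidate policy; anything but 'system'
        returns immediately
    :param action: comma separated action list of the candidate policy
    :param active: 'True' / 'False' as string
    :param user: user of the candidate; None is treated as empty
    :param realm: realm of the candidate; None is treated as empty
    :param name: name of the candidate policy
    :param enforce: when True a found reason is not raised
    :return: None
    :raises PolicyWarning: when a lockout reason was found and enforce is
        False
    """
    # Currently only system policies are checked
    if scope.lower() not in ['system']:
        return

    pol = {
        'scope': scope,
        'action': action,
        'active': active,
        'client': client,
        'realm': realm,
        'user': user,
        'time': time
    }

    if context and 'Policies' in context:
        policies = context['Policies']
    else:
        policies = getPolicies()

    # Work on a shallow copy: the shared request context must not end up
    # containing the unstored candidate (or lose the stored definition
    # when the check raises).
    policies = dict(policies)
    # in case of a policy change the candidate replaces the stored
    # definition of the same name for the comparison
    policies[name] = pol

    no_system_write_policy = True
    active_system_policy = False
    for policy in policies.values():
        # do we have a system policy that is active?
        p_scope = policy.get('scope', '').lower()
        p_active = policy.get('active', '').lower()
        if p_scope == 'system' and p_active == 'true':
            active_system_policy = True

            # check if there is a write in the actions
            p_actions = [act.strip()
                         for act in policy.get('action', '').split(',')]
            if '*' in p_actions or 'write' in p_actions:
                no_system_write_policy = False
                break

    reason = ''
    # for any system policy:
    # if no user is defined this can as well result in a lockout
    # (None is tolerated: it is the parameter default)
    if not (user or '').strip():
        reason = "no user defined for system policy %s!" % name

    # same for empty realm
    if not (realm or '').strip():
        reason = "no realm defined for system policy %s!" % name

    # if there has been no system policy with write option
    # and there are active system policy left
    if no_system_write_policy and active_system_policy:
        reason = "no active system policy with 'write' permission defined!"

    if reason and enforce is False:
        raise PolicyWarning("Warning: potential lockout due to policy "
                            "defintion: %s" % reason)

    # admin policy could as well result in lockout
    return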
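def create_context(self, request):
    """
    Create the request context for all controllers.

    Fills the module level ``request_context`` with the LinOTP config, the
    policies, the translator, the decoded request parameters, the
    authenticated user, the user named in the parameters, the client, the
    audit object, the default realm, the realms, the hsm (if this
    controller has one) and a few system config entries.

    :param request: the current request; request.params is read
    :return: None
    """
    linotp_config = getLinotpConfig()

    request_context['Config'] = linotp_config
    request_context['Policies'] = getPolicies()
    request_context['translate'] = translate

    initResolvers()

    def _decoded(compute, default):
        # Run one context lookup; a UnicodeDecodeError in request data is
        # logged and the default is used, so the context stays complete.
        try:
            return compute()
        except UnicodeDecodeError as exx:
            log.error("Faild to decode request parameters %r", exx)
            return default

    request_params = {}
    try:
        request_params.update(request.params)
    except UnicodeDecodeError as exx:
        log.error("Faild to decode request parameters %r", exx)
    request_context['Params'] = request_params

    request_context['AuthUser'] = _decoded(
        lambda: getUserFromRequest(request), None)

    request_context['RequestUser'] = _decoded(
        lambda: getUserFromParam(request_params, True), None)

    client = _decoded(lambda: get_client(request=request), None)
    request_context['Client'] = client

    request_context['Audit'] = Audit
    request_context['audit'] = Audit.initialize(request, client=client)

    request_context['defaultRealm'] = _decoded(
        lambda: getDefaultRealm(linotp_config), "")

    request_context['Realms'] = _decoded(getRealms, None)

    request_context['hsm'] = None
    if hasattr(self, "hsm"):
        request_context['hsm'] = self.hsm

    # copy some system entries from pylons
    syskeys = {
        "radius.nas_identifier": "LinOTP",
        "radius.dictfile": "/etc/linotp2/dictionary"
    }

    sysconfig = {}
    for key, default in syskeys.items():
        # a missing / unreadable entry is best effort: the key is skipped.
        # `except Exception` instead of a bare except, so that
        # KeyboardInterrupt / SystemExit are not swallowed here.
        try:
            sysconfig[key] = config.get(key, default)
        except Exception:
            log.info('no sytem config entry %s', key)

    request_context['SystemConfig'] = sysconfig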
def create_context(self, request, environment):
    """
    Create the request context for all controllers.

    Fills the module level ``request_context`` with the LinOTP config, the
    policies, the translator, the beaker cache manager, the decoded request
    parameters, the authenticated user, an empty user lookup cache, the
    user named in the parameters, the client, the audit object, the
    default realm, the realms, the hsm (if this controller has one) and a
    few system config entries.

    :param request: the current request; request.params is read
    :param environment: WSGI environment; 'beaker.cache' is read
    :return: None
    """
    linotp_config = getLinotpConfig()

    request_context['Config'] = linotp_config
    request_context['Policies'] = getPolicies()
    request_context['translate'] = translate
    request_context['CacheManager'] = environment['beaker.cache']

    initResolvers()

    def _decoded(compute, default):
        # Run one lookup; on a UnicodeDecodeError in the request data the
        # error is logged and the default is used instead.
        try:
            return compute()
        except UnicodeDecodeError as exx:
            log.error("Failed to decode request parameters %r" % exx)
            return default

    request_params = {}
    try:
        request_params.update(request.params)
    except UnicodeDecodeError as exx:
        log.error("Failed to decode request parameters %r" % exx)
    request_context['Params'] = request_params

    request_context['AuthUser'] = _decoded(
        lambda: getUserFromRequest(request), None)
    request_context['UserLookup'] = {}

    request_context['RequestUser'] = _decoded(
        lambda: getUserFromParam(request_params), None)

    client = _decoded(lambda: get_client(request=request), None)
    request_context['Client'] = client

    request_context['Audit'] = Audit
    request_context['audit'] = Audit.initialize(request, client=client)

    request_context['defaultRealm'] = _decoded(
        lambda: getDefaultRealm(linotp_config), "")

    request_context['Realms'] = _decoded(getRealms, None)

    request_context['hsm'] = self.hsm if hasattr(self, "hsm") else None

    # copy some system entries from pylons
    syskeys = {
        "radius.nas_identifier": "LinOTP",
        "radius.dictfile": "/etc/linotp2/dictionary"
    }
    request_context['SystemConfig'] = dict(
        (key, config.get(key, default)) for key, default in syskeys.items())
def create_context(self, request):
    """
    Create the request context for all controllers.

    Builds ``self.request_context`` from scratch with the LinOTP config,
    the policies, the translator, the decoded request parameters, the
    authenticated user, the user named in the parameters, the client, an
    empty audit dict, the default realm and the realms.

    :param request: the current request; request.params is read
    :return: None
    """
    linotp_config = getLinotpConfig()

    ctx = {}
    self.request_context = ctx
    ctx['Config'] = linotp_config
    ctx['Policies'] = getPolicies(config=linotp_config)
    ctx['translate'] = translate

    def _decoded(compute, default):
        # Run one lookup; on a UnicodeDecodeError in the request data the
        # error is logged and the default is used instead.
        try:
            return compute()
        except UnicodeDecodeError as exx:
            log.error("Faild to decode request parameters %r" % exx)
            return default

    request_params = {}
    try:
        request_params.update(request.params)
    except UnicodeDecodeError as exx:
        log.error("Faild to decode request parameters %r" % exx)
    ctx['Params'] = request_params

    ctx['AuthUser'] = _decoded(lambda: getUserFromRequest(request), None)

    ctx['RequestUser'] = _decoded(
        lambda: getUserFromParam(request_params, True), None)

    ctx['Client'] = _decoded(lambda: get_client(request=request), None)

    ctx['audit'] = {}

    ctx['defaultRealm'] = _decoded(
        lambda: getDefaultRealm(linotp_config), "")

    # the realm lookup gets the context built so far
    ctx['Realms'] = _decoded(lambda: getRealms(context=ctx), None)

    return