def __before__(self, action, **params):
'''
Here we see, what action is to be called and check the authorization
'''
try:
c.audit = request_context['audit']
c.audit['success'] = False
c.audit['client'] = get_client(request)
if action != "check_t":
check_session(request)
request_context['Audit'] = audit
return response
except webob.exc.HTTPUnauthorized as acc:
# the exception, when an abort() is called if forwarded
log.exception("[__before__::%r] webob.exception %r"
% (action, acc))
Session.rollback()
Session.close()
raise acc
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
def __before__(self, action, **params):
"""
"""
try:
log.debug('[__before__::%r] %r', action, params)
c.audit = request_context['audit']
c.audit['success'] = False
c.audit['client'] = get_client(request)
# Session handling
check_session(request)
request_context['Audit'] = audit
checkAuthorisation(scope='monitoring', method=action)
return request
except Exception as exception:
log.exception(exception)
Session.rollback()
Session.close()
return sendError(response, exception, context='before')
finally:
log.debug('[__before__::%r] done', action)
def __before__(self, action, **params):
"""
"""
try:
log.debug('[__before__::%r] %r', action, params)
audit.initialize()
c.audit['success'] = False
c.audit['client'] = get_client(request)
# Session handling
check_session(request)
self.request_context['Audit'] = audit
return request
except Exception as exception:
log.exception(exception)
Session.rollback()
Session.close()
return sendError(response, exception, context='before')
finally:
log.debug('[__before__::%r] done', action)
def __before__(self, **params):
"""
__before__ is called before every action
:param params: list of named arguments
:return: -nothing- or in case of an error a Response
created by sendError with the context info 'before'
"""
action = request_context['action']
try:
c.audit = request_context['audit']
c.audit['success'] = False
c.audit['client'] = get_client(request)
# Session handling
check_session(request)
audit = config.get('audit')
request_context['Audit'] = audit
checkAuthorisation(scope='monitoring', method=action)
return
except Exception as exception:
log.exception(exception)
Session.rollback()
Session.close()
return sendError(response, exception, context='before')
def __before__(self, action, **params):
'''
Here we see, what action is to be called and check the authorization
'''
log.debug("[__before__::%r] %r" % (action, params))
try:
c.audit = request_context['audit']
c.audit['success'] = False
c.audit['client'] = get_client(request)
if action != "check_t":
check_session(request)
request_context['Audit'] = audit
return response
except webob.exc.HTTPUnauthorized as acc:
## the exception, when an abort() is called if forwarded
log.exception("[__before__::%r] webob.exception %r" % (action, acc))
Session.rollback()
Session.close()
raise acc
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
finally:
log.debug("[__before__::%r] done" % (action))
def __before__(self, action, **params):
'''
Here we see, what action is to be called and check the authorization
'''
log.debug("[__before__::%r] %r" % (action, params))
try:
audit.initialize()
c.audit['success'] = False
c.audit['client'] = get_client()
if action != "check_t":
check_session()
return response
except webob.exc.HTTPUnauthorized as acc:
## the exception, when an abort() is called if forwarded
log.error("[__before__::%r] webob.exception %r" % (action, acc))
log.error("[__before__] %s" % traceback.format_exc())
Session.rollback()
Session.close()
raise acc
except Exception as exx:
log.error("[__before__::%r] exception %r" % (action, exx))
log.error("[__before__] %s" % traceback.format_exc())
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
finally:
log.debug("[__before__::%r] done" % (action))
def __before__(self, action, **params):
"""
"""
try:
log.debug('[__before__::%r] %r', action, params)
c.audit = request_context['audit']
c.audit['success'] = False
c.audit['client'] = get_client(request)
# Session handling
check_session(request)
request_context['Audit'] = audit
checkAuthorisation(scope='monitoring', method=action)
return request
except Exception as exception:
log.exception(exception)
Session.rollback()
Session.close()
return sendError(response, exception, context='before')
finally:
log.debug('[__before__::%r] done', action)
def __before__(self, action, **params):
log.debug("[__before__::%r] %r" % (action, params))
try:
audit.initialize()
c.audit['success'] = False
c.audit['client'] = get_client(request)
c.version = get_version()
c.licenseinfo = get_copyright_info()
c.polDefs = getPolicyDefinitions()
# Session handling for the functions, that show data:
# Also exclude custom-style.css, since the CSRF check
# will always fail and return a HTTP 401 anyway.
# A HTTP 404 makes more sense.
if request.path.lower() in [
'/manage/', '/manage', '/manage/logout',
'/manage/audittrail', '/manage/policies',
'/manage/tokenview', '/manage/userview', '/manage/help',
'/manage/custom-style.css'
]:
pass
else:
check_session(request)
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
finally:
log.debug("[__before__::%r] done" % (action))
def __before__(self, **params):
"""
__before__ is called before every action
:param params: list of named arguments
:return: -nothing- or in case of an error a Response
created by sendError with the context info 'before'
"""
action = request_context["action"]
try:
g.audit["success"] = False
g.audit["client"] = get_client(request)
# Session handling
check_session(request)
audit = config.get("audit")
request_context["Audit"] = audit
checkAuthorisation(scope="monitoring", method=action)
return
except Exception as exception:
log.error(exception)
db.session.rollback()
return sendError(response, exception, context="before")
def __before__(self, action, **params):
"""
Here we see, what action is to be called and check the authorization
"""
log.debug("[__before__::%r] %r" % (action, params))
try:
audit.initialize()
c.audit["success"] = False
c.audit["client"] = get_client()
if action != "check_t":
check_session()
return response
except webob.exc.HTTPUnauthorized as acc:
## the exception, when an abort() is called if forwarded
log.exception("[__before__::%r] webob.exception %r" % (action, acc))
Session.rollback()
Session.close()
raise acc
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
Session.rollback()
Session.close()
return sendError(response, exx, context="before")
finally:
log.debug("[__before__::%r] done" % (action))
def __before__(self, action, **params):
"""
"""
try:
log.debug('[__before__::%r] %r', action, params)
audit.initialize()
c.audit['success'] = False
c.audit['client'] = get_client(request)
# Session handling
check_session(request)
self.request_context['Audit'] = audit
return request
except Exception as exception:
log.exception(exception)
Session.rollback()
Session.close()
return sendError(response, exception, context='before')
finally:
log.debug('[__before__::%r] done', action)
def __before__(self, **params):
"""
__before__ is called before every action
:param params: list of named arguments
:return: -nothing- or in case of an error a Response
created by sendError with the context info 'before'
"""
action = request_context['action']
try:
c.audit = request_context['audit']
c.audit['success'] = False
c.audit['client'] = get_client(request)
c.version = get_version()
c.version_ref = base64.encodebytes(c.version.encode())[:6]
c.licenseinfo = get_copyright_info()
c.polDefs = getPolicyDefinitions()
c.display_provider = boolean(
request_context['Config'].get('display_provider', True))
# -------------------------------------------------------------- --
# check for support of setting admin password
c.admin_can_change_password = False
if ('linotpadmin.user' in config and
'linotpadmin.password' in config):
c.admin_can_change_password = True
# -------------------------------------------------------------- --
# Session handling for the functions, that show data:
# Also exclude custom-style.css, since the CSRF check
# will always fail and return a HTTP 401 anyway.
# A HTTP 404 makes more sense.
if request.path.lower() in ['/manage/', '/manage',
'/manage/logout',
'/manage/audittrail',
'/manage/policies',
'/manage/tokenview',
'/manage/userview',
'/manage/help',
'/manage/custom-style.css']:
pass
else:
check_session(request)
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
finally:
log.debug("[__before__::%r] done" % (action))
def __before__(self, action):
try:
c.audit = request_context['audit']
c.audit['client'] = get_client(request)
check_session(request)
except Exception as exx:
log.exception("[__before__::%r] exception %r", action, exx)
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
def __before__(self, action):
try:
c.audit = request_context['audit']
c.audit['client'] = get_client(request)
check_session(request)
except Exception as exx:
log.exception("[__before__::%r] exception %r", action, exx)
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
def __before__(self, action, **params):
try:
c.audit = request_context['audit']
c.audit['client'] = get_client(request)
request_context['Audit'] = audit
return response
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
def __before__(self, action, **params):
try:
c.audit = request_context['audit']
c.audit['client'] = get_client(request)
request_context['Audit'] = audit
return response
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
def __before__(self, action, **params):
try:
c.audit = request_context['audit']
c.audit['success'] = False
c.audit['client'] = get_client(request)
c.version = get_version()
c.version_ref = base64.encodestring(c.version)[:6]
c.licenseinfo = get_copyright_info()
c.polDefs = getPolicyDefinitions()
c.display_provider = boolean(
request_context['Config'].get('display_provider', True))
# -------------------------------------------------------------- --
# check for support of setting admin password
c.admin_can_change_password = False
if ('linotpadmin.user' in config and
'linotpadmin.password' in config):
c.admin_can_change_password = True
# -------------------------------------------------------------- --
# Session handling for the functions, that show data:
# Also exclude custom-style.css, since the CSRF check
# will always fail and return a HTTP 401 anyway.
# A HTTP 404 makes more sense.
if request.path.lower() in ['/manage/', '/manage',
'/manage/logout',
'/manage/audittrail',
'/manage/policies',
'/manage/tokenview',
'/manage/userview',
'/manage/help',
'/manage/custom-style.css']:
pass
else:
check_session(request)
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
finally:
log.debug("[__before__::%r] done" % (action))
def __before__(self, action, **params):
log.debug("[__before__::%r] %r" % (action, params))
try:
audit.initialize()
c.audit['client'] = get_client()
return response
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
finally:
log.debug("[__before__::%r] done" % (action))
def __before__(self, action):
log.debug("[__before__]")
try:
audit.initialize()
c.audit['client'] = get_client(request)
check_session(request)
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
finally:
log.debug("[__before__::%r] done" % (action))
def __before__(self, action):
log.debug("[__before__]")
try:
c.audit = self.request_context['audit']
c.audit['client'] = get_client(request)
check_session(request)
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
finally:
log.debug("[__before__::%r] done" % (action))
def __before__(self, **params):
"""
__before__ is called before every action
:param params: list of named arguments
:return: -nothing- or in case of an error a Response
created by sendError with the context info 'before'
"""
action = request_context["action"]
try:
g.audit["client"] = get_client(request)
check_session(request)
except Exception as exx:
log.error("[__before__::%r] exception %r", action, exx)
db.session.rollback()
return sendError(response, exx, context="before")
def __before__(self, **params):
"""
__before__ is called before every action
:param params: list of named arguments
:return: -nothing- or in case of an error a Response
created by sendError
"""
action = request_context['action']
try:
g.audit['client'] = get_client(request)
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
db.session.rollback()
return sendError(response, exx, context='before')
def __before__(self, action, **params):
log.debug("[__before__::%r] %r" % (action, params))
try:
c.audit = request_context['audit']
c.audit['client'] = get_client(request)
check_session(request)
request_context['Audit'] = audit
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
finally:
log.debug("[__before__::%r] done" % (action))
def __before__(self, action, **params):
log.debug("[__before__::%r] %r" % (action, params))
try:
audit.initialize()
c.audit["client"] = get_client()
return response
except Exception as exx:
log.error("[__before__::%r] exception %r" % (action, exx))
log.error("[__before__] %s" % traceback.format_exc())
Session.rollback()
Session.close()
return sendError(response, exx, context="before")
finally:
log.debug("[__before__::%r] done" % (action))
def __before__(self, action, **params):
log.debug("[__before__]")
try:
audit.initialize()
c.audit['client'] = get_client()
check_session()
except Exception as exx:
log.error("[__before__::%r] exception %r" % (action, exx))
log.error("[__before__] %s" % traceback.format_exc())
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
finally:
log.debug("[__before__::%r] done" % (action))
def __before__(self, action, **params):
log.debug("[__before__::%r] %r" % (action, params))
try:
c.audit = request_context['audit']
c.audit['client'] = get_client(request)
if request_context: # XXX why this check?
request_context['Audit'] = audit
return response
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
finally:
log.debug("[__before__::%r] done" % (action))
def __before__(self, **params):
'''
'''
action = request_context['action']
try:
g.audit['success'] = False
g.audit['client'] = get_client(request)
# Session handling
if action not in ['getsession', 'dropsession']:
check_session(request, scope='helpdesk')
except Exception as exx:
log.exception("[__before__::%r] exception", action)
db.session.rollback()
return sendError(None, exx, context='before')
def __before__(self, **params):
"""
__before__ is called before every action
Here we see, what action is to be called and check the authorization
:param params: list of named arguments
:return: -nothing- or in case of an error a Response
created by sendError with the context info 'before'
"""
action = request_context['action']
try:
c.audit = request_context['audit']
c.audit['success'] = False
c.audit['client'] = get_client(request)
if action != "check_t":
check_session(request)
audit = config.get('audit')
request_context['Audit'] = audit
return
except flap.HTTPUnauthorized as acc:
# the exception, when an abort() is called if forwarded
log.exception("[__before__::%r] webob.exception %r" %
(action, acc))
Session.rollback()
Session.close()
raise acc
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
def __before__(self, action, **params):
log.debug("[__before__::%r] %r" % (action, params))
try:
audit.initialize()
c.audit["success"] = False
c.audit["client"] = get_client()
c.version = get_version()
c.licenseinfo = get_copyright_info()
c.polDefs = getPolicyDefinitions()
# Session handling for the functions, that show data:
# Also exclude custom-style.css, since the CSRF check
# will always fail and return a HTTP 401 anyway.
# A HTTP 404 makes more sense.
if request.path.lower() in [
"/manage/",
"/manage",
"/manage/logout",
"/manage/audittrail",
"/manage/policies",
"/manage/tokenview",
"/manage/userview",
"/manage/help",
"/manage/custom-style.css",
]:
pass
else:
check_session()
except Exception as exx:
log.error("[__before__::%r] exception %r" % (action, exx))
log.error("[__before__] %s" % traceback.format_exc())
Session.rollback()
Session.close()
return sendError(response, exx, context="before")
finally:
log.debug("[__before__::%r] done" % (action))
def __before__(self, **params):
"""
__before__ is called before every action
:param params: list of named arguments
:return: -nothing- or in case of an error a Response
created by sendError with the context info 'before'
"""
action = request_context['action']
try:
c.audit = request_context['audit']
c.audit['client'] = get_client(request)
check_session(request)
audit = config.get('audit')
request_context['Audit'] = audit
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
def __before__(self, action, **params):
"""
"""
try:
c.audit = request_context['audit']
c.audit['success'] = False
c.audit['client'] = get_client(request)
# Session handling
check_session(request)
request_context['Audit'] = audit
checkAuthorisation(scope='reporting.access', method=action)
return request
except Exception as exception:
log.exception(exception)
Session.rollback()
Session.close()
return sendError(response, exception, context='before')
def __before__(self, action, **params):
"""
"""
try:
c.audit = request_context['audit']
c.audit['success'] = False
c.audit['client'] = get_client(request)
# Session handling
check_session(request)
request_context['Audit'] = audit
checkAuthorisation(scope='reporting.access', method=action)
return request
except Exception as exception:
log.exception(exception)
Session.rollback()
Session.close()
return sendError(response, exception, context='before')
def __before__(self, action, **params):
log.debug("[__before__::%r] %r" % (action, params))
try:
c.audit = request_context['audit']
c.audit['success'] = False
c.audit['client'] = get_client(request)
c.version = get_version()
c.licenseinfo = get_copyright_info()
c.polDefs = getPolicyDefinitions()
# Session handling for the functions, that show data:
# Also exclude custom-style.css, since the CSRF check
# will always fail and return a HTTP 401 anyway.
# A HTTP 404 makes more sense.
if request.path.lower() in ['/manage/', '/manage',
'/manage/logout',
'/manage/audittrail',
'/manage/policies',
'/manage/tokenview',
'/manage/userview',
'/manage/help',
'/manage/custom-style.css']:
pass
else:
check_session(request)
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
finally:
log.debug("[__before__::%r] done" % (action))
def __before__(self, action, **params):
'''
'''
try:
c.audit = request_context['audit']
c.audit['success'] = False
c.audit['client'] = get_client(request)
request_context['Audit'] = audit
# Session handling
if action not in ['getsession', 'dropsession']:
check_session(request, scope='helpdesk')
return request
except Exception as exx:
log.exception("[__before__::%r] exception", action)
Session.rollback()
Session.close()
return sendError(response, exx, context='before')
def __before__(self, action, **params):
log.debug("[__before__::%r]" % (action))
valid_request = False
try:
for key, value in params.items():
log.debug("[__before__::%r:%r]" % (key, value))
audit.initialize()
c.audit['client'] = get_client()
self.storage = config.get('openid_sql')
getCookieExpire = int(config.get("linotpOpenID.CookieExpire", -1))
self.COOKIE_EXPIRE = 3600
if getCookieExpire >= 0:
self.COOKIE_EXPIRE = getCookieExpire
c.logged_in = False
c.login = ""
c.version = get_version()
c.licenseinfo = get_copyright_info()
http_host = request.environ.get("HTTP_HOST")
log.debug("[__before__] Doing openid request from host %s" %
http_host)
if not is_valid_fqdn(http_host, split_port=True):
err = "Bad hostname: %s" % http_host
audit.log(c.audit)
c.audit["action_detail"] = err
log.error(err)
raise HTTPBadRequest(err)
self.BASEURL = request.environ.get(
"wsgi.url_scheme") + "://" + http_host
# check if the browser is logged in
login = request.cookies.get(COOKIE_NAME)
if login:
c.logged_in = True
## default return for the __before__ and __after__
log.debug("[__before__::%r]" % (response))
valid_request = True
return response
except PolicyException as pex:
log.error("[__before__::%r] policy exception %r" % (action, pex))
log.error("[__before__] %s" % traceback.format_exc())
return sendError(response, pex, context='before')
except webob.exc.HTTPUnauthorized as acc:
## the exception, when an abort() is called if forwarded
log.error("[__before__::%r] webob.exception %r" % (action, acc))
log.error("[__before__] %s" % traceback.format_exc())
raise acc
except Exception as exx:
log.error("[__before__::%r] exception %r" % (action, exx))
log.error("[__before__] %s" % traceback.format_exc())
return sendError(response, exx, context='before')
finally:
if valid_request is False:
self.storage.session.rollback()
self.storage.session.close()
log.debug("[__before__::%r] done" % (action))
def __before__(self, action):
'''
This is the authentication to self service
If you want to do ANYTHING with selfservice, you need to be
authenticated. The _before_ is executed before any other function
in this controller.
'''
try:
param = request.params
audit.initialize()
c.audit['success'] = False
c.audit['client'] = get_client(request)
c.version = get_version()
c.licenseinfo = get_copyright_info()
self.request_context['Audit'] = audit
(auth_type, auth_user) = get_auth_user(request)
if not auth_user or auth_type not in ['repoze', 'selftest']:
abort(401, "You are not authenticated")
(c.user, _foo, c.realm) = auth_user.rpartition('@')
self.authUser = User(c.user, c.realm, '')
if auth_type == "repoze":
# checking the session
if (False == check_selfservice_session(request,
request.url,
request.path,
request.cookies,
request.params
)):
c.audit['action'] = request.path[1:]
c.audit['info'] = "session expired"
audit.log(c.audit)
abort(401, "No valid session")
c.imprint = get_imprint(c.realm)
c.tokenArray = []
c.user = self.authUser.login
c.realm = self.authUser.realm
c.tokenArray = getTokenForUser(self.authUser)
# only the defined actions should be displayed
# - remark: the generic actions like enrollTT are allready approved
# to have a rendering section and included
actions = getSelfserviceActions(self.authUser,
context=self.request_context)
c.actions = actions
for policy in actions:
if "=" in policy:
(name, val) = policy.split('=')
val = val.strip()
# try if val is a simple numeric -
# w.r.t. javascript evaluation
try:
nval = int(val)
except:
nval = val
c.__setattr__(name.strip(), nval)
c.dynamic_actions = add_dynamic_selfservice_enrollment(config,
c.actions)
# we require to establish all token local defined
# policies to be initialiezd
additional_policies = add_dynamic_selfservice_policies(config,
actions)
for policy in additional_policies:
c.__setattr__(policy, -1)
c.otplen = -1
c.totp_len = -1
return response
except webob.exc.HTTPUnauthorized as acc:
# the exception, when an abort() is called if forwarded
log.info("[__before__::%r] webob.exception %r" % (action, acc))
log.info("[__before__] %s" % traceback.format_exc())
Session.rollback()
Session.close()
raise acc
except Exception as e:
log.exception("[__before__] failed with error: %r" % e)
Session.rollback()
Session.close()
return sendError(response, e, context='before')
finally:
log.debug('[__after__] done')
def create_context(self, request):
"""
create the request context for all controllers
"""
linotp_config = getLinotpConfig()
self.request_context = {}
self.request_context['Config'] = linotp_config
self.request_context['Policies'] = getPolicies(config=linotp_config)
self.request_context['translate'] = translate
request_params = {}
try:
request_params.update(request.params)
except UnicodeDecodeError as exx:
log.error("Faild to decode request parameters %r" % exx)
self.request_context['Params'] = request_params
authUser = None
try:
authUser = getUserFromRequest(request)
except UnicodeDecodeError as exx:
log.error("Faild to decode request parameters %r" % exx)
self.request_context['AuthUser'] = authUser
requestUser = None
try:
requestUser = getUserFromParam(request_params, True)
except UnicodeDecodeError as exx:
log.error("Faild to decode request parameters %r" % exx)
self.request_context['RequestUser'] = requestUser
client = None
try:
client = get_client(request=request)
except UnicodeDecodeError as exx:
log.error("Faild to decode request parameters %r" % exx)
self.request_context['Client'] = client
self.request_context['audit'] = {}
defaultRealm = ""
try:
defaultRealm = getDefaultRealm(linotp_config)
except UnicodeDecodeError as exx:
log.error("Faild to decode request parameters %r" % exx)
self.request_context['defaultRealm'] = defaultRealm
realms = None
try:
realms = getRealms(context=self.request_context)
except UnicodeDecodeError as exx:
log.error("Faild to decode request parameters %r" % exx)
self.request_context['Realms'] = realms
return
def __before__(self, action, **params):
log.debug("[__before__::%r]" % (action))
valid_request = False
try:
for key, value in params.items():
log.debug("[__before__::%r:%r]" % (key, value))
c.audit = request_context[audit]
c.audit['client'] = get_client(request)
request_context['Audit'] = audit
self.storage = config.get('openid_sql')
getCookieExpire = int(config.get("linotpOpenID.CookieExpire", -1))
self.COOKIE_EXPIRE = 3600
if getCookieExpire >= 0:
self.COOKIE_EXPIRE = getCookieExpire
c.logged_in = False
c.login = ""
c.version = get_version()
c.licenseinfo = get_copyright_info()
http_host = request.environ.get("HTTP_HOST")
log.debug("[__before__] Doing openid request from host %s" % http_host)
if not is_valid_fqdn(http_host, split_port=True):
err = "Bad hostname: %s" % http_host
audit.log(c.audit)
c.audit["action_detail"] = err
log.error(err)
raise HTTPBadRequest(err)
self.BASEURL = request.environ.get("wsgi.url_scheme") + "://" + http_host
# check if the browser is logged in
login = request.cookies.get(COOKIE_NAME)
if login:
c.logged_in = True
## default return for the __before__ and __after__
log.debug("[__before__::%r]" % (response))
valid_request = True
return response
except PolicyException as pex:
log.exception("[__before__::%r] policy exception %r" % (action, pex))
return sendError(response, pex, context='before')
except webob.exc.HTTPUnauthorized as acc:
## the exception, when an abort() is called if forwarded
log.exception("[__before__::%r] webob.exception %r" % (action, acc))
raise acc
except Exception as exx:
log.exception("[__before__::%r] exception %r" % (action, exx))
return sendError(response, exx, context='before')
finally:
if valid_request is False:
self.storage.session.rollback()
self.storage.session.close()
log.debug("[__before__::%r] done" % (action))
def __before__(self, action):
'''
This is the authentication to self service
If you want to do ANYTHING with selfservice, you need to be
authenticated. The _before_ is executed before any other function
in this controller.
'''
try:
param = request.params
audit.initialize()
c.audit['success'] = False
c.audit['client'] = get_client()
c.version = get_version()
c.licenseinfo = get_copyright_info()
if isSelfTest():
log.debug("[__before__] Doing selftest!")
uuser = getParam(param, "selftest_user", True)
if uuser is not None:
(c.user, _foo, c.realm) = uuser.rpartition('@')
else:
c.realm = ""
c.user = "******"
env = request.environ
uuser = env.get('REMOTE_USER')
if uuser is not None:
(c.user, _foo, c.realm) = uuser.rpartition('@')
self.authUser = User(c.user, c.realm, '')
log.debug("[__before__] authenticating as %s in realm %s!" % (c.user, c.realm))
else:
# Use WebAuth instead of LinOTP auth.
identity = request.environ.get('REMOTE_USER')
if identity is None:
abort(401, "You are not authenticated")
c.user = identity
# Put their current realm as the first one we find them in.
# Doesn't really matter since tokens are realm-independent.
realms = getAllUserRealms(User(identity, "", ""))
if (realms):
c.realm = realms[0]
self.authUser = User(c.user, c.realm, '')
# Check token expiry.
age = int(request.environ.get('WEBAUTH_TOKEN_EXPIRATION')) - time.time()
# Set selfservice cookie
response.set_cookie('linotp_selfservice', 'REMOTE_USER', max_age = int(age))
# Set userservice auth cookie
self.client = get_client()
authcookie = create_auth_cookie(config, identity, self.client)
response.set_cookie('userauthcookie', authcookie, max_age=360*24)
log.debug("[__before__] set the self.authUser to: %s, %s " % (self.authUser.login, self.authUser.realm))
log.debug('[__before__] param for action %s: %s' % (action, param))
# checking the session
if (False == check_selfservice_session(request.url,
request.path,
request.cookies,
request.params)):
c.audit['action'] = request.path[1:]
c.audit['info'] = "session expired"
audit.log(c.audit)
abort(401, "No valid session")
c.imprint = get_imprint(c.realm)
c.tokenArray = []
c.user = self.authUser.login
c.realm = self.authUser.realm
c.tokenArray = getTokenForUser(self.authUser)
# only the defined actions should be displayed
# - remark: the generic actions like enrollTT are allready approved
# to have a rendering section and included
actions = getSelfserviceActions(self.authUser)
c.actions = actions
for policy in actions:
if "=" in policy:
(name, val) = policy.split('=')
val = val.strip()
# try if val is a simple numeric -
# w.r.t. javascript evaluation
try:
nval = int(val)
except:
nval = val
c.__setattr__(name.strip(), nval)
c.dynamic_actions = add_dynamic_selfservice_enrollment(config,
c.actions)
# we require to establish all token local defined
# policies to be initialiezd
additional_policies = add_dynamic_selfservice_policies(config,
actions)
for policy in additional_policies:
c.__setattr__(policy, -1)
c.otplen = -1
c.totp_len = -1
return response
except webob.exc.HTTPUnauthorized as acc:
# the exception, when an abort() is called if forwarded
log.info("[__before__::%r] webob.exception %r" % (action, acc))
log.info("[__before__] %s" % traceback.format_exc())
Session.rollback()
Session.close()
raise acc
except Exception as e:
log.error("[__before__] failed with error: %r" % e)
log.error("[__before__] %s" % traceback.format_exc())
Session.rollback()
Session.close()
return sendError(response, e, context='before')
finally:
log.debug('[__before__] done')
def __before__(self, **params):
"""
__before__ is called before every action
:param params: list of named arguments
:return: -nothing- or in case of an error a Response
created by sendError with the context info 'before'
"""
action = request_context["action"]
try:
g.audit["success"] = False
g.audit["client"] = get_client(request)
c.version = get_version()
c.version_ref = base64.encodebytes(c.version.encode())[:6]
c.licenseinfo = get_copyright_info()
c.polDefs = get_policy_definitions()
c.display_provider = boolean(
request_context["Config"].get("display_provider", True)
)
# -------------------------------------------------------------- --
# check for support of setting admin password
c.admin_can_change_password = False
if (
"linotpadmin.user" in config
and "linotpadmin.password" in config
):
c.admin_can_change_password = True
# -------------------------------------------------------------- --
# Session handling for the functions, that show data:
# Also exclude custom-style.css, since the CSRF check
# will always fail and return a HTTP 401 anyway.
# A HTTP 404 makes more sense.
if request.path.lower() in [
"/manage/",
"/manage",
"/manage/login",
"/manage/audittrail",
"/manage/policies",
"/manage/tokenview",
"/manage/userview",
"/manage/help",
"/manage/custom-style.css",
]:
pass
else:
check_session(request)
except Exception as exx:
log.error("[__before__::%r] exception %r", action, exx)
db.session.rollback()
return sendError(response, exx, context="before")
finally:
log.debug("[__before__::%r] done", action)
def create_context(self, request, environment):
"""
create the request context for all controllers
"""
linotp_config = getLinotpConfig()
request_context['Config'] = linotp_config
request_context['Policies'] = parse_policies(linotp_config)
request_context['translate'] = translate
request_context['CacheManager'] = environment['beaker.cache']
initResolvers()
request_params = {}
try:
request_params.update(request.params)
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r" % exx)
request_context['Params'] = request_params
authUser = None
try:
authUser = getUserFromRequest(request)
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r" % exx)
request_context['AuthUser'] = authUser
request_context['UserLookup'] = {}
requestUser = None
try:
requestUser = getUserFromParam(request_params)
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r" % exx)
request_context['RequestUser'] = requestUser
client = None
try:
client = get_client(request=request)
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r" % exx)
request_context['Client'] = client
request_context['Audit'] = Audit
request_context['audit'] = Audit.initialize(request, client=client)
defaultRealm = ""
try:
defaultRealm = getDefaultRealm(linotp_config)
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r" % exx)
request_context['defaultRealm'] = defaultRealm
realms = None
try:
realms = getRealms()
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r" % exx)
request_context['Realms'] = realms
request_context['hsm'] = None
if hasattr(self, "hsm"):
request_context['hsm'] = self.hsm
# copy some system entries from pylons
syskeys = {
"radius.nas_identifier": "LinOTP",
"radius.dictfile": "/etc/linotp2/dictionary"
}
sysconfig = {}
for key, default in syskeys.items():
sysconfig[key] = config.get(key, default)
request_context['SystemConfig'] = sysconfig
def __before__(self, action):
'''
This is the authentication to self service. If you want to do
ANYTHING with the selfservice, you need to be authenticated. The
_before_ is executed before any other function in this controller.
'''
try:
c.audit = request_context['audit']
c.audit['success'] = False
c.audit['client'] = get_client(request)
c.version = get_version()
c.licenseinfo = get_copyright_info()
request_context['Audit'] = audit
(auth_type, auth_user) = get_auth_user(request)
if not auth_user or auth_type not in ['repoze', 'selftest']:
abort(401, "You are not authenticated")
(c.user, _foo, c.realm) = auth_user.rpartition('@')
self.authUser = User(c.user, c.realm, '')
if auth_type == "repoze":
# checking the session only for not_form_access actions
if action not in self.form_access_methods:
call_url = "selfservice/%s" % action
valid_session = check_selfservice_session(
url=call_url,
cookies=request.cookies,
params=request.params)
if not valid_session:
c.audit['action'] = request.path[1:]
c.audit['info'] = "session expired"
audit.log(c.audit)
abort(401, "No valid session")
c.imprint = get_imprint(c.realm)
c.tokenArray = []
c.user = self.authUser.login
c.realm = self.authUser.realm
# only the defined actions should be displayed
# - remark: the generic actions like enrollTT are allready approved
# to have a rendering section and included
actions = getSelfserviceActions(self.authUser)
c.actions = actions
for policy in actions:
if policy:
if "=" not in policy:
c.__setattr__(policy, -1)
else:
(name, val) = policy.split('=')
val = val.strip()
# try if val is a simple numeric -
# w.r.t. javascript evaluation
try:
nval = int(val)
except:
nval = val
c.__setattr__(name.strip(), nval)
c.dynamic_actions = add_dynamic_selfservice_enrollment(
config, c.actions)
# we require to establish all token local defined
# policies to be initialiezd
additional_policies = add_dynamic_selfservice_policies(
config, actions)
for policy in additional_policies:
c.__setattr__(policy, -1)
c.otplen = -1
c.totp_len = -1
return response
except webob.exc.HTTPUnauthorized as acc:
# the exception, when an abort() is called if forwarded
log.info("[__before__::%r] webob.exception %r" % (action, acc))
log.info("[__before__] %s" % traceback.format_exc())
Session.rollback()
Session.close()
raise acc
except Exception as e:
log.exception("[__before__] failed with error: %r" % e)
Session.rollback()
Session.close()
return sendError(response, e, context='before')
finally:
log.debug('[__after__] done')
def __before__(self, action):
'''
This is the authentication to self service
If you want to do ANYTHING with selfservice, you need to be
authenticated. The _before_ is executed before any other function
in this controller.
'''
try:
param = request.params
audit.initialize()
c.audit['success'] = False
c.audit['client'] = get_client()
c.version = get_version()
c.licenseinfo = get_copyright_info()
if isSelfTest():
log.debug("[__before__] Doing selftest!")
uuser = getParam(param, "selftest_user", True)
if uuser is not None:
(c.user, _foo, c.realm) = uuser.rpartition('@')
else:
c.realm = ""
c.user = "******"
env = request.environ
uuser = env.get('REMOTE_USER')
if uuser is not None:
(c.user, _foo, c.realm) = uuser.rpartition('@')
if c.user in ['--u--']:
abort(401, "No valid session")
self.authUser = User(c.user, c.realm, '')
log.debug("[__before__] authenticating as %s in realm %s!"
% (c.user, c.realm))
else:
identity = request.environ.get('repoze.who.identity')
if identity is None:
abort(401, "You are not authenticated")
log.debug("[__before__] doing getAuthFromIdentity in action %s"
% action)
user_id = request.environ.get('repoze.who.identity')\
.get('repoze.who.userid')
if type(user_id) == unicode:
user_id = user_id.encode(ENCODING)
identity = user_id.decode(ENCODING)
log.debug("[__before__] getting identity from repoze.who: %r"
% identity)
(c.user, _foo, c.realm) = identity.rpartition('@')
self.authUser = User(c.user, c.realm, '')
log.debug("[__before__] set the self.authUser to: %s, %s "
% (self.authUser.login, self.authUser.realm))
log.debug('[__before__] param for action %s: %s'
% (action, param))
# checking the session
if (False == check_selfservice_session(request.url,
request.path,
request.cookies,
request.params
)):
c.audit['action'] = request.path[1:]
c.audit['info'] = "session expired"
audit.log(c.audit)
abort(401, "No valid session")
c.imprint = get_imprint(c.realm)
c.tokenArray = []
c.user = self.authUser.login
c.realm = self.authUser.realm
c.tokenArray = getTokenForUser(self.authUser)
# only the defined actions should be displayed
# - remark: the generic actions like enrollTT are allready approved
# to have a rendering section and included
actions = getSelfserviceActions(self.authUser)
c.actions = actions
for policy in actions:
if "=" in policy:
(name, val) = policy.split('=')
val = val.strip()
# try if val is a simple numeric -
# w.r.t. javascript evaluation
try:
nval = int(val)
except:
nval = val
c.__setattr__(name.strip(), nval)
c.dynamic_actions = add_dynamic_selfservice_enrollment(config,
c.actions)
# we require to establish all token local defined
# policies to be initialiezd
additional_policies = add_dynamic_selfservice_policies(config,
actions)
for policy in additional_policies:
c.__setattr__(policy, -1)
c.otplen = -1
c.totp_len = -1
return response
except webob.exc.HTTPUnauthorized as acc:
# the exception, when an abort() is called if forwarded
log.info("[__before__::%r] webob.exception %r" % (action, acc))
log.info("[__before__] %s" % traceback.format_exc())
Session.rollback()
Session.close()
raise acc
except Exception as e:
log.error("[__before__] failed with error: %r" % e)
log.error("[__before__] %s" % traceback.format_exc())
Session.rollback()
Session.close()
return sendError(response, e, context='before')
finally:
log.debug('[__after__] done')
def create_context(self, request, environment):
"""
create the request context for all controllers
"""
linotp_config = getLinotpConfig()
request_context['Config'] = linotp_config
request_context['Policies'] = parse_policies(linotp_config)
request_context['translate'] = translate
request_context['CacheManager'] = environment['beaker.cache']
request_context['Path'] = environment.get("PATH_INFO", "") or ""
request_context['hsm'] = self.hsm
request_params = {}
try:
request_params.update(request.params)
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r" % exx)
request_context['Params'] = request_params
initResolvers()
client = None
try:
client = get_client(request=request)
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r" % exx)
request_context['Client'] = client
request_context['Audit'] = Audit
request_context['audit'] = Audit.initialize(request, client=client)
authUser = None
try:
authUser = getUserFromRequest(request)
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r" % exx)
request_context['AuthUser'] = authUser
request_context['UserLookup'] = {}
requestUser = None
try:
requestUser = getUserFromParam(request_params)
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r" % exx)
request_context['RequestUser'] = requestUser
defaultRealm = ""
try:
defaultRealm = getDefaultRealm(linotp_config)
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r" % exx)
request_context['defaultRealm'] = defaultRealm
realms = None
try:
realms = getRealms()
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r" % exx)
request_context['Realms'] = realms
# ------------------------------------------------------------------ --
# for the setup of encrypted data, we require the hsm is instatiated
# and available in the request context
if not self.secret_key:
init_key_partition(linotp_config, partition=0)
# ------------------------------------------------------------------ --
# copy some system entries from pylons
syskeys = {
"radius.nas_identifier": "LinOTP",
"radius.dictfile": "/etc/linotp2/dictionary"
}
sysconfig = {}
for key, default in syskeys.items():
sysconfig[key] = config.get(key, default)
request_context['SystemConfig'] = sysconfig
def __before__(self, action):
'''
This is the authentication to self service. If you want to do
ANYTHING with the selfservice, you need to be authenticated. The
_before_ is executed before any other function in this controller.
'''
self.redirect = None
try:
c.version = get_version()
c.licenseinfo = get_copyright_info()
c.audit = request_context['audit']
c.audit['success'] = False
self.client = get_client(request)
c.audit['client'] = self.client
request_context['Audit'] = audit
# -------------------------------------------------------------- --
# handle requests which dont require authetication
if action in ['logout', 'custom_style']:
return
# -------------------------------------------------------------- --
# get the authenticated user
auth_type, auth_user, auth_state = get_auth_user(request)
# -------------------------------------------------------------- --
# handle not authenticated requests
if not auth_user or auth_type not in ['user_selfservice']:
if action in ['login']:
return
if action in ['index']:
self.redirect = True
redirect(url(controller='selfservice', action='login'))
else:
abort(403, "No valid session")
# -------------------------------------------------------------- --
# handle authenticated requests
# there is only one special case, which is the login that
# could be forwarded to the index page
if action in ['login']:
if auth_state != 'authenticated':
return
self.redirect = True
redirect(url(controller='selfservice', action='index'))
# -------------------------------------------------------------- --
# in case of user_selfservice, an unauthenticated request should always go to login
if auth_user and auth_type is 'user_selfservice' \
and auth_state is not 'authenticated':
self.redirect = True
redirect(url(controller='selfservice', action='login'))
# futher processing with the authenticated user
if auth_state != 'authenticated':
abort(403, "No valid session")
c.user = auth_user.login
c.realm = auth_user.realm
self.authUser = auth_user
# -------------------------------------------------------------- --
# authenticated session verification
if auth_type == 'user_selfservice':
# checking the session only for not_form_access actions
if action not in self.form_access_methods:
valid_session = check_session(request, auth_user,
self.client)
if not valid_session:
c.audit['action'] = request.path[1:]
c.audit['info'] = "session expired"
audit.log(c.audit)
abort(403, "No valid session")
# -------------------------------------------------------------- --
c.imprint = get_imprint(c.realm)
c.tokenArray = []
c.user = self.authUser.login
c.realm = self.authUser.realm
# only the defined actions should be displayed
# - remark: the generic actions like enrollTT are allready approved
# to have a rendering section and included
actions = getSelfserviceActions(self.authUser)
c.actions = actions
for policy in actions:
if policy:
if "=" not in policy:
c.__setattr__(policy, -1)
else:
(name, val) = policy.split('=')
val = val.strip()
# try if val is a simple numeric -
# w.r.t. javascript evaluation
try:
nval = int(val)
except ValueError:
nval = val
c.__setattr__(name.strip(), nval)
c.dynamic_actions = add_dynamic_selfservice_enrollment(
config, c.actions)
# we require to establish all token local defined
# policies to be initialiezd
additional_policies = add_dynamic_selfservice_policies(
config, actions)
for policy in additional_policies:
c.__setattr__(policy, -1)
c.otplen = -1
c.totp_len = -1
c.pin_policy = _get_auth_PinPolicy(user=self.authUser)
return response
except (webob.exc.HTTPUnauthorized, webob.exc.HTTPForbidden) as acc:
# the exception, when an abort() is called if forwarded
log.info("[__before__::%r] webob.exception %r" % (action, acc))
Session.rollback()
Session.close()
raise acc
except HTTPFound as exx:
raise exx
except Exception as e:
log.exception("[__before__] failed with error: %r" % e)
Session.rollback()
Session.close()
return sendError(response, e, context='before')
def create_context(self, request, environment):
"""
create the request context for all controllers
"""
linotp_config = getLinotpConfig()
# make the request id available in the request context
request_context['RequestId'] = environment['REQUEST_ID']
# a request local cache to get the user info from the resolver
request_context['UserLookup'] = {}
# a request local cache to get the resolver from user and realm
request_context['UserRealmLookup'] = {}
request_context['Config'] = linotp_config
request_context['Policies'] = parse_policies(linotp_config)
request_context['translate'] = translate
request_context['CacheManager'] = environment['beaker.cache']
routes = environment.get('pylons.routes_dict', {})
path = "/%s/%s" % (routes['controller'], routes['action'])
request_context['Path'] = path
request_context['hsm'] = self.hsm
initResolvers()
client = None
try:
client = get_client(request=request)
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r" % exx)
request_context['Client'] = client
request_context['Audit'] = Audit
request_context['audit'] = Audit.initialize(request, client=client)
authUser = None
try:
authUser = getUserFromRequest(request)
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r" % exx)
request_context['AuthUser'] = authUser
request_context['UserLookup'] = {}
# ------------------------------------------------------------------ --
# get the current resolvers
resolvers = []
try:
resolvers = getResolverList(config=linotp_config)
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r" % exx)
request_context['Resolvers'] = resolvers
# ------------------------------------------------------------------ --
# get the current realms
realms = {}
try:
realms = getRealms()
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r" % exx)
request_context['Realms'] = realms
# ------------------------------------------------------------------ --
defaultRealm = ""
try:
defaultRealm = getDefaultRealm(linotp_config)
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r" % exx)
request_context['defaultRealm'] = defaultRealm
# ------------------------------------------------------------------ --
# load the requesting user
from linotp.useridresolver.UserIdResolver import (
ResolverNotAvailable)
requestUser = None
try:
requestUser = getUserFromParam(self.request_params)
except UnicodeDecodeError as exx:
log.error("Failed to decode request parameters %r", exx)
except (ResolverNotAvailable, NoResolverFound) as exx:
log.error("Failed to connect to server %r", exx)
request_context['RequestUser'] = requestUser
# ------------------------------------------------------------------ --
# load the providers
from linotp.provider import Provider_types
from linotp.provider import getProvider
provider = {}
for provider_type in Provider_types.keys():
provider[provider_type] = getProvider(provider_type)
request_context['Provider'] = provider
# ------------------------------------------------------------------ --
# for the setup of encrypted data, we require the hsm is instatiated
# and available in the request context
if not self.secret_key:
init_key_partition(linotp_config, partition=0)
# ------------------------------------------------------------------ --
# copy some system entries from pylons
syskeys = {
"radius.nas_identifier": "LinOTP",
"radius.dictfile": "/etc/linotp2/dictionary"
}
sysconfig = {}
for key, default in syskeys.items():
sysconfig[key] = config.get(key, default)
request_context['SystemConfig'] = sysconfig
def create_context(self, request):
"""
create the request context for all controllers
"""
linotp_config = getLinotpConfig()
request_context['Config'] = linotp_config
request_context['Policies'] = getPolicies()
request_context['translate'] = translate
initResolvers()
request_params = {}
try:
request_params.update(request.params)
except UnicodeDecodeError as exx:
log.error("Faild to decode request parameters %r" % exx)
request_context['Params'] = request_params
authUser = None
try:
authUser = getUserFromRequest(request)
except UnicodeDecodeError as exx:
log.error("Faild to decode request parameters %r" % exx)
request_context['AuthUser'] = authUser
requestUser = None
try:
requestUser = getUserFromParam(request_params, True)
except UnicodeDecodeError as exx:
log.error("Faild to decode request parameters %r" % exx)
request_context['RequestUser'] = requestUser
client = None
try:
client = get_client(request=request)
except UnicodeDecodeError as exx:
log.error("Faild to decode request parameters %r" % exx)
request_context['Client'] = client
request_context['Audit'] = Audit
request_context['audit'] = Audit.initialize(request,
client=client)
defaultRealm = ""
try:
defaultRealm = getDefaultRealm(linotp_config)
except UnicodeDecodeError as exx:
log.error("Faild to decode request parameters %r" % exx)
request_context['defaultRealm'] = defaultRealm
realms = None
try:
realms = getRealms()
except UnicodeDecodeError as exx:
log.error("Faild to decode request parameters %r" % exx)
request_context['Realms'] = realms
request_context['hsm'] = None
if hasattr(self, "hsm"):
request_context['hsm'] = self.hsm
# copy some system entries from pylons
syskeys = {
"radius.nas_identifier": "LinOTP",
"radius.dictfile": "/etc/linotp2/dictionary"
}
sysconfig = {}
for key, default in syskeys.items():
try:
sysconfig[key] = config.get(key, default)
except:
log.info('no sytem config entry %s' % key)
request_context['SystemConfig'] = sysconfig
def __before__(self, **params):
"""
__before__ is called before every action
This is the authentication to self service. If you want to do
ANYTHING with the selfservice, you need to be authenticated. The
_before_ is executed before any other function in this controller.
:param params: list of named arguments
:return: -nothing- or in case of an error a Response
created by sendError with the context info 'before'
"""
action = request_context['action']
self.redirect = None
try:
c.version = get_version()
c.licenseinfo = get_copyright_info()
c.version_ref = base64.encodebytes(c.version.encode())[:6]
g.audit['success'] = False
self.client = get_client(request)
g.audit['client'] = self.client
# -------------------------------------------------------------- --
# handle requests which dont require authetication
if action in ['logout', 'custom_style']:
return
# -------------------------------------------------------------- --
# get the authenticated user
auth_type, auth_user, auth_state = get_auth_user(request)
# -------------------------------------------------------------- --
# handle not authenticated requests
if not auth_user or auth_type not in ['user_selfservice']:
if action in ['login']:
return
if action in ['index']:
self.redirect = True
return redirect(url_for('.login'))
else:
raise Unauthorized('No valid session')
# -------------------------------------------------------------- --
# handle authenticated requests
# there is only one special case, which is the login that
# could be forwarded to the index page
if action in ['login']:
if auth_state != 'authenticated':
return
self.redirect = True
return redirect(url_for('.index'))
# -------------------------------------------------------------- --
# in case of user_selfservice, an unauthenticated request should always go to login
if auth_user and auth_type == 'user_selfservice' \
and auth_state != 'authenticated':
self.redirect = True
return redirect(url_for('.login'))
# futher processing with the authenticated user
if auth_state != 'authenticated':
raise Unauthorized('No valid session')
c.user = auth_user.login
c.realm = auth_user.realm
self.authUser = auth_user
# -------------------------------------------------------------- --
# authenticated session verification
if auth_type == 'user_selfservice':
# checking the session only for not_form_access actions
if action not in self.form_access_methods:
valid_session = check_session(request,
auth_user,
self.client)
if not valid_session:
g.audit['action'] = request.path[1:]
g.audit['info'] = "session expired"
current_app.audit_obj.log(g.audit)
raise Unauthorized('No valid session')
# -------------------------------------------------------------- --
c.imprint = get_imprint(c.realm)
c.tokenArray = []
c.user = self.authUser.login
c.realm = self.authUser.realm
# only the defined actions should be displayed
# - remark: the generic actions like enrollTT are allready approved
# to have a rendering section and included
actions = get_selfservice_actions(self.authUser)
c.actions = actions
for action_name, action_value in actions.items():
if action_value is True:
c.__setattr__(action_name, -1)
continue
c.__setattr__(action_name, action_value)
c.dynamic_actions = add_dynamic_selfservice_enrollment(config,
c.actions)
# we require to establish all token local defined
# policies to be initialiezd
additional_policies = add_dynamic_selfservice_policies(config,
actions)
for policy in additional_policies:
c.__setattr__(policy, -1)
c.otplen = -1
c.totp_len = -1
c.pin_policy = _get_auth_PinPolicy(user=self.authUser)
except (flap.HTTPUnauthorized, flap.HTTPForbidden) as acc:
# the exception, when an abort() is called if forwarded
log.info("[__before__::%r] webob.exception %r" % (action, acc))
db.session.rollback()
raise acc
except Exception as e:
log.exception("[__before__] failed with error: %r" % e)
db.session.rollback()
return sendError(response, e, context='before')