def setPolicy(policy):
'''
define and store a policy definition
:param policy: dict with the following keys:
* name
* action
* scope
* realm
* user
* time
* client
:return: dict with the results of the stored entries
'''
ret = {}
_ = context['translate']
name = policy.get('name')
if 'active' not in policy:
policy['active'] = "True"
# check that the name does not contain any bad characters
if not PolicyNameRegex.match(name):
raise Exception(
_("The name of the policy may only contain "
"the characters a-zA-Z0-9_."))
# verify the required policy attributes
required_attributes = ['action', 'scope', 'realm']
for required_attribute in required_attributes:
if (required_attribute not in policy
or not policy[required_attribute]):
raise PolicyWarning("Missing attribute %s in "
"policy %s" % (required_attribute, name))
# before storing the policy, we have to check the impact:
# if there is a problem, we will raise an exception with a warning
_check_policy_impact(**policy)
# transpose the forwardServer policy action as it might
# contain sensitive data
policy["action"] = ForwardServerPolicy.prepare_forward(policy["action"])
attributes = [
'action', 'scope', 'realm', 'user', 'time', 'client', 'active'
]
for attr in attributes:
key = "Policy.%s.%s" % (name, attr)
value = policy[attr]
typ = ""
descr = "a policy definition"
ret[attr] = storeConfig(key, value, typ, descr)
return ret
def setPolicy(policy):
'''
define and store a policy definition
:param policy: dict with the following keys:
* name
* action
* scope
* realm
* user
* time
* client
:return: dict with the results of the stored entries
'''
ret = {}
_ = context['translate']
name = policy.get('name')
if 'active' not in policy:
policy['active'] = "True"
# check that the name does not contain any bad characters
if not PolicyNameRegex.match(name):
raise Exception(_("The name of the policy may only contain "
"the characters a-zA-Z0-9_."))
# verify the required policy attributes
required_attributes = ['action', 'scope', 'realm']
for required_attribute in required_attributes:
if (required_attribute not in policy or
not policy[required_attribute]):
raise PolicyWarning("Missing attribute %s in "
"policy %s" % (required_attribute, name))
# before storing the policy, we have to check the impact:
# if there is a problem, we will raise an exception with a warning
_check_policy_impact(**policy)
# transpose the forwardServer policy action as it might
# contain sensitive data
policy["action"] = ForwardServerPolicy.prepare_forward(policy["action"])
attributes = ['action', 'scope', 'realm', 'user',
'time', 'client', 'active']
for attr in attributes:
key = "Policy.%s.%s" % (name, attr)
value = policy[attr]
typ = ""
descr = "a policy definition"
ret[attr] = storeConfig(key, value, typ, descr)
return ret
def setPolicy(param):
'''
Function to set a policy. It expects a dict of with the following keys:
* name
* action
* scope
* realm
* user
* time
* client
'''
ret = {}
name = param.get('name')
action = param.get('action')
scope = param.get('scope')
realm = param.get('realm')
user = param.get('user')
time = param.get('time')
client = param.get('client')
active = param.get('active', "True")
# before storing the policy, we have to check the impact:
# if there is a problem, we will raise an exception with a warning
if context and 'Policies' in context:
policies = context['Policies']
else:
policies = getPolicies()
_check_policy_impact(policies=policies, **param)
action = ForwardServerPolicy.prepare_forward(action)
ret["action"] = storeConfig("Policy.%s.action" % name,
action, "", "a policy definition")
ret["scope"] = storeConfig("Policy.%s.scope" % name,
scope, "", "a policy definition")
ret["realm"] = storeConfig("Policy.%s.realm" % name,
realm, "", "a policy definition")
ret["user"] = storeConfig("Policy.%s.user" % name,
user, "", "a policy definition")
ret["time"] = storeConfig("Policy.%s.time" % name,
time, "", "a policy definition")
ret["client"] = storeConfig("Policy.%s.client" % name,
client, "", "a policy definition")
ret["active"] = storeConfig("Policy.%s.active" % name,
active, "", "a policy definition")
return ret
def setPolicy(param):
'''
Function to set a policy. It expects a dict of with the following keys:
* name
* action
* scope
* realm
* user
* time
* client
'''
ret = {}
name = param.get('name')
action = param.get('action')
scope = param.get('scope')
realm = param.get('realm')
user = param.get('user')
time = param.get('time')
client = param.get('client')
active = param.get('active', "True")
# before storing the policy, we have to check the impact:
# if there is a problem, we will raise an exception with a warning
if context and 'Policies' in context:
policies = context['Policies']
else:
policies = getPolicies()
_check_policy_impact(policies=policies, **param)
action = ForwardServerPolicy.prepare_forward(action)
ret["action"] = storeConfig("Policy.%s.action" % name, action, "",
"a policy definition")
ret["scope"] = storeConfig("Policy.%s.scope" % name, scope, "",
"a policy definition")
ret["realm"] = storeConfig("Policy.%s.realm" % name, realm, "",
"a policy definition")
ret["user"] = storeConfig("Policy.%s.user" % name, user, "",
"a policy definition")
ret["time"] = storeConfig("Policy.%s.time" % name, time, "",
"a policy definition")
ret["client"] = storeConfig("Policy.%s.client" % name, client, "",
"a policy definition")
ret["active"] = storeConfig("Policy.%s.active" % name, active, "",
"a policy definition")
return ret
def checkUserPass(self, user, passw, options=None):
"""
:param user: the to be identified user
:param passw: the identification pass
:param options: optional parameters, which are provided
to the token checkOTP / checkPass
:return: tuple of True/False and optional information
"""
# the upper layer will catch / at least should ;-)
opt = None
serial = None
resolverClass = None
uid = None
user_exists = False
if user is not None and not user.is_empty:
# the upper layer will catch / at least should
try:
(uid, _resolver, resolverClass) = getUserId(
user, check_existance=True)
user_exists = True
except Exception as _exx:
pass_on = context.get('Config').get(
'linotp.PassOnUserNotFound', False)
if pass_on and 'true' == pass_on.lower():
g.audit['action_detail'] = (
'authenticated by PassOnUserNotFound')
return (True, opt)
else:
g.audit['action_detail'] = 'User not found'
return (False, opt)
# if we have an user, check if we forward the request to another server
if user_exists and get_auth_forward_on_no_token(user) is False:
servers = get_auth_forward(user)
if servers:
res, opt = ForwardServerPolicy.do_request(servers, env,
user, passw, options)
return res, opt
# ------------------------------------------------------------------ --
th = TokenHandler()
# ------------------------------------------------------------------ --
# auto asignement with otp only if user has no active token
auto_assign_otp_return = th.auto_assign_otp_only(
otp=passw,
user=user,
options=options)
if auto_assign_otp_return is True:
return (True, None)
# ------------------------------------------------------------------ --
token_type = None
if options:
token_type = options.get('token_type', None)
# ------------------------------------------------------------------ --
# if there is a serial provided in the parameters, it overwrites the
# token selection by user
query_user = user
if options and 'serial' in options and options['serial']:
serial = options['serial']
query_user = None
# ------------------------------------------------------------------ --
tokenList = getTokens4UserOrSerial(
query_user,
serial,
token_type=token_type,
read_for_update=True
)
if len(tokenList) == 0:
g.audit['action_detail'] = 'User has no tokens assigned'
# here we check if we should to autoassign and try to do it
auto_assign_return = th.auto_assignToken(passw, user)
if auto_assign_return is True:
# We can not check the token, as the OTP value is already used!
# but we will auth the user....
return (True, opt)
auto_enroll_return, opt = th.auto_enrollToken(passw, user,
options=options)
if auto_enroll_return is True:
# we always have to return a false, as
# we have a challenge tiggered
return (False, opt)
pass_on = context.get('Config').get('linotp.PassOnUserNoToken',
False)
if pass_on and 'true' == pass_on.lower():
g.audit['action_detail'] = 'authenticated by PassOnUserNoToken'
return (True, opt)
# Check if there is an authentication policy passthru
if get_auth_passthru(user):
log.debug('user %r has no token. Checking for '
'passthru in realm %r' % (user.login, user.realm))
y = getResolverObject(resolverClass)
g.audit['action_detail'] = 'Authenticated against Resolver'
if y.checkPass(uid, passw):
return (True, opt)
# Check alternatively if there is an authentication
# policy passOnNoToken
elif get_auth_passOnNoToken(user):
log.info('user %r has not token. PassOnNoToken'
' set - authenticated!')
g.audit['action_detail'] = (
'Authenticated by passOnNoToken policy')
return (True, opt)
# if we have an user, check if we forward the request to another server
elif get_auth_forward_on_no_token(user) is True:
servers = get_auth_forward(user)
if servers:
res, opt = ForwardServerPolicy.do_request(
servers, env, user, passw, options)
return res, opt
return False, opt
if passw is None:
raise ParameterError("Missing parameter:pass", id=905)
(res, opt) = self.checkTokenList(
tokenList, passw, user, options=options)
return (res, opt)
def checkUserPass(self, user, passw, options=None):
"""
:param user: the to be identified user
:param passw: the identification pass
:param options: optional parameters, which are provided
to the token checkOTP / checkPass
:return: tuple of True/False and optional information
"""
# the upper layer will catch / at least should ;-)
opt = None
serial = None
resolverClass = None
uid = None
user_exists = False
if user:
# the upper layer will catch / at least should
try:
(uid, _resolver,
resolverClass) = getUserId(user, check_existance=True)
user_exists = True
except Exception as _exx:
pass_on = context.get("Config").get(
"linotp.PassOnUserNotFound", False)
if pass_on and pass_on.lower() == "true":
g.audit[
"action_detail"] = "authenticated by PassOnUserNotFound"
return (True, opt)
else:
g.audit["action_detail"] = "User not found"
return (False, opt)
# if we have an user, check if we forward the request to another server
if user_exists and not get_auth_forward_on_no_token(user):
servers = get_auth_forward(user)
if servers:
log.info("forwarding auth request for user {} to {}".format(
user, servers))
res, opt = ForwardServerPolicy.do_request(
servers, env, user, passw, options)
log.info("result of auth request for user {}: ({}, {})".format(
user, res, opt))
g.audit["action_detail"] = "Forwarded, result {}".format(res)
return res, opt
else:
log.info(
"NOT forwarding auth request for user {} (no servers)".
format(user))
g.audit["action_detail"] = "Not forwarded (no servers)"
else:
log.info(
"NOT forwarding auth request for user {} "
"(get_auth_forward_on_no_token returned False)".format(user))
# ------------------------------------------------------------------ --
th = TokenHandler()
# ------------------------------------------------------------------ --
# auto asignement with otp only if user has no active token
auto_assign_otp_return = th.auto_assign_otp_only(otp=passw,
user=user,
options=options)
if auto_assign_otp_return:
return (True, None)
# ------------------------------------------------------------------ --
token_type = None
if options:
token_type = options.get("token_type", None)
# ------------------------------------------------------------------ --
# if there is a serial provided in the parameters, it overwrites the
# token selection by user
query_user = user
if options and "serial" in options and options["serial"]:
serial = options["serial"]
query_user = None
# ------------------------------------------------------------------ --
tokenList = getTokens4UserOrSerial(query_user,
serial,
token_type=token_type,
read_for_update=True)
if len(tokenList) == 0:
g.audit["action_detail"] = "User has no tokens assigned"
# here we check if we should to autoassign and try to do it
auto_assign_return = th.auto_assignToken(passw, user)
if auto_assign_return:
# We can not check the token, as the OTP value is already used!
# but we will auth the user....
return (True, opt)
auto_enroll_return, opt = th.auto_enrollToken(passw,
user,
options=options)
if auto_enroll_return:
# we always have to return a false, as
# we have a challenge tiggered
return (False, opt)
pass_on = context.get("Config").get("linotp.PassOnUserNoToken",
False)
if pass_on and pass_on.lower() == "true":
g.audit["action_detail"] = "authenticated by PassOnUserNoToken"
return (True, opt)
# Check if there is an authentication policy passthru
if get_auth_passthru(user):
log.debug(
"user %r has no token. Checking for passthru in realm %r",
user.login,
user.realm,
)
y = getResolverObject(resolverClass)
g.audit["action_detail"] = "Authenticated against Resolver"
if y.checkPass(uid, passw):
return (True, opt)
# Check alternatively if there is an authentication
# policy passOnNoToken
elif get_auth_passOnNoToken(user):
log.info("user %r has not token. PassOnNoToken"
" set - authenticated!")
g.audit[
"action_detail"] = "Authenticated by passOnNoToken policy"
return (True, opt)
# if we have an user, check if we forward the request to another
# server
elif get_auth_forward_on_no_token(user):
servers = get_auth_forward(user)
if servers:
log.info(
"forwarding auth request for user {} to {}".format(
user, servers))
res, opt = ForwardServerPolicy.do_request(
servers, env, user, passw, options)
log.info(
"result of auth request for user {}: ({}, {})".format(
user, res, opt))
g.audit["action_detail"] = "Forwarded, result {}".format(
res)
return res, opt
else:
log.info(
"NOT forwarding auth request for user {} (no servers)".
format(user))
g.audit["action_detail"] = "Not forwarded (no servers)"
return False, opt
if passw is None:
raise ParameterError("Missing parameter:pass", id=905)
(res, opt) = self.checkTokenList(tokenList,
passw,
user,
options=options)
return (res, opt)
def checkUserPass(self, user, passw, options=None):
"""
:param user: the to be identified user
:param passw: the identifiaction pass
:param options: optional parameters, which are provided
to the token checkOTP / checkPass
:return: tuple of True/False and optional information
"""
log.debug('entering function checkUserPass(%r)'
% user.login)
# the upper layer will catch / at least should ;-)
opt = None
serial = None
resolverClass = None
uid = None
audit = context['audit']
user_exists = False
if user is not None and (user.isEmpty() is False):
# the upper layer will catch / at least should
try:
(uid, _resolver, resolverClass) = getUserId(user)
user_exists = True
except:
pass_on = context.get('Config').get(
'linotp.PassOnUserNotFound', False)
if pass_on and 'true' == pass_on.lower():
audit['action_detail'] = (
'authenticated by PassOnUserNotFound')
return (True, opt)
else:
audit['action_detail'] = 'User not found'
return (False, opt)
# if we have an user, check if we forward the request to another server
if user_exists:
servers = get_auth_forward(user)
if servers:
res, opt = ForwardServerPolicy.do_request(servers, env,
user, passw, options)
return res, opt
tokenList = linotp.lib.token.getTokens4UserOrSerial(user, serial)
if len(tokenList) == 0:
audit['action_detail'] = 'User has no tokens assigned'
# here we check if we should to autoassign and try to do it
log.debug('about to check auto_assigning')
th = TokenHandler()
auto_assign_return = th.auto_assignToken(passw, user)
if auto_assign_return is True:
# We can not check the token, as the OTP value is already used!
# but we will auth the user....
return (True, opt)
auto_enroll_return, opt = th.auto_enrollToken(passw, user,
options=options)
if auto_enroll_return is True:
# we always have to return a false, as
# we have a challenge tiggered
return (False, opt)
pass_on = context.get('Config').get('linotp.PassOnUserNoToken',
False)
if pass_on and 'true' == pass_on.lower():
audit['action_detail'] = 'authenticated by PassOnUserNoToken'
return (True, opt)
# Check if there is an authentication policy passthru
from linotp.lib.policy import get_auth_passthru
if get_auth_passthru(user):
log.debug('user %r has no token. Checking for '
'passthru in realm %r' % (user.login, user.realm))
y = getResolverObject(resolverClass)
audit['action_detail'] = 'Authenticated against Resolver'
if y.checkPass(uid, passw):
return (True, opt)
# Check if there is an authentication policy passOnNoToken
from linotp.lib.policy import get_auth_passOnNoToken
if get_auth_passOnNoToken(user):
log.info('user %r has not token. PassOnNoToken'
' set - authenticated!')
audit['action_detail'] = (
'Authenticated by passOnNoToken policy')
return (True, opt)
return (False, opt)
if passw is None:
raise ParameterError(u"Missing parameter:pass", id=905)
(res, opt) = self.checkTokenList(
tokenList, passw, user, options=options)
log.debug('return of __checkTokenList: %r ' % (res,))
return (res, opt)
def checkUserPass(self, user, passw, options=None):
"""
:param user: the to be identified user
:param passw: the identifiaction pass
:param options: optional parameters, which are provided
to the token checkOTP / checkPass
:return: tuple of True/False and optional information
"""
log.debug('entering function checkUserPass(%r)' % user.login)
# the upper layer will catch / at least should ;-)
opt = None
serial = None
resolverClass = None
uid = None
audit = context['audit']
user_exists = False
if user is not None and (user.isEmpty() is False):
# the upper layer will catch / at least should
try:
(uid, _resolver, resolverClass) = getUserId(user)
user_exists = True
except:
pass_on = context.get('Config').get(
'linotp.PassOnUserNotFound', False)
if pass_on and 'true' == pass_on.lower():
audit['action_detail'] = (
'authenticated by PassOnUserNotFound')
return (True, opt)
else:
audit['action_detail'] = 'User not found'
return (False, opt)
# if we have an user, check if we forward the request to another server
if user_exists:
servers = get_auth_forward(user)
if servers:
res, opt = ForwardServerPolicy.do_request(
servers, env, user, passw, options)
return res, opt
tokenList = linotp.lib.token.getTokens4UserOrSerial(user, serial)
if len(tokenList) == 0:
audit['action_detail'] = 'User has no tokens assigned'
# here we check if we should to autoassign and try to do it
log.debug('about to check auto_assigning')
th = TokenHandler()
auto_assign_return = th.auto_assignToken(passw, user)
if auto_assign_return is True:
# We can not check the token, as the OTP value is already used!
# but we will auth the user....
return (True, opt)
auto_enroll_return, opt = th.auto_enrollToken(passw,
user,
options=options)
if auto_enroll_return is True:
# we always have to return a false, as
# we have a challenge tiggered
return (False, opt)
pass_on = context.get('Config').get('linotp.PassOnUserNoToken',
False)
if pass_on and 'true' == pass_on.lower():
audit['action_detail'] = 'authenticated by PassOnUserNoToken'
return (True, opt)
# Check if there is an authentication policy passthru
from linotp.lib.policy import get_auth_passthru
if get_auth_passthru(user):
log.debug('user %r has no token. Checking for '
'passthru in realm %r' % (user.login, user.realm))
y = getResolverObject(resolverClass)
audit['action_detail'] = 'Authenticated against Resolver'
if y.checkPass(uid, passw):
return (True, opt)
# Check if there is an authentication policy passOnNoToken
from linotp.lib.policy import get_auth_passOnNoToken
if get_auth_passOnNoToken(user):
log.info('user %r has not token. PassOnNoToken'
' set - authenticated!')
audit['action_detail'] = (
'Authenticated by passOnNoToken policy')
return (True, opt)
return (False, opt)
if passw is None:
raise ParameterError(u"Missing parameter:pass", id=905)
(res, opt) = self.checkTokenList(tokenList,
passw,
user,
options=options)
log.debug('return of __checkTokenList: %r ' % (res, ))
return (res, opt)
def checkUserPass(self, user, passw, options=None):
"""
:param user: the to be identified user
:param passw: the identification pass
:param options: optional parameters, which are provided
to the token checkOTP / checkPass
:return: tuple of True/False and optional information
"""
# the upper layer will catch / at least should ;-)
opt = None
serial = None
resolverClass = None
uid = None
audit = context['audit']
user_exists = False
if user is not None and not user.is_empty:
# the upper layer will catch / at least should
try:
(uid, _resolver, resolverClass) = getUserId(
user, check_existance=True)
user_exists = True
except Exception as _exx:
pass_on = context.get('Config').get(
'linotp.PassOnUserNotFound', False)
if pass_on and 'true' == pass_on.lower():
audit['action_detail'] = (
'authenticated by PassOnUserNotFound')
return (True, opt)
else:
audit['action_detail'] = 'User not found'
return (False, opt)
# if we have an user, check if we forward the request to another server
if user_exists and get_auth_forward_on_no_token(user) is False:
servers = get_auth_forward(user)
if servers:
res, opt = ForwardServerPolicy.do_request(servers, env,
user, passw, options)
return res, opt
# ------------------------------------------------------------------ --
th = TokenHandler()
# ------------------------------------------------------------------ --
# auto asignement with otp only if user has no active token
auto_assign_otp_return = th.auto_assign_otp_only(
otp=passw,
user=user,
options=options)
if auto_assign_otp_return is True:
return (True, None)
# ------------------------------------------------------------------ --
token_type = None
if options:
token_type = options.get('token_type', None)
# ------------------------------------------------------------------ --
# if there is a serial provided in the parameters, it overwrites the
# token selection by user
query_user = user
if options and 'serial' in options and options['serial']:
serial = options['serial']
query_user = None
# ------------------------------------------------------------------ --
tokenList = getTokens4UserOrSerial(
query_user,
serial,
token_type=token_type,
read_for_update=True
)
if len(tokenList) == 0:
audit['action_detail'] = 'User has no tokens assigned'
# here we check if we should to autoassign and try to do it
auto_assign_return = th.auto_assignToken(passw, user)
if auto_assign_return is True:
# We can not check the token, as the OTP value is already used!
# but we will auth the user....
return (True, opt)
auto_enroll_return, opt = th.auto_enrollToken(passw, user,
options=options)
if auto_enroll_return is True:
# we always have to return a false, as
# we have a challenge tiggered
return (False, opt)
pass_on = context.get('Config').get('linotp.PassOnUserNoToken',
False)
if pass_on and 'true' == pass_on.lower():
audit['action_detail'] = 'authenticated by PassOnUserNoToken'
return (True, opt)
# Check if there is an authentication policy passthru
if get_auth_passthru(user):
log.debug('user %r has no token. Checking for '
'passthru in realm %r' % (user.login, user.realm))
y = getResolverObject(resolverClass)
audit['action_detail'] = 'Authenticated against Resolver'
if y.checkPass(uid, passw):
return (True, opt)
# Check alternatively if there is an authentication
# policy passOnNoToken
elif get_auth_passOnNoToken(user):
log.info('user %r has not token. PassOnNoToken'
' set - authenticated!')
audit['action_detail'] = (
'Authenticated by passOnNoToken policy')
return (True, opt)
# if we have an user, check if we forward the request to another server
elif get_auth_forward_on_no_token(user) is True:
servers = get_auth_forward(user)
if servers:
res, opt = ForwardServerPolicy.do_request(
servers, env, user, passw, options)
return res, opt
return False, opt
if passw is None:
raise ParameterError(u"Missing parameter:pass", id=905)
(res, opt) = self.checkTokenList(
tokenList, passw, user, options=options)
return (res, opt)
