def mangle_challenge_response(request, response): """ This policy decorator is used in the AUTH scope to decorate the /validate/check endpoint. It can modify the contents of the response "detail"->"message" to allow a better readability for a challenge response text. :param request: :param response: :return: """ if not response.is_json: # This can happen with the validate/radiuscheck endpoint return response content = response.json user_obj = request.User header_pol = Match.user(g, scope=SCOPE.AUTH, action=ACTION.CHALLENGETEXT_HEADER, user_object=user_obj).action_values( unique=True, allow_white_space_in_action=True) footer_pol = Match.user(g, scope=SCOPE.AUTH, action=ACTION.CHALLENGETEXT_FOOTER, user_object=user_obj).action_values( unique=True, allow_white_space_in_action=True) if header_pol: multi_challenge = content.get("detail", {}).get("multi_challenge") if multi_challenge: message = list(header_pol)[0] footer = "" if footer_pol: footer = list(footer_pol)[0] # We actually have challenge response messages = content.get("detail", {}).get("messages") or [] messages = sorted(set(messages)) if message[-4:].lower() in ["<ol>", "<ul>"]: for m in messages: message += u"<li>{0!s}</li>\n".format(m) else: message += "\n" message += ", ".join(messages) message += "\n" # Add the footer message += footer content["detail"]["message"] = message response.set_data(json.dumps(content)) return response
def auth_user_has_no_token(wrapped_function, user_object, passw, options=None): """ This decorator checks if the user has a token at all. If the user has a token, the wrapped function is called. The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={}) :param wrapped_function: :param user_object: :param passw: :param options: Dict containing values for "g" and "clientip" :return: Tuple of True/False and reply-dictionary """ from privacyidea.lib.token import get_tokens options = options or {} g = options.get("g") if g: pass_no_token = Match.user(g, scope=SCOPE.AUTH, action=ACTION.PASSNOTOKEN, user_object=user_object).policies(write_to_audit_log=False) if pass_no_token: # Now we need to check, if the user really has no token. tokencount = get_tokens(user=user_object, count=True) if tokencount == 0: g.audit_object.add_policy([p.get("name") for p in pass_no_token]) return True, {"message": u"user has no token, accepted due to '{!s}'".format( pass_no_token[0].get("name"))} # If nothing else returned, we return the wrapped function return wrapped_function(user_object, passw, options)
def auth_user_does_not_exist(wrapped_function, user_object, passw, options=None): """ This decorator checks, if the user does exist at all. If the user does exist, the wrapped function is called. The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={}) :param wrapped_function: :param user_object: :param passw: :param options: Dict containing values for "g" and "clientip" :return: Tuple of True/False and reply-dictionary """ options = options or {} g = options.get("g") if g: pass_no_user = Match.user(g, scope=SCOPE.AUTH, action=ACTION.PASSNOUSER, user_object=user_object).policies(write_to_audit_log=False) if pass_no_user: # Check if user object exists if not user_object.exist(): g.audit_object.add_policy([p.get("name") for p in pass_no_user]) return True, {"message": u"user does not exist, accepted due to '{!s}'".format( pass_no_user[0].get("name"))} # If nothing else returned, we return the wrapped function return wrapped_function(user_object, passw, options)
def _get_sms_text(options): """ This returns the SMSTEXT from the policy "smstext" options contains data like clientip, g, user and also the Request parameters like "challenge" or "pass". :param options: contains user and g object. :type options: dict :return: Message template :rtype: basestring """ message = "<otp>" g = options.get("g") user_object = options.get("user") if g: messages = Match.user(g, scope=SCOPE.AUTH, action=SMSACTION.SMSTEXT, user_object=user_object if user_object else None).action_values(unique=True) if len(messages) == 1: message = list(messages)[0] # Replace the {challenge}: message = message.format(challenge=options.get("challenge")) return message
def login_mode(wrapped_function, *args, **kwds): """ Decorator to decorate the lib.auth.check_webui_user function. Depending on ACTION.LOGINMODE it sets the check_otp parameter, to signal that the authentication should be performed against privacyIDEA. :param wrapped_function: Usually the function check_webui_user :param `*args`: arguments user_obj and password :param `**kwds`: keyword arguments like options and !check_otp! kwds["options"] contains the flask g :return: calls the original function with the modified "check_otp" argument """ # if tokenclass.check_pin is called in any other way, options may be None # or it might have no element "g". options = kwds.get("options") or {} g = options.get("g") if g: # We need the user but we do not need the password user_object = args[0] # get the policy login_mode_dict = Match.user(g, scope=SCOPE.WEBUI, action=ACTION.LOGINMODE, user_object=user_object).action_values(unique=True) if login_mode_dict: # There is a login mode policy if list(login_mode_dict)[0] == LOGINMODE.PRIVACYIDEA: # The original function should check against privacyidea! kwds["check_otp"] = True if list(login_mode_dict)[0] == LOGINMODE.DISABLE: # The login to the webui is disabled raise PolicyError("The login for this user is disabled.") return wrapped_function(*args, **kwds)
def challenge_response_wrapper(*args, **kwds): options = kwds.get("options", {}) g = options.get("g") token = args[0] user_object = kwds.get("user") or User() if g: allowed_tokentypes_dict = Match.user(g, scope=SCOPE.AUTH, action=ACTION.CHALLENGERESPONSE, user_object=user_object)\ .action_values(unique=False, write_to_audit_log=False) log.debug("Found these allowed tokentypes: {0!s}".format( list(allowed_tokentypes_dict))) # allowed_tokentypes_dict.keys() is a list of actions from several policies. I # could look like this: # ["tiqr hotp totp", "tiqr motp"] chal_resp_found = False for toks in allowed_tokentypes_dict: if token.get_tokentype().upper() in [ x.upper() for x in toks.split(" ") ]: # This token is allowed to to chal resp chal_resp_found = True g.audit_object.add_policy( allowed_tokentypes_dict.get(toks)) if not chal_resp_found: # No policy to allow this token to do challenge response return False f_result = func(*args, **kwds) return f_result
def reset_all_user_tokens(wrapped_function, *args, **kwds): """ Resets all tokens if the corresponding policy is set. :param token: The successful token, the tokenowner is used to find policies. :param tokenobject_list: The list of all the tokens of the user :param options: options dictionary containing g. :return: None """ tokenobject_list = args[0] options = kwds.get("options") or {} g = options.get("g") allow_reset = kwds.get("allow_reset_all_tokens") r = wrapped_function(*args, **kwds) # A successful authentication was done if r[0] and g and allow_reset: token_owner = tokenobject_list[0].user reset_all = Match.user( g, scope=SCOPE.AUTH, action=ACTION.RESETALLTOKENS, user_object=token_owner if token_owner else None).policies() if reset_all: log.debug( "Reset failcounter of all tokens of {0!s}".format(token_owner)) for tok_obj_reset in tokenobject_list: try: tok_obj_reset.reset() except Exception: log.debug("registration token does not exist anymore and " "cannot be reset.") return r
def check_tokentype(request, response): """ This policy function is to be used in a decorator of an API function. It checks, if the token, that was used in the API call is of a type that is allowed to be used. If not, a PolicyException is raised. :param response: The response of the decorated function :type response: Response object :return: A new (maybe modified) response """ tokentype = response.json.get("detail", {}).get("type") user_object = request.User allowed_tokentypes = Match.user( g, scope=SCOPE.AUTHZ, action=ACTION.TOKENTYPE, user_object=user_object).action_values(unique=False) if tokentype and allowed_tokentypes and tokentype not in allowed_tokentypes: # If we have tokentype policies, but # the tokentype is not allowed, we raise an exception g.audit_object.log({ "success": False, 'action_detail': "Tokentype {0!r} not allowed for " "authentication".format(tokentype) }) raise PolicyError("Tokentype not allowed for authentication!") return response
def is_authorized(request, response): """ This policy decorator is used in the AUTHZ scope to decorate the /validate/check and /validate/triggerchallenge endpoint. I will cause authentication to fail, if the policy authorized=deny_access is set. :param request: :param response: :return: """ if not response.is_json: # This can happen with the validate/radiuscheck endpoint return response authorized_pol = Match.user(g, scope=SCOPE.AUTHZ, action=ACTION.AUTHORIZED, user_object=request.User).action_values( unique=True, allow_white_space_in_action=True) if authorized_pol: if list(authorized_pol)[0] == AUTHORIZED.DENY: raise ValidateError( "User is not authorized to authenticate under these conditions." ) return response
def config_lost_token(wrapped_function, *args, **kwds): """ Decorator to decorate the lib.token.lost_token function. Depending on ACTION.LOSTTOKENVALID, ACTION.LOSTTOKENPWCONTENTS, ACTION.LOSTTOKENPWLEN it sets the check_otp parameter, to signal how the lostToken should be generated. :param wrapped_function: Usually the function lost_token() :param args: argument "serial" as the old serial number :param kwds: keyword arguments like "validity", "contents", "pw_len" kwds["options"] contains the flask g :return: calls the original function with the modified "validity", "contents" and "pw_len" argument """ # if called in any other way, options may be None # or it might have no element "g". from privacyidea.lib.token import get_tokens options = kwds.get("options") or {} g = options.get("g") if g: # We need the old serial number, to determine the user - if it exist. serial = args[0] toks = get_tokens(serial=serial) if len(toks) == 1: user_object = toks[0].user # get the policy contents_dict = Match.user(g, scope=SCOPE.ENROLL, action=ACTION.LOSTTOKENPWCONTENTS, user_object=user_object if user_object else None)\ .action_values(unique=True) validity_dict = Match.user(g, scope=SCOPE.ENROLL, action=ACTION.LOSTTOKENVALID, user_object=user_object if user_object else None)\ .action_values(unique=True) pw_len_dict = Match.user(g, scope=SCOPE.ENROLL, action=ACTION.LOSTTOKENPWLEN, user_object=user_object if user_object else None)\ .action_values(unique=True) if contents_dict: kwds["contents"] = list(contents_dict)[0] if validity_dict: kwds["validity"] = int(list(validity_dict)[0]) if pw_len_dict: kwds["pw_len"] = int(list(pw_len_dict)[0]) return wrapped_function(*args, **kwds)
def auth_lastauth(wrapped_function, user_or_serial, passw, options=None): """ This decorator checks the policy settings of ACTION.LASTAUTH If the last authentication stored in tokeninfo last_auth_success of a token is exceeded, the authentication is denied. The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={}) OR token.check_serial_pass with the arguments (user, passw, options={}) :param wrapped_function: either check_user_pass or check_serial_pass :param user_or_serial: either the User user_or_serial or a serial :param passw: :param options: Dict containing values for "g" and "clientip" :return: Tuple of True/False and reply-dictionary """ # First we call the wrapped function res, reply_dict = wrapped_function(user_or_serial, passw, options) options = options or {} g = options.get("g") if g and res: # in case of a serial: if isinstance(user_or_serial, User): user_object = user_or_serial serial = reply_dict.get("serial") else: # in case of a serial: user_object = None serial = user_or_serial # In case of a passthru policy we have no serial in the response # So we may only continue, if we have a serial. if serial: from privacyidea.lib.token import get_tokens try: token = get_tokens(serial=serial)[0] except IndexError: # In the special case of a registration token, # the token does not exist anymore. So we immediately return return res, reply_dict last_auth_dict = Match.user(g, scope=SCOPE.AUTHZ, action=ACTION.LASTAUTH, user_object=user_object).action_values(unique=True, write_to_audit_log=False) if len(last_auth_dict) == 1: res = token.check_last_auth_newer(list(last_auth_dict)[0]) if not res: reply_dict["message"] = "The last successful " \ "authentication was %s. " \ "It is to long ago." % \ token.get_tokeninfo(ACTION.LASTAUTH) g.audit_object.add_policy(next(iter(last_auth_dict.values()))) # set the last successful authentication, if res still true if res: token.add_tokeninfo(ACTION.LASTAUTH, datetime.datetime.now(tzlocal())) return res, reply_dict
def auth_cache(wrapped_function, user_object, passw, options=None): """ Decorate lib.token:check_user_pass. Verify, if the authentication can be found in the auth_cache. :param wrapped_function: usually "check_user_pass" :param user_object: User who tries to authenticate :param passw: The PIN and OTP :param options: Dict containing values for "g" and "clientip". :return: Tuple of True/False and reply-dictionary """ options = options or {} g = options.get("g") auth_cache_dict = None if g: auth_cache_dict = Match.user(g, scope=SCOPE.AUTH, action=ACTION.AUTH_CACHE, user_object=user_object).action_values( unique=True, write_to_audit_log=False) if auth_cache_dict: auth_times = list(auth_cache_dict)[0].split("/") # determine first_auth from policy! first_offset = parse_timedelta(auth_times[0]) first_auth = datetime.datetime.utcnow() - first_offset last_auth = first_auth # Default if no last auth exists max_auths = 0 # Default value, 0 has no effect on verification # Use auth cache when number of allowed authentications is defined if len(auth_times) == 2: if re.match(r"^\d+$", auth_times[1]): max_auths = int(auth_times[1]) else: # Determine last_auth delta from policy last_offset = parse_timedelta(auth_times[1]) last_auth = datetime.datetime.utcnow() - last_offset result = verify_in_cache(user_object.login, user_object.realm, user_object.resolver, passw, first_auth=first_auth, last_auth=last_auth, max_auths=max_auths) if result: g.audit_object.add_policy(next(iter(auth_cache_dict.values()))) return True, {"message": "Authenticated by AuthCache."} # If nothing else returned, call the wrapped function res, reply_dict = wrapped_function(user_object, passw, options) if auth_cache_dict and res: # If authentication is successful, we store the password in auth_cache add_to_cache(user_object.login, user_object.realm, user_object.resolver, passw) return res, reply_dict
def auth_otppin(wrapped_function, *args, **kwds): """ Decorator to decorate the tokenclass.check_pin function. Depending on the ACTION.OTPPIN it * either simply accepts an empty pin * checks the pin against the userstore * or passes the request to the wrapped_function :param wrapped_function: In this case the wrapped function should be :py:func:`privacyidea.lib.tokenclass.TokenClass.check_pin` :param `*args`: args[1] is the pin :param `**kwds`: kwds["options"] contains the flask g :return: True or False """ # if tokenclass.check_pin is called in any other way, options may be None # or it might have no element "g". options = kwds.get("options") or {} g = options.get("g") if g: token = args[0] pin = args[1] clientip = options.get("clientip") user_object = kwds.get("user") if not user_object: # No user in the parameters, so we need to determine the owner of # the token user_object = token.user realms = token.get_realms() if not user_object and len(realms): # if the token has not owner, we take a realm. user_object = User("", realm=realms[0]) if not user_object: # If we still have no user and no tokenrealm, we create an empty # user object. user_object = User("", realm="") # get the policy otppin_dict = Match.user( g, scope=SCOPE.AUTH, action=ACTION.OTPPIN, user_object=user_object).action_values(unique=True) if otppin_dict: if list(otppin_dict)[0] == ACTIONVALUE.NONE: if pin == "": # No PIN checking, we expect an empty PIN! return True else: return False if list(otppin_dict)[0] == ACTIONVALUE.USERSTORE: rv = user_object.check_password(pin) return rv is not None # call and return the original check_pin function return wrapped_function(*args, **kwds)
def check_verify_enrollment(request, response): """ This policy decorator is used in the ENROLL scope to decorate the /token/init If will check for action=verify_enrollment and ask the user in a 2nd step to provide information to verify, that the token was successfully enrolled. :param request: :param response: :return: """ serial = response.json.get("detail").get("serial") verify = request.all_data.get("verify") if verify: # In case we are in a 2nd step verification, we must early exit return response tokenobj_list = get_tokens(serial=serial) if len(tokenobj_list) == 1: tokenobj = tokenobj_list[0] # check if this token type can do verify enrollment if tokenobj.can_verify_enrollment: # Get policies verify_pol_dict = Match.user( g, scope=SCOPE.ENROLL, action=ACTION.VERIFY_ENROLLMENT, user_object=request.User).action_values( unique=False, allow_white_space_in_action=True, write_to_audit_log=False) # verify_pol_dict.keys() is a list of actions from several policies. It # could look like this: # ["hotp totp", "hotp email"] do_verify_enrollment = False for toks in verify_pol_dict: if tokenobj.get_tokentype().upper() in [ x.upper() for x in toks.split(" ") ]: # This token is supposed to do verify enrollment do_verify_enrollment = True g.audit_object.add_policy(verify_pol_dict.get(toks)) if do_verify_enrollment: content = response.json content["detail"][ "verify"] = tokenobj.prepare_verify_enrollment() content["detail"]["rollout_state"] = ROLLOUTSTATE.VERIFYPENDING tokenobj.token.rollout_state = ROLLOUTSTATE.VERIFYPENDING tokenobj.token.save() response.set_data(json.dumps(content)) else: log.warning("No distinct token object found in enrollment response!") return response
def add_user_detail_to_response(request, response): """ This policy decorated is used in the AUTHZ scope. If the boolean value add_user_in_response is set, the details will contain a dictionary "user" with all user details. :param request: :param response: :return: """ content = response.json # Check for ADD USER IN RESPONSE detail_pol = Match.user(g, scope=SCOPE.AUTHZ, action=ACTION.ADDUSERINRESPONSE, user_object=request.User)\ .policies(write_to_audit_log=False) if detail_pol and content.get("result", {}).get("value") and request.User: # The policy was set, we need to add the user # details ui = request.User.info.copy() ui["password"] = "" for key, value in ui.items(): if type(value) == datetime.datetime: ui[key] = str(value) content.setdefault("detail", {})["user"] = ui g.audit_object.add_policy([p.get("name") for p in detail_pol]) # Check for ADD RESOLVER IN RESPONSE detail_pol = Match.user(g, scope=SCOPE.AUTHZ, action=ACTION.ADDRESOLVERINRESPONSE, user_object=request.User)\ .policies(write_to_audit_log=False) if detail_pol and content.get("result", {}).get("value") and request.User: # The policy was set, we need to add the resolver and the realm content.setdefault("detail", {})["user-resolver"] = request.User.resolver content["detail"]["user-realm"] = request.User.realm g.audit_object.add_policy([p.get("name") for p in detail_pol]) response.set_data(json.dumps(content)) return response
def _get_auto_email(options): """ This returns the AUTOEMAIL setting. :param options: contains user and g object. :optins type: dict :return: True if an SMS should be sent automatically :rtype: bool """ autosms = False g = options.get("g") user_object = options.get("user") if g: autoemailpol = Match.user(g, scope=SCOPE.AUTH, action=EMAILACTION.EMAILAUTO, user_object=user_object).policies() autosms = len(autoemailpol) >= 1 return autosms
def _get_email_text_or_subject(options, action=EMAILACTION.EMAILTEXT, default="<otp>"): """ This returns the EMAILTEXT or EMAILSUBJECT from the policy "emailtext" or "emailsubject :param options: contains user and g object. :type options: dict :param action: The action - either emailtext or emailsubject :param default: If no policy can be found, this is the default text :return: Message template, MIME type (one of "plain", "html") :rtype: (basestring, basestring) """ message = default mimetype = "plain" g = options.get("g") user_object = options.get("user") if g: messages = Match.user(g, scope=SCOPE.AUTH, action=action, user_object=user_object if user_object else None)\ .action_values(unique=True, allow_white_space_in_action=True) if len(messages) == 1: message = list(messages)[0] message = message.format(challenge=options.get("challenge")) if message.startswith("file:"): # We read the template from the file. try: with open(message[5:], "r") as f: message = f.read() mimetype = "html" except Exception as e: # pragma: no cover message = default log.warning(u"Failed to read email template: {0!r}".format(e)) log.debug(u"{0!s}".format(traceback.format_exc())) return message, mimetype
def autoassign(request, response): """ This decorator decorates the function /validate/check. Depending on ACTION.AUTOASSIGN it checks if the user has no token and if the given OTP-value matches a token in the users realm, that is not yet assigned to any user. If a token can be found, it assigns the token to the user also taking into account ACTION.MAXTOKENUSER and ACTION.MAXTOKENREALM. :return: """ content = response.json # check, if the authentication was successful, then we need to do nothing if content.get("result").get("value") is False: user_obj = request.User #user_obj = get_user_from_param(request.all_data) password = request.all_data.get("pass", "") if user_obj.login and user_obj.realm: # If there is no user in the request (because it is a serial # authentication request) we immediately bail out # check if the policy is defined autoassign_values = Match.user(g, scope=SCOPE.ENROLL, action=ACTION.AUTOASSIGN, user_object=user_obj).action_values(unique=True, write_to_audit_log=False) # check if the user has no token if autoassign_values and get_tokens(user=user_obj, count=True) == 0: # Check if the token would match # get all unassigned tokens in the realm and look for # a matching OTP: realm_tokens = get_tokens(realm=user_obj.realm, assigned=False) for token_obj in realm_tokens: (res, pin, otp) = token_obj.split_pin_pass(password) if res: pin_check = True if list(autoassign_values)[0] == \ AUTOASSIGNVALUE.USERSTORE: # If the autoassign policy is set to userstore, # we need to check against the userstore. pin_check = user_obj.check_password(pin) if pin_check: otp_check = token_obj.check_otp(otp) if otp_check >= 0: # we found a matching token # check MAXTOKENUSER and MAXTOKENREALM check_max_token_user(request=request) check_max_token_realm(request=request) # Assign token assign_token(serial=token_obj.token.serial, user=user_obj, pin=pin) # Set the response to true content.get("result")["value"] = True # Set the serial number detail = content.setdefault("detail", {}) detail["serial"] = token_obj.token.serial detail["otplen"] = token_obj.token.otplen detail["type"] = token_obj.type detail["message"] = "Token assigned to user via Autoassignment" response.set_data(json.dumps(content)) g.audit_object.log( {"success": True, "info": "Token assigned via auto assignment", "serial": token_obj.token.serial}) # The token was assigned by autoassign. We save the first policy name g.audit_object.add_policy(next(iter(autoassign_values.values()))) break return response
def get_webui_settings(request, response): """ This decorator is used in the /auth API to add configuration information like the logout_time or the policy_template_url to the response. :param request: flask request object :param response: flask response object :return: the response """ content = response.json # check, if the authentication was successful, then we need to do nothing if content.get("result").get("status") is True: role = content.get("result").get("value").get("role") loginname = content.get("result").get("value").get("username") realm = content.get("result").get("value").get("realm") or get_default_realm() # At this point the logged in user is not necessarily a user object. It can # also be a local admin. logout_time_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.LOGOUTTIME, user=loginname, realm=realm).action_values(unique=True) timeout_action_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.TIMEOUT_ACTION, user=loginname, realm=realm).action_values(unique=True) token_page_size_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.TOKENPAGESIZE, user=loginname, realm=realm).action_values(unique=True) user_page_size_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.USERPAGESIZE, user=loginname, realm=realm).action_values(unique=True) token_wizard_2nd = bool(role == ROLE.USER and Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.TOKENWIZARD2ND, user=loginname, realm=realm).policies()) admin_dashboard = (role == ROLE.ADMIN and Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.ADMIN_DASHBOARD, user=loginname, realm=realm).any()) token_wizard = False dialog_no_token = False if role == ROLE.USER: user_obj = User(loginname, realm) user_token_num = get_tokens(user=user_obj, count=True) token_wizard_pol = Match.user(g, scope=SCOPE.WEBUI, action=ACTION.TOKENWIZARD, user_object=user_obj).any() # We also need to check, if the user has not tokens assigned. # If the user has no tokens, we run the wizard. If the user # already has tokens, we do not run the wizard. token_wizard = token_wizard_pol and (user_token_num == 0) dialog_no_token_pol = Match.user(g, scope=SCOPE.WEBUI, action=ACTION.DIALOG_NO_TOKEN, user_object=user_obj).any() dialog_no_token = dialog_no_token_pol and (user_token_num == 0) user_details_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.USERDETAILS, user=loginname, realm=realm).policies() search_on_enter = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SEARCH_ON_ENTER, user=loginname, realm=realm).policies() hide_welcome = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.HIDE_WELCOME, user=loginname, realm=realm).any() hide_buttons = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.HIDE_BUTTONS, user=loginname, realm=realm).any() default_tokentype_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.DEFAULT_TOKENTYPE, user=loginname, realm=realm).action_values(unique=True) show_seed = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_SEED, user=loginname, realm=realm).any() show_node = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_NODE, realm=realm).any() qr_ios_authenticator = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_IOS_AUTHENTICATOR, user=loginname, realm=realm).any() qr_android_authenticator = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_ANDROID_AUTHENTICATOR, user=loginname, realm=realm).any() qr_custom_authenticator_url = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_CUSTOM_AUTHENTICATOR, user=loginname, realm=realm).action_values(unique=True) qr_image_android = create_img(DEFAULT_ANDROID_APP_URL) if qr_android_authenticator else None qr_image_ios = create_img(DEFAULT_IOS_APP_URL) if qr_ios_authenticator else None qr_image_custom = create_img(list(qr_custom_authenticator_url)[0]) if qr_custom_authenticator_url else None token_page_size = DEFAULT_PAGE_SIZE user_page_size = DEFAULT_PAGE_SIZE default_tokentype = DEFAULT_TOKENTYPE if len(token_page_size_pol) == 1: token_page_size = int(list(token_page_size_pol)[0]) if len(user_page_size_pol) == 1: user_page_size = int(list(user_page_size_pol)[0]) if len(default_tokentype_pol) == 1: default_tokentype = list(default_tokentype_pol)[0] logout_time = DEFAULT_LOGOUT_TIME if len(logout_time_pol) == 1: logout_time = int(list(logout_time_pol)[0]) timeout_action = DEFAULT_TIMEOUT_ACTION if len(timeout_action_pol) == 1: timeout_action = list(timeout_action_pol)[0] policy_template_url_pol = Match.action_only(g, scope=SCOPE.WEBUI, action=ACTION.POLICYTEMPLATEURL).action_values(unique=True) policy_template_url = DEFAULT_POLICY_TEMPLATE_URL if len(policy_template_url_pol) == 1: policy_template_url = list(policy_template_url_pol)[0] indexed_preset_attribute = Match.realm(g, scope=SCOPE.WEBUI, action="indexedsecret_preset_attribute", realm=realm).action_values(unique=True) if len(indexed_preset_attribute) == 1: content["result"]["value"]["indexedsecret_preset_attribute"] = list(indexed_preset_attribute)[0] # This only works for users, because the value of the policy does not change while logged in. if role == ROLE.USER and \ Match.user(g, SCOPE.USER, "indexedsecret_force_attribute", user_obj).action_values(unique=False): content["result"]["value"]["indexedsecret_force_attribute"] = 1 content["result"]["value"]["logout_time"] = logout_time content["result"]["value"]["token_page_size"] = token_page_size content["result"]["value"]["user_page_size"] = user_page_size content["result"]["value"]["policy_template_url"] = policy_template_url content["result"]["value"]["default_tokentype"] = default_tokentype content["result"]["value"]["user_details"] = len(user_details_pol) > 0 content["result"]["value"]["token_wizard"] = token_wizard content["result"]["value"]["token_wizard_2nd"] = token_wizard_2nd content["result"]["value"]["admin_dashboard"] = admin_dashboard content["result"]["value"]["dialog_no_token"] = dialog_no_token content["result"]["value"]["search_on_enter"] = len(search_on_enter) > 0 content["result"]["value"]["timeout_action"] = timeout_action content["result"]["value"]["hide_welcome"] = hide_welcome content["result"]["value"]["hide_buttons"] = hide_buttons content["result"]["value"]["show_seed"] = show_seed content["result"]["value"]["show_node"] = get_privacyidea_node() if show_node else "" content["result"]["value"]["subscription_status"] = subscription_status() content["result"]["value"]["qr_image_android"] = qr_image_android content["result"]["value"]["qr_image_ios"] = qr_image_ios content["result"]["value"]["qr_image_custom"] = qr_image_custom response.set_data(json.dumps(content)) return response
def get_webui_settings(request, response): """ This decorator is used in the /auth API to add configuration information like the logout_time or the policy_template_url to the response. :param request: flask request object :param response: flask response object :return: the response """ content = response.json # check, if the authentication was successful, then we need to do nothing if content.get("result").get("status") is True: role = content.get("result").get("value").get("role") loginname = content.get("result").get("value").get("username") realm = content.get("result").get("value").get("realm") realm = realm or get_default_realm() logout_time_pol = Match.realm(g, scope=SCOPE.WEBUI, action=ACTION.LOGOUTTIME, realm=realm).action_values(unique=True) timeout_action_pol = Match.realm( g, scope=SCOPE.WEBUI, action=ACTION.TIMEOUT_ACTION, realm=realm).action_values(unique=True) token_page_size_pol = Match.realm( g, scope=SCOPE.WEBUI, action=ACTION.TOKENPAGESIZE, realm=realm).action_values(unique=True) user_page_size_pol = Match.realm( g, scope=SCOPE.WEBUI, action=ACTION.USERPAGESIZE, realm=realm).action_values(unique=True) token_wizard_2nd = (role == ROLE.USER and Match.realm( g, scope=SCOPE.WEBUI, action=ACTION.TOKENWIZARD2ND, realm=realm).policies()) token_wizard = False dialog_no_token = False if role == ROLE.USER: user_obj = User(loginname, realm) user_token_num = get_tokens(user=user_obj, count=True) token_wizard_pol = Match.user(g, scope=SCOPE.WEBUI, action=ACTION.TOKENWIZARD, user_object=user_obj).any() # We also need to check, if the user has not tokens assigned. # If the user has no tokens, we run the wizard. If the user # already has tokens, we do not run the wizard. token_wizard = token_wizard_pol and (user_token_num == 0) dialog_no_token_pol = Match.user(g, scope=SCOPE.WEBUI, action=ACTION.DIALOG_NO_TOKEN, user_object=user_obj).any() dialog_no_token = dialog_no_token_pol and (user_token_num == 0) user_details_pol = Match.realm(g, scope=SCOPE.WEBUI, action=ACTION.USERDETAILS, realm=realm).policies() search_on_enter = Match.realm(g, scope=SCOPE.WEBUI, action=ACTION.SEARCH_ON_ENTER, realm=realm).policies() hide_welcome = Match.realm(g, scope=SCOPE.WEBUI, action=ACTION.HIDE_WELCOME, realm=realm).any() hide_buttons = Match.realm(g, scope=SCOPE.WEBUI, action=ACTION.HIDE_BUTTONS, realm=realm).any() default_tokentype_pol = Match.realm( g, scope=SCOPE.WEBUI, action=ACTION.DEFAULT_TOKENTYPE, realm=realm).action_values(unique=True) show_seed = Match.realm(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_SEED, realm=realm).any() token_page_size = DEFAULT_PAGE_SIZE user_page_size = DEFAULT_PAGE_SIZE default_tokentype = DEFAULT_TOKENTYPE if len(token_page_size_pol) == 1: token_page_size = int(list(token_page_size_pol)[0]) if len(user_page_size_pol) == 1: user_page_size = int(list(user_page_size_pol)[0]) if len(default_tokentype_pol) == 1: default_tokentype = list(default_tokentype_pol)[0] logout_time = DEFAULT_LOGOUT_TIME if len(logout_time_pol) == 1: logout_time = int(list(logout_time_pol)[0]) timeout_action = DEFAULT_TIMEOUT_ACTION if len(timeout_action_pol) == 1: timeout_action = list(timeout_action_pol)[0] policy_template_url_pol = Match.action_only( g, scope=SCOPE.WEBUI, action=ACTION.POLICYTEMPLATEURL).action_values(unique=True) policy_template_url = DEFAULT_POLICY_TEMPLATE_URL if len(policy_template_url_pol) == 1: policy_template_url = list(policy_template_url_pol)[0] content["result"]["value"]["logout_time"] = logout_time content["result"]["value"]["token_page_size"] = token_page_size content["result"]["value"]["user_page_size"] = user_page_size content["result"]["value"]["policy_template_url"] = policy_template_url content["result"]["value"]["default_tokentype"] = default_tokentype content["result"]["value"]["user_details"] = len(user_details_pol) > 0 content["result"]["value"]["token_wizard"] = token_wizard content["result"]["value"]["token_wizard_2nd"] = token_wizard_2nd content["result"]["value"]["dialog_no_token"] = dialog_no_token content["result"]["value"]["search_on_enter"] = len( search_on_enter) > 0 content["result"]["value"]["timeout_action"] = timeout_action content["result"]["value"]["hide_welcome"] = hide_welcome content["result"]["value"]["hide_buttons"] = hide_buttons content["result"]["value"]["show_seed"] = show_seed content["result"]["value"][ "subscription_status"] = subscription_status() response.set_data(json.dumps(content)) return response
def auth_user_timelimit(wrapped_function, user_object, passw, options=None): """ This decorator checks the policy settings of ACTION.AUTHMAXSUCCESS, ACTION.AUTHMAXFAIL If the authentication was successful, it checks, if the number of allowed successful authentications is exceeded (AUTHMAXSUCCESS). If the AUTHMAXFAIL is exceed it denies even a successful authentication. The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={}) :param wrapped_function: :param user_object: :param passw: :param options: Dict containing values for "g" and "clientip" :return: Tuple of True/False and reply-dictionary """ # First we call the wrapped function res, reply_dict = wrapped_function(user_object, passw, options) options = options or {} g = options.get("g") if g: max_success_dict = Match.user(g, scope=SCOPE.AUTHZ, action=ACTION.AUTHMAXSUCCESS, user_object=user_object).action_values( unique=True, write_to_audit_log=False) max_fail_dict = Match.user(g, scope=SCOPE.AUTHZ, action=ACTION.AUTHMAXFAIL, user_object=user_object).action_values( unique=True, write_to_audit_log=False) # Check for maximum failed authentications # Always - also in case of unsuccessful authentication if len(max_fail_dict) == 1: policy_count, tdelta = parse_timelimit(list(max_fail_dict)[0]) fail_c = g.audit_object.get_count( { "user": user_object.login, "realm": user_object.realm, "action": "%/validate/check" }, success=False, timedelta=tdelta) log.debug("Checking users timelimit %s: %s " "failed authentications with /validate/check" % (list(max_fail_dict)[0], fail_c)) fail_auth_c = g.audit_object.get_count( { "user": user_object.login, "realm": user_object.realm, "info": "%loginmode=privacyIDEA%", "action": "%/auth" }, success=False, timedelta=tdelta) log.debug("Checking users timelimit %s: %s " "failed authentications with /auth" % (list(max_fail_dict)[0], fail_auth_c)) if fail_c + fail_auth_c >= policy_count: res = False reply_dict["message"] = ("Only %s failed authentications " "per %s" % (policy_count, tdelta)) g.audit_object.add_policy(next(iter(max_fail_dict.values()))) if res: # Check for maximum successful authentications # Only in case of a successful authentication if len(max_success_dict) == 1: policy_count, tdelta = parse_timelimit( list(max_success_dict)[0]) # check the successful authentications for this user succ_c = g.audit_object.get_count( { "user": user_object.login, "realm": user_object.realm, "action": "%/validate/check" }, success=True, timedelta=tdelta) log.debug("Checking users timelimit %s: %s " "successful authentications with /validate/check" % (list(max_success_dict)[0], succ_c)) succ_auth_c = g.audit_object.get_count( { "user": user_object.login, "realm": user_object.realm, "info": "%loginmode=privacyIDEA%", "action": "%/auth" }, success=True, timedelta=tdelta) log.debug("Checking users timelimit %s: %s " "successful authentications with /auth" % (list(max_success_dict)[0], succ_auth_c)) if succ_c + succ_auth_c >= policy_count: res = False reply_dict["message"] = ("Only %s successful " "authentications per %s" % (policy_count, tdelta)) return res, reply_dict
def auth_user_passthru(wrapped_function, user_object, passw, options=None): """ This decorator checks the policy settings of ACTION.PASSTHRU. If the authentication against the userstore is not successful, the wrapped function is called. The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={}) :param wrapped_function: :param user_object: :param passw: :param options: Dict containing values for "g" and "clientip" :return: Tuple of True/False and reply-dictionary """ from privacyidea.lib.token import get_tokens from privacyidea.lib.token import assign_token options = options or {} g = options.get("g") if g: policy_object = g.policy_object pass_thru = Match.user( g, scope=SCOPE.AUTH, action=ACTION.PASSTHRU, user_object=user_object).policies(write_to_audit_log=False) # We only go to passthru, if the user has no tokens! if pass_thru and get_tokens(user=user_object, count=True) == 0: # Ensure that there are no conflicting action values within the same priority policy_object.check_for_conflicts(pass_thru, "passthru") pass_thru_action = pass_thru[0].get("action").get("passthru") policy_name = pass_thru[0].get("name") if pass_thru_action in ["userstore", True]: # Now we need to check the userstore password if user_object.check_password(passw): g.audit_object.add_policy( [p.get("name") for p in pass_thru]) return True, { "message": u"against userstore due to '{!s}'".format(policy_name) } else: # We are doing RADIUS passthru log.info("Forwarding the authentication request to the radius " "server %s" % pass_thru_action) radius = get_radius(pass_thru_action) r = radius.request(radius.config, user_object.login, passw) if r: g.audit_object.add_policy( [p.get("name") for p in pass_thru]) # TODO: here we can check, if the token should be assigned. passthru_assign = Match.user( g, scope=SCOPE.AUTH, action=ACTION.PASSTHRU_ASSIGN, user_object=user_object).action_values(unique=True) messages = [] if passthru_assign: components = list(passthru_assign)[0].split(":") if len(components) >= 2: prepend_pin = components[0] == "pin" otp_length = int(components[int(prepend_pin)]) pin, otp = split_pin_pass(passw, otp_length, prepend_pin) realm_tokens = get_tokens(realm=user_object.realm, assigned=False) window = 100 if len(components) == 3: window = int(components[2]) for token_obj in realm_tokens: otp_check = token_obj.check_otp(otp, window=window) if otp_check >= 0: # We do not check any max tokens per realm or user, # since this very user currently has no token # and the unassigned token already was contained in the user's realm assign_token(serial=token_obj.token.serial, user=user_object, pin=pin) messages.append( u"autoassigned {0!s}".format( token_obj.token.serial)) break else: log.warning( "Wrong value in passthru_assign policy: {0!s}". format(passthru_assign)) messages.append( u"against RADIUS server {!s} due to '{!s}'".format( pass_thru_action, policy_name)) return True, {'message': ",".join(messages)} # If nothing else returned, we return the wrapped function return wrapped_function(user_object, passw, options)
def check_otp(self, otpval, counter=None, window=None, options=None): """ This checks the response of a previous challenge. :param otpval: N/A :param counter: The authentication counter :param window: N/A :param options: contains "clientdata", "signaturedata" and "transaction_id" :return: A value > 0 in case of success """ ret = -1 clientdata = options.get("clientdata") signaturedata = options.get("signaturedata") transaction_id = options.get("transaction_id") # The challenge in the challenge DB object is saved in hex challenge = binascii.unhexlify(options.get("challenge", "")) if clientdata and signaturedata and transaction_id and challenge: # This is a valid response for a U2F token challenge_url = url_encode(challenge) clientdata = url_decode(clientdata) clientdata_dict = json.loads(to_unicode(clientdata)) client_challenge = clientdata_dict.get("challenge") if challenge_url != client_challenge: return ret if clientdata_dict.get("typ") != "navigator.id.getAssertion": raise ValidateError("Incorrect navigator.id") #client_origin = clientdata_dict.get("origin") signaturedata = url_decode(signaturedata) signaturedata_hex = hexlify_and_unicode(signaturedata) user_presence, counter, signature = parse_response_data( signaturedata_hex) user_pub_key = self.get_tokeninfo("pubKey") app_id = self.get_tokeninfo("appId") if check_response(user_pub_key, app_id, clientdata, hexlify_and_unicode(signature), counter, user_presence): # Signature verified. # check, if the counter increased! if counter > self.get_otp_count(): self.set_otp_count(counter) ret = counter # At this point we can check, if the attestation # certificate is authorized. # If not, we can raise a policy exception if not attestation_certificate_allowed( { "attestation_issuer": self.get_tokeninfo("attestation_issuer"), "attestation_serial": self.get_tokeninfo("attestation_serial"), "attestation_subject": self.get_tokeninfo("attestation_subject") }, Match.user(options.get("g"), scope=SCOPE.AUTHZ, action=U2FACTION.REQ, user_object=self.user if self.user else None).action_values(unique=False)): log.warning( "The U2F device {0!s} is not allowed to authenticate due to policy restriction" .format(self.token.serial)) raise PolicyError("The U2F device is not allowed " "to authenticate due to policy " "restriction.") else: log.warning("The signature of %s was valid, but contained " "an old counter." % self.token.serial) else: log.warning("Checking response for token {0!s} failed.".format( self.token.serial)) return ret
def check(): """ check the authentication for a user or a serial number. Either a ``serial`` or a ``user`` is required to authenticate. The PIN and OTP value is sent in the parameter ``pass``. In case of successful authentication it returns ``result->value: true``. In case of a challenge response authentication a parameter ``exception=1`` can be passed. This would result in a HTTP 500 Server Error response if an error occurred during sending of SMS or Email. In case ``/validate/radiuscheck`` is requested, the responses are modified as follows: A successful authentication returns an empty HTTP 204 response. An unsuccessful authentication returns an empty HTTP 400 response. Error responses are the same responses as for the ``/validate/check`` endpoint. :param serial: The serial number of the token, that tries to authenticate. :param user: The loginname/username of the user, who tries to authenticate. :param realm: The realm of the user, who tries to authenticate. If the realm is omitted, the user is looked up in the default realm. :param pass: The password, that consists of the OTP PIN and the OTP value. :param otponly: If set to 1, only the OTP value is verified. This is used in the management UI. Only used with the parameter serial. :param transaction_id: The transaction ID for a response to a challenge request :param state: The state ID for a response to a challenge request :return: a json result with a boolean "result": true **Example Validation Request**: .. sourcecode:: http POST /validate/check HTTP/1.1 Host: example.com Accept: application/json user=user realm=realm1 pass=s3cret123456 **Example response** for a successful authentication: .. sourcecode:: http HTTP/1.1 200 OK Content-Type: application/json { "detail": { "message": "matching 1 tokens", "serial": "PISP0000AB00", "type": "spass" }, "id": 1, "jsonrpc": "2.0", "result": { "status": true, "value": true }, "version": "privacyIDEA unknown" } **Example response** for this first part of a challenge response authentication: .. sourcecode:: http HTTP/1.1 200 OK Content-Type: application/json { "detail": { "serial": "PIEM0000AB00", "type": "email", "transaction_id": "12345678901234567890", "multi_challenge: [ {"serial": "PIEM0000AB00", "transaction_id": "12345678901234567890", "message": "Please enter otp from your email"}, {"serial": "PISM12345678", "transaction_id": "12345678901234567890", "message": "Please enter otp from your SMS"} ] }, "id": 1, "jsonrpc": "2.0", "result": { "status": true, "value": false }, "version": "privacyIDEA unknown" } In this example two challenges are triggered, one with an email and one with an SMS. The application and thus the user has to decide, which one to use. They can use either. .. note:: All challenge response tokens have the same transaction_id in this case. """ user = request.User serial = getParam(request.all_data, "serial") password = getParam(request.all_data, "pass", required) otp_only = getParam(request.all_data, "otponly") options = {"g": g, "clientip": g.client_ip} # Add all params to the options for key, value in request.all_data.items(): if value and key not in ["g", "clientip"]: options[key] = value allowed_tokentypes = Match.user( g, scope=SCOPE.AUTHZ, action=ACTION.TOKENTYPE, user_object=user).action_values(unique=False) if allowed_tokentypes: options["type"] = allowed_tokentypes g.audit_object.log({ "user": user.login, "resolver": user.resolver, "realm": user.realm }) if serial: if user: # check if the given token belongs to the user if not get_tokens(user=user, serial=serial, count=True): raise ParameterError( 'Given serial does not belong to given user!') if not otp_only: result, details = check_serial_pass(serial, password, options=options) else: result, details = check_otp(serial, password) else: result, details = check_user_pass(user, password, options=options) g.audit_object.log({ "info": log_used_user(user, details.get("message")), "success": result, "serial": serial or details.get("serial"), "token_type": details.get("type") }) return send_result(result, details=details)
def trigger_challenge(): """ An administrator can call this endpoint if he has the right of ``triggerchallenge`` (scope: admin). He can pass a ``user`` name and or a ``serial`` number. privacyIDEA will trigger challenges for all native challenges response tokens, possessed by this user or only for the given serial number. The request needs to contain a valid PI-Authorization header. :param user: The loginname/username of the user, who tries to authenticate. :param realm: The realm of the user, who tries to authenticate. If the realm is omitted, the user is looked up in the default realm. :param serial: The serial number of the token. :return: a json result with a "result" of the number of matching challenge response tokens **Example response** for a successful triggering of challenge: .. sourcecode:: http {"jsonrpc": "2.0", "signature": "1939...146964", "detail": {"transaction_ids": ["03921966357577766962"], "messages": ["Enter the OTP from the SMS:"], "threadid": 140422378276608}, "versionnumber": "unknown", "version": "privacyIDEA unknown", "result": {"status": true, "value": 1}, "time": 1482223663.517212, "id": 1} **Example response** for response, if the user has no challenge token: .. sourcecode:: http {"detail": {"messages": [], "threadid": 140031212377856, "transaction_ids": []}, "id": 1, "jsonrpc": "2.0", "result": {"status": true, "value": 0}, "signature": "205530282...54508", "time": 1484303812.346576, "version": "privacyIDEA 2.17", "versionnumber": "2.17"} **Example response** for a failed triggering of a challenge. In this case the ``status`` will be ``false``. .. sourcecode:: http {"detail": null, "id": 1, "jsonrpc": "2.0", "result": {"error": {"code": 905, "message": "ERR905: The user can not be found in any resolver in this realm!"}, "status": false}, "signature": "14468...081555", "time": 1484303933.72481, "version": "privacyIDEA 2.17"} """ user = request.User serial = getParam(request.all_data, "serial") details = {"messages": [], "transaction_ids": []} options = {"g": g, "clientip": g.client_ip, "user": user} allowed_tokentypes = Match.user( g, scope=SCOPE.AUTHZ, action=ACTION.TOKENTYPE, user_object=user).action_values(unique=False) token_objs = get_tokens(tokentype=allowed_tokentypes, serial=serial, user=user, active=True, revoked=False, locked=False) # Only use the tokens, that are allowed to do challenge response chal_resp_tokens = [ token_obj for token_obj in token_objs if "challenge" in token_obj.mode ] create_challenges_from_tokens(chal_resp_tokens, details, options) result_obj = len(details.get("multi_challenge")) challenge_serials = [ challenge_info["serial"] for challenge_info in details["multi_challenge"] ] g.audit_object.log({ "user": user.login, "resolver": user.resolver, "realm": user.realm, "success": result_obj > 0, "info": log_used_user(user, "triggered {0!s} challenges".format(result_obj)), "serial": ",".join(challenge_serials), }) return send_result(result_obj, details=details)