def test_12_compare_value_value(self):
self.assertTrue(compare_value_value("1000", ">", "999"))
self.assertTrue(compare_value_value("ABD", ">", "ABC"))
self.assertTrue(compare_value_value(1000, "==", "1000"))
self.assertTrue(compare_value_value("99", "<", "1000"))
# compare dates
self.assertTrue(compare_value_value(
datetime.now(tzlocal()).strftime(DATE_FORMAT), ">",
"2017-01-01T10:00+0200"))
self.assertFalse(compare_value_value(
datetime.now(tzlocal()).strftime(DATE_FORMAT), "<",
"2017-01-01T10:00+0200"))
# The timestamp in 10 hours is bigger than the current time
self.assertTrue(compare_value_value(
(datetime.now(tzlocal()) + timedelta(hours=10)).strftime(DATE_FORMAT),
">", datetime.now(tzlocal()).strftime(DATE_FORMAT)))
def test_12_compare_value_value(self):
self.assertTrue(compare_value_value("1000", ">", "999"))
self.assertTrue(compare_value_value("ABD", ">", "ABC"))
self.assertTrue(compare_value_value(1000, "==", "1000"))
self.assertTrue(compare_value_value("99", "<", "1000"))
# compare dates
self.assertTrue(compare_value_value(
datetime.now(tzlocal()).strftime(DATE_FORMAT), ">",
"2017-01-01T10:00+0200"))
self.assertFalse(compare_value_value(
datetime.now(tzlocal()).strftime(DATE_FORMAT), "<",
"2017-01-01T10:00+0200"))
# The timestamp in 10 hours is bigger than the current time
self.assertTrue(compare_value_value(
(datetime.now(tzlocal()) + timedelta(hours=10)).strftime(DATE_FORMAT),
">", datetime.now(tzlocal()).strftime(DATE_FORMAT)))
def test_12_compare_value_value(self):
self.assertTrue(compare_value_value("1000", ">", "999"))
self.assertTrue(compare_value_value("ABD", ">", "ABC"))
self.assertTrue(compare_value_value(1000, "==", "1000"))
self.assertTrue(compare_value_value("99", "<", "1000"))
self.assertTrue(compare_value_value(100, '>', '10'))
self.assertTrue(compare_value_value(100, '>=', '10'))
self.assertTrue(compare_value_value("100", '=>', 10))
self.assertTrue(compare_value_value(100, '>=', '100'))
self.assertFalse(compare_value_value(100, '>=', '101'))
self.assertTrue(compare_value_value('ABC', '=', 'ABC'))
self.assertTrue(compare_value_value('ABC', '!=', 'ABD'))
self.assertTrue(compare_value_value(10, '<', '100'))
self.assertTrue(compare_value_value(10, '<=', '100'))
self.assertTrue(compare_value_value("10", '=<', 100))
self.assertTrue(compare_value_value(10, '<=', '10'))
self.assertFalse(compare_value_value(10, '<=', '9'))
# compare dates
self.assertTrue(
compare_value_value(
datetime.now(tzlocal()).strftime(DATE_FORMAT), ">",
"2017-01-01T10:00+0200"))
self.assertFalse(
compare_value_value(
datetime.now(tzlocal()).strftime(DATE_FORMAT), "<",
"2017-01-01T10:00+0200"))
# The timestamp in 10 hours is bigger than the current time
self.assertTrue(
compare_value_value((datetime.now(tzlocal()) +
timedelta(hours=10)).strftime(DATE_FORMAT),
">",
datetime.now(tzlocal()).strftime(DATE_FORMAT)))
self.assertTrue(compare_value_value('+3h', '>', ''))
self.assertFalse(
compare_value_value('2017/04/20 11:30+0200', '>',
datetime.now(tzlocal()).strftime(DATE_FORMAT)))
self.assertTrue(
compare_value_value('2020-01-15T00:00', '==',
datetime(2020, 1, 15).strftime(DATE_FORMAT)))
# unexpected result: The date string can not be parsed since dateutil.parser
# does not understand locale dates. So the strings themselves are compared
# since parse_date() returns 'None'
self.assertTrue(
compare_value_value('16. März 2020', '<',
datetime(2020, 3, 15).strftime(DATE_FORMAT)))
# check for unknown comparator
self.assertRaises(Exception, compare_value_value, 5, '~=', 5)
def check_condition(self, options):
"""
Check if all conditions are met and if the action should be executed.
The the conditions are met, we return "True"
:return: True
"""
res = True
g = options.get("g")
request = options.get("request")
response = options.get("response")
e_handler_def = options.get("handler_def")
if not response or not e_handler_def:
# options is missing a response and the handler definition
# We are probably in test mode.
return True
# conditions can be correspnding to the property conditions
conditions = e_handler_def.get("conditions")
content = json.loads(response.data)
user = self._get_tokenowner(request)
serial = request.all_data.get("serial") or \
content.get("detail", {}).get("serial")
tokenrealms = []
tokentype = None
token_obj = None
if serial:
# We have determined the serial number from the request.
token_obj_list = get_tokens(serial=serial)
else:
# We have to determine the token via the user object. But only if
# the user has only one token
token_obj_list = get_tokens(user=user)
if len(token_obj_list) == 1:
token_obj = token_obj_list[0]
tokenrealms = token_obj.get_realms()
tokentype = token_obj.get_tokentype()
if "realm" in conditions:
res = user.realm == conditions.get("realm")
if "logged_in_user" in conditions and res:
# Determine the role of the user
try:
logged_in_user = g.logged_in_user
user_role = logged_in_user.get("role")
except Exception:
# A non-logged-in-user is a User, not an admin
user_role = ROLE.USER
res = user_role == conditions.get("logged_in_user")
# Check result_value only if the check condition is still True
if "result_value" in conditions and res:
condition_value = conditions.get("result_value")
result_value = content.get("result", {}).get("value")
res = condition_value == str(result_value)
# checking of max-failcounter state of the token
if "token_locked" in conditions and res:
if token_obj:
locked = token_obj.get_failcount() >= \
token_obj.get_max_failcount()
res = (conditions.get("token_locked") in ["True", True]) == \
locked
else:
# check all tokens of the user, if any token is maxfail
token_objects = get_tokens(user=user, maxfail=True)
if not ','.join([tok.get_serial() for tok in token_objects]):
res = False
if "tokenrealm" in conditions and res and tokenrealms:
res = False
for trealm in tokenrealms:
if trealm in conditions.get("tokenrealm").split(","):
res = True
break
if "serial" in conditions and res and serial:
serial_match = conditions.get("serial")
res = bool(re.match(serial_match, serial))
if CONDITION.USER_TOKEN_NUMBER in conditions and res and user:
num_tokens = get_tokens(user=user, count=True)
res = num_tokens == int(conditions.get(
CONDITION.USER_TOKEN_NUMBER))
# Token specific conditions
if token_obj:
if CONDITION.TOKENTYPE in conditions and res:
res = False
if tokentype in conditions.get(CONDITION.TOKENTYPE).split(","):
res = True
if CONDITION.TOKEN_HAS_OWNER in conditions and res:
uid = token_obj.get_user_id()
check = conditions.get(CONDITION.TOKEN_HAS_OWNER)
if uid and check in ["True", True]:
res = True
elif not uid and check in ["False", False]:
res = True
else:
log.debug("Condition token_has_owner for token {0!r} "
"not fulfilled.".format(token_obj))
res = False
if CONDITION.TOKEN_IS_ORPHANED in conditions and res:
uid = token_obj.get_user_id()
orphaned = uid and not user
check = conditions.get(CONDITION.TOKEN_IS_ORPHANED)
if orphaned and check in ["True", True]:
res = True
elif not orphaned and check in ["False", False]:
res = True
else:
log.debug(
"Condition token_is_orphaned for token {0!r} not "
"fulfilled.".format(token_obj))
res = False
if CONDITION.TOKEN_VALIDITY_PERIOD in conditions and res:
valid = token_obj.check_validity_period()
res = (conditions.get(CONDITION.TOKEN_VALIDITY_PERIOD)
in ["True", True]) == valid
if CONDITION.OTP_COUNTER in conditions and res:
res = token_obj.token.count == \
int(conditions.get(CONDITION.OTP_COUNTER))
if CONDITION.LAST_AUTH in conditions and res:
res = not token_obj.check_last_auth_newer(
conditions.get(CONDITION.LAST_AUTH))
if CONDITION.COUNT_AUTH in conditions and res:
count = token_obj.get_count_auth()
cond = conditions.get(CONDITION.COUNT_AUTH)
res = compare_condition(cond, count)
if CONDITION.COUNT_AUTH_SUCCESS in conditions and res:
count = token_obj.get_count_auth_success()
cond = conditions.get(CONDITION.COUNT_AUTH_SUCCESS)
res = compare_condition(cond, count)
if CONDITION.COUNT_AUTH_FAIL in conditions and res:
count = token_obj.get_count_auth()
c_success = token_obj.get_count_auth_success()
c_fail = count - c_success
cond = conditions.get(CONDITION.COUNT_AUTH_FAIL)
res = compare_condition(cond, c_fail)
if CONDITION.TOKENINFO in conditions and res:
cond = conditions.get(CONDITION.TOKENINFO)
# replace {now} in condition
cond, td = parse_time_offset_from_now(cond)
s_now = (datetime.datetime.now(tzlocal()) +
td).strftime(DATE_FORMAT)
cond = cond.format(now=s_now)
if len(cond.split("==")) == 2:
key, value = [x.strip() for x in cond.split("==")]
res = compare_value_value(token_obj.get_tokeninfo(key),
"==", value)
elif len(cond.split(">")) == 2:
key, value = [x.strip() for x in cond.split(">")]
res = compare_value_value(token_obj.get_tokeninfo(key),
">", value)
elif len(cond.split("<")) == 2:
key, value = [x.strip() for x in cond.split("<")]
res = compare_value_value(token_obj.get_tokeninfo(key),
"<", value)
else:
# There is a condition, but we do not know it!
log.warning("Misconfiguration in your tokeninfo "
"condition: {0!s}".format(cond))
res = False
return res
def check_condition(self, options):
"""
Check if all conditions are met and if the action should be executed.
The the conditions are met, we return "True"
:return: True
"""
g = options.get("g")
request = options.get("request")
response = options.get("response")
e_handler_def = options.get("handler_def")
if not e_handler_def:
# options is the handler definition
return True
# conditions can be corresponding to the property conditions
conditions = e_handler_def.get("conditions")
content = self._get_response_content(response)
user = self._get_tokenowner(request)
serial = request.all_data.get("serial") or \
content.get("detail", {}).get("serial")
tokenrealms = []
tokenresolvers = []
tokentype = None
token_obj = None
if serial:
# We have determined the serial number from the request.
token_obj_list = get_tokens(serial=serial)
else:
# We have to determine the token via the user object. But only if
# the user has only one token
token_obj_list = get_tokens(user=user)
if len(token_obj_list) == 1:
# There is a token involved, so we determine it's resolvers and realms
token_obj = token_obj_list[0]
tokenrealms = token_obj.get_realms()
tokentype = token_obj.get_tokentype()
all_realms = get_realms()
for tokenrealm in tokenrealms:
resolvers = all_realms.get(tokenrealm, {}).get("resolver", {})
tokenresolvers.extend([r.get("name") for r in resolvers])
tokenresolvers = list(set(tokenresolvers))
if CONDITION.CLIENT_IP in conditions:
if g and g.client_ip:
ip_policy = [
ip.strip()
for ip in conditions.get(CONDITION.CLIENT_IP).split(",")
]
found, excluded = check_ip_in_policy(g.client_ip, ip_policy)
if not found or excluded:
return False
if CONDITION.REALM in conditions:
if user.realm != conditions.get(CONDITION.REALM):
return False
if CONDITION.RESOLVER in conditions:
if user.resolver != conditions.get(CONDITION.RESOLVER):
return False
if "logged_in_user" in conditions:
# Determine the role of the user
try:
logged_in_user = g.logged_in_user
user_role = logged_in_user.get("role")
except Exception:
# A non-logged-in-user is a User, not an admin
user_role = ROLE.USER
if user_role != conditions.get("logged_in_user"):
return False
if CONDITION.RESULT_VALUE in conditions:
condition_value = conditions.get(CONDITION.RESULT_VALUE)
result_value = content.get("result", {}).get("value")
if is_true(condition_value) != is_true(result_value):
return False
if CONDITION.RESULT_STATUS in conditions:
condition_value = conditions.get(CONDITION.RESULT_STATUS)
result_status = content.get("result", {}).get("status")
if is_true(condition_value) != is_true(result_status):
return False
# checking of max-failcounter state of the token
if "token_locked" in conditions:
if token_obj:
locked = token_obj.get_failcount() >= \
token_obj.get_max_failcount()
if (conditions.get("token_locked") in ["True", True]) != \
locked:
return False
else:
# check all tokens of the user, if any token is maxfail
token_objects = get_tokens(user=user, maxfail=True)
if not ','.join([tok.get_serial() for tok in token_objects]):
return False
if CONDITION.TOKENREALM in conditions and tokenrealms:
res = False
for trealm in tokenrealms:
if trealm in conditions.get(CONDITION.TOKENREALM).split(","):
res = True
break
if not res:
return False
if CONDITION.TOKENRESOLVER in conditions and tokenresolvers:
res = False
for tres in tokenresolvers:
if tres in conditions.get(CONDITION.TOKENRESOLVER).split(","):
res = True
break
if not res:
return False
if "serial" in conditions and serial:
serial_match = conditions.get("serial")
if not bool(re.match(serial_match, serial)):
return False
if CONDITION.USER_TOKEN_NUMBER in conditions and user:
num_tokens = get_tokens(user=user, count=True)
if num_tokens != int(conditions.get(CONDITION.USER_TOKEN_NUMBER)):
return False
if CONDITION.DETAIL_ERROR_MESSAGE in conditions:
message = content.get("detail", {}).get("error", {}).get("message")
search_exp = conditions.get(CONDITION.DETAIL_ERROR_MESSAGE)
m = re.search(search_exp, message)
if not bool(m):
return False
if CONDITION.DETAIL_MESSAGE in conditions:
message = content.get("detail", {}).get("message")
search_exp = conditions.get(CONDITION.DETAIL_MESSAGE)
m = re.search(search_exp, message)
if not bool(m):
return False
# Token specific conditions
if token_obj:
if CONDITION.TOKENTYPE in conditions:
if tokentype not in conditions.get(
CONDITION.TOKENTYPE).split(","):
return False
if CONDITION.TOKEN_HAS_OWNER in conditions:
uid = token_obj.get_user_id()
check = conditions.get(CONDITION.TOKEN_HAS_OWNER)
if uid and check in ["True", True]:
res = True
elif not uid and check in ["False", False]:
res = True
else:
log.debug("Condition token_has_owner for token {0!r} "
"not fulfilled.".format(token_obj))
return False
if CONDITION.TOKEN_IS_ORPHANED in conditions:
orphaned = token_obj.is_orphaned()
check = conditions.get(CONDITION.TOKEN_IS_ORPHANED)
if orphaned and check in ["True", True]:
res = True
elif not orphaned and check in ["False", False]:
res = True
else:
log.debug(
"Condition token_is_orphaned for token {0!r} not "
"fulfilled.".format(token_obj))
return False
if CONDITION.TOKEN_VALIDITY_PERIOD in conditions:
valid = token_obj.check_validity_period()
if (conditions.get(CONDITION.TOKEN_VALIDITY_PERIOD)
in ["True", True]) != valid:
return False
if CONDITION.OTP_COUNTER in conditions:
cond = conditions.get(CONDITION.OTP_COUNTER)
if not compare_condition(cond, token_obj.token.count):
return False
if CONDITION.LAST_AUTH in conditions:
if token_obj.check_last_auth_newer(
conditions.get(CONDITION.LAST_AUTH)):
return False
if CONDITION.COUNT_AUTH in conditions:
count = token_obj.get_count_auth()
cond = conditions.get(CONDITION.COUNT_AUTH)
if not compare_condition(cond, count):
return False
if CONDITION.COUNT_AUTH_SUCCESS in conditions:
count = token_obj.get_count_auth_success()
cond = conditions.get(CONDITION.COUNT_AUTH_SUCCESS)
if not compare_condition(cond, count):
return False
if CONDITION.COUNT_AUTH_FAIL in conditions:
count = token_obj.get_count_auth()
c_success = token_obj.get_count_auth_success()
c_fail = count - c_success
cond = conditions.get(CONDITION.COUNT_AUTH_FAIL)
if not compare_condition(cond, c_fail):
return False
if CONDITION.TOKENINFO in conditions:
cond = conditions.get(CONDITION.TOKENINFO)
# replace {now} in condition
cond, td = parse_time_offset_from_now(cond)
s_now = (datetime.datetime.now(tzlocal()) +
td).strftime(DATE_FORMAT)
cond = cond.format(now=s_now)
if len(cond.split("==")) == 2:
key, value = [x.strip() for x in cond.split("==")]
if not compare_value_value(token_obj.get_tokeninfo(key),
"==", value):
return False
elif len(cond.split(">")) == 2:
key, value = [x.strip() for x in cond.split(">")]
if not compare_value_value(token_obj.get_tokeninfo(key),
">", value):
return False
elif len(cond.split("<")) == 2:
key, value = [x.strip() for x in cond.split("<")]
if not compare_value_value(token_obj.get_tokeninfo(key),
"<", value):
return False
else:
# There is a condition, but we do not know it!
log.warning("Misconfiguration in your tokeninfo "
"condition: {0!s}".format(cond))
return False
return True
def test_12_compare_value_value(self):
self.assertTrue(compare_value_value("1000", ">", "999"))
self.assertTrue(compare_value_value("ABD", ">", "ABC"))
self.assertTrue(compare_value_value(1000, "==", "1000"))
self.assertTrue(compare_value_value("99", "<", "1000"))
def check_condition(self, options):
"""
Check if all conditions are met and if the action should be executed.
The the conditions are met, we return "True"
:return: True
"""
g = options.get("g")
request = options.get("request")
response = options.get("response")
e_handler_def = options.get("handler_def")
if not e_handler_def:
# options is the handler definition
return True
# conditions can be corresponding to the property conditions
conditions = e_handler_def.get("conditions")
content = self._get_response_content(response)
user = self._get_tokenowner(request)
serial = request.all_data.get("serial") or \
content.get("detail", {}).get("serial")
tokenrealms = []
tokentype = None
token_obj = None
if serial:
# We have determined the serial number from the request.
token_obj_list = get_tokens(serial=serial)
else:
# We have to determine the token via the user object. But only if
# the user has only one token
token_obj_list = get_tokens(user=user)
if len(token_obj_list) == 1:
token_obj = token_obj_list[0]
tokenrealms = token_obj.get_realms()
tokentype = token_obj.get_tokentype()
if "realm" in conditions:
if user.realm != conditions.get("realm"):
return False
if "logged_in_user" in conditions:
# Determine the role of the user
try:
logged_in_user = g.logged_in_user
user_role = logged_in_user.get("role")
except Exception:
# A non-logged-in-user is a User, not an admin
user_role = ROLE.USER
if user_role != conditions.get("logged_in_user"):
return False
if CONDITION.RESULT_VALUE in conditions:
condition_value = conditions.get(CONDITION.RESULT_VALUE)
result_value = content.get("result", {}).get("value")
if is_true(condition_value) != is_true(result_value):
return False
if CONDITION.RESULT_STATUS in conditions:
condition_value = conditions.get(CONDITION.RESULT_STATUS)
result_status = content.get("result", {}).get("status")
if is_true(condition_value) != is_true(result_status):
return False
# checking of max-failcounter state of the token
if "token_locked" in conditions:
if token_obj:
locked = token_obj.get_failcount() >= \
token_obj.get_max_failcount()
if (conditions.get("token_locked") in ["True", True]) != \
locked:
return False
else:
# check all tokens of the user, if any token is maxfail
token_objects = get_tokens(user=user, maxfail=True)
if not ','.join([tok.get_serial() for tok in token_objects]):
return False
if "tokenrealm" in conditions and tokenrealms:
res = False
for trealm in tokenrealms:
if trealm in conditions.get("tokenrealm").split(","):
res = True
break
if not res:
return False
if "serial" in conditions and serial:
serial_match = conditions.get("serial")
if not bool(re.match(serial_match, serial)):
return False
if CONDITION.USER_TOKEN_NUMBER in conditions and user:
num_tokens = get_tokens(user=user, count=True)
if num_tokens != int(conditions.get(
CONDITION.USER_TOKEN_NUMBER)):
return False
if CONDITION.DETAIL_ERROR_MESSAGE in conditions:
message = content.get("detail", {}).get("error", {}).get("message")
search_exp = conditions.get(CONDITION.DETAIL_ERROR_MESSAGE)
m = re.search(search_exp, message)
if not bool(m):
return False
if CONDITION.DETAIL_MESSAGE in conditions:
message = content.get("detail", {}).get("message")
search_exp = conditions.get(CONDITION.DETAIL_MESSAGE)
m = re.search(search_exp, message)
if not bool(m):
return False
# Token specific conditions
if token_obj:
if CONDITION.TOKENTYPE in conditions:
if tokentype not in conditions.get(CONDITION.TOKENTYPE).split(
","):
return False
if CONDITION.TOKEN_HAS_OWNER in conditions:
uid = token_obj.get_user_id()
check = conditions.get(CONDITION.TOKEN_HAS_OWNER)
if uid and check in ["True", True]:
res = True
elif not uid and check in ["False", False]:
res = True
else:
log.debug("Condition token_has_owner for token {0!r} "
"not fulfilled.".format(token_obj))
return False
if CONDITION.TOKEN_IS_ORPHANED in conditions:
uid = token_obj.get_user_id()
orphaned = uid and not user
check = conditions.get(CONDITION.TOKEN_IS_ORPHANED)
if orphaned and check in ["True", True]:
res = True
elif not orphaned and check in ["False", False]:
res = True
else:
log.debug("Condition token_is_orphaned for token {0!r} not "
"fulfilled.".format(token_obj))
return False
if CONDITION.TOKEN_VALIDITY_PERIOD in conditions:
valid = token_obj.check_validity_period()
if (conditions.get(CONDITION.TOKEN_VALIDITY_PERIOD)
in ["True", True]) != valid:
return False
if CONDITION.OTP_COUNTER in conditions:
if token_obj.token.count != \
int(conditions.get(CONDITION.OTP_COUNTER)):
return False
if CONDITION.LAST_AUTH in conditions:
if token_obj.check_last_auth_newer(conditions.get(
CONDITION.LAST_AUTH)):
return False
if CONDITION.COUNT_AUTH in conditions:
count = token_obj.get_count_auth()
cond = conditions.get(CONDITION.COUNT_AUTH)
if not compare_condition(cond, count):
return False
if CONDITION.COUNT_AUTH_SUCCESS in conditions:
count = token_obj.get_count_auth_success()
cond = conditions.get(CONDITION.COUNT_AUTH_SUCCESS)
if not compare_condition(cond, count):
return False
if CONDITION.COUNT_AUTH_FAIL in conditions:
count = token_obj.get_count_auth()
c_success = token_obj.get_count_auth_success()
c_fail = count - c_success
cond = conditions.get(CONDITION.COUNT_AUTH_FAIL)
if not compare_condition(cond, c_fail):
return False
if CONDITION.TOKENINFO in conditions:
cond = conditions.get(CONDITION.TOKENINFO)
# replace {now} in condition
cond, td = parse_time_offset_from_now(cond)
s_now = (datetime.datetime.now(tzlocal()) + td).strftime(
DATE_FORMAT)
cond = cond.format(now=s_now)
if len(cond.split("==")) == 2:
key, value = [x.strip() for x in cond.split("==")]
if not compare_value_value(token_obj.get_tokeninfo(key),
"==", value):
return False
elif len(cond.split(">")) == 2:
key, value = [x.strip() for x in cond.split(">")]
if not compare_value_value(token_obj.get_tokeninfo(key),
">", value):
return False
elif len(cond.split("<")) == 2:
key, value = [x.strip() for x in cond.split("<")]
if not compare_value_value(token_obj.get_tokeninfo(key),
"<", value):
return False
else:
# There is a condition, but we do not know it!
log.warning("Misconfiguration in your tokeninfo "
"condition: {0!s}".format(cond))
return False
return True
