def authenticate(self, username, password, otp=None): try: if not username and otp: user = self._user_for_otp(otp) else: user = self.auth.get_user(username) except Exception as e: if settings['use_ldap'] and settings['ldap_auto_import'] \ and ldapauth.authenticate(username, password): user = self.auth.create_user(username, None) user.attributes['_ldap_auto_imported'] = True log.info('Auto-created LDAP user: %s', username) else: log.info('Authentication failed. No such user: %s', username) raise e if user.validate_password(password): pw = 'valid password' if password else 'None (valid)' if authenticate_otp(user, otp, password): log.info( 'Authentication successful. ' 'Username: %s, password: <%s>, OTP: %s', username, pw, otp) return user else: pw = 'invalid password' if password else 'None (invalid)' # Consume the OTP even if the password was incorrect. if otp: validate_otp(otp) log.info( 'Authentication failed. Username: %s, password: <%s>, OTP: %s', username, pw, otp) raise ValueError("Invalid credentials!")
def authenticate_otp(user, otp, password=None): if otp: if settings['auto_provision'] and len(user.yubikeys) == 0: if validate_otp(otp): user.assign_yubikey(otp) return True else: return False else: return user.validate_otp(otp, password) else: return not requires_otp(user)
def assign_yubikey(self, request, yubikey, password, otp=None): client = request.environ['yubiauth.client'] user = request.environ['yubiauth.user'] try: client.authenticate(user.name, password, otp) prefix = yubikey[:-32] if not validate_otp(yubikey): return json_error('Invalid OTP for new YubiKey!') if not prefix in user.yubikeys: user.assign_yubikey(prefix) return json_response(True) except: return json_error('Invalid credentials!')
def yubikey_set_enabled(self, request, yubikey, enabled): auth_form = ReauthenticateForm(request, yubikey.prefix) if request.method == 'POST' and auth_form.validate(): user = request.environ['yubiauth.user'] # Validate otp manually as the YubiKey might be disabled if user.validate_password(auth_form.password.data) and \ validate_otp(auth_form.otp.data): yubikey.enabled = enabled return redirect(request, 'yubikey/%s' % yubikey.prefix) else: self.add_message('Invalid credentials!', 'error') return self.render(request, 'reauthenticate', yubikey=yubikey, fieldsets=[auth_form], target=request.path_info[1:])
def validate_otp(self, otp): """ Validates a YubiKey OTP (One Time Password) for the user. @param otp: The OTP to validate. @type otp: string @return: True if the OTP was valid, and from a YubiKey belonging to the user. False if not. @rtype: bool """ prefix = otp[:-32] otp_valid = validate_otp(otp) if prefix in self.yubikeys: return otp_valid and self.yubikeys[prefix].enabled return False
def register(self, username, password, otp=None, attributes=None): if not settings['registration']: raise ValueError('User registration disabled!') if attributes is None: attributes = {} validate_attributes(self.get_attributes(), attributes) if otp and not validate_otp(otp): raise ValueError('Invalid OTP!') user = self.auth.create_user(username, password) user.attributes.update(attributes) if otp: user.assign_yubikey(otp) log.info('User %s registered with attributes: %r', username, attributes) return user
def validate_otp(self, otp, password=None): """ Validates a YubiKey OTP (One Time Password) for the user. @param otp: The OTP to validate. @type otp: string @return: True if the OTP was valid, and from a YubiKey belonging to the user. False if not. @rtype: bool """ prefix = otp[:-32] otp_valid = validate_otp(otp) if settings['use_ldap'] and settings['ldap_yubikey_attr']: return otp_valid and ldapauth.validate_yubikey(self.name, password, prefix, settings['ldap_yubikey_attr']) elif prefix in self.yubikeys: return otp_valid and self.yubikeys[prefix].enabled return False
def assign_yubikey(self, request, noauth=None): assign_form = AssignYubikeyForm(request.params) auth_form = ReauthenticateForm(request) user = request.environ['yubiauth.user'] if noauth is not None or not assign_form.validate(): pass elif auth_form.validate() and auth_form.authenticate(): yubikey = assign_form.yubikey.data prefix = yubikey[:-32] if not validate_otp(yubikey): self.add_message('Invalid OTP for new YubiKey!', 'error') if not prefix in user.yubikeys: user.assign_yubikey(prefix) return redirect(request, 'manage') else: self.add_message('Invalid credentials!', 'error') return self.render(request, 'assign_yubikey', fieldsets=[assign_form, auth_form])
def validate_otp(self, otp, password=None): """ Validates a YubiKey OTP (One Time Password) for the user. @param otp: The OTP to validate. @type otp: string @return: True if the OTP was valid, and from a YubiKey belonging to the user. False if not. @rtype: bool """ prefix = otp[:-32] otp_valid = validate_otp(otp) if settings['use_ldap'] and settings['ldap_yubikey_attr']: return otp_valid and ldapauth.validate_yubikey( self, password, prefix, settings['ldap_yubikey_attr']) elif prefix in self.yubikeys: return otp_valid and self.yubikeys[prefix].enabled return False