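def __after__(self, action,):
    '''
    Finish the audit record after a selfservice action and return ``response``.

    For the ``selfservice/index`` action the audited user/realm is taken
    from the request context: in self-test mode from the ``selftest_user``
    parameter (``user@realm``), falling back to ``REMOTE_USER`` resolved
    through ``getAllUserRealms``; otherwise ``c.user``/``c.realm`` are used
    as ``__before__`` left them. A ``serial`` request parameter is copied
    into the audit entry together with its token type.

    :param action: name of the controller action that just ran (only used
        in log messages)
    :return: the current ``response``; on an unexpected exception the DB
        session is rolled back and a ``sendError`` response is returned
    :raises webob.exc.HTTPUnauthorized: re-raised after a session rollback
        so an ``abort(401)`` raised earlier in the request reaches the client
    '''
    param = request.params
    try:
        if c.audit['action'] in ['selfservice/index']:
            if isSelfTest():
                log.debug("[__after__] Doing selftest!")
                suser = getParam(param, "selftest_user", True)
                if suser is not None:
                    # "user@realm": rpartition keeps any '@' inside the user part
                    (c.user, _, c.realm) = suser.rpartition('@')
                else:
                    # no test user given: fall back to the web server identity
                    c.realm = ""
                    c.user = "******"
                    uuser = request.environ.get('REMOTE_USER')
                    realms = getAllUserRealms(User(uuser, "", ""))
                    if realms:
                        c.user = uuser
                        c.realm = realms[0]
            log.debug("[__after__] authenticating as %s in realm %s!" % (c.user, c.realm))
            c.audit['user'] = c.user
            c.audit['realm'] = c.realm

        # NOTE(review): recorded unconditionally, overwriting whatever the
        # action itself stored in c.audit['success'] -- confirm that is intended.
        c.audit['success'] = True
        if 'serial' in param:
            c.audit['serial'] = param['serial']
            c.audit['token_type'] = getTokenType(param['serial'])
        audit.log(c.audit)
        return response

    except webob.exc.HTTPUnauthorized as acc:
        # raised by abort(401): roll back and forward the 401 unchanged
        log.error("[__after__::%r] webob.exception %r" % (action, acc))
        log.error("[__after__] %s" % traceback.format_exc())
        Session.rollback()
        Session.close()
        raise acc
    except Exception as e:
        log.error("[__after__] failed with error: %r" % e)
        log.error("[__after__] %s" % traceback.format_exc())
        Session.rollback()
        Session.close()
        return sendError(response, e, context='after')
    finally:
        log.debug('[__after__] done')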
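def __before__(self, action):
    '''
    Authenticate the caller before any selfservice action runs.

    Every selfservice action requires an authenticated user; this hook is
    executed before any other function in this controller. It initializes
    the audit record, resolves the caller, validates the selfservice
    session and populates ``c`` with the data the templates need.

    Identity resolution:

    * self-test mode (``isSelfTest()``): user and realm come from the
      ``selftest_user`` parameter (``user@realm``), else from
      ``REMOTE_USER`` split the same way;
    * otherwise the web server (WebAuth) must have set ``REMOTE_USER``;
      a missing value is rejected with 401. The realm is the first one
      ``getAllUserRealms`` reports for that login, and two cookies are
      issued: ``linotp_selfservice`` (lifetime bounded by
      ``WEBAUTH_TOKEN_EXPIRATION``) and ``userauthcookie`` (built by
      ``create_auth_cookie``).

    After that ``check_selfservice_session`` must accept the request, or
    the attempt is audited as "session expired" and rejected with 401.
    Finally ``c.imprint``, ``c.tokenArray``, ``c.actions``,
    ``c.dynamic_actions`` and one attribute per ``name=value`` policy are
    set on ``c``.

    :param action: name of the action about to run (log messages only)
    :return: the current ``response``; on an unexpected exception the DB
        session is rolled back and a ``sendError`` response is returned
    :raises webob.exc.HTTPUnauthorized: re-raised after a session rollback
        for every ``abort(401)`` above
    '''
    try:
        param = request.params

        audit.initialize()
        c.audit['success'] = False
        c.audit['client'] = get_client()
        c.version = get_version()
        c.licenseinfo = get_copyright_info()

        if isSelfTest():
            log.debug("[__before__] Doing selftest!")
            uuser = getParam(param, "selftest_user", True)
            if uuser is not None:
                (c.user, _, c.realm) = uuser.rpartition('@')
            else:
                c.realm = ""
                c.user = "******"
                uuser = request.environ.get('REMOTE_USER')
                if uuser is not None:
                    (c.user, _, c.realm) = uuser.rpartition('@')
            self.authUser = User(c.user, c.realm, '')
            log.debug("[__before__] authenticating as %s in realm %s!" % (c.user, c.realm))
        else:
            # WebAuth, not LinOTP, performs the login: the web server is
            # trusted to set REMOTE_USER only for an authenticated user.
            identity = request.environ.get('REMOTE_USER')
            if identity is None:
                abort(401, "You are not authenticated")
            c.user = identity

            # Take the first realm the user resolves in; tokens are
            # realm-independent, so which one is not important.
            # NOTE(review): an identity that resolves in no realm proceeds
            # with an empty realm instead of being rejected -- consider
            # abort(401) here.
            c.realm = ""
            realms = getAllUserRealms(User(identity, "", ""))
            if realms:
                c.realm = realms[0]
            self.authUser = User(c.user, c.realm, '')

            # Bound the selfservice cookie by the remaining WebAuth token
            # lifetime. A missing or non-numeric WEBAUTH_TOKEN_EXPIRATION
            # raises here and ends in the generic handler below.
            expiration = request.environ.get('WEBAUTH_TOKEN_EXPIRATION')
            age = int(expiration) - time.time()
            # NOTE(review): the cookie value is the literal string
            # 'REMOTE_USER', not the identity; presumably only its presence
            # matters to check_selfservice_session -- verify.
            response.set_cookie('linotp_selfservice', 'REMOTE_USER', max_age=int(age))

            self.client = get_client()
            authcookie = create_auth_cookie(config, identity, self.client)
            # NOTE(review): max_age=360*24 is 8640 seconds (2.4 hours);
            # confirm that is the intended lifetime. Neither cookie is set
            # with secure/httponly -- add both if the service is HTTPS-only.
            response.set_cookie('userauthcookie', authcookie, max_age=360*24)

        log.debug("[__before__] set the self.authUser to: %s, %s " % (self.authUser.login, self.authUser.realm))
        log.debug('[__before__] param for action %s: %s' % (action, param))

        # NOTE(review): only a literal False is rejected here; a None return
        # from the helper would pass -- verify it never returns None.
        if (False == check_selfservice_session(request.url, request.path, request.cookies, request.params)):
            c.audit['action'] = request.path[1:]
            c.audit['info'] = "session expired"
            audit.log(c.audit)
            abort(401, "No valid session")

        c.imprint = get_imprint(c.realm)
        c.tokenArray = []
        c.user = self.authUser.login
        c.realm = self.authUser.realm
        c.tokenArray = getTokenForUser(self.authUser)

        # Only policy-approved actions are rendered; generic actions such as
        # enrollTT are already approved with a rendering section included.
        # "name=value" policies additionally become attributes on c, with
        # numeric values converted so the templates' JavaScript can use them.
        actions = getSelfserviceActions(self.authUser)
        c.actions = actions
        for policy in actions:
            if "=" in policy:
                # split once so a value containing '=' is kept intact
                (name, val) = policy.split('=', 1)
                val = val.strip()
                try:
                    nval = int(val)
                except ValueError:
                    nval = val
                setattr(c, name.strip(), nval)

        c.dynamic_actions = add_dynamic_selfservice_enrollment(config, c.actions)

        # token-local policies must exist on c (as -1) even when not set
        additional_policies = add_dynamic_selfservice_policies(config, actions)
        for policy in additional_policies:
            setattr(c, policy, -1)

        c.otplen = -1
        c.totp_len = -1

        return response

    except webob.exc.HTTPUnauthorized as acc:
        # raised by abort(401) above: roll back and forward the 401 unchanged
        log.info("[__before__::%r] webob.exception %r" % (action, acc))
        log.info("[__before__] %s" % traceback.format_exc())
        Session.rollback()
        Session.close()
        raise acc
    except Exception as e:
        log.error("[__before__] failed with error: %r" % e)
        log.error("[__before__] %s" % traceback.format_exc())
        Session.rollback()
        Session.close()
        return sendError(response, e, context='before')
    finally:
        log.debug('[__before__] done')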