def check_base_action(request=None, action=None, anonymous=False):
"""
This decorator function takes the request and verifies the given action
for the SCOPE ADMIN or USER.
:param request:
:param action:
:param anonymous: If set to True, the user data is taken from the request
parameters.
:return: True otherwise raises an Exception
"""
ERROR = {"user": "******"
"allowed!" % action,
"admin": "Admin actions are defined, but the action %s is not "
"allowed!" % action}
params = request.all_data
policy_object = g.policy_object
username = g.logged_in_user.get("username")
role = g.logged_in_user.get("role")
scope = SCOPE.ADMIN
admin_realm = g.logged_in_user.get("realm")
realm = None
resolver = None
if role == ROLE.USER:
scope = SCOPE.USER
# Reset the admin realm
admin_realm = None
realm = realm or g.logged_in_user.get("realm")
# In certain cases we can not resolve the user by the serial!
if action not in [ACTION.AUDIT]:
realm = params.get("realm")
if type(realm) == list and len(realm) == 1:
realm = realm[0]
resolver = params.get("resolver")
# get the realm by the serial:
if not realm and params.get("serial"):
realm = get_realms_of_token(params.get("serial"),
only_first_realm=True)
# get the realm by the serial, while the serial is part of the URL like
# DELETE /token/serial
if not realm and request.view_args and request.view_args.get("serial"):
realm = get_realms_of_token(request.view_args.get("serial"),
only_first_realm=True)
action = policy_object.get_policies(action=action,
user=username,
realm=realm,
scope=scope,
resolver=resolver,
client=g.client_ip,
adminrealm=admin_realm,
active=True)
action_at_all = policy_object.get_policies(scope=scope,
active=True,
all_times=True)
if action_at_all and len(action) == 0:
raise PolicyError(ERROR.get(role))
return True
def test_16_set_realms(self):
serial = "NEWREALM01"
tokenobject = init_token({"serial": serial,
"otpkey": "1234567890123456"})
realms = get_realms_of_token(serial)
self.assertTrue(realms == [], "%s" % realms)
rnum = set_realms(serial, [self.realm1])
self.assertTrue(rnum == 1, rnum)
realms = get_realms_of_token(serial)
self.assertTrue(realms == [self.realm1], "%s" % realms)
remove_token(serial=serial)
realms = get_realms_of_token(serial)
self.assertTrue(realms == [], "%s" % realms)
def test_16_set_realms(self):
serial = "NEWREALM01"
tokenobject = init_token({
"serial": serial,
"otpkey": "1234567890123456"
})
realms = get_realms_of_token(serial)
self.assertTrue(realms == [], "%s" % realms)
rnum = set_realms(serial, [self.realm1])
self.assertTrue(rnum == 1, rnum)
realms = get_realms_of_token(serial)
self.assertTrue(realms == [self.realm1], "%s" % realms)
remove_token(serial=serial)
realms = get_realms_of_token(serial)
self.assertTrue(realms == [], "%s" % realms)
def save_pin_change(request, response, serial=None):
"""
This policy function checks if the next_pin_change date should be
stored in the tokeninfo table.
1. Check scope:enrollment and
ACTION.CHANGE_PIN_FIRST_USE.
This action is used, when the administrator enrolls a token or sets a PIN
2. Check scope:enrollment and
ACTION.CHANGE_PIN_EVERY is used, if the user changes the PIN.
This function decorates /token/init and /token/setpin. The parameter
"pin" and "otppin" is investigated.
:param request:
:param action:
:return:
"""
policy_object = g.policy_object
serial = serial or request.all_data.get("serial")
if not serial:
# No serial in request, so we look into the response
serial = response.json.get("detail", {}).get("serial")
if not serial:
log.error("Can not determine serial number. Have no idea of any "
"realm!")
else:
# Determine the realm by the serial
realm = get_realms_of_token(serial, only_first_realm=True)
realm = realm or get_default_realm()
if g.logged_in_user.get("role") == ROLE.ADMIN:
pinpol = Match.realm(g, scope=SCOPE.ENROLL, action=ACTION.CHANGE_PIN_FIRST_USE,
realm=realm).policies()
if pinpol:
token = get_one_token(serial=serial)
token.set_next_pin_change(diff="0d")
elif g.logged_in_user.get("role") == ROLE.USER:
# Check for parameter "pin" or "otppin".
otppin = request.all_data.get("otppin")
pin = request.all_data.get("pin")
# The user sets a pin or enrolls a token. -> delete the pin_change
if otppin or pin:
token = get_one_token(serial=serial)
token.del_tokeninfo("next_pin_change")
# If there is a change_pin_every policy, we need to set the PIN
# anew.
pinpol = Match.realm(g, scope=SCOPE.ENROLL, action=ACTION.CHANGE_PIN_EVERY,
realm=realm).action_values(unique=True)
if pinpol:
token = get_one_token(serial=serial)
token.set_next_pin_change(diff=list(pinpol)[0])
# we do not modify the response!
return response
def check_base_action(request=None, action=None, anonymous=False):
"""
This decorator function takes the request and verifies the given action
for the SCOPE ADMIN or USER.
:param request:
:param action:
:param anonymous: If set to True, the user data is taken from the request
parameters.
:return: True otherwise raises an Exception
"""
ERROR = {
"user":
"******"
"allowed!" % action,
"admin":
"Admin actions are defined, but the action %s is not "
"allowed!" % action
}
params = request.all_data
policy_object = g.policy_object
username = g.logged_in_user.get("username")
role = g.logged_in_user.get("role")
scope = SCOPE.ADMIN
admin_realm = g.logged_in_user.get("realm")
realm = params.get("realm")
if type(realm) == list and len(realm) == 1:
realm = realm[0]
if role == "user":
scope = SCOPE.USER
# Reset the admin realm
admin_realm = None
# get the realm by the serial:
if params.get("serial") and not realm:
realms = get_realms_of_token(params.get("serial"))
if realms:
realm = realms[0]
else:
realm = None
action = policy_object.get_policies(action=action,
user=username,
realm=realm,
scope=scope,
client=g.client_ip,
adminrealm=admin_realm,
active=True)
action_at_all = policy_object.get_policies(scope=scope,
active=True,
all_times=True)
if action_at_all and len(action) == 0:
raise PolicyError(ERROR.get(role))
return True
def test_38_autoassign(self):
user = User("autoassignuser", realm=self.realm1)
tokenobject = init_token({"serial": "AUTO001", "type": "hotp",
"otpkey": self.otpkey,
"realm": self.realm1})
tokenobject = init_token({"serial": "AUTO002", "type": "hotp",
"otpkey": "1234",
"realm": self.realm1})
realms = get_realms_of_token("AUTO001")
# The token is in realm1
self.assertTrue(self.realm1 in realms, realms)
realms = get_realms_of_token("AUTO002")
# The token is in realm1
self.assertTrue(self.realm1 in realms, realms)
# Authentication by autoassign fails due to wrong password
r, reply_dict = auto_assign_token(user, "wrong287082")
# Nevertheless the 287082 is void, now!
self.assertFalse(r)
self.assertTrue("failed to authenticate against userstore"
in reply_dict.get("message"), reply_dict)
# Authentication by autoassign
r, reply_dict = auto_assign_token(user, "test399871")
self.assertTrue(r, (r, reply_dict))
# Token is assigned
self.assertTrue(get_tokens(user=user, count=True) == 1, get_tokens(
user=user))
# Normal authentication
r = check_user_pass(user, "test520489")
self.assertTrue(r)
# Now try to assign a new token to the user, which will not work,
# as autoassignment only works for users, who have NO token.
r, reply_dict = auto_assign_token(user, "test287082")
# Autoassignment fails
self.assertFalse(r)
def check_base_action(request=None, action=None, anonymous=False):
"""
This decorator function takes the request and verifies the given action
for the SCOPE ADMIN or USER.
:param request:
:param action:
:param anonymous: If set to True, the user data is taken from the request
parameters.
:return: True otherwise raises an Exception
"""
ERROR = {"user": "******"
"allowed!" % action,
"admin": "Admin actions are defined, but the action %s is not "
"allowed!" % action}
params = request.all_data
policy_object = g.policy_object
username = g.logged_in_user.get("username")
role = g.logged_in_user.get("role")
scope = SCOPE.ADMIN
admin_realm = g.logged_in_user.get("realm")
realm = params.get("realm")
if type(realm) == list and len(realm) == 1:
realm = realm[0]
if role == "user":
scope = SCOPE.USER
# Reset the admin realm
admin_realm = None
realm = realm or g.logged_in_user.get("realm")
# get the realm by the serial:
if params.get("serial") and not realm:
realms = get_realms_of_token(params.get("serial"))
if realms:
realm = realms[0]
else:
realm = None
action = policy_object.get_policies(action=action,
user=username,
realm=realm,
scope=scope,
client=g.client_ip,
adminrealm=admin_realm,
active=True)
action_at_all = policy_object.get_policies(scope=scope,
active=True,
all_times=True)
if action_at_all and len(action) == 0:
raise PolicyError(ERROR.get(role))
return True
def test_01_set_tokenrealm(self):
# setup realms
self.setUp_user_realms()
self.setUp_user_realm2()
init_token({"serial": "SPASS01", "type": "spass"})
g = FakeFlaskG()
audit_object = FakeAudit()
audit_object.audit_data["serial"] = "SPASS01"
g.logged_in_user = {"user": "******", "role": "admin", "realm": ""}
g.audit_object = audit_object
builder = EnvironBuilder(method='POST',
data={'serial': "SPASS01"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"serial": "SPASS01", "type": "spass"}
resp = Response()
resp.data = """{"result": {"value": true}}"""
# Now the initiailized token will be set in realm2
options = {
"g": g,
"request": req,
"response": resp,
"handler_def": {
"options": {
"realm": "realm2"
}
}
}
t_handler = TokenEventHandler()
res = t_handler.do(ACTION_TYPE.SET_TOKENREALM, options=options)
self.assertTrue(res)
# Check if the token is contained in realm2
realms = get_realms_of_token("SPASS01")
self.assertTrue("realm2" in realms)
remove_token("SPASS01")
def check_base_action(request=None, action=None):
"""
This decorator function takes the request and verifies the given action
for the SCOPE ADMIN or USER.
:param req:
:param action:
:return: True otherwise raises an Exception
"""
ERROR = {"user": "******"
"allowed!",
"admin": "Admin actions are defined, but this action is not "
"allowed!"}
params = request.all_data
policy_object = g.policy_object
username = g.logged_in_user.get("username")
role = g.logged_in_user.get("role")
scope = SCOPE.ADMIN
admin_realm = g.logged_in_user.get("realm")
if role == "user":
scope = SCOPE.USER
# Reset the admin realm
admin_realm = None
# get the realm by the serial:
realm = params.get("realm")
if params.get("serial") and not realm:
realms = get_realms_of_token(params.get("serial"))
if len(realms) > 0:
realm = realms[0]
else:
realm = None
action = policy_object.get_policies(action=action,
user=username,
realm=realm,
scope=scope,
client=request.remote_addr,
adminrealm=admin_realm,
active=True)
action_at_all = policy_object.get_policies(scope=scope,
active=True)
if len(action_at_all) and len(action) == 0:
raise PolicyError(ERROR.get(role))
return True
def test_06_get_realms_of_token(self):
# Return a list of realmnames for a token
self.assertTrue(get_realms_of_token("hotptoken") == [self.realm1],
"%s" % get_realms_of_token("hotptoken"))
def save_pin_change(request, response, serial=None):
"""
This policy function checks if the next_pin_change date should be
stored in the tokeninfo table.
1. Check scope:enrollment and
ACTION.CHANGE_PIN_FIRST_USE.
This action is used, when the administrator enrolls a token or sets a PIN
2. Check scope:enrollment and
ACTION.CHANGE_PIN_EVERY is used, if the user changes the PIN.
This function decorates /token/init and /token/setpin. The parameter
"pin" and "otppin" is investigated.
:param request:
:param action:
:return:
"""
content = json.loads(response.data)
policy_object = g.policy_object
serial = serial or request.all_data.get("serial")
if not serial:
# No serial in request, so we look into the response
serial = content.get("detail", {}).get("serial")
if not serial:
log.error("Can not determine serial number. Have no idea of any "
"realm!")
else:
# Determine the realm by the serial
realm = get_realms_of_token(serial, only_first_realm=True)
realm = realm or get_default_realm()
if g.logged_in_user.get("role") == ROLE.ADMIN:
pinpol = policy_object.get_policies(action=ACTION.CHANGE_PIN_FIRST_USE,
scope=SCOPE.ENROLL, realm=realm,
client=g.client_ip, active=True)
if pinpol:
token = get_tokens(serial=serial)[0]
token.set_next_pin_change(diff="0d")
elif g.logged_in_user.get("role") == ROLE.USER:
# Check for parameter "pin" or "otppin".
otppin = request.all_data.get("otppin")
pin = request.all_data.get("pin")
# The user sets a pin or enrolls a token. -> delete the pin_change
if otppin or pin:
token = get_tokens(serial=serial)[0]
token.del_tokeninfo("next_pin_change")
# If there is a change_pin_every policy, we need to set the PIN
# anew.
pinpol = policy_object.get_action_values(
ACTION.CHANGE_PIN_EVERY, scope=SCOPE.ENROLL,
realm=realm, client=g.client_ip, unique=True)
if pinpol:
token = get_tokens(serial=serial)[0]
token.set_next_pin_change(diff=pinpol[0])
# we do not modify the response!
return response
def test_06_get_realms_of_token(self):
# Return a list of realmnames for a token
self.assertTrue(
get_realms_of_token("hotptoken") == [self.realm1],
"%s" % get_realms_of_token("hotptoken"))
