def create_google_authenticator(param: dict, user=None) -> str:
"""Create the google url from the parameters
:param param: dict containing the parameters
:param user: the user to which the token should be assigned
:return: the google authenticator url
"""
serial = param["serial"]
login = user and user.login or param.get("user.login", "")
realm = user and user.realm or param.get("user.realm", "")
description = param.get("description", "")
token_label = get_tokenlabel(
serial=serial, user=login, realm=realm, description=description
)
issuer = get_tokenissuer(
serial=serial, user=login, realm=realm, description=description
)
# --------------------------------------------------------------------- --
# as the issuer is also used as an url parameter,
# we add it to the parameters
param["issuer"] = issuer
# build the label, which is defined as:
# label = accountname / issuer (“:” / “%3A”) *”%20” accountname
label = quote(issuer) + ":" + quote(token_label)
return google_authenticator_url(label, param)
def test_tokenissuer(
self,
mocked__get_client,
mocked__get_policies,
mocked_get_policy_definitions,
):
"""Verify that the tokenissuer is evaluated from general."""
mocked__get_client.return_value = "127.0.0.1"
mocked_get_policy_definitions.return_value = {
"enrollment": {
"tokenissuer": {
"type": "str",
"desc": "the issuer label for the google authenticator.",
},
}
}
policy_set = copy.deepcopy(PolicySet)
# ----------------------------------------------------------------- --
# verify that general policy is honored
policy_set["general"]["action"] = "tokenissuer=<s>:<u>@<r>"
mocked__get_policies.return_value = policy_set
issuer = get_tokenissuer(user="******",
realm="defaultrealm",
serial="mySerial")
assert issuer == "mySerial:fake_user@defaultrealm"
# ----------------------------------------------------------------- --
# verify that if set, user specific policy is honored
policy_set["fake_user"]["action"] = "dummy, tokenissuer=<u>@<r>"
mocked__get_policies.return_value = policy_set
issuer = get_tokenissuer(user="******",
realm="defaultrealm",
serial="mySerial")
assert issuer == "fake_user@defaultrealm"
def test_get_tokenissuer_wo_policy(self, mock__get_client,
mock_has_client_policy):
mock__get_client.return_value = "localhost"
mock_has_client_policy.return_value = {}
res = get_tokenissuer(serial="123")
assert res == "LinOTP"
res = get_tokenissuer(serial="123", user="******")
assert res == "LinOTP"
res = get_tokenissuer(serial="123", user="******", realm="home")
assert res == "LinOTP"
res = get_tokenissuer(serial="123",
user="******",
realm="home",
description="nothing")
assert res == "LinOTP"
def test_tokenissuer(self, mocked__get_client, mocked__get_policies,
mocked_get_policy_definitions):
"""Verify that the tokenissuer is evaluated from general."""
mocked__get_client.return_value = '127.0.0.1'
mocked_get_policy_definitions.return_value = {
'enrollment': {
'tokenissuer': {
'type': 'str',
'desc': 'the issuer label for the google authenticator.'
},
}
}
policy_set = copy.deepcopy(PolicySet)
# ----------------------------------------------------------------- --
# verify that general policy is honored
policy_set['general']['action'] = 'tokenissuer=<s>:<u>@<r>'
mocked__get_policies.return_value = policy_set
issuer = get_tokenissuer(user='******',
realm='defaultrealm',
serial='mySerial')
assert issuer == 'mySerial:fake_user@defaultrealm'
# ----------------------------------------------------------------- --
# verify that if set, user specific policy is honored
policy_set['fake_user']['action'] = 'dummy, tokenissuer=<u>@<r>'
mocked__get_policies.return_value = policy_set
issuer = get_tokenissuer(user='******',
realm='defaultrealm',
serial='mySerial')
assert issuer == 'fake_user@defaultrealm'
def test_get_tokenissuer_w_policy(self, mock__get_client,
mock_has_client_policy,
mock_get_action_value):
mock__get_client.return_value = "localhost"
mock_has_client_policy.return_value = {}
mock_get_action_value.return_value = "<d>.<r>.<u>.<s>"
res = get_tokenissuer(serial="!")
assert res == "...!"
res = get_tokenissuer(serial="!", user="******")
assert res == "..matters.!"
res = get_tokenissuer(serial="!", user="******", realm="else")
assert res == ".else.matters.!"
res = get_tokenissuer(serial="!",
user="******",
realm="else",
description="nothing")
assert res == "nothing.else.matters.!"
def test_autoassignment(
self,
mocked__get_client,
mocked__get_policies,
mocked_get_policy_definitions,
):
"""Verify that the autoassignment is evaluated from general."""
mocked__get_client.return_value = "127.0.0.1"
policy_set = copy.deepcopy(PolicySet)
# ----------------------------------------------------------------- --
# verify that general policy is honored
policy_set["general"]["action"] = "autoassignment"
mocked__get_policies.return_value = policy_set
mocked_get_policy_definitions.return_value = {
"enrollment": {
"autoassignment": {
"type":
"bool",
"desc":
"users can assign a token just by using the "
"unassigned token to authenticate.",
},
}
}
fake_user = LinotpUser(login="******", realm="defaultrealm")
assert get_autoassignment(fake_user), "autoassigment should be set!"
# ----------------------------------------------------------------- --
# verify that if set, user specific policy is honored
policy_set["fake_user"]["action"] = "tokenissuer=<u>, autoassignment"
mocked__get_policies.return_value = policy_set
issuer = get_tokenissuer(user="******",
realm="defaultrealm",
serial="mySerial")
assert issuer == "fake_user"
def test_autoassignment(self, mocked__get_client, mocked__get_policies,
mocked_get_policy_definitions):
"""Verify that the autoassignment is evaluated from general."""
mocked__get_client.return_value = '127.0.0.1'
policy_set = copy.deepcopy(PolicySet)
# ----------------------------------------------------------------- --
# verify that general policy is honored
policy_set['general']['action'] = 'autoassignment'
mocked__get_policies.return_value = policy_set
mocked_get_policy_definitions.return_value = {
'enrollment': {
'autoassignment': {
'type':
'bool',
'desc':
'users can assign a token just by using the '
'unassigned token to authenticate.'
},
}
}
fake_user = LinotpUser(login='******', realm='defaultrealm')
assert get_autoassignment(fake_user), 'autoassigment should be set!'
# ----------------------------------------------------------------- --
# verify that if set, user specific policy is honored
policy_set['fake_user']['action'] = 'tokenissuer=<u>, autoassignment'
mocked__get_policies.return_value = policy_set
issuer = get_tokenissuer(user='******',
realm='defaultrealm',
serial='mySerial')
assert issuer == 'fake_user'
def create_google_authenticator(param, user=None):
'''
create url for google authenticator
:param param: request dictionary
:return: string with google url
'''
typ = param.get("type", 'hotp')
if typ.lower() == 'hmac':
typ = 'hotp'
if not typ.lower() in ['totp', 'hotp']:
raise NoOtpAuthTokenException('not supported otpauth token type: %r'
% typ)
serial = param.get("serial", None)
digits = param.get("otplen", '6')
otpkey = param.get("otpkey", None)
login = ''
realm = ''
if user:
login = user.login or ''
realm = user.realm or ''
login = login or param.get('user.login', '')
realm = realm or param.get('user.realm', '')
url_param = {}
if not otpkey:
raise Exception('Failed to create token url due to missing seed!')
key = base64.b32encode(binascii.unhexlify(otpkey))
key = key.strip("=")
algo = param.get("hashlib", "sha1") or "sha1"
algo = algo.upper()
if algo not in['SHA1', 'SHA256', 'SHA512', 'MD5']:
algo = 'SHA1'
if algo != 'SHA1':
url_param['algorithm'] = algo
url_param['secret'] = key
# dont add default
if digits != '6':
url_param['digits'] = digits
if typ not in ['totp']:
url_param['counter'] = 0
if 'timeStep' in param:
url_param['period'] = param.get('timeStep')
issuer = get_tokenissuer(login, realm, serial)
if issuer:
url_param['issuer'] = quote(issuer)
ga = "otpauth://%s/%s" % (typ, serial)
qg_param = urllib.urlencode(url_param)
base_len = len(ga) + len(qg_param)
max_len = 400
allowed_label_len = max_len - base_len
log.debug("[create_google_authenticator_url] we got %s characters"
" left for the token label" % str(allowed_label_len))
# show the user login in the token prefix
if len(login) > 0:
label = get_tokenlabel(login, realm, serial)
if len(param.get('description', '')) > 0 and '<d>' in label:
label = label.replace('<d>', param.get('description'))
else:
label = serial or ''
if len(param.get('description', '')) > 0:
label = label + ':' + param.get('description')
if issuer:
label = issuer + ':' + label
label = label[0:allowed_label_len]
url_label = quote(label, ':')
ga = "otpauth://%s/%s?%s" % (typ, url_label, qg_param)
log.debug("google authenticator: %r" % ga[:20])
return ga
def create_google_authenticator(param, user=None):
'''
create url for google authenticator
:param param: request dictionary
:return: string with google url
'''
typ = param.get("type", 'hotp')
if typ.lower() == 'hmac':
typ = 'hotp'
if not typ.lower() in ['totp', 'hotp']:
raise NoOtpAuthTokenException('not supported otpauth token type: %r'
% typ)
serial = param.get("serial", None)
digits = param.get("otplen", '6')
otpkey = param.get("otpkey", None)
login = ''
realm = ''
if user:
login = user.login or ''
realm = user.realm or ''
login = login or param.get('user.login', '')
realm = realm or param.get('user.realm', '')
url_param = {}
if not otpkey:
raise Exception('Failed to create token url due to missing seed!')
key = base64.b32encode(binascii.unhexlify(otpkey))
key = key.strip("=")
algo = param.get("hashlib", "sha1") or "sha1"
algo = algo.upper()
if algo not in['SHA1', 'SHA256', 'SHA512', 'MD5']:
algo = 'SHA1'
if algo != 'SHA1':
url_param['algorithm'] = algo
url_param['secret'] = key
# dont add default
if digits != '6':
url_param['digits'] = digits
if typ not in ['totp']:
url_param['counter'] = 0
if 'timeStep' in param:
url_param['period'] = param.get('timeStep')
issuer = get_tokenissuer(login, realm, serial)
if issuer:
url_param['issuer'] = quote(issuer)
ga = "otpauth://%s/%s" % (typ, serial)
qg_param = urllib.urlencode(url_param)
base_len = len(ga) + len(qg_param)
max_len = 400
allowed_label_len = max_len - base_len
log.debug("[create_google_authenticator_url] we got %s characters"
" left for the token label" % str(allowed_label_len))
# show the user login in the token prefix
if len(login) > 0:
label = get_tokenlabel(login, realm, serial)
if len(param.get('description', '')) > 0 and '<d>' in label:
label = label.replace('<d>', param.get('description'))
else:
label = serial or ''
if len(param.get('description', '')) > 0:
label = label + ':' + param.get('description')
if issuer:
label = issuer + ':' + label
label = label[0:allowed_label_len]
url_label = quote(label, ':')
ga = "otpauth://%s/%s?%s" % (typ, url_label, qg_param)
log.debug("google authenticator: %r" % ga[:20])
return ga