Exemplo n.º 1
    def __init__(self, aToken):
        """
        Initialise an e-mail token on top of the HMAC token base class.

        :param aToken: token object, handed unchanged to HmacTokenClass
        """
        HmacTokenClass.__init__(self, aToken)
        self.setType(u"email")
        # NOTE(review): presumably False because the server generates the
        # key itself when none is supplied - confirm against update()
        self.hKeyRequired = False

        # several hashlib methods are supported, but only at creation time;
        # the value that takes effect is set during update. Here the
        # configured default is read, falling back to "sha1".
        config = context['Config']
        self.hashlibStr = config.get("hotp.hashlib", "sha1")
        self.mode = ['challenge']
Exemplo n.º 2
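    def update(self, param, reset_failcount=True):
        """
        update - process initialization parameters

        Stores the e-mail address, enforces the self-service edit
        restriction and requests key generation from the base class when
        the caller supplied neither 'genkey' nor 'otpkey'.

        :param param: dict of initialization parameters; must contain
                      self.EMAIL_ADDRESS_KEY and is modified in place
        :type param: dict
        :param reset_failcount: passed through to HmacTokenClass.update
        :type reset_failcount: bool

        :return: nothing
        :raises Exception: in self-service scope, when the user may not edit
                           the e-mail address and the submitted address
                           differs from the one in the user data
        """
        # param can carry secret material (an 'otpkey' entry is checked
        # below), so only the parameter names go to the log, not the values
        LOG.debug("[update] begin. adjust the token class with: param %r",
                  list(param))

        _ = context['translate']

        # specific - e-mail
        # NOTE(review): the address is stored before the permission check
        # below, so a rejected request leaves it on this instance - confirm
        # that the caller discards the token when update() raises
        self._email_address = param[self.EMAIL_ADDRESS_KEY]
        # in scope selfservice - check if edit_email is allowed
        # if not allowed to edit, check if the email is the same
        # as from the user data
        if param.get('::scope::', {}).get('selfservice', False):
            user = param['::scope::']['user']
            if not is_email_editable(user):
                u_info = getUserDetail(user)
                # a user without a stored address yields None; treat it as
                # empty so the comparison denies the request instead of
                # failing with an AttributeError on None.strip()
                u_email = u_info.get('email') or ''
                if u_email.strip() != self._email_address.strip():
                    raise Exception(_('User is not allowed to set '
                                      'email address'))

        # in case of the e-mail token, only the server must know the otpkey
        # thus if none is provided, we let create one (in the TokenClass)
        if 'genkey' not in param and 'otpkey' not in param:
            param['genkey'] = 1

        HmacTokenClass.update(self, param, reset_failcount)

        LOG.debug("[update] end. all token parameters are set.")
        return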
Exemplo n.º 3
    def checkOtp(self, anOtpVal, counter, window, options=None):
        '''
        checkOtp - verify an otp value against a counter within the window

        When the check succeeds and the auto-SMS policy is active, a new
        message is sent through sendSMS and the otp counter is advanced.

        :param anOtpVal: the otp value to be verified
        :param counter: counter the verification starts from
        :param window: window handed to HmacTokenClass.checkOtp
        :param options: optional dict; the keys 'user', 'data' and
                        'message' are evaluated here
        :type options: dict

        :return: counter if found, -1 if not found
        :rtype: int
        '''
        opts = options if options else {}

        matched = HmacTokenClass.checkOtp(self, anOtpVal, counter, window)
        # a matching otp is rejected while the token reports itself invalid
        if matched != -1 and self.isValid() is False:
            matched = -1

        if matched >= 0 and get_auth_AutoSMSPolicy():
            # message text: realm of the token first, then realm of the user
            message = "<otp>"
            token_realms = self.getRealms()
            if token_realms:
                _sms_ret, message = get_auth_smstext(realm=token_realms[0])

            user = opts.get('user', None) if 'user' in opts else None
            if user:
                _sms_ret, message = get_auth_smstext(realm=user.realm)
            # NOTE(review): second realm lookup, its result is not used below
            token_realms = self.getRealms()

            # text supplied in the options overrides the policy text;
            # 'data' takes precedence over 'message'
            if 'data' in opts or 'message' in opts:
                message = opts.get('data', opts.get('message', '<otp>'))

            try:
                _success, message = self.sendSMS(message=message)
            except Exception as exx:
                # a failed delivery is only logged; the verification result
                # returned to the caller is not changed by it
                log.exception(exx)
            finally:
                # the counter is advanced whether or not the send worked
                self.incOtpCounter(matched, reset=False)

        if matched >= 0:
            outcome = "otp verification was successful!"
        else:
            outcome = "otp verification failed!"
        log.debug(outcome)
        return matched
Exemplo n.º 4
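    def update(self, param, reset_failcount=True):
        """
        update - process initialization parameters

        Stores the e-mail address, enforces the self-service edit
        restriction and requests key generation from the base class when
        the caller supplied neither 'genkey' nor 'otpkey'.

        :param param: dict of initialization parameters; must contain
                      self.EMAIL_ADDRESS_KEY and is modified in place
        :type param: dict
        :param reset_failcount: passed through to HmacTokenClass.update
        :type reset_failcount: bool

        :return: nothing
        :raises Exception: in self-service scope, when the user may not edit
                           the e-mail address and the submitted address
                           differs from the one in the user data
        """
        # param can carry secret material (an "otpkey" entry is checked
        # below), so only the parameter names go to the log, not the values
        LOG.debug("[update] begin. adjust the token class with: param %r",
                  list(param))

        # specific - e-mail
        # NOTE(review): the address is stored before the permission check
        # below, so a rejected request leaves it on this instance - confirm
        # that the caller discards the token when update() raises
        self._email_address = param[self.EMAIL_ADDRESS_KEY]

        # in scope selfservice - check if edit_email is allowed
        # if not allowed to edit, check if the email is the same
        # as from the user data
        if param.get("::scope::", {}).get("selfservice", False):
            user = param["::scope::"]["user"]
            if not is_email_editable(user):
                u_info = getUserDetail(user)
                # a user without a stored address yields None; treat it as
                # empty so the comparison denies the request instead of
                # failing with an AttributeError on None.strip()
                u_email = u_info.get("email") or ""
                if u_email.strip() != self._email_address.strip():
                    raise Exception(
                        _("User is not allowed to set email address"))

        # in case of the e-mail token, only the server must know the otpkey
        # thus if none is provided, we let create one (in the TokenClass)
        if "genkey" not in param and "otpkey" not in param:
            param["genkey"] = 1

        HmacTokenClass.update(self, param, reset_failcount)

        LOG.debug("[update] end. all token parameters are set.")
        return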
Exemplo n.º 5
    def test_validate_seed(self, moch_getFromConfig):
        """provided seed should be a valid HEX string"""
        expected_msg = (
            "The provided token seed contains non-hexadecimal characters")
        token = HmacTokenClass(FakeTokenModel())

        # hexadecimal digits only: must be accepted without raising
        token.validate_seed("1234ab18790bdef1234")

        # one non-hex character each, at the end ('g') and in the middle ('H')
        for bad_seed in ("1234ab18790bdef1234g", "1234ab187fH90bdef1234"):
            with self.assertRaises(InvalidSeedException) as caught:
                token.validate_seed(bad_seed)
            self.assertEqual(expected_msg, caught.exception.msg)
Exemplo n.º 6
def test_hmac_hashlib_sha1(mock_getFromConfig):
    """A token built from a default FakeTokenModel reports 'sha1'.

    mock_getFromConfig is set to return 'sha1' before the token is built.
    """
    mock_getFromConfig.return_value = 'sha1'
    token = HmacTokenClass(FakeTokenModel())
    assert token.hashlibStr == 'sha1'
Exemplo n.º 7
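    def update(self, param):
        '''
        update - process the initialization parameters

        Resolves the hashlib name and the otp key, writes both back into
        param, applies otplen and the time settings, delegates to
        HmacTokenClass.update and finally records the time settings and
        the hashlib name in the token info.

        :param param: dict of initialization parameters (modified in place)
        :type param: dict

        :return: nothing
        :raises ParameterError: if a key is required, genkey is not 1 and
                                no 'otpkey' is given
        '''

        ## check for the required parameters
        val = param.get("hashlib")
        if val is not None:
            self.hashlibStr = val
        else:
            self.hashlibStr = 'sha1'

        otpKey = ''

        if (self.hKeyRequired is True):
            genkey = int(param.get("genkey", 0))
            if 1 == genkey:
                # NOTE(review): keylen.get() returns None for an unknown
                # hashlib name instead of raising, so a caller-supplied
                # "hashlib" is only rejected here if generate_otpkey()
                # refuses None - confirm
                otpKey = generate_otpkey(keylen.get(self.hashlibStr))
                del param['genkey']
            else:
                # genkey not set: the caller has to provide the otpkey
                try:
                    otpKey = param['otpkey']
                except KeyError:
                    # name the parameter that is actually missing
                    raise ParameterError("Missing parameter: 'otpkey'")

        # finally set the values for the update

        param['otpkey'] = otpKey
        param['hashlib'] = self.hashlibStr

        val = param.get("otplen")
        if val is not None:
            self.setOtpLen(int(val))
        else:
            self.setOtpLen(getFromConfig("DefaultOtpLen"))

        val = param.get("timeStep")
        if val is not None:
            self.timeStep = val

        val = param.get("timeWindow")
        if val is not None:
            self.timeWindow = val

        val = param.get("timeShift")
        if val is not None:
            self.timeShift = val

        HmacTokenClass.update(self, param)

        # only non-empty settings are written to the token info
        if self.timeWindow is not None and self.timeWindow != '':
            self.addToTokenInfo("timeWindow", self.timeWindow)
        if self.timeShift is not None and self.timeShift != '':
            self.addToTokenInfo("timeShift", self.timeShift)
        if self.timeStep is not None and self.timeStep != '':
            self.addToTokenInfo("timeStep", self.timeStep)
        if self.hashlibStr:
            self.addToTokenInfo("hashlib", self.hashlibStr)

        return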
Exemplo n.º 8
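    def update(self, param):
        '''
        update - process the initialization parameters

        Resolves the hashlib name and the otp key, writes both back into
        param, applies otplen and the time settings, delegates to
        HmacTokenClass.update and finally records the time settings and
        the hashlib name in the token info.

        :param param: dict of initialization parameters (modified in place)
        :type param: dict

        :return: nothing
        :raises ParameterError: if a key is required, genkey is not 1 and
                                no 'otpkey' is given
        '''

        ## check for the required parameters
        val = param.get("hashlib")
        if val is not None:
            self.hashlibStr = val
        else:
            self.hashlibStr = 'sha1'

        otpKey = ''

        if (self.hKeyRequired is True):
            genkey = int(param.get("genkey", 0))
            if 1 == genkey:
                # NOTE(review): keylen.get() returns None for an unknown
                # hashlib name instead of raising, so a caller-supplied
                # "hashlib" is only rejected here if generate_otpkey()
                # refuses None - confirm
                otpKey = generate_otpkey(keylen.get(self.hashlibStr))
                del param['genkey']
            else:
                # genkey not set: the caller has to provide the otpkey
                try:
                    otpKey = param['otpkey']
                except KeyError:
                    # name the parameter that is actually missing
                    raise ParameterError("Missing parameter: 'otpkey'")

        # finally set the values for the update

        param['otpkey'] = otpKey
        param['hashlib'] = self.hashlibStr

        val = param.get("otplen")
        if val is not None:
            self.setOtpLen(int(val))
        else:
            self.setOtpLen(getFromConfig("DefaultOtpLen"))

        val = param.get("timeStep")
        if val is not None:
            self.timeStep = val

        val = param.get("timeWindow")
        if val is not None:
            self.timeWindow = val

        val = param.get("timeShift")
        if val is not None:
            self.timeShift = val

        HmacTokenClass.update(self, param)

        # only non-empty settings are written to the token info
        if self.timeWindow is not None and self.timeWindow != '':
            self.addToTokenInfo("timeWindow", self.timeWindow)
        if self.timeShift is not None and self.timeShift != '':
            self.addToTokenInfo("timeShift", self.timeShift)
        if self.timeStep is not None and self.timeStep != '':
            self.addToTokenInfo("timeStep", self.timeStep)
        if self.hashlibStr:
            self.addToTokenInfo("hashlib", self.hashlibStr)

        return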
Exemplo n.º 9
def test_hmac_hashlib_sha256(mock_getFromConfig):
    """A token built from FakeTokenModel("sha256") reports "sha256".

    mock_getFromConfig is set to return "sha1", so the assertion shows that
    the value given to the model takes precedence over that return value.
    """
    mock_getFromConfig.return_value = "sha1"
    token = HmacTokenClass(FakeTokenModel("sha256"))
    assert token.hashlibStr == "sha256"