def get_default_settings(cls, g, params):
"""
This method returns a dictionary with default settings for token
enrollment.
These default settings are defined in SCOPE.USER or SCOPE.ADMIN and are
totp_hashlib, totp_timestep and totp_otplen.
If these are set, the user or admin will only be able to enroll tokens
with these values.
The returned dictionary is added to the parameters of the API call.
:param g: context object, see documentation of ``Match``
:param params: The call parameters
:type params: dict
:return: default parameters
"""
ret = {}
if not g.logged_in_user:
return ret
(role, username, userrealm, adminuser,
adminrealm) = determine_logged_in_userparams(g.logged_in_user, params)
hashlib_pol = Match.generic(
g,
scope=role,
action="totp_hashlib",
user=username,
realm=userrealm,
adminuser=adminuser,
adminrealm=adminrealm).action_values(unique=True)
if hashlib_pol:
ret["hashlib"] = list(hashlib_pol)[0]
timestep_pol = Match.generic(
g,
scope=role,
action="totp_timestep",
user=username,
realm=userrealm,
adminuser=adminuser,
adminrealm=adminrealm).action_values(unique=True)
if timestep_pol:
ret["timeStep"] = list(timestep_pol)[0]
otplen_pol = Match.generic(
g,
scope=role,
action="totp_otplen",
user=username,
realm=userrealm,
adminuser=adminuser,
adminrealm=adminrealm).action_values(unique=True)
if otplen_pol:
ret["otplen"] = list(otplen_pol)[0]
return ret
def get_default_settings(cls, g, params):
"""
This method returns a dictionary with additional settings for token
enrollment.
The settings that are evaluated are
SCOPE.ADMIN|SCOPE.USER, action=trusted_Assertion_CA_path
It sets a list of configured paths.
The returned dictionary is added to the parameters of the API call.
:param g: context object, see documentation of ``Match``
:param params: The call parameters
:type params: dict
:return: default parameters
"""
ret = {ACTION.TRUSTED_CA_PATH: DEFAULT_CA_PATH}
(role, username, userrealm, adminuser,
adminrealm) = determine_logged_in_userparams(g.logged_in_user, params)
# Now we fetch CA-pathes from the policies
paths = Match.generic(g,
scope=role,
action=ACTION.TRUSTED_CA_PATH,
user=username,
realm=userrealm,
adminuser=adminuser,
adminrealm=adminrealm).action_values(
unique=False,
allow_white_space_in_action=True)
if paths:
ret[ACTION.TRUSTED_CA_PATH] = list(paths)
return ret
def is_password_reset(g):
"""
Check if password reset is allowed.
We need to check, if a user policy with password_reset exists AND if an
editable resolver exists. Otherwise password_reset does not make any sense.
:return: True or False
"""
rlist = get_resolver_list(editable=True)
log.debug("Number of editable resolvers: {0!s}".format(len(rlist)))
pwreset = Match.generic(
g, scope=SCOPE.USER,
action=ACTION.PASSWORDRESET).allowed(write_to_audit_log=False)
log.debug("Password reset allowed via policies: {0!s}".format(pwreset))
return bool(rlist and pwreset)
def get_webui_settings(request, response):
"""
This decorator is used in the /auth API to add configuration information
like the logout_time or the policy_template_url to the response.
:param request: flask request object
:param response: flask response object
:return: the response
"""
content = response.json
# check, if the authentication was successful, then we need to do nothing
if content.get("result").get("status") is True:
role = content.get("result").get("value").get("role")
loginname = content.get("result").get("value").get("username")
realm = content.get("result").get("value").get("realm") or get_default_realm()
# At this point the logged in user is not necessarily a user object. It can
# also be a local admin.
logout_time_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.LOGOUTTIME,
user=loginname, realm=realm).action_values(unique=True)
timeout_action_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.TIMEOUT_ACTION,
user=loginname, realm=realm).action_values(unique=True)
token_page_size_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.TOKENPAGESIZE,
user=loginname, realm=realm).action_values(unique=True)
user_page_size_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.USERPAGESIZE,
user=loginname, realm=realm).action_values(unique=True)
token_wizard_2nd = bool(role == ROLE.USER
and Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.TOKENWIZARD2ND,
user=loginname, realm=realm).policies())
admin_dashboard = (role == ROLE.ADMIN
and Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.ADMIN_DASHBOARD,
user=loginname, realm=realm).any())
token_wizard = False
dialog_no_token = False
if role == ROLE.USER:
user_obj = User(loginname, realm)
user_token_num = get_tokens(user=user_obj, count=True)
token_wizard_pol = Match.user(g, scope=SCOPE.WEBUI, action=ACTION.TOKENWIZARD, user_object=user_obj).any()
# We also need to check, if the user has not tokens assigned.
# If the user has no tokens, we run the wizard. If the user
# already has tokens, we do not run the wizard.
token_wizard = token_wizard_pol and (user_token_num == 0)
dialog_no_token_pol = Match.user(g, scope=SCOPE.WEBUI, action=ACTION.DIALOG_NO_TOKEN,
user_object=user_obj).any()
dialog_no_token = dialog_no_token_pol and (user_token_num == 0)
user_details_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.USERDETAILS,
user=loginname, realm=realm).policies()
search_on_enter = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SEARCH_ON_ENTER,
user=loginname, realm=realm).policies()
hide_welcome = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.HIDE_WELCOME,
user=loginname, realm=realm).any()
hide_buttons = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.HIDE_BUTTONS,
user=loginname, realm=realm).any()
default_tokentype_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.DEFAULT_TOKENTYPE,
user=loginname, realm=realm).action_values(unique=True)
show_seed = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_SEED,
user=loginname, realm=realm).any()
show_node = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_NODE, realm=realm).any()
qr_ios_authenticator = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_IOS_AUTHENTICATOR,
user=loginname, realm=realm).any()
qr_android_authenticator = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_ANDROID_AUTHENTICATOR,
user=loginname, realm=realm).any()
qr_custom_authenticator_url = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_CUSTOM_AUTHENTICATOR,
user=loginname, realm=realm).action_values(unique=True)
qr_image_android = create_img(DEFAULT_ANDROID_APP_URL) if qr_android_authenticator else None
qr_image_ios = create_img(DEFAULT_IOS_APP_URL) if qr_ios_authenticator else None
qr_image_custom = create_img(list(qr_custom_authenticator_url)[0]) if qr_custom_authenticator_url else None
token_page_size = DEFAULT_PAGE_SIZE
user_page_size = DEFAULT_PAGE_SIZE
default_tokentype = DEFAULT_TOKENTYPE
if len(token_page_size_pol) == 1:
token_page_size = int(list(token_page_size_pol)[0])
if len(user_page_size_pol) == 1:
user_page_size = int(list(user_page_size_pol)[0])
if len(default_tokentype_pol) == 1:
default_tokentype = list(default_tokentype_pol)[0]
logout_time = DEFAULT_LOGOUT_TIME
if len(logout_time_pol) == 1:
logout_time = int(list(logout_time_pol)[0])
timeout_action = DEFAULT_TIMEOUT_ACTION
if len(timeout_action_pol) == 1:
timeout_action = list(timeout_action_pol)[0]
policy_template_url_pol = Match.action_only(g, scope=SCOPE.WEBUI,
action=ACTION.POLICYTEMPLATEURL).action_values(unique=True)
policy_template_url = DEFAULT_POLICY_TEMPLATE_URL
if len(policy_template_url_pol) == 1:
policy_template_url = list(policy_template_url_pol)[0]
indexed_preset_attribute = Match.realm(g, scope=SCOPE.WEBUI, action="indexedsecret_preset_attribute",
realm=realm).action_values(unique=True)
if len(indexed_preset_attribute) == 1:
content["result"]["value"]["indexedsecret_preset_attribute"] = list(indexed_preset_attribute)[0]
# This only works for users, because the value of the policy does not change while logged in.
if role == ROLE.USER and \
Match.user(g, SCOPE.USER, "indexedsecret_force_attribute", user_obj).action_values(unique=False):
content["result"]["value"]["indexedsecret_force_attribute"] = 1
content["result"]["value"]["logout_time"] = logout_time
content["result"]["value"]["token_page_size"] = token_page_size
content["result"]["value"]["user_page_size"] = user_page_size
content["result"]["value"]["policy_template_url"] = policy_template_url
content["result"]["value"]["default_tokentype"] = default_tokentype
content["result"]["value"]["user_details"] = len(user_details_pol) > 0
content["result"]["value"]["token_wizard"] = token_wizard
content["result"]["value"]["token_wizard_2nd"] = token_wizard_2nd
content["result"]["value"]["admin_dashboard"] = admin_dashboard
content["result"]["value"]["dialog_no_token"] = dialog_no_token
content["result"]["value"]["search_on_enter"] = len(search_on_enter) > 0
content["result"]["value"]["timeout_action"] = timeout_action
content["result"]["value"]["hide_welcome"] = hide_welcome
content["result"]["value"]["hide_buttons"] = hide_buttons
content["result"]["value"]["show_seed"] = show_seed
content["result"]["value"]["show_node"] = get_privacyidea_node() if show_node else ""
content["result"]["value"]["subscription_status"] = subscription_status()
content["result"]["value"]["qr_image_android"] = qr_image_android
content["result"]["value"]["qr_image_ios"] = qr_image_ios
content["result"]["value"]["qr_image_custom"] = qr_image_custom
response.set_data(json.dumps(content))
return response
def single_page_application():
instance = request.script_root
if instance == "/":
instance = ""
# The backend URL should come from the configuration of the system.
backend_url = ""
if current_app.config.get("PI_UI_DEACTIVATED"):
# Do not provide the UI
return send_html(render_template("deactivated.html"))
# The default theme. We can change this later
theme = current_app.config.get("PI_CSS", DEFAULT_THEME)
theme = theme.strip('/')
# Get further customizations
customization = current_app.config.get("PI_CUSTOMIZATION",
"/static/customize/")
customization = customization.strip('/')
custom_css = customization + "/css/custom.css" if current_app.config.get("PI_CUSTOM_CSS") else ""
# Enrollment-Wizard:
# PI_CUSTOMIZATION/views/includes/token.enroll.pre.top.html
# PI_CUSTOMIZATION/views/includes/token.enroll.pre.bottom.html
# PI_CUSTOMIZATION/views/includes/token.enroll.post.top.html
# PI_CUSTOMIZATION/views/includes/token.enroll.post.bottom.html
# Get the hidden external links
external_links = current_app.config.get("PI_EXTERNAL_LINKS", True)
# Read the UI translation warning
translation_warning = current_app.config.get("PI_TRANSLATION_WARNING", False)
# Get the logo file
logo = current_app.config.get("PI_LOGO", "privacyIDEA1.png")
browser_lang = request.accept_languages.best_match(["en", "de", "de-DE", "nl", "fr", "it", "es"], default="en").split("-")[0]
# The page title can be configured in pi.cfg
page_title = current_app.config.get("PI_PAGE_TITLE", "privacyIDEA Authentication System")
# check if login with REMOTE_USER is allowed.
remote_user = ""
password_reset = False
if not hasattr(request, "all_data"):
request.all_data = {}
# Depending on displaying the realm dropdown, we fill realms or not.
realms = ""
realm_dropdown = Match.action_only(g, scope=SCOPE.WEBUI, action=ACTION.REALMDROPDOWN)\
.policies(write_to_audit_log=False)
show_node = get_privacyidea_node() \
if Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_NODE).any(write_to_audit_log=False) else ""
if realm_dropdown:
try:
realm_dropdown_values = Match.action_only(g, scope=SCOPE.WEBUI, action=ACTION.REALMDROPDOWN) \
.action_values(unique=False, write_to_audit_log=False)
# Use the realms from the policy.
realms = ",".join(realm_dropdown_values)
except AttributeError as _e:
# The policy is still a boolean realm_dropdown action
# Thus we display ALL realms
realms = ",".join(get_realms())
try:
r = is_remote_user_allowed(request, write_to_audit_log=False)
force_remote_user = r == REMOTE_USER.FORCE
if r != REMOTE_USER.DISABLE:
remote_user = request.remote_user
password_reset = is_password_reset(g)
hsm_ready = True
except HSMException:
hsm_ready = False
# Use policies to determine the customization of menu
# and baseline. get_action_values returns an array!
sub_state = subscription_status()
customization_menu_file = Match.action_only(g, action=ACTION.CUSTOM_MENU,
scope=SCOPE.WEBUI)\
.action_values(unique=True, allow_white_space_in_action=True, write_to_audit_log=False)
if len(customization_menu_file) and list(customization_menu_file)[0] \
and sub_state not in [1, 2]:
customization_menu_file = list(customization_menu_file)[0]
else:
customization_menu_file = "templates/menu.html"
customization_baseline_file = Match.action_only(g, action=ACTION.CUSTOM_BASELINE,
scope=SCOPE.WEBUI) \
.action_values(unique=True, allow_white_space_in_action=True, write_to_audit_log=False)
if len(customization_baseline_file) and list(customization_baseline_file)[0] \
and sub_state not in [1, 2]:
customization_baseline_file = list(customization_baseline_file)[0]
else:
customization_baseline_file = "templates/baseline.html"
login_text = Match.action_only(g, action=ACTION.LOGIN_TEXT, scope=SCOPE.WEBUI) \
.action_values(unique=True, allow_white_space_in_action=True, write_to_audit_log=False)
if len(login_text) and list(login_text)[0] and sub_state not in [1, 2]:
login_text = list(login_text)[0]
else:
login_text = ""
gdpr_link = Match.action_only(g, action=ACTION.GDPR_LINK, scope=SCOPE.WEBUI) \
.action_values(unique=True, allow_white_space_in_action=True, write_to_audit_log=False)
if len(gdpr_link) and list(gdpr_link)[0] and sub_state not in [1, 2]:
gdpr_link = list(gdpr_link)[0]
else:
gdpr_link = ""
render_context = {
'instance': instance,
'backendUrl': backend_url,
'browser_lang': browser_lang,
'remote_user': remote_user,
'force_remote_user': force_remote_user,
'theme': theme,
'translation_warning': translation_warning,
'password_reset': password_reset,
'hsm_ready': hsm_ready,
'has_job_queue': str(has_job_queue()),
'customization': customization,
'custom_css': custom_css,
'customization_menu_file': customization_menu_file,
'customization_baseline_file': customization_baseline_file,
'realms': realms,
'show_node': show_node,
'external_links': external_links,
'login_text': login_text,
'gdpr_link': gdpr_link,
'logo': logo,
'page_title': page_title
}
index_page = current_app.config.get("PI_INDEX_HTML") or "index.html"
return send_html(render_template(index_page, **render_context))
