def test_02_set_default_realm(self):
(added, failed) = set_realm("realm2", [self.resolvername2])
self.assertTrue(len(added) == 1)
self.assertTrue(len(failed) == 0)
realm = get_default_realm()
self.assertTrue(realm == self.realm1)
set_default_realm("realm2")
realm = get_default_realm()
self.assertTrue(realm == "realm2")
set_default_realm()
realm = get_default_realm()
self.assertTrue(realm is None, realm)
def test_02_set_default_realm(self):
(added, failed) = set_realm("realm2",
[self.resolvername2])
self.assertTrue(len(added) == 1)
self.assertTrue(len(failed) == 0)
realm = get_default_realm()
self.assertTrue(realm == self.realm1)
set_default_realm("realm2")
realm = get_default_realm()
self.assertTrue(realm == "realm2")
set_default_realm()
realm = get_default_realm()
self.assertTrue(realm is None, realm)
def before_request():
"""
This is executed before the request
"""
ensure_no_config_object()
request.all_data = get_all_params(request.values, request.data)
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
g.event_config = EventConfiguration()
# access_route contains the ip adresses of all clients, hops and proxies.
g.client_ip = get_client_ip(request,
get_from_config(SYSCONF.OVERRIDECLIENT))
g.audit_object.log({"success": False,
"client": g.client_ip,
"client_user_agent": request.user_agent.browser,
"privacyidea_server": privacyidea_server,
"action": "{0!s} {1!s}".format(request.method, request.url_rule),
"action_detail": "",
"info": ""})
username = getParam(request.all_data, "username")
if username:
# We only fill request.User, if we really have a username.
# On endpoints like /auth/rights, this is not available
loginname, realm = split_user(username)
# overwrite the split realm if we have a realm parameter. Default back to default_realm
realm = getParam(request.all_data, "realm", default=realm) or realm or get_default_realm()
# Prefill the request.User. This is used by some pre-event handlers
request.User = User(loginname, realm)
def save_pin_change(request, response, serial=None):
"""
This policy function checks if the next_pin_change date should be
stored in the tokeninfo table.
1. Check scope:enrollment and
ACTION.CHANGE_PIN_FIRST_USE.
This action is used, when the administrator enrolls a token or sets a PIN
2. Check scope:enrollment and
ACTION.CHANGE_PIN_EVERY is used, if the user changes the PIN.
This function decorates /token/init and /token/setpin. The parameter
"pin" and "otppin" is investigated.
:param request:
:param action:
:return:
"""
policy_object = g.policy_object
serial = serial or request.all_data.get("serial")
if not serial:
# No serial in request, so we look into the response
serial = response.json.get("detail", {}).get("serial")
if not serial:
log.error("Can not determine serial number. Have no idea of any "
"realm!")
else:
# Determine the realm by the serial
realm = get_realms_of_token(serial, only_first_realm=True)
realm = realm or get_default_realm()
if g.logged_in_user.get("role") == ROLE.ADMIN:
pinpol = Match.realm(g, scope=SCOPE.ENROLL, action=ACTION.CHANGE_PIN_FIRST_USE,
realm=realm).policies()
if pinpol:
token = get_one_token(serial=serial)
token.set_next_pin_change(diff="0d")
elif g.logged_in_user.get("role") == ROLE.USER:
# Check for parameter "pin" or "otppin".
otppin = request.all_data.get("otppin")
pin = request.all_data.get("pin")
# The user sets a pin or enrolls a token. -> delete the pin_change
if otppin or pin:
token = get_one_token(serial=serial)
token.del_tokeninfo("next_pin_change")
# If there is a change_pin_every policy, we need to set the PIN
# anew.
pinpol = Match.realm(g, scope=SCOPE.ENROLL, action=ACTION.CHANGE_PIN_EVERY,
realm=realm).action_values(unique=True)
if pinpol:
token = get_one_token(serial=serial)
token.set_next_pin_change(diff=list(pinpol)[0])
# we do not modify the response!
return response
def get_users(realm, include_inactive):
app = create_app(config_name="production",
config_file="/etc/privacyidea/pi.cfg",
silent=True)
with app.app_context():
realm = realm or get_default_realm()
params = {"realm": realm}
ulist = get_user_list(params)
active = None
if include_inactive:
active = True
for user in ulist:
user_obj = User(user.get("username"), realm, user.get("resolver"))
toks = get_tokens(user=user_obj, active=active)
if len(toks) == 0:
print(user.get("username"))
def get_auth_token():
"""
This call verifies the credentials of the user and issues an
authentication token, that is used for the later API calls. The
authentication token has a validity, that is usually 1 hour.
:jsonparam username: The username of the user who wants to authenticate to
the API.
:jsonparam password: The password/credentials of the user who wants to
authenticate to the API.
:return: A json response with an authentication token, that needs to be
used in any further request.
:status 200: in case of success
:status 401: if authentication fails
**Example Authentication Request**:
.. sourcecode:: http
POST /auth HTTP/1.1
Host: example.com
Accept: application/json
username=admin
password=topsecret
**Example Authentication Response**:
.. sourcecode:: http
HTTP/1.0 200 OK
Content-Length: 354
Content-Type: application/json
{
"id": 1,
"jsonrpc": "2.0",
"result": {
"status": true,
"value": {
"token": "eyJhbGciOiJIUz....jdpn9kIjuGRnGejmbFbM"
}
},
"version": "privacyIDEA unknown"
}
**Response for failed authentication**:
.. sourcecode:: http
HTTP/1.1 401 UNAUTHORIZED
Content-Type: application/json
Content-Length: 203
{
"id": 1,
"jsonrpc": "2.0",
"result": {
"error": {
"code": -401,
"message": "missing Authorization header"
},
"status": false
},
"version": "privacyIDEA unknown",
"config": {
"logout_time": 30
}
}
"""
validity = timedelta(hours=1)
username = getParam(request.all_data, "username")
password = getParam(request.all_data, "password")
realm = getParam(request.all_data, "realm")
details = {}
if username is None:
raise AuthError(_("Authentication failure. Missing Username"),
id=ERROR.AUTHENTICATE_MISSING_USERNAME)
if realm:
username = username + "@" + realm
# Failsafe to have the user attempt in the log, whatever happens
# This can be overwritten later
g.audit_object.log({"user": username, "realm": realm})
secret = current_app.secret_key
superuser_realms = current_app.config.get("SUPERUSER_REALM", [])
# This is the default role for the logged in user.
# The role privileges may be risen to "admin"
role = ROLE.USER
# The way the user authenticated. This could be
# "password" = The admin user DB or the user store
# "pi" = The admin or the user is authenticated against privacyIDEA
# "remote_user" = authenticated by webserver
authtype = "password"
# Verify the password
admin_auth = False
user_auth = False
loginname, realm = split_user(username)
realm = realm or get_default_realm()
user_obj = User()
# Check if the remote user is allowed
if (request.remote_user == username) and is_remote_user_allowed(request):
# Authenticated by the Web Server
# Check if the username exists
# 1. in local admins
# 2. in a realm
# 2a. is an admin realm
authtype = "remote_user "
if db_admin_exist(username):
role = ROLE.ADMIN
admin_auth = True
g.audit_object.log({
"success": True,
"user": "",
"administrator": username,
"info": "internal admin"
})
else:
# check, if the user exists
user_obj = User(loginname, realm)
g.audit_object.log({
"user": user_obj.login,
"realm": user_obj.realm,
"info": log_used_user(user_obj)
})
if user_obj.exist():
user_auth = True
if user_obj.realm in superuser_realms:
role = ROLE.ADMIN
admin_auth = True
elif verify_db_admin(username, password):
role = ROLE.ADMIN
admin_auth = True
# This admin is not in the default realm!
realm = ""
g.audit_object.log({
"success": True,
"user": "",
"administrator": username,
"info": "internal admin"
})
else:
# The user could not be identified against the admin database,
# so we do the rest of the check
options = {"g": g, "clientip": g.client_ip}
for key, value in request.all_data.items():
if value and key not in ["g", "clientip"]:
options[key] = value
user_obj = User(loginname, realm)
user_auth, role, details = check_webui_user(
user_obj,
password,
options=options,
superuser_realms=superuser_realms)
details = details or {}
if role == ROLE.ADMIN:
g.audit_object.log({
"user":
"",
"administrator":
user_obj.login,
"realm":
user_obj.realm,
"resolver":
user_obj.resolver,
"serial":
details.get('serial', None),
"info":
u"{0!s}|loginmode={1!s}".format(log_used_user(user_obj),
details.get("loginmode"))
})
else:
g.audit_object.log({
"user":
user_obj.login,
"realm":
user_obj.realm,
"resolver":
user_obj.resolver,
"serial":
details.get('serial', None),
"info":
u"{0!s}|loginmode={1!s}".format(log_used_user(user_obj),
details.get("loginmode"))
})
if not admin_auth and not user_auth:
raise AuthError(_("Authentication failure. Wrong credentials"),
id=ERROR.AUTHENTICATE_WRONG_CREDENTIALS,
details=details or {})
else:
g.audit_object.log({"success": True})
request.User = user_obj
# If the HSM is not ready, we need to create the nonce in another way!
hsm = init_hsm()
if hsm.is_ready:
nonce = geturandom(hex=True)
# Add the role to the JWT, so that we can verify it internally
# Add the authtype to the JWT, so that we could use it for access
# definitions
rights = g.policy_object.ui_get_rights(role, realm, loginname,
g.client_ip)
menus = g.policy_object.ui_get_main_menus(
{
"username": loginname,
"role": role,
"realm": realm
}, g.client_ip)
else:
import os
nonce = hexlify_and_unicode(os.urandom(20))
rights = []
menus = []
# What is the log level?
log_level = current_app.config.get("PI_LOGLEVEL", 30)
token = jwt.encode(
{
"username": loginname,
"realm": realm,
"nonce": nonce,
"role": role,
"authtype": authtype,
"exp": datetime.utcnow() + validity,
"rights": rights
},
secret,
algorithm='HS256').decode('utf8')
# Add the role to the response, so that the WebUI can make decisions
# based on this (only show selfservice, not the admin part)
return send_result(
{
"token": token,
"role": role,
"username": loginname,
"realm": realm,
"log_level": log_level,
"rights": rights,
"menus": menus
},
details=details)
def get_webui_settings(request, response):
"""
This decorator is used in the /auth API to add configuration information
like the logout_time or the policy_template_url to the response.
:param request: flask request object
:param response: flask response object
:return: the response
"""
content = json.loads(response.data)
# check, if the authentication was successful, then we need to do nothing
if content.get("result").get("status") is True:
role = content.get("result").get("value").get("role")
loginname = content.get("result").get("value").get("username")
realm = content.get("result").get("value").get("realm")
realm = realm or get_default_realm()
policy_object = g.policy_object
try:
client = g.client_ip
except Exception:
client = None
logout_time_pol = policy_object.get_action_values(
action=ACTION.LOGOUTTIME,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
unique=True)
timeout_action_pol = policy_object.get_action_values(
action=ACTION.TIMEOUT_ACTION,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
unique=True)
token_page_size_pol = policy_object.get_action_values(
action=ACTION.TOKENPAGESIZE,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
unique=True)
user_page_size_pol = policy_object.get_action_values(
action=ACTION.USERPAGESIZE,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
unique=True)
token_wizard_2nd = bool(
role == ROLE.USER
and policy_object.get_policies(action=ACTION.TOKENWIZARD2ND,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
active=True))
token_wizard = False
if role == ROLE.USER:
token_wizard_pol = policy_object.get_policies(
action=ACTION.TOKENWIZARD,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
active=True)
# We also need to check, if the user has not tokens assigned.
# If the user has no tokens, we run the wizard. If the user
# already has tokens, we do not run the wizard.
if token_wizard_pol:
token_wizard = get_tokens(user=User(loginname, realm),
count=True) == 0
user_details_pol = policy_object.get_policies(
action=ACTION.USERDETAILS,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
active=True)
search_on_enter = policy_object.get_policies(
action=ACTION.SEARCH_ON_ENTER,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
active=True)
hide_welcome = policy_object.get_policies(action=ACTION.HIDE_WELCOME,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
active=True)
hide_welcome = bool(hide_welcome)
default_tokentype_pol = policy_object.get_action_values(
action=ACTION.DEFAULT_TOKENTYPE,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
unique=True)
token_page_size = DEFAULT_PAGE_SIZE
user_page_size = DEFAULT_PAGE_SIZE
default_tokentype = DEFAULT_TOKENTYPE
if len(token_page_size_pol) == 1:
token_page_size = int(token_page_size_pol[0])
if len(user_page_size_pol) == 1:
user_page_size = int(user_page_size_pol[0])
if len(default_tokentype_pol) == 1:
default_tokentype = default_tokentype_pol[0]
logout_time = DEFAULT_LOGOUT_TIME
if len(logout_time_pol) == 1:
logout_time = int(logout_time_pol[0])
timeout_action = DEFAULT_TIMEOUT_ACTION
if len(timeout_action_pol) == 1:
timeout_action = timeout_action_pol[0]
policy_template_url_pol = policy_object.get_action_values(
action=ACTION.POLICYTEMPLATEURL,
scope=SCOPE.WEBUI,
client=client,
unique=True)
policy_template_url = DEFAULT_POLICY_TEMPLATE_URL
if len(policy_template_url_pol) == 1:
policy_template_url = policy_template_url_pol[0]
content["result"]["value"]["logout_time"] = logout_time
content["result"]["value"]["token_page_size"] = token_page_size
content["result"]["value"]["user_page_size"] = user_page_size
content["result"]["value"]["policy_template_url"] = policy_template_url
content["result"]["value"]["default_tokentype"] = default_tokentype
content["result"]["value"]["user_details"] = len(user_details_pol) > 0
content["result"]["value"]["token_wizard"] = token_wizard
content["result"]["value"]["token_wizard_2nd"] = token_wizard_2nd
content["result"]["value"]["search_on_enter"] = len(
search_on_enter) > 0
content["result"]["value"]["timeout_action"] = timeout_action
content["result"]["value"]["hide_welcome"] = hide_welcome
content["result"]["value"][
"subscription_status"] = subscription_status()
response.data = json.dumps(content)
return response
def get_auth_token():
"""
This call verifies the credentials of the user and issues an
authentication token, that is used for the later API calls. The
authentication token has a validity, that is usually 1 hour.
:jsonparam username: The username of the user who wants to authenticate to
the API.
:jsonparam password: The password/credentials of the user who wants to
authenticate to the API.
:return: A json response with an authentication token, that needs to be
used in any further request.
:status 200: in case of success
:status 401: if authentication fails
**Example Authentication Request**:
.. sourcecode:: http
POST /auth HTTP/1.1
Host: example.com
Accept: application/json
username=admin
password=topsecret
**Example Authentication Response**:
.. sourcecode:: http
HTTP/1.0 200 OK
Content-Length: 354
Content-Type: application/json
{
"id": 1,
"jsonrpc": "2.0",
"result": {
"status": true,
"value": {
"token": "eyJhbGciOiJIUz....jdpn9kIjuGRnGejmbFbM"
}
},
"version": "privacyIDEA unknown"
}
**Response for failed authentication**:
.. sourcecode:: http
HTTP/1.1 401 UNAUTHORIZED
Content-Type: application/json
Content-Length: 203
{
"id": 1,
"jsonrpc": "2.0",
"result": {
"error": {
"code": -401,
"message": "missing Authorization header"
},
"status": false
},
"version": "privacyIDEA unknown",
"config": {
"logout_time": 30
}
}
"""
validity = timedelta(hours=1)
username = request.all_data.get("username")
password = request.all_data.get("password")
realm = request.all_data.get("realm")
details = {}
if realm:
username = username + "@" + realm
g.audit_object.log({"user": username})
secret = current_app.secret_key
superuser_realms = current_app.config.get("SUPERUSER_REALM", [])
# This is the default role for the logged in user.
# The role privileges may be risen to "admin"
role = ROLE.USER
# The way the user authenticated. This could be
# "password" = The admin user DB or the user store
# "pi" = The admin or the user is authenticated against privacyIDEA
# "remote_user" = authenticated by webserver
authtype = "password"
if username is None:
raise AuthError("Authentication failure",
"missing Username",
status=401)
# Verify the password
admin_auth = False
user_auth = False
loginname, realm = split_user(username)
realm = realm or get_default_realm()
# Check if the remote user is allowed
if (request.remote_user == username) and is_remote_user_allowed(request):
# Authenticated by the Web Server
# Check if the username exists
# 1. in local admins
# 2. in a realm
# 2a. is an admin realm
authtype = "remote_user "
if db_admin_exist(username):
role = ROLE.ADMIN
admin_auth = True
g.audit_object.log({"success": True,
"user": "",
"administrator": username,
"info": "internal admin"})
else:
# check, if the user exists
user_obj = User(loginname, realm)
if user_obj.exist():
user_auth = True
if user_obj.realm in superuser_realms:
role = ROLE.ADMIN
admin_auth = True
elif verify_db_admin(username, password):
role = ROLE.ADMIN
admin_auth = True
# This admin is not in the default realm!
realm = ""
g.audit_object.log({"success": True,
"user": "",
"administrator": username,
"info": "internal admin"})
else:
# The user could not be identified against the admin database,
# so we do the rest of the check
options = {"g": g,
"clientip": g.client_ip}
for key, value in request.all_data.items():
if value and key not in ["g", "clientip"]:
options[key] = value
user_obj = User(loginname, realm)
user_auth, role, details = check_webui_user(user_obj,
password,
options=options,
superuser_realms=
superuser_realms)
if role == ROLE.ADMIN:
g.audit_object.log({"user": "",
"administrator": username})
if not admin_auth and not user_auth:
raise AuthError("Authentication failure",
"Wrong credentials", status=401,
details=details or {})
else:
g.audit_object.log({"success": True})
# If the HSM is not ready, we need to create the nonce in another way!
hsm = init_hsm()
if hsm.is_ready:
nonce = geturandom(hex=True)
# Add the role to the JWT, so that we can verify it internally
# Add the authtype to the JWT, so that we could use it for access
# definitions
rights = g.policy_object.ui_get_rights(role, realm, loginname,
g.client_ip)
else:
import os
import binascii
nonce = binascii.hexlify(os.urandom(20))
rights = []
# What is the log level?
log_level = current_app.config.get("PI_LOGLEVEL", 30)
token = jwt.encode({"username": loginname,
"realm": realm,
"nonce": nonce,
"role": role,
"authtype": authtype,
"exp": datetime.utcnow() + validity,
"rights": rights},
secret)
# Add the role to the response, so that the WebUI can make decisions
# based on this (only show selfservice, not the admin part)
return send_result({"token": token,
"role": role,
"username": loginname,
"realm": realm,
"log_level": log_level,
"rights": rights},
details=details)
def get_webui_settings(request, response):
"""
This decorator is used in the /auth API to add configuration information
like the logout_time or the policy_template_url to the response.
:param request: flask request object
:param response: flask response object
:return: the response
"""
content = response.json
# check, if the authentication was successful, then we need to do nothing
if content.get("result").get("status") is True:
role = content.get("result").get("value").get("role")
loginname = content.get("result").get("value").get("username")
realm = content.get("result").get("value").get("realm") or get_default_realm()
# At this point the logged in user is not necessarily a user object. It can
# also be a local admin.
logout_time_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.LOGOUTTIME,
user=loginname, realm=realm).action_values(unique=True)
timeout_action_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.TIMEOUT_ACTION,
user=loginname, realm=realm).action_values(unique=True)
token_page_size_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.TOKENPAGESIZE,
user=loginname, realm=realm).action_values(unique=True)
user_page_size_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.USERPAGESIZE,
user=loginname, realm=realm).action_values(unique=True)
token_wizard_2nd = bool(role == ROLE.USER
and Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.TOKENWIZARD2ND,
user=loginname, realm=realm).policies())
admin_dashboard = (role == ROLE.ADMIN
and Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.ADMIN_DASHBOARD,
user=loginname, realm=realm).any())
token_wizard = False
dialog_no_token = False
if role == ROLE.USER:
user_obj = User(loginname, realm)
user_token_num = get_tokens(user=user_obj, count=True)
token_wizard_pol = Match.user(g, scope=SCOPE.WEBUI, action=ACTION.TOKENWIZARD, user_object=user_obj).any()
# We also need to check, if the user has not tokens assigned.
# If the user has no tokens, we run the wizard. If the user
# already has tokens, we do not run the wizard.
token_wizard = token_wizard_pol and (user_token_num == 0)
dialog_no_token_pol = Match.user(g, scope=SCOPE.WEBUI, action=ACTION.DIALOG_NO_TOKEN,
user_object=user_obj).any()
dialog_no_token = dialog_no_token_pol and (user_token_num == 0)
user_details_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.USERDETAILS,
user=loginname, realm=realm).policies()
search_on_enter = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SEARCH_ON_ENTER,
user=loginname, realm=realm).policies()
hide_welcome = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.HIDE_WELCOME,
user=loginname, realm=realm).any()
hide_buttons = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.HIDE_BUTTONS,
user=loginname, realm=realm).any()
default_tokentype_pol = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.DEFAULT_TOKENTYPE,
user=loginname, realm=realm).action_values(unique=True)
show_seed = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_SEED,
user=loginname, realm=realm).any()
show_node = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_NODE, realm=realm).any()
qr_ios_authenticator = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_IOS_AUTHENTICATOR,
user=loginname, realm=realm).any()
qr_android_authenticator = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_ANDROID_AUTHENTICATOR,
user=loginname, realm=realm).any()
qr_custom_authenticator_url = Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.SHOW_CUSTOM_AUTHENTICATOR,
user=loginname, realm=realm).action_values(unique=True)
qr_image_android = create_img(DEFAULT_ANDROID_APP_URL) if qr_android_authenticator else None
qr_image_ios = create_img(DEFAULT_IOS_APP_URL) if qr_ios_authenticator else None
qr_image_custom = create_img(list(qr_custom_authenticator_url)[0]) if qr_custom_authenticator_url else None
token_page_size = DEFAULT_PAGE_SIZE
user_page_size = DEFAULT_PAGE_SIZE
default_tokentype = DEFAULT_TOKENTYPE
if len(token_page_size_pol) == 1:
token_page_size = int(list(token_page_size_pol)[0])
if len(user_page_size_pol) == 1:
user_page_size = int(list(user_page_size_pol)[0])
if len(default_tokentype_pol) == 1:
default_tokentype = list(default_tokentype_pol)[0]
logout_time = DEFAULT_LOGOUT_TIME
if len(logout_time_pol) == 1:
logout_time = int(list(logout_time_pol)[0])
timeout_action = DEFAULT_TIMEOUT_ACTION
if len(timeout_action_pol) == 1:
timeout_action = list(timeout_action_pol)[0]
policy_template_url_pol = Match.action_only(g, scope=SCOPE.WEBUI,
action=ACTION.POLICYTEMPLATEURL).action_values(unique=True)
policy_template_url = DEFAULT_POLICY_TEMPLATE_URL
if len(policy_template_url_pol) == 1:
policy_template_url = list(policy_template_url_pol)[0]
indexed_preset_attribute = Match.realm(g, scope=SCOPE.WEBUI, action="indexedsecret_preset_attribute",
realm=realm).action_values(unique=True)
if len(indexed_preset_attribute) == 1:
content["result"]["value"]["indexedsecret_preset_attribute"] = list(indexed_preset_attribute)[0]
# This only works for users, because the value of the policy does not change while logged in.
if role == ROLE.USER and \
Match.user(g, SCOPE.USER, "indexedsecret_force_attribute", user_obj).action_values(unique=False):
content["result"]["value"]["indexedsecret_force_attribute"] = 1
content["result"]["value"]["logout_time"] = logout_time
content["result"]["value"]["token_page_size"] = token_page_size
content["result"]["value"]["user_page_size"] = user_page_size
content["result"]["value"]["policy_template_url"] = policy_template_url
content["result"]["value"]["default_tokentype"] = default_tokentype
content["result"]["value"]["user_details"] = len(user_details_pol) > 0
content["result"]["value"]["token_wizard"] = token_wizard
content["result"]["value"]["token_wizard_2nd"] = token_wizard_2nd
content["result"]["value"]["admin_dashboard"] = admin_dashboard
content["result"]["value"]["dialog_no_token"] = dialog_no_token
content["result"]["value"]["search_on_enter"] = len(search_on_enter) > 0
content["result"]["value"]["timeout_action"] = timeout_action
content["result"]["value"]["hide_welcome"] = hide_welcome
content["result"]["value"]["hide_buttons"] = hide_buttons
content["result"]["value"]["show_seed"] = show_seed
content["result"]["value"]["show_node"] = get_privacyidea_node() if show_node else ""
content["result"]["value"]["subscription_status"] = subscription_status()
content["result"]["value"]["qr_image_android"] = qr_image_android
content["result"]["value"]["qr_image_ios"] = qr_image_ios
content["result"]["value"]["qr_image_custom"] = qr_image_custom
response.set_data(json.dumps(content))
return response
def get_webui_settings(request, response):
"""
This decorator is used in the /auth API to add configuration information
like the logout_time or the policy_template_url to the response.
:param request: flask request object
:param response: flask response object
:return: the response
"""
content = json.loads(response.data)
# check, if the authentication was successful, then we need to do nothing
if content.get("result").get("status") is True:
_role = content.get("result").get("value").get("role")
username = content.get("result").get("value").get("username")
# get the realm
_loginname, realm = split_user(username)
if not realm:
realm = get_default_realm()
policy_object = g.policy_object
try:
client = request.remote_addr
except Exception:
client = None
logout_time_pol = policy_object.get_action_values(
action=ACTION.LOGOUTTIME,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
unique=True)
token_page_size_pol = policy_object.get_action_values(
action=ACTION.TOKENPAGESIZE,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
unique=True
)
user_page_size_pol = policy_object.get_action_values(
action=ACTION.USERPAGESIZE,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
unique=True
)
user_details_pol = policy_object.get_policies(
action=ACTION.USERDETAILS,
scope=SCOPE.WEBUI,
realm=realm,
client=client
)
default_tokentype_pol = policy_object.get_action_values(
action=ACTION.DEFAULT_TOKENTYPE,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
unique=True
)
token_page_size = DEFAULT_PAGE_SIZE
user_page_size = DEFAULT_PAGE_SIZE
default_tokentype = DEFAULT_TOKENTYPE
if len(token_page_size_pol) == 1:
token_page_size = int(token_page_size_pol[0])
if len(user_page_size_pol) == 1:
user_page_size = int(user_page_size_pol[0])
if len(default_tokentype_pol) == 1:
default_tokentype = default_tokentype_pol[0]
logout_time = DEFAULT_LOGOUT_TIME
if len(logout_time_pol) == 1:
logout_time = int(logout_time_pol[0])
policy_template_url_pol = policy_object.get_action_values(
action=ACTION.POLICYTEMPLATEURL,
scope=SCOPE.WEBUI,
client=client,
unique=True)
policy_template_url = DEFAULT_POLICY_TEMPLATE_URL
if len(policy_template_url_pol) == 1:
policy_template_url = policy_template_url_pol[0]
content["result"]["value"]["logout_time"] = logout_time
content["result"]["value"]["token_page_size"] = token_page_size
content["result"]["value"]["user_page_size"] = user_page_size
content["result"]["value"]["policy_template_url"] = policy_template_url
content["result"]["value"]["default_tokentype"] = default_tokentype
content["result"]["value"]["user_details"] = len(user_details_pol) > 0
response.data = json.dumps(content)
return response
def get_webui_settings(request, response):
"""
This decorator is used in the /auth API to add configuration information
like the logout_time or the policy_template_url to the response.
:param request: flask request object
:param response: flask response object
:return: the response
"""
content = json.loads(response.data)
# check, if the authentication was successful, then we need to do nothing
if content.get("result").get("status") is True:
role = content.get("result").get("value").get("role")
loginname = content.get("result").get("value").get("username")
realm = content.get("result").get("value").get("realm")
realm = realm or get_default_realm()
policy_object = g.policy_object
try:
client = g.client_ip
except Exception:
client = None
logout_time_pol = policy_object.get_action_values(
action=ACTION.LOGOUTTIME,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
unique=True)
token_page_size_pol = policy_object.get_action_values(
action=ACTION.TOKENPAGESIZE,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
unique=True
)
user_page_size_pol = policy_object.get_action_values(
action=ACTION.USERPAGESIZE,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
unique=True
)
token_wizard_2nd = bool(role == ROLE.USER and
policy_object.get_policies(action=ACTION.TOKENWIZARD2ND,
scope=SCOPE.WEBUI,
realm=realm,
client=client))
token_wizard = False
if role == ROLE.USER:
token_wizard_pol = policy_object.get_policies(
action=ACTION.TOKENWIZARD,
scope=SCOPE.WEBUI,
realm=realm,
client=client
)
# We also need to check, if the user has not tokens assigned.
# If the user has no tokens, we run the wizard. If the user
# already has tokens, we do not run the wizard.
if token_wizard_pol:
token_wizard = get_tokens(user=User(loginname, realm),
count=True) == 0
user_details_pol = policy_object.get_policies(
action=ACTION.USERDETAILS,
scope=SCOPE.WEBUI,
realm=realm,
client=client
)
default_tokentype_pol = policy_object.get_action_values(
action=ACTION.DEFAULT_TOKENTYPE,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
unique=True
)
token_page_size = DEFAULT_PAGE_SIZE
user_page_size = DEFAULT_PAGE_SIZE
default_tokentype = DEFAULT_TOKENTYPE
if len(token_page_size_pol) == 1:
token_page_size = int(token_page_size_pol[0])
if len(user_page_size_pol) == 1:
user_page_size = int(user_page_size_pol[0])
if len(default_tokentype_pol) == 1:
default_tokentype = default_tokentype_pol[0]
logout_time = DEFAULT_LOGOUT_TIME
if len(logout_time_pol) == 1:
logout_time = int(logout_time_pol[0])
policy_template_url_pol = policy_object.get_action_values(
action=ACTION.POLICYTEMPLATEURL,
scope=SCOPE.WEBUI,
client=client,
unique=True)
policy_template_url = DEFAULT_POLICY_TEMPLATE_URL
if len(policy_template_url_pol) == 1:
policy_template_url = policy_template_url_pol[0]
content["result"]["value"]["logout_time"] = logout_time
content["result"]["value"]["token_page_size"] = token_page_size
content["result"]["value"]["user_page_size"] = user_page_size
content["result"]["value"]["policy_template_url"] = policy_template_url
content["result"]["value"]["default_tokentype"] = default_tokentype
content["result"]["value"]["user_details"] = len(user_details_pol) > 0
content["result"]["value"]["token_wizard"] = token_wizard
content["result"]["value"]["token_wizard_2nd"] = token_wizard_2nd
response.data = json.dumps(content)
return response
def save_pin_change(request, response, serial=None):
"""
This policy function checks if the next_pin_change date should be
stored in the tokeninfo table.
1. Check scope:enrollment and
ACTION.CHANGE_PIN_FIRST_USE.
This action is used, when the administrator enrolls a token or sets a PIN
2. Check scope:enrollment and
ACTION.CHANGE_PIN_EVERY is used, if the user changes the PIN.
This function decorates /token/init and /token/setpin. The parameter
"pin" and "otppin" is investigated.
:param request:
:param action:
:return:
"""
content = json.loads(response.data)
policy_object = g.policy_object
serial = serial or request.all_data.get("serial")
if not serial:
# No serial in request, so we look into the response
serial = content.get("detail", {}).get("serial")
if not serial:
log.error("Can not determine serial number. Have no idea of any "
"realm!")
else:
# Determine the realm by the serial
realm = get_realms_of_token(serial, only_first_realm=True)
realm = realm or get_default_realm()
if g.logged_in_user.get("role") == ROLE.ADMIN:
pinpol = policy_object.get_policies(action=ACTION.CHANGE_PIN_FIRST_USE,
scope=SCOPE.ENROLL, realm=realm,
client=g.client_ip, active=True)
if pinpol:
token = get_tokens(serial=serial)[0]
token.set_next_pin_change(diff="0d")
elif g.logged_in_user.get("role") == ROLE.USER:
# Check for parameter "pin" or "otppin".
otppin = request.all_data.get("otppin")
pin = request.all_data.get("pin")
# The user sets a pin or enrolls a token. -> delete the pin_change
if otppin or pin:
token = get_tokens(serial=serial)[0]
token.del_tokeninfo("next_pin_change")
# If there is a change_pin_every policy, we need to set the PIN
# anew.
pinpol = policy_object.get_action_values(
ACTION.CHANGE_PIN_EVERY, scope=SCOPE.ENROLL,
realm=realm, client=g.client_ip, unique=True)
if pinpol:
token = get_tokens(serial=serial)[0]
token.set_next_pin_change(diff=pinpol[0])
# we do not modify the response!
return response
def get_webui_settings(request, response):
"""
This decorator is used in the /auth API to add configuration information
like the logout_time or the policy_template_url to the response.
:param request: flask request object
:param response: flask response object
:return: the response
"""
content = response.json
# check, if the authentication was successful, then we need to do nothing
if content.get("result").get("status") is True:
role = content.get("result").get("value").get("role")
loginname = content.get("result").get("value").get("username")
realm = content.get("result").get("value").get("realm")
realm = realm or get_default_realm()
logout_time_pol = Match.realm(g,
scope=SCOPE.WEBUI,
action=ACTION.LOGOUTTIME,
realm=realm).action_values(unique=True)
timeout_action_pol = Match.realm(
g, scope=SCOPE.WEBUI, action=ACTION.TIMEOUT_ACTION,
realm=realm).action_values(unique=True)
token_page_size_pol = Match.realm(
g, scope=SCOPE.WEBUI, action=ACTION.TOKENPAGESIZE,
realm=realm).action_values(unique=True)
user_page_size_pol = Match.realm(
g, scope=SCOPE.WEBUI, action=ACTION.USERPAGESIZE,
realm=realm).action_values(unique=True)
token_wizard_2nd = (role == ROLE.USER and Match.realm(
g, scope=SCOPE.WEBUI, action=ACTION.TOKENWIZARD2ND,
realm=realm).policies())
token_wizard = False
dialog_no_token = False
if role == ROLE.USER:
user_obj = User(loginname, realm)
user_token_num = get_tokens(user=user_obj, count=True)
token_wizard_pol = Match.user(g,
scope=SCOPE.WEBUI,
action=ACTION.TOKENWIZARD,
user_object=user_obj).any()
# We also need to check, if the user has not tokens assigned.
# If the user has no tokens, we run the wizard. If the user
# already has tokens, we do not run the wizard.
token_wizard = token_wizard_pol and (user_token_num == 0)
dialog_no_token_pol = Match.user(g,
scope=SCOPE.WEBUI,
action=ACTION.DIALOG_NO_TOKEN,
user_object=user_obj).any()
dialog_no_token = dialog_no_token_pol and (user_token_num == 0)
user_details_pol = Match.realm(g,
scope=SCOPE.WEBUI,
action=ACTION.USERDETAILS,
realm=realm).policies()
search_on_enter = Match.realm(g,
scope=SCOPE.WEBUI,
action=ACTION.SEARCH_ON_ENTER,
realm=realm).policies()
hide_welcome = Match.realm(g,
scope=SCOPE.WEBUI,
action=ACTION.HIDE_WELCOME,
realm=realm).any()
hide_buttons = Match.realm(g,
scope=SCOPE.WEBUI,
action=ACTION.HIDE_BUTTONS,
realm=realm).any()
default_tokentype_pol = Match.realm(
g, scope=SCOPE.WEBUI, action=ACTION.DEFAULT_TOKENTYPE,
realm=realm).action_values(unique=True)
show_seed = Match.realm(g,
scope=SCOPE.WEBUI,
action=ACTION.SHOW_SEED,
realm=realm).any()
token_page_size = DEFAULT_PAGE_SIZE
user_page_size = DEFAULT_PAGE_SIZE
default_tokentype = DEFAULT_TOKENTYPE
if len(token_page_size_pol) == 1:
token_page_size = int(list(token_page_size_pol)[0])
if len(user_page_size_pol) == 1:
user_page_size = int(list(user_page_size_pol)[0])
if len(default_tokentype_pol) == 1:
default_tokentype = list(default_tokentype_pol)[0]
logout_time = DEFAULT_LOGOUT_TIME
if len(logout_time_pol) == 1:
logout_time = int(list(logout_time_pol)[0])
timeout_action = DEFAULT_TIMEOUT_ACTION
if len(timeout_action_pol) == 1:
timeout_action = list(timeout_action_pol)[0]
policy_template_url_pol = Match.action_only(
g, scope=SCOPE.WEBUI,
action=ACTION.POLICYTEMPLATEURL).action_values(unique=True)
policy_template_url = DEFAULT_POLICY_TEMPLATE_URL
if len(policy_template_url_pol) == 1:
policy_template_url = list(policy_template_url_pol)[0]
content["result"]["value"]["logout_time"] = logout_time
content["result"]["value"]["token_page_size"] = token_page_size
content["result"]["value"]["user_page_size"] = user_page_size
content["result"]["value"]["policy_template_url"] = policy_template_url
content["result"]["value"]["default_tokentype"] = default_tokentype
content["result"]["value"]["user_details"] = len(user_details_pol) > 0
content["result"]["value"]["token_wizard"] = token_wizard
content["result"]["value"]["token_wizard_2nd"] = token_wizard_2nd
content["result"]["value"]["dialog_no_token"] = dialog_no_token
content["result"]["value"]["search_on_enter"] = len(
search_on_enter) > 0
content["result"]["value"]["timeout_action"] = timeout_action
content["result"]["value"]["hide_welcome"] = hide_welcome
content["result"]["value"]["hide_buttons"] = hide_buttons
content["result"]["value"]["show_seed"] = show_seed
content["result"]["value"][
"subscription_status"] = subscription_status()
response.set_data(json.dumps(content))
return response
def get_auth_token():
"""
This call verifies the credentials of the user and issues an
authentication token, that is used for the later API calls. The
authentication token has a validity, that is usually 1 hour.
:jsonparam username: The username of the user who wants to authenticate to
the API.
:type username: basestring
:jsonparam password: The password/credentials of the user who wants to
authenticate to the API.
:return: A json response with an authentication token, that needs to be
used in any further request.
:status 200: in case of success
:status 401: if authentication fails
**Example Authentication Request**:
.. sourcecode:: http
POST /auth HTTP/1.1
Host: example.com
Accept: application/json
username=admin
password=topsecret
**Example Authentication Response**:
.. sourcecode:: http
HTTP/1.0 200 OK
Content-Length: 354
Content-Type: application/json
{
"id": 1,
"jsonrpc": "2.0",
"result": {
"status": true,
"value": {
"token": "eyJhbGciOiJIUz....jdpn9kIjuGRnGejmbFbM"
}
},
"version": "privacyIDEA unknown"
}
**Response for failed authentication**:
.. sourcecode:: http
HTTP/1.1 401 UNAUTHORIZED
Content-Type: application/json
Content-Length: 203
{
"id": 1,
"jsonrpc": "2.0",
"result": {
"error": {
"code": -401,
"message": "missing Authorization header"
},
"status": false
},
"version": "privacyIDEA unknown",
"config": {
"logout_time": 30
}
}
"""
validity = timedelta(hours=1)
username = request.all_data.get("username")
password = request.all_data.get("password")
realm = ""
secret = current_app.secret_key
# This is the default role for the logged in user.
# The role privileges may be risen to "admin"
role = ROLE.USER
# The way the user authenticated. This could be
# "password" = The admin user DB or the user store
# "pi" = The admin or the user is authenticated against privacyIDEA
authtype = "password"
if username is None:
raise AuthError("Authentication failure",
"missing Username",
status=401)
# Verify the password
admin_auth = False
user_auth = False
if verify_db_admin(username, password):
role = ROLE.ADMIN
admin_auth = True
if not admin_auth:
# The user could not be identified against the admin database,
# so we do the rest of the check
username, realm = split_user(username)
realm = realm or get_default_realm()
user_obj = User(username, realm)
options = {"g": g,
"clientip": request.remote_addr}
transaction_id = getParam(request.all_data, "transaction_id")
state = getParam(request.all_data, "state")
if transaction_id:
options["transaction_id"] = transaction_id
if state:
options["state"] = state
superuser_realms = current_app.config.get("SUPERUSER_REALM", [])
user_auth, role, details = check_webui_user(user_obj,
password,
options=options,
superuser_realms=
superuser_realms)
# The details with the transaction_id are raised with the AuthError
details = details or {}
if not admin_auth and not user_auth:
raise AuthError("Authentication failure",
"Wrong credentials", status=401,
details=details)
# Add the role to the JWT, so that we can verify it internally
# Add the authtype to the JWT, so that we could use it for access
# definitions
token = jwt.encode({"username": username,
"realm": realm,
"nonce": geturandom(hex=True),
"role": role,
"authtype": authtype,
"exp": datetime.utcnow() + validity,
"rights": "TODO"},
secret)
g.audit_object.log({"success": True,
"administrator": username,
"jwt_token": token})
# Add the role to the response, so that the WebUI can make decisions
# based on this (only show selfservice, not the admin part)
return send_result({"token": token,
"role": role,
"username": username,
"realm": realm,
"rights": "TODO"})
def get_webui_settings(request, response):
"""
This decorator is used in the /auth API to add configuration information
like the logout_time or the policy_template_url to the response.
:param request: flask request object
:param response: flask response object
:return: the response
"""
content = json.loads(response.data)
# check, if the authentication was successful, then we need to do nothing
if content.get("result").get("status") is True:
_role = content.get("result").get("value").get("role")
username = content.get("result").get("value").get("username")
# get the realm
_loginname, realm = split_user(username)
if not realm:
realm = get_default_realm()
policy_object = g.policy_object
try:
client = request.remote_addr
except Exception:
client = None
logout_time_pol = policy_object.get_action_values(
action=ACTION.LOGOUTTIME,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
unique=True)
token_page_size_pol = policy_object.get_action_values(
action=ACTION.TOKENPAGESIZE,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
unique=True)
user_page_size_pol = policy_object.get_action_values(
action=ACTION.USERPAGESIZE,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
unique=True)
user_details_pol = policy_object.get_policies(
action=ACTION.USERDETAILS,
scope=SCOPE.WEBUI,
realm=realm,
client=client)
default_tokentype_pol = policy_object.get_action_values(
action=ACTION.DEFAULT_TOKENTYPE,
scope=SCOPE.WEBUI,
realm=realm,
client=client,
unique=True)
token_page_size = DEFAULT_PAGE_SIZE
user_page_size = DEFAULT_PAGE_SIZE
default_tokentype = DEFAULT_TOKENTYPE
if len(token_page_size_pol) == 1:
token_page_size = int(token_page_size_pol[0])
if len(user_page_size_pol) == 1:
user_page_size = int(user_page_size_pol[0])
if len(default_tokentype_pol) == 1:
default_tokentype = default_tokentype_pol[0]
logout_time = DEFAULT_LOGOUT_TIME
if len(logout_time_pol) == 1:
logout_time = int(logout_time_pol[0])
policy_template_url_pol = policy_object.get_action_values(
action=ACTION.POLICYTEMPLATEURL,
scope=SCOPE.WEBUI,
client=client,
unique=True)
policy_template_url = DEFAULT_POLICY_TEMPLATE_URL
if len(policy_template_url_pol) == 1:
policy_template_url = policy_template_url_pol[0]
content["result"]["value"]["logout_time"] = logout_time
content["result"]["value"]["token_page_size"] = token_page_size
content["result"]["value"]["user_page_size"] = user_page_size
content["result"]["value"]["policy_template_url"] = policy_template_url
content["result"]["value"]["default_tokentype"] = default_tokentype
content["result"]["value"]["user_details"] = len(user_details_pol) > 0
response.data = json.dumps(content)
return response
