def check(self):
'''
This function is used to validate the username and the otp value/password.
method:
validate/check
arguments:
* user: The username or loginname
* pass: The password that consist of a possible fixed password component and the OTP value
* realm (optional): An optional realm to match the user to a useridresolver
* challenge (optional): optional challenge + otp verification for challenge response token. This indicates, that tis request is a challenge request.
* data (optional): optional challenge + otp verification for challenge response token. This indicates, that tis request is a challenge request.
* state (optional): The optional id to respond to a previous challenge.
* transactionid (optional): The optional id to respond to a previous challenge.
returns:
JSON response::
{
"version": "LinOTP 2.4",
"jsonrpc": "2.0",
"result": {
"status": true,
"value": false
},
"id": 0
}
If ``status`` is ``true`` the request was handled successfully.
If ``value`` is ``true`` the user was authenticated successfully.
'''
param = self.request_params.copy()
ok = False
opt = None
try:
# prevent the detection if a user exist
# by sending a request w.o. pass parameter
try:
(ok, opt) = self._check(param)
except (AuthorizeException, ParameterError) as exx:
log.warning(
"[check] authorization failed for validate/check: %r" %
exx)
c.audit['success'] = False
c.audit['info'] = unicode(exx)
ok = False
if is_auth_return(ok):
if opt is None:
opt = {}
opt['error'] = c.audit.get('info')
Session.commit()
qr = param.get('qr', None)
if qr and opt and 'message' in opt:
try:
dataobj = opt.get('message')
param['alt'] = "%s" % opt
if 'transactionid' in opt:
param['transactionid'] = opt['transactionid']
return sendQRImageResult(response, dataobj, param)
except Exception as exc:
log.warning("failed to send QRImage: %r " % exc)
return sendQRImageResult(response, opt, param)
else:
return sendResult(response, ok, 0, opt=opt)
except Exception as exx:
log.exception("[check] validate/check failed: %r" % exx)
# If an internal error occurs or the SMS gateway did not send the SMS, we write this to the detail info.
c.audit['info'] = "%r" % exx
Session.rollback()
return sendResult(response, False, 0)
finally:
Session.close()
def _check(self, param):
'''
basic check function, that can be used by different controllers
:param param: dict of all caller parameters
:type param: dict
:return: Tuple of True or False and opt
:rtype: Tuple(boolean, opt)
'''
opt = None
options = {}
# put everything in the options but the user, pass, init
options.update(param)
for para in ["pass", "user", "init"]:
if options.has_key(para):
del options[para]
passw = param.get("pass")
user = getUserFromParam(param)
# support for ocra application challenge verification
challenge = param.get("challenge")
if challenge is not None:
options = {}
options['challenge'] = challenge
c.audit['user'] = user.login
realm = user.realm or getDefaultRealm()
c.audit['realm'] = realm
# AUTHORIZATION Pre Check
# we need to overwrite the user.realm in case the
# user does not exist in the original realm (setrealm-policy)
user.realm = set_realm(user.login, realm, exception=True)
check_user_authorization(user.login, user.realm, exception=True)
if isSelfTest() is True:
initTime = param.get("init")
if initTime is not None:
if options is None:
options = {}
options['initTime'] = initTime
vh = ValidationHandler()
(ok, opt) = vh.checkUserPass(user, passw, options=options)
c.audit.update(request_context.get('audit'))
c.audit['success'] = ok
if ok:
# AUTHORIZATION post check
check_auth_tokentype(c.audit['serial'], exception=True, user=user)
check_auth_serial(c.audit['serial'], exception=True, user=user)
# add additional details
if is_auth_return(ok, user=user):
if opt is None:
opt = {}
if ok:
opt['realm'] = c.audit.get('realm')
opt['user'] = c.audit.get('user')
opt['tokentype'] = c.audit.get('token_type')
opt['serial'] = c.audit.get('serial')
else:
opt['error'] = c.audit.get('action_detail')
return (ok, opt)
def check(self):
'''
This function is used to validate the username and the otp value/password.
method:
validate/check
arguments:
* user: The username or loginname
* pass: The password that consist of a possible fixed password component and the OTP value
* realm (optional): An optional realm to match the user to a useridresolver
* challenge (optional): optional challenge + otp verification for challenge response token. This indicates, that tis request is a challenge request.
* data (optional): optional challenge + otp verification for challenge response token. This indicates, that tis request is a challenge request.
* state (optional): The optional id to respond to a previous challenge.
* transactionid (optional): The optional id to respond to a previous challenge.
returns:
JSON response::
{
"version": "LinOTP 2.4",
"jsonrpc": "2.0",
"result": {
"status": true,
"value": false
},
"id": 0
}
If ``status`` is ``true`` the request was handled successfully.
If ``value`` is ``true`` the user was authenticated successfully.
'''
param = {}
ok = False
opt = None
try:
param.update(request.params)
# prevent the detection if a user exist
# by sending a request w.o. pass parameter
try:
(ok, opt) = self._check(param)
except (AuthorizeException, ParameterError) as exx:
log.warning("[check] authorization failed for validate/check: %r"
% exx)
c.audit['success'] = False
c.audit['info'] = unicode(exx)
ok = False
if is_auth_return(ok):
if opt is None:
opt = {}
opt['error'] = c.audit.get('info')
Session.commit()
qr = param.get('qr', None)
if qr and opt and 'message' in opt:
try:
dataobj = opt.get('message')
param['alt'] = "%s" % opt
if 'transactionid' in opt:
param['transactionid'] = opt['transactionid']
return sendQRImageResult(response, dataobj, param)
except Exception as exc:
log.warning("failed to send QRImage: %r " % exc)
return sendQRImageResult(response, opt, param)
else:
return sendResult(response, ok, 0, opt=opt)
except Exception as exx:
log.exception("[check] validate/check failed: %r" % exx)
# If an internal error occurs or the SMS gateway did not send the SMS, we write this to the detail info.
c.audit['info'] = unicode(exx)
Session.rollback()
return sendResult(response, False, 0)
finally:
Session.close()
log.debug('[check] done')
def _check(self, param):
'''
basic check function, that can be used by different controllers
:param param: dict of all caller parameters
:type param: dict
:return: Tuple of True or False and opt
:rtype: Tuple(boolean, opt)
'''
opt = None
options = {}
## put everythin in the options but the user, pass, init
options.update(param)
for para in ["pass", "user", "init"]:
if options.has_key(para):
del options[para]
passw = getParam(param, "pass", optional)
user = getUserFromParam(param, optional)
# support for ocra application challenge verification
challenge = getParam(param, "challenge", optional)
if challenge is not None:
options = {}
options['challenge'] = challenge
c.audit['user'] = user.login
realm = user.realm or getDefaultRealm()
c.audit['realm'] = realm
# AUTHORIZATION Pre Check
# we need to overwrite the user.realm in case the user does not exist in the original realm (setrealm-policy)
user.realm = set_realm(user.login, realm, exception=True)
check_user_authorization(user.login, user.realm, exception=True)
if isSelfTest() is True:
initTime = getParam(param, "init", optional)
if initTime is not None:
if options is None:
options = {}
options['initTime'] = initTime
vh = ValidationHandler()
(ok, opt) = vh.checkUserPass(user, passw, options=options)
c.audit.update(request_context.get('audit'))
c.audit['success'] = ok
if ok:
# AUTHORIZATION post check
check_auth_tokentype(c.audit['serial'], exception=True, user=user)
check_auth_serial(c.audit['serial'], exception=True, user=user)
# add additional details
if is_auth_return(ok, user=user):
if opt is None:
opt = {}
if ok:
opt['realm'] = c.audit.get('realm')
opt['user'] = c.audit.get('user')
opt['tokentype'] = c.audit.get('token_type')
opt['serial'] = c.audit.get('serial')
else:
opt['error'] = c.audit.get('action_detail')
return (ok, opt)
def check(self):
"""
This function is used to validate the username and the otp value/password.
method:
validate/check
arguments:
* user: The username or loginname
* pass: The password that consist of a possible fixed password component and the OTP value
* realm (optional): The realm to be used to match the user to a useridresolver
* challenge (optional): This param indicates, that this request is a challenge request.
* data (optional): Data to use to generate a challenge
* state (optional): A state id of an existing challenge to respond to
* transactionid (optional): A transaction id of an existing challenge to respond to
* serial (optional): Serial of a token to use instead of the matching tokens found for the given user and pass
returns:
JSON response::
{
"version": "LinOTP 2.4",
"jsonrpc": "2.0",
"result": {
"status": true,
"value": false
},
"id": 0
}
If ``status`` is ``true`` the request was handled successfully.
If ``value`` is ``true`` the user was authenticated successfully.
"""
param = self.request_params.copy()
ok = False
opt = None
try:
# prevent the detection if a user exist
# by sending a request w.o. pass parameter
try:
(ok, opt) = self._check(param)
except (AuthorizeException, ParameterError) as exx:
log.warning(
"[check] authorization failed for validate/check: %r", exx
)
g.audit["success"] = False
g.audit["info"] = str(exx)
ok = False
if is_auth_return(ok):
if opt is None:
opt = {}
opt["error"] = g.audit.get("info")
db.session.commit()
qr = param.get("qr", None)
if qr and opt and "message" in opt:
try:
dataobj = opt.get("message")
param["alt"] = "%s" % opt
if "transactionid" in opt:
param["transactionid"] = opt["transactionid"]
return sendQRImageResult(response, dataobj, param)
except Exception as exc:
log.warning("failed to send QRImage: %r ", exc)
return sendQRImageResult(response, opt, param)
else:
return sendResult(response, ok, 0, opt=opt)
except Exception as exx:
log.error("[check] validate/check failed: %r", exx)
# If an internal error occurs or the SMS gateway did not send the
# SMS, we write this to the detail info.
g.audit["info"] = "%r" % exx
db.session.rollback()
return sendResult(response, False, 0)
finally:
db.session.close()
def _check(self, param):
"""
basic check function, that can be used by different controllers
:param param: dict of all caller parameters
:type param: dict
:return: Tuple of True or False and opt
:rtype: Tuple(boolean, opt)
"""
opt = None
options = {}
# put everything in the options but the user, pass, init
options.update(param)
for para in ["pass", "user", "init"]:
if para in options:
del options[para]
passw = param.get("pass")
user = getUserFromParam(param)
# support for challenge verification
challenge = param.get("challenge")
if challenge is not None:
options = {}
options["challenge"] = challenge
g.audit["user"] = user.login
realm = user.realm or getDefaultRealm()
g.audit["realm"] = realm
# AUTHORIZATION Pre Check
# we need to overwrite the user.realm in case the
# user does not exist in the original realm (setrealm-policy)
user.realm = set_realm(user.login, realm, exception=True)
check_user_authorization(user.login, user.realm, exception=True)
vh = ValidationHandler()
(ok, opt) = vh.checkUserPass(user, passw, options=options)
g.audit.update(request_context.get("audit", {}))
g.audit["success"] = ok
if ok:
# AUTHORIZATION post check
check_auth_tokentype(g.audit["serial"], exception=True, user=user)
check_auth_serial(g.audit["serial"], exception=True, user=user)
# add additional details
if is_auth_return(ok, user=user):
if opt is None:
opt = {}
if ok:
opt["realm"] = g.audit.get("realm")
opt["user"] = g.audit.get("user")
opt["tokentype"] = g.audit.get("token_type")
opt["serial"] = g.audit.get("serial")
else:
opt["error"] = g.audit.get("action_detail")
return (ok, opt)
