Пример #1
def check_subscription(application):
    """
    Validate the subscription of the given application.

    Only applications listed in APPLICATIONS are checked; any other name
    passes without a lookup. A failed check is reported by raising
    SubscriptionError, never by returning False.

    :param application: the name of the application to check
    :return: True if no SubscriptionError was raised
    :raises SubscriptionError: if there is no subscription and the free
        allowance is exceeded, if the subscription has expired, or if
        check_signature() rejects the subscription
    """
    app_key = application.lower()
    if app_key not in APPLICATIONS:
        # Applications outside of APPLICATIONS are not subject to a check.
        return True

    found = get_subscription(application) or get_subscription(app_key)

    if len(found) == 0:
        # No subscription on record: compare the number of active, assigned
        # tokens with the allowance stored in APPLICATIONS.
        token_count = get_tokens(assigned=True, active=True, count=True)
        if token_count > APPLICATIONS.get(app_key):
            # NOTE(review): raising is left to raise_exception_probability(),
            # whose decision rule is not visible here. Going by the name the
            # limit is not enforced on every call - confirm.
            if raise_exception_probability():
                raise SubscriptionError(
                    description="No subscription for your client.",
                    application=application)
        return True

    current = found[0]
    if current.get("date_till") < datetime.datetime.now():
        # Expired: this path never reaches check_signature(), so the
        # signature of an expired record is not verified here.
        if raise_exception_probability(current):
            raise SubscriptionError(
                description="Your subscription expired.",
                application=application)
        return True

    # Still within its validity period, so the signature has to match.
    check_signature(current)
    return True
Пример #2
def check_subscription(application):
    """
    Validate the subscription of the given application.

    The check applies to a fixed list of application names only; every
    other application passes. A failed check is reported by raising
    SubscriptionError, never by returning False.

    :param application: the name of the application to check
    :return: True if no SubscriptionError was raised
    :raises SubscriptionError: if a covered application has no subscription,
        if its subscription has expired, or if check_signature() rejects it
    """
    # The lookup runs for every application, covered or not.
    found = get_subscription(application) or get_subscription(
        application.lower())

    covered = [
        "demo_application", "owncloud", "privacyidea-cp", "privacyideacp"
    ]
    if application.lower() not in covered:
        return True

    if len(found) == 0:
        # NOTE(review): raising is left to raise_exception_probability(),
        # whose decision rule is not visible here. Going by the name a
        # missing subscription is not rejected on every call - confirm.
        if raise_exception_probability():
            raise SubscriptionError(
                description="No subscription for your client.",
                application=application)
        return True

    current = found[0]
    if current.get("date_till") < datetime.datetime.now():
        # Expired: this path never reaches check_signature(), so the
        # signature of an expired record is not verified here.
        if raise_exception_probability(current):
            raise SubscriptionError(
                description="Your subscription expired.",
                application=application)
        return True

    # Still within its validity period, so the signature has to match.
    check_signature(current)
    return True
Пример #3
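def check_signature(subscription):
    """
    Verify the vendor signature of a subscription.

    The public key is read from ``<vendor>.pem`` in the directory of the
    PI_ENCFILE setting, where ``<vendor>`` is the first word of the
    ``by_name`` entry of the subscription. On success the ``date_from`` and
    ``date_till`` entries are replaced by datetimes that went through
    SUBSCRIPTION_DATE_FORMAT; on failure the dict is left unchanged.

    :param subscription: The dict of the subscription
    :return: True
    :raises SubscriptionError: if the vendor name is not a plain file name,
        if the verification raises an error or if the signature does not
        match
    """
    vendor = subscription.get("by_name").split()[0]
    # The vendor name comes from the record that is not verified yet and it
    # selects the key this record is verified against. Only a bare file name
    # is accepted, so the key is always looked up inside of dirname.
    if vendor != os.path.basename(vendor):
        log.debug("The vendor name of the subscription is not a plain "
                  "file name.")
        raise SubscriptionError(
            "Verifying the signature of your subscription "
            "failed.",
            application=subscription.get("application"))

    enckey = current_app.config.get("PI_ENCFILE", "/etc/privacyidea/enckey")
    dirname = os.path.dirname(enckey)
    # In dirname we are searching for <vendor>.pem
    filename = "{0!s}/{1!s}.pem".format(dirname, vendor)
    # A missing or unreadable key file is not wrapped: the error of open()
    # reaches the caller as it is.
    with open(filename, "r") as file_handle:
        public = file_handle.read()

    r = False
    try:
        # The signed string contains the dates in SUBSCRIPTION_DATE_FORMAT
        # (this removes the minutes 00:00:00). They are formatted into local
        # variables, so that a failure below does not leave the dict of the
        # caller with strings in place of datetimes.
        date_from = subscription.get("date_from").strftime(
            SUBSCRIPTION_DATE_FORMAT)
        date_till = subscription.get("date_till").strftime(
            SUBSCRIPTION_DATE_FORMAT)
        sign_string = SIGN_FORMAT.format(**dict(subscription,
                                                date_from=date_from,
                                                date_till=date_till))
        RSAkey = RSA.importKey(public)
        hashvalue = SHA256.new(sign_string).digest()
        # A missing signature is replaced by the placeholder "100".
        # long() is a Python 2 builtin.
        signature = long(subscription.get("signature") or "100")
        # NOTE(review): verify() gets the bare SHA-256 digest and the
        # signature as an integer; this function applies no padding scheme.
        # Confirm whether the RSA library adds one, otherwise this is
        # unpadded RSA verification.
        r = RSAkey.verify(hashvalue, (signature, ))
        subscription["date_from"] = datetime.datetime.strptime(
            date_from, SUBSCRIPTION_DATE_FORMAT)
        subscription["date_till"] = datetime.datetime.strptime(
            date_till, SUBSCRIPTION_DATE_FORMAT)
    except Exception:
        # The cause is written to the debug log only; the caller gets the
        # generic message.
        log.debug(traceback.format_exc())
        raise SubscriptionError(
            "Verifying the signature of your subscription "
            "failed.",
            application=subscription.get("application"))

    if not r:
        raise SubscriptionError(
            "Signature of your subscription does not "
            "match.",
            application=subscription.get("application"))

    return r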
Пример #4
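def check_signature(subscription):
    """
    Verify the vendor signature of a subscription.

    The public key is read from ``<vendor>.pem`` in the directory of the
    PI_ENCFILE setting, where ``<vendor>`` is the first word of the
    ``by_name`` entry of the subscription. On success the ``date_from`` and
    ``date_till`` entries are replaced by datetimes that went through
    SUBSCRIPTION_DATE_FORMAT; on failure the dict is left unchanged.

    :param subscription: The dict of the subscription
    :return: True
    :raises SubscriptionError: if the vendor name is not a plain file name,
        if the key file cannot be read, if the verification raises an error
        or if the signature does not match
    """
    vendor = subscription.get("by_name").split()[0]
    # The vendor name comes from the record that is not verified yet and it
    # selects the key this record is verified against. Only a bare file name
    # is accepted, so the key is always looked up inside of dirname.
    if vendor != os.path.basename(vendor):
        log.debug("The vendor name of the subscription is not a plain "
                  "file name.")
        raise SubscriptionError("Verifying the signature of your subscription "
                                "failed.",
                                application=subscription.get("application"))

    enckey = get_app_config_value("PI_ENCFILE", "/etc/privacyidea/enckey")
    dirname = os.path.dirname(enckey)
    # In dirname we are searching for <vendor>.pem
    filename = u"{0!s}/{1!s}.pem".format(dirname, vendor)

    try:
        # The signed string contains the dates in SUBSCRIPTION_DATE_FORMAT
        # (this removes the minutes 00:00:00). They are formatted into local
        # variables, so that a failure below does not leave the dict of the
        # caller with strings in place of datetimes.
        date_from = subscription.get("date_from").strftime(SUBSCRIPTION_DATE_FORMAT)
        date_till = subscription.get("date_till").strftime(SUBSCRIPTION_DATE_FORMAT)
        sign_string = SIGN_FORMAT.format(**dict(subscription,
                                                date_from=date_from,
                                                date_till=date_till))
        with open(filename, 'rb') as key_file:
            # Only the public key is loaded, this object is used to verify.
            sign_obj = Sign(private_key=None, public_key=key_file.read())

        # A subscription without a signature entry gets the placeholder '100'.
        signature = subscription.get('signature', '100')
        # NOTE(review): verify_old_sigs=True presumably also accepts the
        # older signature format - confirm that it is still required, since
        # it keeps that format acceptable for every subscription.
        r = sign_obj.verify(sign_string, signature, verify_old_sigs=True)
        subscription["date_from"] = datetime.datetime.strptime(
            date_from,
            SUBSCRIPTION_DATE_FORMAT)
        subscription["date_till"] = datetime.datetime.strptime(
            date_till,
            SUBSCRIPTION_DATE_FORMAT)
    except Exception as _e:
        # The cause (including a missing key file) is written to the debug
        # log only; the caller gets the generic message.
        log.debug(traceback.format_exc())
        raise SubscriptionError("Verifying the signature of your subscription "
                                "failed.",
                                application=subscription.get("application"))

    if not r:
        raise SubscriptionError("Signature of your subscription does not "
                                "match.",
                                application=subscription.get("application"))

    return r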
Пример #5
def check_subscription(application, max_free_subscriptions=None):
    """
    Validate the subscription of the given application.

    Only applications listed in APPLICATIONS are checked; any other name
    passes without a lookup. A failed check is reported by raising
    SubscriptionError, never by returning False.

    :param application: the name of the application to check
    :param max_free_subscriptions: the maximum number of subscriptions
        without a subscription file. If not given, the default from
        APPLICATIONS is used.
    :return: True if no SubscriptionError was raised
    :raises SubscriptionError: if there is no subscription and the free
        allowance is exceeded, if the subscription has expired, if
        check_signature() rejects it, or if more users have active tokens
        than the subscription covers
    """
    app_key = application.lower()
    if app_key not in APPLICATIONS:
        # Applications outside of APPLICATIONS are not subject to a check.
        return True

    found = get_subscription(application) or get_subscription(app_key)
    # get the number of users with active tokens
    active_users = get_users_with_active_tokens()

    # NOTE(review): every falsy value selects the default, so an explicit
    # max_free_subscriptions=0 is treated like "not given" - confirm that
    # no caller uses 0 to mean "no free subscriptions".
    if max_free_subscriptions:
        allowance = max_free_subscriptions
    else:
        allowance = APPLICATIONS.get(app_key)

    if len(found) == 0:
        # No subscription on record: only the free allowance applies.
        if active_users > allowance:
            raise SubscriptionError(
                description="No subscription for your client.",
                application=application)
        return True

    current = found[0]
    if current.get("date_till") < datetime.datetime.now():
        # Expired: this path never reaches check_signature() and raising is
        # left to raise_exception_probability(), whose decision rule is not
        # visible here.
        if raise_exception_probability(current):
            raise SubscriptionError(
                description="Your subscription expired.",
                application=application)
        return True

    # Still within its validity period, so the signature has to match.
    check_signature(current)
    # num_tokens is read only after the signature check has passed.
    if active_users > current.get("num_tokens"):
        # The subscription is exceeded. This error names "privacyIDEA" and
        # not the application that was passed in.
        raise SubscriptionError(
            description="Too many users with assigned tokens. "
                        "Subscription exceeded.",
            application="privacyIDEA")

    return True