Пример #1
0
def main():
    from privacyidea.app import create_app
    from privacyidea.lib.token import get_tokens, unassign_token, assign_token
    from privacyidea.lib.user import User

    app = create_app(config_name="production",
                     config_file=PI_CONFIG,
                     silent=True)
    with app.app_context():
        tokens = get_tokens(resolver=FROM_RESOLVER)
        for token in tokens:
            user = token.user
            # find user in other resolver
            if user.exist():
                other_user = User(user.login,
                                  resolver=TO_RESOLVER,
                                  realm=MIGRATE_REALM)
                if other_user.exist():
                    print('{0!s}: {1!s} -> {2!s}'.format(
                        token.get_serial(), user, other_user))
                    unassign_token(token.get_serial())
                    token.add_user(other_user)
                else:
                    print(
                        '{0!s}: {1!s} -> Could not find user with login {2!s} '
                        'in resolver {3!s}'.format(token.get_serial(), user,
                                                   user.login, TO_RESOLVER))
            else:
                print('{0!s}: Could not find user for token in resolver '
                      '{1!s}'.format(token.get_serial(), FROM_RESOLVER))
Пример #2
0
    def _get_tokenowner(request):
        user = request.User
        serial = request.all_data.get("serial")
        if user.is_empty() and serial:
            # maybe the user is empty, but a serial was passed.
            # Then we determine the user by the serial
            try:
                user = get_token_owner(serial) or User()
            except Exception as exx:
                user = User()
                # This can happen for orphaned tokens.
                log.info("Could not determine tokenowner for {0!s}. Maybe the "
                         "user does not exist anymore.".format(serial))
                log.debug(exx)
        # If the user does not exist, we set an empty user
        if not user.exist():
            user = User()

        return user
Пример #3
0
def assign_user(resolver, realm, username, email, givenname, surname, serial, pin):
    app = create_app(config_name="production",
                     config_file="/etc/privacyidea/pi.cfg",
                     silent=True)

    with app.app_context():
        # User operations
        try:
            print("+ Processing user {0!s} in {1!s}/{2!s}.".format(username, resolver, realm))
            user_obj = User(username, realm, resolver=resolver)
        except UserError as err:
            sys.stderr.write(" +-- Failed finding user: {0!s}.\n".format(err))
            return

        if not user_obj.exist():
            print(" +- Creating user {0!s} in {1!s}/{2!s}.".format(username, resolver, realm))
            try:
                create_user(resolver, {"username": username,
                                       "email": email,
                                       "givenname": givenname,
                                       "surname": surname}, password="")
                user_obj = User(username, realm, resolver=resolver)
            except UserError as err:
                sys.stderr.write("+-- Failed to create user: {0!s}.\n".format(err))
                return
            except Exception as err:
                sys.stderr.write("+-- Failed to create user: {0!s}.\n".format(err))
                return

        # Token operations
        try:
            print(" +- Processing token {0!s}".format(serial))
            t = assign_token(serial, user_obj, pin)
            print(" +-- Assigned token to user {0!s}.".format(user_obj))
        except TokenAdminError as err:
            sys.stderr.write(" +-- Failed assigning token {0!s}: {1!s}.\n".format(serial, err))
        except ResourceNotFoundError as err:
            sys.stderr.write(" +-- Failed assigning token {0!s}: {1!s}.\n".format(serial, err))
Пример #4
0
def get_auth_token():
    """
    This call verifies the credentials of the user and issues an
    authentication token, that is used for the later API calls. The
    authentication token has a validity, that is usually 1 hour.

    :jsonparam username: The username of the user who wants to authenticate to
        the API.
    :jsonparam password: The password/credentials of the user who wants to
        authenticate to the API.

    :return: A json response with an authentication token, that needs to be
        used in any further request.

    :status 200: in case of success
    :status 401: if authentication fails

    **Example Authentication Request**:

    .. sourcecode:: http

       POST /auth HTTP/1.1
       Host: example.com
       Accept: application/json

       username=admin
       password=topsecret

    **Example Authentication Response**:

    .. sourcecode:: http

       HTTP/1.0 200 OK
       Content-Length: 354
       Content-Type: application/json

       {
            "id": 1,
            "jsonrpc": "2.0",
            "result": {
                "status": true,
                "value": {
                    "token": "eyJhbGciOiJIUz....jdpn9kIjuGRnGejmbFbM"
                }
            },
            "version": "privacyIDEA unknown"
       }

    **Response for failed authentication**:

    .. sourcecode:: http

       HTTP/1.1 401 UNAUTHORIZED
       Content-Type: application/json
       Content-Length: 203

       {
          "id": 1,
          "jsonrpc": "2.0",
          "result": {
            "error": {
              "code": -401,
              "message": "missing Authorization header"
            },
            "status": false
          },
          "version": "privacyIDEA unknown",
          "config": {
            "logout_time": 30
          }
       }

    """
    validity = timedelta(hours=1)
    username = getParam(request.all_data, "username")
    password = getParam(request.all_data, "password")
    realm = getParam(request.all_data, "realm")
    details = {}

    if username is None:
        raise AuthError(_("Authentication failure. Missing Username"),
                        id=ERROR.AUTHENTICATE_MISSING_USERNAME)

    if realm:
        username = username + "@" + realm

    # Failsafe to have the user attempt in the log, whatever happens
    # This can be overwritten later
    g.audit_object.log({"user": username, "realm": realm})

    secret = current_app.secret_key
    superuser_realms = current_app.config.get("SUPERUSER_REALM", [])
    # This is the default role for the logged in user.
    # The role privileges may be risen to "admin"
    role = ROLE.USER
    # The way the user authenticated. This could be
    # "password" = The admin user DB or the user store
    # "pi" = The admin or the user is authenticated against privacyIDEA
    # "remote_user" = authenticated by webserver
    authtype = "password"
    # Verify the password
    admin_auth = False
    user_auth = False

    loginname, realm = split_user(username)
    realm = realm or get_default_realm()

    user_obj = User()

    # Check if the remote user is allowed
    if (request.remote_user == username) and is_remote_user_allowed(request):
        # Authenticated by the Web Server
        # Check if the username exists
        # 1. in local admins
        # 2. in a realm
        # 2a. is an admin realm
        authtype = "remote_user "
        if db_admin_exist(username):
            role = ROLE.ADMIN
            admin_auth = True
            g.audit_object.log({
                "success": True,
                "user": "",
                "administrator": username,
                "info": "internal admin"
            })
        else:
            # check, if the user exists
            user_obj = User(loginname, realm)
            g.audit_object.log({
                "user": user_obj.login,
                "realm": user_obj.realm,
                "info": log_used_user(user_obj)
            })
            if user_obj.exist():
                user_auth = True
                if user_obj.realm in superuser_realms:
                    role = ROLE.ADMIN
                    admin_auth = True

    elif verify_db_admin(username, password):
        role = ROLE.ADMIN
        admin_auth = True
        # This admin is not in the default realm!
        realm = ""
        g.audit_object.log({
            "success": True,
            "user": "",
            "administrator": username,
            "info": "internal admin"
        })

    else:
        # The user could not be identified against the admin database,
        # so we do the rest of the check
        options = {"g": g, "clientip": g.client_ip}
        for key, value in request.all_data.items():
            if value and key not in ["g", "clientip"]:
                options[key] = value
        user_obj = User(loginname, realm)
        user_auth, role, details = check_webui_user(
            user_obj,
            password,
            options=options,
            superuser_realms=superuser_realms)
        details = details or {}
        if role == ROLE.ADMIN:
            g.audit_object.log({
                "user":
                "",
                "administrator":
                user_obj.login,
                "realm":
                user_obj.realm,
                "resolver":
                user_obj.resolver,
                "serial":
                details.get('serial', None),
                "info":
                u"{0!s}|loginmode={1!s}".format(log_used_user(user_obj),
                                                details.get("loginmode"))
            })
        else:
            g.audit_object.log({
                "user":
                user_obj.login,
                "realm":
                user_obj.realm,
                "resolver":
                user_obj.resolver,
                "serial":
                details.get('serial', None),
                "info":
                u"{0!s}|loginmode={1!s}".format(log_used_user(user_obj),
                                                details.get("loginmode"))
            })

    if not admin_auth and not user_auth:
        raise AuthError(_("Authentication failure. Wrong credentials"),
                        id=ERROR.AUTHENTICATE_WRONG_CREDENTIALS,
                        details=details or {})
    else:
        g.audit_object.log({"success": True})
        request.User = user_obj

    # If the HSM is not ready, we need to create the nonce in another way!
    hsm = init_hsm()
    if hsm.is_ready:
        nonce = geturandom(hex=True)
        # Add the role to the JWT, so that we can verify it internally
        # Add the authtype to the JWT, so that we could use it for access
        # definitions
        rights = g.policy_object.ui_get_rights(role, realm, loginname,
                                               g.client_ip)
        menus = g.policy_object.ui_get_main_menus(
            {
                "username": loginname,
                "role": role,
                "realm": realm
            }, g.client_ip)
    else:
        import os
        nonce = hexlify_and_unicode(os.urandom(20))
        rights = []
        menus = []

    # What is the log level?
    log_level = current_app.config.get("PI_LOGLEVEL", 30)

    token = jwt.encode(
        {
            "username": loginname,
            "realm": realm,
            "nonce": nonce,
            "role": role,
            "authtype": authtype,
            "exp": datetime.utcnow() + validity,
            "rights": rights
        },
        secret,
        algorithm='HS256').decode('utf8')

    # Add the role to the response, so that the WebUI can make decisions
    # based on this (only show selfservice, not the admin part)
    return send_result(
        {
            "token": token,
            "role": role,
            "username": loginname,
            "realm": realm,
            "log_level": log_level,
            "rights": rights,
            "menus": menus
        },
        details=details)
Пример #5
0
def get_auth_token():
    """
    This call verifies the credentials of the user and issues an
    authentication token, that is used for the later API calls. The
    authentication token has a validity, that is usually 1 hour.

    :jsonparam username: The username of the user who wants to authenticate to
        the API.
    :jsonparam password: The password/credentials of the user who wants to
        authenticate to the API.

    :return: A json response with an authentication token, that needs to be
        used in any further request.

    :status 200: in case of success
    :status 401: if authentication fails

    **Example Authentication Request**:

    .. sourcecode:: http

       POST /auth HTTP/1.1
       Host: example.com
       Accept: application/json

       username=admin
       password=topsecret

    **Example Authentication Response**:

    .. sourcecode:: http

       HTTP/1.0 200 OK
       Content-Length: 354
       Content-Type: application/json

       {
            "id": 1,
            "jsonrpc": "2.0",
            "result": {
                "status": true,
                "value": {
                    "token": "eyJhbGciOiJIUz....jdpn9kIjuGRnGejmbFbM"
                }
            },
            "version": "privacyIDEA unknown"
       }

    **Response for failed authentication**:

    .. sourcecode:: http

       HTTP/1.1 401 UNAUTHORIZED
       Content-Type: application/json
       Content-Length: 203

       {
          "id": 1,
          "jsonrpc": "2.0",
          "result": {
            "error": {
              "code": -401,
              "message": "missing Authorization header"
            },
            "status": false
          },
          "version": "privacyIDEA unknown",
          "config": {
            "logout_time": 30
          }
       }

    """
    validity = timedelta(hours=1)
    username = request.all_data.get("username")
    password = request.all_data.get("password")
    realm = request.all_data.get("realm")
    details = {}
    if realm:
        username = username + "@" + realm

    g.audit_object.log({"user": username})

    secret = current_app.secret_key
    superuser_realms = current_app.config.get("SUPERUSER_REALM", [])
    # This is the default role for the logged in user.
    # The role privileges may be risen to "admin"
    role = ROLE.USER
    # The way the user authenticated. This could be
    # "password" = The admin user DB or the user store
    # "pi" = The admin or the user is authenticated against privacyIDEA
    # "remote_user" = authenticated by webserver
    authtype = "password"
    if username is None:
        raise AuthError("Authentication failure",
                        "missing Username",
                        status=401)
    # Verify the password
    admin_auth = False
    user_auth = False

    loginname, realm = split_user(username)
    realm = realm or get_default_realm()

    # Check if the remote user is allowed
    if (request.remote_user == username) and is_remote_user_allowed(request):
        # Authenticated by the Web Server
        # Check if the username exists
        # 1. in local admins
        # 2. in a realm
        # 2a. is an admin realm
        authtype = "remote_user "
        if db_admin_exist(username):
            role = ROLE.ADMIN
            admin_auth = True
            g.audit_object.log({"success": True,
                                "user": "",
                                "administrator": username,
                                "info": "internal admin"})
        else:
            # check, if the user exists
            user_obj = User(loginname, realm)
            if user_obj.exist():
                user_auth = True
                if user_obj.realm in superuser_realms:
                    role = ROLE.ADMIN
                    admin_auth = True

    elif verify_db_admin(username, password):
        role = ROLE.ADMIN
        admin_auth = True
        # This admin is not in the default realm!
        realm = ""
        g.audit_object.log({"success": True,
                            "user": "",
                            "administrator": username,
                            "info": "internal admin"})

    else:
        # The user could not be identified against the admin database,
        # so we do the rest of the check
        options = {"g": g,
                   "clientip": g.client_ip}
        for key, value in request.all_data.items():
            if value and key not in ["g", "clientip"]:
                options[key] = value
        user_obj = User(loginname, realm)
        user_auth, role, details = check_webui_user(user_obj,
                                                    password,
                                                    options=options,
                                                    superuser_realms=
                                                    superuser_realms)
        if role == ROLE.ADMIN:
            g.audit_object.log({"user": "",
                                "administrator": username})

    if not admin_auth and not user_auth:
        raise AuthError("Authentication failure",
                        "Wrong credentials", status=401,
                        details=details or {})
    else:
        g.audit_object.log({"success": True})

    # If the HSM is not ready, we need to create the nonce in another way!
    hsm = init_hsm()
    if hsm.is_ready:
        nonce = geturandom(hex=True)
        # Add the role to the JWT, so that we can verify it internally
        # Add the authtype to the JWT, so that we could use it for access
        # definitions
        rights = g.policy_object.ui_get_rights(role, realm, loginname,
                                               g.client_ip)
    else:
        import os
        import binascii
        nonce = binascii.hexlify(os.urandom(20))
        rights = []

    # What is the log level?
    log_level = current_app.config.get("PI_LOGLEVEL", 30)

    token = jwt.encode({"username": loginname,
                        "realm": realm,
                        "nonce": nonce,
                        "role": role,
                        "authtype": authtype,
                        "exp": datetime.utcnow() + validity,
                        "rights": rights},
                       secret)

    # Add the role to the response, so that the WebUI can make decisions
    # based on this (only show selfservice, not the admin part)
    return send_result({"token": token,
                        "role": role,
                        "username": loginname,
                        "realm": realm,
                        "log_level": log_level,
                        "rights": rights},
                       details=details)
Пример #6
0
 def test_15_user_exist(self):
     root = User("root", resolver=self.resolvername1, realm=self.realm1)
     self.assertTrue(root.exist())
Пример #7
0
 def test_15_user_exist(self):
     root = User("root", resolver=self.resolvername1, realm=self.realm1)
     self.assertTrue(root.exist())
Пример #8
0
def register_post():
    """
    Register a new user in the realm/userresolver. To do so, the user
    resolver must be writeable like an SQLResolver.

    Registering a user in fact creates a new user and also creates the first
    token for the user. The following values are needed to register the user:

    * username (mandatory)
    * givenname (mandatory)
    * surname (mandatory)
    * email address (mandatory)
    * password (mandatory)
    * mobile phone (optional)
    * telephone (optional)

    The user receives a registration token via email to be able to login with
    his self chosen password and the registration token.

    :jsonparam username: The login name of the new user. Check if it already
        exists
    :jsonparam givenname: The givenname of the new user
    :jsonparam surname: The surname of the new user
    :jsonparam email: The email address of the new user
    :jsonparam password: The password of the new user. This is the resolver
        password of the new user.
    :jsonparam mobile: The mobile phone number
    :jsonparam phone: The phone number (land line) of the new user

    :return: a json result with a boolean "result": true
    """
    username = getParam(request.all_data, "username", required)
    surname = getParam(request.all_data, "surname", required)
    givenname = getParam(request.all_data, "givenname", required)
    email = getParam(request.all_data, "email", required)
    password = getParam(request.all_data, "password", required)
    mobile = getParam(request.all_data, "mobile")
    phone = getParam(request.all_data, "phone")
    options = {"g": g, "clientip": request.remote_addr}
    g.audit_object.log({"info": username})
    # Add all params to the options
    for key, value in request.all_data.items():
        if value and key not in ["g", "clientip"]:
            options[key] = value

    # 1. determine, in which resolver/realm the user should be created
    realm = g.policy_object.get_action_values(ACTION.REALM,
                                              scope=SCOPE.REGISTER,
                                              unique=True)
    if not realm:
        # No policy for realm, so we use the default realm
        realm = get_default_realm
    else:
        # we use the first realm in the list
        realm = realm[0]
    resolvername = g.policy_object.get_action_values(ACTION.RESOLVER,
                                                     scope=SCOPE.REGISTER,
                                                     unique=True)
    if not resolvername:
        raise RegistrationError("No resolver specified to register in!")
    resolvername = resolvername[0]
    # Check if the user exists
    user = User(username, realm=realm, resolver=resolvername)
    if user.exist():
        raise RegistrationError("The username is already registered!")
    # Create user
    uid = create_user(
        resolvername, {
            "username": username,
            "email": email,
            "phone": phone,
            "mobile": mobile,
            "surname": surname,
            "givenname": givenname,
            "password": password
        })

    # 3. create a registration token for this user
    user = User(username, realm=realm, resolver=resolvername)
    token = init_token({"type": "registration"}, user=user)
    # 4. send the registration token to the users email
    registration_key = token.init_details.get("otpkey")
    smtpconfig = g.policy_object.get_action_values(ACTION.EMAILCONFIG,
                                                   scope=SCOPE.REGISTER,
                                                   unique=True)
    if not smtpconfig:
        raise RegistrationError("No SMTP server configuration specified!")
    smtpconfig = smtpconfig[0]
    # Send the registration key via email
    r = send_email_identifier(
        smtpconfig, email, "Your privacyIDEA registration",
        "Your registration token is %s" % registration_key)
    log.debug("Registration email sent to %s" % email)

    g.audit_object.log({"success": r})
    return send_result(r)
Пример #9
0
def create_token(resolver, realm, tokentype, username, email, givenname,
                 surname, pin):
    app = create_app(config_name="production",
                     config_file="/etc/privacyidea/pi.cfg",
                     silent=True)

    with app.app_context():
        # User operations
        try:
            print("+ Processing user {0!s} in {1!s}/{2!s}.".format(
                username, resolver, realm))
            user_obj = User(username, realm, resolver=resolver)
        except UserError as err:
            sys.stderr.write(" +-- Failed finding user: {0!s}.\n".format(err))
            return

        if not user_obj.exist():
            print(" +- Creating user {0!s} in {1!s}/{2!s}.".format(
                username, resolver, realm))
            try:
                create_user(resolver, {
                    "username": username,
                    "email": email,
                    "givenname": givenname,
                    "surname": surname
                },
                            password="")
            except UserError as err:
                sys.stderr.write(
                    " +-- Failed to create user: {0!s}.\n".format(err))
                return
            except Exception as err:
                sys.stderr.write(
                    " +-- Failed to create user: {0!s}.\n".format(err))
                return

        # Token operations
        try:
            params = {}
            params["user"] = username
            params["realm"] = realm
            params["type"] = tokentype
            params["genkey"] = 1
            params["pin"] = pin
            r = requests.post('https://localhost/auth',
                              verify=False,
                              data={
                                  "username": API_USER,
                                  "password": API_PASSWORD
                              })
            authorization = r.json().get("result").get("value").get("token")
            r = requests.post('https://localhost/token/init',
                              verify=False,
                              data=params,
                              headers={"Authorization": authorization})
            result = r.json().get("result")
            detail = r.json().get("detail")
            if not result.get("status"):
                sys.stderr.write(" +-- Failed to create token: {0!s}\n".format(
                    result.get("error", {}).get("message")))
            if result.get("value"):
                print(" +-- Created token {0!s}.".format(detail.get("serial")))
        except Exception as err:
            sys.stderr.write(
                " +-- Failed to communicated to privacyIDEA: {0!s}\n".format(
                    err))
Пример #10
0
def register_post():
    """
    Register a new user in the realm/userresolver. To do so, the user
    resolver must be writeable like an SQLResolver.

    Registering a user in fact creates a new user and also creates the first
    token for the user. The following values are needed to register the user:

    * username (mandatory)
    * givenname (mandatory)
    * surname (mandatory)
    * email address (mandatory)
    * password (mandatory)
    * mobile phone (optional)
    * telephone (optional)

    The user receives a registration token via email to be able to login with
    his self chosen password and the registration token.

    :jsonparam username: The login name of the new user. Check if it already
        exists
    :jsonparam givenname: The givenname of the new user
    :jsonparam surname: The surname of the new user
    :jsonparam email: The email address of the new user
    :jsonparam password: The password of the new user. This is the resolver
        password of the new user.
    :jsonparam mobile: The mobile phone number
    :jsonparam phone: The phone number (land line) of the new user

    :return: a json result with a boolean "result": true
    """
    username = getParam(request.all_data, "username", required)
    surname = getParam(request.all_data, "surname", required)
    givenname = getParam(request.all_data, "givenname", required)
    email = getParam(request.all_data, "email", required)
    password = getParam(request.all_data, "password", required)
    mobile = getParam(request.all_data, "mobile")
    phone = getParam(request.all_data, "phone")
    options = {"g": g,
               "clientip": request.remote_addr}
    g.audit_object.log({"info": username})
    # Add all params to the options
    for key, value in request.all_data.items():
            if value and key not in ["g", "clientip"]:
                options[key] = value

    # 1. determine, in which resolver/realm the user should be created
    realm = g.policy_object.get_action_values(ACTION.REALM,
                                              scope=SCOPE.REGISTER,
                                              unique=True)
    if not realm:
        # No policy for realm, so we use the default realm
        realm = get_default_realm
    else:
        # we use the first realm in the list
        realm = realm[0]
    resolvername = g.policy_object.get_action_values(ACTION.RESOLVER,
                                                     scope=SCOPE.REGISTER,
                                                     unique=True)
    if not resolvername:
        raise RegistrationError("No resolver specified to register in!")
    resolvername = resolvername[0]
    # Check if the user exists
    user = User(username, realm=realm, resolver=resolvername)
    if user.exist():
        raise RegistrationError("The username is already registered!")
    # Create user
    uid = create_user(resolvername, {"username": username,
                                     "email": email,
                                     "phone": phone,
                                     "mobile": mobile,
                                     "surname": surname,
                                     "givenname": givenname,
                                     "password": password})

    # 3. create a registration token for this user
    user = User(username, realm=realm, resolver=resolvername)
    token = init_token({"type": "registration"}, user=user)
    # 4. send the registration token to the users email
    registration_key = token.init_details.get("otpkey")
    smtpconfig = g.policy_object.get_action_values(ACTION.EMAILCONFIG,
                                                   scope=SCOPE.REGISTER,
                                                   unique=True)
    if not smtpconfig:
        raise RegistrationError("No SMTP server configuration specified!")
    smtpconfig = smtpconfig[0]
    # Send the registration key via email
    r = send_email_identifier(smtpconfig, email,
                              "Your privacyIDEA registration",
                              "Your registration token is %s" %
                              registration_key)
    log.debug("Registration email sent to %s" % email)

    g.audit_object.log({"success": r})
    return send_result(r)
Пример #11
0
def assign_user(resolver, realm, username, email, givenname, surname, serial,
                pin, validity, hard_or_soft):
    app = create_app(config_name="production",
                     config_file="/etc/privacyidea/pi.cfg",
                     silent=True)

    with app.app_context():
        # User operations
        try:
            print("+ Processing user {0!s} in {1!s}/{2!s}.".format(
                username, resolver, realm))
            user_obj = User(username, realm, resolver=resolver)
        except UserError as err:
            sys.stderr.write(" +-- Failed finding user: {0!s}.\n".format(err))
            return

        if not user_obj.exist():
            # Create new user
            print(" +- Creating user {0!s} in {1!s}/{2!s}.".format(
                username, resolver, realm))
            try:
                create_user(resolver, {
                    "username": username,
                    "email": email,
                    "givenname": givenname,
                    "surname": surname
                },
                            password="")
                user_obj = User(username, realm, resolver=resolver)
            except UserError as err:
                sys.stderr.write(
                    "+-- Failed to create user: {0!s}.\n".format(err))
                return
            except Exception as err:
                sys.stderr.write(
                    "+-- Failed to create user: {0!s}.\n".format(err))
                return
        else:
            # Update existing user
            print(" +- Updating user {0!s} in {1!s}/{2!s}.".format(
                username, resolver, realm))
            user_obj.update_user_info({
                "email": email,
                "givenname": givenname,
                "surname": surname
            })

        # Token operations

        ## Assign token or create registration code
        if hard_or_soft.strip().upper() == HARDWARE:
            if serial:
                # Assign an existing token
                try:
                    print(" +- Processing token {0!s}".format(serial))
                    t = assign_token(serial, user_obj, pin)
                    print(
                        " +-- Assigned token to user {0!s}.".format(user_obj))
                except TokenAdminError as err:
                    sys.stderr.write(
                        " +-- Failed assigning token {0!s}: {1!s}.\n".format(
                            serial, err))
                except ResourceNotFoundError as err:
                    sys.stderr.write(
                        " +-- Failed assigning token {0!s}: {1!s}.\n".format(
                            serial, err))
            else:
                sys.stderr.write(
                    "+-- User {0!s} is supposed to get a hardware token, but no serial defined!"
                    .format(user_obj))
        elif hard_or_soft.strip().upper() == SOFTWARE:
            # Create a registration code, since no serial number is given
            print(" +- Creating token of type {0!s}.".format(TOKEN_TYPE))
            params = {
                "type": TOKEN_TYPE,
                "genkey": 1,
                "user": user_obj.login,
                "realm": user_obj.realm
            }
            r = requests.post('https://localhost/token/init',
                              verify=False,
                              data=params,
                              headers={"Authorization": get_auth_tok()})
            if not r.json().get("result").get("status"):
                sys.stderr.write(
                    " +-- Failed to create token for user {0!s}.".format(
                        user_obj))
        else:
            sys.stderr.write(
                "+-- Unknown Hard/Soft specifier for user {0!s}: {1!s}".format(
                    user_obj, hard_or_soft))

        # Create RADIUS token with validity period
        print(" +- Creating RADIUS token for user {0!s}.".format(user_obj))
        tok = init_token(
            {
                "type": "radius",
                "radius.identifier": RADIUS_IDENTIFIER,
                "radius.user": user_obj.login
            },
            user=user_obj)
        for k, v in TOKENINFO.items():
            tok.add_tokeninfo(k, v)
        validity_end = datetime.datetime.now() + datetime.timedelta(
            int(validity))
        tok.set_validity_period_end(
            validity_end.strftime("%Y-%m-%d %H:%M:00 CET"))