def authenticate(self, username, password, otp=None):
try:
if not username and otp:
user = self._user_for_otp(otp)
else:
user = self.auth.get_user(username)
except Exception as e:
if settings['use_ldap'] and settings['ldap_auto_import'] \
and ldapauth.authenticate(username, password):
user = self.auth.create_user(username, None)
user.attributes['_ldap_auto_imported'] = True
log.info('Auto-created LDAP user: %s', username)
else:
log.info('Authentication failed. No such user: %s', username)
raise e
if user.validate_password(password):
pw = 'valid password' if password else 'None (valid)'
if authenticate_otp(user, otp, password):
log.info(
'Authentication successful. '
'Username: %s, password: <%s>, OTP: %s', username, pw, otp)
return user
else:
pw = 'invalid password' if password else 'None (invalid)'
# Consume the OTP even if the password was incorrect.
if otp:
validate_otp(otp)
log.info(
'Authentication failed. Username: %s, password: <%s>, OTP: %s',
username, pw, otp)
raise ValueError("Invalid credentials!")
def authenticate(self, username, password, otp=None):
try:
if not username and otp:
user = self._user_for_otp(otp)
else:
user = self.auth.get_user(username)
except Exception as e:
if settings['use_ldap'] and settings['ldap_auto_import'] \
and ldapauth.authenticate(username, password):
user = self.auth.create_user(username, None)
user.attributes['_ldap_auto_imported'] = True
log.info('Auto-created LDAP user: %s', username)
else:
log.info('Authentication failed. No such user: %s', username)
raise e
if user.validate_password(password):
pw = 'valid password' if password else 'None (valid)'
if authenticate_otp(user, otp, password):
log.info(
'Authentication successful. '
'Username: %s, password: <%s>, OTP: %s',
username, pw, otp)
return user
else:
pw = 'invalid password' if password else 'None (invalid)'
# Consume the OTP even if the password was incorrect.
if otp:
validate_otp(otp)
log.info(
'Authentication failed. Username: %s, password: <%s>, OTP: %s',
username, pw, otp)
raise ValueError("Invalid credentials!")
def authenticate_otp(user, otp, password=None):
if otp:
if settings['auto_provision'] and len(user.yubikeys) == 0:
if validate_otp(otp):
user.assign_yubikey(otp)
return True
else:
return False
else:
return user.validate_otp(otp, password)
else:
return not requires_otp(user)
def authenticate_otp(user, otp, password=None):
if otp:
if settings['auto_provision'] and len(user.yubikeys) == 0:
if validate_otp(otp):
user.assign_yubikey(otp)
return True
else:
return False
else:
return user.validate_otp(otp, password)
else:
return not requires_otp(user)
def assign_yubikey(self, request, yubikey, password, otp=None):
client = request.environ['yubiauth.client']
user = request.environ['yubiauth.user']
try:
client.authenticate(user.name, password, otp)
prefix = yubikey[:-32]
if not validate_otp(yubikey):
return json_error('Invalid OTP for new YubiKey!')
if not prefix in user.yubikeys:
user.assign_yubikey(prefix)
return json_response(True)
except:
return json_error('Invalid credentials!')
def assign_yubikey(self, request, yubikey, password, otp=None):
client = request.environ['yubiauth.client']
user = request.environ['yubiauth.user']
try:
client.authenticate(user.name, password, otp)
prefix = yubikey[:-32]
if not validate_otp(yubikey):
return json_error('Invalid OTP for new YubiKey!')
if not prefix in user.yubikeys:
user.assign_yubikey(prefix)
return json_response(True)
except:
return json_error('Invalid credentials!')
def yubikey_set_enabled(self, request, yubikey, enabled):
auth_form = ReauthenticateForm(request, yubikey.prefix)
if request.method == 'POST' and auth_form.validate():
user = request.environ['yubiauth.user']
# Validate otp manually as the YubiKey might be disabled
if user.validate_password(auth_form.password.data) and \
validate_otp(auth_form.otp.data):
yubikey.enabled = enabled
return redirect(request, 'yubikey/%s' % yubikey.prefix)
else:
self.add_message('Invalid credentials!', 'error')
return self.render(request, 'reauthenticate', yubikey=yubikey,
fieldsets=[auth_form], target=request.path_info[1:])
def yubikey_set_enabled(self, request, yubikey, enabled):
auth_form = ReauthenticateForm(request, yubikey.prefix)
if request.method == 'POST' and auth_form.validate():
user = request.environ['yubiauth.user']
# Validate otp manually as the YubiKey might be disabled
if user.validate_password(auth_form.password.data) and \
validate_otp(auth_form.otp.data):
yubikey.enabled = enabled
return redirect(request, 'yubikey/%s' % yubikey.prefix)
else:
self.add_message('Invalid credentials!', 'error')
return self.render(request,
'reauthenticate',
yubikey=yubikey,
fieldsets=[auth_form],
target=request.path_info[1:])
def validate_otp(self, otp):
"""
Validates a YubiKey OTP (One Time Password) for the user.
@param otp: The OTP to validate.
@type otp: string
@return: True if the OTP was valid, and from a YubiKey belonging
to the user. False if not.
@rtype: bool
"""
prefix = otp[:-32]
otp_valid = validate_otp(otp)
if prefix in self.yubikeys:
return otp_valid and self.yubikeys[prefix].enabled
return False
def register(self, username, password, otp=None, attributes=None):
if not settings['registration']:
raise ValueError('User registration disabled!')
if attributes is None:
attributes = {}
validate_attributes(self.get_attributes(), attributes)
if otp and not validate_otp(otp):
raise ValueError('Invalid OTP!')
user = self.auth.create_user(username, password)
user.attributes.update(attributes)
if otp:
user.assign_yubikey(otp)
log.info('User %s registered with attributes: %r', username,
attributes)
return user
def register(self, username, password, otp=None, attributes=None):
if not settings['registration']:
raise ValueError('User registration disabled!')
if attributes is None:
attributes = {}
validate_attributes(self.get_attributes(), attributes)
if otp and not validate_otp(otp):
raise ValueError('Invalid OTP!')
user = self.auth.create_user(username, password)
user.attributes.update(attributes)
if otp:
user.assign_yubikey(otp)
log.info('User %s registered with attributes: %r', username,
attributes)
return user
def validate_otp(self, otp, password=None):
"""
Validates a YubiKey OTP (One Time Password) for the user.
@param otp: The OTP to validate.
@type otp: string
@return: True if the OTP was valid, and from a YubiKey belonging
to the user. False if not.
@rtype: bool
"""
prefix = otp[:-32]
otp_valid = validate_otp(otp)
if settings['use_ldap'] and settings['ldap_yubikey_attr']:
return otp_valid and ldapauth.validate_yubikey(self.name, password, prefix, settings['ldap_yubikey_attr'])
elif prefix in self.yubikeys:
return otp_valid and self.yubikeys[prefix].enabled
return False
def assign_yubikey(self, request, noauth=None):
assign_form = AssignYubikeyForm(request.params)
auth_form = ReauthenticateForm(request)
user = request.environ['yubiauth.user']
if noauth is not None or not assign_form.validate():
pass
elif auth_form.validate() and auth_form.authenticate():
yubikey = assign_form.yubikey.data
prefix = yubikey[:-32]
if not validate_otp(yubikey):
self.add_message('Invalid OTP for new YubiKey!', 'error')
if not prefix in user.yubikeys:
user.assign_yubikey(prefix)
return redirect(request, 'manage')
else:
self.add_message('Invalid credentials!', 'error')
return self.render(request, 'assign_yubikey',
fieldsets=[assign_form, auth_form])
def assign_yubikey(self, request, noauth=None):
assign_form = AssignYubikeyForm(request.params)
auth_form = ReauthenticateForm(request)
user = request.environ['yubiauth.user']
if noauth is not None or not assign_form.validate():
pass
elif auth_form.validate() and auth_form.authenticate():
yubikey = assign_form.yubikey.data
prefix = yubikey[:-32]
if not validate_otp(yubikey):
self.add_message('Invalid OTP for new YubiKey!', 'error')
if not prefix in user.yubikeys:
user.assign_yubikey(prefix)
return redirect(request, 'manage')
else:
self.add_message('Invalid credentials!', 'error')
return self.render(request,
'assign_yubikey',
fieldsets=[assign_form, auth_form])
def validate_otp(self, otp, password=None):
"""
Validates a YubiKey OTP (One Time Password) for the user.
@param otp: The OTP to validate.
@type otp: string
@return: True if the OTP was valid, and from a YubiKey belonging
to the user. False if not.
@rtype: bool
"""
prefix = otp[:-32]
otp_valid = validate_otp(otp)
if settings['use_ldap'] and settings['ldap_yubikey_attr']:
return otp_valid and ldapauth.validate_yubikey(
self, password, prefix, settings['ldap_yubikey_attr'])
elif prefix in self.yubikeys:
return otp_valid and self.yubikeys[prefix].enabled
return False
