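def check_session(request, scope='admin'):
    '''
    Check that the ``session`` request parameter matches the session cookie.

    The cookie name is ``<scope>_session``: with the default scope this is
    ``admin_session``, the helpdesk scope uses ``helpdesk_session``.

    Clients whose address lies in one of the networks listed in the comma
    separated ``linotpNoSessionCheck`` config entry are exempt from the
    check, as is the self-test mode.

    :param request: the request object
    :param scope: cookie name prefix, ``admin`` by default
    :return: ``None`` when the session is valid or the check was skipped;
             otherwise the request is aborted with 401
    '''
    if isSelfTest():
        return

    # networks whose clients may skip the session check; empty entries
    # (unset config value, trailing comma) are dropped up front
    no_session_clients = [
        network.strip()
        for network in config.get("linotpNoSessionCheck", "").split(",")
        if network.strip()
    ]

    client = request.environ.get('REMOTE_ADDR', None)
    log.debug("[check_session] checking %s in %s" % (client, no_session_clients))

    # without a client address no network can match; netaddr would raise on
    # IPAddress(None) and the loop would misreport that as a misconfiguration
    if client is not None:
        for network in no_session_clients:
            try:
                if netaddr.IPAddress(client) in netaddr.IPNetwork(network):
                    log.debug("skipping session check since client"
                              " %s in allowed: %s" % (client, no_session_clients))
                    return
            except Exception as ex:
                log.warning("misconfiguration in linotpNoSessionCheck: "
                            "%r - %r" % (network, ex))

    cookie = request.cookies.get(scope + '_session')
    session = get_request_param(request, 'session')

    # doing any other request, we need to check the session!
    log.debug("[check_session]: session: %s" % session)
    log.debug("[check_session]: cookie: %s" % cookie)

    if not _session_matches(session, cookie):
        log.error("The request did not pass a valid session!")
        abort(401, "You have no valid session!")


def _session_matches(session, cookie):
    '''
    Return True when *session* is non-empty and equal to *cookie*.

    The request parameter is attacker controlled while the cookie is the
    secret it is compared against, so the comparison runs in constant time.

    :param session: value of the ``session`` request parameter (may be None)
    :param cookie: value of the session cookie (may be None)
    :return: boolean
    '''
    # local import: the module's import block is not part of this listing
    import hmac

    if not session or cookie is None:
        return False
    if isinstance(session, str) and isinstance(cookie, str):
        return hmac.compare_digest(session.encode('utf-8'),
                                   cookie.encode('utf-8'))
    return session == cookie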
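def __before__(self, **params):
    """
    Called before every action.

    When the ``MAINTENANCE_VERIFY_CLIENT_ENV_VAR`` config entry is set, the
    request must carry a verified client certificate, which the web server
    exposes through the CGI environment variable named by that entry (for
    apache this is ``SSL_CLIENT_S_DN_CN``; other servers are supported by
    configuring their variable name). A request without a value in that
    variable is rejected with 401. Without the config entry no check is
    performed.

    :param params: list of named arguments
    :return: -nothing-; on a missing client certificate the request is
             aborted with 401
    """
    env_var = config.get('MAINTENANCE_VERIFY_CLIENT_ENV_VAR', False)
    if not env_var:
        return

    # an unset variable means the server did not verify a client
    # certificate; an empty value carries no identity either, so it is
    # rejected as well instead of passing as "present"
    client_cert = request.environ.get(env_var)
    if not client_cert:
        abort(401)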
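def check_url(self):
    '''
    This function works with pam_url.

    Runs the token check for the request parameters and answers with 403
    when it fails; on success the (unfinished) reply is the literal
    "Preshared Key Todo".

    :return: the reply text, or the result of sendResult when the check
             raised an unexpected error
    '''
    ok = False
    param = self.request_params
    try:
        try:
            # the second element of the _check() result is not used here
            (ok, _opt) = self._check(param)
        except AuthorizeException as acc:
            log.warning(
                "[check_url] authorization failed for validate/check_url: %r" % acc)
            c.audit['success'] = False
            c.audit['action_detail'] = str(acc)
            ok = False

        Session.commit()
        response.headers['blablafoo'] = 'application/json'

    except flap.HTTPUnauthorized as acc:
        ## the exception raised by an abort() inside _check() is forwarded;
        ## the former format string carried two %r for a single argument
        ## and itself failed with a TypeError in this handler
        log.exception("[check_url] webob.exception %r" % acc)
        Session.rollback()
        raise
    except Exception as exx:
        log.exception("[check_url] validate/check_url failed: %r" % exx)
        Session.rollback()
        return sendResult(response, False, 0)
    finally:
        Session.close()

    ## TODO: this code seems not to be finished
    ## abort() is called after the try block: inside it the HTTP exception
    ## it raises would have been caught by the generic handler above and
    ## turned into a sendResult(False) reply instead of the intended 403
    if not ok:
        abort(403)
    return "Preshared Key Todo"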
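def check_url(self):
    """
    This function works with pam_url.

    Runs the token check for the request parameters and answers with 403
    when it fails; on success the (unfinished) reply is the literal
    "Preshared Key Todo".

    :return: the reply text, or the result of sendResult when the check
             raised an unexpected error
    """
    ok = False
    param = self.request_params
    try:
        try:
            # the second element of the _check() result is not used here
            (ok, _opt) = self._check(param)
        except AuthorizeException as acc:
            log.warning(
                "[check_url] authorization failed for validate/check_url: %r",
                acc,
            )
            g.audit["success"] = False
            g.audit["action_detail"] = str(acc)
            ok = False

        db.session.commit()
        response.headers["blablafoo"] = "application/json"

    except flap.HTTPUnauthorized as acc:
        # the exception raised by an abort() inside _check() is forwarded;
        # the former message had two %r placeholders for a single argument,
        # which the logging module reports as a formatting error
        log.error("[check_url] webob.exception %r", acc)
        db.session.rollback()
        raise
    except Exception as exx:
        # unexpected failure: keep the traceback in the log
        log.exception("[check_url] validate/check_url failed: %r", exx)
        db.session.rollback()
        return sendResult(response, False, 0)

    # TODO: this code seems not to be finished
    # abort() is called after the try block: inside it the HTTP exception
    # it raises would have been caught by the generic handler above and
    # turned into a sendResult(False) reply instead of the intended 403
    if not ok:
        abort(403)
    return "Preshared Key Todo"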