def test_07_generate_password(self): # test given default characters pass_numeric = generate_password(size=12, characters=string.digits) self.assertTrue(pass_numeric.isdigit()) self.assertEqual(len(pass_numeric), 12) # test requirements, we loop to get some statistics default_chars = string.ascii_uppercase + string.ascii_lowercase + string.digits for i in range(10): password_req = generate_password(size=3, characters=default_chars, requirements=["AB", "12"]) # a character from each requirement must be found self.assertTrue( any(char in "AB" for char in password_req) and any(char in "12" for char in password_req)) self.assertEqual(len(password_req),3) # use letters for base and numbers for requirements # this cannot be achieved with a pin policy password = generate_password(size=10, characters=string.ascii_letters, requirements=[string.digits, string.digits, string.digits]) self.assertEqual(10, len(password)) self.assertEqual(3, sum(c.isdigit() for c in password)) self.assertEqual(7, sum(c.isalpha() for c in password)) # requirements define the minimum length of a password password = generate_password(size=0, characters='ABC', requirements=['1', '2', '3']) self.assertEqual(3, len(password)) # empty characters variable raises an IndexError self.assertRaises(IndexError, generate_password, characters='') # negative size without requirements results in an empty password password = generate_password(size=-1) self.assertEqual(password, '')
def update(self, param): """ This method is called during the initialization process. :param param: parameters from the token init :type param: dict :return: None """ if "genkey" in param: # We do not need the genkey! We generate anyway. # Otherwise genkey and otpkey will raise an exception in # PasswordTokenClass del param["genkey"] param["otpkey"] = generate_password(size=self.otp_len) PasswordTokenClass.update(self, param)
def create_recoverycode(user, email=None, expiration_seconds=3600, recoverycode=None, base_url=""): """ Create and send a password recovery code :param user: User for whom the password reset code should be sent :type user: User Object :param email: The optional email of the user :param recoverycode: Only used for testing purpose :return: bool """ base_url = base_url.strip("recover") base_url += "#" recoverycode = recoverycode or generate_password(size=24) hash_code = hash_with_pepper(recoverycode) # send this recoverycode # pwreset = PasswordReset(hash_code, username=user.login, realm=user.realm, expiration_seconds=expiration_seconds) pwreset.save() res = False if not user: raise UserError("User required for recovery token.") user_email = user.info.get("email") if email and email.lower() != user_email.lower(): raise UserError("The email does not match the users email.") identifier = get_from_config("recovery.identifier") if identifier: # send email r = send_email_identifier( identifier, user_email, "Your password reset", BODY.format(base_url, user.login, user.realm, recoverycode)) if not r: raise privacyIDEAError("Failed to send email. {0!s}".format(r)) else: raise ConfigAdminError("Missing configuration " "recovery.identifier.") res = True return res
def create_recoverycode(user, email=None, expiration_seconds=3600, recoverycode=None, base_url=""): """ Create and send a password recovery code :param user: User for whom the password reset code should be sent :type user: User Object :param email: The optional email of the user :param recoverycode: Only used for testing purpose :return: bool """ base_url = base_url.strip("recover") base_url += "#" recoverycode = recoverycode or generate_password(size=24) hash_code = hash_with_pepper(recoverycode) # send this recoverycode # pwreset = PasswordReset(hash_code, username=user.login, realm=user.realm, expiration_seconds=expiration_seconds) pwreset.save() res = False if not user: raise UserError("User required for recovery token.") user_email = user.info.get("email") if email and email.lower() != user_email.lower(): raise UserError("The email does not match the users email.") identifier = get_from_config("recovery.identifier") if identifier: # send email r = send_email_identifier(identifier, user_email, "Your password reset", BODY.format(base_url, user.login, user.realm, recoverycode)) if not r: raise privacyIDEAError("Failed to send email. {0!s}".format(r)) else: raise ConfigAdminError("Missing configuration " "recovery.identifier.") res = True return res
def create_token(serial, username): app = create_app(config_name="production", config_file="/etc/privacyidea/pi.cfg", silent=True) with app.app_context(): # Set global values params = {"type": TOKENTYPE} if username: user = User(username, REALM) else: user = User() if serial: params["serial"] = serial password = generate_password(size=PW_LEN, characters=BASE58) params["otplen"] = PW_LEN params["otpkey"] = password tok = init_token(params, user) return tok.token.serial, password
def do(self, action, options=None): """ This method executes the defined action in the given event. :param action: :param options: Contains the flask parameters g, request, response and the handler_def configuration :type options: dict :return: """ ret = True g = options.get("g") request = options.get("request") response = options.get("response") content = self._get_response_content(response) handler_def = options.get("handler_def") handler_options = handler_def.get("options", {}) serial = request.all_data.get("serial") or \ content.get("detail", {}).get("serial") or \ g.audit_object.audit_data.get("serial") if action.lower() in [ACTION_TYPE.SET_TOKENREALM, ACTION_TYPE.SET_DESCRIPTION, ACTION_TYPE.DELETE, ACTION_TYPE.DISABLE, ACTION_TYPE.ENABLE, ACTION_TYPE.UNASSIGN, ACTION_TYPE.SET_VALIDITY, ACTION_TYPE.SET_COUNTWINDOW, ACTION_TYPE.SET_TOKENINFO, ACTION_TYPE.SET_FAILCOUNTER, ACTION_TYPE.CHANGE_FAILCOUNTER, ACTION_TYPE.SET_RANDOM_PIN, ACTION_TYPE.DELETE_TOKENINFO]: if serial: log.info("{0!s} for token {1!s}".format(action, serial)) if action.lower() == ACTION_TYPE.SET_TOKENREALM: realm = handler_options.get("realm") only_realm = is_true(handler_options.get("only_realm")) # Set the realm.. log.info("Setting realm of token {0!s} to {1!s}".format( serial, realm)) # Add the token realm set_realms(serial, [realm], add=not only_realm) elif action.lower() == ACTION_TYPE.SET_RANDOM_PIN: # If for any reason we have no value, we default to 6 length = int(handler_options.get("length") or 6) pin = generate_password(size=length) if set_pin(serial, pin): content.setdefault("detail", {})["pin"] = pin options.get("response").data = json.dumps(content) elif action.lower() == ACTION_TYPE.DELETE: remove_token(serial=serial) elif action.lower() == ACTION_TYPE.DISABLE: enable_token(serial, enable=False) elif action.lower() == ACTION_TYPE.ENABLE: enable_token(serial, enable=True) elif action.lower() == ACTION_TYPE.UNASSIGN: unassign_token(serial) elif action.lower() == ACTION_TYPE.SET_DESCRIPTION: description = handler_options.get("description") or "" description, td = parse_time_offset_from_now(description) s_now = (datetime.datetime.now(tzlocal()) + td).strftime( AUTH_DATE_FORMAT) set_description(serial, description.format( current_time=s_now, now=s_now, client_ip=g.client_ip, ua_browser=request.user_agent.browser, ua_string=request.user_agent.string)) elif action.lower() == ACTION_TYPE.SET_COUNTWINDOW: set_count_window(serial, int(handler_options.get("count window", 50))) elif action.lower() == ACTION_TYPE.SET_TOKENINFO: tokeninfo = handler_options.get("value") or "" tokeninfo, td = parse_time_offset_from_now(tokeninfo) s_now = (datetime.datetime.now(tzlocal()) + td).strftime( AUTH_DATE_FORMAT) try: username = request.User.loginname realm = request.User.realm except Exception: username = "******" realm = "N/A" add_tokeninfo(serial, handler_options.get("key"), tokeninfo.format( current_time=s_now, now=s_now, client_ip=g.client_ip, username=username, realm=realm, ua_browser=request.user_agent.browser, ua_string=request.user_agent.string)) elif action.lower() == ACTION_TYPE.DELETE_TOKENINFO: delete_tokeninfo(serial, handler_options.get("key")) elif action.lower() == ACTION_TYPE.SET_VALIDITY: start_date = handler_options.get(VALIDITY.START) end_date = handler_options.get(VALIDITY.END) if start_date: d = parse_date(start_date) set_validity_period_start(serial, None, d.strftime(DATE_FORMAT)) if end_date: d = parse_date(end_date) set_validity_period_end(serial, None, d.strftime(DATE_FORMAT)) elif action.lower() == ACTION_TYPE.SET_FAILCOUNTER: try: set_failcounter(serial, int(handler_options.get("fail counter"))) except Exception as exx: log.warning("Misconfiguration: Failed to set fail " "counter!") elif action.lower() == ACTION_TYPE.CHANGE_FAILCOUNTER: try: token_obj = get_one_token(serial=serial) token_obj.set_failcount( token_obj.token.failcount + int(handler_options.get("change fail counter"))) except Exception as exx: log.warning("Misconfiguration: Failed to increase or decrease fail " "counter!") else: log.info("Action {0!s} requires serial number. But no serial " "number could be found in request.") if action.lower() == ACTION_TYPE.INIT: log.info("Initializing new token") init_param = {"type": handler_options.get("tokentype"), "genkey": 1, "realm": handler_options.get("realm", "")} user = None if is_true(handler_options.get("user")): user = self._get_tokenowner(request) tokentype = handler_options.get("tokentype") # Some tokentypes need additional parameters if handler_options.get("additional_params"): add_params = yaml.safe_load(handler_options.get("additional_params")) if type(add_params) == dict: init_param.update(add_params) if tokentype == "sms": if handler_options.get("dynamic_phone"): init_param["dynamic_phone"] = 1 else: init_param['phone'] = user.get_user_phone( phone_type='mobile', index=0) if not init_param['phone']: log.warning("Enrolling SMS token. But the user " "{0!r} has no mobile number!".format(user)) if handler_options.get("sms_identifier"): init_param["sms.identifier"] = handler_options.get("sms_identifier") elif tokentype == "email": if handler_options.get("dynamic_email"): init_param["dynamic_email"] = 1 else: init_param['email'] = user.info.get("email", "") if not init_param['email']: log.warning("Enrolling EMail token. But the user {0!s}" "has no email address!".format(user)) if handler_options.get("smtp_identifier"): init_param["email.identifier"] = handler_options.get("smtp_identifier") elif tokentype == "motp": init_param['motppin'] = handler_options.get("motppin") t = init_token(param=init_param, user=user) log.info("New token {0!s} enrolled.".format(t.token.serial)) return ret
def test_20_pin_policy(self): # Unspecified character specifier self.assertRaises(PolicyError, check_pin_contents, "1234", "+o") r, c = check_pin_contents("1234", "n") self.assertTrue(r) r, c = check_pin_contents(r"[[[", "n") self.assertFalse(r) r, c = check_pin_contents(r"[[[", "c") self.assertFalse(r) r, c = check_pin_contents(r"[[[", "s") self.assertTrue(r) # check the validation of a generated password with square brackets password = generate_password(size=3, requirements=['[', '[', '[']) r, c = check_pin_contents(password, "s") self.assertTrue(r) r, c = check_pin_contents("abc", "nc") self.assertFalse(r) self.assertEqual( "Missing character in PIN: {}".format(CHARLIST_CONTENTPOLICY['n']), c) r, c = check_pin_contents("123", "nc") self.assertFalse(r) self.assertEqual( r"Missing character in PIN: {}".format( CHARLIST_CONTENTPOLICY['c']), c) r, c = check_pin_contents("123", "ncs") self.assertFalse(r) self.assertTrue( r"Missing character in PIN: {}".format( CHARLIST_CONTENTPOLICY['c'] in c), c) self.assertTrue( r"Missing character in PIN: {}".format( CHARLIST_CONTENTPOLICY['s'] in c), c) r, c = check_pin_contents("1234", "") self.assertFalse(r) self.assertEqual(c, "No policy given.") # check for either number or character r, c = check_pin_contents("1234", "+cn") self.assertTrue(r) r, c = check_pin_contents("1234xxxx", "+cn") self.assertTrue(r) r, c = check_pin_contents("xxxx", "+cn") self.assertTrue(r) self.assertTrue(check_pin_contents("test1234", "+cn")[0]) self.assertTrue(check_pin_contents("test12$$", "+cn")[0]) self.assertTrue(check_pin_contents("test12", "+cn")[0]) self.assertTrue(check_pin_contents("1234", "+cn")[0]) r, c = check_pin_contents("@@@@", "+cn") self.assertFalse(r) self.assertEqual( c, "Missing character in PIN: {}{}".format( CHARLIST_CONTENTPOLICY['c'], CHARLIST_CONTENTPOLICY['n'])) # check for exclusion # No special character r, c = check_pin_contents("1234", "-s") self.assertTrue(r) r, c = check_pin_contents("1234aaaa", "-s") self.assertTrue(r) r, c = check_pin_contents("1234aaaa//", "-s") self.assertFalse(r) # A pin that falsely contains a number r, c = check_pin_contents("1234aaa", "-sn") self.assertFalse(r) self.assertEqual(c, "Not allowed character in PIN!") r, c = check_pin_contents("///aaa", "-sn") self.assertFalse(r) # A pin without a number and without a special r, c = check_pin_contents("xxxx", "-sn") self.assertTrue(r) r, c = check_pin_contents("1234@@@@", "-c") self.assertTrue(r) # A pin with only digits allowed r, c = check_pin_contents("1234", "-cs") self.assertTrue(r) r, c = check_pin_contents("a1234", "-cs") self.assertFalse(r) # A pin with only a specified list of chars r, c = check_pin_contents("1234111", "[1234]") self.assertTrue(r) r, c = check_pin_contents("12345", "[1234]") self.assertFalse(r)