def check_base_action(request=None, action=None, anonymous=False): """ This decorator function takes the request and verifies the given action for the SCOPE ADMIN or USER. :param request: :param action: :param anonymous: If set to True, the user data is taken from the request parameters. :return: True otherwise raises an Exception """ ERROR = {"user": "******" "allowed!" % action, "admin": "Admin actions are defined, but the action %s is not " "allowed!" % action} params = request.all_data policy_object = g.policy_object username = g.logged_in_user.get("username") role = g.logged_in_user.get("role") scope = SCOPE.ADMIN admin_realm = g.logged_in_user.get("realm") realm = None resolver = None if role == ROLE.USER: scope = SCOPE.USER # Reset the admin realm admin_realm = None realm = realm or g.logged_in_user.get("realm") # In certain cases we can not resolve the user by the serial! if action not in [ACTION.AUDIT]: realm = params.get("realm") if type(realm) == list and len(realm) == 1: realm = realm[0] resolver = params.get("resolver") # get the realm by the serial: if not realm and params.get("serial"): realm = get_realms_of_token(params.get("serial"), only_first_realm=True) # get the realm by the serial, while the serial is part of the URL like # DELETE /token/serial if not realm and request.view_args and request.view_args.get("serial"): realm = get_realms_of_token(request.view_args.get("serial"), only_first_realm=True) action = policy_object.get_policies(action=action, user=username, realm=realm, scope=scope, resolver=resolver, client=g.client_ip, adminrealm=admin_realm, active=True) action_at_all = policy_object.get_policies(scope=scope, active=True, all_times=True) if action_at_all and len(action) == 0: raise PolicyError(ERROR.get(role)) return True
def test_16_set_realms(self): serial = "NEWREALM01" tokenobject = init_token({"serial": serial, "otpkey": "1234567890123456"}) realms = get_realms_of_token(serial) self.assertTrue(realms == [], "%s" % realms) rnum = set_realms(serial, [self.realm1]) self.assertTrue(rnum == 1, rnum) realms = get_realms_of_token(serial) self.assertTrue(realms == [self.realm1], "%s" % realms) remove_token(serial=serial) realms = get_realms_of_token(serial) self.assertTrue(realms == [], "%s" % realms)
def test_16_set_realms(self): serial = "NEWREALM01" tokenobject = init_token({ "serial": serial, "otpkey": "1234567890123456" }) realms = get_realms_of_token(serial) self.assertTrue(realms == [], "%s" % realms) rnum = set_realms(serial, [self.realm1]) self.assertTrue(rnum == 1, rnum) realms = get_realms_of_token(serial) self.assertTrue(realms == [self.realm1], "%s" % realms) remove_token(serial=serial) realms = get_realms_of_token(serial) self.assertTrue(realms == [], "%s" % realms)
def save_pin_change(request, response, serial=None): """ This policy function checks if the next_pin_change date should be stored in the tokeninfo table. 1. Check scope:enrollment and ACTION.CHANGE_PIN_FIRST_USE. This action is used, when the administrator enrolls a token or sets a PIN 2. Check scope:enrollment and ACTION.CHANGE_PIN_EVERY is used, if the user changes the PIN. This function decorates /token/init and /token/setpin. The parameter "pin" and "otppin" is investigated. :param request: :param action: :return: """ policy_object = g.policy_object serial = serial or request.all_data.get("serial") if not serial: # No serial in request, so we look into the response serial = response.json.get("detail", {}).get("serial") if not serial: log.error("Can not determine serial number. Have no idea of any " "realm!") else: # Determine the realm by the serial realm = get_realms_of_token(serial, only_first_realm=True) realm = realm or get_default_realm() if g.logged_in_user.get("role") == ROLE.ADMIN: pinpol = Match.realm(g, scope=SCOPE.ENROLL, action=ACTION.CHANGE_PIN_FIRST_USE, realm=realm).policies() if pinpol: token = get_one_token(serial=serial) token.set_next_pin_change(diff="0d") elif g.logged_in_user.get("role") == ROLE.USER: # Check for parameter "pin" or "otppin". otppin = request.all_data.get("otppin") pin = request.all_data.get("pin") # The user sets a pin or enrolls a token. -> delete the pin_change if otppin or pin: token = get_one_token(serial=serial) token.del_tokeninfo("next_pin_change") # If there is a change_pin_every policy, we need to set the PIN # anew. pinpol = Match.realm(g, scope=SCOPE.ENROLL, action=ACTION.CHANGE_PIN_EVERY, realm=realm).action_values(unique=True) if pinpol: token = get_one_token(serial=serial) token.set_next_pin_change(diff=list(pinpol)[0]) # we do not modify the response! return response
def check_base_action(request=None, action=None, anonymous=False): """ This decorator function takes the request and verifies the given action for the SCOPE ADMIN or USER. :param request: :param action: :param anonymous: If set to True, the user data is taken from the request parameters. :return: True otherwise raises an Exception """ ERROR = { "user": "******" "allowed!" % action, "admin": "Admin actions are defined, but the action %s is not " "allowed!" % action } params = request.all_data policy_object = g.policy_object username = g.logged_in_user.get("username") role = g.logged_in_user.get("role") scope = SCOPE.ADMIN admin_realm = g.logged_in_user.get("realm") realm = params.get("realm") if type(realm) == list and len(realm) == 1: realm = realm[0] if role == "user": scope = SCOPE.USER # Reset the admin realm admin_realm = None # get the realm by the serial: if params.get("serial") and not realm: realms = get_realms_of_token(params.get("serial")) if realms: realm = realms[0] else: realm = None action = policy_object.get_policies(action=action, user=username, realm=realm, scope=scope, client=g.client_ip, adminrealm=admin_realm, active=True) action_at_all = policy_object.get_policies(scope=scope, active=True, all_times=True) if action_at_all and len(action) == 0: raise PolicyError(ERROR.get(role)) return True
def test_38_autoassign(self): user = User("autoassignuser", realm=self.realm1) tokenobject = init_token({"serial": "AUTO001", "type": "hotp", "otpkey": self.otpkey, "realm": self.realm1}) tokenobject = init_token({"serial": "AUTO002", "type": "hotp", "otpkey": "1234", "realm": self.realm1}) realms = get_realms_of_token("AUTO001") # The token is in realm1 self.assertTrue(self.realm1 in realms, realms) realms = get_realms_of_token("AUTO002") # The token is in realm1 self.assertTrue(self.realm1 in realms, realms) # Authentication by autoassign fails due to wrong password r, reply_dict = auto_assign_token(user, "wrong287082") # Nevertheless the 287082 is void, now! self.assertFalse(r) self.assertTrue("failed to authenticate against userstore" in reply_dict.get("message"), reply_dict) # Authentication by autoassign r, reply_dict = auto_assign_token(user, "test399871") self.assertTrue(r, (r, reply_dict)) # Token is assigned self.assertTrue(get_tokens(user=user, count=True) == 1, get_tokens( user=user)) # Normal authentication r = check_user_pass(user, "test520489") self.assertTrue(r) # Now try to assign a new token to the user, which will not work, # as autoassignment only works for users, who have NO token. r, reply_dict = auto_assign_token(user, "test287082") # Autoassignment fails self.assertFalse(r)
def check_base_action(request=None, action=None, anonymous=False): """ This decorator function takes the request and verifies the given action for the SCOPE ADMIN or USER. :param request: :param action: :param anonymous: If set to True, the user data is taken from the request parameters. :return: True otherwise raises an Exception """ ERROR = {"user": "******" "allowed!" % action, "admin": "Admin actions are defined, but the action %s is not " "allowed!" % action} params = request.all_data policy_object = g.policy_object username = g.logged_in_user.get("username") role = g.logged_in_user.get("role") scope = SCOPE.ADMIN admin_realm = g.logged_in_user.get("realm") realm = params.get("realm") if type(realm) == list and len(realm) == 1: realm = realm[0] if role == "user": scope = SCOPE.USER # Reset the admin realm admin_realm = None realm = realm or g.logged_in_user.get("realm") # get the realm by the serial: if params.get("serial") and not realm: realms = get_realms_of_token(params.get("serial")) if realms: realm = realms[0] else: realm = None action = policy_object.get_policies(action=action, user=username, realm=realm, scope=scope, client=g.client_ip, adminrealm=admin_realm, active=True) action_at_all = policy_object.get_policies(scope=scope, active=True, all_times=True) if action_at_all and len(action) == 0: raise PolicyError(ERROR.get(role)) return True
def test_01_set_tokenrealm(self): # setup realms self.setUp_user_realms() self.setUp_user_realm2() init_token({"serial": "SPASS01", "type": "spass"}) g = FakeFlaskG() audit_object = FakeAudit() audit_object.audit_data["serial"] = "SPASS01" g.logged_in_user = {"user": "******", "role": "admin", "realm": ""} g.audit_object = audit_object builder = EnvironBuilder(method='POST', data={'serial': "SPASS01"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"serial": "SPASS01", "type": "spass"} resp = Response() resp.data = """{"result": {"value": true}}""" # Now the initiailized token will be set in realm2 options = { "g": g, "request": req, "response": resp, "handler_def": { "options": { "realm": "realm2" } } } t_handler = TokenEventHandler() res = t_handler.do(ACTION_TYPE.SET_TOKENREALM, options=options) self.assertTrue(res) # Check if the token is contained in realm2 realms = get_realms_of_token("SPASS01") self.assertTrue("realm2" in realms) remove_token("SPASS01")
def check_base_action(request=None, action=None): """ This decorator function takes the request and verifies the given action for the SCOPE ADMIN or USER. :param req: :param action: :return: True otherwise raises an Exception """ ERROR = {"user": "******" "allowed!", "admin": "Admin actions are defined, but this action is not " "allowed!"} params = request.all_data policy_object = g.policy_object username = g.logged_in_user.get("username") role = g.logged_in_user.get("role") scope = SCOPE.ADMIN admin_realm = g.logged_in_user.get("realm") if role == "user": scope = SCOPE.USER # Reset the admin realm admin_realm = None # get the realm by the serial: realm = params.get("realm") if params.get("serial") and not realm: realms = get_realms_of_token(params.get("serial")) if len(realms) > 0: realm = realms[0] else: realm = None action = policy_object.get_policies(action=action, user=username, realm=realm, scope=scope, client=request.remote_addr, adminrealm=admin_realm, active=True) action_at_all = policy_object.get_policies(scope=scope, active=True) if len(action_at_all) and len(action) == 0: raise PolicyError(ERROR.get(role)) return True
def test_06_get_realms_of_token(self): # Return a list of realmnames for a token self.assertTrue(get_realms_of_token("hotptoken") == [self.realm1], "%s" % get_realms_of_token("hotptoken"))
def save_pin_change(request, response, serial=None): """ This policy function checks if the next_pin_change date should be stored in the tokeninfo table. 1. Check scope:enrollment and ACTION.CHANGE_PIN_FIRST_USE. This action is used, when the administrator enrolls a token or sets a PIN 2. Check scope:enrollment and ACTION.CHANGE_PIN_EVERY is used, if the user changes the PIN. This function decorates /token/init and /token/setpin. The parameter "pin" and "otppin" is investigated. :param request: :param action: :return: """ content = json.loads(response.data) policy_object = g.policy_object serial = serial or request.all_data.get("serial") if not serial: # No serial in request, so we look into the response serial = content.get("detail", {}).get("serial") if not serial: log.error("Can not determine serial number. Have no idea of any " "realm!") else: # Determine the realm by the serial realm = get_realms_of_token(serial, only_first_realm=True) realm = realm or get_default_realm() if g.logged_in_user.get("role") == ROLE.ADMIN: pinpol = policy_object.get_policies(action=ACTION.CHANGE_PIN_FIRST_USE, scope=SCOPE.ENROLL, realm=realm, client=g.client_ip, active=True) if pinpol: token = get_tokens(serial=serial)[0] token.set_next_pin_change(diff="0d") elif g.logged_in_user.get("role") == ROLE.USER: # Check for parameter "pin" or "otppin". otppin = request.all_data.get("otppin") pin = request.all_data.get("pin") # The user sets a pin or enrolls a token. -> delete the pin_change if otppin or pin: token = get_tokens(serial=serial)[0] token.del_tokeninfo("next_pin_change") # If there is a change_pin_every policy, we need to set the PIN # anew. pinpol = policy_object.get_action_values( ACTION.CHANGE_PIN_EVERY, scope=SCOPE.ENROLL, realm=realm, client=g.client_ip, unique=True) if pinpol: token = get_tokens(serial=serial)[0] token.set_next_pin_change(diff=pinpol[0]) # we do not modify the response! return response
def test_06_get_realms_of_token(self): # Return a list of realmnames for a token self.assertTrue( get_realms_of_token("hotptoken") == [self.realm1], "%s" % get_realms_of_token("hotptoken"))