def _get_tokenowner(request): user = request.User serial = request.all_data.get("serial") if user.is_empty() and serial: # maybe the user is empty, but a serial was passed. # Then we determine the user by the serial try: user = get_token_owner(serial) or User() except Exception as exx: user = User() # This can happen for orphaned tokens. log.info("Could not determine tokenowner for {0!s}. Maybe the " "user does not exist anymore.".format(serial)) log.debug(exx) # We now check, if the user exists at all! try: ui = user.info except UserError as exx: if exx.id in [904, 905]: # 904: User can not be found - maybe we got here due to PassOnNoUser # 905: This would be a parameter error - why is this here? user = User() else: raise exx return user
def _get_tokenowner(request): user = request.User serial = request.all_data.get("serial") if user.is_empty() and serial: # maybe the user is empty, but a serial was passed. # Then we determine the user by the serial user = get_token_owner(serial) return user
def _get_tokenowner(request): user = request.User serial = request.all_data.get("serial") if user.is_empty() and serial: # maybe the user is empty, but a serial was passed. # Then we determine the user by the serial try: user = get_token_owner(serial) or User() except Exception as exx: user = User() # This can happen for orphaned tokens. log.info("Could not determine tokenowner for {0!s}. Maybe the " "user does not exist anymore.".format(serial)) log.debug(exx) return user
def _get_tokenowner(request): user = request.User serial = request.all_data.get("serial") if user.is_empty() and serial: # maybe the user is empty, but a serial was passed. # Then we determine the user by the serial try: user = get_token_owner(serial) or User() except Exception as exx: user = User() # This can happen for orphaned tokens. log.info("Could not determine tokenowner for {0!s}. Maybe the " "user does not exist anymore.".format(serial)) log.debug(exx) # We now check, if the user exists at all! try: ui = user.info except UserError as exx: if exx.id == 905: user = User() else: raise exx return user
def test_08_token_owner(self): # token_has_owner self.assertTrue(token_has_owner("hotptoken")) self.assertFalse(token_has_owner(self.serials[0])) # get_token_owner user = get_token_owner("hotptoken") self.assertTrue(user.login == "cornelius", user) user = get_token_owner(self.serials[0]) self.assertTrue(user is None, user) # for non existing token user = get_token_owner("does not exist") self.assertTrue(user is None, user) # check if the token owner is cornelius user = User("cornelius", realm=self.realm1, resolver=self.resolvername1) self.assertTrue(is_token_owner("hotptoken", user), get_token_owner("hotptoken")) self.assertFalse(is_token_owner("hotptoken", User()), get_token_owner("hotptoken")) self.assertFalse(is_token_owner(self.serials[1], user), get_token_owner(self.serials[1]))
def do(self, action, options=None): """ This method executes the defined action in the given event. :param action: :param options: :return: """ ret = True g = options.get("g") request = options.get("request") try: logged_in_user = g.logged_in_user except Exception: logged_in_user = {} user = get_user_from_param(request.all_data) serial = request.all_data.get("serial") if user.is_empty() and serial: # maybe the user is empty, but a serial was passed. # Then we determine the user by the serial user = get_token_owner(serial) if not user.is_empty() and user.login and logged_in_user.get("role") ==\ ROLE.ADMIN: body = options.get("body") or DEFAULT_BODY body = body.format( admin=logged_in_user.get("username"), realm=logged_in_user.get("realm"), action=request.path, serial=g.audit_object.audit_data.get("serial"), url=request.url_root, user=user.info.get("givenname") ) if action.lower() == "sendmail": emailconfig = options.get("emailconfig") useremail = user.info.get("email") subject = options.get("subject") or "An action was performed on " \ "your token." try: ret = send_email_identifier(emailconfig, recipient=useremail, subject=subject, body=body) except Exception as exx: log.error("Failed to send email: {0!s}".format(exx)) ret = False if ret: log.info("Sent a notification email to user {0}".format(user)) else: log.warning("Failed to send a notification email to user " "{0}".format(user)) elif action.lower() == "sendsms": smsconfig = options.get("smsconfig") userphone = user.info.get("mobile") try: ret = send_sms_identifier(smsconfig, userphone, body) except Exception as exx: log.error("Failed to send sms: {0!s}".format(exx)) ret = False if ret: log.info("Sent a notification sms to user {0}".format(user)) else: log.warning("Failed to send a notification email to user " "{0}".format(user)) return ret
def before_request(): """ This is executed before the request. user_required checks if there is a logged in admin or user The checks for ONLY admin are preformed in api/system.py """ # remove session from param and gather all parameters, either # from the Form data or from JSON in the request body. ensure_no_config_object() request.all_data = get_all_params(request) if g.logged_in_user.get("role") == "user": # A user is calling this API. First thing we do is restricting the user parameter. # ...to restrict token view, audit view or token actions. request.all_data["user"] = g.logged_in_user.get("username") request.all_data["realm"] = g.logged_in_user.get("realm") try: request.User = get_user_from_param(request.all_data) # overwrite or set the resolver parameter in case of a logged in user if g.logged_in_user.get("role") == "user": request.all_data["resolver"] = request.User.resolver except AttributeError: # Some endpoints do not need users OR e.g. the setPolicy endpoint # takes a list as the userobject request.User = None except UserError: # In cases like the policy API, the parameter "user" is part of the # policy and will not resolve to a user object request.User = User() g.policy_object = PolicyClass() g.audit_object = getAudit(current_app.config, g.startdate) g.event_config = EventConfiguration() # access_route contains the ip adresses of all clients, hops and proxies. g.client_ip = get_client_ip(request, get_from_config(SYSCONF.OVERRIDECLIENT)) # Save the HTTP header in the localproxy object g.request_headers = request.headers privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \ request.host # Already get some typical parameters to log serial = getParam(request.all_data, "serial") if serial and not "*" in serial: g.serial = serial tokentype = get_token_type(serial) if not request.User: # We determine the user object by the given serial number try: request.User = get_token_owner(serial) or User() except ResourceNotFoundError: # The serial might not exist! This would raise an exception pass else: g.serial = None tokentype = None if request.User: audit_username = request.User.login audit_realm = request.User.realm audit_resolver = request.User.resolver else: audit_realm = getParam(request.all_data, "realm") audit_resolver = getParam(request.all_data, "resolver") audit_username = getParam(request.all_data, "user") g.audit_object.log({ "success": False, "serial": serial, "user": audit_username, "realm": audit_realm, "resolver": audit_resolver, "token_type": tokentype, "client": g.client_ip, "client_user_agent": request.user_agent.browser, "privacyidea_server": privacyidea_server, "action": "{0!s} {1!s}".format(request.method, request.url_rule), "action_detail": "", "info": "" }) if g.logged_in_user.get("role") == "admin": # An administrator is calling this API g.audit_object.log({"administrator": g.logged_in_user.get("username")})