
Source code changes of the file "privacyidea/lib/policydecorators.py" between
privacyidea-3.5.2.tar.gz and privacyidea-3.6.tar.gz

About: privacyIDEA is a flexible two factor authentication server that can be used to enhance the security of existing applications like local login, VPN, remote access, SSH connections or access to web sites.

policydecorators.py  (privacyidea-3.5.2):policydecorators.py  (privacyidea-3.6)
skipping to change at line 47 skipping to change at line 47
# You should have received a copy of the GNU Affero General Public # You should have received a copy of the GNU Affero General Public
# License along with this program. If not, see <http://www.gnu.org/licenses/>. # License along with this program. If not, see <http://www.gnu.org/licenses/>.
# #
""" """
These are the policy decorator functions for internal (lib) policy decorators. These are the policy decorator functions for internal (lib) policy decorators.
policy decorators for the API (pre/post) are defined in api/lib/policy policy decorators for the API (pre/post) are defined in api/lib/policy
The functions of this module are tested in tests/test_lib_policy_decorator.py The functions of this module are tested in tests/test_lib_policy_decorator.py
""" """
import logging import logging
import re
from privacyidea.lib.policy import Match from privacyidea.lib.policy import Match
from privacyidea.lib.error import PolicyError, privacyIDEAError from privacyidea.lib.error import PolicyError, privacyIDEAError
import functools import functools
from privacyidea.lib.policy import ACTION, SCOPE, ACTIONVALUE, LOGINMODE from privacyidea.lib.policy import ACTION, SCOPE, ACTIONVALUE, LOGINMODE
from privacyidea.lib.user import User from privacyidea.lib.user import User
from privacyidea.lib.utils import parse_timelimit, parse_timedelta, split_pin_pa ss from privacyidea.lib.utils import parse_timelimit, parse_timedelta, split_pin_pa ss
from privacyidea.lib.authcache import verify_in_cache, add_to_cache from privacyidea.lib.authcache import verify_in_cache, add_to_cache
import datetime import datetime
from dateutil.tz import tzlocal from dateutil.tz import tzlocal
skipping to change at line 156 skipping to change at line 157
:param wrapped_function: usually "check_user_pass" :param wrapped_function: usually "check_user_pass"
:param user_object: User who tries to authenticate :param user_object: User who tries to authenticate
:param passw: The PIN and OTP :param passw: The PIN and OTP
:param options: Dict containing values for "g" and "clientip". :param options: Dict containing values for "g" and "clientip".
:return: Tuple of True/False and reply-dictionary :return: Tuple of True/False and reply-dictionary
""" """
options = options or {} options = options or {}
g = options.get("g") g = options.get("g")
auth_cache_dict = None auth_cache_dict = None
if g: if g:
auth_cache_dict = Match.user(g, scope=SCOPE.AUTH, action=ACTION.AUTH_CAC HE, auth_cache_dict = Match.user(g, scope=SCOPE.AUTH, action=ACTION.AUTH_CAC HE,
user_object=user_object).action_values(uniq ue=True, write_to_audit_log=False) user_object=user_object).action_values(uniq ue=True, write_to_audit_log=False)
if auth_cache_dict: if auth_cache_dict:
# verify in cache and return an early success
auth_times = list(auth_cache_dict)[0].split("/") auth_times = list(auth_cache_dict)[0].split("/")
# determine first_auth from policy! # determine first_auth from policy!
first_offset = parse_timedelta(auth_times[0]) first_offset = parse_timedelta(auth_times[0])
first_auth = datetime.datetime.utcnow() - first_offset
last_auth = first_auth # Default if no last auth exists
max_auths = 0 # Default value, 0 has no effect on verification
# Use auth cache when number of allowed authentications is defined
if len(auth_times) == 2: if len(auth_times) == 2:
# Determine last_auth from policy if re.match(r"^\d+$", auth_times[1]):
last_offset = parse_timedelta(auth_times[1]) max_auths = int(auth_times[1])
else: else:
# If there is no last_auth, it is equal to first_auth # Determine last_auth delta from policy
last_offset = first_offset last_offset = parse_timedelta(auth_times[1])
last_auth = datetime.datetime.utcnow() - last_offset
first_auth = datetime.datetime.utcnow() - first_offset
last_auth = datetime.datetime.utcnow() - last_offset
result = verify_in_cache(user_object.login, user_object.realm, result = verify_in_cache(user_object.login, user_object.realm,
user_object.resolver, passw, user_object.resolver, passw,
first_auth=first_auth, first_auth=first_auth,
last_auth=last_auth) last_auth=last_auth,
max_auths=max_auths)
if result: if result:
g.audit_object.add_policy(next(iter(auth_cache_dict.values()))) g.audit_object.add_policy(next(iter(auth_cache_dict.values())))
return True, {"message": "Authenticated by AuthCache."} return True, {"message": "Authenticated by AuthCache."}
# If nothing else returned, call the wrapped function # If nothing else returned, call the wrapped function
res, reply_dict = wrapped_function(user_object, passw, options) res, reply_dict = wrapped_function(user_object, passw, options)
if auth_cache_dict and res: if auth_cache_dict and res:
# If authentication is successful, we store the password in auth_cache # If authentication is successful, we store the password in auth_cache
add_to_cache(user_object.login, user_object.realm, user_object.resolver, passw) add_to_cache(user_object.login, user_object.realm, user_object.resolver, passw)
return res, reply_dict return res, reply_dict
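Review bot: The new `if len(auth_times) == 2:` branch silently accepts a policy value with more than two `/`-separated components; in that case neither `max_auths` nor a separate `last_auth` is applied and the cache is bounded by `first_auth` alone, which is more permissive than an administrator writing such a value likely intended. Consider rejecting it explicitly, e.g. `if len(auth_times) > 2: raise PolicyError("auth_cache policy value has too many components")` (PolicyError is already imported in this module), or at minimum logging the ignored components. The numeric test `re.match(r"^\d+$", auth_times[1])` also tolerates a trailing newline because `$` matches before it; `re.fullmatch(r"\d+", auth_times[1])` states the intent more tightly. The enclosing function's signature and the start of its docstring lie above the hunk; if that docstring does not yet describe the new `<first>/<count>` form alongside `<first>/<last>`, it should, including that `0` disables the count limit.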
 End of changes. 9 change blocks. 
9 lines changed or deleted 16 lines changed or added
