├── .gitignore
├── .travis.yml
├── BLURB
├── COPYING
├── MANIFEST.in
├── NEWS
├── README
├── README.adoc
├── conf
    └── logging.conf
├── doc
    ├── LDAP_Setup.adoc
    ├── REST_API.adoc
    └── YubiHSM_Setup.adoc
├── examples
    ├── dictionary.yubiauth
    ├── http_basic_auth.py
    └── rlm_yubiauth.pl
├── release.py
├── setup.cfg
├── setup.py
├── test
    ├── test_client_api.py
    ├── test_rest_api.py
    ├── test_users.py
    ├── test_yhsm.py
    ├── test_yubikeys.py
    └── utils.py
└── yubiauth
    ├── __init__.py
    ├── client
        ├── __init__.py
        ├── controller.py
        ├── model.py
        ├── rest.py
        ├── templates
        │   ├── assign_yubikey.html
        │   ├── base.html
        │   ├── change_password.html
        │   ├── created.html
        │   ├── form.html
        │   ├── layout.html
        │   ├── logged_in.html
        │   ├── login.html
        │   ├── manage.html
        │   ├── reauthenticate.html
        │   ├── register.html
        │   ├── revocation_code.html
        │   ├── revoke.html
        │   ├── session_required.html
        │   └── yubikey.html
        └── web.py
    ├── config.py
    ├── core
        ├── __init__.py
        ├── controller.py
        ├── ldapauth.py
        ├── model.py
        └── rest.py
    ├── default_settings.py
    ├── server.py
    ├── static
        ├── apple-touch-icon-114x114-precomposed.png
        ├── apple-touch-icon-144x144-precomposed.png
        ├── apple-touch-icon-57x57-precomposed.png
        ├── apple-touch-icon-72x72-precomposed.png
        ├── apple-touch-icon-precomposed.png
        ├── apple-touch-icon.png
        ├── css
        │   ├── bootstrap-responsive.css
        │   ├── bootstrap-responsive.min.css
        │   ├── bootstrap.css
        │   ├── bootstrap.min.css
        │   └── main.css
        ├── favicon.ico
        ├── img
        │   ├── glyphicons-halflings-white.png
        │   └── glyphicons-halflings.png
        └── js
        │   ├── main.js
        │   └── vendor
        │       ├── bootstrap.js
        │       ├── bootstrap.min.js
        │       ├── jquery-1.9.1.min.js
        │       └── modernizr-2.6.2-respond-1.1.0.min.js
    ├── util
        ├── __init__.py
        ├── controller.py
        ├── model.py
        ├── rest.py
        ├── static.py
        └── utils.py
    └── yhsm.py


/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | *.egg-info
3 | *.egg
4 | build/
5 | dist/
6 | html/
7 | .ropeproject
8 | ChangeLog
9 | 


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
 1 | language: python
 2 | python:
 3 |   - "2.6"
 4 |   - "2.7"
 5 | # Disabled as some dependencies don't work on Python 3.
 6 | # - "3.2"
 7 | # command to install dependencies
 8 | install: "pip install -q -e . --use-mirrors"
 9 | # command to run tests
10 | script: "python setup.py test"
11 | git:
12 |   submodules: false
13 | 


--------------------------------------------------------------------------------
/BLURB:
--------------------------------------------------------------------------------
1 | Author: Yubico
2 | Basename: yubiauth
3 | Homepage: http://opensource.yubico.com/yubiauth/
4 | License: BSD-2-Clause
5 | Name: yubiauth
6 | Project: yubiauth
7 | Summary: Authentication backend written in Python


--------------------------------------------------------------------------------
/COPYING:
--------------------------------------------------------------------------------
 1 | Copyright (c) 2013 Yubico AB
 2 | All rights reserved.
 3 | 
 4 |   Redistribution and use in source and binary forms, with or
 5 |   without modification, are permitted provided that the following
 6 |   conditions are met:
 7 | 
 8 |    1. Redistributions of source code must retain the above copyright
 9 |       notice, this list of conditions and the following disclaimer.
10 |    2. Redistributions in binary form must reproduce the above
11 |       copyright notice, this list of conditions and the following
12 |       disclaimer in the documentation and/or other materials provided
13 |       with the distribution.
14 | 
15 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 | FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 | COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 | INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 | BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
22 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
23 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
25 | ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | POSSIBILITY OF SUCH DAMAGE.
27 | 


--------------------------------------------------------------------------------
/MANIFEST.in:
--------------------------------------------------------------------------------
 1 | include COPYING
 2 | include NEWS
 3 | include release.py
 4 | include ChangeLog
 5 | include doc/*.md
 6 | include examples/*
 7 | include conf/*
 8 | recursive-include yubiauth/static *
 9 | recursive-include yubiauth/client/templates *
10 | 


--------------------------------------------------------------------------------
/NEWS:
--------------------------------------------------------------------------------
 1 | * Version 0.3.11 (unreleased)
 2 | 
 3 | * Version 0.3.10 (released 2015-03-11)
 4 |  ** Fix per-user "_ldap_bind_dn" attribute (which was previously ignored).
 5 |  ** Improved documentation.
 6 | 
 7 | * Version 0.3.9 (released 2014-08-02)
 8 |  ** Set pool recycle to 1h in SQLAlchemy (should prevent stale connections for MySQL).
 9 |  ** Added YubiKey lookup from LDAP.
10 |  ** Return 404 when trying to unbind a YubiKey from a user if it was not already bound.
11 | 
12 | * Version 0.3.8 (released 2014-02-21)
13 |  ** Fixed compatibility with newer versions of yubico-client.
14 |  ** Added dictionary for rlm_yubiauth.
15 |  ** Fixed an issue with "allow_empty_passwords" not working correctly.
16 | 
17 | * Version 0.3.7 (released 2013-11-25)
18 |  ** Fixed bug with LDAP user auto-creation.
19 | 
20 | * Version 0.3.6 (released 2013-11-22)
21 |  ** Added LDAP authentication.
22 | 
23 | * Version 0.3.5 (released 2013-07-19)
24 |  ** Added customizable logging configuration.
25 | 
26 | * Version 0.3.4 (released 2013-07-17)
27 |  ** Unbounded attribute values.
28 |  ** Added HTTP Basic Auth example.
29 | 
30 | * Version 0.3.3 (released 2013-06-04)
31 |  ** Renamed /client/status to /client/manage.
32 |  ** Added setting to enable user deletion.
33 | 
34 | * Version 0.3.2 (released 2013-06-04)
35 |  ** Accept longs as well as ints in YubiAuth.get_user().
36 |  ** Improved logging.
37 | 
38 | * Version 0.3.1 (released 2013-05-30)
39 |  ** Bugfix release with include_package_data = True.
40 | 
41 | * Version 0.3.0 (released 2013-05-30)
42 |  ** Added examples/ with FreeRADIUS example.
43 |  ** Use Beaker for session management.
44 |  ** Added basic client UI for user registration and management.
45 | 
46 | * Version 0.2.5 (released 2013-05-17)
47 |  ** Fixed bug where custom YKVAL URLs were ignored.
48 | 
49 | * Version 0.2.4 (released 2013-05-14)
50 |  ** Cleanup rows in user-yubikey bindings table on user/yubikey deletion.
51 |  ** Added renaming of users to core REST API.
52 | 
53 | * Version 0.2.3 (released 2013-05-07)
54 |  ** Better security for updating credentials.
55 |  ** Moved configuration file to /etc/yubico/auth/yubiauth.conf
56 | 
57 | * Version 0.2.2 (released 2013-05-07)
58 |  ** Added auto-provisioning of YubiKeys (on by default)
59 |  ** Added support for empty passwords (off by default).
60 |  ** Added YubiKey identification (off by default).
61 | 
62 | * Version 0.2.1 (released 2013-04-22)
63 |  ** Re-release of 0.2.0 as the original release was missing files.
64 | 
65 | * Version 0.2.0 (released 2013-04-22)
66 |  ** Reorganized namespace.
67 |  ** Added client API.
68 | 
69 | * Version 0.1.3 (released 2013-04-15)
70 |  ** Use latest yubico-client (1.7.0) with new module name.
71 | 
72 | * Version 0.1.2 (released 2013-04-09)
73 |  ** Prevent writing compiled version of the settings file.
74 | 
75 | * Version 0.1.1 (released 2013-04-09)
76 |  ** Added REST_PATH setting.
77 |  ** Renamed configuration file to /etc/yubico/yubiauth/yubiauth.conf
78 | 
79 | * Version 0.1 (released 2013-04-08)
80 |  ** First public release.
81 | 


--------------------------------------------------------------------------------
/README:
--------------------------------------------------------------------------------
 1 | == YubiAuth
 2 | 
 3 | NOTE: This project is deprecated and is no longer being maintained.
 4 | 
 5 | YubiAuth provides a user management system which can be used as a base for 
 6 | other systems. It allows the creation of users, which can be authenticated by
 7 | username, password, and optionally a YubiKey OTP.
 8 | 
 9 | Aside from providing a user authentication backend, YubiAuth allows storing 
10 | and retrieving arbitrary key-value attributes for each user as well as each 
11 | YubiKey.
12 | 
13 | Though effort has been made to store password hashes securely, YubiAuth also 
14 | allows using a YubiHSM for increased security.
15 | 


--------------------------------------------------------------------------------
/README.adoc:
--------------------------------------------------------------------------------
1 | README


--------------------------------------------------------------------------------
/conf/logging.conf:
--------------------------------------------------------------------------------
 1 | [loggers]
 2 | keys=root
 3 | 
 4 | [logger_root]
 5 | level=INFO
 6 | handlers=fileHandler
 7 | 
 8 | [formatters]
 9 | keys=formatter
10 | 
11 | [handlers]
12 | keys=fileHandler
13 | 
14 | [formatter_formatter]
15 | format=[%(levelname)s] %(asctime)s %(name)s: %(message)s
16 | datefmt=%Y-%m-%d %I:%M:%S
17 | 
18 | [handler_fileHandler]
19 | class=handlers.WatchedFileHandler
20 | formatter=formatter
21 | args=("/var/log/yubiauth.log",)
22 | 


--------------------------------------------------------------------------------
/doc/LDAP_Setup.adoc:
--------------------------------------------------------------------------------
 1 | == LDAP Setup
 2 | If you already have an external user database which can be used to authenticate
 3 | users over LDAP, you may use this with YubiAuth instead of the built-in
 4 | password system. When LDAP password validation is used, local password
 5 | validation will be disabled, and each time a user attempts to log in the
 6 | request will be delegated to the LDAP server. Any user that does not exist in
 7 | the LDAP database will not be able to log in. 
 8 | 
 9 | === Configuration
10 | To enable LDAP you will need to modify the configuration file, located here:
11 | 
12 | 	/etc/yubico/auth/yubiauth.conf
13 | 
14 | First off, find the USE_LDAP setting, and change it to True:
15 | 
16 | 	USE_LDAP = True
17 | 
18 | There are two more settings that are required to make things work. These are
19 | set as follows:
20 | 
21 | 	LDAP_SERVER = '<LDAP server URL>'
22 | 
23 | This is the URL to the LDAP server to use for password authentication. The
24 | format for this is defined in http://www.ietf.org/rfc/rfc4516.txt[RFC 4516].
25 | 
26 | 	LDAP_BIND_DN = '<template for Bind DN>'
27 | 
28 | This is a template for the Bind DN used to authenticate a user. The template
29 | string is passed the User object when performing authentication, and uses
30 | Pythons http://docs.python.org/2/library/string.html#formatstrings[string.format]
31 | function to format the string. The User object is passed as "user".
32 | For example:
33 | 
34 | 	LDAP_BIND_DN = 'uid={user.name},ou=People,dc=example,com'
35 | 
36 | If the user "Bob" tries to log in, the above template expands to:
37 | 
38 | 	uid=Bob,ou=People,dc=example,com
39 | 
40 | Note that while {user.name} can always be used to expand to the username,
41 | relying on other attributes may require that the user already exist in the
42 | YubiAuth database to work.
43 | 
44 | Note that what is needed to authenticate the user here is the fully qualified
45 | DN, which might not include the actual username of the user. To connect a user
46 | of with an arbitrary username to a specific LDAP user, you can either use other
47 | user attributes in the template, or use the special attribute "_ldap_bind_dn"
48 | attribute which will override the LDAP_BIND_DN on a user level.
49 | 
50 | Finally, there is an LDAP_AUTO_IMPORT setting which will automatically create
51 | a user in the YubiAuth database if the user tries to log in while LDAP is being
52 | used, and the user does not already exist in YubiAuth. This is only done once
53 | the password has been verified against the LDAP server.
54 | 
55 | For example, if the user "johndoe" tries to log in with the password "letmein",
56 | YubiAuth will query the LDAP server, and if authentication is successful, the
57 | "johndoe" user will be created in YubiAuth, so that YubiKeys may be associated
58 | with the account. If the LDAP_AUTO_IMPORT setting is turned off, then the login
59 | request will fail.
60 | 
61 | === Active Directory
62 | If you use Active Directory you can find out what the Bind DN should be by
63 | doing the following:
64 | 
65 | On the Windows Server, open a command prompt. Run the command:
66 | 
67 | 	dsquery user -name <username>
68 | 
69 | This will list the correct Bind DB to use for the user <username> (you can use
70 | a * instead of a real username and all users will be printed):
71 | 
72 | 	"CN=user1,CN=Users,DC=example,DC=com"
73 | 
74 | In the above case, the Bind DN would then be set to:
75 | 
76 | 	LDAP_BIND_DN = 'CN={user.name},CN=Users,DC=example,DC=com'
77 | 
78 | === Final steps
79 | Everything should now be configured correctly. You will need to restart your
80 | web server for the changes to take effect.
81 | 


--------------------------------------------------------------------------------
/doc/REST_API.adoc:
--------------------------------------------------------------------------------
  1 | == YubiAuth REST API
  2 | All responses are formatted as JSON. Note that the URLs given in this document
  3 | assume standard endpoints, but depending on the configuration of your settings,
  4 | these may differ. There are two separate REST APIs available, the
  5 | <<core,Core API>> and the <<client,Client API>>.
  6 | 
  7 | [[core]]
  8 | == Core API
  9 | The core API grants complete
 10 | administrative powers with the ability to create and modify users, Yubikeys,
 11 | attributes, etc. This API should never be publically exposed. 
 12 | 
 13 | [[users]]
 14 | === Users
 15 | Users each have a unique user ID as well as a unique username. Each user has a
 16 | password, and may have zero or more <<yubikeys,YubiKeys>> assigned to them. 
 17 | Users can have <<attributes,Attributes>>.
 18 | 
 19 | ==== Create a user
 20 | ===== Resource
 21 | 
 22 |  POST http://<host>/core/users
 23 | 
 24 | ===== Request
 25 | *Parameters*
 26 | 
 27 | username::
 28 |  A unique username `(required)`
 29 | 
 30 | password::
 31 |  The password to give to the user `(required)`
 32 | 
 33 | *Example*
 34 | 
 35 |  curl http://127.0.0.1:8080/core/core/users --data "username=trillian&password=foobar"
 36 | 
 37 | ===== Response
 38 | Returns a `201 Created` response, with a `Location` header pointing to the 
 39 | created resource, as well as a JSON body containing the user ID and username:
 40 | 
 41 | [source, js]
 42 | {"id": 41, "name": "trillian"}
 43 | 
 44 | ==== Listing users
 45 | ===== Resource
 46 | 
 47 |  GET http://<host>/core/users
 48 | 
 49 | ===== Request
 50 | Query parameters can optionally be provided to filter users by their Attributes,
 51 | or by their assigned YubiKeys. Only users matching the filters are shown.
 52 | 
 53 | *Example*
 54 | 
 55 |  curl http://127.0.0.1:8080/core/users?yubikey=ccccccccccce
 56 | 
 57 | ===== Response
 58 | Returns a list of user IDs and usernames, for example:
 59 | 
 60 | [source, js]
 61 | ----
 62 | [
 63 |   { 'id': 42, 'name': 'zaphod' },
 64 |   { 'id': 43, 'name': 'ford' }
 65 | ]
 66 | ----
 67 | 
 68 | ==== View a user
 69 | ===== Resource
 70 | 
 71 |  GET http://<host>/core/users/<id-or-username>
 72 | 
 73 | ===== Request
 74 | A user can be uniquely identified by either the user ID or by the username.
 75 | 
 76 | *Example*
 77 | 
 78 |  curl http://127.0.0.1:8080/core/users/43
 79 |  
 80 | or
 81 |  
 82 |  curl http://127.0.0.1:8080/core/users/ford
 83 | 
 84 | ===== Response
 85 | Returns a JSON representation of the user:
 86 | 
 87 | [source, js]
 88 | ----
 89 | {
 90 |   "attributes": {
 91 |     "full_name": "Ford Prefect"
 92 |   },
 93 |   "yubikeys": ["ccccccccccce"],
 94 |   "id": 43, 
 95 |   "name": "ford"
 96 | }
 97 | ----
 98 |  
 99 | ==== Deleting a user
100 | ===== Resource
101 | 
102 |  DELETE http://<host>/core/users/<id-or-username>
103 |  
104 | or
105 | 
106 |  POST http://<host>/core/users/<id-or-username>/delete
107 |  
108 | ===== Request
109 | Deleting a user is done by sending a DELETE request to the user. To accomodate
110 | browsers that do not support this, an alternative is available which uses POST.
111 | 
112 | *Example*
113 | 
114 |  curl -X DELETE http://127.0.0.1:8080/core/users/41
115 |  
116 | or
117 | 
118 |  curl -X POST http://127.0.0.1:8080/core/users/41/delete
119 |  
120 | ===== Response
121 | Returns an empty response with status `204 No Content` on success.
122 | 
123 | ==== (Re-) Setting a users password
124 | ===== Resource
125 | 
126 |  POST http://<host>/core/users/<id-or-username>/reset
127 | 
128 | ===== Request
129 | *Parameters*
130 | 
131 | password:
132 |  The users new password `(required)`
133 | 
134 | *Example*
135 | 
136 |  curl http://127.0.0.1:8080/core/users/41/reset --data "password=newpass"
137 | 
138 | ===== Response
139 | Returns an empty response with status `204 No Content` on success.
140 | 
141 | ==== Validating a users password and/or YubiKey OTP
142 | Checks if a given password and/or YubiKey OTP (One Time Password) is valid for the user.
143 | 
144 | ===== Resource
145 | 
146 |  GET or POST http://<host>/core/users/<id-or-username>/validate
147 | 
148 | ===== Request
149 | *Parameters*
150 | 
151 | password::
152 |  The value of the attribute to set `(optional)`
153 | 
154 | otp::
155 |  The value of the attribute to set `(optional)`
156 | 
157 | *Example*
158 | 
159 |  curl http://127.0.0.1:8080/core/users/41/validatepassword=foo&otp=ccccccccccceglgvbrbttbctichrejkvbjbgigetfgkr
160 | 
161 | ===== Response
162 | A JSON object containing "valid_password" and "valid_otp" keys, each mapping to
163 | either true or false.
164 | For example:
165 | 
166 | [source, js]
167 | ----
168 | {
169 |   "valid_password": true,
170 |   "valid_otp": false
171 | }
172 | ----
173 | 
174 | [[yubikeys]]
175 | === YubiKeys
176 | YubiKeys are identified by their unique prefixes. Each YubiKey can be assigned to
177 | zero or more <<users,Users>>, and can be enabled or disabled. Each YubiKey can have
178 | <<attributes,Attributes>>.
179 | 
180 | ==== Assigning a YubiKey to a User
181 | ===== Resource
182 | 
183 |  POST http://<host>/core/user/<id-or-username>/yubikeys
184 | 
185 | ===== Request
186 | *Parameters*
187 | 
188 | yubikey::
189 |  The prefix of the YubiKey to assign `(required)`
190 | 
191 | *Example*
192 | 
193 |  curl http://127.0.0.1:8080/core/users/1/yubikeys --data "yubikey=ccccccccccce"
194 | 
195 | ===== Response
196 | Returns an empty response with status `204 No Content` on success.
197 | 
198 | ==== View a YubiKey
199 | ===== Resource
200 | 
201 |  GET http://<host>/core/user/<id-or-username>/yubikeys/<prefix>
202 | 
203 | or
204 | 
205 |  GET http://<host>/core/yubikeys/<prefix>
206 | 
207 | ===== Request
208 | A YubiKey can be accessed either via a user to which is is assigned, or directly
209 | via its prefix alone. Note that trying to access an existing YubiKey (correct prefix)
210 | via a user to which it is NOT assigned will result in a 404 Not Found.
211 | 
212 | *Example*
213 | 
214 |  curl http://127.0.0.1:8080/core/users/1/yubikeys/ccccccccccce
215 |  
216 | or
217 | 
218 |  curl http://127.0.0.1:8080/core/yubikeys/ccccccccccce
219 | 
220 | ===== Response
221 | Returns a JSON representation of the YubiKey:
222 | 
223 | [source, js]
224 | ----
225 | {
226 |   "attributes": {},
227 |   "prefix": "ccccccccccce",
228 |   "enabled": true,
229 |   "id": 53
230 | }
231 | ----
232 | 
233 | ==== Unassigning a YubiKey for a User
234 | ===== Resource
235 | 
236 |  DELETE http://<host>/core/user/<id-or-username>/yubikeys/<prefix>
237 | 
238 | or
239 | 
240 |  POST http://<host>/core/user/<id-or-username>/yubikeys/<prefix>/delete
241 | 
242 | ===== Request
243 | Unassigning a YubiKey for a User to which it is assigned is done by sending a 
244 | HTTP DELETE request to it. NOTE that the YubiKey will still exist in the system
245 | retaining its enabled state as well as any attributes. A POST alternative is available.
246 | 
247 | *Example*
248 | 
249 |  curl -X DELETE http://127.0.0.1:8080/core/users/41/yubikeys/ccccccccccce
250 |  
251 | or
252 | 
253 |  curl -X POST http://127.0.0.1:8080/core/users/41/yubikeys/ccccccccccce/delete
254 | 
255 | ===== Response
256 | Returns an empty response with status `204 No Content` on success.
257 | 
258 | ==== Deleting a YubiKey
259 | ===== Resource
260 | 
261 |  DELETE http://<host>/core/yubikeys/<prefix>
262 | 
263 | or
264 | 
265 |  POST http://<host>/core/yubikeys/<prefix>/delete
266 | 
267 | ===== Request
268 | Deleting a YubiKey removes it together with any data it holds from the system, as well
269 | as removing any assignment to it any Users may have.
270 | 
271 | *Example*
272 | 
273 |  curl -X DELETE http://127.0.0.1:8080/core/yubikeys/ccccccccccce
274 | 
275 | or
276 | 
277 |  curl -X POST http://127.0.0.1:8080/core/yubikeys/ccccccccccce/delete
278 | 
279 | ===== Response
280 | Returns an empty response with status `204 No Content` on success.
281 | 
282 | [[attributes]]
283 | === Attributes
284 | Both <<users,Users>> and <<yubikeys,YubiKeys>> have attributes. These are accessed by 
285 | taking the path of the user or YubiKey and appending "/attributes" to the end, for example:
286 | 
287 |  http://127.0.0.1:8080/core/users/42/attributes
288 | 
289 | or
290 | 
291 |  http://127.0.0.1:8080/core/yubikeys/cccccccccccd/attributes
292 |  
293 | or
294 | 
295 |  http://127.0.0.1:8080/core/users/42/yubikeys/cccccccccccd/attributes
296 | 
297 | In the following requests, any of the above formats qualify as `attribute_base`.
298 | 
299 | ==== View attributes
300 | ===== Resource
301 | 
302 |  GET http://<host>/core/<attribute_base>
303 | 
304 | ===== Request
305 | *Example*
306 | 
307 |  curl http://127.0.0.1:8080/core/users/42/attributes
308 | 
309 | ===== Response
310 | A JSON object with key-values matching the attributes.
311 | 
312 | [source, js]
313 | ----
314 | {
315 |   "full_name": "Ford Prefect"
316 |   "email": "ford@example.com",
317 | }
318 | ----
319 | 
320 | ==== Set attribute
321 | Sets the value of an attribute. If the attribute already exists, it will be
322 | overwritten.
323 | 
324 | ===== Resource
325 | 
326 |  POST http://<host>/core/<attribute_base>
327 | 
328 | ===== Request
329 | *Parameters*
330 | 
331 | key::
332 |  The key of the attribute to set `(required)`
333 | 
334 | value::
335 |  The value of the attribute to set `(required)`
336 | 
337 | *Example*
338 | 
339 |  curl http://127.0.0.1:8080/core/users/42/attributes --data "key=email&value=ford@example.com"
340 | 
341 | ===== Response
342 | Returns an empty response with status `204 No Content` on success.
343 | 
344 | ==== Get attribute
345 | Gets the value of a single attribute.
346 | 
347 | ===== Resource
348 | 
349 |  GET http://<host>/core/<attribute_base>/<key>
350 | 
351 | ===== Request
352 | *Example*
353 | 
354 |  curl http://127.0.0.1:8080/core/users/42/attributes/email
355 | 
356 | ===== Response
357 | A JSON string, or null, for example:
358 | 
359 |  "ford@example.com"
360 | 
361 | ==== Unset/Delete attribute
362 | Removes an attribute, if it exists.
363 | 
364 | ===== Resource
365 | 
366 |  DELETE http://<host>/core/<attribute_base>/<key>
367 | 
368 | or
369 | 
370 |  POST http://<host>/core/<attribute_base>/<key>/delete
371 | 
372 | ===== Request
373 | Attributes are removed by sending a HTTP DELETE request (POST alternative 
374 | available).
375 | 
376 | *Example*
377 | 
378 |  curl -X DELETE http://127.0.0.1:8080/core/users/42/attributes/email
379 | 
380 | ===== Response
381 | Returns an empty response with status `204 No Content`.
382 | 
383 | [[client]]
384 | == Client API
385 | The client API provides user authentication and modification of individual
386 | users, as well as session management. This API can be used by clients wishing
387 | to administer a single users password and yubikeys. Many of the actions
388 | require a valid session for the user on which to perform the action.
389 | 
390 | [[authentication]]
391 | === Authentication
392 | Validate user credentials. Also see Validating a users password and/or YubiKey
393 | under <<users,Users>> in the <<core,Core API>>.
394 | 
395 | ==== Authenticate a user
396 | Checks if the provided credentials are valid and sufficient to authenticate a
397 | user. The username may be omitted if the server allows OTP based user
398 | identification, and a valid OTP is provided.
399 | 
400 | ===== Resource
401 | 
402 |  GET or POST http://<host>/client/authenticate
403 | 
404 | ===== Request
405 | *Parameters*
406 | 
407 | username::
408 |  The username of the user to authenticate `(optional)`
409 | 
410 | password::
411 |  The users password `(optional)`
412 | 
413 | otp::
414 |  A valid OTP from a YubiKey that is assigned to the user `(optional)`
415 | 
416 | *Example*
417 | 
418 |  curl http://127.0.0.1:8080/client/authenticate --data "username=trillian&password=foo"
419 | 
420 | ===== Response
421 | Returns a JSON boolean true value if the given parameters are valid and
422 | sufficient to authenticate the given user, false otherwise.
423 | 
424 | [[sessions]]
425 | === Sessions
426 | Create, view and destroy user sessions. Creating a session results in a session
427 | cookie which must been included in requests for actions requiring a session.
428 | The cookie may be passed in cookie form, or alternatively, in the
429 | X-YubiAuth-Session HTTP header. Calling a resource that requires a valid
430 | session without a valid session cookie will result in an error. For example:
431 | 
432 | [source, js]
433 | ----
434 | {
435 |   "error": "Session required!"
436 | }
437 | ----
438 | 
439 | ==== Create a session
440 | Creates a new session for the given user, returning a session cookie.
441 | 
442 | ===== Resource
443 | 
444 |  GET or POST http://<host>/client/login
445 | 
446 | ===== Request
447 | *Parameters*
448 | 
449 | username::
450 |  The username of the user to authenticate `(optional)`
451 | 
452 | password::
453 |  The users password `(optional)`
454 | 
455 | otp::
456 |  A valid OTP from a YubiKey that is assigned to the user `(optional)`
457 | 
458 | *Example*
459 | 
460 |  curl http://127.0.0.1:8080/client/login --data "username=trillian&password=foo"
461 | 
462 | ===== Response
463 | Returns a JSON object containing a session cookie if the given parameters are
464 | valid and sufficient to authenticate the given user. Returns an error
465 | otherwise. For example:
466 | 
467 | [source, js]
468 | ----
469 | {
470 |   "session": "6cfba105278bb491c35aaffe727df40664265b27d3ffe472638540bf91af73f77884be55"
471 | }
472 | ----
473 | 
474 | Besides returning the cookie in the JSON response, the HTTP response will set
475 | the session cookie as a HTTP cookie.
476 | 
477 | ==== Destroy a session
478 | ===== Resource
479 | 
480 |  GET or POST http://<host>/client/logout
481 | 
482 | ===== Request
483 | *Requires valid session*
484 | 
485 | *Example*
486 | 
487 |  curl http://127.0.0.1:8080/client/logout -H "X-YubiAuth-Session: 6cfb...be55"
488 | 
489 | ===== Response
490 | Invalidates the session and returns a JSON boolean true value if the given
491 | session cookie was valid. Returns an error otherwise.
492 | 
493 | ==== Get the status of a session
494 | ===== Resource
495 | 
496 |  GET or POST http://<host>/client/status
497 | 
498 | ===== Request
499 | *Requires valid session*
500 | 
501 | *Example*
502 | 
503 |  curl http://127.0.0.1:8080/client/status -H "X-YubiAuth-Session: 6cfb...be55"
504 | 
505 | ===== Response
506 | Returns a JSON object with information about the user if the given session
507 | cookie was valid. Returns an error otherwise. For example:
508 | 
509 | [source, js]
510 | ----
511 | {
512 |   "username": "trillian",
513 |   "user_id": 41,
514 |   "prefix": "ccccccccccce",
515 |   "_accessed_time": 1426068715.018119,
516 |   "_creation_time": 1426068593.186552
517 | }
518 | ----
519 | 
520 | ==== Change the users password
521 | Sets a new password for the authenticated uses. This requires the caller to
522 | provide authentication again, in the form of the current password and a new
523 | OTP (if applicable).
524 | 
525 | ===== Resource
526 | 
527 |  GET or POST http://<host>/client/password
528 | 
529 | ===== Request
530 | *Requires valid session*
531 | 
532 | *Parameters*
533 | 
534 | newpass::
535 |  The new password to set for the user `(required)`
536 | 
537 | oldpass::
538 |  The current password of the user `(optional)`
539 | 
540 | otp::
541 |  A valid OTP from a YubiKey that is assigned to the user `(optional)`
542 | 
543 | *Example*
544 | 
545 |  curl http://127.0.0.1:8080/client/password -d''
546 | 
547 | ===== Response
548 | Returns a JSON boolean true value if successful.
549 | 
550 | NOTE: This API is not fully documented.
551 | 


--------------------------------------------------------------------------------
/doc/YubiHSM_Setup.adoc:
--------------------------------------------------------------------------------
  1 | == YubiHSM Setup
  2 | While YubiAuth works fine without the use of a
  3 | http://www.yubico.com/products/yubihsm/[YubiHSM], the security of your users
  4 | passwords can be greatly increased by use of one. This document describes why
  5 | you may want to use a YubiHSM together with YubiAuth, and how to set it all up.
  6 | 
  7 | === Benefits of a YubiHSM
  8 | ==== Without a YubiHSM
  9 | In the event that your server becomes compromised, an attacker may gain access
 10 | to the YubiAuth database, which stores user credentials such as usernames and
 11 | passwords. Passwords are never stored as plain text, they are always hashed
 12 | to make it as difficult as possible for an attacker to extract them. Even so,
 13 | if the attacker can guess a users password, they can use the database to
 14 | verify if their guess is correct or not. Given enough time and processing
 15 | power, an attacker test weak passwords such as words or simple phases, and
 16 | expose some of your users passwords that way.
 17 | 
 18 | ==== With a YubiHSM
 19 | When using a YubiHSM, users passwords are hashed using a keyed hash. This key
 20 | exists inside the YubiHSM hardware device, and never leaves it. Without the
 21 | physical device, it becomes impossible for an attacker to verify if a guessed
 22 | password is correct or not. This means that even if an attacker gains access
 23 | to the YubiAuth server, the attacker can at most test passwords for as long
 24 | as (s)he has access to the machine, and at a very low rate. As soon as the
 25 | intrusion becomes detected and the YubiHSM is disconnected (or the attacker
 26 | loses access), the attacker can no longer test passwords, even with a copy of
 27 | the database.
 28 | 
 29 | === Configuration
 30 | For maximum security, a YubiHSM should have as restrictive permissions set as
 31 | possible. Here are instructions on how to configure a YubiHSM with the bare
 32 | minimum required for use with YubiAuth.
 33 | 
 34 | ==== YubiHSM
 35 | Insert the YubiHSM into the USB-slot of a trusted computer, preferably one
 36 | which is not connected to the Internet (this is for initially programming the
 37 | YubiHSM) while pressing the configuration switch to enter configuration mode.
 38 | Once connected, access the device configuration by opening a terminal program,
 39 | and connecting to the device (See the
 40 | https://www.yubico.com/wp-content/uploads/2015/04/YubiHSM-Manual_1_5_0.pdf[YubiHSM Manual]
 41 | for detailed instructions). If the YubiHSM has been previously configured,
 42 | begin by erasing the old configuration as described in the manual. With an
 43 | empty configuration, program the YubiHSM in hsm mode with HMAC_SHA1_GENERATE
 44 | enabled:
 45 | 
 46 | 	NO CFG> hsm 00010000
 47 | 
 48 | Optionally, set a master password and add admin YubiKeys. See the YubiHSM
 49 | manual for more details.
 50 | 
 51 | Once configured, you will need to generate at least one key to use:
 52 | 
 53 | 	HSM> keygen 1 1 20 - using flags 00010000 and len 032
 54 | 	00000001,a90327480bdb3876cb84883b91f8795e61fb460f6ba09f2a7fa03554549fe43b
 55 | 	HSM> keycommit - Done
 56 | 
 57 | The above commands will generate a random key and commit it to memory. You
 58 | will most likely want to make note of the generated key, but it is vital that
 59 | you keep it safe. If it becomes known to an attacker the benefit of having a
 60 | YubiHSM will be lost.
 61 | 
 62 | Once done, exit the configuration mode:
 63 | 
 64 | 	HSM> exit
 65 | 
 66 | Now, remove the YubiHSM device and plug it into the YubiAuth server machine
 67 | (without pressing the configuration mode button). If the YubiHSM was
 68 | configured with a master password and/or administrator YubiKeys, you will need
 69 | to unlock the device as described in the manual (this needs to be done each
 70 | time the server is rebooted).
 71 | 
 72 | ==== python-pyhsm
 73 | Once the YubiHSM has been configured with a key that can be used for password
 74 | hashing, you need to instruct YubiAuth to use it. First off, you will need to
 75 | install the python-pyhsm package if it is not already installed. For debian
 76 | this is done by running the following command:
 77 | 
 78 | 	sudo apt-get install python-pyshm
 79 | 
 80 | The recommended way of interfacing with the YubiHSM through YubiAuth is via
 81 | the yhsm-daemon process which is part of the python-pyhsm package. This allows
 82 | multiple applications to access a single YubiHSM on the same computer. See the
 83 | https://github.com/Yubico/python-pyhsm/wiki[python-pyhsm documentation] for
 84 | more information. With the daemon running, YubiAuth can connect to it over the
 85 | loopback interface.
 86 | 
 87 | ==== YubiAuth
 88 | Now the only thing remaining is to tell YubiAuth to use the YubiHSM, which is
 89 | done by editing the configuration file located here:
 90 | 
 91 | 	/etc/yubico/auth/yubiauth.conf
 92 | 
 93 | First off, find the USE_HSM setting, and change it to True:
 94 | 
 95 | 	USE_HSM = True
 96 | 
 97 | Once that is done, the default settings should take care of the rest. You may
 98 | want to skim through the rest of the configuration file as well, to make sure
 99 | everything is correct. Make sure the YHSM_DEVICE settings is correct according
100 | to how you set up the yhsm-daemon, and make sure CRYPT_CONTEXT has the correct
101 | key handle (the yhsm_pbkdf2_sha1__key_handle setting, which should correspond
102 | to the key generated when running the keygen command in the YubiHSM step).
103 | 
104 | ===== Existing passwords
105 | If this is a new installation you can skip this section. If not, it is
106 | important to realize that existing users passwords are not automatically
107 | protected by the YubiHSM. First, their passwords have to be migrated to use
108 | the YubiHSM, which is automatically done the next time they change their
109 | password. It is up to you to get your existing users to update their
110 | passwords to get the increased security.
111 | 
112 | As an alternative, YubiAuth will automatically migrate users existing passwords
113 | when they log in. This is not quite as secure as having your users change
114 | their passwords, which we recommend you do. 
115 | 
116 | ==== Final steps
117 | Everything should now be configured correctly. You will need to restart your
118 | web server for the changes to take effect.
119 | 


--------------------------------------------------------------------------------
/examples/dictionary.yubiauth:
--------------------------------------------------------------------------------
1 | #
2 | #	YubiKey specific dictionary attributes. This file needs
3 | #	to be included in /etc/freeradius/dictionary like so:
4 | #
5 | #	$INCLUDE	/path/to/dictionary.rlm_yubiauth
6 | #
7 | 
8 | ATTRIBUTE       Yubikey-OTP       3000    string
9 | 


--------------------------------------------------------------------------------
/examples/http_basic_auth.py:
--------------------------------------------------------------------------------
  1 | # Copyright (c) 2013 Yubico AB
  2 | # All rights reserved.
  3 | #
  4 | # Redistribution and use in source and binary forms, with or without
  5 | # modification, are permitted provided that the following conditions are
  6 | # met:
  7 | #
  8 | #   * Redistributions of source code must retain the above copyright
  9 | #     notice, this list of conditions and the following disclaimer.
 10 | #
 11 | #   * Redistributions in binary form must reproduce the above
 12 | #     copyright notice, this list of conditions and the following
 13 | #     disclaimer in the documentation and/or other materials provided
 14 | #     with the distribution.
 15 | #
 16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 19 | # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 20 | # OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 22 | # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 23 | # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 24 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 25 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 26 | # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 27 | 
 28 | #
 29 | # This is a working example of using a YubiAuth backend to validate HTTP BASIC
 30 | # AUTH user authentication. It can be used, for example, by mod_wsgi to add
 31 | # authetication to a WSGI application.
 32 | #
 33 | # YubiKey OTPs are expected to be appended to either the username or password.
 34 | #
 35 | 
 36 | import re
 37 | import base64
 38 | import requests
 39 | 
 40 | OTP_PATTERN = re.compile(r'^(.*)([cbdefghijklnrtuv]{44})$')
 41 | 
 42 | 
 43 | def parse_auth(auth):
 44 |     username, password = base64.b64decode(auth).split(':', 1)
 45 |     username_match = OTP_PATTERN.match(username)
 46 |     if username_match:
 47 |         username = username_match.group(1)
 48 |         otp = username_match.group(2)
 49 |     else:
 50 |         password_match = OTP_PATTERN.match(password)
 51 |         if password_match:
 52 |             password = password_match.group(1)
 53 |             otp = password_match.group(2)
 54 |         else:
 55 |             otp = None
 56 |     return username, password, otp
 57 | 
 58 | 
 59 | class YubiAuthValidator(object):
 60 |     """
 61 |     Validates HTTP BASIC authentication credentials using a YubiAuth backend.
 62 |     HTTP BASIC sends the credentials for each request. Initially we parse
 63 |     the username, password and (optionally) OTP and create a user session.
 64 |     On subsequent requests, we use the auth string as a key to lookup the
 65 |     session key and validate the session.
 66 | 
 67 |     Example:
 68 |     validator = YubiAuthValidator()
 69 |     if validator(auth):
 70 |         print 'Validation OK!'
 71 |     """
 72 |     def __init__(self, url='http://127.0.0.1/yubiauth/client'):
 73 |         self.base_url = url
 74 |         self.sessions = {}
 75 | 
 76 |     def __call__(self, auth):
 77 |         """
 78 |         Call with the Base64 encoded auth string from the request.
 79 |         Returns True on successful authentication, else False.
 80 |         """
 81 |         if auth in self.sessions:
 82 |             return self.validate_session(auth)
 83 |         return self.create_session(auth)
 84 | 
 85 |     def create_session(self, auth):
 86 |         username, password, otp = parse_auth(auth)
 87 |         if not self.validate_user(username):
 88 |             return False
 89 |         url = '%s/login' % self.base_url
 90 |         response = requests.post(url, data={
 91 |             'username': username, 'password': password, 'otp': otp})
 92 |         if response.status_code == requests.codes.ok:
 93 |             self.sessions[auth] = response.cookies['YubiAuth-Session']
 94 |             return True
 95 |         return False
 96 | 
 97 |     def validate_user(self, username):
 98 |         """
 99 |         Override this to return False if the given user shouldn't be granted
100 |         access.
101 |         """
102 |         return True
103 | 
104 |     def validate_session(self, auth):
105 |         if auth in self.sessions:
106 |             session_id = self.sessions[auth]
107 |             url = '%s/status' % self.base_url
108 |             response = requests.get(url,
109 |                                     cookies={'YubiAuth-Session': session_id})
110 |             if response.status_code == requests.codes.ok:
111 |                 return True
112 |             del self.sessions[auth]
113 |         return False
114 | 
115 | validator = YubiAuthValidator()
116 | 
117 | 
118 | # check_password function for use with mod_wsgi. To use, add this to your
119 | # Apache configuration.
120 | #
121 | # AuthType Basic
122 | # AuthName "YubiAuth"
123 | # AuthBasicProvider wsgi
124 | # WSGIAuthUserScript /path/to/http_basic_auth.py
125 | # Require valid-user
126 | def check_password(environ, user, password):
127 |     # mod_wsgi has already unpacked the username and password,
128 |     # but we expect them to be packed, so re-pack:
129 |     return validator(base64.b64encode('%s:%s' % (user, password)))
130 | 


--------------------------------------------------------------------------------
/examples/rlm_yubiauth.pl:
--------------------------------------------------------------------------------
  1 | # Copyright (c) 2013 Yubico AB
  2 | # All rights reserved.
  3 | #
  4 | # Redistribution and use in source and binary forms, with or without
  5 | # modification, are permitted provided that the following conditions are
  6 | # met:
  7 | #
  8 | #   * Redistributions of source code must retain the above copyright
  9 | #     notice, this list of conditions and the following disclaimer.
 10 | #
 11 | #   * Redistributions in binary form must reproduce the above
 12 | #     copyright notice, this list of conditions and the following
 13 | #     disclaimer in the documentation and/or other materials provided
 14 | #     with the distribution.
 15 | #
 16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 19 | # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 20 | # OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 22 | # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 23 | # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 24 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 25 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 26 | # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 27 | 
 28 | #
 29 | # This is a working example of how to configure FreeRADIUS to use YubiAuth
 30 | # to authenticate users.
 31 | #
 32 | # To use, configure the rlm_perl module in FreeRadius to use this script, and
 33 | # add the Perl module to the authorize and authenticate sections of your site
 34 | # configuration.
 35 | #
 36 | # You will also need to add the accompanying dictionary file to be included in
 37 | # /etc/freeradius/dictionary
 38 | # 
 39 | # YubiKey OTPs are expected to be appended to either the username or password.
 40 | #
 41 | 
 42 | use strict;
 43 | use warnings;
 44 | use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
 45 | use LWP::UserAgent;
 46 | 
 47 | our $id_len = 12;
 48 | our $yubiauth_url = "http://localhost/yubiauth/client/authenticate";
 49 | 
 50 | my $otp_len = 32 + $id_len;
 51 | 
 52 | ########################
 53 | # FreeRADIUS functions #
 54 | ########################
 55 | 
 56 | use constant    RLM_MODULE_REJECT=>    0;#  /* immediately reject the request */
 57 | use constant	RLM_MODULE_FAIL=>      1;#  /* module failed, don't reply */
 58 | use constant	RLM_MODULE_OK=>	2;#  /* the module is OK, continue */
 59 | use constant	RLM_MODULE_HANDLED=>   3;#  /* the module handled the request, so stop. */
 60 | use constant	RLM_MODULE_INVALID=>   4;#  /* the module considers the request invalid. */
 61 | use constant	RLM_MODULE_USERLOCK=>  5;#  /* reject the request (user is locked out) */
 62 | use constant	RLM_MODULE_NOTFOUND=>  6;#  /* user not found */
 63 | use constant	RLM_MODULE_NOOP=>      7;#  /* module succeeded without doing anything */
 64 | use constant	RLM_MODULE_UPDATED=>   8;#  /* OK (pairs modified) */
 65 | use constant	RLM_MODULE_NUMCODES=>  9;#  /* How many return codes there are */
 66 | 
 67 | 
 68 | # Extract the OTP appended to the username or password.
 69 | sub authorize {
 70 | 	# Extract OTP, if available
 71 | 	my $otp = '';
 72 | 	if($RAD_REQUEST{'User-Name'} =~ /[cbdefghijklnrtuv]{$otp_len}$/) {
 73 | 		my $username_len = length($RAD_REQUEST{'User-Name'}) - $otp_len;
 74 | 		$RAD_REQUEST{'Yubikey-OTP'} = substr $RAD_REQUEST{'User-Name'}, $username_len;
 75 | 		$RAD_REQUEST{'User-Name'} = substr $RAD_REQUEST{'User-Name'}, 0, $username_len;
 76 | 	} elsif($RAD_REQUEST{'User-Password'} =~ /[cbdefghijklnrtuv]{$otp_len}$/) {
 77 | 		my $password_len = length($RAD_REQUEST{'User-Password'}) - $otp_len;
 78 | 		$RAD_REQUEST{'Yubikey-OTP'} = substr $RAD_REQUEST{'User-Password'}, $password_len;
 79 | 		$RAD_REQUEST{'User-Password'} = substr $RAD_REQUEST{'User-Password'}, 0, $password_len;
 80 | 	}
 81 | 
 82 | 	$RAD_CHECK{'Auth-Type'} = "Perl";
 83 | 	return RLM_MODULE_UPDATED;
 84 | }
 85 | 
 86 | sub authenticate {
 87 | 	my %data = ();
 88 | 	if($RAD_REQUEST{'User-Name'} ne '') {
 89 | 		$data{'username'} = $RAD_REQUEST{'User-Name'};
 90 | 	}
 91 | 	if($RAD_REQUEST{'User-Password'} ne '') {
 92 | 		$data{'password'} = $RAD_REQUEST{'User-Password'};
 93 | 	}
 94 | 	if($RAD_REQUEST{'Yubikey-OTP'} ne '') {
 95 | 		$data{'otp'} = $RAD_REQUEST{'Yubikey-OTP'};
 96 | 	}
 97 | 
 98 | 	my $ua = LWP::UserAgent->new();
 99 | 	my $response = $ua->post($yubiauth_url, [%data]);
100 | 	my $content  = $response->decoded_content();
101 | 
102 | 	if($content eq "true") {
103 | 		return RLM_MODULE_OK;
104 | 	} else {
105 | 		$RAD_REPLY{'Reply-Message'} = $content;
106 | 		return RLM_MODULE_REJECT;
107 | 	}
108 | }
109 | 


--------------------------------------------------------------------------------
/release.py:
--------------------------------------------------------------------------------
  1 | # Copyright (c) 2013 Yubico AB
  2 | # All rights reserved.
  3 | #
  4 | #   Redistribution and use in source and binary forms, with or
  5 | #   without modification, are permitted provided that the following
  6 | #   conditions are met:
  7 | #
  8 | #    1. Redistributions of source code must retain the above copyright
  9 | #       notice, this list of conditions and the following disclaimer.
 10 | #    2. Redistributions in binary form must reproduce the above
 11 | #       copyright notice, this list of conditions and the following
 12 | #       disclaimer in the documentation and/or other materials provided
 13 | #       with the distribution.
 14 | #
 15 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 16 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 17 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 18 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 19 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 20 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 21 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 22 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 23 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 24 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 25 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 26 | # POSSIBILITY OF SUCH DAMAGE.
 27 | 
 28 | from distutils import log
 29 | from distutils.core import Command
 30 | from distutils.errors import DistutilsSetupError
 31 | import os
 32 | import re
 33 | from datetime import date
 34 | 
 35 | 
 36 | class release(Command):
 37 |     description = "create and release a new version"
 38 |     user_options = [
 39 |         ('keyid', None, "GPG key to sign with"),
 40 |         ('skip-tests', None, "skip running the tests"),
 41 |         ('pypi', None, "publish to pypi"),
 42 |     ]
 43 |     boolean_options = ['skip-tests', 'pypi']
 44 | 
 45 |     def initialize_options(self):
 46 |         self.keyid = None
 47 |         self.skip_tests = 0
 48 |         self.pypi = 0
 49 | 
 50 |     def finalize_options(self):
 51 |         self.cwd = os.getcwd()
 52 |         self.fullname = self.distribution.get_fullname()
 53 |         self.name = self.distribution.get_name()
 54 |         self.version = self.distribution.get_version()
 55 | 
 56 |     def _verify_version(self):
 57 |         with open('NEWS', 'r') as news_file:
 58 |             line = news_file.readline()
 59 |         now = date.today().strftime('%Y-%m-%d')
 60 |         if not re.search(r'Version %s \(released %s\)' % (self.version, now),
 61 |                          line):
 62 |             raise DistutilsSetupError("Incorrect date/version in NEWS!")
 63 | 
 64 |     def _verify_tag(self):
 65 |         if os.system('git tag | grep -q "^%s\$"' % self.fullname) == 0:
 66 |             raise DistutilsSetupError(
 67 |                 "Tag '%s' already exists!" % self.fullname)
 68 | 
 69 |     def _sign(self):
 70 |         if os.path.isfile('dist/%s.tar.gz.asc' % self.fullname):
 71 |             # Signature exists from upload, re-use it:
 72 |             sign_opts = ['--output dist/%s.tar.gz.sig' % self.fullname,
 73 |                          '--dearmor dist/%s.tar.gz.asc' % self.fullname]
 74 |         else:
 75 |             # No signature, create it:
 76 |             sign_opts = ['--detach-sign', 'dist/%s.tar.gz' % self.fullname]
 77 |             if self.keyid:
 78 |                 sign_opts.insert(1, '--default-key ' + self.keyid)
 79 |         self.execute(os.system, ('gpg ' + (' '.join(sign_opts)),))
 80 | 
 81 |         if os.system('gpg --verify dist/%s.tar.gz.sig' % self.fullname) != 0:
 82 |             raise DistutilsSetupError("Error verifying signature!")
 83 | 
 84 |     def _tag(self):
 85 |         tag_opts = ['-s', '-m ' + self.fullname, self.fullname]
 86 |         if self.keyid:
 87 |             tag_opts[0] = '-u ' + self.keyid
 88 |         self.execute(os.system, ('git tag ' + (' '.join(tag_opts)),))
 89 | 
 90 |     def _do_call_publish(self, cmd):
 91 |         self._published = os.system(cmd) == 0
 92 | 
 93 |     def _publish(self):
 94 |         web_repo = os.getenv('YUBICO_GITHUB_REPO')
 95 |         if web_repo and os.path.isdir(web_repo):
 96 |             artifacts = [
 97 |                 'dist/%s.tar.gz' % self.fullname,
 98 |                 'dist/%s.tar.gz.sig' % self.fullname
 99 |             ]
100 |             cmd = '%s/publish %s %s %s' % (
101 |                 web_repo, self.name, self.version, ' '.join(artifacts))
102 | 
103 |             self.execute(self._do_call_publish, (cmd,))
104 |             if self._published:
105 |                 self.announce("Release published! Don't forget to:", log.INFO)
106 |                 self.announce("")
107 |                 self.announce("    (cd %s && git push)" % web_repo, log.INFO)
108 |                 self.announce("")
109 |             else:
110 |                 self.warn("There was a problem publishing the release!")
111 |         else:
112 |             self.warn("YUBICO_GITHUB_REPO not set or invalid!")
113 |             self.warn("This release will not be published!")
114 | 
115 |     def run(self):
116 |         if os.getcwd() != self.cwd:
117 |             raise DistutilsSetupError("Must be in package root!")
118 | 
119 |         self._verify_version()
120 |         self._verify_tag()
121 | 
122 |         self.execute(os.system, ('git2cl > ChangeLog',))
123 | 
124 |         if not self.skip_tests:
125 |             self.run_command('check')
126 |             # Nosetests calls sys.exit(status)
127 |             try:
128 |                 self.run_command('nosetests')
129 |             except SystemExit as e:
130 |                 if e.code != 0:
131 |                     raise DistutilsSetupError("There were test failures!")
132 | 
133 |         self.run_command('sdist')
134 | 
135 |         if self.pypi:
136 |             cmd_obj = self.distribution.get_command_obj('upload')
137 |             cmd_obj.sign = True
138 |             if self.keyid:
139 |                 cmd_obj.identity = self.keyid
140 |             self.run_command('upload')
141 | 
142 |         self._sign()
143 |         self._tag()
144 | 
145 |         self._publish()
146 | 
147 |         self.announce("Release complete! Don't forget to:", log.INFO)
148 |         self.announce("")
149 |         self.announce("    git push && git push --tags", log.INFO)
150 |         self.announce("")
151 | 


--------------------------------------------------------------------------------
/setup.cfg:
--------------------------------------------------------------------------------
1 | [nosetests]
2 | attr=!hsm
3 | 


--------------------------------------------------------------------------------
/setup.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #
 3 | # Copyright (c) 2013 Yubico AB
 4 | # All rights reserved.
 5 | #
 6 | #   Redistribution and use in source and binary forms, with or
 7 | #   without modification, are permitted provided that the following
 8 | #   conditions are met:
 9 | #
10 | #    1. Redistributions of source code must retain the above copyright
11 | #       notice, this list of conditions and the following disclaimer.
12 | #    2. Redistributions in binary form must reproduce the above
13 | #       copyright notice, this list of conditions and the following
14 | #       disclaimer in the documentation and/or other materials provided
15 | #       with the distribution.
16 | #
17 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
18 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
19 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
20 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
21 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
22 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
23 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
25 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
27 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 | # POSSIBILITY OF SUCH DAMAGE.
29 | #
30 | 
31 | from setuptools import setup
32 | import sys
33 | import os
34 | import re
35 | from release import release
36 | 
37 | # This is needed for Travis to run the tests without errors.
38 | # See: http://bugs.python.org/issue15881#msg170215
39 | try:
40 |     import multiprocessing
41 | except ImportError:
42 |     pass
43 | 
44 | tests_require = ['nose>=1.0', 'WebTest', 'mock']
45 | 
46 | # Don't load custom settings (for tests, etc.)
47 | os.environ['YUBIAUTH_SETTINGS'] = '/dev/null'
48 | 
49 | # Require pyhsm if running hsm tests
50 | if 'hsm' in sys.argv:
51 |     tests_require.append('pyhsm')
52 | 
53 | python_ldap = 'python-ldap' if sys.version_info[0] < 3 else 'python3-ldap'
54 | 
55 | VERSION_PATTERN = re.compile(r"(?m)^__version__\s*=\s*['\"](.+)['\"]$")
56 | 
57 | 
58 | def get_version():
59 |     """Return the current version as defined by neoman/__init__.py."""
60 | 
61 |     with open('yubiauth/__init__.py', 'r') as f:
62 |         match = VERSION_PATTERN.search(f.read())
63 |         return match.group(1)
64 | 
65 | 
66 | setup(
67 |     name='yubiauth',
68 |     version=get_version(),
69 |     author='Dain Nilsson',
70 |     author_email='dain@yubico.com',
71 |     maintainer='Yubico Open Source Maintainers',
72 |     maintainer_email='ossmaint@yubico.com',
73 |     url='https://github.com/Yubico/yubiauth',
74 |     license='BSD 2 clause',
75 |     packages=['yubiauth', 'yubiauth.core', 'yubiauth.client', 'yubiauth.util'],
76 |     include_package_data=True,
77 |     data_files=[('/etc/yubico/auth', ['conf/logging.conf'])],
78 |     install_requires=['SQLAlchemy', 'WebOb', 'passlib', 'yubico-client',
79 |                       'Beaker', 'Jinja2', 'WTForms', python_ldap],
80 |     test_suite="nose.collector",
81 |     tests_require=tests_require,
82 |     cmdclass={'release': release},
83 |     classifiers=[
84 |         'License :: OSI Approved :: BSD License',
85 |         'Operating System :: OS Independent',
86 |         'Programming Language :: Python',
87 |         'Development Status :: 4 - Beta',
88 |         'Environment :: Web Environment',
89 |         'Intended Audience :: Developers',
90 |         'Intended Audience :: System Administrators',
91 |         'Topic :: Security :: Cryptography',
92 |         'Topic :: Internet :: WWW/HTTP',
93 |         'Topic :: Internet :: WWW/HTTP :: WSGI :: Application',
94 |         'Topic :: Software Development :: Libraries :: Python Modules'
95 |     ]
96 | )
97 | 


--------------------------------------------------------------------------------
/test/test_client_api.py:
--------------------------------------------------------------------------------
  1 | from webtest import TestApp
  2 | from yubiauth.client.rest import application, SESSION_COOKIE, SESSION_HEADER
  3 | from yubiauth.util.model import engine
  4 | from yubiauth import create_tables, YubiAuth
  5 | from utils import setting
  6 | from mock import patch
  7 | 
  8 | 
  9 | create_tables(engine)
 10 | 
 11 | app = TestApp(application)
 12 | 
 13 | 
 14 | def setup():
 15 |     auth = YubiAuth()
 16 |     for user in auth.query_users():
 17 |         auth.get_user(user['id']).delete()
 18 |     auth.commit()
 19 |     auth.create_user('user1', 'pass1')
 20 |     auth.create_user('user2', 'pass2')
 21 |     auth.commit()
 22 |     del auth
 23 | 
 24 | 
 25 | def test_login_logout():
 26 |     app.post(
 27 |         '/login',
 28 |         {'username': 'user1', 'password': 'pass1'}
 29 |     )
 30 | 
 31 |     # Uses the cookie set by the previous call
 32 |     username = app.get('/status').json['username']
 33 |     assert username == 'user1'
 34 | 
 35 |     app.get('/logout')
 36 |     app.get('/status', status=400)
 37 | 
 38 | 
 39 | def test_header_authentication():
 40 |     json_session_id = app.post(
 41 |         '/login',
 42 |         {'username': 'user1', 'password': 'pass1'}
 43 |     ).json.get('session')
 44 | 
 45 |     session_id = app.cookies[SESSION_COOKIE]
 46 |     # Clear the cookie
 47 |     app.reset()
 48 |     app.get('/status', status=400)
 49 | 
 50 |     # Make sure cookie matches json body
 51 |     assert session_id == json_session_id
 52 | 
 53 |     headers = {SESSION_HEADER: session_id}
 54 | 
 55 |     username = app.get('/status', headers=headers).json['username']
 56 |     assert username == 'user1'
 57 | 
 58 |     app.reset()
 59 |     app.get('/logout', headers=headers)
 60 |     app.reset()
 61 |     app.get('/status', headers=headers, status=400)
 62 | 
 63 | 
 64 | def test_update_password():
 65 |     app.post(
 66 |         '/login',
 67 |         {'username': 'user1', 'password': 'pass1'}
 68 |     )
 69 | 
 70 |     app.post('/password', {
 71 |         'oldpass': 'pass1', 'newpass': 'foobar'})
 72 | 
 73 |     assert app.post('/authenticate',
 74 |                     {'username': 'user1', 'password': 'foobar'}).json
 75 | 
 76 |     app.post('/password', {
 77 |         'oldpass': 'pass1', 'newpass': 'foobar'}, status=400)
 78 | 
 79 |     app.post('/password', {
 80 |         'oldpass': 'foobar', 'newpass': 'pass1'})
 81 |     app.get('/logout')
 82 | 
 83 | 
 84 | def test_empty_password_login():
 85 |     app.post(
 86 |         '/login',
 87 |         {'username': 'user1', 'password': 'pass1'}
 88 |     )
 89 | 
 90 |     app.post('/password', {
 91 |         'oldpass': 'pass1', 'newpass': ''})
 92 | 
 93 |     assert not app.post('/authenticate',
 94 |                         {'username': 'user1'}, status=400).json
 95 | 
 96 |     with setting(allow_empty=True):
 97 |         assert app.post('/authenticate',
 98 |                         {'username': 'user1'}).json
 99 | 
100 |         app.post('/password', {
101 |             'oldpass': '', 'newpass': 'pass1'})
102 | 
103 |     app.get('/logout')
104 | 
105 | 
106 | @patch('yubiauth.util.utils.yubico', return_value=True)
107 | def test_authentication_without_username(mock):
108 |     app.post(
109 |         '/login',
110 |         {'username': 'user1', 'password': 'pass1'}
111 |     )
112 | 
113 |     otp = 'c' * 44
114 |     app.post('/yubikey', {'yubikey': otp, 'password': 'pass1'})
115 | 
116 |     assert not app.post('/authenticate',
117 |                         {'otp': otp, 'password': 'pass1'},
118 |                         status=400).json
119 | 
120 |     with setting(yubikey_id=True):
121 |         assert app.post('/authenticate',
122 |                         {'otp': otp, 'password': 'pass1'}).json
123 | 
124 |         assert not app.post('/authenticate',
125 |                             {'otp': otp, 'password': 'wrongpass'},
126 |                             status=400).json
127 |         otp = 'd' * 44
128 | 
129 |         assert not app.post('/authenticate',
130 |                             {'otp': otp, 'password': 'pass1'},
131 |                             status=400).json
132 | 
133 |     app.get('/logout')
134 | 
135 | 
136 | @patch('yubiauth.util.utils.yubico', return_value=True)
137 | def test_single_factor_login(mock):
138 |     otp = 'c' * 44
139 |     with setting(yubikey_id=True, allow_empty=True):
140 |         app.post(
141 |             '/login',
142 |             {'username': 'user1', 'password': 'pass1', 'otp': otp}
143 |         )
144 | 
145 |         app.post('/password', {
146 |             'otp': otp, 'oldpass': 'pass1', 'newpass': ''})
147 | 
148 |         assert app.post('/authenticate', {'otp': otp}).json
149 |         app.post('/login', {'otp': otp})
150 |         status = app.get('/status').json
151 |         assert status['username'] == 'user1'
152 |         app.get('/logout')
153 | 
154 |     assert not app.post('/authenticate', {'otp': otp},
155 |                         status=400).json
156 | 


--------------------------------------------------------------------------------
/test/test_rest_api.py:
--------------------------------------------------------------------------------
  1 | from webtest import TestApp
  2 | from yubiauth.core.rest import application
  3 | from yubiauth.util.model import engine
  4 | from yubiauth import create_tables, YubiAuth
  5 | 
  6 | 
  7 | create_tables(engine)
  8 | 
  9 | app = TestApp(application)
 10 | 
 11 | 
 12 | # Users
 13 | def setup():
 14 |     auth = YubiAuth()
 15 |     for user in auth.query_users():
 16 |         auth.get_user(user['id']).delete()
 17 |     auth.commit()
 18 |     del auth
 19 | 
 20 | 
 21 | def test_create_user():
 22 |     resp = app.post(
 23 |         '/users',
 24 |         {'username': 'user1', 'password': 'foo'},
 25 |         status=201
 26 |     )
 27 |     user = app.get(resp.location).json
 28 |     assert user['name'] == 'user1'
 29 |     assert user['id'] == 1
 30 |     app.post('/users', {'username': 'user2', 'password': 'bar'},
 31 |              status=201)
 32 |     app.post('/users', {'username': 'user3', 'password': 'baz'},
 33 |              status=201)
 34 | 
 35 |     assert len(app.get('/users').json) == 3
 36 | 
 37 | 
 38 | def test_delete_user_by_id():
 39 |     resp = app.post(
 40 |         '/users',
 41 |         {'username': 'redshirt', 'password': 'llap'},
 42 |         status=201
 43 |     )
 44 |     id = app.get(resp.location).json['id']
 45 | 
 46 |     app.delete('/users/%d' % id)
 47 |     app.get('/users/%d' % id, status=404)
 48 | 
 49 | 
 50 | def test_delete_user_by_name():
 51 |     resp = app.post(
 52 |         '/users',
 53 |         {'username': 'redshirt', 'password': 'llap'},
 54 |         status=201
 55 |     )
 56 |     name = app.get(resp.location).json['name']
 57 | 
 58 |     app.delete('/users/%s' % name.encode('ascii'))
 59 |     app.get('/users/%s' % name, status=404)
 60 | 
 61 | 
 62 | def test_delete_user_by_post():
 63 |     resp = app.post(
 64 |         '/users',
 65 |         {'username': 'redshirt', 'password': 'llap'},
 66 |         status=201
 67 |     )
 68 |     id = app.get(resp.location).json['id']
 69 | 
 70 |     app.post('/users/%d/delete' % id)
 71 |     app.get('/users/%d' % id, status=404)
 72 | 
 73 | 
 74 | def test_get_user_by_id():
 75 |     user = app.get('/users/1', status=200).json
 76 |     assert user['id'] == 1
 77 |     assert user['name'] == 'user1'
 78 | 
 79 | 
 80 | def test_get_user_by_name():
 81 |     user = app.get('/users/user1').json
 82 |     assert user['id'] == 1
 83 |     assert user['name'] == 'user1'
 84 | 
 85 | 
 86 | def test_validate_password_get():
 87 |     status = app.get('/users/user1/validate?password=foo'
 88 |                      ).json
 89 |     assert status['valid_password']
 90 | 
 91 | 
 92 | def test_validate_password_post():
 93 |     status = app.post(
 94 |         '/users/user1/validate',
 95 |         {'password': 'foo'}
 96 |     ).json
 97 |     assert status['valid_password']
 98 | 
 99 | 
100 | def test_reset_password():
101 |     status = app.get('/users/user1/validate?password=foo').json
102 |     assert status['valid_password']
103 |     app.post('/users/1/reset', {'password': 'foobar'})
104 | 
105 |     status = app.get('/users/user1/validate?password=foo').json
106 |     assert not status['valid_password']
107 | 
108 |     status = app.get('/users/user1/validate?password=foobar'
109 |                      ).json
110 |     assert status['valid_password']
111 | 
112 | 
113 | def test_rename_user():
114 |     app.post('/users/user1/rename', {'username': 'user2'},
115 |              status=400)
116 |     app.post('/users/user1/rename', {'username': 'new_user'})
117 |     app.get('/users/user1', status=404)
118 |     app.get('/users/new_user')
119 |     app.post('/users/new_user/rename', {'username': 'user1'})
120 |     app.get('/users/user1')
121 |     app.get('/users/new_user', status=404)
122 | 
123 | 
124 | def test_create_user_with_existing_username():
125 |     app.post('/users', {
126 |              'username': 'user1', 'password': 'bar'}, status=400)
127 | 
128 | 
129 | def test_validate_with_invalid_username():
130 |     app.post('/users/notauser/validate',
131 |              {'password': 'foo'}, status=404)
132 | 
133 |     app.post('/users/notauser/validate', status=404)
134 | 
135 | 
136 | def test_validate_with_invalid_password():
137 |     status = app.post('/users/user1/validate',
138 |                       {'password': 'wrongpassword'}).json
139 |     assert not status['valid_password']
140 | 
141 |     status = app.post('/users/user1/validate').json
142 |     assert not status['valid_password']
143 | 
144 | 
145 | def test_get_user_by_invalid_username():
146 |     assert app.get('/users/notauser', status=404)
147 | 
148 | 
149 | # YubiKeys
150 | 
151 | 
152 | PREFIX_1 = 'ccccccccccce'
153 | PREFIX_2 = 'cccccccccccd'
154 | PREFIX_3 = 'cccccccccccf'
155 | 
156 | 
157 | def test_bind_yubikeys():
158 |     yubikeys = app.get('/users/1/yubikeys').json
159 |     assert len(yubikeys) == 0
160 | 
161 |     app.post('/users/1/yubikeys', {'yubikey': PREFIX_1})
162 |     yubikeys = app.get('/users/1/yubikeys').json
163 |     assert yubikeys == [PREFIX_1]
164 | 
165 |     app.post('/users/1/yubikeys', {'yubikey': PREFIX_2})
166 |     app.post('/users/2/yubikeys', {'yubikey': PREFIX_2})
167 | 
168 |     yubikeys = app.get('/users/1/yubikeys').json
169 |     assert sorted(yubikeys) == sorted([PREFIX_1, PREFIX_2])
170 | 
171 |     user = app.get('/users/1').json
172 |     assert sorted(user['yubikeys']) == sorted([PREFIX_1, PREFIX_2])
173 | 
174 |     user = app.get('/users/2').json
175 |     assert user['yubikeys'] == [PREFIX_2]
176 | 
177 | 
178 | def test_show_yubikey():
179 |     yubikey = app.get('/users/1/yubikeys/%s' % PREFIX_1).json
180 |     assert yubikey['enabled']
181 |     assert yubikey['prefix'] == PREFIX_1
182 | 
183 | 
184 | def test_show_yubikey_for_wrong_user():
185 |     app.get('/users/2/yubikeys/%s' % PREFIX_1, status=404)
186 | 
187 | 
188 | def test_unbind_yubikeys():
189 |     app.delete('/users/1/yubikeys/%s' % PREFIX_1)
190 |     yubikeys = app.get('/users/1/yubikeys').json
191 |     assert yubikeys == [PREFIX_2]
192 | 
193 | 
194 | def test_find_user_by_yubikey():
195 |     app.post('/users/2/yubikeys', {'yubikey': PREFIX_3})
196 | 
197 |     user = app.get('/user?yubikey=%s' % PREFIX_3).json
198 |     assert user['id'] == 2
199 |     assert PREFIX_3 in user['yubikeys']
200 | 
201 | 
202 | # Attributes
203 | 
204 | 
205 | def test_assign_attributes():
206 |     val1 = 'val1'
207 |     val2 = 'value 2'
208 |     val3 = 'val3' * 1024
209 |     app.post('/users/1/attributes', {
210 |              'key': 'attr1', 'value': val1})
211 |     app.post('/users/1/attributes', {
212 |              'key': 'attr2', 'value': val2})
213 |     app.post('/users/1/attributes', {
214 |              'key': 'attr3', 'value': val3})
215 | 
216 |     attributes = app.get('/users/1/attributes').json
217 |     assert attributes['attr1'] == val1
218 |     assert attributes['attr2'] == val2
219 |     assert attributes['attr3'] == val3
220 |     assert len(attributes) == 3
221 | 
222 |     user = app.get('/users/1').json
223 |     assert user['attributes'] == attributes
224 | 
225 | 
226 | def test_find_user_by_attribute():
227 |     user1 = app.get('/user?attr1=val1&attr2=value 2').json
228 |     assert user1['id'] == 1
229 | 
230 |     user2 = app.post('/user', {
231 |                      'attr1': 'val1', 'attr2': 'value 2'}).json
232 |     assert user1 == user2
233 | 
234 | 
235 | def test_read_attribute():
236 |     value = app.get('/users/1/attributes/attr1').json
237 |     assert value == 'val1'
238 | 
239 | 
240 | def test_read_missing_attribute():
241 |     value = app.get('/users/1/attributes/foo').json
242 |     assert not value
243 | 
244 | 
245 | def test_overwrite_attributes():
246 |     app.post('/users/1/attributes', {
247 |              'key': 'attr1', 'value': 'newval'})
248 |     attributes = app.get('/users/1/attributes').json
249 | 
250 |     assert attributes['attr1'] == 'newval'
251 |     assert attributes['attr2'] == 'value 2'
252 |     assert len(attributes) == 3
253 | 
254 | 
255 | def test_unset_attributes():
256 |     app.delete('/users/1/attributes/attr1')
257 |     attributes = app.get('/users/1/attributes').json
258 | 
259 |     assert attributes['attr2'] == 'value 2'
260 |     assert len(attributes) == 2
261 | 
262 |     value = app.get('/users/1/attributes/attr1').json
263 |     assert not value
264 | 
265 | 
266 | def _basic_attribute_test(base_url):
267 |     values = {
268 |         'attr1': 'foo',
269 |         'attr2': 'bar',
270 |         'attr3': 'baz',
271 |     }
272 | 
273 |     for key, value in values.items():
274 |         app.post(base_url, {'key': key, 'value': value})
275 |         assert app.get('%s/%s' % (base_url, key)).json == value
276 | 
277 |     app.delete('%s/attr2' % (base_url))
278 |     assert not app.get('%s/attr2' % base_url).json
279 | 
280 |     app.post(base_url, {'key': 'attr3', 'value': 'newval'})
281 |     assert app.get('%s/attr3' % base_url).json == 'newval'
282 | 
283 |     del values['attr2']
284 |     values['attr3'] = 'newval'
285 |     assert app.get(base_url).json == values
286 | 
287 | 
288 | def test_user_attributes():
289 |     _basic_attribute_test('/users/1/attributes')
290 |     _basic_attribute_test('/users/2/attributes')
291 | 
292 | 
293 | def test_yubikey_attributes():
294 |     _basic_attribute_test('/yubikeys/%s/attributes' % PREFIX_1)
295 |     _basic_attribute_test(
296 |         '/users/2/yubikeys/%s/attributes' % PREFIX_2)
297 | 


--------------------------------------------------------------------------------
/test/test_users.py:
--------------------------------------------------------------------------------
 1 | from nose import with_setup
 2 | from nose.tools import raises
 3 | 
 4 | from yubiauth import create_tables
 5 | from yubiauth.core import YubiAuth
 6 | from utils import setting
 7 | 
 8 | from sqlalchemy import create_engine
 9 | from sqlalchemy.orm import sessionmaker
10 | 
11 | engine = create_engine('sqlite:///:memory:', echo=True)
12 | create_tables(engine)
13 | Session = sessionmaker(bind=engine)
14 | auth = None
15 | 
16 | 
17 | def setup():
18 |     global auth
19 |     auth = YubiAuth(Session())
20 |     teardown()
21 |     auth.create_user('user1', 'p4ssw0rd')
22 |     auth.create_user('user2', 'foo')
23 |     auth.commit()
24 | 
25 | 
26 | def teardown():
27 |     for user in auth.query_users():
28 |         auth.get_user(user['id']).delete()
29 |     auth.commit()
30 | 
31 | 
32 | @with_setup(setup, teardown)
33 | def test_create_users():
34 |     user = auth.create_user('test_user', 'test_password')
35 |     assert user.name == 'test_user'
36 | 
37 | 
38 | @with_setup(setup, teardown)
39 | @raises(Exception)
40 | def test_create_existing_username():
41 |     auth.create_user('user1', 'testing')
42 | 
43 | 
44 | @with_setup(setup, teardown)
45 | def test_validate_password():
46 |     user = auth.get_user('user1')
47 |     assert user.validate_password('p4ssw0rd')
48 |     assert not user.validate_password('foo')
49 |     assert not user.validate_password('bar')
50 | 
51 |     user2 = auth.get_user('user2')
52 |     assert user2.validate_password('foo')
53 |     assert not user2.validate_password('bar')
54 | 
55 | @with_setup(setup, teardown)
56 | def test_get_user():
57 |     user = auth.get_user('user1')
58 |     id_as_int = int(user.id)
59 |     id_as_long = long(user.id)
60 |     user_int = auth.get_user(id_as_int)
61 |     user_long = auth.get_user(id_as_long)
62 | 
63 |     assert user.name == user_int.name
64 |     assert user.name == user_long.name
65 | 
66 | 
67 | @with_setup(setup, teardown)
68 | def test_empty_password():
69 |     user = auth.get_user('user1')
70 |     user.set_password(None)
71 | 
72 |     assert not user.validate_password(None)
73 |     assert not user.validate_password('')
74 | 
75 |     with setting(allow_empty=True):
76 |         assert user.validate_password(None)
77 |         assert user.validate_password('')
78 | 


--------------------------------------------------------------------------------
/test/test_yhsm.py:
--------------------------------------------------------------------------------
 1 | from passlib.context import CryptContext
 2 | from passlib.registry import register_crypt_handler_path
 3 | 
 4 | register_crypt_handler_path('yhsm_pbkdf2_sha1', 'yubiauth.yhsm')
 5 | register_crypt_handler_path('yhsm_pbkdf2_sha256', 'yubiauth.yhsm')
 6 | register_crypt_handler_path('yhsm_pbkdf2_sha512', 'yubiauth.yhsm')
 7 | 
 8 | from nose.plugins.attrib import attr
 9 | 
10 | PASSWORDS = [
11 |     'foobar',
12 |     '',
13 |     '1234567890',
14 |     '!"#%&/()=?',
15 |     chr(150) + chr(200) + chr(255)
16 | ]
17 | 
18 | context = None
19 | 
20 | 
21 | @attr(hsm=True)
22 | def setup():
23 |     global context
24 |     context = CryptContext(
25 |         schemes=['yhsm_pbkdf2_sha1', 'yhsm_pbkdf2_sha256',
26 |                  'yhsm_pbkdf2_sha512'],
27 |         default='yhsm_pbkdf2_sha1',
28 |         all__key_handle=1,
29 |         all__rounds=10
30 |     )
31 | 
32 | 
33 | def _algorithm_test(scheme):
34 |     for pwd in PASSWORDS:
35 |         res = context.encrypt(pwd, scheme=scheme)
36 |         assert context.identify(res) == scheme
37 |         assert context.verify(pwd, res)
38 |         assert res != context.encrypt(pwd, scheme=scheme)
39 | 
40 | 
41 | @attr(hsm=True)
42 | def test_yhsm_pbkdf2_sha1():
43 |     _algorithm_test('yhsm_pbkdf2_sha1')
44 | 
45 | 
46 | @attr(hsm=True)
47 | def test_yhsm_pbkdf2_sha256():
48 |     _algorithm_test('yhsm_pbkdf2_sha256')
49 | 
50 | 
51 | @attr(hsm=True)
52 | def test_yhsm_pbkdf2_sha512():
53 |     _algorithm_test('yhsm_pbkdf2_sha512')
54 | 


--------------------------------------------------------------------------------
/test/test_yubikeys.py:
--------------------------------------------------------------------------------
 1 | from nose import with_setup
 2 | 
 3 | from yubiauth import create_tables
 4 | from yubiauth.core import YubiAuth
 5 | 
 6 | from sqlalchemy import create_engine
 7 | from sqlalchemy.orm import sessionmaker
 8 | 
 9 | engine = create_engine('sqlite:///:memory:', echo=True)
10 | create_tables(engine)
11 | Session = sessionmaker(bind=engine)
12 | auth = None
13 | 
14 | 
15 | def setup():
16 |     global auth
17 |     auth = YubiAuth(Session())
18 |     teardown()
19 |     auth.create_user('user1', 'p4ssw0rd')
20 |     auth.create_user('user2', 'foo')
21 | 
22 | 
23 | def teardown():
24 |     for user in auth.query_users():
25 |         auth.get_user(user['id']).delete()
26 | 
27 | 
28 | @with_setup(setup, teardown)
29 | def test_yubikey_assignment():
30 |     user1 = auth.get_user('user1')
31 |     user1.assign_yubikey('cccccccccccb')
32 | 
33 |     user2 = auth.get_user('user2')
34 |     user2.assign_yubikey('cccccccccccd')
35 |     user2.assign_yubikey('ccccccccccce')
36 | 
37 |     assert auth.commit()
38 | 
39 |     assert user1.yubikeys['cccccccccccb']
40 |     assert len(user2.yubikeys) == 2
41 | 


--------------------------------------------------------------------------------
/test/utils.py:
--------------------------------------------------------------------------------
 1 | __all__ = [
 2 |     'setting'
 3 | ]
 4 | 
 5 | from yubiauth.config import settings
 6 | 
 7 | 
 8 | class setting(object):
 9 |     """
10 |     Runs a block of code with specific settings.
11 |     After the block has run, the original settings are restored.
12 |     Usage:
13 |         with setting(key1=value1, key2=value2):
14 |             ...
15 |             <code with settings set>
16 |             ...
17 |     """
18 |     def __init__(self, **kwargs):
19 |         self.settings = kwargs
20 |         self.original_settings = {}
21 |         for key in self.settings:
22 |             self.original_settings[key] = settings[key]
23 | 
24 |     def __enter__(self):
25 |         for key, value in self.settings.items():
26 |             settings[key] = value
27 | 
28 |     def __exit__(self, type, value, traceback):
29 |         for key, value in self.original_settings.items():
30 |             settings[key] = value
31 | 


--------------------------------------------------------------------------------
/yubiauth/__init__.py:
--------------------------------------------------------------------------------
 1 | #
 2 | # Copyright (c) 2013 Yubico AB
 3 | # All rights reserved.
 4 | #
 5 | #   Redistribution and use in source and binary forms, with or
 6 | #   without modification, are permitted provided that the following
 7 | #   conditions are met:
 8 | #
 9 | #    1. Redistributions of source code must retain the above copyright
10 | #       notice, this list of conditions and the following disclaimer.
11 | #    2. Redistributions in binary form must reproduce the above
12 | #       copyright notice, this list of conditions and the following
13 | #       disclaimer in the documentation and/or other materials provided
14 | #       with the distribution.
15 | #
16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 | # POSSIBILITY OF SUCH DAMAGE.
28 | #
29 | 
30 | __version__ = '0.3.11'
31 | 
32 | __all__ = [
33 |     'YubiAuth',
34 |     'settings',
35 |     'create_tables',
36 | ]
37 | 
38 | from yubiauth.config import settings
39 | from yubiauth.core.controller import YubiAuth
40 | 
41 | from yubiauth.util.model import engine
42 | from yubiauth.core.model import Base as core_base
43 | from yubiauth.client.model import Base as client_base
44 | 
45 | 
46 | def create_tables(engine=engine):
47 |     core_base.metadata.create_all(engine)
48 |     client_base.metadata.create_all(engine)
49 | 
50 | #TODO: Remove?
51 | create_tables()
52 | 


--------------------------------------------------------------------------------
/yubiauth/client/__init__.py:
--------------------------------------------------------------------------------
 1 | #
 2 | # Copyright (c) 2013 Yubico AB
 3 | # All rights reserved.
 4 | #
 5 | #   Redistribution and use in source and binary forms, with or
 6 | #   without modification, are permitted provided that the following
 7 | #   conditions are met:
 8 | #
 9 | #    1. Redistributions of source code must retain the above copyright
10 | #       notice, this list of conditions and the following disclaimer.
11 | #    2. Redistributions in binary form must reproduce the above
12 | #       copyright notice, this list of conditions and the following
13 | #       disclaimer in the documentation and/or other materials provided
14 | #       with the distribution.
15 | #
16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 | # POSSIBILITY OF SUCH DAMAGE.
28 | #
29 | 
30 | __all__ = [
31 |     'model',
32 |     'controller',
33 |     'rest',
34 |     'Client'
35 | ]
36 | 
37 | from yubiauth.client.controller import Client
38 | 


--------------------------------------------------------------------------------
/yubiauth/client/controller.py:
--------------------------------------------------------------------------------
  1 | #
  2 | # Copyright (c) 2013 Yubico AB
  3 | # All rights reserved.
  4 | #
  5 | #   Redistribution and use in source and binary forms, with or
  6 | #   without modification, are permitted provided that the following
  7 | #   conditions are met:
  8 | #
  9 | #    1. Redistributions of source code must retain the above copyright
 10 | #       notice, this list of conditions and the following disclaimer.
 11 | #    2. Redistributions in binary form must reproduce the above
 12 | #       copyright notice, this list of conditions and the following
 13 | #       disclaimer in the documentation and/or other materials provided
 14 | #       with the distribution.
 15 | #
 16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 27 | # POSSIBILITY OF SUCH DAMAGE.
 28 | #
 29 | 
 30 | from yubiauth import settings, YubiAuth
 31 | from yubiauth.util import validate_otp
 32 | from yubiauth.util.controller import Controller
 33 | from yubiauth.util.model import Session
 34 | from yubiauth.client.model import AttributeType, PERMS
 35 | from beaker.session import Session as UserSession
 36 | import uuid
 37 | import base64
 38 | import logging
 39 | log = logging.getLogger(__name__)
 40 | 
 41 | __all__ = [
 42 |     'Client',
 43 |     'requires_otp'
 44 | ]
 45 | 
 46 | REVOKE_KEY = '_revoke'
 47 | 
 48 | 
 49 | if settings['use_ldap'] and settings['ldap_auto_import']:
 50 |     from yubiauth.core.ldapauth import LDAPAuthenticator
 51 |     global ldapauth
 52 |     ldapauth = LDAPAuthenticator(settings['ldap_server'],
 53 |                                  settings['ldap_bind_dn'])
 54 | 
 55 | 
 56 | def requires_otp(user):
 57 |     sl = settings['security_level']
 58 |     count = len([key for key in user.yubikeys.values() if key.enabled])
 59 |     return not (sl == 0 or (sl == 1 and count == 0))
 60 | 
 61 | 
 62 | def authenticate_otp(user, otp, password=None):
 63 |     if otp:
 64 |         if settings['auto_provision'] and len(user.yubikeys) == 0:
 65 |             if validate_otp(otp):
 66 |                 user.assign_yubikey(otp)
 67 |                 return True
 68 |             else:
 69 |                 return False
 70 |         else:
 71 |             return user.validate_otp(otp, password)
 72 |     else:
 73 |         return not requires_otp(user)
 74 | 
 75 | 
 76 | session_config = dict([(key[8:], value) for key, value in
 77 |                        settings['beaker'].items() if
 78 |                        key.startswith('session.')])
 79 | session_config['use_cookies'] = False
 80 | 
 81 | 
 82 | class Client(Controller):
 83 | 
 84 |     """
 85 |     Main class for accessing user data.
 86 |     """
 87 |     def __init__(self, session=Session()):
 88 |         super(Client, self).__init__(session)
 89 |         self.auth = YubiAuth(session)
 90 | 
 91 |     def _user_for_otp(self, otp):
 92 |         if settings['yubikey_id']:
 93 |             yubikey = self.auth.get_yubikey(otp[:-32])
 94 |             if yubikey.enabled and len(yubikey.users) == 1:
 95 |                 return yubikey.users[0]
 96 |         raise ValueError("Unable to locate user!")
 97 | 
 98 |     def authenticate(self, username, password, otp=None):
 99 |         try:
100 |             if not username and otp:
101 |                 user = self._user_for_otp(otp)
102 |             else:
103 |                 user = self.auth.get_user(username)
104 |         except Exception as e:
105 |             if settings['use_ldap'] and settings['ldap_auto_import'] \
106 |                     and ldapauth.authenticate(username, password):
107 |                 user = self.auth.create_user(username, None)
108 |                 user.attributes['_ldap_auto_imported'] = True
109 |                 log.info('Auto-created LDAP user: %s', username)
110 |             else:
111 |                 log.info('Authentication failed. No such user: %s', username)
112 |                 raise e
113 | 
114 |         if user.validate_password(password):
115 |             pw = 'valid password' if password else 'None (valid)'
116 |             if authenticate_otp(user, otp, password):
117 |                 log.info(
118 |                     'Authentication successful. '
119 |                     'Username: %s, password: <%s>, OTP: %s',
120 |                     username, pw, otp)
121 |                 return user
122 |         else:
123 |             pw = 'invalid password' if password else 'None (invalid)'
124 |             # Consume the OTP even if the password was incorrect.
125 |             if otp:
126 |                 validate_otp(otp)
127 |         log.info(
128 |             'Authentication failed. Username: %s, password: <%s>, OTP: %s',
129 |             username, pw, otp)
130 |         raise ValueError("Invalid credentials!")
131 | 
132 |     def create_session(self, username, password, otp=None):
133 |         user = self.authenticate(username, password, otp)
134 |         prefix = otp[:-32] if otp else None
135 |         user_session = UserSession({}, **session_config)
136 |         user_session['user_id'] = user.id
137 |         user_session['username'] = user.name
138 |         user_session['prefix'] = prefix if prefix else None
139 |         user_session.save()
140 |         return user_session
141 | 
142 |     def get_session(self, sessionId):
143 |         user_session = UserSession({}, id=sessionId, **session_config)
144 |         if user_session.is_new:
145 |             user_session.delete()
146 |             raise ValueError("Session not found!")
147 |         return user_session
148 | 
149 |     def create_attribute(self, *args, **kwargs):
150 |         attribute = AttributeType(*args, **kwargs)
151 |         self.session.add(attribute)
152 |         return attribute
153 | 
154 |     def get_attributes(self):
155 |         return self.session.query(AttributeType).all()
156 | 
157 |     def generate_revocation(self, prefix):
158 |         yubikey = self.auth.get_yubikey(prefix)
159 |         code = base64.urlsafe_b64encode(uuid.uuid4().get_bytes())
160 |         yubikey.attributes[REVOKE_KEY] = code
161 |         return code
162 | 
163 |     def revoke(self, code):
164 |         kwargs = {REVOKE_KEY: code}
165 |         keys = self.auth.query_yubikeys(**kwargs)
166 |         if not len(keys) == 1:
167 |             log.error('Revocation failed. Matching keys: %d, Code: %s',
168 |                       len(keys), code)
169 |             raise ValueError('Invalid revocation code!')
170 |         yubikey = keys[0]
171 |         yubikey.enabled = False
172 |         del yubikey.attributes[REVOKE_KEY]
173 |         log.info('Revocation successful. '
174 |                  'YubiKey [%s] has been revoked using code: %s',
175 |                  yubikey.prefix, code)
176 | 
177 |     def register(self, username, password, otp=None, attributes=None):
178 |         if not settings['registration']:
179 |             raise ValueError('User registration disabled!')
180 | 
181 |         if attributes is None:
182 |             attributes = {}
183 | 
184 |         validate_attributes(self.get_attributes(), attributes)
185 | 
186 |         if otp and not validate_otp(otp):
187 |             raise ValueError('Invalid OTP!')
188 | 
189 |         user = self.auth.create_user(username, password)
190 |         user.attributes.update(attributes)
191 |         if otp:
192 |             user.assign_yubikey(otp)
193 |         log.info('User %s registered with attributes: %r', username,
194 |                  attributes)
195 |         return user
196 | 
197 | 
198 | def validate_attributes(user_attrs, supplied_attrs, perm_level=PERMS['USER']):
199 |     for attr in user_attrs:
200 |         key = attr.key
201 |         if key in supplied_attrs:
202 |             if attr.edit_perms > perm_level:
203 |                 raise ValueError('Not permitted to set attribute: %s' % key)
204 |             if not attr.validate(supplied_attrs[key]):
205 |                 raise ValueError('Invalid value for attribute: %s = "%s"'
206 |                                  % (key, supplied_attrs[key]))
207 |         elif attr.required:
208 |             raise ValueError('Missing required attribute: %s' % key)
209 | 


--------------------------------------------------------------------------------
/yubiauth/client/model.py:
--------------------------------------------------------------------------------
  1 | #
  2 | # Copyright (c) 2013 Yubico AB
  3 | # All rights reserved.
  4 | #
  5 | #   Redistribution and use in source and binary forms, with or
  6 | #   without modification, are permitted provided that the following
  7 | #   conditions are met:
  8 | #
  9 | #    1. Redistributions of source code must retain the above copyright
 10 | #       notice, this list of conditions and the following disclaimer.
 11 | #    2. Redistributions in binary form must reproduce the above
 12 | #       copyright notice, this list of conditions and the following
 13 | #       disclaimer in the documentation and/or other materials provided
 14 | #       with the distribution.
 15 | #
 16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 27 | # POSSIBILITY OF SUCH DAMAGE.
 28 | #
 29 | 
 30 | __all__ = [
 31 |     'AttributeType',
 32 |     'PERMS'
 33 | ]
 34 | 
 35 | from sqlalchemy import Sequence, Column, Boolean, Integer, String
 36 | from sqlalchemy.ext.declarative import declarative_base
 37 | 
 38 | import re
 39 | 
 40 | from yubiauth.util.model import Deletable
 41 | 
 42 | Base = declarative_base()
 43 | 
 44 | PERMS = {
 45 |     'ALL': 1,
 46 |     'USER': 2,
 47 |     'ADMIN': 3,
 48 |     'NOBODY': 100
 49 | }
 50 | 
 51 | 
 52 | def clamp_perms(view_perms, edit_perms):
 53 |     if view_perms and not view_perms in PERMS:
 54 |         raise ValueError("Invalid value for view_perms: '%d'" % view_perms)
 55 |     if edit_perms and not edit_perms in PERMS:
 56 |         raise ValueError("Invalid value for edit_perms: '%d'" % view_perms)
 57 |     if view_perms > edit_perms:
 58 |         if edit_perms:
 59 |             raise ValueError("view_perms > edit_perms")
 60 |         edit_perms = view_perms
 61 | 
 62 |     return view_perms, edit_perms
 63 | 
 64 | 
 65 | class AttributeType(Deletable, Base):
 66 |     __tablename__ = 'attribute_types'
 67 | 
 68 |     id = Column(Integer, Sequence('attribute_type_id_seq'), primary_key=True)
 69 |     name = Column(String(32), unique=True, nullable=False)
 70 |     pattern = Column(String(128), nullable=False, default='.*')
 71 |     required = Column(Boolean, default=False)
 72 |     view_perms = Column(Integer, default=PERMS['ADMIN'])
 73 |     edit_perms = Column(Integer, default=PERMS['USER'])
 74 | 
 75 |     def __init__(self, name, pattern=None, required=False, view_perms=0,
 76 |                  edit_perms=0):
 77 |         view_perms, edit_perms = clamp_perms(view_perms, edit_perms)
 78 | 
 79 |         self.type = type
 80 |         self.name = name
 81 |         if pattern:
 82 |             self.pattern = pattern
 83 |         self.required = required
 84 |         if view_perms:
 85 |             self.view_perms = view_perms
 86 |         if edit_perms:
 87 |             self.edit_perms = edit_perms
 88 | 
 89 |     def validate(self, value):
 90 |         if not self.required and value is None:
 91 |             return True
 92 |         regex = re.compile(self.pattern)
 93 |         return bool(regex.match(value))
 94 | 
 95 |     @property
 96 |     def key(self):
 97 |         # TODO: normalize name
 98 |         return '__%s' % self.name
 99 | 
100 |     @property
101 |     def data(self):
102 |         return {
103 |             'name': self.name,
104 |             'key': self.key,
105 |             'pattern': self.pattern,
106 |             'required': self.required,
107 |             'view_perms': self.view_perms,
108 |             'edit_perms': self.edit_perms
109 |         }
110 | 
111 |     def __repr__(self):
112 |         return (
113 |             "AttributeType(name: '%s', key: '%s', pattern: '%s')" %
114 |             (self.name, self.key, self.pattern)
115 |         ).encode('utf-8')
116 | 


--------------------------------------------------------------------------------
/yubiauth/client/rest.py:
--------------------------------------------------------------------------------
  1 | #
  2 | # Copyright (c) 2013 Yubico AB
  3 | # All rights reserved.
  4 | #
  5 | #   Redistribution and use in source and binary forms, with or
  6 | #   without modification, are permitted provided that the following
  7 | #   conditions are met:
  8 | #
  9 | #    1. Redistributions of source code must retain the above copyright
 10 | #       notice, this list of conditions and the following disclaimer.
 11 | #    2. Redistributions in binary form must reproduce the above
 12 | #       copyright notice, this list of conditions and the following
 13 | #       disclaimer in the documentation and/or other materials provided
 14 | #       with the distribution.
 15 | #
 16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 27 | # POSSIBILITY OF SUCH DAMAGE.
 28 | #
 29 | 
 30 | __all__ = [
 31 |     'session_api',
 32 |     'require_session',
 33 |     'ClientAPI',
 34 |     'application',
 35 | ]
 36 | 
 37 | from wsgiref.simple_server import make_server
 38 | from webob import exc
 39 | from webob.dec import wsgify
 40 | from beaker.middleware import SessionMiddleware
 41 | from yubiauth.client import Client
 42 | from yubiauth.util import validate_otp
 43 | from yubiauth.util.rest import (REST_API, Route, json_response, json_error,
 44 |                                 extract_params)
 45 | from yubiauth import settings
 46 | 
 47 | import logging
 48 | log = logging.getLogger(__name__)
 49 | 
 50 | SESSION_COOKIE = 'YubiAuth-Session'
 51 | SESSION_HEADER = 'X-%s' % SESSION_COOKIE
 52 | REVOKE_ATTRIBUTE = '_REVOKE'
 53 | 
 54 | 
 55 | @wsgify.middleware
 56 | def ClientMiddleware(request, app):
 57 |     # Allow the session ID to be provided as a header or cookie.
 58 |     # Header takes precedence over cookie.
 59 |     if SESSION_HEADER in request.headers:
 60 |         request.cookies[SESSION_COOKIE] = request.headers[SESSION_HEADER]
 61 |     if 'yubiauth.client' in request.environ:
 62 |         return app
 63 |     try:
 64 |         with Client() as client:
 65 |             request.environ['yubiauth.client'] = client
 66 |             response = request.get_response(app)
 67 |     finally:
 68 |         del request.environ['yubiauth.client']
 69 |     return response
 70 | 
 71 | 
 72 | def session_api(app):
 73 |     return ClientMiddleware(SessionMiddleware(app, settings['beaker']))
 74 | 
 75 | 
 76 | def require_session(func=None, **kwargs):
 77 |     """
 78 |     Used to decorate a method on a REST_API to ensure that the user has
 79 |     a valid UserSession when entering the method. If not, an error will be
 80 |     returned.
 81 | 
 82 |     To customize the error, override the session_required method of the api,
 83 |     or pass an explicit error handler to the decorator.
 84 | 
 85 |     This decorator expects a valid beaker.session and yubiauth.client in the
 86 |     environ. In turn, it provides a User object as yubiauth.user.
 87 |     """
 88 | 
 89 |     error_handler = kwargs.get('error_handler', None)
 90 | 
 91 |     def inner(func):
 92 |         def new_func(self, request, *args, **kwargs):
 93 |             try:
 94 |                 session = request.environ['beaker.session']
 95 |                 client = request.environ['yubiauth.client']
 96 |                 user_id = session.get('user_id', None)
 97 |                 request.environ['yubiauth.user'] = \
 98 |                     client.auth.get_user(user_id)
 99 |             except Exception, e:
100 |                 log.warn('Action not permitted without a session: %s',
101 |                          request.url)
102 |                 if error_handler:
103 |                     return error_handler(request, e)
104 |                 elif hasattr(self, 'session_required'):
105 |                     return self.session_required(request, e)
106 |                 else:
107 |                     raise exc.HTTPBadRequest(detail='Session required!')
108 |             return func(self, request, *args, **kwargs)
109 |         return new_func
110 |     # If func is not defined, the decorator was called with parentheses.
111 |     return inner(func) if func else inner
112 | 
113 | 
114 | def get_session_cookie(request):
115 |     log.info('beaker.session: %r', request.environ['beaker.session']._headers)
116 |     headers = request.environ['beaker.session']._headers
117 |     if SESSION_COOKIE in (headers.get('cookie_set') or ''):
118 |         cookie = headers['cookie_set']
119 |     elif SESSION_COOKIE in (headers.get('cookie') or ''):
120 |         cookie = headers['cookie']
121 |     else:
122 |         return None
123 |     return cookie.split('=', 1)[1].split(';', 1)[0]
124 | 
125 | 
126 | class ClientAPI(REST_API):
127 |     __routes__ = [
128 |         Route(r'^/login$', 'login'),
129 |         Route(r'^/authenticate$', 'authenticate'),
130 |         Route(r'^/logout$', 'logout'),
131 |         Route(r'^/status$', 'status'),
132 |         Route(r'^/password$', post='change_password'),
133 |         Route(r'^/yubikey$', post='assign_yubikey'),
134 |         Route(r'^/revoke/generate$', post='generate_revocation'),
135 |         Route(r'^/revoke$', post='revoke_yubikey')
136 |     ]
137 | 
138 |     def session_required(self, request, e):
139 |         return json_error('Session required!')
140 | 
141 |     @extract_params('username?', 'password?', 'otp?')
142 |     def authenticate(self, request, username=None, password=None, otp=None):
143 |         try:
144 |             client = request.environ['yubiauth.client']
145 |             client.authenticate(username, password, otp)
146 |             return json_response(True)
147 |         except:
148 |             return json_response(False, status=400)
149 | 
150 |     @extract_params('username?', 'password?', 'otp?')
151 |     def login(self, request, username=None, password=None, otp=None):
152 |         client = request.environ['yubiauth.client']
153 |         try:
154 |             session = client.create_session(username, password, otp)
155 |             request.environ['beaker.session'].update(session)
156 |             session.delete()
157 |             return json_response({'session': get_session_cookie(request)})
158 |         except:
159 |             log.info('Login failed for username=%s', username)
160 |             log.debug('Login failure:', exc_info=True)
161 |             return json_error('Invalid credentials!')
162 | 
163 |     @require_session
164 |     def logout(self, request):
165 |         request.environ['beaker.session'].delete()
166 |         return json_response(True)
167 | 
168 |     @require_session
169 |     def status(self, request):
170 |         return json_response(request.environ['beaker.session']._session())
171 | 
172 |     @require_session
173 |     @extract_params('newpass', 'oldpass?', 'otp?')
174 |     def change_password(self, request, newpass, oldpass=None, otp=None):
175 |         client = request.environ['yubiauth.client']
176 |         user = request.environ['yubiauth.user']
177 |         try:
178 |             client.authenticate(user.name, oldpass, otp)
179 |             user.set_password(newpass)
180 |             return json_response(True)
181 |         except:
182 |             return json_error('Invalid credentials!')
183 | 
184 |     @require_session
185 |     @extract_params('yubikey', 'password', 'otp?')
186 |     def assign_yubikey(self, request, yubikey, password, otp=None):
187 |         client = request.environ['yubiauth.client']
188 |         user = request.environ['yubiauth.user']
189 |         try:
190 |             client.authenticate(user.name, password, otp)
191 |             prefix = yubikey[:-32]
192 |             if not validate_otp(yubikey):
193 |                 return json_error('Invalid OTP for new YubiKey!')
194 |             if not prefix in user.yubikeys:
195 |                 user.assign_yubikey(prefix)
196 |             return json_response(True)
197 |         except:
198 |             return json_error('Invalid credentials!')
199 | 
200 |     @require_session
201 |     @extract_params('password', 'otp')
202 |     def generate_revocation(self, request, password, otp):
203 |         client = request.environ['yubiauth.client']
204 |         user = request.environ['yubiauth.user']
205 |         try:
206 |             client.authenticate(user.name, password, otp)
207 |             code = client.generate_revocation(otp[:-32])
208 |             return json_response(code)
209 |         except:
210 |             return json_error('Invalid credentials!')
211 | 
212 |     @extract_params('code')
213 |     def revoke_yubikey(self, request, code):
214 |         client = request.environ['yubiauth.client']
215 |         try:
216 |             client.revoke(code)
217 |             return json_response(True)
218 |         except:
219 |             return json_error('Invalid code!')
220 | 
221 |     @require_session
222 |     @extract_params('password', 'otp?')
223 |     def delete_account(self, request, password, otp=None):
224 |         if not settings['deletion']:
225 |             return json_error('Account deletion disabled!')
226 |         client = request.environ['yubiauth.client']
227 |         user = request.environ['yubiauth.user']
228 |         try:
229 |             client.authenticate(user.name, password, otp)
230 |             user.delete()
231 |             return json_response(True)
232 |         except:
233 |             return json_error('Invalid credentials!')
234 | 
235 | 
236 | application = session_api(ClientAPI())
237 | 
238 | if __name__ == '__main__':
239 |     httpd = make_server('localhost', 8080, application)
240 |     httpd.serve_forever()
241 | 


--------------------------------------------------------------------------------
/yubiauth/client/templates/assign_yubikey.html:
--------------------------------------------------------------------------------
 1 | {% extends "logged_in.html" %}
 2 | 
 3 | {% from "form.html" import render_form %}
 4 | 
 5 | {% block title %}Assign YubiKey{% endblock %}
 6 | 
 7 | {% block content %}
 8 | {{ super() }}
 9 | 
10 | {{ render_form(fieldsets, 'assign_yubikey') }}
11 | 
12 | {% endblock %}
13 | 


--------------------------------------------------------------------------------
/yubiauth/client/templates/base.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <!--[if lt IE 7]>      <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
 3 | <!--[if IE 7]>         <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
 4 | <!--[if IE 8]>         <html class="no-js lt-ie9"> <![endif]-->
 5 | <!--[if gt IE 8]><!--> <html class="no-js"> <!--<![endif]-->
 6 |     <head>
 7 | 	<base href="{{ base_url }}" />
 8 |         <meta charset="utf-8">
 9 |         <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
10 | 	<title>{% block title %}YubiAuth{% endblock %}</title>
11 |         <meta name="description" content="">
12 |         <meta name="viewport" content="width=device-width">
13 | 	<link rel="icon" type="image/png" href="../static/favicon.ico" />
14 | 
15 | 	{% block styles %}
16 | 	<link rel="stylesheet" href="../static/css/bootstrap.min.css">
17 |         <link rel="stylesheet" href="../static/css/bootstrap-responsive.min.css">
18 |         <link rel="stylesheet" href="../static/css/main.css">
19 | 	{% endblock %}
20 | 
21 |         <script src="../static/js/vendor/modernizr-2.6.2-respond-1.1.0.min.js"></script>
22 |     </head>
23 |     <body>
24 |         <!--[if lt IE 7]>
25 |             <p class="chromeframe">You are using an <strong>outdated</strong> browser. Please <a href="http://browsehappy.com/">upgrade your browser</a> or <a href="http://www.google.com/chromeframe/?redirect=true">activate Google Chrome Frame</a> to improve your experience.</p>
26 |         <![endif]-->
27 | 
28 | 	{% block body %} 
29 | 	<h1>YubiAuth</h1>
30 | 	{% endblock %}
31 | 
32 | 	{% block scripts %}
33 |         <script src="../static/js/vendor/jquery-1.9.1.min.js"></script>
34 |         <script src="../static/js/vendor/bootstrap.min.js"></script>
35 | 
36 | 	<script src="../static/js/main.js"></script>
37 | 	{% endblock %}
38 |     </body>
39 | </html>
40 | 


--------------------------------------------------------------------------------
/yubiauth/client/templates/change_password.html:
--------------------------------------------------------------------------------
 1 | {% extends "logged_in.html" %}
 2 | 
 3 | {% from "form.html" import render_form %}
 4 | 
 5 | {% block title %}Change Password{% endblock %}
 6 | 
 7 | {% block content %}
 8 | {{ super() }}
 9 | 
10 | {{ render_form(fieldsets, 'change_password') }}
11 | 
12 | {% endblock %}
13 | 


--------------------------------------------------------------------------------
/yubiauth/client/templates/created.html:
--------------------------------------------------------------------------------
 1 | {% extends "login.html" %}
 2 | 
 3 | {% block title %}Account created!{% endblock %}
 4 | 
 5 | {% block content %}
 6 | 
 7 | {{ super() }}
 8 | 
 9 | <h2>Registration successful</h2>
10 | <p>You may now log in.</p>
11 | 
12 | {% endblock %}
13 | 


--------------------------------------------------------------------------------
/yubiauth/client/templates/form.html:
--------------------------------------------------------------------------------
 1 | {%- macro form_field_label(field) -%}
 2 | 	<label for="{{ field.id }}">{{ field.label.text }}
 3 | 	{%- if field.flags.required -%}
 4 | 		<abbr title="This field is required!">*</abbr>
 5 | 	{%- endif %}</label>
 6 | {% endmacro %}
 7 | 
 8 | {%- macro form_field_description(field) -%}
 9 | 	{% if field.description %}
10 | 		<span class="help-block">{{ field.description|trim }}</span>
11 | 	{% endif %}
12 | {%- endmacro -%}
13 | 
14 | {%- macro form_field_errors(field) -%}
15 | 	{% if field.errors %}
16 | 	{%- for error in field.errors -%}
17 | 	<span class="label label-important">{{ error }}</span>
18 | 	&nbsp;
19 | 	{%- endfor -%}
20 | 	{% endif %}
21 | {%- endmacro -%}
22 | 
23 | {%- macro form_field_boolean(field) -%}
24 | 	<div class="input">
25 | 		<label class="checkbox">
26 | 			{{ field(**kwargs) }}
27 | 			<span>{{ field.label.text }}</span>
28 | 		</label>
29 | 		{{ form_field_description(field) }}
30 | 		{{ form_field_errors(field) }}
31 | 	</div>
32 | {%- endmacro -%}
33 | 
34 | {%- macro form_field(field, attrs={}) -%}
35 | 	{% if field.type == 'HiddenField' %}
36 | 		{{ field() }}
37 | 	{% else %}
38 | 		{% if field.type == 'BooleanField' %}
39 | 			{{ form_field_boolean(field, **attrs) }}
40 | 		{% else %}
41 | 			{{ form_field_label(field) }}
42 | 			{{ form_field_description(field) }}
43 | 			{% if field.type == 'RadioField' %}
44 | 				{{ field(class='radio-group', **attrs) }}
45 | 			{% elif field.type == 'IntegerField' %}
46 | 				{{ field(class='input-mini', **attrs) }}
47 | 			{% else %}
48 | 				{{ field(**attrs) }}
49 | 			{% endif %}
50 | 			{{ form_field_errors(field) }}
51 | 		{% endif %}
52 | 	{% endif %}
53 | {%- endmacro -%}
54 | 
55 | {%- macro form_fieldset(fieldset) -%}
56 | 	<fieldset>
57 | 	{% if fieldset.legend %}
58 | 		<legend>{{ fieldset.legend }}</legend>
59 | 	{% endif %}
60 | 	{% if fieldset.description %}
61 | 		<p>{{ fieldset.description|trim }}</p>
62 | 	{% endif %}
63 | 	{% for field in fieldset %}
64 | 		{% if field.type == 'HiddenField' %}
65 | 			{{ field() }}
66 | 		{% else %}
67 | 			{% if fieldset.attrs is defined and fieldset.attrs[field.id] is defined %}
68 | 				{{ form_field(field, fieldset.attrs[field.id]) }}
69 | 			{% else %}
70 | 				{{ form_field(field) }}
71 | 			{% endif %}
72 | 		{% endif %}
73 | 	{% endfor %}
74 | 	</fieldset>
75 | {%- endmacro -%}
76 | 
77 | {%- macro render_form(fieldsets, action, alert=None, submit='Submit') -%}
78 | 	{% if alert %}
79 | 	<div class="alert alert-{{ alert.type }}">
80 | 		<button type="button" class="close" data-dismiss="alert">&times;</button>
81 | 		<strong>{{ alert.title }}</strong>
82 | 		{{ alert.message }}
83 | 	</div>
84 | 	{% endif %}
85 | 
86 | 	<form action="{{ action }}" method="post">
87 | 	{% for fieldset in fieldsets %}
88 | 		{{ form_fieldset(fieldset) }}
89 | 	{% endfor %}
90 | 	<div class="form-actions">
91 | 		<input type="submit" class="btn btn-primary" value="{{ submit }}">
92 | 	</div>
93 | 	</form>
94 | {%- endmacro -%}
95 | 
96 | {{ render_form(fieldsets, target, alert, submit) }}
97 | 


--------------------------------------------------------------------------------
/yubiauth/client/templates/layout.html:
--------------------------------------------------------------------------------
 1 | {% extends "base.html" %}
 2 | 
 3 | {% block body %}
 4 | <div class="container">
 5 | 	{% for message in messages %}
 6 | 	<div class="alert{% if message.level %} alert-{{ message.level }}{% endif %}">
 7 | 		{{ message.text }}
 8 | 	</div>
 9 | 	{% endfor %}
10 | 
11 | 	{% block content %}
12 | 	<p>Content goes here</p>
13 | 	{% endblock %}
14 | 
15 | 	<hr>
16 | 
17 | 	<footer>
18 | 	<p>Powered by Yubico</p>
19 | 	</footer>
20 | 
21 | </div> <!-- /container -->
22 | 
23 | {% endblock %}
24 | 


--------------------------------------------------------------------------------
/yubiauth/client/templates/logged_in.html:
--------------------------------------------------------------------------------
 1 | {% extends "layout.html" %}
 2 | 
 3 | {% block content %}
 4 | 
 5 | <h1>YubiAuth</h1>
 6 | 
 7 | <div class="navbar">
 8 | 	<div class="navbar-inner">
 9 | 		<span class="brand">YubiAuth</span>
10 | 
11 | 		<ul class="nav">
12 | 			<li><a href="manage">Settings</a></li>
13 | 		</ul>
14 | 
15 | 		<ul class="nav pull-right">
16 | 			<li><p class="navbar-text">User: {{ user.name }}</p></li>
17 | 			<li><a href="logout">Log out</a></li>
18 | 		</ul>
19 | 	</div>
20 | </div>
21 | 
22 | 
23 | {% endblock %}
24 | 


--------------------------------------------------------------------------------
/yubiauth/client/templates/login.html:
--------------------------------------------------------------------------------
 1 | {% extends "layout.html" %}
 2 | 
 3 | {% from "form.html" import form_field, form_field_errors %}
 4 | 
 5 | {% block title %}Login{% endblock %}
 6 | 
 7 | {% block content %}
 8 | 
 9 | <h1>YubiAuth</h1>
10 | 
11 | <div class="navbar">
12 | 	<div class="navbar-inner">
13 | 		<span class="brand">Login</span>
14 | 		<form action="login" method="post" class="navbar-form pull-right">
15 | 			{{ login_form.username(placeholder='Username') }}
16 | 			{{ form_field_errors(login_form.username) }}
17 | 			{{ login_form.password(placeholder='Password') }}
18 | 			{{ form_field_errors(login_form.password) }}
19 | 			{{ login_form.yubikey(placeholder='YubiKey OTP') }}
20 | 			<input type="submit" value="Login" class="btn btn-primary"/>
21 | 		</form>
22 | 	</div>
23 | </div>
24 | 
25 | <p>Lost your YubiKey? <a href="revoke">Revoke it</a>!</p>
26 | 
27 | {% endblock %}
28 | 


--------------------------------------------------------------------------------
/yubiauth/client/templates/manage.html:
--------------------------------------------------------------------------------
 1 | {% extends "logged_in.html" %}
 2 | 
 3 | {% block title %}Manage{% endblock %}
 4 | 
 5 | {% block content %}
 6 | {{ super() }}
 7 | 
 8 | <h2>YubiKeys</h2>
 9 | 
10 | {% if user.yubikeys %}
11 | <ul>
12 | 	{% for prefix, yubikey in user.yubikeys.iteritems() %}
13 | 	<li><a href="yubikey/{{ prefix }}">{{ prefix }}</a> - {% if yubikey.enabled %}Enabled{% else %}Disabled{% endif %}</li>
14 | 	{% endfor %}
15 | </ul>
16 | {% else %}
17 | <p>You have no YubiKeys assigned.</p>
18 | {% endif %}
19 | 
20 | <form action="assign_yubikey?noauth" method="post" class="form-inline">
21 | 	<label for="yubikey">Assign a new YubiKey to your account</label><br />
22 | 	<input id="yubikey" type="text" name="yubikey" class="span4" placeholder="Enter OTP from new YubiKey" />
23 | 	<input type="submit" class="btn" value="Assign" />
24 | </form>
25 | 
26 | <a href="change_password" class="btn">Change password</a>
27 | 
28 | {% if can_delete %}
29 | <a href="delete_account" class="btn btn-danger">Delete account</a>
30 | {% endif %}
31 | 
32 | {% endblock %}
33 | 


--------------------------------------------------------------------------------
/yubiauth/client/templates/reauthenticate.html:
--------------------------------------------------------------------------------
 1 | {% extends "logged_in.html" %}
 2 | 
 3 | {% from "form.html" import render_form %}
 4 | 
 5 | {% block title %}Re-authenticate{% endblock %}
 6 | 
 7 | {% block content %}
 8 | {{ super() }}
 9 | 
10 | <h2>Re-authentication required</h2>
11 | <p>The action you are trying to perform requires you to re-enter your user credentials.</p>
12 | 
13 | {{ render_form(fieldsets, target) }}
14 | 
15 | {% endblock %}
16 | 


--------------------------------------------------------------------------------
/yubiauth/client/templates/register.html:
--------------------------------------------------------------------------------
 1 | {% extends "login.html" %}
 2 | 
 3 | 
 4 | {% from "form.html" import form_fieldset %}
 5 | 
 6 | {% block title %}Login/Register account{% endblock %}
 7 | 
 8 | {% block content %}
 9 | 
10 | {{ super() }}
11 | 
12 | <h2>Register Account</h2>
13 | 
14 | <form action="register" method="post">
15 | {{ form_fieldset(register_form) }}
16 | <input type="submit" value="Register" class="btn btn-primary"/>
17 | </form>
18 | {% endblock %}
19 | 


--------------------------------------------------------------------------------
/yubiauth/client/templates/revocation_code.html:
--------------------------------------------------------------------------------
 1 | {% extends "logged_in.html" %}
 2 | 
 3 | {% block title %}Revocation Code{% endblock %}
 4 | 
 5 | {% block content %}
 6 | {{ super() }}
 7 | 
 8 | <h2>Revocation Code Generated!</h2>
 9 | <p>Store the code in a safe place. If you lose your YubiKey, the code can be used to disable the key, even without access to your account. Any previously generated recovation code for this YubiKey has now been invalidated.</p>
10 | 
11 | <div class="well">
12 | 	<dl class="dl-horizontal">
13 | 		<dt>Prefix</dt>
14 | 		<dd><code>{{ yubikey.prefix }}</code></dd>
15 | 		<dt>Revocation code</dt>
16 | 		<dd><code>{{ code }}</code></dd>
17 | 	</dl>
18 | </div>
19 | 
20 | {% endblock %}
21 | 


--------------------------------------------------------------------------------
/yubiauth/client/templates/revoke.html:
--------------------------------------------------------------------------------
 1 | {% extends "layout.html" %}
 2 | 
 3 | {% from "form.html" import form_field, form_field_errors %}
 4 | 
 5 | {% block title %}Revoke YubiKey{% endblock %}
 6 | 
 7 | {% block content %}
 8 | 
 9 | <h1>Revoke YubiKey</h1>
10 | <p>Enter your revocation code below. Once revoked, the YubiKey will become disabled and the code will be invalidated. Note that you will NOT be able to use the revoked YubiKey to access your account. If you have multiple YubiKeys connected to it, you may log in using one of the enabled ones. Once logged in, you will be able to re-enable the revoked YubiKey, should you wish to do so. If so, you will need to generate a new revocation code for the key</p>
11 | 
12 | <form action="revoke" method="post" class="form-inline">
13 | 	<label for="revoke"><strong>Revocation code</strong></label><br />
14 | 	<input type="text" id="revoke" name="revoke" class="input-xlarge" />
15 | 	<input type="submit" value="Revoke" class="btn btn-danger"/>
16 | </form>
17 | 
18 | <a href="">Back</a>
19 | 
20 | {% endblock %}
21 | 


--------------------------------------------------------------------------------
/yubiauth/client/templates/session_required.html:
--------------------------------------------------------------------------------
 1 | {% extends "layout.html" %}
 2 | 
 3 | {% block title %}Session required!{% endblock %}
 4 | 
 5 | {% block content %}
 6 | <h1>Session required!</h1>
 7 | 
 8 | <p>The action you have tried to perform requires that you be logged in to the system.</p>
 9 | 
10 | <a href="">Log in</a>
11 | {% endblock %}
12 | 


--------------------------------------------------------------------------------
/yubiauth/client/templates/yubikey.html:
--------------------------------------------------------------------------------
 1 | {% extends "logged_in.html" %}
 2 | 
 3 | {% block title %}YubiKey: {{ yubikey.prefix }}{% endblock %}
 4 | 
 5 | {% block content %}
 6 | {{ super() }}
 7 | 
 8 | <h2>YubiKey: {{ yubikey.prefix }}</h2>
 9 | 
10 | <dl class="dl-horizontal">
11 | 	<dt>Prefix</dt>
12 | 	<dd>{{ yubikey.prefix }}</dd>
13 | 	<dt>Enabled</dt>
14 | 	<dd>{{ yubikey.enabled }}</dd>
15 | </dl>
16 | 
17 | <h3>Actions</h3>
18 | {% if yubikey.enabled %}
19 | <a href="yubikey/{{ yubikey.prefix }}/disable" class="btn">Disable YubiKey</a>
20 | {% else %}
21 | <a href="yubikey/{{ yubikey.prefix }}/enable" class="btn">Enable YubiKey</a>
22 | {% endif %}
23 | <br />
24 | <a href="yubikey/{{ yubikey.prefix }}/unassign" class="btn">Unassign YubiKey</a>
25 | <br />
26 | <a href="yubikey/{{ yubikey.prefix }}/generate" class="btn">Generate revocation code</a>
27 | <p>A revocation code can be used to disable a YubiKey if you are unable to access your account. Once generated, be sure to save the revocation code in a safe place. Generating a new code will invalidate any previously generated code.</p>
28 | 
29 | {% endblock %}
30 | 


--------------------------------------------------------------------------------
/yubiauth/client/web.py:
--------------------------------------------------------------------------------
  1 | #
  2 | # Copyright (c) 2013 Yubico AB
  3 | # All rights reserved.
  4 | #
  5 | #   Redistribution and use in source and binary forms, with or
  6 | #   without modification, are permitted provided that the following
  7 | #   conditions are met:
  8 | #
  9 | #    1. Redistributions of source code must retain the above copyright
 10 | #       notice, this list of conditions and the following disclaimer.
 11 | #    2. Redistributions in binary form must reproduce the above
 12 | #       copyright notice, this list of conditions and the following
 13 | #       disclaimer in the documentation and/or other materials provided
 14 | #       with the distribution.
 15 | #
 16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 27 | # POSSIBILITY OF SUCH DAMAGE.
 28 | #
 29 | 
 30 | __all__ = [
 31 |     'application'
 32 | ]
 33 | 
 34 | from wsgiref.simple_server import make_server
 35 | from webob import exc
 36 | from jinja2 import Environment, FileSystemLoader
 37 | from wtforms import Form
 38 | from wtforms.fields import TextField, PasswordField
 39 | from wtforms.validators import (Optional, Required, EqualTo, Regexp,
 40 |                                 ValidationError)
 41 | from yubiauth.config import settings
 42 | from yubiauth.util import validate_otp, MODHEX
 43 | from yubiauth.util.rest import REST_API, Route, extract_params
 44 | from yubiauth.client.rest import session_api, require_session
 45 | from yubiauth.client.controller import requires_otp
 46 | 
 47 | import os
 48 | import logging
 49 | log = logging.getLogger(__name__)
 50 | 
 51 | base_dir = os.path.dirname(__file__)
 52 | template_dir = os.path.join(base_dir, 'templates')
 53 | env = Environment(loader=FileSystemLoader(template_dir))
 54 | 
 55 | YUBIKEY_OTP = r'[%s]{32,64}' % MODHEX
 56 | YUBIKEY_PREFIX = r'[%s]{2,32}' % MODHEX
 57 | 
 58 | 
 59 | def redirect(request, target):
 60 |     return exc.HTTPSeeOther(location=request.relative_url(target, True))
 61 | 
 62 | 
 63 | def with_yubikey(func):
 64 |     def inner(self, request, prefix, *args, **kwargs):
 65 |         user = request.environ['yubiauth.user']
 66 |         if not prefix in user.yubikeys:
 67 |             raise exc.HTTPForbidden(detail='Unauthorized')
 68 |         return func(self, request, user.yubikeys[prefix], *args, **kwargs)
 69 |     return inner
 70 | 
 71 | 
 72 | class LoginForm(Form):
 73 |     username = TextField('Username', [Optional() if settings['yubikey_id']
 74 |                                       else Required()])
 75 |     password = PasswordField('Password', [Optional() if
 76 |                                           settings['allow_empty'] else
 77 |                                           Required()])
 78 |     yubikey = TextField('YubiKey', [Optional(), Regexp(YUBIKEY_OTP)])
 79 | 
 80 | 
 81 | class RegisterForm(Form):
 82 |     username = TextField('Username', [Required()])
 83 |     password = PasswordField('Password', [Required()])
 84 |     verify_password = PasswordField(
 85 |         'Repeat password',
 86 |         [Required(), EqualTo('password', 'Passwords do not match!')]
 87 |     )
 88 |     yubikey = TextField('YubiKey', [Optional(), Regexp(YUBIKEY_OTP)])
 89 | 
 90 | 
 91 | class ReauthenticateForm(Form):
 92 |     legend = "Re-authenticate"
 93 |     description = "Please re-authenticate to complete this action"
 94 |     password = PasswordField('Password')
 95 |     otp = TextField('YubiKey OTP', [Optional(), Regexp(YUBIKEY_OTP)])
 96 | 
 97 |     def __init__(self, request, prefix=None):
 98 |         super(ReauthenticateForm, self).__init__(request.params)
 99 |         user = request.environ['yubiauth.user']
100 |         self.username = user.name
101 |         self.client = request.environ['yubiauth.client']
102 |         self.prefix = prefix
103 |         if self.prefix:
104 |             self.otp.description = 'OTP from YubiKey with prefix: %s' % prefix
105 |         elif not requires_otp(user):
106 |             del self.otp
107 | 
108 |     def validate_otp(self, field):
109 |         if self.prefix and self.prefix != field.data[:-32]:
110 |             raise ValidationError('OTP must have prefix %s' % self.prefix)
111 | 
112 |     def authenticate(self):
113 |         password = self.password.data
114 |         otp = self.data.get('otp', None)
115 |         try:
116 |             self.client.authenticate(self.username, password, otp)
117 |             return True
118 |         except:
119 |             pass
120 |         return False
121 | 
122 | 
123 | class AssignYubikeyForm(Form):
124 |     legend = "Assign new YubiKey"
125 |     yubikey = TextField('New Yubikey OTP', [Regexp(YUBIKEY_OTP)])
126 | 
127 | 
128 | class ChangePasswordForm(Form):
129 |     legend = "Change password"
130 |     new_password = PasswordField('New Password', [Required()])
131 |     verify_password = PasswordField(
132 |         'Repeat password',
133 |         [Required(), EqualTo('new_password', 'Passwords do not match!')]
134 |     )
135 | 
136 | 
137 | class ClientUI(REST_API):
138 |     __yubikey__ = r'/yubikey/(%s)' % YUBIKEY_PREFIX
139 | 
140 |     __routes__ = [
141 |         Route(r'^/$', 'index'),
142 |         Route(r'^/revoke$', 'revoke'),
143 |         Route(r'^/login$', post='login'),
144 |         Route(r'^/register$', post='register'),
145 |         Route(r'^/logout$', 'logout'),
146 |         Route(r'^/manage$', 'manage'),
147 |         Route(r'^/assign_yubikey$', post='assign_yubikey'),
148 |         Route(r'^/change_password$', 'change_password'),
149 |         Route(r'^/delete_account$', 'delete_account'),
150 |         Route(__yubikey__ + r'$', 'yubikey'),
151 |         Route(__yubikey__ + r'/enable$', 'yubikey_enable'),
152 |         Route(__yubikey__ + r'/disable$', 'yubikey_disable'),
153 |         Route(__yubikey__ + r'/generate$', 'yubikey_generate'),
154 |         Route(__yubikey__ + r'/unassign$', 'yubikey_unassign'),
155 |     ]
156 | 
157 |     def add_message(self, message, level=None):
158 |         self._messages.append({'text': message, 'level': level})
159 | 
160 |     def _call_setup(self, request):
161 |         super(ClientUI, self)._call_setup(request)
162 |         self._messages = []
163 | 
164 |     def session_required(self, request, e):
165 |         return self.render(request, 'session_required')
166 | 
167 |     def render(self, request, tmpl, **data):
168 |         template = env.get_template('%s.html' % tmpl)
169 |         data['base_url'] = '%s/' % request.script_name
170 |         data['messages'] = self._messages
171 |         if 'yubiauth.user' in request.environ:
172 |             data['user'] = request.environ['yubiauth.user']
173 |         return template.render(data)
174 | 
175 |     def index(self, request, login_form=LoginForm(),
176 |               register_form=RegisterForm()):
177 |         login_form.yubikey.data = None
178 |         if settings['registration']:
179 |             return self.render(request, 'register', login_form=login_form,
180 |                                register_form=register_form)
181 |         else:
182 |             return self.render(request, 'login', login_form=login_form)
183 | 
184 |     def revoke(self, request):
185 |         if 'revoke' in request.params:
186 |             client = request.environ['yubiauth.client']
187 |             try:
188 |                 client.revoke(request.params['revoke'])
189 |                 self.add_message('YubiKey revoked!', 'success')
190 |             except:
191 |                 self.add_message('Invalid revocation code!', 'error')
192 |         return self.render(request, 'revoke')
193 | 
194 |     def register(self, request):
195 |         register_form = RegisterForm(request.params)
196 |         if register_form.validate():
197 |             client = request.environ['yubiauth.client']
198 |             username = register_form.username.data
199 |             password = register_form.password.data
200 |             otp = register_form.yubikey.data
201 |             if not otp:
202 |                 otp = None
203 |             try:
204 |                 user = client.register(username, password, otp)
205 |                 return self.render(request, 'created', user=user,
206 |                                    login_form=LoginForm())
207 |             except:
208 |                 self.add_message('Account registration failed!', 'error')
209 |                 log.info('Account registration failed for username=%s',
210 |                          username)
211 |                 log.debug('Registration failure:', exc_info=True)
212 |         return self.index(request, register_form=register_form)
213 | 
214 |     @extract_params('username?', 'password?', 'yubikey?')
215 |     def login(self, request, username=None, password=None, yubikey=None):
216 |         login_form = LoginForm(request.params)
217 |         if login_form.validate():
218 |             client = request.environ['yubiauth.client']
219 |             try:
220 |                 session = client.create_session(username, password, yubikey)
221 |                 request.environ['beaker.session'].update(session)
222 |                 session.delete()
223 |                 return redirect(request, 'manage')
224 |             except Exception:
225 |                 self.add_message('Login failed!', 'error')
226 |                 request.environ['beaker.session'].delete()
227 |         return self.index(request, login_form=login_form)
228 | 
229 |     @require_session
230 |     def manage(self, request):
231 |         can_delete = settings['deletion']
232 |         return self.render(request, 'manage', can_delete=can_delete)
233 | 
234 |     @require_session
235 |     @extract_params('noauth?')
236 |     def assign_yubikey(self, request, noauth=None):
237 |         assign_form = AssignYubikeyForm(request.params)
238 |         auth_form = ReauthenticateForm(request)
239 |         user = request.environ['yubiauth.user']
240 |         if noauth is not None or not assign_form.validate():
241 |             pass
242 |         elif auth_form.validate() and auth_form.authenticate():
243 |             yubikey = assign_form.yubikey.data
244 |             prefix = yubikey[:-32]
245 |             if not validate_otp(yubikey):
246 |                 self.add_message('Invalid OTP for new YubiKey!', 'error')
247 |             if not prefix in user.yubikeys:
248 |                 user.assign_yubikey(prefix)
249 |             return redirect(request, 'manage')
250 |         else:
251 |             self.add_message('Invalid credentials!', 'error')
252 | 
253 |         return self.render(request, 'assign_yubikey',
254 |                            fieldsets=[assign_form, auth_form])
255 | 
256 |     @require_session
257 |     @with_yubikey
258 |     def yubikey_unassign(self, request, yubikey):
259 |         auth_form = ReauthenticateForm(request)
260 |         if request.method == 'POST' and auth_form.validate():
261 |             if auth_form.authenticate():
262 |                 user = request.environ['yubiauth.user']
263 |                 del user.yubikeys[yubikey.prefix]
264 |                 return redirect(request, 'manage')
265 |             else:
266 |                 self.add_message('Invalid credentials!', 'error')
267 | 
268 |         return self.render(request, 'reauthenticate', yubikey=yubikey,
269 |                            fieldsets=[auth_form], target=request.path_info[1:])
270 | 
271 |     @require_session
272 |     def change_password(self, request):
273 |         password_form = ChangePasswordForm(request.params)
274 |         auth_form = ReauthenticateForm(request)
275 |         if request.method == 'POST' and password_form.validate() and \
276 |                 auth_form.validate():
277 |             if auth_form.authenticate():
278 |                 new_password = password_form.new_password.data
279 |                 user = request.environ['yubiauth.user']
280 |                 user.set_password(new_password)
281 |                 return redirect(request, 'manage')
282 |             else:
283 |                 self.add_message('Invalid credentials!', 'error')
284 | 
285 |         return self.render(request, 'change_password',
286 |                            fieldsets=[password_form, auth_form])
287 | 
288 |     @require_session
289 |     def delete_account(self, request):
290 |         if not settings['deletion']:
291 |             raise exc.HTTPForbidden(details='Account deletion disabled!')
292 |         auth_form = ReauthenticateForm(request)
293 |         if request.method == 'POST' and auth_form.validate():
294 |             if auth_form.authenticate():
295 |                 user = request.environ['yubiauth.user']
296 |                 user.delete()
297 |                 return redirect(request, '')
298 |             else:
299 |                 self.add_message('Invalid credentials!', 'error')
300 | 
301 |         return self.render(request, 'reauthenticate',
302 |                            fieldsets=[auth_form])
303 | 
304 |     @require_session(error_handler=lambda req, *x: redirect(req, ''))
305 |     def logout(self, request):
306 |         request.environ['beaker.session'].delete()
307 |         return redirect(request, '')
308 | 
309 |     @require_session
310 |     @with_yubikey
311 |     def yubikey(self, request, yubikey):
312 |         return self.render(request, 'yubikey', yubikey=yubikey)
313 | 
314 |     @require_session
315 |     @with_yubikey
316 |     def yubikey_set_enabled(self, request, yubikey, enabled):
317 |         auth_form = ReauthenticateForm(request, yubikey.prefix)
318 |         if request.method == 'POST' and auth_form.validate():
319 |             user = request.environ['yubiauth.user']
320 |             # Validate otp manually as the YubiKey might be disabled
321 |             if user.validate_password(auth_form.password.data) and \
322 |                     validate_otp(auth_form.otp.data):
323 |                 yubikey.enabled = enabled
324 |                 return redirect(request, 'yubikey/%s' % yubikey.prefix)
325 |             else:
326 |                 self.add_message('Invalid credentials!', 'error')
327 | 
328 |         return self.render(request, 'reauthenticate', yubikey=yubikey,
329 |                            fieldsets=[auth_form], target=request.path_info[1:])
330 | 
331 |     def yubikey_enable(self, *args, **kwargs):
332 |         return self.yubikey_set_enabled(*args, enabled=True, **kwargs)
333 | 
334 |     def yubikey_disable(self, *args, **kwargs):
335 |         return self.yubikey_set_enabled(*args, enabled=False, **kwargs)
336 | 
337 |     @require_session
338 |     @with_yubikey
339 |     def yubikey_generate(self, request, yubikey):
340 |         auth_form = ReauthenticateForm(request, yubikey.prefix)
341 |         if request.method == 'POST' and auth_form.validate():
342 |             if auth_form.authenticate():
343 |                 client = request.environ['yubiauth.client']
344 |                 code = client.generate_revocation(yubikey.prefix)
345 |                 return self.render(request, 'revocation_code', yubikey=yubikey,
346 |                                    code=code)
347 |             else:
348 |                 self.add_message('Invalid credentials!', 'error')
349 |         return self.render(request, 'reauthenticate', yubikey=yubikey,
350 |                            fieldsets=[auth_form], target=request.path_info[1:])
351 | 
352 | application = session_api(ClientUI())
353 | 
354 | if __name__ == '__main__':
355 |     httpd = make_server('localhost', 8080, application)
356 |     httpd.serve_forever()
357 | 


--------------------------------------------------------------------------------
/yubiauth/config.py:
--------------------------------------------------------------------------------
  1 | #
  2 | # Copyright (c) 2013 Yubico AB
  3 | # All rights reserved.
  4 | #
  5 | #   Redistribution and use in source and binary forms, with or
  6 | #   without modification, are permitted provided that the following
  7 | #   conditions are met:
  8 | #
  9 | #    1. Redistributions of source code must retain the above copyright
 10 | #       notice, this list of conditions and the following disclaimer.
 11 | #    2. Redistributions in binary form must reproduce the above
 12 | #       copyright notice, this list of conditions and the following
 13 | #       disclaimer in the documentation and/or other materials provided
 14 | #       with the distribution.
 15 | #
 16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 27 | # POSSIBILITY OF SUCH DAMAGE.
 28 | #
 29 | 
 30 | __all__ = [
 31 |     'settings'
 32 | ]
 33 | 
 34 | import sys
 35 | import imp
 36 | import errno
 37 | import os
 38 | from yubiauth import default_settings
 39 | import logging
 40 | import logging.config
 41 | 
 42 | 
 43 | SETTINGS_FILE = os.getenv('YUBIAUTH_SETTINGS',
 44 |                           '/etc/yubico/auth/yubiauth.conf')
 45 | LOG_CONFIG_FILE = os.path.join(os.path.dirname(os.path.abspath(SETTINGS_FILE)),
 46 |                                'logging.conf')
 47 | 
 48 | VALUES = {
 49 |     # Core
 50 |     'DATABASE_CONFIGURATION': 'db',
 51 |     'YKVAL_SERVERS': 'ykval',
 52 |     'YKVAL_CLIENT_ID': 'ykval_id',
 53 |     'YKVAL_CLIENT_SECRET': 'ykval_secret',
 54 |     'ALLOW_EMPTY_PASSWORDS': 'allow_empty',
 55 |     'USE_HSM': 'use_hsm',
 56 |     'YHSM_DEVICE': 'yhsm_device',
 57 |     'CRYPT_CONTEXT': 'crypt_context',
 58 |     # Client
 59 |     'CORE_URL': 'core_url',
 60 |     'SECURITY_LEVEL': 'security_level',
 61 |     'AUTO_PROVISION': 'auto_provision',
 62 |     'YUBIKEY_IDENTIFICATION': 'yubikey_id',
 63 |     'ENABLE_USER_REGISTRATION': 'registration',
 64 |     'ALLOW_USER_DELETE': 'deletion',
 65 |     'BEAKER': 'beaker',
 66 |     # LDAP
 67 |     'USE_LDAP': 'use_ldap',
 68 |     'LDAP_SERVER': 'ldap_server',
 69 |     'LDAP_BIND_DN': 'ldap_bind_dn',
 70 |     'LDAP_AUTO_IMPORT': 'ldap_auto_import',
 71 |     'LDAP_YUBIKEY_ATTRIBUTE': 'ldap_yubikey_attr'
 72 | }
 73 | 
 74 | 
 75 | def parse(conf, settings={}):
 76 |     for confkey, settingskey in VALUES.items():
 77 |         try:
 78 |             settings[settingskey] = conf.__getattribute__(confkey)
 79 |         except AttributeError:
 80 |             pass
 81 |     return settings
 82 | 
 83 | 
 84 | settings = parse(default_settings)
 85 | 
 86 | dont_write_bytecode = sys.dont_write_bytecode
 87 | try:
 88 |     sys.dont_write_bytecode = True
 89 |     user_settings = imp.load_source('user_settings', SETTINGS_FILE)
 90 |     settings = parse(user_settings, settings)
 91 | except IOError as e:
 92 |     if not e.errno in [errno.ENOENT, errno.EACCES]:
 93 |         raise e
 94 | finally:
 95 |     sys.dont_write_bytecode = dont_write_bytecode
 96 | 
 97 | if not 'session.url' in settings['beaker']:
 98 |     settings['beaker']['session.url'] = settings['db']
 99 | 
100 | if not 'YHSM_DEVICE' in os.environ and 'yhsm_device' in settings:
101 |     # The environment variable is the one that is actually used.
102 |     os.environ['YHSM_DEVICE'] = settings['yhsm_device']
103 | 
104 | # Set up logging
105 | try:
106 |     logging.config.fileConfig(LOG_CONFIG_FILE)
107 | except:
108 |     logging.basicConfig(level=logging.INFO)
109 |     log = logging.getLogger(__name__)
110 |     log.exception("Unable to configure logging. Logging to console.")
111 | 


--------------------------------------------------------------------------------
/yubiauth/core/__init__.py:
--------------------------------------------------------------------------------
 1 | #
 2 | # Copyright (c) 2013 Yubico AB
 3 | # All rights reserved.
 4 | #
 5 | #   Redistribution and use in source and binary forms, with or
 6 | #   without modification, are permitted provided that the following
 7 | #   conditions are met:
 8 | #
 9 | #    1. Redistributions of source code must retain the above copyright
10 | #       notice, this list of conditions and the following disclaimer.
11 | #    2. Redistributions in binary form must reproduce the above
12 | #       copyright notice, this list of conditions and the following
13 | #       disclaimer in the documentation and/or other materials provided
14 | #       with the distribution.
15 | #
16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 | # POSSIBILITY OF SUCH DAMAGE.
28 | #
29 | 
30 | __all__ = [
31 |     'model',
32 |     'controller',
33 |     'rest',
34 |     'YubiAuth'
35 | ]
36 | 
37 | from yubiauth.core.controller import YubiAuth
38 | 


--------------------------------------------------------------------------------
/yubiauth/core/controller.py:
--------------------------------------------------------------------------------
  1 | #
  2 | # Copyright (c) 2013 Yubico AB
  3 | # All rights reserved.
  4 | #
  5 | #   Redistribution and use in source and binary forms, with or
  6 | #   without modification, are permitted provided that the following
  7 | #   conditions are met:
  8 | #
  9 | #    1. Redistributions of source code must retain the above copyright
 10 | #       notice, this list of conditions and the following disclaimer.
 11 | #    2. Redistributions in binary form must reproduce the above
 12 | #       copyright notice, this list of conditions and the following
 13 | #       disclaimer in the documentation and/or other materials provided
 14 | #       with the distribution.
 15 | #
 16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 27 | # POSSIBILITY OF SUCH DAMAGE.
 28 | #
 29 | 
 30 | from yubiauth.util.controller import Controller
 31 | from yubiauth.util.model import Session
 32 | from yubiauth.core.model import User, YubiKey, AttributeAssociation
 33 | from numbers import Integral
 34 | import logging
 35 | log = logging.getLogger(__name__)
 36 | 
 37 | __all__ = [
 38 |     'YubiAuth'
 39 | ]
 40 | 
 41 | 
 42 | class YubiAuth(Controller):
 43 |     """
 44 |     Main class for interacting with the YubiAuth backend.
 45 |     """
 46 |     def __init__(self, session=Session()):
 47 |         super(YubiAuth, self).__init__(session)
 48 | 
 49 |     def query_users(self, **kwargs):
 50 |         """
 51 |         Performs a query on all available users.
 52 | 
 53 |         Gets a list of all users matching the filter, represented as dicts
 54 |         containing id and name.
 55 | 
 56 |         Filtering is dony by supplying keyword arguments, where each key-value
 57 |         pair will match an Attribute for the user.
 58 | 
 59 |         A special keyword "yubikey" will create a filter on users assigned
 60 |         to the YubiKey with the prefix of the value given.
 61 | 
 62 |         Example:
 63 | 
 64 |         # Get users with the YubiKey ccccccccccce:
 65 |         query_users(yubikey='ccccccccccce')
 66 | 
 67 |         # Get users with the attribute 'area' equal to 'Stockholm'
 68 |         # AND the attribute 'admin' equal to 'True':
 69 |         query_users(area='Stockholm', admin='True')
 70 | 
 71 |         For more advanced querying, use the session attribute directly.
 72 | 
 73 |         @return: A list of users
 74 |         @rtype: list
 75 |         """
 76 |         query = self.session.query(User.id, User.name)
 77 | 
 78 |         if 'yubikey' in kwargs:
 79 |             query = query.filter(User.yubikeys.any(prefix=kwargs['yubikey']))
 80 |             del kwargs['yubikey']
 81 | 
 82 |         for key in kwargs:
 83 |             query = query.filter(
 84 |                 User._attribute_association.has(
 85 |                     AttributeAssociation._attributes.any(
 86 |                         key=key,
 87 |                         value=kwargs[key]
 88 |                     )
 89 |                 )
 90 |             )
 91 | 
 92 |         result = query.all()
 93 | 
 94 |         log.debug('User query: %r resulted in %d matches', kwargs, len(result))
 95 |         return [{'id': row[0], 'name': row[1]} for row in result]
 96 | 
 97 |     def query_yubikeys(self, **kwargs):
 98 |         """
 99 |         Performs a query on all available YubiKeys.
100 | 
101 |         Gets a list of all YubiKeys matching the filter.
102 | 
103 |         Filtering is dony by supplying keyword arguments, where each key-value
104 |         pair will match an Attribute for the YubiKey.
105 | 
106 |         Example:
107 |         # Get YubiKey with the attribute 'revoke' equal to 'foo':
108 |         query_yubikeys(revoke='foo')
109 | 
110 |         @return: A list of YubiKeys
111 |         @rtype: list
112 |         """
113 |         query = self.session.query(YubiKey)
114 | 
115 |         for key in kwargs:
116 |             query = query.filter(
117 |                 YubiKey._attribute_association.has(
118 |                     AttributeAssociation._attributes.any(
119 |                         key=key,
120 |                         value=kwargs[key]
121 |                     )
122 |                 )
123 |             )
124 | 
125 |         result = query.all()
126 |         log.debug('YubiKey query: %r resulted in %d matches', kwargs,
127 |                   len(result))
128 |         return result
129 | 
130 |     def get_user(self, user_username_or_id):
131 |         """
132 |         Does a lookup for a user based on a username or ID.
133 | 
134 |         For practicality also checks if the argument is a C{User},
135 |         in which case it is returned as-is.
136 | 
137 |         @param user_username_or_id: A username or user ID
138 |         @type user_username_or_id: C{User} or string or int
139 |         """
140 |         if isinstance(user_username_or_id, User):
141 |             return user_username_or_id
142 |         else:
143 |             query = self.session.query(User)
144 |             try:
145 |                 if isinstance(user_username_or_id, Integral):
146 |                     user = query.get(user_username_or_id)
147 |                     if user:
148 |                         log.debug('User lookup id=%d successful',
149 |                                   user_username_or_id)
150 |                         return user
151 |                 else:
152 |                     user = query.filter(User.name == user_username_or_id).one()
153 |                     log.debug('User lookup username=%s successful',
154 |                               user_username_or_id)
155 |                     return user
156 |             except:
157 |                 pass
158 | 
159 |         log.debug('User lookup on: %r of type: %s failed', user_username_or_id,
160 |                   type(user_username_or_id))
161 |         raise LookupError('User not found!')
162 | 
163 |     def get_yubikey(self, prefix):
164 |         """
165 |         Gets a YubiKey by its prefix.
166 | 
167 |         @param prefix: A YubiKey prefix
168 |         @type prefix: string
169 |         """
170 |         key = self.session.query(YubiKey).filter(
171 |             YubiKey.prefix == prefix).one()
172 |         log.debug('YubiKey lookup prefix=%s failed', prefix)
173 |         return key
174 | 
175 |     def create_user(self, username, password):
176 |         """
177 |         Creates a new user.
178 | 
179 |         @param username: A unique username to give the new user.
180 |         @type username: string
181 | 
182 |         @param password: The password to give the new user.
183 |         @type password: string
184 | 
185 |         @return: The created user.
186 |         @rtype: C{User}
187 |         """
188 |         try:
189 |             self.get_user(username)
190 |         except:
191 |             user = User(username, password)
192 |             self.session.add(user)
193 |             log.info('User created: %s', user.name)
194 |             return user
195 |         log.error('Create user failed! Username exists: %s',
196 |                   username)
197 |         raise ValueError('A user with that username already exists!')
198 | 


--------------------------------------------------------------------------------
/yubiauth/core/ldapauth.py:
--------------------------------------------------------------------------------
  1 | #
  2 | # Copyright (c) 2013 Yubico AB
  3 | # All rights reserved.
  4 | #
  5 | #   Redistribution and use in source and binary forms, with or
  6 | #   without modification, are permitted provided that the following
  7 | #   conditions are met:
  8 | #
  9 | #    1. Redistributions of source code must retain the above copyright
 10 | #       notice, this list of conditions and the following disclaimer.
 11 | #    2. Redistributions in binary form must reproduce the above
 12 | #       copyright notice, this list of conditions and the following
 13 | #       disclaimer in the documentation and/or other materials provided
 14 | #       with the distribution.
 15 | #
 16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 27 | # POSSIBILITY OF SUCH DAMAGE.
 28 | #
 29 | 
 30 | __all__ = [
 31 |     'LDAPAuthenticator'
 32 | ]
 33 | 
 34 | import ldap
 35 | import logging
 36 | log = logging.getLogger(__name__)
 37 | 
 38 | 
 39 | class UserStub(object):
 40 | 
 41 |     def __init__(self, name):
 42 |         self.name = name
 43 |         self.attributes = {}
 44 | 
 45 | 
 46 | class LDAPAuthenticator(object):
 47 | 
 48 |     """Authenticates users against an external LDAP server."""
 49 | 
 50 |     def __init__(self, ldap_server, bind_dn):
 51 |         self.ldap_server = ldap_server
 52 |         self.bind_dn = bind_dn
 53 | 
 54 |     def _bind(self, user, password):
 55 |         """
 56 |         Binds the ldap and returns a connection object
 57 | 
 58 |         """
 59 |         if isinstance(user, basestring):
 60 |             user = UserStub(user)
 61 |         conn = None
 62 |         tmpl = user.attributes.get('_ldap_bind_dn', self.bind_dn)
 63 |         try:
 64 |             bind_dn = tmpl.format(user=user)
 65 |         except Exception:
 66 |             log.exception("Error in LDAP Bind DN template expansion")
 67 |             return (None, None)
 68 |         try:
 69 |             conn = ldap.initialize(self.ldap_server)
 70 |             conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 10.0)
 71 |             conn.simple_bind_s(bind_dn, password)
 72 |             log.info("LDAP authentication successful. "
 73 |                      "Bind DN: %s, server: %s", bind_dn, self.ldap_server)
 74 |             return (conn, bind_dn)
 75 |         except ldap.LDAPError:
 76 |             log.exception("LDAP authentication failed. "
 77 |                           "Bind DN: %s, server: %s", bind_dn, self.ldap_server)
 78 |             return (None, bind_dn)
 79 | 
 80 |     def authenticate(self, user, password):
 81 |         conn, dn = self._bind(user, password)
 82 |         if conn:
 83 |             conn.unbind_s()
 84 |             return True
 85 |         else:
 86 |             return False
 87 | 
 88 |     def validate_yubikey(self, user, password, prefix, yk_attr):
 89 |         """
 90 |         Performs a simple bind and check the OTP prefix against LDAP using the
 91 |         LDAP attribute in yk_attr.
 92 | 
 93 |         """
 94 |         conn, dn = self._bind(user, password)
 95 |         if not conn:
 96 |             return False
 97 | 
 98 |         try:
 99 |             dn, entry = conn.search_s(dn, ldap.SCOPE_BASE)[0]
100 |             conn.unbind_s()
101 |             if yk_attr not in entry or prefix not in entry[yk_attr]:
102 |                 return False
103 |             return True
104 | 
105 |         except ldap.LDAPError:
106 |             log.exception("LDAP lookup failed for yubikey. "
107 |                           "Bind DN: %s, server: %s", dn, self.ldap_server)
108 |             return False
109 | 


--------------------------------------------------------------------------------
/yubiauth/core/model.py:
--------------------------------------------------------------------------------
  1 | #
  2 | # Copyright (c) 2013 Yubico AB
  3 | # All rights reserved.
  4 | #
  5 | #   Redistribution and use in source and binary forms, with or
  6 | #   without modification, are permitted provided that the following
  7 | #   conditions are met:
  8 | #
  9 | #    1. Redistributions of source code must retain the above copyright
 10 | #       notice, this list of conditions and the following disclaimer.
 11 | #    2. Redistributions in binary form must reproduce the above
 12 | #       copyright notice, this list of conditions and the following
 13 | #       disclaimer in the documentation and/or other materials provided
 14 | #       with the distribution.
 15 | #
 16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 27 | # POSSIBILITY OF SUCH DAMAGE.
 28 | #
 29 | 
 30 | __all__ = [
 31 |     'User',
 32 |     'Attribute',
 33 |     'YubiKey',
 34 |     'Base',
 35 | ]
 36 | 
 37 | from UserDict import DictMixin
 38 | from yubiauth.config import settings
 39 | from yubiauth.util import validate_otp
 40 | from yubiauth.util.model import Session, Deletable
 41 | 
 42 | from sqlalchemy import (Sequence, Column, Boolean, Integer, String, Text,
 43 |                         ForeignKey, UniqueConstraint, Table)
 44 | from sqlalchemy.ext.declarative import declarative_base, declared_attr
 45 | from sqlalchemy.orm import relationship, backref
 46 | from sqlalchemy.orm.collections import attribute_mapped_collection
 47 | from sqlalchemy.ext.associationproxy import association_proxy
 48 | 
 49 | from passlib.context import CryptContext
 50 | from passlib.registry import register_crypt_handler_path
 51 | 
 52 | if settings['use_ldap']:
 53 |     from yubiauth.core.ldapauth import LDAPAuthenticator
 54 |     global ldapauth
 55 |     ldapauth = LDAPAuthenticator(settings['ldap_server'],
 56 |                                  settings['ldap_bind_dn'])
 57 | 
 58 | if settings['use_hsm']:
 59 |     register_crypt_handler_path('yhsm_pbkdf2_sha1', 'yubiauth.yhsm')
 60 |     register_crypt_handler_path('yhsm_pbkdf2_sha256', 'yubiauth.yhsm')
 61 |     register_crypt_handler_path('yhsm_pbkdf2_sha512', 'yubiauth.yhsm')
 62 | 
 63 | 
 64 | Base = declarative_base()
 65 | 
 66 | pwd_context = CryptContext(**settings['crypt_context'])
 67 | 
 68 | 
 69 | user_yubikeys = Table(
 70 |     'user_yubikeys',
 71 |     Base.metadata,
 72 |     Column('user_id', Integer, ForeignKey('users.id', ondelete='cascade')),
 73 |     Column('yubikey_id', Integer,
 74 |            ForeignKey('yubikeys.id', ondelete='cascade'))
 75 | )
 76 | 
 77 | 
 78 | class AttributeAssociation(Base):
 79 |     """
 80 |     Holds Attributes. Each AttributeHolder has one of these.
 81 | 
 82 |     cvar id: Primary key.
 83 |     cvar discriminator: The name of the type of the owner.
 84 |     cvar attributes: Dict of attributes.
 85 |     cvar owner: The owner of the attributes.
 86 |     """
 87 |     __tablename__ = 'attribute_associations'
 88 | 
 89 |     id = Column(Integer, Sequence('attr_assoc_seq'), primary_key=True)
 90 |     discriminator = Column('discriminator', String(16))
 91 |     _attributes = relationship(
 92 |         'Attribute',
 93 |         backref='association',
 94 |         order_by='Attribute.key',
 95 |         collection_class=attribute_mapped_collection('key'),
 96 |         cascade='all, delete-orphan'
 97 |     )
 98 |     attributes = association_proxy(
 99 |         '_attributes',
100 |         'value',
101 |         creator=lambda k, v: Attribute(k, v)
102 |     )
103 | 
104 |     @property
105 |     def owner(self):
106 |         return getattr(self, '%s_owner' % self.discriminator)
107 | 
108 | 
109 | class Attribute(Base):
110 |     """
111 |     Holds an attribute for an AttributeHolder.
112 | 
113 |     An AttributeHolder can have zero or more attributes, though each attribute
114 |     must have a unique key per user.
115 | 
116 |     cvar id: Primary key.
117 |     cvar key: The key of the attribute.
118 |     cvar value: The value of the attribute.
119 |     cvar owner: The owner of the attribute.
120 |     """
121 |     __tablename__ = 'attributes'
122 |     __table_args__ = (UniqueConstraint('association_id', 'key',
123 |                                        name='_owner_key_uc'),)
124 | 
125 |     id = Column(Integer, Sequence('attribute_id_seq'), primary_key=True)
126 |     _association_id = Column('association_id', Integer, ForeignKey(
127 |         'attribute_associations.id'))
128 |     key = Column(String(32), nullable=False)
129 |     value = Column(Text(), nullable=False)
130 |     owner = association_proxy('association', 'owner')
131 | 
132 |     def __init__(self, key, value):
133 |         self.key = key
134 |         self.value = value
135 | 
136 |     def __repr__(self):
137 |         return ('%s = %s' % (self.key, self.value)).encode('utf-8')
138 | 
139 | 
140 | class AttributeProxy(DictMixin):
141 |         """
142 |         Proxy used in AttributeHolder used to give access to Attributes
143 |         via an AttributeAssociation object, creating that object when
144 |         necessary.
145 |         """
146 |         def __init__(self, owner):
147 |             self.owner = owner
148 | 
149 |         @property
150 |         def has_assoc(self):
151 |             return bool(self.owner._attribute_association)
152 | 
153 |         @property
154 |         def assoc(self):
155 |             if not self.owner._attribute_association:
156 |                 discriminator = self.owner.__class__.__name__.lower()
157 |                 self.owner._attribute_association = AttributeAssociation(
158 |                     discriminator=discriminator)
159 |             return self.owner._attribute_association
160 | 
161 |         def __getitem__(self, key):
162 |             if self.has_assoc:
163 |                 return self.assoc.attributes[key]
164 |             raise KeyError(key)
165 | 
166 |         def __setitem__(self, key, value):
167 |             self.assoc.attributes[key] = value
168 | 
169 |         def __delitem__(self, key):
170 |             if self.has_assoc:
171 |                 del self.assoc.attributes[key]
172 |             else:
173 |                 raise KeyError(key)
174 | 
175 |         def keys(self):
176 |             if self.has_assoc:
177 |                 return self.assoc.attributes.keys()
178 |             return []
179 | 
180 |         def copy(self):
181 |             copy = {}
182 |             copy.update(self)
183 |             return copy
184 | 
185 | 
186 | class AttributeHolder(object):
187 |     """
188 |     Mixin class for model objects that should hold Attributes.
189 | 
190 |     Attributes can be easily accessed through common dict operations.
191 | 
192 |     holder.attributes['foo'] = 'bar'
193 |     holder.attributes = {'key1': 'val', 'key2': 'otherval'}
194 |     """
195 | 
196 |     @property
197 |     def attributes(self):
198 |         if '_attributes' not in self.__dict__:
199 |             self._attributes = AttributeProxy(self)
200 |         return self._attributes
201 | 
202 |     @attributes.setter
203 |     def attributes(self, value):
204 |         self.attributes.clear()
205 |         self.attributes.update(value)
206 | 
207 |     @declared_attr
208 |     def _discriminator(cls):
209 |         return cls.__name__.lower()
210 | 
211 |     @declared_attr
212 |     def _attribute_association_id(cls):
213 |         return Column('attribute_association_id', Integer, ForeignKey(
214 |             'attribute_associations.id'))
215 | 
216 |     @declared_attr
217 |     def _attribute_association(cls):
218 |         return relationship('AttributeAssociation', backref=backref(
219 |             '%s_owner' % cls._discriminator, uselist=False),
220 |             cascade='all, delete')
221 | 
222 | 
223 | class User(AttributeHolder, Deletable, Base):
224 |     """
225 |     A user.
226 | 
227 |     Has a unique id and username, as well as a password and zero or
228 |     more YubiKeys. Each user also has a key-value mapping of attributes.
229 | 
230 |     @cvar id: ID column.
231 |     @cvar name: Name column.
232 |     @cvar auth: Authentication data column.
233 |     @cvar yubikeys: Dict of the users YubiKeys, with public IDs as keys.
234 |     @cvar attributes: Dict of the users attributes.
235 |     """
236 |     __tablename__ = 'users'
237 | 
238 |     id = Column(Integer, Sequence('user_id_seq'), primary_key=True)
239 |     name = Column(String(32), nullable=False, unique=True)
240 |     auth = Column(String(128))
241 |     yubikeys = relationship(
242 |         'YubiKey',
243 |         secondary=user_yubikeys,
244 |         backref='users',
245 |         order_by='YubiKey.prefix',
246 |         collection_class=attribute_mapped_collection('prefix'),
247 |     )
248 | 
249 |     def __init__(self, name, password):
250 |         self.name = name
251 |         self.set_password(password)
252 |         super(User, self).__init__()
253 | 
254 |     def assign_yubikey(self, prefix_or_otp):
255 |         """
256 |         Assigns a YubiKey to the user.
257 | 
258 |         @param prefix_or_otp: The public ID of a YubiKey, or a full OTP.
259 |         @type prefix_or_otp: string
260 |         """
261 |         if len(prefix_or_otp) > 32:
262 |             prefix = prefix_or_otp[:-32]
263 |         else:
264 |             prefix = prefix_or_otp
265 | 
266 |         session = Session.object_session(self)
267 |         existing_key = session.query(YubiKey).filter(
268 |             YubiKey.prefix == prefix).first()
269 | 
270 |         if existing_key:
271 |             existing_key.users.append(self)
272 |         else:
273 |             self.yubikeys[prefix] = YubiKey(prefix)
274 |         return self.yubikeys[prefix]
275 | 
276 |     def set_password(self, password):
277 |         """
278 |         Sets the password of the user. An empty String is treated as no
279 |         password. If no password is set the user either can't log in (default)
280 |         or, if the ALLOW_EMPTY_PASSWORDS setting is set to True, the user may
281 |         log in without providing a password.
282 | 
283 |         @param password: The new password to set for the user.
284 |         @type password: string
285 |         """
286 |         if settings['use_ldap'] and password:
287 |             raise ValueError("Cannot set password when using LDAP")
288 | 
289 |         if password:
290 |             self.auth = pwd_context.encrypt(password)
291 |         else:
292 |             self.auth = None
293 | 
294 |     def validate_password(self, password):
295 |         """
296 |         Validates a password.
297 | 
298 |         @param password: A password to validate for the user.
299 |         @type password: string
300 | 
301 |         @return: True if the password was valid, False if not.
302 |         @rtype bool
303 |         """
304 |         if settings['use_ldap']:
305 |             return ldapauth.authenticate(self, password)
306 | 
307 |         if not self.auth and not password:
308 |             return settings['allow_empty'] is True
309 | 
310 |         valid, new_auth = pwd_context.\
311 |             verify_and_update(password, self.auth)
312 |         if valid:
313 |             if new_auth:
314 |                 self.auth = new_auth
315 |             return True
316 |         return False
317 | 
318 |     def validate_otp(self, otp, password=None):
319 |         """
320 |         Validates a YubiKey OTP (One Time Password) for the user.
321 | 
322 |         @param otp: The OTP to validate.
323 |         @type otp: string
324 | 
325 |         @return: True if the OTP was valid, and from a YubiKey belonging
326 |         to the user. False if not.
327 |         @rtype: bool
328 |         """
329 |         prefix = otp[:-32]
330 |         otp_valid = validate_otp(otp)
331 |         if settings['use_ldap'] and settings['ldap_yubikey_attr']:
332 |             return otp_valid and ldapauth.validate_yubikey(
333 |                 self, password, prefix, settings['ldap_yubikey_attr'])
334 |         elif prefix in self.yubikeys:
335 |             return otp_valid and self.yubikeys[prefix].enabled
336 | 
337 |         return False
338 | 
339 |     @property
340 |     def data(self):
341 |         return {
342 |             'id': self.id,
343 |             'name': self.name,
344 |             'attributes': self.attributes.copy(),
345 |             'yubikeys': self.yubikeys.keys()
346 |         }
347 | 
348 |     def __repr__(self):
349 |         return (
350 |             "User(id: %r, name: '%s', yubikeys: %r, attributes: %r)" %
351 |             (self.id, self.name, self.yubikeys.keys(), self.attributes)
352 |         ).encode('utf-8')
353 | 
354 | 
355 | class YubiKey(AttributeHolder, Deletable, Base):
356 |     """
357 |     A reference to a YubiKey.
358 | 
359 |     This class connects a particular YubiKey to a C{User} in a many-to-one
360 |     relationship. It is also used to validate OTPs (One Time Passwords)
361 |     from the YubiKey.
362 | 
363 |     @cvar id: ID column.
364 |     @cvar prefix: YubiKey public ID column.
365 |     @cvar user_id: FK of the owner.
366 |     """
367 |     __tablename__ = 'yubikeys'
368 | 
369 |     id = Column(Integer, Sequence('yubikey_id_seq'), primary_key=True)
370 |     prefix = Column(String(32), nullable=False, unique=True)
371 |     enabled = Column(Boolean, default=True)
372 | 
373 |     def __init__(self, prefix):
374 |         self.prefix = prefix
375 |         super(YubiKey, self).__init__()
376 | 
377 |     @property
378 |     def data(self):
379 |         return {
380 |             'id': self.id,
381 |             'prefix': self.prefix,
382 |             'enabled': self.enabled,
383 |             'attributes': self.attributes.copy()
384 |         }
385 | 
386 |     def __repr__(self):
387 |         return ("YubiKey(id: %r, prefix: '%s')" %
388 |                 (self.id, self.prefix)).encode('utf-8')
389 | 


--------------------------------------------------------------------------------
/yubiauth/core/rest.py:
--------------------------------------------------------------------------------
  1 | #
  2 | # Copyright (c) 2013 Yubico AB
  3 | # All rights reserved.
  4 | #
  5 | #   Redistribution and use in source and binary forms, with or
  6 | #   without modification, are permitted provided that the following
  7 | #   conditions are met:
  8 | #
  9 | #    1. Redistributions of source code must retain the above copyright
 10 | #       notice, this list of conditions and the following disclaimer.
 11 | #    2. Redistributions in binary form must reproduce the above
 12 | #       copyright notice, this list of conditions and the following
 13 | #       disclaimer in the documentation and/or other materials provided
 14 | #       with the distribution.
 15 | #
 16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 27 | # POSSIBILITY OF SUCH DAMAGE.
 28 | #
 29 | 
 30 | from wsgiref.simple_server import make_server
 31 | from webob import exc
 32 | import re
 33 | 
 34 | from yubiauth.core import YubiAuth
 35 | from yubiauth.util import MODHEX
 36 | from yubiauth.util.rest import (
 37 |     REST_API, Route, no_content, json_response, json_error, extract_params)
 38 | 
 39 | ID_PATTERN = r'\d+'
 40 | USERNAME_PATTERN = '(?=.*[a-zA-Z\xc0-\xff])[-_a-zA-Z0-9\xc0-\xff]{3,}'
 41 | PASSWORD_PATTERN = r'\S{3,}'
 42 | YUBIKEY_PATTERN = r'[%s]{0,64}' % MODHEX
 43 | ATTRIBUTE_KEY_PATTERN = r'[-_a-zA-Z0-9]+'
 44 | 
 45 | ID_RE = re.compile(r'^%s$' % ID_PATTERN)
 46 | 
 47 | 
 48 | class CoreAPI(REST_API):
 49 |     __user__ = r'^/users/(%s|%s)' % (ID_PATTERN, USERNAME_PATTERN)
 50 |     __user_attribute__ = __user__ + r'/attributes/(%s)' % ATTRIBUTE_KEY_PATTERN
 51 |     __user_yubikey__ = __user__ + r'/yubikeys/(%s)' % YUBIKEY_PATTERN
 52 |     __yubikey__ = r'^/yubikeys/(%s)' % YUBIKEY_PATTERN
 53 |     __yubikey_attribute__ = __yubikey__ + r'/attributes/(%s)' %\
 54 |         ATTRIBUTE_KEY_PATTERN
 55 |     __user_yubikey_attribute__ = __user_yubikey__ + r'/attributes/(%s)' %\
 56 |         ATTRIBUTE_KEY_PATTERN
 57 | 
 58 |     __routes__ = [
 59 |         Route(r'^/user$', 'find_user'),
 60 |         Route(r'^/users$', get='list_users', post='create_user'),
 61 |         Route(__user__ + r'$', get='show_user', delete='delete_user'),
 62 |         Route(__user__ + r'/reset$', post='reset_password'),
 63 |         Route(__user__ + r'/rename$', post='rename_user'),
 64 |         Route(__user__ + r'/delete$', post='delete_user'),
 65 |         Route(__user__ + r'/validate$', 'validate'),
 66 |         Route(__user__ + r'/attributes$', get='list_user_attributes',
 67 |               post='set_user_attribute'),
 68 |         Route(__user_attribute__ + r'$', get='show_user_attribute',
 69 |               delete='unset_user_attribute'),
 70 |         Route(__user_attribute__ + r'/delete$', post='unset_user_attribute'),
 71 |         Route(__user__ + r'/yubikeys$', get='list_yubikeys',
 72 |               post='bind_yubikey'),
 73 | 
 74 |         Route(__user_yubikey__ + r'$', get='show_yubikey',
 75 |               delete='unbind_yubikey'),
 76 |         Route(__user_yubikey__ + r'/delete$', post='unbind_yubikey'),
 77 |         Route(__user_yubikey__ + r'/attributes$',
 78 |               get='list_yubikey_attributes', post='set_yubikey_attribute'),
 79 |         Route(__user_yubikey_attribute__ + r'$', get='show_yubikey_attribute',
 80 |               delete='unset_yubikey_attribute'),
 81 |         Route(__user_yubikey_attribute__ + r'/delete$',
 82 |               post='unset_yubikey_attribute'),
 83 | 
 84 |         Route(__yubikey__ + r'$', get='show_yubikey', delete='delete_yubikey'),
 85 |         Route(__yubikey__ + r'/delete$', post='delete_yubikey'),
 86 |         Route(__yubikey__ + r'/attributes$', get='list_yubikey_attributes',
 87 |               post='set_yubikey_attribute'),
 88 |         Route(__yubikey_attribute__ + r'$', get='show_yubikey_attribute',
 89 |               delete='unset_yubikey_attribute'),
 90 |         Route(__yubikey_attribute__ + r'/delete$',
 91 |               post='unset_yubikey_attribute')
 92 |     ]
 93 | 
 94 |     def _call_setup(self, request):
 95 |         request.auth = YubiAuth()
 96 | 
 97 |     def _call_teardown(self, request, response):
 98 |         request.auth.commit()
 99 |         del request.auth
100 | 
101 |     def _get_user(self, request, username_or_id):
102 |         if ID_RE.match(username_or_id):
103 |             username_or_id = int(username_or_id)
104 | 
105 |         try:
106 |             return request.auth.get_user(username_or_id)
107 |         except:
108 |             raise exc.HTTPNotFound
109 | 
110 |     def _get_yubikey(self, request, *args):
111 |         try:
112 |             if len(args) == 1:
113 |                 return request.auth.get_yubikey(args[0])
114 |             elif len(args) >= 2:
115 |                 user = self._get_user(request, args[0])
116 |                 return user.yubikeys[args[1]]
117 |         except:
118 |             pass
119 | 
120 |         raise exc.HTTPNotFound
121 | 
122 |     # Users
123 | 
124 |     def find_user(self, request):
125 |         users = request.auth.query_users(**request.params)
126 |         if len(users) == 1:
127 |             user_id = users[0]['id']
128 |             user = request.auth.get_user(user_id)
129 |             response = json_response(user.data)
130 |             response.headers.add('Link', '<%s>; rel="canonical"' %
131 |                                  request.relative_url('users/%d' % user_id))
132 |             return response
133 | 
134 |         raise exc.HTTPNotFound
135 | 
136 |     def list_users(self, request):
137 |         return json_response(request.auth.query_users(**request.params))
138 | 
139 |     @extract_params('username', 'password')
140 |     def create_user(self, request, username, password):
141 |         try:
142 |             user = request.auth.create_user(username, password)
143 |             request.auth.commit()
144 |             url = '%s/users/%d' % (request.script_name, user.id)
145 |             return json_response({
146 |                 'id': user.id,
147 |                 'name': user.name
148 |             }, location=url, status=201)
149 |         except Exception, e:
150 |             return json_error(e.message)
151 | 
152 |     def show_user(self, request, username_or_id):
153 |         user = self._get_user(request, username_or_id)
154 |         return json_response(user.data)
155 | 
156 |     @extract_params('password')
157 |     def reset_password(self, request, username_or_id, password):
158 |         user = self._get_user(request, username_or_id)
159 |         user.set_password(password)
160 | 
161 |         return no_content()
162 | 
163 |     @extract_params('username')
164 |     def rename_user(self, request, username_or_id, username):
165 |         user = self._get_user(request, username_or_id)
166 |         try:
167 |             request.auth.get_user(username)
168 |             return json_error('User "%s" already exists!' % username)
169 |         except:
170 |             user.name = username
171 | 
172 |         return no_content()
173 | 
174 |     def delete_user(self, request, username_or_id):
175 |         user = self._get_user(request, username_or_id)
176 |         user.delete()
177 | 
178 |         return no_content()
179 | 
180 |     # Attributes
181 | 
182 |     def _list_attributes(self, owner):
183 |         return json_response(owner.attributes.copy())
184 | 
185 |     def list_user_attributes(self, request, username_or_id):
186 |         return self._list_attributes(self._get_user(request, username_or_id))
187 | 
188 |     def list_yubikey_attributes(self, request, *args):
189 |         return self._list_attributes(self._get_yubikey(request, *args))
190 | 
191 |     def _show_attribute(self, owner, attribute_key):
192 |         if attribute_key in owner.attributes:
193 |             return json_response(owner.attributes[attribute_key])
194 |         return json_response(None)
195 | 
196 |     def show_user_attribute(self, request, username_or_id, attribute_key):
197 |         return self._show_attribute(self._get_user(request, username_or_id),
198 |                                     attribute_key)
199 | 
200 |     def show_yubikey_attribute(self, request, *args):
201 |         attribute_key = args[-1]
202 |         return self._show_attribute(self._get_yubikey(request, *args[:-1]),
203 |                                     attribute_key)
204 | 
205 |     @extract_params('key', 'value')
206 |     def _set_attribute(self, request, owner, key, value):
207 |         owner.attributes[key] = value
208 | 
209 |         return no_content()
210 | 
211 |     def set_user_attribute(self, request, username_or_id):
212 |         return self._set_attribute(request, self._get_user(request,
213 |                                                            username_or_id))
214 | 
215 |     def set_yubikey_attribute(self, request, *args):
216 |         return self._set_attribute(request, self._get_yubikey(request, *args))
217 | 
218 |     def _unset_attribute(self, owner, attribute_key):
219 |         if attribute_key in owner.attributes:
220 |             del owner.attributes[attribute_key]
221 | 
222 |         return no_content()
223 | 
224 |     def unset_user_attribute(self, request, username_or_id, attribute_key):
225 |         return self._unset_attribute(self._get_user(request, username_or_id),
226 |                                      attribute_key)
227 | 
228 |     def unset_yubikey_attribute(self, request, *args):
229 |         attribute_key = args[-1]
230 |         return self._unset_attribute(self._get_yubikey(request, *args[:-1]),
231 |                                      attribute_key)
232 | 
233 |     # YubiKeys
234 | 
235 |     def list_yubikeys(self, request, username_or_id):
236 |         user = self._get_user(request, username_or_id)
237 |         return json_response(user.yubikeys.keys())
238 | 
239 |     def show_yubikey(self, request, *args):
240 |         yubikey = self._get_yubikey(request, *args)
241 |         return json_response(yubikey.data)
242 | 
243 |     @extract_params('yubikey')
244 |     def bind_yubikey(self, request, username_or_id, yubikey):
245 |         user = self._get_user(request, username_or_id)
246 |         user.assign_yubikey(yubikey)
247 | 
248 |         return no_content()
249 | 
250 |     def unbind_yubikey(self, request, username_or_id, prefix):
251 |         user = self._get_user(request, username_or_id)
252 |         try:
253 |             del user.yubikeys[prefix]
254 |         except KeyError:
255 |             raise exc.HTTPNotFound
256 | 
257 |         return no_content()
258 | 
259 |     def delete_yubikey(self, request, prefix):
260 |         yubikey = self._get_yubikey(request, prefix)
261 |         yubikey.delete()
262 | 
263 |         return no_content()
264 | 
265 |     # Validate
266 | 
267 |     def validate(self, request, username_or_id):
268 |         user = self._get_user(request, username_or_id)
269 |         valid_pass = False
270 |         valid_otp = False
271 |         password = None
272 |         otp = None
273 | 
274 |         if 'password' in request.params:
275 |             password = request.params['password']
276 |         if 'otp' in request.params:
277 |             otp = request.params['otp']
278 |         if password:
279 |             valid_pass = user.validate_password(password)
280 |         if otp:
281 |             valid_otp = user.validate_otp(otp, password)
282 | 
283 |         return json_response({
284 |             'valid_password': valid_pass,
285 |             'valid_otp': valid_otp
286 |         })
287 | 
288 | 
289 | application = CoreAPI()
290 | 
291 | 
292 | if __name__ == '__main__':
293 |     httpd = make_server('localhost', 8080, application)
294 |     httpd.serve_forever()
295 | 


--------------------------------------------------------------------------------
/yubiauth/default_settings.py:
--------------------------------------------------------------------------------
  1 | #
  2 | # Core API settings
  3 | #
  4 | 
  5 | # Database configuration string
  6 | DATABASE_CONFIGURATION = 'sqlite:///:memory:'
  7 | 
  8 | # YubiKey Validation Server URLs
  9 | YKVAL_SERVERS = [
 10 |     'https://api.yubico.com/wsapi/2.0/verify',
 11 |     'https://api2.yubico.com/wsapi/2.0/verify',
 12 |     'https://api3.yubico.com/wsapi/2.0/verify',
 13 |     'https://api4.yubico.com/wsapi/2.0/verify',
 14 |     'https://api5.yubico.com/wsapi/2.0/verify'
 15 | ]
 16 | 
 17 | # YubiKey Validation server API key and secret
 18 | YKVAL_CLIENT_ID = 11004
 19 | YKVAL_CLIENT_SECRET = '5Vm3Zp2mUTQHMo1DeG9tdojpc1Y='
 20 | 
 21 | # Allow users with no password to log in without providing a password.
 22 | # When set to False (default), a user with no password will be unable to log
 23 | # in.
 24 | #
 25 | # WARNING: In combination with the SECURITY_LEVEL settings, this setting may
 26 | # allow a user to log in using ONLY a username. If you're unsure if you need
 27 | # this, leave it to False.
 28 | ALLOW_EMPTY_PASSWORDS = False
 29 | 
 30 | # LDAP server configuration
 31 | # YubiAuth can optionally use an LDAP server such as OpenLDAP or Active
 32 | # Directory to validate users instead of the built-in user database.
 33 | # NOTE: When USE_LDAP is set to True, password validation will go through LDAP
 34 | # and changing the password of a user will not work.
 35 | USE_LDAP = False
 36 | 
 37 | # LDAP server URI to bind to.
 38 | LDAP_SERVER = "ldap://127.0.0.1"
 39 | 
 40 | # Template for the bind DN to use for a user. The User object will be passed to
 41 | # the templates .format() method, and it's attributes can thus be used within
 42 | # the DN. For example: {user.name} can be used.
 43 | # For Active Directory, the following command can be used on the Windows Server
 44 | # to determine the Bind DN: "dsquery user -name *"
 45 | #
 46 | # NOTE: If a user has an attribute named _ldap_bind_dn, this will override the
 47 | # below setting for that user only.
 48 | LDAP_BIND_DN = "uid={user.name},ou=People,dc=example,dc=com"
 49 | 
 50 | # When True, users will be automatically created in YubiAuth when a user that
 51 | # exists in the LDAP database tried to authenticate using correct credentials.
 52 | LDAP_AUTO_IMPORT = True
 53 | 
 54 | # Use a YubiHSM for increased security
 55 | # This requires the pyhsm package, and should be used with the yhsm-daemon
 56 | # utility that comes with it.
 57 | USE_HSM = False
 58 | 
 59 | # YubiHSM, only used if USE_HSM is True.
 60 | # Setting the 'YHSM_DEVICE' environment variable will override this.
 61 | YHSM_DEVICE = 'yhsm://localhost:5348'
 62 | 
 63 | # Passlib configuration
 64 | # Will default to using yhsm_pbkdf2_sha1 for password hashes if a HSM is
 65 | # available.
 66 | CRYPT_CONTEXT = {
 67 |     'schemes': ['yhsm_pbkdf2_sha1', 'sha256_crypt'] if USE_HSM
 68 |     else ['sha256_crypt'],
 69 |     'deprecated': ['sha256_crypt'] if USE_HSM else [],
 70 |     'default': 'yhsm_pbkdf2_sha1' if USE_HSM else 'sha256_crypt',
 71 |     'yhsm_pbkdf2_sha1__key_handle': 1,
 72 |     'all__vary_rounds': 0.1,
 73 |     'sha256_crypt__min_rounds': 80000,
 74 |     'admin__sha256_crypt__min_rounds': 160000
 75 | }
 76 | 
 77 | #
 78 | # Client API settings
 79 | #
 80 | 
 81 | # Defines who is required to provide a YubiKey OTP when logging in.
 82 | # The available levels are:
 83 | # 0 = Permissive. OTPs are not required to authenticate, by anyone.
 84 | #
 85 | # 1 = Require when provisioned. OTPs are required by all users that have a
 86 | # YubiKey assigned to them.
 87 | #
 88 | # 2 = Always require. OTPs are required by all users. If no YubiKey has been
 89 | # assigned, that user cannot log in, unless auto-provisioning is enabled.
 90 | #
 91 | # WARNING: In combination with the ALLOW_EMPTY_PASSWORDS settings, setting
 92 | # this to 0 may allow a user to log in using ONLY a username.
 93 | SECURITY_LEVEL = 1
 94 | 
 95 | # Auto-provision YubiKeys.
 96 | # When enabled, an attempt to authenticate a user that doesn't have a YubiKey
 97 | # assigned with a valid YubiKey OTP, will cause that YubiKey to become
 98 | # automatically assigned to the user.
 99 | AUTO_PROVISION = True
100 | 
101 | # When set to True, allow users authenticating with a YubiKey to omit their
102 | # username, using the OTP to do a lookup on the username.
103 | YUBIKEY_IDENTIFICATION = False
104 | 
105 | # When set to True, allow users to register accounts via the client API.
106 | ENABLE_USER_REGISTRATION = False
107 | 
108 | # When set to True, allow users to delete their own accounts via the client
109 | # API.
110 | ALLOW_USER_DELETE = False
111 | 
112 | # Beaker configuration, which is used for session management.
113 | BEAKER = {
114 |     'session.lock_dir': '/tmp/cache/lock',
115 |     'session.type': 'ext:database',
116 |     'session.auto': True,
117 |     'session.key': 'YubiAuth-Session',
118 |     'session.secret': 'LGnYUI5ZeSQ5ooGykySO9vMHKKyGwoC1',
119 | }
120 | 
121 | LDAP_YUBIKEY_ATTRIBUTE = ''
122 | 


--------------------------------------------------------------------------------
/yubiauth/server.py:
--------------------------------------------------------------------------------
 1 | #
 2 | # Copyright (c) 2013 Yubico AB
 3 | # All rights reserved.
 4 | #
 5 | #   Redistribution and use in source and binary forms, with or
 6 | #   without modification, are permitted provided that the following
 7 | #   conditions are met:
 8 | #
 9 | #    1. Redistributions of source code must retain the above copyright
10 | #       notice, this list of conditions and the following disclaimer.
11 | #    2. Redistributions in binary form must reproduce the above
12 | #       copyright notice, this list of conditions and the following
13 | #       disclaimer in the documentation and/or other materials provided
14 | #       with the distribution.
15 | #
16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 | # POSSIBILITY OF SUCH DAMAGE.
28 | #
29 | 
30 | import os
31 | from wsgiref.simple_server import make_server
32 | from webob import exc
33 | from webob.dec import wsgify
34 | import logging
35 | 
36 | from yubiauth.core.rest import application as core_rest
37 | from yubiauth.client.rest import application as client_rest
38 | from yubiauth.client.web import application as client_web
39 | from yubiauth.util.static import DirectoryApp, FileApp
40 | 
41 | STATIC_ASSETS = ['js', 'css', 'img', 'favicon.ico']
42 | 
43 | 
44 | class YubiAuthAPI(object):
45 |     def __init__(self):
46 |         base_dir = os.path.dirname(__file__)
47 |         static_dir = os.path.join(base_dir, 'static')
48 |         static_app = DirectoryApp(static_dir)
49 |         favicon_app = FileApp(os.path.join(static_dir, 'favicon.ico'))
50 | 
51 |         self._apps = {
52 |             'core': core_rest,
53 |             'client': client_rest,
54 |             'ui': client_web,
55 |             'static': static_app,
56 |             'favicon.ico': favicon_app
57 |         }
58 | 
59 |     @wsgify
60 |     def __call__(self, request):
61 |         base_path = request.environ.get('BASE_PATH', '/')
62 |         if not request.script_name and request.path_info.startswith(base_path):
63 |             request.script_name = base_path
64 |             request.path_info = request.path_info[len(base_path):]
65 | 
66 |         app_key = request.path_info_pop()
67 |         if app_key in self._apps:
68 |             return request.get_response(self._apps[app_key])
69 | 
70 |         raise exc.HTTPNotFound
71 | 
72 | 
73 | application = YubiAuthAPI()
74 | 
75 | if __name__ == '__main__':
76 |     logging.basicConfig(level=logging.DEBUG)
77 | 
78 |     httpd = make_server('localhost', 8080, application)
79 |     httpd.serve_forever()
80 | 


--------------------------------------------------------------------------------
/yubiauth/static/apple-touch-icon-114x114-precomposed.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Yubico/yubiauth/c52ea78280f15d562d3dfb999b303efd2f7d79ea/yubiauth/static/apple-touch-icon-114x114-precomposed.png


--------------------------------------------------------------------------------
/yubiauth/static/apple-touch-icon-144x144-precomposed.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Yubico/yubiauth/c52ea78280f15d562d3dfb999b303efd2f7d79ea/yubiauth/static/apple-touch-icon-144x144-precomposed.png


--------------------------------------------------------------------------------
/yubiauth/static/apple-touch-icon-57x57-precomposed.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Yubico/yubiauth/c52ea78280f15d562d3dfb999b303efd2f7d79ea/yubiauth/static/apple-touch-icon-57x57-precomposed.png


--------------------------------------------------------------------------------
/yubiauth/static/apple-touch-icon-72x72-precomposed.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Yubico/yubiauth/c52ea78280f15d562d3dfb999b303efd2f7d79ea/yubiauth/static/apple-touch-icon-72x72-precomposed.png


--------------------------------------------------------------------------------
/yubiauth/static/apple-touch-icon-precomposed.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Yubico/yubiauth/c52ea78280f15d562d3dfb999b303efd2f7d79ea/yubiauth/static/apple-touch-icon-precomposed.png


--------------------------------------------------------------------------------
/yubiauth/static/apple-touch-icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Yubico/yubiauth/c52ea78280f15d562d3dfb999b303efd2f7d79ea/yubiauth/static/apple-touch-icon.png


--------------------------------------------------------------------------------
/yubiauth/static/css/bootstrap-responsive.min.css:
--------------------------------------------------------------------------------
 1 | /*!
 2 |  * Bootstrap Responsive v2.3.0
 3 |  *
 4 |  * Copyright 2012 Twitter, Inc
 5 |  * Licensed under the Apache License v2.0
 6 |  * http://www.apache.org/licenses/LICENSE-2.0
 7 |  *
 8 |  * Designed and built with all the love in the world @twitter by @mdo and @fat.
 9 |  */.clearfix{*zoom:1}.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}.hide-text{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.input-block-level{display:block;width:100%;min-height:30px;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}@-ms-viewport{width:device-width}.hidden{display:none;visibility:hidden}.visible-phone{display:none!important}.visible-tablet{display:none!important}.hidden-desktop{display:none!important}.visible-desktop{display:inherit!important}@media(min-width:768px) and (max-width:979px){.hidden-desktop{display:inherit!important}.visible-desktop{display:none!important}.visible-tablet{display:inherit!important}.hidden-tablet{display:none!important}}@media(max-width:767px){.hidden-desktop{display:inherit!important}.visible-desktop{display:none!important}.visible-phone{display:inherit!important}.hidden-phone{display:none!important}}.visible-print{display:none!important}@media print{.visible-print{display:inherit!important}.hidden-print{display:none!important}}@media(min-width:1200px){.row{margin-left:-30px;*zoom:1}.row:before,.row:after{display:table;line-height:0;content:""}.row:after{clear:both}[class*="span"]{float:left;min-height:1px;margin-left:30px}.container,.navbar-static-top .container,.navbar-fixed-top .container,.navbar-fixed-bottom .container{width:1170px}.span12{width:1170px}.span11{width:1070px}.span10{width:970px}.span9{width:870px}.span8{width:770px}.span7{width:670px}.span6{width:570px}.span5{width:470px}.span4{width:370px}.span3{width:270px}.span2{width:170px}.span1{width:70px}.offset12{margin-left:1230px}.offset11{margin-left:1130px}.offset10{margin-left:1030px}.offset9{margin-left:930px}.offset8{margin-left:830px}.offset7{margin-left:730px}.offset6{margin-left:630px}.offset5{margin-left:530px}.offset4{margin-left:430px}.offset3{margin-left:330px}.offset2{margin-left:230px}.offset1{margin-left:130px}.row-fluid{width:100%;*zoom:1}.row-fluid:before,.row-fluid:after{display:table;line-height:0;content:""}.row-fluid:after{clear:both}.row-fluid [class*="span"]{display:block;float:left;width:100%;min-height:30px;margin-left:2.564102564102564%;*margin-left:2.5109110747408616%;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.row-fluid [class*="span"]:first-child{margin-left:0}.row-fluid .controls-row [class*="span"]+[class*="span"]{margin-left:2.564102564102564%}.row-fluid .span12{width:100%;*width:99.94680851063829%}.row-fluid .span11{width:91.45299145299145%;*width:91.39979996362975%}.row-fluid .span10{width:82.90598290598291%;*width:82.8527914166212%}.row-fluid .span9{width:74.35897435897436%;*width:74.30578286961266%}.row-fluid .span8{width:65.81196581196582%;*width:65.75877432260411%}.row-fluid .span7{width:57.26495726495726%;*width:57.21176577559556%}.row-fluid .span6{width:48.717948717948715%;*width:48.664757228587014%}.row-fluid .span5{width:40.17094017094017%;*width:40.11774868157847%}.row-fluid .span4{width:31.623931623931625%;*width:31.570740134569924%}.row-fluid .span3{width:23.076923076923077%;*width:23.023731587561375%}.row-fluid .span2{width:14.52991452991453%;*width:14.476723040552828%}.row-fluid .span1{width:5.982905982905983%;*width:5.929714493544281%}.row-fluid .offset12{margin-left:105.12820512820512%;*margin-left:105.02182214948171%}.row-fluid .offset12:first-child{margin-left:102.56410256410257%;*margin-left:102.45771958537915%}.row-fluid .offset11{margin-left:96.58119658119658%;*margin-left:96.47481360247316%}.row-fluid .offset11:first-child{margin-left:94.01709401709402%;*margin-left:93.91071103837061%}.row-fluid .offset10{margin-left:88.03418803418803%;*margin-left:87.92780505546462%}.row-fluid .offset10:first-child{margin-left:85.47008547008548%;*margin-left:85.36370249136206%}.row-fluid .offset9{margin-left:79.48717948717949%;*margin-left:79.38079650845607%}.row-fluid .offset9:first-child{margin-left:76.92307692307693%;*margin-left:76.81669394435352%}.row-fluid .offset8{margin-left:70.94017094017094%;*margin-left:70.83378796144753%}.row-fluid .offset8:first-child{margin-left:68.37606837606839%;*margin-left:68.26968539734497%}.row-fluid .offset7{margin-left:62.393162393162385%;*margin-left:62.28677941443899%}.row-fluid .offset7:first-child{margin-left:59.82905982905982%;*margin-left:59.72267685033642%}.row-fluid .offset6{margin-left:53.84615384615384%;*margin-left:53.739770867430444%}.row-fluid .offset6:first-child{margin-left:51.28205128205128%;*margin-left:51.175668303327875%}.row-fluid .offset5{margin-left:45.299145299145295%;*margin-left:45.1927623204219%}.row-fluid .offset5:first-child{margin-left:42.73504273504273%;*margin-left:42.62865975631933%}.row-fluid .offset4{margin-left:36.75213675213675%;*margin-left:36.645753773413354%}.row-fluid .offset4:first-child{margin-left:34.18803418803419%;*margin-left:34.081651209310785%}.row-fluid .offset3{margin-left:28.205128205128204%;*margin-left:28.0987452264048%}.row-fluid .offset3:first-child{margin-left:25.641025641025642%;*margin-left:25.53464266230224%}.row-fluid .offset2{margin-left:19.65811965811966%;*margin-left:19.551736679396257%}.row-fluid .offset2:first-child{margin-left:17.094017094017094%;*margin-left:16.98763411529369%}.row-fluid .offset1{margin-left:11.11111111111111%;*margin-left:11.004728132387708%}.row-fluid .offset1:first-child{margin-left:8.547008547008547%;*margin-left:8.440625568285142%}input,textarea,.uneditable-input{margin-left:0}.controls-row [class*="span"]+[class*="span"]{margin-left:30px}input.span12,textarea.span12,.uneditable-input.span12{width:1156px}input.span11,textarea.span11,.uneditable-input.span11{width:1056px}input.span10,textarea.span10,.uneditable-input.span10{width:956px}input.span9,textarea.span9,.uneditable-input.span9{width:856px}input.span8,textarea.span8,.uneditable-input.span8{width:756px}input.span7,textarea.span7,.uneditable-input.span7{width:656px}input.span6,textarea.span6,.uneditable-input.span6{width:556px}input.span5,textarea.span5,.uneditable-input.span5{width:456px}input.span4,textarea.span4,.uneditable-input.span4{width:356px}input.span3,textarea.span3,.uneditable-input.span3{width:256px}input.span2,textarea.span2,.uneditable-input.span2{width:156px}input.span1,textarea.span1,.uneditable-input.span1{width:56px}.thumbnails{margin-left:-30px}.thumbnails>li{margin-left:30px}.row-fluid .thumbnails{margin-left:0}}@media(min-width:768px) and (max-width:979px){.row{margin-left:-20px;*zoom:1}.row:before,.row:after{display:table;line-height:0;content:""}.row:after{clear:both}[class*="span"]{float:left;min-height:1px;margin-left:20px}.container,.navbar-static-top .container,.navbar-fixed-top .container,.navbar-fixed-bottom .container{width:724px}.span12{width:724px}.span11{width:662px}.span10{width:600px}.span9{width:538px}.span8{width:476px}.span7{width:414px}.span6{width:352px}.span5{width:290px}.span4{width:228px}.span3{width:166px}.span2{width:104px}.span1{width:42px}.offset12{margin-left:764px}.offset11{margin-left:702px}.offset10{margin-left:640px}.offset9{margin-left:578px}.offset8{margin-left:516px}.offset7{margin-left:454px}.offset6{margin-left:392px}.offset5{margin-left:330px}.offset4{margin-left:268px}.offset3{margin-left:206px}.offset2{margin-left:144px}.offset1{margin-left:82px}.row-fluid{width:100%;*zoom:1}.row-fluid:before,.row-fluid:after{display:table;line-height:0;content:""}.row-fluid:after{clear:both}.row-fluid [class*="span"]{display:block;float:left;width:100%;min-height:30px;margin-left:2.7624309392265194%;*margin-left:2.709239449864817%;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.row-fluid [class*="span"]:first-child{margin-left:0}.row-fluid .controls-row [class*="span"]+[class*="span"]{margin-left:2.7624309392265194%}.row-fluid .span12{width:100%;*width:99.94680851063829%}.row-fluid .span11{width:91.43646408839778%;*width:91.38327259903608%}.row-fluid .span10{width:82.87292817679558%;*width:82.81973668743387%}.row-fluid .span9{width:74.30939226519337%;*width:74.25620077583166%}.row-fluid .span8{width:65.74585635359117%;*width:65.69266486422946%}.row-fluid .span7{width:57.18232044198895%;*width:57.12912895262725%}.row-fluid .span6{width:48.61878453038674%;*width:48.56559304102504%}.row-fluid .span5{width:40.05524861878453%;*width:40.00205712942283%}.row-fluid .span4{width:31.491712707182323%;*width:31.43852121782062%}.row-fluid .span3{width:22.92817679558011%;*width:22.87498530621841%}.row-fluid .span2{width:14.3646408839779%;*width:14.311449394616199%}.row-fluid .span1{width:5.801104972375691%;*width:5.747913483013988%}.row-fluid .offset12{margin-left:105.52486187845304%;*margin-left:105.41847889972962%}.row-fluid .offset12:first-child{margin-left:102.76243093922652%;*margin-left:102.6560479605031%}.row-fluid .offset11{margin-left:96.96132596685082%;*margin-left:96.8549429881274%}.row-fluid .offset11:first-child{margin-left:94.1988950276243%;*margin-left:94.09251204890089%}.row-fluid .offset10{margin-left:88.39779005524862%;*margin-left:88.2914070765252%}.row-fluid .offset10:first-child{margin-left:85.6353591160221%;*margin-left:85.52897613729868%}.row-fluid .offset9{margin-left:79.8342541436464%;*margin-left:79.72787116492299%}.row-fluid .offset9:first-child{margin-left:77.07182320441989%;*margin-left:76.96544022569647%}.row-fluid .offset8{margin-left:71.2707182320442%;*margin-left:71.16433525332079%}.row-fluid .offset8:first-child{margin-left:68.50828729281768%;*margin-left:68.40190431409427%}.row-fluid .offset7{margin-left:62.70718232044199%;*margin-left:62.600799341718584%}.row-fluid .offset7:first-child{margin-left:59.94475138121547%;*margin-left:59.838368402492065%}.row-fluid .offset6{margin-left:54.14364640883978%;*margin-left:54.037263430116376%}.row-fluid .offset6:first-child{margin-left:51.38121546961326%;*margin-left:51.27483249088986%}.row-fluid .offset5{margin-left:45.58011049723757%;*margin-left:45.47372751851417%}.row-fluid .offset5:first-child{margin-left:42.81767955801105%;*margin-left:42.71129657928765%}.row-fluid .offset4{margin-left:37.01657458563536%;*margin-left:36.91019160691196%}.row-fluid .offset4:first-child{margin-left:34.25414364640884%;*margin-left:34.14776066768544%}.row-fluid .offset3{margin-left:28.45303867403315%;*margin-left:28.346655695309746%}.row-fluid .offset3:first-child{margin-left:25.69060773480663%;*margin-left:25.584224756083227%}.row-fluid .offset2{margin-left:19.88950276243094%;*margin-left:19.783119783707537%}.row-fluid .offset2:first-child{margin-left:17.12707182320442%;*margin-left:17.02068884448102%}.row-fluid .offset1{margin-left:11.32596685082873%;*margin-left:11.219583872105325%}.row-fluid .offset1:first-child{margin-left:8.56353591160221%;*margin-left:8.457152932878806%}input,textarea,.uneditable-input{margin-left:0}.controls-row [class*="span"]+[class*="span"]{margin-left:20px}input.span12,textarea.span12,.uneditable-input.span12{width:710px}input.span11,textarea.span11,.uneditable-input.span11{width:648px}input.span10,textarea.span10,.uneditable-input.span10{width:586px}input.span9,textarea.span9,.uneditable-input.span9{width:524px}input.span8,textarea.span8,.uneditable-input.span8{width:462px}input.span7,textarea.span7,.uneditable-input.span7{width:400px}input.span6,textarea.span6,.uneditable-input.span6{width:338px}input.span5,textarea.span5,.uneditable-input.span5{width:276px}input.span4,textarea.span4,.uneditable-input.span4{width:214px}input.span3,textarea.span3,.uneditable-input.span3{width:152px}input.span2,textarea.span2,.uneditable-input.span2{width:90px}input.span1,textarea.span1,.uneditable-input.span1{width:28px}}@media(max-width:767px){body{padding-right:20px;padding-left:20px}.navbar-fixed-top,.navbar-fixed-bottom,.navbar-static-top{margin-right:-20px;margin-left:-20px}.container-fluid{padding:0}.dl-horizontal dt{float:none;width:auto;clear:none;text-align:left}.dl-horizontal dd{margin-left:0}.container{width:auto}.row-fluid{width:100%}.row,.thumbnails{margin-left:0}.thumbnails>li{float:none;margin-left:0}[class*="span"],.uneditable-input[class*="span"],.row-fluid [class*="span"]{display:block;float:none;width:100%;margin-left:0;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.span12,.row-fluid .span12{width:100%;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.row-fluid [class*="offset"]:first-child{margin-left:0}.input-large,.input-xlarge,.input-xxlarge,input[class*="span"],select[class*="span"],textarea[class*="span"],.uneditable-input{display:block;width:100%;min-height:30px;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.input-prepend input,.input-append input,.input-prepend input[class*="span"],.input-append input[class*="span"]{display:inline-block;width:auto}.controls-row [class*="span"]+[class*="span"]{margin-left:0}.modal{position:fixed;top:20px;right:20px;left:20px;width:auto;margin:0}.modal.fade{top:-100px}.modal.fade.in{top:20px}}@media(max-width:480px){.nav-collapse{-webkit-transform:translate3d(0,0,0)}.page-header h1 small{display:block;line-height:20px}input[type="checkbox"],input[type="radio"]{border:1px solid #ccc}.form-horizontal .control-label{float:none;width:auto;padding-top:0;text-align:left}.form-horizontal .controls{margin-left:0}.form-horizontal .control-list{padding-top:0}.form-horizontal .form-actions{padding-right:10px;padding-left:10px}.media .pull-left,.media .pull-right{display:block;float:none;margin-bottom:10px}.media-object{margin-right:0;margin-left:0}.modal{top:10px;right:10px;left:10px}.modal-header .close{padding:10px;margin:-10px}.carousel-caption{position:static}}@media(max-width:979px){body{padding-top:0}.navbar-fixed-top,.navbar-fixed-bottom{position:static}.navbar-fixed-top{margin-bottom:20px}.navbar-fixed-bottom{margin-top:20px}.navbar-fixed-top .navbar-inner,.navbar-fixed-bottom .navbar-inner{padding:5px}.navbar .container{width:auto;padding:0}.navbar .brand{padding-right:10px;padding-left:10px;margin:0 0 0 -5px}.nav-collapse{clear:both}.nav-collapse .nav{float:none;margin:0 0 10px}.nav-collapse .nav>li{float:none}.nav-collapse .nav>li>a{margin-bottom:2px}.nav-collapse .nav>.divider-vertical{display:none}.nav-collapse .nav .nav-header{color:#777;text-shadow:none}.nav-collapse .nav>li>a,.nav-collapse .dropdown-menu a{padding:9px 15px;font-weight:bold;color:#777;-webkit-border-radius:3px;-moz-border-radius:3px;border-radius:3px}.nav-collapse .btn{padding:4px 10px 4px;font-weight:normal;-webkit-border-radius:4px;-moz-border-radius:4px;border-radius:4px}.nav-collapse .dropdown-menu li+li a{margin-bottom:2px}.nav-collapse .nav>li>a:hover,.nav-collapse .nav>li>a:focus,.nav-collapse .dropdown-menu a:hover,.nav-collapse .dropdown-menu a:focus{background-color:#f2f2f2}.navbar-inverse .nav-collapse .nav>li>a,.navbar-inverse .nav-collapse .dropdown-menu a{color:#999}.navbar-inverse .nav-collapse .nav>li>a:hover,.navbar-inverse .nav-collapse .nav>li>a:focus,.navbar-inverse .nav-collapse .dropdown-menu a:hover,.navbar-inverse .nav-collapse .dropdown-menu a:focus{background-color:#111}.nav-collapse.in .btn-group{padding:0;margin-top:5px}.nav-collapse .dropdown-menu{position:static;top:auto;left:auto;display:none;float:none;max-width:none;padding:0;margin:0 15px;background-color:transparent;border:0;-webkit-border-radius:0;-moz-border-radius:0;border-radius:0;-webkit-box-shadow:none;-moz-box-shadow:none;box-shadow:none}.nav-collapse .open>.dropdown-menu{display:block}.nav-collapse .dropdown-menu:before,.nav-collapse .dropdown-menu:after{display:none}.nav-collapse .dropdown-menu .divider{display:none}.nav-collapse .nav>li>.dropdown-menu:before,.nav-collapse .nav>li>.dropdown-menu:after{display:none}.nav-collapse .navbar-form,.nav-collapse .navbar-search{float:none;padding:10px 15px;margin:10px 0;border-top:1px solid #f2f2f2;border-bottom:1px solid #f2f2f2;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);-moz-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1)}.navbar-inverse .nav-collapse .navbar-form,.navbar-inverse .nav-collapse .navbar-search{border-top-color:#111;border-bottom-color:#111}.navbar .nav-collapse .nav.pull-right{float:none;margin-left:0}.nav-collapse,.nav-collapse.collapse{height:0;overflow:hidden}.navbar .btn-navbar{display:block}.navbar-static .navbar-inner{padding-right:10px;padding-left:10px}}@media(min-width:980px){.nav-collapse.collapse{height:auto!important;overflow:visible!important}}
10 | 


--------------------------------------------------------------------------------
/yubiauth/static/css/main.css:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | /* ==========================================================================
 4 |    Author's custom styles
 5 |    ========================================================================== */
 6 | 
 7 | 
 8 | 
 9 | 
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 
16 | 
17 | 
18 | 
19 | 
20 | 
21 | 
22 | 
23 | 


--------------------------------------------------------------------------------
/yubiauth/static/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Yubico/yubiauth/c52ea78280f15d562d3dfb999b303efd2f7d79ea/yubiauth/static/favicon.ico


--------------------------------------------------------------------------------
/yubiauth/static/img/glyphicons-halflings-white.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Yubico/yubiauth/c52ea78280f15d562d3dfb999b303efd2f7d79ea/yubiauth/static/img/glyphicons-halflings-white.png


--------------------------------------------------------------------------------
/yubiauth/static/img/glyphicons-halflings.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Yubico/yubiauth/c52ea78280f15d562d3dfb999b303efd2f7d79ea/yubiauth/static/img/glyphicons-halflings.png


--------------------------------------------------------------------------------
/yubiauth/static/js/main.js:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/yubiauth/util/__init__.py:
--------------------------------------------------------------------------------
 1 | #
 2 | # Copyright (c) 2013 Yubico AB
 3 | # All rights reserved.
 4 | #
 5 | #   Redistribution and use in source and binary forms, with or
 6 | #   without modification, are permitted provided that the following
 7 | #   conditions are met:
 8 | #
 9 | #    1. Redistributions of source code must retain the above copyright
10 | #       notice, this list of conditions and the following disclaimer.
11 | #    2. Redistributions in binary form must reproduce the above
12 | #       copyright notice, this list of conditions and the following
13 | #       disclaimer in the documentation and/or other materials provided
14 | #       with the distribution.
15 | #
16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 | # POSSIBILITY OF SUCH DAMAGE.
28 | #
29 | 
30 | __all__ = [
31 |     'model',
32 |     'controller',
33 |     'rest',
34 |     'MODHEX',
35 |     'validate_otp'
36 | ]
37 | 
38 | from yubiauth.util.utils import MODHEX, validate_otp
39 | 


--------------------------------------------------------------------------------
/yubiauth/util/controller.py:
--------------------------------------------------------------------------------
 1 | #
 2 | # Copyright (c) 2013 Yubico AB
 3 | # All rights reserved.
 4 | #
 5 | #   Redistribution and use in source and binary forms, with or
 6 | #   without modification, are permitted provided that the following
 7 | #   conditions are met:
 8 | #
 9 | #    1. Redistributions of source code must retain the above copyright
10 | #       notice, this list of conditions and the following disclaimer.
11 | #    2. Redistributions in binary form must reproduce the above
12 | #       copyright notice, this list of conditions and the following
13 | #       disclaimer in the documentation and/or other materials provided
14 | #       with the distribution.
15 | #
16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 | # POSSIBILITY OF SUCH DAMAGE.
28 | #
29 | 
30 | __all__ = [
31 |     'Controller'
32 | ]
33 | 
34 | from sqlalchemy.exc import IntegrityError, InvalidRequestError
35 | 
36 | 
37 | class Controller(object):
38 |     """
39 |     Base class for creating Controllers that deal with models.
40 |     """
41 |     def __init__(self, session):
42 |         self.session = session
43 | 
44 |     def __del__(self):
45 |         self.session.close()
46 | 
47 |     def __enter__(self):
48 |         return self
49 | 
50 |     def __exit__(self, type, value, traceback):
51 |         if not isinstance(value, Exception):
52 |             self.commit()
53 |         self.session.close()
54 | 
55 |     def commit(self):
56 |         """
57 |         Commits any unchanged modifications to the database.
58 | 
59 |         @return: True if successful, False on error
60 |         @rtype: bool
61 |         """
62 |         try:
63 |             self.session.commit()
64 |             return True
65 |         except IntegrityError, InvalidRequestError:
66 |             self.session.rollback()
67 |             return False
68 | 


--------------------------------------------------------------------------------
/yubiauth/util/model.py:
--------------------------------------------------------------------------------
 1 | #
 2 | # Copyright (c) 2013 Yubico AB
 3 | # All rights reserved.
 4 | #
 5 | #   Redistribution and use in source and binary forms, with or
 6 | #   without modification, are permitted provided that the following
 7 | #   conditions are met:
 8 | #
 9 | #    1. Redistributions of source code must retain the above copyright
10 | #       notice, this list of conditions and the following disclaimer.
11 | #    2. Redistributions in binary form must reproduce the above
12 | #       copyright notice, this list of conditions and the following
13 | #       disclaimer in the documentation and/or other materials provided
14 | #       with the distribution.
15 | #
16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 | # POSSIBILITY OF SUCH DAMAGE.
28 | #
29 | 
30 | __all__ = [
31 |     'engine',
32 |     'Session',
33 |     'Deletable'
34 | ]
35 | 
36 | from yubiauth.config import settings
37 | 
38 | from sqlalchemy import create_engine
39 | from sqlalchemy.orm import sessionmaker
40 | 
41 | 
42 | engine = create_engine(settings['db'], echo=False, pool_recycle=3600)
43 | Session = sessionmaker(bind=engine)
44 | 
45 | 
46 | class Deletable(object):
47 |     """
48 |     Mixin for model objects which should have a delete method.
49 |     """
50 | 
51 |     def delete(self):
52 |         self._deleted = True
53 |         session = Session.object_session(self)
54 |         if not session:
55 |             pass
56 |         elif self in session.new:
57 |             session.expunge(self)
58 |         else:
59 |             session.delete(self)
60 | 
61 |     @property
62 |     def is_deleted(self):
63 |         return hasattr(self, '_deleted')
64 | 


--------------------------------------------------------------------------------
/yubiauth/util/rest.py:
--------------------------------------------------------------------------------
  1 | # Copyright (c) 2013 Yubico AB
  2 | # All rights reserved.
  3 | #
  4 | #   Redistribution and use in source and binary forms, with or
  5 | #   without modification, are permitted provided that the following
  6 | #   conditions are met:
  7 | #
  8 | #    1. Redistributions of source code must retain the above copyright
  9 | #       notice, this list of conditions and the following disclaimer.
 10 | #    2. Redistributions in binary form must reproduce the above
 11 | #       copyright notice, this list of conditions and the following
 12 | #       disclaimer in the documentation and/or other materials provided
 13 | #       with the distribution.
 14 | #
 15 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 16 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 17 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 18 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 19 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 20 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 21 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 22 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 23 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 24 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 25 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 26 | # POSSIBILITY OF SUCH DAMAGE.
 27 | #
 28 | 
 29 | __all__ = [
 30 |     'Route',
 31 |     'REST_API',
 32 |     'json_response',
 33 |     'json_error',
 34 |     'extract_params'
 35 | ]
 36 | 
 37 | from webob import exc, Response, Request
 38 | from webob.dec import wsgify
 39 | 
 40 | import json
 41 | import re
 42 | 
 43 | 
 44 | def no_content():
 45 |     return exc.HTTPNoContent()
 46 |     #return Response(status=204, content_type=None)
 47 | 
 48 | 
 49 | def json_response(data, **kwargs):
 50 |     return Response(json.dumps(data), content_type='application/json',
 51 |                     **kwargs)
 52 | 
 53 | 
 54 | def json_error(message, **kwargs):
 55 |     if not 'status' in kwargs:
 56 |         kwargs['status'] = 400
 57 |     return json_response({'error': message}, **kwargs)
 58 | 
 59 | 
 60 | class extract_params(object):
 61 |     """
 62 |     Decorator for extracting request parameters into kwargs.
 63 |     Suffix the parameter with a question mark (?) to make it optional.
 64 |     """
 65 |     def __init__(self, *params):
 66 |         self.params = params
 67 | 
 68 |     def _find_request(self, args):
 69 |             for arg in args:
 70 |                 if type(arg) == Request:
 71 |                     self.request = arg
 72 |                     return True
 73 |             return False
 74 | 
 75 |     def _extract_params(self):
 76 |         self.extracted = {}
 77 |         for param in self.params:
 78 |             if param.endswith('?'):
 79 |                 param = param[:-1]
 80 |             elif not param in self.request.params:
 81 |                 return False
 82 |             if param in self.request.params and not param in self.extracted:
 83 |                 self.extracted[param] = self.request.params[param]
 84 |         return True
 85 | 
 86 |     def __call__(self, func):
 87 |         def inner(*args, **kwargs):
 88 |             if not self._find_request(args):
 89 |                 return json_error('Unable to find request!', status=500)
 90 | 
 91 |             if not self._extract_params():
 92 |                 return json_error('Missing required parameter(s)!')
 93 | 
 94 |             kwargs.update(self.extracted)
 95 |             return func(*args, **kwargs)
 96 |         return inner
 97 | 
 98 | 
 99 | class Route(object):
100 |     def __init__(self, pattern_str, controller=None, **kwargs):
101 |         self.pattern = re.compile(pattern_str)
102 | 
103 |         if controller:
104 |             self.get = controller
105 |             self.post = controller
106 |         if 'get' in kwargs:
107 |             self.get = kwargs['get']
108 |         if 'post' in kwargs:
109 |             self.post = kwargs['post']
110 |         if 'delete' in kwargs:
111 |             self.delete = kwargs['delete']
112 | 
113 |     def get_controller(self, request):
114 |         match = self.pattern.match(request.path_info)
115 | 
116 |         if match:
117 |             try:
118 |                 controller = self.__getattribute__(request.method.lower())
119 |                 return controller, match.groups()
120 |             except AttributeError:
121 |                 return json_error('Method %s not allowed' % request.method,
122 |                                   status=405), None
123 | 
124 |         return None, None
125 | 
126 | 
127 | class REST_API(object):
128 |     __routes__ = []
129 | 
130 |     @wsgify
131 |     def __call__(self, request, *args, **kwargs):
132 |         for route in self.__routes__:
133 |             controller, sub_args = route.get_controller(request)
134 |             if controller:
135 |                 if isinstance(controller, Response):
136 |                     return controller
137 |                 self._call_setup(request)
138 |                 args += sub_args
139 |                 response = None
140 |                 try:
141 |                     controller = self.__getattribute__(controller)
142 |                     response = controller(request, *args, **kwargs)
143 |                 finally:
144 |                     self._call_teardown(request, response)
145 |                 return response
146 | 
147 |         raise exc.HTTPNotFound
148 | 
149 |     def _call_setup(self, request):
150 |         pass
151 | 
152 |     def _call_teardown(self, request, response):
153 |         pass
154 | 


--------------------------------------------------------------------------------
/yubiauth/util/static.py:
--------------------------------------------------------------------------------
  1 | # Copyright (c) 2007 Ian Bicking and Contributors
  2 | #
  3 | # Permission is hereby granted, free of charge, to any person obtaining a copy
  4 | # of this software and associated documentation files (the "Software"), to deal
  5 | # in the Software without restriction, including without limitation the rights
  6 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  7 | # copies of the Software, and to permit persons to whom the Software is
  8 | # furnished to do so, subject to the following conditions:
  9 | #
 10 | # The above copyright notice and this permission notice shall be included in
 11 | # all copies or substantial portions of the Software.
 12 | #
 13 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 14 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 15 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 16 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 17 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 18 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 19 | # SOFTWARE.
 20 | 
 21 | import mimetypes
 22 | import os
 23 | 
 24 | from webob import exc
 25 | from webob.dec import wsgify
 26 | from webob.response import Response
 27 | 
 28 | __all__ = [
 29 |     'FileApp', 'DirectoryApp',
 30 | ]
 31 | 
 32 | mimetypes._winreg = None # do not load mimetypes from windows registry
 33 | mimetypes.add_type('text/javascript', '.js') # stdlib default is application/x-javascript
 34 | mimetypes.add_type('image/x-icon', '.ico') # not among defaults
 35 | 
 36 | 
 37 | class FileApp(object):
 38 |     """An application that will send the file at the given filename.
 39 | 
 40 |     Adds a mime type based on `mimetypes.guess_type()`.
 41 |     """
 42 | 
 43 |     def __init__(self, filename, **kw):
 44 |         self.filename = filename
 45 |         content_type, content_encoding = mimetypes.guess_type(filename)
 46 |         kw.setdefault('content_type', content_type)
 47 |         kw.setdefault('content_encoding', content_encoding)
 48 |         kw.setdefault('accept_ranges', 'bytes')
 49 |         self.kw = kw
 50 | 
 51 |     @wsgify
 52 |     def __call__(self, req):
 53 |         if req.method not in ('GET', 'HEAD'):
 54 |             return exc.HTTPMethodNotAllowed("You cannot %s a file" %
 55 |                                             req.method)
 56 |         try:
 57 |             stat = os.stat(self.filename)
 58 |         except (IOError, OSError) as e:
 59 |             msg = "Can't open %r: %s" % (self.filename, e)
 60 |             return exc.HTTPNotFound(comment=msg)
 61 | 
 62 |         try:
 63 |             file = open(self.filename, 'rb')
 64 |         except (IOError, OSError) as e:
 65 |             msg = "You are not permitted to view this file (%s)" % e
 66 |             return exc.HTTPForbidden(msg)
 67 | 
 68 |         return Response(
 69 |             app_iter = FileIter(file),
 70 |             content_length = stat.st_size,
 71 |             last_modified = stat.st_mtime,
 72 |             #@@ etag
 73 |             **self.kw
 74 |         ).conditional_response_app
 75 | 
 76 | 
 77 | class FileIter(object):
 78 |     def __init__(self, file):
 79 |         self.file = file
 80 | 
 81 |     def app_iter_range(self, seek=None, limit=None, block_size=1<<16):
 82 |         """Iter over the content of the file.
 83 | 
 84 |         You can set the `seek` parameter to read the file starting from a
 85 |         specific position.
 86 | 
 87 |         You can set the `limit` parameter to read the file up to specific
 88 |         position.
 89 | 
 90 |         Finally, you can change the number of bytes read at once by setting the
 91 |         `block_size` parameter.
 92 |         """
 93 | 
 94 |         if seek:
 95 |             self.file.seek(seek)
 96 |             if limit is not None:
 97 |                 limit -= seek
 98 |         try:
 99 |             while True:
100 |                 data = self.file.read(min(block_size, limit)
101 |                                       if limit is not None
102 |                                       else block_size)
103 |                 if not data:
104 |                     return
105 |                 yield data
106 |                 if limit is not None:
107 |                     limit -= len(data)
108 |                     if limit <= 0:
109 |                         return
110 |         finally:
111 |             self.file.close()
112 | 
113 |     __iter__ = app_iter_range
114 | 
115 | 
116 | class DirectoryApp(object):
117 |     """An application that dispatches requests to corresponding `FileApp`s based
118 |     on PATH_INFO.
119 | 
120 |     This app double-checks not to serve any files that are not in a
121 |     subdirectory.  To customize `FileApp` instances creation, override
122 |     `make_fileapp` method.
123 |     """
124 | 
125 |     def __init__(self, path, **kw):
126 |         self.path = os.path.abspath(path)
127 |         if not self.path.endswith(os.path.sep):
128 |             self.path += os.path.sep
129 |         assert os.path.isdir(self.path)
130 |         self.fileapp_kw = kw
131 | 
132 |     def make_fileapp(self, path):
133 |         return FileApp(path, **self.fileapp_kw)
134 | 
135 |     @wsgify
136 |     def __call__(self, req):
137 |         path = os.path.abspath(os.path.join(self.path,
138 |                                             req.path_info.lstrip('/')))
139 |         if not os.path.isfile(path):
140 |             return exc.HTTPNotFound(comment=path)
141 |         elif not path.startswith(self.path):
142 |             return exc.HTTPForbidden()
143 |         else:
144 |             return self.make_fileapp(path)
145 | 


--------------------------------------------------------------------------------
/yubiauth/util/utils.py:
--------------------------------------------------------------------------------
 1 | #
 2 | # Copyright (c) 2013 Yubico AB
 3 | # All rights reserved.
 4 | #
 5 | #   Redistribution and use in source and binary forms, with or
 6 | #   without modification, are permitted provided that the following
 7 | #   conditions are met:
 8 | #
 9 | #    1. Redistributions of source code must retain the above copyright
10 | #       notice, this list of conditions and the following disclaimer.
11 | #    2. Redistributions in binary form must reproduce the above
12 | #       copyright notice, this list of conditions and the following
13 | #       disclaimer in the documentation and/or other materials provided
14 | #       with the distribution.
15 | #
16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 | # POSSIBILITY OF SUCH DAMAGE.
28 | #
29 | 
30 | __all__ = [
31 |     'validate_otp',
32 |     'MODHEX'
33 | ]
34 | 
35 | from yubiauth.config import settings
36 | from yubico_client import Yubico, __version__ as version
37 | from yubico_client import yubico as yubico_constants
38 | 
39 | 
40 | kwargs = {}
41 | 
42 | urls_no_proto = [url[8:] if url.startswith('https://') else
43 |                  url[7:] if url.startswith('http://') else
44 |                  url for url in settings['ykval']]
45 | use_https = all(url.startswith('https://') for url in settings['ykval'])
46 | 
47 | if version < (1, 8, 0):  # No URL passing, except through hack.
48 |     yubico_constants.API_URLS = urls_no_proto
49 | elif version < (1, 9, 0):  # 1.8.0 introduces URL passing, without protocol.
50 |     kwargs['api_urls'] = urls_no_proto
51 | else:  # 1.9.0 or later
52 |     kwargs['api_urls'] = settings['ykval']
53 | 
54 | if version < (1, 9, 0):  # 1.9.0 removes use_https parameter.
55 |     kwargs['use_https'] = use_https
56 | 
57 | 
58 | yubico = Yubico(settings['ykval_id'], settings['ykval_secret'], **kwargs)
59 | 
60 | MODHEX = 'cbdefghijklnrtuv'
61 | 
62 | 
63 | def validate_otp(otp):
64 |     try:
65 |         return yubico.verify(otp)
66 |     except:
67 |         return False
68 | 


--------------------------------------------------------------------------------
/yubiauth/yhsm.py:
--------------------------------------------------------------------------------
  1 | #
  2 | # Copyright (c) 2013 Yubico AB
  3 | # All rights reserved.
  4 | #
  5 | #   Redistribution and use in source and binary forms, with or
  6 | #   without modification, are permitted provided that the following
  7 | #   conditions are met:
  8 | #
  9 | #    1. Redistributions of source code must retain the above copyright
 10 | #       notice, this list of conditions and the following disclaimer.
 11 | #    2. Redistributions in binary form must reproduce the above
 12 | #       copyright notice, this list of conditions and the following
 13 | #       disclaimer in the documentation and/or other materials provided
 14 | #       with the distribution.
 15 | #
 16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 17 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 18 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 19 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 20 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 22 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 23 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 25 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 26 | # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 27 | # POSSIBILITY OF SUCH DAMAGE.
 28 | #
 29 | 
 30 | __all__ = [
 31 |     'yhsm_pbkdf2_sha1',
 32 |     'yhsm_pbkdf2_sha256',
 33 |     'yhsm_pbkdf2_sha512'
 34 | ]
 35 | 
 36 | import os
 37 | from base64 import b64encode, b64decode
 38 | from passlib.utils import (to_hash_str, to_unicode)
 39 | from passlib.hash import pbkdf2_sha1, pbkdf2_sha256, pbkdf2_sha512
 40 | 
 41 | from pyhsm.base import YHSM
 42 | from pyhsm.util import key_handle_to_int
 43 | 
 44 | _UDOLLAR = u'$'
 45 | _UKH = u'kh='
 46 | _UDEFAULT_KH = u'1'
 47 | 
 48 | DEFAULT_DEVICE = 'daemon://localhost:5348'
 49 | 
 50 | hsm = YHSM(device=os.getenv('YHSM_DEVICE', DEFAULT_DEVICE))
 51 | 
 52 | 
 53 | def _yhsm__init__(base, self, key_handle=_UDEFAULT_KH, **kwds):
 54 |     super(base, self).__init__(**kwds)
 55 |     self.key_handle = key_handle
 56 | 
 57 | 
 58 | def _yhsmfrom_string(base, cls, hash):
 59 |     if not hash:
 60 |         raise ValueError('No hash specified')
 61 |     hash = to_unicode(hash, 'ascii', 'hash')
 62 | 
 63 |     if not hash.startswith(cls.ident):
 64 |         raise ValueError('invalid %s hash' % (cls.name))
 65 | 
 66 |     hash = hash[len(cls.ident):]
 67 | 
 68 |     if hash.startswith(_UKH):
 69 |         part, hash = hash.split(_UDOLLAR, 1)
 70 |         key_handle = part[len(_UKH):]
 71 |     else:
 72 |         key_handle = _UDEFAULT_KH
 73 | 
 74 |     inner_config, chk = hash.rsplit('$', 1)
 75 |     inner = base.from_string('%s%s' % (base.ident, inner_config))
 76 | 
 77 |     params = {}
 78 |     for kwd in inner.setting_kwds:
 79 |         try:
 80 |             params[kwd] = inner.__getattribute__(kwd)
 81 |         except AttributeError:
 82 |             pass
 83 |     params['key_handle'] = key_handle
 84 |     params['checksum'] = b64decode(chk.encode('ascii'))
 85 | 
 86 |     return cls(**params)
 87 | 
 88 | 
 89 | def _yhsm_hash_needs_update(base, cls, hash, **opts):
 90 |     key = 'deprecated_key_handles'
 91 |     if key in opts:
 92 |         for kh in opts[key].split(','):
 93 |             if 'kh=%s' % kh in hash:
 94 |                 return True
 95 |     return False
 96 | 
 97 | 
 98 | def _yhsmto_string(base, self):
 99 |     hash = self.ident
100 | 
101 |     inner_str = super(base, self).to_string()
102 |     inner_str = inner_str[len(self.ident):].rsplit('$', 1)[0]
103 | 
104 |     chk = b64encode(self.checksum).decode('ascii')
105 | 
106 |     hash += u'%s%s$%s$%s' % (
107 |         _UKH,
108 |         self.key_handle,
109 |         inner_str,
110 |         chk
111 |     )
112 | 
113 |     return to_hash_str(hash)
114 | 
115 | 
116 | def _yhsmcalc_checksum(base, self, secret):
117 |     base_chk = super(base, self).calc_checksum(secret)
118 |     result = hsm.hmac_sha1(key_handle_to_int(self.key_handle), base_chk)
119 | 
120 |     return result.result.hash_result
121 | 
122 | 
123 | def _make_yhsm_handler(base, base_name):
124 |     name = 'yhsm_%s' % (base_name)
125 |     ident = u'$yhsm-%s$' % (base_name.replace('_', '-'))
126 |     return type(name, (base,), dict(
127 |         name=name,
128 |         ident=ident,
129 |         setting_kwds=('key_handle',) + base.setting_kwds,
130 |         checksum_size=20,
131 |         __init__=lambda *args, **kwargs: _yhsm__init__(base, *args, **kwargs),
132 |         from_string=classmethod(lambda *args, **kwargs: _yhsmfrom_string(
133 |             base, *args, **kwargs)),
134 |         _hash_needs_update=classmethod(lambda *args, **kwargs:
135 |                                        _yhsm_hash_needs_update(
136 |                                            base, *args, **kwargs)),
137 |         to_string=lambda *args, **kwargs: _yhsmto_string(
138 |             base, *args, **kwargs),
139 |         calc_checksum=lambda *args, **kwargs: _yhsmcalc_checksum(base, *args,
140 |                                                                  **kwargs)
141 |     ))
142 | 
143 | 
144 | yhsm_pbkdf2_sha1 = _make_yhsm_handler(pbkdf2_sha1, 'pbkdf2_sha1')
145 | yhsm_pbkdf2_sha256 = _make_yhsm_handler(pbkdf2_sha256, 'pbkdf2_sha256')
146 | yhsm_pbkdf2_sha512 = _make_yhsm_handler(pbkdf2_sha512, 'pbkdf2_sha512')
147 | 


--------------------------------------------------------------------------------