privacyidea / privacyidea
Multi-factor authentication system (2FA, MFA, OTP Server)

Home Page: http://www.privacyidea.org

License: GNU Affero General Public License v3.0

Perl 0.08% Python 80.46% Shell 0.31% Makefile 0.14% Mako 0.01% JavaScript 12.03% HTML 6.49% CSS 0.20% PHP 0.16% Roff 0.12% Procfile 0.01%
2fa authentication ca certificates identityserver idm mfa opensource otp otp-server python two-factor two-factor-authentication

privacyidea's Issues

Create an RPM package for CentOS 7

We should provide an RPM package for CentOS.

This is not that easy, since many dependencies are not even contained in epel for CentOS 6.
...maybe with CentOS 7.

A possibility would be to provide an RPM package with the complete virtualenv setup in /opt.

SQL-Resolver with presets enhancement

The SQL-Resolver create dialog in the web UI could contain presets for certain SQL-based web applications like:

wordpress (done)
tine 2.0 (done)
kolab... The mapping and the table name could be preset.

Use AuthorizedKeysCommand in sshd

sshd_config provides "AuthorizedKeysCommand".

We could provide a controller that returns the necessary authorized keys, and we could enhance the command line client to fetch these. Then the AuthorizedKeysCommand could be configured to fetch the SSH authorized keys online from privacyIDEA.

  1. Create the controller-method and
  2. create the CLI

nginx config

Provide an nginx config and/or a file
/etc/default/privacyidea, which may contain information about which user runs privacyidea.

In the case of nginx, we might run uwsgi as user "privacyidea". But nginx (running as www-data) also needs to access the uwsgi socket...

wizard to setup the first realm.

All howtos show that setting up the first realm and enrolling the first token is a bit complicated! ;-)

  • we could have a wizard
  • we could preconfigure the local users
  • we could have a meta package that configures the local users, if no other realm is defined

passwdresolver: wrong error message

If you create a passwdresolver with a filename that does not exist and then add this resolver to a realm, you get an error message about a missing module.
This is VERY misleading! :-)

You should get the error message, that the file does not exist...

support daplug dongle

We need to be able to validate OTP values from the daplug dongle, that look like this:

efekeiebekeh

b -> 0
c -> 1
d -> 2
e -> 3
f -> 4
g -> 5
h -> 6
i -> 7
j -> 8
k -> 9

Maybe it is easier to inherit a daplug type from hmac.

A 6-digit OTP value will produce a 12-character string.
An 8-digit OTP value will produce a 16-character string.
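An added example (not privacyIDEA's code) of how a "daplug" type inheriting from the HMAC token could do the check. It assumes that the dongle types each ASCII digit as its two hex nibbles in the b..k alphabet above, high nibble first; that reading is an assumption, but it reproduces the sample (efekeiebekeh decodes to 497096) and explains why 6 digits become 12 letters. The HOTP routine is a plain RFC 4226 implementation, and the key in the usage comments is the RFC 4226 test vector key, not a real token secret.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Letter-to-nibble table from the issue: b -> 0 ... k -> 9.
DAPLUG_ALPHABET = "bcdefghijk"
DIGITS = "0123456789"


def daplug_decode(typed: str) -> str:
    """Turn a dongle string into the numeric OTP.

    Assumption (fits the sample 'efekeiebekeh' -> '497096'): each ASCII digit is
    emitted as two letters, high nibble first ('4' is 0x34 -> 'e','f'), so a
    6-digit OTP arrives as 12 letters and an 8-digit OTP as 16.
    """
    if not typed or len(typed) % 2:
        raise ValueError("daplug string must have an even, non-zero length")
    out = []
    for hi, lo in zip(typed[0::2], typed[1::2]):
        if hi not in DAPLUG_ALPHABET or lo not in DAPLUG_ALPHABET:
            raise ValueError(f"character outside b..k in {typed!r}")
        ch = chr(16 * DAPLUG_ALPHABET.index(hi) + DAPLUG_ALPHABET.index(lo))
        if ch not in DIGITS:
            raise ValueError("decoded byte is not an ASCII digit")
        out.append(ch)
    return "".join(out)


def daplug_encode(otp: str) -> str:
    """Inverse of daplug_decode; useful for tests and enrolment dry runs."""
    if not otp or any(c not in DIGITS for c in otp):
        raise ValueError("otp must consist of decimal digits")
    return "".join(DAPLUG_ALPHABET[ord(c) >> 4] + DAPLUG_ALPHABET[ord(c) & 0x0F]
                   for c in otp)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_daplug_otp(key: bytes, typed: str, counter: int,
                     window: int = 10) -> Optional[int]:
    """Validate a typed dongle string against the token's HOTP counter.

    Returns the new counter (one past the matching value) on success, None on
    failure. The caller must persist the returned counter so the same OTP
    cannot be replayed.
    """
    try:
        otp = daplug_decode(typed)
    except ValueError:
        return None
    if len(otp) not in (6, 8):
        return None
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(key, c, len(otp)), otp):
            return c + 1
    return None


if __name__ == "__main__":
    key = b"12345678901234567890"          # RFC 4226 test vector key (not a real secret)
    print(daplug_decode("efekeiebekeh"))   # 497096
    print(check_daplug_otp(key, daplug_encode(hotp(key, 3)), 0))   # 4
```

The decoder rejects odd lengths, letters outside b..k and byte values that are not ASCII digits before any HMAC is computed, so a malformed string costs nothing and never reaches the counter window; the window search returns the counter to store, which is what prevents replay of an already-used value.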

Fix pylons version conflict

Tests are not running with pylons 1.0.1.
Maybe this can be fixed by reworking middleware.py and environment.py.

...or by migrating the framework to pyramid.

Purpose of check_session in BaseController method

Hello,

during evaluation of calling the /selfservice/... routes in a somewhat RESTful way (i. e. outside of the regular web UI), I noticed that before_identity_check in BaseController performs a "double" identity check:

  1. by reading request.environ.get('repoze.who.identity')
  2. by calling check_session in privacyidea/lib/util

The second one explicitly checks for the presence of a cookie, a session param and their equality. Since I'd like to avoid using a session mechanism for calling the routes (e. g. by using HTTP Basic Auth), I am wondering about the reason for not relying only on the first check (i. e. the one in the repoze.who stack), especially of course regarding potential security implications.

Thanks in advance for looking into this.

load tokens PSKC

The load tokens functionality needs to be enhanced with PSKC and the loadtokens test in test_admin.py needs to be written.

We could use beautifulsoup:

from BeautifulSoup import BeautifulSoup

x="""<foo>
   <bar>
      <type foobar="1"/>
      <type foobar="2"/>
   </bar>
</foo>"""

y=BeautifulSoup(x)

>>> y.foo.bar.type["foobar"]
u'1'
>>> y.foo.bar.findAll("type")
[<type foobar="1"></type>, <type foobar="2"></type>]
>>> y.foo.bar.findAll("type")[0]["foobar"]
u'1'
>>> y.foo.bar.findAll("type")[1]["foobar"]
u'2'
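An added example (not privacyIDEA's code) of what the PSKC import could look like with the standard library instead of BeautifulSoup: it walks the RFC 6030 KeyContainer, pulls serial, algorithm, secret, OTP length and counter out of each KeyPackage, and refuses keys whose secret is not a PlainValue. The sample container is constructed after the RFC 6030 section 3 example; the token type names "hmac" and "totp" and the returned field names are assumptions about what a loadtokens routine would want.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"
NS = {"pskc": PSKC_NS}

# Assumed mapping from the PSKC algorithm URN to a token type name.
ALGORITHM_TO_TOKENTYPE = {
    PSKC_NS + ":hotp": "hmac",
    PSKC_NS + ":totp": "totp",
}

# Constructed sample, modelled on the RFC 6030 section 3 example (plain-text secret).
SAMPLE_PSKC = b"""<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" Id="exampleID1" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo>
      <Manufacturer>Manufacturer</Manufacturer>
      <SerialNo>987654321</SerialNo>
    </DeviceInfo>
    <Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <Issuer>Issuer</Issuer>
      <AlgorithmParameters>
        <ResponseFormat Length="8" Encoding="DECIMAL"/>
      </AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
"""


def _text(elem: ET.Element, path: str) -> Optional[str]:
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def load_pskc(data: bytes) -> List[Dict]:
    """Parse a PSKC container into a list of token dicts ready for enrolment."""
    root = ET.fromstring(data)
    if root.tag != f"{{{PSKC_NS}}}KeyContainer":
        raise ValueError("not a PSKC KeyContainer")
    tokens = []
    for pkg in root.findall("pskc:KeyPackage", NS):
        key = pkg.find("pskc:Key", NS)
        if key is None:
            continue
        serial = _text(pkg, "pskc:DeviceInfo/pskc:SerialNo") or key.get("Id")
        tokentype = ALGORITHM_TO_TOKENTYPE.get(key.get("Algorithm", ""))
        if tokentype is None:
            raise ValueError(f"key {serial}: unsupported algorithm {key.get('Algorithm')!r}")
        secret_b64 = _text(key, "pskc:Data/pskc:Secret/pskc:PlainValue")
        if secret_b64 is None:
            # EncryptedValue (RFC 6030 section 6) needs the transport key; refuse
            # rather than enrolling a token with an empty or bogus secret.
            raise ValueError(f"key {serial}: no plain secret (encrypted PSKC not handled)")
        try:
            secret = base64.b64decode(secret_b64, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"key {serial}: secret is not valid base64") from exc
        fmt = key.find("pskc:AlgorithmParameters/pskc:ResponseFormat", NS)
        counter = _text(key, "pskc:Data/pskc:Counter/pskc:PlainValue")
        tokens.append({
            "serial": serial,
            "type": tokentype,
            "otpkey": secret.hex(),
            "otplen": int(fmt.get("Length", "6")) if fmt is not None else 6,
            "counter": int(counter) if counter is not None else 0,
        })
    return tokens


if __name__ == "__main__":
    for token in load_pskc(SAMPLE_PSKC):
        print(token["serial"], token["type"], token["otplen"], token["counter"])
```

PSKC files come from a token vendor, i.e. from outside the trust boundary; the stdlib parser does not fetch external entities, but for files of unknown origin a hardened parser such as defusedxml is the safer choice, and a container whose secrets are encrypted must be decrypted with the agreed transport key rather than imported with a missing secret.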

not optimal session timeout

The repoze.who reissue_time is not configured optimally.
The cookie timeout is set to 600sec, the reissue to 540. I.e. if a user works for 8 minutes he works with the old cookie. Then he pauses for 2 minutes and comes back at 601 sec.
The timeout is over and the cookie was not reissued.

We change this to timeout=600 and reissue=timeout/2.

The timeout can be configured via:

privacyIDEASessionTimout

Delete application fails

Deleting Application fails in the WebUI.
Deleting application with the command line client works fine.

This is the error log from the webUI:

2014/08/20 - 15:30:20 ERROR {140522189699008} [privacyidea.controllers.machine][deltoken #455] Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/privacyidea/controllers/machine.py", line 442, in deltoken
res = deltoken(machine_name, serial, application)
File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 95, in wrapper
f_result = func(*args, **kwds)
File "/usr/lib/python2.7/dist-packages/privacyidea/lib/machine.py", line 240, in deltoken
MachineToken.application == application)).delete()
File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/query.py", line 2603, in delete
delete_op.exec_()
File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/persistence.py", line 816, in exec_
self._do_exec()
File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/persistence.py", line 942, in _do_exec
params=self.query._params)
File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 934, in execute
clause, params or {})
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 662, in execute
params)
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 761, in _execute_clauseelement
compiled_sql, distilled_params
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 874, in _execute_context
context)
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1024, in _handle_dbapi_exception
exc_info
File "/usr/lib/python2.7/dist-packages/sqlalchemy/util/compat.py", line 196, in raise_from_cause
reraise(type(exception), exception, tb=exc_tb)
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 867, in _execute_context
context)
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/default.py", line 324, in do_execute
cursor.execute(statement, parameters)
File "/usr/lib/python2.7/dist-packages/MySQLdb/cursors.py", line 174, in execute
self.errorhandler(self, exc, value)
File "/usr/lib/python2.7/dist-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
raise errorclass, errorvalue
IntegrityError: (IntegrityError) (1451, 'Cannot delete or update a parent row: a foreign key constraint fails (privacyidea.MachineTokenOptions, CONSTRAINT MachineTokenOptions_ibfk_1 FOREIGN KEY (machinetoken_id) REFERENCES MachineToken (id))') 'DELETE FROM MachineToken WHERE MachineToken.token_id = %s AND MachineToken.machine_id = %s AND MachineToken.application = %s' (43L, 2L, 'ssh')
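The IntegrityError above is MySQL refusing to delete a MachineToken row while MachineTokenOptions rows still point at it. The following added example (not privacyIDEA's code) reproduces the failure and the two usual fixes with the standard-library sqlite3 module: delete the child rows in the same transaction before the parent, or declare the foreign key ON DELETE CASCADE. Table and column names are taken from the traceback; the option columns mt_key/mt_value and the seed rows are assumptions.

```python
import sqlite3
from typing import Tuple


def open_db(on_delete_cascade: bool = False) -> sqlite3.Connection:
    """In-memory schema modelled on the two tables from the traceback."""
    conn = sqlite3.connect(":memory:")
    # SQLite only enforces foreign keys with this pragma; MySQL/InnoDB always does,
    # which is why the web UI hit the error in production.
    conn.execute("PRAGMA foreign_keys = ON")
    cascade = " ON DELETE CASCADE" if on_delete_cascade else ""
    conn.executescript(f"""
        CREATE TABLE MachineToken (
            id INTEGER PRIMARY KEY,
            token_id INTEGER NOT NULL,
            machine_id INTEGER NOT NULL,
            application TEXT NOT NULL);
        CREATE TABLE MachineTokenOptions (
            id INTEGER PRIMARY KEY,
            machinetoken_id INTEGER NOT NULL REFERENCES MachineToken(id){cascade},
            mt_key TEXT NOT NULL,
            mt_value TEXT);
        -- constructed rows matching the parameters in the traceback (43, 2, 'ssh')
        INSERT INTO MachineToken VALUES (1, 43, 2, 'ssh');
        INSERT INTO MachineTokenOptions VALUES (1, 1, 'user', 'root');
    """)
    return conn


PARENT_WHERE = "token_id = ? AND machine_id = ? AND application = ?"


def delete_naive(conn: sqlite3.Connection, token_id: int, machine_id: int,
                 application: str) -> bool:
    """The statement from the traceback: only the parent row is deleted."""
    try:
        with conn:   # commits on success, rolls back on exception
            conn.execute(f"DELETE FROM MachineToken WHERE {PARENT_WHERE}",
                         (token_id, machine_id, application))
    except sqlite3.IntegrityError:
        return False
    return True


def delete_with_children(conn: sqlite3.Connection, token_id: int, machine_id: int,
                         application: str) -> int:
    """Remove the option rows first, then the parent, in one transaction."""
    params = (token_id, machine_id, application)
    with conn:
        conn.execute(
            "DELETE FROM MachineTokenOptions WHERE machinetoken_id IN "
            f"(SELECT id FROM MachineToken WHERE {PARENT_WHERE})", params)
        removed = conn.execute(
            f"DELETE FROM MachineToken WHERE {PARENT_WHERE}", params).rowcount
    return removed


def row_counts(conn: sqlite3.Connection) -> Tuple[int, int]:
    parents = conn.execute("SELECT COUNT(*) FROM MachineToken").fetchone()[0]
    options = conn.execute("SELECT COUNT(*) FROM MachineTokenOptions").fetchone()[0]
    return parents, options


if __name__ == "__main__":
    db = open_db()
    print("naive delete succeeded:", delete_naive(db, 43, 2, "ssh"))      # False
    print("rows removed:", delete_with_children(db, 43, 2, "ssh"))      # 1
    print("remaining rows:", row_counts(db))                             # (0, 0)
```

Deleting the children inside the same transaction matters: if the parent delete fails after the options are gone, the rollback restores them, so a half-deleted machine-token assignment never stays behind.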

sipgate SMS

Support sipgate SMS with xmlrpc

Create a new sms provider, either a sipgateProvider or a common xmlrpcProvider.

documentation

Add online documentation.
This should be available on the website and from within the management.

It should also be possible to access the documentation from certain dialogs and jump from those dialogs directly to the corresponding topic in the documentation.

WebUI: multiple token selections

Selecting multiple tokens in the WebUI can lead to problems if multiple tokens are selected accidentally and those tokens are assigned to a user.
Then all tokens will be assigned, even if the tokens are assigned to other users at the moment.

What can be done?

  1. A setting could define: Only allow one token to be selected.
  2. Each time several tokens are selected, we could add a security question: "You want to operate on many tokens... proceed? Are you sure? Did you ask Bill?"

In the left column where the selected tokens are displayed, we could add a button "unselect all tokens".

The session timeout does allow the last action

The admin webui provides a session timeout.
When waiting for a while, the session times out. When e.g. enabling or disabling a token, the web UI responds that the session timed out. But nevertheless the action is performed!
When you log in again you can see that the token is deactivated.

The session timeout needs to be checked before doing the action. Or the action must not be performed if the session has timed out.

Take a look at lib.base:before_identity_check.
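An added example (not privacyIDEA's code) covering three of the issues above at once: the double-submit check from the "Purpose of check_session" question, the reissue timing from "not optimal session timeout", and the ordering fix from this issue, where every check runs before the action and an expired session performs nothing. The cookie and parameter names, and the identity object handed in by the authentication stack, are assumptions; the 600 s timeout and the timeout/2 reissue are the values from the issues.

```python
import hmac
from typing import Any, Callable, Mapping, Tuple

# Values from the issues: cookie lifetime 600 s, reissue after half of it.
SESSION_TIMEOUT = 600
REISSUE_TIME = SESSION_TIMEOUT // 2

COOKIE_NAME = "privacyidea_session"   # assumed names; the real ones may differ
PARAM_NAME = "session"


class SessionError(Exception):
    """Raised before any action runs; the caller answers with 401/403 and does nothing."""


def check_session(cookies: Mapping[str, str], params: Mapping[str, str]) -> None:
    """Double-submit check: the session value must arrive both as a cookie and as a
    request parameter, and the two must match. A cross-site page can make the
    browser attach the cookie but cannot read it to copy it into the parameter,
    so this blocks CSRF for cookie-based sessions."""
    cookie = cookies.get(COOKIE_NAME)
    param = params.get(PARAM_NAME)
    if not cookie or not param:
        raise SessionError("session cookie or session parameter missing")
    if not hmac.compare_digest(cookie.encode(), param.encode()):
        raise SessionError("session parameter does not match the cookie")


def session_state(issued_at: float, now: float, timeout: int = SESSION_TIMEOUT,
                  reissue: int = REISSUE_TIME) -> str:
    """'valid', 'reissue' (still valid, hand out a fresh cookie) or 'expired'."""
    age = now - issued_at
    if age < 0 or age >= timeout:
        return "expired"
    return "reissue" if age >= reissue else "valid"


def guarded_action(identity: Any, cookies: Mapping[str, str], params: Mapping[str, str],
                   issued_at: float, now: float,
                   action: Callable[[], Any]) -> Tuple[Any, str]:
    """Run every check first; the action only executes on a live, matching session.
    Returns the action's result and the session state so the caller can reissue."""
    if identity is None:
        raise SessionError("no identity from the authentication stack")
    check_session(cookies, params)
    state = session_state(issued_at, now)
    if state == "expired":
        raise SessionError("session timed out")
    return action(), state


if __name__ == "__main__":
    cookies, params = {COOKIE_NAME: "s1"}, {PARAM_NAME: "s1"}
    # 8 minutes of work: old config (reissue 540) would not refresh the cookie,
    # the new one (reissue 300) does.
    print(session_state(1000, 1480, 600, 540), session_state(1000, 1480))   # valid reissue
    try:
        guarded_action("admin", cookies, params, 1000, 1601, lambda: "token disabled")
    except SessionError as e:
        print("refused:", e)
```

For routes called with HTTP Basic Auth and no cookie, the double-submit check has nothing to compare; it is only needed where the browser attaches credentials by itself, so an API path that accepts Basic Auth can skip check_session, provided it does not also honour the session cookie on the same request.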

Install 1.3 on CentOS 7: Download error

Not sure if it's supported yet, but when trying to install on CentOS 7, I get the following trace:

pip install privacyidea
Downloading/unpacking privacyidea
  Using download cache from /web/python/pip_cache/https%3A%2F%2Fpypi.python.org%2Fpackages%2Fsource%2Fp%2FprivacyIDEA%2FprivacyIDEA-1.3.tar.gz
  Running setup.py egg_info for package privacyidea
    Traceback (most recent call last):
      File "<string>", line 16, in <module>
      File "/opt/privacyidea/build/privacyidea/setup.py", line 131, in <module>
        long_description=get_file_contents('README.md')
      File "/usr/lib64/python2.7/distutils/core.py", line 112, in setup
        _setup_distribution = dist = klass(attrs)
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/dist.py", line 265, in __init__
        self.fetch_build_eggs(attrs.pop('setup_requires'))
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/dist.py", line 289, in fetch_build_eggs
        parse_requirements(requires), installer=self.fetch_build_egg
      File "/opt/privacyidea/lib/python2.7/site-packages/pkg_resources.py", line 618, in resolve
        dist = best[req.key] = env.best_match(req, self, installer)
      File "/opt/privacyidea/lib/python2.7/site-packages/pkg_resources.py", line 862, in best_match
        return self.obtain(req, installer) # try and download/install
      File "/opt/privacyidea/lib/python2.7/site-packages/pkg_resources.py", line 874, in obtain
        return installer(requirement)
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/dist.py", line 339, in fetch_build_egg
        return cmd.easy_install(req)
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 611, in easy_install
        self.local_index
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 583, in fetch_distribution
        self.prescan()
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 481, in prescan
        list(map(self.scan_url, self.to_scan))
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 765, in scan_url
        self.process_url(url, True)
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 303, in process_url
        f = self.open_url(url, "Download error on %s: %%s -- Some packages may not be found!" % url)
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 699, in open_url
        return open_with_auth(url, self.opener)
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 898, in _socket_timeout
        return func(*args, **kwargs)
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 945, in open_with_auth
        fp = opener(request)
      File "/usr/lib64/python2.7/urllib2.py", line 404, in open
        response = self._open(req, data)
      File "/usr/lib64/python2.7/urllib2.py", line 422, in _open
        '_open', req)
      File "/usr/lib64/python2.7/urllib2.py", line 382, in _call_chain
        result = func(*args)
      File "/usr/lib64/python2.7/urllib2.py", line 1216, in http_open
        return self.do_open(httplib.HTTPConnection, req)
      File "/usr/lib64/python2.7/urllib2.py", line 1189, in do_open
        r = h.getresponse(buffering=True)
      File "/usr/lib64/python2.7/httplib.py", line 1045, in getresponse
        response.begin()
      File "/usr/lib64/python2.7/httplib.py", line 409, in begin
        version, status, reason = self._read_status()
      File "/usr/lib64/python2.7/httplib.py", line 365, in _read_status
        line = self.fp.readline(_MAXLINE + 1)
      File "/usr/lib64/python2.7/socket.py", line 476, in readline
        data = self._sock.recv(self._rbufsize)
    socket.timeout: timed out

----------------------------------------
Cleaning up...
Command python setup.py egg_info failed with error code 1 in /opt/privacyidea/build/privacyidea

Glad to try anything you might consider.
Best,
KurtB

Journal and rollback

A journal that allows the rollback or undo of administrator actions.

Each admin audit log entry could save the modified token row, before it is modified.
Thus it could be possible to search the audit log for an administrator event, select this audit entry and click the "undo" button.
This would be the start with the token table.

Thinking of Config or Realm table would be more complicated.
Database snapshots or copy on write might not simply allow an undo of one special event last week. What would happen with actions in between?

Default values in Token config dialog

The Token Config dialog complains about missing values of RADIUS token and REMOTE token... even if you did not configure those tokens.

Either choose some sensible default values or deactivate this config, so the dialog does not need to complain.

Backup and Restore

Create a backup and restore for the appliance setup tui.
The backup should be created in cronjobs.

base-path

It should be possible to run privacyIDEA not only at the root (like /manage/ or /admin/show/) but also on an additional base path like /base/manage or /base/admin/show.

login with command line client

When the realm box is active, you can not log in with the command line client.
This is because the command line client sends the username "user@realm".
And the server appends "@defaultrealm" to this. This user of course does not exist.

The server should not add the @defaultrealm if a username with "@realm" is given (of course only if we do "splitAtSign").

TiQR token

support for enrollment of TiQR token, which could be inherited from the OCRA token.

Add issuing client certificates

Somehow we might also issue client certificates.

As we have a self-service portal, this might be ideal to enroll certificates in the client.
Either by creating the keypair in the browser or by uploading PKCS#10 requests.

http://serverfault.com/questions/617901/solution-for-ssl-client-certificates-with-user-self-service/

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen

A module system should be able to define, WHAT signs the certificate request.
Thus we could provide modules that use a simple openssl CA to sign a certificate request or a module could connect to some other enterprise CA to sign the certificate.
Several different modules/CAs should be usable at the same time...

See the wiki: https://github.com/privacyidea/privacyidea/wiki/concept%3A-certificates


fix some config logic

splitAtSign does split if it is not set in the config database.
But if it is not set in the DB, the checkbox is not checked in the UI, although it still splits!

The login.help button should be on by default (same as splitAtSign).
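An added example (not privacyIDEA's code) of the login handling these two issues ask for, "login with command line client" and "fix some config logic": a missing splitAtSign entry counts as enabled, exactly as the UI checkbox should show it, and a login that already carries "@realm" is never suffixed with the default realm again. The config is modelled as a dict of strings, the way a config table usually stores flags; that representation is an assumption.

```python
from typing import Mapping, Optional, Tuple


def split_at_sign_enabled(config: Mapping[str, Optional[str]]) -> bool:
    """splitAtSign unset in the config DB means enabled; the UI checkbox must show
    the same default so what the admin sees matches what the server does."""
    value = config.get("splitAtSign")
    if value is None:
        return True
    if isinstance(value, str):
        return value.strip().lower() in ("1", "true", "yes", "on")
    return bool(value)


def resolve_login(login: str, default_realm: str,
                  config: Mapping[str, Optional[str]]) -> Tuple[str, str]:
    """Return (user, realm) for a login string.

    With splitting enabled, 'corny@realm1' becomes ('corny', 'realm1') and the
    default realm is NOT appended; only a bare 'corny' gets the default realm.
    With splitting disabled the whole string is the username.
    """
    if split_at_sign_enabled(config) and "@" in login:
        user, realm = login.rsplit("@", 1)
        if user and realm:
            return user, realm
    return login, default_realm


def cli_login_string(user: str, realm: str) -> str:
    """What the command line client sends when a realm is selected."""
    return f"{user}@{realm}"


if __name__ == "__main__":
    sent = cli_login_string("corny", "realm1")
    print(resolve_login(sent, "defrealm", {}))                         # ('corny', 'realm1')
    print(resolve_login("corny", "defrealm", {}))                      # ('corny', 'defrealm')
    print(resolve_login(sent, "defrealm", {"splitAtSign": "False"}))   # ('corny@realm1', 'defrealm')
```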

SSH token

Add an SSH token, which includes the public key and provides this public key to the client machine so that this public key can be merged into the authorized keys.

Why not use salt:
http://docs.saltstack.com/en/latest/ref/states/all/salt.states.ssh_auth.html

Additional salt modules could also write the LUKS slot...
or the authorized keys.
Thus only the salt master would communicate to privacyIDEA and salt would distribute the authentication items to the machines.

...see the salt wiki page.

disabled SSH tokens

disabled SSH tokens will be removed from the authorized_keys.
(done)

The reading of the public keys and the pushing to salt will be performed in the package privacyideaadm.
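An added example (not privacyIDEA's or privacyideaadm's code) tying together the "Use AuthorizedKeysCommand in sshd" issue and the SSH token issues above: a helper sshd can run as AuthorizedKeysCommand that fetches a user's keys and hands sshd only lines that really are bare public keys. The HTTP call to the controller is replaced by a constructed in-memory response, since the endpoint and its format are not defined on this page; the sshd_config lines in the docstring are standard OpenSSH directives. Disabled tokens are assumed to be filtered server-side, as the "disabled SSH tokens" issue says.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand helper (added example).

sshd_config (OpenSSH 6.2 or newer; the command file must be owned by root and
not be group- or world-writable, otherwise sshd refuses to run it):

    AuthorizedKeysCommand /usr/local/bin/pi-authorized-keys %u
    AuthorizedKeysCommandUser nobody
"""
import base64
import binascii
import struct
import sys
from typing import Dict, List, Optional

# Key types passed through to sshd; anything else is dropped.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa",
                 "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def blob_key_type(b64: str) -> Optional[str]:
    """Key type embedded in a base64 key blob, or None if the blob is malformed."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or len(blob) < 4 + n:
        return None
    try:
        return blob[4:4 + n].decode("ascii")
    except UnicodeDecodeError:
        return None


def validate_key_line(line: str) -> Optional[str]:
    """Accept only '<type> <base64> [comment]'. Lines with options (command=,
    environment=, ...), unknown types, undecodable blobs or a blob whose embedded
    type disagrees with the declared one are rejected. Returns the cleaned line."""
    parts = line.strip().split()
    if len(parts) not in (2, 3):
        return None
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if keytype not in ALLOWED_TYPES or blob_key_type(b64) != keytype:
        return None
    if not (comment.isascii() and comment.isprintable()):
        return None
    return " ".join(p for p in (keytype, b64, comment) if p)


def _fake_blob(keytype: str, raw: bytes) -> str:
    """Constructed key blob for the sample data; not a usable key."""
    return base64.b64encode(_ssh_string(keytype.encode()) + _ssh_string(raw)).decode()


# Constructed stand-in for the controller response (one key per line).
SAMPLE_RESPONSES: Dict[str, List[str]] = {
    "alice": [
        "ssh-ed25519 " + _fake_blob("ssh-ed25519", b"\x11" * 32) + " alice@laptop",
        "ssh-rsa " + _fake_blob("ssh-ed25519", b"\x22" * 32) + " type-mismatch",
        'command="/bin/sh" ssh-ed25519 ' + _fake_blob("ssh-ed25519", b"\x33" * 32),
        "ssh-ed25519 not*base64* junk",
    ],
}


def fetch_keys(user: str) -> List[str]:
    """Stub for the HTTPS request (with certificate verification) to privacyIDEA."""
    return SAMPLE_RESPONSES.get(user, [])


def authorized_keys_for(user: str, fetch=fetch_keys) -> List[str]:
    return [clean for clean in map(validate_key_line, fetch(user)) if clean]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(2)
    print("\n".join(authorized_keys_for(sys.argv[1])))
```

Checking the type string inside the blob against the declared type, and refusing any options, means a compromised or misbehaving key source can at most withhold access; it cannot smuggle a forced command or environment variable into sshd through this path. A real fetch must also fail closed: on a network or TLS error, print nothing, so sshd falls back to the local authorized_keys file rather than accepting unverified data.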

add RADIUS support

Add the perl module to forward the radius request to privacyIDEA.

This radius module should run without manually installing modules from CPAN.

memory leak

The sqlaudit module has a memory leak.

  • monitoring the process with htop
  • start paster with a MySQL database
  • run 10000 requests with a passwd user with an SPASS token: $ ab -n 10000 -c 2 http://127.0.0.1:5001/validate/check?user=corny\&pass=test

With the sqlaudit module active the consumed memory will increase from 100MB to 1200MB. The memory will not be freed.
privacyidea (Owner) commented on 16 May:

This problem does not seem to be connected to the sqlaudit module. Even when deactivating the audit and the policies in the validate controller, the memory is leaked.

privacyidea referenced this issue on 16 May: "remove dictionaries and del" #5 (closed)

privacyidea (Owner) commented on 18 May:

We change this to be a known issue.
With closing #5, a setup with Apache and MySQL only eats up 23MB when doing 10,000 authentication requests.

We assume this to be tolerable at the moment, especially due to the fact that Apache will be reloaded once a day for log rotation.

improve the SMSProvider UI

The UI of the sms provider should be improved.
Either via a better UI, a direct online help or presets.

getUserFromRequest

The getUserFromRequest should probably also try to get the username (administrator) from the repoze.who parameters.

reassign a token

This is related to #45.

If a token is already assigned to some user, assigning this token to a second/other user should not be possible right away.
Possibilities:

  1. avoid reassign at all. If assigning a serial number, we might check, if this serial number is already assigned. (this could be configurable)
  2. Define a policy scope=admin,action=reassign, that needs to be set if an admin is allowed to reassign a token.

Implementation could also be done in two steps, first 1 and then 2.

If a reassign is done, the OTP counter should not get reset.

Add Token2 support

Token2 is a smartphone app that can enroll motp token with a QRcode and protect TOTP token with a PIN.
Add the QRCode enrollment of motp token.

end to display encryption

We need to provide an API for the end to display encryption.

  1. New Token Type
  2. Know the encryption key
  3. /validate/check: generate a challenge and calculate the encrypted image and return the encrypted image with a keypad in it
  4. /validate/check: receive the clicked coordinates as response. The coordinates could be transferred as the pass parameter to keep the interface intact. The tokentype might then split the pass into the coordinates and check with the challenge, if the coordinates match the challenged code/keypad.

More information is to be gathered on the wiki page.
