The flask based privacyidea 2.0 branch

The code was copied in from another repository.
So we might have to do some janitor work, till this branch
works well.

.gitignore

@@ -1,12 +1,9 @@
-config/token.sqlite
-*.pyc
-privacyidea.log*
-/tests/testdata/data/
-*~
-doc/_build/
 .project
 .pydevproject
 .settings/
-DEBUILD/
-privacyidea/tests/testdata/private.pem
-privacyidea/tests/testdata/public.pem
+*.sqlite
+*.pyc
+dist/
+venv/
+.coverage
+cover/

.travis.yml

@@ -11,44 +11,30 @@ install:
 # split the test run according to
 # http://blog.travis-ci.com/2012-11-28-speeding-up-your-tests-by-parallelizing-them/
 env:
-  - TESTSCRIPT=privacyidea/tests/functional/test_account.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_admin.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_audit.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_authorize.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_challenge_response.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_emailtoken.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_err_response.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_fixes.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_getotp.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_getserial.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_httpsms.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_importotp.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_ldap.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_ldap2.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_sql.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_manage.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_ocra2.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_ocra.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_orphaned.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_passwdidresolver.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_policy.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_radius_token.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_remote_token.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_replication_sync.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_selfservice.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_system.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_sql.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_totp.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_validate.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_yubikey.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_machine.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_appliance_parser.py
-  - TESTSCRIPT=privacyidea/tests/functional/test_feitian.py
+  - TESTSCRIPT=tests/test_api_system.py
+  - TESTSCRIPT=test_api_token.py
+  - TESTSCRIPT=test_api_users.py
+  - TESTSCRIPT=test_api_validate.py
+  - TESTSCRIPT=testdata/
+  - TESTSCRIPT=test_db_model.py
+  - TESTSCRIPT=test_lib_apps.py
+  - TESTSCRIPT=test_lib_config.py
+  - TESTSCRIPT=test_lib_crypto.py
+  - TESTSCRIPT=test_lib_importotp.py
+  - TESTSCRIPT=test_lib_policy.py
+  - TESTSCRIPT=test_lib_realm.py
+  - TESTSCRIPT=test_lib_resolver.py
+  - TESTSCRIPT=test_lib_tokenclass.py
+  - TESTSCRIPT=test_lib_token.py
+  - TESTSCRIPT=test_lib_tokens_hotp.py
+  - TESTSCRIPT=test_lib_tokens_passwordtoken.py
+  - TESTSCRIPT=test_lib_tokens_totp.py
+  - TESTSCRIPT=test_lib_tokens_yubikey.py
+  - TESTSCRIPT=test_lib_user.py
+  - TESTSCRIPT=test_resolver_realm.py
 matrix:
     allow_failures:
         python: 2.6
 
-# command to run tests
-script: "./test.sh --no-html $TESTSCRIPT"
 after_success: 
     coveralls --rcfile=coveragerc

Makefile

@@ -3,13 +3,14 @@ info:
 	@echo "make clean        - remove all automatically created files"
 	@echo "make epydoc       - create the API documentation"
 	@echo "make doc-man      - create the documentation as man-page"
+	@echo "make doc-html     - create the documentation as html"
 	@echo "make pypi         - upload package to pypi"
 	@echo "make debianzie    - prepare the debian build environment in DEBUILD"
 	@echo "make builddeb     - build .deb file locally on ubuntu 14.04!"
 	@echo "make ppa-dev      - upload to launchpad development repo"
 
 #VERSION=1.3~dev5
-VERSION=1.5.1~dev1
+VERSION=1.5~dev8
 SERIES="trusty precise"
 LOCAL_SERIES=`lsb_release -a | grep Codename | cut -f2`
 
@@ -24,12 +25,8 @@ translate:
 	python setup.py compile_catalog
 clean:
 	find . -name \*.pyc -exec rm {} \;
-	rm -fr config/data
 	rm -fr build/
 	rm -fr dist/
-	rm -fr privacyIDEA.egg-info/
-	rm -fr API
-	rm -fr privacyidea/tests/testdata/data/
 	rm -fr DEBUILD
 	rm -fr RHBUILD
 	rm -fr cover
@@ -50,6 +47,9 @@ depdoc:
 doc-man:
 	(cd doc; make man)
 
+doc-html:
+	(cd doc; make html)
+
 redhat:
 	make clean
 	mkdir RHBUILD

README.md

@@ -1,77 +1,63 @@
-privacyIDEA
-===========
-privacyIDEA is an open solution for strong two-factor authentication.
-privacyIDEA aims to not bind you to any decision of the authentication protocol or 
-it does not dictate you where your user information should be stored. 
-This is achieved by its totally modular architecture.
-privacyIDEA is not only open as far as its modular architecture is concerned. 
-But privacyIDEA is completely licensed under the AGPLv3.
+Preface
+=======
 
-privacyIDEA is a fork of LinOTP.
+The new 2.0 branch is based on flask and sqlalchemy as the python backend. The web UI is based
+on angularJS and bootstrap.
 
-Code test on travis-ci.org
---------------------------
-Tests are running on travis-ci.org. See the test coverage at coveralls.io.
+At the moment the 2.0 branch is not ready for production. You can follow the setup instructions and play around.
+You are also welcome to take a look at the hopefully tidy code and contribute.
 
-[![Build Status][BS img]][Build Status]
-[![Coverage Status][CS img]][Coverage Status]
+I try to keep up a good test coverage. So run tests!
 
-[Build Status]: https://travis-ci.org/privacyidea/privacyidea
-[Coverage Status]: https://coveralls.io/r/privacyidea/privacyidea
+Setup
+=====
 
-[BS img]: https://travis-ci.org/privacyidea/privacyidea.svg?branch=master
-[CS img]: https://coveralls.io/repos/privacyidea/privacyidea/badge.png?branch=master
+You can setup the system in a virtual environment::
 
-Installation
-------------
+   mkdir privacyidea
+   cd privacyidea
+   virtualenv venv
+   source venv/bin/activate
+   pip install -r requirements.txt
 
-For installation instructions you can see the internal documentation,
-which is also contained in this git repository at
 
-https://github.com/privacyidea/privacyidea/blob/master/doc/installation/index.rst
+Running it
+==========
 
-You can also browse the documentation on the web site, which contains the
-latest released documentation and might not be the bleeding edge
+Create the database::
 
-https://www.privacyidea.org/doc/current/
+   ./manage.py createdb
 
-Token management
-----------------
+Create the first administrator::
 
-privacyIDEA has a web management interface to login for either as normal users or administrators.
-You need to create the first administrator to login. This administrator then can
-* create UserIdResolvers
-* a realm 
-* and enroll tokens.
+   ./manage.py <email> <username>
 
-To create an administrator do this:
+Run it::
 
-    $ privacyidea-create-pwidresolver-user -u admin_name -p secret_password -i 1000 >> etc/privacyidea/admin-users
+   ./manage.py runserver
 
-You then can login with the user ``admin-name`` and the password ``secret-password``. 
-All the administrators are stored in the file defined in the privacyIDEA.ini entry "privacyideaSuperuserFile".
+Now you can connect to http://localhost:5000 with your browser and login as administrator.
 
-Authentication
---------------
-You can use the web API to authenticate users. If you enrolled a token for a user, you can authenticate
-the user by calling the URL:
+Run tests
+=========
 
-    http://yourserver:5001/validate/check?user=you&pass=pin123456
+   nosetests -v --with-coverage --cover-package=privacyidea --cover-html
 
-Yubikeys
---------
-privacyIDEA supports Yubikeys. To enroll yubikeys you need to install the admin client "privacyideaadm".
+Code structure
+==============
 
-Tests
------
-If you want to see, if everything works fine, you can run the functional tests.
-There are roughly 350 sometimes complex tests, running the tests will take about
-30 minutes. Do it like this::
+The database models are defined in ``models.py`` and tested in tests/test_db_model.py.
 
-    $ python setup.py build
-    $ ./test.sh
+Based on the database models there are the libraries ``lib/config.py`` which is
+responsible for basic configuration in the database table ``config``.
+And the library ``lib/resolver.py`` which provides functions for the database
+table ``resolver``. This is tested in tests/test_lib_resolver.py.
+
+Based on the resolver there is the library ``lib/realm.py`` which provides functions
+for the database table ``realm``. Several resolvers are combined into a realm.
+
+Based on the realm there is the library ``lib/user.py`` which provides functions 
+for users. There is no database table user, since users are dynamically read from
+the user sources like SQL, LDAP, SCIM or flat files.
 
-Questions
----------
-Take a look at http://privacyidea.org and join the google group https://groups.google.com/forum/#!forum/privacyidea.
 

config.py

@@ -0,0 +1,45 @@
+import os
+basedir = os.path.abspath(os.path.dirname(__file__))
+
+
+class Config:
+    SECRET_KEY = os.environ.get('SECRET_KEY')
+    # SQL_ALCHEMY_DATABASE_URI = "mysql://privacyidea:XmbSrlqy5d4IS08zjz"
+    # "GG5HTt40Cpf5@localhost/privacyidea"
+    PI_ENCFILE = "tests/testdata/enckey"
+    PI_HSM = "default"
+
+
+class DevelopmentConfig(Config):
+    DEBUG = True
+    SECRET_KEY = os.environ.get('SECRET_KEY') or 't0p s3cr3t'
+    SQLALCHEMY_DATABASE_URI = os.environ.get('DEV_DATABASE_URL') or \
+        'sqlite:///' + os.path.join(basedir, 'data-dev.sqlite')
+
+
+class TestingConfig(Config):
+    TESTING = True
+    # This is used to encrypt the auth token
+    SECRET_KEY = 'secret'
+    SQLALCHEMY_DATABASE_URI = os.environ.get('TEST_DATABASE_URL') or \
+        'sqlite:///' + os.path.join(basedir, 'data-test.sqlite')
+    # This is used to encrypt the admin passwords
+    PI_PEPPER = ""
+    # This is only for testing encrypted files
+    PI_ENCFILE_ENC = "tests/testdata/enckey.enc"
+
+
+class ProductionConfig(Config):
+    SQLALCHEMY_DATABASE_URI = os.environ.get('DATABASE_URL') or \
+        'sqlite:///' + os.path.join(basedir, 'data.sqlite')
+    SECRET_KEY = os.environ.get('SECRET_KEY') or 't0p s3cr3t'
+    # This is used to encrypt the admin passwords
+    PI_PEPPER = "Never know..."
+
+
+config = {
+    'development': DevelopmentConfig,
+    'testing': TestingConfig,
+    'production': ProductionConfig,
+    'default': DevelopmentConfig
+}

coveragerc

@@ -1,8 +1,5 @@
 [report]
 omit =
-    privacyidea/tests/*
-    privacyidea/lib/mschap.py
-    privacyidea/lib/ext/*
 
 exclude_lines =
     pragma: no cover

deploy/apache/sites-available/privacyidea.conf

@@ -0,0 +1,61 @@
+WSGIPythonHome /home/cornelius/src/flask/venv
+<VirtualHost _default_:443>
+	ServerAdmin webmaster@localhost
+	# You might want to change this
+	ServerName localhost
+
+	DocumentRoot /var/www
+	<Directory />
+		# For Apache 2.4 you need to set this:
+		Require all granted
+		Options FollowSymLinks
+		AllowOverride None
+	</Directory>
+	<Directory /var/www/>
+		Options Indexes FollowSymLinks MultiViews
+		AllowOverride None
+		# For Apache 2.4 you need to remove the
+		# following two lines
+		#Order allow,deny
+		#allow from all
+		# For Apache 2.4 you need to set this:
+		Require all granted
+	</Directory>
+
+	WSGIScriptAlias /       /home/cornelius/src/flask/deploy/privacyideaapp.wsgi
+	#
+	# The daemon is running as user 'privacyidea'
+	# This user should have access to the encKey database encryption file
+	WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
+	WSGIProcessGroup privacyidea
+	WSGIPassAuthorization On
+
+	ErrorLog /var/log/apache2/error.log
+
+	LogLevel warn
+	# Do not use %q! This will reveal all parameters, including setting PINs and Keys!
+	# Using SSL_CLINET_S_DN_CN will show you, which administrator did what task
+	LogFormat "%h %l %u %t %>s \"%m %U %H\"  %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
+	CustomLog /var/log/apache2/ssl_access.log privacyIDEA
+
+	#   SSL Engine Switch:
+	#   Enable/Disable SSL for this virtual host.
+	SSLEngine on
+
+	#   If both key and certificate are stored in the same file, only the
+	#   SSLCertificateFile directive is needed.
+	SSLCertificateFile    /etc/ssl/certs/privacyideaserver.pem
+	SSLCertificateKeyFile /etc/ssl/private/privacyideaserver.key
+
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
+		SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory /usr/lib/cgi-bin>
+		SSLOptions +StdEnvVars
+	</Directory>
+	BrowserMatch ".*MSIE.*" \
+		nokeepalive ssl-unclean-shutdown \
+		downgrade-1.0 force-response-1.0
+
+
+</VirtualHost>

deploy/pi.cfg

@@ -0,0 +1,2 @@
+# The realm, where users are allowed to login as administrators
+SUPERUSER_REALM = super

deploy/privacyideaapp.wsgi

@@ -0,0 +1,4 @@
+import sys
+sys.path.insert(0, '/home/cornelius/src/flask')
+sys.stdout = sys.stderr
+from privacyidea.app import wsgi_app as application