
Create merge branch to merge 2.23.5 into master

cornelinux committed Mar 13, 2019
2 parents c89c545 + 0ae0717 commit f1c2f5493224a7f6dce323978630e6d97ce204ff
@@ -5,6 +5,13 @@ Version 3.0, 2019-03-xx
X-Forwarded-For if the original (REMOTE_ADDR) is allowed to overwrite the client ip.
(Side effect of #1392)

Version 2.23.5, 2019-03-04

Fixes:
* Fix authcache
* Fix correct syncwindow for manually resyncing TOTP tokens


Version 2.23.4, 2019-02-06

Fixes:
@@ -4,6 +4,15 @@ python-privacyidea (3.0~dev1-1trusty) trusty; urgency=medium

-- Cornelius Kölbel <cornelius.koelbel@netknights.it> Wed, 21 Nov 2018 15:00:00 +0200

python-privacyidea (2.23.5-1trusty) trusty; urgency=medium

Fixes:
* Fix authcache
* Fix correct syncwindow for manually resyncing TOTP tokens

-- Cornelius Kölbel <cornelius.koelbel@netknights.it> Mon, 04 Mar 2019 18:00:00 +0200


python-privacyidea (2.23.4-1trusty) trusty; urgency=medium

Fixes:
@@ -1,3 +1,12 @@
privacyidea-venv (2.23.5-1) jessie; urgency=medium

Fixes:
* Fix authcache
* Fix correct syncwindow for manually resyncing TOTP tokens

-- Cornelius Kölbel <cornelius.koelbel@netknights.it> Mon, 04 Mar 2019 18:00:00 +0200


privacyidea-venv (2.23.4-1) jessie; urgency=medium

Fixes:
@@ -85,6 +85,7 @@ from sqlalchemy import create_engine, desc, MetaData
from sqlalchemy.orm import sessionmaker
from privacyidea.lib.auditmodules.sqlaudit import LogEntry
from privacyidea.lib.audit import getAudit
from privacyidea.lib.authcache import cleanup as authcache_cleanup
from privacyidea.lib.utils import parse_timedelta
from privacyidea.lib.crypto import create_hsm_object
from Crypto.PublicKey import RSA
@@ -106,6 +107,7 @@ event_manager = Manager(usage='Manage events')
api_manager = Manager(usage="Manage API keys")
ca_manager = Manager(usage="Manage Certificate Authorities")
audit_manager = Manager(usage="Manage Audit log")
authcache_manager = Manager(usage="Manage AuthCache")
hsm_manager = Manager(usage="Manage HSM")
manager.add_command('db', MigrateCommand)
manager.add_command('admin', admin_manager)
@@ -117,6 +119,7 @@ manager.add_command('event', event_manager)
manager.add_command('api', api_manager)
manager.add_command('ca', ca_manager)
manager.add_command('audit', audit_manager)
manager.add_command('authcache', authcache_manager)
manager.add_command('hsm', hsm_manager)


@@ -574,6 +577,16 @@ except TypeError:
profile = manager.command(profile)


@authcache_manager.command
def cleanup(minutes=480):
"""
Remove entries from the authcache, where last_auth entry is older than
the given number of minutes.
"""
r = authcache_cleanup(int(minutes))
print(u"Entries deleted: {0!s}".format(r))


@manager.option('--highwatermark', '--hw', help="If entries exceed this value, "
"old entries are deleted.")
@manager.option('--lowwatermark', '--lw', help="Keep this number of entries.")
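Review bot: The `minutes` argument of the new `cleanup` command (the line after `@authcache_manager.command`) arrives from the command line as a string, and `int(minutes)` turns a non-numeric value into an uncaught ValueError traceback instead of a usage error. The file already declares arguments with `@manager.option(...)`, so the same mechanism can let argparse validate the input: `@authcache_manager.option('--minutes', type=int, default=480, help="Delete entries whose last_auth is older than this many minutes")` in place of the bare `@authcache_manager.command` and the `int()` call, assuming `Manager.option` behaves on the sub-manager as it does on `manager` below. Negative values are not rejected either; that check belongs in `privacyidea.lib.authcache.cleanup`, which this commit also adds. The docstring should also name the default, e.g. `Defaults to 480 minutes (8 hours).`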
@@ -19,7 +19,6 @@
# You should have received a copy of the GNU Affero General Public
# License along with this program. If not, see <http://www.gnu.org/licenses/>.
#

from ..models import AuthCache, db
from sqlalchemy import and_
from privacyidea.lib.crypto import hash
@@ -61,6 +60,21 @@ def delete_from_cache(username, realm, resolver, password):
return r


def cleanup(minutes):
"""
Will delete all authcache entries, where last_auth column is older than
the given minutes.
:param minutes: Age of the last_authentication in minutes
:type minutes: int
:return:
"""
cleanuptime = datetime.datetime.utcnow() - datetime.timedelta(minutes=minutes)
r = db.session.query(AuthCache).filter(AuthCache.last_auth < cleanuptime).delete()
db.session.commit()
return r


def verify_in_cache(username, realm, resolver, password,
first_auth = None,
last_auth = None):
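Review bot: `cleanup` (the new function after `delete_from_cache`) does no range check on `minutes`: a negative value moves `cleanuptime` into the future, so the `last_auth < cleanuptime` filter deletes every row, including entries that authenticated seconds ago, and the pi-manage caller passes the CLI value straight through. A guard such as `if minutes < 0: raise ValueError("minutes must not be negative")` before computing `cleanuptime` keeps the "older than" contract honest. The `:return:` line of the docstring is empty; the test added in this commit asserts `self.assertEqual(1, r)`, so it should read `:return: number of deleted authcache entries`. The function relies on `datetime`, which the import hunk above does not show and from which one line was removed, so it is worth confirming the import is still in scope.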
@@ -418,7 +418,6 @@ def auth_user_timelimit(wrapped_function, user_object, passw, options=None):
reply_dict["message"] = ("Only %s successfull "
"authentications per %s"
% (policy_count, tdelta))
g.audit_object.add_policy(next(iter(max_success_dict.values())))

return res, reply_dict

@@ -723,4 +722,4 @@ def reset_all_user_tokens(wrapped_function, *args, **kwds):
"registration token does not exist anymore and "
"cannot be reset.")

return r
return r
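Review bot: The two `return r` lines at the end of `reset_all_user_tokens` differ only in indentation, which this rendered view drops, so the block the return now belongs to cannot be checked from the hunk; the function body starts outside it. None of the test changes in this commit exercise `reset_all_user_tokens` (they cover `authcache.cleanup` and TOTP `resync`), so if the re-indentation moved the return out of a conditional, the path that previously fell through is left unpinned. A short comment above the return, e.g. `# always hand back the wrapped result, not only on the registration-token path`, would document the intent if that is what the re-indentation achieves.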
@@ -465,15 +465,16 @@ def resync(self, otp1, otp2, options=None):
oCount = self.get_otp_count()

log.debug("tokenCounter: {0!r}".format(oCount))
log.debug("now checking window {0!s}, timeStepping {1!s}".format(self.timewindow, self.timestep))
sync_window = self.get_sync_window()
log.debug("now checking window {0!s}, timeStepping {1!s}".format(sync_window, self.timestep))
# check 2nd value
hmac2Otp = HmacOtp(secretHOtp,
counter,
otplen,
self.get_hashlib(self.hashlib))
log.debug("{0!s} in otpkey: {1!s} ".format(otp2, secretHOtp))
res2 = hmac2Otp.checkOtp(otp2,
int(self.timewindow / self.timestep),
int(sync_window),
symetric=True) # TEST -remove the 10
log.debug("res 2: {0!r}".format(res2))
# check 1st value
@@ -483,7 +484,7 @@ def resync(self, otp1, otp2, options=None):
self.get_hashlib(self.hashlib))
log.debug("{0!s} in otpkey: {1!s} ".format(otp1, secretHOtp))
res1 = hmac2Otp.checkOtp(otp1,
int(self.timewindow / self.timestep),
int(sync_window),
symetric=True) # TEST -remove the 10
log.debug("res 1: {0!r}".format(res1))

@@ -7,7 +7,8 @@

from privacyidea.lib.authcache import (add_to_cache, delete_from_cache,
update_cache_last_auth, verify_in_cache,
_hash_password)
_hash_password,
cleanup)
from privacyidea.models import AuthCache
import datetime

@@ -92,7 +93,23 @@ def test_03_delete_old_entries(self):
r = AuthCache.query.filter(AuthCache.username == "grandpa").first()
self.assertEqual(r, None)

def test_04_cleanup_authcache(self):
# cleanup everything!
r = cleanup(100000000)
# Create some entries:
AuthCache("grandpa", self.realm, self.resolver, _hash_password(self.password),
first_auth=datetime.datetime.utcnow() - datetime.timedelta(
days=10),
last_auth=datetime.datetime.utcnow() - datetime.timedelta(
days=2)).save()
AuthCache("grandpa", self.realm, self.resolver, _hash_password(self.password),
first_auth=datetime.datetime.utcnow() - datetime.timedelta(
minutes=10),
last_auth=datetime.datetime.utcnow() - datetime.timedelta(
minutes=2)).save()



# Now we delete entries, that are older than 20 minutes. Only the 2 days old
# should be deleted. Not the 2 minutes old.
r = cleanup(10)
self.assertEqual(1, r)

@@ -603,15 +603,24 @@ def test_23_resync(self):
token = TotpTokenClass(db_token)
token.update({"otpkey": self.otpkey,
"otplen": 6})
token.token.count = 47251400
token.set_sync_window(1000)
# Successful resync
# 705493 -> 47251649
# 589836 -> 47251650
# So the token might be at time 47251650,
# but the server time is 47251600

# The server time is 2000*30 seconds further, the resync will fail
# 47253650 - 47251650 = 2000 ticks away
token.token.count = 47251400
r = token.resync("705493", "589836",
options={"initTime": 47253650 * 30})
self.assertFalse(r)
# Successful resync
token.token.count = 47251400
# The server time is 200*30 seconds further
# 47251850 - 47251650 = 200 ticks away
r = token.resync("705493", "589836",
options={"initTime": 47251650 * 30})
options={"initTime": 47251850 * 30})
self.assertTrue(r is True, r)
# resync fails
token.token.count = 0
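Review bot: The comment block after `token.set_sync_window(1000)` still ends with "but the server time is 47251600", yet neither resync call in the new code uses that value — the failing case runs at 47253650 and the successful one at 47251850 — so it should be reworded to match, e.g. `# The token may be at 47251650; the server time is set per case below`. With the window fixed at 1000 ticks, the two cases sit at 2000 and 200 ticks; a case at the edge (1000 and 1001 ticks away) would pin whether the window bound is inclusive, which the current pair leaves open. `test_23_resync` continues outside the hunk.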
