Is the WebUI login taking into account authorization policies?

phasenohr · March 21, 2019, 5:18pm

Hello,

I would like to achieve the following:

users accessing the webUI from internal network are allowed to use any token they have configured
users accessing the webUI from outside are allowed to use only a token of type sms

So far, I have a WebUI policy with login_mode set to privacyIDEA and no IP associated to it. This means that anyone (but the admin) needs to provide an OTP to login in the web interface of PI. Perfect.

Now, as a first test, I created an authorization policy with tokentype set to sms and placed as Client the IP of my computer. Still I could log in the WebUI of PI with a paper-based token.

Thus I am wondering if the WebUI access is honouring authorization policies (and authentication policies as well).
Could anyone provide me with some information about it?

I am running version 2.22

Thank you in advance.

Best regards,
Paul Hasenohr

cornelinux · March 23, 2019, 6:15am

Hello Paul,
welcome back.
Interesting question!

The endpoint validate/check uses the policy for the tokentype:

github.com

privacyidea/privacyidea/blob/master/privacyidea/api/validate.py#L218




@validate_blueprint.route('/check', methods=['POST', 'GET'])
@validate_blueprint.route('/radiuscheck', methods=['POST', 'GET'])
@postpolicy(mangle_challenge_response, request=request)
@postpolicy(construct_radius_response, request=request)
@postpolicy(no_detail_on_fail, request=request)
@postpolicy(no_detail_on_success, request=request)
@postpolicy(add_user_detail_to_response, request=request)
@postpolicy(offline_info, request=request)
@postpolicy(check_tokeninfo, request=request)
@postpolicy(check_tokentype, request=request)
@postpolicy(check_serial, request=request)
@postpolicy(autoassign, request=request)
@prepolicy(set_realm, request=request)
@prepolicy(mangle, request=request)
@prepolicy(save_client_application_type, request=request)
@check_user_or_serial_in_request(request)
@CheckSubscription(request)
@prepolicy(api_key_required, request=request)
@event("validate_check", request, g)
def check():

The login for the webui is the /auth endpoint here:

github.com

privacyidea/privacyidea/blob/master/privacyidea/api/auth.py#L102


                        "client": g.client_ip,
                        "client_user_agent": request.user_agent.browser,
                        "privacyidea_server": privacyidea_server,
                        "action": "{0!s} {1!s}".format(request.method, request.url_rule),
                        "action_detail": "",
                        "info": ""})




@jwtauth.route('', methods=['POST'])
@postpolicy(get_webui_settings)
def get_auth_token():
    """
    This call verifies the credentials of the user and issues an
    authentication token, that is used for the later API calls. The
    authentication token has a validity, that is usually 1 hour.


    :jsonparam username: The username of the user who wants to authenticate to
        the API.
    :jsonparam password: The password/credentials of the user who wants to
        authenticate to the API.

which for reasons not decorated with the policy decorater.

The webui is then is checked here:

github.com

privacyidea/privacyidea/blob/dccc9f408a85d314a6fba1f20cba9947200dfdcb/privacyidea/lib/auth.py#L95


def get_db_admin(username):
    return Admin.query.filter(Admin.username == username).first()




def delete_db_admin(username):
    print("Deleting admin {0!s}".format(username))
    fetch_one_resource(Admin, username=username).delete()




@libpolicy(login_mode)
def check_webui_user(user_obj,
                     password,
                     options=None,
                     superuser_realms=None,
                     check_otp=False):
    """
    This function is used to authenticate the user at the web ui.
    It checks against the userstore or against OTP/privacyidea (check_otp).
    It returns a tuple of


    * true/false if the user authenticated successfully

So to answer your questions, no these policies are not checked.

Regards
Cornelius

phasenohr · March 25, 2019, 1:19pm

Hello Cornelius,

Thanks a lot for your prompt reply.
Would it require a significant amount of work to make it possible and do you think that other users would be interested in such a feature?

Best regards,
Paul

cornelinux · March 26, 2019, 3:31pm

significant is an interesting word. The answer to your second question is probably “yes”.

cornelinux · March 26, 2019, 3:34pm

See here: https://github.com/privacyidea/privacyidea/issues/1537

phasenohr · April 4, 2019, 4:11pm

Thanks for having opened an issue about it with a milestone associated to it!
And my apologies for this late answer.