privacyidea
policy scope webui - userinfo groups is working as additional condition
Top-level intent
What did you try to achieve?
Different webui policies for different LDAP groups,
e.g. one with loginmode=privacyidea and another one with loginmode=disabled
Steps to reproduce
- create a new policy with scope webui
- add additional conditions: userinfo groups contains, e.g. CN=Group1,OU=Groups,DC=example,DC=com
- configure some action like loginmode or tokenwizard
- try to login
Expected outcome
What do you think, how the system should have worked?
Authentication successful
Actual outcome
What did actually happen?
Authentication failed. Policy 'example' has condition on userinfo, but an according object is not available
Configuration
- privacyIDEA version: 3.9.3
- Installation method: docker
- docker image: khalibre/privacyidea:main-python-3.9.18-slim-bookworm
- Python version: 3.9.18
- Operating system: Ubuntu 22.04.2 LTS
- Webserver: Traefik/GUNICORN
- Token database: MariaDB
Log file
Set PI_LOGLEVEL = logging.DEBUG in pi.cfg and take a look at the privacyidea.log! If appropriate, attach the log file or paste relevant portions.
```
[2024-07-20 22:38:16,429][12][140108651400064][ERROR][privacyidea.lib.policy:988] Policy 'example' has condition on userinfo, but the according object is not available - possible programming error
  File "/opt/privacyidea/bin/gunicorn", line 8, in <module>
    sys.exit(run())
  File "/opt/privacyidea/lib/python3.9/site-packages/gunicorn/app/wsgiapp.py", line 67, in run
    WSGIApplication("%(prog)s [OPTIONS] [APP_MODULE]", prog=prog).run()
  File "/opt/privacyidea/lib/python3.9/site-packages/gunicorn/app/base.py", line 236, in run
    super().run()
  File "/opt/privacyidea/lib/python3.9/site-packages/gunicorn/app/base.py", line 72, in run
    Arbiter(self).run()
  File "/opt/privacyidea/lib/python3.9/site-packages/gunicorn/arbiter.py", line 202, in run
    self.manage_workers()
  File "/opt/privacyidea/lib/python3.9/site-packages/gunicorn/arbiter.py", line 571, in manage_workers
    self.spawn_workers()
  File "/opt/privacyidea/lib/python3.9/site-packages/gunicorn/arbiter.py", line 642, in spawn_workers
    self.spawn_worker()
  File "/opt/privacyidea/lib/python3.9/site-packages/gunicorn/arbiter.py", line 609, in spawn_worker
    worker.init_process()
  File "/opt/privacyidea/lib/python3.9/site-packages/gunicorn/workers/base.py", line 142, in init_process
    self.run()
  File "/opt/privacyidea/lib/python3.9/site-packages/gunicorn/workers/sync.py", line 126, in run
    self.run_for_one(timeout)
  File "/opt/privacyidea/lib/python3.9/site-packages/gunicorn/workers/sync.py", line 70, in run_for_one
    self.accept(listener)
  File "/opt/privacyidea/lib/python3.9/site-packages/gunicorn/workers/sync.py", line 32, in accept
    self.handle(listener, client, addr)
  File "/opt/privacyidea/lib/python3.9/site-packages/gunicorn/workers/sync.py", line 135, in handle
    self.handle_request(listener, req, client, addr)
  File "/opt/privacyidea/lib/python3.9/site-packages/gunicorn/workers/sync.py", line 178, in handle_request
    respiter = self.wsgi(environ, resp.start_response)
  File "/opt/privacyidea/lib/python3.9/site-packages/flask/app.py", line 2464, in __call__
    return self.wsgi_app(environ, start_response)
  File "/opt/privacyidea/lib/python3.9/site-packages/flask/app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "/opt/privacyidea/lib/python3.9/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/privacyidea/lib/python3.9/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/opt/privacyidea/lib/python3.9/site-packages/privacyidea/api/lib/prepolicy.py", line 159, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/opt/privacyidea/lib/python3.9/site-packages/privacyidea/api/lib/prepolicy.py", line 159, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/opt/privacyidea/lib/python3.9/site-packages/privacyidea/api/lib/prepolicy.py", line 159, in policy_wrapper
    return wrapped_function(*args, **kwds)
  [Previous line repeated 2 more times]
  File "/opt/privacyidea/lib/python3.9/site-packages/privacyidea/api/lib/postpolicy.py", line 113, in policy_wrapper
    return self.function(self.request, response, *args, **kwds)
  File "/opt/privacyidea/lib/python3.9/site-packages/privacyidea/api/lib/postpolicy.py", line 555, in get_webui_settings
    and Match.generic(g, scope=SCOPE.WEBUI, action=ACTION.TOKENWIZARD2ND,
  File "/opt/privacyidea/lib/python3.9/site-packages/privacyidea/lib/policy.py", line 2752, in policies
    return self._g.policy_object.match_policies(audit_data=audit_data, request_headers=request_headers,
  File "/opt/privacyidea/lib/python3.9/site-packages/privacyidea/lib/log.py", line 185, in log_wrapper
    f_result = func(*args, **kwds)
  File "/opt/privacyidea/lib/python3.9/site-packages/privacyidea/lib/policy.py", line 778, in match_policies
    reduced_policies = self.filter_policies_by_conditions(reduced_policies, user_object, request_headers,
  File "/opt/privacyidea/lib/python3.9/site-packages/privacyidea/lib/policy.py", line 813, in filter_policies_by_conditions
    if not self._policy_matches_info_condition(policy, key, comparator, value,
  File "/opt/privacyidea/lib/python3.9/site-packages/privacyidea/lib/policy.py", line 990, in _policy_matches_info_condition
    "{!s}.".format(policy['name'], type, ''.join(traceback.format_stack())))
.
```
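An added illustration, not privacyIDEA's code and not part of the original report: a simplified model of a `userinfo` condition check that fails closed when the caller has no user object, which is the error shown in the log above. The function names `matches_userinfo` and `match_policies`, the policy dictionaries and the sample users are assumptions made for this example.

```python
# Simplified model for illustration; not privacyIDEA source code.
class PolicyError(Exception):
    """A policy condition could not be evaluated."""


def matches_userinfo(policy, user_info):
    """Check the userinfo conditions of one policy.

    user_info is the attribute dict of the resolved user, or None when the
    caller has no user object to offer.
    """
    for key, comparator, value in policy.get("conditions", []):
        if user_info is None:
            # Fail closed: a condition that cannot be evaluated must neither
            # match silently nor be skipped, so the request is rejected.
            raise PolicyError(
                "Policy {!r} has condition on userinfo, but an according "
                "object is not available".format(policy["name"]))
        actual = user_info.get(key, [])
        if comparator == "contains":
            if value not in actual:
                return False
        elif comparator == "equals":
            if actual != value:
                return False
        else:
            raise PolicyError("Unknown comparator {!r}".format(comparator))
    return True


def match_policies(policies, scope, action, user_info=None):
    """Names of policies in scope that set the action and whose conditions hold."""
    return [p["name"] for p in policies
            if p["scope"] == scope and action in p["actions"]
            and matches_userinfo(p, user_info)]


# Constructed sample data modelled on the report.
GROUP1 = "CN=Group1,OU=Groups,DC=example,DC=com"
POLICIES = [
    {"name": "example", "scope": "webui",
     "actions": {"loginmode": "privacyidea"},
     "conditions": [("groups", "contains", GROUP1)]},
    {"name": "fallback", "scope": "webui",
     "actions": {"loginmode": "disabled"}, "conditions": []},
]
ALICE = {"username": "alice", "groups": [GROUP1]}  # constructed user
BOB = {"username": "bob", "groups": []}            # constructed user
```

In this model a lookup for `loginmode` with a resolved user returns the matching policy names, while the same lookup without a user raises `PolicyError` instead of silently ignoring the conditional policy.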
Why is Authenticator Pro getting removed from the Google Play Store 😢
Dear @jamie-mh,
Oh no! The main reason for this app is to not sell users' info, right? This is because your rating is higher than theirs and they want to intimidate. Like with all the alternative YT apps. It's ridiculous that they have to stomp out anyone who has something better than them. It's not like they don't own everything and that you have to succumb to using their play store. Oh well, we will promote everywhere else. I wouldn't want to be where the owners don't play fair anyways.
Always, L.
Does removal from the Play Store mean that Wear OS compatibility will break or be discontinued? I notice that the website's comparison says it's not supported in the F-Droid version. The Wear OS companion app is the only reason I chose to use Authenticator Pro.
Does removal from the Play Store mean that Wear OS compatibility will break or be discontinued?
WearOS app certainly needs to be signed to communicate. That actually is what makes Authenticator so great.
How much would you need for a PO box? Maybe we could help with the Donate button.
You could also contact a company or a non-profit organization, in France we have Framasoft that is a huge promoter of open source.
Edit: I read the policy, and as a personal developer, it indicates that only your country would be public and not the whole address (which is displayed for companies). At least in the French version (maybe our personal data are more protected by GDPR).
As @MisterDams said, according to the Play Console help article (looks like an EU version of the article), Google Play will only show the country:
Google will display your legal name, your country (as per your legal address), and developer email address on Google Play. If you decide to monetize on Google Play then Google will display your full address.
I hope this calms your worries, @jamie-mh. If not, I respect your choice!
If you go through with the deletion, what will happen to the Wear OS app?
The issue is that I've monetised apps on the account in the past. Despite them being unpublished, the rule applies to all apps, even to those created way before the policy was implemented. I've confirmed this with the Google Play developer support.
Since my account is tainted, the only option is to create a new one and republish the app under a different name. The app won't be removed from anyone's device though.
This sucks because of a few reasons:
- There are restrictions in place for new Google Play accounts - I guess to prevent spam. Not sure how difficult this is to adhere to.
- Users will stop receiving updates and they won't be notified that the app is no longer available. To migrate, they would need to uninstall the old one, install the new one and restore a backup.
I realise that Google Play is the only reasonable way to distribute the Wear OS app. You can sideload APKs but that's not exactly intuitive.
@jamie-mh I see, that's an unfortunate situation. I'd be fine with sideloading the Wear OS app, but I can see that others might be uncomfortable with that.
Did you already publish your app to F-Droid? Maybe I'm missing something, but I'm unable to find it there.
upd: ah, sorry, found a repo - https://authenticatorpro.jmh.me/fdroid/repo/
@jamie-mh Can the git release autoupdate from github or display a notification when there's an update?
Any thoughts on allowing donations for PO box, etc? Hard for me to recommend this app when new users can't install it from the Play Store.
Thanks for all your work
What is the reason for using a separate F-Droid repository instead of the "normal" F-Droid repository?
I'm dealing with this myself on my own developer account. I believe you should be able to create a new unmonetized developer account and transfer the app to it. I'm happy to sponsor the registration fee for a new dev account if needed.
@jamie-mh Can the git release autoupdate from github or display a notification when there's an update?
You can use Obtainium. https://github.com/ImranR98/Obtainium
Seconding the recommendation of Obtainium. That's actually how I get and update Authenticator Pro, too.
I'm dealing with this myself on my own developer account. I believe you should be able to create a new unmonetized developer account and transfer the app to it. I'm happy to sponsor the registration fee for a new dev account if needed.
No idea what the fee is but I'd be willing to contribute as well.
Did someone already manage to sideload the app to WearOS without play store?
Struggling a little bit here... Is there some tutorial?
That kind of stinks, I was wondering why it was no longer installed on my device. Heads up for anyone that does have it installed via playstore, it may auto uninstall so make sure you have backups.
That kind of stinks, I was wondering why it was no longer installed on my device. Heads up for anyone that does have it installed via playstore, it may auto uninstall so make sure you have backups.
Wow this is super scary if it auto uninstalls, does this actually happen?
That kind of stinks, I was wondering why it was no longer installed on my device. Heads up for anyone that does have it installed via playstore, it may auto uninstall so make sure you have backups.
I doubt it was removed automatically. From https://support.google.com/googleplay/answer/12246761?hl=en:
If an app is removed from Google Play, will the app be removed from my device? No, the app will not be removed from your device. You can continue to use the app, however you will not be able to update your app. If you remove the app from your device, you will not be able to redownload the app unless the developer is able to republish it to Google Play.
That kind of stinks, I was wondering why it was no longer installed on my device. Heads up for anyone that does have it installed via playstore, it may auto uninstall so make sure you have backups.
Wow this is super scary if it auto uninstalls, does this actually happen?
Mine did on my phone anyway, I had to re-download from my f-droid client and restore my backup. This also makes me wonder about the watch app and if there will be an easy way to download it or if it will have continued support. I personally use the watch app on a daily basis.
That kind of stinks, I was wondering why it was no longer installed on my device. Heads up for anyone that does have it installed via playstore, it may auto uninstall so make sure you have backups.
I doubt it was removed automatically. From https://support.google.com/googleplay/answer/12246761?hl=en:
If an app is removed from Google Play, will the app be removed from my device? No, the app will not be removed from your device. You can continue to use the app, however you will not be able to update your app. If you remove the app from your device, you will not be able to redownload the app unless the developer is able to republish it to Google Play.
I would assume the same. I am only posting my experience, which is that this morning I could no longer find the app installed on my device. I am the only person that has access to my device. There should be no reason an app should uninstall automatically, but it was clearly not installed on my phone (S24U) anymore and I did not remove it, as I depend on it on a daily basis. Maybe I just ran into a bug, or something else has caused this strange behavior, but regardless of if it happened to me it could happen to others.
Edit: To clarify what I mean above, there are circumstances in which the Google Play Store may automatically remove an app from a device after it has been removed from the Google Play Store, which include actions of the developer, possible security concerns, users' device policies, etc. Being an authentication app, there could be the "security concerns", or because the dev isn't agreeing to the new policy (which I understand and support the dev's decision) it could fall under "developers actions". Where I mention users' device policies and that I could possibly have had something else go wrong is that I do have work policies installed on my phone that are required for security reasons by my work, and they do monitor for valid apps and could possibly have decided that it was not a safe app to have installed.
I've imported all my codes from here to 2fas and apart from grid view it's just as good.
Make a new account and make a "Pro" version of the app. Charge $1 or $2 for the Pro version (Or the watch app?!)!!
I think we'd all be happy to chip in to help you find a way to cover you on this!
Please republish with a new account and just add a 15$ price tag. I'll gladly pay again for your app. Sure others will too...
WearOS looks like it doesn't work anymore. I sideloaded the APK on my watch and I get the dreaded blue cloud.
@nuttylmao Make sure you're using the correct apks. I just got a new phone and ran into the same issue initially but all is working well now.
https://github.com/jamie-mh/AuthenticatorPro/releases/tag/1.25.2
You'll want the "me.jmh.authenticatorpro.apk" for your phone and "me.jmh.authenticatorpro.wearos.apk" for your watch.
WearOS looks like it doesn't work anymore. I sideloaded the APK on my watch and I get the dreaded blue cloud.
The phone app connection to the wearOS doesn't work on the fdroid or other version so make sure you grab the ones NOT labeled as such.
me.jmh.authenticatorpro.apk me.jmh.authenticatorpro.wearos.apk
@nuttylmao Make sure you're using the correct apks. I just got a new phone and ran into the same issue initially but all is working well now.
https://github.com/jamie-mh/AuthenticatorPro/releases/tag/1.25.2
You'll want the "me.jmh.authenticatorpro.apk" for your phone and "me.jmh.authenticatorpro.wearos.apk" for your watch.
I'm almost positive that's what I did. I'm definitely using that APK for my watch because I just got a new watch today and it was the only way to get it on the watch since it's not on the Play Store anymore.
WearOS looks like it doesn't work anymore. I sideloaded the APK on my watch and I get the dreaded blue cloud.
The phone app connection to the wearOS only works with the play store
It's not on the Play Store anymore which was my point.
WearOS looks like it doesn't work anymore. I sideloaded the APK on my watch and I get the dreaded blue cloud.
The phone app connection to the wearOS only works with the play store
It's not on the Play Store anymore which was my point.
Yeah, I didn't word it quite right. I fix my comment.
I did have the same issue at first... I installed both and added the tile and saw the no connection cloud. BUT! Just now I OPENED THE APP on my watch, rather than just going to the tile, and all is fine.
Did you launch the app once after you installed it, before you went to the tile?
I'm dealing with this myself on my own developer account. I believe you should be able to create a new unmonetized developer account and transfer the app to it. I'm happy to sponsor the registration fee for a new dev account if needed.
No idea what the fee is but I'd be willing to contribute as well.
Looks like it's only $25 to register
@jamie-mh, have you decided what you'd like to do yet? We'll get your $25 back and then some! 🤘
