linotp.lib.policy package

policy processing

exception linotp.lib.policy.AuthorizeException(description='unspecified error!')

Bases: LinotpError

exception linotp.lib.policy.MaxTokenRealmPolicyException(description='unspecified error!')

Bases: PolicyException

Token count policy violation in a realm.

error_code = 413

exception linotp.lib.policy.MaxTokenTypeUserPolicyException(description='unspecified error!')

Bases: PolicyException

Token count policy violation of a user for a single token type.

error_code = 412

exception linotp.lib.policy.MaxTokenUserPolicyException(description='unspecified error!')

Bases: PolicyException

Token count policy violation of a user across all token types.

error_code = 411

exception linotp.lib.policy.PolicyException(description='unspecified error!')

Bases: LinotpError

Generic exception class for unspecified policy violations.

error_code = 410

linotp.lib.policy.autoassignment_forward(user)

Return the status of autoassigment forwarding.

this function checks the policy scope=enrollment, action=autoassignment This is a boolean policy. The function returns true, if autoassignment is defined.

linotp.lib.policy.checkAdminAuthorization(policies, serial, user, fitAllRealms=False)

This function checks if the token object defined by either “serial” or “user” is in the corresponding realm, where the admin has access to / fits to the given policy.

fitAllRealms: If set to True, then the administrator must have rights

in all realms of the token. e.g. for deleting tokens.

returns:

True: if admin is allowed False: if admin is not allowed

linotp.lib.policy.checkAuthorisation(scope, method)

Check if the authenticated user has the right to do the given action.

Parameters

• scope – scope of the policy to be checked

• method – the requested action

Returns

nothing if authorized, else raise PolicyException

linotp.lib.policy.checkOTPPINPolicy(pin, user)

This function checks the given PIN (OTP PIN) against the policy returned by the function

getOTPPINPolicy

It returns a dictionary:

{‘success’: True/False,

‘error’: errortext}

At the moment this works for the selfservice portal

linotp.lib.policy.checkPolicyPost(controller, method, param=None, user=None)

This function will check policies after a successful action in a controller. E.g. this can be setting a random PIN after successfully enrolling a token.

Parameters

• controller – the controller context

• method – the calling action

• param – This is a dictionary with the necessary parameters.

• auth_user – This is the authenticated user. For the selfservice this will be the user in the selfservice portal, for admin or manage it will be the administrator

Returns

It returns a dictionary with the necessary results. These depend on the controller.

linotp.lib.policy.checkPolicyPre(controller, method, param=None, authUser=None, user=None)

This function will check for all policy definition for a certain controller/method It is run directly before doing the action in the controller. I will raise an exception, if it fails.

Parameters

param – This is a dictionary with the necessary parameters.

Returns

dictionary with the necessary results. These depend on the controller.

linotp.lib.policy.checkToolsAuthorisation(method, param=None)

linotp.lib.policy.check_auth_serial(serial, exception=False, user=None)

Checks if the token with the serial number matches the serial authorize policy scope=authoriztaion, action=serial

Parameters

• serial (string) – The serial number of the token to check

• exception (boolean) – If “True” an exception is raised instead of returning False

• user (User object) – User to narrow down the policy

Returns

result

Return type

boolean

linotp.lib.policy.check_auth_tokentype(serial, exception=False, user=None)

Checks if the token type of the given serial matches the tokentype policy.

Returns

True/False - returns true or false or raises an exception if exception=True

linotp.lib.policy.check_token_reporting(realm)

parse reporting policies for given realm and user :param realm: the realm to be reported :return: list of status like [assigned, active&unassigned, total]

linotp.lib.policy.check_user_authorization(login, realm, exception=False)

check if the given user/realm is in the given policy. The realm may contain the wildcard ‘*’, then the policy holds for all realms. If no username or ‘*’ is given, the policy holds for all users.

attributes:

login - loginname of the user realm - realm of the user exception - wether it should return True/False or raise an Exception

linotp.lib.policy.createRandomPin(user, min_pin_length)

create a random pin

Parameters

• min_pin_length – the requested minimum pin length

• user – user defines the realm/user policy selection

Returns

the new pin

linotp.lib.policy.delete_on_authentication_exceed(user, realms=None)

returns True if the token should be disable, if max auth count is reached

linotp.lib.policy.disable_on_authentication_exceed(user, realms=None)

returns True if the token should be disable, if max auth count is reached

linotp.lib.policy.getAdminPolicies(action, scope='admin')

This internal function returns the policies (default: of scope=admin) for the currently authenticated administrativ user.__builtins__

Parameters

• action – this is the action (like enable, disable, init…)

• scope – scope of the policies, might be admin, monitoring, reporting.access

Returns

a dictionary with the following keys:

• active (if policies are used)

• realms (the realms, in which the admin is allowed to do this action)

• resolvers (the resolvers in which the admin is allowed to perform this action)

• admin (the name of the authenticated admin user)

linotp.lib.policy.getOTPPINEncrypt(serial=None, user=None)

This function returns, if the otppin should be stored as an encrpyted value

linotp.lib.policy.get_auth_AutoSMSPolicy(realms=None)

Returns true, if the autosms policy is set in one of the realms.

return:

True or False

input:

list of realms

linotp.lib.policy.get_auth_challenge_response(user, ttype)

returns True, if the user in this realm with this token type should be authenticated via Challenge Response

Parameters

• user – the user object

• ttype – the type of the token

Returns

bool

linotp.lib.policy.get_auth_forward(user)

Returns the list of all forwarding servers.

linotp.lib.policy.get_auth_forward_on_no_token(user)

returns True, if the user in this realm should be forwarded in case the user has no tokens assigned.

linotp.lib.policy.get_auth_passOnNoToken(user)

returns True, if the user in this realm should be always authenticated in case the user has no tokens assigned.

linotp.lib.policy.get_auth_passthru(user)

returns True, if the user in this realm should be authenticated against the UserIdResolver in case the user has no tokens assigned.

linotp.lib.policy.get_auto_enrollment(user)

this function checks the policy scope=enrollment, action=autoenrollment This policy policy returns the tokentyp: sms or email The function returns true, if autoenrollment is defined.

linotp.lib.policy.get_autoassignment(user)

this function checks the policy scope=enrollment, action=autoassignment This is a boolean policy. The function returns true, if autoassignment is defined.

linotp.lib.policy.get_autoassignment_from_realm(user)

this function checks the policy scope=enrollment,

action=autoassignment_from_realm

Returns

the realm where the tokens should be taken from

linotp.lib.policy.get_autoassignment_without_pass(user)

Check if autoassigment without password for the user is allowed.

Returns

boolean

linotp.lib.policy.get_partition(realms, user)

Get the partition (key pair identifier) that should be used.

linotp.lib.policy.get_pin_policies(user)

lookup for the pin policies - the list of policies is preserved for repeated lookups

: raises: exception, if more then one pin policies are matching

Parameters

user – the policies which are applicable to the user

Returns

list of otppin id’s

linotp.lib.policy.get_single_auth_policy(policy_name, user=None, realms=None)

Retrieves a policy value and checks if the value is consistent across realms.

Parameters

• policy_name – the name of the policy, e.g: * qrtoken_pairing_callback_url * qrtoken_pairing_callback_sms * qrtoken_challenge_response_url * qrtoken_challenge_response_sms

• realms – the realms that his policy should be effective in

linotp.lib.policy.get_tokenissuer(serial, user='', realm='', description='')

Get the token issuer.

This internal function returns the issuer of the token as defined in policy scope = enrollment, action = tokenissuer = <string> The string can have the following variables:

<u>: user <r>: realm <s>: token serial <d>: the token description

This function is used to create ‘otpauth’ tokens

Parameters

• user – the user login string

• realm – the realm of the user

• serial – the token serial

• description – the token description

Returns

the tokenlabel string - default is ‘LinOTP’

linotp.lib.policy.get_tokenlabel(serial, user='', realm='', description='')

Get the label for a token.

This internal function returns the naming of the token as defined in policy scope = enrollment, action = tokenname = <string> The string can have the following variables: - <u>: user - <r>: realm - <s>: token serial - <d>: the token description

This function is used to create ‘otpauth’ tokens

Parameters

• user – the user login string

• realm – the realm of the user

• serial – the token serial

• description – the token description

Returns

the tokenlabel string - default is user or serial

linotp.lib.policy.ignore_autoassignment_pin(user)

Should autoassignment pin be ignored?

This function checks the policy

scope=enrollment, action=ignore_autoassignment_pin

This is a boolean policy. The function returns true, if the password used in the autoassignment should not be set as token pin.

linotp.lib.policy.is_auth_return(success=True, user=None)

returns True if the policy

scope = authorization action = detail_on_success/detail_on_fail is set.

Parameters

success (bool) – Defines if we should check of the policy detaul_on_success (True) or detail_on_fail (False)

linotp.lib.policy.parse_policy(composite_key, value)

Parses policy data from a config entry

linotp.lib.policy.purge_enrollment_token(user, realm=None)

Get status of enrollment token purging.

lookup in the policies if the rollout token should be removed after the successfull login with a second token

Parameters

user – the token owner

Returns

boolean

linotp.lib.policy.set_realm(login, realm, exception=False)

this function reads the policy scope: authorization, client: x.y.z, action: setrealm=new_realm and overwrites the existing realm of the user with the new_realm. This can be used, if the client is not able to pass a realm and the users are not be located in the default realm.

returns:

realm - name of the new realm taken from the policy

linotp.lib.policy.supports_offline(realms, token)

Check if offline is allowed for the given token.

Parameters

• realms – the realms to be checked

• token – the token to be checked

:returns bool

linotp.lib.policy.trigger_phone_call_on_empty_pin(realms=None)

Trigger a phone call on empty pin?

returns true if a check_s should be allowed to trigger an phone call for the voice token

linotp.lib.policy.trigger_sms(realms=None)

Status, if a check_s should be allowed to trigger an sms.

Submodules

• linotp.lib.policy.action module
  • PolicyActionTyping
    • PolicyActionTyping.convert()
    • PolicyActionTyping.convert_actions()
  • get_action_value()
  • get_selfservice_action_value()
  • get_selfservice_actions()
• linotp.lib.policy.definitions module
  • get_policy_definitions()
• linotp.lib.policy.evaluate module
  • PolicyEvaluator
    • PolicyEvaluator.add_filter()
    • PolicyEvaluator.add_match_type()
    • PolicyEvaluator.evaluate()
    • PolicyEvaluator.filter_for_action()
    • PolicyEvaluator.filter_for_active()
    • PolicyEvaluator.filter_for_client()
    • PolicyEvaluator.filter_for_name()
    • PolicyEvaluator.filter_for_realm()
    • PolicyEvaluator.filter_for_scope()
    • PolicyEvaluator.filter_for_time()
    • PolicyEvaluator.filter_for_user()
    • PolicyEvaluator.has_policy()
    • PolicyEvaluator.reset_filters()
    • PolicyEvaluator.select()
    • PolicyEvaluator.set_filters()
  • action_compare()
  • bool_compare()
  • cron_compare()
  • ip_list_compare()
  • string_compare()
  • time_list_compare()
  • user_list_compare()
  • value_list_compare()
  • wildcard_icase_list_compare()
  • wildcard_list_compare()
• linotp.lib.policy.filter module
  • AttributeCompare
    • AttributeCompare.compare()
    • AttributeCompare.set_key_val_compare()
    • AttributeCompare.set_user_access()
  • UserDomainCompare
    • UserDomainCompare.compare()
    • UserDomainCompare.exists()
• linotp.lib.policy.forward module
  • ForwardServerPolicy
    • ForwardServerPolicy.Path_index
    • ForwardServerPolicy.Query_index
    • ForwardServerPolicy.do_request()
    • ForwardServerPolicy.prepare_forward()
• linotp.lib.policy.manage module
  • PolicyWarning
  • create_policy_export_file()
  • deletePolicy()
  • import_policies()
  • setPolicy()
• linotp.lib.policy.maxtoken module
  • check_maxtoken()
  • check_maxtoken_for_user()
  • check_maxtoken_for_user_by_type()
• linotp.lib.policy.processing module
  • getPolicy()
  • get_client_policy()
  • has_client_policy()
  • is_authorized()
  • search_policy()
• linotp.lib.policy.util module
  • are_the_same()
  • get_copy_of_policies()
  • get_policies()
  • get_realm_from_policies()
  • get_resolvers_for_realms()
  • parse_action_value()
  • parse_policies()
  • split_value()