linotp.lib.policy module

policy processing

exception linotp.lib.policy.AuthorizeException(description='unspecified error!')[source]

Bases: linotp.lib.error.LinotpError

exception linotp.lib.policy.PolicyException(description='unspecified error!')[source]

Bases: linotp.lib.error.LinotpError

linotp.lib.policy.autoassignment_forward(user)[source]

this function checks the policy scope=enrollment, action=autoassignment This is a boolean policy. The function returns true, if autoassignment is defined.

linotp.lib.policy.checkAdminAuthorization(policies, serial, user, fitAllRealms=False)[source]

This function checks if the token object defined by either “serial” or “user” is in the corresponding realm, where the admin has access to / fits to the given policy.

fitAllRealms: If set to True, then the administrator must have rights
in all realms of the token. e.g. for deleting tokens.
returns:
True: if admin is allowed False: if admin is not allowed
linotp.lib.policy.checkAuthorisation(scope, method)[source]

check if the authenticated user has the right to do the given action :param scope: scope of the policy to be checked :param method: the requested action :return: nothing if authorized, else raise PolicyException

linotp.lib.policy.checkOTPPINPolicy(pin, user)[source]

This function checks the given PIN (OTP PIN) against the policy returned by the function

getOTPPINPolicy

It returns a dictionary:
{‘success’: True/False,
‘error’: errortext}

At the moment this works for the selfservice portal

linotp.lib.policy.checkPolicyPost(controller, method, param=None, user=None)[source]

This function will check policies after a successful action in a controller. E.g. this can be setting a random PIN after successfully enrolling a token.

Parameters:
  • controller – the controller context
  • method – the calling action
  • param – This is a dictionary with the necessary parameters.
  • auth_user – This is the authenticated user. For the selfservice this will be the user in the selfservice portal, for admin or manage it will be the administrator
Returns:

It returns a dictionary with the necessary results. These depend on the controller.

linotp.lib.policy.checkPolicyPre(controller, method, param=None, authUser=None, user=None)[source]

This function will check for all policy definition for a certain controller/method It is run directly before doing the action in the controller. I will raise an exception, if it fails.

Parameters:param – This is a dictionary with the necessary parameters.
Returns:dictionary with the necessary results. These depend on the controller.
linotp.lib.policy.checkToolsAuthorisation(method, param=None)[source]
linotp.lib.policy.check_auth_serial(serial, exception=False, user=None)[source]

Checks if the token with the serial number matches the serial authorize policy scope=authoriztaion, action=serial

Parameters:
  • serial (string) – The serial number of the token to check
  • exception (boolean) – If “True” an exception is raised instead of returning False
  • user (User object) – User to narrow down the policy
Returns:

result

Return type:

boolean

linotp.lib.policy.check_auth_tokentype(serial, exception=False, user=None)[source]

Checks if the token type of the given serial matches the tokentype policy

Returns:True/False - returns true or false or raises an exception if exception=True
linotp.lib.policy.check_token_reporting(realm)[source]

parse reporting policies for given realm and user :param realm: the realm to be reported :return: list of status like [assigned, active&unassigned, total]

linotp.lib.policy.check_user_authorization(login, realm, exception=False)[source]

check if the given user/realm is in the given policy. The realm may contain the wildcard ‘*’, then the policy holds for all realms. If no username or ‘*’ is given, the policy holds for all users.

attributes:
login - loginname of the user realm - realm of the user exception - wether it should return True/False or raise an Exception
linotp.lib.policy.delete_on_authentication_exceed(user, realms=None)[source]

returns True if the token should be disable, if max auth count is reached

linotp.lib.policy.disable_on_authentication_exceed(user, realms=None)[source]

returns True if the token should be disable, if max auth count is reached

linotp.lib.policy.getAdminPolicies(action, scope='admin')[source]

This internal function returns the policies (default: of scope=admin) for the currently authenticated administrativ user.__builtins__

Parameters:
  • action – this is the action (like enable, disable, init...)
  • scope – scope of the policies, might be admin, monitoring, reporting.access
Returns:

a dictionary with the following keys:

  • active (if policies are used)
  • realms (the realms, in which the admin is allowed to do this action)
  • resolvers (the resolvers in which the admin is allowed to perform this action)
  • admin (the name of the authenticated admin user)

linotp.lib.policy.getOTPPINEncrypt(serial=None, user=None)[source]

This function returns, if the otppin should be stored as an encrpyted value

linotp.lib.policy.getSelfserviceActions(user)[source]

This function returns the allowed actions in the self service portal for the given user

linotp.lib.policy.get_auth_AutoSMSPolicy(realms=None)[source]

Returns true, if the autosms policy is set in one of the realms

return:
True or False
input:
list of realms
linotp.lib.policy.get_auth_challenge_response(user, ttype)[source]

returns True, if the user in this realm with this token type should be authenticated via Challenge Response

Parameters:
  • user – the user object
  • ttype – the type of the token
Returns:

bool

linotp.lib.policy.get_auth_forward(user)[source]

returns the list of all forwarding servers

linotp.lib.policy.get_auth_passOnNoToken(user)[source]

returns True, if the user in this realm should be always authenticated in case the user has no tokens assigned.

linotp.lib.policy.get_auth_passthru(user)[source]

returns True, if the user in this realm should be authenticated against the UserIdResolver in case the user has no tokens assigned.

linotp.lib.policy.get_auto_enrollment(user)[source]

this function checks the policy scope=enrollment, action=autoenrollment This policy policy returns the tokentyp: sms or email The function returns true, if autoenrollment is defined.

linotp.lib.policy.get_autoassignment(user)[source]

this function checks the policy scope=enrollment, action=autoassignment This is a boolean policy. The function returns true, if autoassignment is defined.

linotp.lib.policy.get_autoassignment_from_realm(user)[source]
this function checks the policy scope=enrollment,
action=autoassignment_from_realm
Returns:the realm where the tokens should be taken from
linotp.lib.policy.get_autoassignment_without_pass(user)[source]

check if autoassigment without password for the user is allowed

Returns:boolean
linotp.lib.policy.get_partition(realms, user)[source]

returns the partition (key pair identifier) that should be used

linotp.lib.policy.get_pin_policies(user)[source]

lookup for the pin policies - the list of policies is preserved for repeated lookups

: raises: exception, if more then one pin policies are matching

Parameters:user – the policies which are applicable to the user
Returns:list of otppin id’s
linotp.lib.policy.get_qrtan_url(realms)[source]

Returns the URL for the half automatic mode for the QR TAN token for the given realm

Remark:there might be more than one url, if the token belongs to more than one realm
Parameters:realms – list of realms or None
Returns:url string
linotp.lib.policy.get_single_auth_policy(policy_name, user=None, realms=None)[source]

Retrieves a policy value and checks if the value is consistent across realms.

Parameters:
  • policy_name – the name of the policy, e.g: * qrtoken_pairing_callback_url * qrtoken_pairing_callback_sms * qrtoken_challenge_response_url * qrtoken_challenge_response_sms
  • realms – the realms that his policy should be effective in
linotp.lib.policy.get_tokenissuer(user='', realm='', serial='')[source]

This internal function returns the issuer of the token as defined in policy scope = enrollment, action = tokenissuer = <string> The string can have the following variables:

<u>: user <r>: realm <s>: token serial

This function is used to create ‘otpauth’ tokens

linotp.lib.policy.get_tokenlabel(user='', realm='', serial='')[source]

This internal function returns the naming of the token as defined in policy scope = enrollment, action = tokenname = <string> The string can have the following variables:

  • <u>: user
  • <r>: realm
  • <s>: token serial

This function is used by the creation of googleauthenticator url

linotp.lib.policy.ignore_autoassignment_pin(user)[source]
This function checks the policy
scope=enrollment, action=ignore_autoassignment_pin

This is a boolean policy. The function returns true, if the password used in the autoassignment should not be set as token pin.

linotp.lib.policy.is_auth_return(success=True, user=None)[source]
returns True if the policy
scope = authorization action = detail_on_success/detail_on_fail is set.
Parameters:success (bool) – Defines if we should check of the policy detaul_on_success (True) or detail_on_fail (False)
linotp.lib.policy.parse_policy(composite_key, value)[source]

Parses policy data from a config entry

linotp.lib.policy.set_realm(login, realm, exception=False)[source]

this function reads the policy scope: authorization, client: x.y.z, action: setrealm=new_realm and overwrites the existing realm of the user with the new_realm. This can be used, if the client is not able to pass a realm and the users are not be located in the default realm.

returns:
realm - name of the new realm taken from the policy
linotp.lib.policy.supports_offline(realms, token)[source]

Check if offline is allowed for the given token.

Parameters:
  • realms – the realms to be checked
  • token – the token to be checked

:returns bool

linotp.lib.policy.trigger_phone_call_on_empty_pin(realms=None)[source]

returns true if a check_s should be allowed to trigger an phone call for the voice token

linotp.lib.policy.trigger_sms(realms=None)[source]

returns true, if a check_s should be allowed to trigger an sms