linotp.lib.policy module

policy processing

exception linotp.lib.policy.AuthorizeException(description='unspecified error!', id=510)[source]

Bases: linotp.lib.error.LinotpError

exception linotp.lib.policy.PolicyException(description='unspecified error!', id=410)[source]

Bases: linotp.lib.error.LinotpError

linotp.lib.policy.autoassignment_forward(user)[source]

this function checks the policy scope=enrollment, action=autoassignment This is a boolean policy. The function returns true, if autoassignment is defined.

linotp.lib.policy.checkAdminAuthorization(policies, serial, user, fitAllRealms=False)[source]

This function checks if the token object defined by either “serial” or “user” is in the corresponding realm, where the admin has access to / fits to the given policy.

fitAllRealms: If set to True, then the administrator must have rights
in all realms of the token. e.g. for deleting tokens.
returns:
True: if admin is allowed False: if admin is not allowed
linotp.lib.policy.checkAuthorisation(scope, method)[source]

check if the authenticated user has the right to do the given action :param scope: scope of the policy to be checked :param method: the requested action :return: nothing if authorized, else raise PolicyException

linotp.lib.policy.checkOTPPINPolicy(pin, user)[source]

This function checks the given PIN (OTP PIN) against the policy returned by the function

getOTPPINPolicy

It returns a dictionary:
{‘success’: True/False,
‘error’: errortext}

At the moment this works for the selfservice portal

linotp.lib.policy.checkPolicyPost(controller, method, param=None, user=None)[source]

This function will check policies after a successful action in a controller. E.g. this can be setting a random PIN after successfully enrolling a token.

Parameters:
  • controller – the controller context
  • method – the calling action
  • param – This is a dictionary with the necessary parameters.
  • auth_user – This is the authenticated user. For the selfservice this will be the user in the selfservice portal, for admin or manage it will be the administrator
Returns:

It returns a dictionary with the necessary results. These depend on the controller.

linotp.lib.policy.checkPolicyPre(controller, method, param={}, authUser=None, user=None)[source]

This function will check for all policy definition for a certain controller/method It is run directly before doing the action in the controller. I will raise an exception, if it fails.

Parameters:param – This is a dictionary with the necessary parameters.
Returns:dictionary with the necessary results. These depend on the controller.
linotp.lib.policy.checkToolsAuthorisation(method, param={})[source]
linotp.lib.policy.check_auth_serial(serial, exception=False, user=None)[source]

Checks if the token with the serial number matches the serial authorize policy scope=authoriztaion, action=serial

Parameters:
  • serial (string) – The serial number of the token to check
  • exception (boolean) – If “True” an exception is raised instead of returning False
  • user (User object) – User to narrow down the policy
Returns:

result

Return type:

boolean

linotp.lib.policy.check_auth_tokentype(serial, exception=False, user=None)[source]

Checks if the token type of the given serial matches the tokentype policy

Returns:True/False - returns true or false or raises an exception if exception=True
linotp.lib.policy.check_token_reporting(realm)[source]

parse reporting policies for given realm and user :param realm: the realm to be reported :return: list of status like [assigned, active&unassigned, total]

linotp.lib.policy.check_user_authorization(login, realm, exception=False)[source]

check if the given user/realm is in the given policy. The realm may contain the wildcard ‘*’, then the policy holds for all realms. If no username or ‘*’ is given, the policy holds for all users.

attributes:
login - loginname of the user realm - realm of the user exception - wether it should return True/False or raise an Exception
linotp.lib.policy.getAdminPolicies(action, lowerRealms=False, scope='admin')[source]

This internal function returns the policies (default: of scope=admin) for the currently authenticated administrativ user.__builtins__

Parameters:
  • action – this is the action (like enable, disable, init...)
  • lowerRealms – if set to True, the list of realms returned will be lower case.
  • scope – scope of the policies, might be admin, monitoring, reporting.access
Returns:

a dictionary with the following keys:

  • active (if policies are used)
  • realms (the realms, in which the admin is allowed to do this action)
  • resolvers (the resolvers in which the admin is allowed to perform this action)
  • admin (the name of the authenticated admin user)

linotp.lib.policy.getOTPPINEncrypt(serial=None, user=None)[source]

This function returns, if the otppin should be stored as an encrpyted value

linotp.lib.policy.getPolicies()[source]
linotp.lib.policy.getPolicy(param, display_inactive=False)[source]

Function to retrieve the list of policies.

attributes:

  • name: (optional) will only return the policy with the name

  • user: (optional) will only return the policies for this user

  • realm: (optional) will only return the policies of this realm

  • scope: (optional) will only return the policies within this scope

  • action: (optional) will only return the policies with this action

    The action can also be something like “otppin” and will return policies containing “otppin = 2”

Returns:a dictionary with the policies. The name of the policy being the key
linotp.lib.policy.getPolicyActionValue(policies, action, max=True, is_string=False, subkey=None)[source]

This function retrieves the int value of an action from a list of policies input

Parameters:
  • policies – list of policies as returned from config.getPolicy This is a list of dictionaries
  • action – an action, to be searched
  • max – if True, it will return the highest value, if there are multiple policies if False, it will return the lowest value, if there are multiple policies
  • is_string – if True, the value is a string and not an integer

Example policy:

pol10: {
    action: "maxtoken = 10",
    scope: "enrollment",
    realm: "realm1",
    user: "",
    time: ""
   }
linotp.lib.policy.getSelfserviceActions(user)[source]

This function returns the allowed actions in the self service portal for the given user

linotp.lib.policy.get_auth_AutoSMSPolicy(realms=None)[source]

Returns true, if the autosms policy is set in one of the realms

return:
True or False
input:
list of realms
linotp.lib.policy.get_auth_challenge_response(user, ttype)[source]

returns True, if the user in this realm with this token type should be authenticated via Challenge Response

Parameters:
  • user – the user object
  • ttype – the type of the token
Returns:

bool

linotp.lib.policy.get_auth_forward(user)[source]

returns the list of all forwarding servers

linotp.lib.policy.get_auth_passOnNoToken(user)[source]

returns True, if the user in this realm should be always authenticated in case the user has no tokens assigned.

linotp.lib.policy.get_auth_passthru(user)[source]

returns True, if the user in this realm should be authenticated against the UserIdResolver in case the user has no tokens assigned.

linotp.lib.policy.get_auto_enrollment(user)[source]

this function checks the policy scope=enrollment, action=autoenrollment This policy policy returns the tokentyp: sms or email The function returns true, if autoenrollment is defined.

linotp.lib.policy.get_autoassignment(user)[source]

this function checks the policy scope=enrollment, action=autoassignment This is a boolean policy. The function returns true, if autoassignment is defined.

linotp.lib.policy.get_client_policy(client, scope=None, action=None, realm=None, user=None, find_resolver=True, userObj=None)[source]

This function returns the dictionary of policies for the given client.

1. First it searches for all policies matching (scope, action, realm) and checks, whether the given client is contained in the policy field client. If no policy for the given client is found it takes the policy without a client

2. Then it strips down the returnable policies to those, that only contain the username - UNLESS - none of the above policies contains a username

  1. then we try to find resolvers in the username (OPTIONAL)
  2. if nothing matched so far, we try the extended policy check
linotp.lib.policy.get_pairing_certificate_id(realms, user)[source]

returns the certificate id that should be used

linotp.lib.policy.get_pin_policies(user)[source]

lookup for the pin policies - the list of policies is preserved for repeated lookups

: raises: exception, if more then one pin policies are matching

Parameters:user – the policies which are applicable to the user
Returns:list of otppin id’s
linotp.lib.policy.get_qrtan_url(realms)[source]

Returns the URL for the half automatic mode for the QR TAN token for the given realm

Remark:there might be more than one url, if the token belongs to more than one realm
Parameters:realms – list of realms or None
Returns:url string
linotp.lib.policy.get_tokenissuer(user='', realm='', serial='')[source]

This internal function returns the issuer of the token as defined in policy scope = enrollment, action = tokenissuer = <string> The string can have the following variables:

<u>: user <r>: realm <s>: token serial

This function is used to create ‘otpauth’ tokens

linotp.lib.policy.get_tokenlabel(user='', realm='', serial='')[source]

This internal function returns the naming of the token as defined in policy scope = enrollment, action = tokenname = <string> The string can have the following variables:

  • <u>: user
  • <r>: realm
  • <s>: token serial

This function is used by the creation of googleauthenticator url

linotp.lib.policy.ignore_autoassignment_pin(user)[source]
This function checks the policy
scope=enrollment, action=ignore_autoassignment_pin

This is a boolean policy. The function returns true, if the password used in the autoassignment should not be set as token pin.

linotp.lib.policy.is_auth_return(success=True, user=None)[source]
returns True if the policy
scope = authorization action = detail_on_success/detail_on_fail is set.
Parameters:success (bool) – Defines if we should check of the policy detaul_on_success (True) or detail_on_fail (False)
linotp.lib.policy.parse_action_value(action_value)[source]

parsing the policy action value by an regular expression

linotp.lib.policy.set_realm(login, realm, exception=False)[source]

this function reads the policy scope: authorization, client: x.y.z, action: setrealm=new_realm and overwrites the existing realm of the user with the new_realm. This can be used, if the client is not able to pass a realm and the users are not be located in the default realm.

returns:
realm - name of the new realm taken from the policy
linotp.lib.policy.split_value(policy, attribute='client', marks=False)[source]
linotp.lib.policy.supports_offline(realms, token)[source]

Check if offline is allowed for the given token.

Parameters:
  • realms – the realms to be checked
  • token – the token to be checked

:returns bool

linotp.lib.policy.trigger_sms(realms=None)[source]

returns true, if a check_s should be allowed to trigger an sms