linotp.lib.token module

contains several token api functions

class linotp.lib.token.TokenHandler[source]

Bases: object

addTokenInfo(info, value, user, serial)[source]

sets an abitrary Tokeninfo field

assignToken(serial, user, pin, param=None)[source]

assignToken - used to assign and to unassign token

auto_assignToken(passw, user, _pin='', param=None)[source]

This function is called to auto_assign a token, when the user enters an OTP value of an not assigned token.

auto_enrollToken(passw, user, options=None)[source]

This function is called to auto_enroll a token: - when the user has no token assigned and enters his password (without

otppin=1 policy), a new email or sms token is created and will be assigned to the user. Finaly a challenge otp for this user will be created that he will receive by email or sms.
Parameters:
  • passw – password of the user - to checked against the user resolver
  • user – user object of login name and realm
  • options – optional parameters used during challenge creation
Returns:

tuple of auth success and challenge output

check_serial(serial)[source]

This checks, if a serial number is already contained.

The function returns a tuple:
(result, new_serial)

If the serial is already contained a new, modified serial new_serial is returned.

result: bool: True if the serial does not already exist.

copyTokenPin(serial_from, serial_to)[source]

This function copies the token PIN from one token to the other token. This can be used for workflows like lost token.

In fact the PinHash and the PinSeed need to be transferred

returns:
1 : success -1: no source token -2: no destination token
copyTokenRealms(serial_from, serial_to)[source]
copyTokenUser(serial_from, serial_to)[source]

This function copies the user from one token to the other This can be used for workflows like lost token

returns:
1: success -1: no source token -2: no destination token
enableToken(enable, user, serial)[source]

switch the token status to active or inactive :param enable: True::active or False::inactive :param user: all tokens of this owner :param serial: the serial number of the token

Returns:number of changed tokens
genSerial(tokenType=None, prefix=None)[source]

generate a serial number similar to the one generated in the manage web gui

Parameters:tokenType – the token type prefix is done by a lookup on the tokens
Returns:serial number
getTokenOwner(serial)[source]

returns the user object, to which the token is assigned. the token is idetified and retirved by it’s serial number

Parameters:serial – serial number of the token
Returns:user object
getTokensOfType(typ=None, realm=None, assigned=None)[source]

This function returns a list of token objects of the following type.

here we need to create the token list.
  1. all types (if typ==None)
  2. realms
  3. assigned or unassigned tokens (1/0)

TODO: rename function to “getTokens”

get_serial_by_otp(token_list=None, otp='', window=10, typ=None, realm=None, assigned=None)[source]

Returns the serial for a given OTP value and the user (serial, user)

Parameters:
  • otp
    • the otp value to be searched
  • window
    • how many OTPs should be calculated per token
  • typ
    • The tokentype
  • realm
    • The realm in which to search for the token
  • assigned
    • search either in assigned (1) or

    not assigend (0) tokens

Returns:

the serial for a given OTP value and the user

get_token_by_otp(token_list=None, otp='', window=10, typ=u'HMAC', realm=None, assigned=None)[source]
method
get_token_by_otp - from the given token list this function returns
the token, that generates the given OTP value
Parameters:
  • token_list
    • the list of token objects to be investigated
  • otpval
    • the otp value, that needs to be found
  • window
    • the window of search
  • assigned
    • or unassigned tokens (1/0)
Returns:

returns the token object.

hasOwner(serial)[source]

returns true if the token is owned by any user

initToken(param, user, tokenrealm=None)[source]

initToken - create a new token or update a token

Parameters:
  • param – the list of provided parameters in the list the serialnumber is required, the token type default ist hmac
  • user – the token owner
  • tokenrealm – the realms, to which the token belongs
Returns:

tuple of success and token object

isTokenOwner(serial, user)[source]
losttoken(serial, new_serial=None, password=None, default_validity=0, param=None)[source]

This is the workflow to handle a lost token

Parameters:
  • serial – Token serial number
  • new_serial – new serial number
  • password – new password
  • default_validity – set the token to be valid
  • param – additional arguments for the password, email or sms token as dict
Returns:

result dictionary

removeToken(user=None, serial=None)[source]

delete a token from database

Parameters:
  • user – the tokens of the user
  • serial – the token with this serial number
Returns:

the number of deleted tokens

resyncToken(otp1, otp2, user, serial, options=None)[source]

resync a token by its consecutive otps

Parameters:
  • user – the token owner
  • serial – the serial number of the token
  • options – the additional command parameters for specific token
Returns:

Success by a boolean

setCounterWindow(countWindow, user, serial)[source]
setDescription(description, user, serial)[source]
setHashLib(hashlib, user, serial)[source]

sets the Hashlib in the tokeninfo

setMaxFailCount(maxFail, user, serial)[source]
setOtpLen(otplen, user, serial)[source]
setSyncWindow(syncWindow, user, serial)[source]
unassignToken(serial, user=None, pin=None)[source]

unassignToken - used to assign and to unassign token

linotp.lib.token.add_last_accessed_info(list_of_tokenlist)[source]

if token_last_access is defined in the config, add this to the token info

linotp.lib.token.and_(*clauses)

Produce a conjunction of expressions joined by AND.

E.g.:

from sqlalchemy import and_

stmt = select([users_table]).where(
                and_(
                    users_table.c.name == 'wendy',
                    users_table.c.enrolled == True
                )
            )

The and_() conjunction is also available using the Python & operator (though note that compound expressions need to be parenthesized in order to function with Python operator precedence behavior):

stmt = select([users_table]).where(
                (users_table.c.name == 'wendy') &
                (users_table.c.enrolled == True)
            )

The and_() operation is also implicit in some cases; the Select.where() method for example can be invoked multiple times against a statement, which will have the effect of each clause being combined using and_():

stmt = select([users_table]).\
            where(users_table.c.name == 'wendy').\
            where(users_table.c.enrolled == True)

See also

or_()

linotp.lib.token.createTokenClassObject(token, typ=None)[source]

createTokenClassObject - create a token class object from a given type

Parameters:
  • token (database token) – the database refeneced token
  • typ (string) – type of to be created token
Returns:

instance of the token class object

Return type:

token class object

linotp.lib.token.genSerial(tokenType=None, prefix=None)[source]

generate a serial number similar to the one generated in the manage web gui

Parameters:tokenType – the token type prefix is done by a lookup on the tokens
Returns:serial number
linotp.lib.token.getAllTokenUsers()[source]

return a list of all users

linotp.lib.token.getOtp(serial, curTime=None)[source]

This function returns the current OTP value for a given Token. Please note, that this controller needs to be activated and that the tokentype needs to support this function.

method
getOtp - get the current OTP value
parameter
serial - serialnumber for token curTime - used for self test
return
tuple with (res, pin, otpval, passw)
linotp.lib.token.getRealms4Token(user, tokenrealm=None)[source]

get the realm objects of a user or from the tokenrealm defintion, which could be a list of realms or a single realm

helper method to enhance the code readability

Parameters:
  • user – the user wich defines the set of realms
  • tokenrealm – a string or a list of realm strings
Returns:

the list of realm objects

linotp.lib.token.getRealmsOfTokenOrUser(token)[source]

This returns the realms of either the token or of the user of the token.

linotp.lib.token.getRolloutToken4User(user=None, serial=None, tok_type=u'ocra')[source]
linotp.lib.token.getTokenConfig(tok, section=None)[source]
getTokenConfig - return the config definition
of a dynamic token
Parameters:
  • tok (string) – token type (shortname)
  • section (string) – subsection of the token definition - optional
Returns:

dict - if nothing found an empty dict

Return type:

dict

linotp.lib.token.getTokenInRealm(realm, active=True)[source]

This returns the number of tokens in one realm.

You can either query only active token or also disabled tokens.

linotp.lib.token.getTokenNumResolver(resolver=None, active=True)[source]

This returns the number of the (active) tokens if no resolver is passed, the overall token number is returned, if a resolver is passed, the token number within this resolver is returned

if active is set to false, ALL tokens are returned

linotp.lib.token.getTokenRealms(serial)[source]

This function returns a list of the realms of a token

linotp.lib.token.getTokenType(serial)[source]

Returns the tokentype of a given serial number

Parameters:serial – the serial number of the to be searched token
linotp.lib.token.getTokens4UserOrSerial(user=None, serial=None, token_type=None, _class=True)[source]
linotp.lib.token.get_multi_otp(serial, count=0, epoch_start=0, epoch_end=0, curTime=None)[source]

This function returns a list of OTP values for the given Token. Please note, that this controller needs to be activated and that the tokentype needs to support this function.

method
get_multi_otp - get the list of OTP values
parameter
serial - the serial number of the token count - number of the <count> next otp values (to be used with event or timebased tokens) epoch_start - unix time start date (used with timebased tokens) epoch_end - unix time end date (used with timebased tokens) curTime - used for selftest
return
dictionary of otp values
linotp.lib.token.get_token_owner(token)[source]

provide the owner as a user object for a given tokenclass obj

Parameters:token – tokenclass object
Returns:user object
linotp.lib.token.get_token_type_list()[source]

get_token_type_list - returns the list of the available tokentypes like hmac, spass, totp...

Returns:list of token types

:rtype : list

linotp.lib.token.get_tokenserial_of_transaction(transId)[source]

get the serial number of a token from a challenge state / transaction

Parameters:transId – the state / transaction id
Returns:the serial number or None
linotp.lib.token.newToken(token_class)[source]

newTokenClass - return a token class, which could be used as a constructor

Parameters:token_class (string) – string representation of the token class name
Returns:token class
Return type:token class
linotp.lib.token.or_(*clauses)

Produce a conjunction of expressions joined by OR.

E.g.:

from sqlalchemy import or_

stmt = select([users_table]).where(
                or_(
                    users_table.c.name == 'wendy',
                    users_table.c.name == 'jack'
                )
            )

The or_() conjunction is also available using the Python | operator (though note that compound expressions need to be parenthesized in order to function with Python operator precedence behavior):

stmt = select([users_table]).where(
                (users_table.c.name == 'wendy') |
                (users_table.c.name == 'jack')
            )

See also

and_()

linotp.lib.token.resetToken(user=None, serial=None)[source]
linotp.lib.token.setDefaults(token)[source]
linotp.lib.token.setPin(pin, user, serial, param=None)[source]

set the PIN

linotp.lib.token.setPinSo(soPin, serial)[source]
linotp.lib.token.setPinUser(userPin, serial)[source]
linotp.lib.token.setRealms(serial, realmList)[source]
linotp.lib.token.tokenExist(serial)[source]

returns true if the token exists