linotp.lib.policy package

policy processing

exception linotp.lib.policy.AuthorizeException(description='unspecified error!')

Bases: LinotpError

exception linotp.lib.policy.MaxTokenRealmPolicyException(description='unspecified error!')

Bases: PolicyException

Token count policy violation in a realm.

error_code = 413
exception linotp.lib.policy.MaxTokenTypeUserPolicyException(description='unspecified error!')

Bases: PolicyException

Token count policy violation of a user for a single token type.

error_code = 412
exception linotp.lib.policy.MaxTokenUserPolicyException(description='unspecified error!')

Bases: PolicyException

Token count policy violation of a user across all token types.

error_code = 411
exception linotp.lib.policy.PolicyException(description='unspecified error!')

Bases: LinotpError

Generic exception class for unspecified policy violations.

error_code = 410
linotp.lib.policy.autoassignment_forward(user)

Return the status of autoassignment forwarding.

This function checks the policy scope=enrollment, action=autoassignment. This is a boolean policy; the function returns True if autoassignment is defined.

linotp.lib.policy.checkAdminAuthorization(policies, serial, user, fitAllRealms=False)

This function checks whether the token object, identified by either “serial” or “user”, is in a realm the admin has access to, i.e. one that fits the given policy.

Parameters
  • fitAllRealms – if set to True, the administrator must have rights in all realms of the token, e.g. for deleting tokens.

Returns

True if the admin is allowed, False if the admin is not allowed.

linotp.lib.policy.checkAuthorisation(scope, method)

Check if the authenticated user has the right to do the given action.

Parameters
  • scope – scope of the policy to be checked

  • method – the requested action

Returns

nothing if authorized, else raise PolicyException

linotp.lib.policy.checkOTPPINPolicy(pin, user)

This function checks the given PIN (OTP PIN) against the policy returned by the function getOTPPINPolicy.

It returns a dictionary: {‘success’: True/False, ‘error’: errortext}

At the moment this works for the selfservice portal.

linotp.lib.policy.checkPolicyPost(controller, method, param=None, user=None)

This function will check policies after a successful action in a controller. E.g. this can be setting a random PIN after successfully enrolling a token.

Parameters
  • controller – the controller context

  • method – the calling action

  • param – This is a dictionary with the necessary parameters.

  • auth_user – This is the authenticated user. For the selfservice this will be the user in the selfservice portal, for admin or manage it will be the administrator

Returns

It returns a dictionary with the necessary results. These depend on the controller.

linotp.lib.policy.checkPolicyPre(controller, method, param=None, authUser=None, user=None)

This function checks all policy definitions for a certain controller/method. It is run directly before the action is performed in the controller and raises an exception if the check fails.

Parameters

param – This is a dictionary with the necessary parameters.

Returns

dictionary with the necessary results. These depend on the controller.

linotp.lib.policy.checkToolsAuthorisation(method, param=None)
linotp.lib.policy.check_auth_serial(serial, exception=False, user=None)

Checks whether the token with the given serial number matches the serial authorization policy (scope=authorization, action=serial).

Parameters
  • serial (string) – The serial number of the token to check

  • exception (boolean) – If “True” an exception is raised instead of returning False

  • user (User object) – User to narrow down the policy

Returns

result

Return type

boolean

linotp.lib.policy.check_auth_tokentype(serial, exception=False, user=None)

Checks if the token type of the given serial matches the tokentype policy.

Returns

True/False - returns True or False, or raises an exception if exception=True

linotp.lib.policy.check_user_authorization(login, realm, exception=False)

Check whether the given user/realm is covered by the given policy. The realm may contain the wildcard ‘*’, in which case the policy holds for all realms. If no username or ‘*’ is given, the policy holds for all users.

Parameters
  • login – login name of the user

  • realm – realm of the user

  • exception – whether the function should return True/False or raise an exception
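As an added illustration (not LinOTP's own code) of the matching rule just described: a policy realm of ‘*’ holds for every realm, and an empty or ‘*’ user entry holds for every user. The dict-based policy representation, the case-insensitive realm comparison and the comma separated user list are assumptions.

```python
from typing import Iterable, Mapping


class PolicyException(Exception):
    """Stand-in for linotp.lib.policy.PolicyException (assumed shape)."""
    error_code = 410


def _realm_matches(policy_realm: str, realm: str) -> bool:
    # A policy realm of "*" holds for all realms; otherwise compare
    # realm names case-insensitively (assumption).
    policy_realm = policy_realm.strip()
    return policy_realm == "*" or policy_realm.lower() == realm.strip().lower()


def _user_matches(policy_user: str, login: str) -> bool:
    # No user entry, or "*", holds for all users. Otherwise the entry is
    # assumed to be a comma separated list of login names.
    entries = [u.strip() for u in policy_user.split(",") if u.strip()]
    return not entries or "*" in entries or login in entries


def check_user_authorization(login: str, realm: str,
                             policies: Iterable[Mapping[str, str]],
                             exception: bool = False) -> bool:
    """True if some policy covers login@realm, else False (or raise)."""
    for pol in policies:
        if (_realm_matches(pol.get("realm", ""), realm)
                and _user_matches(pol.get("user", ""), login)):
            return True
    if exception:
        raise PolicyException(f"user {login}@{realm} is not authorized")
    return False


def denied_with_exception(login: str, realm: str,
                          policies: Iterable[Mapping[str, str]]) -> bool:
    """Helper for callers that prefer the exception style: True if denied."""
    try:
        check_user_authorization(login, realm, policies, exception=True)
    except PolicyException:
        return True
    return False


# Constructed sample policies (scope=authorization); all values are made up.
SAMPLE_POLICIES = [
    {"realm": "finance", "user": "alice, bob"},   # two named users
    {"realm": "*", "user": "auditor"},            # auditor in every realm
    {"realm": "guests", "user": ""},              # every user of realm guests
]
```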

linotp.lib.policy.createRandomPin(user, min_pin_length)

create a random pin

Parameters
  • min_pin_length – the requested minimum pin length

  • user – user defines the realm/user policy selection

Returns

the new pin

linotp.lib.policy.delete_on_authentication_exceed(user, realms=None)

Returns True if the token should be deleted once the max auth count is reached.

linotp.lib.policy.disable_on_authentication_exceed(user, realms=None)

Returns True if the token should be disabled once the max auth count is reached.

linotp.lib.policy.getAdminPolicies(action, scope='admin')

This internal function returns the policies (default: of scope=admin) for the currently authenticated administrative user.

Parameters
  • action – this is the action (like enable, disable, init…)

  • scope – scope of the policies, might be admin, monitoring, reporting.access

Returns

a dictionary with the following keys:

  • active (if policies are used)

  • realms (the realms, in which the admin is allowed to do this action)

  • resolvers (the resolvers in which the admin is allowed to perform this action)

  • admin (the name of the authenticated admin user)

linotp.lib.policy.getOTPPINEncrypt(serial=None, user=None)

This function returns whether the otppin should be stored as an encrypted value.

linotp.lib.policy.get_active_token_statuses_for_reporting(realm)

Parse the reporting policies for the given realm and user.

Parameters

realm – the realm to be reported

Returns

list of statuses like [assigned, active&unassigned, total]

linotp.lib.policy.get_auth_AutoSMSPolicy(realms=None)

Returns True if the autosms policy is set in one of the realms.

Parameters

realms – list of realms

Returns

True or False

linotp.lib.policy.get_auth_challenge_response(user, ttype)

Returns True if the user in this realm with this token type should be authenticated via Challenge Response.

Parameters
  • user – the user object

  • ttype – the type of the token

Returns

bool

linotp.lib.policy.get_auth_forward(user)

Returns the list of all forwarding servers.

linotp.lib.policy.get_auth_forward_on_no_token(user)

Returns True if the user in this realm should be forwarded in case the user has no tokens assigned.

linotp.lib.policy.get_auth_passOnNoToken(user)

Returns True if the user in this realm should always be authenticated in case the user has no tokens assigned.

linotp.lib.policy.get_auth_passthru(user)

Returns True if the user in this realm should be authenticated against the UserIdResolver in case the user has no tokens assigned.

linotp.lib.policy.get_auto_enrollment(user)

This function checks the policy scope=enrollment, action=autoenrollment. This policy returns the token type: sms or email. The function returns True if autoenrollment is defined.

linotp.lib.policy.get_autoassignment(user)

This function checks the policy scope=enrollment, action=autoassignment. This is a boolean policy; the function returns True if autoassignment is defined.

linotp.lib.policy.get_autoassignment_from_realm(user)
This function checks the policy scope=enrollment, action=autoassignment_from_realm.

Returns

the realm where the tokens should be taken from

linotp.lib.policy.get_autoassignment_without_pass(user)

Check if autoassignment without password is allowed for the user.

Returns

boolean

linotp.lib.policy.get_partition(realms, user)

Get the partition (key pair identifier) that should be used.

linotp.lib.policy.get_pin_policies(user)

Look up the pin policies; the list of policies is preserved for repeated lookups.

Raises an exception if more than one pin policy matches.

Parameters

user – the policies which are applicable to the user

Returns

list of otppin id’s

linotp.lib.policy.get_single_auth_policy(policy_name, user=None, realms=None)

Retrieves a policy value and checks if the value is consistent across realms.

Parameters
  • policy_name – the name of the policy, e.g.:
    • qrtoken_pairing_callback_url
    • qrtoken_pairing_callback_sms
    • qrtoken_challenge_response_url
    • qrtoken_challenge_response_sms

  • realms – the realms that this policy should be effective in

linotp.lib.policy.get_tokenissuer(serial, user='', realm='', description='')

Get the token issuer.

This internal function returns the issuer of the token as defined in policy scope = enrollment, action = tokenissuer = <string>. The string can contain the following variables:

  • <u>: user

  • <r>: realm

  • <s>: token serial

  • <d>: the token description

This function is used to create ‘otpauth’ tokens

Parameters
  • user – the user login string

  • realm – the realm of the user

  • serial – the token serial

  • description – the token description

Returns

the tokenlabel string - default is ‘LinOTP’

linotp.lib.policy.get_tokenlabel(serial, user='', realm='', description='')

Get the label for a token.

This internal function returns the naming of the token as defined in policy scope = enrollment, action = tokenname = <string>. The string can contain the following variables:

  • <u>: user

  • <r>: realm

  • <s>: token serial

  • <d>: the token description

This function is used to create ‘otpauth’ tokens

Parameters
  • user – the user login string

  • realm – the realm of the user

  • serial – the token serial

  • description – the token description

Returns

the tokenlabel string - default is user or serial
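As an added illustration, not LinOTP's own code, of the <u>/<r>/<s>/<d> substitution described for get_tokenissuer and get_tokenlabel, with their documented defaults and the otpauth URI the results end up in. The policy value is passed in as a plain string instead of being looked up from the policy store, and the sample serial, realm and base32 secret are constructed.

```python
from typing import Optional
from urllib.parse import quote

# Placeholders documented for the tokenname / tokenissuer policy strings.
_PLACEHOLDERS = ("<u>", "<r>", "<s>", "<d>")


def render_token_template(template: str, serial: str, user: str = "",
                          realm: str = "", description: str = "") -> str:
    """Substitute <u>, <r>, <s> and <d> in an enrollment policy string."""
    values = (user, realm, serial, description)
    for placeholder, value in zip(_PLACEHOLDERS, values):
        template = template.replace(placeholder, value)
    return template


def get_tokenlabel(policy_value: Optional[str], serial: str, user: str = "",
                   realm: str = "", description: str = "") -> str:
    """Token label; without a tokenname policy the default is user or serial."""
    if not policy_value:
        return user or serial
    return render_token_template(policy_value, serial, user, realm, description)


def get_tokenissuer(policy_value: Optional[str], serial: str, user: str = "",
                    realm: str = "", description: str = "") -> str:
    """Token issuer; without a tokenissuer policy the default is 'LinOTP'."""
    if not policy_value:
        return "LinOTP"
    return render_token_template(policy_value, serial, user, realm, description)


def otpauth_uri(token_type: str, label: str, issuer: str, secret_b32: str) -> str:
    """Key URI for an authenticator app; label and issuer are percent-encoded
    so characters from user input (spaces, ':' or '?') cannot break the URI."""
    return "otpauth://{}/{}:{}?secret={}&issuer={}".format(
        token_type, quote(issuer, safe=""), quote(label, safe=""),
        secret_b32, quote(issuer, safe=""))


if __name__ == "__main__":
    # Constructed sample values: serial, realm and base32 secret are made up.
    label = get_tokenlabel("<u>@<r> (<s>)", "LSPW00000001", "alice", "finance")
    issuer = get_tokenissuer(None, "LSPW00000001")
    print(otpauth_uri("totp", label, issuer, "JBSWY3DPEHPK3PXP"))
```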

linotp.lib.policy.ignore_autoassignment_pin(user)

Should autoassignment pin be ignored?

This function checks the policy

scope=enrollment, action=ignore_autoassignment_pin

This is a boolean policy. The function returns true, if the password used in the autoassignment should not be set as token pin.

linotp.lib.policy.is_auth_return(success=True, user=None)
Returns True if the policy scope = authorization, action = detail_on_success/detail_on_fail is set.

Parameters

success (bool) – Defines whether to check the policy detail_on_success (True) or detail_on_fail (False)

linotp.lib.policy.match_allowed_realms(scope: str, action: str, requested_realms: List[str])

Returns a list of realm names the user is allowed to access for the given scope.action.

Parameters
  • scope (str) – policy scope

  • action (str) – policy action

  • requested_realms (List[str]) – list of realms the user wants to access. Use [“*”] to match against all realms including “/:no realm:/”.

Returns

List[str]: list of realms the user is allowed to access for the given action.

linotp.lib.policy.parse_policy(composite_key, value)

Parses policy data from a config entry

linotp.lib.policy.purge_enrollment_token(user, realm=None)

Get status of enrollment token purging.

Looks up in the policies whether the rollout token should be removed after a successful login with a second token.

Parameters

user – the token owner

Returns

boolean

linotp.lib.policy.set_realm(login, realm, exception=False)

This function reads the policy scope: authorization, client: x.y.z, action: setrealm=new_realm and overwrites the existing realm of the user with new_realm. This can be used if the client is not able to pass a realm and the users are not located in the default realm.

returns:

realm - name of the new realm taken from the policy

linotp.lib.policy.supports_offline(realms, token)

Check if offline is allowed for the given token.

Parameters
  • realms – the realms to be checked

  • token – the token to be checked

Returns

bool

linotp.lib.policy.trigger_sms(realms=None)

Returns whether a check_s request is allowed to trigger an SMS.

Submodules