linotp.lib.token module

contains several token API functions

class linotp.lib.token.TokenHandler

Bases: object

addTokenInfo(info, value, user, serial)

sets an arbitrary tokeninfo field

assignToken(serial, user, pin, param=None)

assignToken - used to assign and to unassign token

auto_assignToken(passw, user, _pin='', param=None)

This function is called to auto_assign a token, when the user enters an OTP value of a not yet assigned token.

auto_assign_otp_only(otp, user, options=None)

This function is called to auto_assign a token, when the user enters an OTP value of a not yet assigned token.

auto_enrollToken(passw, user, options=None)

This function is called to auto_enroll a token: when the user has no token assigned and enters his password (without otppin=1 policy), a new email or sms token is created and assigned to the user. Finally a challenge OTP for this user is created, which he will receive by email or sms.

Parameters
  • passw – password of the user, to be checked against the user resolver

  • user – user object of login name and realm

  • options – optional parameters used during challenge creation

Returns

tuple of auth success and challenge output

check_serial(serial)

This checks whether a serial number already exists.

The function returns a tuple:

(result, new_serial)

If the serial already exists, a new, modified serial new_serial is returned.

result: bool: True if the serial does not already exist.

copyTokenPin(serial_from, serial_to)

This function copies the token PIN from one token to the other token. This can be used for workflows like lost token.

In fact the PinHash and the PinSeed need to be transferred.

returns:
  • 1: success

  • -1: no source token

  • -2: no destination token

copyTokenRealms(serial_from, serial_to)
copyTokenUser(serial_from, serial_to)

This function copies the user from one token to the other token. This can be used for workflows like lost token.

returns:
  • 1: success

  • -1: no source token

  • -2: no destination token

enableToken(enable, user, serial)

switch the token status to active or inactive

Parameters
  • enable – True::active or False::inactive

  • user – all tokens of this owner

  • serial – the serial number of the token

Returns

number of changed tokens

genSerial(tokenType=None, prefix=None)

generate a serial number similar to the one generated in the manage web gui

Parameters

tokenType – the token type; the prefix is determined by a lookup on the token class

Returns

serial number

getTokenOwner(serial)

returns the user object to which the token is assigned. The token is identified and retrieved by its serial number.

Parameters

serial – serial number of the token

Returns

user object

getTokensOfType(typ=None, realm=None, assigned=None)

This function returns a list of token objects filtered by the following criteria:
  1. type (all types if typ==None)

  2. realm

  3. assigned (1) or unassigned (0) tokens

TODO: rename function to “getTokens”

get_serial_by_otp(token_list=None, otp='', window=10, typ=None, realm=None, assigned=None)

Returns the serial and the user for a given OTP value, as a tuple (serial, user)

Parameters
  • otp

    • the otp value to be searched

  • window

    • how many OTPs should be calculated per token

  • typ

    • The tokentype

  • realm

    • The realm in which to search for the token

  • assigned

    • search either in assigned (1) or not assigned (0) tokens

Returns

the serial for a given OTP value and the user

get_token_by_otp(token_list=None, otp='', window=10, typ='HMAC', realm=None, assigned=None)
get_token_by_otp - from the given token list this function returns the token that generates the given OTP value

Parameters
  • token_list

    • the list of token objects to be investigated

  • otp

    • the otp value that needs to be found

  • window

    • the window of search

  • assigned

    • search assigned (1) or unassigned (0) tokens

Returns

returns the token object.

hasOwner(serial)

returns true if the token is owned by any user

Parameters

serial – the token serial number

Returns

boolean - True if it has an owner

initToken(param, user, tokenrealm=None)

initToken - create a new token or update a token

Parameters
  • param – the provided parameters; the serial number is required, the token type defaults to hmac

  • user – the token owner

  • tokenrealm – the realms, to which the token belongs

Returns

tuple of success and token object

isTokenOwner(serial, user)

verify that user is the token owner

Parameters
  • serial – the token serial

  • user – the given user

Returns

boolean - True on success

losttoken(serial, new_serial=None, password=None, param=None)

This is the workflow to handle a lost token

Parameters
  • serial – Token serial number

  • new_serial – new serial number

  • password – new password

  • param – additional arguments for the password, email or sms token as dict

Returns

result dictionary

removeToken(user=None, serial=None)

delete a token from database

Parameters
  • user – the tokens of the user

  • serial – the token with this serial number

Returns

the number of deleted tokens

resyncToken(otp1, otp2, user, serial, options=None)

resync a token by its consecutive otps

Parameters
  • otp1 – the first of the two consecutive OTP values

  • otp2 – the second, directly following OTP value

  • user – the token owner

  • serial – the serial number of the token

  • options – the additional command parameters for specific token types

Returns

Success by a boolean
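The two operations described for get_token_by_otp and resyncToken above, a look-ahead window search over a token list and a resync from two consecutive OTPs, as an added illustration that is not LinOTP's own code. It uses a minimal HOTP (RFC 4226) implementation and a constructed Token class; the function names, the Token fields and the window sizes are assumptions, not the library's API.

```python
"""Window-based OTP lookup and counter resync (constructed example, not LinOTP code)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter (HMAC-SHA1, dynamic truncation)."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Token:
    """Assumed minimal event-based token: serial, shared secret and server counter."""
    serial: str
    secret: bytes
    counter: int = 0   # next counter the server expects
    digits: int = 6


def get_token_by_otp(token_list: List[Token], otp: str, window: int = 10) -> Optional[Token]:
    """Return the single token whose next `window` OTP values contain `otp`.

    This is a lookup only: a hit does not advance the counter, so the value
    is not consumed here. If zero or more than one token matches, None is
    returned: an ambiguous match must not be resolved by picking one.
    """
    matches = [
        t for t in token_list
        if any(hmac.compare_digest(hotp(t.secret, t.counter + i, t.digits), otp)
               for i in range(window))
    ]
    if len(matches) != 1:
        return None
    return matches[0]


def resync_token(token: Token, otp1: str, otp2: str, sync_window: int = 1000) -> bool:
    """Resync the server counter from two consecutive OTP values.

    otp1 is searched within sync_window counters ahead of the current one and
    otp2 must be the value of the counter directly after it. On success the
    counter is moved past otp2 so neither value can be replayed.
    """
    for i in range(sync_window):
        c = token.counter + i
        if (hmac.compare_digest(hotp(token.secret, c, token.digits), otp1)
                and hmac.compare_digest(hotp(token.secret, c + 1, token.digits), otp2)):
            token.counter = c + 2
            return True
    return False


if __name__ == "__main__":
    # Constructed data: the RFC 4226 test secret; T2 uses 8 digits so its
    # values can never collide with a 6-digit OTP in this demonstration.
    secret = b"12345678901234567890"
    tokens = [Token("T1", secret), Token("T2", secret, digits=8)]
    hit = get_token_by_otp(tokens, "969429")          # counter 3 of T1
    print("lookup:", hit.serial if hit else None)
    print("resync:", resync_token(tokens[0], "287922", "162583"), tokens[0].counter)
```

The search window trades usability against brute-force surface: every extra counter in the window is one more accepted value per guess, so the lookup window for unassigned-token discovery is kept small while the resync window, which additionally requires two matching values in sequence, can be wider.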

setCounterWindow(countWindow, user, serial)
setDescription(description, user=None, serial=None)
setHashLib(hashlib, user, serial)

sets the Hashlib in the tokeninfo

setMaxFailCount(maxFail, user, serial)
setOtpLen(otplen, user, serial)
setSyncWindow(syncWindow, user, serial)
unassignToken(serial, user=None, pin=None)

unassignToken - used to unassign a token (the counterpart of assignToken)

linotp.lib.token.add_last_accessed_info(list_of_tokens)

small wrapper to set the accessed time info

linotp.lib.token.add_last_verified_info(list_of_tokens)

small wrapper to set the verified time info

linotp.lib.token.add_time_info(list_of_tokens, mode='accessed')

add time info to the token if token_last_access is defined in the config. It is used as a filter to only preserve information which is compliant with the data preserving policy.

Parameters
  • list_of_tokens – all tokens which should get a time stamp update

  • mode – which token data should be stored

linotp.lib.token.createTokenClassObject(token: Token, token_type: string = None)

createTokenClassObject - create a token class object from a given type

Parameters
  • token (Token) – a raw token as retrieved from the database

  • token_type (string) – type of the token object to be created

Returns

a token instance with type-specific behavior

Return type

subclass of TokenClass

linotp.lib.token.genSerial(tokenType=None, prefix=None)

generate a serial number similar to the one generated in the manage web gui

Parameters

tokenType – the token type; the prefix is determined by a lookup on the token class

Returns

serial number

linotp.lib.token.getNumTokenUsers(resolver=None, active=True, realm=None, count_forward_tokens=False)

get the number of distinct the token users

Parameters
  • resolver – count only the token users per resolver

  • active – boolean - count base only on active tokens

  • count_forward_tokens – boolean - count the forward tokens

Returns

the number of token users

linotp.lib.token.getOtp(serial, curTime=None)

This function returns the current OTP value for a given Token. Please note that this controller needs to be activated and that the tokentype needs to support this function.

method

getOtp - get the current OTP value

parameter
  • serial – serial number of the token

  • curTime – used for self test

return

tuple with (res, pin, otpval, passw)

linotp.lib.token.getRealms4Token(user, tokenrealm=None)

get the realm objects of a user or from the tokenrealm definition, which could be a list of realms or a single realm

helper method to enhance the code readability

Parameters
  • user – the user which defines the set of realms

  • tokenrealm – a string or a list of realm strings

Returns

the list of realm objects

linotp.lib.token.getRealmsOfTokenOrUser(token)

This returns the realms of either the token or of the user of the token.

linotp.lib.token.getRolloutToken4User(user=None, serial=None, tok_type='ocra2')
linotp.lib.token.getTokenConfig(tok, section=None)

getTokenConfig - return the config definition of a dynamic token

Parameters
  • tok (string) – token type (shortname)

  • section (string) – subsection of the token definition - optional

Returns

dict - if nothing found an empty dict

Return type

dict

linotp.lib.token.getTokenInRealm(realm, active=True)

This returns the number of tokens in one realm.

You can either query only active token or also disabled tokens.

linotp.lib.token.getTokenNumResolver(resolver=None, active=True, count_forward_tokens=False)

get the number of used tokens

In the database there could be tokens with a ResolverClass of either useridresolver. or useridresolveree.

So we have to make sure that there is no ‘useridresolveree’ in the search term and that a wildcard search is performed (second replace). Remark: when the token is loaded, the resolver class in the response is adjusted.

Parameters
  • resolver – count only the token users per resolver

  • active – boolean - count base only on active tokens

  • count_forward_tokens – boolean - count the forward tokens

Returns

the number of token

linotp.lib.token.getTokenRealms(serial)

This function returns a list of the realms of a token

linotp.lib.token.getTokenType(serial)

Returns the tokentype of a given serial number

Parameters

serial – the serial number of the token to be searched for

linotp.lib.token.get_multi_otp(serial, count=0, epoch_start=0, epoch_end=0, curTime=None)

This function returns a list of OTP values for the given Token. Please note that this controller needs to be activated and that the tokentype needs to support this function.

method

get_multi_otp - get the list of OTP values

parameter
  • serial – the serial number of the token

  • count – number of the <count> next otp values (to be used with event or time based tokens)

  • epoch_start – unix time start date (used with time based tokens)

  • epoch_end – unix time end date (used with time based tokens)

  • curTime – used for token test

return

dictionary of otp values

linotp.lib.token.get_raw_token(serial: string)
linotp.lib.token.get_raw_tokens(user: User = None, serial: string = None, token_type: string = None, read_for_update: bool = False, active: bool = None) -> List[Token]

Get a list of tokens of type Token, an object containing the database fields for the token and little more.

It does not provide tokens with type-specific functionality. If that is what you are looking for, please use get_tokens() instead.

The result can be filtered by owner, serial, type and activation status.

Additionally, the flag read_for_update specifies whether a lock on the database is required. This is necessary when obtaining a list of tokens for validation purposes.

linotp.lib.token.get_token(serial: string)
linotp.lib.token.get_token_owner(token)

provide the owner as a user object for a given tokenclass obj

Parameters

token – tokenclass object

Returns

user object

linotp.lib.token.get_token_type_list()

get_token_type_list - returns the list of the available tokentypes like hmac, spass, totp…

Returns

list of token types

linotp.lib.token.get_tokens(user: User = None, serial: string = None, token_type: string = None, read_for_update: bool = False, active: bool = None)

Get a list of tokens of type TokenClass or any of its subclasses.

The result can be filtered by owner, serial, type and activation status.

Additionally, the flag read_for_update specifies whether a lock on the database is required. This is necessary when obtaining a list of tokens for validation purposes.

linotp.lib.token.get_tokenserial_of_transaction(transId)

get the serial number of a token from a challenge state / transaction

Parameters

transId – the state / transaction id

Returns

the serial number or None

linotp.lib.token.get_used_tokens_count(resolver=None, active=True, realm=None)

get the number of used tokens

Parameters
  • resolver – count only the token users per resolver

  • active – boolean - count base only on active tokens

Returns

the number of tokens / token users

linotp.lib.token.remove_token(token)

remove a token and all related entries like challenges or realm reference

Parameters

token – Token or TokenClass object

linotp.lib.token.resetToken(user=None, serial=None)
linotp.lib.token.setDefaults(token)
linotp.lib.token.setPin(pin, user, serial, param=None)

set the PIN

linotp.lib.token.setPinSo(soPin, serial)
linotp.lib.token.setPinUser(userPin, serial)
linotp.lib.token.setRealms(serial, realmList)
linotp.lib.token.tokenExist(serial)

returns true if the token exists

linotp.lib.token.token_owner_iterator()

iterate over all tokens, yielding serial and user