6.1.1.3.2.19. linotp.lib.policy module¶
policy processing
- exception linotp.lib.policy.AuthorizeException(description='unspecified error!', id=510)[source]¶
Bases: linotp.lib.error.LinotpError
- exception linotp.lib.policy.PolicyException(description='unspecified error!', id=410)[source]¶
Bases: linotp.lib.error.LinotpError
- linotp.lib.policy.checkAdminAuthorization(policies, serial, user, fitAllRealms=False)[source]¶
This function checks if the token object defined by either “serial” or “user” is in the corresponding realm, where the admin has access to / fits to the given policy.
- fitAllRealms: If set to True, then the administrator must have rights
- in all realms of the token. e.g. for deleting tokens.
- returns:
- True: if admin is allowed False: if admin is not allowed
- linotp.lib.policy.checkOTPPINPolicy(pin, user)[source]¶
This function checks the given PIN (OTP PIN) against the policy returned by the function
getOTPPINPolicy
- It returns a dictionary:
- {‘success’: True/False,
- ‘error’: errortext}
At the moment this works for the selfservice portal
- linotp.lib.policy.checkPolicyPost(controller, method, param=None, user=None)[source]¶
This function will check policies after a successful action in a controller. E.g. this can be setting a random PIN after successfully enrolling a token.
Parameters: - controller – the controller context
- method – the calling action
- param – This is a dictionary with the necessary parameters.
- auth_user – This is the authenticated user. For the selfservice this will be the user in the selfservice portal, for admin or manage it will be the administrator
Returns: It returns a dictionary with the necessary results. These depend on the controller.
- linotp.lib.policy.checkPolicyPre(controller, method, param={}, authUser=None, user=None)[source]¶
This function will check for all policy definition for a certain controller/method It is run directly before doing the action in the controller. I will raise an exception, if it fails.
Parameters: param – This is a dictionary with the necessary parameters. Returns: dictionary with the necessary results. These depend on the controller.
- linotp.lib.policy.checkTokenAssigned(user)[source]¶
This internal function checks the number of assigned tokens to a user Therefor it checks the policy
“scope = enrollment”, action = “maxtoken = <number>”returns FALSE, if the user has to many tokens assigned returns TRUE, if more tokens may be assigned to the user
- linotp.lib.policy.checkTokenNum(user=None, realm=None)[source]¶
This internal function checks if the number of the tokens is valid... for a certain realm...
- Therefor it checks the policy
- “scope = enrollment”, action = “tokencount = <number>”
- linotp.lib.policy.check_auth_serial(serial, exception=False, user=None)[source]¶
Checks if the token with the serial number matches the serial authorize policy scope=authoriztaion, action=serial
Parameters: - serial (string) – The serial number of the token to check
- exception (boolean) – If “True” an exception is raised instead of returning False
- user (User object) – User to narrow down the policy
Returns: result
Return type: boolean
- linotp.lib.policy.check_auth_tokentype(serial, exception=False, user=None)[source]¶
Checks if the token type of the given serial matches the tokentype policy
Returns: True/False - returns true or false or raises an exception if exception=True
check if the given user/realm is in the given policy. The realm may contain the wildcard ‘*’, then the policy holds for all realms. If no username or ‘*’ is given, the policy holds for all users.
- attributes:
- login - loginname of the user realm - realm of the user exception - wether it should return True/False or raise an Exception
- linotp.lib.policy.create_policy_export_file(policy, filename)[source]¶
This function takes a policy dictionary and creates an export file from it
- linotp.lib.policy.deletePolicy(name)[source]¶
Function to delete one named policy
- attributes:
- name: (required) will only return the policy with the name
- linotp.lib.policy.getAdminPolicies(action, lowerRealms=False)[source]¶
This internal function returns the admin policies (of scope=admin) for the currently authenticated administrativ user.__builtins__
Parameters: - action – this is the action (like enable, disable, init...)
- lowerRealms – if set to True, the list of realms returned will be lower case.
Returns: a dictionary with the following keys: active (if policies are used) realms (the realms, in which the admin is allowed to do this action) resolvers (the resolvers in which the admin is allowed to perform
this action)
admin (the name of the authenticated admin user)
- linotp.lib.policy.getAuthorization(scope, action)[source]¶
This internal function returns the Authrorizaition within some the scope=system. for the currently authenticated administrativ user. This does not take into account the REALMS!
- arguments:
- action - this is the action
- scope = system
- read write
- returns:
- a dictionary with the following keys: active (if policies are used) admin (the name of the authenticated admin user) auth (True if admin is authorized for this action)
- linotp.lib.policy.getOTPPINEncrypt(serial=None, user=None)[source]¶
This function returns, if the otppin should be stored as an encrpyted value
- linotp.lib.policy.getOTPPINPolicies(user, scope='selfservice')[source]¶
This internal function returns the PIN policies for a realm. These policies can either be in the scope “selfservice” or “admin” The policy define when resettng an OTP PIN:
what should be the length of the otp pin
what should be the contents of the otp pin by the actions:
otp_pin_minlength = otp_pin_maxlength = otp_pin_contents = [cns] (character, number, special character)
Returns: dictionary like {contents: “cns”, min: 7, max: 10}
- linotp.lib.policy.getPolicy(param, display_inactive=False)[source]¶
Function to retrieve the list of policies.
- attributes:
name: (optional) will only return the policy with the name user: (optional) will only return the policies for this user realm: (optional) will only return the policies of this realm scope: (optional) will only return the policies within this scope action: (optional) will only return the policies with this action
The action can also be something like “otppin” and will return policies containing “otppin = 2”- returns:
- a dictionary with the policies. The name of the policy being the key
- linotp.lib.policy.getPolicyActionValue(policies, action, max=True, String=False)[source]¶
This function retrieves the int value of an action from a list of policies input
- policies: list of policies as returned from config.getPolicy
- This is a list of dictionaries
action: an action, to be searched max: if True, it will return the highest value, if there are
multiple policies if False, it will return the lowest value, if there are multiple policiesString: if True, the value is a string and not an integer
pol10: { * action: “maxtoken = 10” * scope: “enrollment” * realm: “realm1” * user: “” * time: “”}
- linotp.lib.policy.getPolicyDefinitions(scope='')[source]¶
returns the policy definitions of - allowed scopes - allowed actions in scopes - type of actions
- linotp.lib.policy.getRandomOTPPINLength(user)[source]¶
This internal function returns the length of the random otp pin that is define in policy scope = enrollment, action = otp_pin_random = 111
- linotp.lib.policy.getSelfserviceActions(user)[source]¶
This function returns the allowed actions in the self service portal for the given user
- linotp.lib.policy.get_auth_AutoSMSPolicy(realms=None)[source]¶
Returns true, if the autosms policy is set in one of the realms
- return:
- True or False
- input:
- list of realms
- linotp.lib.policy.get_auth_PinPolicy(realm=None, user=None)[source]¶
Returns the PIN policy, that defines, how the OTP PIN is to be verified within the given realm
- return:
0 - verify against fixed OTP PIN 1 - verify the password component against the
UserResolver (LPAP Password etc.)2 - verify no OTP PIN at all! Only OTP value!
- The policy is defined via
- scope : authentication realm : .... action: otppin=0/1/2 client: IP user : some user
- linotp.lib.policy.get_auth_challenge_response(user, ttype)[source]¶
returns True, if the user in this realm with this token type should be authenticated via Challenge Response
Parameters: - user – the user object
- ttype – the type of the token
Returns: bool
- linotp.lib.policy.get_auth_passOnNoToken(user)[source]¶
returns True, if the user in this realm should be always authenticated in case the user has no tokens assigned.
- linotp.lib.policy.get_auth_passthru(user)[source]¶
returns True, if the user in this realm should be authenticated against the UserIdResolver in case the user has no tokens assigned.
- linotp.lib.policy.get_autoassignment(user)[source]¶
this function checks the policy scope=enrollment, action=autoassignment This is a boolean policy. The function returns true, if autoassignment is defined.
- linotp.lib.policy.get_client_policy(client, scope=None, action=None, realm=None, user=None, find_resolver=True, userObj=None)[source]¶
This function returns the dictionary of policies for the given client.
1. First it searches for all policies matching (scope, action, realm) and checks, whether the given client is contained in the policy field client. If no policy for the given client is found it takes the policy without a client
2. Then it strips down the returnable policies to those, that only contain the username - UNLESS - none of the above policies contains a username
- then we try to find resolvers in the username (OPTIONAL)
- linotp.lib.policy.get_pin_policies(user)[source]¶
lookup for the pin policies - the list of policies is preserved for repeated lookups
: raises: exception, if more then one pin policies are matching
Parameters: user – the policies which are applicable to the user Returns: list of otppin id’s
- linotp.lib.policy.get_qrtan_url(realm)[source]¶
Returns the URL for the half automatic mode for the QR TAN token for the given realm
Returns: url string
- linotp.lib.policy.get_tokenlabel(user='', realm='', serial='')[source]¶
This internal function returns the naming of the token as defined in policy scope = enrollment, action = tokenname = <string> The string can have the following varaibles:
<u>: user <r>: realm <s>: token serialThis function is used by the creation of googleauthenticator url
- linotp.lib.policy.ignore_autoassignment_pin(user)[source]¶
- This function checks the policy
- scope=enrollment, action=ignore_autoassignment_pin
This is a boolean policy. The function returns true, if the password used in the autoassignment should not be set as token pin.
- linotp.lib.policy.is_auth_return(success=True, user=None)[source]¶
- returns True if the policy
- scope = authorization action = detail_on_success/detail_on_fail is set.
Parameters: success (bool) – Defines if we should check of the policy detaul_on_success (True) or detail_on_fail (False)
- linotp.lib.policy.setPolicy(param)[source]¶
Function to set a policy. It expects a dict of with the following keys:
- name
- action
- scope
- realm
- user
- time
- client
- linotp.lib.policy.set_realm(login, realm, exception=False)[source]¶
this function reads the policy scope: authorization, client: x.y.z, action: setrealm=new_realm and overwrites the existing realm of the user with the new_realm. This can be used, if the client is not able to pass a realm and the users are not be located in the default realm.
- returns:
- realm - name of the new realm taken from the policy