linotp.tokens.pushtoken.pushtoken module

class linotp.tokens.pushtoken.pushtoken.PushTokenClass(token_model_object)

Bases: TokenClass, StatefulTokenMixin

challenge_janitor(matching_challenges, challenges)

This is the pushtoken challenges janitor.

The idea is to not close any challenge and to rely on the challenge timeout instead.

Parameters
  • matching_challenges – the list of matching challenges (ignored)

  • challenges – all current challenges (ignored)

Returns

list of all challenges, which should be closed

checkOtp(passwd, counter, window, options=None)

Checks whether the supplied challenge response is correct.

Parameters
  • passwd – The challenge response

  • options – A dictionary of parameters passed by the upper layer (used for transaction_id in this context)

  • counter – legacy API (unused)

  • window – legacy API (unused)

Raises

TokenStateError – If token state is not ‘active’ or ‘pairing_challenge_sent’

Returns

-1 for failure, 1 for success

createChallenge(transaction_id, options)

Entry hook for the challenge logic. When this function is called, a challenge with a transaction has already been created.

Parameters
  • transaction_id – A unique transaction id used to identify the challenge object

  • options – additional options as a dictionary

Raises

TokenStateError – If token state is not ‘active’ or ‘pairing_response_received’

Returns

A tuple (success, message, data, attributes) with success being a boolean indicating if the call to this method was successful, message being a string that is passed to the user, attributes being additional output data (unused in here)

create_challenge_url(transaction_id, content_type, callback_url='', message=None, login=None, host=None)

Creates a challenge url (looking like lseqr://push/<base64string>) and returns the url together with the unencrypted challenge data.

Parameters
  • transaction_id – The transaction id generated by LinOTP

  • content_type – One of the types CONTENT_TYPE_SIGNREQ, CONTENT_TYPE_PAIRING, CONTENT_TYPE_LOGIN

  • callback_url – callback url (optional), default is empty string

  • message – the transaction message, that should be signed by the client. Only for content type CONTENT_TYPE_SIGNREQ

  • login – the login name of the user. Only for content type CONTENT_TYPE_LOGIN

  • host – hostname of the user. Only for content type CONTENT_TYPE_LOGIN

Returns

tuple (challenge_url, sig_base), with challenge_url being the push url and sig_base the message, that is used for the client signature

classmethod getClassInfo(key=None, ret='all')

classmethod getClassPrefix()

classmethod getClassType()

getInitDetail(params, user=None)

Returns initialization details in the enrollment process (called after the update method). It is used here to pass the pairing url to the user.

Parameters
  • params – parameters provided by the client

  • user – (unused)

Raises

TokenStateError – If token state is not ‘initialized’

Returns

a dict consisting of a ‘pairing_url’ entry, containing the pairing url and a ‘pushtoken_pairing_url’ entry containing a data structure used in the manage frontend in the enrollment process

get_enrollment_status()

Provides the token enrollment status.

isActive()

pair(pairing_data)

If the token has state ‘unpaired’, it saves the data from the pairing response and changes the state to ‘pairing_response_received’.

If the token is already in ‘active’ state, it updates the gda to the one supplied in the pairing response, on the condition that the public key matches (re-pairing case).

If the token is not in ‘active’ state and a new gda is supplied in the pairing response, the response is rejected, as this might be pairing spoofing from a second device.

Raises

TokenStateError – If the token state is neither ‘active’ nor ‘unpaired’, or if pairing spoofing has been detected

Parameters

pairing_data – A PushTokenPairingData object
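
The state rules documented for pair() above, as an added Python sketch that is not LinOTP's implementation. PairingModel, PairingData, demo, the reduction of the pairing data to public_key and gda, and the direct switch to ‘active’ are assumptions made for illustration; the keys and gda values are constructed. Following the Raises clause, the model refuses every pairing response outside ‘unpaired’ and ‘active’.

```python
import hmac
from dataclasses import dataclass

class TokenStateError(Exception):
    """Stand-in for LinOTP's TokenStateError so the sketch runs alone."""

@dataclass(frozen=True)
class PairingData:
    """Hypothetical reduction of PushTokenPairingData to the fields compared here."""
    public_key: bytes
    gda: str

class PairingModel:
    """Toy model of the documented pair() state rules; not LinOTP code."""
    def __init__(self):
        self.state, self.public_key, self.gda = "unpaired", None, None

    def pair(self, data):
        if self.state == "unpaired":
            # First pairing response: store the device data, advance the state.
            self.public_key, self.gda = data.public_key, data.gda
            self.state = "pairing_response_received"
        elif self.state == "active":
            # Re-pairing: the gda may change only for the enrolled public key.
            if not hmac.compare_digest(self.public_key, data.public_key):
                raise TokenStateError("pairing spoofing: public key mismatch")
            self.gda = data.gda
        else:
            # Refused: a second device must not overwrite the stored gda.
            raise TokenStateError(f"pair() not allowed in state {self.state!r}")
        return self.state

def demo():
    """Feed four constructed pairing responses to one token; log each outcome."""
    phone, other = PairingData(b"key-A", "gda-1"), PairingData(b"key-B", "gda-2")
    steps = [("first", phone), ("second device", other),
             ("re-pair", PairingData(b"key-A", "gda-3")), ("wrong key", other)]
    token, log = PairingModel(), []
    for label, data in steps:
        try:
            log.append((label, token.pair(data), token.gda))
        except TokenStateError:
            log.append((label, "rejected", token.gda))
        if label == "second device":
            token.state = "active"  # assumption: activation happens elsewhere
    return log

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

In the logged outcomes the stored gda changes only on the first pairing and on the re-pair with the matching key; both responses carrying the other key leave it untouched.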

statusValidationSuccess()

Callback that enables a status change on authentication success.

update(params)

initialization entry hook for the enrollment process.

Parameters

params – parameters provided by the client

Raises
  • Exception – If the client supplied unrecognized configuration parameters for this token type

  • Exception – If the policy ‘pushtoken_pairing_callback_url’ was not set.

  • TokenStateError – If token state is not None (default pre-enrollment state)