14.3.1. The database model

class privacyidea.models.Admin(**kwargs)[source]

The administrators for managing the system. To manage the administrators use the command pi-manage.

In addition certain realms can be defined to be administrative realms.

Parameters
  • username (basestring) – The username of the admin

  • password (basestring) – The password of the admin (stored using PBKDF2, salt and pepper)

  • email (basestring) – The email address of the admin (not used at the moment)

class privacyidea.models.Audit(action='', success=0, serial='', token_type='', user='', realm='', resolver='', administrator='', action_detail='', info='', privacyidea_server='', client='', loglevel='default', clearance_level='default', policies='')[source]

This class stores the Audit entries

class privacyidea.models.AuthCache(username, realm, resolver, authentication, first_auth=None, last_auth=None)[source]

class privacyidea.models.CAConnector(name, catype)[source]

The table “caconnector” contains the names and types of the defined CA connectors. Each connector has a different configuration, that is stored in the table “caconnectorconfig”.

class privacyidea.models.CAConnectorConfig(caconnector_id=None, Key=None, Value=None, caconnector=None, Type='', Description='')[source]

Each CAConnector can have multiple configuration entries. Each CA Connector type can have different required config values. Therefore the configuration is stored in simple key/value pairs. If the type of a config entry is set to “password”, the value of this config entry is stored encrypted.

The config entries are referenced by the id of the resolver.

class privacyidea.models.Challenge(serial, transaction_id=None, challenge='', data='', session='', validitytime=120)[source]

Table for handling of the generic challenges.

get(timestamp=False)[source]

return a dictionary of all vars in the challenge class

Parameters

timestamp (bool) – if true, the timestamp will be given in a readable format, e.g. 2014-11-29 21:56:43.057293

Returns

dict of vars

get_otp_status()[source]

This returns how many OTPs were already received for this challenge, and whether a valid OTP was received.

Returns

tuple of count and True/False

Return type

tuple

is_valid()[source]

Returns true if the expiration time has not passed yet.

Returns

True if valid

Return type

bool

set_data(data)[source]

Set the internal data of the challenge.

Parameters

data (string, length 512) – unicode data

class privacyidea.models.ClientApplication(**kwargs)[source]

This table stores the clients, which sent an authentication request to privacyIDEA. This table is filled automatically by authentication requests.

class privacyidea.models.Config(Key, Value, Type='', Description='')[source]

The config table holds all the system configuration in key value pairs.

Additional configuration for realms, resolvers and machine resolvers is stored in specific tables.

class privacyidea.models.EventCounter(name, value=0, node='')[source]

This table stores counters of the event handler “Counter”.

Note that an event counter name does not correspond to just one, but rather several table rows, because we store event counters for each privacyIDEA node separately. This is intended to improve the performance of replicated setups, because each privacyIDEA node then only writes to its own “private” table row. This way, we avoid locking issues that would occur if all nodes write to the same table row.

decrease()[source]

Decrease the value of a counter.

increase()[source]

Increase the value of a counter.

class privacyidea.models.EventHandler(name, event, handlermodule, action, condition='', ordering=0, options=None, id=None, conditions=None, active=True, position='post')[source]

This model holds the list of defined events and the actions for these events. A handler module can be bound to an event with the corresponding condition and action.

get()[source]

Return the serialized eventhandler object including the options

Returns

complete dict

Return type

dict

class privacyidea.models.EventHandlerCondition(eventhandler_id, Key, Value, comparator='equal')[source]

Each EventHandler entry can have additional conditions according to the handler module

class privacyidea.models.EventHandlerOption(eventhandler_id, Key, Value, Type='', Description='')[source]

Each EventHandler entry can have additional options according to the handler module.

class privacyidea.models.MachineResolver(name, rtype)[source]

This model holds the definition of the machine store. Machines could be located in flat files, an LDAP directory, puppet services or elsewhere…

The usual MachineResolver just holds a name, a type and a reference to its config.

class privacyidea.models.MachineResolverConfig(resolver_id=None, Key=None, Value=None, resolver=None, Type='', Description='')[source]

Each Machine Resolver can have multiple configuration entries. The config entries are referenced by the id of the machine resolver.

class privacyidea.models.MachineToken(machineresolver_id=None, machineresolver=None, machine_id=None, token_id=None, serial=None, application=None)[source]

The MachineToken assigns a Token and an application type to a machine. The Machine is represented as the tuple of machineresolver.id and the machine_id. The machine_id is defined by the machineresolver.

This can be an n:m mapping.

class privacyidea.models.MachineTokenOptions(machinetoken_id, key, value)[source]

This class holds an Option for the token assigned to a certain client machine. Each Token-Clientmachine-Combination can have several options.

class privacyidea.models.MethodsMixin[source]

This class mixes in some common Class table functions like delete and save

class privacyidea.models.MonitoringStats(timestamp, key, value)[source]

This is the table that stores measured, arbitrary statistic points in time.

This could be used to store time series but also to store current values, by simply fetching the last value from the database.

class privacyidea.models.PasswordReset(recoverycode, username, realm, resolver='', email=None, timestamp=None, expiration=None, expiration_seconds=3600)[source]

Table for handling password resets. This table stores the recovery codes sent to a given user.

The application should save the HASH of the recovery code. Just like the password for the Admins, the application shall salt and pepper the hash of the recovery code. A database admin will then not be able to inject a rogue recovery code.

A user can get several recovery codes. A recovery code has a validity period.

Optional: The email to which the recoverycode was sent, can be stored.
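The salt-and-pepper scheme the Admin and PasswordReset docstrings describe, as an added illustration that is not privacyIDEA's own code: PBKDF2 with a per-row salt plus a pepper held only in application config, so a hash written straight into the database without the pepper never verifies, and an expired code is rejected. PEPPER, EXAMPLE_NOW, the row layout and all function names are assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta, timezone

# Server-side pepper: kept in the application configuration, never in the
# database, so a database admin cannot compute a valid stored hash.
# Value constructed for this example.
PEPPER = b"example-pepper-from-app-config"
PBKDF2_ROUNDS = 100_000
# Fixed clock so the example is reproducible (constructed).
EXAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def hash_code(code: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 over code+pepper with a per-row random salt."""
    return hashlib.pbkdf2_hmac("sha256", code.encode() + PEPPER, salt, PBKDF2_ROUNDS)


def create_reset_row(username: str, expiration_seconds: int = 3600, now=None):
    """Build a PasswordReset-like row: only the hash is stored; the plain
    code is handed out once (e.g. by email) and never written to the DB."""
    now = now or EXAMPLE_NOW
    code = secrets.token_hex(8)
    salt = os.urandom(16)
    row = {
        "username": username,
        "salt": salt,
        "recoverycode": hash_code(code, salt),
        "expiration": now + timedelta(seconds=expiration_seconds),
    }
    return row, code


def verify_reset(row: dict, candidate: str, now=None) -> bool:
    """Accept the code only if it is unexpired and matches the peppered hash."""
    now = now or EXAMPLE_NOW
    if now >= row["expiration"]:
        return False
    return hmac.compare_digest(row["recoverycode"], hash_code(candidate, row["salt"]))


def unpeppered_row(username: str, code: str) -> dict:
    """A row written directly into the DB by someone who lacks the pepper:
    the stored hash has no pepper in it, so verify_reset() rejects it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)
    return {"username": username, "salt": salt, "recoverycode": digest,
            "expiration": EXAMPLE_NOW + timedelta(hours=1)}


def seconds_after(ts: datetime, seconds: int) -> datetime:
    """Helper for the expiry check: the clock advanced by `seconds`."""
    return ts + timedelta(seconds=seconds)
```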

class privacyidea.models.PeriodicTask(name, active, interval, node_list, taskmodule, ordering, options=None, id=None)[source]

This class stores tasks that should be run periodically.

property aware_last_update

Return self.last_update with attached UTC tzinfo

get()[source]

Return the serialized periodic task object including the options and last runs. The last runs are returned as timezone-aware UTC datetimes.

Returns

complete dict

save()[source]

If the entry has an ID set, update the entry. If not, create one. Set last_update to the current time.

Returns

the entry ID

set_last_run(node, timestamp)[source]

Store the information that the last run of the periodic job occurred on node at timestamp.

Parameters
  • node – Node name as a string

  • timestamp – Timestamp as UTC datetime (without timezone information)

class privacyidea.models.PeriodicTaskLastRun(periodictask_id, node, timestamp)[source]

Each PeriodicTask entry stores, for each node, the timestamp of the last successful run.

property aware_timestamp

Return self.timestamp with attached UTC tzinfo

save()[source]

Create or update a PeriodicTaskLastRun entry, depending on the value of self.id.

Returns

the entry id

class privacyidea.models.PeriodicTaskOption(periodictask_id, key, value)[source]

Each PeriodicTask entry can have additional options according to the task module.

save()[source]

Create or update a PeriodicTaskOption entry, depending on the value of self.id.

Returns

the entry ID

class privacyidea.models.Policy(name, active=True, scope='', action='', realm='', adminrealm='', adminuser='', resolver='', user='', client='', time='', pinode='', priority=1, check_all_resolvers=False, conditions=None)[source]

The policy table contains policy definitions which control the behaviour during

  • enrollment

  • authentication

  • authorization

  • administration

  • user actions

get(key=None)[source]

Either returns the complete policy entry or a single value.

Parameters

key (string) – return the value for this key

Returns

complete dict or single value

Return type

dict or value

get_conditions_tuples()[source]

Returns

a list of 5-tuples (section, key, comparator, value, active).

set_conditions(conditions)[source]

Replace the list of conditions of this policy with a new list of conditions, i.e. a list of 5-tuples (section, key, comparator, value, active).

class privacyidea.models.PolicyCondition(**kwargs)[source]

as_tuple()[source]

Returns

the condition as a tuple (section, key, comparator, value, active)

class privacyidea.models.PrivacyIDEAServer(**kwargs)[source]

This table can store remote privacyIDEA server definitions

class privacyidea.models.RADIUSServer(**kwargs)[source]

This table can store configurations of RADIUS servers. See https://github.com/privacyidea/privacyidea/issues/321

It saves
  • a unique name

  • a description

  • an IP address

  • a port

  • a secret

  • timeout in seconds (default 5)

  • retries (default 3)

These RADIUS server definitions can be used in RADIUS tokens or in a radius passthru policy.

save()[source]

If a RADIUS server with the given name already exists, the existing RADIUS server is updated.

class privacyidea.models.Realm(realm)[source]

The realm table contains the defined realms. User Resolvers can be grouped into realms. This table just contains the names of the realms. The linking to resolvers is stored in the table “resolverrealm”.

class privacyidea.models.Resolver(name, rtype)[source]

The table “resolver” contains the names and types of the defined User Resolvers. As each Resolver can have different required config values the configuration of the resolvers is stored in the table “resolverconfig”.

class privacyidea.models.ResolverConfig(resolver_id=None, Key=None, Value=None, resolver=None, Type='', Description='')[source]

Each Resolver can have multiple configuration entries. Each Resolver type can have different required config values. Therefore the configuration is stored in simple key/value pairs. If the type of a config entry is set to “password”, the value of this config entry is stored encrypted.

The config entries are referenced by the id of the resolver.

class privacyidea.models.ResolverRealm(resolver_id=None, realm_id=None, resolver_name=None, realm_name=None, priority=None)[source]

This table stores which Resolver is located in which realm. This is an N:M relation.

class privacyidea.models.SMSGateway(identifier, providermodule, description=None, options=None, headers=None)[source]

This table stores the SMS Gateway definitions. See https://github.com/privacyidea/privacyidea/wiki/concept:-Delivery-Gateway

It saves
  • the unique name

  • a description

  • the SMS provider module

All options and parameters are saved in other tables.

as_dict()[source]

Return the object as a dictionary

Returns

complete dict

Return type

dict

delete()[source]

When deleting an SMS Gateway we also delete all of its options.

property header_dict

Return all connected headers as a dictionary

Returns

dict

property option_dict

Return all connected options as a dictionary

Returns

dict

class privacyidea.models.SMSGatewayOption(gateway_id, Key, Value, Type=None)[source]

This table stores the options, parameters and headers for an SMS Gateway definition.

class privacyidea.models.SMTPServer(**kwargs)[source]

This table can store configurations for SMTP servers. Each entry represents an SMTP server. EMail Token, SMS SMTP Gateways or Notifications like PIN handlers are supposed to use a reference to a server definition. Each Machine Resolver can have multiple configuration entries. The config entries are referenced by the id of the machine resolver.

get()[source]

Returns

the configuration as a dictionary

class privacyidea.models.Subscription(**kwargs)[source]

This table stores the imported subscription files.

get()[source]

Return the database object as dict.

class privacyidea.models.TimestampMethodsMixin[source]

This class mixes in the table functions including update of the timestamp

class privacyidea.models.Token(serial, tokentype='', isactive=True, otplen=6, otpkey='', userid=None, resolver=None, realm=None, **kwargs)[source]

The table “token” contains the basic token data like

  • serial number

  • assigned user

  • secret key…

while the table “tokeninfo” contains additional information that is specific to the tokentype.

del_info(key=None)[source]

Deletes tokeninfo for a given token. If the key is omitted, all Tokeninfo is deleted.

Parameters

key – searches for the given key to delete the entry
get(key=None, fallback=None, save=False)[source]

Simulate the dict behaviour to make challenge processing easier, as this will also have to deal with ‘dict only challenges’.

Parameters
  • key – the attribute name; if key is not provided, a dict of all class attributes is returned

  • fallback – if the attribute is not found, the fallback is returned

  • save – in case of all attributes and save==True, the timestamp is converted to a string representation

get_hashed_pin(pin)[source]

Calculate a hash from a pin. This includes a fix for working with MS SQL servers, which sometimes return a ‘<space>’ when the column is empty: ‘’.

Parameters

pin (str) – the pin to hash

Returns

hashed pin with current pin_seed

Return type

str

get_info()[source]

Returns

The token info as dictionary

get_realms()[source]

Return a list of the assigned realms.

Returns

realms

Return type

list

get_user_pin()[source]

Return the userPin.

Return type

the PIN as a secretObject

set_hashed_pin(pin)[source]

Set the pin of the token in hashed format

Parameters

pin (str) – the pin to hash

Returns

the hashed pin

Return type

str

set_info(info)[source]

Set the additional token info for this token

Entries that end with “.type” are used as type for the keys. I.e. two entries sshkey=”XYZ” and sshkey.type=”password” will store the key sshkey as type “password”.

Parameters

info (dict) – The key-values to set for this token
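The “.type” suffix convention described above, as an added illustration that is not privacyIDEA's own code: a flat set_info() style dict is split into per-key (value, type) rows, with type “password” marking values that must be stored encrypted in tokeninfo. The function names and the choice to report an orphaned “.type” entry are this example's own.

```python
TYPE_SUFFIX = ".type"


def split_token_info(info: dict) -> dict:
    """Turn a flat set_info() dict into {key: (value, type)} rows.

    Entries ending in ".type" are not stored on their own; they set the
    type of the key they refer to, in any order.  Keys without a ".type"
    entry get type None.  This example refuses a ".type" entry whose base
    key is absent rather than silently dropping it (example's own choice).
    """
    values, types = {}, {}
    for key, value in info.items():
        if key.endswith(TYPE_SUFFIX):
            types[key[: -len(TYPE_SUFFIX)]] = value
        else:
            values[key] = value
    rows = {key: (value, types.pop(key, None)) for key, value in values.items()}
    if types:
        raise ValueError("type given for unknown keys: %s" % sorted(types))
    return rows


def keys_needing_encryption(info: dict) -> list:
    """Keys whose value must be encrypted at rest because their type is 'password'."""
    return sorted(k for k, (_, t) in split_token_info(info).items() if t == "password")


def orphan_types(info: dict) -> list:
    """Return the base keys of '.type' entries that have no matching value entry."""
    bases = {k[: -len(TYPE_SUFFIX)] for k in info if k.endswith(TYPE_SUFFIX)}
    return sorted(bases - set(info))
```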

set_pin(pin, hashed=True)[source]

Set the OTP pin in a hashed way.

set_realms(realms, add=False)[source]

Set the list of the realms. This is done by filling the tokenrealm table.

Parameters
  • realms (list) – realms

  • add – If set, the realms are added, i.e. old realms are not deleted

set_so_pin(soPin)[source]

For smartcards this sets the security officer pin of the token.

Return type

None

update_otpkey(otpkey)[source]

In case of a new hOtpKey we have to do some more things.

update_type(typ)[source]

In case the previous type has been different, we must reset the counters. But be aware: this could also just be upper and lower case mixing…

class privacyidea.models.TokenInfo(token_id, Key, Value, Type=None, Description=None)[source]

The table “tokeninfo” is used to store additional, long information that is specific to the tokentype. E.g. the tokentype “TOTP” has additional entries in the tokeninfo table for “timeStep” and “timeWindow”, which are stored in the column “Key” and “Value”.

The tokeninfo is referenced by the foreign key to the “token” table.

class privacyidea.models.TokenOwner(token_id=None, serial=None, user_id=None, resolver=None, realm_id=None, realmname=None)[source]

This table stores the owner of a token. A token can be assigned to several users.

class privacyidea.models.TokenRealm(realm_id=0, token_id=0, realmname=None)[source]

This table stores to which realms a token is assigned. A token is in the realm of the user it is assigned to. But a token can also be put into many additional realms.

save()[source]

We only save this if it does not exist yet.

class privacyidea.models.UserCache(username, used_login, resolver, user_id, timestamp)[source]

privacyidea.models.cleanup_challenges()[source]

Delete all challenges that have expired.

Returns

None

privacyidea.models.get_machineresolver_id(resolvername)[source]

Return the database ID of the machine resolver.

Parameters

resolvername – the name of the machine resolver

privacyidea.models.get_machinetoken_id(machine_id, resolver_name, serial, application)[source]

Returns the ID in the machinetoken table

Parameters
  • machine_id (basestring) – The resolver-dependent machine_id

  • resolver_name (basestring) – The name of the resolver

  • serial (basestring) – the serial number of the token

  • application (basestring) – The application type

Returns

The ID of the machinetoken entry

Return type

int

privacyidea.models.get_token_id(serial)[source]

Return the database token ID for a given serial number.

Parameters

serial – the serial number of the token

Returns

token ID

Return type

int

privacyidea.models.save_config_timestamp(invalidate_config=True)[source]

Save the current timestamp to the database, and optionally invalidate the current request-local config object.

Parameters

invalidate_config – defaults to True