15.2.1.8. Policy Decorators

These are the policy decorator functions for internal (lib) policy decorators. policy decorators for the API (pre/post) are defined in api/lib/policy

The functions of this module are tested in tests/test_lib_policy_decorator.py

privacyidea.lib.policydecorators.auth_cache(wrapped_function, user_object, passw, options=None)[source]

Decorate lib.token:check_user_pass. Verify, if the authentication can be found in the auth_cache.

Parameters
  • wrapped_function – usually “check_user_pass”

  • user_object – User who tries to authenticate

  • passw – The PIN and OTP

  • options – Dict containing values for “g” and “clientip”.

Returns

Tuple of True/False and reply-dictionary

privacyidea.lib.policydecorators.auth_lastauth(wrapped_function, user_or_serial, passw, options=None)[source]

This decorator checks the policy settings of ACTION.LASTAUTH If the last authentication stored in tokeninfo last_auth_success of a token is exceeded, the authentication is denied.

The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={}) OR token.check_serial_pass with the arguments (user, passw, options={})

Parameters
  • wrapped_function – either check_user_pass or check_serial_pass

  • user_or_serial – either the User user_or_serial or a serial

  • passw

  • options – Dict containing values for “g” and “clientip”

Returns

Tuple of True/False and reply-dictionary

privacyidea.lib.policydecorators.auth_otppin(wrapped_function, *args, **kwds)[source]

Decorator to decorate the tokenclass.check_pin function. Depending on the ACTION.OTPPIN it * either simply accepts an empty pin * checks the pin against the userstore * or passes the request to the wrapped_function

Parameters

wrapped_function – In this case the wrapped function should be

tokenclass.check_ping :param *args: args[1] is the pin :param **kwds: kwds[“options”] contains the flask g :return: True or False

privacyidea.lib.policydecorators.auth_user_does_not_exist(wrapped_function, user_object, passw, options=None)[source]

This decorator checks, if the user does exist at all. If the user does exist, the wrapped function is called.

The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={})

Parameters
  • wrapped_function

  • user_object

  • passw

  • options – Dict containing values for “g” and “clientip”

Returns

Tuple of True/False and reply-dictionary

privacyidea.lib.policydecorators.auth_user_has_no_token(wrapped_function, user_object, passw, options=None)[source]

This decorator checks if the user has a token at all. If the user has a token, the wrapped function is called.

The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={})

Parameters
  • wrapped_function

  • user_object

  • passw

  • options – Dict containing values for “g” and “clientip”

Returns

Tuple of True/False and reply-dictionary

privacyidea.lib.policydecorators.auth_user_passthru(wrapped_function, user_object, passw, options=None)[source]

This decorator checks the policy settings of ACTION.PASSTHRU. If the authentication against the userstore is not successful, the wrapped function is called.

The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={})

Parameters
  • wrapped_function

  • user_object

  • passw

  • options – Dict containing values for “g” and “clientip”

Returns

Tuple of True/False and reply-dictionary

privacyidea.lib.policydecorators.auth_user_timelimit(wrapped_function, user_object, passw, options=None)[source]

This decorator checks the policy settings of ACTION.AUTHMAXSUCCESS, ACTION.AUTHMAXFAIL If the authentication was successful, it checks, if the number of allowed successful authentications is exceeded (AUTHMAXSUCCESS).

If the AUTHMAXFAIL is exceed it denies even a successful authentication.

The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={})

Parameters
  • wrapped_function

  • user_object

  • passw

  • options – Dict containing values for “g” and “clientip”

Returns

Tuple of True/False and reply-dictionary

privacyidea.lib.policydecorators.challenge_response_allowed(func)[source]

This decorator is used to wrap tokenclass.is_challenge_request. It checks, if a challenge response authentication is allowed for this token type. To allow this, the policy

scope:authentication, action:challenge_response must be set.

If the tokentype is not allowed for challenge_response, this decorator returns false.

See challenge_response.

Parameters

func – wrapped function

privacyidea.lib.policydecorators.config_lost_token(wrapped_function, *args, **kwds)[source]

Decorator to decorate the lib.token.lost_token function. Depending on ACTION.LOSTTOKENVALID, ACTION.LOSTTOKENPWCONTENTS, ACTION.LOSTTOKENPWLEN it sets the check_otp parameter, to signal how the lostToken should be generated.

Parameters
  • wrapped_function – Usually the function lost_token()

  • args – argument “serial” as the old serial number

  • kwds – keyword arguments like “validity”, “contents”, “pw_len”

kwds[“options”] contains the flask g

Returns

calls the original function with the modified “validity”,

“contents” and “pw_len” argument

class privacyidea.lib.policydecorators.libpolicy(decorator_function)[source]

This is the decorator wrapper to call a specific function before a library call in contrast to prepolicy and postpolicy, which are to be called in API Calls.

The decorator expects a named parameter “options”. In this options dict it will look for the flask global “g”.

privacyidea.lib.policydecorators.login_mode(wrapped_function, *args, **kwds)[source]

Decorator to decorate the lib.auth.check_webui_user function. Depending on ACTION.LOGINMODE it sets the check_otp parameter, to signal that the authentication should be performed against privacyIDEA.

Parameters
  • wrapped_function – Usually the function check_webui_user

  • args – arguments user_obj and password

  • kwds – keyword arguments like options and !check_otp!

kwds[“options”] contains the flask g :return: calls the original function with the modified “check_otp” argument

privacyidea.lib.policydecorators.reset_all_user_tokens(wrapped_function, *args, **kwds)[source]

Resets all tokens if the corresponding policy is set.

Parameters
  • token – The successful token, the tokenowner is used to find policies.

  • tokenobject_list – The list of all the tokens of the user

  • options – options dictionary containing g.

Returns

None