16.2.1.18. Users¶

These are the library functions for user functions. It depends on the lib.resolver and lib.realm.

There are and must be no dependencies to the token functions (lib.token) or to webservices!

This code is tested in tests/test_lib_user.py

class privacyidea.lib.user.User(login='', realm='', resolver='', uid=None)[source]¶

The user has the attributes login, realm and resolver.

Usually a user can be found via “login@realm”.

A user object with an empty login and realm should not exist, whereas a user object could have an empty resolver.

property attributes: dict¶: returns the custom attributes of a user :return: a dictionary of attributes with keys and values

property available_info_keys: list[str]¶

returns the possible keys for user information for this user

Returns:: a list of possible keys for user information
Return type:: list

check_password(password: str) → str[source]¶

The password of the user is checked against the user source

Parameters:: password – The clear text password
Returns:: the username of the authenticated user. If unsuccessful, returns None

delete() → bool[source]¶

This deletes the user in the user store. I.e. the user in the SQL database or the LDAP gets deleted.

Returns True in case of success

delete_attribute(attribute_key: str = None) → int[source]¶

Delete the given key as custom user attribute. If no key is given, then all attributes are deleted

Parameters:: attribute_key – The key to delete
Returns:: The number of deleted rows

exist() → bool[source]¶: Check if the user object exists in the user store :return: True or False

get_search_fields() → dict[source]¶

Return the valid search fields of a user. The search fields are defined in the UserIdResolver class.

Returns:: searchFields with name (key) and type (value)
Return type:: dict

get_specific_info(attributes: list[str] = None) → dict[source]¶

returns the specified attributes for the user or all if attributes is None

Returns:: a dict with the specified user information

get_user_identifiers() → tuple[str, str, str][source]¶

This returns the UserId information from the resolver object and the resolvertype and the resolvername (former: getUserId) (former: getUserResolverId)

Returns:: The userid, the resolver type and the resolver name like (1000, “passwdresolver”, “resolver1”)
Return type:: tuple

get_user_phone(phone_type: str = 'phone', index: int = None) → str[source]¶

Returns the phone number or a list of phone numbers of a user.

Parameters:

phone_type (string) – The type of the phone, i.e. either mobile or phone (land line)
index – The index of the selected phone number of list of the phones of the user. If the index is given, this phone number as string is returned. If the index is omitted, all phone numbers are returned.

Returns:

list with phone numbers of this user object

get_user_realms() → list[str][source]¶

Returns a list of the realms, a user belongs to. Usually this will only be one realm. But if the user object has no realm but only a resolver, than all realms, containing this resolver are returned. This function is used for the policy module

Returns:: realms of the user
Return type:: list

property info: dict¶

return the detailed information for the user

Returns:: a dict with all the userinformation
Return type:: dict

is_empty() → bool[source]¶

login = ''¶

realm = ''¶

resolver = ''¶

set_attribute(attribute_key: str, attribute_value: str, attribute_type: str = None) → int[source]¶

Set a custom attribute for a user

Parameters:

attribute_key – The key of the attribute
attribute_value – The value of the attribute

Returns:

The id of the attribute setting

update_user_info(attributes: dict, password: str = None) → bool[source]¶

This updates the given attributes of a user. The attributes can be “username”, “surname”, “givenname”, “email”, “mobile”, “phone”, “password”

Parameters:

attributes – A dictionary of the attributes to be updated
password – The password of the user

Returns:

True in case of success

user_export_dict() → dict[source]¶

Returns a dictionary with the user identifiers, which can be used to assign a token to the same user after import.

Returns:: A dictionary with the user identifiers

privacyidea.lib.user.create_user(resolvername: str, attributes: dict, password: str = None) → int[source]¶

This creates a new user in the given resolver. The resolver must be editable to do so.

The attributes is a dictionary containing the keys “username”, “email”, “phone”, “mobile”, “surname”, “givenname”, “password”.

We return the UID and not the user object, since the user could be located in several realms!

Parameters:

resolvername (basestring) – The name of the resolver, in which the user should be created
attributes (dict) – Attributes of the user
password – The password of the user

Returns:

The uid of the user object

privacyidea.lib.user.get_attributes(uid: str, resolver: str, realm_id: int, requested_attributes: list[str] = None) → dict[source]¶

Returns the attributes for the given user.

Parameters:

uid – The UID of the user
resolver – The name of the resolver
realm_id – The realm_id
requested_attributes – A list of attributes to return. If None, all attributes are returned.

Returns:

A dictionary of key/values

privacyidea.lib.user.get_user_from_param(param: dict, optional_or_required: bool = True) → User[source]¶

Find the parameter user, realm and resolver and create a user object from these parameters.

An exception is raised, if a user in a realm is found in more than one resolver.

Parameters:

param – The dictionary of request parameters
optional_or_required – True (default) if the user param is optional, False if it is required (raises ParameterError when absent).

Returns:

User as found in the parameters

privacyidea.lib.user.get_user_list(param: dict = None, user: User = None, include_custom_attributes: bool = False, requested_attributes: list[str] = None) → list[dict][source]¶

This function returns a list of user dictionaries. The user dict contains the resolver and custom user attributes, if requested. If no realm is given in the param, the users from all realms are returned. The realm, resolver and editable keys are added on the lib layer and are only included in the returned user dictionaries when requested_attributes is None/empty or explicitly lists them. If only a resolver is given (no realm), the function looks up all realms containing that resolver and iterates through them, so users are always returned in a realm context with proper masking.

Fixme: Please note: If a realm and a resolver is given, the resolver is currently ignored. So all users of this realm are returned. This is the old/current behaviour. When filtering for a resolver in a realm, we should probably take care, that masked users (in low priority resolvers) are not returned.

Parameters:

param – search parameters
user – a specific user object to return
include_custom_attributes – Set to True, if you want to receive custom attributes of external users.
requested_attributes – A list of attributes to return for each user. If None or empty, all attributes are returned.

Returns:

list of user info as dictionaries

privacyidea.lib.user.get_username(user_id: str, resolvername: str) → str[source]¶

Determine the username for a given id and a resolvername.

Parameters:

user_id (string) – The id of the user in a resolver
resolvername – The name of the resolver

Returns:

the username or “” if it does not exist

Return type:

string

privacyidea.lib.user.is_attribute_at_all() → bool[source]¶: Check if there are custom user attributes at all

privacyidea.lib.user.log_used_user(user: User, other_text: str = '') → str[source]¶

This creates a log message combined of a user and another text. The user information is only added, if user.login != user.used_login

Parameters:

user (User object) – A user to log
other_text – Some additional text

Returns:

str

privacyidea.lib.user.split_user(username: str) → tuple[str, str][source]¶

Split the username of the form user@realm into the username and the realm splitting myemail@emailprovider.com@realm is also possible and will return (myemail@emailprovider.com, realm).

If for a user@domain the “domain” does not exist as realm, the name is not split, since it might be the user@domain in the default realm

If the Split@Sign configuration is disabled, the username won’t be split and the username and an empty realm will be returned.

We can also split realmuser to (user, realm)

Parameters:: username (string) – the username to split
Returns:: username and realm
Return type:: tuple