16.2.1.10. Policy Decorators
These are the policy decorator functions for internal (lib) policy decorators. Policy decorators for the API (pre/post) are defined in api/lib/policy.
The functions of this module are tested in tests/test_lib_policy_decorator.py.
- privacyidea.lib.policydecorators.auth_cache(wrapped_function, user_object, passw, options=None)
Decorates lib.token:check_user_pass. Verifies whether the authentication can be found in the auth_cache.
- Parameters
  - wrapped_function – usually “check_user_pass”
  - user_object – User who tries to authenticate
  - passw – The PIN and OTP
  - options – Dict containing values for “g” and “clientip”
- Returns
  - Tuple of True/False and reply-dictionary
- privacyidea.lib.policydecorators.auth_lastauth(wrapped_function, user_or_serial, passw, options=None)
This decorator checks the policy settings of ACTION.LASTAUTH. If the time since the last authentication stored in the tokeninfo last_auth_success of a token is exceeded, the authentication is denied.
The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={}), or token.check_serial_pass with the arguments (user, passw, options={}).
- Parameters
  - wrapped_function – either check_user_pass or check_serial_pass
  - user_or_serial – either the User user_or_serial or a serial
  - passw –
  - options – Dict containing values for “g” and “clientip”
- Returns
  - Tuple of True/False and reply-dictionary
- privacyidea.lib.policydecorators.auth_otppin(wrapped_function, *args, **kwds)
Decorator for the tokenclass.check_pin function.
Depending on ACTION.OTPPIN it
  - either simply accepts an empty pin,
  - checks the pin against the userstore,
  - or passes the request to the wrapped_function.
If ACTION.OTPPIN is ACTIONVALUE.USERSTORE, the result is written to options[“otppin_userstore_success”] for use in subsequent calls to this function in the same request (when checking all tokens of a user).
- Parameters
  - wrapped_function – In this case the wrapped function should be privacyidea.lib.tokenclass.TokenClass.check_pin()
  - *args – args[1] is the pin
  - **kwds – kwds[“options”] contains the flask g
- Returns
  - True or False
- privacyidea.lib.policydecorators.auth_user_does_not_exist(wrapped_function, user_object, passw, options=None)
This decorator checks whether the user exists at all. If the user exists, the wrapped function is called.
The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={}).
- Parameters
  - wrapped_function –
  - user_object –
  - passw –
  - options – Dict containing values for “g” and “clientip”
- Returns
  - Tuple of True/False and reply-dictionary
- privacyidea.lib.policydecorators.auth_user_has_no_token(wrapped_function, user_object, passw, options=None)
This decorator checks whether the user has a token at all. If the user has a token, the wrapped function is called.
The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={}).
- Parameters
  - wrapped_function –
  - user_object –
  - passw –
  - options – Dict containing values for “g” and “clientip”
- Returns
  - Tuple of True/False and reply-dictionary
- privacyidea.lib.policydecorators.auth_user_passthru(wrapped_function, user_object, passw, options=None)
This decorator checks the policy settings of ACTION.PASSTHRU. If the authentication against the userstore is not successful, the wrapped function is called.
The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={}).
- Parameters
  - wrapped_function –
  - user_object –
  - passw –
  - options – Dict containing values for “g” and “clientip”
- Returns
  - Tuple of True/False and reply-dictionary
- privacyidea.lib.policydecorators.auth_user_timelimit(wrapped_function, user_object, passw, options=None)
This decorator checks the policy settings of ACTION.AUTHMAXSUCCESS and ACTION.AUTHMAXFAIL. If the authentication was successful, it checks whether the number of allowed successful authentications is exceeded (AUTHMAXSUCCESS).
If AUTHMAXFAIL is exceeded, it denies even a successful authentication.
The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={}).
- Parameters
  - wrapped_function –
  - user_object –
  - passw –
  - options – Dict containing values for “g” and “clientip”
- Returns
  - Tuple of True/False and reply-dictionary
- privacyidea.lib.policydecorators.challenge_response_allowed(func)
This decorator is used to wrap tokenclass.is_challenge_request. It checks whether a challenge-response authentication is allowed for this token type. To allow it, the policy scope:authentication, action:challenge_response must be set.
If the tokentype is not allowed for challenge_response, this decorator returns False.
See challenge_response.
- Parameters
  - func – wrapped function
- privacyidea.lib.policydecorators.config_lost_token(wrapped_function, *args, **kwds)
Decorator for the lib.token.lost_token function. Depending on ACTION.LOSTTOKENVALID, ACTION.LOSTTOKENPWCONTENTS and ACTION.LOSTTOKENPWLEN it sets the check_otp parameter, to signal how the lost token should be generated.
- Parameters
  - wrapped_function – Usually the function lost_token()
  - *args – argument “serial” as the old serial number
  - **kwds – keyword arguments like “validity”, “contents”, “pw_len”; kwds[“options”] contains the flask g
- Returns
  - calls the original function with the modified “validity”, “contents” and “pw_len” arguments
- privacyidea.lib.policydecorators.force_challenge_response(wrapped_function, user_object, passw, options=None)
- class privacyidea.lib.policydecorators.libpolicy(decorator_function)
This is the decorator wrapper to call a specific function before a library call, in contrast to prepolicy and postpolicy, which are called in API calls.
The decorator expects a named parameter “options”. In this options dict it will look for the flask global “g”.
- Parameters
  - decorator_function (function) – This is the policy function that is to be called
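The following is an added, self-contained illustration of the pattern behind the libpolicy wrapper and the auth_user_timelimit decorator described above; it is not privacyIDEA's own code. A stand-in `G` class replaces flask's `g`, the policy values are assumed to be `(count, window_seconds)` tuples, the user store and the `run_scenario` helper are constructed for the example, and the success/fail history is kept in an in-memory audit list instead of the database.

```python
import time
from functools import wraps


class G:
    """Stand-in for flask's g (assumption): carries the policies and an
    in-memory audit log of (underlying_result, timestamp) entries per user."""
    def __init__(self, policy):
        self.policy = policy
        self.audit = {}


def libpolicy(decorator_function):
    """Decorator wrapper: run decorator_function before the lib call, handing it
    the wrapped function and the original arguments (including options=...)."""
    def outer(wrapped_function):
        @wraps(wrapped_function)
        def inner(*args, **kwds):
            return decorator_function(wrapped_function, *args, **kwds)
        return inner
    return outer


def _count(events, outcome, window):
    """Number of audit entries with the given outcome inside the last `window` seconds."""
    now = time.time()
    return sum(1 for ok, ts in events if ok == outcome and now - ts <= window)


def auth_user_timelimit(wrapped_function, user_object, passw, options=None):
    """Constructed analogue of the AUTHMAXSUCCESS / AUTHMAXFAIL check."""
    g = (options or {})["g"]                      # the flask g is taken from options
    res, reply = wrapped_function(user_object, passw, options=options)
    events = g.audit.setdefault(user_object, [])
    underlying = res
    max_success = g.policy.get("auth_max_success")  # (count, window_seconds)
    max_fail = g.policy.get("auth_max_fail")        # (count, window_seconds)
    if res and max_success and _count(events, True, max_success[1]) >= max_success[0]:
        res, reply = False, {"message": "too many successful authentications"}
    # AUTHMAXFAIL denies even a correct credential once the failure budget is spent.
    if res and max_fail and _count(events, False, max_fail[1]) >= max_fail[0]:
        res, reply = False, {"message": "too many failed authentications"}
    events.append((underlying, time.time()))      # log the real check, not the denial
    return res, reply


USERS = {"alice": "secret1"}  # constructed sample credential store


@libpolicy(auth_user_timelimit)
def check_user_pass(user_object, passw, options=None):
    ok = USERS.get(user_object) == passw
    return ok, {"message": "matching 1 tokens" if ok else "wrong otp pin"}


def run_scenario(policy, attempts, user="alice"):
    """Authenticate each attempt in turn under `policy`; return the outcomes."""
    opts = {"g": G(policy), "clientip": "192.0.2.10"}
    return [check_user_pass(user, p, options=opts)[0] for p in attempts]
```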
- privacyidea.lib.policydecorators.login_mode(wrapped_function, *args, **kwds)
Decorator for the lib.auth.check_webui_user function. Depending on ACTION.LOGINMODE it sets the check_otp parameter, to signal that the authentication should be performed against privacyIDEA.
- Parameters
  - wrapped_function – Usually the function check_webui_user
  - *args – arguments user_obj and password
  - **kwds – keyword arguments like options and check_otp; kwds[“options”] contains the flask g
- Returns
  - calls the original function with the modified “check_otp” argument
- privacyidea.lib.policydecorators.reset_all_user_tokens(wrapped_function, *args, **kwds)
Resets all tokens if the corresponding policy is set.
- Parameters
  - token – The successful token; its owner is used to find policies.
  - tokenobject_list – The list of all the tokens of the user
  - options – options dictionary containing g
- Returns
  - None