API Policies

Pre Policies

These are the policy decorators as PRE conditions for the API calls. I.e. these conditions are executed before the wrapped API call. This module uses the policy base functions from privacyidea.lib.policy but also components from flask like g.

Wrapping the functions in a decorator class enables easy modular testing.

The functions of this module are tested in tests/test_api_lib_policy.py

privacyidea.api.lib.prepolicy.check_base_action(request=None, action=None)

This decorator function takes the request and verifies the given action for the SCOPE ADMIN or USER. :param req: :param action: :return: True otherwise raises an Exception

privacyidea.api.lib.prepolicy.check_max_token_realm(request=None, action=None)

Pre Policy This checks the maximum token per realm. Check ACTION.MAXTOKENREALM

This decorator can wrap:

/token/init (with a realm and user) /token/assign /token/tokenrealms

Parameters:

• req (Request Object) – The request that is intercepted during the API call
• action (basestring) – An optional Action

Returns:

True otherwise raises an Exception

privacyidea.api.lib.prepolicy.check_max_token_user(request=None, action=None)

Pre Policy This checks the maximum token per user policy. Check ACTION.MAXTOKENUSER

This decorator can wrap:

/token/init (with a realm and user) /token/assign

Parameters:

• req –
• action –

Returns:

True otherwise raises an Exception

privacyidea.api.lib.prepolicy.check_token_init(request=None, action=None)

This decorator function takes the request and verifies if the requested tokentype is allowed to be enrolled in the SCOPE ADMIN or the SCOPE USER. :param request: :param action: :return: True or an Exception is raised

privacyidea.api.lib.prepolicy.check_token_upload(request=None, action=None)

This decorator function takes the request and verifies the given action for scope ADMIN :param req: :param filename: :return:

privacyidea.api.lib.prepolicy.init_random_pin(request=None, action=None)

This policy function is to be used as a decorator in the API init function. If the policy is set accordingly it adds a random PIN to the request.all_data like.

It uses the policy SCOPE.ENROLL, ACTION.OTPPINRANDOM to set a random OTP PIN during Token enrollment

privacyidea.api.lib.prepolicy.init_tokenlabel(request=None, action=None)

This policy function is to be used as a decorator in the API init function. It adds the tokenlabel definition to the params like this: params : { “tokenlabel”: “<u>@<r>” }

It uses the policy SCOPE.ENROLL, ACTION.TOKENLABEL to set the tokenlabel of Smartphone tokens during enrollment and this fill the details of the response.

class privacyidea.api.lib.prepolicy.prepolicy(function, request, action=None)

This is the decorator wrapper to call a specific function before an API call. The prepolicy decorator is to be used in the API calls.

privacyidea.api.lib.prepolicy.set_realm(request=None, action=None)

Pre Policy This pre condition gets the current realm and verifies if the realm should be rewritten due to the policy definition. I takes the realm from the request and - if a policy matches - replaces this realm with the realm defined in the policy

Check ACTION.SETREALM

This decorator should wrap

/validate/check

Parameters:

• req (Request Object) – The request that is intercepted during the API call
• action (basestring) – An optional Action

Returns:

Always true. Modified the parameter request

Post Policies

These are the policy decorators as POST conditions for the API calls. I.e. these conditions are executed after the wrapped API call. This module uses the policy base functions from privacyidea.lib.policy but also components from flask like g.

Wrapping the functions in a decorator class enables easy modular testing.

The functions of this module are tested in tests/test_api_lib_policy.py

privacyidea.api.lib.postpolicy.autoassign(request, response)

This decorator decorates the function /validate/check. Depending on ACTION.AUTOASSIGN it checks if the user has no token and if the given OTP-value matches a token in the users realm, that is not yet assigned to any user.

If a token can be found, it assigns the token to the user also taking into account ACTION.MAXTOKENUSER and ACTION.MAXTOKENREALM. :return:

privacyidea.api.lib.postpolicy.check_serial(request, response)

This policy function is to be used in a decorator of an API function. It checks, if the token, that was used in the API call has a serial number that is allowed to be used.

If not, a PolicyException is raised.

Parameters:response (Response object) – The response of the decorated function Returns:A new (maybe modified) response

privacyidea.api.lib.postpolicy.check_tokentype(request, response)

This policy function is to be used in a decorator of an API function. It checks, if the token, that was used in the API call is of a type that is allowed to be used.

If not, a PolicyException is raised.

Parameters:response (Response object) – The response of the decorated function Returns:A new (maybe modified) response

privacyidea.api.lib.postpolicy.no_detail_on_fail(request, response)

This policy function is used with the AUTHZ scope. If the boolean value no_detail_on_fail is set, the details will be stripped if the authentication request failed.

Parameters:

• request –
• response –

Returns:

privacyidea.api.lib.postpolicy.no_detail_on_success(request, response)

This policy function is used with the AUTHZ scope. If the boolean value no_detail_on_success is set, the details will be stripped if the authentication request was successful.

Parameters:

• request –
• response –

Returns:

class privacyidea.api.lib.postpolicy.postpolicy(function, request=None)

Decorator that allows to call a specific function after the decorated function. The postpolicy decorator is to be used in the API calls.