14.3.1. The database model
class privacyidea.models.Admin(**kwargs)
The administrators for managing the system. To manage the administrators use the command pi-manage.
In addition, certain realms can be defined to be administrative realms.
Parameters:
- username (basestring) – The username of the admin
- password (basestring) – The password of the admin (stored as a PBKDF2 hash with salt and pepper)
- email (basestring) – The email address of the admin (not used at the moment)
class privacyidea.models.Audit(action='', success=0, serial='', token_type='', user='', realm='', resolver='', administrator='', action_detail='', info='', privacyidea_server='', client='', loglevel='default', clearance_level='default')
This class stores the audit entries.
class privacyidea.models.CAConnector(name, catype)
The table “caconnector” contains the names and types of the defined CA connectors. Each connector has a different configuration, which is stored in the table “caconnectorconfig”.
class privacyidea.models.CAConnectorConfig(caconnector_id=None, Key=None, Value=None, caconnector=None, Type='', Description='')
Each CAConnector can have multiple configuration entries. Each CA connector type can have different required config values. Therefore the configuration is stored in simple key/value pairs. If the type of a config entry is set to “password”, the value of this config entry is stored encrypted.
The config entries are referenced by the id of the CA connector.
class privacyidea.models.Challenge(serial, transaction_id=None, challenge=u'', data=u'', session=u'', validitytime=120)
Table for handling of the generic challenges.
    get(timestamp=False)
    Return a dictionary of all vars in the challenge class.
    Parameters: timestamp (bool) – if true, the timestamp will be given in a readable format, e.g. 2014-11-29 21:56:43.057293
    Returns: dict of vars
    get_otp_status()
    This returns how many OTPs were already received for this challenge and whether a valid OTP was received.
    Returns: tuple of count and True/False
    Return type: tuple
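The following is an added example, not privacyIDEA's own code: an in-memory model of the challenge lifecycle described above. It reproduces the documented behaviour (a challenge is valid for validitytime seconds, default 120; get(timestamp=True) renders the timestamp as a readable string such as 2014-11-29 21:56:43.057293; get_otp_status() returns the number of received OTPs and whether a valid one arrived; cleanup_challenges() removes only the expired entries). The record_otp() helper and the now parameter are assumptions of this example, and all timestamps are constructed.

```python
"""Illustrative in-memory model of privacyIDEA's challenge lifecycle.

Added example, not the project's own code. record_otp() and the ``now``
parameter of cleanup_challenges() are assumptions made for the example.
"""

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional


@dataclass
class Challenge:
    serial: str
    transaction_id: str
    timestamp: datetime                 # creation time of the challenge
    challenge: str = ""
    data: str = ""
    session: str = ""
    validitytime: int = 120             # seconds, same default as the model
    otps: List[bool] = field(default_factory=list)  # one entry per received OTP: was it valid?

    @property
    def expiration(self) -> datetime:
        return self.timestamp + timedelta(seconds=self.validitytime)

    def is_expired(self, now: datetime) -> bool:
        # A challenge is usable strictly before its expiration instant.
        return now >= self.expiration

    def record_otp(self, valid: bool) -> None:
        """Assumed helper: called for every OTP submitted against this challenge."""
        self.otps.append(valid)

    def get_otp_status(self):
        """(count of received OTPs, True if any of them was valid)."""
        return len(self.otps), any(self.otps)

    def get(self, timestamp: bool = False) -> Dict[str, Any]:
        """Dictionary of the challenge's fields; with timestamp=True the
        datetime is rendered as a readable string instead of an object."""
        count, valid = self.get_otp_status()
        return {
            "serial": self.serial,
            "transaction_id": self.transaction_id,
            "challenge": self.challenge,
            "data": self.data,
            "session": self.session,
            "validitytime": self.validitytime,
            "timestamp": str(self.timestamp) if timestamp else self.timestamp,
            "otp_received": count > 0,
            "otp_valid": valid,
        }


def cleanup_challenges(challenges: List[Challenge], now: Optional[datetime] = None) -> List[Challenge]:
    """Return only the challenges still valid at ``now`` (default: current local time).
    In the real table the expired rows would be deleted; here they are dropped."""
    if now is None:
        now = datetime.now()
    return [c for c in challenges if not c.is_expired(now)]
```

Because the expiry is computed from the stored creation timestamp, a clock that runs behind on the database host extends every challenge's lifetime; run the cleanup with the same clock that issues the challenges.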
class privacyidea.models.ClientApplication(**kwargs)
This table stores the clients which sent an authentication request to privacyIDEA. This table is filled automatically by authentication requests.
class privacyidea.models.Config(Key, Value, Type=u'', Description=u'')
The config table holds all the system configuration in key/value pairs.
Additional configuration for realms, resolvers and machine resolvers is stored in specific tables.
class privacyidea.models.EventHandler(name, event, handlermodule, action, condition='', ordering=0, options=None, id=None, conditions=None, active=True)
This model holds the list of defined events and the actions bound to these events. A handler module can be bound to an event with the corresponding condition and action.
class privacyidea.models.EventHandlerCondition(eventhandler_id, Key, Value, comparator='equal')
Each EventHandler entry can have additional conditions according to the handler module.
class privacyidea.models.EventHandlerOption(eventhandler_id, Key, Value, Type='', Description='')
Each EventHandler entry can have additional options according to the handler module.
class privacyidea.models.MachineResolver(name, rtype)
This model holds the definition of the machine store. Machines could be located in flat files, an LDAP directory, Puppet services or elsewhere.
The usual MachineResolver just holds a name, a type and a reference to its config.
class privacyidea.models.MachineResolverConfig(resolver_id=None, Key=None, Value=None, resolver=None, Type='', Description='')
Each Machine Resolver can have multiple configuration entries. The config entries are referenced by the id of the machine resolver.
class privacyidea.models.MachineToken(machineresolver_id=None, machineresolver=None, machine_id=None, token_id=None, serial=None, application=None)
The MachineToken assigns a Token and an application type to a machine. The machine is represented as the tuple of machineresolver.id and the machine_id. The machine_id is defined by the machineresolver.
This can be an n:m mapping.
class privacyidea.models.MachineTokenOptions(machinetoken_id, key, value)
This class holds an option for the token assigned to a certain client machine. Each token/client-machine combination can have several options.
class privacyidea.models.MethodsMixin
This class mixes in some common class table functions like delete and save.
class privacyidea.models.PasswordReset(recoverycode, username, realm, resolver='', email=None, timestamp=None, expiration=None, expiration_seconds=3600)
Table for handling password resets. This table stores the recovery codes sent to a given user.
The application should save the HASH of the recovery code. Just like the password for the admins, the application shall salt and pepper the hash of the recovery code. A database admin will then not be able to inject a rogue recovery code.
A user can get several recovery codes. A recovery code has a validity period.
Optional: The email address to which the recovery code was sent can be stored.
class privacyidea.models.Policy(name, active=True, scope='', action='', realm='', adminrealm='', resolver='', user='', client='', time='', condition=0, check_all_resolvers=False)
The policy table contains policy definitions which control the behaviour during
- enrollment
- authentication
- authorization
- administration
- user actions
class privacyidea.models.RADIUSServer(**kwargs)
This table can store configurations of RADIUS servers. https://github.com/privacyidea/privacyidea/issues/321
It saves
- a unique name
- a description
- an IP address
- a port
- a secret
These RADIUS server definitions can be used in RADIUS tokens or in a RADIUS passthru policy.
class privacyidea.models.Realm(realm)
The realm table contains the defined realms. User resolvers can be grouped into realms. This table contains just the names of the realms. The linking to resolvers is stored in the table “resolverrealm”.
class privacyidea.models.Resolver(name, rtype)
The table “resolver” contains the names and types of the defined user resolvers. As each resolver can have different required config values, the configuration of the resolvers is stored in the table “resolverconfig”.
class privacyidea.models.ResolverConfig(resolver_id=None, Key=None, Value=None, resolver=None, Type='', Description='')
Each Resolver can have multiple configuration entries. Each resolver type can have different required config values. Therefore the configuration is stored in simple key/value pairs. If the type of a config entry is set to “password”, the value of this config entry is stored encrypted.
The config entries are referenced by the id of the resolver.
class privacyidea.models.ResolverRealm(resolver_id=None, realm_id=None, resolver_name=None, realm_name=None, priority=None)
This table stores which resolver is located in which realm. This is an N:M relation.
class privacyidea.models.SMSGateway(identifier, providermodule, description=None, options=None)
This table stores the SMS gateway definitions. See https://github.com/privacyidea/privacyidea/wiki/concept:-Delivery-Gateway
It saves
- a unique name
- a description
- the SMS provider module
All options and parameters are saved in other tables.
    option_dict
    Return all connected options as a dictionary.
    Returns: dict
class privacyidea.models.SMSGatewayOption(gateway_id, Key, Value, Type=None)
This table stores the options and parameters for an SMS gateway definition.
class privacyidea.models.SMTPServer(**kwargs)
This table can store configurations for SMTP servers. Each entry represents an SMTP server. Email tokens, SMS SMTP gateways and notifications like PIN handlers are supposed to use a reference to a server definition.
class privacyidea.models.Subscription(**kwargs)
This table stores the imported subscription files.
class privacyidea.models.TimestampMethodsMixin
This class mixes in the table functions including update of the timestamp.
class privacyidea.models.Token(serial, tokentype=u'', isactive=True, otplen=6, otpkey=u'', userid=None, resolver=None, realm=None, **kwargs)
The table “token” contains the basic token data like
- serial number
- assigned user
- secret key...
while the table “tokeninfo” contains additional information that is specific to the tokentype.
    del_info(key=None)
    Deletes tokeninfo for a given token. If the key is omitted, all tokeninfo is deleted.
    Parameters: key – the key of the tokeninfo entry to delete
    get(key=None, fallback=None, save=False)
    Simulate the dict behaviour to make challenge processing easier, as this will also have to deal with ‘dict only challenges’.
    Parameters:
    - key – the attribute name; if key is not provided, a dict of all class attributes is returned
    - fallback – if the attribute is not found, the fallback is returned
    - save – when all attributes are returned and save==True, the timestamp is converted to a string representation
    get_hashed_pin(pin)
    Calculate a hash from a PIN.
    Fix for working with MS SQL servers: MS SQL servers sometimes return a ‘<space>’ when the column is empty (‘’).
    set_info(info)
    Set the additional token info for this token.
    Entries that end with ”.type” are used as type for the keys. I.e. two entries sshkey=”XYZ” and sshkey.type=”password” will store the key sshkey as type “password”.
    Parameters: info (dict) – The key-values to set for this token
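The following is an added example, not privacyIDEA's own implementation, of the ".type" convention above: it turns a set_info() dictionary into tokeninfo rows, attaching each "<key>.type" entry as the Type of "<key>", and passes values typed "password" through an encrypt callable before they are stored, the treatment this page describes for resolver and CA connector config entries of that type. Applying that treatment to tokeninfo, the encrypt callable, the redacted() helper and the sample dictionary are assumptions constructed for the example. A ".type" entry with no matching key is rejected rather than silently stored as an ordinary entry.

```python
"""Illustrative conversion of a set_info() dictionary into tokeninfo rows.

Added example, not privacyIDEA's code. The ``encrypt`` hook, redacted() and
the encryption of password-typed tokeninfo values are assumptions of the example.
"""

from typing import Callable, Dict, List, NamedTuple, Optional

TYPE_SUFFIX = ".type"


class TokenInfoRow(NamedTuple):
    """One row of the tokeninfo table: Key, Value and optional Type."""
    key: str
    value: str
    type: Optional[str]


def orphan_type_keys(info: Dict[str, str]) -> List[str]:
    """Base keys that have a '<key>.type' entry but no '<key>' entry."""
    typed = {k[: -len(TYPE_SUFFIX)] for k in info if k.endswith(TYPE_SUFFIX)}
    return sorted(typed - set(info))


def to_tokeninfo_rows(info: Dict[str, str], encrypt: Callable[[str], str]) -> List[TokenInfoRow]:
    """Split ``info`` into rows; '<key>.type' entries become the Type column of '<key>'."""
    orphans = orphan_type_keys(info)
    if orphans:
        raise ValueError("type given for unknown key(s): %s" % ", ".join(orphans))
    rows = []
    for key, value in info.items():
        if key.endswith(TYPE_SUFFIX):
            continue                      # consumed as the Type of its base key
        row_type = info.get(key + TYPE_SUFFIX)
        if row_type == "password":
            value = encrypt(value)        # never store password-typed values in clear
        rows.append(TokenInfoRow(key, value, row_type))
    return rows


def redacted(rows: List[TokenInfoRow]) -> Dict[str, str]:
    """Dump rows for logs or API output without leaking password-typed values."""
    return {r.key: ("***" if r.type == "password" else r.value) for r in rows}
```

The orphan check matters because a stray "foo.type" entry would otherwise be written as a plain key named "foo.type", and a later set_info() for "foo" would pick up that stale type.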
    set_realms(realms, add=False)
    Set the list of the realms. This is done by filling the tokenrealm table.
    Parameters:
    - realms (list) – realms
    - add – If set, the realms are added, i.e. old realms are not deleted
    set_so_pin(soPin)
    For smartcards this sets the security officer PIN of the token.
    Return type: None
    split_pin_pass(passwd, prepend=True)
    The password is split into the PIN and the OTP component. The token knows its OTP length, so it can split accordingly.
    Parameters:
    - passwd – The password that is to be split
    - prepend – The PIN is put in front of the OTP value
    Returns: tuple of (res, pin, otpval)
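The following is an added example, not privacyIDEA's own code, of the splitting rule described for split_pin_pass(): there is no separator between PIN and OTP, so the token's OTP length (otplen, default 6) decides where the cut goes, and prepend selects whether the PIN precedes or follows the OTP value. The example also handles the case the rule leaves open, an input shorter than one OTP value: naive negative slicing would silently treat the whole input as the OTP with an empty PIN, so the failure is reported in the res flag instead. The otplen parameter and the treatment of the too-short case are assumptions of this example.

```python
"""Illustrative PIN/OTP splitting as documented for Token.split_pin_pass().

Added example, not privacyIDEA's code. The explicit ``otplen`` parameter and
the handling of too-short input are assumptions made for the example.
"""

from typing import Tuple


def split_pin_pass(passwd: str, otplen: int = 6, prepend: bool = True) -> Tuple[bool, str, str]:
    """Return (res, pin, otpval).

    res is False when ``passwd`` cannot contain a complete OTP value; in that case
    the whole input is handed back as the PIN and otpval is empty, so the caller
    fails the authentication instead of comparing a truncated string as an OTP.
    """
    if otplen <= 0:
        raise ValueError("otplen must be positive")
    if len(passwd) < otplen:
        # passwd[-otplen:] on a short string would return the whole string and
        # passwd[:-otplen] an empty PIN, misclassifying the input. Refuse instead.
        return False, passwd, ""
    if prepend:
        # PIN first, OTP value is the trailing otplen characters.
        return True, passwd[:-otplen], passwd[-otplen:]
    # OTP value first, PIN is whatever follows it.
    return True, passwd[otplen:], passwd[:otplen]
```

Because the cut is purely positional, a PIN that itself ends in digits is indistinguishable from OTP digits; this is why the OTP length is fixed per token rather than inferred from the input.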
class privacyidea.models.TokenInfo(token_id, Key, Value, Type=None, Description=None)
The table “tokeninfo” is used to store additional, long information that is specific to the tokentype. E.g. the tokentype “TOTP” has additional entries in the tokeninfo table for “timeStep” and “timeWindow”, which are stored in the columns “Key” and “Value”.
The tokeninfo is referenced by the foreign key to the “token” table.
class privacyidea.models.TokenRealm(realm_id=0, token_id=0, realmname=None)
This table stores to which realms a token is assigned. A token is in the realm of the user it is assigned to. But a token can also be put into many additional realms.
privacyidea.models.cleanup_challenges()
Delete all challenges that have expired.
Returns: None
privacyidea.models.get_machineresolver_id(resolvername)
Return the database ID of the machine resolver.
Parameters: resolvername – the name of the machine resolver
Returns: the database ID of the machine resolver
privacyidea.models.get_machinetoken_id(machine_id, resolver_name, serial, application)
Returns the ID in the machinetoken table.
Parameters:
- machine_id (basestring) – The resolver-dependent machine_id
- resolver_name (basestring) – The name of the resolver
- serial (basestring) – the serial number of the token
- application (basestring) – The application type
Returns: The ID of the machinetoken entry
Return type: int