Base function to handle the policy entries in the database. This module only depends on the db/models.py
The functions of this module are tested in tests/test_lib_policy.py
A policy has the attributes
- name
- scope
- action
- realm
- resolver
- user
- client
- active
name is the unique identifier of a policy. scope is the area this policy is meant for; this can be a value like admin, selfservice, authentication... scope takes only one value.
active is a bool and indicates whether a policy is active or not.
action, realm, resolver, user and client can take a comma separated list of values.
If realm or resolver is empty or '*', this policy matches each requested realm or resolver.
If the user is empty or '*', this policy matches each user. You can exclude users from matching this policy by prepending a '-' or a '!'. "*, -admin" will match all users except the admin.
The client is identified by its IP address. A policy can contain a list of IP addresses or subnets. You can exclude clients from subnets by prepending the client with a '-' or a '!'. "172.16.0.0/24, -172.16.0.17" will match each client in the subnet except 172.16.0.17.
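The realm/resolver, user and client rules above are easy to get subtly wrong (an exclusion must win over a wildcard, and a single excluded host must be carved out of a subnet that otherwise matches). The following is an added, stand-alone Python example that implements exactly those rules as described here; it is not the module's own code, and the function names (value_matches, user_matches, client_matches, match_policies), the sample policies and the choice that an empty client list matches every client are assumptions made for the example.

```python
import ipaddress


def _split_list(value):
    """Split a comma separated policy attribute into stripped, non-empty items."""
    if value is None:
        return []
    return [v.strip() for v in str(value).split(",") if v.strip()]


def value_matches(policy_value, requested):
    """realm / resolver rule: empty or '*' matches every requested value,
    otherwise the requested value must be one of the listed entries."""
    entries = _split_list(policy_value)
    if not entries or "*" in entries:
        return True
    return requested in entries


def user_matches(policy_user, username):
    """user rule: empty or '*' matches every user; an entry prefixed with
    '-' or '!' excludes that user, and an exclusion always wins."""
    entries = _split_list(policy_user)
    if not entries:
        return True
    excluded = {e[1:].strip() for e in entries if e[0] in "-!"}
    included = {e for e in entries if e[0] not in "-!"}
    if username in excluded:
        return False
    return "*" in included or username in included


def client_matches(policy_client, client_ip):
    """client rule: a list of IPs or subnets; a '-' or '!' prefix excludes
    that address or subnet from an otherwise matching entry.
    Assumption: an empty client list matches every client, mirroring the
    realm and user rules; an unknown client IP only matches such a policy."""
    entries = _split_list(policy_client)
    if not entries:
        return True
    if client_ip is None:
        return False
    ip = ipaddress.ip_address(client_ip)
    included, excluded = [], []
    for e in entries:
        if e[0] in "-!":
            # strict=False lets a bare host such as 172.16.0.17 become a /32
            excluded.append(ipaddress.ip_network(e[1:].strip(), strict=False))
        else:
            included.append(ipaddress.ip_network(e, strict=False))
    if any(ip in net for net in excluded):
        return False
    return any(ip in net for net in included)


def match_policies(policies, scope, realm=None, resolver=None,
                   username=None, client_ip=None):
    """Return the names of the active policies in `scope` whose realm,
    resolver, user and client attributes all match the request."""
    names = []
    for pol in policies:
        if not pol.get("active", True) or pol.get("scope") != scope:
            continue
        if not (value_matches(pol.get("realm"), realm)
                and value_matches(pol.get("resolver"), resolver)
                and user_matches(pol.get("user"), username)
                and client_matches(pol.get("client"), client_ip)):
            continue
        names.append(pol["name"])
    return names


# Constructed sample policies in the attribute format described above.
POLICIES = [
    {"name": "admin_all", "scope": "admin", "action": "enable, disable",
     "realm": "*", "resolver": "", "user": "*, -admin",
     "client": "172.16.0.0/24, -172.16.0.17", "active": True},
    {"name": "auth_realm1", "scope": "authentication", "action": "otppin",
     "realm": "realm1", "resolver": "", "user": "", "client": "",
     "active": True},
    {"name": "disabled_pol", "scope": "authentication", "action": "otppin",
     "realm": "*", "resolver": "", "user": "", "client": "",
     "active": False},
]

if __name__ == "__main__":
    print(match_policies(POLICIES, "admin", realm="realm1",
                         username="alice", client_ip="172.16.0.5"))
    print(match_policies(POLICIES, "admin", realm="realm1",
                         username="admin", client_ip="172.16.0.5"))
```

Because exclusions are evaluated before inclusions, "*, -admin" still denies admin and "172.16.0.0/24, -172.16.0.17" still denies the one host even though a wildcard or a containing subnet is present; an implementation that checks inclusions first would silently grant the excluded entries.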
This is the list of usual actions.
This is a list of usual action values, e.g. for policy actions like otppin.
This is the list of possible values for the login mode.
The Policy_Object will contain all database policy entries for easy filtering and mangling. It will be created at the beginning of the request and is supposed to stay alive unchanged during the request.
Get the defined action values for a certain action. For example, the action in scope authorization that restricts token types would return a list of the token types, and
scope: authorization, action: serial
would return a list of allowed serials.
Parameters:
  unique – if set, the function will raise an exception if more than one value is returned
Returns: a list of the allowed tokentypes
Return type: list
This is the list of the allowed scopes that can be used in policy definitions.
Function to delete one named policy.
Parameters:
  name – the name of the policy to be deleted
Returns: the count of the deleted policies.
Return type: int
Enable or disable the policy with the given name.
Parameters:
  name – the name of the policy
Returns: ID of the policy
This function takes a policy list and creates an export file from it.
Parameters:
  policies (list of policy dictionaries) – a policy definition
Returns: the contents of the file
Return type: string
These are the static hard coded policy definitions. They can be enhanced by token based policy definitions, which can be found in lib.token.get_dynamic_policy_definitions.
Parameters:
  scope (basestring) – Optional: the scope of the policies
Returns: allowed scopes with allowed actions, the type of action and a description.
Return type: dict
This function imports policies from a file. The file has a config_object format, i.e. the text file has a header followed by key value pairs:
[<policy_name>]
key = value
Parameters:
  file_contents (basestring) – The contents of the file
Returns: number of imported policies
Return type: int
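The export function described earlier and the import function described here are inverses of each other over the [<policy_name>] / key = value text format. The following is an added example, not the module's own code, showing one way to implement that round trip with the standard library's configparser; the function names export_policies and import_policies, the sample policy and the handling of the active flag (stored as text, read back as a bool) are assumptions made for the example.

```python
import configparser
import io


def export_policies(policies):
    """Render a list of policy dicts as config_object text:
    one [<policy_name>] section per policy, one key = value line per attribute."""
    cp = configparser.ConfigParser(interpolation=None)
    for pol in policies:
        name = pol["name"]
        cp.add_section(name)
        for key, value in pol.items():
            if key == "name":
                continue  # the name is the section header, not a key
            # configparser only stores strings; None becomes an empty value
            cp.set(name, key, "" if value is None else str(value))
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def import_policies(file_contents):
    """Parse config_object text back into policy dicts.
    Returns (number of imported policies, list of policy dicts)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(file_contents)
    policies = []
    for name in cp.sections():
        pol = {"name": name}
        for key, value in cp.items(name):
            if key == "active":
                # assumption: the exported bool comes back as "True"/"False" text
                pol[key] = value.strip().lower() in ("true", "1", "yes")
            else:
                pol[key] = value
        policies.append(pol)
    return len(policies), policies


# Constructed sample policy using the attributes described at the top of this page.
SAMPLE_POLICIES = [
    {"name": "admin_all", "scope": "admin", "action": "enable, disable",
     "realm": "*", "resolver": "", "user": "*, -admin",
     "client": "172.16.0.0/24, -172.16.0.17", "active": True},
]


def roundtrip(policies):
    """Export the policies, import the text again and return the result."""
    return import_policies(export_policies(policies))


if __name__ == "__main__":
    print(export_policies(SAMPLE_POLICIES))
    print(roundtrip(SAMPLE_POLICIES))
```

The round trip is the property worth testing for any importer of this format: everything that export writes must come back unchanged from import, including empty attributes (which configparser writes as "key = " and reads back as an empty string) and the comma separated lists, which are left as plain text here and only split when a policy is evaluated.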
Function to set a policy. If the policy with this name already exists, it updates the policy. It expects a dict with the following keys:
Parameters:
  name – The name of the policy
  scope – The scope of the policy. Something like "admin", "system", "authentication"
  action (basestring) – A scope specific action or a comma separated list of actions
  realm – A realm, for which this policy is valid
  resolver – A resolver, for which this policy is valid
  user – A username or a list of usernames
  time – N/A
  client – A client IP with optionally a subnet like 172.16.0.0/16
  active (bool) – If the policy is active or not
Returns: The database ID of the policy
Return type: int