13.3.2.5. Policy Module

Base function to handle the policy entries in the database. This module only depends on the db/models.py

The functions of this module are tested in tests/test_lib_policy.py

A policy has the attributes

• name
• scope
• action
• realm
• resolver
• user
• client
• active

name is the unique identifier of a policy. scope is the area, where this policy is meant for. This can be values like admin, selfservice, authentication... scope takes only one value.

active is bool and indicates, whether a policy is active or not.

action, realm, resolver, user and client can take a comma separated list of values.

13.3.2.5.1. realm and resolver

If these are empty ‘*’, this policy matches each requested realm.

13.3.2.5.2. user

If the user is empty or ‘*’, this policy matches each user. You can exclude users from matching this policy, by prepending a ‘-‘ or a ‘!’. *, -admin will match for all users except the admin.

13.3.2.5.3. client

The client is identified by its IP address. A policy can contain a list of IP addresses or subnets. You can exclude clients from subnets by prepending the client with a ‘-‘ or a ‘!’. 172.16.0.0/24, -172.16.0.17 will match each client in the subnet except the 172.16.0.17.

class privacyidea.lib.policy.ACTION

This is the list of usual actions.

ASSIGN = 'assign'

AUDIT = 'auditlog'

AUTHITEMS = 'fetch_authentication_items'

AUTOASSIGN = 'autoassignment'

CACONNECTORDELETE = 'caconnectordelete'

CACONNECTORREAD = 'caconnectorread'

CACONNECTORWRITE = 'caconnectorwrite'

COPYTOKENPIN = 'copytokenpin'

COPYTOKENUSER = 'copytokenuser'

DELETE = 'delete'

DISABLE = 'disable'

ENABLE = 'enable'

ENCRYPTPIN = 'encrypt_pin'

GETSERIAL = 'getserial'

IMPORT = 'importtokens'

LOGINMODE = 'login_mode'

LOGOUTTIME = 'logout_time'

LOSTTOKEN = 'losttoken'

LOSTTOKENPWCONTENTS = 'losttoken_PW_contents'

LOSTTOKENPWLEN = 'losttoken_PW_length'

LOSTTOKENVALID = 'losttoken_valid'

MACHINELIST = 'machinelist'

MACHINERESOLVERDELETE = 'mresolverdelete'

MACHINERESOLVERWRITE = 'mresolverwrite'

MACHINETOKENS = 'manage_machine_tokens'

MAXTOKENREALM = 'max_token_per_realm'

MAXTOKENUSER = 'max_token_per_user'

NODETAILFAIL = 'no_detail_on_fail'

NODETAILSUCCESS = 'no_detail_on_success'

OTPPIN = 'otppin'

OTPPINCONTENTS = 'otp_pin_contents'

OTPPINMAXLEN = 'otp_pin_maxlength'

OTPPINMINLEN = 'otp_pin_minlength'

OTPPINRANDOM = 'otp_pin_random'

PASSNOTOKEN = 'passOnNoToken'

PASSNOUSER = 'passOnNoUser'

PASSTHRU = 'passthru'

POLICYDELETE = 'policydelete'

POLICYWRITE = 'policywrite'

RESET = 'reset'

RESOLVERDELETE = 'resolverdelete'

RESOLVERWRITE = 'resolverwrite'

RESYNC = 'resync'

SERIAL = 'serial'

SET = 'set'

SETPIN = 'setpin'

SETREALM = 'setrealm'

SYSTEMDELETE = 'configdelete'

SYSTEMWRITE = 'configwrite'

TOKENLABEL = 'tokenlabel'

TOKENREALMS = 'tokenrealms'

TOKENTYPE = 'tokentype'

UNASSIGN = 'unassign'

USERLIST = 'userlist'

class privacyidea.lib.policy.ACTIONVALUE

This is a list of usual action values for e.g. policy action-values like otppin.

NONE = 'none'

TOKENPIN = 'tokenpin'

USERSTORE = 'userstore'

class privacyidea.lib.policy.LOGINMODE

This is the list of possible values for the login mode.

PRIVACYIDEA = 'privacyIDEA'

USERSTORE = 'userstore'

class privacyidea.lib.policy.PolicyClass

The Policy_Object will contain all database policy entries for easy filtering and mangling. It will be created at the beginning of the request and is supposed to stay alive unchanged during the request.

get_action_values(action, scope='authorization', realm=None, resolver=None, user=None, client=None, unique=False, allow_white_space_in_action=False)

Get the defined action values for a certain action like

scope: authorization action: tokentype

would return a list of the tokentypes

scope: authorization action: serial

would return a list of allowed serials

Parameters:

• unique – if set, the function will raise an exception if more than one value is returned
• allow_white_space_in_action (bool) – Some policies like emailtext would allow entering text with whitespaces. These whitespaces must not be used to seperate action values!

Returns:

A list of the allowed tokentypes

Return type:

list

get_policies(name=None, scope=None, realm=None, active=None, resolver=None, user=None, client=None, action=None)

Return the policies of the given filter values

Parameters:

• name –
• scope –
• realm –
• active –
• resolver –
• user –
• client –
• action –

Returns:

list of policies

Return type:

list of dicts

class privacyidea.lib.policy.SCOPE

This is the list of the allowed scopes that can be used in policy definitions.

ADMIN = 'admin'

AUDIT = 'audit'

AUTH = 'authentication'

AUTHZ = 'authorization'

ENROLL = 'enrollment'

GETTOKEN = 'gettoken'

USER = 'user'

WEBUI = 'webui'

privacyidea.lib.policy.delete_policy(*args, **kwds)

Function to delete one named policy

Parameters:name – the name of the policy to be deleted Returns:the count of the deleted policies. Return type:int

privacyidea.lib.policy.enable_policy(*args, **kwds)

Enable or disable the policy with the given name :param name: :return: ID of the policy

privacyidea.lib.policy.export_policies(*args, **kwds)

This function takes a policy list and creates an export file from it

Parameters:policies (list of policy dictionaries) – a policy definition Returns:the contents of the file Return type:string

privacyidea.lib.policy.get_static_policy_definitions(*args, **kwds)

These are the static hard coded policy definitions. They can be enhanced by token based policy definitions, that can be found int lib.token.get_dynamic_policy_definitions.

Parameters:scope (basestring) – Optional the scope of the policies Returns:allowed scopes with allowed actions, the type of action and a

description. :rtype: dict

privacyidea.lib.policy.import_policies(*args, **kwds)

This function imports policies from a file. The file has a config_object format, i.e. the text file has a header

[<policy_name>] key = value

and key value pairs.

Parameters:file_contents (basestring) – The contents of the file Returns:number of imported policies Return type:int

privacyidea.lib.policy.set_policy(*args, **kwds)

Function to set a policy. If the policy with this name already exists, it updates the policy. It expects a dict of with the following keys: :param name: The name of the policy :param scope: The scope of the policy. Something like “admin”, “system”, “authentication” :param action: A scope specific action or a comma seperated list of actions :type active: basestring :param realm: A realm, for which this policy is valid :param resolver: A resolver, for which this policy is valid :param user: A username or a list of usernames :param time: N/A if type() :param client: A client IP with optionally a subnet like 172.16.0.0/16 :param active: If the policy is active or not :type active: bool :return: The database ID od the the policy :rtype: int