Add a key and a value to the DB tokeninfo :param key: :param value: :return:
High level interface which covers the check_pin and check_otp This is the method that verifies single shot authentication like they are done with push button tokens.
It is a high level interface to support other tokens as well, which do not have a pin and otp separation - they could overwrite this method
If the authentication succeeds an OTP counter needs to be increased, i.e. the OTP value that was used for this authentication is invalidated!
Parameters: |
|
---|---|
Returns: | returns tuple of 1. true or false for the pin match, 2. the otpcounter (int) and the 3. reply (dict) that will be added as
|
Return type: | tuple |
Just clean up all challenges, for which the expiration has expired.
Returns: | None |
---|
This function checks the count_auth and the count_auth_success. If the count_auth is less than count_auth_max and count_auth_success is less than count_auth_success_max it returns True. Otherwise False.
Returns: | success if the counter is less than max |
---|---|
Return type: | bool |
This method verifies if there is a matching challenge for the given passw and also verifies if the response is correct.
It then returns the new otp_counter of the token.
In case of success the otp_counter will be >= 0.
Parameters: |
|
---|---|
Returns: | return otp_counter. If -1, challenge does not match |
Return type: | int |
Checks if the failcounter is exceeded. It returns True, if the failcounter is less than maxfail :return: True or False
This checks the OTP value, AFTER the upper level did the checkPIN
In the base class we do not know, how to calculate the OTP value. So we return -1. In case of success, we should return >=0, the counter
Parameters: |
|
---|---|
Returns: | counter of the matching OTP value. |
Return type: | int |
checks if the given OTP value is/are values of this very token. This is used to autoassign and to determine the serial number of a token.
Parameters: |
|
---|---|
Returns: | True or a value > 0 in case of success |
Check the PIN of the given Password. Usually this is only dependent on the token itself, but the user object can cause certain policies.
Each token could implement its own PIN checking behaviour.
Parameters: |
|
---|---|
Returns: | If the PIN is correct, return True |
Return type: | bool |
This checks if the datetime.datetime.now() is within the validity period of the token.
Returns: | success |
---|---|
Return type: | bool |
This method creates a challenge, which is submitted to the user. The submitted challenge will be preserved in the challenge database.
If no transaction id is given, the system will create a transaction id and return it, so that the response can refer to this transaction.
Parameters: |
|
---|---|
Returns: | tuple of (bool, message, transactionid, attributes) |
Return type: | tuple |
The return tuple builds up like this: bool if submit was successful; message which is displayed in the JSON response; additional attributes, which are displayed in the JSON response.
This returns the token data as a dictionary. It is used to display the token list at /token/list.
Returns: | The token data as dict |
---|---|
Return type: | dict |
Returns a hashlib function for a given string :param hLibStr: the hashlib :type hLibStr: string :return: the hashlib :rtype: function
to complete the token normalisation, the response of the initialiastion should be build by this token specific method.
get_init_detail returns additional information after an admin/init like the QR code of an HOTP/TOTP token. Can be anything else.
Parameters: |
|
---|---|
Returns: | additional descriptions |
Return type: | dict |
return the status of the token rollout
Returns: | return the status dict. |
---|---|
Return type: | dict |
This returns a dictionary of multiple future OTP values of a token.
Parameters: |
|
---|---|
Returns: | True/False, error text, OTP dictionary |
Return type: | Tuple |
The default token does not support getting the otp value will return a tuple of four values a negative value is a failure.
Returns: | something like: (1, pin, otpval, combined) |
---|
Return a list of realms the token is assigned to :return: realms :rtype:l list
return the complete token info or a single key of the tokeninfo. When returning the complete token info dictionary encrypted entries are not decrypted. If you want to receive a decrypted value, you need to call it directly with the key.
Parameters: |
|
---|---|
Returns: | the value for the key |
Return type: | int or string |
return the user (owner) of a token If the token has no owner assigned, we return None
Returns: | The owner of the token |
---|---|
Return type: | User object |
returns the end of validity period (if set) if not set, “” is returned. :return: the end of the validity period :rtype: string
returns the start of validity period (if set) if not set, “” is returned. :return: the start of the validity period :rtype: string
return the token state as dicts with keys like type, token, mode... :return: token as dict
Increase the counter, that counts authentications - successful and unsuccessful
Increase the otp counter and store the token in the database :param counter: the new counter value. If counter is given, than
the counter is increased by (counter+1) If the counter is not given, the counter is increased by +1
Parameters: | reset (bool) – reset the failcounter if set to True |
---|---|
Returns: | the new counter value |
This method checks, if this is a request, that triggers a challenge.
The default behaviour to trigger a challenge is, if the passw parameter only contains the correct token pin and the request contains a data or a challenge key i.e. if the options parameter contains a key data or challenge.
Each token type can decide on its own under which condition a challenge is triggered by overwriting this method.
please note: in case of pin policy == 2 (no pin is required) the check_pin would always return true! Thus each request containing a data or challenge would trigger a challenge!
Parameters: |
|
---|---|
Returns: | true or false |
Return type: | bool |
This method checks, if this is a request, that is the response to a previously sent challenge.
The default behaviour to check if this is the response to a previous challenge is simply by checking if the request contains a parameter state or transactionid i.e. checking if the options parameter contains a key state or transactionid.
This method does not try to verify the response itself! It only determines, if this is a response for a challenge or not. The response is verified in check_challenge_response.
Parameters: |
|
---|---|
Returns: | true or false |
Return type: | bool |
Sets the counter for the occurred login attepms as key “count_auth” in token info :param count: a number :type count: int
Sets the counter for the maximum allowed login attemps as key “count_auth_max” in token info :param count: a number :type count: int
Sets the counter for the occurred successful logins as key “count_auth_success” in token info :param count: a number :type count: int
Sets the counter for the maximum allowed successful logins as key “count_auth_success_max” in token info :param count: a number :type count: int
Set the description on the database level
Parameters: | description (string) – description of the token |
---|
set the PIN of a token. Usually the pin is stored in a hashed way. :param pin: the pin to be set for the token :type pin: basestring :param encrypt: If set to True, the pin is stored encrypted and
can be retrieved from the database again
Set the list of the realms of a token. :param realms: realms the token should be assigned to :type realms: list
Set the tokeninfo field in the DB. Old values will be deleted. :param info: dictionary with key and value :type info: dict :return:
Set the tokentype in this object and also in the underlying database-Token-object.
Parameters: | tokentype (string) – The type of the token like HOTP or TOTP |
---|
Set the user attributes (uid, resolvername, resolvertype) of a token.
Parameters: |
|
---|---|
Returns: | None |
(was setUid) Set the user attributes of a token :param uid: The user id in the user source :param resolvername: The name of the resolver :param resolvertype: The type of the resolver :return: None
sets the end date of the validity period for a token :param end_date: the end date in the format “%d/%m/%y %H:%M”
if the format is wrong, the method will throw an exception
sets the start date of the validity period for a token :param start_date: the start date in the format “%d/%m/%y %H:%M”
if the format is wrong, the method will throw an exception
Split the password into the token PIN and the OTP value
take the given password and split it into the PIN and the OTP value. The splitting can be dependent of certain policies. The policies may depend on the user.
Each token type may define its own way to slit the PIN and the OTP value.
Parameters: |
|
---|---|
Returns: | tuple of pin and otp value |
Returns: | tuple of (split status, pin, otp value) |
Return type: | tuple |
Token to implement a registration code. It can be used to create a registration code or a “TAN” which can be used once by a user to authenticate somewhere. After this registration code is used, the token is automatically deleted.
The idea is to provide a workflow, where the user can get a registration code by e.g. postal mail and then use this code as the initial first factor to authenticate to the UI to enroll real tokens.
A registration code can be created by an administrative task with the token/init api like this:
Example Authentication Request:
POST /auth HTTP/1.1 Host: example.com Accept: application/json type=register user=cornelius realm=realm1Example response:
HTTP/1.1 200 OK Content-Type: application/json { "detail": { "registrationcode": "12345808124095097608" }, "id": 1, "jsonrpc": "2.0", "result": { "status": true, "value": true }, "version": "privacyIDEA unknown" }
This checks the static password
Parameters: | anOtpVal – This contains the “OTP” value, which is the static |
---|
password :return: result of password check, 0 in case of success, -1 if fail :rtype: int
returns a subtree of the token definition
Parameters: |
|
---|---|
Returns: | subsection if key exists or user defined |
Return type: | dict or scalar |
Token to implement an X509 certificate. The certificate can be enrolled by sending a CSR to the server. privacyIDEA is capable of working with different CA connectors.
Valid parameters are request or certificate, both PEM encoded. If you pass a request you also need to pass the ca that should be used to sign the request. Passing a certificate just uploads the certificate to a new token object.
A certificate token can be created by an administrative task with the token/init api like this:
Example Authentication Request:
POST /auth HTTP/1.1 Host: example.com Accept: application/json type=certificate user=cornelius realm=realm1 request=<PEM encoded request> ca=<name of the ca connector>Example response:
HTTP/1.1 200 OK Content-Type: application/json { "detail": { "certificate": "...PEM..." }, "id": 1, "jsonrpc": "2.0", "result": { "status": true, "value": true }, "version": "privacyIDEA unknown" }