Policy Decorators

These are the policy decorator functions for internal (lib) policy decorators. Policy decorators for the API (pre/post) are defined in api/lib/policy.

The functions of this module are tested in tests/test_lib_policy_decorator.py

privacyidea.lib.policydecorators.auth_otppin(wrapped_function, *args, **kwds)[source]

Decorator to decorate the tokenclass.check_pin function. Depending on ACTION.OTPPIN, it

  • either simply accepts an empty pin
  • checks the pin against the userstore
  • or passes the request to the wrapped_function

Parameters:

  • wrapped_function – In this case the wrapped function should be tokenclass.check_pin
  • args – args[1] is the pin
  • kwds – kwds[“options”] contains the flask g

Returns: True or False

privacyidea.lib.policydecorators.auth_user_does_not_exist(wrapped_function, user_object, passw, options=None)[source]

This decorator checks whether the user exists at all. If the user exists, the wrapped function is called.

The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={})

Parameters:

  • wrapped_function
  • user_object
  • passw
  • options – Dict containing values for “g” and “clientip”

Returns: Tuple of True/False and reply-dictionary

privacyidea.lib.policydecorators.auth_user_has_no_token(wrapped_function, user_object, passw, options=None)[source]

This decorator checks if the user has a token at all. If the user has a token, the wrapped function is called.

The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={})

Parameters:

  • wrapped_function
  • user_object
  • passw
  • options – Dict containing values for “g” and “clientip”

Returns: Tuple of True/False and reply-dictionary

privacyidea.lib.policydecorators.auth_user_passthru(wrapped_function, user_object, passw, options=None)[source]

This decorator checks the policy settings of ACTION.PASSTHRU. If the authentication against the userstore is not successful, the wrapped function is called.

The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={})

Parameters:

  • wrapped_function
  • user_object
  • passw
  • options – Dict containing values for “g” and “clientip”

Returns: Tuple of True/False and reply-dictionary


This decorator is used to wrap tokenclass.is_challenge_request. It checks whether challenge response authentication is allowed for this token type. To allow this, the policy scope:authentication, action:challenge_response must be set.

If the tokentype is not allowed for challenge_response, this decorator returns false.

See challenge_response.

Parameters: func – wrapped function

privacyidea.lib.policydecorators.config_lost_token(wrapped_function, *args, **kwds)[source]

Decorator to decorate the lib.token.lost_token function. Depending on ACTION.LOSTTOKENVALID, ACTION.LOSTTOKENPWCONTENTS, ACTION.LOSTTOKENPWLEN it sets the check_otp parameter, to signal how the lostToken should be generated.

Parameters:

  • wrapped_function – Usually the function lost_token()
  • args – argument “serial” as the old serial number
  • kwds – keyword arguments like “validity”, “contents”, “pw_len”. kwds[“options”] contains the flask g

Returns: calls the original function with the modified “validity”, “contents” and “pw_len” arguments

class privacyidea.lib.policydecorators.libpolicy(decorator_function)[source]

This is the decorator wrapper to call a specific function before a library call, in contrast to prepolicy and postpolicy, which are to be called in API calls.

The decorator expects a named parameter “options”. In this options dict it will look for the flask global “g”.
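An added sketch, not privacyIDEA's own code, of how a libpolicy-style wrapper runs a decorator such as auth_user_passthru before the wrapped check, following the descriptions on this page. It shows that with the passthru policy active the userstore password alone is accepted, so such policies deserve review. The names lib_policy_sketch, passthru_sketch, policy_actions, the "passthru" string and the sample credentials are assumptions made for illustration.

```python
import functools
import hmac
from types import SimpleNamespace

USERSTORE = {"alice": "correct horse"}   # constructed sample userstore password
TOKEN_PASS = {"alice": "1234755224"}     # constructed PIN + OTP value

def same(a, b):
    return a is not None and hmac.compare_digest(a.encode(), b.encode())

class lib_policy_sketch:
    """Hypothetical stand-in for libpolicy: run decorator_function first."""
    def __init__(self, decorator_function):
        self.decorator_function = decorator_function

    def __call__(self, wrapped_function):
        @functools.wraps(wrapped_function)
        def policy_wrapper(*args, **kwds):
            return self.decorator_function(wrapped_function, *args, **kwds)
        return policy_wrapper

def passthru_sketch(wrapped_function, user, passw, options=None):
    """Model of the ACTION.PASSTHRU behaviour as described on this page."""
    g = (options or {}).get("g")
    # Assumption: without the flask g no policy can be read, so the token check runs.
    if g is not None and "passthru" in g.policy_actions:
        if same(USERSTORE.get(user), passw):
            return True, {"message": "accepted by userstore (passthru)"}
    return wrapped_function(user, passw, options)

@lib_policy_sketch(passthru_sketch)
def check_user_pass(user, passw, options=None):
    """Stand-in for token.check_user_pass: compares PIN + OTP."""
    ok = same(TOKEN_PASS.get(user), passw)
    return ok, {"message": "token check " + ("matched" if ok else "failed")}

def demo():
    g_on = SimpleNamespace(policy_actions={"passthru"})   # hypothetical attribute
    g_off = SimpleNamespace(policy_actions=set())
    return {
        "passthru_on": check_user_pass("alice", "correct horse", options={"g": g_on}),
        "passthru_off": check_user_pass("alice", "correct horse", options={"g": g_off}),
        "no_options": check_user_pass("alice", "correct horse"),
        "pin_otp": check_user_pass("alice", "1234755224", options={"g": g_off}),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```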

privacyidea.lib.policydecorators.login_mode(wrapped_function, *args, **kwds)[source]

Decorator to decorate the lib.auth.check_webui_user function. Depending on ACTION.LOGINMODE it sets the check_otp parameter, to signal that the authentication should be performed against privacyIDEA.

Parameters:

  • wrapped_function – Usually the function check_webui_user
  • args – arguments user_obj and password
  • kwds – keyword arguments like options and “check_otp”. kwds[“options”] contains the flask g

Returns: calls the original function with the modified “check_otp” argument