13.2.1.5. Policy Module

Base function to handle the policy entries in the database. This module only depends on the db/models.py

The functions of this module are tested in tests/test_lib_policy.py

A policy has the attributes

  • name
  • scope
  • action
  • realm
  • resolver
  • user
  • client
  • active

name is the unique identifier of a policy. scope is the area, where this policy is meant for. This can be values like admin, selfservice, authentication... scope takes only one value.

active is bool and indicates, whether a policy is active or not.

action, realm, resolver, user and client can take a comma separated list of values.

13.2.1.5.1. realm and resolver

If these are empty ‘*’, this policy matches each requested realm.

13.2.1.5.2. user

If the user is empty or ‘*’, this policy matches each user. You can exclude users from matching this policy, by prepending a ‘-‘ or a ‘!’. *, -admin will match for all users except the admin.

13.2.1.5.3. client

The client is identified by its IP address. A policy can contain a list of IP addresses or subnets. You can exclude clients from subnets by prepending the client with a ‘-‘ or a ‘!’. 172.16.0.0/24, -172.16.0.17 will match each client in the subnet except the 172.16.0.17.

class privacyidea.lib.policy.ACTION[source]

This is the list of usual actions.

ADDUSER = 'adduser'
APIKEY = 'api_key_required'
ASSIGN = 'assign'
AUDIT = 'auditlog'
AUTHITEMS = 'fetch_authentication_items'
AUTHMAXFAIL = 'auth_max_fail'
AUTHMAXSUCCESS = 'auth_max_success'
AUTOASSIGN = 'autoassignment'
CACONNECTORDELETE = 'caconnectordelete'
CACONNECTORREAD = 'caconnectorread'
CACONNECTORWRITE = 'caconnectorwrite'
CHALLENGERESPONSE = 'challenge_response'
CONFIGDOCUMENTATION = 'system_documentation'
COPYTOKENPIN = 'copytokenpin'
COPYTOKENUSER = 'copytokenuser'
DEFAULT_TOKENTYPE = 'default_tokentype'
DELETE = 'delete'
DELETEUSER = 'deleteuser'
DISABLE = 'disable'
ENABLE = 'enable'
ENCRYPTPIN = 'encrypt_pin'
GETSERIAL = 'getserial'
IMPORT = 'importtokens'
LASTAUTH = 'last_auth'
LOGINMODE = 'login_mode'
LOGOUTTIME = 'logout_time'
LOSTTOKEN = 'losttoken'
LOSTTOKENPWCONTENTS = 'losttoken_PW_contents'
LOSTTOKENPWLEN = 'losttoken_PW_length'
LOSTTOKENVALID = 'losttoken_valid'
MACHINELIST = 'machinelist'
MACHINERESOLVERDELETE = 'mresolverdelete'
MACHINERESOLVERWRITE = 'mresolverwrite'
MACHINETOKENS = 'manage_machine_tokens'
MANGLE = 'mangle'
MAXTOKENREALM = 'max_token_per_realm'
MAXTOKENUSER = 'max_token_per_user'
NODETAILFAIL = 'no_detail_on_fail'
NODETAILSUCCESS = 'no_detail_on_success'
OTPPIN = 'otppin'
OTPPINCONTENTS = 'otp_pin_contents'
OTPPINMAXLEN = 'otp_pin_maxlength'
OTPPINMINLEN = 'otp_pin_minlength'
OTPPINRANDOM = 'otp_pin_random'
PASSNOTOKEN = 'passOnNoToken'
PASSNOUSER = 'passOnNoUser'
PASSTHRU = 'passthru'
PINHANDLING = 'pinhandling'
POLICYDELETE = 'policydelete'
POLICYTEMPLATEURL = 'policy_template_url'
POLICYWRITE = 'policywrite'
REMOTE_USER = 'remote_user'
RESET = 'reset'
RESOLVERDELETE = 'resolverdelete'
RESOLVERWRITE = 'resolverwrite'
RESYNC = 'resync'
REVOKE = 'revoke'
SERIAL = 'serial'
SET = 'set'
SETHSM = 'set_hsm_password'
SETPIN = 'setpin'
SETREALM = 'setrealm'
SYSTEMDELETE = 'configdelete'
SYSTEMWRITE = 'configwrite'
TOKENLABEL = 'tokenlabel'
TOKENPAGESIZE = 'token_page_size'
TOKENREALMS = 'tokenrealms'
TOKENTYPE = 'tokentype'
UNASSIGN = 'unassign'
UPDATEUSER = 'updateuser'
USERDETAILS = 'user_details'
USERLIST = 'userlist'
USERPAGESIZE = 'user_page_size'
class privacyidea.lib.policy.ACTIONVALUE[source]

This is a list of usual action values for e.g. policy action-values like otppin.

DISABLE = 'disable'
NONE = 'none'
TOKENPIN = 'tokenpin'
USERSTORE = 'userstore'
class privacyidea.lib.policy.AUTOASSIGNVALUE[source]

This is the possible values for autoassign

NONE = 'any_pin'
USERSTORE = 'userstore'
class privacyidea.lib.policy.LOGINMODE[source]

This is the list of possible values for the login mode.

DISABLE = 'disable'
PRIVACYIDEA = 'privacyIDEA'
USERSTORE = 'userstore'
class privacyidea.lib.policy.PolicyClass[source]

The Policy_Object will contain all database policy entries for easy filtering and mangling. It will be created at the beginning of the request and is supposed to stay alive unchanged during the request.

get_action_values(action, scope='authorization', realm=None, resolver=None, user=None, client=None, unique=False, allow_white_space_in_action=False)[source]
Get the defined action values for a certain action like
scope: authorization action: tokentype

would return a list of the tokentypes

scope: authorization action: serial

would return a list of allowed serials

Parameters:
  • unique

    if set, the function will raise an exception if more

    than one value is returned

  • allow_white_space_in_action (bool) – Some policies like emailtext would allow entering text with whitespaces. These whitespaces must not be used to separate action values!
Returns:

A list of the allowed tokentypes

Return type:

list

get_policies(name=None, scope=None, realm=None, active=None, resolver=None, user=None, client=None, action=None, adminrealm=None)[source]

Return the policies of the given filter values

Parameters:
  • name
  • scope
  • realm
  • active
  • resolver
  • user
  • client
  • action
  • adminrealm – This is the realm of the admin. This is only evaluated in the scope admin.
Returns:

list of policies

Return type:

list of dicts

ui_get_enroll_tokentypes(client, logged_in_user)[source]

Return a dictioary of the allowed tokentypes for the logged in user. This used for the token enrollment UI.

It looks like this:

{“hotp”: “HOTP: event based One Time Passwords”,
“totp”: “TOTP: time based One Time Passwords”, “spass”: “SPass: Simple Pass token. Static passwords”, “motp”: “mOTP: classical mobile One Time Passwords”, “sshkey”: “SSH Public Key: The public SSH key”, “yubikey”: “Yubikey AES mode: One Time Passwords with Yubikey”, “remote”: “Remote Token: Forward authentication request to another server”, “yubico”: “Yubikey Cloud mode: Forward authentication request to YubiCloud”, “radius”: “RADIUS: Forward authentication request to a RADIUS server”, “email”: “EMail: Send a One Time Passwort to the users email address”, “sms”: “SMS: Send a One Time Password to the users mobile phone”, “certificate”: “Certificate: Enroll an x509 Certificate Token.”}
Parameters:
  • client (basestring) – Client IP address
  • logged_in_user (dict) – The Dict of the logged in user
Returns:

list of token types, the user may enroll

ui_get_rights(scope, realm, username, client=None)[source]

Get the rights derived from the policies for the given realm and user. Works for admins and normal users. It fetches all policies for this user and compiles a maximum list of allowed rights, that can be used to hide certain UI elements.

Parameters:
  • scope – Can be SCOPE.ADMIN or SCOPE.USER
  • realm – Is either user users realm or the adminrealm
  • username – The loginname of the user
  • client – The HTTP client IP
Returns:

A list of actions

class privacyidea.lib.policy.REMOTE_USER[source]

The list of possible values for the remote_user policy.

ACTIVE = 'allowed'
DISABLE = 'disable'
class privacyidea.lib.policy.SCOPE[source]

This is the list of the allowed scopes that can be used in policy definitions.

ADMIN = 'admin'
AUDIT = 'audit'
AUTH = 'authentication'
AUTHZ = 'authorization'
ENROLL = 'enrollment'
GETTOKEN = 'gettoken'
USER = 'user'
WEBUI = 'webui'
privacyidea.lib.policy.delete_policy(*args, **kwds)[source]

Function to delete one named policy

Parameters:name – the name of the policy to be deleted
Returns:the count of the deleted policies.
Return type:int
privacyidea.lib.policy.enable_policy(*args, **kwds)[source]

Enable or disable the policy with the given name :param name: :return: ID of the policy

privacyidea.lib.policy.export_policies(*args, **kwds)[source]

This function takes a policy list and creates an export file from it

Parameters:policies (list of policy dictionaries) – a policy definition
Returns:the contents of the file
Return type:string
privacyidea.lib.policy.get_static_policy_definitions(*args, **kwds)[source]

These are the static hard coded policy definitions. They can be enhanced by token based policy definitions, that can be found in lib.token.get_dynamic_policy_definitions.

Parameters:scope (basestring) – Optional the scope of the policies
Returns:allowed scopes with allowed actions, the type of action and a

description. :rtype: dict

privacyidea.lib.policy.import_policies(*args, **kwds)[source]

This function imports policies from a file. The file has a config_object format, i.e. the text file has a header

[<policy_name>] key = value

and key value pairs.

Parameters:file_contents (basestring) – The contents of the file
Returns:number of imported policies
Return type:int
privacyidea.lib.policy.set_policy(*args, **kwds)[source]

Function to set a policy. If the policy with this name already exists, it updates the policy. It expects a dict of with the following keys: :param name: The name of the policy :param scope: The scope of the policy. Something like “admin”, “system”, “authentication” :param action: A scope specific action or a comma separated list of actions :type active: basestring :param realm: A realm, for which this policy is valid :param resolver: A resolver, for which this policy is valid :param user: A username or a list of usernames :param time: N/A if type() :param client: A client IP with optionally a subnet like 172.16.0.0/16 :param active: If the policy is active or not :type active: bool :return: The database ID od the the policy :rtype: int