14.2.1.7. API Policies¶
14.2.1.7.1. Pre Policies¶
These are the policy decorators as PRE conditions for the API calls. I.e. these conditions are executed before the wrapped API call. This module uses the policy base functions from edumfa.lib.policy but also components from flask like g.
Wrapping the functions in a decorator class enables easy modular testing.
The functions of this module are tested in tests/test_api_lib_policy.py
- edumfa.api.lib.prepolicy.allowed_audit_realm(request=None, action=None)[source]¶
This decorator function takes the request and adds additional parameters to the request according to the policy for the SCOPE.ADMIN or ACTION.AUDIT :param request: :param action: :return: True
- edumfa.api.lib.prepolicy.api_key_required(request=None, action=None)[source]¶
This is a decorator for check_user_pass and check_serial_pass. It checks, if a policy scope=auth, action=apikeyrequired is set. If so, the validate request will only performed, if a JWT token is passed with role=validate.
- edumfa.api.lib.prepolicy.auditlog_age(request=None, action=None)[source]¶
This pre condition checks for the policy auditlog_age and set the “timelimit” parameter of the audit search API.
Check ACTION.AUDIT_AGE
The decorator can wrap GET /audit/
- Parameters:
request (Request Object) – The request that is intercepted during the API call
action (basestring) – An optional Action
- Returns:
Always true. Modified the parameter request
- edumfa.api.lib.prepolicy.check_admin_tokenlist(request=None, action=None)[source]¶
Depending on the policy scope=admin, action=tokenlist, the allowed_realms parameter is set to define, the token of which realms and administrator is allowed to see.
Sets the allowed_realms None: means the admin has no restrictions []: the admin can not see any realms [“realm1”, “realm2”…]: the admin can see these realms
- Parameters:
request
- Returns:
- edumfa.api.lib.prepolicy.check_anonymous_user(request=None, action=None)[source]¶
This decorator function takes the request and verifies the given action for the SCOPE USER without an authenticated user but the user from the parameters.
This is used with password_reset
- Parameters:
request
action
- Returns:
True otherwise raises an Exception
- edumfa.api.lib.prepolicy.check_base_action(request=None, action=None, anonymous=False)[source]¶
This decorator function takes the request and verifies the given action for the SCOPE ADMIN or USER.
- Parameters:
request
action
anonymous – If set to True, the user data is taken from the request parameters.
- Returns:
True otherwise raises an Exception
- edumfa.api.lib.prepolicy.check_custom_user_attributes(request=None, action=None)[source]¶
This pre condition checks for the policies delete_custom_user_attributes and set_custom_user_attributes, if the user or admin is allowed to set or deleted the requested attribute.
It decorates POST /user/attribute and DELETE /user/attribute/…
- Parameters:
request (Request Object) – The request that is intercepted during the API call
action – An optional action, (would be set/delete)
- Returns:
Raises a PolicyError, if the wrong attribute is given.
- edumfa.api.lib.prepolicy.check_external(request=None, action='init')[source]¶
This decorator is a hook to an external check function, that is called before the token/init or token/assign API.
- Parameters:
request (flask Request object) – The REST request
action (basestring) – This is either “init” or “assign”
- Returns:
either True or an Exception is raised
- edumfa.api.lib.prepolicy.check_max_token_realm(request=None, action=None)[source]¶
Pre Policy This checks the maximum token per realm. Check ACTION.MAXTOKENREALM
- This decorator can wrap:
/token/init (with a realm and user) /token/assign /token/tokenrealms
- Parameters:
req (Request Object) – The request that is intercepted during the API call
action (basestring) – An optional Action
- Returns:
True otherwise raises an Exception
- edumfa.api.lib.prepolicy.check_max_token_user(request=None, action=None)[source]¶
Pre Policy This checks the maximum token per user policy. Check ACTION.MAXTOKENUSER Check ACTION.MAXACTIVETOKENUSER
- This decorator can wrap:
/token/init (with a realm and user) /token/assign
- Parameters:
req
action
- Returns:
True otherwise raises an Exception
- edumfa.api.lib.prepolicy.check_otp_pin(request=None, action=None)[source]¶
This policy function checks if the OTP PIN that is about to be set follows the OTP PIN policies ACTION.OTPPINMAXLEN, ACTION.OTPPINMINLEN and ACTION.OTPPINCONTENTS and token-type-specific PIN policy actions in the SCOPE.USER or SCOPE.ADMIN. It is used to decorate the API functions.
The pin is investigated in the params as “otppin” or “pin”
In case the given OTP PIN does not match the requirements an exception is raised.
- edumfa.api.lib.prepolicy.check_token_init(request=None, action=None)[source]¶
This decorator function takes the request and verifies if the requested tokentype is allowed to be enrolled in the SCOPE ADMIN or the SCOPE USER. :param request: :param action: :return: True or an Exception is raised
- edumfa.api.lib.prepolicy.check_token_upload(request=None, action=None)[source]¶
This decorator function takes the request and verifies the given action for scope ADMIN :param req: :param filename: :return:
- edumfa.api.lib.prepolicy.encrypt_pin(request=None, action=None)[source]¶
This policy function is to be used as a decorator for several API functions. E.g. token/assign, token/setpin, token/init If the policy is set to define the PIN to be encrypted, the request.all_data is modified like this: encryptpin = True
It uses the policy SCOPE.ENROLL, ACTION.ENCRYPTPIN
- edumfa.api.lib.prepolicy.enroll_pin(request=None, action=None)[source]¶
This policy function is used as decorator for init token. It checks, if the user or the admin is allowed to set a token PIN during enrollment. If not, it deleted the PIN from the request.
- edumfa.api.lib.prepolicy.hide_audit_columns(request=None, action=None)[source]¶
This pre condition checks for the policy hide_audit_columns and sets the “hidden_columns” parameter for the audit search. The given columns will be removed from the returned audit dict.
Check ACTION.HIDE_AUDIT_COLUMNS
The decorator should wrap GET /audit/
- Parameters:
request (Request Object) – The request that is intercepted during the API call
action (basestring) – An optional Action
- Returns:
Always true. Modified the parameter request
- edumfa.api.lib.prepolicy.hide_tokeninfo(request=None, action=None)[source]¶
This decorator checks for the policy hide_tokeninfo and sets the hidden_tokeninfo parameter.
The given tokeninfo keys will be removed from the response.
The decorator wraps GET /token/
- Parameters:
request (Request Object) – The request that is intercepted during the API call
action (str) – An optional Action
- Returns:
Always true. Modifies the parameter request
- Return type:
bool
- edumfa.api.lib.prepolicy.increase_failcounter_on_challenge(request=None, action=None)[source]¶
This is a decorator for /validate/check, validate/triggerchallenge and auth which sets the parameter increase_failcounter_on_challenge
- edumfa.api.lib.prepolicy.indexedsecret_force_attribute(request, action)[source]¶
This is a token specific wrapper for indexedsecret token for the endpoint /token/init The otpkey is overwritten with the value from the user attribute specified in policy scope=SCOPE.USER and SCOPE.ADMIN, action=PIIXACTION.FORCE_ATTRIBUTE. :param request: :param action: :return:
- edumfa.api.lib.prepolicy.init_ca_connector(request=None, action=None)[source]¶
This is a pre decorator for the endpoint ‘/token/init’. It reads the policy scope=enrollment, action=certificate_ca_connector and sets the API parameter “ca” accordingly.
- Parameters:
request – The request to enhance
- Returns:
None, but we modify the request
- edumfa.api.lib.prepolicy.init_ca_template(request=None, action=None)[source]¶
This is a pre decorator for the endpoint ‘/token/init’. It reads the policy scope=enrollment, action=certificate_template and sets the API parameter “template” accordingly.
- Parameters:
request – The request to enhance
- Returns:
None, but we modify the request
- edumfa.api.lib.prepolicy.init_random_pin(request=None, action=None)[source]¶
This policy function is to be used as a decorator in the API init function If the policy is set accordingly it adds a random PIN to the request.all_data like.
It uses the policy SCOPE.ENROLL, ACTION.OTPPINRANDOM and ACTION.OTPPINCONTENTS to set a random OTP PIN during Token enrollment
- edumfa.api.lib.prepolicy.init_subject_components(request=None, action=None)[source]¶
This is a pre decorator for the endpoint ‘/token/init’. It reads the policy scope=enrollment, action=certificate_request_subject_component and sets the API parameter “subject_component” accordingly.
- Parameters:
request – The request to enhance
- Returns:
None, but we modify the request
- edumfa.api.lib.prepolicy.init_token_defaults(request=None, action=None)[source]¶
This policy function is used as a decorator for the API init function. Depending on policy settings it can add token specific default values like totp_hashlib, hotp_hashlib, totp_otplen…
- edumfa.api.lib.prepolicy.init_token_length_contents(request=None, action=None)[source]¶
This policy function is to be used as a decorator in the API token init function.
It can set the parameters for automatic code or password created in regards to length and contents for the tokentypes ‘registration’ and ‘pw’.
If there is a valid policy set the action values of REGISTRATIONCODE_LENGTH / PASSWORD_LENGTH and REGISTRATIONCODE_CONTENTS / PASSWORD_CONTENTS are added to request.all_data as
{ ‘registration.length’: ‘10’, ‘registration.contents’: ‘cn’ } or { ‘pw.length’: ‘10’, ‘pw.contents’: ‘cn’ }
- edumfa.api.lib.prepolicy.init_tokenlabel(request=None, action=None)[source]¶
This policy function is to be used as a decorator in the API init function. It adds the tokenlabel definition to the params like this: params : { “tokenlabel”: “<u>@<r>” }
In addition it adds the tokenissuer to the params like this: params : { “tokenissuer”: “eduMFA instance” }
It also checks if the force_app_pin policy is set and adds the corresponding value to params.
It uses the policy SCOPE.ENROLL, ACTION.TOKENLABEL and ACTION.TOKENISSUER to set the tokenlabel and tokenissuer of Smartphone tokens during enrollment and this fill the details of the response.
- edumfa.api.lib.prepolicy.is_remote_user_allowed(req, write_to_audit_log=True)[source]¶
Checks if the REMOTE_USER server variable is allowed to be used.
Note
This is not used as a decorator!
- Parameters:
req – The flask request, containing the remote user and the client IP
write_to_audit_log (bool) – whether the policy name should be added to the audit log entry
- Returns:
Return a value or REMOTE_USER, can be “disable”, “active” or “force”.
- Return type:
str
- edumfa.api.lib.prepolicy.legacypushtoken_wait(request, action)[source]¶
This is a auth specific wrapper to decorate /validate/check According to the policy scope=SCOPE.AUTH, action=push_wait
- Parameters:
request
action
- Returns:
- edumfa.api.lib.prepolicy.mangle(request=None, action=None)[source]¶
This pre condition checks if either of the parameters pass, user or realm in a validate/check request should be rewritten based on an authentication policy with action “mangle”. See mangle for an example.
Check ACTION.MANGLE
- This decorator should wrap
/validate/check
- Parameters:
request (Request Object) – The request that is intercepted during the API call
action (basestring) – An optional Action
- Returns:
Always true. Modified the parameter request
- edumfa.api.lib.prepolicy.mock_fail(req, action)[source]¶
This is a mock function as an example for check_external. This function creates a problem situation and the token/init or token/assign will show this exception accordingly.
- edumfa.api.lib.prepolicy.mock_success(req, action)[source]¶
This is a mock function as an example for check_external. This function returns success and the API call will go on unmodified.
- edumfa.api.lib.prepolicy.papertoken_count(request=None, action=None)[source]¶
This is a token specific wrapper for paper token for the endpoint /token/init. According to the policy scope=SCOPE.ENROLL, action=PAPERACTION.PAPER_COUNT it sets the parameter papertoken_count to enroll a paper token with such many OTP values.
- Parameters:
request
action
- Returns:
- class edumfa.api.lib.prepolicy.prepolicy(function, request, action=None)[source]¶
This is the decorator wrapper to call a specific function before an API call. The prepolicy decorator is to be used in the API calls. A prepolicy decorator then will modify the request data or raise an exception
- Parameters:
function (function) – This is the policy function the is to be called
request (Request Object) – The original request object, that needs to be passed
- edumfa.api.lib.prepolicy.pushtoken_add_config(request, action)[source]¶
This is a token specific wrapper for push token for the endpoint /token/init According to the policy scope=SCOPE.ENROLL, action=SSL_VERIFY or action=FIREBASE_CONFIG the parameters are added to the enrollment step. :param request: :param action: :return:
- edumfa.api.lib.prepolicy.pushtoken_disable_wait(request, action)[source]¶
This is used for the /auth endpoint and sets the PUSH_ACTION.WAIT parameter to False.
- Parameters:
request
action
- Returns:
- edumfa.api.lib.prepolicy.pushtoken_wait(request, action)[source]¶
This is a auth specific wrapper to decorate /validate/check According to the policy scope=SCOPE.AUTH, action=push_wait
- Parameters:
request
action
- Returns:
- edumfa.api.lib.prepolicy.realmadmin(request=None, action=None)[source]¶
This decorator adds the first REALM to the parameters if the administrator, calling this API is a realm admin. This way, if the admin calls e.g. GET /user without realm parameter, he will not see all users, but only users in one of his realms.
- TODO: If a realm admin is allowed to see more than one realm,
this is not handled at the moment. We need to change the underlying library functions!
- Parameters:
request – The HTTP reqeust
action – The action like ACTION.USERLIST
- edumfa.api.lib.prepolicy.require_description(request=None, action=None)[source]¶
Pre Policy This checks if a description is required to roll out a specific token. scope=SCOPE.ENROLL, action=REQUIRE_DESCRIPTION
An exception is raised, if the tokentypes specified in the REQUIRE_DESCRIPTION policy match the token to be rolled out, but no description is given.
- Parameters:
request
action
- Returns:
- edumfa.api.lib.prepolicy.required_email(request=None, action=None)[source]¶
This precondition checks if the “email” parameter matches the regular expression in the policy scope=register, action=requiredemail. See requiredemail.
Check ACTION.REQUIREDEMAIL
This decorator should wrap POST /register
- Parameters:
request – The Request Object
action – An optional Action
- Returns:
Modifies the request parameters or raises an Exception
- edumfa.api.lib.prepolicy.required_piv_attestation(request, action=None)[source]¶
This is a token specific decorator for certificate tokens for the endpoint /token/init According to the policy scope=SCOPE.ENROLL, action=REQUIRE_ATTESTATION an exception is raised, if no attestation parameter is given.
It also checks the policy if the attestation should be verified and sets the parameter verify_attestation accordingly.
- Parameters:
request
action
- Returns:
- edumfa.api.lib.prepolicy.save_client_application_type(request, action)[source]¶
This decorator is used to write the client IP and the HTTP user agent ( clienttype) to the database.
In fact this is not a policy decorator, as it checks no policy. In fact, we could however one day define this as a policy, too. :param req: :return:
- edumfa.api.lib.prepolicy.set_random_pin(request=None, action=None)[source]¶
This policy function is to be used as a decorator in the API setrandompin function If the policy is set accordingly it adds a random PIN to the request.all_data like.
It uses the policy ACTION.OTPPINSETRANDOM in SCOPE.ADMIN or SCOPE.USER to set a random OTP PIN
- edumfa.api.lib.prepolicy.set_realm(request=None, action=None)[source]¶
Pre Policy This pre condition gets the current realm and verifies if the realm should be rewritten due to the policy definition. I takes the realm from the request and - if a policy matches - replaces this realm with the realm defined in the policy
Check ACTION.SETREALM
- This decorator should wrap
/validate/check
- Parameters:
request (Request Object) – The request that is intercepted during the API call
action (basestring) – An optional Action
- Returns:
Always true. Modified the parameter request
- edumfa.api.lib.prepolicy.sms_identifiers(request=None, action=None)[source]¶
This is a token specific wrapper for sms tokens to be used with the endpoint /token/init. According to the policy scope=SCOPE.ADMIN or scope=SCOPE.USER action=SMSACTION.GATEWAYS the sms.identifier is only allowed to be set to the listed gateways.
- Parameters:
request
action
- Returns:
- edumfa.api.lib.prepolicy.tantoken_count(request=None, action=None)[source]¶
This is a token specific wrapper for tan token for the endpoint /token/init. According to the policy scope=SCOPE.ENROLL, action=TANACTION.TANTOKEN_COUNT it sets the parameter tantoken_count to enroll a tan token with such many OTP values.
- Parameters:
request
action
- Returns:
- edumfa.api.lib.prepolicy.twostep_enrollment_activation(request=None, action=None)[source]¶
This policy function enables the two-step enrollment process according to the configured policies. It is used to decorate the
/token/init
endpoint.If a
<type>_2step
policy matches, the2stepinit
parameter is handled according to the policy. If no policy matches, the2stepinit
parameter is removed from the request data.
- edumfa.api.lib.prepolicy.twostep_enrollment_parameters(request=None, action=None)[source]¶
If the
2stepinit
parameter is set to true, this policy function reads additional configuration from policies and adds it torequest.all_data
, that is:{type}_2step_serversize
is written to2step_serversize
{type}_2step_clientsize
is written to2step_clientsize
{type}_2step_difficulty
is written to2step_difficulty
If no policy matches, the value passed by the user is kept.
This policy function is used to decorate the
/token/init
endpoint.
- edumfa.api.lib.prepolicy.u2ftoken_allowed(request, action)[source]¶
- This is a token specific wrapper for u2f token for the endpoint
/token/init. According to the policy scope=SCOPE.ENROLL, action=U2FACTION.REQ it checks, if the assertion certificate is an allowed U2F token type.
If the token, which is enrolled contains a non allowed attestation certificate, we bail out.
- Parameters:
request
action
- Returns:
- edumfa.api.lib.prepolicy.u2ftoken_verify_cert(request, action)[source]¶
This is a token specific wrapper for u2f token for the endpoint /token/init According to the policy scope=SCOPE.ENROLL, action=U2FACTION.NO_VERIFY_CERT it can add a parameter to the enrollment parameters to not verify the attestation certificate. The default is to verify the cert. :param request: :param action: :return:
- edumfa.api.lib.prepolicy.verify_enrollment(request=None, action=None)[source]¶
This is used to verify an already enrolled token. The parameter “verify” is used to do so. If successful, the current rollout_state “verify” of the token will be changed to “enrolled”.
- Parameters:
request
action
- Returns:
- edumfa.api.lib.prepolicy.webauthntoken_allowed(request, action)[source]¶
This is a token specific wrapper for WebAuthn token for the endpoint /token/init.
According to the policy scope=SCOPE.ENROLL, action=WEBAUTHNACTION.REQ it checks, if the assertion certificate is for an allowed WebAuthn token type. According to the policy scope=SCOPE.ENROLL, action=WEBAUTHNACTION.AUTHENTICATOR_SELECTION_LIST it checks, whether the AAGUID is whitelisted. Note: If self-attestation is allowed, it is – of course – possible to bypass the check for WEBAUTHNACTION.REQ
If the token, which is being enrolled does not contain an allowed attestation certificate, or does not have an allowed AAGUID, we bail out.
A very similar check (same policy actions, different policy scope) is performed during authorization, however due to architectural limitations, this lives within the token implementation itself.
- Parameters:
request
action
- Returns:
- Return type:
- edumfa.api.lib.prepolicy.webauthntoken_auth(request, action)[source]¶
This is a WebAuthn token specific wrapper for the endpoints /validate/triggerchallenge, /validate/check, and /auth.
This will enrich the challenge creation request for WebAuthn tokens with the necessary configuration information from policy actions with scope=SCOPE.AUTH. The request will be augmented with the allowed transports and the text to display to the user when asking to confirm the challenge on the token, as specified by the actions WEBAUTHNACTION.ALLOWED_TRANSPORTS, and ACTION.CHALLENGETEXT, respectively.
Both of these policies are optional, and have sensible defaults.
- Parameters:
request
action
- Returns:
- Return type:
- edumfa.api.lib.prepolicy.webauthntoken_authz(request, action)[source]¶
This is a WebAuthn token specific wrapper for the /auth, and /validate/check endpoints.
This will enrich the authorization request for WebAuthn tokens with the necessary configuration information from policy actions with scope=SCOPE.AUTHZ. This is currently the authorization pendant to webauthntoken_allowed(), but maybe expanded to cover other authorization policies in the future, should any be added. The request will as of now simply be augmented with the policies the attestation certificate is to be matched against.
- Parameters:
request
action
- Returns:
- Return type:
- edumfa.api.lib.prepolicy.webauthntoken_enroll(request, action)[source]¶
This is a token specific wrapper for the WebAuthn token for the endpoint /token/init.
This will enrich the initialization request for WebAuthn tokens with the necessary configuration information from policy actions with scope=SCOPE.ENROLL. The request will be augmented with a name and id for the relying party, as specified by the with actions WEBAUTHNACTION.RELYING_PARTY_NAME and WEBAUTHNACTION.RELYING_PARTY_ID, respectively, authenticator attachment preference, public key credential algorithm preferences, authenticator attestation requirement level, authenticator attestation requirement form, allowed AAGUIDs, and the text to display to the user when asking to confirm the challenge on the token, as specified by the actions WEBAUTHNACTION.AUTHENTICATOR_ATTACHMENT, WEBAUTHNACTION.PUBLIC_KEY_CREDENTIAL_ALGORITHM_PREFERENCE, WEBAUTHNACTION.AUTHENTICATOR_ATTESTATION_LEVEL, WEBAUTHNACTION.AUTHENTICATOR_ATTESTATION_FORM, WEAUTHNACTION.AVOID_DOUBLE_REGISTRATION, WEBAUTHNACTION.AUTHENTICATOR_SELECTION_LIST, and ACTION.CHALLENGETEXT, respectively.
Setting WEBAUTHNACTION.RELYING_PARTY_NAME and WEBAUTHNACTION.RELYING_PARTY_ID is mandatory, and if either of these is not set, we bail out.
- Parameters:
request
action
- Returns:
- Return type:
- edumfa.api.lib.prepolicy.webauthntoken_request(request, action)[source]¶
This is a WebAuthn token specific wrapper for all endpoints using WebAuthn tokens.
This wraps the endpoints /token/init, /validate/triggerchallenge, /auth, and /validate/check. It will add WebAuthn configuration information to the requests, wherever a piece of information is needed for several different requests and thus cannot be provided by one of the more specific wrappers without adding unnecessary redundancy.
Depending on the type of request, the request will be augmented with some (or all) of the authenticator timeout, user verification requirement and list of allowed AAGUIDs for the current scope, as specified by the policies with the determined scope and the actions WEBAUTHNACTION.TIMEOUT, WEBAUTHNACTION.USER_VERIFICATION_REQUIREMENT, and WEBAUTHNACTION.AUTHENTICATOR_SELECTION_LIST, respectively.
The value of the ORIGIN http header will also be added to the request for the ENROLL and AUTHZ scopes. This is to make the unit tests not require mocking.
- Parameters:
request
action
- Returns:
- Return type:
14.2.1.7.2. Post Policies¶
These are the policy decorators as POST conditions for the API calls. I.e. these conditions are executed after the wrapped API call. This module uses the policy base functions from edumfa.lib.policy but also components from flask like g.
Wrapping the functions in a decorator class enables easy modular testing.
The functions of this module are tested in tests/test_api_lib_policy.py
- edumfa.api.lib.postpolicy.add_user_detail_to_response(request, response)[source]¶
This policy decorated is used in the AUTHZ scope. If the boolean value add_user_in_response is set, the details will contain a dictionary “user” with all user details.
- Parameters:
request
response
- Returns:
- edumfa.api.lib.postpolicy.autoassign(request, response)[source]¶
This decorator decorates the function /validate/check. Depending on ACTION.AUTOASSIGN it checks if the user has no token and if the given OTP-value matches a token in the users realm, that is not yet assigned to any user.
If a token can be found, it assigns the token to the user also taking into account ACTION.MAXTOKENUSER and ACTION.MAXTOKENREALM. :return:
- edumfa.api.lib.postpolicy.check_serial(request, response)[source]¶
This policy function is to be used in a decorator of an API function. It checks, if the token, that was used in the API call has a serial number that is allowed to be used.
If not, a PolicyException is raised.
- Parameters:
response (Response object) – The response of the decorated function
- Returns:
A new (maybe modified) response
- edumfa.api.lib.postpolicy.check_tokeninfo(request, response)[source]¶
This policy function is used as a decorator for the validate API. It checks after a successful authentication if the token has a matching tokeninfo field. If it does not match, authorization is denied. Then a PolicyException is raised.
- Parameters:
response (Response object) – The response of the decorated function
- Returns:
A new modified response
- edumfa.api.lib.postpolicy.check_tokentype(request, response)[source]¶
This policy function is to be used in a decorator of an API function. It checks, if the token, that was used in the API call is of a type that is allowed to be used.
If not, a PolicyException is raised.
- Parameters:
response (Response object) – The response of the decorated function
- Returns:
A new (maybe modified) response
- edumfa.api.lib.postpolicy.check_verify_enrollment(request, response)[source]¶
This policy decorator is used in the ENROLL scope to decorate the /token/init It will check for action=verify_enrollment and ask the user in a 2nd step to provide information to verify, that the token was successfully enrolled.
- Parameters:
request
response
- Returns:
- edumfa.api.lib.postpolicy.construct_radius_response(request, response)[source]¶
This decorator implements the /validate/radiuscheck endpoint. In case this URL was requested, a successful authentication results in an empty response with a HTTP 204 status code. An unsuccessful authentication results in an empty response with a HTTP 400 status code. :return:
- edumfa.api.lib.postpolicy.get_webui_settings(request, response)[source]¶
This decorator is used in the /auth API to add configuration information like the logout_time or the policy_template_url to the response. :param request: flask request object :param response: flask response object :return: the response
- edumfa.api.lib.postpolicy.is_authorized(request, response)[source]¶
This policy decorator is used in the AUTHZ scope to decorate the /validate/check and /validate/triggerchallenge endpoint. It will cause authentication to fail, if the policy authorized=deny_access is set.
- Parameters:
request
response
- Returns:
- edumfa.api.lib.postpolicy.mangle_challenge_response(request, response)[source]¶
This policy decorator is used in the AUTH scope to decorate the /validate/check endpoint. It can modify the contents of the response “detail”->”message” to allow a better readability for a challenge response text.
- Parameters:
request
response
- Returns:
- edumfa.api.lib.postpolicy.multichallenge_enroll_via_validate(request, response)[source]¶
This is a post decorator to allow enrolling tokens via /validate/check. It checks the AUTH policy ENROLL_VIA_MULTICHALLENGE and enrolls the corresponding token type. It also modifies the response accordingly, so that the client/plugin can display necessary data for the enrollment to the user.
- Parameters:
request
response
- Returns:
- edumfa.api.lib.postpolicy.no_detail_on_fail(request, response)[source]¶
This policy function is used with the AUTHZ scope. If the boolean value no_detail_on_fail is set, the details will be stripped if the authentication request failed.
- Parameters:
request
response
- Returns:
- edumfa.api.lib.postpolicy.no_detail_on_success(request, response)[source]¶
This policy function is used with the AUTHZ scope. If the boolean value no_detail_on_success is set, the details will be stripped if the authentication request was successful.
- Parameters:
request
response
- Returns:
- edumfa.api.lib.postpolicy.offline_info(request, response)[source]¶
This decorator is used with the function /validate/check. It is not triggered by an ordinary policy but by a MachineToken definition. If for the given Token an offline application is defined, the response is enhanced with the offline information - the hashes of the OTP.
- class edumfa.api.lib.postpolicy.postpolicy(function, request=None)[source]¶
Decorator that allows one to call a specific function after the decorated function. The postpolicy decorator is to be used in the API calls.
- Parameters:
function (function) – This is the policy function the is to be called
request (Request Object) – The original request object, that needs to be passed
- class edumfa.api.lib.postpolicy.postrequest(function, request=None)[source]¶
Decorator that is supposed to be used with after_request.
- Parameters:
function (function) – This is the policy function the is to be called
request (Request Object) – The original request object, that needs to be passed
- edumfa.api.lib.postpolicy.preferred_client_mode(request, response)[source]¶
This policy function is used to add the preferred client mode. The admin can set the list of client modes in the policy in the same order as he preferred them. The faction will pick the first client mode from the list, that is also in the multichallenge and set it as preferred client mode
- Parameters:
request
response
- Returns:
- edumfa.api.lib.postpolicy.save_pin_change(request, response, serial=None)[source]¶
This policy function checks if the next_pin_change date should be stored in the tokeninfo table.
Check scope:enrollment and ACTION.CHANGE_PIN_FIRST_USE. This action is used, when the administrator enrolls a token or sets a PIN
Check scope:enrollment and ACTION.CHANGE_PIN_EVERY is used, if the user changes the PIN.
This function decorates /token/init and /token/setpin. The parameter “pin” and “otppin” is investigated.
- Parameters:
request
action
- Returns:
- edumfa.api.lib.postpolicy.sign_response(request, response)[source]¶
This decorator is used to sign the response. It adds the nonce from the request, if it exists and adds the nonce and the signature to the response.
Note
This only works for JSON responses. So if we fail to decode the JSON, we just pass on.
The usual way to use it is, to wrap the after_request, so that we can also sign errors.
@postrequest(sign_response, request=request) def after_request(response):
- Parameters:
request – The Request object
response – The Response object