14.2.1.8. Policy Decorators

These are the policy decorator functions for internal (lib) policy decorators. policy decorators for the API (pre/post) are defined in api/lib/policy

The functions of this module are tested in tests/test_lib_policy_decorator.py

edumfa.lib.policydecorators.auth_cache(wrapped_function, user_object, passw, options=None)[source]

Decorate lib.token:check_user_pass. Verify, if the authentication can be found in the auth_cache.

Parameters:
  • wrapped_function – usually “check_user_pass”

  • user_object – User who tries to authenticate

  • passw – The PIN and OTP

  • options – Dict containing values for “g” and “clientip”.

Returns:

Tuple of True/False and reply-dictionary

edumfa.lib.policydecorators.auth_lastauth(wrapped_function, user_or_serial, passw, options=None)[source]

This decorator checks the policy settings of ACTION.LASTAUTH If the last authentication stored in tokeninfo last_auth_success of a token is exceeded, the authentication is denied.

The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={}) OR token.check_serial_pass with the arguments (user, passw, options={})

Parameters:
  • wrapped_function – either check_user_pass or check_serial_pass

  • user_or_serial – either the User user_or_serial or a serial

  • passw

  • options – Dict containing values for “g” and “clientip”

Returns:

Tuple of True/False and reply-dictionary

edumfa.lib.policydecorators.auth_otppin(wrapped_function, *args, **kwds)[source]

Decorator to decorate the tokenclass.check_pin function.

Depending on the ACTION.OTPPIN it
  • either simply accepts an empty pin

  • checks the pin against the userstore

  • or passes the request to the wrapped_function

Parameters:
Returns:

True or False

edumfa.lib.policydecorators.auth_user_does_not_exist(wrapped_function, user_object, passw, options=None)[source]

This decorator checks, if the user does exist at all. If the user does exist, the wrapped function is called.

The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={})

Parameters:
  • wrapped_function

  • user_object

  • passw

  • options – Dict containing values for “g” and “clientip”

Returns:

Tuple of True/False and reply-dictionary

edumfa.lib.policydecorators.auth_user_has_no_token(wrapped_function, user_object, passw, options=None)[source]

This decorator checks if the user has a token at all. If the user has a token, the wrapped function is called.

The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={})

Parameters:
  • wrapped_function

  • user_object

  • passw

  • options – Dict containing values for “g” and “clientip”

Returns:

Tuple of True/False and reply-dictionary

edumfa.lib.policydecorators.auth_user_passthru(wrapped_function, user_object, passw, options=None)[source]

This decorator checks the policy settings of ACTION.PASSTHRU. If the authentication against the userstore is not successful, the wrapped function is called.

The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={})

Parameters:
  • wrapped_function

  • user_object

  • passw

  • options – Dict containing values for “g” and “clientip”

Returns:

Tuple of True/False and reply-dictionary

edumfa.lib.policydecorators.auth_user_timelimit(wrapped_function, user_object, passw, options=None)[source]

This decorator checks the policy settings of ACTION.AUTHMAXSUCCESS, ACTION.AUTHMAXFAIL If the authentication was successful, it checks, if the number of allowed successful authentications is exceeded (AUTHMAXSUCCESS).

If the AUTHMAXFAIL is exceed it denies even a successful authentication.

The wrapped function is usually token.check_user_pass, which takes the arguments (user, passw, options={})

Parameters:
  • wrapped_function

  • user_object

  • passw

  • options – Dict containing values for “g” and “clientip”

Returns:

Tuple of True/False and reply-dictionary

edumfa.lib.policydecorators.challenge_response_allowed(func)[source]

This decorator is used to wrap tokenclass.is_challenge_request. It checks, if a challenge response authentication is allowed for this token type. To allow this, the policy

scope:authentication, action:challenge_response must be set.

If the tokentype is not allowed for challenge_response, this decorator returns false.

See challenge_response.

Parameters:

func – wrapped function

edumfa.lib.policydecorators.config_lost_token(wrapped_function, *args, **kwds)[source]

Decorator to decorate the lib.token.lost_token function. Depending on ACTION.LOSTTOKENVALID, ACTION.LOSTTOKENPWCONTENTS, ACTION.LOSTTOKENPWLEN it sets the check_otp parameter, to signal how the lostToken should be generated.

Parameters:
  • wrapped_function – Usually the function lost_token()

  • *args – argument “serial” as the old serial number

  • **kwds – keyword arguments like “validity”, “contents”, “pw_len” kwds[“options”] contains the flask g

Returns:

calls the original function with the modified “validity”, “contents” and “pw_len” argument

class edumfa.lib.policydecorators.libpolicy(decorator_function)[source]

This is the decorator wrapper to call a specific function before a library call in contrast to prepolicy and postpolicy, which are to be called in API Calls.

The decorator expects a named parameter “options”. In this options dict it will look for the flask global “g”.

Parameters:

decorator_function – This is the policy function that is to be

called :type decorator_function: function

edumfa.lib.policydecorators.login_mode(wrapped_function, *args, **kwds)[source]

Decorator to decorate the lib.auth.check_webui_user function. Depending on ACTION.LOGINMODE it sets the check_otp parameter, to signal that the authentication should be performed against eduMFA.

Parameters:
  • wrapped_function – Usually the function check_webui_user

  • *args – arguments user_obj and password

  • **kwds – keyword arguments like options and !check_otp! kwds[“options”] contains the flask g

Returns:

calls the original function with the modified “check_otp” argument

edumfa.lib.policydecorators.reset_all_user_tokens(wrapped_function, *args, **kwds)[source]

Resets all tokens if the corresponding policy is set.

Parameters:
  • token – The successful token, the tokenowner is used to find policies.

  • tokenobject_list – The list of all the tokens of the user

  • options – options dictionary containing g.

Returns:

None