14.2.1.2.1. 4 Eyes Token
- class edumfa.lib.tokens.foureyestoken.FourEyesTokenClass(db_token)
The FourEyes token can be used to implement the Two Man Rule. The FourEyes token defines how many tokens of which realms are required, for example:
2 tokens of RealmA
1 token of RealmB
The users (the owners of those tokens) then need to log in by each entering their OTP PIN and OTP value. It does not matter in which order they enter the values. All their PINs and OTPs are concatenated into one password field but need to be separated by the splitting sign.
The FourEyes token splits the password value again and tries to authenticate each of these passwords in the realms using the function check_realm_pass. The FourEyes token itself does not provide an OTP PIN.
The token is initialized using additional parameters at token/init:
Example Authentication Request:
    POST /auth HTTP/1.1
    Host: example.com
    Accept: application/json

    type=4eyes
    user=cornelius
    realm=realm1
    4eyes=realm1:2,realm2:1
    separator=%20
- Parameters:
db_token (database token object) – the token
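The following is an added illustration of the flow described above, not eduMFA's own code: it parses the 4eyes realm parameter, splits the concatenated password at the separator and counts each PIN+OTP against the realms that still need one. check_realm_pass and the VALID_PASSWORDS table are constructed mocks standing in for the real per-realm OTP check; the helper also refuses to let one PIN+OTP satisfy two slots, since a real OTP is consumed after use.

```python
from collections import Counter

# Constructed stand-in for the server-side OTP check: realm -> valid PIN+OTP strings.
VALID_PASSWORDS = {
    "realm1": {"1234111111", "5678222222"},
    "realm2": {"9999333333"},
}


def convert_realms(realms: str) -> dict:
    """'realm1:2,realm2:1' -> {'realm1': 2, 'realm2': 1} (the API parameter form)."""
    result = {}
    for entry in realms.split(","):
        realm, count = entry.split(":")
        result[realm.strip()] = int(count)
    return result


def realms_dict_to_string(realms: dict) -> str:
    """WebUI dict -> 'realm1:1,realm2:2'; only realms marked selected are kept."""
    return ",".join(f"{name}:{cfg['count']}"
                    for name, cfg in realms.items() if cfg.get("selected"))


def check_realm_pass(realm: str, passw: str) -> bool:
    """Mock of check_realm_pass: is passw a valid PIN+OTP of a token in realm?"""
    return passw in VALID_PASSWORDS.get(realm, set())


def four_eyes_authenticate(passw: str, realms: str, separator: str = " ") -> tuple:
    """Return (success, remaining) where remaining maps realm -> tokens still missing.

    Order of the parts does not matter; each part may only be counted once.
    """
    required = Counter(convert_realms(realms))
    used = set()
    for part in passw.split(separator):
        if part in used:          # a replayed PIN+OTP must not count twice
            continue
        for realm in list(required):
            if required[realm] > 0 and check_realm_pass(realm, part):
                required[realm] -= 1
                used.add(part)
                break
    remaining = {r: n for r, n in required.items() if n > 0}
    return (not remaining, remaining)
```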
- authenticate(passw, user=None, options=None)
Do the authentication on the basis of password / OTP, the user and options, the request parameters.
Here we contact the other eduMFA server to validate the OTP value.
- Parameters:
passw – the password / otp
user – the requesting user
options – the additional request parameters
- Returns:
tuple of (success, otp_count - 0 or -1, reply)
- check_challenge_response(user=None, passw=None, options=None)
This method verifies whether the given response is the PIN + OTP of one of the remaining tokens. In case of success it returns 1.
- Parameters:
user (User object) – the requesting user
passw (string) – the password: PIN + OTP
options (dict) – additional arguments from the request, which could be token specific. Usually “transaction_id”
- Returns:
return 1 if the answer to the challenge is correct, -1 otherwise.
- Return type:
int
- static convert_realms(realms)
This function converts the realms as given by the API parameter to a dictionary:
"realm1:2,realm2:1" -> {"realm1":2, "realm2":1}
- Parameters:
realms (str) – a serialized list of realms
- Returns:
dict of realms
- Return type:
dict
- create_challenge(transactionid=None, options=None)
This method creates a challenge, which is submitted to the user. The submitted challenge will be preserved in the challenge database.
If no transaction id is given, the system will create a transaction id and return it, so that the response can refer to this transaction.
- Parameters:
transactionid – the id of this challenge
options (dict) – the request context parameters / data
- Returns:
tuple of (bool, message, transactionid, reply_dict)
- Return type:
tuple
The return tuple builds up like this:
bool: whether the submit was successful;
message: the message displayed in the JSON response;
reply_dict: additional challenge data, displayed in the JSON challenges response.
- static get_class_info(key=None, ret='all')
Returns a subtree of the token definition.
- Parameters:
key (string) – subsection identifier
ret (user defined) – default return value, if nothing is found
- Returns:
subsection if key exists or user defined
- Return type:
dict or scalar
- has_further_challenge(options=None)
Check if there are still more tokens to be authenticated.
- Parameters:
options – Options dict
- Returns:
True, if a further challenge is required.
- is_challenge_request(passw, user=None, options=None)
The 4eyes token can act as a challenge response token. This is the case either
if the first passw given is the PIN of the 4eyes token, or
if the first passw given is the complete PIN+OTP from one of the admin tokens.
- Parameters:
passw (str) – password, which might be pin or pin+otp
user (User object) – The user from the authentication request
options (dict) – dictionary of additional request parameters
- Returns:
true or false
- Return type:
bool
- static realms_dict_to_string(realms)
This function converts the realms, if they are given as a dictionary, to a string:
{"realm1": {"selected": True, "count": 1 }, "realm2": {"selected": True, "count": 2}} -> "realm1:1,realm2:2"
- Parameters:
realms (dict) – the realms as they are passed from the WebUI
- Returns:
realms
- Return type:
str