14.3.1. The database model¶
- class edumfa.models.Admin(**kwargs)[source]¶
The administrators for managing the system. To manage the administrators use the command edumfa-manage.
In addition certain realms can be defined to be administrative realms.
- Parameters:
username (basestring) – The username of the admin
password (basestring) – The password of the admin (stored using PBKDF2, salt and pepper)
email (basestring) – The email address of the admin (not used at the moment)
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- query: t.ClassVar[Query]¶
A SQLAlchemy query for a model. Equivalent to
db.session.query(Model)
. Can be customized per-model by overridingquery_class
.Warning
The query interface is considered legacy in SQLAlchemy. Prefer using
session.execute(select())
instead.
- class edumfa.models.Audit(action='', success=0, serial='', token_type='', user='', realm='', resolver='', administrator='', action_detail='', info='', edumfa_server='', client='', loglevel='default', clearance_level='default', thread_id='0', policies='', startdate=None, duration=None)[source]¶
This class stores the Audit entries
- query: t.ClassVar[Query]¶
A SQLAlchemy query for a model. Equivalent to
db.session.query(Model)
. Can be customized per-model by overridingquery_class
.Warning
The query interface is considered legacy in SQLAlchemy. Prefer using
session.execute(select())
instead.
- class edumfa.models.AuthCache(username, realm, resolver, authentication, first_auth=None, last_auth=None)[source]¶
- class edumfa.models.CAConnector(name, catype)[source]¶
The table “caconnector” contains the names and types of the defined CA connectors. Each connector has a different configuration, that is stored in the table “caconnectorconfig”.
- query: t.ClassVar[Query]¶
A SQLAlchemy query for a model. Equivalent to
db.session.query(Model)
. Can be customized per-model by overridingquery_class
.Warning
The query interface is considered legacy in SQLAlchemy. Prefer using
session.execute(select())
instead.
- class edumfa.models.CAConnectorConfig(caconnector_id=None, Key=None, Value=None, caconnector=None, Type='', Description='')[source]¶
Each CAConnector can have multiple configuration entries. Each CA Connector type can have different required config values. Therefor the configuration is stored in simple key/value pairs. If the type of a config entry is set to “password” the value of this config entry is stored encrypted.
The config entries are referenced by the id of the resolver.
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- query: t.ClassVar[Query]¶
A SQLAlchemy query for a model. Equivalent to
db.session.query(Model)
. Can be customized per-model by overridingquery_class
.Warning
The query interface is considered legacy in SQLAlchemy. Prefer using
session.execute(select())
instead.
- class edumfa.models.Challenge(serial, transaction_id=None, challenge='', data='', session='', validitytime=120)[source]¶
Table for handling of the generic challenges.
- get(timestamp=False)[source]¶
return a dictionary of all vars in the challenge class
- Parameters:
timestamp (bool) – if true, the timestamp will given in a readable format 2014-11-29 21:56:43.057293
- Returns:
dict of vars
- get_otp_status()[source]¶
This returns how many OTPs were already received for this challenge. and if a valid OTP was received.
- Returns:
tuple of count and True/False
- Return type:
tuple
- class edumfa.models.ClientApplication(**kwargs)[source]¶
This table stores the clients, which sent an authentication request to eduMFA. This table is filled automatically by authentication requests.
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- class edumfa.models.Config(Key, Value, Type='', Description='')[source]¶
The config table holds all the system configuration in key value pairs.
Additional configuration for realms, resolvers and machine resolvers is stored in specific tables.
- class edumfa.models.CustomUserAttribute(user_id, resolver, realm_id, Key, Value, Type=None)[source]¶
The table “customuserattribute” is used to store additional, custom attributes for users.
A user is identified by the user_id, the resolver_id and the realm_id.
The additional attributes are stored in Key and Value. The Type can hold extra information like e.g. an encrypted value / password.
- Note: Since the users are external, i.e. no objects in this database,
there is not logic reference on a database level. Since users could be deleted from user stores without eduMFA realizing that, this table could pile up with remnants of attributes.
Create a new customuserattribute for a user tuple
- class edumfa.models.EventCounter(name, value=0, node='')[source]¶
This table stores counters of the event handler “Counter”.
Note that an event counter name does not correspond to just one, but rather several table rows, because we store event counters for each eduMFA node separately. This is intended to improve the performance of replicated setups, because each eduMFA node then only writes to its own “private” table row. This way, we avoid locking issues that would occur if all nodes write to the same table row.
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- query: t.ClassVar[Query]¶
A SQLAlchemy query for a model. Equivalent to
db.session.query(Model)
. Can be customized per-model by overridingquery_class
.Warning
The query interface is considered legacy in SQLAlchemy. Prefer using
session.execute(select())
instead.
- class edumfa.models.EventHandler(name, event, handlermodule, action, condition='', ordering=0, options=None, id=None, conditions=None, active=True, position='post')[source]¶
This model holds the list of defined events and actions to this events. A handler module can be bound to an event with the corresponding condition and action.
- class edumfa.models.EventHandlerCondition(eventhandler_id, Key, Value, comparator='equal')[source]¶
Each EventHandler entry can have additional conditions according to the handler module
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- query: t.ClassVar[Query]¶
A SQLAlchemy query for a model. Equivalent to
db.session.query(Model)
. Can be customized per-model by overridingquery_class
.Warning
The query interface is considered legacy in SQLAlchemy. Prefer using
session.execute(select())
instead.
- class edumfa.models.EventHandlerOption(eventhandler_id, Key, Value, Type='', Description='')[source]¶
Each EventHandler entry can have additional options according to the handler module.
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- query: t.ClassVar[Query]¶
A SQLAlchemy query for a model. Equivalent to
db.session.query(Model)
. Can be customized per-model by overridingquery_class
.Warning
The query interface is considered legacy in SQLAlchemy. Prefer using
session.execute(select())
instead.
- class edumfa.models.MachineResolver(name, rtype)[source]¶
This model holds the definition to the machinestore. Machines could be located in flat files, LDAP directory or in puppet services or other…
The usual MachineResolver just holds a name and a type and a reference to its config
- class edumfa.models.MachineResolverConfig(resolver_id=None, Key=None, Value=None, resolver=None, Type='', Description='')[source]¶
Each Machine Resolver can have multiple configuration entries. The config entries are referenced by the id of the machine resolver
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- query: t.ClassVar[Query]¶
A SQLAlchemy query for a model. Equivalent to
db.session.query(Model)
. Can be customized per-model by overridingquery_class
.Warning
The query interface is considered legacy in SQLAlchemy. Prefer using
session.execute(select())
instead.
- class edumfa.models.MachineToken(machineresolver_id=None, machineresolver=None, machine_id=None, token_id=None, serial=None, application=None)[source]¶
The MachineToken assigns a Token and an application type to a machine. The Machine is represented as the tuple of machineresolver.id and the machine_id. The machine_id is defined by the machineresolver.
This can be an n:m mapping.
- class edumfa.models.MachineTokenOptions(machinetoken_id, key, value)[source]¶
This class holds an Option for the token assigned to a certain client machine. Each Token-Clientmachine-Combination can have several options.
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- query: t.ClassVar[Query]¶
A SQLAlchemy query for a model. Equivalent to
db.session.query(Model)
. Can be customized per-model by overridingquery_class
.Warning
The query interface is considered legacy in SQLAlchemy. Prefer using
session.execute(select())
instead.
- class edumfa.models.MethodsMixin[source]¶
This class mixes in some common Class table functions like delete and save
- class edumfa.models.MonitoringStats(timestamp, key, value)[source]¶
This is the table that stores measured, arbitrary statistic points in time.
This could be used to store time series but also to store current values, by simply fetching the last value from the database.
Create a new database entry in the monitoring stats table :param timestamp: The time of the measurement point :type timestamp: timezone-naive datetime :param key: The key of the measurement :type key: basestring :param value: The value of the measurement :type value: Int
- class edumfa.models.PasswordReset(recoverycode, username, realm, resolver='', email=None, timestamp=None, expiration=None, expiration_seconds=3600)[source]¶
Table for handling password resets. This table stores the recoverycodes sent to a given user
The application should save the HASH of the recovery code. Just like the password for the Admins the application shall salt and pepper the hash of the recoverycode. A database admin will not be able to inject a rogue recovery code.
A user can get several recoverycodes. A recovery code has a validity period
Optional: The email to which the recoverycode was sent, can be stored.
- class edumfa.models.PeriodicTask(name, active, interval, node_list, taskmodule, ordering, options=None, id=None, retry_if_failed=True)[source]¶
This class stores tasks that should be run periodically.
- Parameters:
name – Unique name of the periodic task as unicode
active – a boolean
retry_if_failed – a boalean
interval – a unicode specifying the periodicity of the task
node_list – a list of unicodes, denoting the node names that should execute that task. If we update an existing PeriodicTask entry, PeriodicTaskLastRun entries referring to nodes that are not present in
node_list
any more will be deleted.taskmodule – a unicode
ordering – an integer. Lower tasks are executed first.
options – a dictionary of options, mapping unicode keys to values. Values will be converted to unicode. If we update an existing PeriodicTask entry, all options that have been set previously but are not present in
options
will be deleted.id – the ID of an existing entry, if any
- property aware_last_update¶
Return self.last_update with attached UTC tzinfo
- get()[source]¶
Return the serialized periodic task object including the options and last runs. The last runs are returned as timezone-aware UTC datetimes.
- Returns:
complete dict
- class edumfa.models.PeriodicTaskLastRun(periodictask_id, node, timestamp)[source]¶
Each PeriodicTask entry stores, for each node, the timestamp of the last successful run.
- Parameters:
periodictask_id – ID of the periodic task we are referring to
node – Node name as unicode
timestamp – Time of the last run as a datetime. A timezone must not be set! We require the time to be given in UTC.
- property aware_timestamp¶
Return self.timestamp with attached UTC tzinfo
- query: t.ClassVar[Query]¶
A SQLAlchemy query for a model. Equivalent to
db.session.query(Model)
. Can be customized per-model by overridingquery_class
.Warning
The query interface is considered legacy in SQLAlchemy. Prefer using
session.execute(select())
instead.
- class edumfa.models.PeriodicTaskOption(periodictask_id, key, value)[source]¶
Each PeriodicTask entry can have additional options according to the task module.
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- query: t.ClassVar[Query]¶
A SQLAlchemy query for a model. Equivalent to
db.session.query(Model)
. Can be customized per-model by overridingquery_class
.Warning
The query interface is considered legacy in SQLAlchemy. Prefer using
session.execute(select())
instead.
- class edumfa.models.Policy(name, active=True, scope='', action='', realm='', adminrealm='', adminuser='', resolver='', user='', client='', time='', edumfanode='', priority=1, check_all_resolvers=False, conditions=None)[source]¶
The policy table contains the policy definitions.
- The Policies control the behaviour in the scopes
enrollment
authentication
authorization
administration
user actions
webui
- get(key=None)[source]¶
Either returns the complete policy entry or a single value :param key: return the value for this key :type key: string :return: complete dict or single value :rytpe: dict or value
- class edumfa.models.PolicyCondition(**kwargs)[source]¶
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- class edumfa.models.RADIUSServer(**kwargs)[source]¶
This table can store configurations of RADIUS servers. https://github.com/privacyidea/privacyidea/issues/321
It saves * a unique name * a description * an IP address a * a Port * a secret * timeout in seconds (default 5) * retries (default 3) * Enforcement of the Message-Authenticator attribute
These RADIUS server definition can be used in RADIUS tokens or in a radius passthru policy.
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- class edumfa.models.Realm(realm)[source]¶
The realm table contains the defined realms. User Resolvers can be grouped to realms. This very table contains just contains the names of the realms. The linking to resolvers is stored in the table “resolverrealm”.
- class edumfa.models.Resolver(name, rtype)[source]¶
The table “resolver” contains the names and types of the defined User Resolvers. As each Resolver can have different required config values the configuration of the resolvers is stored in the table “resolverconfig”.
- class edumfa.models.ResolverConfig(resolver_id=None, Key=None, Value=None, resolver=None, Type='', Description='')[source]¶
Each Resolver can have multiple configuration entries. Each Resolver type can have different required config values. Therefor the configuration is stored in simple key/value pairs. If the type of a config entry is set to “password” the value of this config entry is stored encrypted.
The config entries are referenced by the id of the resolver.
- class edumfa.models.ResolverRealm(resolver_id=None, realm_id=None, resolver_name=None, realm_name=None, priority=None)[source]¶
This table stores which Resolver is located in which realm This is a N:M relation
- class edumfa.models.SMSGateway(identifier, providermodule, description=None, options=None, headers=None)[source]¶
This table stores the SMS Gateway definitions.
It saves the * unique name * a description * the SMS provider module
All options and parameters are saved in other tables.
- property header_dict¶
Return all connected headers as a dictionary
- Returns:
dict
- property option_dict¶
Return all connected options as a dictionary
- Returns:
dict
- class edumfa.models.SMSGatewayOption(gateway_id, Key, Value, Type=None)[source]¶
This table stores the options, parameters and headers for an SMS Gateway definition.
Create a new gateway_option for the gateway_id
- class edumfa.models.SMTPServer(**kwargs)[source]¶
This table can store configurations for SMTP servers. Each entry represents an SMTP server. EMail Token, SMS SMTP Gateways or Notifications like PIN handlers are supposed to use a reference to to a server definition. Each Machine Resolver can have multiple configuration entries. The config entries are referenced by the id of the machine resolver
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- class edumfa.models.Serviceid(servicename, description=None)[source]¶
The serviceid table contains the defined service IDs. These service ID describe services like “webservers” or “dbservers” which e.g. request SSH keys from the eduMFA system.
- class edumfa.models.Subscription(**kwargs)[source]¶
This table stores the imported subscription files.
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- class edumfa.models.TimestampMethodsMixin[source]¶
This class mixes in the table functions including update of the timestamp
- class edumfa.models.Token(serial, tokentype='', isactive=True, otplen=6, otpkey='', userid=None, resolver=None, realm=None, **kwargs)[source]¶
The “Token” table contains the basic token data.
- It contains data like
serial number
secret key
PINs
…
The table
edumfa.models.TokenOwner
contains the owner information of the specified token. The tableedumfa.models.TokenInfo
contains additional information that is specific to the tokentype.- del_info(key=None)[source]¶
Deletes tokeninfo for a given token. If the key is omitted, all Tokeninfo is deleted.
- Parameters:
key – searches for the given key to delete the entry
- Returns:
- del_tokengroup(tokengroup=None, tokengroup_id=None)[source]¶
Deletes the tokengroup from the given token. If tokengroup name and id are omitted, all tokengroups are deleted.
- Parameters:
tokengroup (str) – The name of the tokengroup
tokengroup_id (int) – The id of the tokengroup
- Returns:
- get(key=None, fallback=None, save=False)[source]¶
simulate the dict behaviour to make challenge processing easier, as this will have to deal as well with ‘dict only challenges’
- Parameters:
key – the attribute name - in case of key is not provided, a dict of all class attributes are returned
fallback – if the attribute is not found, the fallback is returned
save – in case of all attributes and save==True, the timestamp is converted to a string representation
- get_hashed_pin(pin)[source]¶
calculate a hash from a pin Fix for working with MS SQL servers MS SQL servers sometimes return a ‘<space>’ when the column is empty: ‘’
- Parameters:
pin (str) – the pin to hash
- Returns:
hashed pin with current pin_seed
- Return type:
str
- get_realms()[source]¶
return a list of the assigned realms
- Returns:
the realms of the token
- Return type:
list
- set_hashed_pin(pin)[source]¶
Set the pin of the token in hashed format
- Parameters:
pin (str) – the pin to hash
- Returns:
the hashed pin
- Return type:
str
- set_info(info)[source]¶
Set the additional token info for this token
Entries that end with “.type” are used as type for the keys. I.e. two entries sshkey=”XYZ” and sshkey.type=”password” will store the key sshkey as type “password”.
- Parameters:
info (dict) – The key-values to set for this token
- set_realms(realms, add=False)[source]¶
Set the list of the realms.
This is done by filling the
eduMFA.models.TokenRealm
table.- Parameters:
realms (list[str]) – realms
add (bool) – If set, the realms are added. I.e. old realms are not deleted
- set_so_pin(soPin)[source]¶
For smartcards this sets the security officer pin of the token
:rtype : None
- set_tokengroups(tokengroups, add=False)[source]¶
Set the list of the tokengroups.
This is done by filling the
edumfa.models.TokenTokengroup
table.- Parameters:
tokengroups (list[str]) – the tokengroups
add (bool) – If set, the tokengroups are added. I.e. old tokengroups are not deleted
- class edumfa.models.TokenInfo(token_id, Key, Value, Type=None, Description=None)[source]¶
The table “tokeninfo” is used to store additional, long information that is specific to the tokentype. E.g. the tokentype “TOTP” has additional entries in the tokeninfo table for “timeStep” and “timeWindow”, which are stored in the column “Key” and “Value”.
The tokeninfo is reference by the foreign key to the “token” table.
Create a new tokeninfo for a given token_id
- class edumfa.models.TokenOwner(token_id=None, serial=None, user_id=None, resolver=None, realm_id=None, realmname=None)[source]¶
This tables stores the owner of a token. A token can be assigned to several users.
Create a new token assignment to a user.
- Parameters:
token_id – The database ID of the token
serial – The alternate serial number of the token
resolver – The identifying name of the resolver
realm_id – The database ID of the realm
realmname – The alternate name of realm
- class edumfa.models.TokenRealm(realm_id=0, token_id=0, realmname=None)[source]¶
This table stores to which realms a token is assigned. A token is in the realm of the user it is assigned to. But a token can also be put into many additional realms.
Create a new TokenRealm entry. :param realm_id: The id of the realm :param token_id: The id of the token
- class edumfa.models.TokenTokengroup(tokengroup_id=0, token_id=0, tokengroupname=None)[source]¶
This table stores the assignment of tokens to tokengroups. A token can be assigned to several different token groups.
Create a new TokenTokengroup assignment :param tokengroup_id: The id of the token group :param tokengroupname: the name of the tokengroup :param token_id: The id of the token
- class edumfa.models.Tokengroup(groupname, description=None)[source]¶
The tokengroup table contains the definition of available token groups. A token can then be assigned to several of these tokengroups.
- class edumfa.models.eduMFAServer(**kwargs)[source]¶
This table can store remote eduMFA server definitions
A simple constructor that allows initialization from kwargs.
Sets attributes on the constructed instance using the names and values in
kwargs
.Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.
- edumfa.models.get_machineresolver_id(resolvername)[source]¶
Return the database ID of the machine resolver :param resolvername: :return:
- edumfa.models.get_machinetoken_ids(machine_id, resolver_name, serial, application)[source]¶
Returns a list of the ID in the machinetoken table
- Parameters:
machine_id (basestring) – The resolverdependent machine_id
resolver_name (basestring) – The name of the resolver
serial (basestring) – the serial number of the token
application (basestring) – The application type
- Returns:
A list of IDs of the machinetoken entry
- Return type:
list of int