Conditions of application of the policies

JoseMa · June 22, 2018, 1:07pm

I have a question about the application of the policies.
I have created a policy that allows the assignment of tokens to the users that belong to a certain resolver, but it applies to all those that are validated in the system and not only to those of the resolver.
What options do I have to put in the definition of the policy?
Do I have to also put the domain to which it belongs?
So far I have only put the condition in the resolver.

cornelinux · June 22, 2018, 3:29pm

The user policy (assign) is governed by the check_base_action decorator. This does only honour the resolver from the parameter list.

So: It works as programmed! (You see I am neither using “designed” nor “intended”!)

github.com

privacyidea/privacyidea/blob/master/privacyidea/api/lib/prepolicy.py#L935


    scope = SCOPE.USER
    # Reset the admin realm
    admin_realm = None
    realm = realm or g.logged_in_user.get("realm")


# In certain cases we can not resolve the user by the serial!
if action not in [ACTION.AUDIT]:
    realm = params.get("realm")
    if type(realm) == list and len(realm) == 1:
        realm = realm[0]
    resolver = params.get("resolver")
    # get the realm by the serial:
    if not realm and params.get("serial"):
        realm = get_realms_of_token(params.get("serial"),
                                    only_first_realm=True)


    # get the realm by the serial, while the serial is part of the URL like
    # DELETE /token/serial
    if not realm and request.view_args and request.view_args.get("serial"):
        realm = get_realms_of_token(request.view_args.get("serial"),
                                    only_first_realm=True)

JoseMa · June 27, 2018, 8:06am

I do not know what is happening or what I am doing wrong, but the “Estudiantes” policy applies to all users of the system but I wanted it to only apply to the users who have accessed the system according to the “PRUEBAS-ESTUDIANTES” resolver. In this policy I allow the users of the “PRUEBAS-ESTUDIANTES” revolver the token assignment by SMS. In the policy “AccesoUsuarios” I allow the TOTP and HOTP token without domain restriction or resolve. But both policies apply to all users who access the system. I have tried to add options to the policies and the changes are correctly reflected when users log in again but I can not restrict the application of the policy to a specific resolver.