Token janitor for expired Token

marc_weber · February 12, 2025, 10:14am

Hello everyone,

We roll out our Users with the help of registration token.
We create the token with a validity period.

Now I want to use the token janitor to find and delete registration token which have expired and werent used up by the User.

I tried the following line;

privacyidea-token-janitor find --tokentype registration --has-tokeninfo-key validity_period_end --tokeninfo-value-before ‘$(date)’

but this finds all Token that have a validity-period-end attribute.
So I thought

privacyidea-token-janitor find --tokentype registration --tokeninfo-value-before ‘$(date)’

would work, but this just finds all registration Token no matter the validity date.
What am I doing wrong, the Token-janitor seems to not include the "–tokeninfo-value-before ‘$(date)’ " part in the query because I get Token that cleary dont match those values

As you can see in the Screenshot a token with a future date in validity_period_end is found, I even set no validity_period_start value to exclude it from the potential error sources

Thanks for any help

Regards

Marc

Manuel · February 17, 2025, 5:30pm

Hi Marc,

instead of “–has-tokeninfo-key” you might use “–tokenattribute validity_period_end”.
For more information have a look at the documentation: 12.4. Tools — privacyIDEA 3.10dev1 documentation

marc_weber · February 19, 2025, 7:49am

the validity period end is no a Token Attribute

Unknown token attribute. Allowed attributes are id, description, serial, tokentype, user_pin, user_pin_iv, so_pin, so_pin_iv, pin_seed, otplen, pin_hash, key_enc, key_iv, maxfail, active, revoked, locked, failcount, count, count_window, sync_window, rollout_state

plettich · February 19, 2025, 10:14am

You need to add the --tokeninfo-key option to specify on which key the --tokeninfo-value-... option should operate:

privacyidea-token-janitor find --has-tokeninfo-key validity_period_end --tokeninfo-key validity_period_end --tokeninfo-value-before "$(date --iso-8601)"

marc_weber · February 19, 2025, 10:40am

Hi, thanks for the advice, but this results in the following error

Traceback (most recent call last):und
File “/usr/bin/privacyidea-token-janitor”, line 8, in
sys.exit(cli())
File “/opt/privacyidea/lib/python3.10/site-packages/click/core.py”, line 829, in call
return self.main(*args, **kwargs)
File “/opt/privacyidea/lib/python3.10/site-packages/flask/cli.py”, line 586, in main
return super(FlaskGroup, self).main(*args, **kwargs)
File “/opt/privacyidea/lib/python3.10/site-packages/click/core.py”, line 782, in main
rv = self.invoke(ctx)
File “/opt/privacyidea/lib/python3.10/site-packages/click/core.py”, line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File “/opt/privacyidea/lib/python3.10/site-packages/click/core.py”, line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File “/opt/privacyidea/lib/python3.10/site-packages/click/core.py”, line 610, in invoke
return callback(*args, **kwargs)
File “/opt/privacyidea/lib/python3.10/site-packages/click/decorators.py”, line 21, in new_func
return f(get_current_context(), *args, **kwargs)
File “/opt/privacyidea/lib/python3.10/site-packages/flask/cli.py”, line 426, in decorator
return __ctx.invoke(f, *args, **kwargs)
File “/opt/privacyidea/lib/python3.10/site-packages/click/core.py”, line 610, in invoke
return callback(*args, **kwargs)
File “/opt/privacyidea/lib/python3.10/site-packages/privacyidea/cli/privacyideatokenjanitor/findtokens.py”, line 506, in findtokens
for tlist in generator:
File “/opt/privacyidea/lib/python3.10/site-packages/privacyidea/cli/privacyideatokenjanitor/findtokens.py”, line 306, in _get_tokenlist
if not all(comparator(value) for comparator in tokeninfo_value_filter):
File “/opt/privacyidea/lib/python3.10/site-packages/privacyidea/cli/privacyideatokenjanitor/findtokens.py”, line 306, in
if not all(comparator(value) for comparator in tokeninfo_value_filter):
File “/opt/privacyidea/lib/python3.10/site-packages/privacyidea/cli/privacyideatokenjanitor/findtokens.py”, line 197, in comparator
return _parse_datetime(key, value) < given_value_string
TypeError: ‘<’ not supported between instances of ‘datetime.datetime’ and ‘str’

georgp · March 7, 2025, 8:27pm

same Problem, you can delete these tokens with:

privacyidea-token-janitor find --tokeninfo-key=validity_period_end --tokeninfo-value=2025-01-31 --action delete

obviously this only works if you know the expiration date, use some loops or whatever

cornelinux · March 7, 2025, 8:29pm

You can use the privacyidea-token-janitor parameters tokeninfo-value-after and tokeinfo-value-before if you have correctly formatted dates in the tokeninfo.

plettich · April 7, 2025, 9:04am

Just a follow-up, we introduced a bug when comparing dates in privacyIDEA v3.10 when moving the token-janitor to the new CLI framework. This is fixed in v3.11.
If needed here is a patch for v3.10:
tokenjanitor_date_v3_10.patch (1.3 KB)
Apply with patch -p1 < tokenjanitor_date_v3_10.patch in the privacyidea source directory (Test it with --dry-run first).