allura.lib.multifactor

class allura.lib.multifactor.GoogleAuthenticatorFile

Parse and write server-side .google_authenticator files for PAM. File format reference: https://github.com/google/google-authenticator/blob/master/libpam/FILEFORMAT

class allura.lib.multifactor.GoogleAuthenticatorPamFilesystemRecoveryCodeService

get_codes(user)
Parameters: user – a User
Returns: list[str]

replace_codes(user, codes)
Parameters: user – a User

verify_and_remove_code(user, code)

Verify and remove recovery codes. Also check for rate limiting.

Parameters:
  • user – a User
  • code – str
Raises:
  • InvalidRecoveryCode
  • MultifactorRateLimitError

class allura.lib.multifactor.GoogleAuthenticatorPamFilesystemTotpService

Store TOTP keys in home directories, compatible with the TOTP PAM module for Google Authenticator: https://github.com/google/google-authenticator/tree/master/libpam

get_secret_key(user)
Parameters: user – a User
Returns: key

set_secret_key(user, key)
Parameters:
  • user – a User
  • key (bytes|None) – may be None to clear out a key

class allura.lib.multifactor.MongodbRecoveryCodeService

get_codes(user)
Parameters: user – a User
Returns: list[str]

replace_codes(user, codes)
Parameters: user – a User

verify_and_remove_code(user, code)

Verify and remove recovery codes. Also check for rate limiting.

Parameters:
  • user – a User
  • code – str
Raises:
  • InvalidRecoveryCode
  • MultifactorRateLimitError

class allura.lib.multifactor.MongodbTotpService

Store TOTP keys in MongoDB.

get_secret_key(user)
Parameters: user – a User
Returns: key

set_secret_key(user, key)
Parameters:
  • user – a User
  • key (bytes|None) – may be None to clear out a key

class allura.lib.multifactor.RecoveryCodeService

An interface for handling multifactor recovery codes. Common functionality is provided in this base class, and specific subclasses implement different storage options. A provider must implement get_codes(), replace_codes(), and verify_and_remove_code().

To use a new provider, expose an entry point in setup.py:

[allura.multifactor.recovery_code]
myrecovery = foo.bar:MyRecoveryCodeService

Then in your .ini file, set auth.multifactor.recovery_code.service=myrecovery

classmethod get()
Return type: RecoveryCodeService

get_codes(user)
Parameters: user – a User
Returns: list[str]

regenerate_codes(user)

Regenerate and replace existing codes.

Parameters: user – a User
Returns: codes, list[str]

replace_codes(user, codes)
Parameters: user – a User

verify_and_remove_code(user, code)

Verify and remove recovery codes. Also check for rate limiting.

Parameters:
  • user – a User
  • code – str
Raises:
  • InvalidRecoveryCode
  • MultifactorRateLimitError

class allura.lib.multifactor.TotpService

An interface for handling multifactor auth TOTP secret keys. Common functionality is provided in this base class, and specific subclasses implement different storage options. A provider must implement get_secret_key(), set_secret_key(), and enforce_rate_limit().

To use a new provider, expose an entry point in setup.py:

[allura.multifactor.totp_service]
mytotp = foo.bar:MyTotpService

Then in your .ini file, set auth.multifactor.totp.service=mytotp

enforce_rate_limit(user)
Parameters: user – a User
Raises: MultifactorRateLimitError

classmethod get()
Return type: TotpService

get_secret_key(user)
Parameters: user – a User
Returns: key

get_totp(user)
Parameters: user – a User
Returns:

set_secret_key(user, key)
Parameters:
  • user – a User
  • key (bytes|None) – may be None to clear out a key

allura.lib.multifactor.check_rate_limit(num_allowed, time_allowed, attempts)
Parameters:
  • num_allowed (int) –
  • time_allowed (int) –
  • attempts (list[int]) –
Returns: tuple: ok (bool), attempts still in window (list[int])
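
An added example, not Allura's own code, of the flow that the verify_and_remove_code() and check_rate_limit() entries above describe: the attempt is counted against a sliding window before the code is compared, and a matching code is removed so it works only once. It assumes that attempts are integer Unix timestamps and time_allowed is in seconds; `sliding_window_check`, `InMemoryRecoveryCodes`, the `now` argument and the two exception classes are hypothetical local stand-ins.

```python
import hmac
import time


class InvalidRecoveryCode(Exception):
    """Local stand-in for the exception named in the docs above."""


class MultifactorRateLimitError(Exception):
    """Local stand-in for the exception named in the docs above."""


def sliding_window_check(num_allowed, time_allowed, attempts, now=None):
    """Return (ok, attempts still in window), counting the current attempt."""
    # Assumption: attempts are Unix timestamps, time_allowed is in seconds.
    now = int(time.time()) if now is None else now
    in_window = [t for t in attempts if t > now - time_allowed]
    in_window.append(now)  # the attempt being made right now counts too
    return len(in_window) <= num_allowed, in_window


class InMemoryRecoveryCodes:
    """Hypothetical store keyed by username; a real provider persists this."""

    def __init__(self, num_allowed=3, time_allowed=30):
        self.num_allowed, self.time_allowed = num_allowed, time_allowed
        self.codes = {}     # username -> list[str]
        self.attempts = {}  # username -> list[int] timestamps

    def replace_codes(self, user, codes):
        self.codes[user] = list(codes)

    def verify_and_remove_code(self, user, code, now=None):
        # Record the attempt before comparing, so every guess is counted
        # whether or not it turns out to be correct.
        ok, self.attempts[user] = sliding_window_check(
            self.num_allowed, self.time_allowed,
            self.attempts.get(user, []), now)
        if not ok:
            raise MultifactorRateLimitError()
        for stored in self.codes.get(user, []):
            # Constant-time comparison of each stored code with the guess.
            if hmac.compare_digest(stored.encode(), code.encode()):
                self.codes[user].remove(stored)  # recovery codes are single use
                return True
        raise InvalidRecoveryCode()
```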