allura.lib.multifactor

class allura.lib.multifactor.GoogleAuthenticatorFile

Parse and write server-side .google_authenticator files for PAM. File format: https://github.com/google/google-authenticator/blob/master/libpam/FILEFORMAT
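The sketch below is an added example, not Allura's GoogleAuthenticatorFile code. It parses and re-serializes the layout described in the linked FILEFORMAT document: the secret key on the first line, option lines starting with a double quote and a space, then one recovery code per line. The function names and the sample key, timestamps and codes are assumptions made for illustration.

```python
# Added illustration; not Allura's GoogleAuthenticatorFile implementation.

# Constructed sample: the key, timestamps and recovery codes are made up.
SAMPLE = '''\
JBSWY3DPEHPK3PXP
" RATE_LIMIT 3 30 1700000000 1700000010
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
'''


def parse_ga_file(text):
    """Split file text into (secret key, options dict, recovery codes)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError('empty file: no secret key line')
    key, options, codes = lines[0], {}, []
    for ln in lines[1:]:
        if ln.startswith('" '):
            # Option line: a name, optionally followed by its value fields.
            name, _, value = ln[2:].partition(' ')
            options[name] = value or None
        else:
            # Anything else after the key line is a recovery (scratch) code.
            codes.append(ln)
    return key, options, codes


def dump_ga_file(key, options, codes):
    """Serialize back to the same layout: key, option lines, then codes."""
    out = [key]
    for name, value in options.items():
        out.append('" ' + name + (' ' + value if value else ''))
    out.extend(codes)
    return '\n'.join(out) + '\n'


def rate_limit_state(options):
    """Return (allowed attempts, window seconds, recorded timestamps)."""
    fields = [int(f) for f in (options.get('RATE_LIMIT') or '').split()]
    if len(fields) < 2:
        return None  # no usable RATE_LIMIT option in this file
    return fields[0], fields[1], fields[2:]
```

The file holds both the TOTP shared secret and the unused recovery codes, so anything that can read it can pass the second factor for that user.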

class allura.lib.multifactor.GoogleAuthenticatorPamFilesystemRecoveryCodeService
get_codes(user)
Parameters:

user – a User

Returns:

list[str]

replace_codes(user, codes)
Parameters:

user – a User

verify_and_remove_code(user, code)

Verify and remove recovery codes. Also check for rate limiting.

Parameters:
  • user – a User

  • code – str

Raises:
  • InvalidRecoveryCode

  • MultifactorRateLimitError

class allura.lib.multifactor.GoogleAuthenticatorPamFilesystemTotpService

Store TOTP keys in home directories, in a format compatible with the TOTP PAM module for Google Authenticator: https://github.com/google/google-authenticator/tree/master/libpam

get_secret_key(user)
Parameters:

user – a User

Returns:

key

set_secret_key(user, key)
Parameters:
  • user – a User

  • key (bytes|None) – may be None to clear out a key

class allura.lib.multifactor.MongodbRecoveryCodeService
get_codes(user)
Parameters:

user – a User

Returns:

list[str]

replace_codes(user, codes)
Parameters:

user – a User

verify_and_remove_code(user, code)

Verify and remove recovery codes. Also check for rate limiting.

Parameters:
  • user – a User

  • code – str

Raises:
  • InvalidRecoveryCode

  • MultifactorRateLimitError

class allura.lib.multifactor.MongodbTotpService

Store TOTP keys in MongoDB.

get_secret_key(user)
Parameters:

user – a User

Returns:

key

set_secret_key(user, key)
Parameters:
  • user – a User

  • key (bytes|None) – may be None to clear out a key

class allura.lib.multifactor.RecoveryCodeService

An interface for handling multifactor recovery codes. Common functionality is provided in this base class, and specific subclasses implement different storage options. A provider must implement get_codes(), replace_codes(), and verify_and_remove_code().

To use a new provider, expose an entry point in setup.py:

[allura.multifactor.recovery_code]
myrecovery = foo.bar:MyRecoveryCodeService

Then in your .ini file, set auth.multifactor.recovery_code.service=myrecovery

classmethod get()
Return type:

RecoveryCodeService

get_codes(user)
Parameters:

user – a User

Returns:

list[str]

regenerate_codes(user)

Regenerate and replace existing codes.

Parameters:

user – a User

Returns:

codes, list[str]

replace_codes(user, codes)
Parameters:

user – a User

verify_and_remove_code(user, code)

Verify and remove recovery codes. Also check for rate limiting.

Parameters:
  • user – a User

  • code – str

Raises:
  • InvalidRecoveryCode

  • MultifactorRateLimitError

class allura.lib.multifactor.TotpService

An interface for handling multifactor auth TOTP secret keys. Common functionality is provided in this base class, and specific subclasses implement different storage options. A provider must implement get_secret_key(), set_secret_key(), and enforce_rate_limit().

To use a new provider, expose an entry point in setup.py:

[allura.multifactor.totp_service]
mytotp = foo.bar:MyTotpService

Then in your .ini file, set auth.multifactor.totp.service=mytotp

enforce_rate_limit(user)
Parameters:

user – a User

Raises:

MultifactorRateLimitError

classmethod get()
Return type:

TotpService

get_secret_key(user)
Parameters:

user – a User

Returns:

key

get_totp(user)
Parameters:

user – a User

Returns:

set_secret_key(user, key)
Parameters:
  • user – a User

  • key (bytes|None) – may be None to clear out a key

allura.lib.multifactor.check_rate_limit(num_allowed, time_allowed, attempts)
Parameters:
  • num_allowed (int) –

  • time_allowed (int) –

  • attempts (list[int]) –

Returns:

tuple: ok (bool), attempts still in window (list[int])