revoke token

A token has two new states: revoked and locked. If a token gets revoked it is revoked and locked. A locked token can not be modified anymore. We still need to disable some edit buttons in the webui. Working on #135
privacyidea · Aug 27, 2015 · 887736a · 887736a
1 parent a25010d
commit 887736a
Show file tree

Hide file tree

Showing 21 changed files with 467 additions and 145 deletions.
diff --git a/doc/faq/ha-setups.rst b/doc/faq/ha-setups.rst
@@ -22,7 +22,8 @@ Using one central DBMS
 .. figure:: images/ha-one-dbms.png
    :width: 500
 
-If you already have a high available, redundant DBMS which might even be
+If you already have a high available, redundant DBMS -
+like MariaDB Galera Cluster - which might even be
 addressable via one cluster IP address the configuration is fairly simple.
 In such a case you can configure the same ``SQLALCHEMY_DATABASE_URI`` on all
 instances.

diff --git a/doc/policies/admin.rst b/doc/policies/admin.rst
@@ -69,6 +69,17 @@ Tokens can be enabled and disabled. Disabled tokens can not be
 used to authenticate. The ``disable`` action allows the 
 administrator to disable tokens.
 
+revoke
+~~~~~~
+
+type: bool
+
+Tokens can be revoked. Usually this means the token is disabled and locked.
+A locked token can not be modified anymore. It can only be deleted.
+
+Certain token types like *certificate* may define special actions when
+revoking a token.
+
 set
 ~~~
 

diff --git a/doc/policies/user.rst b/doc/policies/user.rst
@@ -263,3 +263,15 @@ attributes in the user store.
 
 .. note:: To be able to edit the attributes, the resolver must be defined as
    editable.
+
+
+revoke
+~~~~~~
+
+type: bool
+
+Tokens can be revoked. Usually this means the token is disabled and locked.
+A locked token can not be modified anymore. It can only be deleted.
+
+Certain token types like *certificate* may define special actions when
+revoking a token.
diff --git a/doc/requirements.txt b/doc/requirements.txt
@@ -22,7 +22,7 @@ gunicorn==19.3.0
 itsdangerous==0.24
 Jinja2==2.7.3
 ldap3==0.9.8.4
-Mako==1.0.0
+Mako>=0.9.1
 MarkupSafe==0.23
 mock==1.0.1
 MySQL-python==1.2.5

diff --git a/migrations/versions/20969b4cbf06_.py b/migrations/versions/20969b4cbf06_.py
@@ -0,0 +1,37 @@
+"""Add column revoked to Token table
+
+Revision ID: 20969b4cbf06
+Revises: 4d9178fa8336
+Create Date: 2015-08-27 12:19:57.272525
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '20969b4cbf06'
+down_revision = '4d9178fa8336'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade():
+    try:
+        op.add_column('token', sa.Column('revoked', sa.Boolean(),
+                                         nullable=False,
+                                         default=False))
+    except Exception as exx:
+        print "Could not add column 'revoked' to table 'token'"
+        print (exx)
+
+    try:
+        op.add_column('token', sa.Column('locked', sa.Boolean(),
+                                         nullable=False,
+                                         default=False))
+    except Exception as exx:
+        print "Could not add column 'locked' to table 'token'"
+        print (exx)
+
+
+def downgrade():
+    op.drop_column('token', 'revoked')
+    op.drop_column('token', 'locked')