
Migrate tokens: provide functions to move/copy tokens via dicts between processes

Open cornelinux opened this issue 3 years ago • 2 comments

We need an easy way to move/copy tokens between processes or installations. The requirement for this functionality keeps popping up in different migration scripts.

We should provide these functions in the generically shipped library functions.

It could look like this:

To create a token with all its tokeninfo:

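from privacyidea.models import Token, TokenInfo


def create_token_from_dict(serialized_token, info_list):
    """
    Create a token and its tokeninfo entries from serialized data.

    :param serialized_token: dict containing all token objects
    :param info_list: list of dicts, one per tokeninfo entry
    :return: database ID of the token
    """
    # create database object directly, since we have the encrypted data
    r = Token(**serialized_token).save()
    for ti in info_list:
        # link each tokeninfo entry to the newly created token
        ti["token_id"] = r
        TokenInfo(**ti).save()
    return r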

To create the dict from the database token:

def token_to_dict(token):
    """
    Store the database columns of the token into a dict.
    Also store the tokeninfo into a list of dicts.

    :param token: The database token object
    :return: a dict, containing the token and the tokeninfo
    """
    token_dict = {}
    columns = token.__table__.c
    for column in columns:
        value = getattr(token, column.key)
        # one-element tuple: ('id') is just the string 'id' (substring test)
        if column.key not in ('id',):
            token_dict[column.key] = value
    # Now add the tokeninfo
    info_list = []
    for ti in token.info_list:
        tokeninfo = {"Description": ti.Description,
                     "Key": ti.Key,
                     "Type": ti.Type,
                     "Value": ti.Value}
        info_list.append(tokeninfo)
    token_dict["info_list"] = info_list
    return token_dict

This could either be implemented as methods of the Token class or as functions in lib/token.py

Feb 16 '22 22:02 cornelinux
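A self-contained sketch of the round trip proposed above, added here as an example and not taken from the issue or from privacyIDEA's code. It uses the standard-library `sqlite3` module with a constructed, simplified schema; the two in-memory databases stand in for two installations, and the dump's keys are checked against the target table's columns because the dict arrives from another process.

```python
import sqlite3

# Simplified stand-in schema (constructed for this example, not privacyIDEA's).
SCHEMA = """
CREATE TABLE token (id INTEGER PRIMARY KEY, serial TEXT UNIQUE,
                    tokentype TEXT, key_enc TEXT);
CREATE TABLE tokeninfo (id INTEGER PRIMARY KEY, token_id INTEGER,
                        Key TEXT, Value TEXT, Type TEXT, Description TEXT);
"""

def new_instance():
    """One in-memory database per simulated installation."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    return db

def token_to_dict(db, serial):
    """Dump all token columns except the local primary key, plus tokeninfo."""
    row = db.execute("SELECT * FROM token WHERE serial = ?", (serial,)).fetchone()
    token = {k: row[k] for k in row.keys() if k != "id"}
    infos = db.execute("SELECT Key, Value, Type, Description FROM tokeninfo"
                       " WHERE token_id = ?", (row["id"],)).fetchall()
    token["info_list"] = [dict(ti) for ti in infos]
    return token

def create_token_from_dict(db, serialized_token):
    """Insert a dump; the target assigns the id and tokeninfo is re-linked."""
    token = dict(serialized_token)            # leave the caller's dict intact
    info_list = token.pop("info_list", [])
    # The dump comes from another process: accept known column names only.
    allowed = {c["name"] for c in db.execute("PRAGMA table_info(token)")} - {"id"}
    unknown = set(token) - allowed
    if unknown:
        raise ValueError(f"unexpected token fields: {sorted(unknown)}")
    cols = ", ".join(token)
    marks = ", ".join("?" for _ in token)
    new_id = db.execute(f"INSERT INTO token ({cols}) VALUES ({marks})",
                        tuple(token.values())).lastrowid
    for ti in info_list:
        db.execute("INSERT INTO tokeninfo (token_id, Key, Value, Type, Description)"
                   " VALUES (?, ?, ?, ?, ?)",
                   (new_id, ti["Key"], ti["Value"], ti["Type"], ti["Description"]))
    db.commit()
    return new_id
```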

PSKC provides a simple user identification entry: https://datatracker.ietf.org/doc/html/rfc6030#section-4.3.3

Feb 17 '22 16:02 plettich

Interesting. PSKC is rather used to transport crypto data between different systems. These will most probably also handle user names or identifiers differently. This would need to be adaptable.

However, in this issue I am looking for an internal mechanism to transport token data on a Python level (privacyidea.lib) to e.g. allow moving tokens between different privacyIDEA app contexts. So this should be Python objects (being either a dict or a new specific object).

Also, if we have this mentioned internal lib-function to export tokens, then this could also be used in an exporter script that exports to whatever format. But this is not the current idea of this issue!

Feb 20 '22 08:02 cornelinux

The function token_dump returns a token as a dict. The function token_load creates a token from a dict. This way we can read tokens from one privacyIDEA instance and write them to another one.

Jan 03 '24 10:01 cornelinux