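    def test_add_mfa_existing(self):
        """
        Adding MFA twice for the same user must reuse the pending task.

        The first POST to the edit-mfa endpoint creates a task, a token and
        a draft TOTP secret (returned as an ``otpauth`` provisioning URI).
        A second identical POST must return the *same* token and the same
        provisioning URI without creating a second task, and the secret
        embedded in the URI must match the ``totp-draft`` credential stored
        server-side. Finally, a passcode derived from that secret must be
        accepted when submitted against the token.
        """

        user = fake_clients.FakeUser(
            name="*****@*****.**", password="******",
            email="*****@*****.**")

        setup_identity_cache(users=[user])

        # Headers stand in for an authenticated, non-admin project member.
        headers = {
            'project_name': "test_project",
            'project_id': "test_project_id",
            'roles': "_member_",
            'username': "******",
            'user_id': user.id,
            'authenticated': True
        }
        url = "/v1/openstack/edit-mfa"

        # First request: creates the task, token and draft secret.
        response = self.client.post(url, {}, format='json', headers=headers)
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        provisioning_uri = response.data.get('otpauth')
        token = response.data.get('token_id')
        self.assertIsNotNone(provisioning_uri)
        self.assertIsNotNone(token)
        self.assertEqual(Task.objects.count(), 1)

        # Second request: must be idempotent -- same token, same URI, and
        # still exactly one task (no fresh secret or duplicate task minted).
        response = self.client.post(url, {}, format='json', headers=headers)
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(response.data.get('token_id'), token)
        self.assertEqual(response.data.get('otpauth'), provisioning_uri)
        self.assertEqual(Task.objects.count(), 1)

        # Pull the shared secret out of the otpauth URI's query string.
        # Assert its presence explicitly so a missing parameter fails as an
        # assertion rather than a TypeError on ``None[0]``.
        query = urlparse.parse_qs(urlparse.urlsplit(provisioning_uri).query)
        self.assertIn('secret', query)
        secret = query['secret'][0]

        # The secret handed to the client must be the one stored as the
        # user's draft credential, otherwise confirmation could never succeed.
        manager = FakeManager()
        creds = manager.list_credentials(user.id, 'totp-draft')
        self.assertTrue(creds, "expected a totp-draft credential for the user")
        server_secret = json.loads(creds[0].blob)['secret']
        self.assertEqual(secret, server_secret)

        # Confirm enrolment with a passcode derived from the shared secret.
        code = generate_totp_passcode(secret)
        url = "/v1/tokens/" + token
        data = {'passcode': code}
        response = self.client.post(url, data, format='json')
        self.assertEqual(response.status_code, status.HTTP_200_OK)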
    def test_add_mfa_draft_removed(self):
        """
        Confirming MFA must fail cleanly if the draft secret has vanished.

        The action is driven directly (pre_approve -> post_approve -> submit)
        rather than through the HTTP API. After post_approve has stored a
        ``totp-draft`` credential, that credential is deleted out from under
        the action; the subsequent submit with an otherwise-correct passcode
        must mark the action invalid, report ``'TOTP Secret Removed'`` and
        leave no draft credential behind.
        """

        user = fake_clients.FakeUser(name="*****@*****.**",
                                     password="******",
                                     email="*****@*****.**")
        setup_identity_cache(users=[user])

        keystone_user = {
            'roles': ['admin', 'project_mod'],
            'project_id': 'test_project_id',
            'project_domain_id': 'default',
            'id': user.id,
        }
        task = Task.objects.create(ip_address="0.0.0.0",
                                   keystone_user=keystone_user)

        action = EditMFAAction({'user_id': user.id, 'delete': False},
                               task=task, order=1)

        action.pre_approve()
        self.assertTrue(action.valid)

        # post_approve is the step that mints the draft secret.
        action.post_approve()
        self.assertTrue(action.valid)

        identity = FakeManager()
        drafts = identity.list_credentials(user_id=user.id,
                                           cred_type='totp-draft')
        self.assertEqual(len(drafts), 1)
        secret = json.loads(drafts[0].blob)['secret']

        # Simulate the draft disappearing between approval and confirmation
        # before the (correct) passcode is submitted.
        identity.clear_credential_type(user_id=user.id,
                                       cred_type='totp-draft')

        result = action.submit({'passcode': generate_totp_passcode(secret)})
        self.assertFalse(action.valid)
        self.assertEqual(result.get('errors'), 'TOTP Secret Removed')

        # Nothing may have been re-created as a side effect of the failure.
        drafts = identity.list_credentials(user_id=user.id,
                                           cred_type='totp-draft')
        self.assertEqual(len(drafts), 0)
    def test_remove_mfa(self):
        """
        A user with TOTP already enrolled can remove it with a valid passcode.

        Seeds an active ``totp`` credential, drives the delete action through
        pre_approve/post_approve, then submits a passcode computed from the
        existing secret. On success neither a ``totp`` nor a ``totp-draft``
        credential may remain for the user.
        """

        user = fake_clients.FakeUser(name="*****@*****.**",
                                     password="******",
                                     email="*****@*****.**")

        # A fresh 20-byte (160-bit) secret, base32-encoded as authenticator
        # apps expect.
        existing_secret = base64.b32encode(os.urandom(20)).decode('utf-8')
        cred = fake_clients.FakeCredential(blob=existing_secret,
                                           cred_type='totp',
                                           user_id=user.id)
        setup_identity_cache(users=[user], credentials=[cred])

        task = Task.objects.create(
            ip_address="0.0.0.0",
            keystone_user={
                'roles': ['admin', 'project_mod'],
                'project_id': 'test_project_id',
                'project_domain_id': 'default',
                'id': user.id,
            },
        )

        action = EditMFAAction({'user_id': user.id, 'delete': True},
                               task=task, order=1)

        for stage in (action.pre_approve, action.post_approve):
            stage()
            self.assertTrue(action.valid)

        # Removal must be authorised by a passcode from the *current* secret.
        action.submit({'passcode': generate_totp_passcode(cred.blob)})
        self.assertTrue(action.valid)

        identity = FakeManager()
        for cred_type in ('totp', 'totp-draft'):
            remaining = identity.list_credentials(user_id=user.id,
                                                  cred_type=cred_type)
            self.assertEqual(len(remaining), 0,
                             "unexpected %s credential left behind" % cred_type)
    def test_remove_mfa_existing(self):
        """
        Requesting MFA removal twice must reuse the pending task and token.

        With an active ``totp`` credential in place, two DELETEs to the
        edit-mfa endpoint must return the same ``token_id`` and leave exactly
        one task. Submitting a passcode derived from the existing secret
        against that token must then succeed.
        """

        user = fake_clients.FakeUser(
            name="*****@*****.**", password="******",
            email="*****@*****.**")
        cred = fake_clients.FakeCredential(
            user_id=user.id, cred_type='totp',
            blob=base64.b32encode(os.urandom(20)).decode('utf-8'))
        setup_identity_cache(users=[user], credentials=[cred])

        # An authenticated, non-admin member of the project.
        headers = {
            'project_name': "test_project",
            'project_id': "test_project_id",
            'roles': "_member_",
            'username': "******",
            'user_id': user.id,
            'authenticated': True
        }
        edit_url = "/v1/openstack/edit-mfa"

        def request_removal():
            # One DELETE against edit-mfa; must succeed and never leave more
            # than a single task behind.
            resp = self.client.delete(edit_url, {},
                                      format='json', headers=headers)
            self.assertEqual(resp.status_code, status.HTTP_200_OK)
            self.assertEqual(Task.objects.count(), 1)
            return resp.data.get('token_id')

        token = request_removal()
        self.assertIsNotNone(token)

        # Second request: idempotent, same token, no new task.
        self.assertEqual(request_removal(), token)

        # Confirm with a passcode from the currently enrolled secret.
        passcode = generate_totp_passcode(cred.blob)
        response = self.client.post("/v1/tokens/" + token,
                                    {'passcode': passcode}, format='json')
        self.assertEqual(response.status_code, status.HTTP_200_OK)
    def test_add_mfa(self):
        """
        Happy path for enrolling TOTP on a user with no prior MFA.

        After pre_approve/post_approve exactly one ``totp-draft`` credential
        exists; submitting a passcode computed from its secret promotes it to
        an active ``totp`` credential and removes the draft.
        """

        user = fake_clients.FakeUser(name="*****@*****.**",
                                     password="******",
                                     email="*****@*****.**")
        setup_identity_cache(users=[user])

        task = Task.objects.create(
            ip_address="0.0.0.0",
            keystone_user={
                'roles': ['admin', 'project_mod'],
                'project_id': 'test_project_id',
                'project_domain_id': 'default',
                'id': user.id,
            },
        )

        action = EditMFAAction({'user_id': user.id, 'delete': False},
                               task=task, order=1)

        action.pre_approve()
        self.assertTrue(action.valid)
        action.post_approve()
        self.assertTrue(action.valid)

        identity = FakeManager()

        def creds_of(cred_type):
            return identity.list_credentials(user.id, cred_type)

        # post_approve must have staged exactly one draft secret.
        drafts = creds_of('totp-draft')
        self.assertEqual(len(drafts), 1)
        secret = json.loads(drafts[0].blob)['secret']

        # Proving possession of the secret activates it.
        action.submit({'passcode': generate_totp_passcode(secret)})
        self.assertTrue(action.valid)

        self.assertEqual(len(creds_of('totp')), 1)
        self.assertEqual(len(creds_of('totp-draft')), 0)
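    def test_add_mfa_incorrect_passcode(self):
        """
        A wrong passcode must not activate the pending TOTP enrolment.

        Drives the add action through pre_approve/post_approve so a
        ``totp-draft`` credential exists, then submits a passcode that is
        guaranteed *not* to match the draft secret. The action must become
        invalid, no ``totp`` credential may be created, and the draft must
        remain so the user can retry.
        """

        user = fake_clients.FakeUser(name="*****@*****.**",
                                     password="******",
                                     email="*****@*****.**")
        setup_identity_cache(users=[user])

        task = Task.objects.create(ip_address="0.0.0.0",
                                   keystone_user={
                                       'roles': ['admin', 'project_mod'],
                                       'project_id': 'test_project_id',
                                       'project_domain_id': 'default',
                                       'id': user.id
                                   })

        action = EditMFAAction({'user_id': user.id, 'delete': False},
                               task=task, order=1)

        action.pre_approve()
        self.assertTrue(action.valid)
        action.post_approve()
        self.assertTrue(action.valid)

        manager = FakeManager()
        user_draft = manager.list_credentials(user_id=user.id,
                                              cred_type='totp-draft')
        self.assertEqual(len(user_draft), 1)
        draft_secret = json.loads(user_draft[0].blob)['secret']

        # Derive the wrong passcode from an unrelated random secret, but make
        # sure it really differs from the correct one. TOTP codes are short
        # (typically six digits), so a random secret can occasionally yield
        # the same code as the real one, which would make this test flaky.
        correct = generate_totp_passcode(draft_secret)
        wrong = correct
        while wrong == correct:
            wrong = generate_totp_passcode(
                base64.b32encode(os.urandom(20)).decode('utf-8'))

        action.submit({'passcode': wrong})
        self.assertFalse(action.valid)

        # The credential store must be untouched: no active totp credential
        # was created, and the draft is still there for a retry.
        user_totp = manager.list_credentials(user_id=user.id, cred_type='totp')
        self.assertEqual(len(user_totp), 0)

        user_draft = manager.list_credentials(user_id=user.id,
                                              cred_type='totp-draft')
        self.assertEqual(len(user_draft), 1)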