def test_01a_admin_realms(self):
admin1 = {"username": "******",
"role": "admin",
"realm": "realm1"}
admin2 = {"username": "******",
"role": "admin",
"realm": "realm2"}
set_policy(name="pol",
scope=SCOPE.ADMIN,
action="*", adminrealm="realm1")
g.policy_object = PolicyClass()
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
req.all_data = {}
# admin1 is allowed to do everything
g.logged_in_user = admin1
r = check_base_action(req, action="delete")
self.assertTrue(r)
# admin2 is not allowed.
g.logged_in_user = admin2
self.assertRaises(PolicyError, check_base_action, req, action="delete")
delete_policy("pol")
def test_01a_admin_realms(self):
admin1 = {"username": "******", "role": "admin", "realm": "realm1"}
admin2 = {"username": "******", "role": "admin", "realm": "realm2"}
set_policy(name="pol",
scope=SCOPE.ADMIN,
action="*",
adminrealm="realm1")
g.policy_object = PolicyClass()
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
req.all_data = {}
# admin1 is allowed to do everything
g.logged_in_user = admin1
r = check_base_action(req, action="delete")
self.assertTrue(r)
# admin2 is not allowed.
g.logged_in_user = admin2
self.assertRaises(PolicyError, check_base_action, req, action="delete")
delete_policy("pol")
def test_01_check_token_action(self):
g.logged_in_user = {"username": "******",
"role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
req.all_data = {"serial": "SomeSerial"}
# Set a policy, that does allow the action
set_policy(name="pol1",
scope=SCOPE.ADMIN,
action="enable", client="10.0.0.0/8")
g.policy_object = PolicyClass()
# Action enable is cool
r = check_base_action(request=req, action="enable")
self.assertTrue(r)
# Another action - like "disable" - is not allowed
# An exception is
self.assertRaises(PolicyError,
check_base_action, req, "disable")
# Action delete is not allowed
self.assertRaises(PolicyError,
check_base_action, req, "delete")
# check action with a token realm
set_policy(name="pol1",
scope=SCOPE.ADMIN,
action="enable", client="10.0.0.0/8",
realm="realm1")
set_policy(name="pol2",
scope=SCOPE.ADMIN,
action="*", client="10.0.0.0/8",
realm="realm2")
g.policy_object = PolicyClass()
# set a polrealm1 and a polrealm2
# setup realm1
self.setUp_user_realms()
# setup realm2
self.setUp_user_realm2()
tokenobject = init_token({"serial": "POL001", "type": "hotp",
"otpkey": "1234567890123456"})
r = set_realms("POL001", [self.realm1])
tokenobject = init_token({"serial": "POL002", "type": "hotp",
"otpkey": "1234567890123456"})
r = set_realms("POL002", [self.realm2])
# Token in realm1 can not be deleted
req.all_data = {"serial": "POL001"}
self.assertRaises(PolicyError,
check_base_action, req, "delete")
# while token in realm2 can be deleted
req.all_data = {"serial": "POL002"}
r = check_base_action(req, action="delete")
self.assertTrue(r)
# A normal user can "disable", since no user policies are defined.
g.logged_in_user = {"username": "******",
"role": "user"}
r = check_base_action(req, "disable")
self.assertTrue(r)
delete_policy("pol1")
delete_policy("pol2")
remove_token("POL001")
remove_token("POL002")
def test_01_check_token_action(self):
g.logged_in_user = {"username": "******", "role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
req.all_data = {"serial": "SomeSerial"}
# Set a policy, that does allow the action
set_policy(name="pol1",
scope=SCOPE.ADMIN,
action="enable",
client="10.0.0.0/8")
g.policy_object = PolicyClass()
# Action enable is cool
r = check_base_action(request=req, action="enable")
self.assertTrue(r)
# Another action - like "disable" - is not allowed
# An exception is
self.assertRaises(PolicyError, check_base_action, req, "disable")
# Action delete is not allowed
self.assertRaises(PolicyError, check_base_action, req, "delete")
# check action with a token realm
set_policy(name="pol1",
scope=SCOPE.ADMIN,
action="enable",
client="10.0.0.0/8",
realm="realm1")
set_policy(name="pol2",
scope=SCOPE.ADMIN,
action="*",
client="10.0.0.0/8",
realm="realm2")
g.policy_object = PolicyClass()
# set a polrealm1 and a polrealm2
# setup realm1
self.setUp_user_realms()
# setup realm2
self.setUp_user_realm2()
tokenobject = init_token({
"serial": "POL001",
"type": "hotp",
"otpkey": "1234567890123456"
})
r = set_realms("POL001", [self.realm1])
tokenobject = init_token({
"serial": "POL002",
"type": "hotp",
"otpkey": "1234567890123456"
})
r = set_realms("POL002", [self.realm2])
# Token in realm1 can not be deleted
req.all_data = {"serial": "POL001"}
self.assertRaises(PolicyError, check_base_action, req, "delete")
# while token in realm2 can be deleted
req.all_data = {"serial": "POL002"}
r = check_base_action(req, action="delete")
self.assertTrue(r)
# A normal user can "disable", since no user policies are defined.
g.logged_in_user = {"username": "******", "role": "user"}
r = check_base_action(req, "disable")
self.assertTrue(r)
delete_policy("pol1")
delete_policy("pol2")
remove_token("POL001")
remove_token("POL002")
