def test_14_required_email(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" req = Request(env) # Set a mangle policy to change the username # and only use the last 4 characters of the username set_policy(name="email1", scope=SCOPE.REGISTER, action="%s=/.*@mydomain\..*" % ACTION.REQUIREDEMAIL) g.policy_object = PolicyClass() # request, that matches the policy req.all_data = {"email": "*****@*****.**"} # This emails is allowed r = required_email(req) self.assertTrue(r) # This email is not allowed req.all_data = {"email": "*****@*****.**"} # This emails is allowed self.assertRaises(RegistrationError, required_email, req) delete_policy("email1") g.policy_object = PolicyClass() # Without a policy, this email can register req.all_data = {"email": "*****@*****.**"} # This emails is allowed r = required_email(req) self.assertTrue(r)
def test_14_required_email(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" req = Request(env) # Set a mangle policy to change the username # and only use the last 4 characters of the username set_policy(name="email1", scope=SCOPE.REGISTER, action="%s=/.*@mydomain\..*" % ACTION.REQUIREDEMAIL) g.policy_object = PolicyClass() # request, that matches the policy req.all_data = {"email": "*****@*****.**"} # This emails is allowed r = required_email(req) self.assertTrue(r) # This email is not allowed req.all_data = {"email": "*****@*****.**"} # This emails is allowed self.assertRaises(RegistrationError, required_email, req) delete_policy("email1") g.policy_object = PolicyClass() # Without a policy, this email can register req.all_data = {"email": "*****@*****.**"} # This emails is allowed r = required_email(req) self.assertTrue(r)
def test_03_check_token_upload(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" req = Request(env) req.all_data = {"filename": "token.xml"} # Set a policy, that does allow the action set_policy(name="pol1", scope=SCOPE.ADMIN, action="enrollTOTP, enrollHOTP, %s" % ACTION.IMPORT, client="10.0.0.0/8") g.policy_object = PolicyClass() # Try to import tokens r = check_token_upload(req) self.assertTrue(r) # The admin can not upload from another IP address # An exception is raised env["REMOTE_ADDR"] = "192.168.0.1" req = Request(env) req.all_data = {"filename": "token.xml"} self.assertRaises(PolicyError, check_token_upload, req) # finally delete policy delete_policy("pol1")
def test_02_check_token_init(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" req = Request(env) req.all_data = {"type": "totp"} # Set a policy, that does allow the action set_policy(name="pol1", scope=SCOPE.ADMIN, action="enrollTOTP, enrollHOTP", client="10.0.0.0/8") g.policy_object = PolicyClass() # Enrolling TOTP is cool r = check_token_init(req) self.assertTrue(r) # Another Token type can not be enrolled: # An exception is raised req.all_data = {"type": "motp"} self.assertRaises(PolicyError, check_token_init, req) # A normal user can "enroll", since no user policies are defined. g.logged_in_user = {"username": "******", "role": "user"} r = check_token_init(req) self.assertTrue(r) # finally delete policy delete_policy("pol1")
def test_03_check_token_upload(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" req = Request(env) req.all_data = {"filename": "token.xml"} # Set a policy, that does allow the action set_policy(name="pol1", scope=SCOPE.ADMIN, action="enrollTOTP, enrollHOTP, %s" % ACTION.IMPORT, client="10.0.0.0/8") g.policy_object = PolicyClass() # Try to import tokens r = check_token_upload(req) self.assertTrue(r) # The admin can not upload from another IP address # An exception is raised env["REMOTE_ADDR"] = "192.168.0.1" req = Request(env) req.all_data = {"filename": "token.xml"} self.assertRaises(PolicyError, check_token_upload, req) # finally delete policy delete_policy("pol1")
def test_04_check_max_token_user(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"user": "******", "realm": self.realm1} # Set a policy, that allows two tokens per user set_policy(name="pol1", scope=SCOPE.ENROLL, action="{0!s}={1!s}".format(ACTION.MAXTOKENUSER, 2)) g.policy_object = PolicyClass() # The user has one token, everything is fine. self.setUp_user_realms() tokenobject = init_token( { "serial": "NEW001", "type": "hotp", "otpkey": "1234567890123456" }, user=User(login="******", realm=self.realm1)) tokenobject_list = get_tokens( user=User(login="******", realm=self.realm1)) self.assertTrue(len(tokenobject_list) == 1) self.assertTrue(check_max_token_user(req)) # Now the user gets his second token tokenobject = init_token( { "serial": "NEW002", "type": "hotp", "otpkey": "1234567890123456" }, user=User(login="******", realm=self.realm1)) tokenobject_list = get_tokens( user=User(login="******", realm=self.realm1)) self.assertTrue(len(tokenobject_list) == 2) # The user has two tokens. The check that will run in this case, # before the user would be assigned the 3rd token, will raise a # PolicyError self.assertRaises(PolicyError, check_max_token_user, req) # The check for a token, that has no username in it, must not # succeed. I.e. in the realm new tokens must be enrollable. req.all_data = {} self.assertTrue(check_max_token_user(req)) req.all_data = {"realm": self.realm1} self.assertTrue(check_max_token_user(req)) # finally delete policy delete_policy("pol1") remove_token("NEW001") remove_token("NEW002")
def test_04_check_max_token_user(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"user": "******", "realm": self.realm1} # Set a policy, that allows two tokens per user set_policy(name="pol1", scope=SCOPE.ENROLL, action="{0!s}={1!s}".format(ACTION.MAXTOKENUSER, 2)) g.policy_object = PolicyClass() # The user has one token, everything is fine. self.setUp_user_realms() tokenobject = init_token({"serial": "NEW001", "type": "hotp", "otpkey": "1234567890123456"}, user=User(login="******", realm=self.realm1)) tokenobject_list = get_tokens(user=User(login="******", realm=self.realm1)) self.assertTrue(len(tokenobject_list) == 1) self.assertTrue(check_max_token_user(req)) # Now the user gets his second token tokenobject = init_token({"serial": "NEW002", "type": "hotp", "otpkey": "1234567890123456"}, user=User(login="******", realm=self.realm1)) tokenobject_list = get_tokens(user=User(login="******", realm=self.realm1)) self.assertTrue(len(tokenobject_list) == 2) # The user has two tokens. The check that will run in this case, # before the user would be assigned the 3rd token, will raise a # PolicyError self.assertRaises(PolicyError, check_max_token_user, req) # The check for a token, that has no username in it, must not # succeed. I.e. in the realm new tokens must be enrollable. req.all_data = {} self.assertTrue(check_max_token_user(req)) req.all_data = {"realm": self.realm1} self.assertTrue(check_max_token_user(req)) # finally delete policy delete_policy("pol1") remove_token("NEW001") remove_token("NEW002")
def test_05_check_max_token_realm(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"realm": self.realm1} # Set a policy, that allows two tokens per realm set_policy(name="pol1", scope=SCOPE.ENROLL, action="max_token_per_realm=2", realm=self.realm1) g.policy_object = PolicyClass() self.setUp_user_realms() # Add the first token into the realm tokenobject = init_token({ "serial": "NEW001", "type": "hotp", "otpkey": "1234567890123456" }) set_realms("NEW001", [self.realm1]) # check the realm, only one token is in it the policy condition will # pass tokenobject_list = get_tokens(realm=self.realm1) self.assertTrue(len(tokenobject_list) == 1) self.assertTrue(check_max_token_realm(req)) # add a second token to the realm tokenobject = init_token({ "serial": "NEW002", "type": "hotp", "otpkey": "1234567890123456" }) set_realms("NEW002", [self.realm1]) tokenobject_list = get_tokens(realm=self.realm1) self.assertTrue(len(tokenobject_list) == 2) # request with a user object, not with a realm req.all_data = {"user": "******".format(self.realm1)} # Now a new policy check will fail, since there are already two # tokens in the realm self.assertRaises(PolicyError, check_max_token_realm, req) # finally delete policy delete_policy("pol1") remove_token("NEW001") remove_token("NEW002")
def test_05_check_max_token_realm(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"realm": self.realm1} # Set a policy, that allows two tokens per realm set_policy(name="pol1", scope=SCOPE.ENROLL, action="max_token_per_realm=2", realm=self.realm1) g.policy_object = PolicyClass() self.setUp_user_realms() # Add the first token into the realm tokenobject = init_token({"serial": "NEW001", "type": "hotp", "otpkey": "1234567890123456"}) set_realms("NEW001", [self.realm1]) # check the realm, only one token is in it the policy condition will # pass tokenobject_list = get_tokens(realm=self.realm1) self.assertTrue(len(tokenobject_list) == 1) self.assertTrue(check_max_token_realm(req)) # add a second token to the realm tokenobject = init_token({"serial": "NEW002", "type": "hotp", "otpkey": "1234567890123456"}) set_realms("NEW002", [self.realm1]) tokenobject_list = get_tokens(realm=self.realm1) self.assertTrue(len(tokenobject_list) == 2) # request with a user object, not with a realm req.all_data = {"user": "******".format(self.realm1)} # Now a new policy check will fail, since there are already two # tokens in the realm self.assertRaises(PolicyError, check_max_token_realm, req) # finally delete policy delete_policy("pol1") remove_token("NEW001") remove_token("NEW002")
def test_09_pin_policies(self): g.logged_in_user = {"username": "******", "role": "user"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" req = Request(env) # Set a policy that defines PIN policy set_policy(name="pol1", scope=SCOPE.USER, action="%s=%s,%s=%s,%s=%s" % (ACTION.OTPPINMAXLEN, "10", ACTION.OTPPINMINLEN, "4", ACTION.OTPPINCONTENTS, "cn")) g.policy_object = PolicyClass() req.all_data = {"realm": "somerealm", "user": "******", "realm": "home"} # The minimum OTP length is 4 self.assertRaises(PolicyError, check_otp_pin, req) req.all_data = {"realm": "somerealm", "user": "******", "realm": "home", "pin": "12345566890012"} # Fail maximum OTP length self.assertRaises(PolicyError, check_otp_pin, req) req.all_data = {"realm": "somerealm", "user": "******", "realm": "home", "pin": "123456"} # Good OTP length, but missing character A-Z self.assertRaises(PolicyError, check_otp_pin, req) req.all_data = {"realm": "somerealm", "user": "******", "realm": "home", "pin": "abc123"} # Good length and goot contents self.assertTrue(check_otp_pin(req)) # finally delete policy delete_policy("pol1")
def test_16_init_token_defaults(self): g.logged_in_user = {"username": "******", "role": "user"} builder = EnvironBuilder(method='POST', data={'type': "totp", "genkey": "1"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) # Set a policy that defines the default totp settings set_policy(name="pol1", scope=SCOPE.USER, action="totp_otplen=8,totp_hashlib=sha256,totp_timestep=60") g.policy_object = PolicyClass() # request, that matches the policy req.all_data = { "type": "totp", "genkey": "1"} init_token_defaults(req) # Check, if the token defaults were added self.assertEqual(req.all_data.get("totp.hashlib"), "sha256") self.assertEqual(req.all_data.get("otplen"), "8") self.assertEqual(req.all_data.get("timeStep"), "60") # finally delete policy delete_policy("pol1")
def test_10_api_endpoint(self): fixed = "ebedeeefegeheiej" otpkey = "cc17a4d77eaed96e9d14b5c87a02e718" uid = "000000000000" otps = ["ebedeeefegeheiejtjtrutblehenfjljrirgdihrfuetljtt", "ebedeeefegeheiejlekvlrlkrcluvctenlnnjfknrhgtjned", "ebedeeefegeheiejktudedbktcnbuntrhdueikggtrugckij", "ebedeeefegeheiejjvjncbnffdrvjcvrbgdfufjgndfetieu", "ebedeeefegeheiejdruibhvlvktcgfjiruhltketifnitbuk" ] token = init_token({"type": "yubikey", "otpkey": otpkey, "otplen": len(otps[0]), "yubikey.prefix": fixed, "serial": "UBAM12345678_1"}) builder = EnvironBuilder(method='GET', headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) nonce = "random nonce" apiid = "hallo" apikey = "1YMEbMZijD3DzL21UfKGnOOI13c=" set_privacyidea_config("yubikey.apiid.{0!s}".format(apiid), apikey) req.all_data = {'id': apiid, "otp": otps[0], "nonce": nonce} text_type, result = YubikeyTokenClass.api_endpoint(req, g) self.assertEqual(text_type, "plain") self.assertTrue("status=OK" in result, result) self.assertTrue("nonce={0!s}".format(nonce) in result, result)
def test_03_loggingevent_parameter(self, capture): # simple logging event with user defined values self.setUp_user_realms() g = FakeFlaskG() g.audit_object = FakeAudit() env = EnvironBuilder(method='POST', headers={}, path='/auth').get_environ() req = Request(env) req.all_data = {} req.User = User("cornelius", self.realm1) resp = Response(response="""{"result": {"value": true}}""") options = { "g": g, "request": req, "response": resp, "handler_def": { 'options': { 'name': 'eventlogger-privacyidea', 'level': 'WARN', 'message': 'Hello {username}!' } } } log_handler = LoggingEventHandler() res = log_handler.do("logging", options=options) self.assertTrue(res) capture.check_present( ('eventlogger-privacyidea', 'WARNING', 'Hello cornelius!'))
def test_01a_admin_realms(self): admin1 = {"username": "******", "role": "admin", "realm": "realm1"} admin2 = {"username": "******", "role": "admin", "realm": "realm2"} set_policy(name="pol", scope=SCOPE.ADMIN, action="*", adminrealm="realm1") g.policy_object = PolicyClass() builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" req = Request(env) req.all_data = {} # admin1 is allowed to do everything g.logged_in_user = admin1 r = check_base_action(req, action="delete") self.assertTrue(r) # admin2 is not allowed. g.logged_in_user = admin2 self.assertRaises(PolicyError, check_base_action, req, action="delete") delete_policy("pol")
def test_06_set_tokenlabel(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" req = Request(env) # Set a policy that defines the tokenlabel set_policy(name="pol1", scope=SCOPE.ENROLL, action="%s=%s" % (ACTION.TOKENLABEL, "<u>@<r>")) set_policy(name="pol2", scope=SCOPE.ENROLL, action="%s=%s" % (ACTION.TOKENISSUER, "myPI")) g.policy_object = PolicyClass() # request, that matches the policy req.all_data = {"user": "******", "realm": "home"} init_tokenlabel(req) # Check, if the tokenlabel was added self.assertEqual(req.all_data.get("tokenlabel"), "<u>@<r>") # Check, if the tokenissuer was added self.assertEqual(req.all_data.get("tokenissuer"), "myPI") # finally delete policy delete_policy("pol1") delete_policy("pol2")
def test_04_loggingevent_broken_parameter(self, capture): # simple logging event with faulty parameters self.setUp_user_realms() g = FakeFlaskG() g.audit_object = FakeAudit() env = EnvironBuilder(method='POST', headers={}, path='/auth').get_environ() req = Request(env) req.all_data = {} req.User = User("cornelius", self.realm1) resp = Response(response="""{"result": {"value": true}}""") options = { "g": g, "request": req, "response": resp, "handler_def": { 'options': { 'name': None, 'level': 'some_level', 'message': None } } } log_handler = LoggingEventHandler() res = log_handler.do("logging", options=options) self.assertTrue(res) capture.check_present(('root', 'INFO', 'event=/auth triggered'))
def test_10_check_external(self): g.logged_in_user = {"username": "******", "role": "user"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() req = Request(env) g.policy_object = PolicyClass() req.all_data = { "user": "******", "realm": "home"} # Check success on no definition r = check_external(req) self.assertTrue(r) # Check success with external function current_app.config["PI_INIT_CHECK_HOOK"] = \ "privacyidea.api.lib.prepolicy.mock_success" r = check_external(req) self.assertTrue(r) # Check exception with external function current_app.config["PI_INIT_CHECK_HOOK"] = \ "privacyidea.api.lib.prepolicy.mock_fail" self.assertRaises(Exception, check_external, req)
def test_15_reset_password(self): builder = EnvironBuilder(method='POST', data={'user': "******", "realm": self.realm1}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" req = Request(env) # Set a mangle policy to change the username # and only use the last 4 characters of the username set_policy(name="recover", scope=SCOPE.USER, action="%s" % ACTION.RESYNC) g.policy_object = PolicyClass() req.all_data = {"user": "******", "realm": self.realm1} # There is a user policy without password reset, so an exception is # raised self.assertRaises(PolicyError, check_anonymous_user, req, ACTION.PASSWORDRESET) # The password reset is allowed set_policy(name="recover", scope=SCOPE.USER, action="%s" % ACTION.PASSWORDRESET) g.policy_object = PolicyClass() r = check_anonymous_user(req, ACTION.PASSWORDRESET) self.assertEqual(r, True)
def test_08_check_conditions_serial(self): uhandler = UserNotificationEventHandler() # check a serial with regexp builder = EnvironBuilder(method='POST', data={'user': "******"}, headers={}) env = builder.get_environ() req = Request(env) req.all_data = {"user": "******", "serial": "OATH123456"} req.User = User("cornelius", "realm1") resp = Response() resp.data = """{"result": {"value": true}}""" r = uhandler.check_condition({ "g": {}, "handler_def": { "conditions": { "serial": "^OATH.*" } }, "request": req, "response": resp }) # Serial matches the regexp self.assertEqual(r, True)
def test_06_check_conditions_realm(self): uhandler = UserNotificationEventHandler() # check a locked token with maxfail = failcount builder = EnvironBuilder(method='POST', data={'user': "******"}, headers={}) env = builder.get_environ() req = Request(env) req.all_data = {"user": "******"} req.User = User("cornelius", "realm1") resp = Response() resp.data = """{"result": {"value": false}}""" r = uhandler.check_condition({ "g": {}, "handler_def": { "conditions": { "realm": "realm2" } }, "request": req, "response": resp }) # wrong realm self.assertEqual(r, False)
def test_15_reset_password(self): builder = EnvironBuilder(method='POST', data={ 'user': "******", "realm": self.realm1 }, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" req = Request(env) # Set a mangle policy to change the username # and only use the last 4 characters of the username set_policy(name="recover", scope=SCOPE.USER, action="%s" % ACTION.RESYNC) g.policy_object = PolicyClass() req.all_data = {"user": "******", "realm": self.realm1} # There is a user policy without password reset, so an exception is # raised self.assertRaises(PolicyError, check_anonymous_user, req, ACTION.PASSWORDRESET) # The password reset is allowed set_policy(name="recover", scope=SCOPE.USER, action="%s" % ACTION.PASSWORDRESET) g.policy_object = PolicyClass() r = check_anonymous_user(req, ACTION.PASSWORDRESET) self.assertEqual(r, True)
def test_08_encrypt_pin(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" req = Request(env) # Set a policy that defines the PIN to be encrypted set_policy(name="pol1", scope=SCOPE.ENROLL, action=ACTION.ENCRYPTPIN) g.policy_object = PolicyClass() # request, that matches the policy req.all_data = { "user": "******", "realm": "home"} encrypt_pin(req) # Check, if the tokenlabel was added self.assertEqual(req.all_data.get("encryptpin"), "True") # finally delete policy delete_policy("pol1")
def test_01a_admin_realms(self): admin1 = {"username": "******", "role": "admin", "realm": "realm1"} admin2 = {"username": "******", "role": "admin", "realm": "realm2"} set_policy(name="pol", scope=SCOPE.ADMIN, action="*", adminrealm="realm1") g.policy_object = PolicyClass() builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" req = Request(env) req.all_data = {} # admin1 is allowed to do everything g.logged_in_user = admin1 r = check_base_action(req, action="delete") self.assertTrue(r) # admin2 is not allowed. g.logged_in_user = admin2 self.assertRaises(PolicyError, check_base_action, req, action="delete") delete_policy("pol")
def test_10_check_conditions_tokentype(self): uhandler = UserNotificationEventHandler() # check if tokenrealm is contained builder = EnvironBuilder(method='POST', data={'user': "******"}, headers={}) tok = init_token({"serial": "oath1234", "type": "spass"}, user=User("cornelius", "realm1")) env = builder.get_environ() req = Request(env) req.all_data = {"user": "******", "serial": "oath1234"} req.User = User("cornelius", "realm1") resp = Response() resp.data = """{"result": {"value": true}}""" r = uhandler.check_condition( {"g": {}, "handler_def": {"conditions": {"tokentype": "totp,spass,oath,"}}, "request": req, "response": resp } ) # Serial matches the regexp self.assertEqual(r, True)
def test_07_set_random_pin(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" req = Request(env) # Set a policy that defines the tokenlabel set_policy(name="pol1", scope=SCOPE.ENROLL, action="%s=%s" % (ACTION.OTPPINRANDOM, "12")) set_policy(name="pinhandling", scope=SCOPE.ENROLL, action="%s=privacyidea.lib.pinhandling.base.PinHandler" % ACTION.PINHANDLING) g.policy_object = PolicyClass() # request, that matches the policy req.all_data = { "user": "******", "realm": "home"} init_random_pin(req) # Check, if the tokenlabel was added self.assertEqual(len(req.all_data.get("pin")), 12) # finally delete policy delete_policy("pol1") delete_policy("pinhandling")
def test_06_offline_auth(self): # Test that a machine definition will return offline hashes self.setUp_user_realms() serial = "offline01" tokenobject = init_token({ "serial": serial, "type": "hotp", "otpkey": "3132333435363738393031" "323334353637383930", "pin": "offline", "user": "******" }) # Set the Machine and MachineToken resolver1 = save_resolver({ "name": "reso1", "type": "hosts", "filename": HOSTSFILE }) mt = attach_token(serial, "offline", hostname="gandalf") self.assertEqual(mt.token.serial, serial) self.assertEqual(mt.token.machine_list[0].machine_id, "192.168.0.1") # The request with an OTP value and a PIN of a user, who has not # token assigned builder = EnvironBuilder(method='POST', data={}, headers={}) env = builder.get_environ() env["REMOTE_ADDR"] = "192.168.0.1" req = Request(env) req.all_data = {"user": "******", "pass": "******"} res = { "jsonrpc": "2.0", "result": { "status": True, "value": True }, "version": "privacyIDEA test", "detail": { "serial": serial }, "id": 1 } resp = Response(json.dumps(res)) new_response = offline_info(req, resp) jresult = json.loads(new_response.data) self.assertTrue(jresult.get("result").get("value"), jresult) self.assertEqual(jresult.get("detail").get("serial"), serial) # Check the hashvalues in the offline tree auth_items = jresult.get("auth_items") self.assertEqual(len(auth_items), 1) response = auth_items.get("offline")[0].get("response") self.assertEqual(len(response), 100) # check if the counter of the token was increased to 100 tokenobject = get_tokens(serial=serial)[0] self.assertEqual(tokenobject.token.count, 101) delete_policy("pol2")
def test_07_set_random_pin(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" req = Request(env) # Set a policy that defines the tokenlabel set_policy(name="pol1", scope=SCOPE.ENROLL, action="%s=%s" % (ACTION.OTPPINRANDOM, "12")) set_policy(name="pinhandling", scope=SCOPE.ENROLL, action="%s=privacyidea.lib.pinhandling.base.PinHandler" % ACTION.PINHANDLING) g.policy_object = PolicyClass() # request, that matches the policy req.all_data = {"user": "******", "realm": "home"} init_random_pin(req) # Check, if the tokenlabel was added self.assertEqual(len(req.all_data.get("pin")), 12) # finally delete policy delete_policy("pol1") delete_policy("pinhandling")
def test_06_set_tokenlabel(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" req = Request(env) # Set a policy that defines the tokenlabel set_policy(name="pol1", scope=SCOPE.ENROLL, action="%s=%s" % (ACTION.TOKENLABEL, "<u>@<r>")) set_policy(name="pol2", scope=SCOPE.ENROLL, action="%s=%s" % (ACTION.TOKENISSUER, "myPI")) g.policy_object = PolicyClass() # request, that matches the policy req.all_data = { "user": "******", "realm": "home"} init_tokenlabel(req) # Check, if the tokenlabel was added self.assertEqual(req.all_data.get("tokenlabel"), "<u>@<r>") # Check, if the tokenissuer was added self.assertEqual(req.all_data.get("tokenissuer"), "myPI") # finally delete policy delete_policy("pol1") delete_policy("pol2")
def test_10_check_conditions_token_has_owner(self): uhandler = UserNotificationEventHandler() # check if tokenrealm is contained builder = EnvironBuilder(method='POST', data={'user': "******"}, headers={}) tok = init_token({ "serial": "oath1234", "type": "spass" }, user=User("cornelius", "realm1")) env = builder.get_environ() req = Request(env) req.all_data = {"user": "******", "serial": "oath1234"} req.User = User("cornelius", "realm1") resp = Response() resp.data = """{"result": {"value": true}}""" r = uhandler.check_condition({ "g": {}, "handler_def": { "conditions": { CONDITION.TOKEN_HAS_OWNER: "True" } }, "request": req, "response": resp }) # Token has an owner self.assertEqual(r, True) r = uhandler.check_condition({ "g": {}, "handler_def": { "conditions": { CONDITION.TOKEN_HAS_OWNER: "False" } }, "request": req, "response": resp }) # Token has an owner, but the condition is wrong self.assertEqual(r, False) # unassign token, no owner unassign_token("oath1234") r = uhandler.check_condition({ "g": {}, "handler_def": { "conditions": { CONDITION.TOKEN_HAS_OWNER: "False" } }, "request": req, "response": resp }) # The condition was, token-not-assigned and the token has no user self.assertEqual(r, True)
def test_05_loggingevent_tags(self, capture): class UserAgentMock: string = "hello world" browser = "browser" # simple logging event with all tags self.setUp_sqlite_resolver_realm('testuser.sqlite', 'sqliterealm') available_tags = [ 'admin', 'realm', 'action', 'serial', 'url', 'user', 'surname', 'givenname', 'username', 'userrealm', 'tokentype', 'time', 'date', 'client_ip', 'ua_browser', 'ua_string' ] tok = init_token( { "serial": "testserial", "type": "spass", "pin": "pin" }, user=User("cornelius", "sqliterealm")) g = FakeFlaskG() g.audit_object = FakeAudit() g.logged_in_user = { "username": "******", "role": "admin", "realm": "super" } env = EnvironBuilder(method='POST', headers={}, path='/auth').get_environ() req = Request(env) req.user_agent = UserAgentMock() req.all_data = {'serial': 'testserial'} req.User = User("cornelius", 'sqliterealm') resp = Response(response="""{"result": {"value": true}}""") options = { "g": g, "request": req, "response": resp, "handler_def": { 'options': { 'message': ' '.join( ['{0!s}={{{0!s}}}'.format(x) for x in available_tags]) } } } current_utc_time = datetime(2018, 3, 4, 5, 6, 8) with mock.patch('privacyidea.lib.utils.datetime') as mock_dt: mock_dt.now.return_value = current_utc_time log_handler = LoggingEventHandler() res = log_handler.do("logging", options=options) self.assertTrue(res) capture.check_present( ('pi-eventlogger', 'INFO', u'admin=admin realm=super action=/auth serial=testserial ' u'url=http://localhost/ user=Cornelius surname=Kölbel ' u'givenname=None username=cornelius userrealm=sqliterealm ' u'tokentype=spass time=05:06:08 date=2018-03-04 ' u'client_ip=None ua_browser=browser ua_string=hello world'))
def test_05_autoassign_any_pin(self): # init a token, that does has no uwser self.setUp_user_realms() tokenobject = init_token({"serial": "UASSIGN1", "type": "hotp", "otpkey": "3132333435363738393031" "323334353637383930"}, tokenrealms=[self.realm1]) user_obj = User("autoassignuser", self.realm1) # unassign all tokens from the user autoassignuser try: unassign_token(None, user=user_obj) except Exception: print("no need to unassign token") # The request with an OTP value and a PIN of a user, who has not # token assigned builder = EnvironBuilder(method='POST', data={}, headers={}) env = builder.get_environ() env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"user": "******", "realm": self.realm1, "pass": "******"} # The response with a failed request res = {"jsonrpc": "2.0", "result": {"status": True, "value": False}, "version": "privacyIDEA test", "id": 1} resp = Response(json.dumps(res)) # Set the autoassign policy # to "any_pin" set_policy(name="pol2", scope=SCOPE.ENROLL, action="{0!s}={1!s}".format(ACTION.AUTOASSIGN, AUTOASSIGNVALUE.NONE), client="10.0.0.0/8") g.policy_object = PolicyClass() new_response = autoassign(req, resp) jresult = json.loads(new_response.data) self.assertTrue(jresult.get("result").get("value"), jresult) self.assertEqual(jresult.get("detail").get("serial"), "UASSIGN1") # test the token with test287082 will fail res, dict = check_user_pass(User("autoassignuser", self.realm1), "test287082") self.assertFalse(res) # test the token with test359152 will succeed res, dict = check_user_pass(User("autoassignuser", self.realm1), "test359152") self.assertTrue(res) delete_policy("pol2")
def test_06_set_realm(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) # Set a policy, that allows two tokens per realm set_policy(name="pol1", scope=SCOPE.AUTHZ, action="{0!s}={1!s}".format(ACTION.SETREALM, self.realm1), realm="somerealm") g.policy_object = PolicyClass() # request, that matches the policy req.all_data = {"realm": "somerealm"} set_realm(req) # Check, if the realm was modified to the realm specified in the policy self.assertTrue(req.all_data.get("realm") == self.realm1) # A request, that does not match the policy: req.all_data = {"realm": "otherrealm"} set_realm(req) # Check, if the realm is still the same self.assertEqual(req.all_data.get("realm"), "otherrealm") # If there are several policies, which will produce different realms, # we get an exception set_policy(name="pol2", scope=SCOPE.AUTHZ, action="{0!s}={1!s}".format(ACTION.SETREALM, "ConflictRealm"), realm="somerealm") g.policy_object = PolicyClass() # This request will trigger two policies with different realms to set req.all_data = {"realm": "somerealm"} self.assertRaises(PolicyError, set_realm, req) # finally delete policy delete_policy("pol1") delete_policy("pol2")
def test_06_set_realm(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) # Set a policy, that allows two tokens per realm set_policy(name="pol1", scope=SCOPE.AUTHZ, action="{0!s}={1!s}".format(ACTION.SETREALM, self.realm1), realm="somerealm") g.policy_object = PolicyClass() # request, that matches the policy req.all_data = {"realm": "somerealm"} set_realm(req) # Check, if the realm was modified to the realm specified in the policy self.assertTrue(req.all_data.get("realm") == self.realm1) # A request, that does not match the policy: req.all_data = {"realm": "otherrealm"} set_realm(req) # Check, if the realm is still the same self.assertEqual(req.all_data.get("realm"), "otherrealm") # If there are several policies, which will produce different realms, # we get an exception set_policy(name="pol2", scope=SCOPE.AUTHZ, action="{0!s}={1!s}".format(ACTION.SETREALM, "ConflictRealm"), realm="somerealm") g.policy_object = PolicyClass() # This request will trigger two policies with different realms to set req.all_data = {"realm": "somerealm"} self.assertRaises(PolicyError, set_realm, req) # finally delete policy delete_policy("pol1") delete_policy("pol2")
def test_14_send_to_adminrealm(self): # setup realms self.setUp_user_realms() r = add_smtpserver(identifier="myserver", server="1.2.3.4", tls=False) self.assertTrue(r > 0) smtpmock.setdata(response={"*****@*****.**": (200, "OK")}, support_tls=False) g = FakeFlaskG() audit_object = FakeAudit() audit_object.audit_data["serial"] = "123456" g.logged_in_user = {"user": "******", "role": "admin", "realm": ""} g.audit_object = audit_object builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"serial": "SomeSerial", "user": "******"} req.User = User("cornelius", self.realm1) resp = Response() resp.data = """{"result": {"value": true}, "detail": {"registrationcode": "12345678910"} } """ # send email to user in adminrealm "realm1" # Although this is no admin realm, but this realm contains some email # addresses. options = { "g": g, "request": req, "response": resp, "handler_def": { "conditions": { "serial": "123.*" }, "options": { "body": "your {registrationcode}", "emailconfig": "myserver", "To": NOTIFY_TYPE.ADMIN_REALM, "To " + NOTIFY_TYPE.ADMIN_REALM: "realm1" } } } un_handler = UserNotificationEventHandler() res = un_handler.do("sendmail", options=options) self.assertTrue(res)
def test_08_get_webui_settings(self): # Test that a machine definition will return offline hashes self.setUp_user_realms() serial = "offline01" tokenobject = init_token({"serial": serial, "type": "hotp", "otpkey": "3132333435363738393031" "323334353637383930", "pin": "offline", "user": "******"}) # Set the Machine and MachineToken resolver1 = save_resolver({"name": "reso1", "type": "hosts", "filename": HOSTSFILE}) mt = attach_token(serial, "offline", hostname="gandalf") self.assertEqual(mt.token.serial, serial) self.assertEqual(mt.token.machine_list[0].machine_id, "192.168.0.1") # The request with an OTP value and a PIN of a user, who has not # token assigned builder = EnvironBuilder(method='POST', data={}, headers={}) env = builder.get_environ() env["REMOTE_ADDR"] = "192.168.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"user": "******", "pass": "******"} res = {"jsonrpc": "2.0", "result": {"status": True, "value": {"role": "user", "username": "******"}}, "version": "privacyIDEA test", "detail": {"serial": serial}, "id": 1} resp = Response(json.dumps(res)) new_response = get_webui_settings(req, resp) jresult = json.loads(new_response.data) self.assertEqual(jresult.get("result").get("value").get( "token_wizard"), False) # Set a policy. User has not token, so "token_wizard" will be True set_policy(name="pol_wizard", scope=SCOPE.WEBUI, action=ACTION.TOKENWIZARD) g.policy_object = PolicyClass() new_response = get_webui_settings(req, resp) jresult = json.loads(new_response.data) self.assertEqual(jresult.get("result").get("value").get( "token_wizard"), True) delete_policy("pol_wizard")
def test_06_offline_auth(self): # Test that a machine definition will return offline hashes self.setUp_user_realms() serial = "offline01" tokenobject = init_token({"serial": serial, "type": "hotp", "otpkey": "3132333435363738393031" "323334353637383930", "pin": "offline", "user": "******"}) # Set the Machine and MachineToken resolver1 = save_resolver({"name": "reso1", "type": "hosts", "filename": HOSTSFILE}) mt = attach_token(serial, "offline", hostname="gandalf") self.assertEqual(mt.token.serial, serial) self.assertEqual(mt.token.machine_list[0].machine_id, "192.168.0.1") # The request with an OTP value and a PIN of a user, who has not # token assigned builder = EnvironBuilder(method='POST', data={}, headers={}) env = builder.get_environ() env["REMOTE_ADDR"] = "192.168.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"user": "******", "pass": "******"} res = {"jsonrpc": "2.0", "result": {"status": True, "value": True}, "version": "privacyIDEA test", "detail": {"serial": serial}, "id": 1} resp = Response(json.dumps(res)) new_response = offline_info(req, resp) jresult = json.loads(new_response.data) self.assertTrue(jresult.get("result").get("value"), jresult) self.assertEqual(jresult.get("detail").get("serial"), serial) # Check the hashvalues in the offline tree auth_items = jresult.get("auth_items") self.assertEqual(len(auth_items), 1) response = auth_items.get("offline")[0].get("response") self.assertEqual(len(response), 100) # check if the counter of the token was increased to 100 tokenobject = get_tokens(serial=serial)[0] self.assertEqual(tokenobject.token.count, 101) delete_policy("pol2")
def test_12_mangle(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) # Set a mangle policy to change the username # and only use the last 4 characters of the username set_policy(name="mangle1", scope=SCOPE.AUTH, action="{0!s}=user/.*(.{{4}}$)/\\1/".format(ACTION.MANGLE)) g.policy_object = PolicyClass() # request, that matches the policy req.all_data = {"user": "******"} mangle(req) # Check if the user was modified self.assertEqual(req.all_data.get("user"), "user") # Set a mangle policy to remove blanks from realm name set_policy(name="mangle2", scope=SCOPE.AUTH, action="{0!s}=realm/\\s//".format(ACTION.MANGLE)) g.policy_object = PolicyClass() # request, that matches the policy req.all_data = {"realm": "lower Realm"} mangle(req) # Check if the realm was modified self.assertEqual(req.all_data.get("realm"), "lowerRealm") # finally delete policy delete_policy("mangle1") delete_policy("mangle2")
def test_09_pin_policies(self): g.logged_in_user = {"username": "******", "role": "user"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) # Set a policy that defines PIN policy set_policy(name="pol1", scope=SCOPE.USER, action="{0!s}={1!s},{2!s}={3!s},{4!s}={5!s}".format( ACTION.OTPPINMAXLEN, "10", ACTION.OTPPINMINLEN, "4", ACTION.OTPPINCONTENTS, "cn")) g.policy_object = PolicyClass() req.all_data = {"user": "******", "realm": "home"} # The minimum OTP length is 4 self.assertRaises(PolicyError, check_otp_pin, req) req.all_data = { "user": "******", "realm": "home", "pin": "12345566890012" } # Fail maximum OTP length self.assertRaises(PolicyError, check_otp_pin, req) req.all_data = {"user": "******", "realm": "home", "pin": "123456"} # Good OTP length, but missing character A-Z self.assertRaises(PolicyError, check_otp_pin, req) req.all_data = {"user": "******", "realm": "home", "pin": "abc123"} # Good length and good contents self.assertTrue(check_otp_pin(req)) # A token that does not use pins is ignored. init_token({"type": "certificate", "serial": "certificate"}) req.all_data = { "serial": "certificate", "realm": "somerealm", "user": "******", "pin": "" } self.assertTrue(check_otp_pin(req)) init_token({"type": "sshkey", "serial": "sshkey", "sshkey": SSHKEY}) req.all_data = { "serial": "sshkey", "realm": "somerealm", "user": "******", "pin": "" } self.assertTrue(check_otp_pin(req)) # finally delete policy delete_policy("pol1")
def test_12_mangle(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) # Set a mangle policy to change the username # and only use the last 4 characters of the username set_policy(name="mangle1", scope=SCOPE.AUTH, action="{0!s}=user/.*(.{{4}}$)/\\1/".format(ACTION.MANGLE)) g.policy_object = PolicyClass() # request, that matches the policy req.all_data = {"user": "******"} mangle(req) # Check if the user was modified self.assertEqual(req.all_data.get("user"), "user") # Set a mangle policy to remove blanks from realm name set_policy(name="mangle2", scope=SCOPE.AUTH, action="{0!s}=realm/\\s//".format(ACTION.MANGLE)) g.policy_object = PolicyClass() # request, that matches the policy req.all_data = {"realm": "lower Realm"} mangle(req) # Check if the realm was modified self.assertEqual(req.all_data.get("realm"), "lowerRealm") # finally delete policy delete_policy("mangle1") delete_policy("mangle2")
def test_03_sendsms(self): # setup realms self.setUp_user_realms() r = set_smsgateway(identifier="myGW", providermodule="privacyidea.lib.smsprovider." "SmtpSMSProvider.SmtpSMSProvider", options={ "SMTPIDENTIFIER": "myserver", "MAILTO": "*****@*****.**" }) self.assertTrue(r > 0) smtpmock.setdata(response={"*****@*****.**": (200, "OK")}, support_tls=False) g = FakeFlaskG() audit_object = FakeAudit() audit_object.audit_data["serial"] = "123456" g.logged_in_user = {"user": "******", "role": "admin", "realm": ""} g.audit_object = audit_object builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"serial": "SomeSerial", "user": "******"} req.User = User("cornelius", self.realm1) resp = Response() resp.data = """{"result": {"value": true}}""" options = { "g": g, "request": req, "response": resp, "handler_def": { "options": { "smsconfig": "myGW" } } } un_handler = UserNotificationEventHandler() res = un_handler.do("sendsms", options=options) self.assertTrue(res)
def test_02_loggingevent_default(self, capture): # simple logging event with default values g = FakeFlaskG() g.audit_object = FakeAudit() env = EnvironBuilder(method='POST', headers={}, path='/auth').get_environ() req = Request(env) req.all_data = {} resp = Response(response="""{"result": {"value": true}}""") options = {"g": g, "request": req, "response": resp, "handler_def": {}} log_handler = LoggingEventHandler() res = log_handler.do("logging", options=options) self.assertTrue(res) capture.check(('pi-eventlogger', 'INFO', 'event=/auth triggered'))
def test_02_check_token_init(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"type": "totp"} # Set a policy, that does allow the action set_policy(name="pol1", scope=SCOPE.ADMIN, action="enrollTOTP, enrollHOTP", client="10.0.0.0/8") g.policy_object = PolicyClass() # Enrolling TOTP is cool r = check_token_init(req) self.assertTrue(r) # Another Token type can not be enrolled: # An exception is raised req.all_data = {"type": "motp"} self.assertRaises(PolicyError, check_token_init, req) # A normal user can "enroll", since no user policies are defined. g.logged_in_user = {"username": "******", "role": "user"} r = check_token_init(req) self.assertTrue(r) # finally delete policy delete_policy("pol1")
def test_11_api_key_required(self): g.logged_in_user = {} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) g.policy_object = PolicyClass() # No policy and no Auth token req.all_data = {} r = api_key_required(req) # The request was not modified self.assertTrue(r) # Set a policy, that allows two tokens per realm set_policy(name="pol_api", scope=SCOPE.AUTHZ, action=ACTION.APIKEY) g.policy_object = PolicyClass() # A request with no API Key fails self.assertRaises(PolicyError, api_key_required, req) # A request with an API key succeeds secret = current_app.config.get("SECRET_KEY") token = jwt.encode( { "role": ROLE.VALIDATE, "exp": datetime.utcnow() + timedelta(hours=1) }, secret) req.headers = {"Authorization": token} r = api_key_required(req) self.assertTrue(r) # A request with a valid Admin Token does not succeed token = jwt.encode( { "role": ROLE.ADMIN, "username": "******", "exp": datetime.utcnow() + timedelta(hours=1) }, secret) req.headers = {"Authorization": token} self.assertRaises(PolicyError, api_key_required, req) delete_policy("pol_api")
def test_01_set_tokenrealm(self): # setup realms self.setUp_user_realms() self.setUp_user_realm2() init_token({"serial": "SPASS01", "type": "spass"}) g = FakeFlaskG() audit_object = FakeAudit() audit_object.audit_data["serial"] = "SPASS01" g.logged_in_user = {"user": "******", "role": "admin", "realm": ""} g.audit_object = audit_object builder = EnvironBuilder(method='POST', data={'serial': "SPASS01"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"serial": "SPASS01", "type": "spass"} resp = Response() resp.data = """{"result": {"value": true}}""" # Now the initiailized token will be set in realm2 options = { "g": g, "request": req, "response": resp, "handler_def": { "options": { "realm": "realm2" } } } t_handler = TokenEventHandler() res = t_handler.do(ACTION_TYPE.SET_TOKENREALM, options=options) self.assertTrue(res) # Check if the token is contained in realm2 realms = get_realms_of_token("SPASS01") self.assertTrue("realm2" in realms) remove_token("SPASS01")
def test_11_api_key_required(self): g.logged_in_user = {} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) g.policy_object = PolicyClass() # No policy and no Auth token req.all_data = {} r = api_key_required(req) # The request was not modified self.assertTrue(r) # Set a policy, that allows two tokens per realm set_policy(name="pol_api", scope=SCOPE.AUTHZ, action=ACTION.APIKEY) g.policy_object = PolicyClass() # A request with no API Key fails self.assertRaises(PolicyError, api_key_required, req) # A request with an API key succeeds secret = current_app.config.get("SECRET_KEY") token = jwt.encode({"role": ROLE.VALIDATE, "exp": datetime.utcnow() + timedelta(hours=1)}, secret) req.headers = {"Authorization": token} r = api_key_required(req) self.assertTrue(r) # A request with a valid Admin Token does not succeed token = jwt.encode({"role": ROLE.ADMIN, "username": "******", "exp": datetime.utcnow() + timedelta(hours=1)}, secret) req.headers = {"Authorization": token} self.assertRaises(PolicyError, api_key_required, req) delete_policy("pol_api")
def test_07_locked_token_wrong_pin(self): tok = init_token({ "serial": "lock2", "type": "spass", "pin": "pin" }, user=User("cornelius", "realm1")) # lock it tok.set_failcount(10) uhandler = UserNotificationEventHandler() resp = Response() resp.data = """{"result": {"value": false}}""" builder = EnvironBuilder(method='POST') env = builder.get_environ() req = Request(env) req.all_data = {"user": "******", "pass": "******"} req.User = User("cornelius", self.realm1) # check the do action. g = FakeFlaskG() audit_object = FakeAudit() audit_object.audit_data["serial"] = None g.audit_object = audit_object options = { "g": g, "handler_def": { "conditions": { "token_locked": "True" } }, "response": resp, "request": req } r = add_smtpserver(identifier="myserver", server="1.2.3.4", tls=False) self.assertTrue(r > 0) smtpmock.setdata(response={"*****@*****.**": (200, "OK")}, support_tls=False) r = uhandler.check_condition(options) self.assertEqual(r, True) r = uhandler.do("sendmail", options=options) self.assertEqual(r, True)
def test_04_unassign(self): # setup realms self.setUp_user_realms() init_token({ "serial": "SPASS01", "type": "spass" }, User("cornelius", self.realm1)) t = get_tokens(serial="SPASS01") uid = t[0].get_user_id() self.assertEqual(uid, "1000") g = FakeFlaskG() audit_object = FakeAudit() audit_object.audit_data["serial"] = "SPASS01" g.logged_in_user = {"user": "******", "role": "admin", "realm": ""} g.audit_object = audit_object builder = EnvironBuilder(method='POST', data={'serial': "SPASS01"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"serial": "SPASS01", "type": "spass"} resp = Response() resp.data = """{"result": {"value": true}}""" # Now the initiailized token will be set in realm2 options = {"g": g, "request": req, "response": resp, "handler_def": {}} t_handler = TokenEventHandler() res = t_handler.do(ACTION_TYPE.UNASSIGN, options=options) self.assertTrue(res) # Check if the token was unassigned t = get_tokens(serial="SPASS01") uid = t[0].get_user_id() self.assertEqual(uid, "") remove_token("SPASS01")
def test_02_sendmail(self): # setup realms self.setUp_user_realms() r = add_smtpserver(identifier="myserver", server="1.2.3.4", tls=False) self.assertTrue(r > 0) smtpmock.setdata(response={"*****@*****.**": (200, "OK")}, support_tls=False) g = FakeFlaskG() audit_object = FakeAudit() audit_object.audit_data["serial"] = "123456" g.logged_in_user = {"user": "******", "role": "admin", "realm": ""} g.audit_object = audit_object builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"serial": "SomeSerial", "user": "******"} req.User = User("cornelius", self.realm1) resp = Response() resp.data = """{"result": {"value": true}}""" options = { "g": g, "request": req, "response": resp, "handler_def": { "options": { "emailconfig": "myserver" } } } un_handler = UserNotificationEventHandler() res = un_handler.do("sendmail", options=options) self.assertTrue(res)
def test_03_enable_disable(self): # setup realms self.setUp_user_realms() init_token({"serial": "SPASS01", "type": "spass"}) g = FakeFlaskG() audit_object = FakeAudit() audit_object.audit_data["serial"] = "SPASS01" g.logged_in_user = {"user": "******", "role": "admin", "realm": ""} g.audit_object = audit_object builder = EnvironBuilder(method='POST', data={'serial': "SPASS01"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"serial": "SPASS01", "type": "spass"} resp = Response() resp.data = """{"result": {"value": true}}""" # Now the initiailized token will be set in realm2 options = {"g": g, "request": req, "response": resp, "handler_def": {}} t_handler = TokenEventHandler() res = t_handler.do(ACTION_TYPE.DISABLE, options=options) self.assertTrue(res) # Check if the token does not exist anymore t = get_tokens(serial="SPASS01") self.assertFalse(t[0].is_active()) res = t_handler.do(ACTION_TYPE.ENABLE, options=options) self.assertTrue(res) # Check if the token does not exist anymore t = get_tokens(serial="SPASS01") self.assertTrue(t[0].is_active()) remove_token("SPASS01")
def test_03_sendsms(self): # setup realms self.setUp_user_realms() r = set_smsgateway(identifier="myGW", providermodule="privacyidea.lib.smsprovider." "SmtpSMSProvider.SmtpSMSProvider", options={"SMTPIDENTIFIER": "myserver", "MAILTO": "*****@*****.**"}) self.assertTrue(r > 0) smtpmock.setdata(response={"*****@*****.**": (200, "OK")}, support_tls=False) g = FakeFlaskG() audit_object = FakeAudit() audit_object.audit_data["serial"] = "123456" g.logged_in_user = {"user": "******", "role": "admin", "realm": ""} g.audit_object = audit_object builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"serial": "SomeSerial", "user": "******"} options = {"g": g, "request": req, "smsconfig": "myGW"} un_handler = UserNotificationEventHandler() res = un_handler.do("sendsms", options=options) self.assertTrue(res)
def test_02_sendmail(self): # setup realms self.setUp_user_realms() r = add_smtpserver(identifier="myserver", server="1.2.3.4", tls=False) self.assertTrue(r > 0) smtpmock.setdata(response={"*****@*****.**": (200, "OK")}, support_tls=False) g = FakeFlaskG() audit_object = FakeAudit() audit_object.audit_data["serial"] = "123456" g.logged_in_user = {"user": "******", "role": "admin", "realm": ""} g.audit_object = audit_object builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) req.all_data = {"serial": "SomeSerial", "user": "******"} options = {"g": g, "request": req, "emailconfig": "myserver"} un_handler = UserNotificationEventHandler() res = un_handler.do("sendmail", options=options) self.assertTrue(res)
def test_02_api_endpoint(self): pin = "tiqr" token = init_token({"type": "tiqr", "pin": pin, "user": "******", "realm": self.realm1}) idetail = token.get_init_detail() value = idetail.get("tiqrenroll").get("value") # 'tiqrenroll://None?action=metadata&session=b81ecdf74118dcf6fa1cd41d3d4b2fec56c9107f&serial=TiQR000163CB # get the serial and the session m = re.search('&serial=(.*)$', value) serial = m.group(1) m = re.search('&session=(.*)&', value) session = m.group(1) # test meta data builder = EnvironBuilder(method='POST', data={}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" req = Request(env) req.all_data = {"action": "metadata", "session": session, "serial": serial} r = TiqrTokenClass.api_endpoint(req, g) self.assertEqual(r[0], "json") self.assertTrue("identity" in r[1], r[1]) self.assertTrue("service" in r[1], r[1]) # Test invalid action req.all_data = {"action": "unknown"} self.assertRaises(Exception, TiqrTokenClass.api_endpoint, req, g) # test enrollment with invalid session req.all_data = {"action": "enrollment", "serial": serial, "session": "123", "secret": KEY20} self.assertRaises(ParameterError, TiqrTokenClass.api_endpoint, req, g) # test enrollment with valid session req.all_data = {"action": "enrollment", "serial": serial, "session": session, "secret": KEY20} r = TiqrTokenClass.api_endpoint(req, g) self.assertEqual(r[0], "text") self.assertEqual(r[1], "OK") # test authentication endpoint # create a challenge by issuing validate/check with user and pin session = "" challenge = "" with self.app.test_request_context('/validate/check', method='GET', query_string=urlencode({ "user": "******", "realm": self.realm1, "pass": pin})): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") detail = json.loads(res.data).get("detail") self.assertTrue(result.get("status") is True, result) self.assertTrue(result.get("value") is False, result) transaction_id = detail.get("transaction_id") image_url = detail.get("attributes").get("value") self.assertTrue(image_url.startswith("tiqrauth")) # u'tiqrauth://[email protected] # /12335970131032896263/e0fac7bb2e3ea4219ead' # session = 12335970131032896263 # challenge = e0fac7bb2e3ea4219ead r = image_url.split("/") session = r[3] challenge = r[4] ocrasuite = token.get_tokeninfo("ocrasuite") ocra_object = OCRA(ocrasuite, key=binascii.unhexlify(KEY20)) # Calculate Response with the challenge. response = ocra_object.get_response(challenge) # First, send a wrong response req.all_data = {"response": "12345", "userId": "cornelius_%s" % self.realm1, "sessionKey": session, "operation": "login"} r = TiqrTokenClass.api_endpoint(req, g) self.assertEqual(r[0], "text") self.assertEqual(r[1], "INVALID_RESPONSE") # Send the correct response req.all_data = {"response": response, "userId": "cornelius_%s" % self.realm1, "sessionKey": session, "operation": "login"} r = TiqrTokenClass.api_endpoint(req, g) self.assertEqual(r[0], "text") self.assertEqual(r[1], "OK") # Send the same response a second time would not work # since the Challenge is marked as answered req.all_data = {"response": response, "userId": "cornelius_%s" % self.realm1, "sessionKey": session, "operation": "login"} r = TiqrTokenClass.api_endpoint(req, g) self.assertEqual(r[0], "text") self.assertEqual(r[1], "INVALID_CHALLENGE") # Finally we check the OTP status: r = token.check_challenge_response(options={"transaction_id": transaction_id}) self.assertTrue(r > 0, r) # Check the same challenge again. It will fail, since the # challenge was deleted from the database r = token.check_challenge_response(options={"transaction_id": transaction_id}) self.assertTrue(r < 0, r)
def test_09_pin_policies(self): g.logged_in_user = {"username": "******", "role": "user"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" g.client_ip = env["REMOTE_ADDR"] req = Request(env) # Set a policy that defines PIN policy set_policy(name="pol1", scope=SCOPE.USER, action="{0!s}={1!s},{2!s}={3!s},{4!s}={5!s}".format(ACTION.OTPPINMAXLEN, "10", ACTION.OTPPINMINLEN, "4", ACTION.OTPPINCONTENTS, "cn")) g.policy_object = PolicyClass() req.all_data = { "user": "******", "realm": "home"} # The minimum OTP length is 4 self.assertRaises(PolicyError, check_otp_pin, req) req.all_data = { "user": "******", "realm": "home", "pin": "12345566890012"} # Fail maximum OTP length self.assertRaises(PolicyError, check_otp_pin, req) req.all_data = { "user": "******", "realm": "home", "pin": "123456"} # Good OTP length, but missing character A-Z self.assertRaises(PolicyError, check_otp_pin, req) req.all_data = { "user": "******", "realm": "home", "pin": "abc123"} # Good length and good contents self.assertTrue(check_otp_pin(req)) # A token that does not use pins is ignored. init_token({"type": "certificate", "serial": "certificate"}) req.all_data = {"serial": "certificate", "realm": "somerealm", "user": "******", "pin": ""} self.assertTrue(check_otp_pin(req)) init_token({"type": "sshkey", "serial": "sshkey", "sshkey": SSHKEY}) req.all_data = {"serial": "sshkey", "realm": "somerealm", "user": "******", "pin": ""} self.assertTrue(check_otp_pin(req)) # finally delete policy delete_policy("pol1")
def test_01_check_token_action(self): g.logged_in_user = {"username": "******", "role": "admin"} builder = EnvironBuilder(method='POST', data={'serial': "OATH123456"}, headers={}) env = builder.get_environ() # Set the remote address so that we can filter for it env["REMOTE_ADDR"] = "10.0.0.1" req = Request(env) req.all_data = {"serial": "SomeSerial"} # Set a policy, that does allow the action set_policy(name="pol1", scope=SCOPE.ADMIN, action="enable", client="10.0.0.0/8") g.policy_object = PolicyClass() # Action enable is cool r = check_base_action(request=req, action="enable") self.assertTrue(r) # Another action - like "disable" - is not allowed # An exception is self.assertRaises(PolicyError, check_base_action, req, "disable") # Action delete is not allowed self.assertRaises(PolicyError, check_base_action, req, "delete") # check action with a token realm set_policy(name="pol1", scope=SCOPE.ADMIN, action="enable", client="10.0.0.0/8", realm="realm1") set_policy(name="pol2", scope=SCOPE.ADMIN, action="*", client="10.0.0.0/8", realm="realm2") g.policy_object = PolicyClass() # set a polrealm1 and a polrealm2 # setup realm1 self.setUp_user_realms() # setup realm2 self.setUp_user_realm2() tokenobject = init_token({"serial": "POL001", "type": "hotp", "otpkey": "1234567890123456"}) r = set_realms("POL001", [self.realm1]) tokenobject = init_token({"serial": "POL002", "type": "hotp", "otpkey": "1234567890123456"}) r = set_realms("POL002", [self.realm2]) # Token in realm1 can not be deleted req.all_data = {"serial": "POL001"} self.assertRaises(PolicyError, check_base_action, req, "delete") # while token in realm2 can be deleted req.all_data = {"serial": "POL002"} r = check_base_action(req, action="delete") self.assertTrue(r) # A normal user can "disable", since no user policies are defined. g.logged_in_user = {"username": "******", "role": "user"} r = check_base_action(req, "disable") self.assertTrue(r) delete_policy("pol1") delete_policy("pol2") remove_token("POL001") remove_token("POL002")