def test_12_resolver_priority(self): # Test the priority of resolvers. # we create resolvers with the same user in it. Depending on the # priority we either get the one or the other user. save_resolver({"resolver": "double1", "type": "passwdresolver", "fileName": PWFILE}) save_resolver({"resolver": "double2", "type": "passwdresolver", "fileName": PWFILE}) save_resolver({"resolver": "double3", "type": "passwdresolver", "fileName": PWFILE}) (added, failed) = set_realm("double", ["double1", "double2", "double3"], priority={"double1": 2, "double2": 1, "double3": 3}) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 3) user = get_user_from_param({"user": "******", "realm": "double"}) self.assertEqual(user.resolver, "double2") (added, failed) = set_realm("double", ["double1", "double2", "double3"], priority={"double1": 3, "double2": 2, "double3": 1}) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 3) user = get_user_from_param({"user": "******", "realm": "double"}) self.assertEqual(user.resolver, "double3")
def test_01_create_realm(self): rid = save_resolver({"resolver": self.resolvername1, "type": "passwdresolver", "fileName": "/etc/passwd"}) self.assertTrue(rid > 0, rid) rid = save_resolver({"resolver": self.resolvername2, "type": "passwdresolver", "fileName": "/etc/secrets"}) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm1, [self.resolvername1, self.resolvername2]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 2) # test the realms realms = get_realms() self.assertTrue(self.realm1 in realms, realms) self.assertTrue(realms.get("realm1").get("default"), realms) # try to create realm with invalid name self.assertRaises(Exception, set_realm, "#####") # update the resolver list: (added, failed) = set_realm(self.realm1, [self.resolvername1, "non exiting"]) self.assertTrue(len(failed) == 1) self.assertTrue(len(added) == 1) self.assertTrue(realm_is_defined(self.realm1)) self.assertTrue(realm_is_defined("non exist") is False)
def test_02_failing_resolver(self): ldap3mock.setLDAPDirectory([]) # define, that we want to get an exception ldap3mock.set_exception() # Create an LDAP Realm as default realm params = { 'LDAPURI': 'ldap://localhost', 'LDAPBASE': 'o=test', 'BINDDN': 'cn=manager,ou=example,o=test', 'BINDPW': 'ldaptest', 'LOGINNAMEATTRIBUTE': 'cn', 'LDAPSEARCHFILTER': '(cn=*)', 'USERINFO': '{ "username": "******",' '"phone" : "telephoneNumber", ' '"mobile" : "mobile"' ', "email" : "mail", ' '"surname" : "sn", ' '"givenname" : "givenName" }', 'UIDTYPE': 'DN', "resolver": "ldap1", "type": "ldapresolver" } save_resolver(params) set_realm("ldap1", ["ldap1"]) set_default_realm("ldap1") # Try to login as internal admin with a failing LDAP resolver with mock.patch("logging.Logger.warning") as mock_log: with self.app.test_request_context('/auth', method='POST', data={ "username": "******", "password": "******" }): res = self.app.full_dispatch_request() self.assertEqual(200, res.status_code, res) result = res.json.get("result") self.assertTrue(result.get("status"), result) self.assertIn('token', result.get("value"), result) # role should be 'admin' self.assertEqual('admin', result['value']['role'], result) mock_log.assert_called_once_with( "Problem resolving user testadmin in realm ldap1: LDAP request failed." ) delete_realm("ldap1") delete_resolver("ldap1") ldap3mock.set_exception(False)
def test_05_get_set_realms(self): set_realm(self.realm2) db_token = Token.query.filter_by(serial=self.serial1).first() token = TokenClass(db_token) realms = token.get_realms() self.assertTrue(len(realms) == 1, realms) token.set_realms([self.realm1, self.realm2]) realms = token.get_realms() self.assertTrue(len(realms) == 2, realms)
def create(name, resolver): """ Create a new realm. This will create a new realm with the given resolver. *restriction*: The new realm will only contain one resolver! :return: """ from privacyidea.lib.realm import set_realm set_realm(name, [resolver])
def test_00_create_user(self): rid = save_resolver({"resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE}) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm1, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) user = User(login="******", realm=self.realm1, resolver=self.resolvername1) user_str = "{0!s}".format(user) self.assertTrue(user_str == "<root.resolver1@realm1>", user_str) # check proper unicode() and str() handling self.assertIsInstance(str(user), bytes) self.assertIsInstance(unicode(user), unicode) self.assertFalse(user.is_empty()) self.assertTrue(User().is_empty()) user_repr = "{0!r}".format(user) expected = "User(login='******', realm='realm1', resolver='resolver1')" self.assertTrue(user_repr == expected, user_repr)
def setUp_user_realm2(self): # create user realm rid = save_resolver({ "resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE }) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm2, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) user = User(login="******", realm=self.realm2, resolver=self.resolvername1) user_str = "{0!s}".format(user) self.assertTrue(user_str == "<root.resolver1@realm2>", user_str) self.assertFalse(user.is_empty()) self.assertTrue(User().is_empty()) user_repr = "{0!r}".format(user) expected = "User(login='******', realm='realm2', resolver='resolver1')" self.assertTrue(user_repr == expected, user_repr)
def _create_ldap_realm(self): rid = save_resolver(self.ldap_parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.ldap_realm, [self.ldap_resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1)
def _create_sql_realm(self): rid = save_resolver(self.sql_parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.sql_realm, [self.sql_resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1)
def setUp_sqlite_resolver_realm(self, sqlite_file, realm): parameters = { 'resolver': "sqlite_resolver", "type": "sqlresolver", 'Driver': 'sqlite', 'Server': '/tests/testdata/', 'Database': sqlite_file, 'Table': 'users', 'Encoding': 'utf8', 'Editable': True, 'Map': """{ "username": "******", "userid" : "id", "email" : "email", "surname" : "name", "givenname" : "givenname", "password" : "password", "phone": "phone", "mobile": "mobile"}""" } r = save_resolver(parameters) self.assertTrue(r) success, fail = set_realm(realm, ["sqlite_resolver"]) self.assertEqual(len(success), 1) self.assertEqual(len(fail), 0)
def test_02_userstore_password(self): # create a realm, where cornelius has a password test rid = save_resolver({"resolver": "myreso", "type": "passwdresolver", "fileName": PWFILE2}) self.assertTrue(rid > 0, rid) (added, failed) = set_realm("r1", ["myreso"]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) # now create a policy with userstore PW set_policy(name="pol1", scope=SCOPE.AUTH, action="%s=%s" % (ACTION.OTPPIN, ACTIONVALUE.USERSTORE)) g = FakeFlaskG() P = PolicyClass() g.policy_object = P options = {"g": g} # Wrong password r = auth_otppin(self.fake_check_otp, None, "WrongPW", options=options, user=User("cornelius", realm="r1")) self.assertFalse(r) # Correct password from userstore: "test" r = auth_otppin(self.fake_check_otp, None, "test", options=options, user=User("cornelius", realm="r1")) self.assertTrue(r) delete_policy("pol1")
def test_00_create_user(self): rid = save_resolver({ "resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE }) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm1, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) user = User(login="******", realm=self.realm1, resolver=self.resolvername1) user_str = "{0!s}".format(user) self.assertTrue(user_str == "<root.resolver1@realm1>", user_str) # check proper unicode() / str() handling if six.PY2: self.assertIsInstance(str(user), bytes) self.assertIsInstance(unicode(user), unicode) else: self.assertIsInstance(six.text_type(user), six.text_type) self.assertFalse(user.is_empty()) self.assertTrue(User().is_empty()) user_repr = "{0!r}".format(user) expected = "User(login='******', realm='realm1', resolver='resolver1')" self.assertTrue(user_repr == expected, user_repr)
def setUp_user_realms(self): # create user realm rid = save_resolver({ "resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE }) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm1a, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) (added, failed) = set_realm(self.realm2b, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1)
def test_09_get_user_from_param(self): user = get_user_from_param({"user": "******"}) self.assertTrue(user.realm == self.realm1, user) self.assertTrue(user.resolver == self.resolvername1, user) user = get_user_from_param({"realm": self.realm1}) self.assertTrue(user.realm == self.realm1, user) self.assertTrue(user.login == "", user) self.assertTrue(user.resolver == "", user.resolver) user = get_user_from_param({ "user": "******", "resolver": self.resolvername1 }) self.assertTrue(user.realm == self.realm1, user) # create a realm, where cornelius is in two resolvers! rid = save_resolver({ "resolver": self.resolvername3, "type": "passwdresolver", "fileName": PWFILE2 }) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm2, [self.resolvername1, self.resolvername3]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 2) # get user cornelius, who is in two resolvers! param = {"user": "******", "realm": self.realm2} user = get_user_from_param(param) self.assertEqual("{0!s}".format(user), "<cornelius.resolver1@realm2>")
def test_03_is_password_reset(self): # create resolver and realm param = self.parameters param["resolver"] = "register" param["type"] = "sqlresolver" r = save_resolver(param) self. assertTrue(r > 0) added, failed = set_realm("register", resolvers=["register"]) self.assertTrue(added > 0) self.assertEqual(len(failed), 0) # No user policy at all r = is_password_reset() self.assertEqual(r, True) # create policy set_policy(name="pwrest", scope=SCOPE.USER, action=ACTION.PASSWORDRESET) r = is_password_reset() self.assertEqual(r, True) # create policy that does not allow password_reset set_policy(name="pwrest", scope=SCOPE.USER, action=ACTION.DELETE) r = is_password_reset() self.assertEqual(r, False)
def test_16_ordered_resolver(self): rid = save_resolver({ "resolver": "resolver2", "type": "passwdresolver", "fileName": PWFILE }) rid = save_resolver({ "resolver": "reso4", "type": "passwdresolver", "fileName": PWFILE }) (added, failed) = set_realm("sort_realm", ["resolver1", "resolver2", "reso3", "reso4"], priority={ "resolver1": 30, "resolver2": 10, "reso3": 27, "reso4": 5 }) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 4) root = User("root", "sort_realm") r = root.get_ordererd_resolvers() self.assertEqual(r[0], "reso4") self.assertEqual(r[1], "resolver2") self.assertEqual(r[2], "reso3") self.assertEqual(r[3], "resolver1") delete_realm("sort_realm")
def test_14_create_delete_user(self): realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) # Create the user uid = create_user(resolver, {"username": "******", "givenname": "achmed"}, password="******") self.assertTrue(uid > 6) user = User("achmed3", realm=realm) r = user.check_password("secret") # delete user r = user.delete() self.assertTrue(r)
def test_02_userstore_password(self): # create a realm, where cornelius has a password test rid = save_resolver({"resolver": "myreso", "type": "passwdresolver", "fileName": PWFILE2}) self.assertTrue(rid > 0, rid) (added, failed) = set_realm("r1", ["myreso"]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) # now create a policy with userstore PW set_policy(name="pol1", scope=SCOPE.AUTH, action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.USERSTORE)) g = FakeFlaskG() P = PolicyClass() g.policy_object = P g.audit_object = FakeAudit() options = {"g": g} # Wrong password r = auth_otppin(self.fake_check_otp, None, "WrongPW", options=options, user=User("cornelius", realm="r1")) self.assertFalse(r) # Correct password from userstore: "test" r = auth_otppin(self.fake_check_otp, None, "test", options=options, user=User("cornelius", realm="r1")) self.assertTrue(r) delete_policy("pol1")
def test_17_check_nonascii_user(self): realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) # check non-ascii password of non-ascii user self.assertFalse(User(login=u"nönäscii", realm=realm).check_password("wrong")) self.assertTrue(User(login=u"nönäscii", realm=realm).check_password(u"sömepassword")) # check proper unicode() and str() handling user_object = User(login=u"nönäscii", realm=realm) if six.PY2: self.assertEqual(unicode(user_object), u'<nönäscii.SQL1@sqlrealm>') self.assertEqual(str(user_object), '<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>') else: self.assertEqual(six.text_type(user_object), u'<nönäscii.SQL1@sqlrealm>') self.assertEqual(six.text_type(user_object).encode('utf8'), b'<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>')
def test_00_create_user(self): rid = save_resolver({ "resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE }) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm1, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) user = User(login="******", realm=self.realm1, resolver=self.resolvername1) user_str = "%s" % user self.assertTrue(user_str == "<root.resolver1@realm1>", user_str) self.assertFalse(user.is_empty()) self.assertTrue(User().is_empty()) user_repr = "%r" % user expected = "User(login='******', realm='realm1', resolver='resolver1')" self.assertTrue(user_repr == expected, user_repr)
def test_16_ordered_resolver(self): rid = save_resolver({"resolver": "resolver2", "type": "passwdresolver", "fileName": PWFILE}) rid = save_resolver({"resolver": "reso4", "type": "passwdresolver", "fileName": PWFILE}) (added, failed) = set_realm("sort_realm", ["resolver1", "resolver2", "reso3", "reso4"], priority={"resolver1": 30, "resolver2": 10, "reso3": 27, "reso4": 5}) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 4) root = User("root", "sort_realm") r = root.get_ordererd_resolvers() self.assertEqual(r[0], "reso4") self.assertEqual(r[1], "resolver2") self.assertEqual(r[2], "reso3") self.assertEqual(r[3], "resolver1") delete_realm("sort_realm")
def test_17_check_nonascii_user(self): realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) # check non-ascii password of non-ascii user self.assertFalse( User(login=u"nönäscii", realm=realm).check_password("wrong")) self.assertTrue( User(login=u"nönäscii", realm=realm).check_password(u"sömepassword")) # check proper unicode() and str() handling user_object = User(login=u"nönäscii", realm=realm) self.assertEqual(unicode(user_object), u'<nönäscii.SQL1@sqlrealm>') self.assertEqual(str(user_object), '<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>')
def test_01_authenticate_admin_from_realm(self): # Define an admin realm! (added, failed) = set_realm("adminrealm", [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) # "selfservice" is a user in adminrealm. He should be able to # authenticate with self.app.test_request_context('/auth', method='POST', data={"username": "******", "password": "******"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data.decode('utf8')).get("result") self.assertTrue(result.get("status"), res.data) # In self.at_user we store the user token self.at_admin = result.get("value").get("token") # check that this is a user role = result.get("value").get("role") self.assertTrue(role == "admin", result) delete_realm("adminrealm")
def test_13_update_user(self): realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) user = User(login="******", realm=realm) uinfo = user.info self.assertEqual(uinfo.get("givenname", ""), "") user.update_user_info({"givenname": "wordy", "username": "******"}) uinfo = user.info self.assertEqual(uinfo.get("givenname"), "wordy") self.assertEqual(user.login, "WordpressUser") user.update_user_info({"givenname": "", "username": "******"})
def setUp_user_realm2(self): # create user realm rid = save_resolver({"resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE}) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm2, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) user = User(login="******", realm=self.realm2, resolver=self.resolvername1) user_str = "{0!s}".format(user) self.assertTrue(user_str == "<root.resolver1@realm2>", user_str) self.assertFalse(user.is_empty()) self.assertTrue(User().is_empty()) user_repr = "{0!r}".format(user) expected = "User(login='******', realm='realm2', resolver='resolver1')" self.assertTrue(user_repr == expected, user_repr)
def test_01_authenticate_admin_from_realm(self): # Define an admin realm! (added, failed) = set_realm("adminrealm", [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) # "selfservice" is a user in adminrealm. He should be able to # authenticate with self.app.test_request_context('/auth', method='POST', data={"username": "******", "password": "******"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue(result.get("status"), res.data) # In self.at_user we store the user token self.at_admin = result.get("value").get("token") # check that this is a user role = result.get("value").get("role") self.assertTrue(role == "admin", result) delete_realm("adminrealm")
def _create_user_wordy(self): """ This creates a user "wordy" in the realm "sqlrealm" """ realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) with self.app.test_request_context('/user/', method='POST', data={"user": "******", "resolver": resolver, "surname": "zappa", "givenname": "frank", "email": "*****@*****.**", "phone": "12345", "mobile": "12345", "password": "******"}, headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = res.json.get("result") self.assertTrue(result.get("value") > 6, result.get("value"))
def test_13_update_user(self): realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) user = User(login="******", realm=realm) uinfo = user.info self.assertEqual(uinfo.get("givenname", ""), "") user.update_user_info({ "givenname": "wordy", "username": "******" }) uinfo = user.info self.assertEqual(uinfo.get("givenname"), "wordy") self.assertEqual(user.login, "WordpressUser") user.update_user_info({"givenname": "", "username": "******"})
def test_14_create_delete_user(self): realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) # Create the user uid = create_user(resolver, { "username": "******", "givenname": "achmed" }, password="******") self.assertTrue(uid > 6) user = User("achmed3", realm=realm) r = user.check_password("secret") # delete user r = user.delete() self.assertTrue(r)
def test_09_get_user_from_param(self): user = get_user_from_param({"user": "******"}) self.assertTrue(user.realm == self.realm1, user) self.assertTrue(user.resolver == self.resolvername1, user) user = get_user_from_param({"realm": self.realm1}) self.assertTrue(user.realm == self.realm1, user) self.assertTrue(user.login == "", user) self.assertTrue(user.resolver == "", user.resolver) user = get_user_from_param({"user": "******", "resolver": self.resolvername1}) self.assertTrue(user.realm == self.realm1, user) # create a realm, where cornelius is in two resolvers! rid = save_resolver({"resolver": self.resolvername3, "type": "passwdresolver", "fileName": PWFILE2}) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm2, [self.resolvername1, self.resolvername3]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 2) # get user cornelius, who is in two resolvers! param = {"user": "******", "realm": self.realm2} user = get_user_from_param(param) self.assertEqual("{0!s}".format(user), "<cornelius.resolver1@realm2>")
def test_12_multiple_resolvers(self): # one realm, two SQL resolvers parameters_a = self.sql_parameters.copy() # first resolver only contains users with phone numbers parameters_a['Where'] = 'phone LIKE %' parameters_a['resolver'] = 'reso_a' rid_a = save_resolver(parameters_a) self.assertTrue(rid_a > 0, rid_a) # second resolver contains all users parameters_b = self.sql_parameters.copy() parameters_b['resolver'] = 'reso_b' rid_b = save_resolver(parameters_b) self.assertTrue(rid_b > 0, rid_b) # First ask reso_a, then reso_b (added, failed) = set_realm(self.sql_realm, ['reso_a', 'reso_b'], { 'reso_a': 1, 'reso_b': 2 }) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 2) # Now, query the user and populate the cache self.assertEqual(UserCache.query.count(), 0) user1 = User('wordpressuser', self.sql_realm) self.assertEqual(user1.uid, '6') # Assert it was found in reso_b (as it does not have a phone number)! self.assertEqual(user1.resolver, 'reso_b') self.assertEqual( UserCache.query.filter(UserCache.username == 'wordpressuser', UserCache.user_id == 6).one().resolver, 'reso_b') # Add a phone number. We do not use the User API to do that to simulate that the change is performed # out of privacyIDEA's control. Using `update_user_info` would invalidate the cache, which would be unrealistic. info = user1.info new_info = info.copy() new_info['phone'] = '123456' get_resolver_object('reso_a').update_user(user1.uid, new_info) # Ensure that the user's association with reso_b is still cached. self.assertEqual( UserCache.query.filter(UserCache.username == 'wordpressuser', UserCache.user_id == 6).one().resolver, 'reso_b') # Now, it should be located in reso_a! user2 = User('wordpressuser', self.sql_realm) self.assertEqual(user2.uid, '6') self.assertEqual(user2.resolver, 'reso_a') # ... but the cache still contains entries for both! resolver_query = UserCache.query.filter( UserCache.username == 'wordpressuser', UserCache.user_id == 6).order_by(UserCache.timestamp.desc()) cached_resolvers = [entry.resolver for entry in resolver_query.all()] self.assertEqual(cached_resolvers, ['reso_a', 'reso_b']) # Remove the phone number. get_resolver_object('reso_a').update_user(user1.uid, {'phone': None}) delete_realm(self.sql_realm) delete_resolver('reso_a') delete_resolver('reso_b')
def test_01_create_realm(self): rid = save_resolver({ "resolver": self.resolvername1, "type": "passwdresolver", "fileName": "/etc/passwd" }) self.assertTrue(rid > 0, rid) rid = save_resolver({ "resolver": self.resolvername2, "type": "passwdresolver", "fileName": "/etc/secrets" }) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm1, [self.resolvername1, self.resolvername2]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 2) (added, failed) = set_realm(self.realm_dot, [self.resolvername1, self.resolvername2]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 2) # test the realms realms = get_realms() self.assertTrue(self.realm1 in realms, realms) self.assertTrue(realms.get("realm1").get("default"), realms) self.assertTrue(self.realm_dot in realms, realms) # delete dot realm delete_realm(self.realm_dot) # try to create realm with invalid name self.assertRaises(Exception, set_realm, "#####") # update the resolver list: (added, failed) = set_realm(self.realm1, [self.resolvername1, "non exiting"]) self.assertTrue(len(failed) == 1) self.assertTrue(len(added) == 1) self.assertTrue(realm_is_defined(self.realm1)) self.assertTrue(realm_is_defined("non exist") is False)
def test_02_REMOTE_USER(self): # Allow remote user set_policy(name="remote", scope=SCOPE.WEBUI, action="{0!s}=allowed".format(ACTION.REMOTE_USER)) # Admin remote user with self.app.test_request_context( '/auth', method='POST', data={"username": "******"}, environ_base={"REMOTE_USER": "******"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue("token" in result.get("value")) self.assertTrue("username" in result.get("value")) self.assertEqual(result.get("value").get("role"), "admin") self.assertTrue(result.get("status"), res.data) self.setUp_user_realms() # User "cornelius" from the default realm as normale user with self.app.test_request_context( '/auth', method='POST', data={"username": "******"}, environ_base={"REMOTE_USER": "******"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue("token" in result.get("value")) self.assertTrue("username" in result.get("value")) self.assertEqual(result.get("value").get("role"), "user") self.assertTrue(result.get("status"), res.data) # Define the superuser_realm: "adminrealm" (added, failed) = set_realm("adminrealm", [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) # user cornelius is a member of the superuser_realm... with self.app.test_request_context( '/auth', method='POST', data={"username": "******"}, environ_base={"REMOTE_USER": "******"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue("token" in result.get("value")) self.assertTrue("username" in result.get("value")) # ...and will have the role admin self.assertEqual(result.get("value").get("role"), "admin") self.assertTrue(result.get("status"), res.data) delete_policy("remote")
def _create_realm(self): rid = save_resolver({"resolver": self.resolvername1, "type": "passwdresolver", "fileName": self.PWFILE, "type.fileName": "string", "desc.fileName": "The name of the file"}) self.assertTrue(rid > 0, rid) rid = set_realm(realm=self.realm1, resolvers=[self.resolvername1]) self.assertTrue(rid > 0, rid)
def test_12_multiple_resolvers(self): # one realm, two SQL resolvers parameters_a = self.sql_parameters.copy() # first resolver only contains users with phone numbers parameters_a['Where'] = 'phone LIKE %' parameters_a['resolver'] = 'reso_a' rid_a = save_resolver(parameters_a) self.assertTrue(rid_a > 0, rid_a) # second resolver contains all users parameters_b = self.sql_parameters.copy() parameters_b['resolver'] = 'reso_b' rid_b = save_resolver(parameters_b) self.assertTrue(rid_b > 0, rid_b) # First ask reso_a, then reso_b (added, failed) = set_realm(self.sql_realm, ['reso_a', 'reso_b'], { 'reso_a': 1, 'reso_b': 2 }) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 2) # Now, query the user and populate the cache self.assertEqual(UserCache.query.count(), 0) user1 = User('wordpressuser', self.sql_realm) self.assertEqual(user1.uid, 6) # Assert it was found in reso_b (as it does not have a phone number)! self.assertEqual(user1.resolver, 'reso_b') self.assertEqual(UserCache.query.filter(UserCache.username == 'wordpressuser', UserCache.user_id == 6).one().resolver, 'reso_b') # Add a phone number. We do not use the User API to do that to simulate that the change is performed # out of privacyIDEA's control. Using `update_user_info` would invalidate the cache, which would be unrealistic. info = user1.info new_info = info.copy() new_info['phone'] = '123456' get_resolver_object('reso_a').update_user(user1.uid, new_info) # Ensure that the user's association with reso_b is still cached. self.assertEqual(UserCache.query.filter(UserCache.username == 'wordpressuser', UserCache.user_id == 6).one().resolver, 'reso_b') # Now, it should be located in reso_a! user2 = User('wordpressuser', self.sql_realm) self.assertEqual(user2.uid, 6) self.assertEqual(user2.resolver, 'reso_a') # ... but the cache still contains entries for both! resolver_query = UserCache.query.filter(UserCache.username == 'wordpressuser', UserCache.user_id == 6).order_by(UserCache.timestamp.desc()) cached_resolvers = [entry.resolver for entry in resolver_query.all()] self.assertEqual(cached_resolvers, ['reso_a', 'reso_b']) # Remove the phone number. get_resolver_object('reso_a').update_user(user1.uid, {'phone': None}) delete_realm(self.sql_realm) delete_resolver('reso_a') delete_resolver('reso_b')
def test_02_REMOTE_USER(self): # Allow remote user set_policy(name="remote", scope=SCOPE.WEBUI, action="%s=allowed" % ACTION.REMOTE_USER) # Admin remote user with self.app.test_request_context('/auth', method='POST', data={"username": "******"}, environ_base={"REMOTE_USER": "******"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue("token" in result.get("value")) self.assertTrue("username" in result.get("value")) self.assertEqual(result.get("value").get("role"), "admin") self.assertTrue(result.get("status"), res.data) self.setUp_user_realms() # User "cornelius" from the default realm as normale user with self.app.test_request_context('/auth', method='POST', data={"username": "******"}, environ_base={"REMOTE_USER": "******"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue("token" in result.get("value")) self.assertTrue("username" in result.get("value")) self.assertEqual(result.get("value").get("role"), "user") self.assertTrue(result.get("status"), res.data) # Define the superuser_realm: "adminrealm" (added, failed) = set_realm("adminrealm", [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) # user cornelius is a member of the superuser_realm... with self.app.test_request_context('/auth', method='POST', data={"username": "******"}, environ_base={"REMOTE_USER": "******"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue("token" in result.get("value")) self.assertTrue("username" in result.get("value")) # ...and will have the role admin self.assertEqual(result.get("value").get("role"), "admin") self.assertTrue(result.get("status"), res.data) delete_policy("remote")
def test_01_admin_and_user_same_name(self): # Test the logging, if admin and user have the same name (testamdin/testpw) # Now create a default realm, that contains the used "testadmin" rid = save_resolver({ "resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE }) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm1, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) set_default_realm(self.realm1) # If the admin logs in, everything is fine with mock.patch("logging.Logger.info") as mock_log: with self.app.test_request_context('/auth', method='POST', data={ "username": "******", "password": "******" }): res = self.app.full_dispatch_request() self.assertEqual(200, res.status_code, res) result = res.json.get("result") self.assertTrue(result.get("status"), result) self.assertIn('token', result.get("value"), result) # role should be 'admin' self.assertEqual('admin', result['value']['role'], result) mock_log.assert_called_with( "Local admin 'testadmin' successfully logged in.") # If a user logs in, with the same name as the admin, this event is logged in warning with mock.patch("logging.Logger.warning") as mock_log: with self.app.test_request_context('/auth', method='POST', data={ "username": "******", "password": "******" }): res = self.app.full_dispatch_request() self.assertEqual(200, res.status_code, res) result = res.json.get("result") self.assertTrue(result.get("status"), result) self.assertIn('token', result.get("value"), result) # role should be 'user' self.assertEqual('user', result['value']['role'], result) # check if we have this log entry mock_log.assert_called_with( "A user 'testadmin' exists as local admin and as user " "in your default realm!")
def test_37_is_orphaned(self): resolver = "orphreso" realm = "orphrealm" rid = save_resolver({"resolver": resolver, "type": "passwdresolver", "fileName": PWFILE}) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) # Assign token to user "cornelius" "realm1", "resolver1" "uid=1000 db_token = Token("orphaned", tokentype="spass", userid=1000, resolver=resolver, realm=realm) db_token.save() token_obj = TokenClass(db_token) orph = token_obj.is_orphaned() self.assertFalse(orph) # clean up token token_obj.delete_token() # Assign a token to a user in a resolver. user_id does not exist db_token = Token("orphaned", tokentype="spass", userid=872812, resolver=resolver, realm=realm) db_token.save() token_obj = TokenClass(db_token) orph = token_obj.is_orphaned() self.assertTrue(orph) # clean up token token_obj.delete_token() # A token, which a resolver name, that does not exist anymore db_token = Token("orphaned", tokentype="spass", userid=1000, resolver=resolver, realm=realm) db_token.save() # delete the realm delete_realm(realm) # token is orphaned token_obj = TokenClass(db_token) orph = token_obj.is_orphaned() self.assertTrue(orph) # delete the resolver delete_resolver(resolver) # token is orphaned token_obj = TokenClass(db_token) orph = token_obj.is_orphaned() self.assertTrue(orph) # clean up token token_obj.delete_token()
def test_11_otppin_with_resolvers(self): # This tests, if the otppin policy differentiates between users in # the same realm but in different resolvers. r = save_resolver({"resolver": "reso001", "type": "passwdresolver", "fileName": "tests/testdata/passwords"}) # user "cornelius" is in resolver reso001 self.assertTrue(r > 0) r = save_resolver({"resolver": "reso002", "type": "passwdresolver", "fileName": "tests/testdata/pw-2nd-resolver"}) # user "userresolver2" is in resolver reso002 self.assertTrue(r > 0) (added, failed) = set_realm("myrealm", ["reso001", "reso002"]) self.assertEqual(len(added), 2) self.assertEqual(len(failed), 0) my_user_1 = User("cornelius", realm="myrealm") my_user_2 = User("userresolver2", realm="myrealm") # We set a policy only for resolver reso002 set_policy(name="pol1", scope=SCOPE.AUTH, realm="myrealm", resolver="reso002", action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.NONE)) g = FakeFlaskG() P = PolicyClass() g.policy_object = P g.audit_object = FakeAudit() options = {"g": g} # user in reso001 fails with empty PIN, since the policy does not # match for him r = auth_otppin(self.fake_check_otp, None, "", options=options, user=my_user_1) self.assertFalse(r) # user in reso002 succeeds with empty PIN, since policy pol1 matches # for him r = auth_otppin(self.fake_check_otp, None, "", options=options, user=my_user_2) self.assertTrue(r) # user in reso002 fails with any PIN, since policy pol1 matches # for him r = auth_otppin(self.fake_check_otp, None, "anyPIN", options=options, user=my_user_2) self.assertFalse(r) delete_policy("pol1") delete_realm("myrealm") delete_resolver("reso001") delete_resolver("reso002")
def test_18_user_with_several_phones(self): ldap3mock.setLDAPDirectory(LDAPDirectory_small) params = ({ 'LDAPURI': 'ldap://localhost', 'LDAPBASE': 'o=test', 'BINDDN': 'cn=manager,ou=example,o=test', 'BINDPW': 'ldaptest', 'LOGINNAMEATTRIBUTE': 'cn', 'LDAPSEARCHFILTER': '(|(cn=*))', # we use this weird search filter to get a unique resolver ID 'USERINFO': '{ "username": "******",' '"phone" : "telephoneNumber", ' '"mobile" : "mobile"' ', "email" : "mail", ' '"surname" : "sn", ' '"givenname" : "givenName" }', 'UIDTYPE': 'objectGUID', 'NOREFERRALS': True, 'CACHE_TIMEOUT': 0 }) params["resolver"] = "ldapresolver" params["type"] = "ldapresolver" rid = save_resolver(params) self.assertTrue(rid > 0) (added, failed) = set_realm("ldap", ["ldapresolver"]) self.assertEqual(len(added), 1) self.assertEqual(len(failed), 0) u = User("salesman", "ldap") # get the complete list r = u.get_user_phone("mobile") self.assertEqual(r, ["1234", "3456"]) # get the first entry r = u.get_user_phone("mobile", index=0) self.assertEqual(r, "1234") # Index out of range r = u.get_user_phone("mobile", index=2) self.assertEqual(r, "") delete_realm("ldap") delete_resolver("ldapresolver")
def test_02_set_default_realm(self): (added, failed) = set_realm("realm2", [self.resolvername2]) self.assertTrue(len(added) == 1) self.assertTrue(len(failed) == 0) realm = get_default_realm() self.assertTrue(realm == self.realm1) set_default_realm("realm2") realm = get_default_realm() self.assertTrue(realm == "realm2") set_default_realm() realm = get_default_realm() self.assertTrue(realm is None, realm)
def test_17b_ui_rights_users_in_different_resolvers(self): # Create a realm with two resolvers rid = save_resolver({ "resolver": "passwd", "type": "passwdresolver", "fileName": FILE_PASSWD }) self.assertTrue(rid > 0, rid) rid = save_resolver({ "resolver": "passwords", "type": "passwdresolver", "fileName": FILE_PASSWORDS }) self.assertTrue(rid > 0, rid) # create user realm (added, failed) = set_realm("realm4", ["passwd", "passwords"]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 2) # A user may do something else... set_policy(name="userpol41", scope=SCOPE.USER, action="enable", realm="realm4", resolver="passwd") set_policy(name="userpol42", scope=SCOPE.USER, action="remove", realm="realm4", resolver="passwords") P = PolicyClass() # The two users are in different resolvers and get different rights rights = P.ui_get_rights(SCOPE.USER, "realm4", "postfix") self.assertEqual(set(rights), {"enable", "disable"}) rights = P.ui_get_rights(SCOPE.USER, "realm4", "usernotoken") self.assertEqual(set(rights), {"disable", "remove"}) delete_policy("userpol41") delete_policy("userpol42") delete_realm("realm4") delete_resolver("passwords") delete_resolver("passwd")
def test_10_check_user_password(self): (added, failed) = set_realm("passwordrealm", [self.resolvername3]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) self.assertTrue(User(login="******", realm="passwordrealm").check_password("test")) self.assertFalse(User(login="******", realm="passwordrealm").check_password("wrong")) self.assertFalse(User(login="******", realm="passwordrealm").check_password("wrong")) # test cornelius@realm2, since he is located in more than one # resolver. self.assertEqual(User(login="******", realm="realm2").check_password("test"), None)
def test_00_set_ldap_realm(self): ldap3mock.setLDAPDirectory(LDAPDirectory) params = { 'LDAPURI': 'ldap://localhost', 'LDAPBASE': 'o=test', 'BINDDN': 'cn=manager,ou=example,o=test', 'BINDPW': 'ldaptest', 'LOGINNAMEATTRIBUTE': 'cn', 'LDAPSEARCHFILTER': '(cn=*)', 'MULTIVALUEATTRIBUTES': '["groups"]', 'USERINFO': '{ "username": "******",' '"phone" : "telephoneNumber", ' '"mobile" : "mobile"' ', "email" : "mail", ' '"surname" : "sn", ' '"groups": "memberOf", ' '"givenname" : "givenName" }', 'UIDTYPE': 'DN', "resolver": "ldapgroups", "type": "ldapresolver" } r = save_resolver(params) self.assertTrue(r > 0) r = set_realm("ldaprealm", resolvers=["ldapgroups"]) set_default_realm("ldaprealm") self.assertEqual(r, (["ldapgroups"], [])) # find a user, check the groups alice = User("alice", "ldaprealm") self.assertEqual(alice.info["groups"], ["cn=admins,o=test", "cn=users,o=test"])
def test_00_create_user_realm(self): rid = save_resolver({"resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE}) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm1, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) user = User(login="******", realm=self.realm1, resolver=self.resolvername1) user_str = "%s" % user self.assertTrue(user_str == "<root.resolver1@realm1>", user_str) self.assertFalse(user.is_empty()) self.assertTrue(User().is_empty()) user_repr = "%r" % user expected = "User(login='******', realm='realm1', resolver='resolver1')" self.assertTrue(user_repr == expected, user_repr)
def test_18_user_with_several_phones(self): ldap3mock.setLDAPDirectory(LDAPDirectory_small) params = ({'LDAPURI': 'ldap://localhost', 'LDAPBASE': 'o=test', 'BINDDN': 'cn=manager,ou=example,o=test', 'BINDPW': 'ldaptest', 'LOGINNAMEATTRIBUTE': 'cn', 'LDAPSEARCHFILTER': '(|(cn=*))', # we use this weird search filter to get a unique resolver ID 'USERINFO': '{ "username": "******",' '"phone" : "telephoneNumber", ' '"mobile" : "mobile"' ', "email" : "mail", ' '"surname" : "sn", ' '"givenname" : "givenName" }', 'UIDTYPE': 'objectGUID', 'NOREFERRALS': True, 'CACHE_TIMEOUT': 0 }) params["resolver"] = "ldapresolver" params["type"] = "ldapresolver" rid = save_resolver(params) self.assertTrue(rid > 0) (added, failed) = set_realm("ldap", ["ldapresolver"]) self.assertEqual(len(added), 1) self.assertEqual(len(failed), 0) u = User("salesman", "ldap") # get the complete list r = u.get_user_phone("mobile") self.assertEqual(r, ["1234", "3456"]) # get the first entry r = u.get_user_phone("mobile", index=0) self.assertEqual(r, "1234") # Index out of range r = u.get_user_phone("mobile", index=2) self.assertEqual(r, "") delete_realm("ldap") delete_resolver("ldapresolver")
def test_02_create_update_delete_user(self): realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) # CREATE a user with self.app.test_request_context('/user/', method='POST', data={"user": "******", "resolver": resolver, "surname": "zappa", "givenname": "frank", "email": "*****@*****.**", "phone": "12345", "mobile": "12345", "password": "******"}, headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue(result.get("value") > 6, result.get("value")) # Get users with self.app.test_request_context('/user/', method='GET', query_string=urlencode( {"username": "******"}), headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue(result.get("status")) self.assertEqual(result.get("value")[0].get("username"), "wordy") # Update by administrator. Set the password to "passwort" with self.app.test_request_context('/user/', method='PUT', query_string=urlencode( {"user": "******", "resolver": resolver, "password": "******"}), headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue(result.get("value")) # Get user authentication and update by user. with self.app.test_request_context('/auth', method='POST', data={"username": "******".format(realm), "password": "******"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue(result.get("status"), res.data) # In self.at_user we store the user token wordy_auth_token = result.get("value").get("token") # check that this is a user role = result.get("value").get("role") self.assertTrue(role == "user", result) # Even if a user specifies another username, the username is # overwritten by his own name! with self.app.test_request_context('/user/', method='PUT', query_string=urlencode( {"user": "******", "resolver": resolver, "password": "******"}), headers={'Authorization': wordy_auth_token}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue(result.get("value")) # Although the user "wordy" tried to update the password of user # "wordy2", he updated his own password. with self.app.test_request_context('/auth', method='POST', data={"username": "******".format(realm), "password": "******"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue(result.get("status"), res.data) # In self.at_user we store the user token wordy_auth_token = result.get("value").get("token") # check that this is a user role = result.get("value").get("role") self.assertTrue(role == "user", result) # Delete the users with self.app.test_request_context('/user/{0!s}/{1!s}'.format(resolver, "wordy"), method='DELETE', headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue(result.get("value"))
def test_02_REMOTE_USER(self): # Allow remote user set_policy(name="remote", scope=SCOPE.WEBUI, action="{0!s}=allowed".format( ACTION.REMOTE_USER)) # Admin remote user with self.app.test_request_context('/auth', method='POST', data={"username": "******"}, environ_base={"REMOTE_USER": "******"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data.decode('utf8')).get("result") self.assertTrue("token" in result.get("value")) self.assertTrue("username" in result.get("value")) self.assertEqual(result.get("value").get("role"), "admin") self.assertTrue(result.get("status"), res.data) # Check if the /auth request writes the policyname "remote" to the audit entry with self.app.test_request_context('/audit/', method='GET', headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) auditentry = res.json.get("result").get("value").get("auditdata")[0] self.assertTrue("remote" in auditentry.get("policies")) self.setUp_user_realms() # User "cornelius" from the default realm as normale user with self.app.test_request_context('/auth', method='POST', data={"username": "******"}, environ_base={"REMOTE_USER": "******"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data.decode('utf8')).get("result") self.assertTrue("token" in result.get("value")) self.assertTrue("username" in result.get("value")) self.assertEqual(result.get("value").get("role"), "user") self.assertTrue(result.get("status"), res.data) # Define the superuser_realm: "adminrealm" (added, failed) = set_realm("adminrealm", [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) # user cornelius is a member of the superuser_realm... with self.app.test_request_context('/auth', method='POST', data={"username": "******"}, environ_base={"REMOTE_USER": "******"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data.decode('utf8')).get("result") self.assertTrue("token" in result.get("value")) self.assertTrue("username" in result.get("value")) # ...and will have the role admin self.assertEqual(result.get("value").get("role"), "admin") self.assertTrue(result.get("status"), res.data) delete_policy("remote")
def test_01_register_user(self): smtpmock.setdata(response={"*****@*****.**": (200, "OK")}) # create resolver and realm param = self.parameters param["resolver"] = "register" param["type"] = "sqlresolver" r = save_resolver(param) self. assertTrue(r > 0) added, failed = set_realm("register", resolvers=["register"]) self.assertTrue(added > 0) self.assertEqual(len(failed), 0) # create policy r = set_policy(name="pol2", scope=SCOPE.REGISTER, action="{0!s}={1!s}, {2!s}={3!s}".format(ACTION.REALM, "register", ACTION.RESOLVER, "register")) # Try to register, but missing parameter with self.app.test_request_context('/register', method='POST', data={"username": "******", "surname": "Kölbel"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 400, res) # Register fails, missing SMTP config with self.app.test_request_context('/register', method='POST', data={"username": "******", "surname": "Kölbel", "givenname": "Cornelius", "password": "******", "email": "*****@*****.**"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 400, res) data = json.loads(res.data.decode('utf8')) self.assertEqual(data.get("result").get("error").get("code"), ERROR.REGISTRATION) self.assertEqual(data.get("result").get("error").get("message"), u'ERR402: No SMTP server configuration specified!') # Set SMTP config and policy add_smtpserver("myserver", "1.2.3.4", sender="pi@localhost") set_policy("pol3", scope=SCOPE.REGISTER, action="{0!s}=myserver".format(ACTION.EMAILCONFIG)) with self.app.test_request_context('/register', method='POST', data={"username": "******", "surname": "Kölbel", "givenname": "Cornelius", "password": "******", "email": "*****@*****.**"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) # Registering the user a second time will fail with self.app.test_request_context('/register', method='POST', data={"username": "******", "surname": "Kölbel", "givenname": "Cornelius", "password": "******", "email": "*****@*****.**"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 400, res) # get the register status with self.app.test_request_context('/register', method='GET'): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) data = json.loads(res.data.decode('utf8')) self.assertEqual(data.get("result").get("value"), True)
def test_21_check_all_resolver(self): # check_all_resolver allows to find a policy for a secondary user # resolver. # We create one realm "realm1" with the resolvers # reso1 (prio 1) # reso2 (prio 2) # reso3 (prio 3) # A user user@realm1 will be identified as user.reso1@realm1. # But we will also match policies for reso2. # no realm and resolver r = get_realms() self.assertEqual(r, {}) r = get_resolver_list() self.assertEqual(r, {}) # create user realm for reso in ["reso1", "resoX", "resoA"]: rid = save_resolver({"resolver": reso, "type": "passwdresolver", "fileName": PWFILE}) self.assertTrue(rid > 0, rid) # create a realm with reso1 being the resolver with the highest priority (added, failed) = set_realm("realm1", ["reso1", "resoX", "resoA"], priority={"reso1": 1, "resoX": 2, "resoA": 3}) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 3) user = User(login="******", realm="realm1") # The user, that is created, is cornelius.reso1@realm1 user_str = "{0!s}".format(user) self.assertEqual(user_str, "<cornelius.reso1@realm1>") # But the user "cornelius" is also contained in other resolves in # this realm r = user.get_ordererd_resolvers() self.assertEqual(r, ["reso1", "resoX", "resoA"]) self.assertFalse(user.is_empty()) self.assertTrue(User().is_empty()) # define a policy with the wrong resolver p = set_policy(name="checkAll", scope=SCOPE.AUTHZ, realm="realm1", resolver="resoX", action="{0}=totp".format(ACTION.TOKENTYPE)) self.assertTrue(p > 0) p = set_policy(name="catchAll", scope=SCOPE.AUTHZ, realm="realm1", action="{0}=totp".format(ACTION.TOKENTYPE)) self.assertTrue(p > 0) P = PolicyClass() pols = P.get_policies(scope=SCOPE.AUTHZ, realm=user.realm, resolver=user.resolver, user=user.login) self.assertEqual(len(pols), 1) # Now we change the policy, so that it uses check_all_resolver, i.e. p = set_policy(name="checkAll", scope=SCOPE.AUTHZ, realm="realm1", resolver="resoX", check_all_resolvers=True, action="{0}=totp".format(ACTION.TOKENTYPE)) self.assertTrue(p > 0) P = PolicyClass() pols = P.get_policies(scope=SCOPE.AUTHZ, realm=user.realm, resolver=user.resolver, user=user.login) self.assertEqual(len(pols), 2) # delete policy delete_policy("checkAll") delete_policy("catchAll") # delete resolvers and realm delete_realm("realm1") for reso in ["reso1", "resoX", "resoA"]: rid = delete_resolver(reso) self.assertTrue(rid > 0, rid)
def test_03_get_allowed_audit_realm(self): # Check than an internal admin is allowed to see all realms # A helpdesk user in "adminrealm" is only allowerd to see realm1A Audit(action="enroll", success=1, realm="realm1A").save() Audit(action="enroll", success=1, realm="realm1A").save() Audit(action="enroll", success=1, realm="realm2B").save() Audit(action="enroll", success=1, realm="realm2B").save() Audit(action="enroll", success=1, realm="realm2B").save() # check, that we see all audit entries with self.app.test_request_context('/audit/', method='GET', data={"realm": "realm1A"}, headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) json_response = json.loads(res.data.decode('utf8')) self.assertTrue(json_response.get("result").get("status"), res) self.assertEqual(json_response.get("result").get("value").get( "count"), 5) with self.app.test_request_context('/audit/', method='GET', data={"realm": "realm2B"}, headers={ 'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) json_response = json.loads(res.data.decode('utf8')) self.assertTrue(json_response.get("result").get("status"), res) self.assertEqual(json_response.get("result").get("value").get( "count"), 7) # set policy: helpdesk users in adminrealm are only allowed to # view "realm1A". set_policy("audit01", scope=SCOPE.ADMIN, action=ACTION.AUDIT, adminrealm="adminrealm", realm="realm1A") # Test admin is allowed to view unrestricted logs! set_policy("audit02", scope=SCOPE.ADMIN, action=ACTION.AUDIT, user="******") rid = save_resolver({"resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE}) self.assertTrue(rid > 0, rid) (added, failed) = set_realm("adminrealm", [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) helpdesk_authorization = None with self.app.test_request_context('/auth', method='POST', data={'username': '******', 'password': '******'}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) json_response = json.loads(res.data.decode('utf8')) value = json_response.get("result").get("value") # Helpdesk user is allowed to view the audit log. self.assertTrue("auditlog" in value.get("rights")) helpdesk_authorization = value.get("token") # check, that we only see allowed audit realms with self.app.test_request_context('/audit/', method='GET', headers={'Authorization': helpdesk_authorization}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) json_response = json.loads(res.data.decode('utf8')) self.assertTrue(json_response.get("result").get("status"), res) # We now have 3 entries, as we added one by the search in line #43 count = json_response.get("result").get("value").get("count") auditdata = json_response.get("result").get("value").get("auditdata") self.assertEqual(count, 6) # All entries are in realm1A! for ad in auditdata: self.assertEqual(ad.get("realm"), "realm1A") # Now check, that the testadmin (self.at) sees all entries! with self.app.test_request_context('/audit/', method='GET', headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) json_response = json.loads(res.data.decode('utf8')) self.assertTrue(json_response.get("result").get("status"), res) # We now have 3 entries, as we added one by the search in line #43 count = json_response.get("result").get("value").get("count") auditdata = json_response.get("result").get("value").get("auditdata") self.assertEqual(count, 21) # delete policy delete_policy("audit01") delete_policy("audit02")
def test_12_authcache(self): password = "******" username = "******" realm = "myrealm" resolver = "reso001" pw_hash = binascii.hexlify(hashlib.sha256(password).digest()) r = save_resolver({"resolver": "reso001", "type": "passwdresolver", "fileName": "tests/testdata/passwords"}) (added, failed) = set_realm("myrealm", ["reso001"]) def fake_check_user_pass(user, passw, options=None): return True, {"message": "Fake Authentication"} set_policy(name="pol1", scope=SCOPE.AUTH, realm=realm, resolver=resolver, action="{0!s}={1!s}".format(ACTION.AUTH_CACHE, "4h/5m")) g = FakeFlaskG() P = PolicyClass() g.policy_object = P g.audit_object = FakeAudit() options = {"g": g} # This successfully authenticates against the authcache # We have an authentication, that is within the policy timeout AuthCache(username, realm, resolver, pw_hash, first_auth=datetime.datetime.utcnow() - timedelta(hours=3), last_auth=datetime.datetime.utcnow() - timedelta(minutes=1)).save() r = auth_cache(fake_check_user_pass, User("cornelius", "myrealm"), password, options=options) self.assertTrue(r[0]) self.assertEqual(r[1].get("message"), "Authenticated by AuthCache." ) # We have an authentication, that is not read from the authcache, # since the authcache first_auth is too old. delete_from_cache(username, realm, resolver, pw_hash) AuthCache(username, realm, resolver, pw_hash, first_auth=datetime.datetime.utcnow() - timedelta(hours=5), last_auth=datetime.datetime.utcnow() - timedelta( minutes=1)).save() r = auth_cache(fake_check_user_pass, User("cornelius", "myrealm"), password, options=options) self.assertTrue(r[0]) self.assertEqual(r[1].get("message"), "Fake Authentication") # We have an authentication, that is not read from authcache, since # the last_auth is too old = 10 minutes. delete_from_cache(username, realm, resolver, pw_hash) AuthCache(username, realm, resolver, pw_hash, first_auth=datetime.datetime.utcnow() - timedelta(hours=1), last_auth=datetime.datetime.utcnow() - timedelta( minutes=10)).save() r = auth_cache(fake_check_user_pass, User("cornelius", "myrealm"), password, options=options) self.assertTrue(r[0]) self.assertEqual(r[1].get("message"), "Fake Authentication") # We have a policy, with no special last_auth delete_policy("pol1") set_policy(name="pol1", scope=SCOPE.AUTH, realm=realm, resolver=resolver, action="{0!s}={1!s}".format(ACTION.AUTH_CACHE, "4h")) g = FakeFlaskG() P = PolicyClass() g.policy_object = P g.audit_object = FakeAudit() options = {"g": g} delete_from_cache(username, realm, resolver, pw_hash) AuthCache(username, realm, resolver, pw_hash, first_auth=datetime.datetime.utcnow() - timedelta(hours=2), last_auth=datetime.datetime.utcnow() - timedelta( hours=1)).save() r = auth_cache(fake_check_user_pass, User("cornelius", "myrealm"), password, options=options) self.assertTrue(r[0]) self.assertEqual(r[1].get("message"), "Authenticated by AuthCache.") # Clean up delete_policy("pol1") delete_realm("myrealm") delete_resolver("reso001")