def test_16_admin_realm(self):
P = PolicyClass()
logged_in_user = {
"username": "******",
"role": "admin",
"realm": "realm1"
}
# Without policies, the admin gets all
tt = P.ui_get_enroll_tokentypes("127.0.0.1", logged_in_user)
self.assertTrue("hotp" in tt)
self.assertTrue("totp" in tt)
self.assertTrue("motp" in tt)
self.assertTrue("sms" in tt)
self.assertTrue("spass" in tt)
self.assertTrue("sshkey" in tt)
self.assertTrue("email" in tt)
self.assertTrue("certificate" in tt)
self.assertTrue("yubico" in tt)
self.assertTrue("yubikey" in tt)
self.assertTrue("radius" in tt)
# An admin in realm1 may only enroll Yubikeys
set_policy(name="tokenEnroll",
scope=SCOPE.ADMIN,
adminrealm="realm1",
action="enrollYUBIKEY")
P = PolicyClass()
tt = P.ui_get_enroll_tokentypes("127.0.0.1", logged_in_user)
self.assertFalse("hotp" in tt)
self.assertFalse("totp" in tt)
self.assertFalse("motp" in tt)
self.assertFalse("sms" in tt)
self.assertFalse("spass" in tt)
self.assertFalse("sshkey" in tt)
self.assertFalse("email" in tt)
self.assertFalse("certificate" in tt)
self.assertFalse("yubico" in tt)
self.assertTrue("yubikey" in tt)
self.assertFalse("radius" in tt)
# An admin in another admin realm may enroll nothing.
logged_in_user = {
"username": "******",
"role": "admin",
"realm": "OtherRealm"
}
tt = P.ui_get_enroll_tokentypes("127.0.0.1", logged_in_user)
self.assertFalse("hotp" in tt)
self.assertFalse("totp" in tt)
self.assertFalse("motp" in tt)
self.assertFalse("sms" in tt)
self.assertFalse("spass" in tt)
self.assertFalse("sshkey" in tt)
self.assertFalse("email" in tt)
self.assertFalse("certificate" in tt)
self.assertFalse("yubico" in tt)
self.assertFalse("yubikey" in tt)
self.assertFalse("radius" in tt)
delete_policy("tokenEnroll")
def test_16_admin_realm(self):
P = PolicyClass()
logged_in_user = {"username": "******",
"role": "admin",
"realm": "realm1"}
# Without policies, the admin gets all
tt = P.ui_get_enroll_tokentypes("127.0.0.1", logged_in_user)
self.assertTrue("hotp" in tt)
self.assertTrue("totp" in tt)
self.assertTrue("motp" in tt)
self.assertTrue("sms" in tt)
self.assertTrue("spass" in tt)
self.assertTrue("sshkey" in tt)
self.assertTrue("email" in tt)
self.assertTrue("certificate" in tt)
self.assertTrue("yubico" in tt)
self.assertTrue("yubikey" in tt)
self.assertTrue("radius" in tt)
# An admin in realm1 may only enroll Yubikeys
set_policy(name="tokenEnroll", scope=SCOPE.ADMIN,
adminrealm="realm1",
action="enrollYUBIKEY")
P = PolicyClass()
tt = P.ui_get_enroll_tokentypes("127.0.0.1", logged_in_user)
self.assertFalse("hotp" in tt)
self.assertFalse("totp" in tt)
self.assertFalse("motp" in tt)
self.assertFalse("sms" in tt)
self.assertFalse("spass" in tt)
self.assertFalse("sshkey" in tt)
self.assertFalse("email" in tt)
self.assertFalse("certificate" in tt)
self.assertFalse("yubico" in tt)
self.assertTrue("yubikey" in tt)
self.assertFalse("radius" in tt)
# An admin in another admin realm may enroll nothing.
logged_in_user = {"username": "******",
"role": "admin",
"realm": "OtherRealm"}
tt = P.ui_get_enroll_tokentypes("127.0.0.1", logged_in_user)
self.assertFalse("hotp" in tt)
self.assertFalse("totp" in tt)
self.assertFalse("motp" in tt)
self.assertFalse("sms" in tt)
self.assertFalse("spass" in tt)
self.assertFalse("sshkey" in tt)
self.assertFalse("email" in tt)
self.assertFalse("certificate" in tt)
self.assertFalse("yubico" in tt)
self.assertFalse("yubikey" in tt)
self.assertFalse("radius" in tt)
delete_policy("tokenEnroll")
def test_15_ui_tokentypes(self):
P = PolicyClass()
logged_in_user = {
"username": "******",
"role": "admin",
"realm": "realm1"
}
# Without policies, the admin gets all
tt = P.ui_get_enroll_tokentypes("127.0.0.1", logged_in_user)
self.assertTrue("hotp" in tt)
self.assertTrue("totp" in tt)
self.assertTrue("motp" in tt)
self.assertTrue("sms" in tt)
self.assertTrue("spass" in tt)
self.assertTrue("sshkey" in tt)
self.assertTrue("email" in tt)
self.assertTrue("certificate" in tt)
self.assertTrue("yubico" in tt)
self.assertTrue("yubikey" in tt)
self.assertTrue("radius" in tt)
# An admin may only enroll Yubikeys
set_policy(name="tokenEnroll",
scope=SCOPE.ADMIN,
action="enrollYUBIKEY")
P = PolicyClass()
tt = P.ui_get_enroll_tokentypes("127.0.0.1", logged_in_user)
self.assertFalse("hotp" in tt)
self.assertFalse("totp" in tt)
self.assertFalse("motp" in tt)
self.assertFalse("sms" in tt)
self.assertFalse("spass" in tt)
self.assertFalse("sshkey" in tt)
self.assertFalse("email" in tt)
self.assertFalse("certificate" in tt)
self.assertFalse("yubico" in tt)
self.assertTrue("yubikey" in tt)
self.assertFalse("radius" in tt)
# A user may enroll nothing
set_policy(name="someUserAction", scope=SCOPE.USER, action="disable")
P = PolicyClass()
tt = P.ui_get_enroll_tokentypes("127.0.0.1", {
"username": "******",
"realm": "realm",
"role": "user"
})
self.assertEqual(len(tt), 0)
delete_policy("tokenEnroll")
def test_15_ui_tokentypes(self):
P = PolicyClass()
logged_in_user = {"username": "******",
"role": "admin",
"realm": "realm1"}
# Without policies, the admin gets all
tt = P.ui_get_enroll_tokentypes("127.0.0.1", logged_in_user)
self.assertTrue("hotp" in tt)
self.assertTrue("totp" in tt)
self.assertTrue("motp" in tt)
self.assertTrue("sms" in tt)
self.assertTrue("spass" in tt)
self.assertTrue("sshkey" in tt)
self.assertTrue("email" in tt)
self.assertTrue("certificate" in tt)
self.assertTrue("yubico" in tt)
self.assertTrue("yubikey" in tt)
self.assertTrue("radius" in tt)
# An admin may only enroll Yubikeys
set_policy(name="tokenEnroll", scope=SCOPE.ADMIN,
action="enrollYUBIKEY")
P = PolicyClass()
tt = P.ui_get_enroll_tokentypes("127.0.0.1", logged_in_user)
self.assertFalse("hotp" in tt)
self.assertFalse("totp" in tt)
self.assertFalse("motp" in tt)
self.assertFalse("sms" in tt)
self.assertFalse("spass" in tt)
self.assertFalse("sshkey" in tt)
self.assertFalse("email" in tt)
self.assertFalse("certificate" in tt)
self.assertFalse("yubico" in tt)
self.assertTrue("yubikey" in tt)
self.assertFalse("radius" in tt)
# A user may enroll nothing
set_policy(name="someUserAction", scope=SCOPE.USER,
action="disable")
P = PolicyClass()
tt = P.ui_get_enroll_tokentypes("127.0.0.1", {"username": "******",
"realm": "realm",
"role": "user"})
self.assertEqual(len(tt), 0)
delete_policy("tokenEnroll")
def test_15_ui_tokentypes(self):
P = PolicyClass()
logged_in_user = {"username": "******",
"role": "admin",
"realm": "realm1"}
# Without policies, the admin gets all
tt = P.ui_get_enroll_tokentypes("127.0.0.1", logged_in_user)
self.assertTrue("hotp" in tt)
self.assertTrue("totp" in tt)
self.assertTrue("motp" in tt)
self.assertTrue("sms" in tt)
self.assertTrue("spass" in tt)
self.assertTrue("sshkey" in tt)
self.assertTrue("email" in tt)
self.assertTrue("certificate" in tt)
self.assertTrue("yubico" in tt)
self.assertTrue("yubikey" in tt)
self.assertTrue("radius" in tt)
# An admin may only enroll Yubikeys
set_policy(name="tokenEnroll", scope=SCOPE.ADMIN,
action="enrollYUBIKEY")
P = PolicyClass()
tt = P.ui_get_enroll_tokentypes("127.0.0.1", logged_in_user)
self.assertFalse("hotp" in tt)
self.assertFalse("totp" in tt)
self.assertFalse("motp" in tt)
self.assertFalse("sms" in tt)
self.assertFalse("spass" in tt)
self.assertFalse("sshkey" in tt)
self.assertFalse("email" in tt)
self.assertFalse("certificate" in tt)
self.assertFalse("yubico" in tt)
self.assertTrue("yubikey" in tt)
self.assertFalse("radius" in tt)
# A user may enroll nothing
set_policy(name="someUserAction", scope=SCOPE.USER,
action="disable")
P = PolicyClass()
tt = P.ui_get_enroll_tokentypes("127.0.0.1", {"username": "******",
"realm": "realm",
"role": "user"})
self.assertEqual(len(tt), 0)
delete_policy("tokenEnroll")
# Two admins:
# adminA is allowed to enroll tokens in all realms
# adminB is allowed to enroll tokens only in realmB
set_policy(name="polAdminA", scope=SCOPE.ADMIN, user="******",
action="enrollHOTP, enrollTOTP")
set_policy(name="polAdminB", scope=SCOPE.ADMIN, user="******",
realm="realmB",
action="enrollHOTP")
P = PolicyClass()
# realm is empty, since in case of an admin, this is the admin realm
rights = P.ui_get_enroll_tokentypes(None, {"role": SCOPE.ADMIN,
"realm": None,
"username": "******"})
self.assertTrue("hotp" in rights)
self.assertTrue("totp" in rights)
rights = P.ui_get_enroll_tokentypes(None, {"role": SCOPE.ADMIN,
"realm": "",
"username": "******"})
self.assertTrue("totp" not in rights)
self.assertTrue("hotp" in rights)
rights = P.ui_get_enroll_tokentypes(None, {"role": SCOPE.ADMIN,
"realm": "",
"username": "******"})
self.assertEqual(rights, {})
delete_policy("polAdminA")
delete_policy("polAdminB")
def test_15_ui_tokentypes(self):
P = PolicyClass()
logged_in_user = {
"username": "******",
"role": "admin",
"realm": "realm1"
}
# Without policies, the admin gets all
tt = P.ui_get_enroll_tokentypes("127.0.0.1", logged_in_user)
self.assertTrue("hotp" in tt)
self.assertTrue("totp" in tt)
self.assertTrue("motp" in tt)
self.assertTrue("sms" in tt)
self.assertTrue("spass" in tt)
self.assertTrue("sshkey" in tt)
self.assertTrue("email" in tt)
self.assertTrue("certificate" in tt)
self.assertTrue("yubico" in tt)
self.assertTrue("yubikey" in tt)
self.assertTrue("radius" in tt)
# An admin may only enroll Yubikeys
set_policy(name="tokenEnroll",
scope=SCOPE.ADMIN,
action="enrollYUBIKEY")
P = PolicyClass()
tt = P.ui_get_enroll_tokentypes("127.0.0.1", logged_in_user)
self.assertFalse("hotp" in tt)
self.assertFalse("totp" in tt)
self.assertFalse("motp" in tt)
self.assertFalse("sms" in tt)
self.assertFalse("spass" in tt)
self.assertFalse("sshkey" in tt)
self.assertFalse("email" in tt)
self.assertFalse("certificate" in tt)
self.assertFalse("yubico" in tt)
self.assertTrue("yubikey" in tt)
self.assertFalse("radius" in tt)
# A user may enroll nothing
set_policy(name="someUserAction", scope=SCOPE.USER, action="disable")
P = PolicyClass()
tt = P.ui_get_enroll_tokentypes("127.0.0.1", {
"username": "******",
"realm": "realm",
"role": "user"
})
self.assertEqual(len(tt), 0)
delete_policy("tokenEnroll")
# Two admins:
# adminA is allowed to enroll tokens in all realms
# adminB is allowed to enroll tokens only in realmB
set_policy(name="polAdminA",
scope=SCOPE.ADMIN,
user="******",
action="enrollHOTP, enrollTOTP")
set_policy(name="polAdminB",
scope=SCOPE.ADMIN,
user="******",
realm="realmB",
action="enrollHOTP")
P = PolicyClass()
# realm is empty, since in case of an admin, this is the admin realm
rights = P.ui_get_enroll_tokentypes(None, {
"role": SCOPE.ADMIN,
"realm": None,
"username": "******"
})
self.assertTrue("hotp" in rights)
self.assertTrue("totp" in rights)
rights = P.ui_get_enroll_tokentypes(None, {
"role": SCOPE.ADMIN,
"realm": "",
"username": "******"
})
self.assertTrue("totp" not in rights)
self.assertTrue("hotp" in rights)
rights = P.ui_get_enroll_tokentypes(None, {
"role": SCOPE.ADMIN,
"realm": "",
"username": "******"
})
self.assertEqual(rights, {})
delete_policy("polAdminA")
delete_policy("polAdminB")
