def test_01_create_radius(self):
r = add_radius(identifier="myserver",
server="1.2.3.4",
secret="testing123")
self.assertTrue(r > 0)
r = add_radius(identifier="myserver1",
server="1.2.3.4",
secret="testing123")
r = add_radius(identifier="myserver2",
server="1.2.3.4",
secret="testing123")
server_list = get_radiusservers()
self.assertTrue(server_list)
self.assertEqual(len(server_list), 3)
server_list = get_radiusservers(identifier="myserver")
self.assertTrue(server_list[0].config.identifier, "myserver")
self.assertTrue(server_list[0].config.port, 1812)
for server in ["myserver", "myserver1", "myserver2"]:
r = delete_radius(server)
self.assertTrue(r > 0)
server_list = get_radiusservers()
self.assertEqual(len(server_list), 0)
def test_02_updateserver(self):
r = add_radius(identifier="myserver", server="1.2.3.4",
secret="testing123")
self.assertTrue(r > 0)
server_list = get_radiusservers(identifier="myserver")
self.assertTrue(server_list[0].config.server, "1.2.3.4")
r = add_radius(identifier="myserver", server="100.2.3.4",
secret="testing123")
self.assertTrue(r > 0)
server_list = get_radiusservers(identifier="myserver")
self.assertTrue(server_list[0].config.server, "100.2.3.4")
def test_02_updateserver(self):
r = add_radius(identifier="myserver", server="1.2.3.4",
secret="testing123")
self.assertTrue(r > 0)
server_list = get_radiusservers(identifier="myserver")
self.assertTrue(server_list[0].config.server, "1.2.3.4")
r = add_radius(identifier="myserver", server="100.2.3.4",
secret="testing123")
self.assertTrue(r > 0)
server_list = get_radiusservers(identifier="myserver")
self.assertTrue(server_list[0].config.server, "100.2.3.4")
def create(identifier=None):
"""
This call creates or updates a RADIUS server definition.
:param identifier: The unique name of the RADIUS server definition
:param server: The FQDN or IP of the RADIUS server
:param port: The port of the RADIUS server
:param secret: The RADIUS secret of the RADIUS server
:param description: A description for the definition
"""
param = request.all_data
identifier = identifier.replace(" ", "_")
server = getParam(param, "server", required)
port = int(getParam(param, "port", default=1812))
secret = getParam(param, "secret", required)
description = getParam(param, "description", default="")
dictionary = getParam(param,
"dictionary",
default="/etc/privacyidea/dictionary")
r = add_radius(identifier,
server,
secret,
port=port,
description=description,
dictionary=dictionary)
g.audit_object.log({'success': r > 0, 'info': r})
return send_result(r > 0)
def test_13_privacyidea_challenge_response(self):
# This tests the challenge response with the privacyIDEA PIN.
# First an authentication request with only the local PIN of the
# radius token is sent.
r = add_radius(identifier="myserver", server="1.2.3.4",
secret="testing123", dictionary=DICT_FILE)
self.assertTrue(r > 0)
token = init_token({"type": "radius",
"pin": "local",
"radius.identifier": "myserver",
"radius.local_checkpin": True,
"radius.user": u"nönäscii"})
r = token.is_challenge_request("local")
self.assertTrue(r)
# create challenge of privacyidea
r, message, transaction_id, _attr = token.create_challenge()
self.assertTrue(r)
self.assertEqual("Enter your RADIUS tokencode:", message)
# check, if there is a challenge in the DB
chals = get_challenges(token.token.serial)
self.assertEqual(len(chals), 1)
self.assertEqual(chals[0].transaction_id, transaction_id)
# check if this is a response to a previously sent challenge
r = token.is_challenge_response("radiuscode", options={"transaction_id": transaction_id})
self.assertTrue(r)
# Now check, if the answer for the challenge is correct
radiusmock.setdata(response=radiusmock.AccessAccept)
r = token.check_challenge_response(passw="radiuscode",
options={"transaction_id": transaction_id})
self.assertTrue(r)
def test_00_test_check_radius(self):
r = add_radius(identifier="myserver",
server="1.2.3.4",
secret="testing123",
dictionary=DICT_FILE)
self.assertTrue(r > 0)
token = init_token({
"type": "radius",
"radius.identifier": "myserver",
"radius.local_checkpin": True,
"radius.user": u"nönäscii"
})
# check the working of internal _check_radius
radiusmock.setdata(response=radiusmock.AccessChallenge)
r = token._check_radius("123456")
self.assertEqual(r, radiusmock.AccessChallenge)
radiusmock.setdata(response=radiusmock.AccessAccept)
r = token._check_radius("123456")
self.assertEqual(r, radiusmock.AccessAccept)
radiusmock.setdata(response=radiusmock.AccessReject)
r = token._check_radius("123456")
self.assertEqual(r, radiusmock.AccessReject)
def create(identifier=None):
"""
This call creates or updates a RADIUS server definition.
:param identifier: The unique name of the RADIUS server definition
:param server: The FQDN or IP of the RADIUS server
:param port: The port of the RADIUS server
:param secret: The RADIUS secret of the RADIUS server
:param description: A description for the definition
"""
param = request.all_data
identifier = identifier.replace(" ", "_")
server = getParam(param, "server", required)
port = int(getParam(param, "port", default=1812))
secret = getParam(param, "secret", required)
description = getParam(param, "description", default="")
dictionary = getParam(param, "dictionary",
default="/etc/privacyidea/dictionary")
r = add_radius(identifier, server, secret, port=port,
description=description, dictionary=dictionary)
g.audit_object.log({'success': r > 0,
'info': r})
return send_result(r > 0)
def test_07_non_ascii(self):
radiusmock.setdata(response=radiusmock.AccessAccept)
r = add_radius(identifier="myserver", server="1.2.3.4",
secret="testing123", dictionary=DICT_FILE)
self.assertTrue(r > 0)
radius = get_radius("myserver")
r = RADIUSServer.request(radius.config, u"nönäscii", u"passwörd")
self.assertEqual(r, True)
def test_05_RADIUS_request(self):
radiusmock.setdata(success=True, timeout=True)
r = add_radius(identifier="myserver", server="1.2.3.4",
secret="testing123", dictionary=DICT_FILE)
self.assertTrue(r > 0)
radius = get_radius("myserver")
# A timeout will return false
r = RADIUSServer.request(radius.config, "user", "password")
self.assertEqual(r, False)
def test_05_RADIUS_request(self):
radiusmock.setdata(response=radiusmock.AccessAccept, timeout=True)
r = add_radius(identifier="myserver", server="1.2.3.4",
secret="testing123", dictionary=DICT_FILE)
self.assertTrue(r > 0)
radius = get_radius("myserver")
# A timeout will return false
r = RADIUSServer.request(radius.config, "user", "password")
self.assertEqual(r, False)
def test_16_passthru_assign(self):
user = User("cornelius", realm="r1")
passw = "{0!s}test".format(self.valid_otp_values[1])
options = {}
# remove all tokens of cornelius
remove_token(user=user)
# create unassigned tokens in realm r1
init_token({"type": "hotp",
"otpkey": "00"*20,
"serial": "TOKFAIL"}, tokenrealms=["r1"])
init_token({"type": "hotp",
"otpkey": self.otpkey,
"serial": "TOKMATCH"}, tokenrealms=["r1"])
# A user with no tokens will fail to authenticate
self.assertEqual(get_tokens(user=user, count=True), 0)
rv = auth_user_passthru(check_user_pass, user, passw, options)
self.assertFalse(rv[0])
self.assertEqual(rv[1].get("message"),
"The user has no tokens assigned")
# Now add a PASSTHRU policy to a RADIUS config
radiusmock.setdata(success=True)
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}=radiusconfig1".format(ACTION.PASSTHRU))
r = add_radius("radiusconfig1", "1.2.3.4", "testing123",
dictionary=DICT_FILE)
self.assertTrue(r > 0)
set_policy(name="pol2",
scope=SCOPE.AUTH,
action="{0!s}=6:pin:1234".format(ACTION.PASSTHRU_ASSIGN))
g = FakeFlaskG()
g.policy_object = PolicyClass()
g.audit_object = FakeAudit()
options = {"g": g}
rv = auth_user_passthru(check_user_pass, user, passw, options=options)
self.assertTrue(rv[0])
self.assertTrue(u"against RADIUS server radiusconfig1 due to 'pol1'" in rv[1].get("message"))
self.assertTrue(u"autoassigned TOKMATCH" in rv[1].get("message"))
# Check if the token is assigned and can authenticate
r = check_user_pass(User("cornelius", "r1"), "test{0!s}".format(self.valid_otp_values[2]))
self.assertTrue(r[0])
self.assertEqual(r[1].get("serial"), "TOKMATCH")
remove_token("TOKFAIL")
remove_token("TOKMATCH")
delete_policy("pol1")
delete_policy("pol2")
def test_04_RADIUS_request(self):
radiusmock.setdata(success=True)
r = add_radius(identifier="myserver", server="1.2.3.4",
secret="testing123", dictionary=DICT_FILE)
self.assertTrue(r > 0)
radius = get_radius("myserver")
r = RADIUSServer.request(radius.config, "user", "password")
self.assertEqual(r, True)
radiusmock.setdata(success=False)
r = RADIUSServer.request(radius.config, "user", "password")
self.assertEqual(r, False)
def test_16_passthru_assign(self):
user = User("cornelius", realm="r1")
passw = "{0!s}test".format(self.valid_otp_values[1])
options = {}
# remove all tokens of cornelius
remove_token(user=user)
# create unassigned tokens in realm r1
init_token({"type": "hotp",
"otpkey": "00"*20,
"serial": "TOKFAIL"}, tokenrealms=["r1"])
init_token({"type": "hotp",
"otpkey": self.otpkey,
"serial": "TOKMATCH"}, tokenrealms=["r1"])
# A user with no tokens will fail to authenticate
self.assertEqual(get_tokens(user=user, count=True), 0)
rv = auth_user_passthru(check_user_pass, user, passw, options)
self.assertFalse(rv[0])
self.assertEqual(rv[1].get("message"),
"The user has no tokens assigned")
# Now add a PASSTHRU policy to a RADIUS config
radiusmock.setdata(response=radiusmock.AccessAccept)
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}=radiusconfig1".format(ACTION.PASSTHRU))
r = add_radius("radiusconfig1", "1.2.3.4", "testing123",
dictionary=DICT_FILE)
self.assertTrue(r > 0)
set_policy(name="pol2",
scope=SCOPE.AUTH,
action="{0!s}=6:pin:1234".format(ACTION.PASSTHRU_ASSIGN))
g = FakeFlaskG()
g.policy_object = PolicyClass()
g.audit_object = FakeAudit()
options = {"g": g}
rv = auth_user_passthru(check_user_pass, user, passw, options=options)
self.assertTrue(rv[0])
self.assertTrue(u"against RADIUS server radiusconfig1 due to 'pol1'" in rv[1].get("message"))
self.assertTrue(u"autoassigned TOKMATCH" in rv[1].get("message"))
# Check if the token is assigned and can authenticate
r = check_user_pass(User("cornelius", "r1"), "test{0!s}".format(self.valid_otp_values[2]))
self.assertTrue(r[0])
self.assertEqual(r[1].get("serial"), "TOKMATCH")
remove_token("TOKFAIL")
remove_token("TOKMATCH")
delete_policy("pol1")
delete_policy("pol2")
def test_12_non_ascii(self):
set_privacyidea_config("radius.dictfile", DICT_FILE)
radiusmock.setdata(response=radiusmock.AccessAccept)
r = add_radius(identifier="myserver", server="1.2.3.4",
secret="testing123", dictionary=DICT_FILE)
self.assertTrue(r > 0)
token = init_token({"type": "radius",
"radius.identifier": "myserver",
"radius.user": u"nönäscii"})
r = token.authenticate(u"passwörd")
self.assertEqual(r[0], True)
self.assertEqual(r[1], 1)
def test_14_simple_challenge_response_in_radius_server(self):
# In this case we test a simple challenge response in
# the radius server. The PIN is checked locally.
# A AccessRequest is sent to the RADIUS server, the RADIUS server
# answers with an AccessChallenge, which creates a transaction id
# in privacyIDEA.
# This is answered and the RADIUS server sends an AccessAccept
r = add_radius(identifier="myserver", server="1.2.3.4",
secret="testing123", dictionary=DICT_FILE)
self.assertTrue(r > 0)
token = init_token({"type": "radius",
"radius.identifier": "myserver",
"radius.local_checkpin": False,
"radius.user": u"nönäscii"})
# Check if the remote PIN would create a RADIUS challenge
state1 = [b"123456"]
radiusmock.setdata(timeout=False, response=radiusmock.AccessChallenge,
response_data={"State": state1,
"Reply_Message": ["Please provide more information."]})
opts = {}
r = token.is_challenge_request("some_remote_value", options=opts)
self.assertTrue(r)
self.assertEqual(opts.get("radius_message"), "Please provide more information.")
self.assertEqual(opts.get("radius_result"), radiusmock.AccessChallenge)
self.assertEqual(opts.get("radius_state"), state1[0])
# Creating the challenge within privacyIDEA
r, message, transaction_id, _attr = token.create_challenge(options=opts)
self.assertTrue(r)
self.assertEqual(message, "Please provide more information.")
# Check if a challenge is created
chals = get_challenges(token.token.serial)
self.assertEqual(len(chals), 1)
self.assertEqual(chals[0].transaction_id, transaction_id)
# Checking, if this is the answer attempt to a challenge
r = token.is_challenge_response("some_response", options={"transaction_id": transaction_id})
self.assertTrue(r)
# Check what happens if the RADIUS server rejects the response
radiusmock.setdata(timeout=False, response=radiusmock.AccessReject)
r = token.check_challenge_response(passw="some_response",
options={"transaction_id": transaction_id})
self.assertLess(r, 0)
# Now checking the response to the challenge and we issue a RADIUS request
radiusmock.setdata(timeout=False, response=radiusmock.AccessAccept)
r = token.check_challenge_response(passw="some_response",
options={"transaction_id": transaction_id})
self.assertGreaterEqual(r, 0)
def test_01_create_radius(self):
r = add_radius(identifier="myserver", server="1.2.3.4",
secret="testing123")
self.assertTrue(r > 0)
r = add_radius(identifier="myserver1", server="1.2.3.4",
secret="testing123")
r = add_radius(identifier="myserver2", server="1.2.3.4",
secret="testing123")
server_list = get_radiusservers()
self.assertTrue(server_list)
self.assertEqual(len(server_list), 3)
server_list = get_radiusservers(identifier="myserver")
self.assertTrue(server_list[0].config.identifier, "myserver")
self.assertTrue(server_list[0].config.port, 1812)
for server in ["myserver", "myserver1", "myserver2"]:
r = delete_radius(server)
self.assertTrue(r > 0)
server_list = get_radiusservers()
self.assertEqual(len(server_list), 0)
def test_11_RADIUS_request(self):
set_privacyidea_config("radius.dictfile", DICT_FILE)
radiusmock.setdata(success=True)
r = add_radius(identifier="myserver", server="1.2.3.4",
secret="testing123", dictionary=DICT_FILE)
self.assertTrue(r > 0)
token = init_token({"type": "radius",
"radius.identifier": "myserver",
"radius.user": "******"})
r = token.authenticate("radiuspassword")
self.assertEqual(r[0], True)
self.assertEqual(r[1], 0)
self.assertEqual(r[2].get("message"), "matching 1 tokens")
def test_11_RADIUS_request(self):
set_privacyidea_config("radius.dictfile", DICT_FILE)
radiusmock.setdata(success=True)
r = add_radius(identifier="myserver", server="1.2.3.4",
secret="testing123", dictionary=DICT_FILE)
self.assertTrue(r > 0)
token = init_token({"type": "radius",
"radius.identifier": "myserver",
"radius.user": "******"})
r = token.authenticate("radiuspassword")
self.assertEqual(r[0], True)
self.assertEqual(r[1], 0)
self.assertEqual(r[2].get("message"), "matching 1 tokens")
def test_16_single_shot_radius(self):
# This is a single shot authentication, no challenge response.
# One single auth request against the radius server.
r = add_radius(identifier="myserver", server="1.2.3.4",
secret="testing123", dictionary=DICT_FILE)
self.assertTrue(r > 0)
token = init_token({"type": "radius",
"radius.identifier": "myserver",
"radius.local_checkpin": False,
"radius.user": u"nönäscii"})
radiusmock.setdata(timeout=False, response=radiusmock.AccessAccept)
r, otp_count, _rpl = token.authenticate("some_remote_value")
self.assertTrue(r)
self.assertTrue(otp_count > 0)
radiusmock.setdata(timeout=False, response=radiusmock.AccessReject)
r, otp_count, _rpl = token.authenticate("some_remote_value")
self.assertFalse(r)
self.assertTrue(otp_count < 0)
def test_06_passthru(self):
user = User("cornelius", realm="r1")
passw = "test"
options = {}
# A user with no tokens will fail to authenticate
self.assertEqual(get_tokens(user=user, count=True), 0)
rv = auth_user_passthru(check_user_pass, user, passw, options)
self.assertFalse(rv[0])
self.assertEqual(rv[1].get("message"),
"The user has no tokens assigned")
# Now we set a PASSTHRU policy, so that the user may authenticate
# against his userstore (old style)
set_policy(name="pol1", scope=SCOPE.AUTH, action=ACTION.PASSTHRU)
g = FakeFlaskG()
g.policy_object = PolicyClass()
g.audit_object = FakeAudit()
options = {"g": g}
rv = auth_user_passthru(check_user_pass, user, passw, options=options)
self.assertTrue(rv[0])
self.assertEqual(rv[1].get("message"),
u"against userstore due to 'pol1'")
# Now set a PASSTHRU policy to the userstore (new style)
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}=userstore".format(ACTION.PASSTHRU))
g = FakeFlaskG()
g.policy_object = PolicyClass()
g.audit_object = FakeAudit()
options = {"g": g}
rv = auth_user_passthru(check_user_pass, user, passw, options=options)
self.assertTrue(rv[0])
self.assertEqual(rv[1].get("message"),
u"against userstore due to 'pol1'")
# Now set a PASSTHRU policy to a RADIUS config (new style)
radiusmock.setdata(success=True)
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}=radiusconfig1".format(ACTION.PASSTHRU))
r = add_radius("radiusconfig1",
"1.2.3.4",
"testing123",
dictionary=DICT_FILE)
self.assertTrue(r > 0)
g = FakeFlaskG()
g.policy_object = PolicyClass()
g.audit_object = FakeAudit()
options = {"g": g}
rv = auth_user_passthru(check_user_pass, user, passw, options=options)
self.assertTrue(rv[0])
self.assertEqual(rv[1].get("message"),
u"against RADIUS server radiusconfig1 due to 'pol1'")
# Now assign a token to the user. If the user has a token and the
# passthru policy is set, the user must not be able to authenticate
# with his userstore password.
init_token({
"serial": "PTHRU",
"type": "spass",
"pin": "Hallo"
},
user=user)
rv = auth_user_passthru(check_user_pass, user, passw, options=options)
self.assertFalse(rv[0])
self.assertEqual(rv[1].get("message"), "wrong otp pin")
remove_token("PTHRU")
delete_policy("pol1")
def test_15_multi_challenge_response_in_radius_server(self):
# The RADIUS server issues a AccessChallenge on the first and on the
# second request
r = add_radius(identifier="myserver", server="1.2.3.4",
secret="testing123", dictionary=DICT_FILE)
self.assertTrue(r > 0)
token = init_token({"type": "radius",
"radius.identifier": "myserver",
"radius.local_checkpin": False,
"radius.user": u"nönäscii"})
# Check if the remote PIN would create a RADIUS challenge
state1 = [b"123456"]
state2 = [b"999999"]
radiusmock.setdata(timeout=False, response=radiusmock.AccessChallenge,
response_data={"State": state1,
"Reply_Message": ["Please provide more information."]})
opts = {}
r = token.is_challenge_request("some_remote_value", options=opts)
self.assertTrue(r)
self.assertEqual(opts.get("radius_message"), "Please provide more information.")
self.assertEqual(opts.get("radius_result"), radiusmock.AccessChallenge)
self.assertEqual(opts.get("radius_state"), state1[0])
# Creating the challenge within privacyIDEA
r, message, transaction_id, _attr = token.create_challenge(options=opts)
self.assertTrue(r)
self.assertEqual(message, "Please provide more information.")
# Check if a challenge is created
chals = get_challenges(token.token.serial)
self.assertEqual(len(chals), 1)
self.assertEqual(chals[0].transaction_id, transaction_id)
# Checking, if this is the answer attempt to a challenge
r = token.is_challenge_response("some_response", options={"transaction_id": transaction_id})
self.assertTrue(r)
# Now checking the response to the challenge and we issue a RADIUS request
# But the RADIUS server answers with a second AccessChallenge
radiusmock.setdata(timeout=False, response=radiusmock.AccessChallenge,
response_data={"State": state2,
"Reply_Message": ["Please provide even more information."]})
opts2 = {"transaction_id": transaction_id}
r = token.check_challenge_response(passw="some_response", options=opts2)
# The answer might be correct, but since the RADIUS server want to get more answers, we get a -1
self.assertEqual(r, -1)
# but we get a new Challenge!
self.assertEqual(opts2.get("radius_result"), radiusmock.AccessChallenge)
self.assertEqual(opts2.get("radius_state"), state2[0])
self.assertEqual(opts2.get("radius_message"), "Please provide even more information.")
transaction_id2 = opts2.get("transaction_id")
# Finally we send the last auth request
opts3 = {"transaction_id": transaction_id2}
radiusmock.setdata(timeout=False, response=radiusmock.AccessAccept)
r = token.check_challenge_response(passw="some_other_response",
options=opts3)
# The answer is correct,
self.assertEqual(r, 1)
# and we do not get a new challenge, it is the same as before
self.assertEqual(opts3.get("radius_result"), radiusmock.AccessAccept)
transaction_id3 = opts3.get("transaction_id")
self.assertEqual(transaction_id3, transaction_id2)
def test_06_passthru(self):
user = User("cornelius", realm="r1")
passw = "test"
options = {}
# A user with no tokens will fail to authenticate
self.assertEqual(get_tokens(user=user, count=True), 0)
rv = auth_user_passthru(check_user_pass, user, passw, options)
self.assertFalse(rv[0])
self.assertEqual(rv[1].get("message"),
"The user has no tokens assigned")
# Now we set a PASSTHRU policy, so that the user may authenticate
# against his userstore (old style)
set_policy(name="pol1",
scope=SCOPE.AUTH,
action=ACTION.PASSTHRU)
g = FakeFlaskG()
g.policy_object = PolicyClass()
g.audit_object = FakeAudit()
options = {"g": g}
rv = auth_user_passthru(check_user_pass, user, passw,
options=options)
self.assertTrue(rv[0])
self.assertEqual(rv[1].get("message"),
u"against userstore due to 'pol1'")
# Now set a PASSTHRU policy to the userstore (new style)
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}=userstore".format(ACTION.PASSTHRU))
g = FakeFlaskG()
g.policy_object = PolicyClass()
g.audit_object = FakeAudit()
options = {"g": g}
rv = auth_user_passthru(check_user_pass, user, passw,
options=options)
self.assertTrue(rv[0])
self.assertEqual(rv[1].get("message"),
u"against userstore due to 'pol1'")
# Now set a PASSTHRU policy to a RADIUS config (new style)
radiusmock.setdata(success=True)
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}=radiusconfig1".format(ACTION.PASSTHRU))
r = add_radius("radiusconfig1", "1.2.3.4", "testing123",
dictionary=DICT_FILE)
self.assertTrue(r > 0)
g = FakeFlaskG()
g.policy_object = PolicyClass()
g.audit_object = FakeAudit()
options = {"g": g}
rv = auth_user_passthru(check_user_pass, user, passw,
options=options)
self.assertTrue(rv[0])
self.assertEqual(rv[1].get("message"),
u"against RADIUS server radiusconfig1 due to 'pol1'")
# Now assign a token to the user. If the user has a token and the
# passthru policy is set, the user must not be able to authenticate
# with his userstore password.
init_token({"serial": "PTHRU",
"type": "spass", "pin": "Hallo"},
user=user)
rv = auth_user_passthru(check_user_pass, user, passw,
options=options)
self.assertFalse(rv[0])
self.assertEqual(rv[1].get("message"), "wrong otp pin")
remove_token("PTHRU")
delete_policy("pol1")
def test_13_passthru_priorities(self):
user = User("cornelius", realm="r1")
passw = "test"
options = {}
# remove all tokens of cornelius
remove_token(user=user)
# A user with no tokens will fail to authenticate
self.assertEqual(get_tokens(user=user, count=True), 0)
rv = auth_user_passthru(check_user_pass, user, passw, options)
self.assertFalse(rv[0])
self.assertEqual(rv[1].get("message"),
"The user has no tokens assigned")
# Now set a PASSTHRU policy to the userstore
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}=userstore".format(ACTION.PASSTHRU))
g = FakeFlaskG()
g.policy_object = PolicyClass()
g.audit_object = FakeAudit()
options = {"g": g}
rv = auth_user_passthru(check_user_pass, user, passw,
options=options)
self.assertTrue(rv[0])
self.assertEqual(rv[1].get("message"),
u"against userstore due to 'pol1'")
# Now add a PASSTHRU policy to a RADIUS config
radiusmock.setdata(success=True)
set_policy(name="pol2",
scope=SCOPE.AUTH,
action="{0!s}=radiusconfig1".format(ACTION.PASSTHRU))
r = add_radius("radiusconfig1", "1.2.3.4", "testing123",
dictionary=DICT_FILE)
self.assertTrue(r > 0)
g = FakeFlaskG()
g.policy_object = PolicyClass()
g.audit_object = FakeAudit()
options = {"g": g}
# They will conflict, because they use the same priority
with self.assertRaises(PolicyError):
auth_user_passthru(check_user_pass, user, passw, options=options)
# Lower pol1 priority
set_policy(name="pol1", priority=2)
g.policy_object.reload_from_db()
rv = auth_user_passthru(check_user_pass, user, passw, options=options)
self.assertTrue(rv[0])
self.assertEqual(rv[1].get("message"),
u"against RADIUS server radiusconfig1 due to 'pol2'")
# Lower pol2 priority
set_policy(name="pol2", priority=3)
g.policy_object.reload_from_db()
rv = auth_user_passthru(check_user_pass, user, passw, options=options)
self.assertTrue(rv[0])
self.assertEqual(rv[1].get("message"),
u"against userstore due to 'pol1'")
# Add old style priority
set_policy(name="pol3",
scope=SCOPE.AUTH,
action=ACTION.PASSTHRU)
g.policy_object.reload_from_db()
rv = auth_user_passthru(check_user_pass, user, passw, options=options)
self.assertTrue(rv[0])
self.assertEqual(rv[1].get("message"),
u"against userstore due to 'pol3'")
set_policy(name="pol3", priority=2)
g.policy_object.reload_from_db()
# They will conflict, because they use the same priority
with self.assertRaises(PolicyError):
auth_user_passthru(check_user_pass, user, passw, options=options)
delete_policy("pol3")
g.policy_object.reload_from_db()
# Now assign a token to the user. If the user has a token and the
# passthru policy is set, the user must not be able to authenticate
# with his userstore password.
init_token({"serial": "PTHRU",
"type": "spass", "pin": "Hallo"},
user=user)
rv = auth_user_passthru(check_user_pass, user, passw,
options=options)
self.assertFalse(rv[0])
self.assertEqual(rv[1].get("message"), "wrong otp pin")
remove_token("PTHRU")
delete_policy("pol1")
delete_policy("pol2")
def test_13_passthru_priorities(self):
user = User("cornelius", realm="r1")
passw = "test"
options = {}
# remove all tokens of cornelius
remove_token(user=user)
# A user with no tokens will fail to authenticate
self.assertEqual(get_tokens(user=user, count=True), 0)
rv = auth_user_passthru(check_user_pass, user, passw, options)
self.assertFalse(rv[0])
self.assertEqual(rv[1].get("message"),
"The user has no tokens assigned")
# Now set a PASSTHRU policy to the userstore
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}=userstore".format(ACTION.PASSTHRU))
g = FakeFlaskG()
g.policy_object = PolicyClass()
g.audit_object = FakeAudit()
options = {"g": g}
rv = auth_user_passthru(check_user_pass, user, passw,
options=options)
self.assertTrue(rv[0])
self.assertEqual(rv[1].get("message"),
u"against userstore due to 'pol1'")
# Now add a PASSTHRU policy to a RADIUS config
radiusmock.setdata(response=radiusmock.AccessAccept)
set_policy(name="pol2",
scope=SCOPE.AUTH,
action="{0!s}=radiusconfig1".format(ACTION.PASSTHRU))
r = add_radius("radiusconfig1", "1.2.3.4", "testing123",
dictionary=DICT_FILE)
self.assertTrue(r > 0)
g = FakeFlaskG()
g.policy_object = PolicyClass()
g.audit_object = FakeAudit()
options = {"g": g}
# They will conflict, because they use the same priority
with self.assertRaises(PolicyError):
auth_user_passthru(check_user_pass, user, passw, options=options)
# Lower pol1 priority
set_policy(name="pol1", priority=2)
rv = auth_user_passthru(check_user_pass, user, passw, options=options)
self.assertTrue(rv[0])
self.assertEqual(rv[1].get("message"),
u"against RADIUS server radiusconfig1 due to 'pol2'")
# Lower pol2 priority
set_policy(name="pol2", priority=3)
rv = auth_user_passthru(check_user_pass, user, passw, options=options)
self.assertTrue(rv[0])
self.assertEqual(rv[1].get("message"),
u"against userstore due to 'pol1'")
# Add old style priority
set_policy(name="pol3",
scope=SCOPE.AUTH,
action=ACTION.PASSTHRU)
rv = auth_user_passthru(check_user_pass, user, passw, options=options)
self.assertTrue(rv[0])
self.assertEqual(rv[1].get("message"),
u"against userstore due to 'pol3'")
set_policy(name="pol3", priority=2)
# They will conflict, because they use the same priority
with self.assertRaises(PolicyError):
auth_user_passthru(check_user_pass, user, passw, options=options)
delete_policy("pol3")
# Now assign a token to the user. If the user has a token and the
# passthru policy is set, the user must not be able to authenticate
# with his userstore password.
init_token({"serial": "PTHRU",
"type": "spass", "pin": "Hallo"},
user=user)
rv = auth_user_passthru(check_user_pass, user, passw,
options=options)
self.assertFalse(rv[0])
self.assertEqual(rv[1].get("message"), "wrong otp pin")
remove_token("PTHRU")
delete_policy("pol1")
delete_policy("pol2")
