def test_02_failing_resolver(self):
ldap3mock.setLDAPDirectory([])
# define, that we want to get an exception
ldap3mock.set_exception()
# Create an LDAP Realm as default realm
params = {
'LDAPURI':
'ldap://localhost',
'LDAPBASE':
'o=test',
'BINDDN':
'cn=manager,ou=example,o=test',
'BINDPW':
'ldaptest',
'LOGINNAMEATTRIBUTE':
'cn',
'LDAPSEARCHFILTER':
'(cn=*)',
'USERINFO':
'{ "username": "******",'
'"phone" : "telephoneNumber", '
'"mobile" : "mobile"'
', "email" : "mail", '
'"surname" : "sn", '
'"givenname" : "givenName" }',
'UIDTYPE':
'DN',
"resolver":
"ldap1",
"type":
"ldapresolver"
}
save_resolver(params)
set_realm("ldap1", ["ldap1"])
set_default_realm("ldap1")
# Try to login as internal admin with a failing LDAP resolver
with mock.patch("logging.Logger.warning") as mock_log:
with self.app.test_request_context('/auth',
method='POST',
data={
"username": "******",
"password": "******"
}):
res = self.app.full_dispatch_request()
self.assertEqual(200, res.status_code, res)
result = res.json.get("result")
self.assertTrue(result.get("status"), result)
self.assertIn('token', result.get("value"), result)
# role should be 'admin'
self.assertEqual('admin', result['value']['role'], result)
mock_log.assert_called_once_with(
"Problem resolving user testadmin in realm ldap1: LDAP request failed."
)
delete_realm("ldap1")
delete_resolver("ldap1")
ldap3mock.set_exception(False)
def test_01_admin_and_user_same_name(self):
# Test the logging, if admin and user have the same name (testamdin/testpw)
# Now create a default realm, that contains the used "testadmin"
rid = save_resolver({
"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE
})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1, [self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
set_default_realm(self.realm1)
# If the admin logs in, everything is fine
with mock.patch("logging.Logger.info") as mock_log:
with self.app.test_request_context('/auth',
method='POST',
data={
"username": "******",
"password": "******"
}):
res = self.app.full_dispatch_request()
self.assertEqual(200, res.status_code, res)
result = res.json.get("result")
self.assertTrue(result.get("status"), result)
self.assertIn('token', result.get("value"), result)
# role should be 'admin'
self.assertEqual('admin', result['value']['role'], result)
mock_log.assert_called_with(
"Local admin 'testadmin' successfully logged in.")
# If a user logs in, with the same name as the admin, this event is logged in warning
with mock.patch("logging.Logger.warning") as mock_log:
with self.app.test_request_context('/auth',
method='POST',
data={
"username": "******",
"password": "******"
}):
res = self.app.full_dispatch_request()
self.assertEqual(200, res.status_code, res)
result = res.json.get("result")
self.assertTrue(result.get("status"), result)
self.assertIn('token', result.get("value"), result)
# role should be 'user'
self.assertEqual('user', result['value']['role'], result)
# check if we have this log entry
mock_log.assert_called_with(
"A user 'testadmin' exists as local admin and as user "
"in your default realm!")
def test_02_set_default_realm(self):
(added, failed) = set_realm("realm2", [self.resolvername2])
self.assertTrue(len(added) == 1)
self.assertTrue(len(failed) == 0)
realm = get_default_realm()
self.assertTrue(realm == self.realm1)
set_default_realm("realm2")
realm = get_default_realm()
self.assertTrue(realm == "realm2")
set_default_realm()
realm = get_default_realm()
self.assertTrue(realm is None, realm)
def test_02_set_default_realm(self):
(added, failed) = set_realm("realm2",
[self.resolvername2])
self.assertTrue(len(added) == 1)
self.assertTrue(len(failed) == 0)
realm = get_default_realm()
self.assertTrue(realm == self.realm1)
set_default_realm("realm2")
realm = get_default_realm()
self.assertTrue(realm == "realm2")
set_default_realm()
realm = get_default_realm()
self.assertTrue(realm is None, realm)
def test_00_set_ldap_realm(self):
ldap3mock.setLDAPDirectory(LDAPDirectory)
params = {
'LDAPURI':
'ldap://localhost',
'LDAPBASE':
'o=test',
'BINDDN':
'cn=manager,ou=example,o=test',
'BINDPW':
'ldaptest',
'LOGINNAMEATTRIBUTE':
'cn',
'LDAPSEARCHFILTER':
'(cn=*)',
'MULTIVALUEATTRIBUTES':
'["groups"]',
'USERINFO':
'{ "username": "******",'
'"phone" : "telephoneNumber", '
'"mobile" : "mobile"'
', "email" : "mail", '
'"surname" : "sn", '
'"groups": "memberOf", '
'"givenname" : "givenName" }',
'UIDTYPE':
'DN',
"resolver":
"ldapgroups",
"type":
"ldapresolver"
}
r = save_resolver(params)
self.assertTrue(r > 0)
r = set_realm("ldaprealm", resolvers=["ldapgroups"])
set_default_realm("ldaprealm")
self.assertEqual(r, (["ldapgroups"], []))
# find a user, check the groups
alice = User("alice", "ldaprealm")
self.assertEqual(alice.info["groups"],
["cn=admins,o=test", "cn=users,o=test"])
def test_01_setup_eventhandlers(self):
# This test create an HOTP token with C/R with a pre-event handler
# and the user uses this HOTP token to directly login to /auth
# Setup realm
rid = save_resolver({
"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE
})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1, [self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
set_default_realm(self.realm1)
# set a policy to authenticate against privacyIDEA
set_policy("piLogin",
scope=SCOPE.WEBUI,
action="{0!s}=privacyIDEA".format(ACTION.LOGINMODE))
# set a policy to for otppin=userstore
set_policy("otppin",
scope=SCOPE.AUTH,
action="{0!s}=userstore".format(ACTION.OTPPIN))
# Set a policy to do C/R with HOTP tokens
set_policy("crhotp",
scope=SCOPE.AUTH,
action="{0!s}=hotp".format(ACTION.CHALLENGERESPONSE))
# Create an event handler, that creates HOTP token on /auth with default OTP key
eid = set_event(
"createtoken",
event=["auth"],
handlermodule="Token",
action="enroll",
position="pre",
conditions={CONDITION.USER_TOKEN_NUMBER: 0},
options={
"tokentype": "hotp",
"user": "******",
"additional_params": {
'otpkey': self.otpkey,
# We need to set gekey=0, otherwise the Tokenhandler will
# generate a random otpkey
'genkey': 0
}
})
# cleanup tokens
remove_token(user=User("someuser", self.realm1))
# user tries to log in with his userstore password and gets a transaction_id
with self.app.test_request_context('/auth',
method='POST',
data={
"username": "******",
"password": "******"
}):
res = self.app.full_dispatch_request()
self.assertEqual(401, res.status_code, res)
result = res.json.get("result")
self.assertFalse(result.get("status"), result)
detail = res.json.get("detail")
self.assertEqual("please enter otp: ", detail.get("message"))
transaction_id = detail.get("transaction_id")
# Check if the token was enrolled
toks = get_tokens(user=User("someuser", self.realm1))
self.assertEqual(len(toks), 1)
self.assertEqual(toks[0].token.tokentype, "hotp")
serial = toks[0].token.serial
# Check if the correct otpkey was used
hotptoken = toks[0]
r = hotptoken.check_otp(self.valid_otp_values[1])
self.assertTrue(r >= 0)
# Now the user logs in with the second step of C/R with OTP value of new token
with self.app.test_request_context('/auth',
method='POST',
data={
"username": "******",
"transaction_id":
transaction_id,
"password":
self.valid_otp_values[2]
}):
res = self.app.full_dispatch_request()
self.assertEqual(200, res.status_code, res)
result = res.json.get("result")
self.assertTrue(result.get("status"))
self.assertTrue(result.get("value"))
# Check that there is still only one token
toks = get_tokens(user=User("someuser", self.realm1))
self.assertEqual(len(toks), 1)
self.assertEqual(toks[0].token.tokentype, "hotp")
self.assertEqual(serial, toks[0].token.serial)
# cleanup
delete_policy("piLogin")
delete_policy("otppin")
delete_policy("crhotp")
delete_event(eid)
remove_token(hotptoken.token.serial)