def test_12_resolver_priority(self):
# Test the priority of resolvers.
# we create resolvers with the same user in it. Depending on the
# priority we either get the one or the other user.
save_resolver({"resolver": "double1",
"type": "passwdresolver",
"fileName": PWFILE})
save_resolver({"resolver": "double2",
"type": "passwdresolver",
"fileName": PWFILE})
save_resolver({"resolver": "double3",
"type": "passwdresolver",
"fileName": PWFILE})
(added, failed) = set_realm("double",
["double1", "double2", "double3"],
priority={"double1": 2,
"double2": 1,
"double3": 3})
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 3)
user = get_user_from_param({"user": "******", "realm": "double"})
self.assertEqual(user.resolver, "double2")
(added, failed) = set_realm("double",
["double1", "double2", "double3"],
priority={"double1": 3,
"double2": 2,
"double3": 1})
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 3)
user = get_user_from_param({"user": "******", "realm": "double"})
self.assertEqual(user.resolver, "double3")
def test_12_resolver_priority(self):
# Test the priority of resolvers.
# we create resolvers with the same user in it. Depending on the
# priority we either get the one or the other user.
save_resolver({"resolver": "double1",
"type": "passwdresolver",
"fileName": PWFILE})
save_resolver({"resolver": "double2",
"type": "passwdresolver",
"fileName": PWFILE})
save_resolver({"resolver": "double3",
"type": "passwdresolver",
"fileName": PWFILE})
(added, failed) = set_realm("double",
["double1", "double2", "double3"],
priority={"double1": 2,
"double2": 1,
"double3": 3})
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 3)
user = get_user_from_param({"user": "******", "realm": "double"})
self.assertEqual(user.resolver, "double2")
(added, failed) = set_realm("double",
["double1", "double2", "double3"],
priority={"double1": 3,
"double2": 2,
"double3": 1})
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 3)
user = get_user_from_param({"user": "******", "realm": "double"})
self.assertEqual(user.resolver, "double3")
def test_01_create_realm(self):
rid = save_resolver({"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": "/etc/passwd"})
self.assertTrue(rid > 0, rid)
rid = save_resolver({"resolver": self.resolvername2,
"type": "passwdresolver",
"fileName": "/etc/secrets"})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1,
[self.resolvername1,
self.resolvername2])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 2)
# test the realms
realms = get_realms()
self.assertTrue(self.realm1 in realms, realms)
self.assertTrue(realms.get("realm1").get("default"), realms)
# try to create realm with invalid name
self.assertRaises(Exception, set_realm, "#####")
# update the resolver list:
(added, failed) = set_realm(self.realm1,
[self.resolvername1,
"non exiting"])
self.assertTrue(len(failed) == 1)
self.assertTrue(len(added) == 1)
self.assertTrue(realm_is_defined(self.realm1))
self.assertTrue(realm_is_defined("non exist") is False)
def test_02_failing_resolver(self):
ldap3mock.setLDAPDirectory([])
# define, that we want to get an exception
ldap3mock.set_exception()
# Create an LDAP Realm as default realm
params = {
'LDAPURI':
'ldap://localhost',
'LDAPBASE':
'o=test',
'BINDDN':
'cn=manager,ou=example,o=test',
'BINDPW':
'ldaptest',
'LOGINNAMEATTRIBUTE':
'cn',
'LDAPSEARCHFILTER':
'(cn=*)',
'USERINFO':
'{ "username": "******",'
'"phone" : "telephoneNumber", '
'"mobile" : "mobile"'
', "email" : "mail", '
'"surname" : "sn", '
'"givenname" : "givenName" }',
'UIDTYPE':
'DN',
"resolver":
"ldap1",
"type":
"ldapresolver"
}
save_resolver(params)
set_realm("ldap1", ["ldap1"])
set_default_realm("ldap1")
# Try to login as internal admin with a failing LDAP resolver
with mock.patch("logging.Logger.warning") as mock_log:
with self.app.test_request_context('/auth',
method='POST',
data={
"username": "******",
"password": "******"
}):
res = self.app.full_dispatch_request()
self.assertEqual(200, res.status_code, res)
result = res.json.get("result")
self.assertTrue(result.get("status"), result)
self.assertIn('token', result.get("value"), result)
# role should be 'admin'
self.assertEqual('admin', result['value']['role'], result)
mock_log.assert_called_once_with(
"Problem resolving user testadmin in realm ldap1: LDAP request failed."
)
delete_realm("ldap1")
delete_resolver("ldap1")
ldap3mock.set_exception(False)
def test_05_get_set_realms(self):
set_realm(self.realm2)
db_token = Token.query.filter_by(serial=self.serial1).first()
token = TokenClass(db_token)
realms = token.get_realms()
self.assertTrue(len(realms) == 1, realms)
token.set_realms([self.realm1, self.realm2])
realms = token.get_realms()
self.assertTrue(len(realms) == 2, realms)
def create(name, resolver):
"""
Create a new realm.
This will create a new realm with the given resolver.
*restriction*: The new realm will only contain one resolver!
:return:
"""
from privacyidea.lib.realm import set_realm
set_realm(name, [resolver])
def test_00_create_user(self):
rid = save_resolver({"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1,
[self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
user = User(login="******",
realm=self.realm1,
resolver=self.resolvername1)
user_str = "{0!s}".format(user)
self.assertTrue(user_str == "<root.resolver1@realm1>", user_str)
# check proper unicode() and str() handling
self.assertIsInstance(str(user), bytes)
self.assertIsInstance(unicode(user), unicode)
self.assertFalse(user.is_empty())
self.assertTrue(User().is_empty())
user_repr = "{0!r}".format(user)
expected = "User(login='******', realm='realm1', resolver='resolver1')"
self.assertTrue(user_repr == expected, user_repr)
def setUp_user_realm2(self):
# create user realm
rid = save_resolver({
"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE
})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm2, [self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
user = User(login="******",
realm=self.realm2,
resolver=self.resolvername1)
user_str = "{0!s}".format(user)
self.assertTrue(user_str == "<root.resolver1@realm2>", user_str)
self.assertFalse(user.is_empty())
self.assertTrue(User().is_empty())
user_repr = "{0!r}".format(user)
expected = "User(login='******', realm='realm2', resolver='resolver1')"
self.assertTrue(user_repr == expected, user_repr)
def _create_ldap_realm(self):
rid = save_resolver(self.ldap_parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.ldap_realm, [self.ldap_resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
def _create_sql_realm(self):
rid = save_resolver(self.sql_parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.sql_realm, [self.sql_resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
def setUp_sqlite_resolver_realm(self, sqlite_file, realm):
parameters = {
'resolver':
"sqlite_resolver",
"type":
"sqlresolver",
'Driver':
'sqlite',
'Server':
'/tests/testdata/',
'Database':
sqlite_file,
'Table':
'users',
'Encoding':
'utf8',
'Editable':
True,
'Map':
"""{ "username": "******",
"userid" : "id",
"email" : "email",
"surname" : "name",
"givenname" : "givenname",
"password" : "password",
"phone": "phone",
"mobile": "mobile"}"""
}
r = save_resolver(parameters)
self.assertTrue(r)
success, fail = set_realm(realm, ["sqlite_resolver"])
self.assertEqual(len(success), 1)
self.assertEqual(len(fail), 0)
def test_02_userstore_password(self):
# create a realm, where cornelius has a password test
rid = save_resolver({"resolver": "myreso",
"type": "passwdresolver",
"fileName": PWFILE2})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm("r1", ["myreso"])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
# now create a policy with userstore PW
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="%s=%s" % (ACTION.OTPPIN, ACTIONVALUE.USERSTORE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
options = {"g": g}
# Wrong password
r = auth_otppin(self.fake_check_otp, None,
"WrongPW", options=options,
user=User("cornelius", realm="r1"))
self.assertFalse(r)
# Correct password from userstore: "test"
r = auth_otppin(self.fake_check_otp, None,
"test", options=options,
user=User("cornelius", realm="r1"))
self.assertTrue(r)
delete_policy("pol1")
def test_00_create_user(self):
rid = save_resolver({
"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE
})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1, [self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
user = User(login="******",
realm=self.realm1,
resolver=self.resolvername1)
user_str = "{0!s}".format(user)
self.assertTrue(user_str == "<root.resolver1@realm1>", user_str)
# check proper unicode() / str() handling
if six.PY2:
self.assertIsInstance(str(user), bytes)
self.assertIsInstance(unicode(user), unicode)
else:
self.assertIsInstance(six.text_type(user), six.text_type)
self.assertFalse(user.is_empty())
self.assertTrue(User().is_empty())
user_repr = "{0!r}".format(user)
expected = "User(login='******', realm='realm1', resolver='resolver1')"
self.assertTrue(user_repr == expected, user_repr)
def setUp_user_realms(self):
# create user realm
rid = save_resolver({
"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE
})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1a, [self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
(added, failed) = set_realm(self.realm2b, [self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
def test_09_get_user_from_param(self):
user = get_user_from_param({"user": "******"})
self.assertTrue(user.realm == self.realm1, user)
self.assertTrue(user.resolver == self.resolvername1, user)
user = get_user_from_param({"realm": self.realm1})
self.assertTrue(user.realm == self.realm1, user)
self.assertTrue(user.login == "", user)
self.assertTrue(user.resolver == "", user.resolver)
user = get_user_from_param({
"user": "******",
"resolver": self.resolvername1
})
self.assertTrue(user.realm == self.realm1, user)
# create a realm, where cornelius is in two resolvers!
rid = save_resolver({
"resolver": self.resolvername3,
"type": "passwdresolver",
"fileName": PWFILE2
})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm2,
[self.resolvername1, self.resolvername3])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 2)
# get user cornelius, who is in two resolvers!
param = {"user": "******", "realm": self.realm2}
user = get_user_from_param(param)
self.assertEqual("{0!s}".format(user), "<cornelius.resolver1@realm2>")
def test_03_is_password_reset(self):
# create resolver and realm
param = self.parameters
param["resolver"] = "register"
param["type"] = "sqlresolver"
r = save_resolver(param)
self. assertTrue(r > 0)
added, failed = set_realm("register", resolvers=["register"])
self.assertTrue(added > 0)
self.assertEqual(len(failed), 0)
# No user policy at all
r = is_password_reset()
self.assertEqual(r, True)
# create policy
set_policy(name="pwrest", scope=SCOPE.USER, action=ACTION.PASSWORDRESET)
r = is_password_reset()
self.assertEqual(r, True)
# create policy that does not allow password_reset
set_policy(name="pwrest", scope=SCOPE.USER, action=ACTION.DELETE)
r = is_password_reset()
self.assertEqual(r, False)
def test_16_ordered_resolver(self):
rid = save_resolver({
"resolver": "resolver2",
"type": "passwdresolver",
"fileName": PWFILE
})
rid = save_resolver({
"resolver": "reso4",
"type": "passwdresolver",
"fileName": PWFILE
})
(added,
failed) = set_realm("sort_realm",
["resolver1", "resolver2", "reso3", "reso4"],
priority={
"resolver1": 30,
"resolver2": 10,
"reso3": 27,
"reso4": 5
})
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 4)
root = User("root", "sort_realm")
r = root.get_ordererd_resolvers()
self.assertEqual(r[0], "reso4")
self.assertEqual(r[1], "resolver2")
self.assertEqual(r[2], "reso3")
self.assertEqual(r[3], "resolver1")
delete_realm("sort_realm")
def test_14_create_delete_user(self):
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
# Create the user
uid = create_user(resolver, {"username": "******",
"givenname": "achmed"},
password="******")
self.assertTrue(uid > 6)
user = User("achmed3", realm=realm)
r = user.check_password("secret")
# delete user
r = user.delete()
self.assertTrue(r)
def test_02_userstore_password(self):
# create a realm, where cornelius has a password test
rid = save_resolver({"resolver": "myreso",
"type": "passwdresolver",
"fileName": PWFILE2})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm("r1", ["myreso"])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
# now create a policy with userstore PW
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.USERSTORE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# Wrong password
r = auth_otppin(self.fake_check_otp, None,
"WrongPW", options=options,
user=User("cornelius", realm="r1"))
self.assertFalse(r)
# Correct password from userstore: "test"
r = auth_otppin(self.fake_check_otp, None,
"test", options=options,
user=User("cornelius", realm="r1"))
self.assertTrue(r)
delete_policy("pol1")
def test_17_check_nonascii_user(self):
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
# check non-ascii password of non-ascii user
self.assertFalse(User(login=u"nönäscii",
realm=realm).check_password("wrong"))
self.assertTrue(User(login=u"nönäscii",
realm=realm).check_password(u"sömepassword"))
# check proper unicode() and str() handling
user_object = User(login=u"nönäscii", realm=realm)
if six.PY2:
self.assertEqual(unicode(user_object), u'<nönäscii.SQL1@sqlrealm>')
self.assertEqual(str(user_object), '<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>')
else:
self.assertEqual(six.text_type(user_object), u'<nönäscii.SQL1@sqlrealm>')
self.assertEqual(six.text_type(user_object).encode('utf8'),
b'<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>')
def test_00_create_user(self):
rid = save_resolver({
"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE
})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1, [self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
user = User(login="******",
realm=self.realm1,
resolver=self.resolvername1)
user_str = "%s" % user
self.assertTrue(user_str == "<root.resolver1@realm1>", user_str)
self.assertFalse(user.is_empty())
self.assertTrue(User().is_empty())
user_repr = "%r" % user
expected = "User(login='******', realm='realm1', resolver='resolver1')"
self.assertTrue(user_repr == expected, user_repr)
def test_16_ordered_resolver(self):
rid = save_resolver({"resolver": "resolver2",
"type": "passwdresolver",
"fileName": PWFILE})
rid = save_resolver({"resolver": "reso4",
"type": "passwdresolver",
"fileName": PWFILE})
(added, failed) = set_realm("sort_realm",
["resolver1", "resolver2", "reso3",
"reso4"],
priority={"resolver1": 30,
"resolver2": 10,
"reso3": 27,
"reso4": 5})
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 4)
root = User("root", "sort_realm")
r = root.get_ordererd_resolvers()
self.assertEqual(r[0], "reso4")
self.assertEqual(r[1], "resolver2")
self.assertEqual(r[2], "reso3")
self.assertEqual(r[3], "resolver1")
delete_realm("sort_realm")
def test_17_check_nonascii_user(self):
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
# check non-ascii password of non-ascii user
self.assertFalse(
User(login=u"nönäscii", realm=realm).check_password("wrong"))
self.assertTrue(
User(login=u"nönäscii",
realm=realm).check_password(u"sömepassword"))
# check proper unicode() and str() handling
user_object = User(login=u"nönäscii", realm=realm)
self.assertEqual(unicode(user_object), u'<nönäscii.SQL1@sqlrealm>')
self.assertEqual(str(user_object),
'<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>')
def test_01_authenticate_admin_from_realm(self):
# Define an admin realm!
(added, failed) = set_realm("adminrealm",
[self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
# "selfservice" is a user in adminrealm. He should be able to
# authenticate
with self.app.test_request_context('/auth',
method='POST',
data={"username":
"******",
"password": "******"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data.decode('utf8')).get("result")
self.assertTrue(result.get("status"), res.data)
# In self.at_user we store the user token
self.at_admin = result.get("value").get("token")
# check that this is a user
role = result.get("value").get("role")
self.assertTrue(role == "admin", result)
delete_realm("adminrealm")
def test_13_update_user(self):
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
user = User(login="******", realm=realm)
uinfo = user.info
self.assertEqual(uinfo.get("givenname", ""), "")
user.update_user_info({"givenname": "wordy",
"username": "******"})
uinfo = user.info
self.assertEqual(uinfo.get("givenname"), "wordy")
self.assertEqual(user.login, "WordpressUser")
user.update_user_info({"givenname": "",
"username": "******"})
def setUp_user_realm2(self):
# create user realm
rid = save_resolver({"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm2,
[self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
user = User(login="******",
realm=self.realm2,
resolver=self.resolvername1)
user_str = "{0!s}".format(user)
self.assertTrue(user_str == "<root.resolver1@realm2>", user_str)
self.assertFalse(user.is_empty())
self.assertTrue(User().is_empty())
user_repr = "{0!r}".format(user)
expected = "User(login='******', realm='realm2', resolver='resolver1')"
self.assertTrue(user_repr == expected, user_repr)
def test_01_authenticate_admin_from_realm(self):
# Define an admin realm!
(added, failed) = set_realm("adminrealm",
[self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
# "selfservice" is a user in adminrealm. He should be able to
# authenticate
with self.app.test_request_context('/auth',
method='POST',
data={"username":
"******",
"password": "******"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result.get("status"), res.data)
# In self.at_user we store the user token
self.at_admin = result.get("value").get("token")
# check that this is a user
role = result.get("value").get("role")
self.assertTrue(role == "admin", result)
delete_realm("adminrealm")
def _create_user_wordy(self):
"""
This creates a user "wordy" in the realm "sqlrealm"
"""
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
with self.app.test_request_context('/user/',
method='POST',
data={"user": "******",
"resolver": resolver,
"surname": "zappa",
"givenname": "frank",
"email": "*****@*****.**",
"phone": "12345",
"mobile": "12345",
"password": "******"},
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = res.json.get("result")
self.assertTrue(result.get("value") > 6, result.get("value"))
def test_13_update_user(self):
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
user = User(login="******", realm=realm)
uinfo = user.info
self.assertEqual(uinfo.get("givenname", ""), "")
user.update_user_info({
"givenname": "wordy",
"username": "******"
})
uinfo = user.info
self.assertEqual(uinfo.get("givenname"), "wordy")
self.assertEqual(user.login, "WordpressUser")
user.update_user_info({"givenname": "", "username": "******"})
def test_14_create_delete_user(self):
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
# Create the user
uid = create_user(resolver, {
"username": "******",
"givenname": "achmed"
},
password="******")
self.assertTrue(uid > 6)
user = User("achmed3", realm=realm)
r = user.check_password("secret")
# delete user
r = user.delete()
self.assertTrue(r)
def test_09_get_user_from_param(self):
user = get_user_from_param({"user": "******"})
self.assertTrue(user.realm == self.realm1, user)
self.assertTrue(user.resolver == self.resolvername1, user)
user = get_user_from_param({"realm": self.realm1})
self.assertTrue(user.realm == self.realm1, user)
self.assertTrue(user.login == "", user)
self.assertTrue(user.resolver == "", user.resolver)
user = get_user_from_param({"user": "******",
"resolver": self.resolvername1})
self.assertTrue(user.realm == self.realm1, user)
# create a realm, where cornelius is in two resolvers!
rid = save_resolver({"resolver": self.resolvername3,
"type": "passwdresolver",
"fileName": PWFILE2})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm2,
[self.resolvername1,
self.resolvername3])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 2)
# get user cornelius, who is in two resolvers!
param = {"user": "******",
"realm": self.realm2}
user = get_user_from_param(param)
self.assertEqual("{0!s}".format(user), "<cornelius.resolver1@realm2>")
def test_12_multiple_resolvers(self):
# one realm, two SQL resolvers
parameters_a = self.sql_parameters.copy()
# first resolver only contains users with phone numbers
parameters_a['Where'] = 'phone LIKE %'
parameters_a['resolver'] = 'reso_a'
rid_a = save_resolver(parameters_a)
self.assertTrue(rid_a > 0, rid_a)
# second resolver contains all users
parameters_b = self.sql_parameters.copy()
parameters_b['resolver'] = 'reso_b'
rid_b = save_resolver(parameters_b)
self.assertTrue(rid_b > 0, rid_b)
# First ask reso_a, then reso_b
(added, failed) = set_realm(self.sql_realm, ['reso_a', 'reso_b'], {
'reso_a': 1,
'reso_b': 2
})
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 2)
# Now, query the user and populate the cache
self.assertEqual(UserCache.query.count(), 0)
user1 = User('wordpressuser', self.sql_realm)
self.assertEqual(user1.uid, '6')
# Assert it was found in reso_b (as it does not have a phone number)!
self.assertEqual(user1.resolver, 'reso_b')
self.assertEqual(
UserCache.query.filter(UserCache.username == 'wordpressuser',
UserCache.user_id == 6).one().resolver,
'reso_b')
# Add a phone number. We do not use the User API to do that to simulate that the change is performed
# out of privacyIDEA's control. Using `update_user_info` would invalidate the cache, which would be unrealistic.
info = user1.info
new_info = info.copy()
new_info['phone'] = '123456'
get_resolver_object('reso_a').update_user(user1.uid, new_info)
# Ensure that the user's association with reso_b is still cached.
self.assertEqual(
UserCache.query.filter(UserCache.username == 'wordpressuser',
UserCache.user_id == 6).one().resolver,
'reso_b')
# Now, it should be located in reso_a!
user2 = User('wordpressuser', self.sql_realm)
self.assertEqual(user2.uid, '6')
self.assertEqual(user2.resolver, 'reso_a')
# ... but the cache still contains entries for both!
resolver_query = UserCache.query.filter(
UserCache.username == 'wordpressuser',
UserCache.user_id == 6).order_by(UserCache.timestamp.desc())
cached_resolvers = [entry.resolver for entry in resolver_query.all()]
self.assertEqual(cached_resolvers, ['reso_a', 'reso_b'])
# Remove the phone number.
get_resolver_object('reso_a').update_user(user1.uid, {'phone': None})
delete_realm(self.sql_realm)
delete_resolver('reso_a')
delete_resolver('reso_b')
def test_01_create_realm(self):
rid = save_resolver({
"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": "/etc/passwd"
})
self.assertTrue(rid > 0, rid)
rid = save_resolver({
"resolver": self.resolvername2,
"type": "passwdresolver",
"fileName": "/etc/secrets"
})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1,
[self.resolvername1, self.resolvername2])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 2)
(added, failed) = set_realm(self.realm_dot,
[self.resolvername1, self.resolvername2])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 2)
# test the realms
realms = get_realms()
self.assertTrue(self.realm1 in realms, realms)
self.assertTrue(realms.get("realm1").get("default"), realms)
self.assertTrue(self.realm_dot in realms, realms)
# delete dot realm
delete_realm(self.realm_dot)
# try to create realm with invalid name
self.assertRaises(Exception, set_realm, "#####")
# update the resolver list:
(added, failed) = set_realm(self.realm1,
[self.resolvername1, "non exiting"])
self.assertTrue(len(failed) == 1)
self.assertTrue(len(added) == 1)
self.assertTrue(realm_is_defined(self.realm1))
self.assertTrue(realm_is_defined("non exist") is False)
def test_02_REMOTE_USER(self):
# Allow remote user
set_policy(name="remote",
scope=SCOPE.WEBUI,
action="{0!s}=allowed".format(ACTION.REMOTE_USER))
# Admin remote user
with self.app.test_request_context(
'/auth',
method='POST',
data={"username": "******"},
environ_base={"REMOTE_USER": "******"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue("token" in result.get("value"))
self.assertTrue("username" in result.get("value"))
self.assertEqual(result.get("value").get("role"), "admin")
self.assertTrue(result.get("status"), res.data)
self.setUp_user_realms()
# User "cornelius" from the default realm as normale user
with self.app.test_request_context(
'/auth',
method='POST',
data={"username": "******"},
environ_base={"REMOTE_USER": "******"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue("token" in result.get("value"))
self.assertTrue("username" in result.get("value"))
self.assertEqual(result.get("value").get("role"), "user")
self.assertTrue(result.get("status"), res.data)
# Define the superuser_realm: "adminrealm"
(added, failed) = set_realm("adminrealm", [self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
# user cornelius is a member of the superuser_realm...
with self.app.test_request_context(
'/auth',
method='POST',
data={"username": "******"},
environ_base={"REMOTE_USER": "******"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue("token" in result.get("value"))
self.assertTrue("username" in result.get("value"))
# ...and will have the role admin
self.assertEqual(result.get("value").get("role"), "admin")
self.assertTrue(result.get("status"), res.data)
delete_policy("remote")
def _create_realm(self):
rid = save_resolver({"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": self.PWFILE,
"type.fileName": "string",
"desc.fileName": "The name of the file"})
self.assertTrue(rid > 0, rid)
rid = set_realm(realm=self.realm1, resolvers=[self.resolvername1])
self.assertTrue(rid > 0, rid)
def _create_realm(self):
rid = save_resolver({"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": self.PWFILE,
"type.fileName": "string",
"desc.fileName": "The name of the file"})
self.assertTrue(rid > 0, rid)
rid = set_realm(realm=self.realm1, resolvers=[self.resolvername1])
self.assertTrue(rid > 0, rid)
def test_12_multiple_resolvers(self):
# one realm, two SQL resolvers
parameters_a = self.sql_parameters.copy()
# first resolver only contains users with phone numbers
parameters_a['Where'] = 'phone LIKE %'
parameters_a['resolver'] = 'reso_a'
rid_a = save_resolver(parameters_a)
self.assertTrue(rid_a > 0, rid_a)
# second resolver contains all users
parameters_b = self.sql_parameters.copy()
parameters_b['resolver'] = 'reso_b'
rid_b = save_resolver(parameters_b)
self.assertTrue(rid_b > 0, rid_b)
# First ask reso_a, then reso_b
(added, failed) = set_realm(self.sql_realm, ['reso_a', 'reso_b'], {
'reso_a': 1,
'reso_b': 2
})
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 2)
# Now, query the user and populate the cache
self.assertEqual(UserCache.query.count(), 0)
user1 = User('wordpressuser', self.sql_realm)
self.assertEqual(user1.uid, 6)
# Assert it was found in reso_b (as it does not have a phone number)!
self.assertEqual(user1.resolver, 'reso_b')
self.assertEqual(UserCache.query.filter(UserCache.username == 'wordpressuser',
UserCache.user_id == 6).one().resolver,
'reso_b')
# Add a phone number. We do not use the User API to do that to simulate that the change is performed
# out of privacyIDEA's control. Using `update_user_info` would invalidate the cache, which would be unrealistic.
info = user1.info
new_info = info.copy()
new_info['phone'] = '123456'
get_resolver_object('reso_a').update_user(user1.uid, new_info)
# Ensure that the user's association with reso_b is still cached.
self.assertEqual(UserCache.query.filter(UserCache.username == 'wordpressuser',
UserCache.user_id == 6).one().resolver,
'reso_b')
# Now, it should be located in reso_a!
user2 = User('wordpressuser', self.sql_realm)
self.assertEqual(user2.uid, 6)
self.assertEqual(user2.resolver, 'reso_a')
# ... but the cache still contains entries for both!
resolver_query = UserCache.query.filter(UserCache.username == 'wordpressuser',
UserCache.user_id == 6).order_by(UserCache.timestamp.desc())
cached_resolvers = [entry.resolver for entry in resolver_query.all()]
self.assertEqual(cached_resolvers, ['reso_a', 'reso_b'])
# Remove the phone number.
get_resolver_object('reso_a').update_user(user1.uid, {'phone': None})
delete_realm(self.sql_realm)
delete_resolver('reso_a')
delete_resolver('reso_b')
def test_02_REMOTE_USER(self):
# Allow remote user
set_policy(name="remote", scope=SCOPE.WEBUI, action="%s=allowed" %
ACTION.REMOTE_USER)
# Admin remote user
with self.app.test_request_context('/auth', method='POST',
data={"username": "******"},
environ_base={"REMOTE_USER":
"******"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue("token" in result.get("value"))
self.assertTrue("username" in result.get("value"))
self.assertEqual(result.get("value").get("role"), "admin")
self.assertTrue(result.get("status"), res.data)
self.setUp_user_realms()
# User "cornelius" from the default realm as normale user
with self.app.test_request_context('/auth', method='POST',
data={"username": "******"},
environ_base={"REMOTE_USER":
"******"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue("token" in result.get("value"))
self.assertTrue("username" in result.get("value"))
self.assertEqual(result.get("value").get("role"), "user")
self.assertTrue(result.get("status"), res.data)
# Define the superuser_realm: "adminrealm"
(added, failed) = set_realm("adminrealm",
[self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
# user cornelius is a member of the superuser_realm...
with self.app.test_request_context('/auth', method='POST',
data={"username":
"******"},
environ_base={"REMOTE_USER":
"******"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue("token" in result.get("value"))
self.assertTrue("username" in result.get("value"))
# ...and will have the role admin
self.assertEqual(result.get("value").get("role"), "admin")
self.assertTrue(result.get("status"), res.data)
delete_policy("remote")
def test_01_admin_and_user_same_name(self):
# Test the logging, if admin and user have the same name (testamdin/testpw)
# Now create a default realm, that contains the used "testadmin"
rid = save_resolver({
"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE
})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1, [self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
set_default_realm(self.realm1)
# If the admin logs in, everything is fine
with mock.patch("logging.Logger.info") as mock_log:
with self.app.test_request_context('/auth',
method='POST',
data={
"username": "******",
"password": "******"
}):
res = self.app.full_dispatch_request()
self.assertEqual(200, res.status_code, res)
result = res.json.get("result")
self.assertTrue(result.get("status"), result)
self.assertIn('token', result.get("value"), result)
# role should be 'admin'
self.assertEqual('admin', result['value']['role'], result)
mock_log.assert_called_with(
"Local admin 'testadmin' successfully logged in.")
# If a user logs in, with the same name as the admin, this event is logged in warning
with mock.patch("logging.Logger.warning") as mock_log:
with self.app.test_request_context('/auth',
method='POST',
data={
"username": "******",
"password": "******"
}):
res = self.app.full_dispatch_request()
self.assertEqual(200, res.status_code, res)
result = res.json.get("result")
self.assertTrue(result.get("status"), result)
self.assertIn('token', result.get("value"), result)
# role should be 'user'
self.assertEqual('user', result['value']['role'], result)
# check if we have this log entry
mock_log.assert_called_with(
"A user 'testadmin' exists as local admin and as user "
"in your default realm!")
def test_37_is_orphaned(self):
resolver = "orphreso"
realm = "orphrealm"
rid = save_resolver({"resolver": resolver,
"type": "passwdresolver",
"fileName": PWFILE})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm,
[resolver])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
# Assign token to user "cornelius" "realm1", "resolver1" "uid=1000
db_token = Token("orphaned", tokentype="spass", userid=1000,
resolver=resolver, realm=realm)
db_token.save()
token_obj = TokenClass(db_token)
orph = token_obj.is_orphaned()
self.assertFalse(orph)
# clean up token
token_obj.delete_token()
# Assign a token to a user in a resolver. user_id does not exist
db_token = Token("orphaned", tokentype="spass", userid=872812,
resolver=resolver, realm=realm)
db_token.save()
token_obj = TokenClass(db_token)
orph = token_obj.is_orphaned()
self.assertTrue(orph)
# clean up token
token_obj.delete_token()
# A token, which a resolver name, that does not exist anymore
db_token = Token("orphaned", tokentype="spass", userid=1000,
resolver=resolver, realm=realm)
db_token.save()
# delete the realm
delete_realm(realm)
# token is orphaned
token_obj = TokenClass(db_token)
orph = token_obj.is_orphaned()
self.assertTrue(orph)
# delete the resolver
delete_resolver(resolver)
# token is orphaned
token_obj = TokenClass(db_token)
orph = token_obj.is_orphaned()
self.assertTrue(orph)
# clean up token
token_obj.delete_token()
def test_11_otppin_with_resolvers(self):
# This tests, if the otppin policy differentiates between users in
# the same realm but in different resolvers.
r = save_resolver({"resolver": "reso001",
"type": "passwdresolver",
"fileName": "tests/testdata/passwords"})
# user "cornelius" is in resolver reso001
self.assertTrue(r > 0)
r = save_resolver({"resolver": "reso002",
"type": "passwdresolver",
"fileName": "tests/testdata/pw-2nd-resolver"})
# user "userresolver2" is in resolver reso002
self.assertTrue(r > 0)
(added, failed) = set_realm("myrealm", ["reso001", "reso002"])
self.assertEqual(len(added), 2)
self.assertEqual(len(failed), 0)
my_user_1 = User("cornelius", realm="myrealm")
my_user_2 = User("userresolver2", realm="myrealm")
# We set a policy only for resolver reso002
set_policy(name="pol1",
scope=SCOPE.AUTH,
realm="myrealm",
resolver="reso002",
action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.NONE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# user in reso001 fails with empty PIN, since the policy does not
# match for him
r = auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user_1)
self.assertFalse(r)
# user in reso002 succeeds with empty PIN, since policy pol1 matches
# for him
r = auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user_2)
self.assertTrue(r)
# user in reso002 fails with any PIN, since policy pol1 matches
# for him
r = auth_otppin(self.fake_check_otp, None,
"anyPIN", options=options, user=my_user_2)
self.assertFalse(r)
delete_policy("pol1")
delete_realm("myrealm")
delete_resolver("reso001")
delete_resolver("reso002")
def test_37_is_orphaned(self):
resolver = "orphreso"
realm = "orphrealm"
rid = save_resolver({"resolver": resolver,
"type": "passwdresolver",
"fileName": PWFILE})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm,
[resolver])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
# Assign token to user "cornelius" "realm1", "resolver1" "uid=1000
db_token = Token("orphaned", tokentype="spass", userid=1000,
resolver=resolver, realm=realm)
db_token.save()
token_obj = TokenClass(db_token)
orph = token_obj.is_orphaned()
self.assertFalse(orph)
# clean up token
token_obj.delete_token()
# Assign a token to a user in a resolver. user_id does not exist
db_token = Token("orphaned", tokentype="spass", userid=872812,
resolver=resolver, realm=realm)
db_token.save()
token_obj = TokenClass(db_token)
orph = token_obj.is_orphaned()
self.assertTrue(orph)
# clean up token
token_obj.delete_token()
# A token, which a resolver name, that does not exist anymore
db_token = Token("orphaned", tokentype="spass", userid=1000,
resolver=resolver, realm=realm)
db_token.save()
# delete the realm
delete_realm(realm)
# token is orphaned
token_obj = TokenClass(db_token)
orph = token_obj.is_orphaned()
self.assertTrue(orph)
# delete the resolver
delete_resolver(resolver)
# token is orphaned
token_obj = TokenClass(db_token)
orph = token_obj.is_orphaned()
self.assertTrue(orph)
# clean up token
token_obj.delete_token()
def test_11_otppin_with_resolvers(self):
# This tests, if the otppin policy differentiates between users in
# the same realm but in different resolvers.
r = save_resolver({"resolver": "reso001",
"type": "passwdresolver",
"fileName": "tests/testdata/passwords"})
# user "cornelius" is in resolver reso001
self.assertTrue(r > 0)
r = save_resolver({"resolver": "reso002",
"type": "passwdresolver",
"fileName": "tests/testdata/pw-2nd-resolver"})
# user "userresolver2" is in resolver reso002
self.assertTrue(r > 0)
(added, failed) = set_realm("myrealm", ["reso001", "reso002"])
self.assertEqual(len(added), 2)
self.assertEqual(len(failed), 0)
my_user_1 = User("cornelius", realm="myrealm")
my_user_2 = User("userresolver2", realm="myrealm")
# We set a policy only for resolver reso002
set_policy(name="pol1",
scope=SCOPE.AUTH,
realm="myrealm",
resolver="reso002",
action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.NONE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# user in reso001 fails with empty PIN, since the policy does not
# match for him
r = auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user_1)
self.assertFalse(r)
# user in reso002 succeeds with empty PIN, since policy pol1 matches
# for him
r = auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user_2)
self.assertTrue(r)
# user in reso002 fails with any PIN, since policy pol1 matches
# for him
r = auth_otppin(self.fake_check_otp, None,
"anyPIN", options=options, user=my_user_2)
self.assertFalse(r)
delete_policy("pol1")
delete_realm("myrealm")
delete_resolver("reso001")
delete_resolver("reso002")
def test_18_user_with_several_phones(self):
ldap3mock.setLDAPDirectory(LDAPDirectory_small)
params = ({
'LDAPURI':
'ldap://localhost',
'LDAPBASE':
'o=test',
'BINDDN':
'cn=manager,ou=example,o=test',
'BINDPW':
'ldaptest',
'LOGINNAMEATTRIBUTE':
'cn',
'LDAPSEARCHFILTER':
'(|(cn=*))', # we use this weird search filter to get a unique resolver ID
'USERINFO':
'{ "username": "******",'
'"phone" : "telephoneNumber", '
'"mobile" : "mobile"'
', "email" : "mail", '
'"surname" : "sn", '
'"givenname" : "givenName" }',
'UIDTYPE':
'objectGUID',
'NOREFERRALS':
True,
'CACHE_TIMEOUT':
0
})
params["resolver"] = "ldapresolver"
params["type"] = "ldapresolver"
rid = save_resolver(params)
self.assertTrue(rid > 0)
(added, failed) = set_realm("ldap", ["ldapresolver"])
self.assertEqual(len(added), 1)
self.assertEqual(len(failed), 0)
u = User("salesman", "ldap")
# get the complete list
r = u.get_user_phone("mobile")
self.assertEqual(r, ["1234", "3456"])
# get the first entry
r = u.get_user_phone("mobile", index=0)
self.assertEqual(r, "1234")
# Index out of range
r = u.get_user_phone("mobile", index=2)
self.assertEqual(r, "")
delete_realm("ldap")
delete_resolver("ldapresolver")
def test_02_set_default_realm(self):
(added, failed) = set_realm("realm2", [self.resolvername2])
self.assertTrue(len(added) == 1)
self.assertTrue(len(failed) == 0)
realm = get_default_realm()
self.assertTrue(realm == self.realm1)
set_default_realm("realm2")
realm = get_default_realm()
self.assertTrue(realm == "realm2")
set_default_realm()
realm = get_default_realm()
self.assertTrue(realm is None, realm)
def test_02_set_default_realm(self):
(added, failed) = set_realm("realm2",
[self.resolvername2])
self.assertTrue(len(added) == 1)
self.assertTrue(len(failed) == 0)
realm = get_default_realm()
self.assertTrue(realm == self.realm1)
set_default_realm("realm2")
realm = get_default_realm()
self.assertTrue(realm == "realm2")
set_default_realm()
realm = get_default_realm()
self.assertTrue(realm is None, realm)
def test_17b_ui_rights_users_in_different_resolvers(self):
# Create a realm with two resolvers
rid = save_resolver({
"resolver": "passwd",
"type": "passwdresolver",
"fileName": FILE_PASSWD
})
self.assertTrue(rid > 0, rid)
rid = save_resolver({
"resolver": "passwords",
"type": "passwdresolver",
"fileName": FILE_PASSWORDS
})
self.assertTrue(rid > 0, rid)
# create user realm
(added, failed) = set_realm("realm4", ["passwd", "passwords"])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 2)
# A user may do something else...
set_policy(name="userpol41",
scope=SCOPE.USER,
action="enable",
realm="realm4",
resolver="passwd")
set_policy(name="userpol42",
scope=SCOPE.USER,
action="remove",
realm="realm4",
resolver="passwords")
P = PolicyClass()
# The two users are in different resolvers and get different rights
rights = P.ui_get_rights(SCOPE.USER, "realm4", "postfix")
self.assertEqual(set(rights), {"enable", "disable"})
rights = P.ui_get_rights(SCOPE.USER, "realm4", "usernotoken")
self.assertEqual(set(rights), {"disable", "remove"})
delete_policy("userpol41")
delete_policy("userpol42")
delete_realm("realm4")
delete_resolver("passwords")
delete_resolver("passwd")
def test_10_check_user_password(self):
(added, failed) = set_realm("passwordrealm",
[self.resolvername3])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
self.assertTrue(User(login="******",
realm="passwordrealm").check_password("test"))
self.assertFalse(User(login="******",
realm="passwordrealm").check_password("wrong"))
self.assertFalse(User(login="******",
realm="passwordrealm").check_password("wrong"))
# test cornelius@realm2, since he is located in more than one
# resolver.
self.assertEqual(User(login="******",
realm="realm2").check_password("test"), None)
def test_10_check_user_password(self):
(added, failed) = set_realm("passwordrealm",
[self.resolvername3])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
self.assertTrue(User(login="******",
realm="passwordrealm").check_password("test"))
self.assertFalse(User(login="******",
realm="passwordrealm").check_password("wrong"))
self.assertFalse(User(login="******",
realm="passwordrealm").check_password("wrong"))
# test cornelius@realm2, since he is located in more than one
# resolver.
self.assertEqual(User(login="******",
realm="realm2").check_password("test"), None)
def test_00_set_ldap_realm(self):
ldap3mock.setLDAPDirectory(LDAPDirectory)
params = {
'LDAPURI':
'ldap://localhost',
'LDAPBASE':
'o=test',
'BINDDN':
'cn=manager,ou=example,o=test',
'BINDPW':
'ldaptest',
'LOGINNAMEATTRIBUTE':
'cn',
'LDAPSEARCHFILTER':
'(cn=*)',
'MULTIVALUEATTRIBUTES':
'["groups"]',
'USERINFO':
'{ "username": "******",'
'"phone" : "telephoneNumber", '
'"mobile" : "mobile"'
', "email" : "mail", '
'"surname" : "sn", '
'"groups": "memberOf", '
'"givenname" : "givenName" }',
'UIDTYPE':
'DN',
"resolver":
"ldapgroups",
"type":
"ldapresolver"
}
r = save_resolver(params)
self.assertTrue(r > 0)
r = set_realm("ldaprealm", resolvers=["ldapgroups"])
set_default_realm("ldaprealm")
self.assertEqual(r, (["ldapgroups"], []))
# find a user, check the groups
alice = User("alice", "ldaprealm")
self.assertEqual(alice.info["groups"],
["cn=admins,o=test", "cn=users,o=test"])
def test_00_create_user_realm(self):
rid = save_resolver({"resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1, [self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
user = User(login="******", realm=self.realm1, resolver=self.resolvername1)
user_str = "%s" % user
self.assertTrue(user_str == "<root.resolver1@realm1>", user_str)
self.assertFalse(user.is_empty())
self.assertTrue(User().is_empty())
user_repr = "%r" % user
expected = "User(login='******', realm='realm1', resolver='resolver1')"
self.assertTrue(user_repr == expected, user_repr)
def test_18_user_with_several_phones(self):
ldap3mock.setLDAPDirectory(LDAPDirectory_small)
params = ({'LDAPURI': 'ldap://localhost',
'LDAPBASE': 'o=test',
'BINDDN': 'cn=manager,ou=example,o=test',
'BINDPW': 'ldaptest',
'LOGINNAMEATTRIBUTE': 'cn',
'LDAPSEARCHFILTER': '(|(cn=*))', # we use this weird search filter to get a unique resolver ID
'USERINFO': '{ "username": "******",'
'"phone" : "telephoneNumber", '
'"mobile" : "mobile"'
', "email" : "mail", '
'"surname" : "sn", '
'"givenname" : "givenName" }',
'UIDTYPE': 'objectGUID',
'NOREFERRALS': True,
'CACHE_TIMEOUT': 0
})
params["resolver"] = "ldapresolver"
params["type"] = "ldapresolver"
rid = save_resolver(params)
self.assertTrue(rid > 0)
(added, failed) = set_realm("ldap", ["ldapresolver"])
self.assertEqual(len(added), 1)
self.assertEqual(len(failed), 0)
u = User("salesman", "ldap")
# get the complete list
r = u.get_user_phone("mobile")
self.assertEqual(r, ["1234", "3456"])
# get the first entry
r = u.get_user_phone("mobile", index=0)
self.assertEqual(r, "1234")
# Index out of range
r = u.get_user_phone("mobile", index=2)
self.assertEqual(r, "")
delete_realm("ldap")
delete_resolver("ldapresolver")
def test_02_create_update_delete_user(self):
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
# CREATE a user
with self.app.test_request_context('/user/',
method='POST',
data={"user": "******",
"resolver": resolver,
"surname": "zappa",
"givenname": "frank",
"email": "*****@*****.**",
"phone": "12345",
"mobile": "12345",
"password": "******"},
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result.get("value") > 6, result.get("value"))
# Get users
with self.app.test_request_context('/user/',
method='GET',
query_string=urlencode(
{"username": "******"}),
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result.get("status"))
self.assertEqual(result.get("value")[0].get("username"), "wordy")
# Update by administrator. Set the password to "passwort"
with self.app.test_request_context('/user/',
method='PUT',
query_string=urlencode(
{"user": "******",
"resolver": resolver,
"password": "******"}),
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result.get("value"))
# Get user authentication and update by user.
with self.app.test_request_context('/auth',
method='POST',
data={"username": "******".format(realm),
"password": "******"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result.get("status"), res.data)
# In self.at_user we store the user token
wordy_auth_token = result.get("value").get("token")
# check that this is a user
role = result.get("value").get("role")
self.assertTrue(role == "user", result)
# Even if a user specifies another username, the username is
# overwritten by his own name!
with self.app.test_request_context('/user/',
method='PUT',
query_string=urlencode(
{"user": "******",
"resolver": resolver,
"password": "******"}),
headers={'Authorization':
wordy_auth_token}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result.get("value"))
# Although the user "wordy" tried to update the password of user
# "wordy2", he updated his own password.
with self.app.test_request_context('/auth',
method='POST',
data={"username": "******".format(realm),
"password": "******"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result.get("status"), res.data)
# In self.at_user we store the user token
wordy_auth_token = result.get("value").get("token")
# check that this is a user
role = result.get("value").get("role")
self.assertTrue(role == "user", result)
# Delete the users
with self.app.test_request_context('/user/{0!s}/{1!s}'.format(resolver, "wordy"),
method='DELETE',
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result.get("value"))
def test_02_REMOTE_USER(self):
# Allow remote user
set_policy(name="remote", scope=SCOPE.WEBUI, action="{0!s}=allowed".format(
ACTION.REMOTE_USER))
# Admin remote user
with self.app.test_request_context('/auth', method='POST',
data={"username": "******"},
environ_base={"REMOTE_USER":
"******"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data.decode('utf8')).get("result")
self.assertTrue("token" in result.get("value"))
self.assertTrue("username" in result.get("value"))
self.assertEqual(result.get("value").get("role"), "admin")
self.assertTrue(result.get("status"), res.data)
# Check if the /auth request writes the policyname "remote" to the audit entry
with self.app.test_request_context('/audit/',
method='GET',
headers={'Authorization':
self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
auditentry = res.json.get("result").get("value").get("auditdata")[0]
self.assertTrue("remote" in auditentry.get("policies"))
self.setUp_user_realms()
# User "cornelius" from the default realm as normale user
with self.app.test_request_context('/auth', method='POST',
data={"username": "******"},
environ_base={"REMOTE_USER":
"******"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data.decode('utf8')).get("result")
self.assertTrue("token" in result.get("value"))
self.assertTrue("username" in result.get("value"))
self.assertEqual(result.get("value").get("role"), "user")
self.assertTrue(result.get("status"), res.data)
# Define the superuser_realm: "adminrealm"
(added, failed) = set_realm("adminrealm",
[self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
# user cornelius is a member of the superuser_realm...
with self.app.test_request_context('/auth', method='POST',
data={"username":
"******"},
environ_base={"REMOTE_USER":
"******"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data.decode('utf8')).get("result")
self.assertTrue("token" in result.get("value"))
self.assertTrue("username" in result.get("value"))
# ...and will have the role admin
self.assertEqual(result.get("value").get("role"), "admin")
self.assertTrue(result.get("status"), res.data)
delete_policy("remote")
def test_01_register_user(self):
smtpmock.setdata(response={"*****@*****.**": (200, "OK")})
# create resolver and realm
param = self.parameters
param["resolver"] = "register"
param["type"] = "sqlresolver"
r = save_resolver(param)
self. assertTrue(r > 0)
added, failed = set_realm("register", resolvers=["register"])
self.assertTrue(added > 0)
self.assertEqual(len(failed), 0)
# create policy
r = set_policy(name="pol2", scope=SCOPE.REGISTER,
action="{0!s}={1!s}, {2!s}={3!s}".format(ACTION.REALM, "register",
ACTION.RESOLVER, "register"))
# Try to register, but missing parameter
with self.app.test_request_context('/register',
method='POST',
data={"username": "******",
"surname": "Kölbel"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 400, res)
# Register fails, missing SMTP config
with self.app.test_request_context('/register',
method='POST',
data={"username": "******",
"surname": "Kölbel",
"givenname": "Cornelius",
"password": "******",
"email":
"*****@*****.**"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 400, res)
data = json.loads(res.data.decode('utf8'))
self.assertEqual(data.get("result").get("error").get("code"), ERROR.REGISTRATION)
self.assertEqual(data.get("result").get("error").get("message"),
u'ERR402: No SMTP server configuration specified!')
# Set SMTP config and policy
add_smtpserver("myserver", "1.2.3.4", sender="pi@localhost")
set_policy("pol3", scope=SCOPE.REGISTER,
action="{0!s}=myserver".format(ACTION.EMAILCONFIG))
with self.app.test_request_context('/register',
method='POST',
data={"username": "******",
"surname": "Kölbel",
"givenname": "Cornelius",
"password": "******",
"email":
"*****@*****.**"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
# Registering the user a second time will fail
with self.app.test_request_context('/register',
method='POST',
data={"username": "******",
"surname": "Kölbel",
"givenname": "Cornelius",
"password": "******",
"email":
"*****@*****.**"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 400, res)
# get the register status
with self.app.test_request_context('/register',
method='GET'):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
data = json.loads(res.data.decode('utf8'))
self.assertEqual(data.get("result").get("value"), True)
def test_21_check_all_resolver(self):
# check_all_resolver allows to find a policy for a secondary user
# resolver.
# We create one realm "realm1" with the resolvers
# reso1 (prio 1)
# reso2 (prio 2)
# reso3 (prio 3)
# A user user@realm1 will be identified as user.reso1@realm1.
# But we will also match policies for reso2.
# no realm and resolver
r = get_realms()
self.assertEqual(r, {})
r = get_resolver_list()
self.assertEqual(r, {})
# create user realm
for reso in ["reso1", "resoX", "resoA"]:
rid = save_resolver({"resolver": reso,
"type": "passwdresolver",
"fileName": PWFILE})
self.assertTrue(rid > 0, rid)
# create a realm with reso1 being the resolver with the highest priority
(added, failed) = set_realm("realm1",
["reso1", "resoX", "resoA"],
priority={"reso1": 1,
"resoX": 2,
"resoA": 3})
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 3)
user = User(login="******",
realm="realm1")
# The user, that is created, is cornelius.reso1@realm1
user_str = "{0!s}".format(user)
self.assertEqual(user_str, "<cornelius.reso1@realm1>")
# But the user "cornelius" is also contained in other resolves in
# this realm
r = user.get_ordererd_resolvers()
self.assertEqual(r, ["reso1", "resoX", "resoA"])
self.assertFalse(user.is_empty())
self.assertTrue(User().is_empty())
# define a policy with the wrong resolver
p = set_policy(name="checkAll", scope=SCOPE.AUTHZ, realm="realm1",
resolver="resoX",
action="{0}=totp".format(ACTION.TOKENTYPE))
self.assertTrue(p > 0)
p = set_policy(name="catchAll", scope=SCOPE.AUTHZ, realm="realm1",
action="{0}=totp".format(ACTION.TOKENTYPE))
self.assertTrue(p > 0)
P = PolicyClass()
pols = P.get_policies(scope=SCOPE.AUTHZ, realm=user.realm,
resolver=user.resolver, user=user.login)
self.assertEqual(len(pols), 1)
# Now we change the policy, so that it uses check_all_resolver, i.e.
p = set_policy(name="checkAll", scope=SCOPE.AUTHZ, realm="realm1",
resolver="resoX", check_all_resolvers=True,
action="{0}=totp".format(ACTION.TOKENTYPE))
self.assertTrue(p > 0)
P = PolicyClass()
pols = P.get_policies(scope=SCOPE.AUTHZ, realm=user.realm,
resolver=user.resolver, user=user.login)
self.assertEqual(len(pols), 2)
# delete policy
delete_policy("checkAll")
delete_policy("catchAll")
# delete resolvers and realm
delete_realm("realm1")
for reso in ["reso1", "resoX", "resoA"]:
rid = delete_resolver(reso)
self.assertTrue(rid > 0, rid)
def test_03_get_allowed_audit_realm(self):
# Check than an internal admin is allowed to see all realms
# A helpdesk user in "adminrealm" is only allowerd to see realm1A
Audit(action="enroll", success=1, realm="realm1A").save()
Audit(action="enroll", success=1, realm="realm1A").save()
Audit(action="enroll", success=1, realm="realm2B").save()
Audit(action="enroll", success=1, realm="realm2B").save()
Audit(action="enroll", success=1, realm="realm2B").save()
# check, that we see all audit entries
with self.app.test_request_context('/audit/',
method='GET',
data={"realm": "realm1A"},
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
json_response = json.loads(res.data.decode('utf8'))
self.assertTrue(json_response.get("result").get("status"), res)
self.assertEqual(json_response.get("result").get("value").get(
"count"), 5)
with self.app.test_request_context('/audit/',
method='GET',
data={"realm": "realm2B"},
headers={
'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
json_response = json.loads(res.data.decode('utf8'))
self.assertTrue(json_response.get("result").get("status"), res)
self.assertEqual(json_response.get("result").get("value").get(
"count"), 7)
# set policy: helpdesk users in adminrealm are only allowed to
# view "realm1A".
set_policy("audit01", scope=SCOPE.ADMIN, action=ACTION.AUDIT,
adminrealm="adminrealm", realm="realm1A")
# Test admin is allowed to view unrestricted logs!
set_policy("audit02", scope=SCOPE.ADMIN, action=ACTION.AUDIT,
user="******")
rid = save_resolver({"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm("adminrealm",
[self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
helpdesk_authorization = None
with self.app.test_request_context('/auth',
method='POST', data={'username': '******',
'password': '******'}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
json_response = json.loads(res.data.decode('utf8'))
value = json_response.get("result").get("value")
# Helpdesk user is allowed to view the audit log.
self.assertTrue("auditlog" in value.get("rights"))
helpdesk_authorization = value.get("token")
# check, that we only see allowed audit realms
with self.app.test_request_context('/audit/',
method='GET',
headers={'Authorization': helpdesk_authorization}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
json_response = json.loads(res.data.decode('utf8'))
self.assertTrue(json_response.get("result").get("status"), res)
# We now have 3 entries, as we added one by the search in line #43
count = json_response.get("result").get("value").get("count")
auditdata = json_response.get("result").get("value").get("auditdata")
self.assertEqual(count, 6)
# All entries are in realm1A!
for ad in auditdata:
self.assertEqual(ad.get("realm"), "realm1A")
# Now check, that the testadmin (self.at) sees all entries!
with self.app.test_request_context('/audit/',
method='GET',
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
json_response = json.loads(res.data.decode('utf8'))
self.assertTrue(json_response.get("result").get("status"), res)
# We now have 3 entries, as we added one by the search in line #43
count = json_response.get("result").get("value").get("count")
auditdata = json_response.get("result").get("value").get("auditdata")
self.assertEqual(count, 21)
# delete policy
delete_policy("audit01")
delete_policy("audit02")
def test_12_authcache(self):
password = "******"
username = "******"
realm = "myrealm"
resolver = "reso001"
pw_hash = binascii.hexlify(hashlib.sha256(password).digest())
r = save_resolver({"resolver": "reso001",
"type": "passwdresolver",
"fileName": "tests/testdata/passwords"})
(added, failed) = set_realm("myrealm", ["reso001"])
def fake_check_user_pass(user, passw, options=None):
return True, {"message": "Fake Authentication"}
set_policy(name="pol1",
scope=SCOPE.AUTH,
realm=realm,
resolver=resolver,
action="{0!s}={1!s}".format(ACTION.AUTH_CACHE, "4h/5m"))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# This successfully authenticates against the authcache
# We have an authentication, that is within the policy timeout
AuthCache(username, realm, resolver, pw_hash,
first_auth=datetime.datetime.utcnow() - timedelta(hours=3),
last_auth=datetime.datetime.utcnow() - timedelta(minutes=1)).save()
r = auth_cache(fake_check_user_pass, User("cornelius", "myrealm"),
password, options=options)
self.assertTrue(r[0])
self.assertEqual(r[1].get("message"), "Authenticated by AuthCache." )
# We have an authentication, that is not read from the authcache,
# since the authcache first_auth is too old.
delete_from_cache(username, realm, resolver, pw_hash)
AuthCache(username, realm, resolver, pw_hash,
first_auth=datetime.datetime.utcnow() - timedelta(hours=5),
last_auth=datetime.datetime.utcnow() - timedelta(
minutes=1)).save()
r = auth_cache(fake_check_user_pass, User("cornelius", "myrealm"),
password, options=options)
self.assertTrue(r[0])
self.assertEqual(r[1].get("message"), "Fake Authentication")
# We have an authentication, that is not read from authcache, since
# the last_auth is too old = 10 minutes.
delete_from_cache(username, realm, resolver, pw_hash)
AuthCache(username, realm, resolver, pw_hash,
first_auth=datetime.datetime.utcnow() - timedelta(hours=1),
last_auth=datetime.datetime.utcnow() - timedelta(
minutes=10)).save()
r = auth_cache(fake_check_user_pass, User("cornelius", "myrealm"),
password, options=options)
self.assertTrue(r[0])
self.assertEqual(r[1].get("message"), "Fake Authentication")
# We have a policy, with no special last_auth
delete_policy("pol1")
set_policy(name="pol1",
scope=SCOPE.AUTH,
realm=realm,
resolver=resolver,
action="{0!s}={1!s}".format(ACTION.AUTH_CACHE, "4h"))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
delete_from_cache(username, realm, resolver, pw_hash)
AuthCache(username, realm, resolver, pw_hash,
first_auth=datetime.datetime.utcnow() - timedelta(hours=2),
last_auth=datetime.datetime.utcnow() - timedelta(
hours=1)).save()
r = auth_cache(fake_check_user_pass, User("cornelius", "myrealm"),
password, options=options)
self.assertTrue(r[0])
self.assertEqual(r[1].get("message"), "Authenticated by AuthCache.")
# Clean up
delete_policy("pol1")
delete_realm("myrealm")
delete_resolver("reso001")
