def test_16_ordered_resolver(self): rid = save_resolver({"resolver": "resolver2", "type": "passwdresolver", "fileName": PWFILE}) rid = save_resolver({"resolver": "reso4", "type": "passwdresolver", "fileName": PWFILE}) (added, failed) = set_realm("sort_realm", ["resolver1", "resolver2", "reso3", "reso4"], priority={"resolver1": 30, "resolver2": 10, "reso3": 27, "reso4": 5}) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 4) root = User("root", "sort_realm") r = root.get_ordererd_resolvers() self.assertEqual(r[0], "reso4") self.assertEqual(r[1], "resolver2") self.assertEqual(r[2], "reso3") self.assertEqual(r[3], "resolver1") delete_realm("sort_realm")
def test_16_ordered_resolver(self): rid = save_resolver({ "resolver": "resolver2", "type": "passwdresolver", "fileName": PWFILE }) rid = save_resolver({ "resolver": "reso4", "type": "passwdresolver", "fileName": PWFILE }) (added, failed) = set_realm("sort_realm", ["resolver1", "resolver2", "reso3", "reso4"], priority={ "resolver1": 30, "resolver2": 10, "reso3": 27, "reso4": 5 }) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 4) root = User("root", "sort_realm") r = root.get_ordererd_resolvers() self.assertEqual(r[0], "reso4") self.assertEqual(r[1], "resolver2") self.assertEqual(r[2], "reso3") self.assertEqual(r[3], "resolver1") delete_realm("sort_realm")
def test_01_create_realm(self): rid = save_resolver({"resolver": self.resolvername1, "type": "passwdresolver", "fileName": "/etc/passwd"}) self.assertTrue(rid > 0, rid) rid = save_resolver({"resolver": self.resolvername2, "type": "passwdresolver", "fileName": "/etc/secrets"}) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm1, [self.resolvername1, self.resolvername2]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 2) # test the realms realms = get_realms() self.assertTrue(self.realm1 in realms, realms) self.assertTrue(realms.get("realm1").get("default"), realms) # try to create realm with invalid name self.assertRaises(Exception, set_realm, "#####") # update the resolver list: (added, failed) = set_realm(self.realm1, [self.resolvername1, "non exiting"]) self.assertTrue(len(failed) == 1) self.assertTrue(len(added) == 1) self.assertTrue(realm_is_defined(self.realm1)) self.assertTrue(realm_is_defined("non exist") is False)
def test_02_failing_resolver(self): ldap3mock.setLDAPDirectory([]) # define, that we want to get an exception ldap3mock.set_exception() # Create an LDAP Realm as default realm params = { 'LDAPURI': 'ldap://localhost', 'LDAPBASE': 'o=test', 'BINDDN': 'cn=manager,ou=example,o=test', 'BINDPW': 'ldaptest', 'LOGINNAMEATTRIBUTE': 'cn', 'LDAPSEARCHFILTER': '(cn=*)', 'USERINFO': '{ "username": "******",' '"phone" : "telephoneNumber", ' '"mobile" : "mobile"' ', "email" : "mail", ' '"surname" : "sn", ' '"givenname" : "givenName" }', 'UIDTYPE': 'DN', "resolver": "ldap1", "type": "ldapresolver" } save_resolver(params) set_realm("ldap1", ["ldap1"]) set_default_realm("ldap1") # Try to login as internal admin with a failing LDAP resolver with mock.patch("logging.Logger.warning") as mock_log: with self.app.test_request_context('/auth', method='POST', data={ "username": "******", "password": "******" }): res = self.app.full_dispatch_request() self.assertEqual(200, res.status_code, res) result = res.json.get("result") self.assertTrue(result.get("status"), result) self.assertIn('token', result.get("value"), result) # role should be 'admin' self.assertEqual('admin', result['value']['role'], result) mock_log.assert_called_once_with( "Problem resolving user testadmin in realm ldap1: LDAP request failed." ) delete_realm("ldap1") delete_resolver("ldap1") ldap3mock.set_exception(False)
def test_13_update_resolver(self): ldap3mock.setLDAPDirectory(LDAPDirectory) # -------------------------------- # First we create an LDAP resolver rid = save_resolver( { "resolver": "myLDAPres", "type": "ldapresolver", "LDAPURI": "ldap://localhost", "LDAPBASE": "o=test", "BINDDN": "cn=manager,ou=example,o=test", "BINDPW": "ldaptest", "LOGINNAMEATTRIBUTE": "cn", "LDAPSEARCHFILTER": "(cn=*)", "LDAPFILTER": "(&(cn=%s))", "USERINFO": '{ "username": "******",' '"phone" : "telephoneNumber", ' '"mobile" : "mobile"' ', "email" : "mail", ' '"surname" : "sn", ' '"givenname" : "givenName" }', "UIDTYPE": "DN", } ) self.assertTrue(rid > 0, rid) reso_list = get_resolver_list() self.assertTrue("myLDAPres" in reso_list, reso_list) ui = ResolverConfig.query.filter(ResolverConfig.Key == "USERINFO").first().Value # Check that the email is contained in the UI self.assertTrue("email" in ui, ui) # -------------------------------- # Then we update the LDAP resolver rid = save_resolver( { "resolver": "myLDAPres", "type": "ldapresolver", "LDAPURI": "ldap://localhost", "LDAPBASE": "o=test", "BINDDN": "cn=manager,ou=example,o=test", "BINDPW": "ldaptest", "LOGINNAMEATTRIBUTE": "cn", "LDAPSEARCHFILTER": "(cn=*)", "LDAPFILTER": "(&(cn=%s))", "USERINFO": '{ "username": "******",' '"phone" : "telephoneNumber", ' '"surname" : "sn", ' '"givenname" : "givenName" }', "UIDTYPE": "DN", } ) self.assertTrue(rid > 0, rid) reso_list = get_resolver_list(filter_resolver_name="myLDAPres") # TODO check the data ui = ResolverConfig.query.filter(ResolverConfig.Key == "USERINFO").first().Value # Check that the email is NOT contained in the UI self.assertTrue("email" not in ui, ui)
def test_12_multiple_resolvers(self): # one realm, two SQL resolvers parameters_a = self.sql_parameters.copy() # first resolver only contains users with phone numbers parameters_a['Where'] = 'phone LIKE %' parameters_a['resolver'] = 'reso_a' rid_a = save_resolver(parameters_a) self.assertTrue(rid_a > 0, rid_a) # second resolver contains all users parameters_b = self.sql_parameters.copy() parameters_b['resolver'] = 'reso_b' rid_b = save_resolver(parameters_b) self.assertTrue(rid_b > 0, rid_b) # First ask reso_a, then reso_b (added, failed) = set_realm(self.sql_realm, ['reso_a', 'reso_b'], { 'reso_a': 1, 'reso_b': 2 }) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 2) # Now, query the user and populate the cache self.assertEqual(UserCache.query.count(), 0) user1 = User('wordpressuser', self.sql_realm) self.assertEqual(user1.uid, '6') # Assert it was found in reso_b (as it does not have a phone number)! self.assertEqual(user1.resolver, 'reso_b') self.assertEqual( UserCache.query.filter(UserCache.username == 'wordpressuser', UserCache.user_id == 6).one().resolver, 'reso_b') # Add a phone number. We do not use the User API to do that to simulate that the change is performed # out of privacyIDEA's control. Using `update_user_info` would invalidate the cache, which would be unrealistic. info = user1.info new_info = info.copy() new_info['phone'] = '123456' get_resolver_object('reso_a').update_user(user1.uid, new_info) # Ensure that the user's association with reso_b is still cached. self.assertEqual( UserCache.query.filter(UserCache.username == 'wordpressuser', UserCache.user_id == 6).one().resolver, 'reso_b') # Now, it should be located in reso_a! user2 = User('wordpressuser', self.sql_realm) self.assertEqual(user2.uid, '6') self.assertEqual(user2.resolver, 'reso_a') # ... but the cache still contains entries for both! resolver_query = UserCache.query.filter( UserCache.username == 'wordpressuser', UserCache.user_id == 6).order_by(UserCache.timestamp.desc()) cached_resolvers = [entry.resolver for entry in resolver_query.all()] self.assertEqual(cached_resolvers, ['reso_a', 'reso_b']) # Remove the phone number. get_resolver_object('reso_a').update_user(user1.uid, {'phone': None}) delete_realm(self.sql_realm) delete_resolver('reso_a') delete_resolver('reso_b')
def test_01_create_resolver(self): rid = save_resolver( { "resolver": self.resolvername1, "type": "passwdresolver", "fileName": "/etc/passwd", "type.fileName": "string", "desc.fileName": "The name of the file", } ) self.assertTrue(rid > 0, rid) # description with missing main key params = {"resolver": "reso2", "type": "passwdresolver", "type.fileName": "string"} self.assertRaises(Exception, save_resolver, params) # type with missing main key params = {"resolver": "reso2", "type": "passwdresolver", "desc.fileName": "The file name"} self.assertRaises(Exception, save_resolver, params) # not allowed resolver name params = {"resolver": "res with blank", "type": "passwdresolver"} self.assertRaises(Exception, save_resolver, params) # unknown type params = {"resolver": "validname", "type": "unknown_type"} self.assertRaises(Exception, save_resolver, params) # same name with different type params = {"resolver": self.resolvername1, "type": "ldapresolver", "fileName": "/etc/secrets"} self.assertRaises(Exception, save_resolver, params) # similar name with different type params = {"resolver": "Resolver1", "type": "ldapresolver", "fileName": "/etc/secrets"} self.assertRaises(Exception, save_resolver, params) # check that the resolver was successfully created reso_list = get_resolver_list() self.assertTrue(self.resolvername1 in reso_list) # test error: type without data params = {"resolver": self.resolvername2, "type": "ldapresolver", "type.BindPW": "topsecret"} self.assertRaises(Exception, save_resolver, params) # test error: description without data params = {"resolver": self.resolvername2, "type": "ldapresolver", "desc.BindPW": "something else"} self.assertRaises(Exception, save_resolver, params) # key not supported by the resolver # The resolver is created anyway params = {"resolver": self.resolvername2, "type": "passwdresolver", "UnknownKey": "something else"} rid = save_resolver(params) self.assertTrue(rid > 0) # check that the resolver was successfully created reso_list = get_resolver_list() self.assertTrue(self.resolvername2 in reso_list)
def test_12_multiple_resolvers(self): # one realm, two SQL resolvers parameters_a = self.sql_parameters.copy() # first resolver only contains users with phone numbers parameters_a['Where'] = 'phone LIKE %' parameters_a['resolver'] = 'reso_a' rid_a = save_resolver(parameters_a) self.assertTrue(rid_a > 0, rid_a) # second resolver contains all users parameters_b = self.sql_parameters.copy() parameters_b['resolver'] = 'reso_b' rid_b = save_resolver(parameters_b) self.assertTrue(rid_b > 0, rid_b) # First ask reso_a, then reso_b (added, failed) = set_realm(self.sql_realm, ['reso_a', 'reso_b'], { 'reso_a': 1, 'reso_b': 2 }) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 2) # Now, query the user and populate the cache self.assertEqual(UserCache.query.count(), 0) user1 = User('wordpressuser', self.sql_realm) self.assertEqual(user1.uid, 6) # Assert it was found in reso_b (as it does not have a phone number)! self.assertEqual(user1.resolver, 'reso_b') self.assertEqual(UserCache.query.filter(UserCache.username == 'wordpressuser', UserCache.user_id == 6).one().resolver, 'reso_b') # Add a phone number. We do not use the User API to do that to simulate that the change is performed # out of privacyIDEA's control. Using `update_user_info` would invalidate the cache, which would be unrealistic. info = user1.info new_info = info.copy() new_info['phone'] = '123456' get_resolver_object('reso_a').update_user(user1.uid, new_info) # Ensure that the user's association with reso_b is still cached. self.assertEqual(UserCache.query.filter(UserCache.username == 'wordpressuser', UserCache.user_id == 6).one().resolver, 'reso_b') # Now, it should be located in reso_a! user2 = User('wordpressuser', self.sql_realm) self.assertEqual(user2.uid, 6) self.assertEqual(user2.resolver, 'reso_a') # ... but the cache still contains entries for both! resolver_query = UserCache.query.filter(UserCache.username == 'wordpressuser', UserCache.user_id == 6).order_by(UserCache.timestamp.desc()) cached_resolvers = [entry.resolver for entry in resolver_query.all()] self.assertEqual(cached_resolvers, ['reso_a', 'reso_b']) # Remove the phone number. get_resolver_object('reso_a').update_user(user1.uid, {'phone': None}) delete_realm(self.sql_realm) delete_resolver('reso_a') delete_resolver('reso_b')
def test_11_otppin_with_resolvers(self): # This tests, if the otppin policy differentiates between users in # the same realm but in different resolvers. r = save_resolver({"resolver": "reso001", "type": "passwdresolver", "fileName": "tests/testdata/passwords"}) # user "cornelius" is in resolver reso001 self.assertTrue(r > 0) r = save_resolver({"resolver": "reso002", "type": "passwdresolver", "fileName": "tests/testdata/pw-2nd-resolver"}) # user "userresolver2" is in resolver reso002 self.assertTrue(r > 0) (added, failed) = set_realm("myrealm", ["reso001", "reso002"]) self.assertEqual(len(added), 2) self.assertEqual(len(failed), 0) my_user_1 = User("cornelius", realm="myrealm") my_user_2 = User("userresolver2", realm="myrealm") # We set a policy only for resolver reso002 set_policy(name="pol1", scope=SCOPE.AUTH, realm="myrealm", resolver="reso002", action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.NONE)) g = FakeFlaskG() P = PolicyClass() g.policy_object = P g.audit_object = FakeAudit() options = {"g": g} # user in reso001 fails with empty PIN, since the policy does not # match for him r = auth_otppin(self.fake_check_otp, None, "", options=options, user=my_user_1) self.assertFalse(r) # user in reso002 succeeds with empty PIN, since policy pol1 matches # for him r = auth_otppin(self.fake_check_otp, None, "", options=options, user=my_user_2) self.assertTrue(r) # user in reso002 fails with any PIN, since policy pol1 matches # for him r = auth_otppin(self.fake_check_otp, None, "anyPIN", options=options, user=my_user_2) self.assertFalse(r) delete_policy("pol1") delete_realm("myrealm") delete_resolver("reso001") delete_resolver("reso002")
def _create_sql_realm(self): rid = save_resolver(self.sql_parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.sql_realm, [self.sql_resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1)
def test_14_create_delete_user(self): realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) # Create the user uid = create_user(resolver, {"username": "******", "givenname": "achmed"}, password="******") self.assertTrue(uid > 6) user = User("achmed3", realm=realm) r = user.check_password("secret") # delete user r = user.delete() self.assertTrue(r)
def test_03_is_password_reset(self): # create resolver and realm param = self.parameters param["resolver"] = "register" param["type"] = "sqlresolver" r = save_resolver(param) self. assertTrue(r > 0) added, failed = set_realm("register", resolvers=["register"]) self.assertTrue(added > 0) self.assertEqual(len(failed), 0) # No user policy at all r = is_password_reset() self.assertEqual(r, True) # create policy set_policy(name="pwrest", scope=SCOPE.USER, action=ACTION.PASSWORDRESET) r = is_password_reset() self.assertEqual(r, True) # create policy that does not allow password_reset set_policy(name="pwrest", scope=SCOPE.USER, action=ACTION.DELETE) r = is_password_reset() self.assertEqual(r, False)
def _create_ldap_realm(self): rid = save_resolver(self.ldap_parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.ldap_realm, [self.ldap_resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1)
def setUp_sqlite_resolver_realm(self, sqlite_file, realm): parameters = { 'resolver': "sqlite_resolver", "type": "sqlresolver", 'Driver': 'sqlite', 'Server': '/tests/testdata/', 'Database': sqlite_file, 'Table': 'users', 'Encoding': 'utf8', 'Editable': True, 'Map': """{ "username": "******", "userid" : "id", "email" : "email", "surname" : "name", "givenname" : "givenname", "password" : "password", "phone": "phone", "mobile": "mobile"}""" } r = save_resolver(parameters) self.assertTrue(r) success, fail = set_realm(realm, ["sqlite_resolver"]) self.assertEqual(len(success), 1) self.assertEqual(len(fail), 0)
def test_09_get_user_from_param(self): user = get_user_from_param({"user": "******"}) self.assertTrue(user.realm == self.realm1, user) self.assertTrue(user.resolver == self.resolvername1, user) user = get_user_from_param({"realm": self.realm1}) self.assertTrue(user.realm == self.realm1, user) self.assertTrue(user.login == "", user) self.assertTrue(user.resolver == "", user.resolver) user = get_user_from_param({ "user": "******", "resolver": self.resolvername1 }) self.assertTrue(user.realm == self.realm1, user) # create a realm, where cornelius is in two resolvers! rid = save_resolver({ "resolver": self.resolvername3, "type": "passwdresolver", "fileName": PWFILE2 }) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm2, [self.resolvername1, self.resolvername3]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 2) # get user cornelius, who is in two resolvers! param = {"user": "******", "realm": self.realm2} user = get_user_from_param(param) self.assertEqual("{0!s}".format(user), "<cornelius.resolver1@realm2>")
def setUp_user_realm2(self): # create user realm rid = save_resolver({ "resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE }) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm2, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) user = User(login="******", realm=self.realm2, resolver=self.resolvername1) user_str = "{0!s}".format(user) self.assertTrue(user_str == "<root.resolver1@realm2>", user_str) self.assertFalse(user.is_empty()) self.assertTrue(User().is_empty()) user_repr = "{0!r}".format(user) expected = "User(login='******', realm='realm2', resolver='resolver1')" self.assertTrue(user_repr == expected, user_repr)
def test_02_userstore_password(self): # create a realm, where cornelius has a password test rid = save_resolver({"resolver": "myreso", "type": "passwdresolver", "fileName": PWFILE2}) self.assertTrue(rid > 0, rid) (added, failed) = set_realm("r1", ["myreso"]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) # now create a policy with userstore PW set_policy(name="pol1", scope=SCOPE.AUTH, action="%s=%s" % (ACTION.OTPPIN, ACTIONVALUE.USERSTORE)) g = FakeFlaskG() P = PolicyClass() g.policy_object = P options = {"g": g} # Wrong password r = auth_otppin(self.fake_check_otp, None, "WrongPW", options=options, user=User("cornelius", realm="r1")) self.assertFalse(r) # Correct password from userstore: "test" r = auth_otppin(self.fake_check_otp, None, "test", options=options, user=User("cornelius", realm="r1")) self.assertTrue(r) delete_policy("pol1")
def _create_user_wordy(self): """ This creates a user "wordy" in the realm "sqlrealm" """ realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) with self.app.test_request_context('/user/', method='POST', data={"user": "******", "resolver": resolver, "surname": "zappa", "givenname": "frank", "email": "*****@*****.**", "phone": "12345", "mobile": "12345", "password": "******"}, headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = res.json.get("result") self.assertTrue(result.get("value") > 6, result.get("value"))
def test_04_create_recovery_nonascii(self): smtpmock.setdata(response={"*****@*****.**": (200, "OK")}) recoverycode = "reccode" # create resolver and realm param = self.parameters param["resolver"] = "register" param["type"] = "sqlresolver" r = save_resolver(param) self.assertTrue(r > 0) # recover password with "recovery.identifier" r = add_smtpserver(identifier="myserver", server="1.2.3.4") self.assertTrue(r > 0) set_privacyidea_config("recovery.identifier", "myserver") r = create_recoverycode(User(u"nönäscii", "register"), recoverycode=recoverycode) self.assertEqual(r, True) user = User(u"nönäscii", "register") r = check_recoverycode(user, recoverycode) self.assertEqual(r, True) # The recovery code is not valid a second time r = check_recoverycode(user, recoverycode) self.assertEqual(r, False)
def setUp_user_realm2(self): # create user realm rid = save_resolver({"resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE}) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm2, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) user = User(login="******", realm=self.realm2, resolver=self.resolvername1) user_str = "{0!s}".format(user) self.assertTrue(user_str == "<root.resolver1@realm2>", user_str) self.assertFalse(user.is_empty()) self.assertTrue(User().is_empty()) user_repr = "{0!r}".format(user) expected = "User(login='******', realm='realm2', resolver='resolver1')" self.assertTrue(user_repr == expected, user_repr)
def test_09_get_user_from_param(self): user = get_user_from_param({"user": "******"}) self.assertTrue(user.realm == self.realm1, user) self.assertTrue(user.resolver == self.resolvername1, user) user = get_user_from_param({"realm": self.realm1}) self.assertTrue(user.realm == self.realm1, user) self.assertTrue(user.login == "", user) self.assertTrue(user.resolver == "", user.resolver) user = get_user_from_param({"user": "******", "resolver": self.resolvername1}) self.assertTrue(user.realm == self.realm1, user) # create a realm, where cornelius is in two resolvers! rid = save_resolver({"resolver": self.resolvername3, "type": "passwdresolver", "fileName": PWFILE2}) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm2, [self.resolvername1, self.resolvername3]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 2) # get user cornelius, who is in two resolvers! param = {"user": "******", "realm": self.realm2} user = get_user_from_param(param) self.assertEqual("{0!s}".format(user), "<cornelius.resolver1@realm2>")
def test_02_userstore_password(self): # create a realm, where cornelius has a password test rid = save_resolver({"resolver": "myreso", "type": "passwdresolver", "fileName": PWFILE2}) self.assertTrue(rid > 0, rid) (added, failed) = set_realm("r1", ["myreso"]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) # now create a policy with userstore PW set_policy(name="pol1", scope=SCOPE.AUTH, action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.USERSTORE)) g = FakeFlaskG() P = PolicyClass() g.policy_object = P g.audit_object = FakeAudit() options = {"g": g} # Wrong password r = auth_otppin(self.fake_check_otp, None, "WrongPW", options=options, user=User("cornelius", realm="r1")) self.assertFalse(r) # Correct password from userstore: "test" r = auth_otppin(self.fake_check_otp, None, "test", options=options, user=User("cornelius", realm="r1")) self.assertTrue(r) delete_policy("pol1")
def test_13_update_user(self): realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) user = User(login="******", realm=realm) uinfo = user.info self.assertEqual(uinfo.get("givenname", ""), "") user.update_user_info({ "givenname": "wordy", "username": "******" }) uinfo = user.info self.assertEqual(uinfo.get("givenname"), "wordy") self.assertEqual(user.login, "WordpressUser") user.update_user_info({"givenname": "", "username": "******"})
def test_17_check_nonascii_user(self): realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) # check non-ascii password of non-ascii user self.assertFalse(User(login=u"nönäscii", realm=realm).check_password("wrong")) self.assertTrue(User(login=u"nönäscii", realm=realm).check_password(u"sömepassword")) # check proper unicode() and str() handling user_object = User(login=u"nönäscii", realm=realm) if six.PY2: self.assertEqual(unicode(user_object), u'<nönäscii.SQL1@sqlrealm>') self.assertEqual(str(user_object), '<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>') else: self.assertEqual(six.text_type(user_object), u'<nönäscii.SQL1@sqlrealm>') self.assertEqual(six.text_type(user_object).encode('utf8'), b'<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>')
def test_00_create_user(self): rid = save_resolver({ "resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE }) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm1, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) user = User(login="******", realm=self.realm1, resolver=self.resolvername1) user_str = "{0!s}".format(user) self.assertTrue(user_str == "<root.resolver1@realm1>", user_str) # check proper unicode() / str() handling if six.PY2: self.assertIsInstance(str(user), bytes) self.assertIsInstance(unicode(user), unicode) else: self.assertIsInstance(six.text_type(user), six.text_type) self.assertFalse(user.is_empty()) self.assertTrue(User().is_empty()) user_repr = "{0!r}".format(user) expected = "User(login='******', realm='realm1', resolver='resolver1')" self.assertTrue(user_repr == expected, user_repr)
def test_00_create_user(self): rid = save_resolver({ "resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE }) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm1, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) user = User(login="******", realm=self.realm1, resolver=self.resolvername1) user_str = "%s" % user self.assertTrue(user_str == "<root.resolver1@realm1>", user_str) self.assertFalse(user.is_empty()) self.assertTrue(User().is_empty()) user_repr = "%r" % user expected = "User(login='******', realm='realm1', resolver='resolver1')" self.assertTrue(user_repr == expected, user_repr)
def test_17_check_nonascii_user(self): realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) # check non-ascii password of non-ascii user self.assertFalse( User(login=u"nönäscii", realm=realm).check_password("wrong")) self.assertTrue( User(login=u"nönäscii", realm=realm).check_password(u"sömepassword")) # check proper unicode() and str() handling user_object = User(login=u"nönäscii", realm=realm) self.assertEqual(unicode(user_object), u'<nönäscii.SQL1@sqlrealm>') self.assertEqual(str(user_object), '<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>')
def test_13_update_user(self): realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) user = User(login="******", realm=realm) uinfo = user.info self.assertEqual(uinfo.get("givenname", ""), "") user.update_user_info({"givenname": "wordy", "username": "******"}) uinfo = user.info self.assertEqual(uinfo.get("givenname"), "wordy") self.assertEqual(user.login, "WordpressUser") user.update_user_info({"givenname": "", "username": "******"})
def test_00_create_user(self): rid = save_resolver({"resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE}) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm1, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) user = User(login="******", realm=self.realm1, resolver=self.resolvername1) user_str = "{0!s}".format(user) self.assertTrue(user_str == "<root.resolver1@realm1>", user_str) # check proper unicode() and str() handling self.assertIsInstance(str(user), bytes) self.assertIsInstance(unicode(user), unicode) self.assertFalse(user.is_empty()) self.assertTrue(User().is_empty()) user_repr = "{0!r}".format(user) expected = "User(login='******', realm='realm1', resolver='resolver1')" self.assertTrue(user_repr == expected, user_repr)
def test_14_create_delete_user(self): realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) # Create the user uid = create_user(resolver, { "username": "******", "givenname": "achmed" }, password="******") self.assertTrue(uid > 6) user = User("achmed3", realm=realm) r = user.check_password("secret") # delete user r = user.delete() self.assertTrue(r)
def test_17b_ui_rights_users_in_different_resolvers(self): # Create a realm with two resolvers rid = save_resolver({ "resolver": "passwd", "type": "passwdresolver", "fileName": FILE_PASSWD }) self.assertTrue(rid > 0, rid) rid = save_resolver({ "resolver": "passwords", "type": "passwdresolver", "fileName": FILE_PASSWORDS }) self.assertTrue(rid > 0, rid) # create user realm (added, failed) = set_realm("realm4", ["passwd", "passwords"]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 2) # A user may do something else... set_policy(name="userpol41", scope=SCOPE.USER, action="enable", realm="realm4", resolver="passwd") set_policy(name="userpol42", scope=SCOPE.USER, action="remove", realm="realm4", resolver="passwords") P = PolicyClass() # The two users are in different resolvers and get different rights rights = P.ui_get_rights(SCOPE.USER, "realm4", "postfix") self.assertEqual(set(rights), {"enable", "disable"}) rights = P.ui_get_rights(SCOPE.USER, "realm4", "usernotoken") self.assertEqual(set(rights), {"disable", "remove"}) delete_policy("userpol41") delete_policy("userpol42") delete_realm("realm4") delete_resolver("passwords") delete_resolver("passwd")
def test_01_create_realm(self): rid = save_resolver({ "resolver": self.resolvername1, "type": "passwdresolver", "fileName": "/etc/passwd" }) self.assertTrue(rid > 0, rid) rid = save_resolver({ "resolver": self.resolvername2, "type": "passwdresolver", "fileName": "/etc/secrets" }) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm1, [self.resolvername1, self.resolvername2]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 2) (added, failed) = set_realm(self.realm_dot, [self.resolvername1, self.resolvername2]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 2) # test the realms realms = get_realms() self.assertTrue(self.realm1 in realms, realms) self.assertTrue(realms.get("realm1").get("default"), realms) self.assertTrue(self.realm_dot in realms, realms) # delete dot realm delete_realm(self.realm_dot) # try to create realm with invalid name self.assertRaises(Exception, set_realm, "#####") # update the resolver list: (added, failed) = set_realm(self.realm1, [self.resolvername1, "non exiting"]) self.assertTrue(len(failed) == 1) self.assertTrue(len(added) == 1) self.assertTrue(realm_is_defined(self.realm1)) self.assertTrue(realm_is_defined("non exist") is False)
def test_07_invalidate_save_resolver(self): self._create_realm() self._populate_cache() # call save_resolver on resolver1, which should invalidate all entries of "resolver1" # (even the expired 'hans2' one) save_resolver({"resolver": self.resolvername1, "type": "passwdresolver", "fileName": self.PWFILE, "type.fileName": "string", "desc.fileName": "Some change" }) self.assertEquals(UserCache.query.count(), 1) # Only hans3 in resolver2 should still be in the cache # We can use get_username to ensure it is fetched from the cache # because resolver2 does not actually exist u_name = get_username("uid2", "resolver2") self.assertEquals("hans3", u_name) delete_user_cache() self._delete_realm()
def _create_realm(self): rid = save_resolver({"resolver": self.resolvername1, "type": "passwdresolver", "fileName": self.PWFILE, "type.fileName": "string", "desc.fileName": "The name of the file"}) self.assertTrue(rid > 0, rid) rid = set_realm(realm=self.realm1, resolvers=[self.resolvername1]) self.assertTrue(rid > 0, rid)
def create(name, rtype, filename): """ Create a new resolver with name and type (ldapresolver, sqlresolver). Read the necessary resolver parameters from the filename. The file should contain a python dictionary. :param name: The name of the resolver :param rtype: The type of the resolver like ldapresolver or sqlresolver :param filename: The name of the config file. :return: """ from privacyidea.lib.resolver import save_resolver import ast f = open(filename, 'r') contents = f.read() f.close() params = ast.literal_eval(contents) params["resolver"] = name params["type"] = rtype save_resolver(params)
def test_01_admin_and_user_same_name(self): # Test the logging, if admin and user have the same name (testamdin/testpw) # Now create a default realm, that contains the used "testadmin" rid = save_resolver({ "resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE }) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm1, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) set_default_realm(self.realm1) # If the admin logs in, everything is fine with mock.patch("logging.Logger.info") as mock_log: with self.app.test_request_context('/auth', method='POST', data={ "username": "******", "password": "******" }): res = self.app.full_dispatch_request() self.assertEqual(200, res.status_code, res) result = res.json.get("result") self.assertTrue(result.get("status"), result) self.assertIn('token', result.get("value"), result) # role should be 'admin' self.assertEqual('admin', result['value']['role'], result) mock_log.assert_called_with( "Local admin 'testadmin' successfully logged in.") # If a user logs in, with the same name as the admin, this event is logged in warning with mock.patch("logging.Logger.warning") as mock_log: with self.app.test_request_context('/auth', method='POST', data={ "username": "******", "password": "******" }): res = self.app.full_dispatch_request() self.assertEqual(200, res.status_code, res) result = res.json.get("result") self.assertTrue(result.get("status"), result) self.assertIn('token', result.get("value"), result) # role should be 'user' self.assertEqual('user', result['value']['role'], result) # check if we have this log entry mock_log.assert_called_with( "A user 'testadmin' exists as local admin and as user " "in your default realm!")
def test_12_resolver_priority(self): # Test the priority of resolvers. # we create resolvers with the same user in it. Depending on the # priority we either get the one or the other user. save_resolver({"resolver": "double1", "type": "passwdresolver", "fileName": PWFILE}) save_resolver({"resolver": "double2", "type": "passwdresolver", "fileName": PWFILE}) save_resolver({"resolver": "double3", "type": "passwdresolver", "fileName": PWFILE}) (added, failed) = set_realm("double", ["double1", "double2", "double3"], priority={"double1": 2, "double2": 1, "double3": 3}) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 3) user = get_user_from_param({"user": "******", "realm": "double"}) self.assertEqual(user.resolver, "double2") (added, failed) = set_realm("double", ["double1", "double2", "double3"], priority={"double1": 3, "double2": 2, "double3": 1}) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 3) user = get_user_from_param({"user": "******", "realm": "double"}) self.assertEqual(user.resolver, "double3")
def test_37_is_orphaned(self): resolver = "orphreso" realm = "orphrealm" rid = save_resolver({"resolver": resolver, "type": "passwdresolver", "fileName": PWFILE}) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) # Assign token to user "cornelius" "realm1", "resolver1" "uid=1000 db_token = Token("orphaned", tokentype="spass", userid=1000, resolver=resolver, realm=realm) db_token.save() token_obj = TokenClass(db_token) orph = token_obj.is_orphaned() self.assertFalse(orph) # clean up token token_obj.delete_token() # Assign a token to a user in a resolver. user_id does not exist db_token = Token("orphaned", tokentype="spass", userid=872812, resolver=resolver, realm=realm) db_token.save() token_obj = TokenClass(db_token) orph = token_obj.is_orphaned() self.assertTrue(orph) # clean up token token_obj.delete_token() # A token, which a resolver name, that does not exist anymore db_token = Token("orphaned", tokentype="spass", userid=1000, resolver=resolver, realm=realm) db_token.save() # delete the realm delete_realm(realm) # token is orphaned token_obj = TokenClass(db_token) orph = token_obj.is_orphaned() self.assertTrue(orph) # delete the resolver delete_resolver(resolver) # token is orphaned token_obj = TokenClass(db_token) orph = token_obj.is_orphaned() self.assertTrue(orph) # clean up token token_obj.delete_token()
def test_18_user_with_several_phones(self): ldap3mock.setLDAPDirectory(LDAPDirectory_small) params = ({ 'LDAPURI': 'ldap://localhost', 'LDAPBASE': 'o=test', 'BINDDN': 'cn=manager,ou=example,o=test', 'BINDPW': 'ldaptest', 'LOGINNAMEATTRIBUTE': 'cn', 'LDAPSEARCHFILTER': '(|(cn=*))', # we use this weird search filter to get a unique resolver ID 'USERINFO': '{ "username": "******",' '"phone" : "telephoneNumber", ' '"mobile" : "mobile"' ', "email" : "mail", ' '"surname" : "sn", ' '"givenname" : "givenName" }', 'UIDTYPE': 'objectGUID', 'NOREFERRALS': True, 'CACHE_TIMEOUT': 0 }) params["resolver"] = "ldapresolver" params["type"] = "ldapresolver" rid = save_resolver(params) self.assertTrue(rid > 0) (added, failed) = set_realm("ldap", ["ldapresolver"]) self.assertEqual(len(added), 1) self.assertEqual(len(failed), 0) u = User("salesman", "ldap") # get the complete list r = u.get_user_phone("mobile") self.assertEqual(r, ["1234", "3456"]) # get the first entry r = u.get_user_phone("mobile", index=0) self.assertEqual(r, "1234") # Index out of range r = u.get_user_phone("mobile", index=2) self.assertEqual(r, "") delete_realm("ldap") delete_resolver("ldapresolver")
def test_11_base_resolver_class(self): save_resolver({"resolver": "baseresolver", "type": "UserIdResolver"}) y = get_resolver_object("baseresolver") self.assertTrue(y, y) rtype = y.getResolverType() self.assertTrue(rtype == "UserIdResolver", rtype) # close hook desc = y.getResolverDescriptor() self.assertTrue("clazz" in desc.get("UserIdResolver"), desc) self.assertTrue("config" in desc.get("UserIdResolver"), desc) id = y.getUserId("some user") self.assertTrue(id == "dummy_user_id", id) name = y.getUsername("some user") self.assertTrue(name == "dummy_user_name", name) self.assertTrue(y.getUserInfo("dummy") == {}) self.assertTrue(len(y.getUserList()) == 1) self.assertTrue(len(y.getUserList()) == 1) rid = y.getResolverId() self.assertTrue(rid == "baseid", rid) self.assertFalse(y.checkPass("dummy", "pw")) y.close()
def setUp_user_realms(self): # create user realm rid = save_resolver({ "resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE }) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm1a, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) (added, failed) = set_realm(self.realm2b, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1)
def test_00_set_ldap_realm(self): ldap3mock.setLDAPDirectory(LDAPDirectory) params = { 'LDAPURI': 'ldap://localhost', 'LDAPBASE': 'o=test', 'BINDDN': 'cn=manager,ou=example,o=test', 'BINDPW': 'ldaptest', 'LOGINNAMEATTRIBUTE': 'cn', 'LDAPSEARCHFILTER': '(cn=*)', 'MULTIVALUEATTRIBUTES': '["groups"]', 'USERINFO': '{ "username": "******",' '"phone" : "telephoneNumber", ' '"mobile" : "mobile"' ', "email" : "mail", ' '"surname" : "sn", ' '"groups": "memberOf", ' '"givenname" : "givenName" }', 'UIDTYPE': 'DN', "resolver": "ldapgroups", "type": "ldapresolver" } r = save_resolver(params) self.assertTrue(r > 0) r = set_realm("ldaprealm", resolvers=["ldapgroups"]) set_default_realm("ldaprealm") self.assertEqual(r, (["ldapgroups"], [])) # find a user, check the groups alice = User("alice", "ldaprealm") self.assertEqual(alice.info["groups"], ["cn=admins,o=test", "cn=users,o=test"])
def test_17_check_nonascii_user(self): realm = u"sqlrealm" resolver = u"SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) # check non-ascii password of non-ascii user self.assertFalse( User(login=u"nönäscii", realm=realm).check_password("wrong")) self.assertTrue( User(login=u"nönäscii", realm=realm).check_password(u"sömepassword")) # check proper unicode() and str() handling user_object = User(login=u"nönäscii", realm=realm) if six.PY2: self.assertEqual(unicode(user_object), u'<nönäscii.SQL1@sqlrealm>') self.assertEqual(str(user_object), '<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>') else: self.assertEqual(six.text_type(user_object), u'<nönäscii.SQL1@sqlrealm>') self.assertEqual( six.text_type(user_object).encode('utf8'), b'<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>') # also check the User object representation user_repr = repr(user_object) if six.PY2: self.assertEqual( "User(login=u'n\\xf6n\\xe4scii', " "realm=u'sqlrealm', resolver=u'SQL1')", user_repr, user_repr) else: self.assertEqual( "User(login='******', " "realm='sqlrealm', resolver='SQL1')", user_repr, user_repr)
def test_00_create_user_realm(self): rid = save_resolver({"resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE}) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(self.realm1, [self.resolvername1]) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 1) user = User(login="******", realm=self.realm1, resolver=self.resolvername1) user_str = "%s" % user self.assertTrue(user_str == "<root.resolver1@realm1>", user_str) self.assertFalse(user.is_empty()) self.assertTrue(User().is_empty()) user_repr = "%r" % user expected = "User(login='******', realm='realm1', resolver='resolver1')" self.assertTrue(user_repr == expected, user_repr)
def test_17_check_nonascii_user(self): realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) # check non-ascii password of non-ascii user self.assertFalse( User(login=u"nönäscii", realm=realm).check_password("wrong")) self.assertTrue( User(login=u"nönäscii", realm=realm).check_password(u"sömepassword"))
def test_18_user_with_several_phones(self): ldap3mock.setLDAPDirectory(LDAPDirectory_small) params = ({'LDAPURI': 'ldap://localhost', 'LDAPBASE': 'o=test', 'BINDDN': 'cn=manager,ou=example,o=test', 'BINDPW': 'ldaptest', 'LOGINNAMEATTRIBUTE': 'cn', 'LDAPSEARCHFILTER': '(|(cn=*))', # we use this weird search filter to get a unique resolver ID 'USERINFO': '{ "username": "******",' '"phone" : "telephoneNumber", ' '"mobile" : "mobile"' ', "email" : "mail", ' '"surname" : "sn", ' '"givenname" : "givenName" }', 'UIDTYPE': 'objectGUID', 'NOREFERRALS': True, 'CACHE_TIMEOUT': 0 }) params["resolver"] = "ldapresolver" params["type"] = "ldapresolver" rid = save_resolver(params) self.assertTrue(rid > 0) (added, failed) = set_realm("ldap", ["ldapresolver"]) self.assertEqual(len(added), 1) self.assertEqual(len(failed), 0) u = User("salesman", "ldap") # get the complete list r = u.get_user_phone("mobile") self.assertEqual(r, ["1234", "3456"]) # get the first entry r = u.get_user_phone("mobile", index=0) self.assertEqual(r, "1234") # Index out of range r = u.get_user_phone("mobile", index=2) self.assertEqual(r, "") delete_realm("ldap") delete_resolver("ldapresolver")
def test_08_no_ldap_password(self): params = {'LDAPURI': 'ldap://localhost', 'LDAPBASE': 'o=test', 'BINDDN': 'cn=manager,ou=example,o=test', 'BINDPW': 'ldaptest', 'LOGINNAMEATTRIBUTE': 'cn', 'LDAPSEARCHFILTER': '(cn=*)', 'USERINFO': '{ "username": "******", "phone": "telephoneNumber", ' '"mobile" : "mobile", "email": "mail", ' '"surname" : "sn", "givenname": "givenName" }', 'UIDTYPE': 'DN', 'type': 'ldapresolver', 'resolver': 'testL'} r = save_resolver(params) self.assertTrue(r) with self.app.test_request_context('/resolver/testL', method='GET', headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data.decode('utf8')).get("result") self.assertTrue(result["status"] is True, result) data = result["value"]["testL"]["data"] self.assertEqual(data.get("BINDPW"), CENSORED) with self.app.test_request_context('/resolver/', method='GET', headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data.decode('utf8')).get("result") self.assertTrue(result["status"] is True, result) data = result["value"]["testL"]["data"] self.assertEqual(data.get("BINDPW"), CENSORED) r = delete_resolver(params.get("resolver")) self.assertTrue(r)
def test_04_create_recovery_nonascii(self): smtpmock.setdata(response={"*****@*****.**": (200, "OK")}) recoverycode = "reccode" # create resolver and realm param = self.parameters param["resolver"] = "register" param["type"] = "sqlresolver" r = save_resolver(param) self. assertTrue(r > 0) # recover password with "recovery.identifier" r = add_smtpserver(identifier="myserver", server="1.2.3.4") self.assertTrue(r > 0) set_privacyidea_config("recovery.identifier", "myserver") r = create_recoverycode(User(u"nönäscii", "register"), recoverycode=recoverycode) self.assertEqual(r, True) user = User(u"nönäscii", "register") r = check_recoverycode(user, recoverycode) self.assertEqual(r, True) # The recovery code is not valid a second time r = check_recoverycode(user, recoverycode) self.assertEqual(r, False)
def test_01_register_user(self): smtpmock.setdata(response={"*****@*****.**": (200, "OK")}) # create resolver and realm param = self.parameters param["resolver"] = "register" param["type"] = "sqlresolver" r = save_resolver(param) self. assertTrue(r > 0) added, failed = set_realm("register", resolvers=["register"]) self.assertTrue(added > 0) self.assertEqual(len(failed), 0) # create policy r = set_policy(name="pol2", scope=SCOPE.REGISTER, action="{0!s}={1!s}, {2!s}={3!s}".format(ACTION.REALM, "register", ACTION.RESOLVER, "register")) # Try to register, but missing parameter with self.app.test_request_context('/register', method='POST', data={"username": "******", "surname": "Kölbel"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 400, res) # Register fails, missing SMTP config with self.app.test_request_context('/register', method='POST', data={"username": "******", "surname": "Kölbel", "givenname": "Cornelius", "password": "******", "email": "*****@*****.**"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 400, res) data = json.loads(res.data.decode('utf8')) self.assertEqual(data.get("result").get("error").get("code"), ERROR.REGISTRATION) self.assertEqual(data.get("result").get("error").get("message"), u'ERR402: No SMTP server configuration specified!') # Set SMTP config and policy add_smtpserver("myserver", "1.2.3.4", sender="pi@localhost") set_policy("pol3", scope=SCOPE.REGISTER, action="{0!s}=myserver".format(ACTION.EMAILCONFIG)) with self.app.test_request_context('/register', method='POST', data={"username": "******", "surname": "Kölbel", "givenname": "Cornelius", "password": "******", "email": "*****@*****.**"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) # Registering the user a second time will fail with self.app.test_request_context('/register', method='POST', data={"username": "******", "surname": "Kölbel", "givenname": "Cornelius", "password": "******", "email": "*****@*****.**"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 400, res) # get the register status with self.app.test_request_context('/register', method='GET'): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) data = json.loads(res.data.decode('utf8')) self.assertEqual(data.get("result").get("value"), True)
def test_12_authcache(self): password = "******" username = "******" realm = "myrealm" resolver = "reso001" pw_hash = binascii.hexlify(hashlib.sha256(password).digest()) r = save_resolver({"resolver": "reso001", "type": "passwdresolver", "fileName": "tests/testdata/passwords"}) (added, failed) = set_realm("myrealm", ["reso001"]) def fake_check_user_pass(user, passw, options=None): return True, {"message": "Fake Authentication"} set_policy(name="pol1", scope=SCOPE.AUTH, realm=realm, resolver=resolver, action="{0!s}={1!s}".format(ACTION.AUTH_CACHE, "4h/5m")) g = FakeFlaskG() P = PolicyClass() g.policy_object = P g.audit_object = FakeAudit() options = {"g": g} # This successfully authenticates against the authcache # We have an authentication, that is within the policy timeout AuthCache(username, realm, resolver, pw_hash, first_auth=datetime.datetime.utcnow() - timedelta(hours=3), last_auth=datetime.datetime.utcnow() - timedelta(minutes=1)).save() r = auth_cache(fake_check_user_pass, User("cornelius", "myrealm"), password, options=options) self.assertTrue(r[0]) self.assertEqual(r[1].get("message"), "Authenticated by AuthCache." ) # We have an authentication, that is not read from the authcache, # since the authcache first_auth is too old. delete_from_cache(username, realm, resolver, pw_hash) AuthCache(username, realm, resolver, pw_hash, first_auth=datetime.datetime.utcnow() - timedelta(hours=5), last_auth=datetime.datetime.utcnow() - timedelta( minutes=1)).save() r = auth_cache(fake_check_user_pass, User("cornelius", "myrealm"), password, options=options) self.assertTrue(r[0]) self.assertEqual(r[1].get("message"), "Fake Authentication") # We have an authentication, that is not read from authcache, since # the last_auth is too old = 10 minutes. delete_from_cache(username, realm, resolver, pw_hash) AuthCache(username, realm, resolver, pw_hash, first_auth=datetime.datetime.utcnow() - timedelta(hours=1), last_auth=datetime.datetime.utcnow() - timedelta( minutes=10)).save() r = auth_cache(fake_check_user_pass, User("cornelius", "myrealm"), password, options=options) self.assertTrue(r[0]) self.assertEqual(r[1].get("message"), "Fake Authentication") # We have a policy, with no special last_auth delete_policy("pol1") set_policy(name="pol1", scope=SCOPE.AUTH, realm=realm, resolver=resolver, action="{0!s}={1!s}".format(ACTION.AUTH_CACHE, "4h")) g = FakeFlaskG() P = PolicyClass() g.policy_object = P g.audit_object = FakeAudit() options = {"g": g} delete_from_cache(username, realm, resolver, pw_hash) AuthCache(username, realm, resolver, pw_hash, first_auth=datetime.datetime.utcnow() - timedelta(hours=2), last_auth=datetime.datetime.utcnow() - timedelta( hours=1)).save() r = auth_cache(fake_check_user_pass, User("cornelius", "myrealm"), password, options=options) self.assertTrue(r[0]) self.assertEqual(r[1].get("message"), "Authenticated by AuthCache.") # Clean up delete_policy("pol1") delete_realm("myrealm") delete_resolver("reso001")
def test_12_passwdresolver(self): # Create a resolver with an empty filename # will use the filename /etc/passwd rid = save_resolver( { "resolver": self.resolvername1, "type": "passwdresolver", "fileName": "", "type.fileName": "string", "desc.fileName": "The name of the file", } ) self.assertTrue(rid > 0, rid) y = get_resolver_object(self.resolvername1) y.loadFile() delete_resolver(self.resolvername1) # Load a file with an empty line rid = save_resolver( { "resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE, "type.fileName": "string", "desc.fileName": "The name of the file", } ) self.assertTrue(rid > 0, rid) y = get_resolver_object(self.resolvername1) y.loadFile() ulist = y.getUserList({"username": "******"}) self.assertTrue(len(ulist) > 1, ulist) self.assertTrue(y.checkPass("1000", "test")) self.assertFalse(y.checkPass("1000", "wrong password")) self.assertRaises(NotImplementedError, y.checkPass, "1001", "secret") self.assertFalse(y.checkPass("1002", "no pw at all")) self.assertTrue(y.getUsername("1000") == "cornelius", y.getUsername("1000")) self.assertTrue(y.getUserId(u"cornelius") == "1000", y.getUserId("cornelius")) self.assertTrue(y.getUserId("user does not exist") == "") sF = y.getSearchFields({"username": "******"}) self.assertTrue(sF.get("username") == "text", sF) # unknown search fields. We get an empty userlist r = y.getUserList({"blabla": "something"}) self.assertTrue(r == [], r) # list exactly one user r = y.getUserList({"userid": "=1000"}) self.assertTrue(len(r) == 1, r) r = y.getUserList({"userid": "<1001"}) self.assertTrue(len(r) == 1, r) r = y.getUserList({"userid": ">1000"}) self.assertTrue(len(r) > 1, r) r = y.getUserList({"userid": "between 1000, 1001"}) self.assertTrue(len(r) == 2, r) r = y.getUserList({"userid": "between 1001, 1000"}) self.assertTrue(len(r) == 2, r) r = y.getUserList({"userid": "<=1000"}) self.assertTrue(len(r) == 1, "%s" % r) r = y.getUserList({"userid": ">=1000"}) self.assertTrue(len(r) > 1, r) r = y.getUserList({"description": "field1"}) self.assertTrue(len(r) == 0, r) r = y.getUserList({"email": "field1"}) self.assertTrue(len(r) == 0, r) rid = y.getResolverId() self.assertTrue(rid == PWFILE, rid) rtype = y.getResolverType() self.assertTrue(rtype == "passwdresolver", rtype) rdesc = y.getResolverDescriptor() self.assertTrue("config" in rdesc.get("passwdresolver"), rdesc) self.assertTrue("clazz" in rdesc.get("passwdresolver"), rdesc) # internal stringMatch function self.assertTrue(y._stringMatch(u"Hallo", "*lo")) self.assertTrue(y._stringMatch("Hallo", u"Hal*")) self.assertFalse(y._stringMatch("Duda", "Hal*")) self.assertTrue(y._stringMatch("HalloDuda", "*Du*")) self.assertTrue(y._stringMatch("Duda", "Duda"))
def test_02_create_update_delete_user(self): realm = "sqlrealm" resolver = "SQL1" parameters = self.parameters parameters["resolver"] = resolver parameters["type"] = "sqlresolver" rid = save_resolver(parameters) self.assertTrue(rid > 0, rid) (added, failed) = set_realm(realm, [resolver]) self.assertEqual(len(failed), 0) self.assertEqual(len(added), 1) # CREATE a user with self.app.test_request_context('/user/', method='POST', data={"user": "******", "resolver": resolver, "surname": "zappa", "givenname": "frank", "email": "*****@*****.**", "phone": "12345", "mobile": "12345", "password": "******"}, headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue(result.get("value") > 6, result.get("value")) # Get users with self.app.test_request_context('/user/', method='GET', query_string=urlencode( {"username": "******"}), headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue(result.get("status")) self.assertEqual(result.get("value")[0].get("username"), "wordy") # Update by administrator. Set the password to "passwort" with self.app.test_request_context('/user/', method='PUT', query_string=urlencode( {"user": "******", "resolver": resolver, "password": "******"}), headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue(result.get("value")) # Get user authentication and update by user. with self.app.test_request_context('/auth', method='POST', data={"username": "******".format(realm), "password": "******"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue(result.get("status"), res.data) # In self.at_user we store the user token wordy_auth_token = result.get("value").get("token") # check that this is a user role = result.get("value").get("role") self.assertTrue(role == "user", result) # Even if a user specifies another username, the username is # overwritten by his own name! with self.app.test_request_context('/user/', method='PUT', query_string=urlencode( {"user": "******", "resolver": resolver, "password": "******"}), headers={'Authorization': wordy_auth_token}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue(result.get("value")) # Although the user "wordy" tried to update the password of user # "wordy2", he updated his own password. with self.app.test_request_context('/auth', method='POST', data={"username": "******".format(realm), "password": "******"}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue(result.get("status"), res.data) # In self.at_user we store the user token wordy_auth_token = result.get("value").get("token") # check that this is a user role = result.get("value").get("role") self.assertTrue(role == "user", result) # Delete the users with self.app.test_request_context('/user/{0!s}/{1!s}'.format(resolver, "wordy"), method='DELETE', headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue(result.get("value"))
def test_21_check_all_resolver(self): # check_all_resolver allows to find a policy for a secondary user # resolver. # We create one realm "realm1" with the resolvers # reso1 (prio 1) # reso2 (prio 2) # reso3 (prio 3) # A user user@realm1 will be identified as user.reso1@realm1. # But we will also match policies for reso2. # no realm and resolver r = get_realms() self.assertEqual(r, {}) r = get_resolver_list() self.assertEqual(r, {}) # create user realm for reso in ["reso1", "resoX", "resoA"]: rid = save_resolver({"resolver": reso, "type": "passwdresolver", "fileName": PWFILE}) self.assertTrue(rid > 0, rid) # create a realm with reso1 being the resolver with the highest priority (added, failed) = set_realm("realm1", ["reso1", "resoX", "resoA"], priority={"reso1": 1, "resoX": 2, "resoA": 3}) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 3) user = User(login="******", realm="realm1") # The user, that is created, is cornelius.reso1@realm1 user_str = "{0!s}".format(user) self.assertEqual(user_str, "<cornelius.reso1@realm1>") # But the user "cornelius" is also contained in other resolves in # this realm r = user.get_ordererd_resolvers() self.assertEqual(r, ["reso1", "resoX", "resoA"]) self.assertFalse(user.is_empty()) self.assertTrue(User().is_empty()) # define a policy with the wrong resolver p = set_policy(name="checkAll", scope=SCOPE.AUTHZ, realm="realm1", resolver="resoX", action="{0}=totp".format(ACTION.TOKENTYPE)) self.assertTrue(p > 0) p = set_policy(name="catchAll", scope=SCOPE.AUTHZ, realm="realm1", action="{0}=totp".format(ACTION.TOKENTYPE)) self.assertTrue(p > 0) P = PolicyClass() pols = P.get_policies(scope=SCOPE.AUTHZ, realm=user.realm, resolver=user.resolver, user=user.login) self.assertEqual(len(pols), 1) # Now we change the policy, so that it uses check_all_resolver, i.e. p = set_policy(name="checkAll", scope=SCOPE.AUTHZ, realm="realm1", resolver="resoX", check_all_resolvers=True, action="{0}=totp".format(ACTION.TOKENTYPE)) self.assertTrue(p > 0) P = PolicyClass() pols = P.get_policies(scope=SCOPE.AUTHZ, realm=user.realm, resolver=user.resolver, user=user.login) self.assertEqual(len(pols), 2) # delete policy delete_policy("checkAll") delete_policy("catchAll") # delete resolvers and realm delete_realm("realm1") for reso in ["reso1", "resoX", "resoA"]: rid = delete_resolver(reso) self.assertTrue(rid > 0, rid)