def check_maxtoken_for_user_by_type(user, type_of_token):
'''
This internal function checks the number of assigned tokens to a user
restricted by the policies:
"scope = enrollment", action = "maxtokenTOKENTYPE = <number>"
:param user: to whom the token should belong
:param type_of_token: which type of token should be enrolled or assigned
:raises PolicyException: if maxtoken policy would be violated
'''
_ = context['translate']
if not user or not user.login:
return
client = _get_client()
user_realms = _getUserRealms(user)
log.debug("checking the already assigned tokens for user %r, realms %s"
% (user, user_realms))
# ------------------------------------------------------------------ --
# check the maxtokenTOKENTYPE policy
typed_tokens = linotp.lib.token.getTokens4UserOrSerial(
user, token_type=type_of_token)
for user_realm in user_realms:
policies = get_client_policy(client,
action="maxtoken%s" % type_of_token.upper(),
scope='enrollment',
realm=user_realm,
user=user.login,
userObj=user)
if not policies:
continue
# compare the tokens of the user with the max numbers of the policy
total_maxtoken = get_action_value(
policies, scope='enrollment',
action="maxtoken%s" % type_of_token.upper(), default=-1)
if total_maxtoken == -1 or isinstance(total_maxtoken, bool):
continue
if len(typed_tokens) + 1 > total_maxtoken:
error_msg = _("The maximum number of allowed tokens of type %s "
"per user is exceeded. Check the policies "
"scope=enrollment, action=maxtoken%s"
% (type_of_token, type_of_token.upper()))
raise linotp.lib.policy.MaxTokenTypeUserPolicyException(error_msg)
def check_maxtoken_for_user(user):
'''
This internal function checks the number of assigned tokens to a user
restricted by the policies:
"scope = enrollment", action = "maxtoken = <number>"
:param user: to whom the token should belong
:raises PolicyException: if maxtoken policy would be violated
'''
_ = context['translate']
if not user or not user.login:
return
client = _get_client()
user_realms = _getUserRealms(user)
log.debug("checking the already assigned tokens for user %r, realms %s" %
(user, user_realms))
# ----------------------------------------------------------------------- --
# check the maxtoken policy
action = "maxtoken"
tokens = linotp.lib.token.getTokens4UserOrSerial(user, "")
for user_realm in user_realms:
policies = get_client_policy(client,
scope='enrollment',
action=action,
realm=user_realm,
user=user.login,
userObj=user)
if not policies:
continue
total_maxtoken = get_action_value(policies,
scope='enrollment',
action=action,
default=-1)
if total_maxtoken == -1 or isinstance(total_maxtoken, bool):
continue
if len(tokens) + 1 > total_maxtoken:
error_msg = _("The maximum number of allowed tokens "
"per user is exceeded. Check the "
"policies scope=enrollment, "
"action=maxtoken")
raise linotp.lib.policy.MaxTokenUserPolicyException(error_msg)
def get_pre_context(client):
"""
get the rendering context before the login is shown, so the rendering
of the login page could be controlled if realm_box or mfa_login is
defined
:param client: the rendering is client dependend, so we need the info
:return: context dict, with all rendering attributes
"""
# check for mfa_login, autoassign and autoenroll in policy definition
mfa_login_policy = get_client_policy(client=client,
scope='selfservice',
action='mfa_login')
mfa_3_fields_policy = get_client_policy(client=client,
scope='selfservice',
action='mfa_3_fields')
autoassignment_policy = get_client_policy(client=client,
scope='enrollment',
action='autoassignment')
autoenrollment_policy = get_client_policy(client=client,
scope='enrollment',
action='autoenrollment')
return {
"version": get_version(),
"copyright": get_copyright_info(),
"realms": _get_realms_(),
"settings": {
"default_realm": getDefaultRealm(),
"realm_box": getRealmBox(),
"mfa_login": bool(mfa_login_policy),
"mfa_3_fields": bool(mfa_3_fields_policy),
"autoassign": bool(autoassignment_policy),
"autoenroll": bool(autoenrollment_policy),
},
}
def test_get_client_policy(self, mock_context,
mocked_new_get_client_policy,
mocked_legacy_get_client_policy,
mocked_LOG_error):
"""
test for 'get_client_policy'
"""
scope = 'enrollment'
action = 'otp_pin_random'
largs = [None]
kwargs = {
'action': action,
'scope': scope,
'realm': 'mydefrealm',
'user': '',
'find_resolver': True,
'userObj': User(login='', realm='mydefrealm')
}
ret_policy = {
'self_02': {
'realm': 'myotherrealm',
'name': 'self_02',
'active': 'True',
'client': '*',
'user': '******',
'time': '*',
'action': ('enrollMOTP, disable, resync, setOTPPIN,'
' setMOTPPIN'),
'scope': 'selfservice'
}
}
# ----------------------------------------------------------------- --
# switch to the new one
mock_context.__getitem__.return_value = {
'NewPolicyEvaluation': 'True',
'NewPolicyEvaluation.compare': 'False'
}
mocked_new_get_client_policy.return_value = ret_policy
# run the call
_return_value = get_client_policy(*largs, **kwargs)
mocked_new_get_client_policy.assert_called_once_with(*largs, **kwargs)
mocked_legacy_get_client_policy.assert_not_called()
mocked_new_get_client_policy.reset_mock()
mocked_legacy_get_client_policy.reset_mock()
# ----------------------------------------------------------------- --
# switch to the old one
mock_context.__getitem__.return_value = {
'NewPolicyEvaluation': 'False',
'NewPolicyEvaluation.compare': 'False'
}
mocked_new_get_client_policy.return_value = ret_policy
mocked_legacy_get_client_policy.return_value = ret_policy
# run the call
_return_value = get_client_policy(*largs, **kwargs)
mocked_new_get_client_policy.assert_not_called()
mocked_legacy_get_client_policy.assert_called_once_with(
*largs, **kwargs)
mocked_new_get_client_policy.reset_mock()
mocked_legacy_get_client_policy.reset_mock()
mocked_LOG_error.reset_mock()
# ----------------------------------------------------------------- --
# switch to old one and compare
mock_context.__getitem__.return_value = {
'NewPolicyEvaluation': 'False',
'NewPolicyEvaluation.compare': 'True'
}
mocked_new_get_client_policy.return_value = ret_policy
mocked_legacy_get_client_policy.return_value = ret_policy
# run the call
_return_value = get_client_policy(*largs, **kwargs)
# check the call
mocked_new_get_client_policy.assert_called_once_with(*largs, **kwargs)
mocked_legacy_get_client_policy.assert_called_once_with(
*largs, **kwargs)
mocked_LOG_error.assert_not_called()
mocked_new_get_client_policy.reset_mock()
mocked_legacy_get_client_policy.reset_mock()
mocked_LOG_error.reset_mock()
# ----------------------------------------------------------------- --
# switch to old one and compare - with error
mock_context.__getitem__.return_value = {
'NewPolicyEvaluation': 'False',
'NewPolicyEvaluation.compare': 'True'
}
new_pols = ret_policy
mocked_new_get_client_policy.return_value = new_pols
old_pols = copy.deepcopy(ret_policy)
old_pols['old'] = {'oldy': True}
mocked_legacy_get_client_policy.return_value = old_pols
# run the call
return_value = get_client_policy(*largs, **kwargs)
# check the calling
mocked_new_get_client_policy.assert_called_once_with(*largs, **kwargs)
mocked_legacy_get_client_policy.assert_called_once_with(
*largs, **kwargs)
call = ('old: new %r <> %r', old_pols, new_pols)
mocked_LOG_error.assert_any_call(*call)
self.assertTrue('old' in return_value)
mocked_new_get_client_policy.reset_mock()
mocked_legacy_get_client_policy.reset_mock()
mocked_LOG_error.reset_mock()
return
def test_get_client_policy(
self,
mock_context,
mocked_new_get_client_policy,
mocked_legacy_get_client_policy,
mocked_LOG_error):
"""
test for 'get_client_policy'
"""
scope = 'enrollment'
action = 'otp_pin_random'
largs = [None]
legacy_kwargs = {
'action': action,
'scope': scope,
'realm': 'mydefrealm',
'user': '',
'find_resolver': True,
'userObj': User(login='', realm='mydefrealm')}
kwargs = {}
kwargs.update(legacy_kwargs)
kwargs['active_only'] = True
ret_policy = {'self_02': {
'realm': 'myotherrealm',
'name': 'self_02',
'active': 'True',
'client': '*',
'user': '******',
'time': '*',
'action': ('enrollMOTP, disable, resync, setOTPPIN,'
' setMOTPPIN'),
'scope': 'selfservice'}}
# ----------------------------------------------------------------- --
# switch to the new one
mock_context.__getitem__.return_value = {
'NewPolicyEvaluation': 'True',
'NewPolicyEvaluation.compare': 'False'}
mocked_new_get_client_policy.return_value = ret_policy
# run the call
_return_value = get_client_policy(*largs, **kwargs)
mocked_new_get_client_policy.assert_called_once_with(*largs, **kwargs)
mocked_legacy_get_client_policy.assert_not_called()
mocked_new_get_client_policy.reset_mock()
mocked_legacy_get_client_policy.reset_mock()
# ----------------------------------------------------------------- --
# switch to the old one
mock_context.__getitem__.return_value = {
'NewPolicyEvaluation': 'False',
'NewPolicyEvaluation.compare': 'False'}
mocked_new_get_client_policy.return_value = ret_policy
mocked_legacy_get_client_policy.return_value = ret_policy
# run the call
_return_value = get_client_policy(*largs, **kwargs)
mocked_new_get_client_policy.assert_not_called()
mocked_legacy_get_client_policy.assert_called_once_with(
*largs,
**legacy_kwargs)
mocked_new_get_client_policy.reset_mock()
mocked_legacy_get_client_policy.reset_mock()
mocked_LOG_error.reset_mock()
# ----------------------------------------------------------------- --
# switch to old one and compare
mock_context.__getitem__.return_value = {
'NewPolicyEvaluation': 'False',
'NewPolicyEvaluation.compare': 'True'}
mocked_new_get_client_policy.return_value = ret_policy
mocked_legacy_get_client_policy.return_value = ret_policy
# run the call
_return_value = get_client_policy(*largs, **kwargs)
# check the call
mocked_new_get_client_policy.assert_called_once_with(*largs, **kwargs)
mocked_legacy_get_client_policy.assert_called_once_with(
*largs,
**legacy_kwargs)
mocked_LOG_error.assert_not_called()
mocked_new_get_client_policy.reset_mock()
mocked_legacy_get_client_policy.reset_mock()
mocked_LOG_error.reset_mock()
# ----------------------------------------------------------------- --
# switch to old one and compare - with error
mock_context.__getitem__.return_value = {
'NewPolicyEvaluation': 'False',
'NewPolicyEvaluation.compare': 'True'}
new_pols = ret_policy
mocked_new_get_client_policy.return_value = new_pols
old_pols = copy.deepcopy(ret_policy)
old_pols['old'] = {'oldy': True}
mocked_legacy_get_client_policy.return_value = old_pols
# run the call
return_value = get_client_policy(*largs, **kwargs)
# check the calling
mocked_new_get_client_policy.assert_called_once_with(*largs, **kwargs)
mocked_legacy_get_client_policy.assert_called_once_with(
*largs,
**legacy_kwargs)
call = ('old: new %r <> %r', old_pols, new_pols)
mocked_LOG_error.assert_any_call(*call)
self.assertTrue('old' in return_value)
mocked_new_get_client_policy.reset_mock()
mocked_legacy_get_client_policy.reset_mock()
mocked_LOG_error.reset_mock()
return
