def test_01_create_simple_policy(self): p = set_policy(name="pol1", action="read", scope="system") self.assertTrue(p > 0) p = set_policy(name="pol2", action="tokentype=HOTP", scope=SCOPE.AUTHZ) self.assertTrue(p > 0) p = set_policy(name="pol3", action="serial=OATH", scope=SCOPE.AUTHZ) self.assertTrue(p > 0) p = set_policy(name="pol4", action="enroll, init, disable , enable", scope="admin") self.assertTrue(p > 0) P = PolicyClass() policies = P.get_policies(name="pol3") # only one policy found self.assertTrue(len(policies) == 1, len(policies)) policies = P.get_policies(scope=SCOPE.AUTHZ) self.assertTrue(len(policies) == 2, len(policies)) policies = P.get_policies(scope=SCOPE.AUTHZ, action="tokentype") self.assertTrue(len(policies) == 1, len(policies)) policies = P.get_policies(scope="admin", action="disable") self.assertTrue(len(policies) == 1, len(policies)) self.assertTrue(policies[0].get("name") == "pol4")
def test_11_import_policy(self): with self.app.test_request_context('/policy/import/policy.cfg', method='POST', data=dict(file=(POLICYFILE, 'policy.cfg')), headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue(result["status"] is True, result) self.assertTrue(result["value"] == 2, result) # check if policies are there P = PolicyClass() p1 = P.get_policies(name="importpol1") self.assertTrue(len(p1) == 1, p1) p2 = P.get_policies(name="importpol2") self.assertTrue(len(p2) == 1, p2) # import empty file with self.app.test_request_context( "/policy/import/" "policy_empty_file.cfg", method='POST', data=dict(file=(POLICYEMPTY, "policy_empty_file.cfg")), headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 400, res)
def test_11_import_policy(self): with self.app.test_request_context('/policy/import/policy.cfg', method='POST', data=dict(file=(POLICYFILE, 'policy.cfg')), headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 200, res) result = json.loads(res.data).get("result") self.assertTrue(result["status"] is True, result) self.assertTrue(result["value"] == 2, result) # check if policies are there P = PolicyClass() p1 = P.get_policies(name="importpol1") self.assertTrue(len(p1) == 1, p1) p2 = P.get_policies(name="importpol2") self.assertTrue(len(p2) == 1, p2) # import empty file with self.app.test_request_context("/policy/import/" "policy_empty_file.cfg", method='POST', data=dict(file=(POLICYEMPTY, "policy_empty_file.cfg")), headers={'Authorization': self.at}): res = self.app.full_dispatch_request() self.assertTrue(res.status_code == 400, res)
def test_08_user_policies(self): set_policy(name="pol1", scope="s", user="******") set_policy(name="pol2", scope="s", user="******") set_policy(name="pol3", scope="s", user="******") set_policy(name="pol4", scope="s", user="******") # get policies for user1 P = PolicyClass() p = P.get_policies(user="******") self.assertTrue(len(p) == 3, (len(p), p)) self.assertTrue(_check_policy_name("pol1", p), p) self.assertTrue(_check_policy_name("pol2", p), p) self.assertFalse(_check_policy_name("pol3", p), p) self.assertTrue(_check_policy_name("pol4", p), p) # get policies for root p = P.get_policies(user="******") self.assertTrue(len(p) == 3, p) self.assertTrue(_check_policy_name("pol1", p), p) self.assertTrue(_check_policy_name("pol2", p), p) self.assertTrue(_check_policy_name("pol3", p), p) self.assertFalse(_check_policy_name("pol4", p), p) # get policies for admin p = P.get_policies(user="******") self.assertTrue(len(p) == 4, p) self.assertTrue(_check_policy_name("pol1", p), p) self.assertTrue(_check_policy_name("pol2", p), p) self.assertTrue(_check_policy_name("pol3", p), p) self.assertTrue(_check_policy_name("pol4", p), p)
def test_09_realm_resolver_policy(self): set_policy(name="pol1", scope="s", realm="r1") set_policy(name="pol2", scope="s", realm="r1", resolver="reso1") set_policy(name="pol3", scope="s", realm="", resolver="reso2") set_policy(name="pol4", scope="s", realm="r2", active=True) P = PolicyClass() p = P.get_policies(realm="r1") self.assertTrue(len(p) == 3, p) self.assertTrue(_check_policy_name("pol1", p), p) self.assertTrue(_check_policy_name("pol2", p), p) self.assertTrue(_check_policy_name("pol3", p), p) self.assertFalse(_check_policy_name("pol4", p), p) p = P.get_policies(realm="r2") self.assertTrue(len(p) == 2, p) self.assertFalse(_check_policy_name("pol1", p), p) self.assertFalse(_check_policy_name("pol2", p), p) self.assertTrue(_check_policy_name("pol3", p), p) self.assertTrue(_check_policy_name("pol4", p), p) p = P.get_policies(resolver="reso1") self.assertEqual(len(p), 3) self.assertTrue(_check_policy_name("pol1", p), p) self.assertTrue(_check_policy_name("pol2", p), p) self.assertFalse(_check_policy_name("pol3", p), p) self.assertTrue(_check_policy_name("pol4", p), p) p = P.get_policies(resolver="reso2") self.assertTrue(len(p) == 3, p) self.assertTrue(_check_policy_name("pol1", p), p) self.assertFalse(_check_policy_name("pol2", p), p) self.assertTrue(_check_policy_name("pol3", p), p) self.assertTrue(_check_policy_name("pol4", p), p)
def test_07_client_policies(self): delete_policy(name="pol2a") set_policy(name="pol1", scope="s", client="172.16.0.3, 172.16.0.4/24") set_policy(name="pol2", scope="s", client="192.168.0.0/16, " "-192.168.1.1") set_policy(name="pol3", scope="s", client="10.0.0.1, 10.0.0.2, " "10.0.0.3") set_policy(name="pol4", scope="s") # One policy with matching client, one without any clients P = PolicyClass() p = P.get_policies(client="10.0.0.1") self.assertTrue(_check_policy_name("pol3", p), p) self.assertTrue(_check_policy_name("pol4", p), p) self.assertTrue(len(p) == 2, p) # client matches pol4 and pol2 p = P.get_policies(client="192.168.2.3") self.assertTrue(_check_policy_name("pol2", p), p) self.assertTrue(_check_policy_name("pol4", p), p) self.assertTrue(len(p) == 2, p) # client only matches pol4, since it is excluded in pol2 p = P.get_policies(client="192.168.1.1") self.assertTrue(_check_policy_name("pol4", p), p) self.assertTrue(len(p) == 1, p)
def test_09_realm_resolver_policy(self): set_policy(name="pol1", scope="s", realm="r1") set_policy(name="pol2", scope="s", realm="r1", resolver="reso1") set_policy(name="pol3", scope="s", realm="", resolver="reso2") set_policy(name="pol4", scope="s", realm="r2", active="true") P = PolicyClass() p = P.get_policies(realm="r1") self.assertTrue(len(p) == 3, p) self.assertTrue(_check_policy_name("pol1", p), p) self.assertTrue(_check_policy_name("pol2", p), p) self.assertTrue(_check_policy_name("pol3", p), p) self.assertFalse(_check_policy_name("pol4", p), p) p = P.get_policies(realm="r2") self.assertTrue(len(p) == 2, p) self.assertFalse(_check_policy_name("pol1", p), p) self.assertFalse(_check_policy_name("pol2", p), p) self.assertTrue(_check_policy_name("pol3", p), p) self.assertTrue(_check_policy_name("pol4", p), p) p = P.get_policies(resolver="reso1") self.assertTrue(len(p) == 3, p) self.assertTrue(_check_policy_name("pol1", p), p) self.assertTrue(_check_policy_name("pol2", p), p) self.assertFalse(_check_policy_name("pol3", p), p) self.assertTrue(_check_policy_name("pol4", p), p) p = P.get_policies(resolver="reso2") self.assertTrue(len(p) == 3, p) self.assertTrue(_check_policy_name("pol1", p), p) self.assertFalse(_check_policy_name("pol2", p), p) self.assertTrue(_check_policy_name("pol3", p), p) self.assertTrue(_check_policy_name("pol4", p), p)
def test_22_non_ascii_user(self): set_policy(name="polnonascii", action="enroll, otppin=1", user=u'nönäscii', scope='s') P = PolicyClass() p = P.get_policies(action="enroll", user='******') self.assertEqual(len(p), 0) p = P.get_policies(action="enroll", user=u'nönäscii') self.assertEqual(len(p), 1)
def test_05_export_policies(self): P = PolicyClass() policies = P.get_policies() file = export_policies(policies) self.assertTrue("[pol1]" in file, file) self.assertTrue("[pol2]" in file, file) self.assertTrue("[pol3]" in file, file)
def get_config_documentation(): """ returns an restructured text document, that describes the complete configuration. """ P = PolicyClass() config = get_from_config() resolvers = get_resolver_list() realms = get_realms() policies = P.get_policies() admins = get_db_admins() context = { "system": socket.getfqdn(socket.gethostname()), "date": datetime.datetime.now().strftime("%Y-%m-%d %H:%M"), "systemconfig": config, "appconfig": current_app.config, "resolverconfig": resolvers, "realmconfig": realms, "policyconfig": policies, "admins": admins } g.audit_object.log({"success": True}) # Three or more line breaks will be changed to two. return re.sub("\n{3,}", "\n\n", render_template("documentation.rst", context=context))
def get_config_documentation(): """ returns an restructured text document, that describes the complete configuration. """ P = PolicyClass() config = get_from_config() resolvers = get_resolver_list() realms = get_realms() policies = P.get_policies() admins = get_db_admins() context = {"system": socket.getfqdn(socket.gethostname()), "date": datetime.datetime.now().strftime("%Y-%m-%d %H:%M"), "systemconfig": config, "appconfig": current_app.config, "resolverconfig": resolvers, "realmconfig": realms, "policyconfig": policies, "admins": admins} g.audit_object.log({"success": True}) # Three or more line breaks will be changed to two. return re.sub("\n{3,}", "\n\n", render_template("documentation.rst", context=context))
def test_10_action_policies(self): set_policy(name="pol1", action="enroll, init, disable") set_policy(name="pol2", action="enroll, otppin=1") set_policy(name="pol3", action="*, -disable") set_policy(name="pol4", action="*, -otppin=2") P = PolicyClass() p = P.get_policies(action="enroll") self.assertTrue(len(p) == 4, (len(p), p)) p = P.get_policies(action="init") self.assertTrue(len(p) == 3, (len(p), p)) p = P.get_policies(action="disable") self.assertTrue(len(p) == 2, (len(p), p)) p = P.get_policies(action="otppin") self.assertTrue(len(p) == 2, (len(p), p))
def test_06_import_policies(self): P = PolicyClass() file = export_policies(P.get_policies()) delete_policy("pol1") delete_policy("pol2") delete_policy("pol3") P = PolicyClass() policies = P.get_policies() self.assertFalse(_check_policy_name("pol1", policies), policies) self.assertFalse(_check_policy_name("pol2", policies), policies) self.assertFalse(_check_policy_name("pol3", policies), policies) # Now import the policies again num = import_policies(file) self.assertTrue(num == 4, num) P = PolicyClass() policies = P.get_policies() self.assertTrue(_check_policy_name("pol1", policies), policies) self.assertTrue(_check_policy_name("pol2", policies), policies) self.assertTrue(_check_policy_name("pol3", policies), policies)
def test_18_policy_with_time(self): set_policy(name="time1", scope=SCOPE.AUTHZ, action="tokentype=hotp totp, enroll", time="Mon-Wed: 0-23:59") tn = datetime.datetime.now() dow = tn.isoweekday() P = PolicyClass() policies = P.get_policies(name="time1", scope=SCOPE.AUTHZ, all_times=True) self.assertEqual(len(policies), 1) policies = P.get_policies(name="time1", scope=SCOPE.AUTHZ) if dow in [1, 2, 3]: self.assertEqual(len(policies), 1) else: self.assertEqual(len(policies), 0) delete_policy("time1")
def list(): """ list the policies """ P = PolicyClass() policies = P.get_policies() print "Active \t Name \t Scope" print 40*"=" for policy in policies: print("%s \t %s \t %s" % (policy.get("active"), policy.get("name"), policy.get("scope")))
def single_page_application(): instance = request.script_root if instance == "/": instance = "" # The backend URL should come from the configuration of the system. backend_url = "" # The default theme. We can change this later theme = current_app.config.get("PI_CSS", DEFAULT_THEME) # Get further customizations customization = current_app.config.get("PI_CUSTOMIZATION", "/static/customize/") customization = customization.strip('/') # TODO: we should add the CSS into PI_CUSTOMZATION/css # Enrollment-Wizard: # PI_CUSTOMIZATION/views/includes/token.enroll.pre.top.html # PI_CUSTOMIZATION/views/includes/token.enroll.pre.bottom.html # PI_CUSTOMIZATION/views/includes/token.enroll.post.top.html # PI_CUSTOMIZATION/views/includes/token.enroll.post.bottom.html browser_lang = request.accept_languages.best_match(["en", "de"]) # check if login with REMOTE_USER is allowed. remote_user = "" password_reset = False if not hasattr(request, "all_data"): request.all_data = {} # Depending on displaying the realm dropdown, we fill realms or not. policy_object = PolicyClass() realms = "" client_ip = request.access_route[0] if request.access_route else \ request.remote_addr realm_dropdown = policy_object.get_policies(action=ACTION.REALMDROPDOWN, scope=SCOPE.WEBUI, client=client_ip) if realm_dropdown: realms = ",".join(get_realms().keys()) try: if is_remote_user_allowed(request): remote_user = request.remote_user password_reset = is_password_reset() hsm_ready = True except HSMException: hsm_ready = False return render_template("index.html", instance=instance, backendUrl=backend_url, browser_lang=browser_lang, remote_user=remote_user, theme=theme, password_reset=password_reset, hsm_ready=hsm_ready, customization=customization, realms=realms)
def is_password_reset(): """ Check if password reset is allowed. We need to check, if a user policy with password_reset exists AND if an editable resolver exists. Otherwise password_reset does not make any sense. :return: True or False """ rlist = get_resolver_list(editable=True) log.debug("Number of editable resolvers: %s" % len(rlist)) Policy = PolicyClass() policy_at_all = Policy.get_policies(scope=SCOPE.USER, active=True) log.debug("Policy at all: %s" % policy_at_all) policy_reset_pw = Policy.get_policies(scope=SCOPE.USER, action=ACTION.PASSWORDRESET) log.debug("Password reset policy: %s" % policy_reset_pw) pwreset = (policy_at_all and policy_reset_pw) or not policy_at_all log.debug("Password reset allowed via policy: %s" % pwreset) return bool(rlist and pwreset)
def is_password_reset(): """ Check if password reset is allowed. We need to check, if a user policy with password_reset exists AND if an editable resolver exists. Otherwise password_reset does not make any sense. :return: True or False """ rlist = get_resolver_list(editable=True) log.debug("Number of editable resolvers: {0!s}".format(len(rlist))) Policy = PolicyClass() policy_at_all = Policy.get_policies(scope=SCOPE.USER, active=True) log.debug("Policy at all: {0!s}".format(policy_at_all)) policy_reset_pw = Policy.get_policies(scope=SCOPE.USER, action=ACTION.PASSWORDRESET) log.debug("Password reset policy: {0!s}".format(policy_reset_pw)) pwreset = (policy_at_all and policy_reset_pw) or not policy_at_all log.debug("Password reset allowed via policy: {0!s}".format(pwreset)) return bool(rlist and pwreset)
def single_page_application(): instance = request.script_root if instance == "/": instance = "" # The backend URL should come from the configuration of the system. backend_url = "" # The default theme. We can change this later theme = current_app.config.get("PI_CSS", DEFAULT_THEME) # Get further customizations customization = current_app.config.get("PI_CUSTOMIZATION", "/static/customize/") customization = customization.strip('/') # TODO: we should add the CSS into PI_CUSTOMZATION/css # Enrollment-Wizard: # PI_CUSTOMIZATION/views/includes/token.enroll.pre.top.html # PI_CUSTOMIZATION/views/includes/token.enroll.pre.bottom.html # PI_CUSTOMIZATION/views/includes/token.enroll.post.top.html # PI_CUSTOMIZATION/views/includes/token.enroll.post.bottom.html browser_lang = request.accept_languages.best_match(["en", "de"]) # check if login with REMOTE_USER is allowed. remote_user = "" password_reset = False # Depending on displaying the realm dropdown, we fill realms or not. policy_object = PolicyClass() realms = "" client_ip = request.access_route[0] if request.access_route else \ request.remote_addr realm_dropdown = policy_object.get_policies(action=ACTION.REALMDROPDOWN, scope=SCOPE.WEBUI, client=client_ip) if realm_dropdown: realms = ",".join(get_realms().keys()) try: if is_remote_user_allowed(request): remote_user = request.remote_user password_reset = is_password_reset() hsm_ready = True except HSMException: hsm_ready = False return render_template("index.html", instance=instance, backendUrl=backend_url, browser_lang=browser_lang, remote_user=remote_user, theme=theme, password_reset=password_reset, hsm_ready=hsm_ready, customization=customization, realms=realms)
def test_21_check_all_resolver(self): # check_all_resolver allows to find a policy for a secondary user # resolver. # We create one realm "realm1" with the resolvers # reso1 (prio 1) # reso2 (prio 2) # reso3 (prio 3) # A user user@realm1 will be identified as user.reso1@realm1. # But we will also match policies for reso2. # no realm and resolver r = get_realms() self.assertEqual(r, {}) r = get_resolver_list() self.assertEqual(r, {}) # create user realm for reso in ["reso1", "resoX", "resoA"]: rid = save_resolver({"resolver": reso, "type": "passwdresolver", "fileName": PWFILE}) self.assertTrue(rid > 0, rid) # create a realm with reso1 being the resolver with the highest priority (added, failed) = set_realm("realm1", ["reso1", "resoX", "resoA"], priority={"reso1": 1, "resoX": 2, "resoA": 3}) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 3) user = User(login="******", realm="realm1") # The user, that is created, is cornelius.reso1@realm1 user_str = "{0!s}".format(user) self.assertEqual(user_str, "<cornelius.reso1@realm1>") # But the user "cornelius" is also contained in other resolves in # this realm r = user.get_ordererd_resolvers() self.assertEqual(r, ["reso1", "resoX", "resoA"]) self.assertFalse(user.is_empty()) self.assertTrue(User().is_empty()) # define a policy with the wrong resolver p = set_policy(name="checkAll", scope=SCOPE.AUTHZ, realm="realm1", resolver="resoX", action="{0}=totp".format(ACTION.TOKENTYPE)) self.assertTrue(p > 0) p = set_policy(name="catchAll", scope=SCOPE.AUTHZ, realm="realm1", action="{0}=totp".format(ACTION.TOKENTYPE)) self.assertTrue(p > 0) P = PolicyClass() pols = P.get_policies(scope=SCOPE.AUTHZ, realm=user.realm, resolver=user.resolver, user=user.login) self.assertEqual(len(pols), 1) # Now we change the policy, so that it uses check_all_resolver, i.e. p = set_policy(name="checkAll", scope=SCOPE.AUTHZ, realm="realm1", resolver="resoX", check_all_resolvers=True, action="{0}=totp".format(ACTION.TOKENTYPE)) self.assertTrue(p > 0) P = PolicyClass() pols = P.get_policies(scope=SCOPE.AUTHZ, realm=user.realm, resolver=user.resolver, user=user.login) self.assertEqual(len(pols), 2) # delete policy delete_policy("checkAll") delete_policy("catchAll") # delete resolvers and realm delete_realm("realm1") for reso in ["reso1", "resoX", "resoA"]: rid = delete_resolver(reso) self.assertTrue(rid > 0, rid)
def test_23_priorities(self): # create three policies with three different texts and different priorities set_policy(name="email1", scope=SCOPE.AUTH, action="emailtext=text 1", priority=4) set_policy(name="email2", scope=SCOPE.AUTH, action="emailtext=text 2", priority=1) set_policy(name="email3", scope=SCOPE.AUTH, action="emailtext=text 3", priority=77) # this chooses email2, because it has the highest priority P = PolicyClass() self.assertEqual( P.get_action_values(action="emailtext", scope=SCOPE.AUTH, unique=True, allow_white_space_in_action=True), ["text 2"]) delete_policy("email2") P.reload_from_db() # with email2 gone, this chooses email1 self.assertEqual( P.get_action_values(action="emailtext", scope=SCOPE.AUTH, unique=True, allow_white_space_in_action=True), ["text 1"]) # if we now add another policy with priority 77, we get no conflict # because email1 is chosen set_policy(name="email4", scope=SCOPE.AUTH, action="emailtext=text 4", priority=77) P.reload_from_db() self.assertEqual( P.get_action_values(action="emailtext", scope=SCOPE.AUTH, unique=True, allow_white_space_in_action=True), ["text 1"]) # but we get a conflict if we change the priority of email4 to 4 set_policy(name="email4", scope=SCOPE.AUTH, action="emailtext=text 4", priority=4) P.reload_from_db() with self.assertRaises(PolicyError) as cm: P.get_action_values(action="emailtext", scope=SCOPE.AUTH, unique=True, allow_white_space_in_action=True) self.assertIn("policies with conflicting actions", str(cm.exception)) pols = P.get_policies(action="emailtext", scope=SCOPE.AUTH) self.assertEqual(len(pols), 3) with self.assertRaises(PolicyError) as cm: P.check_for_conflicts(pols, "emailtext") P.check_for_conflicts([], "emailtext") P.check_for_conflicts([pols[0]], "emailtext") # we can also change the priority set_policy(name="email4", priority=3) P.reload_from_db() self.assertEqual( P.get_action_values(action="emailtext", scope=SCOPE.AUTH, unique=True, allow_white_space_in_action=True), ["text 4"]) # now we have # email1, priority=4 # email3, priority=77 # email4, priority=3 # export, delete all, re-import exported = export_policies(P.get_policies()) self.assertIn("priority = 4", exported) self.assertIn("priority = 77", exported) delete_all_policies() import_policies(exported) pols = P.get_policies(action="emailtext", scope=SCOPE.AUTH) self.assertEqual(len(pols), 3) # this sorts by priority self.assertEqual([p['name'] for p in pols], ['email4', 'email1', 'email3']) # priority must be at least 1 with self.assertRaises(ParameterError): set_policy(name="email4", scope=SCOPE.AUTH, priority=0) with self.assertRaises(ParameterError): set_policy(name="email4", scope=SCOPE.AUTH, priority=-5) delete_policy("email1") delete_policy("email3") delete_policy("email4")
def single_page_application(): instance = request.script_root if instance == "/": instance = "" # The backend URL should come from the configuration of the system. backend_url = "" if current_app.config.get("PI_UI_DEACTIVATED"): # Do not provide the UI return render_template("deactivated.html") # The default theme. We can change this later theme = current_app.config.get("PI_CSS", DEFAULT_THEME) # Get further customizations customization = current_app.config.get("PI_CUSTOMIZATION", "/static/customize/") customization = customization.strip('/') # TODO: we should add the CSS into PI_CUSTOMZATION/css # Enrollment-Wizard: # PI_CUSTOMIZATION/views/includes/token.enroll.pre.top.html # PI_CUSTOMIZATION/views/includes/token.enroll.pre.bottom.html # PI_CUSTOMIZATION/views/includes/token.enroll.post.top.html # PI_CUSTOMIZATION/views/includes/token.enroll.post.bottom.html # Get the hidden external links external_links = current_app.config.get("PI_EXTERNAL_LINKS", True) # Get the logo file logo = current_app.config.get("PI_LOGO", "privacyIDEA1.png") browser_lang = request.accept_languages.best_match(["en", "de"]) # check if login with REMOTE_USER is allowed. remote_user = "" password_reset = False if not hasattr(request, "all_data"): request.all_data = {} # Depending on displaying the realm dropdown, we fill realms or not. policy_object = PolicyClass() realms = "" client_ip = request.access_route[0] if request.access_route else \ request.remote_addr realm_dropdown = policy_object.get_policies(action=ACTION.REALMDROPDOWN, scope=SCOPE.WEBUI, client=client_ip, active=True) if realm_dropdown: try: realm_dropdown_values = policy_object.get_action_values( action=ACTION.REALMDROPDOWN, scope=SCOPE.WEBUI, client=client_ip) # Use the realms from the policy. realms = ",".join(realm_dropdown_values) except AttributeError as ex: # The policy is still a boolean realm_dropdown action # Thus we display ALL realms realms = ",".join(get_realms().keys()) if realms: realms = "," + realms try: if is_remote_user_allowed(request): remote_user = request.remote_user password_reset = is_password_reset() hsm_ready = True except HSMException: hsm_ready = False return render_template("index.html", instance=instance, backendUrl=backend_url, browser_lang=browser_lang, remote_user=remote_user, theme=theme, password_reset=password_reset, hsm_ready=hsm_ready, customization=customization, realms=realms, external_links=external_links, logo=logo)
def single_page_application(): instance = request.script_root if instance == "/": instance = "" # The backend URL should come from the configuration of the system. backend_url = "" if current_app.config.get("PI_UI_DEACTIVATED"): # Do not provide the UI return render_template("deactivated.html") # The default theme. We can change this later theme = current_app.config.get("PI_CSS", DEFAULT_THEME) # Get further customizations customization = current_app.config.get("PI_CUSTOMIZATION", "/static/customize/") customization = customization.strip('/') # TODO: we should add the CSS into PI_CUSTOMZATION/css # Enrollment-Wizard: # PI_CUSTOMIZATION/views/includes/token.enroll.pre.top.html # PI_CUSTOMIZATION/views/includes/token.enroll.pre.bottom.html # PI_CUSTOMIZATION/views/includes/token.enroll.post.top.html # PI_CUSTOMIZATION/views/includes/token.enroll.post.bottom.html # Get the hidden external links external_links = current_app.config.get("PI_EXTERNAL_LINKS", True) # Get the logo file logo = current_app.config.get("PI_LOGO", "privacyIDEA1.png") browser_lang = request.accept_languages.best_match( ["en", "de", "de-DE"], default="en").split("-")[0] # The page title can be configured in pi.cfg page_title = current_app.config.get("PI_PAGE_TITLE", "privacyIDEA Authentication System") # check if login with REMOTE_USER is allowed. remote_user = "" password_reset = False if not hasattr(request, "all_data"): request.all_data = {} # Depending on displaying the realm dropdown, we fill realms or not. policy_object = PolicyClass() realms = "" client_ip = get_client_ip(request, get_from_config(SYSCONF.OVERRIDECLIENT)) realm_dropdown = policy_object.get_policies(action=ACTION.REALMDROPDOWN, scope=SCOPE.WEBUI, client=client_ip, active=True) if realm_dropdown: try: realm_dropdown_values = policy_object.get_action_values( action=ACTION.REALMDROPDOWN, scope=SCOPE.WEBUI, client=client_ip) # Use the realms from the policy. realms = ",".join(realm_dropdown_values) except AttributeError as ex: # The policy is still a boolean realm_dropdown action # Thus we display ALL realms realms = ",".join(get_realms()) try: if is_remote_user_allowed(request): remote_user = request.remote_user password_reset = is_password_reset() hsm_ready = True except HSMException: hsm_ready = False # Use policies to determine the customization of menu # and baseline. get_action_values returns an array! sub_state = subscription_status() customization_menu_file = policy_object.get_action_values( allow_white_space_in_action=True, action=ACTION.CUSTOM_MENU, scope=SCOPE.WEBUI, client=client_ip, unique=True) if len(customization_menu_file) and list(customization_menu_file)[0] \ and sub_state not in [1, 2]: customization_menu_file = list(customization_menu_file)[0] else: customization_menu_file = "templates/menu.html" customization_baseline_file = policy_object.get_action_values( allow_white_space_in_action=True, action=ACTION.CUSTOM_BASELINE, scope=SCOPE.WEBUI, client=client_ip, unique=True) if len(customization_baseline_file) and list(customization_baseline_file)[0] \ and sub_state not in [1, 2]: customization_baseline_file = list(customization_baseline_file)[0] else: customization_baseline_file = "templates/baseline.html" login_text = policy_object.get_action_values( allow_white_space_in_action=True, action=ACTION.LOGIN_TEXT, scope=SCOPE.WEBUI, client=client_ip, unique=True) if len(login_text) and list(login_text)[0] and sub_state not in [1, 2]: login_text = list(login_text)[0] else: login_text = "" return render_template( "index.html", instance=instance, backendUrl=backend_url, browser_lang=browser_lang, remote_user=remote_user, theme=theme, password_reset=password_reset, hsm_ready=hsm_ready, has_job_queue=str(has_job_queue()), customization=customization, customization_menu_file=customization_menu_file, customization_baseline_file=customization_baseline_file, realms=realms, external_links=external_links, login_text=login_text, logo=logo, page_title=page_title)
def test_04_delete_policy(self): delete_policy(name="pol4") P = PolicyClass() pol4 = P.get_policies(name="pol4") self.assertTrue(pol4 == [], pol4)
def test_21_check_all_resolver(self): # check_all_resolver allows to find a policy for a secondary user # resolver. # We create one realm "realm1" with the resolvers # reso1 (prio 1) # reso2 (prio 2) # reso3 (prio 3) # A user user@realm1 will be identified as user.reso1@realm1. # But we will also match policies for reso2. # no realm and resolver r = get_realms() self.assertEqual(r, {}) r = get_resolver_list() self.assertEqual(r, {}) # create user realm for reso in ["reso1", "resoX", "resoA"]: rid = save_resolver({ "resolver": reso, "type": "passwdresolver", "fileName": PWFILE }) self.assertTrue(rid > 0, rid) # create a realm with reso1 being the resolver with the highest priority (added, failed) = set_realm("realm1", ["reso1", "resoX", "resoA"], priority={ "reso1": 1, "resoX": 2, "resoA": 3 }) self.assertTrue(len(failed) == 0) self.assertTrue(len(added) == 3) user = User(login="******", realm="realm1") # The user, that is created, is cornelius.reso1@realm1 user_str = "{0!s}".format(user) self.assertEqual(user_str, "<cornelius.reso1@realm1>") # But the user "cornelius" is also contained in other resolves in # this realm r = user.get_ordererd_resolvers() self.assertEqual(r, ["reso1", "resoX", "resoA"]) self.assertFalse(user.is_empty()) self.assertTrue(User().is_empty()) # define a policy with the wrong resolver p = set_policy(name="checkAll", scope=SCOPE.AUTHZ, realm="realm1", resolver="resoX", action="{0}=totp".format(ACTION.TOKENTYPE)) self.assertTrue(p > 0) p = set_policy(name="catchAll", scope=SCOPE.AUTHZ, realm="realm1", action="{0}=totp".format(ACTION.TOKENTYPE)) self.assertTrue(p > 0) P = PolicyClass() pols = P.get_policies(scope=SCOPE.AUTHZ, realm=user.realm, resolver=user.resolver, user=user.login) self.assertEqual(len(pols), 1) # Now we change the policy, so that it uses check_all_resolver, i.e. p = set_policy(name="checkAll", scope=SCOPE.AUTHZ, realm="realm1", resolver="resoX", check_all_resolvers=True, action="{0}=totp".format(ACTION.TOKENTYPE)) self.assertTrue(p > 0) P = PolicyClass() pols = P.get_policies(scope=SCOPE.AUTHZ, realm=user.realm, resolver=user.resolver, user=user.login) self.assertEqual(len(pols), 2) # delete policy delete_policy("checkAll") delete_policy("catchAll") # delete resolvers and realm delete_realm("realm1") for reso in ["reso1", "resoX", "resoA"]: rid = delete_resolver(reso) self.assertTrue(rid > 0, rid)
def single_page_application(): instance = request.script_root if instance == "/": instance = "" # The backend URL should come from the configuration of the system. backend_url = "" if current_app.config.get("PI_UI_DEACTIVATED"): # Do not provide the UI return render_template("deactivated.html") # The default theme. We can change this later theme = current_app.config.get("PI_CSS", DEFAULT_THEME) # Get further customizations customization = current_app.config.get("PI_CUSTOMIZATION", "/static/customize/") customization = customization.strip('/') # TODO: we should add the CSS into PI_CUSTOMZATION/css # Enrollment-Wizard: # PI_CUSTOMIZATION/views/includes/token.enroll.pre.top.html # PI_CUSTOMIZATION/views/includes/token.enroll.pre.bottom.html # PI_CUSTOMIZATION/views/includes/token.enroll.post.top.html # PI_CUSTOMIZATION/views/includes/token.enroll.post.bottom.html # Get the hidden external links external_links = current_app.config.get("PI_EXTERNAL_LINKS", True) # Get the logo file logo = current_app.config.get("PI_LOGO", "privacyIDEA1.png") browser_lang = request.accept_languages.best_match(["en", "de"]) # check if login with REMOTE_USER is allowed. remote_user = "" password_reset = False if not hasattr(request, "all_data"): request.all_data = {} # Depending on displaying the realm dropdown, we fill realms or not. policy_object = PolicyClass() realms = "" client_ip = request.access_route[0] if request.access_route else \ request.remote_addr realm_dropdown = policy_object.get_policies(action=ACTION.REALMDROPDOWN, scope=SCOPE.WEBUI, client=client_ip, active=True) if realm_dropdown: try: realm_dropdown_values = policy_object.get_action_values( action=ACTION.REALMDROPDOWN, scope=SCOPE.WEBUI, client=client_ip) # Use the realms from the policy. realms = ",".join(realm_dropdown_values) except AttributeError as ex: # The policy is still a boolean realm_dropdown action # Thus we display ALL realms realms = ",".join(get_realms().keys()) if realms: realms = "," + realms try: if is_remote_user_allowed(request): remote_user = request.remote_user password_reset = is_password_reset() hsm_ready = True except HSMException: hsm_ready = False # Use policies to determine the customization of menu # and baseline. get_action_values returns an array! sub_state = subscription_status() customization_menu_file = policy_object.get_action_values( allow_white_space_in_action=True, action=ACTION.CUSTOM_MENU, scope=SCOPE.WEBUI, client=client_ip, unique=True) if len(customization_menu_file) and customization_menu_file[0] \ and sub_state not in [1, 2]: customization_menu_file = customization_menu_file[0] else: customization_menu_file = "templates/menu.html" customization_baseline_file = policy_object.get_action_values( allow_white_space_in_action=True, action=ACTION.CUSTOM_BASELINE, scope=SCOPE.WEBUI, client=client_ip, unique=True) if len(customization_baseline_file) and customization_baseline_file[0] \ and sub_state not in [1, 2]: customization_baseline_file = customization_baseline_file[0] else: customization_baseline_file = "templates/baseline.html" return render_template("index.html", instance=instance, backendUrl=backend_url, browser_lang=browser_lang, remote_user=remote_user, theme=theme, password_reset=password_reset, hsm_ready=hsm_ready, customization=customization, customization_menu_file=customization_menu_file, customization_baseline_file=customization_baseline_file, realms=realms, external_links=external_links, logo=logo)
def test_02_update_policies(self): p = set_policy(name="pol1", action="read", scope="system", realm="*", resolver="*", user="******", client="0.0.0.0/0", active="False") self.assertTrue(p > 0) p = set_policy(name="pol2", action="tokentype=HOTP", scope=SCOPE.AUTHZ, realm="*") self.assertTrue(p > 0) p = set_policy(name="pol2a", action="tokentype=TOTP", scope=SCOPE.AUTHZ, realm="realm2") self.assertTrue(p > 0) p = set_policy(name="pol3", action="serial=OATH", scope=SCOPE.AUTHZ, realm="realm1", resolver="resolver1") self.assertTrue(p > 0) p = set_policy(name="pol4", action="enroll, init, disable , enable", scope="admin", realm="realm2", user="******") self.assertTrue(p > 0) # enable and disable policies policies = PolicyClass().get_policies(active=False) num_old = len(policies) p = enable_policy("pol4", False) policies = PolicyClass().get_policies(active=False) self.assertTrue(num_old + 1 == len(policies), (num_old, len(policies))) p = enable_policy("pol4", True) policies = PolicyClass().get_policies(active=False) self.assertTrue(num_old == len(policies), len(policies)) # find inactive policies P = PolicyClass() policies = P.get_policies(active=False) self.assertTrue(len(policies) == 1, len(policies)) self.assertTrue(policies[0].get("name") == "pol1") # find policies action tokentype policies = P.get_policies(action="tokentype") self.assertTrue(len(policies) == 2, policies) # find policies action serial policies = P.get_policies(action="serial") self.assertTrue(len(policies) == 1, policies) # find policies with scope authorization policies = P.get_policies(scope=SCOPE.AUTHZ) self.assertTrue(len(policies) == 3, policies) # find policies authorization and realm2 policies = P.get_policies(action="tokentype", scope=SCOPE.AUTHZ) self.assertTrue(len(policies) == 2, policies) # find policies with user admin policies = P.get_policies(scope="admin", user="******") self.assertTrue(len(policies) == 1, "{0!s}".format(len(policies))) # find policies with resolver2 and authorization. THe result should # be pol2 and pol2a policies = P.get_policies(resolver="resolver2", scope=SCOPE.AUTHZ) self.assertTrue(len(policies) == 2, policies) # find policies with realm1 and authorization. We also include the # "*" into the result list. We find pol2 and pol3 policies = P.get_policies(realm="realm1", scope=SCOPE.AUTHZ) self.assertTrue(len(policies) == 2, policies) # find policies with resolver1 and authorization. # All other authorization policies will also match, since they either # user * or # have no destinct information about resolvers policies = P.get_policies(resolver="resolver1", scope=SCOPE.AUTHZ) self.assertTrue(len(policies) == 3, policies)
def test_02_update_policies(self): p = set_policy(name="pol1", action="read", scope="system", realm="*", resolver="*", user="******", client="0.0.0.0/0", active=False) self.assertTrue(p > 0) p = set_policy(name="pol2", action="tokentype=HOTP", scope=SCOPE.AUTHZ, realm="*") self.assertTrue(p > 0) p = set_policy(name="pol2a", action="tokentype=TOTP", scope=SCOPE.AUTHZ, realm="realm2") self.assertTrue(p > 0) p = set_policy(name="pol3", action="serial=OATH", scope=SCOPE.AUTHZ, realm="realm1", resolver="resolver1") self.assertTrue(p > 0) p = set_policy(name="pol4", action="enroll, init, disable , enable", scope="admin", realm="realm2", user="******") self.assertTrue(p > 0) # enable and disable policies policies = PolicyClass().get_policies(active=False) num_old = len(policies) p = enable_policy("pol4", False) policies = PolicyClass().get_policies(active=False) self.assertTrue(num_old + 1 == len(policies), (num_old, len(policies))) p = enable_policy("pol4", True) policies = PolicyClass().get_policies(active=False) self.assertTrue(num_old == len(policies), len(policies)) # find inactive policies P = PolicyClass() policies = P.get_policies(active=False) self.assertTrue(len(policies) == 1, len(policies)) self.assertTrue(policies[0].get("name") == "pol1") # find policies action tokentype policies = P.get_policies(action="tokentype") self.assertTrue(len(policies) == 2, policies) # find policies action serial policies = P.get_policies(action="serial") self.assertTrue(len(policies) == 1, policies) # find policies with scope authorization policies = P.get_policies(scope=SCOPE.AUTHZ) self.assertTrue(len(policies) == 3, policies) # find policies authorization and realm2 policies = P.get_policies(action="tokentype", scope=SCOPE.AUTHZ) self.assertTrue(len(policies) == 2, policies) # find policies with user admin policies = P.get_policies(scope="admin", user="******") self.assertTrue(len(policies) == 1, "{0!s}".format(len(policies))) # find policies with resolver2 and authorization. THe result should # be pol2 and pol2a policies = P.get_policies(resolver="resolver2", scope=SCOPE.AUTHZ) self.assertTrue(len(policies) == 2, policies) # find policies with realm1 and authorization. We also include the # "*" into the result list. We find pol2 and pol3 policies = P.get_policies(realm="realm1", scope=SCOPE.AUTHZ) self.assertTrue(len(policies) == 2, policies) # find policies with resolver1 and authorization. # All other authorization policies will also match, since they either # user * or # have no destinct information about resolvers policies = P.get_policies(resolver="resolver1", scope=SCOPE.AUTHZ) self.assertTrue(len(policies) == 3, policies)