def test_16_admin_realm(self):
    """Token types offered for enrollment depend on the admin's realm.

    Without any policy the admin is offered every token type.  An ADMIN-scope
    policy bound to ``adminrealm="realm1"`` limits admins of realm1 to the
    listed type (here Yubikey), while an admin of another admin realm is left
    with no enrollment rights at all.
    """
    all_types = ("hotp", "totp", "motp", "sms", "spass", "sshkey", "email",
                 "certificate", "yubico", "yubikey", "radius")
    realm1_admin = {"username": "******", "role": "admin", "realm": "realm1"}

    # No policies defined: every token type is offered.
    policy = PolicyClass()
    offered = policy.ui_get_enroll_tokentypes("127.0.0.1", realm1_admin)
    for ttype in all_types:
        self.assertIn(ttype, offered)

    # Admins of realm1 may only enroll Yubikeys.
    set_policy(name="tokenEnroll", scope=SCOPE.ADMIN, adminrealm="realm1",
               action="enrollYUBIKEY")
    # Fresh instance after the policy change — presumably so the new policy
    # set is read; the original test does the same.
    policy = PolicyClass()
    offered = policy.ui_get_enroll_tokentypes("127.0.0.1", realm1_admin)
    for ttype in all_types:
        if ttype == "yubikey":
            self.assertIn(ttype, offered)
        else:
            self.assertNotIn(ttype, offered)

    # An admin of a different admin realm may enroll nothing.
    other_admin = {"username": "******", "role": "admin", "realm": "OtherRealm"}
    offered = policy.ui_get_enroll_tokentypes("127.0.0.1", other_admin)
    for ttype in all_types:
        self.assertNotIn(ttype, offered)

    delete_policy("tokenEnroll")
def test_16_admin_realm(self):
    """Enrollment token types are filtered by the admin realm of the caller.

    Without a policy the admin gets every token type; with an ADMIN-scope
    policy restricted to ``adminrealm="realm1"`` only ``yubikey`` remains for
    realm1 admins and an admin of another realm gets nothing.
    """
    token_types = ["hotp", "totp", "motp", "sms", "spass", "sshkey", "email",
                   "certificate", "yubico", "yubikey", "radius"]

    def expect(policy, user, allowed):
        # Every type in `allowed` must be offered, every other type must not.
        offered = policy.ui_get_enroll_tokentypes("127.0.0.1", user)
        for name in token_types:
            if name in allowed:
                self.assertIn(name, offered)
            else:
                self.assertNotIn(name, offered)

    admin_realm1 = {"username": "******", "role": "admin", "realm": "realm1"}

    # Without policies, the admin gets all.
    expect(PolicyClass(), admin_realm1, set(token_types))

    # An admin in realm1 may only enroll Yubikeys.
    set_policy(name="tokenEnroll", scope=SCOPE.ADMIN, adminrealm="realm1",
               action="enrollYUBIKEY")
    policy = PolicyClass()  # new instance after the policy change, as the original does
    expect(policy, admin_realm1, {"yubikey"})

    # An admin in another admin realm may enroll nothing.
    admin_other = {"username": "******", "role": "admin", "realm": "OtherRealm"}
    expect(policy, admin_other, set())

    delete_policy("tokenEnroll")
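def test_15_ui_tokentypes(self):
    """Check which token types the enrollment UI offers under different policies.

    Covered: an admin without any policy (all types), an admin restricted by
    an ADMIN-scope ``enrollYUBIKEY`` policy (only ``yubikey``), and a plain
    user whose only USER-scope action is ``disable`` (nothing).

    Both policies created here are deleted at the end so that no policy
    leaks into later tests, which assume a clean policy set.
    """
    all_types = ("hotp", "totp", "motp", "sms", "spass", "sshkey", "email",
                 "certificate", "yubico", "yubikey", "radius")
    admin = {"username": "******", "role": "admin", "realm": "realm1"}

    # Without policies, the admin gets all.
    P = PolicyClass()
    tt = P.ui_get_enroll_tokentypes("127.0.0.1", admin)
    for ttype in all_types:
        self.assertIn(ttype, tt)

    # An admin may only enroll Yubikeys.
    set_policy(name="tokenEnroll", scope=SCOPE.ADMIN, action="enrollYUBIKEY")
    P = PolicyClass()  # new instance after the policy change, as elsewhere in the file
    tt = P.ui_get_enroll_tokentypes("127.0.0.1", admin)
    for ttype in all_types:
        if ttype == "yubikey":
            self.assertIn(ttype, tt)
        else:
            self.assertNotIn(ttype, tt)

    # A user may enroll nothing: the only USER-scope action is "disable".
    set_policy(name="someUserAction", scope=SCOPE.USER, action="disable")
    P = PolicyClass()
    user = {"username": "******", "realm": "realm", "role": "user"}
    tt = P.ui_get_enroll_tokentypes("127.0.0.1", user)
    self.assertEqual(len(tt), 0)

    # Remove both policies; the user-scope one was previously left behind.
    delete_policy("tokenEnroll")
    delete_policy("someUserAction")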
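def test_15_ui_tokentypes(self):
    """Verify the enrollment token types the UI gets for admins and users.

    An admin without policies is offered every token type, an ADMIN-scope
    ``enrollYUBIKEY`` policy narrows that to ``yubikey``, and a user whose
    USER-scope policy only grants ``disable`` is offered nothing.

    Every policy created here is removed again at the end, so the policy
    state does not leak into the tests that follow.
    """
    token_types = ["hotp", "totp", "motp", "sms", "spass", "sshkey", "email",
                   "certificate", "yubico", "yubikey", "radius"]

    def check(policy, user, allowed):
        # Types in `allowed` must be offered; all other known types must not.
        offered = policy.ui_get_enroll_tokentypes("127.0.0.1", user)
        for name in token_types:
            if name in allowed:
                self.assertIn(name, offered)
            else:
                self.assertNotIn(name, offered)

    admin = {"username": "******", "role": "admin", "realm": "realm1"}

    # Without policies, the admin gets all.
    check(PolicyClass(), admin, set(token_types))

    # An admin may only enroll Yubikeys.
    set_policy(name="tokenEnroll", scope=SCOPE.ADMIN, action="enrollYUBIKEY")
    check(PolicyClass(), admin, {"yubikey"})  # fresh instance after the policy change

    # A user may enroll nothing.
    set_policy(name="someUserAction", scope=SCOPE.USER, action="disable")
    P = PolicyClass()
    tt = P.ui_get_enroll_tokentypes("127.0.0.1",
                                    {"username": "******", "realm": "realm", "role": "user"})
    self.assertEqual(len(tt), 0)

    # Clean up both policies (the user-scope one used to be left behind).
    delete_policy("tokenEnroll")
    delete_policy("someUserAction")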
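def test_15_ui_tokentypes(self):
    """Check which token types the enrollment UI offers under different policies.

    Covered: an admin without any policy (all types), an admin restricted by
    an ADMIN-scope ``enrollYUBIKEY`` policy (only ``yubikey``), a plain user
    whose only USER-scope action is ``disable`` (nothing), and two admins
    whose enroll rights differ per realm.

    Every policy created here is deleted again before the test ends so that
    no policy leaks into later tests, which assume a clean policy set.
    """
    all_types = ("hotp", "totp", "motp", "sms", "spass", "sshkey", "email",
                 "certificate", "yubico", "yubikey", "radius")
    admin = {"username": "******", "role": "admin", "realm": "realm1"}

    # Without policies, the admin gets all.
    P = PolicyClass()
    tt = P.ui_get_enroll_tokentypes("127.0.0.1", admin)
    for ttype in all_types:
        self.assertIn(ttype, tt)

    # An admin may only enroll Yubikeys.
    set_policy(name="tokenEnroll", scope=SCOPE.ADMIN, action="enrollYUBIKEY")
    P = PolicyClass()  # new instance after the policy change, as elsewhere in the file
    tt = P.ui_get_enroll_tokentypes("127.0.0.1", admin)
    for ttype in all_types:
        if ttype == "yubikey":
            self.assertIn(ttype, tt)
        else:
            self.assertNotIn(ttype, tt)

    # A user may enroll nothing: the only USER-scope action is "disable".
    set_policy(name="someUserAction", scope=SCOPE.USER, action="disable")
    P = PolicyClass()
    user = {"username": "******", "realm": "realm", "role": "user"}
    tt = P.ui_get_enroll_tokentypes("127.0.0.1", user)
    self.assertEqual(len(tt), 0)

    # Remove both policies before the next scenario; the user-scope one was
    # previously left behind.
    delete_policy("tokenEnroll")
    delete_policy("someUserAction")

    # Two admins:
    # adminA is allowed to enroll tokens in all realms
    # adminB is allowed to enroll tokens only in realmB
    # NOTE(review): the usernames are redacted ("******") in this copy, so the
    # three lookups below cannot be told apart here — verify the distinct
    # admin names against the original test.
    set_policy(name="polAdminA", scope=SCOPE.ADMIN, user="******",
               action="enrollHOTP, enrollTOTP")
    set_policy(name="polAdminB", scope=SCOPE.ADMIN, user="******", realm="realmB",
               action="enrollHOTP")
    P = PolicyClass()
    # realm is empty, since in case of an admin, this is the admin realm
    rights = P.ui_get_enroll_tokentypes(None, {"role": SCOPE.ADMIN, "realm": None,
                                               "username": "******"})
    self.assertIn("hotp", rights)
    self.assertIn("totp", rights)
    rights = P.ui_get_enroll_tokentypes(None, {"role": SCOPE.ADMIN, "realm": "",
                                               "username": "******"})
    self.assertNotIn("totp", rights)
    self.assertIn("hotp", rights)
    rights = P.ui_get_enroll_tokentypes(None, {"role": SCOPE.ADMIN, "realm": "",
                                               "username": "******"})
    self.assertEqual(rights, {})
    delete_policy("polAdminA")
    delete_policy("polAdminB")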
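def test_15_ui_tokentypes(self):
    """Verify the enrollment token types the UI gets for admins and users.

    An admin without policies is offered every token type, an ADMIN-scope
    ``enrollYUBIKEY`` policy narrows that to ``yubikey``, a user whose
    USER-scope policy only grants ``disable`` is offered nothing, and two
    admins with per-realm enroll policies get different rights.

    Every policy created here is removed again, so the policy state does not
    leak into the tests that follow.
    """
    token_types = ["hotp", "totp", "motp", "sms", "spass", "sshkey", "email",
                   "certificate", "yubico", "yubikey", "radius"]

    def check(policy, user, allowed):
        # Types in `allowed` must be offered; all other known types must not.
        offered = policy.ui_get_enroll_tokentypes("127.0.0.1", user)
        for name in token_types:
            if name in allowed:
                self.assertIn(name, offered)
            else:
                self.assertNotIn(name, offered)

    admin = {"username": "******", "role": "admin", "realm": "realm1"}

    # Without policies, the admin gets all.
    check(PolicyClass(), admin, set(token_types))

    # An admin may only enroll Yubikeys.
    set_policy(name="tokenEnroll", scope=SCOPE.ADMIN, action="enrollYUBIKEY")
    check(PolicyClass(), admin, {"yubikey"})  # fresh instance after the policy change

    # A user may enroll nothing.
    set_policy(name="someUserAction", scope=SCOPE.USER, action="disable")
    P = PolicyClass()
    tt = P.ui_get_enroll_tokentypes("127.0.0.1",
                                    {"username": "******", "realm": "realm", "role": "user"})
    self.assertEqual(len(tt), 0)

    # Clean up both policies (the user-scope one used to be left behind).
    delete_policy("tokenEnroll")
    delete_policy("someUserAction")

    # Two admins:
    # adminA is allowed to enroll tokens in all realms
    # adminB is allowed to enroll tokens only in realmB
    # NOTE(review): the usernames are redacted ("******") in this copy, so the
    # three lookups below cannot be told apart here — verify the distinct
    # admin names against the original test.
    set_policy(name="polAdminA", scope=SCOPE.ADMIN, user="******",
               action="enrollHOTP, enrollTOTP")
    set_policy(name="polAdminB", scope=SCOPE.ADMIN, user="******", realm="realmB",
               action="enrollHOTP")
    P = PolicyClass()

    def admin_rights(realm):
        # realm is empty, since in case of an admin, this is the admin realm
        return P.ui_get_enroll_tokentypes(None, {"role": SCOPE.ADMIN, "realm": realm,
                                                 "username": "******"})

    rights = admin_rights(None)
    self.assertIn("hotp", rights)
    self.assertIn("totp", rights)
    rights = admin_rights("")
    self.assertNotIn("totp", rights)
    self.assertIn("hotp", rights)
    rights = admin_rights("")
    self.assertEqual(rights, {})
    delete_policy("polAdminA")
    delete_policy("polAdminB")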