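def test_17_ui_get_rights(self):
    """Check that ``PolicyClass.ui_get_rights`` narrows the UI rights by policy.

    Three situations are exercised:

    * no policy defined -> the admin gets the complete list of actions;
    * one admin policy (``enrollYUBIKEY``) -> the admin gets exactly that right;
    * one user policy (``enable``) -> the user's rights also contain
      ``disable``, which the original comment attributes to a policy still
      present from an earlier test ("there was still another policy...").

    The two policies created here are deliberately left in place, as in the
    original; later tests may rely on them (this test itself relies on a
    leftover policy), so no cleanup is added.
    """
    P = PolicyClass()
    # Without policies, the admin gets all. The exact count is tied to the
    # number of admin actions defined when the test was written and is
    # therefore brittle.
    rights = P.ui_get_rights(SCOPE.ADMIN, "realm1", "admin")
    self.assertEqual(len(rights), 39)

    # An admin may only enroll Yubikeys
    set_policy(name="tokenEnroll", scope=SCOPE.ADMIN, action="enrollYUBIKEY")
    # A new PolicyClass is built after every set_policy, presumably so the
    # freshly stored policy is read.
    P = PolicyClass()
    rights = P.ui_get_rights(SCOPE.ADMIN, "realm1", "admin")
    self.assertEqual(rights, ["enrollYUBIKEY"])

    # A user may do something else...
    set_policy(name="userpol", scope=SCOPE.USER, action="enable")
    P = PolicyClass()
    rights = P.ui_get_rights(SCOPE.USER, "realm2", "user")
    # there was still another policy...
    self.assertEqual(rights, ["enable", "disable"])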
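def test_17b_ui_rights_users_in_different_resolvers(self):
    """Check that user rights are scoped by the resolver a user belongs to.

    Two passwd-file resolvers are combined into one realm (``realm4``) and a
    separate user-scope policy is bound to each resolver. One user from each
    resolver (``postfix`` and ``usernotoken``, presumably in that order) is
    queried; each must see only the right granted for its own resolver, and a
    right granted for one resolver must not leak to users of the other.

    Both result sets also contain ``disable``, which neither policy grants
    here; presumably it comes from a policy defined by an earlier test.

    Every object created here is registered with ``addCleanup`` so it is
    removed in reverse creation order even when an assertion fails, instead
    of leaking into later tests.
    """
    # Create a realm with two resolvers
    rid = save_resolver({
        "resolver": "passwd",
        "type": "passwdresolver",
        "fileName": FILE_PASSWD,
    })
    self.assertGreater(rid, 0, rid)
    self.addCleanup(delete_resolver, "passwd")
    rid = save_resolver({
        "resolver": "passwords",
        "type": "passwdresolver",
        "fileName": FILE_PASSWORDS,
    })
    self.assertGreater(rid, 0, rid)
    self.addCleanup(delete_resolver, "passwords")

    # create user realm
    added, failed = set_realm("realm4", ["passwd", "passwords"])
    self.addCleanup(delete_realm, "realm4")
    self.assertEqual(len(failed), 0, failed)
    self.assertEqual(len(added), 2, added)

    # A user may do something else...
    set_policy(name="userpol41", scope=SCOPE.USER, action="enable",
               realm="realm4", resolver="passwd")
    self.addCleanup(delete_policy, "userpol41")
    set_policy(name="userpol42", scope=SCOPE.USER, action="remove",
               realm="realm4", resolver="passwords")
    self.addCleanup(delete_policy, "userpol42")

    P = PolicyClass()
    # The two users are in different resolvers and get different rights;
    # the important part is that "remove" does not reach the first user and
    # "enable" does not reach the second.
    rights = P.ui_get_rights(SCOPE.USER, "realm4", "postfix")
    self.assertEqual(set(rights), {"enable", "disable"})
    rights = P.ui_get_rights(SCOPE.USER, "realm4", "usernotoken")
    self.assertEqual(set(rights), {"disable", "remove"})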
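def test_17_ui_get_rights(self):
    """Check that ``PolicyClass.ui_get_rights`` narrows the UI rights by policy.

    Three situations are exercised:

    * no policy defined -> the admin gets the complete list of actions;
    * one admin policy (``enrollYUBIKEY``) -> the admin gets exactly that right;
    * one user policy (``enable``) -> the user's rights also contain
      ``disable``, which the original comment attributes to a policy still
      present from an earlier test ("there was still another policy...").

    The two policies created here are deliberately left in place, as in the
    original; later tests may rely on them (this test itself relies on a
    leftover policy), so no cleanup is added.
    """
    P = PolicyClass()
    # Without policies, the admin gets all. The exact count is tied to the
    # number of admin actions defined when the test was written and is
    # therefore brittle.
    rights = P.ui_get_rights(SCOPE.ADMIN, "realm1", "admin")
    self.assertEqual(len(rights), 39)

    # An admin may only enroll Yubikeys
    set_policy(name="tokenEnroll", scope=SCOPE.ADMIN, action="enrollYUBIKEY")
    # A new PolicyClass is built after every set_policy, presumably so the
    # freshly stored policy is read.
    P = PolicyClass()
    rights = P.ui_get_rights(SCOPE.ADMIN, "realm1", "admin")
    self.assertEqual(rights, ["enrollYUBIKEY"])

    # A user may do something else...
    set_policy(name="userpol", scope=SCOPE.USER, action="enable")
    P = PolicyClass()
    rights = P.ui_get_rights(SCOPE.USER, "realm2", "user")
    # there was still another policy...
    self.assertEqual(rights, ["enable", "disable"])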
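def test_17_ui_get_rights(self):
    """Check that ``PolicyClass.ui_get_rights`` narrows the UI rights by policy.

    Part one (policies without a user restriction):

    * no policy -> the admin gets the full list of actions (at least 60);
    * one admin policy (``enrollYUBIKEY``) -> exactly that right;
    * one user policy (``enable``) -> the user's rights also contain
      ``disable``, which the original comment attributes to a policy still
      present from an earlier test.

    Part two (per-admin restriction): two admin policies, one unrestricted
    and one limited to ``realmB``. The negative assertions are the important
    ones: a right granted to one admin must not show up for another, and an
    admin with no matching policy gets an empty list.

    NOTE(review): the admin user names in this copy read ``******`` and look
    redacted; the comments refer to adminA and adminB. Confirm against the
    original source before relying on the per-admin assertions.

    Policies are removed in ``finally`` blocks so that a failing assertion
    does not leak them into later tests. The part-one policies must be gone
    before part two runs, because ``tokenEnroll`` carries no user restriction
    and would otherwise apply to every admin.
    """
    P = PolicyClass()
    # Without policies, the admin gets all
    rights = P.ui_get_rights(SCOPE.ADMIN, "realm1", "admin")
    self.assertGreaterEqual(len(rights), 60)

    created = []
    try:
        # An admin may only enroll Yubikeys
        set_policy(name="tokenEnroll", scope=SCOPE.ADMIN, action="enrollYUBIKEY")
        created.append("tokenEnroll")
        # A new PolicyClass is built after every set_policy, presumably so
        # the freshly stored policy is read.
        P = PolicyClass()
        rights = P.ui_get_rights(SCOPE.ADMIN, "realm1", "admin")
        self.assertEqual(rights, ["enrollYUBIKEY"])

        # A user may do something else...
        set_policy(name="userpol", scope=SCOPE.USER, action="enable")
        created.append("userpol")
        P = PolicyClass()
        rights = P.ui_get_rights(SCOPE.USER, "realm2", "user")
        # there was still another policy...
        self.assertEqual(rights, ["enable", "disable"])
    finally:
        # Only delete what was actually created, in creation order.
        for name in created:
            delete_policy(name)

    # Two admins:
    # adminA is allowed to enroll tokens in all realms
    # adminB is allowed to enroll tokens only in realmB
    created = []
    try:
        set_policy(name="polAdminA", scope=SCOPE.ADMIN, user="******",
                   action="enrollHOTP, enrollTOTP")
        created.append("polAdminA")
        set_policy(name="polAdminB", scope=SCOPE.ADMIN, user="******",
                   realm="realmB", action="enrollHOTP")
        created.append("polAdminB")
        P = PolicyClass()
        # realm is empty, since in case of an admin, this is the admin realm
        rights = P.ui_get_rights(SCOPE.ADMIN, realm=None, username="******")
        self.assertIn("enrollTOTP", rights)
        self.assertIn("enrollHOTP", rights)
        rights = P.ui_get_rights(SCOPE.ADMIN, realm=None, username="******")
        self.assertNotIn("enrollTOTP", rights)
        self.assertIn("enrollHOTP", rights)
        # An admin without any matching policy must not inherit rights.
        rights = P.ui_get_rights(SCOPE.ADMIN, realm=None, username="******")
        self.assertEqual(rights, [])
    finally:
        for name in created:
            delete_policy(name)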
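def test_17_ui_get_rights(self):
    """Check that ``PolicyClass.ui_get_rights`` narrows the UI rights by policy.

    Part one (policies without a user restriction):

    * no policy -> the admin gets the full list of actions (at least 60);
    * one admin policy (``enrollYUBIKEY``) -> exactly that right;
    * one user policy (``enable``) -> the user's rights also contain
      ``disable``, which the original comment attributes to a policy still
      present from an earlier test.

    Part two (per-admin restriction): two admin policies, one unrestricted
    and one limited to ``realmB``. The negative assertions are the important
    ones: a right granted to one admin must not show up for another, and an
    admin with no matching policy gets an empty list.

    NOTE(review): the admin user names in this copy read ``******`` and look
    redacted; the comments refer to adminA and adminB. Confirm against the
    original source before relying on the per-admin assertions.

    Policies are removed in ``finally`` blocks so that a failing assertion
    does not leak them into later tests. The part-one policies must be gone
    before part two runs, because ``tokenEnroll`` carries no user restriction
    and would otherwise apply to every admin.
    """
    P = PolicyClass()
    # Without policies, the admin gets all
    rights = P.ui_get_rights(SCOPE.ADMIN, "realm1", "admin")
    self.assertGreaterEqual(len(rights), 60)

    created = []
    try:
        # An admin may only enroll Yubikeys
        set_policy(name="tokenEnroll", scope=SCOPE.ADMIN, action="enrollYUBIKEY")
        created.append("tokenEnroll")
        # A new PolicyClass is built after every set_policy, presumably so
        # the freshly stored policy is read.
        P = PolicyClass()
        rights = P.ui_get_rights(SCOPE.ADMIN, "realm1", "admin")
        self.assertEqual(rights, ["enrollYUBIKEY"])

        # A user may do something else...
        set_policy(name="userpol", scope=SCOPE.USER, action="enable")
        created.append("userpol")
        P = PolicyClass()
        rights = P.ui_get_rights(SCOPE.USER, "realm2", "user")
        # there was still another policy...
        self.assertEqual(rights, ["enable", "disable"])
    finally:
        # Only delete what was actually created, in creation order.
        for name in created:
            delete_policy(name)

    # Two admins:
    # adminA is allowed to enroll tokens in all realms
    # adminB is allowed to enroll tokens only in realmB
    created = []
    try:
        set_policy(name="polAdminA", scope=SCOPE.ADMIN, user="******",
                   action="enrollHOTP, enrollTOTP")
        created.append("polAdminA")
        set_policy(name="polAdminB", scope=SCOPE.ADMIN, user="******",
                   realm="realmB", action="enrollHOTP")
        created.append("polAdminB")
        P = PolicyClass()
        # realm is empty, since in case of an admin, this is the admin realm
        rights = P.ui_get_rights(SCOPE.ADMIN, realm=None, username="******")
        self.assertIn("enrollTOTP", rights)
        self.assertIn("enrollHOTP", rights)
        rights = P.ui_get_rights(SCOPE.ADMIN, realm=None, username="******")
        self.assertNotIn("enrollTOTP", rights)
        self.assertIn("enrollHOTP", rights)
        # An admin without any matching policy must not inherit rights.
        rights = P.ui_get_rights(SCOPE.ADMIN, realm=None, username="******")
        self.assertEqual(rights, [])
    finally:
        for name in created:
            delete_policy(name)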