def test_01_create_radius(self): r = add_radius(identifier="myserver", server="1.2.3.4", secret="testing123") self.assertTrue(r > 0) r = add_radius(identifier="myserver1", server="1.2.3.4", secret="testing123") r = add_radius(identifier="myserver2", server="1.2.3.4", secret="testing123") server_list = get_radiusservers() self.assertTrue(server_list) self.assertEqual(len(server_list), 3) server_list = get_radiusservers(identifier="myserver") self.assertTrue(server_list[0].config.identifier, "myserver") self.assertTrue(server_list[0].config.port, 1812) for server in ["myserver", "myserver1", "myserver2"]: r = delete_radius(server) self.assertTrue(r > 0) server_list = get_radiusservers() self.assertEqual(len(server_list), 0)
def test_02_updateserver(self): r = add_radius(identifier="myserver", server="1.2.3.4", secret="testing123") self.assertTrue(r > 0) server_list = get_radiusservers(identifier="myserver") self.assertTrue(server_list[0].config.server, "1.2.3.4") r = add_radius(identifier="myserver", server="100.2.3.4", secret="testing123") self.assertTrue(r > 0) server_list = get_radiusservers(identifier="myserver") self.assertTrue(server_list[0].config.server, "100.2.3.4")
def create(identifier=None): """ This call creates or updates a RADIUS server definition. :param identifier: The unique name of the RADIUS server definition :param server: The FQDN or IP of the RADIUS server :param port: The port of the RADIUS server :param secret: The RADIUS secret of the RADIUS server :param description: A description for the definition """ param = request.all_data identifier = identifier.replace(" ", "_") server = getParam(param, "server", required) port = int(getParam(param, "port", default=1812)) secret = getParam(param, "secret", required) description = getParam(param, "description", default="") dictionary = getParam(param, "dictionary", default="/etc/privacyidea/dictionary") r = add_radius(identifier, server, secret, port=port, description=description, dictionary=dictionary) g.audit_object.log({'success': r > 0, 'info': r}) return send_result(r > 0)
def test_13_privacyidea_challenge_response(self): # This tests the challenge response with the privacyIDEA PIN. # First an authentication request with only the local PIN of the # radius token is sent. r = add_radius(identifier="myserver", server="1.2.3.4", secret="testing123", dictionary=DICT_FILE) self.assertTrue(r > 0) token = init_token({"type": "radius", "pin": "local", "radius.identifier": "myserver", "radius.local_checkpin": True, "radius.user": u"nönäscii"}) r = token.is_challenge_request("local") self.assertTrue(r) # create challenge of privacyidea r, message, transaction_id, _attr = token.create_challenge() self.assertTrue(r) self.assertEqual("Enter your RADIUS tokencode:", message) # check, if there is a challenge in the DB chals = get_challenges(token.token.serial) self.assertEqual(len(chals), 1) self.assertEqual(chals[0].transaction_id, transaction_id) # check if this is a response to a previously sent challenge r = token.is_challenge_response("radiuscode", options={"transaction_id": transaction_id}) self.assertTrue(r) # Now check, if the answer for the challenge is correct radiusmock.setdata(response=radiusmock.AccessAccept) r = token.check_challenge_response(passw="radiuscode", options={"transaction_id": transaction_id}) self.assertTrue(r)
def test_00_test_check_radius(self): r = add_radius(identifier="myserver", server="1.2.3.4", secret="testing123", dictionary=DICT_FILE) self.assertTrue(r > 0) token = init_token({ "type": "radius", "radius.identifier": "myserver", "radius.local_checkpin": True, "radius.user": u"nönäscii" }) # check the working of internal _check_radius radiusmock.setdata(response=radiusmock.AccessChallenge) r = token._check_radius("123456") self.assertEqual(r, radiusmock.AccessChallenge) radiusmock.setdata(response=radiusmock.AccessAccept) r = token._check_radius("123456") self.assertEqual(r, radiusmock.AccessAccept) radiusmock.setdata(response=radiusmock.AccessReject) r = token._check_radius("123456") self.assertEqual(r, radiusmock.AccessReject)
def test_07_non_ascii(self): radiusmock.setdata(response=radiusmock.AccessAccept) r = add_radius(identifier="myserver", server="1.2.3.4", secret="testing123", dictionary=DICT_FILE) self.assertTrue(r > 0) radius = get_radius("myserver") r = RADIUSServer.request(radius.config, u"nönäscii", u"passwörd") self.assertEqual(r, True)
def test_05_RADIUS_request(self): radiusmock.setdata(success=True, timeout=True) r = add_radius(identifier="myserver", server="1.2.3.4", secret="testing123", dictionary=DICT_FILE) self.assertTrue(r > 0) radius = get_radius("myserver") # A timeout will return false r = RADIUSServer.request(radius.config, "user", "password") self.assertEqual(r, False)
def test_05_RADIUS_request(self): radiusmock.setdata(response=radiusmock.AccessAccept, timeout=True) r = add_radius(identifier="myserver", server="1.2.3.4", secret="testing123", dictionary=DICT_FILE) self.assertTrue(r > 0) radius = get_radius("myserver") # A timeout will return false r = RADIUSServer.request(radius.config, "user", "password") self.assertEqual(r, False)
def test_16_passthru_assign(self): user = User("cornelius", realm="r1") passw = "{0!s}test".format(self.valid_otp_values[1]) options = {} # remove all tokens of cornelius remove_token(user=user) # create unassigned tokens in realm r1 init_token({"type": "hotp", "otpkey": "00"*20, "serial": "TOKFAIL"}, tokenrealms=["r1"]) init_token({"type": "hotp", "otpkey": self.otpkey, "serial": "TOKMATCH"}, tokenrealms=["r1"]) # A user with no tokens will fail to authenticate self.assertEqual(get_tokens(user=user, count=True), 0) rv = auth_user_passthru(check_user_pass, user, passw, options) self.assertFalse(rv[0]) self.assertEqual(rv[1].get("message"), "The user has no tokens assigned") # Now add a PASSTHRU policy to a RADIUS config radiusmock.setdata(success=True) set_policy(name="pol1", scope=SCOPE.AUTH, action="{0!s}=radiusconfig1".format(ACTION.PASSTHRU)) r = add_radius("radiusconfig1", "1.2.3.4", "testing123", dictionary=DICT_FILE) self.assertTrue(r > 0) set_policy(name="pol2", scope=SCOPE.AUTH, action="{0!s}=6:pin:1234".format(ACTION.PASSTHRU_ASSIGN)) g = FakeFlaskG() g.policy_object = PolicyClass() g.audit_object = FakeAudit() options = {"g": g} rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertTrue(rv[0]) self.assertTrue(u"against RADIUS server radiusconfig1 due to 'pol1'" in rv[1].get("message")) self.assertTrue(u"autoassigned TOKMATCH" in rv[1].get("message")) # Check if the token is assigned and can authenticate r = check_user_pass(User("cornelius", "r1"), "test{0!s}".format(self.valid_otp_values[2])) self.assertTrue(r[0]) self.assertEqual(r[1].get("serial"), "TOKMATCH") remove_token("TOKFAIL") remove_token("TOKMATCH") delete_policy("pol1") delete_policy("pol2")
def test_04_RADIUS_request(self): radiusmock.setdata(success=True) r = add_radius(identifier="myserver", server="1.2.3.4", secret="testing123", dictionary=DICT_FILE) self.assertTrue(r > 0) radius = get_radius("myserver") r = RADIUSServer.request(radius.config, "user", "password") self.assertEqual(r, True) radiusmock.setdata(success=False) r = RADIUSServer.request(radius.config, "user", "password") self.assertEqual(r, False)
def test_16_passthru_assign(self): user = User("cornelius", realm="r1") passw = "{0!s}test".format(self.valid_otp_values[1]) options = {} # remove all tokens of cornelius remove_token(user=user) # create unassigned tokens in realm r1 init_token({"type": "hotp", "otpkey": "00"*20, "serial": "TOKFAIL"}, tokenrealms=["r1"]) init_token({"type": "hotp", "otpkey": self.otpkey, "serial": "TOKMATCH"}, tokenrealms=["r1"]) # A user with no tokens will fail to authenticate self.assertEqual(get_tokens(user=user, count=True), 0) rv = auth_user_passthru(check_user_pass, user, passw, options) self.assertFalse(rv[0]) self.assertEqual(rv[1].get("message"), "The user has no tokens assigned") # Now add a PASSTHRU policy to a RADIUS config radiusmock.setdata(response=radiusmock.AccessAccept) set_policy(name="pol1", scope=SCOPE.AUTH, action="{0!s}=radiusconfig1".format(ACTION.PASSTHRU)) r = add_radius("radiusconfig1", "1.2.3.4", "testing123", dictionary=DICT_FILE) self.assertTrue(r > 0) set_policy(name="pol2", scope=SCOPE.AUTH, action="{0!s}=6:pin:1234".format(ACTION.PASSTHRU_ASSIGN)) g = FakeFlaskG() g.policy_object = PolicyClass() g.audit_object = FakeAudit() options = {"g": g} rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertTrue(rv[0]) self.assertTrue(u"against RADIUS server radiusconfig1 due to 'pol1'" in rv[1].get("message")) self.assertTrue(u"autoassigned TOKMATCH" in rv[1].get("message")) # Check if the token is assigned and can authenticate r = check_user_pass(User("cornelius", "r1"), "test{0!s}".format(self.valid_otp_values[2])) self.assertTrue(r[0]) self.assertEqual(r[1].get("serial"), "TOKMATCH") remove_token("TOKFAIL") remove_token("TOKMATCH") delete_policy("pol1") delete_policy("pol2")
def test_12_non_ascii(self): set_privacyidea_config("radius.dictfile", DICT_FILE) radiusmock.setdata(response=radiusmock.AccessAccept) r = add_radius(identifier="myserver", server="1.2.3.4", secret="testing123", dictionary=DICT_FILE) self.assertTrue(r > 0) token = init_token({"type": "radius", "radius.identifier": "myserver", "radius.user": u"nönäscii"}) r = token.authenticate(u"passwörd") self.assertEqual(r[0], True) self.assertEqual(r[1], 1)
def test_14_simple_challenge_response_in_radius_server(self): # In this case we test a simple challenge response in # the radius server. The PIN is checked locally. # A AccessRequest is sent to the RADIUS server, the RADIUS server # answers with an AccessChallenge, which creates a transaction id # in privacyIDEA. # This is answered and the RADIUS server sends an AccessAccept r = add_radius(identifier="myserver", server="1.2.3.4", secret="testing123", dictionary=DICT_FILE) self.assertTrue(r > 0) token = init_token({"type": "radius", "radius.identifier": "myserver", "radius.local_checkpin": False, "radius.user": u"nönäscii"}) # Check if the remote PIN would create a RADIUS challenge state1 = [b"123456"] radiusmock.setdata(timeout=False, response=radiusmock.AccessChallenge, response_data={"State": state1, "Reply_Message": ["Please provide more information."]}) opts = {} r = token.is_challenge_request("some_remote_value", options=opts) self.assertTrue(r) self.assertEqual(opts.get("radius_message"), "Please provide more information.") self.assertEqual(opts.get("radius_result"), radiusmock.AccessChallenge) self.assertEqual(opts.get("radius_state"), state1[0]) # Creating the challenge within privacyIDEA r, message, transaction_id, _attr = token.create_challenge(options=opts) self.assertTrue(r) self.assertEqual(message, "Please provide more information.") # Check if a challenge is created chals = get_challenges(token.token.serial) self.assertEqual(len(chals), 1) self.assertEqual(chals[0].transaction_id, transaction_id) # Checking, if this is the answer attempt to a challenge r = token.is_challenge_response("some_response", options={"transaction_id": transaction_id}) self.assertTrue(r) # Check what happens if the RADIUS server rejects the response radiusmock.setdata(timeout=False, response=radiusmock.AccessReject) r = token.check_challenge_response(passw="some_response", options={"transaction_id": transaction_id}) self.assertLess(r, 0) # Now checking the response to the challenge and we issue a RADIUS request radiusmock.setdata(timeout=False, response=radiusmock.AccessAccept) r = token.check_challenge_response(passw="some_response", options={"transaction_id": transaction_id}) self.assertGreaterEqual(r, 0)
def test_11_RADIUS_request(self): set_privacyidea_config("radius.dictfile", DICT_FILE) radiusmock.setdata(success=True) r = add_radius(identifier="myserver", server="1.2.3.4", secret="testing123", dictionary=DICT_FILE) self.assertTrue(r > 0) token = init_token({"type": "radius", "radius.identifier": "myserver", "radius.user": "******"}) r = token.authenticate("radiuspassword") self.assertEqual(r[0], True) self.assertEqual(r[1], 0) self.assertEqual(r[2].get("message"), "matching 1 tokens")
def test_16_single_shot_radius(self): # This is a single shot authentication, no challenge response. # One single auth request against the radius server. r = add_radius(identifier="myserver", server="1.2.3.4", secret="testing123", dictionary=DICT_FILE) self.assertTrue(r > 0) token = init_token({"type": "radius", "radius.identifier": "myserver", "radius.local_checkpin": False, "radius.user": u"nönäscii"}) radiusmock.setdata(timeout=False, response=radiusmock.AccessAccept) r, otp_count, _rpl = token.authenticate("some_remote_value") self.assertTrue(r) self.assertTrue(otp_count > 0) radiusmock.setdata(timeout=False, response=radiusmock.AccessReject) r, otp_count, _rpl = token.authenticate("some_remote_value") self.assertFalse(r) self.assertTrue(otp_count < 0)
def test_06_passthru(self): user = User("cornelius", realm="r1") passw = "test" options = {} # A user with no tokens will fail to authenticate self.assertEqual(get_tokens(user=user, count=True), 0) rv = auth_user_passthru(check_user_pass, user, passw, options) self.assertFalse(rv[0]) self.assertEqual(rv[1].get("message"), "The user has no tokens assigned") # Now we set a PASSTHRU policy, so that the user may authenticate # against his userstore (old style) set_policy(name="pol1", scope=SCOPE.AUTH, action=ACTION.PASSTHRU) g = FakeFlaskG() g.policy_object = PolicyClass() g.audit_object = FakeAudit() options = {"g": g} rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertTrue(rv[0]) self.assertEqual(rv[1].get("message"), u"against userstore due to 'pol1'") # Now set a PASSTHRU policy to the userstore (new style) set_policy(name="pol1", scope=SCOPE.AUTH, action="{0!s}=userstore".format(ACTION.PASSTHRU)) g = FakeFlaskG() g.policy_object = PolicyClass() g.audit_object = FakeAudit() options = {"g": g} rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertTrue(rv[0]) self.assertEqual(rv[1].get("message"), u"against userstore due to 'pol1'") # Now set a PASSTHRU policy to a RADIUS config (new style) radiusmock.setdata(success=True) set_policy(name="pol1", scope=SCOPE.AUTH, action="{0!s}=radiusconfig1".format(ACTION.PASSTHRU)) r = add_radius("radiusconfig1", "1.2.3.4", "testing123", dictionary=DICT_FILE) self.assertTrue(r > 0) g = FakeFlaskG() g.policy_object = PolicyClass() g.audit_object = FakeAudit() options = {"g": g} rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertTrue(rv[0]) self.assertEqual(rv[1].get("message"), u"against RADIUS server radiusconfig1 due to 'pol1'") # Now assign a token to the user. If the user has a token and the # passthru policy is set, the user must not be able to authenticate # with his userstore password. init_token({ "serial": "PTHRU", "type": "spass", "pin": "Hallo" }, user=user) rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertFalse(rv[0]) self.assertEqual(rv[1].get("message"), "wrong otp pin") remove_token("PTHRU") delete_policy("pol1")
def test_15_multi_challenge_response_in_radius_server(self): # The RADIUS server issues a AccessChallenge on the first and on the # second request r = add_radius(identifier="myserver", server="1.2.3.4", secret="testing123", dictionary=DICT_FILE) self.assertTrue(r > 0) token = init_token({"type": "radius", "radius.identifier": "myserver", "radius.local_checkpin": False, "radius.user": u"nönäscii"}) # Check if the remote PIN would create a RADIUS challenge state1 = [b"123456"] state2 = [b"999999"] radiusmock.setdata(timeout=False, response=radiusmock.AccessChallenge, response_data={"State": state1, "Reply_Message": ["Please provide more information."]}) opts = {} r = token.is_challenge_request("some_remote_value", options=opts) self.assertTrue(r) self.assertEqual(opts.get("radius_message"), "Please provide more information.") self.assertEqual(opts.get("radius_result"), radiusmock.AccessChallenge) self.assertEqual(opts.get("radius_state"), state1[0]) # Creating the challenge within privacyIDEA r, message, transaction_id, _attr = token.create_challenge(options=opts) self.assertTrue(r) self.assertEqual(message, "Please provide more information.") # Check if a challenge is created chals = get_challenges(token.token.serial) self.assertEqual(len(chals), 1) self.assertEqual(chals[0].transaction_id, transaction_id) # Checking, if this is the answer attempt to a challenge r = token.is_challenge_response("some_response", options={"transaction_id": transaction_id}) self.assertTrue(r) # Now checking the response to the challenge and we issue a RADIUS request # But the RADIUS server answers with a second AccessChallenge radiusmock.setdata(timeout=False, response=radiusmock.AccessChallenge, response_data={"State": state2, "Reply_Message": ["Please provide even more information."]}) opts2 = {"transaction_id": transaction_id} r = token.check_challenge_response(passw="some_response", options=opts2) # The answer might be correct, but since the RADIUS server want to get more answers, we get a -1 self.assertEqual(r, -1) # but we get a new Challenge! self.assertEqual(opts2.get("radius_result"), radiusmock.AccessChallenge) self.assertEqual(opts2.get("radius_state"), state2[0]) self.assertEqual(opts2.get("radius_message"), "Please provide even more information.") transaction_id2 = opts2.get("transaction_id") # Finally we send the last auth request opts3 = {"transaction_id": transaction_id2} radiusmock.setdata(timeout=False, response=radiusmock.AccessAccept) r = token.check_challenge_response(passw="some_other_response", options=opts3) # The answer is correct, self.assertEqual(r, 1) # and we do not get a new challenge, it is the same as before self.assertEqual(opts3.get("radius_result"), radiusmock.AccessAccept) transaction_id3 = opts3.get("transaction_id") self.assertEqual(transaction_id3, transaction_id2)
def test_06_passthru(self): user = User("cornelius", realm="r1") passw = "test" options = {} # A user with no tokens will fail to authenticate self.assertEqual(get_tokens(user=user, count=True), 0) rv = auth_user_passthru(check_user_pass, user, passw, options) self.assertFalse(rv[0]) self.assertEqual(rv[1].get("message"), "The user has no tokens assigned") # Now we set a PASSTHRU policy, so that the user may authenticate # against his userstore (old style) set_policy(name="pol1", scope=SCOPE.AUTH, action=ACTION.PASSTHRU) g = FakeFlaskG() g.policy_object = PolicyClass() g.audit_object = FakeAudit() options = {"g": g} rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertTrue(rv[0]) self.assertEqual(rv[1].get("message"), u"against userstore due to 'pol1'") # Now set a PASSTHRU policy to the userstore (new style) set_policy(name="pol1", scope=SCOPE.AUTH, action="{0!s}=userstore".format(ACTION.PASSTHRU)) g = FakeFlaskG() g.policy_object = PolicyClass() g.audit_object = FakeAudit() options = {"g": g} rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertTrue(rv[0]) self.assertEqual(rv[1].get("message"), u"against userstore due to 'pol1'") # Now set a PASSTHRU policy to a RADIUS config (new style) radiusmock.setdata(success=True) set_policy(name="pol1", scope=SCOPE.AUTH, action="{0!s}=radiusconfig1".format(ACTION.PASSTHRU)) r = add_radius("radiusconfig1", "1.2.3.4", "testing123", dictionary=DICT_FILE) self.assertTrue(r > 0) g = FakeFlaskG() g.policy_object = PolicyClass() g.audit_object = FakeAudit() options = {"g": g} rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertTrue(rv[0]) self.assertEqual(rv[1].get("message"), u"against RADIUS server radiusconfig1 due to 'pol1'") # Now assign a token to the user. If the user has a token and the # passthru policy is set, the user must not be able to authenticate # with his userstore password. init_token({"serial": "PTHRU", "type": "spass", "pin": "Hallo"}, user=user) rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertFalse(rv[0]) self.assertEqual(rv[1].get("message"), "wrong otp pin") remove_token("PTHRU") delete_policy("pol1")
def test_13_passthru_priorities(self): user = User("cornelius", realm="r1") passw = "test" options = {} # remove all tokens of cornelius remove_token(user=user) # A user with no tokens will fail to authenticate self.assertEqual(get_tokens(user=user, count=True), 0) rv = auth_user_passthru(check_user_pass, user, passw, options) self.assertFalse(rv[0]) self.assertEqual(rv[1].get("message"), "The user has no tokens assigned") # Now set a PASSTHRU policy to the userstore set_policy(name="pol1", scope=SCOPE.AUTH, action="{0!s}=userstore".format(ACTION.PASSTHRU)) g = FakeFlaskG() g.policy_object = PolicyClass() g.audit_object = FakeAudit() options = {"g": g} rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertTrue(rv[0]) self.assertEqual(rv[1].get("message"), u"against userstore due to 'pol1'") # Now add a PASSTHRU policy to a RADIUS config radiusmock.setdata(success=True) set_policy(name="pol2", scope=SCOPE.AUTH, action="{0!s}=radiusconfig1".format(ACTION.PASSTHRU)) r = add_radius("radiusconfig1", "1.2.3.4", "testing123", dictionary=DICT_FILE) self.assertTrue(r > 0) g = FakeFlaskG() g.policy_object = PolicyClass() g.audit_object = FakeAudit() options = {"g": g} # They will conflict, because they use the same priority with self.assertRaises(PolicyError): auth_user_passthru(check_user_pass, user, passw, options=options) # Lower pol1 priority set_policy(name="pol1", priority=2) g.policy_object.reload_from_db() rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertTrue(rv[0]) self.assertEqual(rv[1].get("message"), u"against RADIUS server radiusconfig1 due to 'pol2'") # Lower pol2 priority set_policy(name="pol2", priority=3) g.policy_object.reload_from_db() rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertTrue(rv[0]) self.assertEqual(rv[1].get("message"), u"against userstore due to 'pol1'") # Add old style priority set_policy(name="pol3", scope=SCOPE.AUTH, action=ACTION.PASSTHRU) g.policy_object.reload_from_db() rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertTrue(rv[0]) self.assertEqual(rv[1].get("message"), u"against userstore due to 'pol3'") set_policy(name="pol3", priority=2) g.policy_object.reload_from_db() # They will conflict, because they use the same priority with self.assertRaises(PolicyError): auth_user_passthru(check_user_pass, user, passw, options=options) delete_policy("pol3") g.policy_object.reload_from_db() # Now assign a token to the user. If the user has a token and the # passthru policy is set, the user must not be able to authenticate # with his userstore password. init_token({"serial": "PTHRU", "type": "spass", "pin": "Hallo"}, user=user) rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertFalse(rv[0]) self.assertEqual(rv[1].get("message"), "wrong otp pin") remove_token("PTHRU") delete_policy("pol1") delete_policy("pol2")
def test_13_passthru_priorities(self): user = User("cornelius", realm="r1") passw = "test" options = {} # remove all tokens of cornelius remove_token(user=user) # A user with no tokens will fail to authenticate self.assertEqual(get_tokens(user=user, count=True), 0) rv = auth_user_passthru(check_user_pass, user, passw, options) self.assertFalse(rv[0]) self.assertEqual(rv[1].get("message"), "The user has no tokens assigned") # Now set a PASSTHRU policy to the userstore set_policy(name="pol1", scope=SCOPE.AUTH, action="{0!s}=userstore".format(ACTION.PASSTHRU)) g = FakeFlaskG() g.policy_object = PolicyClass() g.audit_object = FakeAudit() options = {"g": g} rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertTrue(rv[0]) self.assertEqual(rv[1].get("message"), u"against userstore due to 'pol1'") # Now add a PASSTHRU policy to a RADIUS config radiusmock.setdata(response=radiusmock.AccessAccept) set_policy(name="pol2", scope=SCOPE.AUTH, action="{0!s}=radiusconfig1".format(ACTION.PASSTHRU)) r = add_radius("radiusconfig1", "1.2.3.4", "testing123", dictionary=DICT_FILE) self.assertTrue(r > 0) g = FakeFlaskG() g.policy_object = PolicyClass() g.audit_object = FakeAudit() options = {"g": g} # They will conflict, because they use the same priority with self.assertRaises(PolicyError): auth_user_passthru(check_user_pass, user, passw, options=options) # Lower pol1 priority set_policy(name="pol1", priority=2) rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertTrue(rv[0]) self.assertEqual(rv[1].get("message"), u"against RADIUS server radiusconfig1 due to 'pol2'") # Lower pol2 priority set_policy(name="pol2", priority=3) rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertTrue(rv[0]) self.assertEqual(rv[1].get("message"), u"against userstore due to 'pol1'") # Add old style priority set_policy(name="pol3", scope=SCOPE.AUTH, action=ACTION.PASSTHRU) rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertTrue(rv[0]) self.assertEqual(rv[1].get("message"), u"against userstore due to 'pol3'") set_policy(name="pol3", priority=2) # They will conflict, because they use the same priority with self.assertRaises(PolicyError): auth_user_passthru(check_user_pass, user, passw, options=options) delete_policy("pol3") # Now assign a token to the user. If the user has a token and the # passthru policy is set, the user must not be able to authenticate # with his userstore password. init_token({"serial": "PTHRU", "type": "spass", "pin": "Hallo"}, user=user) rv = auth_user_passthru(check_user_pass, user, passw, options=options) self.assertFalse(rv[0]) self.assertEqual(rv[1].get("message"), "wrong otp pin") remove_token("PTHRU") delete_policy("pol1") delete_policy("pol2")