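def test_09_invalidate_edit_user(self):
    """Editing a user through an editable resolver must evict its UserCache row.

    Flow: the empty cache gains one row when a ``User`` is resolved, the row
    is gone after ``update_user_info``, resolving the user again re-populates
    it, and restoring the original value leaves the cache empty for the
    tests that follow. An editable (SQL) resolver is required, hence the
    realm setup; teardown runs in ``finally`` so a failing assertion cannot
    leave the SQL realm behind for other tests.
    """
    self._create_sql_realm()
    try:
        # Nothing is cached before the first lookup.
        # (assertEqual, not the deprecated assertEquals alias removed in 3.12)
        self.assertEqual(UserCache.query.count(), 0)

        # Resolving a user populates the cache.
        user = User(login="******", realm=self.sql_realm)
        self.assertEqual(UserCache.query.count(), 1)
        self.assertEqual(user.info.get("givenname", ""), "")

        # A write through the user store must invalidate the cached row.
        user.update_user_info({"givenname": "wordy"})
        self.assertEqual(user.info.get("givenname"), "wordy")
        self.assertEqual(UserCache.query.count(), 0)

        # Resolving the same user again re-populates the cache; the object
        # itself is not needed, only the constructor's side effect.
        User(login="******", realm=self.sql_realm)
        self.assertEqual(UserCache.query.count(), 1)

        # Put the original value back so later tests see an unmodified user.
        user.update_user_info({"givenname": ""})
        self.assertEqual(user.info.get("givenname", ""), "")
        self.assertEqual(UserCache.query.count(), 0)
    finally:
        self._delete_sql_realm()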
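def test_13_update_user(self):
    """``User.update_user_info`` must change attributes and the login name.

    Builds an SQL resolver from the ``self.parameters`` fixture and a realm
    containing it, then changes ``givenname`` and ``username`` and checks
    that both ``user.info`` and ``user.login`` follow. The original values
    are written back at the end for the remaining tests.
    """
    realm = "sqlrealm"
    resolver = "SQL1"
    # Work on a copy: the fixture dict is shared with other tests, and
    # mutating it in place would leak "resolver"/"type" into them.
    parameters = dict(self.parameters)
    parameters["resolver"] = resolver
    parameters["type"] = "sqlresolver"
    rid = save_resolver(parameters)
    self.assertTrue(rid > 0, rid)

    added, failed = set_realm(realm, [resolver])
    self.assertEqual(len(failed), 0)
    self.assertEqual(len(added), 1)

    user = User(login="******", realm=realm)
    self.assertEqual(user.info.get("givenname", ""), "")

    user.update_user_info({"givenname": "wordy", "username": "******"})
    self.assertEqual(user.info.get("givenname"), "wordy")
    self.assertEqual(user.login, "WordpressUser")

    # Restore the original attribute values.
    user.update_user_info({"givenname": "", "username": "******"})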
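def test_13_update_user(self):
    """``User.update_user_info`` must change attributes and the login name.

    Builds an SQL resolver from the ``self.parameters`` fixture and a realm
    containing it, then changes ``givenname`` and ``username`` and checks
    that both ``user.info`` and ``user.login`` follow. The original values
    are written back at the end for the remaining tests.
    """
    realm = "sqlrealm"
    resolver = "SQL1"
    # Work on a copy: the fixture dict is shared with other tests, and
    # mutating it in place would leak "resolver"/"type" into them.
    parameters = dict(self.parameters)
    parameters["resolver"] = resolver
    parameters["type"] = "sqlresolver"
    rid = save_resolver(parameters)
    self.assertTrue(rid > 0, rid)

    added, failed = set_realm(realm, [resolver])
    self.assertEqual(len(failed), 0)
    self.assertEqual(len(added), 1)

    user = User(login="******", realm=realm)
    self.assertEqual(user.info.get("givenname", ""), "")

    user.update_user_info({"givenname": "wordy", "username": "******"})
    self.assertEqual(user.info.get("givenname"), "wordy")
    self.assertEqual(user.login, "WordpressUser")

    # Restore the original attribute values.
    user.update_user_info({"givenname": "", "username": "******"})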
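def test_09_invalidate_edit_user(self):
    """Editing a user through an editable resolver must evict its UserCache row.

    Flow: the empty cache gains one row when a ``User`` is resolved, the row
    is gone after ``update_user_info``, resolving the user again re-populates
    it, and restoring the original value leaves the cache empty for the
    tests that follow. An editable (SQL) resolver is required, hence the
    realm setup; teardown runs in ``finally`` so a failing assertion cannot
    leave the SQL realm behind for other tests.
    """
    self._create_sql_realm()
    try:
        # Nothing is cached before the first lookup.
        # (assertEqual, not the deprecated assertEquals alias removed in 3.12)
        self.assertEqual(UserCache.query.count(), 0)

        # Resolving a user populates the cache.
        user = User(login="******", realm=self.sql_realm)
        self.assertEqual(UserCache.query.count(), 1)
        self.assertEqual(user.info.get("givenname", ""), "")

        # A write through the user store must invalidate the cached row.
        user.update_user_info({"givenname": "wordy"})
        self.assertEqual(user.info.get("givenname"), "wordy")
        self.assertEqual(UserCache.query.count(), 0)

        # Resolving the same user again re-populates the cache; the object
        # itself is not needed, only the constructor's side effect.
        User(login="******", realm=self.sql_realm)
        self.assertEqual(UserCache.query.count(), 1)

        # Put the original value back so later tests see an unmodified user.
        user.update_user_info({"givenname": ""})
        self.assertEqual(user.info.get("givenname", ""), "")
        self.assertEqual(UserCache.query.count(), 0)
    finally:
        self._delete_sql_realm()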
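def update_user():
    """
    Edit a user in the user store.

    The resolver must have the flag editable, so that the user can be
    edited. Only administrators are allowed to edit users.

    **Example request**:

    .. sourcecode:: http

       PUT /user
       user=existing_user
       resolver=<resolvername>
       surname=...
       givenname=...
       email=...
       mobile=...
       phone=...
       password=...
       description=...

       Host: example.com
       Accept: application/json

    .. note:: Also a user can call this function to e.g. change his password.
       But in this case the parameter "user" and "resolver" get overwritten
       by the values of the authenticated user, even if he specifies another
       username.

    :param user: login name of the user to edit (required)
    :param resolver: name of the editable resolver (required)
    :param userid: optional user ID; when present the user is looked up by
        ID and "user" is only used for the audit entry
    :return: the result of ``User.update_user_info`` wrapped by ``send_result``
    """
    attributes = _get_attributes_from_param(request.all_data)
    username = getParam(request.all_data, "user", optional=False)
    resolvername = getParam(request.all_data, "resolver", optional=False)
    userid = getParam(request.all_data, "userid")

    # NOTE(review): the self-service overwrite described in the docstring
    # covers "user" and "resolver" only; confirm that a caller-supplied
    # "userid" is restricted the same way, otherwise a non-admin could
    # select a different account by ID than by login.
    if userid is not None:
        user_obj = User(resolver=resolvername, uid=userid)
    else:
        user_obj = User(login=username, resolver=resolvername)

    # Hand the password over separately so the attribute dict (which may be
    # logged) never carries it. An empty/missing password means "unchanged".
    password = attributes.get("password")
    if password:
        del attributes["password"]

    r = user_obj.update_user_info(attributes, password=password)

    # The audit entry must name the account that was actually edited: when
    # "userid" is given it, not "user", selected the target.
    if userid is not None:
        target = u"{0!s} (uid {1!s})".format(username, userid)
    else:
        target = username
    g.audit_object.log({
        "success": True,
        "info": u"{0!s}: {1!s}/{2!s}".format(r, target, resolvername)
    })
    return send_result(r)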
def update_user():
    """
    Edit a user in the user store.

    The resolver must have the flag editable, so that the user can be
    edited. Only administrators are allowed to edit users.

    **Example request**:

    .. sourcecode:: http

       PUT /user
       user=existing_user
       resolver=<resolvername>
       surname=...
       givenname=...
       email=...
       mobile=...
       phone=...
       password=...
       description=...

       Host: example.com
       Accept: application/json

    .. note:: Also a user can call this function to e.g. change his password.
       But in this case the parameter "user" and "resolver" get overwritten
       by the values of the authenticated user, even if he specifies another
       username.

    :param user: login name of the user to edit (required)
    :param resolver: name of the editable resolver (required)
    :return: the result of ``User.update_user_info`` wrapped by ``send_result``
    """
    attributes = _get_attributes_from_param(request.all_data)
    username = getParam(request.all_data, "user", optional=False)
    resolvername = getParam(request.all_data, "resolver", optional=False)
    user_obj = User(login=username, resolver=resolvername)

    # Pass the password on its own so the attribute dict, which may end up
    # in the logs, does not contain it. A falsy password is left untouched.
    password = attributes.get("password")
    if password:
        attributes.pop("password")

    result = user_obj.update_user_info(attributes, password=password)
    audit_info = u"{0!s}: {1!s}/{2!s}".format(result, username, resolvername)
    g.audit_object.log({"success": True, "info": audit_info})
    return send_result(result)
def update_user():
    """
    Edit a user in the user store.

    The resolver must have the flag editable, so that the user can be
    edited. Only administrators are allowed to edit users.

    **Example request**:

    .. sourcecode:: http

       PUT /user
       user=existing_user
       resolver=<resolvername>
       surname=...
       givenname=...
       email=...
       mobile=...
       phone=...
       password=...
       description=...

       Host: example.com
       Accept: application/json

    .. note:: Also a user can call this function to e.g. change his password.
       But in this case the parameter "user" and "resolver" get overwritten
       by the values of the authenticated user, even if he specifies another
       username.

    :param user: login name of the user to edit (required)
    :param resolver: name of the editable resolver (required)
    :return: the result of ``User.update_user_info`` wrapped by ``send_result``
    """
    attributes = _get_attributes_from_param(request.all_data)
    username = getParam(request.all_data, "user", optional=False)
    resolvername = getParam(request.all_data, "resolver", optional=False)
    user_obj = User(login=username, resolver=resolvername)

    # NOTE(review): a supplied "password" stays inside ``attributes`` and is
    # passed through as-is; confirm it is masked wherever request data or
    # the attribute dict is logged.
    result = user_obj.update_user_info(attributes)

    audit_info = "%s: %s/%s" % (result, username, resolvername)
    g.audit_object.log({"success": True, "info": audit_info})
    return send_result(result)
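def assign_user(resolver, realm, username, email, givenname, surname,
                serial, pin, validity, hard_or_soft):
    """Create or update a user, give it a second-factor token and a RADIUS token.

    All work happens inside the privacyIDEA app context built from
    ``/etc/privacyidea/pi.cfg``:

    1. Resolve ``username`` in ``realm``/``resolver``; create it with the
       given attributes if it does not exist, otherwise update them.
    2. Depending on ``hard_or_soft`` (compared after ``strip().upper()``):
       ``HARDWARE`` assigns the existing token ``serial`` with ``pin``,
       ``SOFTWARE`` enrolls a new ``TOKEN_TYPE`` token through the local
       REST API. An unknown specifier is reported on stderr.
    3. Create a RADIUS token for the user, attach ``TOKENINFO`` and set its
       validity end to ``validity`` days from now.

    Progress is printed to stdout and failures to stderr. The function
    returns ``None``; it returns early only when the user can neither be
    found nor created.

    :param validity: number of days the RADIUS token stays valid (int-like)
    :param hard_or_soft: ``HARDWARE`` or ``SOFTWARE`` specifier; surrounding
        whitespace and case are ignored
    """
    app = create_app(config_name="production",
                     config_file="/etc/privacyidea/pi.cfg", silent=True)
    with app.app_context():
        # --- User operations -------------------------------------------
        try:
            print("+ Processing user {0!s} in {1!s}/{2!s}.".format(
                username, resolver, realm))
            user_obj = User(username, realm, resolver=resolver)
        except UserError as err:
            sys.stderr.write(" +-- Failed finding user: {0!s}.\n".format(err))
            return

        if not user_obj.exist():
            print(" +- Creating user {0!s} in {1!s}/{2!s}.".format(
                username, resolver, realm))
            try:
                # NOTE(review): the account is created with an empty
                # password; confirm the resolver does not accept password
                # logins for such users or that a password is set elsewhere.
                create_user(resolver, {
                    "username": username,
                    "email": email,
                    "givenname": givenname,
                    "surname": surname
                }, password="")
                user_obj = User(username, realm, resolver=resolver)
            except Exception as err:
                # UserError and any other store failure abort this user the
                # same way; the caller moves on to the next record.
                sys.stderr.write(
                    "+-- Failed to create user: {0!s}.\n".format(err))
                return
        else:
            print(" +- Updating user {0!s} in {1!s}/{2!s}.".format(
                username, resolver, realm))
            user_obj.update_user_info({
                "email": email,
                "givenname": givenname,
                "surname": surname
            })

        # --- Token operations ------------------------------------------
        mode = hard_or_soft.strip().upper()
        if mode == HARDWARE:
            if serial:
                # Assign an existing token; both failure types are reported
                # identically and do not stop the RADIUS enrollment below.
                try:
                    print(" +- Processing token {0!s}".format(serial))
                    assign_token(serial, user_obj, pin)
                    print(" +-- Assigned token to user {0!s}.".format(user_obj))
                except (TokenAdminError, ResourceNotFoundError) as err:
                    sys.stderr.write(
                        " +-- Failed assigning token {0!s}: {1!s}.\n".format(
                            serial, err))
            else:
                sys.stderr.write(
                    "+-- User {0!s} is supposed to get a hardware token, "
                    "but no serial defined!\n".format(user_obj))
        elif mode == SOFTWARE:
            # No serial given: enroll a fresh token via the local REST API.
            print(" +- Creating token of type {0!s}.".format(TOKEN_TYPE))
            params = {
                "type": TOKEN_TYPE,
                "genkey": 1,
                "user": user_obj.login,
                "realm": user_obj.realm
            }
            # SECURITY(review): verify=False disables TLS certificate checks
            # for a request that carries an admin Authorization token. Point
            # ``verify`` at the server's CA bundle instead of turning
            # verification off.
            r = requests.post('https://localhost/token/init', verify=False,
                              data=params,
                              headers={"Authorization": get_auth_tok()})
            # A response without a "result" object is treated as a failed
            # enrollment instead of raising AttributeError.
            result = r.json().get("result") or {}
            if not result.get("status"):
                sys.stderr.write(
                    " +-- Failed to create token for user {0!s}.\n".format(
                        user_obj))
        else:
            # NOTE(review): an unknown specifier is only reported; the RADIUS
            # token below is still created. Confirm that is intended.
            sys.stderr.write(
                "+-- Unknown Hard/Soft specifier for user {0!s}: {1!s}\n".format(
                    user_obj, hard_or_soft))

        # --- RADIUS token with validity period --------------------------
        print(" +- Creating RADIUS token for user {0!s}.".format(user_obj))
        tok = init_token({
            "type": "radius",
            "radius.identifier": RADIUS_IDENTIFIER,
            "radius.user": user_obj.login
        }, user=user_obj)
        for key, value in TOKENINFO.items():
            tok.add_tokeninfo(key, value)
        # NOTE(review): ``now()`` is naive local time but the timestamp is
        # labelled "CET" unconditionally; this is wrong on hosts not in CET.
        validity_end = datetime.datetime.now() + datetime.timedelta(
            days=int(validity))
        tok.set_validity_period_end(
            validity_end.strftime("%Y-%m-%d %H:%M:00 CET"))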