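def test_02_userstore_password(self):
    """``otppin=userstore`` must accept only the user's resolver password.

    Creates resolver ``myreso`` (backed by ``PWFILE2``, in which user
    ``cornelius`` has the password ``test``), puts it into realm ``r1``
    and sets the AUTH policy ``otppin=userstore``.  ``auth_otppin`` must
    then reject a wrong password and accept the userstore password.

    The resolver and the realm are deliberately left in place: the
    following tests rely on ``cornelius`` existing in realm ``r1``.
    """
    resolver_id = save_resolver({"resolver": "myreso",
                                 "type": "passwdresolver",
                                 "fileName": PWFILE2})
    self.assertTrue(resolver_id > 0, resolver_id)
    added, failed = set_realm("r1", ["myreso"])
    self.assertEqual(len(failed), 0)
    self.assertEqual(len(added), 1)

    set_policy(name="pol1", scope=SCOPE.AUTH,
               action="%s=%s" % (ACTION.OTPPIN, ACTIONVALUE.USERSTORE))
    try:
        flask_g = FakeFlaskG()
        # The policy object is created only after set_policy(); sibling
        # tests re-create or reload it after every policy change, so it
        # presumably caches the policies at construction time.
        flask_g.policy_object = PolicyClass()
        options = {"g": flask_g}
        cornelius = User("cornelius", realm="r1")

        # a wrong password must be rejected
        self.assertFalse(auth_otppin(self.fake_check_otp, None, "WrongPW",
                                     options=options, user=cornelius))
        # the password stored in the userstore ("test") must be accepted
        self.assertTrue(auth_otppin(self.fake_check_otp, None, "test",
                                    options=options, user=cornelius))
    finally:
        # Runs even when an assertion fails, so a leftover
        # otppin=userstore policy cannot change the outcome of later tests.
        delete_policy("pol1")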
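def test_01_otppin(self):
    """Check the ``none`` and ``tokenpin`` values of the otppin AUTH policy.

    With ``otppin=none`` only an empty PIN is accepted, no matter whether
    the request is identified by a user or by a token.  With
    ``otppin=tokenpin`` the decision is left to the wrapped function,
    here ``self.fake_check_otp``, which (judging by the expected results)
    accepts the PIN ``FAKE`` and rejects ``Wrong Pin``.
    """
    my_user = User("cornelius", realm="r1")
    # Constructed serial: the original enrolled the token without a serial
    # and never removed it; an explicit serial makes cleanup possible.
    serial = "OTPPIN01"
    token = None

    set_policy(name="pol1", scope=SCOPE.AUTH,
               action="%s=%s" % (ACTION.OTPPIN, ACTIONVALUE.NONE))
    try:
        flask_g = FakeFlaskG()
        flask_g.policy_object = PolicyClass()
        options = {"g": flask_g}

        # otppin=none: an empty PIN succeeds for a user ...
        self.assertTrue(auth_otppin(self.fake_check_otp, None, "",
                                    options=options, user=my_user))
        # ... and also when the request is identified by the token and not
        # by a user, since the policy holds for all realms
        token = init_token({"serial": serial, "type": "HOTP",
                            "otpkey": "1234"})
        self.assertTrue(auth_otppin(self.fake_check_otp, token, "",
                                    options=options, user=None))
        # otppin=none: any non-empty PIN fails
        self.assertFalse(auth_otppin(self.fake_check_otp, None, "some pin",
                                     options=options, user=my_user))

        # Replace the policy by otppin=tokenpin.  A fresh PolicyClass is
        # built afterwards, as the original test did; presumably the
        # object does not see policy changes made after its construction.
        delete_policy("pol1")
        set_policy(name="pol1", scope=SCOPE.AUTH,
                   action="%s=%s" % (ACTION.OTPPIN, ACTIONVALUE.TOKENPIN))
        flask_g = FakeFlaskG()
        flask_g.policy_object = PolicyClass()
        options = {"g": flask_g}

        self.assertTrue(auth_otppin(self.fake_check_otp, None, "FAKE",
                                    options=options, user=my_user))
        self.assertFalse(auth_otppin(self.fake_check_otp, None, "Wrong Pin",
                                     options=options, user=my_user))
    finally:
        # Clean up even when an assertion fails so that neither the policy
        # nor the token leaks into the following tests.
        delete_policy("pol1")
        if token is not None:
            remove_token(serial)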
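def test_03_otppin_for_serial(self):
    """``otppin=userstore`` for a request identified only by the token serial.

    Token ``T001`` is enrolled for ``cornelius`` in realm ``r1`` and
    ``auth_otppin`` is called with ``user=None``: the password has to be
    checked against the *token owner*, so the owner's userstore password
    ``test`` is accepted and any other password is rejected.
    """
    set_policy(name="pol1", scope=SCOPE.AUTH,
               action="%s=%s" % (ACTION.OTPPIN, ACTIONVALUE.USERSTORE))
    token = None
    try:
        flask_g = FakeFlaskG()
        flask_g.policy_object = PolicyClass()
        options = {"g": flask_g, "serial": "T001"}

        # enroll the token for cornelius, whose userstore password is "test"
        token = init_token({"serial": "T001", "type": "hotp", "genkey": 1},
                           user=User("cornelius", realm="r1"))
        self.assertTrue(token)

        # No user is passed: the owner is determined through the token.
        self.assertFalse(auth_otppin(self.fake_check_otp, token, "WrongPW",
                                     options=options, user=None))
        self.assertTrue(auth_otppin(self.fake_check_otp, token, "test",
                                    options=options, user=None))
    finally:
        # Clean up even on assertion failure; the token is only removed if
        # the enrollment above actually happened.
        delete_policy("pol1")
        if token is not None:
            remove_token("T001")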
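def test_03_otppin_for_serial(self):
    """``otppin=userstore`` for a request identified only by the token serial.

    Token ``T001`` is enrolled for ``cornelius`` in realm ``r1`` and
    ``auth_otppin`` is called with ``user=None``: the password has to be
    checked against the *token owner*, so the owner's userstore password
    ``test`` is accepted and any other password is rejected.
    """
    set_policy(name="pol1", scope=SCOPE.AUTH,
               action="{0!s}={1!s}".format(ACTION.OTPPIN,
                                           ACTIONVALUE.USERSTORE))
    token = None
    try:
        flask_g = FakeFlaskG()
        flask_g.policy_object = PolicyClass()
        # the decorator writes audit data; a fake audit object collects it
        flask_g.audit_object = FakeAudit()
        options = {"g": flask_g, "serial": "T001"}

        # enroll the token for cornelius, whose userstore password is "test"
        token = init_token({"serial": "T001", "type": "hotp", "genkey": 1},
                           user=User("cornelius", realm="r1"))
        self.assertTrue(token)

        # No user is passed: the owner is determined through the token.
        self.assertFalse(auth_otppin(self.fake_check_otp, token, "WrongPW",
                                     options=options, user=None))
        self.assertTrue(auth_otppin(self.fake_check_otp, token, "test",
                                    options=options, user=None))
    finally:
        # Clean up even on assertion failure; the token is only removed if
        # the enrollment above actually happened.
        delete_policy("pol1")
        if token is not None:
            remove_token("T001")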
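def test_02_userstore_password(self):
    """``otppin=userstore`` must accept only the user's resolver password.

    Creates resolver ``myreso`` (backed by ``PWFILE2``, in which user
    ``cornelius`` has the password ``test``), puts it into realm ``r1``
    and sets the AUTH policy ``otppin=userstore``.  ``auth_otppin`` must
    then reject a wrong password and accept the userstore password.

    The resolver and the realm are deliberately left in place: the
    following tests rely on ``cornelius`` existing in realm ``r1``.
    """
    resolver_id = save_resolver({"resolver": "myreso",
                                 "type": "passwdresolver",
                                 "fileName": PWFILE2})
    self.assertTrue(resolver_id > 0, resolver_id)
    added, failed = set_realm("r1", ["myreso"])
    self.assertEqual(len(failed), 0)
    self.assertEqual(len(added), 1)

    set_policy(name="pol1", scope=SCOPE.AUTH,
               action="{0!s}={1!s}".format(ACTION.OTPPIN,
                                           ACTIONVALUE.USERSTORE))
    try:
        flask_g = FakeFlaskG()
        # created after set_policy(); sibling tests reload the policy
        # object after every policy change, so it presumably caches them
        flask_g.policy_object = PolicyClass()
        # the decorator writes audit data; a fake audit object collects it
        flask_g.audit_object = FakeAudit()
        options = {"g": flask_g}
        cornelius = User("cornelius", realm="r1")

        # a wrong password must be rejected
        self.assertFalse(auth_otppin(self.fake_check_otp, None, "WrongPW",
                                     options=options, user=cornelius))
        # the password stored in the userstore ("test") must be accepted
        self.assertTrue(auth_otppin(self.fake_check_otp, None, "test",
                                    options=options, user=cornelius))
    finally:
        # Runs even when an assertion fails, so a leftover
        # otppin=userstore policy cannot change the outcome of later tests.
        delete_policy("pol1")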
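def test_01_otppin(self):
    """Check the ``none`` and ``tokenpin`` values of the otppin AUTH policy.

    With ``otppin=none`` only an empty PIN is accepted, no matter whether
    the request is identified by a user or by a token.  With
    ``otppin=tokenpin`` the decision is left to the wrapped function,
    here ``self.fake_check_otp``, which (judging by the expected results)
    accepts the PIN ``FAKE`` and rejects ``Wrong Pin``.
    """
    my_user = User("cornelius", realm="r1")
    # Constructed serial: the original enrolled the token without a serial
    # and never removed it; an explicit serial makes cleanup possible.
    serial = "OTPPIN01"
    token = None

    set_policy(name="pol1", scope=SCOPE.AUTH,
               action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.NONE))
    try:
        flask_g = FakeFlaskG()
        flask_g.policy_object = PolicyClass()
        # NOTE(review): the sibling tests also set g.audit_object =
        # FakeAudit(); it was not needed here as originally written.
        options = {"g": flask_g}

        # otppin=none: an empty PIN succeeds for a user ...
        self.assertTrue(auth_otppin(self.fake_check_otp, None, "",
                                    options=options, user=my_user))
        # ... and also when the request is identified by the token and not
        # by a user, since the policy holds for all realms
        token = init_token({"serial": serial, "type": "HOTP",
                            "otpkey": "1234"})
        self.assertTrue(auth_otppin(self.fake_check_otp, token, "",
                                    options=options, user=None))
        # otppin=none: any non-empty PIN fails
        self.assertFalse(auth_otppin(self.fake_check_otp, None, "some pin",
                                     options=options, user=my_user))

        # Replace the policy by otppin=tokenpin.  A fresh PolicyClass is
        # built afterwards, as the original test did; presumably the
        # object does not see policy changes made after its construction.
        delete_policy("pol1")
        set_policy(name="pol1", scope=SCOPE.AUTH,
                   action="{0!s}={1!s}".format(ACTION.OTPPIN,
                                               ACTIONVALUE.TOKENPIN))
        flask_g = FakeFlaskG()
        flask_g.policy_object = PolicyClass()
        options = {"g": flask_g}

        self.assertTrue(auth_otppin(self.fake_check_otp, None, "FAKE",
                                    options=options, user=my_user))
        self.assertFalse(auth_otppin(self.fake_check_otp, None, "Wrong Pin",
                                     options=options, user=my_user))
    finally:
        # Clean up even when an assertion fails so that neither the policy
        # nor the token leaks into the following tests.
        delete_policy("pol1")
        if token is not None:
            remove_token(serial)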
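def test_11_otppin_with_resolvers(self):
    """The otppin policy must distinguish resolvers inside one realm.

    Realm ``myrealm`` is built from two resolvers: ``reso001`` (contains
    ``cornelius``) and ``reso002`` (contains ``userresolver2``).  A policy
    ``otppin=none`` is restricted to ``reso002``.  It must therefore not
    match ``cornelius`` (empty PIN rejected) but must match
    ``userresolver2`` (empty PIN accepted, any other PIN rejected).
    Scoping errors here would let a policy meant for one user population
    silently relax PIN checking for another, so both directions are
    asserted.
    """
    resolver_id = save_resolver({"resolver": "reso001",
                                 "type": "passwdresolver",
                                 "fileName": "tests/testdata/passwords"})
    self.assertTrue(resolver_id > 0)
    resolver_id = save_resolver({"resolver": "reso002",
                                 "type": "passwdresolver",
                                 "fileName": "tests/testdata/pw-2nd-resolver"})
    self.assertTrue(resolver_id > 0)
    try:
        added, failed = set_realm("myrealm", ["reso001", "reso002"])
        self.assertEqual(len(added), 2)
        self.assertEqual(len(failed), 0)

        user_in_reso001 = User("cornelius", realm="myrealm")
        user_in_reso002 = User("userresolver2", realm="myrealm")

        # the policy is limited to resolver reso002 only
        set_policy(name="pol1", scope=SCOPE.AUTH, realm="myrealm",
                   resolver="reso002",
                   action="{0!s}={1!s}".format(ACTION.OTPPIN,
                                               ACTIONVALUE.NONE))
        flask_g = FakeFlaskG()
        flask_g.policy_object = PolicyClass()
        flask_g.audit_object = FakeAudit()
        options = {"g": flask_g}

        # reso001 user: the policy does not apply, so an empty PIN fails
        self.assertFalse(auth_otppin(self.fake_check_otp, None, "",
                                     options=options, user=user_in_reso001))
        # reso002 user: pol1 applies, so an empty PIN succeeds ...
        self.assertTrue(auth_otppin(self.fake_check_otp, None, "",
                                    options=options, user=user_in_reso002))
        # ... and any non-empty PIN fails
        self.assertFalse(auth_otppin(self.fake_check_otp, None, "anyPIN",
                                     options=options, user=user_in_reso002))
    finally:
        # Tear down in the original order (policy, realm, then resolvers)
        # even when an assertion fails, so nothing leaks into later tests.
        delete_policy("pol1")
        delete_realm("myrealm")
        delete_resolver("reso001")
        delete_resolver("reso002")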
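def test_14_otppin_priority(self):
    """Conflicting otppin policies are resolved by priority, never silently.

    ``pol1`` (``otppin=none``) and ``pol2`` (``otppin=tokenpin``) are
    created with the same priority: ``auth_otppin`` must raise
    ``PolicyError`` instead of picking one of them.  Judging by the
    comments and the expected results, a numerically smaller priority
    wins: with ``pol2`` at priority 3, ``pol1`` (2) applies and only an
    empty PIN passes; with ``pol2`` at priority 1 the tokenpin check of
    ``self.fake_check_otp`` applies.
    """
    my_user = User("cornelius", realm="r1")
    # Constructed serial: the original enrolled the token without a serial
    # and never removed it; an explicit serial makes cleanup possible.
    serial = "OTPPIN14"
    token = None

    set_policy(name="pol1", scope=SCOPE.AUTH,
               action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.NONE),
               priority=2)
    set_policy(name="pol2", scope=SCOPE.AUTH,
               action="{0!s}={1!s}".format(ACTION.OTPPIN,
                                           ACTIONVALUE.TOKENPIN),
               priority=2)
    try:
        flask_g = FakeFlaskG()
        flask_g.policy_object = PolicyClass()
        flask_g.audit_object = FakeAudit()
        options = {"g": flask_g}

        # equal priorities -> conflicting policies must be reported
        with self.assertRaises(PolicyError):
            auth_otppin(self.fake_check_otp, None, "",
                        options=options, user=my_user)

        # lower pol2 priority (3 > 2), then reload so the change is seen
        set_policy(name="pol2", priority=3)
        flask_g.policy_object.reload_from_db()

        # pol1 (otppin=none) applies: an empty PIN succeeds for a user ...
        self.assertTrue(auth_otppin(self.fake_check_otp, None, "",
                                    options=options, user=my_user))
        # ... and also when the request is identified by the token and not
        # by a user, since the policy holds for all realms
        token = init_token({"serial": serial, "type": "HOTP",
                            "otpkey": "1234"})
        self.assertTrue(auth_otppin(self.fake_check_otp, token, "",
                                    options=options, user=None))
        # otppin=none: any non-empty PIN fails
        self.assertFalse(auth_otppin(self.fake_check_otp, None, "some pin",
                                     options=options, user=my_user))

        # increase pol2 priority (1 < 2), reload: otppin=tokenpin applies
        set_policy(name="pol2", priority=1)
        flask_g.policy_object.reload_from_db()

        self.assertTrue(auth_otppin(self.fake_check_otp, None, "FAKE",
                                    options=options, user=my_user))
        self.assertFalse(auth_otppin(self.fake_check_otp, None, "Wrong Pin",
                                     options=options, user=my_user))
    finally:
        # Clean up even when an assertion fails so that neither the
        # policies nor the token leak into the following tests.
        delete_policy("pol1")
        delete_policy("pol2")
        if token is not None:
            remove_token(serial)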