def test_16_ordered_resolver(self):
rid = save_resolver({"resolver": "resolver2",
"type": "passwdresolver",
"fileName": PWFILE})
rid = save_resolver({"resolver": "reso4",
"type": "passwdresolver",
"fileName": PWFILE})
(added, failed) = set_realm("sort_realm",
["resolver1", "resolver2", "reso3",
"reso4"],
priority={"resolver1": 30,
"resolver2": 10,
"reso3": 27,
"reso4": 5})
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 4)
root = User("root", "sort_realm")
r = root.get_ordererd_resolvers()
self.assertEqual(r[0], "reso4")
self.assertEqual(r[1], "resolver2")
self.assertEqual(r[2], "reso3")
self.assertEqual(r[3], "resolver1")
delete_realm("sort_realm")
def test_16_ordered_resolver(self):
rid = save_resolver({
"resolver": "resolver2",
"type": "passwdresolver",
"fileName": PWFILE
})
rid = save_resolver({
"resolver": "reso4",
"type": "passwdresolver",
"fileName": PWFILE
})
(added,
failed) = set_realm("sort_realm",
["resolver1", "resolver2", "reso3", "reso4"],
priority={
"resolver1": 30,
"resolver2": 10,
"reso3": 27,
"reso4": 5
})
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 4)
root = User("root", "sort_realm")
r = root.get_ordererd_resolvers()
self.assertEqual(r[0], "reso4")
self.assertEqual(r[1], "resolver2")
self.assertEqual(r[2], "reso3")
self.assertEqual(r[3], "resolver1")
delete_realm("sort_realm")
def test_01_create_realm(self):
rid = save_resolver({"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": "/etc/passwd"})
self.assertTrue(rid > 0, rid)
rid = save_resolver({"resolver": self.resolvername2,
"type": "passwdresolver",
"fileName": "/etc/secrets"})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1,
[self.resolvername1,
self.resolvername2])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 2)
# test the realms
realms = get_realms()
self.assertTrue(self.realm1 in realms, realms)
self.assertTrue(realms.get("realm1").get("default"), realms)
# try to create realm with invalid name
self.assertRaises(Exception, set_realm, "#####")
# update the resolver list:
(added, failed) = set_realm(self.realm1,
[self.resolvername1,
"non exiting"])
self.assertTrue(len(failed) == 1)
self.assertTrue(len(added) == 1)
self.assertTrue(realm_is_defined(self.realm1))
self.assertTrue(realm_is_defined("non exist") is False)
def test_02_failing_resolver(self):
ldap3mock.setLDAPDirectory([])
# define, that we want to get an exception
ldap3mock.set_exception()
# Create an LDAP Realm as default realm
params = {
'LDAPURI':
'ldap://localhost',
'LDAPBASE':
'o=test',
'BINDDN':
'cn=manager,ou=example,o=test',
'BINDPW':
'ldaptest',
'LOGINNAMEATTRIBUTE':
'cn',
'LDAPSEARCHFILTER':
'(cn=*)',
'USERINFO':
'{ "username": "******",'
'"phone" : "telephoneNumber", '
'"mobile" : "mobile"'
', "email" : "mail", '
'"surname" : "sn", '
'"givenname" : "givenName" }',
'UIDTYPE':
'DN',
"resolver":
"ldap1",
"type":
"ldapresolver"
}
save_resolver(params)
set_realm("ldap1", ["ldap1"])
set_default_realm("ldap1")
# Try to login as internal admin with a failing LDAP resolver
with mock.patch("logging.Logger.warning") as mock_log:
with self.app.test_request_context('/auth',
method='POST',
data={
"username": "******",
"password": "******"
}):
res = self.app.full_dispatch_request()
self.assertEqual(200, res.status_code, res)
result = res.json.get("result")
self.assertTrue(result.get("status"), result)
self.assertIn('token', result.get("value"), result)
# role should be 'admin'
self.assertEqual('admin', result['value']['role'], result)
mock_log.assert_called_once_with(
"Problem resolving user testadmin in realm ldap1: LDAP request failed."
)
delete_realm("ldap1")
delete_resolver("ldap1")
ldap3mock.set_exception(False)
def test_13_update_resolver(self):
ldap3mock.setLDAPDirectory(LDAPDirectory)
# --------------------------------
# First we create an LDAP resolver
rid = save_resolver(
{
"resolver": "myLDAPres",
"type": "ldapresolver",
"LDAPURI": "ldap://localhost",
"LDAPBASE": "o=test",
"BINDDN": "cn=manager,ou=example,o=test",
"BINDPW": "ldaptest",
"LOGINNAMEATTRIBUTE": "cn",
"LDAPSEARCHFILTER": "(cn=*)",
"LDAPFILTER": "(&(cn=%s))",
"USERINFO": '{ "username": "******",'
'"phone" : "telephoneNumber", '
'"mobile" : "mobile"'
', "email" : "mail", '
'"surname" : "sn", '
'"givenname" : "givenName" }',
"UIDTYPE": "DN",
}
)
self.assertTrue(rid > 0, rid)
reso_list = get_resolver_list()
self.assertTrue("myLDAPres" in reso_list, reso_list)
ui = ResolverConfig.query.filter(ResolverConfig.Key == "USERINFO").first().Value
# Check that the email is contained in the UI
self.assertTrue("email" in ui, ui)
# --------------------------------
# Then we update the LDAP resolver
rid = save_resolver(
{
"resolver": "myLDAPres",
"type": "ldapresolver",
"LDAPURI": "ldap://localhost",
"LDAPBASE": "o=test",
"BINDDN": "cn=manager,ou=example,o=test",
"BINDPW": "ldaptest",
"LOGINNAMEATTRIBUTE": "cn",
"LDAPSEARCHFILTER": "(cn=*)",
"LDAPFILTER": "(&(cn=%s))",
"USERINFO": '{ "username": "******",'
'"phone" : "telephoneNumber", '
'"surname" : "sn", '
'"givenname" : "givenName" }',
"UIDTYPE": "DN",
}
)
self.assertTrue(rid > 0, rid)
reso_list = get_resolver_list(filter_resolver_name="myLDAPres")
# TODO check the data
ui = ResolverConfig.query.filter(ResolverConfig.Key == "USERINFO").first().Value
# Check that the email is NOT contained in the UI
self.assertTrue("email" not in ui, ui)
def test_12_multiple_resolvers(self):
# one realm, two SQL resolvers
parameters_a = self.sql_parameters.copy()
# first resolver only contains users with phone numbers
parameters_a['Where'] = 'phone LIKE %'
parameters_a['resolver'] = 'reso_a'
rid_a = save_resolver(parameters_a)
self.assertTrue(rid_a > 0, rid_a)
# second resolver contains all users
parameters_b = self.sql_parameters.copy()
parameters_b['resolver'] = 'reso_b'
rid_b = save_resolver(parameters_b)
self.assertTrue(rid_b > 0, rid_b)
# First ask reso_a, then reso_b
(added, failed) = set_realm(self.sql_realm, ['reso_a', 'reso_b'], {
'reso_a': 1,
'reso_b': 2
})
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 2)
# Now, query the user and populate the cache
self.assertEqual(UserCache.query.count(), 0)
user1 = User('wordpressuser', self.sql_realm)
self.assertEqual(user1.uid, '6')
# Assert it was found in reso_b (as it does not have a phone number)!
self.assertEqual(user1.resolver, 'reso_b')
self.assertEqual(
UserCache.query.filter(UserCache.username == 'wordpressuser',
UserCache.user_id == 6).one().resolver,
'reso_b')
# Add a phone number. We do not use the User API to do that to simulate that the change is performed
# out of privacyIDEA's control. Using `update_user_info` would invalidate the cache, which would be unrealistic.
info = user1.info
new_info = info.copy()
new_info['phone'] = '123456'
get_resolver_object('reso_a').update_user(user1.uid, new_info)
# Ensure that the user's association with reso_b is still cached.
self.assertEqual(
UserCache.query.filter(UserCache.username == 'wordpressuser',
UserCache.user_id == 6).one().resolver,
'reso_b')
# Now, it should be located in reso_a!
user2 = User('wordpressuser', self.sql_realm)
self.assertEqual(user2.uid, '6')
self.assertEqual(user2.resolver, 'reso_a')
# ... but the cache still contains entries for both!
resolver_query = UserCache.query.filter(
UserCache.username == 'wordpressuser',
UserCache.user_id == 6).order_by(UserCache.timestamp.desc())
cached_resolvers = [entry.resolver for entry in resolver_query.all()]
self.assertEqual(cached_resolvers, ['reso_a', 'reso_b'])
# Remove the phone number.
get_resolver_object('reso_a').update_user(user1.uid, {'phone': None})
delete_realm(self.sql_realm)
delete_resolver('reso_a')
delete_resolver('reso_b')
def test_01_create_resolver(self):
rid = save_resolver(
{
"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": "/etc/passwd",
"type.fileName": "string",
"desc.fileName": "The name of the file",
}
)
self.assertTrue(rid > 0, rid)
# description with missing main key
params = {"resolver": "reso2", "type": "passwdresolver", "type.fileName": "string"}
self.assertRaises(Exception, save_resolver, params)
# type with missing main key
params = {"resolver": "reso2", "type": "passwdresolver", "desc.fileName": "The file name"}
self.assertRaises(Exception, save_resolver, params)
# not allowed resolver name
params = {"resolver": "res with blank", "type": "passwdresolver"}
self.assertRaises(Exception, save_resolver, params)
# unknown type
params = {"resolver": "validname", "type": "unknown_type"}
self.assertRaises(Exception, save_resolver, params)
# same name with different type
params = {"resolver": self.resolvername1, "type": "ldapresolver", "fileName": "/etc/secrets"}
self.assertRaises(Exception, save_resolver, params)
# similar name with different type
params = {"resolver": "Resolver1", "type": "ldapresolver", "fileName": "/etc/secrets"}
self.assertRaises(Exception, save_resolver, params)
# check that the resolver was successfully created
reso_list = get_resolver_list()
self.assertTrue(self.resolvername1 in reso_list)
# test error: type without data
params = {"resolver": self.resolvername2, "type": "ldapresolver", "type.BindPW": "topsecret"}
self.assertRaises(Exception, save_resolver, params)
# test error: description without data
params = {"resolver": self.resolvername2, "type": "ldapresolver", "desc.BindPW": "something else"}
self.assertRaises(Exception, save_resolver, params)
# key not supported by the resolver
# The resolver is created anyway
params = {"resolver": self.resolvername2, "type": "passwdresolver", "UnknownKey": "something else"}
rid = save_resolver(params)
self.assertTrue(rid > 0)
# check that the resolver was successfully created
reso_list = get_resolver_list()
self.assertTrue(self.resolvername2 in reso_list)
def test_12_multiple_resolvers(self):
# one realm, two SQL resolvers
parameters_a = self.sql_parameters.copy()
# first resolver only contains users with phone numbers
parameters_a['Where'] = 'phone LIKE %'
parameters_a['resolver'] = 'reso_a'
rid_a = save_resolver(parameters_a)
self.assertTrue(rid_a > 0, rid_a)
# second resolver contains all users
parameters_b = self.sql_parameters.copy()
parameters_b['resolver'] = 'reso_b'
rid_b = save_resolver(parameters_b)
self.assertTrue(rid_b > 0, rid_b)
# First ask reso_a, then reso_b
(added, failed) = set_realm(self.sql_realm, ['reso_a', 'reso_b'], {
'reso_a': 1,
'reso_b': 2
})
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 2)
# Now, query the user and populate the cache
self.assertEqual(UserCache.query.count(), 0)
user1 = User('wordpressuser', self.sql_realm)
self.assertEqual(user1.uid, 6)
# Assert it was found in reso_b (as it does not have a phone number)!
self.assertEqual(user1.resolver, 'reso_b')
self.assertEqual(UserCache.query.filter(UserCache.username == 'wordpressuser',
UserCache.user_id == 6).one().resolver,
'reso_b')
# Add a phone number. We do not use the User API to do that to simulate that the change is performed
# out of privacyIDEA's control. Using `update_user_info` would invalidate the cache, which would be unrealistic.
info = user1.info
new_info = info.copy()
new_info['phone'] = '123456'
get_resolver_object('reso_a').update_user(user1.uid, new_info)
# Ensure that the user's association with reso_b is still cached.
self.assertEqual(UserCache.query.filter(UserCache.username == 'wordpressuser',
UserCache.user_id == 6).one().resolver,
'reso_b')
# Now, it should be located in reso_a!
user2 = User('wordpressuser', self.sql_realm)
self.assertEqual(user2.uid, 6)
self.assertEqual(user2.resolver, 'reso_a')
# ... but the cache still contains entries for both!
resolver_query = UserCache.query.filter(UserCache.username == 'wordpressuser',
UserCache.user_id == 6).order_by(UserCache.timestamp.desc())
cached_resolvers = [entry.resolver for entry in resolver_query.all()]
self.assertEqual(cached_resolvers, ['reso_a', 'reso_b'])
# Remove the phone number.
get_resolver_object('reso_a').update_user(user1.uid, {'phone': None})
delete_realm(self.sql_realm)
delete_resolver('reso_a')
delete_resolver('reso_b')
def test_11_otppin_with_resolvers(self):
# This tests, if the otppin policy differentiates between users in
# the same realm but in different resolvers.
r = save_resolver({"resolver": "reso001",
"type": "passwdresolver",
"fileName": "tests/testdata/passwords"})
# user "cornelius" is in resolver reso001
self.assertTrue(r > 0)
r = save_resolver({"resolver": "reso002",
"type": "passwdresolver",
"fileName": "tests/testdata/pw-2nd-resolver"})
# user "userresolver2" is in resolver reso002
self.assertTrue(r > 0)
(added, failed) = set_realm("myrealm", ["reso001", "reso002"])
self.assertEqual(len(added), 2)
self.assertEqual(len(failed), 0)
my_user_1 = User("cornelius", realm="myrealm")
my_user_2 = User("userresolver2", realm="myrealm")
# We set a policy only for resolver reso002
set_policy(name="pol1",
scope=SCOPE.AUTH,
realm="myrealm",
resolver="reso002",
action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.NONE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# user in reso001 fails with empty PIN, since the policy does not
# match for him
r = auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user_1)
self.assertFalse(r)
# user in reso002 succeeds with empty PIN, since policy pol1 matches
# for him
r = auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user_2)
self.assertTrue(r)
# user in reso002 fails with any PIN, since policy pol1 matches
# for him
r = auth_otppin(self.fake_check_otp, None,
"anyPIN", options=options, user=my_user_2)
self.assertFalse(r)
delete_policy("pol1")
delete_realm("myrealm")
delete_resolver("reso001")
delete_resolver("reso002")
def test_11_otppin_with_resolvers(self):
# This tests, if the otppin policy differentiates between users in
# the same realm but in different resolvers.
r = save_resolver({"resolver": "reso001",
"type": "passwdresolver",
"fileName": "tests/testdata/passwords"})
# user "cornelius" is in resolver reso001
self.assertTrue(r > 0)
r = save_resolver({"resolver": "reso002",
"type": "passwdresolver",
"fileName": "tests/testdata/pw-2nd-resolver"})
# user "userresolver2" is in resolver reso002
self.assertTrue(r > 0)
(added, failed) = set_realm("myrealm", ["reso001", "reso002"])
self.assertEqual(len(added), 2)
self.assertEqual(len(failed), 0)
my_user_1 = User("cornelius", realm="myrealm")
my_user_2 = User("userresolver2", realm="myrealm")
# We set a policy only for resolver reso002
set_policy(name="pol1",
scope=SCOPE.AUTH,
realm="myrealm",
resolver="reso002",
action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.NONE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# user in reso001 fails with empty PIN, since the policy does not
# match for him
r = auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user_1)
self.assertFalse(r)
# user in reso002 succeeds with empty PIN, since policy pol1 matches
# for him
r = auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user_2)
self.assertTrue(r)
# user in reso002 fails with any PIN, since policy pol1 matches
# for him
r = auth_otppin(self.fake_check_otp, None,
"anyPIN", options=options, user=my_user_2)
self.assertFalse(r)
delete_policy("pol1")
delete_realm("myrealm")
delete_resolver("reso001")
delete_resolver("reso002")
def _create_sql_realm(self):
rid = save_resolver(self.sql_parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.sql_realm, [self.sql_resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
def test_14_create_delete_user(self):
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
# Create the user
uid = create_user(resolver, {"username": "******",
"givenname": "achmed"},
password="******")
self.assertTrue(uid > 6)
user = User("achmed3", realm=realm)
r = user.check_password("secret")
# delete user
r = user.delete()
self.assertTrue(r)
def test_03_is_password_reset(self):
# create resolver and realm
param = self.parameters
param["resolver"] = "register"
param["type"] = "sqlresolver"
r = save_resolver(param)
self. assertTrue(r > 0)
added, failed = set_realm("register", resolvers=["register"])
self.assertTrue(added > 0)
self.assertEqual(len(failed), 0)
# No user policy at all
r = is_password_reset()
self.assertEqual(r, True)
# create policy
set_policy(name="pwrest", scope=SCOPE.USER, action=ACTION.PASSWORDRESET)
r = is_password_reset()
self.assertEqual(r, True)
# create policy that does not allow password_reset
set_policy(name="pwrest", scope=SCOPE.USER, action=ACTION.DELETE)
r = is_password_reset()
self.assertEqual(r, False)
def _create_ldap_realm(self):
rid = save_resolver(self.ldap_parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.ldap_realm, [self.ldap_resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
def setUp_sqlite_resolver_realm(self, sqlite_file, realm):
parameters = {
'resolver':
"sqlite_resolver",
"type":
"sqlresolver",
'Driver':
'sqlite',
'Server':
'/tests/testdata/',
'Database':
sqlite_file,
'Table':
'users',
'Encoding':
'utf8',
'Editable':
True,
'Map':
"""{ "username": "******",
"userid" : "id",
"email" : "email",
"surname" : "name",
"givenname" : "givenname",
"password" : "password",
"phone": "phone",
"mobile": "mobile"}"""
}
r = save_resolver(parameters)
self.assertTrue(r)
success, fail = set_realm(realm, ["sqlite_resolver"])
self.assertEqual(len(success), 1)
self.assertEqual(len(fail), 0)
def test_09_get_user_from_param(self):
user = get_user_from_param({"user": "******"})
self.assertTrue(user.realm == self.realm1, user)
self.assertTrue(user.resolver == self.resolvername1, user)
user = get_user_from_param({"realm": self.realm1})
self.assertTrue(user.realm == self.realm1, user)
self.assertTrue(user.login == "", user)
self.assertTrue(user.resolver == "", user.resolver)
user = get_user_from_param({
"user": "******",
"resolver": self.resolvername1
})
self.assertTrue(user.realm == self.realm1, user)
# create a realm, where cornelius is in two resolvers!
rid = save_resolver({
"resolver": self.resolvername3,
"type": "passwdresolver",
"fileName": PWFILE2
})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm2,
[self.resolvername1, self.resolvername3])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 2)
# get user cornelius, who is in two resolvers!
param = {"user": "******", "realm": self.realm2}
user = get_user_from_param(param)
self.assertEqual("{0!s}".format(user), "<cornelius.resolver1@realm2>")
def setUp_user_realm2(self):
# create user realm
rid = save_resolver({
"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE
})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm2, [self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
user = User(login="******",
realm=self.realm2,
resolver=self.resolvername1)
user_str = "{0!s}".format(user)
self.assertTrue(user_str == "<root.resolver1@realm2>", user_str)
self.assertFalse(user.is_empty())
self.assertTrue(User().is_empty())
user_repr = "{0!r}".format(user)
expected = "User(login='******', realm='realm2', resolver='resolver1')"
self.assertTrue(user_repr == expected, user_repr)
def test_02_userstore_password(self):
# create a realm, where cornelius has a password test
rid = save_resolver({"resolver": "myreso",
"type": "passwdresolver",
"fileName": PWFILE2})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm("r1", ["myreso"])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
# now create a policy with userstore PW
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="%s=%s" % (ACTION.OTPPIN, ACTIONVALUE.USERSTORE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
options = {"g": g}
# Wrong password
r = auth_otppin(self.fake_check_otp, None,
"WrongPW", options=options,
user=User("cornelius", realm="r1"))
self.assertFalse(r)
# Correct password from userstore: "test"
r = auth_otppin(self.fake_check_otp, None,
"test", options=options,
user=User("cornelius", realm="r1"))
self.assertTrue(r)
delete_policy("pol1")
def _create_user_wordy(self):
"""
This creates a user "wordy" in the realm "sqlrealm"
"""
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
with self.app.test_request_context('/user/',
method='POST',
data={"user": "******",
"resolver": resolver,
"surname": "zappa",
"givenname": "frank",
"email": "*****@*****.**",
"phone": "12345",
"mobile": "12345",
"password": "******"},
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = res.json.get("result")
self.assertTrue(result.get("value") > 6, result.get("value"))
def test_04_create_recovery_nonascii(self):
smtpmock.setdata(response={"*****@*****.**": (200, "OK")})
recoverycode = "reccode"
# create resolver and realm
param = self.parameters
param["resolver"] = "register"
param["type"] = "sqlresolver"
r = save_resolver(param)
self.assertTrue(r > 0)
# recover password with "recovery.identifier"
r = add_smtpserver(identifier="myserver", server="1.2.3.4")
self.assertTrue(r > 0)
set_privacyidea_config("recovery.identifier", "myserver")
r = create_recoverycode(User(u"nönäscii", "register"),
recoverycode=recoverycode)
self.assertEqual(r, True)
user = User(u"nönäscii", "register")
r = check_recoverycode(user, recoverycode)
self.assertEqual(r, True)
# The recovery code is not valid a second time
r = check_recoverycode(user, recoverycode)
self.assertEqual(r, False)
def setUp_user_realm2(self):
# create user realm
rid = save_resolver({"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm2,
[self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
user = User(login="******",
realm=self.realm2,
resolver=self.resolvername1)
user_str = "{0!s}".format(user)
self.assertTrue(user_str == "<root.resolver1@realm2>", user_str)
self.assertFalse(user.is_empty())
self.assertTrue(User().is_empty())
user_repr = "{0!r}".format(user)
expected = "User(login='******', realm='realm2', resolver='resolver1')"
self.assertTrue(user_repr == expected, user_repr)
def test_09_get_user_from_param(self):
user = get_user_from_param({"user": "******"})
self.assertTrue(user.realm == self.realm1, user)
self.assertTrue(user.resolver == self.resolvername1, user)
user = get_user_from_param({"realm": self.realm1})
self.assertTrue(user.realm == self.realm1, user)
self.assertTrue(user.login == "", user)
self.assertTrue(user.resolver == "", user.resolver)
user = get_user_from_param({"user": "******",
"resolver": self.resolvername1})
self.assertTrue(user.realm == self.realm1, user)
# create a realm, where cornelius is in two resolvers!
rid = save_resolver({"resolver": self.resolvername3,
"type": "passwdresolver",
"fileName": PWFILE2})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm2,
[self.resolvername1,
self.resolvername3])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 2)
# get user cornelius, who is in two resolvers!
param = {"user": "******",
"realm": self.realm2}
user = get_user_from_param(param)
self.assertEqual("{0!s}".format(user), "<cornelius.resolver1@realm2>")
def test_02_userstore_password(self):
# create a realm, where cornelius has a password test
rid = save_resolver({"resolver": "myreso",
"type": "passwdresolver",
"fileName": PWFILE2})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm("r1", ["myreso"])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
# now create a policy with userstore PW
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.USERSTORE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# Wrong password
r = auth_otppin(self.fake_check_otp, None,
"WrongPW", options=options,
user=User("cornelius", realm="r1"))
self.assertFalse(r)
# Correct password from userstore: "test"
r = auth_otppin(self.fake_check_otp, None,
"test", options=options,
user=User("cornelius", realm="r1"))
self.assertTrue(r)
delete_policy("pol1")
def test_13_update_user(self):
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
user = User(login="******", realm=realm)
uinfo = user.info
self.assertEqual(uinfo.get("givenname", ""), "")
user.update_user_info({
"givenname": "wordy",
"username": "******"
})
uinfo = user.info
self.assertEqual(uinfo.get("givenname"), "wordy")
self.assertEqual(user.login, "WordpressUser")
user.update_user_info({"givenname": "", "username": "******"})
def test_17_check_nonascii_user(self):
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
# check non-ascii password of non-ascii user
self.assertFalse(User(login=u"nönäscii",
realm=realm).check_password("wrong"))
self.assertTrue(User(login=u"nönäscii",
realm=realm).check_password(u"sömepassword"))
# check proper unicode() and str() handling
user_object = User(login=u"nönäscii", realm=realm)
if six.PY2:
self.assertEqual(unicode(user_object), u'<nönäscii.SQL1@sqlrealm>')
self.assertEqual(str(user_object), '<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>')
else:
self.assertEqual(six.text_type(user_object), u'<nönäscii.SQL1@sqlrealm>')
self.assertEqual(six.text_type(user_object).encode('utf8'),
b'<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>')
def test_00_create_user(self):
rid = save_resolver({
"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE
})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1, [self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
user = User(login="******",
realm=self.realm1,
resolver=self.resolvername1)
user_str = "{0!s}".format(user)
self.assertTrue(user_str == "<root.resolver1@realm1>", user_str)
# check proper unicode() / str() handling
if six.PY2:
self.assertIsInstance(str(user), bytes)
self.assertIsInstance(unicode(user), unicode)
else:
self.assertIsInstance(six.text_type(user), six.text_type)
self.assertFalse(user.is_empty())
self.assertTrue(User().is_empty())
user_repr = "{0!r}".format(user)
expected = "User(login='******', realm='realm1', resolver='resolver1')"
self.assertTrue(user_repr == expected, user_repr)
def test_00_create_user(self):
rid = save_resolver({
"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE
})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1, [self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
user = User(login="******",
realm=self.realm1,
resolver=self.resolvername1)
user_str = "%s" % user
self.assertTrue(user_str == "<root.resolver1@realm1>", user_str)
self.assertFalse(user.is_empty())
self.assertTrue(User().is_empty())
user_repr = "%r" % user
expected = "User(login='******', realm='realm1', resolver='resolver1')"
self.assertTrue(user_repr == expected, user_repr)
def test_17_check_nonascii_user(self):
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
# check non-ascii password of non-ascii user
self.assertFalse(
User(login=u"nönäscii", realm=realm).check_password("wrong"))
self.assertTrue(
User(login=u"nönäscii",
realm=realm).check_password(u"sömepassword"))
# check proper unicode() and str() handling
user_object = User(login=u"nönäscii", realm=realm)
self.assertEqual(unicode(user_object), u'<nönäscii.SQL1@sqlrealm>')
self.assertEqual(str(user_object),
'<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>')
def test_13_update_user(self):
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
user = User(login="******", realm=realm)
uinfo = user.info
self.assertEqual(uinfo.get("givenname", ""), "")
user.update_user_info({"givenname": "wordy",
"username": "******"})
uinfo = user.info
self.assertEqual(uinfo.get("givenname"), "wordy")
self.assertEqual(user.login, "WordpressUser")
user.update_user_info({"givenname": "",
"username": "******"})
def test_00_create_user(self):
rid = save_resolver({"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1,
[self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
user = User(login="******",
realm=self.realm1,
resolver=self.resolvername1)
user_str = "{0!s}".format(user)
self.assertTrue(user_str == "<root.resolver1@realm1>", user_str)
# check proper unicode() and str() handling
self.assertIsInstance(str(user), bytes)
self.assertIsInstance(unicode(user), unicode)
self.assertFalse(user.is_empty())
self.assertTrue(User().is_empty())
user_repr = "{0!r}".format(user)
expected = "User(login='******', realm='realm1', resolver='resolver1')"
self.assertTrue(user_repr == expected, user_repr)
def test_14_create_delete_user(self):
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
# Create the user
uid = create_user(resolver, {
"username": "******",
"givenname": "achmed"
},
password="******")
self.assertTrue(uid > 6)
user = User("achmed3", realm=realm)
r = user.check_password("secret")
# delete user
r = user.delete()
self.assertTrue(r)
def test_17b_ui_rights_users_in_different_resolvers(self):
# Create a realm with two resolvers
rid = save_resolver({
"resolver": "passwd",
"type": "passwdresolver",
"fileName": FILE_PASSWD
})
self.assertTrue(rid > 0, rid)
rid = save_resolver({
"resolver": "passwords",
"type": "passwdresolver",
"fileName": FILE_PASSWORDS
})
self.assertTrue(rid > 0, rid)
# create user realm
(added, failed) = set_realm("realm4", ["passwd", "passwords"])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 2)
# A user may do something else...
set_policy(name="userpol41",
scope=SCOPE.USER,
action="enable",
realm="realm4",
resolver="passwd")
set_policy(name="userpol42",
scope=SCOPE.USER,
action="remove",
realm="realm4",
resolver="passwords")
P = PolicyClass()
# The two users are in different resolvers and get different rights
rights = P.ui_get_rights(SCOPE.USER, "realm4", "postfix")
self.assertEqual(set(rights), {"enable", "disable"})
rights = P.ui_get_rights(SCOPE.USER, "realm4", "usernotoken")
self.assertEqual(set(rights), {"disable", "remove"})
delete_policy("userpol41")
delete_policy("userpol42")
delete_realm("realm4")
delete_resolver("passwords")
delete_resolver("passwd")
def test_01_create_realm(self):
rid = save_resolver({
"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": "/etc/passwd"
})
self.assertTrue(rid > 0, rid)
rid = save_resolver({
"resolver": self.resolvername2,
"type": "passwdresolver",
"fileName": "/etc/secrets"
})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1,
[self.resolvername1, self.resolvername2])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 2)
(added, failed) = set_realm(self.realm_dot,
[self.resolvername1, self.resolvername2])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 2)
# test the realms
realms = get_realms()
self.assertTrue(self.realm1 in realms, realms)
self.assertTrue(realms.get("realm1").get("default"), realms)
self.assertTrue(self.realm_dot in realms, realms)
# delete dot realm
delete_realm(self.realm_dot)
# try to create realm with invalid name
self.assertRaises(Exception, set_realm, "#####")
# update the resolver list:
(added, failed) = set_realm(self.realm1,
[self.resolvername1, "non exiting"])
self.assertTrue(len(failed) == 1)
self.assertTrue(len(added) == 1)
self.assertTrue(realm_is_defined(self.realm1))
self.assertTrue(realm_is_defined("non exist") is False)
def test_07_invalidate_save_resolver(self):
self._create_realm()
self._populate_cache()
# call save_resolver on resolver1, which should invalidate all entries of "resolver1"
# (even the expired 'hans2' one)
save_resolver({"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": self.PWFILE,
"type.fileName": "string",
"desc.fileName": "Some change"
})
self.assertEquals(UserCache.query.count(), 1)
# Only hans3 in resolver2 should still be in the cache
# We can use get_username to ensure it is fetched from the cache
# because resolver2 does not actually exist
u_name = get_username("uid2", "resolver2")
self.assertEquals("hans3", u_name)
delete_user_cache()
self._delete_realm()
def _create_realm(self):
rid = save_resolver({"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": self.PWFILE,
"type.fileName": "string",
"desc.fileName": "The name of the file"})
self.assertTrue(rid > 0, rid)
rid = set_realm(realm=self.realm1, resolvers=[self.resolvername1])
self.assertTrue(rid > 0, rid)
def test_07_invalidate_save_resolver(self):
self._create_realm()
self._populate_cache()
# call save_resolver on resolver1, which should invalidate all entries of "resolver1"
# (even the expired 'hans2' one)
save_resolver({"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": self.PWFILE,
"type.fileName": "string",
"desc.fileName": "Some change"
})
self.assertEquals(UserCache.query.count(), 1)
# Only hans3 in resolver2 should still be in the cache
# We can use get_username to ensure it is fetched from the cache
# because resolver2 does not actually exist
u_name = get_username("uid2", "resolver2")
self.assertEquals("hans3", u_name)
delete_user_cache()
self._delete_realm()
def _create_realm(self):
rid = save_resolver({"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": self.PWFILE,
"type.fileName": "string",
"desc.fileName": "The name of the file"})
self.assertTrue(rid > 0, rid)
rid = set_realm(realm=self.realm1, resolvers=[self.resolvername1])
self.assertTrue(rid > 0, rid)
def create(name, rtype, filename):
"""
Create a new resolver with name and type (ldapresolver, sqlresolver).
Read the necessary resolver parameters from the filename. The file should
contain a python dictionary.
:param name: The name of the resolver
:param rtype: The type of the resolver like ldapresolver or sqlresolver
:param filename: The name of the config file.
:return:
"""
from privacyidea.lib.resolver import save_resolver
import ast
f = open(filename, 'r')
contents = f.read()
f.close()
params = ast.literal_eval(contents)
params["resolver"] = name
params["type"] = rtype
save_resolver(params)
def test_01_admin_and_user_same_name(self):
# Test the logging, if admin and user have the same name (testamdin/testpw)
# Now create a default realm, that contains the used "testadmin"
rid = save_resolver({
"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE
})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1, [self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
set_default_realm(self.realm1)
# If the admin logs in, everything is fine
with mock.patch("logging.Logger.info") as mock_log:
with self.app.test_request_context('/auth',
method='POST',
data={
"username": "******",
"password": "******"
}):
res = self.app.full_dispatch_request()
self.assertEqual(200, res.status_code, res)
result = res.json.get("result")
self.assertTrue(result.get("status"), result)
self.assertIn('token', result.get("value"), result)
# role should be 'admin'
self.assertEqual('admin', result['value']['role'], result)
mock_log.assert_called_with(
"Local admin 'testadmin' successfully logged in.")
# If a user logs in, with the same name as the admin, this event is logged in warning
with mock.patch("logging.Logger.warning") as mock_log:
with self.app.test_request_context('/auth',
method='POST',
data={
"username": "******",
"password": "******"
}):
res = self.app.full_dispatch_request()
self.assertEqual(200, res.status_code, res)
result = res.json.get("result")
self.assertTrue(result.get("status"), result)
self.assertIn('token', result.get("value"), result)
# role should be 'user'
self.assertEqual('user', result['value']['role'], result)
# check if we have this log entry
mock_log.assert_called_with(
"A user 'testadmin' exists as local admin and as user "
"in your default realm!")
def test_12_resolver_priority(self):
# Test the priority of resolvers.
# we create resolvers with the same user in it. Depending on the
# priority we either get the one or the other user.
save_resolver({"resolver": "double1",
"type": "passwdresolver",
"fileName": PWFILE})
save_resolver({"resolver": "double2",
"type": "passwdresolver",
"fileName": PWFILE})
save_resolver({"resolver": "double3",
"type": "passwdresolver",
"fileName": PWFILE})
(added, failed) = set_realm("double",
["double1", "double2", "double3"],
priority={"double1": 2,
"double2": 1,
"double3": 3})
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 3)
user = get_user_from_param({"user": "******", "realm": "double"})
self.assertEqual(user.resolver, "double2")
(added, failed) = set_realm("double",
["double1", "double2", "double3"],
priority={"double1": 3,
"double2": 2,
"double3": 1})
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 3)
user = get_user_from_param({"user": "******", "realm": "double"})
self.assertEqual(user.resolver, "double3")
def test_12_resolver_priority(self):
# Test the priority of resolvers.
# we create resolvers with the same user in it. Depending on the
# priority we either get the one or the other user.
save_resolver({"resolver": "double1",
"type": "passwdresolver",
"fileName": PWFILE})
save_resolver({"resolver": "double2",
"type": "passwdresolver",
"fileName": PWFILE})
save_resolver({"resolver": "double3",
"type": "passwdresolver",
"fileName": PWFILE})
(added, failed) = set_realm("double",
["double1", "double2", "double3"],
priority={"double1": 2,
"double2": 1,
"double3": 3})
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 3)
user = get_user_from_param({"user": "******", "realm": "double"})
self.assertEqual(user.resolver, "double2")
(added, failed) = set_realm("double",
["double1", "double2", "double3"],
priority={"double1": 3,
"double2": 2,
"double3": 1})
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 3)
user = get_user_from_param({"user": "******", "realm": "double"})
self.assertEqual(user.resolver, "double3")
def test_37_is_orphaned(self):
resolver = "orphreso"
realm = "orphrealm"
rid = save_resolver({"resolver": resolver,
"type": "passwdresolver",
"fileName": PWFILE})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm,
[resolver])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
# Assign token to user "cornelius" "realm1", "resolver1" "uid=1000
db_token = Token("orphaned", tokentype="spass", userid=1000,
resolver=resolver, realm=realm)
db_token.save()
token_obj = TokenClass(db_token)
orph = token_obj.is_orphaned()
self.assertFalse(orph)
# clean up token
token_obj.delete_token()
# Assign a token to a user in a resolver. user_id does not exist
db_token = Token("orphaned", tokentype="spass", userid=872812,
resolver=resolver, realm=realm)
db_token.save()
token_obj = TokenClass(db_token)
orph = token_obj.is_orphaned()
self.assertTrue(orph)
# clean up token
token_obj.delete_token()
# A token, which a resolver name, that does not exist anymore
db_token = Token("orphaned", tokentype="spass", userid=1000,
resolver=resolver, realm=realm)
db_token.save()
# delete the realm
delete_realm(realm)
# token is orphaned
token_obj = TokenClass(db_token)
orph = token_obj.is_orphaned()
self.assertTrue(orph)
# delete the resolver
delete_resolver(resolver)
# token is orphaned
token_obj = TokenClass(db_token)
orph = token_obj.is_orphaned()
self.assertTrue(orph)
# clean up token
token_obj.delete_token()
def test_37_is_orphaned(self):
resolver = "orphreso"
realm = "orphrealm"
rid = save_resolver({"resolver": resolver,
"type": "passwdresolver",
"fileName": PWFILE})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm,
[resolver])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
# Assign token to user "cornelius" "realm1", "resolver1" "uid=1000
db_token = Token("orphaned", tokentype="spass", userid=1000,
resolver=resolver, realm=realm)
db_token.save()
token_obj = TokenClass(db_token)
orph = token_obj.is_orphaned()
self.assertFalse(orph)
# clean up token
token_obj.delete_token()
# Assign a token to a user in a resolver. user_id does not exist
db_token = Token("orphaned", tokentype="spass", userid=872812,
resolver=resolver, realm=realm)
db_token.save()
token_obj = TokenClass(db_token)
orph = token_obj.is_orphaned()
self.assertTrue(orph)
# clean up token
token_obj.delete_token()
# A token, which a resolver name, that does not exist anymore
db_token = Token("orphaned", tokentype="spass", userid=1000,
resolver=resolver, realm=realm)
db_token.save()
# delete the realm
delete_realm(realm)
# token is orphaned
token_obj = TokenClass(db_token)
orph = token_obj.is_orphaned()
self.assertTrue(orph)
# delete the resolver
delete_resolver(resolver)
# token is orphaned
token_obj = TokenClass(db_token)
orph = token_obj.is_orphaned()
self.assertTrue(orph)
# clean up token
token_obj.delete_token()
def test_18_user_with_several_phones(self):
ldap3mock.setLDAPDirectory(LDAPDirectory_small)
params = ({
'LDAPURI':
'ldap://localhost',
'LDAPBASE':
'o=test',
'BINDDN':
'cn=manager,ou=example,o=test',
'BINDPW':
'ldaptest',
'LOGINNAMEATTRIBUTE':
'cn',
'LDAPSEARCHFILTER':
'(|(cn=*))', # we use this weird search filter to get a unique resolver ID
'USERINFO':
'{ "username": "******",'
'"phone" : "telephoneNumber", '
'"mobile" : "mobile"'
', "email" : "mail", '
'"surname" : "sn", '
'"givenname" : "givenName" }',
'UIDTYPE':
'objectGUID',
'NOREFERRALS':
True,
'CACHE_TIMEOUT':
0
})
params["resolver"] = "ldapresolver"
params["type"] = "ldapresolver"
rid = save_resolver(params)
self.assertTrue(rid > 0)
(added, failed) = set_realm("ldap", ["ldapresolver"])
self.assertEqual(len(added), 1)
self.assertEqual(len(failed), 0)
u = User("salesman", "ldap")
# get the complete list
r = u.get_user_phone("mobile")
self.assertEqual(r, ["1234", "3456"])
# get the first entry
r = u.get_user_phone("mobile", index=0)
self.assertEqual(r, "1234")
# Index out of range
r = u.get_user_phone("mobile", index=2)
self.assertEqual(r, "")
delete_realm("ldap")
delete_resolver("ldapresolver")
def test_11_base_resolver_class(self):
save_resolver({"resolver": "baseresolver", "type": "UserIdResolver"})
y = get_resolver_object("baseresolver")
self.assertTrue(y, y)
rtype = y.getResolverType()
self.assertTrue(rtype == "UserIdResolver", rtype)
# close hook
desc = y.getResolverDescriptor()
self.assertTrue("clazz" in desc.get("UserIdResolver"), desc)
self.assertTrue("config" in desc.get("UserIdResolver"), desc)
id = y.getUserId("some user")
self.assertTrue(id == "dummy_user_id", id)
name = y.getUsername("some user")
self.assertTrue(name == "dummy_user_name", name)
self.assertTrue(y.getUserInfo("dummy") == {})
self.assertTrue(len(y.getUserList()) == 1)
self.assertTrue(len(y.getUserList()) == 1)
rid = y.getResolverId()
self.assertTrue(rid == "baseid", rid)
self.assertFalse(y.checkPass("dummy", "pw"))
y.close()
def test_11_base_resolver_class(self):
save_resolver({"resolver": "baseresolver", "type": "UserIdResolver"})
y = get_resolver_object("baseresolver")
self.assertTrue(y, y)
rtype = y.getResolverType()
self.assertTrue(rtype == "UserIdResolver", rtype)
# close hook
desc = y.getResolverDescriptor()
self.assertTrue("clazz" in desc.get("UserIdResolver"), desc)
self.assertTrue("config" in desc.get("UserIdResolver"), desc)
id = y.getUserId("some user")
self.assertTrue(id == "dummy_user_id", id)
name = y.getUsername("some user")
self.assertTrue(name == "dummy_user_name", name)
self.assertTrue(y.getUserInfo("dummy") == {})
self.assertTrue(len(y.getUserList()) == 1)
self.assertTrue(len(y.getUserList()) == 1)
rid = y.getResolverId()
self.assertTrue(rid == "baseid", rid)
self.assertFalse(y.checkPass("dummy", "pw"))
y.close()
def setUp_user_realms(self):
# create user realm
rid = save_resolver({
"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE
})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1a, [self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
(added, failed) = set_realm(self.realm2b, [self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
def test_00_set_ldap_realm(self):
ldap3mock.setLDAPDirectory(LDAPDirectory)
params = {
'LDAPURI':
'ldap://localhost',
'LDAPBASE':
'o=test',
'BINDDN':
'cn=manager,ou=example,o=test',
'BINDPW':
'ldaptest',
'LOGINNAMEATTRIBUTE':
'cn',
'LDAPSEARCHFILTER':
'(cn=*)',
'MULTIVALUEATTRIBUTES':
'["groups"]',
'USERINFO':
'{ "username": "******",'
'"phone" : "telephoneNumber", '
'"mobile" : "mobile"'
', "email" : "mail", '
'"surname" : "sn", '
'"groups": "memberOf", '
'"givenname" : "givenName" }',
'UIDTYPE':
'DN',
"resolver":
"ldapgroups",
"type":
"ldapresolver"
}
r = save_resolver(params)
self.assertTrue(r > 0)
r = set_realm("ldaprealm", resolvers=["ldapgroups"])
set_default_realm("ldaprealm")
self.assertEqual(r, (["ldapgroups"], []))
# find a user, check the groups
alice = User("alice", "ldaprealm")
self.assertEqual(alice.info["groups"],
["cn=admins,o=test", "cn=users,o=test"])
def test_17_check_nonascii_user(self):
realm = u"sqlrealm"
resolver = u"SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
# check non-ascii password of non-ascii user
self.assertFalse(
User(login=u"nönäscii", realm=realm).check_password("wrong"))
self.assertTrue(
User(login=u"nönäscii",
realm=realm).check_password(u"sömepassword"))
# check proper unicode() and str() handling
user_object = User(login=u"nönäscii", realm=realm)
if six.PY2:
self.assertEqual(unicode(user_object), u'<nönäscii.SQL1@sqlrealm>')
self.assertEqual(str(user_object),
'<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>')
else:
self.assertEqual(six.text_type(user_object),
u'<nönäscii.SQL1@sqlrealm>')
self.assertEqual(
six.text_type(user_object).encode('utf8'),
b'<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>')
# also check the User object representation
user_repr = repr(user_object)
if six.PY2:
self.assertEqual(
"User(login=u'n\\xf6n\\xe4scii', "
"realm=u'sqlrealm', resolver=u'SQL1')", user_repr, user_repr)
else:
self.assertEqual(
"User(login='******', "
"realm='sqlrealm', resolver='SQL1')", user_repr, user_repr)
def test_00_create_user_realm(self):
rid = save_resolver({"resolver": self.resolvername1, "type": "passwdresolver", "fileName": PWFILE})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(self.realm1, [self.resolvername1])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
user = User(login="******", realm=self.realm1, resolver=self.resolvername1)
user_str = "%s" % user
self.assertTrue(user_str == "<root.resolver1@realm1>", user_str)
self.assertFalse(user.is_empty())
self.assertTrue(User().is_empty())
user_repr = "%r" % user
expected = "User(login='******', realm='realm1', resolver='resolver1')"
self.assertTrue(user_repr == expected, user_repr)
def test_17_check_nonascii_user(self):
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
# check non-ascii password of non-ascii user
self.assertFalse(
User(login=u"nönäscii", realm=realm).check_password("wrong"))
self.assertTrue(
User(login=u"nönäscii",
realm=realm).check_password(u"sömepassword"))
def test_18_user_with_several_phones(self):
ldap3mock.setLDAPDirectory(LDAPDirectory_small)
params = ({'LDAPURI': 'ldap://localhost',
'LDAPBASE': 'o=test',
'BINDDN': 'cn=manager,ou=example,o=test',
'BINDPW': 'ldaptest',
'LOGINNAMEATTRIBUTE': 'cn',
'LDAPSEARCHFILTER': '(|(cn=*))', # we use this weird search filter to get a unique resolver ID
'USERINFO': '{ "username": "******",'
'"phone" : "telephoneNumber", '
'"mobile" : "mobile"'
', "email" : "mail", '
'"surname" : "sn", '
'"givenname" : "givenName" }',
'UIDTYPE': 'objectGUID',
'NOREFERRALS': True,
'CACHE_TIMEOUT': 0
})
params["resolver"] = "ldapresolver"
params["type"] = "ldapresolver"
rid = save_resolver(params)
self.assertTrue(rid > 0)
(added, failed) = set_realm("ldap", ["ldapresolver"])
self.assertEqual(len(added), 1)
self.assertEqual(len(failed), 0)
u = User("salesman", "ldap")
# get the complete list
r = u.get_user_phone("mobile")
self.assertEqual(r, ["1234", "3456"])
# get the first entry
r = u.get_user_phone("mobile", index=0)
self.assertEqual(r, "1234")
# Index out of range
r = u.get_user_phone("mobile", index=2)
self.assertEqual(r, "")
delete_realm("ldap")
delete_resolver("ldapresolver")
def test_08_no_ldap_password(self):
params = {'LDAPURI': 'ldap://localhost',
'LDAPBASE': 'o=test',
'BINDDN': 'cn=manager,ou=example,o=test',
'BINDPW': 'ldaptest',
'LOGINNAMEATTRIBUTE': 'cn',
'LDAPSEARCHFILTER': '(cn=*)',
'USERINFO': '{ "username": "******", "phone": "telephoneNumber", '
'"mobile" : "mobile", "email": "mail", '
'"surname" : "sn", "givenname": "givenName" }',
'UIDTYPE': 'DN',
'type': 'ldapresolver',
'resolver': 'testL'}
r = save_resolver(params)
self.assertTrue(r)
with self.app.test_request_context('/resolver/testL',
method='GET',
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data.decode('utf8')).get("result")
self.assertTrue(result["status"] is True, result)
data = result["value"]["testL"]["data"]
self.assertEqual(data.get("BINDPW"), CENSORED)
with self.app.test_request_context('/resolver/',
method='GET',
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data.decode('utf8')).get("result")
self.assertTrue(result["status"] is True, result)
data = result["value"]["testL"]["data"]
self.assertEqual(data.get("BINDPW"), CENSORED)
r = delete_resolver(params.get("resolver"))
self.assertTrue(r)
def test_04_create_recovery_nonascii(self):
smtpmock.setdata(response={"*****@*****.**": (200, "OK")})
recoverycode = "reccode"
# create resolver and realm
param = self.parameters
param["resolver"] = "register"
param["type"] = "sqlresolver"
r = save_resolver(param)
self. assertTrue(r > 0)
# recover password with "recovery.identifier"
r = add_smtpserver(identifier="myserver", server="1.2.3.4")
self.assertTrue(r > 0)
set_privacyidea_config("recovery.identifier", "myserver")
r = create_recoverycode(User(u"nönäscii", "register"), recoverycode=recoverycode)
self.assertEqual(r, True)
user = User(u"nönäscii", "register")
r = check_recoverycode(user, recoverycode)
self.assertEqual(r, True)
# The recovery code is not valid a second time
r = check_recoverycode(user, recoverycode)
self.assertEqual(r, False)
def test_01_register_user(self):
smtpmock.setdata(response={"*****@*****.**": (200, "OK")})
# create resolver and realm
param = self.parameters
param["resolver"] = "register"
param["type"] = "sqlresolver"
r = save_resolver(param)
self. assertTrue(r > 0)
added, failed = set_realm("register", resolvers=["register"])
self.assertTrue(added > 0)
self.assertEqual(len(failed), 0)
# create policy
r = set_policy(name="pol2", scope=SCOPE.REGISTER,
action="{0!s}={1!s}, {2!s}={3!s}".format(ACTION.REALM, "register",
ACTION.RESOLVER, "register"))
# Try to register, but missing parameter
with self.app.test_request_context('/register',
method='POST',
data={"username": "******",
"surname": "Kölbel"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 400, res)
# Register fails, missing SMTP config
with self.app.test_request_context('/register',
method='POST',
data={"username": "******",
"surname": "Kölbel",
"givenname": "Cornelius",
"password": "******",
"email":
"*****@*****.**"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 400, res)
data = json.loads(res.data.decode('utf8'))
self.assertEqual(data.get("result").get("error").get("code"), ERROR.REGISTRATION)
self.assertEqual(data.get("result").get("error").get("message"),
u'ERR402: No SMTP server configuration specified!')
# Set SMTP config and policy
add_smtpserver("myserver", "1.2.3.4", sender="pi@localhost")
set_policy("pol3", scope=SCOPE.REGISTER,
action="{0!s}=myserver".format(ACTION.EMAILCONFIG))
with self.app.test_request_context('/register',
method='POST',
data={"username": "******",
"surname": "Kölbel",
"givenname": "Cornelius",
"password": "******",
"email":
"*****@*****.**"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
# Registering the user a second time will fail
with self.app.test_request_context('/register',
method='POST',
data={"username": "******",
"surname": "Kölbel",
"givenname": "Cornelius",
"password": "******",
"email":
"*****@*****.**"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 400, res)
# get the register status
with self.app.test_request_context('/register',
method='GET'):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
data = json.loads(res.data.decode('utf8'))
self.assertEqual(data.get("result").get("value"), True)
def test_12_authcache(self):
password = "******"
username = "******"
realm = "myrealm"
resolver = "reso001"
pw_hash = binascii.hexlify(hashlib.sha256(password).digest())
r = save_resolver({"resolver": "reso001",
"type": "passwdresolver",
"fileName": "tests/testdata/passwords"})
(added, failed) = set_realm("myrealm", ["reso001"])
def fake_check_user_pass(user, passw, options=None):
return True, {"message": "Fake Authentication"}
set_policy(name="pol1",
scope=SCOPE.AUTH,
realm=realm,
resolver=resolver,
action="{0!s}={1!s}".format(ACTION.AUTH_CACHE, "4h/5m"))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# This successfully authenticates against the authcache
# We have an authentication, that is within the policy timeout
AuthCache(username, realm, resolver, pw_hash,
first_auth=datetime.datetime.utcnow() - timedelta(hours=3),
last_auth=datetime.datetime.utcnow() - timedelta(minutes=1)).save()
r = auth_cache(fake_check_user_pass, User("cornelius", "myrealm"),
password, options=options)
self.assertTrue(r[0])
self.assertEqual(r[1].get("message"), "Authenticated by AuthCache." )
# We have an authentication, that is not read from the authcache,
# since the authcache first_auth is too old.
delete_from_cache(username, realm, resolver, pw_hash)
AuthCache(username, realm, resolver, pw_hash,
first_auth=datetime.datetime.utcnow() - timedelta(hours=5),
last_auth=datetime.datetime.utcnow() - timedelta(
minutes=1)).save()
r = auth_cache(fake_check_user_pass, User("cornelius", "myrealm"),
password, options=options)
self.assertTrue(r[0])
self.assertEqual(r[1].get("message"), "Fake Authentication")
# We have an authentication, that is not read from authcache, since
# the last_auth is too old = 10 minutes.
delete_from_cache(username, realm, resolver, pw_hash)
AuthCache(username, realm, resolver, pw_hash,
first_auth=datetime.datetime.utcnow() - timedelta(hours=1),
last_auth=datetime.datetime.utcnow() - timedelta(
minutes=10)).save()
r = auth_cache(fake_check_user_pass, User("cornelius", "myrealm"),
password, options=options)
self.assertTrue(r[0])
self.assertEqual(r[1].get("message"), "Fake Authentication")
# We have a policy, with no special last_auth
delete_policy("pol1")
set_policy(name="pol1",
scope=SCOPE.AUTH,
realm=realm,
resolver=resolver,
action="{0!s}={1!s}".format(ACTION.AUTH_CACHE, "4h"))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
delete_from_cache(username, realm, resolver, pw_hash)
AuthCache(username, realm, resolver, pw_hash,
first_auth=datetime.datetime.utcnow() - timedelta(hours=2),
last_auth=datetime.datetime.utcnow() - timedelta(
hours=1)).save()
r = auth_cache(fake_check_user_pass, User("cornelius", "myrealm"),
password, options=options)
self.assertTrue(r[0])
self.assertEqual(r[1].get("message"), "Authenticated by AuthCache.")
# Clean up
delete_policy("pol1")
delete_realm("myrealm")
delete_resolver("reso001")
def test_12_passwdresolver(self):
# Create a resolver with an empty filename
# will use the filename /etc/passwd
rid = save_resolver(
{
"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": "",
"type.fileName": "string",
"desc.fileName": "The name of the file",
}
)
self.assertTrue(rid > 0, rid)
y = get_resolver_object(self.resolvername1)
y.loadFile()
delete_resolver(self.resolvername1)
# Load a file with an empty line
rid = save_resolver(
{
"resolver": self.resolvername1,
"type": "passwdresolver",
"fileName": PWFILE,
"type.fileName": "string",
"desc.fileName": "The name of the file",
}
)
self.assertTrue(rid > 0, rid)
y = get_resolver_object(self.resolvername1)
y.loadFile()
ulist = y.getUserList({"username": "******"})
self.assertTrue(len(ulist) > 1, ulist)
self.assertTrue(y.checkPass("1000", "test"))
self.assertFalse(y.checkPass("1000", "wrong password"))
self.assertRaises(NotImplementedError, y.checkPass, "1001", "secret")
self.assertFalse(y.checkPass("1002", "no pw at all"))
self.assertTrue(y.getUsername("1000") == "cornelius", y.getUsername("1000"))
self.assertTrue(y.getUserId(u"cornelius") == "1000", y.getUserId("cornelius"))
self.assertTrue(y.getUserId("user does not exist") == "")
sF = y.getSearchFields({"username": "******"})
self.assertTrue(sF.get("username") == "text", sF)
# unknown search fields. We get an empty userlist
r = y.getUserList({"blabla": "something"})
self.assertTrue(r == [], r)
# list exactly one user
r = y.getUserList({"userid": "=1000"})
self.assertTrue(len(r) == 1, r)
r = y.getUserList({"userid": "<1001"})
self.assertTrue(len(r) == 1, r)
r = y.getUserList({"userid": ">1000"})
self.assertTrue(len(r) > 1, r)
r = y.getUserList({"userid": "between 1000, 1001"})
self.assertTrue(len(r) == 2, r)
r = y.getUserList({"userid": "between 1001, 1000"})
self.assertTrue(len(r) == 2, r)
r = y.getUserList({"userid": "<=1000"})
self.assertTrue(len(r) == 1, "%s" % r)
r = y.getUserList({"userid": ">=1000"})
self.assertTrue(len(r) > 1, r)
r = y.getUserList({"description": "field1"})
self.assertTrue(len(r) == 0, r)
r = y.getUserList({"email": "field1"})
self.assertTrue(len(r) == 0, r)
rid = y.getResolverId()
self.assertTrue(rid == PWFILE, rid)
rtype = y.getResolverType()
self.assertTrue(rtype == "passwdresolver", rtype)
rdesc = y.getResolverDescriptor()
self.assertTrue("config" in rdesc.get("passwdresolver"), rdesc)
self.assertTrue("clazz" in rdesc.get("passwdresolver"), rdesc)
# internal stringMatch function
self.assertTrue(y._stringMatch(u"Hallo", "*lo"))
self.assertTrue(y._stringMatch("Hallo", u"Hal*"))
self.assertFalse(y._stringMatch("Duda", "Hal*"))
self.assertTrue(y._stringMatch("HalloDuda", "*Du*"))
self.assertTrue(y._stringMatch("Duda", "Duda"))
def test_02_create_update_delete_user(self):
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
# CREATE a user
with self.app.test_request_context('/user/',
method='POST',
data={"user": "******",
"resolver": resolver,
"surname": "zappa",
"givenname": "frank",
"email": "*****@*****.**",
"phone": "12345",
"mobile": "12345",
"password": "******"},
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result.get("value") > 6, result.get("value"))
# Get users
with self.app.test_request_context('/user/',
method='GET',
query_string=urlencode(
{"username": "******"}),
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result.get("status"))
self.assertEqual(result.get("value")[0].get("username"), "wordy")
# Update by administrator. Set the password to "passwort"
with self.app.test_request_context('/user/',
method='PUT',
query_string=urlencode(
{"user": "******",
"resolver": resolver,
"password": "******"}),
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result.get("value"))
# Get user authentication and update by user.
with self.app.test_request_context('/auth',
method='POST',
data={"username": "******".format(realm),
"password": "******"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result.get("status"), res.data)
# In self.at_user we store the user token
wordy_auth_token = result.get("value").get("token")
# check that this is a user
role = result.get("value").get("role")
self.assertTrue(role == "user", result)
# Even if a user specifies another username, the username is
# overwritten by his own name!
with self.app.test_request_context('/user/',
method='PUT',
query_string=urlencode(
{"user": "******",
"resolver": resolver,
"password": "******"}),
headers={'Authorization':
wordy_auth_token}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result.get("value"))
# Although the user "wordy" tried to update the password of user
# "wordy2", he updated his own password.
with self.app.test_request_context('/auth',
method='POST',
data={"username": "******".format(realm),
"password": "******"}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result.get("status"), res.data)
# In self.at_user we store the user token
wordy_auth_token = result.get("value").get("token")
# check that this is a user
role = result.get("value").get("role")
self.assertTrue(role == "user", result)
# Delete the users
with self.app.test_request_context('/user/{0!s}/{1!s}'.format(resolver, "wordy"),
method='DELETE',
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result.get("value"))
def test_21_check_all_resolver(self):
# check_all_resolver allows to find a policy for a secondary user
# resolver.
# We create one realm "realm1" with the resolvers
# reso1 (prio 1)
# reso2 (prio 2)
# reso3 (prio 3)
# A user user@realm1 will be identified as user.reso1@realm1.
# But we will also match policies for reso2.
# no realm and resolver
r = get_realms()
self.assertEqual(r, {})
r = get_resolver_list()
self.assertEqual(r, {})
# create user realm
for reso in ["reso1", "resoX", "resoA"]:
rid = save_resolver({"resolver": reso,
"type": "passwdresolver",
"fileName": PWFILE})
self.assertTrue(rid > 0, rid)
# create a realm with reso1 being the resolver with the highest priority
(added, failed) = set_realm("realm1",
["reso1", "resoX", "resoA"],
priority={"reso1": 1,
"resoX": 2,
"resoA": 3})
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 3)
user = User(login="******",
realm="realm1")
# The user, that is created, is cornelius.reso1@realm1
user_str = "{0!s}".format(user)
self.assertEqual(user_str, "<cornelius.reso1@realm1>")
# But the user "cornelius" is also contained in other resolves in
# this realm
r = user.get_ordererd_resolvers()
self.assertEqual(r, ["reso1", "resoX", "resoA"])
self.assertFalse(user.is_empty())
self.assertTrue(User().is_empty())
# define a policy with the wrong resolver
p = set_policy(name="checkAll", scope=SCOPE.AUTHZ, realm="realm1",
resolver="resoX",
action="{0}=totp".format(ACTION.TOKENTYPE))
self.assertTrue(p > 0)
p = set_policy(name="catchAll", scope=SCOPE.AUTHZ, realm="realm1",
action="{0}=totp".format(ACTION.TOKENTYPE))
self.assertTrue(p > 0)
P = PolicyClass()
pols = P.get_policies(scope=SCOPE.AUTHZ, realm=user.realm,
resolver=user.resolver, user=user.login)
self.assertEqual(len(pols), 1)
# Now we change the policy, so that it uses check_all_resolver, i.e.
p = set_policy(name="checkAll", scope=SCOPE.AUTHZ, realm="realm1",
resolver="resoX", check_all_resolvers=True,
action="{0}=totp".format(ACTION.TOKENTYPE))
self.assertTrue(p > 0)
P = PolicyClass()
pols = P.get_policies(scope=SCOPE.AUTHZ, realm=user.realm,
resolver=user.resolver, user=user.login)
self.assertEqual(len(pols), 2)
# delete policy
delete_policy("checkAll")
delete_policy("catchAll")
# delete resolvers and realm
delete_realm("realm1")
for reso in ["reso1", "resoX", "resoA"]:
rid = delete_resolver(reso)
self.assertTrue(rid > 0, rid)
