def test_03_check_token_upload(self):
g.logged_in_user = {"username": "******", "role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
req.all_data = {"filename": "token.xml"}
# Set a policy, that does allow the action
set_policy(name="pol1",
scope=SCOPE.ADMIN,
action="enrollTOTP, enrollHOTP, %s" % ACTION.IMPORT,
client="10.0.0.0/8")
g.policy_object = PolicyClass()
# Try to import tokens
r = check_token_upload(req)
self.assertTrue(r)
# The admin can not upload from another IP address
# An exception is raised
env["REMOTE_ADDR"] = "192.168.0.1"
req = Request(env)
req.all_data = {"filename": "token.xml"}
self.assertRaises(PolicyError, check_token_upload, req)
# finally delete policy
delete_policy("pol1")
def test_authenticate():
"""Tests authenticate."""
setup_db()
users_db_client = make_users_db_client()
has = HubzeroAuthenticationStrategy(MockApp(GOOD_CONFIG), users_db_client)
# no request
with pytest.raises(AttributeError):
has.authenticate(None)
# wrong content type
# passing a dict as data below will create a form-encoded request
env = create_environ('/sessions', 'http://localhost:1234', method='POST', \
data={'hz_session': 'gibberish'})
with pytest.raises(UnsupportedMediaType):
has.authenticate(Request(env))
# correct content type: note the explicit content type and that data no
# longer receives a dict--it's quoted
# no hz_session
env = create_environ('/sessions', 'http://localhost:1234', method='POST', \
data='{"other": "whatever"}', content_type='application/json')
assert has.authenticate(Request(env)) is None
# mock db condition: no match for hz_session
with mock.patch('nest_py.knoweng.flask.accounts.knoweng_authentication.' + \
'HubzeroAuthenticationStrategy.fetch_session', return_value=None):
env = create_environ('/sessions', 'http://localhost:1234', \
method='POST', data='{"hz_session": "gibberish"}', \
content_type='application/json')
assert has.authenticate(Request(env)) is None
# mock db condition: match for hz_session
with mock.patch('nest_py.knoweng.flask.accounts.knoweng_authentication.' + \
'HubzeroAuthenticationStrategy.fetch_session', return_value={\
u'userid': '150',
u'username': '******',
u'givenName': 'HUBZero',
u'surname': 'User',
u'picture': 'profile.png'}):
env = create_environ('/sessions', 'http://localhost:1234', \
method='POST', data='{"hz_session": "gibberish"}', \
content_type='application/json')
user = has.authenticate(Request(env))
assert user.get_nest_id() is not None
assert user.get_username() == "hzuser"
assert user.get_given_name() == "HUBZero"
assert user.get_family_name() == "User"
assert user.get_external_id() == "150"
assert user.get_origin() == "hubzero"
assert user.get_thumb_url() == \
"http://apphost/members/150/Image:thumb.png"
finish_up()
return
def __call__(self, environ: Dict, start_response: Callable) -> Callable:
response = None
request = Request(environ)
session = self.session_interface.open_session( # type: ignore
self.proxy_app, request)
# callback request
if request.base_url == self.callback_url:
response = self.callback(session, request)
return self._response(environ, start_response, session, response)
# logout request
elif request.path == self.logout_uri:
response = self.logout(session)
return self._response(environ, start_response, session, response)
# logout redirect uri
elif request.path == self.logout_redirect_uri:
return self.app(environ, start_response)
# unauthorized request
elif "user" not in session:
response = self.login(session)
return self._response(environ, start_response, session, response)
# authorized request
else:
return self.app(environ, start_response)
def __call__(self, environ, start_response):
"""
middleware to capture request header from incoming http request
"""
request = Request(environ)
over_limit = self.over_limit
per = self.per
limit = self.limit
send_x_headers = self.send_x_headers
key = "rate-limit:{}:{}".format(request.remote_addr, request.path)
r_limit = RateLimit(key_prefix=key, limit=limit, per=per, send_x_headers=send_x_headers)
def new_start_response(status, response_headers, exc_info=None):
"""
set custom response headers
"""
# set the request header as response header
g._view_rate_limit = r_limit
if r_limit and r_limit.send_headers:
response_headers.append(('X-RateLimit-Limit', str(r_limit.limit)))
response_headers.append(('X-RateLimit-Remaining', str(r_limit.remaining)))
response_headers.append(('X-RateLimit-Reset', str(r_limit.reset)))
return start_response(status, response_headers, exc_info)
if over_limit and r_limit.over_limit:
res = Response(json.dumps({
"error": "403",
"data": "Too many requests, You hit the rate limit"
}), content_type="application/json", status=403)
return res(environ, start_response)
return self.app(environ, new_start_response)
def __call__(self, environ, start_response):
request = Request(environ)
for i in self.public_prefixes:
if i.match(request.path):
return self.app(environ, start_response)
user_dict = decode_cookie(request.cookies.get(COOKIE_NAME, ''))
if user_dict:
environ['myauthmiddleware'] = user_dict
return self.app(environ, start_response)
is_json = False
for i in self.json_prefixes:
if i.match(request.path):
is_json = True
break
else:
is_json = (request.headers.get('HTTP-ACCEPT')
or '').find('application/json') >= 0
if is_json:
response = Response(mimetype='application/json')
response.status_code = 401
response.set_data(
json.dumps({
'error':
_('authentication required to access requested url')
}))
return response(environ, start_response)
url = self.authentication_url + '?r=' + \
urllib.quote(base64.b64encode(request.url))
return redirect(url, code=303)(environ, start_response)
def test_10_check_conditions_tokentype(self):
uhandler = UserNotificationEventHandler()
# check if tokenrealm is contained
builder = EnvironBuilder(method='POST',
data={'user': "******"},
headers={})
tok = init_token({"serial": "oath1234", "type": "spass"},
user=User("cornelius", "realm1"))
env = builder.get_environ()
req = Request(env)
req.all_data = {"user": "******",
"serial": "oath1234"}
req.User = User("cornelius", "realm1")
resp = Response()
resp.data = """{"result": {"value": true}}"""
r = uhandler.check_condition(
{"g": {},
"handler_def": {"conditions": {"tokentype": "totp,spass,oath,"}},
"request": req,
"response": resp
}
)
# Serial matches the regexp
self.assertEqual(r, True)
def test_02_check_token_init(self):
g.logged_in_user = {"username": "******", "role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
req.all_data = {"type": "totp"}
# Set a policy, that does allow the action
set_policy(name="pol1",
scope=SCOPE.ADMIN,
action="enrollTOTP, enrollHOTP",
client="10.0.0.0/8")
g.policy_object = PolicyClass()
# Enrolling TOTP is cool
r = check_token_init(req)
self.assertTrue(r)
# Another Token type can not be enrolled:
# An exception is raised
req.all_data = {"type": "motp"}
self.assertRaises(PolicyError, check_token_init, req)
# A normal user can "enroll", since no user policies are defined.
g.logged_in_user = {"username": "******", "role": "user"}
r = check_token_init(req)
self.assertTrue(r)
# finally delete policy
delete_policy("pol1")
def test_07_sign_response(self):
builder = EnvironBuilder(method='POST', data={}, headers={})
env = builder.get_environ()
env["REMOTE_ADDR"] = "192.168.0.1"
req = Request(env)
req.values = {
"user": "******",
"pass": "******",
"nonce": "12345678"
}
res = {
"jsonrpc": "2.0",
"result": {
"status": True,
"value": True
},
"version": "privacyIDEA test",
"id": 1
}
resp = Response(json.dumps(res))
from privacyidea.lib.crypto import Sign
g.sign_object = Sign("tests/testdata/private.pem",
"tests/testdata/public.pem")
new_response = sign_response(req, resp)
jresult = json.loads(new_response.data)
self.assertEqual(jresult.get("nonce"), "12345678")
self.assertEqual(
jresult.get("signature"),
"7220461805369685253863294214862525311437731987121534735993146952136348520396812489782945679627890785973634896605293523175424850299832912878523161817380029213546063467888018205435416020286712762804412024065559270543774578319469096483246637875013247101135063221604113204491121777932147776087110152414627230087278622508771143940031542890514380486863296102037208395371717795767683973979032142677315402422403254992482761563612174177151960004042109847122772813717599078313600692433727690239340230353616318691769042290314664126975201679642739717702497638318611217001361093950139025744740660953017413716736691777322916588328"
)
def test_06_check_conditions_realm(self):
uhandler = UserNotificationEventHandler()
# check a locked token with maxfail = failcount
builder = EnvironBuilder(method='POST',
data={'user': "******"},
headers={})
env = builder.get_environ()
req = Request(env)
req.all_data = {"user": "******"}
req.User = User("cornelius", "realm1")
resp = Response()
resp.data = """{"result": {"value": false}}"""
r = uhandler.check_condition({
"g": {},
"handler_def": {
"conditions": {
"realm": "realm2"
}
},
"request": req,
"response": resp
})
# wrong realm
self.assertEqual(r, False)
def test_04_loggingevent_broken_parameter(self, capture):
# simple logging event with faulty parameters
self.setUp_user_realms()
g = FakeFlaskG()
g.audit_object = FakeAudit()
env = EnvironBuilder(method='POST', headers={},
path='/auth').get_environ()
req = Request(env)
req.all_data = {}
req.User = User("cornelius", self.realm1)
resp = Response(response="""{"result": {"value": true}}""")
options = {
"g": g,
"request": req,
"response": resp,
"handler_def": {
'options': {
'name': None,
'level': 'some_level',
'message': None
}
}
}
log_handler = LoggingEventHandler()
res = log_handler.do("logging", options=options)
self.assertTrue(res)
capture.check_present(('root', 'INFO', 'event=/auth triggered'))
def test_03_loggingevent_parameter(self, capture):
# simple logging event with user defined values
self.setUp_user_realms()
g = FakeFlaskG()
g.audit_object = FakeAudit()
env = EnvironBuilder(method='POST', headers={},
path='/auth').get_environ()
req = Request(env)
req.all_data = {}
req.User = User("cornelius", self.realm1)
resp = Response(response="""{"result": {"value": true}}""")
options = {
"g": g,
"request": req,
"response": resp,
"handler_def": {
'options': {
'name': 'eventlogger-privacyidea',
'level': 'WARN',
'message': 'Hello {username}!'
}
}
}
log_handler = LoggingEventHandler()
res = log_handler.do("logging", options=options)
self.assertTrue(res)
capture.check_present(
('eventlogger-privacyidea', 'WARNING', 'Hello cornelius!'))
def test_valid(self):
builder = EnvironBuilder(method='POST', data={**valid_payload})
env = builder.get_environ()
req = Request(env)
f = DatacheckSubmissionForm(req.form)
f = set_dynamic_choices(f)
self.assertTrue(f.validate())
def __call__(self, addr):
'''Since an instance of HttpServer is passed to the Service
class (with appropriate request_handler established during
initialization), this __call__ method is what's actually
invoked by diesel.
'''
data = None
while True:
try:
h = HttpParser()
body = []
while True:
if data:
used = h.execute(data, len(data))
if h.is_headers_complete():
body.append(h.recv_body())
if h.is_message_complete():
data = data[used:]
break
data = receive()
env = h.get_wsgi_environ()
if 'HTTP_CONTENT_LENGTH' in env:
env['CONTENT_LENGTH'] = env.pop("HTTP_CONTENT_LENGTH")
if 'HTTP_CONTENT_TYPE' in env:
env['CONTENT_TYPE'] = env.pop("HTTP_CONTENT_TYPE")
env.update({
'wsgi.version': (1, 0),
'wsgi.url_scheme': 'http', # XXX incomplete
'wsgi.input': cStringIO.StringIO(''.join(body)),
'wsgi.errors': FileLikeErrorLogger(hlog),
'wsgi.multithread': False,
'wsgi.multiprocess': False,
'wsgi.run_once': False,
'REMOTE_ADDR': addr[0],
'SERVER_NAME': HOSTNAME,
'SERVER_PORT': str(self.port),
})
req = Request(env)
resp = self.request_handler(req)
if 'Server' not in resp.headers:
resp.headers.add('Server', SERVER_TAG)
if 'Date' not in resp.headers:
resp.headers.add(
'Date',
utcnow().strftime("%a, %d %b %Y %H:%M:%S UTC"))
assert resp, "HTTP request handler _must_ return a response"
self.send_response(resp, version=h.get_version())
if (not h.should_keep_alive()) or \
resp.headers.get('Connection', '').lower() == "close" or \
resp.headers.get('Content-Length') == None:
return
except ConnectionClosed:
break
def badge_img_for_participant(uid):
badge_query = g.db.execute("""SELECT badge_img
FROM badges WHERE uid=?""", (uid, ))
badge_img_results = badge_query.fetchone()
if not badge_img_results:
abort(404)
return Request(badge_img_results[0], mimetype='image/png')
def test_08_check_conditions_serial(self):
uhandler = UserNotificationEventHandler()
# check a serial with regexp
builder = EnvironBuilder(method='POST',
data={'user': "******"},
headers={})
env = builder.get_environ()
req = Request(env)
req.all_data = {"user": "******", "serial": "OATH123456"}
req.User = User("cornelius", "realm1")
resp = Response()
resp.data = """{"result": {"value": true}}"""
r = uhandler.check_condition({
"g": {},
"handler_def": {
"conditions": {
"serial": "^OATH.*"
}
},
"request": req,
"response": resp
})
# Serial matches the regexp
self.assertEqual(r, True)
def test_09_pin_policies(self):
g.logged_in_user = {"username": "******", "role": "user"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
# Set a policy that defines PIN policy
set_policy(name="pol1",
scope=SCOPE.USER,
action="{0!s}={1!s},{2!s}={3!s},{4!s}={5!s}".format(
ACTION.OTPPINMAXLEN, "10", ACTION.OTPPINMINLEN, "4",
ACTION.OTPPINCONTENTS, "cn"))
g.policy_object = PolicyClass()
req.all_data = {"user": "******", "realm": "home"}
# The minimum OTP length is 4
self.assertRaises(PolicyError, check_otp_pin, req)
req.all_data = {
"user": "******",
"realm": "home",
"pin": "12345566890012"
}
# Fail maximum OTP length
self.assertRaises(PolicyError, check_otp_pin, req)
req.all_data = {"user": "******", "realm": "home", "pin": "123456"}
# Good OTP length, but missing character A-Z
self.assertRaises(PolicyError, check_otp_pin, req)
req.all_data = {"user": "******", "realm": "home", "pin": "abc123"}
# Good length and good contents
self.assertTrue(check_otp_pin(req))
# A token that does not use pins is ignored.
init_token({"type": "certificate", "serial": "certificate"})
req.all_data = {
"serial": "certificate",
"realm": "somerealm",
"user": "******",
"pin": ""
}
self.assertTrue(check_otp_pin(req))
init_token({"type": "sshkey", "serial": "sshkey", "sshkey": SSHKEY})
req.all_data = {
"serial": "sshkey",
"realm": "somerealm",
"user": "******",
"pin": ""
}
self.assertTrue(check_otp_pin(req))
# finally delete policy
delete_policy("pol1")
def on_connect(sid, envrion):
request = Request(envrion)
token = request.args.get('token')
user_id = _get_user_id(token)
# 用户一连接im服务器, 就让其进入自己的用户id对应的房间 room="2"
print("进入房间: %s" % user_id)
sio.enter_room(sid, str(user_id))
def test_06_offline_auth(self):
# Test that a machine definition will return offline hashes
self.setUp_user_realms()
serial = "offline01"
tokenobject = init_token({
"serial": serial,
"type": "hotp",
"otpkey": "3132333435363738393031"
"323334353637383930",
"pin": "offline",
"user": "******"
})
# Set the Machine and MachineToken
resolver1 = save_resolver({
"name": "reso1",
"type": "hosts",
"filename": HOSTSFILE
})
mt = attach_token(serial, "offline", hostname="gandalf")
self.assertEqual(mt.token.serial, serial)
self.assertEqual(mt.token.machine_list[0].machine_id, "192.168.0.1")
# The request with an OTP value and a PIN of a user, who has not
# token assigned
builder = EnvironBuilder(method='POST', data={}, headers={})
env = builder.get_environ()
env["REMOTE_ADDR"] = "192.168.0.1"
req = Request(env)
req.all_data = {"user": "******", "pass": "******"}
res = {
"jsonrpc": "2.0",
"result": {
"status": True,
"value": True
},
"version": "privacyIDEA test",
"detail": {
"serial": serial
},
"id": 1
}
resp = Response(json.dumps(res))
new_response = offline_info(req, resp)
jresult = json.loads(new_response.data)
self.assertTrue(jresult.get("result").get("value"), jresult)
self.assertEqual(jresult.get("detail").get("serial"), serial)
# Check the hashvalues in the offline tree
auth_items = jresult.get("auth_items")
self.assertEqual(len(auth_items), 1)
response = auth_items.get("offline")[0].get("response")
self.assertEqual(len(response), 100)
# check if the counter of the token was increased to 100
tokenobject = get_tokens(serial=serial)[0]
self.assertEqual(tokenobject.token.count, 101)
delete_policy("pol2")
def test_full_access_to_name_request(test_name, \
name_request_number, temp_request_number, user_email, user_phone, \
header_name_request_number, header_temp_request_number, header_user_email, header_user_phone, \
expected):
"""Assure that this contains the headers required to fully access an NR."""
from namex.utils.auth import full_access_to_name_request
# setup
nr = RequestDAO()
nr.nrNum = name_request_number or temp_request_number
nr.stateCd = State.DRAFT
nr._source = ValidSources.NAMEREQUEST.value
applicant = Applicant()
applicant.phoneNumber = user_phone
applicant.emailAddress = user_email
nr.applicants.append(applicant)
nr.save_to_db()
builder = EnvironBuilder(method='POST',
data={},
headers={
'BCREG_NR': header_name_request_number,
'BCREG_NRL': header_temp_request_number,
'BCREG-User-Email': header_user_email,
'BCREG-User-Phone': header_user_phone
})
env = builder.get_environ()
req = Request(env)
print(req)
assert expected == full_access_to_name_request(req)
def test_01a_admin_realms(self):
admin1 = {"username": "******", "role": "admin", "realm": "realm1"}
admin2 = {"username": "******", "role": "admin", "realm": "realm2"}
set_policy(name="pol",
scope=SCOPE.ADMIN,
action="*",
adminrealm="realm1")
g.policy_object = PolicyClass()
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
req.all_data = {}
# admin1 is allowed to do everything
g.logged_in_user = admin1
r = check_base_action(req, action="delete")
self.assertTrue(r)
# admin2 is not allowed.
g.logged_in_user = admin2
self.assertRaises(PolicyError, check_base_action, req, action="delete")
delete_policy("pol")
def test_04_check_max_token_user(self):
g.logged_in_user = {"username": "******", "role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"user": "******", "realm": self.realm1}
# Set a policy, that allows two tokens per user
set_policy(name="pol1",
scope=SCOPE.ENROLL,
action="{0!s}={1!s}".format(ACTION.MAXTOKENUSER, 2))
g.policy_object = PolicyClass()
# The user has one token, everything is fine.
self.setUp_user_realms()
tokenobject = init_token(
{
"serial": "NEW001",
"type": "hotp",
"otpkey": "1234567890123456"
},
user=User(login="******", realm=self.realm1))
tokenobject_list = get_tokens(
user=User(login="******", realm=self.realm1))
self.assertTrue(len(tokenobject_list) == 1)
self.assertTrue(check_max_token_user(req))
# Now the user gets his second token
tokenobject = init_token(
{
"serial": "NEW002",
"type": "hotp",
"otpkey": "1234567890123456"
},
user=User(login="******", realm=self.realm1))
tokenobject_list = get_tokens(
user=User(login="******", realm=self.realm1))
self.assertTrue(len(tokenobject_list) == 2)
# The user has two tokens. The check that will run in this case,
# before the user would be assigned the 3rd token, will raise a
# PolicyError
self.assertRaises(PolicyError, check_max_token_user, req)
# The check for a token, that has no username in it, must not
# succeed. I.e. in the realm new tokens must be enrollable.
req.all_data = {}
self.assertTrue(check_max_token_user(req))
req.all_data = {"realm": self.realm1}
self.assertTrue(check_max_token_user(req))
# finally delete policy
delete_policy("pol1")
remove_token("NEW001")
remove_token("NEW002")
def test_10_api_endpoint(self):
fixed = "ebedeeefegeheiej"
otpkey = "cc17a4d77eaed96e9d14b5c87a02e718"
uid = "000000000000"
otps = ["ebedeeefegeheiejtjtrutblehenfjljrirgdihrfuetljtt",
"ebedeeefegeheiejlekvlrlkrcluvctenlnnjfknrhgtjned",
"ebedeeefegeheiejktudedbktcnbuntrhdueikggtrugckij",
"ebedeeefegeheiejjvjncbnffdrvjcvrbgdfufjgndfetieu",
"ebedeeefegeheiejdruibhvlvktcgfjiruhltketifnitbuk"
]
token = init_token({"type": "yubikey",
"otpkey": otpkey,
"otplen": len(otps[0]),
"yubikey.prefix": fixed,
"serial": "UBAM12345678_1"})
builder = EnvironBuilder(method='GET',
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
nonce = "random nonce"
apiid = "hallo"
apikey = "1YMEbMZijD3DzL21UfKGnOOI13c="
set_privacyidea_config("yubikey.apiid.{0!s}".format(apiid), apikey)
req.all_data = {'id': apiid,
"otp": otps[0],
"nonce": nonce}
text_type, result = YubikeyTokenClass.api_endpoint(req, g)
self.assertEqual(text_type, "plain")
self.assertTrue("status=OK" in result, result)
self.assertTrue("nonce={0!s}".format(nonce) in result, result)
def __call__(self, environ, start_response):
try:
request = Request(environ)
url = urlparse(request.url)
headers = request.headers
if ('/auth/login' in url.path):
r = json.dumps({'result': self.login(headers)})
body = bytes(r, 'utf-8')
status = '200 OK'
headers = [('Content-type', 'application/json')]
start_response(status, headers)
return [body]
else:
if (self.checkToken(headers)):
return self.app(environ, start_response)
else:
print("Aqui")
r = {
'success': False,
'message': 'Token is invalid.',
'token': -7
}
r = json.dumps({'result': r})
body = bytes(r, 'utf-8')
status = '401 Unauthorized'
headers = [('Content-type', 'application/json')]
start_response(status, headers)
return [body]
except Exception as e:
logger.error(e)
def test_15_reset_password(self):
builder = EnvironBuilder(method='POST',
data={
'user': "******",
"realm": self.realm1
},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
# Set a mangle policy to change the username
# and only use the last 4 characters of the username
set_policy(name="recover",
scope=SCOPE.USER,
action="%s" % ACTION.RESYNC)
g.policy_object = PolicyClass()
req.all_data = {"user": "******", "realm": self.realm1}
# There is a user policy without password reset, so an exception is
# raised
self.assertRaises(PolicyError, check_anonymous_user, req,
ACTION.PASSWORDRESET)
# The password reset is allowed
set_policy(name="recover",
scope=SCOPE.USER,
action="%s" % ACTION.PASSWORDRESET)
g.policy_object = PolicyClass()
r = check_anonymous_user(req, ACTION.PASSWORDRESET)
self.assertEqual(r, True)
def __call__(self, environ, start_response):
from flask import Request
req = Request(environ)
endpoint = req.path
start_time = default_timer()
def start_response_wrapper(status, headers, exc_info=None):
ret = start_response(status, headers, exc_info)
status_code = int(status.split()[0])
# instrument request total count
self.metrics_request_total.labels(
endpoint=endpoint,
service_version=self.bento_service.version,
http_response_code=status_code,
).inc()
# instrument request duration
total_time = max(default_timer() - start_time, 0)
self.metrics_request_duration.labels(
endpoint=endpoint,
service_version=self.bento_service.version,
http_response_code=status_code,
).observe(total_time)
return ret
with self.metrics_request_in_progress.labels(
endpoint=endpoint,
service_version=self.bento_service.version).track_inprogress():
return self.app(environ, start_response_wrapper)
def test_14_required_email(self):
g.logged_in_user = {"username": "******", "role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
# Set a mangle policy to change the username
# and only use the last 4 characters of the username
set_policy(name="email1",
scope=SCOPE.REGISTER,
action="%s=/.*@mydomain\..*" % ACTION.REQUIREDEMAIL)
g.policy_object = PolicyClass()
# request, that matches the policy
req.all_data = {"email": "*****@*****.**"}
# This emails is allowed
r = required_email(req)
self.assertTrue(r)
# This email is not allowed
req.all_data = {"email": "*****@*****.**"}
# This emails is allowed
self.assertRaises(RegistrationError, required_email, req)
delete_policy("email1")
g.policy_object = PolicyClass()
# Without a policy, this email can register
req.all_data = {"email": "*****@*****.**"}
# This emails is allowed
r = required_email(req)
self.assertTrue(r)
def test_13_remote_user(self):
g.logged_in_user = {"username": "******", "role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
env["REMOTE_USER"] = "******"
req = Request(env)
# A user, for whom the login via REMOTE_USER is allowed.
set_policy(name="ruser",
scope=SCOPE.WEBUI,
action="%s=%s" % (ACTION.REMOTE_USER, REMOTE_USER.ACTIVE))
g.policy_object = PolicyClass()
r = is_remote_user_allowed(req)
self.assertEqual(r, [REMOTE_USER.ACTIVE])
# Login for the REMOTE_USER is not allowed.
# Only allowed for user "super", but REMOTE_USER=admin
set_policy(name="ruser",
scope=SCOPE.WEBUI,
action="%s=%s" % (ACTION.REMOTE_USER, REMOTE_USER.ACTIVE),
user="******")
g.policy_object = PolicyClass()
r = is_remote_user_allowed(req)
self.assertEqual(r, [])
delete_policy("ruser")
def test_07_set_random_pin(self):
g.logged_in_user = {"username": "******", "role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
# Set a policy that defines the tokenlabel
set_policy(name="pol1",
scope=SCOPE.ENROLL,
action="%s=%s" % (ACTION.OTPPINRANDOM, "12"))
set_policy(name="pinhandling",
scope=SCOPE.ENROLL,
action="%s=privacyidea.lib.pinhandling.base.PinHandler" %
ACTION.PINHANDLING)
g.policy_object = PolicyClass()
# request, that matches the policy
req.all_data = {"user": "******", "realm": "home"}
init_random_pin(req)
# Check, if the tokenlabel was added
self.assertEqual(len(req.all_data.get("pin")), 12)
# finally delete policy
delete_policy("pol1")
delete_policy("pinhandling")
def test_06_set_tokenlabel(self):
g.logged_in_user = {"username": "******", "role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
# Set a policy that defines the tokenlabel
set_policy(name="pol1",
scope=SCOPE.ENROLL,
action="%s=%s" % (ACTION.TOKENLABEL, "<u>@<r>"))
set_policy(name="pol2",
scope=SCOPE.ENROLL,
action="%s=%s" % (ACTION.TOKENISSUER, "myPI"))
g.policy_object = PolicyClass()
# request, that matches the policy
req.all_data = {"user": "******", "realm": "home"}
init_tokenlabel(req)
# Check, if the tokenlabel was added
self.assertEqual(req.all_data.get("tokenlabel"), "<u>@<r>")
# Check, if the tokenissuer was added
self.assertEqual(req.all_data.get("tokenissuer"), "myPI")
# finally delete policy
delete_policy("pol1")
delete_policy("pol2")
def test_04_no_detail_on_fail(self):
builder = EnvironBuilder(method='POST',
data={'serial': "HOTP123435"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
# The response contains the token type SPASS
res = {
"jsonrpc": "2.0",
"result": {
"status": True,
"value": False
},
"version": "privacyIDEA test",
"id": 1,
"detail": {
"message": "matching 1 tokens",
"serial": "HOTP123456",
"type": "hotp"
}
}
resp = Response(json.dumps(res))
# Set a policy, that does not allow the detail on success
set_policy(name="pol2",
scope=SCOPE.AUTHZ,
action="no_detail_on_fail",
client="10.0.0.0/8")
g.policy_object = PolicyClass()
new_response = no_detail_on_fail(req, resp)
jresult = json.loads(new_response.data)
self.assertTrue("detail" not in jresult, jresult)
# A successful call has a detail in the response!
res = {
"jsonrpc": "2.0",
"result": {
"status": True,
"value": True
},
"version": "privacyIDEA test",
"id": 1,
"detail": {
"message": "matching 1 tokens",
"serial": "HOTP123456",
"type": "hotp"
}
}
resp = Response(json.dumps(res))
new_response = no_detail_on_fail(req, resp)
jresult = json.loads(new_response.data)
self.assertTrue("detail" in jresult, jresult)
delete_policy("pol2")
