def test_14_required_email(self):
g.logged_in_user = {"username": "******", "role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
# Set a mangle policy to change the username
# and only use the last 4 characters of the username
set_policy(name="email1",
scope=SCOPE.REGISTER,
action="%s=/.*@mydomain\..*" % ACTION.REQUIREDEMAIL)
g.policy_object = PolicyClass()
# request, that matches the policy
req.all_data = {"email": "*****@*****.**"}
# This emails is allowed
r = required_email(req)
self.assertTrue(r)
# This email is not allowed
req.all_data = {"email": "*****@*****.**"}
# This emails is allowed
self.assertRaises(RegistrationError, required_email, req)
delete_policy("email1")
g.policy_object = PolicyClass()
# Without a policy, this email can register
req.all_data = {"email": "*****@*****.**"}
# This emails is allowed
r = required_email(req)
self.assertTrue(r)
def test_14_required_email(self):
g.logged_in_user = {"username": "******",
"role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
# Set a mangle policy to change the username
# and only use the last 4 characters of the username
set_policy(name="email1",
scope=SCOPE.REGISTER,
action="%s=/.*@mydomain\..*" % ACTION.REQUIREDEMAIL)
g.policy_object = PolicyClass()
# request, that matches the policy
req.all_data = {"email": "*****@*****.**"}
# This emails is allowed
r = required_email(req)
self.assertTrue(r)
# This email is not allowed
req.all_data = {"email": "*****@*****.**"}
# This emails is allowed
self.assertRaises(RegistrationError, required_email, req)
delete_policy("email1")
g.policy_object = PolicyClass()
# Without a policy, this email can register
req.all_data = {"email": "*****@*****.**"}
# This emails is allowed
r = required_email(req)
self.assertTrue(r)
def test_03_check_token_upload(self):
g.logged_in_user = {"username": "******", "role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
req.all_data = {"filename": "token.xml"}
# Set a policy, that does allow the action
set_policy(name="pol1",
scope=SCOPE.ADMIN,
action="enrollTOTP, enrollHOTP, %s" % ACTION.IMPORT,
client="10.0.0.0/8")
g.policy_object = PolicyClass()
# Try to import tokens
r = check_token_upload(req)
self.assertTrue(r)
# The admin can not upload from another IP address
# An exception is raised
env["REMOTE_ADDR"] = "192.168.0.1"
req = Request(env)
req.all_data = {"filename": "token.xml"}
self.assertRaises(PolicyError, check_token_upload, req)
# finally delete policy
delete_policy("pol1")
def test_02_check_token_init(self):
g.logged_in_user = {"username": "******", "role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
req.all_data = {"type": "totp"}
# Set a policy, that does allow the action
set_policy(name="pol1",
scope=SCOPE.ADMIN,
action="enrollTOTP, enrollHOTP",
client="10.0.0.0/8")
g.policy_object = PolicyClass()
# Enrolling TOTP is cool
r = check_token_init(req)
self.assertTrue(r)
# Another Token type can not be enrolled:
# An exception is raised
req.all_data = {"type": "motp"}
self.assertRaises(PolicyError, check_token_init, req)
# A normal user can "enroll", since no user policies are defined.
g.logged_in_user = {"username": "******", "role": "user"}
r = check_token_init(req)
self.assertTrue(r)
# finally delete policy
delete_policy("pol1")
def test_03_check_token_upload(self):
g.logged_in_user = {"username": "******",
"role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
req.all_data = {"filename": "token.xml"}
# Set a policy, that does allow the action
set_policy(name="pol1",
scope=SCOPE.ADMIN,
action="enrollTOTP, enrollHOTP, %s" % ACTION.IMPORT,
client="10.0.0.0/8")
g.policy_object = PolicyClass()
# Try to import tokens
r = check_token_upload(req)
self.assertTrue(r)
# The admin can not upload from another IP address
# An exception is raised
env["REMOTE_ADDR"] = "192.168.0.1"
req = Request(env)
req.all_data = {"filename": "token.xml"}
self.assertRaises(PolicyError,
check_token_upload, req)
# finally delete policy
delete_policy("pol1")
def test_04_check_max_token_user(self):
g.logged_in_user = {"username": "******", "role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"user": "******", "realm": self.realm1}
# Set a policy, that allows two tokens per user
set_policy(name="pol1",
scope=SCOPE.ENROLL,
action="{0!s}={1!s}".format(ACTION.MAXTOKENUSER, 2))
g.policy_object = PolicyClass()
# The user has one token, everything is fine.
self.setUp_user_realms()
tokenobject = init_token(
{
"serial": "NEW001",
"type": "hotp",
"otpkey": "1234567890123456"
},
user=User(login="******", realm=self.realm1))
tokenobject_list = get_tokens(
user=User(login="******", realm=self.realm1))
self.assertTrue(len(tokenobject_list) == 1)
self.assertTrue(check_max_token_user(req))
# Now the user gets his second token
tokenobject = init_token(
{
"serial": "NEW002",
"type": "hotp",
"otpkey": "1234567890123456"
},
user=User(login="******", realm=self.realm1))
tokenobject_list = get_tokens(
user=User(login="******", realm=self.realm1))
self.assertTrue(len(tokenobject_list) == 2)
# The user has two tokens. The check that will run in this case,
# before the user would be assigned the 3rd token, will raise a
# PolicyError
self.assertRaises(PolicyError, check_max_token_user, req)
# The check for a token, that has no username in it, must not
# succeed. I.e. in the realm new tokens must be enrollable.
req.all_data = {}
self.assertTrue(check_max_token_user(req))
req.all_data = {"realm": self.realm1}
self.assertTrue(check_max_token_user(req))
# finally delete policy
delete_policy("pol1")
remove_token("NEW001")
remove_token("NEW002")
def test_04_check_max_token_user(self):
g.logged_in_user = {"username": "******",
"role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"user": "******",
"realm": self.realm1}
# Set a policy, that allows two tokens per user
set_policy(name="pol1",
scope=SCOPE.ENROLL,
action="{0!s}={1!s}".format(ACTION.MAXTOKENUSER, 2))
g.policy_object = PolicyClass()
# The user has one token, everything is fine.
self.setUp_user_realms()
tokenobject = init_token({"serial": "NEW001", "type": "hotp",
"otpkey": "1234567890123456"},
user=User(login="******",
realm=self.realm1))
tokenobject_list = get_tokens(user=User(login="******",
realm=self.realm1))
self.assertTrue(len(tokenobject_list) == 1)
self.assertTrue(check_max_token_user(req))
# Now the user gets his second token
tokenobject = init_token({"serial": "NEW002", "type": "hotp",
"otpkey": "1234567890123456"},
user=User(login="******",
realm=self.realm1))
tokenobject_list = get_tokens(user=User(login="******",
realm=self.realm1))
self.assertTrue(len(tokenobject_list) == 2)
# The user has two tokens. The check that will run in this case,
# before the user would be assigned the 3rd token, will raise a
# PolicyError
self.assertRaises(PolicyError,
check_max_token_user, req)
# The check for a token, that has no username in it, must not
# succeed. I.e. in the realm new tokens must be enrollable.
req.all_data = {}
self.assertTrue(check_max_token_user(req))
req.all_data = {"realm": self.realm1}
self.assertTrue(check_max_token_user(req))
# finally delete policy
delete_policy("pol1")
remove_token("NEW001")
remove_token("NEW002")
def test_05_check_max_token_realm(self):
g.logged_in_user = {"username": "******", "role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"realm": self.realm1}
# Set a policy, that allows two tokens per realm
set_policy(name="pol1",
scope=SCOPE.ENROLL,
action="max_token_per_realm=2",
realm=self.realm1)
g.policy_object = PolicyClass()
self.setUp_user_realms()
# Add the first token into the realm
tokenobject = init_token({
"serial": "NEW001",
"type": "hotp",
"otpkey": "1234567890123456"
})
set_realms("NEW001", [self.realm1])
# check the realm, only one token is in it the policy condition will
# pass
tokenobject_list = get_tokens(realm=self.realm1)
self.assertTrue(len(tokenobject_list) == 1)
self.assertTrue(check_max_token_realm(req))
# add a second token to the realm
tokenobject = init_token({
"serial": "NEW002",
"type": "hotp",
"otpkey": "1234567890123456"
})
set_realms("NEW002", [self.realm1])
tokenobject_list = get_tokens(realm=self.realm1)
self.assertTrue(len(tokenobject_list) == 2)
# request with a user object, not with a realm
req.all_data = {"user": "******".format(self.realm1)}
# Now a new policy check will fail, since there are already two
# tokens in the realm
self.assertRaises(PolicyError, check_max_token_realm, req)
# finally delete policy
delete_policy("pol1")
remove_token("NEW001")
remove_token("NEW002")
def test_05_check_max_token_realm(self):
g.logged_in_user = {"username": "******",
"role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"realm": self.realm1}
# Set a policy, that allows two tokens per realm
set_policy(name="pol1",
scope=SCOPE.ENROLL,
action="max_token_per_realm=2",
realm=self.realm1)
g.policy_object = PolicyClass()
self.setUp_user_realms()
# Add the first token into the realm
tokenobject = init_token({"serial": "NEW001", "type": "hotp",
"otpkey": "1234567890123456"})
set_realms("NEW001", [self.realm1])
# check the realm, only one token is in it the policy condition will
# pass
tokenobject_list = get_tokens(realm=self.realm1)
self.assertTrue(len(tokenobject_list) == 1)
self.assertTrue(check_max_token_realm(req))
# add a second token to the realm
tokenobject = init_token({"serial": "NEW002", "type": "hotp",
"otpkey": "1234567890123456"})
set_realms("NEW002", [self.realm1])
tokenobject_list = get_tokens(realm=self.realm1)
self.assertTrue(len(tokenobject_list) == 2)
# request with a user object, not with a realm
req.all_data = {"user": "******".format(self.realm1)}
# Now a new policy check will fail, since there are already two
# tokens in the realm
self.assertRaises(PolicyError,
check_max_token_realm, req)
# finally delete policy
delete_policy("pol1")
remove_token("NEW001")
remove_token("NEW002")
def test_09_pin_policies(self):
g.logged_in_user = {"username": "******",
"role": "user"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
# Set a policy that defines PIN policy
set_policy(name="pol1",
scope=SCOPE.USER,
action="%s=%s,%s=%s,%s=%s" % (ACTION.OTPPINMAXLEN, "10",
ACTION.OTPPINMINLEN, "4",
ACTION.OTPPINCONTENTS, "cn"))
g.policy_object = PolicyClass()
req.all_data = {"realm": "somerealm",
"user": "******",
"realm": "home"}
# The minimum OTP length is 4
self.assertRaises(PolicyError, check_otp_pin, req)
req.all_data = {"realm": "somerealm",
"user": "******",
"realm": "home",
"pin": "12345566890012"}
# Fail maximum OTP length
self.assertRaises(PolicyError, check_otp_pin, req)
req.all_data = {"realm": "somerealm",
"user": "******",
"realm": "home",
"pin": "123456"}
# Good OTP length, but missing character A-Z
self.assertRaises(PolicyError, check_otp_pin, req)
req.all_data = {"realm": "somerealm",
"user": "******",
"realm": "home",
"pin": "abc123"}
# Good length and goot contents
self.assertTrue(check_otp_pin(req))
# finally delete policy
delete_policy("pol1")
def test_16_init_token_defaults(self):
g.logged_in_user = {"username": "******",
"role": "user"}
builder = EnvironBuilder(method='POST',
data={'type': "totp",
"genkey": "1"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
# Set a policy that defines the default totp settings
set_policy(name="pol1",
scope=SCOPE.USER,
action="totp_otplen=8,totp_hashlib=sha256,totp_timestep=60")
g.policy_object = PolicyClass()
# request, that matches the policy
req.all_data = {
"type": "totp",
"genkey": "1"}
init_token_defaults(req)
# Check, if the token defaults were added
self.assertEqual(req.all_data.get("totp.hashlib"), "sha256")
self.assertEqual(req.all_data.get("otplen"), "8")
self.assertEqual(req.all_data.get("timeStep"), "60")
# finally delete policy
delete_policy("pol1")
def test_10_api_endpoint(self):
fixed = "ebedeeefegeheiej"
otpkey = "cc17a4d77eaed96e9d14b5c87a02e718"
uid = "000000000000"
otps = ["ebedeeefegeheiejtjtrutblehenfjljrirgdihrfuetljtt",
"ebedeeefegeheiejlekvlrlkrcluvctenlnnjfknrhgtjned",
"ebedeeefegeheiejktudedbktcnbuntrhdueikggtrugckij",
"ebedeeefegeheiejjvjncbnffdrvjcvrbgdfufjgndfetieu",
"ebedeeefegeheiejdruibhvlvktcgfjiruhltketifnitbuk"
]
token = init_token({"type": "yubikey",
"otpkey": otpkey,
"otplen": len(otps[0]),
"yubikey.prefix": fixed,
"serial": "UBAM12345678_1"})
builder = EnvironBuilder(method='GET',
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
nonce = "random nonce"
apiid = "hallo"
apikey = "1YMEbMZijD3DzL21UfKGnOOI13c="
set_privacyidea_config("yubikey.apiid.{0!s}".format(apiid), apikey)
req.all_data = {'id': apiid,
"otp": otps[0],
"nonce": nonce}
text_type, result = YubikeyTokenClass.api_endpoint(req, g)
self.assertEqual(text_type, "plain")
self.assertTrue("status=OK" in result, result)
self.assertTrue("nonce={0!s}".format(nonce) in result, result)
def test_03_loggingevent_parameter(self, capture):
# simple logging event with user defined values
self.setUp_user_realms()
g = FakeFlaskG()
g.audit_object = FakeAudit()
env = EnvironBuilder(method='POST', headers={},
path='/auth').get_environ()
req = Request(env)
req.all_data = {}
req.User = User("cornelius", self.realm1)
resp = Response(response="""{"result": {"value": true}}""")
options = {
"g": g,
"request": req,
"response": resp,
"handler_def": {
'options': {
'name': 'eventlogger-privacyidea',
'level': 'WARN',
'message': 'Hello {username}!'
}
}
}
log_handler = LoggingEventHandler()
res = log_handler.do("logging", options=options)
self.assertTrue(res)
capture.check_present(
('eventlogger-privacyidea', 'WARNING', 'Hello cornelius!'))
def test_01a_admin_realms(self):
admin1 = {"username": "******", "role": "admin", "realm": "realm1"}
admin2 = {"username": "******", "role": "admin", "realm": "realm2"}
set_policy(name="pol",
scope=SCOPE.ADMIN,
action="*",
adminrealm="realm1")
g.policy_object = PolicyClass()
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
req.all_data = {}
# admin1 is allowed to do everything
g.logged_in_user = admin1
r = check_base_action(req, action="delete")
self.assertTrue(r)
# admin2 is not allowed.
g.logged_in_user = admin2
self.assertRaises(PolicyError, check_base_action, req, action="delete")
delete_policy("pol")
def test_06_set_tokenlabel(self):
g.logged_in_user = {"username": "******", "role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
# Set a policy that defines the tokenlabel
set_policy(name="pol1",
scope=SCOPE.ENROLL,
action="%s=%s" % (ACTION.TOKENLABEL, "<u>@<r>"))
set_policy(name="pol2",
scope=SCOPE.ENROLL,
action="%s=%s" % (ACTION.TOKENISSUER, "myPI"))
g.policy_object = PolicyClass()
# request, that matches the policy
req.all_data = {"user": "******", "realm": "home"}
init_tokenlabel(req)
# Check, if the tokenlabel was added
self.assertEqual(req.all_data.get("tokenlabel"), "<u>@<r>")
# Check, if the tokenissuer was added
self.assertEqual(req.all_data.get("tokenissuer"), "myPI")
# finally delete policy
delete_policy("pol1")
delete_policy("pol2")
def test_04_loggingevent_broken_parameter(self, capture):
# simple logging event with faulty parameters
self.setUp_user_realms()
g = FakeFlaskG()
g.audit_object = FakeAudit()
env = EnvironBuilder(method='POST', headers={},
path='/auth').get_environ()
req = Request(env)
req.all_data = {}
req.User = User("cornelius", self.realm1)
resp = Response(response="""{"result": {"value": true}}""")
options = {
"g": g,
"request": req,
"response": resp,
"handler_def": {
'options': {
'name': None,
'level': 'some_level',
'message': None
}
}
}
log_handler = LoggingEventHandler()
res = log_handler.do("logging", options=options)
self.assertTrue(res)
capture.check_present(('root', 'INFO', 'event=/auth triggered'))
def test_10_check_external(self):
g.logged_in_user = {"username": "******",
"role": "user"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
req = Request(env)
g.policy_object = PolicyClass()
req.all_data = {
"user": "******",
"realm": "home"}
# Check success on no definition
r = check_external(req)
self.assertTrue(r)
# Check success with external function
current_app.config["PI_INIT_CHECK_HOOK"] = \
"privacyidea.api.lib.prepolicy.mock_success"
r = check_external(req)
self.assertTrue(r)
# Check exception with external function
current_app.config["PI_INIT_CHECK_HOOK"] = \
"privacyidea.api.lib.prepolicy.mock_fail"
self.assertRaises(Exception, check_external, req)
def test_15_reset_password(self):
builder = EnvironBuilder(method='POST',
data={'user': "******",
"realm": self.realm1},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
# Set a mangle policy to change the username
# and only use the last 4 characters of the username
set_policy(name="recover",
scope=SCOPE.USER,
action="%s" % ACTION.RESYNC)
g.policy_object = PolicyClass()
req.all_data = {"user": "******", "realm": self.realm1}
# There is a user policy without password reset, so an exception is
# raised
self.assertRaises(PolicyError, check_anonymous_user, req,
ACTION.PASSWORDRESET)
# The password reset is allowed
set_policy(name="recover",
scope=SCOPE.USER,
action="%s" % ACTION.PASSWORDRESET)
g.policy_object = PolicyClass()
r = check_anonymous_user(req, ACTION.PASSWORDRESET)
self.assertEqual(r, True)
def test_08_check_conditions_serial(self):
uhandler = UserNotificationEventHandler()
# check a serial with regexp
builder = EnvironBuilder(method='POST',
data={'user': "******"},
headers={})
env = builder.get_environ()
req = Request(env)
req.all_data = {"user": "******", "serial": "OATH123456"}
req.User = User("cornelius", "realm1")
resp = Response()
resp.data = """{"result": {"value": true}}"""
r = uhandler.check_condition({
"g": {},
"handler_def": {
"conditions": {
"serial": "^OATH.*"
}
},
"request": req,
"response": resp
})
# Serial matches the regexp
self.assertEqual(r, True)
def test_06_check_conditions_realm(self):
uhandler = UserNotificationEventHandler()
# check a locked token with maxfail = failcount
builder = EnvironBuilder(method='POST',
data={'user': "******"},
headers={})
env = builder.get_environ()
req = Request(env)
req.all_data = {"user": "******"}
req.User = User("cornelius", "realm1")
resp = Response()
resp.data = """{"result": {"value": false}}"""
r = uhandler.check_condition({
"g": {},
"handler_def": {
"conditions": {
"realm": "realm2"
}
},
"request": req,
"response": resp
})
# wrong realm
self.assertEqual(r, False)
def test_15_reset_password(self):
builder = EnvironBuilder(method='POST',
data={
'user': "******",
"realm": self.realm1
},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
# Set a mangle policy to change the username
# and only use the last 4 characters of the username
set_policy(name="recover",
scope=SCOPE.USER,
action="%s" % ACTION.RESYNC)
g.policy_object = PolicyClass()
req.all_data = {"user": "******", "realm": self.realm1}
# There is a user policy without password reset, so an exception is
# raised
self.assertRaises(PolicyError, check_anonymous_user, req,
ACTION.PASSWORDRESET)
# The password reset is allowed
set_policy(name="recover",
scope=SCOPE.USER,
action="%s" % ACTION.PASSWORDRESET)
g.policy_object = PolicyClass()
r = check_anonymous_user(req, ACTION.PASSWORDRESET)
self.assertEqual(r, True)
def test_08_encrypt_pin(self):
g.logged_in_user = {"username": "******",
"role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
# Set a policy that defines the PIN to be encrypted
set_policy(name="pol1",
scope=SCOPE.ENROLL,
action=ACTION.ENCRYPTPIN)
g.policy_object = PolicyClass()
# request, that matches the policy
req.all_data = {
"user": "******",
"realm": "home"}
encrypt_pin(req)
# Check, if the tokenlabel was added
self.assertEqual(req.all_data.get("encryptpin"), "True")
# finally delete policy
delete_policy("pol1")
def test_01a_admin_realms(self):
admin1 = {"username": "******",
"role": "admin",
"realm": "realm1"}
admin2 = {"username": "******",
"role": "admin",
"realm": "realm2"}
set_policy(name="pol",
scope=SCOPE.ADMIN,
action="*", adminrealm="realm1")
g.policy_object = PolicyClass()
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
req.all_data = {}
# admin1 is allowed to do everything
g.logged_in_user = admin1
r = check_base_action(req, action="delete")
self.assertTrue(r)
# admin2 is not allowed.
g.logged_in_user = admin2
self.assertRaises(PolicyError, check_base_action, req, action="delete")
delete_policy("pol")
def test_10_check_conditions_tokentype(self):
uhandler = UserNotificationEventHandler()
# check if tokenrealm is contained
builder = EnvironBuilder(method='POST',
data={'user': "******"},
headers={})
tok = init_token({"serial": "oath1234", "type": "spass"},
user=User("cornelius", "realm1"))
env = builder.get_environ()
req = Request(env)
req.all_data = {"user": "******",
"serial": "oath1234"}
req.User = User("cornelius", "realm1")
resp = Response()
resp.data = """{"result": {"value": true}}"""
r = uhandler.check_condition(
{"g": {},
"handler_def": {"conditions": {"tokentype": "totp,spass,oath,"}},
"request": req,
"response": resp
}
)
# Serial matches the regexp
self.assertEqual(r, True)
def test_07_set_random_pin(self):
g.logged_in_user = {"username": "******",
"role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
# Set a policy that defines the tokenlabel
set_policy(name="pol1",
scope=SCOPE.ENROLL,
action="%s=%s" % (ACTION.OTPPINRANDOM, "12"))
set_policy(name="pinhandling",
scope=SCOPE.ENROLL,
action="%s=privacyidea.lib.pinhandling.base.PinHandler" %
ACTION.PINHANDLING)
g.policy_object = PolicyClass()
# request, that matches the policy
req.all_data = {
"user": "******",
"realm": "home"}
init_random_pin(req)
# Check, if the tokenlabel was added
self.assertEqual(len(req.all_data.get("pin")), 12)
# finally delete policy
delete_policy("pol1")
delete_policy("pinhandling")
def test_06_offline_auth(self):
# Test that a machine definition will return offline hashes
self.setUp_user_realms()
serial = "offline01"
tokenobject = init_token({
"serial": serial,
"type": "hotp",
"otpkey": "3132333435363738393031"
"323334353637383930",
"pin": "offline",
"user": "******"
})
# Set the Machine and MachineToken
resolver1 = save_resolver({
"name": "reso1",
"type": "hosts",
"filename": HOSTSFILE
})
mt = attach_token(serial, "offline", hostname="gandalf")
self.assertEqual(mt.token.serial, serial)
self.assertEqual(mt.token.machine_list[0].machine_id, "192.168.0.1")
# The request with an OTP value and a PIN of a user, who has not
# token assigned
builder = EnvironBuilder(method='POST', data={}, headers={})
env = builder.get_environ()
env["REMOTE_ADDR"] = "192.168.0.1"
req = Request(env)
req.all_data = {"user": "******", "pass": "******"}
res = {
"jsonrpc": "2.0",
"result": {
"status": True,
"value": True
},
"version": "privacyIDEA test",
"detail": {
"serial": serial
},
"id": 1
}
resp = Response(json.dumps(res))
new_response = offline_info(req, resp)
jresult = json.loads(new_response.data)
self.assertTrue(jresult.get("result").get("value"), jresult)
self.assertEqual(jresult.get("detail").get("serial"), serial)
# Check the hashvalues in the offline tree
auth_items = jresult.get("auth_items")
self.assertEqual(len(auth_items), 1)
response = auth_items.get("offline")[0].get("response")
self.assertEqual(len(response), 100)
# check if the counter of the token was increased to 100
tokenobject = get_tokens(serial=serial)[0]
self.assertEqual(tokenobject.token.count, 101)
delete_policy("pol2")
def test_07_set_random_pin(self):
g.logged_in_user = {"username": "******", "role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
# Set a policy that defines the tokenlabel
set_policy(name="pol1",
scope=SCOPE.ENROLL,
action="%s=%s" % (ACTION.OTPPINRANDOM, "12"))
set_policy(name="pinhandling",
scope=SCOPE.ENROLL,
action="%s=privacyidea.lib.pinhandling.base.PinHandler" %
ACTION.PINHANDLING)
g.policy_object = PolicyClass()
# request, that matches the policy
req.all_data = {"user": "******", "realm": "home"}
init_random_pin(req)
# Check, if the tokenlabel was added
self.assertEqual(len(req.all_data.get("pin")), 12)
# finally delete policy
delete_policy("pol1")
delete_policy("pinhandling")
def test_06_set_tokenlabel(self):
g.logged_in_user = {"username": "******",
"role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
# Set a policy that defines the tokenlabel
set_policy(name="pol1",
scope=SCOPE.ENROLL,
action="%s=%s" % (ACTION.TOKENLABEL, "<u>@<r>"))
set_policy(name="pol2",
scope=SCOPE.ENROLL,
action="%s=%s" % (ACTION.TOKENISSUER, "myPI"))
g.policy_object = PolicyClass()
# request, that matches the policy
req.all_data = {
"user": "******",
"realm": "home"}
init_tokenlabel(req)
# Check, if the tokenlabel was added
self.assertEqual(req.all_data.get("tokenlabel"), "<u>@<r>")
# Check, if the tokenissuer was added
self.assertEqual(req.all_data.get("tokenissuer"), "myPI")
# finally delete policy
delete_policy("pol1")
delete_policy("pol2")
def test_10_check_conditions_token_has_owner(self):
uhandler = UserNotificationEventHandler()
# check if tokenrealm is contained
builder = EnvironBuilder(method='POST',
data={'user': "******"},
headers={})
tok = init_token({
"serial": "oath1234",
"type": "spass"
},
user=User("cornelius", "realm1"))
env = builder.get_environ()
req = Request(env)
req.all_data = {"user": "******", "serial": "oath1234"}
req.User = User("cornelius", "realm1")
resp = Response()
resp.data = """{"result": {"value": true}}"""
r = uhandler.check_condition({
"g": {},
"handler_def": {
"conditions": {
CONDITION.TOKEN_HAS_OWNER: "True"
}
},
"request": req,
"response": resp
})
# Token has an owner
self.assertEqual(r, True)
r = uhandler.check_condition({
"g": {},
"handler_def": {
"conditions": {
CONDITION.TOKEN_HAS_OWNER: "False"
}
},
"request": req,
"response": resp
})
# Token has an owner, but the condition is wrong
self.assertEqual(r, False)
# unassign token, no owner
unassign_token("oath1234")
r = uhandler.check_condition({
"g": {},
"handler_def": {
"conditions": {
CONDITION.TOKEN_HAS_OWNER: "False"
}
},
"request": req,
"response": resp
})
# The condition was, token-not-assigned and the token has no user
self.assertEqual(r, True)
def test_05_loggingevent_tags(self, capture):
class UserAgentMock:
string = "hello world"
browser = "browser"
# simple logging event with all tags
self.setUp_sqlite_resolver_realm('testuser.sqlite', 'sqliterealm')
available_tags = [
'admin', 'realm', 'action', 'serial', 'url', 'user', 'surname',
'givenname', 'username', 'userrealm', 'tokentype', 'time', 'date',
'client_ip', 'ua_browser', 'ua_string'
]
tok = init_token(
{
"serial": "testserial",
"type": "spass",
"pin": "pin"
},
user=User("cornelius", "sqliterealm"))
g = FakeFlaskG()
g.audit_object = FakeAudit()
g.logged_in_user = {
"username": "******",
"role": "admin",
"realm": "super"
}
env = EnvironBuilder(method='POST', headers={},
path='/auth').get_environ()
req = Request(env)
req.user_agent = UserAgentMock()
req.all_data = {'serial': 'testserial'}
req.User = User("cornelius", 'sqliterealm')
resp = Response(response="""{"result": {"value": true}}""")
options = {
"g": g,
"request": req,
"response": resp,
"handler_def": {
'options': {
'message':
' '.join(
['{0!s}={{{0!s}}}'.format(x) for x in available_tags])
}
}
}
current_utc_time = datetime(2018, 3, 4, 5, 6, 8)
with mock.patch('privacyidea.lib.utils.datetime') as mock_dt:
mock_dt.now.return_value = current_utc_time
log_handler = LoggingEventHandler()
res = log_handler.do("logging", options=options)
self.assertTrue(res)
capture.check_present(
('pi-eventlogger', 'INFO',
u'admin=admin realm=super action=/auth serial=testserial '
u'url=http://localhost/ user=Cornelius surname=Kölbel '
u'givenname=None username=cornelius userrealm=sqliterealm '
u'tokentype=spass time=05:06:08 date=2018-03-04 '
u'client_ip=None ua_browser=browser ua_string=hello world'))
def test_05_autoassign_any_pin(self):
# init a token, that does has no uwser
self.setUp_user_realms()
tokenobject = init_token({"serial": "UASSIGN1", "type": "hotp",
"otpkey": "3132333435363738393031"
"323334353637383930"},
tokenrealms=[self.realm1])
user_obj = User("autoassignuser", self.realm1)
# unassign all tokens from the user autoassignuser
try:
unassign_token(None, user=user_obj)
except Exception:
print("no need to unassign token")
# The request with an OTP value and a PIN of a user, who has not
# token assigned
builder = EnvironBuilder(method='POST',
data={},
headers={})
env = builder.get_environ()
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"user": "******", "realm": self.realm1,
"pass": "******"}
# The response with a failed request
res = {"jsonrpc": "2.0",
"result": {"status": True,
"value": False},
"version": "privacyIDEA test",
"id": 1}
resp = Response(json.dumps(res))
# Set the autoassign policy
# to "any_pin"
set_policy(name="pol2",
scope=SCOPE.ENROLL,
action="{0!s}={1!s}".format(ACTION.AUTOASSIGN, AUTOASSIGNVALUE.NONE),
client="10.0.0.0/8")
g.policy_object = PolicyClass()
new_response = autoassign(req, resp)
jresult = json.loads(new_response.data)
self.assertTrue(jresult.get("result").get("value"), jresult)
self.assertEqual(jresult.get("detail").get("serial"), "UASSIGN1")
# test the token with test287082 will fail
res, dict = check_user_pass(User("autoassignuser", self.realm1),
"test287082")
self.assertFalse(res)
# test the token with test359152 will succeed
res, dict = check_user_pass(User("autoassignuser", self.realm1),
"test359152")
self.assertTrue(res)
delete_policy("pol2")
def test_06_set_realm(self):
g.logged_in_user = {"username": "******", "role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
# Set a policy, that allows two tokens per realm
set_policy(name="pol1",
scope=SCOPE.AUTHZ,
action="{0!s}={1!s}".format(ACTION.SETREALM, self.realm1),
realm="somerealm")
g.policy_object = PolicyClass()
# request, that matches the policy
req.all_data = {"realm": "somerealm"}
set_realm(req)
# Check, if the realm was modified to the realm specified in the policy
self.assertTrue(req.all_data.get("realm") == self.realm1)
# A request, that does not match the policy:
req.all_data = {"realm": "otherrealm"}
set_realm(req)
# Check, if the realm is still the same
self.assertEqual(req.all_data.get("realm"), "otherrealm")
# If there are several policies, which will produce different realms,
# we get an exception
set_policy(name="pol2",
scope=SCOPE.AUTHZ,
action="{0!s}={1!s}".format(ACTION.SETREALM,
"ConflictRealm"),
realm="somerealm")
g.policy_object = PolicyClass()
# This request will trigger two policies with different realms to set
req.all_data = {"realm": "somerealm"}
self.assertRaises(PolicyError, set_realm, req)
# finally delete policy
delete_policy("pol1")
delete_policy("pol2")
def test_06_set_realm(self):
g.logged_in_user = {"username": "******",
"role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
# Set a policy, that allows two tokens per realm
set_policy(name="pol1",
scope=SCOPE.AUTHZ,
action="{0!s}={1!s}".format(ACTION.SETREALM, self.realm1),
realm="somerealm")
g.policy_object = PolicyClass()
# request, that matches the policy
req.all_data = {"realm": "somerealm"}
set_realm(req)
# Check, if the realm was modified to the realm specified in the policy
self.assertTrue(req.all_data.get("realm") == self.realm1)
# A request, that does not match the policy:
req.all_data = {"realm": "otherrealm"}
set_realm(req)
# Check, if the realm is still the same
self.assertEqual(req.all_data.get("realm"), "otherrealm")
# If there are several policies, which will produce different realms,
# we get an exception
set_policy(name="pol2",
scope=SCOPE.AUTHZ,
action="{0!s}={1!s}".format(ACTION.SETREALM, "ConflictRealm"),
realm="somerealm")
g.policy_object = PolicyClass()
# This request will trigger two policies with different realms to set
req.all_data = {"realm": "somerealm"}
self.assertRaises(PolicyError, set_realm, req)
# finally delete policy
delete_policy("pol1")
delete_policy("pol2")
def test_14_send_to_adminrealm(self):
# setup realms
self.setUp_user_realms()
r = add_smtpserver(identifier="myserver", server="1.2.3.4", tls=False)
self.assertTrue(r > 0)
smtpmock.setdata(response={"*****@*****.**": (200, "OK")},
support_tls=False)
g = FakeFlaskG()
audit_object = FakeAudit()
audit_object.audit_data["serial"] = "123456"
g.logged_in_user = {"user": "******", "role": "admin", "realm": ""}
g.audit_object = audit_object
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"serial": "SomeSerial", "user": "******"}
req.User = User("cornelius", self.realm1)
resp = Response()
resp.data = """{"result": {"value": true},
"detail": {"registrationcode": "12345678910"}
}
"""
# send email to user in adminrealm "realm1"
# Although this is no admin realm, but this realm contains some email
# addresses.
options = {
"g": g,
"request": req,
"response": resp,
"handler_def": {
"conditions": {
"serial": "123.*"
},
"options": {
"body": "your {registrationcode}",
"emailconfig": "myserver",
"To": NOTIFY_TYPE.ADMIN_REALM,
"To " + NOTIFY_TYPE.ADMIN_REALM: "realm1"
}
}
}
un_handler = UserNotificationEventHandler()
res = un_handler.do("sendmail", options=options)
self.assertTrue(res)
def test_08_get_webui_settings(self):
# Test that a machine definition will return offline hashes
self.setUp_user_realms()
serial = "offline01"
tokenobject = init_token({"serial": serial, "type": "hotp",
"otpkey": "3132333435363738393031"
"323334353637383930",
"pin": "offline",
"user": "******"})
# Set the Machine and MachineToken
resolver1 = save_resolver({"name": "reso1",
"type": "hosts",
"filename": HOSTSFILE})
mt = attach_token(serial, "offline", hostname="gandalf")
self.assertEqual(mt.token.serial, serial)
self.assertEqual(mt.token.machine_list[0].machine_id, "192.168.0.1")
# The request with an OTP value and a PIN of a user, who has not
# token assigned
builder = EnvironBuilder(method='POST',
data={},
headers={})
env = builder.get_environ()
env["REMOTE_ADDR"] = "192.168.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"user": "******",
"pass": "******"}
res = {"jsonrpc": "2.0",
"result": {"status": True,
"value": {"role": "user",
"username": "******"}},
"version": "privacyIDEA test",
"detail": {"serial": serial},
"id": 1}
resp = Response(json.dumps(res))
new_response = get_webui_settings(req, resp)
jresult = json.loads(new_response.data)
self.assertEqual(jresult.get("result").get("value").get(
"token_wizard"), False)
# Set a policy. User has not token, so "token_wizard" will be True
set_policy(name="pol_wizard",
scope=SCOPE.WEBUI,
action=ACTION.TOKENWIZARD)
g.policy_object = PolicyClass()
new_response = get_webui_settings(req, resp)
jresult = json.loads(new_response.data)
self.assertEqual(jresult.get("result").get("value").get(
"token_wizard"), True)
delete_policy("pol_wizard")
def test_06_offline_auth(self):
# Test that a machine definition will return offline hashes
self.setUp_user_realms()
serial = "offline01"
tokenobject = init_token({"serial": serial, "type": "hotp",
"otpkey": "3132333435363738393031"
"323334353637383930",
"pin": "offline",
"user": "******"})
# Set the Machine and MachineToken
resolver1 = save_resolver({"name": "reso1",
"type": "hosts",
"filename": HOSTSFILE})
mt = attach_token(serial, "offline", hostname="gandalf")
self.assertEqual(mt.token.serial, serial)
self.assertEqual(mt.token.machine_list[0].machine_id, "192.168.0.1")
# The request with an OTP value and a PIN of a user, who has not
# token assigned
builder = EnvironBuilder(method='POST',
data={},
headers={})
env = builder.get_environ()
env["REMOTE_ADDR"] = "192.168.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"user": "******",
"pass": "******"}
res = {"jsonrpc": "2.0",
"result": {"status": True,
"value": True},
"version": "privacyIDEA test",
"detail": {"serial": serial},
"id": 1}
resp = Response(json.dumps(res))
new_response = offline_info(req, resp)
jresult = json.loads(new_response.data)
self.assertTrue(jresult.get("result").get("value"), jresult)
self.assertEqual(jresult.get("detail").get("serial"), serial)
# Check the hashvalues in the offline tree
auth_items = jresult.get("auth_items")
self.assertEqual(len(auth_items), 1)
response = auth_items.get("offline")[0].get("response")
self.assertEqual(len(response), 100)
# check if the counter of the token was increased to 100
tokenobject = get_tokens(serial=serial)[0]
self.assertEqual(tokenobject.token.count, 101)
delete_policy("pol2")
def test_12_mangle(self):
g.logged_in_user = {"username": "******",
"role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
# Set a mangle policy to change the username
# and only use the last 4 characters of the username
set_policy(name="mangle1",
scope=SCOPE.AUTH,
action="{0!s}=user/.*(.{{4}}$)/\\1/".format(ACTION.MANGLE))
g.policy_object = PolicyClass()
# request, that matches the policy
req.all_data = {"user": "******"}
mangle(req)
# Check if the user was modified
self.assertEqual(req.all_data.get("user"), "user")
# Set a mangle policy to remove blanks from realm name
set_policy(name="mangle2",
scope=SCOPE.AUTH,
action="{0!s}=realm/\\s//".format(ACTION.MANGLE))
g.policy_object = PolicyClass()
# request, that matches the policy
req.all_data = {"realm": "lower Realm"}
mangle(req)
# Check if the realm was modified
self.assertEqual(req.all_data.get("realm"), "lowerRealm")
# finally delete policy
delete_policy("mangle1")
delete_policy("mangle2")
def test_09_pin_policies(self):
g.logged_in_user = {"username": "******", "role": "user"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
# Set a policy that defines PIN policy
set_policy(name="pol1",
scope=SCOPE.USER,
action="{0!s}={1!s},{2!s}={3!s},{4!s}={5!s}".format(
ACTION.OTPPINMAXLEN, "10", ACTION.OTPPINMINLEN, "4",
ACTION.OTPPINCONTENTS, "cn"))
g.policy_object = PolicyClass()
req.all_data = {"user": "******", "realm": "home"}
# The minimum OTP length is 4
self.assertRaises(PolicyError, check_otp_pin, req)
req.all_data = {
"user": "******",
"realm": "home",
"pin": "12345566890012"
}
# Fail maximum OTP length
self.assertRaises(PolicyError, check_otp_pin, req)
req.all_data = {"user": "******", "realm": "home", "pin": "123456"}
# Good OTP length, but missing character A-Z
self.assertRaises(PolicyError, check_otp_pin, req)
req.all_data = {"user": "******", "realm": "home", "pin": "abc123"}
# Good length and good contents
self.assertTrue(check_otp_pin(req))
# A token that does not use pins is ignored.
init_token({"type": "certificate", "serial": "certificate"})
req.all_data = {
"serial": "certificate",
"realm": "somerealm",
"user": "******",
"pin": ""
}
self.assertTrue(check_otp_pin(req))
init_token({"type": "sshkey", "serial": "sshkey", "sshkey": SSHKEY})
req.all_data = {
"serial": "sshkey",
"realm": "somerealm",
"user": "******",
"pin": ""
}
self.assertTrue(check_otp_pin(req))
# finally delete policy
delete_policy("pol1")
def test_12_mangle(self):
g.logged_in_user = {"username": "******", "role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
# Set a mangle policy to change the username
# and only use the last 4 characters of the username
set_policy(name="mangle1",
scope=SCOPE.AUTH,
action="{0!s}=user/.*(.{{4}}$)/\\1/".format(ACTION.MANGLE))
g.policy_object = PolicyClass()
# request, that matches the policy
req.all_data = {"user": "******"}
mangle(req)
# Check if the user was modified
self.assertEqual(req.all_data.get("user"), "user")
# Set a mangle policy to remove blanks from realm name
set_policy(name="mangle2",
scope=SCOPE.AUTH,
action="{0!s}=realm/\\s//".format(ACTION.MANGLE))
g.policy_object = PolicyClass()
# request, that matches the policy
req.all_data = {"realm": "lower Realm"}
mangle(req)
# Check if the realm was modified
self.assertEqual(req.all_data.get("realm"), "lowerRealm")
# finally delete policy
delete_policy("mangle1")
delete_policy("mangle2")
def test_03_sendsms(self):
# setup realms
self.setUp_user_realms()
r = set_smsgateway(identifier="myGW",
providermodule="privacyidea.lib.smsprovider."
"SmtpSMSProvider.SmtpSMSProvider",
options={
"SMTPIDENTIFIER": "myserver",
"MAILTO": "*****@*****.**"
})
self.assertTrue(r > 0)
smtpmock.setdata(response={"*****@*****.**": (200, "OK")},
support_tls=False)
g = FakeFlaskG()
audit_object = FakeAudit()
audit_object.audit_data["serial"] = "123456"
g.logged_in_user = {"user": "******", "role": "admin", "realm": ""}
g.audit_object = audit_object
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"serial": "SomeSerial", "user": "******"}
req.User = User("cornelius", self.realm1)
resp = Response()
resp.data = """{"result": {"value": true}}"""
options = {
"g": g,
"request": req,
"response": resp,
"handler_def": {
"options": {
"smsconfig": "myGW"
}
}
}
un_handler = UserNotificationEventHandler()
res = un_handler.do("sendsms", options=options)
self.assertTrue(res)
def test_02_loggingevent_default(self, capture):
# simple logging event with default values
g = FakeFlaskG()
g.audit_object = FakeAudit()
env = EnvironBuilder(method='POST', headers={},
path='/auth').get_environ()
req = Request(env)
req.all_data = {}
resp = Response(response="""{"result": {"value": true}}""")
options = {"g": g, "request": req, "response": resp, "handler_def": {}}
log_handler = LoggingEventHandler()
res = log_handler.do("logging", options=options)
self.assertTrue(res)
capture.check(('pi-eventlogger', 'INFO', 'event=/auth triggered'))
def test_02_check_token_init(self):
g.logged_in_user = {"username": "******",
"role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"type": "totp"}
# Set a policy, that does allow the action
set_policy(name="pol1",
scope=SCOPE.ADMIN,
action="enrollTOTP, enrollHOTP",
client="10.0.0.0/8")
g.policy_object = PolicyClass()
# Enrolling TOTP is cool
r = check_token_init(req)
self.assertTrue(r)
# Another Token type can not be enrolled:
# An exception is raised
req.all_data = {"type": "motp"}
self.assertRaises(PolicyError,
check_token_init, req)
# A normal user can "enroll", since no user policies are defined.
g.logged_in_user = {"username": "******",
"role": "user"}
r = check_token_init(req)
self.assertTrue(r)
# finally delete policy
delete_policy("pol1")
def test_11_api_key_required(self):
g.logged_in_user = {}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
g.policy_object = PolicyClass()
# No policy and no Auth token
req.all_data = {}
r = api_key_required(req)
# The request was not modified
self.assertTrue(r)
# Set a policy, that allows two tokens per realm
set_policy(name="pol_api", scope=SCOPE.AUTHZ, action=ACTION.APIKEY)
g.policy_object = PolicyClass()
# A request with no API Key fails
self.assertRaises(PolicyError, api_key_required, req)
# A request with an API key succeeds
secret = current_app.config.get("SECRET_KEY")
token = jwt.encode(
{
"role": ROLE.VALIDATE,
"exp": datetime.utcnow() + timedelta(hours=1)
}, secret)
req.headers = {"Authorization": token}
r = api_key_required(req)
self.assertTrue(r)
# A request with a valid Admin Token does not succeed
token = jwt.encode(
{
"role": ROLE.ADMIN,
"username": "******",
"exp": datetime.utcnow() + timedelta(hours=1)
}, secret)
req.headers = {"Authorization": token}
self.assertRaises(PolicyError, api_key_required, req)
delete_policy("pol_api")
def test_01_set_tokenrealm(self):
# setup realms
self.setUp_user_realms()
self.setUp_user_realm2()
init_token({"serial": "SPASS01", "type": "spass"})
g = FakeFlaskG()
audit_object = FakeAudit()
audit_object.audit_data["serial"] = "SPASS01"
g.logged_in_user = {"user": "******", "role": "admin", "realm": ""}
g.audit_object = audit_object
builder = EnvironBuilder(method='POST',
data={'serial': "SPASS01"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"serial": "SPASS01", "type": "spass"}
resp = Response()
resp.data = """{"result": {"value": true}}"""
# Now the initiailized token will be set in realm2
options = {
"g": g,
"request": req,
"response": resp,
"handler_def": {
"options": {
"realm": "realm2"
}
}
}
t_handler = TokenEventHandler()
res = t_handler.do(ACTION_TYPE.SET_TOKENREALM, options=options)
self.assertTrue(res)
# Check if the token is contained in realm2
realms = get_realms_of_token("SPASS01")
self.assertTrue("realm2" in realms)
remove_token("SPASS01")
def test_11_api_key_required(self):
g.logged_in_user = {}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
g.policy_object = PolicyClass()
# No policy and no Auth token
req.all_data = {}
r = api_key_required(req)
# The request was not modified
self.assertTrue(r)
# Set a policy, that allows two tokens per realm
set_policy(name="pol_api",
scope=SCOPE.AUTHZ,
action=ACTION.APIKEY)
g.policy_object = PolicyClass()
# A request with no API Key fails
self.assertRaises(PolicyError, api_key_required, req)
# A request with an API key succeeds
secret = current_app.config.get("SECRET_KEY")
token = jwt.encode({"role": ROLE.VALIDATE,
"exp": datetime.utcnow() + timedelta(hours=1)},
secret)
req.headers = {"Authorization": token}
r = api_key_required(req)
self.assertTrue(r)
# A request with a valid Admin Token does not succeed
token = jwt.encode({"role": ROLE.ADMIN,
"username": "******",
"exp": datetime.utcnow() + timedelta(hours=1)},
secret)
req.headers = {"Authorization": token}
self.assertRaises(PolicyError, api_key_required, req)
delete_policy("pol_api")
def test_07_locked_token_wrong_pin(self):
tok = init_token({
"serial": "lock2",
"type": "spass",
"pin": "pin"
},
user=User("cornelius", "realm1"))
# lock it
tok.set_failcount(10)
uhandler = UserNotificationEventHandler()
resp = Response()
resp.data = """{"result": {"value": false}}"""
builder = EnvironBuilder(method='POST')
env = builder.get_environ()
req = Request(env)
req.all_data = {"user": "******", "pass": "******"}
req.User = User("cornelius", self.realm1)
# check the do action.
g = FakeFlaskG()
audit_object = FakeAudit()
audit_object.audit_data["serial"] = None
g.audit_object = audit_object
options = {
"g": g,
"handler_def": {
"conditions": {
"token_locked": "True"
}
},
"response": resp,
"request": req
}
r = add_smtpserver(identifier="myserver", server="1.2.3.4", tls=False)
self.assertTrue(r > 0)
smtpmock.setdata(response={"*****@*****.**": (200, "OK")},
support_tls=False)
r = uhandler.check_condition(options)
self.assertEqual(r, True)
r = uhandler.do("sendmail", options=options)
self.assertEqual(r, True)
def test_04_unassign(self):
# setup realms
self.setUp_user_realms()
init_token({
"serial": "SPASS01",
"type": "spass"
}, User("cornelius", self.realm1))
t = get_tokens(serial="SPASS01")
uid = t[0].get_user_id()
self.assertEqual(uid, "1000")
g = FakeFlaskG()
audit_object = FakeAudit()
audit_object.audit_data["serial"] = "SPASS01"
g.logged_in_user = {"user": "******", "role": "admin", "realm": ""}
g.audit_object = audit_object
builder = EnvironBuilder(method='POST',
data={'serial': "SPASS01"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"serial": "SPASS01", "type": "spass"}
resp = Response()
resp.data = """{"result": {"value": true}}"""
# Now the initiailized token will be set in realm2
options = {"g": g, "request": req, "response": resp, "handler_def": {}}
t_handler = TokenEventHandler()
res = t_handler.do(ACTION_TYPE.UNASSIGN, options=options)
self.assertTrue(res)
# Check if the token was unassigned
t = get_tokens(serial="SPASS01")
uid = t[0].get_user_id()
self.assertEqual(uid, "")
remove_token("SPASS01")
def test_02_sendmail(self):
# setup realms
self.setUp_user_realms()
r = add_smtpserver(identifier="myserver", server="1.2.3.4", tls=False)
self.assertTrue(r > 0)
smtpmock.setdata(response={"*****@*****.**": (200, "OK")},
support_tls=False)
g = FakeFlaskG()
audit_object = FakeAudit()
audit_object.audit_data["serial"] = "123456"
g.logged_in_user = {"user": "******", "role": "admin", "realm": ""}
g.audit_object = audit_object
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"serial": "SomeSerial", "user": "******"}
req.User = User("cornelius", self.realm1)
resp = Response()
resp.data = """{"result": {"value": true}}"""
options = {
"g": g,
"request": req,
"response": resp,
"handler_def": {
"options": {
"emailconfig": "myserver"
}
}
}
un_handler = UserNotificationEventHandler()
res = un_handler.do("sendmail", options=options)
self.assertTrue(res)
def test_03_enable_disable(self):
# setup realms
self.setUp_user_realms()
init_token({"serial": "SPASS01", "type": "spass"})
g = FakeFlaskG()
audit_object = FakeAudit()
audit_object.audit_data["serial"] = "SPASS01"
g.logged_in_user = {"user": "******", "role": "admin", "realm": ""}
g.audit_object = audit_object
builder = EnvironBuilder(method='POST',
data={'serial': "SPASS01"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"serial": "SPASS01", "type": "spass"}
resp = Response()
resp.data = """{"result": {"value": true}}"""
# Now the initiailized token will be set in realm2
options = {"g": g, "request": req, "response": resp, "handler_def": {}}
t_handler = TokenEventHandler()
res = t_handler.do(ACTION_TYPE.DISABLE, options=options)
self.assertTrue(res)
# Check if the token does not exist anymore
t = get_tokens(serial="SPASS01")
self.assertFalse(t[0].is_active())
res = t_handler.do(ACTION_TYPE.ENABLE, options=options)
self.assertTrue(res)
# Check if the token does not exist anymore
t = get_tokens(serial="SPASS01")
self.assertTrue(t[0].is_active())
remove_token("SPASS01")
def test_03_sendsms(self):
# setup realms
self.setUp_user_realms()
r = set_smsgateway(identifier="myGW",
providermodule="privacyidea.lib.smsprovider."
"SmtpSMSProvider.SmtpSMSProvider",
options={"SMTPIDENTIFIER": "myserver",
"MAILTO": "*****@*****.**"})
self.assertTrue(r > 0)
smtpmock.setdata(response={"*****@*****.**": (200, "OK")},
support_tls=False)
g = FakeFlaskG()
audit_object = FakeAudit()
audit_object.audit_data["serial"] = "123456"
g.logged_in_user = {"user": "******",
"role": "admin",
"realm": ""}
g.audit_object = audit_object
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"serial": "SomeSerial",
"user": "******"}
options = {"g": g,
"request": req,
"smsconfig": "myGW"}
un_handler = UserNotificationEventHandler()
res = un_handler.do("sendsms", options=options)
self.assertTrue(res)
def test_02_sendmail(self):
# setup realms
self.setUp_user_realms()
r = add_smtpserver(identifier="myserver", server="1.2.3.4", tls=False)
self.assertTrue(r > 0)
smtpmock.setdata(response={"*****@*****.**": (200, "OK")},
support_tls=False)
g = FakeFlaskG()
audit_object = FakeAudit()
audit_object.audit_data["serial"] = "123456"
g.logged_in_user = {"user": "******",
"role": "admin",
"realm": ""}
g.audit_object = audit_object
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"serial": "SomeSerial",
"user": "******"}
options = {"g": g,
"request": req,
"emailconfig": "myserver"}
un_handler = UserNotificationEventHandler()
res = un_handler.do("sendmail", options=options)
self.assertTrue(res)
def test_02_api_endpoint(self):
pin = "tiqr"
token = init_token({"type": "tiqr",
"pin": pin,
"user": "******",
"realm": self.realm1})
idetail = token.get_init_detail()
value = idetail.get("tiqrenroll").get("value")
# 'tiqrenroll://None?action=metadata&session=b81ecdf74118dcf6fa1cd41d3d4b2fec56c9107f&serial=TiQR000163CB
# get the serial and the session
m = re.search('&serial=(.*)$', value)
serial = m.group(1)
m = re.search('&session=(.*)&', value)
session = m.group(1)
# test meta data
builder = EnvironBuilder(method='POST',
data={},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
req.all_data = {"action": "metadata",
"session": session,
"serial": serial}
r = TiqrTokenClass.api_endpoint(req, g)
self.assertEqual(r[0], "json")
self.assertTrue("identity" in r[1], r[1])
self.assertTrue("service" in r[1], r[1])
# Test invalid action
req.all_data = {"action": "unknown"}
self.assertRaises(Exception,
TiqrTokenClass.api_endpoint, req, g)
# test enrollment with invalid session
req.all_data = {"action": "enrollment",
"serial": serial,
"session": "123",
"secret": KEY20}
self.assertRaises(ParameterError,
TiqrTokenClass.api_endpoint, req, g)
# test enrollment with valid session
req.all_data = {"action": "enrollment",
"serial": serial,
"session": session,
"secret": KEY20}
r = TiqrTokenClass.api_endpoint(req, g)
self.assertEqual(r[0], "text")
self.assertEqual(r[1], "OK")
# test authentication endpoint
# create a challenge by issuing validate/check with user and pin
session = ""
challenge = ""
with self.app.test_request_context('/validate/check',
method='GET',
query_string=urlencode({
"user": "******",
"realm": self.realm1,
"pass": pin})):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
detail = json.loads(res.data).get("detail")
self.assertTrue(result.get("status") is True, result)
self.assertTrue(result.get("value") is False, result)
transaction_id = detail.get("transaction_id")
image_url = detail.get("attributes").get("value")
self.assertTrue(image_url.startswith("tiqrauth"))
# u'tiqrauth://[email protected]
# /12335970131032896263/e0fac7bb2e3ea4219ead'
# session = 12335970131032896263
# challenge = e0fac7bb2e3ea4219ead
r = image_url.split("/")
session = r[3]
challenge = r[4]
ocrasuite = token.get_tokeninfo("ocrasuite")
ocra_object = OCRA(ocrasuite, key=binascii.unhexlify(KEY20))
# Calculate Response with the challenge.
response = ocra_object.get_response(challenge)
# First, send a wrong response
req.all_data = {"response": "12345",
"userId": "cornelius_%s" % self.realm1,
"sessionKey": session,
"operation": "login"}
r = TiqrTokenClass.api_endpoint(req, g)
self.assertEqual(r[0], "text")
self.assertEqual(r[1], "INVALID_RESPONSE")
# Send the correct response
req.all_data = {"response": response,
"userId": "cornelius_%s" % self.realm1,
"sessionKey": session,
"operation": "login"}
r = TiqrTokenClass.api_endpoint(req, g)
self.assertEqual(r[0], "text")
self.assertEqual(r[1], "OK")
# Send the same response a second time would not work
# since the Challenge is marked as answered
req.all_data = {"response": response,
"userId": "cornelius_%s" % self.realm1,
"sessionKey": session,
"operation": "login"}
r = TiqrTokenClass.api_endpoint(req, g)
self.assertEqual(r[0], "text")
self.assertEqual(r[1], "INVALID_CHALLENGE")
# Finally we check the OTP status:
r = token.check_challenge_response(options={"transaction_id":
transaction_id})
self.assertTrue(r > 0, r)
# Check the same challenge again. It will fail, since the
# challenge was deleted from the database
r = token.check_challenge_response(options={"transaction_id":
transaction_id})
self.assertTrue(r < 0, r)
def test_09_pin_policies(self):
g.logged_in_user = {"username": "******",
"role": "user"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
# Set a policy that defines PIN policy
set_policy(name="pol1",
scope=SCOPE.USER,
action="{0!s}={1!s},{2!s}={3!s},{4!s}={5!s}".format(ACTION.OTPPINMAXLEN, "10",
ACTION.OTPPINMINLEN, "4",
ACTION.OTPPINCONTENTS, "cn"))
g.policy_object = PolicyClass()
req.all_data = {
"user": "******",
"realm": "home"}
# The minimum OTP length is 4
self.assertRaises(PolicyError, check_otp_pin, req)
req.all_data = {
"user": "******",
"realm": "home",
"pin": "12345566890012"}
# Fail maximum OTP length
self.assertRaises(PolicyError, check_otp_pin, req)
req.all_data = {
"user": "******",
"realm": "home",
"pin": "123456"}
# Good OTP length, but missing character A-Z
self.assertRaises(PolicyError, check_otp_pin, req)
req.all_data = {
"user": "******",
"realm": "home",
"pin": "abc123"}
# Good length and good contents
self.assertTrue(check_otp_pin(req))
# A token that does not use pins is ignored.
init_token({"type": "certificate",
"serial": "certificate"})
req.all_data = {"serial": "certificate",
"realm": "somerealm",
"user": "******",
"pin": ""}
self.assertTrue(check_otp_pin(req))
init_token({"type": "sshkey",
"serial": "sshkey",
"sshkey": SSHKEY})
req.all_data = {"serial": "sshkey",
"realm": "somerealm",
"user": "******",
"pin": ""}
self.assertTrue(check_otp_pin(req))
# finally delete policy
delete_policy("pol1")
def test_01_check_token_action(self):
g.logged_in_user = {"username": "******",
"role": "admin"}
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
req = Request(env)
req.all_data = {"serial": "SomeSerial"}
# Set a policy, that does allow the action
set_policy(name="pol1",
scope=SCOPE.ADMIN,
action="enable", client="10.0.0.0/8")
g.policy_object = PolicyClass()
# Action enable is cool
r = check_base_action(request=req, action="enable")
self.assertTrue(r)
# Another action - like "disable" - is not allowed
# An exception is
self.assertRaises(PolicyError,
check_base_action, req, "disable")
# Action delete is not allowed
self.assertRaises(PolicyError,
check_base_action, req, "delete")
# check action with a token realm
set_policy(name="pol1",
scope=SCOPE.ADMIN,
action="enable", client="10.0.0.0/8",
realm="realm1")
set_policy(name="pol2",
scope=SCOPE.ADMIN,
action="*", client="10.0.0.0/8",
realm="realm2")
g.policy_object = PolicyClass()
# set a polrealm1 and a polrealm2
# setup realm1
self.setUp_user_realms()
# setup realm2
self.setUp_user_realm2()
tokenobject = init_token({"serial": "POL001", "type": "hotp",
"otpkey": "1234567890123456"})
r = set_realms("POL001", [self.realm1])
tokenobject = init_token({"serial": "POL002", "type": "hotp",
"otpkey": "1234567890123456"})
r = set_realms("POL002", [self.realm2])
# Token in realm1 can not be deleted
req.all_data = {"serial": "POL001"}
self.assertRaises(PolicyError,
check_base_action, req, "delete")
# while token in realm2 can be deleted
req.all_data = {"serial": "POL002"}
r = check_base_action(req, action="delete")
self.assertTrue(r)
# A normal user can "disable", since no user policies are defined.
g.logged_in_user = {"username": "******",
"role": "user"}
r = check_base_action(req, "disable")
self.assertTrue(r)
delete_policy("pol1")
delete_policy("pol2")
remove_token("POL001")
remove_token("POL002")
