def test_lar_case_sensitive_resolver_names(app):
admin_realm_name = app.config["ADMIN_REALM_NAME"]
admin_resolvers_key = f"useridresolver.group.{admin_realm_name}"
admin_resolvers = getFromConfig(admin_resolvers_key, "")
lar = LocalAdminResolver(app)
# Replace the local admin resolver name in the realm with a
# name that is the same but in uppercase. If we then try to
# re-add the original local admin resolver using the officially
# approved `.add_to_admin_realm()` method, it should show
# up if names are compared case-sensitively.
prefix, _, name = admin_resolvers.rpartition(".")
new_name = f"{prefix}.{name.upper()}"
set_config(
key=admin_resolvers_key,
value=new_name,
typ="text",
description="None",
update=True,
)
db.session.commit()
refreshConfig() # force config reload
lar.add_to_admin_realm()
refreshConfig() # force config reload
new_admin_resolvers = getFromConfig(admin_resolvers_key, "")
assert (
new_admin_resolvers == admin_resolvers + "," +
new_name), "local admin resolver name comparison is not case-sensitive"
def test_local_admins_enable_command(app, runner, resolver, res_list):
# Forcibly remove the resolver from the admin realm.
admin_realm_name = app.config["ADMIN_REALM_NAME"].lower()
admin_resolvers_key = f"useridresolver.group.{admin_realm_name}"
set_config(
key=admin_resolvers_key,
value=res_list,
typ="text",
description="None",
)
resolver.session.commit()
# Try to re-add it using the enable command.
result = runner.invoke(cli_main, ["local-admins", "enable"])
assert result.exit_code == 0
# See whether it is there now.
admin_resolvers = getFromConfig(admin_resolvers_key, "")
if admin_resolvers:
first_resolver = admin_resolvers.split(",")[0].strip()
assert (
first_resolver
== "useridresolver.SQLIdResolver.IdResolver."
+ resolver.admin_resolver_name
)
else:
assert False, "still no resolvers in admin realm"
def create_admin_resolver(admin_resolver_name):
"""create the default managed admin resolver
to ease the programming, we work on an sql query result
"""
entries = [
("sqlresolver.Connect.admin_resolver", "", "text", "None"),
("sqlresolver.conParams.admin_resolver", "", "text", "None"),
("sqlresolver.Database.admin_resolver", "", "text", "None"),
("sqlresolver.Driver.admin_resolver", "", "text", "None"),
("sqlresolver.Encoding.admin_resolver", "utf-8", "text", "None"),
("sqlresolver.Limit.admin_resolver", "1000", "int", "None"),
(
"sqlresolver.Map.admin_resolver",
'{"userid": "userid", "username": "******", "phone": "phone", "mobile": "mobile", "email": "email", "surname": "surname", "givenname": "givenname", "password": "******", "groupid": "groupid"}',
"text",
"None",
),
(
"sqlresolver.Password.admin_resolver",
"a31b6178b78637d5e4fa5fb5f19d5493:599e786159a3f544d1bb0d810830587d",
"encrypted_data",
"None",
),
("sqlresolver.Port.admin_resolver", "", "text", "None"),
("sqlresolver.readonly.admin_resolver", "True", "boolean", "None"),
("sqlresolver.Server.admin_resolver", "", "text", "None"),
("sqlresolver.Table.admin_resolver", "imported_user", "text", "None"),
("sqlresolver.User.admin_resolver", "", "text", "None"),
(
"sqlresolver.Where.admin_resolver",
"groupid = 'admin_resolver'",
"text",
"None",
),
]
for key, value, typ, description in entries:
key = key.replace("admin_resolver", admin_resolver_name)
value = value.replace("admin_resolver", admin_resolver_name)
# as this is a managed resolver, we can replace the data type as the
# encrypted value is never used
if typ.strip() == "encrypted_data":
typ = "text"
set_config(
key=key,
value=value,
typ=typ,
description=description,
)
def create_admin_realm(admin_realm_name, admin_resolver_name):
"""
create the default managed admin realm
"""
admin_realm_name = admin_realm_name.lower()
set_config(
key=f"useridresolver.group.{admin_realm_name}",
value=(
f"useridresolver.SQLIdResolver.IdResolver.{admin_resolver_name}"),
typ="text",
description="None",
)
if not Realm.query.filter_by(name=admin_realm_name).count():
admin_realm = Realm(admin_realm_name)
admin_realm.storeRealm()
def add_to_admin_realm(self) -> None:
"""Checks whether the resolver is part of the admin realm and adds it
if necessary. This may be needed if the user adds a different resolver
to the admin realm and then removes this one. (This resolver cannot
be deleted outright, but it can be removed from the admin realm.)
We assume that the admin realm itself exists already, or, more
precisely, LinOTP doesn't care if you add a resolver to a realm that
doesn't exist.
"""
admin_resolver_name = ("useridresolver.SQLIdResolver.IdResolver."
f"{self.admin_resolver_name}")
# Check magic config database entry for the list of resolvers
# in the admin realm.
admin_resolvers_key = f"useridresolver.group.{self.admin_realm_name}"
admin_resolvers = getFromConfig(admin_resolvers_key, "")
if admin_resolvers: # Avoid splitting an empty string
for name in admin_resolvers.split(","):
if name.strip() == admin_resolver_name:
return # Resolver is in realm, we're done here
# If we get here, the `admin_resolver_name` doesn't occur in
# the list of resolvers associated with the admin realm, so we
# add it and write the list back to the database. (We're
# deliberately sticking it in front so broken resolvers after
# it don't cause problems when trying to find users in this
# one.)
admin_resolvers_new = admin_resolver_name
if admin_resolvers:
admin_resolvers_new += "," + admin_resolvers
set_config(
key=admin_resolvers_key,
value=admin_resolvers_new,
typ="text",
description="None",
update=True,
)
self.session.commit()
def set_defaults(app):
"""
add linotp default config settings
:return: - nothing -
"""
app.logger.info("Adding config default data...")
is_upgrade = Config.query.filter_by(Key="Config").count() != 0
if is_upgrade:
# if it is an upgrade and no welcome screen was shown before,
# make sure an upgrade screen is shown
set_config(key="welcome_screen.version", value="0", typ="text")
set_config(key="welcome_screen.last_shown", value="0", typ="text")
set_config(key="welcome_screen.opt_out", value="false", typ="text")
else:
# we have a fresh new database, so we add some new defaults
admin_realm_name = app.config["ADMIN_REALM_NAME"]
admin_resolver_name = app.config["ADMIN_RESOLVER_NAME"]
create_admin_resolver(admin_resolver_name)
create_admin_realm(admin_realm_name, admin_resolver_name)
set_config(
key="NewPolicyEvaluation",
value="True",
typ="boolean",
description="use the new policy engine",
)
set_config(
key="NewPolicyEvaluation.compare",
value="False",
typ="boolean",
description=("compare the new policy engine with the old one"),
)
set_config(
key="DefaultMaxFailCount",
value="10",
typ="int",
description=("The default maximum count for unsuccessful logins"),
)
set_config(
key="DefaultCountWindow",
value="10",
typ="int",
description=("The default lookup window for tokens out of sync "),
)
set_config(
key="DefaultSyncWindow",
value="1000",
typ="int",
description=("The default lookup window for tokens out of sync "),
)
set_config(
key="DefaultChallengeValidityTime",
value="120",
typ="int",
description=("The default time, a challenge is regarded as valid."),
)
set_config(
key="DefaultResetFailCount",
value="True",
typ="bool",
description="The default maximum count for unsucessful logins",
)
set_config(
key="DefaultOtpLen",
value="6",
typ="int",
description="The default len of the otp values",
)
set_config(
key="QRTokenOtpLen",
value="8",
typ="int",
description="The default len of the otp values",
)
set_config(
key="QRChallengeValidityTime",
value="150",
typ="int",
description=(
"The default qrtoken time, a challenge is regarded as valid."),
)
set_config(
key="QRMaxChallenges",
value="4",
typ="int",
description="Maximum open QRToken challenges",
)
set_config(
key="PushChallengeValidityTime",
value="150",
typ="int",
description=(
"The pushtoken default time, a challenge is regarded as valid."),
)
set_config(
key="PushMaxChallenges",
value="4",
typ="int",
description="Maximum open pushtoken challenges",
)
set_config(
key="PrependPin",
value="True",
typ="bool",
description="is the pin prepended - most cases",
)
set_config(
key="FailCounterIncOnFalsePin",
value="True",
typ="bool",
description="increment the FailCounter, if pin did not match",
)
set_config(
key="SMSProvider",
value="smsprovider.HttpSMSProvider.HttpSMSProvider",
typ="text",
description="SMS Default Provider via HTTP",
)
set_config(
key="SMSProviderTimeout",
value="300",
typ="int",
description="Timeout until registration must be done",
)
set_config(
key="SMSBlockingTimeout",
value="30",
typ="int",
description="Delay until next challenge is created",
)
set_config(
key="DefaultBlockingTimeout",
value="0",
typ="int",
description="Delay until next challenge is created",
)
# setup for totp defaults
# "linotp.totp.timeStep";"60";"None";"None"
# "linotp.totp.timeWindow";"600";"None";"None"
# "linotp.totp.timeShift";"240";"None";"None"
set_config(
key="totp.timeStep",
value="30",
typ="int",
description="Time stepping of the time based otp token ",
)
set_config(
key="totp.timeWindow",
value="300",
typ="int",
description=("Lookahead time window of the time based otp token "),
)
set_config(
key="totp.timeShift",
value="0",
typ="int",
description="Shift between server and totp token",
)
set_config(
key="AutoResyncTimeout",
value="240",
typ="int",
description="Autosync timeout for an totp token",
)
# emailtoken defaults
set_config(
key="EmailProvider",
value="linotp.provider.emailprovider.SMTPEmailProvider",
typ="string",
description="Default EmailProvider class",
)
set_config(
key="EmailChallengeValidityTime",
value="600",
typ="int",
description=(
"Time that an e-mail token challenge stays valid (seconds)"),
)
set_config(
key="EmailBlockingTimeout",
value="120",
typ="int",
description="Time during which no new e-mail is sent out",
)
set_config(
key="OATHTokenSupport",
value="False",
typ="bool",
description="support for hmac token in oath format",
)
# use the system certificate handling, especially for ldaps
set_config(
key="certificates.use_system_certificates",
value="False",
typ="bool",
description="use system certificate handling",
)
set_config(
key="user_lookup_cache.enabled",
value="False",
typ="bool",
description="enable user loookup caching",
)
set_config(
key="resolver_lookup_cache.enabled",
value="False",
typ="bool",
description="enable realm resolver caching",
)
set_config(
key="user_lookup_cache.expiration",
value="64800",
typ="int",
description="expiration of user caching entries",
)
set_config(
key="resolver_lookup_cache.expiration",
value="64800",
typ="int",
description="expiration of resolver caching entries",
)