def test_05_get_default_settings(self): params = {} g = FakeFlaskG() g.audit_object = FakeAudit() # trusted path for a user g.logged_in_user = {"user": "******", "realm": "default", "role": "user"} set_policy("pol1", scope=SCOPE.USER, action="{0!s}=tests/testdata/attestation/".format( ACTION.TRUSTED_CA_PATH)) g.policy_object = PolicyClass() p = CertificateTokenClass.get_default_settings(g, params) self.assertEqual(["tests/testdata/attestation/"], p.get(ACTION.TRUSTED_CA_PATH)) delete_policy("pol1") # the same should work for an admin user g.logged_in_user = {"user": "******", "realm": "super", "role": "admin"} set_policy("pol1", scope=SCOPE.ADMIN, action="{0!s}=tests/testdata/attestation/".format( ACTION.TRUSTED_CA_PATH)) g.policy_object = PolicyClass() p = CertificateTokenClass.get_default_settings(g, params) self.assertEqual(["tests/testdata/attestation/"], p.get(ACTION.TRUSTED_CA_PATH)) delete_policy("pol1") # If we have no policy, we revert to default g.policy_object = PolicyClass() p = CertificateTokenClass.get_default_settings(g, params) self.assertEqual(["/etc/privacyidea/trusted_attestation_ca"], p.get(ACTION.TRUSTED_CA_PATH))
def test_03_class_methods(self): db_token = Token.query.filter(Token.serial == self.serial1).first() token = CertificateTokenClass(db_token) info = token.get_class_info() self.assertTrue(info.get("title") == "Certificate Token", info) info = token.get_class_info("title") self.assertTrue(info == "Certificate Token", info)
def test_03_class_methods(self): db_token = Token.query.filter(Token.serial == self.serial1).first() token = CertificateTokenClass(db_token) info = token.get_class_info() self.assertTrue(info.get("title") == "Certificate Token", info) info = token.get_class_info("title") self.assertTrue(info == "Certificate Token", info)
def test_02a_fail_request_with_attestation(self): cwd = os.getcwd() # setup ca connector r = save_caconnector({ "cakey": CAKEY, "cacert": CACERT, "type": "local", "caconnector": "localCA", "openssl.cnf": OPENSSLCNF, "CSRDir": "", "CertificateDir": "", "WorkingDir": cwd + "/" + WORKINGDIR }) db_token = Token(self.serial2, tokentype="certificate") db_token.save() token = CertificateTokenClass(db_token) # A cert request will fail, since the attestation certificate does not match self.assertRaises(privacyIDEAError, token.update, { "ca": "localCA", "attestation": BOGUS_ATTESTATION, "request": REQUEST }) remove_token(self.serial2)
def test_02_create_token_from_request(self): cwd = os.getcwd() # setup ca connector r = save_caconnector({ "cakey": CAKEY, "cacert": CACERT, "type": "local", "caconnector": "localCA", "openssl.cnf": OPENSSLCNF, "CSRDir": "", "CertificateDir": "", "WorkingDir": cwd + "/" + WORKINGDIR }) db_token = Token(self.serial2, tokentype="certificate") db_token.save() token = CertificateTokenClass(db_token) # just upload a ready certificate token.update({"ca": "localCA", "request": REQUEST}) self.assertTrue(token.token.serial == self.serial2, token) self.assertTrue(token.token.tokentype == "certificate", token.token.tokentype) self.assertTrue(token.type == "certificate", token) class_prefix = token.get_class_prefix() self.assertTrue(class_prefix == "CRT", class_prefix) self.assertTrue(token.get_class_type() == "certificate", token) detail = token.get_init_detail() certificate = detail.get("certificate") # At each testrun, the certificate might get another serial number! x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate) self.assertEqual( "{0!r}".format(x509obj.get_issuer()), "<X509Name object '/C=DE/ST=Hessen" "/O=privacyidea/CN=CA001'>") self.assertEqual( "{0!r}".format(x509obj.get_subject()), "<X509Name object '/C=DE/ST=Hessen" "/O=privacyidea/CN=requester.localdomain'>") # Test, if the certificate is also completely stored in the tokeninfo # and if we can retrieve it from the tokeninfo token = get_tokens(serial=self.serial2)[0] certificate = token.get_tokeninfo("certificate") x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate) self.assertEqual( "{0!r}".format(x509obj.get_issuer()), "<X509Name object '/C=DE/ST=Hessen" "/O=privacyidea/CN=CA001'>") self.assertEqual( "{0!r}".format(x509obj.get_subject()), "<X509Name object '/C=DE/ST=Hessen" "/O=privacyidea/CN=requester.localdomain'>") remove_token(self.serial2)
def test_04_create_token_on_server(self): self.setUp_user_realms() cwd = os.getcwd() # setup ca connector r = save_caconnector({"cakey": CAKEY, "cacert": CACERT, "type": "local", "caconnector": "localCA", "openssl.cnf": OPENSSLCNF, "CSRDir": "", "CertificateDir": "", "WorkingDir": cwd + "/" + WORKINGDIR}) db_token = Token(self.serial3, tokentype="certificate") db_token.save() token = CertificateTokenClass(db_token) # missing user self.assertRaises(ParameterError, token.update, {"ca": "localCA","genkey": 1}) token.update({"ca": "localCA", "genkey": 1, "user": "******"}) self.assertEqual(token.token.serial, self.serial3) self.assertEqual(token.token.tokentype, "certificate") self.assertEqual(token.type, "certificate") detail = token.get_init_detail() certificate = detail.get("certificate") # At each testrun, the certificate might get another serial number! x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate) self.assertEqual("{0!r}".format(x509obj.get_issuer()), "<X509Name object '/C=DE/ST=Hessen" "/O=privacyidea/CN=CA001'>") self.assertEqual("{0!r}".format(x509obj.get_subject()), "<X509Name object '/OU=realm1/CN=cornelius/[email protected]'>") # Test, if the certificate is also completely stored in the tokeninfo # and if we can retrieve it from the tokeninfo token = get_tokens(serial=self.serial3)[0] certificate = token.get_tokeninfo("certificate") x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate) self.assertEqual("{0!r}".format(x509obj.get_issuer()), "<X509Name object '/C=DE/ST=Hessen" "/O=privacyidea/CN=CA001'>") self.assertEqual("{0!r}".format(x509obj.get_subject()), "<X509Name object '/OU=realm1/CN=cornelius/[email protected]'>") privatekey = token.get_tokeninfo("privatekey") self.assertTrue(privatekey.startswith("-----BEGIN PRIVATE KEY-----")) # check for pkcs12 self.assertTrue(detail.get("pkcs12")) # revoke the token r = token.revoke() self.assertEqual(r, int_to_hex(x509obj.get_serial_number()))
def test_04_create_token_on_server(self): self.setUp_user_realms() cwd = os.getcwd() # setup ca connector r = save_caconnector({"cakey": CAKEY, "cacert": CACERT, "type": "local", "caconnector": "localCA", "openssl.cnf": OPENSSLCNF, "CSRDir": "", "CertificateDir": "", "WorkingDir": cwd + "/" + WORKINGDIR}) db_token = Token(self.serial3, tokentype="certificate") db_token.save() token = CertificateTokenClass(db_token) # missing user self.assertRaises(ParameterError, token.update, {"ca": "localCA","genkey": 1}) token.update({"ca": "localCA", "genkey": 1, "user": "******"}) self.assertEqual(token.token.serial, self.serial3) self.assertEqual(token.token.tokentype, "certificate") self.assertEqual(token.type, "certificate") detail = token.get_init_detail() certificate = detail.get("certificate") # At each testrun, the certificate might get another serial number! x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate) self.assertEqual("{0!r}".format(x509obj.get_issuer()), "<X509Name object '/C=DE/ST=Hessen" "/O=privacyidea/CN=CA001'>") self.assertEqual("{0!r}".format(x509obj.get_subject()), "<X509Name object '/OU=realm1/CN=cornelius/[email protected]'>") # Test, if the certificate is also completely stored in the tokeninfo # and if we can retrieve it from the tokeninfo token = get_tokens(serial=self.serial3)[0] certificate = token.get_tokeninfo("certificate") x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate) self.assertEqual("{0!r}".format(x509obj.get_issuer()), "<X509Name object '/C=DE/ST=Hessen" "/O=privacyidea/CN=CA001'>") self.assertEqual("{0!r}".format(x509obj.get_subject()), "<X509Name object '/OU=realm1/CN=cornelius/[email protected]'>") privatekey = token.get_tokeninfo("privatekey") self.assertTrue(privatekey.startswith("-----BEGIN PRIVATE KEY-----")) # check for pkcs12 self.assertTrue(detail.get("pkcs12"))
def test_02_create_token_from_request(self): cwd = os.getcwd() # setup ca connector r = save_caconnector({"cakey": CAKEY, "cacert": CACERT, "type": "local", "caconnector": "localCA", "openssl.cnf": OPENSSLCNF, "CSRDir": "", "CertificateDir": "", "WorkingDir": cwd + "/" + WORKINGDIR}) db_token = Token(self.serial2, tokentype="certificate") db_token.save() token = CertificateTokenClass(db_token) # just upload a ready certificate token.update({"ca": "localCA", "request": REQUEST}) self.assertTrue(token.token.serial == self.serial2, token) self.assertTrue(token.token.tokentype == "certificate", token.token.tokentype) self.assertTrue(token.type == "certificate", token) class_prefix = token.get_class_prefix() self.assertTrue(class_prefix == "CRT", class_prefix) self.assertTrue(token.get_class_type() == "certificate", token) detail = token.get_init_detail() certificate = detail.get("certificate") # At each testrun, the certificate might get another serial number! x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate) self.assertEqual("{0!r}".format(x509obj.get_issuer()), "<X509Name object '/C=DE/ST=Hessen" "/O=privacyidea/CN=CA001'>") self.assertEqual("{0!r}".format(x509obj.get_subject()), "<X509Name object '/C=DE/ST=Hessen" "/O=privacyidea/CN=requester.localdomain'>") # Test, if the certificate is also completely stored in the tokeninfo # and if we can retrieve it from the tokeninfo token = get_tokens(serial=self.serial2)[0] certificate = token.get_tokeninfo("certificate") x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate) self.assertEqual("{0!r}".format(x509obj.get_issuer()), "<X509Name object '/C=DE/ST=Hessen" "/O=privacyidea/CN=CA001'>") self.assertEqual("{0!r}".format(x509obj.get_subject()), "<X509Name object '/C=DE/ST=Hessen" "/O=privacyidea/CN=requester.localdomain'>")
def test_01_create_token_from_certificate(self): db_token = Token(self.serial1, tokentype="certificate") db_token.save() token = CertificateTokenClass(db_token) # just upload a ready certificate token.update({"certificate": CERT}) self.assertTrue(token.token.serial == self.serial1, token) self.assertTrue(token.token.tokentype == "certificate", token.token.tokentype) self.assertTrue(token.type == "certificate", token) class_prefix = token.get_class_prefix() self.assertTrue(class_prefix == "CRT", class_prefix) self.assertEqual(token.get_class_type(), "certificate") detail = token.get_init_detail() self.assertEqual(detail.get("certificate"), CERT)
def test_01_create_token_from_certificate(self): db_token = Token(self.serial1, tokentype="certificate") db_token.save() token = CertificateTokenClass(db_token) # just upload a ready certificate token.update({"certificate": CERT}) self.assertTrue(token.token.serial == self.serial1, token) self.assertTrue(token.token.tokentype == "certificate", token.token.tokentype) self.assertTrue(token.type == "certificate", token) class_prefix = token.get_class_prefix() self.assertTrue(class_prefix == "CRT", class_prefix) self.assertEqual(token.get_class_type(), "certificate") detail = token.get_init_detail() self.assertEqual(detail.get("certificate"), CERT)
def test_02b_success_request_with_attestation(self): cwd = os.getcwd() # setup ca connector r = save_caconnector({ "cakey": CAKEY, "cacert": CACERT, "type": "local", "caconnector": "localCA", "openssl.cnf": OPENSSLCNF, "CSRDir": "", "CertificateDir": "", "WorkingDir": cwd + "/" + WORKINGDIR }) db_token = Token(self.serial2, tokentype="certificate") db_token.save() token = CertificateTokenClass(db_token) # The cert request will success with a valid attestation certificate token.update({ "ca": "localCA", "attestation": YUBIKEY_ATTEST, "request": YUBIKEY_CSR, ACTION.TRUSTED_CA_PATH: ["tests/testdata/attestation/"] }) class_prefix = token.get_class_prefix() self.assertTrue(class_prefix == "CRT", class_prefix) self.assertTrue(token.get_class_type() == "certificate", token) detail = token.get_init_detail() certificate = detail.get("certificate") # At each testrun, the certificate might get another serial number! x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate) self.assertEqual( "{0!r}".format(x509obj.get_issuer()), "<X509Name object '/C=DE/ST=Hessen" "/O=privacyidea/CN=CA001'>") self.assertEqual("{0!r}".format(x509obj.get_subject()), "<X509Name object '/CN=cn=cornelius'>") remove_token(self.serial2)