def test_01_create_simple_policy(self):
p = set_policy(name="pol1", action="read", scope="system")
self.assertTrue(p > 0)
p = set_policy(name="pol2", action="tokentype=HOTP", scope=SCOPE.AUTHZ)
self.assertTrue(p > 0)
p = set_policy(name="pol3", action="serial=OATH", scope=SCOPE.AUTHZ)
self.assertTrue(p > 0)
p = set_policy(name="pol4", action="enroll, init, disable , enable", scope="admin")
self.assertTrue(p > 0)
P = PolicyClass()
policies = P.get_policies(name="pol3")
# only one policy found
self.assertTrue(len(policies) == 1, len(policies))
policies = P.get_policies(scope=SCOPE.AUTHZ)
self.assertTrue(len(policies) == 2, len(policies))
policies = P.get_policies(scope=SCOPE.AUTHZ, action="tokentype")
self.assertTrue(len(policies) == 1, len(policies))
policies = P.get_policies(scope="admin", action="disable")
self.assertTrue(len(policies) == 1, len(policies))
self.assertTrue(policies[0].get("name") == "pol4")
def test_11_import_policy(self):
with self.app.test_request_context('/policy/import/policy.cfg',
method='POST',
data=dict(file=(POLICYFILE,
'policy.cfg')),
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result["status"] is True, result)
self.assertTrue(result["value"] == 2, result)
# check if policies are there
P = PolicyClass()
p1 = P.get_policies(name="importpol1")
self.assertTrue(len(p1) == 1, p1)
p2 = P.get_policies(name="importpol2")
self.assertTrue(len(p2) == 1, p2)
# import empty file
with self.app.test_request_context(
"/policy/import/"
"policy_empty_file.cfg",
method='POST',
data=dict(file=(POLICYEMPTY, "policy_empty_file.cfg")),
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 400, res)
def test_11_import_policy(self):
with self.app.test_request_context('/policy/import/policy.cfg',
method='POST',
data=dict(file=(POLICYFILE,
'policy.cfg')),
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result["status"] is True, result)
self.assertTrue(result["value"] == 2, result)
# check if policies are there
P = PolicyClass()
p1 = P.get_policies(name="importpol1")
self.assertTrue(len(p1) == 1, p1)
p2 = P.get_policies(name="importpol2")
self.assertTrue(len(p2) == 1, p2)
# import empty file
with self.app.test_request_context("/policy/import/"
"policy_empty_file.cfg",
method='POST',
data=dict(file=(POLICYEMPTY,
"policy_empty_file.cfg")),
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 400, res)
def test_08_user_policies(self):
set_policy(name="pol1", scope="s", user="******")
set_policy(name="pol2", scope="s", user="******")
set_policy(name="pol3", scope="s", user="******")
set_policy(name="pol4", scope="s", user="******")
# get policies for user1
P = PolicyClass()
p = P.get_policies(user="******")
self.assertTrue(len(p) == 3, (len(p), p))
self.assertTrue(_check_policy_name("pol1", p), p)
self.assertTrue(_check_policy_name("pol2", p), p)
self.assertFalse(_check_policy_name("pol3", p), p)
self.assertTrue(_check_policy_name("pol4", p), p)
# get policies for root
p = P.get_policies(user="******")
self.assertTrue(len(p) == 3, p)
self.assertTrue(_check_policy_name("pol1", p), p)
self.assertTrue(_check_policy_name("pol2", p), p)
self.assertTrue(_check_policy_name("pol3", p), p)
self.assertFalse(_check_policy_name("pol4", p), p)
# get policies for admin
p = P.get_policies(user="******")
self.assertTrue(len(p) == 4, p)
self.assertTrue(_check_policy_name("pol1", p), p)
self.assertTrue(_check_policy_name("pol2", p), p)
self.assertTrue(_check_policy_name("pol3", p), p)
self.assertTrue(_check_policy_name("pol4", p), p)
def test_01_create_simple_policy(self):
p = set_policy(name="pol1", action="read", scope="system")
self.assertTrue(p > 0)
p = set_policy(name="pol2", action="tokentype=HOTP", scope=SCOPE.AUTHZ)
self.assertTrue(p > 0)
p = set_policy(name="pol3", action="serial=OATH", scope=SCOPE.AUTHZ)
self.assertTrue(p > 0)
p = set_policy(name="pol4",
action="enroll, init, disable , enable",
scope="admin")
self.assertTrue(p > 0)
P = PolicyClass()
policies = P.get_policies(name="pol3")
# only one policy found
self.assertTrue(len(policies) == 1, len(policies))
policies = P.get_policies(scope=SCOPE.AUTHZ)
self.assertTrue(len(policies) == 2, len(policies))
policies = P.get_policies(scope=SCOPE.AUTHZ, action="tokentype")
self.assertTrue(len(policies) == 1, len(policies))
policies = P.get_policies(scope="admin", action="disable")
self.assertTrue(len(policies) == 1, len(policies))
self.assertTrue(policies[0].get("name") == "pol4")
def test_09_realm_resolver_policy(self):
set_policy(name="pol1", scope="s", realm="r1")
set_policy(name="pol2", scope="s", realm="r1", resolver="reso1")
set_policy(name="pol3", scope="s", realm="", resolver="reso2")
set_policy(name="pol4", scope="s", realm="r2", active=True)
P = PolicyClass()
p = P.get_policies(realm="r1")
self.assertTrue(len(p) == 3, p)
self.assertTrue(_check_policy_name("pol1", p), p)
self.assertTrue(_check_policy_name("pol2", p), p)
self.assertTrue(_check_policy_name("pol3", p), p)
self.assertFalse(_check_policy_name("pol4", p), p)
p = P.get_policies(realm="r2")
self.assertTrue(len(p) == 2, p)
self.assertFalse(_check_policy_name("pol1", p), p)
self.assertFalse(_check_policy_name("pol2", p), p)
self.assertTrue(_check_policy_name("pol3", p), p)
self.assertTrue(_check_policy_name("pol4", p), p)
p = P.get_policies(resolver="reso1")
self.assertEqual(len(p), 3)
self.assertTrue(_check_policy_name("pol1", p), p)
self.assertTrue(_check_policy_name("pol2", p), p)
self.assertFalse(_check_policy_name("pol3", p), p)
self.assertTrue(_check_policy_name("pol4", p), p)
p = P.get_policies(resolver="reso2")
self.assertTrue(len(p) == 3, p)
self.assertTrue(_check_policy_name("pol1", p), p)
self.assertFalse(_check_policy_name("pol2", p), p)
self.assertTrue(_check_policy_name("pol3", p), p)
self.assertTrue(_check_policy_name("pol4", p), p)
def test_07_client_policies(self):
delete_policy(name="pol2a")
set_policy(name="pol1", scope="s", client="172.16.0.3, 172.16.0.4/24")
set_policy(name="pol2", scope="s", client="192.168.0.0/16, "
"-192.168.1.1")
set_policy(name="pol3", scope="s", client="10.0.0.1, 10.0.0.2, "
"10.0.0.3")
set_policy(name="pol4", scope="s")
# One policy with matching client, one without any clients
P = PolicyClass()
p = P.get_policies(client="10.0.0.1")
self.assertTrue(_check_policy_name("pol3", p), p)
self.assertTrue(_check_policy_name("pol4", p), p)
self.assertTrue(len(p) == 2, p)
# client matches pol4 and pol2
p = P.get_policies(client="192.168.2.3")
self.assertTrue(_check_policy_name("pol2", p), p)
self.assertTrue(_check_policy_name("pol4", p), p)
self.assertTrue(len(p) == 2, p)
# client only matches pol4, since it is excluded in pol2
p = P.get_policies(client="192.168.1.1")
self.assertTrue(_check_policy_name("pol4", p), p)
self.assertTrue(len(p) == 1, p)
def test_07_client_policies(self):
delete_policy(name="pol2a")
set_policy(name="pol1", scope="s", client="172.16.0.3, 172.16.0.4/24")
set_policy(name="pol2",
scope="s",
client="192.168.0.0/16, "
"-192.168.1.1")
set_policy(name="pol3",
scope="s",
client="10.0.0.1, 10.0.0.2, "
"10.0.0.3")
set_policy(name="pol4", scope="s")
# One policy with matching client, one without any clients
P = PolicyClass()
p = P.get_policies(client="10.0.0.1")
self.assertTrue(_check_policy_name("pol3", p), p)
self.assertTrue(_check_policy_name("pol4", p), p)
self.assertTrue(len(p) == 2, p)
# client matches pol4 and pol2
p = P.get_policies(client="192.168.2.3")
self.assertTrue(_check_policy_name("pol2", p), p)
self.assertTrue(_check_policy_name("pol4", p), p)
self.assertTrue(len(p) == 2, p)
# client only matches pol4, since it is excluded in pol2
p = P.get_policies(client="192.168.1.1")
self.assertTrue(_check_policy_name("pol4", p), p)
self.assertTrue(len(p) == 1, p)
def test_08_user_policies(self):
set_policy(name="pol1", scope="s", user="******")
set_policy(name="pol2", scope="s", user="******")
set_policy(name="pol3", scope="s", user="******")
set_policy(name="pol4", scope="s", user="******")
# get policies for user1
P = PolicyClass()
p = P.get_policies(user="******")
self.assertTrue(len(p) == 3, (len(p), p))
self.assertTrue(_check_policy_name("pol1", p), p)
self.assertTrue(_check_policy_name("pol2", p), p)
self.assertFalse(_check_policy_name("pol3", p), p)
self.assertTrue(_check_policy_name("pol4", p), p)
# get policies for root
p = P.get_policies(user="******")
self.assertTrue(len(p) == 3, p)
self.assertTrue(_check_policy_name("pol1", p), p)
self.assertTrue(_check_policy_name("pol2", p), p)
self.assertTrue(_check_policy_name("pol3", p), p)
self.assertFalse(_check_policy_name("pol4", p), p)
# get policies for admin
p = P.get_policies(user="******")
self.assertTrue(len(p) == 4, p)
self.assertTrue(_check_policy_name("pol1", p), p)
self.assertTrue(_check_policy_name("pol2", p), p)
self.assertTrue(_check_policy_name("pol3", p), p)
self.assertTrue(_check_policy_name("pol4", p), p)
def test_09_realm_resolver_policy(self):
set_policy(name="pol1", scope="s", realm="r1")
set_policy(name="pol2", scope="s", realm="r1", resolver="reso1")
set_policy(name="pol3", scope="s", realm="", resolver="reso2")
set_policy(name="pol4", scope="s", realm="r2", active="true")
P = PolicyClass()
p = P.get_policies(realm="r1")
self.assertTrue(len(p) == 3, p)
self.assertTrue(_check_policy_name("pol1", p), p)
self.assertTrue(_check_policy_name("pol2", p), p)
self.assertTrue(_check_policy_name("pol3", p), p)
self.assertFalse(_check_policy_name("pol4", p), p)
p = P.get_policies(realm="r2")
self.assertTrue(len(p) == 2, p)
self.assertFalse(_check_policy_name("pol1", p), p)
self.assertFalse(_check_policy_name("pol2", p), p)
self.assertTrue(_check_policy_name("pol3", p), p)
self.assertTrue(_check_policy_name("pol4", p), p)
p = P.get_policies(resolver="reso1")
self.assertTrue(len(p) == 3, p)
self.assertTrue(_check_policy_name("pol1", p), p)
self.assertTrue(_check_policy_name("pol2", p), p)
self.assertFalse(_check_policy_name("pol3", p), p)
self.assertTrue(_check_policy_name("pol4", p), p)
p = P.get_policies(resolver="reso2")
self.assertTrue(len(p) == 3, p)
self.assertTrue(_check_policy_name("pol1", p), p)
self.assertFalse(_check_policy_name("pol2", p), p)
self.assertTrue(_check_policy_name("pol3", p), p)
self.assertTrue(_check_policy_name("pol4", p), p)
def test_22_non_ascii_user(self):
set_policy(name="polnonascii",
action="enroll, otppin=1",
user=u'nönäscii',
scope='s')
P = PolicyClass()
p = P.get_policies(action="enroll", user='******')
self.assertEqual(len(p), 0)
p = P.get_policies(action="enroll", user=u'nönäscii')
self.assertEqual(len(p), 1)
def test_22_non_ascii_user(self):
set_policy(name="polnonascii",
action="enroll, otppin=1",
user=u'nönäscii',
scope='s')
P = PolicyClass()
p = P.get_policies(action="enroll", user='******')
self.assertEqual(len(p), 0)
p = P.get_policies(action="enroll", user=u'nönäscii')
self.assertEqual(len(p), 1)
def test_05_export_policies(self):
P = PolicyClass()
policies = P.get_policies()
file = export_policies(policies)
self.assertTrue("[pol1]" in file, file)
self.assertTrue("[pol2]" in file, file)
self.assertTrue("[pol3]" in file, file)
def get_config_documentation():
"""
returns an restructured text document, that describes the complete
configuration.
"""
P = PolicyClass()
config = get_from_config()
resolvers = get_resolver_list()
realms = get_realms()
policies = P.get_policies()
admins = get_db_admins()
context = {
"system": socket.getfqdn(socket.gethostname()),
"date": datetime.datetime.now().strftime("%Y-%m-%d %H:%M"),
"systemconfig": config,
"appconfig": current_app.config,
"resolverconfig": resolvers,
"realmconfig": realms,
"policyconfig": policies,
"admins": admins
}
g.audit_object.log({"success": True})
# Three or more line breaks will be changed to two.
return re.sub("\n{3,}", "\n\n",
render_template("documentation.rst", context=context))
def get_config_documentation():
"""
returns an restructured text document, that describes the complete
configuration.
"""
P = PolicyClass()
config = get_from_config()
resolvers = get_resolver_list()
realms = get_realms()
policies = P.get_policies()
admins = get_db_admins()
context = {"system": socket.getfqdn(socket.gethostname()),
"date": datetime.datetime.now().strftime("%Y-%m-%d %H:%M"),
"systemconfig": config,
"appconfig": current_app.config,
"resolverconfig": resolvers,
"realmconfig": realms,
"policyconfig": policies,
"admins": admins}
g.audit_object.log({"success": True})
# Three or more line breaks will be changed to two.
return re.sub("\n{3,}", "\n\n", render_template("documentation.rst",
context=context))
def test_05_export_policies(self):
P = PolicyClass()
policies = P.get_policies()
file = export_policies(policies)
self.assertTrue("[pol1]" in file, file)
self.assertTrue("[pol2]" in file, file)
self.assertTrue("[pol3]" in file, file)
def test_10_action_policies(self):
set_policy(name="pol1", action="enroll, init, disable")
set_policy(name="pol2", action="enroll, otppin=1")
set_policy(name="pol3", action="*, -disable")
set_policy(name="pol4", action="*, -otppin=2")
P = PolicyClass()
p = P.get_policies(action="enroll")
self.assertTrue(len(p) == 4, (len(p), p))
p = P.get_policies(action="init")
self.assertTrue(len(p) == 3, (len(p), p))
p = P.get_policies(action="disable")
self.assertTrue(len(p) == 2, (len(p), p))
p = P.get_policies(action="otppin")
self.assertTrue(len(p) == 2, (len(p), p))
def test_10_action_policies(self):
set_policy(name="pol1", action="enroll, init, disable")
set_policy(name="pol2", action="enroll, otppin=1")
set_policy(name="pol3", action="*, -disable")
set_policy(name="pol4", action="*, -otppin=2")
P = PolicyClass()
p = P.get_policies(action="enroll")
self.assertTrue(len(p) == 4, (len(p), p))
p = P.get_policies(action="init")
self.assertTrue(len(p) == 3, (len(p), p))
p = P.get_policies(action="disable")
self.assertTrue(len(p) == 2, (len(p), p))
p = P.get_policies(action="otppin")
self.assertTrue(len(p) == 2, (len(p), p))
def test_06_import_policies(self):
P = PolicyClass()
file = export_policies(P.get_policies())
delete_policy("pol1")
delete_policy("pol2")
delete_policy("pol3")
P = PolicyClass()
policies = P.get_policies()
self.assertFalse(_check_policy_name("pol1", policies), policies)
self.assertFalse(_check_policy_name("pol2", policies), policies)
self.assertFalse(_check_policy_name("pol3", policies), policies)
# Now import the policies again
num = import_policies(file)
self.assertTrue(num == 4, num)
P = PolicyClass()
policies = P.get_policies()
self.assertTrue(_check_policy_name("pol1", policies), policies)
self.assertTrue(_check_policy_name("pol2", policies), policies)
self.assertTrue(_check_policy_name("pol3", policies), policies)
def test_18_policy_with_time(self):
set_policy(name="time1",
scope=SCOPE.AUTHZ,
action="tokentype=hotp totp, enroll",
time="Mon-Wed: 0-23:59")
tn = datetime.datetime.now()
dow = tn.isoweekday()
P = PolicyClass()
policies = P.get_policies(name="time1",
scope=SCOPE.AUTHZ,
all_times=True)
self.assertEqual(len(policies), 1)
policies = P.get_policies(name="time1", scope=SCOPE.AUTHZ)
if dow in [1, 2, 3]:
self.assertEqual(len(policies), 1)
else:
self.assertEqual(len(policies), 0)
delete_policy("time1")
def test_18_policy_with_time(self):
set_policy(name="time1", scope=SCOPE.AUTHZ,
action="tokentype=hotp totp, enroll",
time="Mon-Wed: 0-23:59")
tn = datetime.datetime.now()
dow = tn.isoweekday()
P = PolicyClass()
policies = P.get_policies(name="time1",
scope=SCOPE.AUTHZ,
all_times=True)
self.assertEqual(len(policies), 1)
policies = P.get_policies(name="time1",
scope=SCOPE.AUTHZ)
if dow in [1, 2, 3]:
self.assertEqual(len(policies), 1)
else:
self.assertEqual(len(policies), 0)
delete_policy("time1")
def test_06_import_policies(self):
P = PolicyClass()
file = export_policies(P.get_policies())
delete_policy("pol1")
delete_policy("pol2")
delete_policy("pol3")
P = PolicyClass()
policies = P.get_policies()
self.assertFalse(_check_policy_name("pol1", policies), policies)
self.assertFalse(_check_policy_name("pol2", policies), policies)
self.assertFalse(_check_policy_name("pol3", policies), policies)
# Now import the policies again
num = import_policies(file)
self.assertTrue(num == 4, num)
P = PolicyClass()
policies = P.get_policies()
self.assertTrue(_check_policy_name("pol1", policies), policies)
self.assertTrue(_check_policy_name("pol2", policies), policies)
self.assertTrue(_check_policy_name("pol3", policies), policies)
def list():
"""
list the policies
"""
P = PolicyClass()
policies = P.get_policies()
print "Active \t Name \t Scope"
print 40*"="
for policy in policies:
print("%s \t %s \t %s" % (policy.get("active"), policy.get("name"),
policy.get("scope")))
def single_page_application():
instance = request.script_root
if instance == "/":
instance = ""
# The backend URL should come from the configuration of the system.
backend_url = ""
# The default theme. We can change this later
theme = current_app.config.get("PI_CSS", DEFAULT_THEME)
# Get further customizations
customization = current_app.config.get("PI_CUSTOMIZATION",
"/static/customize/")
customization = customization.strip('/')
# TODO: we should add the CSS into PI_CUSTOMZATION/css
# Enrollment-Wizard:
# PI_CUSTOMIZATION/views/includes/token.enroll.pre.top.html
# PI_CUSTOMIZATION/views/includes/token.enroll.pre.bottom.html
# PI_CUSTOMIZATION/views/includes/token.enroll.post.top.html
# PI_CUSTOMIZATION/views/includes/token.enroll.post.bottom.html
browser_lang = request.accept_languages.best_match(["en", "de"])
# check if login with REMOTE_USER is allowed.
remote_user = ""
password_reset = False
if not hasattr(request, "all_data"):
request.all_data = {}
# Depending on displaying the realm dropdown, we fill realms or not.
policy_object = PolicyClass()
realms = ""
client_ip = request.access_route[0] if request.access_route else \
request.remote_addr
realm_dropdown = policy_object.get_policies(action=ACTION.REALMDROPDOWN,
scope=SCOPE.WEBUI,
client=client_ip)
if realm_dropdown:
realms = ",".join(get_realms().keys())
try:
if is_remote_user_allowed(request):
remote_user = request.remote_user
password_reset = is_password_reset()
hsm_ready = True
except HSMException:
hsm_ready = False
return render_template("index.html",
instance=instance,
backendUrl=backend_url,
browser_lang=browser_lang,
remote_user=remote_user,
theme=theme,
password_reset=password_reset,
hsm_ready=hsm_ready,
customization=customization,
realms=realms)
def is_password_reset():
"""
Check if password reset is allowed.
We need to check, if a user policy with password_reset exists AND if an
editable resolver exists. Otherwise password_reset does not make any sense.
:return: True or False
"""
rlist = get_resolver_list(editable=True)
log.debug("Number of editable resolvers: %s" % len(rlist))
Policy = PolicyClass()
policy_at_all = Policy.get_policies(scope=SCOPE.USER, active=True)
log.debug("Policy at all: %s" % policy_at_all)
policy_reset_pw = Policy.get_policies(scope=SCOPE.USER,
action=ACTION.PASSWORDRESET)
log.debug("Password reset policy: %s" % policy_reset_pw)
pwreset = (policy_at_all and policy_reset_pw) or not policy_at_all
log.debug("Password reset allowed via policy: %s" % pwreset)
return bool(rlist and pwreset)
def is_password_reset():
"""
Check if password reset is allowed.
We need to check, if a user policy with password_reset exists AND if an
editable resolver exists. Otherwise password_reset does not make any sense.
:return: True or False
"""
rlist = get_resolver_list(editable=True)
log.debug("Number of editable resolvers: {0!s}".format(len(rlist)))
Policy = PolicyClass()
policy_at_all = Policy.get_policies(scope=SCOPE.USER, active=True)
log.debug("Policy at all: {0!s}".format(policy_at_all))
policy_reset_pw = Policy.get_policies(scope=SCOPE.USER,
action=ACTION.PASSWORDRESET)
log.debug("Password reset policy: {0!s}".format(policy_reset_pw))
pwreset = (policy_at_all and policy_reset_pw) or not policy_at_all
log.debug("Password reset allowed via policy: {0!s}".format(pwreset))
return bool(rlist and pwreset)
def single_page_application():
instance = request.script_root
if instance == "/":
instance = ""
# The backend URL should come from the configuration of the system.
backend_url = ""
# The default theme. We can change this later
theme = current_app.config.get("PI_CSS", DEFAULT_THEME)
# Get further customizations
customization = current_app.config.get("PI_CUSTOMIZATION",
"/static/customize/")
customization = customization.strip('/')
# TODO: we should add the CSS into PI_CUSTOMZATION/css
# Enrollment-Wizard:
# PI_CUSTOMIZATION/views/includes/token.enroll.pre.top.html
# PI_CUSTOMIZATION/views/includes/token.enroll.pre.bottom.html
# PI_CUSTOMIZATION/views/includes/token.enroll.post.top.html
# PI_CUSTOMIZATION/views/includes/token.enroll.post.bottom.html
browser_lang = request.accept_languages.best_match(["en", "de"])
# check if login with REMOTE_USER is allowed.
remote_user = ""
password_reset = False
# Depending on displaying the realm dropdown, we fill realms or not.
policy_object = PolicyClass()
realms = ""
client_ip = request.access_route[0] if request.access_route else \
request.remote_addr
realm_dropdown = policy_object.get_policies(action=ACTION.REALMDROPDOWN,
scope=SCOPE.WEBUI,
client=client_ip)
if realm_dropdown:
realms = ",".join(get_realms().keys())
try:
if is_remote_user_allowed(request):
remote_user = request.remote_user
password_reset = is_password_reset()
hsm_ready = True
except HSMException:
hsm_ready = False
return render_template("index.html", instance=instance,
backendUrl=backend_url,
browser_lang=browser_lang,
remote_user=remote_user,
theme=theme,
password_reset=password_reset,
hsm_ready=hsm_ready,
customization=customization,
realms=realms)
def test_21_check_all_resolver(self):
# check_all_resolver allows to find a policy for a secondary user
# resolver.
# We create one realm "realm1" with the resolvers
# reso1 (prio 1)
# reso2 (prio 2)
# reso3 (prio 3)
# A user user@realm1 will be identified as user.reso1@realm1.
# But we will also match policies for reso2.
# no realm and resolver
r = get_realms()
self.assertEqual(r, {})
r = get_resolver_list()
self.assertEqual(r, {})
# create user realm
for reso in ["reso1", "resoX", "resoA"]:
rid = save_resolver({"resolver": reso,
"type": "passwdresolver",
"fileName": PWFILE})
self.assertTrue(rid > 0, rid)
# create a realm with reso1 being the resolver with the highest priority
(added, failed) = set_realm("realm1",
["reso1", "resoX", "resoA"],
priority={"reso1": 1,
"resoX": 2,
"resoA": 3})
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 3)
user = User(login="******",
realm="realm1")
# The user, that is created, is cornelius.reso1@realm1
user_str = "{0!s}".format(user)
self.assertEqual(user_str, "<cornelius.reso1@realm1>")
# But the user "cornelius" is also contained in other resolves in
# this realm
r = user.get_ordererd_resolvers()
self.assertEqual(r, ["reso1", "resoX", "resoA"])
self.assertFalse(user.is_empty())
self.assertTrue(User().is_empty())
# define a policy with the wrong resolver
p = set_policy(name="checkAll", scope=SCOPE.AUTHZ, realm="realm1",
resolver="resoX",
action="{0}=totp".format(ACTION.TOKENTYPE))
self.assertTrue(p > 0)
p = set_policy(name="catchAll", scope=SCOPE.AUTHZ, realm="realm1",
action="{0}=totp".format(ACTION.TOKENTYPE))
self.assertTrue(p > 0)
P = PolicyClass()
pols = P.get_policies(scope=SCOPE.AUTHZ, realm=user.realm,
resolver=user.resolver, user=user.login)
self.assertEqual(len(pols), 1)
# Now we change the policy, so that it uses check_all_resolver, i.e.
p = set_policy(name="checkAll", scope=SCOPE.AUTHZ, realm="realm1",
resolver="resoX", check_all_resolvers=True,
action="{0}=totp".format(ACTION.TOKENTYPE))
self.assertTrue(p > 0)
P = PolicyClass()
pols = P.get_policies(scope=SCOPE.AUTHZ, realm=user.realm,
resolver=user.resolver, user=user.login)
self.assertEqual(len(pols), 2)
# delete policy
delete_policy("checkAll")
delete_policy("catchAll")
# delete resolvers and realm
delete_realm("realm1")
for reso in ["reso1", "resoX", "resoA"]:
rid = delete_resolver(reso)
self.assertTrue(rid > 0, rid)
def test_23_priorities(self):
# create three policies with three different texts and different priorities
set_policy(name="email1",
scope=SCOPE.AUTH,
action="emailtext=text 1",
priority=4)
set_policy(name="email2",
scope=SCOPE.AUTH,
action="emailtext=text 2",
priority=1)
set_policy(name="email3",
scope=SCOPE.AUTH,
action="emailtext=text 3",
priority=77)
# this chooses email2, because it has the highest priority
P = PolicyClass()
self.assertEqual(
P.get_action_values(action="emailtext",
scope=SCOPE.AUTH,
unique=True,
allow_white_space_in_action=True), ["text 2"])
delete_policy("email2")
P.reload_from_db()
# with email2 gone, this chooses email1
self.assertEqual(
P.get_action_values(action="emailtext",
scope=SCOPE.AUTH,
unique=True,
allow_white_space_in_action=True), ["text 1"])
# if we now add another policy with priority 77, we get no conflict
# because email1 is chosen
set_policy(name="email4",
scope=SCOPE.AUTH,
action="emailtext=text 4",
priority=77)
P.reload_from_db()
self.assertEqual(
P.get_action_values(action="emailtext",
scope=SCOPE.AUTH,
unique=True,
allow_white_space_in_action=True), ["text 1"])
# but we get a conflict if we change the priority of email4 to 4
set_policy(name="email4",
scope=SCOPE.AUTH,
action="emailtext=text 4",
priority=4)
P.reload_from_db()
with self.assertRaises(PolicyError) as cm:
P.get_action_values(action="emailtext",
scope=SCOPE.AUTH,
unique=True,
allow_white_space_in_action=True)
self.assertIn("policies with conflicting actions", str(cm.exception))
pols = P.get_policies(action="emailtext", scope=SCOPE.AUTH)
self.assertEqual(len(pols), 3)
with self.assertRaises(PolicyError) as cm:
P.check_for_conflicts(pols, "emailtext")
P.check_for_conflicts([], "emailtext")
P.check_for_conflicts([pols[0]], "emailtext")
# we can also change the priority
set_policy(name="email4", priority=3)
P.reload_from_db()
self.assertEqual(
P.get_action_values(action="emailtext",
scope=SCOPE.AUTH,
unique=True,
allow_white_space_in_action=True), ["text 4"])
# now we have
# email1, priority=4
# email3, priority=77
# email4, priority=3
# export, delete all, re-import
exported = export_policies(P.get_policies())
self.assertIn("priority = 4", exported)
self.assertIn("priority = 77", exported)
delete_all_policies()
import_policies(exported)
pols = P.get_policies(action="emailtext", scope=SCOPE.AUTH)
self.assertEqual(len(pols), 3)
# this sorts by priority
self.assertEqual([p['name'] for p in pols],
['email4', 'email1', 'email3'])
# priority must be at least 1
with self.assertRaises(ParameterError):
set_policy(name="email4", scope=SCOPE.AUTH, priority=0)
with self.assertRaises(ParameterError):
set_policy(name="email4", scope=SCOPE.AUTH, priority=-5)
delete_policy("email1")
delete_policy("email3")
delete_policy("email4")
def single_page_application():
instance = request.script_root
if instance == "/":
instance = ""
# The backend URL should come from the configuration of the system.
backend_url = ""
if current_app.config.get("PI_UI_DEACTIVATED"):
# Do not provide the UI
return render_template("deactivated.html")
# The default theme. We can change this later
theme = current_app.config.get("PI_CSS", DEFAULT_THEME)
# Get further customizations
customization = current_app.config.get("PI_CUSTOMIZATION",
"/static/customize/")
customization = customization.strip('/')
# TODO: we should add the CSS into PI_CUSTOMZATION/css
# Enrollment-Wizard:
# PI_CUSTOMIZATION/views/includes/token.enroll.pre.top.html
# PI_CUSTOMIZATION/views/includes/token.enroll.pre.bottom.html
# PI_CUSTOMIZATION/views/includes/token.enroll.post.top.html
# PI_CUSTOMIZATION/views/includes/token.enroll.post.bottom.html
# Get the hidden external links
external_links = current_app.config.get("PI_EXTERNAL_LINKS", True)
# Get the logo file
logo = current_app.config.get("PI_LOGO", "privacyIDEA1.png")
browser_lang = request.accept_languages.best_match(["en", "de"])
# check if login with REMOTE_USER is allowed.
remote_user = ""
password_reset = False
if not hasattr(request, "all_data"):
request.all_data = {}
# Depending on displaying the realm dropdown, we fill realms or not.
policy_object = PolicyClass()
realms = ""
client_ip = request.access_route[0] if request.access_route else \
request.remote_addr
realm_dropdown = policy_object.get_policies(action=ACTION.REALMDROPDOWN,
scope=SCOPE.WEBUI,
client=client_ip,
active=True)
if realm_dropdown:
try:
realm_dropdown_values = policy_object.get_action_values(
action=ACTION.REALMDROPDOWN,
scope=SCOPE.WEBUI,
client=client_ip)
# Use the realms from the policy.
realms = ",".join(realm_dropdown_values)
except AttributeError as ex:
# The policy is still a boolean realm_dropdown action
# Thus we display ALL realms
realms = ",".join(get_realms().keys())
if realms:
realms = "," + realms
try:
if is_remote_user_allowed(request):
remote_user = request.remote_user
password_reset = is_password_reset()
hsm_ready = True
except HSMException:
hsm_ready = False
return render_template("index.html", instance=instance,
backendUrl=backend_url,
browser_lang=browser_lang,
remote_user=remote_user,
theme=theme,
password_reset=password_reset,
hsm_ready=hsm_ready,
customization=customization,
realms=realms,
external_links=external_links,
logo=logo)
def single_page_application():
instance = request.script_root
if instance == "/":
instance = ""
# The backend URL should come from the configuration of the system.
backend_url = ""
if current_app.config.get("PI_UI_DEACTIVATED"):
# Do not provide the UI
return render_template("deactivated.html")
# The default theme. We can change this later
theme = current_app.config.get("PI_CSS", DEFAULT_THEME)
# Get further customizations
customization = current_app.config.get("PI_CUSTOMIZATION",
"/static/customize/")
customization = customization.strip('/')
# TODO: we should add the CSS into PI_CUSTOMZATION/css
# Enrollment-Wizard:
# PI_CUSTOMIZATION/views/includes/token.enroll.pre.top.html
# PI_CUSTOMIZATION/views/includes/token.enroll.pre.bottom.html
# PI_CUSTOMIZATION/views/includes/token.enroll.post.top.html
# PI_CUSTOMIZATION/views/includes/token.enroll.post.bottom.html
# Get the hidden external links
external_links = current_app.config.get("PI_EXTERNAL_LINKS", True)
# Get the logo file
logo = current_app.config.get("PI_LOGO", "privacyIDEA1.png")
browser_lang = request.accept_languages.best_match(
["en", "de", "de-DE"], default="en").split("-")[0]
# The page title can be configured in pi.cfg
page_title = current_app.config.get("PI_PAGE_TITLE",
"privacyIDEA Authentication System")
# check if login with REMOTE_USER is allowed.
remote_user = ""
password_reset = False
if not hasattr(request, "all_data"):
request.all_data = {}
# Depending on displaying the realm dropdown, we fill realms or not.
policy_object = PolicyClass()
realms = ""
client_ip = get_client_ip(request, get_from_config(SYSCONF.OVERRIDECLIENT))
realm_dropdown = policy_object.get_policies(action=ACTION.REALMDROPDOWN,
scope=SCOPE.WEBUI,
client=client_ip,
active=True)
if realm_dropdown:
try:
realm_dropdown_values = policy_object.get_action_values(
action=ACTION.REALMDROPDOWN,
scope=SCOPE.WEBUI,
client=client_ip)
# Use the realms from the policy.
realms = ",".join(realm_dropdown_values)
except AttributeError as ex:
# The policy is still a boolean realm_dropdown action
# Thus we display ALL realms
realms = ",".join(get_realms())
try:
if is_remote_user_allowed(request):
remote_user = request.remote_user
password_reset = is_password_reset()
hsm_ready = True
except HSMException:
hsm_ready = False
# Use policies to determine the customization of menu
# and baseline. get_action_values returns an array!
sub_state = subscription_status()
customization_menu_file = policy_object.get_action_values(
allow_white_space_in_action=True,
action=ACTION.CUSTOM_MENU,
scope=SCOPE.WEBUI,
client=client_ip,
unique=True)
if len(customization_menu_file) and list(customization_menu_file)[0] \
and sub_state not in [1, 2]:
customization_menu_file = list(customization_menu_file)[0]
else:
customization_menu_file = "templates/menu.html"
customization_baseline_file = policy_object.get_action_values(
allow_white_space_in_action=True,
action=ACTION.CUSTOM_BASELINE,
scope=SCOPE.WEBUI,
client=client_ip,
unique=True)
if len(customization_baseline_file) and list(customization_baseline_file)[0] \
and sub_state not in [1, 2]:
customization_baseline_file = list(customization_baseline_file)[0]
else:
customization_baseline_file = "templates/baseline.html"
login_text = policy_object.get_action_values(
allow_white_space_in_action=True,
action=ACTION.LOGIN_TEXT,
scope=SCOPE.WEBUI,
client=client_ip,
unique=True)
if len(login_text) and list(login_text)[0] and sub_state not in [1, 2]:
login_text = list(login_text)[0]
else:
login_text = ""
return render_template(
"index.html",
instance=instance,
backendUrl=backend_url,
browser_lang=browser_lang,
remote_user=remote_user,
theme=theme,
password_reset=password_reset,
hsm_ready=hsm_ready,
has_job_queue=str(has_job_queue()),
customization=customization,
customization_menu_file=customization_menu_file,
customization_baseline_file=customization_baseline_file,
realms=realms,
external_links=external_links,
login_text=login_text,
logo=logo,
page_title=page_title)
def test_04_delete_policy(self):
delete_policy(name="pol4")
P = PolicyClass()
pol4 = P.get_policies(name="pol4")
self.assertTrue(pol4 == [], pol4)
def test_21_check_all_resolver(self):
# check_all_resolver allows to find a policy for a secondary user
# resolver.
# We create one realm "realm1" with the resolvers
# reso1 (prio 1)
# reso2 (prio 2)
# reso3 (prio 3)
# A user user@realm1 will be identified as user.reso1@realm1.
# But we will also match policies for reso2.
# no realm and resolver
r = get_realms()
self.assertEqual(r, {})
r = get_resolver_list()
self.assertEqual(r, {})
# create user realm
for reso in ["reso1", "resoX", "resoA"]:
rid = save_resolver({
"resolver": reso,
"type": "passwdresolver",
"fileName": PWFILE
})
self.assertTrue(rid > 0, rid)
# create a realm with reso1 being the resolver with the highest priority
(added, failed) = set_realm("realm1", ["reso1", "resoX", "resoA"],
priority={
"reso1": 1,
"resoX": 2,
"resoA": 3
})
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 3)
user = User(login="******", realm="realm1")
# The user, that is created, is cornelius.reso1@realm1
user_str = "{0!s}".format(user)
self.assertEqual(user_str, "<cornelius.reso1@realm1>")
# But the user "cornelius" is also contained in other resolves in
# this realm
r = user.get_ordererd_resolvers()
self.assertEqual(r, ["reso1", "resoX", "resoA"])
self.assertFalse(user.is_empty())
self.assertTrue(User().is_empty())
# define a policy with the wrong resolver
p = set_policy(name="checkAll",
scope=SCOPE.AUTHZ,
realm="realm1",
resolver="resoX",
action="{0}=totp".format(ACTION.TOKENTYPE))
self.assertTrue(p > 0)
p = set_policy(name="catchAll",
scope=SCOPE.AUTHZ,
realm="realm1",
action="{0}=totp".format(ACTION.TOKENTYPE))
self.assertTrue(p > 0)
P = PolicyClass()
pols = P.get_policies(scope=SCOPE.AUTHZ,
realm=user.realm,
resolver=user.resolver,
user=user.login)
self.assertEqual(len(pols), 1)
# Now we change the policy, so that it uses check_all_resolver, i.e.
p = set_policy(name="checkAll",
scope=SCOPE.AUTHZ,
realm="realm1",
resolver="resoX",
check_all_resolvers=True,
action="{0}=totp".format(ACTION.TOKENTYPE))
self.assertTrue(p > 0)
P = PolicyClass()
pols = P.get_policies(scope=SCOPE.AUTHZ,
realm=user.realm,
resolver=user.resolver,
user=user.login)
self.assertEqual(len(pols), 2)
# delete policy
delete_policy("checkAll")
delete_policy("catchAll")
# delete resolvers and realm
delete_realm("realm1")
for reso in ["reso1", "resoX", "resoA"]:
rid = delete_resolver(reso)
self.assertTrue(rid > 0, rid)
def single_page_application():
instance = request.script_root
if instance == "/":
instance = ""
# The backend URL should come from the configuration of the system.
backend_url = ""
if current_app.config.get("PI_UI_DEACTIVATED"):
# Do not provide the UI
return render_template("deactivated.html")
# The default theme. We can change this later
theme = current_app.config.get("PI_CSS", DEFAULT_THEME)
# Get further customizations
customization = current_app.config.get("PI_CUSTOMIZATION",
"/static/customize/")
customization = customization.strip('/')
# TODO: we should add the CSS into PI_CUSTOMZATION/css
# Enrollment-Wizard:
# PI_CUSTOMIZATION/views/includes/token.enroll.pre.top.html
# PI_CUSTOMIZATION/views/includes/token.enroll.pre.bottom.html
# PI_CUSTOMIZATION/views/includes/token.enroll.post.top.html
# PI_CUSTOMIZATION/views/includes/token.enroll.post.bottom.html
# Get the hidden external links
external_links = current_app.config.get("PI_EXTERNAL_LINKS", True)
# Get the logo file
logo = current_app.config.get("PI_LOGO", "privacyIDEA1.png")
browser_lang = request.accept_languages.best_match(["en", "de"])
# check if login with REMOTE_USER is allowed.
remote_user = ""
password_reset = False
if not hasattr(request, "all_data"):
request.all_data = {}
# Depending on displaying the realm dropdown, we fill realms or not.
policy_object = PolicyClass()
realms = ""
client_ip = request.access_route[0] if request.access_route else \
request.remote_addr
realm_dropdown = policy_object.get_policies(action=ACTION.REALMDROPDOWN,
scope=SCOPE.WEBUI,
client=client_ip,
active=True)
if realm_dropdown:
try:
realm_dropdown_values = policy_object.get_action_values(
action=ACTION.REALMDROPDOWN,
scope=SCOPE.WEBUI,
client=client_ip)
# Use the realms from the policy.
realms = ",".join(realm_dropdown_values)
except AttributeError as ex:
# The policy is still a boolean realm_dropdown action
# Thus we display ALL realms
realms = ",".join(get_realms().keys())
if realms:
realms = "," + realms
try:
if is_remote_user_allowed(request):
remote_user = request.remote_user
password_reset = is_password_reset()
hsm_ready = True
except HSMException:
hsm_ready = False
# Use policies to determine the customization of menu
# and baseline. get_action_values returns an array!
sub_state = subscription_status()
customization_menu_file = policy_object.get_action_values(
allow_white_space_in_action=True,
action=ACTION.CUSTOM_MENU,
scope=SCOPE.WEBUI,
client=client_ip, unique=True)
if len(customization_menu_file) and customization_menu_file[0] \
and sub_state not in [1, 2]:
customization_menu_file = customization_menu_file[0]
else:
customization_menu_file = "templates/menu.html"
customization_baseline_file = policy_object.get_action_values(
allow_white_space_in_action=True,
action=ACTION.CUSTOM_BASELINE,
scope=SCOPE.WEBUI,
client=client_ip, unique=True)
if len(customization_baseline_file) and customization_baseline_file[0] \
and sub_state not in [1, 2]:
customization_baseline_file = customization_baseline_file[0]
else:
customization_baseline_file = "templates/baseline.html"
return render_template("index.html", instance=instance,
backendUrl=backend_url,
browser_lang=browser_lang,
remote_user=remote_user,
theme=theme,
password_reset=password_reset,
hsm_ready=hsm_ready,
customization=customization,
customization_menu_file=customization_menu_file,
customization_baseline_file=customization_baseline_file,
realms=realms,
external_links=external_links,
logo=logo)
def test_02_update_policies(self):
p = set_policy(name="pol1",
action="read",
scope="system",
realm="*",
resolver="*",
user="******",
client="0.0.0.0/0",
active="False")
self.assertTrue(p > 0)
p = set_policy(name="pol2",
action="tokentype=HOTP",
scope=SCOPE.AUTHZ,
realm="*")
self.assertTrue(p > 0)
p = set_policy(name="pol2a",
action="tokentype=TOTP",
scope=SCOPE.AUTHZ,
realm="realm2")
self.assertTrue(p > 0)
p = set_policy(name="pol3",
action="serial=OATH",
scope=SCOPE.AUTHZ,
realm="realm1",
resolver="resolver1")
self.assertTrue(p > 0)
p = set_policy(name="pol4",
action="enroll, init, disable , enable",
scope="admin",
realm="realm2",
user="******")
self.assertTrue(p > 0)
# enable and disable policies
policies = PolicyClass().get_policies(active=False)
num_old = len(policies)
p = enable_policy("pol4", False)
policies = PolicyClass().get_policies(active=False)
self.assertTrue(num_old + 1 == len(policies), (num_old, len(policies)))
p = enable_policy("pol4", True)
policies = PolicyClass().get_policies(active=False)
self.assertTrue(num_old == len(policies), len(policies))
# find inactive policies
P = PolicyClass()
policies = P.get_policies(active=False)
self.assertTrue(len(policies) == 1, len(policies))
self.assertTrue(policies[0].get("name") == "pol1")
# find policies action tokentype
policies = P.get_policies(action="tokentype")
self.assertTrue(len(policies) == 2, policies)
# find policies action serial
policies = P.get_policies(action="serial")
self.assertTrue(len(policies) == 1, policies)
# find policies with scope authorization
policies = P.get_policies(scope=SCOPE.AUTHZ)
self.assertTrue(len(policies) == 3, policies)
# find policies authorization and realm2
policies = P.get_policies(action="tokentype", scope=SCOPE.AUTHZ)
self.assertTrue(len(policies) == 2, policies)
# find policies with user admin
policies = P.get_policies(scope="admin", user="******")
self.assertTrue(len(policies) == 1, "{0!s}".format(len(policies)))
# find policies with resolver2 and authorization. THe result should
# be pol2 and pol2a
policies = P.get_policies(resolver="resolver2", scope=SCOPE.AUTHZ)
self.assertTrue(len(policies) == 2, policies)
# find policies with realm1 and authorization. We also include the
# "*" into the result list. We find pol2 and pol3
policies = P.get_policies(realm="realm1", scope=SCOPE.AUTHZ)
self.assertTrue(len(policies) == 2, policies)
# find policies with resolver1 and authorization.
# All other authorization policies will also match, since they either
# user * or
# have no destinct information about resolvers
policies = P.get_policies(resolver="resolver1", scope=SCOPE.AUTHZ)
self.assertTrue(len(policies) == 3, policies)
def test_04_delete_policy(self):
delete_policy(name="pol4")
P = PolicyClass()
pol4 = P.get_policies(name="pol4")
self.assertTrue(pol4 == [], pol4)
def test_02_update_policies(self):
p = set_policy(name="pol1",
action="read",
scope="system",
realm="*",
resolver="*",
user="******",
client="0.0.0.0/0",
active=False)
self.assertTrue(p > 0)
p = set_policy(name="pol2",
action="tokentype=HOTP",
scope=SCOPE.AUTHZ,
realm="*")
self.assertTrue(p > 0)
p = set_policy(name="pol2a",
action="tokentype=TOTP",
scope=SCOPE.AUTHZ,
realm="realm2")
self.assertTrue(p > 0)
p = set_policy(name="pol3",
action="serial=OATH",
scope=SCOPE.AUTHZ,
realm="realm1",
resolver="resolver1")
self.assertTrue(p > 0)
p = set_policy(name="pol4",
action="enroll, init, disable , enable",
scope="admin",
realm="realm2",
user="******")
self.assertTrue(p > 0)
# enable and disable policies
policies = PolicyClass().get_policies(active=False)
num_old = len(policies)
p = enable_policy("pol4", False)
policies = PolicyClass().get_policies(active=False)
self.assertTrue(num_old + 1 == len(policies), (num_old, len(policies)))
p = enable_policy("pol4", True)
policies = PolicyClass().get_policies(active=False)
self.assertTrue(num_old == len(policies), len(policies))
# find inactive policies
P = PolicyClass()
policies = P.get_policies(active=False)
self.assertTrue(len(policies) == 1, len(policies))
self.assertTrue(policies[0].get("name") == "pol1")
# find policies action tokentype
policies = P.get_policies(action="tokentype")
self.assertTrue(len(policies) == 2, policies)
# find policies action serial
policies = P.get_policies(action="serial")
self.assertTrue(len(policies) == 1, policies)
# find policies with scope authorization
policies = P.get_policies(scope=SCOPE.AUTHZ)
self.assertTrue(len(policies) == 3, policies)
# find policies authorization and realm2
policies = P.get_policies(action="tokentype", scope=SCOPE.AUTHZ)
self.assertTrue(len(policies) == 2, policies)
# find policies with user admin
policies = P.get_policies(scope="admin", user="******")
self.assertTrue(len(policies) == 1, "{0!s}".format(len(policies)))
# find policies with resolver2 and authorization. THe result should
# be pol2 and pol2a
policies = P.get_policies(resolver="resolver2", scope=SCOPE.AUTHZ)
self.assertTrue(len(policies) == 2, policies)
# find policies with realm1 and authorization. We also include the
# "*" into the result list. We find pol2 and pol3
policies = P.get_policies(realm="realm1", scope=SCOPE.AUTHZ)
self.assertTrue(len(policies) == 2, policies)
# find policies with resolver1 and authorization.
# All other authorization policies will also match, since they either
# user * or
# have no destinct information about resolvers
policies = P.get_policies(resolver="resolver1", scope=SCOPE.AUTHZ)
self.assertTrue(len(policies) == 3, policies)
