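def test_09_invalidate_edit_user(self):
        """Editing a user must evict its entry from ``UserCache``.

        Uses the editable SQL realm set up by ``_create_sql_realm``: a
        ``User`` lookup populates the cache, ``update_user_info`` must
        remove the cached entry, and the next lookup repopulates it.
        Without the eviction a later lookup could still be answered from
        the pre-edit entry, which is what this test guards against.
        """
        self._create_sql_realm()
        try:
            # Cache starts empty
            self.assertEqual(UserCache.query.count(), 0)
            # Resolving a user adds one entry
            user = User(login="******", realm=self.sql_realm)
            self.assertEqual(UserCache.query.count(), 1)
            self.assertEqual(user.info.get("givenname", ""), "")

            # Editing the user must drop the cached entry
            user.update_user_info({"givenname": "wordy"})
            self.assertEqual(user.info.get("givenname"), "wordy")
            self.assertEqual(UserCache.query.count(), 0)

            # A fresh lookup repopulates the cache
            User(login="******", realm=self.sql_realm)
            self.assertEqual(UserCache.query.count(), 1)

            # Restore the original value so later tests see the unmodified record
            user.update_user_info({"givenname": ""})
            self.assertEqual(user.info.get("givenname", ""), "")
            self.assertEqual(UserCache.query.count(), 0)
        finally:
            # Tear the realm down even when an assertion above fails, so the
            # realm does not leak into the following tests
            self._delete_sql_realm()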
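    def test_13_update_user(self):
        """Update a user through an editable SQL resolver.

        Registers resolver ``SQL1`` in realm ``sqlrealm`` from a copy of
        ``self.parameters``, changes ``givenname`` and ``username`` via
        ``update_user_info``, checks the change is visible through
        ``user.info`` and ``user.login``, and finally reverts it.
        """
        realm = "sqlrealm"
        resolver = "SQL1"
        # Work on a copy: mutating the shared fixture would leak the
        # "resolver"/"type" keys into every other test reading self.parameters
        parameters = dict(self.parameters)
        parameters["resolver"] = resolver
        parameters["type"] = "sqlresolver"

        rid = save_resolver(parameters)
        self.assertGreater(rid, 0, rid)

        added, failed = set_realm(realm, [resolver])
        self.assertEqual(len(failed), 0)
        self.assertEqual(len(added), 1)

        user = User(login="******", realm=realm)
        self.assertEqual(user.info.get("givenname", ""), "")

        user.update_user_info({
            "givenname": "wordy",
            "username": "******",
        })
        self.assertEqual(user.info.get("givenname"), "wordy")
        # The login reflects the username now stored in the resolver
        self.assertEqual(user.login, "WordpressUser")

        # Revert so subsequent tests see the original record
        user.update_user_info({"givenname": "", "username": "******"})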
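    def test_13_update_user(self):
        """Round-trip an attribute change through ``update_user_info``.

        Creates resolver ``SQL1`` inside realm ``sqlrealm`` from a copy of
        ``self.parameters``, renames the user and sets ``givenname``,
        verifies both via ``user.info`` / ``user.login`` and restores the
        previous values afterwards.
        """
        realm = "sqlrealm"
        resolver = "SQL1"
        # Copy the fixture instead of mutating it in place, so the keys set
        # here do not bleed into other tests that read self.parameters
        parameters = dict(self.parameters)
        parameters["resolver"] = resolver
        parameters["type"] = "sqlresolver"

        rid = save_resolver(parameters)
        self.assertGreater(rid, 0, rid)

        added, failed = set_realm(realm, [resolver])
        self.assertEqual(len(failed), 0)
        self.assertEqual(len(added), 1)

        user = User(login="******", realm=realm)
        self.assertEqual(user.info.get("givenname", ""), "")

        user.update_user_info({"givenname": "wordy",
                               "username": "******"})
        self.assertEqual(user.info.get("givenname"), "wordy")
        # The login reflects the username now stored in the resolver
        self.assertEqual(user.login, "WordpressUser")

        # Undo the change for the remaining tests
        user.update_user_info({"givenname": "",
                               "username": "******"})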
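    def test_09_invalidate_edit_user(self):
        """Check that ``update_user_info`` invalidates the ``UserCache`` entry.

        Needs an editable resolver, hence the SQL realm from
        ``_create_sql_realm``. The cache count is asserted at each step:
        a lookup fills it, an edit must empty it again, and a new lookup
        refills it. This is what prevents a lookup after an edit from
        being answered with the pre-edit entry.
        """
        self._create_sql_realm()
        try:
            # Nothing cached yet
            self.assertEqual(UserCache.query.count(), 0)
            # First lookup populates the cache
            user = User(login="******", realm=self.sql_realm)
            self.assertEqual(UserCache.query.count(), 1)
            self.assertEqual(user.info.get("givenname", ""), "")

            # The edit must remove the cached entry
            user.update_user_info({"givenname": "wordy"})
            self.assertEqual(user.info.get("givenname"), "wordy")
            self.assertEqual(UserCache.query.count(), 0)

            # Looking the user up again re-adds it
            User(login="******", realm=self.sql_realm)
            self.assertEqual(UserCache.query.count(), 1)

            # Put the original value back for the remaining tests
            user.update_user_info({"givenname": ""})
            self.assertEqual(user.info.get("givenname", ""), "")
            self.assertEqual(UserCache.query.count(), 0)
        finally:
            # Always remove the realm, even if an assertion failed, so it
            # does not leak into later tests
            self._delete_sql_realm()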
def update_user():
    """
    Edit a user in the user store.

    The resolver must carry the *editable* flag, otherwise the user cannot
    be modified. Only administrators are allowed to edit users.

    **Example request**:

    .. sourcecode:: http

       PUT /user
       user=existing_user
       resolver=<resolvername>
       surname=...
       givenname=...
       email=...
       mobile=...
       phone=...
       password=...
       description=...

       Host: example.com
       Accept: application/json

    .. note:: A user may also call this endpoint, e.g. to change his own
       password. In that case the parameters "user" and "resolver" are
       overwritten with the values of the authenticated user, even if
       another username is supplied.

    :return: the result of ``update_user_info`` wrapped by ``send_result``
    """
    data = request.all_data
    attributes = _get_attributes_from_param(data)
    username = getParam(data, "user", optional=False)
    resolvername = getParam(data, "resolver", optional=False)
    userid = getParam(data, "userid")
    # NOTE(review): the "userid" path selects the user by uid and is not
    # covered by the note above; confirm that the pre-request handler which
    # pins "user"/"resolver" for non-admin callers also constrains "userid".
    if userid is None:
        user_obj = User(login=username, resolver=resolvername)
    else:
        user_obj = User(resolver=resolvername, uid=userid)
    # Hand the password over separately instead of inside the attribute
    # dict, so it does not appear wherever the attributes are logged
    password = attributes.get("password")
    if password:
        attributes.pop("password")
    r = user_obj.update_user_info(attributes, password=password)
    info = u"{0!s}: {1!s}/{2!s}".format(r, username, resolvername)
    g.audit_object.log({"success": True, "info": info})
    return send_result(r)
def update_user():
    """
    Edit a user in the user store.

    The resolver must be flagged *editable*, otherwise the user cannot be
    modified. Only administrators are allowed to edit users.

    **Example request**:

    .. sourcecode:: http

       PUT /user
       user=existing_user
       resolver=<resolvername>
       surname=...
       givenname=...
       email=...
       mobile=...
       phone=...
       password=...
       description=...

       Host: example.com
       Accept: application/json

    .. note:: A user may also call this endpoint, e.g. to change his own
       password. In that case the parameters "user" and "resolver" are
       overwritten with the values of the authenticated user, even if
       another username is supplied.

    :return: the result of ``update_user_info`` wrapped by ``send_result``
    """
    data = request.all_data
    attributes = _get_attributes_from_param(data)
    username = getParam(data, "user", optional=False)
    resolvername = getParam(data, "resolver", optional=False)
    user_obj = User(login=username, resolver=resolvername)
    # Pass the password separately rather than inside the attribute dict,
    # so it stays out of any log line that records the attributes
    password = attributes.get("password")
    if password:
        attributes.pop("password")
    r = user_obj.update_user_info(attributes, password=password)
    info = u"{0!s}: {1!s}/{2!s}".format(r, username, resolvername)
    g.audit_object.log({"success": True, "info": info})
    return send_result(r)
def update_user():
    """
    Edit a user in the user store.

    The resolver must be flagged *editable*, otherwise the user cannot be
    modified. Only administrators are allowed to edit users.

    **Example request**:

    .. sourcecode:: http

       PUT /user
       user=existing_user
       resolver=<resolvername>
       surname=...
       givenname=...
       email=...
       mobile=...
       phone=...
       password=...
       description=...

       Host: example.com
       Accept: application/json

    .. note:: A user may also call this endpoint, e.g. to change his own
       password. In that case the parameters "user" and "resolver" are
       overwritten with the values of the authenticated user, even if
       another username is supplied.

    :return: the result of ``update_user_info`` wrapped by ``send_result``
    """
    data = request.all_data
    attributes = _get_attributes_from_param(data)
    username = getParam(data, "user", optional=False)
    resolvername = getParam(data, "resolver", optional=False)
    user_obj = User(login=username, resolver=resolvername)
    # NOTE(review): a supplied "password" travels inside ``attributes`` here;
    # confirm nothing downstream logs that dict verbatim.
    r = user_obj.update_user_info(attributes)
    info = "%s: %s/%s" % (r, username, resolvername)
    g.audit_object.log({"success": True, "info": info})
    return send_result(r)
def assign_user(resolver, realm, username, email, givenname, surname, serial,
                pin, validity, hard_or_soft):
    app = create_app(config_name="production",
                     config_file="/etc/privacyidea/pi.cfg",
                     silent=True)

    with app.app_context():
        # User operations
        try:
            print("+ Processing user {0!s} in {1!s}/{2!s}.".format(
                username, resolver, realm))
            user_obj = User(username, realm, resolver=resolver)
        except UserError as err:
            sys.stderr.write(" +-- Failed finding user: {0!s}.\n".format(err))
            return

        if not user_obj.exist():
            # Create new user
            print(" +- Creating user {0!s} in {1!s}/{2!s}.".format(
                username, resolver, realm))
            try:
                create_user(resolver, {
                    "username": username,
                    "email": email,
                    "givenname": givenname,
                    "surname": surname
                },
                            password="")
                user_obj = User(username, realm, resolver=resolver)
            except UserError as err:
                sys.stderr.write(
                    "+-- Failed to create user: {0!s}.\n".format(err))
                return
            except Exception as err:
                sys.stderr.write(
                    "+-- Failed to create user: {0!s}.\n".format(err))
                return
        else:
            # Update existing user
            print(" +- Updating user {0!s} in {1!s}/{2!s}.".format(
                username, resolver, realm))
            user_obj.update_user_info({
                "email": email,
                "givenname": givenname,
                "surname": surname
            })

        # Token operations

        ## Assign token or create registration code
        if hard_or_soft.strip().upper() == HARDWARE:
            if serial:
                # Assign an existing token
                try:
                    print(" +- Processing token {0!s}".format(serial))
                    t = assign_token(serial, user_obj, pin)
                    print(
                        " +-- Assigned token to user {0!s}.".format(user_obj))
                except TokenAdminError as err:
                    sys.stderr.write(
                        " +-- Failed assigning token {0!s}: {1!s}.\n".format(
                            serial, err))
                except ResourceNotFoundError as err:
                    sys.stderr.write(
                        " +-- Failed assigning token {0!s}: {1!s}.\n".format(
                            serial, err))
            else:
                sys.stderr.write(
                    "+-- User {0!s} is supposed to get a hardware token, but no serial defined!"
                    .format(user_obj))
        elif hard_or_soft.strip().upper() == SOFTWARE:
            # Create a registration code, since no serial number is given
            print(" +- Creating token of type {0!s}.".format(TOKEN_TYPE))
            params = {
                "type": TOKEN_TYPE,
                "genkey": 1,
                "user": user_obj.login,
                "realm": user_obj.realm
            }
            r = requests.post('https://localhost/token/init',
                              verify=False,
                              data=params,
                              headers={"Authorization": get_auth_tok()})
            if not r.json().get("result").get("status"):
                sys.stderr.write(
                    " +-- Failed to create token for user {0!s}.".format(
                        user_obj))
        else:
            sys.stderr.write(
                "+-- Unknown Hard/Soft specifier for user {0!s}: {1!s}".format(
                    user_obj, hard_or_soft))

        # Create RADIUS token with validity period
        print(" +- Creating RADIUS token for user {0!s}.".format(user_obj))
        tok = init_token(
            {
                "type": "radius",
                "radius.identifier": RADIUS_IDENTIFIER,
                "radius.user": user_obj.login
            },
            user=user_obj)
        for k, v in TOKENINFO.items():
            tok.add_tokeninfo(k, v)
        validity_end = datetime.datetime.now() + datetime.timedelta(
            int(validity))
        tok.set_validity_period_end(
            validity_end.strftime("%Y-%m-%d %H:%M:00 CET"))