def test_get_selfservice_actions2(self, mocked__get_client,
mocked__get_policies,
mocked_get_policy_definitions):
"""Verify the policy evaluation via helper get_selfservice_actions"""
mocked__get_client.return_value = '127.0.0.1'
simple_user = LinotpUser(login='******', realm='defaultrealm')
anonym_user = LinotpUser(login='******', realm='defaultrealm')
policy_set = copy.deepcopy(PolicySet)
# ----------------------------------------------------------------- --
mocked_get_policy_definitions.return_value = {
'selfservice': {
'otp_pin_maxlength': {
'type': 'int'
},
'enrollHMAC': {
'type': 'bool'
},
'reset': {
'type': 'bool'
},
}
}
# verify that general policy is honored
policy_set['general']['action'] = (
'otp_pin_maxlength=4, enrollHMAC, reset')
mocked__get_policies.return_value = policy_set
res = get_selfservice_actions(simple_user, 'otp_pin_maxlength')
assert 'otp_pin_maxlength' in res
assert res['otp_pin_maxlength'] == 4
# ----------------------------------------------------------------- --
# verify that user specific policy is honored
policy_set['simple_user']['action'] = (
'otp_pin_maxlength=6, delete, reset')
mocked__get_policies.return_value = policy_set
res = get_selfservice_actions(simple_user, 'otp_pin_maxlength')
assert 'otp_pin_maxlength' in res
assert res['otp_pin_maxlength'] == 6
# ----------------------------------------------------------------- --
# verify that user specific policy is honored but only for the user
res = get_selfservice_actions(anonym_user, 'otp_pin_maxlength')
assert 'otp_pin_maxlength' in res
assert res['otp_pin_maxlength'] == 4
def webprovisiongoogletoken(self):
"""
This is the form for an google token to do web provisioning.
"""
try:
c.actions = get_selfservice_actions(self.authUser)
return render("/selfservice/webprovisiongoogle.mako")
except Exception as exx:
log.error("[webprovisiongoogletoken] failed with error: %r", exx)
return sendError(response, exx)
def get_context(config, user, client):
"""
get the user dependend rendering context
:param user: the selfservice auth user
:param realm: the selfservice realm
:param client: the selfservice client info - required for pre_context
:return: context dict, with all rendering attributes
"""
context = get_pre_context(client)
context["user"] = get_userinfo(user)
context["imprint"] = get_imprint(user.realm)
context["tokenArray"] = getTokenForUser(user)
context["actions"] = list()
for action_name, action_value in get_selfservice_actions(user).items():
if action_value is True:
context["actions"].append(action_name)
else:
context["settings"][action_name] = action_value
return context
def __before__(self, **params):
"""
__before__ is called before every action
This is the authentication to self service. If you want to do
ANYTHING with the selfservice, you need to be authenticated. The
_before_ is executed before any other function in this controller.
:param params: list of named arguments
:return: -nothing- or in case of an error a Response
created by sendError with the context info 'before'
"""
action = request_context['action']
self.redirect = None
try:
c.version = get_version()
c.licenseinfo = get_copyright_info()
c.version_ref = base64.encodebytes(c.version.encode())[:6]
g.audit['success'] = False
self.client = get_client(request)
g.audit['client'] = self.client
# -------------------------------------------------------------- --
# handle requests which dont require authetication
if action in ['logout', 'custom_style']:
return
# -------------------------------------------------------------- --
# get the authenticated user
auth_type, auth_user, auth_state = get_auth_user(request)
# -------------------------------------------------------------- --
# handle not authenticated requests
if not auth_user or auth_type not in ['user_selfservice']:
if action in ['login']:
return
if action in ['index']:
self.redirect = True
return redirect(url_for('.login'))
else:
raise Unauthorized('No valid session')
# -------------------------------------------------------------- --
# handle authenticated requests
# there is only one special case, which is the login that
# could be forwarded to the index page
if action in ['login']:
if auth_state != 'authenticated':
return
self.redirect = True
return redirect(url_for('.index'))
# -------------------------------------------------------------- --
# in case of user_selfservice, an unauthenticated request should always go to login
if auth_user and auth_type == 'user_selfservice' \
and auth_state != 'authenticated':
self.redirect = True
return redirect(url_for('.login'))
# futher processing with the authenticated user
if auth_state != 'authenticated':
raise Unauthorized('No valid session')
c.user = auth_user.login
c.realm = auth_user.realm
self.authUser = auth_user
# -------------------------------------------------------------- --
# authenticated session verification
if auth_type == 'user_selfservice':
# checking the session only for not_form_access actions
if action not in self.form_access_methods:
valid_session = check_session(request,
auth_user,
self.client)
if not valid_session:
g.audit['action'] = request.path[1:]
g.audit['info'] = "session expired"
current_app.audit_obj.log(g.audit)
raise Unauthorized('No valid session')
# -------------------------------------------------------------- --
c.imprint = get_imprint(c.realm)
c.tokenArray = []
c.user = self.authUser.login
c.realm = self.authUser.realm
# only the defined actions should be displayed
# - remark: the generic actions like enrollTT are allready approved
# to have a rendering section and included
actions = get_selfservice_actions(self.authUser)
c.actions = actions
for action_name, action_value in actions.items():
if action_value is True:
c.__setattr__(action_name, -1)
continue
c.__setattr__(action_name, action_value)
c.dynamic_actions = add_dynamic_selfservice_enrollment(config,
c.actions)
# we require to establish all token local defined
# policies to be initialiezd
additional_policies = add_dynamic_selfservice_policies(config,
actions)
for policy in additional_policies:
c.__setattr__(policy, -1)
c.otplen = -1
c.totp_len = -1
c.pin_policy = _get_auth_PinPolicy(user=self.authUser)
except (flap.HTTPUnauthorized, flap.HTTPForbidden) as acc:
# the exception, when an abort() is called if forwarded
log.info("[__before__::%r] webob.exception %r" % (action, acc))
db.session.rollback()
raise acc
except Exception as e:
log.exception("[__before__] failed with error: %r" % e)
db.session.rollback()
return sendError(response, e, context='before')
def test_get_selfservice_actions(
self,
mocked__get_client,
mocked__get_policies,
mocked_get_policy_definitions,
):
"""Verify the policy evaluation via helper get_selfservice_actions"""
mocked__get_client.return_value = "127.0.0.1"
simple_user = LinotpUser(login="******", realm="defaultrealm")
anonym_user = LinotpUser(login="******", realm="defaultrealm")
policy_set = copy.deepcopy(PolicySet)
mocked_get_policy_definitions.return_value = {
"selfservice": {
"setDescription": {
"type": "bool"
},
"enrollHMAC": {
"type": "bool"
},
"reset": {
"type": "bool"
},
}
}
# ----------------------------------------------------------------- --
# verify that general policy is honored
policy_set["general"]["action"] = "setDescription, enrollHMAC, reset"
mocked__get_policies.return_value = policy_set
res = get_selfservice_actions(simple_user, "setDescription")
assert "setDescription" in res
assert res["setDescription"]
res = get_selfservice_actions(simple_user)
assert "setDescription" not in res
assert "disable" in res
assert get_selfservice_actions(simple_user, "setDescription")
assert not get_selfservice_actions(anonym_user, "disable")
# ----------------------------------------------------------------- --
# verify that user specific policy is honored
policy_set["simple_user"]["action"] = "setDescription, disable"
mocked__get_policies.return_value = policy_set
res = get_selfservice_actions(simple_user)
assert "setDescription" in res
assert "disable" in res
assert "reset" not in res
def test_get_selfservice_actions2(
self,
mocked__get_client,
mocked__get_policies,
mocked_get_policy_definitions,
):
"""Verify the policy evaluation via helper get_selfservice_actions"""
mocked__get_client.return_value = "127.0.0.1"
simple_user = LinotpUser(login="******", realm="defaultrealm")
anonym_user = LinotpUser(login="******", realm="defaultrealm")
policy_set = copy.deepcopy(PolicySet)
# ----------------------------------------------------------------- --
mocked_get_policy_definitions.return_value = {
"selfservice": {
"otp_pin_maxlength": {
"type": "int"
},
"enrollHMAC": {
"type": "bool"
},
"reset": {
"type": "bool"
},
}
}
# verify that general policy is honored
policy_set["general"][
"action"] = "otp_pin_maxlength=4, enrollHMAC, reset"
mocked__get_policies.return_value = policy_set
res = get_selfservice_actions(simple_user, "otp_pin_maxlength")
assert "otp_pin_maxlength" in res
assert res["otp_pin_maxlength"] == 4
# ----------------------------------------------------------------- --
# verify that user specific policy is honored
policy_set["simple_user"][
"action"] = "otp_pin_maxlength=6, delete, reset"
mocked__get_policies.return_value = policy_set
res = get_selfservice_actions(simple_user, "otp_pin_maxlength")
assert "otp_pin_maxlength" in res
assert res["otp_pin_maxlength"] == 6
# ----------------------------------------------------------------- --
# verify that user specific policy is honored but only for the user
res = get_selfservice_actions(anonym_user, "otp_pin_maxlength")
assert "otp_pin_maxlength" in res
assert res["otp_pin_maxlength"] == 4
def test_get_selfservice_actions(self, mocked__get_client,
mocked__get_policies,
mocked_get_policy_definitions):
"""Verify the policy evaluation via helper get_selfservice_actions"""
mocked__get_client.return_value = '127.0.0.1'
simple_user = LinotpUser(login='******', realm='defaultrealm')
anonym_user = LinotpUser(login='******', realm='defaultrealm')
policy_set = copy.deepcopy(PolicySet)
mocked_get_policy_definitions.return_value = {
'selfservice': {
'setDescription': {
'type': 'bool'
},
'enrollHMAC': {
'type': 'bool'
},
'reset': {
'type': 'bool'
},
}
}
# ----------------------------------------------------------------- --
# verify that general policy is honored
policy_set['general']['action'] = ('setDescription, enrollHMAC, reset')
mocked__get_policies.return_value = policy_set
res = get_selfservice_actions(simple_user, 'setDescription')
assert 'setDescription' in res
assert res['setDescription']
res = get_selfservice_actions(simple_user)
assert 'setDescription' not in res
assert 'disable' in res
assert get_selfservice_actions(simple_user, 'setDescription')
assert not get_selfservice_actions(anonym_user, 'disable')
# ----------------------------------------------------------------- --
# verify that user specific policy is honored
policy_set['simple_user']['action'] = ('setDescription, disable')
mocked__get_policies.return_value = policy_set
res = get_selfservice_actions(simple_user)
assert 'setDescription' in res
assert 'disable' in res
assert 'reset' not in res
