def check_maxtoken_for_user_by_type(user, type_of_token): ''' This internal function checks the number of assigned tokens to a user restricted by the policies: "scope = enrollment", action = "maxtokenTOKENTYPE = <number>" :param user: to whom the token should belong :param type_of_token: which type of token should be enrolled or assigned :raises PolicyException: if maxtoken policy would be violated ''' _ = context['translate'] if not user or not user.login: return client = _get_client() user_realms = _getUserRealms(user) log.debug("checking the already assigned tokens for user %r, realms %s" % (user, user_realms)) # ------------------------------------------------------------------ -- # check the maxtokenTOKENTYPE policy typed_tokens = linotp.lib.token.getTokens4UserOrSerial( user, token_type=type_of_token) for user_realm in user_realms: policies = get_client_policy(client, action="maxtoken%s" % type_of_token.upper(), scope='enrollment', realm=user_realm, user=user.login, userObj=user) if not policies: continue # compare the tokens of the user with the max numbers of the policy total_maxtoken = get_action_value( policies, scope='enrollment', action="maxtoken%s" % type_of_token.upper(), default=-1) if total_maxtoken == -1 or isinstance(total_maxtoken, bool): continue if len(typed_tokens) + 1 > total_maxtoken: error_msg = _("The maximum number of allowed tokens of type %s " "per user is exceeded. Check the policies " "scope=enrollment, action=maxtoken%s" % (type_of_token, type_of_token.upper())) raise linotp.lib.policy.MaxTokenTypeUserPolicyException(error_msg)
def check_maxtoken_for_user(user): ''' This internal function checks the number of assigned tokens to a user restricted by the policies: "scope = enrollment", action = "maxtoken = <number>" :param user: to whom the token should belong :raises PolicyException: if maxtoken policy would be violated ''' _ = context['translate'] if not user or not user.login: return client = _get_client() user_realms = _getUserRealms(user) log.debug("checking the already assigned tokens for user %r, realms %s" % (user, user_realms)) # ----------------------------------------------------------------------- -- # check the maxtoken policy action = "maxtoken" tokens = linotp.lib.token.getTokens4UserOrSerial(user, "") for user_realm in user_realms: policies = get_client_policy(client, scope='enrollment', action=action, realm=user_realm, user=user.login, userObj=user) if not policies: continue total_maxtoken = get_action_value(policies, scope='enrollment', action=action, default=-1) if total_maxtoken == -1 or isinstance(total_maxtoken, bool): continue if len(tokens) + 1 > total_maxtoken: error_msg = _("The maximum number of allowed tokens " "per user is exceeded. Check the " "policies scope=enrollment, " "action=maxtoken") raise linotp.lib.policy.MaxTokenUserPolicyException(error_msg)
def get_pre_context(client): """ get the rendering context before the login is shown, so the rendering of the login page could be controlled if realm_box or mfa_login is defined :param client: the rendering is client dependend, so we need the info :return: context dict, with all rendering attributes """ # check for mfa_login, autoassign and autoenroll in policy definition mfa_login_policy = get_client_policy(client=client, scope='selfservice', action='mfa_login') mfa_3_fields_policy = get_client_policy(client=client, scope='selfservice', action='mfa_3_fields') autoassignment_policy = get_client_policy(client=client, scope='enrollment', action='autoassignment') autoenrollment_policy = get_client_policy(client=client, scope='enrollment', action='autoenrollment') return { "version": get_version(), "copyright": get_copyright_info(), "realms": _get_realms_(), "settings": { "default_realm": getDefaultRealm(), "realm_box": getRealmBox(), "mfa_login": bool(mfa_login_policy), "mfa_3_fields": bool(mfa_3_fields_policy), "autoassign": bool(autoassignment_policy), "autoenroll": bool(autoenrollment_policy), }, }
def test_get_client_policy(self, mock_context, mocked_new_get_client_policy, mocked_legacy_get_client_policy, mocked_LOG_error): """ test for 'get_client_policy' """ scope = 'enrollment' action = 'otp_pin_random' largs = [None] kwargs = { 'action': action, 'scope': scope, 'realm': 'mydefrealm', 'user': '', 'find_resolver': True, 'userObj': User(login='', realm='mydefrealm') } ret_policy = { 'self_02': { 'realm': 'myotherrealm', 'name': 'self_02', 'active': 'True', 'client': '*', 'user': '******', 'time': '*', 'action': ('enrollMOTP, disable, resync, setOTPPIN,' ' setMOTPPIN'), 'scope': 'selfservice' } } # ----------------------------------------------------------------- -- # switch to the new one mock_context.__getitem__.return_value = { 'NewPolicyEvaluation': 'True', 'NewPolicyEvaluation.compare': 'False' } mocked_new_get_client_policy.return_value = ret_policy # run the call _return_value = get_client_policy(*largs, **kwargs) mocked_new_get_client_policy.assert_called_once_with(*largs, **kwargs) mocked_legacy_get_client_policy.assert_not_called() mocked_new_get_client_policy.reset_mock() mocked_legacy_get_client_policy.reset_mock() # ----------------------------------------------------------------- -- # switch to the old one mock_context.__getitem__.return_value = { 'NewPolicyEvaluation': 'False', 'NewPolicyEvaluation.compare': 'False' } mocked_new_get_client_policy.return_value = ret_policy mocked_legacy_get_client_policy.return_value = ret_policy # run the call _return_value = get_client_policy(*largs, **kwargs) mocked_new_get_client_policy.assert_not_called() mocked_legacy_get_client_policy.assert_called_once_with( *largs, **kwargs) mocked_new_get_client_policy.reset_mock() mocked_legacy_get_client_policy.reset_mock() mocked_LOG_error.reset_mock() # ----------------------------------------------------------------- -- # switch to old one and compare mock_context.__getitem__.return_value = { 'NewPolicyEvaluation': 'False', 'NewPolicyEvaluation.compare': 'True' } mocked_new_get_client_policy.return_value = ret_policy mocked_legacy_get_client_policy.return_value = ret_policy # run the call _return_value = get_client_policy(*largs, **kwargs) # check the call mocked_new_get_client_policy.assert_called_once_with(*largs, **kwargs) mocked_legacy_get_client_policy.assert_called_once_with( *largs, **kwargs) mocked_LOG_error.assert_not_called() mocked_new_get_client_policy.reset_mock() mocked_legacy_get_client_policy.reset_mock() mocked_LOG_error.reset_mock() # ----------------------------------------------------------------- -- # switch to old one and compare - with error mock_context.__getitem__.return_value = { 'NewPolicyEvaluation': 'False', 'NewPolicyEvaluation.compare': 'True' } new_pols = ret_policy mocked_new_get_client_policy.return_value = new_pols old_pols = copy.deepcopy(ret_policy) old_pols['old'] = {'oldy': True} mocked_legacy_get_client_policy.return_value = old_pols # run the call return_value = get_client_policy(*largs, **kwargs) # check the calling mocked_new_get_client_policy.assert_called_once_with(*largs, **kwargs) mocked_legacy_get_client_policy.assert_called_once_with( *largs, **kwargs) call = ('old: new %r <> %r', old_pols, new_pols) mocked_LOG_error.assert_any_call(*call) self.assertTrue('old' in return_value) mocked_new_get_client_policy.reset_mock() mocked_legacy_get_client_policy.reset_mock() mocked_LOG_error.reset_mock() return
def test_get_client_policy( self, mock_context, mocked_new_get_client_policy, mocked_legacy_get_client_policy, mocked_LOG_error): """ test for 'get_client_policy' """ scope = 'enrollment' action = 'otp_pin_random' largs = [None] legacy_kwargs = { 'action': action, 'scope': scope, 'realm': 'mydefrealm', 'user': '', 'find_resolver': True, 'userObj': User(login='', realm='mydefrealm')} kwargs = {} kwargs.update(legacy_kwargs) kwargs['active_only'] = True ret_policy = {'self_02': { 'realm': 'myotherrealm', 'name': 'self_02', 'active': 'True', 'client': '*', 'user': '******', 'time': '*', 'action': ('enrollMOTP, disable, resync, setOTPPIN,' ' setMOTPPIN'), 'scope': 'selfservice'}} # ----------------------------------------------------------------- -- # switch to the new one mock_context.__getitem__.return_value = { 'NewPolicyEvaluation': 'True', 'NewPolicyEvaluation.compare': 'False'} mocked_new_get_client_policy.return_value = ret_policy # run the call _return_value = get_client_policy(*largs, **kwargs) mocked_new_get_client_policy.assert_called_once_with(*largs, **kwargs) mocked_legacy_get_client_policy.assert_not_called() mocked_new_get_client_policy.reset_mock() mocked_legacy_get_client_policy.reset_mock() # ----------------------------------------------------------------- -- # switch to the old one mock_context.__getitem__.return_value = { 'NewPolicyEvaluation': 'False', 'NewPolicyEvaluation.compare': 'False'} mocked_new_get_client_policy.return_value = ret_policy mocked_legacy_get_client_policy.return_value = ret_policy # run the call _return_value = get_client_policy(*largs, **kwargs) mocked_new_get_client_policy.assert_not_called() mocked_legacy_get_client_policy.assert_called_once_with( *largs, **legacy_kwargs) mocked_new_get_client_policy.reset_mock() mocked_legacy_get_client_policy.reset_mock() mocked_LOG_error.reset_mock() # ----------------------------------------------------------------- -- # switch to old one and compare mock_context.__getitem__.return_value = { 'NewPolicyEvaluation': 'False', 'NewPolicyEvaluation.compare': 'True'} mocked_new_get_client_policy.return_value = ret_policy mocked_legacy_get_client_policy.return_value = ret_policy # run the call _return_value = get_client_policy(*largs, **kwargs) # check the call mocked_new_get_client_policy.assert_called_once_with(*largs, **kwargs) mocked_legacy_get_client_policy.assert_called_once_with( *largs, **legacy_kwargs) mocked_LOG_error.assert_not_called() mocked_new_get_client_policy.reset_mock() mocked_legacy_get_client_policy.reset_mock() mocked_LOG_error.reset_mock() # ----------------------------------------------------------------- -- # switch to old one and compare - with error mock_context.__getitem__.return_value = { 'NewPolicyEvaluation': 'False', 'NewPolicyEvaluation.compare': 'True'} new_pols = ret_policy mocked_new_get_client_policy.return_value = new_pols old_pols = copy.deepcopy(ret_policy) old_pols['old'] = {'oldy': True} mocked_legacy_get_client_policy.return_value = old_pols # run the call return_value = get_client_policy(*largs, **kwargs) # check the calling mocked_new_get_client_policy.assert_called_once_with(*largs, **kwargs) mocked_legacy_get_client_policy.assert_called_once_with( *largs, **legacy_kwargs) call = ('old: new %r <> %r', old_pols, new_pols) mocked_LOG_error.assert_any_call(*call) self.assertTrue('old' in return_value) mocked_new_get_client_policy.reset_mock() mocked_legacy_get_client_policy.reset_mock() mocked_LOG_error.reset_mock() return