def test_02_userstore_password(self):
# create a realm, where cornelius has a password test
rid = save_resolver({"resolver": "myreso",
"type": "passwdresolver",
"fileName": PWFILE2})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm("r1", ["myreso"])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
# now create a policy with userstore PW
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="%s=%s" % (ACTION.OTPPIN, ACTIONVALUE.USERSTORE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
options = {"g": g}
# Wrong password
r = auth_otppin(self.fake_check_otp, None,
"WrongPW", options=options,
user=User("cornelius", realm="r1"))
self.assertFalse(r)
# Correct password from userstore: "test"
r = auth_otppin(self.fake_check_otp, None,
"test", options=options,
user=User("cornelius", realm="r1"))
self.assertTrue(r)
delete_policy("pol1")
def test_01_otppin(self):
my_user = User("cornelius", realm="r1")
set_policy(name="pol1", scope=SCOPE.AUTH, action="%s=%s" % (ACTION.OTPPIN, ACTIONVALUE.NONE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
options = {"g": g}
# NONE with empty PIN -> success
r = auth_otppin(self.fake_check_otp, None, "", options=options, user=my_user)
self.assertTrue(r)
# NONE with empty PIN -> success, even if the authentication is done
# for a serial and not a user, since the policy holds for all realms
token = init_token({"type": "HOTP", "otpkey": "1234"})
r = auth_otppin(self.fake_check_otp, token, "", options=options, user=None)
self.assertTrue(r)
# NONE with some pin -> fail
r = auth_otppin(self.fake_check_otp, None, "some pin", options=options, user=my_user)
self.assertFalse(r)
delete_policy("pol1")
set_policy(name="pol1", scope=SCOPE.AUTH, action="%s=%s" % (ACTION.OTPPIN, ACTIONVALUE.TOKENPIN))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
options = {"g": g}
r = auth_otppin(self.fake_check_otp, None, "FAKE", options=options, user=my_user)
self.assertTrue(r)
r = auth_otppin(self.fake_check_otp, None, "Wrong Pin", options=options, user=my_user)
self.assertFalse(r)
delete_policy("pol1")
def test_03_otppin_for_serial(self):
# now create a policy with userstore PW
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="%s=%s" % (ACTION.OTPPIN, ACTIONVALUE.USERSTORE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
options = {"g": g,
"serial": "T001"}
# create a token and assign to user cornelius
token = init_token({"serial": "T001", "type": "hotp", "genkey": 1},
user=User("cornelius", realm="r1"))
self.assertTrue(token)
# Wrong password
# Not identified by the user but by the token owner
r = auth_otppin(self.fake_check_otp, token,
"WrongPW", options=options,
user=None)
self.assertFalse(r)
# Correct password from userstore: "test"
# Not identified by the user but by the token owner
r = auth_otppin(self.fake_check_otp, token,
"test", options=options,
user=None)
self.assertTrue(r)
delete_policy("pol1")
remove_token("T001")
def test_03_otppin_for_serial(self):
# now create a policy with userstore PW
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.USERSTORE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g,
"serial": "T001"}
# create a token and assign to user cornelius
token = init_token({"serial": "T001", "type": "hotp", "genkey": 1},
user=User("cornelius", realm="r1"))
self.assertTrue(token)
# Wrong password
# Not identified by the user but by the token owner
r = auth_otppin(self.fake_check_otp, token,
"WrongPW", options=options,
user=None)
self.assertFalse(r)
# Correct password from userstore: "test"
# Not identified by the user but by the token owner
r = auth_otppin(self.fake_check_otp, token,
"test", options=options,
user=None)
self.assertTrue(r)
delete_policy("pol1")
remove_token("T001")
def test_02_userstore_password(self):
# create a realm, where cornelius has a password test
rid = save_resolver({"resolver": "myreso",
"type": "passwdresolver",
"fileName": PWFILE2})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm("r1", ["myreso"])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
# now create a policy with userstore PW
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.USERSTORE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# Wrong password
r = auth_otppin(self.fake_check_otp, None,
"WrongPW", options=options,
user=User("cornelius", realm="r1"))
self.assertFalse(r)
# Correct password from userstore: "test"
r = auth_otppin(self.fake_check_otp, None,
"test", options=options,
user=User("cornelius", realm="r1"))
self.assertTrue(r)
delete_policy("pol1")
def test_01_otppin(self):
my_user = User("cornelius", realm="r1")
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}={1!s}".format(ACTION.OTPPIN,
ACTIONVALUE.NONE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
options = {"g": g}
# NONE with empty PIN -> success
r = auth_otppin(self.fake_check_otp,
None,
"",
options=options,
user=my_user)
self.assertTrue(r)
# NONE with empty PIN -> success, even if the authentication is done
# for a serial and not a user, since the policy holds for all realms
token = init_token({"type": "HOTP", "otpkey": "1234"})
r = auth_otppin(self.fake_check_otp,
token,
"",
options=options,
user=None)
self.assertTrue(r)
# NONE with some pin -> fail
r = auth_otppin(self.fake_check_otp,
None,
"some pin",
options=options,
user=my_user)
self.assertFalse(r)
delete_policy("pol1")
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}={1!s}".format(ACTION.OTPPIN,
ACTIONVALUE.TOKENPIN))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
options = {"g": g}
r = auth_otppin(self.fake_check_otp,
None,
"FAKE",
options=options,
user=my_user)
self.assertTrue(r)
r = auth_otppin(self.fake_check_otp,
None,
"Wrong Pin",
options=options,
user=my_user)
self.assertFalse(r)
delete_policy("pol1")
def test_11_otppin_with_resolvers(self):
# This tests, if the otppin policy differentiates between users in
# the same realm but in different resolvers.
r = save_resolver({"resolver": "reso001",
"type": "passwdresolver",
"fileName": "tests/testdata/passwords"})
# user "cornelius" is in resolver reso001
self.assertTrue(r > 0)
r = save_resolver({"resolver": "reso002",
"type": "passwdresolver",
"fileName": "tests/testdata/pw-2nd-resolver"})
# user "userresolver2" is in resolver reso002
self.assertTrue(r > 0)
(added, failed) = set_realm("myrealm", ["reso001", "reso002"])
self.assertEqual(len(added), 2)
self.assertEqual(len(failed), 0)
my_user_1 = User("cornelius", realm="myrealm")
my_user_2 = User("userresolver2", realm="myrealm")
# We set a policy only for resolver reso002
set_policy(name="pol1",
scope=SCOPE.AUTH,
realm="myrealm",
resolver="reso002",
action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.NONE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# user in reso001 fails with empty PIN, since the policy does not
# match for him
r = auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user_1)
self.assertFalse(r)
# user in reso002 succeeds with empty PIN, since policy pol1 matches
# for him
r = auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user_2)
self.assertTrue(r)
# user in reso002 fails with any PIN, since policy pol1 matches
# for him
r = auth_otppin(self.fake_check_otp, None,
"anyPIN", options=options, user=my_user_2)
self.assertFalse(r)
delete_policy("pol1")
delete_realm("myrealm")
delete_resolver("reso001")
delete_resolver("reso002")
def test_11_otppin_with_resolvers(self):
# This tests, if the otppin policy differentiates between users in
# the same realm but in different resolvers.
r = save_resolver({"resolver": "reso001",
"type": "passwdresolver",
"fileName": "tests/testdata/passwords"})
# user "cornelius" is in resolver reso001
self.assertTrue(r > 0)
r = save_resolver({"resolver": "reso002",
"type": "passwdresolver",
"fileName": "tests/testdata/pw-2nd-resolver"})
# user "userresolver2" is in resolver reso002
self.assertTrue(r > 0)
(added, failed) = set_realm("myrealm", ["reso001", "reso002"])
self.assertEqual(len(added), 2)
self.assertEqual(len(failed), 0)
my_user_1 = User("cornelius", realm="myrealm")
my_user_2 = User("userresolver2", realm="myrealm")
# We set a policy only for resolver reso002
set_policy(name="pol1",
scope=SCOPE.AUTH,
realm="myrealm",
resolver="reso002",
action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.NONE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# user in reso001 fails with empty PIN, since the policy does not
# match for him
r = auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user_1)
self.assertFalse(r)
# user in reso002 succeeds with empty PIN, since policy pol1 matches
# for him
r = auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user_2)
self.assertTrue(r)
# user in reso002 fails with any PIN, since policy pol1 matches
# for him
r = auth_otppin(self.fake_check_otp, None,
"anyPIN", options=options, user=my_user_2)
self.assertFalse(r)
delete_policy("pol1")
delete_realm("myrealm")
delete_resolver("reso001")
delete_resolver("reso002")
def test_14_otppin_priority(self):
my_user = User("cornelius", realm="r1")
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.NONE),
priority=2)
set_policy(name="pol2",
scope=SCOPE.AUTH,
action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.TOKENPIN),
priority=2)
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# error because of conflicting policies
with self.assertRaises(PolicyError):
auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user)
# lower pol2 priority
set_policy(name="pol2",
priority=3)
g.policy_object.reload_from_db()
# NONE with empty PIN -> success
r = auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user)
self.assertTrue(r)
# NONE with empty PIN -> success, even if the authentication is done
# for a serial and not a user, since the policy holds for all realms
token = init_token({"type": "HOTP", "otpkey": "1234"})
r = auth_otppin(self.fake_check_otp, token,
"", options=options, user=None)
self.assertTrue(r)
# NONE with some pin -> fail
r = auth_otppin(self.fake_check_otp, None,
"some pin", options=options, user=my_user)
self.assertFalse(r)
# increase pol2 priority
set_policy(name="pol2", priority=1)
g.policy_object.reload_from_db()
r = auth_otppin(self.fake_check_otp, None,
"FAKE", options=options,
user=my_user)
self.assertTrue(r)
r = auth_otppin(self.fake_check_otp, None,
"Wrong Pin", options=options,
user=my_user)
self.assertFalse(r)
delete_policy("pol1")
delete_policy("pol2")
def test_14_otppin_priority(self):
my_user = User("cornelius", realm="r1")
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.NONE),
priority=2)
set_policy(name="pol2",
scope=SCOPE.AUTH,
action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.TOKENPIN),
priority=2)
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# error because of conflicting policies
with self.assertRaises(PolicyError):
auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user)
# lower pol2 priority
set_policy(name="pol2",
priority=3)
g.policy_object.reload_from_db()
# NONE with empty PIN -> success
r = auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user)
self.assertTrue(r)
# NONE with empty PIN -> success, even if the authentication is done
# for a serial and not a user, since the policy holds for all realms
token = init_token({"type": "HOTP", "otpkey": "1234"})
r = auth_otppin(self.fake_check_otp, token,
"", options=options, user=None)
self.assertTrue(r)
# NONE with some pin -> fail
r = auth_otppin(self.fake_check_otp, None,
"some pin", options=options, user=my_user)
self.assertFalse(r)
# increase pol2 priority
set_policy(name="pol2", priority=1)
g.policy_object.reload_from_db()
r = auth_otppin(self.fake_check_otp, None,
"FAKE", options=options,
user=my_user)
self.assertTrue(r)
r = auth_otppin(self.fake_check_otp, None,
"Wrong Pin", options=options,
user=my_user)
self.assertFalse(r)
delete_policy("pol1")
delete_policy("pol2")
