def load_google_specific_user_data(db_session, test_user_d):
    """Add Google-specific user data to Fence db."""

    gpg = GoogleProxyGroup(id=userd_dict["gpg_id"],
                           email=userd_dict["gpg_email"])

    gsak = GoogleServiceAccountKey(
        id=userd_dict["gsak_id"],
        key_id=userd_dict["gsak_key_id"],
        service_account_id=userd_dict["gsa_id"],
    )
    gsa = GoogleServiceAccount(
        id=userd_dict["gsa_id"],
        google_unique_id="d_gui",
        user_id=userd_dict["user_id"],
        google_project_id="d_gpid",
        email=userd_dict["gsa_email"],
    )
    bkt = Bucket(id=userd_dict["bucket_id"])
    gbag = GoogleBucketAccessGroup(
        id=userd_dict["gbag_id"],
        bucket_id=userd_dict["bucket_id"],
        email=userd_dict["gbag_email"],
    )
    gpg_gbag = GoogleProxyGroupToGoogleBucketAccessGroup(
        id=userd_dict["gpg_to_gbag_id"],
        proxy_group_id=userd_dict["gpg_id"],
        access_group_id=userd_dict["gbag_id"],
    )
    uga = UserGoogleAccount(
        id=userd_dict["uga_id"],
        email=userd_dict["uga_email"],
        user_id=userd_dict["user_id"],
    )
    uga_pg = UserGoogleAccountToProxyGroup(
        user_google_account_id=userd_dict["uga_id"],
        proxy_group_id=userd_dict["gpg_id"])
    db_session.add_all([gpg, gsak, gsa, bkt, gbag, gpg_gbag, uga, uga_pg])

    user = (db_session.query(User).filter_by(
        username=userd_dict["user_username"]).first())
    user.google_proxy_group_id = userd_dict["gpg_id"]

    db_session.commit()
Beispiel #2
0
def force_update_user_google_account_expiration(user_google_account,
                                                proxy_group_id, google_email,
                                                expiration, session):
    """
    Adds user's google account to proxy group and/or updates expiration for
    that google account's access.

    WARNING: This assumes that provided arguments represent valid information.
             This BLINDLY adds without verification. Do verification
             before this.

    Specifically, this ASSUMES that the proxy group provided belongs to the
    given user and that the user has ALREADY authenticated to prove the
    provided google_email is also their's.

    Args:
        user_google_account (str): User's linked Google account
        google_email (str): User's Google email
        proxy_group_id (str): User's Proxy Google group id
        expiration (int): new expiration for User's linked Google account to live in
            the proxy group
        session: db session to work with
    """
    account_in_proxy_group = (
        session.query(UserGoogleAccountToProxyGroup).filter(
            UserGoogleAccountToProxyGroup.user_google_account_id ==
            user_google_account.id).first())
    if account_in_proxy_group:
        account_in_proxy_group.expires = expiration
    else:
        account_in_proxy_group = UserGoogleAccountToProxyGroup(
            user_google_account_id=user_google_account.id,
            proxy_group_id=proxy_group_id,
            expires=expiration,
        )
        session.add(account_in_proxy_group)

        _add_google_email_to_proxy_group(google_email=google_email,
                                         proxy_group_id=proxy_group_id)
Beispiel #3
0
def test_google_id_token_linked(db_session, encoded_creds_jwt,
                                oauth_test_client):
    """
    Test google email and link expiration are in id_token for a linked account
    """
    user_id = encoded_creds_jwt["user_id"]
    proxy_group_id = encoded_creds_jwt["proxy_group_id"]

    original_expiration = 1000
    google_account = "*****@*****.**"

    # add google account and link
    existing_account = UserGoogleAccount(email=google_account, user_id=user_id)
    db_session.add(existing_account)
    db_session.commit()
    g_account_access = UserGoogleAccountToProxyGroup(
        user_google_account_id=existing_account.id,
        proxy_group_id=proxy_group_id,
        expires=original_expiration,
    )
    db_session.add(g_account_access)
    db_session.commit()

    # get google account info with utility function
    assert get_linked_google_account_email(user_id) == google_account
    assert get_linked_google_account_exp(user_id) == original_expiration

    # get the id token through endpoint
    data = {"confirm": "yes"}
    oauth_test_client.authorize(data=data)
    tokens = oauth_test_client.token()
    id_token = jwt.decode(tokens.id_token, verify=False)

    assert "google" in id_token["context"]["user"]
    assert (id_token["context"]["user"]["google"].get("linked_google_account")
            == google_account)
    assert (id_token["context"]["user"]["google"].get(
        "linked_google_account_exp") == original_expiration)
Beispiel #4
0
def test_google_link_g_account_access_extension(
    app,
    client,
    db_session,
    encoded_creds_jwt,
    add_new_g_acnt_mock,
    google_auth_get_user_info_mock,
    add_google_email_to_proxy_group_mock,
):
    """
    Test the link endpoint that gets hit after authN when the provided Google
    account is already linked. This time test if we correctly extend the
    google accounts access.
    """
    user_id = encoded_creds_jwt["user_id"]
    proxy_group_id = encoded_creds_jwt["proxy_group_id"]

    original_expiration = 1000
    test_auth_code = "abc123"
    redirect = "http://localhost"
    google_account = "*****@*****.**"

    test_session_jwt = create_session_token(
        app.keypairs[0],
        config.get("SESSION_TIMEOUT"),
        context={
            "google_link": True,
            "user_id": user_id,
            "google_proxy_group_id": proxy_group_id,
            "redirect": redirect,
        },
    )

    existing_account = UserGoogleAccount(email=google_account, user_id=user_id)
    db_session.add(existing_account)
    db_session.commit()
    g_account_access = UserGoogleAccountToProxyGroup(
        user_google_account_id=existing_account.id,
        proxy_group_id=proxy_group_id,
        expires=original_expiration,
    )
    db_session.add(g_account_access)
    db_session.commit()

    # manually set cookie for initial session
    client.set_cookie("localhost", config["SESSION_COOKIE_NAME"],
                      test_session_jwt)

    # simulate successfully authed reponse with user email
    google_auth_get_user_info_mock.return_value = {"email": google_account}

    r = client.get("/link/google/callback",
                   query_string={"code": test_auth_code})

    account_in_proxy_group = (
        db_session.query(UserGoogleAccountToProxyGroup).filter(
            UserGoogleAccountToProxyGroup.user_google_account_id ==
            existing_account.id).first())
    assert account_in_proxy_group.proxy_group_id == proxy_group_id

    # check that expiration changed and that it's less than the cfg
    # expires in (since this check will happen a few seconds after
    # it gets set)
    assert account_in_proxy_group.expires != original_expiration
    assert account_in_proxy_group.expires <= (
        int(time.time()) + config["GOOGLE_ACCOUNT_ACCESS_EXPIRES_IN"])

    assert not add_new_g_acnt_mock.called
    assert r.status_code == 302

    parsed_url = urlparse(r.headers["Location"])
    query_params = parse_qs(parsed_url.query)
    response_redirect = urlunparse(
        (parsed_url.scheme, parsed_url.netloc, parsed_url.path, "", "", ""))
    assert "exp" in query_params
    assert query_params["linked_email"][0] == google_account
    assert response_redirect == redirect

    assert not flask.session.get("google_link")
    assert not flask.session.get("user_id")
    assert not flask.session.get("google_proxy_group_id")

    assert not add_google_email_to_proxy_group_mock.called
Beispiel #5
0
def test_patch_google_link_account_not_in_token(
    app,
    client,
    db_session,
    encoded_creds_jwt,
    google_auth_get_user_info_mock,
    add_google_email_to_proxy_group_mock,
):
    """
    Test extending expiration for previously linked G account access via PATCH.

    This will test the case where the linking happened during the life
    of an access token and the same access token is used here (e.g.
    account exists but a new token hasn't been generated with the linkage
    info yet)
    """
    encoded_credentials_jwt = encoded_creds_jwt["jwt"]
    user_id = encoded_creds_jwt["user_id"]
    proxy_group_id = encoded_creds_jwt["proxy_group_id"]

    original_expiration = 1000
    google_account = "*****@*****.**"

    test_session_jwt = create_session_token(
        app.keypairs[0],
        config.get("SESSION_TIMEOUT"),
        context={"google_proxy_group_id": proxy_group_id},
    )

    existing_account = UserGoogleAccount(email=google_account, user_id=user_id)
    db_session.add(existing_account)
    db_session.commit()
    g_account_access = UserGoogleAccountToProxyGroup(
        user_google_account_id=existing_account.id,
        proxy_group_id=proxy_group_id,
        expires=original_expiration,
    )
    db_session.add(g_account_access)
    db_session.commit()

    # manually set cookie for initial session
    client.set_cookie("localhost", config["SESSION_COOKIE_NAME"],
                      test_session_jwt)

    r = client.patch(
        "/link/google",
        headers={"Authorization": "Bearer " + encoded_credentials_jwt})

    assert r.status_code == 200

    account_in_proxy_group = (
        db_session.query(UserGoogleAccountToProxyGroup).filter(
            UserGoogleAccountToProxyGroup.user_google_account_id ==
            existing_account.id).first())
    assert account_in_proxy_group.proxy_group_id == proxy_group_id

    # check that expiration changed and that it's less than the cfg
    # expires in (since this check will happen a few seconds after
    # it gets set)
    assert account_in_proxy_group.expires != original_expiration
    assert account_in_proxy_group.expires <= (
        int(time.time()) + config["GOOGLE_ACCOUNT_ACCESS_EXPIRES_IN"])

    assert not add_google_email_to_proxy_group_mock.called
Beispiel #6
0
def test_patch_google_link(
    app,
    client,
    db_session,
    encoded_creds_jwt,
    google_auth_get_user_info_mock,
    add_google_email_to_proxy_group_mock,
):
    """
    Test extending expiration for previously linked G account access via PATCH.
    Test valid and invalid expires_in parameters.
    """
    encoded_credentials_jwt = encoded_creds_jwt["jwt"]
    user_id = encoded_creds_jwt["user_id"]
    proxy_group_id = encoded_creds_jwt["proxy_group_id"]

    original_expiration = 1000
    google_account = "*****@*****.**"

    test_session_jwt = create_session_token(
        app.keypairs[0],
        config.get("SESSION_TIMEOUT"),
        context={
            "google_proxy_group_id": proxy_group_id,
            "linked_google_email": google_account,
        },
    )

    existing_account = UserGoogleAccount(email=google_account, user_id=user_id)
    db_session.add(existing_account)
    db_session.commit()
    g_account_access = UserGoogleAccountToProxyGroup(
        user_google_account_id=existing_account.id,
        proxy_group_id=proxy_group_id,
        expires=original_expiration,
    )
    db_session.add(g_account_access)
    db_session.commit()

    # manually set cookie for initial session
    client.set_cookie("localhost", config["SESSION_COOKIE_NAME"],
                      test_session_jwt)

    r = client.patch(
        "/link/google",
        headers={"Authorization": "Bearer " + encoded_credentials_jwt})

    assert r.status_code == 200

    account_in_proxy_group = (
        db_session.query(UserGoogleAccountToProxyGroup).filter(
            UserGoogleAccountToProxyGroup.user_google_account_id ==
            existing_account.id).first())
    assert account_in_proxy_group.proxy_group_id == proxy_group_id

    # check that expiration changed and that it's less than the cfg
    # expires in (since this check will happen a few seconds after
    # it gets set)
    updated_expiration = account_in_proxy_group.expires
    assert updated_expiration != original_expiration
    assert updated_expiration <= (int(time.time()) +
                                  config["GOOGLE_ACCOUNT_ACCESS_EXPIRES_IN"])

    assert not add_google_email_to_proxy_group_mock.called

    # invalid expires_in: should fail
    requested_exp = "abc"  # expires_in must be int >0
    r = client.patch(
        "/link/google?expires_in={}".format(requested_exp),
        headers={"Authorization": "Bearer " + encoded_credentials_jwt},
    )
    assert r.status_code == 400

    # valid expires_in: should succeed
    requested_exp = 60
    r = client.patch(
        "/link/google?expires_in={}".format(requested_exp),
        headers={"Authorization": "Bearer " + encoded_credentials_jwt},
    )
    assert r.status_code == 200

    account_in_proxy_group = (
        db_session.query(UserGoogleAccountToProxyGroup).filter(
            UserGoogleAccountToProxyGroup.user_google_account_id ==
            existing_account.id).first())
    # make sure the link is valid for the requested time
    # (allow up to 15 sec for runtime)
    diff = account_in_proxy_group.expires - int(time.time())
    assert requested_exp <= diff <= requested_exp + 15