    def test_it_sets_client_authority_principal(self, auth_client):
        """The ``client_authority:<authority>`` principal is granted to the client."""
        expected = f"client_authority:{auth_client.authority}"

        assert expected in util.principals_for_auth_client(auth_client)
    def test_it_sets_client_authority_principal(self, auth_client):
        """principals_for_auth_client includes the client's authority principal."""
        principal_list = util.principals_for_auth_client(auth_client)
        authority_principal = "client_authority:%s" % auth_client.authority

        assert authority_principal in principal_list
    def test_it_sets_auth_client_principal(self, auth_client):
        """The client-specific ``client:<id>@<authority>`` principal is granted."""
        expected = f"client:{auth_client.id}@{auth_client.authority}"

        assert expected in util.principals_for_auth_client(auth_client)
    def test_it_sets_auth_client_principal(self, auth_client):
        """principals_for_auth_client includes the per-client principal."""
        principal_list = util.principals_for_auth_client(auth_client)
        client_principal = "client:%s@%s" % (auth_client.id, auth_client.authority)

        assert client_principal in principal_list
    def check(username, password, request):
        """
        Authenticate an auth_client, optionally acting on behalf of a user.

        Returns the list of principals granted to the caller, or ``None``
        when authentication is unsuccessful.

        The Basic-auth ``username``/``password`` pair is treated as an
        auth_client id and secret and checked against the AuthClient records
        in ``request.db``.

        When the request carries an ``X-Forwarded-User`` header, the client
        intends to authenticate "on behalf of" a user within its own
        authority. The user named by the header value (a
        :py:attr:`h.models.user.User.userid`) _must_ exist and _must_ belong
        to the auth_client's authority; otherwise authentication fails
        outright rather than falling back to the plain client principals.

        :param username: username parsed out of Authorization header (Basic)
        :param password: password parsed out of Authorization header (Basic)
        :param request: current request; provides ``db`` and ``find_service``
        :returns: additional principals for the auth_client or None
        :rtype: list or None
        """
        # The Basic-auth credentials double as the auth_client id and secret;
        # they must match an AuthClient record in the DB.
        client = util.verify_auth_client(username, password, request.db)
        if client is None:
            return None

        forwarded_userid = AuthClientPolicy._forwarded_userid(request)
        if forwarded_userid is None:
            # Plain client authentication, nobody is being acted for.
            return util.principals_for_auth_client(client)

        user_service = request.find_service(name="user")
        try:
            user = user_service.fetch(forwarded_userid)
        except ValueError:
            # Malformed userid: fail closed instead of degrading to
            # client-only principals.
            return None

        # The forwarded user must exist and live in the client's own
        # authority; a client cannot act for users of another authority.
        if not user or user.authority != client.authority:
            return None

        return util.principals_for_auth_client_user(user, client)
    def check(username, password, request):
        """
        Resolve Basic-auth client credentials into a list of principals.

        ``None`` is returned whenever authentication is unsuccessful.

        The credentials are matched against an auth_client record in the DB.
        If the request also carries an ``X-Forwarded-User`` header, the
        auth_client is authenticating "on behalf of" that user (a
        :py:attr:`h.models.user.User.userid`). That user _must_ exist and
        _must_ be within the auth_client's authority, or authentication
        fails.

        :param username: username parsed out of Authorization header (Basic)
        :param password: password parsed out of Authorization header (Basic)
        :param request: current request; provides ``db`` and ``find_service``
        :returns: additional principals for the auth_client or None
        :rtype: list or None
        """
        # Step 1: the Basic-auth pair is an auth_client id/secret.
        client = util.verify_auth_client(username, password, request.db)
        if client is None:
            return None

        # Step 2: no forwarded user means plain client principals.
        forwarded_userid = AuthClientPolicy._forwarded_userid(request)
        if forwarded_userid is None:
            return util.principals_for_auth_client(client)

        # Step 3: look up the forwarded user; an unparsable userid is a hard
        # failure (no fallback to client-only principals).
        user_service = request.find_service(name="user")
        try:
            user = user_service.fetch(forwarded_userid)
        except ValueError:
            return None

        # Step 4: the user must exist and share the client's authority.
        same_authority = bool(user) and user.authority == client.authority
        if same_authority:
            return util.principals_for_auth_client_user(user, client)

        return None
    def test_it_returns_principals_as_list(self, auth_client):
        """The return value is a plain ``list`` of principals."""
        assert isinstance(util.principals_for_auth_client(auth_client), list)
    def test_it_does_not_set_user_role(self, auth_client):
        """A bare auth_client must not be granted the User role."""
        granted = util.principals_for_auth_client(auth_client)

        assert not (role.User in granted)
    def test_it_sets_authclient_role(self, auth_client):
        """The AuthClient role is among the granted principals."""
        granted = util.principals_for_auth_client(auth_client)

        assert any(principal == role.AuthClient for principal in granted)
    def test_it_returns_principals_as_list(self, auth_client):
        """principals_for_auth_client returns a ``list``, not a set or tuple."""
        result = util.principals_for_auth_client(auth_client)
        is_list = isinstance(result, list)

        assert is_list
    def test_it_does_not_set_user_role(self, auth_client):
        """Client-only authentication never confers the User role."""
        assert role.User not in util.principals_for_auth_client(auth_client)
    def test_it_sets_authclient_role(self, auth_client):
        """Client-only authentication confers the AuthClient role."""
        assert role.AuthClient in util.principals_for_auth_client(auth_client)