Beispiel #1
0
def _create_user(request, username=None):
    """
    helper to create users 
    ie POST /user or PUT /user/<username>
    """
    if not request.context.user.has_perm(PERM_CREATE, User): 
        return HttpResponse(status=401)

    try:
        params = _get_params_by_ct(request)
        if username is None:
            username = params.get('username')

        # validate
        if not VALID_USERNAME.match(username):
            return HttpResponse('Invalid username', status=400, content_type="text/plain")

        if 'password' in params: 
            if (not 'password2' in params or 
                params['password2'] != params['password']): 
                return HttpResponse('Passwords did not match', status=400, content_type="text/plain")
    except:
        return HttpResponse('Error parsing parameters', status=400, content_type="text/plain")

    try:
        user = User(username=username)
        if 'password' in params:
            user.set_password(params['password'])
        user.store(request.context.get_users_database())
        return HttpResponse(status=201)
    except ResourceConflict:
        return HttpResponse(status=409)
Beispiel #2
0
    def setUp(self):
        # XXX load it!
        self.config = {'web.apps': ['radarpost.web.api'], 
                       'web.debug': True,
                       'web.static_files_url': '/static',
                       'beaker.session.type': 'memory', 
                       'couchdb.users_database': self.TEST_USERS_DB,
                       'couchdb.address': 'http://localhost:5984',
                       'couchdb.prefix': 'radar/'
                       }

        self.url_gen = URLGenerator(build_routes(self.config), {})

        # set-up users database
        couchdb = get_couchdb_server(self.config)
        dbname = self.config['couchdb.users_database']
        if dbname in couchdb: 
            del couchdb[dbname]
        self._users_db = couchdb.create(dbname)
        
        # create an admin
        admin = User(username=self.TEST_ADMIN_USER,
                     password=self.TEST_ADMIN_PASSWORD)
        admin.roles = [ROLE_ADMIN]
        admin.store(self._users_db)
Beispiel #3
0
    def test_user_exists(self):
        uname = 'joe'
        udb = self.get_users_database()
        user_url = self.url_for('user_rest', userid=uname)

        c = self.get_test_app()
        c.head(user_url, status=404)

        user = User(username=uname)
        user.store(udb)

        c.head(user_url, status=200)    
Beispiel #4
0
    def test_delete_user(self):
        uname = 'joe'
        udb = self.get_users_database()
        user_url = self.url_for('user_rest', userid=uname)
        user = User(username=uname)
        user.store(udb)

        c = self.get_test_app()
        self.login_as_admin(c)
        c.head(user_url, status=200)
        c.delete(user_url, status=200)
        c.head(user_url, status=404)
        c.delete(user_url, status=404)
Beispiel #5
0
def test_user_id_requirement():
    user = User(username='******', password='******')
    
    assert user.username == 'joe'
    assert user.id == "org.couchdb.user:joe"

    db = create_test_users_db()
    
    user.store(db)
    user = User.load(db, "org.couchdb.user:joe")
    assert user.username == 'joe'
    
    user = User.get_by_username(db, "joe")
    assert user.username == 'joe'
    assert user.id == "org.couchdb.user:joe"
Beispiel #6
0
    def setUp(self):
        self.config = load_test_config()
        self.url_gen = URLGenerator(build_routes(self.config), {})

        # set-up users database
        couchdb = get_couchdb_server(self.config)
        dbname = self.config['couchdb.users_database']
        if dbname in couchdb: 
            del couchdb[dbname]
        self._users_db = couchdb.create(dbname)
        
        # create an admin
        admin = User(username=self.config['test.admin_user'],
                     password=self.config['test.admin_password'])
        admin.roles = [ROLE_ADMIN]
        admin.store(self._users_db)
Beispiel #7
0
def _update_user(request, username):
    """
    updates user info 
    ie POST /user/<username>
    """
    udb = request.context.get_users_database()
    user = User.get_by_username(udb, username)
    if user is None: 
        return HttpResponse(status=404)

    if not request.context.user.has_perm(PERM_UPDATE, obj=user):
        return HttpResponse(status=401)

    try:
        params = _get_params_by_ct(request)

        if 'password' in params: 
            if (not 'password2' in params or 
                params['password2'] != params['password']): 
                return HttpResponse('Passwords did not match', status=400, content_type="text/plain")
            user.set_password(params['password'])
    except: 
        return HttpResponse(status=400)

    try: 
        user.store(udb)
        return HttpResponse(status=200)
    except ResourceConflict:
        return HttpResponse(status=409)
Beispiel #8
0
def login(request):
    """
    handles session login
    """
    try:
        params = _get_params_by_ct(request)
        username = params['username']
        password = params['password']
    except: 
        return HttpResponse(status=400)
        
    # attempt actual login...
    udb = request.context.get_users_database()
    user = User.get_by_username(udb, username)
        
    if user is None: 
        return HttpResponse(status=401)
    
    if not user.check_password(password):
        return HttpResponse(status=401)
        
    # password was good, record in session
    request.context.set_session_user(user)

    if 'next' in params:
        req = HttpResponse(status=304)
        req.location = params['next']
        return req
    else: 
        return HttpResponse()
Beispiel #9
0
    def __call__(self, username, is_locked=False):
        """
        Reset the password of the user with the given username.
        is_locked - if True, lock the user's password
        """
        couchdb = Server(self.config['couchdb.address'])
        try:
            udb = couchdb[self.config['couchdb.users_database']]
        except: 
            print "Failed to connect to couchdb at %s/%s" % (self.config['couchdb.address'], 
                                                             self.config['couchdb.users_database'])
            return 1
        
        try:
            user = User.get_by_username(udb, username)
        except ResourceNotFound: 
            print 'User "%s" does not exist' % username
            return 1
            
        if not is_locked:
            done = False
            while(not done):
                password = getpass(prompt="New password for %s: " % username)
                password2 = getpass(prompt="Repeat password: "******"Passwords did not match, try again.\n"        
            user.set_password(password)
        else: 
            user.lock_password()

        user.store(udb)
        print 'Password changed for user "%s"' % username
Beispiel #10
0
    def test_login_json(self):
        uname = 'joe'
        password = '******'
        badpw = 'lb0w'

        udb = self.get_users_database()
        user = User(username=uname, password=password)
        user.store(udb)

        login_url = self.url_for('login')
        logout_url = self.url_for('logout')

        c = self.get_test_app()

        # not logged in 
        res = c.get(self.url_for('current_user_info'))
        info = json.loads(res.body)
        assert info['is_anonymous'] == True
        assert info.get('userid', None) is None
        
        # bad login 
        c.post(login_url, json.dumps({'username': uname, 'password': badpw}), 
               content_type="application/json", status=401)
        res = c.get(self.url_for('current_user_info'))
        info = json.loads(res.body)
        assert info['is_anonymous'] == True
        assert info.get('userid', None) is None

        # successfull login
        c.post(login_url, json.dumps({'username': uname, 'password': password}), 
               content_type="application/json", status=200)
        res = c.get(self.url_for('current_user_info'))
        info = json.loads(res.body)
        assert info['is_anonymous'] == False
        assert info['userid'] == 'joe'

        # logout
        c.post(logout_url, status=200)
        res = c.get(self.url_for('current_user_info'))
        info = json.loads(res.body)
        assert info['is_anonymous'] == True
        assert info.get('userid', None) is None
Beispiel #11
0
def _user_exists(request, username):
    """
    tests existance of user with the given username
    ie HEAD /user/<username>
    """
    udb = request.context.get_users_database()
    user = User.get_by_username(udb, username)
    if user is None or not user.type == 'user':
        return HttpResponse(status=404)
    else:
        return HttpResponse(status=200)
Beispiel #12
0
    def __call__(self, username, is_locked=False, is_admin=False):
        """
        Create a user with the given username. 
        is_locked - if True, create with a locked password
        is_admin  - if True, grant administrative rights to the user
        """
        couchdb = Server(self.config['couchdb.address'])
        try:
            udb = couchdb[self.config['couchdb.users_database']]
        except: 
            print "Failed to connect to couchdb at %s/%s" % (self.config['couchdb.address'], 
                                                             self.config['couchdb.users_database'])
            return 1
            
        new_user = User(username=username)
        if new_user.id in udb: 
            print 'User "%s" already exists' % username
            return 1
        
        if not is_locked:
            done = False
            while(not done):
                password = getpass(prompt="Password for %s: " % username)
                password2 = getpass(prompt="Repeat password: "******"Passwords did not match, try again.\n"        
            new_user.set_password(password)

        if is_admin:
            new_user.roles = [ROLE_ADMIN]

        new_user.store(udb)
        print 'Created user "%s"' % username
Beispiel #13
0
def _delete_user(request, username): 
    """
    deletes a user
    """    
    udb = request.context.get_users_database()
    user = User.get_by_username(udb, username)
    if user is None or not user.type == 'user' or not user.username == username:
        return HttpResponse(status=404)

    if not request.context.user.has_perm(PERM_DELETE, user):
        return HttpResponse(status=401)

    del udb[user.id]
    return HttpResponse(status=200)
Beispiel #14
0
def check_http_auth(request):
    if request.authorization:
        ctx = request.context
        try:
            meth, params = request.authorization
            if meth.lower() == 'basic':
                username, password = base64.b64decode(params).split(':')
                udb = ctx.get_users_database()
                user = User.get_by_username(udb, username)
                if user is not None and user.check_password(password) == True:
                    ctx.set_request_user(user)
                    return
        except:
            pass
        raise BadAuthenticator()
Beispiel #15
0
    def test_login_basic_auth(self):
        uname = 'joe'
        password = '******'
        badpw = 'lb0w'

        udb = self.get_users_database()
        user = User(username=uname, password=password)
        user.store(udb)

        c = self.get_test_app()

        # not logged in 
        # res = c.get(self.url_for('current_user_info'))
        # info = json.loads(res.body)
        # assert info['is_anonymous'] == True
        # assert info.get('userid', None) is None
        

        bad_method = ('Authorization', 'Bad Bad=News')
        c.get(self.url_for('current_user_info'), headers=[bad_method], status=401)
        
        bad_auth = _basic_auth(uname, badpw)
        c.get(self.url_for('current_user_info'), headers=[bad_auth], status=401)
        
        # should be joe for this request
        good_auth = _basic_auth(uname, password)
        res = c.get(self.url_for('current_user_info'), headers=[good_auth])
        info = json.loads(res.body)
        assert info['is_anonymous'] == False
        assert info['userid'] == 'joe'

        # but this is not persistent
        res = c.get(self.url_for('current_user_info'))
        info = json.loads(res.body)
        assert info['is_anonymous'] == True
        assert info.get('userid', None) is None
Beispiel #16
0
def test_user_password():

    user = User(username='******', password='******')
    
    
    assert user.username == 'joe'
    assert user.check_password('fr3d')
    assert not user.check_password('fr01d')
    
    db = create_test_users_db()
    
    user.store(db)
    user = User.load(db, user.id)
    
    assert user.check_password('fr3d')
    assert not user.check_password('fr01d')
    assert user.username == 'joe'
Beispiel #17
0
    def test_create_user_json_put(self):
        """
        tests creating a user by PUT'ing json-encoded parameters
        to /user/<username>
        """
        uname = 'joe'
        uid = 'org.couchdb.user:%s' % uname
        udb = self.get_users_database()

        create_url = self.url_for('user_rest', userid=uname)

        assert not uid in udb
        c = self.get_test_app()
        self.login_as_admin(c)
        c.put(create_url, json.dumps({}), 
              content_type="application/json", status=201)
        assert uid in udb
        c.put(create_url, json.dumps({}),
              content_type="application/json", status=409)
        del udb[uid]

        # test passwords.
        password = '******'
        bad_pass = '******'
        # missing password 2
        c.put(create_url, json.dumps({'password': password}), 
              content_type="application/json",
              status=400)
        assert uid not in udb

        # passwords don't match
        c.put(create_url, json.dumps({'password': password, 
                            'password2': bad_pass}), 
                            content_type="application/json",
                            status=400)
        assert uid not in udb

        # okay 
        c.put(create_url, json.dumps({'password': password, 
                           'password2': password}), 
                           content_type="application/json",
                           status=201)

        user = User.get_by_username(udb, uname)
        assert user.check_password(password)
        assert not user.check_password(bad_pass)
Beispiel #18
0
    def user(self):
        """
        Property that returns the currently logged in user
        """

        if self._current_user is None and self.USER_SESSION_KEY in self.session:
            try:
                user_id = self.session[self.USER_SESSION_KEY]
                udb = self.get_users_database()
                self._current_user = User.load(udb, user_id)
            except ResourceNotFound:
                # non-existant user, wipe this session
                self.session.invalidate()

        if self._current_user is None:
            self._current_user = AnonymousUser() 
        
        return self._current_user
Beispiel #19
0
def _user_info(request, user):
    """
    helper that handles retreiving user info
    ie GET /user/<userid> or GET /user
    """
    if isinstance(user, basestring):
        udb = request.context.get_users_database()
        user = User.get_by_username(udb, user)
        if user is None: 
            return HttpResponse(status=404)

    if user.is_anonymous():
        info = {'is_anonymous': True}
    else:
        info = {'is_anonymous': False,
                'userid': user.username,
                'name': user.get_public_id()}

    return HttpResponse(json.dumps(info),
                        content_type="application/json")
Beispiel #20
0
    def test_create_user_urlenc_post(self):
        """
        tests creating a user by POST'ing form-encoded parameters
        to /user
        """
        uname = 'joe'
        uid = 'org.couchdb.user:%s' % uname
        udb = self.get_users_database()

        create_url = self.url_for('create_user')

        assert not uid in udb
        c = self.get_test_app()
        self.login_as_admin(c)
        c.post(create_url, {'username': uname}, status=201)
        assert uid in udb
        c.post(create_url, {'username': uname}, status=409)
        del udb[uid]
        
        # test passwords.
        password = '******'
        bad_pass = '******'
        # missing password 2
        c.post(create_url, {'username': uname, 'password': password}, status=400)
        assert uid not in udb
        
        # passwords don't match
        c.post(create_url, {'username': uname, 
                            'password': password, 
                            'password2': bad_pass}, status=400)
        assert uid not in udb
        
        # okay 
        c.post(create_url, {'username': uname, 
                            'password': password, 
                            'password2': password}, status=201)
        user = User.get_by_username(udb, uname)
        assert user.check_password(password)
        assert not user.check_password(bad_pass)
Beispiel #21
0
    def test_basic_auth_overrides_cookie(self):
        uname = 'joe'
        password = '******'
        badpw = 'lb0w'
        
        uname2 = 'jane'
        password2 = 'j03'

        udb = self.get_users_database()
        user = User(username=uname, password=password)
        user.store(udb)

        user2 = User(username=uname2, password=password2)
        user2.store(udb)

        c = self.get_test_app()

        # not logged in 
        res = c.get(self.url_for('current_user_info'))
        info = json.loads(res.body)
        assert info['is_anonymous'] == True
        assert info.get('userid', None) is None

        # successfull login 
        login_url = self.url_for('login')
        c.post(login_url, {'username': user.username, 'password': password}, status=200)
        res = c.get(self.url_for('current_user_info'))
        info = json.loads(res.body)
        assert info['is_anonymous'] == False
        assert info['userid'] == user.username
        
        # do a request with basic auth for the other user...
        res = c.get(self.url_for('current_user_info'), headers=[_basic_auth(user2.username, password2)])
        info = json.loads(res.body)
        assert info['is_anonymous'] == False
        assert info['userid'] == user2.username
        
        # this should not affect the session.
        res = c.get(self.url_for('current_user_info'))
        info = json.loads(res.body)
        assert info['is_anonymous'] == False
        assert info['userid'] == user.username
Beispiel #22
0
    def test_update_user_passwd_post_urlenc(self):
        uname = 'joe'
        pw1 = 'bl0w'
        pw2 = 'b0w1'
        udb = self.get_users_database()
        user_url = self.url_for('user_rest', userid=uname)
        c = self.get_test_app()
        self.login_as_admin(c)
        c.post(user_url, {}, status=404)

        user = User(username=uname, password=pw1)
        user.store(udb)

        user = User.get_by_username(udb, uname)
        assert user.check_password(pw1)
        assert not user.check_password(pw2)

        # missing password2
        c.post(user_url, {'username': uname, 'password': pw2}, 
                status=400)
        user = User.get_by_username(udb, uname)
        assert user.check_password(pw1)
        assert not user.check_password(pw2)

        # passwords don't match
        c.post(user_url, {'username': uname, 
                            'password': pw2, 
                            'password2': pw1}, 
                             status=400)
        user = User.get_by_username(udb, uname)
        assert user.check_password(pw1)
        assert not user.check_password(pw2)


        # okay 
        c.post(user_url, {'username': uname, 
                            'password': pw2, 
                            'password2': pw2}, 
                             status=200)
        user = User.get_by_username(udb, uname)
        assert user.check_password(pw2)
        assert not user.check_password(pw1)