def handleRequest(self, environ, start_response, path, consumer_info):
"""
Will handle the setup of the Idp.
The user must be authenticated.
:param environ:
:param start_response:
:param filePath:
:return:
"""
identity = None
try:
identity = environ["repoze.who.identity"]["user"]
except:
return self.unauthorized(environ, start_response)
#try:
if identity is None or len(identity) == 0:
return self.unauthorized(environ, start_response)
elif DeclarativeAuth.getInstance().userMatchRule(path, identity["uid"][0]):
qs = self.getQueryDict(environ)
if path == self.CONST_SETUPLOGUT:
return self.handleLogout(environ, start_response)
if path == self.CONST_SETUPABOUT:
return self.handleAbout(environ, start_response)
elif path == self.CONST_SETUPSTYLES:
return self.handleStyles(environ, start_response)
elif path == self.CONST_SETUP:
return self.handleSetup(environ, start_response)
elif path == self.CONST_SETUPSERVICE:
return self.handleSetupService(environ, start_response, qs, consumer_info)
elif path == self.CONST_SAVESECRET:
return self.handleSaveSecret(environ, start_response, qs)
else:
return self.handleUnknown(environ, start_response, path)
else:
return self.handleNotAuthorized(environ, start_response)
def testUserInRole(self):
"""
Verify that users will be in correct roles.
"""
filename = os.path.dirname(os.path.abspath(__file__))+"/authSetup.json"
dAuth = DeclarativeAuth.getInstance(filename)
self.assertTrue(dAuth.userInRole("haho", {"user": ["*"]}), '')
self.assertTrue(dAuth.userInRole("haho", {"admin": ["writer"]}), '')
self.assertTrue(dAuth.userInRole("haho", {"admin": ["reader"]}), '')
self.assertTrue(dAuth.userInRole("haho", {"admin": ["*"]}), '')
self.assertTrue(dAuth.userInRole("haho", {"admin": ["reader","writer"]}), '')
self.assertTrue(dAuth.userInRole("haho", {"economics": ["writer"]}), '')
self.assertTrue(dAuth.userInRole("haho", {"economics": ["reader"]}), '')
self.assertTrue(dAuth.userInRole("haho", {"economics": ["*"]}), '')
self.assertTrue(dAuth.userInRole("haho", {"economics": ["reader","writer"]}), '')
self.assertTrue(dAuth.userInRole("test1", {"user": ["*"]}), '')
self.assertFalse(dAuth.userInRole("test1", {"admin": ["writer"]}), '')
self.assertFalse(dAuth.userInRole("test1", {"admin": ["reader"]}), '')
self.assertFalse(dAuth.userInRole("test1", {"admin": ["*"]}), '')
self.assertFalse(dAuth.userInRole("test1", {"admin": ["reader","writer"]}), '')
self.assertFalse(dAuth.userInRole("test1", {"economics": ["writer"]}), '')
self.assertTrue(dAuth.userInRole("test1", {"economics": ["reader"]}), '')
self.assertTrue(dAuth.userInRole("test1", {"economics": ["*"]}), '')
self.assertTrue(dAuth.userInRole("test1", {"economics": ["reader","writer"]}), '')
self.assertTrue(dAuth.userInRole("test2", {"user": ["*"]}), '')
self.assertFalse(dAuth.userInRole("test2", {"admin": ["writer"]}), '')
self.assertFalse(dAuth.userInRole("test2", {"admin": ["reader"]}), '')
self.assertFalse(dAuth.userInRole("test2", {"admin": ["*"]}), '')
self.assertFalse(dAuth.userInRole("test2", {"admin": ["reader","writer"]}), '')
self.assertTrue(dAuth.userInRole("test2", {"economics": ["writer"]}), '')
self.assertFalse(dAuth.userInRole("test2", {"economics": ["reader"]}), '')
self.assertTrue(dAuth.userInRole("test2", {"economics": ["*"]}), '')
self.assertTrue(dAuth.userInRole("test2", {"economics": ["reader","writer"]}), '')
self.assertTrue(dAuth.userInRole("test3", {"user": ["*"]}), '')
self.assertFalse(dAuth.userInRole("test3", {"admin": ["writer"]}), '')
self.assertTrue(dAuth.userInRole("test3", {"admin": ["reader"]}), '')
self.assertTrue(dAuth.userInRole("test3", {"admin": ["*"]}), '')
self.assertTrue(dAuth.userInRole("test3", {"admin": ["reader","writer"]}), '')
self.assertTrue(dAuth.userInRole("test3", {"economics": ["writer"]}), '')
self.assertTrue(dAuth.userInRole("test3", {"economics": ["reader"]}), '')
self.assertTrue(dAuth.userInRole("test3", {"economics": ["*"]}), '')
self.assertTrue(dAuth.userInRole("test3", {"economics": ["reader","writer"]}), '')
def testMethod(self):
"""
Verify that the JSON file kan be read, by checking if rules, users and roles exists.
"""
filename = os.path.dirname(os.path.abspath(__file__))+"/authSetup.json"
#filename = os.path.dirname(os.path.abspath(__file__))+"/test.json"
dAuth = DeclarativeAuth.getInstance(filename)
self.assertTrue(dAuth.userExists("haho"), 'dAuth.userExists("haho") should be true')
self.assertTrue(dAuth.ruleExists("*"), 'dAuth.ruleExists("*") should be true')
self.assertTrue(dAuth.ruleExists("/admin"), 'dAuth.ruleExists("/admin") should be true')
self.assertTrue(dAuth.roleExists({"admin": ["reader","writer"]}), 'dAuth.roleExists({"admin":["reader","writer"]}) should be true')
self.assertTrue(dAuth.roleExists({"admin": ["reader"]}), 'dAuth.roleExists({"admin":["reader"]}) should be true')
self.assertTrue(dAuth.roleExists({"admin": ["*"]}), 'dAuth.roleExists({"admin": ["*"]}) should be true')
self.assertFalse(dAuth.roleExists({"admin": ["whatever"]}), 'dAuth.roleExists({"admin": ["whatever"]}) should be false')
def testUserMatchRule(self):
"""
Verify that users can get access to protected areas, or get prevented from access areas.
"""
filename = os.path.dirname(os.path.abspath(__file__))+"/authSetup.json"
dAuth = DeclarativeAuth.getInstance(filename)
self.assertTrue(dAuth.userMatchRule("/anypage","haho"), '')
self.assertTrue(dAuth.userMatchRule("/admin/anypage","haho"), '')
self.assertTrue(dAuth.userMatchRule("/admin","haho"), '')
self.assertTrue(dAuth.userMatchRule("/admin/setup/","haho"), '')
self.assertTrue(dAuth.userMatchRule("/admin/setup/anypage","haho"), '')
self.assertTrue(dAuth.userMatchRule("/economics/test.html","haho"), '')
self.assertTrue(dAuth.userMatchRule("/economics/setup/anypage","haho"), '')
self.assertTrue(dAuth.userMatchRule("/economics/setup/","haho"), '')
self.assertTrue(dAuth.userMatchRule("/about","haho"), '')
#Verify that the singleton pattern really works.
dAuth = DeclarativeAuth.getInstance()
self.assertTrue(dAuth.userMatchRule("/anypage","test1"), '')
self.assertFalse(dAuth.userMatchRule("/admin/anypage","test1"), '')
self.assertFalse(dAuth.userMatchRule("/admin","test1"), '')
self.assertFalse(dAuth.userMatchRule("/admin/setup/","test1"), '')
self.assertFalse(dAuth.userMatchRule("/admin/setup/anypage","test1"), '')
self.assertTrue(dAuth.userMatchRule("/economics/test.html","test1"), '')
self.assertFalse(dAuth.userMatchRule("/economics/setup/anypage","test1"), '')
self.assertFalse(dAuth.userMatchRule("/economics/setup/","test1"), '')
self.assertTrue(dAuth.userMatchRule("/about","test1"), '')
self.assertTrue(dAuth.userMatchRule("/anypage","test2"), '')
self.assertFalse(dAuth.userMatchRule("/admin/anypage","test2"), '')
self.assertFalse(dAuth.userMatchRule("/admin","test2"), '')
self.assertFalse(dAuth.userMatchRule("/admin/setup/","test2"), '')
self.assertFalse(dAuth.userMatchRule("/admin/setup/anypage","test2"), '')
self.assertTrue(dAuth.userMatchRule("/economics/test.html","test2"), '')
self.assertTrue(dAuth.userMatchRule("/economics/setup/anypage","test2"), '')
self.assertTrue(dAuth.userMatchRule("/economics/setup/","test2"), '')
self.assertTrue(dAuth.userMatchRule("/about","test2"), '')
self.assertTrue(dAuth.userMatchRule("/anypage", "test3"), '')
self.assertTrue(dAuth.userMatchRule("/admin/anypage", "test3"), '')
self.assertTrue(dAuth.userMatchRule("/admin", "test3"), '')
self.assertFalse(dAuth.userMatchRule("/admin/setup/", "test3"), '')
self.assertFalse(dAuth.userMatchRule("/admin/setup/anypage", "test3"), '')
self.assertTrue(dAuth.userMatchRule("/economics/test.html", "test3"), '')
self.assertTrue(dAuth.userMatchRule("/economics/setup/anypage", "test3"), '')
self.assertTrue(dAuth.userMatchRule("/economics/setup/", "test3"), '')
self.assertTrue(dAuth.userMatchRule("/about","test3"), '')
self.assertFalse(dAuth.userMatchRule("/anypage", "test4"), '')
self.assertFalse(dAuth.userMatchRule("/admin/anypage", "test4"), '')
self.assertFalse(dAuth.userMatchRule("/admin", "test4"), '')
self.assertFalse(dAuth.userMatchRule("/admin/setup/", "test4"), '')
self.assertFalse(dAuth.userMatchRule("/admin/setup/anypage", "test4"), '')
self.assertFalse(dAuth.userMatchRule("/economics/test.html", "test4"), '')
self.assertFalse(dAuth.userMatchRule("/economics/setup/anypage", "test4"), '')
self.assertFalse(dAuth.userMatchRule("/economics/setup/", "test4"), '')
self.assertFalse(dAuth.userMatchRule("/about","test4"), '')
def testMethod(self):
"""
Verify that the singleton works
"""
self.assertEqual(DeclarativeAuth.getInstance().classId(), DeclarativeAuth.getInstance().classId(),
'DeclarativeAuth.getInstance().classId() = DeclarativeAuth.getInstance().classId()')
def initAuthApp(self, application, metadataList, conf, secretFile, configfilePath=None):
"""
Will add authentication middleware to the WSGI application.
:param self:
:param application: Function for main WSGI application
:rtype : PluggableAuthenticationMiddleware
:return:
"""
self.CONST_SETUP = "/setup"
self.CONST_SETUPSERVICE = "/setup/service"
self.CONST_SETUPSTYLES = "/setup/styles"
self.CONST_SAVESECRET = "/setup/SaveSecret"
self.CONST_SETUPABOUT = "/setup/about"
self.CONST_SETUPLOGUT = "/setup/logout"
self.CONST_SESSION_USER = "******"
self.CONST_KEY = "key"
self.CONST_SECRET = "secret"
if configfilePath is None:
self.CONST_ROOT = os.path.dirname(os.path.abspath(__file__))
else:
self.CONST_ROOT = configfilePath
self.CONST_AUTH_FILE = IdpSetupSp._instance.CONST_ROOT + "/auth.json"
self.CONST_STATIC_FILE = IdpSetupSp._instance.CONST_ROOT + "/files/static/"
self.CONST_STATIC_MAKO = IdpSetupSp._instance.CONST_ROOT + "/files/mako/"
self.CONST_LOOKUP = TemplateLookup(directories=[self.CONST_STATIC_MAKO + 'templates', self.CONST_STATIC_MAKO + 'htdocs'],
module_directory=self.CONST_STATIC_MAKO + 'modules',
input_encoding='utf-8', output_encoding='utf-8')
self.CONST_ONTS = {
saml.NAMESPACE: saml,
mdui.NAMESPACE: mdui,
mdattr.NAMESPACE: mdattr,
dri.NAMESPACE: dri,
ui.NAMESPACE: ui,
idpdisc.NAMESPACE: idpdisc,
md.NAMESPACE: md,
xmldsig.NAMESPACE: xmldsig,
xmlenc.NAMESPACE: xmlenc
}
self.CONST_ATTRCONV = attribute_converter.ac_factory("attributemaps")
try:
xmlsec_path = get_xmlsec_binary(["/opt/local/bin"])
except:
try:
xmlsec_path = get_xmlsec_binary(["/usr/local/bin"])
except:
xmlsec_path = '/usr/bin/xmlsec1'
for metadata in metadataList:
mds = MetadataStore(self.CONST_ONTS.values(), self.CONST_ATTRCONV, xmlsec_path,
disable_ssl_certificate_validation=True)
mds.imp(metadata)
for entityId in mds.keys():
self.spKeyList.append(entityId)
for key in conf:
self.socialServiceKeyList.append(conf[key]["name"])
self.secretFile = secretFile
currentPath = os.path.dirname(os.path.abspath(__file__))
lib_path = os.path.abspath(self.CONST_ROOT)
sys.path.append(lib_path)
DeclarativeAuth.getInstance(self.CONST_AUTH_FILE)
app_with_auth = make_middleware_with_config(application, {"here": "."},
self.CONST_ROOT+'/who.ini',
log_file=self.CONST_ROOT+"/repoze_who.log")
return app_with_auth
def verifyHandleRequest(self, path):
return DeclarativeAuth.getInstance().ruleMatch(path)
