async def get_user(self, token):
        cache_key = self.get_user_cache_key(token['id'])
        store = cache.get_memory_cache()
        try:
            return store[cache_key]
        except KeyError:
            pass

        user_id = token.get('id')
        if user_id is None:
            return

        user_data = await utils.find_user(username=user_id)

        user = GuillotinaUser(user_id=user_data['username'],
                              properties=user_data['data'])
        user.password = user_data['password']
        # in oauth context, user can choose to only grant subset of all
        # available. In this context, we give them access to everything
        # on the container
        self.apply_scope(
            user, {
                'allowed_scopes': user_data['allowed_scopes'],
                'scope': user_data['allowed_scopes'],
            })
        store[cache_key] = user
        return user
Ejemplo n.º 2
0
    async def validate(self, token):
        """Return the user from the token."""
        if token.get('type') != 'bearer':
            return None

        if '.' not in token.get('token', ''):
            # quick way to check if actually might be jwt
            return None

        try:
            try:
                validated_jwt = jwt.decode(
                    token['token'],
                    app_settings['jwt']['secret'],
                    algorithms=[app_settings['jwt']['algorithm']])
            except jwt.exceptions.ExpiredSignatureError:
                logger.warn("Token Expired")
                raise HTTPUnauthorized()
            except jwt.InvalidIssuedAtError:
                logger.warn("Back to the future")
                validated_jwt = jwt.decode(
                    token['token'],
                    app_settings['jwt']['secret'],
                    algorithms=[app_settings['jwt']['algorithm']],
                    options=NON_IAT_VERIFY)

            user = GuillotinaUser(self.request)
            user.name = validated_jwt['fullname']
            user.id = validated_jwt['sub']
            return user

        except jwt.exceptions.DecodeError:
            pass

        return None
Ejemplo n.º 3
0
async def test_inherit(container_requester):
    async with container_requester as requester:
        response, status = await requester(
            "POST", "/db/guillotina/", data=json.dumps({"@type": "Item", "id": "testing"})
        )
        assert status == 201

        response, status = await requester(
            "POST",
            "/db/guillotina/@sharing",
            data=json.dumps(
                {"prinrole": [{"principal": "user1", "role": "guillotina.Reader", "setting": "Allow"}]}
            ),
        )

        assert status == 200

        response, status = await requester(
            "POST",
            "/db/guillotina/testing/@sharing",
            data=json.dumps({"perminhe": [{"permission": "guillotina.ViewContent", "setting": "Deny"}]}),
        )
        assert status == 200

        response, status = await requester("GET", "/db/guillotina/testing/@all_permissions")
        assert status == 200

        container = await utils.get_container(requester=requester)
        content = await container.async_get("testing")

        user = GuillotinaUser("user1")

        utils.login(user=user)

        policy = get_security_policy()
        assert policy.check_permission("guillotina.ViewContent", container)
        assert not policy.check_permission("guillotina.ViewContent", content)

        response, status = await requester("GET", "/db/guillotina/testing")
        assert status == 401

        response, status = await requester(
            "POST",
            "/db/guillotina/testing/@sharing",
            data=json.dumps(
                {
                    "roleperm": [
                        {
                            "permission": "guillotina.ViewContent",
                            "role": "guillotina.Manager",
                            "setting": "Allow",
                        }
                    ]
                }
            ),
        )
        assert status == 200

        response, status = await requester("GET", "/db/guillotina/testing")
        assert status == 200
Ejemplo n.º 4
0
def login_user(request, user_data):
    """Logs user in to guillotina so the job has the correct access

    """
    if 'id' in user_data:
        user = GuillotinaUser(
            user_id=user_data['id'],
            groups=user_data.get('groups', []),
            roles={name: Allow
                   for name in user_data['roles']})
        user.data = user_data.get('data', {})
        set_authenticated_user(user)
    else:
        set_authenticated_user(None)

    if user_data.get('Authorization'):
        # leave in for b/w compat, remove at later date
        request.headers['Authorization'] = user_data['Authorization']
    for name, value in (user_data.get('headers') or {}).items():
        request.headers[name] = value
Ejemplo n.º 5
0
def login_user(request, user_data):
    """Logs user in to guillotina so the job has the correct access

    """
    if "id" in user_data:
        user = GuillotinaUser(
            user_id=user_data["id"],
            groups=user_data.get("groups", []),
            roles={name: Allow
                   for name in user_data["roles"]},
        )
        user.data = user_data.get("data", {})
        set_authenticated_user(user)
    else:
        set_authenticated_user(None)

    if user_data.get("Authorization"):
        # leave in for b/w compat, remove at later date
        request.headers["Authorization"] = user_data["Authorization"]
    for name, value in (user_data.get("headers") or {}).items():
        request.headers[name] = value
Ejemplo n.º 6
0
async def test_allowsingle(container_requester):
    async with container_requester as requester:
        response, status = await requester(
            "POST", "/db/guillotina/", data=json.dumps({"@type": "Item", "id": "testing"})
        )
        assert status == 201

        response, status = await requester(
            "POST",
            "/db/guillotina/@sharing",
            data=json.dumps(
                {
                    "prinperm": [
                        {
                            "principal": "group1",
                            "permission": "guillotina.AccessContent",
                            "setting": "AllowSingle",
                        }
                    ]
                }
            ),
        )

        assert status == 200

        response, status = await requester(
            "POST",
            "/db/guillotina/testing/@sharing",
            data=json.dumps(
                {
                    "prinperm": [
                        {"principal": "group2", "permission": "guillotina.AccessContent", "setting": "Allow"}
                    ]
                }
            ),
        )

        assert status == 200

        container = await utils.get_container(requester=requester)
        content = await container.async_get("testing")

        user = GuillotinaUser("user1")
        user._groups = ["group1", "group2"]

        utils.login(user=user)
        policy = get_security_policy(user)
        assert policy.check_permission("guillotina.AccessContent", container)
        assert policy.check_permission("guillotina.AccessContent", content)

        user = GuillotinaUser("user2")
        user._groups = ["group1"]

        utils.login(user=user)

        policy = get_security_policy(user)
        assert policy.check_permission("guillotina.AccessContent", container)
        assert not policy.check_permission("guillotina.AccessContent", content)
Ejemplo n.º 7
0
async def test_allowsingle(container_requester):
    async with container_requester as requester:
        response, status = await requester('POST',
                                           '/db/guillotina/',
                                           data=json.dumps({
                                               '@type': 'Item',
                                               'id': 'testing'
                                           }))
        assert status == 201

        response, status = await requester('POST',
                                           '/db/guillotina/@sharing',
                                           data=json.dumps({
                                               'prinperm': [{
                                                   'principal':
                                                   'group1',
                                                   'permission':
                                                   'guillotina.AccessContent',
                                                   'setting':
                                                   'AllowSingle'
                                               }]
                                           }))

        assert status == 200

        response, status = await requester('POST',
                                           '/db/guillotina/testing/@sharing',
                                           data=json.dumps({
                                               'prinperm': [{
                                                   'principal': 'group2',
                                                   'permission':
                                                   'guillotina.AccessContent',
                                                   'setting': 'Allow'
                                               }]
                                           }))

        assert status == 200

        container = await utils.get_container(requester=requester)
        content = await container.async_get('testing')

        user = GuillotinaUser('user1')
        user._groups = ['group1', 'group2']

        utils.login(user=user)
        policy = get_security_policy(user)
        assert policy.check_permission('guillotina.AccessContent', container)
        assert policy.check_permission('guillotina.AccessContent', content)

        user = GuillotinaUser('user2')
        user._groups = ['group1']

        utils.login(user=user)

        policy = get_security_policy(user)
        assert policy.check_permission('guillotina.AccessContent', container)
        assert not policy.check_permission('guillotina.AccessContent', content)
Ejemplo n.º 8
0
def login_user(request, user_data):
    request.security = Interaction(request)
    participation = GuillotinaParticipation(request)
    participation.interaction = None

    if 'id' in user_data:
        user = GuillotinaUser(request)
        user.id = user_data['id']
        user._groups = user_data.get('groups', [])
        user._roles = user_data.get('roles', [])
        user.data = user_data.get('data', {})
        participation.principal = user
        request._cache_user = user

    request.security.add(participation)
    request.security.invalidate_cache()
    request._cache_groups = {}
    if user_data.get('Authorization'):
        request.headers['Authorization'] = user_data['Authorization']
Ejemplo n.º 9
0
async def test_allowsingle2(container_requester):
    async with container_requester as requester:
        response, status = await requester("POST",
                                           "/db/guillotina/",
                                           data=json.dumps({
                                               "@type": "Folder",
                                               "id": "testing"
                                           }))
        assert status == 201

        response, status = await requester("POST",
                                           "/db/guillotina/testing/",
                                           data=json.dumps({
                                               "@type": "Item",
                                               "id": "test1"
                                           }))
        assert status == 201

        response, status = await requester("POST",
                                           "/db/guillotina/testing/",
                                           data=json.dumps({
                                               "@type": "Item",
                                               "id": "test2"
                                           }))
        assert status == 201

        response, status = await requester(
            "POST",
            "/db/guillotina/@sharing",
            data=json.dumps({
                "prinperm": [{
                    "principal": "group1",
                    "permission": "guillotina.AccessContent",
                    "setting": "AllowSingle",
                }]
            }),
        )

        assert status == 200

        response, status = await requester(
            "POST",
            "/db/guillotina/testing/@sharing",
            data=json.dumps({
                "prinperm": [
                    {
                        "principal": "group2",
                        "permission": "guillotina.AccessContent",
                        "setting": "Allow"
                    },
                    {
                        "principal": "group1",
                        "permission": "guillotina.ViewContent",
                        "setting": "AllowSingle",
                    },
                ]
            }),
        )

        assert status == 200

        response, status = await requester(
            "POST",
            "/db/guillotina/testing/test1/@sharing",
            data=json.dumps({
                "prinperm": [{
                    "principal": "group3",
                    "permission": "guillotina.ViewContent",
                    "setting": "Allow"
                }]
            }),
        )

        assert status == 200

        response, status = await requester(
            "POST",
            "/db/guillotina/testing/test2/@sharing",
            data=json.dumps({
                "prinrole": [{
                    "principal": "group2",
                    "role": "guillotina.Reader",
                    "setting": "Allow"
                }],
                "roleperm": [{
                    "role": "guillotina.Reader",
                    "permission": "guillotina.ViewContent",
                    "setting": "Allow",
                }],
            }),
        )

        assert status == 200

        container = await utils.get_container(requester=requester)
        content = await container.async_get("testing")

        user = GuillotinaUser("user1")
        user._groups = ["group2", "group1"]

        utils.login(user=user)

        policy = get_security_policy()
        assert policy.check_permission("guillotina.AccessContent", container)
        assert policy.check_permission("guillotina.AccessContent", content)

        user = GuillotinaUser("user2")
        user._groups = ["group1"]

        utils.login(user=user)

        policy = get_security_policy(user)
        assert policy.check_permission("guillotina.AccessContent", container)
        assert not policy.check_permission("guillotina.AccessContent", content)

        user = GuillotinaUser("user3")
        user._groups = ["group1", "group2", "group3"]
        user._roles = {"testing.Role1": Allow}

        utils.login(user=user)
        test1 = await content.async_get("test1")
        test2 = await content.async_get("test2")

        policy = get_security_policy(user)
        assert policy.check_permission("guillotina.ViewContent", test1)
        assert policy.check_permission("guillotina.ViewContent", test2)

        roles = get_roles_principal(test2)
        assert "guillotina.Reader" in roles
        assert "guillotina.Anonymous" in roles
        assert "guillotina.Authenticated" in roles
        assert "testing.Role1" in roles
Ejemplo n.º 10
0
async def test_allowsingle2(container_requester):
    async with container_requester as requester:
        response, status = await requester('POST',
                                           '/db/guillotina/',
                                           data=json.dumps({
                                               '@type': 'Folder',
                                               'id': 'testing'
                                           }))
        assert status == 201

        response, status = await requester('POST',
                                           '/db/guillotina/testing/',
                                           data=json.dumps({
                                               '@type': 'Item',
                                               'id': 'test1'
                                           }))
        assert status == 201

        response, status = await requester('POST',
                                           '/db/guillotina/testing/',
                                           data=json.dumps({
                                               '@type': 'Item',
                                               'id': 'test2'
                                           }))
        assert status == 201

        response, status = await requester('POST',
                                           '/db/guillotina/@sharing',
                                           data=json.dumps({
                                               'prinperm': [{
                                                   'principal':
                                                   'group1',
                                                   'permission':
                                                   'guillotina.AccessContent',
                                                   'setting':
                                                   'AllowSingle'
                                               }]
                                           }))

        assert status == 200

        response, status = await requester('POST',
                                           '/db/guillotina/testing/@sharing',
                                           data=json.dumps({
                                               'prinperm': [{
                                                   'principal': 'group2',
                                                   'permission':
                                                   'guillotina.AccessContent',
                                                   'setting': 'Allow'
                                               }, {
                                                   'principal':
                                                   'group1',
                                                   'permission':
                                                   'guillotina.ViewContent',
                                                   'setting':
                                                   'AllowSingle'
                                               }]
                                           }))

        assert status == 200

        response, status = await requester(
            'POST',
            '/db/guillotina/testing/test1/@sharing',
            data=json.dumps({
                'prinperm': [{
                    'principal': 'group3',
                    'permission': 'guillotina.ViewContent',
                    'setting': 'Allow'
                }]
            }))

        assert status == 200

        response, status = await requester(
            'POST',
            '/db/guillotina/testing/test2/@sharing',
            data=json.dumps({
                'prinrole': [{
                    'principal': 'group2',
                    'role': 'guillotina.Reader',
                    'setting': 'Allow'
                }],
                'roleperm': [{
                    'role': 'guillotina.Reader',
                    'permission': 'guillotina.ViewContent',
                    'setting': 'Allow'
                }]
            }))

        assert status == 200

        request = utils.get_mocked_request(requester.db)
        container = await utils.get_container(requester, request)
        content = await container.async_get('testing')

        user = GuillotinaUser(request)
        user.id = 'user1'
        user._groups = ['group2', 'group1']

        utils.login(request, user)

        assert request.security.check_permission('guillotina.AccessContent',
                                                 request.container)
        assert request.security.check_permission('guillotina.AccessContent',
                                                 content)

        user = GuillotinaUser(request)
        user.id = 'user2'
        user._groups = ['group1']

        utils.login(request, user)

        assert request.security.check_permission('guillotina.AccessContent',
                                                 request.container)
        assert not request.security.check_permission(
            'guillotina.AccessContent', content)

        user = GuillotinaUser(request)
        user.id = 'user3'
        user._groups = ['group1', 'group2', 'group3']

        utils.login(request, user)
        test1 = await content.async_get('test1')
        test2 = await content.async_get('test2')

        assert request.security.check_permission('guillotina.ViewContent',
                                                 test1)
        assert request.security.check_permission('guillotina.ViewContent',
                                                 test2)
Ejemplo n.º 11
0
async def test_inherit(container_requester):
    async with container_requester as requester:
        response, status = await requester('POST',
                                           '/db/guillotina/',
                                           data=json.dumps({
                                               '@type': 'Item',
                                               'id': 'testing'
                                           }))
        assert status == 201

        response, status = await requester('POST',
                                           '/db/guillotina/@sharing',
                                           data=json.dumps({
                                               'prinrole': [{
                                                   'principal': 'user1',
                                                   'role': 'guillotina.Reader',
                                                   'setting': 'Allow'
                                               }]
                                           }))

        assert status == 200

        response, status = await requester('POST',
                                           '/db/guillotina/testing/@sharing',
                                           data=json.dumps({
                                               'perminhe': [{
                                                   'permission':
                                                   'guillotina.ViewContent',
                                                   'setting': 'Deny'
                                               }]
                                           }))
        assert status == 200

        response, status = await requester(
            'GET', '/db/guillotina/testing/@all_permissions')
        assert status == 200

        request = utils.get_mocked_request(requester.db)
        container = await utils.get_container(requester, request)
        content = await container.async_get('testing')

        user = GuillotinaUser(request)
        user.id = 'user1'

        utils.login(request, user)

        assert request.security.check_permission('guillotina.ViewContent',
                                                 request.container)
        assert not request.security.check_permission('guillotina.ViewContent',
                                                     content)

        response, status = await requester('GET', '/db/guillotina/testing')
        assert status == 401

        response, status = await requester('POST',
                                           '/db/guillotina/testing/@sharing',
                                           data=json.dumps({
                                               'roleperm': [{
                                                   'permission':
                                                   'guillotina.ViewContent',
                                                   'role':
                                                   'guillotina.Manager',
                                                   'setting': 'Allow'
                                               }]
                                           }))
        assert status == 200

        response, status = await requester('GET', '/db/guillotina/testing')
        assert status == 200