Ejemplo n.º 1
0
    def test_access_controller(self):
        logging.debug('')
        logging.debug('test_access_controller')

        # Credential-to-role mapping.
        owner = get_credentials()
        controller = AccessController()
        self.assertEqual(controller.get_role(None), '')
        self.assertEqual(controller.get_role(owner), 'owner')
        user = Credentials()
        user.user = '******'
        self.assertEqual(controller.get_role(user), 'user')
        assert_raises(self, 'controller.get_role(object())', globals(), locals(),
                      TypeError, 'credentials is not a Credentials object')

        # Proxy role-to-credential mapping.
        obj = Object()
        assert_raises(self, 'controller.get_proxy_credentials(obj.no_rbac, user)',
                      globals(), locals(), RoleError, 'No RBAC for method')
        self.assertEqual(controller.get_proxy_credentials(obj.single_role, user),
                         user)
        self.assertEqual(controller.get_proxy_credentials(obj.proxy_role, user),
                         owner)
        assert_raises(self,
                      'controller.get_proxy_credentials(obj.proxy_other, user)',
                      globals(), locals(), RoleError,
                      'No credentials for proxy role other')
        assert_raises(self, "controller.set_proxy_credentials('other', object())",
                      globals(), locals(), TypeError,
                      'credentials is not a Credentials object')
        other = Credentials()
        other.user = '******'
        controller.set_proxy_credentials('other', other)
        self.assertEqual(controller.get_proxy_credentials(obj.proxy_other, user),
                         other)

        # Attribute access.
        controller.check_access('user', '__getattr__', obj, 'dummy')
        controller.check_access('owner', '__setattr__', obj, 'dummy')
        assert_raises(self,
                      "controller.check_access('user', '__delattr__', obj, 'dummy')",
                      globals(), locals(), RoleError,
                      "No __delattr__ access to 'dummy' by role 'user'")
        assert_raises(self,
                      "controller.check_access('', '__getattr__', obj, 'dummy')",
                      globals(), locals(), RoleError, 'No access by null role')

        # Attribute proxying.
        proxy_value = ProxyRequired()
        self.assertFalse(controller.need_proxy(obj, 'dummy', proxy_value))
        controller.attr_proxy_required(obj, 'dummy')
        self.assertTrue(controller.need_proxy(obj, 'dummy', proxy_value))
        controller.attr_proxy_required(obj, 'dummy', False)
        self.assertFalse(controller.need_proxy(obj, 'dummy', proxy_value))
        controller.class_proxy_required(ProxyRequired)
        self.assertTrue(controller.need_proxy(obj, 'dummy', proxy_value))
Ejemplo n.º 2
0
    def post(self):
        server_creds = Credentials()
        print 'server creds:\n', server_creds

        # single user... only allow same user@host as the server to log in
        allowed_users = {server_creds.user: server_creds.public_key}
        encoded = self.get_argument('encoded')
        client_creds = Credentials.verify(encoded, allowed_users)
        print 'client creds:\n', client_creds

        if client_creds:
            self.set_secure_cookie('user', client_creds.user)
        self.redirect('/')
Ejemplo n.º 3
0
    def test_3_access(self):
        logging.debug('')
        logging.debug('test_access')

        # This 'spook' creation is only for testing.
        # Normally the protector would run with regular credentials
        # in effect at the proprietary site.
        user = '******'+socket.gethostname()
        key_pair = get_key_pair(user)
        data = '\n'.join([user, '0', key_pair.publickey().exportKey()])
        hash = hashlib.sha256(data).digest()
        signature = key_pair.sign(hash, get_random_bytes)
        spook = Credentials((data, signature, None))

        credentials = get_credentials()
        allowed_users = {credentials.user: credentials.public_key,
                         spook.user: spook.public_key}
        factory = self.start_factory(allowed_users=allowed_users)

        # Create model and run it.
        saved = get_credentials()
        set_credentials(spook)
        box = factory.create(_MODULE+'.ProtectedBox',
                             allowed_users=allowed_users)
        set_credentials(saved)

        model = set_as_top(Model(box))
        model.run()

        # Check results.
        for width in range(1, 2):
            for height in range(1, 3):
                for depth in range(1, 4):
                    case = model.driver.recorders[0].cases.pop(0)
                    self.assertEqual(case.outputs[0][2], width*height*depth)
Ejemplo n.º 4
0
    def test_access_controller(self):
        logging.debug('')
        logging.debug('test_access_controller')

        # Credential-to-role mapping.
        owner = get_credentials()
        controller = AccessController()
        self.assertEqual(controller.get_role(None), '')
        self.assertEqual(controller.get_role(owner), 'owner')
        user = Credentials()
        user.user = '******'
        self.assertEqual(controller.get_role(user), 'user')
        assert_raises(self, 'controller.get_role(object())', globals(),
                      locals(), TypeError,
                      'credentials is not a Credentials object')

        # Proxy role-to-credential mapping.
        obj = Object()
        assert_raises(self,
                      'controller.get_proxy_credentials(obj.no_rbac, user)',
                      globals(), locals(), RoleError, 'No RBAC for method')
        self.assertEqual(
            controller.get_proxy_credentials(obj.single_role, user), user)
        self.assertEqual(
            controller.get_proxy_credentials(obj.proxy_role, user), owner)
        assert_raises(
            self, 'controller.get_proxy_credentials(obj.proxy_other, user)',
            globals(), locals(), RoleError,
            'No credentials for proxy role other')
        assert_raises(self,
                      "controller.set_proxy_credentials('other', object())",
                      globals(), locals(), TypeError,
                      'credentials is not a Credentials object')
        other = Credentials()
        other.user = '******'
        controller.set_proxy_credentials('other', other)
        self.assertEqual(
            controller.get_proxy_credentials(obj.proxy_other, user), other)

        # Attribute access.
        controller.check_access('user', '__getattr__', obj, 'dummy')
        controller.check_access('owner', '__setattr__', obj, 'dummy')
        assert_raises(
            self,
            "controller.check_access('user', '__delattr__', obj, 'dummy')",
            globals(), locals(), RoleError,
            "No __delattr__ access to 'dummy' by role 'user'")
        assert_raises(
            self, "controller.check_access('', '__getattr__', obj, 'dummy')",
            globals(), locals(), RoleError, 'No access by null role')

        # Attribute proxying.
        proxy_value = ProxyRequired()
        self.assertFalse(controller.need_proxy(obj, 'dummy', proxy_value))
        controller.attr_proxy_required(obj, 'dummy')
        self.assertTrue(controller.need_proxy(obj, 'dummy', proxy_value))
        controller.attr_proxy_required(obj, 'dummy', False)
        self.assertFalse(controller.need_proxy(obj, 'dummy', proxy_value))
        controller.class_proxy_required(ProxyRequired)
        self.assertTrue(controller.need_proxy(obj, 'dummy', proxy_value))
Ejemplo n.º 5
0
    def post(self):
        server_creds = Credentials()
        print 'server creds:\n', server_creds

        # single user... only allow same user@host as the server to log in
        allowed_users = {server_creds.user: server_creds.public_key}
        encoded = self.get_argument('encoded')
        client_creds = Credentials.verify(encoded, allowed_users)
        print 'client creds:\n', client_creds

        if client_creds:
            self.set_secure_cookie('user', client_creds.user)
        self.redirect('/')
Ejemplo n.º 6
0
    def test_rsh(self):
        logging.debug('')
        logging.debug('test_rsh')

        testdir = 'external_rsh'
        if os.path.exists(testdir):
            shutil.rmtree(testdir, onerror=onerror)
        os.mkdir(testdir)
        os.chdir(testdir)

        factory = None
        try:
            # Try to set command line on remote ExternalCode instance.
            typname = 'openmdao.lib.components.external_code.ExternalCode'
            factory = ObjServerFactory(allowed_types=[typname])
            exec_comp = factory.create(typname)
            try:
                exec_comp.command = ['this-should-fail']
            except RemoteError as exc:
                msg = "RoleError: No __setattr__ access to 'command'"
                logging.debug('msg: %s', msg)
                logging.debug('exc: %s', exc)
                self.assertTrue(msg in str(exc))
            else:
                self.fail('Expected RemoteError')

            exec_comp.set('command', ['this-should-pass'])

            # Try to set via remote-looking access.
            creds = get_credentials()
            creds.client_creds = Credentials()
            logging.debug('    using %s', creds)
            try:
                exec_comp.set('command', ['this-should-fail'])
            except RemoteError as exc:
                fragment = ": 'command' may not be set() remotely"
                if fragment not in str(exc):
                    self.fail('%s not in %s' % (fragment, exc))
            finally:
                creds.client_creds = None

        finally:
            if factory is not None:
                factory.cleanup()
            os.chdir('..')
            if sys.platform == 'win32':
                time.sleep(2)  # Wait for process shutdown.
            keep_dirs = int(os.environ.get('OPENMDAO_KEEPDIRS', '0'))
            if not keep_dirs:
                shutil.rmtree(testdir, onerror=onerror)
Ejemplo n.º 7
0
 def get(self):
     # single user scenario, auto-login based on username
     server_creds = Credentials()
     print "server_creds:\n", server_creds
     self.set_secure_cookie('user', server_creds.user)
     self.redirect('/')
Ejemplo n.º 8
0
    def test_credentials(self):
        logging.debug('')
        logging.debug('test_credentials')

        # Basic form.
        owner = Credentials()
        if sys.platform == 'win32' and not HAVE_PYWIN32:
            self.assertEqual('%s' % owner, owner.user+' (transient)')
        else:
            self.assertEqual('%s' % owner, owner.user)

        # Comparison.
        user = Credentials()
        self.assertEqual(user, owner)
        user.user = '******'
        self.assertNotEqual(user, owner)
        self.assertNotEqual(user, 'xyzzy')

        # Thread storage.
        try:
            del threading.current_thread().credentials  # Ensure empty.
        except AttributeError:
            pass
        self.assertEqual(get_credentials(), owner)

        # Sign/verify.
        encoded = owner.encode()
        Credentials.verify(encoded, allowed_users=None)  # 'First sighting'.
        Credentials.verify(encoded, allowed_users=None)  # Cached verification.
        data, signature, client_creds = encoded

        encoded = (data[:1], signature, client_creds)
        assert_raises(self, 'Credentials.verify(encoded, None)',
                      globals(), locals(), CredentialsError, 'Invalid data')

        encoded = (data[:-1], signature, client_creds)
        assert_raises(self, 'Credentials.verify(encoded, None)',
                      globals(), locals(), CredentialsError, 'Invalid signature')

        encoded = (data, signature[:-1], client_creds)
        assert_raises(self, 'Credentials.verify(encoded, None)',
                      globals(), locals(), CredentialsError, 'Invalid signature')

        newline = data.find('\n')  # .user
        newline = data.find('\n', newline+1)  # .transient
        # Expecting '-'
        mangled = data[:newline+1] + '*' + data[newline+2:]
        encoded = (mangled, signature, client_creds)
        assert_raises(self, 'Credentials.verify(encoded, None)',
                      globals(), locals(), CredentialsError, 'Invalid key')

        # Detect mismatched key.
        get_key_pair(owner.user, overwrite_cache=True)
        spook = Credentials()
        encoded = spook.encode()
        assert_raises(self, 'Credentials.verify(encoded, None)',
                      globals(), locals(), CredentialsError,
                      'Public key mismatch')

        # Check if remote access.
        self.assertFalse(remote_access())
Ejemplo n.º 9
0
    def test_credentials(self):
        logging.debug('')
        logging.debug('test_credentials')

        # Basic form.
        owner = Credentials()
        if sys.platform == 'win32' and not HAVE_PYWIN32:
            self.assertEqual('%s' % owner, owner.user + ' (transient)')
        else:
            self.assertEqual('%s' % owner, owner.user)

        # Comparison.
        user = Credentials()
        self.assertEqual(user, owner)
        user.user = '******'
        self.assertNotEqual(user, owner)
        self.assertNotEqual(user, 'xyzzy')

        # Thread storage.
        try:
            del threading.current_thread().credentials  # Ensure empty.
        except AttributeError:
            pass
        self.assertEqual(get_credentials(), owner)

        # Sign/verify.
        encoded = owner.encode()
        Credentials.verify(encoded, allowed_users=None)  # 'First sighting'.
        Credentials.verify(encoded, allowed_users=None)  # Cached verification.
        data, signature, client_creds = encoded

        encoded = (data[:1], signature, client_creds)
        assert_raises(self, 'Credentials.verify(encoded, None)', globals(),
                      locals(), CredentialsError, 'Invalid data')

        encoded = (data[:-1], signature, client_creds)
        assert_raises(self, 'Credentials.verify(encoded, None)', globals(),
                      locals(), CredentialsError, 'Invalid signature')

        encoded = (data, signature[:-1], client_creds)
        assert_raises(self, 'Credentials.verify(encoded, None)', globals(),
                      locals(), CredentialsError, 'Invalid signature')

        newline = data.find('\n')  # .user
        newline = data.find('\n', newline + 1)  # .transient
        # Expecting '-'
        mangled = data[:newline + 1] + '*' + data[newline + 2:]
        encoded = (mangled, signature, client_creds)
        assert_raises(self, 'Credentials.verify(encoded, None)', globals(),
                      locals(), CredentialsError, 'Invalid key')

        # Detect mismatched key.
        get_key_pair(owner.user, overwrite_cache=True)
        spook = Credentials()
        encoded = spook.encode()
        assert_raises(self, 'Credentials.verify(encoded, None)', globals(),
                      locals(), CredentialsError, 'Public key mismatch')

        # Check if remote access.
        self.assertFalse(remote_access())