def test_display_home(self):
    """The context reports displayHome when the only role carries display_home."""
    role = 'CONSORTIUM_EDUCATION_ADMINISTRATOR_1'
    Roles.set_roles([('Allow', role, ('view', 'logout', 'display_home'))])
    subject = User()
    subject.set_context([RoleRelation(role, 'CA', 'CA', '1', '2')])
    self.assertTrue(subject.get_user_context()['displayHome'])
def test_default_permission(self):
    """The role whose permission set contains 'default' is the default permission."""
    mappings = {
        ('Allow', 'DEPLOYMENT_ADMINISTRATOR', ('view', 'logout', 'default')),
        ('Allow', 'SYSTEM_ADMINISTRATOR', ('view', 'logout')),
        ('Allow', 'DATA_LOADER', ('view', 'logout')),
    }
    Roles.set_roles(mappings)
    self.assertEqual('DEPLOYMENT_ADMINISTRATOR', Roles.get_default_permission())
def test_good_and_bad_roles(self):
    """A list mixing defined roles with one unknown name is flagged as undefined."""
    Roles.set_roles({
        ('Allow', 'DEPLOYMENT_ADMINISTRATOR', ('view', 'logout')),
        ('Allow', 'SYSTEM_ADMINISTRATOR', ('view', 'logout')),
        ('Allow', 'DATA_LOADER', ('view', 'logout')),
    })
    candidates = [
        'DEPLOYMENT_ADMINISTRATOR',
        'DEPLOYMENT_ADMINISTRATOR',
        'Bad Role',
        'DATA_LOADER',
    ]
    self.assertTrue(Roles.has_undefined_roles(candidates))
def test_display_home(self):
    """displayHome is set once a role holding display_home is put in context."""
    home_role = ('Allow', 'CONSORTIUM_EDUCATION_ADMINISTRATOR_1', ('view', 'logout', 'display_home'))
    Roles.set_roles([home_role])
    relation = RoleRelation('CONSORTIUM_EDUCATION_ADMINISTRATOR_1', 'CA', 'CA', '1', '2')
    user = User()
    user.set_context([relation])
    self.assertTrue(user.get_user_context()['displayHome'])
def login(request):
    '''
    View for the "forbidden" route: requests are forwarded here when the
    caller is not allowed to see a page, so this view decides between
    "identified but denied" (plain 403) and "not logged in" (start a login
    flow).

    :param request: the incoming request; the session id is read from its
                    cookie and the caller's principals from the auth policy.
    :returns: HTTPForbidden for denied callers, otherwise the response of the
              first login-flow handler that produces one (HTTPForbidden when
              none does).
    '''
    session_id = unauthenticated_userid(request)
    principals = effective_principals(request)

    # A caller that is already identified (principals plus a session id), or
    # that carries the sentinel "invalid" role, gets a 403 instead of another
    # login round-trip. The sentinel marks a user that the IDP gave no role,
    # or only roles this deployment does not know.
    # NOTE(review): if effective_principals() always includes a catch-all
    # principal for anonymous callers (pyramid's does), the second clause
    # reduces to "a session cookie is present" — confirm that is intended.
    carries_invalid_role = Roles.get_invalid_role() in principals
    looks_identified = bool(principals and session_id)
    if carries_invalid_role or looks_identified:
        write_security_event("Forbidden view being accessed",
                             SECURITY_EVENT_TYPE.WARN, session_id)
        return HTTPForbidden()

    # Not identified: a leftover session id in the cookie is expired before a
    # fresh login flow starts, so the old session cannot be resumed later.
    if session_id is not None:
        expire_session(session_id)

    # First login flow that answers wins; OAuth2 implicit is tried before SAML2.
    for start_flow in (_handle_OAUTH2_Implicit_login_flow, _handle_SAML2_login_flow):
        response = start_flow(request)
        if response is not None:
            return response
    return HTTPForbidden()
def get_roles(attributes):
    '''
    Derive role names from the Attributes element of a SAMLResponse.

    Each "memberOf" value (presumably an LDAP DN) is lower-cased and scanned
    for the first ``cn=...,`` fragment; the captured text, upper-cased, is
    taken as a role name. A value with no such fragment (no comma after the
    ``cn=``) contributes nothing. If that leaves no roles, or any role is not
    one the deployment defines, the sentinel invalid role is appended so the
    caller ends up with a role that can at least log out.

    NOTE(review): the pattern is unanchored, so a ``cn=`` anywhere in the
    value is taken, not only the leading RDN — confirm that is acceptable.

    :param attributes: mapping of SAML attribute name to an iterable of values
    :returns: list of upper-cased role names, possibly ending with the invalid role
    '''
    roles = []
    member_of = attributes.get("memberOf", None)
    if member_of is not None:
        for dn in member_of:
            match = re.search('cn=(.*?),', dn.lower())
            if match is None:
                continue
            roles.append(match.group(1).upper())
    # No roles at all, or an unknown one, collapses to the sentinel invalid role.
    if not roles or Roles.has_undefined_roles(roles):
        roles.append(Roles.get_invalid_role())
    return roles
def set_context(self, role_inst_rel_list_all):
    '''
    Build this user's context from a list of role relations.

    A relation whose role is not defined has its role rewritten to the
    default permission; a relation with a defined, non-default role is kept
    and additionally mirrored as a relation carrying the default permission
    for the same tenant/state/district/school. The collected relations become
    the UserContext, and the displayHome flag is recomputed from the roles
    recorded in self.__info.

    NOTE(review): an undefined role is promoted to the default permission
    here, whereas get_roles() appends the invalid role for the same case —
    confirm the two paths are meant to differ.

    :param role_inst_rel_list_all: iterable of RoleRelation objects; the
        ``role`` attribute of undefined-role entries is modified in place.
    '''
    # For now set the roles and tenant like this to make everything continue to work
    role_inst_rel_list = []
    default_permission = Roles.get_default_permission()
    # Replace role with default role if the role is not in our defined list and clone every role relation with default Permission
    for rel_chain in role_inst_rel_list_all:
        if Roles.has_undefined_roles([rel_chain.role]):
            # Mutates the caller's object, not a copy.
            rel_chain.role = default_permission
        elif rel_chain.role != default_permission:
            appended_role_rel = RoleRelation(default_permission, rel_chain.tenant, rel_chain.state_code, rel_chain.district_id, rel_chain.school_id)
            role_inst_rel_list += self._populate_role_relation(appended_role_rel)
        role_inst_rel_list += self._populate_role_relation(rel_chain)
    # If there is no roles, set it to an invalid one so user can logout
    if not role_inst_rel_list:
        self._add_role(Roles.get_invalid_role())
    self.__context = UserContext(role_inst_rel_list)
    # Check whether 'home' is enabled
    # NOTE(review): self.__info[UserConstants.ROLES] is read here but never
    # written in this method; presumably _populate_role_relation/_add_role
    # fill it — confirm.
    self.__info[UserConstants.DISPLAYHOME] = Roles.has_display_home_permission(self.__info[UserConstants.ROLES])
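def setUp(self):
    '''
    Register a minimal role table, tenant map, session backend and test
    configuration before each test.
    '''
    # 'NONE' is the logout-only role in this table; the trailing comma keeps
    # its permission set a 1-tuple like the others (a bare ('logout') is just
    # the string 'logout').
    mappings = {
        ('Allow', 'TEACHER', ('view', 'logout', 'default')),
        ('Allow', 'SYSTEM_ADMINISTRATOR', ('view', 'logout')),
        ('Allow', 'DATA_LOADER', ('view', 'logout')),
        ('Allow', 'NONE', ('logout',)),
    }
    Roles.set_roles(mappings)
    set_tenant_map({get_unittest_tenant_name(): 'NC'})
    self.__request = DummyRequest()
    reg = Registry()
    reg.settings = {
        'session.backend.type': 'beaker',
        'cache.expire': 10,
        'cache.regions': 'session',
        'cache.type': 'memory',
        'ldap.base.dn': 'ou=environment,dc=edwdc,dc=net',
        'batch.user.session.timeout': 15,
    }
    component.provideUtility(SessionBackend(reg.settings), ISessionBackend)
    # Must set hook_zca to false to work with unittest_with_sqlite
    self.__config = testing.setUp(registry=reg, request=self.__request, hook_zca=False)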
def test_good_and_bad_roles(self):
    """An unknown role name among defined ones makes the list undefined."""
    known = ['DEPLOYMENT_ADMINISTRATOR', 'SYSTEM_ADMINISTRATOR', 'DATA_LOADER']
    Roles.set_roles({('Allow', name, ('view', 'logout')) for name in known})
    mixed = ['DEPLOYMENT_ADMINISTRATOR', 'DEPLOYMENT_ADMINISTRATOR', 'Bad Role', 'DATA_LOADER']
    self.assertTrue(Roles.has_undefined_roles(mixed))
def test_one_bad_role(self):
    """A single unknown role name counts as undefined."""
    unknown = ['I do not exist']
    self.assertTrue(Roles.has_undefined_roles(unknown))
def set_roles(roles):
    '''
    Register the roles known to authentication.

    :param roles: iterable of (action, role_name, permissions) tuples, as the
                  tests build them; it is handed to Roles.set_roles unchanged.
    '''
    Roles.set_roles(roles)