def test_display_home(self):
     '''
     A user whose only role carries the 'display_home' permission gets a
     truthy 'displayHome' entry in the context returned by get_user_context().
     '''
     acl = [('Allow', 'CONSORTIUM_EDUCATION_ADMINISTRATOR_1',
             ('view', 'logout', 'display_home'))]
     Roles.set_roles(acl)
     user = User()
     relation = RoleRelation('CONSORTIUM_EDUCATION_ADMINISTRATOR_1',
                             'CA', 'CA', '1', '2')
     user.set_context([relation])
     self.assertTrue(user.get_user_context()['displayHome'])
 def test_default_permission(self):
     '''
     The role whose permission tuple contains 'default' is reported by
     Roles.get_default_permission(); the roles without it are not.
     '''
     acl = {
         ('Allow', 'DEPLOYMENT_ADMINISTRATOR', ('view', 'logout', 'default')),
         ('Allow', 'SYSTEM_ADMINISTRATOR', ('view', 'logout')),
         ('Allow', 'DATA_LOADER', ('view', 'logout')),
     }
     Roles.set_roles(acl)
     self.assertEqual('DEPLOYMENT_ADMINISTRATOR',
                      Roles.get_default_permission())
 def test_default_permission(self):
     '''
     Only one configured role lists the 'default' permission; that role
     name must be what Roles.get_default_permission() returns.
     '''
     perms_by_role = {
         'DEPLOYMENT_ADMINISTRATOR': ('view', 'logout', 'default'),
         'SYSTEM_ADMINISTRATOR': ('view', 'logout'),
         'DATA_LOADER': ('view', 'logout'),
     }
     Roles.set_roles({('Allow', role, perms)
                      for role, perms in perms_by_role.items()})
     default = Roles.get_default_permission()
     self.assertEqual('DEPLOYMENT_ADMINISTRATOR', default)
 def test_good_and_bad_roles(self):
     '''
     Roles.has_undefined_roles() is True as soon as one name ('Bad Role')
     is outside the configured ACL, even when the known names are repeated.
     '''
     Roles.set_roles({
         ('Allow', 'DEPLOYMENT_ADMINISTRATOR', ('view', 'logout')),
         ('Allow', 'SYSTEM_ADMINISTRATOR', ('view', 'logout')),
         ('Allow', 'DATA_LOADER', ('view', 'logout')),
     })
     candidates = ['DEPLOYMENT_ADMINISTRATOR', 'DEPLOYMENT_ADMINISTRATOR',
                   'Bad Role', 'DATA_LOADER']
     self.assertTrue(Roles.has_undefined_roles(candidates))
 def test_display_home(self):
     '''
     Granting 'display_home' to the user's single role makes the user
     context report displayHome as true.
     '''
     role = 'CONSORTIUM_EDUCATION_ADMINISTRATOR_1'
     Roles.set_roles([('Allow', role, ('view', 'logout', 'display_home'))])
     user = User()
     user.set_context([RoleRelation(role, 'CA', 'CA', '1', '2')])
     context = user.get_user_context()
     self.assertTrue(context['displayHome'])
def login(request):
    '''
    Login view; also the view forbidden_view_config redirects to when a
    user has no access to a page.

    :param request: the pyramid request being served
    :returns: the response produced by the first login-flow handler that
              accepts the request, or HTTPForbidden when the caller already
              holds a session with principals, carries the invalid role, or
              no handler produced a response
    '''
    # Session id as carried by the cookie, and the principals (roles) the
    # security policy derived for this request.
    session_id = unauthenticated_userid(request)
    principals = effective_principals(request)

    # A caller that already has a session id and principals, or whose role
    # resolved to the invalid role (no role from the IDP, or a role this
    # application does not know), has been forwarded here because it is
    # not authorized for the page it asked for: log a security event and
    # answer 403 instead of starting a new login flow.
    has_invalid_role = Roles.get_invalid_role() in principals
    already_has_session = bool(principals and session_id)
    if has_invalid_role or already_has_session:
        write_security_event("Forbidden view being accessed",
                             SECURITY_EVENT_TYPE.WARN, session_id)
        return HTTPForbidden()

    # Any session the cookie still names is expired before a login flow
    # is started.
    if session_id is not None:
        expire_session(session_id)

    # The OAuth2 implicit flow is offered first, then SAML2; the first
    # handler returning a response decides.
    for start_flow in (_handle_OAUTH2_Implicit_login_flow,
                       _handle_SAML2_login_flow):
        response = start_flow(request)
        if response is not None:
            return response

    return HTTPForbidden()
 def get_roles(attributes):
     '''
     Extract role names from the memberOf values of a SAMLResponse
     Attributes element.

     Each memberOf value is lower-cased and searched (unanchored) for a
     'cn=...,' component, so the match is case-insensitive and requires the
     trailing comma; the captured name is upper-cased. If nothing was
     extracted, or any extracted name is not a role this application
     defines, the invalid role is appended so the caller can refuse access.

     :param attributes: mapping of SAML attribute name to its values
     :returns: list of upper-cased role names, possibly ending with the
               invalid role
     '''
     roles = []
     member_of = attributes.get("memberOf", None)
     if member_of is not None:
         for dn in member_of:
             match = re.search('cn=(.*?),', dn.lower())
             if match:
                 roles.append(match.group(1).upper())
     # No role, or an unknown one: mark the user with the invalid role.
     if not roles or Roles.has_undefined_roles(roles):
         roles.append(Roles.get_invalid_role())
     return roles
 def get_roles(attributes):
     '''
     Find roles in the memberOf values of a SAMLResponse Attributes element.

     A role is the text between 'cn=' and the next ',' in a lower-cased
     memberOf value (values without that comma yield nothing), reported in
     upper case. An empty result, or one containing a role not defined in
     Roles, gets the invalid role appended.

     :param attributes: mapping of SAML attribute name to its values
     :returns: list of upper-cased role names, possibly ending with the
               invalid role
     '''
     values = attributes.get("memberOf", None)
     if values is None:
         values = []
     matches = (re.search('cn=(.*?),', value.lower()) for value in values)
     roles = [m.group(1).upper() for m in matches if m is not None]
     # Unknown or missing roles collapse to the invalid role.
     if not roles or Roles.has_undefined_roles(roles):
         roles.append(Roles.get_invalid_role())
     return roles
 def set_context(self, role_inst_rel_list_all):
     '''
     Build this user's context from a list of role relations.

     A relation whose role is not defined in Roles has its role replaced in
     place by the default permission. A relation with a defined, non-default
     role additionally gets a clone (same tenant, state, district, school)
     carrying the default permission. Every relation is expanded through
     _populate_role_relation; if nothing results, the invalid role is added
     so the user can still log out. The displayHome flag is then derived
     from the roles recorded in __info.

     :param role_inst_rel_list_all: iterable of RoleRelation; elements with
                                    an undefined role are mutated
     '''
     default_role = Roles.get_default_permission()
     expanded = []
     for relation in role_inst_rel_list_all:
         if Roles.has_undefined_roles([relation.role]):
             # Unknown role: downgrade in place to the default permission.
             relation.role = default_role
         elif relation.role != default_role:
             # Known non-default role: also grant the default permission
             # for the same scope.
             clone = RoleRelation(default_role, relation.tenant,
                                  relation.state_code, relation.district_id,
                                  relation.school_id)
             expanded.extend(self._populate_role_relation(clone))
         expanded.extend(self._populate_role_relation(relation))
     if not expanded:
         # No usable relation at all: give the invalid role so logout works.
         self._add_role(Roles.get_invalid_role())
     self.__context = UserContext(expanded)
     # NOTE(review): relies on __info[ROLES] having been filled by
     # _populate_role_relation / _add_role above — confirm.
     self.__info[UserConstants.DISPLAYHOME] = \
         Roles.has_display_home_permission(self.__info[UserConstants.ROLES])
 def setUp(self):
     '''
     Prepare each test: a fixed role ACL, a tenant map, a DummyRequest and
     an in-memory beaker session backend registered as ISessionBackend.
     '''
     # NOTE(review): ('logout') is a plain string, not a 1-tuple like the
     # other entries — kept as-is; confirm Roles accepts both forms.
     Roles.set_roles({
         ('Allow', 'TEACHER', ('view', 'logout', 'default')),
         ('Allow', 'SYSTEM_ADMINISTRATOR', ('view', 'logout')),
         ('Allow', 'DATA_LOADER', ('view', 'logout')),
         ('Allow', 'NONE', ('logout')),
     })
     set_tenant_map({get_unittest_tenant_name(): 'NC'})
     self.__request = DummyRequest()
     reg = Registry()
     reg.settings = {
         'session.backend.type': 'beaker',
         'cache.expire': 10,
         'cache.regions': 'session',
         'cache.type': 'memory',
         'ldap.base.dn': 'ou=environment,dc=edwdc,dc=net',
         'batch.user.session.timeout': 15,
     }
     component.provideUtility(SessionBackend(reg.settings), ISessionBackend)
     # hook_zca must be False to work with unittest_with_sqlite
     self.__config = testing.setUp(registry=reg, request=self.__request,
                                   hook_zca=False)
 def setUp(self):
     '''
     Per-test fixture: configure the role ACL and tenant map, then set up a
     pyramid testing configuration whose registry carries an in-memory
     beaker session backend registered as ISessionBackend.
     '''
     # NOTE(review): the 'NONE' entry's ('logout') is a bare string rather
     # than a tuple — reproduced unchanged.
     acl = {('Allow', 'TEACHER', ('view', 'logout', 'default')),
            ('Allow', 'SYSTEM_ADMINISTRATOR', ('view', 'logout')),
            ('Allow', 'DATA_LOADER', ('view', 'logout')),
            ('Allow', 'NONE', ('logout'))}
     Roles.set_roles(acl)
     set_tenant_map({get_unittest_tenant_name(): 'NC'})
     self.__request = DummyRequest()
     registry = Registry()
     registry.settings = {}
     registry.settings.update({
         'session.backend.type': 'beaker',
         'cache.expire': 10,
         'cache.regions': 'session',
         'cache.type': 'memory',
         'ldap.base.dn': 'ou=environment,dc=edwdc,dc=net',
         'batch.user.session.timeout': 15,
     })
     backend = SessionBackend(registry.settings)
     component.provideUtility(backend, ISessionBackend)
     # hook_zca=False is required to work with unittest_with_sqlite
     self.__config = testing.setUp(registry=registry,
                                   request=self.__request,
                                   hook_zca=False)
 def test_good_and_bad_roles(self):
     '''
     A list mixing configured roles (some repeated) with one unknown name
     is reported as containing undefined roles.
     '''
     known = ('DEPLOYMENT_ADMINISTRATOR', 'SYSTEM_ADMINISTRATOR', 'DATA_LOADER')
     Roles.set_roles({('Allow', name, ('view', 'logout')) for name in known})
     names = ['DEPLOYMENT_ADMINISTRATOR', 'DEPLOYMENT_ADMINISTRATOR',
              'Bad Role', 'DATA_LOADER']
     self.assertTrue(Roles.has_undefined_roles(names))
 def test_one_bad_role(self):
     '''A single name absent from the ACL counts as an undefined role.'''
     unknown = ['I do not exist']
     self.assertTrue(Roles.has_undefined_roles(unknown))
 def test_one_bad_role(self):
     '''Roles.has_undefined_roles() is True for one unconfigured name.'''
     result = Roles.has_undefined_roles(['I do not exist'])
     self.assertTrue(result)
def set_roles(roles):
    '''
    Register the known roles used for authentication by delegating to
    Roles.set_roles.

    :param roles: list of tuples describing the role ACL
    '''
    return Roles.set_roles(roles)